bloodmelon - Jetico in ubuntu Way: Separating the Wheat from the Chaff

Source: Baidu Wenku   Editor: Jiuxiang News   Time: 2024/04/29 23:02:43


firewall, Jetico

Subject: Jetico in ubuntu Way: Separating the Wheat from the Chaff (a no-nonsense walk through the essential parts of the JPF manual, plus my experience using it)
Author: ubuntu
Copyright notice: This article is released under a Creative Commons licence. Provided you comply with the licence (non-commercial, non-profit, and retaining the author and copyright notice), you may repost it freely. For commercial use, contact the author first to obtain permission. The author accepts no liability for losses caused by readers' use of the software described here.
The author reserves the right to take legal action against violations of this notice.


A craftsman must sharpen his tools before doing good work. To use JPF well you have to read the whole help manual. Since the manual is in English, many people won't read it, so I've picked out the essential parts, combined them with my own experience, and written this article.
Frankly, Jetico's manual is long-winded; many things could be put far better, but it doesn't bother, and I couldn't be bothered to read it closely either. Still, I have read the whole thing.

To set up rules you have to understand the principles, which means reading the manual. I know some people can't be bothered with the English manual, so below I cover only the most important points; for details, read the manual, I won't explain further.
The JPF manual is in English and full of padding, though it has useful parts too. What I've written below is the essence. If you can't follow it, don't tinker: safety first. I don't care how JPF is designed or how the lower layers filter; three layers or a few dozen layers like a bottled-water ad, it doesn't matter. All I care about are events and rules.

Question 1: The Root Table. The Root Table consists of the Application Table, Process Attack Table, Protocols Table, System IP Table and reject. Without looking at Jetico, can you remember their order?
Question 2: In the two situations below, which would you choose?


JPF calls a rule a Rule, so that's what I'll call it too. Filter, Event, Rule: whatever you do, it always comes down to these three. Remember them.

Rules of different types control different events. Remember this.

JPF's three filter layers
Network packet filter (made up of the IP filter and the Protocol filter)
Application filter
Process attack filter

Look at the two diagrams below; they make it easy to understand. The TDI Filter is the Application Filter: it is the topmost layer of the kernel-mode network driver stack and faces user-mode applications directly.
Because the Network filter has two parts, there are four filtering modules in total.

The relationship between Filter, Event and Rule

Rule types for the Network packet filter:
Network protocol rule
IP rule

Rule type for the Application filter:
Application rule

Rule type for the Process attack filter:
Process attack rule

Go to JPF -> Configuration -> Optimal Protection -> Root. See it?
The four rule types correspond to four Tables; in practice these are four rule groups, a Table being a container for rules. Everyone has used Windows: a Table is like a folder and the rules are like the files inside it. Complicated? Not at all.

Rule types for the Network packet filter: Network protocol rule; IP rule
Events for a Network protocol rule:
Event - select whether to match incoming packets, or outgoing packets or both
Events for an IP rule:
Event - select whether to match incoming packets, or outgoing packets or both



Rule type for the Application filter: Application rule
Events for an Application rule:
Event - application network event type:
any
inbound connection
outbound connection
listening port
receive datagrams
send datagrams
listening datagrams
access to network


any - any event is suitable
inbound connection - connection with local application initiated by remote end
outbound connection - connection to remote server initiated by local application
listening port - local application waits for incoming connections
receive datagrams - local application receives data within connectionless communications
send datagrams - local application sends data within connectionless communications
listening datagrams - local application waits for incoming data within connectionless communications
access to network - special event which means general access to the networking subsystem preceding all network communications. While 'access to network' is not enabled for an application, it won't be permitted to execute any network-related function



Rule type for the Process attack filter: Process attack rule
Events for a Process attack rule:
attacker installs system-wide Windows hook
Attacker starts application with hidden window
Attacker writes to application's memory
Attacker injects own code into application
Attacker modifies child process
Low-level access to system memory


Attack type - suspicious action type
attacker installs system-wide Windows hook
Microsoft Windows operating systems provide a so-called hooking mechanism. Applications are allowed to install a 'hook' function which can intercept some events (mouse actions, keystrokes, etc.) before they reach the target application.

The key point of some hooks is that hook function code must be executed on behalf of other application.

Windows hooking mechanism is widely used both by legal applications and trojans. As soon as trojan installs Windows hook, it can access network via its hook function. Since the hook function can reside in legal process' space (for example, in Explorer.exe process), the user will not realize that network is accessed by the trojan.

Attacker starts application with hidden window
Trojan program can run another trusted application with command-line arguments and make the application accessing network. Of course, the user will notice that something is going wrong if he/she sees unexpectedly appeared Internet Explorer's windows. So the trojan program can simply run Internet Explorer's windows in hidden mode.

Jetico Personal Firewall reports about the event, but it should be noted that legal programs often run their modules with hidden windows, for example, when such a module supports icon in the system tray.

Attacker writes to application's memory.
Trojan program can modify memory of another trusted application. Usually trojan replaces contents of memory where legal code of the trusted application resides by the code of the trojan's procedure that accesses network. As soon as the procedure runs, it accesses network so that everything looks like the trusted application itself decides to access network.

Attacker injects own code into application.
When Windows application runs, it may have one or several so-called "threads". Every thread works in parallel with other threads and executes its own code in the context of the application's process.

Windows allows creating remote threads, i.e. one process can create a thread that will work in the context of another trusted process. In this case Windows believes that this trusted process is responsible for everything that the remote thread does.

Trojan programs can use the technology of remote threads to hide their activity.

Attacker modifies child process.
A trojan program (attacker) can run another trusted application and modify its memory before the trusted application's process starts running. Since the trusted process is not running yet, it may be difficult to detect later that the trusted application is running the trojan program's code.

Low-level access to system memory.
A trojan program can harm loaded Windows system modules or running applications by modifying the contents of system physical memory. Since physical memory is shared by all the processes running on the computer, such a dangerous program can make any process do what the trojan program wants. Windows security mechanisms normally do not allow programs to do such a trick, but it is still possible. If Jetico Personal Firewall detects this kind of attack, it definitely means that the reported program is a trojan.



See it now? The three filters each handle their own Events; there is no overlap. They are parallel to one another, not subordinate. So what does a filter do?
1. It intercepts the Events that belong to it, then 2. it looks in the Security Policy (usually Optimal Protection) for the matching Rules and handles the Events according to those Rules: Allow or Block. That is the whole question.

The Root Table: the Root Table consists of the Application Table, System IP Table, Protocols Table, Process Attack Table and reject. The Root Table is a special case: it alone may contain rules of any type and can handle events of any type. The other Tables accept only specific events and rules; for example, the Application Table can handle only Application Events, not Process Attack Events.

Rules of different types control different events. Remember this. It means that different Rules govern different Events. In more detail: say the event "svchost.exe inbound connection TCP local port 135" occurs. The event will only ever find a matching rule in the Application Rule Table; it will never find one in the IP Rule Table. Rules that do not belong to this Event are all ignored; as far as the event is concerned they don't exist.
So when I see people asking, for rules that both block port 135, whether the one under svchost.exe takes precedence or the one in the IP Rules, I'll tell you now: they are parallel, and there is no precedence between them. JPF picks the matching Rules purely according to the Event. If the event belongs to the Application Table, the Application rule is applied and the System IP Table is ignored. If the event belongs to the System IP Table, the System IP rule is applied and the Application Table is ignored.

To solve a problem, tackle the main contradiction first. Look how tedious the Process attack filter description is; let's set the Process attack filter aside for now. Why? Many of JPF's pop-up windows come from the Process attack filter, and it pops them up when nothing is even going online. I don't like that; I only want pop-ups when a network connection is actually being made, and CPF does this better. Some say turning it off is unsafe. Fine: since it pops up even when nothing is online, I'll turn it off and install PG, SSM, GSS, or KAV6's Proactive Defence instead. That reduces JPF's complexity without losing security, the best of both worlds. Note that the Process attack filter does not monitor network access, so turning it off does not affect the other filters' monitoring of network access; to see why, you need to know which events the Process attack filter handles.

Network protocol rules and IP rules: people without some basics won't be able to set these up, so put them aside for now; more on them later.

So our focus is the Application Rules, and specifically the Ask User entry in the Application Rules. That is the spot.

Once the Application Rules are sorted out, go on to the Network protocol rules and IP rules, and finally, if you are interested, the Process attack rules.

Rules are matched in order from top to bottom. Remember this.
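The two points above, that an event is matched only against the rule table of its own type and that rules within a table are tried top to bottom, can be modelled in a few lines. The following is an added example for this article, not Jetico's code; the rule fields, the action names and the sample policy (a svchost.exe rule in the Application Table and an unrelated port 135 rule in the System IP Table) are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Event:
    kind: str               # "application" | "ip" | "protocol" | "process_attack"
    app: str = ""           # process name; application events only
    name: str = ""          # e.g. "inbound connection"
    proto: str = ""         # "TCP" / "UDP"
    local_port: int = 0

@dataclass
class Rule:
    kind: str               # rule type; only events of the same kind can match
    action: str             # "allow" | "block" | "ask user"
    label: str
    app: str = "any"
    name: str = "any"
    proto: str = "any"
    local_port: int = 0     # 0 means any port

    def matches(self, ev: Event) -> bool:
        return (self.kind == ev.kind
                and self.app in ("any", ev.app)
                and self.name in ("any", ev.name)
                and self.proto in ("any", ev.proto)
                and self.local_port in (0, ev.local_port))

# Rule tables keyed by rule type; Root's trailing "reject" is the fallback.
Tables = dict[str, list[Rule]]

def decide(tables: Tables, ev: Event) -> tuple[str, str]:
    """Consult only the table for the event's type, top-down; first match wins."""
    for rule in tables.get(ev.kind, []):
        if rule.matches(ev):
            return rule.action, rule.label
    return "reject", "Root default"   # no rule matched: Root's reject applies

# Constructed sample policy: both tables mention local port 135, but for an
# application event only the Application Table is ever consulted.
POLICY: Tables = {
    "application": [
        Rule("application", "allow", "svchost RPC", app="svchost.exe",
             name="inbound connection", proto="TCP", local_port=135),
        Rule("application", "ask user", "Ask User"),   # catch-all, kept last
    ],
    "ip": [
        Rule("ip", "block", "block TCP 135", proto="TCP", local_port=135),
    ],
}

SVCHOST_135 = Event("application", app="svchost.exe",
                    name="inbound connection", proto="TCP", local_port=135)
```

Swapping the order of the two Application Table rules changes the answer for svchost.exe (the catch-all would win), which is the top-to-bottom point; adding or removing the IP rule never does.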

Illustration of all Actions:

Explanation of the Events for Application Rules:

When I say the JPF manual is full of padding, I'm not kidding. Take the events below:

Event - application network event type:
any
inbound connection
outbound connection
listening port
receive datagrams
send datagrams
listening datagrams
access to network



Then read the manual's explanation of these events; most people have no idea what it is saying.

Translate them literally: outbound connection, inbound connection, receive data, send data, listen on port, listen for data, access network? Translation done, and it's still gibberish. You can't tell what it means, and if you can't understand the Events, the rules you write will be a mess.

Below I explain them in the language of a rule-based firewall; anyone who has actually written firewall rules should follow it. Those who have written rules for OP or Kerio will find it familiar. LNS's rule syntax is rather special, but anyone used to it should follow too.

inbound connection (Jetico) = TCP inbound/incoming (OP, Kerio, Comodo); in LNS set it to TCP both directions
outbound connection (Jetico) = TCP outbound/outgoing (OP, Kerio, Comodo); in LNS set it to TCP both directions
listening port (Jetico) = listening TCP port

receive datagrams (Jetico) = UDP inbound/incoming (OP, Kerio, Comodo, LNS)
send datagrams (Jetico) = UDP outbound/outgoing (OP, Kerio, Comodo, LNS)
listening datagrams (Jetico) = listening UDP port

access to network: I'll explain this one later.



Clearly my explanation is short and plain, while the manual's wording is obscure.

The above is what I take to be the essence of the Jetico manual, plus some views of my own that are not in the manual. I hope they are useful. Better to teach someone to fish than to give them a fish.

Question:
How do I configure things so that a trusted program is allowed to hook other programs, without it constantly warning that xxxx is intruding into xxxx's memory?

Answer:

add to application trust zone



Someone once asked this question. Anyone who has understood this article should know whether the answer is correct.

20060603 first edition released



This article is the author's original work; when reposting, keep the original URL:
http://my.opera.com/bloodmelon/blog/show.dml/284350