.: Network Address Translation (Data Communication)

Posted by swilsarblog Sunday, April 12, 2009

Network Address Translation (NAT) is a method for connecting more than one computer to the Internet through a single IP address. It is used so widely for three reasons: public IP addresses are scarce, it provides a degree of protection, and it makes network administration simpler and more flexible.

IP addresses
Today the dominant version of the IP protocol is IP version 4 (IPv4). Its addresses are 4 bytes long, so there are 2^32 = 4,294,967,296 of them; ignoring reserved ranges, that is the theoretical number of computers that can be connected to the Internet directly. Because of this limit, most ISPs (Internet Service Providers) allocate only one address per customer, and that address is dynamic: the customer may get a different address each time they connect. This is a real problem for small and medium-sized businesses. They need many computers on the Internet, but one address means only one computer can be connected. NAT solves it: with a NAT gateway running on one of the computers, that single address is shared by the others, and they can all use the Internet at the same time. What the gateway actually does is rewrite the source address (and, in the port-based form used by home routers and Linux "masquerading", the source port) of every outgoing packet to its own, remember that mapping in a table, and use the table to rewrite the destination of the matching replies back to the internal host.

Security
When a computer is connected to the Internet it can not only reach other hosts, a web server for example, but can very likely also be reached by any other computer on the Internet. Abused, that is dangerous: sensitive data can be read or even stolen by people who have no business seeing it. NAT automatically gives a firewall-like protection by only passing connections that originate inside the network, which raises the network's security level because the chance of an outside host connecting in becomes very small. Two caveats belong here. The protection is a side effect of the translation table, not a security policy: an inbound packet is delivered only if it matches a mapping that earlier outbound traffic created, and the gateway does not inspect or limit what leaves the network at all. And any static mapping defeats it for the host concerned: a port forward, a "DMZ host" setting, or a UPnP request from a program on the LAN makes that host reachable from outside exactly as if it had a public address. NAT is therefore a complement to an explicit firewall rule set, not a replacement for one.

Network administration
With NAT, a large network can be split into smaller ones. Each part has one IP address of its own, so computers can be added or removed without affecting the network as a whole. Modern NAT gateways also include a DHCP server that configures the client computers automatically, which helps the network administrator a lot: to change the network configuration, only the server needs to be changed, and the change reaches every client. A NAT gateway can also restrict Internet access and log all traffic to and from the Internet. Taken together, these capabilities make the administrator's job considerably easier.
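The translation table described above, as an added example in Python (it is not the post's code, nor any real NAT implementation). It models the port-based NAT that home routers and Linux masquerading perform: an outbound flow creates a mapping, a reply is delivered only if it matches that mapping (and, as with Linux connection tracking, only if it comes from the endpoint the mapping was created for), anything else is dropped, and a static port forward reopens the forwarded host. The gateway address 203.0.113.10, the internal hosts, the server 198.51.100.5 and the port numbers are constructed from the RFC 1918 and RFC 5737 documentation ranges; the sequential public-port allocation is a simplification.

```python
"""Toy NAPT (IP masquerading) translation table: added example, not the
original post's code. Shows why an outbound-only table blocks unsolicited
inbound traffic, and why a port forward undoes that for one host."""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"   # the gateway's single ISP-assigned address (constructed)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatGateway:
    def __init__(self, public_ip, first_port=49152):
        self.public_ip = public_ip
        self.next_port = first_port   # simplification: ports handed out in order
        # (proto, public_port) -> (internal_ip, internal_port, remote_ip, remote_port)
        self.table = {}
        # static forwards, what a router's "virtual server" or a UPnP request adds:
        # (proto, public_port) -> (internal_ip, internal_port)
        self.forwards = {}

    def add_forward(self, proto, public_port, internal_ip, internal_port):
        self.forwards[(proto, public_port)] = (internal_ip, internal_port)

    def outbound(self, pkt):
        """LAN -> Internet: rewrite the source to the public address and a
        gateway-chosen port, creating (or reusing) a mapping for the flow."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for (proto, pub_port), entry in self.table.items():
            if proto == pkt.proto and entry == flow:
                return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        pub_port = self.next_port
        self.next_port += 1
        self.table[(pkt.proto, pub_port)] = flow
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Internet -> LAN: deliver only if a mapping or a forward exists.
        Returns the rewritten packet, or None when the gateway drops it."""
        key = (pkt.proto, pkt.dst_port)
        entry = self.table.get(key)
        # the reply must come from the remote endpoint the mapping was made for;
        # a third party probing the same public port gets nothing
        if entry and (entry[2], entry[3]) == (pkt.src_ip, pkt.src_port):
            return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1], pkt.proto)
        if key in self.forwards:
            lan_ip, lan_port = self.forwards[key]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)
        return None


def demo():
    """Run a constructed sequence of packets through the gateway."""
    gw = NatGateway(PUBLIC_IP)
    web = ("198.51.100.5", 80)                       # a web server on the Internet (constructed)
    out = gw.outbound(Packet("192.168.0.2", 40000, *web))
    out2 = gw.outbound(Packet("192.168.0.3", 40000, *web))   # same private port, so the
    reply = gw.inbound(Packet(*web, PUBLIC_IP, out.src_port))  # gateway must pick another
    reply2 = gw.inbound(Packet(*web, PUBLIC_IP, out2.src_port))
    probe_ssh = gw.inbound(Packet("198.51.100.99", 5555, PUBLIC_IP, 22))
    probe_mapped = gw.inbound(Packet("198.51.100.99", 5555, PUBLIC_IP, out.src_port))
    gw.add_forward("tcp", 22, "192.168.0.100", 22)   # the "protection" ends here for .100
    after_forward = gw.inbound(Packet("198.51.100.99", 5555, PUBLIC_IP, 22))
    return {"out": out, "out2": out2, "reply": reply, "reply2": reply2,
            "probe_ssh": probe_ssh, "probe_mapped": probe_mapped,
            "after_forward": after_forward}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:14} {pkt if pkt else 'dropped'}")
```

The two probes from 198.51.100.99 are the whole of NAT's "firewall" effect: no table entry, no delivery. The single add_forward call shows how little it takes to lose it, which is why a gateway still needs explicit filtering rules for the forwarded host.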

.: Install a firewall in Ubuntu

Posted by swilsarblog Saturday, April 4, 2009

Ubuntu's desktop install provides a bunch of useful software for desktop users, but it doesn't install a firewall by default. Luckily, it's really simple to get a firewall up and running on Ubuntu.

Frankly, I'm glad that the default install doesn't set up a firewall. Most of my computers live behind a firewall at all times anyway, and I've always been annoyed by installers that demand I deal with firewall questions when I've already got the situation well in hand. If I want a firewall on a machine, I can set one up on my own. Since Ubuntu is, in part, aimed at corporate desktops, a firewall is unnecessary for many installations.

But if an Ubuntu desktop is your sole machine that connects directly to the Internet, then it's a good idea to configure one. Technically speaking, Ubuntu does include a firewall: the kernel's netfilter packet filter, which you could configure entirely by hand using iptables. That, however, is a little more detailed than many users care to get. Instead, we'll look at installing a GUI application to configure a firewall in just a few easy steps.

We'll look at two packages that configure firewalls. The first is Lokkit, an application that walks you through a few simple steps and configures a basic firewall for you. Lokkit is dead easy to use, and requires very little understanding of firewalls to set up, but it provides few options, and it's not a good choice if you want to set up a complex firewall.

By contrast, Guarddog, a flexible GUI firewall configuration program, is much more complex than Lokkit. Choose Guarddog only if you know what you're doing.

To install Lokkit or Guarddog, fire up Synaptic or Adept and install the appropriate package. If you prefer to use APT, just run sudo apt-get install gnome-lokkit for Lokkit, or sudo apt-get install guarddog to install Guarddog.

Configuring your firewall with Lokkit

Configuring a basic firewall with Lokkit is a snap. You'll need to run it with superuser privileges, so open the Run Command dialog with Alt-F2 and run gksudo gnome-lokkit. After entering your password, you'll see a Configure Firewalling dialog.

Lokkit's configuration wizard is fairly self-explanatory. I'd recommend starting with the High Security option, unless you have a need for DCC file transfer over IRC. Also, if you're using DHCP to grab an IP address from a cable modem or DSL modem, you want to make sure to say "yes" when Lokkit asks about enabling DHCP. If you have a cable modem or DSL, you probably do pull the IP address via DHCP.

If the computer is the only one on the network, it's probably not necessary to enable any services, and it's safe to tell Lokkit "no" when it asks about doing that. Even if you select no here, Lokkit will still leave SSH open to machines on the local network as long as you say "yes" when it asks if it's safe to trust hosts connected via your network interface. Trusting an interface means Lokkit accepts everything that arrives on it, not just SSH, so only say yes for an interface that faces a network you control, never the one attached to the modem.

After answering a few questions, Lokkit will say it's ready to enable the firewall, and then you can either apply the changes and start the firewall or cancel.

If you suspect you're having problems with the firewall, you can re-run Lokkit and select Disable Firewall to remove all of your firewall rules.

Lokkit is easy to use, and it sets up a decent set of firewall rules. However, even if you pick the most restrictive rules, Lokkit leaves SSH and VNC open, and allows ping and services such as BitTorrent to operate. Whichever tool you use, confirm what it actually installed with sudo iptables -L -n -v rather than trusting the wizard's summary. If you want really tight firewall rules, or need to set up a more complex firewall, look to Guarddog.

Configuring your firewall with Guarddog

To set up a firewall with Guarddog, run gksudo guarddog. You can run Guarddog as a regular user, but you'd have to load the firewall rules separately as the superuser later.

Guarddog is much more complex than Lokkit. The first thing you'll see when firing up Guarddog is the Zones tab. Zones are basically sets of IP addresses, which are used to define firewall rules that apply to those addresses. For example, if your machine is on a local area network with IP addresses in a private network, you can set up a zone for all of those addresses. By default, Guarddog comes with two pre-configured zones; the Internet zone, for all IP addresses that don't match other zones, and a Local zone, for IP addresses on the local machine.

To set up a zone for your LAN, click on New Zone, and then under Zone Addresses, click on New Address. In the Address field, you can add a single address or a network in CIDR notation to cover an entire range. Let's say your LAN is in the 10.0.0.0 range, with host addresses from 10.0.0.1 to 10.0.0.254 (10.0.0.255 is the broadcast address). You would set the address as 10.0.0.0/24.

You'd want to set zones other than Local and Internet so you can set up firewall rules to address those machines, if it's necessary to have different rules for local machines than you do for machines connected via the Internet zone. The best way to think of the Internet zone is as the "most hostile" zone. That is, you want to allow the bare minimum when it comes to traffic coming from Internet hosts.

Next you have the protocol configurations. Here you need to tell Guarddog exactly which protocols you want to enable. This can be a bit tricky, as anything that's not explicitly allowed is disabled. By default, nothing -- not even DNS, HTTP, or POP3 -- is allowed. Select all of the protocols you wish to enable for each zone, and then click "Apply." After approving the rules, see if you can browse the Web, get email, and whatever else you need to do. If not, you may need to tweak the allowed protocols a bit.

Guarddog also allows you to set logging options. You may wish to disable logging if you're not likely to read the logs to see what's being blocked or rejected. For desktop users, logging is probably unnecessary unless you're trying to troubleshoot a problem with the firewall.

Finally, under the Advanced tab, you can configure custom protocols if Guarddog doesn't include rules to match a protocol that you need to enable. See the Guarddog help for this if you need to add a protocol.
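The zone model just described, as an added example in Python; this is not Guarddog's code, and the zones and the allowed-protocol lists are constructed for the example. It applies Guarddog's rules: a zone is a set of networks, the most specific matching network decides the zone, everything that matches no zone is the Internet zone, and a protocol is reachable from a zone only if that zone explicitly allows it. iptables_rules() renders the same policy as the iptables arguments a tool like Guarddog would emit; it only produces text (applying rules needs root), and the per-zone DROP it inserts is what stops a protocol allowed for the Internet zone from leaking into a stricter LAN zone through the catch-all rule.

```python
"""Zone-based, default-deny inbound policy in the Guarddog style.
Added example, not Guarddog's code; zones and policy are constructed."""
import ipaddress

ZONES = {
    "Local": ["127.0.0.0/8"],
    "LAN": ["10.0.0.0/24"],
    # "Internet" has no networks: it is everything that matches no other zone
}

# protocol name -> (transport, destination port)
PROTOCOLS = {"ssh": ("tcp", 22), "http": ("tcp", 80), "dns": ("udp", 53), "vnc": ("tcp", 5900)}

# services each zone may reach on this host; anything not listed is denied
POLICY = {
    "Local": {"ssh", "http", "dns", "vnc"},
    "LAN": {"ssh", "http"},
    "Internet": {"http"},   # constructed: say the desktop also serves a small web page
}


def zone_of(ip):
    """Most specific zone whose networks contain ip; Internet if none does."""
    addr = ipaddress.ip_address(ip)
    best_name, best_len = "Internet", -1
    for name, nets in ZONES.items():
        for net in map(ipaddress.ip_network, nets):
            if addr in net and net.prefixlen > best_len:
                best_name, best_len = name, net.prefixlen
    return best_name


def is_allowed(src_ip, transport, dport):
    """Default deny: True only if the source's zone lists a matching service."""
    return any(PROTOCOLS[s] == (transport, dport) for s in POLICY[zone_of(src_ip)])


def iptables_rules():
    """Render POLICY as iptables INPUT rules (text only, nothing is applied).
    Each named zone gets its ACCEPTs and then a DROP for its whole network,
    so the unqualified Internet-zone ACCEPTs at the end never see LAN traffic."""
    rules = ["-P INPUT DROP",
             "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    named = [(ipaddress.ip_network(n), z) for z, nets in ZONES.items() for n in nets]
    for net, zone in sorted(named, key=lambda x: -x[0].prefixlen):   # most specific first
        for svc in sorted(POLICY[zone]):
            transport, port = PROTOCOLS[svc]
            rules.append(f"-A INPUT -s {net} -p {transport} --dport {port} -j ACCEPT")
        rules.append(f"-A INPUT -s {net} -j DROP")
    for svc in sorted(POLICY["Internet"]):
        transport, port = PROTOCOLS[svc]
        rules.append(f"-A INPUT -p {transport} --dport {port} -j ACCEPT")
    return rules


if __name__ == "__main__":
    for src, transport, port in [("10.0.0.7", "tcp", 22), ("10.0.0.7", "tcp", 5900),
                                 ("203.0.113.5", "tcp", 22), ("203.0.113.5", "tcp", 80)]:
        print(f"{src:12} {transport}/{port:<5} {zone_of(src):9} "
              f"{'allow' if is_allowed(src, transport, port) else 'deny'}")
    print("\n".join("iptables " + r for r in iptables_rules()))
```

Compare the policy table with the rendered rules: VNC is reachable only from 127.0.0.0/8, SSH only from the LAN and localhost, and the Internet zone's HTTP rule sits below the LAN DROP, which is exactly the ordering you want to check for in any generated script.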

If you want to use your desktop machine as a router and firewall for a bunch of machines, you may need to set up Network Address Translation (NAT) using IP Masquerade. That's a bit beyond the scope of this article, and Guarddog. To set your system up as a router, have a look at Guidedog instead.

It may take a little tweaking to get everything set up the way you want it with Guarddog, but it's probably worth the time and effort.

Either Lokkit or Guarddog should be sufficient to protect your Linux desktop. If neither of these strikes your fancy, Ubuntu does offer other firewall configuration tools that might be more to your liking.

.: Firewall configuration

Posted by swilsarblog Friday, April 3, 2009

For squid, download version 2.5stable10 from www.linuxpackages.net (squid2.5stable10-i486-1maew.tgz). For the firewall, download version 2.0rc9
from projectfiles.com/firewall (firewall_install.sh). I went for the simple ones so they would not be complicated to maintain.

Since squid already comes as a .tgz package (a Slackware package, which is what installpkg is for), installing it is one command:
# installpkg squid2.5stable10-i486-1maew.tgz

For the configuration (feel free to use mine as an example):
----------------------------------------------
# WELCOME TO SQUID 2
# ------------------
### no caching of cgi output ..................
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
### cache settings ............................
cache_mem 16 MB
maximum_object_size 4096 KB
maximum_object_size_in_memory 16 KB
# log_mime_hdrs on
# ftp_passive on
### timeouts ..................................
forward_timeout 3 minutes
connect_timeout 2 minutes
read_timeout 4 minutes
request_timeout 1 minutes
### access list ...............................
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# http_access lines are tried top to bottom; the first line whose ACLs all match decides
# cache manager interface only from the proxy host itself
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
### access control ............................
# one regular expression per line in each file; url_regex is case-sensitive,
# use "url_regex -i" if SEX should be caught as well as sex
acl porn url_regex "/etc/squid/porn"
acl noporn url_regex "/etc/squid/noporn"
# keep this above the client allow lines, or an allowed client walks past the block
http_access deny porn !noporn
acl our_MASTER src 192.168.0.100
http_access allow our_MASTER
# ACLs on one http_access line are ANDed, so "allow our_MASTER localhost" could never
# match (a request cannot come from both addresses); allow localhost on its own
http_access allow localhost
###################### all clients ............
acl wjr1 src 192.168.0.1
acl wjr2 src 192.168.0.2
acl wjr3 src 192.168.0.3
acl wjr4 src 192.168.0.4
###################### client 1 ...............
#http_access allow wjr1
####################### client 2 ..............
#http_access allow wjr2
####################### client 3 ..............
#http_access allow wjr3
####################### client 4 ..............
#http_access allow wjr4
#######################
# anything not allowed above is denied
http_access deny all
logfile_rotate 5
---------------------------------------------

Next, create the cache directories (-z, only needed the first time) and start squid in the foreground with DNS tests disabled (-ND):
# squid -z
# squid -ND &

OK, that is the whole configuration for managing the 4 clients of my small warnet (Internet cafe). To enable a client, just remove the # in front of its http_access allow wjr... line,
then tell squid to reload its configuration:
# squid -k reconfigure
One caveat: these ACLs key on the source IP address only, so a client that changes its own address to 192.168.0.100 inherits the master's unrestricted access, and one that takes 192.168.0.2 gets client 2's. Pin addresses with static DHCP leases or port filtering on the switch, or replace the per-client allow lines with proxy authentication, if the clients are not under your control.
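The rule evaluation behind that configuration, as an added example in Python; it is not Squid's code and models only the ACL types the config above uses (src, port, proto, method, url_regex). It implements Squid's http_access semantics: lines are tried top to bottom, the first line whose ACLs all match decides, ACLs on one line are ANDed, and if nothing matches the opposite of the last line's action applies. CONFIG is a constructed excerpt of that squid.conf, with inline regexes standing in for the /etc/squid/porn and /etc/squid/noporn files, and the original "allow our_MASTER localhost" line kept so that its behaviour can be checked; enable_client() does what the post does by hand, removing the # in front of a client's allow line.

```python
"""First-match evaluation of Squid http_access rules: added example, not
Squid's code. The config is a constructed excerpt of the post's squid.conf."""
import ipaddress
import re

CONFIG = """
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 1025-65535
acl CONNECT method CONNECT
acl porn url_regex sex xxx
acl noporn url_regex sussex
acl our_MASTER src 192.168.0.100
acl wjr1 src 192.168.0.1
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny porn !noporn
http_access allow our_MASTER
http_access allow our_MASTER localhost
#http_access allow wjr1
http_access deny all
"""

DEFAULT_PORT = {"http": 80, "https": 443, "ftp": 21, "cache_object": 3128}


def parse(text):
    """Collect acl definitions (same-name lines merge) and http_access lines in order."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()    # '#' starts a comment, so '#http_access' is inert
        if not words:
            continue
        if words[0] == "acl":
            name, kind, values = words[1], words[2], words[3:]
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def build_request(src, method, url):
    """Derive the fields the ACLs look at. CONNECT carries host:port, not a URL."""
    if method == "CONNECT":
        return {"src": src, "method": method, "url": url, "proto": "",
                "port": int(url.rpartition(":")[2])}
    scheme, _, rest = url.partition("://")
    netloc = rest.split("/", 1)[0]
    _, sep, port = netloc.rpartition(":")
    port = int(port) if sep and port.isdigit() else DEFAULT_PORT.get(scheme, 0)
    return {"src": src, "method": method, "url": url, "proto": scheme, "port": port}


def port_in(spec, port):
    lo, _, hi = spec.partition("-")          # "443" or "1025-65535"
    return int(lo) <= port <= int(hi or lo)


def acl_matches(acls, term, req):
    negate = term.startswith("!")
    kind, values = acls[term.lstrip("!")]
    if kind == "src":
        hit = any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v, strict=False)
                  for v in values)
    elif kind == "port":
        hit = any(port_in(v, req["port"]) for v in values)
    elif kind == "method":
        hit = req["method"] in values
    elif kind == "proto":
        hit = req["proto"] in values
    elif kind == "url_regex":
        hit = any(re.search(v, req["url"]) for v in values)   # case-sensitive, as without -i
    else:
        raise ValueError(f"acl type {kind!r} not modelled here")
    return hit != negate


def http_access(config, src, method, url):
    """True if Squid would allow the request, False if it would deny it."""
    acls, rules = parse(config)
    req = build_request(src, method, url)
    last = None
    for action, terms in rules:
        last = action
        if all(acl_matches(acls, t, req) for t in terms):   # ACLs on one line are ANDed
            return action == "allow"
    return last == "deny"    # nothing matched: the opposite of the last line's action


def enable_client(config, name):
    """Remove the '#' in front of one client's allow line, as the post does by hand."""
    return re.sub(rf"^#\s*(http_access allow {re.escape(name)})\s*$", r"\1", config, flags=re.M)


if __name__ == "__main__":
    for src, method, url in [("192.168.0.1", "GET", "http://example.com/"),
                             ("192.168.0.100", "GET", "http://example.com/xxx.html"),
                             ("127.0.0.1", "GET", "http://example.com/")]:
        verdict = "allow" if http_access(CONFIG, src, method, url) else "deny"
        print(f"{src:14} {method} {url} -> {verdict}")
```

Two results are worth noting: localhost is denied ordinary requests because "allow our_MASTER localhost" requires a request to come from both addresses at once, and the master workstation is still blocked from a URL containing xxx because the porn deny line sits above its allow line. Reordering those two lines would silently exempt the master from the block, which is the kind of change this evaluator lets you test before running squid -k reconfigure.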

So how do you install the firewall?
That part is even easier. Just run the script you downloaded:
# sh firewall_install.sh
Follow all the prompts and the firewall ends up installed
safely, protecting the PC from attacks from "outside" on the Net. Check the result afterwards with iptables -L -n -v; an installer script you have not read is only as good as the rules it happens to write.