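A.2. Commands for fixing and flushing iptables
Even if you make a complete mess of your iptables, there are very effective commands for sorting it out without rebooting the computer. I have received many questions about this, so I thought it best to answer them here. If you have added a faulty rule and want to delete it, just change -A to -D in the command. iptables will then find the faulty rule and delete it, but if your ruleset contains several identical rules, it deletes only the first one it finds. If you do not want that to happen, delete by rule number instead. For example, to delete the 10th rule in the INPUT chain, use iptables -D INPUT 10.
Another case is flushing a whole chain, which is done with the -F option. For example, to flush the entire INPUT chain, the command is iptables -F INPUT. Note, however, that -F does not change the chain's default policy. So if the INPUT chain we flushed has a policy of DROP, it will still block every packet. How do you reset the policy, then? Remember how the DROP policy was set; use the same method. For example, to change the policy of the INPUT chain to ACCEPT, use iptables -P INPUT ACCEPT.
I have written a script that flushes and resets iptables, called rc.flush-iptables.txt (its code is in the appendix), which you will probably find useful when writing your own firewall scripts. It will not help, however, if you have been experimenting in the mangle table and caused problems there. Because the rc.firewall.txt script does not use the mangle table, I did not add the corresponding reset to rc.flush-iptables.txt either.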
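An added example, not the author's rc.flush-iptables.txt: one way to reset a table, mangle included, by reading the built-in chains and their policies from the "Chain NAME (policy X)" header lines of iptables -L and setting each policy to ACCEPT before flushing. The names reset_table, reset_all, TABLES and the --apply switch are assumptions of this example.

```shell
#!/bin/sh
# Added example; not the tutorial's rc.flush-iptables.txt.
# reset_table, reset_all, TABLES and --apply are names made up for this example.

IPTABLES="${IPTABLES:-iptables}"
TABLES="${TABLES:-filter nat mangle}"

# Reset one table: open the policy of every built-in chain, then flush the
# table and delete its user-defined chains.
reset_table() {
    table=$1
    # Built-in chains are listed as "Chain INPUT (policy DROP)";
    # user-defined chains as "Chain name (N references)" and have no policy.
    $IPTABLES -t "$table" -L -n | while read -r word chain tag policy rest; do
        if [ "$word" = "Chain" ] && [ "$tag" = "(policy" ]; then
            policy=${policy%\)}
            # -F leaves the policy untouched, so a DROP policy has to be
            # changed explicitly or the flushed chain still blocks everything.
            if [ "$policy" != "ACCEPT" ]; then
                $IPTABLES -t "$table" -P "$chain" ACCEPT
            fi
        fi
    done
    $IPTABLES -t "$table" -F    # remove every rule in every chain of the table
    $IPTABLES -t "$table" -X    # delete the now empty user-defined chains
}

# Reset every table named in TABLES.
reset_all() {
    for t in $TABLES; do
        reset_table "$t"
    done
}

# Nothing is changed unless the script is called with --apply.
if [ "${1:-}" = "--apply" ]; then
    reset_all
fi
```

Setting the policies before flushing matters on a remote session: flushing first would leave a DROP policy with no ACCEPT rules in front of it.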
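Appendix B. Common problems and questions
B.1. Problems loading modules
You may run into a few problems when loading modules. For example, you may get an error saying that there is no module by the name you specified:
insmod: iptable_filter: no module by that name found
This message is not a cause for concern in itself, because those modules have quite possibly been compiled statically into the kernel. That is the first thing you should think of when you see this message. The simplest way to test whether that is really the case is to run a command that uses the module's functionality. In the case above, the filter table may not be loaded, in which case its functionality is missing and the filter table cannot be used. To check whether the filter table is loaded, try the following command:
iptables -t filter -L
This command either prints all the chains in the filter table or fails with an error message. If everything is fine, the output looks something like the following, depending on whether you have added rules to the filter table (translator's note: in this example the table is empty).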
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
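If you really do not have the filter table loaded, you get the following message instead:
iptables v1.2.5: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
This is somewhat more serious, and the message tells us two things: first, the functionality really has not been compiled into the kernel; second, the module was not found in the directory where modules normally live. This means that either you forgot to load the module you want, or you did not update the module database with depmod -a, or the functionality has not been compiled into the kernel at all (neither statically nor as a module). There may of course be other causes, but these are the main ones, and in any case most of them are easy to fix. The first problem, for example, can be solved simply by running make modules_install in the kernel source directory, provided that the source has already been compiled and the modules have been built. The second is also simple to solve: just run depmod -a and then see whether things work. The third is somewhat outside our scope, and it will more or less leave you feeling dizzy. More information can be found at the Linux Documentation Project.
When running iptables you may also get another error message:
iptables: No chain/target/match by that name
This means that the chain, target or match you want to use does not exist. There can be many reasons, but the most common is that you misspelled the name. The error also occurs when you try to use a module that is not available. A module may be unavailable because you did not load the right module, because the kernel does not include it, or because iptables failed to load it automatically. In general, you should consider not only all the solutions mentioned above, but also a misspelled target in the rule, or some other cause.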
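B.2. State NEW packets with the SYN bit unset
iptables has a "feature" that is not well documented, so many people (myself included, of course) have overlooked it. The feature is this: if you use state NEW, packets with the SYN bit unset will also get through the firewall. The feature exists because in some cases we want to treat such a packet as part of a connection that is already ESTABLISHED on, say, another firewall. It makes it possible to have two or more firewalls working together, and to transfer data between servers without loss, for example when a secondary firewall takes over the operation of the subnet's firewall. But it also leads to this: state NEW will let in almost any kind of TCP connection, regardless of whether a three-way handshake took place. To deal with this, we need to add the following rules to the firewall's INPUT, OUTPUT and FORWARD chains (translator's note: the author calls these the "NEW not SYN rules"; they come up again in the next section):
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
Warning: in the Netfilter/iptables project, the behavior of this feature lacks documentation; more to the point, it is a very insecure factor on your firewall.
Note that this rule is still somewhat problematic when used with packets generated by Microsoft's TCP/IP (Microsoft's TCP/IP implementation is simply bad, at least for now). If a packet is generated by a Microsoft product and is labeled as state NEW, it is logged and then dropped by this rule. That looks like the rule is working fine, doesn't it? But this is exactly where the problem lies, because the connection cannot be torn down. The problem occurs when the connection is closed: after the last packet, the FIN/ACK, has been sent, Netfilter's state machine closes the connection and deletes the corresponding entry from the connection tracking table. Just at that moment, Microsoft's faulty code sends another packet, which is one of those packets with SYN unset that is considered state NEW, so it is matched by the rule above. In other words, you do not need to worry too much about this rule; if you do care about it, add the --log-headers option to the rule. That way the packet headers are logged and you can get a better idea of what the packets look like.
There are some more known problems with this rule. For example, suppose a connection (say, from the LAN) is already established to the firewall, and there is a script that is activated when PPP comes up. When you start the PPP connection, that existing connection may be killed. This only happens under specific conditions, namely when you run conntrack and nat as modules and both modules are loaded and unloaded every time the script runs. If you run telnet from a machine outside the firewall and run the rc.firewall.txt script over that telnet connection, you get the same problem. To put it simply: set up a telnet connection or some other stream connection, then load the connection tracking modules, then load the rules above, and finally try to send some data with the telnet client or daemon. The effect should now show: the connection tracking code considers the connection illegal, because it has not seen packets in any direction before this, and, worse, there are now packets without SYN set on the connection, since the packet just sent by the telnet client or daemon is certainly not the first packet of the connection. So the rule above takes effect: the packet is logged and then mercilessly dropped, and the connection breaks.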
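An added example (not from the tutorial) for reviewing what the LOG rule above records: it groups "New not syn:" entries by source address, destination port and TCP flags, so that recurring entries, such as the packets sent after a connection has closed, can be told apart by their flags. It assumes the usual netfilter LOG line layout (SRC=, DPT=, flag names between RES= and URGP=); the function names and all log lines are constructed for this example.

```shell
#!/bin/sh
# Added example; the function names and the sample lines are constructed here.

# Read syslog lines on stdin and print "COUNT SRC DPT FLAGS" for every
# distinct source / destination port / TCP flag set that was logged with the
# "New not syn:" prefix, most frequent first.
summarize_new_not_syn() {
    awk '
    /New not syn:/ {
        src = ""; dpt = ""; flags = ""; in_flags = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)       src = substr($i, 5)
            else if ($i ~ /^DPT=/)  dpt = substr($i, 5)
            else if ($i ~ /^RES=/)  in_flags = 1    # flag names follow RES=
            else if ($i ~ /^URGP=/) in_flags = 0    # and stop before URGP=
            else if (in_flags)      flags = (flags == "" ? $i : flags "+" $i)
        }
        if (flags == "") flags = "none"
        count[src " " dpt " " flags]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample log. The prefix in the rule has no trailing space, so
# the kernel writes it directly in front of "IN=". The fourth line carries a
# different, made-up prefix and must be ignored.
sample_log() {
    cat <<'EOF'
Oct 12 10:00:01 fw kernel: New not syn:IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=4711 DF PROTO=TCP SPT=1045 DPT=80 WINDOW=0 RES=0x00 ACK FIN URGP=0
Oct 12 10:00:07 fw kernel: New not syn:IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=4720 DF PROTO=TCP SPT=1046 DPT=80 WINDOW=0 RES=0x00 ACK FIN URGP=0
Oct 12 10:01:30 fw kernel: New not syn:IN=eth1 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:03:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=901 DF PROTO=TCP SPT=40222 DPT=23 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Oct 12 10:01:31 fw kernel: Other prefix: IN=eth1 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:03:08:00 SRC=198.51.100.9 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=77 DF PROTO=TCP SPT=40300 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 12 10:02:00 fw kernel: New not syn:IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=4731 DF PROTO=TCP SPT=1045 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
EOF
}

sample_log | summarize_new_not_syn
```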
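B.3. SYN/ACK packets in state NEW
Some TCP spoofing attacks use a technique called Sequence Number Prediction. In this kind of attack, the attacker uses another machine's IP address to access the target (translator's note: this is why it is called spoofing; the attacker wants to impersonate another machine that the target trusts, in order to deceive the target), and then tries to predict which sequence numbers the target uses.
Let's look at how typical spoofing with sequence number prediction works. The players: the attacker [A] tries to send data to the victim [V] while pretending to be another host [O].
1. [A] sends a SYN to [V] with the IP address of [O] as the source address.
2. [V] replies to [O] with a SYN/ACK.
3. Now, if [O] answers this unknown SYN/ACK with a RST, the attack fails. But what if [O] is no longer able to do so? For example, it may already have been knocked out by another attack (such as a SYN flood), or be switched off, or its RST packets may be rejected by a firewall.
4. If [O] fails to break the connection and [A] guesses the sequence number correctly, [A] can talk to [V] as [O].
As long as we fail to answer that unknown SYN/ACK packet with a RST in step 3, [V] will be attacked, and we will be implicated as well (translator's note: because we ourselves have been attacked too, and may even be prosecuted as the attacker's scapegoat; how miserable). So, to be safe, we should send a RST packet to [V] in the proper way. If we use something like the "NEW not SYN rules" (translator's note: from the previous section), the SYN/ACK packets would simply be dropped. Therefore, we added the following rule to the bad_tcp_packets chain:
iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
This way, your chances of becoming the [O] above are quite small (translator's note: the author has a sense of humor; we certainly do not want to be used by others). The rule is safe in the vast majority of cases and has no side effects, except where several firewalls have to work together. In that situation the firewalls frequently pass and accept packets or streams between each other, and with this rule some connections may be blocked even though they are legitimate. The rule also causes another issue: some portscans (port scanners) will be able to see our firewall, but fortunately nothing more than that.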
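B.4. ISPs that use private IP addresses
A friend of mine told me that I had completely forgotten something, and that is why I added this section. The network you connect to when you go online is provided by your ISP, but certain stupid ISPs use private addresses in that network, addresses that IANA has assigned specifically for use in local area networks. The Swedish Internet Service Provider and telephone monopoly Telia does this; on their DNS servers, for example, they use addresses in the 10.x.x.x range. The problem we are most likely to run into is that this script, to prevent spoofing, does not allow connections from 10.x.x.x to reach us. Unfortunately, in the example above, we have to relax the rules a little so that DNS can be reached normally. That is, we either insert a rule (shown below) above the anti-spoofing rule just mentioned, or comment that rule out:
/usr/local/sbin/iptables -t nat -I PREROUTING -i eth1 -s 10.0.0.1/32 -j ACCEPT
I would like to say a few more words to these ISPs. These IP addresses were not assigned for you to use in this stupid way, at least not to my knowledge. For a large corporate site or our own home networks this use is perfectly fine, but you should not force us to open ourselves up to the world just because of some reason of yours.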
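B.5. Letting DHCP traffic through
Once you understand how DHCP works, this is really a simple task. But you must be careful about whom you let in and whom you do not. First, DHCP runs over UDP, so the UDP protocol is the first condition to look for. Second, we should check which interface the requests are received and sent on. For example, if DHCP is set up to use interface eth0, DHCP requests on eth1 should be blocked. To make the rule more specific, we only allow the UDP ports that DHCP actually uses, normally 67 and 68. These two ports are defined by the standard, and we use them to match the packets that are allowed. The rule should now look like this:
$IPTABLES -I INPUT -i $LAN_IFACE -p udp --dport 67:68 --sport 67:68 -j ACCEPT
Note that we now accept all data to and from UDP ports 67 and 68. That may not seem very secure, but it is not much of a problem, because the rule only lets in hosts connecting from port 67 or 68. The rule could of course be stricter, but it should be enough to accept all DHCP requests and updates without opening a big hole in the firewall. If you are concerned that the rule is too loose, you are of course free to write a more restrictive one.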
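B.6. Problems with mIRC DCC
mIRC has a special setting that lets mIRC connections pass through a firewall and lets DCC connections work without the firewall knowing about them. If this option is used together with iptables and the ip_conntrack_irc and ip_nat_irc modules, mIRC will not work. The problem is that mIRC automatically NATs the packets itself, so when a packet reaches the firewall, the firewall has no idea what to do with it or how. If the firewall handles it, it simply queries the IRC server with its own IP and then sends the DCC request with that address. mIRC does not expect the firewall to be clever enough to take over handling of the packet in this way.
Turning on the "I am behind a firewall" configuration option while using the ip_conntrack_irc and ip_nat_irc modules causes Netfilter to create log entries containing "Forged DCC send packet".
The simplest solution is to leave that mIRC option unchecked and let iptables do the work. In other words, tell mIRC explicitly that it is not behind a firewall.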
Appendix C. ICMP types
This is a complete list of ICMP types:
Table C-1. ICMP types
TYPE  CODE  Description                                             Query  Error
0     0     Echo Reply (ping reply)                                 x
3     0     Network Unreachable                                            x
3     1     Host Unreachable                                               x
3     2     Protocol Unreachable                                           x
3     3     Port Unreachable                                               x
3     4     Fragmentation needed but no frag. bit set                      x
3     5     Source routing failed                                          x
3     6     Destination network unknown                                    x
3     7     Destination host unknown                                       x
3     8     Source host isolated (obsolete)                                x
3     9     Destination network administratively prohibited                x
3     10    Destination host administratively prohibited                   x
3     11    Network unreachable for TOS                                    x
3     12    Host unreachable for TOS                                       x
3     13    Communication administratively prohibited by filtering         x
3     14    Host precedence violation                                      x
3     15    Precedence cutoff in effect                                    x
4     0     Source quench (basic flow control)
5     0     Redirect for network
5     1     Redirect for host
5     2     Redirect for TOS and network
5     3     Redirect for TOS and host
8     0     Echo request (ping request)                             x
9     0     Router advertisement
10    0     Route solicitation
11    0     TTL equals 0 during transit                                    x
11    1     TTL equals 0 during reassembly                                 x
12    0     IP header bad (catchall error)                                 x
12    1     Required options missing                                       x
13    0     Timestamp request (obsolete)                            x
14          Timestamp reply (obsolete)                              x
15    0     Information request (obsolete)                          x
16    0     Information reply (obsolete)                            x
17    0     Address mask request                                    x
18    0     Address mask reply                                      x
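Appendix D. Other resources and links
Here is a list of links to resources where I got a lot of information, and which should be helpful to you as well:
ip-sysctl.txt: from the 2.4.14 kernel, a short and well-written reference on the IP networking control parameters.
The Internet Control Message Protocol: a good and detailed article on the ICMP protocol, written by Ralph Walden.
RFC 792 - Internet Control Message Protocol: the authoritative document on ICMP, and the first place to look if you want information on the ICMP protocol. Written by J. Postel.
RFC 793 - Transmission Control Protocol: the authoritative document on TCP, which has been the TCP specification since 1981. If you want to learn TCP, this highly technical document is a must-read. Written by J. Postel.
ip_dynaddr.txt: from the 2.4.14 kernel, a reference on setting ip_dynaddr through sysctl and the proc file system.
iptables.8: the iptables 1.2.4 man page, in an HTML version. A very good reference when reading and writing iptables rules; you should keep it at hand.
Firewall rules table: a small PDF file provided by Stuart Clark, containing a reference form for firewall configuration, which is helpful when writing your own firewall rules.
http://www.netfilter.org/: the official Netfilter and iptables site, a must for everyone who intends to set up iptables and Netfilter on Linux.
http://www.netfilter.org/documentation/index.html#FAQ: the official Netfilter Frequently Asked Questions, a good place to start learning about iptables and Netfilter.
http://www.netfilter.org/unreliable-guides/packet-filtering-HOWTO/index.html: a very good basic guide to packet filtering that explains how to filter packets with iptables. Written by Rusty Russell, one of the core developers of iptables and Netfilter.
http://www.netfilter.org/unreliable-guides/NAT-HOWTO/index.html: a good guide to Network Address Translation. Written by Rusty Russell, one of the core developers of iptables and Netfilter.
http://www.netfilter.org/unreliable-guides/netfilter-hacking-HOWTO/index.html: one of the very few documents on how to write code in the Netfilter and iptables user space and kernel space. Also written by Rusty Russell.
http://www.linuxguruz.org/iptables/: a good page of resource links covering most of the iptables links on the Internet; in particular, it contains links to many iptables scripts written for different purposes.
http://www.islandsoft.net/veerapen.html: this article discusses the possibility of automatically hardening iptables, and how small changes can make your computer automatically add hostile sites to a special "ban list" in iptables.
/etc/protocols: this file was taken from the Slackware distribution. You can use it to look up the protocol number of a protocol such as IP, ICMP or TCP.
/etc/services: this file was also taken from the Slackware distribution. It is well worth reading to get a general idea of which protocols use which ports.
Internet Engineering Task Force: the IETF is one of the largest organizations that define and maintain Internet standards. Many large corporate groups and individuals are members, working together to ensure the interoperability of the Internet.
Linux Advanced Routing and Traffic Control HOW-TO: this site mainly covers Linux advanced routing and traffic control; the HOW-TO is the largest and best document on Linux advanced routing. Written by Bert Hubert.
Paksecured Linux Kernel patches: this site contains all the kernel patches written by Matthew G. Marsh; the FTOS patch is available here.
ULOGD project page: the site of ULOGD.
The Linux Documentation Project: an excellent (arguably the best) site for Linux documentation. Most of the larger Linux documents are here; if something is not in the TLDP, you will have to search the net carefully. If you want to know more, go and have a look.
http://kalamazoolinux.org/presentations/20010417/conntrack.html: this article contains an excellent example demonstrating the conntrack module and how it works in Netfilter. If you want to read more about conntrack, this one is a must.
http://www.docum.org/: this site has everything about CBQ (Class Based Queue), tc and the ip command, and is one of the very few sites that do. Maintained by Stef Coene.
http://lists.samba.org/mailman/listinfo/netfilter: the official Netfilter mailing list, extremely useful. If you run into problems that this document or the links here cannot solve, this is your savior.
Of course, there are more resources than the ones I have listed, such as the iptables source and documentation, and many friends who can help you.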
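Appendix E. Acknowledgements
Many people gave me generous help while I was writing this document, and I would like to thank them:
Fabrice Marie, for major corrections to my horrible grammar and spelling, and for converting this guide to DocBook with make files and other tools.
Marc Boucher, for helping me a lot with the use of the state matching code.
Frode E. Nyboe, for greatly improving the rc.firewall rules and giving me a lot of inspiration when I was rewriting the ruleset and bringing the multiple table traversing into the same file.
Chapman Brad, Alexander W. Janssen, for making me realize that my initial understanding of how packets traverse the nat and filter tables was wrong, and for giving me the right order.
Michiel Brandenburg, Myles Uyema, for helping me with some of the state matching code and getting it to work.
Kent `Artech' Stahre, for helping me with the graphics and with error checking.
Anders 'DeZENT' Johansson, for pointing out that some strange ISPs use reserved addresses on the Internet, at least in his case.
Jeremy `Spliffy' Smith, for pointing out parts that could confuse people, and for helping me test and check for errors.
And many more people whom I have talked with and asked for advice, and whom I cannot all mention here.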
Appendix F. History
Version 1.1.19 (21 May 2003)
By: Oskar Andreasson
Contributors: Peter van Kampen, Xavier Bartol, Jon Anderson, Thorsten Bremer
and Spanish Translation Team.
Version 1.1.18 (24 Apr 2003)
By: Oskar Andreasson
Contributors: Stuart Clark, Robert P. J. Day, Mark Orenstein and Edmond Shwayri.
Version 1.1.17 (6 Apr 2003)
By: Oskar Andreasson
Contributors: Geraldo Amaral Filho, Ondrej Suchy, Dino Conti, Robert P. J. Day,
Velev Dimo, Spencer Rouser, Daveonos, Amanda Hickman, Olle Jonsson and
Bengt Aspvall.
Version 1.1.16 (16 Dec 2002)
By: Oskar Andreasson
Contributors: Clemens Schwaighower, Uwe Dippel and Dave Wreski.
Version 1.1.15 (13 Nov 2002)
By: Oskar Andreasson
Contributors: Mark Sonarte, A. Lester Buck, Robert P. J. Day, Togan Muftuoglu,
Antony Stone, Matthew F. Barnes and Otto Matejka.
Version 1.1.14 (14 Oct 2002)
By: Oskar Andreasson
Contributors: Carol Anne, Manuel Minzoni, Yves Soun, Miernik, Uwe Dippel,
Dave Klipec and Eddy L O Jansson.
Version 1.1.13 (22 Aug 2002)
http://iptables-tutorial.haringstad.com
By: Oskar Andreasson
Contributors: Tons of people reporting bad HTML version.
Version 1.1.12 (19 Aug 2002)
http://www.netfilter.org/tutorial/
By: Oskar Andreasson
Contributors: Peter Schubnell, Stephen J. Lawrence, Uwe Dippel, Bradley
Dilger, Vegard Engen, Clifford Kite, Alessandro Oliveira, Tony Earnshaw,
Harald Welte, Nick Andrew and Stepan Kasal.
Version 1.1.11 (27 May 2002)
http://www.netfilter.org/tutorial/
By: Oskar Andreasson
Contributors: Steve Hnizdur, Lonni Friedman, Jelle Kalf, Harald Welte,
Valentina Barrios and Tony Earnshaw.
Version 1.1.10 (12 April 2002)
http://www.boingworld.com/workshops/linux/iptables-tutorial/
By: Oskar Andreasson
Contributors: Jelle Kalf, Theodore Alexandrov, Paul Corbett, Rodrigo
Rubira Branco, Alistair Tonner, Matthew G. Marsh, Uwe Dippel, Evan
Nemerson and Marcel J.E. Mol.
Version 1.1.9 (21 March 2002)
http://www.boingworld.com/workshops/linux/iptables-tutorial/
By: Oskar Andreasson
Contributors: Vince Herried, Togan Muftuoglu, Galen Johnson, Kelly Ashe, Janne
Johansson, Thomas Smets, Peter Horst, Mitch Landers, Neil Jolly, Jelle Kalf,
Jason Lam and Evan Nemerson.
Version 1.1.8 (5 March 2002)
http://www.boingworld.com/workshops/linux/iptables-tutorial/
By: Oskar Andreasson
Version 1.1.7 (4 February 2002)
http://www.boingworld.com/workshops/linux/iptables-tutorial/
By: Oskar Andreasson
Contributors: Parimi Ravi, Phil Schultz, Steven McClintoc, Bill Dossett,
Dave Wreski, Erik Sjölund, Adam Mansbridge, Vasoo Veerapen, Aladdin and
Rusty Russell.
Version 1.1.6 (7 December 2001)
http://people.unix-fu.org/andreasson/
By: Oskar Andreasson
Contributors: Jim Ramsey, Phil Schultz, Göran Båge, Doug Monroe, Jasper
Aikema, Kurt Lieber, Chris Tallon, Chris Martin, Jonas Pasche, Jan
Labanowski, Rodrigo R. Branco, Jacco van Koll and Dave Wreski.
Version 1.1.5 (14 November 2001)
http://people.unix-fu.org/andreasson/
By: Oskar Andreasson
Contributors: Fabrice Marie, Merijn Schering and Kurt Lieber.
Version 1.1.4 (6 November 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Stig W. Jensen, Steve Hnizdur, Chris Pluta and Kurt Lieber.
Version 1.1.3 (9 October 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Joni Chu, N.Emile Akabi-Davis and Jelle Kalf.
Version 1.1.2 (29 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Version 1.1.1 (26 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Dave Richardson.
Version 1.1.0 (15 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Version 1.0.9 (9 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Version 1.0.8 (7 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Version 1.0.7 (23 August 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Fabrice Marie.
Version 1.0.6
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Version 1.0.5
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Fabrice Marie.
Appendix G. GNU Free Documentation License
Version 1.1, March 2000
Copyright (C) 2000 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
0. PREAMBLE
The purpose of this License is to make a manual, textbook, or other written document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.
This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.
We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.
1. APPLICABILITY AND DEFINITIONS
This License applies to any manual or other work that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you".
A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.
A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (For example, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.
The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License.
The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License.
A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, whose contents can be viewed and edited directly and straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup has been designed to thwart or discourage subsequent modification by readers is not Transparent. A copy that is not "Transparent" is called "Opaque".
Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML designed for human modification. Opaque formats include PostScript, PDF, proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML produced by some word processors for output purposes only.
The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text.
2. VERBATIM COPYING
You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.
You may also lend copies, under the same conditions stated above, and you may publicly display copies.
3. COPYING IN QUANTITY
If you publish printed copies of the Document numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.
If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.
If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a publicly-accessible computer-network location containing a complete Transparent copy of the Document, free of added material, which the general network-using public has access to download anonymously at no charge using public-standard network protocols. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.
It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.
4. MODIFICATIONS
You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:
Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions (which should, if there were any, be listed in the History section of the Document). You may use the same title as a previous version if the original publisher of that version gives permission.
List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has less than five).
State on the Title page the name of the publisher of the Modified Version, as the publisher.
Preserve all the copyright notices of the Document.
Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.
Include, immediately after the copyright notices, a license notice giving the public permission to use the Modified Version under the terms of this License, in the form shown in the Addendum below.
Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice.
Include an unaltered copy of this License.
Preserve the section entitled "History", and its title, and add to it an item stating at least the title, year, new authors, and publisher of the Modified Version as given on the Title Page. If there is no section entitled "History" in the Document, create one stating the title, year, authors, and publisher of the Document as given on its Title Page, then add an item describing the Modified Version as stated in the previous sentence.
Preserve the network location, if any, given in the Document for public access to a Transparent copy of the Document, and likewise the network locations given in the Document for previous versions it was based on. These may be placed in the "History" section. You may omit a network location for a work that was published at least four years before the Document itself, or if the original publisher of the version it refers to gives permission.
In any section entitled "Acknowledgements" or "Dedications", preserve the section's title, and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein.
Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section numbers or the equivalent are not considered part of the section titles.
Delete any section entitled "Endorsements". Such a section may not be included in the Modified Version.
Do not retitle any existing section as "Endorsements" or to conflict in title with any Invariant Section.
If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version's license notice. These titles must be distinct from any other section titles.
You may add a section entitled "Endorsements", provided it contains nothing but endorsements of your Modified Version by various parties--for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard.
You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.
The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.
5. COMBINING DOCUMENTS
You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice.
The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.
In the combination, you must combine any sections entitled "History" in the various original documents, forming one section entitled "History"; likewise combine any sections entitled "Acknowledgements", and any sections entitled "Dedications". You must delete all sections entitled "Endorsements."
6. COLLECTIONS OF DOCUMENTS
You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects.
You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.
7. AGGREGATION WITH INDEPENDENT WORKS
A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, does not as a whole count as a Modified Version of the Document, provided no compilation copyright is claimed for the compilation. Such a compilation is called an "aggregate", and this License does not apply to the other self-contained works thus compiled with the Document, on account of their being thus compiled, if they are not themselves derivative works of the Document.
If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one quarter of the entire aggregate, the Document's Cover Texts may be placed on covers that surround only the Document within the aggregate. Otherwise they must appear on covers around the whole aggregate.
8. TRANSLATION
Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License provided that you also include the original English version of this License. In case of a disagreement between the translation and the original English version of this License, the original English version will prevail.
9. TERMINATION
You may not copy, modify, sublicense, or distribute the Document except as expressly provided for under this License. Any other attempt to copy, modify, sublicense or distribute the Document is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.
10. FUTURE REVISIONS OF THIS LICENSE
The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/.
Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License "or any later version" applies to it, you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation.
How to use this License for your documents
To use this License in a document you have written, include a copy of the License in the document and put the following copyright and license notices just after the title page:
Copyright (c) YEAR YOUR NAME. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with the Invariant Sections being LIST THEIR TITLES, with the Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST. A copy of the license is included in the section entitled "GNU Free Documentation License".
If you have no Invariant Sections, write "with no Invariant Sections" instead of saying which ones are invariant. If you have no Front-Cover Texts, write "no Front-Cover Texts" instead of "Front-Cover Texts being LIST"; likewise for Back-Cover Texts.
If your document contains nontrivial examples of program code, we recommend releasing these examples in parallel under your choice of free software license, such as the GNU General Public License, to permit their use in free software.
Appendix H. GNU General Public License
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
0. Preamble
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.
When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.
We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.
Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and modification follow.
1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.
You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.
You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.
You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.
You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.
In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: