Self-Test
The following questions will help you understand the material in this chapter. There are no multiple-choice questions on the Red Hat exams, and there are none in this book. These questions test your understanding of the chapter, and it is best if you treat them as tasks. Don't memorize the answers; that is no help on a Red Hat exam. A question may have more than one answer.
Securing Services with tcp_wrappers
1. If you allow a service in /etc/hosts.allow and also prohibit it in /etc/hosts.deny, what happens?
2. You start services with xinetd. How would you limit access to the Telnet service to the 192.168.170.0 network? Hint: the Telnet daemon is installed as /usr/kerberos/sbin/telnetd.
Firewalls and Packet Filtering
3. You need to connect your organization to the Internet, but you are concerned that there is no router between the Internet and your LAN. You happen to have a 400MHz PC with 256MB RAM and two network cards. Your network is a mix of Macintosh, Windows 2000 and Linux systems. You also want the system to reject unwanted packets. What would you do?
4. Consider the following command:
# iptables -A INPUT -s 192.168.77.77 -j REJECT
If you save this rule to your firewall, what happens when a client with the IP address 192.168.77.77 tries to connect to your system?
5. Which command saves iptables rules?
6. Where are iptables rules stored?
Network Address Translation
7. You need to connect a small office with a few users to the Internet, but you can't afford the cost of a public IP address for every system. What would you do?
8. Which iptables switch is used for masquerading?
SELinux
9. Which directive in /etc/sysconfig/selinux enables SELinux?
10. If you want SELinux to allow the vsFTP service access to users' home directories, what would you do?
11. Where are SELinux booleans stored?
12. What would you do to turn off SELinux?
Answers:
1. If you allow a service in /etc/hosts.allow and prohibit it in /etc/hosts.deny, the service is allowed.
2. You are using the xinetd program to start services. To limit Telnet access to clients on the 192.168.170.0 network, you'd allow access to the network in /etc/hosts.allow and deny it to all others in /etc/hosts.deny. As /usr/kerberos/sbin is in the root user path, you can cite telnetd directly and add the following directive to /etc/hosts.allow (remember, CIDR notation doesn't work in these files):
3. It's best to create a firewall using the iptables command. The standard Red Hat Security Level Configuration tool creates iptables commands that REJECT unwanted packets by default. You can even support Samba, which communicates natively with Microsoft and modern Macintosh systems; all you need is to allow access using the tool.
4. Based on the given command, any connection attempt (including pings) from the 192.168.77.77 system is rejected.
5. The command that saves iptables rules is iptables-save.
6. iptables rules are stored in /etc/sysconfig/iptables.
7. To set up a small office while providing Internet access to a small number of users, all you need is one dedicated IP address. The other addresses can be on a private network. Masquerading makes this possible.
8. The iptables command switch that sets up masquerading is -t nat.
9. The directive in /etc/sysconfig/selinux that activates Security Enhanced Linux is SELINUX=enabled.
10. If you want SELinux to allow reading of home directories via an FTP server, activate the Allow Ftp To Read/Write Files In The User Home Directories option. Alternatively, run the setsebool -P ftp_home_dir 1 command. Additional configuration is required in the vsFTP configuration file, as defined in Chapter 10.
11. Standard SELinux boolean directives are stored in the /selinux/booleans directory.
12. You can disable SELinux in a number of ways. You can do so directly in /etc/sysconfig/selinux by setting SELINUX=disabled. You can use the Security Level Configuration tool or even the SELinux Management Tool. You can even add the selinux=0 directive to the kernel configuration line in your GRUB bootloader. I can even visualize a situation where all these options are used, which would make it more difficult for an RHCE candidate to enable SELinux during an exam.
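As an added example (not from the book or this page), the following Python script models the tcp_wrappers access check behind answers 1 and 2: the hosts.allow and hosts.deny contents are constructed, and the daemon name telnetd with the trailing-dot prefix 192.168.170. is an assumption about how the rule would be written.

```python
# Added example, not from the book: a model of the tcp_wrappers lookup order.
# It shows why answer 1 holds (hosts.allow is searched first and the first
# match decides) and what the hosts.allow directive for answer 2 does.
# Only the rule subset needed here is modelled: daemon lists, ALL, exact
# addresses and the trailing-dot network prefix (CIDR notation is not used).

# Constructed stand-ins for /etc/hosts.allow and /etc/hosts.deny.
HOSTS_ALLOW = """
telnetd: 192.168.170.   # Telnet only from the 192.168.170.0 network
sshd: ALL               # allowed here although denied below (answer 1)
"""
HOSTS_DENY = """
sshd: ALL
ALL: ALL                # everything not allowed above is denied
"""

def parse_rules(text):
    """Return (daemons, clients) pairs, skipping blank lines and comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules

def client_matches(pattern, addr):
    """ALL, a network prefix such as '192.168.170.', or an exact address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return addr == pattern

def rule_matches(rule, daemon, addr):
    daemons, clients = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(client_matches(c, addr) for c in clients))

def access_allowed(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts.allow first, then hosts.deny; the first match decides and a
    client that matches neither file is allowed."""
    if any(rule_matches(r, daemon, addr) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, addr) for r in parse_rules(deny_text)):
        return False
    return True
```

Calling access_allowed("telnetd", "192.168.170.25") returns True while a client from 192.168.171.0 is refused, and sshd stays reachable despite the deny entry.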