
Appendix D. Glossary

This glossary defines terms and acronyms used in the book. Multiword terms are alphabetized on the major noun in the term, followed by a comma and the rest of the term.

ACCEPT

A firewall-filtering rule decision to pass a packet through to its next destination.



accept-everything-by-default policy

A policy that accepts all packets that don't match a firewall rule in the chain. Therefore, most firewall rules are DENY rules defining the exceptions to the default accept policy.



ACK

The TCP flag that acknowledges receipt of a previously received TCP segment.



application-level gateway

Often referred to as ALG, an application-level (or layer) gateway is an overloaded term. In firewall terms, ALG often refers to application-specific support modules that inspect application payload for embedded addresses and ports, and that recognize secondary streams associated with the session.

See also [proxy, application-level]


AUTH

TCP service port 113, associated with the identd user authentication server.



authentication

The process of determining that an entity is who or what it claims to be.



authorization

The process of determining what services and resources an entity can use.



bastion

See [firewall, bastion]



BIND

Berkeley Internet Name Domain, the Berkeley implementation of the DNS protocol.



BOOTP

Bootstrap Protocol, which is used by diskless workstations to discover their IP address and the location of the boot server, and to initiate the system download over TFTP before booting. BOOTP was developed to replace RARP.



BOOTPC

UDP service port 68, associated with the BOOTP and DHCP clients.



bootpd

The BOOTP server program.



BOOTPS

UDP service port 67, associated with the BOOTP and DHCP servers.



border router

A device to route packets that resides on the edge or boundary of a network.



broadcast

An IP packet that is addressed and sent to all interfaces connected to the same network or subnet.



CERT

Computer Emergency Response Team, an information coordination center and Internet security emergency prevention center formed at the Software Engineering Institute of Carnegie Mellon University after the Internet Worm incident in 1988.



CGI

Common Gateway Interface. CGI programs are local programs executed by the web server on behalf of the remote client. CGI programs are often Perl scripts, so these programs are often called CGI scripts.



chain

The list of rules defining which packets can come in and which can go out through a network interface.



checksum

A number produced by performing some arithmetic computation on the numeric value of each byte in a file or packet. If the file is changed, or the packet corrupted, a second checksum produced for the same object will not match the original checksum.



choke

See [firewall, choke]



chroot

Both a program and a system call that defines a directory to be the root of the filesystem, and that then executes a program to run confined to that virtual filesystem.



circuit gateway

See [proxy, circuit-level]



class, network address

Historically, one of five classes of network addresses. An IPv4 address is a 32-bit value. The address space is divided into Class A through Class E addresses, depending on the value of the first 4 most significant bits in the 32-bit value. The Class A network address space maps 128 separate networks, each addressing more than 16 million hosts. The Class B network address space maps 16,384 networks, each addressing up to 64,534 hosts. The Class C network address space maps about 2 million networks, each addressing up to 254 hosts. Class D is used for multicast addresses. Class E is reserved for unspecified or experimental purposes. The network classes have largely become an artifact with the introduction of CIDR. People refer to them out of familiarity and because their byte-boundary characteristics make them convenient to use in examples.



Classless Inter-Domain Routing

CIDR replaces the concept of network address classes for space allocation with the concept of variable-length network fields. A conceptual extension of the idea of variable-length subnet masks, CIDR is intended to improve router table scalability and to solve the allocation problems caused by the exhaustion of the classful address space for midsize organizations.



client/server model

The model for distributed network services, in which a centralized program, a server, provides a service to remote client programs requesting that service, whether the service is receiving a copy of a web page, downloading a file from a central repository, performing a database lookup, sending or receiving electronic mail, performing some kind of computation on client-supplied data, or establishing human communication connections between two or more people.



daemon

A basic system services server running in the background.



DARPA

Defense Advanced Research Projects Agency.



Datalink layer

In the OSI reference model, the second layer, which represents point-to-point data signal delivery between two adjacent network devices, such as the delivery of an Ethernet frame from your computer to your external router. (In the TCP/IP reference model, this functionality is included as part of the first layer, the subnet layer.)



default policy

A policy for a firewall ruleset (whether for an INPUT chain, an OUTPUT chain, or a FORWARD chain in the filter table) that defines a packet's disposition when the packet doesn't match any rule in the set.

See also [accept-everything-by-default policy]
See also [deny-everything-by-default policy]


denial-of-service attack

An attack based on the idea of sending unexpected data or flooding your system with packets to disrupt or seriously degrade service, tie up local servers to the extent that legitimate requests can't be honored, or, in the worst case, crash a system or systems altogether.



deny-everything-by-default policy

A policy that silently drops all packets that don't match a firewall rule in the chain. Most firewall rules are ACCEPT rules defining the exceptions to the default deny policy.



DHCP

Dynamic Host Configuration Protocol, which is used to dynamically assign IP addresses and provide server and router information to clients without registered IP addresses. DHCP was developed to replace BOOTP.



DMZ

The demilitarized zone, a perimeter network containing machines hosting public services, separated from a local, private network. The less-secure public servers are isolated from the private LAN.



DNS

Domain name service, a global Internet database service primarily providing host-to-IP and IP-to-host mapping.



DROP

A firewall-filtering rule decision to silently drop a packet without returning any notification to the sender. DROP is identical to DENY in earlier Linux firewall technologies.



dual-homed

A computer that has two network interfaces.

See also [multihomed]


dynamically assigned address

IP addresses temporarily assigned to a client network interface by a central server, such as a DHCP server.



Ethernet frame

Over an Ethernet network, IP datagrams are encapsulated in Ethernet frames.



filter, firewall

A firewall packet-filtering rule defining the characteristics of the packet's IP and transport headers, which, if matched, determines whether the packet is to be allowed through the network interface or is to be dropped. Filters are defined in terms of such fields as a packet's source and destination addresses, source and destination ports, protocol type, TCP connection state, and ICMP message type.



finger

A user information lookup program.



firewall

A device or group of devices that enforces an access control policy between networks.



firewall, bastion

Frequently, a firewall that has two or more network interfaces and is the gateway or connection point between those networks, most typically between a local site and the Internet. Because a bastion firewall is the single point of connection between networks, the bastion is secured to the greatest extent possible. More generally, a bastion is a firewall that remote sites have direct access to, whether that host connects networks or protects a server that provides public services.



firewall, choke

A LAN firewall that has two or more network interfaces and is the gateway or connection point between those networks. One side connects to a DMZ perimeter network between the choke firewall and a bastion gateway firewall. The other network interface connects to an internal, private LAN.



firewall, dual-homed

A single-host, gateway firewall that either requires local users to specifically connect to the firewall machine to access the Internet from the firewall machine, or proxies all remote services accessible to the site. In a dual-homed gateway firewall system, no traffic is allowed to pass between the LAN and the Internet.



firewall, screened-host

Almost identical to a dual-homed firewall, except that the single-host firewall does not sit directly between the Internet and the local network. The screened-host firewall is separated from the public network by an intermediate router and a packet filter. Local users must either specifically connect to the firewall machine to access the Internet or go through proxies on the firewall machine. The screening router ensures that all traffic between networks, or at least specific kinds of traffic, goes through the screened host. The difference between the screened-host firewall and the dual-homed firewall is primarily in the location of the firewall within the local network.



firewall, screened-subnet

A firewall system incorporating a gateway firewall, a DMZ network housing public servers, and an internal choke firewall that screens the LAN from both the DMZ and direct Internet access. Public services are not hosted from the choke firewall.



flooding, packet

A denial-of-service attack in which the victim host or network is sent more packets of a given type than the victim can accommodate.



forward

To route packets from one network to another in the process of delivering a packet from one computer to another.



fragment

An IP packet containing a piece of a TCP segment.



FTP

File Transfer Protocol. The protocol and programs used to copy files between networked computers.



FTP, anonymous

FTP service accessible to any client that requests the service.



FTP, authenticated

FTP service accessible to predefined accounts, which must be authenticated before using the service.



gateway

A computer or program serving as either the conduit or the termination point and relay between two networks.



hosts.allow, hosts.deny

TCP wrappers' configuration files are /etc/hosts.allow and /etc/hosts.deny.



HOWTO

In addition to the standard man pages, Linux includes user-supplied online documentation on numerous topics, in many languages and in multiple formats. The HOWTO documents are coordinated and maintained by the Linux Documentation Project.



HTTP

Hypertext Transfer Protocol, used by web servers and browsers.



hub

A hardware signal repeater used to physically connect multiple network segments, extend the distance of a physical network, or connect network segments of different physical types.



IANA

Internet Assigned Numbers Authority.



ICMP

Internet Control Message Protocol. A Network layer IP status and control message.



identd

The user authentication (AUTH) server.



IMAP

Internet Message Access Protocol, used to retrieve mail from mail hosts running an IMAP server.



inetd

A network superserver that listens for incoming connections to service ports used by servers that it manages. When a connection request arrives, inetd starts a copy of the requested server to handle the connection. By default, inetd has been replaced by an extended version called xinetd.



IP datagram

An IP Network layer packet.



ipchains

With the introduction of the newer implementation of the IPFW firewall mechanism in Linux, the firewall administration program that replaced ipfwadm. iptables is supplied with an ipchains compatibility module for sites that want to continue using their existing firewall scripts.



IPFW

IP firewall mechanism, now replaced by Netfilter.



ipfwadm

Before the introduction of ipchains, the Linux IPFW firewall administration program. iptables is supplied with an ipfwadm compatibility module for sites that want to continue using their existing firewall scripts.



iptables

The firewall administration program for the current Netfilter firewall mechanism in Linux.



klogd

The kernel logging daemon that collects operating-system error and status messages from the kernel message buffers and, in conjunction with syslogd, writes the messages to a system log file.



LAN

Local area network.



localhost

The symbolic name often given to a machine's loopback interface in /etc/hosts.



loopback interface

A special software network interface used by the system to deliver locally generated network messages destined to the local machine, bypassing the hardware network interface and associated network driver.



man page

The standard Linux online documentation format. Manual pages are written for almost all user and system administration programs, as well as system calls, library calls, device types, and system file formats.



masquerading

The process of replacing an outgoing packet's local source address with that of the firewall or gateway machine so that the LAN's IP addresses remain hidden. In the IPFW firewall mechanism, masquerading referred to the source NAT functionality implemented in Linux. In Netfilter, masquerading refers to a specialized form of source NAT for use with connections that are dynamically assigned temporary IP addresses that tend to change with each connection.



MD5

A cryptographic checksum algorithm used to ensure data integrity by creating digital signatures, called message digests, of objects.



MTU

Maximum Transmission Unit, the maximum packet size based on the underlying network.



multicast

An IP packet specially addressed to a Class D multicast IP address. Multicast clients are registered with the intermediate routers to receive packets addressed to a particular multicast address.



multihomed

A computer that has two or more network interfaces.

See also [dual-homed]


name server, primary

An authoritative server for a domain or a zone of the domain space. The server maintains a complete database of hostnames and IP addresses for this zone.



name server, secondary

A backup or peer to a primary name server.



NAT

Network address translation, the process of replacing a packet's source or destination address with that of some other network interface. NAT is primarily intended to allow traffic between incompatible network address spaces, such as between the Internet and a LAN that is assigned private addresses internally.



Netfilter

The firewall mechanism included with the Linux 2.4 and 2.6 kernels.



netstat

A program that reports various kinds of network status based on the various network-related kernel tables.



Network layer

In the OSI reference model, the third layer, which represents end-to-end communication between two computers, such as routing and delivery of an IP datagram from your source computer to some external destination computer. In the TCP/IP reference model, this is referred to as the second layer, the Internet layer.



NFS

Network File System, used to share filesystems between networked computers.



NIS

Network Information Service, used to centrally manage and provide user account and host information.



nmap

A network security auditing (that is, port-scanning) tool that includes many of the newer scanning techniques in use today.



NNTP

Network News Transfer Protocol, used by Usenet.



NTP

Network Time Protocol, used by ntpd and ntpdate.



OSI (Open System Interconnection) reference model

A seven-layer model developed by the International Organization for Standardization (ISO) to provide a framework or guide for network interconnection standards.



OSPF

The Open Shortest Path First routing protocol for TCP/IP, which is the most commonly used routing protocol today.



packet

An IP network datagram.



packet filtering

See [firewall]



PATH

The shell environmental variable defining which directories the shell should search for unqualified executable commands and in which order the shell should search those directories.



peer-to-peer

A communication mode used for communication between two server programs. A peer-to-peer communication protocol is often, but not always, different from the protocol used to communicate between the server and a client.



Physical layer

In the OSI reference model, the first layer, which represents the physical medium used to carry the signals between two adjacent network devices, such as copper wire, optical fiber, packet radio, or infrared. In the TCP/IP reference model, this is included as part of the first layer, the subnet layer.



PID

Process ID, which is a process's unique numeric identifier on the system, usually associated with the process's slot in the system process table.



ping

A simple network-analysis tool used to determine whether a remote host is reachable and responding. Ping sends an ICMP Echo Request message. The recipient host returns an ICMP Echo Reply message in response.



POP

Post Office Protocol, used to retrieve mail from mail hosts running a POP server.



port

In TCP or UDP, the numeric designator of a particular network communication channel. Port assignments are managed by IANA. Some ports are assigned to particular application communication protocols as part of the protocol standard. Some ports are registered as being associated with a particular service by convention. Some ports are unassigned and free to be dynamically assigned for use by clients and user programs:

  • privileged: A port in the range from 0 to 1023. Many of these ports are assigned to application protocols by international standard. On a Linux system, access to the privileged ports requires system-level privilege.

  • unprivileged: A port in the range from 1024 to 65535. Some of these ports are registered for use by certain programs by convention. Any port in this range can be used by a client program to establish a connection with a networked server.



port scan

A probe of all or a set of a host computer's service ports, typically service ports that are often associated with security vulnerabilities.



portmap

An RPC manager daemon, used to map between a particular RPC service number that a client is requesting to access and the service port to which the associated server is bound.



probe

To send some kind of packet to a service port on a host computer. The purpose of a probe is to determine whether a response is generated from the target host.



proxy

A program that creates and maintains a network connection on behalf of another program, providing an application-level conduit between a client and a server. The actual client and server have no direct communication. The proxy appears to be the server to the client program and appears to be the client to the server program. Application proxies generally are categorized into application gateways and circuit gateways.



proxy, application-level

A proxy server for a particular service. Application-level gateway proxies understand the particular application protocol that they proxy for. The proxy is capable of inspecting the application payload and making decisions based on information at the application level, instead of making decisions merely at the IP and transport levels.



proxy, circuit-level

A proxy server that can be implemented either as separate applications for each service being proxied or as a single generalized connection relay. A circuit-level proxy doesn't have any specific knowledge about the application protocols. The proxy makes decisions based on the same IP and transport information that a packet-filtering firewall does, with the possible addition of some amount of user authentication functionality.



QoS

Quality of Service.



RARP

Reverse Address Resolution Protocol, developed to enable diskless machines to ask servers for their IP address based on their MAC hardware address.



REJECT rule

A firewall-filtering rule decision to drop a packet and return an error message to the sender.



resolver

The client side of DNS. The resolver is implemented as library code that is linked to programs requiring network access. The DNS client configuration file is /etc/resolv.conf.



RFC

Request for Comments, a note or memo published through the Internet Society or the Internet Engineering Task Force. Some RFCs become standards. RFCs typically concern a topic related to the Internet or the TCP/IP protocol suite.



RIP

Routing Information Protocol, an older routing protocol still in use today, especially within a large LAN. The routed daemon uses RIP.



RPC

Remote procedure call.



rule, firewall

See [filter, firewall]



runlevel

A booting and system state concept taken from System V UNIX. A system normally operates at one of runlevels 2, 3, or 5. Runlevel 3 is the default, normal, multiuser system state. Runlevel 2 is similar to runlevel 3, without xinetd, portmap, or Network File System (NFS) services running. Runlevel 5 is the same as runlevel 3, with the addition of the X Window Display Manager, which presents an X-based login and host-selection screen.



screened host

See [firewall, screened-host]



screened subnet

See [firewall, screened-subnet]



script

An ASCII file that can contain either shell or Linux program commands. These scripts are interpreted by shell programs such as sh, csh, bash, zsh, or ksh, or by programs such as perl, awk, or sed.



segment, TCP

A TCP message.



setgid

A program that, when executed, assumes the group ID of the program's owner rather than the group ID of the process running the program.



setuid

A program that, when executed, assumes the user ID of the program's owner rather than the user ID of the process running the program.



shell

A command interpreter, such as sh, csh, bash, zsh, and ksh.



SMTP

Simple Mail Transfer Protocol, used to exchange mail between mail servers and between mail programs and mail servers.



SNMP

Simple Network Management Protocol, used to manage network device configuration from a remote workstation.



socket

The unique network connection point defined by the pairing of an IP address with a particular TCP or UDP service port.



SOCKS

A circuit gateway proxy package available from NEC.



spoofing, source address

Forging the source address in an IP packet header so that it appears to be that of some other address.



SSH

Secure shell protocol, used for authenticated, encrypted network connections.



SSL

Secure Socket Layer protocol, used for encrypted communication. SSL is most commonly used by web servers and browsers for exchanging personal information for e-commerce.



statically assigned address

Permanently assigned, hard-coded IP addresses, whether publicly registered addresses or private class addresses.



subnet layer

In the TCP/IP reference model, the first layer, which represents both the physical media used to carry the signals between two adjacent network devices and point-to-point data signal delivery between two adjacent network devices, such as the delivery of an Ethernet frame from your computer to your external router.



SYN

The TCP connection synchronization request flag. A SYN message is the first message sent from a program seeking to open a connection with another networked program.



syslog.conf

The system-logging daemon's configuration file.



syslogd

The system-logging daemon, which collects error and status messages generated by system programs that post messages using the syslog() system call.



TCP

Transmission Control Protocol, used for reliable, ongoing network connections between two programs.



TCP/IP reference model

An informal network communication model developed when TCP/IP became the de facto standard for Internet communication among UNIX machines during the late 1970s and early 1980s. Rather than being a formal, academic ideal, the TCP/IP reference model is based on what manufacturers and developers finally came to agree on for communication across the Internet.



tcp_wrapper

An authorization scheme used to control which local services are available to which remote hosts on the network.



TFTP

Trivial File Transfer Protocol, the protocol used to download a boot image to a diskless workstation or router. The protocol is a UDP-based, simplified version of FTP.



three-way handshake

The TCP connection establishment protocol. When a client program sends its first message to a server, the connection request message, the SYN flag is set and accompanied by a synchronization sequence number that the client will use as the starting point to number all the rest of the messages that the client will send. The server responds with an acknowledgment (ACK) to the SYN message, along with its own synchronization request (SYN). The server includes the client's sequence number incremented by the number of contiguous data bytes received, plus 1. The purpose of the acknowledgment is to acknowledge the message to which the client referred by its sequence number. As with the client's first message, the SYN flag is accompanied by a synchronization sequence number. The server is passing along its own starting sequence number for its half of the connection. The client responds with an ACK of the server's SYN-ACK, incrementing the server's sequence number by the number of contiguous data bytes received, plus 1 to indicate receipt of the message. The connection is established.



TOS

Type of Service, the field in the IP packet header that was intended to provide a hint of the preferred routing policy or packet-routing preference.



traceroute

A network analysis tool used to determine the path from one computer to another across the network.



Transport layer

In the OSI reference model, the fourth layer, which represents end-to-end communication between two programs, such as the delivery of a packet from a client program to a server program. In the TCP/IP reference model, this is referred to as the third layer, also the Transport layer. However, the TCP/IP Layer 3 transport-level abstraction includes the concept of the OSI Layer 5 Session layer, which includes the concepts of an orderly and synchronized exchange of messages.



TTL

Time to live, an IP packet header field that is a maximum count of the number of routers the packet can pass through before reaching its destination.



UDP

User Datagram Protocol, used to send individual network messages between programs, without any guarantee of delivery or delivery order.



unicast

An IP packet sent point to point, from one computer's network interface to another's.



UUCP

UNIX-to-UNIX Copy Protocol.



world-readable

Filesystem objects (files, directories, and entire filesystems) that are readable by any account or program on the system.



world-writable

Filesystem objects (files, directories, and entire filesystems) that are writable by any account or program on the system.



X Windows

The Linux graphical user interface window display system.


