What a Rip-off: Notes on a Certain Chinese-Made Firewall - Show Cat's Eye

What a Rip-off: Notes on a Certain Chinese-Made Firewall

迷迷糊糊的猫 posted @ 2012-06-02 22:14 in funny with tags FW5200, firewall; 4204 views

 

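     Recently a Neusoft firewall at our bank had some problems, so we called Neusoft's people in to take a look while I watched from the side. After logging in over telnet, the engineer typed bash, and I broke into a sweat on the spot; then he ran top and the like, and the sweat just kept pouring.

    A firewall running Linux is perfectly normal, and I have played with software routers on an old PC myself, but I really did not expect a commercial product to use Linux without even wrapping it up, and to leave a backdoor that drops you into bash.

    Yesterday I was bored, so I got into bash and poked around at random, and there turned out to be plenty to complain about.

 

 1. First, let's see what the CPU is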

 

bash-2.05b# cat /proc/cpuinfo 
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 28
model name      : Intel(R) Atom(TM) CPU D525   @ 1.80GHz
stepping        : 10
cpu MHz         : 1795.642
cache size      : 512 KB
physical id     : 0
siblings        : 4
core id         : 0
cpu cores       : 2
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 10
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc pni monitor ds_cpl tm2 cx16 xtpr lahf_lm
bogomips        : 3594.24

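    Please let that sink in three times over. Look it up on ark and you will see: the Atom D525 is a dual-core, four-thread processor. This, this, this...

    Enough said, everybody gets it.

    2. How much memory?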

 

bash-2.05b# cat /proc/meminfo 
MemTotal:      1808084 kB
MemFree:        846472 kB
Buffers:        131916 kB
Cached:         353172 kB
SwapCached:          0 kB
Active:         653612 kB
Inactive:       163052 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:      1808084 kB
LowFree:        846472 kB
SwapTotal:           0 kB
SwapFree:            0 kB
Dirty:              16 kB
Writeback:           0 kB
AnonPages:      331368 kB
Mapped:          18016 kB
Slab:            75976 kB
PageTables:       2076 kB
NFS_Unstable:        0 kB
Bounce:              0 kB
CommitLimit:    904040 kB
Committed_AS:   807684 kB
VmallocTotal:   122872 kB
VmallocUsed:     63412 kB
VmallocChunk:    59168 kB

Obviously 2 GB of memory.

3. How big is the hard disk?

 

bash-2.05b# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/ram0                87.2M     29.8M     52.9M  36% /
/dev/hda5               371.7M    144.9M    207.6M  41% /mnt/cf/5
/dev/hda6                32.4M      4.1M     26.6M  13% /mnt/cf/6
/dev/hda7                 1.5G    627.3M    836.3M  43% /mnt/cf/7
tmpfs                    60.0M         0     60.0M   0% /neteye/var/di_ram
tmpfs                    40.0M         0     40.0M   0% /neteye/var/av_ram

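    OK, the answer is that there is no hard disk, just a 2 GB CF card.

   4. When we first used it we made eth0 a data port. Gigabit would not come up, and after running for a while there were performance problems too. Then the vendor told us that port 0 is the management port, and it is 100 Mb. I wanted to kill someone. Please, could you label it on the front panel, or write it in the manual?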

 

bash-2.05b# ethtool eth0
Settings for eth0:
        Supported ports: [ TP ]
        Port Type: [Fast Ethernet]
        Supported link modes:   10baseT/Half 10baseT/Full 
                                100baseT/Half 100baseT/Full 
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Full 
                                100baseT/Full 
        Advertised auto-negotiation: Yes
        Auto Speed: off
        Auto Duplex: off
        Speed: Unknown! (65535)
        Duplex: Unknown! (255)
        Port: Twisted Pair
        PHYAD: 1
        Transceiver: internal
        Auto-negotiation: on
        Supports Wake-on: pumbg
        Wake-on: d
        Current message level: 0x00000001 (1)
        Link detected: no

 

bash-2.05b# ethtool eth1
Settings for eth1:
        Supported ports: [ TP ]
        Port Type: [Gigabit Ethernet]
        Supported link modes:   10baseT/Half 10baseT/Full 
                                100baseT/Half 100baseT/Full 
                                1000baseT/Full 
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full 
                                100baseT/Half 100baseT/Full 
                                1000baseT/Full 
        Advertised auto-negotiation: Yes
        Auto Speed: on
        Auto Duplex: on
        Speed: 1000Mb/s
        Duplex: Full
        Port: Twisted Pair
        PHYAD: 1
        Transceiver: internal
        Auto-negotiation: on
        Supports Wake-on: pumbg
        Wake-on: g
        Current message level: 0x00000001 (1)
        Link detected: yes
    Compare eth0 and eth1 for yourself.
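
    The comparison above can be automated before a port is assigned to data traffic. The following is an added example, not part of the original post: it parses ethtool output for the fastest supported link mode; the function names are hypothetical and the two samples are trimmed from the output shown above.

```shell
#!/bin/sh
# Added example (not from the original post). Reads `ethtool <iface>` output
# on stdin; the helper names below are hypothetical.

# Print the highest speed (Mb/s) listed under "Supported link modes",
# including the indented continuation lines; prints 0 if none is found.
max_supported_speed() {
    awk '
        /^[ \t]*Supported link modes:/ { in_modes = 1; sub(/^[^:]*:/, "") }
        in_modes && /:/ { in_modes = 0 }   # the next "Field:" line ends the list
        in_modes {
            for (i = 1; i <= NF; i++) {
                speed = $i
                if (speed ~ /^[0-9]+base/) {
                    sub(/base.*/, "", speed)
                    if (speed + 0 > max) max = speed + 0
                }
            }
        }
        END { print max + 0 }
    '
}

# Succeed only if the port on stdin supports at least $1 Mb/s.
port_meets() { [ "$(max_supported_speed)" -ge "$1" ]; }

# Samples trimmed from the ethtool output shown on this page.
eth0_sample() { cat <<'EOF'
Settings for eth0:
        Supported ports: [ TP ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
        Supports auto-negotiation: Yes
EOF
}
eth1_sample() { cat <<'EOF'
Settings for eth1:
        Supported ports: [ TP ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Supports auto-negotiation: Yes
EOF
}

for sample in eth0_sample eth1_sample; do
    if $sample | port_meets 1000; then verdict="ok as a gigabit data port"
    else verdict="below 1000 Mb/s, management use only"; fi
    echo "$sample: max $($sample | max_supported_speed) Mb/s, $verdict"
done
```

    On a live system the same check is `ethtool eth0 | port_meets 1000`.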

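    5. OK, this is the most crucial one. Even if you run it on a PC with a rubbish configuration, there should at least be a hardware chip or something to do the forwarding, right? My heart sank. Everyone knows the famous iptables in Linux, right? Well, iptables had nothing in it. But during tab completion I spotted ipfilter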

ipfilter

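    The above is an excerpt. Anyway, I saw the firewall policy I was looking for, which means this thing is no different from a software router: it is all software. It truly lives up to the name "Neusoft" (东软, where 软 means "soft").

    As for what ipfilter is, please go and read its official website, which says: "It has been tested and shown to work on RedHat 9.0, SuSE 9.1 and will, in general work with 2.4 and 2.6 kernels. It should be noted that not all Linux distros are the same so using others may not be smooth." What era is this thing from? Wait, I forgot to show you this: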

 

bash-2.05b# uname -a
Linux HB_HLW_FW_21 2.6.18.8-1 #1 SMP Fri Dec 17 19:19:43 CST 2010 i686 unknown

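    First, check kernel.org: 2.6.18 was released in 2006, and Neusoft compiled this kernel in 2010, so it makes sense that this thing uses ipfilter as its firewall core.

    That would have been the end of my look into the Neusoft FW5200, but I could not resist searching Taobao for "atom d525 6网口" (six network ports) and looking at those motherboards priced at around 980 RMB. Don't they look a lot like the one in our firewall?

    

    OK, that's it. This post only represents the author's grudge against a certain company. Anyway, you should know that this piece of junk is still very expensive, only a little cheaper than Juniper's.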
