亚洲AV无码一区二区三区国产,自拍偷自拍亚洲精品偷一,亚洲人成人网毛片在线播放

Android中文文档v0.1 beta低调发布,期待更多同学来参加review

地狱��L��(hellboys) — Wed, 05 Dec 2007 08:42:00 GMT

�W�一阶段:Android中文文档v0.1 beta发布--由www.androidcn.net�C�֌�提供

Android中文文档阅读地址: http://www.androidcn.net/wiki/index.php/Documentation

Android中文文档大部分已�l�完�? 但是可能有不��细节和不��之处需要完善和修补.

感谢��译的同�?已经在文档里面加�? 如果�~�少,误��p�L��

�W�二阶段:��h��旉��的同学进行review.

review阶段既然采用wiki上面形式. 希望review的同学可以联�p�AndroidCN��理员和各版版主.

�怿�review阶段对同学理解Android可以有更快的理解和提�? 阅读文档也是对Android理解之初�?

所有在阅读文档的时�?希望同学们不吝啬自己的一�W�之�?对于未完全或��译有误的地方进行涂�?

�怿�大家可以先阅��L��?然后提出��译中的不��q�行.

review 讨论区： http://www.androidcn.net/thread-119-1-1.html

地狱��L��(hellboys) 2007-12-05 16:42 发表评论

�Ƣ迎讉K��Android中国

地狱��L��(hellboys) — Thu, 15 Nov 2007 09:24:00 GMT

摘要: �Ƣ迎讉K��Android中国, Android是google为手机开发的操作�pȝ��, ��Z��Linux2.6内核. �U�d��l�端开发和使用是一个非常有��?有挑战的�z�d��.于是, 我们一些志同道合的朋友成立了Android中国, 致力于docs的中文化, 当然�q�有交流何��用经�? 共同开发Android��目. �Ƣ迎您的光��和加�?

主页�Q�http://www.androidcn.net 阅读全文

地狱��L��(hellboys) 2007-11-15 17:24 发表评论

一��C��多台电脑监控 (keyword:cacti,snmp,snmpd.conf)

地狱��L��(hellboys) — Wed, 07 Mar 2007 02:27:00 GMT

SNMPD.CONF(5)                                       SNMPD.CONF(5)

NAME
       share/snmp/snmpd.conf - configuration file for the ucd-
       snmp SNMP agent.

DESCRIPTION
       snmpd.conf is the configuration file which defines how the
       ucd-smnp SNMP agent operates. These files may contain any
       of the directives found in the DIRECTIVES section below.
       This file is not required for the agent to operate and
       report mib entries.

PLEASE READ FIRST
       First, make sure you have read the snmp_config(5) manual
       page that describes how the ucd-snmp configuration files
       operate, where they are located and how they all work
       together.

EXTENSIBLE-MIB
       The ucd-snmp SNMP agent reports much of its information
       through queries to the 1.3.6.1.4.1.2021 section of the mib
       tree.   Every mib in this section has the following table
       entries in it.

       .1 -- index
              This is the table's index numbers for each of the
              DIRECTIVES listed below.

       .2 -- name
              The name of the given table entry. This should be
              unique, but is not required to be.

       .100 -- errorFlag
              This is a flag returning either the integer value 1
              or 0 if an error is detected for this table entry.

       .101 -- errorMsg
              This is a DISPLAY-STRING describing any error trig-
              gering the errorFlag above.

       .102 -- errorFix
              If this entry is SNMPset to the integer value of 1
              AND the errorFlag defined above is indeed a 1, a
              program or script will get executed with the table
              entry name from above as the argument. The program
              to be executed is configured in the config.h file
              at compile time.

   Directives
       proc NAME

       proc NAME MAX

       proc NAME MAX MIN

              Checks to see if the NAME'd processes are running
              on the agent's machine. An error flag (1) and a
              description message are then   passed   to   the
              1.3.6.1.4.1.2021.2.100 and 1.3.6.1.4.1.2021.2.101
              mib tables (respectively) if the NAME'd program is
              not found in the process table as reported by
              "/bin/ps -e".

              If MAX and MIN are not specified, MAX is assumed to
              be infinity and MIN is assumed to be 1.

              If MAX is specified but MIN is not specified, MIN
              is assumed to be 0.

       procfix NAME PROG ARGS
              This registers a command that knows how to fix
              errors   with   the   given   process NAME.   When
              1.3.6.1.4.1.2021.2.102 for a given NAMEd program is
              set to the integer value of 1, this command will be
              called. It defaults to a compiled value set using
              the PROCFIXCMD definition in the config.h file.

       exec NAME PROG ARGS

       exec MIBNUM NAME PROG ARGS

              If MIBNUM is not specified, the agent executes the
              named PROG with arguments of ARGS and returns the
              exit status and the first line of the STDOUT output
              of   the   PROG   program   to   queries   of   the
              1.3.6.1.4.1.2021.8.100 and 1.3.6.1.4.1.2021.8.101
              mib tables (respectively).   All STDOUT   output
              beyond the first line is silently truncated.

              If MIBNUM is specified, it acts as above but
              returns the exit status to MIBNUM.100.0 and the
              entire STDOUT output to the table MIBNUM.101 in a
              mib table. In this case, the MIBNUM.101 mib con-
              tains the entire STDOUT output, one mib table entry
              per line of output (ie, the first line is output as
              MIBNUM.101.1, the second at MIBNUM.101.2, etc...).

              Note: The MIBNUM must be specified in dotted-inte-
                     ger notation and can not be specified as
                     ".iso.org.dod.internet..." (should instead
                     be

              Note: The agent caches the exit status and STDOUT
                     of the executed program for 30 seconds after
                     the initial query.   This is to increase
                     speed and maintain consistency of informa-
                     tion for consecutive table queries. The
                     cache can be flushed by a snmp-set request
                     of integer(1) to 1.3.6.1.4.1.2021.100.VER-
                     CLEARCACHE.

       execfix NAME PROG ARGS
              This registers a command that knows how to fix
              errors with the given exec or sh NAME. When
              1.3.6.1.4.1.2021.8.102 for a given NAMEd entry is
              set to the integer value of 1, this command will be
              called. It defaults to a compiled value set using
              the EXECFIXCMD definition in the config.h file.

       disk PATH

       disk PATH [ MINSPACE | MINPERCENT% ]

              Checks the named disks mounted at PATH for avail-
              able disk space. If the disk space is less than
              MINSPACE (kB) if specified or less than MINPERCENT
              (%) if a % sign is specified, or DEFDISKMINI-
              MUMSPACE (kB) if not specified, the associated
              entry in the 1.3.6.1.4.1.2021.9.100 mib table will
              be set to (1) and a descriptive error message will
              be returned to queries of 1.3.6.1.4.1.2021.9.101.

       load MAX1

       load MAX1 MAX5

       load MAX1 MAX5 MAX15

              Checks the load average of the machine and returns
              an error flag (1), and an text-string error message
              to   queries   of    1.3.6.1.4.1.2021.10.100    and
              1.3.6.1.4.1.2021.10.101   (respectively) when the
              1-minute, 5-minute, or 15-minute averages exceed
              the associated maximum values. If any of the MAX1,
              MAX5, or MAX15 values are unspecified, they default
              to a value of DEFMAXLOADAVE.

       file FILE [MAXSIZE]
              Monitors file sizes and makes sure they don't grow
              beyond a certain size. MAXSIZE defaults to infi-
              nite if not specified, and only monitors the size
              without reporting errors about it.

   Errors
       Any errors in obtaining the above information are reported
       via    the    1.3.6.1.4.1.2021.101.100    flag   and   the
       1.3.6.1.4.1.2021.101.101 text-string description.

SMUX SUB-AGENTS
       To enable and SMUX based sub-agent, such as gated, use the
       smuxpeer configuration entry

       smuxpeer OID PASS
              For gated a sensible entry might be

       .1.3.6.1.4.1.4.1.3 secret

ACCESS CONTROL
       snmpd supports the View-Based Access Control Model (vacm)
       as defined in RFC 2275. To this end, it recognizes the
       following keywords in the configuration file: com2sec,
       group, access, and view as well as some easier-to-use
       wrapper   directives: rocommunity, rwcommunity, rouser,
       rwuser.

       rocommunity COMMUNITY [SOURCE] [OID]

       rwcommunity COMMUNITY [SOURCE] [OID]
              These create read-only and read-write communities
              that can be used to access the agent. They are a
              quick method of using the following com2sec, group,
              access, and view directive lines. They are not as
              efficient either, as groups aren't created so the
              tables are possibly larger. In other words: don't
              use these if you have complex situations to set up.

              The format of the SOURCE is token is described in
              the com2sec directive section below. The OID token
              restricts access for that community to everything
              below that given OID.

       rouser USER [noauth|auth|priv] [OID]

       rwuser USER [noauth|auth|priv] [OID]
              Creates a SNMPv3 USM user in the VACM access
              configuration tables.   Again, its more efficient
              (and powerful) to use the combined com2sec, group,
              access, and view directives instead.

              The minimum level of authentication and privacy the
              user must use is specified by the first token
              (which defaults to "auth").   The OID parameter
              restricts access for that user to everything below
              the given OID.

       com2sec NAME SOURCE COMMUNITY
              This   directive   specifies the mapping from a
              source/community pair to a security name. SOURCE
              can be a hostname, a subnet, or the word "default".
              A subnet can be specified as IP/MASK or IP/BITS.
              The first source/community combination that matches
              the incoming packet is selected.

       group NAME MODEL SECURITY
              This directive defines the mapping from security-
              model/securityname to group. MODEL is one of v1,
              v2c, or usm.

       access NAME CONTEXT MODEL LEVEL PREFX READ WRITE NOTIFY
              The access directive maps from   group/security
              model/security level to a view. MODEL is one of
              any, v1, v2c, or usm.   LEVEL is one of noauth,
              auth, or priv. PREFX specifies how CONTEXT should
              be matched against the context of the incoming pdu,
              either exact or prefix.   READ, WRITE and NOTIFY
              specifies the view to be used for the corresponding
              access.   For v1 or v2c access, LEVEL will be
              noauth, and CONTEXT will be empty.

       view NAME TYPE SUBTREE [MASK]
              The defines the named view. TYPE is either included
              or excluded.   MASK is a list of hex octets, sepa-
              rated by '.' or ':'. The MASK defaults to "ff" if
              not specified.

              The reason for the mask is, that it allows you to
              control access to one row in a table, in a rela-
              tively simple way. As an example, as an ISP you
              might consider giving each customer access to his
              or her own interface:

              view cust1 included interfaces.ifTable.ifEntry.ifIndex.1 ff.a0
              view cust2 included interfaces.ifTable.ifEntry.ifIndex.2 ff.a0

              (interfaces.ifTable.ifEntry.ifIndex.1 == .1.3.6.1.2.1.2.2.1.1.1,
              ff.a0 == 11111111.10100000. which nicely covers up and including
              the row index, but lets the user vary the field of the row)

       VACM Examples:
              #       sec.name source          community
              com2sec local     localhost       private
              com2sec mynet     10.10.10.0/24   public
              com2sec public    default         public

              #             sec.model sec.name
              group mygroup v1         mynet
              group mygroup v2c        mynet
              group mygroup usm        mynet
              group local   v1         local
              group local   v2c        local
              group local   usm        local
              group public v1         public
              group public v2c        public
              group public usm        public

              #           incl/excl subtree                          mask
              view all    included .1                               80
              view system included system                           fe
              view mib2   included .iso.org.dod.internet.mgmt.mib-2 fc

              #              context sec.model sec.level prefix read   write notify
              access mygroup ""      any       noauth    exact mib2   none none
              access public ""      any       noauth    exact system none none
              access local   ""      any       noauth    exact all    all   all

       Default VACM model
              The default configuration of the agent, as shipped, is functionally
              equivalent to the following entries:
              com2sec   public    default   public
              group     public    v1   public
              group     public    v2c public
              group     public    usm public
              view      all included .1
              access    public    ""   any noauth    exact     all none none

SNMPv3 CONFIGURATION
       engineID STRING
              The snmpd agent needs to be configured with an
              engineID to be able to respond to SNMPv3 messages.
              With this configuration file line, the engineID
              will be configured from STRING. The default value
              of the engineID is configured with the first IP
              address found for the hostname of the machine.

       createUser username (MD5|SHA) authpassphrase [DES] [priv-
       passphrase]
              This directive should be placed into the "/var/ucd-
              snmp"/snmpd.conf file instead of the other normal
              locations. The reason is that the information is
              read from the file and then the line is removed
              (eliminating the storage of the master password for
              that user) and replaced with the key that is
              derived from it. This key is a localized key, so
              that if it is stolen it can not be used to access
              other agents. If the password is stolen, however,
              it can be.

              MD5 and SHA are the authentication types to use,
              but you must have built the package with openssl
              installed in order to use SHA. The only privacy
              protocol currently supported is DES. If the pri-
              vacy passphrase is not specified, it is assumed to
              be the same as the authentication passphrase. Note
              that the users created will be useless unless they
              are also added to the VACM access control tables
              described above.

              Warning: the minimum pass phrase length is 8 char-
              acters.

              SNMPv3 users can be created at runtime using the
              snmpusm command.

SETTING SYSTEM INFORMATION
       syslocation STRING

       syscontact STRING

              Sets the system location and the system contact for
              the agent. This information is reported by the
              'system' table in the mibII tree.

       authtrapenable NUMBER
              Setting authtrapenable to 1 enables generation of
              authentication failure traps. The default value is
              2 (disable).

       trapcommunity STRING
              This defines the default community string to be
              used when sending traps. Note that this command
              must be used prior to any of the following three
              commands that are intended use this community
              string.

       trapsink HOST [COMMUNITY [PORT]]

       trap2sink HOST [COMMUNITY [PORT]]

       informsink HOST [COMMUNITY [PORT]]
              These commands define the hosts to receive traps
              (and/or inform notifications). The daemon sends a
              Cold Start trap when it starts up. If enabled, it
              also sends traps on authentication failures.   Mul-
              tiple trapsink, trap2sink and informsink lines may
              be specified to specify multiple destinations. Use
              trap2sink to send SNMPv2 traps and informsink to
              send inform notifications.   If COMMUNITY is not
              specified, the string from a preceding trapcommu-
              nity directive will be used. If PORT is not speci-
              fied, the well known SNMP trap port (162) will be
              used.

PASS-THROUGH CONTROL
       pass MIBOID EXEC
              Passes entire control of MIBOID to the EXEC pro-
              gram.   The EXEC program is called in one of the
              following three ways:

              EXEC -g MIBOID

              EXEC -n MIBOID

                     These call lines match to SNMP get and get-
                     next requests. It is expected that the EXEC
                     program will take the arguments passed to it
                     and return the appropriate response through
                     it's stdout.

                     The first line of stdout should be the mib
                     OID of the returning value. The second line
                     should be the TYPE of value returned, where
                     TYPE is one of the text strings: string,
                     integer, unsigned,   objectid,   timeticks,
                     ipaddress, counter, or gauge.   The third
                     line of stdout should be the VALUE corre-
                     sponding with the returned TYPE.

                     For instance, if a script was to return the
                     value integer value "42" when a request for
                     .1.3.6.1.4.100 was requested, the script
                     should return the following 3 lines:
                       .1.3.6.1.4.100
                       integer
                       42

                     To indicate that the script is unable to
                     comply with the request due to an end-of-mib
                     condition or an invalid request, simple exit
                     and return no output to stdout at all. A
                     snmp error will be generated corresponding
                     to the SNMP NO-SUCH-NAME response.

              EXEC -s MIBOID TYPE VALUE

                     For SNMP set requests, the above call method
                     is used. The TYPE passed to the EXEC pro-
                     gram is one of the text strings: integer,
                     counter, gauge, timeticks, ipaddress, objid,
                     or string, indicating the type of value
                     passed in the next argument.

                     Return nothing to stdout, and the set will
                     assumed to have been successful. Otherwise,
                     return one of the following error strings to
                     signal an error: not-writable, or wrong-type
                     and the appropriate error response will be
                     generated instead.

                      Note: By   default,   the only community
                             allowed to write (ie snmpset) to
                             your script will be the "private"
                             community,or community #2 if defined
                             differently by the "community" token
                             discussed above. Which communities
                             are allowed write access are con-
                             trolled by the RWRITE definition in
                             the snmplib/snmp_impl.h source file.

EXAMPLE
       See the EXAMPLE.CONF file in the top level source direc-
       tory for a more detailed example of how the above informa-
       tion is used in real examples.

RE-READING snmpd.conf and snmpd.local.conf
       The ucd-snmp agent can be forced to re-read its configura-
       tion files. It can be told to do so by one of two ways:

       1.     An       snmpset       of       integer(1)       to
              1.3.6.1.4.1.2021.100.VERUPDATECONFIG.

       2.     A "kill -HUP" signal sent to the snmpd agent pro-
              cess.

FILES
       share/snmp/snmpd.conf

SEE ALSO
       snmp_config(5), snmpd(1), EXAMPLE.conf, read_config(3).

                           27 Jan 2000              SNMPD.CONF(5)

地狱��L��(hellboys) 2007-03-07 10:27 发表评论

妙解�|�络多台dhcp引�v的IP冲突

地狱��L��(hellboys) — Wed, 15 Nov 2006 02:22:00 GMT

客�h在我所供职的酒店上�|�的时候，�l�常会弹��Z��个对话框�Q�显�C�Z��些提�C�，如上�|�的注意事项和消�Ҏ��准等信息;�q�且有自��q��电媄和歌曲服务器�Q�DHCP-server也是其中的一台服务器�Q�宾馆、酒店就是用�q�台机器�Q��ؓ客户分配IP地址提供上网功能�Q�即客户把自��q��计算��上网�U�，�|�卡配置自动获取IP地址�Q�就会从动态主机配�|�协�?DHCP)服务器分配到一个IP地址;采用DHCP server可以自动为用戯��|�网�l�IP地址、掩码、网兟뀁DNS、Wins �{�网�l�参敎ͼ��化了用户�|�络讄��Q�提高了��理效率�?

　　那么我们的问题也出现�?常见的，很多用户抱怨用�q�种�Ҏ��上不了网�Q�但不是所有客户都上不了网。经�q�调查发玎ͼ�住宾馆、酒店的人绝大多数是商务人员和工�E�师�Q�他们携带的手提电脑一般安装的是Windows server版本�Q�server版本默认启动了DHCP server功能�Q�当一台这��L��计算��入网�l�，在他之后的计��机��׃��把他当成DHCP服务器，�q�被分配了不正确的IP地址�Q�从而上不了�|��?

　　DHCP服务器地址分配方式

　　DHCP是一�U�用于简化主机IP配置��理的协议标准。通过采用DHCP标准�Q�可以��用DHCP服务器�ؓ�|�络上所有启用了DHCP的客��L��分配、配�|�、跟�t�和更改(必要�?所有TCP/IP讄��。此外，DHCP�q�可以确保不使用重复地址、重新分配未使用的地址�Q��ƈ且可以自动�ؓ��L��q�接的子�|�分配适当的IP地址。当一个网�l�中�Q�有2个或2个以上的DHCP服务器时�Q�提醒切勿将DHCP地址池定义的�q�大�Q�以免多个地址池之间出现“包含于”的关系�Q�或者是部分客户端手工指定的IP地址包含于DHCP服务器的地址池中�Q�从而造成DHCP的一些异常故障�?

　　针对不同的需求，DHCP服务器有三种机制分配IP地址:

　　自动分配 DHCP服务器给首次�q�接到网�l�的某些客户端分配固定IP地址�Q�该地址��q��户长期��?

　　动态分�?DHCP服务器给客户端分配有旉��限制的IP地址�Q��用期限到期后�Q�客��L��需要重新申请地址�Q�客��L��也可以主动释放该地址。绝大多数客��L��L��得到的是�q�种动态分配的地址;

　　手动分配 ��q��l�管理员为客��L��指定固定的IP地址�?

　　三种地址分配方式中，只有动态分配可以重复��用客��L��不再需要的地址�?

　　每项技术都是有利有弊的�Q�DHCP也不例外�Q�由于DHCP有着配置��单，��理方便的优点，问题也随之��生，�׃��DHCP的运作机�Ӟ��通常服务器和客户端没有认证机�Ӟ��如果�|�络上存在多台DHCP服务器将会给�|�络造成混�ؕ。由于用户不��心配置了DHCP服务器引��L��|�络混�ؕ非常常见�Q��可见此问题的普遍性�?

　　本�h在从事网�l�工作的几年里，遇到�q�很多问题，其中有关DHCP-server冲突的不在少敎ͼ�在解决问题的同时也�ȝ��了一些经验，在这里简单介�l�一下，与大家分享，希望�l�在解决此类问题的同行一些帮助，也希望广大高手指出其中的不��和需要改�q�的地方�?br />
DHCP服务器冲�H�的解决�Ҏ��

　　使用DHCP snooping技术来解决

　　针对�q�种DHCP服务器冲�H�的解决�Ҏ��有很多，最直接的方法就是脓告示�Q�让入住的客户在上网时关闭Windows的DHCP�|�络服务�Q�这个选项在‘控刉��李쀙，‘管理工具’里的‘DHCP�|�络服务’，�q�入关闭卛_��。这里要注意的是�Q�非server版的Windows不用关闭�Q��ƈ且不要把‘控刉��李쀙，‘管理工具’，‘服务’中的DHCP client�l�停止了�Q�这��h��分配不到地址的�?

　　当然上面的方法比较被动也不合常理�Q�更不便于我们网�l�的��理�Q�所以还是应该从我们�|�络本��n出发来解决问题�?

　　既然是DHCP的问题，那么我们��q��DHCP的技术来解决问题�Q�比较有代表的就是DHCP snooping技术。DHCP snooping技术是DHCP安全�Ҏ��，通过建立和维护DHCP snooping�l�定表过滤不可信�ȝ��DHCP信息�Q�这些信息是指来自不信�Q区域的DHCP信息。DHCP snooping�l�定表包含不信�Q区域的用户mac地址、IP地址、租用期、vlan-id接口�{�信息�?

　　首先定义交换��Z��的信�ȝ��口和不信�ȝ��口，其中信�Q端口�q�接DHCP服务器或其他交换机的端口;不信�ȝ��口连接用��h��|�络。不信�Q端口��接收到的DHCP服务器响应的DHCP ack 和DHCP off报文丢弃;而信�ȝ��口将此配�|�中的命令都是以CISCO的设备�ؓ基础�Q�但不管是哪个公司的讑֤��Q��M��设计思想是一致的�Q�不同的可能在命令格式上略有差异�Q�工作�h员应该根据具体的实际情况来解决相应的问题�?

　　在全局模式下启动DHCP snooping功能�Q�这个默认是关闭的，而且不是所有设备都支持�q�个功能�Q�最好先看��用说明�?

　　switch(config)#ip dhcp-snooping

　　如果有vlan��׃��用下面的命��o来监��具体的vlan

　　switch(config)#ip dhcp-snooping vlan vlan-id

　　然后定义可信�ȝ��端口�Q�默认情况交换机的端口均��Z��信�Q端口�Q�通常�|�络讑֤�接口�Q?TRUNK 接口和连接DHCP服务器的端口定义为可信�Q端口�?

　　switch(config)#int f0/x

　　switch(config-if)#ip dhcp snooping trust

使用PVLAN技术来解决

　　有很多二层的技术可以防止DHCP-server冲突的，PVLAN��是其中一个运用比较广的技术�?

　　PVLAN�U�有局域网(private vlan)�Q�在PVLAN的概念里�Q�端口有3�U�类�?Isolated port�Q�Community port, Promiscuous port;它们分别对应不同的vlan�c�d��:Isolated port属于Isolated PVLAN�Q�Community port属于Community PVLAN�Q�而代表一个Private vlan整体的是Primary vlan�Q�前面两�c�vlan需要和它绑定在一��P��同时它还包括Promiscuous port。在Isolated PVLAN中，Isolated port只能和Promiscuous port�Q�彼此之间不能访�?在Community PVLAN中，vlan与vlan之间都不能访问，同一Community vlan的接口可以互相访问，�q�且所有Community vlan的接口都可以与Promiscuous port�q�行通信。利用这��Ҏ��术，我们可以把上�q�或�q�接DHCP服务器的接口定义为Promiscuous port�Q�其他接口分配到Isolated vlan里，�q�样所有接口都只能与上�q�或DHCP服务器进行通信�Q�即使有一台机器设为DHCP服务器，其他机器也不会与它��生流量，把它做�ؓ服务器�?

　　利用�q�个技术解决DHCP-server冲突的方法有很多�Q�也很灵�z�，下面介绍一�U�比较简单的�Ҏ��Q�也是用的比较多�?

　　首先把交换机配置成transparents模式:　　

　　switch(config)#vtp mode transparent

　　��Z��可以打开端口的保护功能，它的意思是打开端口保护的端口之间不能访问，但打开保护的端口可以与没有开启此��功能的端口通信�Q�可以根据自��q��需求来打开保护功能:

　　switch(config)#int range f0/124

　　switch(config-if-range)#switchitchport protected

　　建立isolated vlan和primary vlan�Q�把isolated vlan定义为primary lan的附属vlan�Q�因��与primary互相讉K��:

　　switch(config)#vlan 14

　　switch(config-vlan)private-vlan isolated

　　switch(config)#vlan 44

　　switch(config-vlan)#private-vlan primary

　　switch(config-vlan)#private-vlan association 14

地狱��L��(hellboys) 2006-11-15 10:22 发表评论

P2P之UDP�I�K��NAT的原理与实现

地狱��L��(hellboys) — Tue, 12 Sep 2006 16:32:00 GMT

P2P之UDP�I�K��NAT的原理与实现 - 增强��?附修改过的源代码)

------------------------------------------------------------------------------------------------------------

NAT(The IP Network Address Translator) 的概念和意义是什�?

NAT, 中文��译为网�l�地址转换。具体的详细信息可以讉K��RFC 1631 - http://www.faqs.org/rfcs/rfc1631.html, �q�是对于NAT的定义和解释的最权威的描�q�。网�l�术语都是很抽象和艰涩的�Q�除非是专业人士�Q�否则很难从字面中来准确理解NAT的含义�?/p>

要想完全明白NAT 的作用，我们必须理解IP地址的两大分�c�，一�c�L��U�有IP地址�Q�在�q�里我们�U�C��内网IP地址。一�c�L��非私有的IP地址�Q�在�q�里我们�U�C��公网IP地址。关于IP地址的概念和作用的介�l�参见我的另一��文�? http://hwycheng.blogchina.com/2402121.html

内网IP地址: 是指使用A/B/C�c�M��的私有地址, 分配的IP地址在全球不惧有唯一性，也因此无法被其它外网��L��直接讉K��?br />公网IP地址: 是指��h��全球唯一的IP地址�Q�能够直接被其它��L��讉K��的�?/p>

NAT 最初的目的是�ؓ使用内网IP地址的计��机提供通过��数几台��h��公网的IP地址的计��机讉K��外部�|�络的功能。NAT 负责��某些内�|�IP地址的计��机向外部网�l�发出的IP数据包的源IP地址转换为NAT自己的公�|�的IP地址�Q�目的IP地址不变, �q�将IP数据包�{发给路由器，最�l�到辑֤�部的计算机。同时负责将外部的计��机�q�回的IP数据包的目的IP地址转换为内�|�的IP地址�Q�源IP地址不变�Q��ƈ最 �l�送达到内�|�中的计��机�?br />
        ----------------------                           ----------------------
        | 192.168.0.5        | Internat host            | 192.168.0.6        | Internat host
        ----------------------                           ----------------------
                ^ port:2809                                      ^port: 1827
                |                                                |
                V                                                V
        ----------------------                           ----------------------
        | 192.168.0.1        | NAT device                | 192.168.0.2        | NAT device
        | 61.51.99.86        |                           | 61.51.77.66        |
        ----------------------                           ----------------------
                ^                                                ^
                |                                                |
                V port:80                                        V port: 80
        ----------------------                           ----------------------
        | 61.51.202.88       | Internet host             | 61.51.76.102       | Internet host
        ----------------------                           ----------------------

                              图一: NAT 实现了私有IP的计��机分��n几个公网IP地址讉K��Internet的功能�?br />
�? 着�|�络的普及，IPv4的局限性暴露出来。公�|�IP地址成�ؓ一�U�稀�~�的资源�Q�此时NAT 的功能局限也暴露出来�Q�同一个公�|�的IP地址�Q�某个时间只能由一台私有IP地址的计��机使用。于是NAPT(The IP Network Address/Port Translator)应运而生�Q�NAPT实现了多台私有IP地址的计��机可以同时通过一个公�|�IP地址来访问Internet的功能。这在很大程度上�? 时缓解了IPv4地址资源的紧张�?/p>

NAPT 负责��某些内�|�IP地址的计��机向外部网�l�发出的TCP/UDP数据包的源IP地址转换为NAPT自己的公�|�的IP地址�Q�源端口转�ؓNAPT自己的一个端口。目的IP地址和端口不�? �q�将IP数据包发�l��\由器�Q�最�l�到辑֤�部的计算机。同时负责将外部的计��机�q�回的IP数据包的目的IP地址转换内网的IP地址�Q�目的端口�{为内�|�计��机�? 端口�Q�源IP地址和源端口不变�Q��ƈ最�l�送达到内�|�中的计��机�?/p>

                ----------------------                           ----------------------
                | 192.168.0.5        | Internat host            | 192.168.0.6        | Internat host
                ----------------------                           ----------------------
                        port: 2809      ^                   ^ port: 1827
                                         \                 /
                                          v               v
                                        ----------------------
                                        | 192.168.0.1        | NAT device
                                        | 61.51.99.86        |
                                        ----------------------
        map port:9882 to 192.168.0.5:2809 ^              ^ map port: 9881 to 192.168.0.6:1827
                                         /                \
                             port:80    v                  v    port:80
                ----------------------                           ----------------------
                | 61.51.202.88       | Internet host             | 61.51.76.102       | Internet host
                ----------------------                           ----------------------

                              图二: NAPT 实现了私有IP的计��机分��n一个公�|�IP地址讉K��Internet的功能。                                           �?

�? 我们的工作和生活�? NAPT的作用随处可见，�l�大部分公司的网�l�架构，都是通过1至N台支持NAPT的�\由器来实现公司的所有计��机�q�接外部的Internet�|�络的。包�? 本�h在写�q�篇文章的时候，也是在家中��用一台IBM�W�记本通过一台宽带连接的台式机来讉K��Internet的。我们本��文章主要讨论的NAPT的问题�?/p>

NAPT(The IP Network Address/Port Translator) ��Z��ȝ��了P2P软�g的应�?

�? �q�NAPT 上网的特点决定了只能由NAPT内的计算��Z��动向NAPT外部的主机发赯��接，外部的主机想直接和NAPT内的计算机直接徏立连接是不被允许的。IM(�? 旉��讯)而言�Q�这意味着�׃��NAPT内的计算机和NAPT外的计算机只能通过服务器中转数据来�q�行通讯。对于P2P方式的下载程序而言�Q�意味着NAPT�? 的计��机不能接收到NAPT外部的连接，��D��q�接数用�q�少�Q�下载速度很难上去。因此P2P软�g必须要解决的一个问题就是要能够在一定的�E�度上解决NAPT 内的计算��Z��能被外部�q�接的问题�?/p>

NAT(The IP Network Address Translator) �q�行UDP�I�K��的原理是什�?

TCP/IP 传输时主要用到TCP和UDP协议。TCP协议是可靠的�Q�面向连接的传输协议。UDP是不可靠的，无连接的协议。根据TCP和UDP协议的实现原理，对于 NAPT来进行穿透，主要是指的UDP协议。TCP协议也有可能�Q�但是可行性非常小�Q�要求更高，我们此处不作讨论�Q�如果感兴趣可以到Google上搜索，有些文章对这个问题做了探讨性的描述。下面我们来看看利用UDP协议来穿透NAPT的原理是什�?

                        ----------------------                           ----------------------
                        | 192.168.0.5        | Internat host            | 192.168.0.6        | Internat host
                        ----------------------                           ----------------------
                          UDP port: 2809        ^                   ^ UDP port: 1827
                                                 \                 /
                                                  v               v
                                                ----------------------
                                                | 192.168.0.1        | NAT device
                                                | 61.51.99.86        |
                                                ----------------------
Session(192.168.0.6:1827 <-> 61.51.76.102:8098) ^              ^ Session(192.168.0.6:1827 <-> 61.51.76.102:8098)
               map port:9882 to 192.168.0.5:2809 /                \map port: 9881 to 192.168.0.6:1827
                                  UDP port:8098 v                  v    UDP port:8098
                        ----------------------                           ----------------------
                        | 61.51.202.88       | Internet host             | 61.51.76.102       | Internet host
                        ----------------------                           ----------------------


                                      图三: NAPT 是如何将�U�有IP地址的UDP数据包与公网��L��q�行透明传输的�?/p>

UDP协议包经NAPT透明传输的说�?

NAPT 为每一个Session分配一个NAPT自己的端口号�Q�依据此端口��h��判断��收到的公网IP��L��q�回的TCP/IP数据包�{发给那台内网IP地址的计��? 机。在�q�里Session是虚拟的�Q�UDP通讯�q�不需要徏立连接，但是对于NAPT而言�Q�的��要有一个Session的概念存在。NAPT对于UDP协议包的透明传输面��的一个重要的问题��是如何处理�q�个虚拟的Session。我们都知道TCP�q�接的Session以SYN包开始，以FIN包结束， NAPT可以很容易的获取到TCP Session的生命周期，�q�进行处理。但是对于UDP而言�Q�就�ȝ��了，NAPT�q�不知道转发出去的UDP协议包是否到达了目的��L��Q�也没有办法知道。�? 且鉴于UDP协议的特点，可靠很差�Q�因此NAPT必须强制�l�持Session的存在，以便�{�待��外部送回来的数据�q��{发给曄��发�v��h��的内�|�IP地址的计 ��机。NAPT具体如何处理UDP Session的超时呢�Q�不同的厂商提供的设备对于NAPT的实��C��q�相同，也许几分钟，也许几个��时�Q�些NAPT的实现还会根据设备的忙碌状态进行智�? 计算��时旉��的长短�?/p>

                  [192.168.0.6:1827]
                            | UDP Packet[src ip:192.168.0.6 src port:1827 dst ip:61.51.76.102 dst port 8098]
                            v
        [pub ip: 61.51.99.86]NAT[priv ip: 192.168.0.1]
                            | UDP Packet[src ip:61.51.99.86 src port:9881 dst ip:61.51.76.102 dst port 8098]
                            v
                  [61.51.76.102:8098]

                                    囑֛�: NAPT ��内部发出的UDP协议包的源地址和源端口改变传输�l�公�|�IP��L��?br />

                  [192.168.0.6:1827]
                            ^
                            | UDP Packet[src ip:61.51.76.102 src port:8098 dst ip:192.168.0.6 dst port 1827]
        [pub ip: 61.51.99.86]NAT[priv ip: 192.168.0.1]
                            ^
                            | UDP Packet[src ip:61.51.76.102 src port:8098 dst ip:61.51.99.86 dst port 9881]
                  [61.51.76.102:8098]

                                    图五: NAPT ��收到的公网IP��L��q�回的UDP协议包的目的地址和目的端口改变传输给内网IP计算机。                              �?
现在我们大概明白了NAPT如何实现内网计算机和外网��L��间的透明通讯。现在来看一下我们最兛_��的问题，��是NAPT是依据什么策略来判断是否要�ؓ一个请求发出的UDP数据包徏立Session的呢�Q�主要有一下几个策�?

A. 源地址(内网IP地址)不同�Q�忽略其它因�? 在NAPT上肯定对应不同的Session
B. 源地址(内网IP地址)相同�Q�源端口不同�Q�忽略其它的因素�Q�则在NAPT上也肯定对应不同的Session
C. 源地址(内网IP地址)相同�Q�源端口相同�Q�目的地址(公网IP地址)相同�Q�目的端口不同，则在NAPT上肯定对应同一个Session
D. 源地址(内网IP地址)相同�Q�源端口相同�Q�目的地址(公网IP地址)不同�Q�忽略目的端口，则在NAPT上是如何处理Session的呢�Q?/p>

D的情冉|��式我们关心和要讨论的问题。依据目的地址(公网IP地址)对于Session的徏立的军_��方式我们��NAPT讑֤�划分��Z��大类:

Symmetric NAPT:
对于到同一个IP地址�Q��Q意端口的�q�接分配使用同一个Session; 对于��C��同的IP地址, ��L��端口的连接��用不同的Session.
我们�U�此�U�NAPT�?Symmetric NAPT. 也就是只要本地绑定的UDP端口相同�Q?发出的目的IP地址不同�Q�则会徏立不同的Session.

        [202.223.98.78:9696] [202.223.98.78:9696] [202.223.98.78:9696]
                ^               ^                       ^
                |               |                       |
                v               v                       v
               9883            9882                    9881
                                 |
                             \ [NAT] /
                                 ^
                                 |
                                 v
                          [192.168.0.6:1827]

                          囑օ�: Symmetric 的英文意思是对称。多个端口对应多个主机，�q��的，对称�?

Cone NAPT:
对于到同一个IP地址�Q��Q意端口的�q�接分配使用同一个Session; 对于��C��同的IP地址�Q��Q意端口的�q�接也��用同一个Session.
我们�U�此�U�NAPT�?Cone NAPT. 也就是只要本地绑定的UDP端口相同�Q?发出的目的地址不管是否相同�Q?都��用同一个Session.

[202.223.98.78:9696] [202.223.98.78:9696] [202.223.98.78:9696]

                        ^          ^         ^
                         \         |        /
                          v        v       v
                                 9881
                                 [NAT]
                                   ^
                                   |
                                   v
                          [192.168.0.6:1827]

                          图七: Cone 的英文意思是锥。一个端口对应多个主机，是不是像个锥�?

�? 在绝大多数的NAPT属于后者，即Cone NAT。本人在��试的过�E�中�Q�只好��用了一台日本的Symmetric NAT。还好不是自��q��买的�Q�我从不买日�? 希望看这��文章的朋友也自觉的不要购买日本的东�ѝ��Win9x/2K/XP/2003�pȝ��自带的NAPT也是属于 Cone NAT的。这是值的庆幸的，因�ؓ我们要做的UDP�I�K��只能在Cone NAT间进行，只要有一��C��是Cone NAT�Q�对不�v�Q�UDP�I�K��没有希望了�Q�服务器转发吧。后面会做详�l�分�?

下面我们再来分析一下NAPT 工作时的一些数据结构，在这里我们将真正说明UDP可以�I�K��Cone NAT的依据。这里描�q�的数据�l�构只是��Z��说明原理�Q�不��h��实际参考�h��|��真正感兴��可以阅读Linux的中关于NAT实现部分的源码。真正的NAT实现也没有利用数据库的，呵呵�Q��ؓ了速度�Q?/p>

Symmetric NAPT 工作时的端口映射数据�l�构如下:

内网信息�?

[NAPT 分配端口] [ 内网IP地址 ] [ 内网端口 ] [ 外网IP地址 ] [ SessionTime 开始时�?]

PRIMARY KEY( [NAPT 分配端口] ) -> 表示依据[NAPT 分配端口]建立主键�Q�必��d��一且徏立烦引，加快查找.
UNIQUE( [ 内网IP地址 ], [ 内网端口 ] ) -> 表示�q�两个字�D�联合�v来不能重�?
UNIQUE( [ 内网IP地址 ], [ 内网端口 ], [ 外网IP地址 ] ) -> 表示�q�三个字�D�联合�v来不能重�?

映射�?

[NAPT 分配端口] [ 外网端口 ]

UNIQUE( [NAPT 分配端口], [ 外网端口 ] ) -> 表示�q�两个字�D�联合�v来不能重�?

Cone NAPT 工作时的端口映射数据�l�构如下:

内网信息�?

[NAPT 分配端口] [ 内网IP地址 ] [ 内网端口 ] [ SessionTime 开始时�?]

PRIMARY KEY( [NAPT 分配端口] ) -> 表示依据[NAPT 分配端口]建立主键�Q�必��d��一且徏立烦引，加快查找.
UNIQUE( [ 内网IP地址 ], [ 内网端口 ] ) -> 表示�q�两个字�D�联合�v来不能重�?

外网信息�?

[ wid 主键标识 ] [ 外网IP地址 ] [ 外网端口 ]

PRIMARY KEY( [ wid 主键标识 ] ) -> 表示依据[ wid 主键标识 ]建立主键�Q�必��d��一且徏立烦引，加快查找.
UNIQUE( [ 外网IP地址 ], [ 外网端口 ] ) -> 表示�q�两个字�D�联合�v来不能重�?

映射�? 实现一对多�Q�的

[NAPT 分配端口] [ wid 主键标识 ]

UNIQUE( [NAPT 分配端口], [ wid 主键标识 ] ) -> 表示�q�两个字�D�联合�v来不能重�?
UNIQUE( [ wid 主键标识 ] ) -> 标识此字�D�不能重�?

看完了上面的数据�l�构是更明白了还是更晕了�Q?呵呵! 多想一会儿��׃��明白了。通过NAT,内网计算��机向外�q�结是很�Ҏ��的，NAPT会自动处理，我们的应用程序根本不必关心它是如何处理的。那么外部的计算机想讉K��内网中的计算机如何实现呢�Q�我们来看一下下面的��程�Q?/p>

c 是一台在NAPT后面的内�|�计��机�Q�s是一台有外网IP地址的计��机。c ��d��?s 发�v�q�接��h��Q�NAPT依据上面描述的规则在自己的数据结构中记录下来�Q�徏立一个Session. 然后 c �?s 之间��可以实现双向的透明的数据传输了。如下面所�C?

c[192.168.0.6:1827] <-> [priv ip: 192.168.0.1]NAPT[pub ip: 61.51.99.86:9881] <-> s[61.51.76.102:8098]

我们假设两个内网计算机分别�ؓA和B�Q�对应的NAPT分别为AN和BN�Q?如果A在获取到B对应的BN的IP地址和映��的端口后，�q�不急待的向�q�个IP
�? 址和映��的端口发送了个UDP数据包，会有什么情况发生呢�Q�依据上面的原理和数据结构我们会知道�Q�AN会在自己的数据结构中生成一条记录，标识一个新 Session的存在。BN在收到数据包后，从自��q��数据�l�构中查询，没有扑ֈ�相关记录�Q�因此将包丢弃。B是个慢性子�Q�此时才慢吞吞的向着AN的IP地址和映��的端口发送了一个UDP数据包，�l�果如何呢？当然是我们期望的�l�构了，AN在收到数据包后，从自��q��数据�l�构中查扑ֈ�了记录，所以将数据包进行处�? 发送给了A。A 再次向B发送数据包�Ӟ��一切都时畅通无��M��。OK, 大工告成�Q�且慢，�q�时对于Cone NAPT而言�Q�对于Symmetric NAPT呢？呵呵�Q�自己分析一下吧...

NAPT(The IP Network Address/Port Translator) �q�行UDP�I�K��的具体情况分析!

首先明确的将NAPT讑֤�按照上面的说明分�? Symmetric NAPT �?Cone NAPT, Cone NAPT 是我们需要的。Win9x/2K/XP/2003 自带的NAPT也�ؓCone NAPT�?/p>

�W�一�U�情�? 双方都是Symmetric NAPT:

此情况应�l�不存在什么问题，肯定是不支持UDP�I�K��?/p>

�W�二�U�情�? 双方都是Cone NAPT:

此情冉|��我们需要的�Q�可以进行UDP�I�K��?/p>

�W�三�U�情�? 一个是Symmetric NAPT, 一个是Cone NAPT:

此情冉|��较复杂，但我们按照上面的描述和数据机构进行一下分析也很容易就会明白了, 分析如下,

假设: A -> Symmetric NAT, B -> Cone NAT

1. A 惌��?B, A 从服务器那儿获取�?B 的NAT地址和映��端�? A 通知服务器，服务器告�?B A的NAT地址和映��端�? B �?A 发�v�q�接�Q�A 肯定无法接收到。此�?A �?B 发�v�q�接�Q?A 对应的NAT建立了一个新的Session�Q�分配了一个新的映��端口， B �? NAT 接收到UDP包后�Q�在自己的映��表中查询，无法扑ֈ�映射��，因此��包丢弃了�?/p>

2. B 惌��?A, B 从服务器那儿获取�? A 的NAT地址和映��端�? B 通知服务�? 服务器告�?A B的NAT地址和映��端�?A �?B 发�v�q�接, A 对应的NAT建立了一个新的Session�Q�分配了一个新的映��端口B肯定无法接收到。此�?B �?A 发�v�q�接, �׃�� B 无法获取 A 建立的新的Session的映��端口，仍是使用服务器上获取的映��端口进行连接，因此 A 的NAT在接收到UDP包后�Q�在自己的映��表中查询，无法扑ֈ�映射��? 因此��包丢弃了�?/p>

�Ҏ��以上分析�Q�只有当�q�接的两端的NAT都�ؓCone NAT的情况下�Q�才能进行UDP的内�|�穿透互联�?/p>

NAPT(The IP Network Address/Port Translator) �q�行UDP�I�K��如何进行现实的验证和分�?

需要的�|�络�l�构如下:

三个NAT后面的内�|�机器，两个外网服务器。其中两台Cone NAPT�Q�一�?Symmetric NAPT�?/p>

验证�Ҏ��:

�? 以��用本�E�序提供的源码，�~�译�Q�然后分别运行服务器�E�序和客��L��。修改过后的源码增加了客��L��之间直接通过IP地址和端口发送消息的命��o�Q�利用此命��o�Q�你可以手动的验证NAPT的穿透情��c��ؓ了方便操作，推荐你��用一个远�E�登陆��Y�Ӟ��可以直接在一台机器上操作所有的相关的计��机�Q�这样很方便�Q�一个�h��可�? 完成所有的工作了。呵呵，本�h��是�q�么完成的。欢�q�有兴趣和经验的朋友来信批评指正�Q�共同进步�?/p>

原始作�? Hwycheng Leo(FlashBT@Hotmail.com)

源码下蝲: http://bbs.hwysoft.com/download/UDP-NAT-LEO.rar
参考：http://midcom-p2p.sourceforge.net/draft-ford-midcom-p2p-01.txt
P2P之UDP�I�K��NAT的原理与实现(shootingstars)

文章说明:

�? 于UDP�I�K��NAT的中文资料在�|�络上是很少的，仅有< >�q�篇文章有实际的参考�h倹{��本��两年来也一直从事P2P斚w��的开发工作，比较有代表性的是个人开发的BitTorrent下蝲软�g - FlashBT(变态快�?. 对P2P下蝲或者P2P的开发感兴趣的朋友可以访问��Y件的官方主页: http://www.hwysoft.com/chs/ 下蝲看看�Q�说不定有收莗��写�q�篇文章的主要目的是懒的再每�ơ单独回�{�一些网友的提问, 一�ơ性写下来, 卌��省了自己的时��_��也方便了对于P2P的UDP�I�K��感兴趣的网友阅��d��理解。对此有兴趣和经验的朋友可以�l�我发邮件或者访问我的个人Blog留言: http://hwycheng.blogchina.com.
您可以自��p�{载此��文章，但是请保留此说明�?/p>

再次感谢shootingstars�|�友的早期�A�? 表示谢意�?/p>

地狱��L��(hellboys) 2006-09-13 00:32 发表评论

desktop推荐使用ubuntu

地狱��L��(hellboys) — Tue, 29 Aug 2006 09:40:00 GMT

在安装ubuntu6.061LTS 以后,感觉非常不错.

桌面部分ubuntu5 和ubuntu6有很大的改进.不要自己费劲去装输入法了. 自带的scim感觉很不�?兼容性也可以.影音部分只要安装�?w32code��可以rth可以很流畅的play 军_��部分格式的文�?
驱动也支持的比较�?不过自己又做了一下nv的驱�?感觉也没什么太大的变化.
�q�有一贯的�l�承deb的安装包�l�织.可以很舒服的setup 一些东�? �q�个��׃��做广告了. 有兴��的可以试试.

感觉可惜的就�?apt-get 是lock单�Q务的, 安装很多东东的时候不太方�?

其实不必要用她和windows来比�? 因�ؓ各自的方�?如何你很喜欢shell,那么linux更加方便.当然,ubuntu6用户体验已经有了很大的提�?已经和windows很接�q�了.其实��是用户习惯的问�?

单张光盘的iso也让人非常满�?

地狱��L��(hellboys) 2006-08-29 17:40 发表评论

地狱��L��(hellboys) — Fri, 14 Jul 2006 09:10:00 GMT

了解 SNMP ��单网�l�管理协�?/span>

1. ��Z�� T C P / I P 的网�l�管理包�?/span> 3 个组成部分：

1) 一个管理信息库 M I B �Q?/span> Management Information Base �Q�。管理信息库包含所有代理进�E?/span>

的所有可被查询和修改的参数�?/span>

2) 关于 M I B 的一套公用的�l�构和表�C�符受��叫做管理信息结�?/span> S M I 。例如： S M I

定义计数器是一个非负整敎ͼ�它的计数范围�?/span> 0~4 294 967 295 �Q�当辑ֈ�最大值时�Q�又�?/span> 0 开�?/span>

计数�?/span>

3) ��理�q�程和代理进�E�之间的通信协议�Q�叫做简单网�l�管理协�?/span> S N M P �Q?/span> Simple Network

Management Protocol �Q?/span>

一般是 udp 协议�Q�默认端�?/span> udp:161.

2. 协议

关于��理�q�程和代理进�E�之间的交互信息�Q?/span> S N M P 定义�?/span> 5 �U�报文：

1) g e t - r e q u e s t 操作�Q�从代理�q�程处提取一个或多个参数倹{�?/span>

2) g e t - n e x t - r e q u e s t 操作�Q�从代理�q�程处提取一个或多个参数的下一个参数��|��关于“下一个（ n e x t �Q�”的含义��在后面的章节中介绍�Q��?/span>

3) s e t - r e q u e s t 操作�Q�设�|�代理进�E�的一个或多个参数倹{�?/span>

4) g e t - r e s p o n s e 操作�Q�返回的一个或多个参数倹{��这个操作是�׃��理进�E�发出的。它是前�?/span> 3 中操作的响应操作�?/span>

5) t r a p 操作�Q�代理进�E�主动发出的报文�Q�通知��理�q�程有某些事情发生�?/span>

版本字段�?/span> 0 。该字段的值是通过 S N M P 版本号减�?/span> 1 得到的。显�?/span> 0 代表 SNMP v1 �?img height="225" alt="image002.jpg" src="http://m.tkk7.com/images/blogjava_net/hellboys/image002.jpg" width="486" border="0" />

差错状态字�D�|��一个整敎ͼ�它是�׃��理进�E�标注的�Q�指明有差错发生。图是参数倹{��名�U�和描述之间的对应关�p�R�?/span>

差错索引字段是一个整数偏�U�量�Q�指明当有差错发�?/span>

�Ӟ��差错发生在哪个参数。它是由代理�q�程标注的，�q�且

只有在发�?/span> n o S u c h N a m e �?/span> r e a d O n l y �?/span> b a d V a l u e 差错

时才�q�行标注�?br />

3. 对象标识�W?/span>

对象标识是一�U�数据类型，它指明一�U�“授权”命名的对象。“授权”的意思就是这些标

识不是随便分配的�Q�它是由一些权威机构进行管理和分配�?/span>

对象标识是一个整数序列，以点�Q��?/span> . ”）分隔。这些整数构成一个树型结构，�c�M��?/span> D N S

�?/span> U n i x 的文件系�l�。对象标识从树的�剙��开始，�剙��没有标识�Q�以 r o o t 表示�Q�这�?/span>

U n i x 中文件系�l�的树遍历方向非常类��|��。树上的每个�l�点同时�q�有一个文字名。例如标�?/span> 1 . 3 . 6 . 1 . 2 . 1 ��和 i s o . o r g . d o d .

i n t e r n e t . m e m t . m i b 对应。这主要是�ؓ了�h们阅��L��ѝ��在实际应用中，也就是说在管理进�E?/span>

和代理进�E�进行数据报交互�Ӟ�� M I B 变量名是以对象标识来标识的，当然都是�?/span> 1 . 3 . 6 . 1 . 2 . 1 开头的�?img height="343" alt="image006.jpg" src="http://m.tkk7.com/images/blogjava_net/hellboys/image006.jpg" width="427" border="0" />

在图中，我们除了�l�出�?/span> m i b 对象标识外，�q�给��Z�� i s o . o r g . d o d . i n t e r n e t .

p r i v a t e . e n t e r p r i s e s �Q?/span> 1 . 3 . 6 . 1 . 4 . 1 �Q�这个标识。这是给厂家自定义而预留的。在 A s s i g n e d

Number RFC 中列��Z��在该�l�点下大�U?/span> 4 0 0 个标识�?/span>

此篇自做个�h参�?/span> .

更多了解��L�� TCPIP 协议详解卷一 ( 协议 ) 25 �?/span> .

地狱��L��(hellboys) 2006-07-14 17:10 发表评论

Mysql 集群��介和配置

地狱��L��(hellboys) — Wed, 28 Jun 2006 03:58:00 GMT

1�Q?span style="FONT: 7pt 'Times New Roman'"> 先了解一下你是否应该�?/span> mysql 集群�?/span>

减少数据中心�l�点压力和大数据量处理，采用�?/span> mysql 分布�Q�一个或多个 application 对应一�?/span> mysql 数据库。把几个 mysql 数据库公用的数据做出�׃�n数据�Q�例如购物�R�Q�用户对象等�{�，存在数据�l�点里面。其他不�׃�n的数据还�l�持在各自分布的 mysql 数据库本�w�中�?/span>

2�Q?span style="FONT: 7pt 'Times New Roman'"> 集群 Mysql 中名�U�概�?/span> .( 如上�?/span> )

1 �Q?/span> Sql �l�点�Q?/span> SQL node-- 上图对应�?/span> mysqld �Q?/span> : 分布式数据库。包括自�w�数据和查询中心�l�点数据 .

2 �Q�数据结�?/span> (Data node -- ndbd): 集群�׃�n数据 ( 内存�?/span> ).

3 �Q�管理服务器 (Management Server �?ndb_mgmd): 集群��理 SQL node,Data node.

3 �Q�配�|?/span>

mysql-max 版本�Q�当然现�?/span> mysql 集群�pȝ�� windonws �q�_��上面不被支持 .

安装 mysql ��׃��多说了，�|�上一打堆�Q�简明扼要�?/span>

A:192.168.1.251 �?Data node �?/span> Management Server.

B:192.168.1.254 �?SQL node.

当然�Q�你也可以让一个机器同时�ؓ 3 者�?/span>

A,B my.inf 加上�Q?/span>

[MYSQLD]

ndbcluster # run NDB engine

ndb-connectstring=192.168.1.251 # location of MGM node

# Options for ndbd process:

[MYSQL_CLUSTER]

ndb-connectstring=192.168.1.251 # location of MGM node

A: /var/lib/mysql-cluster/config.ini

[NDBD DEFAULT]

NoOfReplicas=1 # Number of replicas

DataMemory=80M # How much memory to allocate for data storage

IndexMemory=18M # How much memory to allocate for index storage

# For DataMemory and IndexMemory, we have used the

# default values. Since the "world" database takes up

# only about 500KB, this should be more than enough for

# this example Cluster setup.

# TCP/IP options:

[TCP DEFAULT]

portnumber=2202 # This the default; however, you can use any

# port that is free for all the hosts in cluster

# Note: It is recommended beginning with MySQL 5.0 that

# you do not specify the portnumber at all and simply allow

# the default value to be used instead

# Management process options:

[NDB_MGMD]

hostname=192.168.1.251 # Hostname or IP address of MGM node

datadir=/var/lib/mysql-cluster # Directory for MGM node logfiles

# Options for data node "A":

[NDBD]

# (one [NDBD] section per data node)

hostname=192.168.1.251 # Hostname or IP address

datadir=/usr/local/mysql/data # Directory for this data node's datafiles

# SQL node options:

[MYSQLD]

hostname=192.168.1.254

#[MYSQLD] # �q�个相当�?/span> 192.168.1.251

4. 启动��试

· 在管理服务器上面(�q�里�?code>192.168.1.251):

				
						·                
				
				
						shell> ndb_mgmd -f /var/lib/mysql-cluster/config.ini

· 在数据结�Ҏ��务器上面(依然�?code>192.168.1.251 and more):

				
						·                
				
				
						shell> ndbd --initial (
						
								�W�一�ơ时�?--initial 参数)

· SQL �l�点服务器上�?span lang="EN">(192.168.1.254):

				
						·                
				
				
						shell> mysqld &

�?/span> 251 上面察看

./ndb_mgm

-- NDB Cluster -- Management Client --

ndb_mgm> show

Connected to Management Server at: 192.168.1.251:1186

Cluster Configuration

---------------------

[ndbd(NDB)] 1 node(s)

id=2 @192.168.1.251 (Version: 5.0.22, Nodegroup: 0, Master)

[ndb_mgmd(MGM)] 1 node(s)

id=1 @192.168.1.251 (Version: 5.0.22)

[mysqld(API)] 1 node(s)

id=3 @192.168.1.254 (Version: 5.0.22)

关闭集群�Q?/span>

shell> ndb_mgm -e shutdown

5 �Q�基本的集群说明

1 �Q�在mysql 集群�?span lang="EN">.�?span lang="EN">table引擎�?span lang="EN">NDBCLUSTER时才做集��，其他�?span lang="EN">NDBCLUSTER表和一�?span lang="EN">mysql数据库表一��P��不会�׃�n数据. NDBCLUSTER 表数据存储在Data node服务�?b>内存�?/b>�Q?span lang="EN">Data Node可以�?span lang="EN">1台或多台服务器，它们之间存放�׃�n数据�?span lang="EN">Data Node服务器可以分�l�数�?span lang="EN">copy�?span lang="EN">

例如�Q?span lang="EN">2,3,4,5 为四�?span lang="EN">Data Node服务�?span lang="EN">ID. 2,3为组0�?span lang="EN"> 4�Q?span lang="EN">5为组1�?span lang="EN"> 2�Q?span lang="EN">3�l�持数据相同�Q?span lang="EN"> 4�Q?span lang="EN">5�l�持数据相同�?�l?span lang="EN">0和组1�l�持数据不同�?span lang="EN">

2 �Q?span lang="EN"> sql node 服务器中�Q�非NDBCLUSTER数据存在本��n数据库中�Q?span lang="EN">table引擎�?span lang="EN">NDBCLUSTER�Ӟ��数据存储�?span lang="EN">Data Node 中。当查询NDBCLUSTER表时�Q�它会从Data node集群中提��h��?span lang="EN">.

3)Manager server

��理SQl node �?span lang="EN">Data node 状态�?span lang="EN">

6 深入了解

http://dev.mysql.com/doc/refman/5.0/en/ndbcluster.html

地狱��L��(hellboys) 2006-06-28 11:58 发表评论

地狱��L��(hellboys) — Sat, 29 Apr 2006 16:21:00 GMT

VPN(Virtual Private Network�Q�虚拟专用网�l?是专用网�l�的延��Q�它可以通过�׃�nInternet或公��q��l�连接模拟点对点专用�q�接的方式，在本地计��机和远�E�计��机之间发送数据�?br />它具有良好的保密性和不受�q�扰性，使双方能够进行自��p��安全的点对点连接。下面介�l�一�U�快速构建VPN服务器的�Ҏ��?br />
安装软�g

1.安装PPP

安装PPP�Q�Point-to-Point Protocol�Q�点到点协议�Q?.4.2以上的版本，可以�?a >http://sourceforge.net/project/showfiles.php?group_id=44827下蝲ppp-2.4.3-0.cvs_20040527.1.i386.rpm软�g包�?br />
安装命��o如下�Q?br />
#rpm -Uvh ppp-2.4.3-0.cvs_20040527.1.i386.rpm

2.安装内核MPPE补丁

安装内核MPPE�Q�Microsoft Point to Point Encryption�Q�微软点对点加密�Q�补丁需要根据内栔R��择相应的版本。笔者��用的Linux内核�?.4.20-31.9版本�Q�可以到http: //pptpclient.sourceforge.net/mppe/kernel-mppe-2.4.20-31.9.i686.rpm下蝲相应�?kernel-mppe-2.4.20-31.9.i686.rpm软�g包。安装命令如下：

#rpm -ivh kernel-mppe-2.4.20-31.9.i686.rpm

用以下命令检查内核MPPE补丁是否安装成功�Q?

#modprobe ppp-compress-18

3.��查PPP是否支持MPPE

用以下命令检查PPP是否支持MPPE�Q?

#strings '/usr/sbin/pppd' |grep -i mppe | wc --lines

如果以上命��o输出为�?”则表示不支持；输出为�?0”或更大的数字就表示支持�?br />4.安装PPTPD

�?a >http://sourceforge.net/project/showfiles.php?group_id=44827下蝲pptpd-1.1.4-b4.i386.rpm软�g包，�q�安装�?

# rpm -ivh pptpd-1.1.4-b4.i386.rpm

修改配置文�g

1.修改modules.conf文�g

�~�辑/etc/modules.conf配置文�g�Q�加入如下内容：

alias net-pf-47 ip_gre

2.修改pptpd.conf文�g

�~�辑/etc/pptpd.conf配置文�g�Q�添加如下内容，��定本地VPN服务器的IP地址和客��L��d��后分配的IP地址范围�?

debug
option /etc/ppp/options.pptpd
localip 192.168.0.254 #本地VPN服务器的IP
remoteip 192.168.1.1-254 #客户端被分配的IP范围

3.修改options.pptpd文�g

�~�辑/etc/ppp/options.pptpd配置文�g�Q�替换成如下内容�Q?

auth
lock
debug
proxyarp
lock
name rh9vpn #VPN服务器的名字
multilink
refuse-pap
refuse-chap
refuse-mschap
refuse-eap
refuse-mschap-v2
require-mppe
ms-wins 192.168.1.2 #把想要在�|�络��d��中看到的机器的IP填写到这�?br />ms-dns 192.168.1.2 #DNS服务器地址
dump
logfile /var/log/pptpd.log #日志存放的�\�?br />4.修改chap-secrets文�g

�~�辑/etc/chap-secrets配置文�g�Q�添加如下内容：

# client server secret IP addresses
"test@gd.cn" * "test" *

上面�W�二行代码的四项内容分别对应�W�一行中的四��V�?a href="mailto:%E2%80%9Ctest@gd.cn">“test@gd.cn�?是Client端的VPN用户名；“server”对应的是VPN服务器的名字�Q�该名字必须�?etc/ppp/options.pptpd文�g中指明的一��P��或者设�|�成�?”号来表�C��动识别服务器�Q�“secret”对应的是登录密码；“IP addresses”对应的是可以拨入的客户端IP地址�Q�如果不需要做特别限制�Q�可以将其设�|��ؓ�?”号�?br />
5.讄��IP伪装转发

只有讄��了IP伪装转发�Q�通过VPN�q�接上来的远�E�计��机才能互相ping通，实现像局域网那样的共享。用下面的命令进行设�|�：

#echo 1 > /proc/sys/net/ipv4/ip_forward

可以��这条命令放到文�?etc/rc.d/rc.local里面�Q�以实现每次开机时自动�q�行该命令�?br />
6.打开防火墙端�?br />
��Linux服务器的1723端口�?7端口打开�Q��ƈ打开GRE协议�?br />
#/sbin/iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
#/sbin/iptables -A INPUT -p tcp --dport 47 -j ACCEPT
#/sbin/iptables -A INPUT -p gre -j ACCEPT

启动服务.

　　/etc/rc.d/init.d/pptpd start

在RHEL�p�d��配置服务:
   cp /usr/sbin/pptpd /etc/rc.d/init.d/
   可以用chkconfig --add pptpd 来添�?sbin/service pptpd 下面服务
   �W�方�?etc/rc.d/rc.l/sbin/service pptpd start

      cat rc.local
#!/bin/sh
/sbin/service pptpd start
echo 1 > /proc/sys/net/ipv4/ip_forward

到这里Linux服务器的讄��完成了�Q�下面将利用Windows客户端进行测试�?
��试

下面以Windows Server 2003��Z��来进行测试�?

1.新徏�q�接

单击“开始→讄��→网�l�和拨号�q�接”打开“网�l�和拨号�q�接”的�H�口�Q�再单击“新��接”打开“网�l�连接向导”的�H�口�Q�然后依�ơ选择或填写“连接到我的�?作场所�|�络→虚拟专用网�l�连接→公司名（可以随便填写�Q�→不拨初始�q�接↺�P地址�Q�填入VPN服务器的IP地址�Q�”，最后单几Z��确定”，��徏立了一个新�?�q�接�?

2. 修改�q�接属�?

叛_��刚才创徏的连接，再依�ơ单几Z��属性→�|�络�Q�选择TCP/IP协议�Q�→属性→高��”，然后把“在�q�程�|�络上��用默认网关”前面的勑֎�掉后单击“确定”�?

3.建立�q�接

双击刚才建立好的�q�接�Q�填入提前设�|�好的用户名和密码，单击“确定”进行连接。如果连接成功，在连接的“详�l�信息”里应该可以看到服务器所分配的IP地址�{�信息。这�Ӟ��可以跟�q�接�q�入的局域网里的其它计算��行通信了�?

如果客户端��用的仍然是Windows 95或Windows 98�Q�则需要到http://support.microsoft.com/support/kb/articles/q285/1/89.asp下蝲相关的拨��L��序�?/p>

地狱��L��(hellboys) 2006-04-30 00:21 发表评论

How Windows Peer-to-Peer Networking Works

地狱��L��(hellboys) — Sat, 01 Apr 2006 17:07:00 GMT

How Windows Peer-to-Peer Networking Works

In this section, we briefly describe the Windows Peer-to-Peer Networking architecture and then describe the details of the fundamental peer-to-peer capabilities of peer discovery and name resolution, graphing, grouping, replicated storage, and searching.

Windows Peer-to-Peer Networking Architecture

The architecture of Windows Peer-to-Peer Networking is shown in Figure 1.

Figure 1: Windows Peer-to-Peer Networking architecture
See full-sized image.

Windows Peer-to-Peer Networking architecture consists of the following components:

�?/td>	Graphing The Graphing component is responsible for maintaining a set of connected nodes known as a graph and providing flooding and replication of data across the graph. The Graphing component uses the Flood & Synchronization, Store, and Graph Maintenance subcomponents.
�?/td>	Grouping The Grouping component is the security layer provided by default on top of a graph. The security layer defines the security model behind group creation, invitation, and connection to the group. In addition, Grouping leverages PNRP as the name resolution protocol - and enables multiple applications to share the same graph. The Grouping component uses the Group Security and Group Security Service Provider (SSP) subcomponents.
�?/td>	NSP The Name Service Provider (NSP) component provides a mechanism to access an arbitrary name service provider. In the case of Windows Peer-to-Peer Networking, peer-to-peer applications use the NSP interface to access PNRP.
�?/td>	PNRP The PNRP component provides peer-to-peer name resolution.
�?/td>	Identity Manager Identity manager enables the creation and management of peer-to-peer identities.
�?/td>	Microsoft TCP/IP version 6 protocol The Microsoft TCP/IP version 6 protocol (IPv6) provides the transport over which Windows Peer-to-Peer Networking operates.

The details of how Windows Peer-to-Peer Networking works are described in the following sections:

�?/td>	IPv6 and NAT traversal
�?/td>	Name resolution and peer discovery with PNRP
�?/td>	Graphing
�?/td>	Grouping
�?/td>	Replicated store
�?/td>	Searching

IPv6 and NAT Traversal

Windows Peer-to-Peer Networking uses IPv6 as its Internet layer. IPv6 was chosen because it restores the end-to-end computing model to networking. With IPv6, there are no issues with address shortage that require the use of Network Address Translators (NATs). For more information about how NATs translate addresses and port numbers and use port mappings, see Windows 2000 Network Address Translator (NAT). NATs for IPv4 extend the lifetime of the IPv4 public address space, but at the expense of breaking end-to-end communication.

IPv6 support was included in Windows XP and Windows XP with SP1 as a developer preview edition. A production-quality release of an IPv6 protocol is available in Windows XP with SP1, Windows XP with SP2, and the Windows Server�?2003 family. A common misconception about IPv6 is that the existing IPv4 infrastructure (your intranet and the Internet) must be upgraded to support IPv6 before it can be used. This is not true. The designers of IPv6 realized that IPv4 infrastructures will be in place for the foreseeable future and created a series of transition technologies that allow IPv6 traffic to be sent over an IPv4 network by encapsulating an IPv6 packet with an IPv4 header.

The two transition technologies that are recommended for use and enabled by default for the IPv6 protocol for Windows XP and the Windows Server 2003 family are the following:

�?/td>

Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)

ISATAP is an address assignment and automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 hosts across an IPv4 intranet. ISATAP is described in the Internet draft titled "Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)".

�?/td>

6to4

6to4 is an address assignment and automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 sites and hosts across the IPv4 Internet. 6to4 is described in RFC 3056.

For more information about ISATAP and 6to4, see the IPv6 Transition Technologies white paper.

For IPv6 connectivity across the IPv4 Internet, 6to4 is the preferred address assignment and tunneling technology. However, 6to4 depends on the assignment of a public IP address to a computer connected to a private network that acts as a 6to4 router. The IPv6 protocol for Windows XP and the Windows Server 2003 family can be used as a 6to4 router either automatically by enabling Internet Connection Sharing (ICS) or through manual configuration. Many Network Address Translators (NATs) that are used to connect small office or home office networks to the Internet do not yet have 6to4 router capability. Additionally, there might be more than one NAT between a host on a private network and the IPv4 Internet, in which case 6to4 would not work even if the NAT connected to the private network had 6to4 functionality. Another issue with NATs is their default inability to forward traffic that does not use either TCP or UDP. IPv6 over IPv4 traffic uses protocol 41. If this type of traffic is not recognized by the NAT, it is discarded.

To address the need for an IPv6 over IPv4 address assignment and tunneling solution that works for hosts that are located across NATs that cannot also be 6to4 routers, Microsoft is working with the Internet standards bodies to define Teredo, also known as IPv6 NAT Traversal (NAT-T). Teredo is defined in an Internet draft titled "Teredo: Tunneling IPv6 over UDP through NATs".

Teredo works by assigning global IPv6 addresses that are based on the public IPv4 address of the NAT interface that is connected to the Internet and then encapsulating IPv6 packets with both an IPv4 header and a UDP header. By using both an IPv4 and a UDP header, most NATs can translate Teredo traffic.

Teredo client support is included with Windows XP SP2. For computers running Windows XP with SP1, you must install the Advanced Networking Pack for Windows XP.

For additional information about how Teredo works, see the "Teredo Overview" white paper.

Name Resolution and Peer Discovery with PNRP

In order for communication to occur between peers, they must be able to discover each other's presence and resolve each other's network locations (addresses, protocols, and ports) from names or other types of identifiers. How peers discover each other and resolve each other's names for communication is complicated by transient connectivity and the lack of address records in DNS.

Windows Peer-to-Peer Networking solves this problem with a name resolution and peer discovery scheme with the following attributes:

�?/td>	Distributed and serverless for name resolution Like DNS, the complete list of names is stored on computers throughout the cloud. Unlike DNS, there are no servers that provide name resolution. Each peer stores a portion of the list in its cache and can refer to other peers. Central servers are not used to resolve names. Windows Peer-to-Peer Networking is not strictly serverless, as there is a seed node that facilitates initialization.
�?/td>	The use of identifiers (IDs) instead of names Rather than using a name, such as a fully qualified domain name in DNS, IDs are used to identify peer entities. IDs are just numbers and therefore are not subject to language and trademark or copyright issues.
�?/td>	The use of multiple IDs Each separate peer computer, user, group, device, service or other type of peer node can have its own peer ID.
�?/td>	Ability to scale to large numbers of IDs The list of IDs is distributed among the peers using a multi-level cache and referral system that allows name resolution to scale to billions of IDs, while requiring minimal resources on each node.

The protocol used to send messages between peers for name resolution and peer discovery is Peer Name Resolution Protocol (PNRP).

PNRP uses multiple clouds, in which a cloud is a grouping of computers that use addresses of a specific scope. A scope is an area of the network over which the address is unique. PNRP clouds are based on the address scopes for IPv6 addresses. The following clouds are defined:

�?/td>	The global cloud corresponds to the global IPv6 address scope and represents all the computers on the entire IPv6 Internet. There is only a single global could.
�?/td>	The site-specific cloud corresponds to the site IPv6 address scope and site-local addresses. A site is a portion of an organization network that has defined geographical or topological boundaries. There can be multiple site-specific clouds.
�?/td>	The link-local cloud corresponds to the link-local IPv6 address scope and link-local addresses. A link-local cloud is for a specific link, typically the same as the locally attached subnet. There can be multiple link-local clouds.

地狱��L��(hellboys) 2006-04-02 01:07 发表评论

NAT和P2P�|�络

地狱��L��(hellboys) — Sat, 01 Apr 2006 17:00:00 GMT

互联�|�是��Z��32位IP地址的，�q�意味着互联�|�理��Z��最大电脑数目约为四万亿。由于IP地址使用方式的无效性，实际的数量会��得多。实际上�Q�互联网�q�不了多久就会将IP地址用完�?/p>

因�ؓ可用的IP地址��来��少�Q�一�U�被�U�Cؓ�|�络地址解析或箭�U�NAT的技术被开发出来，它允�总�一个IP地址来代表整个网�l�的电脑�?/p>

一个NAT处在公用互联�|�与它所服务的网�l�之��_��重写数据中IP头部的IP地址和端口号以��所有的包看上去都象从一个NAT讑֤�的公用IP地址发来�Q�或到它去）的，而不是发自（往�Q�实际的源或者目标�?/p>

NAT如今已经在小型家庭－办公室�\��p��普遍�U�用,也在很多软�g中被用户使用以连接几台PC��C��个唯一的电�~�MODEM。它甚至被一些ISP使用�?/p>

�Q�NAT不是唯一可能的解军_��法，代理服务器也被普遍��用，但需要更多的配置�Q�有时还需要要定制的客��L��软�g。而最�l�，我们都将转换到IP�?�Q�它��?28位地址�Q�可以解军_��有的及所有的问题�Q�但那将在很久后才会普及�?/p>

某些协议是非NAT友好�?/strong>

一些应用程序将IP和端口号隐藏在它们的数据包中发送，NAT不能正确重写它们�Q�所以当你想在NAT�|�络内��用那些程序的话，它们��不会正��运行�?/p>
一些NAT�Q�由于安全原因，只允�总�已经发送过数据�ȝ��外部地址接收数据。这意味着处于不同NAT后的两个��Z��能以通常的方式徏立连接�?/p>
解决办法

希望NAT友好的Peer-to-peer�Q�点对点�Q�协议必��L��：其所嵌入数据包的��M��地址在通过NAT旉��可能变梦扌В��D��枰咕取Ｒ桓隹��械姆椒ㄈ��u�?/p>

两点之间所有的数据��都通过一个单一的UDP端口。存在着一个不处于��M��NAT之后的地址服务器，用户首先与地址服务器连接，�q�发送他们认为拥有的IP地址�Q�服务器标记该地址和它在UDP头部所看到的地址。然后服务器��两个地址都送往其它炏V��这��P��所有�h都知道其它�h的地址�?/p>
为打开点对点的�q�接�Q�所有的旧（�l�）点发送一个UDP包到新的�Q�结�Q�点�Q�且斎ͼ��l�）点发送一个UDP包到每一个老（�l�）炏V��因为无人知道开始它们是否处于同一个NAT之后�Q�第一个包往往被同旉��往公有和私有地址�?/p>
�q�导致每个�h的NAT为UDP数据��的通过打开一个双向的�z�。一旦第一个响应从每个�Q�结�Q�点�q�回�Q�发送者就知道使用哪个�q�回地址�Q��ƈ能停止向两个地址发送数据�?/p>
兼容性需�?/strong>

��Z��和超��基本的NAT　RFC�Q�一个想支持�q�个技术的NAT讑֤�必须有以下要求的属性：

�Q�＞NAT不允许改变被数据��用的UDP端口受��?br />如果一个处于NAT之后的主��Z��一个单一的UDP口发送了一�p�d��的包�Q�被NAT接棒后的包也必须表现为来自同一��L��和UDP口�?/p>
RFC蓝图

我正在拟订这��Ҏ��术RFC蓝图更�ؓ详细的细节。如果你感兴��，请与我联�p�R�?/p>
兼容性测试结�?/strong>

我正在测试实现几个NAT通讯的兼�Ҏ��。这里是部分�l�果�Q?/p>
已知的NAT实现的兼�Ҏ�?/strong>

�Q�＞NAT1000�Q�完全兼宏V��感谢Nevod技术�h员早期所帮助做的兼容性测试。无��M��东西需要改变；�q�项技术与他们的NAT一赯��行很�E�_��。Nevod已经不再存在了，它已被微软兼�q��?br />�Q�＞Win98 SE包含的网�l�联接共享��Y�Ӟ��h��贜AT1000�Q�所以一定运行良好�?br />�Q�＞SYGATE�Q�完全兼宏V�?br />�Q�＞NAT32�Q?999�q?�?号公布的BETA��试版完全兼宏V��现在公布的版本也应该完全兼宏V�?br />�Q�＞LINUX　IP　Masquerading�Q�LINUX　IP伪装�Q�：2.2.1版本内核和后�l�版本可以正常运行。请到http://juanjox.linuxhq.com/?��L��早期2.1版本的补丁�?.0版本的补丁见Glenn Lamb的页面：http://home.indyramp.com/lists/masq/msg03024.html�Q?br />ftp://ftp.netcom.com/pub/mu/mumford/loose-udp-2.0.36.patch.gz�Q?br />Glenn的端口��之拥有一个配�|�时选项CONFIG_IP_MASQ_LOOSE_UDP�Q�这是一个很好的举措�?br />�Q�＞WinNAT�Q�当前版本工作正常�?/p>
NAT实现卛_��可兼容的

�Q�＞Arescom Apex 1100 ISDN路由�Q�Arescom�?999�q?月针�Ҏ��问题发布了一个固件补丁；也许现在已经�q�入其标准固仉��?但我�q�没有证实�?br />�Q�＞Vicomsoft Softrouter Plus�Q�Vicom曑օ�布过一个版本以解决�q�个问题�Q�但我还没有��Z��来测试一下。注意：��Z�ɘq�个实现正常�q�行�Q�你必须把网兌��备上除指向内部以太适配器外的所有本地TCP�l�定��止。在使用Vicom的安装助手之前请阅读其文档�?/p>
未知是否兼容�?/strong>

�Q�＞Cisco IOS有一内置的NAT兼容�Ҏ��，也许有用也许不然�?br />�Q�＞我们已经��试了我们手上所有能得到的WIN32软�g。但�q�没有测试嵌入到许多��型家庭办公路由中的NAT�Q�也没有��试外置的NAT如SonicWall�{��?/p>
不兼容的

�Q�＞所有的�U�代理服务器解决办法�Q�如WINGATE2或者PPPShar�Q�都不能正常�q�行�?/p>
使用�q�项技术的软�g

以下软�g包是已知的支持在NAT后操作的�Q?br />�Q�＞Civilization: Call To Power
�Q�＞Heavy Gear 2

讨论�?/strong>

我想听到其它开发者对于这��Ҏ��术的��x��Q�以及Masq如何被重写以正确复用UDP端口。加入NAT-peer-games�Q?a >http://onelist.com/viewarchive.cgi?listname=nat-peer-games�Q�邮件列表让我们一赯��论�?/p>
实施问题

在测试SYGATE和近期NAT1000版本�Ӟ��我遇��C��些实施方面的问题。当�q�行�|�关的机器是通过MODEM与INTERNET联接的话所有一切均正常。但如果�|�关机器是通过以太�|�与INTERNET联接的话�Q�客��L��不能讉K��那个外部以太�|�上的其它主机。看上去��p��那台�|�关送出来的包完全被外部以太�|�上的其它主��Z��弃了。然而�\由器不会丢弃数据�Q�所以与�q�程��L��联接没有问题。想了解更多信息�Q�请到my Usenet post�Q?a >http://www.dejanews.com/getdoc.xp?AN=427631763�Q�获取�?/p>
我們֐�于相信这是硬件原因，但谁知道�?..

链接

�Q�＞IETF Working Group on NAT�Q?br />http://www.ietf.org/html.charters/nat-charter.html
新的RFC草图和邮件列表。其中一个文�?br />http://www.ietf.org/internet-drafts/draft-ietf-nat-protocol-issues-01.txt
提到�q�项技术；搜烦关键词“Activision�?/p>
�Q�＞NAT��面�Q?br />http://www.uq.edu.au/~gadmacka/the-nat-page/
列出了一些可行的NAT实现

�Q�＞LINUX　IP伪装�Q?br />http://www.indyramp.com/masq/
都是关于NAT实现的LINUX之Masq�?/p>
�Q�＞MASQ邮�g列表的可查询索引�Q?br />http://www.mail-archive.com/masq@tori.indyramp.com/

�Q�＞LINUX　IP　NAT论坛�Q?br />http://serf.csn.tu-chemnitz.de/HyperNews/get/linux-ip-nat.html
NAT论文�Q�老式的不支持的LINUX　NAT实现和一个讨论区。多半�ؓ了历史兴��?/p>
历史

相对于我的知识来讲这是一��Ҏ��技术。我�?997�q�开始研�I�它�Q��ƈ�?998�q�用它完成了我的�W�一个作品。这��Ҏ��术在制作Activision多玩家游戏中被开发�?/p>
1999　DAN　KEGEL　版权所�?br />dank@alumni.caltech.edu
最�q�更斎ͼ�1999�q?�?7�?br />KEGEL的主��：http://www.kegel.com/

地狱��L��(hellboys) 2006-04-02 01:00 发表评论

IDS�Q�Intrusion Detection System

地狱��L��(hellboys) — Fri, 24 Mar 2006 06:52:00 GMT
入��R��系�l�（IDS�Q�主要检��计��机�|�络中的非法、错误或者异常行为。运行在��L��上，�q�且负责��该��L��上恶意破坏行为的 ID �pȝ��Q�被�U�C��Z��机型 ID �pȝ��?
　　��L��?IDS 软�g被安装于需要监控的�pȝ��上。IDS 软�g上的数据源是日志文�g�?或系�l�审计代理。主机型 IDS 不仅着��g��计算��Z��通信��量的出入，同时也校验用��L��l�文件的完整性，�q�检��可疑程序。�ؓ了能使基于主机的 IDS 完整地覆盖受控站点，需要在每台计算��Z��都安�?IDS �pȝ��?/p>
　　��L��型入侉|��Y件主要有两种�c�d��Q�主�?wrapper /个�h防火墙和��Z��代理的��Y件。与�|�络�?IDS 相比�Q�主机型 IDS 中每�U�检��内部攻击（��x��谓的异常行�ؓ�Q�的�Ҏ��都更为高效，但相对而言�Q�两者在��外部攻��L��面都非常有效。主�?wrapper 或者个人防火墙都可以配�|�来着��g��受控机器的所有网�l�数据包�Q�连接尝试或��d��试�{�。另外还包含拨号��试或者其它非�|�络相关通信端口�{�功能�?/p>
　　�|�络�?IDS 的数据源是网�l�上的数据包�Q�IDS 监控各网�D늚�数据包流量作为。网�l�接口卡被设�|��ؓ混合模式�Q�以获取跨越各网�D늚�所有网�l�流量。但�|�络�?IDS 不能监控其它各段上的�|�络��量�?/p>
　　�|�络�?IDS 着��g��l�过传感器的�|�络数据包。传感器只能看到与其相连的网�l�段上装载的数据包。如果�ؓ�q�些数据包都匚w��一个标志，那么主要有以下三�U�标志类型：
串标志（String Signature�Q�：着��g��文本�Ԍ��表示可能性功能。�ؓ降低串信号错误数量，使用复合串信��h��非常必要的�?
端口标志�Q�Port Signature�Q�：着��g��众所周知的、高频率的攻�ȝ��口的�q�接��试。例�?telnet�Q�TCP 端口23�Q�、FTP�Q�TCP 端口21/20�Q�、SUNRPC�Q�TCP/UDP 端口111�Q�和 IMAP �Q�TCP 端口143�Q�等端口�?
头标志（Header Signature�Q�：着��g��危险的或不合理的数据包头�l�合。其中最著名的例子是 Winnuke�Q�数据包被指�?NetBIOS 端口和紧急指针，或者设�|�带外指针。对微��Y�pȝ��来说�q�将��D��“蓝频死机”现象�?
　　�|�络型和��L��?IDS 都具有正反两面。所以通常情况下，�|�络中结合两�U�技术提供完整保护功能。��M��Q�有关何处��用到�q�三�U�类型，以及如何整合数据都是一个切实且日益��x��的主题�?

地狱��L��(hellboys) 2006-03-24 14:52 发表评论

亚洲AV无码一区二区三区国产,自拍偷自拍亚洲精品偷一,亚洲人成人网毛片在线播放

Android中文文档v0.1 beta低调发布,期待更多同学来参加review

�Ƣ迎讉K��Android中国

一��C�������多台电脑监控 (keyword:cacti,snmp,snmpd.conf)

妙解�|�络多台dhcp引�v的IP冲突

P2P之UDP�I�K��NAT的原理与实现

P2P之UDP�I�K��NAT的原理与实现 - 增强��?附修改过的源代码)

desktop推荐使用ubuntu

Mysql 集群���介和配置

How Windows Peer-to-Peer Networking Works

How Windows Peer-to-Peer Networking Works

Windows Peer-to-Peer Networking Architecture

IPv6 and NAT Traversal

Name Resolution and Peer Discovery with PNRP

NAT和P2P�|�络

IDS�Q�Intrusion Detection System

一��C��多台电脑监控 (keyword:cacti,snmp,snmpd.conf)

Mysql 集群��介和配置