source: postlfs/security/firewalling.xml

Last change on this file was 3f2db3a6, checked in by Pierre Labastie <pierre.labastie@…>, 10 months ago

Remove sect1info tags

They only contain a date tag that is nowhere used.

  • Property mode set to 100644
File size: 9.9 KB
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
8<sect1 id="fw-firewall" xreflabel="Firewalling">
9 <?dbhtml filename="firewall.html"?>
12 <title>Setting Up a Network Firewall</title>
14 <sect2 id="fw-intro" xreflabel="Firewalling Introduction">
15 <title>Introduction to Firewall Creation</title>
17 <para>
18 The purpose of a firewall is to protect a computer or a network against
19 malicious access. In a perfect world every daemon or service, on every
20 machine, is perfectly configured and immune to security flaws, and all
21 users are trusted implicitly to use the equipment as intended. However,
22 this is rarely, if ever, the case. Daemons may be misconfigured, or
23 updates may not have been applied for known exploits against essential
24 services. Additionally, you may wish to choose which services are
25 accessible by certain machines or users, or you may wish to limit which
26 machines or applications are allowed external access. Alternatively, you
27 simply may not trust some of your applications or users. For these
28 reasons, a carefully designed firewall should be an essential part of
29 system security.
30 </para>
32 <para>
33 While a firewall can greatly limit the scope of the above issues, do not
34 assume that having a firewall makes careful configuration redundant, or
35 that any negligent misconfiguration is harmless. A firewall does not
36 prevent the exploitation of any service you offer outside of it. Despite
37 having a firewall, you need to keep applications and daemons properly
38 configured and up to date.
39 </para>
41 </sect2>
43 <sect2>
44 <title>Meaning of the Word "Firewall"</title>
46 <para>
47 The word firewall can have several different meanings.
48 </para>
50 <sect3>
51 <title>Personal Firewall</title>
53 <para>
54 This is a hardware device or software program, intended to secure a
55 home or desktop computer connected to the Internet. This type of
56 firewall is highly relevant for users who do not know how their
57 computers might be accessed via the Internet or how to disable
58 that access, especially if they are always online and connected
59 via broadband links.
60 </para>
62 <para>
63 An example configuration for a personal firewall is provided at
64 <xref linkend="fw-persFw-ipt"/>.
65 </para>
67 </sect3>
69 <sect3>
70 <title>Masquerading Router</title>
72 <para>
73 This is a system placed between the Internet and an intranet.
74 To minimize the risk of compromising the firewall itself, it should
75 generally have only one role&mdash;that of protecting the intranet.
76 Although not completely risk-free, the tasks of doing the routing and
77 IP masquerading (rewriting IP headers of the packets it routes from
78 clients with private IP addresses onto the Internet so that they seem
79 to come from the firewall itself) are commonly considered relatively
80 secure.
81 </para>
83 <para>
84 An example configuration for a masquerading firewall is provided at
85 <xref linkend="fw-masqRouter-ipt"/>.
86 </para>
88 </sect3>
90 <sect3>
91 <title>BusyBox</title>
93 <para>
94 This is often an old computer you may have retired and nearly
95 forgotten, performing masquerading or routing functions, but offering
96 non-firewall services such as a web-cache or mail. This may be used
97 for home networks, but is not to be considered as secure as a firewall
98 only machine because the combination of server and router/firewall on
99 one machine raises the complexity of the setup.
100 </para>
102 <para>
103 An example configuration for a BusyBox is provided at
104 <xref linkend="fw-busybox-ipt"/>.
105 </para>
107 </sect3>
109 <sect3>
110 <title>Firewall with a Demilitarized Zone</title>
112 <para>
113 This type of firewall performs masquerading or routing, but grants
114 public access to some branch of your network that is physically
115 separated from your regular intranet and is essentially a separate
116 network with direct Internet access. The servers on this network are
117 those which must be easily accessible from both the Internet and
118 intranet. The firewall protects both networks. This type of firewall
119 has a minimum of three network interfaces.
120 </para>
122 </sect3>
124 <sect3>
125 <title>Packetfilter</title>
127 <para>
128 This type of firewall does routing or masquerading but does
129 not maintain a state table of ongoing communication streams. It is
130 fast but quite limited in its ability to block undesired packets
131 without blocking desired packets.
132 </para>
134 </sect3>
136 </sect2>
138 <sect2>
139 <title>Conclusion</title>
141 <caution>
142 <para>
143 The example configurations provided for <xref linkend="iptables"/>
144<!-- and <xref linkend="nftables"/> -->
145 are not intended to be a complete guide to
146 securing systems. Firewalling is a complex issue that requires careful
147 configuration. The configurations provided by BLFS are intended only to
148 give examples of how a firewall works. They are not intended to fit any
149 particular configuration and may not provide complete protection from
150 an attack.
151 </para>
152 </caution>
154 <para>
155 BLFS provides two utilities to manage the kernel Netfilter interface,
156 <xref linkend="iptables"/> and <xref linkend="nftables"/>.
157 </para>
159 <para>
160 BLFS provides an utility to manage the kernel Netfilter interface,
161 <xref linkend="iptables"/>. It has been around since early 2.4 kernels,
162 and has been the standard since. This is likely the set of tools that
163 will be most familiar to existing admins. Other tools have been
164 developed more recently, see the list of further readings below
165 for more details. Here you will find a
166 list of URLs that contain comprehensive information about building
167 firewalls and further securing your system.
168 </para>
170 <para>
171 <xref linkend="nftables"/> is the successor to <xref linkend="iptables"/>
172 and provies all of the same functionality with a single userspace tool,
173 <command>nft</command>, that uses similar syntax to BSD's
174 <application>pf</application> utility, and may be easier for new users or
175 admins already familiar with that platform.
176 </para>
178 <para>
179 While both can be used in tandem, that is an advanced configuration and
180 you should decide on one or the other. Both pages include very simple
181 example configurations, and customization of the provided configurations
182 for your specific environment will be necessary if you elect to use
183 either without a configuration tool.
184 </para>
186 <para>
187 Additionally, a firewall management tool, <xref linkend="firewalld"/>, is
188 provided to greatly ease firewall configuration for both simple and
189 complex environments, and can be used with either tool. You should not
190 use the example configurations if you intend to use
191 <application>firewalld</application> to manage your firewall rules.
192 </para>
194 <para>
195 If you elect to configure manually, have a look at the
196 list of further reading below for more details. Here you will find a
197 list of URLs that contain comprehensive information about building
198 firewalls and further securing your system.
199 </para>
201 </sect2>
203 <sect2 id="fw-extra-info">
204 <title>Extra Information</title>
206 <sect3>
207 <title>Further Reading on Firewalls</title>
209 <blockquote>
210 <literallayout>
211<ulink url=""> - Homepage of the netfilter/iptables/nftables projects</ulink>
212<ulink url="">Netfilter related FAQ</ulink>
213<ulink url="">Netfilter related HOWTO's</ulink>
214<ulink url="">nftables HOWTO</ulink>
215<ulink url=""></ulink>
216<ulink url=""></ulink>
217<ulink url=""></ulink>
218<ulink url=""></ulink>
219<ulink url=""></ulink>
220<ulink url=""></ulink>
221<ulink url=""></ulink>
222 </literallayout>
224<!-- comment-out entries moved out of literallayout to avoid empty lines -->
226<!-- not accssible 2022-09-08
227<ulink url=""> (German &amp; outdated, but very comprehensive)</ulink>-->
228<!-- redirects somewhere you can buy a book, not sure if we should link to
229 a book which you'll need to pay for reading
230<ulink url=""></ulink>
232<!-- 404 2022-09-08
233<ulink url=""></ulink> -->
234<!-- redirects to dead bugtraq
235<ulink url=""></ulink>-->
236<!-- redirects to CERT main page
237<ulink url=""> - tech_tips</ulink>-->
238<!-- not accessible 2022-09-08
239<ulink url=""></ulink> -->
240 </blockquote>
242 </sect3>
244 </sect2>
Note: See TracBrowser for help on using the repository browser.