source: postlfs/security/firewalling.xml@ 0e3848e3

Last change on this file since 0e3848e3 was 0e3848e3, checked in by Bruce Dubbs <bdubbs@…>, 17 years ago

Update firewalling section

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@3539 af4574ff-66df-0310-9fd7-8a98e5e911e0

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
 "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
 <!ENTITY % general-entities SYSTEM "../../general.ent">
 %general-entities;
]>

<sect1 id="fw-firewall" xreflabel="Firewalling">
<sect1info>
<othername>$LastChangedBy$</othername>
<date>$Date$</date>
</sect1info>
<?dbhtml filename="firewall.html"?>
<title>Setting up a network firewall</title>

<para>Before you read this part of the chapter, you should
have already installed iptables as described in the previous section.</para>

<sect2 id="fw-intro" xreflabel="Firewalling Introduction">
<title>Introduction to Firewall Creation</title>

<para>The general purpose of a firewall is to protect a computer or a network
against malicious access.</para>

<para>In a perfect world, every daemon or service
on every machine is perfectly configured and immune to flaws such as
buffer overflows or other problems regarding its
security. Furthermore, you trust every user accessing your services.
In this world, you do not need to have a firewall.</para>

<para>In the real world however, daemons may be misconfigured
and exploits against essential services are freely available. You
may wish to choose which services are accessible by certain machines or
you may wish to limit which machines or applications are allowed external
access. Alternatively, you may simply not trust some of your
applications or users. You are probably connected to the Internet. In this
world, a firewall is essential.</para>

<para>Don't assume, however, that having a firewall makes careful configuration
redundant, or that it makes any negligent misconfiguration harmless. It doesn't
prevent anyone from exploiting a service you intentionally offer but haven't
recently updated or patched after an exploit went public. Despite having a
firewall, you need to keep applications and daemons on your system properly
configured and up to date. A firewall is not a cure-all, but should be an
essential part of your overall security strategy.</para>

</sect2>

<sect2>
<title>Meaning of the word "firewall"</title>

<para>The word firewall can have several different meanings.</para>

<sect3><title><xref linkend="fw-persFw"/></title>

<para>This is a hardware device or software program commercially sold by
companies such as Symantec which claims that it
secures a home or desktop computer with Internet access. This type of firewall is
highly relevant for users who do not know how their computers
might be accessed via the Internet or how to disable that access,
especially if they are always online and connected via
broadband links.</para></sect3>

<sect3>
<title><xref linkend="fw-masqRouter"/></title>

<para>This is a system placed between the Internet and an intranet. To minimize
the risk of compromising the firewall itself, it should generally have only one
role&mdash;that of protecting the intranet. Although not completely risk free,
the tasks of doing the routing and IP masquerading (rewriting IP headers of
the packets it routes from clients with private IP addresses onto the Internet
so that they seem to come from the firewall itself) are commonly considered
relatively secure.</para>
</sect3>

<sect3>
<title><xref linkend="fw-busybox"/></title>

<para>This is often an old computer you may have retired and nearly forgotten,
performing masquerading or routing functions, but offering non-firewall
services such as a web-cache or mail. This may be used for home
networks, but is not considered as secure as a firewall-only
machine because the combination of server and router/firewall on one machine
raises the complexity of the setup.</para>
</sect3>

<sect3>
<title>Firewall with a demilitarized zone [not further described here]</title>
<para>This box performs masquerading or routing, but grants public access to
some branch of your network which, because of public IPs and a physically
separated structure, is essentially a separate network with direct Internet access.
The servers on this network are those which must be easily accessible
from both the Internet and intranet. The firewall protects
both networks. This type of firewall has a minimum of three network interfaces.</para>
</sect3>

<sect3>
<title>Packetfilter</title>
<para>This type of firewall does routing or masquerading, but does not maintain
a state table of ongoing communication streams. It is fast, but quite limited
in its ability to block inappropriate packets without blocking desired
packets.</para>
</sect3>
</sect2>

<sect2 id="fw-writing" xreflabel="writing the firewalling-setup-scripts">
<title>Now you can start to build your Firewall</title>

<caution><para>This introduction on how to set up a firewall
is not a complete guide to securing systems. Firewalling is a complex issue
that requires careful configuration. The scripts quoted here are simply
intended to give examples of how a firewall works. They are not intended to
fit into any particular configuration and may not provide complete protection
from an attack.</para>

<para>Customization of these scripts for your specific situation will
be necessary for an optimal configuration, but you should make a serious
study of the iptables documentation and creating firewalls in general before
hacking away. Have a look at the list of
<xref linkend="fw-library"/> at the end of this section for
more details. There you will find a list of URLs that contain quite
comprehensive information about building your own firewall.</para>
</caution>

<para>The firewall configuration script installed in the last section differs
from the standard configuration script. It only has two of the standard
targets: start and status. The other targets are clear and lock. For instance, when you
run:

<screen><userinput><command>/etc/rc.d/init.d/iptables start</command></userinput></screen>

the firewall will be restarted just as it is upon system startup. The status target
will present a list of all currently implemented rules. The clear target turns off all
firewall rules and the lock target will block all packets in and out of the computer
with the exception of the loopback interface.</para>

<para>The main startup firewall is located in the file
<filename>/etc/rc.d/rc.iptables</filename>. The sections below provide three different
approaches that can be used for a system.</para>

<note><para>You should always run your firewall rules from a script. This ensures
consistency and a record of what was done. It also allows retention of comments
that are essential for understanding the rules long after they were written.
</para></note>
<sect3 id="fw-persFw" xreflabel="Personal Firewall">
<title>Personal Firewall</title>

<para>A Personal Firewall is designed to let you access all the services
offered on the Internet, but keep your box secure and your data private.</para>

<para>Below is a slightly modified version of Rusty Russell's recommendation
from the
<ulink url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">
Linux 2.4 Packet Filtering HOWTO</ulink>. It is still applicable to the Linux 2.6 kernels.</para>

<screen><userinput><command>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"</command>
#!/bin/sh

# Begin $rc_base/rc.iptables

# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe ipt_LOG

# Enable broadcast echo Protection
echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send Redirect Messages
echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects

# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible addresses.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians

# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr

# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow local-only connections
iptables -A INPUT -i lo -j ACCEPT

# Free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log everything else. What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

# End $rc_base/rc.iptables
<command>EOF</command></userinput></screen>
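<para>The script above sets a number of kernel parameters under
<filename>/proc/sys</filename> before loading any rules. The function below, an added
example rather than part of the BLFS script, re-reads those files and reports every
value that differs from what the script wrote, so the hardening can be checked after
boot or after someone has changed a setting by hand. The function name, the table of
expected values (the security-relevant settings from the script;
<filename>ip_dynaddr</filename> is left out because its value depends on whether the
link has a dynamic address) and the optional base-directory argument, used to test
against a constructed tree, are assumptions of this example.</para>

```shell
#!/bin/sh
# Added example: verify the sysctl hardening applied by rc.iptables.
# Each entry is "path-under-/proc/sys expected-value", matching the echo
# lines in the script above (ip_dynaddr omitted, it is link dependent).
FW_SYSCTL_EXPECTED='
net/ipv4/icmp_echo_ignore_broadcasts 1
net/ipv4/conf/all/accept_source_route 0
net/ipv4/tcp_syncookies 1
net/ipv4/conf/all/accept_redirects 0
net/ipv4/conf/all/send_redirects 0
net/ipv4/conf/all/rp_filter 1
net/ipv4/conf/all/log_martians 1
net/ipv4/tcp_ecn 0
'

# fw_check_sysctl [BASE]
# Print one line per deviation ("path: expected X, got Y" or
# "path: missing") and return the number of deviations (0 = all good).
# BASE defaults to /proc/sys; a test may point it at a constructed tree.
fw_check_sysctl() {
    base=${1:-/proc/sys}
    bad=0
    # A here-document keeps the loop in the current shell, so $bad
    # survives the loop (a pipe into "while" would run it in a subshell).
    while read -r path want; do
        [ -n "$path" ] || continue
        file="$base/$path"
        if [ ! -r "$file" ]; then
            echo "$path: missing"
            bad=$((bad + 1))
            continue
        fi
        got=$(cat "$file")
        if [ "$got" != "$want" ]; then
            echo "$path: expected $want, got $got"
            bad=$((bad + 1))
        fi
    done <<EOF
$FW_SYSCTL_EXPECTED
EOF
    return "$bad"
}

# Usage: sh fw-check-sysctl.sh --run [BASE]   (or source it and call the function)
if [ "${1:-}" = "--run" ]; then
    fw_check_sysctl "${2:-/proc/sys}"
fi
```

<para>A non-zero exit status from the function is the count of settings that drifted,
which makes it easy to call from a cron job or a monitoring check and alert only when
something changed.</para>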

<para>This script is quite simple: it drops all traffic coming into your
computer that wasn't initiated from your box, but as long as you are simply
surfing the Internet you are unlikely to exceed its limits.</para>

<para>If you frequently encounter certain delays at accessing ftp-servers,
take a look at <xref linkend="fw-BB-4"/>.</para>

<para>Even if you have daemons or services running on your system, these
will be inaccessible everywhere but from your computer itself.
If you want to allow access to services on your machine, such as ssh or
ping, take a look at <xref linkend="fw-busybox"/>.</para>

</sect3>

<sect3 id="fw-masqRouter" xreflabel="Masquerading Router">
<title>Masquerading Router</title>

<para>A true Firewall has two interfaces, one connected to an intranet, in this
example <emphasis role="strong">eth0</emphasis>, and one connected to the
Internet, here <emphasis role="strong">ppp0</emphasis>. To provide the
maximum security for the firewall itself, make sure that there
are no unnecessary servers running on it such as <application>X11</application> et
al. As a general principle, the firewall itself should not access any
untrusted service (think of a remote server giving answers that make a daemon on
your system crash, or, even worse, that implements a worm via a
buffer-overflow).</para>

<screen><userinput><command>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"</command>
#!/bin/sh

# Begin $rc_base/rc.iptables

echo
echo "You're using the example configuration for a setup of a firewall"
echo "from Beyond Linux From Scratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue, that exceeds the scope"
echo "of the configuration rules below."
echo "You can find additional information"
echo "about firewalls in Chapter 4 of the BLFS book."
echo "http://www.linuxfromscratch.org/blfs"
echo

# Insert iptables modules (not needed if built into the kernel).

modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ipt_MASQUERADE
modprobe ipt_LOG
modprobe ipt_REJECT

# Enable broadcast echo Protection
echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send Redirect Messages
echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects

# Drop Spoofed Packets coming in on an interface where responses
# would result in the reply going out a different interface.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible addresses.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians

# Be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr

# Disable Explicit Congestion Notification
# Too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow local connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow forwarding if initiated on the intranet
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ! ppp+ -m state --state NEW -j ACCEPT

# Do masquerading
# (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE

# Log everything for debugging
# (last of all rules, but before policy rules)
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "

# Enable IP Forwarding
echo 1 &gt; /proc/sys/net/ipv4/ip_forward
<command>EOF</command></userinput></screen>

<para>With this script your intranet should be reasonably secure against
external attacks. No one should be able to set up a new connection to any
internal service and, if it's masqueraded, your intranet is invisible to the
Internet. Furthermore, your firewall should be relatively safe because there
are no services running that a cracker could attack.</para>

<note><para>If the interface you're connecting to the Internet doesn't connect
via ppp, you will need to change <replaceable>ppp+</replaceable> to the name of
the interface, e.g. <emphasis role="strong">eth1</emphasis>, which you are using.
</para></note>

</sect3>

<sect3 id="fw-busybox" xreflabel="BusyBox">
<title>BusyBox</title>

<para>This scenario isn't too different from the <xref linkend="fw-masqRouter"/>,
but additionally offers some services to your intranet.
Examples of this can be when you want to administer your firewall from another host
on your intranet or use it as a proxy or a name server.</para>

<note><para>Outlining a true concept of how to protect a server that offers
services on the Internet goes far beyond the scope of this document. See the references
at the end of this section for more information.</para></note>

<para>Be cautious. Every service you have enabled makes your
setup more complex and your firewall less secure. You are exposed to the risks of
misconfigured services or running a service with an exploitable bug. A
firewall should generally not run any extra services. See the introduction to
the <xref linkend="fw-masqRouter"/> for some more details.</para>

<para>If you want to add services such as internal samba or name servers that do not
need to access the Internet themselves, the additional statements are quite
simple and should still be acceptable from a security standpoint.
Just add the following lines
into the script <emphasis>before</emphasis> the logging rules.</para>

<screen>iptables -A INPUT -i ! ppp+ -j ACCEPT
iptables -A OUTPUT -o ! ppp+ -j ACCEPT</screen>

<para>If daemons, such as squid, have to access the Internet themselves,
you could open OUTPUT generally and restrict INPUT.</para>

<screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT</screen>

<para>However, it is generally not advisable to leave OUTPUT unrestricted. You
lose any control over trojans that would like to "call home", and a bit of
redundancy in case you've (mis-)configured a service so that it broadcasts
its existence to the world.</para>

<para>To accomplish this, you should restrict INPUT and OUTPUT
on all ports except those that it's absolutely necessary to have open.
Which ports you have to open depends on your needs: mostly you will find them
by looking for failed accesses in your log files.</para>
<itemizedlist spacing="compact" role='iptables'>

<title>Have a look at the following examples:</title>

<listitem><para>Squid is caching the web:</para>
<screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED \
 -j ACCEPT</screen>
</listitem>

<listitem><para>Your caching name server (e.g., named) does its
lookups via udp:</para>
<screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</screen>
</listitem>

<listitem><para>You want to be able to ping your box to
ensure it's still alive:</para>

<screen>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</screen>
</listitem>

<listitem><para><anchor id='fw-BB-4' xreflabel="BusyBox example number 4"/>If you are
frequently accessing ftp servers or enjoy chatting, you might notice certain
delays because some implementations of these daemons have the feature of
querying an identd on your system to obtain usernames. Although there's really
little harm in this, having an identd running is not recommended because many
security experts feel the service gives out too much additional information.</para>

<para>To avoid these delays you could reject the requests
with a 'tcp-reset':</para>

<screen>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset</screen>
</listitem>

<listitem><para>To log and drop invalid packets (packets
that came in after netfilter's timeout or some types of network scans). Both
rules are inserted at the head of the chain, so the DROP is inserted first and
the LOG second; this leaves the LOG rule ahead of the DROP rule, otherwise the
packets would be dropped before they are ever logged:</para>

<screen>iptables -I INPUT -p tcp -m state --state INVALID -j DROP
iptables -I INPUT -p tcp -m state --state INVALID \
 -j LOG --log-prefix "FIREWALL:INVALID "</screen></listitem>

<listitem><para>Anything coming from the outside should not have a
private address; forging one is a common attack called IP spoofing:

<screen>iptables -A INPUT -i ppp+ -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i ppp+ -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP</screen>

There are other addresses that you may also want to drop: 0.0.0.0/8,
127.0.0.0/8, 224.0.0.0/3 (multicast and experimental), 169.254.0.0/16 (Link
Local Networks), and 192.0.2.0/24 (IANA defined test network).</para>
</listitem>

<listitem><para>If your firewall is a DHCP client, you need to allow
those packets:</para>

<screen>iptables -A INPUT -i ppp0 -p udp -s 0.0.0.0 --sport 67 \
 -d 255.255.255.255 --dport 68 -j ACCEPT</screen>
</listitem>

<listitem><para>To simplify debugging and be fair to anyone who'd like to
access a service you have disabled, purposely or by mistake, you could REJECT
those packets that are dropped.</para>

<para>Obviously this must be done directly after logging as the very
last lines before the packets are dropped by policy:</para>

<screen>iptables -A INPUT -j REJECT</screen>
</listitem>
</itemizedlist>

<para>These are only examples to show you some of the capabilities of the
firewall code in Linux. Have a look at the man page of iptables.
There you will find much more information. The port numbers needed for this can be
found in <filename>/etc/services</filename>, in case you didn't find them by
trial and error in your log file.</para>
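<para>The shell functions below, added here as an example and not part of the BLFS
scripts, read the lines written by the LOG rules and answer the two questions raised
above: which destination ports are being refused (and therefore may need to be
opened), and whether packets with a private or otherwise impossible source address
are arriving on the Internet-facing interface. The address list combines the three
private ranges dropped in the example above with the other blocks named there. The
function names, the bogon list variable and the constructed sample log (RFC 5737
documentation addresses, hostname fw) are assumptions of this example; on a real
system, point the functions at whichever file your syslog daemon writes kernel
messages to.</para>

```shell
#!/bin/sh
# Added example (not part of the BLFS scripts): summarize what the LOG rules
# recorded, so the ports that need opening and any spoofed sources on the
# external interface can be read off the kernel log.

# Address blocks that must never be the source of a packet arriving on the
# Internet-facing interface: the three private ranges dropped by the rules
# above plus the additional blocks the text lists.
FW_BOGONS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.2.0/24 192.168.0.0/16 224.0.0.0/3"

# fw_log_ports LOGFILE
# Count logged FIREWALL:INPUT packets per "PROTO DPT", most frequent first.
fw_log_ports() {
    grep 'FIREWALL:INPUT' "$1" | awk '
    {
        proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        # ICMP entries carry no DPT and are left out of the port table.
        if (proto != "" && dpt != "") count[proto " " dpt]++
    }
    END { for (k in count) print k, count[k] }' | sort -k3,3nr -k1,1 -k2,2n
}

# fw_log_spoofed LOGFILE EXTIF
# Print "SRC IN DPT" for every logged packet that arrived on EXTIF (an exact
# name such as ppp0, or a prefix such as ppp+) from a bogon source address.
fw_log_spoofed() {
    grep 'FIREWALL:' "$1" | awk -v extif="$2" -v bogons="$FW_BOGONS" '
    # Dotted quad to a 32-bit number.
    function ip2n(s,  a) {
        split(s, a, ".")
        return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
    }
    # True if address n lies inside the block "net/bits".
    function inblock(n, cidr,  p, shift) {
        split(cidr, p, "/"); shift = 2 ^ (32 - p[2])
        return int(n / shift) == int(ip2n(p[1]) / shift)
    }
    BEGIN {
        nb = split(bogons, blocks, " ")
        wild = (substr(extif, length(extif)) == "+")
        if (wild) extif = substr(extif, 1, length(extif) - 1)
    }
    {
        src = ""; inif = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^IN=/) inif = substr($i, 4)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        ok = wild ? (substr(inif, 1, length(extif)) == extif) : (inif == extif)
        if (src == "" || !ok) next
        n = ip2n(src)
        for (b = 1; b <= nb; b++)
            if (inblock(n, blocks[b])) { print src, inif, dpt; break }
    }'
}

# fw_write_sample_log FILE
# Write a few constructed log lines (RFC 5737 documentation addresses) in the
# format the LOG target produces, so the functions can be tried offline.
fw_write_sample_log() {
    cat > "$1" <<'EOF'
Jan 12 10:15:01 fw kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TTL=51 ID=1 DF PROTO=TCP SPT=41234 DPT=22 SYN
Jan 12 10:15:04 fw kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=198.51.100.9 DST=203.0.113.5 LEN=60 TTL=48 ID=2 DF PROTO=TCP SPT=51000 DPT=22 SYN
Jan 12 10:15:09 fw kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=192.168.1.20 DST=203.0.113.5 LEN=60 TTL=64 ID=3 DF PROTO=TCP SPT=3333 DPT=80 SYN
Jan 12 10:15:12 fw kernel: FIREWALL:INPUT IN=eth0 OUT= MAC= SRC=10.0.0.5 DST=10.0.0.1 LEN=62 TTL=64 ID=4 DF PROTO=UDP SPT=32768 DPT=53 LEN=42
Jan 12 10:15:20 fw kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.5 LEN=84 TTL=51 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
Jan 12 10:15:31 fw kernel: FIREWALL:FORWARD IN=ppp0 OUT=eth0 SRC=172.16.5.5 DST=10.0.0.5 LEN=60 TTL=40 ID=6 DF PROTO=TCP SPT=1 DPT=445 SYN
EOF
}

# Usage: sh fw-log-summary.sh LOGFILE [EXTIF]
if [ $# -ge 1 ]; then
    fw_log_ports "$1"
    if [ $# -ge 2 ]; then fw_log_spoofed "$1" "$2"; fi
fi
```

<para>On the constructed sample, <command>fw_log_ports</command> reports two refused
connections to tcp/22 and one each to tcp/80 and udp/53, while
<command>fw_log_spoofed ... 'ppp+'</command> flags the 192.168.1.20 and 172.16.5.5
sources that arrived on ppp0. A private source on eth0 is expected and is not
reported, because the interface argument restricts the check to the outside.</para>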

</sect3>
</sect2>

<sect2 id="fw-finale" xreflabel="Conclusion">
<title>Conclusion</title>

<para>Finally, there is one fact you must not forget: The effort spent
attacking a system corresponds to the value the cracker expects to gain from
it. If you are responsible for valuable information, you need to spend the
time to protect it properly.</para>

</sect2>

<sect2 id="postlfs-security-fw-extra" xreflabel="Extra Information">
<title>Extra Information</title>

<sect3 id="fw-library" xreflabel="Links for further reading">
<title>Where to start with further reading on firewalls.</title>

<para><blockquote><literallayout>
<ulink url="http://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables project</ulink>
<ulink url="http://www.netfilter.org/documentation/FAQ/netfilter-faq.html">Netfilter related FAQ</ulink>
<ulink url="http://www.netfilter.org/documentation/index.html#HOWTO">Netfilter related HOWTO's</ulink>
<ulink url="http://en.tldp.org/LDP/nag2/x-087-2-firewall.html">en.tldp.org/LDP/nag2/x-087-2-firewall.html</ulink>
<ulink url="http://en.tldp.org/HOWTO/Security-HOWTO.html">en.tldp.org/HOWTO/Security-HOWTO.html</ulink>
<ulink url="http://en.tldp.org/HOWTO/Firewall-HOWTO.html">en.tldp.org/HOWTO/Firewall-HOWTO.html</ulink>
<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire.html">www.ibm.com/developerworks/security/library/s-fire.html</ulink>
<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire2.html">www.ibm.com/developerworks/security/library/s-fire2.html</ulink>
<ulink url="http://www.interhack.net/pubs/fw-faq/">www.interhack.net/pubs/fw-faq/</ulink>
<ulink url="http://www.linuxsecurity.com/docs/">www.linuxsecurity.com/docs/</ulink>
<ulink url="http://www.little-idiot.de/firewall">www.little-idiot.de/firewall (German &amp; outdated, but very comprehensive)</ulink>
<ulink url="http://www.linuxgazette.com/issue65/stumpel.html">www.linuxgazette.com/issue65/stumpel.html</ulink>
<ulink url="http://linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html">linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html</ulink>
<ulink url="http://staff.washington.edu/dittrich/misc/ddos">staff.washington.edu/dittrich/misc/ddos</ulink>
<ulink url="http://www.e-infomax.com/ipmasq">www.e-infomax.com/ipmasq</ulink>
<ulink url="http://www.circlemud.org/~jelson/writings/security/index.htm">www.circlemud.org/~jelson/writings/security/index.htm</ulink>
<ulink url="http://www.securityfocus.com">www.securityfocus.com</ulink>
<ulink url="http://www.cert.org/tech_tips/">www.cert.org - tech_tips</ulink>
<ulink url="http://security.ittoolbox.com/">security.ittoolbox.com</ulink>
<ulink url="http://www.linux-firewall-tools.com/linux/">www.linux-firewall-tools.com/linux/</ulink>
<ulink url="http://logi.cc/linux/athome-firewall.php3">logi.cc/linux/athome-firewall.php3</ulink>
<ulink url="http://www.insecure.org/reading.html">www.insecure.org/reading.html</ulink>
<ulink url="http://www.robertgraham.com/pubs/firewall-seen.html">www.robertgraham.com/pubs/firewall-seen.html</ulink>
</literallayout></blockquote></para>
</sect3>

</sect2>
</sect1>
