source: postlfs/security/firewalling.xml@ 14c0be2f

10.0 10.1 11.0 11.1 11.2 9.1 lazarus plabs/python-mods qt5new trunk upgradedb xry111/intltool xry111/soup3 xry111/test-20220226
Last change on this file since 14c0be2f was 14c0be2f, checked in by DJ Lucas <dj@…>, 3 years ago

Add nftables-0.9.2. Fixes #4620.
Add firewalld-0.7.2.
Add libnftnl-1.1.4.
Add libmnl-1.0.4.
Add decorator-4.4.0.
Add python-slip-0.6.5.
Update to blfs-bootscripts-20191025.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@22301 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 9.4 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6]>
7
8<sect1 id="fw-firewall" xreflabel="Firewalling">
9 <?dbhtml filename="firewall.html"?>
10
11 <sect1info>
12 <othername>$LastChangedBy$</othername>
13 <date>$Date$</date>
14 </sect1info>
15
16 <title>Setting Up a Network Firewall</title>
17
18 <sect2 id="fw-intro" xreflabel="Firewalling Introduction">
19 <title>Introduction to Firewall Creation</title>
20
21 <para>
22 The purpose of a firewall is to protect a computer or a network against
23 malicious access. In a perfect world every daemon or service, on every
24 machine, is perfectly configured and immune to security flaws, and all
25 users are trusted implicitly to use the equipment as intended. However,
26 this is rarely, if ever, the case. Daemons may be misconfigured, or
27 updates may not have been applied for known exploits against essential
28 services. Additionally, you may wish to choose which services are
29 accessible by certain machines or users, or you may wish to limit which
30 machines or applications are allowed external access. Alternatively, you
31 simply may not trust some of your applications or users. For these
32 reasons, a carefully designed firewall should be an essential part of
33 system security.
34 </para>
35
36 <para>
37 While a firewall can greatly limit the scope of the above issues, do not
38 assume that having a firewall makes careful configuration redundant, or
39 that any negligent misconfiguration is harmless. A firewall does not
40 prevent the exploitation of any service you offer outside of it. Despite
41 having a firewall, you need to keep applications and daemons properly
42 configured and up to date.
43 </para>
44
45 </sect2>
46
47 <sect2>
48 <title>Meaning of the Word "Firewall"</title>
49
50 <para>
51 The word firewall can have several different meanings.
52 </para>
53
54 <sect3>
55 <title>Personal Firewall</title>
56
57 <para>
58 This is a hardware device or software program, intended to secure a
59 home or desktop computer connected to the Internet. This type of
60 firewall is highly relevant for users who do not know how their
61 computers might be accessed via the Internet or how to disable
62 that access, especially if they are always online and connected
63 via broadband links.
64 </para>
65
66 <para>
67 An example configuration for a personal firewall is provided at
68 <xref linkend="fw-persFw-ipt"/>.
69 </para>
70
71 </sect3>
72
73 <sect3>
74 <title>Masquerading Router</title>
75
76 <para>
77 This is a system placed between the Internet and an intranet.
78 To minimize the risk of compromising the firewall itself, it should
79 generally have only one role&mdash;that of protecting the intranet.
80 Although not completely risk-free, the tasks of doing the routing and
81 IP masquerading (rewriting IP headers of the packets it routes from
82 clients with private IP addresses onto the Internet so that they seem
83 to come from the firewall itself) are commonly considered relatively
84 secure.
85 </para>
86
87 <para>
88 Example configurations for a masquerading firewall are provided at
89 <xref linkend="fw-masqRouter-ipt"/> and
90 <xref linkend="fw-masqRouter-nft"/>.
91 </para>
92
93 </sect3>
94
95 <sect3>
96 <title>BusyBox</title>
97
98 <para>
99 This is often an old computer you may have retired and nearly
100 forgotten, performing masquerading or routing functions, but offering
101 non-firewall services such as a web-cache or mail. This may be used
102 for home networks, but is not to be considered as secure as a firewall
103 only machine because the combination of server and router/firewall on
104 one machine raises the complexity of the setup.
105 </para>
106
107 <para>
108 An example configuration for a BusyBox is provided at
109 <xref linkend="fw-busybox-ipt"/>.
110 </para>
111
112 </sect3>
113
114 <sect3>
115 <title>Firewall with a Demilitarized Zone</title>
116
117 <para>
118 This type of firewall performs masquerading or routing, but grants
119 public access to some branch of your network that is physically
120 separated from your regular intranet and is essentially a separate
121 network with direct Internet access. The servers on this network are
122 those which must be easily accessible from both the Internet and
123 intranet. The firewall protects both networks. This type of firewall
124 has a minimum of three network interfaces.
125 </para>
126
127 </sect3>
128
129 <sect3>
130 <title>Packetfilter</title>
131
132 <para>
133 This type of firewall does routing or masquerading but does
134 not maintain a state table of ongoing communication streams. It is
135 fast but quite limited in its ability to block undesired packets
136 without blocking desired packets.
137 </para>
138
139 </sect3>
140
141 </sect2>
142
143 <sect2>
144 <title>Conclusion</title>
145
146 <caution>
147 <para>
148 The example configurations provided for <xref linkend="iptables"/> and
149 <xref linkend="nftables"/> are not intended to be a complete guide to
150 securing systems. Firewalling is a complex issue that requires careful
151 configuration. The configurations provided by BLFS are intended only to
152 give examples of how a firewall works. They are not intended to fit any
153 particular configuration and may not provide complete protection from
154 an attack.
155 </para>
156 </caution>
157
158 <para>
159 BLFS provides two utilities to manage the kernel Netfilter interface,
160 <xref linkend="iptables"/> and <xref linkend="nftables"/>.
161 </para>
162
163 <para>
164 <xref linkend="iptables"/> has been around since early 2.4 kernels, and
165 has been the standard since. If you plan not to use a configuration
166 utility, this is likely the set of tools that will be most familiar to
167 existing admins.
168 </para>
169
170 <para>
171 <xref linkend="nftables"/> is the successor to <xref linkend="iptables"/>
172 and provies all of the same functionality with a single userspace tool,
173 <command>nft</command>, that uses similar syntax to BSD's
174 <application>pf</application> utility, and may be easier for new users or
175 admins already familiar with that platform.
176 </para>
177
178 <para>
179 While both can be used in tandem, that is an advanced configuration and
180 you should decide on one or the other. Both pages include very simple
181 example configurations, and customization of the provided configurations
182 for your specific environment will be necessary if you elect to use
183 either without a configuration tool.
184 </para>
185
186 <para>
187 Additionally, a firewall management tool, <xref linkend="firewalld"/>, is
188 provided to greatly ease firewall configuration for both simple and
189 complex environments, and can be used with either tool. You should not
190 use the example configurations if you intend to use
191 <application>firewalld</application> to manage your firewall rules.
192 </para>
193
194 <para>
195 If you elect to configure manually, have a look at the
196 list of further reading below for more details. Here you will find a
197 list of URLs that contain comprehensive information about building
198 firewalls and further securing your system.
199 </para>
200
201 </sect2>
202
203 <sect2 id="fw-extra-info">
204 <title>Extra Information</title>
205
206 <sect3>
207 <title>Further Reading on Firewalls</title>
208
209 <blockquote>
210 <literallayout>
211<ulink url="http://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables/nftables projects</ulink>
212<ulink url="http://www.netfilter.org/documentation/FAQ/netfilter-faq.html">Netfilter related FAQ</ulink>
213<ulink url="http://www.netfilter.org/documentation/index.html#HOWTO">Netfilter related HOWTO's</ulink>
214<ulink url="https://wiki.nftables.org/wiki-nftables/index.php/Main_Page">nftables HOWTO</ulink>
215<ulink url="http://en.tldp.org/LDP/nag2/x-087-2-firewall.html">en.tldp.org/LDP/nag2/x-087-2-firewall.html</ulink>
216<ulink url="http://en.tldp.org/HOWTO/Security-HOWTO.html">en.tldp.org/HOWTO/Security-HOWTO.html</ulink>
217<ulink url="http://en.tldp.org/HOWTO/Firewall-HOWTO.html">en.tldp.org/HOWTO/Firewall-HOWTO.html</ulink>
218<ulink url="http://www.linuxsecurity.com/docs/">www.linuxsecurity.com/docs/</ulink>
219<ulink url="http://www.little-idiot.de/firewall">www.little-idiot.de/firewall (German &amp; outdated, but very comprehensive)</ulink>
220<ulink url="http://linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html">linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html</ulink>
221<ulink url="http://staff.washington.edu/dittrich/misc/ddos">staff.washington.edu/dittrich/misc/ddos</ulink>
222<ulink url="http://www.e-infomax.com/ipmasq">www.e-infomax.com/ipmasq</ulink>
223<ulink url="http://www.circlemud.org/~jelson/writings/security/index.htm">www.circlemud.org/~jelson/writings/security/index.htm</ulink>
224<ulink url="http://www.securityfocus.com">www.securityfocus.com</ulink>
225<ulink url="http://www.cert.org/tech_tips/">www.cert.org - tech_tips</ulink>
226<ulink url="http://security.ittoolbox.com/">security.ittoolbox.com</ulink>
227<ulink url="http://www.insecure.org/reading.html">www.insecure.org/reading.html</ulink>
228 </literallayout>
229 </blockquote>
230
231 </sect3>
232
233 </sect2>
234
235</sect1>
Note: See TracBrowser for help on using the repository browser.