source: postlfs/security/firewalling.xml@ 5cd0959d

10.0 10.1 11.0 6.0 6.1 6.2 6.2.0 6.2.0-rc1 6.2.0-rc2 6.3 6.3-rc1 6.3-rc2 6.3-rc3 7.10 7.4 7.5 7.6 7.6-blfs 7.6-systemd 7.7 7.8 7.9 8.0 8.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind gnome kde5-13430 kde5-14269 kde5-14686 ken/refactor-virt krejzi/svn lazarus nosym perl-modules qt5new systemd-11177 systemd-13485 trunk xry111/git-date xry111/git-date-for-trunk xry111/git-date-test
Last change on this file since 5cd0959d was 5cd0959d, checked in by Archaic <archaic@…>, 17 years ago

Resetting keywords

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@2592 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 26.9 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
3 "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6]>
7
8<sect1 id="postlfs-security-fw-firewall" xreflabel="Firewalling">
9<sect1info>
10<othername>$LastChangedBy$</othername>
11<date>$Date$</date>
12</sect1info>
13<?dbhtml filename="firewall.html"?>
14<title>Setting up a network firewall</title>
15
16<para>Before you read this part of the chapter, note that we assume that you
17have already installed iptables as described in the previous section.</para>
18
19
20<sect2 id="postlfs-security-fw-intro" xreflabel="Firewalling Introduction">
21<title>Introduction to Firewall Creation</title>
22
23<para>The general purpose of a firewall is to protect a network
24against malicious access by using a single machine as a firewall.
25This does imply that the firewall is to be considered a single point
26of failure, but it can make the administrator's life a lot easier.</para>
27
28<para>In a perfect world where you knew that every daemon or service
29on every machine was perfectly configured and was immune to, e.g.,
30buffer-overflows and any other imaginable problem regarding its
31security, and where you trusted every user accessing your services
32to aim no harm, you wouldn't need to have a firewall!
33In the real world however, daemons may be misconfigured,
34exploits against essential services are freely available, you
35may wish to choose which services are accessible by certain machines,
36you may wish to limit which machines or applications are allowed
37to have Internet access, or you may simply not trust some of your
38apps or users.
39In these situations you might benefit by using a firewall.</para>
40
41<para>Don't assume however, that having a firewall makes careful
42configuration redundant, or that it makes any negligent
43misconfiguration harmless. It also doesn't prevent anyone from exploiting a
44service you intentionally offer but haven't recently updated or patched
45after an exploit went public. Despite having a firewall, you need to
46keep applications and daemons on your system well-configured and
47up-to-date; a firewall is not a cure-all!</para>
48
49</sect2>
50
51<sect2>
52<title>Meaning of the word firewall.</title>
53
54<para>The word firewall can have several different meanings.</para>
55
56<sect3><title><xref linkend="postlfs-security-fw-persFw"/></title>
57
58<para>This is a setup or program, for Windows commercially sold by
59companies such as Symantec, of which they claim or pretend that it
60secures a home or desktop-pc with Internet access. This topic is
61highly relevant for users who do not know the methods their computers
62might be accessed via the Internet or how to disable them,
63especially if they are always online and connected via
64broadband links.</para></sect3>
65
66<sect3><title><xref linkend="postlfs-security-fw-masqRouter"/></title>
67<para>This is a box placed between the Internet and an intranet.
68To minimize the risk of compromising the firewall itself it
69should generally have only one role, that of protecting the intranet.
70Although not completely risk free, the tasks of doing the routing
71and eventually IP masquerading (rewriting IP-headers
72of the packets it routes from clients with private IP-addresses onto
73the Internet so that they seem to come from the firewall
74itself) are commonly considered harmless.</para></sect3>
75
76<sect3><title><xref linkend="postlfs-security-fw-busybox"/></title>
77<para>This is often an old box you may have retired and nearly forgotten,
78performing masquerading or routing functions, but offering a bunch of
79services, e.g., web-cache, mail, etc. This may be very commonly used
80for home networks, but can definitely not be considered as secure
81anymore because the combining of server and router on one machine raises
82the complexity of the setup.</para></sect3>
83
84<sect3><title>Firewall with a demilitarized zone [not further described
85here]</title>
86<para>This box performs masquerading or routing, but grants public access to
87some branch of your network which, because of public IP's and a physically
88separated structure, is neither considered to be part of the inter- nor
89intranet. These servers are those which must be easily accessible
90from both the inter- and intranet. The firewall protects
91them all.</para></sect3>
92
93<sect3><title>Packetfilter / partly accessible net [partly described
94here, see <xref linkend="postlfs-security-fw-busybox"/>]</title>
95<para>Doing routing or masquerading, but permitting only selected
96services to be accessible, sometimes only by selected internal users or boxes;
97mostly used in highly secure business contexts, sometimes by distrusting
98employers. This was the common configuration of a firewall at the time of
99the Linux 2.2 kernel. It's still possible to configure a firewall this way,
100but it makes the rules quite complex and lengthy.</para></sect3>
101
102</sect2>
103
104<sect2 id="postlfs-security-fw-disclaimer" xreflabel="Disclaimer">
105<title>Disclaimer</title>
106
107<!-- <para><emphasis>NEITHER THE AUTHOR NOR ANY OF THE LINUXFROMSCRATCH TEAM
108ARE RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THIS
109DOCUMENT.</emphasis></para> -->
110
111<para>This document is meant as an introduction to how to setup a firewall. It
112is not a complete guide to securing systems. Firewalling is a complex issue
113that requires careful configuration. The scripts quoted here are simply
114intended to give examples as to how a firewall works, they are not intended to
115fit into any imaginable configuration and may not prevent any imaginable
116attack.</para>
117
118<para>The purpose of this text is simply to give you a hint on how to get
119started with a firewall.</para>
120
121<para>Customization of these scripts for your specific situation will
122be necessary for an optimal configuration, but you should make a serious
123study of the iptables documentation and creating firewalls in general before hacking
124away. Have a look at the list of <xref linkend="postlfs-security-fw-library"/> at the end
125of this section for more details. Here you will find a list of URLs that
126contain quite comprehensive information about building your own firewall.</para>
127
128</sect2>
129
130
131<sect2 id="postlfs-security-fw-kernel" xreflabel="getting a firewalling-enabled Kernel">
132<title>Getting a firewall enabled Kernel</title>
133
134<para>If you want your Linux-Box to have a firewall, you must first ensure
135that your kernel has been compiled with the relevant options turned on.
136<!-- <footnote><para>If you needed assistance how to configure, compile and install
137a new kernel, refer back to chapter VIII of the LinuxFromScratch book,
138<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html">Installing a kernel</ulink>
139 and eventually
140<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html">Making the LFS system bootable</ulink>
141; note, that you'll need to reboot
142to actually run your new kernel.</para></footnote>-->
143</para>
144
145<para>How to configure your kernel, with enabling the options to be
146either compiled into the kernel or as modules, depends on your personal
147preferences and experience. Note, that for the quoted scripts it is assumed
148that the modules need to be loaded at first.</para>
149
150<screen>Network options menu
151 Network packet filtering: Y
152 Unix domain sockets: Y or M
153 TCP/IP networking: Y
154 IP: advanced router: Y
155 IP: verbose route monitoring: Y
156 IP: TCP Explicit Congestion Notification support: Y
157 IP: TCP syncookie support: Y
158 IP: Netfilter Configuration menu
159 Every option except: Y or M
160 ipchains (2.2-style) support N
161 ipfwadm (2.0-style) support N
162 Fast switching: N</screen>
163
164<!--
165<table frame='none'>
166<title>Essential config-options for a firewall enabled Kernel</title>
167
168<tgroup cols='5'>
169<colspec colnum='1' colwidth='8*' align='center'/>
170<colspec colnum='2' colwidth='19*' align='left'/>
171<colspec colnum='3' colwidth='11*' align='center'/>
172<colspec colnum='4' colwidth='1*' align='center'/>
173<colspec colnum='5' colwidth='14*' align='left'/>
174
175<tbody>
176
177<row>
178<entry><emphasis><userinput>Networking options:</userinput></emphasis></entry>
179<entry><userinput>Network packet filtering</userinput></entry>
180<entry></entry>
181<entry>=</entry>
182<entry>CONFIG_NETFILTER</entry>
183</row>
184
185<row>
186<entry></entry>
187<entry><userinput>Unix domain sockets</userinput></entry>
188<entry></entry>
189<entry>=</entry>
190<entry>CONFIG_UNIX</entry>
191</row>
192
193<row>
194<entry></entry>
195<entry><userinput>IP: TCP/IP networking</userinput></entry>
196<entry></entry>
197<entry>=</entry>
198<entry>CONFIG_INET</entry>
199</row>
200
201<row>
202<entry></entry>
203<entry><userinput>IP: advanced router</userinput></entry>
204<entry></entry>
205<entry>=</entry>
206<entry>CONFIG_IP_ADVANCED_ROUTER</entry>
207</row>
208
209<row>
210<entry></entry>
211<entry><userinput>IP: verbose route monitoring</userinput></entry>
212<entry></entry>
213<entry>=</entry>
214<entry>CONFIG_IP_ROUTE_VERBOSE</entry>
215</row>
216
217<row>
218<entry></entry>
219<entry><userinput>IP: TCP Explicit Congestion Notification support</userinput></entry>
220<entry></entry>
221<entry>=</entry>
222<entry>CONFIG_INET_ECN</entry>
223</row>
224
225<row>
226<entry></entry>
227<entry><userinput>IP: TCP syncookie support</userinput></entry>
228<entry></entry>
229<entry>=</entry>
230<entry>CONFIG_SYN_COOKIES</entry>
231</row>
232
233<row>
234<entry></entry>
235<entry align='center'>
236<emphasis><userinput>IP: Netfilter Configuration:</userinput></emphasis></entry>
237<entry align='left'><userinput>every option</userinput></entry>
238<entry>=</entry>
239<entry>CONFIG_IP_NF_*</entry>
240</row>
241
242<row>
243<entry></entry>
244<entry align='right'><emphasis>WITHOUT:</emphasis></entry>
245<entry align='left'><literallayout><userinput>ipchains (2.2-style) support
246ipfw-adm (2.0-style) support</userinput></literallayout></entry>
247<entry>w\</entry>
248<entry>CONFIG_IP_NF_COMPAT_*</entry>
249</row>
250
251<row>
252<entry></entry>
253<entry><userinput>Fast switching</userinput></entry>
254<entry>Make sure to disable it because it would setup a bypass around
255your firewall rules.</entry>
256<entry>w\</entry>
257<entry>CONFIG_NET_FASTROUTE</entry>
258</row>
259
260</tbody>
261
262</tgroup>
263
264</table> -->
265
266</sect2>
267
268
269<sect2 id="postlfs-security-fw-writing" xreflabel="writing the firewalling-setup-scripts">
270<title>Now you can start to build your Firewall</title>
271
272
273<sect3 id="postlfs-security-fw-persFw" xreflabel="Personal Firewall">
274<title>Personal Firewall</title>
275
276<para>A Personal Firewall is supposed to let you access all the services
277offered on the Internet, but keep your box secure and your data private.</para>
278
279<para>Below is a slightly modified version of Rusty Russell's recommendation
280from the <ulink
281url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">Linux
2822.4 Packet Filtering HOWTO</ulink>:</para>
283
284<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</command>
285#!/bin/sh
286
287# Begin $rc_base/init.d/firewall
288
289# Insert connection-tracking modules (not needed if built into the kernel).
290modprobe ip_tables
291modprobe iptable_filter
292modprobe ip_conntrack
293modprobe ip_conntrack_ftp
294modprobe ipt_state
295modprobe ipt_LOG
296
297# allow local-only connections
298iptables -A INPUT -i lo -j ACCEPT
299# free output on any interface to any ip for any service (equal to -P ACCEPT)
300iptables -A OUTPUT -j ACCEPT
301
302# permit answers on already established connections
303# and permit new connections related to established ones (eg active-ftp)
304iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
305
306# Log everything else: What's Windows' latest exploitable vulnerability?
307iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
308
309# set a sane policy: everything not accepted &gt; /dev/null
310iptables -P INPUT DROP
311iptables -P FORWARD DROP
312iptables -P OUTPUT DROP
313
314# be verbose on dynamic ip-addresses (not needed in case of static IP)
315echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
316
317# disable ExplicitCongestionNotification - too many routers are still ignorant
318echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
319
320# End $rc_base/init.d/firewall
321<command>EOF</command></userinput></screen>
322
323<para>His script is quite simple, it drops all traffic coming in into your
324computer that wasn't initiated from your box, but as long as you are simply
325surfing the Internet you are unlikely to exceed its limits.</para>
326
327<para>If you frequently encounter certain delays at accessing ftp-servers,
328please have a look at <xref linkend="postlfs-security-fw-busybox"/> -
329<xref linkend="postlfs-security-fw-BB-4"/>.</para>
330
331<para>Even if you have daemons or services running on your box, these
332should be inaccessible everywhere but from your box itself.
333If you want to allow access to services on your machine, such as ssh or pinging,
334take a look at <xref linkend="postlfs-security-fw-busybox"/>.</para>
335
336</sect3>
337
338
339<sect3 id="postlfs-security-fw-masqRouter" xreflabel="Masquerading Router">
340<title>Masquerading Router</title>
341
342<para>A true Firewall has two interfaces, one connected to an intranet,
343in this example, <emphasis role="strong">eth0</emphasis>, and one
344connected to the Internet, here, <emphasis role="strong">ppp0</emphasis>.
345To provide the maximum security against the box itself being broken into,
346make sure that there are no servers running on it, especially not
347<application>X11</application> et
348al. And, as a general principle, the box itself should not access any untrusted
349service (Think of a name server giving answers that make your
350bind crash, or, even worse, that implement a worm via a
351buffer-overflow).</para>
352
353<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</command>
354#!/bin/sh
355
356# Begin $rc_base/init.d/firewall
357
358echo
359echo "You're using the example-config for a setup of a firewall"
360echo "from the firewalling-hint written for LinuxFromScratch."
361echo "This example is far from being complete, it is only meant"
362echo "to be a reference."
363echo "Firewall security is a complex issue, that exceeds the scope"
364echo "of the quoted configuration rules."
365echo "You can find some quite comprehensive information"
366echo "about firewalls in Chapter 4 of the BLFS book."
367echo "http://www.linuxfromscratch.org/blfs"
368echo
369
370# Insert iptables modules (not needed if built into the kernel).
371
372modprobe ip_tables
373modprobe iptable_filter
374modprobe ip_conntrack
375modprobe ip_conntrack_ftp
376modprobe ipt_state
377modprobe iptable_nat
378modprobe ip_nat_ftp
379modprobe ipt_MASQUERADE
380modprobe ipt_LOG
381modprobe ipt_REJECT
382
383# allow local-only connections
384iptables -A INPUT -i lo -j ACCEPT
385iptables -A OUTPUT -o lo -j ACCEPT
386
387# allow forwarding
388iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
389iptables -A FORWARD -m state --state NEW -i ! ppp+ -j ACCEPT
390
391# do masquerading (not needed if intranet is not using private ip-addresses)
392iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
393
394# Log everything for debugging (last of all rules, but before DROP/REJECT)
395iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
396iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
397iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "
398
399# set a sane policy
400iptables -P INPUT DROP
401iptables -P FORWARD DROP
402iptables -P OUTPUT DROP
403
404# be verbose on dynamic ip-addresses (not needed in case of static IP)
405echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
406
407# disable ExplicitCongestionNotification
408echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
409
410# activate TCPsyncookies
411echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
412
413# activate Route-Verification = IP-Spoofing_protection
414for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
415 echo 1 &gt; $f
416done
417
418# activate IP-Forwarding
419echo 1 &gt; /proc/sys/net/ipv4/ip_forward
420<command>EOF</command></userinput></screen>
421
422<para>With this script your intranet should be sufficiently secure against
423external attacks. No one should be able to setup a new connection to any
424internal service and, if it's masqueraded, it's even invisible. Furthermore,
425your firewall should be nearly immune because there are no services running
426that a cracker could attack.</para>
427
428<para>Note: if the interface you're connecting to the Internet
429doesn't connect via ppp, you will need to change
430<replaceable>ppp+</replaceable> to the name of the interface which you are
431using. If you are using the same interface type to connect to both your
432intranet and the Internet, you need to use the actual name of the
433interface such as <emphasis role="strong">eth0</emphasis>,
434on both interfaces.</para>
435
436<para>If you need stronger security (e.g., against DOS, connection
437highjacking, spoofing, etc.), have a look at the list of
438<xref linkend="postlfs-security-fw-library"/> at the end of this section.</para>
439
440</sect3>
441
442<sect3 id="postlfs-security-fw-busybox" xreflabel="BusyBox">
443<title>BusyBox</title>
444
445<para>This scenario isn't too different from (<xref linkend="postlfs-security-fw-masqRouter"/>),
446but in this case you want to offer some services to your intranet.
447Examples of this can be when you want to admin your box from another host
448on your intranet or use it as a proxy or a name server. Note: Outlining a true
449concept of how to protect a server that offers services on the Internet
450goes far beyond the scope of this document,
451see <xref linkend="postlfs-security-fw-disclaimer"/>.</para>
452
453<para>Be cautious. Every service you offer and have enabled makes your
454setup more complex and your box less secure. You induce the risks of
455misconfigured services or running a service with an exploitable bug. A firewall
456should generally not run any extra services. See the introduction to
457<xref linkend="postlfs-security-fw-masqRouter"/> for some more details.</para>
458
459<para>If the services you'd like to offer do not need to access the Internet
460themselves, like internal-only samba- or name-servers, it's quite
461simple and should still be acceptable from a security standpoint.
462Just add the following lines <emphasis>before</emphasis> the logging-rules
463into the script.</para>
464
465<screen>iptables -A INPUT -i ! ppp+ -j ACCEPT
466iptables -A OUTPUT -o ! ppp+ -j ACCEPT</screen>
467
468<para>If your daemons have to access the web themselves, like squid would need
469to, you could open OUTPUT generally and restrict INPUT.</para>
470
471<screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
472iptables -A OUTPUT -j ACCEPT</screen>
473
474<para>However, it is generally not advisable to leave OUTPUT unrestricted. You lose
475any control over trojans who'd like to "call home", and a bit of redundancy in case
476you've (mis-)configured a service so that it does broadcast its existence to the
477world.</para>
478
479<para>If you prefer to have this protection, you may restrict INPUT and OUTPUT
480on all ports except those that it's absolutely necessary to have open.
481Which ports you have to open depends on your needs: mostly you will find them
482by looking for failed accesses in your log-files.</para>
483<itemizedlist spacing="compact">
484<!-- <orderedlist numeration="arabic" spacing="compact"> -->
485<title>Have a look at the following examples:</title>
486
487<listitem><para>Squid is caching the web:</para>
488<screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
489iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT</screen></listitem>
490
491<listitem><para>Your caching name server (e.g., dnscache) does its
492lookups via udp:</para>
493<screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
494iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT</screen></listitem>
495
496<listitem><para>Alternatively, if you want to be able to ping your box to ensure
497it's still alive:</para>
498<screen>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
499iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</screen></listitem>
500
501<listitem><para><anchor id='postlfs-security-fw-BB-4' xreflabel="example no. 4"/>If you are
502frequently accessing ftp-servers or enjoy chatting, you might notice certain
503delays because some implementations of these daemons have the feature of
504querying an identd on your box for logging usernames.
505Although there's really no harm in this, having an identd running is not
506recommended because some implementations are known to be vulnerable.</para>
507
508<para>To avoid these delays you could reject the requests
509with a 'tcp-reset':</para>
510
511<screen>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
512iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen></listitem>
513
514<listitem><para>To log and drop invalid packets (harmless packets
515that came in after netfilter's timeout or some types of network scans):</para>
516
517<screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix \
518"FIREWALL:INVALID"
519iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></listitem>
520
521<listitem><para>Anything coming from the outside should not have a
522private address, this is a common attack called IP-spoofing:</para>
523
524<screen>iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8 -j DROP
525iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12 -j DROP
526iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP</screen></listitem>
527
528<listitem><para>To simplify debugging and be fair to anyone who'd like to
529access a service you have disabled, purposely or by mistake, you should REJECT
530those packets that are dropped.</para>
531
532<para>Obviously this must be done directly after logging as the very
533last lines before the packets are dropped by policy:</para>
534
535<screen>iptables -A INPUT -j REJECT
536iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT</screen></listitem>
537</itemizedlist>
538<!--</orderedlist>-->
539
540<para>These are only examples to show you some of the capabilities of the new
541firewall code in Linux-Kernel 2.4. Have a look at the man page of
542iptables.
543There you will find more of them. The port-numbers you'll need for this
544can be found in <filename>/etc/services</filename>, in case you didn't
545find them by trial and error in your log file.</para>
546
547<para>If you add any of your offered or accessed services such as the above,
548maybe even in FORWARD and for intranet-communication, and delete the
549general clauses, you get an old fashioned packet filter.</para>
550
551
552</sect3>
553
554</sect2>
555
556
557<sect2 id="postlfs-security-fw-finale" xreflabel="Conclusion">
558<title>Conclusion</title>
559
560<para>Finally, I'd like to remind you of one fact we must not forget:
561The effort spent attacking a system corresponds to the value the cracker
562expects to gain from it.
563If you are responsible for such valuable assets that you expect great
564effort to be made by potential crackers, you hopefully won't be in the
565need of this hint!</para>
566
567<!-- <para><literallayout>Be cautious!
568
569 Henning Rohde
570<email>Henning.Rohde@uni-bayreuth.de</email></literallayout></para>
571
572<para>PS: And always do remember:
573SecureIT is not a matter of a status-quo but one of never stopping
574to take care!</para>
575
576<para>PPS: If any of these scripts fail, please tell me. I will try to trace
577any faults.</para> -->
578
579</sect2>
580
581
582<sect2 id="postlfs-security-fw-extra" xreflabel="Extra Information">
583<title>Extra Information</title>
584
585<sect3 id="postlfs-security-fw-library" xreflabel="Links for further reading">
586<title>Where to start with further reading on firewalls.</title>
587
588<para><blockquote><literallayout>
589<ulink url="http://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables project</ulink>
590<ulink url="http://www.netfilter.org/documentation/FAQ/netfilter-faq.html">Netfilter related FAQ</ulink>
591<ulink url="http://www.netfilter.org/documentation/index.html#HOWTO">Netfilter related HOWTO's</ulink>
592<ulink url="http://en.tldp.org/LDP/nag2/x-087-2-firewall.html">en.tldp.org/LDP/nag2/x-087-2-firewall.html</ulink>
593<ulink url="http://en.tldp.org/HOWTO/Security-HOWTO.html">en.tldp.org/HOWTO/Security-HOWTO.html</ulink>
594<ulink url="http://en.tldp.org/HOWTO/Firewall-HOWTO.html">en.tldp.org/HOWTO/Firewall-HOWTO.html</ulink>
595<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire.html">www.ibm.com/developerworks/security/library/s-fire.html</ulink>
596<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire2.html">www.ibm.com/developerworks/security/library/s-fire2.html</ulink>
597<ulink url="http://www.interhack.net/pubs/fw-faq/">www.interhack.net/pubs/fw-faq/</ulink>
598<ulink url="http://www.linuxsecurity.com/docs/">www.linuxsecurity.com/docs/</ulink>
599<ulink url="http://www.little-idiot.de/firewall">www.little-idiot.de/firewall (German &amp; outdated, but very comprehensive)</ulink>
600<ulink url="http://www.linuxgazette.com/issue65/stumpel.html">www.linuxgazette.com/issue65/stumpel.html</ulink>
601<ulink url="http://linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html">linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html</ulink>
602<ulink url="http://staff.washington.edu/dittrich/misc/ddos">staff.washington.edu/dittrich/misc/ddos</ulink>
603<ulink url="http://www.e-infomax.com/ipmasq">www.e-infomax.com/ipmasq</ulink>
604<ulink url="http://www.circlemud.org/~jelson/writings/security/index.htm">www.circlemud.org/~jelson/writings/security/index.htm</ulink>
605<ulink url="http://www.securityfocus.com">www.securityfocus.com</ulink>
606<ulink url="http://www.cert.org/tech_tips/">www.cert.org - tech_tips</ulink>
607<ulink url="http://security.ittoolbox.com/">security.ittoolbox.com</ulink>
608<ulink url="http://www.linux-firewall-tools.com/linux/">www.linux-firewall-tools.com/linux/</ulink>
609<ulink url="http://logi.cc/linux/athome-firewall.php3">logi.cc/linux/athome-firewall.php3</ulink>
610<ulink url="http://www.insecure.org/reading.html">www.insecure.org/reading.html</ulink>
611<ulink url="http://www.robertgraham.com/pubs/firewall-seen.html">www.robertgraham.com/pubs/firewall-seen.html</ulink>
612</literallayout></blockquote></para>
613
614<!-- <para>If a link proves to be dead or if you think I missed one,
615please mail!</para> -->
616
617</sect3>
618
619<sect3 id="postlfs-security-fw-status" xreflabel="/etc/rc.d/init.d/firewall.status">
620<title>firewall.status</title>
621
622<para>If you'd like to have a look at the chains your firewall consists of and
623the order in which the rules take effect:</para>
624
625<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall.status &lt;&lt; "EOF"</command>
626#!/bin/sh
627
628# Begin $rc_base/init.d/firewall.status
629
630echo "iptables.mangling:"
631iptables -t mangle -v -L -n --line-numbers
632
633echo
634echo "iptables.nat:"
635iptables -t nat -v -L -n --line-numbers
636
637echo
638echo "iptables.filter:"
639iptables -v -L -n --line-numbers
640<command>EOF</command></userinput></screen>
641</sect3>
642
643<sect3 id="postlfs-security-fw-stop" xreflabel="/etc/rc.d/init.d/firewall.stop">
644<title>firewall.stop</title>
645
646<para>If you need to turn the firewall off, this script will do it:</para>
647
648<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall.stop &lt;&lt; "EOF"</command>
649#!/bin/sh
650
651# Being $rc_base/init.d/firewall.stop
652
653# deactivate IP-Forwarding
654echo 0 > /proc/sys/net/ipv4/ip_forward
655
656iptables -Z
657iptables -F
658iptables -t nat -F PREROUTING
659iptables -t nat -F OUTPUT
660iptables -t nat -F POSTROUTING
661iptables -t mangle -F PREROUTING
662iptables -t mangle -F OUTPUT
663iptables -X
664iptables -P INPUT ACCEPT
665iptables -P FORWARD ACCEPT
666iptables -P OUTPUT ACCEPT
667<command>EOF</command></userinput></screen>
668
669</sect3>
670
671</sect2>
672</sect1>
673
Note: See TracBrowser for help on using the repository browser.