source: postlfs/security/firewalling.xml@ a56c29d

Last change on this file since a56c29d was a56c29d, checked in by Randy McMurchy <randy@…>, 20 years ago

Updated to Ethereal-0.10.9; added new Index division 'Kernel Configuration'

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@3347 af4574ff-66df-0310-9fd7-8a98e5e911e0

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
 "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
 <!ENTITY % general-entities SYSTEM "../../general.ent">
 %general-entities;
]>

<sect1 id="fw-firewall" xreflabel="Firewalling">
<sect1info>
<othername>$LastChangedBy$</othername>
<date>$Date$</date>
</sect1info>
<?dbhtml filename="firewall.html"?>
<title>Setting up a network firewall</title>

<para>Before you read this part of the chapter, note that we assume that you
have already installed iptables as described in the previous section.</para>

<sect2 id="fw-intro" xreflabel="Firewalling Introduction">
<title>Introduction to Firewall Creation</title>

<para>The general purpose of a firewall is to protect a network
against malicious access by using a single machine as a firewall.
This does imply that the firewall is to be considered a single point
of failure, but it can make the administrator's life a lot easier.</para>

<para>In a perfect world where you knew that every daemon or service
on every machine was perfectly configured and was immune to, e.g.,
buffer overflows and any other imaginable problem regarding its
security, and where you trusted every user accessing your services
to mean no harm, you wouldn't need to have a firewall!
In the real world, however, daemons may be misconfigured,
exploits against essential services are freely available, you
may wish to choose which services are accessible by certain machines,
you may wish to limit which machines or applications are allowed
to have Internet access, or you may simply not trust some of your
apps or users. In these situations you might benefit from using a
firewall.</para>

<para>Don't assume, however, that having a firewall makes careful
configuration redundant, or that it makes any negligent
misconfiguration harmless. It also doesn't prevent anyone from exploiting a
service you intentionally offer but haven't recently updated or patched
after an exploit went public. Despite having a firewall, you need to
keep applications and daemons on your system well-configured and
up-to-date; a firewall is not a cure-all!</para>

</sect2>

<sect2>
<title>Meaning of the word firewall</title>

<para>The word firewall can have several different meanings.</para>

<sect3><title><xref linkend="fw-persFw"/></title>

<para>This is a setup or program, commercially sold for Windows by
companies such as Symantec, of which they claim or pretend that it
secures a home or desktop PC with Internet access. This topic is
highly relevant for users who do not know the ways their computers
might be accessed via the Internet, or how to disable them,
especially if they are always online and connected via
broadband links.</para></sect3>

<sect3><title><xref linkend="fw-masqRouter"/></title>
<para>This is a box placed between the Internet and an intranet.
To minimize the risk of compromising the firewall itself, it
should generally have only one role, that of protecting the intranet.
Although not completely risk free, the tasks of doing the routing
and possibly IP masquerading (rewriting the IP headers
of the packets it routes from clients with private IP addresses onto
the Internet so that they seem to come from the firewall
itself) are commonly considered harmless.</para></sect3>

<sect3><title><xref linkend="fw-busybox"/></title>
<para>This is often an old box you may have retired and nearly forgotten,
performing masquerading or routing functions but also offering a bunch of
services, e.g., web cache, mail, etc. This is very common
for home networks, but can definitely not be considered secure
anymore, because combining server and router on one machine raises
the complexity of the setup.</para></sect3>

<sect3><title>Firewall with a demilitarized zone [not further described
here]</title>
<para>This box performs masquerading or routing, but grants public access to
some branch of your network which, because of its public IPs and physically
separated structure, is considered part of neither the Internet nor the
intranet. These are the servers which must be easily accessible
from both the Internet and the intranet. The firewall protects
them all.</para></sect3>

<sect3><title>Packetfilter / partly accessible net [partly described
here, see <xref linkend="fw-busybox"/>]</title>
<para>It does routing or masquerading, but permits only selected
services to be accessible, sometimes only by selected internal users or boxes;
mostly used in highly secure business contexts, sometimes by distrusting
employers. This was the common configuration of a firewall at the time of
the Linux 2.2 kernel. It's still possible to configure a firewall this way,
but it makes the rules quite complex and lengthy.</para></sect3>

</sect2>

<sect2 id="postlfs-security-fw-disclaimer" xreflabel="Disclaimer">
<title>Disclaimer</title>

<!-- <para><emphasis>NEITHER THE AUTHOR NOR ANY OF THE LINUXFROMSCRATCH TEAM
ARE RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THIS
DOCUMENT.</emphasis></para> -->

<para>This document is meant as an introduction to how to set up a firewall. It
is not a complete guide to securing systems. Firewalling is a complex issue
that requires careful configuration. The scripts quoted here are simply
intended to give examples of how a firewall works; they are not intended to
fit into any imaginable configuration and may not prevent any imaginable
attack.</para>

<para>The purpose of this text is simply to give you a hint on how to get
started with a firewall.</para>

<para>Customization of these scripts for your specific situation will
be necessary for an optimal configuration, but you should make a serious
study of the iptables documentation and of creating firewalls in general before
hacking away. Have a look at the list of
<xref linkend="fw-library"/> at the end of this section for
more details. There you will find a list of URLs that contain quite
comprehensive information about building your own firewall.</para>

</sect2>

<sect2 id="fw-kernel" xreflabel="getting a firewalling-enabled Kernel">
<title>Getting a firewall enabled Kernel</title>
<indexterm zone="fw-kernel">
<primary sortas="d-Firewalls">Firewalls (using iptables)</primary>
</indexterm>

<para>If you want your Linux box to have a firewall, you must first ensure
that your kernel has been compiled with the relevant options turned on.
<!-- <footnote><para>If you needed assistance how to configure, compile and
install a new kernel, refer back to chapter VIII of the LinuxFromScratch book,
<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html">
Installing a kernel</ulink> and eventually
<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html">
Making the LFS system bootable</ulink>; note, that you'll need to reboot
to actually run your new kernel.</para></footnote>-->
</para>

<para>Whether you enable the options compiled into the kernel or as
modules depends on your personal preferences and experience. Note that
the quoted scripts assume the options were built as modules, which they
load first.</para>

<screen>Network options menu
 Network packet filtering: Y
 Unix domain sockets: Y or M
 TCP/IP networking: Y
 IP: advanced router: Y
 IP: verbose route monitoring: Y
 IP: TCP Explicit Congestion Notification support: Y
 IP: TCP syncookie support: Y
 IP: Netfilter Configuration menu
 Every option except: Y or M
 ipchains (2.2-style) support N
 ipfwadm (2.0-style) support N
 Fast switching: N</screen>
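<para>As an added check, not part of the BLFS book, the following shell
function inspects a kernel <filename>.config</filename> for the options of
that menu before you build the kernel. The symbol names are the Linux 2.4
ones behind the menu entries (CONFIG_NETFILTER, CONFIG_UNIX, CONFIG_INET,
CONFIG_IP_ADVANCED_ROUTER, CONFIG_IP_ROUTE_VERBOSE, CONFIG_INET_ECN,
CONFIG_SYN_COOKIES, the compat options and CONFIG_NET_FASTROUTE); which
CONFIG_IP_NF_* options you need is an assumption derived from the modules
the scripts in this section load, and the sample <filename>.config</filename>
fragment is constructed for the demonstration.</para>

```shell
#!/bin/sh
# Added example (not from the BLFS book): verify that a kernel .config
# contains the firewall-related options before building the kernel.
# Usage: check_kernel_config /usr/src/linux/.config
# Prints one line per problem; returns 0 when everything is in order.

# Options that must be compiled in (=y).
MUST_BE_Y="CONFIG_NETFILTER CONFIG_INET CONFIG_IP_ADVANCED_ROUTER
CONFIG_IP_ROUTE_VERBOSE CONFIG_INET_ECN CONFIG_SYN_COOKIES"

# Options that may be built in or as modules (=y or =m).  The CONFIG_IP_NF_*
# entries are the 2.4-series options behind the modules the firewall scripts
# load (ip_tables, iptable_filter, ip_conntrack, ip_conntrack_ftp, ipt_state,
# ipt_LOG, iptable_nat, ipt_MASQUERADE, ipt_REJECT); extend the list for any
# other match or target you use (assumed mapping).
MUST_BE_Y_OR_M="CONFIG_UNIX CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER
CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_FTP CONFIG_IP_NF_MATCH_STATE
CONFIG_IP_NF_TARGET_LOG CONFIG_IP_NF_NAT CONFIG_IP_NF_TARGET_MASQUERADE
CONFIG_IP_NF_TARGET_REJECT"

# Options that must stay off: the ipchains/ipfwadm compatibility layers and
# fast switching, which would set up a bypass around the firewall rules.
MUST_BE_OFF="CONFIG_IP_NF_COMPAT_IPCHAINS CONFIG_IP_NF_COMPAT_IPFWADM
CONFIG_NET_FASTROUTE"

check_kernel_config() {
    cfg="$1"
    rc=0
    for opt in $MUST_BE_Y; do
        if ! grep -q "^$opt=y\$" "$cfg"; then
            echo "missing or not built in (needs =y): $opt"
            rc=1
        fi
    done
    for opt in $MUST_BE_Y_OR_M; do
        if ! grep -q "^$opt=[ym]\$" "$cfg"; then
            echo "missing (needs =y or =m): $opt"
            rc=1
        fi
    done
    for opt in $MUST_BE_OFF; do
        if grep -q "^$opt=[ym]\$" "$cfg"; then
            echo "must be disabled: $opt"
            rc=1
        fi
    done
    return $rc
}

# Constructed .config fragment with two deliberate defects: fast switching
# is enabled and the LOG target is missing.
SAMPLE_CONFIG="CONFIG_NETFILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_INET_ECN=y
CONFIG_SYN_COOKIES=y
CONFIG_NET_FASTROUTE=y
# CONFIG_IP_NF_COMPAT_IPCHAINS is not set
# CONFIG_IP_NF_COMPAT_IPFWADM is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REJECT=m"

sample=$(mktemp)
printf '%s\n' "$SAMPLE_CONFIG" > "$sample"
check_kernel_config "$sample" || echo "sample .config is not usable for a firewall"
rm -f "$sample"
```

<para>Run it against the real <filename>.config</filename> after
<command>make menuconfig</command>; on the constructed sample it reports the
two defects and returns 1.</para>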

<!--
<table frame='none'>
<title>Essential config-options for a firewall enabled Kernel</title>

<tgroup cols='5'>
<colspec colnum='1' colwidth='8*' align='center'/>
<colspec colnum='2' colwidth='19*' align='left'/>
<colspec colnum='3' colwidth='11*' align='center'/>
<colspec colnum='4' colwidth='1*' align='center'/>
<colspec colnum='5' colwidth='14*' align='left'/>

<tbody>

<row>
<entry><emphasis><userinput>Networking options:</userinput></emphasis></entry>
<entry><userinput>Network packet filtering</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_NETFILTER</entry>
</row>

<row>
<entry></entry>
<entry><userinput>Unix domain sockets</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_UNIX</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: TCP/IP networking</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_INET</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: advanced router</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_IP_ADVANCED_ROUTER</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: verbose route monitoring</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_IP_ROUTE_VERBOSE</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: TCP Explicit Congestion Notification support</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_INET_ECN</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: TCP syncookie support</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_SYN_COOKIES</entry>
</row>

<row>
<entry></entry>
<entry align='center'>
<emphasis><userinput>IP: Netfilter Configuration:</userinput></emphasis></entry>
<entry align='left'><userinput>every option</userinput></entry>
<entry>=</entry>
<entry>CONFIG_IP_NF_*</entry>
</row>

<row>
<entry></entry>
<entry align='right'><emphasis>WITHOUT:</emphasis></entry>
<entry align='left'><literallayout><userinput>ipchains (2.2-style) support
ipfw-adm (2.0-style) support</userinput></literallayout></entry>
<entry>w\</entry>
<entry>CONFIG_IP_NF_COMPAT_*</entry>
</row>

<row>
<entry></entry>
<entry><userinput>Fast switching</userinput></entry>
<entry>Make sure to disable it because it would setup a bypass around
your firewall rules.</entry>
<entry>w\</entry>
<entry>CONFIG_NET_FASTROUTE</entry>
</row>

</tbody>

</tgroup>

</table> -->

</sect2>

<sect2 id="fw-writing" xreflabel="writing the firewalling-setup-scripts">
<title>Now you can start to build your Firewall</title>

<sect3 id="fw-persFw" xreflabel="Personal Firewall">
<title>Personal Firewall</title>

<para>A Personal Firewall is supposed to let you access all the services
offered on the Internet, but keep your box secure and your data private.</para>

<para>Below is a slightly modified version of Rusty Russell's recommendation
from the <ulink
url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">
Linux 2.4 Packet Filtering HOWTO</ulink>:</para>

<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</command>
#!/bin/sh

# Begin $rc_base/init.d/firewall

# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe ipt_LOG

# allow local-only connections
iptables -A INPUT -i lo -j ACCEPT

# free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# permit answers on already established connections
# and permit new connections related to established ones
# (eg active-ftp)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log everything else: What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

# set a sane policy: everything not accepted &gt; /dev/null
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr

# disable ExplicitCongestionNotification
# too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn

# End $rc_base/init.d/firewall
<command>EOF</command></userinput></screen>

<para>His script is quite simple: it drops all traffic coming into your
computer that wasn't initiated from your box, but as long as you are simply
surfing the Internet you are unlikely to exceed its limits.</para>

<para>If you frequently encounter delays when accessing ftp servers,
please have a look at <xref linkend="fw-busybox"/> -
<xref linkend="fw-BB-4"/>.</para>

<para>Even if you have daemons or services running on your box, these
should be inaccessible from everywhere but your box itself.
If you want to allow access to services on your machine, such as ssh or
pinging, take a look at <xref linkend="fw-busybox"/>.</para>

</sect3>


<sect3 id="fw-masqRouter" xreflabel="Masquerading Router">
<title>Masquerading Router</title>

<para>A true firewall has two interfaces, one connected to an intranet,
in this example <emphasis role="strong">eth0</emphasis>, and one
connected to the Internet, here <emphasis role="strong">ppp0</emphasis>.
To provide the maximum security against the box itself being broken into,
make sure that there are no servers running on it, especially not
<application>X11</application> et
al. And, as a general principle, the box itself should not access any
untrusted service (think of a name server giving answers that make your
bind crash, or, even worse, that implant a worm via a
buffer overflow).</para>

<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</command>
#!/bin/sh

# Begin $rc_base/init.d/firewall

echo
echo "You're using the example-config for a setup of a firewall"
echo "from the firewalling-hint written for LinuxFromScratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue, that exceeds the scope"
echo "of the quoted configuration rules."
echo "You can find some quite comprehensive information"
echo "about firewalls in Chapter 4 of the BLFS book."
echo "http://www.linuxfromscratch.org/blfs"
echo

# Insert iptables modules (not needed if built into the kernel).

modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ipt_MASQUERADE
modprobe ipt_LOG
modprobe ipt_REJECT

# allow local-only connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# allow forwarding
# (the negation is written "! -i", the form every iptables version accepts)
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW ! -i ppp+ -j ACCEPT

# do masquerading
# (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE

# Log everything for debugging
# (last of all rules, but before DROP/REJECT)
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "

# set a sane policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# be verbose on dynamic ip-addresses
# (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr

# disable ExplicitCongestionNotification
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn

# activate TCPsyncookies
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies

# activate Route-Verification = IP-Spoofing_protection
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
 echo 1 &gt; $f
done

# activate IP-Forwarding
echo 1 &gt; /proc/sys/net/ipv4/ip_forward
<command>EOF</command></userinput></screen>

<para>With this script your intranet should be sufficiently secure against
external attacks. No one should be able to set up a new connection to any
internal service and, if it's masqueraded, it's even invisible. Furthermore,
your firewall should be nearly immune because there are no services running
on it that a cracker could attack.</para>

<para>Note: if the interface you're connecting to the Internet
doesn't connect via ppp, you will need to change
<replaceable>ppp+</replaceable> to the name of the interface which you are
using. If you are using the same interface type to connect to both your
intranet and the Internet, you need to use the actual name of the
interface, such as <emphasis role="strong">eth0</emphasis>,
on both interfaces.</para>

<para>If you need stronger security (e.g., against DoS, connection
hijacking, spoofing, etc.), have a look at the list of
<xref linkend="fw-library"/> at the end of this section.</para>

</sect3>

<sect3 id="fw-busybox" xreflabel="BusyBox">
<title>BusyBox</title>

<para>This scenario isn't too different from the <xref linkend="fw-masqRouter"/>,
but in this case you want to offer some services to your intranet.
Examples are when you want to administer your box from another host
on your intranet or use it as a proxy or a name server. Note: outlining a true
concept of how to protect a server that offers services on the Internet
goes far beyond the scope of this document;
see <xref linkend="postlfs-security-fw-disclaimer"/>.</para>

<para>Be cautious. Every service you offer and have enabled makes your
setup more complex and your box less secure. You introduce the risks of
misconfigured services or of running a service with an exploitable bug. A
firewall should generally not run any extra services. See the introduction to
<xref linkend="fw-masqRouter"/> for some more details.</para>

<para>If the services you'd like to offer do not need to access the Internet
themselves, like internal-only samba or name servers, it's quite
simple and should still be acceptable from a security standpoint.
Just add the following lines <emphasis>before</emphasis> the logging rules
in the script.</para>

<screen>iptables -A INPUT ! -i ppp+ -j ACCEPT
iptables -A OUTPUT ! -o ppp+ -j ACCEPT</screen>

<para>If your daemons have to access the web themselves, like squid would need
to, you could open OUTPUT generally and restrict INPUT.</para>

<screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT</screen>

<para>However, it is generally not advisable to leave OUTPUT unrestricted. You
lose any control over trojans that would like to "call home", and you lose a
bit of redundancy in case you've (mis-)configured a service so that it
broadcasts its existence to the world.</para>

<para>If you prefer to have this protection, you may restrict INPUT and OUTPUT
on all ports except those it's absolutely necessary to have open.
Which ports you have to open depends on your needs: mostly you will find them
by looking for failed accesses in your log files.</para>
<itemizedlist spacing="compact">
<!-- <orderedlist numeration="arabic" spacing="compact"> -->
<title>Have a look at the following examples:</title>

<listitem><para>Squid is caching the web:</para>
<screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED \
-j ACCEPT</screen>
</listitem>

<listitem><para>Your caching name server (e.g., dnscache) does its
lookups via udp:</para>
<screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED \
-j ACCEPT</screen>
</listitem>

<listitem><para>If you want to be able to ping your box to
ensure it's still alive:</para>

<screen>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</screen>
</listitem>

<listitem><para><anchor id='fw-BB-4' xreflabel="example no. 4"/>If you are
frequently accessing ftp servers or enjoy chatting, you might notice certain
delays because some implementations of these daemons have the feature of
querying an identd on your box to log usernames.
Although there's really no harm in this, having an identd running is not
recommended because some implementations are known to be vulnerable.</para>

<para>To avoid these delays you could reject the requests
with a 'tcp-reset':</para>

<screen>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen>
</listitem>

<listitem><para>To log and drop invalid packets (harmless packets
that came in after netfilter's timeout, or some types of network scans):</para>

<screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG \
--log-prefix "FIREWALL:INVALID"
iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></listitem>

<listitem><para>Anything coming from the outside should not have a
private address; faking one is a common attack called IP spoofing:</para>

<screen>iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8 -j DROP
iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12 -j DROP
iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP</screen>
</listitem>

<listitem><para>To simplify debugging and be fair to anyone who'd like to
access a service you have disabled, purposely or by mistake, you should REJECT
those packets that are dropped.</para>

<para>Obviously this must be done directly after logging, as the very
last lines before the packets are dropped by policy:</para>

<screen>iptables -A INPUT -j REJECT
iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT</screen></listitem>
</itemizedlist>
<!--</orderedlist>-->
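<para>The examples above are meant to be merged into the masquerading-router
script, and their order matters: the accept rules for your services go before
the logging rules, and the catch-all REJECT comes after them. The following
script is an added example, not part of the BLFS book, that assembles one
such ordering and checks it. It assumes <replaceable>ppp+</replaceable> as the
external interface, as on this page, and a hypothetical selection of services
(ssh and ping from the intranet, squid and a caching name server on the box).
With <envar>IPTABLES</envar> unset it only prints the rules (a dry run that
needs no root); <function>check_order</function> is an added helper that reads
those printed rules and reports the ordering mistakes the text warns
about.</para>

```shell
#!/bin/sh
# Added example (not from the BLFS book): the rules of the BusyBox section
# assembled in the order the text prescribes.  Every rule goes through ipt():
# with IPTABLES unset it only prints the rule (dry run, no root needed);
# with IPTABLES=iptables it runs the real command.
# Assumptions: ppp+ is the Internet-facing interface, and the box offers
# ssh and ping to the intranet and runs squid plus a caching name server
# (a hypothetical selection of the services discussed above).

EXT_IF="${EXT_IF:-ppp+}"

ipt() {
    if [ -z "${IPTABLES:-}" ]; then
        printf '%s\n' "$*"
    else
        "$IPTABLES" "$@"
    fi
}

build_rules() {
    # 1. everything that is accepted comes first
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # log and drop INVALID packets before any other rule sees them
    ipt -A INPUT -p tcp -m state --state INVALID -j LOG --log-prefix "FIREWALL:INVALID "
    ipt -A INPUT -p tcp -m state --state INVALID -j DROP
    # the intranet may open new connections towards the Internet, masqueraded
    ipt -A FORWARD -m state --state NEW ! -i "$EXT_IF" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
    # services offered to the intranet only, never on the external interface
    ipt -A INPUT ! -i "$EXT_IF" -p tcp --dport 22 -j ACCEPT
    ipt -A INPUT ! -i "$EXT_IF" -p icmp --icmp-type echo-request -j ACCEPT
    # what the box's own daemons need: squid fetching pages, dns lookups
    ipt -A OUTPUT -p tcp --dport 80 -j ACCEPT
    ipt -A OUTPUT -p udp --dport 53 -j ACCEPT
    # answer identd probes with a reset instead of letting them time out
    ipt -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    # the port-unreachable errors generated by the final REJECT must be
    # allowed out; before the OUTPUT log rule so they do not fill the log
    ipt -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT
    # 2. logging of everything that was not accepted
    ipt -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
    ipt -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
    ipt -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "
    # 3. the catch-all REJECT, then the DROP policies
    ipt -A INPUT -j REJECT
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
}

# Reads printed rules on stdin and checks the ordering rules from the text:
# an ACCEPT appended after a chain's catch-all LOG rule is never reached for
# the packets it was meant for, every filter chain needs a catch-all LOG,
# and the unconditional REJECT must be the last INPUT rule.
# Returns 0 when the order is right, 1 otherwise; problems go to stdout.
check_order() {
    awk '
        BEGIN { bad = 0 }
        $1 != "-A" { next }                 # filter-table appends only
        {
            chain = $2; target = ""
            for (i = NF; i > 2; i--) if ($(i-1) == "-j") target = $i
            # a rule with no match at all ($3 is already -j) is a catch-all
            if ($3 == "-j") {
                if (target == "LOG") seen_log[chain] = 1
            } else if (target == "ACCEPT") {
                if (seen_log[chain]) {
                    print "unreachable: ACCEPT after the LOG rule in " chain ": " $0
                    bad = 1
                }
            }
            last[chain] = $0
        }
        END {
            n = split("INPUT FORWARD OUTPUT", chains, " ")
            for (c = n; c > 0; c--) if (!seen_log[chains[c]]) {
                print "no catch-all LOG rule in " chains[c]
                bad = 1
            }
            if (last["INPUT"] != "-A INPUT -j REJECT") {
                print "the catch-all REJECT is not the last INPUT rule"
                bad = 1
            }
            exit bad
        }'
}

# Dry run (IPTABLES forced unset in a subshell): print the rules, then
# verify their order.  As root, IPTABLES=iptables build_rules loads them.
(unset IPTABLES; build_rules)
if (unset IPTABLES; build_rules) | check_order; then
    echo "rule order OK"
fi
```

<para>Review the dry-run output first; only then run
<function>build_rules</function> as root with <envar>IPTABLES</envar> set to
the <command>iptables</command> binary.</para>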

<para>These are only examples to show you some of the capabilities of the new
firewall code in the Linux 2.4 kernel. Have a look at the man page of
iptables; there you will find more of them. The port numbers you'll need for
this can be found in <filename>/etc/services</filename>, in case you didn't
find them by trial and error in your log file.</para>

<para>If you add any of your offered or accessed services such as the above,
maybe even in FORWARD and for intranet communication, and delete the
general clauses, you get an old-fashioned packet filter.</para>
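<para>Finding the ports by hand in the log file is tedious once the LOG rules
have been running for a while. The following shell function is an added
example, not part of the BLFS book, that summarizes the lines the LOG target
wrote: it reads syslog lines on stdin (assumed format: the kernel's
"PREFIX IN=... OUT=... SRC=... DST=... PROTO=... DPT=..." message as written
by syslogd after "kernel:") and prints, most frequent first, the log prefix,
protocol, destination port and source address of each blocked attempt. The
sample log is constructed for the demonstration.</para>

```shell
#!/bin/sh
# Added example (not from the BLFS book): summarize what the LOG rules of
# the firewall scripts recorded, to find the ports a blocked service needs.
# Reads syslog lines on stdin (assumed format: "... kernel: PREFIX IN=...
# OUT=... SRC=... DST=... PROTO=... DPT=...") and prints, most frequent first:
#   count  log-prefix  protocol  destination-port  source-address
summarize_fw_log() {
    awk '
        # only lines produced by the LOG target carry the IN= and OUT= fields
        !/IN=.*OUT=/ { next }
        {
            prefix = "?"; proto = "?"; dpt = "-"; src = "?"
            # the prefix is what stands between "kernel: " and the IN= field
            if (match($0, /kernel: [^=]*IN=/)) {
                prefix = substr($0, RSTART + 8, RLENGTH - 11)
                sub(/ +$/, "", prefix)
                # drop a dmesg-style "[  12.5] " timestamp if syslog kept one
                sub(/^\[[^]]*\] */, "", prefix)
            }
            if (match($0, /PROTO=[^ ]+/)) proto = substr($0, RSTART + 6, RLENGTH - 6)
            if (match($0, /DPT=[^ ]+/))   dpt   = substr($0, RSTART + 4, RLENGTH - 4)
            if (match($0, /SRC=[^ ]+/))   src   = substr($0, RSTART + 4, RLENGTH - 4)
            print prefix, proto, dpt, src
        }' | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Constructed sample log (documentation addresses): three blocked ssh
# attempts from an intranet host, two blocked web fetches by the box's own
# daemon, one blocked ping, and one unrelated sshd line that must be ignored.
SAMPLE_LOG="Mar  3 10:00:01 fw kernel: FIREWALL:INPUT IN=eth0 OUT= SRC=192.168.1.10 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:00:04 fw kernel: FIREWALL:INPUT IN=eth0 OUT= SRC=192.168.1.10 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:00:10 fw kernel: FIREWALL:INPUT IN=eth0 OUT= SRC=192.168.1.10 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:00 fw kernel: FIREWALL:OUTPUT IN= OUT=ppp0 SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=33000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:03 fw kernel: FIREWALL:OUTPUT IN= OUT=ppp0 SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=33001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:02:00 fw kernel: FIREWALL:INPUT IN=eth0 OUT= SRC=192.168.1.10 DST=192.168.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Mar  3 10:02:30 fw sshd[1234]: Accepted publickey for root from 192.168.1.10"

printf '%s\n' "$SAMPLE_LOG" | summarize_fw_log
```

<para>On a live box, feed it the kernel messages instead, e.g.
<command>grep FIREWALL: /var/log/sys.log | summarize_fw_log</command>
(the file name depends on your syslog configuration). The top line of the
sample output, "3 FIREWALL:INPUT TCP 22 192.168.1.10", tells you that an
intranet host is trying to reach ssh on the box and which rule you still
have to add.</para>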
</sect3>

</sect2>

<sect2 id="fw-finale" xreflabel="Conclusion">
<title>Conclusion</title>

<para>Finally, I'd like to remind you of one fact we must not forget:
the effort spent attacking a system corresponds to the value the cracker
expects to gain from it.
If you are responsible for assets so valuable that you expect great
effort to be made by potential crackers, you hopefully won't need
this hint!</para>

<!-- <para><literallayout>Be cautious!

 Henning Rohde
<email>Henning.Rohde@uni-bayreuth.de</email></literallayout></para>

<para>PS: And always do remember:
SecureIT is not a matter of a status-quo but one of never stopping
to take care!</para>

<para>PPS: If any of these scripts fail, please tell me. I will try to trace
any faults.</para> -->

</sect2>

<sect2 id="postlfs-security-fw-extra" xreflabel="Extra Information">
<title>Extra Information</title>

<sect3 id="fw-library" xreflabel="Links for further reading">
<title>Where to start with further reading on firewalls</title>

<para><blockquote><literallayout>
<ulink url="http://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables project</ulink>
<ulink url="http://www.netfilter.org/documentation/FAQ/netfilter-faq.html">Netfilter related FAQ</ulink>
<ulink url="http://www.netfilter.org/documentation/index.html#HOWTO">Netfilter related HOWTO's</ulink>
<ulink url="http://en.tldp.org/LDP/nag2/x-087-2-firewall.html">en.tldp.org/LDP/nag2/x-087-2-firewall.html</ulink>
<ulink url="http://en.tldp.org/HOWTO/Security-HOWTO.html">en.tldp.org/HOWTO/Security-HOWTO.html</ulink>
<ulink url="http://en.tldp.org/HOWTO/Firewall-HOWTO.html">en.tldp.org/HOWTO/Firewall-HOWTO.html</ulink>
<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire.html">www.ibm.com/developerworks/security/library/s-fire.html</ulink>
<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire2.html">www.ibm.com/developerworks/security/library/s-fire2.html</ulink>
<ulink url="http://www.interhack.net/pubs/fw-faq/">www.interhack.net/pubs/fw-faq/</ulink>
<ulink url="http://www.linuxsecurity.com/docs/">www.linuxsecurity.com/docs/</ulink>
<ulink url="http://www.little-idiot.de/firewall">www.little-idiot.de/firewall (German &amp; outdated, but very comprehensive)</ulink>
<ulink url="http://www.linuxgazette.com/issue65/stumpel.html">www.linuxgazette.com/issue65/stumpel.html</ulink>
<ulink url="http://linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html">linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html</ulink>
<ulink url="http://staff.washington.edu/dittrich/misc/ddos">staff.washington.edu/dittrich/misc/ddos</ulink>
<ulink url="http://www.e-infomax.com/ipmasq">www.e-infomax.com/ipmasq</ulink>
<ulink url="http://www.circlemud.org/~jelson/writings/security/index.htm">www.circlemud.org/~jelson/writings/security/index.htm</ulink>
<ulink url="http://www.securityfocus.com">www.securityfocus.com</ulink>
<ulink url="http://www.cert.org/tech_tips/">www.cert.org - tech_tips</ulink>
<ulink url="http://security.ittoolbox.com/">security.ittoolbox.com</ulink>
<ulink url="http://www.linux-firewall-tools.com/linux/">www.linux-firewall-tools.com/linux/</ulink>
<ulink url="http://logi.cc/linux/athome-firewall.php3">logi.cc/linux/athome-firewall.php3</ulink>
<ulink url="http://www.insecure.org/reading.html">www.insecure.org/reading.html</ulink>
<ulink url="http://www.robertgraham.com/pubs/firewall-seen.html">www.robertgraham.com/pubs/firewall-seen.html</ulink>
</literallayout></blockquote></para>
</sect3>

<sect3 id="fw-status" xreflabel="/etc/rc.d/init.d/firewall.status">
<title>firewall.status</title>

<para>If you'd like to have a look at the chains your firewall consists of and
the order in which the rules take effect:</para>

<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall.status &lt;&lt; "EOF"</command>
#!/bin/sh

# Begin $rc_base/init.d/firewall.status

echo "iptables.mangling:"
iptables -t mangle -v -L -n --line-numbers

echo
echo "iptables.nat:"
iptables -t nat -v -L -n --line-numbers

echo
echo "iptables.filter:"
iptables -v -L -n --line-numbers
<command>EOF</command></userinput></screen>
</sect3>

<sect3 id="postlfs-security-fw-stop" xreflabel="/etc/rc.d/init.d/firewall.stop">
<title>firewall.stop</title>

<para>If you need to turn the firewall off, this script will do it:</para>

<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall.stop &lt;&lt; "EOF"</command>
#!/bin/sh

# Begin $rc_base/init.d/firewall.stop

# deactivate IP-Forwarding
echo 0 &gt; /proc/sys/net/ipv4/ip_forward

# zero the counters, flush every chain in every table, delete user-defined
# chains and open the policies again
iptables -Z
iptables -F
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -t nat -F POSTROUTING
iptables -t mangle -F PREROUTING
iptables -t mangle -F OUTPUT
iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
<command>EOF</command></userinput></screen>
</sect3>

</sect2>

</sect1>
