source: postlfs/security/firewalling.xml@ b4b71892

10.0 10.1 11.0 6.0 6.1 6.2 6.2.0 6.2.0-rc1 6.2.0-rc2 6.3 6.3-rc1 6.3-rc2 6.3-rc3 7.10 7.4 7.5 7.6 7.6-blfs 7.6-systemd 7.7 7.8 7.9 8.0 8.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind gnome kde5-13430 kde5-14269 kde5-14686 ken/refactor-virt krejzi/svn lazarus nosym perl-modules qt5new systemd-11177 systemd-13485 trunk xry111/git-date xry111/git-date-for-trunk xry111/git-date-test
Last change on this file since b4b71892 was b4b71892, checked in by Bruce Dubbs <bdubbs@…>, 17 years ago

New XML Chapter 4

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@2288 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 26.8 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
3 "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6]>
7
8<sect1 id="postlfs-security-fw-firewall" xreflabel="Firewalling">
9<?dbhtml filename="firewall.html"?>
10<title>Setting up a network firewall</title>
11
12<para>Before you read this part of the chapter, note that we assume that you
13have already installed iptables as described in the previous section.</para>
14
15
16<sect2 id="postlfs-security-fw-intro" xreflabel="Firewalling Introduction">
17<title>Introduction to Firewall Creation</title>
18
19<para>The general purpose of a firewall is to protect a network
20against malicious access by using a single machine as a firewall.
21This does imply that the firewall is to be considered a single point
22of failure, but it can make the administrator's life a lot easier.</para>
23
24<para>In a perfect world where you knew that every daemon or service
25on every machine was perfectly configured and was immune to, e.g.,
26buffer-overflows and any other imaginable problem regarding its
27security, and where you trusted every user accessing your services
28to aim no harm, you wouldn't need to have a firewall!
29In the real world however, daemons may be misconfigured,
30exploits against essential services are freely available, you
31may wish to choose which services are accessible by certain machines,
32you may wish to limit which machines or applications are allowed
33to have Internet access, or you may simply not trust some of your
34apps or users.
35In these situations you might benefit by using a firewall.</para>
36
37<para>Don't assume however, that having a firewall makes careful
38configuration redundant, or that it makes any negligent
39misconfiguration harmless. It also doesn't prevent anyone from exploiting a
40service you intentionally offer but haven't recently updated or patched
41after an exploit went public. Despite having a firewall, you need to
42keep applications and daemons on your system well-configured and
43up-to-date; a firewall is not a cure-all!</para>
44
45</sect2>
46
47<sect2>
48<title>Meaning of the word firewall.</title>
49
50<para>The word firewall can have several different meanings.</para>
51
52<sect3><title><xref linkend="postlfs-security-fw-persFw"/></title>
53
54<para>This is a setup or program, for Windows commercially sold by
55companies such as Symantec, of which they claim or pretend that it
56secures a home or desktop-pc with Internet access. This topic is
57highly relevant for users who do not know the methods their computers
58might be accessed via the Internet or how to disable them,
59especially if they are always online and connected via
60broadband links.</para></sect3>
61
62<sect3><title><xref linkend="postlfs-security-fw-masqRouter"/></title>
63<para>This is a box placed between the Internet and an intranet.
64To minimize the risk of compromising the firewall itself it
65should generally have only one role, that of protecting the intranet.
66Although not completely risk free, the tasks of doing the routing
67and eventually IP masquerading (rewriting IP-headers
68of the packets it routes from clients with private IP-addresses onto
69the Internet so that they seem to come from the firewall
70itself) are commonly considered harmless.</para></sect3>
71
72<sect3><title><xref linkend="postlfs-security-fw-busybox"/></title>
73<para>This is often an old box you may have retired and nearly forgotten,
74performing masquerading or routing functions, but offering a bunch of
75services, e.g., web-cache, mail, etc. This may be very commonly used
76for home networks, but can definitely not be considered as secure
77anymore because the combining of server and router on one machine raises
78the complexity of the setup.</para></sect3>
79
80<sect3><title>Firewall with a demilitarized zone [not further described
81here]</title>
82<para>This box performs masquerading or routing, but grants public access to
83some branch of your network which, because of public IP's and a physically
84separated structure, is neither considered to be part of the inter- nor
85intranet. These servers are those which must be easily accessible
86from both the inter- and intranet. The firewall protects
87them all.</para></sect3>
88
89<sect3><title>Packetfilter / partly accessible net [partly described
90here, see <xref linkend="postlfs-security-fw-busybox"/>]</title>
91<para>Doing routing or masquerading, but permitting only selected
92services to be accessible, sometimes only by selected internal users or boxes;
93mostly used in highly secure business contexts, sometimes by distrusting
94employers. This was the common configuration of a firewall at the time of
95the Linux 2.2 kernel. It's still possible to configure a firewall this way,
96but it makes the rules quite complex and lengthy.</para></sect3>
97
98</sect2>
99
100<sect2 id="postlfs-security-fw-disclaimer" xreflabel="Disclaimer">
101<title>Disclaimer</title>
102
103<!-- <para><emphasis>NEITHER THE AUTHOR NOR ANY OF THE LINUXFROMSCRATCH TEAM
104ARE RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THIS
105DOCUMENT.</emphasis></para> -->
106
107<para>This document is meant as an introduction to how to setup a firewall. It
108is not a complete guide to securing systems. Firewalling is a complex issue
109that requires careful configuration. The scripts quoted here are simply
110intended to give examples as to how a firewall works, they are not intended to
111fit into any imaginable configuration and may not prevent any imaginable
112attack.</para>
113
114<para>The purpose of this text is simply to give you a hint on how to get
115started with a firewall.</para>
116
117<para>Customization of these scripts for your specific situation will
118be necessary for an optimal configuration, but you should make a serious
119study of the iptables documentation and creating firewalls in general before hacking
120away. Have a look at the list of <xref linkend="postlfs-security-fw-library"/> at the end
121of this section for more details. Here you will find a list of URLs that
122contain quite comprehensive information about building your own firewall.</para>
123
124</sect2>
125
126
127<sect2 id="postlfs-security-fw-kernel" xreflabel="getting a firewalling-enabled Kernel">
128<title>Getting a firewall enabled Kernel</title>
129
130<para>If you want your Linux-Box to have a firewall, you must first ensure
131that your kernel has been compiled with the relevant options turned on.
132<!-- <footnote><para>If you needed assistance how to configure, compile and install
133a new kernel, refer back to chapter VIII of the LinuxFromScratch book,
134<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html">Installing a kernel</ulink>
135 and eventually
136<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html">Making the LFS system bootable</ulink>
137; note, that you'll need to reboot
138to actually run your new kernel.</para></footnote>-->
139</para>
140
141<para>How to configure your kernel, with enabling the options to be
142either compiled into the kernel or as modules, depends on your personal
143preferences and experience. Note, that for the quoted scripts it is assumed
144that the modules need to be loaded at first.</para>
145
146<screen>Network options menu
147 Network packet filtering: Y
148 Unix domain sockets: Y or M
149 TCP/IP networking: Y
150 IP: advanced router: Y
151 IP: verbose route monitoring: Y
152 IP: TCP Explicit Congestion Notification support: Y
153 IP: TCP syncookie support: Y
154 IP: Netfilter Configuration menu
155 Every option except: Y or M
156 ipchains (2.2-style) support N
157 ipfwadm (2.0-style) support N
158 Fast switching: N</screen>
159
160<!--
161<table frame='none'>
162<title>Essential config-options for a firewall enabled Kernel</title>
163
164<tgroup cols='5'>
165<colspec colnum='1' colwidth='8*' align='center'/>
166<colspec colnum='2' colwidth='19*' align='left'/>
167<colspec colnum='3' colwidth='11*' align='center'/>
168<colspec colnum='4' colwidth='1*' align='center'/>
169<colspec colnum='5' colwidth='14*' align='left'/>
170
171<tbody>
172
173<row>
174<entry><emphasis><userinput>Networking options:</userinput></emphasis></entry>
175<entry><userinput>Network packet filtering</userinput></entry>
176<entry></entry>
177<entry>=</entry>
178<entry>CONFIG_NETFILTER</entry>
179</row>
180
181<row>
182<entry></entry>
183<entry><userinput>Unix domain sockets</userinput></entry>
184<entry></entry>
185<entry>=</entry>
186<entry>CONFIG_UNIX</entry>
187</row>
188
189<row>
190<entry></entry>
191<entry><userinput>IP: TCP/IP networking</userinput></entry>
192<entry></entry>
193<entry>=</entry>
194<entry>CONFIG_INET</entry>
195</row>
196
197<row>
198<entry></entry>
199<entry><userinput>IP: advanced router</userinput></entry>
200<entry></entry>
201<entry>=</entry>
202<entry>CONFIG_IP_ADVANCED_ROUTER</entry>
203</row>
204
205<row>
206<entry></entry>
207<entry><userinput>IP: verbose route monitoring</userinput></entry>
208<entry></entry>
209<entry>=</entry>
210<entry>CONFIG_IP_ROUTE_VERBOSE</entry>
211</row>
212
213<row>
214<entry></entry>
215<entry><userinput>IP: TCP Explicit Congestion Notification support</userinput></entry>
216<entry></entry>
217<entry>=</entry>
218<entry>CONFIG_INET_ECN</entry>
219</row>
220
221<row>
222<entry></entry>
223<entry><userinput>IP: TCP syncookie support</userinput></entry>
224<entry></entry>
225<entry>=</entry>
226<entry>CONFIG_SYN_COOKIES</entry>
227</row>
228
229<row>
230<entry></entry>
231<entry align='center'>
232<emphasis><userinput>IP: Netfilter Configuration:</userinput></emphasis></entry>
233<entry align='left'><userinput>every option</userinput></entry>
234<entry>=</entry>
235<entry>CONFIG_IP_NF_*</entry>
236</row>
237
238<row>
239<entry></entry>
240<entry align='right'><emphasis>WITHOUT:</emphasis></entry>
241<entry align='left'><literallayout><userinput>ipchains (2.2-style) support
242ipfw-adm (2.0-style) support</userinput></literallayout></entry>
243<entry>w\</entry>
244<entry>CONFIG_IP_NF_COMPAT_*</entry>
245</row>
246
247<row>
248<entry></entry>
249<entry><userinput>Fast switching</userinput></entry>
250<entry>Make sure to disable it because it would setup a bypass around
251your firewall rules.</entry>
252<entry>w\</entry>
253<entry>CONFIG_NET_FASTROUTE</entry>
254</row>
255
256</tbody>
257
258</tgroup>
259
260</table> -->
261
262</sect2>
263
264
265<sect2 id="postlfs-security-fw-writing" xreflabel="writing the firewalling-setup-scripts">
266<title>Now you can start to build your Firewall</title>
267
268
269<sect3 id="postlfs-security-fw-persFw" xreflabel="Personal Firewall">
270<title>Personal Firewall</title>
271
272<para>A Personal Firewall is supposed to let you access all the services
273offered on the Internet, but keep your box secure and your data private.</para>
274
275<para>Below is a slightly modified version of Rusty Russell's recommendation
276from the <ulink
277url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">Linux
2782.4 Packet Filtering HOWTO</ulink>:</para>
279
280<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</command>
281#!/bin/sh
282
283# Begin $rc_base/init.d/firewall
284
285# Insert connection-tracking modules (not needed if built into the kernel).
286modprobe ip_tables
287modprobe iptable_filter
288modprobe ip_conntrack
289modprobe ip_conntrack_ftp
290modprobe ipt_state
291modprobe ipt_LOG
292
293# allow local-only connections
294iptables -A INPUT -i lo -j ACCEPT
295# free output on any interface to any ip for any service (equal to -P ACCEPT)
296iptables -A OUTPUT -j ACCEPT
297
298# permit answers on already established connections
299# and permit new connections related to established ones (eg active-ftp)
300iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
301
302# Log everything else: What's Windows' latest exploitable vulnerability?
303iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
304
305# set a sane policy: everything not accepted &gt; /dev/null
306iptables -P INPUT DROP
307iptables -P FORWARD DROP
308iptables -P OUTPUT DROP
309
310# be verbose on dynamic ip-addresses (not needed in case of static IP)
311echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
312
313# disable ExplicitCongestionNotification - too many routers are still ignorant
314echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
315
316# End $rc_base/init.d/firewall
317<command>EOF</command></userinput></screen>
318
319<para>His script is quite simple, it drops all traffic coming in into your
320computer that wasn't initiated from your box, but as long as you are simply
321surfing the Internet you are unlikely to exceed its limits.</para>
322
323<para>If you frequently encounter certain delays at accessing ftp-servers,
324please have a look at <xref linkend="postlfs-security-fw-busybox"/> -
325<xref linkend="postlfs-security-fw-BB-4"/>.</para>
326
327<para>Even if you have daemons or services running on your box, these
328should be inaccessible everywhere but from your box itself.
329If you want to allow access to services on your machine, such as ssh or pinging,
330take a look at <xref linkend="postlfs-security-fw-busybox"/>.</para>
331
332</sect3>
333
334
335<sect3 id="postlfs-security-fw-masqRouter" xreflabel="Masquerading Router">
336<title>Masquerading Router</title>
337
338<para>A true Firewall has two interfaces, one connected to an intranet,
339in this example, <emphasis role="strong">eth0</emphasis>, and one
340connected to the Internet, here, <emphasis role="strong">ppp0</emphasis>.
341To provide the maximum security against the box itself being broken into,
342make sure that there are no servers running on it, especially not
343<application>X11</application> et
344al. And, as a general principle, the box itself should not access any untrusted
345service (Think of a name server giving answers that make your
346bind crash, or, even worse, that implement a worm via a
347buffer-overflow).</para>
348
349<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</command>
350#!/bin/sh
351
352# Begin $rc_base/init.d/firewall
353
354echo
355echo "You're using the example-config for a setup of a firewall"
356echo "from the firewalling-hint written for LinuxFromScratch."
357echo "This example is far from being complete, it is only meant"
358echo "to be a reference."
359echo "Firewall security is a complex issue, that exceeds the scope"
360echo "of the quoted configuration rules."
361echo "You can find some quite comprehensive information"
362echo "about firewalls in Chapter 4 of the BLFS book."
363echo "http://www.linuxfromscratch.org/blfs"
364echo
365
366# Insert iptables modules (not needed if built into the kernel).
367
368modprobe ip_tables
369modprobe iptable_filter
370modprobe ip_conntrack
371modprobe ip_conntrack_ftp
372modprobe ipt_state
373modprobe iptable_nat
374modprobe ip_nat_ftp
375modprobe ipt_MASQUERADE
376modprobe ipt_LOG
377modprobe ipt_REJECT
378
379# allow local-only connections
380iptables -A INPUT -i lo -j ACCEPT
381iptables -A OUTPUT -o lo -j ACCEPT
382
383# allow forwarding
384iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
385iptables -A FORWARD -m state --state NEW -i ! ppp+ -j ACCEPT
386
387# do masquerading (not needed if intranet is not using private ip-addresses)
388iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
389
390# Log everything for debugging (last of all rules, but before DROP/REJECT)
391iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
392iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
393iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "
394
395# set a sane policy
396iptables -P INPUT DROP
397iptables -P FORWARD DROP
398iptables -P OUTPUT DROP
399
400# be verbose on dynamic ip-addresses (not needed in case of static IP)
401echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
402
403# disable ExplicitCongestionNotification
404echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
405
406# activate TCPsyncookies
407echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
408
409# activate Route-Verification = IP-Spoofing_protection
410for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
411 echo 1 &gt; $f
412done
413
414# activate IP-Forwarding
415echo 1 &gt; /proc/sys/net/ipv4/ip_forward
416<command>EOF</command></userinput></screen>
417
418<para>With this script your intranet should be sufficiently secure against
419external attacks. No one should be able to setup a new connection to any
420internal service and, if it's masqueraded, it's even invisible. Furthermore,
421your firewall should be nearly immune because there are no services running
422that a cracker could attack.</para>
423
424<para>Note: if the interface you're connecting to the Internet
425doesn't connect via ppp, you will need to change
426<replaceable>ppp+</replaceable> to the name of the interface which you are
427using. If you are using the same interface type to connect to both your
428intranet and the Internet, you need to use the actual name of the
429interface such as <emphasis role="strong">eth0</emphasis>,
430on both interfaces.</para>
431
432<para>If you need stronger security (e.g., against DOS, connection
433highjacking, spoofing, etc.), have a look at the list of
434<xref linkend="postlfs-security-fw-library"/> at the end of this section.</para>
435
436</sect3>
437
438<sect3 id="postlfs-security-fw-busybox" xreflabel="BusyBox">
439<title>BusyBox</title>
440
441<para>This scenario isn't too different from (<xref linkend="postlfs-security-fw-masqRouter"/>),
442but in this case you want to offer some services to your intranet.
443Examples of this can be when you want to admin your box from another host
444on your intranet or use it as a proxy or a name server. Note: Outlining a true
445concept of how to protect a server that offers services on the Internet
446goes far beyond the scope of this document,
447see <xref linkend="postlfs-security-fw-disclaimer"/>.</para>
448
449<para>Be cautious. Every service you offer and have enabled makes your
450setup more complex and your box less secure. You induce the risks of
451misconfigured services or running a service with an exploitable bug. A firewall
452should generally not run any extra services. See the introduction to
453<xref linkend="postlfs-security-fw-masqRouter"/> for some more details.</para>
454
455<para>If the services you'd like to offer do not need to access the Internet
456themselves, like internal-only samba- or name-servers, it's quite
457simple and should still be acceptable from a security standpoint.
458Just add the following lines <emphasis>before</emphasis> the logging-rules
459into the script.</para>
460
461<screen>iptables -A INPUT -i ! ppp+ -j ACCEPT
462iptables -A OUTPUT -o ! ppp+ -j ACCEPT</screen>
463
464<para>If your daemons have to access the web themselves, like squid would need
465to, you could open OUTPUT generally and restrict INPUT.</para>
466
467<screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
468iptables -A OUTPUT -j ACCEPT</screen>
469
470<para>However, it is generally not advisable to leave OUTPUT unrestricted. You lose
471any control over trojans who'd like to "call home", and a bit of redundancy in case
472you've (mis-)configured a service so that it does broadcast its existence to the
473world.</para>
474
475<para>If you prefer to have this protection, you may restrict INPUT and OUTPUT
476on all ports except those that it's absolutely necessary to have open.
477Which ports you have to open depends on your needs: mostly you will find them
478by looking for failed accesses in your log-files.</para>
479<itemizedlist spacing="compact">
480<!-- <orderedlist numeration="arabic" spacing="compact"> -->
481<title>Have a look at the following examples:</title>
482
483<listitem><para>Squid is caching the web:</para>
484<screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
485iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT</screen></listitem>
486
487<listitem><para>Your caching name server (e.g., dnscache) does its
488lookups via udp:</para>
489<screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
490iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT</screen></listitem>
491
492<listitem><para>Alternatively, if you want to be able to ping your box to ensure
493it's still alive:</para>
494<screen>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
495iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</screen></listitem>
496
497<listitem><para><anchor id='postlfs-security-fw-BB-4' xreflabel="example no. 4"/>If you are
498frequently accessing ftp-servers or enjoy chatting, you might notice certain
499delays because some implementations of these daemons have the feature of
500querying an identd on your box for logging usernames.
501Although there's really no harm in this, having an identd running is not
502recommended because some implementations are known to be vulnerable.</para>
503
504<para>To avoid these delays you could reject the requests
505with a 'tcp-reset':</para>
506
507<screen>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
508iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen></listitem>
509
510<listitem><para>To log and drop invalid packets (harmless packets
511that came in after netfilter's timeout or some types of network scans):</para>
512
513<screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix \
514"FIREWALL:INVALID"
515iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></listitem>
516
517<listitem><para>Anything coming from the outside should not have a
518private address, this is a common attack called IP-spoofing:</para>
519
520<screen>iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8 -j DROP
521iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12 -j DROP
522iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP</screen></listitem>
523
524<listitem><para>To simplify debugging and be fair to anyone who'd like to
525access a service you have disabled, purposely or by mistake, you should REJECT
526those packets that are dropped.</para>
527
528<para>Obviously this must be done directly after logging as the very
529last lines before the packets are dropped by policy:</para>
530
531<screen>iptables -A INPUT -j REJECT
532iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT</screen></listitem>
533</itemizedlist>
534<!--</orderedlist>-->
535
536<para>These are only examples to show you some of the capabilities of the new
537firewall code in Linux-Kernel 2.4. Have a look at the man page of
538iptables.
539There you will find more of them. The port-numbers you'll need for this
540can be found in <filename>/etc/services</filename>, in case you didn't
541find them by trial and error in your log file.</para>
542
543<para>If you add any of your offered or accessed services such as the above,
544maybe even in FORWARD and for intranet-communication, and delete the
545general clauses, you get an old fashioned packet filter.</para>
546
547
548</sect3>
549
550</sect2>
551
552
553<sect2 id="postlfs-security-fw-finale" xreflabel="Conclusion">
554<title>Conclusion</title>
555
556<para>Finally, I'd like to remind you of one fact we must not forget:
557The effort spent attacking a system corresponds to the value the cracker
558expects to gain from it.
559If you are responsible for such valuable assets that you expect great
560effort to be made by potential crackers, you hopefully won't be in the
561need of this hint!</para>
562
563<!-- <para><literallayout>Be cautious!
564
565 Henning Rohde
566<email>Henning.Rohde@uni-bayreuth.de</email></literallayout></para>
567
568<para>PS: And always do remember:
569SecureIT is not a matter of a status-quo but one of never stopping
570to take care!</para>
571
572<para>PPS: If any of these scripts fail, please tell me. I will try to trace
573any faults.</para> -->
574
575</sect2>
576
577
578<sect2 id="postlfs-security-fw-extra" xreflabel="Extra Information">
579<title>Extra Information</title>
580
581<sect3 id="postlfs-security-fw-library" xreflabel="Links for further reading">
582<title>Where to start with further reading on firewalls.</title>
583
584<para><blockquote><literallayout>
585<ulink url="http://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables project</ulink>
586<ulink url="http://www.netfilter.org/documentation/FAQ/netfilter-faq.html">Netfilter related FAQ</ulink>
587<ulink url="http://www.netfilter.org/documentation/index.html#HOWTO">Netfilter related HOWTO's</ulink>
588<ulink url="http://en.tldp.org/LDP/nag2/x-087-2-firewall.html">en.tldp.org/LDP/nag2/x-087-2-firewall.html</ulink>
589<ulink url="http://en.tldp.org/HOWTO/Security-HOWTO.html">en.tldp.org/HOWTO/Security-HOWTO.html</ulink>
590<ulink url="http://en.tldp.org/HOWTO/Firewall-HOWTO.html">en.tldp.org/HOWTO/Firewall-HOWTO.html</ulink>
591<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire.html">www.ibm.com/developerworks/security/library/s-fire.html</ulink>
592<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire2.html">www.ibm.com/developerworks/security/library/s-fire2.html</ulink>
593<ulink url="http://www.interhack.net/pubs/fw-faq/">www.interhack.net/pubs/fw-faq/</ulink>
594<ulink url="http://www.linuxsecurity.com/docs/">www.linuxsecurity.com/docs/</ulink>
595<ulink url="http://www.little-idiot.de/firewall">www.little-idiot.de/firewall (German &amp; outdated, but very comprehensive)</ulink>
596<ulink url="http://www.linuxgazette.com/issue65/stumpel.html">www.linuxgazette.com/issue65/stumpel.html</ulink>
597<ulink url="http://linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html">linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html</ulink>
598<ulink url="http://staff.washington.edu/dittrich/misc/ddos">staff.washington.edu/dittrich/misc/ddos</ulink>
599<ulink url="http://www.e-infomax.com/ipmasq">www.e-infomax.com/ipmasq</ulink>
600<ulink url="http://www.circlemud.org/~jelson/writings/security/index.htm">www.circlemud.org/~jelson/writings/security/index.htm</ulink>
601<ulink url="http://www.securityfocus.com">www.securityfocus.com</ulink>
602<ulink url="http://www.cert.org/tech_tips/">www.cert.org - tech_tips</ulink>
603<ulink url="http://security.ittoolbox.com/">security.ittoolbox.com</ulink>
604<ulink url="http://www.linux-firewall-tools.com/linux/">www.linux-firewall-tools.com/linux/</ulink>
605<ulink url="http://logi.cc/linux/athome-firewall.php3">logi.cc/linux/athome-firewall.php3</ulink>
606<ulink url="http://www.insecure.org/reading.html">www.insecure.org/reading.html</ulink>
607<ulink url="http://www.robertgraham.com/pubs/firewall-seen.html">www.robertgraham.com/pubs/firewall-seen.html</ulink>
608</literallayout></blockquote></para>
609
610<!-- <para>If a link proves to be dead or if you think I missed one,
611please mail!</para> -->
612
613</sect3>
614
615<sect3 id="postlfs-security-fw-status" xreflabel="/etc/rc.d/init.d/firewall.status">
616<title>firewall.status</title>
617
618<para>If you'd like to have a look at the chains your firewall consists of and
619the order in which the rules take effect:</para>
620
621<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall.status &lt;&lt; "EOF"</command>
622#!/bin/sh
623
624# Begin $rc_base/init.d/firewall.status
625
626echo "iptables.mangling:"
627iptables -t mangle -v -L -n --line-numbers
628
629echo
630echo "iptables.nat:"
631iptables -t nat -v -L -n --line-numbers
632
633echo
634echo "iptables.filter:"
635iptables -v -L -n --line-numbers
636<command>EOF</command></userinput></screen>
637</sect3>
638
639<sect3 id="postlfs-security-fw-stop" xreflabel="/etc/rc.d/init.d/firewall.stop">
640<title>firewall.stop</title>
641
642<para>If you need to turn the firewall off, this script will do it:</para>
643
644<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall.stop &lt;&lt; "EOF"</command>
645#!/bin/sh
646
647# Being $rc_base/init.d/firewall.stop
648
649# deactivate IP-Forwarding
650echo 0 > /proc/sys/net/ipv4/ip_forward
651
652iptables -Z
653iptables -F
654iptables -t nat -F PREROUTING
655iptables -t nat -F OUTPUT
656iptables -t nat -F POSTROUTING
657iptables -t mangle -F PREROUTING
658iptables -t mangle -F OUTPUT
659iptables -X
660iptables -P INPUT ACCEPT
661iptables -P FORWARD ACCEPT
662iptables -P OUTPUT ACCEPT
663<command>EOF</command></userinput></screen>
664
665</sect3>
666
667</sect2>
668</sect1>
669
Note: See TracBrowser for help on using the repository browser.