source: postlfs/security/firewalling.xml@ bfb7882

10.0 10.1 11.0 6.1 6.2 6.2.0 6.2.0-rc1 6.2.0-rc2 6.3 6.3-rc1 6.3-rc2 6.3-rc3 7.10 7.4 7.5 7.6 7.6-blfs 7.6-systemd 7.7 7.8 7.9 8.0 8.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind gnome kde5-13430 kde5-14269 kde5-14686 ken/refactor-virt krejzi/svn lazarus nosym perl-modules qt5new systemd-11177 systemd-13485 trunk xry111/git-date xry111/git-date-for-trunk xry111/git-date-test
Last change on this file since bfb7882 was bfb7882, checked in by Tushar Teredesai <tushar@…>, 16 years ago

More typo fixes

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@4841 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 24.2 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
3 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6]>
7
8<sect1 id="fw-firewall" xreflabel="Firewalling">
9 <?dbhtml filename="firewall.html"?>
10
11 <sect1info>
12 <othername>$LastChangedBy$</othername>
13 <date>$Date$</date>
14 </sect1info>
15
16 <title>Setting Up a Network Firewall</title>
17
18 <para>Before you read this part of the chapter, you should have
19 already installed iptables as described in the previous section.</para>
20
21 <sect2 id="fw-intro" xreflabel="Firewalling Introduction">
22 <title>Introduction to Firewall Creation</title>
23
24 <para>The general purpose of a firewall is to protect a computer or
25 a network against malicious access.</para>
26
27 <para>In a perfect world, every daemon or service on every machine
28 is perfectly configured and immune to flaws such as buffer overflows
29 or other problems regarding its security. Furthermore, you trust
30 every user accessing your services. In this world, you do not need
31 to have a firewall.</para>
32
33 <para>In the real world however, daemons may be misconfigured and
34 exploits against essential services are freely available. You may
35 wish to choose which services are accessible by certain machines or
36 you may wish to limit which machines or applications are allowed
37 external access. Alternatively, you may simply not trust some of
38 your applications or users. You are probably connected to the
39 Internet. In this world, a firewall is essential.</para>
40
41 <para>Don't assume however, that having a firewall makes careful
42 configuration redundant, or that it makes any negligent
43 misconfiguration harmless. It doesn't prevent anyone from exploiting
44 a service you intentionally offer but haven't recently updated or
45 patched after an exploit went public. Despite having a firewall, you
46 need to keep applications and daemons on your system properly
47 configured and up to date. A firewall is not a cure all, but should
48 be an essential part of your overall security strategy.</para>
49
50 </sect2>
51
52 <sect2>
53 <title>Meaning of the Word "Firewall"</title>
54
55 <para>The word firewall can have several different meanings.</para>
56
57 <sect3>
58 <title><xref linkend="fw-persFw"/></title>
59
60 <para>This is a hardware device or software program commercially sold (or
61 offered via freeware) by companies such as Symantec which claims that
62 it secures a home or desktop computer connected to the Internet. This
63 type of firewall is highly relevant for users who do not know how their
64 computers might be accessed via the Internet or how to disable
65 that access, especially if they are always online and connected
66 via broadband links.</para>
67
68 </sect3>
69
70 <sect3>
71 <title><xref linkend="fw-masqRouter"/></title>
72
73 <para>This is a system placed between the Internet and an intranet.
74 To minimize the risk of compromising the firewall itself, it should
75 generally have only one role&mdash;that of protecting the intranet.
76 Although not completely risk free, the tasks of doing the routing and
77 IP masquerading (rewriting IP headers of the packets it routes from
78 clients with private IP addresses onto the Internet so that they seem
79 to come from the firewall itself) are commonly considered relatively
80 secure.</para>
81
82 </sect3>
83
84 <sect3>
85 <title><xref linkend="fw-busybox"/></title>
86
87 <para>This is often an old computer you may have retired and nearly
88 forgotten, performing masquerading or routing functions, but offering
89 non-firewall services such as a web-cache or mail. This may be used
90 for home networks, but is not to be considered as secure as a firewall
91 only machine because the combination of server and router/firewall on
92 one machine raises the complexity of the setup.</para>
93
94 </sect3>
95
96 <sect3>
97 <title>Firewall with a Demilitarized Zone [Not Further
98 Described Here]</title>
99
100 <para>This box performs masquerading or routing, but grants public
101 access to some branch of your network which, because of public IPs
102 and a physically separated structure, is essentially a separate
103 network with direct Internet access. The servers on this network are
104 those which must be easily accessible from both the Internet and
105 intranet. The firewall protects both networks. This type of firewall
106 has a minimum of three network interfaces.</para>
107
108 </sect3>
109
110 <sect3>
111 <title>Packetfilter</title>
112
113 <para>This type of firewall does routing or masquerading, but does
114 not maintain a state table of ongoing communication streams. It is
115 fast, but quite limited in its ability to block undesired packets
116 without blocking desired packets.</para>
117
118 </sect3>
119
120 </sect2>
121
122 <sect2 id="fw-writing" xreflabel="writing the firewalling-setup-scripts">
123 <title>Now You Can Start to Build your Firewall</title>
124
125 <caution>
126 <para>This introduction on how to setup a firewall is not a
127 complete guide to securing systems. Firewalling is a complex
128 issue that requires careful configuration. The scripts quoted
129 here are simply intended to give examples of how a firewall
130 works. They are not intended to fit into any particular
131 configuration and may not provide complete protection from
132 an attack.</para>
133
134 <para>Customization of these scripts for your specific situation
135 will be necessary for an optimal configuration, but you should
136 make a serious study of the iptables documentation and creating
137 firewalls in general before hacking away. Have a look at the
138 list of <xref linkend="fw-library"/> at the end of this section for
139 more details. There you will find a list of URLs that contain quite
140 comprehensive information about building your own firewall.</para>
141 </caution>
142
143 <para>The firewall configuration script installed in the iptables section
144 differs from the standard configuration script. It only has two of
145 the standard targets: start and status. The other targets are clear
146 and lock. For instance if you issue:</para>
147
148<screen role="root"><userinput>/etc/rc.d/init.d/iptables start</userinput></screen>
149
150 <para>the firewall will be restarted just as it is upon system startup.
151 The status target will present a list of all currently implemented
152 rules. The clear target turns off all firewall rules and the lock
153 target will block all packets in and out of the computer with the
154 exception of the loopback interface.</para>
155
156 <para>The main startup firewall is located in the file
157 <filename>/etc/rc.d/rc.iptables</filename>. The sections below provide
158 three different approaches that can be used for a system.</para>
159
160 <note>
161 <para>You should always run your firewall rules from a script.
162 This ensures consistency and a record of what was done. It also
163 allows retention of comments that are essential for understanding
164 the rules long after they were written.</para>
165 </note>
166
167 <sect3 id="fw-persFw" xreflabel="Personal Firewall">
168 <title>Personal Firewall</title>
169
170 <para>A Personal Firewall is designed to let you access all the
171 services offered on the Internet, but keep your box secure and
172 your data private.</para>
173
174 <para>Below is a slightly modified version of Rusty Russell's
175 recommendation from the <ulink
176 url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">
177 Linux 2.4 Packet Filtering HOWTO</ulink>. It is still applicable
178 to the Linux 2.6 kernels.</para>
179
180<screen role="root"><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
181<literal>#!/bin/sh
182
183# Begin $rc_base/rc.iptables
184
185# Insert connection-tracking modules
186# (not needed if built into the kernel)
187modprobe ip_tables
188modprobe iptable_filter
189modprobe ip_conntrack
190modprobe ip_conntrack_ftp
191modprobe ipt_state
192modprobe ipt_LOG
193
194# Enable broadcast echo Protection
195echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
196
197# Disable Source Routed Packets
198echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
199
200# Enable TCP SYN Cookie Protection
201echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
202
203# Disable ICMP Redirect Acceptance
204echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects
205
206# Don¹t send Redirect Messages
207echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
208
209# Drop Spoofed Packets coming in on an interface, where responses
210# would result in the reply going out a different interface.
211echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
212
213# Log packets with impossible addresses.
214echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
215
216# be verbose on dynamic ip-addresses (not needed in case of static IP)
217echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
218
219# disable Explicit Congestion Notification
220# too many routers are still ignorant
221echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
222
223# Set a known state
224iptables -P INPUT DROP
225iptables -P FORWARD DROP
226iptables -P OUTPUT DROP
227
228# These lines are here in case rules are already in place and the
229# script is ever rerun on the fly. We want to remove all rules and
230# pre-existing user defined chains before we implement new rules.
231iptables -F
232iptables -X
233iptables -Z
234
235iptables -t nat -F
236
237# Allow local-only connections
238iptables -A INPUT -i lo -j ACCEPT
239
240# Free output on any interface to any ip for any service
241# (equal to -P ACCEPT)
242iptables -A OUTPUT -j ACCEPT
243
244# Permit answers on already established connections
245# and permit new connections related to established ones
246# (e.g. port mode ftp)
247iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
248
249# Log everything else. What's Windows' latest exploitable vulnerability?
250iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
251
252# End $rc_base/rc.iptables</literal>
253EOF
254chmod 700 /etc/rc.d/rc.iptables</userinput></screen>
255
256 <para>This script is quite simple, it drops all traffic coming
257 into your computer that wasn't initiated from your computer, but
258 as long as you are simply surfing the Internet you are unlikely
259 to exceed its limits.</para>
260
261 <para>If you frequently encounter certain delays at accessing
262 FTP servers, take a look at <xref linkend="fw-BB-4"/>.</para>
263
264 <para>Even if you have daemons or services running on your system,
265 these will be inaccessible everywhere but from your computer itself.
266 If you want to allow access to services on your machine, such as
267 <command>ssh</command> or <command>ping</command>, take a look at
268 <xref linkend="fw-busybox"/>.</para>
269
270 </sect3>
271
272 <sect3 id="fw-masqRouter" xreflabel="Masquerading Router">
273 <title>Masquerading Router</title>
274
275 <para>A true Firewall has two interfaces, one connected to an
276 intranet, in this example <emphasis role="strong">eth0</emphasis>,
277 and one connected to the Internet, here <emphasis
278 role="strong">ppp0</emphasis>. To provide the maximum security
279 for the firewall itself, make sure that there are no unnecessary
280 servers running on it such as <application>X11</application> et
281 al. As a general principle, the firewall itself should not access
282 any untrusted service (think of a remote server giving answers that
283 makes a daemon on your system crash, or even worse, that implements
284 a worm via a buffer-overflow).</para>
285
286<screen role="root"><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
287<literal>#!/bin/sh
288
289# Begin $rc_base/rc.iptables
290
291echo
292echo "You're using the example configuration for a setup of a firewall"
293echo "from Beyond Linux From Scratch."
294echo "This example is far from being complete, it is only meant"
295echo "to be a reference."
296echo "Firewall security is a complex issue, that exceeds the scope"
297echo "of the configuration rules below."
298echo "You can find additional information"
299echo "about firewalls in Chapter 4 of the BLFS book."
300echo "http://www.linuxfromscratch.org/blfs"
301echo
302
303# Insert iptables modules (not needed if built into the kernel).
304
305modprobe ip_tables
306modprobe iptable_filter
307modprobe ip_conntrack
308modprobe ip_conntrack_ftp
309modprobe ipt_state
310modprobe iptable_nat
311modprobe ip_nat_ftp
312modprobe ipt_MASQUERADE
313modprobe ipt_LOG
314modprobe ipt_REJECT
315
316# Enable broadcast echo Protection
317echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
318
319# Disable Source Routed Packets
320echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
321
322# Enable TCP SYN Cookie Protection
323echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
324
325# Disable ICMP Redirect Acceptance
326echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects
327
328# Don¹t send Redirect Messages
329echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
330
331# Drop Spoofed Packets coming in on an interface where responses
332# would result in the reply going out a different interface.
333echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
334
335# Log packets with impossible addresses.
336echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
337
338# Be verbose on dynamic ip-addresses (not needed in case of static IP)
339echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
340
341# Disable Explicit Congestion Notification
342# Too many routers are still ignorant
343echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
344
345# Set a known state
346iptables -P INPUT DROP
347iptables -P FORWARD DROP
348iptables -P OUTPUT DROP
349
350# These lines are here in case rules are already in place and the
351# script is ever rerun on the fly. We want to remove all rules and
352# pre-existing user defined chains before we implement new rules.
353iptables -F
354iptables -X
355iptables -Z
356
357iptables -t nat -F
358
359# Allow local connections
360iptables -A INPUT -i lo -j ACCEPT
361iptables -A OUTPUT -o lo -j ACCEPT
362
363# Allow forwarding if the initiated on the intranet
364iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
365iptables -A FORWARD -i ! ppp+ -m state --state NEW -j ACCEPT
366
367# Do masquerading
368# (not needed if intranet is not using private ip-addresses)
369iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
370
371# Log everything for debugging
372# (last of all rules, but before policy rules)
373iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
374iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
375iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "
376
377# Enable IP Forwarding
378echo 1 &gt; /proc/sys/net/ipv4/ip_forward</literal>
379EOF
380chmod 700 /etc/rc.d/rc.iptables</userinput></screen>
381
382 <para>With this script your intranet should be reasonably secure
383 against external attacks. No one should be able to setup a new
384 connection to any internal service and, if it's masqueraded,
385 makes your intranet invisible to the Internet. Furthermore, your
386 firewall should be relatively safe because there are no services
387 running that a cracker could attack.</para>
388
389 <note>
390 <para>If the interface you're connecting to the Internet
391 doesn't connect via PPP, you will need to change
392 <replaceable>ppp+</replaceable> to the name of the interface
393 (e.g., <emphasis role="strong">eth1</emphasis>) which you are
394 using.</para>
395 </note>
396
397 </sect3>
398
399 <sect3 id="fw-busybox" xreflabel="BusyBox">
400 <title>BusyBox</title>
401
402 <para>This scenario isn't too different from the <xref
403 linkend="fw-masqRouter"/>, but additionally offers some
404 services to your intranet. Examples of this can be when
405 you want to administer your firewall from another host on
406 your intranet or use it as a proxy or a name server.</para>
407
408 <note>
409 <para>Outlining a true concept of how to protect a server that
410 offers services on the Internet goes far beyond the scope of
411 this document. See the references at the end of this section
412 for more information.</para>
413 </note>
414
415 <para>Be cautious. Every service you have enabled makes your
416 setup more complex and your firewall less secure. You are
417 exposed to the risks of misconfigured services or running
418 a service with an exploitable bug. A firewall should generally
419 not run any extra services. See the introduction to the
420 <xref linkend="fw-masqRouter"/> for some more details.</para>
421
422 <para>If you want to add services such as internal Samba or
423 name servers that do not need to access the Internet themselves,
424 the additional statements are quite simple and should still be
425 acceptable from a security standpoint. Just add the following lines
426 into the script <emphasis>before</emphasis> the logging rules.</para>
427
428<screen><literal>iptables -A INPUT -i ! ppp+ -j ACCEPT
429iptables -A OUTPUT -o ! ppp+ -j ACCEPT</literal></screen>
430
431 <para>If daemons, such as squid, have to access the Internet
432 themselves, you could open OUTPUT generally and restrict
433 INPUT.</para>
434
435<screen><literal>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
436iptables -A OUTPUT -j ACCEPT</literal></screen>
437
438 <para>However, it is generally not advisable to leave OUTPUT
439 unrestricted. You lose any control over trojans who would like
440 to "call home", and a bit of redundancy in case you've
441 (mis-)configured a service so that it broadcasts its existence
442 to the world.</para>
443
444 <para>To accomplish this, you should restrict INPUT and OUTPUT
445 on all ports except those that it's absolutely necessary to have
446 open. Which ports you have to open depends on your needs: mostly
447 you will find them by looking for failed accesses in your log
448 files.</para>
449
450 <itemizedlist spacing="compact" role='iptables'>
451 <title>Have a Look at the Following Examples:</title>
452 <listitem>
453 <para>Squid is caching the web:</para>
454
455<screen><literal>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
456iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED \
457 -j ACCEPT</literal></screen>
458
459 </listitem>
460 <listitem>
461 <para>Your caching name server (e.g., named) does its
462 lookups via UDP:</para>
463
464<screen><literal>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</literal></screen>
465
466 </listitem>
467 <listitem>
468 <para>You want to be able to ping your computer to
469 ensure it's still alive:</para>
470
471<screen><literal>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
472iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</literal></screen>
473
474 </listitem>
475 <listitem>
476 <para><anchor id='fw-BB-4' xreflabel="BusyBox example number 4"/>If
477 you are frequently accessing FTP servers or enjoy chatting, you might
478 notice certain delays because some implementations of these daemons
479 have the feature of querying an identd on your system to obtain
480 usernames. Although there's really little harm in this, having an
481 identd running is not recommended because many security experts feel
482 the service gives out too much additional information.</para>
483
484 <para>To avoid these delays you could reject the requests
485 with a 'tcp-reset':</para>
486
487<screen><literal>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset</literal></screen>
488
489 </listitem>
490 <listitem>
491 <para>To log and drop invalid packets (packets
492 that came in after netfilter's timeout or some types of
493 network scans):</para>
494
495<screen><literal>iptables -I INPUT -p tcp -m state --state INVALID \
496 -j LOG --log-prefix "FIREWALL:INVALID"
497iptables -I INPUT -p tcp -m state --state INVALID -j DROP</literal></screen>
498
499 </listitem>
500 <listitem>
501 <para>Anything coming from the outside should not have a
502 private address, this is a common attack called IP-spoofing:</para>
503
504<screen><literal>iptables -A INPUT -i ppp+ -s 10.0.0.0/8 -j DROP
505iptables -A INPUT -i ppp+ -s 172.16.0.0/12 -j DROP
506iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP</literal></screen>
507
508 <para>There are other addresses that you may also want to
509 drop: 0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3 (multicast and
510 experimental), 169.254.0.0/16 (Link Local Networks), and
511 192.0.2.0/24 (IANA defined test network).</para>
512 </listitem>
513 <listitem>
514 <para>If your firewall is a DHCP client, you need to allow
515 those packets:</para>
516
517<screen><literal>iptables -A INPUT -i ppp0 -p udp -s 0.0.0.0 --sport 67 \
518 -d 255.255.255.255 --dport 68 -j ACCEPT</literal></screen>
519
520 </listitem>
521 <listitem>
522 <para>To simplify debugging and be fair to anyone who'd like
523 to access a service you have disabled, purposely or by mistake,
524 you could REJECT those packets that are dropped.</para>
525
526 <para>Obviously this must be done directly after logging as the very
527 last lines before the packets are dropped by policy:</para>
528
529<screen><literal>iptables -A INPUT -j REJECT</literal></screen>
530
531 </listitem>
532 </itemizedlist>
533
534 <para>These are only examples to show you some of the capabilities
535 of the firewall code in Linux. Have a look at the man page of iptables.
536 There you will find much more information. The port numbers needed for
537 this can be found in <filename>/etc/services</filename>, in case you
538 didn't find them by trial and error in your log file.</para>
539
540 </sect3>
541
542 </sect2>
543
544 <sect2 id="fw-finale" xreflabel="Conclusion">
545 <title>Conclusion</title>
546
547 <para>Finally, there is one fact you must not forget: The effort spent
548 attacking a system corresponds to the value the cracker expects to gain
549 from it. If you are responsible for valuable information, you need to
550 spend the time to protect it properly.</para>
551
552 </sect2>
553
554 <sect2 id="postlfs-security-fw-extra" xreflabel="Extra Information">
555 <title>Extra Information</title>
556
557 <sect3 id="fw-library" xreflabel="links for further reading">
558 <title>Where to Start with Further Reading on Firewalls</title>
559
560 <blockquote>
561 <literallayout>
562<ulink url="http://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables project</ulink>
563<ulink url="http://www.netfilter.org/documentation/FAQ/netfilter-faq.html">Netfilter related FAQ</ulink>
564<ulink url="http://www.netfilter.org/documentation/index.html#HOWTO">Netfilter related HOWTO's</ulink>
565<ulink url="http://en.tldp.org/LDP/nag2/x-087-2-firewall.html">en.tldp.org/LDP/nag2/x-087-2-firewall.html</ulink>
566<ulink url="http://en.tldp.org/HOWTO/Security-HOWTO.html">en.tldp.org/HOWTO/Security-HOWTO.html</ulink>
567<ulink url="http://en.tldp.org/HOWTO/Firewall-HOWTO.html">en.tldp.org/HOWTO/Firewall-HOWTO.html</ulink>
568<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire.html">www.ibm.com/developerworks/security/library/s-fire.html</ulink>
569<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire2.html">www.ibm.com/developerworks/security/library/s-fire2.html</ulink>
570<ulink url="http://www.interhack.net/pubs/fw-faq/">www.interhack.net/pubs/fw-faq/</ulink>
571<ulink url="http://www.linuxsecurity.com/docs/">www.linuxsecurity.com/docs/</ulink>
572<ulink url="http://www.little-idiot.de/firewall">www.little-idiot.de/firewall (German &amp; outdated, but very comprehensive)</ulink>
573<ulink url="http://www.linuxgazette.com/issue65/stumpel.html">www.linuxgazette.com/issue65/stumpel.html</ulink>
574<ulink url="http://linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html">linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html</ulink>
575<ulink url="http://staff.washington.edu/dittrich/misc/ddos">staff.washington.edu/dittrich/misc/ddos</ulink>
576<ulink url="http://www.e-infomax.com/ipmasq">www.e-infomax.com/ipmasq</ulink>
577<ulink url="http://www.circlemud.org/~jelson/writings/security/index.htm">www.circlemud.org/~jelson/writings/security/index.htm</ulink>
578<ulink url="http://www.securityfocus.com">www.securityfocus.com</ulink>
579<ulink url="http://www.cert.org/tech_tips/">www.cert.org - tech_tips</ulink>
580<ulink url="http://security.ittoolbox.com/">security.ittoolbox.com</ulink>
581<ulink url="http://www.linux-firewall-tools.com/linux/">www.linux-firewall-tools.com/linux/</ulink>
582<ulink url="http://logi.cc/linux/athome-firewall.php3">logi.cc/linux/athome-firewall.php3</ulink>
583<ulink url="http://www.insecure.org/reading.html">www.insecure.org/reading.html</ulink>
584<ulink url="http://www.robertgraham.com/pubs/firewall-seen.html">www.robertgraham.com/pubs/firewall-seen.html</ulink>
585 </literallayout>
586 </blockquote>
587
588 </sect3>
589
590 </sect2>
591
592</sect1>
Note: See TracBrowser for help on using the repository browser.