source: postlfs/security/firewalling.xml@ dd362e5

10.0 10.1 11.0 6.0 6.1 6.2 6.2.0 6.2.0-rc1 6.2.0-rc2 6.3 6.3-rc1 6.3-rc2 6.3-rc3 7.10 7.4 7.5 7.6 7.6-blfs 7.6-systemd 7.7 7.8 7.9 8.0 8.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind gnome kde5-13430 kde5-14269 kde5-14686 ken/refactor-virt krejzi/svn lazarus nosym perl-modules qt5new systemd-11177 systemd-13485 trunk xry111/git-date xry111/git-date-for-trunk xry111/git-date-test
Last change on this file since dd362e5 was dd362e5, checked in by Randy McMurchy <randy@…>, 17 years ago

Fixed instructions in the first 110 pages of the PDF version so that line lengths don't exceed the viewable area

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@3272 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 26.4 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
3 "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6]>
7
8<sect1 id="fw-firewall" xreflabel="Firewalling">
9<sect1info>
10<othername>$LastChangedBy$</othername>
11<date>$Date$</date>
12</sect1info>
13<?dbhtml filename="firewall.html"?>
14<title>Setting up a network firewall</title>
15
16<para>Before you read this part of the chapter, note that we assume that you
17have already installed iptables as described in the previous section.</para>
18
19<sect2 id="fw-intro" xreflabel="Firewalling Introduction">
20<title>Introduction to Firewall Creation</title>
21
22<para>The general purpose of a firewall is to protect a network
23against malicious access by using a single machine as a firewall.
24This does imply that the firewall is to be considered a single point
25of failure, but it can make the administrator's life a lot easier.</para>
26
27<para>In a perfect world where you knew that every daemon or service
28on every machine was perfectly configured and was immune to, e.g.,
29buffer-overflows and any other imaginable problem regarding its
30security, and where you trusted every user accessing your services
31to aim no harm, you wouldn't need to have a firewall!
32In the real world however, daemons may be misconfigured,
33exploits against essential services are freely available, you
34may wish to choose which services are accessible by certain machines,
35you may wish to limit which machines or applications are allowed
36to have Internet access, or you may simply not trust some of your
37apps or users. In these situations you might benefit by using a
38firewall.</para>
39
40<para>Don't assume however, that having a firewall makes careful
41configuration redundant, or that it makes any negligent
42misconfiguration harmless. It also doesn't prevent anyone from exploiting a
43service you intentionally offer but haven't recently updated or patched
44after an exploit went public. Despite having a firewall, you need to
45keep applications and daemons on your system well-configured and
46up-to-date; a firewall is not a cure-all!</para>
47
48</sect2>
49
50<sect2>
51<title>Meaning of the word firewall.</title>
52
53<para>The word firewall can have several different meanings.</para>
54
55<sect3><title><xref linkend="fw-persFw"/></title>
56
57<para>This is a setup or program, for Windows commercially sold by
58companies such as Symantec, of which they claim or pretend that it
59secures a home or desktop-pc with Internet access. This topic is
60highly relevant for users who do not know the methods their computers
61might be accessed via the Internet or how to disable them,
62especially if they are always online and connected via
63broadband links.</para></sect3>
64
65<sect3><title><xref linkend="fw-masqRouter"/></title>
66<para>This is a box placed between the Internet and an intranet.
67To minimize the risk of compromising the firewall itself it
68should generally have only one role, that of protecting the intranet.
69Although not completely risk free, the tasks of doing the routing
70and eventually IP masquerading (rewriting IP-headers
71of the packets it routes from clients with private IP-addresses onto
72the Internet so that they seem to come from the firewall
73itself) are commonly considered harmless.</para></sect3>
74
75<sect3><title><xref linkend="fw-busybox"/></title>
76<para>This is often an old box you may have retired and nearly forgotten,
77performing masquerading or routing functions, but offering a bunch of
78services, e.g., web-cache, mail, etc. This may be very commonly used
79for home networks, but can definitely not be considered as secure
80anymore because the combining of server and router on one machine raises
81the complexity of the setup.</para></sect3>
82
83<sect3><title>Firewall with a demilitarized zone [not further described
84here]</title>
85<para>This box performs masquerading or routing, but grants public access to
86some branch of your network which, because of public IP's and a physically
87separated structure, is neither considered to be part of the inter- nor
88intranet. These servers are those which must be easily accessible
89from both the inter- and intranet. The firewall protects
90them all.</para></sect3>
91
92<sect3><title>Packetfilter / partly accessible net [partly described
93here, see <xref linkend="fw-busybox"/>]</title>
94<para>Doing routing or masquerading, but permitting only selected
95services to be accessible, sometimes only by selected internal users or boxes;
96mostly used in highly secure business contexts, sometimes by distrusting
97employers. This was the common configuration of a firewall at the time of
98the Linux 2.2 kernel. It's still possible to configure a firewall this way,
99but it makes the rules quite complex and lengthy.</para></sect3>
100
101</sect2>
102
103<sect2 id="postlfs-security-fw-disclaimer" xreflabel="Disclaimer">
104<title>Disclaimer</title>
105
106<!-- <para><emphasis>NEITHER THE AUTHOR NOR ANY OF THE LINUXFROMSCRATCH TEAM
107ARE RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THIS
108DOCUMENT.</emphasis></para> -->
109
110<para>This document is meant as an introduction to how to setup a firewall. It
111is not a complete guide to securing systems. Firewalling is a complex issue
112that requires careful configuration. The scripts quoted here are simply
113intended to give examples as to how a firewall works, they are not intended to
114fit into any imaginable configuration and may not prevent any imaginable
115attack.</para>
116
117<para>The purpose of this text is simply to give you a hint on how to get
118started with a firewall.</para>
119
120<para>Customization of these scripts for your specific situation will
121be necessary for an optimal configuration, but you should make a serious
122study of the iptables documentation and creating firewalls in general before
123hacking away. Have a look at the list of
124<xref linkend="fw-library"/> at the end of this section for
125more details. Here you will find a list of URLs that contain quite
126comprehensive information about building your own firewall.</para>
127
128</sect2>
129
130<sect2 id="fw-kernel" xreflabel="getting a firewalling-enabled Kernel">
131<title>Getting a firewall enabled Kernel</title>
132
133<para>If you want your Linux-Box to have a firewall, you must first ensure
134that your kernel has been compiled with the relevant options turned on.
135<!-- <footnote><para>If you needed assistance how to configure, compile and
136install a new kernel, refer back to chapter VIII of the LinuxFromScratch book,
137<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html">
138Installing a kernel</ulink> and eventually
139<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html">
140Making the LFS system bootable</ulink>; note, that you'll need to reboot
141to actually run your new kernel.</para></footnote>-->
142</para>
143
144<para>How to configure your kernel, with enabling the options to be
145either compiled into the kernel or as modules, depends on your personal
146preferences and experience. Note, that for the quoted scripts it is assumed
147that the modules need to be loaded at first.</para>
148
149<screen>Network options menu
150 Network packet filtering: Y
151 Unix domain sockets: Y or M
152 TCP/IP networking: Y
153 IP: advanced router: Y
154 IP: verbose route monitoring: Y
155 IP: TCP Explicit Congestion Notification support: Y
156 IP: TCP syncookie support: Y
157 IP: Netfilter Configuration menu
158 Every option except: Y or M
159 ipchains (2.2-style) support N
160 ipfwadm (2.0-style) support N
161 Fast switching: N</screen>
162
163<!--
164<table frame='none'>
165<title>Essential config-options for a firewall enabled Kernel</title>
166
167<tgroup cols='5'>
168<colspec colnum='1' colwidth='8*' align='center'/>
169<colspec colnum='2' colwidth='19*' align='left'/>
170<colspec colnum='3' colwidth='11*' align='center'/>
171<colspec colnum='4' colwidth='1*' align='center'/>
172<colspec colnum='5' colwidth='14*' align='left'/>
173
174<tbody>
175
176<row>
177<entry><emphasis><userinput>Networking options:</userinput></emphasis></entry>
178<entry><userinput>Network packet filtering</userinput></entry>
179<entry></entry>
180<entry>=</entry>
181<entry>CONFIG_NETFILTER</entry>
182</row>
183
184<row>
185<entry></entry>
186<entry><userinput>Unix domain sockets</userinput></entry>
187<entry></entry>
188<entry>=</entry>
189<entry>CONFIG_UNIX</entry>
190</row>
191
192<row>
193<entry></entry>
194<entry><userinput>IP: TCP/IP networking</userinput></entry>
195<entry></entry>
196<entry>=</entry>
197<entry>CONFIG_INET</entry>
198</row>
199
200<row>
201<entry></entry>
202<entry><userinput>IP: advanced router</userinput></entry>
203<entry></entry>
204<entry>=</entry>
205<entry>CONFIG_IP_ADVANCED_ROUTER</entry>
206</row>
207
208<row>
209<entry></entry>
210<entry><userinput>IP: verbose route monitoring</userinput></entry>
211<entry></entry>
212<entry>=</entry>
213<entry>CONFIG_IP_ROUTE_VERBOSE</entry>
214</row>
215
216<row>
217<entry></entry>
218<entry><userinput>IP: TCP Explicit Congestion Notification support</userinput></entry>
219<entry></entry>
220<entry>=</entry>
221<entry>CONFIG_INET_ECN</entry>
222</row>
223
224<row>
225<entry></entry>
226<entry><userinput>IP: TCP syncookie support</userinput></entry>
227<entry></entry>
228<entry>=</entry>
229<entry>CONFIG_SYN_COOKIES</entry>
230</row>
231
232<row>
233<entry></entry>
234<entry align='center'>
235<emphasis><userinput>IP: Netfilter Configuration:</userinput></emphasis></entry>
236<entry align='left'><userinput>every option</userinput></entry>
237<entry>=</entry>
238<entry>CONFIG_IP_NF_*</entry>
239</row>
240
241<row>
242<entry></entry>
243<entry align='right'><emphasis>WITHOUT:</emphasis></entry>
244<entry align='left'><literallayout><userinput>ipchains (2.2-style) support
245ipfw-adm (2.0-style) support</userinput></literallayout></entry>
246<entry>w\</entry>
247<entry>CONFIG_IP_NF_COMPAT_*</entry>
248</row>
249
250<row>
251<entry></entry>
252<entry><userinput>Fast switching</userinput></entry>
253<entry>Make sure to disable it because it would setup a bypass around
254your firewall rules.</entry>
255<entry>w\</entry>
256<entry>CONFIG_NET_FASTROUTE</entry>
257</row>
258
259</tbody>
260
261</tgroup>
262
263</table> -->
264
265</sect2>
266
267<sect2 id="fw-writing" xreflabel="writing the firewalling-setup-scripts">
268<title>Now you can start to build your Firewall</title>
269
270<sect3 id="fw-persFw" xreflabel="Personal Firewall">
271<title>Personal Firewall</title>
272
273<para>A Personal Firewall is supposed to let you access all the services
274offered on the Internet, but keep your box secure and your data private.</para>
275
276<para>Below is a slightly modified version of Rusty Russell's recommendation
277from the <ulink
278url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">
279Linux 2.4 Packet Filtering HOWTO</ulink>:</para>
280
281<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</command>
282#!/bin/sh
283
284# Begin $rc_base/init.d/firewall
285
286# Insert connection-tracking modules
287# (not needed if built into the kernel)
288modprobe ip_tables
289modprobe iptable_filter
290modprobe ip_conntrack
291modprobe ip_conntrack_ftp
292modprobe ipt_state
293modprobe ipt_LOG
294
295# allow local-only connections
296iptables -A INPUT -i lo -j ACCEPT
297
298# free output on any interface to any ip for any service
299# (equal to -P ACCEPT)
300iptables -A OUTPUT -j ACCEPT
301
302# permit answers on already established connections
303# and permit new connections related to established ones
304# (eg active-ftp)
305iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
306
307# Log everything else: What's Windows' latest exploitable vulnerability?
308iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
309
310# set a sane policy: everything not accepted &gt; /dev/null
311iptables -P INPUT DROP
312iptables -P FORWARD DROP
313iptables -P OUTPUT DROP
314
315# be verbose on dynamic ip-addresses (not needed in case of static IP)
316echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
317
318# disable ExplicitCongestionNotification
319# too many routers are still ignorant
320echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
321
322# End $rc_base/init.d/firewall
323<command>EOF</command></userinput></screen>
324
325<para>His script is quite simple, it drops all traffic coming in into your
326computer that wasn't initiated from your box, but as long as you are simply
327surfing the Internet you are unlikely to exceed its limits.</para>
328
329<para>If you frequently encounter certain delays at accessing ftp-servers,
330please have a look at <xref linkend="fw-busybox"/> -
331<xref linkend="fw-BB-4"/>.</para>
332
333<para>Even if you have daemons or services running on your box, these
334should be inaccessible everywhere but from your box itself.
335If you want to allow access to services on your machine, such as ssh or
336pinging, take a look at <xref linkend="fw-busybox"/>.</para>
337
338</sect3>
339
340
341<sect3 id="fw-masqRouter" xreflabel="Masquerading Router">
342<title>Masquerading Router</title>
343
344<para>A true Firewall has two interfaces, one connected to an intranet,
345in this example, <emphasis role="strong">eth0</emphasis>, and one
346connected to the Internet, here, <emphasis role="strong">ppp0</emphasis>.
347To provide the maximum security against the box itself being broken into,
348make sure that there are no servers running on it, especially not
349<application>X11</application> et
350al. And, as a general principle, the box itself should not access any
351untrusted service (Think of a name server giving answers that make your
352bind crash, or, even worse, that implement a worm via a
353buffer-overflow).</para>
354
355<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</command>
356#!/bin/sh
357
358# Begin $rc_base/init.d/firewall
359
360echo
361echo "You're using the example-config for a setup of a firewall"
362echo "from the firewalling-hint written for LinuxFromScratch."
363echo "This example is far from being complete, it is only meant"
364echo "to be a reference."
365echo "Firewall security is a complex issue, that exceeds the scope"
366echo "of the quoted configuration rules."
367echo "You can find some quite comprehensive information"
368echo "about firewalls in Chapter 4 of the BLFS book."
369echo "http://www.linuxfromscratch.org/blfs"
370echo
371
372# Insert iptables modules (not needed if built into the kernel).
373
374modprobe ip_tables
375modprobe iptable_filter
376modprobe ip_conntrack
377modprobe ip_conntrack_ftp
378modprobe ipt_state
379modprobe iptable_nat
380modprobe ip_nat_ftp
381modprobe ipt_MASQUERADE
382modprobe ipt_LOG
383modprobe ipt_REJECT
384
385# allow local-only connections
386iptables -A INPUT -i lo -j ACCEPT
387iptables -A OUTPUT -o lo -j ACCEPT
388
389# allow forwarding
390iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
391iptables -A FORWARD -m state --state NEW -i ! ppp+ -j ACCEPT
392
393# do masquerading
394# (not needed if intranet is not using private ip-addresses)
395iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
396
397# Log everything for debugging
398# (last of all rules, but before DROP/REJECT)
399iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
400iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
401iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "
402
403# set a sane policy
404iptables -P INPUT DROP
405iptables -P FORWARD DROP
406iptables -P OUTPUT DROP
407
408# be verbose on dynamic ip-addresses
409# (not needed in case of static IP)
410echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
411
412# disable ExplicitCongestionNotification
413echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
414
415# activate TCPsyncookies
416echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
417
418# activate Route-Verification = IP-Spoofing_protection
419for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
420 echo 1 &gt; $f
421done
422
423# activate IP-Forwarding
424echo 1 &gt; /proc/sys/net/ipv4/ip_forward
425<command>EOF</command></userinput></screen>
426
427<para>With this script your intranet should be sufficiently secure against
428external attacks. No one should be able to setup a new connection to any
429internal service and, if it's masqueraded, it's even invisible. Furthermore,
430your firewall should be nearly immune because there are no services running
431that a cracker could attack.</para>
432
433<para>Note: if the interface you're connecting to the Internet
434doesn't connect via ppp, you will need to change
435<replaceable>ppp+</replaceable> to the name of the interface which you are
436using. If you are using the same interface type to connect to both your
437intranet and the Internet, you need to use the actual name of the
438interface such as <emphasis role="strong">eth0</emphasis>,
439on both interfaces.</para>
440
441<para>If you need stronger security (e.g., against DOS, connection
442highjacking, spoofing, etc.), have a look at the list of
443<xref linkend="fw-library"/> at the end of this section.</para>
444
445</sect3>
446
447<sect3 id="fw-busybox" xreflabel="BusyBox">
448<title>BusyBox</title>
449
450<para>This scenario isn't too different from (<xref linkend="fw-masqRouter"/>),
451but in this case you want to offer some services to your intranet.
452Examples of this can be when you want to admin your box from another host
453on your intranet or use it as a proxy or a name server. Note: Outlining a true
454concept of how to protect a server that offers services on the Internet
455goes far beyond the scope of this document,
456see <xref linkend="postlfs-security-fw-disclaimer"/>.</para>
457
458<para>Be cautious. Every service you offer and have enabled makes your
459setup more complex and your box less secure. You induce the risks of
460misconfigured services or running a service with an exploitable bug. A
461firewall should generally not run any extra services. See the introduction to
462<xref linkend="fw-masqRouter"/> for some more details.</para>
463
464<para>If the services you'd like to offer do not need to access the Internet
465themselves, like internal-only samba- or name-servers, it's quite
466simple and should still be acceptable from a security standpoint.
467Just add the following lines <emphasis>before</emphasis> the logging-rules
468into the script.</para>
469
470<screen>iptables -A INPUT -i ! ppp+ -j ACCEPT
471iptables -A OUTPUT -o ! ppp+ -j ACCEPT</screen>
472
473<para>If your daemons have to access the web themselves, like squid would need
474to, you could open OUTPUT generally and restrict INPUT.</para>
475
476<screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
477iptables -A OUTPUT -j ACCEPT</screen>
478
479<para>However, it is generally not advisable to leave OUTPUT unrestricted. You
480lose any control over trojans who'd like to "call home", and a bit of
481redundancy in case you've (mis-)configured a service so that it does broadcast
482its existence to the world.</para>
483
484<para>If you prefer to have this protection, you may restrict INPUT and OUTPUT
485on all ports except those that it's absolutely necessary to have open.
486Which ports you have to open depends on your needs: mostly you will find them
487by looking for failed accesses in your log-files.</para>
488<itemizedlist spacing="compact">
489<!-- <orderedlist numeration="arabic" spacing="compact"> -->
490<title>Have a look at the following examples:</title>
491
492<listitem><para>Squid is caching the web:</para>
493<screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
494iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED \
495-j ACCEPT</screen>
496</listitem>
497
498<listitem><para>Your caching name server (e.g., dnscache) does its
499lookups via udp:</para>
500<screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
501iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED \
502-j ACCEPT</screen>
503</listitem>
504
505<listitem><para>Alternatively, if you want to be able to ping your box to
506ensure it's still alive:</para>
507
508<screen>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
509iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</screen>
510</listitem>
511
512<listitem><para><anchor id='fw-BB-4' xreflabel="example no. 4"/>If you are
513frequently accessing ftp-servers or enjoy chatting, you might notice certain
514delays because some implementations of these daemons have the feature of
515querying an identd on your box for logging usernames.
516Although there's really no harm in this, having an identd running is not
517recommended because some implementations are known to be vulnerable.</para>
518
519<para>To avoid these delays you could reject the requests
520with a 'tcp-reset':</para>
521
522<screen>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
523iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen>
524</listitem>
525
526<listitem><para>To log and drop invalid packets (harmless packets
527that came in after netfilter's timeout or some types of network scans):</para>
528
529<screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG \
530--log-prefix "FIREWALL:INVALID"
531iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></listitem>
532
533<listitem><para>Anything coming from the outside should not have a
534private address, this is a common attack called IP-spoofing:</para>
535
536<screen>iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8 -j DROP
537iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12 -j DROP
538iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP</screen>
539</listitem>
540
541<listitem><para>To simplify debugging and be fair to anyone who'd like to
542access a service you have disabled, purposely or by mistake, you should REJECT
543those packets that are dropped.</para>
544
545<para>Obviously this must be done directly after logging as the very
546last lines before the packets are dropped by policy:</para>
547
548<screen>iptables -A INPUT -j REJECT
549iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT</screen></listitem>
550</itemizedlist>
551<!--</orderedlist>-->
552
553<para>These are only examples to show you some of the capabilities of the new
554firewall code in Linux-Kernel 2.4. Have a look at the man page of
555iptables.
556There you will find more of them. The port-numbers you'll need for this
557can be found in <filename>/etc/services</filename>, in case you didn't
558find them by trial and error in your log file.</para>
559
560<para>If you add any of your offered or accessed services such as the above,
561maybe even in FORWARD and for intranet-communication, and delete the
562general clauses, you get an old fashioned packet filter.</para>
563</sect3>
564
565</sect2>
566
567<sect2 id="fw-finale" xreflabel="Conclusion">
568<title>Conclusion</title>
569
570<para>Finally, I'd like to remind you of one fact we must not forget:
571The effort spent attacking a system corresponds to the value the cracker
572expects to gain from it.
573If you are responsible for such valuable assets that you expect great
574effort to be made by potential crackers, you hopefully won't be in the
575need of this hint!</para>
576
577<!-- <para><literallayout>Be cautious!
578
579 Henning Rohde
580<email>Henning.Rohde@uni-bayreuth.de</email></literallayout></para>
581
582<para>PS: And always do remember:
583SecureIT is not a matter of a status-quo but one of never stopping
584to take care!</para>
585
586<para>PPS: If any of these scripts fail, please tell me. I will try to trace
587any faults.</para> -->
588
589</sect2>
590
591<sect2 id="postlfs-security-fw-extra" xreflabel="Extra Information">
592<title>Extra Information</title>
593
594<sect3 id="fw-library" xreflabel="Links for further reading">
595<title>Where to start with further reading on firewalls.</title>
596
597<para><blockquote><literallayout>
598<ulink url="http://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables project</ulink>
599<ulink url="http://www.netfilter.org/documentation/FAQ/netfilter-faq.html">Netfilter related FAQ</ulink>
600<ulink url="http://www.netfilter.org/documentation/index.html#HOWTO">Netfilter related HOWTO's</ulink>
601<ulink url="http://en.tldp.org/LDP/nag2/x-087-2-firewall.html">en.tldp.org/LDP/nag2/x-087-2-firewall.html</ulink>
602<ulink url="http://en.tldp.org/HOWTO/Security-HOWTO.html">en.tldp.org/HOWTO/Security-HOWTO.html</ulink>
603<ulink url="http://en.tldp.org/HOWTO/Firewall-HOWTO.html">en.tldp.org/HOWTO/Firewall-HOWTO.html</ulink>
604<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire.html">www.ibm.com/developerworks/security/library/s-fire.html</ulink>
605<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire2.html">www.ibm.com/developerworks/security/library/s-fire2.html</ulink>
606<ulink url="http://www.interhack.net/pubs/fw-faq/">www.interhack.net/pubs/fw-faq/</ulink>
607<ulink url="http://www.linuxsecurity.com/docs/">www.linuxsecurity.com/docs/</ulink>
608<ulink url="http://www.little-idiot.de/firewall">www.little-idiot.de/firewall (German &amp; outdated, but very comprehensive)</ulink>
609<ulink url="http://www.linuxgazette.com/issue65/stumpel.html">www.linuxgazette.com/issue65/stumpel.html</ulink>
610<ulink url="http://linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html">linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html</ulink>
611<ulink url="http://staff.washington.edu/dittrich/misc/ddos">staff.washington.edu/dittrich/misc/ddos</ulink>
612<ulink url="http://www.e-infomax.com/ipmasq">www.e-infomax.com/ipmasq</ulink>
613<ulink url="http://www.circlemud.org/~jelson/writings/security/index.htm">www.circlemud.org/~jelson/writings/security/index.htm</ulink>
614<ulink url="http://www.securityfocus.com">www.securityfocus.com</ulink>
615<ulink url="http://www.cert.org/tech_tips/">www.cert.org - tech_tips</ulink>
616<ulink url="http://security.ittoolbox.com/">security.ittoolbox.com</ulink>
617<ulink url="http://www.linux-firewall-tools.com/linux/">www.linux-firewall-tools.com/linux/</ulink>
618<ulink url="http://logi.cc/linux/athome-firewall.php3">logi.cc/linux/athome-firewall.php3</ulink>
619<ulink url="http://www.insecure.org/reading.html">www.insecure.org/reading.html</ulink>
620<ulink url="http://www.robertgraham.com/pubs/firewall-seen.html">www.robertgraham.com/pubs/firewall-seen.html</ulink>
621</literallayout></blockquote></para>
622</sect3>
623
624<sect3 id="fw-status" xreflabel="/etc/rc.d/init.d/firewall.status">
625<title>firewall.status</title>
626
627<para>If you'd like to have a look at the chains your firewall consists of and
628the order in which the rules take effect:</para>
629
630<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall.status &lt;&lt; "EOF"</command>
631#!/bin/sh
632
633# Begin $rc_base/init.d/firewall.status
634
635echo "iptables.mangling:"
636iptables -t mangle -v -L -n --line-numbers
637
638echo
639echo "iptables.nat:"
640iptables -t nat -v -L -n --line-numbers
641
642echo
643echo "iptables.filter:"
644iptables -v -L -n --line-numbers
645<command>EOF</command></userinput></screen>
646</sect3>
647
648<sect3 id="postlfs-security-fw-stop" xreflabel="/etc/rc.d/init.d/firewall.stop">
649<title>firewall.stop</title>
650
651<para>If you need to turn the firewall off, this script will do it:</para>
652
653<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall.stop &lt;&lt; "EOF"</command>
654#!/bin/sh
655
656# Being $rc_base/init.d/firewall.stop
657
658# deactivate IP-Forwarding
659echo 0 > /proc/sys/net/ipv4/ip_forward
660
661iptables -Z
662iptables -F
663iptables -t nat -F PREROUTING
664iptables -t nat -F OUTPUT
665iptables -t nat -F POSTROUTING
666iptables -t mangle -F PREROUTING
667iptables -t mangle -F OUTPUT
668iptables -X
669iptables -P INPUT ACCEPT
670iptables -P FORWARD ACCEPT
671iptables -P OUTPUT ACCEPT
672<command>EOF</command></userinput></screen>
673</sect3>
674
675</sect2>
676
677</sect1>
678
Note: See TracBrowser for help on using the repository browser.