source: postlfs/security/firewalling.xml@ f8962fe

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
   "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;
]>

<sect1 id="fw-firewall" xreflabel="Firewalling">
<sect1info>
<othername>$LastChangedBy$</othername>
<date>$Date$</date>
</sect1info>
<?dbhtml filename="firewall.html"?>
<title>Setting up a network firewall</title>

<para>Before you read this part of the chapter, note that we assume that you
have already installed iptables as described in the previous section.</para>

<sect2 id="fw-intro" xreflabel="Firewalling Introduction">
<title>Introduction to Firewall Creation</title>

<para>The general purpose of a firewall is to protect a network 
against malicious access by using a single machine as a firewall. 
This does imply that the firewall is to be considered a single point 
of failure, but it can make the administrator's life a lot easier.</para>

<para>In a perfect world where you knew that every daemon or service 
on every machine was perfectly configured and was immune to, e.g., 
buffer-overflows and any other imaginable problem regarding its 
security, and where you trusted every user accessing your services 
to aim no harm, you wouldn't need to have a firewall!  
In the real world however, daemons may be misconfigured, 
exploits against essential services are freely available, you 
may wish to choose which services are accessible by certain machines, 
you may wish to limit which machines or applications are allowed 
to have Internet access, or you may simply not trust some of your 
apps or users. In these situations you might benefit by using a 
firewall.</para>

<para>Don't assume however, that having a firewall makes careful
configuration redundant, or that it makes any negligent
misconfiguration harmless. It also doesn't prevent anyone from exploiting a
service you intentionally offer but haven't recently updated or patched
after an exploit went public.  Despite having a firewall, you need to
keep applications and daemons on your system well-configured and
up-to-date; a firewall is not a cure-all!</para>

</sect2>

<sect2>
<title>Meaning of the word firewall.</title>

<para>The word firewall can have several different meanings.</para>

<sect3><title><xref linkend="fw-persFw"/></title>

<para>This is a setup or program, for Windows commercially sold by 
companies such as Symantec, of which they claim or pretend that it
secures a home or desktop-pc with Internet access. This topic is 
highly relevant for users who do not know the methods their computers 
might be accessed via the Internet or how to disable them, 
especially if they are always online and connected via 
broadband links.</para></sect3>

<sect3><title><xref linkend="fw-masqRouter"/></title>
<para>This is a box placed between the Internet and an intranet. 
To minimize the risk of compromising the firewall itself it
should generally have only one role, that of protecting the intranet.
Although not completely risk free, the tasks of doing the routing 
and eventually IP masquerading (rewriting IP-headers 
of the packets it routes from clients with private IP-addresses onto 
the Internet so that they seem to come from the firewall 
itself) are commonly considered harmless.</para></sect3>

<sect3><title><xref linkend="fw-busybox"/></title>
<para>This is often an old box you may have retired and nearly forgotten, 
performing masquerading or routing functions, but offering a bunch of 
services, e.g., web-cache, mail, etc.  This may be very commonly used 
for home networks, but can definitely not be considered as secure 
anymore because the combining of server and router on one machine raises 
the complexity of the setup.</para></sect3>

<sect3><title>Firewall with a demilitarized zone [not further described
here]</title>
<para>This box performs masquerading or routing, but grants public access to 
some branch of your network which, because of public IP's and a physically 
separated structure, is neither considered to be part of the inter- nor 
intranet.  These servers are those which must be easily accessible 
from both the inter- and intranet. The firewall protects 
them all.</para></sect3>

<sect3><title>Packetfilter / partly accessible net [partly described
here, see <xref linkend="fw-busybox"/>]</title>
<para>Doing routing or masquerading, but permitting only selected 
services to be accessible, sometimes only by selected internal users or boxes; 
mostly used in highly secure business contexts, sometimes by distrusting 
employers.  This was the common configuration of a firewall at the time of 
the Linux 2.2 kernel.  It's still possible to configure a firewall this way, 
but it makes the rules quite complex and lengthy.</para></sect3>

</sect2>

<sect2 id="postlfs-security-fw-disclaimer" xreflabel="Disclaimer">
<title>Disclaimer</title>

<!-- <para><emphasis>NEITHER THE AUTHOR NOR ANY OF THE LINUXFROMSCRATCH TEAM 
ARE RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THIS 
DOCUMENT.</emphasis></para> -->

<para>This document is meant as an introduction to how to setup a firewall.  It
is not a complete guide to securing systems.  Firewalling is a complex issue
that requires careful configuration.  The scripts quoted here are simply
intended to give examples as to how a firewall works, they are not intended to
fit into any imaginable configuration and may not prevent any imaginable
attack.</para>

<para>The purpose of this text is simply to give you a hint on how to get
started with a firewall.</para>

<para>Customization of these scripts for your specific situation will
be necessary for an optimal configuration, but you should make a serious
study of the iptables documentation and creating firewalls in general before 
hacking away.  Have a look at the list of 
<xref linkend="fw-library"/> at the end of this section for 
more details.  Here you will find a list of URLs that contain quite 
comprehensive information about building your own firewall.</para>

</sect2>

<sect2 id="fw-kernel" xreflabel="getting a firewalling-enabled Kernel">
<title>Getting a firewall enabled Kernel</title>
<indexterm zone="fw-kernel">
<primary sortas="d-Firewalls">Firewalls (using iptables)</primary>
</indexterm>

<para>If you want your Linux-Box to have a firewall, you must first ensure 
that your kernel has been compiled with the relevant options turned on.
<!-- <footnote><para>If you needed assistance how to configure, compile and 
install a new kernel, refer back to chapter VIII of the LinuxFromScratch book, 
<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html">
Installing a kernel</ulink>  and eventually 
<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html">
Making the LFS system bootable</ulink>; note, that you'll need to reboot 
to actually run your new kernel.</para></footnote>-->
</para>

<para>How to configure your kernel, with enabling the options to be 
either compiled into the kernel or as modules, depends on your personal 
preferences and experience. Note, that for the quoted scripts it is assumed 
that the modules need to be loaded at first.</para>

<screen>Network options menu
  Network packet filtering:                         Y
  Unix domain sockets:                         Y or M
  TCP/IP networking:                                Y
  IP: advanced router:                              Y
  IP: verbose route monitoring:                     Y
  IP: TCP Explicit Congestion Notification support: Y
  IP: TCP syncookie support:                        Y
  IP: Netfilter Configuration menu
    Every option except:                       Y or M
      ipchains (2.2-style) support                  N
      ipfwadm (2.0-style) support                   N
  Fast switching:                                   N</screen>

<!--
<table frame='none'>
<title>Essential config-options for a firewall enabled Kernel</title>

<tgroup cols='5'>
<colspec colnum='1' colwidth='8*'  align='center'/>
<colspec colnum='2' colwidth='19*' align='left'/>
<colspec colnum='3' colwidth='11*' align='center'/>
<colspec colnum='4' colwidth='1*'  align='center'/>
<colspec colnum='5' colwidth='14*' align='left'/>

<tbody>

<row>
<entry><emphasis><userinput>Networking options:</userinput></emphasis></entry>
<entry><userinput>Network packet filtering</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_NETFILTER</entry>
</row>

<row>
<entry></entry>
<entry><userinput>Unix domain sockets</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_UNIX</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: TCP/IP networking</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_INET</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: advanced router</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_IP_ADVANCED_ROUTER</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: verbose route monitoring</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_IP_ROUTE_VERBOSE</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: TCP Explicit Congestion Notification support</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_INET_ECN</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: TCP syncookie support</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_SYN_COOKIES</entry>
</row>

<row>
<entry></entry>
<entry align='center'>
<emphasis><userinput>IP: Netfilter Configuration:</userinput></emphasis></entry>
<entry align='left'><userinput>every option</userinput></entry>
<entry>=</entry>
<entry>CONFIG_IP_NF_*</entry>
</row>

<row>
<entry></entry>
<entry align='right'><emphasis>WITHOUT:</emphasis></entry>
<entry align='left'><literallayout><userinput>ipchains (2.2-style) support
ipfw-adm (2.0-style) support</userinput></literallayout></entry>
<entry>w\</entry>
<entry>CONFIG_IP_NF_COMPAT_*</entry>
</row>

<row>
<entry></entry>
<entry><userinput>Fast switching</userinput></entry>
<entry>Make sure to disable it because it would setup a bypass around
your firewall rules.</entry>
<entry>w\</entry>
<entry>CONFIG_NET_FASTROUTE</entry>
</row>

</tbody>

</tgroup>

</table> -->

</sect2>

<sect2 id="fw-writing" xreflabel="writing the firewalling-setup-scripts">
<title>Now you can start to build your Firewall</title>

<sect3 id="fw-persFw" xreflabel="Personal Firewall">
<title>Personal Firewall</title>

<para>A Personal Firewall is supposed to let you access all the services
offered on the Internet, but keep your box secure and your data private.</para>

<para>Below is a slightly modified version of Rusty Russell's recommendation
from the <ulink 
url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">
Linux 2.4 Packet Filtering HOWTO</ulink>:</para>

<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</command>
#!/bin/sh

# Begin $rc_base/init.d/firewall

# Insert connection-tracking modules 
# (not needed if built into the kernel)
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe ipt_LOG

# allow local-only connections
iptables -A INPUT  -i lo -j ACCEPT

# free output on any interface to any ip for any service 
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# permit answers on already established connections
# and permit new connections related to established ones 
# (eg active-ftp)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log everything else:  What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

# set a sane policy:    everything not accepted &gt; /dev/null
iptables -P INPUT    DROP
iptables -P FORWARD  DROP
iptables -P OUTPUT   DROP

# be verbose on dynamic ip-addresses  (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr

# disable ExplicitCongestionNotification 
# too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn

# End $rc_base/init.d/firewall
<command>EOF</command></userinput></screen>

<para>His script is quite simple, it drops all traffic coming in into your 
computer that wasn't initiated from your box, but as long as you are simply 
surfing the Internet you are unlikely to exceed its limits.</para> 

<para>If you frequently encounter certain delays at accessing ftp-servers,
please have a look at <xref linkend="fw-busybox"/> - 
<xref linkend="fw-BB-4"/>.</para>

<para>Even if you have daemons or services running on your box, these
should be inaccessible everywhere but from your box itself.
If you want to allow access to services on your machine, such as ssh or 
pinging, take a look at <xref linkend="fw-busybox"/>.</para> 

</sect3>


<sect3 id="fw-masqRouter" xreflabel="Masquerading Router">
<title>Masquerading Router</title>

<para>A true Firewall has two interfaces, one connected to an intranet,
in this example, <emphasis role="strong">eth0</emphasis>, and one
connected to the Internet, here, <emphasis role="strong">ppp0</emphasis>. 
To provide the maximum security against the box itself being broken into,
make sure that there are no servers running on it, especially not
<application>X11</application> et
al.  And, as a general principle, the box itself should not access any 
untrusted service (Think of a name server giving answers that make your
bind crash, or, even worse, that implement a worm via a 
buffer-overflow).</para>

<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</command>
#!/bin/sh

# Begin $rc_base/init.d/firewall

echo
echo "You're using the example-config for a setup of a firewall"
echo "from the firewalling-hint written for LinuxFromScratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue, that exceeds the scope"
echo "of the quoted configuration rules."
echo "You can find some quite comprehensive information"
echo "about firewalls in Chapter 4 of the BLFS book."
echo "http://www.linuxfromscratch.org/blfs"
echo

# Insert iptables modules (not needed if built into the kernel).

modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ipt_MASQUERADE
modprobe ipt_LOG
modprobe ipt_REJECT

# allow local-only connections
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# allow forwarding
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -i ! ppp+       -j ACCEPT

# do masquerading
# (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE

# Log everything for debugging 
# (last of all rules, but before DROP/REJECT)
iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT  "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "

# set a sane policy
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  DROP

# be verbose on dynamic ip-addresses 
# (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr

# disable ExplicitCongestionNotification
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn

# activate TCPsyncookies
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies

# activate Route-Verification = IP-Spoofing_protection
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 &gt; $f
done

# activate IP-Forwarding 
echo 1 &gt; /proc/sys/net/ipv4/ip_forward
<command>EOF</command></userinput></screen>

<para>With this script your intranet should be sufficiently secure against
external attacks. No one should be able to setup a new connection to any
internal service and, if it's masqueraded, it's even invisible. Furthermore,
your firewall should be nearly immune because there are no services running
that a cracker could attack.</para>

<para>Note: if the interface you're connecting to the Internet 
doesn't connect via ppp, you will need to change
<replaceable>ppp+</replaceable> to the name of the interface which you are
using.  If you are using the same interface type to connect to both your
intranet and the Internet, you need to use the actual name of the
interface such as <emphasis role="strong">eth0</emphasis>, 
on both interfaces.</para>

<para>If you need stronger security (e.g., against DOS, connection 
highjacking, spoofing, etc.), have a look at the list of 
<xref linkend="fw-library"/> at the end of this section.</para>

</sect3>

<sect3 id="fw-busybox" xreflabel="BusyBox">
<title>BusyBox</title>

<para>This scenario isn't too different from (<xref linkend="fw-masqRouter"/>), 
but in this case you want to offer some services to your intranet.
Examples of this can be when you want to admin your box from another host 
on your intranet or use it as a proxy or a name server. Note: Outlining a true 
concept of how to protect a server that offers services on the Internet 
goes far beyond the scope of this document, 
see <xref linkend="postlfs-security-fw-disclaimer"/>.</para>

<para>Be cautious.  Every service you offer and have enabled makes your
setup more complex and your box less secure. You induce the risks of 
misconfigured services or running a service with an exploitable bug.  A 
firewall should generally not run any extra services.  See the introduction to 
<xref linkend="fw-masqRouter"/> for some more details.</para>

<para>If the services you'd like to offer do not need to access the Internet 
themselves, like internal-only samba- or name-servers, it's quite
simple and should still be acceptable from a security standpoint.
Just add the following lines <emphasis>before</emphasis> the logging-rules 
into the script.</para>

<screen>iptables -A INPUT  -i ! ppp+  -j ACCEPT
iptables -A OUTPUT -o ! ppp+  -j ACCEPT</screen>

<para>If your daemons have to access the web themselves, like squid would need
to, you could open OUTPUT generally and restrict INPUT.</para>

<screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED  -j ACCEPT
iptables -A OUTPUT                                     -j ACCEPT</screen>

<para>However, it is generally not advisable to leave OUTPUT unrestricted. You 
lose any control over trojans who'd like to "call home", and a bit of 
redundancy in case you've (mis-)configured a service so that it does broadcast 
its existence to the world.</para>

<para>If you prefer to have this protection, you may restrict INPUT and OUTPUT
on all ports except those that it's absolutely necessary to have open.
Which ports you have to open depends on your needs: mostly you will find them 
by looking for failed accesses in your log-files.</para>
<itemizedlist spacing="compact">
<!-- <orderedlist numeration="arabic" spacing="compact"> -->
<title>Have a look at the following examples:</title>

<listitem><para>Squid is caching the web:</para>
<screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED \
-j ACCEPT</screen>
</listitem>

<listitem><para>Your caching name server (e.g., dnscache) does its
lookups via udp:</para>
<screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT  -p udp --sport 53 -m state --state ESTABLISHED \
-j ACCEPT</screen>
</listitem>

<listitem><para>Alternatively, if you want to be able to ping your box to 
ensure it's still alive:</para>

<screen>iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT</screen>
</listitem>

<listitem><para><anchor id='fw-BB-4' xreflabel="example no. 4"/>If you are 
frequently accessing ftp-servers or enjoy chatting, you might notice certain 
delays because some implementations of these daemons have the feature of 
querying an identd on your box for logging usernames.
Although there's really no harm in this, having an identd running is not 
recommended because some implementations are known to be vulnerable.</para>

<para>To avoid these delays you could reject the requests 
with a 'tcp-reset':</para>

<screen>iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen>
</listitem>

<listitem><para>To log and drop invalid packets (harmless packets
that came in after netfilter's timeout or some types of network scans):</para>

<screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG \
--log-prefix "FIREWALL:INVALID"
iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></listitem>

<listitem><para>Anything coming from the outside should not have a
private address, this is a common attack called IP-spoofing:</para>

<screen>iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8     -j DROP
iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12  -j DROP
iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP</screen>
</listitem>

<listitem><para>To simplify debugging and be fair to anyone who'd like to 
access a service you have disabled, purposely or by mistake, you should REJECT 
those packets that are dropped.</para>

<para>Obviously this must be done directly after logging as the very
last lines before the packets are dropped by policy:</para>

<screen>iptables -A INPUT                        -j REJECT
iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT</screen></listitem>
</itemizedlist>
<!--</orderedlist>-->

<para>These are only examples to show you some of the capabilities of the new 
firewall code in Linux-Kernel 2.4. Have a look at the man page of
iptables.
There you will find more of them. The port-numbers you'll need for this
can be found in <filename>/etc/services</filename>, in case you didn't
find them by trial and error in your log file.</para>

<para>If you add any of your offered or accessed services such as the above,
maybe even in FORWARD and for intranet-communication, and delete the
general clauses, you get an old fashioned packet filter.</para>
</sect3>

</sect2>

<sect2 id="fw-finale" xreflabel="Conclusion">
<title>Conclusion</title>

<para>Finally, I'd like to remind you of one fact we must not forget:
The effort spent attacking a system corresponds to the value the cracker
expects to gain from it.
If you are responsible for such valuable assets that you expect great
effort to be made by potential crackers, you hopefully won't be in the 
need of this hint!</para>

<!-- <para><literallayout>Be cautious!

    Henning Rohde
<email>Henning.Rohde@uni-bayreuth.de</email></literallayout></para>

<para>PS: And always do remember:
SecureIT is not a matter of a status-quo but one of never stopping 
to take care!</para>

<para>PPS: If any of these scripts fail, please tell me. I will try to trace 
any faults.</para> -->

</sect2>

<sect2 id="postlfs-security-fw-extra" xreflabel="Extra Information">
<title>Extra Information</title>

<sect3 id="fw-library" xreflabel="Links for further reading">
<title>Where to start with further reading on firewalls.</title>

<para><blockquote><literallayout>
<ulink url="http://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables project</ulink>
<ulink url="http://www.netfilter.org/documentation/FAQ/netfilter-faq.html">Netfilter related FAQ</ulink>
<ulink url="http://www.netfilter.org/documentation/index.html#HOWTO">Netfilter related HOWTO's</ulink>
<ulink url="http://en.tldp.org/LDP/nag2/x-087-2-firewall.html">en.tldp.org/LDP/nag2/x-087-2-firewall.html</ulink>
<ulink url="http://en.tldp.org/HOWTO/Security-HOWTO.html">en.tldp.org/HOWTO/Security-HOWTO.html</ulink>
<ulink url="http://en.tldp.org/HOWTO/Firewall-HOWTO.html">en.tldp.org/HOWTO/Firewall-HOWTO.html</ulink>
<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire.html">www.ibm.com/developerworks/security/library/s-fire.html</ulink>
<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire2.html">www.ibm.com/developerworks/security/library/s-fire2.html</ulink>
<ulink url="http://www.interhack.net/pubs/fw-faq/">www.interhack.net/pubs/fw-faq/</ulink>
<ulink url="http://www.linuxsecurity.com/docs/">www.linuxsecurity.com/docs/</ulink>
<ulink url="http://www.little-idiot.de/firewall">www.little-idiot.de/firewall (German &amp; outdated, but very comprehensive)</ulink>
<ulink url="http://www.linuxgazette.com/issue65/stumpel.html">www.linuxgazette.com/issue65/stumpel.html</ulink>
<ulink url="http://linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html">linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html</ulink>
<ulink url="http://staff.washington.edu/dittrich/misc/ddos">staff.washington.edu/dittrich/misc/ddos</ulink>
<ulink url="http://www.e-infomax.com/ipmasq">www.e-infomax.com/ipmasq</ulink>
<ulink url="http://www.circlemud.org/~jelson/writings/security/index.htm">www.circlemud.org/~jelson/writings/security/index.htm</ulink>
<ulink url="http://www.securityfocus.com">www.securityfocus.com</ulink>
<ulink url="http://www.cert.org/tech_tips/">www.cert.org - tech_tips</ulink>
<ulink url="http://security.ittoolbox.com/">security.ittoolbox.com</ulink>
<ulink url="http://www.linux-firewall-tools.com/linux/">www.linux-firewall-tools.com/linux/</ulink>
<ulink url="http://logi.cc/linux/athome-firewall.php3">logi.cc/linux/athome-firewall.php3</ulink>
<ulink url="http://www.insecure.org/reading.html">www.insecure.org/reading.html</ulink>
<ulink url="http://www.robertgraham.com/pubs/firewall-seen.html">www.robertgraham.com/pubs/firewall-seen.html</ulink>
</literallayout></blockquote></para>
</sect3>

<sect3 id="fw-status" xreflabel="/etc/rc.d/init.d/firewall.status">
<title>firewall.status</title>

<para>If you'd like to have a look at the chains your firewall consists of and 
the order in which the rules take effect:</para>

<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall.status &lt;&lt; "EOF"</command>
#!/bin/sh

# Begin $rc_base/init.d/firewall.status

echo "iptables.mangling:"
iptables -t mangle  -v -L -n --line-numbers

echo
echo "iptables.nat:"
iptables -t nat     -v -L -n --line-numbers

echo
echo "iptables.filter:"
iptables            -v -L -n --line-numbers
<command>EOF</command></userinput></screen>
</sect3>

<sect3 id="postlfs-security-fw-stop" xreflabel="/etc/rc.d/init.d/firewall.stop">
<title>firewall.stop</title>

<para>If you need to turn the firewall off, this script will do it:</para>

<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall.stop &lt;&lt; "EOF"</command>
#!/bin/sh

# Being $rc_base/init.d/firewall.stop

# deactivate IP-Forwarding 
echo 0 > /proc/sys/net/ipv4/ip_forward

iptables -Z
iptables -F
iptables -t nat         -F PREROUTING
iptables -t nat         -F OUTPUT
iptables -t nat         -F POSTROUTING
iptables -t mangle      -F PREROUTING
iptables -t mangle      -F OUTPUT
iptables -X
iptables -P INPUT       ACCEPT
iptables -P FORWARD     ACCEPT
iptables -P OUTPUT      ACCEPT
<command>EOF</command></userinput></screen>
</sect3>

</sect2>

</sect1>