source: postlfs/security/firewalling/busybox.xml@ 64d97b7c

Last change on this file since 64d97b7c was 64d97b7c, checked in by Larry Lawrence <larry@…>, 19 years ago

update to sawfish-1.3, librep-0.16.2 and first round spell check

git-svn-id: svn:// af4574ff-66df-0310-9fd7-8a98e5e911e0

<sect3 id="postlfs-security-fw-busybox" xreflabel="BusyBox">
<para>This scenario isn't too different from (<xref linkend="postlfs-security-fw-masqRouter"/>),
but in this case you want to offer some services to your intranet.
Examples of this are when you want to administer your box from another host
on your intranet or use it as a proxy or a nameserver. Note: Outlining a true
concept of how to protect a server that offers services on the internet
goes far beyond the scope of this document,
see <xref linkend="postlfs-security-fw-disclaimer"/>.</para>
<para>Be cautious. Every service you offer and have enabled makes your
setup more complex and your box less secure: you introduce the risks of
misconfigured services or of running a service with an exploitable bug, both risks
that a firewall should in principle be immune to. See the introduction to
<xref linkend="postlfs-security-fw-masqRouter"/> for some more details.</para>
<para>If the services you'd like to offer do not need to access the internet
themselves, like internal-only Samba or name servers, it's quite
simple and should still be acceptable from a security standpoint.
Just add the following lines <emphasis>before</emphasis> the logging rules
in the script.
<screen>iptables -A INPUT -i ! ppp+ -j ACCEPT
iptables -A OUTPUT -o ! ppp+ -j ACCEPT</screen></para>
<para>If your daemons have to access the web themselves, as squid would need
to, you could open OUTPUT generally and restrict INPUT.
<screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT</screen></para>
<para>However, it is generally not advisable to leave OUTPUT unrestricted: you lose
all control over trojans that would like to "call home", and a bit of redundancy in case
you've (mis-)configured a service so that it does broadcast its existence to the
<para>If you prefer to have this protection, you may restrict INPUT and OUTPUT
on all ports except those that it's absolutely necessary to have open.
Which ports you have to open depends on your needs: mostly you will find them
by looking for failed accesses in your log files.</para>
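One way to do that port hunt, as an added example that is not part of the BLFS book: the script below tallies the logged packets by chain, protocol and destination port so the ports a service really needs stand out. The log lines are constructed here (an abbreviated form of what netfilter's LOG target writes), and the "FIREWALL:" prefix is assumed to match the logging rules in your script.

```shell
#!/bin/sh
# Added example, not from the BLFS book. SAMPLE_LOG is constructed: a few
# syslog lines in the shape netfilter's LOG target produces (fields trimmed),
# using the "FIREWALL:" prefix assumed for the script's logging rules.
SAMPLE_LOG='Jan  2 10:00:01 fw kernel: FIREWALL:OUTPUT IN= OUT=ppp0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40001 DPT=80 SYN
Jan  2 10:00:02 fw kernel: FIREWALL:OUTPUT IN= OUT=ppp0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40002 DPT=80 SYN
Jan  2 10:00:05 fw kernel: FIREWALL:OUTPUT IN= OUT=ppp0 SRC=192.0.2.10 DST=198.51.100.53 LEN=70 PROTO=UDP SPT=32768 DPT=53
Jan  2 10:00:09 fw kernel: FIREWALL:INPUT IN=ppp0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=54321 DPT=113 SYN
Jan  2 10:00:10 fw kernel: FIREWALL:INPUT IN=ppp0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=54322 DPT=22 SYN
Jan  2 10:00:11 fw kernel: some unrelated message'

# Read log lines on stdin and print "count chain proto dport", busiest first.
# Only lines carrying the firewall prefix and both PROTO= and DPT= count.
blocked_ports() {
    awk '/FIREWALL:/ {
        chain = $0; sub(/.*FIREWALL:/, "", chain); sub(/ .*/, "", chain)
        proto = ""; dport = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dport = substr($i, 5)
        }
        if (proto != "" && dport != "") count[chain " " proto " " dport]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Usage: feed the kernel log, e.g. `grep FIREWALL: /var/log/kern.log | blocked_ports`.
printf '%s\n' "$SAMPLE_LOG" | blocked_ports
```

OUTPUT entries with many hits are services you run that need a hole; INPUT entries are what the outside tried and got refused.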
<orderedlist numeration="arabic" spacing="compact">
<title>Have a look at the following examples:</title>
<listitem><para>Squid is caching the web:</para>
<para><screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED \
&nbsp;&nbsp;&nbsp;-j ACCEPT</screen></para></listitem>
<listitem><para>Your caching nameserver (e.g., dnscache) does its
lookups via UDP:</para>
<para><screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED \
&nbsp;&nbsp;&nbsp;-j ACCEPT</screen></para></listitem>
<listitem><para>Alternatively, if you want to be able to ping your box to ensure
it's still alive:</para>
<para><screen>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request \
&nbsp;&nbsp;&nbsp;-j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</screen></para></listitem>
<listitem><para><anchor id='postlfs-security-fw-BB-4' xreflabel="example no. 4"/>If you are
frequently accessing FTP servers or enjoy chatting you might notice certain
delays because some implementations of these daemons have the feature of
querying an identd on your box for your username for logging.
Although there's really no harm in this, having an identd running is not
recommended because some implementations are known to be vulnerable.</para>
<para>To avoid these delays you could reject the requests
with a 'tcp-reset':</para>
<para><screen>iptables -A INPUT -p tcp --dport 113 -j REJECT \
&nbsp;&nbsp;&nbsp;--reject-with tcp-reset
iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED \
&nbsp;&nbsp;&nbsp;-j ACCEPT</screen></para></listitem>
<listitem><para>To log and drop invalid packets, mostly harmless packets
that arrived after netfilter's connection-tracking timeout, but sometimes scans:</para>
<para><screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG \
&nbsp;&nbsp;&nbsp;--log-prefix "FIREWALL:INVALID"
iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></para></listitem>
<listitem><para>Anything coming from the outside should not carry a
private source address; forging one is a common attack called IP spoofing:</para>
<para><screen>iptables -t nat -A PREROUTING -i ppp+ -s -j DROP
iptables -t nat -A PREROUTING -i ppp+ -s -j DROP
iptables -t nat -A PREROUTING -i ppp+ -s -j DROP</screen></para></listitem>
<listitem><para>To simplify debugging and be fair to anyone who'd like to
access a service you have disabled, purposely or by mistake, you should REJECT
those packets rather than silently dropping them.</para>
<para>Obviously this must be done directly after logging, as the very
last lines before the packets are dropped by policy:</para>
<para><screen>iptables -A INPUT -j REJECT
iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT</screen></para></listitem>
<para>These are only examples to show you some of the capabilities of the new
firewalling code in Linux kernel 2.4. Have a look at the man-page of
There you will find more of them. The port numbers you'll need for this
can be found in /etc/services, in case you didn't find them via "try'n'error"
in your logfile.</para>
<para>If you add any of your offered or accessed services such as the above,
maybe even in FORWARD and for intranet communication, and delete the
general clauses, you get an old-fashioned packet filter.</para>
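The pieces above assembled into such a packet filter, as an added example that is not the book's own script: the rules appear in the order the text requires (spoofing and INVALID checks first, per-service holes in the middle, logging and REJECT as the very last lines before the DROP policy). Assumed rather than taken from the page: the external interface pattern, the log prefixes, and the RFC 1918 ranges used in the anti-spoofing rules.

```shell
#!/bin/sh
# Added example, not from the BLFS book: the rules of this section
# assembled into one script in the order the text requires. Assumed,
# not taken from the page: the external interface pattern, the log
# prefixes, and the RFC 1918 ranges used in the anti-spoofing rules.
IPTABLES="${IPTABLES:-iptables}"
EXT_IF="${EXT_IF:-ppp+}"

ipt() { "$IPTABLES" "$@"; }

fw_rules() {
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
    # 1. Anti-spoofing: private source addresses never arrive from outside
    #    (placed in the filter table here so that every packet is checked).
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        ipt -A INPUT -i "$EXT_IF" -s "$net" -j DROP
    done
    # 2. Log, then drop, packets netfilter considers INVALID.
    ipt -A INPUT -p tcp -m state --state INVALID -j LOG --log-prefix "FIREWALL:INVALID "
    ipt -A INPUT -p tcp -m state --state INVALID -j DROP
    # 3. Loopback and the intranet side are trusted (internal-only services).
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT ! -i "$EXT_IF" -j ACCEPT
    ipt -A OUTPUT ! -o "$EXT_IF" -j ACCEPT
    # 4. Per-service holes: squid fetching pages, dnscache lookups, ping, identd.
    ipt -A OUTPUT -p tcp --dport 80 -j ACCEPT
    ipt -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
    ipt -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
    ipt -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
    ipt -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    ipt -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT
    # 5. Logging, then REJECT: these stay the last lines before the DROP policy,
    #    and the ICMP type 3 rule lets the rejection notices leave the box.
    ipt -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
    ipt -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "
    ipt -A INPUT -j REJECT
    ipt -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT
}

# `sh fw.sh` only prints the rule set; `sh fw.sh load` applies it as root.
[ "${1:-}" = load ] || IPTABLES=echo
fw_rules
```

Run it without arguments first and read the printed order; a rule added below the REJECT line never sees a packet.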