<sect2 id="postlfs-security-fw-kernel" xreflabel="getting a firewalling-enabled Kernel">
<title>Getting a firewalling-enabled Kernel</title>

<para>If you want your Linux box to do firewalling, you must first ensure
that your kernel has been compiled with the relevant options turned on
<footnote><para>If you need assistance on how to configure, compile and install
a new kernel, refer back to chapter VIII of the LinuxFromScratch book,
<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html">Installing a kernel</ulink>
and, if necessary,
<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html">Making the LFS system bootable</ulink>;
note that you'll need to reboot
to actually run your new kernel.</para></footnote>.</para>

<para>Whether the options are compiled into the kernel or built as modules,
and how you configure your kernel to do so, depends on your personal
preferences and experience. Note that the scripts quoted later assume
that the modules have to be loaded first.</para>

<table frame='none'>
<title>Essential config-options for a firewalling-enabled Kernel</title>

<tgroup cols='5'>
<colspec colnum='1' colwidth='8*' align='center'/>
<colspec colnum='2' colwidth='19*' align='left'/>
<colspec colnum='3' colwidth='11*' align='center'/>
<colspec colnum='4' colwidth='1*' align='center'/>
<colspec colnum='5' colwidth='14*' align='left'/>

<tbody>

<row>
<entry><emphasis><userinput>Networking options:</userinput></emphasis></entry>
<entry><userinput>Network packet filtering</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_NETFILTER</entry>
</row>

<row>
<entry></entry>
<entry><userinput>Unix domain sockets</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_UNIX</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: TCP/IP networking</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_INET</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: advanced router</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_IP_ADVANCED_ROUTER</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: verbose route monitoring</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_IP_ROUTE_VERBOSE</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: TCP Explicit Congestion Notification support</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_INET_ECN</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: TCP syncookie support</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_SYN_COOKIES</entry>
</row>

<row>
<entry></entry>
<entry align='center'>
<emphasis><userinput>IP: Netfilter Configuration:</userinput></emphasis></entry>
<entry align='left'><userinput>every option</userinput></entry>
<entry>=</entry>
<entry>CONFIG_IP_NF_*</entry>
</row>

<row>
<entry></entry>
<entry align='right'><emphasis>WITHOUT:</emphasis></entry>
<entry align='left'><literallayout><userinput>ipchains (2.2-style) support
ipfw-adm (2.0-style) support</userinput></literallayout></entry>
<entry>w\</entry>
<entry>CONFIG_IP_NF_COMPAT_*</entry>
</row>

<row>
<entry></entry>
<entry><userinput>Fast switching</userinput></entry>
<entry>Make sure to disable it, because it would set up a bypass around
your firewall rules.</entry>
<entry>w\</entry>
<entry>CONFIG_NET_FASTROUTE</entry>
</row>

</tbody>

</tgroup>

</table>
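<para>As an added example (not code from this book), the following POSIX shell function checks a kernel configuration file against the table above: every required option must be built in or a module, at least one <literal>CONFIG_IP_NF_*</literal> option must be set, and the compatibility layers and fast switching must be off. The sample configuration it writes is constructed for the demonstration; on a real system you would point it at the kernel's <filename>.config</filename> instead.</para>

```shell
# Added example, not from this book: check a kernel config file against
# the option table above. Returns 0 only if every required option is built in
# (=y) or a module (=m) and the two "WITHOUT" options are not enabled.
check_fw_kernel_config() {
    cfg="$1"
    rc=0
    # Options the table requires, either compiled in or as modules.
    for opt in CONFIG_NETFILTER CONFIG_UNIX CONFIG_INET \
               CONFIG_IP_ADVANCED_ROUTER CONFIG_IP_ROUTE_VERBOSE \
               CONFIG_INET_ECN CONFIG_SYN_COOKIES; do
        if grep -q -E "^${opt}=[ym]\$" "$cfg"; then
            echo "ok       $opt"
        else
            echo "MISSING  $opt"; rc=1
        fi
    done
    # "every option" under IP: Netfilter Configuration: require at least one
    # CONFIG_IP_NF_* entry that is not one of the compatibility layers.
    if grep -E '^CONFIG_IP_NF_[A-Z0-9_]+=[ym]$' "$cfg" | grep -q -v COMPAT; then
        echo "ok       CONFIG_IP_NF_*"
    else
        echo "MISSING  CONFIG_IP_NF_*"; rc=1
    fi
    # Options that must stay off: the 2.0/2.2 compatibility layers and fast
    # switching, which would let packets bypass the netfilter rules.
    for pat in 'CONFIG_IP_NF_COMPAT_[A-Z0-9_]+' CONFIG_NET_FASTROUTE; do
        if grep -q -E "^${pat}=[ym]\$" "$cfg"; then
            echo "ENABLED  $pat (must be off)"; rc=1
        else
            echo "ok       $pat is off"
        fi
    done
    return $rc
}

# Constructed sample config for the demonstration; not taken from a real kernel.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_INET_ECN=y
CONFIG_SYN_COOKIES=y
CONFIG_IP_NF_IPTABLES=m
# CONFIG_IP_NF_COMPAT_IPCHAINS is not set
# CONFIG_NET_FASTROUTE is not set
EOF
}
```

Run it as `write_sample_config /tmp/cfg; check_fw_kernel_config /tmp/cfg` to see the per-option report; a non-zero exit means the kernel is not safe to rely on as a firewall.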

</sect2>