<sect2 id="postlfs-security-fw-kernel" xreflabel="getting a firewalling-enabled Kernel">
<title>Getting a firewall-enabled Kernel</title>

<para>If you want your Linux box to have a firewall, you must first ensure
that your kernel has been compiled with the relevant options turned on.
<!-- <footnote><para>If you need assistance on how to configure, compile and install
a new kernel, refer back to chapter VIII of the LinuxFromScratch book,
<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html">Installing a kernel</ulink>
and, if necessary,
<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html">Making the LFS system bootable</ulink>;
note that you will need to reboot
to actually run your new kernel.</para></footnote>-->
</para>

<para>Whether you compile these options into the kernel or build them as
modules depends on your personal preferences and experience. Note that the
firewall scripts quoted later in this chapter assume that the netfilter
options are built as modules, and therefore load them first.</para>

<screen>Networking options menu
  Network packet filtering: Y
  Unix domain sockets: Y or M
  TCP/IP networking: Y
  IP: advanced router: Y
  IP: verbose route monitoring: Y
  IP: TCP Explicit Congestion Notification support: Y
  IP: TCP syncookie support: Y
  IP: Netfilter Configuration menu
    Every option: Y or M, except
      ipchains (2.2-style) support: N
      ipfwadm (2.0-style) support: N
  Fast switching: N</screen>

<para>Make sure that <userinput>Fast switching</userinput>
(CONFIG_NET_FASTROUTE) really is disabled: it sets up a bypass around the
netfilter hooks, so the packets it forwards never reach your firewall
rules. The ipchains and ipfwadm compatibility options
(CONFIG_IP_NF_COMPAT_*) provide the 2.0- and 2.2-style interfaces and
cannot be loaded at the same time as the iptables modules, so leave them
out as well.</para>
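<para>As an added example (not part of this book), the following shell
script checks an existing kernel configuration file against the options
listed above. It uses the CONFIG_ symbols this section names
(CONFIG_NETFILTER, CONFIG_UNIX, CONFIG_INET, CONFIG_IP_ADVANCED_ROUTER,
CONFIG_IP_ROUTE_VERBOSE, CONFIG_INET_ECN, CONFIG_SYN_COOKIES,
CONFIG_IP_NF_*, CONFIG_IP_NF_COMPAT_* and CONFIG_NET_FASTROUTE); the
compatibility options are matched by their CONFIG_IP_NF_COMPAT_ prefix, so
no individual symbol names beyond those are assumed. The two sample
configuration files it can write are constructed for the demonstration and
are not real kernel output; the specific CONFIG_IP_NF_ names in them are
2.4-era examples chosen by the editor. Run it against the .config in your
kernel source tree, against /boot/config-&lt;version&gt;, or against a
decompressed /proc/config.gz on kernels that provide one.</para>

```sh
#!/bin/sh
# Added example, not part of the BLFS book: audit a kernel configuration file
# against the firewall options this section lists. Symbol names follow the
# section's own table; the file may be the kernel tree's .config,
# /boot/config-$(uname -r), or a decompressed /proc/config.gz.

# Must be built in: the book marks these "Y".
FW_REQUIRE_Y="CONFIG_NETFILTER CONFIG_INET CONFIG_IP_ADVANCED_ROUTER
CONFIG_IP_ROUTE_VERBOSE CONFIG_INET_ECN CONFIG_SYN_COOKIES"
# Built in or as a module: the book marks this "Y or M".
FW_REQUIRE_YM="CONFIG_UNIX"
# Must be off: fast switching forwards packets around the netfilter hooks,
# so rules never see that traffic. The 2.0/2.2 compatibility layers
# (CONFIG_IP_NF_COMPAT_*) are matched by prefix below.
FW_FORBID="CONFIG_NET_FASTROUTE"

# kconfig_value FILE SYMBOL: prints y, m, n ("is not set") or "" (absent).
kconfig_value() {
    if grep -q "^$2=y\$" "$1"; then echo y
    elif grep -q "^$2=m\$" "$1"; then echo m
    elif grep -q "^# $2 is not set\$" "$1"; then echo n
    else echo ""
    fi
}

# fw_report FILE: prints one FAIL/WARN line per finding; always returns 0.
fw_report() {
    cfg=$1
    for sym in $FW_REQUIRE_Y; do
        v=$(kconfig_value "$cfg" "$sym")
        [ "$v" = y ] || echo "FAIL: $sym must be =y (found: ${v:-absent})"
    done
    for sym in $FW_REQUIRE_YM; do
        v=$(kconfig_value "$cfg" "$sym")
        case $v in
            y|m) ;;
            *) echo "FAIL: $sym must be =y or =m (found: ${v:-absent})" ;;
        esac
    done
    for sym in $FW_FORBID; do
        v=$(kconfig_value "$cfg" "$sym")
        case $v in
            y|m) echo "FAIL: $sym must be off (found: $v)" ;;
        esac
    done
    # Any enabled ipchains/ipfwadm compatibility option is a failure.
    for line in $(grep -E '^CONFIG_IP_NF_COMPAT_[A-Z0-9_]+=(y|m)$' "$cfg" || true); do
        echo "FAIL: ${line%=*} (2.0/2.2 compatibility) must be off"
    done
    # The book enables every other netfilter option; report unset ones.
    for sym in $(sed -n 's/^# \(CONFIG_IP_NF_[A-Z0-9_]*\) is not set$/\1/p' "$cfg"); do
        case $sym in
            CONFIG_IP_NF_COMPAT_*) ;;
            *) echo "WARN: $sym is not set (book says Y or M for all netfilter options)" ;;
        esac
    done
    :
}

# fw_check_config FILE: prints the report, returns 0 only if nothing FAILed.
fw_check_config() {
    fw_report "$1"
    [ "$(fw_report "$1" | grep -c '^FAIL')" -eq 0 ]
}

# fw_write_sample_configs DIR: writes two constructed sample configs (not real
# kernel output; the CONFIG_IP_NF_* names are 2.4-era examples) for testing.
fw_write_sample_configs() {
    cat > "$1/good.config" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_UNIX=m
CONFIG_INET=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_INET_ECN=y
CONFIG_SYN_COOKIES=y
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
# CONFIG_IP_NF_COMPAT_IPCHAINS is not set
# CONFIG_IP_NF_COMPAT_IPFWADM is not set
# CONFIG_NET_FASTROUTE is not set
EOF
    cat > "$1/bad.config" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_INET_ECN=y
# CONFIG_SYN_COOKIES is not set
CONFIG_IP_NF_IPTABLES=m
# CONFIG_IP_NF_MATCH_LIMIT is not set
CONFIG_IP_NF_COMPAT_IPCHAINS=m
CONFIG_NET_FASTROUTE=y
EOF
}

# Usage: sh fwcheck.sh /path/to/.config
if [ $# -gt 0 ]; then fw_check_config "$1"; fi
```

<para>Lines beginning with FAIL are the hard requirements from the list
above (a required option missing, or fast switching or a compatibility
layer enabled); WARN lines mark netfilter options that are unset, which the
book tells you to enable but which a particular rule set may not need.</para>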

<!--
<table frame='none'>
<title>Essential config-options for a firewall enabled Kernel</title>

<tgroup cols='5'>
<colspec colnum='1' colwidth='8*' align='center'/>
<colspec colnum='2' colwidth='19*' align='left'/>
<colspec colnum='3' colwidth='11*' align='center'/>
<colspec colnum='4' colwidth='1*' align='center'/>
<colspec colnum='5' colwidth='14*' align='left'/>

<tbody>

<row>
<entry><emphasis><userinput>Networking options:</userinput></emphasis></entry>
<entry><userinput>Network packet filtering</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_NETFILTER</entry>
</row>

<row>
<entry></entry>
<entry><userinput>Unix domain sockets</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_UNIX</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: TCP/IP networking</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_INET</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: advanced router</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_IP_ADVANCED_ROUTER</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: verbose route monitoring</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_IP_ROUTE_VERBOSE</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: TCP Explicit Congestion Notification support</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_INET_ECN</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: TCP syncookie support</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_SYN_COOKIES</entry>
</row>

<row>
<entry></entry>
<entry align='center'>
<emphasis><userinput>IP: Netfilter Configuration:</userinput></emphasis></entry>
<entry align='left'><userinput>every option</userinput></entry>
<entry>=</entry>
<entry>CONFIG_IP_NF_*</entry>
</row>

<row>
<entry></entry>
<entry align='right'><emphasis>WITHOUT:</emphasis></entry>
<entry align='left'><literallayout><userinput>ipchains (2.2-style) support
ipfwadm (2.0-style) support</userinput></literallayout></entry>
<entry>w\</entry>
<entry>CONFIG_IP_NF_COMPAT_*</entry>
</row>

<row>
<entry></entry>
<entry><userinput>Fast switching</userinput></entry>
<entry>Make sure to disable it, because it would set up a bypass around
your firewall rules.</entry>
<entry>w\</entry>
<entry>CONFIG_NET_FASTROUTE</entry>
</row>

</tbody>

</tgroup>

</table> -->

</sect2>