source: postlfs/security/firewalling/kernel.xml@ 1ea79a1

Last change on this file since 1ea79a1 was 1ea79a1, checked in by Bruce Dubbs <bdubbs@…>, 20 years ago

Typos and punctuation

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@2236 af4574ff-66df-0310-9fd7-8a98e5e911e0

<sect2 id="postlfs-security-fw-kernel" xreflabel="getting a firewalling-enabled Kernel">
<title>Getting a Firewall-Enabled Kernel</title>

<para>If you want your Linux box to have a firewall, you must first ensure
that your kernel has been compiled with the relevant options turned on.
<!-- <footnote><para>If you needed assistance how to configure, compile and install
a new kernel, refer back to chapter VIII of the LinuxFromScratch book,
<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html">Installing a kernel</ulink>
 and eventually
<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html">Making the LFS system bootable</ulink>
; note, that you'll need to reboot
to actually run your new kernel.</para></footnote>-->
</para>

<para>Whether you compile these options into the kernel or build them
as modules depends on your personal preferences and experience. Note
that the quoted scripts assume that the modules need to be loaded
first.</para>

<screen>Network options menu
  Network packet filtering:                             Y
  Unix domain sockets:                                  Y or M
  TCP/IP networking:                                    Y
  IP: advanced router:                                  Y
  IP: verbose route monitoring:                         Y
  IP: TCP Explicit Congestion Notification support:     Y
  IP: TCP syncookie support:                            Y
  IP: Netfilter Configuration menu
    Every option except:                                Y or M
      ipchains (2.2-style) support                      N
      ipfwadm (2.0-style) support                       N
  Fast switching:                                       N</screen>

<!--
<table frame='none'>
<title>Essential config-options for a firewall enabled Kernel</title>

<tgroup cols='5'>
<colspec colnum='1' colwidth='8*' align='center'/>
<colspec colnum='2' colwidth='19*' align='left'/>
<colspec colnum='3' colwidth='11*' align='center'/>
<colspec colnum='4' colwidth='1*' align='center'/>
<colspec colnum='5' colwidth='14*' align='left'/>

<tbody>

<row>
<entry><emphasis><userinput>Networking options:</userinput></emphasis></entry>
<entry><userinput>Network packet filtering</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_NETFILTER</entry>
</row>

<row>
<entry></entry>
<entry><userinput>Unix domain sockets</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_UNIX</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: TCP/IP networking</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_INET</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: advanced router</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_IP_ADVANCED_ROUTER</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: verbose route monitoring</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_IP_ROUTE_VERBOSE</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: TCP Explicit Congestion Notification support</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_INET_ECN</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: TCP syncookie support</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_SYN_COOKIES</entry>
</row>

<row>
<entry></entry>
<entry align='center'>
<emphasis><userinput>IP: Netfilter Configuration:</userinput></emphasis></entry>
<entry align='left'><userinput>every option</userinput></entry>
<entry>=</entry>
<entry>CONFIG_IP_NF_*</entry>
</row>

<row>
<entry></entry>
<entry align='right'><emphasis>WITHOUT:</emphasis></entry>
<entry align='left'><literallayout><userinput>ipchains (2.2-style) support
ipfw-adm (2.0-style) support</userinput></literallayout></entry>
<entry>w\</entry>
<entry>CONFIG_IP_NF_COMPAT_*</entry>
</row>

<row>
<entry></entry>
<entry><userinput>Fast switching</userinput></entry>
<entry>Make sure to disable it because it would setup a bypass around
your firewall rules.</entry>
<entry>w\</entry>
<entry>CONFIG_NET_FASTROUTE</entry>
</row>

</tbody>

</tgroup>

</table> -->

</sect2>
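
Added example (not part of the BLFS book source): a shell check that audits a kernel .config against the options this section lists. The CONFIG_ symbol names are taken from the commented-out table in this file; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a kernel .config (on stdin) against this page's list.
# Symbol names are the 2.4-era ones from the page's commented-out table.

REQUIRED_Y="CONFIG_NETFILTER CONFIG_INET CONFIG_IP_ADVANCED_ROUTER
CONFIG_IP_ROUTE_VERBOSE CONFIG_INET_ECN CONFIG_SYN_COOKIES"   # must be y
REQUIRED_YM="CONFIG_UNIX"                                      # y or m
# Must stay off: fast switching and the ipchains/ipfwadm compat layers.
FORBIDDEN_RE='^(CONFIG_NET_FASTROUTE|CONFIG_IP_NF_COMPAT_[A-Z0-9_]*)=[ym]$'

# config_value SYMBOL: print y, m or n for SYMBOL in the text held in $cfg.
config_value() {
    v=$(printf '%s\n' "$cfg" | sed -n "s/^$1=\([ym]\)\$/\1/p" | head -n 1)
    echo "${v:-n}"
}

# audit_fw_config: read a .config on stdin, print one line per problem,
# return 0 when the config matches the page's list and 1 otherwise.
audit_fw_config() {
    cfg=$(cat); bad=0
    for sym in $REQUIRED_Y; do
        [ "$(config_value "$sym")" = y ] || { echo "MISSING $sym (need y)"; bad=1; }
    done
    for sym in $REQUIRED_YM; do
        [ "$(config_value "$sym")" != n ] || { echo "MISSING $sym (need y or m)"; bad=1; }
    done
    for sym in $(printf '%s\n' "$cfg" | grep -E "$FORBIDDEN_RE" | cut -d= -f1); do
        echo "FORBIDDEN $sym (need n)"; bad=1
    done
    return $bad
}

# Constructed sample .config: syncookies off, fast switching and ipchains on.
sample_config() {
    cat <<'EOF'
CONFIG_NETFILTER=y
CONFIG_UNIX=m
CONFIG_INET=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_INET_ECN=y
# CONFIG_SYN_COOKIES is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_COMPAT_IPCHAINS=m
CONFIG_NET_FASTROUTE=y
EOF
}

sample_config | audit_fw_config || true
```

To audit a real tree, feed it the config on stdin, for example `audit_fw_config < .config` from the kernel source directory.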