<sect2 id="postlfs-security-fw-kernel" xreflabel="getting a firewalling-enabled Kernel">
<title>Getting a firewall-enabled Kernel</title>

<para>If you want your Linux box to act as a firewall, you must first ensure
that your kernel has been compiled with the relevant options turned on
<!-- <footnote><para>If you need assistance on how to configure, compile and install
a new kernel, refer back to chapter VIII of the LinuxFromScratch book,
<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html">Installing a kernel</ulink>
and eventually
<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html">Making the LFS system bootable</ulink>
; note that you'll need to reboot
to actually run your new kernel.</para></footnote>-->.</para>

<para>How you configure your kernel, and whether you enable the options
below as built-in or as modules, depends on your personal preferences and
experience. Note that the firewall scripts quoted in the following sections
assume that the netfilter parts were built as modules, and therefore load
them before installing any rules.</para>

<screen>Networking options menu
  Network packet filtering (CONFIG_NETFILTER): Y
  Unix domain sockets (CONFIG_UNIX): Y or M
  TCP/IP networking (CONFIG_INET): Y
  IP: advanced router (CONFIG_IP_ADVANCED_ROUTER): Y
  IP: verbose route monitoring (CONFIG_IP_ROUTE_VERBOSE): Y
  IP: TCP Explicit Congestion Notification support (CONFIG_INET_ECN): Y
  IP: TCP syncookie support (CONFIG_SYN_COOKIES): Y
  IP: Netfilter Configuration menu
    Every option (CONFIG_IP_NF_*): Y or M
    except:
    ipchains (2.2-style) support (CONFIG_IP_NF_COMPAT_*): N
    ipfwadm (2.0-style) support (CONFIG_IP_NF_COMPAT_*): N
  Fast switching (CONFIG_NET_FASTROUTE): N</screen>

<para>Make sure that Fast switching is disabled: it sets up a bypass around
your firewall rules, so forwarded packets could leave the box without ever
being checked against them.</para>
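<para>The following shell script is an added example for this section; it is
not part of the BLFS book or of the kernel sources. It reads a kernel
<filename>.config</filename> (the path is yours to supply, for instance
<filename>/usr/src/linux/.config</filename> for a tree you have just
configured) and reports every option from the list above that is missing or
at the wrong level, plus the ones that must not be enabled. The two sample
configs it writes are constructed for the demonstration; the
<literal>CONFIG_IP_NF_*</literal> entries in them are only illustrative,
since the exact set of names in that menu depends on the kernel version.</para>

```sh
#!/bin/sh
# Added example, not from the BLFS book or the kernel sources: audit a
# kernel .config against the option list in this section. Only the CONFIG_*
# symbols quoted above are hard-coded; the path is whatever you pass in.

# Print y, m or n for SYMBOL in FILE. A .config records a disabled option as
# "# CONFIG_FOO is not set" or omits it entirely; both come back as n.
cfg_value() {
    if grep -q "^$2=y\$" "$1"; then echo y
    elif grep -q "^$2=m\$" "$1"; then echo m
    else echo n
    fi
}

# Return 0 when FILE has every option this section asks for at the required
# level and none of the ones it rules out; print one line per finding.
check_kernel_config() {
    cfg=$1
    fails=0

    # The section lists these as Y, i.e. built in rather than modular.
    for sym in CONFIG_NETFILTER CONFIG_INET CONFIG_IP_ADVANCED_ROUTER \
               CONFIG_IP_ROUTE_VERBOSE CONFIG_INET_ECN CONFIG_SYN_COOKIES; do
        [ "$(cfg_value "$cfg" "$sym")" = y ] ||
            { echo "MISSING   $sym must be =y"; fails=$((fails + 1)); }
    done

    # Built in or module both satisfy "Y or M".
    [ "$(cfg_value "$cfg" CONFIG_UNIX)" != n ] ||
        { echo "MISSING   CONFIG_UNIX must be =y or =m"; fails=$((fails + 1)); }

    # Something from the Netfilter Configuration menu must be selected; the
    # exact CONFIG_IP_NF_* names vary between kernel versions, so match the
    # prefix rather than a fixed list ...
    grep -Eq '^CONFIG_IP_NF_[A-Z0-9_]+=(y|m)$' "$cfg" ||
        { echo "MISSING   no CONFIG_IP_NF_* option is enabled"; fails=$((fails + 1)); }

    # ... but the ipchains/ipfwadm compatibility layers stay off, and so does
    # fast switching, which sets up a bypass around the firewall rules.
    for bad in $(grep -Eo '^CONFIG_(IP_NF_COMPAT_[A-Z0-9_]+|NET_FASTROUTE)=(y|m)' "$cfg" |
                 cut -d= -f1); do
        echo "FORBIDDEN $bad is enabled"
        fails=$((fails + 1))
    done

    [ "$fails" -eq 0 ]
}

# Constructed sample configs for the demonstration (not real kernel output).
write_good_config() {
    cat > "$1" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_INET_ECN=y
CONFIG_SYN_COOKIES=y
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
# CONFIG_IP_NF_COMPAT_IPCHAINS is not set
# CONFIG_IP_NF_COMPAT_IPFWADM is not set
# CONFIG_NET_FASTROUTE is not set
EOF
}

write_bad_config() {
    cat > "$1" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_UNIX=m
CONFIG_INET=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_INET_ECN=y
# CONFIG_SYN_COOKIES is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_COMPAT_IPCHAINS=m
CONFIG_NET_FASTROUTE=y
EOF
}

# Demo: swap the temp files for your own .config to audit a real kernel.
good=$(mktemp); bad=$(mktemp)
write_good_config "$good"; write_bad_config "$bad"
check_kernel_config "$good" && echo "$good: firewall-ready"
check_kernel_config "$bad"  || echo "$bad: NOT firewall-ready"
rm -f "$good" "$bad"
```

<para>A non-zero exit status from <command>check_kernel_config</command>
means at least one finding was printed; run it against your real
<filename>.config</filename> before building, and again against the
<filename>System.map</filename>-adjacent config of the kernel you actually
boot, since a stale config in <filename>/usr/src/linux</filename> is a
common reason for rules that load fine but never match anything.</para>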

<!--
<table frame='none'>
<title>Essential config-options for a firewall-enabled Kernel</title>

<tgroup cols='5'>
<colspec colnum='1' colwidth='8*' align='center'/>
<colspec colnum='2' colwidth='19*' align='left'/>
<colspec colnum='3' colwidth='11*' align='center'/>
<colspec colnum='4' colwidth='1*' align='center'/>
<colspec colnum='5' colwidth='14*' align='left'/>

<tbody>

<row>
<entry><emphasis><userinput>Networking options:</userinput></emphasis></entry>
<entry><userinput>Network packet filtering</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_NETFILTER</entry>
</row>

<row>
<entry></entry>
<entry><userinput>Unix domain sockets</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_UNIX</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: TCP/IP networking</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_INET</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: advanced router</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_IP_ADVANCED_ROUTER</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: verbose route monitoring</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_IP_ROUTE_VERBOSE</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: TCP Explicit Congestion Notification support</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_INET_ECN</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: TCP syncookie support</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_SYN_COOKIES</entry>
</row>

<row>
<entry></entry>
<entry align='center'>
<emphasis><userinput>IP: Netfilter Configuration:</userinput></emphasis></entry>
<entry align='left'><userinput>every option</userinput></entry>
<entry>=</entry>
<entry>CONFIG_IP_NF_*</entry>
</row>

<row>
<entry></entry>
<entry align='right'><emphasis>WITHOUT:</emphasis></entry>
<entry align='left'><literallayout><userinput>ipchains (2.2-style) support
ipfwadm (2.0-style) support</userinput></literallayout></entry>
<entry>w\</entry>
<entry>CONFIG_IP_NF_COMPAT_*</entry>
</row>

<row>
<entry></entry>
<entry><userinput>Fast switching</userinput></entry>
<entry>Make sure to disable it, because it would set up a bypass around
your firewall rules.</entry>
<entry>w\</entry>
<entry>CONFIG_NET_FASTROUTE</entry>
</row>

</tbody>

</tgroup>

</table> -->

</sect2>