source: postlfs/security/firewalling/kernel.xml@ 0d1379a

<sect2 id="postlfs-security-fw-kernel" xreflabel="getting a firewalling-enabled Kernel">
<title>Getting a firewalling-enabled Kernel</title>

<para>If you want your Linux-Box to do firewalling you must first ensure 
that your kernel has been compiled with the relevant options turned on
<footnote><para>If you needed assistance howto configure, compile and install 
a new kernel, refer back to chapter VIII of the LinuxFromScratch book, 
<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html">Installing a kernel</ulink>
 and eventually 
<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html">Making the LFS system bootable</ulink>
; note, that you'll need to reboot 
to actually run your new kernel.</para></footnote>.</para>

<para>How to configure your kernel, with enabling the options to be 
either compiled into the kernel or as modules, depends on your personal 
preferences and experience. Note, that for the quoted scripts it is assumed 
that the modules need to be loaded at first.</para>

<table frame='none'>
<title>Essential config-options for a firewalling-enabled Kernel</title>

<tgroup cols='5'>
<colspec colnum='1' colwidth='8*'  align='center'/>
<colspec colnum='2' colwidth='19*' align='left'/>
<colspec colnum='3' colwidth='11*' align='center'/>
<colspec colnum='4' colwidth='1*'  align='center'/>
<colspec colnum='5' colwidth='14*' align='left'/>

<tbody>

<row>
<entry><emphasis><userinput>Networking options:</userinput></emphasis></entry>
<entry><userinput>Network packet filtering</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_NETFILTER</entry>
</row>

<row>
<entry></entry>
<entry><userinput>Unix domain sockets</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_UNIX</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: TCP/IP networking</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_INET</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: advanced router</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_IP_ADVANCED_ROUTER</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: verbose route monitoring</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_IP_ROUTE_VERBOSE</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: TCP Explicit Congestion Notification support</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_INET_ECN</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: TCP syncookie support</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_SYN_COOKIES</entry>
</row>

<row>
<entry></entry>
<entry align='center'>
<emphasis><userinput>IP: Netfilter Configuration:</userinput></emphasis></entry>
<entry align='left'><userinput>every option</userinput></entry>
<entry>=</entry>
<entry>CONFIG_IP_NF_*</entry>
</row>

<row>
<entry></entry>
<entry align='right'><emphasis>WITHOUT:</emphasis></entry>
<entry align='left'><literallayout><userinput>ipchains (2.2-style) support
ipfw-adm (2.0-style) support</userinput></literallayout></entry>
<entry>w\</entry>
<entry>CONFIG_IP_NF_COMPAT_*</entry>
</row>

<row>
<entry></entry>
<entry><userinput>Fast switching</userinput></entry>
<entry>Make sure to disable it because it would setup a bypass around
your firewalling-rules.</entry>
<entry>w\</entry>
<entry>CONFIG_NET_FASTROUTE</entry>
</row>

</tbody>

</tgroup>

</table>

</sect2>