source: postlfs/security/firewalling/kernel.xml@ 1ea79a1

Last change on this file since 1ea79a1 was 1ea79a1, checked in by Bruce Dubbs <bdubbs@…>, 17 years ago

Typos and punctuation

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@2236 af4574ff-66df-0310-9fd7-8a98e5e911e0

<sect2 id="postlfs-security-fw-kernel" xreflabel="getting a firewalling-enabled Kernel">
<title>Getting a firewall-enabled Kernel</title>

<para>If you want your Linux box to have a firewall, you must first ensure
that your kernel has been compiled with the relevant options turned on.
<!-- <footnote><para>If you needed assistance how to configure, compile and install
a new kernel, refer back to chapter VIII of the LinuxFromScratch book,
<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html">Installing a kernel</ulink>
 and eventually
<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html">Making the LFS system bootable</ulink>
; note, that you'll need to reboot
to actually run your new kernel.</para></footnote>-->
</para>

<para>Whether you compile these options into the kernel or build them as
modules depends on your personal preferences and experience. Note that the
quoted scripts assume that the modules need to be loaded first.</para>

<screen>Network options menu
  Network packet filtering: Y
  Unix domain sockets: Y or M
  TCP/IP networking: Y
  IP: advanced router: Y
  IP: verbose route monitoring: Y
  IP: TCP Explicit Congestion Notification support: Y
  IP: TCP syncookie support: Y
  IP: Netfilter Configuration menu
    Every option except: Y or M
      ipchains (2.2-style) support: N
      ipfwadm (2.0-style) support: N
  Fast switching: N</screen>

<!--
<table frame='none'>
<title>Essential config-options for a firewall enabled Kernel</title>

<tgroup cols='5'>
<colspec colnum='1' colwidth='8*' align='center'/>
<colspec colnum='2' colwidth='19*' align='left'/>
<colspec colnum='3' colwidth='11*' align='center'/>
<colspec colnum='4' colwidth='1*' align='center'/>
<colspec colnum='5' colwidth='14*' align='left'/>

<tbody>

<row>
<entry><emphasis><userinput>Networking options:</userinput></emphasis></entry>
<entry><userinput>Network packet filtering</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_NETFILTER</entry>
</row>

<row>
<entry></entry>
<entry><userinput>Unix domain sockets</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_UNIX</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: TCP/IP networking</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_INET</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: advanced router</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_IP_ADVANCED_ROUTER</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: verbose route monitoring</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_IP_ROUTE_VERBOSE</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: TCP Explicit Congestion Notification support</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_INET_ECN</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: TCP syncookie support</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_SYN_COOKIES</entry>
</row>

<row>
<entry></entry>
<entry align='center'>
<emphasis><userinput>IP: Netfilter Configuration:</userinput></emphasis></entry>
<entry align='left'><userinput>every option</userinput></entry>
<entry>=</entry>
<entry>CONFIG_IP_NF_*</entry>
</row>

<row>
<entry></entry>
<entry align='right'><emphasis>WITHOUT:</emphasis></entry>
<entry align='left'><literallayout><userinput>ipchains (2.2-style) support
ipfw-adm (2.0-style) support</userinput></literallayout></entry>
<entry>w\</entry>
<entry>CONFIG_IP_NF_COMPAT_*</entry>
</row>

<row>
<entry></entry>
<entry><userinput>Fast switching</userinput></entry>
<entry>Make sure to disable it because it would setup a bypass around
your firewall rules.</entry>
<entry>w\</entry>
<entry>CONFIG_NET_FASTROUTE</entry>
</row>

</tbody>

</tgroup>

</table> -->

</sect2>
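
The option list in this file can be checked mechanically against a kernel configuration. The script below is an added example, not part of the BLFS source; it uses the CONFIG_ symbol names from the file's commented-out table, and the `.config` path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example: audit a kernel .config against the option list on this page.
# Symbol names are taken from the page's commented-out table.

BUILTIN="CONFIG_NETFILTER CONFIG_INET CONFIG_IP_ADVANCED_ROUTER
CONFIG_IP_ROUTE_VERBOSE CONFIG_INET_ECN CONFIG_SYN_COOKIES"   # listed as Y
Y_OR_M="CONFIG_UNIX"                                          # listed as Y or M
# Listed as N: fast switching and the ipchains/ipfwadm compatibility layers.
FORBIDDEN='^(CONFIG_NET_FASTROUTE|CONFIG_IP_NF_COMPAT_[A-Z0-9_]+)=[ym]$'

# check_fw_config FILE: print one finding per line; return 0 when the config
# matches the list, 1 when it does not, 2 when FILE is unreadable.
check_fw_config() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    findings=$(
        for opt in $BUILTIN; do
            grep -q "^$opt=y\$" "$cfg" || echo "MISSING $opt (want y)"
        done
        for opt in $Y_OR_M; do
            grep -Eq "^$opt=[ym]\$" "$cfg" || echo "MISSING $opt (want y or m)"
        done
        # "Every option" in the Netfilter menu: flag any left unset,
        # except the compat options, which must stay off.
        grep -E '^# CONFIG_IP_NF_[A-Z0-9_]+ is not set$' "$cfg" |
            grep -v 'CONFIG_IP_NF_COMPAT_' |
            sed -E 's/^# (CONFIG_[A-Z0-9_]+) is not set$/MISSING \1 (want y or m)/'
        # Options the page says to disable but which are built in or modular.
        grep -E "$FORBIDDEN" "$cfg" | sed -E 's/^([^=]+)=.*/FORBIDDEN \1 (want n)/'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage (path is an assumption): sh check-fw-config.sh /usr/src/linux/.config
if [ $# -gt 0 ]; then
    check_fw_config "$1"
fi
```

A `FORBIDDEN CONFIG_NET_FASTROUTE` finding is the one to treat as blocking, since the file notes that fast switching sets up a bypass around the firewall rules.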