<sect2 id="postlfs-security-fw-kernel" xreflabel="getting a firewalling-enabled Kernel">
<title>Getting a firewalling-enabled Kernel</title>

<para>If you want your Linux box to do firewalling, you must first ensure
that your kernel has been compiled with the relevant options turned on
<footnote><para>If you need assistance with how to configure, compile and install
a new kernel, refer back to chapter VIII of the LinuxFromScratch book,
<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html">Installing a kernel</ulink>
and, if necessary,
<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html">Making the LFS system bootable</ulink>;
note that you'll need to reboot
to actually run your new kernel.</para></footnote>.</para>

<para>Whether you compile these options into the kernel or build them as
modules depends on your personal preferences and experience. Note that the
scripts quoted in this chapter assume that the modules must be loaded first.</para>

<table frame='none'>
<title>Essential config-options for a firewalling-enabled Kernel</title>

<tgroup cols='5'>
<colspec colnum='1' colwidth='8*' align='center'/>
<colspec colnum='2' colwidth='19*' align='left'/>
<colspec colnum='3' colwidth='11*' align='center'/>
<colspec colnum='4' colwidth='1*' align='center'/>
<colspec colnum='5' colwidth='14*' align='left'/>

<tbody>

<row>
<entry><emphasis><userinput>Networking options:</userinput></emphasis></entry>
<entry><userinput>Network packet filtering</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_NETFILTER</entry>
</row>

<row>
<entry></entry>
<entry><userinput>Unix domain sockets</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_UNIX</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: TCP/IP networking</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_INET</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: advanced router</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_IP_ADVANCED_ROUTER</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: verbose route monitoring</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_IP_ROUTE_VERBOSE</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: TCP Explicit Congestion Notification support</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_INET_ECN</entry>
</row>

<row>
<entry></entry>
<entry><userinput>IP: TCP syncookie support</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_SYN_COOKIES</entry>
</row>

<row>
<entry></entry>
<entry align='center'>
<emphasis><userinput>IP: Netfilter Configuration:</userinput></emphasis></entry>
<entry align='left'><userinput>every option</userinput></entry>
<entry>=</entry>
<entry>CONFIG_IP_NF_*</entry>
</row>

<row>
<entry></entry>
<entry align='right'><emphasis>WITHOUT:</emphasis></entry>
<entry align='left'><literallayout><userinput>ipchains (2.2-style) support
ipfw-adm (2.0-style) support</userinput></literallayout></entry>
<entry>w\</entry>
<entry>CONFIG_IP_NF_COMPAT_*</entry>
</row>

<row>
<entry></entry>
<entry><userinput>Fast switching</userinput></entry>
<entry>Make sure to disable it, because it would set up a bypass around
your firewalling rules.</entry>
<entry>w\</entry>
<entry>CONFIG_NET_FASTROUTE</entry>
</row>

</tbody>

</tgroup>

</table>
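<para>The following script is an added example and is not part of the BLFS
book or its firewalling scripts. It checks a kernel <filename>.config</filename>
(for instance <filename>/boot/config-$(uname -r)</filename>, or the output of
<command>zcat /proc/config.gz</command>) against the table above: every
required option must be built in (<literal>y</literal>) or as a module
(<literal>m</literal>), at least one <literal>CONFIG_IP_NF_*</literal> option
must be enabled, and the 2.0/2.2 compatibility layers and fast switching must
be off. The two sample configs it writes are constructed for the demonstration
and do not describe any real kernel build.</para>

```shell
#!/bin/sh
# Added example, not from the BLFS book: audit a kernel .config for the
# firewalling options in the table above.
# Usage: check_fw_config /boot/config-$(uname -r)

# Options that must be built in (y) or as modules (m).
REQUIRED="CONFIG_NETFILTER CONFIG_UNIX CONFIG_INET CONFIG_IP_ADVANCED_ROUTER
CONFIG_IP_ROUTE_VERBOSE CONFIG_INET_ECN CONFIG_SYN_COOKIES"

# Must NOT be enabled: fast switching bypasses the netfilter hooks, and the
# ipchains/ipfwadm compatibility layers are excluded from "every CONFIG_IP_NF_*".
FORBIDDEN="CONFIG_NET_FASTROUTE"
FORBIDDEN_PREFIX="CONFIG_IP_NF_COMPAT_"

# option_state FILE OPTION -> prints y, m or n ("# ... is not set" or absent -> n)
option_state() {
    state=$(sed -n "s/^$2=\(.\).*/\1/p" "$1" | head -n 1)
    printf '%s\n' "${state:-n}"
}

# check_fw_config FILE -> prints one line per finding; returns 0 only if clean
check_fw_config() {
    cfg=$1; rc=0
    for opt in $REQUIRED; do
        case $(option_state "$cfg" "$opt") in
            y|m) ;;
            *) echo "MISSING: $opt (must be y or m)"; rc=1 ;;
        esac
    done
    for opt in $FORBIDDEN; do
        case $(option_state "$cfg" "$opt") in
            y|m) echo "ENABLED: $opt (must be unset; bypasses firewall rules)"; rc=1 ;;
        esac
    done
    if ! grep -q "^CONFIG_IP_NF_[A-Z0-9_]*=[ym]" "$cfg"; then
        echo "MISSING: no CONFIG_IP_NF_* option enabled"; rc=1
    fi
    # grep|cut: pipeline status is cut's, so a "no match" does not trip set -e
    compat=$(grep "^${FORBIDDEN_PREFIX}[A-Z0-9_]*=[ym]" "$cfg" | cut -d= -f1)
    for opt in $compat; do
        echo "ENABLED: $opt (2.0/2.2 compatibility layer must be off)"; rc=1
    done
    return $rc
}

# write_sample_config good|bad FILE: constructed sample .config fragments for
# the demonstration (not real kernel builds). "good" follows the table; "bad"
# lacks syncookies and enables ipchains compatibility and fast switching.
write_sample_config() {
    case $1 in
        good) cat > "$2" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_INET_ECN=y
CONFIG_SYN_COOKIES=y
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
# CONFIG_IP_NF_COMPAT_IPCHAINS is not set
# CONFIG_IP_NF_COMPAT_IPFWADM is not set
# CONFIG_NET_FASTROUTE is not set
EOF
        ;;
        bad) cat > "$2" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_INET_ECN=y
# CONFIG_SYN_COOKIES is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_COMPAT_IPCHAINS=m
CONFIG_NET_FASTROUTE=y
EOF
        ;;
    esac
}

# Demonstration on the two constructed configs.
demo() {
    good=$(mktemp) && bad=$(mktemp) || return 1
    write_sample_config good "$good"
    write_sample_config bad "$bad"
    for f in "$good" "$bad"; do
        if check_fw_config "$f"; then echo "$f: suitable for firewalling"
        else echo "$f: NOT suitable for firewalling"; fi
    done
    rm -f "$good" "$bad"
}
demo
```

<para>Run it against a real config with
<command>check_fw_config /boot/config-$(uname -r)</command>, or against
<filename>/proc/config.gz</filename> after <command>zcat</command>-ing it to a
temporary file. The check only reads the build configuration; whether the
modules are actually loaded at boot is a separate matter, which is why the
scripts in this chapter load them first.</para>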

</sect2>