source: postlfs/security/firewalling/persfw.xml@ 1af021dc

Last change on this file since 1af021dc was 1ea79a1, checked in by Bruce Dubbs <bdubbs@…>, 20 years ago

Typos and punctuation

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@2236 af4574ff-66df-0310-9fd7-8a98e5e911e0

<sect3 id="postlfs-security-fw-persFw" xreflabel="Personal Firewall">
<title>Personal Firewall</title>

<para>A Personal Firewall is supposed to let you access all the services
offered on the Internet, but keep your box secure and your data private.</para>

<para>Below is a slightly modified version of Rusty Russell's recommendation
from the <ulink
url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">Linux
2.4 Packet Filtering HOWTO</ulink>:</para>

<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</command>
#!/bin/sh

# Begin $rc_base/init.d/firewall

# Insert connection-tracking modules (not needed if built into the kernel).
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe ipt_LOG

# allow local-only connections
iptables -A INPUT -i lo -j ACCEPT
# free output on any interface to any ip for any service (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# permit answers on already established connections
# and permit new connections related to established ones (eg active-ftp)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log everything else: What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

# set a sane policy: everything not accepted &gt; /dev/null
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr

# disable ExplicitCongestionNotification - too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn

# End $rc_base/init.d/firewall
<command>EOF</command></userinput></screen>

<para>His script is quite simple: it drops all traffic coming into your
computer that was not initiated from your box, but as long as you are simply
surfing the Internet you are unlikely to exceed its limits.</para>
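<para>As an added check (example code, not part of the BLFS book): a POSIX shell
audit that reads an iptables-save dump and verifies that it implements the policy
above (DROP default for INPUT and FORWARD, loopback accepted, a state rule, and a
LOG rule placed after the state rule). The dump below is constructed here; on a
live system pass the output of iptables-save instead.</para>

```shell
#!/bin/sh
# Added example (not from the BLFS book): audit an iptables-save dump against the
# policy of the personal firewall script above. RULESET is a constructed dump in
# the form iptables-save writes for the filter table (assumption: filter table only).
RULESET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
-A OUTPUT -j ACCEPT
COMMIT'

# chain_policy CHAIN DUMP: print the default policy of CHAIN (empty if absent).
chain_policy() {
    printf '%s\n' "$2" | sed -n "s/^:$1 \([A-Z]*\) .*/\1/p"
}

# rule_index CHAIN PATTERN DUMP: print the 1-based position of the first rule
# in CHAIN whose text contains PATTERN; print nothing if there is none.
rule_index() {
    printf '%s\n' "$3" | grep -- "^-A $1 " | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

# audit_ruleset DUMP: return 0 if DUMP implements the policy of the script on
# this page; otherwise print each missing property and return 1.
audit_ruleset() {
    rc=0
    for chain in INPUT FORWARD; do
        [ "$(chain_policy "$chain" "$1")" = DROP ] ||
            { echo "$chain policy is not DROP"; rc=1; }
    done
    [ -n "$(rule_index INPUT '-i lo -j ACCEPT' "$1")" ] ||
        { echo "loopback traffic is not accepted"; rc=1; }
    est=$(rule_index INPUT 'ESTABLISHED' "$1")
    log=$(rule_index INPUT '-j LOG' "$1")
    [ -n "$est" ] || { echo "no ESTABLISHED,RELATED accept rule"; rc=1; }
    [ -n "$log" ] || { echo "no LOG rule for rejected input"; rc=1; }
    # The LOG rule must follow the state rule, or every reply packet gets logged
    # (a missing LOG rule was already reported, so treat it as "after everything").
    if [ "${est:-0}" -gt "${log:-9999}" ]; then
        echo "LOG rule precedes the state rule"; rc=1
    fi
    return $rc
}

if audit_ruleset "$RULESET"; then echo "ruleset matches the personal firewall policy"; fi
```

Newer iptables print the state match as -m conntrack --ctstate RELATED,ESTABLISHED, which the ESTABLISHED pattern still finds.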

<para>If you frequently encounter delays when accessing FTP servers,
have a look at <xref linkend="postlfs-security-fw-busybox"/> -
<xref linkend="postlfs-security-fw-BB-4"/>.</para>

<para>Even if you have daemons or services running on your box, these
should be inaccessible from anywhere but your box itself.
If you want to allow access to services on your machine, such as ssh or pinging,
take a look at <xref linkend="postlfs-security-fw-busybox"/>.</para>

</sect3>