source: postlfs/security/firewalling/persfw.xml@ 8bf4c67

Last change on this file since 8bf4c67 was 8bf4c67, checked in by Igor Živković <igor@…>, 20 years ago

removed broken links (fixed where possible)

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@2234 af4574ff-66df-0310-9fd7-8a98e5e911e0

<sect3 id="postlfs-security-fw-persFw" xreflabel="Personal Firewall">
<title>Personal Firewall</title>

<para>A Personal Firewall is supposed to let you access all the services
offered on the Internet, but keep your box secure and your data private.</para>

<para>Below is a slightly modified version of Rusty Russell's
recommendation from the <ulink url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">Linux
2.4 Packet Filtering HOWTO</ulink>:</para>

<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</command>
#!/bin/sh

# Begin $rc_base/init.d/firewall

# Insert connection-tracking modules (not needed if built into the kernel).
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe ipt_LOG

# allow local-only connections
iptables -A INPUT -i lo -j ACCEPT
# free output on any interface to any ip for any service (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# permit answers on already established connections
# and permit new connections related to established ones (e.g. active-ftp)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log everything else: What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

# set a sane policy: everything not accepted &gt; /dev/null
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr

# disable Explicit Congestion Notification - too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn

# End $rc_base/init.d/firewall
<command>EOF</command></userinput></screen>

<para>His script is quite simple: it drops all traffic coming into your
computer that wasn't initiated from your box, but as long as you are simply
surfing the Internet you are unlikely to exceed its limits.</para>

<para>If you frequently encounter delays when accessing FTP servers,
please have a look at <xref linkend="postlfs-security-fw-busybox"/> -
<xref linkend="postlfs-security-fw-BB-4"/>.</para>

<para>Even if you have daemons or services running on your box, they
should be inaccessible from everywhere but the box itself.
If you want to allow access to services on your machine, such as ssh or pinging,
take a look at <xref linkend="postlfs-security-fw-busybox"/>.</para>

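<para>To make the rule order and the state match concrete, here is an added
Python model of the INPUT and OUTPUT chains from the script above. It is not
part of the BLFS book or of Rusty Russell's HOWTO; the class and function names
(PersonalFirewall, Packet, run_demo, summarize), the addresses and the packet
sequence are all constructed for the example, and connection tracking is reduced
to a set of flows the host opened plus a simplified active-FTP rule standing in
for ip_conntrack_ftp. It shows why a reply to a connection you opened is accepted,
why an unsolicited connection attempt is logged and then dropped by the policy,
and how the resulting FIREWALL:INPUT lines can be summarised per source and
port when you review them.</para>

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet as the host sees it (constructed sample data, not real traffic)."""
    direction: str          # "INPUT" (arriving) or "OUTPUT" (leaving)
    iface: str              # interface, e.g. "lo" or "eth0"
    proto: str              # "TCP", "UDP" or "ICMP"
    src: str
    dst: str
    sport: int = 0          # 0 for protocols without ports (ICMP)
    dport: int = 0


class PersonalFirewall:
    """Models the INPUT and OUTPUT chains of the script: the first matching rule
    wins, the LOG target does not terminate, and the chain policy applies when
    nothing matched. Connection tracking is simplified to the set of flows this
    host opened (hypothetical model, not netfilter's own conntrack)."""

    def __init__(self):
        self.opened = set()     # flows this host initiated: (proto, src, sport, dst, dport)
        self.log = []           # what the LOG target would write, in key=value style

    def _state(self, p):
        # A reply to a flow we opened is ESTABLISHED.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.opened:
            return "ESTABLISHED"
        # Active-FTP data connection: the server connects back from port 20 while we
        # hold a control connection to its port 21. ip_conntrack_ftp marks this
        # RELATED (simplified here; the real helper parses the PORT command).
        if p.proto == "TCP" and p.sport == 20:
            for proto, src, sport, dst, dport in self.opened:
                if proto == "TCP" and dst == p.src and dport == 21:
                    return "RELATED"
        return "NEW"

    def input_chain(self, p):
        # iptables -A INPUT -i lo -j ACCEPT
        if p.iface == "lo":
            return "ACCEPT"
        # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        if self._state(p) in ("ESTABLISHED", "RELATED"):
            return "ACCEPT"
        # iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "  (non-terminating)
        self.log.append(
            "FIREWALL:INPUT IN=%s OUT= SRC=%s DST=%s PROTO=%s SPT=%d DPT=%d"
            % (p.iface, p.src, p.dst, p.proto, p.sport, p.dport))
        # iptables -P INPUT DROP  (policy: nothing else matched)
        return "DROP"

    def output_chain(self, p):
        # iptables -A OUTPUT -j ACCEPT matches before the OUTPUT DROP policy is ever
        # consulted, so every outgoing packet leaves and its flow becomes trackable.
        self.opened.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return "ACCEPT"

    def process(self, p):
        if p.direction == "INPUT":
            return self.input_chain(p)
        return self.output_chain(p)


def summarize(log_lines):
    """Count logged drops by (source address, destination port), the way you would
    triage FIREWALL:INPUT lines pulled out of the kernel log."""
    counts = {}
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:] if "=" in kv)
        key = (fields.get("SRC"), int(fields.get("DPT") or 0))
        counts[key] = counts.get(key, 0) + 1
    return counts


HOST = "192.0.2.10"   # constructed address of the protected box


def run_demo():
    """Replays a constructed packet sequence through the model and returns
    (firewall, verdicts) so the outcome can be inspected."""
    fw = PersonalFirewall()
    packets = [
        Packet("OUTPUT", "eth0", "TCP", HOST, "198.51.100.7", 40000, 80),     # we open an HTTP connection
        Packet("INPUT", "eth0", "TCP", "198.51.100.7", HOST, 80, 40000),      # the reply comes back
        Packet("INPUT", "eth0", "TCP", "203.0.113.5", HOST, 51515, 22),       # unsolicited SSH attempt
        Packet("INPUT", "lo", "TCP", "127.0.0.1", "127.0.0.1", 5555, 631),    # local-only service
        Packet("OUTPUT", "eth0", "TCP", HOST, "198.51.100.9", 40001, 21),     # FTP control connection
        Packet("INPUT", "eth0", "TCP", "198.51.100.9", HOST, 20, 40002),      # active-FTP data connection
        Packet("INPUT", "eth0", "ICMP", "203.0.113.5", HOST),                 # unsolicited ping
    ]
    verdicts = [fw.process(p) for p in packets]
    return fw, verdicts


if __name__ == "__main__":
    firewall, results = run_demo()
    for verdict in results:
        print(verdict)
    for entry in firewall.log:
        print(entry)
    print(summarize(firewall.log))
```

<para>Running the demo shows the two unsolicited packets (the SSH attempt and
the ping) being logged and dropped while the HTTP reply, the loopback traffic and
the active-FTP data connection pass, which is exactly the behaviour the script's
comments describe.</para>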
</sect3>