<sect3 id="postlfs-security-fw-persFw" xreflabel="Personal Firewall">
<title>Personal Firewall</title>

<para>A Personal Firewall is supposed to let you access all the services
offered on the Internet, but keep your box secure and your data private.</para>

<para>Below is a slightly modified version of Rusty Russell's
recommendation from the <ulink
url="http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/packet-filtering-HOWTO.linuxdoc-5.html">Linux
2.4 Packet Filtering HOWTO</ulink>:</para>

<screen><userinput><command>cat > /etc/rc.d/init.d/firewall << "EOF"</command>
#!/bin/sh

# Begin $rc_base/init.d/firewall

# Insert connection-tracking modules (not needed if built into the kernel).
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe ipt_LOG

# start from an empty ruleset, so that running this script a second time
# does not append a second copy of every rule below
iptables -F
iptables -X

# allow local-only connections
iptables -A INPUT -i lo -j ACCEPT
# free output on any interface to any ip for any service (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# permit answers on already established connections
# and permit new connections related to established ones (e.g. active ftp)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log everything else: What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

# set a sane policy: everything not accepted > /dev/null
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# disable ExplicitCongestionNotification - too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# End $rc_base/init.d/firewall
<command>EOF</command></userinput></screen>
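<para>The LOG rule in the script tags every packet that is about to fall
through to the DROP policy with the prefix <literal>FIREWALL:INPUT</literal>
in the kernel log. The following script is added here as an example; it is
not part of the HOWTO or of the book. It reads such log lines on standard
input and summarizes them by source address, protocol and destination port
(ICMP type for ICMP), most frequent first, so you can see which hosts are
probing which ports. The log lines it is fed by
<function>sample_fw_log</function> are constructed for illustration.</para>

```sh
#!/bin/sh
# Summarize what the firewall's LOG rule recorded.
# Usage on a real box:  summarize_fw_log < /var/log/kern.log
# (or:  dmesg | summarize_fw_log)

summarize_fw_log() {
    # keep only the lines our LOG rule produced, then count
    # (source, protocol, destination port) triples
    grep 'FIREWALL:INPUT' |
    awk '{
        src = ""; proto = ""; dpt = "-"; icmptype = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")          # fields look like KEY=VALUE
            if (kv[1] == "SRC")   src      = kv[2]
            if (kv[1] == "PROTO") proto    = kv[2]
            if (kv[1] == "DPT")   dpt      = kv[2]
            if (kv[1] == "TYPE")  icmptype = kv[2]
        }
        if (proto == "ICMP") dpt = "type" icmptype   # ICMP has no port
        if (src != "") count[src " " proto " " dpt]++
    }
    END {
        for (k in count) printf "%6d %s\n", count[k], k
    }' | sort -rn
}

# Constructed sample of a kernel log: three SYNs to port 22 from one host,
# one NetBIOS broadcast, one ping, and one unrelated kernel message.
sample_fw_log() {
    cat <<'EOF'
Mar  3 10:15:01 lfs kernel: FIREWALL:INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4411 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:02 lfs kernel: eth0: link up, 100Mbps, full-duplex
Mar  3 10:15:03 lfs kernel: FIREWALL:INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4412 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:04 lfs kernel: FIREWALL:INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:66:77:88:99:aa:bb:08:00 SRC=198.51.100.4 DST=192.0.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=9 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar  3 10:15:05 lfs kernel: FIREWALL:INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4413 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:06 lfs kernel: FIREWALL:INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.99 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
EOF
}
```

<para>Run <command>sample_fw_log | summarize_fw_log</command> to see the
three distinct sources, with the repeated SSH probe from 203.0.113.7 at the
top. Because the script only logs packets that are about to be dropped, a
high count for one port from many sources is a scan; a high count from one
source is worth a closer look at that host.</para>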

<para>His script is quite simple: it drops all traffic coming into your
computer that was not initiated from your box. As long as you are simply
surfing the Internet you are unlikely to exceed its limits. Note that
iptables handles IPv4 only; if your kernel also has IPv6 enabled, the
same rules have to be set up with ip6tables.</para>

<para>If you frequently experience delays when accessing FTP servers,
please have a look at <xref linkend="postlfs-security-fw-busybox"/> -
<xref linkend="postlfs-security-fw-BB-4"/>.</para>

<para>Even if you have daemons or services running on your box, this
script makes them inaccessible from anywhere but the box itself.
If you want to allow access to services on your machine, such as ssh or
pinging, take a look at <xref linkend="postlfs-security-fw-busybox"/>.</para>

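<para>To confirm that the ruleset actually loaded on a box implements the
policy just described (default DROP on INPUT and FORWARD, loopback and
ESTABLISHED,RELATED traffic accepted, nothing else let in), the following
check is added here as an example; it is not part of the HOWTO or of the
book. It reads <command>iptables-save</command> output on standard input,
prints each expectation that fails, and exits non-zero if any did. It also
flags an ACCEPT rule for anything else in INPUT, which is exactly what
exposes a local daemon to the network, and an accept rule that sits behind
an earlier DROP or REJECT and therefore never matches. The two dumps it is
tested against are constructed; on a live box run
<command>iptables-save | check_personal_fw</command> as root.</para>

```sh
#!/bin/sh
# Check an iptables-save dump against the personal-firewall policy:
# INPUT and FORWARD default to DROP, loopback and ESTABLISHED,RELATED are
# accepted, and no other ACCEPT rule opens INPUT to the network.
# Usage on a real box (needs root):  iptables-save | check_personal_fw

check_personal_fw() {
    awk '
    BEGIN { in_filter = 0; in_drop = 0; fwd_drop = 0
            lo_ok = 0; state_ok = 0; shadowed = 0; bad = 0 }
    /^\*filter$/ { in_filter = 1; next }      # only the filter table matters
    /^COMMIT$/   { in_filter = 0; next }
    !in_filter   { next }
    $1 == ":INPUT"   && $2 == "DROP" { in_drop = 1; next }
    $1 == ":FORWARD" && $2 == "DROP" { fwd_drop = 1; next }
    $1 == "-A" && $2 == "INPUT" {
        if ($0 ~ /-i lo -j ACCEPT$/) {
            if (shadowed) { print "shadowed by an earlier DROP/REJECT: " $0; bad++ }
            lo_ok = 1; next
        }
        # iptables-save may print the states in either order
        if ($0 ~ /--state/ && $0 ~ /ESTABLISHED/ && $0 ~ /RELATED/ && $0 ~ /-j ACCEPT$/) {
            if (shadowed) { print "shadowed by an earlier DROP/REJECT: " $0; bad++ }
            state_ok = 1; next
        }
        # any other ACCEPT in INPUT lets the network reach a local service
        if ($0 ~ /-j ACCEPT$/) { print "exposed to the network: " $0; bad++; next }
        if ($0 ~ /-j (DROP|REJECT)/) shadowed = 1
    }
    END {
        if (!in_drop)  { print "INPUT policy is not DROP"; bad++ }
        if (!fwd_drop) { print "FORWARD policy is not DROP"; bad++ }
        if (!lo_ok)    { print "loopback traffic is not accepted"; bad++ }
        if (!state_ok) { print "ESTABLISHED,RELATED replies are not accepted"; bad++ }
        exit (bad > 0)
    }'
}

# Constructed dump: what iptables-save prints after the script above ran.
good_dump() {
    cat <<'EOF'
*filter
:INPUT DROP [12:720]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
-A OUTPUT -j ACCEPT
COMMIT
EOF
}

# Constructed dump of a box where someone opened ssh to the world and
# forgot the default policy; both mistakes must be reported.
bad_dump() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
COMMIT
EOF
}
```

<para><command>good_dump | check_personal_fw</command> prints nothing and
exits 0; <command>bad_dump | check_personal_fw</command> reports the exposed
port 22 rule and the missing DROP policy and exits 1. Checking the loaded
ruleset rather than the script catches the case where the script failed
half way (for example because a module was missing) and left the box with
an ACCEPT policy.</para>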
</sect3>