source: postlfs/security/firewalling/persfw.xml@ 8bf4c67

Last change on this file since 8bf4c67 was 8bf4c67, checked in by Igor Živković <igor@…>, 17 years ago

removed broken links (fixed where possible)

<sect3 id="postlfs-security-fw-persFw" xreflabel="Personal Firewall">
<title>Personal Firewall</title>

<para>A Personal Firewall is supposed to let you access all the services
offered on the Internet while keeping your box secure and your data private.</para>

<para>Below is a slightly modified version of Rusty Russell's
recommendation from the <ulink url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">Linux
2.4 Packet Filtering HOWTO</ulink>:</para>

<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</command>
#!/bin/sh

# Begin $rc_base/init.d/firewall

# Insert the netfilter and connection-tracking modules (not needed if built into the kernel).
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe ipt_LOG

# Allow local-only connections (loopback interface)
iptables -A INPUT -i lo -j ACCEPT
# Free output on any interface to any IP for any service (equivalent to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# Permit answers on already established connections, and permit new
# connections related to established ones (e.g. the data channel of active FTP,
# which the ip_conntrack_ftp helper loaded above tracks)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log everything else before it is dropped; the prefix makes these lines easy
# to find in the kernel log.  This rule has no rate limit, so a flood of
# unsolicited packets fills the log at the same rate it arrives.
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

# Set a sane policy: everything not accepted above is dropped silently
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Be verbose on dynamic IP addresses (not needed in case of a static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr

# Disable Explicit Congestion Notification - too many routers still mishandle it
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn

# End $rc_base/init.d/firewall
<command>EOF</command></userinput></screen>

<para>His script is quite simple: it drops all traffic coming into your
computer that was not initiated from your box, but as long as you are simply
surfing the Internet you are unlikely to run into its limits.</para>
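<para>The LOG rule in the script writes one kernel-log line per dropped packet,
prefixed with "FIREWALL:INPUT ", and those lines are the only record of what the
firewall turned away. The following Python script is an added example, not part
of the BLFS book or of Rusty Russell's HOWTO: it parses such lines from the kernel
log and lists sources that probed several TCP ports. The log lines embedded in it
are constructed for illustration, and the threshold of three distinct ports in
<function>port_scan_suspects</function> is an arbitrary assumption, not a value
from the HOWTO.</para>

```python
"""Summarise netfilter LOG lines written by the 'FIREWALL:INPUT ' rule."""
import re
import sys
from collections import Counter, defaultdict

# Log prefix used by the firewall script's LOG rule.
LOG_PREFIX = "FIREWALL:INPUT "

# A syslog line carries "kernel: " (optionally followed by a printk timestamp
# such as "[ 1234.567] ") before the netfilter prefix; everything after the
# prefix is a run of KEY=VALUE tokens plus bare flag tokens (DF, SYN, ...).
_PREFIX_RE = re.compile(
    r"kernel: (?:\[\s*\d+\.\d+\] )?" + re.escape(LOG_PREFIX) + r"(?P<fields>.*)$"
)

# Constructed sample data (not captured from a real system): a host that probes
# four TCP ports, an mDNS packet, a ping, and an unrelated kernel message.
SAMPLE_LOG = """\
Mar  3 10:01:11 lfs kernel: FIREWALL:INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:12 lfs kernel: FIREWALL:INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=41235 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:12 lfs kernel: FIREWALL:INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=41236 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:13 lfs kernel: FIREWALL:INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=41237 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:02:40 lfs kernel: FIREWALL:INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=5353 DPT=5353 LEN=40
Mar  3 10:02:41 lfs kernel: FIREWALL:INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  3 10:02:41 lfs kernel: eth0: link is up
"""


def parse_log_line(line):
    """Return a dict of the KEY=VALUE fields of one LOG line, or None.

    Bare tokens (DF, SYN, ACK, ...) are collected under "flags".  When a key
    repeats (ICMP lines carry the IP header's ID= and LEN= and then the ICMP
    ones) the first occurrence, i.e. the IP header value, is kept.
    """
    match = _PREFIX_RE.search(line)
    if not match:
        return None
    record = {"flags": []}
    for token in match.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)
            record.setdefault(key, value)
        else:
            record["flags"].append(token)
    return record


def parse_log(text):
    """Parse every FIREWALL:INPUT line in text, skipping unrelated lines."""
    records = (parse_log_line(line) for line in text.splitlines())
    return [r for r in records if r is not None]


def summarize(records):
    """Count dropped packets per (protocol, destination port or ICMP type)."""
    counts = Counter()
    for r in records:
        proto = r.get("PROTO", "?")
        target = r.get("DPT") or ("type" + r["TYPE"] if "TYPE" in r else "-")
        counts[(proto, target)] += 1
    return counts


def port_scan_suspects(records, min_ports=3):
    """Sources whose dropped TCP SYNs hit at least min_ports distinct ports."""
    ports = defaultdict(set)
    for r in records:
        if r.get("PROTO") == "TCP" and "SYN" in r["flags"] and "DPT" in r:
            ports[r["SRC"]].add(r["DPT"])
    return sorted(src for src, hit in ports.items() if len(hit) >= min_ports)


def report(records):
    """Human-readable summary of the parsed drops."""
    lines = ["%-5s %-8s %d" % (proto, target, n)
             for (proto, target), n in sorted(summarize(records).items())]
    suspects = port_scan_suspects(records)
    lines.append("possible port scans from: " + (", ".join(suspects) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    # With a file argument (e.g. /var/log/kern.log) analyse that; otherwise
    # run on the constructed sample so the script is self-demonstrating.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(parse_log(text)))
```

<para>Point it at whatever file your syslog daemon sends kernel messages to;
because the LOG rule sits after the ESTABLISHED,RELATED rule, every line it
produces is a packet the box did not ask for, so a single source appearing with
many distinct destination ports is a reasonable first signal of a scan.</para>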

<para>If you frequently encounter delays when accessing FTP servers,
please have a look at <xref linkend="postlfs-security-fw-busybox"/> -
<xref linkend="postlfs-security-fw-BB-4"/>.</para>

<para>Even if you have daemons / services running on your box, this script
leaves them inaccessible from anywhere but the box itself.
If you want to allow access to services on your machine, such as ssh or ping,
take a look at <xref linkend="postlfs-security-fw-busybox"/>.</para>

</sect3>