1 | <sect3 id="postlfs-security-fw-persFw" xreflabel="Personal Firewall">
|
---|
2 | <title>Personal Firewall</title>
|
---|
3 |
|
---|
4 | <para>A Personal Firewall is supposed to let you access the all services
|
---|
5 | offered on the internet, but keep your box secure and your data private.</para>
|
---|
6 |
|
---|
7 | <para>Below is a slightly modified version of Rusty Russell's
|
---|
8 | recommendation from the <ulink
|
---|
9 | url="http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/packet-filtering-HOWTO.linuxdoc-5.html">Linux
|
---|
10 | 2.4 Packet Filtering HOWTO</ulink>:</para>
|
---|
11 |
|
---|
12 | <para><screen><userinput>cat > /etc/rc.d/init.d/firewall << "EOF"</userinput>
|
---|
13 | #!/bin/sh
|
---|
14 |
|
---|
15 | # Begin $rc_base/init.d/firewall
|
---|
16 |
|
---|
17 | # Insert connection-tracking modules (not needed if built into the kernel).
|
---|
18 | modprobe ip_tables
|
---|
19 | modprobe iptable_filter
|
---|
20 | modprobe ip_conntrack
|
---|
21 | modprobe ip_conntrack_ftp
|
---|
22 | modprobe ipt_state
|
---|
23 | modprobe ipt_LOG
|
---|
24 |
|
---|
25 | # allow local-only connections
|
---|
26 | iptables -A INPUT -i lo -j ACCEPT
|
---|
27 | # free output on any interface to any ip for any service (equal to -P ACCEPT)
|
---|
28 | iptables -A OUTPUT -j ACCEPT
|
---|
29 |
|
---|
30 | # permit answers on already established connections
|
---|
31 | # and permit new connections related to established ones (eg active-ftp)
|
---|
32 | iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
---|
33 |
|
---|
34 | # Log everything else: What's Windows' latest exploitable vulnerability?
|
---|
35 | iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
|
---|
36 |
|
---|
37 | # set a sane policy: everything not accepted > /dev/null
|
---|
38 | iptables -P INPUT DROP
|
---|
39 | iptables -P FORWARD DROP
|
---|
40 | iptables -P OUTPUT DROP
|
---|
41 |
|
---|
42 | # be verbose on dynamic ip-addresses (not needed in case of static IP)
|
---|
43 | echo 2 > /proc/sys/net/ipv4/ip_dynaddr
|
---|
44 |
|
---|
45 | # disable ExplicitCongestionNotification - too many routers are still ignorant
|
---|
46 | echo 0 > /proc/sys/net/ipv4/tcp_ecn
|
---|
47 |
|
---|
48 | # End $rc_base/init.d/firewall
|
---|
49 | <userinput>EOF</userinput></screen></para>
|
---|
50 |
|
---|
51 | <para>His script is quite simple, it drops all traffic coming in into your
|
---|
52 | computer that wasn't initiated from your box, but as long as you are simply
|
---|
53 | surfing the internet you are unlikely to exceed its limits.</para>
|
---|
54 |
|
---|
55 | <para>If you frequently encounter certain delays at accessing ftp-servers,
|
---|
56 | please have a look at <xref linkend="postlfs-security-fw-busybox"/> -
|
---|
57 | <xref linkend="postlfs-security-fw-BB-4"/>.</para>
|
---|
58 |
|
---|
59 | <para>Even if you have daemons / services running on your box, these
|
---|
60 | should be inaccessible everywhere but from your box itself.
|
---|
61 | If you want to allow access to services on your machine, such as ssh or pinging,
|
---|
62 | take a look at <xref linkend="postlfs-security-fw-busybox"/>.</para>
|
---|
63 |
|
---|
64 | </sect3>
|
---|