source: postlfs/security/firewalling/persfw.xml@ f45b1953

Last change on this file since f45b1953 was f45b1953, checked in by Mark Hymers <markh@…>, 22 years ago

Initial revision

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@3 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 2.5 KB
<sect3 id="postlfs-security-fw-persFw" xreflabel="Personal Firewall">
<title>Personal Firewall</title>

<para>A Personal Firewall is supposed to let you access all the services
offered on the internet, but keep your box secure and your data private.</para>

<para>Below is a slightly modified version of Rusty Russell's
recommendation from the <ulink
url="http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/packet-filtering-HOWTO.linuxdoc-5.html">Linux
2.4 Packet Filtering HOWTO</ulink>:</para>

<para><screen><userinput>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</userinput>
#!/bin/sh

# Begin $rc_base/init.d/firewall

# Insert connection-tracking modules (not needed if built into the kernel).
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe ipt_LOG

# allow local-only connections
iptables -A INPUT -i lo -j ACCEPT
# free output on any interface to any ip for any service (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# permit answers on already established connections
# and permit new connections related to established ones (e.g. active FTP)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log everything else: What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

# set a sane policy: everything not accepted &gt; /dev/null
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr

# disable ExplicitCongestionNotification - too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn

# End $rc_base/init.d/firewall
<userinput>EOF</userinput></screen></para>

<para>His script is quite simple: it drops all traffic coming into your
computer that wasn't initiated from your box, but as long as you are simply
surfing the internet you are unlikely to exceed its limits.</para>

<para>If you frequently encounter delays when accessing FTP servers,
please have a look at <xref linkend="postlfs-security-fw-busybox"/> -
<xref linkend="postlfs-security-fw-BB-4"/>.</para>

<para>Even if you have daemons or services running on your box, these
should be inaccessible from everywhere except your box itself.
If you want to allow access to services on your machine, such as ssh or ping,
take a look at <xref linkend="postlfs-security-fw-busybox"/>.</para>

</sect3>
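
One way to check that a loaded ruleset still matches the posture described above (INPUT accepts only loopback and reply traffic, everything else is dropped). This is an added example, not part of the BLFS book: `audit_personal_fw` is a hypothetical helper name, both sample rulesets are constructed, and the input is assumed to be in `iptables -S` format.

```shell
#!/bin/sh
# Added example, not BLFS code. Reads `iptables -S` output on stdin, prints
# one finding per line and returns non-zero if there is any finding.
audit_personal_fw() {
    awk '
        $1 == "-P" { policy[$2] = $3; next }
        $1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ {
            if (/-i lo / && !/! -i lo /) { lo = 1; next }
            if (/--(ct)?state (RELATED,ESTABLISHED|ESTABLISHED,RELATED) /) { stateful = 1; next }
            # Any other ACCEPT lets in connections that were started from outside.
            print "INPUT rule admits new inbound traffic: " $0; bad++
        }
        END {
            if (policy["INPUT"] != "DROP")   { print "INPUT policy is not DROP"; bad++ }
            if (policy["FORWARD"] != "DROP") { print "FORWARD policy is not DROP"; bad++ }
            if (!lo)       { print "no loopback ACCEPT rule"; bad++ }
            if (!stateful) { print "no ESTABLISHED,RELATED ACCEPT rule"; bad++ }
            exit (bad > 0)
        }'
}

# Constructed sample: the rules the firewall script above loads, in -S form.
sample_personal() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
-A OUTPUT -j ACCEPT
EOF
}

# Constructed sample: the same ruleset after drift (ssh opened, FORWARD relaxed).
sample_drifted() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -j ACCEPT
EOF
}

sample_personal | audit_personal_fw && echo "personal sample: no findings"
sample_drifted | audit_personal_fw || echo "drifted sample: findings listed above"
```

On a live system the same function can be fed with `iptables -S | audit_personal_fw`, run as root.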