Context Navigation

← Previous Changeset
Next Changeset →

Changeset 0afcfa88

Timestamp:

05/30/2005 09:58:46 PM (19 years ago)

Author:

Randy McMurchy <randy@…>

Branches:

10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal

Children:

Parents:

Message:

Removed excess spaces from the ends of lines in the source files

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@4524 af4574ff-66df-0310-9fd7-8a98e5e911e0

Location:

postlfs/security

Files:

: 4 edited

cracklib.xml (modified) (6 diffs)
cyrus-sasl.xml (modified) (12 diffs)
firewalling.xml (modified) (28 diffs)
gnupg.xml (modified) (5 diffs)

Legend:

: Unmodified
: Added
: Removed

postlfs/security/cracklib.xml

-              r99b1c520
+              r0afcfa88
     <title>Introduction to Cracklib</title>
     <para>The <application>cracklib</application> package contains a
     library used to enforce strong passwords by comparing user selected
+    <para>The <application>cracklib</application> package contains a
+    library used to enforce strong passwords by comparing user selected
     passwords to words in a chosen wordlist.</para>
 …
     </itemizedlist>
     <para>You will also need to download a wordlist for use with
     <application>cracklib</application>. There are two wordlists
     to choose from at the following location.  Use the
     <filename>cracklib</filename> word list for good security, or
     opt for the <filename>allwords</filename> word list for
     lightweight machines short on RAM. You can of course choose
+    <para>You will also need to download a wordlist for use with
+    <application>cracklib</application>. There are two wordlists
+    to choose from at the following location.  Use the
+    <filename>cracklib</filename> word list for good security, or
+    opt for the <filename>allwords</filename> word list for
+    lightweight machines short on RAM. You can of course choose
     any other word list that you have at your disposal.</para>
     <itemizedlist spacing='compact'>
       <listitem>
         <para>cracklib (&crackdict-size;) at <ulink
+        <para>cracklib (&crackdict-size;) at <ulink
         url="http://www.cotse.com/tools/wordlists.htm"/></para>
       </listitem>
       <listitem>
         <para>allwords (&alldict-size;) at <ulink
+        <para>allwords (&alldict-size;) at <ulink
         url="http://www.cotse.com/tools/wordlists.htm"/></para>
       </listitem>
 …
     <para>First, as the <systemitem class="username">root</systemitem>
     user, install the chosen word list for
+    user, install the chosen word list for
     <application>cracklib</application>:</para>
 …
     <para>The wordlist is linked to <filename>/usr/share/dict/words</filename>
     as historically, <filename>words</filename> is the primary wordlist in the
     <filename class="directory">/usr/share/dict</filename> directory.
     Additionally, the value of <command>hostname</command> is echoed to a file
     called <filename>extra.words</filename>. This extra file is intended to be
     a site specific list which includes easy to guess passwords such as company
     or department names, user's names, product names, computer names, domain
+    as historically, <filename>words</filename> is the primary wordlist in the
+    <filename class="directory">/usr/share/dict</filename> directory.
+    Additionally, the value of <command>hostname</command> is echoed to a file
+    called <filename>extra.words</filename>. This extra file is intended to be
+    a site specific list which includes easy to guess passwords such as company
+    or department names, user's names, product names, computer names, domain
     names, etc.</para>
 …
     <title>Command Explanations</title>
     <para><command>rm -v /lib/libcrack.so; ln -v -sf ...
     /usr/lib/libcrack.so</command>: These two commands move the
+    <para><command>rm -v /lib/libcrack.so; ln -v -sf ...
+    /usr/lib/libcrack.so</command>: These two commands move the
     <filename class='symlink'>libcrack.so</filename>
     symlink from <filename class='directory'>/lib</filename> to
+    symlink from <filename class='directory'>/lib</filename> to
     <filename class='directory'>/usr/lib</filename>.</para>
 …
         <term><filename class='libraryfile'>libcrack.so</filename></term>
         <listitem>
           <para>provide a fast dictionary lookup method for strong
+          <para>provide a fast dictionary lookup method for strong
           password enforcement.</para>
           <indexterm zone="cracklib libcrack">

postlfs/security/cyrus-sasl.xml

-              r99b1c520
+              r0afcfa88
     <title>Introduction to Cyrus SASL</title>
     <para>The <application>Cyrus SASL</application> package contains a Simple
     Authentication and Security Layer, a method for adding authentication
     support to connection-based protocols. To use SASL, a protocol includes a
     command for identifying and authenticating a user to a server and for
     optionally negotiating protection of subsequent protocol interactions. If
     its use is negotiated, a security layer is inserted between the protocol
+    <para>The <application>Cyrus SASL</application> package contains a Simple
+    Authentication and Security Layer, a method for adding authentication
+    support to connection-based protocols. To use SASL, a protocol includes a
+    command for identifying and authenticating a user to a server and for
+    optionally negotiating protection of subsequent protocol interactions. If
+    its use is negotiated, a security layer is inserted between the protocol
     and the connection.</para>
 …
     <bridgehead renderas="sect4">Optional</bridgehead>
     <para><xref linkend="Linux_PAM"/>,
     <xref linkend="openldap"/>,
     <xref linkend="heimdal"/> or <xref linkend="mitkrb"/>,
     <xref linkend="jdk"/>,
     <xref linkend="mysql"/>,
     <xref linkend="postgresql"/>,
     <xref linkend="db"/>,
     <xref linkend="gdbm"/>,
     <xref linkend="courier"/>,
     <ulink url="http://www.pdc.kth.se/kth-krb/">krb4</ulink>,
     <ulink url="http://sqlite.org/">SQLite</ulink> and
+    <para><xref linkend="Linux_PAM"/>,
+    <xref linkend="openldap"/>,
+    <xref linkend="heimdal"/> or <xref linkend="mitkrb"/>,
+    <xref linkend="jdk"/>,
+    <xref linkend="mysql"/>,
+    <xref linkend="postgresql"/>,
+    <xref linkend="db"/>,
+    <xref linkend="gdbm"/>,
+    <xref linkend="courier"/>,
+    <ulink url="http://www.pdc.kth.se/kth-krb/">krb4</ulink>,
+    <ulink url="http://sqlite.org/">SQLite</ulink> and
     <ulink url="http://dmalloc.com/">Dmalloc</ulink></para>
 …
     <title>Installation of Cyrus SASL</title>
     <para>Install <application>Cyrus SASL</application> by
+    <para>Install <application>Cyrus SASL</application> by
     running the following commands:</para>
 …
     <title>Command Explanations</title>
     <para><parameter>--with-dbpath=/var/lib/sasl/sasldb2</parameter>: This
+    <para><parameter>--with-dbpath=/var/lib/sasl/sasldb2</parameter>: This
     parameter forces the <command>saslauthd</command> database to be created
     in <filename class='directory'>/var/lib/sasl</filename> instead of
+    in <filename class='directory'>/var/lib/sasl</filename> instead of
     <filename class='directory'>/etc</filename>.</para>
     <para><parameter>--with-saslauthd=/var/run</parameter>: This parameter
     forces <command>saslauthd</command> to use the FHS compliant
     directory <filename class='directory'>/var/run</filename> for variable
+    <para><parameter>--with-saslauthd=/var/run</parameter>: This parameter
+    forces <command>saslauthd</command> to use the FHS compliant
+    directory <filename class='directory'>/var/run</filename> for variable
     run-time data.</para>
 …
     with <application>OpenLDAP</application>.</para>
     <para><command>install -v -m644 ...</command>: These commands
     install documentation which is not installed by the
+    <para><command>install -v -m644 ...</command>: These commands
+    install documentation which is not installed by the
     <command>make install</command> command.</para>
     <para><command>install -v -d -m700 /var/lib/sasl</command>: This directory
     must exist when starting <command>saslauthd</command>. If you're not going
+    <para><command>install -v -d -m700 /var/lib/sasl</command>: This directory
+    must exist when starting <command>saslauthd</command>. If you're not going
     to be running the daemon, you may omit the creation of this directory.</para>
 …
       <title>Config Files</title>
       <para><filename>/etc/saslauthd.conf</filename> (for LDAP configuration)
       and <filename>/usr/lib/sasl2/Appname.conf</filename> (where "Appname"
+      <para><filename>/etc/saslauthd.conf</filename> (for LDAP configuration)
+      and <filename>/usr/lib/sasl2/Appname.conf</filename> (where "Appname"
       is the application defined name of the application)</para>
 …
       <title>Configuration Information</title>
       <para>See <ulink
+      <para>See <ulink
       url="file:///usr/share/doc/cyrus-sasl-&cyrus-sasl-version;/sysadmin.html"/>
       for information on what to include in the application configuration files.
       See <ulink
+      for information on what to include in the application configuration files.
+      See <ulink
       url="file:///usr/share/doc/cyrus-sasl-&cyrus-sasl-version;/LDAP_SASLAUTHD"/>
       for configuring <command>saslauthd</command> with LDAP.</para>
 …
       <title>Init Script</title>
       <para>If you need to run the <command>saslauthd</command> daemon at system
+      <para>If you need to run the <command>saslauthd</command> daemon at system
       startup, install the <filename>/etc/rc.d/init.d/cyrus-sasl</filename>
       init script included in the <xref linkend="intro-important-bootscripts"/>
 …
       <note>
         <para>You'll need to modify the init script and replace the
         <option><replaceable>[authmech]</replaceable></option> parameter
         to the <option>-a</option> switch with your desired authentication
+        <para>You'll need to modify the init script and replace the
+        <option><replaceable>[authmech]</replaceable></option> parameter
+        to the <option>-a</option> switch with your desired authentication
         mechanism.</para>
       </note>
 …
       <seglistitem>
         <seg>saslauthd, sasldblistusers2, and saslpasswd2</seg>
         <seg>libjavasasl.so, libsasl2.so, and SASL plugins/Java
+        <seg>libjavasasl.so, libsasl2.so, and SASL plugins/Java
         classes</seg>
         <seg>/usr/include/sasl, /usr/lib/java, /usr/lib/sasl2,
+        <seg>/usr/include/sasl, /usr/lib/java, /usr/lib/sasl2,
         /usr/share/doc/cyrus-sasl-&cyrus-sasl-version;, and /var/lib/sasl</seg>
       </seglistitem>
 …
         <term><command>saslpasswd2</command></term>
         <listitem>
           <para>is used to set and delete a user's SASL password and
+          <para>is used to set and delete a user's SASL password and
           mechanism specific secrets in the SASL password database.</para>
           <indexterm zone="cyrus-sasl saslpasswd2">
 …
         <term><filename class='libraryfile'>libsasl2.so</filename></term>
         <listitem>
           <para>is a general purpose authentication library for server and
+          <para>is a general purpose authentication library for server and
           client applications.</para>
           <indexterm zone="cyrus-sasl libsasl2">

postlfs/security/firewalling.xml

-              r99b1c520
+              r0afcfa88
   <title>Setting Up a Network Firewall</title>
   <para>Before you read this part of the chapter, you should have
+  <para>Before you read this part of the chapter, you should have
   already installed iptables as described in the previous section.</para>
 …
     <title>Introduction to Firewall Creation</title>
     <para>The general purpose of a firewall is to protect a computer or
+    <para>The general purpose of a firewall is to protect a computer or
     a network against malicious access.</para>
     <para>In a perfect world, every daemon or service on every machine
     is perfectly configured and immune to flaws such as buffer overflows
     or other problems regarding its security. Furthermore, you trust
     every user accessing your services. In this world, you do not need
+    <para>In a perfect world, every daemon or service on every machine
+    is perfectly configured and immune to flaws such as buffer overflows
+    or other problems regarding its security. Furthermore, you trust
+    every user accessing your services. In this world, you do not need
     to have a firewall.</para>
     <para>In the real world however, daemons may be misconfigured and
     exploits against essential services are freely available. You may
     wish to choose which services are accessible by certain machines or
     you may wish to limit which machines or applications are allowed
     external access. Alternatively, you may simply not trust some of
     your applications or users. You are probably connected to the
+    <para>In the real world however, daemons may be misconfigured and
+    exploits against essential services are freely available. You may
+    wish to choose which services are accessible by certain machines or
+    you may wish to limit which machines or applications are allowed
+    external access. Alternatively, you may simply not trust some of
+    your applications or users. You are probably connected to the
     Internet. In this world, a firewall is essential.</para>
     <para>Don't assume however, that having a firewall makes careful
     configuration redundant, or that it makes any negligent
     misconfiguration harmless. It doesn't prevent anyone from exploiting
     a service you intentionally offer but haven't recently updated or
     patched after an exploit went public.  Despite having a firewall, you
     need to keep applications and daemons on your system properly
     configured and up to date.  A firewall is not a cure all, but should
+    <para>Don't assume however, that having a firewall makes careful
+    configuration redundant, or that it makes any negligent
+    misconfiguration harmless. It doesn't prevent anyone from exploiting
+    a service you intentionally offer but haven't recently updated or
+    patched after an exploit went public.  Despite having a firewall, you
+    need to keep applications and daemons on your system properly
+    configured and up to date.  A firewall is not a cure all, but should
     be an essential part of your overall security startegy.</para>
 …
       <title><xref linkend="fw-persFw"/></title>
       <para>This is a hardware device or software program commercially
       sold by companies such as Symantec which claims that it secures
       a home or desktop computer with Internet access. This type of
       firewall is highly relevant for users who do not know how their
       computers might be accessed via the Internet or how to disable
       that access, especially if they are always online and connected
+      <para>This is a hardware device or software program commercially
+      sold by companies such as Symantec which claims that it secures
+      a home or desktop computer with Internet access. This type of
+      firewall is highly relevant for users who do not know how their
+      computers might be accessed via the Internet or how to disable
+      that access, especially if they are always online and connected
       via broadband links.</para>
 …
       <para>This is a system placed between the Internet and an intranet.
       To minimize the risk of compromising the firewall itself, it should
+      To minimize the risk of compromising the firewall itself, it should
       generally have only one role&mdash;that of protecting the intranet.
       Although not completely risk free, the tasks of doing the routing and
       IP masquerading (rewriting IP headers of the packets it routes from
       clients with private IP addresses onto the Internet so that they seem
       to come from the firewall itself) are commonly considered relatively
+      IP masquerading (rewriting IP headers of the packets it routes from
+      clients with private IP addresses onto the Internet so that they seem
+      to come from the firewall itself) are commonly considered relatively
       secure.</para>
 …
       <title><xref linkend="fw-busybox"/></title>
       <para>This is often an old computer you may have retired and nearly
       forgotten, performing masquerading or routing functions, but offering
       non-firewall services such as a web-cache or mail.  This may be used
       for home networks, but is not be considered as secure as a firewall
       only machine because the combination of server and router/firewall on
+      <para>This is often an old computer you may have retired and nearly
+      forgotten, performing masquerading or routing functions, but offering
+      non-firewall services such as a web-cache or mail.  This may be used
+      for home networks, but is not be considered as secure as a firewall
+      only machine because the combination of server and router/firewall on
       one machine raises the complexity of the setup.</para>
 …
     <sect3>
       <title>Firewall with a Demilitarized Zone [Not Further
+      <title>Firewall with a Demilitarized Zone [Not Further
       Described Here]</title>
       <para>This box performs masquerading or routing, but grants public
       access to some branch of your network which, because of public IP's
       and a physically separated structure, is essentially a separate
       network with direct Internet access. The servers on this network are
       those which must be easily accessible from both the Internet and
       intranet. The firewall protects both networks. This type of firewall
+      <para>This box performs masquerading or routing, but grants public
+      access to some branch of your network which, because of public IP's
+      and a physically separated structure, is essentially a separate
+      network with direct Internet access. The servers on this network are
+      those which must be easily accessible from both the Internet and
+      intranet. The firewall protects both networks. This type of firewall
       has a minimum of three network interfaces.</para>
 …
       <title>Packetfilter</title>
       <para>This type of firewall does routing or masquerading, but does
       not maintain a state table of ongoing communication streams. It is
       fast, but quite limited in its ability to block inappropriate packets
+      <para>This type of firewall does routing or masquerading, but does
+      not maintain a state table of ongoing communication streams. It is
+      fast, but quite limited in its ability to block inappropriate packets
       without blocking desired packets.</para>
 …
     <caution>
       <para>This introduction on how to setup a firewall is not a
       complete guide to securing systems. Firewalling is a complex
       issue that requires careful configuration. The scripts quoted
       here are simply intended to give examples of how a firewall
       works. They are not intended to fit into any particular
       configuration and may not provide complete protection from
+      <para>This introduction on how to setup a firewall is not a
+      complete guide to securing systems. Firewalling is a complex
+      issue that requires careful configuration. The scripts quoted
+      here are simply intended to give examples of how a firewall
+      works. They are not intended to fit into any particular
+      configuration and may not provide complete protection from
       an attack.</para>
       <para>Customization of these scripts for your specific situation
       will be necessary for an optimal configuration, but you should
       make a serious study of the iptables documentation and creating
       firewalls in general before hacking away. Have a look at the
       list of <xref linkend="fw-library"/> at the end of this section for
       more details. There you will find a list of URLs that contain quite
+      <para>Customization of these scripts for your specific situation
+      will be necessary for an optimal configuration, but you should
+      make a serious study of the iptables documentation and creating
+      firewalls in general before hacking away. Have a look at the
+      list of <xref linkend="fw-library"/> at the end of this section for
+      more details. There you will find a list of URLs that contain quite
       comprehensive information about building your own firewall.</para>
     </caution>
     <para>The firewall configuration script installed in the last section
     differs from the standard configuration script. It only has two of
     the standard targets: start and status. The other targets are clear
+    <para>The firewall configuration script installed in the last section
+    differs from the standard configuration script. It only has two of
+    the standard targets: start and status. The other targets are clear
     and lock. For instance when you run:</para>
 <screen role="root"><userinput>/etc/rc.d/init.d/iptables start</userinput></screen>
     <para>the firewall will be restarted just as it is upon system startup.
     The status target will present a list of all currently implemented
     rules. The clear target turns off all firewall rules and the lock
     target will block all packets in and out of the computer with the
+    <para>the firewall will be restarted just as it is upon system startup.
+    The status target will present a list of all currently implemented
+    rules. The clear target turns off all firewall rules and the lock
+    target will block all packets in and out of the computer with the
     exception of the loopback interface.</para>
     <para>The main startup firewall is located in the file
     <filename>/etc/rc.d/rc.iptables</filename>. The sections below provide
+    <para>The main startup firewall is located in the file
+    <filename>/etc/rc.d/rc.iptables</filename>. The sections below provide
     three different approaches that can be used for a system.</para>
     <note>
       <para>You should always run your firewall rules from a script.
       This ensures consistency and a record of what was done. It also
       allows retention of comments that are essential for understanding
+      This ensures consistency and a record of what was done. It also
+      allows retention of comments that are essential for understanding
       the rules long after they were written.</para>
     </note>
 …
       <title>Personal Firewall</title>
       <para>A Personal Firewall is designed to let you access all the
       services offered on the Internet, but keep your box secure and
+      <para>A Personal Firewall is designed to let you access all the
+      services offered on the Internet, but keep your box secure and
       your data private.</para>
       <para>Below is a slightly modified version of Rusty Russell's
       recommendation from the <ulink
+      <para>Below is a slightly modified version of Rusty Russell's
+      recommendation from the <ulink
       url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">
       Linux 2.4 Packet Filtering HOWTO</ulink>. It is still applicable
+      Linux 2.4 Packet Filtering HOWTO</ulink>. It is still applicable
       to the Linux 2.6 kernels.</para>
 …
 # Begin $rc_base/rc.iptables
 # Insert connection-tracking modules
+# Insert connection-tracking modules
 # (not needed if built into the kernel)
 modprobe ip_tables
 …
 echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
 # Drop Spoofed Packets coming in on an interface, where responses
+# Drop Spoofed Packets coming in on an interface, where responses
 # would result in the reply going out a different interface.
 echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
 …
 echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
 # disable Explicit Congestion Notification
+# disable Explicit Congestion Notification
 # too many routers are still ignorant
 echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
 …
 iptables -A INPUT  -i lo -j ACCEPT
 # Free output on any interface to any ip for any service
+# Free output on any interface to any ip for any service
 # (equal to -P ACCEPT)
 iptables -A OUTPUT -j ACCEPT
 # Permit answers on already established connections
 # and permit new connections related to established ones
+# and permit new connections related to established ones
 # (e.g. port mode ftp)
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 …
 EOF</userinput></screen>
       <para>This script is quite simple, it drops all traffic coming
       in into your computer that wasn't initiated from your box, but
       as long as you are simply surfing the Internet you are unlikely
+      <para>This script is quite simple, it drops all traffic coming
+      in into your computer that wasn't initiated from your box, but
+      as long as you are simply surfing the Internet you are unlikely
       to exceed its limits.</para>
       <para>If you frequently encounter certain delays at accessing
+      <para>If you frequently encounter certain delays at accessing
       ftp-servers, take a look at <xref linkend="fw-BB-4"/>.</para>
       <para>Even if you have daemons or services running on your system,
       these will be inaccessible everywhere but from your computer itself.
       If you want to allow access to services on your machine, such as
       <command>ssh</command> or <command>ping</command>, take a look at
+      <para>Even if you have daemons or services running on your system,
+      these will be inaccessible everywhere but from your computer itself.
+      If you want to allow access to services on your machine, such as
+      <command>ssh</command> or <command>ping</command>, take a look at
       <xref linkend="fw-busybox"/>.</para>
 …
       <title>Masquerading Router</title>
       <para>A true Firewall has two interfaces, one connected to an
       intranet, in this example <emphasis role="strong">eth0</emphasis>,
       and one connected to the Internet, here <emphasis
       role="strong">ppp0</emphasis>. To provide the maximum security
       for the firewall itself, make sure that there are no unnecessary
+      <para>A true Firewall has two interfaces, one connected to an
+      intranet, in this example <emphasis role="strong">eth0</emphasis>,
+      and one connected to the Internet, here <emphasis
+      role="strong">ppp0</emphasis>. To provide the maximum security
+      for the firewall itself, make sure that there are no unnecessary
       servers running on it such as <application>X11</application> et
       al. As a general principle, the firewall itself should not access
       any untrusted service (Think of a remote server giving answers that
       makes a daemon on your system crash, or, even worse, that implements
+      al. As a general principle, the firewall itself should not access
+      any untrusted service (Think of a remote server giving answers that
+      makes a daemon on your system crash, or, even worse, that implements
       a worm via a buffer-overflow).</para>
 …
 echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
 # Disable Explicit Congestion Notification
+# Disable Explicit Congestion Notification
 # Too many routers are still ignorant
 echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
 …
 iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
 # Log everything for debugging
+# Log everything for debugging
 # (last of all rules, but before policy rules)
 iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT  "
 …
 iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "
 # Enable IP Forwarding
+# Enable IP Forwarding
 echo 1 &gt; /proc/sys/net/ipv4/ip_forward</literal>
 EOF</userinput></screen>
       <para>With this script your intranet should be reasonably secure
       against external attacks. No one should be able to setup a new
       connection to any internal service and, if it's masqueraded,
       makes your intranet invisible to the Internet. Furthermore, your
       firewall should be relatively safe because there are no services
+      <para>With this script your intranet should be reasonably secure
+      against external attacks. No one should be able to setup a new
+      connection to any internal service and, if it's masqueraded,
+      makes your intranet invisible to the Internet. Furthermore, your
+      firewall should be relatively safe because there are no services
       running that a cracker could attack.</para>
       <note>
         <para>If the interface you're connecting to the Internet
         doesn't connect via ppp, you will need to change
         <replaceable>ppp+</replaceable> to the name of the interface,
         e.g. <emphasis role="strong">eth1</emphasis>, which you are
+        <para>If the interface you're connecting to the Internet
+        doesn't connect via ppp, you will need to change
+        <replaceable>ppp+</replaceable> to the name of the interface,
+        e.g. <emphasis role="strong">eth1</emphasis>, which you are
         using.</para>
       </note>
 …
       <title>BusyBox</title>
       <para>This scenario isn't too different from the <xref
       linkend="fw-masqRouter"/>, but additionally offers some
       services to your intranet. Examples of this can be when
       you want to administer your firewall from another host on
+      <para>This scenario isn't too different from the <xref
+      linkend="fw-masqRouter"/>, but additionally offers some
+      services to your intranet. Examples of this can be when
+      you want to administer your firewall from another host on
       your intranet or use it as a proxy or a name server.</para>
       <note>
         <para>Outlining a true concept of how to protect a server that
         offers services on the Internet goes far beyond the scope of
         this document. See the references at the end of this section
+        <para>Outlining a true concept of how to protect a server that
+        offers services on the Internet goes far beyond the scope of
+        this document. See the references at the end of this section
         for more information.</para>
       </note>
       <para>Be cautious. Every service you have enabled makes your
       setup more complex and your firewall less secure. You are
       exposed to the risks of misconfigured services or running
       a service with an exploitable bug. A firewall should generally
       not run any extra services.  See the introduction to the
+      setup more complex and your firewall less secure. You are
+      exposed to the risks of misconfigured services or running
+      a service with an exploitable bug. A firewall should generally
+      not run any extra services.  See the introduction to the
       <xref linkend="fw-masqRouter"/> for some more details.</para>
       <para>If you want to add services such as internal samba or
+      <para>If you want to add services such as internal samba or
       name servers that do not need to access the Internet themselves,
       the additional statements are quite simple and should still be
+      the additional statements are quite simple and should still be
       acceptable from a security standpoint. Just add the following lines
       into the script <emphasis>before</emphasis> the logging rules.</para>
 …
 iptables -A OUTPUT -o ! ppp+  -j ACCEPT</literal></screen>
       <para>If daemons, such as squid, have to access the Internet
       themselves, you could open OUTPUT generally and restrict
+      <para>If daemons, such as squid, have to access the Internet
+      themselves, you could open OUTPUT generally and restrict
       INPUT.</para>
 …
 iptables -A OUTPUT -j ACCEPT</literal></screen>
       <para>However, it is generally not advisable to leave OUTPUT
       unrestricted. You lose any control over trojans who would like
       to "call home", and a bit of redundancy in case you've
       (mis-)configured a service so that it broadcasts its existence
+      <para>However, it is generally not advisable to leave OUTPUT
+      unrestricted. You lose any control over trojans who would like
+      to "call home", and a bit of redundancy in case you've
+      (mis-)configured a service so that it broadcasts its existence
       to the world.</para>
       <para>To accomplish this, you should restrict INPUT and OUTPUT
       on all ports except those that it's absolutely necessary to have
       open. Which ports you have to open depends on your needs: mostly
       you will find them by looking for failed accesses in your log
+      on all ports except those that it's absolutely necessary to have
+      open. Which ports you have to open depends on your needs: mostly
+      you will find them by looking for failed accesses in your log
       files.</para>
 …
         </listitem>
         <listitem>
           <para>You want to be able to ping your box to
+          <para>You want to be able to ping your box to
           ensure it's still alive:</para>
 …
         </listitem>
         <listitem>
           <para><anchor id='fw-BB-4' xreflabel="BusyBox example number 4"/>If
           you are frequently accessing ftp servers or enjoy chatting, you might
           notice certain delays because some implementations of these daemons
           have the feature of querying an identd on your system to obtain
           usernames. Although there's really little harm in this, having an
           identd running is not recommended because many security experts feel
+          <para><anchor id='fw-BB-4' xreflabel="BusyBox example number 4"/>If
+          you are frequently accessing ftp servers or enjoy chatting, you might
+          notice certain delays because some implementations of these daemons
+          have the feature of querying an identd on your system to obtain
+          usernames. Although there's really little harm in this, having an
+          identd running is not recommended because many security experts feel
           the service gives out too much additional information.</para>
           <para>To avoid these delays you could reject the requests
+          <para>To avoid these delays you could reject the requests
           with a 'tcp-reset':</para>
 …
         <listitem>
           <para>To log and drop invalid packets (packets
           that came in after netfilter's timeout or some types of
+          that came in after netfilter's timeout or some types of
           network scans):</para>
 …
 iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP</literal></screen>
           <para>There are other addresses that you may also want to
           drop: 0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3 (multicast and
+          <para>There are other addresses that you may also want to
+          drop: 0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3 (multicast and
           experimental), 169.254.0.0/16 (Link Local Networks), and
 .0.2.0/24 (IANA defined test network).</para>
         </listitem>
         <listitem>
           <para>If your firewall is a DHCP client, you need to allow
+          <para>If your firewall is a DHCP client, you need to allow
           those packets:</para>
 …
         </listitem>
         <listitem>
           <para>To simplify debugging and be fair to anyone who'd like
           to access a service you have disabled, purposely or by mistake,
+          <para>To simplify debugging and be fair to anyone who'd like
+          to access a service you have disabled, purposely or by mistake,
           you could REJECT those packets that are dropped.</para>
 …
       </itemizedlist>
       <para>These are only examples to show you some of the capabilities
+      <para>These are only examples to show you some of the capabilities
       of the firewall code in Linux. Have a look at the man page of iptables.
       There you will find much more information. The port numbers needed for
       this can be found in <filename>/etc/services</filename>, in case you
+      There you will find much more information. The port numbers needed for
+      this can be found in <filename>/etc/services</filename>, in case you
       didn't find them by trial and error in your log file.</para>
 …
     <para>Finally, there is one fact you must not forget: The effort spent
     attacking a system corresponds to the value the cracker expects to gain
     from it. If you are responsible for valuable information, you need to
+    attacking a system corresponds to the value the cracker expects to gain
+    from it. If you are responsible for valuable information, you need to
     spend the time to protect it properly.</para>

postlfs/security/gnupg.xml

-              r99b1c520
+              r0afcfa88
     <title>Introduction to GnuPG</title>
     <para>The <application>GnuPG</application> package contains a
     public/private key encryptor. This is becoming useful for signing
     files or emails as proof of identity and preventing tampering with
+    <para>The <application>GnuPG</application> package contains a
+    public/private key encryptor. This is becoming useful for signing
+    files or emails as proof of identity and preventing tampering with
     contents of the file or email.</para>
 …
     <itemizedlist spacing='compact'>
       <listitem>
         <para>Required Patch: <ulink
+        <para>Required Patch: <ulink
         url="&patch-root;/gnupg-&gnupg-version;-po_install_fix-1.patch"/>
       </para>
 …
     <bridgehead renderas="sect4">Optional</bridgehead>
     <para><xref linkend="openldap"/>,
     <xref linkend="libusb"/>,
     <xref linkend="curl"/>,
     <ulink url="../server/mail.html">MTA</ulink>,
     <xref linkend="docbook-utils"/> and <ulink
+    <para><xref linkend="openldap"/>,
+    <xref linkend="libusb"/>,
+    <xref linkend="curl"/>,
+    <ulink url="../server/mail.html">MTA</ulink>,
+    <xref linkend="docbook-utils"/> and <ulink
     url="http://www.oasis-open.org/docbook/tools/dtm/">docbook-to-man</ulink></para>
 …
     <title>Installation of GnuPG</title>
     <para>Install <application>GnuPG</application> by running the following
+    <para>Install <application>GnuPG</application> by running the following
     commands:</para>
 …
     <filename class="directory">/usr/libexec</filename>.</para>
     <para><command>chmod -v 4755 /usr/bin/gpg</command>:
     <command>gpg</command> is installed setuid root to avoid swapping
+    <para><command>chmod -v 4755 /usr/bin/gpg</command>:
+    <command>gpg</command> is installed setuid root to avoid swapping
     out sensitive data.</para>

Note: See TracChangeset for help on using the changeset viewer.

Download in other formats: