Timestamp:
03/13/2005 07:24:56 AM (17 years ago)
Author:
Bruce Dubbs <bdubbs@…>
Branches:
10.0, 10.1, 11.0, 6.0, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, ken/refactor-virt, krejzi/svn, lazarus, nosym, perl-modules, qt5new, systemd-11177, systemd-13485, trunk, upgradedb, xry111/git-date, xry111/git-date-for-trunk, xry111/git-date-test
Children:
ed1b95e
Parents:
f8962fe
Message:

Update firewalling section

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@3539 af4574ff-66df-0310-9fd7-8a98e5e911e0

File:
1 edited

  • postlfs/security/firewalling.xml

    rf8962fe r0e3848e3  
    1414<title>Setting up a network firewall</title>
    1515
    16 <para>Before you read this part of the chapter, note that we assume that you
     16<para>Before you read this part of the chapter, you should
    1717have already installed iptables as described in the previous section.</para>
    1818
     
    2020<title>Introduction to Firewall Creation</title>
    2121
    22 <para>The general purpose of a firewall is to protect a network
    23 against malicious access by using a single machine as a firewall.
    24 This does imply that the firewall is to be considered a single point
    25 of failure, but it can make the administrator's life a lot easier.</para>
    26 
    27 <para>In a perfect world where you knew that every daemon or service
    28 on every machine was perfectly configured and was immune to, e.g.,
    29 buffer-overflows and any other imaginable problem regarding its
    30 security, and where you trusted every user accessing your services
    31 to aim no harm, you wouldn't need to have a firewall! 
    32 In the real world however, daemons may be misconfigured,
    33 exploits against essential services are freely available, you
    34 may wish to choose which services are accessible by certain machines,
    35 you may wish to limit which machines or applications are allowed
    36 to have Internet access, or you may simply not trust some of your
    37 apps or users. In these situations you might benefit by using a
    38 firewall.</para>
    39 
    40 <para>Don't assume however, that having a firewall makes careful
    41 configuration redundant, or that it makes any negligent
    42 misconfiguration harmless. It also doesn't prevent anyone from exploiting a
    43 service you intentionally offer but haven't recently updated or patched
    44 after an exploit went public.  Despite having a firewall, you need to
    45 keep applications and daemons on your system well-configured and
    46 up-to-date; a firewall is not a cure-all!</para>
     22<para>The general purpose of a firewall is to protect a computer or a network
     23against malicious access.</para>
     24
     25<para>In a perfect world, every daemon or service
     26on every machine is perfectly configured and immune to flaws such as
     27buffer overflows or other problems regarding its
     28security. Furthermore, you trust every user accessing your services.
     29In this world, you do not need to have a firewall.</para>
     30
     31<para>In the real world however, daemons may be misconfigured
     32and exploits against essential services are freely available.  You
     33may wish to choose which services are accessible by certain machines or
     34you may wish to limit which machines or applications are allowed external
     35access. Alternatively, you may simply not trust some of your
     36applications or users. You are probably connected to the Internet.  In this
     37world, a firewall is essential.</para>
     38
     39<para>Don't assume however, that having a firewall makes careful configuration
     40redundant, or that it makes any negligent misconfiguration harmless. It doesn't
     41prevent anyone from exploiting a service you intentionally offer but haven't
     42recently updated or patched after an exploit went public.  Despite having a
     43firewall, you need to keep applications and daemons on your system properly
     44configured and up to date.  A firewall is not a cure all, but should be an
     45essential part of your overall security startegy.</para>
    4746
    4847</sect2>
    4948
    5049<sect2>
    51 <title>Meaning of the word firewall.</title>
     50<title>Meaning of the word "firewall"</title>
    5251
    5352<para>The word firewall can have several different meanings.</para>
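Review bot: typo in the last added paragraph of the introduction: "essential part of your overall security startegy" should read "security strategy", and "cure all" reads better as "cure-all". The rest of the rewrite (dropping the single-point-of-failure aside and splitting the perfect-world/real-world argument into two paragraphs) is an improvement.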
     
    5554<sect3><title><xref linkend="fw-persFw"/></title>
    5655
    57 <para>This is a setup or program, for Windows commercially sold by
    58 companies such as Symantec, of which they claim or pretend that it
    59 secures a home or desktop-pc with Internet access. This topic is
    60 highly relevant for users who do not know the methods their computers
    61 might be accessed via the Internet or how to disable them,
     56<para>This is a hardware device or software program commercially sold by
     57companies such as Symantec which claims that it
     58secures a home or desktop computer with Internet access. This type of firewall is
     59highly relevant for users who do not know how their computers
     60might be accessed via the Internet or how to disable that access,
    6261especially if they are always online and connected via
    6362broadband links.</para></sect3>
    6463
    65 <sect3><title><xref linkend="fw-masqRouter"/></title>
    66 <para>This is a box placed between the Internet and an intranet.
    67 To minimize the risk of compromising the firewall itself it
    68 should generally have only one role, that of protecting the intranet.
    69 Although not completely risk free, the tasks of doing the routing
    70 and eventually IP masquerading (rewriting IP-headers
    71 of the packets it routes from clients with private IP-addresses onto
    72 the Internet so that they seem to come from the firewall
    73 itself) are commonly considered harmless.</para></sect3>
    74 
    75 <sect3><title><xref linkend="fw-busybox"/></title>
    76 <para>This is often an old box you may have retired and nearly forgotten,
    77 performing masquerading or routing functions, but offering a bunch of
    78 services, e.g., web-cache, mail, etc.  This may be very commonly used
    79 for home networks, but can definitely not be considered as secure
    80 anymore because the combining of server and router on one machine raises
    81 the complexity of the setup.</para></sect3>
    82 
    83 <sect3><title>Firewall with a demilitarized zone [not further described
    84 here]</title>
     64<sect3>
     65<title><xref linkend="fw-masqRouter"/></title>
     66
     67<para>This is a system placed between the Internet and an intranet.  To minimize
     68the risk of compromising the firewall itself, it should generally have only one
     69role&mdash;that of protecting the intranet.  Although not completely risk free,
     70the tasks of doing the routing and  IP masquerading (rewriting IP headers of
     71the packets it routes from clients with private IP addresses onto the Internet
     72so that they seem to come from the firewall itself) are commonly considered
     73relatively secure.</para>
     74</sect3>
     75
     76<sect3>
     77<title><xref linkend="fw-busybox"/></title>
     78
     79<para>This is often an old computer you may have retired and nearly forgotten,
     80performing masquerading or routing functions, but offering non-firewall
     81services such as a web-cache or mail.  This may be used for home
     82networks, but is not be considered as secure as a firewall only
     83machine because the combination of server and router/firewall on one machine
     84raises the complexity of the setup.</para>
     85</sect3>
     86
     87<sect3>
     88<title>Firewall with a demilitarized zone [not further described here]</title>
    8589<para>This box performs masquerading or routing, but grants public access to
    8690some branch of your network which, because of public IP's and a physically
    87 separated structure, is neither considered to be part of the inter- nor
    88 intranet.  These servers are those which must be easily accessible
    89 from both the inter- and intranet. The firewall protects
    90 them all.</para></sect3>
    91 
    92 <sect3><title>Packetfilter / partly accessible net [partly described
    93 here, see <xref linkend="fw-busybox"/>]</title>
    94 <para>Doing routing or masquerading, but permitting only selected
    95 services to be accessible, sometimes only by selected internal users or boxes;
    96 mostly used in highly secure business contexts, sometimes by distrusting
    97 employers.  This was the common configuration of a firewall at the time of
    98 the Linux 2.2 kernel.  It's still possible to configure a firewall this way,
    99 but it makes the rules quite complex and lengthy.</para></sect3>
    100 
     91separated structure, is essentially a separate network with direct Internet access. 
     92The servers on this network are those which must be easily accessible
     93from both the Internet and intranet. The firewall protects
     94both networks. This type of firewall has a minimum of three network interfaces.</para>
     95</sect3>
     96
     97<sect3>
     98<title>Packetfilter</title>
     99<para>This type of firewall does routing or masquerading, but does not maintain
     100a state table of ongoing communication streams. It is fast, but quite limited
     101in its ability to block inappropriate packets without blocking desired
     102packets.</para>
     103</sect3>
    101104</sect2>
    102105
    103 <sect2 id="postlfs-security-fw-disclaimer" xreflabel="Disclaimer">
    104 <title>Disclaimer</title>
    105 
    106 <!-- <para><emphasis>NEITHER THE AUTHOR NOR ANY OF THE LINUXFROMSCRATCH TEAM
    107 ARE RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THIS
    108 DOCUMENT.</emphasis></para> -->
    109 
    110 <para>This document is meant as an introduction to how to setup a firewall.  It
     106<sect2 id="fw-writing" xreflabel="writing the firewalling-setup-scripts">
     107<title>Now you can start to build your Firewall</title>
     108
     109<caution><para>This introduction on how to setup a firewall
    111110is not a complete guide to securing systems.  Firewalling is a complex issue
    112111that requires careful configuration.  The scripts quoted here are simply
    113 intended to give examples as to how a firewall works, they are not intended to
    114 fit into any imaginable configuration and may not prevent any imaginable
    115 attack.</para>
    116 
    117 <para>The purpose of this text is simply to give you a hint on how to get
    118 started with a firewall.</para>
     112intended to give examples of how a firewall works. They are not intended to
     113fit into any particular configuration and may not provide complete protection
     114from an attack.</para>
    119115
    120116<para>Customization of these scripts for your specific situation will
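Review bot: grammar in the rewritten BusyBox entry: "but is not be considered as secure as a firewall only machine" should read "but is not considered as secure as a firewall-only machine". In the new "Packetfilter" entry, making "does not maintain a state table of ongoing communication streams" the defining property is a good change, but one sentence noting that the scripts later in this section are all stateful (they rely on "-m state --state ESTABLISHED,RELATED") would stop readers from filing those scripts under this heading. Also worth a check: the disclaimer sect2 with id "postlfs-security-fw-disclaimer" is removed here, so every xref to that id elsewhere in the file must go too; the one in the BusyBox section is removed later in this changeset, but the rest of the book should be grepped for it.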
     
    123119hacking away.  Have a look at the list of
    124120<xref linkend="fw-library"/> at the end of this section for
    125 more details.  Here you will find a list of URLs that contain quite
     121more details.  There you will find a list of URLs that contain quite
    126122comprehensive information about building your own firewall.</para>
    127 
    128 </sect2>
    129 
    130 <sect2 id="fw-kernel" xreflabel="getting a firewalling-enabled Kernel">
    131 <title>Getting a firewall enabled Kernel</title>
    132 <indexterm zone="fw-kernel">
    133 <primary sortas="d-Firewalls">Firewalls (using iptables)</primary>
    134 </indexterm>
    135 
    136 <para>If you want your Linux-Box to have a firewall, you must first ensure
    137 that your kernel has been compiled with the relevant options turned on.
    138 <!-- <footnote><para>If you needed assistance how to configure, compile and
    139 install a new kernel, refer back to chapter VIII of the LinuxFromScratch book,
    140 <ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html">
    141 Installing a kernel</ulink>  and eventually
    142 <ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html">
    143 Making the LFS system bootable</ulink>; note, that you'll need to reboot
    144 to actually run your new kernel.</para></footnote>-->
    145 </para>
    146 
    147 <para>How to configure your kernel, with enabling the options to be
    148 either compiled into the kernel or as modules, depends on your personal
    149 preferences and experience. Note, that for the quoted scripts it is assumed
    150 that the modules need to be loaded at first.</para>
    151 
    152 <screen>Network options menu
    153   Network packet filtering:                         Y
    154   Unix domain sockets:                         Y or M
    155   TCP/IP networking:                                Y
    156   IP: advanced router:                              Y
    157   IP: verbose route monitoring:                     Y
    158   IP: TCP Explicit Congestion Notification support: Y
    159   IP: TCP syncookie support:                        Y
    160   IP: Netfilter Configuration menu
    161     Every option except:                       Y or M
    162       ipchains (2.2-style) support                  N
    163       ipfwadm (2.0-style) support                   N
    164   Fast switching:                                   N</screen>
    165 
    166 <!--
    167 <table frame='none'>
    168 <title>Essential config-options for a firewall enabled Kernel</title>
    169 
    170 <tgroup cols='5'>
    171 <colspec colnum='1' colwidth='8*'  align='center'/>
    172 <colspec colnum='2' colwidth='19*' align='left'/>
    173 <colspec colnum='3' colwidth='11*' align='center'/>
    174 <colspec colnum='4' colwidth='1*'  align='center'/>
    175 <colspec colnum='5' colwidth='14*' align='left'/>
    176 
    177 <tbody>
    178 
    179 <row>
    180 <entry><emphasis><userinput>Networking options:</userinput></emphasis></entry>
    181 <entry><userinput>Network packet filtering</userinput></entry>
    182 <entry></entry>
    183 <entry>=</entry>
    184 <entry>CONFIG_NETFILTER</entry>
    185 </row>
    186 
    187 <row>
    188 <entry></entry>
    189 <entry><userinput>Unix domain sockets</userinput></entry>
    190 <entry></entry>
    191 <entry>=</entry>
    192 <entry>CONFIG_UNIX</entry>
    193 </row>
    194 
    195 <row>
    196 <entry></entry>
    197 <entry><userinput>IP: TCP/IP networking</userinput></entry>
    198 <entry></entry>
    199 <entry>=</entry>
    200 <entry>CONFIG_INET</entry>
    201 </row>
    202 
    203 <row>
    204 <entry></entry>
    205 <entry><userinput>IP: advanced router</userinput></entry>
    206 <entry></entry>
    207 <entry>=</entry>
    208 <entry>CONFIG_IP_ADVANCED_ROUTER</entry>
    209 </row>
    210 
    211 <row>
    212 <entry></entry>
    213 <entry><userinput>IP: verbose route monitoring</userinput></entry>
    214 <entry></entry>
    215 <entry>=</entry>
    216 <entry>CONFIG_IP_ROUTE_VERBOSE</entry>
    217 </row>
    218 
    219 <row>
    220 <entry></entry>
    221 <entry><userinput>IP: TCP Explicit Congestion Notification support</userinput></entry>
    222 <entry></entry>
    223 <entry>=</entry>
    224 <entry>CONFIG_INET_ECN</entry>
    225 </row>
    226 
    227 <row>
    228 <entry></entry>
    229 <entry><userinput>IP: TCP syncookie support</userinput></entry>
    230 <entry></entry>
    231 <entry>=</entry>
    232 <entry>CONFIG_SYN_COOKIES</entry>
    233 </row>
    234 
    235 <row>
    236 <entry></entry>
    237 <entry align='center'>
    238 <emphasis><userinput>IP: Netfilter Configuration:</userinput></emphasis></entry>
    239 <entry align='left'><userinput>every option</userinput></entry>
    240 <entry>=</entry>
    241 <entry>CONFIG_IP_NF_*</entry>
    242 </row>
    243 
    244 <row>
    245 <entry></entry>
    246 <entry align='right'><emphasis>WITHOUT:</emphasis></entry>
    247 <entry align='left'><literallayout><userinput>ipchains (2.2-style) support
    248 ipfw-adm (2.0-style) support</userinput></literallayout></entry>
    249 <entry>w\</entry>
    250 <entry>CONFIG_IP_NF_COMPAT_*</entry>
    251 </row>
    252 
    253 <row>
    254 <entry></entry>
    255 <entry><userinput>Fast switching</userinput></entry>
    256 <entry>Make sure to disable it because it would setup a bypass around
    257 your firewall rules.</entry>
    258 <entry>w\</entry>
    259 <entry>CONFIG_NET_FASTROUTE</entry>
    260 </row>
    261 
    262 </tbody>
    263 
    264 </tgroup>
    265 
    266 </table> -->
    267 
    268 </sect2>
    269 
    270 <sect2 id="fw-writing" xreflabel="writing the firewalling-setup-scripts">
    271 <title>Now you can start to build your Firewall</title>
     123</caution>
     124
     125<para>The firewall configuration script installed in the last section differs
     126from the standard configuration script.  It only has two of the standard
     127targets: start and status.  The other targets are clear and lock.  For instance when you
     128run:
     129
     130<screen><userinput><command>/etc/rc.d/init.d/iptables start</command></userinput></screen>
     131
     132the firewall will be restarted just as it is upon system startup.  The status target
     133will present a list of all currently implemented rules.  The clear target turns off all
     134firewall rules and the lock target will block all packets in and out of the computer
     135with the exception of the loopback interface.</para>
     136
     137<para>The main startup firewall is located in the file
     138<filename>/etc/rc.d/rc.iptables</filename>.  The sections below provide three different
     139approaches that can be used for a system.</para>
     140
     141<note><para>You should always run your firewall rules from a script.  This ensures
     142consistency and a record of what was done.  It also allows retention of comments
     143that are essential for understanding the rules long after they were written.
     144</para></note>
    272145
    273146<sect3 id="fw-persFw" xreflabel="Personal Firewall">
    274147<title>Personal Firewall</title>
    275148
    276 <para>A Personal Firewall is supposed to let you access all the services
     149<para>A Personal Firewall is designed to let you access all the services
    277150offered on the Internet, but keep your box secure and your data private.</para>
    278151
    279152<para>Below is a slightly modified version of Rusty Russell's recommendation
    280 from the <ulink
    281 url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">
    282 Linux 2.4 Packet Filtering HOWTO</ulink>:</para>
    283 
    284 <screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</command>
     153from the
     154<ulink url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">
     155Linux 2.4 Packet Filtering HOWTO</ulink>.  It is still applicable to the Linux 2.6 kernels.</para>
     156
     157<screen><userinput><command>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"</command>
    285158#!/bin/sh
    286159
    287 # Begin $rc_base/init.d/firewall
     160# Begin $rc_base/rc.iptables
    288161
    289162# Insert connection-tracking modules
     
    296169modprobe ipt_LOG
    297170
    298 # allow local-only connections
     171# Enable broadcast echo Protection
     172echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
     173
     174# Disable Source Routed Packets
     175echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
     176
     177# Enable TCP SYN Cookie Protection
     178echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
     179
     180# Disable ICMP Redirect Acceptance
     181echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects
     182
     183# Don¹t send Redirect Messages
     184echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
     185
     186# Drop Spoofed Packets coming in on an interface, where responses
     187# would result in the reply going out a different interface.
     188echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
     189
     190# Log packets with impossible addresses.
     191echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
     192
     193# be verbose on dynamic ip-addresses  (not needed in case of static IP)
     194echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
     195
     196# disable Explicit Congestion Notification
     197# too many routers are still ignorant
     198echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
     199
     200# Set a known state
     201iptables -P INPUT   DROP
     202iptables -P FORWARD DROP
     203iptables -P OUTPUT  DROP
     204 
     205# These lines are here in case rules are already in place and the
     206# script is ever rerun on the fly. We want to remove all rules and
     207# pre-exisiting user defined chains before we implement new rules.
     208iptables -F
     209iptables -X
     210iptables -Z
     211 
     212iptables -t nat -F
     213
     214# Allow local-only connections
    299215iptables -A INPUT  -i lo -j ACCEPT
    300216
    301 # free output on any interface to any ip for any service
     217# Free output on any interface to any ip for any service
    302218# (equal to -P ACCEPT)
    303219iptables -A OUTPUT -j ACCEPT
    304220
    305 # permit answers on already established connections
     221# Permit answers on already established connections
    306222# and permit new connections related to established ones
    307 # (eg active-ftp)
     223# (e.g. port mode ftp)
    308224iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    309225
    310 # Log everything else: What's Windows' latest exploitable vulnerability?
     226# Log everything else. What's Windows' latest exploitable vulnerability?
    311227iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
    312228
    313 # set a sane policy:    everything not accepted &gt; /dev/null
    314 iptables -P INPUT    DROP
    315 iptables -P FORWARD  DROP
    316 iptables -P OUTPUT   DROP
    317 
    318 # be verbose on dynamic ip-addresses  (not needed in case of static IP)
    319 echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
    320 
    321 # disable ExplicitCongestionNotification
    322 # too many routers are still ignorant
    323 echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
    324 
    325 # End $rc_base/init.d/firewall
     229# End $rc_base/rc.iptables
    326230<command>EOF</command></userinput></screen>
    327231
    328 <para>His script is quite simple, it drops all traffic coming in into your
     232<para>This script is quite simple, it drops all traffic coming in into your
    329233computer that wasn't initiated from your box, but as long as you are simply
    330234surfing the Internet you are unlikely to exceed its limits.</para>
    331235
    332236<para>If you frequently encounter certain delays at accessing ftp-servers,
    333 please have a look at <xref linkend="fw-busybox"/> -
    334 <xref linkend="fw-BB-4"/>.</para>
    335 
    336 <para>Even if you have daemons or services running on your box, these
    337 should be inaccessible everywhere but from your box itself.
     237take a look at <xref linkend="fw-BB-4"/>.</para>
     238
     239<para>Even if you have daemons or services running on your system, these
     240will be inaccessible everywhere but from your computer itself.
    338241If you want to allow access to services on your machine, such as ssh or
    339 pinging, take a look at <xref linkend="fw-busybox"/>.</para>
    340 
    341 </sect3>
    342 
     242ping, take a look at <xref linkend="fw-busybox"/>.</para>
     243
     244</sect3>
    343245
    344246<sect3 id="fw-masqRouter" xreflabel="Masquerading Router">
    345247<title>Masquerading Router</title>
    346248
    347 <para>A true Firewall has two interfaces, one connected to an intranet,
    348 in this example, <emphasis role="strong">eth0</emphasis>, and one
    349 connected to the Internet, here, <emphasis role="strong">ppp0</emphasis>.
    350 To provide the maximum security against the box itself being broken into,
    351 make sure that there are no servers running on it, especially not
    352 <application>X11</application> et
    353 al.  And, as a general principle, the box itself should not access any
    354 untrusted service (Think of a name server giving answers that make your
    355 bind crash, or, even worse, that implement a worm via a
    356 buffer-overflow).</para>
    357 
    358 <screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</command>
     249<para>A true Firewall has two interfaces, one connected to an intranet, in this
     250example <emphasis role="strong">eth0</emphasis>, and one connected to the
     251Internet, here <emphasis role="strong">ppp0</emphasis>.  To provide the
     252maximum security for the firewall itself, make sure that there
     253are no unnecessary servers running on it such as <application>X11</application> et
     254al.  As a general principle, the firewall itself should not access any
     255untrusted service (Think of a remote server giving answers that makes a daemin on
     256your system
     257crash, or, even worse, that implements a worm via a buffer-overflow).</para>
     258
     259<screen><userinput><command>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"</command>
    359260#!/bin/sh
    360261
    361 # Begin $rc_base/init.d/firewall
     262# Begin $rc_base/rc.iptables
    362263
    363264echo
    364 echo "You're using the example-config for a setup of a firewall"
    365 echo "from the firewalling-hint written for LinuxFromScratch."
     265echo "You're using the example configuration for a setup of a firewall"
     266echo "from Beyond Linux From Scratch."
    366267echo "This example is far from being complete, it is only meant"
    367268echo "to be a reference."
    368269echo "Firewall security is a complex issue, that exceeds the scope"
    369 echo "of the quoted configuration rules."
    370 echo "You can find some quite comprehensive information"
     270echo "of the configuration rules below."
     271echo "You can find additional information"
    371272echo "about firewalls in Chapter 4 of the BLFS book."
    372273echo "http://www.linuxfromscratch.org/blfs"
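Review bot: the new sysctl block at the top of rc.iptables writes only to /proc/sys/net/ipv4/conf/all/ and drops the old per-interface loop ("for f in /proc/sys/net/ipv4/conf/*/rp_filter"), and that is not equivalent for every key. According to Documentation/networking/ip-sysctl.txt, rp_filter uses the maximum of conf/all and the per-interface value and log_martians is on if either is set, so conf/all is enough for those two, and accept_source_route requires conf/all to be set, so "echo 0" there is sufficient; but send_redirects is enabled if at least one of conf/{all,interface} is set, and on a host with forwarding disabled (this personal firewall never touches ip_forward) accept_redirects is likewise enabled if at least one of the two is set. Because the per-interface defaults for both are 1, "echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects" and "echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects" do not actually turn redirects off; loop over conf/*/accept_redirects and conf/*/send_redirects the way the old script looped over rp_filter. Smaller points in the same block: "Don¹t send Redirect Messages" contains a mis-encoded apostrophe that will be copied into the installed script, and "pre-exisiting" is a typo. The catch-all "iptables -A INPUT -j LOG" still has no "-m limit", so a port scan fills the kernel log (the old script had the same issue; now is the time to add a limit). In the router prose just below, "makes a daemin on your system crash" should read "daemon".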
     
    386287modprobe ipt_REJECT
    387288
    388 # allow local-only connections
     289# Enable broadcast echo Protection
     290echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
     291
     292# Disable Source Routed Packets
     293echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
     294
     295# Enable TCP SYN Cookie Protection
     296echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
     297
     298# Disable ICMP Redirect Acceptance
     299echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects
     300
     301# Don¹t send Redirect Messages
     302echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
     303
     304# Drop Spoofed Packets coming in on an interface where responses
     305# would result in the reply going out a different interface.
     306echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
     307
     308# Log packets with impossible addresses.
     309echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
     310
     311# Be verbose on dynamic ip-addresses  (not needed in case of static IP)
     312echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
     313
     314# Disable Explicit Congestion Notification
     315# Too many routers are still ignorant
     316echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
     317
     318# Set a known state
     319iptables -P INPUT   DROP
     320iptables -P FORWARD DROP
     321iptables -P OUTPUT  DROP
     322 
     323# These lines are here in case rules are already in place and the
     324# script is ever rerun on the fly. We want to remove all rules and
     325# pre-exisiting user defined chains before we implement new rules.
     326iptables -F
     327iptables -X
     328iptables -Z
     329 
     330iptables -t nat -F
     331
     332# Allow local connections
    389333iptables -A INPUT  -i lo -j ACCEPT
    390334iptables -A OUTPUT -o lo -j ACCEPT
    391335
    392 # allow forwarding
     336# Allow forwarding if the initiated on the intranet
    393337iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    394 iptables -A FORWARD -m state --state NEW -i ! ppp+      -j ACCEPT
    395 
    396 # do masquerading
     338iptables -A FORWARD  -i ! ppp+ -m state --state NEW      -j ACCEPT
     339
     340# Do masquerading
    397341# (not needed if intranet is not using private ip-addresses)
    398342iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
    399343
    400344# Log everything for debugging
    401 # (last of all rules, but before DROP/REJECT)
     345# (last of all rules, but before policy rules)
    402346iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT  "
    403347iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
    404348iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "
    405349
    406 # set a sane policy
    407 iptables -P INPUT   DROP
    408 iptables -P FORWARD DROP
    409 iptables -P OUTPUT  DROP
    410 
    411 # be verbose on dynamic ip-addresses
    412 # (not needed in case of static IP)
    413 echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
    414 
    415 # disable ExplicitCongestionNotification
    416 echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
    417 
    418 # activate TCPsyncookies
    419 echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
    420 
    421 # activate Route-Verification = IP-Spoofing_protection
    422 for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    423         echo 1 &gt; $f
    424 done
    425 
    426 # activate IP-Forwarding
     350# Enable IP Forwarding
    427351echo 1 &gt; /proc/sys/net/ipv4/ip_forward
    428352<command>EOF</command></userinput></screen>
    429353
    430 <para>With this script your intranet should be sufficiently secure against
     354<para>With this script your intranet should be reasonably secure against
    431355external attacks. No one should be able to setup a new connection to any
    432 internal service and, if it's masqueraded, it's even invisible. Furthermore,
    433 your firewall should be nearly immune because there are no services running
    434 that a cracker could attack.</para>
    435 
    436 <para>Note: if the interface you're connecting to the Internet
    437 doesn't connect via ppp, you will need to change
    438 <replaceable>ppp+</replaceable> to the name of the interface which you are
    439 using.  If you are using the same interface type to connect to both your
    440 intranet and the Internet, you need to use the actual name of the
    441 interface such as <emphasis role="strong">eth0</emphasis>,
    442 on both interfaces.</para>
    443 
    444 <para>If you need stronger security (e.g., against DOS, connection
    445 highjacking, spoofing, etc.), have a look at the list of
    446 <xref linkend="fw-library"/> at the end of this section.</para>
     356internal service and, if it's masqueraded, makes your intranet invisible to the
     357Internet. Furthermore, your firewall should be relatively safe because there
     358are no services running that a cracker could attack.</para>
     359
     360<note><para>If the interface you're connecting to the Internet doesn't connect
     361via ppp, you will need to change <replaceable>ppp+</replaceable> to the name of
     362the interface, e.g. <emphasis role="strong">eth1</emphasis>, which you are using.
     363</para></note>
    447364
    448365</sect3>
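Review bot: the note at the end says to change "ppp+" to the real interface name, but ppp+ appears twice in the script, in the FORWARD rule ("iptables -A FORWARD -i ! ppp+ -m state --state NEW -j ACCEPT") and in the MASQUERADE rule ("iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE"); say both must be changed. The removed sentence from the old note (when both sides use the same interface type, name both interfaces explicitly) should survive, because the FORWARD rule accepts NEW connections from every interface that is not the external one, so on a box with a third interface that interface is silently trusted as well. The negation form "-i ! ppp+" is accepted by the iptables of this era, but later releases warn that intrapositioned negation is deprecated in favour of "! -i ppp+"; switching now avoids that. On the sysctls: this script does enable ip_forward, so writing 0 to conf/all/accept_redirects is sufficient here, but send_redirects is enabled if either conf/all or the per-interface value is set and the per-interface default is 1, so "echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects" alone does not stop the router from sending redirects; the old script's "for f in /proc/sys/net/ipv4/conf/*/..." loop, removed in this hunk, is the right shape for that key too. Same two typos as in the personal-firewall script: the "¹" in "Don¹t send" and "pre-exisiting".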
     
    451368<title>BusyBox</title>
    452369
    453 <para>This scenario isn't too different from (<xref linkend="fw-masqRouter"/>),
    454 but in this case you want to offer some services to your intranet.
    455 Examples of this can be when you want to admin your box from another host
    456 on your intranet or use it as a proxy or a name server. Note: Outlining a true
    457 concept of how to protect a server that offers services on the Internet
    458 goes far beyond the scope of this document,
    459 see <xref linkend="postlfs-security-fw-disclaimer"/>.</para>
    460 
    461 <para>Be cautious.  Every service you offer and have enabled makes your
    462 setup more complex and your box less secure. You induce the risks of
     370<para>This scenario isn't too different from the <xref linkend="fw-masqRouter"/>,
     371but additionally offers some services to your intranet.
     372Examples of this can be when you want to administer your firewall from another host
     373on your intranet or use it as a proxy or a name server.</para>
     374
     375<note><para>Outlining a true concept of how to protect a server that offers
     376services on the Internet goes far beyond the scope of this document. See the references
     377at the end of this section for more information.</para></note>
     378
     379<para>Be cautious.  Every service you have enabled makes your
     380setup more complex and your firewall less secure. You are exposed to the risks of
    463381misconfigured services or running a service with an exploitable bug.  A
    464382firewall should generally not run any extra services.  See the introduction to
    465 <xref linkend="fw-masqRouter"/> for some more details.</para>
    466 
    467 <para>If the services you'd like to offer do not need to access the Internet
    468 themselves, like internal-only samba- or name-servers, it's quite
     383the <xref linkend="fw-masqRouter"/> for some more details.</para>
     384
     385<para>If you want to add services such as internal samba or name servers that do not
     386need to access the Internet themselves,  the additional statements are quite
    469387simple and should still be acceptable from a security standpoint.
    470 Just add the following lines <emphasis>before</emphasis> the logging-rules
    471 into the script.</para>
     388Just add the following lines
     389into the script <emphasis>before</emphasis> the logging rules.</para>
    472390
    473391<screen>iptables -A INPUT  -i ! ppp+  -j ACCEPT
    474392iptables -A OUTPUT -o ! ppp+  -j ACCEPT</screen>
    475393
    476 <para>If your daemons have to access the web themselves, like squid would need
    477 to, you could open OUTPUT generally and restrict INPUT.</para>
    478 
    479 <screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED  -j ACCEPT
     394<para>If daemons, such as squid, have to access the Internet themselves,
     395you could open OUTPUT generally and restrict INPUT.</para>
     396
     397<screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    480398iptables -A OUTPUT                                     -j ACCEPT</screen>
    481399
    482400<para>However, it is generally not advisable to leave OUTPUT unrestricted. You
    483 lose any control over trojans who'd like to "call home", and a bit of
    484 redundancy in case you've (mis-)configured a service so that it does broadcast
     401lose any control over trojans who would like to "call home", and a bit of
     402redundancy in case you've (mis-)configured a service so that it broadcasts
    485403its existence to the world.</para>
    486404
    487 <para>If you prefer to have this protection, you may restrict INPUT and OUTPUT
     405<para>To accomplish this, you should restrict INPUT and OUTPUT
    488406on all ports except those that it's absolutely necessary to have open.
    489407Which ports you have to open depends on your needs: mostly you will find them
    490 by looking for failed accesses in your log-files.</para>
    491 <itemizedlist spacing="compact">
    492 <!-- <orderedlist numeration="arabic" spacing="compact"> -->
     408by looking for failed accesses in your log files.</para>
     409<itemizedlist spacing="compact" role='iptables'>
     410
    493411<title>Have a look at the following examples:</title>
    494412
    495413<listitem><para>Squid is caching the web:</para>
    496414<screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
    497 iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED \
    498 -j ACCEPT</screen>
    499 </listitem>
    500 
    501 <listitem><para>Your caching name server (e.g., dnscache) does its
     415iptables -A INPUT  -p tcp --sport 80 -m state --state ESTABLISHED \
     416  -j ACCEPT</screen>
     417</listitem>
     418
     419<listitem><para>Your caching name server (e.g., named) does its
    502420lookups via udp:</para>
    503 <screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
    504 iptables -A INPUT  -p udp --sport 53 -m state --state ESTABLISHED \
    505 -j ACCEPT</screen>
    506 </listitem>
    507 
    508 <listitem><para>Alternatively, if you want to be able to ping your box to
     421<screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</screen>
     422</listitem>
     423
     424<listitem><para>You want to be able to ping your box to
    509425ensure it's still alive:</para>
    510426
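Review bot: the caching name server example (new line 421) now keeps only `iptables -A OUTPUT -p udp --dport 53 -j ACCEPT` and drops the INPUT rule that admitted the replies (`iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT`), while the squid example directly above it still carries its INPUT reply rule. These items are explicitly written for a setup where INPUT and OUTPUT are restricted to the ports that are strictly needed, so under that policy the UDP answers from upstream servers will be dropped unless a general ESTABLISHED,RELATED rule is present. Either restore the reply rule (connection tracking handles UDP exchanges, so the ESTABLISHED match works) or make both examples depend explicitly on the general rule and say so in the text.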
     
    513429</listitem>
    514430
    515 <listitem><para><anchor id='fw-BB-4' xreflabel="example no. 4"/>If you are
    516 frequently accessing ftp-servers or enjoy chatting, you might notice certain
    517 delays because some implementations of these daemons have the feature of 
    518 querying an identd on your box for logging usernames.
    519 Although there's really no harm in this, having an identd running is not
    520 recommended because some implementations are known to be vulnerable.</para>
     431<listitem><para><anchor id='fw-BB-4' xreflabel="BusyBox example number 4"/>If you are
     432frequently accessing ftp servers or enjoy chatting, you might notice certain
     433delays because some implementations of these daemons have the feature of
     434querying an identd on your system to obtain usernames.  Although there's really
     435little harm in this, having an identd running is not recommended because many
     436security experts feel the service gives out too much additional information.</para>
    521437
    522438<para>To avoid these delays you could reject the requests
    523439with a 'tcp-reset':</para>
    524440
    525 <screen>iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    526 iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen>
    527 </listitem>
    528 
    529 <listitem><para>To log and drop invalid packets (harmless packets
     441<screen>iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset</screen>
     442</listitem>
     443
     444<listitem><para>To log and drop invalid packets (packets
    530445that came in after netfilter's timeout or some types of network scans):</para>
    531446
    532 <screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG \
    533 --log-prefix "FIREWALL:INVALID"
    534 iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></listitem>
     447<screen>iptables -I INPUT -p tcp -m state --state INVALID \
     448  -j LOG --log-prefix "FIREWALL:INVALID"
     449iptables -I INPUT -p tcp -m state --state INVALID -j DROP</screen></listitem>
    535450
    536451<listitem><para>Anything coming from the outside should not have a
    537 private address, this is a common attack called IP-spoofing:</para>
    538 
    539 <screen>iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8     -j DROP
    540 iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12  -j DROP
    541 iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP</screen>
     452private address, this is a common attack called IP-spoofing:
     453
     454<screen>iptables -A INPUT -i ppp+ -s 10.0.0.0/8     -j DROP
     455iptables -A INPUT -i ppp+ -s 172.16.0.0/12  -j DROP
     456iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP</screen>
     457
     458There are other addresses that you may also want to drop: 0.0.0.0/8,
     459127.0.0.0/8, 224.0.0.0/3 (multicast and experimental), 169.254.0.0/16 (Link
     460Local Networks), and  192.0.2.0/24 (IANA defined test network).</para>
     461</listitem>
     462
     463<listitem><para>If your firewall is a DHCP client, you need to allow
     464those packets:</para>
     465
     466<screen>iptables -A INPUT  -i ppp0 -p udp -s 0.0.0.0 --sport 67 \
     467   -d 255.255.255.255 --dport 68 -j ACCEPT</screen>
    542468</listitem>
    543469
    544470<listitem><para>To simplify debugging and be fair to anyone who'd like to
    545 access a service you have disabled, purposely or by mistake, you should REJECT
     471access a service you have disabled, purposely or by mistake, you could REJECT
    546472those packets that are dropped.</para>
    547473
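Review bot: the INVALID-packet example at new lines 447-449 no longer logs anything. Both commands use `-I INPUT` without a position, so each inserts at rule 1; the DROP rule is inserted second and therefore lands in front of the LOG rule, and INVALID packets are dropped before they reach it. Keep the explicit positions the old text had (`-I INPUT 1` for LOG, `-I INPUT 2` for DROP) or issue the DROP insert first. Two smaller points in the same hunk: the new DHCP rule matches `-i ppp0 -p udp -s 0.0.0.0 --sport 67 -d 255.255.255.255 --dport 68`, but a source of 0.0.0.0 is what the client's own DISCOVER carries, not the server's OFFER/ACK (which is sourced from the server's address, port 67), so the rule as written will not match the packets the firewall needs to accept; and `ppp0` is inconsistent with the `ppp+`/eth1 wording elsewhere, since a lease is obtained on the Ethernet interface, not over PPP. Finally, with `iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT` removed from the identd item, it is worth confirming that the tcp-reset generated by REJECT still leaves the box when the OUTPUT policy is DROP and no general ESTABLISHED,RELATED rule is in OUTPUT; if it does not, the delay this item is meant to cure comes back.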
     
    549475last lines before the packets are dropped by policy:</para>
    550476
    551 <screen>iptables -A INPUT                        -j REJECT
    552 iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT</screen></listitem>
     477<screen>iptables -A INPUT -j REJECT</screen>
     478</listitem>
    553479</itemizedlist>
    554 <!--</orderedlist>-->
    555 
    556 <para>These are only examples to show you some of the capabilities of the new
    557 firewall code in Linux-Kernel 2.4. Have a look at the man page of
    558 iptables.
    559 There you will find more of them. The port-numbers you'll need for this
    560 can be found in <filename>/etc/services</filename>, in case you didn't
    561 find them by trial and error in your log file.</para>
    562 
    563 <para>If you add any of your offered or accessed services such as the above,
    564 maybe even in FORWARD and for intranet-communication, and delete the
    565 general clauses, you get an old fashioned packet filter.</para>
    566 </sect3>
    567 
     480
     481<para>These are only examples to show you some of the capabilities of the
     482firewall code in Linux. Have a look at the man page of iptables.
     483There you will find much more information. The port numbers needed for this can be
     484found in <filename>/etc/services</filename>, in case you didn't find them by
     485trial and error in your log file.</para>
     486
     487</sect3>
    568488</sect2>
    569489
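Review bot: dropping `iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT` from the final REJECT example (new line 477) defeats the stated purpose of that item. REJECT answers with an ICMP destination-unreachable (type 3) unless told otherwise, and the surrounding text recommends restricting OUTPUT to the ports that are absolutely necessary, so unless OUTPUT explicitly permits that ICMP type the error is dropped on the way out and the remote side sees the same timeout it would with DROP, which is exactly what "be fair to anyone who'd like to access a service you have disabled" was trying to avoid. Keep the ICMP rule next to the REJECT rule, or state that the example assumes OUTPUT already allows ICMP type 3.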
     
    571491<title>Conclusion</title>
    572492
    573 <para>Finally, I'd like to remind you of one fact we must not forget:
    574 The effort spent attacking a system corresponds to the value the cracker
    575 expects to gain from it.
    576 If you are responsible for such valuable assets that you expect great
    577 effort to be made by potential crackers, you hopefully won't be in the
    578 need of this hint!</para>
    579 
    580 <!-- <para><literallayout>Be cautious!
    581 
    582     Henning Rohde
    583 <email>Henning.Rohde@uni-bayreuth.de</email></literallayout></para>
    584 
    585 <para>PS: And always do remember:
    586 SecureIT is not a matter of a status-quo but one of never stopping
    587 to take care!</para>
    588 
    589 <para>PPS: If any of these scripts fail, please tell me. I will try to trace
    590 any faults.</para> -->
     493<para>Finally, there is one fact you must not forget: The effort spent
     494attacking a system corresponds to the value the cracker expects to gain from
     495it.  If you are responsible for valuable information, you need to spend the
     496time to protect it properly.</para>
    591497
    592498</sect2>
     
    625531</sect3>
    626532
    627 <sect3 id="fw-status" xreflabel="/etc/rc.d/init.d/firewall.status">
    628 <title>firewall.status</title>
    629 
    630 <para>If you'd like to have a look at the chains your firewall consists of and
    631 the order in which the rules take effect:</para>
    632 
    633 <screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall.status &lt;&lt; "EOF"</command>
    634 #!/bin/sh
    635 
    636 # Begin $rc_base/init.d/firewall.status
    637 
    638 echo "iptables.mangling:"
    639 iptables -t mangle  -v -L -n --line-numbers
    640 
    641 echo
    642 echo "iptables.nat:"
    643 iptables -t nat     -v -L -n --line-numbers
    644 
    645 echo
    646 echo "iptables.filter:"
    647 iptables            -v -L -n --line-numbers
    648 <command>EOF</command></userinput></screen>
    649 </sect3>
    650 
    651 <sect3 id="postlfs-security-fw-stop" xreflabel="/etc/rc.d/init.d/firewall.stop">
    652 <title>firewall.stop</title>
    653 
    654 <para>If you need to turn the firewall off, this script will do it:</para>
    655 
    656 <screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall.stop &lt;&lt; "EOF"</command>
    657 #!/bin/sh
    658 
    659 # Being $rc_base/init.d/firewall.stop
    660 
    661 # deactivate IP-Forwarding
    662 echo 0 > /proc/sys/net/ipv4/ip_forward
    663 
    664 iptables -Z
    665 iptables -F
    666 iptables -t nat         -F PREROUTING
    667 iptables -t nat         -F OUTPUT
    668 iptables -t nat         -F POSTROUTING
    669 iptables -t mangle      -F PREROUTING
    670 iptables -t mangle      -F OUTPUT
    671 iptables -X
    672 iptables -P INPUT       ACCEPT
    673 iptables -P FORWARD     ACCEPT
    674 iptables -P OUTPUT      ACCEPT
    675 <command>EOF</command></userinput></screen>
    676 </sect3>
    677 
    678533</sect2>
    679 
    680534</sect1>
    681535
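Review bot: removing the firewall.status and firewall.stop sect3 elements also removes the ids `fw-status` and `postlfs-security-fw-stop`, both declared with xreflabels, so any `<xref linkend="..."/>` to them elsewhere in the book will now fail to resolve; the commit message ("Update firewalling section") does not say whether these scripts were relocated. firewall.stop was the only script shown that flushes the nat and mangle chains, deletes user-defined chains and resets all three policies to ACCEPT, which is what an administrator locked out by a bad rule set needs, and firewall.status was the only documented way to list the chains with rule numbers; if neither has moved, consider keeping at least the stop script. (The `# Being $rc_base/init.d/firewall.stop` typo in the removed script is moot if the removal stands.)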