Context Navigation

← Previous Changeset
Next Changeset →

Changeset 14c0be2f

Timestamp:

10/25/2019 06:28:45 AM (5 years ago)

Author:

DJ Lucas <dj@…>

Branches:

10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 9.1, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal

Children:

3d5a675

Parents:

6914a417

Message:

Add nftables-0.9.2. Fixes #4620.
Add firewalld-0.7.2.
Add libnftnl-1.1.4.
Add libmnl-1.0.4.
Add decorator-4.4.0.
Add python-slip-0.6.5.
Update to blfs-bootscripts-20191025.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@22301 af4574ff-66df-0310-9fd7-8a98e5e911e0

Files:

: 6 added
: 8 edited

general.ent (modified) (3 diffs)
general/prog/decorator.xml (added)
general/prog/python-modules.xml (modified) (4 diffs)
general/prog/python-slip.xml (added)
introduction/welcome/changelog.xml (modified) (1 diff)
networking/netlibs/libmnl.xml (added)
networking/netlibs/libnftnl.xml (added)
networking/netlibs/netlibs.xml (modified) (1 diff)
packages.ent (modified) (5 diffs)
postlfs/security/firewalld.xml (added)
postlfs/security/firewalling.xml (modified) (4 diffs)
postlfs/security/iptables.xml (modified) (10 diffs)
postlfs/security/nftables.xml (added)
postlfs/security/security.xml (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

general.ent

-              r6914a417
+              r14c0be2f
 <!-- $LastChangedBy$ $Date$ -->
 <!ENTITY day          "24">                   <!-- Always 2 digits -->
+<!ENTITY day          "25">                   <!-- Always 2 digits -->
 <!ENTITY month        "10">                   <!-- Always 2 digits -->
 <!ENTITY year         "2019">
 …
 <!ENTITY copyholder   "The BLFS Development Team">
 <!ENTITY version      "&year;-&month;-&day;">
 <!ENTITY releasedate  "October 24th, &year;">
+<!ENTITY releasedate  "October 25th, &year;">
 <!ENTITY pubdate      "&year;-&month;-&day;"> <!-- metadata req. by TLDP -->
 <!ENTITY blfs-version "svn">                  <!-- svn|[release #] -->
 …
 <!-- End LFS versions -->
 <!ENTITY blfs-bootscripts-version     "20190908">
+<!ENTITY blfs-bootscripts-version     "20191025">
 <!ENTITY systemd-units-version        "20180105">

general/prog/python-modules.xml

-              r6914a417
+              r14c0be2f
       <listitem>
         <para>
+          <xref linkend="decorator"/>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
           <xref linkend="docutils"/>
         </para>
 …
       <listitem>
         <para>
+          <xref linkend="python-slip"/>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
           <xref linkend="scour"/>
         </para>
 …
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+    href="decorator.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
     href="docutils.xml"/>
 …
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+    href="python-slip.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
     href="pyyaml.xml"/>

introduction/welcome/changelog.xml

-              r6914a417
+              r14c0be2f
        -->
     <listitem>
+      <para>October 25th, 2019</para>
+      <itemizedlist>
+        <listitem>
+          <para>[dj] - Add nftables-0.9.2. Fixes
+          <ulink url="&blfs-ticket-root;4620">#4620</ulink>.</para>
+        </listitem>
+        <listitem>
+          <para>[dj] - Add firewalld-0.7.2.</para>
+        </listitem>
+        <listitem>
+          <para>[dj] - Add libnftnl-1.1.4.</para>
+        </listitem>
+        <listitem>
+          <para>[dj] - Add libmnl-1.0.4.</para>
+        </listitem>
+        <listitem>
+          <para>[dj] - Add decorator-4.4.0.</para>
+        </listitem>
+        <listitem>
+          <para>[dj] - Add python-slip-0.6.5.</para>
+        </listitem>
+        <listitem>
+          <para>[dj] - Update to blfs-bootscripts-20191025.</para>
+        </listitem>
+      </itemizedlist>
+    </listitem>
+    <listitem>
       <para>October 24th, 2019</para>
       <itemizedlist>

networking/netlibs/netlibs.xml

r6914a417	r14c0be2f
29	29	<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="ldns.xml"/>
30	30	<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="libevent.xml"/>
	31	<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="libmnl.xml"/>
	32	<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="libnftnl.xml"/>
31	33	<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="libnl.xml"/>
32	34	<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="libnsl.xml"/>

packages.ent

-              r6914a417
+              r14c0be2f
 <!ENTITY cyrus-sasl-version           "2.1.27">
 <!ENTITY gnupg2-version               "2.2.17">
+<!ENTITY firewalld-version            "0.7.2">
 <!ENTITY gnutls-version               "3.6.10">
 <!ENTITY gpgme-version                "1.13.1">
 …
 <!ENTITY mitkrb-major-version         "1.17">
 <!ENTITY mitkrb-version               "1.17">
+<!ENTITY nftables-version             "0.9.2">
 <!ENTITY nettle-version               "3.5.1">
 …
 <!ENTITY dbus-python-version          "1.2.12">
 <!-- <!ENTITY funcsigs-version             "1.0.2"> -->
+<!ENTITY decorator-version            "4.4.0">
 <!ENTITY Jinja2-version               "2.10.3">
 <!-- libxml2 for Python2 shares the version of libxml2 -->
 …
 <!ENTITY scour-version                "0.37">
 <!ENTITY six-version                  "1.12.0">
+<!ENTITY python-slip-version          "0.6.5">
 <!-- <!ENTITY setuptools-version           "30.2.0"> -->
 …
 <!ENTITY ldns-version                 "1.7.1">
 <!ENTITY libevent-version             "2.1.11">
+<!ENTITY libmnl-version               "1.0.4">
+<!ENTITY libnftnl-version             "1.1.4">
 <!ENTITY libnl-version                "3.5.0">
 <!ENTITY libnl-dl-version             "3_5_0">

postlfs/security/firewalling.xml

-              r6914a417
+              r14c0be2f
   <title>Setting Up a Network Firewall</title>
-  <para>Before you read this part of the chapter, you should have
-  already installed iptables as described in the previous section.</para>
   <sect2 id="fw-intro" xreflabel="Firewalling Introduction">
     <title>Introduction to Firewall Creation</title>
+    <para>The general purpose of a firewall is to protect a computer or
+    a network against malicious access.</para>
+    <para>In a perfect world, every daemon or service on every machine
+    is perfectly configured and immune to flaws such as buffer overflows
+    or other problems regarding its security. Furthermore, you trust
+    every user accessing your services. In this world, you do not need
+    to have a firewall.</para>
+    <para>In the real world however, daemons may be misconfigured and
+    exploits against essential services are freely available. You may
+    wish to choose which services are accessible by certain machines or
+    you may wish to limit which machines or applications are allowed
+    external access. Alternatively, you may simply not trust some of
+    your applications or users. You are probably connected to the
+    Internet. In this world, a firewall is essential.</para>
+    <para>Don't assume however, that having a firewall makes careful
+    configuration redundant, or that it makes any negligent
+    misconfiguration harmless. It doesn't prevent anyone from exploiting
+    a service you intentionally offer but haven't recently updated or
+    patched after an exploit went public.  Despite having a firewall, you
+    need to keep applications and daemons on your system properly
+    configured and up to date.  A firewall is not a cure all, but should
+    be an essential part of your overall security strategy.</para>
+    <para>
+      The purpose of a firewall is to protect a computer or a network against
+      malicious access. In a perfect world every daemon or service, on every
+      machine, is perfectly configured and immune to security flaws, and all
+      users are trusted implicitly to use the equipment as intended. However,
+      this is rarely, if ever, the case. Daemons may be misconfigured, or
+      updates may not have been applied for known exploits against essential
+      services. Additionally, you may wish to choose which services are
+      accessible by certain machines or users, or you may wish to limit which
+      machines or applications are allowed external access. Alternatively, you
+      simply may not trust some of your applications or users. For these
+      reasons, a carefully designed firewall should be an essential part of
+      system security.
+    </para>
+    <para>
+      While a firewall can greatly limit the scope of the above issues, do not
+      assume that having a firewall makes careful configuration redundant, or
+      that any negligent misconfiguration is harmless. A firewall does not
+      prevent the exploitation of any service you offer outside of it. Despite
+      having a firewall, you need to keep applications and daemons properly
+      configured and up to date.
+    </para>
   </sect2>
 …
     <title>Meaning of the Word "Firewall"</title>
+    <para>The word firewall can have several different meanings.</para>
+    <sect3>
+      <title><xref linkend="fw-persFw"/></title>
+      <para>This is a hardware device or software program commercially sold (or
+      offered via freeware) by companies such as Symantec which claims that
+      it secures a home or desktop computer connected to the Internet. This
+      type of firewall is highly relevant for users who do not know how their
+      computers might be accessed via the Internet or how to disable
+      that access, especially if they are always online and connected
+      via broadband links.</para>
+    </sect3>
+    <sect3>
+      <title><xref linkend="fw-masqRouter"/></title>
+      <para>This is a system placed between the Internet and an intranet.
+      To minimize the risk of compromising the firewall itself, it should
+      generally have only one role&mdash;that of protecting the intranet.
+      Although not completely risk free, the tasks of doing the routing and
+      IP masquerading (rewriting IP headers of the packets it routes from
+      clients with private IP addresses onto the Internet so that they seem
+      to come from the firewall itself) are commonly considered relatively
+      secure.</para>
+    </sect3>
+    <sect3>
+      <title><xref linkend="fw-busybox"/></title>
+      <para>This is often an old computer you may have retired and nearly
+      forgotten, performing masquerading or routing functions, but offering
+      non-firewall services such as a web-cache or mail.  This may be used
+      for home networks, but is not to be considered as secure as a firewall
+      only machine because the combination of server and router/firewall on
+      one machine raises the complexity of the setup.</para>
+    </sect3>
+    <sect3>
+      <title>Firewall with a Demilitarized Zone [Not Further
+      Described Here]</title>
+      <para>This box performs masquerading or routing, but grants public
+      access to some branch of your network which, because of public IPs
+      and a physically separated structure, is essentially a separate
+      network with direct Internet access. The servers on this network are
+      those which must be easily accessible from both the Internet and
+      intranet. The firewall protects both networks. This type of firewall
+      has a minimum of three network interfaces.</para>
+    <para>
+      The word firewall can have several different meanings.
+    </para>
+    <sect3>
+      <title>Personal Firewall</title>
+      <para>
+        This is a hardware device or software program, intended to secure a
+        home or desktop computer connected to the Internet. This type of
+        firewall is highly relevant for users who do not know how their
+        computers might be accessed via the Internet or how to disable
+        that access, especially if they are always online and connected
+        via broadband links.
+      </para>
+      <para>
+        An example configuration for a personal firewall is provided at
+        <xref linkend="fw-persFw-ipt"/>.
+      </para>
+    </sect3>
+    <sect3>
+      <title>Masquerading Router</title>
+      <para>
+        This is a system placed between the Internet and an intranet.
+        To minimize the risk of compromising the firewall itself, it should
+        generally have only one role&mdash;that of protecting the intranet.
+        Although not completely risk-free, the tasks of doing the routing and
+        IP masquerading (rewriting IP headers of the packets it routes from
+        clients with private IP addresses onto the Internet so that they seem
+        to come from the firewall itself) are commonly considered relatively
+        secure.
+      </para>
+      <para>
+        Example configurations for a masquerading firewall are provided at
+        <xref linkend="fw-masqRouter-ipt"/> and
+        <xref linkend="fw-masqRouter-nft"/>.
+      </para>
+    </sect3>
+    <sect3>
+      <title>BusyBox</title>
+      <para>
+        This is often an old computer you may have retired and nearly
+        forgotten, performing masquerading or routing functions, but offering
+        non-firewall services such as a web-cache or mail. This may be used
+        for home networks, but is not to be considered as secure as a firewall
+        only machine because the combination of server and router/firewall on
+        one machine raises the complexity of the setup.
+      </para>
+      <para>
+        An example configuration for a BusyBox is provided at
+        <xref linkend="fw-busybox-ipt"/>.
+      </para>
+    </sect3>
+    <sect3>
+      <title>Firewall with a Demilitarized Zone</title>
+      <para>
+        This type of firewall performs masquerading or routing, but grants
+        public access to some branch of your network that is physically
+        separated from your regular intranet and is essentially a separate
+        network with direct Internet access. The servers on this network are
+        those which must be easily accessible from both the Internet and
+        intranet. The firewall protects both networks. This type of firewall
+        has a minimum of three network interfaces.
+      </para>
     </sect3>
 …
       <title>Packetfilter</title>
+      <para>This type of firewall does routing or masquerading, but does
+      not maintain a state table of ongoing communication streams. It is
+      fast, but quite limited in its ability to block undesired packets
+      without blocking desired packets.</para>
+    </sect3>
+  </sect2>
+  <sect2 id="fw-writing" xreflabel="writing the firewalling-setup-scripts">
+    <title>Now You Can Start to Build your Firewall</title>
+      <para>
+        This type of firewall does routing or masquerading but does
+        not maintain a state table of ongoing communication streams. It is
+        fast but quite limited in its ability to block undesired packets
+        without blocking desired packets.
+      </para>
+    </sect3>
+  </sect2>
+  <sect2>
+    <title>Conclusion</title>
     <caution>
+      <para>This introduction on how to setup a firewall is not a
+      complete guide to securing systems. Firewalling is a complex
+      issue that requires careful configuration. The scripts quoted
+      here are simply intended to give examples of how a firewall
+      works. They are not intended to fit into any particular
+      configuration and may not provide complete protection from
+      an attack.</para>
+      <para>Customization of these scripts for your specific situation
+      will be necessary for an optimal configuration, but you should
+      make a serious study of the iptables documentation and creating
+      firewalls in general before hacking away. Have a look at the
+      list of <xref linkend="fw-library"/> at the end of this section for
+      more details. There you will find a list of URLs that contain quite
+      comprehensive information about building your own firewall.</para>
+      <para>
+        The example configurations provided for <xref linkend="iptables"/> and
+        <xref linkend="nftables"/> are not intended to be a complete guide to
+        securing systems. Firewalling is a complex issue that requires careful
+        configuration. The configurations provided by BLFS are intended only to
+        give examples of how a firewall works. They are not intended to fit any
+        particular configuration and may not provide complete protection from
+        an attack.
+      </para>
     </caution>
+    <para revision="sysv">The firewall configuration script installed in the
+    iptables section differs from the standard configuration script. It only
+    has two of the standard targets: start and status. The other targets are
+    clear and lock. For instance if you issue:</para>
+<screen role="root" revision="sysv"><userinput>/etc/rc.d/init.d/iptables start</userinput></screen>
+    <para revision="sysv">the firewall will be restarted just as it is upon
+    system startup. The status target will present a list of all currently
+    implemented rules. The clear target turns off all firewall rules and the
+    lock target will block all packets in and out of the computer with the
+    exception of the loopback interface.</para>
+    <para revision="sysv">The main startup firewall is located in the file
+    <filename>/etc/rc.d/rc.iptables</filename>. The sections below provide
+    three different approaches that can be used for a system.</para>
+    <para revision="systemd">The main startup firewall is located in the file
+    <filename>/etc/systemd/scripts/iptables</filename>. The sections below
+    provide three different approaches that can be used for a system.</para>
+    <note>
+      <para>You should always run your firewall rules from a script.
+      This ensures consistency and a record of what was done. It also
+      allows retention of comments that are essential for understanding
+      the rules long after they were written.</para>
+    </note>
+    <sect3 id="fw-persFw" xreflabel="Personal Firewall">
+      <title>Personal Firewall</title>
+      <para>A Personal Firewall is designed to let you access all the
+      services offered on the Internet, but keep your box secure and
+      your data private.</para>
+      <para>Below is a slightly modified version of Rusty Russell's
+      recommendation from the <ulink
+      url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">
+      Linux 2.4 Packet Filtering HOWTO</ulink>. It is still applicable
+      to the Linux 2.6 kernels.</para>
+<screen role="root" revision="sysv"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
+<literal>#!/bin/sh
+# Begin rc.iptables
+# Insert connection-tracking modules
+# (not needed if built into the kernel)
+modprobe nf_conntrack
+modprobe xt_LOG
+# Enable broadcast echo Protection
+echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+# Disable Source Routed Packets
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
+echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route
+# Enable TCP SYN Cookie Protection
+echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
+# Disable ICMP Redirect Acceptance
+echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects
+# Do not send Redirect Messages
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
+echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects
+# Drop Spoofed Packets coming in on an interface, where responses
+# would result in the reply going out a different interface.
+echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
+echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter
+# Log packets with impossible addresses.
+echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
+echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians
+# be verbose on dynamic ip-addresses  (not needed in case of static IP)
+echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
+# disable Explicit Congestion Notification
+# too many routers are still ignorant
+echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
+# Set a known state
+iptables -P INPUT   DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT  DROP
+# These lines are here in case rules are already in place and the
+# script is ever rerun on the fly. We want to remove all rules and
+# pre-existing user defined chains before we implement new rules.
+iptables -F
+iptables -X
+iptables -Z
+iptables -t nat -F
+# Allow local-only connections
+iptables -A INPUT  -i lo -j ACCEPT
+# Free output on any interface to any ip for any service
+# (equal to -P ACCEPT)
+iptables -A OUTPUT -j ACCEPT
+# Permit answers on already established connections
+# and permit new connections related to established ones
+# (e.g. port mode ftp)
+iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+# Log everything else. What's Windows' latest exploitable vulnerability?
+iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
+# End $rc_base/rc.iptables</literal>
+EOF
+chmod 700 /etc/rc.d/rc.iptables</userinput></screen>
+<screen role="root" revision="systemd"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts
+cat &gt; /etc/systemd/scripts/iptables &lt;&lt; "EOF"
+<literal>#!/bin/sh
+# Begin /etc/systemd/scripts/iptables
+# Insert connection-tracking modules
+# (not needed if built into the kernel)
+modprobe nf_conntrack
+modprobe xt_LOG
+# Enable broadcast echo Protection
+echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+# Disable Source Routed Packets
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
+echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route
+# Enable TCP SYN Cookie Protection
+echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
+# Disable ICMP Redirect Acceptance
+echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects
+# Do not send Redirect Messages
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
+echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects
+# Drop Spoofed Packets coming in on an interface, where responses
+# would result in the reply going out a different interface.
+echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
+echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter
+# Log packets with impossible addresses.
+echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
+echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians
+# be verbose on dynamic ip-addresses  (not needed in case of static IP)
+echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
+# disable Explicit Congestion Notification
+# too many routers are still ignorant
+echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
+# Set a known state
+iptables -P INPUT   DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT  DROP
+# These lines are here in case rules are already in place and the
+# script is ever rerun on the fly. We want to remove all rules and
+# pre-existing user defined chains before we implement new rules.
+iptables -F
+iptables -X
+iptables -Z
+iptables -t nat -F
+# Allow local-only connections
+iptables -A INPUT  -i lo -j ACCEPT
+# Free output on any interface to any ip for any service
+# (equal to -P ACCEPT)
+iptables -A OUTPUT -j ACCEPT
+# Permit answers on already established connections
+# and permit new connections related to established ones
+# (e.g. port mode ftp)
+iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+# Log everything else. What's Windows' latest exploitable vulnerability?
+iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
+# End /etc/systemd/scripts/iptables</literal>
+EOF
+chmod 700 /etc/systemd/scripts/iptables</userinput></screen>
+      <para>This script is quite simple, it drops all traffic coming
+      into your computer that wasn't initiated from your computer, but
+      as long as you are simply surfing the Internet you are unlikely
+      to exceed its limits.</para>
+      <para>If you frequently encounter certain delays at accessing
+      FTP servers, take a look at <xref linkend="fw-BB-4"/>.</para>
+      <para>Even if you have daemons or services running on your system,
+      these will be inaccessible everywhere but from your computer itself.
+      If you want to allow access to services on your machine, such as
+      <command>ssh</command> or <command>ping</command>, take a look at
+      <xref linkend="fw-busybox"/>.</para>
+    </sect3>
+    <sect3 id="fw-masqRouter" xreflabel="Masquerading Router">
+      <title>Masquerading Router</title>
+      <para>A true Firewall has two interfaces, one connected to an
+      intranet, in this example <emphasis role="strong">eth0</emphasis>,
+      and one connected to the Internet, here <emphasis
+      role="strong">ppp0</emphasis>. To provide the maximum security
+      for the firewall itself, make sure that there are no unnecessary
+      servers running on it such as <application>X11</application> et
+      al. As a general principle, the firewall itself should not access
+      any untrusted service (think of a remote server giving answers that
+      makes a daemon on your system crash, or even worse, that implements
+      a worm via a buffer-overflow).</para>
+<screen role="root" revision="sysv"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
+<literal>#!/bin/sh
+# Begin rc.iptables
+echo
+echo "You're using the example configuration for a setup of a firewall"
+echo "from Beyond Linux From Scratch."
+echo "This example is far from being complete, it is only meant"
+echo "to be a reference."
+echo "Firewall security is a complex issue, that exceeds the scope"
+echo "of the configuration rules below."
+echo "You can find additional information"
+echo "about firewalls in Chapter 4 of the BLFS book."
+echo "http://www.&lfs-domainname;/blfs"
+echo
+# Insert iptables modules (not needed if built into the kernel).
+modprobe nf_conntrack
+modprobe nf_conntrack_ftp
+modprobe xt_conntrack
+modprobe xt_LOG
+modprobe xt_state
+# Enable broadcast echo Protection
+echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+# Disable Source Routed Packets
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
+# Enable TCP SYN Cookie Protection
+echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
+# Disable ICMP Redirect Acceptance
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects
+# Don't send Redirect Messages
+echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects
+# Drop Spoofed Packets coming in on an interface where responses
+# would result in the reply going out a different interface.
+echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter
+# Log packets with impossible addresses.
+echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
+# Be verbose on dynamic ip-addresses  (not needed in case of static IP)
+echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
+# Disable Explicit Congestion Notification
+# Too many routers are still ignorant
+echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
+# Set a known state
+iptables -P INPUT   DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT  DROP
+# These lines are here in case rules are already in place and the
+# script is ever rerun on the fly. We want to remove all rules and
+# pre-existing user defined chains before we implement new rules.
+iptables -F
+iptables -X
+iptables -Z
+iptables -t nat -F
+# Allow local connections
+iptables -A INPUT  -i lo -j ACCEPT
+iptables -A OUTPUT -o lo -j ACCEPT
+# Allow forwarding if the initiated on the intranet
+iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD ! -i ppp+ -m conntrack --ctstate NEW       -j ACCEPT
+# Do masquerading
+# (not needed if intranet is not using private ip-addresses)
+iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
+# Log everything for debugging
+# (last of all rules, but before policy rules)
+iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT "
+iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
+iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "
+# Enable IP Forwarding
+echo 1 &gt; /proc/sys/net/ipv4/ip_forward</literal>
+EOF
+chmod 700 /etc/rc.d/rc.iptables</userinput></screen>
+<screen role="root" revision="systemd"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts
+cat &gt; /etc/systemd/scripts/iptables &lt;&lt; "EOF"
+<literal>#!/bin/sh
+# Begin /etc/systemd/scripts/iptables
+echo
+echo "You're using the example configuration for a setup of a firewall"
+echo "from Beyond Linux From Scratch."
+echo "This example is far from being complete, it is only meant"
+echo "to be a reference."
+echo "Firewall security is a complex issue, that exceeds the scope"
+echo "of the configuration rules below."
+echo "You can find additional information"
+echo "about firewalls in Chapter 4 of the BLFS book."
+echo "http://www.&lfs-domainname;/blfs"
+echo
+# Insert iptables modules (not needed if built into the kernel).
+modprobe nf_conntrack
+modprobe nf_conntrack_ftp
+modprobe xt_conntrack
+modprobe xt_LOG
+modprobe xt_state
+# Enable broadcast echo Protection
+echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+# Disable Source Routed Packets
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
+# Enable TCP SYN Cookie Protection
+echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
+# Disable ICMP Redirect Acceptance
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects
+# Don't send Redirect Messages
+echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects
+# Drop Spoofed Packets coming in on an interface where responses
+# would result in the reply going out a different interface.
+echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter
+# Log packets with impossible addresses.
+echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
+# Be verbose on dynamic ip-addresses  (not needed in case of static IP)
+echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
+# Disable Explicit Congestion Notification
+# Too many routers are still ignorant
+echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
+# Set a known state
+iptables -P INPUT   DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT  DROP
+# These lines are here in case rules are already in place and the
+# script is ever rerun on the fly. We want to remove all rules and
+# pre-existing user defined chains before we implement new rules.
+iptables -F
+iptables -X
+iptables -Z
+iptables -t nat -F
+# Allow local connections
+iptables -A INPUT  -i lo -j ACCEPT
+iptables -A OUTPUT -o lo -j ACCEPT
+# Allow forwarding if the initiated on the intranet
+iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD ! -i ppp+ -m conntrack --ctstate NEW       -j ACCEPT
+# Do masquerading
+# (not needed if intranet is not using private ip-addresses)
+iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
+# Log everything for debugging
+# (last of all rules, but before policy rules)
+iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT "
+iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
+iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "
+# Enable IP Forwarding
+echo 1 &gt; /proc/sys/net/ipv4/ip_forward
+# End /etc/systemd/scripts/iptables</literal>
+EOF
+chmod 700 /etc/systemd/scripts/iptables</userinput></screen>
+      <para>With this script your intranet should be reasonably secure
+      against external attacks. No one should be able to setup a new
+      connection to any internal service and, if it's masqueraded,
+      makes your intranet invisible to the Internet. Furthermore, your
+      firewall should be relatively safe because there are no services
+      running that a cracker could attack.</para>
+      <note>
+        <para>If the interface you're connecting to the Internet
+        doesn't connect via PPP, you will need to change
+        <replaceable>&lt;ppp+&gt;</replaceable> to the name of the interface
+        (e.g., <emphasis role="strong">eth1</emphasis>) which you are
+        using.</para>
+      </note>
+    </sect3>
+    <sect3 id="fw-busybox" xreflabel="BusyBox">
+      <title>BusyBox</title>
+      <para>This scenario isn't too different from the <xref
+      linkend="fw-masqRouter"/>, but additionally offers some
+      services to your intranet. Examples of this can be when
+      you want to administer your firewall from another host on
+      your intranet or use it as a proxy or a name server.</para>
+      <note>
+        <para>Outlining a true concept of how to protect a server that
+        offers services on the Internet goes far beyond the scope of
+        this document. See the references at the end of this section
+        for more information.</para>
+      </note>
+      <para>Be cautious. Every service you have enabled makes your
+      setup more complex and your firewall less secure. You are
+      exposed to the risks of misconfigured services or running
+      a service with an exploitable bug. A firewall should generally
+      not run any extra services.  See the introduction to the
+      <xref linkend="fw-masqRouter"/> for some more details.</para>
+      <para>If you want to add services such as internal Samba or
+      name servers that do not need to access the Internet themselves,
+      the additional statements are quite simple and should still be
+      acceptable from a security standpoint. Just add the following lines
+      into the script <emphasis>before</emphasis> the logging rules.</para>
+<screen><literal>iptables -A INPUT  -i ! ppp+  -j ACCEPT
+iptables -A OUTPUT -o ! ppp+  -j ACCEPT</literal></screen>
+      <para>If daemons, such as squid, have to access the Internet
+      themselves, you could open OUTPUT generally and restrict
+      INPUT.</para>
+<screen><literal>iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A OUTPUT -j ACCEPT</literal></screen>
+      <para>However, it is generally not advisable to leave OUTPUT
+      unrestricted. You lose any control over trojans who would like
+      to "call home", and a bit of redundancy in case you've
+      (mis-)configured a service so that it broadcasts its existence
+      to the world.</para>
+      <para>To accomplish this, you should restrict INPUT and OUTPUT
+      on all ports except those that it's absolutely necessary to have
+      open. Which ports you have to open depends on your needs: mostly
+      you will find them by looking for failed accesses in your log
+      files.</para>
+      <itemizedlist spacing="compact" role='iptables'>
+        <title>Have a Look at the Following Examples:</title>
+        <listitem>
+          <para>Squid is caching the web:</para>
+<screen><literal>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
+iptables -A INPUT  -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED \
+  -j ACCEPT</literal></screen>
+        </listitem>
+        <listitem>
+          <para>Your caching name server (e.g., named) does its
+          lookups via UDP:</para>
+<screen><literal>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</literal></screen>
+        </listitem>
+        <listitem>
+          <para>You want to be able to ping your computer to
+          ensure it's still alive:</para>
+<screen><literal>iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT
+iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT</literal></screen>
+        </listitem>
+        <listitem>
+          <para id='fw-BB-4' xreflabel="BusyBox example number 4">If
+          you are frequently accessing FTP servers or enjoy chatting, you might
+          notice certain delays because some implementations of these daemons
+          have the feature of querying an identd on your system to obtain
+          usernames. Although there's really little harm in this, having an
+          identd running is not recommended because many security experts feel
+          the service gives out too much additional information.</para>
+          <para>To avoid these delays you could reject the requests
+          with a 'tcp-reset':</para>
+<screen><literal>iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset</literal></screen>
+        </listitem>
+        <listitem>
+          <para>To log and drop invalid packets (packets
+          that came in after netfilter's timeout or some types of
+          network scans) insert these rules at the top of the chain:</para>
+<screen><literal>iptables -I INPUT 0 -p tcp -m conntrack --ctstate INVALID \
+  -j LOG --log-prefix "FIREWALL:INVALID "
+iptables -I INPUT 1 -p tcp -m conntrack --ctstate INVALID -j DROP</literal></screen>
+        </listitem>
+        <listitem>
+          <para>Anything coming from the outside should not have a
+          private address, this is a common attack called IP-spoofing:</para>
+<screen><literal>iptables -A INPUT -i ppp+ -s 10.0.0.0/8     -j DROP
+iptables -A INPUT -i ppp+ -s 172.16.0.0/12  -j DROP
+iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP</literal></screen>
+          <para>There are other addresses that you may also want to
+          drop: 0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3 (multicast and
+          experimental), 169.254.0.0/16 (Link Local Networks), and
+.0.2.0/24 (IANA defined test network).</para>
+        </listitem>
+        <listitem>
+          <para>If your firewall is a DHCP client, you need to allow
+          those packets:</para>
+<screen><literal>iptables -A INPUT  -i ppp0 -p udp -s 0.0.0.0 --sport 67 \
+   -d 255.255.255.255 --dport 68 -j ACCEPT</literal></screen>
+        </listitem>
+        <listitem>
+          <para>To simplify debugging and be fair to anyone who'd like
+          to access a service you have disabled, purposely or by mistake,
+          you could REJECT those packets that are dropped.</para>
+          <para>Obviously this must be done directly after logging as the very
+          last lines before the packets are dropped by policy:</para>
+<screen><literal>iptables -A INPUT -j REJECT</literal></screen>
+        </listitem>
+      </itemizedlist>
+      <para>These are only examples to show you some of the capabilities
+      of the firewall code in Linux. Have a look at the man page of iptables.
+      There you will find much more information. The port numbers needed for
+      this can be found in <filename>/etc/services</filename>, in case you
+      didn't find them by trial and error in your log file.</para>
+    </sect3>
+  </sect2>
+  <sect2 id="fw-finale" xreflabel="Conclusion">
+    <title>Conclusion</title>
+    <para>Finally, there is one fact you must not forget: The effort spent
+    attacking a system corresponds to the value the cracker expects to gain
+    from it. If you are responsible for valuable information, you need to
+    spend the time to protect it properly.</para>
+  </sect2>
+  <sect2 id="postlfs-security-fw-extra" xreflabel="Extra Information">
+    <para>
+      BLFS provides two utilities to manage the kernel Netfilter interface,
+      <xref linkend="iptables"/> and <xref linkend="nftables"/>.
+    </para>
+    <para>
+      <xref linkend="iptables"/> has been around since early 2.4 kernels, and
+      has been the standard since. If you plan not to use a configuration
+      utility, this is likely the set of tools that will be most familiar to
+      existing admins.
+    </para>
+    <para>
+      <xref linkend="nftables"/> is the successor to <xref linkend="iptables"/>
+      and provies all of the same functionality with a single userspace tool,
+      <command>nft</command>, that uses similar syntax to BSD's
+      <application>pf</application> utility, and may be easier for new users or
+      admins already familiar with that platform.
+    </para>
+    <para>
+      While both can be used in tandem, that is an advanced configuration and
+      you should decide on one or the other. Both pages include very simple
+      example configurations, and customization of the provided configurations
+      for your specific environment will be necessary if you elect to use
+      either without a configuration tool.
+    </para>
+    <para>
+      Additionally, a firewall management tool, <xref linkend="firewalld"/>, is
+      provided to greatly ease firewall configuration for both simple and
+      complex environments, and can be used with either tool. You should not
+      use the example configurations if you intend to use
+      <application>firewalld</application> to manage your firewall rules.
+    </para>
+    <para>
+      If you elect to configure manually, have a look at the
+      list of further reading below for more details. Here you will find a
+      list of URLs that contain comprehensive information about building
+      firewalls and further securing your system.
+    </para>
+  </sect2>
+  <sect2 id="fw-extra-info">
     <title>Extra Information</title>
     <sect3 id="fw-library" xreflabel="links for further reading">
       <title>Where to Start with Further Reading on Firewalls</title>
+    <sect3>
+      <title>Further Reading on Firewalls</title>
       <blockquote>
         <literallayout>
 <ulink url="http://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables project</ulink>
+<ulink url="http://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables/nftables projects</ulink>
 <ulink url="http://www.netfilter.org/documentation/FAQ/netfilter-faq.html">Netfilter related FAQ</ulink>
 <ulink url="http://www.netfilter.org/documentation/index.html#HOWTO">Netfilter related HOWTO's</ulink>
+<ulink url="https://wiki.nftables.org/wiki-nftables/index.php/Main_Page">nftables HOWTO</ulink>
 <ulink url="http://en.tldp.org/LDP/nag2/x-087-2-firewall.html">en.tldp.org/LDP/nag2/x-087-2-firewall.html</ulink>
 <ulink url="http://en.tldp.org/HOWTO/Security-HOWTO.html">en.tldp.org/HOWTO/Security-HOWTO.html</ulink>
 …
       </blockquote>
-      <!-- The following are all dead links from the section above. They are
-           moved out of the section so the literallayout won't produce blank
-           lines in the rendered text
-<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire.html">www.ibm.com/developerworks/security/library/s-fire.html</ulink>
-<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire2.html">www.ibm.com/developerworks/security/library/s-fire2.html</ulink>
-<ulink url="http://www.interhack.net/pubs/fw-faq/">www.interhack.net/pubs/fw-faq/</ulink>
-<ulink url="http://www.linuxgazette.com/issue65/stumpel.html">www.linuxgazette.com/issue65/stumpel.html</ulink>
-<ulink url="http://www.linux-firewall-tools.com/linux/">www.linux-firewall-tools.com/linux/</ulink>
-<ulink url="http://logi.cc/linux/athome-firewall.php3">logi.cc/linux/athome-firewall.php3</ulink>
-<ulink url="http://www.robertgraham.com/pubs/firewall-seen.html">www.robertgraham.com/pubs/firewall-seen.html</ulink>
-      -->
     </sect3>

postlfs/security/iptables.xml

-              r6914a417
+              r14c0be2f
 ]>
 <sect1 id="iptables" xreflabel="Iptables-&iptables-version;">
+<sect1 id="iptables" xreflabel="iptables-&iptables-version;">
   <?dbhtml filename="iptables.html"?>
 …
   </sect1info>
   <title>Iptables-&iptables-version;</title>
+  <title>iptables-&iptables-version;</title>
   <indexterm zone="iptables">
     <primary sortas="a-Iptables">Iptables</primary>
+    <primary sortas="a-iptables">iptables</primary>
   </indexterm>
   <sect2 role="package">
+    <title>Introduction to Iptables</title>
+    <para>
+      The next part of this chapter deals with firewalls. The principal
+      firewall tool for Linux is <application>Iptables</application>. You will
+      need to install <application>Iptables</application> if you intend on using
+      any form of a firewall.
+    <title>Introduction to iptables</title>
+    <para>
+      <application>iptables</application> is a userspace command line program
+      used to configure Linux 2.4 and later kernel packet filtering ruleset.
     </para>
 …
     </itemizedlist>
     <bridgehead renderas="sect3">Iptables Dependencies</bridgehead>
+    <bridgehead renderas="sect3">iptables Dependencies</bridgehead>
     <bridgehead renderas="sect4">Optional</bridgehead>
     <para role="optional">
       <ulink url="http://www.netfilter.org/projects/nftables/index.html">nftables</ulink>
+      <xref linkend="nftables"/>
     </para>
 …
     <para>
+      A firewall in Linux is accomplished through a portion of the
+      kernel called netfilter. The interface to netfilter is
+      <application>Iptables</application>. To use it, the appropriate
+      kernel configuration parameters are found in:
+      A firewall in Linux is accomplished through the netfilter interface. To
+      use <application>iptables</application> to configure netfilter, the
+      following kernel configuration parameters are required:
     </para>
 <screen><literal>[*] Networking support  ---&gt;                                    [CONFIG_NET]
       Networking Options  ---&gt;
+        [*] Network packet filtering framework (Netfilter) ---&gt; [CONFIG_NETFILTER]</literal></screen>
+        [*] Network packet filtering framework (Netfilter) ---&gt; [CONFIG_NETFILTER]
+          Core Netfilter Configuration ---&gt;</literal></screen>
+    <para>
+      Include any connection tracking protocols that will be used, as well as
+      any protocols that you wish to use for match suppport under the
+      "Core Netfilter Configuration" section.
+    </para>
     <indexterm zone="iptables iptables-kernel">
       <primary sortas="d-iptables">Iptables</primary>
+      <primary sortas="d-iptables">iptables</primary>
     </indexterm>
 …
     <sect2 role="installation">
       <title>Installation of Iptables</title>
+      <title>Installation of iptables</title>
     <note>
 …
         at the <application>Linux</application> source code. Note that if you
         upgrade the kernel version, you may also need to recompile
+        <application>Iptables</application> and that the BLFS team has not tested
+        using the raw kernel headers.
+      </para>
+      <para>
+        For some non-x86 architectures, the raw kernel headers may be
+        required. In that case, modify the <parameter>KERNEL_DIR=</parameter>
+        parameter to point at the <application>Linux</application> source
+        code.
+        <application>iptables</application> and that the BLFS team has not
+        tested using the raw kernel headers.
       </para>
     </note>
     <para>
       Install <application>Iptables</application> by running the following
+      Install <application>iptables</application> by running the following
       commands:
     </para>
 …
 make</userinput></screen>
+    <para>This package does not come with a test suite.</para>
+    <para>Now, as the <systemitem class="username">root</systemitem> user:</para>
+    <para>
+      This package does not come with a test suite.
+    </para>
+    <para>
+      Now, as the <systemitem class="username">root</systemitem> user:
+    </para>
 <screen role="root"><userinput>make install &amp;&amp;
 …
     <para>
       <parameter>--disable-nftables</parameter>: This switch disables building
+      nftables compat. Omit this switch if you have installed nftables.
+      nftables compat. Omit this switch if you have installed
+      <xref linkend="nftables"/>.
     </para>
 …
     <para>
       <parameter>--with-xtlibdir=/lib/xtables</parameter>: Ensure all
       <application>Iptables</application> modules are installed in the
+      <application>iptables</application> modules are installed in the
       <filename class="directory">/lib/xtables</filename> directory.
     </para>
 …
   <sect2 role="configuration">
+    <title>Configuring Iptables</title>
+    <para>
+      Introductory instructions for configuring your firewall are
+      presented in the next section: <xref linkend="fw-firewall"/>
+    </para>
+    <title>Configuring iptables</title>
+    <note>
+      <para>
+        If you intend to use <xref linkend="firewalld"/> to configure your
+        firewall rules, you should not use the example configurations provided
+        here, nor should you enable the
+        <phrase revision="sysv">bootscript</phrase>
+        <phrase revision="systemd">systemd unit</phrase>.
+      </para>
+    </note>
+    <note>
+      <para>
+        In the follwoing example configurations, <emphasis
+        role="strong">LAN1</emphasis> is used for the internal LAN interface,
+        and <emphasis role="strong">WAN1</emphasis> is used for the external
+        interace connected to the internet. You will need to replace these
+        values with appropriate interface names for your system.
+      </para>
+    </note>
+    <sect3 id="fw-persFw-ipt"
+    xreflabel="Creating a Personal Firewall With iptables">
+      <title>Personal Firewall</title>
+      <para>
+        A Personal Firewall is designed to let you access all the
+        services offered on the Internet, but keep your box secure and
+        your data private.
+      </para>
+      <para>
+        Below is a slightly modified version of Rusty Russell's
+        recommendation from the <ulink
+        url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">
+        Linux 2.4 Packet Filtering HOWTO</ulink>. It is still applicable
+        to the Linux 3.x kernels.
+      </para>
+<screen role="root" revision="sysv"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
+<literal>#!/bin/sh
+# Begin rc.iptables
+# Insert connection-tracking modules
+# (not needed if built into the kernel)
+modprobe nf_conntrack
+modprobe xt_LOG
+# Enable broadcast echo Protection
+echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+# Disable Source Routed Packets
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
+echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route
+# Enable TCP SYN Cookie Protection
+echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
+# Disable ICMP Redirect Acceptance
+echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects
+# Do not send Redirect Messages
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
+echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects
+# Drop Spoofed Packets coming in on an interface, where responses
+# would result in the reply going out a different interface.
+echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
+echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter
+# Log packets with impossible addresses.
+echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
+echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians
+# be verbose on dynamic ip-addresses  (not needed in case of static IP)
+echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
+# disable Explicit Congestion Notification
+# too many routers are still ignorant
+echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
+# Set a known state
+iptables -P INPUT   DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT  DROP
+# These lines are here in case rules are already in place and the
+# script is ever rerun on the fly. We want to remove all rules and
+# pre-existing user defined chains before we implement new rules.
+iptables -F
+iptables -X
+iptables -Z
+iptables -t nat -F
+# Allow local-only connections
+iptables -A INPUT  -i lo -j ACCEPT
+# Free output on any interface to any ip for any service
+# (equal to -P ACCEPT)
+iptables -A OUTPUT -j ACCEPT
+# Permit answers on already established connections
+# and permit new connections related to established ones
+# (e.g. port mode ftp)
+iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+# Log everything else. What's Windows' latest exploitable vulnerability?
+iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
+# End $rc_base/rc.iptables</literal>
+EOF
+chmod 700 /etc/rc.d/rc.iptables</userinput></screen>
+<screen role="root" revision="systemd"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts
+cat &gt; /etc/systemd/scripts/iptables &lt;&lt; "EOF"
+<literal>#!/bin/sh
+# Begin /etc/systemd/scripts/iptables
+# Insert connection-tracking modules
+# (not needed if built into the kernel)
+modprobe nf_conntrack
+modprobe xt_LOG
+# Enable broadcast echo Protection
+echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+# Disable Source Routed Packets
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
+echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route
+# Enable TCP SYN Cookie Protection
+echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
+# Disable ICMP Redirect Acceptance
+echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects
+# Do not send Redirect Messages
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
+echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects
+# Drop Spoofed Packets coming in on an interface, where responses
+# would result in the reply going out a different interface.
+echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
+echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter
+# Log packets with impossible addresses.
+echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
+echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians
+# be verbose on dynamic ip-addresses  (not needed in case of static IP)
+echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
+# disable Explicit Congestion Notification
+# too many routers are still ignorant
+echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
+# Set a known state
+iptables -P INPUT   DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT  DROP
+# These lines are here in case rules are already in place and the
+# script is ever rerun on the fly. We want to remove all rules and
+# pre-existing user defined chains before we implement new rules.
+iptables -F
+iptables -X
+iptables -Z
+iptables -t nat -F
+# Allow local-only connections
+iptables -A INPUT  -i lo -j ACCEPT
+# Free output on any interface to any ip for any service
+# (equal to -P ACCEPT)
+iptables -A OUTPUT -j ACCEPT
+# Permit answers on already established connections
+# and permit new connections related to established ones
+# (e.g. port mode ftp)
+iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+# Log everything else. What's Windows' latest exploitable vulnerability?
+iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
+# End /etc/systemd/scripts/iptables</literal>
+EOF
+chmod 700 /etc/systemd/scripts/iptables</userinput></screen>
+      <para>
+        This script is quite simple, it drops all traffic coming
+        into your computer that wasn't initiated from your computer, but
+        as long as you are simply surfing the Internet you are unlikely
+        to exceed its limits.
+      </para>
+      <para>
+        If you frequently encounter certain delays at accessing
+        FTP servers, take a look at <xref linkend="fw-BB-4-ipt"/>.
+      </para>
+      <para>
+        Even if you have daemons or services running on your system,
+        these will be inaccessible everywhere but from your computer itself.
+        If you want to allow access to services on your machine, such as
+        <command>ssh</command> or <command>ping</command>, take a look at
+        <xref linkend="fw-busybox-ipt"/>.
+      </para>
+    </sect3>
+    <sect3 id="fw-masqRouter-ipt"
+     xreflabel="Creating a Masquerading Router With iptables">
+      <title>Masquerading Router</title>
+      <para>
+        A network Firewall has two interfaces, one connected to an
+        intranet, in this example <emphasis role="strong">LAN1</emphasis>,
+        and one connected to the Internet, here <emphasis
+        role="strong">WAN1</emphasis>. To provide the maximum security
+        for the firewall itself, make sure that there are no unnecessary
+        servers running on it such as <application>X11</application> et al.
+        As a general principle, the firewall itself should not access
+        any untrusted service (think of a remote server giving answers that
+        makes a daemon on your system crash, or even worse, that implements
+        a worm via a buffer-overflow).
+      </para>
+<screen role="root" revision="sysv"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
+<literal>#!/bin/sh
+# Begin rc.iptables
+echo
+echo "You're using the example configuration for a setup of a firewall"
+echo "from Beyond Linux From Scratch."
+echo "This example is far from being complete, it is only meant"
+echo "to be a reference."
+echo "Firewall security is a complex issue, that exceeds the scope"
+echo "of the configuration rules below."
+echo "You can find additional information"
+echo "about firewalls in Chapter 4 of the BLFS book."
+echo "http://www.&lfs-domainname;/blfs"
+echo
+# Insert iptables modules (not needed if built into the kernel).
+modprobe nf_conntrack
+modprobe nf_conntrack_ftp
+modprobe xt_conntrack
+modprobe xt_LOG
+modprobe xt_state
+# Enable broadcast echo Protection
+echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+# Disable Source Routed Packets
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
+# Enable TCP SYN Cookie Protection
+echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
+# Disable ICMP Redirect Acceptance
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects
+# Don't send Redirect Messages
+echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects
+# Drop Spoofed Packets coming in on an interface where responses
+# would result in the reply going out a different interface.
+echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter
+# Log packets with impossible addresses.
+echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
+# Be verbose on dynamic ip-addresses  (not needed in case of static IP)
+echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
+# Disable Explicit Congestion Notification
+# Too many routers are still ignorant
+echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
+# Set a known state
+iptables -P INPUT   DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT  DROP
+# These lines are here in case rules are already in place and the
+# script is ever rerun on the fly. We want to remove all rules and
+# pre-existing user defined chains before we implement new rules.
+iptables -F
+iptables -X
+iptables -Z
+iptables -t nat -F
+# Allow local connections
+iptables -A INPUT  -i lo -j ACCEPT
+iptables -A OUTPUT -o lo -j ACCEPT
+# Allow forwarding if the initiated on the intranet
+iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD ! -i WAN1 -m conntrack --ctstate NEW       -j ACCEPT
+# Do masquerading
+# (not needed if intranet is not using private ip-addresses)
+iptables -t nat -A POSTROUTING -o WAN1 -j MASQUERADE
+# Log everything for debugging
+# (last of all rules, but before policy rules)
+iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT "
+iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
+iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "
+# Enable IP Forwarding
+echo 1 &gt; /proc/sys/net/ipv4/ip_forward</literal>
+EOF
+chmod 700 /etc/rc.d/rc.iptables</userinput></screen>
+<screen role="root" revision="systemd"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts
+cat &gt; /etc/systemd/scripts/iptables &lt;&lt; "EOF"
+<literal>#!/bin/sh
+# Begin /etc/systemd/scripts/iptables
+echo
+echo "You're using the example configuration for a setup of a firewall"
+echo "from Beyond Linux From Scratch."
+echo "This example is far from being complete, it is only meant"
+echo "to be a reference."
+echo "Firewall security is a complex issue, that exceeds the scope"
+echo "of the configuration rules below."
+echo "You can find additional information"
+echo "about firewalls in Chapter 4 of the BLFS book."
+echo "http://www.&lfs-domainname;/blfs"
+echo
+# Insert iptables modules (not needed if built into the kernel).
+modprobe nf_conntrack
+modprobe nf_conntrack_ftp
+modprobe xt_conntrack
+modprobe xt_LOG
+modprobe xt_state
+# Enable broadcast echo Protection
+echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+# Disable Source Routed Packets
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
+# Enable TCP SYN Cookie Protection
+echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
+# Disable ICMP Redirect Acceptance
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects
+# Don't send Redirect Messages
+echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects
+# Drop Spoofed Packets coming in on an interface where responses
+# would result in the reply going out a different interface.
+echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter
+# Log packets with impossible addresses.
+echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
+# Be verbose on dynamic ip-addresses  (not needed in case of static IP)
+echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
+# Disable Explicit Congestion Notification
+# Too many routers are still ignorant
+echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
+# Set a known state
+iptables -P INPUT   DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT  DROP
+# These lines are here in case rules are already in place and the
+# script is ever rerun on the fly. We want to remove all rules and
+# pre-existing user defined chains before we implement new rules.
+iptables -F
+iptables -X
+iptables -Z
+iptables -t nat -F
+# Allow local connections
+iptables -A INPUT  -i lo -j ACCEPT
+iptables -A OUTPUT -o lo -j ACCEPT
+# Allow forwarding if the initiated on the intranet
+iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD ! -i WAN1 -m conntrack --ctstate NEW       -j ACCEPT
+# Do masquerading
+# (not needed if intranet is not using private ip-addresses)
+iptables -t nat -A POSTROUTING -o WAN1 -j MASQUERADE
+# Log everything for debugging
+# (last of all rules, but before policy rules)
+iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT "
+iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
+iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "
+# Enable IP Forwarding
+echo 1 &gt; /proc/sys/net/ipv4/ip_forward
+# The following sections allow inbound packets for specific examples
+# Uncomment the example lines and adjust as necessary
+# Allow ping on the external interface
+#iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT
+#iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT
+# Reject ident packets with TCP reset to avoid delays with FTP or IRC
+#iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset
+# Allow HTTP and HTTPS to 192.168.0.2
+#iptables -A PREROUTING -t nat -i WAN1 -p tcp --dport 80 -j DNAT --to 192.168.0.2
+#iptables -A PREROUTING -t nat -i WAN1 -p tcp --dport 443 -j DNAT --to 192.168.0.2
+#iptables -A FORWARD -p tcp -d 192.168.0.2 --dport 80 -j ACCEPT
+#iptables -A FORWARD -p tcp -d 192.168.0.2 --dport 443 -j ACCEPT
+# End /etc/systemd/scripts/iptables</literal>
+EOF
+chmod 700 /etc/systemd/scripts/iptables</userinput></screen>
+      <para>
+        With this script your intranet should be reasonably secure
+        against external attacks. No one should be able to setup a new
+        connection to any internal service and, if it's masqueraded,
+        makes your intranet invisible to the Internet. Furthermore, your
+        firewall should be relatively safe because there are no services
+        running that a cracker could attack.
+      </para>
+    </sect3>
+    <sect3 id="fw-busybox-ipt" xreflabel="Creating a BusyBox With iptables">
+      <title>BusyBox</title>
+      <para>
+        This scenario isn't too different from the <xref
+        linkend="fw-masqRouter-ipt"/>, but additionally offers some
+        services to your intranet. Examples of this can be when
+        you want to administer your firewall from another host on
+        your intranet or use it as a proxy or a name server.
+      </para>
+      <note>
+        <para>
+          Outlining specifically how to protect a server that
+          offers services on the Internet goes far beyond the scope of
+          this document. See the references in <xref linkend="fw-extra-info"/>
+          for more information.
+        </para>
+      </note>
+      <para>
+        Be cautious. Every service you have enabled makes your
+        setup more complex and your firewall less secure. You are
+        exposed to the risks of misconfigured services or running
+        a service with an exploitable bug. A firewall should generally
+        not run any extra services.  See the introduction to the
+        <xref linkend="fw-masqRouter-ipt"/> for some more details.
+      </para>
+      <para>
+        If you want to add services such as internal Samba or
+        name servers that do not need to access the Internet themselves,
+        the additional statements are quite simple and should still be
+        acceptable from a security standpoint. Just add the following lines
+        into the script <emphasis>before</emphasis> the logging rules.
+      </para>
+<screen><literal>iptables -A INPUT  -i ! WAN1  -j ACCEPT
+iptables -A OUTPUT -o ! WAN1  -j ACCEPT</literal></screen>
+      <para>
+        If daemons, such as squid, have to access the Internet
+        themselves, you could open OUTPUT generally and restrict
+        INPUT.
+      </para>
+<screen><literal>iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A OUTPUT -j ACCEPT</literal></screen>
+      <para>
+        However, it is generally not advisable to leave OUTPUT
+        unrestricted. You lose any control over trojans who would like
+        to "call home", and a bit of redundancy in case you've
+        (mis-)configured a service so that it broadcasts its existence
+        to the world.
+      </para>
+      <para>
+        To accomplish this, you should restrict INPUT and OUTPUT
+        on all ports except those that it's absolutely necessary to have
+        open. Which ports you have to open depends on your needs: mostly
+        you will find them by looking for failed accesses in your log
+        files.
+      </para>
+      <itemizedlist spacing="compact" role='iptables'>
+        <title>Have a Look at the Following Examples:</title>
+        <listitem>
+          <para>
+            Squid is caching the web:
+          </para>
+<screen><literal>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
+iptables -A INPUT  -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED \
+  -j ACCEPT</literal></screen>
+        </listitem>
+        <listitem>
+          <para>
+            Your caching name server (e.g., named) does its lookups via UDP:
+          </para>
+<screen><literal>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</literal></screen>
+        </listitem>
+        <listitem>
+          <para>
+            You want to be able to ping your computer to ensure it's still
+            alive:
+          </para>
+<screen><literal>iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT
+iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT</literal></screen>
+        </listitem>
+        <listitem>
+          <para id='fw-BB-4-ipt' xreflabel="BusyBox with iptable example number 4">
+            If you are frequently accessing FTP servers or enjoy chatting, you
+            might notice delays because some implementations of these daemons
+            query an identd daemon on your system to obtain usernames. Although
+            there's really little harm in this, having an identd running is not
+            recommended because many security experts feel the service gives
+            out too much additional information.
+          </para>
+          <para>
+            To avoid these delays you could reject the requests with a
+            'tcp-reset' response:
+          </para>
+<screen><literal>iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset</literal></screen>
+        </listitem>
+        <listitem>
+          <para>
+            To log and drop invalid packets (packets
+            that came in after netfilter's timeout or some types of
+            network scans) insert these rules at the top of the chain:
+          </para>
+<screen><literal>iptables -I INPUT 0 -p tcp -m conntrack --ctstate INVALID \
+  -j LOG --log-prefix "FIREWALL:INVALID "
+iptables -I INPUT 1 -p tcp -m conntrack --ctstate INVALID -j DROP</literal></screen>
+        </listitem>
+        <listitem>
+          <para>
+            Anything coming from the outside should not have a
+            private address, this is a common attack called IP-spoofing:
+          </para>
+<screen><literal>iptables -A INPUT -i WAN1 -s 10.0.0.0/8     -j DROP
+iptables -A INPUT -i WAN1 -s 172.16.0.0/12  -j DROP
+iptables -A INPUT -i WAN1 -s 192.168.0.0/16 -j DROP</literal></screen>
+          <para>
+            There are other addresses that you may also want to drop:
+.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3 (multicast and
+            experimental), 169.254.0.0/16 (Link Local Networks), and
+.0.2.0/24 (IANA defined test network).
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            If your firewall is a DHCP client, you need to allow those packets:
+          </para>
+<screen><literal>iptables -A INPUT  -i WAN1 -p udp -s 0.0.0.0 --sport 67 \
+   -d 255.255.255.255 --dport 68 -j ACCEPT</literal></screen>
+        </listitem>
+        <listitem>
+          <para>
+            To simplify debugging and be fair to anyone who'd like
+            to access a service you have disabled, purposely or by mistake,
+            you could REJECT those packets that are dropped.
+          </para>
+          <para>
+            Obviously this must be done directly after logging as the very
+            last lines before the packets are dropped by policy:
+          </para>
+<screen><literal>iptables -A INPUT -j REJECT</literal></screen>
+        </listitem>
+      </itemizedlist>
+      <para>
+        These are only examples to show you some of the capabilities
+        of the firewall code in Linux. Have a look at the man page of iptables.
+        There you will find much more information. The port numbers needed for
+        this can be found in <filename>/etc/services</filename>, in case you
+        didn't find them by trial and error in your log file.
+      </para>
+    </sect3>
     <sect3  id="iptables-init">

postlfs/security/security.xml

-              r6914a417
+              r14c0be2f
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="gpgme.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="haveged.xml"/>
-  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="iptables.xml"/>
-  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="firewalling.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="libcap.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="linux-pam.xml"/>
 …
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="tripwire.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="volume_key.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="firewalling.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="iptables.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="nftables.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="firewalld.xml"/>
 </chapter>

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 14c0be2f

Legend:

Download in other formats: