Changeset 1aacd4b5
- Timestamp:
- 09/11/2003 07:44:39 PM (21 years ago)
- Branches:
- 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 12.2, 6.0, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gimp3, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, v5_0, v5_0-pre1, v5_1, v5_1-pre1, xry111/for-12.3, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/spidermonkey128, xry111/test-20220226, xry111/xf86-video-removal
- Children:
- acfc391
- Parents:
- 945f944
- Files:
- 11 added
- 24 edited
appendices/old/old.xml
r945f944 r1aacd4b5 1 <appendix id="appendices-old">1 <appendix role="dsssl" id="appendices-old"> 2 2 <?dbhtml filename="old.html" dir="appendices"?> 3 3 <title>Packages which are no longer in the main BLFS Book</title> -
appendices/symlinks/symlinks.xml
r945f944 r1aacd4b5 1 <appendix id="appendices-symlinks">1 <appendix role="dsssl" id="appendices-symlinks"> 2 2 <?dbhtml filename="symlinks.html" dir="appendices"?> 3 3 <title>List of rc?.d symlinks used in LFS/BLFS</title> -
basicnet/textweb/w3m/w3m-intro.xml
r945f944 r1aacd4b5 17 17 <sect4><title>Optional</title> 18 18 <para><xref linkend="gpm"/>, <xref linkend="openssl"/>, <xref 19 linkend="imlib"/>, <xref linkend=" gdk"/> and <xref19 linkend="imlib"/>, <xref linkend="imlib2"/>, <xref linkend="gdk"/> and <xref 20 20 linkend="compface"/></para></sect4> 21 21 </sect3> -
book/book.ent
r945f944 r1aacd4b5 23 23 <!ENTITY hints-root "http://hints.linuxfromscratch.org"> 24 24 <!ENTITY nbsp " "> 25 <!ENTITY publisher "Unknown"> -
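Review bot: dropping the `publisher` entity from book/book.ent (line 25) will break the build if any file still expands `&publisher;`, and nothing else in this changeset shows such references being removed. Grep the book sources for `&publisher;` before landing this, or keep the entity and give it a real value instead of "Unknown".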
general/general.ent
r945f944 r1aacd4b5 54 54 <!ENTITY % svgalib SYSTEM "graphlib/svgalib/svgalib.ent"> 55 55 <!ENTITY % directfb SYSTEM "graphlib/directfb/directfb.ent"> 56 <!ENTITY % imlib2 SYSTEM "graphlib/imlib2/imlib2.ent"> 56 57 %lcms; 57 58 %libjpeg; … … 64 65 %svgalib; 65 66 %directfb; 67 %imlib2; 66 68 67 69 <!-- General Utilities --> -
general/graphlib/directfb/directfb-inst.xml
r945f944 r1aacd4b5 2 2 <title>Installation of <application>DirectFB</application></title> 3 3 4 <note><para> 5 DirectFB needs a Linux kernel with frame buffer support. Check 4 <note><para>DirectFB needs a Linux kernel with frame buffer support. Check 6 5 the documentation in the kernel tree 7 6 (<filename class="directory">/usr/src/linux/Documentation/fb/</filename>) … … 16 15 make install</command></userinput></screen> 17 16 17 <para>If you decided to add optional image and video providers then you 18 have to install DirectFB-extra package too:</para> 19 20 <screen><userinput><command>./configure --prefix=/usr && 21 make && 22 make install</command></userinput></screen> 23 18 24 </sect2> -
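Review bot: the DirectFB-extra instructions added at lines 17-22 repeat the DirectFB build commands verbatim but never tell the reader to unpack the DirectFB-extra tarball and change into its directory first, so as written they would simply re-run configure in the DirectFB tree. State that the extra package is built from its own source directory after DirectFB itself has been installed, and reword line 18 to "install the DirectFB-extra package as well".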
general/graphlib/directfb/directfb-intro.xml
r945f944 r1aacd4b5 15 15 </sect3> 16 16 17 <sect3><title>Additional downloads</title> 18 <itemizedlist spacing='compact'> 19 <listitem><para>Optional image and video providers: <ulink 20 url="http://www.directfb.org/download/DirectFB-extra/DirectFB-extra-0.9.16.tar.gz"/> 21 </para></listitem> 22 </itemizedlist></sect3> 23 17 24 <sect3><title><application>DirectFB</application> dependencies</title> 18 25 <sect4><title>Required</title> … … 21 28 </para></sect4> 22 29 <sect4><title>Optional</title> 23 <para><xref linkend="SDL"/>, <xref linkend="libmpeg3"/> and 24 <xref linkend="pkgconfig"/></para></sect4> 30 <para><xref linkend="SDL"/>, <xref linkend="libmpeg3"/> 31 <xref linkend="pkgconfig"/>, <xref linkend="imlib2"/>, <xref 32 linkend="openquicktime"/> and <xref linkend="avifile"/> 33 </para></sect4> 25 34 </sect3> 26 35 -
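Review bot: the optional dependency list at lines 30-33 lost its separator: `<xref linkend="libmpeg3"/>` is followed directly by `<xref linkend="pkgconfig"/>` with no comma, so the rendered sentence reads "libmpeg3 pkgconfig, imlib2, ...". Also, the DirectFB-extra download added at line 20 is a plain-HTTP URL with nothing a reader can verify the tarball against; consider recording a checksum next to it in the same way the book does for other downloads.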
general/graphlib/graphlib.xml
r945f944 r1aacd4b5 18 18 &SVGAlib; 19 19 &DirectFB; 20 &imlib2; 20 21 21 22 </chapter> -
index.xml
r945f944 r1aacd4b5 3 3 "/usr/share/docbook/docbookx.dtd" [ 4 4 5 <!ENTITY version "200309 09">6 <!ENTITY releasedate "September 9th, 2003">5 <!ENTITY version "20030911"> 6 <!ENTITY releasedate "September 11th, 2003"> 7 7 8 8 <!ENTITY % book SYSTEM "book/book.ent"> -
introduction/welcome/changelog.xml
r945f944 r1aacd4b5 10 10 11 11 <itemizedlist> 12 13 <listitem><para>September 11th, 2003 [lary]: added imlib2 and 14 openquicktime submitted by Igor.</para></listitem> 15 16 <listitem><para>September 11th, 2003 [larry]: edited firewalling to 17 conform to the rest of book. Used 'screen' for kernel settings instead 18 of 'table'. Changed from 'orderlist' to 'itemizedlist'. Converted 19 footnotes to inline notation, except kernel which was inconsistent with 20 the rest of the book.</para></listitem> 12 21 13 22 <listitem><para>September 9th, 2003 [larry]: update to esp -
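Review bot: the first changelog entry at lines 13-14 tags the author as "[lary]" while the entry directly below it uses "[larry]"; fix the spelling so the changelog stays consistent and greppable by author.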
multimedia/libdriv/libdriv.xml
r945f944 r1aacd4b5 20 20 &libmpeg3; 21 21 &libmad; 22 &openquicktime; 22 23 23 24 </chapter> -
multimedia/multimedia.ent
r945f944 r1aacd4b5 14 14 <!ENTITY % libmpeg3 SYSTEM "libdriv/libmpeg3/libmpeg3.ent"> 15 15 <!ENTITY % libmad SYSTEM "libdriv/libmad/libmad.ent"> 16 <!ENTITY % openquicktime SYSTEM "libdriv/openquicktime/openquicktime.ent"> 16 17 %alsa; 17 18 <!-- %arts; --> … … 24 25 %libmpeg3; 25 26 %libmad; 27 %openquicktime; 26 28 27 29 <!-- Audio utilities --> -
postlfs/security/firewalling/busybox.xml
r945f944 r1aacd4b5 22 22 into the script. 23 23 24 <screen>iptables -A INPUT -i ! ppp+-j ACCEPT25 iptables -A OUTPUT -o ! ppp+-j ACCEPT</screen></para>24 <screen>iptables -A INPUT -i ! ppp+ -j ACCEPT 25 iptables -A OUTPUT -o ! ppp+ -j ACCEPT</screen></para> 26 26 27 27 <para>If your daemons have to access the web themselves, like squid would need 28 28 to, you could open OUTPUT generally and restrict INPUT. 29 29 30 <screen>iptables -A INPUT 31 iptables -A OUTPUT 30 <screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 31 iptables -A OUTPUT -j ACCEPT</screen></para> 32 32 33 33 <para>However, it is generally not advisable to leave OUTPUT unrestricted: you lose … … 40 40 Which ports you have to open depends on your needs: mostly you will find them 41 41 by looking for failed accesses in your log-files.</para> 42 43 < orderedlist numeration="arabic" spacing="compact">42 <itemizedlist spacing="compact"> 43 <!-- <orderedlist numeration="arabic" spacing="compact"> --> 44 44 <title>Have a look at the following examples:</title> 45 45 46 <listitem><para>Squid is caching the web:</para> 47 <para><screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT 48 iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED \ 49 -j ACCEPT</screen></para></listitem> 46 <listitem><para>Squid is caching the web: 47 <screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT 48 iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT</screen></para></listitem> 50 49 51 50 <listitem><para>Your caching name server (e.g., dnscache) does its 52 lookups via udp:</para> 53 <para><screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT 54 iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED \ 55 -j ACCEPT</screen></para></listitem> 51 lookups via udp: 52 <screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT 53 iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT</screen></para></listitem> 56 54 57 55 
<listitem><para>Alternatively, if you want to be able to ping your box to ensure 58 it's still alive:</para> 59 <para><screen>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request \ 60 -j ACCEPT 61 iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</screen></para></listitem> 56 it's still alive: 57 <screen>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT 58 iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</screen></para></listitem> 62 59 63 60 <listitem><para><anchor id='postlfs-security-fw-BB-4' xreflabel="example no. 4"/>If you are … … 69 66 70 67 <para>To avoid these delays you could reject the requests 71 with a 'tcp-reset': </para>68 with a 'tcp-reset': 72 69 73 <para><screen>iptables -A INPUT -p tcp --dport 113 -j REJECT \ 74 --reject-with tcp-reset 75 iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED \ 76 -j ACCEPT</screen></para></listitem> 70 <screen>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset 71 iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen></para></listitem> 77 72 78 73 <listitem><para>To log and drop invalid packets, mostly harmless packets 79 that came in after netfilter's timeout, sometimes scans: </para>74 that came in after netfilter's timeout, sometimes scans: 80 75 81 < para><screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG\82 --log-prefix"FIREWALL:INVALID"83 iptables -I INPUT 2 -p tcp -m state --state INVALID-j DROP</screen></para></listitem>76 <screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix \ 77 "FIREWALL:INVALID" 78 iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></para></listitem> 84 79 85 80 <listitem><para>Anything coming from the outside should not have a 86 private address, this is a common attack called IP-spoofing: </para>81 private address, this is a common attack called IP-spoofing: 87 82 88 <para><screen>iptables -t nat -A PREROUTING 
-i ppp+ -s 10.0.0.0/8 -j DROP 89 iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12 -j DROP 90 iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP</screen></para></listitem> 83 <screen>iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8 -j DROP 84 iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12 -j DROP 85 iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j 86 DROP</screen></para></listitem> 91 87 92 88 <listitem><para>To simplify debugging and be fair to anyone who'd like to … … 95 91 96 92 <para>Obviously this must be done directly after logging as the very 97 last lines before the packets are dropped by policy: </para>93 last lines before the packets are dropped by policy: 98 94 99 < para><screen>iptables -A INPUT-j REJECT100 iptables -A OUTPUT -p icmp --icmp-type 3-j ACCEPT</screen></para></listitem>101 102 < /orderedlist>95 <screen>iptables -A INPUT -j REJECT 96 iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT</screen></para></listitem> 97 </itemizedlist> 98 <!--</orderedlist>--> 103 99 104 100 <para>These are only examples to show you some of the capabilities of the new … … 106 102 iptables. 107 103 There you will find more of them. The port-numbers you'll need for this 108 can be found in /etc/services, in case you didn't find them via "try'n'error"109 in your logfile.</para>104 can be found in <filename>/etc/services</filename>, in case you didn't 105 find them by trial and error in your logfile.</para> 110 106 111 107 <para>If you add any of your offered or accessed services such as the above, -
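Review bot: the reflowed anti-spoofing rule at lines 85-86 splits `-j DROP` across a line boundary inside `<screen>` (`... -s 192.168.0.0/16 -j` on one line, `DROP` on the next), so the rendered command is broken if copied; keep it on one line like the two rules above it, or end the line with a backslash as was done for the LOG rule at line 76. While here: these three rules filter in the nat table's PREROUTING chain, which is meant for NAT targets and is only traversed by the first packet of a new connection, so a DROP of spoofed source addresses belongs in the filter table (INPUT/FORWARD) or in mangle PREROUTING. The commented-out `<orderedlist>` wrappers at lines 43 and 98 should be deleted rather than kept as dead markup.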
postlfs/security/firewalling/disclaimer.xml
r945f944 r1aacd4b5 2 2 <title>Disclaimer</title> 3 3 4 < para><emphasis>NEITHER THE AUTHOR NOR ANY OF THE LINUXFROMSCRATCH TEAM4 <!-- <para><emphasis>NEITHER THE AUTHOR NOR ANY OF THE LINUXFROMSCRATCH TEAM 5 5 ARE RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THIS 6 DOCUMENT.</emphasis></para> 6 DOCUMENT.</emphasis></para> --> 7 7 8 8 <para>This document is meant as an introduction to how to setup a -
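Review bot: commenting out the liability paragraph at lines 4-6 leaves a section titled "Disclaimer" (line 2) that no longer contains one. Either retitle the section to match what remains, or remove the commented block entirely rather than leaving dead markup in the source.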
postlfs/security/firewalling/finale.xml
r945f944 r1aacd4b5 1 1 <sect2 id="postlfs-security-fw-finale" xreflabel="Conclusion"> 2 <title> Editor's Note</title>2 <title>Conclusion</title> 3 3 4 4 <para>Finally, I'd like to remind you of one fact we must not forget: … … 9 9 need of this hint!</para> 10 10 11 < para><literallayout>Be cautious!11 <!-- <para><literallayout>Be cautious! 12 12 13 13 Henning Rohde … … 19 19 20 20 <para>PPS: If any of these scripts fail, please tell me. I will try to trace 21 any faults.</para> 21 any faults.</para> --> 22 22 23 23 </sect2> -
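Review bot: renaming the title to "Conclusion" at line 2 and commenting out the signature block at lines 11-21 removes the author's name, but line 4 still speaks in the first person ("I'd like to remind you") and line 9 still calls the section "this hint"; either rewrite those lines into the book's impersonal voice or keep an attribution so the "I" has a referent. The commented-out block should be dropped rather than kept as dead markup.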
postlfs/security/firewalling/intro.xml
r945f944 r1aacd4b5 50 50 should generally have only one role, that of protecting the intranet. 51 51 Although not completely riskless, the tasks of doing the routing 52 and eventually IP masquerading <footnote><para>rewriting IP-headers52 and eventually IP masquerading (rewriting IP-headers 53 53 of the packets it routes from clients with private IP-addresses onto 54 54 the internet so that they seem to come from the firewall 55 itself </para></footnote>are commonly considered harmless.</para></sect3>55 itself) are commonly considered harmless.</para></sect3> 56 56 57 57 <sect3><title><xref linkend="postlfs-security-fw-busybox"/></title> -
postlfs/security/firewalling/kernel.xml
r945f944 r1aacd4b5 4 4 <para>If you want your Linux-Box to do firewalling you must first ensure 5 5 that your kernel has been compiled with the relevant options turned on 6 < footnote><para>If you needed assistance howto configure, compile and install6 <!-- <footnote><para>If you needed assistance howto configure, compile and install 7 7 a new kernel, refer back to chapter VIII of the LinuxFromScratch book, 8 8 <ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html">Installing a kernel</ulink> … … 10 10 <ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html">Making the LFS system bootable</ulink> 11 11 ; note, that you'll need to reboot 12 to actually run your new kernel.</para></footnote> .</para>12 to actually run your new kernel.</para></footnote>-->.</para> 13 13 14 14 <para>How to configure your kernel, with enabling the options to be … … 17 17 that the modules need to be loaded at first.</para> 18 18 19 <screen>Network options menu 20 Network paket filtering: Y 21 Unix domain sockets: Y or M 22 TCP/IP networking: Y 23 IP: advanced router: Y 24 IP: verbose route monitoring: Y 25 IP: TCP Explicit Congestion Notification support: Y 26 IP: TCP syncookie support: Y 27 IP: Netfilter Configuration menu 28 Every option except: 29 ipchains (2.2-style) support 30 ipfwadm (2.0-style) support Y or M 31 Fast switching: N</screen> 32 33 <!-- 19 34 <table frame='none'> 20 35 <title>Essential config-options for a firewalling-enabled Kernel</title> … … 116 131 </tgroup> 117 132 118 </table> 133 </table> --> 119 134 120 135 </sect2> -
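Review bot: the new option list at lines 19-31 has a typo ("Network paket filtering" should be "Network packet filtering"), and the "Y or M" at line 30 hangs off the ipfwadm exclusion line, so it is unclear whether it applies to the two exclusions or to "Every option" in the Netfilter menu; move it up to line 28 ("Every option (Y or M) except:"). The old table at lines 34-133 and the footnote at lines 6-12 are commented out rather than deleted; drop both, since the footnote's links point at the LFS 3.1 release anyway.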
postlfs/security/firewalling/library.xml
r945f944 r1aacd4b5 6 6 <ulink url="http://www.netfilter.org/documentation/FAQ/netfilter-faq.html">FAQ</ulink> 7 7 <ulink url="http://www.netfilter.org/documentation/index.html#HOWTO">List of Netfilter-related HOWTO's</ulink> 8 <ulink url="http://www.linuxdoc.org/LDP/nag2/x-087-2-firewall.html" ></ulink>8 <ulink url="http://www.linuxdoc.org/LDP/nag2/x-087-2-firewall.html"/> 9 9 <ulink url="http://www.linuxdoc.org/HOWTO/Security-HOWTO.html"></ulink> 10 10 <ulink url="http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html"></ulink> -
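Review bot: only the first empty `<ulink>` at line 8 was converted to the self-closing form; lines 9 and 10 still use `<ulink url="..."></ulink>`. Convert all three the same way, and since a content-less ulink renders as the bare URL, a short link text for each would read better in this list.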
postlfs/security/firewalling/masqrouter.xml
r945f944 r1aacd4b5 7 7 make sure that there are no servers running on it, especially not X11 et 8 8 al. And, as a general principle, the box itself should not access any untrusted 9 service <footnote><para>Think of a name server giving answers that make your9 service (Think of a name server giving answers that make your 10 10 bind crash, or, even worse, that implement a worm via a 11 buffer-overflow .</para></footnote>.</para>11 buffer-overflow).</para> 12 12 13 < para><screen><userinput>cat > /etc/rc.d/init.d/firewall << "EOF"</userinput>13 <screen><userinput><command>cat > /etc/rc.d/init.d/firewall << "EOF"</command> 14 14 #!/bin/sh 15 15 … … 78 78 # activate IP-Forwarding 79 79 echo 1 > /proc/sys/net/ipv4/ip_forward 80 < userinput>EOF</userinput></screen></para>80 <command>EOF</command></userinput></screen> 81 81 82 82 <para>With this script your intranet should be sufficiently -
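Review bot: the footnote turned into a parenthetical at lines 9-11 now opens with a capital "Think" in mid-sentence ("service (Think of a name server ..."); lowercase it. The `<userinput>`/`<command>` change at lines 13 and 80 is fine and matches the other firewall pages in this changeset.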
postlfs/security/firewalling/persfw.xml
r945f944 r1aacd4b5 10 10 2.4 Packet Filtering HOWTO</ulink>:</para> 11 11 12 < para><screen><userinput>cat > /etc/rc.d/init.d/firewall << "EOF"</userinput>12 <screen><userinput><command>cat > /etc/rc.d/init.d/firewall << "EOF"</command> 13 13 #!/bin/sh 14 14 … … 47 47 48 48 # End $rc_base/init.d/firewall 49 < userinput>EOF</userinput></screen></para>49 <command>EOF</command></userinput></screen> 50 50 51 51 <para>His script is quite simple, it drops all traffic coming in into your -
postlfs/security/firewalling/status.xml
r945f944 r1aacd4b5 5 5 the order in which the rules take effect:</para> 6 6 7 < para><screen><userinput>cat > /etc/rc.d/init.d/firewall.status << "EOF"</userinput>7 <screen><userinput><command>cat > /etc/rc.d/init.d/firewall.status << "EOF"</command> 8 8 #!/bin/sh 9 9 … … 20 20 echo "iptables.filter:" 21 21 iptables -v -L -n --line-numbers 22 < userinput>EOF</userinput></screen></para>22 <command>EOF</command></userinput></screen> 23 23 </sect3> -
postlfs/security/firewalling/stop.xml
r945f944 r1aacd4b5 4 4 <para>If you need to turn firewalling off, this script will do it:</para> 5 5 6 < para><screen><userinput>cat > /etc/rc.d/init.d/firewall.stop << "EOF"</userinput>6 <screen><userinput><command>cat > /etc/rc.d/init.d/firewall.stop << "EOF"</command> 7 7 #!/bin/sh 8 8 … … 23 23 iptables -P FORWARD ACCEPT 24 24 iptables -P OUTPUT ACCEPT 25 < userinput>EOF</userinput></screen></para>25 <command>EOF</command></userinput></screen> 26 26 27 27 </sect3> -
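Review bot: the script sets all three policies to ACCEPT at lines 23-25, so running it leaves the box wide open; the sentence at line 4 ("turn firewalling off") should say so explicitly. Lines 9-22 are not shown in this hunk; confirm they also reset /proc/sys/net/ipv4/ip_forward, since the masquerading router script in this same changeset sets it to 1, and a stop script that leaves forwarding on with a FORWARD policy of ACCEPT turns the machine into an open router.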
pst/printing/espgs.xml
r945f944 r1aacd4b5 1 <sect1 id="espgs" xreflabel=" GhostScript-&espgs-version;">1 <sect1 id="espgs" xreflabel="ESP GhostScript-&espgs-version;"> 2 2 <?dbhtml filename="espgs.html" dir="pst"?> 3 3 <title>ESP Ghostscript-&espgs-version;</title> -
pst/printing/gs.xml
r945f944 r1aacd4b5 1 <sect1 id="gs" xreflabel=" GhostScript-&gs-version;">1 <sect1 id="gs" xreflabel="AFPL GhostScript-&gs-version;"> 2 2 <?dbhtml filename="gs.html" dir="pst"?> 3 3 <title>AFPL Ghostscript-&gs-version;</title>