Changeset 1aacd4b5

Timestamp:

09/11/2003 07:44:39 PM (21 years ago)

Author:

Larry Lawrence <larry@…>

Branches:

10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.0, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gimp3, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, v5_0, v5_0-pre1, v5_1, v5_1-pre1, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal

Children:

acfc391

Parents:

945f944

Message:

add imlib2 and openquicktime, edited firewalling chapter

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@1047 af4574ff-66df-0310-9fd7-8a98e5e911e0

Files:

• appendices/old/old.xml (modified) (1 diff)
• appendices/symlinks/symlinks.xml (modified) (1 diff)
• basicnet/textweb/w3m/w3m-intro.xml (modified) (1 diff)
• book/book.ent (modified) (1 diff)
• general/general.ent (modified) (2 diffs)
• general/graphlib/directfb/directfb-inst.xml (modified) (2 diffs)
• general/graphlib/directfb/directfb-intro.xml (modified) (2 diffs)
• general/graphlib/graphlib.xml (modified) (1 diff)
• general/graphlib/imlib2.xml (added)
• general/graphlib/imlib2/imlib2-config.xml (added)
• general/graphlib/imlib2/imlib2-desc.xml (added)
• general/graphlib/imlib2/imlib2-inst.xml (added)
• general/graphlib/imlib2/imlib2-intro.xml (added)
• general/graphlib/imlib2/imlib2.ent (added)
• index.xml (modified) (1 diff)
• introduction/welcome/changelog.xml (modified) (1 diff)
• multimedia/libdriv/libdriv.xml (modified) (1 diff)
• multimedia/libdriv/openquicktime.xml (added)
• multimedia/libdriv/openquicktime/openquicktime-desc.xml (added)
• multimedia/libdriv/openquicktime/openquicktime-inst.xml (added)
• multimedia/libdriv/openquicktime/openquicktime-intro.xml (added)
• multimedia/libdriv/openquicktime/openquicktime.ent (added)
• multimedia/multimedia.ent (modified) (2 diffs)
• postlfs/security/firewalling/busybox.xml (modified) (5 diffs)
• postlfs/security/firewalling/disclaimer.xml (modified) (1 diff)
• postlfs/security/firewalling/finale.xml (modified) (3 diffs)
• postlfs/security/firewalling/intro.xml (modified) (1 diff)
• postlfs/security/firewalling/kernel.xml (modified) (4 diffs)
• postlfs/security/firewalling/library.xml (modified) (1 diff)
• postlfs/security/firewalling/masqrouter.xml (modified) (2 diffs)
• postlfs/security/firewalling/persfw.xml (modified) (2 diffs)
• postlfs/security/firewalling/status.xml (modified) (2 diffs)
• postlfs/security/firewalling/stop.xml (modified) (2 diffs)
• pst/printing/espgs.xml (modified) (1 diff)
• pst/printing/gs.xml (modified) (1 diff)

appendices/old/old.xml

@@ -1 @@
-<appendix id="appendices-old">
+<appendix role="dsssl" id="appendices-old">
 <?dbhtml filename="old.html" dir="appendices"?>
 <title>Packages which are no longer in the main BLFS Book</title>

appendices/symlinks/symlinks.xml

@@ -1 @@
-<appendix id="appendices-symlinks">
+<appendix role="dsssl" id="appendices-symlinks">
 <?dbhtml filename="symlinks.html" dir="appendices"?>
 <title>List of rc?.d symlinks used in LFS/BLFS</title>

basicnet/textweb/w3m/w3m-intro.xml

@@ -17 +17 @@
 <sect4><title>Optional</title>
 <para><xref linkend="gpm"/>, <xref linkend="openssl"/>, <xref
-linkend="imlib"/>, <xref linkend="gdk"/> and <xref
+linkend="imlib"/>, <xref linkend="imlib2"/>, <xref linkend="gdk"/> and <xref
 linkend="compface"/></para></sect4>
 </sect3>

book/book.ent

@@ -23 +23 @@
 <!ENTITY hints-root "http://hints.linuxfromscratch.org">
 <!ENTITY nbsp " ">
+<!ENTITY publisher "Unknown">

general/general.ent

@@ -54 +54 @@
 <!ENTITY % svgalib SYSTEM "graphlib/svgalib/svgalib.ent">
 <!ENTITY % directfb SYSTEM "graphlib/directfb/directfb.ent">
+<!ENTITY % imlib2 SYSTEM "graphlib/imlib2/imlib2.ent">
 %lcms;
 %libjpeg;
@@ -64 +65 @@
 %svgalib;
 %directfb;
+%imlib2;
 
 <!-- General Utilities -->

general/graphlib/directfb/directfb-inst.xml

@@ -2 +2 @@
 <title>Installation of <application>DirectFB</application></title>
 
-<note><para>
-DirectFB needs a Linux kernel with frame buffer support. Check
+<note><para>DirectFB needs a Linux kernel with frame buffer support. Check
 the documentation in the kernel tree
 (<filename class="directory">/usr/src/linux/Documentation/fb/</filename>)
@@ -16 +15 @@
 make install</command></userinput></screen>
 
+<para>If you decided to add optional image and video providers then you
+have to install DirectFB-extra package too:</para>
+
+<screen><userinput><command>./configure --prefix=/usr &amp;&amp;
+make &amp;&amp;
+make install</command></userinput></screen>
+
 </sect2>

general/graphlib/directfb/directfb-intro.xml

@@ -15 +15 @@
 </sect3>
 
+<sect3><title>Additional downloads</title>
+<itemizedlist spacing='compact'>
+<listitem><para>Optional image and video providers: <ulink
+url="http://www.directfb.org/download/DirectFB-extra/DirectFB-extra-0.9.16.tar.gz"/>
+</para></listitem>
+</itemizedlist></sect3>
+
 <sect3><title><application>DirectFB</application> dependencies</title>
 <sect4><title>Required</title>
@@ -21 +28 @@
 </para></sect4>
 <sect4><title>Optional</title>
-<para><xref linkend="SDL"/>, <xref linkend="libmpeg3"/> and
-<xref linkend="pkgconfig"/></para></sect4>
+<para><xref linkend="SDL"/>, <xref linkend="libmpeg3"/>
+<xref linkend="pkgconfig"/>, <xref linkend="imlib2"/>, <xref
+linkend="openquicktime"/> and <xref linkend="avifile"/>
+</para></sect4>
 </sect3>
 

general/graphlib/graphlib.xml

@@ -18 +18 @@
 &SVGAlib;
 &DirectFB;
+&imlib2;
 
 </chapter>

index.xml

@@ -3 +3 @@
                         "/usr/share/docbook/docbookx.dtd" [
 
-<!ENTITY version "20030909">
-<!ENTITY releasedate "September 9th, 2003">
+<!ENTITY version "20030911">
+<!ENTITY releasedate "September 11th, 2003">
 
 <!ENTITY % book SYSTEM "book/book.ent">

introduction/welcome/changelog.xml

@@ -10 +10 @@
 
 <itemizedlist>
+
+<listitem><para>September 11th, 2003 [lary]: added imlib2 and
+openquicktime submitted by Igor.</para></listitem>
+
+<listitem><para>September 11th, 2003 [larry]: edited firewalling to
+conform to the rest of book.  Used 'screen' for kernel settings instead
+of 'table'. Changed from 'orderlist' to 'itemizedlist'. Converted
+footnotes to inline notation, except kernel which was inconsistent with
+the rest of the book.</para></listitem>
 
 <listitem><para>September 9th, 2003 [larry]: update to esp

multimedia/libdriv/libdriv.xml

@@ -20 +20 @@
 &libmpeg3;
 &libmad;
+&openquicktime;
 
 </chapter>

multimedia/multimedia.ent

@@ -14 +14 @@
 <!ENTITY % libmpeg3 SYSTEM "libdriv/libmpeg3/libmpeg3.ent">
 <!ENTITY % libmad SYSTEM "libdriv/libmad/libmad.ent">
+<!ENTITY % openquicktime SYSTEM "libdriv/openquicktime/openquicktime.ent">
 %alsa;
 <!-- %arts; -->
@@ -24 +25 @@
 %libmpeg3;
 %libmad;
+%openquicktime;
 
 <!-- Audio utilities -->

postlfs/security/firewalling/busybox.xml

@@ -22 +22 @@
 into the script.
 
-<screen>iptables -A INPUT       -i ! ppp+                               -j ACCEPT
-iptables -A OUTPUT      -o ! ppp+                               -j ACCEPT</screen></para>
+<screen>iptables -A INPUT  -i ! ppp+  -j ACCEPT
+iptables -A OUTPUT -o ! ppp+  -j ACCEPT</screen></para>
 
 <para>If your daemons have to access the web themselves, like squid would need
 to, you could open OUTPUT generally and restrict INPUT.
 
-<screen>iptables -A INPUT       -m state --state ESTABLISHED,RELATED    -j ACCEPT
-iptables -A OUTPUT                                              -j ACCEPT</screen></para>
+<screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED  -j ACCEPT
+iptables -A OUTPUT                                      -j ACCEPT</screen></para>
 
 <para>However, it is generally not advisable to leave OUTPUT unrestricted: you lose 
@@ -40 +40 @@
 Which ports you have to open depends on your needs: mostly you will find them 
 by looking for failed accesses in your log-files.</para>
-
-<orderedlist numeration="arabic" spacing="compact">
+<itemizedlist spacing="compact">
+<!-- <orderedlist numeration="arabic" spacing="compact"> -->
 <title>Have a look at the following examples:</title>
 
-<listitem><para>Squid is caching the web:</para>
-<para><screen>iptables -A OUTPUT        -p tcp --dport 80                       -j ACCEPT
-iptables -A INPUT       -p tcp --sport 80       -m state --state ESTABLISHED \
-&nbsp;&nbsp;&nbsp;-j ACCEPT</screen></para></listitem>
+<listitem><para>Squid is caching the web:
+<screen>iptables -A OUTPUT -p tcp --dport 80                              -j ACCEPT
+iptables -A INPUT  -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT</screen></para></listitem>
 
 <listitem><para>Your caching name server (e.g., dnscache) does its
-lookups via udp:</para>
-<para><screen>iptables -A OUTPUT        -p udp --dport 53                       -j ACCEPT
-iptables -A INPUT       -p udp --sport 53       -m state --state ESTABLISHED \
-&nbsp;&nbsp;&nbsp;-j ACCEPT</screen></para></listitem>
+lookups via udp:
+<screen>iptables -A OUTPUT -p udp --dport 53                              -j ACCEPT
+iptables -A INPUT  -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT</screen></para></listitem>
 
 <listitem><para>Alternatively, if you want to be able to ping your box to ensure
-it's still alive:</para>
-<para><screen>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request        \
-&nbsp;&nbsp;&nbsp;-j ACCEPT
-iptables -A OUTPUT      -p icmp -m icmp --icmp-type echo-reply  -j ACCEPT</screen></para></listitem>
+it's still alive:
+<screen>iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT
+iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT</screen></para></listitem>
 
 <listitem><para><anchor id='postlfs-security-fw-BB-4' xreflabel="example no. 4"/>If you are 
@@ -69 +66 @@
 
 <para>To avoid these delays you could reject the requests 
-with a 'tcp-reset':</para>
+with a 'tcp-reset':
 
-<para><screen>iptables -A INPUT -p tcp --dport 113                      -j REJECT \
-&nbsp;&nbsp;&nbsp;--reject-with tcp-reset
-iptables -A OUTPUT      -p tcp --sport 113      -m state --state RELATED \
-&nbsp;&nbsp;&nbsp;-j ACCEPT</screen></para></listitem>
+<screen>iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset
+iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen></para></listitem>
 
 <listitem><para>To log and drop invalid packets, mostly harmless packets
-that came in after netfilter's timeout, sometimes scans:</para>
+that came in after netfilter's timeout, sometimes scans:
 
-<para><screen>iptables -I INPUT 1       -p tcp  -m state --state INVALID        -j LOG \ 
-&nbsp;&nbsp;&nbsp;--log-prefix "FIREWALL:INVALID"
-iptables -I INPUT 2     -p tcp  -m state --state INVALID        -j DROP</screen></para></listitem>
+<screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix \ 
+"FIREWALL:INVALID"
+iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></para></listitem>
 
 <listitem><para>Anything coming from the outside should not have a
-private address, this is a common attack called IP-spoofing:</para>
+private address, this is a common attack called IP-spoofing:
 
-<para><screen>iptables -t nat -A PREROUTING     -i ppp+ -s 10.0.0.0/8           -j DROP
-iptables -t nat -A PREROUTING   -i ppp+ -s 172.16.0.0/12        -j DROP
-iptables -t nat -A PREROUTING   -i ppp+ -s 192.168.0.0/16       -j DROP</screen></para></listitem>
+<screen>iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8     -j DROP
+iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12  -j DROP
+iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j
+DROP</screen></para></listitem>
 
 <listitem><para>To simplify debugging and be fair to anyone who'd like to 
@@ -95 +91 @@
 
 <para>Obviously this must be done directly after logging as the very
-last lines before the packets are dropped by policy:</para>
+last lines before the packets are dropped by policy:
 
-<para><screen>iptables -A INPUT                                         -j REJECT
-iptables -A OUTPUT              -p icmp --icmp-type 3           -j ACCEPT</screen></para></listitem>
-
-</orderedlist>
+<screen>iptables -A INPUT                        -j REJECT
+iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT</screen></para></listitem>
+</itemizedlist>
+<!--</orderedlist>-->
 
 <para>These are only examples to show you some of the capabilities of the new 
@@ -106 +102 @@
 iptables.
 There you will find more of them. The port-numbers you'll need for this
-can be found in /etc/services, in case you didn't find them via "try'n'error" 
-in your logfile.</para>
+can be found in <filename>/etc/services</filename>, in case you didn't
+find them by trial and error in your logfile.</para>
 
 <para>If you add any of your offered or accessed services such as the above,

postlfs/security/firewalling/disclaimer.xml

@@ -2 +2 @@
 <title>Disclaimer</title>
 
-<para><emphasis>NEITHER THE AUTHOR NOR ANY OF THE LINUXFROMSCRATCH TEAM 
+<!-- <para><emphasis>NEITHER THE AUTHOR NOR ANY OF THE LINUXFROMSCRATCH TEAM 
 ARE RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THIS 
-DOCUMENT.</emphasis></para>
+DOCUMENT.</emphasis></para> -->
 
 <para>This document is meant as an introduction to how to setup a

postlfs/security/firewalling/finale.xml

@@ -1 +1 @@
 <sect2 id="postlfs-security-fw-finale" xreflabel="Conclusion">
-<title>Editor's Note</title>
+<title>Conclusion</title>
 
 <para>Finally, I'd like to remind you of one fact we must not forget:
@@ -9 +9 @@
 need of this hint!</para>
 
-<para><literallayout>Be cautious!
+<!-- <para><literallayout>Be cautious!
 
     Henning Rohde
@@ -19 +19 @@
 
 <para>PPS: If any of these scripts fail, please tell me. I will try to trace 
-any faults.</para>
+any faults.</para> -->
 
 </sect2>

postlfs/security/firewalling/intro.xml

@@ -50 +50 @@
 should generally have only one role, that of protecting the intranet.
 Although not completely riskless, the tasks of doing the routing 
-and eventually IP masquerading<footnote><para>rewriting IP-headers 
+and eventually IP masquerading (rewriting IP-headers 
 of the packets it routes from clients with private IP-addresses onto 
 the internet so that they seem to come from the firewall 
-itself</para></footnote> are commonly considered harmless.</para></sect3>
+itself) are commonly considered harmless.</para></sect3>
 
 <sect3><title><xref linkend="postlfs-security-fw-busybox"/></title>

postlfs/security/firewalling/kernel.xml

@@ -4 +4 @@
 <para>If you want your Linux-Box to do firewalling you must first ensure 
 that your kernel has been compiled with the relevant options turned on
-<footnote><para>If you needed assistance howto configure, compile and install 
+<!-- <footnote><para>If you needed assistance howto configure, compile and install 
 a new kernel, refer back to chapter VIII of the LinuxFromScratch book, 
 <ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html">Installing a kernel</ulink>
@@ -10 +10 @@
 <ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html">Making the LFS system bootable</ulink>
 ; note, that you'll need to reboot 
-to actually run your new kernel.</para></footnote>.</para>
+to actually run your new kernel.</para></footnote>-->.</para>
 
 <para>How to configure your kernel, with enabling the options to be 
@@ -17 +17 @@
 that the modules need to be loaded at first.</para>
 
+<screen>Network options menu
+  Network paket filtering:                          Y
+  Unix domain sockets:                         Y or M
+  TCP/IP networking:                                Y
+  IP: advanced router:                              Y
+  IP: verbose route monitoring:                     Y
+  IP: TCP Explicit Congestion Notification support: Y
+  IP: TCP syncookie support:                        Y
+  IP: Netfilter Configuration menu
+    Every option except:
+      ipchains (2.2-style) support
+      ipfwadm (2.0-style) support              Y or M
+  Fast switching:                                   N</screen>
+
+<!--
 <table frame='none'>
 <title>Essential config-options for a firewalling-enabled Kernel</title>
@@ -116 +131 @@
 </tgroup>
 
-</table>
+</table> -->
 
 </sect2>

postlfs/security/firewalling/library.xml

@@ -6 +6 @@
 <ulink url="http://www.netfilter.org/documentation/FAQ/netfilter-faq.html">FAQ</ulink>
 <ulink url="http://www.netfilter.org/documentation/index.html#HOWTO">List of Netfilter-related HOWTO's</ulink>
-<ulink url="http://www.linuxdoc.org/LDP/nag2/x-087-2-firewall.html"></ulink>
+<ulink url="http://www.linuxdoc.org/LDP/nag2/x-087-2-firewall.html"/>
 <ulink url="http://www.linuxdoc.org/HOWTO/Security-HOWTO.html"></ulink>
 <ulink url="http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html"></ulink>

postlfs/security/firewalling/masqrouter.xml

@@ -7 +7 @@
 make sure that there are no servers running on it, especially not X11 et
 al.  And, as a general principle, the box itself should not access any untrusted
-service<footnote><para>Think of a name server giving answers that make your
+service (Think of a name server giving answers that make your
 bind crash, or, even worse, that implement a worm via a 
-buffer-overflow.</para></footnote>.</para>
+buffer-overflow).</para>
 
-<para><screen><userinput>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</userinput>
+<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</command>
 #!/bin/sh
 
@@ -78 +78 @@
 # activate IP-Forwarding 
 echo 1 &gt; /proc/sys/net/ipv4/ip_forward
-<userinput>EOF</userinput></screen></para>
+<command>EOF</command></userinput></screen>
 
 <para>With this script your intranet should be sufficiently 

postlfs/security/firewalling/persfw.xml

@@ -10 +10 @@
 2.4 Packet Filtering HOWTO</ulink>:</para>
 
-<para><screen><userinput>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</userinput>
+<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</command>
 #!/bin/sh
 
@@ -47 +47 @@
 
 # End $rc_base/init.d/firewall
-<userinput>EOF</userinput></screen></para>
+<command>EOF</command></userinput></screen>
 
 <para>His script is quite simple, it drops all traffic coming in into your 

postlfs/security/firewalling/status.xml

@@ -5 +5 @@
 the order in which the rules take effect:</para>
 
-<para><screen><userinput>cat &gt; /etc/rc.d/init.d/firewall.status &lt;&lt; "EOF"</userinput>
+<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall.status &lt;&lt; "EOF"</command>
 #!/bin/sh
 
@@ -20 +20 @@
 echo "iptables.filter:"
 iptables            -v -L -n --line-numbers
-<userinput>EOF</userinput></screen></para>
+<command>EOF</command></userinput></screen>
 </sect3>

postlfs/security/firewalling/stop.xml

@@ -4 +4 @@
 <para>If you need to turn firewalling off, this script will do it:</para>
 
-<para><screen><userinput>cat &gt; /etc/rc.d/init.d/firewall.stop &lt;&lt; "EOF"</userinput>
+<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall.stop &lt;&lt; "EOF"</command>
 #!/bin/sh
 
@@ -23 +23 @@
 iptables -P FORWARD     ACCEPT
 iptables -P OUTPUT      ACCEPT
-<userinput>EOF</userinput></screen></para>
+<command>EOF</command></userinput></screen>
 
 </sect3>

pst/printing/espgs.xml

@@ -1 @@
-<sect1 id="espgs" xreflabel="GhostScript-&espgs-version;">
+<sect1 id="espgs" xreflabel="ESP GhostScript-&espgs-version;">
 <?dbhtml filename="espgs.html" dir="pst"?>
 <title>ESP Ghostscript-&espgs-version;</title>

pst/printing/gs.xml

@@ -1 @@
-<sect1 id="gs" xreflabel="GhostScript-&gs-version;">
+<sect1 id="gs" xreflabel="AFPL GhostScript-&gs-version;">
 <?dbhtml filename="gs.html" dir="pst"?>
 <title>AFPL Ghostscript-&gs-version;</title>