Changeset 1aacd4b5 for postlfs/security

Timestamp:

09/11/2003 07:44:39 PM (21 years ago)

Author:

Larry Lawrence <larry@…>

Branches:

10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.0, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, v5_0, v5_0-pre1, v5_1, v5_1-pre1, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal

Children:

acfc391

Parents:

945f944

Message:

add imlib2 and openquicktime, edited firewalling chapter

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@1047 af4574ff-66df-0310-9fd7-8a98e5e911e0

Location:

postlfs/security/firewalling

Files:

• busybox.xml (modified) (5 diffs)
• disclaimer.xml (modified) (1 diff)
• finale.xml (modified) (3 diffs)
• intro.xml (modified) (1 diff)
• kernel.xml (modified) (4 diffs)
• library.xml (modified) (1 diff)
• masqrouter.xml (modified) (2 diffs)
• persfw.xml (modified) (2 diffs)
• status.xml (modified) (2 diffs)
• stop.xml (modified) (2 diffs)

postlfs/security/firewalling/busybox.xml

@@ -22 +22 @@
 into the script.
 
-<screen>iptables -A INPUT       -i ! ppp+                               -j ACCEPT
-iptables -A OUTPUT      -o ! ppp+                               -j ACCEPT</screen></para>
+<screen>iptables -A INPUT  -i ! ppp+  -j ACCEPT
+iptables -A OUTPUT -o ! ppp+  -j ACCEPT</screen></para>
 
 <para>If your daemons have to access the web themselves, like squid would need
 to, you could open OUTPUT generally and restrict INPUT.
 
-<screen>iptables -A INPUT       -m state --state ESTABLISHED,RELATED    -j ACCEPT
-iptables -A OUTPUT                                              -j ACCEPT</screen></para>
+<screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED  -j ACCEPT
+iptables -A OUTPUT                                      -j ACCEPT</screen></para>
 
 <para>However, it is generally not advisable to leave OUTPUT unrestricted: you lose 
@@ -40 +40 @@
 Which ports you have to open depends on your needs: mostly you will find them 
 by looking for failed accesses in your log-files.</para>
-
-<orderedlist numeration="arabic" spacing="compact">
+<itemizedlist spacing="compact">
+<!-- <orderedlist numeration="arabic" spacing="compact"> -->
 <title>Have a look at the following examples:</title>
 
-<listitem><para>Squid is caching the web:</para>
-<para><screen>iptables -A OUTPUT        -p tcp --dport 80                       -j ACCEPT
-iptables -A INPUT       -p tcp --sport 80       -m state --state ESTABLISHED \
-&nbsp;&nbsp;&nbsp;-j ACCEPT</screen></para></listitem>
+<listitem><para>Squid is caching the web:
+<screen>iptables -A OUTPUT -p tcp --dport 80                              -j ACCEPT
+iptables -A INPUT  -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT</screen></para></listitem>
 
 <listitem><para>Your caching name server (e.g., dnscache) does its
-lookups via udp:</para>
-<para><screen>iptables -A OUTPUT        -p udp --dport 53                       -j ACCEPT
-iptables -A INPUT       -p udp --sport 53       -m state --state ESTABLISHED \
-&nbsp;&nbsp;&nbsp;-j ACCEPT</screen></para></listitem>
+lookups via udp:
+<screen>iptables -A OUTPUT -p udp --dport 53                              -j ACCEPT
+iptables -A INPUT  -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT</screen></para></listitem>
 
 <listitem><para>Alternatively, if you want to be able to ping your box to ensure
-it's still alive:</para>
-<para><screen>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request        \
-&nbsp;&nbsp;&nbsp;-j ACCEPT
-iptables -A OUTPUT      -p icmp -m icmp --icmp-type echo-reply  -j ACCEPT</screen></para></listitem>
+it's still alive:
+<screen>iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT
+iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT</screen></para></listitem>
 
 <listitem><para><anchor id='postlfs-security-fw-BB-4' xreflabel="example no. 4"/>If you are 
@@ -69 +66 @@
 
 <para>To avoid these delays you could reject the requests 
-with a 'tcp-reset':</para>
+with a 'tcp-reset':
 
-<para><screen>iptables -A INPUT -p tcp --dport 113                      -j REJECT \
-&nbsp;&nbsp;&nbsp;--reject-with tcp-reset
-iptables -A OUTPUT      -p tcp --sport 113      -m state --state RELATED \
-&nbsp;&nbsp;&nbsp;-j ACCEPT</screen></para></listitem>
+<screen>iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset
+iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen></para></listitem>
 
 <listitem><para>To log and drop invalid packets, mostly harmless packets
-that came in after netfilter's timeout, sometimes scans:</para>
+that came in after netfilter's timeout, sometimes scans:
 
-<para><screen>iptables -I INPUT 1       -p tcp  -m state --state INVALID        -j LOG \ 
-&nbsp;&nbsp;&nbsp;--log-prefix "FIREWALL:INVALID"
-iptables -I INPUT 2     -p tcp  -m state --state INVALID        -j DROP</screen></para></listitem>
+<screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix \ 
+"FIREWALL:INVALID"
+iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></para></listitem>
 
 <listitem><para>Anything coming from the outside should not have a
-private address, this is a common attack called IP-spoofing:</para>
+private address, this is a common attack called IP-spoofing:
 
-<para><screen>iptables -t nat -A PREROUTING     -i ppp+ -s 10.0.0.0/8           -j DROP
-iptables -t nat -A PREROUTING   -i ppp+ -s 172.16.0.0/12        -j DROP
-iptables -t nat -A PREROUTING   -i ppp+ -s 192.168.0.0/16       -j DROP</screen></para></listitem>
+<screen>iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8     -j DROP
+iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12  -j DROP
+iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j
+DROP</screen></para></listitem>
 
 <listitem><para>To simplify debugging and be fair to anyone who'd like to 
@@ -95 +91 @@
 
 <para>Obviously this must be done directly after logging as the very
-last lines before the packets are dropped by policy:</para>
+last lines before the packets are dropped by policy:
 
-<para><screen>iptables -A INPUT                                         -j REJECT
-iptables -A OUTPUT              -p icmp --icmp-type 3           -j ACCEPT</screen></para></listitem>
-
-</orderedlist>
+<screen>iptables -A INPUT                        -j REJECT
+iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT</screen></para></listitem>
+</itemizedlist>
+<!--</orderedlist>-->
 
 <para>These are only examples to show you some of the capabilities of the new 
@@ -106 +102 @@
 iptables.
 There you will find more of them. The port-numbers you'll need for this
-can be found in /etc/services, in case you didn't find them via "try'n'error" 
-in your logfile.</para>
+can be found in <filename>/etc/services</filename>, in case you didn't
+find them by trial and error in your logfile.</para>
 
 <para>If you add any of your offered or accessed services such as the above,

postlfs/security/firewalling/disclaimer.xml

@@ -2 +2 @@
 <title>Disclaimer</title>
 
-<para><emphasis>NEITHER THE AUTHOR NOR ANY OF THE LINUXFROMSCRATCH TEAM 
+<!-- <para><emphasis>NEITHER THE AUTHOR NOR ANY OF THE LINUXFROMSCRATCH TEAM 
 ARE RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THIS 
-DOCUMENT.</emphasis></para>
+DOCUMENT.</emphasis></para> -->
 
 <para>This document is meant as an introduction to how to setup a

postlfs/security/firewalling/finale.xml

@@ -1 +1 @@
 <sect2 id="postlfs-security-fw-finale" xreflabel="Conclusion">
-<title>Editor's Note</title>
+<title>Conclusion</title>
 
 <para>Finally, I'd like to remind you of one fact we must not forget:
@@ -9 +9 @@
 need of this hint!</para>
 
-<para><literallayout>Be cautious!
+<!-- <para><literallayout>Be cautious!
 
     Henning Rohde
@@ -19 +19 @@
 
 <para>PPS: If any of these scripts fail, please tell me. I will try to trace 
-any faults.</para>
+any faults.</para> -->
 
 </sect2>

postlfs/security/firewalling/intro.xml

@@ -50 +50 @@
 should generally have only one role, that of protecting the intranet.
 Although not completely riskless, the tasks of doing the routing 
-and eventually IP masquerading<footnote><para>rewriting IP-headers 
+and eventually IP masquerading (rewriting IP-headers 
 of the packets it routes from clients with private IP-addresses onto 
 the internet so that they seem to come from the firewall 
-itself</para></footnote> are commonly considered harmless.</para></sect3>
+itself) are commonly considered harmless.</para></sect3>
 
 <sect3><title><xref linkend="postlfs-security-fw-busybox"/></title>

postlfs/security/firewalling/kernel.xml

@@ -4 +4 @@
 <para>If you want your Linux-Box to do firewalling you must first ensure 
 that your kernel has been compiled with the relevant options turned on
-<footnote><para>If you needed assistance howto configure, compile and install 
+<!-- <footnote><para>If you needed assistance howto configure, compile and install 
 a new kernel, refer back to chapter VIII of the LinuxFromScratch book, 
 <ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html">Installing a kernel</ulink>
@@ -10 +10 @@
 <ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html">Making the LFS system bootable</ulink>
 ; note, that you'll need to reboot 
-to actually run your new kernel.</para></footnote>.</para>
+to actually run your new kernel.</para></footnote>-->.</para>
 
 <para>How to configure your kernel, with enabling the options to be 
@@ -17 +17 @@
 that the modules need to be loaded at first.</para>
 
+<screen>Network options menu
+  Network paket filtering:                          Y
+  Unix domain sockets:                         Y or M
+  TCP/IP networking:                                Y
+  IP: advanced router:                              Y
+  IP: verbose route monitoring:                     Y
+  IP: TCP Explicit Congestion Notification support: Y
+  IP: TCP syncookie support:                        Y
+  IP: Netfilter Configuration menu
+    Every option except:
+      ipchains (2.2-style) support
+      ipfwadm (2.0-style) support              Y or M
+  Fast switching:                                   N</screen>
+
+<!--
 <table frame='none'>
 <title>Essential config-options for a firewalling-enabled Kernel</title>
@@ -116 +131 @@
 </tgroup>
 
-</table>
+</table> -->
 
 </sect2>

postlfs/security/firewalling/library.xml

@@ -6 +6 @@
 <ulink url="http://www.netfilter.org/documentation/FAQ/netfilter-faq.html">FAQ</ulink>
 <ulink url="http://www.netfilter.org/documentation/index.html#HOWTO">List of Netfilter-related HOWTO's</ulink>
-<ulink url="http://www.linuxdoc.org/LDP/nag2/x-087-2-firewall.html"></ulink>
+<ulink url="http://www.linuxdoc.org/LDP/nag2/x-087-2-firewall.html"/>
 <ulink url="http://www.linuxdoc.org/HOWTO/Security-HOWTO.html"></ulink>
 <ulink url="http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html"></ulink>

postlfs/security/firewalling/masqrouter.xml

@@ -7 +7 @@
 make sure that there are no servers running on it, especially not X11 et
 al.  And, as a general principle, the box itself should not access any untrusted
-service<footnote><para>Think of a name server giving answers that make your
+service (Think of a name server giving answers that make your
 bind crash, or, even worse, that implement a worm via a 
-buffer-overflow.</para></footnote>.</para>
+buffer-overflow).</para>
 
-<para><screen><userinput>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</userinput>
+<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</command>
 #!/bin/sh
 
@@ -78 +78 @@
 # activate IP-Forwarding 
 echo 1 &gt; /proc/sys/net/ipv4/ip_forward
-<userinput>EOF</userinput></screen></para>
+<command>EOF</command></userinput></screen>
 
 <para>With this script your intranet should be sufficiently 

postlfs/security/firewalling/persfw.xml

@@ -10 +10 @@
 2.4 Packet Filtering HOWTO</ulink>:</para>
 
-<para><screen><userinput>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</userinput>
+<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</command>
 #!/bin/sh
 
@@ -47 +47 @@
 
 # End $rc_base/init.d/firewall
-<userinput>EOF</userinput></screen></para>
+<command>EOF</command></userinput></screen>
 
 <para>His script is quite simple, it drops all traffic coming in into your 

postlfs/security/firewalling/status.xml

@@ -5 +5 @@
 the order in which the rules take effect:</para>
 
-<para><screen><userinput>cat &gt; /etc/rc.d/init.d/firewall.status &lt;&lt; "EOF"</userinput>
+<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall.status &lt;&lt; "EOF"</command>
 #!/bin/sh
 
@@ -20 +20 @@
 echo "iptables.filter:"
 iptables            -v -L -n --line-numbers
-<userinput>EOF</userinput></screen></para>
+<command>EOF</command></userinput></screen>
 </sect3>

postlfs/security/firewalling/stop.xml

@@ -4 +4 @@
 <para>If you need to turn firewalling off, this script will do it:</para>
 
-<para><screen><userinput>cat &gt; /etc/rc.d/init.d/firewall.stop &lt;&lt; "EOF"</userinput>
+<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall.stop &lt;&lt; "EOF"</command>
 #!/bin/sh
 
@@ -23 +23 @@
 iptables -P FORWARD     ACCEPT
 iptables -P OUTPUT      ACCEPT
-<userinput>EOF</userinput></screen></para>
+<command>EOF</command></userinput></screen>
 
 </sect3>