Timestamp:
09/11/2003 07:44:39 PM (21 years ago)
Author:
Larry Lawrence <larry@…>
Branches:
10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.0, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, v5_0, v5_0-pre1, v5_1, v5_1-pre1, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
Children:
acfc391
Parents:
945f944
Message:

add imlib2 and openquicktime, edited firewalling chapter

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@1047 af4574ff-66df-0310-9fd7-8a98e5e911e0

File:
1 edited

  • postlfs/security/firewalling/busybox.xml

    r945f944 r1aacd4b5  
    2222into the script.
    2323
    24 <screen>iptables -A INPUT       -i ! ppp+                               -j ACCEPT
    25 iptables -A OUTPUT      -o ! ppp+                               -j ACCEPT</screen></para>
     24<screen>iptables -A INPUT  -i ! ppp+  -j ACCEPT
     25iptables -A OUTPUT -o ! ppp+  -j ACCEPT</screen></para>
    2626
    2727<para>If your daemons have to access the web themselves, like squid would need
    2828to, you could open OUTPUT generally and restrict INPUT.
    2929
    30 <screen>iptables -A INPUT       -m state --state ESTABLISHED,RELATED    -j ACCEPT
    31 iptables -A OUTPUT                                              -j ACCEPT</screen></para>
     30<screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED  -j ACCEPT
     31iptables -A OUTPUT                                      -j ACCEPT</screen></para>
    3232
    3333<para>However, it is generally not advisable to leave OUTPUT unrestricted: you lose
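Review bot: the realignment of lines 24-25 and 30-31 is cosmetic only, the rules themselves are unchanged, so nothing to fix there. One thing worth deciding while this text is being touched: the intrapositioned negation `-i ! ppp+` / `-o ! ppp+` on lines 24-25 is the form that later iptables releases flag as deprecated in favour of the extrapositioned `! -i ppp+`; either switch to that form or add a sentence saying which syntax the reader's iptables expects, so the script does not start emitting warnings once the reader upgrades.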
     
    4040Which ports you have to open depends on your needs: mostly you will find them
    4141by looking for failed accesses in your log-files.</para>
    42 
    43 <orderedlist numeration="arabic" spacing="compact">
     42<itemizedlist spacing="compact">
     43<!-- <orderedlist numeration="arabic" spacing="compact"> -->
    4444<title>Have a look at the following examples:</title>
    4545
    46 <listitem><para>Squid is caching the web:</para>
    47 <para><screen>iptables -A OUTPUT        -p tcp --dport 80                       -j ACCEPT
    48 iptables -A INPUT       -p tcp --sport 80       -m state --state ESTABLISHED \
    49 &nbsp;&nbsp;&nbsp;-j ACCEPT</screen></para></listitem>
     46<listitem><para>Squid is caching the web:
     47<screen>iptables -A OUTPUT -p tcp --dport 80                              -j ACCEPT
     48iptables -A INPUT  -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT</screen></para></listitem>
    5049
    5150<listitem><para>Your caching name server (e.g., dnscache) does its
    52 lookups via udp:</para>
    53 <para><screen>iptables -A OUTPUT        -p udp --dport 53                       -j ACCEPT
    54 iptables -A INPUT       -p udp --sport 53       -m state --state ESTABLISHED \
    55 &nbsp;&nbsp;&nbsp;-j ACCEPT</screen></para></listitem>
     51lookups via udp:
     52<screen>iptables -A OUTPUT -p udp --dport 53                              -j ACCEPT
     53iptables -A INPUT  -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT</screen></para></listitem>
    5654
    5755<listitem><para>Alternatively, if you want to be able to ping your box to ensure
    58 it's still alive:</para>
    59 <para><screen>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request        \
    60 &nbsp;&nbsp;&nbsp;-j ACCEPT
    61 iptables -A OUTPUT      -p icmp -m icmp --icmp-type echo-reply  -j ACCEPT</screen></para></listitem>
     56it's still alive:
     57<screen>iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT
     58iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT</screen></para></listitem>
    6259
    6360<listitem><para><anchor id='postlfs-security-fw-BB-4' xreflabel="example no. 4"/>If you are
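Review bot: switching from `<orderedlist>` to `<itemizedlist>` (new lines 42-43) breaks the cross-reference on the anchor at line 60: `postlfs-security-fw-BB-4` still carries `xreflabel="example no. 4"`, so any `<xref>` to it will render as "example no. 4", but the list no longer shows numbers, and the reader has nothing to count. Either keep the `<orderedlist>` (the commented-out opening tag suggests this was left undecided) or change the `xreflabel` to something that does not depend on a number, such as the ident example's subject. Folding the separate `<para><screen>` into the preceding `<para>` of each listitem is fine; `screen` is permitted inside `para` and the output is identical.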
     
    6966
    7067<para>To avoid these delays you could reject the requests
    71 with a 'tcp-reset':</para>
     68with a 'tcp-reset':
    7269
    73 <para><screen>iptables -A INPUT -p tcp --dport 113                      -j REJECT \
    74 &nbsp;&nbsp;&nbsp;--reject-with tcp-reset
    75 iptables -A OUTPUT      -p tcp --sport 113      -m state --state RELATED \
    76 &nbsp;&nbsp;&nbsp;-j ACCEPT</screen></para></listitem>
     70<screen>iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset
     71iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen></para></listitem>
    7772
    7873<listitem><para>To log and drop invalid packets, mostly harmless packets
    79 that came in after netfilter's timeout, sometimes scans:</para>
     74that came in after netfilter's timeout, sometimes scans:
    8075
    81 <para><screen>iptables -I INPUT 1       -p tcp  -m state --state INVALID        -j LOG \
    82 &nbsp;&nbsp;&nbsp;--log-prefix "FIREWALL:INVALID"
    83 iptables -I INPUT 2     -p tcp  -m state --state INVALID        -j DROP</screen></para></listitem>
     76<screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix \
     77"FIREWALL:INVALID"
     78iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></para></listitem>
    8479
    8580<listitem><para>Anything coming from the outside should not have a
    86 private address, this is a common attack called IP-spoofing:</para>
     81private address, this is a common attack called IP-spoofing:
    8782
    88 <para><screen>iptables -t nat -A PREROUTING     -i ppp+ -s 10.0.0.0/8           -j DROP
    89 iptables -t nat -A PREROUTING   -i ppp+ -s 172.16.0.0/12        -j DROP
    90 iptables -t nat -A PREROUTING   -i ppp+ -s 192.168.0.0/16       -j DROP</screen></para></listitem>
     83<screen>iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8     -j DROP
     84iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12  -j DROP
     85iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j
     86DROP</screen></para></listitem>
    9187
    9288<listitem><para>To simplify debugging and be fair to anyone who'd like to
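Review bot: new lines 85-86 split the third anti-spoofing rule across a line break inside `<screen>` with no `\` continuation (`... -s 192.168.0.0/16 -j` followed by a bare `DROP`), so the command as rendered is no longer one line; anyone pasting it gets `iptables ... -j` failing for lack of a target and then a `DROP` command that does not exist. Re-join it on one line, or wrap it with a trailing backslash the way the INVALID example on lines 76-77 does. Separately, these DROP rules sit in the nat table's PREROUTING chain; the nat table is only consulted for the first packet of a connection, so it is the wrong place for filtering. The same rules in the filter table, e.g. `iptables -A INPUT -i ppp+ -s 10.0.0.0/8 -j DROP`, are evaluated for every packet and belong with the other INPUT rules in this script.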
     
    9591
    9692<para>Obviously this must be done directly after logging as the very
    97 last lines before the packets are dropped by policy:</para>
     93last lines before the packets are dropped by policy:
    9894
    99 <para><screen>iptables -A INPUT                                         -j REJECT
    100 iptables -A OUTPUT              -p icmp --icmp-type 3           -j ACCEPT</screen></para></listitem>
    101 
    102 </orderedlist>
     95<screen>iptables -A INPUT                        -j REJECT
     96iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT</screen></para></listitem>
     97</itemizedlist>
     98<!--</orderedlist>-->
    10399
    104100<para>These are only examples to show you some of the capabilities of the new
     
    106102iptables.
    107103There you will find more of them. The port-numbers you'll need for this
    108 can be found in /etc/services, in case you didn't find them via "try'n'error"
    109 in your logfile.</para>
     104can be found in <filename>/etc/services</filename>, in case you didn't
     105find them by trial and error in your logfile.</para>
    110106
    111107<para>If you add any of your offered or accessed services such as the above,
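Review bot: the catch-all `iptables -A INPUT -j REJECT` (new line 95) must remain the last rule appended to INPUT; the text on lines 92-93 says so, but since the script mixes `-A` and `-I`, it is worth one explicit sentence that any further `-A INPUT ... -j ACCEPT` added after this point is unreachable and must go above it (or use `-I`). The paired `-A OUTPUT -p icmp --icmp-type 3 -j ACCEPT` is correct and necessary: REJECT without `--reject-with` answers with an ICMP port-unreachable, which is type 3, and without that OUTPUT rule the rejection would be silently dropped and behave like the DROP policy it is meant to replace. The `<filename>` markup and the "trial and error" wording are improvements.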