Changeset 1ea79a1 for postlfs/security/firewalling/busybox.xml
- Timestamp:
- 05/30/2004 05:30:47 AM (20 years ago)
- Branches:
- 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.0, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, v5_1, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children:
- 1dad4a4
- Parents:
- 4ea49a31
- File:
- 1 edited
postlfs/security/firewalling/busybox.xml
r4ea49a31 r1ea79a1 11 11 12 12 <para>Be cautious. Every service you offer and have enabled makes your 13 setup more complex and your box less secure :You induce the risks of14 misconfigured services or running a service with an exploitable bug , both risks15 that a firewall principally should be immune of.See the introduction to13 setup more complex and your box less secure. You induce the risks of 14 misconfigured services or running a service with an exploitable bug. A firewall 15 should generally not run any extra services. See the introduction to 16 16 <xref linkend="postlfs-security-fw-masqRouter"/> for some more details.</para> 17 17 … … 31 31 iptables -A OUTPUT -j ACCEPT</screen> 32 32 33 <para>However, it is generally not advisable to leave OUTPUT unrestricted : you lose34 any control o ntrojans who'd like to "call home", and a bit of redundancy in case33 <para>However, it is generally not advisable to leave OUTPUT unrestricted. You lose 34 any control over trojans who'd like to "call home", and a bit of redundancy in case 35 35 you've (mis-)configured a service so that it does broadcast its existence to the 36 36 world.</para> … … 59 59 60 60 <listitem><para><anchor id='postlfs-security-fw-BB-4' xreflabel="example no. 4"/>If you are 61 frequently accessing ftp-servers or enjoy chatting you might notice certain61 frequently accessing ftp-servers or enjoy chatting, you might notice certain 62 62 delays because some implementations of these daemons have the feature of 63 querying an identd on your box for your username for logging.63 querying an identd on your box for logging usernames. 
64 64 Although there's really no harm in this, having an identd running is not 65 65 recommended because some implementations are known to be vulnerable.</para> … … 71 71 iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen></listitem> 72 72 73 <listitem><para>To log and drop invalid packets , mostlyharmless packets74 that came in after netfilter's timeout , sometimes scans:</para>73 <listitem><para>To log and drop invalid packets (harmless packets 74 that came in after netfilter's timeout or some types of network scans):</para> 75 75 76 76 <screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix \
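Review bot: in the first hunk (file lines 13-15), "You induce the risks of misconfigured services" still uses the wrong verb; "You introduce the risks of misconfigured services or running a service with an exploitable bug." reads naturally and keeps the meaning. Splitting the run-on and replacing "both risks that a firewall principally should be immune of" with "A firewall should generally not run any extra services." is the right fix for the rest of the paragraph.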
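Review bot: in the identd hunk (file lines 61-63), "querying an identd on your box for logging usernames" loses who is being logged; the remote daemon asks your identd for your username so it can log it. Suggest "querying an identd on your box for your username, which they log." so the unchanged context "there's really no harm in this" still refers to that lookup.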
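Review bot: in the last hunk (file lines 73-74), dropping "mostly" turns the parenthetical into "harmless packets that came in after netfilter's timeout or some types of network scans", which now calls scans harmless, and contradicts the LOG rule on line 76 that exists precisely because some of these packets are not. Suggest keeping the qualifier: "(mostly harmless packets that came in after netfilter's timeout, but sometimes network scans)".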