- Timestamp: 07/21/2005 08:18:59 PM (19 years ago)
- Branches: 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children: 91a3570
- Parents: 2bc0646
- File: 1 edited
postlfs/security/firewalling.xml
r2bc0646 r1ef78bc 46 46 need to keep applications and daemons on your system properly 47 47 configured and up to date. A firewall is not a cure all, but should 48 be an essential part of your overall security st artegy.</para>48 be an essential part of your overall security strategy.</para> 49 49 50 50 </sect2> … … 58 58 <title><xref linkend="fw-persFw"/></title> 59 59 60 <para>This is a hardware device or software program commercially 61 sold by companies such as Symantec which claims that it secures62 a home or desktop computer with Internet access. This type of63 firewall is highly relevant for users who do not know how their60 <para>This is a hardware device or software program commercially sold (or 61 offered via freeware) by companies such as Symantec which claims that 62 it secures a home or desktop computer connected to the Internet. This 63 type of firewall is highly relevant for users who do not know how their 64 64 computers might be accessed via the Internet or how to disable 65 65 that access, especially if they are always online and connected … … 88 88 forgotten, performing masquerading or routing functions, but offering 89 89 non-firewall services such as a web-cache or mail. This may be used 90 for home networks, but is not be considered as secure as a firewall90 for home networks, but is not to be considered as secure as a firewall 91 91 only machine because the combination of server and router/firewall on 92 92 one machine raises the complexity of the setup.</para> … … 99 99 100 100 <para>This box performs masquerading or routing, but grants public 101 access to some branch of your network which, because of public IP 's101 access to some branch of your network which, because of public IPs 102 102 and a physically separated structure, is essentially a separate 103 103 network with direct Internet access. 
The servers on this network are … … 113 113 <para>This type of firewall does routing or masquerading, but does 114 114 not maintain a state table of ongoing communication streams. It is 115 fast, but quite limited in its ability to block inappropriatepackets115 fast, but quite limited in its ability to block undesired packets 116 116 without blocking desired packets.</para> 117 117 … … 141 141 </caution> 142 142 143 <para>The firewall configuration script installed in the lastsection143 <para>The firewall configuration script installed in the iptables section 144 144 differs from the standard configuration script. It only has two of 145 145 the standard targets: start and status. The other targets are clear 146 and lock. For instance when you run:</para>146 and lock. For instance if you issue:</para> 147 147 148 148 <screen role="root"><userinput>/etc/rc.d/init.d/iptables start</userinput></screen> … … 255 255 256 256 <para>This script is quite simple, it drops all traffic coming 257 in into your computer that wasn't initiated from your box, but257 into your computer that wasn't initiated from your computer, but 258 258 as long as you are simply surfing the Internet you are unlikely 259 259 to exceed its limits.</para> 260 260 261 261 <para>If you frequently encounter certain delays at accessing 262 ftp-servers, take a look at <xref linkend="fw-BB-4"/>.</para>262 FTP servers, take a look at <xref linkend="fw-BB-4"/>.</para> 263 263 264 264 <para>Even if you have daemons or services running on your system, … … 280 280 servers running on it such as <application>X11</application> et 281 281 al. 
As a general principle, the firewall itself should not access 282 any untrusted service ( Think of a remote server giving answers that283 makes a daemon on your system crash, or ,even worse, that implements282 any untrusted service (think of a remote server giving answers that 283 makes a daemon on your system crash, or even worse, that implements 284 284 a worm via a buffer-overflow).</para> 285 285 … … 389 389 <note> 390 390 <para>If the interface you're connecting to the Internet 391 doesn't connect via ppp, you will need to change392 <replaceable>ppp+</replaceable> to the name of the interface ,393 e.g. <emphasis role="strong">eth1</emphasis>,which you are391 doesn't connect via PPP, you will need to change 392 <replaceable>ppp+</replaceable> to the name of the interface 393 (e.g., <emphasis role="strong">eth1</emphasis>) which you are 394 394 using.</para> 395 395 </note> … … 420 420 <xref linkend="fw-masqRouter"/> for some more details.</para> 421 421 422 <para>If you want to add services such as internal samba or422 <para>If you want to add services such as internal Samba or 423 423 name servers that do not need to access the Internet themselves, 424 424 the additional statements are quite simple and should still be … … 460 460 <listitem> 461 461 <para>Your caching name server (e.g., named) does its 462 lookups via udp:</para>462 lookups via UDP:</para> 463 463 464 464 <screen><literal>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</literal></screen> … … 466 466 </listitem> 467 467 <listitem> 468 <para>You want to be able to ping your boxto468 <para>You want to be able to ping your computer to 469 469 ensure it's still alive:</para> 470 470 … … 475 475 <listitem> 476 476 <para><anchor id='fw-BB-4' xreflabel="BusyBox example number 4"/>If 477 you are frequently accessing ftpservers or enjoy chatting, you might477 you are frequently accessing FTP servers or enjoy chatting, you might 478 478 notice certain delays because some implementations of these daemons 
479 479 have the feature of querying an identd on your system to obtain … … 555 555 <title>Extra Information</title> 556 556 557 <sect3 id="fw-library" xreflabel=" Links for further reading">558 <title>Where to Start with Further Reading on Firewalls .</title>557 <sect3 id="fw-library" xreflabel="links for further reading"> 558 <title>Where to Start with Further Reading on Firewalls</title> 559 559 560 560 <blockquote> … … 591 591 592 592 </sect1> 593
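Review bot: In the hunk that rewrites `<para>The firewall configuration script installed in the iptables section`, the pointer to the iptables page is still plain prose, while the rest of this file cross-links sections with `<xref linkend="..."/>` (see the `fw-persFw` and `fw-BB-4` references in the same diff); replacing the phrase with an xref to that section would keep the link from going stale if the section is renamed or moved, and would let the rendered text pick up the target's title automatically.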
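Review bot: The `xreflabel` edit in the `fw-library` hunk, from `" Links for further reading"` to `"links for further reading"`, correctly drops the stray leading space, but lowercasing the first letter changes the text every `<xref linkend="fw-library"/>` renders; check that no referencing sentence opens with that xref, or it will now begin in lowercase. Removing the trailing period from `<title>Where to Start with Further Reading on Firewalls</title>` is consistent with the other titles in this file, such as `<title>Extra Information</title>`, which carry no terminal punctuation.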
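Review bot: In the personal-firewall hunk, the new wording `commercially sold (or 61 offered via freeware)` is awkward; "sold commercially or offered as freeware" says the same thing without the parenthesis and reads naturally with the following "by companies such as Symantec".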