Changeset 8920dfa

Timestamp:

05/13/2005 09:53:44 PM (19 years ago)

Author:

Manuel Canales Esparcia <manuel@…>

Branches:

10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal

Children:

07d11f5

Parents:

1cc0752

Message:

Tagged firewalling.xml

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@4197 af4574ff-66df-0310-9fd7-8a98e5e911e0

File:

• postlfs/security/firewalling.xml (modified) (4 diffs)

postlfs/security/firewalling.xml

@@ -7 +7 @@
 
 <sect1 id="fw-firewall" xreflabel="Firewalling">
-<sect1info>
-<othername>$LastChangedBy$</othername>
-<date>$Date$</date>
-</sect1info>
-<?dbhtml filename="firewall.html"?>
-<title>Setting up a network firewall</title>
-
-<para>Before you read this part of the chapter, you should
-have already installed iptables as described in the previous section.</para>
-
-<sect2 id="fw-intro" xreflabel="Firewalling Introduction">
-<title>Introduction to Firewall Creation</title>
-
-<para>The general purpose of a firewall is to protect a computer or a network
-against malicious access.</para> 
-
-<para>In a perfect world, every daemon or service 
-on every machine is perfectly configured and immune to flaws such as 
-buffer overflows or other problems regarding its 
-security. Furthermore, you trust every user accessing your services.
-In this world, you do not need to have a firewall.</para>
-
-<para>In the real world however, daemons may be misconfigured
-and exploits against essential services are freely available.  You 
-may wish to choose which services are accessible by certain machines or 
-you may wish to limit which machines or applications are allowed external
-access. Alternatively, you may simply not trust some of your 
-applications or users. You are probably connected to the Internet.  In this
-world, a firewall is essential.</para>
-
-<para>Don't assume however, that having a firewall makes careful configuration
-redundant, or that it makes any negligent misconfiguration harmless. It doesn't
-prevent anyone from exploiting a service you intentionally offer but haven't
-recently updated or patched after an exploit went public.  Despite having a
-firewall, you need to keep applications and daemons on your system properly
-configured and up to date.  A firewall is not a cure all, but should be an
-essential part of your overall security startegy.</para>
-
-</sect2>
-
-<sect2>
-<title>Meaning of the word "firewall"</title>
-
-<para>The word firewall can have several different meanings.</para>
-
-<sect3><title><xref linkend="fw-persFw"/></title>
-
-<para>This is a hardware device or software program commercially sold by 
-companies such as Symantec which claims that it
-secures a home or desktop computer with Internet access. This type of firewall is 
-highly relevant for users who do not know how their computers 
-might be accessed via the Internet or how to disable that access, 
-especially if they are always online and connected via 
-broadband links.</para></sect3>
-
-<sect3>
-<title><xref linkend="fw-masqRouter"/></title>
-
-<para>This is a system placed between the Internet and an intranet.  To minimize
-the risk of compromising the firewall itself, it should generally have only one
-role&mdash;that of protecting the intranet.  Although not completely risk free,
-the tasks of doing the routing and  IP masquerading (rewriting IP headers of
-the packets it routes from clients with private IP addresses onto the Internet
-so that they seem to come from the firewall itself) are commonly considered
-relatively secure.</para>
-</sect3>
-
-<sect3> 
-<title><xref linkend="fw-busybox"/></title> 
-
-<para>This is often an old computer you may have retired and nearly forgotten,
-performing masquerading or routing functions, but offering non-firewall
-services such as a web-cache or mail.  This may be used for home
-networks, but is not be considered as secure as a firewall only
-machine because the combination of server and router/firewall on one machine
-raises the complexity of the setup.</para>
-</sect3>
-
-<sect3>
-<title>Firewall with a demilitarized zone [not further described here]</title>
-<para>This box performs masquerading or routing, but grants public access to 
-some branch of your network which, because of public IP's and a physically 
-separated structure, is essentially a separate network with direct Internet access.  
-The servers on this network are those which must be easily accessible 
-from both the Internet and intranet. The firewall protects 
-both networks. This type of firewall has a minimum of three network interfaces.</para>
-</sect3>
-
-<sect3>
-<title>Packetfilter</title>
-<para>This type of firewall does routing or masquerading, but does not maintain
-a state table of ongoing communication streams. It is fast, but quite limited
-in its ability to block inappropriate packets without blocking desired
-packets.</para>
-</sect3>
-</sect2>
-
-<sect2 id="fw-writing" xreflabel="writing the firewalling-setup-scripts">
-<title>Now you can start to build your Firewall</title>
-
-<caution><para>This introduction on how to setup a firewall
-is not a complete guide to securing systems.  Firewalling is a complex issue
-that requires careful configuration.  The scripts quoted here are simply
-intended to give examples of how a firewall works. They are not intended to
-fit into any particular configuration and may not provide complete protection 
-from an attack.</para>
-
-<para>Customization of these scripts for your specific situation will
-be necessary for an optimal configuration, but you should make a serious
-study of the iptables documentation and creating firewalls in general before 
-hacking away.  Have a look at the list of 
-<xref linkend="fw-library"/> at the end of this section for 
-more details.  There you will find a list of URLs that contain quite 
-comprehensive information about building your own firewall.</para>
-</caution>
-
-<para>The firewall configuration script installed in the last section differs
-from the standard configuration script.  It only has two of the standard
-targets: start and status.  The other targets are clear and lock.  For instance when you
-run:
-
-<screen><userinput><command>/etc/rc.d/init.d/iptables start</command></userinput></screen>
-
-the firewall will be restarted just as it is upon system startup.  The status target
-will present a list of all currently implemented rules.  The clear target turns off all 
-firewall rules and the lock target will block all packets in and out of the computer
-with the exception of the loopback interface.</para>
-
-<para>The main startup firewall is located in the file 
-<filename>/etc/rc.d/rc.iptables</filename>.  The sections below provide three different
-approaches that can be used for a system.</para>
-
-<note><para>You should always run your firewall rules from a script.  This ensures
-consistency and a record of what was done.  It also allows retention of comments
-that are essential for understanding the rules long after they were written.
-</para></note>
-
-<sect3 id="fw-persFw" xreflabel="Personal Firewall">
-<title>Personal Firewall</title>
-
-<para>A Personal Firewall is designed to let you access all the services
-offered on the Internet, but keep your box secure and your data private.</para>
-
-<para>Below is a slightly modified version of Rusty Russell's recommendation
-from the 
-<ulink url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">
-Linux 2.4 Packet Filtering HOWTO</ulink>.  It is still applicable to the Linux 2.6 kernels.</para>
-
-<screen><userinput><command>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"</command>
-#!/bin/sh
+  <?dbhtml filename="firewall.html"?>
+
+  <sect1info>
+    <othername>$LastChangedBy$</othername>
+    <date>$Date$</date>
+  </sect1info>
+
+  <title>Setting Up a Network Firewall</title>
+
+  <para>Before you read this part of the chapter, you should have 
+  already installed iptables as described in the previous section.</para>
+
+  <sect2 id="fw-intro" xreflabel="Firewalling Introduction">
+    <title>Introduction to Firewall Creation</title>
+
+    <para>The general purpose of a firewall is to protect a computer or 
+    a network against malicious access.</para> 
+
+    <para>In a perfect world, every daemon or service on every machine 
+    is perfectly configured and immune to flaws such as buffer overflows 
+    or other problems regarding its security. Furthermore, you trust 
+    every user accessing your services. In this world, you do not need 
+    to have a firewall.</para>
+
+    <para>In the real world however, daemons may be misconfigured and 
+    exploits against essential services are freely available. You may 
+    wish to choose which services are accessible by certain machines or 
+    you may wish to limit which machines or applications are allowed 
+    external access. Alternatively, you may simply not trust some of 
+    your applications or users. You are probably connected to the 
+    Internet. In this world, a firewall is essential.</para>
+
+    <para>Don't assume however, that having a firewall makes careful 
+    configuration redundant, or that it makes any negligent 
+    misconfiguration harmless. It doesn't prevent anyone from exploiting 
+    a service you intentionally offer but haven't recently updated or 
+    patched after an exploit went public.  Despite having a firewall, you 
+    need to keep applications and daemons on your system properly 
+    configured and up to date.  A firewall is not a cure all, but should 
+    be an essential part of your overall security startegy.</para>
+
+  </sect2>
+
+  <sect2>
+    <title>Meaning of the Word "Firewall"</title>
+
+    <para>The word firewall can have several different meanings.</para>
+
+    <sect3>
+      <title><xref linkend="fw-persFw"/></title>
+
+      <para>This is a hardware device or software program commercially 
+      sold by companies such as Symantec which claims that it secures 
+      a home or desktop computer with Internet access. This type of 
+      firewall is highly relevant for users who do not know how their 
+      computers might be accessed via the Internet or how to disable 
+      that access, especially if they are always online and connected 
+      via broadband links.</para>
+
+    </sect3>
+
+    <sect3>
+      <title><xref linkend="fw-masqRouter"/></title>
+
+      <para>This is a system placed between the Internet and an intranet.  
+      To minimize the risk of compromising the firewall itself, it should 
+      generally have only one role&mdash;that of protecting the intranet.  
+      Although not completely risk free, the tasks of doing the routing and  
+      IP masquerading (rewriting IP headers of the packets it routes from 
+      clients with private IP addresses onto the Internet so that they seem 
+      to come from the firewall itself) are commonly considered relatively 
+      secure.</para>
+
+    </sect3>
+
+    <sect3> 
+      <title><xref linkend="fw-busybox"/></title> 
+
+      <para>This is often an old computer you may have retired and nearly 
+      forgotten, performing masquerading or routing functions, but offering 
+      non-firewall services such as a web-cache or mail.  This may be used 
+      for home networks, but is not be considered as secure as a firewall 
+      only machine because the combination of server and router/firewall on 
+      one machine raises the complexity of the setup.</para>
+
+    </sect3>
+
+    <sect3>
+      <title>Firewall with a Demilitarized Zone [Not Further 
+      Described Here]</title>
+
+      <para>This box performs masquerading or routing, but grants public 
+      access to some branch of your network which, because of public IP's 
+      and a physically separated structure, is essentially a separate 
+      network with direct Internet access. The servers on this network are 
+      those which must be easily accessible from both the Internet and 
+      intranet. The firewall protects both networks. This type of firewall 
+      has a minimum of three network interfaces.</para>
+
+    </sect3>
+
+    <sect3>
+      <title>Packetfilter</title>
+
+      <para>This type of firewall does routing or masquerading, but does 
+      not maintain a state table of ongoing communication streams. It is 
+      fast, but quite limited in its ability to block inappropriate packets 
+      without blocking desired packets.</para>
+
+    </sect3>
+
+  </sect2>
+
+  <sect2 id="fw-writing" xreflabel="writing the firewalling-setup-scripts">
+    <title>Now You Can Start to Build your Firewall</title>
+
+    <caution>
+      <para>This introduction on how to setup a firewall is not a 
+      complete guide to securing systems. Firewalling is a complex 
+      issue that requires careful configuration. The scripts quoted 
+      here are simply intended to give examples of how a firewall 
+      works. They are not intended to fit into any particular 
+      configuration and may not provide complete protection from 
+      an attack.</para>
+
+      <para>Customization of these scripts for your specific situation 
+      will be necessary for an optimal configuration, but you should 
+      make a serious study of the iptables documentation and creating 
+      firewalls in general before hacking away. Have a look at the 
+      list of <xref linkend="fw-library"/> at the end of this section for 
+      more details. There you will find a list of URLs that contain quite 
+      comprehensive information about building your own firewall.</para>
+    </caution>
+
+    <para>The firewall configuration script installed in the last section 
+    differs from the standard configuration script. It only has two of 
+    the standard targets: start and status. The other targets are clear 
+    and lock. For instance when you run:</para>
+
+<screen role="root"><userinput>/etc/rc.d/init.d/iptables start</userinput></screen>
+
+    <para>the firewall will be restarted just as it is upon system startup. 
+    The status target will present a list of all currently implemented 
+    rules. The clear target turns off all firewall rules and the lock 
+    target will block all packets in and out of the computer with the 
+    exception of the loopback interface.</para>
+
+    <para>The main startup firewall is located in the file 
+    <filename>/etc/rc.d/rc.iptables</filename>. The sections below provide 
+    three different approaches that can be used for a system.</para>
+
+    <note>
+      <para>You should always run your firewall rules from a script.  
+      This ensures consistency and a record of what was done. It also 
+      allows retention of comments that are essential for understanding 
+      the rules long after they were written.</para>
+    </note>
+
+    <sect3 id="fw-persFw" xreflabel="Personal Firewall">
+      <title>Personal Firewall</title>
+
+      <para>A Personal Firewall is designed to let you access all the 
+      services offered on the Internet, but keep your box secure and 
+      your data private.</para>
+
+      <para>Below is a slightly modified version of Rusty Russell's 
+      recommendation from the <ulink 
+      url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">
+      Linux 2.4 Packet Filtering HOWTO</ulink>. It is still applicable 
+      to the Linux 2.6 kernels.</para>
+
+<screen role="root"><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
+<literal>#!/bin/sh
 
 # Begin $rc_base/rc.iptables
@@ -227 +250 @@
 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
 
-# End $rc_base/rc.iptables
-<command>EOF</command></userinput></screen>
-
-<para>This script is quite simple, it drops all traffic coming in into your 
-computer that wasn't initiated from your box, but as long as you are simply 
-surfing the Internet you are unlikely to exceed its limits.</para> 
-
-<para>If you frequently encounter certain delays at accessing ftp-servers,
-take a look at <xref linkend="fw-BB-4"/>.</para>
-
-<para>Even if you have daemons or services running on your system, these
-will be inaccessible everywhere but from your computer itself.
-If you want to allow access to services on your machine, such as ssh or 
-ping, take a look at <xref linkend="fw-busybox"/>.</para> 
-
-</sect3>
-
-<sect3 id="fw-masqRouter" xreflabel="Masquerading Router">
-<title>Masquerading Router</title>
-
-<para>A true Firewall has two interfaces, one connected to an intranet, in this
-example <emphasis role="strong">eth0</emphasis>, and one connected to the
-Internet, here <emphasis role="strong">ppp0</emphasis>.  To provide the
-maximum security for the firewall itself, make sure that there
-are no unnecessary servers running on it such as <application>X11</application> et
-al.  As a general principle, the firewall itself should not access any
-untrusted service (Think of a remote server giving answers that makes a daemon on 
-your system
-crash, or, even worse, that implements a worm via a buffer-overflow).</para>
-
-<screen><userinput><command>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"</command>
-#!/bin/sh
+# End $rc_base/rc.iptables</literal>
+EOF</userinput></screen>
+
+      <para>This script is quite simple, it drops all traffic coming 
+      in into your computer that wasn't initiated from your box, but 
+      as long as you are simply surfing the Internet you are unlikely 
+      to exceed its limits.</para> 
+
+      <para>If you frequently encounter certain delays at accessing 
+      ftp-servers, take a look at <xref linkend="fw-BB-4"/>.</para>
+
+      <para>Even if you have daemons or services running on your system, 
+      these will be inaccessible everywhere but from your computer itself. 
+      If you want to allow access to services on your machine, such as 
+      <command>ssh</command> or <command>ping</command>, take a look at 
+      <xref linkend="fw-busybox"/>.</para> 
+
+    </sect3>
+
+    <sect3 id="fw-masqRouter" xreflabel="Masquerading Router">
+      <title>Masquerading Router</title>
+
+      <para>A true Firewall has two interfaces, one connected to an 
+      intranet, in this example <emphasis role="strong">eth0</emphasis>, 
+      and one connected to the Internet, here <emphasis 
+      role="strong">ppp0</emphasis>. To provide the maximum security 
+      for the firewall itself, make sure that there are no unnecessary 
+      servers running on it such as <application>X11</application> et
+      al. As a general principle, the firewall itself should not access 
+      any untrusted service (Think of a remote server giving answers that 
+      makes a daemon on your system crash, or, even worse, that implements 
+      a worm via a buffer-overflow).</para>
+
+<screen role="root"><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
+<literal>#!/bin/sh
 
 # Begin $rc_base/rc.iptables
@@ -349 +375 @@
 
 # Enable IP Forwarding 
-echo 1 &gt; /proc/sys/net/ipv4/ip_forward
-<command>EOF</command></userinput></screen>
-
-<para>With this script your intranet should be reasonably secure against
-external attacks. No one should be able to setup a new connection to any
-internal service and, if it's masqueraded, makes your intranet invisible to the
-Internet. Furthermore, your firewall should be relatively safe because there
-are no services running that a cracker could attack.</para>
-
-<note><para>If the interface you're connecting to the Internet doesn't connect
-via ppp, you will need to change <replaceable>ppp+</replaceable> to the name of
-the interface, e.g. <emphasis role="strong">eth1</emphasis>, which you are using.
-</para></note>
-
-</sect3>
-
-<sect3 id="fw-busybox" xreflabel="BusyBox">
-<title>BusyBox</title>
-
-<para>This scenario isn't too different from the <xref linkend="fw-masqRouter"/>, 
-but additionally offers some services to your intranet.
-Examples of this can be when you want to administer your firewall from another host 
-on your intranet or use it as a proxy or a name server.</para>
-
-<note><para>Outlining a true concept of how to protect a server that offers
-services on the Internet goes far beyond the scope of this document. See the references
-at the end of this section for more information.</para></note>
-
-<para>Be cautious.  Every service you have enabled makes your
-setup more complex and your firewall less secure. You are exposed to the risks of 
-misconfigured services or running a service with an exploitable bug.  A 
-firewall should generally not run any extra services.  See the introduction to 
-the <xref linkend="fw-masqRouter"/> for some more details.</para>
-
-<para>If you want to add services such as internal samba or name servers that do not 
-need to access the Internet themselves,  the additional statements are quite
-simple and should still be acceptable from a security standpoint.
-Just add the following lines
-into the script <emphasis>before</emphasis> the logging rules.</para>
-
-<screen>iptables -A INPUT  -i ! ppp+  -j ACCEPT
-iptables -A OUTPUT -o ! ppp+  -j ACCEPT</screen>
-
-<para>If daemons, such as squid, have to access the Internet themselves, 
-you could open OUTPUT generally and restrict INPUT.</para>
-
-<screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-iptables -A OUTPUT                                     -j ACCEPT</screen>
-
-<para>However, it is generally not advisable to leave OUTPUT unrestricted. You 
-lose any control over trojans who would like to "call home", and a bit of 
-redundancy in case you've (mis-)configured a service so that it broadcasts 
-its existence to the world.</para>
-
-<para>To accomplish this, you should restrict INPUT and OUTPUT
-on all ports except those that it's absolutely necessary to have open.
-Which ports you have to open depends on your needs: mostly you will find them 
-by looking for failed accesses in your log files.</para>
-<itemizedlist spacing="compact" role='iptables'>
-
-<title>Have a look at the following examples:</title>
-
-<listitem><para>Squid is caching the web:</para>
-<screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
+echo 1 &gt; /proc/sys/net/ipv4/ip_forward</literal>
+EOF</userinput></screen>
+
+      <para>With this script your intranet should be reasonably secure 
+      against external attacks. No one should be able to setup a new 
+      connection to any internal service and, if it's masqueraded, 
+      makes your intranet invisible to the Internet. Furthermore, your 
+      firewall should be relatively safe because there are no services 
+      running that a cracker could attack.</para>
+
+      <note>
+        <para>If the interface you're connecting to the Internet 
+        doesn't connect via ppp, you will need to change 
+        <replaceable>ppp+</replaceable> to the name of the interface, 
+        e.g. <emphasis role="strong">eth1</emphasis>, which you are 
+        using.</para>
+      </note>
+
+    </sect3>
+
+    <sect3 id="fw-busybox" xreflabel="BusyBox">
+      <title>BusyBox</title>
+
+      <para>This scenario isn't too different from the <xref 
+      linkend="fw-masqRouter"/>, but additionally offers some 
+      services to your intranet. Examples of this can be when 
+      you want to administer your firewall from another host on 
+      your intranet or use it as a proxy or a name server.</para>
+
+      <note>
+        <para>Outlining a true concept of how to protect a server that 
+        offers services on the Internet goes far beyond the scope of 
+        this document. See the references at the end of this section 
+        for more information.</para>
+      </note>
+
+      <para>Be cautious. Every service you have enabled makes your
+      setup more complex and your firewall less secure. You are 
+      exposed to the risks of misconfigured services or running 
+      a service with an exploitable bug. A firewall should generally 
+      not run any extra services.  See the introduction to the 
+      <xref linkend="fw-masqRouter"/> for some more details.</para>
+
+      <para>If you want to add services such as internal samba or 
+      name servers that do not need to access the Internet themselves,  
+      the additional statements are quite simple and should still be 
+      acceptable from a security standpoint. Just add the following lines
+      into the script <emphasis>before</emphasis> the logging rules.</para>
+
+<screen><literal>iptables -A INPUT  -i ! ppp+  -j ACCEPT
+iptables -A OUTPUT -o ! ppp+  -j ACCEPT</literal></screen>
+
+      <para>If daemons, such as squid, have to access the Internet 
+      themselves, you could open OUTPUT generally and restrict 
+      INPUT.</para>
+
+<screen><literal>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A OUTPUT -j ACCEPT</literal></screen>
+
+      <para>However, it is generally not advisable to leave OUTPUT 
+      unrestricted. You lose any control over trojans who would like 
+      to "call home", and a bit of redundancy in case you've 
+      (mis-)configured a service so that it broadcasts its existence 
+      to the world.</para>
+
+      <para>To accomplish this, you should restrict INPUT and OUTPUT
+      on all ports except those that it's absolutely necessary to have 
+      open. Which ports you have to open depends on your needs: mostly 
+      you will find them by looking for failed accesses in your log 
+      files.</para>
+
+      <itemizedlist spacing="compact" role='iptables'>
+        <title>Have a Look at the Following Examples:</title>
+        <listitem>
+          <para>Squid is caching the web:</para>
+
+<screen><literal>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
 iptables -A INPUT  -p tcp --sport 80 -m state --state ESTABLISHED \
-  -j ACCEPT</screen>
-</listitem>
-
-<listitem><para>Your caching name server (e.g., named) does its
-lookups via udp:</para>
-<screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</screen>
-</listitem>
-
-<listitem><para>You want to be able to ping your box to 
-ensure it's still alive:</para>
-
-<screen>iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT</screen>
-</listitem>
-
-<listitem><para><anchor id='fw-BB-4' xreflabel="BusyBox example number 4"/>If you are
-frequently accessing ftp servers or enjoy chatting, you might notice certain
-delays because some implementations of these daemons have the feature of
-querying an identd on your system to obtain usernames.  Although there's really
-little harm in this, having an identd running is not recommended because many
-security experts feel the service gives out too much additional information.</para>
-
-<para>To avoid these delays you could reject the requests 
-with a 'tcp-reset':</para>
-
-<screen>iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset</screen>
-</listitem>
-
-<listitem><para>To log and drop invalid packets (packets
-that came in after netfilter's timeout or some types of network scans):</para>
-
-<screen>iptables -I INPUT -p tcp -m state --state INVALID \
+  -j ACCEPT</literal></screen>
+  
+        </listitem>
+        <listitem>
+          <para>Your caching name server (e.g., named) does its
+          lookups via udp:</para>
+
+<screen><literal>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</literal></screen>
+
+        </listitem>
+        <listitem>
+          <para>You want to be able to ping your box to 
+          ensure it's still alive:</para>
+
+<screen><literal>iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT
+iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT</literal></screen>
+
+        </listitem>
+        <listitem>
+          <para><anchor id='fw-BB-4' xreflabel="BusyBox example number 4"/>If 
+          you are frequently accessing ftp servers or enjoy chatting, you might 
+          notice certain delays because some implementations of these daemons 
+          have the feature of querying an identd on your system to obtain 
+          usernames. Although there's really little harm in this, having an 
+          identd running is not recommended because many security experts feel 
+          the service gives out too much additional information.</para>
+
+          <para>To avoid these delays you could reject the requests 
+          with a 'tcp-reset':</para>
+
+<screen><literal>iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset</literal></screen>
+
+        </listitem>
+        <listitem>
+          <para>To log and drop invalid packets (packets
+          that came in after netfilter's timeout or some types of 
+          network scans):</para>
+
+<screen><literal>iptables -I INPUT -p tcp -m state --state INVALID \
   -j LOG --log-prefix "FIREWALL:INVALID"
-iptables -I INPUT -p tcp -m state --state INVALID -j DROP</screen></listitem>
-
-<listitem><para>Anything coming from the outside should not have a
-private address, this is a common attack called IP-spoofing:
-
-<screen>iptables -A INPUT -i ppp+ -s 10.0.0.0/8     -j DROP
+iptables -I INPUT -p tcp -m state --state INVALID -j DROP</literal></screen>
+
+        </listitem>
+        <listitem>
+          <para>Anything coming from the outside should not have a
+          private address, this is a common attack called IP-spoofing:</para>
+
+<screen><literal>iptables -A INPUT -i ppp+ -s 10.0.0.0/8     -j DROP
 iptables -A INPUT -i ppp+ -s 172.16.0.0/12  -j DROP
-iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP</screen>
-
-There are other addresses that you may also want to drop: 0.0.0.0/8,
-127.0.0.0/8, 224.0.0.0/3 (multicast and experimental), 169.254.0.0/16 (Link 
-Local Networks), and  192.0.2.0/24 (IANA defined test network).</para>
-</listitem>
-
-<listitem><para>If your firewall is a DHCP client, you need to allow 
-those packets:</para>
-
-<screen>iptables -A INPUT  -i ppp0 -p udp -s 0.0.0.0 --sport 67 \
-   -d 255.255.255.255 --dport 68 -j ACCEPT</screen>
-</listitem>
-
-<listitem><para>To simplify debugging and be fair to anyone who'd like to 
-access a service you have disabled, purposely or by mistake, you could REJECT 
-those packets that are dropped.</para>
-
-<para>Obviously this must be done directly after logging as the very
-last lines before the packets are dropped by policy:</para>
-
-<screen>iptables -A INPUT -j REJECT</screen>
-</listitem>
-</itemizedlist>
-
-<para>These are only examples to show you some of the capabilities of the
-firewall code in Linux. Have a look at the man page of iptables.
-There you will find much more information. The port numbers needed for this can be
-found in <filename>/etc/services</filename>, in case you didn't find them by
-trial and error in your log file.</para>
-
-</sect3>
-</sect2>
-
-<sect2 id="fw-finale" xreflabel="Conclusion">
-<title>Conclusion</title>
-
-<para>Finally, there is one fact you must not forget: The effort spent
-attacking a system corresponds to the value the cracker expects to gain from
-it.  If you are responsible for valuable information, you need to spend the
-time to protect it properly.</para>
-
-</sect2>
-
-<sect2 id="postlfs-security-fw-extra" xreflabel="Extra Information">
-<title>Extra Information</title>
-
-<sect3 id="fw-library" xreflabel="Links for further reading">
-<title>Where to start with further reading on firewalls.</title>
-
-<para><blockquote><literallayout>
+iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP</literal></screen>
+
+          <para>There are other addresses that you may also want to 
+          drop: 0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3 (multicast and 
+          experimental), 169.254.0.0/16 (Link Local Networks), and  
+          192.0.2.0/24 (IANA defined test network).</para>
+        </listitem>
+        <listitem>
+          <para>If your firewall is a DHCP client, you need to allow 
+          those packets:</para>
+
+<screen><literal>iptables -A INPUT  -i ppp0 -p udp -s 0.0.0.0 --sport 67 \
+   -d 255.255.255.255 --dport 68 -j ACCEPT</literal></screen>
+
+        </listitem>
+        <listitem>
+          <para>To simplify debugging and be fair to anyone who'd like 
+          to access a service you have disabled, purposely or by mistake, 
+          you could REJECT those packets that are dropped.</para>
+
+          <para>Obviously this must be done directly after logging as the very
+          last lines before the packets are dropped by policy:</para>
+
+<screen><literal>iptables -A INPUT -j REJECT</literal></screen>
+
+        </listitem>
+      </itemizedlist>
+
+      <para>These are only examples to show you some of the capabilities 
+      of the firewall code in Linux. Have a look at the man page of iptables.
+      There you will find much more information. The port numbers needed for 
+      this can be found in <filename>/etc/services</filename>, in case you 
+      didn't find them by trial and error in your log file.</para>
+
+    </sect3>
+
+  </sect2>
+
+  <sect2 id="fw-finale" xreflabel="Conclusion">
+    <title>Conclusion</title>
+
+    <para>Finally, there is one fact you must not forget: The effort spent
+    attacking a system corresponds to the value the cracker expects to gain 
+    from it. If you are responsible for valuable information, you need to 
+    spend the time to protect it properly.</para>
+
+  </sect2>
+
+  <sect2 id="postlfs-security-fw-extra" xreflabel="Extra Information">
+    <title>Extra Information</title>
+
+    <sect3 id="fw-library" xreflabel="Links for further reading">
+      <title>Where to Start with Further Reading on Firewalls.</title>
+
+      <blockquote>
+        <literallayout>
 <ulink url="http://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables project</ulink>
 <ulink url="http://www.netfilter.org/documentation/FAQ/netfilter-faq.html">Netfilter related FAQ</ulink>
@@ -528 +581 @@
 <ulink url="http://www.insecure.org/reading.html">www.insecure.org/reading.html</ulink>
 <ulink url="http://www.robertgraham.com/pubs/firewall-seen.html">www.robertgraham.com/pubs/firewall-seen.html</ulink>
-</literallayout></blockquote></para>
-</sect3>
-
-</sect2>
+        </literallayout>
+      </blockquote>
+
+    </sect3>
+
+  </sect2>
+
 </sect1>