Changeset 8920dfa
- Timestamp: 05/13/2005 09:53:44 PM (19 years ago)
- Branches: 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children: 07d11f5
- Parents: 1cc0752
- File: 1 edited
postlfs/security/firewalling.xml
r1cc0752 r8920dfa 7 7 8 8 <sect1 id="fw-firewall" xreflabel="Firewalling"> 9 <sect1info> 10 <othername>$LastChangedBy$</othername> 11 <date>$Date$</date> 12 </sect1info> 13 <?dbhtml filename="firewall.html"?> 14 <title>Setting up a network firewall</title> 15 16 <para>Before you read this part of the chapter, you should 17 have already installed iptables as described in the previous section.</para> 18 19 <sect2 id="fw-intro" xreflabel="Firewalling Introduction"> 20 <title>Introduction to Firewall Creation</title> 21 22 <para>The general purpose of a firewall is to protect a computer or a network 23 against malicious access.</para> 24 25 <para>In a perfect world, every daemon or service 26 on every machine is perfectly configured and immune to flaws such as 27 buffer overflows or other problems regarding its 28 security. Furthermore, you trust every user accessing your services. 29 In this world, you do not need to have a firewall.</para> 30 31 <para>In the real world however, daemons may be misconfigured 32 and exploits against essential services are freely available. You 33 may wish to choose which services are accessible by certain machines or 34 you may wish to limit which machines or applications are allowed external 35 access. Alternatively, you may simply not trust some of your 36 applications or users. You are probably connected to the Internet. In this 37 world, a firewall is essential.</para> 38 39 <para>Don't assume however, that having a firewall makes careful configuration 40 redundant, or that it makes any negligent misconfiguration harmless. It doesn't 41 prevent anyone from exploiting a service you intentionally offer but haven't 42 recently updated or patched after an exploit went public. Despite having a 43 firewall, you need to keep applications and daemons on your system properly 44 configured and up to date. 
A firewall is not a cure all, but should be an 45 essential part of your overall security startegy.</para> 46 47 </sect2> 48 49 <sect2> 50 <title>Meaning of the word "firewall"</title> 51 52 <para>The word firewall can have several different meanings.</para> 53 54 <sect3><title><xref linkend="fw-persFw"/></title> 55 56 <para>This is a hardware device or software program commercially sold by 57 companies such as Symantec which claims that it 58 secures a home or desktop computer with Internet access. This type of firewall is 59 highly relevant for users who do not know how their computers 60 might be accessed via the Internet or how to disable that access, 61 especially if they are always online and connected via 62 broadband links.</para></sect3> 63 64 <sect3> 65 <title><xref linkend="fw-masqRouter"/></title> 66 67 <para>This is a system placed between the Internet and an intranet. To minimize 68 the risk of compromising the firewall itself, it should generally have only one 69 role—that of protecting the intranet. Although not completely risk free, 70 the tasks of doing the routing and IP masquerading (rewriting IP headers of 71 the packets it routes from clients with private IP addresses onto the Internet 72 so that they seem to come from the firewall itself) are commonly considered 73 relatively secure.</para> 74 </sect3> 75 76 <sect3> 77 <title><xref linkend="fw-busybox"/></title> 78 79 <para>This is often an old computer you may have retired and nearly forgotten, 80 performing masquerading or routing functions, but offering non-firewall 81 services such as a web-cache or mail. 
This may be used for home 82 networks, but is not be considered as secure as a firewall only 83 machine because the combination of server and router/firewall on one machine 84 raises the complexity of the setup.</para> 85 </sect3> 86 87 <sect3> 88 <title>Firewall with a demilitarized zone [not further described here]</title> 89 <para>This box performs masquerading or routing, but grants public access to 90 some branch of your network which, because of public IP's and a physically 91 separated structure, is essentially a separate network with direct Internet access. 92 The servers on this network are those which must be easily accessible 93 from both the Internet and intranet. The firewall protects 94 both networks. This type of firewall has a minimum of three network interfaces.</para> 95 </sect3> 96 97 <sect3> 98 <title>Packetfilter</title> 99 <para>This type of firewall does routing or masquerading, but does not maintain 100 a state table of ongoing communication streams. It is fast, but quite limited 101 in its ability to block inappropriate packets without blocking desired 102 packets.</para> 103 </sect3> 104 </sect2> 105 106 <sect2 id="fw-writing" xreflabel="writing the firewalling-setup-scripts"> 107 <title>Now you can start to build your Firewall</title> 108 109 <caution><para>This introduction on how to setup a firewall 110 is not a complete guide to securing systems. Firewalling is a complex issue 111 that requires careful configuration. The scripts quoted here are simply 112 intended to give examples of how a firewall works. They are not intended to 113 fit into any particular configuration and may not provide complete protection 114 from an attack.</para> 115 116 <para>Customization of these scripts for your specific situation will 117 be necessary for an optimal configuration, but you should make a serious 118 study of the iptables documentation and creating firewalls in general before 119 hacking away. 
Have a look at the list of 120 <xref linkend="fw-library"/> at the end of this section for 121 more details. There you will find a list of URLs that contain quite 122 comprehensive information about building your own firewall.</para> 123 </caution> 124 125 <para>The firewall configuration script installed in the last section differs 126 from the standard configuration script. It only has two of the standard 127 targets: start and status. The other targets are clear and lock. For instance when you 128 run: 129 130 <screen><userinput><command>/etc/rc.d/init.d/iptables start</command></userinput></screen> 131 132 the firewall will be restarted just as it is upon system startup. The status target 133 will present a list of all currently implemented rules. The clear target turns off all 134 firewall rules and the lock target will block all packets in and out of the computer 135 with the exception of the loopback interface.</para> 136 137 <para>The main startup firewall is located in the file 138 <filename>/etc/rc.d/rc.iptables</filename>. The sections below provide three different 139 approaches that can be used for a system.</para> 140 141 <note><para>You should always run your firewall rules from a script. This ensures 142 consistency and a record of what was done. It also allows retention of comments 143 that are essential for understanding the rules long after they were written. 144 </para></note> 145 146 <sect3 id="fw-persFw" xreflabel="Personal Firewall"> 147 <title>Personal Firewall</title> 148 149 <para>A Personal Firewall is designed to let you access all the services 150 offered on the Internet, but keep your box secure and your data private.</para> 151 152 <para>Below is a slightly modified version of Rusty Russell's recommendation 153 from the 154 <ulink url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html"> 155 Linux 2.4 Packet Filtering HOWTO</ulink>. 
It is still applicable to the Linux 2.6 kernels.</para> 156 157 <screen><userinput><command>cat > /etc/rc.d/rc.iptables << "EOF"</command> 158 #!/bin/sh 9 <?dbhtml filename="firewall.html"?> 10 11 <sect1info> 12 <othername>$LastChangedBy$</othername> 13 <date>$Date$</date> 14 </sect1info> 15 16 <title>Setting Up a Network Firewall</title> 17 18 <para>Before you read this part of the chapter, you should have 19 already installed iptables as described in the previous section.</para> 20 21 <sect2 id="fw-intro" xreflabel="Firewalling Introduction"> 22 <title>Introduction to Firewall Creation</title> 23 24 <para>The general purpose of a firewall is to protect a computer or 25 a network against malicious access.</para> 26 27 <para>In a perfect world, every daemon or service on every machine 28 is perfectly configured and immune to flaws such as buffer overflows 29 or other problems regarding its security. Furthermore, you trust 30 every user accessing your services. In this world, you do not need 31 to have a firewall.</para> 32 33 <para>In the real world however, daemons may be misconfigured and 34 exploits against essential services are freely available. You may 35 wish to choose which services are accessible by certain machines or 36 you may wish to limit which machines or applications are allowed 37 external access. Alternatively, you may simply not trust some of 38 your applications or users. You are probably connected to the 39 Internet. In this world, a firewall is essential.</para> 40 41 <para>Don't assume however, that having a firewall makes careful 42 configuration redundant, or that it makes any negligent 43 misconfiguration harmless. It doesn't prevent anyone from exploiting 44 a service you intentionally offer but haven't recently updated or 45 patched after an exploit went public. Despite having a firewall, you 46 need to keep applications and daemons on your system properly 47 configured and up to date. 
A firewall is not a cure all, but should 48 be an essential part of your overall security startegy.</para> 49 50 </sect2> 51 52 <sect2> 53 <title>Meaning of the Word "Firewall"</title> 54 55 <para>The word firewall can have several different meanings.</para> 56 57 <sect3> 58 <title><xref linkend="fw-persFw"/></title> 59 60 <para>This is a hardware device or software program commercially 61 sold by companies such as Symantec which claims that it secures 62 a home or desktop computer with Internet access. This type of 63 firewall is highly relevant for users who do not know how their 64 computers might be accessed via the Internet or how to disable 65 that access, especially if they are always online and connected 66 via broadband links.</para> 67 68 </sect3> 69 70 <sect3> 71 <title><xref linkend="fw-masqRouter"/></title> 72 73 <para>This is a system placed between the Internet and an intranet. 74 To minimize the risk of compromising the firewall itself, it should 75 generally have only one role—that of protecting the intranet. 76 Although not completely risk free, the tasks of doing the routing and 77 IP masquerading (rewriting IP headers of the packets it routes from 78 clients with private IP addresses onto the Internet so that they seem 79 to come from the firewall itself) are commonly considered relatively 80 secure.</para> 81 82 </sect3> 83 84 <sect3> 85 <title><xref linkend="fw-busybox"/></title> 86 87 <para>This is often an old computer you may have retired and nearly 88 forgotten, performing masquerading or routing functions, but offering 89 non-firewall services such as a web-cache or mail. 
This may be used 90 for home networks, but is not be considered as secure as a firewall 91 only machine because the combination of server and router/firewall on 92 one machine raises the complexity of the setup.</para> 93 94 </sect3> 95 96 <sect3> 97 <title>Firewall with a Demilitarized Zone [Not Further 98 Described Here]</title> 99 100 <para>This box performs masquerading or routing, but grants public 101 access to some branch of your network which, because of public IP's 102 and a physically separated structure, is essentially a separate 103 network with direct Internet access. The servers on this network are 104 those which must be easily accessible from both the Internet and 105 intranet. The firewall protects both networks. This type of firewall 106 has a minimum of three network interfaces.</para> 107 108 </sect3> 109 110 <sect3> 111 <title>Packetfilter</title> 112 113 <para>This type of firewall does routing or masquerading, but does 114 not maintain a state table of ongoing communication streams. It is 115 fast, but quite limited in its ability to block inappropriate packets 116 without blocking desired packets.</para> 117 118 </sect3> 119 120 </sect2> 121 122 <sect2 id="fw-writing" xreflabel="writing the firewalling-setup-scripts"> 123 <title>Now You Can Start to Build your Firewall</title> 124 125 <caution> 126 <para>This introduction on how to setup a firewall is not a 127 complete guide to securing systems. Firewalling is a complex 128 issue that requires careful configuration. The scripts quoted 129 here are simply intended to give examples of how a firewall 130 works. They are not intended to fit into any particular 131 configuration and may not provide complete protection from 132 an attack.</para> 133 134 <para>Customization of these scripts for your specific situation 135 will be necessary for an optimal configuration, but you should 136 make a serious study of the iptables documentation and creating 137 firewalls in general before hacking away. 
Have a look at the 138 list of <xref linkend="fw-library"/> at the end of this section for 139 more details. There you will find a list of URLs that contain quite 140 comprehensive information about building your own firewall.</para> 141 </caution> 142 143 <para>The firewall configuration script installed in the last section 144 differs from the standard configuration script. It only has two of 145 the standard targets: start and status. The other targets are clear 146 and lock. For instance when you run:</para> 147 148 <screen role="root"><userinput>/etc/rc.d/init.d/iptables start</userinput></screen> 149 150 <para>the firewall will be restarted just as it is upon system startup. 151 The status target will present a list of all currently implemented 152 rules. The clear target turns off all firewall rules and the lock 153 target will block all packets in and out of the computer with the 154 exception of the loopback interface.</para> 155 156 <para>The main startup firewall is located in the file 157 <filename>/etc/rc.d/rc.iptables</filename>. The sections below provide 158 three different approaches that can be used for a system.</para> 159 160 <note> 161 <para>You should always run your firewall rules from a script. 162 This ensures consistency and a record of what was done. It also 163 allows retention of comments that are essential for understanding 164 the rules long after they were written.</para> 165 </note> 166 167 <sect3 id="fw-persFw" xreflabel="Personal Firewall"> 168 <title>Personal Firewall</title> 169 170 <para>A Personal Firewall is designed to let you access all the 171 services offered on the Internet, but keep your box secure and 172 your data private.</para> 173 174 <para>Below is a slightly modified version of Rusty Russell's 175 recommendation from the <ulink 176 url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html"> 177 Linux 2.4 Packet Filtering HOWTO</ulink>. 
It is still applicable 178 to the Linux 2.6 kernels.</para> 179 180 <screen role="root"><userinput>cat > /etc/rc.d/rc.iptables << "EOF" 181 <literal>#!/bin/sh 159 182 160 183 # Begin $rc_base/rc.iptables … … 227 250 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " 228 251 229 # End $rc_base/rc.iptables 230 <command>EOF</command></userinput></screen> 231 232 <para>This script is quite simple, it drops all traffic coming in into your 233 computer that wasn't initiated from your box, but as long as you are simply 234 surfing the Internet you are unlikely to exceed its limits.</para> 235 236 <para>If you frequently encounter certain delays at accessing ftp-servers, 237 take a look at <xref linkend="fw-BB-4"/>.</para> 238 239 <para>Even if you have daemons or services running on your system, these 240 will be inaccessible everywhere but from your computer itself. 241 If you want to allow access to services on your machine, such as ssh or 242 ping, take a look at <xref linkend="fw-busybox"/>.</para> 243 244 </sect3> 245 246 <sect3 id="fw-masqRouter" xreflabel="Masquerading Router"> 247 <title>Masquerading Router</title> 248 249 <para>A true Firewall has two interfaces, one connected to an intranet, in this 250 example <emphasis role="strong">eth0</emphasis>, and one connected to the 251 Internet, here <emphasis role="strong">ppp0</emphasis>. To provide the 252 maximum security for the firewall itself, make sure that there 253 are no unnecessary servers running on it such as <application>X11</application> et 254 al. 
As a general principle, the firewall itself should not access any 255 untrusted service (Think of a remote server giving answers that makes a daemon on 256 your system 257 crash, or, even worse, that implements a worm via a buffer-overflow).</para> 258 259 <screen><userinput><command>cat > /etc/rc.d/rc.iptables << "EOF"</command> 260 #!/bin/sh 252 # End $rc_base/rc.iptables</literal> 253 EOF</userinput></screen> 254 255 <para>This script is quite simple, it drops all traffic coming 256 in into your computer that wasn't initiated from your box, but 257 as long as you are simply surfing the Internet you are unlikely 258 to exceed its limits.</para> 259 260 <para>If you frequently encounter certain delays at accessing 261 ftp-servers, take a look at <xref linkend="fw-BB-4"/>.</para> 262 263 <para>Even if you have daemons or services running on your system, 264 these will be inaccessible everywhere but from your computer itself. 265 If you want to allow access to services on your machine, such as 266 <command>ssh</command> or <command>ping</command>, take a look at 267 <xref linkend="fw-busybox"/>.</para> 268 269 </sect3> 270 271 <sect3 id="fw-masqRouter" xreflabel="Masquerading Router"> 272 <title>Masquerading Router</title> 273 274 <para>A true Firewall has two interfaces, one connected to an 275 intranet, in this example <emphasis role="strong">eth0</emphasis>, 276 and one connected to the Internet, here <emphasis 277 role="strong">ppp0</emphasis>. To provide the maximum security 278 for the firewall itself, make sure that there are no unnecessary 279 servers running on it such as <application>X11</application> et 280 al. 
As a general principle, the firewall itself should not access 281 any untrusted service (Think of a remote server giving answers that 282 makes a daemon on your system crash, or, even worse, that implements 283 a worm via a buffer-overflow).</para> 284 285 <screen role="root"><userinput>cat > /etc/rc.d/rc.iptables << "EOF" 286 <literal>#!/bin/sh 261 287 262 288 # Begin $rc_base/rc.iptables … … 349 375 350 376 # Enable IP Forwarding 351 echo 1 > /proc/sys/net/ipv4/ip_forward 352 <command>EOF</command></userinput></screen> 353 354 <para>With this script your intranet should be reasonably secure against 355 external attacks. No one should be able to setup a new connection to any 356 internal service and, if it's masqueraded, makes your intranet invisible to the 357 Internet. Furthermore, your firewall should be relatively safe because there 358 are no services running that a cracker could attack.</para> 359 360 <note><para>If the interface you're connecting to the Internet doesn't connect 361 via ppp, you will need to change <replaceable>ppp+</replaceable> to the name of 362 the interface, e.g. <emphasis role="strong">eth1</emphasis>, which you are using. 363 </para></note> 364 365 </sect3> 366 367 <sect3 id="fw-busybox" xreflabel="BusyBox"> 368 <title>BusyBox</title> 369 370 <para>This scenario isn't too different from the <xref linkend="fw-masqRouter"/>, 371 but additionally offers some services to your intranet. 372 Examples of this can be when you want to administer your firewall from another host 373 on your intranet or use it as a proxy or a name server.</para> 374 375 <note><para>Outlining a true concept of how to protect a server that offers 376 services on the Internet goes far beyond the scope of this document. See the references 377 at the end of this section for more information.</para></note> 378 379 <para>Be cautious. Every service you have enabled makes your 380 setup more complex and your firewall less secure. 
You are exposed to the risks of 381 misconfigured services or running a service with an exploitable bug. A 382 firewall should generally not run any extra services. See the introduction to 383 the <xref linkend="fw-masqRouter"/> for some more details.</para> 384 385 <para>If you want to add services such as internal samba or name servers that do not 386 need to access the Internet themselves, the additional statements are quite 387 simple and should still be acceptable from a security standpoint. 388 Just add the following lines 389 into the script <emphasis>before</emphasis> the logging rules.</para> 390 391 <screen>iptables -A INPUT -i ! ppp+ -j ACCEPT 392 iptables -A OUTPUT -o ! ppp+ -j ACCEPT</screen> 393 394 <para>If daemons, such as squid, have to access the Internet themselves, 395 you could open OUTPUT generally and restrict INPUT.</para> 396 397 <screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 398 iptables -A OUTPUT -j ACCEPT</screen> 399 400 <para>However, it is generally not advisable to leave OUTPUT unrestricted. You 401 lose any control over trojans who would like to "call home", and a bit of 402 redundancy in case you've (mis-)configured a service so that it broadcasts 403 its existence to the world.</para> 404 405 <para>To accomplish this, you should restrict INPUT and OUTPUT 406 on all ports except those that it's absolutely necessary to have open. 407 Which ports you have to open depends on your needs: mostly you will find them 408 by looking for failed accesses in your log files.</para> 409 <itemizedlist spacing="compact" role='iptables'> 410 411 <title>Have a look at the following examples:</title> 412 413 <listitem><para>Squid is caching the web:</para> 414 <screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT 377 echo 1 > /proc/sys/net/ipv4/ip_forward</literal> 378 EOF</userinput></screen> 379 380 <para>With this script your intranet should be reasonably secure 381 against external attacks. 
No one should be able to setup a new 382 connection to any internal service and, if it's masqueraded, 383 makes your intranet invisible to the Internet. Furthermore, your 384 firewall should be relatively safe because there are no services 385 running that a cracker could attack.</para> 386 387 <note> 388 <para>If the interface you're connecting to the Internet 389 doesn't connect via ppp, you will need to change 390 <replaceable>ppp+</replaceable> to the name of the interface, 391 e.g. <emphasis role="strong">eth1</emphasis>, which you are 392 using.</para> 393 </note> 394 395 </sect3> 396 397 <sect3 id="fw-busybox" xreflabel="BusyBox"> 398 <title>BusyBox</title> 399 400 <para>This scenario isn't too different from the <xref 401 linkend="fw-masqRouter"/>, but additionally offers some 402 services to your intranet. Examples of this can be when 403 you want to administer your firewall from another host on 404 your intranet or use it as a proxy or a name server.</para> 405 406 <note> 407 <para>Outlining a true concept of how to protect a server that 408 offers services on the Internet goes far beyond the scope of 409 this document. See the references at the end of this section 410 for more information.</para> 411 </note> 412 413 <para>Be cautious. Every service you have enabled makes your 414 setup more complex and your firewall less secure. You are 415 exposed to the risks of misconfigured services or running 416 a service with an exploitable bug. A firewall should generally 417 not run any extra services. See the introduction to the 418 <xref linkend="fw-masqRouter"/> for some more details.</para> 419 420 <para>If you want to add services such as internal samba or 421 name servers that do not need to access the Internet themselves, 422 the additional statements are quite simple and should still be 423 acceptable from a security standpoint. 
Just add the following lines 424 into the script <emphasis>before</emphasis> the logging rules.</para> 425 426 <screen><literal>iptables -A INPUT -i ! ppp+ -j ACCEPT 427 iptables -A OUTPUT -o ! ppp+ -j ACCEPT</literal></screen> 428 429 <para>If daemons, such as squid, have to access the Internet 430 themselves, you could open OUTPUT generally and restrict 431 INPUT.</para> 432 433 <screen><literal>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 434 iptables -A OUTPUT -j ACCEPT</literal></screen> 435 436 <para>However, it is generally not advisable to leave OUTPUT 437 unrestricted. You lose any control over trojans who would like 438 to "call home", and a bit of redundancy in case you've 439 (mis-)configured a service so that it broadcasts its existence 440 to the world.</para> 441 442 <para>To accomplish this, you should restrict INPUT and OUTPUT 443 on all ports except those that it's absolutely necessary to have 444 open. Which ports you have to open depends on your needs: mostly 445 you will find them by looking for failed accesses in your log 446 files.</para> 447 448 <itemizedlist spacing="compact" role='iptables'> 449 <title>Have a Look at the Following Examples:</title> 450 <listitem> 451 <para>Squid is caching the web:</para> 452 453 <screen><literal>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT 415 454 iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED \ 416 -j ACCEPT</screen> 417 </listitem> 418 419 <listitem><para>Your caching name server (e.g., named) does its 420 lookups via udp:</para> 421 <screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</screen> 422 </listitem> 423 424 <listitem><para>You want to be able to ping your box to 425 ensure it's still alive:</para> 426 427 <screen>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT 428 iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</screen> 429 </listitem> 430 431 <listitem><para><anchor id='fw-BB-4' xreflabel="BusyBox example 
number 4"/>If you are 432 frequently accessing ftp servers or enjoy chatting, you might notice certain 433 delays because some implementations of these daemons have the feature of 434 querying an identd on your system to obtain usernames. Although there's really 435 little harm in this, having an identd running is not recommended because many 436 security experts feel the service gives out too much additional information.</para> 437 438 <para>To avoid these delays you could reject the requests 439 with a 'tcp-reset':</para> 440 441 <screen>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset</screen> 442 </listitem> 443 444 <listitem><para>To log and drop invalid packets (packets 445 that came in after netfilter's timeout or some types of network scans):</para> 446 447 <screen>iptables -I INPUT -p tcp -m state --state INVALID \ 455 -j ACCEPT</literal></screen> 456 457 </listitem> 458 <listitem> 459 <para>Your caching name server (e.g., named) does its 460 lookups via udp:</para> 461 462 <screen><literal>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</literal></screen> 463 464 </listitem> 465 <listitem> 466 <para>You want to be able to ping your box to 467 ensure it's still alive:</para> 468 469 <screen><literal>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT 470 iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</literal></screen> 471 472 </listitem> 473 <listitem> 474 <para><anchor id='fw-BB-4' xreflabel="BusyBox example number 4"/>If 475 you are frequently accessing ftp servers or enjoy chatting, you might 476 notice certain delays because some implementations of these daemons 477 have the feature of querying an identd on your system to obtain 478 usernames. 
Although there's really little harm in this, having an 479 identd running is not recommended because many security experts feel 480 the service gives out too much additional information.</para> 481 482 <para>To avoid these delays you could reject the requests 483 with a 'tcp-reset':</para> 484 485 <screen><literal>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset</literal></screen> 486 487 </listitem> 488 <listitem> 489 <para>To log and drop invalid packets (packets 490 that came in after netfilter's timeout or some types of 491 network scans):</para> 492 493 <screen><literal>iptables -I INPUT -p tcp -m state --state INVALID \ 448 494 -j LOG --log-prefix "FIREWALL:INVALID" 449 iptables -I INPUT -p tcp -m state --state INVALID -j DROP</screen></listitem> 450 451 <listitem><para>Anything coming from the outside should not have a 452 private address, this is a common attack called IP-spoofing: 453 454 <screen>iptables -A INPUT -i ppp+ -s 10.0.0.0/8 -j DROP 495 iptables -I INPUT -p tcp -m state --state INVALID -j DROP</literal></screen> 496 497 </listitem> 498 <listitem> 499 <para>Anything coming from the outside should not have a 500 private address, this is a common attack called IP-spoofing:</para> 501 502 <screen><literal>iptables -A INPUT -i ppp+ -s 10.0.0.0/8 -j DROP 455 503 iptables -A INPUT -i ppp+ -s 172.16.0.0/12 -j DROP 456 iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP</screen> 457 458 There are other addresses that you may also want to drop: 0.0.0.0/8, 459 127.0.0.0/8, 224.0.0.0/3 (multicast and experimental), 169.254.0.0/16 (Link 460 Local Networks), and 192.0.2.0/24 (IANA defined test network).</para> 461 </listitem> 462 463 <listitem><para>If your firewall is a DHCP client, you need to allow 464 those packets:</para> 465 466 <screen>iptables -A INPUT -i ppp0 -p udp -s 0.0.0.0 --sport 67 \ 467 -d 255.255.255.255 --dport 68 -j ACCEPT</screen> 468 </listitem> 469 470 <listitem><para>To simplify debugging and be fair to anyone 
who'd like to 471 access a service you have disabled, purposely or by mistake, you could REJECT 472 those packets that are dropped.</para> 473 474 <para>Obviously this must be done directly after logging as the very 475 last lines before the packets are dropped by policy:</para> 476 477 <screen>iptables -A INPUT -j REJECT</screen> 478 </listitem> 479 </itemizedlist> 480 481 <para>These are only examples to show you some of the capabilities of the 482 firewall code in Linux. Have a look at the man page of iptables. 483 There you will find much more information. The port numbers needed for this can be 484 found in <filename>/etc/services</filename>, in case you didn't find them by 485 trial and error in your log file.</para> 486 487 </sect3> 488 </sect2> 489 490 <sect2 id="fw-finale" xreflabel="Conclusion"> 491 <title>Conclusion</title> 492 493 <para>Finally, there is one fact you must not forget: The effort spent 494 attacking a system corresponds to the value the cracker expects to gain from 495 it. 
If you are responsible for valuable information, you need to spend the 496 time to protect it properly.</para> 497 498 </sect2> 499 500 <sect2 id="postlfs-security-fw-extra" xreflabel="Extra Information"> 501 <title>Extra Information</title> 502 503 <sect3 id="fw-library" xreflabel="Links for further reading"> 504 <title>Where to start with further reading on firewalls.</title> 505 506 <para><blockquote><literallayout> 504 iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP</literal></screen> 505 506 <para>There are other addresses that you may also want to 507 drop: 0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3 (multicast and 508 experimental), 169.254.0.0/16 (Link Local Networks), and 509 192.0.2.0/24 (IANA defined test network).</para> 510 </listitem> 511 <listitem> 512 <para>If your firewall is a DHCP client, you need to allow 513 those packets:</para> 514 515 <screen><literal>iptables -A INPUT -i ppp0 -p udp -s 0.0.0.0 --sport 67 \ 516 -d 255.255.255.255 --dport 68 -j ACCEPT</literal></screen> 517 518 </listitem> 519 <listitem> 520 <para>To simplify debugging and be fair to anyone who'd like 521 to access a service you have disabled, purposely or by mistake, 522 you could REJECT those packets that are dropped.</para> 523 524 <para>Obviously this must be done directly after logging as the very 525 last lines before the packets are dropped by policy:</para> 526 527 <screen><literal>iptables -A INPUT -j REJECT</literal></screen> 528 529 </listitem> 530 </itemizedlist> 531 532 <para>These are only examples to show you some of the capabilities 533 of the firewall code in Linux. Have a look at the man page of iptables. 534 There you will find much more information. 
The port numbers needed for 535 this can be found in <filename>/etc/services</filename>, in case you 536 didn't find them by trial and error in your log file.</para> 537 538 </sect3> 539 540 </sect2> 541 542 <sect2 id="fw-finale" xreflabel="Conclusion"> 543 <title>Conclusion</title> 544 545 <para>Finally, there is one fact you must not forget: The effort spent 546 attacking a system corresponds to the value the cracker expects to gain 547 from it. If you are responsible for valuable information, you need to 548 spend the time to protect it properly.</para> 549 550 </sect2> 551 552 <sect2 id="postlfs-security-fw-extra" xreflabel="Extra Information"> 553 <title>Extra Information</title> 554 555 <sect3 id="fw-library" xreflabel="Links for further reading"> 556 <title>Where to Start with Further Reading on Firewalls.</title> 557 558 <blockquote> 559 <literallayout> 507 560 <ulink url="http://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables project</ulink> 508 561 <ulink url="http://www.netfilter.org/documentation/FAQ/netfilter-faq.html">Netfilter related FAQ</ulink> … … 528 581 <ulink url="http://www.insecure.org/reading.html">www.insecure.org/reading.html</ulink> 529 582 <ulink url="http://www.robertgraham.com/pubs/firewall-seen.html">www.robertgraham.com/pubs/firewall-seen.html</ulink> 530 </literallayout></blockquote></para> 531 </sect3> 532 533 </sect2> 583 </literallayout> 584 </blockquote> 585 586 </sect3> 587 588 </sect2> 589 534 590 </sect1> 535 591