Changeset a4acd463 for postlfs/security


Timestamp:
10/14/2003 04:25:20 PM (21 years ago)
Author:
Larry Lawrence <larry@…>
Branches:
10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.0, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, v5_0, v5_1, v5_1-pre1, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
Children:
9dc71fc
Parents:
27d830e
Message:

whitespace patches, bootdisk patch

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@1384 af4574ff-66df-0310-9fd7-8a98e5e911e0

File:
1 edited

  • postlfs/security/firewalling/busybox.xml

    r27d830e ra4acd463  
    2020simple and should still be acceptable from a security standpoint.
    2121Just add the following lines <emphasis>before</emphasis> the logging-rules
    22 into the script.
     22into the script.</para>
    2323
    2424<screen>iptables -A INPUT  -i ! ppp+  -j ACCEPT
    25 iptables -A OUTPUT -o ! ppp+  -j ACCEPT</screen></para>
     25iptables -A OUTPUT -o ! ppp+  -j ACCEPT</screen>
    2626
    2727<para>If your daemons have to access the web themselves, like squid would need
    28 to, you could open OUTPUT generally and restrict INPUT.
     28to, you could open OUTPUT generally and restrict INPUT.</para>
    2929
    3030<screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED  -j ACCEPT
    31 iptables -A OUTPUT                                      -j ACCEPT</screen></para>
     31iptables -A OUTPUT                                      -j ACCEPT</screen>
    3232
    3333<para>However, it is generally not advisable to leave OUTPUT unrestricted: you lose
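Review bot: the rules at lines 24-25 use intrapositioned negation (`-i ! ppp+`, `-o ! ppp+`); current iptables releases accept it only with a deprecation warning and the documented form is `! -i ppp+`. Since this hunk already touches those two screen lines, rewrite them as `iptables -A INPUT ! -i ppp+ -j ACCEPT` and `iptables -A OUTPUT ! -o ppp+ -j ACCEPT`. The move of `</para>` to the line before each `<screen>` is correct: the screen block is no longer a child of the paragraph, which is what was pulling extra whitespace into the rendered output.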
     
    4444<title>Have a look at the following examples:</title>
    4545
    46 <listitem><para>Squid is caching the web:
     46<listitem><para>Squid is caching the web:</para>
    4747<screen>iptables -A OUTPUT -p tcp --dport 80                              -j ACCEPT
    48 iptables -A INPUT  -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT</screen></para></listitem>
     48iptables -A INPUT  -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT</screen></listitem>
    4949
    5050<listitem><para>Your caching name server (e.g., dnscache) does its
    51 lookups via udp:
     51lookups via udp:</para>
    5252<screen>iptables -A OUTPUT -p udp --dport 53                              -j ACCEPT
    53 iptables -A INPUT  -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT</screen></para></listitem>
     53iptables -A INPUT  -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT</screen></listitem>
    5454
    5555<listitem><para>Alternatively, if you want to be able to ping your box to ensure
    56 it's still alive:
     56it's still alive:</para>
    5757<screen>iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT
    58 iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT</screen></para></listitem>
     58iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT</screen></listitem>
    5959
    6060<listitem><para><anchor id='postlfs-security-fw-BB-4' xreflabel="example no. 4"/>If you are
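Review bot: on the reply-direction rules at lines 48 and 53 it is the `-m state --state ESTABLISHED` match, not `--sport 80` / `--sport 53`, that carries the security weight; a source port is trivially chosen by the sender, so the `--sport` qualifier on its own would admit anything that claims to come from port 80 or 53. Worth a sentence in the surrounding prose so readers do not drop the state match when they copy these lines. The echo-request rule at line 57 accepts pings without any `-m limit`; a rate limit there is cheap and keeps a ping flood from consuming the link. The `</para>` relocations in each `<listitem>` are fine: a `<listitem>` may hold a `<para>` followed by a sibling `<screen>`.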
     
    6666
    6767<para>To avoid these delays you could reject the requests
    68 with a 'tcp-reset':
     68with a 'tcp-reset':</para>
    6969
    7070<screen>iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    71 iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen></para></listitem>
     71iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen></listitem>
    7272
    7373<listitem><para>To log and drop invalid packets, mostly harmless packets
    74 that came in after netfilter's timeout, sometimes scans:
     74that came in after netfilter's timeout, sometimes scans:</para>
    7575
    7676<screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix \
    7777"FIREWALL:INVALID"
    78 iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></para></listitem>
     78iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></listitem>
    7979
    8080<listitem><para>Anything coming from the outside should not have a
    81 private address, this is a common attack called IP-spoofing:
     81private address, this is a common attack called IP-spoofing:</para>
    8282
    8383<screen>iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8     -j DROP
    8484iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12  -j DROP
    85 iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP</screen></para></listitem>
     85iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP</screen></listitem>
    8686
    8787<listitem><para>To simplify debugging and be fair to anyone who'd like to
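Review bot: the anti-spoofing rules at lines 83-85 sit in the nat table's PREROUTING chain, which is the wrong place for filtering: netfilter consults the nat table only for the first packet of a connection, and the iptables documentation reserves that table for address translation. Put these DROPs in the filter table (INPUT, and FORWARD if the box routes) or in mangle PREROUTING so every packet is checked, and add 127.0.0.0/8 to the list, since a loopback source arriving on ppp+ is just as bogus as the three RFC 1918 ranges shown. Separately, the LOG rule at lines 76-77 has no `-m limit`; a port scan that trips the INVALID match will write one syslog line per packet, which is an easy way to fill the disk or drown real alerts. The `--state RELATED` match on the OUTPUT rule at line 71 is the right one for the reset generated by `REJECT --reject-with tcp-reset`, because that RST is not part of an established connection.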
     
    9090
    9191<para>Obviously this must be done directly after logging as the very
    92 last lines before the packets are dropped by policy:
     92last lines before the packets are dropped by policy:</para>
    9393
    9494<screen>iptables -A INPUT                        -j REJECT
    95 iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT</screen></para></listitem>
     95iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT</screen></listitem>
    9696</itemizedlist>
    9797<!--</orderedlist>-->
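Review bot: line 95 opens outbound ICMP type 3 with any code, which is broader than what the `-j REJECT` at line 94 needs (its default reply is icmp-port-unreachable, type 3 code 3). `--icmp-type port-unreachable` would be the tighter match; if the wider rule is kept deliberately so that fragmentation-needed (3/4) can leave and path MTU discovery keeps working, say so in the paragraph above. The commented-out `<!--</orderedlist>-->` at line 97 is dead markup left over from the switch to `<itemizedlist>`; delete it rather than carry it through another whitespace cleanup.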