Changeset af8e1cb5
- Timestamp: 07/20/2014 03:55:27 PM (10 years ago)
- Branches: systemd-11177
- Children: d131a8a
- Parents: 4321c68
- Files: 3 added, 4 deleted, 3 edited, 2 moved
TODO
r4321c68 raf8e1cb5 1 1 gpm 2 2 svn server 3 sendmail4 3 iptables 5 4 wpa_supplicant -
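Review bot: iptables is kept on the TODO list (new line 3) even though this same changeset adds iptables.service, the install-iptables/uninstall-iptables Makefile targets and the systemd version of the firewalling page; if the iptables conversion is now complete, drop the entry the way sendmail was dropped here, otherwise note what is still outstanding so the list stays accurate.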
postlfs/security/firewalling-systemd.xml
r4321c68 raf8e1cb5 141 141 </caution> 142 142 143 <para>The firewall configuration script installed in the iptables section144 differs from the standard configuration script. It only has two of145 the standard targets: start and status. The other targets are clear146 and lock. For instance if you issue:</para>147 148 <screen role="root"><userinput>/etc/rc.d/init.d/iptables start</userinput></screen>149 150 <para>the firewall will be restarted just as it is upon system startup.151 The status target will present a list of all currently implemented152 rules. The clear target turns off all firewall rules and the lock153 target will block all packets in and out of the computer with the154 exception of the loopback interface.</para>155 156 143 <para>The main startup firewall is located in the file 157 <filename>/etc/ rc.d/rc.iptables</filename>. The sections below provide144 <filename>/etc/systemd/scripts/iptables</filename>. The sections below provide 158 145 three different approaches that can be used for a system.</para> 159 146 … … 178 165 to the Linux 2.6 kernels.</para> 179 166 180 <screen role="root"><?dbfo keep-together="auto"?><userinput>cat > /etc/rc.d/rc.iptables << "EOF" 167 <screen role="root"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts 168 169 cat > /etc/systemd/scripts/iptables << "EOF" 181 170 <literal>#!/bin/sh 182 171 183 # Begin rc.iptables172 # Begin /etc/systemd/scripts/iptables 184 173 185 174 # Insert connection-tracking modules … … 250 239 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " 251 240 252 # End $rc_base/rc.iptables</literal>241 # End /etc/systemd/scripts/iptables</literal> 253 242 EOF 254 chmod 700 /etc/ rc.d/rc.iptables</userinput></screen>243 chmod 700 /etc/systemd/scripts/iptables</userinput></screen> 255 244 256 245 <para>This script is quite simple, it drops all traffic coming … … 284 273 a worm via a buffer-overflow).</para> 285 274 286 <screen role="root"><?dbfo 
keep-together="auto"?><userinput>cat > /etc/rc.d/rc.iptables << "EOF" 275 <screen role="root"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts 276 277 cat > /etc/systemd/scripts/iptables << "EOF" 287 278 <literal>#!/bin/sh 288 279 289 # Begin rc.iptables280 # Begin /etc/systemd/scripts/iptables 290 281 291 282 echo … … 371 362 372 363 # Enable IP Forwarding 373 echo 1 > /proc/sys/net/ipv4/ip_forward</literal> 364 echo 1 > /proc/sys/net/ipv4/ip_forward 365 366 # End /etc/systemd/scripts/iptables</literal> 374 367 EOF 375 chmod 700 /etc/ rc.d/rc.iptables</userinput></screen>368 chmod 700 /etc/systemd/scripts/iptables</userinput></screen> 376 369 377 370 <para>With this script your intranet should be reasonably secure -
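Review bot: the paragraph on the start/status/clear/lock targets (old lines 143-154) is deleted without a systemd equivalent, so the page no longer tells the reader how to inspect, flush or lock down the firewall now that /etc/rc.d/init.d/iptables is gone; since the install-iptables target in this changeset enables iptables.service, add a sentence that names the unit, shows `systemctl start iptables.service` / `systemctl status iptables.service`, and says what stopping the unit does to the rule set, because `clear` (open everything) and `lock` (drop everything but loopback) had distinct, security-relevant meanings that readers of the old page relied on.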
postlfs/security/haveged-systemd.xml
r4321c68 raf8e1cb5 104 104 105 105 <sect3 id="haveged-init"> 106 <title> Boot Script</title>106 <title>Systemd Units</title> 107 107 108 108 <para> 109 If you want the <application>Haveged</application> daemon to110 start automatically when the system is booted, install the111 <filename>/etc/rc.d/init.d/haveged</filename> init script included112 in the <xref linkend="bootscripts"/> package.109 To start the <command>haveged</command> daemon at boot, 110 install the systemd unit from the <xref linkend="bootscripts"/> 111 package by running the following command as the 112 <systemitem class="username">root</systemitem> user: 113 113 </para> 114 114 -
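Review bot: the rewritten paragraph (new lines 109-112) says "by running the following command", but the hunk ends at the closing </para> on line 113 and the <screen> that follows is not shown; confirm it was changed from installing /etc/rc.d/init.d/haveged to the new `make install-haveged` target this changeset adds to systemd-units/Makefile, otherwise the prose and the command below it will disagree.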
postlfs/security/security.xml
r4321c68 raf8e1cb5 48 48 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="gnutls.xml"/> 49 49 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="gpgme.xml"/> 50 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="haveged .xml"/>51 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="iptables .xml"/>52 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="firewalling .xml"/>50 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="haveged-systemd.xml"/> 51 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="iptables-systemd.xml"/> 52 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="firewalling-systemd.xml"/> 53 53 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="libcap.xml"/> 54 54 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="linux-pam.xml"/> -
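Review bot: the new include of iptables-systemd.xml (line 51) has no matching file diff in this changeset, whereas firewalling-systemd.xml and haveged-systemd.xml do; verify that iptables-systemd.xml actually exists in the systemd-11177 branch (a pure rename shows no hunk, but a missing file leaves a dangling xi:include that breaks the book build).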
systemd-units/Makefile
r4321c68 raf8e1cb5 58 58 systemctl enable gpm.service 59 59 60 install-haveged: create-dirs 61 install -m ${CONFMODE} blfs/units/haveged.service ${UNITSDIR}/ 62 systemctl enable haveged.service 63 60 64 install-httpd: create-dirs 61 65 install -m ${CONFMODE} blfs/tmpfiles/httpd.conf ${TMPFILESDIR}/ … … 63 67 systemd-tmpfiles --create httpd.conf 64 68 systemctl enable httpd.service 69 70 install-iptables: create-dirs 71 install -m ${CONFMODE} blfs/units/iptables.service ${UNITSDIR}/ 72 systemctl enable iptables.service 65 73 66 74 install-kdm: create-dirs … … 217 225 rm -f ${UNITSDIR}/gpm.service 218 226 227 uninstall-haveged: 228 systemctl stop haveged.service 229 systemctl disable haveged.service 230 rm -f ${UNITSDIR}/haveged.service 231 219 232 uninstall-httpd: 220 233 systemctl stop httpd.service 221 234 systemctl disable httpd.service 222 235 rm -f ${TMPFILESDIR}/httpd.conf ${UNITSDIR}/httpd.service 236 237 uninstall-iptables: 238 systemctl disable iptables.service 239 rm -f ${UNITSDIR}/iptables.service 223 240 224 241 uninstall-kdm: … … 363 380 install-gpm \ 364 381 install-httpd \ 382 install-iptables \ 365 383 install-kdm \ 366 384 install-krb5 \ … … 391 409 uninstall-gpm \ 392 410 uninstall-httpd \ 411 uninstall-iptables \ 393 412 uninstall-kdm \ 394 413 uninstall-krb5 \
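Review bot: uninstall-iptables (new lines 237-239) disables and removes the unit but, unlike uninstall-haveged directly above it (lines 227-230), never runs `systemctl stop iptables.service`; if that is deliberate, because stopping the unit would flush the rules and leave the host unfiltered until reboot, add a comment saying so, otherwise add the stop for consistency with the other uninstall targets. The unit files blfs/units/haveged.service and blfs/units/iptables.service that install-haveged and install-iptables copy into ${UNITSDIR} are not shown in this view either; confirm they are among the 3 added files.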