Context Navigation

-              rf8d632a
+              rb4b71892
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+   "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
+  <!ENTITY % general-entities SYSTEM "../../general.ent">
+  %general-entities;
+]>
 <sect1 id="postlfs-security-fw-firewall" xreflabel="Firewalling">
 <?dbhtml filename="firewall.html"?>
 …
 have already installed iptables as described in the previous section.</para>
+&postlfs-security-fw-intro;
+&postlfs-security-fw-disclaimer;
+&postlfs-security-fw-kernel;
+&postlfs-security-fw-writing;
+&postlfs-security-fw-finale;
+&postlfs-security-fw-extrainfo;
+<sect2 id="postlfs-security-fw-intro" xreflabel="Firewalling Introduction">
+<title>Introduction to Firewall Creation</title>
+<para>The general purpose of a firewall is to protect a network
+against malicious access by using a single machine as a firewall.
+This does imply that the firewall is to be considered a single point
+of failure, but it can make the administrator's life a lot easier.</para>
+<para>In a perfect world where you knew that every daemon or service
+on every machine was perfectly configured and was immune to, e.g.,
+buffer-overflows and any other imaginable problem regarding its
+security, and where you trusted every user accessing your services
+to aim no harm, you wouldn't need to have a firewall!
+In the real world however, daemons may be misconfigured,
+exploits against essential services are freely available, you
+may wish to choose which services are accessible by certain machines,
+you may wish to limit which machines or applications are allowed
+to have Internet access, or you may simply  not trust some of your
+apps or users.
+In these situations you might  benefit by using a firewall.</para>
+<para>Don't assume however, that having a firewall makes careful
+configuration redundant, or that it makes any negligent
+misconfiguration harmless. It also doesn't prevent anyone from exploiting a
+service you intentionally offer but haven't recently updated or patched
+after an exploit went public.  Despite having a firewall, you need to
+keep applications and daemons on your system well-configured and
+up-to-date; a firewall is not a cure-all!</para>
+</sect2>
+<sect2>
+<title>Meaning of the word firewall.</title>
+<para>The word firewall can have several different meanings.</para>
+<sect3><title><xref linkend="postlfs-security-fw-persFw"/></title>
+<para>This is a setup or program, for Windows commercially sold by
+companies such as Symantec, of which they claim or pretend that it
+secures a home or desktop-pc with Internet access. This topic is
+highly relevant for users who do not know the methods their computers
+might be accessed via the Internet or how to disable them,
+especially if they are always online and connected via
+broadband links.</para></sect3>
+<sect3><title><xref linkend="postlfs-security-fw-masqRouter"/></title>
+<para>This is a box placed between the Internet and an intranet.
+To minimize the risk of compromising the firewall itself it
+should generally have only one role, that of protecting the intranet.
+Although not completely risk free, the tasks of doing the routing
+and eventually IP masquerading (rewriting IP-headers
+of the packets it routes from clients with private IP-addresses onto
+the Internet so that they seem to come from the firewall
+itself) are commonly considered harmless.</para></sect3>
+<sect3><title><xref linkend="postlfs-security-fw-busybox"/></title>
+<para>This is often an old box you may have retired and nearly forgotten,
+performing masquerading or routing functions, but offering a bunch of
+services, e.g., web-cache, mail, etc.  This may be very commonly used
+for home networks, but can definitely not be considered as secure
+anymore because the combining of server and router on one machine raises
+the complexity of the setup.</para></sect3>
+<sect3><title>Firewall with a demilitarized zone [not further described
+here]</title>
+<para>This box performs masquerading or routing, but grants public access to
+some branch of your network which, because of public IP's and a physically
+separated structure, is neither considered to be part of the inter- nor
+intranet.  These servers are those which must be easily accessible
+from both the inter- and intranet. The firewall protects
+them all.</para></sect3>
+<sect3><title>Packetfilter / partly accessible net [partly described
+here, see <xref linkend="postlfs-security-fw-busybox"/>]</title>
+<para>Doing routing or masquerading, but permitting only selected
+services to be accessible, sometimes only by selected internal users or boxes;
+mostly used in highly secure business contexts, sometimes by distrusting
+employers.  This was the common configuration of a firewall at the time of
+the Linux 2.2 kernel.  It's still possible to configure a firewall this way,
+but it makes the rules quite complex and lengthy.</para></sect3>
+</sect2>
+<sect2 id="postlfs-security-fw-disclaimer" xreflabel="Disclaimer">
+<title>Disclaimer</title>
+<!-- <para><emphasis>NEITHER THE AUTHOR NOR ANY OF THE LINUXFROMSCRATCH TEAM
+ARE RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THIS
+DOCUMENT.</emphasis></para> -->
+<para>This document is meant as an introduction to how to setup a firewall.  It
+is not a complete guide to securing systems.  Firewalling is a complex issue
+that requires careful configuration.  The scripts quoted here are simply
+intended to give examples as to how a firewall works, they are not intended to
+fit into any imaginable configuration and may not prevent any imaginable
+attack.</para>
+<para>The purpose of this text is simply to give you a hint on how to get
+started with a firewall.</para>
+<para>Customization of these scripts for your specific situation will
+be necessary for an optimal configuration, but you should make a serious
+study of the iptables documentation and creating firewalls in general before hacking
+away.  Have a look at the list of <xref linkend="postlfs-security-fw-library"/> at the end
+of this section for more details.  Here you will find a list of URLs that
+contain quite comprehensive information about building your own firewall.</para>
+</sect2>
+<sect2 id="postlfs-security-fw-kernel" xreflabel="getting a firewalling-enabled Kernel">
+<title>Getting a firewall enabled Kernel</title>
+<para>If you want your Linux-Box to have a firewall, you must first ensure
+that your kernel has been compiled with the relevant options turned on.
+<!-- <footnote><para>If you needed assistance how to configure, compile and install
+a new kernel, refer back to chapter VIII of the LinuxFromScratch book,
+<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html">Installing a kernel</ulink>
+ and eventually
+<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html">Making the LFS system bootable</ulink>
+; note, that you'll need to reboot
+to actually run your new kernel.</para></footnote>-->
+</para>
+<para>How to configure your kernel, with enabling the options to be
+either compiled into the kernel or as modules, depends on your personal
+preferences and experience. Note, that for the quoted scripts it is assumed
+that the modules need to be loaded at first.</para>
+<screen>Network options menu
+  Network packet filtering:                         Y
+  Unix domain sockets:                         Y or M
+  TCP/IP networking:                                Y
+  IP: advanced router:                              Y
+  IP: verbose route monitoring:                     Y
+  IP: TCP Explicit Congestion Notification support: Y
+  IP: TCP syncookie support:                        Y
+  IP: Netfilter Configuration menu
+    Every option except:                       Y or M
+      ipchains (2.2-style) support                  N
+      ipfwadm (2.0-style) support                   N
+  Fast switching:                                   N</screen>
+<!--
+<table frame='none'>
+<title>Essential config-options for a firewall enabled Kernel</title>
+<tgroup cols='5'>
+<colspec colnum='1' colwidth='8*'  align='center'/>
+<colspec colnum='2' colwidth='19*' align='left'/>
+<colspec colnum='3' colwidth='11*' align='center'/>
+<colspec colnum='4' colwidth='1*'  align='center'/>
+<colspec colnum='5' colwidth='14*' align='left'/>
+<tbody>
+<row>
+<entry><emphasis><userinput>Networking options:</userinput></emphasis></entry>
+<entry><userinput>Network packet filtering</userinput></entry>
+<entry></entry>
+<entry>=</entry>
+<entry>CONFIG_NETFILTER</entry>
+</row>
+<row>
+<entry></entry>
+<entry><userinput>Unix domain sockets</userinput></entry>
+<entry></entry>
+<entry>=</entry>
+<entry>CONFIG_UNIX</entry>
+</row>
+<row>
+<entry></entry>
+<entry><userinput>IP: TCP/IP networking</userinput></entry>
+<entry></entry>
+<entry>=</entry>
+<entry>CONFIG_INET</entry>
+</row>
+<row>
+<entry></entry>
+<entry><userinput>IP: advanced router</userinput></entry>
+<entry></entry>
+<entry>=</entry>
+<entry>CONFIG_IP_ADVANCED_ROUTER</entry>
+</row>
+<row>
+<entry></entry>
+<entry><userinput>IP: verbose route monitoring</userinput></entry>
+<entry></entry>
+<entry>=</entry>
+<entry>CONFIG_IP_ROUTE_VERBOSE</entry>
+</row>
+<row>
+<entry></entry>
+<entry><userinput>IP: TCP Explicit Congestion Notification support</userinput></entry>
+<entry></entry>
+<entry>=</entry>
+<entry>CONFIG_INET_ECN</entry>
+</row>
+<row>
+<entry></entry>
+<entry><userinput>IP: TCP syncookie support</userinput></entry>
+<entry></entry>
+<entry>=</entry>
+<entry>CONFIG_SYN_COOKIES</entry>
+</row>
+<row>
+<entry></entry>
+<entry align='center'>
+<emphasis><userinput>IP: Netfilter Configuration:</userinput></emphasis></entry>
+<entry align='left'><userinput>every option</userinput></entry>
+<entry>=</entry>
+<entry>CONFIG_IP_NF_*</entry>
+</row>
+<row>
+<entry></entry>
+<entry align='right'><emphasis>WITHOUT:</emphasis></entry>
+<entry align='left'><literallayout><userinput>ipchains (2.2-style) support
+ipfw-adm (2.0-style) support</userinput></literallayout></entry>
+<entry>w\</entry>
+<entry>CONFIG_IP_NF_COMPAT_*</entry>
+</row>
+<row>
+<entry></entry>
+<entry><userinput>Fast switching</userinput></entry>
+<entry>Make sure to disable it because it would setup a bypass around
+your firewall rules.</entry>
+<entry>w\</entry>
+<entry>CONFIG_NET_FASTROUTE</entry>
+</row>
+</tbody>
+</tgroup>
+</table> -->
+</sect2>
+<sect2 id="postlfs-security-fw-writing" xreflabel="writing the firewalling-setup-scripts">
+<title>Now you can start to build your Firewall</title>
+<sect3 id="postlfs-security-fw-persFw" xreflabel="Personal Firewall">
+<title>Personal Firewall</title>
+<para>A Personal Firewall is supposed to let you access all the services
+offered on the Internet, but keep your box secure and your data private.</para>
+<para>Below is a slightly modified version of Rusty Russell's recommendation
+from the <ulink
+url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">Linux
+.4 Packet Filtering HOWTO</ulink>:</para>
+<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</command>
+#!/bin/sh
+# Begin $rc_base/init.d/firewall
+# Insert connection-tracking modules (not needed if built into the kernel).
+modprobe ip_tables
+modprobe iptable_filter
+modprobe ip_conntrack
+modprobe ip_conntrack_ftp
+modprobe ipt_state
+modprobe ipt_LOG
+# allow local-only connections
+iptables -A INPUT  -i lo -j ACCEPT
+# free output on any interface to any ip for any service (equal to -P ACCEPT)
+iptables -A OUTPUT -j ACCEPT
+# permit answers on already established connections
+# and permit new connections related to established ones (eg active-ftp)
+iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+# Log everything else:  What's Windows' latest exploitable vulnerability?
+iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
+# set a sane policy:    everything not accepted &gt; /dev/null
+iptables -P INPUT    DROP
+iptables -P FORWARD  DROP
+iptables -P OUTPUT   DROP
+# be verbose on dynamic ip-addresses     (not needed in case of static IP)
+echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
+# disable ExplicitCongestionNotification - too many routers are still ignorant
+echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
+# End $rc_base/init.d/firewall
+<command>EOF</command></userinput></screen>
+<para>His script is quite simple, it drops all traffic coming in into your
+computer that wasn't initiated from your box, but as long as you are simply
+surfing the Internet you are unlikely to exceed its limits.</para>
+<para>If you frequently encounter certain delays at accessing ftp-servers,
+please have a look at <xref linkend="postlfs-security-fw-busybox"/> -
+<xref linkend="postlfs-security-fw-BB-4"/>.</para>
+<para>Even if you have daemons or services running on your box, these
+should be inaccessible everywhere but from your box itself.
+If you want to allow access to services on your machine, such as ssh or pinging,
+take a look at <xref linkend="postlfs-security-fw-busybox"/>.</para>
+</sect3>
+<sect3 id="postlfs-security-fw-masqRouter" xreflabel="Masquerading Router">
+<title>Masquerading Router</title>
+<para>A true Firewall has two interfaces, one connected to an intranet,
+in this example, <emphasis role="strong">eth0</emphasis>, and one
+connected to the Internet, here, <emphasis role="strong">ppp0</emphasis>.
+To provide the maximum security against the box itself being broken into,
+make sure that there are no servers running on it, especially not
+<application>X11</application> et
+al.  And, as a general principle, the box itself should not access any untrusted
+service (Think of a name server giving answers that make your
+bind crash, or, even worse, that implement a worm via a
+buffer-overflow).</para>
+<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</command>
+#!/bin/sh
+# Begin $rc_base/init.d/firewall
+echo
+echo "You're using the example-config for a setup of a firewall"
+echo "from the firewalling-hint written for LinuxFromScratch."
+echo "This example is far from being complete, it is only meant"
+echo "to be a reference."
+echo "Firewall security is a complex issue, that exceeds the scope"
+echo "of the quoted configuration rules."
+echo "You can find some quite comprehensive information"
+echo "about firewalls in Chapter 4 of the BLFS book."
+echo "http://www.linuxfromscratch.org/blfs"
+echo
+# Insert iptables modules (not needed if built into the kernel).
+modprobe ip_tables
+modprobe iptable_filter
+modprobe ip_conntrack
+modprobe ip_conntrack_ftp
+modprobe ipt_state
+modprobe iptable_nat
+modprobe ip_nat_ftp
+modprobe ipt_MASQUERADE
+modprobe ipt_LOG
+modprobe ipt_REJECT
+# allow local-only connections
+iptables -A INPUT  -i lo -j ACCEPT
+iptables -A OUTPUT -o lo -j ACCEPT
+# allow forwarding
+iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD -m state --state NEW -i ! ppp+       -j ACCEPT
+# do masquerading    (not needed if intranet is not using private ip-addresses)
+iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
+# Log everything for debugging (last of all rules, but before DROP/REJECT)
+iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT  "
+iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
+iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "
+# set a sane policy
+iptables -P INPUT   DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT  DROP
+# be verbose on dynamic ip-addresses (not needed in case of static IP)
+echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
+# disable ExplicitCongestionNotification
+echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
+# activate TCPsyncookies
+echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
+# activate Route-Verification = IP-Spoofing_protection
+for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
+        echo 1 &gt; $f
+done
+# activate IP-Forwarding
+echo 1 &gt; /proc/sys/net/ipv4/ip_forward
+<command>EOF</command></userinput></screen>
+<para>With this script your intranet should be sufficiently secure against
+external attacks. No one should be able to setup a new connection to any
+internal service and, if it's masqueraded, it's even invisible. Furthermore,
+your firewall should be nearly immune because there are no services running
+that a cracker could attack.</para>
+<para>Note: if the interface you're connecting to the Internet
+doesn't connect via ppp, you will need to change
+<replaceable>ppp+</replaceable> to the name of the interface which you are
+using.  If you are using the same interface type to connect to both your
+intranet and the Internet, you need to use the actual name of the
+interface such as <emphasis role="strong">eth0</emphasis>,
+on both interfaces.</para>
+<para>If you need stronger security (e.g., against DOS, connection
+highjacking, spoofing, etc.), have a look at the list of
+<xref linkend="postlfs-security-fw-library"/> at the end of this section.</para>
+</sect3>
+<sect3 id="postlfs-security-fw-busybox" xreflabel="BusyBox">
+<title>BusyBox</title>
+<para>This scenario isn't too different from (<xref linkend="postlfs-security-fw-masqRouter"/>),
+but in this case you want to offer some services to your intranet.
+Examples of this can be when you want to admin your box from another host
+on your intranet or use it as a proxy or a name server. Note: Outlining a true
+concept of how to protect a server that offers services on the Internet
+goes far beyond the scope of this document,
+see <xref linkend="postlfs-security-fw-disclaimer"/>.</para>
+<para>Be cautious.  Every service you offer and have enabled makes your
+setup more complex and your box less secure. You induce the risks of
+misconfigured services or running a service with an exploitable bug.  A firewall
+should generally not run any extra services.  See the introduction to
+<xref linkend="postlfs-security-fw-masqRouter"/> for some more details.</para>
+<para>If the services you'd like to offer do not need to access the Internet
+themselves, like internal-only samba- or name-servers, it's quite
+simple and should still be acceptable from a security standpoint.
+Just add the following lines <emphasis>before</emphasis> the logging-rules
+into the script.</para>
+<screen>iptables -A INPUT  -i ! ppp+  -j ACCEPT
+iptables -A OUTPUT -o ! ppp+  -j ACCEPT</screen>
+<para>If your daemons have to access the web themselves, like squid would need
+to, you could open OUTPUT generally and restrict INPUT.</para>
+<screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED  -j ACCEPT
+iptables -A OUTPUT                                      -j ACCEPT</screen>
+<para>However, it is generally not advisable to leave OUTPUT unrestricted. You lose
+any control over trojans who'd like to "call home", and a bit of redundancy in case
+you've (mis-)configured a service so that it does broadcast its existence to the
+world.</para>
+<para>If you prefer to have this protection, you may restrict INPUT and OUTPUT
+on all ports except those that it's absolutely necessary to have open.
+Which ports you have to open depends on your needs: mostly you will find them
+by looking for failed accesses in your log-files.</para>
+<itemizedlist spacing="compact">
+<!-- <orderedlist numeration="arabic" spacing="compact"> -->
+<title>Have a look at the following examples:</title>
+<listitem><para>Squid is caching the web:</para>
+<screen>iptables -A OUTPUT -p tcp --dport 80                              -j ACCEPT
+iptables -A INPUT  -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT</screen></listitem>
+<listitem><para>Your caching name server (e.g., dnscache) does its
+lookups via udp:</para>
+<screen>iptables -A OUTPUT -p udp --dport 53                              -j ACCEPT
+iptables -A INPUT  -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT</screen></listitem>
+<listitem><para>Alternatively, if you want to be able to ping your box to ensure
+it's still alive:</para>
+<screen>iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT
+iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT</screen></listitem>
+<listitem><para><anchor id='postlfs-security-fw-BB-4' xreflabel="example no. 4"/>If you are
+frequently accessing ftp-servers or enjoy chatting, you might notice certain
+delays because some implementations of these daemons have the feature of
+querying an identd on your box for logging usernames.
+Although there's really no harm in this, having an identd running is not
+recommended because some implementations are known to be vulnerable.</para>
+<para>To avoid these delays you could reject the requests
+with a 'tcp-reset':</para>
+<screen>iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset
+iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen></listitem>
+<listitem><para>To log and drop invalid packets (harmless packets
+that came in after netfilter's timeout or some types of network scans):</para>
+<screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix \
+"FIREWALL:INVALID"
+iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></listitem>
+<listitem><para>Anything coming from the outside should not have a
+private address, this is a common attack called IP-spoofing:</para>
+<screen>iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8     -j DROP
+iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12  -j DROP
+iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP</screen></listitem>
+<listitem><para>To simplify debugging and be fair to anyone who'd like to
+access a service you have disabled, purposely or by mistake, you should REJECT
+those packets that are dropped.</para>
+<para>Obviously this must be done directly after logging as the very
+last lines before the packets are dropped by policy:</para>
+<screen>iptables -A INPUT                        -j REJECT
+iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT</screen></listitem>
+</itemizedlist>
+<!--</orderedlist>-->
+<para>These are only examples to show you some of the capabilities of the new
+firewall code in Linux-Kernel 2.4. Have a look at the man page of
+iptables.
+There you will find more of them. The port-numbers you'll need for this
+can be found in <filename>/etc/services</filename>, in case you didn't
+find them by trial and error in your log file.</para>
+<para>If you add any of your offered or accessed services such as the above,
+maybe even in FORWARD and for intranet-communication, and delete the
+general clauses, you get an old fashioned packet filter.</para>
+</sect3>
+</sect2>
+<sect2 id="postlfs-security-fw-finale" xreflabel="Conclusion">
+<title>Conclusion</title>
+<para>Finally, I'd like to remind you of one fact we must not forget:
+The effort spent attacking a system corresponds to the value the cracker
+expects to gain from it.
+If you are responsible for such valuable assets that you expect great
+effort to be made by potential crackers, you hopefully won't be in the
+need of this hint!</para>
+<!-- <para><literallayout>Be cautious!
+    Henning Rohde
+<email>Henning.Rohde@uni-bayreuth.de</email></literallayout></para>
+<para>PS: And always do remember:
+SecureIT is not a matter of a status-quo but one of never stopping
+to take care!</para>
+<para>PPS: If any of these scripts fail, please tell me. I will try to trace
+any faults.</para> -->
+</sect2>
+<sect2 id="postlfs-security-fw-extra" xreflabel="Extra Information">
+<title>Extra Information</title>
+<sect3 id="postlfs-security-fw-library" xreflabel="Links for further reading">
+<title>Where to start with further reading on firewalls.</title>
+<para><blockquote><literallayout>
+<ulink url="http://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables project</ulink>
+<ulink url="http://www.netfilter.org/documentation/FAQ/netfilter-faq.html">Netfilter related FAQ</ulink>
+<ulink url="http://www.netfilter.org/documentation/index.html#HOWTO">Netfilter related HOWTO's</ulink>
+<ulink url="http://en.tldp.org/LDP/nag2/x-087-2-firewall.html">en.tldp.org/LDP/nag2/x-087-2-firewall.html</ulink>
+<ulink url="http://en.tldp.org/HOWTO/Security-HOWTO.html">en.tldp.org/HOWTO/Security-HOWTO.html</ulink>
+<ulink url="http://en.tldp.org/HOWTO/Firewall-HOWTO.html">en.tldp.org/HOWTO/Firewall-HOWTO.html</ulink>
+<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire.html">www.ibm.com/developerworks/security/library/s-fire.html</ulink>
+<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire2.html">www.ibm.com/developerworks/security/library/s-fire2.html</ulink>
+<ulink url="http://www.interhack.net/pubs/fw-faq/">www.interhack.net/pubs/fw-faq/</ulink>
+<ulink url="http://www.linuxsecurity.com/docs/">www.linuxsecurity.com/docs/</ulink>
+<ulink url="http://www.little-idiot.de/firewall">www.little-idiot.de/firewall (German &amp; outdated, but very comprehensive)</ulink>
+<ulink url="http://www.linuxgazette.com/issue65/stumpel.html">www.linuxgazette.com/issue65/stumpel.html</ulink>
+<ulink url="http://linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html">linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html</ulink>
+<ulink url="http://staff.washington.edu/dittrich/misc/ddos">staff.washington.edu/dittrich/misc/ddos</ulink>
+<ulink url="http://www.e-infomax.com/ipmasq">www.e-infomax.com/ipmasq</ulink>
+<ulink url="http://www.circlemud.org/~jelson/writings/security/index.htm">www.circlemud.org/~jelson/writings/security/index.htm</ulink>
+<ulink url="http://www.securityfocus.com">www.securityfocus.com</ulink>
+<ulink url="http://www.cert.org/tech_tips/">www.cert.org - tech_tips</ulink>
+<ulink url="http://security.ittoolbox.com/">security.ittoolbox.com</ulink>
+<ulink url="http://www.linux-firewall-tools.com/linux/">www.linux-firewall-tools.com/linux/</ulink>
+<ulink url="http://logi.cc/linux/athome-firewall.php3">logi.cc/linux/athome-firewall.php3</ulink>
+<ulink url="http://www.insecure.org/reading.html">www.insecure.org/reading.html</ulink>
+<ulink url="http://www.robertgraham.com/pubs/firewall-seen.html">www.robertgraham.com/pubs/firewall-seen.html</ulink>
+</literallayout></blockquote></para>
+<!-- <para>If a link proves to be dead or if you think I missed one,
+please mail!</para> -->
+</sect3>
+<sect3 id="postlfs-security-fw-status" xreflabel="/etc/rc.d/init.d/firewall.status">
+<title>firewall.status</title>
+<para>If you'd like to have a look at the chains your firewall consists of and
+the order in which the rules take effect:</para>
+<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall.status &lt;&lt; "EOF"</command>
+#!/bin/sh
+# Begin $rc_base/init.d/firewall.status
+echo "iptables.mangling:"
+iptables -t mangle  -v -L -n --line-numbers
+echo
+echo "iptables.nat:"
+iptables -t nat     -v -L -n --line-numbers
+echo
+echo "iptables.filter:"
+iptables            -v -L -n --line-numbers
+<command>EOF</command></userinput></screen>
+</sect3>
+<sect3 id="postlfs-security-fw-stop" xreflabel="/etc/rc.d/init.d/firewall.stop">
+<title>firewall.stop</title>
+<para>If you need to turn the firewall off, this script will do it:</para>
+<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall.stop &lt;&lt; "EOF"</command>
+#!/bin/sh
+# Being $rc_base/init.d/firewall.stop
+# deactivate IP-Forwarding
+echo 0 > /proc/sys/net/ipv4/ip_forward
+iptables -Z
+iptables -F
+iptables -t nat         -F PREROUTING
+iptables -t nat         -F OUTPUT
+iptables -t nat         -F POSTROUTING
+iptables -t mangle      -F PREROUTING
+iptables -t mangle      -F OUTPUT
+iptables -X
+iptables -P INPUT       ACCEPT
+iptables -P FORWARD     ACCEPT
+iptables -P OUTPUT      ACCEPT
+<command>EOF</command></userinput></screen>
+</sect3>
+</sect2>
 </sect1>

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset b4b71892 for postlfs/security/firewalling.xml

Legend:

postlfs/security/firewalling.xml

Download in other formats: