Changes in postlfs/security/iptables.xml [92d18a9:da54a62]

File:

• postlfs/security/iptables.xml (modified) (24 diffs)

postlfs/security/iptables.xml

@@ -7 +7 @@
   <!ENTITY iptables-download-http "http://www.netfilter.org/projects/iptables/files/iptables-&iptables-version;.tar.bz2">
   <!ENTITY iptables-download-ftp  "ftp://ftp.netfilter.org/pub/iptables/iptables-&iptables-version;.tar.bz2">
-  <!ENTITY iptables-md5sum        "bc0f0adccc93c09dc5b7507ccba93148">
-  <!ENTITY iptables-size          "700 KB">
-  <!ENTITY iptables-buildsize     "17 MB">
-  <!ENTITY iptables-time          "0.2 SBU">
+  <!ENTITY iptables-md5sum        "602ba7e937c72fbb7b1c2b71c3b0004b">
+  <!ENTITY iptables-size          "704 KB">
+  <!ENTITY iptables-buildsize     "22 MB">
+  <!ENTITY iptables-time          "0.1 SBU">
 ]>
 
@@ -17 +17 @@
 
   <sect1info>
-    <othername>$LastChangedBy$</othername>
     <date>$Date$</date>
   </sect1info>
@@ -32 +31 @@
     <para>
       <application>iptables</application> is a userspace command line program
-      used to configure Linux 2.4 and later kernel packet filtering ruleset.
+      used to configure the Linux 2.4 and later kernel packet filtering ruleset.
     </para>
 
-    &lfs10_checked;
+    &lfs110a_checked;
 
     <bridgehead renderas="sect3">Package Information</bridgehead>
@@ -78 +77 @@
       <xref linkend="libpcap"/> (required for nfsypproxy support),
       <ulink url="https://github.com/tadamdam/bpf-utils">bpf-utils</ulink>
-      (required for Berkely Packet Filter support),
+      (required for Berkeley Packet Filter support),
       <ulink url="https://netfilter.org/projects/libnfnetlink/">libnfnetlink</ulink>
       (required for connlabel support),
-      <ulink url="https://netfilter.org/projects/libnetfilter_conntrack/">libnetfilter_conntrack"</ulink>, and 
-      (required for connlabel support)
+      <ulink url="https://netfilter.org/projects/libnetfilter_conntrack/">libnetfilter_conntrack</ulink>
+      (required for connlabel support), and 
       <ulink url="https://netfilter.org/projects/nftables/">nftables</ulink>
     </para>
@@ -149 +148 @@
 
 <screen><userinput>./configure --prefix=/usr      \
-            --sbindir=/sbin    \
             --disable-nftables \
-            --enable-libipq    \
-            --with-xtlibdir=/lib/xtables &amp;&amp;
+            --enable-libipq    &amp;&amp;
 make</userinput></screen>
 
@@ -168 +165 @@
     </para>
 
-<screen role="root"><userinput>make install &amp;&amp;
-ln -sfv ../../sbin/xtables-legacy-multi /usr/bin/iptables-xml &amp;&amp;
-
-for file in ip4tc ip6tc ipq xtables
-do
-  mv -v /usr/lib/lib${file}.so.* /lib &amp;&amp;
-  ln -sfv ../../lib/$(readlink /usr/lib/lib${file}.so) /usr/lib/lib${file}.so
-done</userinput></screen>
+<screen role="root"><userinput>make install</userinput></screen>
 
   </sect2>
@@ -184 +174 @@
     <para>
       <parameter>--disable-nftables</parameter>: This switch disables building
-      nftables compat. <!--Omit this switch if you have installed
+      nftables compatibility. <!--Omit this switch if you have installed
       <xref linkend="nftables"/>.-->
     </para>
@@ -195 +185 @@
 
     <para>
-      <parameter>--with-xtlibdir=/lib/xtables</parameter>: Ensure all
-      <application>iptables</application> modules are installed in the
-      <filename class="directory">/lib/xtables</filename> directory.
-    </para>
-
-    <para>
       <option>--enable-nfsynproxy</option>: This switch enables installation
       of <application>nfsynproxy</application> SYNPROXY configuration tool.
-    </para>
-
-    <para>
-      <command>ln -sfv ../../sbin/xtables-legacy-multi /usr/bin/iptables-xml</command>:
-      Ensure the symbolic link for <command>iptables-xml</command> is relative.
     </para>
 
@@ -241 +220 @@
       <para>
         A Personal Firewall is designed to let you access all the
-        services offered on the Internet, but keep your box secure and
+        services offered on the Internet while keeping your computer secure and
         your data private.
       </para>
@@ -250 +229 @@
         url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">
         Linux 2.4 Packet Filtering HOWTO</ulink>. It is still applicable
-        to the Linux 3.x kernels.
+        to the Linux 5.x kernels.
       </para>
 
@@ -322 +301 @@
 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 
-# Log everything else. What's Windows' latest exploitable vulnerability?
+# Log everything else.
 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
 
@@ -400 +379 @@
 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 
-# Log everything else. What's Windows' latest exploitable vulnerability?
+# Log everything else.
 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
 
@@ -434 +413 @@
 
       <para>
-        A network Firewall has two interfaces, one connected to an
+        A Network Firewall has two interfaces, one connected to an
         intranet, in this example <emphasis role="strong">LAN1</emphasis>,
         and one connected to the Internet, here <emphasis
         role="strong">WAN1</emphasis>. To provide the maximum security
         for the firewall itself, make sure that there are no unnecessary
-        servers running on it such as <application>X11</application> et al.
+        servers running on it such as <application>X11</application>.
         As a general principle, the firewall itself should not access
         any untrusted service (think of a remote server giving answers that
@@ -460 +439 @@
 echo "You can find additional information"
 echo "about firewalls in Chapter 4 of the BLFS book."
-echo "http://www.&lfs-domainname;/blfs"
+echo "https://www.&lfs-domainname;/blfs"
 echo
 
@@ -756 +735 @@
         </listitem>
         <listitem>
-          <para id='fw-BB-4-ipt' xreflabel="BusyBox with iptable example number 4">
+          <para id='fw-BB-4-ipt' xreflabel="BusyBox with iptables example number 4">
             If you are frequently accessing FTP servers or enjoy chatting, you
             might notice delays because some implementations of these daemons
@@ -874 +853 @@
       <seglistitem>
         <seg>
-          ip6tables, ip6tables-restore, ip6tables-save, iptables, iptables-restore,
-          iptables-save, iptables-xml, nfsynproxy (optional) and xtables-multi
+          ip6tables, 
+          ip6tables-apply,
+          ip6tables-legacy,
+          ip6tables-legacy-restore,
+          ip6tables-legacy-save,
+          ip6tables-restore, 
+          ip6tables-save, 
+          iptables, 
+          iptables-apply,
+          iptables-legacy,
+          iptables-legacy-restore,
+          iptables-legacy-apply,
+          iptables-restore,
+          iptables-save, 
+          iptables-xml, 
+          nfsynproxy (optional),
+          and xtables-multi
         </seg>
         <seg>
-          libip4tc.so, libip6tc.so, libipq.so, libiptc.so, and libxtables.so
+          libip4tc.so, 
+          libip6tc.so, 
+          libipq.so, 
+          libiptc.so,
+          and libxtables.so
         </seg>
         <seg>
-          /lib/xtables and /usr/include/libiptc
+          /lib/xtables and 
+          /usr/include/libiptc
         </seg>
       </seglistitem>
@@ -896 +895 @@
           <para>
             is used to set up, maintain, and inspect the tables of
-            IP packet filter rules in the Linux kernel.
+            IP packet filter rules in the Linux kernel
           </para>
           <indexterm zone="iptables iptables-prog">
@@ -904 +903 @@
       </varlistentry>
 
+      <varlistentry id="iptables-apply">
+        <term><command>iptables-apply</command></term>
+        <listitem>
+          <para>
+            is a safer way to update iptables remotely
+          </para>
+          <indexterm zone="iptables iptables-apply">
+            <primary sortas="b-iptables-apply">iptables-apply</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry id="iptables-legacy">
+        <term><command>iptables-legacy</command></term>
+        <listitem>
+          <para>
+            is used to interact with iptables using the legacy command set
+          </para>
+          <indexterm zone="iptables iptables-legacy">
+            <primary sortas="b-iptables-legacy">iptables-legacy</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry id="iptables-legacy-restore">
+        <term><command>iptables-legacy-restore</command></term>
+        <listitem>
+          <para>
+            is used to restore a set of legacy iptables rules
+          </para>
+          <indexterm zone="iptables iptables-legacy-restore">
+            <primary sortas="b-iptables-legacy-restore">iptables-legacy-restore</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry id="iptables-legacy-save">
+        <term><command>iptables-legacy-save</command></term>
+        <listitem>
+          <para>
+            is used to save a set of legacy iptables rules
+          </para>
+          <indexterm zone="iptables iptables-legacy-save">
+            <primary sortas="b-iptables-legacy-save">iptables-legacy-save</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+
       <varlistentry id="iptables-restore">
         <term><command>iptables-restore</command></term>
@@ -910 +957 @@
             is used to restore IP Tables from data specified on
             STDIN. Use I/O redirection provided by your
-            shell to read from a file.
+            shell to read from a file
           </para>
           <indexterm zone="iptables iptables-restore">
@@ -924 +971 @@
             is used to dump the contents of an IP Table in easily
             parseable format to STDOUT. Use I/O-redirection
-            provided by your shell to write to a file.
+            provided by your shell to write to a file
           </para>
           <indexterm zone="iptables iptables-save">
@@ -939 +986 @@
             <command>iptables-save</command> to an XML format. Using the
             <filename>iptables.xslt</filename> stylesheet converts the XML
-            back to the format of <command>iptables-restore</command>.
+            back to the format of <command>iptables-restore</command>
           </para>
           <indexterm zone="iptables iptables-xml">
@@ -952 +999 @@
           <para>
             are a set of commands for IPV6 that parallel the iptables
-            commands above.
+            commands above
           </para>
           <indexterm zone="iptables ip6tables">
@@ -966 +1013 @@
             (optional) configuration tool. SYNPROXY target makes handling of
             large SYN floods possible without the large performance penalties
-            imposed by the connection tracking in such cases.
+            imposed by the connection tracking in such cases
           </para>
           <indexterm zone="iptables nfsynproxy">
@@ -978 +1025 @@
         <listitem>
           <para>
-            is a binary that behaves according to the name it is called by.
+            is a binary that behaves according to the name it is called by
           </para>
           <indexterm zone="iptables xtables-multi">