Changes in postlfs/security/iptables.xml [92d18a9:da54a62]
postlfs/security/iptables.xml
r92d18a9 rda54a62 7 7 <!ENTITY iptables-download-http "http://www.netfilter.org/projects/iptables/files/iptables-&iptables-version;.tar.bz2"> 8 8 <!ENTITY iptables-download-ftp "ftp://ftp.netfilter.org/pub/iptables/iptables-&iptables-version;.tar.bz2"> 9 <!ENTITY iptables-md5sum " bc0f0adccc93c09dc5b7507ccba93148">10 <!ENTITY iptables-size "70 0KB">11 <!ENTITY iptables-buildsize " 17MB">12 <!ENTITY iptables-time "0. 2SBU">9 <!ENTITY iptables-md5sum "602ba7e937c72fbb7b1c2b71c3b0004b"> 10 <!ENTITY iptables-size "704 KB"> 11 <!ENTITY iptables-buildsize "22 MB"> 12 <!ENTITY iptables-time "0.1 SBU"> 13 13 ]> 14 14 … … 17 17 18 18 <sect1info> 19 <othername>$LastChangedBy$</othername>20 19 <date>$Date$</date> 21 20 </sect1info> … … 32 31 <para> 33 32 <application>iptables</application> is a userspace command line program 34 used to configure Linux 2.4 and later kernel packet filtering ruleset.33 used to configure the Linux 2.4 and later kernel packet filtering ruleset. 35 34 </para> 36 35 37 &lfs1 0_checked;36 &lfs110a_checked; 38 37 39 38 <bridgehead renderas="sect3">Package Information</bridgehead> … … 78 77 <xref linkend="libpcap"/> (required for nfsypproxy support), 79 78 <ulink url="https://github.com/tadamdam/bpf-utils">bpf-utils</ulink> 80 (required for Berkel y Packet Filter support),79 (required for Berkeley Packet Filter support), 81 80 <ulink url="https://netfilter.org/projects/libnfnetlink/">libnfnetlink</ulink> 82 81 (required for connlabel support), 83 <ulink url="https://netfilter.org/projects/libnetfilter_conntrack/">libnetfilter_conntrack "</ulink>, and84 (required for connlabel support) 82 <ulink url="https://netfilter.org/projects/libnetfilter_conntrack/">libnetfilter_conntrack</ulink> 83 (required for connlabel support), and 85 84 <ulink url="https://netfilter.org/projects/nftables/">nftables</ulink> 86 85 </para> … … 149 148 150 149 <screen><userinput>./configure --prefix=/usr \ 151 --sbindir=/sbin \152 150 --disable-nftables \ 153 --enable-libipq \ 
154 --with-xtlibdir=/lib/xtables && 151 --enable-libipq && 155 152 make</userinput></screen> 156 153 … … 168 165 </para> 169 166 170 <screen role="root"><userinput>make install && 171 ln -sfv ../../sbin/xtables-legacy-multi /usr/bin/iptables-xml && 172 173 for file in ip4tc ip6tc ipq xtables 174 do 175 mv -v /usr/lib/lib${file}.so.* /lib && 176 ln -sfv ../../lib/$(readlink /usr/lib/lib${file}.so) /usr/lib/lib${file}.so 177 done</userinput></screen> 167 <screen role="root"><userinput>make install</userinput></screen> 178 168 179 169 </sect2> … … 184 174 <para> 185 175 <parameter>--disable-nftables</parameter>: This switch disables building 186 nftables compat . <!--Omit this switch if you have installed176 nftables compatibility. <!--Omit this switch if you have installed 187 177 <xref linkend="nftables"/>.--> 188 178 </para> … … 195 185 196 186 <para> 197 <parameter>--with-xtlibdir=/lib/xtables</parameter>: Ensure all198 <application>iptables</application> modules are installed in the199 <filename class="directory">/lib/xtables</filename> directory.200 </para>201 202 <para>203 187 <option>--enable-nfsynproxy</option>: This switch enables installation 204 188 of <application>nfsynproxy</application> SYNPROXY configuration tool. 205 </para>206 207 <para>208 <command>ln -sfv ../../sbin/xtables-legacy-multi /usr/bin/iptables-xml</command>:209 Ensure the symbolic link for <command>iptables-xml</command> is relative.210 189 </para> 211 190 … … 241 220 <para> 242 221 A Personal Firewall is designed to let you access all the 243 services offered on the Internet , but keep your boxsecure and222 services offered on the Internet while keeping your computer secure and 244 223 your data private. 245 224 </para> … … 250 229 url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html"> 251 230 Linux 2.4 Packet Filtering HOWTO</ulink>. It is still applicable 252 to the Linux 3.x kernels.231 to the Linux 5.x kernels. 
253 232 </para> 254 233 … … 322 301 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 323 302 324 # Log everything else. What's Windows' latest exploitable vulnerability?303 # Log everything else. 325 304 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " 326 305 … … 400 379 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 401 380 402 # Log everything else. What's Windows' latest exploitable vulnerability?381 # Log everything else. 403 382 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " 404 383 … … 434 413 435 414 <para> 436 A network Firewall has two interfaces, one connected to an415 A Network Firewall has two interfaces, one connected to an 437 416 intranet, in this example <emphasis role="strong">LAN1</emphasis>, 438 417 and one connected to the Internet, here <emphasis 439 418 role="strong">WAN1</emphasis>. To provide the maximum security 440 419 for the firewall itself, make sure that there are no unnecessary 441 servers running on it such as <application>X11</application> et al.420 servers running on it such as <application>X11</application>. 442 421 As a general principle, the firewall itself should not access 443 422 any untrusted service (think of a remote server giving answers that … … 460 439 echo "You can find additional information" 461 440 echo "about firewalls in Chapter 4 of the BLFS book." 
462 echo "http ://www.&lfs-domainname;/blfs"441 echo "https://www.&lfs-domainname;/blfs" 463 442 echo 464 443 … … 756 735 </listitem> 757 736 <listitem> 758 <para id='fw-BB-4-ipt' xreflabel="BusyBox with iptable example number 4">737 <para id='fw-BB-4-ipt' xreflabel="BusyBox with iptables example number 4"> 759 738 If you are frequently accessing FTP servers or enjoy chatting, you 760 739 might notice delays because some implementations of these daemons … … 874 853 <seglistitem> 875 854 <seg> 876 ip6tables, ip6tables-restore, ip6tables-save, iptables, iptables-restore, 877 iptables-save, iptables-xml, nfsynproxy (optional) and xtables-multi 855 ip6tables, 856 ip6tables-apply, 857 ip6tables-legacy, 858 ip6tables-legacy-restore, 859 ip6tables-legacy-save, 860 ip6tables-restore, 861 ip6tables-save, 862 iptables, 863 iptables-apply, 864 iptables-legacy, 865 iptables-legacy-restore, 866 iptables-legacy-apply, 867 iptables-restore, 868 iptables-save, 869 iptables-xml, 870 nfsynproxy (optional), 871 and xtables-multi 878 872 </seg> 879 873 <seg> 880 libip4tc.so, libip6tc.so, libipq.so, libiptc.so, and libxtables.so 874 libip4tc.so, 875 libip6tc.so, 876 libipq.so, 877 libiptc.so, 878 and libxtables.so 881 879 </seg> 882 880 <seg> 883 /lib/xtables and /usr/include/libiptc 881 /lib/xtables and 882 /usr/include/libiptc 884 883 </seg> 885 884 </seglistitem> … … 896 895 <para> 897 896 is used to set up, maintain, and inspect the tables of 898 IP packet filter rules in the Linux kernel .897 IP packet filter rules in the Linux kernel 899 898 </para> 900 899 <indexterm zone="iptables iptables-prog"> … … 904 903 </varlistentry> 905 904 905 <varlistentry id="iptables-apply"> 906 <term><command>iptables-apply</command></term> 907 <listitem> 908 <para> 909 is a safer way to update iptables remotely 910 </para> 911 <indexterm zone="iptables iptables-apply"> 912 <primary sortas="b-iptables-apply">iptables-apply</primary> 913 </indexterm> 914 </listitem> 915 </varlistentry> 916 917 
<varlistentry id="iptables-legacy"> 918 <term><command>iptables-legacy</command></term> 919 <listitem> 920 <para> 921 is used to interact with iptables using the legacy command set 922 </para> 923 <indexterm zone="iptables iptables-legacy"> 924 <primary sortas="b-iptables-legacy">iptables-legacy</primary> 925 </indexterm> 926 </listitem> 927 </varlistentry> 928 929 <varlistentry id="iptables-legacy-restore"> 930 <term><command>iptables-legacy-restore</command></term> 931 <listitem> 932 <para> 933 is used to restore a set of legacy iptables rules 934 </para> 935 <indexterm zone="iptables iptables-legacy-restore"> 936 <primary sortas="b-iptables-legacy-restore">iptables-legacy-restore</primary> 937 </indexterm> 938 </listitem> 939 </varlistentry> 940 941 <varlistentry id="iptables-legacy-save"> 942 <term><command>iptables-legacy-save</command></term> 943 <listitem> 944 <para> 945 is used to save a set of legacy iptables rules 946 </para> 947 <indexterm zone="iptables iptables-legacy-save"> 948 <primary sortas="b-iptables-legacy-save">iptables-legacy-save</primary> 949 </indexterm> 950 </listitem> 951 </varlistentry> 952 906 953 <varlistentry id="iptables-restore"> 907 954 <term><command>iptables-restore</command></term> … … 910 957 is used to restore IP Tables from data specified on 911 958 STDIN. Use I/O redirection provided by your 912 shell to read from a file .959 shell to read from a file 913 960 </para> 914 961 <indexterm zone="iptables iptables-restore"> … … 924 971 is used to dump the contents of an IP Table in easily 925 972 parseable format to STDOUT. Use I/O-redirection 926 provided by your shell to write to a file .973 provided by your shell to write to a file 927 974 </para> 928 975 <indexterm zone="iptables iptables-save"> … … 939 986 <command>iptables-save</command> to an XML format. 
Using the 940 987 <filename>iptables.xslt</filename> stylesheet converts the XML 941 back to the format of <command>iptables-restore</command> .988 back to the format of <command>iptables-restore</command> 942 989 </para> 943 990 <indexterm zone="iptables iptables-xml"> … … 952 999 <para> 953 1000 are a set of commands for IPV6 that parallel the iptables 954 commands above .1001 commands above 955 1002 </para> 956 1003 <indexterm zone="iptables ip6tables"> … … 966 1013 (optional) configuration tool. SYNPROXY target makes handling of 967 1014 large SYN floods possible without the large performance penalties 968 imposed by the connection tracking in such cases .1015 imposed by the connection tracking in such cases 969 1016 </para> 970 1017 <indexterm zone="iptables nfsynproxy"> … … 978 1025 <listitem> 979 1026 <para> 980 is a binary that behaves according to the name it is called by .1027 is a binary that behaves according to the name it is called by 981 1028 </para> 982 1029 <indexterm zone="iptables xtables-multi">
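Review bot: the md5sum, size, build size and SBU entities are updated (lines 9-12), but the &iptables-version; entity they depend on lies outside the shown context; confirm the version bump is part of this same changeset, because the new md5sum "602ba7e937c72fbb7b1c2b71c3b0004b" only verifies the tarball named by the download URLs at lines 7-8 for that one version, and a stale version entity would leave the download check silently mismatched.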
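Review bot: the dependency list hunk fixes "Berkeley" and the stray quote after libnetfilter_conntrack, but the unchanged context line for libpcap still reads "(required for nfsypproxy support)"; it should read "nfsynproxy", matching the --enable-nfsynproxy switch in the command explanations and the nfsynproxy entry in Installed Programs. Suggest fixing it in the same changeset so the page's three spellings agree.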
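Review bot: the Installed Directories entry at line 881 still lists /lib/xtables, yet the configure hunk removes --with-xtlibdir=/lib/xtables (old line 154) and --sbindir=/sbin (old line 151), so the modules will no longer be placed there by default. Either keep a --with-xtlibdir option pointing at the intended directory or update that entry to wherever the default configure now installs the modules; the explanation paragraph for the removed option is correctly dropped at old lines 197-200, so only the seg list is stale. The removal of the post-install lib move loop (old lines 173-177) and the relative iptables-xml symlink, together with its explanation at old lines 207-210, is consistent with the rest of the hunk.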
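Review bot: the unrelated question text appended to the "Log everything else." comment is correctly removed in both copies of the personal firewall script (old lines 324 and 402). While these lines are being touched, consider rate-limiting the catch-all LOG rule directly below each comment (for example with `-m limit --limit 3/min --limit-burst 5`), since an unrestricted log of every remaining INPUT packet can flood the system log under scan or flood traffic and bury the entries a reader actually wants to see.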
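Review bot: line 866 in the Installed Programs list reads "iptables-legacy-apply", which matches neither the ip6tables block (line 859 lists ip6tables-legacy-save) nor the new description entry for iptables-legacy-save added at lines 941-951; it should read "iptables-legacy-save". The list also still ends with "xtables-multi" (line 871), while the removed install command at old line 171 refers to the binary as xtables-legacy-multi; check the program name and its description entry (old line 978 onward) against what make install actually creates with --disable-nftables, and add matching description entries for ip6tables-apply and the ip6tables-legacy* programs if the list is meant to be exhaustive.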