Changeset dd362e5


Ignore:
Timestamp:
01/13/2005 01:25:45 AM (17 years ago)
Author:
Randy McMurchy <randy@…>
Branches:
10.0, 10.1, 11.0, 6.0, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, krejzi/svn, lazarus, nosym, perl-modules, qt5new, systemd-11177, systemd-13485, trunk, xry111/git-date, xry111/git-date-for-trunk, xry111/git-date-test
Children:
77d9f1c
Parents:
4ee1c44
Message:

Fixed instructions in the first 110 pages of the PDF version so that line lengths don't exceed the viewable area

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@3272 af4574ff-66df-0310-9fd7-8a98e5e911e0

Location:
postlfs
Files:
4 edited

Legend:

Unmodified
Added
Removed
  • postlfs/config/profile.xml

    r4ee1c44 rdd362e5  
    220220
    221221<screen><userinput><command>cat &gt; /etc/profile.d/tinker-term.sh &lt;&lt; "EOF"</command>
    222 # This will tinker with the value of TERM in order to convince certain apps
    223 # that we can, indeed, display color in their window.
     222# This will tinker with the value of TERM in order to convince certain
     223# apps that we can, indeed, display color in their window.
    224224 
    225225if [ -n "$COLORTERM" ]; then
     
    275275 
    276276<screen><userinput><command>cat &gt; /etc/profile.d/xterm-titlebars.sh &lt;&lt; "EOF"</command>
    277 # The substring match ensures this will work for "xterm" and "xterm-xfree86".
     277# The substring match ensures this works for "xterm" and "xterm-xfree86".
    278278if [ "${TERM:0:5}" = "xterm" ]; then
    279279  PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME} : ${PWD}\007"'
     
    383383# Provides prompt for non-login shells, specifically shells started
    384384# in the <application>X</application> environment. [Review the LFS archive thread titled
    385 # PS1 Environment Variable for a great case study behind this script addendum.]
     385# PS1 Environment Variable for a great case study behind this script
     386# addendum.]
    386387
    387388#export PS1="[\u@\h \w]\\$ "
  • postlfs/security/firewalling.xml

    r4ee1c44 rdd362e5  
    66]>
    77
    8 <sect1 id="postlfs-security-fw-firewall" xreflabel="Firewalling">
     8<sect1 id="fw-firewall" xreflabel="Firewalling">
    99<sect1info>
    1010<othername>$LastChangedBy$</othername>
     
    1717have already installed iptables as described in the previous section.</para>
    1818
    19 
    20 <sect2 id="postlfs-security-fw-intro" xreflabel="Firewalling Introduction">
     19<sect2 id="fw-intro" xreflabel="Firewalling Introduction">
    2120<title>Introduction to Firewall Creation</title>
    2221
     
    3534may wish to choose which services are accessible by certain machines,
    3635you may wish to limit which machines or applications are allowed
    37 to have Internet access, or you may simply  not trust some of your
    38 apps or users.
    39 In these situations you might  benefit by using a firewall.</para>
     36to have Internet access, or you may simply not trust some of your
     37apps or users. In these situations you might benefit by using a
     38firewall.</para>
    4039
    4140<para>Don't assume however, that having a firewall makes careful
     
    5453<para>The word firewall can have several different meanings.</para>
    5554
    56 <sect3><title><xref linkend="postlfs-security-fw-persFw"/></title>
     55<sect3><title><xref linkend="fw-persFw"/></title>
    5756
    5857<para>This is a setup or program, for Windows commercially sold by
     
    6463broadband links.</para></sect3>
    6564
    66 <sect3><title><xref linkend="postlfs-security-fw-masqRouter"/></title>
     65<sect3><title><xref linkend="fw-masqRouter"/></title>
    6766<para>This is a box placed between the Internet and an intranet.
    6867To minimize the risk of compromising the firewall itself it
     
    7473itself) are commonly considered harmless.</para></sect3>
    7574
    76 <sect3><title><xref linkend="postlfs-security-fw-busybox"/></title>
     75<sect3><title><xref linkend="fw-busybox"/></title>
    7776<para>This is often an old box you may have retired and nearly forgotten,
    7877performing masquerading or routing functions, but offering a bunch of
     
    9291
    9392<sect3><title>Packetfilter / partly accessible net [partly described
    94 here, see <xref linkend="postlfs-security-fw-busybox"/>]</title>
     93here, see <xref linkend="fw-busybox"/>]</title>
    9594<para>Doing routing or masquerading, but permitting only selected
    9695services to be accessible, sometimes only by selected internal users or boxes;
     
    121120<para>Customization of these scripts for your specific situation will
    122121be necessary for an optimal configuration, but you should make a serious
    123 study of the iptables documentation and creating firewalls in general before hacking
    124 away.  Have a look at the list of <xref linkend="postlfs-security-fw-library"/> at the end
    125 of this section for more details.  Here you will find a list of URLs that
    126 contain quite comprehensive information about building your own firewall.</para>
     122study of the iptables documentation and creating firewalls in general before
     123hacking away.  Have a look at the list of
     124<xref linkend="fw-library"/> at the end of this section for
     125more details.  Here you will find a list of URLs that contain quite
     126comprehensive information about building your own firewall.</para>
    127127
    128128</sect2>
    129129
    130 
    131 <sect2 id="postlfs-security-fw-kernel" xreflabel="getting a firewalling-enabled Kernel">
     130<sect2 id="fw-kernel" xreflabel="getting a firewalling-enabled Kernel">
    132131<title>Getting a firewall enabled Kernel</title>
    133132
    134133<para>If you want your Linux-Box to have a firewall, you must first ensure
    135134that your kernel has been compiled with the relevant options turned on.
    136 <!-- <footnote><para>If you needed assistance how to configure, compile and install
    137 a new kernel, refer back to chapter VIII of the LinuxFromScratch book,
    138 <ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html">Installing a kernel</ulink>
    139  and eventually
    140 <ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html">Making the LFS system bootable</ulink>
    141 ; note, that you'll need to reboot
     135<!-- <footnote><para>If you needed assistance how to configure, compile and
     136install a new kernel, refer back to chapter VIII of the LinuxFromScratch book,
     137<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html">
     138Installing a kernel</ulink> and eventually
     139<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html">
     140Making the LFS system bootable</ulink>; note, that you'll need to reboot
    142141to actually run your new kernel.</para></footnote>-->
    143142</para>
     
    266265</sect2>
    267266
    268 
    269 <sect2 id="postlfs-security-fw-writing" xreflabel="writing the firewalling-setup-scripts">
     267<sect2 id="fw-writing" xreflabel="writing the firewalling-setup-scripts">
    270268<title>Now you can start to build your Firewall</title>
    271269
    272 
    273 <sect3 id="postlfs-security-fw-persFw" xreflabel="Personal Firewall">
     270<sect3 id="fw-persFw" xreflabel="Personal Firewall">
    274271<title>Personal Firewall</title>
    275272
     
    278275
    279276<para>Below is a slightly modified version of Rusty Russell's recommendation
    280 from the <ulink
    281 url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">Linux
    282 2.4 Packet Filtering HOWTO</ulink>:</para>
     277from the <ulink 
     278url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">
     279Linux 2.4 Packet Filtering HOWTO</ulink>:</para>
    283280
    284281<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</command>
     
    287284# Begin $rc_base/init.d/firewall
    288285
    289 # Insert connection-tracking modules (not needed if built into the kernel).
     286# Insert connection-tracking modules
     287# (not needed if built into the kernel)
    290288modprobe ip_tables
    291289modprobe iptable_filter
     
    297295# allow local-only connections
    298296iptables -A INPUT  -i lo -j ACCEPT
    299 # free output on any interface to any ip for any service (equal to -P ACCEPT)
     297
     298# free output on any interface to any ip for any service
     299# (equal to -P ACCEPT)
    300300iptables -A OUTPUT -j ACCEPT
    301301
    302302# permit answers on already established connections
    303 # and permit new connections related to established ones (eg active-ftp)
     303# and permit new connections related to established ones
     304# (eg active-ftp)
    304305iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    305306
     
    312313iptables -P OUTPUT   DROP
    313314
    314 # be verbose on dynamic ip-addresses     (not needed in case of static IP)
     315# be verbose on dynamic ip-addresses  (not needed in case of static IP)
    315316echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
    316317
    317 # disable ExplicitCongestionNotification - too many routers are still ignorant
     318# disable ExplicitCongestionNotification
     319# too many routers are still ignorant
    318320echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
    319321
     
    326328
    327329<para>If you frequently encounter certain delays at accessing ftp-servers,
    328 please have a look at <xref linkend="postlfs-security-fw-busybox"/> -
    329 <xref linkend="postlfs-security-fw-BB-4"/>.</para>
     330please have a look at <xref linkend="fw-busybox"/> -
     331<xref linkend="fw-BB-4"/>.</para>
    330332
    331333<para>Even if you have daemons or services running on your box, these
    332334should be inaccessible everywhere but from your box itself.
    333 If you want to allow access to services on your machine, such as ssh or pinging,
    334 take a look at <xref linkend="postlfs-security-fw-busybox"/>.</para>
     335If you want to allow access to services on your machine, such as ssh or
     336pinging, take a look at <xref linkend="fw-busybox"/>.</para>
    335337
    336338</sect3>
    337339
    338340
    339 <sect3 id="postlfs-security-fw-masqRouter" xreflabel="Masquerading Router">
     341<sect3 id="fw-masqRouter" xreflabel="Masquerading Router">
    340342<title>Masquerading Router</title>
    341343
     
    346348make sure that there are no servers running on it, especially not
    347349<application>X11</application> et
    348 al.  And, as a general principle, the box itself should not access any untrusted
    349 service (Think of a name server giving answers that make your
     350al.  And, as a general principle, the box itself should not access any
     351untrusted service (Think of a name server giving answers that make your
    350352bind crash, or, even worse, that implement a worm via a
    351353buffer-overflow).</para>
     
    389391iptables -A FORWARD -m state --state NEW -i ! ppp+       -j ACCEPT
    390392
    391 # do masquerading    (not needed if intranet is not using private ip-addresses)
     393# do masquerading
     394# (not needed if intranet is not using private ip-addresses)
    392395iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
    393396
    394 # Log everything for debugging (last of all rules, but before DROP/REJECT)
     397# Log everything for debugging
     398# (last of all rules, but before DROP/REJECT)
    395399iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT  "
    396400iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
     
    402406iptables -P OUTPUT  DROP
    403407
    404 # be verbose on dynamic ip-addresses (not needed in case of static IP)
     408# be verbose on dynamic ip-addresses
     409# (not needed in case of static IP)
    405410echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
    406411
     
    436441<para>If you need stronger security (e.g., against DOS, connection
    437442highjacking, spoofing, etc.), have a look at the list of
    438 <xref linkend="postlfs-security-fw-library"/> at the end of this section.</para>
     443<xref linkend="fw-library"/> at the end of this section.</para>
    439444
    440445</sect3>
    441446
    442 <sect3 id="postlfs-security-fw-busybox" xreflabel="BusyBox">
     447<sect3 id="fw-busybox" xreflabel="BusyBox">
    443448<title>BusyBox</title>
    444449
    445 <para>This scenario isn't too different from (<xref linkend="postlfs-security-fw-masqRouter"/>),
     450<para>This scenario isn't too different from (<xref linkend="fw-masqRouter"/>),
    446451but in this case you want to offer some services to your intranet.
    447452Examples of this can be when you want to admin your box from another host
     
    453458<para>Be cautious.  Every service you offer and have enabled makes your
    454459setup more complex and your box less secure. You induce the risks of
    455 misconfigured services or running a service with an exploitable bug.  A firewall
    456 should generally not run any extra services.  See the introduction to
    457 <xref linkend="postlfs-security-fw-masqRouter"/> for some more details.</para>
     460misconfigured services or running a service with an exploitable bug.  A
     461firewall should generally not run any extra services.  See the introduction to
     462<xref linkend="fw-masqRouter"/> for some more details.</para>
    458463
    459464<para>If the services you'd like to offer do not need to access the Internet
     
    470475
    471476<screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED  -j ACCEPT
    472 iptables -A OUTPUT                                      -j ACCEPT</screen>
    473 
    474 <para>However, it is generally not advisable to leave OUTPUT unrestricted. You lose
    475 any control over trojans who'd like to "call home", and a bit of redundancy in case
    476 you've (mis-)configured a service so that it does broadcast its existence to the
    477 world.</para>
     477iptables -A OUTPUT                                     -j ACCEPT</screen>
     478
     479<para>However, it is generally not advisable to leave OUTPUT unrestricted. You
     480lose any control over trojans who'd like to "call home", and a bit of
     481redundancy in case you've (mis-)configured a service so that it does broadcast
     482its existence to the world.</para>
    478483
    479484<para>If you prefer to have this protection, you may restrict INPUT and OUTPUT
     
    486491
    487492<listitem><para>Squid is caching the web:</para>
    488 <screen>iptables -A OUTPUT -p tcp --dport 80                              -j ACCEPT
    489 iptables -A INPUT  -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT</screen></listitem>
     493<screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
     494iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED \
     495-j ACCEPT</screen>
     496</listitem>
    490497
    491498<listitem><para>Your caching name server (e.g., dnscache) does its
    492499lookups via udp:</para>
    493 <screen>iptables -A OUTPUT -p udp --dport 53                              -j ACCEPT
    494 iptables -A INPUT  -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT</screen></listitem>
    495 
    496 <listitem><para>Alternatively, if you want to be able to ping your box to ensure
    497 it's still alive:</para>
     500<screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
     501iptables -A INPUT  -p udp --sport 53 -m state --state ESTABLISHED \
     502-j ACCEPT</screen>
     503</listitem>
     504
     505<listitem><para>Alternatively, if you want to be able to ping your box to
     506ensure it's still alive:</para>
     507
    498508<screen>iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT
    499 iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT</screen></listitem>
    500 
    501 <listitem><para><anchor id='postlfs-security-fw-BB-4' xreflabel="example no. 4"/>If you are
     509iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT</screen>
     510</listitem>
     511
     512<listitem><para><anchor id='fw-BB-4' xreflabel="example no. 4"/>If you are
    502513frequently accessing ftp-servers or enjoy chatting, you might notice certain
    503514delays because some implementations of these daemons have the feature of
     
    510521
    511522<screen>iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    512 iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen></listitem>
     523iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen>
     524</listitem>
    513525
    514526<listitem><para>To log and drop invalid packets (harmless packets
    515527that came in after netfilter's timeout or some types of network scans):</para>
    516528
    517 <screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix \
    518 "FIREWALL:INVALID"
     529<screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG \
     530--log-prefix "FIREWALL:INVALID"
    519531iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></listitem>
    520532
     
    524536<screen>iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8     -j DROP
    525537iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12  -j DROP
    526 iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP</screen></listitem>
     538iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP</screen>
     539</listitem>
    527540
    528541<listitem><para>To simplify debugging and be fair to anyone who'd like to
     
    548561maybe even in FORWARD and for intranet-communication, and delete the
    549562general clauses, you get an old fashioned packet filter.</para>
    550 
    551 
    552563</sect3>
    553564
    554565</sect2>
    555566
    556 
    557 <sect2 id="postlfs-security-fw-finale" xreflabel="Conclusion">
     567<sect2 id="fw-finale" xreflabel="Conclusion">
    558568<title>Conclusion</title>
    559569
     
    579589</sect2>
    580590
    581 
    582591<sect2 id="postlfs-security-fw-extra" xreflabel="Extra Information">
    583592<title>Extra Information</title>
    584593
    585 <sect3 id="postlfs-security-fw-library" xreflabel="Links for further reading">
     594<sect3 id="fw-library" xreflabel="Links for further reading">
    586595<title>Where to start with further reading on firewalls.</title>
    587596
     
    611620<ulink url="http://www.robertgraham.com/pubs/firewall-seen.html">www.robertgraham.com/pubs/firewall-seen.html</ulink>
    612621</literallayout></blockquote></para>
    613 
    614 <!-- <para>If a link proves to be dead or if you think I missed one,
    615 please mail!</para> -->
    616 
    617622</sect3>
    618623
    619 <sect3 id="postlfs-security-fw-status" xreflabel="/etc/rc.d/init.d/firewall.status">
     624<sect3 id="fw-status" xreflabel="/etc/rc.d/init.d/firewall.status">
    620625<title>firewall.status</title>
    621626
     
    666671iptables -P OUTPUT      ACCEPT
    667672<command>EOF</command></userinput></screen>
    668 
    669673</sect3>
    670674
    671675</sect2>
     676
    672677</sect1>
    673678
  • postlfs/security/iptables.xml

    r4ee1c44 rdd362e5  
    3535to configure the relevant options into your kernel.  This is discussed
    3636in the next part of this chapter &ndash;
    37 <xref linkend="postlfs-security-fw-kernel"/>.</para>
     37<xref linkend="fw-kernel"/>.</para>
    3838
    3939<para>If you intend to use <acronym>IP</acronym>v6 you might consider extending
  • postlfs/security/tripwire.xml

    r4ee1c44 rdd362e5  
    6868<title>Command explanations</title>
    6969
    70 <para><command>sed -i -e 's@TWDB="${prefix}@TWDB="/var/lib@' install/install.cfg</command>:
    71 This command tells the package to install the program database and reports in
     70<para><command>sed -i -e 's@TWDB="${prefix}@TWDB="/var/lib@'
     71install/install.cfg</command>: This command tells the package to install the
     72program database and reports in
    7273<filename>/var/lib/tripwire</filename>.</para>
    7374
     
    119120configuration steps:</para>
    120121
    121 <screen><userinput><command>twadmin --create-polfile --site-keyfile=/etc/tripwire site.key /etc/tripwire/twpol.txt &amp;&amp;
     122<screen><userinput><command>twadmin --create-polfile --site-keyfile=/etc/tripwire site.key \
     123    /etc/tripwire/twpol.txt &amp;&amp;
    122124tripwire --init</command></userinput></screen>
    123125
     
    147149substitutions for <replaceable>[?]</replaceable>:</para>
    148150
    149 <screen><userinput><command>tripwire --update -twrfile /var/lib/tripwire/report/linux-<replaceable>[???????]</replaceable>-<replaceable>[??????]</replaceable>.twr</command></userinput></screen>
     151<screen><userinput><command>tripwire --update -twrfile \
     152    /var/lib/tripwire/report/linux-<replaceable>[???????]</replaceable>-<replaceable>[??????]</replaceable>.twr</command></userinput></screen>
    150153
    151154<para>You will be placed into <application>vim</application> with a copy of
Note: See TracChangeset for help on using the changeset viewer.