Changeset dd362e5 for postlfs/security
- Timestamp:
- 01/13/2005 01:25:45 AM (19 years ago)
- Branches:
- 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.0, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children:
- 77d9f1c
- Parents:
- 4ee1c44
- Location:
- postlfs/security
- Files:
- 3 edited
postlfs/security/firewalling.xml
r4ee1c44 rdd362e5 6 6 ]> 7 7 8 <sect1 id=" postlfs-security-fw-firewall" xreflabel="Firewalling">8 <sect1 id="fw-firewall" xreflabel="Firewalling"> 9 9 <sect1info> 10 10 <othername>$LastChangedBy$</othername> … … 17 17 have already installed iptables as described in the previous section.</para> 18 18 19 20 <sect2 id="postlfs-security-fw-intro" xreflabel="Firewalling Introduction"> 19 <sect2 id="fw-intro" xreflabel="Firewalling Introduction"> 21 20 <title>Introduction to Firewall Creation</title> 22 21 … … 35 34 may wish to choose which services are accessible by certain machines, 36 35 you may wish to limit which machines or applications are allowed 37 to have Internet access, or you may simply 38 apps or users. 39 In these situations you might benefit by using afirewall.</para>36 to have Internet access, or you may simply not trust some of your 37 apps or users. In these situations you might benefit by using a 38 firewall.</para> 40 39 41 40 <para>Don't assume however, that having a firewall makes careful … … 54 53 <para>The word firewall can have several different meanings.</para> 55 54 56 <sect3><title><xref linkend=" postlfs-security-fw-persFw"/></title>55 <sect3><title><xref linkend="fw-persFw"/></title> 57 56 58 57 <para>This is a setup or program, for Windows commercially sold by … … 64 63 broadband links.</para></sect3> 65 64 66 <sect3><title><xref linkend=" postlfs-security-fw-masqRouter"/></title>65 <sect3><title><xref linkend="fw-masqRouter"/></title> 67 66 <para>This is a box placed between the Internet and an intranet. 
68 67 To minimize the risk of compromising the firewall itself it … … 74 73 itself) are commonly considered harmless.</para></sect3> 75 74 76 <sect3><title><xref linkend=" postlfs-security-fw-busybox"/></title>75 <sect3><title><xref linkend="fw-busybox"/></title> 77 76 <para>This is often an old box you may have retired and nearly forgotten, 78 77 performing masquerading or routing functions, but offering a bunch of … … 92 91 93 92 <sect3><title>Packetfilter / partly accessible net [partly described 94 here, see <xref linkend=" postlfs-security-fw-busybox"/>]</title>93 here, see <xref linkend="fw-busybox"/>]</title> 95 94 <para>Doing routing or masquerading, but permitting only selected 96 95 services to be accessible, sometimes only by selected internal users or boxes; … … 121 120 <para>Customization of these scripts for your specific situation will 122 121 be necessary for an optimal configuration, but you should make a serious 123 study of the iptables documentation and creating firewalls in general before hacking 124 away. Have a look at the list of <xref linkend="postlfs-security-fw-library"/> at the end 125 of this section for more details. Here you will find a list of URLs that 126 contain quite comprehensive information about building your own firewall.</para> 122 study of the iptables documentation and creating firewalls in general before 123 hacking away. Have a look at the list of 124 <xref linkend="fw-library"/> at the end of this section for 125 more details. 
Here you will find a list of URLs that contain quite 126 comprehensive information about building your own firewall.</para> 127 127 128 128 </sect2> 129 129 130 131 <sect2 id="postlfs-security-fw-kernel" xreflabel="getting a firewalling-enabled Kernel"> 130 <sect2 id="fw-kernel" xreflabel="getting a firewalling-enabled Kernel"> 132 131 <title>Getting a firewall enabled Kernel</title> 133 132 134 133 <para>If you want your Linux-Box to have a firewall, you must first ensure 135 134 that your kernel has been compiled with the relevant options turned on. 136 <!-- <footnote><para>If you needed assistance how to configure, compile and install137 a new kernel, refer back to chapter VIII of the LinuxFromScratch book,138 <ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html"> Installing a kernel</ulink>139 and eventually140 <ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html"> Making the LFS system bootable</ulink>141 ; note, that you'll need to reboot135 <!-- <footnote><para>If you needed assistance how to configure, compile and 136 install a new kernel, refer back to chapter VIII of the LinuxFromScratch book, 137 <ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html"> 138 Installing a kernel</ulink> and eventually 139 <ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html"> 140 Making the LFS system bootable</ulink>; note, that you'll need to reboot 142 141 to actually run your new kernel.</para></footnote>--> 143 142 </para> … … 266 265 </sect2> 267 266 268 269 <sect2 id="postlfs-security-fw-writing" xreflabel="writing the firewalling-setup-scripts"> 267 <sect2 id="fw-writing" xreflabel="writing the firewalling-setup-scripts"> 270 268 <title>Now you can start to build your Firewall</title> 271 269 272 273 <sect3 id="postlfs-security-fw-persFw" xreflabel="Personal Firewall"> 270 <sect3 id="fw-persFw" xreflabel="Personal Firewall"> 274 271 <title>Personal Firewall</title> 275 272 … … 278 275 
279 276 <para>Below is a slightly modified version of Rusty Russell's recommendation 280 from the <ulink 281 url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html"> Linux282 2.4 Packet Filtering HOWTO</ulink>:</para>277 from the <ulink 278 url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html"> 279 Linux 2.4 Packet Filtering HOWTO</ulink>:</para> 283 280 284 281 <screen><userinput><command>cat > /etc/rc.d/init.d/firewall << "EOF"</command> … … 287 284 # Begin $rc_base/init.d/firewall 288 285 289 # Insert connection-tracking modules (not needed if built into the kernel). 286 # Insert connection-tracking modules 287 # (not needed if built into the kernel) 290 288 modprobe ip_tables 291 289 modprobe iptable_filter … … 297 295 # allow local-only connections 298 296 iptables -A INPUT -i lo -j ACCEPT 299 # free output on any interface to any ip for any service (equal to -P ACCEPT) 297 298 # free output on any interface to any ip for any service 299 # (equal to -P ACCEPT) 300 300 iptables -A OUTPUT -j ACCEPT 301 301 302 302 # permit answers on already established connections 303 # and permit new connections related to established ones (eg active-ftp) 303 # and permit new connections related to established ones 304 # (eg active-ftp) 304 305 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 305 306 … … 312 313 iptables -P OUTPUT DROP 313 314 314 # be verbose on dynamic ip-addresses 315 # be verbose on dynamic ip-addresses (not needed in case of static IP) 315 316 echo 2 > /proc/sys/net/ipv4/ip_dynaddr 316 317 317 # disable ExplicitCongestionNotification - too many routers are still ignorant 318 # disable ExplicitCongestionNotification 319 # too many routers are still ignorant 318 320 echo 0 > /proc/sys/net/ipv4/tcp_ecn 319 321 … … 326 328 327 329 <para>If you frequently encounter certain delays at accessing ftp-servers, 328 please have a look at <xref linkend=" postlfs-security-fw-busybox"/> -329 <xref linkend=" 
postlfs-security-fw-BB-4"/>.</para>330 please have a look at <xref linkend="fw-busybox"/> - 331 <xref linkend="fw-BB-4"/>.</para> 330 332 331 333 <para>Even if you have daemons or services running on your box, these 332 334 should be inaccessible everywhere but from your box itself. 333 If you want to allow access to services on your machine, such as ssh or pinging,334 take a look at <xref linkend="postlfs-security-fw-busybox"/>.</para>335 If you want to allow access to services on your machine, such as ssh or 336 pinging, take a look at <xref linkend="fw-busybox"/>.</para> 335 337 336 338 </sect3> 337 339 338 340 339 <sect3 id=" postlfs-security-fw-masqRouter" xreflabel="Masquerading Router">341 <sect3 id="fw-masqRouter" xreflabel="Masquerading Router"> 340 342 <title>Masquerading Router</title> 341 343 … … 346 348 make sure that there are no servers running on it, especially not 347 349 <application>X11</application> et 348 al. And, as a general principle, the box itself should not access any untrusted349 service (Think of a name server giving answers that make your350 al. And, as a general principle, the box itself should not access any 351 untrusted service (Think of a name server giving answers that make your 350 352 bind crash, or, even worse, that implement a worm via a 351 353 buffer-overflow).</para> … … 389 391 iptables -A FORWARD -m state --state NEW -i ! 
ppp+ -j ACCEPT 390 392 391 # do masquerading (not needed if intranet is not using private ip-addresses) 393 # do masquerading 394 # (not needed if intranet is not using private ip-addresses) 392 395 iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE 393 396 394 # Log everything for debugging (last of all rules, but before DROP/REJECT) 397 # Log everything for debugging 398 # (last of all rules, but before DROP/REJECT) 395 399 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " 396 400 iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD" … … 402 406 iptables -P OUTPUT DROP 403 407 404 # be verbose on dynamic ip-addresses (not needed in case of static IP) 408 # be verbose on dynamic ip-addresses 409 # (not needed in case of static IP) 405 410 echo 2 > /proc/sys/net/ipv4/ip_dynaddr 406 411 … … 436 441 <para>If you need stronger security (e.g., against DOS, connection 437 442 highjacking, spoofing, etc.), have a look at the list of 438 <xref linkend=" postlfs-security-fw-library"/> at the end of this section.</para>443 <xref linkend="fw-library"/> at the end of this section.</para> 439 444 440 445 </sect3> 441 446 442 <sect3 id=" postlfs-security-fw-busybox" xreflabel="BusyBox">447 <sect3 id="fw-busybox" xreflabel="BusyBox"> 443 448 <title>BusyBox</title> 444 449 445 <para>This scenario isn't too different from (<xref linkend=" postlfs-security-fw-masqRouter"/>),450 <para>This scenario isn't too different from (<xref linkend="fw-masqRouter"/>), 446 451 but in this case you want to offer some services to your intranet. 447 452 Examples of this can be when you want to admin your box from another host … … 453 458 <para>Be cautious. Every service you offer and have enabled makes your 454 459 setup more complex and your box less secure. You induce the risks of 455 misconfigured services or running a service with an exploitable bug. A firewall456 should generally not run any extra services. 
See the introduction to457 <xref linkend=" postlfs-security-fw-masqRouter"/> for some more details.</para>460 misconfigured services or running a service with an exploitable bug. A 461 firewall should generally not run any extra services. See the introduction to 462 <xref linkend="fw-masqRouter"/> for some more details.</para> 458 463 459 464 <para>If the services you'd like to offer do not need to access the Internet … … 470 475 471 476 <screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 472 iptables -A OUTPUT 473 474 <para>However, it is generally not advisable to leave OUTPUT unrestricted. You lose475 any control over trojans who'd like to "call home", and a bit of redundancy in case476 you've (mis-)configured a service so that it does broadcast its existence to the477 world.</para>477 iptables -A OUTPUT -j ACCEPT</screen> 478 479 <para>However, it is generally not advisable to leave OUTPUT unrestricted. You 480 lose any control over trojans who'd like to "call home", and a bit of 481 redundancy in case you've (mis-)configured a service so that it does broadcast 482 its existence to the world.</para> 478 483 479 484 <para>If you prefer to have this protection, you may restrict INPUT and OUTPUT … … 486 491 487 492 <listitem><para>Squid is caching the web:</para> 488 <screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT 489 iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT</screen></listitem> 493 <screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT 494 iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED \ 495 -j ACCEPT</screen> 496 </listitem> 490 497 491 498 <listitem><para>Your caching name server (e.g., dnscache) does its 492 499 lookups via udp:</para> 493 <screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT 494 iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT</screen></listitem> 495 496 <listitem><para>Alternatively, if you want to be able to ping your box to ensure 497 
it's still alive:</para> 500 <screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT 501 iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED \ 502 -j ACCEPT</screen> 503 </listitem> 504 505 <listitem><para>Alternatively, if you want to be able to ping your box to 506 ensure it's still alive:</para> 507 498 508 <screen>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT 499 iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</screen></listitem> 500 501 <listitem><para><anchor id='postlfs-security-fw-BB-4' xreflabel="example no. 4"/>If you are 509 iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</screen> 510 </listitem> 511 512 <listitem><para><anchor id='fw-BB-4' xreflabel="example no. 4"/>If you are 502 513 frequently accessing ftp-servers or enjoy chatting, you might notice certain 503 514 delays because some implementations of these daemons have the feature of … … 510 521 511 522 <screen>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset 512 iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen></listitem> 523 iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen> 524 </listitem> 513 525 514 526 <listitem><para>To log and drop invalid packets (harmless packets 515 527 that came in after netfilter's timeout or some types of network scans):</para> 516 528 517 <screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix \518 "FIREWALL:INVALID"529 <screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG \ 530 --log-prefix "FIREWALL:INVALID" 519 531 iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></listitem> 520 532 … … 524 536 <screen>iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8 -j DROP 525 537 iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12 -j DROP 526 iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP</screen></listitem> 538 iptables -t nat -A PREROUTING 
-i ppp+ -s 192.168.0.0/16 -j DROP</screen> 539 </listitem> 527 540 528 541 <listitem><para>To simplify debugging and be fair to anyone who'd like to … … 548 561 maybe even in FORWARD and for intranet-communication, and delete the 549 562 general clauses, you get an old fashioned packet filter.</para> 550 551 552 563 </sect3> 553 564 554 565 </sect2> 555 566 556 557 <sect2 id="postlfs-security-fw-finale" xreflabel="Conclusion"> 567 <sect2 id="fw-finale" xreflabel="Conclusion"> 558 568 <title>Conclusion</title> 559 569 … … 579 589 </sect2> 580 590 581 582 591 <sect2 id="postlfs-security-fw-extra" xreflabel="Extra Information"> 583 592 <title>Extra Information</title> 584 593 585 <sect3 id=" postlfs-security-fw-library" xreflabel="Links for further reading">594 <sect3 id="fw-library" xreflabel="Links for further reading"> 586 595 <title>Where to start with further reading on firewalls.</title> 587 596 … … 611 620 <ulink url="http://www.robertgraham.com/pubs/firewall-seen.html">www.robertgraham.com/pubs/firewall-seen.html</ulink> 612 621 </literallayout></blockquote></para> 613 614 <!-- <para>If a link proves to be dead or if you think I missed one,615 please mail!</para> -->616 617 622 </sect3> 618 623 619 <sect3 id=" postlfs-security-fw-status" xreflabel="/etc/rc.d/init.d/firewall.status">624 <sect3 id="fw-status" xreflabel="/etc/rc.d/init.d/firewall.status"> 620 625 <title>firewall.status</title> 621 626 … … 666 671 iptables -P OUTPUT ACCEPT 667 672 <command>EOF</command></userinput></screen> 668 669 673 </sect3> 670 674 671 675 </sect2> 676 672 677 </sect1> 673 678 -
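Review bot: the id rename from `postlfs-security-fw-*` to `fw-*` is incomplete: the sect2 at old line 582 / new line 591 keeps `id="postlfs-security-fw-extra"` while every other sect1, sect2, sect3 id and anchor in firewalling.xml is shortened (`fw-firewall`, `fw-intro`, `fw-kernel`, `fw-writing`, `fw-persFw`, `fw-masqRouter`, `fw-busybox`, `fw-BB-4`, `fw-finale`, `fw-library`, `fw-status`). Rename it to `fw-extra` as well, or say why it stays. Since DocBook ids must be unique across the whole book, the short `fw-` prefix is more collision-prone than the old chapter-scoped one, and a grep for `linkend="postlfs-security-fw-` over the rest of the book should confirm that iptables.xml is really the only other file that still referenced the old ids.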
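Review bot: in the masquerading-router hunk that rewraps the "Log everything for debugging" comment (old 394-396 / new 397-400), the two LOG rules it sits above keep inconsistent prefixes: `--log-prefix "FIREWALL:INPUT "` ends with a space but `--log-prefix "FIREWALL:FORWARD"` does not, so the FORWARD log lines run the prefix straight into the packet fields and are harder to parse. Since the hunk already touches this block, add the trailing space to the FORWARD prefix.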
postlfs/security/iptables.xml
r4ee1c44 rdd362e5 35 35 to configure the relevant options into your kernel. This is discussed 36 36 in the next part of this chapter – 37 <xref linkend=" postlfs-security-fw-kernel"/>.</para>37 <xref linkend="fw-kernel"/>.</para> 38 38 39 39 <para>If you intend to use <acronym>IP</acronym>v6 you might consider extending -
postlfs/security/tripwire.xml
r4ee1c44 rdd362e5 68 68 <title>Command explanations</title> 69 69 70 <para><command>sed -i -e 's@TWDB="${prefix}@TWDB="/var/lib@' install/install.cfg</command>: 71 This command tells the package to install the program database and reports in 70 <para><command>sed -i -e 's@TWDB="${prefix}@TWDB="/var/lib@' 71 install/install.cfg</command>: This command tells the package to install the 72 program database and reports in 72 73 <filename>/var/lib/tripwire</filename>.</para> 73 74 … … 119 120 configuration steps:</para> 120 121 121 <screen><userinput><command>twadmin --create-polfile --site-keyfile=/etc/tripwire site.key /etc/tripwire/twpol.txt && 122 <screen><userinput><command>twadmin --create-polfile --site-keyfile=/etc/tripwire site.key \ 123 /etc/tripwire/twpol.txt && 122 124 tripwire --init</command></userinput></screen> 123 125 … … 147 149 substitutions for <replaceable>[?]</replaceable>:</para> 148 150 149 <screen><userinput><command>tripwire --update -twrfile /var/lib/tripwire/report/linux-<replaceable>[???????]</replaceable>-<replaceable>[??????]</replaceable>.twr</command></userinput></screen> 151 <screen><userinput><command>tripwire --update -twrfile \ 152 /var/lib/tripwire/report/linux-<replaceable>[???????]</replaceable>-<replaceable>[??????]</replaceable>.twr</command></userinput></screen> 150 153 151 154 <para>You will be placed into <application>vim</application> with a copy of
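Review bot: the rewrapped `twadmin --create-polfile` command (old 121-122 / new 122-124) still reads `--site-keyfile=/etc/tripwire site.key`; as written the value contains a space, so the shell hands `site.key` to twadmin as a separate argument rather than as part of the key-file path. If the intended path is `/etc/tripwire/site.key`, fix the separator while this line is being rewrapped.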
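Review bot: the rewrapped `tripwire --update` command (old 149 / new 151-152) keeps the option spelled `-twrfile` with a single dash in both versions; tripwire's long option is `--twrfile` (short form `-r`), so the single-dash form should be corrected while the line is being touched.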