Changeset dd362e5 for postlfs/security

Timestamp:

01/13/2005 01:25:45 AM (19 years ago)

Author:

Randy McMurchy <randy@…>

Branches:

10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.0, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal

Children:

77d9f1c

Parents:

4ee1c44

Message:

Fixed instructions in the first 110 pages of the PDF version so that line lengths don't exceed the viewable area

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@3272 af4574ff-66df-0310-9fd7-8a98e5e911e0

Location:

postlfs/security

Files:

• firewalling.xml (modified) (27 diffs)
• iptables.xml (modified) (1 diff)
• tripwire.xml (modified) (3 diffs)

postlfs/security/firewalling.xml

@@ -6 +6 @@
 ]>
 
-<sect1 id="postlfs-security-fw-firewall" xreflabel="Firewalling">
+<sect1 id="fw-firewall" xreflabel="Firewalling">
 <sect1info>
 <othername>$LastChangedBy$</othername>
@@ -17 +17 @@
 have already installed iptables as described in the previous section.</para>
 
-
-<sect2 id="postlfs-security-fw-intro" xreflabel="Firewalling Introduction">
+<sect2 id="fw-intro" xreflabel="Firewalling Introduction">
 <title>Introduction to Firewall Creation</title>
 
@@ -35 +34 @@
 may wish to choose which services are accessible by certain machines, 
 you may wish to limit which machines or applications are allowed 
-to have Internet access, or you may simply  not trust some of your 
-apps or users.
-In these situations you might  benefit by using a firewall.</para>
+to have Internet access, or you may simply not trust some of your 
+apps or users. In these situations you might benefit by using a 
+firewall.</para>
 
 <para>Don't assume however, that having a firewall makes careful
@@ -54 +53 @@
 <para>The word firewall can have several different meanings.</para>
 
-<sect3><title><xref linkend="postlfs-security-fw-persFw"/></title>
+<sect3><title><xref linkend="fw-persFw"/></title>
 
 <para>This is a setup or program, for Windows commercially sold by 
@@ -64 +63 @@
 broadband links.</para></sect3>
 
-<sect3><title><xref linkend="postlfs-security-fw-masqRouter"/></title>
+<sect3><title><xref linkend="fw-masqRouter"/></title>
 <para>This is a box placed between the Internet and an intranet. 
 To minimize the risk of compromising the firewall itself it
@@ -74 +73 @@
 itself) are commonly considered harmless.</para></sect3>
 
-<sect3><title><xref linkend="postlfs-security-fw-busybox"/></title>
+<sect3><title><xref linkend="fw-busybox"/></title>
 <para>This is often an old box you may have retired and nearly forgotten, 
 performing masquerading or routing functions, but offering a bunch of 
@@ -92 +91 @@
 
 <sect3><title>Packetfilter / partly accessible net [partly described
-here, see <xref linkend="postlfs-security-fw-busybox"/>]</title>
+here, see <xref linkend="fw-busybox"/>]</title>
 <para>Doing routing or masquerading, but permitting only selected 
 services to be accessible, sometimes only by selected internal users or boxes; 
@@ -121 +120 @@
 <para>Customization of these scripts for your specific situation will
 be necessary for an optimal configuration, but you should make a serious
-study of the iptables documentation and creating firewalls in general before hacking
-away.  Have a look at the list of <xref linkend="postlfs-security-fw-library"/> at the end 
-of this section for more details.  Here you will find a list of URLs that 
-contain quite comprehensive information about building your own firewall.</para>
+study of the iptables documentation and creating firewalls in general before 
+hacking away.  Have a look at the list of 
+<xref linkend="fw-library"/> at the end of this section for 
+more details.  Here you will find a list of URLs that contain quite 
+comprehensive information about building your own firewall.</para>
 
 </sect2>
 
-
-<sect2 id="postlfs-security-fw-kernel" xreflabel="getting a firewalling-enabled Kernel">
+<sect2 id="fw-kernel" xreflabel="getting a firewalling-enabled Kernel">
 <title>Getting a firewall enabled Kernel</title>
 
 <para>If you want your Linux-Box to have a firewall, you must first ensure 
 that your kernel has been compiled with the relevant options turned on.
-<!-- <footnote><para>If you needed assistance how to configure, compile and install 
-a new kernel, refer back to chapter VIII of the LinuxFromScratch book, 
-<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html">Installing a kernel</ulink>
- and eventually 
-<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html">Making the LFS system bootable</ulink>
-; note, that you'll need to reboot 
+<!-- <footnote><para>If you needed assistance how to configure, compile and 
+install a new kernel, refer back to chapter VIII of the LinuxFromScratch book, 
+<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html">
+Installing a kernel</ulink>  and eventually 
+<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html">
+Making the LFS system bootable</ulink>; note, that you'll need to reboot 
 to actually run your new kernel.</para></footnote>-->
 </para>
@@ -266 +265 @@
 </sect2>
 
-
-<sect2 id="postlfs-security-fw-writing" xreflabel="writing the firewalling-setup-scripts">
+<sect2 id="fw-writing" xreflabel="writing the firewalling-setup-scripts">
 <title>Now you can start to build your Firewall</title>
 
-
-<sect3 id="postlfs-security-fw-persFw" xreflabel="Personal Firewall">
+<sect3 id="fw-persFw" xreflabel="Personal Firewall">
 <title>Personal Firewall</title>
 
@@ -278 +275 @@
 
 <para>Below is a slightly modified version of Rusty Russell's recommendation
-from the <ulink
-url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">Linux
-2.4 Packet Filtering HOWTO</ulink>:</para>
+from the <ulink 
+url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">
+Linux 2.4 Packet Filtering HOWTO</ulink>:</para>
 
 <screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</command>
@@ -287 +284 @@
 # Begin $rc_base/init.d/firewall
 
-# Insert connection-tracking modules (not needed if built into the kernel).
+# Insert connection-tracking modules 
+# (not needed if built into the kernel)
 modprobe ip_tables
 modprobe iptable_filter
@@ -297 +295 @@
 # allow local-only connections
 iptables -A INPUT  -i lo -j ACCEPT
-# free output on any interface to any ip for any service (equal to -P ACCEPT)
+
+# free output on any interface to any ip for any service 
+# (equal to -P ACCEPT)
 iptables -A OUTPUT -j ACCEPT
 
 # permit answers on already established connections
-# and permit new connections related to established ones (eg active-ftp)
+# and permit new connections related to established ones 
+# (eg active-ftp)
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
@@ -312 +313 @@
 iptables -P OUTPUT   DROP
 
-# be verbose on dynamic ip-addresses     (not needed in case of static IP)
+# be verbose on dynamic ip-addresses  (not needed in case of static IP)
 echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
 
-# disable ExplicitCongestionNotification - too many routers are still ignorant
+# disable ExplicitCongestionNotification 
+# too many routers are still ignorant
 echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
 
@@ -326 +328 @@
 
 <para>If you frequently encounter certain delays at accessing ftp-servers,
-please have a look at <xref linkend="postlfs-security-fw-busybox"/> - 
-<xref linkend="postlfs-security-fw-BB-4"/>.</para>
+please have a look at <xref linkend="fw-busybox"/> - 
+<xref linkend="fw-BB-4"/>.</para>
 
 <para>Even if you have daemons or services running on your box, these
 should be inaccessible everywhere but from your box itself.
-If you want to allow access to services on your machine, such as ssh or pinging, 
-take a look at <xref linkend="postlfs-security-fw-busybox"/>.</para> 
+If you want to allow access to services on your machine, such as ssh or 
+pinging, take a look at <xref linkend="fw-busybox"/>.</para> 
 
 </sect3>
 
 
-<sect3 id="postlfs-security-fw-masqRouter" xreflabel="Masquerading Router">
+<sect3 id="fw-masqRouter" xreflabel="Masquerading Router">
 <title>Masquerading Router</title>
 
@@ -346 +348 @@
 make sure that there are no servers running on it, especially not
 <application>X11</application> et
-al.  And, as a general principle, the box itself should not access any untrusted
-service (Think of a name server giving answers that make your
+al.  And, as a general principle, the box itself should not access any 
+untrusted service (Think of a name server giving answers that make your
 bind crash, or, even worse, that implement a worm via a 
 buffer-overflow).</para>
@@ -389 +391 @@
 iptables -A FORWARD -m state --state NEW -i ! ppp+       -j ACCEPT
 
-# do masquerading    (not needed if intranet is not using private ip-addresses)
+# do masquerading
+# (not needed if intranet is not using private ip-addresses)
 iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
 
-# Log everything for debugging (last of all rules, but before DROP/REJECT)
+# Log everything for debugging 
+# (last of all rules, but before DROP/REJECT)
 iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT  "
 iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
@@ -402 +406 @@
 iptables -P OUTPUT  DROP
 
-# be verbose on dynamic ip-addresses (not needed in case of static IP)
+# be verbose on dynamic ip-addresses 
+# (not needed in case of static IP)
 echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
 
@@ -436 +441 @@
 <para>If you need stronger security (e.g., against DOS, connection 
 highjacking, spoofing, etc.), have a look at the list of 
-<xref linkend="postlfs-security-fw-library"/> at the end of this section.</para>
+<xref linkend="fw-library"/> at the end of this section.</para>
 
 </sect3>
 
-<sect3 id="postlfs-security-fw-busybox" xreflabel="BusyBox">
+<sect3 id="fw-busybox" xreflabel="BusyBox">
 <title>BusyBox</title>
 
-<para>This scenario isn't too different from (<xref linkend="postlfs-security-fw-masqRouter"/>), 
+<para>This scenario isn't too different from (<xref linkend="fw-masqRouter"/>), 
 but in this case you want to offer some services to your intranet.
 Examples of this can be when you want to admin your box from another host 
@@ -453 +458 @@
 <para>Be cautious.  Every service you offer and have enabled makes your
 setup more complex and your box less secure. You induce the risks of 
-misconfigured services or running a service with an exploitable bug.  A firewall
-should generally not run any extra services.  See the introduction to 
-<xref linkend="postlfs-security-fw-masqRouter"/> for some more details.</para>
+misconfigured services or running a service with an exploitable bug.  A 
+firewall should generally not run any extra services.  See the introduction to 
+<xref linkend="fw-masqRouter"/> for some more details.</para>
 
 <para>If the services you'd like to offer do not need to access the Internet 
@@ -470 +475 @@
 
 <screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED  -j ACCEPT
-iptables -A OUTPUT                                      -j ACCEPT</screen>
-
-<para>However, it is generally not advisable to leave OUTPUT unrestricted. You lose 
-any control over trojans who'd like to "call home", and a bit of redundancy in case 
-you've (mis-)configured a service so that it does broadcast its existence to the 
-world.</para>
+iptables -A OUTPUT                                     -j ACCEPT</screen>
+
+<para>However, it is generally not advisable to leave OUTPUT unrestricted. You 
+lose any control over trojans who'd like to "call home", and a bit of 
+redundancy in case you've (mis-)configured a service so that it does broadcast 
+its existence to the world.</para>
 
 <para>If you prefer to have this protection, you may restrict INPUT and OUTPUT
@@ -486 +491 @@
 
 <listitem><para>Squid is caching the web:</para>
-<screen>iptables -A OUTPUT -p tcp --dport 80                              -j ACCEPT
-iptables -A INPUT  -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT</screen></listitem>
+<screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
+iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED \
+-j ACCEPT</screen>
+</listitem>
 
 <listitem><para>Your caching name server (e.g., dnscache) does its
 lookups via udp:</para>
-<screen>iptables -A OUTPUT -p udp --dport 53                              -j ACCEPT
-iptables -A INPUT  -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT</screen></listitem>
-
-<listitem><para>Alternatively, if you want to be able to ping your box to ensure
-it's still alive:</para>
+<screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+iptables -A INPUT  -p udp --sport 53 -m state --state ESTABLISHED \
+-j ACCEPT</screen>
+</listitem>
+
+<listitem><para>Alternatively, if you want to be able to ping your box to 
+ensure it's still alive:</para>
+
 <screen>iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT</screen></listitem>
-
-<listitem><para><anchor id='postlfs-security-fw-BB-4' xreflabel="example no. 4"/>If you are 
+iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT</screen>
+</listitem>
+
+<listitem><para><anchor id='fw-BB-4' xreflabel="example no. 4"/>If you are 
 frequently accessing ftp-servers or enjoy chatting, you might notice certain 
 delays because some implementations of these daemons have the feature of 
@@ -510 +521 @@
 
 <screen>iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset
-iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen></listitem>
+iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen>
+</listitem>
 
 <listitem><para>To log and drop invalid packets (harmless packets
 that came in after netfilter's timeout or some types of network scans):</para>
 
-<screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix \ 
-"FIREWALL:INVALID"
+<screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG \
+--log-prefix "FIREWALL:INVALID"
 iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></listitem>
 
@@ -524 +536 @@
 <screen>iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8     -j DROP
 iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12  -j DROP
-iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP</screen></listitem>
+iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP</screen>
+</listitem>
 
 <listitem><para>To simplify debugging and be fair to anyone who'd like to 
@@ -548 +561 @@
 maybe even in FORWARD and for intranet-communication, and delete the
 general clauses, you get an old fashioned packet filter.</para>
-
-
 </sect3>
 
 </sect2>
 
-
-<sect2 id="postlfs-security-fw-finale" xreflabel="Conclusion">
+<sect2 id="fw-finale" xreflabel="Conclusion">
 <title>Conclusion</title>
 
@@ -579 +589 @@
 </sect2>
 
-
 <sect2 id="postlfs-security-fw-extra" xreflabel="Extra Information">
 <title>Extra Information</title>
 
-<sect3 id="postlfs-security-fw-library" xreflabel="Links for further reading">
+<sect3 id="fw-library" xreflabel="Links for further reading">
 <title>Where to start with further reading on firewalls.</title>
 
@@ -611 +620 @@
 <ulink url="http://www.robertgraham.com/pubs/firewall-seen.html">www.robertgraham.com/pubs/firewall-seen.html</ulink>
 </literallayout></blockquote></para>
-
-<!-- <para>If a link proves to be dead or if you think I missed one, 
-please mail!</para> -->
-
 </sect3>
 
-<sect3 id="postlfs-security-fw-status" xreflabel="/etc/rc.d/init.d/firewall.status">
+<sect3 id="fw-status" xreflabel="/etc/rc.d/init.d/firewall.status">
 <title>firewall.status</title>
 
@@ -666 +671 @@
 iptables -P OUTPUT      ACCEPT
 <command>EOF</command></userinput></screen>
-
 </sect3>
 
 </sect2>
+
 </sect1>
 

postlfs/security/iptables.xml

@@ -35 +35 @@
 to configure the relevant options into your kernel.  This is discussed
 in the next part of this chapter – 
-<xref linkend="postlfs-security-fw-kernel"/>.</para>
+<xref linkend="fw-kernel"/>.</para>
 
 <para>If you intend to use <acronym>IP</acronym>v6 you might consider extending

postlfs/security/tripwire.xml

@@ -68 +68 @@
 <title>Command explanations</title>
 
-<para><command>sed -i -e 's@TWDB="${prefix}@TWDB="/var/lib@' install/install.cfg</command>: 
-This command tells the package to install the program database and reports in
+<para><command>sed -i -e 's@TWDB="${prefix}@TWDB="/var/lib@' 
+install/install.cfg</command>: This command tells the package to install the 
+program database and reports in
 <filename>/var/lib/tripwire</filename>.</para>
 
@@ -119 +120 @@
 configuration steps:</para>
 
-<screen><userinput><command>twadmin --create-polfile --site-keyfile=/etc/tripwire site.key /etc/tripwire/twpol.txt &amp;&amp;
+<screen><userinput><command>twadmin --create-polfile --site-keyfile=/etc/tripwire site.key \
+    /etc/tripwire/twpol.txt &amp;&amp;
 tripwire --init</command></userinput></screen>
 
@@ -147 +149 @@
 substitutions for <replaceable>[?]</replaceable>:</para>
 
-<screen><userinput><command>tripwire --update -twrfile /var/lib/tripwire/report/linux-<replaceable>[???????]</replaceable>-<replaceable>[??????]</replaceable>.twr</command></userinput></screen>
+<screen><userinput><command>tripwire --update -twrfile \
+    /var/lib/tripwire/report/linux-<replaceable>[???????]</replaceable>-<replaceable>[??????]</replaceable>.twr</command></userinput></screen>
 
 <para>You will be placed into <application>vim</application> with a copy of