Changeset f7415c4d


Ignore:
Timestamp:
02/26/2020 04:20:10 PM (20 months ago)
Author:
Bruce Dubbs <bdubbs@…>
Branches:
10.0, 10.1, 11.0, 9.1, ken/refactor-virt, lazarus, qt5new, trunk, xry111/git-date, xry111/git-date-for-trunk, xry111/git-date-test
Children:
44621c7
Parents:
8a9f48c
Message:

Comment out the nftables and firewalld sections until
we can make them a bit more usable.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@22759 af4574ff-66df-0310-9fd7-8a98e5e911e0

Location:
postlfs/security
Files:
3 edited

Legend:

Unmodified
Added
Removed
  • postlfs/security/firewalling.xml

    r8a9f48c rf7415c4d  
    1616  <title>Setting Up a Network Firewall</title>
    1717
     18  <para>Before you read this part of the chapter, you should have
     19  already installed iptables as described in the previous section.</para>
     20
    1821  <sect2 id="fw-intro" xreflabel="Firewalling Introduction">
    1922    <title>Introduction to Firewall Creation</title>
    2023
    21     <para>
    22       The purpose of a firewall is to protect a computer or a network against
    23       malicious access. In a perfect world every daemon or service, on every
    24       machine, is perfectly configured and immune to security flaws, and all
    25       users are trusted implicitly to use the equipment as intended. However,
    26       this is rarely, if ever, the case. Daemons may be misconfigured, or
    27       updates may not have been applied for known exploits against essential
    28       services. Additionally, you may wish to choose which services are
    29       accessible by certain machines or users, or you may wish to limit which
    30       machines or applications are allowed external access. Alternatively, you
    31       simply may not trust some of your applications or users. For these
    32       reasons, a carefully designed firewall should be an essential part of
    33       system security.
    34     </para>
    35 
    36     <para>
    37       While a firewall can greatly limit the scope of the above issues, do not
    38       assume that having a firewall makes careful configuration redundant, or
    39       that any negligent misconfiguration is harmless. A firewall does not
    40       prevent the exploitation of any service you offer outside of it. Despite
    41       having a firewall, you need to keep applications and daemons properly
    42       configured and up to date.
    43     </para>
     24    <para>The general purpose of a firewall is to protect a computer or
     25    a network against malicious access.</para>
     26
     27    <para>In a perfect world, every daemon or service on every machine
     28    is perfectly configured and immune to flaws such as buffer overflows
     29    or other problems regarding its security. Furthermore, you trust
     30    every user accessing your services. In this world, you do not need
     31    to have a firewall.</para>
     32
     33    <para>In the real world however, daemons may be misconfigured and
     34    exploits against essential services are freely available. You may
     35    wish to choose which services are accessible by certain machines or
     36    you may wish to limit which machines or applications are allowed
     37    external access. Alternatively, you may simply not trust some of
     38    your applications or users. You are probably connected to the
     39    Internet. In this world, a firewall is essential.</para>
     40
     41    <para>Don't assume however, that having a firewall makes careful
     42    configuration redundant, or that it makes any negligent
     43    misconfiguration harmless. It doesn't prevent anyone from exploiting
     44    a service you intentionally offer but haven't recently updated or
     45    patched after an exploit went public.  Despite having a firewall, you
     46    need to keep applications and daemons on your system properly
     47    configured and up to date.  A firewall is not a cure all, but should
     48    be an essential part of your overall security strategy.</para>
    4449
    4550  </sect2>
     
    4853    <title>Meaning of the Word "Firewall"</title>
    4954
    50     <para>
    51       The word firewall can have several different meanings.
    52     </para>
     55    <para>The word firewall can have several different meanings.</para>
    5356
    5457    <sect3>
    55       <title>Personal Firewall</title>
    56 
    57       <para>
    58         This is a hardware device or software program, intended to secure a
    59         home or desktop computer connected to the Internet. This type of
    60         firewall is highly relevant for users who do not know how their
    61         computers might be accessed via the Internet or how to disable
    62         that access, especially if they are always online and connected
    63         via broadband links.
    64       </para>
    65 
    66       <para>
    67         An example configuration for a personal firewall is provided at
    68         <xref linkend="fw-persFw-ipt"/>.
    69       </para>
     58      <title><xref linkend="fw-persFw"/></title>
     59
     60      <para>This is a hardware device or software program commercially sold (or
     61      offered via freeware) by companies such as Symantec which claims that
     62      it secures a home or desktop computer connected to the Internet. This
     63      type of firewall is highly relevant for users who do not know how their
     64      computers might be accessed via the Internet or how to disable
     65      that access, especially if they are always online and connected
     66      via broadband links.</para>
    7067
    7168    </sect3>
    7269
    7370    <sect3>
    74       <title>Masquerading Router</title>
    75 
    76       <para>
    77         This is a system placed between the Internet and an intranet.
    78         To minimize the risk of compromising the firewall itself, it should
    79         generally have only one role&mdash;that of protecting the intranet.
    80         Although not completely risk-free, the tasks of doing the routing and
    81         IP masquerading (rewriting IP headers of the packets it routes from
    82         clients with private IP addresses onto the Internet so that they seem
    83         to come from the firewall itself) are commonly considered relatively
    84         secure.
    85       </para>
    86 
    87       <para>
    88         Example configurations for a masquerading firewall are provided at
    89         <xref linkend="fw-masqRouter-ipt"/> and
    90         <xref linkend="fw-masqRouter-nft"/>.
    91       </para>
     71      <title><xref linkend="fw-masqRouter"/></title>
     72
     73      <para>This is a system placed between the Internet and an intranet.
     74      To minimize the risk of compromising the firewall itself, it should
     75      generally have only one role&mdash;that of protecting the intranet.
     76      Although not completely risk free, the tasks of doing the routing and
     77      IP masquerading (rewriting IP headers of the packets it routes from
     78      clients with private IP addresses onto the Internet so that they seem
     79      to come from the firewall itself) are commonly considered relatively
     80      secure.</para>
    9281
    9382    </sect3>
    9483
    9584    <sect3>
    96       <title>BusyBox</title>
    97 
    98       <para>
    99         This is often an old computer you may have retired and nearly
    100         forgotten, performing masquerading or routing functions, but offering
    101         non-firewall services such as a web-cache or mail. This may be used
    102         for home networks, but is not to be considered as secure as a firewall
    103         only machine because the combination of server and router/firewall on
    104         one machine raises the complexity of the setup.
    105       </para>
    106 
    107       <para>
    108         An example configuration for a BusyBox is provided at
    109         <xref linkend="fw-busybox-ipt"/>.
    110       </para>
     85      <title><xref linkend="fw-busybox"/></title>
     86
     87      <para>This is often an old computer you may have retired and nearly
     88      forgotten, performing masquerading or routing functions, but offering
     89      non-firewall services such as a web-cache or mail.  This may be used
     90      for home networks, but is not to be considered as secure as a firewall
     91      only machine because the combination of server and router/firewall on
     92      one machine raises the complexity of the setup.</para>
    11193
    11294    </sect3>
    11395
    11496    <sect3>
    115       <title>Firewall with a Demilitarized Zone</title>
    116 
    117       <para>
    118         This type of firewall performs masquerading or routing, but grants
    119         public access to some branch of your network that is physically
    120         separated from your regular intranet and is essentially a separate
    121         network with direct Internet access. The servers on this network are
    122         those which must be easily accessible from both the Internet and
    123         intranet. The firewall protects both networks. This type of firewall
    124         has a minimum of three network interfaces.
    125       </para>
     97      <title>Firewall with a Demilitarized Zone [Not Further
     98      Described Here]</title>
     99
     100      <para>This box performs masquerading or routing, but grants public
     101      access to some branch of your network which, because of public IPs
     102      and a physically separated structure, is essentially a separate
     103      network with direct Internet access. The servers on this network are
     104      those which must be easily accessible from both the Internet and
     105      intranet. The firewall protects both networks. This type of firewall
     106      has a minimum of three network interfaces.</para>
    126107
    127108    </sect3>
     
    130111      <title>Packetfilter</title>
    131112
    132       <para>
    133         This type of firewall does routing or masquerading but does
    134         not maintain a state table of ongoing communication streams. It is
    135         fast but quite limited in its ability to block undesired packets
    136         without blocking desired packets.
    137       </para>
     113      <para>This type of firewall does routing or masquerading, but does
     114      not maintain a state table of ongoing communication streams. It is
     115      fast, but quite limited in its ability to block undesired packets
     116      without blocking desired packets.</para>
    138117
    139118    </sect3>
     
    141120  </sect2>
    142121
    143   <sect2>
     122  <sect2 id="fw-writing" xreflabel="writing the firewalling-setup-scripts">
     123    <title>Now You Can Start to Build your Firewall</title>
     124
     125    <caution>
     126      <para>This introduction on how to setup a firewall is not a
     127      complete guide to securing systems. Firewalling is a complex
     128      issue that requires careful configuration. The scripts quoted
     129      here are simply intended to give examples of how a firewall
     130      works. They are not intended to fit into any particular
     131      configuration and may not provide complete protection from
     132      an attack.</para>
     133
     134      <para>Customization of these scripts for your specific situation
     135      will be necessary for an optimal configuration, but you should
     136      make a serious study of the iptables documentation and creating
     137      firewalls in general before hacking away. Have a look at the
     138      list of <xref linkend="fw-library"/> at the end of this section for
     139      more details. There you will find a list of URLs that contain quite
     140      comprehensive information about building your own firewall.</para>
     141    </caution>
     142
     143    <para revision="sysv">The firewall configuration script installed in the
     144    iptables section differs from the standard configuration script. It only
     145    has two of the standard targets: start and status. The other targets are
     146    clear and lock. For instance if you issue:</para>
     147
     148<screen role="root" revision="sysv"><userinput>/etc/rc.d/init.d/iptables start</userinput></screen>
     149
     150    <para revision="sysv">the firewall will be restarted just as it is upon
     151    system startup. The status target will present a list of all currently
     152    implemented rules. The clear target turns off all firewall rules and the
     153    lock target will block all packets in and out of the computer with the
     154    exception of the loopback interface.</para>
     155
     156    <para revision="sysv">The main startup firewall is located in the file
     157    <filename>/etc/rc.d/rc.iptables</filename>. The sections below provide
     158    three different approaches that can be used for a system.</para>
     159
     160    <para revision="systemd">The main startup firewall is located in the file
     161    <filename>/etc/systemd/scripts/iptables</filename>. The sections below
     162    provide three different approaches that can be used for a system.</para>
     163
     164    <note>
     165      <para>You should always run your firewall rules from a script.
     166      This ensures consistency and a record of what was done. It also
     167      allows retention of comments that are essential for understanding
     168      the rules long after they were written.</para>
     169    </note>
     170
     171    <sect3 id="fw-persFw" xreflabel="Personal Firewall">
     172      <title>Personal Firewall</title>
     173
     174      <para>A Personal Firewall is designed to let you access all the
     175      services offered on the Internet, but keep your box secure and
     176      your data private.</para>
     177
     178      <para>Below is a slightly modified version of Rusty Russell's
     179      recommendation from the <ulink
     180      url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">
     181      Linux 2.4 Packet Filtering HOWTO</ulink>. It is still applicable
     182      to the Linux 2.6 kernels.</para>
     183
     184<screen role="root" revision="sysv"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
     185<literal>#!/bin/sh
     186
     187# Begin rc.iptables
     188
     189# Insert connection-tracking modules
     190# (not needed if built into the kernel)
     191modprobe nf_conntrack
     192modprobe xt_LOG
     193
     194# Enable broadcast echo Protection
     195echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
     196
     197# Disable Source Routed Packets
     198echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
     199echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route
     200
     201# Enable TCP SYN Cookie Protection
     202echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
     203
     204# Disable ICMP Redirect Acceptance
     205echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects
     206
     207# Do not send Redirect Messages
     208echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
     209echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects
     210
     211# Drop Spoofed Packets coming in on an interface, where responses
     212# would result in the reply going out a different interface.
     213echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
     214echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter
     215
     216# Log packets with impossible addresses.
     217echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
     218echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians
     219
     220# be verbose on dynamic ip-addresses  (not needed in case of static IP)
     221echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
     222
     223# disable Explicit Congestion Notification
     224# too many routers are still ignorant
     225echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
     226
     227# Set a known state
     228iptables -P INPUT   DROP
     229iptables -P FORWARD DROP
     230iptables -P OUTPUT  DROP
     231
     232# These lines are here in case rules are already in place and the
     233# script is ever rerun on the fly. We want to remove all rules and
     234# pre-existing user defined chains before we implement new rules.
     235iptables -F
     236iptables -X
     237iptables -Z
     238
     239iptables -t nat -F
     240
     241# Allow local-only connections
     242iptables -A INPUT  -i lo -j ACCEPT
     243
     244# Free output on any interface to any ip for any service
     245# (equal to -P ACCEPT)
     246iptables -A OUTPUT -j ACCEPT
     247
     248# Permit answers on already established connections
     249# and permit new connections related to established ones
     250# (e.g. port mode ftp)
     251iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
     252
     253# Log everything else. What's Windows' latest exploitable vulnerability?
     254iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
     255
     256# End $rc_base/rc.iptables</literal>
     257EOF
     258chmod 700 /etc/rc.d/rc.iptables</userinput></screen>
     259
     260
     261<screen role="root" revision="systemd"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts
     262
     263cat &gt; /etc/systemd/scripts/iptables &lt;&lt; "EOF"
     264<literal>#!/bin/sh
     265
     266# Begin /etc/systemd/scripts/iptables
     267
     268# Insert connection-tracking modules
     269# (not needed if built into the kernel)
     270modprobe nf_conntrack
     271modprobe xt_LOG
     272
     273# Enable broadcast echo Protection
     274echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
     275
     276# Disable Source Routed Packets
     277echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
     278echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route
     279
     280# Enable TCP SYN Cookie Protection
     281echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
     282
     283# Disable ICMP Redirect Acceptance
     284echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects
     285
     286# Do not send Redirect Messages
     287echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
     288echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects
     289
     290# Drop Spoofed Packets coming in on an interface, where responses
     291# would result in the reply going out a different interface.
     292echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
     293echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter
     294
     295# Log packets with impossible addresses.
     296echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
     297echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians
     298
     299# be verbose on dynamic ip-addresses  (not needed in case of static IP)
     300echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
     301
     302# disable Explicit Congestion Notification
     303# too many routers are still ignorant
     304echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
     305
     306# Set a known state
     307iptables -P INPUT   DROP
     308iptables -P FORWARD DROP
     309iptables -P OUTPUT  DROP
     310
     311# These lines are here in case rules are already in place and the
     312# script is ever rerun on the fly. We want to remove all rules and
     313# pre-existing user defined chains before we implement new rules.
     314iptables -F
     315iptables -X
     316iptables -Z
     317
     318iptables -t nat -F
     319
     320# Allow local-only connections
     321iptables -A INPUT  -i lo -j ACCEPT
     322
     323# Free output on any interface to any ip for any service
     324# (equal to -P ACCEPT)
     325iptables -A OUTPUT -j ACCEPT
     326
     327# Permit answers on already established connections
     328# and permit new connections related to established ones
     329# (e.g. port mode ftp)
     330iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
     331
     332# Log everything else. What's Windows' latest exploitable vulnerability?
     333iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
     334
     335# End /etc/systemd/scripts/iptables</literal>
     336EOF
     337chmod 700 /etc/systemd/scripts/iptables</userinput></screen>
     338
     339      <para>This script is quite simple, it drops all traffic coming
     340      into your computer that wasn't initiated from your computer, but
     341      as long as you are simply surfing the Internet you are unlikely
     342      to exceed its limits.</para>
     343
     344      <para>If you frequently encounter certain delays at accessing
     345      FTP servers, take a look at <xref linkend="fw-BB-4"/>.</para>
     346
     347      <para>Even if you have daemons or services running on your system,
     348      these will be inaccessible everywhere but from your computer itself.
     349      If you want to allow access to services on your machine, such as
     350      <command>ssh</command> or <command>ping</command>, take a look at
     351      <xref linkend="fw-busybox"/>.</para>
     352
     353    </sect3>
     354
     355    <sect3 id="fw-masqRouter" xreflabel="Masquerading Router">
     356      <title>Masquerading Router</title>
     357
     358      <para>A true Firewall has two interfaces, one connected to an
     359      intranet, in this example <emphasis role="strong">eth0</emphasis>,
     360      and one connected to the Internet, here <emphasis
     361      role="strong">ppp0</emphasis>. To provide the maximum security
     362      for the firewall itself, make sure that there are no unnecessary
     363      servers running on it such as <application>X11</application> et
     364      al. As a general principle, the firewall itself should not access
     365      any untrusted service (think of a remote server giving answers that
     366      makes a daemon on your system crash, or even worse, that implements
     367      a worm via a buffer-overflow).</para>
     368
     369<screen role="root" revision="sysv"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
     370<literal>#!/bin/sh
     371
     372# Begin rc.iptables
     373
     374echo
     375echo "You're using the example configuration for a setup of a firewall"
     376echo "from Beyond Linux From Scratch."
     377echo "This example is far from being complete, it is only meant"
     378echo "to be a reference."
     379echo "Firewall security is a complex issue, that exceeds the scope"
     380echo "of the configuration rules below."
     381echo "You can find additional information"
     382echo "about firewalls in Chapter 4 of the BLFS book."
     383echo "http://www.&lfs-domainname;/blfs"
     384echo
     385
     386# Insert iptables modules (not needed if built into the kernel).
     387
     388modprobe nf_conntrack
     389modprobe nf_conntrack_ftp
     390modprobe xt_conntrack
     391modprobe xt_LOG
     392modprobe xt_state
     393
     394# Enable broadcast echo Protection
     395echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
     396
     397# Disable Source Routed Packets
     398echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
     399
     400# Enable TCP SYN Cookie Protection
     401echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
     402
     403# Disable ICMP Redirect Acceptance
     404echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects
     405
     406# Don't send Redirect Messages
     407echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects
     408
     409# Drop Spoofed Packets coming in on an interface where responses
     410# would result in the reply going out a different interface.
     411echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter
     412
     413# Log packets with impossible addresses.
     414echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
     415
     416# Be verbose on dynamic ip-addresses  (not needed in case of static IP)
     417echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
     418
     419# Disable Explicit Congestion Notification
     420# Too many routers are still ignorant
     421echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
     422
     423# Set a known state
     424iptables -P INPUT   DROP
     425iptables -P FORWARD DROP
     426iptables -P OUTPUT  DROP
     427
     428# These lines are here in case rules are already in place and the
     429# script is ever rerun on the fly. We want to remove all rules and
     430# pre-existing user defined chains before we implement new rules.
     431iptables -F
     432iptables -X
     433iptables -Z
     434
     435iptables -t nat -F
     436
     437# Allow local connections
     438iptables -A INPUT  -i lo -j ACCEPT
     439iptables -A OUTPUT -o lo -j ACCEPT
     440
     441# Allow forwarding if the initiated on the intranet
     442iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
     443iptables -A FORWARD ! -i ppp+ -m conntrack --ctstate NEW       -j ACCEPT
     444
     445# Do masquerading
     446# (not needed if intranet is not using private ip-addresses)
     447iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
     448
     449# Log everything for debugging
     450# (last of all rules, but before policy rules)
     451iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT "
     452iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
     453iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "
     454
     455# Enable IP Forwarding
     456echo 1 &gt; /proc/sys/net/ipv4/ip_forward</literal>
     457EOF
     458chmod 700 /etc/rc.d/rc.iptables</userinput></screen>
     459
     460<screen role="root" revision="systemd"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts
     461
     462cat &gt; /etc/systemd/scripts/iptables &lt;&lt; "EOF"
     463<literal>#!/bin/sh
     464
     465# Begin /etc/systemd/scripts/iptables
     466
     467echo
     468echo "You're using the example configuration for a setup of a firewall"
     469echo "from Beyond Linux From Scratch."
     470echo "This example is far from being complete, it is only meant"
     471echo "to be a reference."
     472echo "Firewall security is a complex issue, that exceeds the scope"
     473echo "of the configuration rules below."
     474
     475echo "You can find additional information"
     476echo "about firewalls in Chapter 4 of the BLFS book."
     477echo "http://www.&lfs-domainname;/blfs"
     478echo
     479
     480# Insert iptables modules (not needed if built into the kernel).
     481
     482modprobe nf_conntrack
     483modprobe nf_conntrack_ftp
     484modprobe xt_conntrack
     485modprobe xt_LOG
     486modprobe xt_state
     487
     488# Enable broadcast echo Protection
     489echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
     490
     491# Disable Source Routed Packets
     492echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
     493
     494# Enable TCP SYN Cookie Protection
     495echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
     496
     497# Disable ICMP Redirect Acceptance
     498echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects
     499
     500# Don't send Redirect Messages
     501echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects
     502
     503# Drop Spoofed Packets coming in on an interface where responses
     504# would result in the reply going out a different interface.
     505echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter
     506
     507# Log packets with impossible addresses.
     508echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
     509
     510# Be verbose on dynamic ip-addresses  (not needed in case of static IP)
     511echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
     512
     513# Disable Explicit Congestion Notification
     514# Too many routers are still ignorant
     515echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
     516
     517# Set a known state
     518iptables -P INPUT   DROP
     519iptables -P FORWARD DROP
     520iptables -P OUTPUT  DROP
     521
     522# These lines are here in case rules are already in place and the
     523# script is ever rerun on the fly. We want to remove all rules and
     524# pre-existing user defined chains before we implement new rules.
     525iptables -F
     526iptables -X
     527iptables -Z
     528
     529iptables -t nat -F
     530
     531# Allow local connections
     532iptables -A INPUT  -i lo -j ACCEPT
     533iptables -A OUTPUT -o lo -j ACCEPT
     534
     535# Allow forwarding if the initiated on the intranet
     536iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
     537iptables -A FORWARD ! -i ppp+ -m conntrack --ctstate NEW       -j ACCEPT
     538
     539# Do masquerading
     540# (not needed if intranet is not using private ip-addresses)
     541iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
     542
     543# Log everything for debugging
     544# (last of all rules, but before policy rules)
     545iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT "
     546iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
     547iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "
     548
     549# Enable IP Forwarding
     550echo 1 &gt; /proc/sys/net/ipv4/ip_forward
     551
     552# End /etc/systemd/scripts/iptables</literal>
     553EOF
     554chmod 700 /etc/systemd/scripts/iptables</userinput></screen>
     555
     556      <para>With this script your intranet should be reasonably secure
     557      against external attacks. No one should be able to setup a new
     558      connection to any internal service and, if it's masqueraded,
     559      makes your intranet invisible to the Internet. Furthermore, your
     560      firewall should be relatively safe because there are no services
     561      running that a cracker could attack.</para>
     562
     563      <note>
     564        <para>If the interface you're connecting to the Internet
     565        doesn't connect via PPP, you will need to change
     566        <replaceable>&lt;ppp+&gt;</replaceable> to the name of the interface
     567        (e.g., <emphasis role="strong">eth1</emphasis>) which you are
     568        using.</para>
     569      </note>
     570
     571    </sect3>
     572
     573    <sect3 id="fw-busybox" xreflabel="BusyBox">
     574      <title>BusyBox</title>
     575
     576      <para>This scenario isn't too different from the <xref
     577      linkend="fw-masqRouter"/>, but additionally offers some
     578      services to your intranet. Examples of this can be when
     579      you want to administer your firewall from another host on
     580      your intranet or use it as a proxy or a name server.</para>
     581
     582      <note>
     583        <para>Outlining a true concept of how to protect a server that
     584        offers services on the Internet goes far beyond the scope of
     585        this document. See the references at the end of this section
     586        for more information.</para>
     587      </note>
     588
     589      <para>Be cautious. Every service you have enabled makes your
     590      setup more complex and your firewall less secure. You are
     591      exposed to the risks of misconfigured services or running
     592      a service with an exploitable bug. A firewall should generally
     593      not run any extra services.  See the introduction to the
     594      <xref linkend="fw-masqRouter"/> for some more details.</para>
     595
     596      <para>If you want to add services such as internal Samba or
     597      name servers that do not need to access the Internet themselves,
     598      the additional statements are quite simple and should still be
     599      acceptable from a security standpoint. Just add the following lines
     600      into the script <emphasis>before</emphasis> the logging rules.</para>
     601
     602<screen><literal>iptables -A INPUT  -i ! ppp+  -j ACCEPT
     603iptables -A OUTPUT -o ! ppp+  -j ACCEPT</literal></screen>
     604
     605      <para>If daemons, such as squid, have to access the Internet
     606      themselves, you could open OUTPUT generally and restrict
     607      INPUT.</para>
     608
     609<screen><literal>iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
     610iptables -A OUTPUT -j ACCEPT</literal></screen>
     611
     612      <para>However, it is generally not advisable to leave OUTPUT
     613      unrestricted. You lose any control over trojans who would like
     614      to "call home", and a bit of redundancy in case you've
     615      (mis-)configured a service so that it broadcasts its existence
     616      to the world.</para>
     617
     618      <para>To accomplish this, you should restrict INPUT and OUTPUT
     619      on all ports except those that it's absolutely necessary to have
     620      open. Which ports you have to open depends on your needs: mostly
     621      you will find them by looking for failed accesses in your log
     622      files.</para>
     623
     624      <itemizedlist spacing="compact" role='iptables'>
     625        <title>Have a Look at the Following Examples:</title>
     626        <listitem>
     627          <para>Squid is caching the web:</para>
     628
     629<screen><literal>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
     630iptables -A INPUT  -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED \
     631  -j ACCEPT</literal></screen>
     632
     633        </listitem>
     634        <listitem>
     635          <para>Your caching name server (e.g., named) does its
     636          lookups via UDP:</para>
     637
     638<screen><literal>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</literal></screen>
     639
     640        </listitem>
     641        <listitem>
     642          <para>You want to be able to ping your computer to
     643          ensure it's still alive:</para>
     644
     645<screen><literal>iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT
     646iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT</literal></screen>
     647
     648        </listitem>
     649        <listitem>
     650          <para id='fw-BB-4' xreflabel="BusyBox example number 4">If
     651          you are frequently accessing FTP servers or enjoy chatting, you might
     652          notice certain delays because some implementations of these daemons
     653          have the feature of querying an identd on your system to obtain
     654          usernames. Although there's really little harm in this, having an
     655          identd running is not recommended because many security experts feel
     656          the service gives out too much additional information.</para>
     657
     658          <para>To avoid these delays you could reject the requests
     659          with a 'tcp-reset':</para>
     660
     661<screen><literal>iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset</literal></screen>
     662
     663        </listitem>
     664        <listitem>
     665          <para>To log and drop invalid packets (packets
     666          that came in after netfilter's timeout or some types of
     667          network scans) insert these rules at the top of the chain:</para>
     668
     669<screen><literal>iptables -I INPUT 0 -p tcp -m conntrack --ctstate INVALID \
     670  -j LOG --log-prefix "FIREWALL:INVALID "
     671iptables -I INPUT 1 -p tcp -m conntrack --ctstate INVALID -j DROP</literal></screen>
     672
     673        </listitem>
     674        <listitem>
     675          <para>Anything coming from the outside should not have a
     676          private address, this is a common attack called IP-spoofing:</para>
     677
     678<screen><literal>iptables -A INPUT -i ppp+ -s 10.0.0.0/8     -j DROP
     679iptables -A INPUT -i ppp+ -s 172.16.0.0/12  -j DROP
     680iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP</literal></screen>
     681
     682          <para>There are other addresses that you may also want to
     683          drop: 0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3 (multicast and
     684          experimental), 169.254.0.0/16 (Link Local Networks), and
     685          192.0.2.0/24 (IANA defined test network).</para>
     686        </listitem>
     687        <listitem>
     688          <para>If your firewall is a DHCP client, you need to allow
     689          those packets:</para>
     690
     691<screen><literal>iptables -A INPUT  -i ppp0 -p udp -s 0.0.0.0 --sport 67 \
     692   -d 255.255.255.255 --dport 68 -j ACCEPT</literal></screen>
     693
     694        </listitem>
     695        <listitem>
     696          <para>To simplify debugging and be fair to anyone who'd like
     697          to access a service you have disabled, purposely or by mistake,
     698          you could REJECT those packets that are dropped.</para>
     699
     700          <para>Obviously this must be done directly after logging as the very
     701          last lines before the packets are dropped by policy:</para>
     702
     703<screen><literal>iptables -A INPUT -j REJECT</literal></screen>
     704
     705        </listitem>
     706      </itemizedlist>
     707
     708      <para>These are only examples to show you some of the capabilities
     709      of the firewall code in Linux. Have a look at the man page of iptables.
     710      There you will find much more information. The port numbers needed for
     711      this can be found in <filename>/etc/services</filename>, in case you
     712      didn't find them by trial and error in your log file.</para>
     713
     714    </sect3>
     715
     716  </sect2>
     717
     718  <sect2 id="fw-finale" xreflabel="Conclusion">
    144719    <title>Conclusion</title>
    145720
    146     <caution>
    147       <para>
    148         The example configurations provided for <xref linkend="iptables"/> and
    149         <xref linkend="nftables"/> are not intended to be a complete guide to
    150         securing systems. Firewalling is a complex issue that requires careful
    151         configuration. The configurations provided by BLFS are intended only to
    152         give examples of how a firewall works. They are not intended to fit any
    153         particular configuration and may not provide complete protection from
    154         an attack.
    155       </para>
    156     </caution>
    157 
    158     <para>
    159       BLFS provides two utilities to manage the kernel Netfilter interface,
    160       <xref linkend="iptables"/> and <xref linkend="nftables"/>.
    161     </para>
    162 
    163     <para>
    164       <xref linkend="iptables"/> has been around since early 2.4 kernels, and
    165       has been the standard since. If you plan not to use a configuration
    166       utility, this is likely the set of tools that will be most familiar to
    167       existing admins.
    168     </para>
    169 
    170     <para>
    171       <xref linkend="nftables"/> is the successor to <xref linkend="iptables"/>
    172       and provies all of the same functionality with a single userspace tool,
    173       <command>nft</command>, that uses similar syntax to BSD's
    174       <application>pf</application> utility, and may be easier for new users or
    175       admins already familiar with that platform.
    176     </para>
    177 
    178     <para>
    179       While both can be used in tandem, that is an advanced configuration and
    180       you should decide on one or the other. Both pages include very simple
    181       example configurations, and customization of the provided configurations
    182       for your specific environment will be necessary if you elect to use
    183       either without a configuration tool.
    184     </para>
    185 
    186     <para>
    187       Additionally, a firewall management tool, <xref linkend="firewalld"/>, is
    188       provided to greatly ease firewall configuration for both simple and
    189       complex environments, and can be used with either tool. You should not
    190       use the example configurations if you intend to use
    191       <application>firewalld</application> to manage your firewall rules.
    192     </para>
    193 
    194     <para>
    195       If you elect to configure manually, have a look at the
    196       list of further reading below for more details. Here you will find a
    197       list of URLs that contain comprehensive information about building
    198       firewalls and further securing your system.
    199     </para>
     721    <para>Finally, there is one fact you must not forget: The effort spent
     722    attacking a system corresponds to the value the cracker expects to gain
     723    from it. If you are responsible for valuable information, you need to
     724    spend the time to protect it properly.</para>
    200725
    201726  </sect2>
    202727
    203   <sect2 id="fw-extra-info">
     728  <sect2 id="postlfs-security-fw-extra" xreflabel="Extra Information">
    204729    <title>Extra Information</title>
    205730
    206     <sect3>
    207       <title>Further Reading on Firewalls</title>
     731    <sect3 id="fw-library" xreflabel="links for further reading">
     732      <title>Where to Start with Further Reading on Firewalls</title>
    208733
    209734      <blockquote>
    210735        <literallayout>
    211 <ulink url="http://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables/nftables projects</ulink>
     736<ulink url="http://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables project</ulink>
    212737<ulink url="http://www.netfilter.org/documentation/FAQ/netfilter-faq.html">Netfilter related FAQ</ulink>
    213738<ulink url="http://www.netfilter.org/documentation/index.html#HOWTO">Netfilter related HOWTO's</ulink>
    214 <ulink url="https://wiki.nftables.org/wiki-nftables/index.php/Main_Page">nftables HOWTO</ulink>
    215739<ulink url="http://en.tldp.org/LDP/nag2/x-087-2-firewall.html">en.tldp.org/LDP/nag2/x-087-2-firewall.html</ulink>
    216740<ulink url="http://en.tldp.org/HOWTO/Security-HOWTO.html">en.tldp.org/HOWTO/Security-HOWTO.html</ulink>
     
    229753      </blockquote>
    230754
     755      <!-- The following are all dead links from the section above. They are
     756           moved out of the section so the literallayout won't produce blank
     757           lines in the rendered text
     758
     759<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire.html">www.ibm.com/developerworks/security/library/s-fire.html</ulink>
     760<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire2.html">www.ibm.com/developerworks/security/library/s-fire2.html</ulink>
     761<ulink url="http://www.interhack.net/pubs/fw-faq/">www.interhack.net/pubs/fw-faq/</ulink>
     762<ulink url="http://www.linuxgazette.com/issue65/stumpel.html">www.linuxgazette.com/issue65/stumpel.html</ulink>
     763<ulink url="http://www.linux-firewall-tools.com/linux/">www.linux-firewall-tools.com/linux/</ulink>
     764<ulink url="http://logi.cc/linux/athome-firewall.php3">logi.cc/linux/athome-firewall.php3</ulink>
     765<ulink url="http://www.robertgraham.com/pubs/firewall-seen.html">www.robertgraham.com/pubs/firewall-seen.html</ulink>
     766
     767      -->
     768
    231769    </sect3>
    232770
  • postlfs/security/iptables.xml

    r8a9f48c rf7415c4d  
    7575    <bridgehead renderas="sect4">Optional</bridgehead>
    7676    <para role="optional">
    77       <xref linkend="nftables"/>,
     77 <!--     <xref linkend="nftables"/>, -->
    7878      <xref linkend="libpcap"/> (required for nfsypproxy support),
    7979      <ulink url="https://github.com/tadamdam/bpf-utils">bpf-utils</ulink>
     
    114114      Include any connection tracking protocols that will be used, as well as
    115115      any protocols that you wish to use for match support under the
    116       "Core Netfilter Configuration" section. The above options are enough
    117       for running <xref linkend="fw-persFw-ipt"/> below.
     116      "Core Netfilter Configuration" section. <!--The above options are enough
     117      for running <xref linkend="fw-persFw-ipt"/> below.-->
    118118    </para>
    119119
     
    183183    <para>
    184184      <parameter>--disable-nftables</parameter>: This switch disables building
    185       nftables compat. Omit this switch if you have installed
    186       <xref linkend="nftables"/>.
     185      nftables compat. <!--Omit this switch if you have installed
     186      <xref linkend="nftables"/>.-->
    187187    </para>
    188188
     
    210210
    211211  </sect2>
    212 
     212<!--
    213213  <sect2 role="configuration">
    214214    <title>Configuring iptables</title>
     
    319319# and permit new connections related to established ones
    320320# (e.g. port mode ftp)
    321 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
     321
     322iptables -A INPUT -m conntrack - -ctstate ESTABLISHED,RELATED -j ACCEPT
    322323
    323324# Log everything else. What's Windows' latest exploitable vulnerability?
    324 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
     325iptables -A INPUT -j LOG - -log-prefix "FIREWALL:INPUT "
    325326
    326327# End $rc_base/rc.iptables</literal>
     
    397398# and permit new connections related to established ones
    398399# (e.g. port mode ftp)
    399 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
     400iptables -A INPUT -m conntrack - -ctstate ESTABLISHED,RELATED -j ACCEPT
    400401
    401402# Log everything else. What's Windows' latest exploitable vulnerability?
    402 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
     403iptables -A INPUT -j LOG - -log-prefix "FIREWALL:INPUT "
    403404
    404405# End /etc/systemd/scripts/iptables</literal>
     
    518519
    519520# Allow forwarding if the initiated on the intranet
    520 iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    521 iptables -A FORWARD ! -i WAN1 -m conntrack --ctstate NEW       -j ACCEPT
     521iptables -A FORWARD -m conntrack - -ctstate ESTABLISHED,RELATED -j ACCEPT
     522iptables -A FORWARD ! -i WAN1 -m conntrack - -ctstate NEW       -j ACCEPT
    522523
    523524# Do masquerading
     
    527528# Log everything for debugging
    528529# (last of all rules, but before policy rules)
    529 iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT "
    530 iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
    531 iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "
     530iptables -A INPUT   -j LOG - -log-prefix "FIREWALL:INPUT "
     531iptables -A FORWARD -j LOG - -log-prefix "FIREWALL:FORWARD "
     532iptables -A OUTPUT  -j LOG - -log-prefix "FIREWALL:OUTPUT "
    532533
    533534# Enable IP Forwarding
     
    612613
    613614# Allow forwarding if the initiated on the intranet
    614 iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    615 iptables -A FORWARD ! -i WAN1 -m conntrack --ctstate NEW       -j ACCEPT
     615iptables -A FORWARD -m conntrack - -ctstate ESTABLISHED,RELATED -j ACCEPT
     616iptables -A FORWARD ! -i WAN1 -m conntrack - -ctstate NEW       -j ACCEPT
    616617
    617618# Do masquerading
     
    621622# Log everything for debugging
    622623# (last of all rules, but before policy rules)
    623 iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT "
    624 iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
    625 iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "
     624iptables -A INPUT   -j LOG - -log-prefix "FIREWALL:INPUT "
     625iptables -A FORWARD -j LOG - -log-prefix "FIREWALL:FORWARD "
     626iptables -A OUTPUT  -j LOG - -log-prefix "FIREWALL:OUTPUT "
    626627
    627628# Enable IP Forwarding
     
    632633
    633634# Allow ping on the external interface
    634 #iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT
    635 #iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT
     635#iptables -A INPUT  -p icmp -m icmp - -icmp-type echo-request -j ACCEPT
     636#iptables -A OUTPUT -p icmp -m icmp - -icmp-type echo-reply   -j ACCEPT
    636637
    637638# Reject ident packets with TCP reset to avoid delays with FTP or IRC
    638 #iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset
     639#iptables -A INPUT  -p tcp - -dport 113 -j REJECT - -reject-with tcp-reset
    639640
    640641# Allow HTTP and HTTPS to 192.168.0.2
    641 #iptables -A PREROUTING -t nat -i WAN1 -p tcp --dport 80 -j DNAT --to 192.168.0.2
    642 #iptables -A PREROUTING -t nat -i WAN1 -p tcp --dport 443 -j DNAT --to 192.168.0.2
    643 #iptables -A FORWARD -p tcp -d 192.168.0.2 --dport 80 -j ACCEPT
    644 #iptables -A FORWARD -p tcp -d 192.168.0.2 --dport 443 -j ACCEPT
     642#iptables -A PREROUTING -t nat -i WAN1 -p tcp - -dport 80 -j DNAT - -to 192.168.0.2
     643#iptables -A PREROUTING -t nat -i WAN1 -p tcp - -dport 443 -j DNAT - -to 192.168.0.2
     644#iptables -A FORWARD -p tcp -d 192.168.0.2 - -dport 80 -j ACCEPT
     645#iptables -A FORWARD -p tcp -d 192.168.0.2 - -dport 443 -j ACCEPT
    645646
    646647# End /etc/systemd/scripts/iptables</literal>
     
    705706      </para>
    706707
    707 <screen><literal>iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
     708<screen><literal>iptables -A INPUT -m conntrack - -ctstate ESTABLISHED,RELATED -j ACCEPT
    708709iptables -A OUTPUT -j ACCEPT</literal></screen>
    709710
     
    731732          </para>
    732733
    733 <screen><literal>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
    734 iptables -A INPUT  -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED \
     734<screen><literal>iptables -A OUTPUT -p tcp - -dport 80 -j ACCEPT
     735iptables -A INPUT  -p tcp - -sport 80 -m conntrack - -ctstate ESTABLISHED \
    735736  -j ACCEPT</literal></screen>
    736737
     
    741742          </para>
    742743
    743 <screen><literal>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</literal></screen>
     744<screen><literal>iptables -A OUTPUT -p udp - -dport 53 -j ACCEPT</literal></screen>
    744745
    745746        </listitem>
     
    750751          </para>
    751752
    752 <screen><literal>iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT
    753 iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT</literal></screen>
     753<screen><literal>iptables -A INPUT  -p icmp -m icmp - -icmp-type echo-request -j ACCEPT
     754iptables -A OUTPUT -p icmp -m icmp - -icmp-type echo-reply   -j ACCEPT</literal></screen>
    754755
    755756        </listitem>
     
    769770          </para>
    770771
    771 <screen><literal>iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset</literal></screen>
     772<screen><literal>iptables -A INPUT  -p tcp - -dport 113 -j REJECT - -reject-with tcp-reset</literal></screen>
    772773
    773774        </listitem>
     
    779780          </para>
    780781
    781 <screen><literal>iptables -I INPUT 0 -p tcp -m conntrack --ctstate INVALID \
    782   -j LOG --log-prefix "FIREWALL:INVALID "
    783 iptables -I INPUT 1 -p tcp -m conntrack --ctstate INVALID -j DROP</literal></screen>
     782<screen><literal>iptables -I INPUT 0 -p tcp -m conntrack - -ctstate INVALID \
     783  -j LOG - -log-prefix "FIREWALL:INVALID "
     784iptables -I INPUT 1 -p tcp -m conntrack - -ctstate INVALID -j DROP</literal></screen>
    784785
    785786        </listitem>
     
    806807          </para>
    807808
    808 <screen><literal>iptables -A INPUT  -i WAN1 -p udp -s 0.0.0.0 --sport 67 \
    809    -d 255.255.255.255 --dport 68 -j ACCEPT</literal></screen>
     809<screen><literal>iptables -A INPUT  -i WAN1 -p udp -s 0.0.0.0 - -sport 67 \
     810   -d 255.255.255.255 - -dport 68 -j ACCEPT</literal></screen>
    810811
    811812        </listitem>
     
    862863
    863864  </sect2>
    864 
     865-->
    865866  <sect2 role="content">
    866867    <title>Contents</title>
  • postlfs/security/security.xml

    r8a9f48c rf7415c4d  
    5454  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="gpgme.xml"/>
    5555  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="haveged.xml"/>
     56<!-- Leave in alphabetical order of now -->
     57  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="iptables.xml"/>
     58  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="firewalling.xml"/>
     59
    5660  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="libcap.xml"/>
    5761  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="linux-pam.xml"/>
     
    7579  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="tripwire.xml"/>
    7680  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="volume_key.xml"/>
    77   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="firewalling.xml"/>
     81<!--  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="firewalling.xml"/>
    7882  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="iptables.xml"/>
    7983  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="nftables.xml"/>
    80   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="firewalld.xml"/>
     84  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="firewalld.xml"/>-->
    8185
    8286</chapter>
Note: See TracChangeset for help on using the changeset viewer.