Context Navigation

← Previous Change
Next Change →

Changeset f7415c4d for postlfs/security

Timestamp:

02/26/2020 04:20:10 PM (4 years ago)

Author:

Bruce Dubbs <bdubbs@…>

Branches:

10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 9.1, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal

Children:

Parents:

Message:

Comment out the nftables and firewalld sections until
we can make them a bit more usable.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@22759 af4574ff-66df-0310-9fd7-8a98e5e911e0

Location:

postlfs/security

Files:

: 3 edited

firewalling.xml (modified) (5 diffs)
iptables.xml (modified) (19 diffs)
security.xml (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

postlfs/security/firewalling.xml

-              r8a9f48c
+              rf7415c4d
   <title>Setting Up a Network Firewall</title>
+  <para>Before you read this part of the chapter, you should have
+  already installed iptables as described in the previous section.</para>
   <sect2 id="fw-intro" xreflabel="Firewalling Introduction">
     <title>Introduction to Firewall Creation</title>
+    <para>
+      The purpose of a firewall is to protect a computer or a network against
+      malicious access. In a perfect world every daemon or service, on every
+      machine, is perfectly configured and immune to security flaws, and all
+      users are trusted implicitly to use the equipment as intended. However,
+      this is rarely, if ever, the case. Daemons may be misconfigured, or
+      updates may not have been applied for known exploits against essential
+      services. Additionally, you may wish to choose which services are
+      accessible by certain machines or users, or you may wish to limit which
+      machines or applications are allowed external access. Alternatively, you
+      simply may not trust some of your applications or users. For these
+      reasons, a carefully designed firewall should be an essential part of
+      system security.
+    </para>
+    <para>
+      While a firewall can greatly limit the scope of the above issues, do not
+      assume that having a firewall makes careful configuration redundant, or
+      that any negligent misconfiguration is harmless. A firewall does not
+      prevent the exploitation of any service you offer outside of it. Despite
+      having a firewall, you need to keep applications and daemons properly
+      configured and up to date.
+    </para>
+    <para>The general purpose of a firewall is to protect a computer or
+    a network against malicious access.</para>
+    <para>In a perfect world, every daemon or service on every machine
+    is perfectly configured and immune to flaws such as buffer overflows
+    or other problems regarding its security. Furthermore, you trust
+    every user accessing your services. In this world, you do not need
+    to have a firewall.</para>
+    <para>In the real world however, daemons may be misconfigured and
+    exploits against essential services are freely available. You may
+    wish to choose which services are accessible by certain machines or
+    you may wish to limit which machines or applications are allowed
+    external access. Alternatively, you may simply not trust some of
+    your applications or users. You are probably connected to the
+    Internet. In this world, a firewall is essential.</para>
+    <para>Don't assume however, that having a firewall makes careful
+    configuration redundant, or that it makes any negligent
+    misconfiguration harmless. It doesn't prevent anyone from exploiting
+    a service you intentionally offer but haven't recently updated or
+    patched after an exploit went public.  Despite having a firewall, you
+    need to keep applications and daemons on your system properly
+    configured and up to date.  A firewall is not a cure all, but should
+    be an essential part of your overall security strategy.</para>
   </sect2>
 …
     <title>Meaning of the Word "Firewall"</title>
+    <para>
+      The word firewall can have several different meanings.
+    </para>
+    <para>The word firewall can have several different meanings.</para>
     <sect3>
+      <title>Personal Firewall</title>
+      <para>
+        This is a hardware device or software program, intended to secure a
+        home or desktop computer connected to the Internet. This type of
+        firewall is highly relevant for users who do not know how their
+        computers might be accessed via the Internet or how to disable
+        that access, especially if they are always online and connected
+        via broadband links.
+      </para>
+      <para>
+        An example configuration for a personal firewall is provided at
+        <xref linkend="fw-persFw-ipt"/>.
+      </para>
+      <title><xref linkend="fw-persFw"/></title>
+      <para>This is a hardware device or software program commercially sold (or
+      offered via freeware) by companies such as Symantec which claims that
+      it secures a home or desktop computer connected to the Internet. This
+      type of firewall is highly relevant for users who do not know how their
+      computers might be accessed via the Internet or how to disable
+      that access, especially if they are always online and connected
+      via broadband links.</para>
     </sect3>
     <sect3>
+      <title>Masquerading Router</title>
+      <para>
+        This is a system placed between the Internet and an intranet.
+        To minimize the risk of compromising the firewall itself, it should
+        generally have only one role&mdash;that of protecting the intranet.
+        Although not completely risk-free, the tasks of doing the routing and
+        IP masquerading (rewriting IP headers of the packets it routes from
+        clients with private IP addresses onto the Internet so that they seem
+        to come from the firewall itself) are commonly considered relatively
+        secure.
+      </para>
+      <para>
+        Example configurations for a masquerading firewall are provided at
+        <xref linkend="fw-masqRouter-ipt"/> and
+        <xref linkend="fw-masqRouter-nft"/>.
+      </para>
+      <title><xref linkend="fw-masqRouter"/></title>
+      <para>This is a system placed between the Internet and an intranet.
+      To minimize the risk of compromising the firewall itself, it should
+      generally have only one role&mdash;that of protecting the intranet.
+      Although not completely risk free, the tasks of doing the routing and
+      IP masquerading (rewriting IP headers of the packets it routes from
+      clients with private IP addresses onto the Internet so that they seem
+      to come from the firewall itself) are commonly considered relatively
+      secure.</para>
     </sect3>
     <sect3>
+      <title>BusyBox</title>
+      <para>
+        This is often an old computer you may have retired and nearly
+        forgotten, performing masquerading or routing functions, but offering
+        non-firewall services such as a web-cache or mail. This may be used
+        for home networks, but is not to be considered as secure as a firewall
+        only machine because the combination of server and router/firewall on
+        one machine raises the complexity of the setup.
+      </para>
+      <para>
+        An example configuration for a BusyBox is provided at
+        <xref linkend="fw-busybox-ipt"/>.
+      </para>
+      <title><xref linkend="fw-busybox"/></title>
+      <para>This is often an old computer you may have retired and nearly
+      forgotten, performing masquerading or routing functions, but offering
+      non-firewall services such as a web-cache or mail.  This may be used
+      for home networks, but is not to be considered as secure as a firewall
+      only machine because the combination of server and router/firewall on
+      one machine raises the complexity of the setup.</para>
     </sect3>
     <sect3>
+      <title>Firewall with a Demilitarized Zone</title>
+      <para>
+        This type of firewall performs masquerading or routing, but grants
+        public access to some branch of your network that is physically
+        separated from your regular intranet and is essentially a separate
+        network with direct Internet access. The servers on this network are
+        those which must be easily accessible from both the Internet and
+        intranet. The firewall protects both networks. This type of firewall
+        has a minimum of three network interfaces.
+      </para>
+      <title>Firewall with a Demilitarized Zone [Not Further
+      Described Here]</title>
+      <para>This box performs masquerading or routing, but grants public
+      access to some branch of your network which, because of public IPs
+      and a physically separated structure, is essentially a separate
+      network with direct Internet access. The servers on this network are
+      those which must be easily accessible from both the Internet and
+      intranet. The firewall protects both networks. This type of firewall
+      has a minimum of three network interfaces.</para>
     </sect3>
 …
       <title>Packetfilter</title>
+      <para>
+        This type of firewall does routing or masquerading but does
+        not maintain a state table of ongoing communication streams. It is
+        fast but quite limited in its ability to block undesired packets
+        without blocking desired packets.
+      </para>
+      <para>This type of firewall does routing or masquerading, but does
+      not maintain a state table of ongoing communication streams. It is
+      fast, but quite limited in its ability to block undesired packets
+      without blocking desired packets.</para>
     </sect3>
 …
   </sect2>
+  <sect2>
+  <sect2 id="fw-writing" xreflabel="writing the firewalling-setup-scripts">
+    <title>Now You Can Start to Build your Firewall</title>
+    <caution>
+      <para>This introduction on how to setup a firewall is not a
+      complete guide to securing systems. Firewalling is a complex
+      issue that requires careful configuration. The scripts quoted
+      here are simply intended to give examples of how a firewall
+      works. They are not intended to fit into any particular
+      configuration and may not provide complete protection from
+      an attack.</para>
+      <para>Customization of these scripts for your specific situation
+      will be necessary for an optimal configuration, but you should
+      make a serious study of the iptables documentation and creating
+      firewalls in general before hacking away. Have a look at the
+      list of <xref linkend="fw-library"/> at the end of this section for
+      more details. There you will find a list of URLs that contain quite
+      comprehensive information about building your own firewall.</para>
+    </caution>
+    <para revision="sysv">The firewall configuration script installed in the
+    iptables section differs from the standard configuration script. It only
+    has two of the standard targets: start and status. The other targets are
+    clear and lock. For instance if you issue:</para>
+<screen role="root" revision="sysv"><userinput>/etc/rc.d/init.d/iptables start</userinput></screen>
+    <para revision="sysv">the firewall will be restarted just as it is upon
+    system startup. The status target will present a list of all currently
+    implemented rules. The clear target turns off all firewall rules and the
+    lock target will block all packets in and out of the computer with the
+    exception of the loopback interface.</para>
+    <para revision="sysv">The main startup firewall is located in the file
+    <filename>/etc/rc.d/rc.iptables</filename>. The sections below provide
+    three different approaches that can be used for a system.</para>
+    <para revision="systemd">The main startup firewall is located in the file
+    <filename>/etc/systemd/scripts/iptables</filename>. The sections below
+    provide three different approaches that can be used for a system.</para>
+    <note>
+      <para>You should always run your firewall rules from a script.
+      This ensures consistency and a record of what was done. It also
+      allows retention of comments that are essential for understanding
+      the rules long after they were written.</para>
+    </note>
+    <sect3 id="fw-persFw" xreflabel="Personal Firewall">
+      <title>Personal Firewall</title>
+      <para>A Personal Firewall is designed to let you access all the
+      services offered on the Internet, but keep your box secure and
+      your data private.</para>
+      <para>Below is a slightly modified version of Rusty Russell's
+      recommendation from the <ulink
+      url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">
+      Linux 2.4 Packet Filtering HOWTO</ulink>. It is still applicable
+      to the Linux 2.6 kernels.</para>
+<screen role="root" revision="sysv"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
+<literal>#!/bin/sh
+# Begin rc.iptables
+# Insert connection-tracking modules
+# (not needed if built into the kernel)
+modprobe nf_conntrack
+modprobe xt_LOG
+# Enable broadcast echo Protection
+echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+# Disable Source Routed Packets
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
+echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route
+# Enable TCP SYN Cookie Protection
+echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
+# Disable ICMP Redirect Acceptance
+echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects
+# Do not send Redirect Messages
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
+echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects
+# Drop Spoofed Packets coming in on an interface, where responses
+# would result in the reply going out a different interface.
+echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
+echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter
+# Log packets with impossible addresses.
+echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
+echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians
+# be verbose on dynamic ip-addresses  (not needed in case of static IP)
+echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
+# disable Explicit Congestion Notification
+# too many routers are still ignorant
+echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
+# Set a known state
+iptables -P INPUT   DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT  DROP
+# These lines are here in case rules are already in place and the
+# script is ever rerun on the fly. We want to remove all rules and
+# pre-existing user defined chains before we implement new rules.
+iptables -F
+iptables -X
+iptables -Z
+iptables -t nat -F
+# Allow local-only connections
+iptables -A INPUT  -i lo -j ACCEPT
+# Free output on any interface to any ip for any service
+# (equal to -P ACCEPT)
+iptables -A OUTPUT -j ACCEPT
+# Permit answers on already established connections
+# and permit new connections related to established ones
+# (e.g. port mode ftp)
+iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+# Log everything else. What's Windows' latest exploitable vulnerability?
+iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
+# End $rc_base/rc.iptables</literal>
+EOF
+chmod 700 /etc/rc.d/rc.iptables</userinput></screen>
+<screen role="root" revision="systemd"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts
+cat &gt; /etc/systemd/scripts/iptables &lt;&lt; "EOF"
+<literal>#!/bin/sh
+# Begin /etc/systemd/scripts/iptables
+# Insert connection-tracking modules
+# (not needed if built into the kernel)
+modprobe nf_conntrack
+modprobe xt_LOG
+# Enable broadcast echo Protection
+echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+# Disable Source Routed Packets
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
+echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route
+# Enable TCP SYN Cookie Protection
+echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
+# Disable ICMP Redirect Acceptance
+echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects
+# Do not send Redirect Messages
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
+echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects
+# Drop Spoofed Packets coming in on an interface, where responses
+# would result in the reply going out a different interface.
+echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
+echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter
+# Log packets with impossible addresses.
+echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
+echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians
+# be verbose on dynamic ip-addresses  (not needed in case of static IP)
+echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
+# disable Explicit Congestion Notification
+# too many routers are still ignorant
+echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
+# Set a known state
+iptables -P INPUT   DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT  DROP
+# These lines are here in case rules are already in place and the
+# script is ever rerun on the fly. We want to remove all rules and
+# pre-existing user defined chains before we implement new rules.
+iptables -F
+iptables -X
+iptables -Z
+iptables -t nat -F
+# Allow local-only connections
+iptables -A INPUT  -i lo -j ACCEPT
+# Free output on any interface to any ip for any service
+# (equal to -P ACCEPT)
+iptables -A OUTPUT -j ACCEPT
+# Permit answers on already established connections
+# and permit new connections related to established ones
+# (e.g. port mode ftp)
+iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+# Log everything else. What's Windows' latest exploitable vulnerability?
+iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
+# End /etc/systemd/scripts/iptables</literal>
+EOF
+chmod 700 /etc/systemd/scripts/iptables</userinput></screen>
+      <para>This script is quite simple, it drops all traffic coming
+      into your computer that wasn't initiated from your computer, but
+      as long as you are simply surfing the Internet you are unlikely
+      to exceed its limits.</para>
+      <para>If you frequently encounter certain delays at accessing
+      FTP servers, take a look at <xref linkend="fw-BB-4"/>.</para>
+      <para>Even if you have daemons or services running on your system,
+      these will be inaccessible everywhere but from your computer itself.
+      If you want to allow access to services on your machine, such as
+      <command>ssh</command> or <command>ping</command>, take a look at
+      <xref linkend="fw-busybox"/>.</para>
+    </sect3>
+    <sect3 id="fw-masqRouter" xreflabel="Masquerading Router">
+      <title>Masquerading Router</title>
+      <para>A true Firewall has two interfaces, one connected to an
+      intranet, in this example <emphasis role="strong">eth0</emphasis>,
+      and one connected to the Internet, here <emphasis
+      role="strong">ppp0</emphasis>. To provide the maximum security
+      for the firewall itself, make sure that there are no unnecessary
+      servers running on it such as <application>X11</application> et
+      al. As a general principle, the firewall itself should not access
+      any untrusted service (think of a remote server giving answers that
+      makes a daemon on your system crash, or even worse, that implements
+      a worm via a buffer-overflow).</para>
+<screen role="root" revision="sysv"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
+<literal>#!/bin/sh
+# Begin rc.iptables
+echo
+echo "You're using the example configuration for a setup of a firewall"
+echo "from Beyond Linux From Scratch."
+echo "This example is far from being complete, it is only meant"
+echo "to be a reference."
+echo "Firewall security is a complex issue, that exceeds the scope"
+echo "of the configuration rules below."
+echo "You can find additional information"
+echo "about firewalls in Chapter 4 of the BLFS book."
+echo "http://www.&lfs-domainname;/blfs"
+echo
+# Insert iptables modules (not needed if built into the kernel).
+modprobe nf_conntrack
+modprobe nf_conntrack_ftp
+modprobe xt_conntrack
+modprobe xt_LOG
+modprobe xt_state
+# Enable broadcast echo Protection
+echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+# Disable Source Routed Packets
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
+# Enable TCP SYN Cookie Protection
+echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
+# Disable ICMP Redirect Acceptance
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects
+# Don't send Redirect Messages
+echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects
+# Drop Spoofed Packets coming in on an interface where responses
+# would result in the reply going out a different interface.
+echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter
+# Log packets with impossible addresses.
+echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
+# Be verbose on dynamic ip-addresses  (not needed in case of static IP)
+echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
+# Disable Explicit Congestion Notification
+# Too many routers are still ignorant
+echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
+# Set a known state
+iptables -P INPUT   DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT  DROP
+# These lines are here in case rules are already in place and the
+# script is ever rerun on the fly. We want to remove all rules and
+# pre-existing user defined chains before we implement new rules.
+iptables -F
+iptables -X
+iptables -Z
+iptables -t nat -F
+# Allow local connections
+iptables -A INPUT  -i lo -j ACCEPT
+iptables -A OUTPUT -o lo -j ACCEPT
+# Allow forwarding if the initiated on the intranet
+iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD ! -i ppp+ -m conntrack --ctstate NEW       -j ACCEPT
+# Do masquerading
+# (not needed if intranet is not using private ip-addresses)
+iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
+# Log everything for debugging
+# (last of all rules, but before policy rules)
+iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT "
+iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
+iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "
+# Enable IP Forwarding
+echo 1 &gt; /proc/sys/net/ipv4/ip_forward</literal>
+EOF
+chmod 700 /etc/rc.d/rc.iptables</userinput></screen>
+<screen role="root" revision="systemd"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts
+cat &gt; /etc/systemd/scripts/iptables &lt;&lt; "EOF"
+<literal>#!/bin/sh
+# Begin /etc/systemd/scripts/iptables
+echo
+echo "You're using the example configuration for a setup of a firewall"
+echo "from Beyond Linux From Scratch."
+echo "This example is far from being complete, it is only meant"
+echo "to be a reference."
+echo "Firewall security is a complex issue, that exceeds the scope"
+echo "of the configuration rules below."
+echo "You can find additional information"
+echo "about firewalls in Chapter 4 of the BLFS book."
+echo "http://www.&lfs-domainname;/blfs"
+echo
+# Insert iptables modules (not needed if built into the kernel).
+modprobe nf_conntrack
+modprobe nf_conntrack_ftp
+modprobe xt_conntrack
+modprobe xt_LOG
+modprobe xt_state
+# Enable broadcast echo Protection
+echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+# Disable Source Routed Packets
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
+# Enable TCP SYN Cookie Protection
+echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
+# Disable ICMP Redirect Acceptance
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects
+# Don't send Redirect Messages
+echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects
+# Drop Spoofed Packets coming in on an interface where responses
+# would result in the reply going out a different interface.
+echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter
+# Log packets with impossible addresses.
+echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
+# Be verbose on dynamic ip-addresses  (not needed in case of static IP)
+echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
+# Disable Explicit Congestion Notification
+# Too many routers are still ignorant
+echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
+# Set a known state
+iptables -P INPUT   DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT  DROP
+# These lines are here in case rules are already in place and the
+# script is ever rerun on the fly. We want to remove all rules and
+# pre-existing user defined chains before we implement new rules.
+iptables -F
+iptables -X
+iptables -Z
+iptables -t nat -F
+# Allow local connections
+iptables -A INPUT  -i lo -j ACCEPT
+iptables -A OUTPUT -o lo -j ACCEPT
+# Allow forwarding if the initiated on the intranet
+iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD ! -i ppp+ -m conntrack --ctstate NEW       -j ACCEPT
+# Do masquerading
+# (not needed if intranet is not using private ip-addresses)
+iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
+# Log everything for debugging
+# (last of all rules, but before policy rules)
+iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT "
+iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
+iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "
+# Enable IP Forwarding
+echo 1 &gt; /proc/sys/net/ipv4/ip_forward
+# End /etc/systemd/scripts/iptables</literal>
+EOF
+chmod 700 /etc/systemd/scripts/iptables</userinput></screen>
+      <para>With this script your intranet should be reasonably secure
+      against external attacks. No one should be able to setup a new
+      connection to any internal service and, if it's masqueraded,
+      makes your intranet invisible to the Internet. Furthermore, your
+      firewall should be relatively safe because there are no services
+      running that a cracker could attack.</para>
+      <note>
+        <para>If the interface you're connecting to the Internet
+        doesn't connect via PPP, you will need to change
+        <replaceable>&lt;ppp+&gt;</replaceable> to the name of the interface
+        (e.g., <emphasis role="strong">eth1</emphasis>) which you are
+        using.</para>
+      </note>
+    </sect3>
+    <sect3 id="fw-busybox" xreflabel="BusyBox">
+      <title>BusyBox</title>
+      <para>This scenario isn't too different from the <xref
+      linkend="fw-masqRouter"/>, but additionally offers some
+      services to your intranet. Examples of this can be when
+      you want to administer your firewall from another host on
+      your intranet or use it as a proxy or a name server.</para>
+      <note>
+        <para>Outlining a true concept of how to protect a server that
+        offers services on the Internet goes far beyond the scope of
+        this document. See the references at the end of this section
+        for more information.</para>
+      </note>
+      <para>Be cautious. Every service you have enabled makes your
+      setup more complex and your firewall less secure. You are
+      exposed to the risks of misconfigured services or running
+      a service with an exploitable bug. A firewall should generally
+      not run any extra services.  See the introduction to the
+      <xref linkend="fw-masqRouter"/> for some more details.</para>
+      <para>If you want to add services such as internal Samba or
+      name servers that do not need to access the Internet themselves,
+      the additional statements are quite simple and should still be
+      acceptable from a security standpoint. Just add the following lines
+      into the script <emphasis>before</emphasis> the logging rules.</para>
+<screen><literal>iptables -A INPUT  -i ! ppp+  -j ACCEPT
+iptables -A OUTPUT -o ! ppp+  -j ACCEPT</literal></screen>
+      <para>If daemons, such as squid, have to access the Internet
+      themselves, you could open OUTPUT generally and restrict
+      INPUT.</para>
+<screen><literal>iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A OUTPUT -j ACCEPT</literal></screen>
+      <para>However, it is generally not advisable to leave OUTPUT
+      unrestricted. You lose any control over trojans who would like
+      to "call home", and a bit of redundancy in case you've
+      (mis-)configured a service so that it broadcasts its existence
+      to the world.</para>
+      <para>To accomplish this, you should restrict INPUT and OUTPUT
+      on all ports except those that it's absolutely necessary to have
+      open. Which ports you have to open depends on your needs: mostly
+      you will find them by looking for failed accesses in your log
+      files.</para>
+      <itemizedlist spacing="compact" role='iptables'>
+        <title>Have a Look at the Following Examples:</title>
+        <listitem>
+          <para>Squid is caching the web:</para>
+<screen><literal>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
+iptables -A INPUT  -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED \
+  -j ACCEPT</literal></screen>
+        </listitem>
+        <listitem>
+          <para>Your caching name server (e.g., named) does its
+          lookups via UDP:</para>
+<screen><literal>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</literal></screen>
+        </listitem>
+        <listitem>
+          <para>You want to be able to ping your computer to
+          ensure it's still alive:</para>
+<screen><literal>iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT
+iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT</literal></screen>
+        </listitem>
+        <listitem>
+          <para id='fw-BB-4' xreflabel="BusyBox example number 4">If
+          you are frequently accessing FTP servers or enjoy chatting, you might
+          notice certain delays because some implementations of these daemons
+          have the feature of querying an identd on your system to obtain
+          usernames. Although there's really little harm in this, having an
+          identd running is not recommended because many security experts feel
+          the service gives out too much additional information.</para>
+          <para>To avoid these delays you could reject the requests
+          with a 'tcp-reset':</para>
+<screen><literal>iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset</literal></screen>
+        </listitem>
+        <listitem>
+          <para>To log and drop invalid packets (packets
+          that came in after netfilter's timeout or some types of
+          network scans) insert these rules at the top of the chain:</para>
+<screen><literal>iptables -I INPUT 0 -p tcp -m conntrack --ctstate INVALID \
+  -j LOG --log-prefix "FIREWALL:INVALID "
+iptables -I INPUT 1 -p tcp -m conntrack --ctstate INVALID -j DROP</literal></screen>
+        </listitem>
+        <listitem>
+          <para>Anything coming from the outside should not have a
+          private address, this is a common attack called IP-spoofing:</para>
+<screen><literal>iptables -A INPUT -i ppp+ -s 10.0.0.0/8     -j DROP
+iptables -A INPUT -i ppp+ -s 172.16.0.0/12  -j DROP
+iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP</literal></screen>
+          <para>There are other addresses that you may also want to
+          drop: 0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3 (multicast and
+          experimental), 169.254.0.0/16 (Link Local Networks), and
+.0.2.0/24 (IANA defined test network).</para>
+        </listitem>
+        <listitem>
+          <para>If your firewall is a DHCP client, you need to allow
+          those packets:</para>
+<screen><literal>iptables -A INPUT  -i ppp0 -p udp -s 0.0.0.0 --sport 67 \
+   -d 255.255.255.255 --dport 68 -j ACCEPT</literal></screen>
+        </listitem>
+        <listitem>
+          <para>To simplify debugging and be fair to anyone who'd like
+          to access a service you have disabled, purposely or by mistake,
+          you could REJECT those packets that are dropped.</para>
+          <para>Obviously this must be done directly after logging as the very
+          last lines before the packets are dropped by policy:</para>
+<screen><literal>iptables -A INPUT -j REJECT</literal></screen>
+        </listitem>
+      </itemizedlist>
+      <para>These are only examples to show you some of the capabilities
+      of the firewall code in Linux. Have a look at the man page of iptables.
+      There you will find much more information. The port numbers needed for
+      this can be found in <filename>/etc/services</filename>, in case you
+      didn't find them by trial and error in your log file.</para>
+    </sect3>
+  </sect2>
+  <sect2 id="fw-finale" xreflabel="Conclusion">
     <title>Conclusion</title>
+    <caution>
+      <para>
+        The example configurations provided for <xref linkend="iptables"/> and
+        <xref linkend="nftables"/> are not intended to be a complete guide to
+        securing systems. Firewalling is a complex issue that requires careful
+        configuration. The configurations provided by BLFS are intended only to
+        give examples of how a firewall works. They are not intended to fit any
+        particular configuration and may not provide complete protection from
+        an attack.
+      </para>
+    </caution>
+    <para>
+      BLFS provides two utilities to manage the kernel Netfilter interface,
+      <xref linkend="iptables"/> and <xref linkend="nftables"/>.
+    </para>
+    <para>
+      <xref linkend="iptables"/> has been around since early 2.4 kernels, and
+      has been the standard since. If you plan not to use a configuration
+      utility, this is likely the set of tools that will be most familiar to
+      existing admins.
+    </para>
+    <para>
+      <xref linkend="nftables"/> is the successor to <xref linkend="iptables"/>
+      and provies all of the same functionality with a single userspace tool,
+      <command>nft</command>, that uses similar syntax to BSD's
+      <application>pf</application> utility, and may be easier for new users or
+      admins already familiar with that platform.
+    </para>
+    <para>
+      While both can be used in tandem, that is an advanced configuration and
+      you should decide on one or the other. Both pages include very simple
+      example configurations, and customization of the provided configurations
+      for your specific environment will be necessary if you elect to use
+      either without a configuration tool.
+    </para>
+    <para>
+      Additionally, a firewall management tool, <xref linkend="firewalld"/>, is
+      provided to greatly ease firewall configuration for both simple and
+      complex environments, and can be used with either tool. You should not
+      use the example configurations if you intend to use
+      <application>firewalld</application> to manage your firewall rules.
+    </para>
+    <para>
+      If you elect to configure manually, have a look at the
+      list of further reading below for more details. Here you will find a
+      list of URLs that contain comprehensive information about building
+      firewalls and further securing your system.
+    </para>
+    <para>Finally, there is one fact you must not forget: The effort spent
+    attacking a system corresponds to the value the cracker expects to gain
+    from it. If you are responsible for valuable information, you need to
+    spend the time to protect it properly.</para>
   </sect2>
   <sect2 id="fw-extra-info">
+  <sect2 id="postlfs-security-fw-extra" xreflabel="Extra Information">
     <title>Extra Information</title>
     <sect3>
       <title>Further Reading on Firewalls</title>
+    <sect3 id="fw-library" xreflabel="links for further reading">
+      <title>Where to Start with Further Reading on Firewalls</title>
       <blockquote>
         <literallayout>
 <ulink url="http://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables/nftables projects</ulink>
+<ulink url="http://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables project</ulink>
 <ulink url="http://www.netfilter.org/documentation/FAQ/netfilter-faq.html">Netfilter related FAQ</ulink>
 <ulink url="http://www.netfilter.org/documentation/index.html#HOWTO">Netfilter related HOWTO's</ulink>
-<ulink url="https://wiki.nftables.org/wiki-nftables/index.php/Main_Page">nftables HOWTO</ulink>
 <ulink url="http://en.tldp.org/LDP/nag2/x-087-2-firewall.html">en.tldp.org/LDP/nag2/x-087-2-firewall.html</ulink>
 <ulink url="http://en.tldp.org/HOWTO/Security-HOWTO.html">en.tldp.org/HOWTO/Security-HOWTO.html</ulink>
 …
       </blockquote>
+      <!-- The following are all dead links from the section above. They are
+           moved out of the section so the literallayout won't produce blank
+           lines in the rendered text
+<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire.html">www.ibm.com/developerworks/security/library/s-fire.html</ulink>
+<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire2.html">www.ibm.com/developerworks/security/library/s-fire2.html</ulink>
+<ulink url="http://www.interhack.net/pubs/fw-faq/">www.interhack.net/pubs/fw-faq/</ulink>
+<ulink url="http://www.linuxgazette.com/issue65/stumpel.html">www.linuxgazette.com/issue65/stumpel.html</ulink>
+<ulink url="http://www.linux-firewall-tools.com/linux/">www.linux-firewall-tools.com/linux/</ulink>
+<ulink url="http://logi.cc/linux/athome-firewall.php3">logi.cc/linux/athome-firewall.php3</ulink>
+<ulink url="http://www.robertgraham.com/pubs/firewall-seen.html">www.robertgraham.com/pubs/firewall-seen.html</ulink>
+      -->
     </sect3>

postlfs/security/iptables.xml

-              r8a9f48c
+              rf7415c4d
     <bridgehead renderas="sect4">Optional</bridgehead>
     <para role="optional">
       <xref linkend="nftables"/>,
+ <!--     <xref linkend="nftables"/>, -->
       <xref linkend="libpcap"/> (required for nfsypproxy support),
       <ulink url="https://github.com/tadamdam/bpf-utils">bpf-utils</ulink>
 …
       Include any connection tracking protocols that will be used, as well as
       any protocols that you wish to use for match support under the
       "Core Netfilter Configuration" section. The above options are enough
       for running <xref linkend="fw-persFw-ipt"/> below.
+      "Core Netfilter Configuration" section. <!--The above options are enough
+      for running <xref linkend="fw-persFw-ipt"/> below.-->
     </para>
 …
     <para>
       <parameter>--disable-nftables</parameter>: This switch disables building
       nftables compat. Omit this switch if you have installed
       <xref linkend="nftables"/>.
+      nftables compat. <!--Omit this switch if you have installed
+      <xref linkend="nftables"/>.-->
     </para>
 …
   </sect2>
+<!--
   <sect2 role="configuration">
     <title>Configuring iptables</title>
 …
 # and permit new connections related to established ones
 # (e.g. port mode ftp)
+iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A INPUT -m conntrack - -ctstate ESTABLISHED,RELATED -j ACCEPT
 # Log everything else. What's Windows' latest exploitable vulnerability?
 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
+iptables -A INPUT -j LOG - -log-prefix "FIREWALL:INPUT "
 # End $rc_base/rc.iptables</literal>
 …
 # and permit new connections related to established ones
 # (e.g. port mode ftp)
 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A INPUT -m conntrack - -ctstate ESTABLISHED,RELATED -j ACCEPT
 # Log everything else. What's Windows' latest exploitable vulnerability?
 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
+iptables -A INPUT -j LOG - -log-prefix "FIREWALL:INPUT "
 # End /etc/systemd/scripts/iptables</literal>
 …
 # Allow forwarding if the initiated on the intranet
 iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 iptables -A FORWARD ! -i WAN1 -m conntrack --ctstate NEW       -j ACCEPT
+iptables -A FORWARD -m conntrack - -ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD ! -i WAN1 -m conntrack - -ctstate NEW       -j ACCEPT
 # Do masquerading
 …
 # Log everything for debugging
 # (last of all rules, but before policy rules)
 iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT "
 iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
 iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "
+iptables -A INPUT   -j LOG - -log-prefix "FIREWALL:INPUT "
+iptables -A FORWARD -j LOG - -log-prefix "FIREWALL:FORWARD "
+iptables -A OUTPUT  -j LOG - -log-prefix "FIREWALL:OUTPUT "
 # Enable IP Forwarding
 …
 # Allow forwarding if the initiated on the intranet
 iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 iptables -A FORWARD ! -i WAN1 -m conntrack --ctstate NEW       -j ACCEPT
+iptables -A FORWARD -m conntrack - -ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD ! -i WAN1 -m conntrack - -ctstate NEW       -j ACCEPT
 # Do masquerading
 …
 # Log everything for debugging
 # (last of all rules, but before policy rules)
 iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT "
 iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
 iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "
+iptables -A INPUT   -j LOG - -log-prefix "FIREWALL:INPUT "
+iptables -A FORWARD -j LOG - -log-prefix "FIREWALL:FORWARD "
+iptables -A OUTPUT  -j LOG - -log-prefix "FIREWALL:OUTPUT "
 # Enable IP Forwarding
 …
 # Allow ping on the external interface
 #iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT
 #iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT
+#iptables -A INPUT  -p icmp -m icmp - -icmp-type echo-request -j ACCEPT
+#iptables -A OUTPUT -p icmp -m icmp - -icmp-type echo-reply   -j ACCEPT
 # Reject ident packets with TCP reset to avoid delays with FTP or IRC
 #iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset
+#iptables -A INPUT  -p tcp - -dport 113 -j REJECT - -reject-with tcp-reset
 # Allow HTTP and HTTPS to 192.168.0.2
 #iptables -A PREROUTING -t nat -i WAN1 -p tcp --dport 80 -j DNAT --to 192.168.0.2
 #iptables -A PREROUTING -t nat -i WAN1 -p tcp --dport 443 -j DNAT --to 192.168.0.2
 #iptables -A FORWARD -p tcp -d 192.168.0.2 --dport 80 -j ACCEPT
 #iptables -A FORWARD -p tcp -d 192.168.0.2 --dport 443 -j ACCEPT
+#iptables -A PREROUTING -t nat -i WAN1 -p tcp - -dport 80 -j DNAT - -to 192.168.0.2
+#iptables -A PREROUTING -t nat -i WAN1 -p tcp - -dport 443 -j DNAT - -to 192.168.0.2
+#iptables -A FORWARD -p tcp -d 192.168.0.2 - -dport 80 -j ACCEPT
+#iptables -A FORWARD -p tcp -d 192.168.0.2 - -dport 443 -j ACCEPT
 # End /etc/systemd/scripts/iptables</literal>
 …
       </para>
 <screen><literal>iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+<screen><literal>iptables -A INPUT -m conntrack - -ctstate ESTABLISHED,RELATED -j ACCEPT
 iptables -A OUTPUT -j ACCEPT</literal></screen>
 …
           </para>
 <screen><literal>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
 iptables -A INPUT  -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED \
+<screen><literal>iptables -A OUTPUT -p tcp - -dport 80 -j ACCEPT
+iptables -A INPUT  -p tcp - -sport 80 -m conntrack - -ctstate ESTABLISHED \
   -j ACCEPT</literal></screen>
 …
           </para>
 <screen><literal>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</literal></screen>
+<screen><literal>iptables -A OUTPUT -p udp - -dport 53 -j ACCEPT</literal></screen>
         </listitem>
 …
           </para>
 <screen><literal>iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT
 iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT</literal></screen>
+<screen><literal>iptables -A INPUT  -p icmp -m icmp - -icmp-type echo-request -j ACCEPT
+iptables -A OUTPUT -p icmp -m icmp - -icmp-type echo-reply   -j ACCEPT</literal></screen>
         </listitem>
 …
           </para>
 <screen><literal>iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset</literal></screen>
+<screen><literal>iptables -A INPUT  -p tcp - -dport 113 -j REJECT - -reject-with tcp-reset</literal></screen>
         </listitem>
 …
           </para>
 <screen><literal>iptables -I INPUT 0 -p tcp -m conntrack --ctstate INVALID \
   -j LOG --log-prefix "FIREWALL:INVALID "
 iptables -I INPUT 1 -p tcp -m conntrack --ctstate INVALID -j DROP</literal></screen>
+<screen><literal>iptables -I INPUT 0 -p tcp -m conntrack - -ctstate INVALID \
+  -j LOG - -log-prefix "FIREWALL:INVALID "
+iptables -I INPUT 1 -p tcp -m conntrack - -ctstate INVALID -j DROP</literal></screen>
         </listitem>
 …
           </para>
 <screen><literal>iptables -A INPUT  -i WAN1 -p udp -s 0.0.0.0 --sport 67 \
    -d 255.255.255.255 --dport 68 -j ACCEPT</literal></screen>
+<screen><literal>iptables -A INPUT  -i WAN1 -p udp -s 0.0.0.0 - -sport 67 \
+   -d 255.255.255.255 - -dport 68 -j ACCEPT</literal></screen>
         </listitem>
 …
   </sect2>
+-->
   <sect2 role="content">
     <title>Contents</title>

postlfs/security/security.xml

-              r8a9f48c
+              rf7415c4d
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="gpgme.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="haveged.xml"/>
+<!-- Leave in alphabetical order of now -->
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="iptables.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="firewalling.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="libcap.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="linux-pam.xml"/>
 …
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="tripwire.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="volume_key.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="firewalling.xml"/>
+<!--  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="firewalling.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="iptables.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="nftables.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="firewalld.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="firewalld.xml"/>-->
 </chapter>

Note: See TracChangeset for help on using the changeset viewer.

Download in other formats: