Timestamp:
02/26/2020 04:20:10 PM (4 years ago)
Author:
Bruce Dubbs <bdubbs@…>
Branches:
10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 9.1, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
Children:
44621c7
Parents:
8a9f48c
Message:

Comment out the nftables and firewalld sections until
we can make them a bit more usable.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@22759 af4574ff-66df-0310-9fd7-8a98e5e911e0

File:
1 edited

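--- a/postlfs/security/iptables.xml
+++ b/postlfs/security/iptables.xml
@@ -75,5 +75,5 @@
     <bridgehead renderas="sect4">Optional</bridgehead>
     <para role="optional">
-      <xref linkend="nftables"/>,
+ <!--     <xref linkend="nftables"/>, -->
       <xref linkend="libpcap"/> (required for nfsypproxy support),
       <ulink url="https://github.com/tadamdam/bpf-utils">bpf-utils</ulink>
@@ -114,6 +114,6 @@
       Include any connection tracking protocols that will be used, as well as
       any protocols that you wish to use for match support under the
-      "Core Netfilter Configuration" section. The above options are enough
-      for running <xref linkend="fw-persFw-ipt"/> below.
+      "Core Netfilter Configuration" section. <!--The above options are enough
+      for running <xref linkend="fw-persFw-ipt"/> below.-->
     </para>
 
@@ -183,6 +183,6 @@
     <para>
       <parameter>--disable-nftables</parameter>: This switch disables building
-      nftables compat. Omit this switch if you have installed
-      <xref linkend="nftables"/>.
+      nftables compat. <!--Omit this switch if you have installed
+      <xref linkend="nftables"/>.-->
     </para>
 
@@ -210,5 +210,5 @@
 
   </sect2>
-
+<!--
   <sect2 role="configuration">
     <title>Configuring iptables</title>
@@ -319,8 +319,9 @@
 # and permit new connections related to established ones
 # (e.g. port mode ftp)
-iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+iptables -A INPUT -m conntrack - -ctstate ESTABLISHED,RELATED -j ACCEPT
 
 # Log everything else. What's Windows' latest exploitable vulnerability?
-iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
+iptables -A INPUT -j LOG - -log-prefix "FIREWALL:INPUT "
 
 # End $rc_base/rc.iptables</literal>
@@ -397,8 +398,8 @@
 # and permit new connections related to established ones
 # (e.g. port mode ftp)
-iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A INPUT -m conntrack - -ctstate ESTABLISHED,RELATED -j ACCEPT
 
 # Log everything else. What's Windows' latest exploitable vulnerability?
-iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
+iptables -A INPUT -j LOG - -log-prefix "FIREWALL:INPUT "
 
 # End /etc/systemd/scripts/iptables</literal>
@@ -518,6 +519,6 @@
 
 # Allow forwarding if the initiated on the intranet
-iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-iptables -A FORWARD ! -i WAN1 -m conntrack --ctstate NEW       -j ACCEPT
+iptables -A FORWARD -m conntrack - -ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD ! -i WAN1 -m conntrack - -ctstate NEW       -j ACCEPT
 
 # Do masquerading
@@ -527,7 +528,7 @@
 # Log everything for debugging
 # (last of all rules, but before policy rules)
-iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT "
-iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
-iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "
+iptables -A INPUT   -j LOG - -log-prefix "FIREWALL:INPUT "
+iptables -A FORWARD -j LOG - -log-prefix "FIREWALL:FORWARD "
+iptables -A OUTPUT  -j LOG - -log-prefix "FIREWALL:OUTPUT "
 
 # Enable IP Forwarding
@@ -612,6 +613,6 @@
 
 # Allow forwarding if the initiated on the intranet
-iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-iptables -A FORWARD ! -i WAN1 -m conntrack --ctstate NEW       -j ACCEPT
+iptables -A FORWARD -m conntrack - -ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD ! -i WAN1 -m conntrack - -ctstate NEW       -j ACCEPT
 
 # Do masquerading
@@ -621,7 +622,7 @@
 # Log everything for debugging
 # (last of all rules, but before policy rules)
-iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT "
-iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
-iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "
+iptables -A INPUT   -j LOG - -log-prefix "FIREWALL:INPUT "
+iptables -A FORWARD -j LOG - -log-prefix "FIREWALL:FORWARD "
+iptables -A OUTPUT  -j LOG - -log-prefix "FIREWALL:OUTPUT "
 
 # Enable IP Forwarding
@@ -632,15 +633,15 @@
 
 # Allow ping on the external interface
-#iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-#iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT
+#iptables -A INPUT  -p icmp -m icmp - -icmp-type echo-request -j ACCEPT
+#iptables -A OUTPUT -p icmp -m icmp - -icmp-type echo-reply   -j ACCEPT
 
 # Reject ident packets with TCP reset to avoid delays with FTP or IRC
-#iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset
+#iptables -A INPUT  -p tcp - -dport 113 -j REJECT - -reject-with tcp-reset
 
 # Allow HTTP and HTTPS to 192.168.0.2
-#iptables -A PREROUTING -t nat -i WAN1 -p tcp --dport 80 -j DNAT --to 192.168.0.2
-#iptables -A PREROUTING -t nat -i WAN1 -p tcp --dport 443 -j DNAT --to 192.168.0.2
-#iptables -A FORWARD -p tcp -d 192.168.0.2 --dport 80 -j ACCEPT
-#iptables -A FORWARD -p tcp -d 192.168.0.2 --dport 443 -j ACCEPT
+#iptables -A PREROUTING -t nat -i WAN1 -p tcp - -dport 80 -j DNAT - -to 192.168.0.2
+#iptables -A PREROUTING -t nat -i WAN1 -p tcp - -dport 443 -j DNAT - -to 192.168.0.2
+#iptables -A FORWARD -p tcp -d 192.168.0.2 - -dport 80 -j ACCEPT
+#iptables -A FORWARD -p tcp -d 192.168.0.2 - -dport 443 -j ACCEPT
 
 # End /etc/systemd/scripts/iptables</literal>
@@ -705,5 +706,5 @@
       </para>
 
-<screen><literal>iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+<screen><literal>iptables -A INPUT -m conntrack - -ctstate ESTABLISHED,RELATED -j ACCEPT
 iptables -A OUTPUT -j ACCEPT</literal></screen>
 
@@ -731,6 +732,6 @@
           </para>
 
-<screen><literal>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
-iptables -A INPUT  -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED \
+<screen><literal>iptables -A OUTPUT -p tcp - -dport 80 -j ACCEPT
+iptables -A INPUT  -p tcp - -sport 80 -m conntrack - -ctstate ESTABLISHED \
   -j ACCEPT</literal></screen>
 
@@ -741,5 +742,5 @@
           </para>
 
-<screen><literal>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</literal></screen>
+<screen><literal>iptables -A OUTPUT -p udp - -dport 53 -j ACCEPT</literal></screen>
 
         </listitem>
@@ -750,6 +751,6 @@
           </para>
 
-<screen><literal>iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT</literal></screen>
+<screen><literal>iptables -A INPUT  -p icmp -m icmp - -icmp-type echo-request -j ACCEPT
+iptables -A OUTPUT -p icmp -m icmp - -icmp-type echo-reply   -j ACCEPT</literal></screen>
 
         </listitem>
@@ -769,5 +770,5 @@
           </para>
 
-<screen><literal>iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset</literal></screen>
+<screen><literal>iptables -A INPUT  -p tcp - -dport 113 -j REJECT - -reject-with tcp-reset</literal></screen>
 
         </listitem>
@@ -779,7 +780,7 @@
           </para>
 
-<screen><literal>iptables -I INPUT 0 -p tcp -m conntrack --ctstate INVALID \
-  -j LOG --log-prefix "FIREWALL:INVALID "
-iptables -I INPUT 1 -p tcp -m conntrack --ctstate INVALID -j DROP</literal></screen>
+<screen><literal>iptables -I INPUT 0 -p tcp -m conntrack - -ctstate INVALID \
+  -j LOG - -log-prefix "FIREWALL:INVALID "
+iptables -I INPUT 1 -p tcp -m conntrack - -ctstate INVALID -j DROP</literal></screen>
 
         </listitem>
@@ -806,6 +807,6 @@
           </para>
 
-<screen><literal>iptables -A INPUT  -i WAN1 -p udp -s 0.0.0.0 --sport 67 \
-   -d 255.255.255.255 --dport 68 -j ACCEPT</literal></screen>
+<screen><literal>iptables -A INPUT  -i WAN1 -p udp -s 0.0.0.0 - -sport 67 \
+   -d 255.255.255.255 - -dport 68 -j ACCEPT</literal></screen>
 
         </listitem>
@@ -862,5 +863,5 @@
 
   </sect2>
-
+-->
   <sect2 role="content">
     <title>Contents</title>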
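Review bot: Every iptables example between the new `<!--` at line 212 and the `-->` at line 865 now reads `- -ctstate`, `- -log-prefix`, `- -dport` and so on, because `--` may not appear inside an XML comment, so the commented-out text is no longer valid iptables syntax and nothing in the file records that, which makes it likely that some of the roughly thirty rewritten options are missed when the section is restored. A short marker directly after the opening comment would make the round trip safe, e.g. `<!-- NOTE: the double-dash long options below are written as "- -" because a double dash is not allowed inside an XML comment; rejoin them when this section is restored.` The hunk at old line 321 also introduces an extra blank line before the first `iptables -A INPUT -m conntrack` rule (new line 321) that the otherwise identical systemd variant at new line 400 does not get, which looks unintentional. The commented-out region spans new lines 212 to 865 and most of its content lies between the hunks shown, so the rest of the configuration text is not visible here.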