linux-from-scratch/glfs
1
0
Fork 0
mirror of https://github.com/Zeckmathederg/glfs.git synced 2025-01-24 23:32:12 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Tagged firewalling.xml

Browse Source 
git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@4197 af4574ff-66df-0310-9fd7-8a98e5e911e0
This commit is contained in:
Manuel Canales Esparcia 2005-05-13 21:53:44 +00:00
parent 1cc07529f8
commit 8920dfafdc
1 changed files with 319 additions and 263 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

582
postlfs/security/firewalling.xml
View File

@ -6,156 +6,179 @@
]>
<sect1 id="fw-firewall" xreflabel="Firewalling">
<sect1info>
<othername>$LastChangedBy$</othername>
<date>$Date$</date>
</sect1info>
<?dbhtml filename="firewall.html"?>
<title>Setting up a network firewall</title>
<?dbhtml filename="firewall.html"?>
<para>Before you read this part of the chapter, you should
have already installed iptables as described in the previous section.</para>
<sect1info>
<othername>$LastChangedBy$</othername>
<date>$Date$</date>
</sect1info>
<sect2 id="fw-intro" xreflabel="Firewalling Introduction">
<title>Introduction to Firewall Creation</title>
<title>Setting Up a Network Firewall</title>
<para>The general purpose of a firewall is to protect a computer or a network
against malicious access.</para>
<para>Before you read this part of the chapter, you should have
already installed iptables as described in the previous section.</para>
<para>In a perfect world, every daemon or service
on every machine is perfectly configured and immune to flaws such as
buffer overflows or other problems regarding its
security. Furthermore, you trust every user accessing your services.
In this world, you do not need to have a firewall.</para>
<sect2 id="fw-intro" xreflabel="Firewalling Introduction">
<title>Introduction to Firewall Creation</title>
<para>In the real world however, daemons may be misconfigured
and exploits against essential services are freely available. You
may wish to choose which services are accessible by certain machines or
you may wish to limit which machines or applications are allowed external
access. Alternatively, you may simply not trust some of your
applications or users. You are probably connected to the Internet. In this
world, a firewall is essential.</para>
<para>The general purpose of a firewall is to protect a computer or
a network against malicious access.</para>
<para>Don't assume however, that having a firewall makes careful configuration
redundant, or that it makes any negligent misconfiguration harmless. It doesn't
prevent anyone from exploiting a service you intentionally offer but haven't
recently updated or patched after an exploit went public. Despite having a
firewall, you need to keep applications and daemons on your system properly
configured and up to date. A firewall is not a cure all, but should be an
essential part of your overall security startegy.</para>
<para>In a perfect world, every daemon or service on every machine
is perfectly configured and immune to flaws such as buffer overflows
or other problems regarding its security. Furthermore, you trust
every user accessing your services. In this world, you do not need
to have a firewall.</para>
</sect2>
<para>In the real world however, daemons may be misconfigured and
exploits against essential services are freely available. You may
wish to choose which services are accessible by certain machines or
you may wish to limit which machines or applications are allowed
external access. Alternatively, you may simply not trust some of
your applications or users. You are probably connected to the
Internet. In this world, a firewall is essential.</para>
<sect2>
<title>Meaning of the word "firewall"</title>
<para>Don't assume however, that having a firewall makes careful
configuration redundant, or that it makes any negligent
misconfiguration harmless. It doesn't prevent anyone from exploiting
a service you intentionally offer but haven't recently updated or
patched after an exploit went public. Despite having a firewall, you
need to keep applications and daemons on your system properly
configured and up to date. A firewall is not a cure all, but should
be an essential part of your overall security startegy.</para>
<para>The word firewall can have several different meanings.</para>
</sect2>
<sect3><title><xref linkend="fw-persFw"/></title>
<sect2>
<title>Meaning of the Word "Firewall"</title>
<para>This is a hardware device or software program commercially sold by
companies such as Symantec which claims that it
secures a home or desktop computer with Internet access. This type of firewall is
highly relevant for users who do not know how their computers
might be accessed via the Internet or how to disable that access,
especially if they are always online and connected via
broadband links.</para></sect3>
<para>The word firewall can have several different meanings.</para>
<sect3>
<title><xref linkend="fw-masqRouter"/></title>
<sect3>
<title><xref linkend="fw-persFw"/></title>
<para>This is a system placed between the Internet and an intranet. To minimize
the risk of compromising the firewall itself, it should generally have only one
role&mdash;that of protecting the intranet. Although not completely risk free,
the tasks of doing the routing and IP masquerading (rewriting IP headers of
the packets it routes from clients with private IP addresses onto the Internet
so that they seem to come from the firewall itself) are commonly considered
relatively secure.</para>
</sect3>
<para>This is a hardware device or software program commercially
sold by companies such as Symantec which claims that it secures
a home or desktop computer with Internet access. This type of
firewall is highly relevant for users who do not know how their
computers might be accessed via the Internet or how to disable
that access, especially if they are always online and connected
via broadband links.</para>
<sect3>
<title><xref linkend="fw-busybox"/></title>
</sect3>
<para>This is often an old computer you may have retired and nearly forgotten,
performing masquerading or routing functions, but offering non-firewall
services such as a web-cache or mail. This may be used for home
networks, but is not be considered as secure as a firewall only
machine because the combination of server and router/firewall on one machine
raises the complexity of the setup.</para>
</sect3>
<sect3>
<title><xref linkend="fw-masqRouter"/></title>
<sect3>
<title>Firewall with a demilitarized zone [not further described here]</title>
<para>This box performs masquerading or routing, but grants public access to
some branch of your network which, because of public IP's and a physically
separated structure, is essentially a separate network with direct Internet access.
The servers on this network are those which must be easily accessible
from both the Internet and intranet. The firewall protects
both networks. This type of firewall has a minimum of three network interfaces.</para>
</sect3>
<para>This is a system placed between the Internet and an intranet.
To minimize the risk of compromising the firewall itself, it should
generally have only one role&mdash;that of protecting the intranet.
Although not completely risk free, the tasks of doing the routing and
IP masquerading (rewriting IP headers of the packets it routes from
clients with private IP addresses onto the Internet so that they seem
to come from the firewall itself) are commonly considered relatively
secure.</para>
<sect3>
<title>Packetfilter</title>
<para>This type of firewall does routing or masquerading, but does not maintain
a state table of ongoing communication streams. It is fast, but quite limited
in its ability to block inappropriate packets without blocking desired
packets.</para>
</sect3>
</sect2>
</sect3>
<sect2 id="fw-writing" xreflabel="writing the firewalling-setup-scripts">
<title>Now you can start to build your Firewall</title>
<sect3>
<title><xref linkend="fw-busybox"/></title>
<caution><para>This introduction on how to setup a firewall
is not a complete guide to securing systems. Firewalling is a complex issue
that requires careful configuration. The scripts quoted here are simply
intended to give examples of how a firewall works. They are not intended to
fit into any particular configuration and may not provide complete protection
from an attack.</para>
<para>This is often an old computer you may have retired and nearly
forgotten, performing masquerading or routing functions, but offering
non-firewall services such as a web-cache or mail. This may be used
for home networks, but is not be considered as secure as a firewall
only machine because the combination of server and router/firewall on
one machine raises the complexity of the setup.</para>
<para>Customization of these scripts for your specific situation will
be necessary for an optimal configuration, but you should make a serious
study of the iptables documentation and creating firewalls in general before
hacking away. Have a look at the list of
<xref linkend="fw-library"/> at the end of this section for
more details. There you will find a list of URLs that contain quite
comprehensive information about building your own firewall.</para>
</caution>
</sect3>
<para>The firewall configuration script installed in the last section differs
from the standard configuration script. It only has two of the standard
targets: start and status. The other targets are clear and lock. For instance when you
run:
<sect3>
<title>Firewall with a Demilitarized Zone [Not Further
Described Here]</title>
<screen><userinput><command>/etc/rc.d/init.d/iptables start</command></userinput></screen>
<para>This box performs masquerading or routing, but grants public
access to some branch of your network which, because of public IP's
and a physically separated structure, is essentially a separate
network with direct Internet access. The servers on this network are
those which must be easily accessible from both the Internet and
intranet. The firewall protects both networks. This type of firewall
has a minimum of three network interfaces.</para>
the firewall will be restarted just as it is upon system startup. The status target
will present a list of all currently implemented rules. The clear target turns off all
firewall rules and the lock target will block all packets in and out of the computer
with the exception of the loopback interface.</para>
</sect3>
<para>The main startup firewall is located in the file
<filename>/etc/rc.d/rc.iptables</filename>. The sections below provide three different
approaches that can be used for a system.</para>
<sect3>
<title>Packetfilter</title>
<note><para>You should always run your firewall rules from a script. This ensures
consistency and a record of what was done. It also allows retention of comments
that are essential for understanding the rules long after they were written.
</para></note>
<para>This type of firewall does routing or masquerading, but does
not maintain a state table of ongoing communication streams. It is
fast, but quite limited in its ability to block inappropriate packets
without blocking desired packets.</para>
<sect3 id="fw-persFw" xreflabel="Personal Firewall">
<title>Personal Firewall</title>
</sect3>
<para>A Personal Firewall is designed to let you access all the services
offered on the Internet, but keep your box secure and your data private.</para>
</sect2>
<para>Below is a slightly modified version of Rusty Russell's recommendation
from the
<ulink url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">
Linux 2.4 Packet Filtering HOWTO</ulink>. It is still applicable to the Linux 2.6 kernels.</para>
<sect2 id="fw-writing" xreflabel="writing the firewalling-setup-scripts">
<title>Now You Can Start to Build your Firewall</title>
<screen><userinput><command>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"</command>
#!/bin/sh
<caution>
<para>This introduction on how to setup a firewall is not a
complete guide to securing systems. Firewalling is a complex
issue that requires careful configuration. The scripts quoted
here are simply intended to give examples of how a firewall
works. They are not intended to fit into any particular
configuration and may not provide complete protection from
an attack.</para>
<para>Customization of these scripts for your specific situation
will be necessary for an optimal configuration, but you should
make a serious study of the iptables documentation and creating
firewalls in general before hacking away. Have a look at the
list of <xref linkend="fw-library"/> at the end of this section for
more details. There you will find a list of URLs that contain quite
comprehensive information about building your own firewall.</para>
</caution>
<para>The firewall configuration script installed in the last section
differs from the standard configuration script. It only has two of
the standard targets: start and status. The other targets are clear
and lock. For instance when you run:</para>
<screen role="root"><userinput>/etc/rc.d/init.d/iptables start</userinput></screen>
<para>the firewall will be restarted just as it is upon system startup.
The status target will present a list of all currently implemented
rules. The clear target turns off all firewall rules and the lock
target will block all packets in and out of the computer with the
exception of the loopback interface.</para>
<para>The main startup firewall is located in the file
<filename>/etc/rc.d/rc.iptables</filename>. The sections below provide
three different approaches that can be used for a system.</para>
<note>
<para>You should always run your firewall rules from a script.
This ensures consistency and a record of what was done. It also
allows retention of comments that are essential for understanding
the rules long after they were written.</para>
</note>
<sect3 id="fw-persFw" xreflabel="Personal Firewall">
<title>Personal Firewall</title>
<para>A Personal Firewall is designed to let you access all the
services offered on the Internet, but keep your box secure and
your data private.</para>
<para>Below is a slightly modified version of Rusty Russell's
recommendation from the <ulink
url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">
Linux 2.4 Packet Filtering HOWTO</ulink>. It is still applicable
to the Linux 2.6 kernels.</para>
<screen role="root"><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
<literal>#!/bin/sh
# Begin $rc_base/rc.iptables
@ -226,38 +249,41 @@ iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log everything else. What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
# End $rc_base/rc.iptables
<command>EOF</command></userinput></screen>
# End $rc_base/rc.iptables</literal>
EOF</userinput></screen>
<para>This script is quite simple, it drops all traffic coming in into your
computer that wasn't initiated from your box, but as long as you are simply
surfing the Internet you are unlikely to exceed its limits.</para>
<para>This script is quite simple, it drops all traffic coming
in into your computer that wasn't initiated from your box, but
as long as you are simply surfing the Internet you are unlikely
to exceed its limits.</para>
<para>If you frequently encounter certain delays at accessing ftp-servers,
take a look at <xref linkend="fw-BB-4"/>.</para>
<para>If you frequently encounter certain delays at accessing
ftp-servers, take a look at <xref linkend="fw-BB-4"/>.</para>
<para>Even if you have daemons or services running on your system, these
will be inaccessible everywhere but from your computer itself.
If you want to allow access to services on your machine, such as ssh or
ping, take a look at <xref linkend="fw-busybox"/>.</para>
<para>Even if you have daemons or services running on your system,
these will be inaccessible everywhere but from your computer itself.
If you want to allow access to services on your machine, such as
<command>ssh</command> or <command>ping</command>, take a look at
<xref linkend="fw-busybox"/>.</para>
</sect3>
</sect3>
<sect3 id="fw-masqRouter" xreflabel="Masquerading Router">
<title>Masquerading Router</title>
<sect3 id="fw-masqRouter" xreflabel="Masquerading Router">
<title>Masquerading Router</title>
<para>A true Firewall has two interfaces, one connected to an intranet, in this
example <emphasis role="strong">eth0</emphasis>, and one connected to the
Internet, here <emphasis role="strong">ppp0</emphasis>. To provide the
maximum security for the firewall itself, make sure that there
are no unnecessary servers running on it such as <application>X11</application> et
al. As a general principle, the firewall itself should not access any
untrusted service (Think of a remote server giving answers that makes a daemon on
your system
crash, or, even worse, that implements a worm via a buffer-overflow).</para>
<para>A true Firewall has two interfaces, one connected to an
intranet, in this example <emphasis role="strong">eth0</emphasis>,
and one connected to the Internet, here <emphasis
role="strong">ppp0</emphasis>. To provide the maximum security
for the firewall itself, make sure that there are no unnecessary
servers running on it such as <application>X11</application> et
al. As a general principle, the firewall itself should not access
any untrusted service (Think of a remote server giving answers that
makes a daemon on your system crash, or, even worse, that implements
a worm via a buffer-overflow).</para>
<screen><userinput><command>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"</command>
#!/bin/sh
<screen role="root"><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
<literal>#!/bin/sh
# Begin $rc_base/rc.iptables
@ -348,162 +374,189 @@ iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "
# Enable IP Forwarding
echo 1 &gt; /proc/sys/net/ipv4/ip_forward
<command>EOF</command></userinput></screen>
echo 1 &gt; /proc/sys/net/ipv4/ip_forward</literal>
EOF</userinput></screen>
<para>With this script your intranet should be reasonably secure against
external attacks. No one should be able to setup a new connection to any
internal service and, if it's masqueraded, makes your intranet invisible to the
Internet. Furthermore, your firewall should be relatively safe because there
are no services running that a cracker could attack.</para>
<para>With this script your intranet should be reasonably secure
against external attacks. No one should be able to setup a new
connection to any internal service and, if it's masqueraded,
makes your intranet invisible to the Internet. Furthermore, your
firewall should be relatively safe because there are no services
running that a cracker could attack.</para>
<note><para>If the interface you're connecting to the Internet doesn't connect
via ppp, you will need to change <replaceable>ppp+</replaceable> to the name of
the interface, e.g. <emphasis role="strong">eth1</emphasis>, which you are using.
</para></note>
<note>
<para>If the interface you're connecting to the Internet
doesn't connect via ppp, you will need to change
<replaceable>ppp+</replaceable> to the name of the interface,
e.g. <emphasis role="strong">eth1</emphasis>, which you are
using.</para>
</note>
</sect3>
</sect3>
<sect3 id="fw-busybox" xreflabel="BusyBox">
<title>BusyBox</title>
<sect3 id="fw-busybox" xreflabel="BusyBox">
<title>BusyBox</title>
<para>This scenario isn't too different from the <xref linkend="fw-masqRouter"/>,
but additionally offers some services to your intranet.
Examples of this can be when you want to administer your firewall from another host
on your intranet or use it as a proxy or a name server.</para>
<para>This scenario isn't too different from the <xref
linkend="fw-masqRouter"/>, but additionally offers some
services to your intranet. Examples of this can be when
you want to administer your firewall from another host on
your intranet or use it as a proxy or a name server.</para>
<note><para>Outlining a true concept of how to protect a server that offers
services on the Internet goes far beyond the scope of this document. See the references
at the end of this section for more information.</para></note>
<note>
<para>Outlining a true concept of how to protect a server that
offers services on the Internet goes far beyond the scope of
this document. See the references at the end of this section
for more information.</para>
</note>
<para>Be cautious. Every service you have enabled makes your
setup more complex and your firewall less secure. You are exposed to the risks of
misconfigured services or running a service with an exploitable bug. A
firewall should generally not run any extra services. See the introduction to
the <xref linkend="fw-masqRouter"/> for some more details.</para>
<para>Be cautious. Every service you have enabled makes your
setup more complex and your firewall less secure. You are
exposed to the risks of misconfigured services or running
a service with an exploitable bug. A firewall should generally
not run any extra services. See the introduction to the
<xref linkend="fw-masqRouter"/> for some more details.</para>
<para>If you want to add services such as internal samba or name servers that do not
need to access the Internet themselves, the additional statements are quite
simple and should still be acceptable from a security standpoint.
Just add the following lines
into the script <emphasis>before</emphasis> the logging rules.</para>
<para>If you want to add services such as internal samba or
name servers that do not need to access the Internet themselves,
the additional statements are quite simple and should still be
acceptable from a security standpoint. Just add the following lines
into the script <emphasis>before</emphasis> the logging rules.</para>
<screen>iptables -A INPUT -i ! ppp+ -j ACCEPT
iptables -A OUTPUT -o ! ppp+ -j ACCEPT</screen>
<screen><literal>iptables -A INPUT -i ! ppp+ -j ACCEPT
iptables -A OUTPUT -o ! ppp+ -j ACCEPT</literal></screen>
<para>If daemons, such as squid, have to access the Internet themselves,
you could open OUTPUT generally and restrict INPUT.</para>
<para>If daemons, such as squid, have to access the Internet
themselves, you could open OUTPUT generally and restrict
INPUT.</para>
<screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT</screen>
<screen><literal>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT</literal></screen>
<para>However, it is generally not advisable to leave OUTPUT unrestricted. You
lose any control over trojans who would like to "call home", and a bit of
redundancy in case you've (mis-)configured a service so that it broadcasts
its existence to the world.</para>
<para>However, it is generally not advisable to leave OUTPUT
unrestricted. You lose any control over trojans who would like
to "call home", and a bit of redundancy in case you've
(mis-)configured a service so that it broadcasts its existence
to the world.</para>
<para>To accomplish this, you should restrict INPUT and OUTPUT
on all ports except those that it's absolutely necessary to have open.
Which ports you have to open depends on your needs: mostly you will find them
by looking for failed accesses in your log files.</para>
<itemizedlist spacing="compact" role='iptables'>
<para>To accomplish this, you should restrict INPUT and OUTPUT
on all ports except those that it's absolutely necessary to have
open. Which ports you have to open depends on your needs: mostly
you will find them by looking for failed accesses in your log
files.</para>
<title>Have a look at the following examples:</title>
<itemizedlist spacing="compact" role='iptables'>
<title>Have a Look at the Following Examples:</title>
<listitem>
<para>Squid is caching the web:</para>
<listitem><para>Squid is caching the web:</para>
<screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
<screen><literal>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED \
-j ACCEPT</screen>
</listitem>
-j ACCEPT</literal></screen>
<listitem><para>Your caching name server (e.g., named) does its
lookups via udp:</para>
<screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</screen>
</listitem>
</listitem>
<listitem>
<para>Your caching name server (e.g., named) does its
lookups via udp:</para>
<listitem><para>You want to be able to ping your box to
ensure it's still alive:</para>
<screen><literal>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</literal></screen>
<screen>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</screen>
</listitem>
</listitem>
<listitem>
<para>You want to be able to ping your box to
ensure it's still alive:</para>
<listitem><para><anchor id='fw-BB-4' xreflabel="BusyBox example number 4"/>If you are
frequently accessing ftp servers or enjoy chatting, you might notice certain
delays because some implementations of these daemons have the feature of
querying an identd on your system to obtain usernames. Although there's really
little harm in this, having an identd running is not recommended because many
security experts feel the service gives out too much additional information.</para>
<screen><literal>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</literal></screen>
<para>To avoid these delays you could reject the requests
with a 'tcp-reset':</para>
</listitem>
<listitem>
<para><anchor id='fw-BB-4' xreflabel="BusyBox example number 4"/>If
you are frequently accessing ftp servers or enjoy chatting, you might
notice certain delays because some implementations of these daemons
have the feature of querying an identd on your system to obtain
usernames. Although there's really little harm in this, having an
identd running is not recommended because many security experts feel
the service gives out too much additional information.</para>
<screen>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset</screen>
</listitem>
<para>To avoid these delays you could reject the requests
with a 'tcp-reset':</para>
<listitem><para>To log and drop invalid packets (packets
that came in after netfilter's timeout or some types of network scans):</para>
<screen><literal>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset</literal></screen>
<screen>iptables -I INPUT -p tcp -m state --state INVALID \
</listitem>
<listitem>
<para>To log and drop invalid packets (packets
that came in after netfilter's timeout or some types of
network scans):</para>
<screen><literal>iptables -I INPUT -p tcp -m state --state INVALID \
-j LOG --log-prefix "FIREWALL:INVALID"
iptables -I INPUT -p tcp -m state --state INVALID -j DROP</screen></listitem>
iptables -I INPUT -p tcp -m state --state INVALID -j DROP</literal></screen>
<listitem><para>Anything coming from the outside should not have a
private address, this is a common attack called IP-spoofing:
</listitem>
<listitem>
<para>Anything coming from the outside should not have a
private address, this is a common attack called IP-spoofing:</para>
<screen>iptables -A INPUT -i ppp+ -s 10.0.0.0/8 -j DROP
<screen><literal>iptables -A INPUT -i ppp+ -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i ppp+ -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP</screen>
iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP</literal></screen>
There are other addresses that you may also want to drop: 0.0.0.0/8,
127.0.0.0/8, 224.0.0.0/3 (multicast and experimental), 169.254.0.0/16 (Link
Local Networks), and 192.0.2.0/24 (IANA defined test network).</para>
</listitem>
<para>There are other addresses that you may also want to
drop: 0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3 (multicast and
experimental), 169.254.0.0/16 (Link Local Networks), and
192.0.2.0/24 (IANA defined test network).</para>
</listitem>
<listitem>
<para>If your firewall is a DHCP client, you need to allow
those packets:</para>
<listitem><para>If your firewall is a DHCP client, you need to allow
those packets:</para>
<screen><literal>iptables -A INPUT -i ppp0 -p udp -s 0.0.0.0 --sport 67 \
-d 255.255.255.255 --dport 68 -j ACCEPT</literal></screen>
<screen>iptables -A INPUT -i ppp0 -p udp -s 0.0.0.0 --sport 67 \
-d 255.255.255.255 --dport 68 -j ACCEPT</screen>
</listitem>
</listitem>
<listitem>
<para>To simplify debugging and be fair to anyone who'd like
to access a service you have disabled, purposely or by mistake,
you could REJECT those packets that are dropped.</para>
<listitem><para>To simplify debugging and be fair to anyone who'd like to
access a service you have disabled, purposely or by mistake, you could REJECT
those packets that are dropped.</para>
<para>Obviously this must be done directly after logging as the very
last lines before the packets are dropped by policy:</para>
<para>Obviously this must be done directly after logging as the very
last lines before the packets are dropped by policy:</para>
<screen><literal>iptables -A INPUT -j REJECT</literal></screen>
<screen>iptables -A INPUT -j REJECT</screen>
</listitem>
</itemizedlist>
</listitem>
</itemizedlist>
<para>These are only examples to show you some of the capabilities of the
firewall code in Linux. Have a look at the man page of iptables.
There you will find much more information. The port numbers needed for this can be
found in <filename>/etc/services</filename>, in case you didn't find them by
trial and error in your log file.</para>
<para>These are only examples to show you some of the capabilities
of the firewall code in Linux. Have a look at the man page of iptables.
There you will find much more information. The port numbers needed for
this can be found in <filename>/etc/services</filename>, in case you
didn't find them by trial and error in your log file.</para>
</sect3>
</sect2>
</sect3>
<sect2 id="fw-finale" xreflabel="Conclusion">
<title>Conclusion</title>
</sect2>
<para>Finally, there is one fact you must not forget: The effort spent
attacking a system corresponds to the value the cracker expects to gain from
it. If you are responsible for valuable information, you need to spend the
time to protect it properly.</para>
<sect2 id="fw-finale" xreflabel="Conclusion">
<title>Conclusion</title>
</sect2>
<para>Finally, there is one fact you must not forget: The effort spent
attacking a system corresponds to the value the cracker expects to gain
from it. If you are responsible for valuable information, you need to
spend the time to protect it properly.</para>
<sect2 id="postlfs-security-fw-extra" xreflabel="Extra Information">
<title>Extra Information</title>
</sect2>
<sect3 id="fw-library" xreflabel="Links for further reading">
<title>Where to start with further reading on firewalls.</title>
<sect2 id="postlfs-security-fw-extra" xreflabel="Extra Information">
<title>Extra Information</title>
<para><blockquote><literallayout>
<sect3 id="fw-library" xreflabel="Links for further reading">
<title>Where to Start with Further Reading on Firewalls.</title>
<blockquote>
<literallayout>
<ulink url="http://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables project</ulink>
<ulink url="http://www.netfilter.org/documentation/FAQ/netfilter-faq.html">Netfilter related FAQ</ulink>
<ulink url="http://www.netfilter.org/documentation/index.html#HOWTO">Netfilter related HOWTO's</ulink>
@ -527,9 +580,12 @@ time to protect it properly.</para>
<ulink url="http://logi.cc/linux/athome-firewall.php3">logi.cc/linux/athome-firewall.php3</ulink>
<ulink url="http://www.insecure.org/reading.html">www.insecure.org/reading.html</ulink>
<ulink url="http://www.robertgraham.com/pubs/firewall-seen.html">www.robertgraham.com/pubs/firewall-seen.html</ulink>
</literallayout></blockquote></para>
</sect3>
</literallayout>
</blockquote>
</sect3>
</sect2>
</sect2>
</sect1>