linux-from-scratch/glfs
1
0
Fork 0
mirror of https://github.com/Zeckmathederg/glfs.git synced 2025-02-01 21:12:12 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity
39f01ca989
glfs/postlfs/security/firewalling/persfw.xml
Larry Lawrence 1aacd4b52e add imlib2 and openquicktime, edited firewalling chapter 
git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@1047 af4574ff-66df-0310-9fd7-8a98e5e911e0
2003-09-11 19:44:39 +00:00

65 lines
2.5 KiB
XML
Raw Blame History

<sect3 id="postlfs-security-fw-persFw" xreflabel="Personal Firewall">
<title>Personal Firewall</title>
<para>A Personal Firewall is supposed to let you access the all services
offered on the internet, but keep your box secure and your data private.</para>
<para>Below is a slightly modified version of Rusty Russell's
recommendation from the <ulink
url="http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/packet-filtering-HOWTO.linuxdoc-5.html">Linux
2.4 Packet Filtering HOWTO</ulink>:</para>
<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</command>
#!/bin/sh
# Begin $rc_base/init.d/firewall
# Insert connection-tracking modules (not needed if built into the kernel).
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe ipt_LOG
# allow local-only connections
iptables -A INPUT -i lo -j ACCEPT
# free output on any interface to any ip for any service (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT
# permit answers on already established connections
# and permit new connections related to established ones (eg active-ftp)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log everything else: What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
# set a sane policy: everything not accepted &gt; /dev/null
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
# disable ExplicitCongestionNotification - too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
# End $rc_base/init.d/firewall
<command>EOF</command></userinput></screen>
<para>His script is quite simple, it drops all traffic coming in into your
computer that wasn't initiated from your box, but as long as you are simply
surfing the internet you are unlikely to exceed its limits.</para>
<para>If you frequently encounter certain delays at accessing ftp-servers,
please have a look at <xref linkend="postlfs-security-fw-busybox"/> -
<xref linkend="postlfs-security-fw-BB-4"/>.</para>
<para>Even if you have daemons / services running on your box, these
should be inaccessible everywhere but from your box itself.
If you want to allow access to services on your machine, such as ssh or pinging,
take a look at <xref linkend="postlfs-security-fw-busybox"/>.</para>
</sect3>
Reference in New Issue View Git Blame Copy Permalink