linux-from-scratch/glfs
1
0
Fork 0
mirror of https://github.com/Zeckmathederg/glfs.git synced 2025-02-01 21:12:12 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity
ff0741276b
glfs/postlfs/security/firewalling/intro.xml
Larry Lawrence ff0741276b Ghostscript and w3m from Igor 
git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@1045 af4574ff-66df-0310-9fd7-8a98e5e911e0
2003-09-10 01:16:47 +00:00

85 lines
4.2 KiB
XML
Raw Blame History

<sect2 id="postlfs-security-fw-intro" xreflabel="Firewalling Introduction">
<title>Introduction to Firewalling</title>
<para>The general purpose of a firewall is to protect a network
against malicious access by using a single machine as a firewall.
This does imply that the firewall is to be considered a single point
of failure, but it can make the administrators life a lot easier.</para>
<para>In a perfect world where you knew that every daemon or service
on every machine was perfectly configured and was immune to, e.g.,
buffer-overflows and any other imaginable problem regarding its
security, and where you trusted every user accessing your services
to aim no harm, you wouldn't need to do firewalling!
In the real world however, daemons may be misconfigured,
exploits against essential services are freely available, you
may wish to choose which services are accessible by certain machines,
you may wish to limit which machines or applications are allowed
to have internet access, or you may simply not trust some of your
apps or users.
In these situations you might benefit by using a firewall.</para>
<para>Don't assume however, that having a firewall makes careful
configuration redundant, nor that it makes any negligent
misconfiguration harmless, nor that it prevents anyone from exploiting a
service you intentionally offer but haven't recently updated or patched
after an exploit went public. Despite having a firewall, you need to
keep applications and daemons on your system well-configured and
up-to-date; a firewall is not a cure-all!</para>
</sect2>
<sect2>
<title>Meaning of the word firewall.</title>
<para>The word firewall can have several different meanings.</para>
<sect3><title><xref linkend="postlfs-security-fw-persFw"/></title>
<para>This is a setup or program, for Windows commercially sold by
companies such as Symantec, of which they claim or pretend that it
secures a home or desktop-pc with internet access. This topic is
highly relevant for users who do not know the ways their computers
might be accessed via the internet and how to disable these,
especially if they are always online and if they are connected via
broadband links.</para></sect3>
<sect3><title><xref linkend="postlfs-security-fw-masqRouter"/></title>
<para>This is a box placed between the internet and an intranet.
To minimize the risk of compromising the firewall itself it
should generally have only one role, that of protecting the intranet.
Although not completely riskless, the tasks of doing the routing
and eventually IP masquerading<footnote><para>rewriting IP-headers
of the packets it routes from clients with private IP-addresses onto
the internet so that they seem to come from the firewall
itself</para></footnote> are commonly considered harmless.</para></sect3>
<sect3><title><xref linkend="postlfs-security-fw-busybox"/></title>
<para>This is often an old box you may have retired and nearly forgotten,
performing masquerading or routing functions, but offering a bunch of
services, e.g., web-cache, mail, etc. This may be very commonly used
for home networks, but can definitely not to be considered as secure
anymore because the combining of server and router on one machine raises
the complexity of the setup.</para></sect3>
<sect3><title>Firewall with a demilitarized zone [not further described
here]</title>
<para>This box performs masquerading or routing, but grants public access to
some branch of your network which, because of public IP's and a physically
separated structure, is neither considered to be part of the inter- nor
intranet. These servers are those which must be easily accessible
from both the inter- and intranet. The firewall protects
them all.</para></sect3>
<sect3><title>Packetfilter / partly accessible net [partly described
here, see <xref linkend="postlfs-security-fw-busybox"/></title>
<para>Doing routing or masquerading, but permitting only selected
services to be accessible, sometimes only by selected internal users or boxes;
mostly used in highly secure business contexts, sometimes by distrusting
employers. This was the common configuration of a firewall at the time of
the Linux 2.2 kernel. It's still possible to configure a firewall this way,
but it makes the rules quite complex and lengthy.</para></sect3>
</sect2>
Reference in New Issue View Git Blame Copy Permalink