linux-from-scratch/glfs
1
0
Fork 0
mirror of https://github.com/Zeckmathederg/glfs.git synced 2025-02-01 21:12:12 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity
ff0741276b
glfs/postlfs/security/firewalling/kernel.xml
Mark Hymers f45b195302 Initial revision 
git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@3 af4574ff-66df-0310-9fd7-8a98e5e911e0
2002-07-07 20:28:42 +00:00

121 lines
3.3 KiB
XML
Raw Blame History

<sect2 id="postlfs-security-fw-kernel" xreflabel="getting a firewalling-enabled Kernel">
<title>Getting a firewalling-enabled Kernel</title>
<para>If you want your Linux-Box to do firewalling you must first ensure
that your kernel has been compiled with the relevant options turned on
<footnote><para>If you needed assistance howto configure, compile and install
a new kernel, refer back to chapter VIII of the LinuxFromScratch book,
<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html">Installing a kernel</ulink>
and eventually
<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html">Making the LFS system bootable</ulink>
; note, that you'll need to reboot
to actually run your new kernel.</para></footnote>.</para>
<para>How to configure your kernel, with enabling the options to be
either compiled into the kernel or as modules, depends on your personal
preferences and experience. Note, that for the quoted scripts it is assumed
that the modules need to be loaded at first.</para>
<table frame='none'>
<title>Essential config-options for a firewalling-enabled Kernel</title>
<tgroup cols='5'>
<colspec colnum='1' colwidth='8*' align='center'/>
<colspec colnum='2' colwidth='19*' align='left'/>
<colspec colnum='3' colwidth='11*' align='center'/>
<colspec colnum='4' colwidth='1*' align='center'/>
<colspec colnum='5' colwidth='14*' align='left'/>
<tbody>
<row>
<entry><emphasis><userinput>Networking options:</userinput></emphasis></entry>
<entry><userinput>Network packet filtering</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_NETFILTER</entry>
</row>
<row>
<entry></entry>
<entry><userinput>Unix domain sockets</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_UNIX</entry>
</row>
<row>
<entry></entry>
<entry><userinput>IP: TCP/IP networking</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_INET</entry>
</row>
<row>
<entry></entry>
<entry><userinput>IP: advanced router</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_IP_ADVANCED_ROUTER</entry>
</row>
<row>
<entry></entry>
<entry><userinput>IP: verbose route monitoring</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_IP_ROUTE_VERBOSE</entry>
</row>
<row>
<entry></entry>
<entry><userinput>IP: TCP Explicit Congestion Notification support</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_INET_ECN</entry>
</row>
<row>
<entry></entry>
<entry><userinput>IP: TCP syncookie support</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_SYN_COOKIES</entry>
</row>
<row>
<entry></entry>
<entry align='center'>
<emphasis><userinput>IP: Netfilter Configuration:</userinput></emphasis></entry>
<entry align='left'><userinput>every option</userinput></entry>
<entry>=</entry>
<entry>CONFIG_IP_NF_*</entry>
</row>
<row>
<entry></entry>
<entry align='right'><emphasis>WITHOUT:</emphasis></entry>
<entry align='left'><literallayout><userinput>ipchains (2.2-style) support
ipfw-adm (2.0-style) support</userinput></literallayout></entry>
<entry>w\</entry>
<entry>CONFIG_IP_NF_COMPAT_*</entry>
</row>
<row>
<entry></entry>
<entry><userinput>Fast switching</userinput></entry>
<entry>Make sure to disable it because it would setup a bypass around
your firewalling-rules.</entry>
<entry>w\</entry>
<entry>CONFIG_NET_FASTROUTE</entry>
</row>
</tbody>
</tgroup>
</table>
</sect2>
Reference in New Issue View Git Blame Copy Permalink