Index: general/prog/decorator.xml =================================================================== --- general/prog/decorator.xml (nonexistent) +++ general/prog/decorator.xml (working copy) @@ -0,0 +1,117 @@ + + + %general-entities; + + + + + + + +]> + + + + decorator-&decorator-version; + + + decorator + + + + Introduction to decorator Module + + + The goal of the decorator module is to make + it easy to define signature-preserving function decorators and + decorator factories. + + + &lfs90_checked; + + Package Information + + + + Download (HTTP): + + + + + Download (FTP): + + + + + Download MD5 sum: &decorator-md5sum; + + + + + Download size: &decorator-size; + + + + + Estimated disk space required: &decorator-buildsize; + + + + + Estimated build time: &decorator-time; + + + + + User Notes: + + + + + + Installation of decorator + + Install decorator with the following commands: + +python3 setup.py build + + + This package does not come with a test suite. + + + + To install the decorator package with the following command as the + root user: + + +python3 setup.py install --optimize=1 + + + + + Contents + + + Installed Programs + Installed Libraries + Installed Directories + + + + None + + + /usr/lib/python&python3-majorver;/site-packages/decorator/decorator-&decorator-version;-py3.7.egg-info + + + /usr/lib/python&python3-majorver;/site-packages/decorator + + + + + + + + Property changes on: general/prog/decorator.xml ___________________________________________________________________ Added: svn:keywords ## -0,0 +1 ## +Date LastChangedBy \ No newline at end of property Index: general/prog/python-modules.xml =================================================================== --- general/prog/python-modules.xml (revision 22257) +++ general/prog/python-modules.xml (working copy) @@ -36,6 +36,11 @@ + + + + + @@ -126,6 +131,11 @@ + + + + + @@ -136,6 +146,9 @@ href="dbus-python.xml"/> + + + + Index: general/prog/slip.xml =================================================================== --- general/prog/slip.xml (nonexistent) +++ general/prog/slip.xml (working copy) @@ -0,0 +1,127 @@ + + + %general-entities; + + + + + + + +]> + + + + slip-&slip-version; + + + slip + + + + Introduction to slip Module + + + slip provides convenience, extension + and workaround code for Python and some Python modules. + + + &lfs90_checked; + + Package Information + + + + Download (HTTP): + + + + + Download (FTP): + + + + + Download MD5 sum: &slip-md5sum; + + + + + Download size: &slip-size; + + + + + Estimated disk space required: &slip-buildsize; + + + + + Estimated build time: &slip-time; + + + + + slip Dependencies + + Required + + and + + + + User Notes: + + + + + + Installation of slip + + + To build the slip module, run the + following commands: + + +sed 's/@VERSION@/0.6.5/' setup.py.in > setup.py && +python3 setup.py build + + + To install the slip module, + run the following command as the + root user: + + +python3 setup.py install --optimize=1 + + + + + Contents + + + Installed Programs + Installed Libraries + Installed Directories + + + + None + + + usr/lib/python&python3-majorver;/site-packages/slip-&slip-version;-py&python3-majorver;.egg-info + and + usr/lib/python&python3-majorver;/site-packages/slip.dbus-&slip-version;-py&python3-majorver;.egg-info + + + /usr/lib/python&python3-majorver;/site-packages/slip + + + + + + + + Property changes on: general/prog/slip.xml ___________________________________________________________________ Added: svn:keywords ## -0,0 +1 ## +Date LastChangedBy \ No newline at end of property Index: networking/netlibs/libmnl.xml =================================================================== --- networking/netlibs/libmnl.xml (nonexistent) +++ networking/netlibs/libmnl.xml (working copy) @@ -0,0 +1,152 @@ + + + %general-entities; + + + + + + + +]> + + + + + + $LastChangedBy$ + $Date$ + + + libmnl-&libmnl-version; + + + libmnl + + + + Introduction to libmnl + + + The libmnl library provides a minimalistic + user-space library oriented to Netlink developers. There are a lot of + common tasks in parsing, validating, constructing of both the Netlink + header and TLVs that are repetitive and easy to get wrong. This library + aims to provide simple helpers that allows you to re-use code and to + avoid re-inventing the wheel. + + + &lfs90_checked; + + Package Information + + + + Download (HTTP): + + + + + Download (FTP): + + + + + Download MD5 sum: &libmnl-md5sum; + + + + + Download size: &libmnl-size; + + + + + Estimated disk space required: &libmnl-buildsize; + + + + + Estimated build time: &libmnl-time; + + + + + User Notes: + + + + + + Installation of libmnl + + + Install libmnl by running the following + commands: + + +./configure --prefix=/usr && +make + + + This package does not come with a test suite. + + + + Now, as the root user: + + +make install && +mv /usr/lib/libmnl.so.* /lib && +ln -sfv ../../lib/$(readlink /usr/lib/libmnl.so) /usr/lib/libmnl.so + + + + + Command Explanations + + + mv -v /usr/lib/libmnl.so.* ...: Move shared + libraries into /lib so they are available before /usr is mounted. + + + + + + Contents + + + Installed Library + + + + libmnl.so + + + + + + Short Descriptions + + + + + libmnl.so + + + provides functions for parsing, validating, constructing of both + the Netlink header and TLVs. + + + libmnl.so + + + + + + + + + Property changes on: networking/netlibs/libmnl.xml ___________________________________________________________________ Added: svn:keywords ## -0,0 +1 ## +Date LastChangedBy \ No newline at end of property Index: networking/netlibs/libnftnl.xml =================================================================== --- networking/netlibs/libnftnl.xml (nonexistent) +++ networking/netlibs/libnftnl.xml (working copy) @@ -0,0 +1,178 @@ + + + %general-entities; + + + + + + + +]> + + + + + + $LastChangedBy$ + $Date$ + + + libnftnl-&libnftnl-version; + + + libnftnl + + + + Introduction to libnftnl + + + The libnftnl library provides a low-level + netlink programming interface (API) to the in-kernel nf_tables subsystem. + + + &lfs90_checked; + + Package Information + + + + Download (HTTP): + + + + + Download (FTP): + + + + + Download MD5 sum: &libnftnl-md5sum; + + + + + Download size: &libnftnl-size; + + + + + Estimated disk space required: &libnftnl-buildsize; + + + + + Estimated build time: &libnftnl-time; + + + + + libnftnl Dependencies + + Required + + + + + User Notes: + + + + + + Kernel Configuration + + + Enable the following options in the kernel configuration and recompile the + kernel if necessary: + + +[*] Networking support [CONFIG_NET] ---> + Networking options ---> + [*] Network packet filtering framework (Netfilter) [CONFIG_NETFILTER] ---> + Core Netfilter Configuration ---> + <*> Netfilter nf_tables support [CONFIG_NF_TABLES] + + + + + Installation of libnftnl + + + Install libnftnl by running the following + commands: + + +./configure --prefix=/usr && +make + + + This package does not come with a test suite. + + + + Now, as the root user: + + +make install && +mv /usr/lib/libnftnl.so.* /lib && +ln -sfv ../../lib/$(readlink /usr/lib/libnftnl.so) /usr/lib/libnftnl.so + + + + + Command Explanations + + + mv -v /usr/lib/libnftnl.so.* ...: Move shared + libraries into /lib so they are available before /usr is mounted. + + + + + + Contents + + + Installed Programs + Installed Libraries + Installed Directories + + + + None + + + libnftnl.so + + + None + + + + + + Short Descriptions + + + + + libnftnl.so + + + provides a netlink interface to the in-kernel nf_tables subsystem. + + + libnftnl.so + + + + + + + + + Property changes on: networking/netlibs/libnftnl.xml ___________________________________________________________________ Added: svn:keywords ## -0,0 +1 ## +Date LastChangedBy \ No newline at end of property Index: networking/netlibs/netlibs.xml =================================================================== --- networking/netlibs/netlibs.xml (revision 22257) +++ networking/netlibs/netlibs.xml (working copy) @@ -28,6 +28,8 @@ + + Index: packages.ent =================================================================== --- packages.ent (revision 22257) +++ packages.ent (working copy) @@ -11,6 +11,7 @@ + @@ -23,6 +24,7 @@ + @@ -515,6 +517,7 @@ + @@ -533,6 +536,7 @@ + @@ -577,6 +581,8 @@ + + Index: postlfs/security/firewalld.xml =================================================================== --- postlfs/security/firewalld.xml (nonexistent) +++ postlfs/security/firewalld.xml (working copy) @@ -0,0 +1,309 @@ + + + %general-entities; + + + + + + + +]> + + + + + + $LastChangedBy$ + $Date$ + + + Firewalld-&firewalld-version; + + + Firewalld + + + + Introduction to Firewalld + + + The Firewalld package provides a dynamically + managed firewall with support for network or firewall zones to define the + trust level of network connections or interfaces. It has support for + IPv4, IPv6 firewall settings and for ethernet bridges and a separation of + runtime and permanent configuration options. It also provides an + interface for services or applications to add nftables or iptables and + ebtables rules directly. + + + &lfs90_checked; + + Package Information + + + + Download (HTTP): + + + + + Download (FTP): + + + + + Download MD5 sum: &firewalld-md5sum; + + + + + Download size: &firewalld-size; + + + + + Estimated disk space required: &firewalld-buildsize; + + + + + Estimated build time: &firewalld-time; + + + + + Additional Downloads + + + + Required patch: + + + + + + Firewalld Dependencies + + Required + + or , + and + + + Recommended + + and (for building + the manual pages), and + ipset + for ipset support (only when used with iptables) + + + User Notes: + + + + + + Installation of Firewalld + + + Fix an issue with use of built-in kernel modules: + + +patch -Np1 -i ../firewalld-&firewalld-version;-builtin-1.patch + + + Install Firewalld by + running the following commands: + + +PYTHON=/usr/bin/python3 \ + ./configure --sysconfdir=/etc \ + --without-ipset && +make + +PYTHON=/usr/bin/python3 \ + ./configure --sysconfdir=/etc \ + --without-ipset \ + --disable-systemd && +make + + + To run the testsuite, isssue the command make test. + + + + + Prevent installation of the distributed firewalld init script with the + following command: + + +sed '/^am__append_3/,+1d' -i config/Makefile + + + Now, as the root user: + + +make install + + + + + Command Explanations + + + --without-ipset: This switch disables use of the + ipset utility. Omit if it is installed. + + + + --without-systemd: This command prevents + installation of systemd services. + + + + + + Configuring Firewalld + + + Config Files + + + /etc/sysconfig/firewalld + and /etc/firewalld/firewalld.conf + + + + /etc/firewalld/firewalld.conf + + + + + + <phrase revision="sysv">Init Script</phrase> + <phrase revision="systemd">Systemd Unit</phrase> + + + If you need to run the firewalld daemon at system + startup, install the /etc/rc.d/init.d/firewalld + init script included in the + package using the following command: + + + + If you need to run the firewalld daemon at system + startup, enable the previously installed + firewalld.service unit with the following command: + + + + firewalld + + +make install-firewalld + +systemctl enable firewalld + + + + + + + Contents + + + Installed Programs + Installed Libraries + Installed Directories + + + + firewall-applet, firewall-cmd, firewall-config, firewall-offline-cmd, + and firewalld + + + None + + + /etc/firewalld, + /etc/firewall, + /usr/lib/firewalld, and + /usr/lib/python-&python3-version;/site-packages/firewall + + + + + + Short Descriptions + + + + + firewall-applet + + + GUI frontend. + + + firwall-applet + + + + + + firewall-cmd + + + cli frontend. + + + firewall-cmd + + + + + + firewall-config + + + config dumper. + + + firewall-config + + + + + + firewall-offline-cmd + + + command to take firewall offline. + + + firewall-offline-cmd + + + + + + firewalld + + + firewall daemon. + + + firewalld + + + + + + + + + Property changes on: postlfs/security/firewalld.xml ___________________________________________________________________ Added: svn:keywords ## -0,0 +1 ## +LastChangedBy Date \ No newline at end of property Index: postlfs/security/firewalling.xml =================================================================== --- postlfs/security/firewalling.xml (revision 22257) +++ postlfs/security/firewalling.xml (working copy) @@ -15,95 +15,114 @@ Setting Up a Network Firewall - Before you read this part of the chapter, you should have - already installed iptables as described in the previous section. - Introduction to Firewall Creation - The general purpose of a firewall is to protect a computer or - a network against malicious access. + + The purpose of a firewall is to protect a computer or a network against + malicious access. In a perfect world, every daemon or service, on every + machine, is perfectly configured and immune to security flaws, and all + users are trusted implicitly to use the equipment as intended. However, + this is rarely, if ever, the case. Daemons may be misconfigured, or + updates may not have been applied for known exploits against essential + services. Additionally, you may wish to choose which services are + accessible by certain machines or users, or you may wish to limit which + machines or applications are allowed external access. Alternatively, you + simply may not trust some of your applications or users. For these + reasons, a carefully designed firewall should be an essential part of + system security. + - In a perfect world, every daemon or service on every machine - is perfectly configured and immune to flaws such as buffer overflows - or other problems regarding its security. Furthermore, you trust - every user accessing your services. In this world, you do not need - to have a firewall. + + While a firewall can greatly limit the scope of the above issues, do not + assume that having a firewall makes careful configuration redundant, or + that any negligent misconfiguration is harmless. A firewall does not + prevent exploitation of any service you offer outside of it. Despite + having a firewall, you need to keep applications and daemons properly + configured and up to date. + - In the real world however, daemons may be misconfigured and - exploits against essential services are freely available. You may - wish to choose which services are accessible by certain machines or - you may wish to limit which machines or applications are allowed - external access. Alternatively, you may simply not trust some of - your applications or users. You are probably connected to the - Internet. In this world, a firewall is essential. - - Don't assume however, that having a firewall makes careful - configuration redundant, or that it makes any negligent - misconfiguration harmless. It doesn't prevent anyone from exploiting - a service you intentionally offer but haven't recently updated or - patched after an exploit went public. Despite having a firewall, you - need to keep applications and daemons on your system properly - configured and up to date. A firewall is not a cure all, but should - be an essential part of your overall security strategy. - Meaning of the Word "Firewall" - The word firewall can have several different meanings. + + The word firewall can have several different meanings. + - <xref linkend="fw-persFw"/> + Personal Firewall - This is a hardware device or software program commercially sold (or - offered via freeware) by companies such as Symantec which claims that - it secures a home or desktop computer connected to the Internet. This - type of firewall is highly relevant for users who do not know how their - computers might be accessed via the Internet or how to disable - that access, especially if they are always online and connected - via broadband links. + + This is a hardware device or software program, intended to secure a + home or desktop computer connected to the Internet. This type of + firewall is highly relevant for users who do not know how their + computers might be accessed via the Internet or how to disable + that access, especially if they are always online and connected + via broadband links. + + + An example configuration for a personal firewall is provided at + . + + - <xref linkend="fw-masqRouter"/> + Masquerading Router - This is a system placed between the Internet and an intranet. - To minimize the risk of compromising the firewall itself, it should - generally have only one role—that of protecting the intranet. - Although not completely risk free, the tasks of doing the routing and - IP masquerading (rewriting IP headers of the packets it routes from - clients with private IP addresses onto the Internet so that they seem - to come from the firewall itself) are commonly considered relatively - secure. + + This is a system placed between the Internet and an intranet. + To minimize the risk of compromising the firewall itself, it should + generally have only one role—that of protecting the intranet. + Although not completely risk free, the tasks of doing the routing and + IP masquerading (rewriting IP headers of the packets it routes from + clients with private IP addresses onto the Internet so that they seem + to come from the firewall itself) are commonly considered relatively + secure. + + + Example configurations for a masquerading firewall are provided at + and + . + + - <xref linkend="fw-busybox"/> + BusyBox - This is often an old computer you may have retired and nearly - forgotten, performing masquerading or routing functions, but offering - non-firewall services such as a web-cache or mail. This may be used - for home networks, but is not to be considered as secure as a firewall - only machine because the combination of server and router/firewall on - one machine raises the complexity of the setup. + + This is often an old computer you may have retired and nearly + forgotten, performing masquerading or routing functions, but offering + non-firewall services such as a web-cache or mail. This may be used + for home networks, but is not to be considered as secure as a firewall + only machine because the combination of server and router/firewall on + one machine raises the complexity of the setup. + + + An example configuration for a BusyBox is provided at + . + + - Firewall with a Demilitarized Zone [Not Further - Described Here] + Firewall with a Demilitarized Zone - This box performs masquerading or routing, but grants public - access to some branch of your network which, because of public IPs - and a physically separated structure, is essentially a separate - network with direct Internet access. The servers on this network are - those which must be easily accessible from both the Internet and - intranet. The firewall protects both networks. This type of firewall - has a minimum of three network interfaces. + + This type of firewall performs masquerading or routing, but grants + public access to some branch of your network that is physically + separated from your regular intranet, and is essentially a separate + network with direct Internet access. The servers on this network are + those which must be easily accessible from both the Internet and + intranet. The firewall protects both networks. This type of firewall + has a minimum of three network interfaces. + @@ -110,632 +129,60 @@ Packetfilter - This type of firewall does routing or masquerading, but does - not maintain a state table of ongoing communication streams. It is - fast, but quite limited in its ability to block undesired packets - without blocking desired packets. + + This type of firewall does routing or masquerading, but does + not maintain a state table of ongoing communication streams. It is + fast, but quite limited in its ability to block undesired packets + without blocking desired packets. + - - Now You Can Start to Build your Firewall + + Conclusion - This introduction on how to setup a firewall is not a - complete guide to securing systems. Firewalling is a complex - issue that requires careful configuration. The scripts quoted - here are simply intended to give examples of how a firewall - works. They are not intended to fit into any particular - configuration and may not provide complete protection from - an attack. - - Customization of these scripts for your specific situation - will be necessary for an optimal configuration, but you should - make a serious study of the iptables documentation and creating - firewalls in general before hacking away. Have a look at the - list of at the end of this section for - more details. There you will find a list of URLs that contain quite - comprehensive information about building your own firewall. + + The example configurations provided for and + are not intended to be a complete guide to + securing systems. Firewalling is a complex issue that requires careful + configuration. The configurations provided by BLFS are intended only to + give examples of how a firewall works. They are not intended to fit any + particular configuration and may not provide complete protection from + an attack. + - The firewall configuration script installed in the - iptables section differs from the standard configuration script. It only - has two of the standard targets: start and status. The other targets are - clear and lock. For instance if you issue: + + BLFS provides two utilities to manage the kernel netfilter interface, the + tried and true , and its newer replacment, + . Both pages include very simple example + configurations, and customization of the provided configurations for your + specific environment will be necessary. Additionally, a firewall + management tool, , is provided to greatly + ease firewall configuration for both simple and complex environments. + If you elect to configure manually, have a look at the + list of further reading below for more details. Here you will find a + list of URLs that contain comprehensive information about building + firewalls and further securing your system. + -/etc/rc.d/init.d/iptables start - - the firewall will be restarted just as it is upon - system startup. The status target will present a list of all currently - implemented rules. The clear target turns off all firewall rules and the - lock target will block all packets in and out of the computer with the - exception of the loopback interface. - - The main startup firewall is located in the file - /etc/rc.d/rc.iptables. The sections below provide - three different approaches that can be used for a system. - - The main startup firewall is located in the file - /etc/systemd/scripts/iptables. The sections below - provide three different approaches that can be used for a system. - - - You should always run your firewall rules from a script. - This ensures consistency and a record of what was done. It also - allows retention of comments that are essential for understanding - the rules long after they were written. - - - - Personal Firewall - - A Personal Firewall is designed to let you access all the - services offered on the Internet, but keep your box secure and - your data private. - - Below is a slightly modified version of Rusty Russell's - recommendation from the - Linux 2.4 Packet Filtering HOWTO. It is still applicable - to the Linux 2.6 kernels. - -cat > /etc/rc.d/rc.iptables << "EOF" -#!/bin/sh - -# Begin rc.iptables - -# Insert connection-tracking modules -# (not needed if built into the kernel) -modprobe nf_conntrack -modprobe xt_LOG - -# Enable broadcast echo Protection -echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts - -# Disable Source Routed Packets -echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route -echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route - -# Enable TCP SYN Cookie Protection -echo 1 > /proc/sys/net/ipv4/tcp_syncookies - -# Disable ICMP Redirect Acceptance -echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects - -# Do not send Redirect Messages -echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects -echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects - -# Drop Spoofed Packets coming in on an interface, where responses -# would result in the reply going out a different interface. -echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter -echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter - -# Log packets with impossible addresses. -echo 1 > /proc/sys/net/ipv4/conf/all/log_martians -echo 1 > /proc/sys/net/ipv4/conf/default/log_martians - -# be verbose on dynamic ip-addresses (not needed in case of static IP) -echo 2 > /proc/sys/net/ipv4/ip_dynaddr - -# disable Explicit Congestion Notification -# too many routers are still ignorant -echo 0 > /proc/sys/net/ipv4/tcp_ecn - -# Set a known state -iptables -P INPUT DROP -iptables -P FORWARD DROP -iptables -P OUTPUT DROP - -# These lines are here in case rules are already in place and the -# script is ever rerun on the fly. We want to remove all rules and -# pre-existing user defined chains before we implement new rules. -iptables -F -iptables -X -iptables -Z - -iptables -t nat -F - -# Allow local-only connections -iptables -A INPUT -i lo -j ACCEPT - -# Free output on any interface to any ip for any service -# (equal to -P ACCEPT) -iptables -A OUTPUT -j ACCEPT - -# Permit answers on already established connections -# and permit new connections related to established ones -# (e.g. port mode ftp) -iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT - -# Log everything else. What's Windows' latest exploitable vulnerability? -iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " - -# End $rc_base/rc.iptables -EOF -chmod 700 /etc/rc.d/rc.iptables - - -install -v -dm755 /etc/systemd/scripts - -cat > /etc/systemd/scripts/iptables << "EOF" -#!/bin/sh - -# Begin /etc/systemd/scripts/iptables - -# Insert connection-tracking modules -# (not needed if built into the kernel) -modprobe nf_conntrack -modprobe xt_LOG - -# Enable broadcast echo Protection -echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts - -# Disable Source Routed Packets -echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route -echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route - -# Enable TCP SYN Cookie Protection -echo 1 > /proc/sys/net/ipv4/tcp_syncookies - -# Disable ICMP Redirect Acceptance -echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects - -# Do not send Redirect Messages -echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects -echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects - -# Drop Spoofed Packets coming in on an interface, where responses -# would result in the reply going out a different interface. -echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter -echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter - -# Log packets with impossible addresses. -echo 1 > /proc/sys/net/ipv4/conf/all/log_martians -echo 1 > /proc/sys/net/ipv4/conf/default/log_martians - -# be verbose on dynamic ip-addresses (not needed in case of static IP) -echo 2 > /proc/sys/net/ipv4/ip_dynaddr - -# disable Explicit Congestion Notification -# too many routers are still ignorant -echo 0 > /proc/sys/net/ipv4/tcp_ecn - -# Set a known state -iptables -P INPUT DROP -iptables -P FORWARD DROP -iptables -P OUTPUT DROP - -# These lines are here in case rules are already in place and the -# script is ever rerun on the fly. We want to remove all rules and -# pre-existing user defined chains before we implement new rules. -iptables -F -iptables -X -iptables -Z - -iptables -t nat -F - -# Allow local-only connections -iptables -A INPUT -i lo -j ACCEPT - -# Free output on any interface to any ip for any service -# (equal to -P ACCEPT) -iptables -A OUTPUT -j ACCEPT - -# Permit answers on already established connections -# and permit new connections related to established ones -# (e.g. port mode ftp) -iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT - -# Log everything else. What's Windows' latest exploitable vulnerability? -iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " - -# End /etc/systemd/scripts/iptables -EOF -chmod 700 /etc/systemd/scripts/iptables - - This script is quite simple, it drops all traffic coming - into your computer that wasn't initiated from your computer, but - as long as you are simply surfing the Internet you are unlikely - to exceed its limits. - - If you frequently encounter certain delays at accessing - FTP servers, take a look at . - - Even if you have daemons or services running on your system, - these will be inaccessible everywhere but from your computer itself. - If you want to allow access to services on your machine, such as - ssh or ping, take a look at - . - - - - - Masquerading Router - - A true Firewall has two interfaces, one connected to an - intranet, in this example eth0, - and one connected to the Internet, here ppp0. To provide the maximum security - for the firewall itself, make sure that there are no unnecessary - servers running on it such as X11 et - al. As a general principle, the firewall itself should not access - any untrusted service (think of a remote server giving answers that - makes a daemon on your system crash, or even worse, that implements - a worm via a buffer-overflow). - -cat > /etc/rc.d/rc.iptables << "EOF" -#!/bin/sh - -# Begin rc.iptables - -echo -echo "You're using the example configuration for a setup of a firewall" -echo "from Beyond Linux From Scratch." -echo "This example is far from being complete, it is only meant" -echo "to be a reference." -echo "Firewall security is a complex issue, that exceeds the scope" -echo "of the configuration rules below." -echo "You can find additional information" -echo "about firewalls in Chapter 4 of the BLFS book." -echo "http://www.&lfs-domainname;/blfs" -echo - -# Insert iptables modules (not needed if built into the kernel). - -modprobe nf_conntrack -modprobe nf_conntrack_ftp -modprobe xt_conntrack -modprobe xt_LOG -modprobe xt_state - -# Enable broadcast echo Protection -echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts - -# Disable Source Routed Packets -echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route - -# Enable TCP SYN Cookie Protection -echo 1 > /proc/sys/net/ipv4/tcp_syncookies - -# Disable ICMP Redirect Acceptance -echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects - -# Don't send Redirect Messages -echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects - -# Drop Spoofed Packets coming in on an interface where responses -# would result in the reply going out a different interface. -echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter - -# Log packets with impossible addresses. -echo 1 > /proc/sys/net/ipv4/conf/all/log_martians - -# Be verbose on dynamic ip-addresses (not needed in case of static IP) -echo 2 > /proc/sys/net/ipv4/ip_dynaddr - -# Disable Explicit Congestion Notification -# Too many routers are still ignorant -echo 0 > /proc/sys/net/ipv4/tcp_ecn - -# Set a known state -iptables -P INPUT DROP -iptables -P FORWARD DROP -iptables -P OUTPUT DROP - -# These lines are here in case rules are already in place and the -# script is ever rerun on the fly. We want to remove all rules and -# pre-existing user defined chains before we implement new rules. -iptables -F -iptables -X -iptables -Z - -iptables -t nat -F - -# Allow local connections -iptables -A INPUT -i lo -j ACCEPT -iptables -A OUTPUT -o lo -j ACCEPT - -# Allow forwarding if the initiated on the intranet -iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -iptables -A FORWARD ! -i ppp+ -m conntrack --ctstate NEW -j ACCEPT - -# Do masquerading -# (not needed if intranet is not using private ip-addresses) -iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE - -# Log everything for debugging -# (last of all rules, but before policy rules) -iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " -iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD " -iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT " - -# Enable IP Forwarding -echo 1 > /proc/sys/net/ipv4/ip_forward -EOF -chmod 700 /etc/rc.d/rc.iptables - -install -v -dm755 /etc/systemd/scripts - -cat > /etc/systemd/scripts/iptables << "EOF" -#!/bin/sh - -# Begin /etc/systemd/scripts/iptables - -echo -echo "You're using the example configuration for a setup of a firewall" -echo "from Beyond Linux From Scratch." -echo "This example is far from being complete, it is only meant" -echo "to be a reference." -echo "Firewall security is a complex issue, that exceeds the scope" -echo "of the configuration rules below." - -echo "You can find additional information" -echo "about firewalls in Chapter 4 of the BLFS book." -echo "http://www.&lfs-domainname;/blfs" -echo - -# Insert iptables modules (not needed if built into the kernel). - -modprobe nf_conntrack -modprobe nf_conntrack_ftp -modprobe xt_conntrack -modprobe xt_LOG -modprobe xt_state - -# Enable broadcast echo Protection -echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts - -# Disable Source Routed Packets -echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route - -# Enable TCP SYN Cookie Protection -echo 1 > /proc/sys/net/ipv4/tcp_syncookies - -# Disable ICMP Redirect Acceptance -echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects - -# Don't send Redirect Messages -echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects - -# Drop Spoofed Packets coming in on an interface where responses -# would result in the reply going out a different interface. -echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter - -# Log packets with impossible addresses. -echo 1 > /proc/sys/net/ipv4/conf/all/log_martians - -# Be verbose on dynamic ip-addresses (not needed in case of static IP) -echo 2 > /proc/sys/net/ipv4/ip_dynaddr - -# Disable Explicit Congestion Notification -# Too many routers are still ignorant -echo 0 > /proc/sys/net/ipv4/tcp_ecn - -# Set a known state -iptables -P INPUT DROP -iptables -P FORWARD DROP -iptables -P OUTPUT DROP - -# These lines are here in case rules are already in place and the -# script is ever rerun on the fly. We want to remove all rules and -# pre-existing user defined chains before we implement new rules. -iptables -F -iptables -X -iptables -Z - -iptables -t nat -F - -# Allow local connections -iptables -A INPUT -i lo -j ACCEPT -iptables -A OUTPUT -o lo -j ACCEPT - -# Allow forwarding if the initiated on the intranet -iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -iptables -A FORWARD ! -i ppp+ -m conntrack --ctstate NEW -j ACCEPT - -# Do masquerading -# (not needed if intranet is not using private ip-addresses) -iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE - -# Log everything for debugging -# (last of all rules, but before policy rules) -iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " -iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD " -iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT " - -# Enable IP Forwarding -echo 1 > /proc/sys/net/ipv4/ip_forward - -# End /etc/systemd/scripts/iptables -EOF -chmod 700 /etc/systemd/scripts/iptables - - With this script your intranet should be reasonably secure - against external attacks. No one should be able to setup a new - connection to any internal service and, if it's masqueraded, - makes your intranet invisible to the Internet. Furthermore, your - firewall should be relatively safe because there are no services - running that a cracker could attack. - - - If the interface you're connecting to the Internet - doesn't connect via PPP, you will need to change - <ppp+> to the name of the interface - (e.g., eth1) which you are - using. - - - - - - BusyBox - - This scenario isn't too different from the , but additionally offers some - services to your intranet. Examples of this can be when - you want to administer your firewall from another host on - your intranet or use it as a proxy or a name server. - - - Outlining a true concept of how to protect a server that - offers services on the Internet goes far beyond the scope of - this document. See the references at the end of this section - for more information. - - - Be cautious. Every service you have enabled makes your - setup more complex and your firewall less secure. You are - exposed to the risks of misconfigured services or running - a service with an exploitable bug. A firewall should generally - not run any extra services. See the introduction to the - for some more details. - - If you want to add services such as internal Samba or - name servers that do not need to access the Internet themselves, - the additional statements are quite simple and should still be - acceptable from a security standpoint. Just add the following lines - into the script before the logging rules. - -iptables -A INPUT -i ! ppp+ -j ACCEPT -iptables -A OUTPUT -o ! ppp+ -j ACCEPT - - If daemons, such as squid, have to access the Internet - themselves, you could open OUTPUT generally and restrict - INPUT. - -iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -iptables -A OUTPUT -j ACCEPT - - However, it is generally not advisable to leave OUTPUT - unrestricted. You lose any control over trojans who would like - to "call home", and a bit of redundancy in case you've - (mis-)configured a service so that it broadcasts its existence - to the world. - - To accomplish this, you should restrict INPUT and OUTPUT - on all ports except those that it's absolutely necessary to have - open. Which ports you have to open depends on your needs: mostly - you will find them by looking for failed accesses in your log - files. - - - Have a Look at the Following Examples: - - Squid is caching the web: - -iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT -iptables -A INPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED \ - -j ACCEPT - - - - Your caching name server (e.g., named) does its - lookups via UDP: - -iptables -A OUTPUT -p udp --dport 53 -j ACCEPT - - - - You want to be able to ping your computer to - ensure it's still alive: - -iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT -iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT - - - - If - you are frequently accessing FTP servers or enjoy chatting, you might - notice certain delays because some implementations of these daemons - have the feature of querying an identd on your system to obtain - usernames. Although there's really little harm in this, having an - identd running is not recommended because many security experts feel - the service gives out too much additional information. - - To avoid these delays you could reject the requests - with a 'tcp-reset': - -iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset - - - - To log and drop invalid packets (packets - that came in after netfilter's timeout or some types of - network scans) insert these rules at the top of the chain: - -iptables -I INPUT 0 -p tcp -m conntrack --ctstate INVALID \ - -j LOG --log-prefix "FIREWALL:INVALID " -iptables -I INPUT 1 -p tcp -m conntrack --ctstate INVALID -j DROP - - - - Anything coming from the outside should not have a - private address, this is a common attack called IP-spoofing: - -iptables -A INPUT -i ppp+ -s 10.0.0.0/8 -j DROP -iptables -A INPUT -i ppp+ -s 172.16.0.0/12 -j DROP -iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP - - There are other addresses that you may also want to - drop: 0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3 (multicast and - experimental), 169.254.0.0/16 (Link Local Networks), and - 192.0.2.0/24 (IANA defined test network). - - - If your firewall is a DHCP client, you need to allow - those packets: - -iptables -A INPUT -i ppp0 -p udp -s 0.0.0.0 --sport 67 \ - -d 255.255.255.255 --dport 68 -j ACCEPT - - - - To simplify debugging and be fair to anyone who'd like - to access a service you have disabled, purposely or by mistake, - you could REJECT those packets that are dropped. - - Obviously this must be done directly after logging as the very - last lines before the packets are dropped by policy: - -iptables -A INPUT -j REJECT - - - - - These are only examples to show you some of the capabilities - of the firewall code in Linux. Have a look at the man page of iptables. - There you will find much more information. The port numbers needed for - this can be found in /etc/services, in case you - didn't find them by trial and error in your log file. - - - - - Conclusion - - Finally, there is one fact you must not forget: The effort spent - attacking a system corresponds to the value the cracker expects to gain - from it. If you are responsible for valuable information, you need to - spend the time to protect it properly. - - - - + Extra Information - - Where to Start with Further Reading on Firewalls + + Further Reading on Firewalls
-www.netfilter.org - Homepage of the netfilter/iptables project +www.netfilter.org - Homepage of the netfilter/iptables/nftables projects Netfilter related FAQ Netfilter related HOWTO's +nftables HOWTO en.tldp.org/LDP/nag2/x-087-2-firewall.html en.tldp.org/HOWTO/Security-HOWTO.html en.tldp.org/HOWTO/Firewall-HOWTO.html @@ -752,20 +199,6 @@
- - Index: postlfs/security/iptables.xml =================================================================== --- postlfs/security/iptables.xml (revision 22257) +++ postlfs/security/iptables.xml (working copy) @@ -30,10 +30,8 @@ Introduction to Iptables - The next part of this chapter deals with firewalls. The principal - firewall tool for Linux is Iptables. You will - need to install Iptables if you intend on using - any form of a firewall. + Iptables is a userspace command line program + used to configure Linux 2.4 and later kernel packet filtering ruleset. &lfs90_checked; @@ -76,7 +74,7 @@ Optional - nftables + @@ -89,10 +87,9 @@ Kernel Configuration - A firewall in Linux is accomplished through a portion of the - kernel called netfilter. The interface to netfilter is - Iptables. To use it, the appropriate - kernel configuration parameters are found in: + A firewall in Linux is accomplished through the netfilter interface. To + use Iptables to configure netfilter, the + following kernel configuration parameters are required: [*] Networking support ---> [CONFIG_NET] @@ -118,16 +115,9 @@ how to change the KERNEL_DIR= parameter to point at the Linux source code. Note that if you upgrade the kernel version, you may also need to recompile - Iptables and that the BLFS team has not tested - using the raw kernel headers. + Iptables and that the BLFS team has not + tested using the raw kernel headers. - - - For some non-x86 architectures, the raw kernel headers may be - required. In that case, modify the KERNEL_DIR= - parameter to point at the Linux source - code. - @@ -142,9 +132,13 @@ --with-xtlibdir=/lib/xtables && make - This package does not come with a test suite. + + This package does not come with a test suite. + - Now, as the root user: + + Now, as the root user: + make install && ln -sfv ../../sbin/xtables-legacy-multi /usr/bin/iptables-xml && @@ -162,7 +156,8 @@ --disable-nftables: This switch disables building - nftables compat. Omit this switch if you have installed nftables. + nftables compat. Omit this switch if you have installed + . @@ -192,11 +187,619 @@ Configuring Iptables - - Introductory instructions for configuring your firewall are - presented in the next section: - + + + In the follwoing example configurations, LAN1 is used for the internal LAN interface, + and WAN1 is used for the external + interaces connected to the internet. You will need to replace these + values with appropriate interface names for your system. + + + + Personal Firewall + + + A Personal Firewall is designed to let you access all the + services offered on the Internet, but keep your box secure and + your data private. + + + + Below is a slightly modified version of Rusty Russell's + recommendation from the + Linux 2.4 Packet Filtering HOWTO. It is still applicable + to the Linux 3.x kernels. + + +cat > /etc/rc.d/rc.iptables << "EOF" +#!/bin/sh + +# Begin rc.iptables + +# Insert connection-tracking modules +# (not needed if built into the kernel) +modprobe nf_conntrack +modprobe xt_LOG + +# Enable broadcast echo Protection +echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts + +# Disable Source Routed Packets +echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route +echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route + +# Enable TCP SYN Cookie Protection +echo 1 > /proc/sys/net/ipv4/tcp_syncookies + +# Disable ICMP Redirect Acceptance +echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects + +# Do not send Redirect Messages +echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects +echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects + +# Drop Spoofed Packets coming in on an interface, where responses +# would result in the reply going out a different interface. +echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter +echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter + +# Log packets with impossible addresses. +echo 1 > /proc/sys/net/ipv4/conf/all/log_martians +echo 1 > /proc/sys/net/ipv4/conf/default/log_martians + +# be verbose on dynamic ip-addresses (not needed in case of static IP) +echo 2 > /proc/sys/net/ipv4/ip_dynaddr + +# disable Explicit Congestion Notification +# too many routers are still ignorant +echo 0 > /proc/sys/net/ipv4/tcp_ecn + +# Set a known state +iptables -P INPUT DROP +iptables -P FORWARD DROP +iptables -P OUTPUT DROP + +# These lines are here in case rules are already in place and the +# script is ever rerun on the fly. We want to remove all rules and +# pre-existing user defined chains before we implement new rules. +iptables -F +iptables -X +iptables -Z + +iptables -t nat -F + +# Allow local-only connections +iptables -A INPUT -i lo -j ACCEPT + +# Free output on any interface to any ip for any service +# (equal to -P ACCEPT) +iptables -A OUTPUT -j ACCEPT + +# Permit answers on already established connections +# and permit new connections related to established ones +# (e.g. port mode ftp) +iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT + +# Log everything else. What's Windows' latest exploitable vulnerability? +iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " + +# End $rc_base/rc.iptables +EOF +chmod 700 /etc/rc.d/rc.iptables + +install -v -dm755 /etc/systemd/scripts + +cat > /etc/systemd/scripts/iptables << "EOF" +#!/bin/sh + +# Begin /etc/systemd/scripts/iptables + +# Insert connection-tracking modules +# (not needed if built into the kernel) +modprobe nf_conntrack +modprobe xt_LOG + +# Enable broadcast echo Protection +echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts + +# Disable Source Routed Packets +echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route +echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route + +# Enable TCP SYN Cookie Protection +echo 1 > /proc/sys/net/ipv4/tcp_syncookies + +# Disable ICMP Redirect Acceptance +echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects + +# Do not send Redirect Messages +echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects +echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects + +# Drop Spoofed Packets coming in on an interface, where responses +# would result in the reply going out a different interface. +echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter +echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter + +# Log packets with impossible addresses. +echo 1 > /proc/sys/net/ipv4/conf/all/log_martians +echo 1 > /proc/sys/net/ipv4/conf/default/log_martians + +# be verbose on dynamic ip-addresses (not needed in case of static IP) +echo 2 > /proc/sys/net/ipv4/ip_dynaddr + +# disable Explicit Congestion Notification +# too many routers are still ignorant +echo 0 > /proc/sys/net/ipv4/tcp_ecn + +# Set a known state +iptables -P INPUT DROP +iptables -P FORWARD DROP +iptables -P OUTPUT DROP + +# These lines are here in case rules are already in place and the +# script is ever rerun on the fly. We want to remove all rules and +# pre-existing user defined chains before we implement new rules. +iptables -F +iptables -X +iptables -Z + +iptables -t nat -F + +# Allow local-only connections +iptables -A INPUT -i lo -j ACCEPT + +# Free output on any interface to any ip for any service +# (equal to -P ACCEPT) +iptables -A OUTPUT -j ACCEPT + +# Permit answers on already established connections +# and permit new connections related to established ones +# (e.g. port mode ftp) +iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT + +# Log everything else. What's Windows' latest exploitable vulnerability? +iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " + +# End /etc/systemd/scripts/iptables +EOF +chmod 700 /etc/systemd/scripts/iptables + + + This script is quite simple, it drops all traffic coming + into your computer that wasn't initiated from your computer, but + as long as you are simply surfing the Internet you are unlikely + to exceed its limits. + + + + If you frequently encounter certain delays at accessing + FTP servers, take a look at . + + + + Even if you have daemons or services running on your system, + these will be inaccessible everywhere but from your computer itself. + If you want to allow access to services on your machine, such as + ssh or ping, take a look at + . + + + + + + Masquerading Router + + + A network Firewall has two interfaces, one connected to an + intranet, in this example LAN1, + and one connected to the Internet, here WAN1. To provide the maximum security + for the firewall itself, make sure that there are no unnecessary + servers running on it such as X11 et al. + As a general principle, the firewall itself should not access + any untrusted service (think of a remote server giving answers that + makes a daemon on your system crash, or even worse, that implements + a worm via a buffer-overflow). + + +cat > /etc/rc.d/rc.iptables << "EOF" +#!/bin/sh + +# Begin rc.iptables + +echo +echo "You're using the example configuration for a setup of a firewall" +echo "from Beyond Linux From Scratch." +echo "This example is far from being complete, it is only meant" +echo "to be a reference." +echo "Firewall security is a complex issue, that exceeds the scope" +echo "of the configuration rules below." +echo "You can find additional information" +echo "about firewalls in Chapter 4 of the BLFS book." +echo "http://www.&lfs-domainname;/blfs" +echo + +# Insert iptables modules (not needed if built into the kernel). + +modprobe nf_conntrack +modprobe nf_conntrack_ftp +modprobe xt_conntrack +modprobe xt_LOG +modprobe xt_state + +# Enable broadcast echo Protection +echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts + +# Disable Source Routed Packets +echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route + +# Enable TCP SYN Cookie Protection +echo 1 > /proc/sys/net/ipv4/tcp_syncookies + +# Disable ICMP Redirect Acceptance +echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects + +# Don't send Redirect Messages +echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects + +# Drop Spoofed Packets coming in on an interface where responses +# would result in the reply going out a different interface. +echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter + +# Log packets with impossible addresses. +echo 1 > /proc/sys/net/ipv4/conf/all/log_martians + +# Be verbose on dynamic ip-addresses (not needed in case of static IP) +echo 2 > /proc/sys/net/ipv4/ip_dynaddr + +# Disable Explicit Congestion Notification +# Too many routers are still ignorant +echo 0 > /proc/sys/net/ipv4/tcp_ecn + +# Set a known state +iptables -P INPUT DROP +iptables -P FORWARD DROP +iptables -P OUTPUT DROP + +# These lines are here in case rules are already in place and the +# script is ever rerun on the fly. We want to remove all rules and +# pre-existing user defined chains before we implement new rules. +iptables -F +iptables -X +iptables -Z + +iptables -t nat -F + +# Allow local connections +iptables -A INPUT -i lo -j ACCEPT +iptables -A OUTPUT -o lo -j ACCEPT + +# Allow forwarding if the initiated on the intranet +iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT +iptables -A FORWARD ! -i WAN1 -m conntrack --ctstate NEW -j ACCEPT + +# Do masquerading +# (not needed if intranet is not using private ip-addresses) +iptables -t nat -A POSTROUTING -o WAN1 -j MASQUERADE + +# Log everything for debugging +# (last of all rules, but before policy rules) +iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " +iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD " +iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT " + +# Enable IP Forwarding +echo 1 > /proc/sys/net/ipv4/ip_forward +EOF +chmod 700 /etc/rc.d/rc.iptables + +install -v -dm755 /etc/systemd/scripts + +cat > /etc/systemd/scripts/iptables << "EOF" +#!/bin/sh + +# Begin /etc/systemd/scripts/iptables + +echo +echo "You're using the example configuration for a setup of a firewall" +echo "from Beyond Linux From Scratch." +echo "This example is far from being complete, it is only meant" +echo "to be a reference." +echo "Firewall security is a complex issue, that exceeds the scope" +echo "of the configuration rules below." + +echo "You can find additional information" +echo "about firewalls in Chapter 4 of the BLFS book." +echo "http://www.&lfs-domainname;/blfs" +echo + +# Insert iptables modules (not needed if built into the kernel). + +modprobe nf_conntrack +modprobe nf_conntrack_ftp +modprobe xt_conntrack +modprobe xt_LOG +modprobe xt_state + +# Enable broadcast echo Protection +echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts + +# Disable Source Routed Packets +echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route + +# Enable TCP SYN Cookie Protection +echo 1 > /proc/sys/net/ipv4/tcp_syncookies + +# Disable ICMP Redirect Acceptance +echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects + +# Don't send Redirect Messages +echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects + +# Drop Spoofed Packets coming in on an interface where responses +# would result in the reply going out a different interface. +echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter + +# Log packets with impossible addresses. +echo 1 > /proc/sys/net/ipv4/conf/all/log_martians + +# Be verbose on dynamic ip-addresses (not needed in case of static IP) +echo 2 > /proc/sys/net/ipv4/ip_dynaddr + +# Disable Explicit Congestion Notification +# Too many routers are still ignorant +echo 0 > /proc/sys/net/ipv4/tcp_ecn + +# Set a known state +iptables -P INPUT DROP +iptables -P FORWARD DROP +iptables -P OUTPUT DROP + +# These lines are here in case rules are already in place and the +# script is ever rerun on the fly. We want to remove all rules and +# pre-existing user defined chains before we implement new rules. +iptables -F +iptables -X +iptables -Z + +iptables -t nat -F + +# Allow local connections +iptables -A INPUT -i lo -j ACCEPT +iptables -A OUTPUT -o lo -j ACCEPT + +# Allow forwarding if the initiated on the intranet +iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT +iptables -A FORWARD ! -i WAN1 -m conntrack --ctstate NEW -j ACCEPT + +# Do masquerading +# (not needed if intranet is not using private ip-addresses) +iptables -t nat -A POSTROUTING -o WAN1 -j MASQUERADE + +# Log everything for debugging +# (last of all rules, but before policy rules) +iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " +iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD " +iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT " + +# Enable IP Forwarding +echo 1 > /proc/sys/net/ipv4/ip_forward + +# The following sections allow inbound packets for specific examples +# Uncomment the example lines and adjust as necessary + +# Allow ping on the external interface +#iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT +#iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT + +# Reject ident packets with TCP reset to avoid delays with FTP or IRC +#iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset + +# Allow HTTP and HTTPS to 192.168.0.2 +#iptables -A PREROUTING -t nat -i WAN1 -p tcp --dport 80 -j DNAT --to 192.168.0.2 +#iptables -A PREROUTING -t nat -i WAN1 -p tcp --dport 443 -j DNAT --to 192.168.0.2 +#iptables -A FORWARD -p tcp -d 192.168.0.2 --dport 80 -j ACCEPT +#iptables -A FORWARD -p tcp -d 192.168.0.2 --dport 443 -j ACCEPT + +# End /etc/systemd/scripts/iptables +EOF +chmod 700 /etc/systemd/scripts/iptables + + + With this script your intranet should be reasonably secure + against external attacks. No one should be able to setup a new + connection to any internal service and, if it's masqueraded, + makes your intranet invisible to the Internet. Furthermore, your + firewall should be relatively safe because there are no services + running that a cracker could attack. + + + + + + BusyBox + + + This scenario isn't too different from the , but additionally offers some + services to your intranet. Examples of this can be when + you want to administer your firewall from another host on + your intranet or use it as a proxy or a name server. + + + + + Outlining specifically how to protect a server that + offers services on the Internet goes far beyond the scope of + this document. See the references in + for more information. + + + + + Be cautious. Every service you have enabled makes your + setup more complex and your firewall less secure. You are + exposed to the risks of misconfigured services or running + a service with an exploitable bug. A firewall should generally + not run any extra services. See the introduction to the + for some more details. + + + + If you want to add services such as internal Samba or + name servers that do not need to access the Internet themselves, + the additional statements are quite simple and should still be + acceptable from a security standpoint. Just add the following lines + into the script before the logging rules. + + +iptables -A INPUT -i ! WAN1 -j ACCEPT +iptables -A OUTPUT -o ! WAN1 -j ACCEPT + + + If daemons, such as squid, have to access the Internet + themselves, you could open OUTPUT generally and restrict + INPUT. + + +iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT +iptables -A OUTPUT -j ACCEPT + + + However, it is generally not advisable to leave OUTPUT + unrestricted. You lose any control over trojans who would like + to "call home", and a bit of redundancy in case you've + (mis-)configured a service so that it broadcasts its existence + to the world. + + + + To accomplish this, you should restrict INPUT and OUTPUT + on all ports except those that it's absolutely necessary to have + open. Which ports you have to open depends on your needs: mostly + you will find them by looking for failed accesses in your log + files. + + + + Have a Look at the Following Examples: + + + Squid is caching the web: + + +iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT +iptables -A INPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED \ + -j ACCEPT + + + + + Your caching name server (e.g., named) does its lookups via UDP: + + +iptables -A OUTPUT -p udp --dport 53 -j ACCEPT + + + + + You want to be able to ping your computer to ensure it's still + alive: + + +iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT +iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT + + + + + If you are frequently accessing FTP servers or enjoy chatting, you + might notice delays because some implementations of these daemons + query an identd daemon on your system to obtain usernames. Although + there's really little harm in this, having an identd running is not + recommended because many security experts feel the service gives + out too much additional information. + + + + To avoid these delays you could reject the requests with a + 'tcp-reset' response: + + +iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset + + + + + To log and drop invalid packets (packets + that came in after netfilter's timeout or some types of + network scans) insert these rules at the top of the chain: + + +iptables -I INPUT 0 -p tcp -m conntrack --ctstate INVALID \ + -j LOG --log-prefix "FIREWALL:INVALID " +iptables -I INPUT 1 -p tcp -m conntrack --ctstate INVALID -j DROP + + + + + Anything coming from the outside should not have a + private address, this is a common attack called IP-spoofing: + + +iptables -A INPUT -i WAN1 -s 10.0.0.0/8 -j DROP +iptables -A INPUT -i WAN1 -s 172.16.0.0/12 -j DROP +iptables -A INPUT -i WAN1 -s 192.168.0.0/16 -j DROP + + + There are other addresses that you may also want to drop: + 0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3 (multicast and + experimental), 169.254.0.0/16 (Link Local Networks), and + 192.0.2.0/24 (IANA defined test network). + + + + + If your firewall is a DHCP client, you need to allow those packets: + + +iptables -A INPUT -i WAN1 -p udp -s 0.0.0.0 --sport 67 \ + -d 255.255.255.255 --dport 68 -j ACCEPT + + + + + To simplify debugging and be fair to anyone who'd like + to access a service you have disabled, purposely or by mistake, + you could REJECT those packets that are dropped. + + + + Obviously this must be done directly after logging as the very + last lines before the packets are dropped by policy: + + +iptables -A INPUT -j REJECT + + + + + + These are only examples to show you some of the capabilities + of the firewall code in Linux. Have a look at the man page of iptables. + There you will find much more information. The port numbers needed for + this can be found in /etc/services, in case you + didn't find them by trial and error in your log file. + + + + <phrase revision="sysv">Boot Script</phrase> <phrase revision="systemd">Systemd Unit</phrase> Index: postlfs/security/nftables.xml =================================================================== --- postlfs/security/nftables.xml (nonexistent) +++ postlfs/security/nftables.xml (working copy) @@ -0,0 +1,396 @@ + + + %general-entities; + + + + + + + +]> + + + + + + $LastChangedBy: $ + $Date: $ + + + nftables-&nftables-version; + + + nftables + + + + Introduction to nftables + + + The nftables package, intended to be the + successor to , provides a low-level netlink + programming interface (API), and userspace uitlities for the in-kernel + nf_tables subsystem. + + + &lfs90_checked; + + Package Information + + + + Download (HTTP): + + + + + Download (FTP): + + + + + Download MD5 sum: &nftables-md5sum; + + + + + Download size: &nftables-size; + + + + + Estimated disk space required: &nftables-buildsize; + + + + + Estimated build time: &nftables-time; + + + + + nftables Dependencies + + Required + + + + + Optional + + , + , and + + + + Optional (runtime) + + + + contrack-tools + + nfacct + + ulogd + + + User Notes: + + + + + + Kernel Configuration + + + Enable the following options in the kernel configuration and recompile the + kernel if necessary (add any additional nf_tables features as needed): + + +[*] Networking support [CONFIG_NET] ---> + Networking options ---> + [*] Network packet filtering framework (Netfilter) [CONFIG_NETFILTER] ---> + Core Netfilter Configuration ---> + <*> Netfilter nf_tables support [CONFIG_NF_TABLES] + [*] Netfilter nf_tables mixed IPv4/IPv6 tables support [CONFIG_NF_TABLES_INET] + + + + + Installation of nftables + + + Install nftables by running the following + commands: + + +./configure --prefix=/usr \ + --sbindir=/sbin \ + --sysconfdir=/etc \ + --with-python-bin=/usr/bin/python3 && +make + + + This package does not come with a test suite. + + + + Now, as the root user: + + +make install && +mv /usr/lib/nftables.so.* /lib && +ln -sfv ../../lib/$(readlink /usr/lib/nftables.so) /usr/lib/nftables.so + + + + + Command Explanations + + + + + --with-python-bin=/usr/bin/python3: force use of + Python3. + + + + : build man pages if + is installed. + + + + --with-json: build with support for JSON output if + is available. + + + + --with-xtables: build with + libxtables support. + + + + mv -v /usr/lib/nftables.so.* ...: Move shared + libraries into /lib so they are available before /usr is mounted. + + + + + + Configuring nftables + + + Masquerading Router + + + A network Firewall has two interfaces, one connected to an + intranet, in this example LAN1, + and one connected to the Internet, here WAN1. You will need to adjust these value to + match your particular system. To provide the maximum security + for the firewall itself, make sure that there are no unnecessary + servers running on it such as X11 et al. + As a general principle, the firewall itself should not access + any untrusted service (think of a remote server giving answers that + makes a daemon on your system crash, or even worse, that implements + a worm via a buffer-overflow). + + +cat > /etc/nftables/nftables.conf << "EOF" +#!/sbin/nft -f + +# You're using the example configuration for a setup of a firewall +# from Beyond Linux From Scratch. +# +# This example is far from being complete, it is only meant +# to be a reference. +# +# Firewall security is a complex issue, that exceeds the scope +# of the configuration rules below. +# +# You can find additional information +# about firewalls in Chapter 4 of the BLFS book. +# http://www.&lfs-domainname;/blfs + +# Drop all existing rules +flush ruleset + +# Filter for both ip4 and ip6 (inet) +table inet filter { + + # filter incomming packets + chain input { + + # Drop everything that doesn't match policy + type filter hook input priority 0; policy drop; + + # accept packets for established connections + ct state { established, related } accept + + # Drop packets that have a connection state of invalid + ct state invalid drop + + # Allow connections to the loopback adapter + iifname "lo" accept + + # Allow connections to the LAN1 interface + iifname "LAN1" accept + + # Accept icmp requests + ip protocol icmp accept + + # Allow ssh connections on LAN1 + iifname "LAN1" tcp dport ssh accept + + # Drop everything else + drop + } + + # Allow forwarding for external connections to WAN1 + chain forward { + + # Drop if it doesn't match policy + type filter hook forward priority 0; policy drop; + + # Accept connections on WAN1 + oifname "WAN1" accept + + # Allow forwarding to another host via this interface + # Uncomment the following line to allow connections + # ip daddr 192.168.0.2 ct status dnat accept + + # Allow established and related connections + iifname "WAN1" ct state { established, related } accept + } + + # Filter output traffic + chain output { + + # Allow everything outbound + type filter hook output priority 0; policy accept; + } +} + +# Allow NAT for ip protocol (both ip4 and ip6) +table ip nat { + + chain prerouting { + + # Accept on inbound interace for policy match + type nat hook prerouting priority 0; policy accept; + + # Accept http and https on 192.168.0.2 + # Uncomment the following line to allow http and https + #iifname "WAN1" tcp dport { http, https } dnat to 192.168.0.2 + } + + chain postrouting { + + # accept outbound + type nat hook postrouting priority 0; policy accept; + + # Masquerade on WAN1 outbound + oifname "WAN1" masquerade + } +} +EOF + + + With this configuration your intranet should be reasonably secure + against external attacks. No one should be able to setup a new + connection to any internal service not configured above. + + + + There are several other examples in the + /etc/nftables directory. + + + + + + <phrase revision="sysv">Boot Script</phrase> + <phrase revision="systemd">Systemd Unit</phrase> + + + To set up the nftables firewall at boot, install the + /etc/rc.d/init.d/nftables init script included + in the package. + + + + To set up the nftables firewall at boot, install the + nftables.service unit included in the + package. + + + + nftables + + +make install-nftables + + + + + + + Contents + + + Installed Programs + Installed Libraries + Installed Directories + + + + nft + + + libnftables.{a,so} + + + /etc/nftables + + + + + + Short Descriptions + + + + + nft + + + command line interface for the nf_tables subsystem. + + + nft + + + + + + libnftables.{a,so} + + + provides functions for manipulating the nf_tables subsystem. + + + libnftables.so + + + + + + + + + Index: postlfs/security/security.xml =================================================================== --- postlfs/security/security.xml (revision 22257) +++ postlfs/security/security.xml (working copy) @@ -53,8 +53,6 @@ - - @@ -76,5 +74,9 @@ + + + +