cvs commit: ALFS/profiles/BLFS/chapter04 iptables.xml linuxpam.xml shadow.xml

vdzuba at linuxfromscratch.org vdzuba at linuxfromscratch.org
Sun Nov 16 14:55:24 PST 2003


vdzuba      03/11/16 15:55:23

  Modified:    profiles/BLFS BLFS.xml packages.ent
               profiles/BLFS/chapter04 iptables.xml linuxpam.xml shadow.xml
  Log:
  updated chapter 04
  
  Revision  Changes    Path
  1.5       +2 -2      ALFS/profiles/BLFS/BLFS.xml
  
  Index: BLFS.xml
  ===================================================================
  RCS file: /home/cvsroot/ALFS/profiles/BLFS/BLFS.xml,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- BLFS.xml	30 Oct 2003 22:39:36 -0000	1.4
  +++ BLFS.xml	16 Nov 2003 22:55:22 -0000	1.5
  @@ -60,10 +60,10 @@
   
   <stage name="chapter 4 (security)">
   
  +    &linuxpam;
       &shadow;
  -    &gnupg;
       &iptables;
  -    &linuxpam;
  +    &gnupg;
   
   </stage>
   
  
  
  
  1.6       +10 -8     ALFS/profiles/BLFS/packages.ent
  
  Index: packages.ent
  ===================================================================
  RCS file: /home/cvsroot/ALFS/profiles/BLFS/packages.ent,v
  retrieving revision 1.5
  retrieving revision 1.6
  diff -u -r1.5 -r1.6
  --- packages.ent	30 Oct 2003 22:39:36 -0000	1.5
  +++ packages.ent	16 Nov 2003 22:55:23 -0000	1.6
  @@ -1,22 +1,24 @@
   <!--************* packages for chapter 4 *************-->
   
  +<!ENTITY linuxpam-version   "0.77">
  +<!ENTITY linuxpam-package   "Linux-PAM-0.77.tar.bz2">
  +<!ENTITY linuxpam-directory "Linux-PAM-0.77">
  +
  +<!ENTITY linuxpam-patch     "Linux-PAM-0.77-linkage-1.patch">
  +
   <!ENTITY shadow-version   "4.0.3">
   <!ENTITY shadow-package   "shadow-4.0.3.tar.bz2">
   <!ENTITY shadow-directory "shadow-4.0.3">
   
  -<!ENTITY shadow-patch     "shadow-4.0.3.patch">
  -
  -<!ENTITY gnupg-version      "1.2.3">
  -<!ENTITY gnupg-package      "gnupg-1.2.3.tar.bz2">
  -<!ENTITY gnupg-directory    "gnupg-1.2.3">
  +<!ENTITY shadow-patch     "shadow-4.0.3-pam-2.patch">
   
   <!ENTITY iptables-version   "1.2.8">
   <!ENTITY iptables-package   "iptables-1.2.8.tar.bz2">
   <!ENTITY iptables-directory "iptables-1.2.8">
   
  -<!ENTITY linuxpam-version   "0.77">
  -<!ENTITY linuxpam-package   "Linux-PAM-0.77.tar.bz2">
  -<!ENTITY linuxpam-directory "Linux-PAM-0.77">
  +<!ENTITY gnupg-version      "1.2.3">
  +<!ENTITY gnupg-package      "gnupg-1.2.3.tar.bz2">
  +<!ENTITY gnupg-directory    "gnupg-1.2.3">
   
   <!--************* packages for chapter 5 *************-->
   
  
  
  
  1.2       +91 -0     ALFS/profiles/BLFS/chapter04/iptables.xml
  
  Index: iptables.xml
  ===================================================================
  RCS file: /home/cvsroot/ALFS/profiles/BLFS/chapter04/iptables.xml,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- iptables.xml	29 Sep 2003 18:11:25 -0000	1.1
  +++ iptables.xml	16 Nov 2003 22:55:23 -0000	1.2
  @@ -20,6 +20,97 @@
   		        <param>PREFIX=/usr</param>
   			<param>install</param>
   		</make>
  +
  +
  +	<!-- set-up for personnal firewall -->
  +	<!-- other set-ups are available in the Book -->
  +
  +	<textdump base="/etc/rc.d/init.d">
  +	<file>firewall</file>
  +	<content>
  +	=#!/bin/sh
  +	=
  +	=# Begin $rc_base/init.d/firewall
  +	=
  +	=# Insert connection-tracking modules (not needed if built into the kernel).
  +	=modprobe ip_tables
  +	=modprobe iptable_filter
  +	=modprobe ip_conntrack
  +	=modprobe ip_conntrack_ftp
  +	=modprobe ipt_state
  +	=modprobe ipt_LOG
  +	=
  +	=# allow local-only connections
  +	=iptables -A INPUT  -i lo -j ACCEPT
  +	=# free output on any interface to any ip for any service (equal to -P ACCEPT)
  +	=iptables -A OUTPUT -j ACCEPT
  +	=
  +	=# permit answers on already established connections
  +	=# and permit new connections related to established ones (eg active-ftp)
  +	=iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  +	=
  +	=# Log everything else:  What's Windows' latest exploitable vulnerability?
  +	=iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
  +	=
  +	=# set a sane policy:    everything not accepted > /dev/null
  +	=iptables -P INPUT    DROP
  +	=iptables -P FORWARD  DROP
  +	=iptables -P OUTPUT   DROP
  +	=
  +	=# be verbose on dynamic ip-addresses     (not needed in case of static IP)
  +	=echo 2 > /proc/sys/net/ipv4/ip_dynaddr
  +	=
  +	=# disable ExplicitCongestionNotification - too many routers are still ignorant
  +	=echo 0 > /proc/sys/net/ipv4/tcp_ecn
  +	=
  +	=# End $rc_base/init.d/firewall
  +	</content>
  +	</textdump>
  +
  +	<textdump base="/etc/rc.d/init.d">
  +	<file>firewall.status</file>
  +	<content>
  +	=#!/bin/sh
  +	=
  +	=# Begin $rc_base/init.d/firewall.status
  +	=
  +	=echo "iptables.mangling:"
  +	=iptables -t mangle  -v -L -n --line-numbers
  +	=
  +	=echo
  +	=echo "iptables.nat:"
  +	=iptables -t nat	    -v -L -n --line-numbers
  +	=
  +	=echo
  +	=echo "iptables.filter:"
  +	=iptables	    -v -L -n --line-numbers
  +	</content>
  +	</textdump>
  +
  +	<textdump base="/etc/rc.d/init.d">
  +	<file>firewall.status</file>
  +	<content>
  +	=#!/bin/sh
  +	=
  +	=# Being $rc_base/init.d/firewall.stop
  +	=
  +	=# deactivate IP-Forwarding 
  +	=echo 0 > /proc/sys/net/ipv4/ip_forward
  +	=
  +	=iptables -Z
  +	=iptables -F
  +	=iptables -t nat         -F PREROUTING
  +	=iptables -t nat         -F OUTPUT
  +	=iptables -t nat         -F POSTROUTING
  +	=iptables -t mangle      -F PREROUTING
  +	=iptables -t mangle      -F OUTPUT
  +	=iptables -X
  +	=iptables -P INPUT       ACCEPT
  +	=iptables -P FORWARD     ACCEPT
  +	=iptables -P OUTPUT      ACCEPT
  +	</content>
  +	</textdump>
  +
   	</stage>
   
   	<stage name="Clean-up.">
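Review bot: The third textdump (the one whose content begins `=# Being $rc_base/init.d/firewall.stop`) is written to `<file>firewall.status</file>`, so it overwrites the status script dumped just above it and no firewall.stop is created at all; change it to `<file>firewall.stop</file>` and fix the header to `=# Begin $rc_base/init.d/firewall.stop`. In the firewall script itself the catch-all `iptables -A INPUT -j LOG` has no `-m limit`, so once the INPUT policy is DROP any noisy peer can fill the logs; a rate-limited LOG rule is the usual mitigation. Whether these dumped scripts are made executable is not visible in this hunk — presumably handled elsewhere in the profile, confirm.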
  
  
  
  1.2       +11 -0     ALFS/profiles/BLFS/chapter04/linuxpam.xml
  
  Index: linuxpam.xml
  ===================================================================
  RCS file: /home/cvsroot/ALFS/profiles/BLFS/chapter04/linuxpam.xml,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- linuxpam.xml	29 Sep 2003 18:11:25 -0000	1.1
  +++ linuxpam.xml	16 Nov 2003 22:55:23 -0000	1.2
  @@ -9,12 +9,23 @@
   			<archive>&packages_dir;/&linuxpam-package;</archive>
   			<destination>&build_dir;</destination>
   		</unpack>
  +
  +		<copy>
  +		        <source>&packages_dir;/&linuxpam-patch;</source>
  +		        <destination>&build_dir;</destination>
  +		</copy>
   	</stage>
   
   	<stage name="Installing a package.">
   		<stageinfo>
   			<base>&build_dir;/&linuxpam-directory;</base>
   		</stageinfo>
  +
  +		<patch>
  +			<param>-N</param>
  +			<param>-p1</param>
  +			<param>-i ../&linuxpam-patch;</param>
  +		</patch>
   
   		<configure>
   		        <param>--enable-static-libpam</param>
  
  
  
  1.2       +16 -24    ALFS/profiles/BLFS/chapter04/shadow.xml
  
  Index: shadow.xml
  ===================================================================
  RCS file: /home/cvsroot/ALFS/profiles/BLFS/chapter04/shadow.xml,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- shadow.xml	29 Sep 2003 18:11:25 -0000	1.1
  +++ shadow.xml	16 Nov 2003 22:55:23 -0000	1.2
  @@ -21,30 +21,15 @@
   			<base>&build_dir;/&shadow-directory;</base>
   		</stageinfo>
   
  -		<!-- for first install -->
  -		<search_replace base="/etc">
  -		        <file>/etc/login.defs</file>
  -			<find>#MD5_CRYPT_ENAB	no</find>
  -			<replace>MD5_CRYPT_ENAB	yes</replace>
  -		</search_replace>
  -
  -		<!-- for subsequent installs -->
  -		<search_replace base="/etc">
  -		        <file>/etc/login.defs</file>
  -			<find>#MD5_CRYPT_ENAB</find>
  -			<replace>MD5_CRYPT_ENAB</replace>
  -		</search_replace>
  -
   		<patch>
   			<param>-N</param>
   			<param>-p1</param>
   			<param>-i ../&shadow-patch;</param>
   		</patch>
   
  -		<execute command="autoconf" />
  -
  -		<configure command='LDFLAGS="-lpam -lpam_misc" ./configure'>
  +		<configure>
   			<param>--prefix=/usr</param>
  +			<param>--libdir=/usr/lib</param>
   			<param>--enable-shared</param>
   			<param>--with-libpam</param>
   		</configure>
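Review bot: Dropping both MD5_CRYPT_ENAB search_replace steps removes the only place this profile switched password hashing away from DES crypt in login.defs; with `--with-libpam` that choice presumably moves to pam_unix's `md5` option in the /etc/pam.d service files, but those are not part of this hunk and the `/etc/pam.d/other` dump is commented out later in this commit, so new passwords may end up DES-hashed until PAM is actually configured — confirm. A comment at the removal site stating where the algorithm is now selected, e.g. `<!-- password hashing is chosen in /etc/pam.d/* (pam_unix md5), no longer in login.defs -->`, would keep that from being lost. The stage continues outside the hunk.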
  @@ -55,17 +40,22 @@
   			<param>install</param>
   		</make>
   
  +		<link>
  +		       <option>force</option>
  +		       <target>vipw</target>
  +		       <name>/usr/sbin/vigr</name>
  +		</link>
  +
   		<remove>/bin/vipw</remove>
  -		<remove>/bin/sg</remove>
   
   		<move>
  -		        <source>/lib/{libmisc.*a,libshadow.*a}</source>
  -			<destination>/usr/lib</destination>
  +		        <source>/bin/sg</source>
  +			<destination>/usr/bin</destination>
   		</move>
   
   		<move>
  -		        <source>/lib/{libmisc.so,libshadow.so}</source>
  -			<destination>/usr/lib</destination>
  +		        <source>/usr/lib/lib{misc,shadow}.so.0*</source>
  +			<destination>/lib</destination>
   		</move>
   
   		<link>
  @@ -178,6 +168,9 @@
   		       </content>
   		</textdump>
   
  +<!--
  +  uncomment after checking PAM for proper configuration
  +
   		<textdump base="/etc/pam.d">
   		       <file>other</file>
   		       <content>
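Review bot: The `<!--` opened here (closed by the `-->` in the following hunk) disables the `/etc/pam.d/other` textdump, leaving a PAM-enabled shadow with no explicit fallback policy for services that lack their own config file; what Linux-PAM does in that case is not visible here (I believe the built-in default is to deny, which would lock out any service not yet configured — confirm before relying on it). The marker `uncomment after checking PAM for proper configuration` should say what must be checked and when it is re-enabled, e.g. `<!-- TODO: /etc/pam.d/other disabled until the per-service pam.d files are verified; re-enable before release -->`, so the disabled default policy is not forgotten.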
  @@ -193,7 +186,7 @@
                              =# End /etc/pam.d/other
   		       </content>
   		</textdump>
  -
  +-->
   
   
   		<search_replace base="/etc">
  @@ -267,7 +260,6 @@
   			<find>ENVIRON_FILE</find>
   			<replace>#ENVIRON_FILE</replace>
   		</search_replace>
  -
   	</stage>
   
   	<stage name="Clean-up.">
  
  
  


