r3272 - in trunk/BOOK/postlfs: config security

randy at linuxfromscratch.org
Wed Jan 12 17:25:45 PST 2005


Author: randy
Date: 2005-01-12 18:25:45 -0700 (Wed, 12 Jan 2005)
New Revision: 3272

Modified:
   trunk/BOOK/postlfs/config/profile.xml
   trunk/BOOK/postlfs/security/firewalling.xml
   trunk/BOOK/postlfs/security/iptables.xml
   trunk/BOOK/postlfs/security/tripwire.xml
Log:
Fixed instructions in the first 110 pages of the PDF version so that line lengths don't exceed the viewable area

Modified: trunk/BOOK/postlfs/config/profile.xml
===================================================================
--- trunk/BOOK/postlfs/config/profile.xml	2005-01-12 23:53:33 UTC (rev 3271)
+++ trunk/BOOK/postlfs/config/profile.xml	2005-01-13 01:25:45 UTC (rev 3272)
@@ -219,8 +219,8 @@
 <para>Some applications need a specific <envar>TERM</envar> setting to support color.</para>
 
 <screen><userinput><command>cat > /etc/profile.d/tinker-term.sh << "EOF"</command>
-# This will tinker with the value of TERM in order to convince certain apps
-# that we can, indeed, display color in their window.
+# This will tinker with the value of TERM in order to convince certain 
+# apps that we can, indeed, display color in their window.
  
 if [ -n "$COLORTERM" ]; then
   export TERM=xterm-color
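Review bot: the rewrapped comment line `# This will tinker with the value of TERM in order to convince certain ` ends in a trailing space; the heredoc writes these lines verbatim into /etc/profile.d/tinker-term.sh, so trim it (the second rewrapped line is clean).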
@@ -274,7 +274,7 @@
 issuing each primary prompt. </para>
  
 <screen><userinput><command>cat > /etc/profile.d/xterm-titlebars.sh << "EOF"</command>
-# The substring match ensures this will work for "xterm" and "xterm-xfree86".
+# The substring match ensures this works for "xterm" and "xterm-xfree86".
 if [ "${TERM:0:5}" = "xterm" ]; then
   PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME} : ${PWD}\007"'
   export PROMPT_COMMAND
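Review bot: `${PWD}` is expanded inside the string that `echo -ne` then interprets, so a directory whose name contains backslash sequences (for example a literal `\033`) has them turned into escape bytes and emitted into the xterm title sequence, which lets an untrusted directory name inject terminal control sequences into the user's terminal. The hunk only rewraps the comment, but since it touches this script, consider `printf '\033]0;%s@%s : %s\007' "$USER" "$HOSTNAME" "$PWD"`, which keeps the escape bytes in the format string and passes the variables as plain arguments; raw control bytes in a name still need stripping if the title must be fully safe.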
@@ -382,7 +382,8 @@
 
 # Provides prompt for non-login shells, specifically shells started
 # in the <application>X</application> environment. [Review the LFS archive thread titled
-# PS1 Environment Variable for a great case study behind this script addendum.]
+# PS1 Environment Variable for a great case study behind this script 
+# addendum.]
 
 #export PS1="[\u@\h \w]\\$ "
 export PS1='\u@\h:\w\$ '

Modified: trunk/BOOK/postlfs/security/firewalling.xml
===================================================================
--- trunk/BOOK/postlfs/security/firewalling.xml	2005-01-12 23:53:33 UTC (rev 3271)
+++ trunk/BOOK/postlfs/security/firewalling.xml	2005-01-13 01:25:45 UTC (rev 3272)
@@ -5,7 +5,7 @@
   %general-entities;
 ]>
 
-<sect1 id="postlfs-security-fw-firewall" xreflabel="Firewalling">
+<sect1 id="fw-firewall" xreflabel="Firewalling">
 <sect1info>
 <othername>$LastChangedBy$</othername>
 <date>$Date$</date>
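Review bot: the log message describes this commit as a PDF line-length fix, but this hunk renames the section id from `postlfs-security-fw-firewall` to `fw-firewall`, and the rest of the file does the same for every sect2 and sect3 id. An id rename is a cross-file change (every `linkend` in the book that targets an old id must move with it), so it belongs in its own commit, or at least in the log message.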
@@ -16,8 +16,7 @@
 <para>Before you read this part of the chapter, note that we assume that you
 have already installed iptables as described in the previous section.</para>
 
-
-<sect2 id="postlfs-security-fw-intro" xreflabel="Firewalling Introduction">
+<sect2 id="fw-intro" xreflabel="Firewalling Introduction">
 <title>Introduction to Firewall Creation</title>
 
 <para>The general purpose of a firewall is to protect a network 
@@ -34,9 +33,9 @@
 exploits against essential services are freely available, you 
 may wish to choose which services are accessible by certain machines, 
 you may wish to limit which machines or applications are allowed 
-to have Internet access, or you may simply  not trust some of your 
-apps or users.
-In these situations you might  benefit by using a firewall.</para>
+to have Internet access, or you may simply not trust some of your 
+apps or users. In these situations you might benefit by using a 
+firewall.</para>
 
 <para>Don't assume however, that having a firewall makes careful
 configuration redundant, or that it makes any negligent
@@ -53,7 +52,7 @@
 
 <para>The word firewall can have several different meanings.</para>
 
-<sect3><title><xref linkend="postlfs-security-fw-persFw"/></title>
+<sect3><title><xref linkend="fw-persFw"/></title>
 
 <para>This is a setup or program, for Windows commercially sold by 
 companies such as Symantec, of which they claim or pretend that it
@@ -63,7 +62,7 @@
 especially if they are always online and connected via 
 broadband links.</para></sect3>
 
-<sect3><title><xref linkend="postlfs-security-fw-masqRouter"/></title>
+<sect3><title><xref linkend="fw-masqRouter"/></title>
 <para>This is a box placed between the Internet and an intranet. 
 To minimize the risk of compromising the firewall itself it
 should generally have only one role, that of protecting the intranet.
@@ -73,7 +72,7 @@
 the Internet so that they seem to come from the firewall 
 itself) are commonly considered harmless.</para></sect3>
 
-<sect3><title><xref linkend="postlfs-security-fw-busybox"/></title>
+<sect3><title><xref linkend="fw-busybox"/></title>
 <para>This is often an old box you may have retired and nearly forgotten, 
 performing masquerading or routing functions, but offering a bunch of 
 services, e.g., web-cache, mail, etc.  This may be very commonly used 
@@ -91,7 +90,7 @@
 them all.</para></sect3>
 
 <sect3><title>Packetfilter / partly accessible net [partly described
-here, see <xref linkend="postlfs-security-fw-busybox"/>]</title>
+here, see <xref linkend="fw-busybox"/>]</title>
 <para>Doing routing or masquerading, but permitting only selected 
 services to be accessible, sometimes only by selected internal users or boxes; 
 mostly used in highly secure business contexts, sometimes by distrusting 
@@ -120,25 +119,25 @@
 
 <para>Customization of these scripts for your specific situation will
 be necessary for an optimal configuration, but you should make a serious
-study of the iptables documentation and creating firewalls in general before hacking
-away.  Have a look at the list of <xref linkend="postlfs-security-fw-library"/> at the end 
-of this section for more details.  Here you will find a list of URLs that 
-contain quite comprehensive information about building your own firewall.</para>
+study of the iptables documentation and creating firewalls in general before 
+hacking away.  Have a look at the list of 
+<xref linkend="fw-library"/> at the end of this section for 
+more details.  Here you will find a list of URLs that contain quite 
+comprehensive information about building your own firewall.</para>
 
 </sect2>
 
-
-<sect2 id="postlfs-security-fw-kernel" xreflabel="getting a firewalling-enabled Kernel">
+<sect2 id="fw-kernel" xreflabel="getting a firewalling-enabled Kernel">
 <title>Getting a firewall enabled Kernel</title>
 
 <para>If you want your Linux-Box to have a firewall, you must first ensure 
 that your kernel has been compiled with the relevant options turned on.
-<!-- <footnote><para>If you needed assistance how to configure, compile and install 
-a new kernel, refer back to chapter VIII of the LinuxFromScratch book, 
-<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html">Installing a kernel</ulink>
- and eventually 
-<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html">Making the LFS system bootable</ulink>
-; note, that you'll need to reboot 
+<!-- <footnote><para>If you needed assistance how to configure, compile and 
+install a new kernel, refer back to chapter VIII of the LinuxFromScratch book, 
+<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html">
+Installing a kernel</ulink>  and eventually 
+<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html">
+Making the LFS system bootable</ulink>; note, that you'll need to reboot 
 to actually run your new kernel.</para></footnote>-->
 </para>
 
@@ -265,28 +264,27 @@
 
 </sect2>
 
-
-<sect2 id="postlfs-security-fw-writing" xreflabel="writing the firewalling-setup-scripts">
+<sect2 id="fw-writing" xreflabel="writing the firewalling-setup-scripts">
 <title>Now you can start to build your Firewall</title>
 
-
-<sect3 id="postlfs-security-fw-persFw" xreflabel="Personal Firewall">
+<sect3 id="fw-persFw" xreflabel="Personal Firewall">
 <title>Personal Firewall</title>
 
 <para>A Personal Firewall is supposed to let you access all the services
 offered on the Internet, but keep your box secure and your data private.</para>
 
 <para>Below is a slightly modified version of Rusty Russell's recommendation
-from the <ulink
-url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">Linux
-2.4 Packet Filtering HOWTO</ulink>:</para>
+from the <ulink 
+url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">
+Linux 2.4 Packet Filtering HOWTO</ulink>:</para>
 
 <screen><userinput><command>cat > /etc/rc.d/init.d/firewall << "EOF"</command>
 #!/bin/sh
 
 # Begin $rc_base/init.d/firewall
 
-# Insert connection-tracking modules (not needed if built into the kernel).
+# Insert connection-tracking modules 
+# (not needed if built into the kernel)
 modprobe ip_tables
 modprobe iptable_filter
 modprobe ip_conntrack
@@ -296,11 +294,14 @@
 
 # allow local-only connections
 iptables -A INPUT  -i lo -j ACCEPT
-# free output on any interface to any ip for any service (equal to -P ACCEPT)
+
+# free output on any interface to any ip for any service 
+# (equal to -P ACCEPT)
 iptables -A OUTPUT -j ACCEPT
 
 # permit answers on already established connections
-# and permit new connections related to established ones (eg active-ftp)
+# and permit new connections related to established ones 
+# (eg active-ftp)
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
 # Log everything else:  What's Windows' latest exploitable vulnerability?
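Review bot: the rewrapped comment `(equal to -P ACCEPT)` on `iptables -A OUTPUT -j ACCEPT` is accurate, and that is the point to flag: this rule, not the `-P OUTPUT DROP` set further down, decides egress, so the personal firewall lets any local process reach any host and port. The BusyBox section of this same file says leaving OUTPUT unrestricted is "generally not advisable" because it gives no control over software that wants to "call home"; the personal-firewall text should say the same or restrict OUTPUT the way the later examples do.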
@@ -311,10 +312,11 @@
 iptables -P FORWARD  DROP
 iptables -P OUTPUT   DROP
 
-# be verbose on dynamic ip-addresses     (not needed in case of static IP)
+# be verbose on dynamic ip-addresses  (not needed in case of static IP)
 echo 2 > /proc/sys/net/ipv4/ip_dynaddr
 
-# disable ExplicitCongestionNotification - too many routers are still ignorant
+# disable ExplicitCongestionNotification 
+# too many routers are still ignorant
 echo 0 > /proc/sys/net/ipv4/tcp_ecn
 
 # End $rc_base/init.d/firewall
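Review bot: `echo 2 > /proc/sys/net/ipv4/ip_dynaddr` and `echo 0 > /proc/sys/net/ipv4/tcp_ecn` are written unconditionally; on a kernel built without those options the boot script prints "No such file or directory" right after the policies have been set to DROP, which makes an unrelated error look like a firewall fault. Guard each write with `[ -f /proc/sys/net/ipv4/tcp_ecn ] &&` (or use `sysctl -w`). The rewrapped line `# disable ExplicitCongestionNotification ` also ends in a trailing space.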
@@ -325,18 +327,18 @@
 surfing the Internet you are unlikely to exceed its limits.</para> 
 
 <para>If you frequently encounter certain delays at accessing ftp-servers,
-please have a look at <xref linkend="postlfs-security-fw-busybox"/> - 
-<xref linkend="postlfs-security-fw-BB-4"/>.</para>
+please have a look at <xref linkend="fw-busybox"/> - 
+<xref linkend="fw-BB-4"/>.</para>
 
 <para>Even if you have daemons or services running on your box, these
 should be inaccessible everywhere but from your box itself.
-If you want to allow access to services on your machine, such as ssh or pinging, 
-take a look at <xref linkend="postlfs-security-fw-busybox"/>.</para> 
+If you want to allow access to services on your machine, such as ssh or 
+pinging, take a look at <xref linkend="fw-busybox"/>.</para> 
 
 </sect3>
 
 
-<sect3 id="postlfs-security-fw-masqRouter" xreflabel="Masquerading Router">
+<sect3 id="fw-masqRouter" xreflabel="Masquerading Router">
 <title>Masquerading Router</title>
 
 <para>A true Firewall has two interfaces, one connected to an intranet,
@@ -345,8 +347,8 @@
 To provide the maximum security against the box itself being broken into,
 make sure that there are no servers running on it, especially not
 <application>X11</application> et
-al.  And, as a general principle, the box itself should not access any untrusted
-service (Think of a name server giving answers that make your
+al.  And, as a general principle, the box itself should not access any 
+untrusted service (Think of a name server giving answers that make your
 bind crash, or, even worse, that implement a worm via a 
 buffer-overflow).</para>
 
@@ -388,10 +390,12 @@
 iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A FORWARD -m state --state NEW -i ! ppp+	 -j ACCEPT
 
-# do masquerading    (not needed if intranet is not using private ip-addresses)
+# do masquerading
+# (not needed if intranet is not using private ip-addresses)
 iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
 
-# Log everything for debugging (last of all rules, but before DROP/REJECT)
+# Log everything for debugging 
+# (last of all rules, but before DROP/REJECT)
 iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT  "
 iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
 iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "
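Review bot: the three `-j LOG` rules log every packet that reaches the end of INPUT, FORWARD and OUTPUT with no `-m limit`, so a port scan or flood against the router fills the log partition at line rate; put `-m limit --limit 3/min --limit-burst 5` (values to taste) in front of each `-j LOG`, and the same applies to the personal-firewall script earlier in this file. Separately, `-i ! ppp+` on the FORWARD rule is the intrapositioned negation form; iptables also accepts `! -i ppp+`, which is the form later releases warn you to use.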
@@ -401,7 +405,8 @@
 iptables -P FORWARD DROP
 iptables -P OUTPUT  DROP
 
-# be verbose on dynamic ip-addresses (not needed in case of static IP)
+# be verbose on dynamic ip-addresses 
+# (not needed in case of static IP)
 echo 2 > /proc/sys/net/ipv4/ip_dynaddr
 
 # disable ExplicitCongestionNotification
@@ -435,14 +440,14 @@
 
 <para>If you need stronger security (e.g., against DOS, connection 
 highjacking, spoofing, etc.), have a look at the list of 
-<xref linkend="postlfs-security-fw-library"/> at the end of this section.</para>
+<xref linkend="fw-library"/> at the end of this section.</para>
 
 </sect3>
 
-<sect3 id="postlfs-security-fw-busybox" xreflabel="BusyBox">
+<sect3 id="fw-busybox" xreflabel="BusyBox">
 <title>BusyBox</title>
 
-<para>This scenario isn't too different from (<xref linkend="postlfs-security-fw-masqRouter"/>), 
+<para>This scenario isn't too different from (<xref linkend="fw-masqRouter"/>), 
 but in this case you want to offer some services to your intranet.
 Examples of this can be when you want to admin your box from another host 
 on your intranet or use it as a proxy or a name server. Note: Outlining a true 
@@ -452,9 +457,9 @@
 
 <para>Be cautious.  Every service you offer and have enabled makes your
 setup more complex and your box less secure. You induce the risks of 
-misconfigured services or running a service with an exploitable bug.  A firewall
-should generally not run any extra services.  See the introduction to 
-<xref linkend="postlfs-security-fw-masqRouter"/> for some more details.</para>
+misconfigured services or running a service with an exploitable bug.  A 
+firewall should generally not run any extra services.  See the introduction to 
+<xref linkend="fw-masqRouter"/> for some more details.</para>
 
 <para>If the services you'd like to offer do not need to access the Internet 
 themselves, like internal-only samba- or name-servers, it's quite
@@ -469,12 +474,12 @@
 to, you could open OUTPUT generally and restrict INPUT.</para>
 
 <screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED	-j ACCEPT
-iptables -A OUTPUT                                      -j ACCEPT</screen>
+iptables -A OUTPUT                                     -j ACCEPT</screen>
 
-<para>However, it is generally not advisable to leave OUTPUT unrestricted. You lose 
-any control over trojans who'd like to "call home", and a bit of redundancy in case 
-you've (mis-)configured a service so that it does broadcast its existence to the 
-world.</para>
+<para>However, it is generally not advisable to leave OUTPUT unrestricted. You 
+lose any control over trojans who'd like to "call home", and a bit of 
+redundancy in case you've (mis-)configured a service so that it does broadcast 
+its existence to the world.</para>
 
 <para>If you prefer to have this protection, you may restrict INPUT and OUTPUT
 on all ports except those that it's absolutely necessary to have open.
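Review bot: the whitespace change on `iptables -A OUTPUT ... -j ACCEPT` shifts `-j ACCEPT` left by one space to line up with the INPUT rule above it, but that rule separates `ESTABLISHED,RELATED` from `-j ACCEPT` with a tab, so whether the two columns align depends on the tab width of the renderer; replace the tab with spaces so the `<screen>` block lines up in both the HTML and the PDF.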
@@ -485,20 +490,26 @@
 <title>Have a look at the following examples:</title>
 
 <listitem><para>Squid is caching the web:</para>
-<screen>iptables -A OUTPUT -p tcp --dport 80                              -j ACCEPT
-iptables -A INPUT  -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT</screen></listitem>
+<screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
+iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED \
+-j ACCEPT</screen>
+</listitem>
 
 <listitem><para>Your caching name server (e.g., dnscache) does its
 lookups via udp:</para>
-<screen>iptables -A OUTPUT -p udp --dport 53                              -j ACCEPT
-iptables -A INPUT  -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT</screen></listitem>
+<screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+iptables -A INPUT  -p udp --sport 53 -m state --state ESTABLISHED \
+-j ACCEPT</screen>
+</listitem>
 
-<listitem><para>Alternatively, if you want to be able to ping your box to ensure
-it's still alive:</para>
+<listitem><para>Alternatively, if you want to be able to ping your box to 
+ensure it's still alive:</para>
+
 <screen>iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT</screen></listitem>
+iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT</screen>
+</listitem>
 
-<listitem><para><anchor id='postlfs-security-fw-BB-4' xreflabel="example no. 4"/>If you are 
+<listitem><para><anchor id='fw-BB-4' xreflabel="example no. 4"/>If you are 
 frequently accessing ftp-servers or enjoy chatting, you might notice certain 
 delays because some implementations of these daemons have the feature of 
 querying an identd on your box for logging usernames.
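Review bot: the backslash-continued rules in the Squid and dnscache examples put `-j ACCEPT` at column 0 on the continuation line, while the tripwire.xml hunks in this same commit indent continuations by four spaces; pick one convention (an indented continuation reads more clearly in a `<screen>` block). The two INPUT lines also now differ in spacing (`-A INPUT -p tcp` versus `-A INPUT  -p udp`) since the old column alignment was dropped.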
@@ -509,13 +520,14 @@
 with a 'tcp-reset':</para>
 
 <screen>iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset
-iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen></listitem>
+iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen>
+</listitem>
 
 <listitem><para>To log and drop invalid packets (harmless packets
 that came in after netfilter's timeout or some types of network scans):</para>
 
-<screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix \ 
-"FIREWALL:INVALID"
+<screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG \
+--log-prefix "FIREWALL:INVALID"
 iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></listitem>
 
 <listitem><para>Anything coming from the outside should not have a
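Review bot: the INVALID log-and-drop pair is restricted to `-p tcp`, so INVALID UDP and ICMP packets fall through to the rest of the chain even though the text says the goal is to log and drop invalid packets in general; drop the `-p tcp` unless TCP-only is intended. `-I INPUT 1` and `-I INPUT 2` also assume these become the first two rules of INPUT, which only holds if the snippet runs before the rules shown earlier; state that ordering, or insert the DROP first and then the LOG with plain `-I INPUT` so they land at positions 1 and 2 regardless.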
@@ -523,7 +535,8 @@
 
 <screen>iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8     -j DROP
 iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12	-j DROP
-iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16	-j DROP</screen></listitem>
+iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16	-j DROP</screen>
+</listitem>
 
 <listitem><para>To simplify debugging and be fair to anyone who'd like to 
 access a service you have disabled, purposely or by mistake, you should REJECT 
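Review bot: the anti-spoofing DROPs in the previous hunk sit in the nat table's PREROUTING chain, but the nat table is consulted only for packets conntrack classifies as NEW (INVALID packets skip it entirely), so filtering there is unreliable; move them to the filter table (INPUT and FORWARD, matching `-i ppp+`) or to mangle PREROUTING so every packet is checked. While here, `127.0.0.0/8` arriving on `ppp+` deserves the same DROP as the three private ranges.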
@@ -547,14 +560,11 @@
 <para>If you add any of your offered or accessed services such as the above,
 maybe even in FORWARD and for intranet-communication, and delete the
 general clauses, you get an old fashioned packet filter.</para>
-
-
 </sect3>
 
 </sect2>
 
-
-<sect2 id="postlfs-security-fw-finale" xreflabel="Conclusion">
+<sect2 id="fw-finale" xreflabel="Conclusion">
 <title>Conclusion</title>
 
 <para>Finally, I'd like to remind you of one fact we must not forget:
@@ -578,11 +588,10 @@
 
 </sect2>
 
-
 <sect2 id="postlfs-security-fw-extra" xreflabel="Extra Information">
 <title>Extra Information</title>
 
-<sect3 id="postlfs-security-fw-library" xreflabel="Links for further reading">
+<sect3 id="fw-library" xreflabel="Links for further reading">
 <title>Where to start with further reading on firewalls.</title>
 
 <para><blockquote><literallayout>
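Review bot: `<sect2 id="postlfs-security-fw-extra" ...>` keeps the old prefix while every other sect id in this file is renamed to `fw-*` in this commit, including its child `fw-library` two lines below; rename it to `fw-extra` for consistency, or say in the log why it stays.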
@@ -610,13 +619,9 @@
 <ulink url="http://www.insecure.org/reading.html">www.insecure.org/reading.html</ulink>
 <ulink url="http://www.robertgraham.com/pubs/firewall-seen.html">www.robertgraham.com/pubs/firewall-seen.html</ulink>
 </literallayout></blockquote></para>
-
-<!-- <para>If a link proves to be dead or if you think I missed one, 
-please mail!</para> -->
-
 </sect3>
 
-<sect3 id="postlfs-security-fw-status" xreflabel="/etc/rc.d/init.d/firewall.status">
+<sect3 id="fw-status" xreflabel="/etc/rc.d/init.d/firewall.status">
 <title>firewall.status</title>
 
 <para>If you'd like to have a look at the chains your firewall consists of and 
@@ -665,9 +670,9 @@
 iptables -P FORWARD     ACCEPT
 iptables -P OUTPUT      ACCEPT
 <command>EOF</command></userinput></screen>
-
 </sect3>
 
 </sect2>
+
 </sect1>
 

Modified: trunk/BOOK/postlfs/security/iptables.xml
===================================================================
--- trunk/BOOK/postlfs/security/iptables.xml	2005-01-12 23:53:33 UTC (rev 3271)
+++ trunk/BOOK/postlfs/security/iptables.xml	2005-01-13 01:25:45 UTC (rev 3272)
@@ -34,7 +34,7 @@
 <application>iptables</application>, you will need
 to configure the relevant options into your kernel.  This is discussed
 in the next part of this chapter – 
-<xref linkend="postlfs-security-fw-kernel"/>.</para>
+<xref linkend="fw-kernel"/>.</para>
 
 <para>If you intend to use <acronym>IP</acronym>v6 you might consider extending
 the kernel by running <command>make patch-o-matic</command> in the top-level
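Review bot: this xref is the only consumer of the renamed `fw-*` ids outside firewalling.xml that the commit updates; since the rename touched every section id in that file, run a book-wide search for `postlfs-security-fw-` to confirm no other `<xref linkend=...>` still points at an old id, otherwise the DocBook build fails on an unresolved linkend.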

Modified: trunk/BOOK/postlfs/security/tripwire.xml
===================================================================
--- trunk/BOOK/postlfs/security/tripwire.xml	2005-01-12 23:53:33 UTC (rev 3271)
+++ trunk/BOOK/postlfs/security/tripwire.xml	2005-01-13 01:25:45 UTC (rev 3272)
@@ -67,8 +67,9 @@
 <sect2>
 <title>Command explanations</title>
 
-<para><command>sed -i -e 's at TWDB="${prefix}@TWDB="/var/lib@' install/install.cfg</command>: 
-This command tells the package to install the program database and reports in
+<para><command>sed -i -e 's at TWDB="${prefix}@TWDB="/var/lib@' 
+install/install.cfg</command>: This command tells the package to install the 
+program database and reports in
 <filename>/var/lib/tripwire</filename>.</para>
 
 <para><command>make install</command>: This command creates the
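Review bot: the sed expression reads `'s at TWDB="${prefix}@TWDB="/var/lib@'`: the first delimiter shows as ` at ` while the other two are `@`, which is the list archive obfuscating an address-like token rather than the committed text, but anyone copying from the archive gets a broken command; confirm the repository has `s@TWDB=`. Splitting the `<command>` element across two source lines is harmless in the rendered output, since the newline collapses to the single space that already separated the closing quote from `install/install.cfg`.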
@@ -118,7 +119,8 @@
 <filename class="directory">/etc/tripwire/</filename> you may begin the 
 configuration steps:</para>
 
-<screen><userinput><command>twadmin --create-polfile --site-keyfile=/etc/tripwire site.key /etc/tripwire/twpol.txt &&
+<screen><userinput><command>twadmin --create-polfile --site-keyfile=/etc/tripwire site.key \
+    /etc/tripwire/twpol.txt &&
 tripwire --init</command></userinput></screen>
 
 </sect3>
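Review bot: `--site-keyfile=/etc/tripwire site.key` has a space where the path separator belongs; the shell splits it into `--site-keyfile=/etc/tripwire` and a separate argument `site.key`, so twadmin is handed the directory as its key file and an extra positional argument. The defect predates this hunk (it is in the `-` line too), but since the line is being retouched, correct it here to `--site-keyfile=/etc/tripwire/site.key`, matching the `/etc/tripwire/` directory the surrounding text names.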
@@ -146,7 +148,8 @@
 system. Then, type in the following command making the appropriate 
 substitutions for <replaceable>[?]</replaceable>:</para>
 
-<screen><userinput><command>tripwire --update -twrfile /var/lib/tripwire/report/linux-<replaceable>[???????]</replaceable>-<replaceable>[??????]</replaceable>.twr</command></userinput></screen>
+<screen><userinput><command>tripwire --update -twrfile \
+    /var/lib/tripwire/report/linux-<replaceable>[???????]</replaceable>-<replaceable>[??????]</replaceable>.twr</command></userinput></screen>
 
 <para>You will be placed into <application>vim</application> with a copy of 
 the report in front of you. If all the changes were good, then just type 
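Review bot: `tripwire --update -twrfile ...` uses a single dash for a long option; tripwire's long option is `--twrfile` (short form `-r`), so check this against tripwire(8) and fix it while the line is being rewrapped. The continuation itself is fine, although the `<replaceable>` markup keeps the source line long even though the rendered path is short.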
