Linux Firewalls, 3/e
暫譯: Linux 防火牆, 第3版

Description:

An Internet-connected Linux machine is in a high-risk situation. Linux Firewalls, Third Edition details security steps that any sized implementation from home use to enterprise level might take to protect itself from potential remote attackers. As with the first two editions, this book is especially useful for its explanations of iptables, packet filtering, and firewall optimization along with some advanced concepts including customizing the Linux kernel to enhance security.The third edition, while distribution neutral, has been updated for the current Linux Kernel and provides code examples for Red Hat, SUSE, and Debian implementations. Don't miss out on the third edition of the critically acclaimed Linux Firewalls.

 

Table of Contents:

Introduction.

    The Purpose of This Book.

    Who Should Read This Book.

    Linux Distribution.

    Errors in This Book.

    Companion Website.

I. PACKET-FILTERING AND BASIC SECURITY MEASURES.

1. Preliminary Concepts Underlying Packet-Filtering Firewalls.

    The OSI Networking Model.

      Connectionless Versus Connection-Oriented Protocols.

      Next Steps.

    The IP.

      IP Addressing and Subnetting.

      IP Fragmentation.

      Broadcasting and Multicasting.

      ICMP.

    Transport Mechanisms.

      UDP.

      TCP.

    Don’t Forget ARP.

    Hostnames and IP Addresses.

      IP Addresses and Ethernet Addresses.

    Routing: Getting a Packet from Here to There.

    Service Ports: The Door to the Programs on Your System.

      A Typical TCP Connection: Visiting a Remote Website.

    Summary.

2. Packet-Filtering Concepts.

    A Packet-Filtering Firewall.

    Choosing a Default Packet-Filtering Policy.

    Rejecting Versus Denying a Packet.

    Filtering Incoming Packets.

      Remote Source Address Filtering.

      Local Destination Address Filtering.

      Remote Source Port Filtering.

      Local Destination Port Filtering.

      Incoming TCP Connection-State Filtering.

      Probes and Scans.

      Denial-of-Service Attacks.

      Source-Routed Packets.

    Filtering Outgoing Packets.

      Local Source Address Filtering.

      Remote Destination Address Filtering.

      Local Source Port Filtering.

      Remote Destination Port Filtering.

      Outgoing TCP Connection-State Filtering.

    Private Versus Public Network Services.

      Protecting Nonsecure Local Services.

      Selecting Services to Run.

    Summary.

3. iptables: The Linux Firewall Administration Program.

    Differences Between IPFW and Netfilter Firewall Mechanisms.

      IPFW Packet Traversal.

      Netfilter Packet Traversal.

    Basic iptables Syntax.

    iptables Features.

      NAT Table Features.

      mangle Table Features.

    iptables Syntax.

      filter Table Commands.

      filter Table Target Extensions.

      filter Table Match Extensions.

      NAT Table Target Extensions.

      mangle Table Commands.

    Summary.

4. Building and Installing a Standalone Firewall.

    iptables: The Linux Firewall Administration Program.

      Build Versus Buy: The Linux Kernel.

      Source and Destination Addressing Options.

    Initializing the Firewall.

      Symbolic Constants Used in the Firewall Examples.

      Enabling Kernel-Monitoring Support.

      Removing Any Preexisting Rules.

      Resetting Default Policies and Stopping the Firewall.

      Enabling the loopback Interface.

      Defining the Default Policy.

      Stealth Scans and TCP State Flags.

      Using Connection State to Bypass Rule Checking.

      Source Address Spoofing and Other Bad Addresses.

    Protecting Services on Assigned Unprivileged Ports.

      Common Local TCP Services Assigned to Unprivileged Ports.

      Common Local UDP Services Assigned to Unprivileged Ports.

    Enabling Basic, Required Internet Services.

      Allowing DNS (UDP/TCP Port 53).

      Filtering the AUTH User Identification Service (TCP Port 113).

    Enabling Common TCP Services.

      Email (TCP SMTP Port 25, POP Port 110, IMAP Port 143).

      Accessing Usenet News Services (TCP NNTP Port 119).

      Telnet (TCP Port 23).

      SSH (TCP Port 22).

      FTP (TCP Ports 21, 20).

      Web Services.

      Whois (TCP Port 43).

      RealAudio, RealVideo, and QuickTime (TCP Ports 554 and 7070).

    Enabling Common UDP Services.

      traceroute (UDP Port 33434).

      Accessing Your ISP’s DHCP Server (UDP Ports 67, 68).

      Accessing Remote Network Time Servers (UDP Port 123).

    Filtering ICMP Control and Status Messages.

      Error Status and Control Messages.

      ping Echo Request (Type 8) and Echo Reply (Type 0) Control Messages.

    Logging Dropped Incoming Packets.

    Logging Dropped Outgoing Packets.

    Denying Access to Problem Sites Up Front.

    Installing the Firewall.

      Tips for Debugging the Firewall Script.

      Starting the Firewall on Boot with Red Hat and SUSE.

      Starting the Firewall on Boot with Debian.

      Installing a Firewall with a Dynamic IP Address.

    Summary.

II. ADVANCED ISSUES, MULTIPLE FIREWALLS, AND PERIMETER NETWORKS.

5. Firewall Optimization.

    Rule Organization.

      Begin with Rules That Block Traffic on High Ports.

      Use the State Module for ESTABLISHED and RELATED Matches.

      Consider the Transport Protocol.

      Place Firewall Rules for Heavily Used Services as Early as Possible.

      Use the Multiport Module to Specify Port Lists.

      Use Traffic Flow to Determine Where to Place Rules for Multiple Network Interfaces.

    User-Defined Chains.

    Optimized Example.

      User-Defined Chains in the Script.

      Firewall Initialization.

      Installing the Chains.

      Building the User-Defined EXT-input and EXT-output Chains.

      tcp-state-flags.

      connection-tracking.

      local_dhcp_client_query and remote_dhcp_server_response.

      source-address-check.

      destination-address-check.

      Logging Dropped Packets.

    What Did Optimization Buy?

    Summary.

6. Packet Forwarding.

    The Limitations of a Standalone Firewall.

    Basic Gateway Firewall Setups.

    LAN Security Issues.

    Configuration Options for a Trusted Home LAN.

      LAN Access to the Gateway Firewall.

      LAN Access to Other LANs: Forwarding Local Traffic Among Multiple LANs.

    Configuration Options for a Larger or Less Trusted LAN.

      Dividing Address Space to Create Multiple Networks.

      Selective Internal Access by Host, Address Range, or Port.

    A Formal Screened-Subnet Firewall Example.

      Symbolic Constants Used in the Firewall Examples.

      Setting the Stage on the Choke Firewall.

      Removing Any Preexisting Rules from the Choke Firewall.

      Defining the Choke Firewall’s Default Policy.

      Enabling the Choke Machine’s Loopback Interface.

      Stealth Scans and TCP State Flags.

      Using Connection State to Bypass Rule Checking.

      Source-Address Spoofing and Other Bad Addresses.

      Filtering ICMP Control and Status Messages.

      Enabling DNS (UDP/TCP Port 53).

      Filtering the AUTH User Identification Service (TCP Port 113).

      Email (TCP SMTP Port 25, POP3 Port 110, IMAP Port 143).

      Accessing Usenet News Services (TCP NNTP Port 119).

      Telnet (TCP Port 23).

      SSH (TCP Port 22).

      FTP (TCP Ports 21 and 20).

      Web Services.

      Choke as a Local DHCP Server (UDP Ports 67 and 68).

      Logging.

    Converting the Gateway from Local Services to Forwarding.

    Summary.

7. NAT—Network Address Translation.

    The Conceptual Background of NAT.

    iptables NAT Semantics.

      Source NAT.

      Destination NAT.

    Examples of SNAT and Private LANs.

      Masquerading LAN Traffic to the Internet.

      Applying Standard NAT to LAN Traffic to the Internet.

    Examples of DNAT, LANs, and Proxies.

      Host Forwarding.

      Host Forwarding and Port Redirection.

      Host Forwarding to a Server Farm.

      Host Forwarding to Servers in a Privately Addressed DMZ.

      Local Port Redirection—Transparent Proxying.

    Summary.

8. Debugging the Firewall Rules.

    General Firewall-Development Tips.

    Listing the Firewall Rules.

      filter Table Listing Formats.

      nat Table Listing Formats.

      mangle Table Listing Formats.

    Checking the Input, Output, and Forwarding Rules.

      Checking the Input Rules.

      Checking the Output Rules.

      Checking the Forwarding Rules.

    Interpreting the System Logs.

      syslog Configuration.

      Firewall Log Messages: What Do They Mean?

    Checking for Open Ports.

      netstat -a [ -n -p -A inet ].

      Checking a Process Bound to a Particular Port with fuser.

      strobe.

      nmap.

    Summary.

III. BEYOND IPTABLES.

9. Intrusion Detection and Response.

    Detecting Intrusions.

    Symptoms Suggesting That the System Might Be Compromised.

      System Log Indications.

      System Configuration Indications.

      Filesystem Indications.

      User Account Indications.

      Security Audit Tool Indications.

      System Performance Indications.

    What to Do If Your System Is Compromised.

    Incident Reporting.

      Why Report an Incident?

      What Kinds of Incidents Might You Report?

      To Whom Do You Report an Incident?

      What Information Do You Supply?

      Where Do You Find More Information?

    Summary.

10. Intrusion Detection Tools.

    Intrusion Detection Toolkit: Network Tools.

      Switches and Hubs and Why You Care.

      Sniffer Placement.

      ARPWatch.

    Rootkit Checkers.

      Running Chkrootkit.

      What If Chkrootkit Says the Computer Is Infected?

      Limitations of Chkrootkit and Similar Tools.

      Using Chkrootkit Securely.

      When Should Chkrootkit Be Run?

    Filesystem Integrity.

    Log Monitoring.

      Swatch.

    How to Not Become Compromised.

      Secure Often.

      Update Often.

      Test Often.

    Summary.

11. Network Monitoring and Attack Detection.

    Listening to the Ether.

      Three Valuable Tools.

    TCPDump: A Simple Overview.

      Obtaining and Installing TCPDump.

      TCPDump Options.

      TCPDump Expressions.

      Beyond the Basics with TCPDump.

    Using TCPDump to Capture Specific Protocols.

      Using TCPDump in the Real World.

      Attacks Through the Eyes of TCPDump.

      Recording Traffic with TCPDump.

    Automated Intrusion Monitoring with Snort.

      Obtaining and Installing Snort.

      Configuring Snort.

      Testing Snort.

      Receiving Alerts.

      Final Thoughts on Snort.

    Monitoring with ARPWatch.

    Summary.

12. Filesystem Integrity.

    Filesystem Integrity Defined.

      Practical Filesystem Integrity.

    Installing AIDE.

    Configuring AIDE.

      Creating an AIDE Configuration File.

      A Sample AIDE Configuration File.

      Initializing the AIDE DB.

      Scheduling AIDE to Run Automatically.

    Monitoring AIDE for Bad Things.

    Cleaning Up the AIDE Database.

    Changing the Output of the AIDE Report.

      Obtaining More Verbose Output.

    Defining Macros in AIDE.

    The Types of AIDE Checks.

    Summary.

13. Kernel Enhancements.

    Security Enhanced Linux.

      SELinux Architecture.

    Greater Security with GrSecurity.

    A Quick Look Around the Kernel.

      What’d You Call That?

      What’s Your Number?

      The Kernel: From 20,000 Feet.

    To Patch or Not to Patch.

      Enhanced Security Without Grsec.

    Using a GrSecurity Kernel.

      Downloading Grsec and a Fresh Kernel.

      Compiling Your First Kernel.

      Improving the Kernel Build.

    GrSecurity.

      Applying the Grsec Patch.

      Choosing Grsec Features.

      Building the Grsec Kernel.

      Beyond the Basics with GrSecurity.

    Conclusion: Custom Kernels.

IV. APPENDICES.

Appendix A. Security Resources.

    Security Information Sources.

    Reference Papers and FAQs.

    Books.

Appendix B. Firewall Examples and Support Scripts.

    iptables Firewall for a Standalone System from Chapter 4.

    Optimized iptables Firewall from Chapter 5.

    iptables Firewall for a Choke Firewall from Chapter 6.

Appendix C. VPNs.

    Overview of Virtual Private Networks.

    VPN Protocols.

      PPTP.

      IPSec.

    Linux and VPN Products.

      Openswan.

      FreeS/WAN.

      Virtual Private Network Daemon.

      PPTP Linux Solutions.

      Virtual Tunnel.

    VPN Configurations.

      Roaming User.

    Connecting Networks.

    VPN and Firewalls.

    Summary.

Appendix D. Glossary.