DOCSLIB.ORG

Firehol + Fireqos Reference

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Firehol + Fireqos Reference FireHOL + FireQOS Reference FireHOL Team Release 2.0.0-pre7 Built 13 Apr 2014 FireHOL + FireQOS Reference Release 2.0.0-pre7 i Copyright © 2012-2014 Phil Whineray <[email protected]> Copyright © 2004, 2013-2014 Costa Tsaousis <[email protected]> FireHOL + FireQOS Reference Release 2.0.0-pre7 ii Contents 1 Introduction 1 1.1 Latest version........................................1 1.2 Who should read this manual................................1 1.3 Where to get help......................................1 1.4 Manual Organisation....................................1 1.5 Installation.........................................2 1.6 Licence...........................................2 I FireHOL3 2 Configuration 4 2.1 Getting started........................................4 2.2 Language..........................................4 2.2.1 Use of bash.....................................4 2.2.1.1 What to avoid..............................4 3 Security 6 3.1 Important Security Note..................................6 3.2 What happens when FireHOL Runs?............................6 3.3 Where to learn more....................................7 4 Troubleshooting 8 4.1 Reading log output.....................................8 FireHOL + FireQOS Reference Release 2.0.0-pre7 iii II FireQOS 11 5 Configuration 12 III FireHOL Reference 13 6 Running and Configuring 14 6.1 FireHOL program: firehol................................. 15 6.2 FireHOL configuration: firehol.conf............................ 18 6.3 control variables: firehol-variables............................. 23 6.4 ipv4/ipv6 selection: firehol-modifiers............................ 31 7 Definition Commands 33 7.1 interface definition: firehol-interface............................ 34 7.2 router definition: firehol-router............................... 36 8 Rule Subcommands 39 8.1 policy command: firehol-policy............................... 40 8.2 protection command: firehol-protection.......................... 41 8.3 server, route commands: firehol-server........................... 44 8.4 client command: firehol-client............................... 46 8.5 group command: firehol-group............................... 48 9 Optional Parameters and Actions 50 9.1 optional rule parameters: firehol-rule-params....................... 51 9.2 actions for rules: firehol-actions.............................. 57 10 Helper Commands 63 10.1 iptables helper: firehol-iptables............................... 64 10.2 masquerade helper: firehol-masquerade.......................... 65 10.3 tcpmss helper: firehol-tcpmss................................ 67 FireHOL + FireQOS Reference Release 2.0.0-pre7 iv 11 Configuration Helper Commands 68 11.1 version config helper: firehol-version............................ 69 11.2 action config helper: firehol-action............................. 70 11.3 blacklist config helper: firehol-blacklist.......................... 72 11.4 classify config helper: firehol-classify........................... 73 11.5 connmark config helper: firehol-connmark......................... 74 11.6 dscp config helper: firehol-dscp............................... 76 11.7 mac config helper: firehol-mac............................... 78 11.8 mark config helper: firehol-mark.............................. 79 11.9 nat, snat, dnat, redirect config helpers: firehol-nat..................... 81 11.10transparent_proxy, transparent_squid helpers: firehol-transparent_proxy......... 84 11.11tos config helper: firehol-tos................................ 86 11.12tosfix config helper: firehol-tosfix............................. 88 12 Services Reference 89 12.1 services list: firehol-services................................ 90 12.2 services list a: firehol-services-a.............................. 91 12.3 services list b: firehol-services-b.............................. 96 12.4 services list c: firehol-services-c.............................. 97 12.5 services list d: firehol-services-d.............................. 99 12.6 services list e: firehol-services-e.............................. 105 12.7 services list f: firehol-services-f............................... 108 12.8 services list g: firehol-services-g.............................. 110 12.9 services list h: firehol-services-h.............................. 113 12.10services list i: firehol-services-i............................... 117 12.11services list j: firehol-services-j............................... 126 12.12services list k: firehol-services-k.............................. 128 12.13services list l: firehol-services-l............................... 129 12.14services list m: firehol-services-m............................. 132 12.15services list n: firehol-services-n.............................. 136 FireHOL + FireQOS Reference Release 2.0.0-pre7 v 12.16services list o: firehol-services-o.............................. 144 12.17services list p: firehol-services-p.............................. 146 12.18services list q: firehol-services-q.............................. 150 12.19services list r: firehol-services-r............................... 151 12.20services list s: firehol-services-s.............................. 155 12.21services list t: firehol-services-t............................... 163 12.22services list u: firehol-services-u.............................. 166 12.23services list v: firehol-services-v.............................. 168 12.24services list w: firehol-services-w............................. 171 12.25services list x: firehol-services-x.............................. 173 12.26services list y: firehol-services-y.............................. 175 12.27services list z: firehol-services-z.............................. 176 IV FireQOS Reference 177 13 Running and Configuring 178 13.1 FireQOS program: fireqos................................. 179 13.2 FireQOS configuration: fireqos.conf............................ 181 14 Organising Traffic 184 14.1 interface definition: fireqos-interface............................ 185 14.2 traffic class: fireqos-class.................................. 187 14.3 traffic match: fireqos-match................................. 190 15 Optional Parameters 192 15.1 class/match parameters: fireqos-shared-params...................... 193 15.2 optional class parameters: fireqos-class-params...................... 194 15.3 optional match parameters: fireqos-match-params..................... 199 FireHOL + FireQOS Reference Release 2.0.0-pre7 vi V Appendices 203 A ICMPv6 Firewall Recommendations 204 A.1 Introduction......................................... 204 A.2 Allow outbound echo requests from prefixes which belong to the site........... 204 A.3 Allow inbound echo requests towards only predetermined hosts.............. 204 A.4 Allow incoming and outgoing echo reply messages only for existing sessions...... 205 A.5 Deny icmps to/from link local addresses.......................... 205 A.6 Drop echo replies which have a multicast address as a destination............. 205 A.7 Allow incoming destination unreachable messages only for existing sessions....... 205 A.8 Allow outgoing destination unreachable messages..................... 205 A.9 Allow incoming Packet Too Big messages only for existing sessions........... 206 A.10 Allow outgoing Packet Too Big messages......................... 206 A.11 Allow incoming time exceeded code 0 messages only for existing sessions........ 206 A.12 Allow incoming time exceeded code 1 messages...................... 206 A.13 Allow outgoing time exceeded code 0 messages...................... 206 A.14 Allow outgoing time exceeded code 1 messages...................... 206 A.15 Allow incoming parameter problem code 1 and 2 messages for an existing session.... 207 A.16 Allow outgoing parameter problem code 1 and code 2 messages............. 207 A.17 Allow incoming and outgoing parameter problem code 0 messages............ 207 A.18 Drop NS/NA messages both incoming and outgoing.................... 207 A.19 Drop RS/RA messages both incoming and outgoing.................... 207 A.20 Drop Redirect messages both incoming and outgoing................... 208 A.21 Drop incoming and outgoing Multicast Listener queries (MLDv1 and MLDv2)..... 208 A.22 Drop incoming and outgoing Multicast Listener reports (MLDv1)............ 208 A.23 Drop incoming and outgoing Multicast Listener Done messages (MLDv1)........ 209 A.24 Drop incoming and outgoing Multicast Listener reports (MLDv2)............ 209 A.25 Drop router renumbering messages............................. 209 A.26 Drop node information queries (139) and replies (140).................. 210 A.27 If there are mobile ipv6 home agents present on the trusted side allow.......... 210 A.28 If there are roaming mobile nodes present on the trusted side allow............ 210 A.29 Drop everything else.................................... 211 FireHOL + FireQOS Reference Release 2.0.0-pre7 vii 16 Index 212 FireHOL + FireQOS Reference Release 2.0.0-pre7 viii List of Tables 6.1 iptables/klogd levels.................................... 25 FireHOL + FireQOS Reference Release 2.0.0-pre7 1 / 215 Chapter 1 Introduction 1.1 Latest version The latest version of this document will always be available here. There are PDF and HTML versions. 1.2 Who should read this manual This manual is aimed at those who wish to create and maintain firewalls with FireHOL or perform traffic shaping with FireQOS. For more information and tutorials, see the FireHOL website. 1.3 Where to get help The FireHOL website. The mailing lists and archives. The package comes with a complete set of manpages, a README and a brief INSTALL guide. 1.4 Manual Organisation FireHOL, the package, consists of two principal
Load more

Recommended publications
  • Computer Security Administration
    Information Security Group Information + Technology Services University of Toronto Endpoint Security Policy System A Network Access Control System with Vulnerability Detection and User Remediation Evgueni Martynov UNIX Systems Group Mike Wiseman Computer Security Administration Endpoint Security Policy System Table of Contents Acknowledgements............................................................................. 3 Change History .................................................................................... 4 Summary ............................................................................................. 5 Overview .............................................................................................. 5 Network Isolation ............................................................................... 6 Vulnerability Detection ....................................................................... 6 User Remediation ................................................................................ 8 Administering ESP ............................................................................... 8 ESP Operations Experience ................................................................ 9 Appendix I – Installation and Configuration of ESP server ........... 10 Using init.sh ..................................................................................... 10 Post-Installation ................................................................................ 11 Configuring an ESP Server to Work with an ESP Agent .......................
    [Show full text]
  • Hostscan 4.8.01064 Antimalware and Firewall Support Charts
    HostScan 4.8.01064 Antimalware and Firewall Support Charts 10/1/19 © 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco public. Page 1 of 76 Contents HostScan Version 4.8.01064 Antimalware and Firewall Support Charts ............................................................................... 3 Antimalware and Firewall Attributes Supported by HostScan .................................................................................................. 3 OPSWAT Version Information ................................................................................................................................................. 5 Cisco AnyConnect HostScan Antimalware Compliance Module v4.3.890.0 for Windows .................................................. 5 Cisco AnyConnect HostScan Firewall Compliance Module v4.3.890.0 for Windows ........................................................ 44 Cisco AnyConnect HostScan Antimalware Compliance Module v4.3.824.0 for macos .................................................... 65 Cisco AnyConnect HostScan Firewall Compliance Module v4.3.824.0 for macOS ........................................................... 71 Cisco AnyConnect HostScan Antimalware Compliance Module v4.3.730.0 for Linux ...................................................... 73 Cisco AnyConnect HostScan Firewall Compliance Module v4.3.730.0 for Linux .............................................................. 76 ©201 9 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
    [Show full text]
  • Lecture 11 Firewalls
    BSc in Telecommunications Engineering TEL3214 Computer Communication Networks Lecture 11 Firewalls Eng Diarmuid O'Briain, CEng, CISSP 11-2 TEL3214 - Computer Communication Networks Copyright © 2017 Diarmuid Ó Briain Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back- Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". TEL3214 Firewalls 09 May 2017 TEL3214 - Computer Communication Networks 11-3 Table of Contents 1. AN INTRODUCTION TO FIREWALLS........................................................................................................................5 2. THE DIGITAL SECURITY PROBLEM...........................................................................................................................5 2.1 HOME......................................................................................................................................................................5 2.2 ENTERPRISE...............................................................................................................................................................6 2.3 ROAMING INDIVIDUAL.................................................................................................................................................6 2.4 PERIMETER DEFENCE AND FIREWALLS.............................................................................................................................6
    [Show full text]
  • Comodo Korugan UTM Security Target Lite
    Comodo Yazılım A.Ş. Tasnif Dışı/Unclassified Comodo Korugan UTM Security Target Lite Comodo Yazılım A.Ş. Comodo Korugan UTM 1.10 Security Target Lite COMODO YAZILIM A.Ş. The copyright and design right in this document are vested in Comodo Yazılım A.Ş. and the document is supplied to you for a limited purpose and only in connection with this project. No information as to the contents or the subject matter of this document or any part thereof shall be communicated in any manner to any third party without the prior consent in writing of Comodo Yazılım A.Ş. Copyright © Comodo Yazılım A.Ş., 2014-2017 Comodo Yazılım A.Ş. 1 / 48 Author: Onur Özardıç Comodo Yazılım A.Ş. Tasnif Dışı/Unclassified Comodo Korugan UTM Security Target Lite List of Tables Table 1 ST and TOE References ........................................................................................ 6 Table 2 Functional features of TOE ..................................................................................... 8 Table 3 Major Security Features of TOE ............................................................................. 8 Table 4 Assets using TOE resources .................................................................................15 Table 5 Threats addressed by TOE only ............................................................................16 Table 6 Threats met by TOE and TOE Security Environment ............................................16 Table 7 Threats Addressed by TOE Security Environment .................................................16 Table
    [Show full text]
  • Migrazione Da Iptables a Nftables
    UNIVERSITÀ DEGLI STUDI DI GENOVA MASTER IN CYBER SECURITY AND DATA PROTECTION Migrazione da iptables a nftables Autore: Tutor accademico: dott. Marco DE BENEDETTO prof. Mario MARCHESE Tutor aziendale: dott. Carlo BERUTTI BERGOTTO Project Work finale del Master di secondo livello in Cyber Security and Data Protection III edizione (a.a. 2016/17) 10 marzo 2019 iii Indice 1 Introduzione 1 2 Packet Filtering in Linux 3 2.1 Storia ...................................... 3 2.2 Netfilter .................................... 4 2.3 Nftables successore di iptables? ....................... 6 3 Firewall Linux nella rete Galliera 7 3.1 Cenni storici .................................. 7 3.2 Architettura attuale .............................. 7 3.3 Problemi dell’infrastruttura ......................... 9 3.4 Opportunità di migrazione a nftables ................... 9 4 Nftables 11 4.1 Caratteristiche di nftables .......................... 11 4.2 Packet flow in nftables ............................ 12 4.3 Strumenti di debug e tracing ......................... 15 5 Migrazione del Captive Portal 17 5.1 Captive Portal con iptables .......................... 17 5.2 Captive Portal nella versione nftables ................... 19 5.3 Autorizzazioni temporizzate ........................ 20 5.4 Aggiornamento del timeout ......................... 21 5.5 Limitazione della banda ........................... 22 6 Strumenti di sviluppo e test 25 6.1 Virtualizzazione ................................ 25 6.2 Debug ..................................... 26 7 Considerazioni finali
    [Show full text]
  • Pipenightdreams Osgcal-Doc Mumudvb Mpg123-Alsa Tbb
    pipenightdreams osgcal-doc mumudvb mpg123-alsa tbb-examples libgammu4-dbg gcc-4.1-doc snort-rules-default davical cutmp3 libevolution5.0-cil aspell-am python-gobject-doc openoffice.org-l10n-mn libc6-xen xserver-xorg trophy-data t38modem pioneers-console libnb-platform10-java libgtkglext1-ruby libboost-wave1.39-dev drgenius bfbtester libchromexvmcpro1 isdnutils-xtools ubuntuone-client openoffice.org2-math openoffice.org-l10n-lt lsb-cxx-ia32 kdeartwork-emoticons-kde4 wmpuzzle trafshow python-plplot lx-gdb link-monitor-applet libscm-dev liblog-agent-logger-perl libccrtp-doc libclass-throwable-perl kde-i18n-csb jack-jconv hamradio-menus coinor-libvol-doc msx-emulator bitbake nabi language-pack-gnome-zh libpaperg popularity-contest xracer-tools xfont-nexus opendrim-lmp-baseserver libvorbisfile-ruby liblinebreak-doc libgfcui-2.0-0c2a-dbg libblacs-mpi-dev dict-freedict-spa-eng blender-ogrexml aspell-da x11-apps openoffice.org-l10n-lv openoffice.org-l10n-nl pnmtopng libodbcinstq1 libhsqldb-java-doc libmono-addins-gui0.2-cil sg3-utils linux-backports-modules-alsa-2.6.31-19-generic yorick-yeti-gsl python-pymssql plasma-widget-cpuload mcpp gpsim-lcd cl-csv libhtml-clean-perl asterisk-dbg apt-dater-dbg libgnome-mag1-dev language-pack-gnome-yo python-crypto svn-autoreleasedeb sugar-terminal-activity mii-diag maria-doc libplexus-component-api-java-doc libhugs-hgl-bundled libchipcard-libgwenhywfar47-plugins libghc6-random-dev freefem3d ezmlm cakephp-scripts aspell-ar ara-byte not+sparc openoffice.org-l10n-nn linux-backports-modules-karmic-generic-pae
    [Show full text]
  • The Book of PF Covers the Most • Stay in Control of Your Traffic with Monitoring and Up-To-Date Developments in PF, Including New Content PETER N.M
    EDITION3RD BUILD A Covers OpenBSD 5.6, MORE SECURE FreeBSD 10.x, and NETWORK EDITION NETWORK 3RD NetBSD 6.x WITH PF THETHE BOOKBOOK THE BOOK OF PF OF THE BOOK THE BOOK OF PF OF THE BOOK OFOF PFPF OpenBSD’s stateful packet filter, PF, is the heart of • Build adaptive firewalls to proactively defend against A GUIDE TO THE the OpenBSD firewall. With more and more services attackers and spammers NO-NONSENSE placing high demands on bandwidth and an increas- OPENBSD FIREWALL • Harness OpenBSD’s latest traffic-shaping system ingly hostile Internet environment, no sysadmin can to keep your network responsive, and convert your afford to be without PF expertise. existing ALTQ configurations to the new system The third edition of The Book of PF covers the most • Stay in control of your traffic with monitoring and up-to-date developments in PF, including new content PETER N.M. HANSTEEN visualization tools (including NetFlow) on IPv6, dual stack configurations, the “queues and priorities” traffic-shaping system, NAT and redirection, The Book of PF is the essential guide to building a secure wireless networking, spam fighting, failover provision- network with PF. With a little effort and this book, you’ll ing, logging, and more. be well prepared to unlock PF’s full potential. You’ll also learn how to: ABOUT THE AUTHOR • Create rule sets for all kinds of network traffic, whether Peter N.M. Hansteen is a consultant, writer, and crossing a simple LAN, hiding behind NAT, traversing sysadmin based in Bergen, Norway. A longtime DMZs, or spanning bridges or wider networks Freenix advocate, Hansteen is a frequent lecturer on OpenBSD and FreeBSD topics, an occasional • Set up wireless networks with access points, and contributor to BSD Magazine, and the author of an lock them down using authpf and special access often-slashdotted blog (http://bsdly.blogspot.com/ ).
    [Show full text]
  • Nftables Och Iptables En Jämförelse Av Latens Nftables and Iptables a Comparison in Latency
    NFtables and IPtables Jonas Svensson Eidsheim NFtables och IPtables En jämförelse av latens NFtables and IPtables A Comparison in Latency Bachelors Degree Project in Computer Science Network and Systems Administration, G2E, 22.5 hp IT604G Jonas Svensson Eidsheim [email protected] Examiner Jonas Gamalielsson Supervisor Johan Zaxmy Abstract Firewalls are one of the essential tools to secure any network. IPtables has been the de facto firewall in all Linux systems, and the developers behind IPtables are also responsible for its intended replacement, NFtables. Both IPtables and NFtables are firewalls developed to filter packets. Some services are heavily dependent on low latency transport of packets, such as VoIP, cloud gaming, storage area networks and stock trading. This work is aiming to compare the latency between the selected firewalls while under generated network load. The network traffic is generated by iPerf and the latency is measured by using ping. The measurement of the latency is done on ping packets between two dedicated hosts, one on either side of the firewall. The measurement was done on two configurations one with regular forwarding and another with PAT (Port Address Translation). Both configurations are measured while under network load and while not under network load. Each test is repeated ten times to increase the statistical power behind the conclusion. The results gathered in the experiment resulted in NFtables being the firewall with overall lower latency both while under network load and not under network load. Abstrakt Brandväggen är ett av de viktigaste verktygen för att säkra upp nätverk. IPtables har varit den främst använda brandväggen i alla Linux-system och utvecklarna bakom IPtables är också ansvariga för den avsedda ersättaren, NFtables.
    [Show full text]
  • Netfilter:Making Large Iptables Rulesets Scale
    Netfilter:Netfilter: MakingMaking largelarge iptablesiptables rulesetsrulesets scalescale Netfilter Developers Workshop 2008 d.1/10-2008 by Jesper Dangaard Brouer <[email protected]> Master of Computer Science ComX Networks A/S Who am I Name: Jesper Dangaard Brouer Edu: Computer Science for Uni. Copenhagen Focus on Network, Dist. sys and OS Linux user since 1996, professional since 1998 Sysadm, Developer, Embedded OpenSource projects Author of ADSL-optimizer CPAN IPTables::libiptc Patches accepted into Kernel, iproute2 and iptables Netfilter: Making large iptables rulesets scale 2/29 Physical surroundings ComX delivers fiber based solutions Our primary customers are apartment buildings but with end-user relation Ring based network topology with POPs (Point Of Presence) POPs have fiber strings to apartment buildings CPE box in apartment performs service separation into VLANs Netfilter: Making large iptables rulesets scale 3/29 The Linux box The iptables box(es), this talk is all about placed at each POP (near the core routers) high-end server PC, with only two netcards Internet traffic: from several apartment buildings, layer2 terminated via VLANs on one netcard, routed out the other. Cost efficient but needs to scale to a large number of customers goal is to scale to 5000 customers per machine Netfilter: Making large iptables rulesets scale 4/29 Issues and limitations First generation solution was in production. business grew and customers where added; several scalability issues arose The two primary were: Routing performance reduced (20 kpps)
    [Show full text]
  • Server Firewall
    Linux Firewall ad opera d'arte Pagina 1 di 43 Documentazione basata su openskills.info. Linux Firewall ad opera d'arte ( C ) Coresis e autori vari Linux Firewall ad opera d'arte P ROGRAMMA Linux Firewalling Linux firewalling: Introduzione a Iptables Obiettivo: Overview, gestione, utilizzo di iptables su Linux per packet Comprendere Iptables: filtering - La sintassi del comando - La logica di gestione di un pacchetto nel kernel iptables - Linux natting e packet mangling - I campi di applicazione e le soluzioni possibili Approfondimenti su funzionalità sperimentali Utilizzo di iptables per natting, masquerading e mangling di Sistemi di logging e gestione pacchetti. Soluzioni di alta affidabilità Esempi di configurazione di Iptables Esempi di configurazioni di un firewall Linux con iptables Iptables Avanzato Funzionalità avanzate di iptables. Linux Firewalling Linux Firewall ad opera d'arte Pagina 2 di 43 L INUX FIREWALLING: INTRODUZIONE A Overview, gestione, utilizzo di iptables su Linux per I PTABLES packet filtering NetFilter e il firewalling su Linux Il codice di firewalling nel kernel Linux ha una sua storia: Nel kernel 2.0 ( 1996 ) si usava ipfwadm Nel kernel 2.2 ( 1999 ) si sono usate le ipchains Dal kernel 2.4 ( 2001 ) sono state introdotte le iptables Tutt'ora utilizzate nel ramo 2.6 ( 2002 ) Il framework netfilter/iptables gestisce tutte le attività di firewalling su Linux: - Netfilter comprende i moduli del kernel - iptables è il comando con cui si gestisce netfilter Feature principali: - Packet filtering stateless e stateful - Supporto IPv4 e IPv6 - Ogni tipo di natting (NAT/NAPT) - Infrastruttura flessibile ed estendibile - Numerosi plug-in e moduli aggiuntivi per funzionalità aggiuntive Sito ufficiale: http://www.netfilter.org Linux Firewall ad opera d'arte Pagina 3 di 43 Logica di Iptables: tabelle, catene, regole, target Iptables lavora su 3 tabelle (tables) di default: filter - Regola il firewalling: quali pacchetti accettare, quali bloccare nat - Regola le attività di natting mangle - Interviene sulla alterazione dei pacchetti.
    [Show full text]
  • Suse Linux Enterprise Server Benchmark V1.0
    CIS SuSE Linux Benchmark SuSE Linux Enterprise Server Benchmark v1.0 (SuSE Linux Enterprise Server 9.0) March, 2006 Copyright 2001-2005, The Center for Internet Security http://www.CISecurity.org/ 1 CIS SuSE Linux Benchmark TERMS OF USE AGREEMENT Background. The Center for Internet Security ("CIS") provides benchmarks, scoring tools, software, data, information, suggestions, ideas, and other services and materials from the CIS website or elsewhere ("Products") as a public service to Internet users worldwide. Recommendations contained in the Products ("Recommendations") result from a consensus-building process that involves many security experts and are generally generic in nature. The Recommendations are intended to provide helpful information to organizations attempting to evaluate or improve the security of their networks, systems, and devices. Proper use of the Recommendations requires careful analysis and adaptation to specific user requirements. The Recommendations are not in any way intended to be a "quick fix" for anyone's information security needs. No Representations, Warranties, or Covenants. CIS makes no representations, warranties, or covenants whatsoever as to (i) the positive or negative effect of the Products or the Recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness, or completeness of the Products or the Recommendations. CIS is providing the Products and the Recommendations "as is" and "as available" without representations, warranties, or covenants of any kind. User Agreements. By using the Products and/or the Recommendations, I and/or my organization ("We") agree and acknowledge that: 1.
    [Show full text]
  • Firewall En GNU/Linux Netfilter/Iptables
    Firewall en GNU/Linux netfilter/iptables SEGURIDAD EN SISTEMAS INFORMATICOS 4o Grado en Ing. Inform´atica http://ccia.ei.uvigo.es/docencia/SSI-grado/ 6 de noviembre de 2012 { FJRP, FMBR 2012 ccia SSI { 1. Introducci´ona netfilter/iptables netfilter (http://www.netfilter.org) es un componente del n´ucleoLinux (desde la versi´on2.4) encargado de la manipulaci´onde paquetes de red, que permite: • filtrado de paquetes • traducci´onde direcciones (NAT) • modificaci´onde paquetes iptables es una herramienta/aplicaci´on (forma parte del proyecto net- filter) que hace uso de la infraestructura que ofrece netfilter para construir y configurar firewalls • permite definir pol´ıticasde filtrado, de NAT y realizar logs • remplaza a herramientas anteriores: ifwadmin, ipchains • puede usar las capacidades de seguimiento de conexiones net- filter para definir firewalls con estado Las posibles tareas a realizar sobre los paquetes (filtrado, NAT, modificaci´on)se controlan mediante distintos conjuntos de reglas, en funci´onde la situaci´on/momentoen la que se encuentre un paquete durante su procesamiento dentro de netfilter. • Las listas de reglas y dem´as datos residen en el espacio de memoria del kernel • La herramienta de nivel de usuario iptables permite al adminis- trador configurar las listas de reglas que usa el kernel para decidir qu´ehacer con los paquetes de red que maneja. • En la pr´actica un ”firewall" iptables consistir´aen un script de shell conteniendo los comandos iptables para configurar convenientemente las listas de reglas. ◦ tipicamente ese script residir´a en el directorio '/etc/init.d' ´o en '/etc/rc.d' para que sea ejecutado cada vez que arranca el sistema • Otras utilidades (guardar/recuperar reglas en memoria): iptables-save, iptable-restore { FJRP, FMBR 2012 ccia SSI { 1 (a) Elementos TABLAS.
    [Show full text]