Securing-Optimizing-RH-Linux-1_2_130
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
130
To read:
FORWARD_IPV4="yes"
You must restart your network for the change to take effect:
[root@deep /]# /etc/rc.d/init.d/network restart
So you can either add the echo 1 > /proc/sys/net/ipv4/ip_forward command line to your
rc.local script file, or change the value of the line FORWARD_IPV4=false to yes in the
network file, to set this feature to ON. Personally, I prefer the second choice.
NOTE: The IP forwarding line above is only required when you answer Yes to the kernel option
IP: Masquerading (CONFIG_IP_MASQUERADE) and choose to have a server act as a Gateway
and masquerade for your inside network.
If you enable IP Masquerading, then the modules ip_masq_ftp.o (for ftp file transfers),
ip_masq_irc.o (for irc chats), ip_masq_quake.o (you guessed it), ip_masq_vdolive.o (for VDOLive
video connections), ip_masq_cuseeme.o (for CU-SeeMe broadcasts) and ip_masq_raudio.o (for
RealAudio downloads) will automatically be compiled. They are needed to make masquerading
for these protocols work. Also, you'll need to build a modularized kernel and answer Yes to the
Enable loadable module support (CONFIG_MODULES) option instead of a monolithic kernel to
be able to use masquerading functions and modules like ip_masq_ftp.o on your Gateway server
(see the Linux Kernel section above for more information).
The basic masquerade code described for "IP: masquerading" above only handles TCP or UDP
packets (and ICMP errors for existing connections). The IP: ICMP Masquerading option adds
support for masquerading ICMP packets as well, such as ping or the probes used by the
Windows 95 tracer program.
NOTE: Remember, other servers like Web Server and Mail Server don't need to have these
options enabled, since they have a real IP address assigned or don't act as a Gateway for the
inside network.
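The two paragraphs above describe the same setting from both sides: a Gateway must have IP forwarding ON, both in the network file so it survives a reboot and in /proc so it is live now, while a Web or Mail server with a real IP address should have it OFF. The following POSIX shell audit is an added example and not part of the book; it reads a sysconfig-style network file and an ip_forward-style /proc file (paths are passed as arguments so it can be tried on constructed sample files), and reports whether both agree with the machine's role. The function names and the "gateway"/"server" role labels are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the book): audit whether the boot-time setting
# FORWARD_IPV4 in /etc/sysconfig/network and the live kernel value in
# /proc/sys/net/ipv4/ip_forward agree with the role of the machine.
# Paths are taken as arguments so the script can be run against sample
# files; the function names and the "gateway"/"server" role labels are
# this example's own conventions, not Red Hat's.

# Print "on", "off" or "unset" for the FORWARD_IPV4 line of a sysconfig file.
# Accepts yes/true and no/false, with or without quotes; the last line wins,
# as it would when the file is sourced by the init scripts.
sysconfig_forward_setting() {
    val=$(grep '^FORWARD_IPV4=' "$1" 2>/dev/null | tail -n 1 \
          | cut -d= -f2- | tr -d '"' | tr 'A-Z' 'a-z')
    case "$val" in
        yes|true)  echo on ;;
        no|false)  echo off ;;
        *)         echo unset ;;
    esac
}

# Print "on", "off" or "unset" for the live /proc value (1 = forwarding enabled).
proc_forward_setting() {
    val=$(tr -d ' \n' < "$1" 2>/dev/null)
    case "$val" in
        1) echo on ;;
        0) echo off ;;
        *) echo unset ;;
    esac
}

# audit_ip_forward SYSCONFIG PROCFILE ROLE
# ROLE is "gateway" (forwarding expected on) or "server" (expected off).
# Returns 0 when both the boot setting and the live value match the role,
# 1 otherwise, printing one line per finding.
audit_ip_forward() {
    boot=$(sysconfig_forward_setting "$1")
    live=$(proc_forward_setting "$2")
    case "$3" in
        gateway) want=on ;;
        server)  want=off ;;
        *) echo "unknown role: $3" >&2; return 2 ;;
    esac
    rc=0
    if [ "$boot" != "$want" ]; then
        echo "FORWARD_IPV4 is '$boot' in $1; expected '$want' for a $3"
        rc=1
    fi
    if [ "$live" != "$want" ]; then
        echo "ip_forward is '$live' in $2; expected '$want' for a $3"
        rc=1
    fi
    if [ "$boot" != "$live" ]; then
        echo "boot setting ($boot) and live value ($live) disagree; a reboot will change behaviour"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "ip forwarding is consistent for a $3"
    fi
    return "$rc"
}

# Demonstration on constructed sample files standing in for the real
# /etc/sysconfig/network and /proc/sys/net/ipv4/ip_forward: a gateway
# where someone ran "echo 1 > /proc/sys/net/ipv4/ip_forward" by hand but
# never changed FORWARD_IPV4 in the network file.
demo_ip_forward_audit() {
    dir=$(mktemp -d)
    printf 'NETWORKING=yes\nHOSTNAME=deep\nFORWARD_IPV4=false\n' > "$dir/network"
    printf '1\n' > "$dir/ip_forward"
    if audit_ip_forward "$dir/network" "$dir/ip_forward" gateway; then
        status=0
    else
        status=$?
    fi
    echo "exit status: $status"
    rm -rf "$dir"
}

demo_ip_forward_audit
```

On a real machine you would call audit_ip_forward /etc/sysconfig/network /proc/sys/net/ipv4/ip_forward gateway (or server) from a cron job or a post-install check; the non-zero exit status makes it easy to hook into whatever alerting you already have. The third check, boot setting versus live value, is the one that catches the "I fixed it with echo 1 > /proc and forgot the network file" case, where the gateway silently stops forwarding at the next reboot.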
Some Points to Consider
You can safely assume that you are potentially at risk if you connect your system to the Internet.
Your gateway to the Internet is your greatest exposure, so we recommend the following:
· The gateway should not run any more applications than are absolutely necessary.
· The gateway should strictly limit the type and number of protocols allowed to flow through
it (protocols such as FTP and telnet potentially provide security holes).
· Any system containing confidential or sensitive information should not be directly
accessible from the Internet.
Configuration of the /etc/rc.d/init.d/firewall script file for the Gateway Server
This is the configuration script file for our Gateway Server machine. By default, this configuration
allows unlimited traffic on the Loopback interface, ICMP, DNS Server and Client (53), SSH Server and
Client (22), HTTP Server and Client (80), HTTPS Server and Client (443), POP Client (110),
NNTP NEWS Client (119), SMTP Server and Client (25), IMAP Server (143), IRC Client (6667),
ICQ Client (4000), FTP Client (20, 21), RealAudio / QuickTime Client, and OUTGOING
TRACEROUTE requests.