Linux Firewalls / Edition 3


Overview

An Internet-connected Linux machine is in a high-risk situation. Linux Firewalls, Third Edition details the security steps that an implementation of any size, from home use to enterprise level, can take to protect itself from remote attackers. As with the first two editions, this book is especially useful for its explanations of iptables, packet filtering, and firewall optimization, along with some advanced concepts, including customizing the Linux kernel to enhance security. The third edition, while distribution neutral, has been updated for the current Linux kernel and provides code examples for Red Hat, SUSE, and Debian implementations. Don't miss out on the third edition of the critically acclaimed Linux Firewalls.


Product Details

  • ISBN-13: 9780672327711
  • Publisher: Sybex, Incorporated
  • Publication date: 9/14/2005
  • Series: Novell Press Series
  • Edition description: REV
  • Edition number: 3
  • Pages: 552
  • Sales rank: 1,023,207
  • Product dimensions: 5.98 (w) x 8.89 (h) x 1.26 (d)

Meet the Author

Steve Suehring is the Linux Security Editor for Linux World Magazine and uses firewalls and firewall technologies on a variety of Linux systems.

A renowned firewall architect and consultant, Bob Ziegler has worked for companies such as Nokia, where he collaborated with router and access groups. He is well known as the author of the two previous editions of Linux Firewalls (0735709009 and 0735710996). Ziegler operates a firewall resource site, www.linux-firewall-tools/linux, to share his design skills and evaluations of tools.


Read an Excerpt

Introduction

This book is essentially about creating a software-based firewall using Netfilter and iptables in the Linux operating system. Beyond the basics of a firewall, this book also looks at the firewall in the context of a networked computing environment. To that end, topics such as intrusion detection and system security are also covered.

Computer security is an expansive subject area. Volumes have been written about it and volumes will continue to be written about it. Computer security is centered around protection of data assets using three principles: confidentiality, integrity, and availability. Confidentiality means that data is accessible only by those who are authorized to access the data and no one else. Integrity ensures that the data is verifiably good and is not tainted. Availability means that the data can be accessed when it needs to be accessed. These three principles guide the discussion of computer security and provide the framework for this book.

In addition to the three principles of confidentiality, integrity, and availability, I subscribe to an in-depth, risk-assessed approach to computer security. This means that I don't consider any single measure to be the endpoint of securing data; rather, each item, such as a firewall or antivirus software, plays one role in securing it. However, there is a cost involved with each measure of security. Therefore, each additional measure or layer of security must be assessed to ensure that the cost of that layer doesn't exceed the benefit of being protected from that risk.

Consider this example: I use two firewalls, a choke and gateway (see Chapter 6, "Packet Forwarding"), for my home network. I consider the benefit of having a dual-firewall approach to outweigh the cost of operating and maintaining the firewalls. Other people use a single firewall or no firewall at all. They consider the risk of their data or systems being unavailable or attacked to be less costly than running a dual-firewall setup or even a single firewall for some. Many more examples of this cost/benefit assessment could be done. Unfortunately, this analysis is often overlooked for many areas of security, not just computer security. For more information on this type of analysis and a good read on top of it, see Bruce Schneier's works Secrets and Lies and Beyond Fear.

The Purpose of This Book

The goal of this book is to give the reader enough information that they may configure a firewall using iptables in Linux. A secondary goal is to educate the reader about system and network security. However, because this isn't a book on system and network security, those topics are indeed secondary even though they do consume a large portion of the book. There are also topics in this book that I haven't seen (yet) in other books to any great degree.

You are reading the third revision of this book and the first revision with a new author, Steve Suehring. Bob Ziegler wrote the original material and also revised the work into its second revision in 2001. Bob did an excellent job and I've built upon his solid foundation to bring you the third revision. In addition, the previous revision had some material contributed by Carl B. Constantine. You'll find Carl's contribution, though updated, in Appendix C of this revision, "VPNs."

I learned much of what I know about Linux security while working at an Internet service provider (ISP), beginning in 1995. Resisting the temptation to recite a "back when I was young" tale, I'll just say that most of what I learned was done with security in mind. It had to be. By definition, at an ISP you must run publicly available services, and those services must be available 24x7. Having publicly available services means that there's a constant threat (and frequent execution) of attacks against the network and the systems therein. If we hadn't considered security to be central to our operation, we simply could not have ensured the reliability that our customers demanded, nor could we have guaranteed the integrity of the data that we housed. None of this takes into account the general lack of security tools, software, and books like this back in 1995, either.

That background also helps to answer the question "Why Linux?" The answer was and is quite simple: Linux and open-source tools were the only solution when I was tasked with solving these problems. There simply was no other way to provide Internet services with anywhere near the reliability that Linux and open-source software provided. No other operating system provided the same reliability and security while at the same time keeping down the Total Cost of Ownership (TCO). The same can largely be said today. As a purely technological decision, Linux wins. Factor in TCO and the picture only gets better for Linux and open-source software, regardless of the results from funded and paid studies. Why Linux? Because it works.

Who Should Read This Book

I've usually found these "Who Should Read This Book" sections to be somewhat useless simply because the goal is to get you to think that you should read the book. Therefore, to satisfy the publisher I'll tell you that everyone should read this book. In fact, everyone should read this book multiple times, buying a separate copy each time.

In all seriousness, I can't tell you whether you should be reading this book, but I can tell you about the book.

This book assumes that you have already chosen a Linux distribution and that you've already installed it. This book also assumes that you're not looking for an introductory "HOWTO" on Linux or *nix security such as the chmod command. There are many great resources about those topics already, many of them on the Internet, and I feel as though coverage of those issues gets away from the focus of this book. However, this book does deal rather extensively with introductory material on network security, packet filtering, and the layers in the OSI model (if you're unfamiliar with the OSI model, it's explained in the book).

This book tries to be helpful to those who know nothing about firewalls as well as to those who know a bit about Linux and Linux security but want to carry that to the next level. This book could be used successfully by home users and enterprise security administrators alike.

To get the most out of this book, you should be comfortable with, or at least not afraid of, the Linux command line, or shell. You should know how to move about in the file system and perform basic shell commands.

Linux Distribution

Linux and open-source books need to be more distribution neutral or cover more than one distribution. This book does both. A Linux firewall is built using the iptables firewall administration program on top of the Netfilter core software that resides in the Linux kernel. As such, the Linux distribution you choose is largely irrelevant. The book does, however, cover some commands and issues as seen through the eyes of SUSE, Red Hat/Fedora, and Debian. Yes, there are other distributions, many of them very good. Favoring those three distributions is certainly not meant to take away from any other distribution.

The second edition of this book covered only Red Hat. However, I undertook an effort early on in the revision process to remove the distribution-centric tone where it did show up. This was not done to intentionally favor any one distribution or to reject another. Rather, this was a pragmatic decision to provide material applicable to a larger audience and to prevent confusion as to file and command locations if you don't happen to be using the same distribution as the author.

Errors in This Book

Although every effort is made to check facts and figures, files and syntax, some errors will inevitably slip through the writing, technical editing, copyediting, and review process. Let me apologize in advance for any such errors as exist within these pages. I invite the reader to visit my web site at http://www.braingia.org/ for updates and other information about this book. I also invite you to send me feedback at steve.suehring@braingia.com. Although I can't guarantee that I'll have the answer, I will definitely try to respond and point you in the right direction.

Companion Website

Visit http://www.braingia.org/ for up-to-date information on this book and links to interesting security articles. Included on the website are the latest versions of some of the same scripts you'll see within the text.

© Copyright Pearson Education. All rights reserved.


Table of Contents

Introduction.

The Purpose of This Book.

Who Should Read This Book.

Linux Distribution.

Errors in This Book.

Companion Website.

I. PACKET-FILTERING AND BASIC SECURITY MEASURES.

1. Preliminary Concepts Underlying Packet-Filtering Firewalls.

The OSI Networking Model.

Connectionless Versus Connection-Oriented Protocols.

Next Steps.

The IP.

IP Addressing and Subnetting.

IP Fragmentation.

Broadcasting and Multicasting.

ICMP.

Transport Mechanisms.

UDP.

TCP.

Don’t Forget ARP.

Hostnames and IP Addresses.

IP Addresses and Ethernet Addresses.

Routing: Getting a Packet from Here to There.

Service Ports: The Door to the Programs on Your System.

A Typical TCP Connection: Visiting a Remote Website.

Summary.

2. Packet-Filtering Concepts.

A Packet-Filtering Firewall.

Choosing a Default Packet-Filtering Policy.

Rejecting Versus Denying a Packet.

Filtering Incoming Packets.

Remote Source Address Filtering.

Local Destination Address Filtering.

Remote Source Port Filtering.

Local Destination Port Filtering.

Incoming TCP Connection-State Filtering.

Probes and Scans.

Denial-of-Service Attacks.

Source-Routed Packets.

Filtering Outgoing Packets.

Local Source Address Filtering.

Remote Destination Address Filtering.

Local Source Port Filtering.

Remote Destination Port Filtering.

Outgoing TCP Connection-State Filtering.

Private Versus Public Network Services.

Protecting Nonsecure Local Services.

Selecting Services to Run.

Summary.

3. iptables: The Linux Firewall Administration Program.

Differences Between IPFW and Netfilter Firewall Mechanisms.

IPFW Packet Traversal.

Netfilter Packet Traversal.

Basic iptables Syntax.

iptables Features.

NAT Table Features.

mangle Table Features.

iptables Syntax.

filter Table Commands.

filter Table Target Extensions.

filter Table Match Extensions.

NAT Table Target Extensions.

mangle Table Commands.

Summary.

4. Building and Installing a Standalone Firewall.

iptables: The Linux Firewall Administration Program.

Build Versus Buy: The Linux Kernel.

Source and Destination Addressing Options.

Initializing the Firewall.

Symbolic Constants Used in the Firewall Examples.

Enabling Kernel-Monitoring Support.

Removing Any Preexisting Rules.

Resetting Default Policies and Stopping the Firewall.

Enabling the loopback Interface.

Defining the Default Policy.

Stealth Scans and TCP State Flags.

Using Connection State to Bypass Rule Checking.

Source Address Spoofing and Other Bad Addresses.

Protecting Services on Assigned Unprivileged Ports.

Common Local TCP Services Assigned to Unprivileged Ports.

Common Local UDP Services Assigned to Unprivileged Ports.

Enabling Basic, Required Internet Services.

Allowing DNS (UDP/TCP Port 53).

Filtering the AUTH User Identification Service (TCP Port 113).

Enabling Common TCP Services.

Email (TCP SMTP Port 25, POP Port 110, IMAP Port 143).

Accessing Usenet News Services (TCP NNTP Port 119).

Telnet (TCP Port 23).

SSH (TCP Port 22).

FTP (TCP Ports 21, 20).

Web Services.

Whois (TCP Port 43).

RealAudio, RealVideo, and QuickTime (TCP Ports 554 and 7070).

Enabling Common UDP Services.

traceroute (UDP Port 33434).

Accessing Your ISP’s DHCP Server (UDP Ports 67, 68).

Accessing Remote Network Time Servers (UDP Port 123).

Filtering ICMP Control and Status Messages.

Error Status and Control Messages.

ping Echo Request (Type 8) and Echo Reply (Type 0) Control Messages.

Logging Dropped Incoming Packets.

Logging Dropped Outgoing Packets.

Denying Access to Problem Sites Up Front.

Installing the Firewall.

Tips for Debugging the Firewall Script.

Starting the Firewall on Boot with Red Hat and SUSE.

Starting the Firewall on Boot with Debian.

Installing a Firewall with a Dynamic IP Address.

Summary.

II. ADVANCED ISSUES, MULTIPLE FIREWALLS, AND PERIMETER NETWORKS.

5. Firewall Optimization.

Rule Organization.

Begin with Rules That Block Traffic on High Ports.

Use the State Module for ESTABLISHED and RELATED Matches.

Consider the Transport Protocol.

Place Firewall Rules for Heavily Used Services as Early as Possible.

Use the Multiport Module to Specify Port Lists.

Use Traffic Flow to Determine Where to Place Rules for Multiple Network Interfaces.

User-Defined Chains.

Optimized Example.

User-Defined Chains in the Script.

Firewall Initialization.

Installing the Chains.

Building the User-Defined EXT-input and EXT-output Chains.

tcp-state-flags.

connection-tracking.

local_dhcp_client_query and remote_dhcp_server_response.

source-address-check.

destination-address-check.

Logging Dropped Packets.

What Did Optimization Buy?

Summary.

6. Packet Forwarding.

The Limitations of a Standalone Firewall.

Basic Gateway Firewall Setups.

LAN Security Issues.

Configuration Options for a Trusted Home LAN.

LAN Access to the Gateway Firewall.

LAN Access to Other LANs: Forwarding Local Traffic Among Multiple LANs.

Configuration Options for a Larger or Less Trusted LAN.

Dividing Address Space to Create Multiple Networks.

Selective Internal Access by Host, Address Range, or Port.

A Formal Screened-Subnet Firewall Example.

Symbolic Constants Used in the Firewall Examples.

Setting the Stage on the Choke Firewall.

Removing Any Preexisting Rules from the Choke Firewall.

Defining the Choke Firewall’s Default Policy.

Enabling the Choke Machine’s Loopback Interface.

Stealth Scans and TCP State Flags.

Using Connection State to Bypass Rule Checking.

Source-Address Spoofing and Other Bad Addresses.

Filtering ICMP Control and Status Messages.

Enabling DNS (UDP/TCP Port 53).

Filtering the AUTH User Identification Service (TCP Port 113).

Email (TCP SMTP Port 25, POP3 Port 110, IMAP Port 143).

Accessing Usenet News Services (TCP NNTP Port 119).

Telnet (TCP Port 23).

SSH (TCP Port 22).

FTP (TCP Ports 21 and 20).

Web Services.

Choke as a Local DHCP Server (UDP Ports 67 and 68).

Logging.

Converting the Gateway from Local Services to Forwarding.

Summary.

7. NAT—Network Address Translation.

The Conceptual Background of NAT.

iptables NAT Semantics.

Source NAT.

Destination NAT.

Examples of SNAT and Private LANs.

Masquerading LAN Traffic to the Internet.

Applying Standard NAT to LAN Traffic to the Internet.

Examples of DNAT, LANs, and Proxies.

Host Forwarding.

Host Forwarding and Port Redirection.

Host Forwarding to a Server Farm.

Host Forwarding to Servers in a Privately Addressed DMZ.

Local Port Redirection—Transparent Proxying.

Summary.

8. Debugging the Firewall Rules.

General Firewall-Development Tips.

Listing the Firewall Rules.

filter Table Listing Formats.

nat Table Listing Formats.

mangle Table Listing Formats.

Checking the Input, Output, and Forwarding Rules.

Checking the Input Rules.

Checking the Output Rules.

Checking the Forwarding Rules.

Interpreting the System Logs.

syslog Configuration.

Firewall Log Messages: What Do They Mean?

Checking for Open Ports.

netstat -a [ -n -p -A inet ].

Checking a Process Bound to a Particular Port with fuser.

strobe.

nmap.

Summary.

III. BEYOND IPTABLES.

9. Intrusion Detection and Response.

Detecting Intrusions.

Symptoms Suggesting That the System Might Be Compromised.

System Log Indications.

System Configuration Indications.

Filesystem Indications.

User Account Indications.

Security Audit Tool Indications.

System Performance Indications.

What to Do If Your System Is Compromised.

Incident Reporting.

Why Report an Incident?

What Kinds of Incidents Might You Report?

To Whom Do You Report an Incident?

What Information Do You Supply?

Where Do You Find More Information?

Summary.

10. Intrusion Detection Tools.

Intrusion Detection Toolkit: Network Tools.

Switches and Hubs and Why You Care.

Sniffer Placement.

ARPWatch.

Rootkit Checkers.

Running Chkrootkit.

What If Chkrootkit Says the Computer Is Infected?

Limitations of Chkrootkit and Similar Tools.

Using Chkrootkit Securely.

When Should Chkrootkit Be Run?

Filesystem Integrity.

Log Monitoring.

Swatch.

How to Not Become Compromised.

Secure Often.

Update Often.

Test Often.

Summary.

11. Network Monitoring and Attack Detection.

Listening to the Ether.

Three Valuable Tools.

TCPDump: A Simple Overview.

Obtaining and Installing TCPDump.

TCPDump Options.

TCPDump Expressions.

Beyond the Basics with TCPDump.

Using TCPDump to Capture Specific Protocols.

Using TCPDump in the Real World.

Attacks Through the Eyes of TCPDump.

Recording Traffic with TCPDump.

Automated Intrusion Monitoring with Snort.

Obtaining and Installing Snort.

Configuring Snort.

Testing Snort.

Receiving Alerts.

Final Thoughts on Snort.

Monitoring with ARPWatch.

Summary.

12. Filesystem Integrity.

Filesystem Integrity Defined.

Practical Filesystem Integrity.

Installing AIDE.

Configuring AIDE.

Creating an AIDE Configuration File.

A Sample AIDE Configuration File.

Initializing the AIDE DB.

Scheduling AIDE to Run Automatically.

Monitoring AIDE for Bad Things.

Cleaning Up the AIDE Database.

Changing the Output of the AIDE Report.

Obtaining More Verbose Output.

Defining Macros in AIDE.

The Types of AIDE Checks.

Summary.

13. Kernel Enhancements.

Security Enhanced Linux.

SELinux Architecture.

Greater Security with GrSecurity.

A Quick Look Around the Kernel.

What’d You Call That?

What’s Your Number?

The Kernel: From 20,000 Feet.

To Patch or Not to Patch.

Enhanced Security Without Grsec.

Using a GrSecurity Kernel.

Downloading Grsec and a Fresh Kernel.

Compiling Your First Kernel.

Improving the Kernel Build.

GrSecurity.

Applying the Grsec Patch.

Choosing Grsec Features.

Building the Grsec Kernel.

Beyond the Basics with GrSecurity.

Conclusion: Custom Kernels.

IV. APPENDICES.

Appendix A. Security Resources.

Security Information Sources.

Reference Papers and FAQs.

Books.

Appendix B. Firewall Examples and Support Scripts.

iptables Firewall for a Standalone System from Chapter 4.

Optimized iptables Firewall from Chapter 5.

iptables Firewall for a Choke Firewall from Chapter 6.

Appendix C. VPNs.

Overview of Virtual Private Networks.

VPN Protocols.

PPTP.

IPSec.

Linux and VPN Products.

Openswan.

FreeS/WAN.

Virtual Private Network Daemon.

PPTP Linux Solutions.

Virtual Tunnel.

VPN Configurations.

Roaming User.

Connecting Networks.

VPN and Firewalls.

Summary.

Appendix D. Glossary.



Customer Reviews

  • Anonymous

    Posted October 24, 2005

    Excellent addition to the SysAdmin's bookshelf

    If you are a system or network administrator, then you're concerned about security. If you're concerned about security, then you will want a copy of 'Linux Firewalls' handy. In spite of its title, 'Linux Firewalls' is about more than just firewalling. After introductory material about firewalls, and how packet-filtering firewalls work, Suehring and Ziegler dive into creating firewalls with iptables: enabling services, blocking attacks, optimizing firewall rules, etc. They spend a decent amount of time looking at forwarding and NAT. They demonstrate some possible network setups of varying complexity, and show how to write iptables rules for those environments. The remaining third of the book explores other security tools, such as TCPDump, Snort, and AIDE. Kernel 'enhancements' SELinux and GrSecurity are discussed briefly. If that sounds like a lot of material to cover, it is. The book weighs in at over 500 pages, but it's laid out such that it's pretty easy to get to the information you need quickly. The authors have done a good job presenting such a large amount of material in a clear, easy-to-grasp fashion. Also, the book includes links to further resources in highlighted boxes in the text, and collected in an appendix, if you need to go into greater depth on a particular topic.

    The book is full of useful tips. For example, in the discussion of the LOG target, they explain the technique for extracting the iptables messages from the noise in /var/log/messages and directing them to their own log. This is a question that comes up repeatedly on the iptables mailing list. The trick is to use the '--log-level' switch and configure syslog to write items that come through with the specified log-level to a separate log. You still get the occasional false positive this way, but it sure beats slogging through all the noise in /var/log/messages.

    I do have a couple of criticisms to make of the book. For example, to start the firewall at boot time, the authors recommend either using the 'iptables save' function (Red Hat), or adding a line to rc.local. The problem with the former is that 'iptables save' is, as the authors point out, not terribly reliable. Furthermore, if you're using a script to generate your firewall rules, then your rules are already saved. The problem with rc.local is that then the firewall will start after the network is up and services are listening. I prefer to write an init script and use the chkconfig utility (Red Hat/SuSE) to bring up the firewall rules before the network. The biggest omission from the book is any information on bridge firewalls. A bridge can be very useful for putting a transparent firewall onto your network. I am surprised that there is not even a mention of bridging, or ebtables (the userspace bridge tools), since bridging is now part of the standard kernel. Iptables can also be made to work with the bridge module. Pointing out this omission may not be a completely fair criticism: I have yet to see a firewall book that covers bridging with Linux and ebtables (or iptables). Nonetheless, 'Linux Firewalls' is a very nice addition to my library. This book will live either on my desk, or on any easily-accessed shelf nearby.

    DISCLOSURE: The publisher sent me a copy of this book for review.

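The two practical points in the review above, logging dropped packets at a dedicated syslog level so they can be filed away from /var/log/messages, and loading the rules from an init script that chkconfig orders ahead of the network, as an added example. This script is not from the book or from the reviewer; the /sbin/iptables path, the LOG_DROP chain name, the "FW-DROP: " prefix, the /var/log/iptables.log destination and the chkconfig start priority are all assumptions chosen for illustration. Set IPT=echo to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not from the book or the reviewer): dropped packets are logged
# through a dedicated chain at a syslog level that little else in the kernel uses,
# so syslog can route them to their own file.
#
# Red Hat/SUSE chkconfig header. Assumption: start priority 08 sorts before the
# network script on the target distribution; confirm in /etc/rc.d/rc3.d/ before
# relying on it.
# chkconfig: 2345 08 92
# description: iptables firewall rules

IPT=${IPT:-/sbin/iptables}      # assumed path; IPT=echo dry-runs the rule set
FW_LEVEL=${FW_LEVEL:-debug}     # syslog level 7: iptables' default is warning (4)
FW_PREFIX="FW-DROP: "           # assumed prefix; makes the entries greppable

# Build a LOG_DROP chain: a rate-limited LOG (so a flood cannot fill the disk),
# then DROP. Creating the chain fails if it already exists; flush it instead.
fw_log_chain() {
    $IPT -N LOG_DROP 2>/dev/null || $IPT -F LOG_DROP
    $IPT -A LOG_DROP -m limit --limit 5/min --limit-burst 10 \
         -j LOG --log-level "$FW_LEVEL" --log-prefix "$FW_PREFIX"
    $IPT -A LOG_DROP -j DROP
}

# Send whatever INPUT did not match an accept rule through LOG_DROP rather than
# letting the bare default policy discard it silently.
fw_use_log_chain() {
    $IPT -A INPUT -j LOG_DROP
}

# Emit the syslog.conf line that files kernel messages at exactly FW_LEVEL into
# their own log. The leading '-' asks sysklogd not to fsync after every line.
fw_syslog_conf() {
    printf 'kern.=%s\t-/var/log/iptables.log\n' "$FW_LEVEL"
}

# Run as an init script: "start" loads the rules, "syslog" prints the config line.
case "${1:-}" in
    start)  fw_log_chain; fw_use_log_chain ;;
    syslog) fw_syslog_conf ;;
esac
```

The usual /var/log/messages selector is *.info, which does not pass debug-level entries, so with this setup the firewall lines land only in /var/log/iptables.log; if your messages selector does include debug, add kern.!=debug to it. The false positives the reviewer mentions are other kernel messages emitted at the same level; grep for the prefix if you need a clean feed.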