| author | Holger Dengler <dengler@linutronix.de> | 2018-01-17 15:50:22 +0100 |
|---|---|---|
| committer | John Ogness <john.ogness@linutronix.de> | 2018-04-18 16:51:19 +0200 |
| commit | 68b181e1a4cb9fc08484352c54b64c1fd9b09ca3 (patch) | |
| tree | 0e443ead4e01263d1ffdd412bf61598f0e73e6b4 /security/firewall_ex/pres_ex_firewall.tex | |
| parent | 4150079640c012551c61cc60baea2ae111e139ff (diff) | |
security: firewall_ex: move content to a separate file
Signed-off-by: Holger Dengler <dengler@linutronix.de>
Diffstat (limited to 'security/firewall_ex/pres_ex_firewall.tex')
| -rw-r--r-- | security/firewall_ex/pres_ex_firewall.tex | 301 |
1 files changed, 2 insertions, 299 deletions
diff --git a/security/firewall_ex/pres_ex_firewall.tex b/security/firewall_ex/pres_ex_firewall.tex
index 89d2b36..e4fad99 100644
--- a/security/firewall_ex/pres_ex_firewall.tex
+++ b/security/firewall_ex/pres_ex_firewall.tex
@@ -2,309 +2,12 @@ \subsection{Firewall Examples} +% ---------------------------- \title{Example Firewall} \maketitle % ---------------------------- -\subsubsection{Initialization} - -\begin{frame}[fragile] -\frametitle{iptables config} -\begin{itemize} -\item Create and change to new directory ex\_ipt -\item Get root (su) -\item Print current iptables configuration (iptables) -\item Save current configuration (iptables-save) -\item Reset iptables configuration (iptables) -\end{itemize} - -\pause - -\begin{beamerboxesrounded}[shadow=true]{Solution:} -\begin{scriptsize} -\begin{verbatim} -mkdir ex_ipt -cd ex_ipt -su -iptables -L -iptables-save > start.conf -iptables -X -iptables -F -iptables -Z -\end{verbatim} -\end{scriptsize} -\end{beamerboxesrounded} -\end{frame} - -% ---------------------------- -\subsubsection{Policy} - -\begin{frame}[fragile] -\frametitle{Default Policy} -\begin{itemize} -\item Drop all incoming, outgoing and forwarding traffic -\item Save this default policies to file -\item Reset iptables and restore saved config -\end{itemize} - -\pause - -\begin{beamerboxesrounded}[shadow=true]{Solution:} -\begin{scriptsize} -\begin{verbatim} -iptables -P INPUT DROP -iptables -P OUTPUT DROP -iptables -P FORWARD DROP -iptables-save > step1 -iptables -F -iptables-restore < step1 -\end{verbatim} -\end{scriptsize} -\end{beamerboxesrounded} -\end{frame} - -% ---------------------------- -\subsubsection{User-defined Chains} - -\begin{frame}[fragile] -\frametitle{LOGDROP} -\begin{itemize} -\item From now on, edit stepX file and load with iptables-restore -\item Create new Chain LOGDROP -\item Log and drop INPUT and OUTPUT traffic with new chain -\item Check with ping -\end{itemize} - -\pause - -\begin{beamerboxesrounded}[shadow=true]{Solution:} -\begin{scriptsize} -\begin{verbatim} -# New chain -:LOGDROP - [0:0] --A LOGDROP -m limit --limit 2/min -j LOG --log-prefix "LOGDROP: " --A LOGDROP -j DROP - -# Catch all falling through --A INPUT -i eth0 -j LOGDROP --A 
OUTPUT -o eth0 -j LOGDROP -\end{verbatim} -\end{scriptsize} -\end{beamerboxesrounded} -\end{frame} - -% ---------------------------- -\subsubsection{Traffic Filter} - -\begin{frame}[fragile] -\frametitle{Allow loopback traffic} -\begin{itemize} -\item Allow INPUT and OUTPUT traffic on interface lo -\end{itemize} - -\pause - -\begin{beamerboxesrounded}[shadow=true]{Solution:} -\begin{scriptsize} -\begin{verbatim} -# loopback --A INPUT -i lo -j ACCEPT --A OUTPUT -o lo -j ACCEPT -\end{verbatim} -\end{scriptsize} -\end{beamerboxesrounded} -\end{frame} - -% ---------------------------- -\begin{frame}[fragile] -\frametitle{DNS} -\begin{itemize} -\item Allow DNS requests from this machine (UDP, Port 53) -\item Allow DNS responses -\end{itemize} - -\pause - -\begin{beamerboxesrounded}[shadow=true]{Solution:} -\begin{scriptsize} -\begin{verbatim} -# DNS --A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT --A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT -\end{verbatim} -\end{scriptsize} -\end{beamerboxesrounded} -\end{frame} - -% ---------------------------- -\begin{frame}[fragile] -\frametitle{ICMP} -\begin{itemize} -\item Allow simple ping requests (icmp-type 0 and 8) -\item Limit to 2 requests per second -\end{itemize} - -\pause - -\begin{beamerboxesrounded}[shadow=true]{Solution:} -\begin{scriptsize} -\begin{verbatim} -# PING limited accept --A INPUT -p icmp --icmp-type 0 -m limit --limit 2/s -j ACCEPT --A INPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT --A INPUT -p icmp -j DROP -# Limit outgoing PING as well --A OUTPUT -p icmp --icmp-type 0 -m limit --limit 2/s -j ACCEPT --A OUTPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT --A OUTPUT -p icmp -j DROP -\end{verbatim} -\end{scriptsize} -\end{beamerboxesrounded} -\end{frame} - -% ---------------------------- -\begin{frame}[fragile] -\frametitle{Established Connections} -\begin{itemize} -\item Allow INPUT and OUTPUT traffic for all ESTABLISHed connections -\item Remove 
obsolete rules (DNS) -\end{itemize} - -\pause - -\begin{beamerboxesrounded}[shadow=true]{Solution:} -\begin{scriptsize} -\begin{verbatim} -# Allow established connections in and out --A INPUT -m state --state ESTABLISHED -j ACCEPT --A OUTPUT -m state --state ESTABLISHED -j ACCEPT -[...] -# DNS --A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -# -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT -\end{verbatim} -\end{scriptsize} -\end{beamerboxesrounded} -\end{frame} - -% ---------------------------- -\begin{frame}[fragile] -\frametitle{Log new connections} -\begin{itemize} -\item Create new Chain LOGNEW\_ACCEPT -\item New Connections should be logged with prefix ''New: '' -\item Traffic should be accepted -\end{itemize} - -\pause - -\begin{beamerboxesrounded}[shadow=true]{Solution:} -\begin{scriptsize} -\begin{verbatim} -# LOGNEW_ACCEPT Chain -:LOGNEW_ACCEPT - [0:0] --A LOGNEW_ACCEPT -m state --state NEW -j LOG --log-prefix "New: " --A LOGNEW_ACCEPT -j ACCEPT -\end{verbatim} -\end{scriptsize} -\end{beamerboxesrounded} -\end{frame} - -% ---------------------------- -\begin{frame}[fragile] -\frametitle{Log new DNS connections} -\begin{itemize} -\item Log new DNS connection with rule LOGNEW\_ACCEPT -\end{itemize} - -\pause - -\begin{beamerboxesrounded}[shadow=true]{Solution:} -\begin{scriptsize} -\begin{verbatim} -# DNS --A OUTPUT -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED \ - -j LOGNEW_ACCEPT -\end{verbatim} -\end{scriptsize} -\end{beamerboxesrounded} -\end{frame} - -% ---------------------------- -\subsubsection{Summary} - -\begin{frame}[fragile] -\frametitle{Full example with Ping, DNS, and SSH} -\begin{scriptsize} -\begin{verbatim} -# Generated by iptables-save v1.4.14 on Sat Apr 6 19:47:41 2013 -*filter -:INPUT DROP [0:0] -:FORWARD DROP [0:0] -:OUTPUT DROP [0:0] - -# New chain -:LOGDROP - [0:0] --A LOGDROP -m limit --limit 2/min -j LOG --log-prefix "LOGDROP: " --A LOGDROP -j DROP - -# DNS Chain -:LOGNEW_ACCEPT 
- [0:0] --A LOGNEW_ACCEPT -m state --state NEW -j LOG --log-prefix "New: " --A LOGNEW_ACCEPT -j ACCEPT -\end{verbatim} -\end{scriptsize} -\end{frame} - -% ---------------------------- -\begin{frame}[fragile] -\frametitle{Full example with Ping, DNS, and SSH} -\begin{scriptsize} -\begin{verbatim} -# loopback --A INPUT -i lo -j ACCEPT --A OUTPUT -o lo -j ACCEPT - -# PING limited accept --A INPUT -p icmp --icmp-type 0 -m limit --limit 2/s -j ACCEPT --A INPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT --A INPUT -p icmp -j LOGDROP --A OUTPUT -p icmp --icmp-type 0 -m limit --limit 2/s -j ACCEPT --A OUTPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT --A OUTPUT -p icmp -j LOGDROP - -# Allow established connections in and out --A INPUT -m state --state ESTABLISHED -j ACCEPT --A OUTPUT -m state --state ESTABLISHED -j ACCEPT -\end{verbatim} -\end{scriptsize} -\end{frame} - -% ---------------------------- -\begin{frame}[fragile] -\frametitle{Full example with Ping, DNS, and SSH} -\begin{scriptsize} -\begin{verbatim} -# DNS --A OUTPUT -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED \ - -j LOGNEW_ACCEPT - -# Outgoing SSH --A OUTPUT -p tcp --dport ssh --sport 1024:65535 -m state --state NEW,ESTABLISHED \ - -j LOGNEW_ACCEPT - -# Incoming SSH --A INPUT -p tcp --dport ssh -m state --state NEW,ESTABLISHED -j LOGNEW_ACCEPT - -# Catch all falling through --A INPUT -i eth0 -j LOGDROP --A OUTPUT -o eth0 -j LOGDROP - -COMMIT -# Completed on Sat Apr 6 19:47:41 2013 -\end{verbatim} -\end{scriptsize} -\end{frame} +\input{frm_ex_firewall} % ---------------------------- \subsection{} |
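Review bot: The added `\input{frm_ex_firewall}` is resolved against the directory LaTeX is run from (and TEXINPUTS), not against the directory of pres_ex_firewall.tex, so if this file is itself pulled into a top-level deck from another directory the moved frames will not be found; in that case the path should be `\input{security/firewall_ex/frm_ex_firewall}`, or `\subimport{security/firewall_ex/}{frm_ex_firewall}` from the `import` package if the project already uses it. A short comment next to the line, e.g. `% exercise frames live in frm_ex_firewall.tex`, would tell a reader why this file is now almost empty. The new file is not in this diffstat, so the exercise solutions cannot be checked here; if they were moved verbatim, note that the `LOGNEW_ACCEPT` chain logs every NEW connection without an `-m limit` clause, unlike `LOGDROP`, which lets any remote host flood the log by spamming SYNs to the SSH port — a `-m limit --limit 2/min` on that LOG rule (or a caveat on the slide) belongs in the new file.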
