Diffstat (limited to 'security/examples')
| -rw-r--r-- | security/examples/Kconfig | 13 | ||||
| -rw-r--r-- | security/examples/Makefile | 1 | ||||
| -rw-r--r-- | security/examples/pres_ex_firewall.tex | 315 |
3 files changed, 0 insertions, 329 deletions
diff --git a/security/examples/Kconfig b/security/examples/Kconfig
deleted file mode 100644
index 43350ef..0000000
--- a/security/examples/Kconfig
+++ /dev/null
@@ -1,13 +0,0 @@
-menuconfig SECURITY_EX
- bool "Security Examples"
-
-if SECURITY_EX
-
-config SECURITY_EX_FW
- bool "Linux Firewall Example"
- default y
- help
- Content:
- - Example for Firewall
-
-endif
diff --git a/security/examples/Makefile b/security/examples/Makefile
deleted file mode 100644
index d834f36..0000000
--- a/security/examples/Makefile
+++ /dev/null
@@ -1 +0,0 @@
-obj-$(CONFIG_SECURITY_EX_FW) += pres_ex_firewall.pdf
diff --git a/security/examples/pres_ex_firewall.tex b/security/examples/pres_ex_firewall.tex
deleted file mode 100644
index e6bc755..0000000
--- a/security/examples/pres_ex_firewall.tex
+++ /dev/null
@@ -1,315 +0,0 @@ -\def\lximg{/usr/share/lx/icons/fueller.png} - -\input{configpres} - -\subsection{Firewall Examples} - -\title{Example Firewall} -\maketitle - -\def\lximg{none} - -% ---------------------------- -\subsubsection{Initialization} - -\begin{frame}[fragile] -\frametitle{iptables config} -\begin{itemize} -\item Create and change to new directory ex\_ipt -\item Get root (su) -\item Print current iptables configuration (iptables) -\item Save current configuration (iptables-save) -\item Reset iptables configuration (iptables) -\end{itemize} - -\pause - -\begin{beamerboxesrounded}[shadow=true]{Solution:} -\begin{tiny} -\begin{verbatim} -mkdir ex_ipt -cd ex_ipt -su -iptables -L -iptables-save > start.conf -iptables -X -iptables -F -iptables -Z -\end{verbatim} -\end{tiny} -\end{beamerboxesrounded} -\end{frame} - -% ---------------------------- -\subsubsection{Policy} - -\begin{frame}[fragile] -\frametitle{Default Policy} -\begin{itemize} -\item Drop all incoming, outgoing and forwarding traffic -\item Save this default policies to file -\item Reset iptables and restore saved config -\end{itemize} - -\pause - -\begin{beamerboxesrounded}[shadow=true]{Solution:} -\begin{tiny} -\begin{verbatim} -iptables -P INPUT DROP -iptables -P OUTPUT DROP -iptables -P FORWARD DROP -iptables-save > step1 -iptables -F -iptables-restore < step1 -\end{verbatim} -\end{tiny} -\end{beamerboxesrounded} -\end{frame} - -% ---------------------------- -\subsubsection{User-defined Chains} - -\begin{frame}[fragile] -\frametitle{LOGDROP} -\begin{itemize} -\item From now on, edit stepX file and load with iptables-restore -\item Create new Chain LOGDROP -\item Log and drop INPUT and OUTPUT traffic with new chain -\item Check with ping -\end{itemize} - -\pause - -\begin{beamerboxesrounded}[shadow=true]{Solution:} -\begin{tiny} -\begin{verbatim} -# New chain -:LOGDROP - [0:0] --A LOGDROP -m limit --limit 2/min -j LOG --log-prefix "LOGDROP: " --A LOGDROP -j DROP - -# Catch all falling through 
--A INPUT -i eth0 -j LOGDROP --A OUTPUT -o eth0 -j LOGDROP -\end{verbatim} -\end{tiny} -\end{beamerboxesrounded} -\end{frame} - -% ---------------------------- -\subsubsection{Traffic Filter} - -\begin{frame}[fragile] -\frametitle{Allow loopback traffic} -\begin{itemize} -\item Allow INPUT and OUTPUT traffic on interface lo -\end{itemize} - -\pause - -\begin{beamerboxesrounded}[shadow=true]{Solution:} -\begin{tiny} -\begin{verbatim} -# loopback --A INPUT -i lo -j ACCEPT --A OUTPUT -o lo -j ACCEPT -\end{verbatim} -\end{tiny} -\end{beamerboxesrounded} -\end{frame} - -% ---------------------------- -\begin{frame}[fragile] -\frametitle{DNS} -\begin{itemize} -\item Allow DNS requests from this machine (UDP, Port 53) -\item Allow DNS responses -\end{itemize} - -\pause - -\begin{beamerboxesrounded}[shadow=true]{Solution:} -\begin{tiny} -\begin{verbatim} -# DNS --A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT --A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT -\end{verbatim} -\end{tiny} -\end{beamerboxesrounded} -\end{frame} - -% ---------------------------- -\begin{frame}[fragile] -\frametitle{ICMP} -\begin{itemize} -\item Allow simple ping requests (icmp-type 0 and 8) -\item Limit to 2 requests per second -\end{itemize} - -\pause - -\begin{beamerboxesrounded}[shadow=true]{Solution:} -\begin{tiny} -\begin{verbatim} -# PING limited accept --A INPUT -p icmp --icmp-type 0 -m limit --limit 2/s -j ACCEPT --A INPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT --A INPUT -p icmp -j DROP -# Limit outgoing PING as well --A OUTPUT -p icmp --icmp-type 0 -m limit --limit 2/s -j ACCEPT --A OUTPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT --A OUTPUT -p icmp -j DROP -\end{verbatim} -\end{tiny} -\end{beamerboxesrounded} -\end{frame} - -% ---------------------------- -\begin{frame}[fragile] -\frametitle{Established Connections} -\begin{itemize} -\item Allow INPUT and OUTPUT traffic for all ESTABLISHed connections -\item Remove obsolete rules 
(DNS) -\end{itemize} - -\pause - -\begin{beamerboxesrounded}[shadow=true]{Solution:} -\begin{tiny} -\begin{verbatim} -# Allow established connections in and out --A INPUT -m state --state ESTABLISHED -j ACCEPT --A OUTPUT -m state --state ESTABLISHED -j ACCEPT -[...] -# DNS --A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -# -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT -\end{verbatim} -\end{tiny} -\end{beamerboxesrounded} -\end{frame} - -% ---------------------------- -\begin{frame}[fragile] -\frametitle{Log new connections} -\begin{itemize} -\item Create new Chain LOGNEW\_ACCEPT -\item New Connections should be logged with prefix ''New: '' -\item Traffic should be accepted -\end{itemize} - -\pause - -\begin{beamerboxesrounded}[shadow=true]{Solution:} -\begin{tiny} -\begin{verbatim} -# LOGNEW_ACCEPT Chain -:LOGNEW_ACCEPT - [0:0] --A LOGNEW_ACCEPT -m state --state NEW -j LOG --log-prefix "New: " --A LOGNEW_ACCEPT -j ACCEPT -\end{verbatim} -\end{tiny} -\end{beamerboxesrounded} -\end{frame} - -% ---------------------------- -\begin{frame}[fragile] -\frametitle{Log new DNS connections} -\begin{itemize} -\item Log new DNS connection with rule LOGNEW\_ACCEPT -\end{itemize} - -\pause - -\begin{beamerboxesrounded}[shadow=true]{Solution:} -\begin{tiny} -\begin{verbatim} -# DNS --A OUTPUT -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED \ - -j LOGNEW_ACCEPT -\end{verbatim} -\end{tiny} -\end{beamerboxesrounded} -\end{frame} - -% ---------------------------- -\subsubsection{Summary} - -\begin{frame}[fragile] -\frametitle{Full example with Ping, DNS, and SSH} -\begin{tiny} -\begin{verbatim} -# Generated by iptables-save v1.4.14 on Sat Apr 6 19:47:41 2013 -*filter -:INPUT DROP [0:0] -:FORWARD DROP [0:0] -:OUTPUT DROP [0:0] - -# New chain -:LOGDROP - [0:0] --A LOGDROP -m limit --limit 2/min -j LOG --log-prefix "LOGDROP: " --A LOGDROP -j DROP - -# DNS Chain -:LOGNEW_ACCEPT - [0:0] --A LOGNEW_ACCEPT -m state --state NEW -j LOG 
--log-prefix "New: " --A LOGNEW_ACCEPT -j ACCEPT -\end{verbatim} -\end{tiny} -\end{frame} - -% ---------------------------- -\begin{frame}[fragile] -\frametitle{Full example with Ping, DNS, and SSH} -\begin{tiny} -\begin{verbatim} -# loopback --A INPUT -i lo -j ACCEPT --A OUTPUT -o lo -j ACCEPT - -# PING limited accept --A INPUT -p icmp --icmp-type 0 -m limit --limit 2/s -j ACCEPT --A INPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT --A INPUT -p icmp -j LOGDROP --A OUTPUT -p icmp --icmp-type 0 -m limit --limit 2/s -j ACCEPT --A OUTPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT --A OUTPUT -p icmp -j LOGDROP - -# Allow established connections in and out --A INPUT -m state --state ESTABLISHED -j ACCEPT --A OUTPUT -m state --state ESTABLISHED -j ACCEPT -\end{verbatim} -\end{tiny} -\end{frame} - -% ---------------------------- -\begin{frame}[fragile] -\frametitle{Full example with Ping, DNS, and SSH} -\begin{tiny} -\begin{verbatim} -# DNS --A OUTPUT -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED \ - -j LOGNEW_ACCEPT - -# Outgoing SSH --A OUTPUT -p tcp --dport ssh --sport 1024:65535 -m state --state NEW,ESTABLISHED \ - -j LOGNEW_ACCEPT - -# Incoming SSH --A INPUT -p tcp --dport ssh -m state --state NEW,ESTABLISHED -j LOGNEW_ACCEPT - -# Catch all falling through --A INPUT -i eth0 -j LOGDROP --A OUTPUT -o eth0 -j LOGDROP - -COMMIT -# Completed on Sat Apr 6 19:47:41 2013 -\end{verbatim} -\end{tiny} -\end{frame} - -% ---------------------------- -\subsection{} -\input{tailpres} |
