The IP filtering ruleset is made up of

The IP filtering ruleset is made up of many combinations of the criteria listed previously. For example, let's imagine that you wanted to allow World Wide Web users within the Virtual Brewery network to have no access to the Internet except to use other sites' web servers. You would configure your firewall to allow forwarding of:

  - datagrams with a source address on the Virtual Brewery network, a destination address of anywhere, and with a destination port of 80 (WWW)
  - datagrams with a destination address of the Virtual Brewery network and a source port of 80 (WWW) from a source address of anywhere

Note that we've used two rules here. We have to allow our data to go out, but also the corresponding reply data to come back in. In practice, as we'll see shortly, Linux simplifies this and allows us to specify this in one command.

Setting Up Linux for Firewalling

To build a Linux IP firewall, it is necessary to have a kernel built with IP firewall support and the appropriate configuration utility. In all production kernels prior to the 2.2 series, you would use the ipfwadm utility. The 2.2.x kernels marked the release of the third generation of IP firewall for Linux called IP Chains. IP chains use a program similar to ipfwadm called ipchains. Linux kernels 2.3.15 and later support the fourth generation of Linux IP firewall called netfilter. The netfilter code is the result of a large redesign of the packet handling flow in Linux. netfilter is a multifaceted creature, providing direct backward-compatible support for both ipfwadm and ipchains as well as a new alternative command called iptables. We'll talk about the differences between the three in the next few sections.

Kernel Configured with IP Firewall

The Linux kernel must be configured to support IP firewalling. There isn't much more to it than selecting the appropriate options when performing a make menuconfig of your kernel. We described how to do this in Chapter 3, Configuring the Networking Hardware.
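To make the two-rule Virtual Brewery ruleset above concrete, here is a small first-match packet-filter simulator. It is an added example, not code from the Networking Guide or from the Linux kernel; the 172.16.1.0/24 prefix for the Brewery network, the web server address 192.0.2.80 and the sample datagrams are all constructed for the illustration.

```python
# Added example (not from the Networking Guide): a first-match forwarding
# ruleset evaluator for the two Virtual Brewery WWW rules described above.
# The 172.16.1.0/24 Brewery prefix and all sample addresses are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

BREWERY_NET = ipaddress.ip_network("172.16.1.0/24")   # assumed Virtual Brewery address range
ANYWHERE = None                                        # wildcard for an address or port criterion


@dataclass(frozen=True)
class Datagram:
    """The header fields the ruleset criteria look at."""
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    """One forwarding rule; a None criterion matches anything."""
    action: str                                        # "accept" or "deny"
    src_net: Optional[ipaddress.IPv4Network] = ANYWHERE
    dst_net: Optional[ipaddress.IPv4Network] = ANYWHERE
    sport: Optional[int] = ANYWHERE
    dport: Optional[int] = ANYWHERE

    def matches(self, dg: Datagram) -> bool:
        if self.src_net is not None and ipaddress.ip_address(dg.src) not in self.src_net:
            return False
        if self.dst_net is not None and ipaddress.ip_address(dg.dst) not in self.dst_net:
            return False
        if self.sport is not None and dg.sport != self.sport:
            return False
        if self.dport is not None and dg.dport != self.dport:
            return False
        return True


def forward_decision(rules: List[Rule], dg: Datagram, default: str = "deny") -> str:
    """First matching rule wins; an unmatched datagram gets the default policy."""
    for rule in rules:
        if rule.matches(dg):
            return rule.action
    return default


# The two rules from the text: requests from the Brewery to port 80 anywhere,
# and the corresponding replies from port 80 back into the Brewery network.
WWW_ONLY_RULES = [
    Rule("accept", src_net=BREWERY_NET, dport=80),
    Rule("accept", dst_net=BREWERY_NET, sport=80),
]

# Constructed sample datagrams.
REQUEST = Datagram(src="172.16.1.10", dst="192.0.2.80", sport=40000, dport=80)  # Brewery host -> web server
REPLY = Datagram(src="192.0.2.80", dst="172.16.1.10", sport=80, dport=40000)    # the server's answer
TELNET = Datagram(src="172.16.1.10", dst="192.0.2.80", sport=40001, dport=23)   # not web traffic
INBOUND = Datagram(src="192.0.2.80", dst="172.16.1.10", sport=40002, dport=80)  # outsider reaching a Brewery web server


if __name__ == "__main__":
    for name, dg in [("request", REQUEST), ("reply", REPLY), ("telnet", TELNET), ("inbound", INBOUND)]:
        print(f"{name:8s} {forward_decision(WWW_ONLY_RULES, dg)}")
    # With only the outbound rule installed the reply is dropped: that is why two rules are needed.
    print("reply with outbound rule only:", forward_decision(WWW_ONLY_RULES[:1], REPLY))
```

Running it shows the request and its reply accepted, the telnet attempt and the inbound web request denied, and the reply denied when only the first rule is installed. The simulator also makes a limitation of the plain two-rule form visible: the second rule accepts any datagram with source port 80 bound for the Brewery network, whether or not it is really a reply to something a Brewery host sent. Deciding that properly needs the datagram's place in a connection, which is what the single-command form mentioned in the text provides.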
In 2.2 kernels you should select the following options:

    Networking options  --->
        [*] Network firewalls
        [*] TCP/IP networking
        [*] IP: firewalling
        [*] IP: firewall packet logging

In kernels 2.4.0 and later you should select this option instead:

    Networking options  --->
        [*] Network packet filtering (replaces ipchains)
            IP: Netfilter Configuration  --->
                .
                Userspace queueing via NETLINK (EXPERIMENTAL)
                IP tables support (required for filtering/masq/NAT)
                  limit match support
                  MAC address match support
                  netfilter MARK match support
                  Multiple port match support
                  TOS match support
                  Connection state match support
                  Unclean match support (EXPERIMENTAL)
                  Owner match support (EXPERIMENTAL)
                  Packet filtering
                    REJECT target support
                    MIRROR target support (EXPERIMENTAL)
                .
                Packet mangling

Firewall packet logging is a special feature that writes a line of information about each datagram that matches a particular firewall rule out to a special device so you can see them.
