So you have installed your very own firewall and you think you're ready to go and nobody can hurt you?
Think again. There is no way to build a system that is completely secure. The only thing you can do
is your utmost best to build the most secure system you are able to, but it will never be 100%.
A helpful tool in building a secure system is the /proc filesystem. It does not replace your firewall ruleset,
but it offers some significant enhancements: the kernel's own network stack can be told to drop or ignore
several classes of packets before any filtering rule ever sees them.
Some further reading can be found at http://hr.uoregon.edu/davidrl/Documentation/filesystems/proc.txt
Before you can make use of the /proc filesystem, check your kernel config for
two settings: CONFIG_PROC_FS (this lets you view what is in /proc)
and CONFIG_SYSCTL (with this you can actually change the settings under /proc/sys).
Values written to /proc/sys take effect immediately but do not survive a reboot, so put the commands
below in a boot script, or the equivalent key=value lines in /etc/sysctl.conf, rather than typing them once.
Ping scanning is a way to determine which hosts on a network are up. You can make your host ignore all ICMP echo requests with
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
and make it ignore echo requests sent to a broadcast address (the ones used to turn your network into a smurf amplifier) with
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
Keep in mind that ignoring all echo requests also stops legitimate pings from your own monitoring and troubleshooting, and that a scanner
can still find the host with TCP or UDP probes; this only hides you from the lazy scan. Ignoring broadcast pings costs nothing and is always worth doing.
Other ICMP messages are for example route redirects, with which a router tells your host to use a different gateway for some destination.
Anyone on the same link can send them too and so rewrite your routing table. Unless your host depends on redirects from its gateway, disable them
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
IP forwarding is enabled by default on many systems. If you're not using this host as a gateway you can disable forwarding.
On the contrary, if you want to enable IP-forwarding you'll also need to modify the
if [ -r /proc/sys/net/ipv4/ip_forward ]; then
    echo "Disabling IP forwarding"
    echo "0" > /proc/sys/net/ipv4/ip_forward
fi
Reverse path filtering (rp_filter) makes the kernel drop a packet when a reply to its source address would not leave
through the interface the packet arrived on. This prevents IP spoofing in a minor way: it catches packets whose source
address belongs to a network behind another interface, but not addresses spoofed from within the right network.
It also breaks asymmetric routing, so only enable it where traffic to and from a given peer always uses the same interface.
if [ -r /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    echo "Enabling rp_filter"
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
fi
When you have compiled CONFIG_SYN_COOKIES into your kernel, you'll also be able to turn the protection against
SYN-flood attacks on or off. SYN cookies are only used once the queue of half-open connections is full,
so enabling them costs nothing in normal operation.
if [ -r /proc/sys/net/ipv4/tcp_syncookies ]; then
    echo "Enabling tcp_syncookies"
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
fi
Normally you have no control over the route a packet follows. IP Source Routing (SRR) is a method of
specifying the exact path that a packet should take, which hands the sender, not you, the decision of how a packet and
the reply to it travel through your network. Enabling this is generally a bad idea. Disabling goes as follows:
if [ -r /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
    echo "Disabling source routing"
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
fi
When a packet arrives on an interface with a source address that cannot be valid there, for example an address the host
has no route to at all, or one that should only ever show up on another interface, the packet is called a 'martian'.
Such packets should never arrive in fact, so it is worth logging them; the messages go to the kernel log (dmesg or syslog),
and since a spoofed flood would produce a lot of them the kernel rate-limits the output.
if [ -r /proc/sys/net/ipv4/conf/all/log_martians ]; then
    echo "Enabling logging of martians"
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
fi
Note that the value under /proc/sys/net/ipv4/conf/all/ is combined by the kernel with the per-interface value under
/proc/sys/net/ipv4/conf/<interface>/, and how they are combined depends on the setting (for accept_redirects on a host that
does not forward, either one being 1 is enough to accept redirects). New interfaces copy their value from
/proc/sys/net/ipv4/conf/default/. So set all, default and the existing interface directories, not all alone.
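The settings above, collected into one script that applies them and then checks that they actually took, as an added example; this is not code from the original page. It assumes a POSIX sh and the /proc/sys layout shown above; the PROC_SYS variable, the function names and the dry-run directory are this example's own invention. It goes beyond the page in one respect: every conf/all/ setting is also written to conf/default/ and to each existing interface directory, because the kernel combines the all value with the per-interface one.

```shell
#!/bin/sh
# Added example (not code from the original page): apply and verify the
# /proc/sys settings discussed above from one list. PROC_SYS defaults to the
# real /proc/sys; point it at a scratch directory with the same layout to
# dry-run the logic without root. Needs a POSIX sh only.
PROC_SYS="${PROC_SYS:-/proc/sys}"

# Wanted values in sysctl dotted notation, one key=value per line.
HARDENING='
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.ip_forward=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.log_martians=1
'

# net.ipv4.ip_forward -> $PROC_SYS/net/ipv4/ip_forward
key_to_path() {
    printf '%s/%s\n' "$PROC_SYS" "$(printf '%s' "$1" | tr . /)"
}

# Print "path value" pairs. A net.ipv4.conf.all.* key is repeated for every
# other directory under net/ipv4/conf/ (default, and each existing interface):
# the kernel combines the all value with the per-interface one, and for some
# settings the per-interface value alone is enough to re-enable the feature.
wanted_settings() {
    for entry in $HARDENING; do              # unquoted on purpose: one entry per word
        key=${entry%%=*}
        value=${entry#*=}
        printf '%s %s\n' "$(key_to_path "$key")" "$value"
        case "$key" in
        net.ipv4.conf.all.*)
            setting=${key#net.ipv4.conf.all.}
            for dir in "$PROC_SYS"/net/ipv4/conf/*/; do
                [ -d "$dir" ] || continue        # unmatched glob stays literal
                case "$dir" in */all/) continue ;; esac
                printf '%s %s\n' "${dir}${setting}" "$value"
            done ;;
        esac
    done
}

# Write every wanted value whose file exists and is writable; report the rest,
# so a kernel built without a feature (e.g. syncookies) is visible, not silent.
apply_hardening() {
    while read -r path value; do
        if [ ! -w "$path" ]; then
            printf 'skip %s (absent or not writable)\n' "$path"
        elif printf '%s' "$value" > "$path" 2>/dev/null; then
            printf 'set  %s=%s\n' "$path" "$value"
        else
            printf 'FAIL %s (write refused)\n' "$path"
        fi
    done <<EOF
$(wanted_settings)
EOF
}

# Compare live values with the wanted ones. Prints each mismatch; returns 1
# if any present file differs, 0 otherwise. Absent files are ignored.
verify_hardening() {
    rc=0
    while read -r path want; do
        [ -r "$path" ] || continue
        have=$(cat "$path")
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %s: have %s, want %s\n' "$path" "$have" "$want"
            rc=1
        fi
    done <<EOF
$(wanted_settings)
EOF
    return "$rc"
}

# Usage: sh harden.sh apply   (as root, from a boot script)
#        sh harden.sh verify  (any user; /proc/sys is world-readable)
# With no argument the file only defines the functions.
case "${1:-}" in
    apply)  apply_hardening ;;
    verify) verify_hardening ;;
esac
```

Run "verify" from cron or your monitoring after "apply": a setting that silently reverted (a distribution script, a container runtime, or a kernel without the feature) shows up as a MISMATCH or a skip instead of being assumed.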
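What log_martians actually gives you, as an added example that is not from the original page: a small filter that counts the kernel's martian messages per offending source address and interface, so a flood from one peer stands out from the occasional stray packet. It assumes the kernel message format "martian source <destination> from <source>, on dev <interface>"; the sample log lines are constructed, not captured from a real host, and summarize_martians is this example's own name.

```shell
#!/bin/sh
# Added example (not code from the original page): summarise the messages
# that log_martians=1 produces, per source address and interface.
# Reads syslog or dmesg text on stdin.
#
# Kernel format, as printed by the Linux IPv4 stack:
#   martian source <destination> from <source>, on dev <interface>
# followed by an "ll header:" line with the frame header. Note the destination
# comes first; the offending source address is the one after "from".
summarize_martians() {
    awk '
        /martian source/ {
            src = ""; dev = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "from") { src = $(i + 1); sub(/,$/, "", src) }
                if ($i == "dev")  { dev = $(i + 1) }
            }
            if (src != "") count[src " " dev]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample log (not captured from a real host) for a stand-alone run.
SAMPLE_LOG='Mar  3 10:01:02 gw kernel: IPv4: martian source 10.0.0.5 from 127.0.0.1, on dev eth0
Mar  3 10:01:02 gw kernel: ll header: 00000000: ff ff ff ff ff ff 00 11 22 33 44 55 08 00
Mar  3 10:01:07 gw kernel: IPv4: martian source 10.0.0.5 from 192.168.1.77, on dev eth0
Mar  3 10:01:09 gw kernel: IPv4: martian source 10.0.0.5 from 192.168.1.77, on dev eth0
Mar  3 10:02:00 gw kernel: eth1: link up'

# Usage: dmesg | sh martians.sh      or      sh martians.sh sample
case "${1:-}" in
    sample) printf '%s\n' "$SAMPLE_LOG" | summarize_martians ;;
    "")     [ -t 0 ] || summarize_martians ;;
esac
```

A source like 127.0.0.1 arriving on a real interface is plain spoofing or a broken device; a private address from a neighbour that appears right after you enable rp_filter usually means asymmetric routing, and the fix is on your routing table, not the firewall.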