Amazon.co.uk Review
O'Reilly has worked with the authors to improve the quality and accessibility of the NAG for this book version. All the improvements have been fed back into the original, which means you can download this book for free. In practice, a printed version is so useful--and it costs so much more to produce an inferior print copy for yourself--that you'll want to buy it. But download the digital version to prove it.
Linux is primarily a networking operating system and supports a multitude of networking protocols as well as the near ubiquitous TCP/IP. The NAG tells you everything about TCP/IP, from how to set up networking cards to setting up and deploying DNS. It also goes into the depths of UUCP (the store and forward protocol), Novell's IPX and NCP, SLIP and PPP for dial up networking, firewalls, IP masquerading, routing, Sun's NIS, NFS, Sendmail and Exim for e-mail, NNTP for newsgroups and more besides. What it doesn't cover is interfacing with Windows on networks, which is a function of Samba. If this is what you need, buy O'Reilly's Using Samba as well.
The NAG is the definitive guide to Linux networking whether you're coming to it cold or have previous experience. --Steve Patient
Rory Beaton, First Monday, April, 2002
Steven Gibson, DDJ.com
Product Description
Linux, a Unix-compatible operating system that runs on personal computers and larger servers, is valued above all for its networking strengths. The Linux Network Administrator's Guide spells out all the information needed for joining a network, whether it's a simple UUCP connection or a full LAN with a Linux system serving as a firewall, an NFS or NIS file server, and a mail and news hub.
This book, which is one of the most successful to come from the Linux Documentation Project and remains freely distributable under its license, touches on all the essential networking software included with the operating system, plus some hardware considerations. Fully updated, the book now covers firewalls, including the use of ipchains and iptables (netfilter), masquerading, and accounting. Other new topics include Novell (NCP/IPX) support and INN (news administration). Original material on serial connections, UUCP, routing and DNS, mail and News, SLIP and PPP, NFS, and NIS has been thoroughly updated. Kernel options reflect the 2.2 kernel. However, some topics covered in other books (notably Samba and web server administration) are not in this book.
Topics include:
- Introduction to TCP/IP
- Configuring network and serial hardware
- Domain Name Service
- Serial line communications using SLIP and PPP
- NIS and NFS
- Taylor UUCP
- Administering electronic mail, including sendmail and Exim
- Administering Netnews, including INN and several news readers
- Firewalling using ipfwadm, ipchains, and iptables (netfilter)
- Masquerading and accounting
- IPX configuration for a Novell Netware network
About the Author
Olaf Kirch has a degree in Mathematics from Technische Universitaet Darmstadt. He presently works as a UNIX programmer for a company producing a CAD system. A Linux fan for a couple of years now, he is amazed at the pace its development continues to progress. For relaxation, Olaf likes painting, drawing, and reading (anything from nineteenth century poetry to detective novels and Japanese manga). He likes to spend time outdoors whenever possible. He doesn't have a driver's license (never had one), so he goes about most of his daily routine by bicycle. When he gets away from his keyboard for more than a few days, he likes to go mountain-walking.
Terry Dawson is an amateur radio operator and long-time Linux enthusiast. He is the author of a number of network-related HOWTO documents for the Linux Documentation Project, co-author of the 2nd edition of O'Reilly's Linux Network Administrator's Guide, and an active participant in a number of other Linux projects. Terry has 15 years of professional experience in telecommunications and is currently engaged in network management research in the Telstra Research Laboratories.
Excerpted from Linux Network Administrator's Guide by Olaf Kirch, Terry Dawson. Copyright © 2000. Reprinted by permission. All rights reserved.
Contents:
- Methods of Attack
- What Is a Firewall?
- What Is IP Filtering?
- Setting Up Linux for Firewalling
- Three Ways We Can Do Filtering
- Original IP Firewall (2.0 Kernels)
- IP Firewall Chains (2.2 Kernels)
- Netfilter and IP Tables (2.4 Kernels)
- TOS Bit Manipulation
- Testing a Firewall Configuration
- A Sample Firewall Configuration
Security is increasingly important for companies and individuals alike. The Internet has provided them with a powerful tool to distribute information about themselves and obtain information from others, but it has also exposed them to dangers that they have previously been exempt from. Computer crime, information theft, and malicious damage are all potential dangers.
An unauthorized and unscrupulous person who gains access to a computer system may guess system passwords or exploit the bugs and idiosyncratic behavior of certain programs to obtain a working account on that machine. Once they are able to log in to the machine, they may have access to information that may be damaging, such as commercially sensitive information like marketing plans, new project details, or customer information databases. Damaging or modifying this type of data can cause severe setbacks to the company.
The safest way to avoid such widespread damage is to prevent unauthorized people from gaining network access to the machine. This is where firewalls come in.
WARNING: Constructing secure firewalls is an art. It involves a good understanding of technology, but equally important, it requires an understanding of the philosophy behind firewall designs. We won't cover everything you need to know in this book; we strongly recommend you do some additional research before trusting any particular firewall design, including any we present here.
There is enough material on firewall configuration and design to fill a whole book, and indeed there are some good resources that you might like to read to expand your knowledge on the subject. Two of these are:
Building Internet Firewalls
by D. Chapman and E. Zwicky (O'Reilly). A guide explaining how to design and install firewalls for Unix, Linux, and Windows NT, and how to configure Internet services to work with the firewalls.
Firewalls and Internet Security
by W. Cheswick and S. Bellovin (Addison Wesley). This book covers the philosophy of firewall design and implementation.
We will focus on the Linux-specific technical issues in this chapter. Later we will present a sample firewall configuration that should serve as a useful starting point in your own configuration, but as with all security-related matters, trust no one. Double check the design, make sure you understand it, and then modify it to suit your requirements. To be safe, be sure.
Methods of Attack
As a network administrator, it is important that you understand the nature of potential attacks on computer security. We'll briefly describe the most important types of attacks so that you can better understand precisely what the Linux IP firewall will protect you against. You should do some additional reading to ensure that you are able to protect your network against other types of attacks. Here are some of the more important methods of attack and ways of protecting yourself against them:
Unauthorized access
This simply means that people who shouldn't use your computer services are able to connect and use them. For example, people outside your company might try to connect to your company accounting machine or to your NFS server.
There are various ways to avoid this attack by carefully specifying who can gain access through these services. You can prevent network access to all except the intended users.
Exploitation of known weaknesses in programs
Some programs and network services were not originally designed with strong security in mind and are inherently vulnerable to attack. The BSD remote services (rlogin, rexec, etc.) are an example.
The best way to protect yourself against this type of attack is to disable any vulnerable services or find alternatives. With Open Source, it is sometimes possible to repair the weaknesses in the software.
Denial of service
Denial of service attacks cause the service or program to cease functioning or prevent others from making use of the service or program. These may be performed at the network layer by sending carefully crafted and malicious datagrams that cause network connections to fail. They may also be performed at the application layer, where carefully crafted application commands are given to a program that cause it to become extremely busy or stop functioning.
Preventing suspicious network traffic from reaching your hosts and preventing suspicious program commands and requests are the best ways of minimizing the risk of a denial of service attack. It's useful to know the details of the attack method, so you should educate yourself about each new attack as it gets publicized.
Spoofing
This type of attack causes a host or application to mimic the actions of another. Typically the attacker pretends to be an innocent host by following IP addresses in network packets. For example, a well-documented exploit of the BSD rlogin service can use this method to mimic a TCP connection from another host by guessing TCP sequence numbers.
To protect against this type of attack, verify the authenticity of datagrams and commands. Prevent datagram routing with invalid source addresses. Introduce unpredictability into connection control mechanisms, such as TCP sequence numbers and the allocation of dynamic port addresses.
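The advice to prevent routing of datagrams with invalid source addresses comes down to checking each claimed source against the interface it arrived on. The sketch below is an added example, not code from the book; the interface labels, the internal range 192.168.1.0/24, and the sample datagrams are all constructed assumptions.

```python
import ipaddress

# Constructed topology (assumption): one internal LAN behind the firewall.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Reserved ranges that are never a valid source on the Internet-facing side.
RESERVED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def check_source(iface, src):
    """Return (verdict, reason) for a datagram from `src` arriving on `iface`.

    `iface` is "internal" or "external" (hypothetical labels for this example).
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return ("drop", "unparseable source address")
    if addr.version != 4:
        return ("drop", "example covers IPv4 only")
    if iface == "internal":
        # Hosts on the LAN may only send with an address from the LAN.
        if _in_any(addr, INTERNAL_NETS):
            return ("accept", "source belongs to internal network")
        return ("drop", "foreign source on internal interface")
    if iface == "external":
        # Check the internal range first: it is the classic spoofing case.
        if _in_any(addr, INTERNAL_NETS):
            return ("drop", "internal source on external interface")
        if _in_any(addr, RESERVED_NETS):
            return ("drop", "reserved source on external interface")
        return ("accept", "plausible external source")
    return ("drop", "unknown interface")

# Constructed sample datagrams: (arrival interface, claimed source address).
SAMPLES = [("external", "192.168.1.5"), ("external", "10.1.2.3"),
           ("external", "203.0.113.9"), ("internal", "192.168.1.20"),
           ("internal", "203.0.113.9")]

if __name__ == "__main__":
    for iface, src in SAMPLES:
        print(iface, src, *check_source(iface, src))
```

A packet filter enforces the same decision with per-interface rules on source address; the function only makes the logic explicit.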