Ubuntu Server Guide Changes, errors and bugs
Download 1.27 Mb. Pdf ko'rish
|
ubuntu-server-guide
- Bu sahifa navigatsiya:
- Firewall Introduction
|
Profile customization
Profiles are meant to provide security and thereby can’t be all too open. But quite often a very special setup would work with a profile if it wold just allow this one extra access. To handle that there are three ways. • modify the profile itself – always works, but has the drawback that profiles are in /etc and considered conffiles. So after modification on a related package update you might get a conffile prompt. Worst case depending on configuration automatic updates might even override it and your custom rule is gone. • use tunables – those provide variables that can be used in templates, for example if you want a custom dir considered as it would be a home directory you could modify /etc/apparmor.d/tunables/home which defines the base path rules use for home directories – by design those variables will only influence profiles that use them • modify a local override – to mitigate the drawbacks of above approaches local includes got introduced adding the ability to write arbitrary rules that will be used, and not get issues on upgrades that modify the packaged rule. – The files can be found in /etc/apparmor.d/local/ and exist for the packages that are known to sometimes need slight tweaks for special setups References • See the AppArmor Administration Guide for advanced configuration options. • For details using AppArmor with other Ubuntu releases see the AppArmor Community Wiki page. • The OpenSUSE AppArmor page is another introduction to AppArmor. • (https://wiki.debian.org/AppArmor) is another introduction and basic howto for AppArmor. • A great place to ask for AppArmor assistance, and get involved with the Ubuntu Server community, is the #ubuntu-hardened IRC channel on freenode. Firewall Introduction The Linux kernel includes the Netfilter subsystem, which is used to manipulate or decide the fate of network traffic headed into or through your server. All modern Linux firewall solutions use this system for packet filtering. The kernel’s packet filtering system would be of little use to administrators without a userspace interface to manage it. This is the purpose of iptables: When a packet reaches your server, it will be handed off to the Netfilter subsystem for acceptance, manipulation, or rejection based on the rules supplied to it from userspace via iptables. Thus, iptables is all you need to manage your firewall, if you’re familiar with it, but many frontends are available to simplify the task. 85 |
