index.docbook
<?xml version="1.0" ?>
<!DOCTYPE book PUBLIC "-//KDE//DTD DocBook XML V4.1-Based Variant V1.0//EN" "dtd/kdex.dtd" [
  <!ENTITY kappname "Guarddog">
  <!ENTITY % addindex "IGNORE">
  <!ENTITY % English "INCLUDE">
  <!-- Do not define any other entities; instead, use the entities from kde-genent.entities and $LANG/user.entities. -->
]>
<!-- kdoctemplate v0.8 October 1 1999 Minor update to "Credits and Licenses" section on August 24, 2000 Removed "Revision history" section on 22 January 2001 -->
<!-- ................................................................ -->
<!-- The language must NOT be changed here. -->
<book lang="&language;">
<!-- This header contains all of the meta-information for the document such as Authors, publish date, the abstract, and Keywords -->
<bookinfo>
<title>The &kappname; Handbook</title>
<authorgroup><author><firstname>Simon</firstname><surname>Edwards</surname><affiliation><address><email>simon@simonzone.com</email></address></affiliation></author></authorgroup>
<copyright><year>2000</year><year>2001</year><year>2002</year><year>2003</year><holder>Simon Edwards</holder></copyright>
<!-- Translators: put here the copyright notice of the translation -->
<!-- Put here the FDL notice. Read the explanation in fdl-notice.docbook and in the FDL itself on how to use it. -->
<legalnotice>&FDLNotice;</legalnotice>
<date>26/8/2003</date>
<releaseinfo>2.2.0</releaseinfo>
<abstract><para>&kappname; is a user-friendly firewall utility for KDE running on Linux. The best way to get started is to read the short tutorials, starting with the first one.</para></abstract>
<keywordset><keyword>KDE</keyword><keyword>&kappname;</keyword><keyword>firewall</keyword><keyword>linux</keyword><keyword>ipchains</keyword><keyword>iptables</keyword></keywordset>
</bookinfo>
<chapter id="introduction">
<title>Introduction</title>
<para>&kappname; is a user-friendly firewall generation and management utility for KDE running on Linux.
It allows you to simply specify which network protocols should be allowed between which groups of computers, without requiring you to have knowledge of port numbers or packets. &kappname; is built on top of Linux's <command>ipchains</command> and <command>iptables</command> packet filtering commands.</para>
<sect1 id="introduction-what">
<title>What is a firewall and why do I need one?</title>
<para>A firewall is a software and/or hardware tool for defending a computer or network of computers from attacks via the network performed by malicious or curious computer users. It protects by restricting what hostile computers are permitted to do to the protected computers. It does this by filtering and blocking the network communication between the protected computers and the Internet at large.</para>
<para>With the arrival of fast, permanent, 24 hour/7 day internet connections for home users, your computer is now exposed to constant attacks from anywhere in the world. You may ask yourself "why would anyone want to break into my computer? I don't have anything important". Actually you do: even a home computer stores usernames and passwords for connecting to the internet, personal email, possibly financial information and perhaps even credit card information. Even without these things, your computer can be used as a stepping stone by malicious users (often called 'crackers') to attack other computers. The worst part of this is that these further attacks will look like they are coming from you!</para>
<para>For more introductory material about firewalls, try the <ulink url="http://www.howstuffworks.com/firewall.htm">firewall</ulink> article over at <ulink url="http://www.howstuffworks.com/">How Stuff Works</ulink>.</para>
</sect1>
<sect1 id="introduction-silverbullet">
<title>A Warning: No Silver Bullet Here</title>
<para>I will now try to explain the nature of computer security and how a firewall fits into the picture. The majority of security holes are quite simply caused by bad software.
Security holes are not created by 'hackers' or 'crackers'. They merely find and exploit already existing flaws in software. Security holes are usually just bugs or flaws in the software itself that can be taken advantage of for malicious purposes.</para>
<para>What a firewall does is try to put up a barrier with the bad guys on one side and your possibly vulnerable software and services on the other. It tries to stop attackers from gaining any kind of access to servers and software running on machines behind the firewall. With no access, attackers shouldn't be able to leverage flaws in the software you are running. Unfortunately this approach of protection by disconnection only goes so far, because the whole point of having a network is to allow computers on the network to communicate with each other. Simply put, for the network to be useful you need to put 'holes' in the firewall to allow communication or access between the protected computers and the outside world. A firewall offers no protection from accesses that occur via 'holes' in the firewall. For example, if you are operating a web server that can be accessed from the outside, then the firewall will do nothing to protect you from attacks aimed at your web server: the packets those attacks consist of are exactly the ones you told the firewall to let through.</para>
<para>A firewall should be just a part of your approach to security, and not the whole thing. Here is a quick list of effective tips to greatly increase the system's security. This advice also applies to other computer systems:</para>
<itemizedlist>
<listitem><para>Number one. Make sure you get and install security fixes for the software you are using on your computer systems. The best way to stop attackers from exploiting flaws in the software you use is to remove the flaws. Go to the website for the Linux distribution you are using and check the security or updates section regularly to see if security updates, patches, or bug fixes are available.
Most modern Linux distributions also include tools for automatically checking for software updates. Learn about and use these tools.</para></listitem>
<listitem><para>Don't install software that you don't need or use. This is especially true for network oriented software like servers and network client software. Most Linux distributions install an incredible amount of software by default. Most of it you won't need. Make sure you uninstall any unneeded software after installing a new Linux system. Another strategy is to choose a 'minimal' install at install time, if your distribution offers that choice, and then install any additional software that you may need after the installation. Whatever remains installed, check which programs are actually listening on the network (as root, <command>netstat -tlnup</command> on systems of this era, <command>ss -tlnup</command> on current ones) and remove or disable any you do not recognise; a server that is installed but not running is far less of a risk than one that is listening.</para></listitem>
<listitem><para>The maker of the Linux distribution that you are using will have a security announcement mailing list. Find it on their web site and join it to hear about security fixes as soon as they become available.</para></listitem>
<listitem><para>If a piece of software you are using has a bad security record and is still having security problems found in it, seriously consider changing to a better, safer alternative.</para></listitem>
</itemizedlist>
<para>If you follow these tips, your systems will be far more secure, even without a firewall.</para>
</sect1>
<sect1 id="introduction-why">
<title>Why use &kappname;</title>
<itemizedlist>
<listitem><para>Easy to use, goal oriented user interface. You say what the firewall should do without having to explain all the details of how it should do it.</para></listitem>
<listitem><para>Application protocol based. Unlike other tools, &kappname; does not require you to understand the ins and outs of IP packets and ports. &kappname; takes care of this for you. This also reduces the chances of configuration mistakes being made, which are a prime source of security holes in computer systems.</para></listitem>
<listitem><para>Doesn't just generate an initial firewall and forget it.
&kappname; is used to maintain and modify the firewall in place.</para></listitem>
<listitem><para>Can be used in workstation and router configurations.</para></listitem>
<listitem><para>Allows you to divide your network into groups of machines and control what network protocols are allowed between them.</para></listitem>
<listitem><para>Works on the older Linux kernel 2.2 series <command>ipchains</command> firewall subsystem, and also on the newer Linux kernel 2.4 netfilter/<command>iptables</command> firewall subsystem.</para></listitem>
<listitem><para>Takes advantage of advanced Linux kernel 2.4 features such as connection tracking and rate limited logging.</para></listitem>
<listitem><para>Licensed under the terms of the GPL. Is Free and will remain Free.</para></listitem>
</itemizedlist>
</sect1>
</chapter>
<chapter id="using-guarddog">
<title>Using &kappname;</title>
<para></para>
<sect1 id="tutorial-basic">
<title>Tutorial: Basic Configuration</title>
<para>In this tutorial I will explain some basic networking concepts and how to quickly set up &kappname; to protect a single workstation.</para>
<sect2><title>Starting &kappname;</title>
<para>First start up &kappname;. For recent Mandrake and Red Hat systems there should be a &kappname; menu entry on the K menu under Configuration/Networking. You will then immediately be asked for the password for the 'root' user. This is required because &kappname; needs administrator access in order to modify the computer's networking sub-system.</para>
<para>Once &kappname; has opened its window you will see that the user interface is divided across four tabs. For this tutorial we will ignore the <guilabel>Zone</guilabel>, <guilabel>Logging</guilabel> and <guilabel>Advanced</guilabel> tabs and concentrate on the <guilabel>Protocol</guilabel> tab.</para>
</sect2>
<sect2><title>Basic Networking Concepts</title>
<para>(Skip this section if you understand network protocols and the "Client Server Model".)</para>
<para>Now I must explain what a protocol is.
Computer networks are all about computers talking to other computers. And just like when talking to another person in the real world, it helps if you both agree to speak the same language, be it English, Dutch or Sign Language. The same thing applies to computers on networks. They need to agree on what language they are going to speak when talking to another computer. These 'languages' are known as network protocols. An important difference between human languages and network protocols is that protocols are usually only intended for one particular task, like moving files (for example, FTP, the File Transfer Protocol), fetching web pages (for example, HTTP, the HyperText Transfer Protocol) or chatting with other computer users (for example, IRC, Internet Relay Chat).</para>
<para>Attacks against computer systems across a network are performed by using and abusing protocols and the software that implements them. All too often the software implementing a protocol contains flaws that can be exploited by malicious people to gain access to a system, or to disrupt it.</para>
<para>One more important concept to understand about network protocols is the "Client Server Model". All network protocols involve at least two different parties communicating. Although each party is using the same protocol, quite often they will have different roles to play in that protocol. The most common model is where one party acts as a "client" while the other acts as a "server" that responds to requests from the "client". A very close analogy in the real world would be buying fries down at the local fast food restaurant. You and the person behind the counter would both be using English as the communication protocol, but in this situation you both have different roles. You would have the role of "client" while the person serving you would be acting as the "server", basically doing what the "client" requests.
HTTP, the protocol used on the World Wide Web, uses the "Client Server Model". Your web browser acts as the client while the big web server at Slashdot or CNN acts as the server, delivering pages back to your browser when it asks for them.</para>
</sect2>
<sect2><title>Permitting DNS</title>
<para>(Skip the next paragraph if you know what DNS is.)</para>
<para>The <guilabel>Protocol</guilabel> tab is where you specify which protocols may be used between your computer and the internet. The "Domain Name System" protocol, commonly known as DNS, is a very important protocol. All machines on the internet have what is known as an IP address, which is just a number. You may have seen some before. They are often written as a "dotted quad" like "195.231.34.5", for example. An IP address is sort of like a telephone number, except that it's for identifying computers on the internet and not telephones. One problem with using IP addresses to identify machines is that they're not very human friendly. This is why "Domain Names" were invented. A "Domain Name" is just a human friendly name for a machine. Some examples of domain names are www.simonzone.com, www.cnn.com and dot.kde.org. But to use the internet your computer needs IP addresses, and not "domain names". This is where DNS comes in. It bridges the gap between "Domain Names" and IP addresses. It is a system for turning human friendly names like www.simonzone.com into computer friendly IP addresses. Machines on the internet known as DNS servers do nothing except answer queries from other machines wanting to know what IP address matches which domain name, much like how a telephone directory matches people's names and addresses to telephone numbers. By using a DNS server your computer knows what you are talking about when you ask for www.slashdot.org. Without DNS your web browser won't know where to find www.cnn.com, and an ICQ chat client won't be able to find the chat network at icq.com either.
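</para>
<para>The DNS permit described above, together with the connection tracking and rate limited logging named in the feature list in the Introduction, is what a tool like &kappname; ends up expressing as netfilter rules. The shell script below is an added example written for this page; it is not the script &kappname; itself generates. It prints a minimal default-deny workstation ruleset that allows new DNS queries (UDP and TCP port 53, TCP being needed for answers too large for a single UDP packet) only to the resolvers named on its command line, accepts the replies through connection tracking, and logs dropped packets at a limited rate so that a port scan cannot fill the disk. It uses the current <command>-m conntrack --ctstate</command> match rather than the older <command>-m state --state</command> form of the kernel 2.4 era, and the addresses 192.0.2.53 and 198.51.100.53 are documentation addresses standing in for real resolvers.</para>

```shell
#!/bin/sh
# Added example, not Guarddog's own generated script: a minimal default-deny
# workstation ruleset showing connection tracking, a DNS permit and
# rate-limited logging. It PRINTS the iptables commands rather than running
# them, so the result can be reviewed before being applied as root:
#     workstation_rules 192.0.2.53 | sh
# 192.0.2.53 and 198.51.100.53 are RFC 5737 documentation addresses used as
# placeholders for real resolvers.

# workstation_rules DNS_SERVER...   prints an iptables script on stdout
workstation_rules() {
    # Start from empty chains with a default-deny policy in every direction.
    echo 'iptables -F'
    echo 'iptables -X'
    echo 'iptables -P INPUT DROP'
    echo 'iptables -P FORWARD DROP'
    echo 'iptables -P OUTPUT DROP'

    # Loopback is always allowed; local programs talk to each other over it.
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A OUTPUT -o lo -j ACCEPT'

    # Connection tracking: packets belonging to a connection this machine
    # opened are accepted without a separate rule per protocol, and packets
    # that fit no known connection are dropped early.
    echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo 'iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo 'iptables -A INPUT -m conntrack --ctstate INVALID -j DROP'

    # DNS permit: NEW queries only to the named resolvers, over UDP and TCP 53.
    # The replies come back through the ESTABLISHED rule above.
    for server in "$@"; do
        echo "iptables -A OUTPUT -p udp -d $server --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
        echo "iptables -A OUTPUT -p tcp -d $server --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
    done

    # Rate-limited logging of what is about to be dropped: at most 5 log
    # lines per minute after an initial burst of 10. The DROP policy then
    # discards the packet.
    echo 'iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-DROP-IN: "'
    echo 'iptables -A OUTPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-DROP-OUT: "'
}

# Number of rules (-A lines) the generated script would install, excluding
# the flush and policy commands; handy for a quick sanity check.
rule_count() {
    workstation_rules "$@" | grep -c -- '-A '
}

workstation_rules 192.0.2.53 198.51.100.53
```

<para>Because the OUTPUT policy is DROP, only DNS traffic leaves the machine until further rules are added; each additional protocol is permitted the same way, with a NEW-state OUTPUT rule for its port (and an INPUT rule only for a service this machine really offers), while the connection tracking rule lets the replies back in.</para>
<para>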
Without DNS most other protocols don't work.</para>
<para>Let's go through the steps involved in permitting our computer to use the DNS protocol to communicate with DNS servers on the internet.</para>
<itemizedlist>