Linux Security HOWTO
: Kernel Security
: 2.2 Kernel Compile Options
Previous: 2.0 Kernel Compile Options
Next: Kernel Devices
7.2. 2.2 Kernel Compile Options
For 2.2.x kernels, many of the options are the same, but a few new ones have been added. Many of the comments here are taken from ./linux/Documentation/Configure.help, which is the same document that the Help facility shows during the make config stage of compiling the kernel. Only the newly added options are listed below; consult the 2.0 description for the other necessary options. The most significant change in the 2.2 kernel series is the IP firewalling code: the ipchains program is now used to install IP firewalling rules, replacing the ipfwadm program used with 2.0 kernels.
- Socket Filtering (CONFIG_FILTER)
For most people it is safe to say no to this option. With it enabled, a user-space program can attach a filter to any socket and tell the kernel which packets should be allowed through to that socket and which should be dropped. Unless you have a very specific need and are able to write such a filter, say no. As of this writing, Linux socket filtering works on all socket types except TCP. See ./linux/Documentation/networking/filter.txt for more information.
- Port Forwarding
Port Forwarding is an addition to IP Masquerading which allows forwarding of packets from outside to inside a firewall on given ports. This is useful if, for example, you want to run a web server behind the firewall or masquerading host and that web server should be reachable from the outside world. An external client sends a request to port 80 of the firewall, the firewall forwards the request to the web server, the web server handles it, and the result is sent back through the firewall to the original client. The client thinks that the firewall machine itself is running the web server. This can also be used for load balancing if you have a farm of identical web servers behind the firewall. Information about this feature is available from http://www.monmouth.demon.co.uk/ipsubs/portforwarding.html (to browse the WWW, you need access to a machine on the Internet that has a program like lynx or netscape). For general information, see ftp://ftp.compsoc.net/users/steve/ipportfw/linux21/
- IP: Masquerading
Masquerading in the 2.2 kernel has been improved; among other things it adds support for masquerading special protocols. Be sure to read the IP Chains HOWTO for more information.