# SOME DESCRIPTIVE TITLE
# Copyright (C) YEAR Free Software Foundation, Inc.
# This file is distributed under the same license as the PACKAGE package.
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
#
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"POT-Creation-Date: 2016-10-23 22:30+0200\n"
"PO-Revision-Date: 2016-10-15 08:45+0000\n"
"Last-Translator: roptat <roptat@lepiller.eu>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Language: fr\n"
"Plural-Forms: nplurals=2; plural=(n > 1);\n"
"X-Generator: Pootle 2.7\n"
"X-POOTLE-MTIME: 1476521155.695916\n"

#. type: Content of: <sect1><sect1info>
#: blfs-en/postlfs/security/firewalling.xml:12
msgid ""
"<othername>$LastChangedBy: dj $</othername> <date>$Date: 2016-06-05 07:57:10"
" +0200 (Sun, 05 Jun 2016) $</date>"
msgstr ""
"<othername>$LastChangedBy: dj $</othername> <date>$Date: 2016-06-05 07:57:10"
" +0200 (Sun, 05 Jun 2016) $</date>"

#. type: Content of: <sect1><title>
#: blfs-en/postlfs/security/firewalling.xml:16
msgid "Setting Up a Network Firewall"
msgstr "Paramétrer un pare-feu réseau"

#. type: Content of: <sect1><para>
#: blfs-en/postlfs/security/firewalling.xml:18
msgid ""
"Before you read this part of the chapter, you should have already installed "
"iptables as described in the previous section."
msgstr ""
"Avant de lire cette partie du chapitre, vous devriez avoir déjà installé "
"iptables comme décrit dans la section précédente."

#. type: Content of: <sect1><sect2><title>
#: blfs-en/postlfs/security/firewalling.xml:22
msgid "Introduction to Firewall Creation"
msgstr "Introduction à la création d'un pare-feu"

#. type: Content of: <sect1><sect2><para>
#: blfs-en/postlfs/security/firewalling.xml:24
msgid ""
"The general purpose of a firewall is to protect a computer or a network "
"against malicious access."
msgstr ""
"L'objectif général d'un pare-feu est de protéger un ordinateur ou un réseau "
"contre les accès malveillants."

#. type: Content of: <sect1><sect2><para>
#: blfs-en/postlfs/security/firewalling.xml:27
msgid ""
"In a perfect world, every daemon or service on every machine is perfectly "
"configured and immune to flaws such as buffer overflows or other problems "
"regarding its security. Furthermore, you trust every user accessing your "
"services. In this world, you do not need to have a firewall."
msgstr ""
"Dans un monde parfait, tout démon et tout service sur la machine est "
"parfaitement configuré et immunisé contre des fléaux tels que les "
"débordements de tampon ou d'autres problèmes liés à leur sécurité. De plus, "
"vous faites confiance aux utilisateurs qui accèdent à vos services. Dans ce "
"monde, vous n'avez pas besoin de pare-feu."

#. type: Content of: <sect1><sect2><para>
#: blfs-en/postlfs/security/firewalling.xml:33
msgid ""
"In the real world however, daemons may be misconfigured and exploits against"
" essential services are freely available. You may wish to choose which "
"services are accessible by certain machines or you may wish to limit which "
"machines or applications are allowed external access. Alternatively, you may"
" simply not trust some of your applications or users. You are probably "
"connected to the Internet. In this world, a firewall is essential."
msgstr ""
"Mais dans le monde réel, les démons peuvent être mal configurés et les "
"exploits contre des services essentiels sont librement disponibles. Vous "
"pouvez souhaiter choisir les services qui sont accessibles à certaines "
"machines ou vous pourriez souhaiter limiter les machines ou les applications"
" qui sont autorisés à y accéder depuis l'extérieur. Sinon, vous pouvez tout "
"simplement ne pas faire confiance à certaines de vos applications ou à "
"certains de vos utilisateurs. Vous êtes probablement connectés à Internet. "
"Dans ce monde, un pare-feu est essentiel."

#. type: Content of: <sect1><sect2><para>
#: blfs-en/postlfs/security/firewalling.xml:41
msgid ""
"Don't assume however, that having a firewall makes careful configuration "
"redundant, or that it makes any negligent misconfiguration harmless. It "
"doesn't prevent anyone from exploiting a service you intentionally offer but"
" haven't recently updated or patched after an exploit went public.  Despite "
"having a firewall, you need to keep applications and daemons on your system "
"properly configured and up to date.  A firewall is not a cure all, but "
"should be an essential part of your overall security strategy."
msgstr ""
"N'imaginez toutefois pas qu'un pare-feu rend redondante les mauvaises "
"configurations, ni qu'il ôte tout risque d'une mauvaise configuration par "
"négligence. Il n'empêche personne d'exploiter un service que vous offrez "
"intentionnellement, mais que vous n'avez pas mis à jour récemment ou que "
"vous n'avez pas corrigé après qu'un exploit a été publié. Bien qu'ayant un "
"pare-feu, vous avez besoin d'avoir sur votre système des applications et des"
" démons configurés correctement et à jour. Un pare-feu n'est pas le remède à"
" tout, mais il devrait être une partie essentielle de votre stratégie "
"globale de sécurité."

#. type: Content of: <sect1><sect2><title>
#: blfs-en/postlfs/security/firewalling.xml:53
msgid "Meaning of the Word \"Firewall\""
msgstr "Signification du mot «&nbsp;Pare-feu&nbsp;»"

#. type: Content of: <sect1><sect2><para>
#: blfs-en/postlfs/security/firewalling.xml:55
msgid "The word firewall can have several different meanings."
msgstr "Le mot «&nbsp;pare-feu&nbsp;» peut avoir plusieurs sens différents."

#. type: Content of: <sect1><sect2><sect3><title>
#: blfs-en/postlfs/security/firewalling.xml:58
msgid "<xref linkend=\"fw-persFw\"/>"
msgstr "<xref linkend=\"fw-persFw\"/>"

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/firewalling.xml:60
msgid ""
"This is a hardware device or software program commercially sold (or offered "
"via freeware) by companies such as Symantec which claims that it secures a "
"home or desktop computer connected to the Internet. This type of firewall is"
" highly relevant for users who do not know how their computers might be "
"accessed via the Internet or how to disable that access, especially if they "
"are always online and connected via broadband links."
msgstr ""
"C'est un périphérique matériel ou un logiciel disponible sur le commerce (ou"
" offert gratuitement) par des sociétés telles que Symantec qui prétend que "
"cela sécurise un ordinateur familial ou de bureau connecté à Internet. Ce "
"type de pare-feu est fort pertinent pour les utilisateurs qui ne savent pas "
"comment on pourrait accéder à leur ordinateur par Internet ou comment "
"désactiver cet accès, surtout s'ils sont toujours en ligne et connectés par "
"des liens à connexion illimitée."

#. type: Content of: <sect1><sect2><sect3><title>
#: blfs-en/postlfs/security/firewalling.xml:71
msgid "<xref linkend=\"fw-masqRouter\"/>"
msgstr "<xref linkend=\"fw-masqRouter\"/>"

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/firewalling.xml:73
msgid ""
"This is a system placed between the Internet and an intranet.  To minimize "
"the risk of compromising the firewall itself, it should generally have only "
"one role&mdash;that of protecting the intranet.  Although not completely "
"risk free, the tasks of doing the routing and IP masquerading (rewriting IP "
"headers of the packets it routes from clients with private IP addresses onto"
" the Internet so that they seem to come from the firewall itself) are "
"commonly considered relatively secure."
msgstr ""
"C'est un système placé entre Internet et l'intranet. Pour minimiser le "
"risque de compromettre le pare-feu lui-même, il ne devrait en général jouer "
"qu'un rôle&mdash;celui de protéger l'intranet. Bien que cela ne soit pas "
"sans risques, la tâche de routage et de masquage d'IP (réécrire des en-têtes"
" IP de paquets qu'il route depuis les clients avec des adresses privées sur "
"Internet afin qu'elles semblent venir du pare-feu lui-même) est en général "
"considérée comme relativement sécurisée."

#. type: Content of: <sect1><sect2><sect3><title>
#: blfs-en/postlfs/security/firewalling.xml:85
msgid "<xref linkend=\"fw-busybox\"/>"
msgstr "<xref linkend=\"fw-busybox\"/>"

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/firewalling.xml:87
msgid ""
"This is often an old computer you may have retired and nearly forgotten, "
"performing masquerading or routing functions, but offering non-firewall "
"services such as a web-cache or mail.  This may be used for home networks, "
"but is not to be considered as secure as a firewall only machine because the"
" combination of server and router/firewall on one machine raises the "
"complexity of the setup."
msgstr ""
"C'est souvent un vieil ordinateur à la retraite et que vous avez presque "
"oublié, qui fait du masquage ou des fonctions de routage mais qui offre des "
"services de non pare-feu tels qu'un cache Web ou la messagerie. Cela peut "
"être utilisé pour des réseaux familiaux, mais ce n'est pas considéré comme "
"sécurisé en tant que machine uniquement dédiée au pare-feu car la "
"combinaison d'un serveur et d'un routeur/pare-feu sur une machine augmente "
"la complexité du paramétrage."

#. type: Content of: <sect1><sect2><sect3><title>
#: blfs-en/postlfs/security/firewalling.xml:97
msgid "Firewall with a Demilitarized Zone [Not Further Described Here]"
msgstr ""
"Pare-feu avec une zone démilitarisée [Pas de description supplémentaire ici]"

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/firewalling.xml:100
msgid ""
"This box performs masquerading or routing, but grants public access to some "
"branch of your network which, because of public IPs and a physically "
"separated structure, is essentially a separate network with direct Internet "
"access. The servers on this network are those which must be easily "
"accessible from both the Internet and intranet. The firewall protects both "
"networks. This type of firewall has a minimum of three network interfaces."
msgstr ""
"Cette machine effectue du masquage ou du routage mais elle autorise un accès"
" public à certaines branches de votre réseau qui, du fait des IP publiques "
"et d'une structure physique séparée, est essentiellement un réseau séparé "
"avec un accès direct à Internet. Les serveurs sur ce réseau sont les plus "
"facilement accessibles, tant par Internet que depuis l'intranet. Le pare-feu"
" protège les deux réseaux. Ce type de pare-feu a un minimum de trois "
"interfaces réseaux."

#. type: Content of: <sect1><sect2><sect3><title>
#: blfs-en/postlfs/security/firewalling.xml:111
msgid "Packetfilter"
msgstr "Packetfilter"

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/firewalling.xml:113
msgid ""
"This type of firewall does routing or masquerading, but does not maintain a "
"state table of ongoing communication streams. It is fast, but quite limited "
"in its ability to block undesired packets without blocking desired packets."
msgstr ""
"Ce type de pare-feu fait du routage et du masquage, mais il ne maintient pas"
" un tableaux d'état de flux de communication en cours. Il est rapide mais a "
"des capacités de blocage des paquets indésirés très limitées sans bloquer "
"les paquets désirés."

#. type: Content of: <sect1><sect2><title>
#: blfs-en/postlfs/security/firewalling.xml:123
msgid "Now You Can Start to Build your Firewall"
msgstr "Maintenant vous pouvez commencer à construire votre pare-feu"

#. type: Content of: <sect1><sect2><caution><para>
#: blfs-en/postlfs/security/firewalling.xml:126
msgid ""
"This introduction on how to setup a firewall is not a complete guide to "
"securing systems. Firewalling is a complex issue that requires careful "
"configuration. The scripts quoted here are simply intended to give examples "
"of how a firewall works. They are not intended to fit into any particular "
"configuration and may not provide complete protection from an attack."
msgstr ""
"Cette introduction sur la façon de paramétrer un pare-feu n'est pas un guide"
" complet pour sécuriser des systèmes. Le pare-feu est un sujet complexe qui "
"exige une configuration soignée. Les scripts cités ici ne visent qu'à donner"
" des exemples de la façon dont fonctionne un pare-feu. Ils n'ambitionnent "
"pas de convenir à toute configuration particulière et ils peuvent ne pas "
"offrir de protection complète contre une attaque."

#. type: Content of: <sect1><sect2><caution><para>
#: blfs-en/postlfs/security/firewalling.xml:134
msgid ""
"Customization of these scripts for your specific situation will be necessary"
" for an optimal configuration, but you should make a serious study of the "
"iptables documentation and creating firewalls in general before hacking "
"away. Have a look at the list of <xref linkend=\"fw-library\"/> at the end "
"of this section for more details. There you will find a list of URLs that "
"contain quite comprehensive information about building your own firewall."
msgstr ""
"Une personnalisation de ces scripts pour votre situation spécifique sera "
"nécessaire pour avoir une configuration optimale, mais vous devriez étudier "
"sérieusement la documentation d'iptables et la création de pare-feux en "
"général avant de toucher quoique ce soit. Jetez un œil sur la liste de <xref"
" linkend=\"fw-library\"/> à la fin de cette section pour plus de détails. "
"Vous y trouverez une liste de liens contenant des informations rapides et "
"complètes sur la construction de votre propre pare-feu."

#. type: Content of: <sect1><sect2><para>
#: blfs-en/postlfs/security/firewalling.xml:143
msgid ""
"The firewall configuration script installed in the iptables section differs "
"from the standard configuration script. It only has two of the standard "
"targets: start and status. The other targets are clear and lock. For "
"instance if you issue:"
msgstr ""
"Le script de configuration de pare-feu installé dans la section sur iptables"
" diffère du script de configuration standard. Il n'a que deux des cibles "
"standards&nbsp;: start et status. Les autres cibles sont vides et "
"verrouillées. Par exemple, si vous lancez&nbsp;:"

#. type: Content of: <sect1><sect2><screen>
#: blfs-en/postlfs/security/firewalling.xml:148
#, no-wrap
msgid "<userinput>/etc/rc.d/init.d/iptables start</userinput>"
msgstr "<userinput>/etc/rc.d/init.d/iptables start</userinput>"

#. type: Content of: <sect1><sect2><para>
#: blfs-en/postlfs/security/firewalling.xml:150
msgid ""
"the firewall will be restarted just as it is upon system startup. The status"
" target will present a list of all currently implemented rules. The clear "
"target turns off all firewall rules and the lock target will block all "
"packets in and out of the computer with the exception of the loopback "
"interface."
msgstr ""
"le pare-feu sera redémarré comme s'il s'agissait du démarrage du système. La"
" cible status présentera une liste de toutes les règles actuellement "
"implémentées. La cible clear désactive toutes les règles de pare-feu et la "
"cible lock bloquera tous les paquets entrant et sortant sur l'ordinateur "
"sauf l'interface loopback."

#. type: Content of: <sect1><sect2><para>
#: blfs-en/postlfs/security/firewalling.xml:156
msgid ""
"The main startup firewall is located in the file "
"<filename>/etc/rc.d/rc.iptables</filename>. The sections below provide three"
" different approaches that can be used for a system."
msgstr ""
"Le pare-feu de démarrage principal se trouve dans le fichier "
"<filename>/etc/rc.d/rc.iptables</filename>. Les sections ci-dessous "
"présentent trois approches différentes qu'on peut utiliser sur un système."

#. type: Content of: <sect1><sect2><para>
#: blfs-en/postlfs/security/firewalling.xml:160
msgid ""
"The main startup firewall is located in the file "
"<filename>/etc/systemd/scripts/iptables</filename>. The sections below "
"provide three different approaches that can be used for a system."
msgstr ""
"Le pare-feu de démarrage principal se trouve dans le fichier "
"<filename>/etc/systemd/scripts/iptables</filename>. Les sections ci-dessous "
"présentent trois approches différentes qu'on peut utiliser sur un système."

#. type: Content of: <sect1><sect2><note><para>
#: blfs-en/postlfs/security/firewalling.xml:165
msgid ""
"You should always run your firewall rules from a script.  This ensures "
"consistency and a record of what was done. It also allows retention of "
"comments that are essential for understanding the rules long after they were"
" written."
msgstr ""
"Vous devriez toujours exécuter vos règles de pare-feu à partir d'un script. "
"Cela vous assure d'être cohérent et de vous souvenir de ce que vous avez "
"fait. Cela permet aussi de mettre des commentaires essentiels à la "
"compréhension des règles longtemps après les avoir écrites."

#. type: Content of: <sect1><sect2><sect3><title>
#: blfs-en/postlfs/security/firewalling.xml:172
msgid "Personal Firewall"
msgstr "Pare-feu personnel"

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/firewalling.xml:174
msgid ""
"A Personal Firewall is designed to let you access all the services offered "
"on the Internet, but keep your box secure and your data private."
msgstr ""
"Un pare-feu personnel est conçu pour vous permettre un accès à tous les "
"services offerts sur Internet, mais il garde votre machine ainsi que vos "
"données privées en sécurité."

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/firewalling.xml:178
msgid ""
"Below is a slightly modified version of Rusty Russell's recommendation from "
"the <ulink url=\"http://www.netfilter.org/documentation/HOWTO/packet-"
"filtering-HOWTO.html\"> Linux 2.4 Packet Filtering HOWTO</ulink>. It is "
"still applicable to the Linux 2.6 kernels."
msgstr ""
"Voici ci-dessous une version légèrement modifiée de la recommandation de "
"Rusty Russell sur le <ulink "
"url=\"http://www.netfilter.org/documentation/HOWTO/packet-filtering-"
"HOWTO.html\">Linux 2.4 Packet Filtering HOWTO</ulink> (guide pratique sur le"
" filtrage des paquets avec Linux 2.4). Il s'applique encore aux noyaux Linux"
" 2.6."

#. type: Content of: <sect1><sect2><sect3><screen>
#: blfs-en/postlfs/security/firewalling.xml:184
#, no-wrap
msgid ""
"<userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; \"EOF\"\n"
"<literal>#!/bin/sh\n"
"\n"
"# Begin rc.iptables\n"
"\n"
"# Insert connection-tracking modules\n"
"# (not needed if built into the kernel)\n"
"modprobe nf_conntrack\n"
"modprobe xt_LOG\n"
"\n"
"# Enable broadcast echo Protection\n"
"echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\n"
"\n"
"# Disable Source Routed Packets\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route\n"
"\n"
"# Enable TCP SYN Cookie Protection\n"
"echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies\n"
"\n"
"# Disable ICMP Redirect Acceptance\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects\n"
"\n"
"# Do not send Redirect Messages\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects\n"
"\n"
"# Drop Spoofed Packets coming in on an interface, where responses\n"
"# would result in the reply going out a different interface.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter\n"
"\n"
"# Log packets with impossible addresses.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians\n"
"\n"
"# be verbose on dynamic ip-addresses  (not needed in case of static IP)\n"
"echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr\n"
"\n"
"# disable Explicit Congestion Notification\n"
"# too many routers are still ignorant\n"
"echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn\n"
"\n"
"# Set a known state\n"
"iptables -P INPUT   DROP\n"
"iptables -P FORWARD DROP\n"
"iptables -P OUTPUT  DROP\n"
"\n"
"# These lines are here in case rules are already in place and the\n"
"# script is ever rerun on the fly. We want to remove all rules and\n"
"# pre-existing user defined chains before we implement new rules.\n"
"iptables -F\n"
"iptables -X\n"
"iptables -Z\n"
"\n"
"iptables -t nat -F\n"
"\n"
"# Allow local-only connections\n"
"iptables -A INPUT  -i lo -j ACCEPT\n"
"\n"
"# Free output on any interface to any ip for any service\n"
"# (equal to -P ACCEPT)\n"
"iptables -A OUTPUT -j ACCEPT\n"
"\n"
"# Permit answers on already established connections\n"
"# and permit new connections related to established ones\n"
"# (e.g. port mode ftp)\n"
"iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n"
"\n"
"# Log everything else. What's Windows' latest exploitable vulnerability?\n"
"iptables -A INPUT -j LOG --log-prefix \"FIREWALL:INPUT \"\n"
"\n"
"# End $rc_base/rc.iptables</literal>\n"
"EOF\n"
"chmod 700 /etc/rc.d/rc.iptables</userinput>"
msgstr ""
"<userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; \"EOF\"\n"
"<literal>#!/bin/sh\n"
"\n"
"# Begin rc.iptables\n"
"\n"
"# Insert connection-tracking modules\n"
"# (not needed if built into the kernel)\n"
"modprobe nf_conntrack\n"
"modprobe xt_LOG\n"
"\n"
"# Enable broadcast echo Protection\n"
"echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\n"
"\n"
"# Disable Source Routed Packets\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route\n"
"\n"
"# Enable TCP SYN Cookie Protection\n"
"echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies\n"
"\n"
"# Disable ICMP Redirect Acceptance\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects\n"
"\n"
"# Do not send Redirect Messages\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects\n"
"\n"
"# Drop Spoofed Packets coming in on an interface, where responses\n"
"# would result in the reply going out a different interface.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter\n"
"\n"
"# Log packets with impossible addresses.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians\n"
"\n"
"# be verbose on dynamic ip-addresses  (not needed in case of static IP)\n"
"echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr\n"
"\n"
"# disable Explicit Congestion Notification\n"
"# too many routers are still ignorant\n"
"echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn\n"
"\n"
"# Set a known state\n"
"iptables -P INPUT   DROP\n"
"iptables -P FORWARD DROP\n"
"iptables -P OUTPUT  DROP\n"
"\n"
"# These lines are here in case rules are already in place and the\n"
"# script is ever rerun on the fly. We want to remove all rules and\n"
"# pre-existing user defined chains before we implement new rules.\n"
"iptables -F\n"
"iptables -X\n"
"iptables -Z\n"
"\n"
"iptables -t nat -F\n"
"\n"
"# Allow local-only connections\n"
"iptables -A INPUT  -i lo -j ACCEPT\n"
"\n"
"# Free output on any interface to any ip for any service\n"
"# (equal to -P ACCEPT)\n"
"iptables -A OUTPUT -j ACCEPT\n"
"\n"
"# Permit answers on already established connections\n"
"# and permit new connections related to established ones\n"
"# (e.g. port mode ftp)\n"
"iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n"
"\n"
"# Log everything else. What's Windows' latest exploitable vulnerability?\n"
"iptables -A INPUT -j LOG --log-prefix \"FIREWALL:INPUT \"\n"
"\n"
"# End $rc_base/rc.iptables</literal>\n"
"EOF\n"
"chmod 700 /etc/rc.d/rc.iptables</userinput>"

#. type: Content of: <sect1><sect2><sect3><screen>
#: blfs-en/postlfs/security/firewalling.xml:261
#, no-wrap
msgid ""
"<userinput>install -v -dm755 /etc/systemd/scripts\n"
"\n"
"cat &gt; /etc/systemd/scripts/iptables &lt;&lt; \"EOF\"\n"
"<literal>#!/bin/sh\n"
"\n"
"# Begin /etc/systemd/scripts/iptables\n"
"\n"
"# Insert connection-tracking modules\n"
"# (not needed if built into the kernel)\n"
"modprobe nf_conntrack\n"
"modprobe xt_LOG\n"
"\n"
"# Enable broadcast echo Protection\n"
"echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\n"
"\n"
"# Disable Source Routed Packets\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route\n"
"\n"
"# Enable TCP SYN Cookie Protection\n"
"echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies\n"
"\n"
"# Disable ICMP Redirect Acceptance\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects\n"
"\n"
"# Do not send Redirect Messages\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects\n"
"\n"
"# Drop Spoofed Packets coming in on an interface, where responses\n"
"# would result in the reply going out a different interface.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter\n"
"\n"
"# Log packets with impossible addresses.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians\n"
"\n"
"# be verbose on dynamic ip-addresses  (not needed in case of static IP)\n"
"echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr\n"
"\n"
"# disable Explicit Congestion Notification\n"
"# too many routers are still ignorant\n"
"echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn\n"
"\n"
"# Set a known state\n"
"iptables -P INPUT   DROP\n"
"iptables -P FORWARD DROP\n"
"iptables -P OUTPUT  DROP\n"
"\n"
"# These lines are here in case rules are already in place and the\n"
"# script is ever rerun on the fly. We want to remove all rules and\n"
"# pre-existing user defined chains before we implement new rules.\n"
"iptables -F\n"
"iptables -X\n"
"iptables -Z\n"
"\n"
"iptables -t nat -F\n"
"\n"
"# Allow local-only connections\n"
"iptables -A INPUT  -i lo -j ACCEPT\n"
"\n"
"# Free output on any interface to any ip for any service\n"
"# (equal to -P ACCEPT)\n"
"iptables -A OUTPUT -j ACCEPT\n"
"\n"
"# Permit answers on already established connections\n"
"# and permit new connections related to established ones\n"
"# (e.g. port mode ftp)\n"
"iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n"
"\n"
"# Log everything else. What's Windows' latest exploitable vulnerability?\n"
"iptables -A INPUT -j LOG --log-prefix \"FIREWALL:INPUT \"\n"
"\n"
"# End /etc/systemd/scripts/iptables</literal>\n"
"EOF\n"
"chmod 700 /etc/systemd/scripts/iptables</userinput>"
msgstr ""
"<userinput>install -v -dm755 /etc/systemd/scripts\n"
"\n"
"cat &gt; /etc/systemd/scripts/iptables &lt;&lt; \"EOF\"\n"
"<literal>#!/bin/sh\n"
"\n"
"# Begin /etc/systemd/scripts/iptables\n"
"\n"
"# Insert connection-tracking modules\n"
"# (not needed if built into the kernel)\n"
"modprobe nf_conntrack\n"
"modprobe xt_LOG\n"
"\n"
"# Enable broadcast echo Protection\n"
"echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\n"
"\n"
"# Disable Source Routed Packets\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route\n"
"\n"
"# Enable TCP SYN Cookie Protection\n"
"echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies\n"
"\n"
"# Disable ICMP Redirect Acceptance\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects\n"
"\n"
"# Do not send Redirect Messages\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects\n"
"\n"
"# Drop Spoofed Packets coming in on an interface, where responses\n"
"# would result in the reply going out a different interface.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter\n"
"\n"
"# Log packets with impossible addresses.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians\n"
"\n"
"# be verbose on dynamic ip-addresses  (not needed in case of static IP)\n"
"echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr\n"
"\n"
"# disable Explicit Congestion Notification\n"
"# too many routers are still ignorant\n"
"echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn\n"
"\n"
"# Set a known state\n"
"iptables -P INPUT   DROP\n"
"iptables -P FORWARD DROP\n"
"iptables -P OUTPUT  DROP\n"
"\n"
"# These lines are here in case rules are already in place and the\n"
"# script is ever rerun on the fly. We want to remove all rules and\n"
"# pre-existing user defined chains before we implement new rules.\n"
"iptables -F\n"
"iptables -X\n"
"iptables -Z\n"
"\n"
"iptables -t nat -F\n"
"\n"
"# Allow local-only connections\n"
"iptables -A INPUT  -i lo -j ACCEPT\n"
"\n"
"# Free output on any interface to any ip for any service\n"
"# (equal to -P ACCEPT)\n"
"iptables -A OUTPUT -j ACCEPT\n"
"\n"
"# Permit answers on already established connections\n"
"# and permit new connections related to established ones\n"
"# (e.g. port mode ftp)\n"
"iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n"
"\n"
"# Log everything else. What's Windows' latest exploitable vulnerability?\n"
"iptables -A INPUT -j LOG --log-prefix \"FIREWALL:INPUT \"\n"
"\n"
"# End /etc/systemd/scripts/iptables</literal>\n"
"EOF\n"
"chmod 700 /etc/systemd/scripts/iptables</userinput>"

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/firewalling.xml:339
msgid ""
"This script is quite simple, it drops all traffic coming into your computer "
"that wasn't initiated from your computer, but as long as you are simply "
"surfing the Internet you are unlikely to exceed its limits."
msgstr ""
"Ce script est très simple, il accepte tout le trafic venant dans votre "
"ordinateur qui a été initié par votre ordinateur, mais tant que vous surfez "
"simplement sur Internet, il y a peu de chances que vous dépassiez ses "
"limites."

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/firewalling.xml:344
msgid ""
"If you frequently encounter certain delays at accessing FTP servers, take a "
"look at <xref linkend=\"fw-BB-4\"/>."
msgstr ""
"Si vous rencontrez souvent un certains délais pour l'accès à vos serveurs "
"FTP, jetez un œil sur <xref linkend=\"fw-BB-4\"/>."

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/firewalling.xml:347
msgid ""
"Even if you have daemons or services running on your system, these will be "
"inaccessible everywhere but from your computer itself.  If you want to allow"
" access to services on your machine, such as <command>ssh</command> or "
"<command>ping</command>, take a look at <xref linkend=\"fw-busybox\"/>."
msgstr ""
"Même si vous avez des démons ou des services en fonction sur votre système, "
"il sera inaccessible partout sauf par l'ordinateur lui-même. Si vous voulez "
"permettre l'accès à des services sur votre machine tels que "
"<command>ssh</command> ou <command>ping</command>, jetez un œil sur <xref "
"linkend=\"fw-busybox\"/>."

#. type: Content of: <sect1><sect2><sect3><title>
#: blfs-en/postlfs/security/firewalling.xml:356
msgid "Masquerading Router"
msgstr "Routeur Masquerading"

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/firewalling.xml:358
msgid ""
"A true Firewall has two interfaces, one connected to an intranet, in this "
"example <emphasis role=\"strong\">eth0</emphasis>, and one connected to the "
"Internet, here <emphasis role=\"strong\">ppp0</emphasis>. To provide the "
"maximum security for the firewall itself, make sure that there are no "
"unnecessary servers running on it such as <application>X11</application> et "
"al. As a general principle, the firewall itself should not access any "
"untrusted service (think of a remote server giving answers that make a "
"daemon on your system crash, or even worse, that implement a worm via a "
"buffer-overflow)."
msgstr ""
"Un vrai pare-feu a deux interfaces, une connectée à un intranet, dans cet "
"exemple <emphasis role=\"strong\">eth0</emphasis>, et une connectée à "
"Internet, ici <emphasis role=\"strong\">ppp0</emphasis>. Pour offrir le "
"maximum de sécurité au pare-feu lui-même, assurez-vous qu'il n'y a pas de "
"serveurs inutiles en fonction dessus tels que <application>X11</application>"
" et al. En principe, le pare-feu lui-même ne devrait accéder à aucun "
"service non fiable (pensez à un serveur distant qui donne des réponses qui "
"font planter un démon sur votre système, ou même pire, qui implémentent un "
"ver via un débordement de tampon)."

#. type: Content of: <sect1><sect2><sect3><screen>
#: blfs-en/postlfs/security/firewalling.xml:369
#, no-wrap
msgid ""
"<userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; \"EOF\"\n"
"<literal>#!/bin/sh\n"
"\n"
"# Begin rc.iptables\n"
"\n"
"echo\n"
"echo \"You're using the example configuration for a setup of a firewall\"\n"
"echo \"from Beyond Linux From Scratch.\"\n"
"echo \"This example is far from being complete, it is only meant\"\n"
"echo \"to be a reference.\"\n"
"echo \"Firewall security is a complex issue, that exceeds the scope\"\n"
"echo \"of the configuration rules below.\"\n"
"echo \"You can find additional information\"\n"
"echo \"about firewalls in Chapter 4 of the BLFS book.\"\n"
"echo \"http://www.&lfs-domainname;/blfs\"\n"
"echo\n"
"\n"
"# Insert iptables modules (not needed if built into the kernel).\n"
"\n"
"modprobe nf_conntrack\n"
"modprobe nf_conntrack_ftp\n"
"modprobe xt_conntrack\n"
"modprobe xt_LOG\n"
"modprobe xt_state\n"
"\n"
"# Enable broadcast echo Protection\n"
"echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\n"
"\n"
"# Disable Source Routed Packets\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route\n"
"\n"
"# Enable TCP SYN Cookie Protection\n"
"echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies\n"
"\n"
"# Disable ICMP Redirect Acceptance\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects\n"
"\n"
"# Don't send Redirect Messages\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects\n"
"\n"
"# Drop Spoofed Packets coming in on an interface where responses\n"
"# would result in the reply going out a different interface.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter\n"
"\n"
"# Log packets with impossible addresses.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians\n"
"\n"
"# Be verbose on dynamic ip-addresses  (not needed in case of static IP)\n"
"echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr\n"
"\n"
"# Disable Explicit Congestion Notification\n"
"# Too many routers are still ignorant\n"
"echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn\n"
"\n"
"# Set a known state\n"
"iptables -P INPUT   DROP\n"
"iptables -P FORWARD DROP\n"
"iptables -P OUTPUT  DROP\n"
"\n"
"# These lines are here in case rules are already in place and the\n"
"# script is ever rerun on the fly. We want to remove all rules and\n"
"# pre-existing user defined chains before we implement new rules.\n"
"iptables -F\n"
"iptables -X\n"
"iptables -Z\n"
"\n"
"iptables -t nat -F\n"
"\n"
"# Allow local connections\n"
"iptables -A INPUT  -i lo -j ACCEPT\n"
"iptables -A OUTPUT -o lo -j ACCEPT\n"
"\n"
"# Allow forwarding if the initiated on the intranet\n"
"iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n"
"iptables -A FORWARD ! -i ppp+ -m conntrack --ctstate NEW       -j ACCEPT\n"
"\n"
"# Do masquerading\n"
"# (not needed if intranet is not using private ip-addresses)\n"
"iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE\n"
"\n"
"# Log everything for debugging\n"
"# (last of all rules, but before policy rules)\n"
"iptables -A INPUT   -j LOG --log-prefix \"FIREWALL:INPUT \"\n"
"iptables -A FORWARD -j LOG --log-prefix \"FIREWALL:FORWARD \"\n"
"iptables -A OUTPUT  -j LOG --log-prefix \"FIREWALL:OUTPUT \"\n"
"\n"
"# Enable IP Forwarding\n"
"echo 1 &gt; /proc/sys/net/ipv4/ip_forward</literal>\n"
"EOF\n"
"chmod 700 /etc/rc.d/rc.iptables</userinput>"
msgstr ""
"<userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; \"EOF\"\n"
"<literal>#!/bin/sh\n"
"\n"
"# Begin rc.iptables\n"
"\n"
"echo\n"
"echo \"You're using the example configuration for a setup of a firewall\"\n"
"echo \"from Beyond Linux From Scratch.\"\n"
"echo \"This example is far from being complete, it is only meant\"\n"
"echo \"to be a reference.\"\n"
"echo \"Firewall security is a complex issue, that exceeds the scope\"\n"
"echo \"of the configuration rules below.\"\n"
"echo \"You can find additional information\"\n"
"echo \"about firewalls in Chapter 4 of the BLFS book.\"\n"
"echo \"http://www.&lfs-domainname;/blfs\"\n"
"echo\n"
"\n"
"# Insert iptables modules (not needed if built into the kernel).\n"
"\n"
"modprobe nf_conntrack\n"
"modprobe nf_conntrack_ftp\n"
"modprobe xt_conntrack\n"
"modprobe xt_LOG\n"
"modprobe xt_state\n"
"\n"
"# Enable broadcast echo Protection\n"
"echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\n"
"\n"
"# Disable Source Routed Packets\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route\n"
"\n"
"# Enable TCP SYN Cookie Protection\n"
"echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies\n"
"\n"
"# Disable ICMP Redirect Acceptance\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects\n"
"\n"
"# Don't send Redirect Messages\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects\n"
"\n"
"# Drop Spoofed Packets coming in on an interface where responses\n"
"# would result in the reply going out a different interface.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter\n"
"\n"
"# Log packets with impossible addresses.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians\n"
"\n"
"# Be verbose on dynamic ip-addresses  (not needed in case of static IP)\n"
"echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr\n"
"\n"
"# Disable Explicit Congestion Notification\n"
"# Too many routers are still ignorant\n"
"echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn\n"
"\n"
"# Set a known state\n"
"iptables -P INPUT   DROP\n"
"iptables -P FORWARD DROP\n"
"iptables -P OUTPUT  DROP\n"
"\n"
"# These lines are here in case rules are already in place and the\n"
"# script is ever rerun on the fly. We want to remove all rules and\n"
"# pre-existing user defined chains before we implement new rules.\n"
"iptables -F\n"
"iptables -X\n"
"iptables -Z\n"
"\n"
"iptables -t nat -F\n"
"\n"
"# Allow local connections\n"
"iptables -A INPUT  -i lo -j ACCEPT\n"
"iptables -A OUTPUT -o lo -j ACCEPT\n"
"\n"
"# Allow forwarding if the initiated on the intranet\n"
"iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n"
"iptables -A FORWARD ! -i ppp+ -m conntrack --ctstate NEW       -j ACCEPT\n"
"\n"
"# Do masquerading\n"
"# (not needed if intranet is not using private ip-addresses)\n"
"iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE\n"
"\n"
"# Log everything for debugging\n"
"# (last of all rules, but before policy rules)\n"
"iptables -A INPUT   -j LOG --log-prefix \"FIREWALL:INPUT \"\n"
"iptables -A FORWARD -j LOG --log-prefix \"FIREWALL:FORWARD \"\n"
"iptables -A OUTPUT  -j LOG --log-prefix \"FIREWALL:OUTPUT \"\n"
"\n"
"# Enable IP Forwarding\n"
"echo 1 &gt; /proc/sys/net/ipv4/ip_forward</literal>\n"
"EOF\n"
"chmod 700 /etc/rc.d/rc.iptables</userinput>"

#. type: Content of: <sect1><sect2><sect3><screen>
#: blfs-en/postlfs/security/firewalling.xml:460
#, no-wrap
msgid ""
"<userinput>install -v -dm755 /etc/systemd/scripts\n"
"\n"
"cat &gt; /etc/systemd/scripts/iptables &lt;&lt; \"EOF\"\n"
"<literal>#!/bin/sh\n"
"\n"
"# Begin /etc/systemd/scripts/iptables\n"
"\n"
"echo\n"
"echo \"You're using the example configuration for a setup of a firewall\"\n"
"echo \"from Beyond Linux From Scratch.\"\n"
"echo \"This example is far from being complete, it is only meant\"\n"
"echo \"to be a reference.\"\n"
"echo \"Firewall security is a complex issue, that exceeds the scope\"\n"
"echo \"of the configuration rules below.\"\n"
"\n"
"echo \"You can find additional information\"\n"
"echo \"about firewalls in Chapter 4 of the BLFS book.\"\n"
"echo \"http://www.&lfs-domainname;/blfs\"\n"
"echo\n"
"\n"
"# Insert iptables modules (not needed if built into the kernel).\n"
"\n"
"modprobe nf_conntrack\n"
"modprobe nf_conntrack_ftp\n"
"modprobe xt_conntrack\n"
"modprobe xt_LOG\n"
"modprobe xt_state\n"
"\n"
"# Enable broadcast echo Protection\n"
"echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\n"
"\n"
"# Disable Source Routed Packets\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route\n"
"\n"
"# Enable TCP SYN Cookie Protection\n"
"echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies\n"
"\n"
"# Disable ICMP Redirect Acceptance\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects\n"
"\n"
"# Don't send Redirect Messages\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects\n"
"\n"
"# Drop Spoofed Packets coming in on an interface where responses\n"
"# would result in the reply going out a different interface.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter\n"
"\n"
"# Log packets with impossible addresses.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians\n"
"\n"
"# Be verbose on dynamic ip-addresses  (not needed in case of static IP)\n"
"echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr\n"
"\n"
"# Disable Explicit Congestion Notification\n"
"# Too many routers are still ignorant\n"
"echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn\n"
"\n"
"# Set a known state\n"
"iptables -P INPUT   DROP\n"
"iptables -P FORWARD DROP\n"
"iptables -P OUTPUT  DROP\n"
"\n"
"# These lines are here in case rules are already in place and the\n"
"# script is ever rerun on the fly. We want to remove all rules and\n"
"# pre-existing user defined chains before we implement new rules.\n"
"iptables -F\n"
"iptables -X\n"
"iptables -Z\n"
"\n"
"iptables -t nat -F\n"
"\n"
"# Allow local connections\n"
"iptables -A INPUT  -i lo -j ACCEPT\n"
"iptables -A OUTPUT -o lo -j ACCEPT\n"
"\n"
"# Allow forwarding if the initiated on the intranet\n"
"iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n"
"iptables -A FORWARD ! -i ppp+ -m conntrack --ctstate NEW       -j ACCEPT\n"
"\n"
"# Do masquerading\n"
"# (not needed if intranet is not using private ip-addresses)\n"
"iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE\n"
"\n"
"# Log everything for debugging\n"
"# (last of all rules, but before policy rules)\n"
"iptables -A INPUT   -j LOG --log-prefix \"FIREWALL:INPUT \"\n"
"iptables -A FORWARD -j LOG --log-prefix \"FIREWALL:FORWARD \"\n"
"iptables -A OUTPUT  -j LOG --log-prefix \"FIREWALL:OUTPUT \"\n"
"\n"
"# Enable IP Forwarding\n"
"echo 1 &gt; /proc/sys/net/ipv4/ip_forward\n"
"\n"
"# End /etc/systemd/scripts/iptables</literal>\n"
"EOF\n"
"chmod 700 /etc/systemd/scripts/iptables</userinput>"
msgstr ""
"<userinput>install -v -dm755 /etc/systemd/scripts\n"
"\n"
"cat &gt; /etc/systemd/scripts/iptables &lt;&lt; \"EOF\"\n"
"<literal>#!/bin/sh\n"
"\n"
"# Begin /etc/systemd/scripts/iptables\n"
"\n"
"echo\n"
"echo \"You're using the example configuration for a setup of a firewall\"\n"
"echo \"from Beyond Linux From Scratch.\"\n"
"echo \"This example is far from being complete, it is only meant\"\n"
"echo \"to be a reference.\"\n"
"echo \"Firewall security is a complex issue, that exceeds the scope\"\n"
"echo \"of the configuration rules below.\"\n"
"\n"
"echo \"You can find additional information\"\n"
"echo \"about firewalls in Chapter 4 of the BLFS book.\"\n"
"echo \"http://www.&lfs-domainname;/blfs\"\n"
"echo\n"
"\n"
"# Insert iptables modules (not needed if built into the kernel).\n"
"\n"
"modprobe nf_conntrack\n"
"modprobe nf_conntrack_ftp\n"
"modprobe xt_conntrack\n"
"modprobe xt_LOG\n"
"modprobe xt_state\n"
"\n"
"# Enable broadcast echo Protection\n"
"echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\n"
"\n"
"# Disable Source Routed Packets\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route\n"
"\n"
"# Enable TCP SYN Cookie Protection\n"
"echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies\n"
"\n"
"# Disable ICMP Redirect Acceptance\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects\n"
"\n"
"# Don't send Redirect Messages\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects\n"
"\n"
"# Drop Spoofed Packets coming in on an interface where responses\n"
"# would result in the reply going out a different interface.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter\n"
"\n"
"# Log packets with impossible addresses.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians\n"
"\n"
"# Be verbose on dynamic ip-addresses  (not needed in case of static IP)\n"
"echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr\n"
"\n"
"# Disable Explicit Congestion Notification\n"
"# Too many routers are still ignorant\n"
"echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn\n"
"\n"
"# Set a known state\n"
"iptables -P INPUT   DROP\n"
"iptables -P FORWARD DROP\n"
"iptables -P OUTPUT  DROP\n"
"\n"
"# These lines are here in case rules are already in place and the\n"
"# script is ever rerun on the fly. We want to remove all rules and\n"
"# pre-existing user defined chains before we implement new rules.\n"
"iptables -F\n"
"iptables -X\n"
"iptables -Z\n"
"\n"
"iptables -t nat -F\n"
"\n"
"# Allow local connections\n"
"iptables -A INPUT  -i lo -j ACCEPT\n"
"iptables -A OUTPUT -o lo -j ACCEPT\n"
"\n"
"# Allow forwarding if the initiated on the intranet\n"
"iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n"
"iptables -A FORWARD ! -i ppp+ -m conntrack --ctstate NEW       -j ACCEPT\n"
"\n"
"# Do masquerading\n"
"# (not needed if intranet is not using private ip-addresses)\n"
"iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE\n"
"\n"
"# Log everything for debugging\n"
"# (last of all rules, but before policy rules)\n"
"iptables -A INPUT   -j LOG --log-prefix \"FIREWALL:INPUT \"\n"
"iptables -A FORWARD -j LOG --log-prefix \"FIREWALL:FORWARD \"\n"
"iptables -A OUTPUT  -j LOG --log-prefix \"FIREWALL:OUTPUT \"\n"
"\n"
"# Enable IP Forwarding\n"
"echo 1 &gt; /proc/sys/net/ipv4/ip_forward\n"
"\n"
"# End /etc/systemd/scripts/iptables</literal>\n"
"EOF\n"
"chmod 700 /etc/systemd/scripts/iptables</userinput>"

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/firewalling.xml:556
msgid ""
"With this script your intranet should be reasonably secure against external "
"attacks. No one should be able to set up a new connection to any internal "
"service and, if it's masqueraded, your intranet is invisible to the "
"Internet. Furthermore, your firewall should be relatively safe because there"
" are no services running that a cracker could attack."
msgstr ""
"Avec ce script, votre intranet devrait être raisonnablement sécurisé contre "
"les attaques externes. Personne ne devrait pouvoir établir de nouvelle "
"connexion vers un service interne et, s'il est masqué, votre intranet est "
"invisible depuis Internet. En outre, votre pare-feu devrait être "
"relativement sécurisé car il n'y a pas de services en fonction qu'un pirate "
"pourrait attaquer."

#. type: Content of: <sect1><sect2><sect3><note><para>
#: blfs-en/postlfs/security/firewalling.xml:564
msgid ""
"If the interface you're connecting to the Internet doesn't connect via PPP, "
"you will need to change <replaceable>&lt;ppp+&gt;</replaceable> to the name "
"of the interface (e.g., <emphasis role=\"strong\">eth1</emphasis>) which you"
" are using."
msgstr ""
"Si l'interface par laquelle vous vous connectez à Internet ne se connecte "
"pas par PPP, vous devrez modifier <replaceable>&lt;ppp+&gt;</replaceable> "
"par le nom de l'interface (par exemple, <emphasis "
"role=\"strong\">eth1</emphasis>) que vous utilisez."

#. type: Content of: <sect1><sect2><sect3><title>
#: blfs-en/postlfs/security/firewalling.xml:574
msgid "BusyBox"
msgstr "BusyBox"

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/firewalling.xml:576
msgid ""
"This scenario isn't too different from the <xref linkend=\"fw-"
"masqRouter\"/>, but additionally offers some services to your intranet. "
"Examples of this can be when you want to administer your firewall from "
"another host on your intranet or use it as a proxy or a name server."
msgstr ""
"Ce scénario n'est pas très différent du <xref linkend=\"fw-masqRouter\"/>, "
"mais il offre en plus des services à votre intranet. On peut en avoir des "
"exemples quand vous voulez administrer votre pare-feu à partir d'un autre "
"hôte de votre intranet ou l'utiliser en tant que proxy ou serveur de "
"noms."

#. type: Content of: <sect1><sect2><sect3><note><para>
#: blfs-en/postlfs/security/firewalling.xml:583
msgid ""
"Outlining a true concept of how to protect a server that offers services on "
"the Internet goes far beyond the scope of this document. See the references "
"at the end of this section for more information."
msgstr ""
"Exposer un véritable concept de protection d'un serveur offrant des "
"services sur Internet dépasse largement le cadre de ce document. Voir les "
"références à la fin de cette section pour plus d'informations."

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/firewalling.xml:589
msgid ""
"Be cautious. Every service you have enabled makes your setup more complex "
"and your firewall less secure. You are exposed to the risks of misconfigured"
" services or running a service with an exploitable bug. A firewall should "
"generally not run any extra services.  See the introduction to the <xref "
"linkend=\"fw-masqRouter\"/> for some more details."
msgstr ""
"Faites attention. Chaque service que vous avez activé complexifie votre "
"configuration et rend moins sécurisé votre pare-feu. Vous êtes exposé aux "
"risques d'une mauvaise configuration des services ou d'exécution d'un "
"service ayant un bogue exploitable. En général, un pare-feu ne devrait "
"exécuter aucun service supplémentaire. Voir l'introduction au <xref linkend"
"=\"fw-masqRouter\"/> pour des détails supplémentaires."

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/firewalling.xml:596
msgid ""
"If you want to add services such as internal Samba or name servers that do "
"not need to access the Internet themselves, the additional statements are "
"quite simple and should still be acceptable from a security standpoint. Just"
" add the following lines into the script <emphasis>before</emphasis> the "
"logging rules."
msgstr ""
"Si vous voulez ajouter des services tels que Samba en interne ou des "
"serveurs de noms qui n'ont pas besoin d'accéder eux-mêmes à Internet, les "
"règles supplémentaires sont très simples et devraient être encore "
"acceptables du point de vue de la sécurité. Ajoutez simplement les lignes "
"suivantes au script <emphasis>avant</emphasis> les règles de journalisation."

#. type: Content of: <sect1><sect2><sect3><screen>
#: blfs-en/postlfs/security/firewalling.xml:602
#, no-wrap
msgid ""
"<literal>iptables -A INPUT  ! -i ppp+  -j ACCEPT\n"
"iptables -A OUTPUT ! -o ppp+  -j ACCEPT</literal>"
msgstr ""
"<literal>iptables -A INPUT  ! -i ppp+  -j ACCEPT\n"
"iptables -A OUTPUT ! -o ppp+  -j ACCEPT</literal>"

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/firewalling.xml:605
msgid ""
"If daemons, such as squid, have to access the Internet themselves, you could"
" open OUTPUT generally and restrict INPUT."
msgstr ""
"Si des démons tels que squid doivent accéder eux-mêmes à Internet, vous "
"pourriez ouvrir OUTPUT de manière générale et restreindre INPUT."

#. type: Content of: <sect1><sect2><sect3><screen>
#: blfs-en/postlfs/security/firewalling.xml:609
#, no-wrap
msgid ""
"<literal>iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n"
"iptables -A OUTPUT -j ACCEPT</literal>"
msgstr ""
"<literal>iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n"
"iptables -A OUTPUT -j ACCEPT</literal>"

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/firewalling.xml:612
msgid ""
"However, it is generally not advisable to leave OUTPUT unrestricted. You "
"lose any control over trojans who would like to \"call home\", and a bit of "
"redundancy in case you've (mis-)configured a service so that it broadcasts "
"its existence to the world."
msgstr ""
"Il n'est toutefois généralement pas conseillé de laisser OUTPUT sans "
"restrictions. Vous perdez alors tout contrôle sur les chevaux de Troie "
"(trojan) qui voudraient «&nbsp;appeler la maison&nbsp;», ainsi qu'un peu de "
"redondance au cas où vous auriez (mal) configuré un service de sorte qu'il "
"annonce son existence au monde entier."

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/firewalling.xml:618
msgid ""
"To accomplish this, you should restrict INPUT and OUTPUT on all ports except"
" those that it's absolutely necessary to have open. Which ports you have to "
"open depends on your needs: mostly you will find them by looking for failed "
"accesses in your log files."
msgstr ""
"Pour faire cela, vous devriez restreindre INPUT et OUTPUT sur tous les ports"
" sauf ceux qu'il vous faut absolument ouvrir. Les ports que vous devez "
"ouvrir dépendent de vos besoins&nbsp;: en général, vous les trouverez en "
"découvrant des échecs d'accès dans vos fichiers journaux."

#. type: Content of: <sect1><sect2><sect3><itemizedlist><title>
#: blfs-en/postlfs/security/firewalling.xml:625
msgid "Have a Look at the Following Examples:"
msgstr "Jetez un œil sur les exemples suivants&nbsp;:"

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><para>
#: blfs-en/postlfs/security/firewalling.xml:627
msgid "Squid is caching the web:"
msgstr "Squid met en cache Internet&nbsp;:"

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><screen>
#: blfs-en/postlfs/security/firewalling.xml:629
#, no-wrap
msgid ""
"<literal>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT\n"
"iptables -A INPUT  -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED \\\n"
"  -j ACCEPT</literal>"
msgstr ""
"<literal>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT\n"
"iptables -A INPUT  -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED \\\n"
"  -j ACCEPT</literal>"

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><para>
#: blfs-en/postlfs/security/firewalling.xml:635
msgid "Your caching name server (e.g., named) does its lookups via UDP:"
msgstr ""
"Votre serveur de noms cache (par exemple named) effectue ses recherches via "
"UDP&nbsp;:"

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><screen>
#: blfs-en/postlfs/security/firewalling.xml:638
#, no-wrap
msgid "<literal>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</literal>"
msgstr "<literal>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</literal>"

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><para>
#: blfs-en/postlfs/security/firewalling.xml:642
msgid "You want to be able to ping your computer to ensure it's still alive:"
msgstr ""
"Vous voulez pouvoir pinger votre ordinateur pour vérifier qu'il est toujours"
" en vie&nbsp;:"

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><screen>
#: blfs-en/postlfs/security/firewalling.xml:645
#, no-wrap
msgid ""
"<literal>iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT\n"
"iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT</literal>"
msgstr ""
"<literal>iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT\n"
"iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT</literal>"

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><para>
#: blfs-en/postlfs/security/firewalling.xml:650
msgid ""
"If you are frequently accessing FTP servers or enjoy chatting, you might "
"notice certain delays because some implementations of these daemons have the"
" feature of querying an identd on your system to obtain usernames. Although "
"there's really little harm in this, having an identd running is not "
"recommended because many security experts feel the service gives out too "
"much additional information."
msgstr ""
"Si vous accédez souvent à des serveurs FTP ou que vous aimez chatter, vous "
"pourriez remarquer certains délais car certaines implémentations de ces "
"démons ont une fonction de recherche d'un identd sur votre système pour "
"obtenir des noms d'utilisateur. Bien qu'il y ait très peu de dangers, le "
"fait d'avoir un identd en fonction n'est pas recommandé car de nombreux "
"experts en sécurité trouvent que le service donne trop d'informations "
"supplémentaires."

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><para>
#: blfs-en/postlfs/security/firewalling.xml:658
msgid ""
"To avoid these delays you could reject the requests with a 'tcp-reset':"
msgstr ""
"Pour éviter ces délais, vous pourriez rejeter les requêtes avec un 'tcp-"
"reset'&nbsp;:"

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><screen>
#: blfs-en/postlfs/security/firewalling.xml:661
#, no-wrap
msgid ""
"<literal>iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-"
"reset</literal>"
msgstr ""
"<literal>iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-"
"reset</literal>"

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><para>
#: blfs-en/postlfs/security/firewalling.xml:665
msgid ""
"To log and drop invalid packets (packets that came in after netfilter's "
"timeout or some types of network scans) insert these rules at the top of the"
" chain:"
msgstr ""
"Pour enregistrer et rejeter des paquets invalides (des paquets qui sont "
"arrivés après le timeout de netfilter ou certains types de scans réseau), "
"insérez ces règles au début de la chaîne&nbsp;:"

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><screen>
#: blfs-en/postlfs/security/firewalling.xml:669
#, no-wrap
msgid ""
"<literal>iptables -I INPUT 1 -p tcp -m conntrack --ctstate INVALID \\\n"
"  -j LOG --log-prefix \"FIREWALL:INVALID \"\n"
"iptables -I INPUT 2 -p tcp -m conntrack --ctstate INVALID -j DROP</literal>"
msgstr ""
"<literal>iptables -I INPUT 1 -p tcp -m conntrack --ctstate INVALID \\\n"
"  -j LOG --log-prefix \"FIREWALL:INVALID \"\n"
"iptables -I INPUT 2 -p tcp -m conntrack --ctstate INVALID -j DROP</literal>"

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><para>
#: blfs-en/postlfs/security/firewalling.xml:675
msgid ""
"Anything coming from the outside should not have a private address, this is "
"a common attack called IP-spoofing:"
msgstr ""
"Tout ce qui vient de l'extérieur ne devrait pas avoir d'adresse privée, "
"c'est une attaque courante appelée IP-spoofing&nbsp;:"

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><screen>
#: blfs-en/postlfs/security/firewalling.xml:678
#, no-wrap
msgid ""
"<literal>iptables -A INPUT -i ppp+ -s 10.0.0.0/8     -j DROP\n"
"iptables -A INPUT -i ppp+ -s 172.16.0.0/12  -j DROP\n"
"iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP</literal>"
msgstr ""
"<literal>iptables -A INPUT -i ppp+ -s 10.0.0.0/8     -j DROP\n"
"iptables -A INPUT -i ppp+ -s 172.16.0.0/12  -j DROP\n"
"iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP</literal>"

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><para>
#: blfs-en/postlfs/security/firewalling.xml:682
msgid ""
"There are other addresses that you may also want to drop: 0.0.0.0/8, "
"127.0.0.0/8, 224.0.0.0/3 (multicast and experimental), 169.254.0.0/16 (Link "
"Local Networks), and 192.0.2.0/24 (IANA defined test network)."
msgstr ""
"Il y a d'autres adresses que vous pourriez aussi vouloir rejeter&nbsp;: "
"0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3 (multicast et expérimental), "
"169.254.0.0/16 (Link Local Networks, lien réseaux locaux), et 192.0.2.0/24 "
"(réseau de test défini par IANA)."

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><para>
#: blfs-en/postlfs/security/firewalling.xml:688
msgid "If your firewall is a DHCP client, you need to allow those packets:"
msgstr ""
"Si votre pare-feu est un client DHCP, vous devez autoriser ces "
"paquets&nbsp;:"

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><screen>
#: blfs-en/postlfs/security/firewalling.xml:691
#, no-wrap
msgid ""
"<literal>iptables -A INPUT  -i ppp0 -p udp -s 0.0.0.0 --sport 67 \\\n"
"   -d 255.255.255.255 --dport 68 -j ACCEPT</literal>"
msgstr ""
"<literal>iptables -A INPUT  -i ppp0 -p udp -s 0.0.0.0 --sport 67 \\\n"
"   -d 255.255.255.255 --dport 68 -j ACCEPT</literal>"

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><para>
#: blfs-en/postlfs/security/firewalling.xml:696
msgid ""
"To simplify debugging and be fair to anyone who'd like to access a service "
"you have disabled, purposely or by mistake, you could REJECT those packets "
"that are dropped."
msgstr ""
"Pour simplifier le débogage et être correct envers ceux qui aimeraient "
"accéder à un service que vous avez désactivé, volontairement ou par erreur, "
"vous pourriez rejeter (REJECT) ces paquets qui sont supprimés."

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><para>
#: blfs-en/postlfs/security/firewalling.xml:700
msgid ""
"Obviously this must be done directly after logging as the very last lines "
"before the packets are dropped by policy:"
msgstr ""
"Cela doit évidemment se faire directement après la journalisation, dans les "
"toutes dernières lignes avant que les paquets ne soient supprimés par la "
"politique par défaut&nbsp;:"

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><screen>
#: blfs-en/postlfs/security/firewalling.xml:703
#, no-wrap
msgid "<literal>iptables -A INPUT -j REJECT</literal>"
msgstr "<literal>iptables -A INPUT -j REJECT</literal>"

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/firewalling.xml:708
msgid ""
"These are only examples to show you some of the capabilities of the firewall"
" code in Linux. Have a look at the man page of iptables.  There you will "
"find much more information. The port numbers needed for this can be found in"
" <filename>/etc/services</filename>, in case you didn't find them by trial "
"and error in your log file."
msgstr ""
"Ce ne sont que des exemples pour vous montrer quelques possibilités du code "
"de pare-feu de Linux. Jetez un œil sur la page de man d'iptables. Vous y "
"trouverez beaucoup plus d'informations. Vous pouvez trouver les numéros de "
"port qui sont nécessaires dans <filename>/etc/services</filename>, au cas où"
" vous ne les auriez pas trouvés par tâtonnement dans votre fichier "
"journal."

#. type: Content of: <sect1><sect2><title>
#: blfs-en/postlfs/security/firewalling.xml:719
msgid "Conclusion"
msgstr "Conclusion"

#. type: Content of: <sect1><sect2><para>
#: blfs-en/postlfs/security/firewalling.xml:721
msgid ""
"Finally, there is one fact you must not forget: The effort spent attacking a"
" system corresponds to the value the cracker expects to gain from it. If you"
" are responsible for valuable information, you need to spend the time to "
"protect it properly."
msgstr ""
"En fin de compte, vous devez vous souvenir d'une chose&nbsp;: l'effort "
"employé pour attaquer un système correspond à la valeur qu'un pirate "
"s'attend à en tirer. Si vous êtes responsable d'informations de valeur, "
"vous devez passer du temps à les protéger correctement."

#. type: Content of: <sect1><sect2><title>
#: blfs-en/postlfs/security/firewalling.xml:729
msgid "Extra Information"
msgstr "Informations supplémentaires"

#. type: Content of: <sect1><sect2><sect3><title>
#: blfs-en/postlfs/security/firewalling.xml:732
msgid "Where to Start with Further Reading on Firewalls"
msgstr "Où commencer des lectures complémentaires sur les pare-feu"

#. type: Content of: <sect1><sect2><sect3><blockquote><literallayout>
#: blfs-en/postlfs/security/firewalling.xml:736
#, no-wrap
msgid ""
"<ulink url=\"http://www.netfilter.org/\">www.netfilter.org - Homepage of the netfilter/iptables project</ulink>\n"
"<ulink url=\"http://www.netfilter.org/documentation/FAQ/netfilter-faq.html\">Netfilter related FAQ</ulink>\n"
"<ulink url=\"http://www.netfilter.org/documentation/index.html#HOWTO\">Netfilter related HOWTO's</ulink>\n"
"<ulink url=\"http://en.tldp.org/LDP/nag2/x-087-2-firewall.html\">en.tldp.org/LDP/nag2/x-087-2-firewall.html</ulink>\n"
"<ulink url=\"http://en.tldp.org/HOWTO/Security-HOWTO.html\">en.tldp.org/HOWTO/Security-HOWTO.html</ulink>\n"
"<ulink url=\"http://en.tldp.org/HOWTO/Firewall-HOWTO.html\">en.tldp.org/HOWTO/Firewall-HOWTO.html</ulink>\n"
"<ulink url=\"http://www.linuxsecurity.com/docs/\">www.linuxsecurity.com/docs/</ulink>\n"
"<ulink url=\"http://www.little-idiot.de/firewall\">www.little-idiot.de/firewall (German &amp; outdated, but very comprehensive)</ulink>\n"
"<ulink url=\"http://linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html\">linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html</ulink>\n"
"<ulink url=\"http://staff.washington.edu/dittrich/misc/ddos\">staff.washington.edu/dittrich/misc/ddos</ulink>\n"
"<ulink url=\"http://www.e-infomax.com/ipmasq\">www.e-infomax.com/ipmasq</ulink>\n"
"<ulink url=\"http://www.circlemud.org/~jelson/writings/security/index.htm\">www.circlemud.org/~jelson/writings/security/index.htm</ulink>\n"
"<ulink url=\"http://www.securityfocus.com\">www.securityfocus.com</ulink>\n"
"<ulink url=\"http://www.cert.org/tech_tips/\">www.cert.org - tech_tips</ulink>\n"
"<ulink url=\"http://security.ittoolbox.com/\">security.ittoolbox.com</ulink>\n"
"<ulink url=\"http://www.insecure.org/reading.html\">www.insecure.org/reading.html</ulink>\n"
"        "
msgstr ""
"<ulink url=\"http://www.netfilter.org/\">www.netfilter.org - Page d'accueil du projet netfilter/iptables</ulink>\n"
"<ulink url=\"http://www.netfilter.org/documentation/FAQ/netfilter-faq.html\">FAQ liée à Netfilter</ulink>\n"
"<ulink url=\"http://www.netfilter.org/documentation/index.html#HOWTO\">guides pratiques liés à Netfilter</ulink>\n"
"<ulink url=\"http://en.tldp.org/LDP/nag2/x-087-2-firewall.html\">en.tldp.org/LDP/nag2/x-087-2-firewall.html</ulink>\n"
"<ulink url=\"http://en.tldp.org/HOWTO/Security-HOWTO.html\">en.tldp.org/HOWTO/Security-HOWTO.html</ulink>\n"
"<ulink url=\"http://en.tldp.org/HOWTO/Firewall-HOWTO.html\">en.tldp.org/HOWTO/Firewall-HOWTO.html</ulink>\n"
"<ulink url=\"http://www.linuxsecurity.com/docs/\">www.linuxsecurity.com/docs/</ulink>\n"
"<ulink url=\"http://www.little-idiot.de/firewall\">www.little-idiot.de/firewall (en allemand &amp; obsolète, mais très complet)</ulink>\n"
"<ulink url=\"http://linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html\">linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html</ulink>\n"
"<ulink url=\"http://staff.washington.edu/dittrich/misc/ddos\">staff.washington.edu/dittrich/misc/ddos</ulink>\n"
"<ulink url=\"http://www.e-infomax.com/ipmasq\">www.e-infomax.com/ipmasq</ulink>\n"
"<ulink url=\"http://www.circlemud.org/~jelson/writings/security/index.htm\">www.circlemud.org/~jelson/writings/security/index.htm</ulink>\n"
"<ulink url=\"http://www.securityfocus.com\">www.securityfocus.com</ulink>\n"
"<ulink url=\"http://www.cert.org/tech_tips/\">www.cert.org - tech_tips</ulink>\n"
"<ulink url=\"http://security.ittoolbox.com/\">security.ittoolbox.com</ulink>\n"
"<ulink url=\"http://www.insecure.org/reading.html\">www.insecure.org/reading.html</ulink>\n"
"        "