
# SOME DESCRIPTIVE TITLE
# Copyright (C) YEAR Free Software Foundation, Inc.
# This file is distributed under the same license as the PACKAGE package.
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
#
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"POT-Creation-Date: 2019-10-26 20:02+0000\n"
"PO-Revision-Date: 2019-11-14 09:36+0000\n"
"Last-Translator: roptat <roptat@lepiller.eu>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"Language: fr\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=(n > 1);\n"
"X-Generator: Pootle 2.8\n"
"X-POOTLE-MTIME: 1573724186.618013\n"

#. type: Content of the iptables-download-http entity
#: blfs-en/postlfs/security/iptables.xml:7
msgid ""
"http://www.netfilter.org/projects/iptables/files/iptables-&iptables-"
"version;.tar.bz2"
msgstr ""
"http://www.netfilter.org/projects/iptables/files/iptables-&iptables-"
"version;.tar.bz2"

#. type: Content of the iptables-download-ftp entity
#: blfs-en/postlfs/security/iptables.xml:8
msgid ""
"ftp://ftp.netfilter.org/pub/iptables/iptables-&iptables-version;.tar.bz2"
msgstr ""
"ftp://ftp.netfilter.org/pub/iptables/iptables-&iptables-version;.tar.bz2"

#. type: Content of the iptables-md5sum entity
#: blfs-en/postlfs/security/iptables.xml:9
msgid "29de711d15c040c402cf3038c69ff513"
msgstr "29de711d15c040c402cf3038c69ff513"

#. type: Content of the iptables-size entity
#: blfs-en/postlfs/security/iptables.xml:10
msgid "699 KB"
msgstr "699 Ko"

#. type: Content of the iptables-buildsize entity
#: blfs-en/postlfs/security/iptables.xml:11
msgid "17 MB"
msgstr "17 Mo"

#. type: Content of the iptables-time entity
#: blfs-en/postlfs/security/iptables.xml:12
msgid "0.2 SBU"
msgstr "0.2 SBU"

#. type: Content of: <sect1><sect1info>
#: blfs-en/postlfs/security/iptables.xml:19
#| msgid ""
#| "<othername>$LastChangedBy: dj $</othername> <date>$Date: 2019-10-26 04:32:55"
#| " +0000 (Sat, 26 Oct 2019) $</date>"
msgid ""
"<othername>$LastChangedBy: ken $</othername> <date>$Date: 2019-10-26 "
"17:41:52 +0000 (Sat, 26 Oct 2019) $</date>"
msgstr ""
"<othername>$LastChangedBy: ken $</othername> <date>$Date: 2019-10-26 "
"17:41:52 +0000 (Sat, 26 Oct 2019) $</date>"

#. type: Content of: <sect1><title>
#: blfs-en/postlfs/security/iptables.xml:23
msgid "iptables-&iptables-version;"
msgstr "iptables-&iptables-version;"

#. type: Content of:
#. <sect1><sect2><variablelist><varlistentry><listitem><indexterm><primary>
#: blfs-en/postlfs/security/iptables.xml:26
#: blfs-en/postlfs/security/iptables.xml:107
#: blfs-en/postlfs/security/iptables.xml:837
#: blfs-en/postlfs/security/iptables.xml:881
msgid "iptables"
msgstr "iptables"

#. type: Content of: <sect1><sect2><title>
#: blfs-en/postlfs/security/iptables.xml:30
msgid "Introduction to iptables"
msgstr "Introduction à iptables"

#. type: Content of: <sect1><sect2><para>
#: blfs-en/postlfs/security/iptables.xml:33
msgid ""
"<application>iptables</application> is a userspace command line program used"
" to configure Linux 2.4 and later kernel packet filtering ruleset."
msgstr ""
"<application>iptables</application> est un programme en ligne de commande et"
" en espace utilisateur utilisé pour configurer l'ensemble de règles de "
"filtrage de paquets des noyaux Linux 2.4 et supérieurs."

#. type: Content of: <sect1><sect2><bridgehead>
#: blfs-en/postlfs/security/iptables.xml:39
msgid "Package Information"
msgstr "Informations sur le paquet"

#. type: Content of: <sect1><sect2><itemizedlist><listitem><para>
#: blfs-en/postlfs/security/iptables.xml:43
msgid "Download (HTTP): <ulink url=\"&iptables-download-http;\"/>"
msgstr "Téléchargement (HTTP)&nbsp;: <ulink url=\"&iptables-download-http;\"/>"

#. type: Content of: <sect1><sect2><itemizedlist><listitem><para>
#: blfs-en/postlfs/security/iptables.xml:48
msgid "Download (FTP): <ulink url=\"&iptables-download-ftp;\"/>"
msgstr "Téléchargement (FTP)&nbsp;: <ulink url=\"&iptables-download-ftp;\"/>"

#. type: Content of: <sect1><sect2><itemizedlist><listitem><para>
#: blfs-en/postlfs/security/iptables.xml:53
msgid "Download MD5 sum: &iptables-md5sum;"
msgstr "Somme de contrôle MD5 du téléchargement&nbsp;: &iptables-md5sum;"

#. type: Content of: <sect1><sect2><itemizedlist><listitem><para>
#: blfs-en/postlfs/security/iptables.xml:58
msgid "Download size: &iptables-size;"
msgstr "Taille du téléchargement&nbsp;: &iptables-size;"

#. type: Content of: <sect1><sect2><itemizedlist><listitem><para>
#: blfs-en/postlfs/security/iptables.xml:63
msgid "Estimated disk space required: &iptables-buildsize;"
msgstr "Estimation de l'espace disque requis&nbsp;: &iptables-buildsize;"

#. type: Content of: <sect1><sect2><itemizedlist><listitem><para>
#: blfs-en/postlfs/security/iptables.xml:68
msgid "Estimated build time: &iptables-time;"
msgstr "Estimation du temps de construction&nbsp;: &iptables-time;"

#. type: Content of: <sect1><sect2><bridgehead>
#: blfs-en/postlfs/security/iptables.xml:73
msgid "iptables Dependencies"
msgstr "Dépendances de iptables"

#. type: Content of: <sect1><sect2><bridgehead>
#: blfs-en/postlfs/security/iptables.xml:75
msgid "Optional"
msgstr "Facultatives"

#. type: Content of: <sect1><sect2><para>
#: blfs-en/postlfs/security/iptables.xml:77
msgid "<xref linkend=\"nftables\"/>"
msgstr "<xref linkend=\"nftables\"/>"

#. type: Content of: <sect1><sect2><para>
#: blfs-en/postlfs/security/iptables.xml:81
msgid "User Notes: <ulink url=\"&blfs-wiki;/iptables\"/>"
msgstr "Notes utilisateur&nbsp;: <ulink url=\"&blfs-wiki;/iptables\"/>"

#. type: Content of: <sect1><sect2><title>
#: blfs-en/postlfs/security/iptables.xml:87
msgid "Kernel Configuration"
msgstr "Configuration du noyau"

#. type: Content of: <sect1><sect2><para>
#: blfs-en/postlfs/security/iptables.xml:90
#| msgid ""
#| "A firewall in Linux is accomplished through a portion of the kernel called "
#| "netfilter. The interface to netfilter is "
#| "<application>Iptables</application>. To use it, the appropriate kernel "
#| "configuration parameters are found in:"
msgid ""
"A firewall in Linux is accomplished through the netfilter interface. To use "
"<application>iptables</application> to configure netfilter, the following "
"kernel configuration parameters are required:"
msgstr ""
"Sous Linux, le pare-feu est mis en œuvre via l'interface netfilter. Pour "
"utiliser <application>iptables</application> pour configurer netfilter, les "
"paramètres de configuration du noyau suivants sont requis&nbsp;:"

#. type: Content of: <sect1><sect2><screen>
#: blfs-en/postlfs/security/iptables.xml:95
#, no-wrap
msgid ""
"<literal>[*] Networking support  ---&gt;                                    [CONFIG_NET]\n"
"      Networking Options  ---&gt;\n"
"        [*] Network packet filtering framework (Netfilter) ---&gt; [CONFIG_NETFILTER]\n"
"          Core Netfilter Configuration ---&gt;</literal>"
msgstr ""
"<literal>[*] Networking support  ---&gt;                                    [CONFIG_NET]\n"
"      Networking Options  ---&gt;\n"
"        [*] Network packet filtering framework (Netfilter) ---&gt; [CONFIG_NETFILTER]\n"
"          Core Netfilter Configuration ---&gt;</literal>"

#. type: Content of: <sect1><sect2><para>
#: blfs-en/postlfs/security/iptables.xml:101
msgid ""
"Include any connection tracking protocols that will be used, as well as any "
"protocols that you wish to use for match suppport under the \"Core Netfilter"
" Configuration\" section."
msgstr ""
"Ajoutez tous les protocoles de suivi de connexion que vous utiliserez, ainsi"
" que tous les protocoles que vous voulez utiliser pour la prise en charge de"
" leur détection dans la section «&nbsp;Core Netfilter Configuration&nbsp;»."

#. type: Content of: <sect1><sect2><title>
#: blfs-en/postlfs/security/iptables.xml:113
msgid "Installation of iptables"
msgstr "Installation de iptables"

#. type: Content of: <sect1><sect2><note><para>
#: blfs-en/postlfs/security/iptables.xml:117
#| msgid ""
#| "The installation below does not include building some specialized extension "
#| "libraries which require the raw headers in the "
#| "<application>Linux</application> source code. If you wish to build the "
#| "additional extensions (if you aren't sure, then you probably don't), you can"
#| " look at the <filename>INSTALL</filename> file to see an example of how to "
#| "change the <parameter>KERNEL_DIR=</parameter> parameter to point at the "
#| "<application>Linux</application> source code. Note that if you upgrade the "
#| "kernel version, you may also need to recompile "
#| "<application>Iptables</application> and that the BLFS team has not tested "
#| "using the raw kernel headers."
msgid ""
"The installation below does not include building some specialized extension "
"libraries which require the raw headers in the "
"<application>Linux</application> source code. If you wish to build the "
"additional extensions (if you aren't sure, then you probably don't), you can"
" look at the <filename>INSTALL</filename> file to see an example of how to "
"change the <parameter>KERNEL_DIR=</parameter> parameter to point at the "
"<application>Linux</application> source code. Note that if you upgrade the "
"kernel version, you may also need to recompile "
"<application>iptables</application> and that the BLFS team has not tested "
"using the raw kernel headers."
msgstr ""
"L'installation ci-dessous n'inclut pas la construction de quelques "
"bibliothèques d'extension spécialisées qui exigent les en-têtes raw dans le "
"code source de <application>Linux</application>. Si vous souhaitez "
"construire des extensions supplémentaires (si vous n'êtes pas sûr, vous n'en"
" avez probablement pas besoin), vous pouvez regarder le fichier "
"<filename>INSTALL</filename> pour voir un exemple de la façon de modifier le"
" paramètre <parameter>KERNEL_DIR=</parameter> pour pointer vers le code "
"source de <application>Linux</application>. Remarquez que si vous mettez à "
"jour la version du noyau, il se peut que vous deviez aussi recompiler "
"<application>iptables</application> et que l'équipe BLFS n'a pas testé "
"l'utilisation des en-têtes du noyau raw."

#. type: Content of: <sect1><sect2><para>
#: blfs-en/postlfs/security/iptables.xml:131
msgid ""
"Install <application>iptables</application> by running the following "
"commands:"
msgstr ""
"Installez <application>iptables</application> en lançant les commandes "
"suivantes&nbsp;:"

#. type: Content of: <sect1><sect2><screen>
#: blfs-en/postlfs/security/iptables.xml:135
#, no-wrap
msgid ""
"<userinput>./configure --prefix=/usr      \\\n"
"            --sbindir=/sbin    \\\n"
"            --disable-nftables \\\n"
"            --enable-libipq    \\\n"
"            --with-xtlibdir=/lib/xtables &amp;&amp;\n"
"make</userinput>"
msgstr ""
"<userinput>./configure --prefix=/usr      \\\n"
"            --sbindir=/sbin    \\\n"
"            --disable-nftables \\\n"
"            --enable-libipq    \\\n"
"            --with-xtlibdir=/lib/xtables &amp;&amp;\n"
"make</userinput>"

#. type: Content of: <sect1><sect2><para>
#: blfs-en/postlfs/security/iptables.xml:143
msgid "This package does not come with a test suite."
msgstr "Ce paquet n'est pas fourni avec une suite de tests."

#. type: Content of: <sect1><sect2><para>
#: blfs-en/postlfs/security/iptables.xml:147
msgid "Now, as the <systemitem class=\"username\">root</systemitem> user:"
msgstr ""
"Maintenant, en tant qu'utilisateur <systemitem "
"class=\"username\">root</systemitem>&nbsp;:"

#. type: Content of: <sect1><sect2><screen>
#: blfs-en/postlfs/security/iptables.xml:150
#, no-wrap
msgid ""
"<userinput>make install &amp;&amp;\n"
"ln -sfv ../../sbin/xtables-legacy-multi /usr/bin/iptables-xml &amp;&amp;\n"
"\n"
"for file in ip4tc ip6tc ipq iptc xtables\n"
"do\n"
"  mv -v /usr/lib/lib${file}.so.* /lib &amp;&amp;\n"
"  ln -sfv ../../lib/$(readlink /usr/lib/lib${file}.so) /usr/lib/lib${file}.so\n"
"done</userinput>"
msgstr ""
"<userinput>make install &amp;&amp;\n"
"ln -sfv ../../sbin/xtables-legacy-multi /usr/bin/iptables-xml &amp;&amp;\n"
"\n"
"for file in ip4tc ip6tc ipq iptc xtables\n"
"do\n"
"  mv -v /usr/lib/lib${file}.so.* /lib &amp;&amp;\n"
"  ln -sfv ../../lib/$(readlink /usr/lib/lib${file}.so) /usr/lib/lib${file}.so\n"
"done</userinput>"

#. type: Content of: <sect1><sect2><title>
#: blfs-en/postlfs/security/iptables.xml:162
msgid "Command Explanations"
msgstr "Explication des commandes"

#. type: Content of: <sect1><sect2><para>
#: blfs-en/postlfs/security/iptables.xml:165
#| msgid ""
#| "<parameter>--disable-nftables</parameter>: This switch disables building "
#| "nftables compat. Omit this switch if you have installed nftables."
msgid ""
"<parameter>--disable-nftables</parameter>: This switch disables building "
"nftables compat. Omit this switch if you have installed <xref "
"linkend=\"nftables\"/>."
msgstr ""
"<parameter>--disable-nftables</parameter>&nbsp;: Ce paramètre désactive la "
"construction de la compatibilité nftables. Supprimez-le si vous avez "
"installé <xref linkend=\"nftables\"/>."

#. type: Content of: <sect1><sect2><para>
#: blfs-en/postlfs/security/iptables.xml:171
msgid ""
"<parameter>--enable-libipq</parameter>: This switch enables building of "
"<filename class=\"libraryfile\">libipq.so</filename> which can be used by "
"some packages outside of BLFS."
msgstr ""
"<parameter>--enable-libipq</parameter>&nbsp;: Ce paramètre active la "
"construction de <filename class=\"libraryfile\">libipq.so</filename> qui "
"peut être utilisé par certains paquets extérieurs à BLFS."

#. type: Content of: <sect1><sect2><para>
#: blfs-en/postlfs/security/iptables.xml:177
#| msgid ""
#| "<parameter>--with-xtlibdir=/lib/xtables</parameter>: Ensure all "
#| "<application>Iptables</application> modules are installed in the <filename "
#| "class=\"directory\">/lib/xtables</filename> directory."
msgid ""
"<parameter>--with-xtlibdir=/lib/xtables</parameter>: Ensure all "
"<application>iptables</application> modules are installed in the <filename "
"class=\"directory\">/lib/xtables</filename> directory."
msgstr ""
"<parameter>--with-xtlibdir=/lib/xtables</parameter>&nbsp;: S'assure que tous"
" les modules d'<application>iptables</application> sont installés dans le "
"répertoire <filename class=\"directory\">/lib/xtables</filename>."

#. type: Content of: <sect1><sect2><para>
#: blfs-en/postlfs/security/iptables.xml:183
msgid ""
"<option>--enable-nfsynproxy</option>: This switch enables installation of "
"<application>nfsynproxy</application> SYNPROXY configuration tool."
msgstr ""
"<option>--enable-nfsynproxy</option>&nbsp;: Ce paramètre active "
"l'installation de l'outil de configuration SYNPROXY de "
"<application>nfsynproxy</application>."

#. type: Content of: <sect1><sect2><para>
#: blfs-en/postlfs/security/iptables.xml:188
msgid ""
"<command>ln -sfv ../../sbin/xtables-legacy-multi /usr/bin/iptables-"
"xml</command>: Ensure the symbolic link for <command>iptables-xml</command> "
"is relative."
msgstr ""
"<command>ln -sfv ../../sbin/xtables-legacy-multi /usr/bin/iptables-"
"xml</command>&nbsp;: Assure que le lien symbolique de <command>iptables-"
"xml</command> est relatif."

#. type: Content of: <sect1><sect2><title>
#: blfs-en/postlfs/security/iptables.xml:195
msgid "Configuring iptables"
msgstr "Configuration de iptables"

#. type: Content of: <sect1><sect2><note><para>
#: blfs-en/postlfs/security/iptables.xml:199
msgid ""
"If you intend to use <xref linkend=\"firewalld\"/> to configure your "
"firewall rules, you should not use the example configurations provided here,"
" nor should you enable the <phrase revision=\"sysv\">bootscript.</phrase> "
"<phrase revision=\"systemd\">systemd unit.</phrase>"
msgstr ""
"Si vous voulez utiliser <xref linkend=\"firewalld\"/> pour configurer les "
"règles du pare-feu, vous ne devriez pas utiliser les exemples de "
"configuration fournis ici, ni activer <phrase revision=\"sysv\">le script de"
" démarrage.</phrase><phrase revision=\"systemd\">l'unité systemd.</phrase>"

#. type: Content of: <sect1><sect2><note><para>
#: blfs-en/postlfs/security/iptables.xml:209
msgid ""
"In the following example configurations, <emphasis "
"role=\"strong\">LAN1</emphasis> is used for the internal LAN interface, and "
"<emphasis role=\"strong\">WAN1</emphasis> is used for the external interace "
"connected to the Internet. You will need to replace these values with "
"appropriate interface names for your system."
msgstr ""
"Dans les exemples de configuration suivants, <emphasis "
"role=\"strong\">LAN1</emphasis> est utilisé pour l'interface interne au "
"réseau local et <emphasis role=\"strong\">WAN1</emphasis> pour l'interface "
"externe connectée à Internet. Vous devrez remplacer ces valeurs par les noms "
"d'interface appropriés pour votre système."

#. type: Content of: <sect1><sect2><sect3><title>
#: blfs-en/postlfs/security/iptables.xml:219
msgid "Personal Firewall"
msgstr "Pare-feu personnel"

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/iptables.xml:222
msgid ""
"A Personal Firewall is designed to let you access all the services offered "
"on the Internet, but keep your box secure and your data private."
msgstr ""
"Un pare-feu personnel est conçu pour vous permettre d'accéder à tous les "
"services offerts sur Internet, tout en gardant votre ordinateur sécurisé et "
"vos données privées."

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/iptables.xml:228
msgid ""
"Below is a slightly modified version of Rusty Russell's recommendation from "
"the <ulink url=\"http://www.netfilter.org/documentation/HOWTO/packet-"
"filtering-HOWTO.html\"> Linux 2.4 Packet Filtering HOWTO</ulink>. It is "
"still applicable to the Linux 3.x kernels."
msgstr ""
"Voici une version légèrement modifiée de la recommandation de Rusty Russell "
"sur <ulink url=\"http://www.netfilter.org/documentation/HOWTO/packet-"
"filtering-HOWTO.html\">le guide de Packet Filter de Linux 2.4</ulink>. Elle "
"est toujours d'actualité pour les noyaux 3.x."

#. type: Content of: <sect1><sect2><sect3><screen>
#: blfs-en/postlfs/security/iptables.xml:235
#, no-wrap
msgid ""
"<userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; \"EOF\"\n"
"<literal>#!/bin/sh\n"
"\n"
"# Begin rc.iptables\n"
"\n"
"# Insert connection-tracking modules\n"
"# (not needed if built into the kernel)\n"
"modprobe nf_conntrack\n"
"modprobe xt_LOG\n"
"\n"
"# Enable broadcast echo Protection\n"
"echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\n"
"\n"
"# Disable Source Routed Packets\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route\n"
"\n"
"# Enable TCP SYN Cookie Protection\n"
"echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies\n"
"\n"
"# Disable ICMP Redirect Acceptance\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects\n"
"\n"
"# Do not send Redirect Messages\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects\n"
"\n"
"# Drop Spoofed Packets coming in on an interface, where responses\n"
"# would result in the reply going out a different interface.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter\n"
"\n"
"# Log packets with impossible addresses.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians\n"
"\n"
"# be verbose on dynamic ip-addresses  (not needed in case of static IP)\n"
"echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr\n"
"\n"
"# disable Explicit Congestion Notification\n"
"# too many routers are still ignorant\n"
"echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn\n"
"\n"
"# Set a known state\n"
"iptables -P INPUT   DROP\n"
"iptables -P FORWARD DROP\n"
"iptables -P OUTPUT  DROP\n"
"\n"
"# These lines are here in case rules are already in place and the\n"
"# script is ever rerun on the fly. We want to remove all rules and\n"
"# pre-existing user defined chains before we implement new rules.\n"
"iptables -F\n"
"iptables -X\n"
"iptables -Z\n"
"\n"
"iptables -t nat -F\n"
"\n"
"# Allow local-only connections\n"
"iptables -A INPUT  -i lo -j ACCEPT\n"
"\n"
"# Free output on any interface to any ip for any service\n"
"# (equal to -P ACCEPT)\n"
"iptables -A OUTPUT -j ACCEPT\n"
"\n"
"# Permit answers on already established connections\n"
"# and permit new connections related to established ones\n"
"# (e.g. port mode ftp)\n"
"iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n"
"\n"
"# Log everything else. What's Windows' latest exploitable vulnerability?\n"
"iptables -A INPUT -j LOG --log-prefix \"FIREWALL:INPUT \"\n"
"\n"
"# End $rc_base/rc.iptables</literal>\n"
"EOF\n"
"chmod 700 /etc/rc.d/rc.iptables</userinput>"
msgstr ""
"<userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; \"EOF\"\n"
"<literal>#!/bin/sh\n"
"\n"
"# Begin rc.iptables\n"
"\n"
"# Insert connection-tracking modules\n"
"# (not needed if built into the kernel)\n"
"modprobe nf_conntrack\n"
"modprobe xt_LOG\n"
"\n"
"# Enable broadcast echo Protection\n"
"echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\n"
"\n"
"# Disable Source Routed Packets\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route\n"
"\n"
"# Enable TCP SYN Cookie Protection\n"
"echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies\n"
"\n"
"# Disable ICMP Redirect Acceptance\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects\n"
"\n"
"# Do not send Redirect Messages\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects\n"
"\n"
"# Drop Spoofed Packets coming in on an interface, where responses\n"
"# would result in the reply going out a different interface.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter\n"
"\n"
"# Log packets with impossible addresses.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians\n"
"\n"
"# be verbose on dynamic ip-addresses  (not needed in case of static IP)\n"
"echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr\n"
"\n"
"# disable Explicit Congestion Notification\n"
"# too many routers are still ignorant\n"
"echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn\n"
"\n"
"# Set a known state\n"
"iptables -P INPUT   DROP\n"
"iptables -P FORWARD DROP\n"
"iptables -P OUTPUT  DROP\n"
"\n"
"# These lines are here in case rules are already in place and the\n"
"# script is ever rerun on the fly. We want to remove all rules and\n"
"# pre-existing user defined chains before we implement new rules.\n"
"iptables -F\n"
"iptables -X\n"
"iptables -Z\n"
"\n"
"iptables -t nat -F\n"
"\n"
"# Allow local-only connections\n"
"iptables -A INPUT  -i lo -j ACCEPT\n"
"\n"
"# Free output on any interface to any ip for any service\n"
"# (equal to -P ACCEPT)\n"
"iptables -A OUTPUT -j ACCEPT\n"
"\n"
"# Permit answers on already established connections\n"
"# and permit new connections related to established ones\n"
"# (e.g. port mode ftp)\n"
"iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n"
"\n"
"# Log everything else. What's Windows' latest exploitable vulnerability?\n"
"iptables -A INPUT -j LOG --log-prefix \"FIREWALL:INPUT \"\n"
"\n"
"# End $rc_base/rc.iptables</literal>\n"
"EOF\n"
"chmod 700 /etc/rc.d/rc.iptables</userinput>"

#. type: Content of: <sect1><sect2><sect3><screen>
#: blfs-en/postlfs/security/iptables.xml:311
#, no-wrap
msgid ""
"<userinput>install -v -dm755 /etc/systemd/scripts\n"
"\n"
"cat &gt; /etc/systemd/scripts/iptables &lt;&lt; \"EOF\"\n"
"<literal>#!/bin/sh\n"
"\n"
"# Begin /etc/systemd/scripts/iptables\n"
"\n"
"# Insert connection-tracking modules\n"
"# (not needed if built into the kernel)\n"
"modprobe nf_conntrack\n"
"modprobe xt_LOG\n"
"\n"
"# Enable broadcast echo Protection\n"
"echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\n"
"\n"
"# Disable Source Routed Packets\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route\n"
"\n"
"# Enable TCP SYN Cookie Protection\n"
"echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies\n"
"\n"
"# Disable ICMP Redirect Acceptance\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects\n"
"\n"
"# Do not send Redirect Messages\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects\n"
"\n"
"# Drop Spoofed Packets coming in on an interface, where responses\n"
"# would result in the reply going out a different interface.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter\n"
"\n"
"# Log packets with impossible addresses.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians\n"
"\n"
"# be verbose on dynamic ip-addresses  (not needed in case of static IP)\n"
"echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr\n"
"\n"
"# disable Explicit Congestion Notification\n"
"# too many routers are still ignorant\n"
"echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn\n"
"\n"
"# Set a known state\n"
"iptables -P INPUT   DROP\n"
"iptables -P FORWARD DROP\n"
"iptables -P OUTPUT  DROP\n"
"\n"
"# These lines are here in case rules are already in place and the\n"
"# script is ever rerun on the fly. We want to remove all rules and\n"
"# pre-existing user defined chains before we implement new rules.\n"
"iptables -F\n"
"iptables -X\n"
"iptables -Z\n"
"\n"
"iptables -t nat -F\n"
"\n"
"# Allow local-only connections\n"
"iptables -A INPUT  -i lo -j ACCEPT\n"
"\n"
"# Free output on any interface to any ip for any service\n"
"# (equal to -P ACCEPT)\n"
"iptables -A OUTPUT -j ACCEPT\n"
"\n"
"# Permit answers on already established connections\n"
"# and permit new connections related to established ones\n"
"# (e.g. port mode ftp)\n"
"iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n"
"\n"
"# Log everything else. What's Windows' latest exploitable vulnerability?\n"
"iptables -A INPUT -j LOG --log-prefix \"FIREWALL:INPUT \"\n"
"\n"
"# End /etc/systemd/scripts/iptables</literal>\n"
"EOF\n"
"chmod 700 /etc/systemd/scripts/iptables</userinput>"
msgstr ""
"<userinput>install -v -dm755 /etc/systemd/scripts\n"
"\n"
"cat &gt; /etc/systemd/scripts/iptables &lt;&lt; \"EOF\"\n"
"<literal>#!/bin/sh\n"
"\n"
"# Begin /etc/systemd/scripts/iptables\n"
"\n"
"# Insert connection-tracking modules\n"
"# (not needed if built into the kernel)\n"
"modprobe nf_conntrack\n"
"modprobe xt_LOG\n"
"\n"
"# Enable broadcast echo Protection\n"
"echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\n"
"\n"
"# Disable Source Routed Packets\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route\n"
"\n"
"# Enable TCP SYN Cookie Protection\n"
"echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies\n"
"\n"
"# Disable ICMP Redirect Acceptance\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects\n"
"\n"
"# Do not send Redirect Messages\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects\n"
"\n"
"# Drop Spoofed Packets coming in on an interface, where responses\n"
"# would result in the reply going out a different interface.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter\n"
"\n"
"# Log packets with impossible addresses.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians\n"
"\n"
"# be verbose on dynamic ip-addresses  (not needed in case of static IP)\n"
"echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr\n"
"\n"
"# disable Explicit Congestion Notification\n"
"# too many routers are still ignorant\n"
"echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn\n"
"\n"
"# Set a known state\n"
"iptables -P INPUT   DROP\n"
"iptables -P FORWARD DROP\n"
"iptables -P OUTPUT  DROP\n"
"\n"
"# These lines are here in case rules are already in place and the\n"
"# script is ever rerun on the fly. We want to remove all rules and\n"
"# pre-existing user defined chains before we implement new rules.\n"
"iptables -F\n"
"iptables -X\n"
"iptables -Z\n"
"\n"
"iptables -t nat -F\n"
"\n"
"# Allow local-only connections\n"
"iptables -A INPUT  -i lo -j ACCEPT\n"
"\n"
"# Free output on any interface to any ip for any service\n"
"# (equal to -P ACCEPT)\n"
"iptables -A OUTPUT -j ACCEPT\n"
"\n"
"# Permit answers on already established connections\n"
"# and permit new connections related to established ones\n"
"# (e.g. port mode ftp)\n"
"iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n"
"\n"
"# Log everything else. What's Windows' latest exploitable vulnerability?\n"
"iptables -A INPUT -j LOG --log-prefix \"FIREWALL:INPUT \"\n"
"\n"
"# End /etc/systemd/scripts/iptables</literal>\n"
"EOF\n"
"chmod 700 /etc/systemd/scripts/iptables</userinput>"

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/iptables.xml:390
msgid ""
"This script is quite simple, it drops all traffic coming into your computer "
"that wasn't initiated from your computer, but as long as you are simply "
"surfing the Internet you are unlikely to exceed its limits."
msgstr ""
"Ce script est assez simple&nbsp;: il jette tout le trafic entrant vers votre "
"ordinateur qui n'a pas été initié par votre ordinateur, mais tant que vous "
"vous contentez de surfer sur Internet, il est peu probable que vous en "
"dépassiez les limites."

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/iptables.xml:397
msgid ""
"If you frequently encounter certain delays at accessing FTP servers, take a "
"look at <xref linkend=\"fw-BB-4-ipt\"/>."
msgstr ""
"Si vous rencontrez régulièrement des délais lors de l'accès à des serveurs "
"FTP, regardez <xref linkend=\"fw-BB-4-ipt\"/>."

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/iptables.xml:402
msgid ""
"Even if you have daemons or services running on your system, these will be "
"inaccessible everywhere but from your computer itself.  If you want to allow"
" access to services on your machine, such as <command>ssh</command> or "
"<command>ping</command>, take a look at <xref linkend=\"fw-busybox-ipt\"/>."
msgstr ""
"Même si vous avez des démons ou des services qui tournent sur votre système,"
" ils seront inaccessibles de n'importe où en dehors de l'ordinateur lui-"
"même. Si vous voulez permettre l'accès aux services sur votre machine, comme"
" <command>ssh</command> ou <command>ping</command>, regardez <xref "
"linkend=\"fw-busybox-ipt\"/>."

#. type: Content of: <sect1><sect2><sect3><title>
#: blfs-en/postlfs/security/iptables.xml:413
msgid "Masquerading Router"
msgstr "Routeur de masquage"

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/iptables.xml:416
msgid ""
"A network Firewall has two interfaces, one connected to an intranet, in this"
" example <emphasis role=\"strong\">LAN1</emphasis>, and one connected to the"
" Internet, here <emphasis role=\"strong\">WAN1</emphasis>. To provide the "
"maximum security for the firewall itself, make sure that there are no "
"unnecessary servers running on it such as <application>X11</application> et "
"al.  As a general principle, the firewall itself should not access any "
"untrusted service (think of a remote server giving answers that makes a "
"daemon on your system crash, or even worse, that implements a worm via a "
"buffer-overflow)."
msgstr ""
"Un pare-feu réseau a deux interfaces, l'une connectée à un intranet, dans cet "
"exemple <emphasis role=\"strong\">LAN1</emphasis>, et l'autre connectée à "
"Internet, ici <emphasis role=\"strong\">WAN1</emphasis>. Pour assurer une "
"sécurité maximale au pare-feu lui-même, assurez-vous qu'aucun serveur inutile "
"ne tourne dessus, comme <application>X11</application> et autres. En règle "
"générale, le pare-feu lui-même ne devrait accéder à aucun service non fiable "
"(pensez à un serveur distant qui donne des réponses faisant planter un démon "
"sur votre système ou, pire encore, qui implémente un ver via un dépassement "
"de tampon)."

#. type: Content of: <sect1><sect2><sect3><screen>
#: blfs-en/postlfs/security/iptables.xml:428
#, no-wrap
msgid ""
"<userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; \"EOF\"\n"
"<literal>#!/bin/sh\n"
"\n"
"# Begin rc.iptables\n"
"\n"
"echo\n"
"echo \"You're using the example configuration for a setup of a firewall\"\n"
"echo \"from Beyond Linux From Scratch.\"\n"
"echo \"This example is far from being complete, it is only meant\"\n"
"echo \"to be a reference.\"\n"
"echo \"Firewall security is a complex issue, that exceeds the scope\"\n"
"echo \"of the configuration rules below.\"\n"
"echo \"You can find additional information\"\n"
"echo \"about firewalls in Chapter 4 of the BLFS book.\"\n"
"echo \"http://www.&lfs-domainname;/blfs\"\n"
"echo\n"
"\n"
"# Insert iptables modules (not needed if built into the kernel).\n"
"\n"
"modprobe nf_conntrack\n"
"modprobe nf_conntrack_ftp\n"
"modprobe xt_conntrack\n"
"modprobe xt_LOG\n"
"modprobe xt_state\n"
"\n"
"# Enable broadcast echo Protection\n"
"echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\n"
"\n"
"# Disable Source Routed Packets\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route\n"
"\n"
"# Enable TCP SYN Cookie Protection\n"
"echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies\n"
"\n"
"# Disable ICMP Redirect Acceptance\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects\n"
"\n"
"# Don't send Redirect Messages\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects\n"
"\n"
"# Drop Spoofed Packets coming in on an interface where responses\n"
"# would result in the reply going out a different interface.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter\n"
"\n"
"# Log packets with impossible addresses.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians\n"
"\n"
"# Be verbose on dynamic ip-addresses  (not needed in case of static IP)\n"
"echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr\n"
"\n"
"# Disable Explicit Congestion Notification\n"
"# Too many routers are still ignorant\n"
"echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn\n"
"\n"
"# Set a known state\n"
"iptables -P INPUT   DROP\n"
"iptables -P FORWARD DROP\n"
"iptables -P OUTPUT  DROP\n"
"\n"
"# These lines are here in case rules are already in place and the\n"
"# script is ever rerun on the fly. We want to remove all rules and\n"
"# pre-existing user defined chains before we implement new rules.\n"
"iptables -F\n"
"iptables -X\n"
"iptables -Z\n"
"\n"
"iptables -t nat -F\n"
"\n"
"# Allow local connections\n"
"iptables -A INPUT  -i lo -j ACCEPT\n"
"iptables -A OUTPUT -o lo -j ACCEPT\n"
"\n"
"# Allow forwarding if the initiated on the intranet\n"
"iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n"
"iptables -A FORWARD ! -i WAN1 -m conntrack --ctstate NEW       -j ACCEPT\n"
"\n"
"# Do masquerading\n"
"# (not needed if intranet is not using private ip-addresses)\n"
"iptables -t nat -A POSTROUTING -o WAN1 -j MASQUERADE\n"
"\n"
"# Log everything for debugging\n"
"# (last of all rules, but before policy rules)\n"
"iptables -A INPUT   -j LOG --log-prefix \"FIREWALL:INPUT \"\n"
"iptables -A FORWARD -j LOG --log-prefix \"FIREWALL:FORWARD \"\n"
"iptables -A OUTPUT  -j LOG --log-prefix \"FIREWALL:OUTPUT \"\n"
"\n"
"# Enable IP Forwarding\n"
"echo 1 &gt; /proc/sys/net/ipv4/ip_forward</literal>\n"
"EOF\n"
"chmod 700 /etc/rc.d/rc.iptables</userinput>"
msgstr ""
"<userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; \"EOF\"\n"
"<literal>#!/bin/sh\n"
"\n"
"# Begin rc.iptables\n"
"\n"
"echo\n"
"echo \"You're using the example configuration for a setup of a firewall\"\n"
"echo \"from Beyond Linux From Scratch.\"\n"
"echo \"This example is far from being complete, it is only meant\"\n"
"echo \"to be a reference.\"\n"
"echo \"Firewall security is a complex issue, that exceeds the scope\"\n"
"echo \"of the configuration rules below.\"\n"
"echo \"You can find additional information\"\n"
"echo \"about firewalls in Chapter 4 of the BLFS book.\"\n"
"echo \"http://www.&lfs-domainname;/blfs\"\n"
"echo\n"
"\n"
"# Insert iptables modules (not needed if built into the kernel).\n"
"\n"
"modprobe nf_conntrack\n"
"modprobe nf_conntrack_ftp\n"
"modprobe xt_conntrack\n"
"modprobe xt_LOG\n"
"modprobe xt_state\n"
"\n"
"# Enable broadcast echo Protection\n"
"echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\n"
"\n"
"# Disable Source Routed Packets\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route\n"
"\n"
"# Enable TCP SYN Cookie Protection\n"
"echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies\n"
"\n"
"# Disable ICMP Redirect Acceptance\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects\n"
"\n"
"# Don't send Redirect Messages\n"
"# (send_redirects is enabled if either conf/all or the per-interface\n"
"# value is set, and conf/default only affects interfaces created later,\n"
"# so clear every entry explicitly)\n"
"for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 &gt; $f; done\n"
"\n"
"# Drop Spoofed Packets coming in on an interface where responses\n"
"# would result in the reply going out a different interface.\n"
"# The kernel uses the maximum of conf/all and the per-interface value,\n"
"# so conf/all must be set; conf/default alone leaves existing interfaces\n"
"# unprotected.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter\n"
"\n"
"# Log packets with impossible addresses.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians\n"
"\n"
"# Be verbose on dynamic ip-addresses  (not needed in case of static IP)\n"
"echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr\n"
"\n"
"# Disable Explicit Congestion Notification\n"
"# Too many routers are still ignorant\n"
"echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn\n"
"\n"
"# Set a known state\n"
"iptables -P INPUT   DROP\n"
"iptables -P FORWARD DROP\n"
"iptables -P OUTPUT  DROP\n"
"\n"
"# These lines are here in case rules are already in place and the\n"
"# script is ever rerun on the fly. We want to remove all rules and\n"
"# pre-existing user defined chains before we implement new rules.\n"
"iptables -F\n"
"iptables -X\n"
"iptables -Z\n"
"\n"
"iptables -t nat -F\n"
"\n"
"# Allow local connections\n"
"iptables -A INPUT  -i lo -j ACCEPT\n"
"iptables -A OUTPUT -o lo -j ACCEPT\n"
"\n"
"# Allow forwarding if the initiated on the intranet\n"
"iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n"
"iptables -A FORWARD ! -i WAN1 -m conntrack --ctstate NEW       -j ACCEPT\n"
"\n"
"# Do masquerading\n"
"# (not needed if intranet is not using private ip-addresses)\n"
"iptables -t nat -A POSTROUTING -o WAN1 -j MASQUERADE\n"
"\n"
"# Log everything for debugging\n"
"# (last of all rules, but before policy rules)\n"
"# Unrestricted LOG rules let any remote host fill the system log; on a\n"
"# production firewall rate-limit them with '-m limit' (module xt_limit).\n"
"iptables -A INPUT   -j LOG --log-prefix \"FIREWALL:INPUT \"\n"
"iptables -A FORWARD -j LOG --log-prefix \"FIREWALL:FORWARD \"\n"
"iptables -A OUTPUT  -j LOG --log-prefix \"FIREWALL:OUTPUT \"\n"
"\n"
"# Enable IP Forwarding\n"
"echo 1 &gt; /proc/sys/net/ipv4/ip_forward</literal>\n"
"EOF\n"
"chmod 700 /etc/rc.d/rc.iptables</userinput>"

#. type: Content of: <sect1><sect2><sect3><screen>
#: blfs-en/postlfs/security/iptables.xml:519
#, no-wrap
msgid ""
"<userinput>install -v -dm755 /etc/systemd/scripts\n"
"\n"
"cat &gt; /etc/systemd/scripts/iptables &lt;&lt; \"EOF\"\n"
"<literal>#!/bin/sh\n"
"\n"
"# Begin /etc/systemd/scripts/iptables\n"
"\n"
"echo\n"
"echo \"You're using the example configuration for a setup of a firewall\"\n"
"echo \"from Beyond Linux From Scratch.\"\n"
"echo \"This example is far from being complete, it is only meant\"\n"
"echo \"to be a reference.\"\n"
"echo \"Firewall security is a complex issue, that exceeds the scope\"\n"
"echo \"of the configuration rules below.\"\n"
"\n"
"echo \"You can find additional information\"\n"
"echo \"about firewalls in Chapter 4 of the BLFS book.\"\n"
"echo \"http://www.&lfs-domainname;/blfs\"\n"
"echo\n"
"\n"
"# Insert iptables modules (not needed if built into the kernel).\n"
"\n"
"modprobe nf_conntrack\n"
"modprobe nf_conntrack_ftp\n"
"modprobe xt_conntrack\n"
"modprobe xt_LOG\n"
"modprobe xt_state\n"
"\n"
"# Enable broadcast echo Protection\n"
"echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\n"
"\n"
"# Disable Source Routed Packets\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route\n"
"\n"
"# Enable TCP SYN Cookie Protection\n"
"echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies\n"
"\n"
"# Disable ICMP Redirect Acceptance\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects\n"
"\n"
"# Don't send Redirect Messages\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects\n"
"\n"
"# Drop Spoofed Packets coming in on an interface where responses\n"
"# would result in the reply going out a different interface.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter\n"
"\n"
"# Log packets with impossible addresses.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians\n"
"\n"
"# Be verbose on dynamic ip-addresses  (not needed in case of static IP)\n"
"echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr\n"
"\n"
"# Disable Explicit Congestion Notification\n"
"# Too many routers are still ignorant\n"
"echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn\n"
"\n"
"# Set a known state\n"
"iptables -P INPUT   DROP\n"
"iptables -P FORWARD DROP\n"
"iptables -P OUTPUT  DROP\n"
"\n"
"# These lines are here in case rules are already in place and the\n"
"# script is ever rerun on the fly. We want to remove all rules and\n"
"# pre-existing user defined chains before we implement new rules.\n"
"iptables -F\n"
"iptables -X\n"
"iptables -Z\n"
"\n"
"iptables -t nat -F\n"
"\n"
"# Allow local connections\n"
"iptables -A INPUT  -i lo -j ACCEPT\n"
"iptables -A OUTPUT -o lo -j ACCEPT\n"
"\n"
"# Allow forwarding if the initiated on the intranet\n"
"iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n"
"iptables -A FORWARD ! -i WAN1 -m conntrack --ctstate NEW       -j ACCEPT\n"
"\n"
"# Do masquerading\n"
"# (not needed if intranet is not using private ip-addresses)\n"
"iptables -t nat -A POSTROUTING -o WAN1 -j MASQUERADE\n"
"\n"
"# Log everything for debugging\n"
"# (last of all rules, but before policy rules)\n"
"iptables -A INPUT   -j LOG --log-prefix \"FIREWALL:INPUT \"\n"
"iptables -A FORWARD -j LOG --log-prefix \"FIREWALL:FORWARD \"\n"
"iptables -A OUTPUT  -j LOG --log-prefix \"FIREWALL:OUTPUT \"\n"
"\n"
"# Enable IP Forwarding\n"
"echo 1 &gt; /proc/sys/net/ipv4/ip_forward\n"
"\n"
"# The following sections allow inbound packets for specific examples\n"
"# Uncomment the example lines and adjust as necessary\n"
"\n"
"# Allow ping on the external interface\n"
"#iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT\n"
"#iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT\n"
"\n"
"# Reject ident packets with TCP reset to avoid delays with FTP or IRC\n"
"#iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset\n"
"\n"
"# Allow HTTP and HTTPS to 192.168.0.2\n"
"#iptables -A PREROUTING -t nat -i WAN1 -p tcp --dport 80 -j DNAT --to 192.168.0.2\n"
"#iptables -A PREROUTING -t nat -i WAN1 -p tcp --dport 443 -j DNAT --to 192.168.0.2\n"
"#iptables -A FORWARD -p tcp -d 192.168.0.2 --dport 80 -j ACCEPT\n"
"#iptables -A FORWARD -p tcp -d 192.168.0.2 --dport 443 -j ACCEPT\n"
"\n"
"# End /etc/systemd/scripts/iptables</literal>\n"
"EOF\n"
"chmod 700 /etc/systemd/scripts/iptables</userinput>"
msgstr ""
"<userinput>install -v -dm755 /etc/systemd/scripts\n"
"\n"
"cat &gt; /etc/systemd/scripts/iptables &lt;&lt; \"EOF\"\n"
"<literal>#!/bin/sh\n"
"\n"
"# Begin /etc/systemd/scripts/iptables\n"
"\n"
"echo\n"
"echo \"You're using the example configuration for a setup of a firewall\"\n"
"echo \"from Beyond Linux From Scratch.\"\n"
"echo \"This example is far from being complete, it is only meant\"\n"
"echo \"to be a reference.\"\n"
"echo \"Firewall security is a complex issue, that exceeds the scope\"\n"
"echo \"of the configuration rules below.\"\n"
"\n"
"echo \"You can find additional information\"\n"
"echo \"about firewalls in Chapter 4 of the BLFS book.\"\n"
"echo \"http://www.&lfs-domainname;/blfs\"\n"
"echo\n"
"\n"
"# Insert iptables modules (not needed if built into the kernel).\n"
"\n"
"modprobe nf_conntrack\n"
"modprobe nf_conntrack_ftp\n"
"modprobe xt_conntrack\n"
"modprobe xt_LOG\n"
"modprobe xt_state\n"
"\n"
"# Enable broadcast echo Protection\n"
"echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\n"
"\n"
"# Disable Source Routed Packets\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route\n"
"\n"
"# Enable TCP SYN Cookie Protection\n"
"echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies\n"
"\n"
"# Disable ICMP Redirect Acceptance\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects\n"
"\n"
"# Don't send Redirect Messages\n"
"# (send_redirects is enabled if either conf/all or the per-interface\n"
"# value is set, and conf/default only affects interfaces created later,\n"
"# so clear every entry explicitly)\n"
"for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 &gt; $f; done\n"
"\n"
"# Drop Spoofed Packets coming in on an interface where responses\n"
"# would result in the reply going out a different interface.\n"
"# The kernel uses the maximum of conf/all and the per-interface value,\n"
"# so conf/all must be set; conf/default alone leaves existing interfaces\n"
"# unprotected.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter\n"
"\n"
"# Log packets with impossible addresses.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians\n"
"\n"
"# Be verbose on dynamic ip-addresses  (not needed in case of static IP)\n"
"echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr\n"
"\n"
"# Disable Explicit Congestion Notification\n"
"# Too many routers are still ignorant\n"
"echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn\n"
"\n"
"# Set a known state\n"
"iptables -P INPUT   DROP\n"
"iptables -P FORWARD DROP\n"
"iptables -P OUTPUT  DROP\n"
"\n"
"# These lines are here in case rules are already in place and the\n"
"# script is ever rerun on the fly. We want to remove all rules and\n"
"# pre-existing user defined chains before we implement new rules.\n"
"iptables -F\n"
"iptables -X\n"
"iptables -Z\n"
"\n"
"iptables -t nat -F\n"
"\n"
"# Allow local connections\n"
"iptables -A INPUT  -i lo -j ACCEPT\n"
"iptables -A OUTPUT -o lo -j ACCEPT\n"
"\n"
"# Allow forwarding if the initiated on the intranet\n"
"iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n"
"iptables -A FORWARD ! -i WAN1 -m conntrack --ctstate NEW       -j ACCEPT\n"
"\n"
"# Do masquerading\n"
"# (not needed if intranet is not using private ip-addresses)\n"
"iptables -t nat -A POSTROUTING -o WAN1 -j MASQUERADE\n"
"\n"
"# Log everything for debugging\n"
"# (last of all rules, but before policy rules)\n"
"# Unrestricted LOG rules let any remote host fill the system log; on a\n"
"# production firewall rate-limit them with '-m limit' (module xt_limit).\n"
"iptables -A INPUT   -j LOG --log-prefix \"FIREWALL:INPUT \"\n"
"iptables -A FORWARD -j LOG --log-prefix \"FIREWALL:FORWARD \"\n"
"iptables -A OUTPUT  -j LOG --log-prefix \"FIREWALL:OUTPUT \"\n"
"\n"
"# Enable IP Forwarding\n"
"echo 1 &gt; /proc/sys/net/ipv4/ip_forward\n"
"\n"
"# The following sections allow inbound packets for specific examples\n"
"# Uncomment the example lines and adjust as necessary\n"
"\n"
"# Allow ping on the external interface\n"
"#iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT\n"
"#iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT\n"
"\n"
"# Reject ident packets with TCP reset to avoid delays with FTP or IRC\n"
"#iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset\n"
"\n"
"# Allow HTTP and HTTPS to 192.168.0.2\n"
"#iptables -A PREROUTING -t nat -i WAN1 -p tcp --dport 80 -j DNAT --to 192.168.0.2\n"
"#iptables -A PREROUTING -t nat -i WAN1 -p tcp --dport 443 -j DNAT --to 192.168.0.2\n"
"#iptables -A FORWARD -p tcp -d 192.168.0.2 --dport 80 -j ACCEPT\n"
"#iptables -A FORWARD -p tcp -d 192.168.0.2 --dport 443 -j ACCEPT\n"
"\n"
"# End /etc/systemd/scripts/iptables</literal>\n"
"EOF\n"
"chmod 700 /etc/systemd/scripts/iptables</userinput>"

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/iptables.xml:632
msgid ""
"With this script your intranet should be reasonably secure against external "
"attacks. No one should be able to setup a new connection to any internal "
"service and, if it's masqueraded, makes your intranet invisible to the "
"Internet. Furthermore, your firewall should be relatively safe because there"
" are no services running that a cracker could attack."
msgstr ""

#. type: Content of: <sect1><sect2><sect3><title>
#: blfs-en/postlfs/security/iptables.xml:643
msgid "BusyBox"
msgstr "BusyBox"

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/iptables.xml:646
msgid ""
"This scenario isn't too different from the <xref linkend=\"fw-masqRouter-"
"ipt\"/>, but additionally offers some services to your intranet. Examples of"
" this can be when you want to administer your firewall from another host on "
"your intranet or use it as a proxy or a name server."
msgstr ""

#. type: Content of: <sect1><sect2><sect3><note><para>
#: blfs-en/postlfs/security/iptables.xml:655
msgid ""
"Outlining specifically how to protect a server that offers services on the "
"Internet goes far beyond the scope of this document. See the references in "
"<xref linkend=\"fw-extra-info\"/> for more information."
msgstr ""

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/iptables.xml:663
msgid ""
"Be cautious. Every service you have enabled makes your setup more complex "
"and your firewall less secure. You are exposed to the risks of misconfigured"
" services or running a service with an exploitable bug. A firewall should "
"generally not run any extra services.  See the introduction to the <xref "
"linkend=\"fw-masqRouter-ipt\"/> for some more details."
msgstr ""

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/iptables.xml:672
msgid ""
"If you want to add services such as internal Samba or name servers that do "
"not need to access the Internet themselves, the additional statements are "
"quite simple and should still be acceptable from a security standpoint. Just"
" add the following lines into the script <emphasis>before</emphasis> the "
"logging rules."
msgstr ""

#. type: Content of: <sect1><sect2><sect3><screen>
#: blfs-en/postlfs/security/iptables.xml:679
#, no-wrap
msgid ""
"<literal>iptables -A INPUT  -i ! WAN1  -j ACCEPT\n"
"iptables -A OUTPUT -o ! WAN1  -j ACCEPT</literal>"
msgstr ""
"<literal>iptables -A INPUT  ! -i WAN1  -j ACCEPT\n"
"iptables -A OUTPUT ! -o WAN1  -j ACCEPT</literal>"

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/iptables.xml:683
msgid ""
"If daemons, such as squid, have to access the Internet themselves, you could"
" open OUTPUT generally and restrict INPUT."
msgstr ""

#. type: Content of: <sect1><sect2><sect3><screen>
#: blfs-en/postlfs/security/iptables.xml:688
#, no-wrap
msgid ""
"<literal>iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n"
"iptables -A OUTPUT -j ACCEPT</literal>"
msgstr ""
"<literal>iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n"
"iptables -A OUTPUT -j ACCEPT</literal>"

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/iptables.xml:692
msgid ""
"However, it is generally not advisable to leave OUTPUT unrestricted. You "
"lose any control over trojans who would like to \"call home\", and a bit of "
"redundancy in case you've (mis-)configured a service so that it broadcasts "
"its existence to the world."
msgstr ""

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/iptables.xml:700
msgid ""
"To accomplish this, you should restrict INPUT and OUTPUT on all ports except"
" those that it's absolutely necessary to have open. Which ports you have to "
"open depends on your needs: mostly you will find them by looking for failed "
"accesses in your log files."
msgstr ""

#. type: Content of: <sect1><sect2><sect3><itemizedlist><title>
#: blfs-en/postlfs/security/iptables.xml:708
msgid "Have a Look at the Following Examples:"
msgstr ""

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><para>
#: blfs-en/postlfs/security/iptables.xml:711
msgid "Squid is caching the web:"
msgstr ""

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><screen>
#: blfs-en/postlfs/security/iptables.xml:714
#, no-wrap
msgid ""
"<literal>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT\n"
"iptables -A INPUT  -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED \\\n"
"  -j ACCEPT</literal>"
msgstr ""
"<literal>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT\n"
"iptables -A INPUT  -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED \\\n"
"  -j ACCEPT</literal>"

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><para>
#: blfs-en/postlfs/security/iptables.xml:721
msgid "Your caching name server (e.g., named) does its lookups via UDP:"
msgstr ""

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><screen>
#: blfs-en/postlfs/security/iptables.xml:724
#, no-wrap
msgid "<literal>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</literal>"
msgstr "<literal>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</literal>"

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><para>
#: blfs-en/postlfs/security/iptables.xml:729
msgid "You want to be able to ping your computer to ensure it's still alive:"
msgstr ""

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><screen>
#: blfs-en/postlfs/security/iptables.xml:733
#, no-wrap
msgid ""
"<literal>iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT\n"
"iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT</literal>"
msgstr ""
"<literal>iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT\n"
"iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT</literal>"

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><para>
#: blfs-en/postlfs/security/iptables.xml:739
msgid ""
"If you are frequently accessing FTP servers or enjoy chatting, you might "
"notice delays because some implementations of these daemons query an identd "
"daemon on your system to obtain usernames. Although there's really little "
"harm in this, having an identd running is not recommended because many "
"security experts feel the service gives out too much additional information."
msgstr ""

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><para>
#: blfs-en/postlfs/security/iptables.xml:748
msgid ""
"To avoid these delays you could reject the requests with a 'tcp-reset' "
"response:"
msgstr ""

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><screen>
#: blfs-en/postlfs/security/iptables.xml:752
#, no-wrap
msgid ""
"<literal>iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-"
"reset</literal>"
msgstr ""
"<literal>iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-"
"reset</literal>"

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><para>
#: blfs-en/postlfs/security/iptables.xml:757
msgid ""
"To log and drop invalid packets (packets that came in after netfilter's "
"timeout or some types of network scans) insert these rules at the top of the"
" chain:"
msgstr ""

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><screen>
#: blfs-en/postlfs/security/iptables.xml:762
#, no-wrap
msgid ""
"<literal>iptables -I INPUT 0 -p tcp -m conntrack --ctstate INVALID \\\n"
"  -j LOG --log-prefix \"FIREWALL:INVALID \"\n"
"iptables -I INPUT 1 -p tcp -m conntrack --ctstate INVALID -j DROP</literal>"
msgstr ""
"<literal>iptables -I INPUT 1 -p tcp -m conntrack --ctstate INVALID \\\n"
"  -j LOG --log-prefix \"FIREWALL:INVALID \"\n"
"iptables -I INPUT 2 -p tcp -m conntrack --ctstate INVALID -j DROP</literal>"

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><para>
#: blfs-en/postlfs/security/iptables.xml:769
msgid ""
"Anything coming from the outside should not have a private address, this is "
"a common attack called IP-spoofing:"
msgstr ""

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><screen>
#: blfs-en/postlfs/security/iptables.xml:773
#, no-wrap
msgid ""
"<literal>iptables -A INPUT -i WAN1 -s 10.0.0.0/8     -j DROP\n"
"iptables -A INPUT -i WAN1 -s 172.16.0.0/12  -j DROP\n"
"iptables -A INPUT -i WAN1 -s 192.168.0.0/16 -j DROP</literal>"
msgstr ""
"<literal>iptables -A INPUT -i WAN1 -s 10.0.0.0/8     -j DROP\n"
"iptables -A INPUT -i WAN1 -s 172.16.0.0/12  -j DROP\n"
"iptables -A INPUT -i WAN1 -s 192.168.0.0/16 -j DROP</literal>"

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><para>
#: blfs-en/postlfs/security/iptables.xml:778
msgid ""
"There are other addresses that you may also want to drop: 0.0.0.0/8, "
"127.0.0.0/8, 224.0.0.0/3 (multicast and experimental), 169.254.0.0/16 (Link "
"Local Networks), and 192.0.2.0/24 (IANA defined test network)."
msgstr ""

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><para>
#: blfs-en/postlfs/security/iptables.xml:786
msgid "If your firewall is a DHCP client, you need to allow those packets:"
msgstr ""

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><screen>
#: blfs-en/postlfs/security/iptables.xml:789
#, no-wrap
msgid ""
"<literal>iptables -A INPUT  -i WAN1 -p udp -s 0.0.0.0 --sport 67 \\\n"
"   -d 255.255.255.255 --dport 68 -j ACCEPT</literal>"
msgstr ""
"<literal>iptables -A INPUT  -i WAN1 -p udp --sport 67 --dport 68 -j ACCEPT</literal>"

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><para>
#: blfs-en/postlfs/security/iptables.xml:795
msgid ""
"To simplify debugging and be fair to anyone who'd like to access a service "
"you have disabled, purposely or by mistake, you could REJECT those packets "
"that are dropped."
msgstr ""

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><para>
#: blfs-en/postlfs/security/iptables.xml:801
msgid ""
"Obviously this must be done directly after logging as the very last lines "
"before the packets are dropped by policy:"
msgstr ""

#. type: Content of: <sect1><sect2><sect3><itemizedlist><listitem><screen>
#: blfs-en/postlfs/security/iptables.xml:805
#, no-wrap
msgid "<literal>iptables -A INPUT -j REJECT</literal>"
msgstr "<literal>iptables -A INPUT -j REJECT</literal>"

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/iptables.xml:811
msgid ""
"These are only examples to show you some of the capabilities of the firewall"
" code in Linux. Have a look at the man page of iptables.  There you will "
"find much more information. The port numbers needed for this can be found in"
" <filename>/etc/services</filename>, in case you didn't find them by trial "
"and error in your log file."
msgstr ""

#. type: Content of: <sect1><sect2><sect3><title>
#: blfs-en/postlfs/security/iptables.xml:821
msgid ""
"<phrase revision=\"sysv\">Boot Script</phrase> <phrase "
"revision=\"systemd\">Systemd Unit</phrase>"
msgstr ""
"<phrase revision=\"sysv\">Script de démarrage</phrase> <phrase "
"revision=\"systemd\">Unité Systemd</phrase>"

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/iptables.xml:825
msgid ""
"To set up the iptables firewall at boot, install the "
"<filename>/etc/rc.d/init.d/iptables</filename> init script included in the "
"<xref linkend=\"bootscripts\"/> package."
msgstr ""
"Pour paramétrer le pare-feu d'iptables au démarrage, installez le script "
"d'initialisation <filename>/etc/rc.d/init.d/iptables</filename> fourni dans "
"le paquet <xref linkend=\"bootscripts\"/>."

#. type: Content of: <sect1><sect2><sect3><para>
#: blfs-en/postlfs/security/iptables.xml:831
msgid ""
"To set up the iptables firewall at boot, install the "
"<filename>iptables.service</filename> unit included in the <xref "
"linkend=\"systemd-units\"/> package."
msgstr ""
"Pour paramétrer le pare-feu d'iptables au démarrage, installez l'unité "
"<filename>iptables.service</filename> fournie dans le paquet <xref "
"linkend=\"systemd-units\"/>."

#. type: Content of: <sect1><sect2><sect3><screen>
#: blfs-en/postlfs/security/iptables.xml:840
#, no-wrap
msgid "<userinput>make install-iptables</userinput>"
msgstr "<userinput>make install-iptables</userinput>"

#. type: Content of: <sect1><sect2><title>
#: blfs-en/postlfs/security/iptables.xml:847
msgid "Contents"
msgstr "Contenu"

#. type: Content of: <sect1><sect2><segmentedlist><segtitle>
#: blfs-en/postlfs/security/iptables.xml:850
msgid "Installed Programs"
msgstr "Programmes installés"

#. type: Content of: <sect1><sect2><segmentedlist><segtitle>
#: blfs-en/postlfs/security/iptables.xml:851
msgid "Installed Libraries"
msgstr "Bibliothèques installées"

#. type: Content of: <sect1><sect2><segmentedlist><segtitle>
#: blfs-en/postlfs/security/iptables.xml:852
msgid "Installed Directories"
msgstr "Répertoires installés"

#. type: Content of: <sect1><sect2><segmentedlist><seglistitem><seg>
#: blfs-en/postlfs/security/iptables.xml:856
msgid ""
"ip6tables, ip6tables-restore, ip6tables-save, iptables, iptables-restore, "
"iptables-save, iptables-xml, nfsynproxy (optional) and xtables-multi"
msgstr ""
"ip6tables, ip6tables-restore, ip6tables-save, iptables, iptables-restore, "
"iptables-save, iptables-xml, nfsynproxy (facultatif) et xtables-multi"

#. type: Content of: <sect1><sect2><segmentedlist><seglistitem><seg>
#: blfs-en/postlfs/security/iptables.xml:860
msgid "libip4tc.so, libip6tc.so, libipq.so, libiptc.so, and libxtables.so"
msgstr "libip4tc.so, libip6tc.so, libipq.so, libiptc.so et libxtables.so"

#. type: Content of: <sect1><sect2><segmentedlist><seglistitem><seg>
#: blfs-en/postlfs/security/iptables.xml:863
msgid "/lib/xtables and /usr/include/libiptc"
msgstr "/lib/xtables et /usr/include/libiptc"

#. type: Content of: <sect1><sect2><variablelist><bridgehead>
#: blfs-en/postlfs/security/iptables.xml:869
msgid "Short Descriptions"
msgstr "Descriptions courtes"

#. type: Content of: <sect1><sect2><variablelist><varlistentry><term>
#: blfs-en/postlfs/security/iptables.xml:874
msgid "<command>iptables</command>"
msgstr "<command>iptables</command>"

#. type: Content of:
#. <sect1><sect2><variablelist><varlistentry><listitem><para>
#: blfs-en/postlfs/security/iptables.xml:877
msgid ""
"is used to set up, maintain, and inspect the tables of IP packet filter "
"rules in the Linux kernel."
msgstr ""
"est utilisé pour paramétrer, maintenir et inspecter les tables de règles de "
"filtrage de paquets IP du noyau Linux."

#. type: Content of: <sect1><sect2><variablelist><varlistentry><term>
#: blfs-en/postlfs/security/iptables.xml:887
msgid "<command>iptables-restore</command>"
msgstr "<command>iptables-restore</command>"

#. type: Content of:
#. <sect1><sect2><variablelist><varlistentry><listitem><para>
#: blfs-en/postlfs/security/iptables.xml:890
msgid ""
"is used to restore IP Tables from data specified on STDIN. Use I/O "
"redirection provided by your shell to read from a file."
msgstr ""
"est utilisé pour restaurer des tables IP à partir de données spécifiées sur "
"STDIN. Utilisez la redirection E/S fournie par votre shell pour lire depuis "
"un fichier."

#. type: Content of:
#. <sect1><sect2><variablelist><varlistentry><listitem><indexterm><primary>
#: blfs-en/postlfs/security/iptables.xml:895
msgid "iptables-restore"
msgstr "iptables-restore"

#. type: Content of: <sect1><sect2><variablelist><varlistentry><term>
#: blfs-en/postlfs/security/iptables.xml:901
msgid "<command>iptables-save</command>"
msgstr "<command>iptables-save</command>"

#. type: Content of:
#. <sect1><sect2><variablelist><varlistentry><listitem><para>
#: blfs-en/postlfs/security/iptables.xml:904
msgid ""
"is used to dump the contents of an IP Table in easily parseable format to "
"STDOUT. Use I/O-redirection provided by your shell to write to a file."
msgstr ""
"est utilisé pour envoyer le contenu d'une table IP dans un format facilement"
" analysable vers STDOUT. Utilisez la redirection E/S fournie par votre shell"
" pour écrire dans un fichier."

#. type: Content of:
#. <sect1><sect2><variablelist><varlistentry><listitem><indexterm><primary>
#: blfs-en/postlfs/security/iptables.xml:909
msgid "iptables-save"
msgstr "iptables-save"

#. type: Content of: <sect1><sect2><variablelist><varlistentry><term>
#: blfs-en/postlfs/security/iptables.xml:915
msgid "<command>iptables-xml</command>"
msgstr "<command>iptables-xml</command>"

#. type: Content of:
#. <sect1><sect2><variablelist><varlistentry><listitem><para>
#: blfs-en/postlfs/security/iptables.xml:918
msgid ""
"is used to convert the output of <command>iptables-save</command> to an XML "
"format. Using the <filename>iptables.xslt</filename> stylesheet converts the"
" XML back to the format of <command>iptables-restore</command>."
msgstr ""
"est utilisé pour convertir la sortie de <command>iptables-save</command> au "
"format XML. L'utilisation de la feuille de style "
"<filename>iptables.xslt</filename> reconvertit le XML au format "
"<command>iptables-restore</command>."

#. type: Content of:
#. <sect1><sect2><variablelist><varlistentry><listitem><indexterm><primary>
#: blfs-en/postlfs/security/iptables.xml:924
msgid "iptables-xml"
msgstr "iptables-xml"

#. type: Content of: <sect1><sect2><variablelist><varlistentry><term>
#: blfs-en/postlfs/security/iptables.xml:930
msgid "<command>ip6tables*</command>"
msgstr "<command>ip6tables*</command>"

#. type: Content of:
#. <sect1><sect2><variablelist><varlistentry><listitem><para>
#: blfs-en/postlfs/security/iptables.xml:933
msgid ""
"are a set of commands for IPV6 that parallel the iptables commands above."
msgstr ""
"sont un ensemble de commandes pour IPV6 qui sont similaires aux commandes "
"iptables vues précédemment."

#. type: Content of:
#. <sect1><sect2><variablelist><varlistentry><listitem><indexterm><primary>
#: blfs-en/postlfs/security/iptables.xml:937
msgid "ip6tables"
msgstr "ip6tables"

#. type: Content of: <sect1><sect2><variablelist><varlistentry><term>
#: blfs-en/postlfs/security/iptables.xml:943
msgid "<command>nfsynproxy</command>"
msgstr "<command>nfsynproxy</command>"

#. type: Content of:
#. <sect1><sect2><variablelist><varlistentry><listitem><para>
#: blfs-en/postlfs/security/iptables.xml:946
msgid ""
"(optional) configuration tool. SYNPROXY target makes handling of large SYN "
"floods possible without the large performance penalties imposed by the "
"connection tracking in such cases."
msgstr ""
"(facultatif) outil de configuration. La cible SYNPROXY permet de gérer les "
"grands afflux de SYN sans les lourdes pertes de performance imposées par le "
"suivi des connexions dans de tels cas."

#. type: Content of:
#. <sect1><sect2><variablelist><varlistentry><listitem><indexterm><primary>
#: blfs-en/postlfs/security/iptables.xml:951
msgid "nfsynproxy"
msgstr "nfsynproxy"

#. type: Content of: <sect1><sect2><variablelist><varlistentry><term>
#: blfs-en/postlfs/security/iptables.xml:957
msgid "<command>xtables-multi</command>"
msgstr "<command>xtables-multi</command>"

#. type: Content of:
#. <sect1><sect2><variablelist><varlistentry><listitem><para>
#: blfs-en/postlfs/security/iptables.xml:960
msgid "is a binary that behaves according to the name it is called by."
msgstr ""
"est un binaire qui se comporte en fonction du nom par lequel il est appelé."

#. type: Content of:
#. <sect1><sect2><variablelist><varlistentry><listitem><indexterm><primary>
#: blfs-en/postlfs/security/iptables.xml:963
msgid "xtables-multi"
msgstr "xtables-multi"

#~ msgid "Iptables"
#~ msgstr "Iptables"

#~ msgid ""
#~ "The next part of this chapter deals with firewalls. The principal firewall "
#~ "tool for Linux is <application>Iptables</application>. You will need to "
#~ "install <application>Iptables</application> if you intend on using any form "
#~ "of a firewall."
#~ msgstr ""
#~ "La partie suivante de ce chapitre traite des pare-feux. L'outil principal de"
#~ " pare-feu pour Linux est <application>iptables</application>. Vous devrez "
#~ "installer <application>iptables</application> si vous souhaitez utiliser une"
#~ " forme de pare-feu."

#~ msgid ""
#~ "<ulink "
#~ "url=\"http://www.netfilter.org/projects/nftables/index.html\">nftables</ulink>"
#~ msgstr ""
#~ "<ulink "
#~ "url=\"http://www.netfilter.org/projects/nftables/index.html\">nftables</ulink>"

#~ msgid ""
#~ "For some non-x86 architectures, the raw kernel headers may be required. In "
#~ "that case, modify the <parameter>KERNEL_DIR=</parameter> parameter to point "
#~ "at the <application>Linux</application> source code."
#~ msgstr ""
#~ "Pour certaines architectures non x86, il se peut qu'il faille les en-têtes "
#~ "bruts du noyau. Dans ce cas, modifiez le paramètre "
#~ "<parameter>KERNEL_DIR=</parameter> pour pointer vers le code source de "
#~ "<application>Linux</application>."

#~ msgid ""
#~ "Introductory instructions for configuring your firewall are presented in the"
#~ " next section: <xref linkend=\"fw-firewall\"/>"
#~ msgstr ""
#~ "Des instructions d'introduction de configuration de votre pare-feu sont "
#~ "présentées dans la prochaine section&nbsp;: <xref linkend=\"fw-firewall\"/>"

#~ msgid "944558e88ddcc3b9b0d9550070fa3599"
#~ msgstr "944558e88ddcc3b9b0d9550070fa3599"

#~ msgid "664 KB"
#~ msgstr "664 Ko"

#~ msgid "b5b0b43afc245176c36a14c4fca6e661"
#~ msgstr "b5b0b43afc245176c36a14c4fca6e661"

#~ msgid "662 KB"
#~ msgstr "662 Ko"

#~ msgid "11 MB"
#~ msgstr "11 Mo"

#~ msgid ""
#~ "Fix a build failure if <ulink "
#~ "url=\"http://www.netfilter.org/projects/nftables/index.html\">nftables</ulink>"
#~ " is not installed:"
#~ msgstr ""
#~ "Corrigez une erreur de construction si <ulink "
#~ "url=\"http://www.netfilter.org/projects/nftables/index.html\">nftables</ulink>"
#~ " n'est pas installé&nbsp;:"

#~ msgid ""
#~ "<userinput>sed -e \"/iptables\\/nft\\.h/d\" \\\n"
#~ "    -i extensions/libxt_limit.c\n"
#~ "sed -e \"/^struct nftnl_rule;/a struct iptables_command_state;\" \\\n"
#~ "    -i iptables/nft-bridge.h</userinput>"
#~ msgstr ""
#~ "<userinput>sed -e \"/iptables\\/nft\\.h/d\" \\\n"
#~ "    -i extensions/libxt_limit.c\n"
#~ "sed -e \"/^struct nftnl_rule;/a struct iptables_command_state;\" \\\n"
#~ "    -i iptables/nft-bridge.h</userinput>"

#~ msgid "3874ca08438be68cd793558283df48d1"
#~ msgstr "3874ca08438be68cd793558283df48d1"

#~ msgid ""
#~ "Disable libebt/libarp extensions if <ulink "
#~ "url=\"http://www.netfilter.org/projects/nftables/index.html\">nftables</ulink>"
#~ " is not installed to prevent a build failure:"
#~ msgstr ""
#~ "Désactivez les extensions libebt et libarp si <ulink "
#~ "url=\"http://www.netfilter.org/projects/nftables/index.html\">nftables</ulink>"
#~ " n'est pas installé pour éviter un échec de construction&nbsp;:"

#~ msgid ""
#~ "<userinput>sed -i -e '/libebt_/s/^/#/' \\\n"
#~ "       -e '/libarpt_/s/^/#/' extensions/GNUmakefile.in\n"
#~ "</userinput>"
#~ msgstr ""
#~ "<userinput>sed -i -e '/libebt_/s/^/#/' \\\n"
#~ "       -e '/libarpt_/s/^/#/' extensions/GNUmakefile.in\n"
#~ "</userinput>"

#~ msgid "7d2b7847e4aa8832a18437b8a4c1873d"
#~ msgstr "7d2b7847e4aa8832a18437b8a4c1873d"

#~ msgid "628 KB"
#~ msgstr "628 Ko"

#~ msgid "15 MB"
#~ msgstr "15 Mo"

#~ msgid "ab38a33806b6182c6f53d6afb4619add"
#~ msgstr "ab38a33806b6182c6f53d6afb4619add"

#~ msgid "27ba3451cb622467fc9267a176f19a31"
#~ msgstr "27ba3451cb622467fc9267a176f19a31"

#~ msgid "596 KB"
#~ msgstr "596 Ko"

#~ msgid "19 MB"
#~ msgstr "19 Mo"

#~ msgid "Boot Script"
#~ msgstr "Script de démarrage"