Kernel Configuration

Listed below are just the Netfilter related kernel configuration options. If you've never compiled a kernel before, it's probably about time. A detailed kernel compilation HOWTO can be found at http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html.

Note: I'm often asked whether loadable module support should be disabled on a firewall (because of rootkits). Currently I'm of the opinion that if someone has rooted your firewall, you've got much bigger problems than them loading modules. Either way, once rooted, the attacker has access to /proc/kcore and can insert modules whether or not you've enabled loadable module support in your kernel.

Recommended (non-netfilter related) - These options affect various networking functions of your Linux kernel, but the behaviour they enable can be turned on or off at runtime

  • CONFIG_PROC_FS - enables the virtual /proc filesystem
  • CONFIG_INET_ECN - TCP Explicit Congestion Notification (ECN) support
  • CONFIG_SYN_COOKIES - SYN cookies provide protection against synfloods
  • CONFIG_IP_ADVANCED_ROUTER - enables the options below (and others not listed here)
    • CONFIG_IP_ROUTE_VERBOSE - enables verbose route monitoring
    • CONFIG_IP_ROUTE_LARGE_TABLES - improves routing performance for routing zones that grow to more than 64 entries

Required - Kernel v2.4.x (v2.4.5 recommended)

  • CONFIG_PACKET - also known as packet socket
  • CONFIG_NETFILTER - enables all of the netfilter related options below

Netfilter related - asterisked options are recommended

  • CONFIG_IP_NF_CONNTRACK*
  • CONFIG_IP_NF_FTP*
  • CONFIG_IP_NF_QUEUE
  • CONFIG_IP_NF_IPTABLES*
  • CONFIG_IP_NF_MATCH_LIMIT*
  • CONFIG_IP_NF_MATCH_MAC
  • CONFIG_IP_NF_MATCH_MARK
  • CONFIG_IP_NF_MATCH_MULTIPORT*
  • CONFIG_IP_NF_MATCH_TOS
  • CONFIG_IP_NF_MATCH_TCPMSS
  • CONFIG_IP_NF_MATCH_STATE*
  • CONFIG_IP_NF_MATCH_UNCLEAN*
  • CONFIG_IP_NF_MATCH_OWNER
  • CONFIG_IP_NF_FILTER*
  • CONFIG_IP_NF_TARGET_REJECT*
  • CONFIG_IP_NF_TARGET_MIRROR
  • CONFIG_IP_NF_NAT*
  • CONFIG_IP_NF_NAT_NEEDED*
  • CONFIG_IP_NF_TARGET_MASQUERADE*
  • CONFIG_IP_NF_TARGET_REDIRECT
  • CONFIG_IP_NF_NAT_FTP*
  • CONFIG_IP_NF_MANGLE*
  • CONFIG_IP_NF_TARGET_TOS
  • CONFIG_IP_NF_TARGET_MARK
  • CONFIG_IP_NF_TARGET_LOG*
  • CONFIG_IP_NF_TARGET_TCPMSS
  • CONFIG_IP_NF_COMPAT_IPCHAINS
  • CONFIG_IP_NF_COMPAT_IPFWADM
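
Before building, it is worth checking the kernel's .config against the required and asterisked options above rather than discovering a missing match or target when an iptables rule fails to load. The script below is an added example and is not part of the original page or the Netfilter project: it parses the .config key=value format (treating "is not set" comments and absent keys alike as n), reports which of the page's required and recommended options are neither built in (y) nor modular (m), and runs against a constructed sample .config fragment embedded here for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Checks a kernel .config for the
# Netfilter options the page marks as required or recommended (asterisked).

# Required options and asterisked (recommended) options, as listed on the page.
REQUIRED="CONFIG_PACKET CONFIG_NETFILTER"
RECOMMENDED="CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_FTP CONFIG_IP_NF_IPTABLES \
CONFIG_IP_NF_MATCH_LIMIT CONFIG_IP_NF_MATCH_MULTIPORT CONFIG_IP_NF_MATCH_STATE \
CONFIG_IP_NF_MATCH_UNCLEAN CONFIG_IP_NF_FILTER CONFIG_IP_NF_TARGET_REJECT \
CONFIG_IP_NF_NAT CONFIG_IP_NF_NAT_NEEDED CONFIG_IP_NF_TARGET_MASQUERADE \
CONFIG_IP_NF_NAT_FTP CONFIG_IP_NF_MANGLE CONFIG_IP_NF_TARGET_LOG"

# Constructed sample .config fragment (not taken from any real kernel).
# CONFIG_IP_NF_MATCH_UNCLEAN is deliberately left unset so the check has
# something to report. For a real kernel, point CONFIG_FILE at the source
# tree's .config instead (for example /usr/src/linux/.config).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
# Constructed sample .config fragment
CONFIG_PACKET=y
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_STATE=m
# CONFIG_IP_NF_MATCH_UNCLEAN is not set
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_LOG=m
EOF
CONFIG_FILE=$SAMPLE

# config_state FILE OPTION
# Prints y (built in), m (module) or n. A "# CONFIG_X is not set" comment and
# a key that is absent altogether both count as n. The regex anchors the whole
# line so CONFIG_IP_NF_NAT does not match CONFIG_IP_NF_NAT_NEEDED.
config_state() {
    state=$(sed -n "s/^$2=\([ym]\)$/\1/p" "$1" | head -n 1)
    printf '%s\n' "${state:-n}"
}

# check_options FILE "OPT1 OPT2 ..."
# Prints one "missing: OPT" line per option that is neither y nor m.
# Returns 0 when every option is present, 1 otherwise.
check_options() {
    file=$1
    missing=0
    for opt in $2; do
        case $(config_state "$file" "$opt") in
            y|m) ;;
            *) printf 'missing: %s\n' "$opt"; missing=$((missing + 1)) ;;
        esac
    done
    [ "$missing" -eq 0 ]
}

echo "Required options:"
check_options "$CONFIG_FILE" "$REQUIRED" && echo "  all present"
echo "Recommended options:"
check_options "$CONFIG_FILE" "$RECOMMENDED" && echo "  all present"
```

Run against the sample it reports CONFIG_IP_NF_MATCH_UNCLEAN as missing from the recommended set and nothing missing from the required set. Options compiled as modules still need the corresponding iptables userspace support and the module loaded (or loadable) at rule-insertion time, which is the trade-off the note about loadable module support above is weighing.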

Experimental - See the previous page on compiling iptables. Note that these options are only available if you patch your standard kernel via the 'pending-patches' or 'patch-o-matic' compile options and apply the corresponding patches.

  • CONFIG_IP_NF_DROPTABLE
  • CONFIG_IP_NF_EGG
  • CONFIG_IP_NF_IRC
  • CONFIG_IP_NF_MATCH_AH_ESP
  • CONFIG_IP_NF_MATCH_IPLIMIT
  • CONFIG_IP_NF_MATCH_LENGTH
  • CONFIG_IP_NF_MATCH_PSD
  • CONFIG_IP_NF_MATCH_RPC
  • CONFIG_IP_NF_MATCH_TTL
  • CONFIG_IP_NF_NAT_SNMP_BASIC
  • CONFIG_IP_NF_POOL
  • CONFIG_IP_NF_TALK
  • CONFIG_IP_NF_TARGET_BALANCE
  • CONFIG_IP_NF_TARGET_FTOS
  • CONFIG_IP_NF_TARGET_NETLINK
  • CONFIG_IP_NF_TARGET_SAME
  • CONFIG_IP_NF_TARGET_TTL
  • CONFIG_IP_NF_TARGET_ULOG
  • CONFIG_IP6_NF_TARGET_LOG
  • CONFIG_IP6_NF_TARGET_REJECT