
PROPOSAL: simple masquerading and filtering firewall setup



Hi,

	[ please read through this longish message; code included]

	Recently, an upgrade to ipmasq shredded my firewall setup
 (I had a beautiful, hand crafted filtering firewall in
 /etc/rc.boot/ipmasq), which got me thinking about how better to
 customize the setup to be more accessible to advanced users, while
 retaining the ease of use that the current setup has achieved (Kudos
 to the maintainer!)

	Well, I looked at /sbin/ipmasq, and liked the infrastructure
 (again, wonderful work). However, I did not agree with some of the
 rules in there --- like this one:
	$IPFWADM -I -a accept -W $EXTERNAL -D `ipofif $EXTERNAL`/32
 Paint me paranoid, but I do not accept anything that comes to
 my doorstep from the outside, just because they happen to be directed
 at my IP address; though it may well be all that others may want.

	Well, even though the current script allows additional rules
 to be specified, there is no easy way of getting rid of the rules I
 don't like (short of flushing all rules and restarting, which I
 found inelegant).

	Therefore I came up with this proposal, which I think allows
 for all that. I would appreciate it if this were incorporated in the
 package. 

 ITEM: the package ipmasq contains the directory /etc/ipmasq/ which
       contains rules in separate files with suffixes .def or .rl.
	Using known suffixes means that old ~ files are also not run as
	firewall rules (which is a concern, you would not like older
	buggy rules to be sourced, would you?) Also, READMEs could be
	provided to help novices, without any fear of creating a
	strange firewall.

 ITEM: The package only contains files with the .def (default) suffix,
       these are the defaults. The files have comments explaining that
       the sysadmin should not edit the files, instead, they should
       create new files with the same name but with a .rl suffix.

         in01.def       --> in01.rl
         in02.def       --> in02.rl
         out01.def      --> out01.rl
         forward01.def  --> forward01.rl

       Of course more meaningful names can be used (in05web.rl) [I use
       the numbers in there to get them to sort correctly]

	An advantage is that people can then swap individual rules
	files (Hey -- how do I allow ssh packets only from
	master.debian.org? -- rules file follows) 

 ITEM: the files are sourced in alphabetical order, except that if a
       .rl file exists, the .def file is ignored:

       Maybe the code shall be easier to read:
----------------------------------------------------------------------
    RULESDIR=/etc/ipmasq                    # where all the rules are kept
    # Get all the rules files, one per line (quiet while no .rl file exists yet)
    RULES=$(cd $RULESDIR && ls *.rl *.def 2>/dev/null)
    # Strip the suffixes and drop duplicates; sort -u needs one name per line,
    # so $RULES must be quoted to keep the newlines
    RULENAMES=$(echo "$RULES" | sed -e 's/\.def$//' -e 's/\.rl$//' | sort -u)

    set X $RULENAMES
    shift
    for rulefile
    do
	# a .rl file overrides the .def file of the same name; the files
	# live in $RULESDIR, the cd above only happened in a subshell
	if [ -f $RULESDIR/$rulefile.rl ]; then
	    . $RULESDIR/$rulefile.rl
	else
	    . $RULESDIR/$rulefile.def
	fi
    done
----------------------------------------------------------------------

	The full /sbin/ipmasq follows my signature.

	manoj
-- 
 "Oh dear, I think you'll find reality's on the blink again." Marvin
 The Paranoid Android
Manoj Srivastava  <srivasta@acm.org> <http://www.datasync.com/%7Esrivasta/>
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E


#! /bin/sh

#
# ipmasq	Set up IP Masquerading for Debian systems
#

IPFWADM=/sbin/ipfwadm
IPCHAINS=/sbin/ipchains


RULESDIR=/etc/ipmasq                    # where all the rules are kept
# Get all the rules files, one per line (quiet while no .rl file exists yet)
RULES=$(cd $RULESDIR && ls *.rl *.def 2>/dev/null)
# Strip the suffixes and drop duplicates; $RULES is quoted so that
# sort -u sees one name per line
RULENAMES=$(echo "$RULES" | sed -e 's/\.def$//' -e 's/\.rl$//' | sort -u)


# add helper script directory to path
PATH=/usr/lib/ipmasq/bin:$PATH

# find interface names
EXTERNAL=`default-if`
if [ -z "$EXTERNAL" ]; then
    INTERNAL=`enumerate-if | grep -v lo`
else
    INTERNAL=`enumerate-if | grep -v lo | grep -v $EXTERNAL`
fi

# determine rule method
if [ -e /proc/net/ip_fwchains ]; then
    test -x $IPCHAINS || exit 1
    MASQMETHOD=ipchains
else
    test -x $IPFWADM || exit 1
    MASQMETHOD=ipfwadm
fi
######################################################################
# flush all and set default policy of deny.
######################################################################
case $MASQMETHOD in
    ipfwadm)
	$IPFWADM -I -f
	$IPFWADM -I -p deny
	$IPFWADM -O -f
	$IPFWADM -O -p deny
	$IPFWADM -F -f
	$IPFWADM -F -p deny
	;;
    ipchains)
	$IPCHAINS -F input
	$IPCHAINS -P input DENY
	$IPCHAINS -F output
	$IPCHAINS -P output DENY
	$IPCHAINS -F forward
	$IPCHAINS -P forward DENY
	;;
esac

# source the rules files in sorted order; a .rl file overrides the
# .def file of the same name (paths are relative to $RULESDIR)
set X $RULENAMES
shift
for rulefile
do
    if [ -f $RULESDIR/$rulefile.rl ]; then
	. $RULESDIR/$rulefile.rl
    else
	. $RULESDIR/$rulefile.def
    fi
done

# turn on forwarding for 2.1 kernels
if [ -e /proc/sys/net/ipv4/ip_forward ]; then
        echo "1" > /proc/sys/net/ipv4/ip_forward
fi


##########
# End of ipmasq

