PROPOSAL: simple masquerading and filtering firewall setup
Hi,
[ please read through this longish message; code included]
Recently, an upgrade to ipmasq shredded my firewall setup
(I had a beautiful, hand crafted filtering firewall in
/etc/rc.boot/ipmasq), which got me thinking about how better to
customize the setup to be more accessible to advanced users, while
retaining the ease of use that the current setup has achieved (kudos
to the maintainer!)
Well, I looked at /sbin/ipmasq, and liked the infrastructure
(again, wonderful work). However, I did not agree with some of the
rules in there --- like this one:
$IPFWADM -I -a accept -W $EXTERNAL -D `ipofif $EXTERNAL`/32
Paint me paranoid, but I do not accept anything that comes to
my doorstep from the outside, just because they happen to be directed
at my IP address; though it may well be all that others may want.
Well, even though the current script allows additional rules
to be specified, there is no easy way of getting rid of the rules I
don't like (short of flushing all rules and restarting, which I
found inelegant).
Therefore I came up with this proposal, which I think allows
for all that. I would appreciate it if this were incorporated in the
package.
ITEM: the package ipmasq contains the directory /etc/ipmasq/ which
contains rules in separate files with suffixes .def or .rl.
Using known suffixes means that old ~ files are also not run as
firewall rules (which is a concern; you would not like older
buggy rules to be sourced, would you?) Also, READMEs could be
provided to help novices, without any fear of creating a
strange firewall.
ITEM: The package only contains files with the .def (default) suffix;
these are the defaults. The files have comments explaining that
the sysadmin should not edit the files; instead, they should
create new files with the same name but with a .rl suffix:
    in01.def      --> in01.rl
    in02.def      --> in02.rl
    out01.def     --> out01.rl
    forward01.def --> forward01.rl
Of course more meaningful names can be used (in05web.rl) [I use
the numbers in there to get them to sort correctly]
An advantage is that people can then swap individual rules
files (Hey -- how do I allow ssh packets only from
master.debian.org? -- rules file follows)
ITEM: the files are sourced in alphabetical order, except that if a
.rl file exists, the .def file is ignored:
Maybe the code will be easier to read:
----------------------------------------------------------------------
RULESDIR=/etc/ipmasq                    # where all the rules are kept
# Get all the rules files (2>/dev/null: having no .rl files yet is not an error)
RULES=$(cd $RULESDIR; ls *.rl *.def 2>/dev/null)
# One base name per line, so that sort -u really drops the duplicates
# (otherwise a name with both .def and .rl would be sourced twice)
RULENAMES=$(echo $RULES | tr ' ' '\n' | sed -e 's/\.def$//' -e 's/\.rl$//' | sort -u)
set X $RULENAMES
shift
for rulefile
do
    # a sysadmin's .rl file overrides the packaged .def file of the same name
    if [ -f $RULESDIR/$rulefile.rl ]; then
        . $RULESDIR/$rulefile.rl
    else
        . $RULESDIR/$rulefile.def
    fi
done
----------------------------------------------------------------------
The full /sbin/ipmasq follows my signature.
manoj
--
"Oh dear, I think you'll find reality's on the blink again." Marvin
The Paranoid Android
Manoj Srivastava <srivasta@acm.org> <http://www.datasync.com/%7Esrivasta/>
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
#! /bin/sh
#
# ipmasq        Set up IP Masquerading for Debian systems
#
IPFWADM=/sbin/ipfwadm
IPCHAINS=/sbin/ipchains
RULESDIR=/etc/ipmasq                    # where all the rules are kept
# Get all the rules files (2>/dev/null: having no .rl files yet is not an error)
RULES=$(cd $RULESDIR; ls *.rl *.def 2>/dev/null)
# One base name per line, so that sort -u really drops the duplicates
RULENAMES=$(echo $RULES | tr ' ' '\n' | sed -e 's/\.def$//' -e 's/\.rl$//' | sort -u)

# add helper script directory to path
PATH=/usr/lib/ipmasq/bin:$PATH

# find interface names (match whole names: a bare "grep -v lo" would also
# drop any interface whose name merely contains "lo", such as slip0)
EXTERNAL=`default-if`
if [ -z "$EXTERNAL" ]; then
    INTERNAL=`enumerate-if | grep -v '^lo$'`
else
    INTERNAL=`enumerate-if | grep -v '^lo$' | grep -v "^$EXTERNAL$"`
fi

# determine rule method
if [ -e /proc/net/ip_fwchains ]; then
    test -x $IPCHAINS || exit 1
    MASQMETHOD=ipchains
else
    test -x $IPFWADM || exit 1
    MASQMETHOD=ipfwadm
fi

######################################################################
# flush all and set default policy of deny.
######################################################################
case $MASQMETHOD in
    ipfwadm)
        $IPFWADM -I -f
        $IPFWADM -I -p deny
        $IPFWADM -O -f
        $IPFWADM -O -p deny
        $IPFWADM -F -f
        $IPFWADM -F -p deny
        ;;
    ipchains)
        $IPCHAINS -F input
        $IPCHAINS -P input DENY
        $IPCHAINS -F output
        $IPCHAINS -P output DENY
        $IPCHAINS -F forward
        $IPCHAINS -P forward DENY
        ;;
esac

# source the rules files in alphabetical order; a sysadmin's .rl file
# overrides the packaged .def file of the same name
set X $RULENAMES
shift
for rulefile
do
    if [ -f $RULESDIR/$rulefile.rl ]; then
        . $RULESDIR/$rulefile.rl
    else
        . $RULESDIR/$rulefile.def
    fi
done

# turn on forwarding for 2.1 kernels
if [ -e /proc/sys/net/ipv4/ip_forward ]; then
    echo "1" > /proc/sys/net/ipv4/ip_forward
fi
##########
# End of ipmasq
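Added example, not part of Manoj's message or of the ipmasq package: a stand-alone shell implementation of the proposed lookup (a NAME.rl file overrides NAME.def, every other suffix such as in01.rl~ or README is ignored), plus the check the proposal's concern about stale rules suggests: a world-writable rules file is refused before it is sourced, since ". file" executes it as root. The function names resolve_rules and load_rules, the constructed demo directory, and the use of find(1) with -perm -002 are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original ipmasq script: resolve which rule
# files a rules directory would source under the proposal. For each base
# name NAME, NAME.rl (sysadmin override) wins over NAME.def (package
# default); any other file (in01.rl~ backups, READMEs) is ignored, and a
# world-writable file is refused. Assumes POSIX sh and find -perm -002.

# Print, one path per line in sorted order, the rule files to be sourced.
resolve_rules() {
    dir=$1
    names=$(
        for f in "$dir"/*.def "$dir"/*.rl; do
            [ -f "$f" ] || continue      # an unmatched glob stays literal; skip it
            b=${f##*/}                   # drop the directory part
            b=${b%.def}; b=${b%.rl}      # drop the known suffix
            printf '%s\n' "$b"
        done | LC_ALL=C sort -u
    )
    for n in $names; do
        if [ -f "$dir/$n.rl" ]; then
            f=$dir/$n.rl
        else
            f=$dir/$n.def
        fi
        # Refuse a world-writable rule file: ". $f" would execute it as root.
        if [ -n "$(find "$f" -perm -002 2>/dev/null)" ]; then
            echo "ipmasq: skipping world-writable rules file $f" >&2
            continue
        fi
        printf '%s\n' "$f"
    done
}

# Source the resolved files in order, as /sbin/ipmasq would.
load_rules() {
    for f in $(resolve_rules "$1"); do
        . "$f"
    done
}

# Demonstration on a constructed directory using the names from the proposal.
demo() {
    d=$(mktemp -d)
    for f in in01.def in01.rl in02.def out01.def forward01.def in01.rl~ README; do
        : > "$d/$f"
    done
    resolve_rules "$d"   # forward01.def, in01.rl, in02.def, out01.def
    rm -rf "$d"
}
```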