
Re: Basic firewall questions



On Fri, Jun 28, 2002 at 06:54:35PM -0700, Bob Nielsen wrote:
> [...]

> For instance, I would like to forward a few ports from my router to a
> more powerful machine on the network (intuitively I feel that a
> firewall box should not also function as a server).  In the HOWTO it
> mentions how to set up port forwarding by adding some IPTABLES
> statements in /etc/rc.d/rc.firewall, but this file does not exist.  
> 
> Is there an equivalent configuration file in Debian?  I tried creating
> a new file in /etc/ipmasq/rules to contain the same statements, but
> that does not work.  I am sure that it is possible, but haven't yet
> found the magic token enabling me to accomplish this.

Personally, I think there's no need to use an init.d script. I use
/etc/network/interfaces to start and stop my firewall, and ignore the
supplied script completely. In /etc/network/interfaces I have:

  iface eth1 inet dhcp
    leasetime 7200

    pre-up iptables-restore -c < /etc/firewall-rules
    pre-up echo 1 > /proc/sys/net/ipv4/ip_forward
    #set up firewall and forwarding

    down iptables-save -c > /etc/firewall-rules
    #save firewall rules when disabling the interface

This means that the firewall is set up when the network is set up, and
is shut down when the interface is brought down. This is IMO better than
starting/stopping it when the machine boots/halts. See interfaces(5) for
details on the pre-up and down commands, as well as
iptables-{save,restore}(8). There's no need for a script with this
setup, although I maintain one anyway, in case I want to reload my rules
from scratch.

> The comments in etc/default/iptables about not using the init.d script
> which iptables provides leave me somewhat confused, as well.

On the other hand, if you really want to use an init.d script, you can
either use the supplied one and modify it, or write your own. To make
your own, simply make a script that accepts the arguments start and
stop, put it in /etc/init.d, and run update-rc.d on it to create the
SysV links. rc.firewall is IMO a poor idea, because iptables-restore
provides a better alternative, and it wouldn't run at the most
appropriate time in the boot sequence.

> I also saw that there are several other packages which handle
> firewalls, such as ferm, firewall-easy and fwbuilder.  Do these
> co-exist with ipmasq or replace it?  Any recommendations?

I haven't tried any firewall builders, but the best way to see how they
work is probably to test them yourself. I hope this helps.

Jason


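The thread mentions port forwarding and iptables-restore but shows no rule file. The following is an added example, not part of the original message or the Debian packages discussed: a small POSIX sh function that writes, in iptables-save format, the rules needed to forward a few TCP ports from the router's external interface to one internal host, so the output can be saved as the file the interfaces(5) stanza above loads with "pre-up iptables-restore -c < /etc/firewall-rules". The interface name eth1, the host 192.168.1.10 and the port list are placeholders. The filter rules use the classic "-m state" match of that era; the FORWARD policy is set to DROP so that only the forwarded ports pass, while INPUT and OUTPUT are deliberately left at ACCEPT because protecting the router host itself (DHCP replies, loopback, SSH) is a separate rule set not shown here.

```shell
#!/bin/sh
# Added example: generate an iptables-save-format rule file for port
# forwarding. Interface, host and ports are placeholders (assumptions).

# gen_forward_rules EXT_IF DST_HOST "PORT PORT ..."
# Prints the rule file to stdout. Returns 1 (printing nothing) if any
# port is not an integer in 1..65535, so a typo never produces a
# half-written file.
gen_forward_rules() {
    ext_if=$1
    dst=$2
    ports=$3

    # Validate every port before emitting a single line.
    for p in $ports; do
        case $p in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
    done

    # nat table: rewrite the destination of packets arriving on the
    # external interface. Replies are un-NATed by connection tracking,
    # so no explicit reverse rule is needed.
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    for p in $ports; do
        echo "-A PREROUTING -i $ext_if -p tcp --dport $p -j DNAT --to-destination $dst:$p"
    done
    echo 'COMMIT'

    # filter table: DNAT alone does not let the packet through; the
    # FORWARD chain must accept exactly the forwarded ports (new
    # connections) plus the return traffic, and drop everything else.
    # INPUT/OUTPUT policies for the router host itself are out of scope.
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $ports; do
        echo "-A FORWARD -i $ext_if -p tcp -d $dst --dport $p -m state --state NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Usage with placeholder values; writes the file the interfaces(5)
# stanza loads on pre-up. Uncomment on the router:
# gen_forward_rules eth1 192.168.1.10 "22 80 443" > /etc/firewall-rules
```

Because the file is loaded by iptables-restore (rather than a series of iptables calls), the whole rule set is applied atomically, and the validation step means a bad port aborts generation instead of leaving a partial file that the next interface up would load. Remember that the "down iptables-save" line in the stanza above overwrites this file with whatever rules are live at that moment, so keep the generated version somewhere else if you want to regenerate from scratch.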
-- 
To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
