It's my first mail to a Debian list.
I've been working on a Debian package with a basic iptables-based
I read some info regarding Debian and firewalling here:
After deploying a bunch of local firewalls on Linux servers, and also a
perimeter firewall based on Linux & iptables, I found myself
always writing the same hierarchy of script files.
So, I decided to put it all in a .deb package as a standard basic service
for the system, so the admin can easily write new rules and have a good
structure to start building a strong firewall from.
In RHEL & derived distros, you can see some kind of "firewall"
service, all based on iptables, and here I've done the same, but in
the Debian way.
For now, the package adds the following to the system:
· An init.d script that manages iptables (including basic NAT and
routing) as a service.
· The init.d script has its own /etc/default/firewall file with a few
directives for the admin to adapt the firewall (such as easily changing
the default policy in testing environments, the option to flush NAT
rules or not when stopping the firewall, and the option to stop routing
or not when stopping the firewall).
· A valid rsyslog conf to get firewall logs in /var/log/firewall.d/
· A reasonable logrotate conf for all files under /var/log/firewall.d
· Separate iptables files under /etc/firewall.d with this hierarchy:
local rules (input, output), external rules (forward), NAT rules and
other rules (such as mangle ones). All files have no default
configuration other than permitting traffic from and to the local machine.
· Full IPv6 support.
I see this basic approach as a nice way to include a firewall as a
service in the system. None of the packages listed in the Debian
wiki seems to just deploy a structure where the system admin can build
his own firewall. This package just tries to do that.
By writing here I want to show you the package, seeking your
knowledge of sysadmin work and Debian packaging.
If you look at the package, you will notice that there are a lot of weird
things in some places, like the maintainer scripts. I know. I'm new to
writing .deb packages and I'm now learning the Debian way. I know I
lack knowledge of some d/ files, like "rules", and there aren't any
references to copyright (definitely GPL or something, of course).
Everything about the package itself could be subject to strong evolution, and
I would like to see it as fine-tuned as all the other Debian packages.
So, I ask you two things:
· What about the schema I'm talking about?
· What about the format of the package?
The package itself:
In addition, I've been working for a while now with Debian-based HA
firewall clusters. I have some interesting documentation I developed
myself regarding these issues.
The doc covers some aspects like comparisons between technologies
(keepalived, VRRP, pacemaker, conntrackd, netfilter, corosync,
heartbeat, and so on...) and explains a basic deployment in several
The problem is that the document is in my native language (Spanish) and
the translation is pending.
Here is a reference to it, if you'd like to take a look:
/* Arturo Borrero Gonzalez || email@example.com */
/* Use debian gnu/linux! Best OS ever! */
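As an added illustration of the service layout described in the mail (this is not the package's own init.d script): a POSIX sh sketch that reads the admin's directives from a defaults file, sets the default policy before any rule is loaded, and sources the per-role rule files from a directory in a fixed order. The directive names, the file names under the rules directory, and the IPT/SYSCTL overrides are assumptions; a real script would repeat the same steps with ip6tables for the IPv6 side.

```shell
#!/bin/sh
# Added sketch of a firewall service along the lines described in the mail.
# Not the package's own script; directive and file names are assumptions.
# IPT and SYSCTL can be overridden (e.g. IPT="echo iptables") to dry-run
# the logic without root and without touching the live ruleset.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl -w}"

# Read the admin's directives, keeping safe fallbacks if the file is absent.
load_defaults() {
    DEFAULT_POLICY=DROP        # filter policy for INPUT/FORWARD/OUTPUT
    FLUSH_NAT_ON_STOP=yes      # also flush the nat table on stop?
    STOP_ROUTING_ON_STOP=yes   # also disable IPv4 forwarding on stop?
    if [ -r "$1" ]; then . "$1"; fi
}

# start: set the default policy first so nothing is exposed while rules load,
# always permit loopback, then source the per-role files in a fixed order
# (local rules before forward and nat rules). A rule file holds plain $IPT calls.
fw_start() {
    rules_dir="$1"
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -P "$chain" "$DEFAULT_POLICY"
    done
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    for role in local external nat other; do
        if [ -r "$rules_dir/$role" ]; then . "$rules_dir/$role"; fi
    done
}

# stop: open the filter table; nat flushing and routing shutdown are separate
# decisions because a NAT gateway may need to keep forwarding while the
# filter rules are being reworked.
fw_stop() {
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -P "$chain" ACCEPT
    done
    $IPT -F
    if [ "$FLUSH_NAT_ON_STOP" = yes ]; then $IPT -t nat -F; fi
    if [ "$STOP_ROUTING_ON_STOP" = yes ]; then $SYSCTL net.ipv4.ip_forward=0; fi
}

# Minimal init.d-style dispatch; does nothing when sourced without an action.
case "${1:-}" in
    start) load_defaults /etc/default/firewall; fw_start /etc/firewall.d ;;
    stop)  load_defaults /etc/default/firewall; fw_stop ;;
esac
```

With the default DROP policy set before the rule files are sourced, a typo in a rule file fails closed rather than open, which is the main reason for that ordering.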