--- Begin Message ---
Hi,
Could someone kindly help me with firewall setup with my home cable
(dhcp) internet connection? I wish to use firewall-easy purely because
I know nothing about configuration of firewalls. I can't recall having
changed the firewall-easy.conf file (attached).
I'm using Debian unstable, 2.6.7 kernel.
The output I currently see is below:
debian:/home/tim# firewall-easy start
Running kernel 2.6.7
2.4 kernel support
-> iptables list OK
2.2 kernel support
NO ipchains list, firewall kernel support?
NO ipmasqadm list, port forwarding kernel support?
2.0 kernel support
NO ipfwadm list, firewall kernel support?
firewall-easy: iptables support detected
firewall-easy: iptables support detected
----AUTODETECTION--------
loopback = 127.0.0.0/255.0.0.0
local net =
local IP =
DNS servers = 62.31.176.39 194.117.134.19 195.188.53.175
ADSL iface =
gw =
-> Securing kernel (secure-kernel-24)
-> Setting up firewall (firewall-iptables)
---- STATUS:1 --------
iptables -A ACCEPTLOG -m limit --limit 3/minute -j LOG --log-prefix ACCEPT->
iptables: No chain/target/match by that name
---- STATUS:1 --------
iptables -A DROPLOG -m limit --limit 3/minute -j LOG --log-prefix DROP->
iptables: No chain/target/match by that name
---- STATUS:1 --------
iptables -A RST -p tcp -j REJECT --reject-with tcp-reset
iptables: No chain/target/match by that name
---- STATUS:1 --------
iptables -A RST -p udp -j REJECT
iptables: No chain/target/match by that name
---- STATUS:1 --------
iptables -A RSTLOG -m limit --limit 3/minute -j LOG --log-prefix REJECT->
iptables: No chain/target/match by that name
---- STATUS:1 --------
iptables -A RSTLOG -p tcp -j REJECT --reject-with tcp-reset
iptables: No chain/target/match by that name
---- STATUS:1 --------
iptables -A RSTLOG -p udp -j REJECT
iptables: No chain/target/match by that name
---- STATUS:1 --------
iptables -t mangle -A PREROUTING -j TOS --set-tos 0x10 -p tcp -d 0/0 --dport 1024:65535 -s 0/0 --sport www
iptables: No chain/target/match by that name
---- STATUS:1 --------
iptables -t mangle -A PREROUTING -j TOS --set-tos 0x10 -p tcp -s 0/0 --sport 1024:65535 -d 0/0 --dport www
iptables: No chain/target/match by that name
---- STATUS:1 --------
iptables -t mangle -A PREROUTING -j TOS --set-tos 0x08 -p tcp -d 0/0 --dport 1024:65535 -s 0/0 --sport rsync
iptables: No chain/target/match by that name
---- STATUS:1 --------
iptables -t mangle -A PREROUTING -j TOS --set-tos 0x08 -p tcp -s 0/0 --sport 1024:65535 -d 0/0 --dport rsync
iptables: No chain/target/match by that name
---- STATUS:1 --------
iptables -t mangle -A PREROUTING -j TOS --set-tos 0x08 -p tcp -d 0/0 --dport 1024:65535 -s 0/0 --sport 1024:65535
iptables: No chain/target/match by that name
---- STATUS:1 --------
iptables -t mangle -A PREROUTING -j TOS --set-tos 0x08 -p tcp -s 0/0 --sport 1024:65535 -d 0/0 --dport 1024:65535
iptables: No chain/target/match by that name
TESTING FIREWALL
debian:/home/tim#
(no error messages, just a command prompt)
My kernel .configs I think are relevant are:
CONFIG_SYSVIPC=y
CONFIG_SYSCTL=y
CONFIG_BLK_DEV_LOOP=y
CONFIG_SYN_COOKIES=y
CONFIG_INET_AH=y
CONFIG_INET_ESP=y
CONFIG_INET_IPCOMP=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_MANGLE=m
CONFIG_PROC_FS=y
CONFIG_PROC_KCORE=y
CONFIG_SYSFS=y
# firewall-easy.conf
#
# use vars as with bash format (no spaces allowed before/after the equal)
#
################################################################################
#### HOME USER CONFIG
LOCALNET_IFACES=
#LOCALNET_IFACES=eth0 # Interfaces without firewall (better none)
ADSL_IFACES=
#ADSL_IFACES=eth1 # To get ADSL config by DHCP
# HIGH SECURITY OPTION
FTP="" # active FTP not available
# MEDIUM SECURITY OPTION
#FTP="1.1.1.1 2.2.2.2" # My active FTP servers (FTP is usually passive)
# LOW SECURITY OPTION
#FTP="0/0" # NOT RECOMMENDED: This allows all active FTP at the
# price of being visible to scans from port 20
NTP="" # Time servers (NTP) to access in Internet
NO_IP="" # Remote IPs to deny access to our system
#### CONFIG OPTIONS
# no matter their value, just if they exist or not
TESTFW=yes # Uncomment to do firewall test in start
#NOLOG=yes # Uncomment to NOT do ANY LOG (only 2.2 kernel)
#LOGALLDENY=yes # Uncomment to log all denied rule (debug)
#DEBUG=yes # Uncomment to debug
# STRATEGY NO SERVICES (only 2.4 kernel)
# Instead of being invisible which is the default config, you may want to look
# like having no services: you get this uncommenting the two following lines
#RSTALLDENY=yes # Uncomment to return RST in all denied rules
#RST_TO="0/0" # Allow outputs RST and icmp DEST UNREACHABLE to all IP
################################################################################
#### INTRANET SERVER CONFIG
MASQ_IFACES="ppp0 $ADSL_IFACES"
# Interfaces by which we have to masquerade
NO_PRIV="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16" # private IP ranges
# Exclude range if used in Internet connection via DMZ
#### SSH Internet access
# ZERO RISK OPTION
ISSH="" # ssh not available
# HIGH SECURITY OPTION
#ISSH="1.1.1.1 2.2.2.2" # Only to my ssh clients (fix IPs needed)
# MEDIUM SECURITY OPTION
#ISSH="0/0" # ssh access from any IP, we are _NOT_ invisible
################################################################################
#### ADVANCED USERS
#### LOCAL OUTPUTS RESTRICTED BY OWNER OR GROUP
# This only works with 2.4 kernels (iptables required)
# Uncomment lines to activate them
# Following vars can be as USERCONN="root user1 user2 user3"
# No owner output control for packets (default)
USERCONN=""
USERREPLY=""
# No users, no services, as in only firewall box
#USERCONN="root"
#USERREPLY="NO"
# No users, services but only answering
#USERCONN="root"
#USERREPLY="ALL"
# One user (user1), services, and some services starting connections:
# DNS/bind (woody:named), SMTP (postfix), POP3-retriever (woody:fetchmail)
# web-cache (proxy)
# NOTE: samba/netbios uses nobody via lo when printing in shared printer
# NOTE: In potato bind runs as root, and fetchmail as the user running it
#USERCONN="root named postfix fetchmail proxy user1"
#USERREPLY="ALL"
################################################################################
#### KERNEL MODULES
#### kernel 2.2 modules
# Uncomment only what is needed
#insmod ip_masq_ftp # FTP <-- suggested
#insmod ip_masq_raudio # REALAUDIO (radio via internet)
#insmod ip_masq_irc # IRC (chat)
#insmod ip_masq_vdolive # VDOlive video connection
#insmod ip_masq_cuseeme # CU-SeeMe broadcast
#insmod ip_masq_quake # QUAKE game
#insmod ip_masq_user # User space control ?
#### kernel 2.4 modules
# Uncomment only what is needed
#insmod ip_conntrack # Autoloaded
#insmod ip_conntrack_ftp # Autoloaded if rule ">> ftp-data"
#insmod ip_nat_ftp # ftp NAT alteration, includes masquerade?
#insmod ip_queue # queue packets to use via netlink in user space
################################################################################
#### AUTODETECTION
#### values are autodetected from variables defined at the beginning
ALL_IPS="`list-iface-ip all`" # All our IP for antispoof
DNS="`list-dns-ip`" # My DNS servers
LO_NETS="`list-iface-net lo`" # Net/mask interface loopback
LOCALNETS="`list-iface-net $LOCALNET_IFACES`" # Net/mask local (intranet)
LOCALNET_IPS="`list-iface-ip $LOCALNET_IFACES`" # IP in iface local this server
ADSL_IPS="`list-iface-ip $ADSL_IFACES`" # Our IP in ADSL iface
ADSL_GWS="`list-iface-gw $ADSL_IFACES`" # IP of GW in ADSL router
echo ""
echo "----AUTODETECTION--------"
echo " loopback = $LO_NETS"
echo " local net $LOCALNET_IFACES = $LOCALNETS"
echo " local IP = $LOCALNET_IPS"
echo " DNS servers = $DNS"
echo " ADSL iface $ADSL_IFACES = $ADSL_IPS"
echo " gw = $ADSL_GWS"
echo ""
--- End Message ---
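Every rule that fails in the output above with `iptables: No chain/target/match by that name` uses one of four iptables extensions (`-m limit`, `-j LOG`, `-j REJECT`, `-j TOS`) or the mangle table. iptables prints that message when the kernel reports the requested match, target or table as absent, and none of the 2.6 kernel options that build those four extensions (CONFIG_IP_NF_MATCH_LIMIT, CONFIG_IP_NF_TARGET_LOG, CONFIG_IP_NF_TARGET_REJECT, CONFIG_IP_NF_TARGET_TOS) appears in the .config lines quoted in the message, while CONFIG_IP_NF_MANGLE=m means the mangle table is a loadable module rather than built in. The script below is an added example; it is not part of the original message nor of firewall-easy. It checks a kernel .config for exactly those symbols and reports each as built in, module, or missing. The function names `nf_check` and `nf_missing` are my own, the symbol and module names are the ones from the 2.6-era netfilter Kconfig, and the sample config written to a temp file is constructed from the lines quoted in the post.

```shell
#!/bin/sh
# Added example (not from the original post or from firewall-easy): map each
# iptables extension used by the failing firewall-easy rules to the 2.6
# kernel config symbol and module that provide it, then report which ones a
# given .config lacks.

# extension:config symbol:module name (2.6 netfilter Kconfig names)
NF_REQUIRED="
limit:CONFIG_IP_NF_MATCH_LIMIT:ipt_limit
LOG:CONFIG_IP_NF_TARGET_LOG:ipt_LOG
REJECT:CONFIG_IP_NF_TARGET_REJECT:ipt_REJECT
TOS:CONFIG_IP_NF_TARGET_TOS:ipt_TOS
mangle:CONFIG_IP_NF_MANGLE:iptable_mangle
"

# nf_check CONFIG_FILE
# Prints one line per required extension:
#   "<ext> builtin <symbol>"            -> compiled into the kernel
#   "<ext> module <symbol> (modprobe …)" -> built as a module, load it first
#   "<ext> MISSING <symbol>"             -> not built at all, rules will fail
nf_check() {
    cfg=$1
    echo "$NF_REQUIRED" | while IFS=: read -r ext sym mod; do
        [ -n "$ext" ] || continue
        if grep -q "^${sym}=y" "$cfg"; then
            echo "$ext builtin $sym"
        elif grep -q "^${sym}=m" "$cfg"; then
            echo "$ext module $sym (modprobe $mod before loading rules)"
        else
            echo "$ext MISSING $sym"
        fi
    done
}

# nf_missing CONFIG_FILE
# Only the absent symbols, space-separated on one line.
nf_missing() {
    nf_check "$1" | awk '$2 == "MISSING" { printf "%s ", $3 }' | sed 's/ $//'
}

# Constructed sample: the netfilter lines quoted in the post above.
SAMPLE_CFG=${TMPDIR:-/tmp}/nfcheck.$$
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_MANGLE=m
EOF

nf_check "$SAMPLE_CFG"
```

Against the sample, `nf_check` reports limit, LOG, REJECT and TOS as MISSING and mangle as a module. To run it against the real kernel, point it at `/boot/config-$(uname -r)`, or at a copy of `/proc/config.gz` decompressed with `zcat` when the kernel was built with CONFIG_IKCONFIG_PROC. A symbol reported as MISSING needs a kernel rebuild with that option enabled; a module needs `modprobe` (or `insmod`, as the `#### KERNEL MODULES` block of firewall-easy.conf does) before the rules that use it are loaded.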