Re: Firewalling in potato
^chewie <chewie@wookimus.net> writes:
> On Mon, Dec 04, 2000 at 10:11:54AM -0600, Carlo U. Segre wrote:
> >
> > Hello All:
> >
> > I wanted to know what the proper way would be to set up firewalling rules
> > in a potato system. Putting the ipfwadm or ipchains lines in
> > /etc/init.d/networking (I have used /etc/init.d/netbase in slink) is the
> > most direct way I can think of but that may not be the "right" way to do
> > it. Any suggestions?
>
> I just got done with YAFI (Yet another Firewall Installation) this
> weekend. I've been making an init.d script of my own that will save
> or restore the firewall rules out of the /etc/firewall directory.
> It's a real simple script that takes advantage of four applications:
> ipchains, ipchains-save, ipchains-restore, and date. I've attached it
> to the end of this email message. Perhaps it'll help you out.
>
> Personally, I like the IPChains rules that you find in Section 7 of
> the IPCHAINS-HOWTO. You can reference this at
> http://www.linuxdoc.org/.
>
> Ultimately, I'd like to tie in my firewall rules to ifup/ifdown
> scripts and take advantage of Debian's clean network interface
> scripts. It would involve something like adding the lines:
>
> {up|pre-up|down|post-down} {command}
>
> where {command} may be something like
>
> run-parts {if-up.d|if-pre-up.d|if-down.d|if-post-down.d}
>
> or a specific script for that interface:
>
> up /etc/firewall/eth0.rules up
> post-down /etc/firewall/eth0.rules post-down
> # etc...
>
> The Debian package 'ipmasq' does something similar, but examines your
> interfaces for you, making some decisions based on the routing as to
> which interfaces are external and which interfaces are internal. It
> seems more specialized for ppp dialup situations where you don't have
> dial-on-demand set up. (I had no few troubles trying to get this
> package to bend to my will.) The 'run-parts' scripts will only work
> in a generic manner if we can grab info about the interface that is
> being brought up or down. I'll need to do more research to find out
> what type of environment variables the ifup/ifdown scripts pass on to
> its child scripts.
>
> If you have interfaces constantly going up and down or changing their
> IP addresses, you SHOULD use the interfaces(5) file to launch
> respective interface-specific firewall scripts.
[snip script]
I've done something similar but I used PMFirewall
(http://www.pointman.org) instead. It was very simple to set up and I
tied it to the interfaces(5) interface(?). So in my
/etc/network/interfaces file I have:
iface eth1 inet static
    address 10.0.0.2
    netmask 255.255.255.0
    gateway 10.0.0.1
    broadcast 10.0.0.255
    pre-up /usr/local/etc/pmfirewall/pmfirewall start
    post-down /usr/local/etc/pmfirewall/pmfirewall stop
and it works like a champ! This is on an ADSL connection so it's on
pretty much 24/7, but I bring the external interface down occasionally
to do security audits.
The only problem is that PMFirewall isn't a Debian package, but it's
very small and its ease of use overshadowed the lack of a Debian
package, for me.
Gary
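What the per-interface script chewie sketched above (up /etc/firewall/eth0.rules up,
post-down /etc/firewall/eth0.rules post-down) could look like, written out as an
added example for this thread. It is not chewie's attached script and not
PMFirewall. The path, the chain name in-eth0, the LAN range and the service
ports are made up for the example; the script assumes ifupdown exports IFACE
to its hook commands, as interfaces(5) documents in later ifupdown versions,
and falls back to eth0 if it does not. The point it demonstrates is that each
interface owns a user-defined chain hooked into the built-in input chain, so
taking one interface down removes only that interface's rules instead of
flushing everything, and the global policy and loopback rules stay with the
boot-time script (chewie's init.d/ipchains-restore approach).

```shell
#!/bin/sh
# Hypothetical /etc/firewall/eth0.rules: per-interface ipchains loader for the
# up/post-down hooks in /etc/network/interfaces. Added example, not the
# script attached to the original message and not PMFirewall.
#
# Global policy (-P input DENY, accepting lo, etc.) is deliberately NOT set
# here: that belongs to the boot-time rule set. This script only creates,
# hooks, unhooks and deletes the chain for one interface.

IPCHAINS=${IPCHAINS:-ipchains}   # set IPCHAINS=echo for a dry run

# Constructed site settings for the example (not from the thread).
EXT_IF=${IFACE:-eth0}            # assumption: ifupdown exports IFACE to hooks
LAN_NET=10.0.0.0/24              # our own LAN; must never arrive on EXT_IF
SERVICES="22 25"                 # TCP ports reachable from outside

# Print the ipchains argument lists for interface $1 in mode $2 ("up" or
# "post-down"), one per line, without running them. Keeping "decide" apart
# from "run" lets you review the rule set and lets the logic be checked
# without root or the ipchains binary.
firewall_rules() {
    iface=$1; mode=$2
    chain="in-$iface"
    case $mode in
    up|pre-up|post-up)
        echo "-N $chain"
        echo "-F $chain"                       # harmless if the chain is fresh
        # anti-spoofing: our LAN and loopback ranges never arrive from outside
        echo "-A $chain -s $LAN_NET -j DENY -l"
        echo "-A $chain -s 127.0.0.0/8 -j DENY -l"
        # ipchains is stateless: replies to our own outbound TCP connections
        # can only be recognised by the absence of SYN (-y = SYN and not ACK),
        # so any non-SYN TCP packet is let through. This is the usual
        # ipchains compromise, not real connection tracking.
        echo "-A $chain -p tcp ! -y -j ACCEPT"
        for port in $SERVICES; do
            echo "-A $chain -p tcp -d 0.0.0.0/0 $port -j ACCEPT"
        done
        # DNS replies: coarse, anything from UDP source port 53 gets in
        echo "-A $chain -p udp -s 0.0.0.0/0 53 -j ACCEPT"
        echo "-A $chain -p icmp -j ACCEPT"
        echo "-A $chain -j DENY -l"            # log everything else we drop
        # hook the chain in last, so it is complete before it sees traffic;
        # -I puts it ahead of whatever else is already in input
        echo "-I input -i $iface -j $chain"
        ;;
    down|post-down)
        # unhook first (-X refuses to delete a referenced chain), then empty
        # and delete only this interface's chain; other rules are untouched
        echo "-D input -i $iface -j $chain"
        echo "-F $chain"
        echo "-X $chain"
        ;;
    *)
        echo "usage: $0 {up|post-down}" >&2
        return 1
        ;;
    esac
}

# Execute the rule lines for interface $1, mode $2. A failed line is reported
# but does not abort the rest (e.g. -N on a chain left over from a crash).
apply_rules() {
    firewall_rules "$1" "$2" | while read -r args; do
        # word-splitting of $args into separate ipchains arguments is intended
        $IPCHAINS $args || echo "failed: $IPCHAINS $args" >&2
    done
}

# No argument: only define the functions. "print MODE" shows the rules.
case ${1:-} in
"")     ;;
print)  firewall_rules "$EXT_IF" "${2:-up}" ;;
*)      apply_rules "$EXT_IF" "$1" ;;
esac
```

Wired in as a pre-up rather than up hook, the way Gary does it, the chain is
already in place before the address is assigned, which closes the window
between the interface coming up and the rules landing. Running the script as
"sh eth0.rules print post-down" before relying on it is worth the ten
seconds: the three lines it prints are exactly what gets executed, and a
typo in the chain name there means the up rules stay behind after ifdown.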