
Re: Firewalling in potato



^chewie <chewie@wookimus.net> writes:
> On Mon, Dec 04, 2000 at 10:11:54AM -0600, Carlo U. Segre wrote:
> > 
> > Hello All:
> > 
> > I wanted to know what the proper way would be to set up firewalling rules
> > in a potato system.  Putting the ipfwadm or ipchains lines in
> > /etc/init.d/networking (I have used /etc/init.d/netbase in slink) is the
> > most direct way I can think of but that may not be the "right" way to do
> > it.  Any suggestions?
> 
> I just got done with YAFI (Yet another Firewall Installation) this
> weekend.  I've been making an init.d script of my own that will save
> or restore the firewall rules out of the /etc/firewall directory.
> It's a real simple script that takes advantage of four applications:
> ipchains, ipchains-save, ipchains-restore, and date.  I've attached it
> to the end of this email message.  Perhaps it'll help you out.
> 
> Personally, I like the IPChains rules that you find in Section 7 of
> the IPCHAINS-HOWTO.  You can reference this at
> http://www.linuxdoc.org/. 
> 
> Ultimately, I'd like to tie in my firewall rules to ifup/ifdown
> scripts and take advantage of Debian's clean network interface
> scripts.  It would involve something like adding the lines:
> 
>    {up|pre-up|down|post-down} {command} 
> 
> where {command} may be something like 
> 
>     run-parts {if-up.d|if-pre-up.d|if-down.d|if-post-down.d}
> 
> or a specific script for that interface:
> 
>     up /etc/firewall/eth0.rules up
>     post-down /etc/firewall/eth0.rules post-down
>     # etc...
> 
> The Debian package 'ipmasq' does something similar, but examines your
> interfaces for you, making some decisions based on the routing as to
> which interfaces are external and which interfaces are internal.  It
> seems more specialized for ppp dialup situations where you don't have
> dial-on-demand set up.  (I had no few troubles trying to get this
> package to bend to my will.)  The 'run-parts' scripts will only work
> in a generic manner if we can grab info about the interface that is
> being brought up or down.  I'll need to do more research to find out
> what type of environment variables the ifup/ifdown scripts pass on to
> its child scripts.
> 
> If you have interfaces constantly going up and down or changing their
> IP addresses, you SHOULD use the interfaces(5) file to launch
> respective interface-specific firewall scripts.  
[snip script]

I've done something similar but I used PMFirewall
(http://www.pointman.org) instead. It was very simple to set up and I
tied it to the interfaces(5) interface(?). So in my
/etc/network/interfaces file I have:

iface eth1 inet static
        address 10.0.0.2
        netmask 255.255.255.0
        gateway 10.0.0.1
        broadcast 10.0.0.255
        pre-up /usr/local/etc/pmfirewall/pmfirewall start
        post-down /usr/local/etc/pmfirewall/pmfirewall stop

and it works like a champ! This is on an ADSL connection so it's on
pretty much 24/7, but I bring the external interface down occasionally
to do security audits.

The only problem is that PMFirewall isn't a Debian package, but it's
very small and its ease of use overshadowed the lack of a Debian
package, for me.

Gary
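An added example, not code from either poster or from PMFirewall, of the per-interface firewall script chewie sketches (`up /etc/firewall/eth0.rules up` / `post-down ... post-down`) wired the way Gary's stanza does it. It assumes a hypothetical path /etc/firewall/iface.rules, that ifup exports IFACE for the interface being configured (check ifup(8) on your system), and that ipchains is on the PATH. The rules are an illustrative default-deny set for an external interface, not the IPCHAINS-HOWTO Section 7 rules. Everything for one interface lives in a user chain named after it, so post-down can remove exactly that interface's rules without flushing the whole input chain, which is what you want when interfaces come and go.

```shell
#!/bin/sh
# /etc/firewall/iface.rules (hypothetical path): ifup/ifdown hook that
# installs or removes the ipchains rules for the interface ifup is
# configuring.  Wiring in /etc/network/interfaces (assumed):
#
#   iface eth0 inet static
#       ...
#       pre-up    /etc/firewall/iface.rules pre-up
#       post-down /etc/firewall/iface.rules post-down
#
# pre-up is preferred over up: ipchains accepts -i for an interface that is
# not up yet, so the rules are in place before any packet can arrive.
# ifup is assumed to export IFACE=<interface name> to the scripts it runs.

IPCHAINS="${IPCHAINS:-ipchains}"   # set IPCHAINS=echo for a dry run

run() { "$IPCHAINS" "$@"; }

# ipchains limits chain names to 8 characters, so "fw-" + interface name
# must fit; refuse anything longer rather than silently truncating.
chain_for() {
    chain="fw-$1"
    if [ ${#chain} -gt 8 ]; then
        echo "interface name too long for an ipchains chain: $1" >&2
        return 1
    fi
    echo "$chain"
}

# Remove the jump from input, then empty and delete the per-interface
# chain.  Errors are ignored because the chain may not exist yet.
fw_down() {
    iface=$1
    chain=$(chain_for "$iface") || return 1
    run -D input -i "$iface" -j "$chain" 2>/dev/null
    run -F "$chain" 2>/dev/null
    run -X "$chain" 2>/dev/null
    return 0
}

# Build the chain for one interface and hook it into input.  Tearing down
# first makes this idempotent if ifup runs the hook twice.
fw_up() {
    iface=$1
    chain=$(chain_for "$iface") || return 1
    fw_down "$iface"
    run -N "$chain"
    # ipchains port syntax is "-d addr port" / "-s addr port"; no --dport.
    run -A "$chain" -p tcp -d 0.0.0.0/0 22 -j ACCEPT        # inbound ssh
    run -A "$chain" -p tcp ! -y -j ACCEPT                    # non-SYN: replies to our own connections
    run -A "$chain" -p udp -s 0.0.0.0/0 53 -j ACCEPT         # DNS replies
    run -A "$chain" -p icmp -j ACCEPT
    run -A "$chain" -l -j DENY                               # log and drop the rest
    # Everything arriving on $iface goes through the chain.
    run -A input -i "$iface" -j "$chain"
}

# Entry point when ifup/ifdown executes the script with one argument.
fw_main() {
    iface=${IFACE:?IFACE not set; run this from ifup/ifdown}
    case "$1" in
        up|pre-up)   fw_up "$iface" ;;
        post-down)   fw_down "$iface" ;;
        *) echo "usage: $0 {pre-up|up|post-down}" >&2; return 2 ;;
    esac
}

# Dispatch only when executed under the installed name, so the functions
# can also be sourced for a dry run.
case "$0" in
    */iface.rules) fw_main "$@" ;;
esac
```

With `IPCHAINS=echo` the script prints the ipchains invocations instead of running them, which is the quickest way to review what pre-up and post-down will do for a given IFACE before committing the stanza to /etc/network/interfaces. Because the chain name is derived from IFACE, one copy of the script serves every interface; the interface-specific part, if any, would go in a `case "$iface"` inside fw_up.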


