On Mon, Dec 04, 2000 at 10:11:54AM -0600, Carlo U. Segre wrote:
> 
> Hello All:
> 
> I wanted to know what the proper way would be to set up firewalling rules
> in a potato system.  Putting the ipfwadm or ipchains lines in
> /etc/init.d/networking (I have used /etc/init.d/netbase in slink) is the
> most direct way I can think of but that may not be the "right" way to do
> it.  Any suggestions?

I just got done with YAFI (Yet another Firewall Installation) this
weekend.  I've been making an init.d script of my own that will save
or restore the firewall rules out of the /etc/firewall directory.
It's a real simple script that takes advantage of four applications:
ipchains, ipchains-save, ipchains-restore, and date.  I've attached it
to the end of this email message.  Perhaps it'll help you out.

Personally, I like the IPChains rules that you find in Section 7 of
the IPCHAINS-HOWTO.  You can reference this at
http://www.linuxdoc.org/. 

Ultimately, I'd like to tie in my firewall rules to ifup/ifdown
scripts and take advantage of Debian's clean network interface
scripts.  It would involve something like adding the lines:

   {up|pre-up|down|post-down} {command} 

where {command} may be something like 

    run-parts {if-up.d|if-pre-up.d|if-down.d|if-post-down.d}

or a specific script for that interface:

    up /etc/firewall/eth0.rules up
    post-down /etc/firewall/eth0.rules post-down
    # etc...

The Debian package 'ipmasq' does something similar, but examines your
interfaces for you, making some decisions based on the routing as to
which interfaces are external and which interfaces are internal.  It
seems more specialized for ppp dialup situations where you don't have
dial-on-demand set up.  (I had no few troubles trying to get this
package to bend to my will.)  The 'run-parts' scripts will only work
in a generic manner if we can grab info about the interface that is
being brought up or down.  I'll need to do more research to find out
what type of environment variables the ifup/ifdown scripts pass on to
its child scripts.

If you have interfaces constantly going up and down or changing their
IP addresses, you SHOULD use the interfaces(5) file to launch
respective interface-specific firewall scripts.  Anyway, here's my
init.d script.  Hope it helps:

#--------------- BEGIN SCRIPT HERE --------------
#!/bin/sh
# Firewall rules
# by Chad Walstrom <[EMAIL PROTECTED]>
# Last update: 2000/12/03

IPCHAINS=/sbin/ipchains
RESTORE=/sbin/ipchains-restore
SAVE=/sbin/ipchains-save
RULES=/etc/firewall/firewall.rules
RULESDIR=/etc/firewall

test -d ${RULESDIR} || mkdir ${RULESDIR}

flush() {
    ${IPCHAINS} -F
}

noforward() {
    echo "0" > /proc/sys/net/ipv4/ip_forward
}

# For masquerade support
forward() {
    echo "1" > /proc/sys/net/ipv4/ip_forward
}

saverules() {
    # Keep a timestamped copy of the previous rule set, if there is one,
    # before overwriting it with the currently loaded rules
    test -f ${RULES} && cp ${RULES} ${RULES}.`date +%s`
    ${SAVE} > ${RULES}
}

restorerules() {
    # Nothing to load on a fresh install: say so instead of failing silently
    if test -f ${RULES}; then
        ${RESTORE} -f < ${RULES}
    else
        echo "no saved rules in ${RULES}, skipping restore" >&2
    fi
}

case $1 in
    start)
        echo -n "Initializing firewall..."
        flush
        # Change this to noforward if you're not masquerading or
        # bridging
        forward
        restorerules
        echo "done."
    ;;
    stop)
        echo -n "Halting all traffic..."
        noforward

        # Uncomment to save rules on stop -- POTENTIALLY DANGEROUS
        #saverules
        
        flush
        echo "done."
    ;;
    save)
        echo "Saving firewall rules..."
        saverules
        echo "Done."
    ;;
    restart|reload|forced-reload)
        $0 stop
        $0 start
    ;;
    *)
        echo "Usage: $0 {start|stop|restart|reload|forced-reload|save}"
        echo ""
        echo "See also: ipchains(8), ipchains-save(8), ipchains-restore(8),"
        echo "    IPCHAINS-HOWTO (http://www.linuxdoc.org)"
    ;;
esac

# vi:et:ai:tw=70:ts=4:sw=4:
#--------------- END SCRIPT HERE --------------

-- 
Chad "^chewie, gunnarr" Walstrom <[EMAIL PROTECTED]>
             http://www.wookimus.net/
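The mail above sketches tying the firewall rules to ifup/ifdown through run-parts hooks and per-interface rule scripts, but leaves open what the hooks get told about the interface. The following hook script is an added example written for this discussion, not Chad's init.d script and not part of ipmasq or ifupdown; it assumes (as ifupdown documents in later versions) that a hook under /etc/network/if-up.d or /etc/network/if-down.d is run with IFACE, MODE (start or stop) and, where available, PHASE (pre-up, post-up, pre-down, post-down) in its environment, and that the per-interface scripts live in /etc/firewall as ${IFACE}.rules and take the phase as their only argument, mirroring the `up /etc/firewall/eth0.rules up` idea from the mail. It validates IFACE before using it as a path component, treats a missing script as "no policy for this interface" rather than an error, and lets a failing rule script fail the hook so ifup reports it.

```shell
#!/bin/sh
# Hypothetical firewall hook for /etc/network/if-up.d and if-down.d (example
# for this thread, not the mail's init.d script). Assumes ifupdown exports
# IFACE, MODE (start|stop) and optionally PHASE to hooks it runs via run-parts.

RULESDIR=${RULESDIR:-/etc/firewall}

# Accept only plain interface names: not empty, no '/', no leading '.', so a
# malformed or hostile IFACE can never resolve outside RULESDIR.
valid_iface() {
    case "$1" in
        ''|*/*|.*) return 1 ;;
    esac
    return 0
}

# Phase to hand to the per-interface script. Use PHASE when ifupdown supplies
# it; otherwise map MODE=start to post-up and MODE=stop to post-down, which is
# what an if-up.d / if-post-down.d hook corresponds to.
phase_name() {
    # $1 = MODE, $2 = PHASE (may be empty)
    if [ -n "$2" ]; then
        echo "$2"
        return 0
    fi
    case "$1" in
        start) echo post-up ;;
        stop)  echo post-down ;;
        *)     return 1 ;;
    esac
}

# Path of the executable rules script for an interface, e.g.
# /etc/firewall/eth0.rules; returns 1 if the interface has none.
rules_script() {
    script="${RULESDIR}/$1.rules"
    [ -x "$script" ] || return 1
    echo "$script"
}

# Entry point: run ${RULESDIR}/${IFACE}.rules with the phase as its argument.
# No script means the firewall is left unchanged and the hook succeeds (0);
# bad input returns 2; a failing rules script propagates its own status.
firewall_hook() {
    iface=$1 mode=$2 phase=$3
    valid_iface "$iface" || { echo "firewall hook: refusing IFACE='$iface'" >&2; return 2; }
    name=$(phase_name "$mode" "$phase") || { echo "firewall hook: unknown MODE='$mode'" >&2; return 2; }
    script=$(rules_script "$iface") || { echo "firewall hook: no rules for $iface, skipping" >&2; return 0; }
    "$script" "$name"
}

# When invoked by ifupdown, dispatch on the environment it provides.
if [ -n "$IFACE" ] && [ -n "$MODE" ]; then
    firewall_hook "$IFACE" "$MODE" "$PHASE"
fi
```

Installed as the same file (or a symlink) under both if-up.d and if-down.d, one copy of this logic covers every interface; an interface without a rules script is simply ignored, which keeps loopback and throwaway ppp interfaces from tripping the hook.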
