On Mon, Dec 04, 2000 at 10:11:54AM -0600, Carlo U. Segre wrote:
>
> Hello All:
>
> I wanted to know what the proper way would be to set up firewalling rules
> in a potato system. Putting the ipfwadm or ipchains lines in
> /etc/init.d/networking (I have used /etc/init.d/netbase in slink) is the
> most direct way I can think of but that may not be the "right" way to do
> it. Any suggestions?
I just got done with YAFI (Yet Another Firewall Installation) this weekend. I've been making an init.d script of my own that will save or restore the firewall rules out of the /etc/firewall directory. It's a real simple script that takes advantage of four applications: ipchains, ipchains-save, ipchains-restore, and date. I've attached it to the end of this email message. Perhaps it'll help you out.

Personally, I like the IPChains rules that you find in Section 7 of the IPCHAINS-HOWTO. You can reference this at http://www.linuxdoc.org/.

Ultimately, I'd like to tie in my firewall rules to ifup/ifdown scripts and take advantage of Debian's clean network interface scripts. It would involve something like adding the lines:

    {up|pre-up|down|post-down} {command}

where {command} may be something like

    run-parts {if-up.d|if-pre-up.d|if-down.d|if-post-down.d}

or a specific script for that interface:

    up /etc/firewall/eth0.rules up
    post-down /etc/firewall/eth0.rules post-down
    # etc...

The Debian package 'ipmasq' does something similar, but examines your interfaces for you, making some decisions based on the routing as to which interfaces are external and which interfaces are internal. It seems more specialized for ppp dialup situations where you don't have dial-on-demand set up. (I had no few troubles trying to get this package to bend to my will.)

The 'run-parts' scripts will only work in a generic manner if we can grab info about the interface that is being brought up or down. I'll need to do more research to find out what type of environment variables the ifup/ifdown scripts pass on to their child scripts. If you have interfaces constantly going up and down or changing their IP addresses, you SHOULD use the interfaces(5) file to launch respective interface-specific firewall scripts.

Anyway, here's my init.d script.
Hope it helps:

#--------------- BEGIN SCRIPT HERE --------------
#!/bin/sh
# Firewall rules
# by Chad Walstrom <[EMAIL PROTECTED]>
# Last update: 2000/12/03

IPCHAINS=/sbin/ipchains
RESTORE=/sbin/ipchains-restore
SAVE=/sbin/ipchains-save
RULES=/etc/firewall/firewall.rules
RULESDIR=/etc/firewall

test -d ${RULESDIR} || mkdir ${RULESDIR}

# Drop every rule in every chain
flush() {
    ${IPCHAINS} -F
}

noforward() {
    echo "0" > /proc/sys/net/ipv4/ip_forward
}

# For masquerade support
forward() {
    echo "1" > /proc/sys/net/ipv4/ip_forward
}

# Keep a timestamped copy of the previous rules file (if there is one)
# before overwriting it with the rules currently loaded in the kernel
saverules() {
    test -f ${RULES} && cp ${RULES} ${RULES}.`date +%s`
    ${SAVE} > ${RULES}
}

# -f flushes the chains before loading the saved rules
restorerules() {
    ${RESTORE} -f < ${RULES}
}

case $1 in
    start)
        echo -n "Initializing firewall..."
        flush
        # Change this to noforward if you're not masquerading or
        # bridging
        forward
        restorerules
        echo "done."
        ;;
    stop)
        echo -n "Halting all traffic..."
        noforward
        # Uncomment to save rules on stop -- POTENTIALLY DANGEROUS
        #saverules
        flush
        echo "done."
        ;;
    save)
        echo "Saving firewall rules..."
        saverules
        echo "Done."
        ;;
    restart|reload|forced-reload)
        $0 stop
        $0 start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|reload|forced-reload|save}"
        echo ""
        echo "See also: ipchains(8), ipchains-save(8), ipchains-restore(8),"
        echo "          IPCHAINS-HOWTO (http://www.linuxdoc.org)"
        ;;
esac

# vi:et:ai:tw=70:ts=4:sw=4:
#--------------- END SCRIPT HERE --------------

--
Chad "^chewie, gunnarr" Walstrom <[EMAIL PROTECTED]>
http://www.wookimus.net/
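Worked example added by the editor, not Chad's script and not part of the original thread: one generic hook for /etc/network/if-up.d and if-down.d that uses the IFACE and MODE variables ifupdown exports to its child scripts, and generates per-interface ipchains rules from them. The rules directory, the chain naming and the list of external interfaces are assumptions for illustration.

```sh
#!/bin/sh
# Generic ifupdown firewall hook (added example). ifupdown exports
# IFACE (interface name) and MODE (start|stop) to scripts it runs via
# run-parts, so a single script can handle every interface.
# Assumed for illustration: paths below and the external-interface list.
IPCHAINS=${IPCHAINS:-/sbin/ipchains}
RULESDIR=${RULESDIR:-/etc/firewall}
EXTERNAL_IFACES=${EXTERNAL_IFACES:-"eth0 ppp0"}

# Print the ipchains arguments for one interface, one rule per line.
# Printing instead of executing lets the rule set be reviewed (or
# tested) before it touches the kernel. ipchains chain names are
# limited to 8 characters, so "fw-" plus a short interface name is safe.
fw_rules() {
    iface=$1; mode=$2; chain="fw-$iface"
    case $mode in
    start)
        echo "-N $chain"
        # Divert everything arriving on this interface into its chain
        echo "-A input -i $iface -j $chain"
        for ext in $EXTERNAL_IFACES; do
            if [ "$ext" = "$iface" ]; then
                # Outside interface: log and drop spoofed private sources
                echo "-A $chain -s 10.0.0.0/8 -l -j DENY"
                echo "-A $chain -s 172.16.0.0/12 -l -j DENY"
                echo "-A $chain -s 192.168.0.0/16 -l -j DENY"
                # Accept only TCP replies (non-SYN) to our own connections
                echo "-A $chain -p tcp ! -y -j ACCEPT"
                echo "-A $chain -l -j DENY"
                return 0
            fi
        done
        echo "-A $chain -j ACCEPT"   # inside interface: accept
        ;;
    stop)
        echo "-D input -i $iface -j $chain"
        echo "-F $chain"
        echo "-X $chain"
        ;;
    esac
}

# Feed the generated rules to ipchains, then run an optional
# interface-specific extras file ($RULESDIR/<iface>.rules) if present.
fw_apply() {
    fw_rules "$1" "$2" | while read -r args; do
        $IPCHAINS $args || exit 1      # word splitting is intended
    done || return 1
    [ -x "$RULESDIR/$1.rules" ] && "$RULESDIR/$1.rules" "$2"
    return 0
}

# Only act when invoked by ifupdown (IFACE set), never when sourced.
if [ -n "${IFACE:-}" ]; then fw_apply "$IFACE" "${MODE:-start}"; fi
```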