^chewie <[EMAIL PROTECTED]> writes:

> On Mon, Dec 04, 2000 at 10:11:54AM -0600, Carlo U. Segre wrote:
> >
> > Hello All:
> >
> > I wanted to know what the proper way would be to set up firewalling rules
> > in a potato system.  Putting the ipfwadm or ipchains lines in
> > /etc/init.d/networking (I have used /etc/init.d/netbase in slink) is the
> > most direct way I can think of but that may not be the "right" way to do
> > it.  Any suggestions?
>
> I just got done with YAFI (Yet another Firewall Installation) this
> weekend.  I've been making an init.d script of my own that will save
> or restore the firewall rules out of the /etc/firewall directory.
> It's a real simple script that takes advantage of four applications:
> ipchains, ipchains-save, ipchains-restore, and date.  I've attached it
> to the end of this email message.  Perhaps it'll help you out.
>
> Personally, I like the IPChains rules that you find in Section 7 of
> the IPCHAINS-HOWTO.  You can reference this at http://www.linuxdoc.org/.
>
> Ultimately, I'd like to tie in my firewall rules to ifup/ifdown
> scripts and take advantage of Debian's clean network interface
> scripts.  It would involve something like adding the lines:
>
>     {up|pre-up|down|post-down} {command}
>
> where {command} may be something like
>
>     run-parts {if-up.d|if-pre-up.d|if-down.d|if-post-down.d}
>
> or a specific script for that interface:
>
>     up /etc/firewall/eth0.rules up
>     post-down /etc/firewall/eth0.rules post-down
>     # etc...
>
> The Debian package 'ipmasq' does something similar, but examines your
> interfaces for you, making some decisions based on the routing as to
> which interfaces are external and which interfaces are internal.  It
> seems more specialized for ppp dialup situations where you don't have
> dial-on-demand set up.  (I had no few troubles trying to get this
> package to bend to my will.)
> The 'run-parts' scripts will only work in a generic manner if we can
> grab info about the interface that is being brought up or down.  I'll
> need to do more research to find out what type of environment variables
> the ifup/ifdown scripts pass on to their child scripts.
>
> If you have interfaces constantly going up and down or changing their
> IP addresses, you SHOULD use the interfaces(5) file to launch
> respective interface-specific firewall scripts.
>
> [snip script]
I've done something similar but I used PMFirewall (http://www.pointman.org)
instead.  It was very simple to set up and I tied it to the interfaces(5)
interface(?).  So in my /etc/network/interfaces file I have:

    iface eth1 inet static
        address 10.0.0.2
        netmask 255.255.255.0
        gateway 10.0.0.1
        broadcast 10.0.0.255
        pre-up /usr/local/etc/pmfirewall/pmfirewall start
        post-down /usr/local/etc/pmfirewall/pmfirewall stop

and it works like a champ!  This is on an ADSL connection so it's on
pretty much 24/7, but I bring the external interface down occasionally
to do security audits.  The only problem is that PMFirewall isn't a
Debian package, but it's very small and its ease of use overshadowed
the lack of a Debian package, for me.

Gary
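The two approaches above, chewie's per-interface rules files under /etc/firewall driven by the ifup/ifdown hooks and Gary's pre-up/post-down stanza, can be combined into one generic hook script. The script below is an added example written for this thread; it is not chewie's snipped init.d script nor part of PMFirewall or ipmasq. It relies on two facts about Debian's ifupdown: hook scripts in /etc/network/if-*.d/ are run with the environment variables IFACE (the interface being configured) and MODE (start for the up hooks, stop for the down hooks), and a pre-up command that exits non-zero makes ifup abort, so the interface is never brought up without its rules. The /etc/firewall/<iface>.<mode> file layout, the script's install path, and the RULES_DIR/RESTORE/SAVE overrides are this example's own conventions, not anything the thread or ifupdown defines.

```shell
#!/bin/sh
# Added example: a generic per-interface firewall hook for ifupdown.
# Install once and symlink it into both hook directories (paths are this
# example's convention):
#   /etc/network/if-pre-up.d/firewall    -> runs with MODE=start, before the
#                                           interface comes up
#   /etc/network/if-post-down.d/firewall -> runs with MODE=stop, after it is down
# ifupdown exports IFACE and MODE to every hook script; nothing else from the
# environment is trusted.  Rulesets live in $RULES_DIR/<iface>.<mode>
# (e.g. /etc/firewall/eth0.start) in ipchains-save format.

RULES_DIR="${RULES_DIR:-/etc/firewall}"
RESTORE="${RESTORE:-ipchains-restore}"   # reads a ruleset on stdin
SAVE="${SAVE:-ipchains-save}"            # writes the live ruleset to stdout

# rules_file IFACE MODE: print the ruleset path, or fail for anything that is
# not a plain interface name and a known mode.  IFACE arrives via the
# environment, so it must never be allowed to carry a path component.
rules_file() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9_.:-]*) return 1 ;;
    esac
    case "$2" in
        start|stop) ;;
        *) return 1 ;;
    esac
    printf '%s/%s.%s\n' "$RULES_DIR" "$1" "$2"
}

# firewall_hook IFACE MODE: load the ruleset for this interface and phase.
# On start a missing ruleset is an error; because this runs from pre-up,
# that error makes ifup abort, so the link never carries traffic unfiltered.
# On stop a missing file is simply a no-op.
firewall_hook() {
    file=$(rules_file "$1" "$2") || {
        echo "firewall: refusing IFACE='$1' MODE='$2'" >&2
        return 1
    }
    if [ ! -r "$file" ]; then
        if [ "$2" = start ]; then
            echo "firewall: no ruleset $file, not bringing $1 up" >&2
            return 1
        fi
        return 0
    fi
    $RESTORE < "$file"
}

# firewall_save IFACE MODE: snapshot the live ruleset into the file the hook
# will load later.  Writing to a temp file first means a failed save can
# never leave a truncated ruleset that the next ifup would load.
firewall_save() {
    file=$(rules_file "$1" "$2") || return 1
    tmp="$file.tmp.$$"
    if $SAVE > "$tmp"; then
        mv "$tmp" "$file"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Under ifupdown both variables are set; when run by hand without them the
# script defines its functions and does nothing.
if [ -n "${IFACE:-}" ] && [ -n "${MODE:-}" ]; then
    firewall_hook "$IFACE" "$MODE"
fi
```

After editing rules by hand, `firewall_save eth0 start` captures them into the file that the next `ifup eth0` will load; a separate `eth0.stop` ruleset can hold the deny-everything policy you want in place while the external interface is down for an audit.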