Linux-2.2 ipchains firewall/NAPT/NAT administration
https://fwup.org
- Shell 81.7%
- Perl 17.1%
- Makefile 1.2%
|
|
||
|---|---|---|
| examples | 20041231 | |
| patches | 20020626 | |
| tools | 20041231 | |
| firewall | 20041231 | |
| firewall.policy | 20041231 | |
| fwdown | 20041231 | |
| fwprobe | 20041231 | |
| fwup | 20041231 | |
| make-install | 20041231 | |
| make-lrpkg | 20041231 | |
| make-ls | 20041231 | |
| make-meta-install | 20041231 | |
| make-meta-ls | 20041231 | |
| make-meta-uninstall | 20041231 | |
| make-policy | 20041231 | |
| make-uninstall | 20041231 | |
| Makefile | 20041231 | |
| meta-firewall | 20041231 | |
| migrate-policy | 20041231 | |
| README | 20041231 | |
| update-reserved-networks | 20041231 | |
README
~~~~~~
firewall - Linux-2.2 ipchains firewall/NAPT/NAT administration
Firewall is a set of scripts (firewall, fwup and fwdown) that implement one
or more ipchains firewalls that support various forms of network address and
port translation. All you have to do is read the heavily documented policy
file and edit it to reflect your network topology and filtering policy.
The policy file is composed of sections in which you need to specify: this
host's trusted and untrusted network interfaces; this host's role and
function within the network topology; and the incoming and outgoing services
to allow and the internal and external hosts that may take part in them. It
has been designed so as to make this as painless and flexible as possible
but you must be willing to do some reading. There are several examples to
look at in the examples directory.
Each section contains detailed explanations and advice on things such as
when to start the firewall and the security implications of various well
known internet services and advice on how to allow them safely. It is
intended to introduce administrators to some subtleties of packet
filtering quickly so that they can make better informed security decisions
and achieve and maintain effective network security (at least the packet
filtering part) in a very short time. Of course, it will not prevent you
from achieving bad network security, but you will have been warned.
Each section also contains commented out variables that can be uncommented
and possibly edited to supply policy information to the firewall. Most of
them show the default values used by the firewall. Others are choices.
Others still are just examples. Hopefully it's clear which is which. Each
policy variable is explained when encountered.
Various network topologies are supported:
Single Host (no forwarding, no address/port translation)
Forwarding (no address/port translation)
Masquerading (outgoing M:1 NAPT)
Port Forwarding (Masquerading + incoming 1:M NAPT)
Alias Port Forwarding (Masquerading + incoming N:M NAPT)
Static NAT (incoming and outgoing 1:1 NAT)
Up to 10 untrusted network interfaces are supported, each with a distinct
policy. There can be as much or as little policy sharing between untrusted
interfaces as you like.
Centralised administration of multiple remote firewalls is supported.
The policy is specified in the firewall.policy file.
Read it carefully. It contains much necessary information.
Here is the list of currently supported services:
icdns - incoming Client DNS
ocdns - outgoing Client DNS
isdns - incoming Server DNS
osdns - outgoing Server DNS
ismtp - incoming SMTP
osmtp - outgoing SMTP
ipop - incoming POP
opop - outgoing POP
iimap - incoming IMAP
oimap - outgoing IMAP
ildap - incoming LDAP
oldap - outgoing LDAP
ispop - incoming SSL-POP
ospop - outgoing SSL-POP
isimap - incoming SSL-IMAP
osimap - outgoing SSL-IMAP
isldap - incoming SSL-LDAP
osldap - outgoing SSL-LDAP
issh1 - incoming SSH1
ossh1 - outgoing SSH1
issh2 - incoming SSH2/LSH
ossh2 - outgoing SSH2/LSH
inftp - incoming FTP (normal mode)
onftp - outgoing FTP (normal mode)
ipftp - incoming FTP (passive mode)
opftp - outgoing FTP (passive mode)
iteln - incoming TELNET
oteln - outgoing TELNET
ihttp - incoming HTTP
ohttp - outgoing HTTP
ihttps - incoming HTTPS
ohttps - outgoing HTTPS
iproxy - incoming HTTP PROXY
oproxy - outgoing HTTP PROXY
isquid - incoming SQUID
osquid - outgoing SQUID
inntp - incoming NNTP
onntp - outgoing NNTP
irsync - incoming RSYNC
orsync - outgoing RSYNC
icvs - incoming CVS
ocvs - outgoing CVS
ignats - incoming GNATS
ognats - outgoing GNATS
imysql - incoming MYSQL
omysql - outgoing MYSQL
ismb - incoming SMB
osmb - outgoing SMB
iirc - incoming IRC
oirc - outgoing IRC
iicq - incoming ICQ
oicq - outgoing ICQ
ireal - incoming RealAudio/QuickTime
oreal - outgoing RealAudio/QuickTime
ivnc - incoming VNC
ovnc - outgoing VNC
ireach - incoming REACHOUT
oreach - outgoing REACHOUT
ipcany - incoming PC ANYWHERE
opcany - outgoing PC ANYWHERE
iwterm - incoming WINDOWS TERMINAL SERVER
owterm - outgoing WINDOWS TERMINAL SERVER
intp - incoming NTP
ontp - outgoing NTP
idayt - incoming DAYTIME
odayt - outgoing DAYTIME
itime - incoming TIME
otime - outgoing TIME
igoph - incoming GOPHER
ogoph - outgoing GOPHER
iwais - incoming WAIS
owais - outgoing WAIS
oarch - outgoing ARCHIE
ifing - incoming FINGER
ofing - outgoing FINGER
owhois - outgoing WHOIS
iauth - incoming AUTH
oauth - outgoing AUTH
inotes - incoming NOTES
onotes - outgoing NOTES
cdial - DIALPAD Client
cwbfn - WEBPHONE Client
cnt2fn - NET2PHONE Client
chotel - HOTTELEPHONE/WEB2CALL Client
intmt - Incoming NETMEETING
ontmt - Outgoing NETMEETING
ilog - incoming SYSLOG
olog - outgoing SYSLOG
sdhcp - DHCP Server
cdhcp - DHCP Client
itacacs - Incoming TACACS+
otacacs - Outgoing TACACS+
isnmp - incoming SNMP
osnmp - outgoing SNMP
isnmpt - incoming SNMP TRAP
osnmpt - outgoing SNMP TRAP
ibgp - incoming BGP
obgp - outgoing BGP
ospf - OSPF
irip - incoming RIP
orip - outgoing RIP
ikerb - incoming KERBEROS
okerb - outgoing KERBEROS
ipptp - incoming PPTP
opptp - outgoing PPTP
iipsec - incoming IPSEC
oipsec - outgoing IPSEC
iping - incoming PING
oping - outgoing PING
itrace - incoming TRACEROUTE
otrace - outgoing TRACEROUTE
idanger - incoming X11 connections, trojans
odanger - outgoing X11 connections, trojans
Note: Don't trust it. Test it. Audit it. Many services haven't been tested yet.
Please send me any success reports, bug reports, criticism, comments,
corrections, suggestions, patches, pointers to more information, ...
INSTALL
~~~~~~~
This should install on any linux system. Please let me know if it doesn't.
See REQUIREMENTS for runtime requirements.
Unpack the distribution:
tar xzf firewall-20041231.tar.gz
cd firewall-20041231
If you are upgrading and have an existing firewall.policy, you could try to
migrate your existing policy into the new policy file (as root):
./migrate-policy firewall.policy /etc/firewall.policy
If you do this, make sure that you check the result carefully, comparing it
to both your existing policy file and to the backup of the new policy file.
Read the policy file and edit it to reflect your filtering policy and topology:
vi firewall.policy
Install scripts and policy (as root):
make uninstall # if a previous version is installed
make install
make policy
If make is not installed (as root):
make-uninstall # if a previous version is installed
make-install
make-policy
For more details:
make help
This will cause the firewall to be started at boot time before the
network starts and after each new IP address is received via PPP
or DHCP (if applicable). The firewall will be stopped at shutdown
time after networking is stopped.
To start the firewall before the next reboot, run one of (depends on system)
(as root):
/etc/rc.d/init.d/firewall start
/etc/init.d/firewall start
/etc/firewall start
After setting up a firewall, don't forget to audit it with nmap (as root
from the inside and the outside) to make sure that you got what you wanted.
The tools/portscan script may be useful here. If there are any surprises,
investigate. It is imperative that you know what your firewall does and
doesn't do.
REMOTE INSTALL
~~~~~~~~~~~~~~
You can also install scripts that allow you to subsequently install and
manage multiple remote firewalls.
Unpack the distribution:
tar xzf firewall-20041231.tar.gz
cd firewall-20041231
Install (as root):
make meta-install
If make is not installed (as root):
make-meta-install
This creates the /etc/firewall.d directory and installs the meta-firewall
script in either /etc/rc.d/init.d, /etc/rc.d or /etc depending on your system.
If upgrading, you could try to migrate an existing remote policy into the
new policy file (as root):
meta-firewall migrate <fw>
Prepare for a remote install (if not upgrading) (as root):
meta-firewall prepare <fw>
Read the policy file and edit it to reflect your filtering policy and
topology (as root):
meta-firewall edit <fw>
Install the firewall scripts onto the remote firewall host (as root):
meta-firewall install <fw>
Install the remote firewall's policy file (as root):
meta-firewall policy <fw>
Start the firewall remotely (as root):
meta-firewall start <fw>
For more details:
meta-firewall --help
Where <fw> is the hostname of a remote firewall host
You will need root access via openssh to all remote firewall hosts. You will
need to either use ssh-agent(1) or enter remote root passwords or your local
passphrase when managing the remote firewalls.
Shell tracing is turned on during the execution of all scp and ssh commands
to the remote firewall hosts so you can see what's going on before you type
in the root password. If you don't want to see what's going on, set the
environment variable verbose=no.
Make sure you don't install a remote firewall that doesn't allow incoming
ssh from the administration host or you won't be able to update it later :)
LRP PACKAGE INSTALL
~~~~~~~~~~~~~~~~~~~
You can create an Linux Router Project (LRP) package after defining your
firewall policy and install it onto an LRP system.
Unpack the distribution (on a non-LRP system):
tar xzf firewall-20041231.tar.gz
cd firewall-20041231
If you are upgrading and have an existing firewall.policy, you could try to
migrate your existing policy into the new policy file (as root):
./migrate-policy firewall.policy /etc/firewall.policy
If you do this, make sure that you check the result carefully, comparing it
to both your existing policy file and to the backup of the new policy file.
Read the policy file and edit it to reflect your filtering policy and topology:
vi firewall.policy
Build the LRP package (as root):
make lrpkg
The package "firewall.lrp" will be created in the current directory.
Then transfer this package to your LRP system (See LRP documentation
for details).
This will cause the firewall to be started at boot time before the
network starts and after each new IP address is received via PPP
or DHCP (if applicable). The firewall will be stopped at shutdown
time after networking is stopped.
Note: The current (mid-2002) version of the Oxygen LRP distribution doesn't
have expr compiled into the busybox version of ash so you will need to
install expr somehow or use any other LRP distribution (including previous
versions of Oxygen).
To start the firewall before the next reboot, run (as root):
/etc/init.d/firewall start
After setting up a firewall, don't forget to audit it with nmap (as root
from the inside and the outside) to make sure that you got what you wanted.
The tools/portscan script may be useful here. If there are any surprises,
investigate. It is imperative that you know what your firewall does and
doesn't do.
UPDATING
~~~~~~~~
The firewall uses the IANA's list of reserved networks. This list changes
over time. Therefore, the firewall needs to be kept up to date with the
current version of the list. The script "update-reserved-networks" downloads
the latest version of the list from the IANA's website and then modifies the
script that brings up the firewall accordingly. This is not automated. I
wonder if it should be. I don't think I could bare the thought of re-writing
it in shell. When you notice that some packets are being dropped as spoof
packets, it probably means that it's time to run update-reserved-networks on
the firewall scripts.
EXTRAS
~~~~~~
The examples directory contains several example policy files. They
demonstrate all supported types of network topology, some with detailed
policies. They should be considered mandatory reading.
The tools directory contains the following utilities:
dns2ip - a filter that translates domain names into IP addresses
fwhelper - ipchains troubleshooting script (ipchains -C with tracing)
portscan - performs a thorough port scan using nmap
tcpdump-histogram - prints a histogram of packets in tcpdump output
The patches directory contains two patches that you might find useful:
ipchains-1.3.*-Q.patch
~~~~~~~~~~~~~~~~~~~~~~
This is a patch for ipchains-1.3.9 and ipchains-1.3.10 which adds the
-Q option. This option takes a filename or ``-'' as an argument.
If a filename is given, ipchains reads its commands from the file.
If ``-'' is given, ipchains reads its commands from standard input.
Blank lines and shell-style comments are ignored so it is possible
to write executable #!/sbin/ipchains scripts.
This allows ipchains to perform all of it's tasks in a single process
instead of several hundred invocations of the same process so starting
an ipchains packet filtering firewall can now be done instantaneously.
Written by raf <raf@raf.org>
masq-demasq.patch
~~~~~~~~~~~~~~~~~
This is a patch for linux-2.2.13 which makes port forwarding
work when initiated from inside the masqueraded network(s).
Written by Michael Best <michael@com.org>
REQUIREMENTS
~~~~~~~~~~~~
- Linux-2.2.x and ipchains
- See firewall.policy file for kernel configuration and module requirements
- ipmasqadm iff doing port forwarding or alias port porwarding
- ip (iproute2) iff doing alias port porwarding or static NAT
- nmap used by the portscan utility
- root privileges for ipchains, ipmasqadm, ip
- root privileges inside and outside for auditing with nmap
- perl used by most of the utilities (dns2ip also requires Net-DNS)
- perl, diff and patch used by migrate-policy
Note: perl is not needed for the firewall itself!
These can be found at:
Linux-2.2 - http://www.kernel.org/ (2.2.19)
ipchains - http://netfilter.kernelnotes.org/ipchains/ (1.3.10)
ipmasqadm - http://juanjox.kernelnotes.org/ (0.4.2)
iproute2 - ftp://ftp.inr.ac.ru/ (000305)
nmap - http://www.insecure.org/nmap/ (2.53)
perl - http://www.perl.com/ (5.005_03)
Net-DNS - http://www.perl.org/CPAN/modules/by-module/Net/ (0.12)
diff - ftp://ftp.gnu.org/pub/gnu/diffutils/ (2.7)
patch - ftp://ftp.gnu.org/pub/gnu/patch/ (2.5)
COPYING
~~~~~~~
firewall - Linux-2.2 ipchains firewall/NAPT/NAT administration
Copyright (C) 1999-2004 raf <raf@raf.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
or visit http://www.gnu.org/copyleft/gpl.html
HISTORY
~~~~~~~
19991231
- Initial version
20000309
- Incorporated linux-firewall-tools.com:
- Added more protection against spoofing and dangerous services
- Added more kernel protection (source routing, redirects, syn cookie,
defrag, icmp broadcast echo, bogus error response, martian logging)
- Added services (DHCP, HTTPS, HTTP PROXY, IMAP, ICQ, Real Audio)
- Changed default forward policy from deny to reject
- Added "untrusted networks"
- Added configuration of masquerade timeouts
- Split SSH into SSH1 and SSH2
- Added BGP and RSYNC
- Fixed DNS policy variables and doco
- Cleaned up, fixed bugs
- Modified fwup to run on non redhat systems
- Added "make decent"
- Started logging incoming ping and traceroute even if accepted
- IP forwarding only started/stopped if masquerading requested
- Started denying/rejecting fragments (kernel must always defrag)
- Started using local and masqueraded port ranges (from Mike A. Harris)
- Added SMB, PPTP and IPSEC (from Yan Seiner)
- Added support for multiple untrusted interfaces with differing policies
- Added automatic identification of local networks
20000321
- Added dynamic IP address hacking in IP MASQ (for non-routers only!)
- Added the ability to deny/reject selected ports without logging them
- Added Kerberos, CVS, GNATS, MySql, SSL-POP, SSL-IMAP, SSL-LDAP, OSPF
- Fixed bug: was masquerading traffic between multiple internal networks
- Added the dns2ip utility to translate domain names in policy files into ip addresses
20000402
- Shortened/cleaned up fwup a bit with more functions
- Fixed bug: SSH1 rules were allowing SSH2 as well
- Fixed doco: outgoing SSH2 note was stupid
- Fixed bug: SDNS rules were allowing CDNS as well
- Fixed bug: masqueraded UDP (e.g. CDNS!) failed (func vars weren't local)
- Fixed bug: SNMP[T] rules from Chapman & Zwicky disagreed with RFC 1157
- Fixed bug: typo in DHCP Client rules allowed incoming address updates even when $DHCP_SERVERS is empty
- Added the ability to specify more simple tcp services in the policy file
20000421
- Added LDAP, NOTES
- Added the ability to deny/reject other protocols without logging them
- Added loading/unloading of IP masquerading modules
- Deny/Reject fragments iff $IPV4_FRAGMENT_PROTECT != "no"
- Made ICMP configurable (default behaviour remains the same)
- Added portsummary utility to display connection tuples in tcpdump output
- Included some archie server addresses in firewall.policy as a comment
- Started determining masquerade ports directly from kernel source
- Added support for forwarding to internal hosts with individual policies
- Fixed bug: Stopped creating chains that were never used (thanks to
forwarding changes, starting the firewall is now twice as fast!)
- Fixed bug: Outgoing ICQ rules were wrong (udp rules reversed)
- Fixed bug: The extra tcp services weren't being included
- Fixed bug: Was doing spoof protection on internal untrusted interfaces
- Rewrote/reorganised the initial doco in firewall.policy and README
- Added detailed open port profiles to the notes on each service
- Added support for port forwarding (incoming and outgoing M:1 NAPT)
- Added portscan utility to perform comprehensive portscans
- Added an example policy file for each type of supported network tpology
- Made chain policies configurable (some like DENY, others like REJECT)
20000430
- Fixed bug: make install was creating too many links in /etc/rc.d/rc?.d
- Fixed bug: success/error messages sent to /var/log/messages were pathetic
- Added portfw to the list of loadable masq modules in the policy file
- Added "ipchains -M -L -v -n" to "firewall probe"
- Made it possible to specify untrusted addresses in policy if all are static
- Removed all uses of perl from fwup (no longer determines masquerade ports
directly from kernel source but that was a silly idea anyway)
20000601
- Added "make [un]install" support for most systems and ppp and dhcp
(inspired by PMfirewall)
- Added the ability to recognise dangerous udp ports and block them early
(and added the trojan cavalry (from mason) as comments in the policy file)
- Fixed bug: didn't support preferences (load sharing) when port forwarding
- Fixed bug: target names couldn't be used with identical service names
- Added support for alias port porwarding and static NAT
- Added support for "ipchains -Q" if available (twice as fast again!)
- Added patches directory to distribution: ipchains-Q and masq-demasq
- Added the ability to set ip_masq_udp_dloose for linux-2.2.15
- Fixed bug: service chains for multiple targets were added multiple times
- Added ACK and Window scans to the portscan utility (for nmap-2.53)
- Added SQUID
- Added check to ensure that BLOCK{IN|OUT|FWD} are set to DENY or REJECT
- Renamed portsummary to tuplegram and added icmp and udp support
- Fixed bug: make [un]install didn't work with recent version of bash
20000914
- Updated the ipchains url in README
- Fixed the explanation why internally initiated port forwarding
doesn't work (in the BUGS section below) thanks to Michael Best
- Added DIALPAD, WEBPHONE, NET2PHONE, HOTTELEPHONE/WEB2CALL, NETMEETING
- Added port range forwarding in $PORTRANGEFW
- Made outgoing server dns (when masquerading) more strict
20010211
- Added VNC service
- Exposed $ILLEGAL_NETWORKS to policy file (for partitioning private nets)
- Added support for REDIRECT (transparent proxying)
- Updated and optimised $RESERVED_NETWORKS (bs@axysdesign.com, jshin@pantheon.yale.edu)
- Added search in $PATH for programs (bs@axysdesign.com)
- Stopped dns2ip from translating in shell comments (jshin@pantheon.yale.edu)
- Added TIME, DAYTIME services (jshin@pantheon.yale.edu)
20010214
- Fixed security bug: bad tempfile creation for ipchains-Q (dynamo@ime.net)
20010507
- Fixed typo in policy file (OUTGOING_VNC_PORTS -> INCOMING_VNC_PORTS)
- Added PC ANYWHERE, WINDOWS TERMINAL SERVER
- Added support for chkconfig (but you must verify it for your system)
- Fixed bug: was logging all forwarded packets when FORWARDING="yes" (dos!)
- Removed installation dependency on make (cesar@rotnet.com.br)
- Added kernel config, module and software requirements doco to policy file
- Fixed tuplegram bugs, added arp support, renamed it to tcpdump-histogram
- Fixed icmp parsing and added fragment support in fwhelper
- Added centralised administration of multiple remote firewalls
20010801
- Fixed SNMP TRAP rules (source port 161, no return packets)
- Fixed X11 client rules (dj@head-cfa.harvard.edu)
- Added X11 server rules
20010815
- Fixed bug: redirect code never executed (ckhui@school.net.hk)
- Updated IANA reserved networks (20010619 - 67, 68, 80 and 81 allocated)
20020626
- Added support for multicast sessions
- Added rejecting specific ports when policy is DENY (for inacker@informatik.uni-freiburg.de)
- Added support for PPTP server on localhost (nick@abssys.com)
- Updated URL for ip_masq_h323 module (martin@kos.li)
- Updated -Q patch for ipchains-1.3.10 (rmrpms@usa.net)
- Added REACHOUT service
- Added TACACS+ service
- Updated list of trojan ports (www.neohapsis.com, www.seifried.org)
- Removed the need for bash (LRP only has ash)
- Removed the need for awk (LRP doesn't have awk by default)
- Added migrate-policy (suggested by inacker@informatik.uni-freiburg.de)
- Added meta-firewall migrate/diff/revert
- Added more doco on SERVICES and TARGET_* variables (bs@axysdesign.com)
- Updated IANA reserved networks (20011201 - 219, 220 allocated to APNIC)
- Fixed firewall lockfile for Debian (jejc@free.fr)
- Made to work with ash, bsh, bash, ksh or (in the unlikely event) zsh
- Added installation support for more dhcp clients (i.e. pump and dhclient)
- Ported to LRP/busybox-ash (wont-i@wkh.org)
- Added "make lrpkg" (creates an LRP package after you define your policy)
- Added installation support for systems with /etc/ppp/ip-{up,down}.d
- Added "firewall reconf <config>"
- Added "firewall help"
20041215
- Added doco about perimeter networks and demilitarised zones
- Added $MASQUERADED_NETWORKS to masquerade selected internal networks
- Updated IANA reserved networks (2003年11月14日)
20041231
- Updated examples/policy.* to include earlier changes to firewall.policy
- Made messages conform to Debian standards (except when on Redhat)
- Updated IANA reserved networks (2004年08月03日)
- Added update-reserved-networks script so users can update them easily
- Extracted fwprobe as a separate command from "firewall probe"
REFERENCES
~~~~~~~~~~
Building Internet Firewalls by Chapman & Zwicky
IPCHAINS-HOWTO by Paul Russell
http://linux-firewall-tools.com by Robert L. Ziegler
The ipchains mailing list. Particularly Yan Seiner, Mike Harris and Michael Best
IP-Masquerade-HOWTO by David Ranch
IP Command Reference by Alexey N. Kuznetsov
PMfirewall (http://www.pointman.org) by Rick Johnson (installation)
mason (http://www.pobox.com/~wstearns/mason) by Willian Stearns (trojan list)
TCP/IP Illustrated Volume 1 by W Richard Stevens
Network Intrusion Detection - An Analyst's Handbook by Stephen Northcutt and Judy Novak
RFC 2588 IP Multicast and Firewalls by Ross Finlayson
www.neohapsis.com ports list
www.seifried.org ports list
BUGS
~~~~
- I've been told that masquerading the H.323 services (e.g. HOTTELEPHONE)
doesn't work but wasn't given any details and the person who reported it
didn't seem interested in helping me fix whatever the problem might have
been. If anyone would like to help me test it and get it working (if indeed
it doesn't work), please contact me.
- The *SERVERS* and *CLIENTS* policy variables for a given service apply to all
instances of a service across a given interface. This means that if you have
something like: SERVICES="oservice.targeta oservice.targetb", then the hosts
in both targeta and targetb are restricted to connecting to the same set of
external servers for the given service. Let me know if this is a problem.
It can be fixed but the policy file will get a bit uglier.
- Masquerading across multiple interfaces is not supported.
If you have multiple untrusted interfaces and you are masquerading,
then masquerading occurs for packets leaving via the first untrusted
interface only. Let me know if this is a problem. It's easy to fix.
- When port forwarding, internal hosts shouldn't try to make connections to
the forwarded port on the external interface because it doesn't work with
a stock kernel. Michael Best has written a patch to linux-2.2.13 to fix this.
It's in the patches directory under masq-demasq. Here is his explanation of
the problem:
Michael Best (michael@com.org) wrote:
> What happens is that the first packet is forwarded to the correct host,
> but only its destination info has been changed. For example:
>
> Host A: 10.101.2.1 (firewall; external address is 216.324.11.123)
> Host B: 10.101.2.2 (running web server on port 80)
> Host C: 10.101.2.3 (client)
>
> Host A has 216.324.11.123/80 forwarded to Host B.
> Host C tries to connect to 216.324.11.123/80.
>
> First packet looks like this:
> From 10.101.2.3/1056 to 216.324.11.123/80
> It is forwarded:
> From 10.101.2.3/1056 to 10.101.2.2/80
> Reply looks like this:
> From 10.101.2.2/80 to 10.101.2.3/1056
> It is ignored by the client since it doesn't match any active connection.
> Thus the connection is never fully established and appears hung.
>
> My patch modifies the kernel so that it can modify both the destination and
> source addresses of a packet. It still requires that your rules are correct.
> Here is what the above would look like with my patch:
>
> First packet looks like this:
> From 10.101.2.3/1056 to 216.324.11.123/80
> It is forwarded:
> From to 10.101.2.2/80
> Here's the reply:
> From 10.101.2.2/80 to 216.324.11.123/64234
> This one goes back to the firewall and it forward:
> From 216.324.11.123/80 to 10.101.2.3/1056
>
> Note that this patch also make possible Starcraft and Warcraft Battle-net
> games between two people behind the same firewall.
>
> I've put my patch at http://www.com.org/~michael/masq-demasq.zip
- There is no support for static NAT between internal networks. Let me know
if this is a problem. This should be fixed. In the meantime, you can just
execute the necessary ip commands separately using priorities below 10000.
- Port forwarding port ranges isn't supported when using Alias Port Forwarding.
Let me know if this is a problem. It's easy to fix.
- Stopping the firewall stops packet forwarding in general. This is intentional.
However, on redhat systems with FORWARD_IPV4="yes" in /etc/sysconfig/network,
packet forwarding isn't stopped when the firewall is stopped. This is a
convenience (but it is unsafe). Note that for most small sites like a single
host or a single lan dialing up to the net, forwarding should be off when
not connected to the net anyway, so this won't be a problem.
If you have a system that uses a different configuration file/method to
determine whether or not to forward packets, let me know and i'll add
detection for that system.
- "make install" on systems with BSD style init scripts appends a
"firewall reload" command to the rc.local file. So the firewall will
start after the network is up. You should change this so the firewall
starts before the network is up. If this is a problem, tell me how to
determine where the command needs to go.
- There is no installation support for Richard Gooch's simpleinit scripts. :(
TODO
~~~~
Add implementations for iptables, ipf and cisco ios/cbac
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
URL: http://fwup.org/
Date: 20041231
Author: raf <raf@raf.org>