1
1
Fork
You've already forked fwup
0
Linux-2.2 ipchains firewall/NAPT/NAT administration https://fwup.org
  • Shell 81.7%
  • Perl 17.1%
  • Makefile 1.2%
2004年12月31日 16:40:15 +11:00
examples 20041231 2004年12月31日 16:40:15 +11:00
patches 20020626 2002年06月26日 22:11:47 +10:00
tools 20041231 2004年12月31日 16:40:15 +11:00
firewall 20041231 2004年12月31日 16:40:15 +11:00
firewall.policy 20041231 2004年12月31日 16:40:15 +11:00
fwdown 20041231 2004年12月31日 16:40:15 +11:00
fwprobe 20041231 2004年12月31日 16:40:15 +11:00
fwup 20041231 2004年12月31日 16:40:15 +11:00
make-install 20041231 2004年12月31日 16:40:15 +11:00
make-lrpkg 20041231 2004年12月31日 16:40:15 +11:00
make-ls 20041231 2004年12月31日 16:40:15 +11:00
make-meta-install 20041231 2004年12月31日 16:40:15 +11:00
make-meta-ls 20041231 2004年12月31日 16:40:15 +11:00
make-meta-uninstall 20041231 2004年12月31日 16:40:15 +11:00
make-policy 20041231 2004年12月31日 16:40:15 +11:00
make-uninstall 20041231 2004年12月31日 16:40:15 +11:00
Makefile 20041231 2004年12月31日 16:40:15 +11:00
meta-firewall 20041231 2004年12月31日 16:40:15 +11:00
migrate-policy 20041231 2004年12月31日 16:40:15 +11:00
README 20041231 2004年12月31日 16:40:15 +11:00
update-reserved-networks 20041231 2004年12月31日 16:40:15 +11:00

README
~~~~~~
firewall - Linux-2.2 ipchains firewall/NAPT/NAT administration
Firewall is a set of scripts (firewall, fwup and fwdown) that implement one
or more ipchains firewalls that support various forms of network address and
port translation. All you have to do is read the heavily documented policy
file and edit it to reflect your network topology and filtering policy.
The policy file is composed of sections in which you need to specify: this
host's trusted and untrusted network interfaces; this host's role and
function within the network topology; and the incoming and outgoing services
to allow and the internal and external hosts that may take part in them. It
has been designed so as to make this as painless and flexible as possible
but you must be willing to do some reading. There are several examples to
look at in the examples directory.
Each section contains detailed explanations and advice on things such as
when to start the firewall and the security implications of various well
known internet services and advice on how to allow them safely. It is
intended to introduce administrators to some subtleties of packet
filtering quickly so that they can make better informed security decisions
and achieve and maintain effective network security (at least the packet
filtering part) in a very short time. Of course, it will not prevent you
from achieving bad network security, but you will have been warned.
Each section also contains commented out variables that can be uncommented
and possibly edited to supply policy information to the firewall. Most of
them show the default values used by the firewall. Others are choices.
Others still are just examples. Hopefully it's clear which is which. Each
policy variable is explained when encountered.
Various network topologies are supported:
 Single Host (no forwarding, no address/port translation)
 Forwarding (no address/port translation)
 Masquerading (outgoing M:1 NAPT)
 Port Forwarding (Masquerading + incoming 1:M NAPT)
 Alias Port Forwarding (Masquerading + incoming N:M NAPT)
 Static NAT (incoming and outgoing 1:1 NAT)
Up to 10 untrusted network interfaces are supported, each with a distinct
policy. There can be as much or as little policy sharing between untrusted
interfaces as you like.
Centralised administration of multiple remote firewalls is supported.
The policy is specified in the firewall.policy file.
Read it carefully. It contains much necessary information.
Here is the list of currently supported services:
 icdns - incoming Client DNS
 ocdns - outgoing Client DNS
 isdns - incoming Server DNS
 osdns - outgoing Server DNS
 ismtp - incoming SMTP
 osmtp - outgoing SMTP
 ipop - incoming POP
 opop - outgoing POP
 iimap - incoming IMAP
 oimap - outgoing IMAP
 ildap - incoming LDAP
 oldap - outgoing LDAP
 ispop - incoming SSL-POP
 ospop - outgoing SSL-POP
 isimap - incoming SSL-IMAP
 osimap - outgoing SSL-IMAP
 isldap - incoming SSL-LDAP
 osldap - outgoing SSL-LDAP
 issh1 - incoming SSH1
 ossh1 - outgoing SSH1
 issh2 - incoming SSH2/LSH
 ossh2 - outgoing SSH2/LSH
 inftp - incoming FTP (normal mode)
 onftp - outgoing FTP (normal mode)
 ipftp - incoming FTP (passive mode)
 opftp - outgoing FTP (passive mode)
 iteln - incoming TELNET
 oteln - outgoing TELNET
 ihttp - incoming HTTP
 ohttp - outgoing HTTP
 ihttps - incoming HTTPS
 ohttps - outgoing HTTPS
 iproxy - incoming HTTP PROXY
 oproxy - outgoing HTTP PROXY
 isquid - incoming SQUID
 osquid - outgoing SQUID
 inntp - incoming NNTP
 onntp - outgoing NNTP
 irsync - incoming RSYNC
 orsync - outgoing RSYNC
 icvs - incoming CVS
 ocvs - outgoing CVS
 ignats - incoming GNATS
 ognats - outgoing GNATS
 imysql - incoming MYSQL
 omysql - outgoing MYSQL
 ismb - incoming SMB
 osmb - outgoing SMB
 iirc - incoming IRC
 oirc - outgoing IRC
 iicq - incoming ICQ
 oicq - outgoing ICQ
 ireal - incoming RealAudio/QuickTime
 oreal - outgoing RealAudio/QuickTime
 ivnc - incoming VNC
 ovnc - outgoing VNC
 ireach - incoming REACHOUT
 oreach - outgoing REACHOUT
 ipcany - incoming PC ANYWHERE
 opcany - outgoing PC ANYWHERE
 iwterm - incoming WINDOWS TERMINAL SERVER
 owterm - outgoing WINDOWS TERMINAL SERVER
 intp - incoming NTP
 ontp - outgoing NTP
 idayt - incoming DAYTIME
 odayt - outgoing DAYTIME
 itime - incoming TIME
 otime - outgoing TIME
 igoph - incoming GOPHER
 ogoph - outgoing GOPHER
 iwais - incoming WAIS
 owais - outgoing WAIS
 oarch - outgoing ARCHIE
 ifing - incoming FINGER
 ofing - outgoing FINGER
 owhois - outgoing WHOIS
 iauth - incoming AUTH
 oauth - outgoing AUTH
 inotes - incoming NOTES
 onotes - outgoing NOTES
 cdial - DIALPAD Client
 cwbfn - WEBPHONE Client
 cnt2fn - NET2PHONE Client
 chotel - HOTTELEPHONE/WEB2CALL Client
 intmt - Incoming NETMEETING
 ontmt - Outgoing NETMEETING
 ilog - incoming SYSLOG
 olog - outgoing SYSLOG
 sdhcp - DHCP Server
 cdhcp - DHCP Client
 itacacs - Incoming TACACS+
 otacacs - Outgoing TACACS+
 isnmp - incoming SNMP
 osnmp - outgoing SNMP
 isnmpt - incoming SNMP TRAP
 osnmpt - outgoing SNMP TRAP
 ibgp - incoming BGP
 obgp - outgoing BGP
 ospf - OSPF
 irip - incoming RIP
 orip - outgoing RIP
 ikerb - incoming KERBEROS
 okerb - outgoing KERBEROS
 ipptp - incoming PPTP
 opptp - outgoing PPTP
 iipsec - incoming IPSEC
 oipsec - outgoing IPSEC
 iping - incoming PING
 oping - outgoing PING
 itrace - incoming TRACEROUTE
 otrace - outgoing TRACEROUTE
 idanger - incoming X11 connections, trojans
 odanger - outgoing X11 connections, trojans
Note: Don't trust it. Test it. Audit it. Many services haven't been tested yet.
Please send me any success reports, bug reports, criticism, comments,
corrections, suggestions, patches, pointers to more information, ...
INSTALL
~~~~~~~
This should install on any linux system. Please let me know if it doesn't.
See REQUIREMENTS for runtime requirements.
Unpack the distribution:
 tar xzf firewall-20041231.tar.gz
 cd firewall-20041231
If you are upgrading and have an existing firewall.policy, you could try to
migrate your existing policy into the new policy file (as root):
 ./migrate-policy firewall.policy /etc/firewall.policy
If you do this, make sure that you check the result carefully, comparing it
to both your existing policy file and to the backup of the new policy file.
Read the policy file and edit it to reflect your filtering policy and topology:
 vi firewall.policy
Install scripts and policy (as root):
 make uninstall # if a previous version is installed
 make install
 make policy
If make is not installed (as root):
 make-uninstall # if a previous version is installed
 make-install
 make-policy
For more details:
 make help
This will cause the firewall to be started at boot time before the
network starts and after each new IP address is received via PPP
or DHCP (if applicable). The firewall will be stopped at shutdown
time after networking is stopped.
To start the firewall before the next reboot, run one of (depends on system)
(as root):
 /etc/rc.d/init.d/firewall start
 /etc/init.d/firewall start
 /etc/firewall start
After setting up a firewall, don't forget to audit it with nmap (as root
from the inside and the outside) to make sure that you got what you wanted.
The tools/portscan script may be useful here. If there are any surprises,
investigate. It is imperative that you know what your firewall does and
doesn't do.
REMOTE INSTALL
~~~~~~~~~~~~~~
You can also install scripts that allow you to subsequently install and
manage multiple remote firewalls.
Unpack the distribution:
 tar xzf firewall-20041231.tar.gz
 cd firewall-20041231
Install (as root):
 make meta-install
If make is not installed (as root):
 make-meta-install
This creates the /etc/firewall.d directory and installs the meta-firewall
script in either /etc/rc.d/init.d, /etc/rc.d or /etc depending on your system.
If upgrading, you could try to migrate an existing remote policy into the
new policy file (as root):
 meta-firewall migrate <fw>
Prepare for a remote install (if not upgrading) (as root):
 meta-firewall prepare <fw>
Read the policy file and edit it to reflect your filtering policy and
topology (as root):
 meta-firewall edit <fw>
Install the firewall scripts onto the remote firewall host (as root):
 meta-firewall install <fw>
Install the remote firewall's policy file (as root):
 meta-firewall policy <fw>
Start the firewall remotely (as root):
 meta-firewall start <fw>
For more details:
 meta-firewall --help
Where <fw> is the hostname of a remote firewall host
You will need root access via openssh to all remote firewall hosts. You will
need to either use ssh-agent(1) or enter remote root passwords or your local
passphrase when managing the remote firewalls.
Shell tracing is turned on during the execution of all scp and ssh commands
to the remote firewall hosts so you can see what's going on before you type
in the root password. If you don't want to see what's going on, set the
environment variable verbose=no.
Make sure you don't install a remote firewall that doesn't allow incoming
ssh from the administration host or you won't be able to update it later :)
LRP PACKAGE INSTALL
~~~~~~~~~~~~~~~~~~~
You can create an Linux Router Project (LRP) package after defining your
firewall policy and install it onto an LRP system.
Unpack the distribution (on a non-LRP system):
 tar xzf firewall-20041231.tar.gz
 cd firewall-20041231
If you are upgrading and have an existing firewall.policy, you could try to
migrate your existing policy into the new policy file (as root):
 ./migrate-policy firewall.policy /etc/firewall.policy
If you do this, make sure that you check the result carefully, comparing it
to both your existing policy file and to the backup of the new policy file.
Read the policy file and edit it to reflect your filtering policy and topology:
 vi firewall.policy
Build the LRP package (as root):
 make lrpkg
The package "firewall.lrp" will be created in the current directory.
Then transfer this package to your LRP system (See LRP documentation
for details).
This will cause the firewall to be started at boot time before the
network starts and after each new IP address is received via PPP
or DHCP (if applicable). The firewall will be stopped at shutdown
time after networking is stopped.
Note: The current (mid-2002) version of the Oxygen LRP distribution doesn't
have expr compiled into the busybox version of ash so you will need to
install expr somehow or use any other LRP distribution (including previous
versions of Oxygen).
To start the firewall before the next reboot, run (as root):
 /etc/init.d/firewall start
After setting up a firewall, don't forget to audit it with nmap (as root
from the inside and the outside) to make sure that you got what you wanted.
The tools/portscan script may be useful here. If there are any surprises,
investigate. It is imperative that you know what your firewall does and
doesn't do.
UPDATING
~~~~~~~~
The firewall uses the IANA's list of reserved networks. This list changes
over time. Therefore, the firewall needs to be kept up to date with the
current version of the list. The script "update-reserved-networks" downloads
the latest version of the list from the IANA's website and then modifies the
script that brings up the firewall accordingly. This is not automated. I
wonder if it should be. I don't think I could bare the thought of re-writing
it in shell. When you notice that some packets are being dropped as spoof
packets, it probably means that it's time to run update-reserved-networks on
the firewall scripts.
EXTRAS
~~~~~~
The examples directory contains several example policy files. They
demonstrate all supported types of network topology, some with detailed
policies. They should be considered mandatory reading.
The tools directory contains the following utilities:
 dns2ip - a filter that translates domain names into IP addresses
 fwhelper - ipchains troubleshooting script (ipchains -C with tracing)
 portscan - performs a thorough port scan using nmap
 tcpdump-histogram - prints a histogram of packets in tcpdump output
The patches directory contains two patches that you might find useful:
 ipchains-1.3.*-Q.patch
 ~~~~~~~~~~~~~~~~~~~~~~
 This is a patch for ipchains-1.3.9 and ipchains-1.3.10 which adds the
 -Q option. This option takes a filename or ``-'' as an argument.
 If a filename is given, ipchains reads its commands from the file.
 If ``-'' is given, ipchains reads its commands from standard input.
 Blank lines and shell-style comments are ignored so it is possible
 to write executable #!/sbin/ipchains scripts.
 This allows ipchains to perform all of it's tasks in a single process
 instead of several hundred invocations of the same process so starting
 an ipchains packet filtering firewall can now be done instantaneously.
 Written by raf <raf@raf.org>
 masq-demasq.patch
 ~~~~~~~~~~~~~~~~~
 This is a patch for linux-2.2.13 which makes port forwarding
 work when initiated from inside the masqueraded network(s).
 Written by Michael Best <michael@com.org>
REQUIREMENTS
~~~~~~~~~~~~
- Linux-2.2.x and ipchains
- See firewall.policy file for kernel configuration and module requirements
- ipmasqadm iff doing port forwarding or alias port porwarding
- ip (iproute2) iff doing alias port porwarding or static NAT
- nmap used by the portscan utility
- root privileges for ipchains, ipmasqadm, ip
- root privileges inside and outside for auditing with nmap
- perl used by most of the utilities (dns2ip also requires Net-DNS)
- perl, diff and patch used by migrate-policy
Note: perl is not needed for the firewall itself!
These can be found at:
 Linux-2.2 - http://www.kernel.org/ (2.2.19)
 ipchains - http://netfilter.kernelnotes.org/ipchains/ (1.3.10)
 ipmasqadm - http://juanjox.kernelnotes.org/ (0.4.2)
 iproute2 - ftp://ftp.inr.ac.ru/ (000305)
 nmap - http://www.insecure.org/nmap/ (2.53)
 perl - http://www.perl.com/ (5.005_03)
 Net-DNS - http://www.perl.org/CPAN/modules/by-module/Net/ (0.12)
 diff - ftp://ftp.gnu.org/pub/gnu/diffutils/ (2.7)
 patch - ftp://ftp.gnu.org/pub/gnu/patch/ (2.5)
COPYING
~~~~~~~
firewall - Linux-2.2 ipchains firewall/NAPT/NAT administration
Copyright (C) 1999-2004 raf <raf@raf.org>
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; either version 2 of the License, or
 (at your option) any later version.
 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 GNU General Public License for more details.
 You should have received a copy of the GNU General Public License
 along with this program; if not, write to the Free Software
 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 or visit http://www.gnu.org/copyleft/gpl.html
HISTORY
~~~~~~~
19991231
 - Initial version
20000309
 - Incorporated linux-firewall-tools.com:
 - Added more protection against spoofing and dangerous services
 - Added more kernel protection (source routing, redirects, syn cookie,
 defrag, icmp broadcast echo, bogus error response, martian logging)
 - Added services (DHCP, HTTPS, HTTP PROXY, IMAP, ICQ, Real Audio)
 - Changed default forward policy from deny to reject
 - Added "untrusted networks"
 - Added configuration of masquerade timeouts
 - Split SSH into SSH1 and SSH2
 - Added BGP and RSYNC
 - Fixed DNS policy variables and doco
 - Cleaned up, fixed bugs
 - Modified fwup to run on non redhat systems
 - Added "make decent"
 - Started logging incoming ping and traceroute even if accepted
 - IP forwarding only started/stopped if masquerading requested
 - Started denying/rejecting fragments (kernel must always defrag)
 - Started using local and masqueraded port ranges (from Mike A. Harris)
 - Added SMB, PPTP and IPSEC (from Yan Seiner)
 - Added support for multiple untrusted interfaces with differing policies
 - Added automatic identification of local networks
20000321
 - Added dynamic IP address hacking in IP MASQ (for non-routers only!)
 - Added the ability to deny/reject selected ports without logging them
 - Added Kerberos, CVS, GNATS, MySql, SSL-POP, SSL-IMAP, SSL-LDAP, OSPF
 - Fixed bug: was masquerading traffic between multiple internal networks
 - Added the dns2ip utility to translate domain names in policy files into ip addresses
20000402
 - Shortened/cleaned up fwup a bit with more functions
 - Fixed bug: SSH1 rules were allowing SSH2 as well
 - Fixed doco: outgoing SSH2 note was stupid
 - Fixed bug: SDNS rules were allowing CDNS as well
 - Fixed bug: masqueraded UDP (e.g. CDNS!) failed (func vars weren't local)
 - Fixed bug: SNMP[T] rules from Chapman & Zwicky disagreed with RFC 1157
 - Fixed bug: typo in DHCP Client rules allowed incoming address updates even when $DHCP_SERVERS is empty
 - Added the ability to specify more simple tcp services in the policy file
20000421
 - Added LDAP, NOTES
 - Added the ability to deny/reject other protocols without logging them
 - Added loading/unloading of IP masquerading modules
 - Deny/Reject fragments iff $IPV4_FRAGMENT_PROTECT != "no"
 - Made ICMP configurable (default behaviour remains the same)
 - Added portsummary utility to display connection tuples in tcpdump output
 - Included some archie server addresses in firewall.policy as a comment
 - Started determining masquerade ports directly from kernel source
 - Added support for forwarding to internal hosts with individual policies
 - Fixed bug: Stopped creating chains that were never used (thanks to
 forwarding changes, starting the firewall is now twice as fast!)
 - Fixed bug: Outgoing ICQ rules were wrong (udp rules reversed)
 - Fixed bug: The extra tcp services weren't being included
 - Fixed bug: Was doing spoof protection on internal untrusted interfaces
 - Rewrote/reorganised the initial doco in firewall.policy and README
 - Added detailed open port profiles to the notes on each service
 - Added support for port forwarding (incoming and outgoing M:1 NAPT)
 - Added portscan utility to perform comprehensive portscans
 - Added an example policy file for each type of supported network tpology
 - Made chain policies configurable (some like DENY, others like REJECT)
20000430
 - Fixed bug: make install was creating too many links in /etc/rc.d/rc?.d
 - Fixed bug: success/error messages sent to /var/log/messages were pathetic
 - Added portfw to the list of loadable masq modules in the policy file
 - Added "ipchains -M -L -v -n" to "firewall probe"
 - Made it possible to specify untrusted addresses in policy if all are static
 - Removed all uses of perl from fwup (no longer determines masquerade ports
 directly from kernel source but that was a silly idea anyway)
20000601
 - Added "make [un]install" support for most systems and ppp and dhcp
 (inspired by PMfirewall)
 - Added the ability to recognise dangerous udp ports and block them early
 (and added the trojan cavalry (from mason) as comments in the policy file)
 - Fixed bug: didn't support preferences (load sharing) when port forwarding
 - Fixed bug: target names couldn't be used with identical service names
 - Added support for alias port porwarding and static NAT
 - Added support for "ipchains -Q" if available (twice as fast again!)
 - Added patches directory to distribution: ipchains-Q and masq-demasq
 - Added the ability to set ip_masq_udp_dloose for linux-2.2.15
 - Fixed bug: service chains for multiple targets were added multiple times
 - Added ACK and Window scans to the portscan utility (for nmap-2.53)
 - Added SQUID
 - Added check to ensure that BLOCK{IN|OUT|FWD} are set to DENY or REJECT
 - Renamed portsummary to tuplegram and added icmp and udp support
 - Fixed bug: make [un]install didn't work with recent version of bash
20000914
 - Updated the ipchains url in README
 - Fixed the explanation why internally initiated port forwarding
 doesn't work (in the BUGS section below) thanks to Michael Best
 - Added DIALPAD, WEBPHONE, NET2PHONE, HOTTELEPHONE/WEB2CALL, NETMEETING
 - Added port range forwarding in $PORTRANGEFW
 - Made outgoing server dns (when masquerading) more strict
20010211
 - Added VNC service
 - Exposed $ILLEGAL_NETWORKS to policy file (for partitioning private nets)
 - Added support for REDIRECT (transparent proxying)
 - Updated and optimised $RESERVED_NETWORKS (bs@axysdesign.com, jshin@pantheon.yale.edu)
 - Added search in $PATH for programs (bs@axysdesign.com)
 - Stopped dns2ip from translating in shell comments (jshin@pantheon.yale.edu)
 - Added TIME, DAYTIME services (jshin@pantheon.yale.edu)
20010214
 - Fixed security bug: bad tempfile creation for ipchains-Q (dynamo@ime.net)
20010507
 - Fixed typo in policy file (OUTGOING_VNC_PORTS -> INCOMING_VNC_PORTS)
 - Added PC ANYWHERE, WINDOWS TERMINAL SERVER
 - Added support for chkconfig (but you must verify it for your system)
 - Fixed bug: was logging all forwarded packets when FORWARDING="yes" (dos!)
 - Removed installation dependency on make (cesar@rotnet.com.br)
 - Added kernel config, module and software requirements doco to policy file
 - Fixed tuplegram bugs, added arp support, renamed it to tcpdump-histogram
 - Fixed icmp parsing and added fragment support in fwhelper
 - Added centralised administration of multiple remote firewalls
20010801
 - Fixed SNMP TRAP rules (source port 161, no return packets)
 - Fixed X11 client rules (dj@head-cfa.harvard.edu)
 - Added X11 server rules
20010815
 - Fixed bug: redirect code never executed (ckhui@school.net.hk)
 - Updated IANA reserved networks (20010619 - 67, 68, 80 and 81 allocated)
20020626
 - Added support for multicast sessions
 - Added rejecting specific ports when policy is DENY (for inacker@informatik.uni-freiburg.de)
 - Added support for PPTP server on localhost (nick@abssys.com)
 - Updated URL for ip_masq_h323 module (martin@kos.li)
 - Updated -Q patch for ipchains-1.3.10 (rmrpms@usa.net)
 - Added REACHOUT service
 - Added TACACS+ service
 - Updated list of trojan ports (www.neohapsis.com, www.seifried.org)
 - Removed the need for bash (LRP only has ash)
 - Removed the need for awk (LRP doesn't have awk by default)
 - Added migrate-policy (suggested by inacker@informatik.uni-freiburg.de)
 - Added meta-firewall migrate/diff/revert
 - Added more doco on SERVICES and TARGET_* variables (bs@axysdesign.com)
 - Updated IANA reserved networks (20011201 - 219, 220 allocated to APNIC)
 - Fixed firewall lockfile for Debian (jejc@free.fr)
 - Made to work with ash, bsh, bash, ksh or (in the unlikely event) zsh
 - Added installation support for more dhcp clients (i.e. pump and dhclient)
 - Ported to LRP/busybox-ash (wont-i@wkh.org)
 - Added "make lrpkg" (creates an LRP package after you define your policy)
 - Added installation support for systems with /etc/ppp/ip-{up,down}.d
 - Added "firewall reconf <config>"
 - Added "firewall help"
20041215
 - Added doco about perimeter networks and demilitarised zones
 - Added $MASQUERADED_NETWORKS to masquerade selected internal networks
 - Updated IANA reserved networks (2003年11月14日)
20041231
 - Updated examples/policy.* to include earlier changes to firewall.policy
 - Made messages conform to Debian standards (except when on Redhat)
 - Updated IANA reserved networks (2004年08月03日)
 - Added update-reserved-networks script so users can update them easily
 - Extracted fwprobe as a separate command from "firewall probe"
REFERENCES
~~~~~~~~~~
Building Internet Firewalls by Chapman & Zwicky
IPCHAINS-HOWTO by Paul Russell
http://linux-firewall-tools.com by Robert L. Ziegler
The ipchains mailing list. Particularly Yan Seiner, Mike Harris and Michael Best
IP-Masquerade-HOWTO by David Ranch
IP Command Reference by Alexey N. Kuznetsov
PMfirewall (http://www.pointman.org) by Rick Johnson (installation)
mason (http://www.pobox.com/~wstearns/mason) by Willian Stearns (trojan list)
TCP/IP Illustrated Volume 1 by W Richard Stevens
Network Intrusion Detection - An Analyst's Handbook by Stephen Northcutt and Judy Novak
RFC 2588 IP Multicast and Firewalls by Ross Finlayson
www.neohapsis.com ports list
www.seifried.org ports list
BUGS
~~~~
- I've been told that masquerading the H.323 services (e.g. HOTTELEPHONE)
 doesn't work but wasn't given any details and the person who reported it
 didn't seem interested in helping me fix whatever the problem might have
 been. If anyone would like to help me test it and get it working (if indeed
 it doesn't work), please contact me.
- The *SERVERS* and *CLIENTS* policy variables for a given service apply to all
 instances of a service across a given interface. This means that if you have
 something like: SERVICES="oservice.targeta oservice.targetb", then the hosts
 in both targeta and targetb are restricted to connecting to the same set of
 external servers for the given service. Let me know if this is a problem.
 It can be fixed but the policy file will get a bit uglier.
- Masquerading across multiple interfaces is not supported.
 If you have multiple untrusted interfaces and you are masquerading,
 then masquerading occurs for packets leaving via the first untrusted
 interface only. Let me know if this is a problem. It's easy to fix.
- When port forwarding, internal hosts shouldn't try to make connections to
 the forwarded port on the external interface because it doesn't work with
 a stock kernel. Michael Best has written a patch to linux-2.2.13 to fix this.
 It's in the patches directory under masq-demasq. Here is his explanation of
 the problem:
 Michael Best (michael@com.org) wrote:
 > What happens is that the first packet is forwarded to the correct host,
 > but only its destination info has been changed. For example:
 >
 > Host A: 10.101.2.1 (firewall; external address is 216.324.11.123)
 > Host B: 10.101.2.2 (running web server on port 80)
 > Host C: 10.101.2.3 (client)
 >
 > Host A has 216.324.11.123/80 forwarded to Host B.
 > Host C tries to connect to 216.324.11.123/80.
 >
 > First packet looks like this:
 > From 10.101.2.3/1056 to 216.324.11.123/80
 > It is forwarded:
 > From 10.101.2.3/1056 to 10.101.2.2/80
 > Reply looks like this:
 > From 10.101.2.2/80 to 10.101.2.3/1056
 > It is ignored by the client since it doesn't match any active connection.
 > Thus the connection is never fully established and appears hung.
 >
 > My patch modifies the kernel so that it can modify both the destination and
 > source addresses of a packet. It still requires that your rules are correct.
 > Here is what the above would look like with my patch:
 >
 > First packet looks like this:
 > From 10.101.2.3/1056 to 216.324.11.123/80
 > It is forwarded:
 > From to 10.101.2.2/80
 > Here's the reply:
 > From 10.101.2.2/80 to 216.324.11.123/64234
 > This one goes back to the firewall and it forward:
 > From 216.324.11.123/80 to 10.101.2.3/1056
 >
 > Note that this patch also make possible Starcraft and Warcraft Battle-net
 > games between two people behind the same firewall.
 >
 > I've put my patch at http://www.com.org/~michael/masq-demasq.zip
- There is no support for static NAT between internal networks. Let me know
 if this is a problem. This should be fixed. In the meantime, you can just
 execute the necessary ip commands separately using priorities below 10000.
- Port forwarding port ranges isn't supported when using Alias Port Forwarding.
 Let me know if this is a problem. It's easy to fix.
- Stopping the firewall stops packet forwarding in general. This is intentional.
 However, on redhat systems with FORWARD_IPV4="yes" in /etc/sysconfig/network,
 packet forwarding isn't stopped when the firewall is stopped. This is a
 convenience (but it is unsafe). Note that for most small sites like a single
 host or a single lan dialing up to the net, forwarding should be off when
 not connected to the net anyway, so this won't be a problem.
 If you have a system that uses a different configuration file/method to
 determine whether or not to forward packets, let me know and i'll add
 detection for that system.
- "make install" on systems with BSD style init scripts appends a
 "firewall reload" command to the rc.local file. So the firewall will
 start after the network is up. You should change this so the firewall
 starts before the network is up. If this is a problem, tell me how to
 determine where the command needs to go.
- There is no installation support for Richard Gooch's simpleinit scripts. :(
TODO
~~~~
Add implementations for iptables, ipf and cisco ios/cbac
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
URL: http://fwup.org/
Date: 20041231
Author: raf <raf@raf.org>