------------------------------ INTRODUCTION ------------------------------

en-firewall is designed to allow you to configure your firewall rules using a fairly natural language (for English speakers, anyway). It does not expose the full functionality of netfilter, but provides a wrapper around the most commonly used options so that you can write rules which are readable for easy maintenance.

The commands are intended to be smart. They'll try to put the firewall rules in the correct chain, and where more than one iptables rule is required, all of them will be entered. This keeps your configuration concise, and should lead to quicker development of working firewall rules.

Among the interesting features of the script is that the configuration file is actually a shell script. Where the init script doesn't expose the full functionality of netfilter, you can put in your own iptables commands directly. You can also write functions which combine the natural language commands from the init script.

------------------------------ Syntax ------------------------------

* Common arguments

  Most commands will understand the following arguments:

  - tcp: this rule matches tcp protocol packets
  - udp: this rule matches udp protocol packets
  - all: the word is ignored; it makes some rules read better
  - from, host, or net: this rule matches packets originating from the address given as the argument
  - to: this rule matches packets destined for the address given as the argument
  - port: this rule matches packets destined for the port given as the argument
  - connections: this rule matches packets in the NEW state
  - replies: this rule matches packets which are related to an established connection
  - on: this rule matches packets which have come in on the interface given as the argument
  - through: this rule matches packets being forwarded out through the interface given as the argument

* specific

  You can set the policies of your INPUT, FORWARDING, or for the very paranoid, OUTPUT chains to "DROP" using the "specific" command.
  This command only takes one argument: either "input", "output" or "forwarding".

* deny

  Drop packets which match the description of the arguments that follow.

* allow

  Allow packets which match the description of the arguments that follow to either be accepted or forwarded on, as appropriate.

* masquerade

  Forward and masquerade packets which match the description of the arguments that follow.

* forward

  Forward packets which match the description of the arguments that follow by normal routing methods.

* proxy arp

  This command understands the arguments:

  - for: the word is ignored
  - host or net: sets the IP numbers that this machine will answer queries for
  - on: sets the interface on which ARP queries will be answered

  This command is useful when building a transparent firewall for a host or set of hosts. You can place this firewall between the host and the rest of the network, and proxy ARP requests for its address. The firewall will receive packets destined for the host given, and decide whether or not to pass them on.

* proxy ip

  This command, also useful for firewalling, is not yet implemented.

* forward port

  This command, for NAT port forwarding, is not yet implemented.

------------------------------ Example ------------------------------

As an example, your configuration might include a function to drop packets from IPv4 reserved networks, which should never come in through public interfaces. Such packets might be used to attack your system by exploiting flaws in your routing or IP stacks. The following function can be used to block reserved networks from a specified interface.
If combined with filters which discard packets which appear to come from your own internal IP networks (unless your internal nets are one of the reserved numbers already included), this provides effective ingress filtering on an interface:

    function deny_martians_on () {
        local IF=$1
        # antispoof
        deny host 0.0.0.0 on $IF
        # lan area -- set up deny rules for your internal nets
        # deny ip xxx.xxx.xxx.0 0.0.0.255
        # reserved
        deny net 10.0.0.0/8 on $IF
        # reserved
        deny net 127.0.0.0/8 on $IF
        # link-local network.
        deny net 169.254.0.0/16 on $IF
        # reserved
        deny net 172.16.0.0/12 on $IF
        # reserved
        deny net 192.168.0.0/16 on $IF
        # test network
        deny net 192.0.2.0/24 on $IF
        # multicast
        deny net 224.0.0.0/3 on $IF
        # unless MBGP-learned routes
        deny net 224.0.0.0/4 on $IF
        # Unallocated
        deny net 248.0.0.0/5 on $IF
        # Broadcast
        deny host 255.255.255.255/32 on $IF
    }

The following example will set the forwarding policy to DROP, so that only networks specifically allowed to be forwarded will be handled by this machine:

    specific forwarding

A trusted network interface is one that is hard-wired (no wireless) where all ports and devices are either under your control or the control of trusted parties. These interfaces will probably have access to resources not intended for the public, or which rely on trust security, such as NFS. A trusted network will probably have full access to all ports open on an interface, and will be forwarded or masqueraded to the outside world. As such, the rules will be very simple. The following example will allow the network attached to the trusted interface "eth0" to be masqueraded to the public internet, which is connected to the "eth2" interface, with no additional controls:

    masquerade net 192.168.1.0/24 on eth0 through eth2

A semi-trusted network is one that may not be entirely under your control, or a likely target for intrusion, such as a wireless network. You probably have a specific IP network connected to this interface which you want to grant access to.
Other IP numbers (such as those on your other, trusted networks) shouldn't be usable on this interface, because that could lead to a malicious user directing attacks at your machine using trusted numbers, or sending out packets with forged source addresses as part of a DoS attack on another network (dropping the latter is known as egress filtering).

The following example will allow the network attached to the semi-trusted interface "eth1" to access a few selected services which reside on the server, and masquerade it to the public internet. All IP packets which aren't destined for the specified services, or which don't come from the specified IP network, will be dropped:

    allow net 192.168.2.0/24 on eth1 to 192.168.1.5 tcp port 22
    allow net 192.168.2.0/24 on eth1 to 192.168.1.5 tcp port 25
    allow net 192.168.2.0/24 on eth1 to 192.168.1.5 tcp port 443
    allow net 192.168.2.0/24 on eth1 to 192.168.1.5 tcp port 993
    allow net 192.168.2.0/24 on eth1 to 192.168.2.254 udp port 53
    allow all on eth1 tcp port 67
    allow all on eth1 udp port 67
    masquerade net 192.168.2.0/24 on eth1 through eth2
    allow replies on eth1
    deny all on eth1

The public network (internet) is usually not to be trusted at all. You may choose to allow the public to access services running on your machine or in your network, but should be very selective about these. The following example will drop packets with bad source addresses by calling the function "deny_martians_on", which was defined above. It grants the public access to a few services on the public interface, and allows reply packets so that this machine is usable as a client on the internet (this may not be necessary when this machine is purely a router). Everything else is dropped:

    deny_martians_on eth2
    allow all on eth2 tcp port 22
    allow all on eth2 tcp port 443
    allow replies on eth2
    deny all on eth2
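Because a configuration like the ones above is loaded straight into the live ruleset, it is useful to see which iptables commands a set of rules corresponds to, and whether their order makes sense, before loading it. The script below is an added example and is not part of en-firewall or of this page: it reimplements the vocabulary from the Syntax section as a dry-run translator that prints iptables commands instead of running them, and it warns when a rule on an interface is placed after "deny all on" that interface, where it can never match. The chain choice (INPUT unless "through" names an outgoing interface, FORWARD otherwise, plus a nat POSTROUTING rule for masquerade), the layout of the match flags, and the names en_translate, en_dryrun and en_match are this example's own assumptions about how such rules map onto netfilter, not en-firewall's actual implementation. The "proxy arp", "proxy ip" and "forward port" commands are not covered. The sample configuration at the end is constructed for the demonstration, with its last rule deliberately misplaced.

```shell
#!/bin/sh
# Dry-run translator for the en-firewall vocabulary described above.
# Assumption: the chain choices and flag layout are this example's own
# guesses at what "the correct chain" means; they are not en-firewall's
# code, and nothing here ever runs iptables.  Commands are printed only.

# en_match FLAG VALUE: append "FLAG VALUE" to the match string m when
# VALUE is non-empty.
en_match() { [ -z "$2" ] || m="$m $1 $2"; }

# en_translate VERB WORD...: print the iptables command(s) that one rule
# plausibly corresponds to.  Leaves the "on" interface in en_iif so a
# caller can reason about rule order.
en_translate() {
    verb=$1; shift
    proto=""; src=""; dst=""; port=""; iif=""; oif=""; state=""; m=""; en_iif=""

    # "specific input|output|forwarding": set the chain policy to DROP
    if [ "$verb" = specific ]; then
        case $1 in
            input)      echo "iptables -P INPUT DROP" ;;
            output)     echo "iptables -P OUTPUT DROP" ;;
            forwarding) echo "iptables -P FORWARD DROP" ;;
            *) echo "specific: expected input, output or forwarding" >&2; return 1 ;;
        esac
        return 0
    fi

    # Consume the common argument words, in any order
    while [ $# -gt 0 ]; do
        case $1 in
            tcp|udp)       proto=$1 ;;
            all)           ;;                   # ignored, reads better
            from|host|net) src=$2; shift ;;
            to)            dst=$2; shift ;;
            port)          port=$2; shift ;;
            on)            iif=$2; en_iif=$2; shift ;;
            through)       oif=$2; shift ;;
            connections)   state=NEW ;;
            replies)       state=ESTABLISHED,RELATED ;;
            *) echo "$verb: unknown word '$1'" >&2; return 1 ;;
        esac
        shift
    done

    # iptables rejects --dport without -p tcp or -p udp; catch it early
    if [ -n "$port" ] && [ -z "$proto" ]; then
        echo "$verb: 'port $port' needs tcp or udp" >&2; return 1
    fi

    en_match -p "$proto"; en_match -s "$src"; en_match -d "$dst"
    en_match -i "$iif";   en_match -o "$oif";  en_match --dport "$port"
    en_match "-m state --state" "$state"

    # Chain choice (assumption): local delivery unless an outgoing
    # interface is named, in which case the packet is being forwarded.
    chain=INPUT
    case $verb in
        deny)    target=DROP;   [ -z "$oif" ] || chain=FORWARD ;;
        allow)   target=ACCEPT; [ -z "$oif" ] || chain=FORWARD ;;
        forward) target=ACCEPT; chain=FORWARD ;;
        masquerade)
            target=ACCEPT; chain=FORWARD
            if [ -z "$oif" ]; then echo "masquerade: needs 'through <interface>'" >&2; return 1; fi ;;
        *) echo "unknown command '$verb'" >&2; return 1 ;;
    esac
    echo "iptables -A $chain$m -j $target"
    if [ "$verb" = masquerade ]; then
        echo "iptables -t nat -A POSTROUTING${src:+ -s $src} -o $oif -j MASQUERADE"
    fi
}

# en_dryrun: read a configuration on stdin, print each rule's translation,
# and warn when a rule names an interface that an earlier "deny all on"
# line has already closed, since such a rule can never match.
en_dryrun() {
    sealed=" "
    while read -r line; do
        case $line in ''|'#'*) continue ;; esac
        set -f; set -- $line; set +f            # split into words, no globbing
        echo "# $line"
        en_translate "$@" || { echo "# (rule skipped)"; continue; }
        case $sealed in
            *" $en_iif "*) echo "WARNING: '$line' follows 'deny all on $en_iif' and can never match" ;;
        esac
        case $line in
            "deny all on "*) sealed="$sealed$en_iif " ;;
        esac
    done
}

# Constructed sample configuration (not the page's own file); the last
# rule is deliberately misplaced so the dry run shows the warning.
en_dryrun <<'EOF'
specific forwarding
masquerade net 192.168.1.0/24 on eth0 through eth2
allow net 192.168.2.0/24 on eth1 to 192.168.1.5 tcp port 22
allow net 192.168.2.0/24 on eth1 to 192.168.2.254 udp port 53
masquerade net 192.168.2.0/24 on eth1 through eth2
deny all on eth1
allow replies on eth1
EOF
```

Run it as "sh dryrun.sh" or pipe a real configuration into en_dryrun; the "allow replies on eth1" line in the sample triggers the warning because the preceding "deny all on eth1" already drops everything on that interface, which is exactly the ordering the semi-trusted example above gets right by placing "allow replies" before "deny all".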