I looked it over and it seems to cover it all as far as I can see. However, because of my lack of expertise it would take me quite some time to really analyze the whole thing.

I'd like to know more about it and any updated or more in-depth information on it. It looks pretty cool to me. I might use it myself since I already use ipchains but not even close to this extent.

-steve

The subject line was changed in this message for my convenience. Thanks for your understanding. :)

"M.Giles" wrote:

> 13/04/00 11:09:22 PM
> I know you won't be able to make it go for me.. but I'd like some "experts" to look it over..
> Can anyone see anything immediately wrong with this firewall?
>
> #!/bin/sh
> #
> # firewall      Install firewall rules.
> # Note: these rules are ordered by most frequently
> # accessed to the least frequent. This saves kernel
> # processing time in finding the rule to match an incoming
> # packet.
> #
> # Version:      @(#) /etc/init.d/firewall 1.02 November 18th 1999
> #
> # Author:       Patrick D'Cruze,
> # Modified by:  Paul Raj Khangure
> #
>
> # Source function library.
> . /etc/rc.d/init.d/functions
>
> [ -f /sbin/ipchains ] || exit 0
>
> # See how we were called.
> case "$1" in
>   start)
>     # First, let's turn on Source Address Verification
>     if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
>       echo -n "Setting up IP spoofing protection..."
>       for file in /proc/sys/net/ipv4/conf/*/rp_filter; do
>         echo 1 > $file
>       done
>       echo "done."
>     else
>       echo PROBLEMS SETTING UP IP SPOOFING PROTECTION. BE WORRIED.
>     fi
>
>     # By default DENY all incoming services
>     # (one flush empties every chain; the old eth-in chain is then removed)
>     /sbin/ipchains --flush
>     /sbin/ipchains --delete-chain eth-in
>
>     # Create a new chain
>     /sbin/ipchains --new-chain eth-in
>
>     # Some definitions
>     # Note: a host address written with /24 (INT_IP, LOKI) matches the
>     # whole 192.168.100.0 network in a rule, not just that one host.
>     INT_IP="192.168.100.1/24"     # Internal Network.
>     EXT_IP="203.57.131.0/32"      # Here be hackers.
>     INTLAN="192.168.100.0/24"     # Internal LAN.
>     LOKI="192.168.100.2/24"       # Marcus machine.
>     # EXTLAN is used by the "dirty side" DNS rules below but is never
>     # defined in this script; it must be set to the external network
>     # before those two rules will load.
>     IPCHAIN_IN="/sbin/ipchains --append eth-in"
>     ACC1="--proto tcp --interface eth+ --jump ACCEPT"
>     ACC2="--proto udp --interface eth+ --jump ACCEPT"
>     ACC3="--proto icmp --interface eth+ --jump ACCEPT"
>     DEN1="--proto tcp --interface eth+ --jump DENY"
>     DEN2="--proto udp --interface eth+ --jump DENY"
>     DEN3="--proto icmp --interface eth+ --jump DENY"
>
>     echo "Def's done"
>
>     # Let local host contact itself
>     /sbin/ipchains -A input -s 127.0.0.0/8 -d 0/0 -p all --jump ACCEPT
>
>     # Allow ICMP for the moment for MTU discovery
>     ${IPCHAIN_IN} -s 0/0 -d 0/0 ${ACC3}
>
>     # Allow this machine to receive web pages.
>     ${IPCHAIN_IN} -s 0/0 80 -d ${EXT_IP} ${ACC1}
>     # ${IPCHAIN_IN} -s 0/0 80 -d ${INT_IP} ${ACC1}
>
>     echo "part 1 done"
>
>     # Allow DNS traffic - the local LAN to use this server, and
>     # this server to make DNS requests of others.
>     ${IPCHAIN_IN} -s ${INTLAN} -d ${INT_IP} 53 ${ACC1}
>     ${IPCHAIN_IN} -s ${INTLAN} -d ${INT_IP} 53 ${ACC2}
>     ${IPCHAIN_IN} -s 0/0 53 -d ${EXT_IP} ${ACC1}
>     ${IPCHAIN_IN} -s 0/0 53 -d ${EXT_IP} ${ACC2}
>
>     # Allow the dirty side to use this server as a DNS server
>     ${IPCHAIN_IN} -s ${EXTLAN} -d ${EXT_IP} 53 ${ACC1}
>     ${IPCHAIN_IN} -s ${EXTLAN} -d ${EXT_IP} 53 ${ACC2}
>
>     # Block any other DNS
>     ${IPCHAIN_IN} -s 0/0 -d 0/0 53 -l ${DEN1}
>     ${IPCHAIN_IN} -s 0/0 -d 0/0 53 -l ${DEN2}
>
>     # Allow FTP and Telnet out.
>     ${IPCHAIN_IN} -s ${INTLAN} -d 0/0 20:21 ${ACC1}
>     ${IPCHAIN_IN} -s ${INTLAN} -d 0/0 23 ${ACC1}
>     ${IPCHAIN_IN} -s 0/0 20:21 -d ${EXT_IP} ${ACC1}
>     ${IPCHAIN_IN} -s 0/0 23 -d ${EXT_IP} ${ACC1}
>
>     # This LAN is allowed to access the LAN
>     ${IPCHAIN_IN} -s ${INTLAN} -d ${INTLAN} ${ACC1}
>     ${IPCHAIN_IN} -s ${INTLAN} -d ${INTLAN} ${ACC2}
>
>     # Nothing else should get into the LAN.
>     ${IPCHAIN_IN} -s 0/0 -d ${INTLAN} -l ${DEN1}
>     ${IPCHAIN_IN} -s 0/0 -d ${INTLAN} -l ${DEN2}
>
>     # Now add the rules and set the default policy
>     /sbin/ipchains --append input --interface eth+ --jump eth-in
>     /sbin/ipchains --policy input REJECT
>     /sbin/ipchains --policy output ACCEPT
>     /sbin/ipchains --policy forward ACCEPT
>
>     # Firewall has been configured
>     echo "B AWARE, stay alert and trust no-one. Protection is active."
>     touch /var/lock/subsys/firewall
>     ;;
>   stop)
>     /sbin/ipchains -F
>     /sbin/ipchains --policy input ACCEPT
>     /sbin/ipchains --policy output ACCEPT
>     /sbin/ipchains --policy forward ACCEPT
>     echo "You've dropped your guard. Death is but a soul away..."
>     rm -f /var/lock/subsys/firewall
>     ;;
>   *)
>     echo "Usage: firewall {start|stop}"
>     exit 1
>     ;;
> esac
>
> exit 0
>
> ================Sig Start==================
> Motto for the I.T. Industry:
> BIGGER, <i>faster</i>, <b>more</b>, <u>NOW!</u>
> Thought for the future:
> If you thought the Y2k Bug was a media frenzie,
> just you wait till the IPv6 issue is announced...
> ================Sig Stop==================
>
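M.Giles asks whether anything is immediately wrong with the rule set. The ipchains rules themselves cannot be loaded on a modern kernel, so the review a defender can actually run against this script is a static one over the rule lines. The linter below is an added example, not code from the list or from either poster; the rule strings and the variable values are copied from the script above (EXTLAN is left undefined because the script never defines it), and the `HARDENED` line is this reviewer's assumed way of tightening the port-80 rule, not something the original author wrote. It checks three things visible in the posted script: variables that are used but never defined, host addresses written with a subnet mask (so a rule meant for one host matches the whole subnet), and TCP ACCEPT rules keyed only on the remote source port without `! -y`, which in ipchains means the rule also matches connection-opening SYN packets rather than only replies to connections this host started.

```python
import ipaddress
import re

# Constructed from the posted script: its variable definitions as written, and a
# handful of its ${IPCHAIN_IN} rule bodies (the text after "--append eth-in").
# EXTLAN is deliberately absent because the script never defines it.
DEFS = {
    "INT_IP": "192.168.100.1/24",
    "EXT_IP": "203.57.131.0/32",
    "INTLAN": "192.168.100.0/24",
    "LOKI": "192.168.100.2/24",
}
RULES = [
    "-s 0/0 80 -d ${EXT_IP} --proto tcp --interface eth+ --jump ACCEPT",
    "-s ${INTLAN} -d ${INT_IP} 53 --proto tcp --interface eth+ --jump ACCEPT",
    "-s ${EXTLAN} -d ${EXT_IP} 53 --proto udp --interface eth+ --jump ACCEPT",
    "-s 0/0 20:21 -d ${EXT_IP} --proto tcp --interface eth+ --jump ACCEPT",
    "-s 0/0 -d ${INTLAN} -l --proto tcp --interface eth+ --jump DENY",
]
# Assumed hardened form of RULES[0]: "! -y" limits the match to non-SYN packets,
# i.e. traffic belonging to connections this host opened itself.
HARDENED = "-s 0/0 80 -d ${EXT_IP} ! -y --proto tcp --interface eth+ --jump ACCEPT"


def expand(text, defs):
    """Substitute ${NAME} from defs and collect names the script never defined."""
    missing = []

    def sub(m):
        if m.group(1) in defs:
            return defs[m.group(1)]
        missing.append(m.group(1))
        return m.group(0)  # keep the placeholder so the rule still parses

    return re.sub(r"\$\{(\w+)\}", sub, text), missing


def parse_rule(text):
    """Minimal ipchains option parser: -s/-d take an address plus an optional
    port; a bare '!' negates the option that follows it (as in '! -y')."""
    toks = text.split()
    rule = {"src": None, "sport": None, "dst": None, "dport": None,
            "proto": "all", "target": None, "log": False, "syn": None}
    i, negate = 0, False
    while i < len(toks):
        t = toks[i]
        if t == "!":
            negate, i = True, i + 1
            continue
        if t in ("-s", "--source", "-d", "--destination"):
            side = "src" if t in ("-s", "--source") else "dst"
            rule[side], i = toks[i + 1], i + 2
            if i < len(toks) and not toks[i].startswith("-") and toks[i] != "!":
                rule["sport" if side == "src" else "dport"], i = toks[i], i + 1
        elif t in ("-p", "--proto", "--protocol"):
            rule["proto"], i = toks[i + 1].lower(), i + 2
        elif t in ("-j", "--jump"):
            rule["target"], i = toks[i + 1], i + 2
        elif t == "-l":
            rule["log"], i = True, i + 1
        elif t == "-y":
            rule["syn"], i = (not negate), i + 1  # True: SYN only; False: "! -y"
        else:
            i += 1  # --interface eth+ and anything else this lint ignores
        negate = False
    return rule


def host_bits_set(addr):
    """True when a host address carries a mask shorter than /32, so the rule
    matches the whole subnet instead of one host (e.g. 192.168.100.1/24)."""
    if addr == "0/0":  # ipchains shorthand for any address
        return False
    try:
        iface = ipaddress.ip_interface(addr)
    except ValueError:
        return False  # unexpanded placeholder; reported by expand() instead
    return iface.ip != iface.network.network_address


def lint(rule_text, defs=DEFS):
    """Return the review findings for one eth-in rule body (empty list if clean)."""
    findings = []
    text, missing = expand(rule_text, defs)
    for name in missing:
        findings.append(f"${{{name}}} is never defined; it expands to nothing and "
                        f"the rule will not load as written")
    r = parse_rule(text)
    for side in ("src", "dst"):
        if r[side] and host_bits_set(r[side]):
            findings.append(f"{side} {r[side]}: host address with a subnet mask "
                            f"matches the whole subnet; /32 was probably intended")
    if r["proto"] == "tcp" and r["target"] == "ACCEPT" and r["sport"] and r["syn"] is None:
        findings.append(f"ACCEPT keyed on source port {r['sport']} without '! -y' "
                        f"also admits new connections (SYN) to any local port")
    return findings


def lint_all(rules, defs=DEFS):
    return {rule: lint(rule, defs) for rule in rules}


if __name__ == "__main__":
    for rule, found in lint_all(RULES).items():
        print(rule)
        for f in found or ["ok"]:
            print("   ", f)
```

Run stand-alone it prints one finding per flawed rule and "ok" for the final DENY rule; the parser deliberately understands only the options the posted script uses, so extend `parse_rule` before pointing it at a larger rule set.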