Good day, all,
I have occasionally seen references to the difficulty of creating
a linux ipfwadm-based firewall. Remembering my own difficulty in figuring
out the syntax of the command and how it related to what I wanted the
firewall to actually _do_, I created a shell script called Mason - a
semi-automated (fire)wall builder.
Here's the cook's tour, so you can decide if you want to read on.
Imagine sitting down at a machine that you want to be a firewall. You
inform the machine that you're about to teach it which kinds of traffic
you want to allow. You then go to other machines in the building and view
web pages, read mail, send mail, ftp, and all the other things you want to
have happen. After you tell your firewall you're going to teach it what
kinds of traffic you want to _block_, you create those traffic types by,
for example, NFS'ing and tftp'ing in from the outside world.
When you're done, the firewall machine provides a file that
appropriately allows and disallows those traffic types.
As could be pointed out, this is not a finished firewall, nor is
it an automatic converter of your security policy, but it is a starting
point that you can use to make those.
The Mason shell script does exactly what I just described. The
ipfwadm command has, IMHO, logical but not obvious syntax. Complex
traffic flows can be difficult to convert to ipfwadm command lines. With
Mason, you just run it while you're actively creating those traffic flows
and Mason gives you the command line(s) that you can generalize as
appropriate.
Even if you decide that you're not going to use Mason's output as
your firewall, the output should give you an understanding of how to
convert specific traffic flows to ipfwadm commands.
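As an added illustration (not Mason's own code or output), the sh function below does the core conversion described above: one observed flow becomes ipfwadm command lines, with the client's ephemeral port generalized to the unprivileged range and the TCP reply restricted with -k so the connection can only be opened in the observed direction. The flow record format and the sample flows are constructed for this example.

```shell
#!/bin/sh
# Constructed flow records (hypothetical format, not Mason's):
#   action direction iface proto src sport dst dport
FLOWS='allow out eth0 tcp 192.168.1.10 1027 10.0.0.5 80
allow out eth0 tcp 192.168.1.10 1028 10.0.0.5 25
allow out eth0 udp 192.168.1.10 1029 10.0.0.2 53
deny in eth0 udp 10.0.0.9 1030 192.168.1.10 2049
deny in eth0 udp 10.0.0.9 1031 192.168.1.10 69'

flow_to_rules() {
    action=$1 dir=$2 iface=$3 proto=$4 src=$5 sport=$6 dst=$7 dport=$8
    # Generalization step: an ephemeral client port stands for the range.
    if [ "$sport" -ge 1024 ]; then sport='1024:65535'; fi
    # Chain that sees the initiating packet, and chain that sees the reply.
    if [ "$dir" = out ]; then req=-O rep=-I; else req=-I rep=-O; fi
    case $action in
    allow)
        echo "ipfwadm $req -a accept -W $iface -P $proto -S $src $sport -D $dst $dport"
        if [ "$proto" = tcp ]; then
            # -k: only ACK-bearing packets, so no new connection can start here.
            echo "ipfwadm $rep -a accept -W $iface -P tcp -k -S $dst $dport -D $src $sport"
        else
            echo "ipfwadm $rep -a accept -W $iface -P $proto -S $dst $dport -D $src $sport"
        fi ;;
    deny)
        # Generalize to any source; -o logs the matches for later review.
        echo "ipfwadm $req -a deny -o -W $iface -P $proto -S 0.0.0.0/0 -D $dst $dport" ;;
    esac
}

# Ordered ruleset: flush, the observed flows, then a default-deny policy.
build_ruleset() {
    echo 'ipfwadm -I -f'; echo 'ipfwadm -O -f'
    printf '%s\n' "$FLOWS" | while read -r a d i p s sp t tp; do
        flow_to_rules "$a" "$d" "$i" "$p" "$s" "$sp" "$t" "$tp"
    done
    echo 'ipfwadm -I -p deny'; echo 'ipfwadm -O -p deny'
}

build_ruleset
```

The emitted lines are meant to be read and reordered before use, exactly as the post says of Mason's own output.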
Hmmm... I think I've given the cook and Pastry Chef's tours. :-)
The documentation for the program covers a number of other topics:
Background and motivation:
Basic theory of operation:
Special considerations:
Kernel:
DNS:
Rule order:
Generalization:
Router or end node: (works equally well on any Linux box)
Slow machines or fast nics
Active hacking while mason running: (and how to handle it)
Masquerading: (works fine)
Offline and non-root creation:
/etc/services:
ftp:
Insert vs. append:
Allow versus deny and reject:
Input, Output, and Forwarding:
Namecache:
Remote firewall creation - Telnet/ssh lockout:
Limitations, Ideas and future enhancements: (among others,
ipchains is not yet supported, but is definitely planned for 1.1)
Quick start:
The quick start is a set of step by step instructions that leads
you through creating a firewall with Mason.
Mason, itself, is a bash shell script that's reasonably short,
sufficiently commented and clear enough that you can read it in a few
minutes to understand what it's doing. It uses standard Unix utilities
such as awk, sed, cat, grep and internal bash constructs.
If you don't trust me enough to run Mason as root, no problem.
The instructions tell you how to run it as non-root, or even on an
entirely different machine.
When it's done, it is still assumed that you'll look over the
rules and generalize them, order them, and generally check them for
appropriateness, but that's true of any firewall.
The "version 0.7.9" designation means that it seems to work well
for me, but needs more testing and feedback before it's released as 1.0.
Quick success reports, detailed bug reports, questions, suggestions, and
reasonable complaints (:-) are gratefully received at [EMAIL PROTECTED] .
It can be found at:
http://users.dhp.com/~whisper/mason/mason-0.7.9.tar.gz
The permanent URL is http://www.pobox.com/~wstearns/mason/ , but
this is temporarily down.
Cheers,
- Bill
<offtopic>
Is there a mailing list specifically for ipfwadm firewalls? I
know there's one for ipchains, but Mason isn't there yet; I'm still
learning how those work.
Finally, can anyone give me a hand with the format of the flag
fields in ipfwadm packet logging? I'd like to be able to use those to
even more completely lock down the direction in which tcp connections can
be created. I can sometimes figure out how to use "-k" without the help
of the flag fields, but would like to be able to do it all the time.
Thanks in advance.
</offtopic>
---------------------------------------------------------------------------
Unix _is_ user friendly. It's just very selective about who its friends
are. And sometimes even best friends have fights.
William Stearns ([EMAIL PROTECTED])
---------------------------------------------------------------------------