Frequently Asked Questions (FAQ)
firewall-config.pl is a utility to configure (or only generate) the configuration file for Jay's Iptables Firewall. It requires dialog and perl.
firewall-config.pl also helps you update the configuration file when you upgrade the firewall (when new variables appear).
Configure the firewall for the first time:
# firewall-config.pl --new
Configure the firewall:
# firewall-config.pl
Configure the firewall with another configuration file:
# firewall-config.pl --config <filename>
Generate an empty configuration file and configure it by hand:
# firewall-config.pl --generate
Update your configuration file to the latest version (when you upgrade the firewall):
# firewall-config.pl --update
Dialog is a utility to create nice user interfaces for shell scripts or other scripting languages, such as perl. It is non-graphical (it uses curses), so it can be run in the console or in an xterm.
Dialog version 0.9a-20020309a is the version used by firewall-config.pl.
Don't be sad: you can nevertheless use the firewall by generating a configuration file without the dialog interface and configuring it by hand (like any other firewall).
Simply run
# firewall-config.pl --generate
and edit /etc/firewall-jay/firewall.config
There is no problem; the firewall is completely configurable by hand.
Use
# firewall-config.pl --generate
and edit /etc/firewall-jay/firewall.config
Yes.
Your rules will be loaded at the end of the firewall.
Keep in mind that these rules can weaken the firewall's security, so be careful about what you insert.
Add your own iptables rules in /var/lib/firewall-jay/firewall-custom.rules (default).
Next you must enable the option in the firewall's configuration.
In the config file:
CUSTOM_RULES="1"
CUSTOM_RULES_FILE="/var/lib/firewall-jay/firewall-custom.rules" (default)
Or with firewall-config.pl:
# firewall-config.pl
Go to Features (optional) => Custom Rules
Next, answer the two questions:
1. Enable = Yes
2. Path to custom rules = /var/lib/firewall-jay/firewall-custom.rules (default)
Red Hat 7.3 uses an older version of dialog, but as this version did not differ much from 0.9a-20020309a, support for it was added in firewall-config.pl version 0.9b-1.
But now I really need these missing options (for example to rename some buttons) and I had to withdraw this support, so please update 'dialog' to 0.9a-20020309a.
If you don't have time for this, an alternative is to configure the firewall by hand with
# firewall-config.pl --generate
Next, edit the new file /etc/firewall-jay/firewall.config
Note1: This section explains only how to use eDonkey/KaZaa on the LAN. If you want to use eDonkey on the firewall box itself, just open the 4662/tcp and 4666/udp ports in the configuration.
For KaZaa, open the 1214/tcp port.
Note2: We will explain how to use eDonkey on the LAN; for KaZaa, follow the same steps but with the 1214/tcp port only.
First, forward the 4662/tcp and 4666/udp ports to the eDonkey box.
In the config file:
TCP_FORWARD="ppp0>4662>192.168.x.y"
UDP_FORWARD="ppp0>4666>192.168.x.y"
Where ppp0 is your internet connection and 192.168.x.y is your eDonkey box.
Or with firewall-config.pl:
# firewall-config.pl
Go to Forwarding TCP Ports => Add TCP Forward rule
Next, answer the four questions:
1. Incoming interface = ppp0
2. Ports to forward = 4662
3. Destination's ip = 192.168.x.y
4. New destination's port (optional) =
Where ppp0 is your internet connection and 192.168.x.y is your eDonkey box (you don't need to modify the destination's port).
Repeat the last steps for the UDP port (4666).
Restart the firewall.
Take a TCP port range; in this example we take 50200 -> 50210 and use Licq.
Go to your Licq configuration and set "I can receive direct connections" to 50200 -> 50210.
Now forward the 50200:50210/tcp ports to the Licq host.
In the config file:
TCP_FORWARD="ppp0>50200:50210>192.168.x.y"
Where ppp0 is your internet connection and 192.168.x.y is your Licq host.
Or with firewall-config.pl:
# firewall-config.pl
Go to Forwarding TCP Ports => Add TCP Forward rule
Next, answer the four questions:
1. Incoming interface = ppp0
2. Ports to forward = 50200:50210
3. Destination's ip = 192.168.x.y
4. New destination's port (optional) =
Where ppp0 is your internet connection and 192.168.x.y is your Licq host (you don't need to modify the destination's port).
Restart the firewall.
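As an added example (not part of the FAQ or of Jay's firewall), a small Python validator for TCP_FORWARD/UDP_FORWARD entries in the iface>ports>ip syntax used in the two answers above, so a typo is caught before the firewall loads it. It assumes each entry is one string as in the FAQ, requires an RFC 1918 destination because a forwarded port is reachable by every host on the internet interface, and its as_iptables helper shows an illustrative DNAT equivalent, not the rules the firewall itself generates.

```python
import ipaddress
import re

# Constructed TCP_FORWARD / UDP_FORWARD values in the FAQ's syntax:
# '<incoming interface>><port or lo:hi range>><destination ip>'.
SAMPLE_TCP_FORWARDS = ["ppp0>4662>192.168.1.10", "ppp0>50200:50210>192.168.1.20"]
SAMPLE_UDP_FORWARDS = ["ppp0>4666>192.168.1.10"]

IFACE_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")  # Linux interface-name limit
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_ports(spec):
    """Accept a single port '4662' or an inclusive range '50200:50210'."""
    lo, _, hi = spec.partition(":")
    lo, hi = int(lo), (int(hi) if hi else int(lo))
    if not 1 <= lo <= hi <= 65535:
        raise ValueError("bad port spec %r" % spec)
    return lo, hi

def parse_forward(entry, proto):
    """Validate one forward entry; raise ValueError rather than load a bad rule."""
    parts = entry.split(">")
    if len(parts) != 3:
        raise ValueError("expected iface>ports>ip, got %r" % entry)
    iface, ports, dest = parts
    if not IFACE_RE.match(iface):
        raise ValueError("bad interface name %r" % iface)
    lo, hi = parse_ports(ports)
    addr = ipaddress.ip_address(dest)  # also rejects an unfilled '192.168.x.y'
    if not any(addr in net for net in RFC1918):
        raise ValueError("%s is not a LAN (RFC 1918) address" % addr)
    return {"proto": proto, "iface": iface, "lo": lo, "hi": hi, "dest": str(addr)}

def check_forwards(tcp_entries, udp_entries):
    """Parse every entry of both variables, stopping at the first bad one."""
    return ([parse_forward(e, "tcp") for e in tcp_entries]
            + [parse_forward(e, "udp") for e in udp_entries])

def as_iptables(rule):
    """Illustrative DNAT equivalent of one rule (assumption: the firewall's own
    chains may express it differently)."""
    lo, hi = rule["lo"], rule["hi"]
    ports = "%d:%d" % (lo, hi) if lo != hi else str(lo)
    return ("iptables -t nat -A PREROUTING -i %s -p %s --dport %s"
            " -j DNAT --to-destination %s"
            % (rule["iface"], rule["proto"], ports, rule["dest"]))
```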
To deny some hosts from your domain, use the 'block-*' files.
Go to /var/lib/firewall-jay/ and:
· edit block-ip-in.user to deny all access from the listed IP addresses
· edit block-ip-out.user to deny all access to the listed IP addresses
· edit block-mac-in.user to deny all access from the listed MAC addresses
Here is the syntax for IPs:
[!]<ip or subnet>:<description>
· Subnet can be "host.domain.xxx", "1.1.1.1", "1.1.1.0/24" or "1.1.1.0/255.255.255.0"
· Description: must be less than 24 characters, no spaces allowed
Example:
!10.0.0.1:good-guy
!10.0.0.5:good-guy
10.0.0.0/8:bad-guys
In this example, the whole subnet 10.0.0.0/8 is denied except 10.0.0.1 and 10.0.0.5.
Here is the syntax for MACs:
<mac address>-<description>
· MAC address must be like XX:XX:XX:XX:XX:XX
· Description: must be less than 24 characters, no spaces allowed
Next you must configure the firewall to enable the blocking feature.
In the config file:
DENY_DIR="/var/lib/firewall-jay"
DENY_IP_IN="1"
DENY_IP_IN_FILES="block-ip-in.user"
DENY_IP_IN_LOG="1"
DENY_IP_OUT="1"
DENY_IP_OUT_FILES="block-ip-out.user"
DENY_IP_OUT_LOG="1"
DENY_MAC_IN="1"
DENY_MAC_IN_FILES="block-mac-in.user"
DENY_MAC_IN_LOG="1"
Where DENY_DIR is the directory where the files are located. DENY_IP_IN, DENY_IP_OUT and DENY_MAC_IN take the values "1" (enabled) or "0" (disabled).
Restart the firewall.
Or with firewall-config.pl:
# firewall-config.pl
Go to Features (optional) => Denying Hosts => Denying IPs source, for example.
Save the new config and restart the firewall.
You can reload the block-{ip|mac} files without restarting the firewall with
# /etc/init.d/fw-jay reload-block-ip
or
# /etc/init.d/fw-jay reload-block-mac
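As an added example (not code from the FAQ or from the firewall), a Python parser for the block-ip-*.user syntax described above that applies the '!' exception semantics, so you can check which addresses a file really denies before reloading it. The sample entries are constructed; hostname entries are kept unresolved because the firewall, not this checker, resolves them.

```python
import ipaddress
import re

# Constructed sample of a block-ip-in.user file in the FAQ's syntax
# [!]<ip or subnet>:<description>; a leading '!' marks an exception.
SAMPLE_BLOCK_IP = """\
!10.0.0.1:good-guy
!10.0.0.5:good-guy
10.0.0.0/8:bad-guys
192.168.50.0/255.255.255.0:noisy-lab
"""
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")

def check_description(desc):
    # The FAQ requires fewer than 24 characters and no spaces.
    if not desc or len(desc) >= 24 or " " in desc:
        raise ValueError("bad description %r" % desc)

def parse_block_ip_file(text):
    """Return (deny, allow) lists. Subnets become ipaddress networks;
    'host.domain.xxx' entries stay strings (the firewall resolves them)."""
    deny, allow = [], []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError("line %d: missing ':<description>'" % n)
        target, desc = line.rsplit(":", 1)
        check_description(desc)
        negate = target.startswith("!")
        target = target.lstrip("!")
        try:
            net = ipaddress.ip_network(target, strict=False)
        except ValueError:
            if not HOST_RE.match(target):
                raise ValueError("line %d: bad host/subnet %r" % (n, target))
            net = target
        (allow if negate else deny).append(net)
    return deny, allow

def is_blocked(ip, deny, allow):
    """An IP is denied when a deny entry covers it and no '!' entry does."""
    addr = ipaddress.ip_address(ip)
    def covers(nets):
        return any(not isinstance(n, str) and addr in n for n in nets)
    return covers(deny) and not covers(allow)

DENY, ALLOW = parse_block_ip_file(SAMPLE_BLOCK_IP)
```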
The spyware feature uses the block-ip-out.* files.
See "How to deny some hosts (IP or MAC address)?".
The firewall provides a script named firewall-spy-update.pl. This script generates a spyware IP file (block-ip-out.spywares) which you can add to the feature described in "How to deny some hosts (IP or MAC address)?".
Yes.
Netfilter reads the rules sequentially, so TCP traffic should not pass through the UDP tests, just as a connection coming from the LAN should not be tested as if it came from the Internet.
With the structure of Jay's Iptables Firewall, the number of tests in netfilter is minimized in order to increase speed.
Here is part of a dump of the INPUT chain:
target      prot opt in   out  source    destination
JAY_LANIN   all  --  eth0 any  anywhere  anywhere
JAY_LANIN   all  --  eth1 any  anywhere  anywhere
JAY_INETIN  all  --  eth2 any  anywhere  anywhere
JAY_INETIN  all  --  eth3 any  anywhere  anywhere
JAY_LDROP   all  --  any  any  anywhere  anywhere
(where eth0 and eth1 are LAN interfaces and eth2 and eth3 are internet interfaces)
As you can see, we first look at the incoming interface. Internet traffic jumps into JAY_INETIN.
Next, view the JAY_INETIN chain:
target          prot opt in   out
JAY_SPOOFING    all  --  any  any
JAY_INETIN_TCP  tcp  --  any  any
JAY_INETIN_UDP  udp  --  any  any
JAY_CHECK_ICMP  icmp --  any  any
ACCEPT          all  --  any  any  state ESTABLISHED
Next we look at the protocol.
And finally, the JAY_INETIN_TCP chain:
target         prot in   out
JAY_SYNFLOOD   tcp  any  any  tcp flags:SYN,RST,ACK/SYN
JAY_CHECK_TCP  all  any  any
ACCEPT         tcp  any  any  tcp dpt:ftp state NEW,ESTABLISHED
ACCEPT         tcp  any  any  tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT         tcp  any  any  tcp dpt:www state NEW,ESTABLISHED
ACCEPT         tcp  any  any  tcp dpts:1024:65535 state RELATED,ESTABLISHED
Yes.
The LANs connected to the Linux firewall box can be restricted in TCP/UDP port access, but between the LANs there are no restrictions.
Not yet.
For the moment, you can use the custom rules file to allow IPsec tunnels.
The firewall needs the IPs of your network cards and/or your internet connection.
The firewall needs to be started after the network and the other connection scripts; otherwise it will refuse to start.
Verify your runlevel links.
Example with rc3.d:
# ls -l /etc/rc3.d/
...
lrwxrwxrwx 1 root root S40network -> ../init.d/network
lrwxrwxrwx 1 root root S45adsl-start -> ../init.d/adsl-start
...
The network starts at position 40 and adsl-start at position 45.
Start the firewall at position 46:
# cd /etc/rc3.d/
# ln -s ../init.d/fw-jay S46fw-jay
# ls -l /etc/rc3.d/
...
lrwxrwxrwx 1 root root S40network -> ../init.d/network
lrwxrwxrwx 1 root root S45adsl-start -> ../init.d/adsl-start
lrwxrwxrwx 1 root root S46fw-jay -> ../init.d/fw-jay
...
Remember to remove the old links.
-
You have a very, very old version of dialog (e.g. 0.6).
Your 'dialog' does not know the --version parameter :-)
Please update to version 0.9a-20020309a.
-
This firewall uses the 'which' command to get the full path of a command.
Example:
[root@firewall ~]$ which iptables
/sbin/iptables
[root@firewall ~]$
Please check that which is installed on your system.
The problem was found on Red Hat Fedora.
-
Please verify that you have a valid PATH in your ip-up script. If not, add these two lines at the beginning of the file:
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
export PATH
The problem was found on Slackware 9.0.