+++ INTRODUCTION +++

The aim of Firewall-Config is to help the network administrator configure a firewalling system based on Iptables/Netfilter (2.4 kernels). It is often very difficult to handle complex network structures using iptables: the script grows and grows, and if something goes wrong it will not be easy to find the problem within hundreds of lines. Firewall-Config offers a comfortable console-based User Interface using the Dialog program and the ncurses libraries.

In order to configure your firewall you have to follow these steps:

- Install all the software necessary for Firewall-Config to run (see the INSTALL file)
- Run Firewall-Config as root
- Configure your firewall using the program's user interface (see below for details)
- Save your configuration (/etc/firewall-config.conf if not specified elsewhere)
- Check the init script file and add new custom rules if needed (/usr/local/bin/firewall-init.rc if not specified elsewhere)
- Run the init script file with 'start' as argument in order to activate the firewall

+++ USAGE +++

Firewall-Config is structured in the following menus:

+ Devices Management: use this menu to bring up your ethernet cards.
+ Services Definitions: define the services which will be offered in the 'Enable Services' menu. The most common services are already defined.
+ Networks Definitions: give a network a symbolic name. You can use the alias when creating a rule by writing '$ALIAS'.
+ Interfaces Configuration: tell the program how your network is structured. Give each link a symbolic name and specify what its job will be: LAN (private network, no public IP addresses inside), WAN (external interface), DMZ (demilitarized zone with public IP addresses inside).
+ NAT Rules: allow private networks to browse the Internet (SNAT).
+ Public IP Mapping: allow connections from the WAN interface to private IP addresses inside a DMZ by mapping a public IP onto a private one (DNAT, only if IP aliasing is used).
+ Enable Services: choose the services to which access is granted from the outside world.
+ Interconnections Configuration: choose a policy and create rules for all the interconnections between the interfaces previously configured.
+ Firewall Options: set some options (about ICMP packets, Netbios ports, iptables modules etc.).
+ Blacklist: put bad networks or IP addresses into the local blacklist.
+ Show Actual Configuration: show what has been configured so far.
+ Save Configuration: save the current configuration in /etc/firewall-config.conf.
+ Apply Saved Configuration: run the init script file /usr/local/bin/firewall-init.rc generated from the previously saved configuration.

+++ THE CONFIGURATION FILE +++

All the configuration is saved into /etc/firewall-config.conf; the init script file is generated dynamically from that file, and this is a one-way action only. The configuration file has a standard syntax, so you can easily move it to another machine without losing any information. This file can also be edited by hand and a new init script file generated directly from it, without using the User Interface.

firewall-config.conf is divided into sections. The structure is very similar to the one presented to the user.

create_interface {
    ip netmask [ip_alias ]
}

interface {
    device ip type [network ] [ip_alias ] [nat ] [dmz ]
    [public_ip private_ip1>] [public_ip private_ip2>] ...
    [service ] [service ] ...
}

'public_ip' can be used only with a DMZ interface configured with IP aliasing.
'services' can be used only with a DMZ interface.
'nat' can be used only with a DMZ or a LAN interface.

interconnection -> {
    policy
    [ ]
}

Where has the following structure:

|*:|*->|*:|*()

'*' means all networks or all ports.

definitions {
    \$alias ...
}

services {
    () () ...
}

blacklist {
    ...
}

options {
    option1 option2 option3 ...
}

--
Davide Veneziano (postmaster@vene.ws)
http://www.vene.ws
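As an added example (not part of Firewall-Config or of the firewall-init.rc it generates), the script below prints the iptables rules that a WAN/LAN/DMZ layout of the kind built through the menus above boils down to: a default DROP policy, the LAN -> WAN interconnection with SNAT, a public IP mapping (DNAT) onto a DMZ host, and one enabled service. All interface names and addresses are constructed sample values; the script only emits the commands so they can be reviewed or diffed against the generated init script.

```shell
# Added example: prints (does not apply) the iptables rules behind a
# WAN/LAN/DMZ layout. Every interface name and address here is a
# constructed sample value, not taken from a real firewall-config.conf.
# Pipe the output to sh as root to actually load the rules.

WAN_IF=eth0; WAN_IP=203.0.113.10; WAN_ALIAS=203.0.113.11  # constructed
LAN_IF=eth1; LAN_NET=192.168.1.0/24                        # constructed
DMZ_IF=eth2; DMZ_HOST=10.0.0.5                             # constructed

# Default policy: drop whatever no rule allows; keep established flows alive.
rule_policy() {
    printf 'iptables -P INPUT DROP\n'
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
}

# Interconnection with an ACCEPT policy for new connections.
# $1 = in interface, $2 = out interface, $3 = source network
rule_interconnection() {
    printf 'iptables -A FORWARD -i %s -o %s -s %s -m state --state NEW -j ACCEPT\n' "$1" "$2" "$3"
}

# NAT rule: source NAT so a private network can reach the Internet.
# $1 = private network, $2 = WAN interface, $3 = public address to rewrite to
rule_snat() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' "$1" "$2" "$3"
}

# Public IP mapping: DNAT a public (aliased) IP on the WAN side to a DMZ host.
# $1 = WAN interface, $2 = public IP alias, $3 = private DMZ IP
rule_dnat() {
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -j DNAT --to-destination %s\n' "$1" "$2" "$3"
}

# Enable a service: only this port may reach the DMZ host from the WAN.
# $1 = WAN interface, $2 = DMZ interface, $3 = DMZ host, $4 = proto, $5 = port
rule_service() {
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p %s --dport %s -m state --state NEW -j ACCEPT\n' \
        "$1" "$2" "$3" "$4" "$5"
}

generate_all() {
    rule_policy
    rule_interconnection "$LAN_IF" "$WAN_IF" "$LAN_NET"
    rule_snat "$LAN_NET" "$WAN_IF" "$WAN_IP"
    rule_dnat "$WAN_IF" "$WAN_ALIAS" "$DMZ_HOST"
    rule_service "$WAN_IF" "$DMZ_IF" "$DMZ_HOST" tcp 80
}
generate_all
```

Because the DNAT rule rewrites the destination in PREROUTING, the FORWARD rule for the service matches on the private DMZ address, not on the public alias.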