On Tue, Mar 19, 2002 at 06:40:05AM -0600, Perry Hoekstra wrote:
> Anybody have recommendations for firewall software for a RH6.2 box? I
> am digging through the ipchains material as we speak and was hoping
> for a piece of software that would abstract some of the nitty-gritty
> details for a rookie like me.

Check out freshmeat. There are a number of perl, python, bash, <insert
your favorite scripting language> firewall scripts out there. Some simply
build a start/stop style script. Others manage the firewall entirely.
Shop around.

Here's a hint when you're playing with ipchains remotely. Add a cron job
to save the current ruleset, flush all rules, and set the default policy
to ACCEPT. That way, if you're screwing around with them remotely and
lock yourself out, in, let's say, 15 minutes you can get access again.

#!/bin/sh
#
# ipchains-cronflush -- save rule set to backup file. Flush!
#
# Add this to your cron with something like:
#
# */15 * * * *
#
ipchains=/usr/bin/ipchains          # ipchains
save=/usr/bin/ipchains-save         # save ruleset tool
bkdir=/tmp                          # Backup ruleset
datetime=`date +%s`                 # Seconds since 1/1/1970

# First, backup ruleset
$save > $bkdir/ipchains-$datetime

# Set default policies to ACCEPT before flushing, so an emptied chain
# with a DENY policy never shuts you out
$ipchains -P input ACCEPT
$ipchains -P output ACCEPT
$ipchains -P forward ACCEPT

# Flush rulesets
$ipchains -F input
$ipchains -F output
$ipchains -F forward

# end script

Then, all you need to do is use ipchains-restore to restore the ruleset.
If you've made an error, edit the ruleset file before you do
ipchains-restore. You really can do this without helper scripts, but
little tricks like these are very helpful.

Now, if you're using Debian, you can tie in your rules with the ifup/down
scripts in /etc/network/if-{up,down}.d. That way, you can add rules
specific to the interface when it goes up or down. You can even hack a
bit to get different network schemes (i.e. home vs. work), very nice if
you have a laptop.

Good luck!

-- 
Chad Walstrom <chewie at wookimus.net>   | a.k.a. ^chewie
http://www.wookimus.net/                | s.k.a. gunnarr
Get my public key, ICQ#, etc. $(mailx -s 'get info' chewie at wookimus.net)
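As an added example for this thread (not Chad's script and not part of the original post), here is a fuller version of the lockout guard he describes: it saves the ruleset, sets every built-in policy to ACCEPT *before* flushing, keeps the backup in a root-only directory instead of /tmp (the saved ruleset reveals your policy, and /tmp is world-writable), and only acts while an "armed" marker file exists, so the cron entry can stay installed permanently and you arm it just before a risky remote edit. The script name ipchains-guard, the tool paths under /sbin, and the /var/backups and /var/run locations are assumptions; all of them can be overridden through the environment.

```shell
#!/bin/sh
# ipchains-guard: lockout guard for editing ipchains rules over the network.
# Added example for this thread, not the original poster's script. Assumed
# paths below are overridable via the environment.
#
# Cron line (runs every 15 minutes, only does anything while "armed"):
#   */15 * * * * /usr/local/sbin/ipchains-guard cronflush
#
# Workflow:  ipchains-guard arm ; edit rules ; ipchains-guard disarm
# If you lock yourself out, wait for cron: it backs up the ruleset, sets
# every policy to ACCEPT, flushes, and disarms itself. Fix the saved file,
# then:  ipchains-guard restore /var/backups/ipchains/ipchains-<stamp>

IPCHAINS=${IPCHAINS:-/sbin/ipchains}
IPCHAINS_SAVE=${IPCHAINS_SAVE:-/sbin/ipchains-save}
IPCHAINS_RESTORE=${IPCHAINS_RESTORE:-/sbin/ipchains-restore}
# Not /tmp: it is world-writable and the ruleset is sensitive information.
BACKUP_DIR=${BACKUP_DIR:-/var/backups/ipchains}
ARM_FILE=${ARM_FILE:-/var/run/ipchains-guard.armed}

# Save the running ruleset to a root-only, timestamped file; print its path.
fw_backup() {
    umask 077
    mkdir -p "$BACKUP_DIR" || return 1
    f="$BACKUP_DIR/ipchains-$(date +%Y%m%d-%H%M%S)"
    "$IPCHAINS_SAVE" > "$f" || return 1
    printf '%s\n' "$f"
}

# Fail open. Policies go to ACCEPT before the flush, so there is never a
# moment where a chain is empty with a DENY/REJECT policy still in force.
fw_open() {
    for chain in input output forward; do
        "$IPCHAINS" -P "$chain" ACCEPT || return 1
    done
    for chain in input output forward; do
        "$IPCHAINS" -F "$chain" || return 1
    done
}

# Reload a saved ruleset. ipchains-restore reads the ipchains-save output
# on stdin and appends to whatever is loaded, so empty the built-in chains
# first to avoid duplicated rules.
fw_restore() {
    fw_open && "$IPCHAINS_RESTORE" < "$1"
}

fw_arm()    { : > "$ARM_FILE"; }
fw_disarm() { rm -f "$ARM_FILE"; }

# What cron calls. A no-op (exit 3) unless armed; otherwise back up, open,
# and disarm so the box is not re-flushed every 15 minutes afterwards.
# Prints the backup path when it opened the firewall.
fw_cronflush() {
    [ -e "$ARM_FILE" ] || return 3
    f=$(fw_backup) || return 1
    fw_open || return 1
    fw_disarm
    printf '%s\n' "$f"
}

case "${1:-}" in
    arm)        fw_arm ;;
    disarm)     fw_disarm ;;
    cronflush)  fw_cronflush ;;
    backup)     fw_backup ;;
    restore)    fw_restore "$2" ;;
esac
```

Arm it, make your change, confirm you can still log in from a second session, then disarm. If the second login never comes, the next cron run opens the box and leaves the saved ruleset for you to edit and restore.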