Great Circle Associates Firewalls
(December 1996)

Subject: ipfwadm firewall for linux
From: <winspace @ void . hell . net> (Norman Widders)
Date: Wed, 18 Dec 1996 18:05:20 +1000
To: <firewalls @ GreatCircle . COM>
Organisation: W.C.E. Consulting
Reply-to: <winspace @ geko . net . au>

In response to a recent posting, I was wondering if someone can assist by pointing
out whether the following is a reasonable home-firewall setup. Any recommendations or
modifications would be appreciated, as it is difficult to understand the manpages.

I took the previously mentioned script and added some additional rules; the system
is a Debian Linux v2.0.27 box with ip_masquerading as well. Any fine tuning or
errors pointed out would be most helpful, as this is my first attempt (have to
start somewhere). TIA   B)

#!/bin/sh

FW=/sbin/ipfwadm
IN=192.168.0.0
IM=24

for i in I O F
do
    $FW -$i -f
    $FW -$i -p accept
done
$FW -F -p reject

# /////////////////////////////////////////////
# DENY all INCOMING 
# ////////////////////////////////////////////
$FW -I -p reject

$FW -F -a deny -o -S $IN/$IM -D $IN/$IM

$FW -F -a accept -P tcp -S $IN/$IM -D 0.0.0.0/0

$FW -F -a accept -P tcp -b -k -S 0.0.0.0/0 -D $IN/$IM

ipfwadm -Fln | grep "acc/m all"
if ( test $? -ne 0 ) then
ipfwadm -F -i masquerade -P all -S $IN/$IM -D 0.0.0.0/0
fi


# //////////////////////////////////////////////////////////////////////
# our own firewall, only allow what we need as all others are blocked ?
# //////////////////////////////////////////////////////////////////////

# DNS
$FW -I -a accept -P tcp -b -S $IN/0 53 -D 0/0
$FW -I -a accept -P udp -b -S $IN/0 53 -D 0/0

# telnet
$FW -I -a accept -P tcp -b -S $IN/0 23 -D 0/0

# finger 
$FW -I -a accept -P tcp -b -S $IN/0 79 -D 0/0

#ident 
$FW -I -a accept -P tcp -b -S $IN/0 113 -D 0/0

# ssh
$FW -I -a accept -P tcp -b -S $IN/0 22 -D 0/0
$FW -I -a accept -P udp -b -S $IN/0 22 -D 0/0

# ftp 20, 21
$FW -I -a accept -P tcp -b -S $IN/0 20 -D 0/0
$FW -I -a accept -P tcp -b -S $IN/0 21 -D 0/0

# irc
$FW -I -a accept -P tcp -b -S $IN/0 6660:6667 -D 0/0

# ping
$FW -I -a accept -P icmp -b -S 0.0.0.0/0 -D $IN/0

# smtp
$FW -I -a accept -P tcp -b -S $IN/0 25 -D 0/0

# pop3
$FW -I -a accept -P tcp -b -S $IN/0 110 -D 0/0

# nntp
$FW -I -a accept -P tcp -b -S $IN/0 119 -D 0/0

# www
$FW -I -a accept -P tcp -b -S $IN/0 80 -D 0/0
$FW -I -a accept -P udp -b -S $IN/0 80 -D 0/0


# list the firewall entries
$FW -M -lvn
$FW -I -lvn
$FW -O -lvn
$FW -F -lvn

cheers


+------------------------------------------------------------+
|                                                            |
|   _/_/         _/_/     _/_/_/_/_/_/      _/_/_/_/_/_/     |
|   _/_/        _/_/     _/_/_/            _/_/              |
|    _/_/ _/_/ _/_/      _/_/              _/_/_/            |
|     _/_/_/_/_/_/       _/_/_/            _/_/              |
|      _/_/  _/_/         _/_/_/_/_/_/      _/_/_/_/_/_/     |
|                                                            |
|                                                            |
| winspace @ geko . net . au - Software Engineering in C++ and SQL |
+------------------------------------------------------------+
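One check a reviewer of the script above would want to run, added here as my own example (it is not from the post, the ipfwadm tool or the list): a small Python linter that parses ipfwadm rule lines and reports address specs such as `192.168.0.0/0`, where the /0 mask discards the written address bits and the rule therefore matches every host rather than the LAN. The sample rules are the post's own, with `$IN` and `$IM` substituted by hand.

```python
import ipaddress
import shlex
# Constructed sample: rules from the posted script with $IN/$IM substituted by hand.
RULES = """\
-I -a accept -P tcp -b -S 192.168.0.0/0 53 -D 0/0
-I -a accept -P udp -b -S 192.168.0.0/0 53 -D 0/0
-I -a accept -P icmp -b -S 0.0.0.0/0 -D 192.168.0.0/0
-F -a accept -P tcp -S 192.168.0.0/24 -D 0.0.0.0/0
"""

def to_network(spec):
    """Map an ipfwadm address spec ("0/0", "192.168.0.0/24", "10.1.2.3") to an
    IPv4Network. Returns (network, sloppy); sloppy means the mask discards bits
    of the written address, so the rule matches more hosts than it appears to."""
    addr, _, mask = spec.partition("/")
    octets = (addr.split(".") + ["0"] * 4)[:4]     # ipfwadm lets "0" stand for 0.0.0.0
    cidr = ".".join(octets) + "/" + (mask or "32")
    try:
        return ipaddress.ip_network(cidr, strict=True), False
    except ValueError:                             # e.g. 192.168.0.0/0 -> 0.0.0.0/0
        return ipaddress.ip_network(cidr, strict=False), True

def parse_rule(line):
    """Parse chain (-I/-O/-F), policy (-a) and -S/-D address plus ports; skip the rest."""
    toks = shlex.split(line)
    rule = {"chain": None, "policy": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in ("-I", "-O", "-F"):
            rule["chain"] = t[1]
        elif t == "-a":
            rule["policy"] = toks[i + 1]
        elif t in ("-S", "-D"):
            side = "src" if t == "-S" else "dst"
            rule[side], rule[side + "_sloppy"] = to_network(toks[i + 1])
            i += 1                                 # ports follow until the next option
            ports = []
            while i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                ports.append(toks[i + 1])
                i += 1
            rule[side + "_ports"] = ports
        i += 1
    return rule

def audit(text):
    """Return (line, side, effective network) for accept rules wider than written."""
    rules = [(n, parse_rule(l)) for n, l in enumerate(text.splitlines(), 1)]
    return [(n, side, str(r[side])) for n, r in rules if r["policy"] == "accept"
            for side in ("src", "dst") if r.get(side + "_sloppy")]
```

Running `audit(RULES)` flags the source of the two DNS rules and the destination of the ping rule, each of which collapses to 0.0.0.0/0; the forwarding rule written with `/24` passes.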