Firewalling with IPFWADM

By Kurt Seifried [email protected]

IPFWADM

If you are still using ipfwadm it is time to upgrade from 2.0 to a 2.2 kernel. Seriously, stop reading and upgrade to at least a 2.2 kernel or preferably a 2.4 kernel.

Ipfwadm is a solid packet filter for Linux, although it lacks a lot of features available in IPChains. Ipfwadm only supports 3 targets for a packet: accept, deny or reject, whereas ipchains rules can be targeted at 6 built-in targets, or a user defined target. Ipfwadm is really only appropriate for a simple IP-level firewall, IP masquerading, and if you plan to use FreeS/WAN (which currently does not support kernel 2.2.x). The basic options are: specify a direction (in, out, or both, useful with the interface flag), input rules, output rules, forwarding rules (for when you have multiple interfaces; these also cover the masquerading rules) and masquerade rules which control the behavior of masquerading (timeouts, etc). You can insert, append and delete rules, set default policies, and list all the rules. Other than that it is very similar to ipchains, with some minor variations. The following is a script appropriate for a server bridging two networks (10.0.0.x on eth0, where the server is 10.0.0.1, and 192.168.0.x on eth1, where the server is 192.168.0.1) with a mail server running.

#!/bin/bash
#
# Flush all the rule sets first
#
ipfwadm -f -I
ipfwadm -f -O
ipfwadm -f -F
#
# Allow forwarding between the two networks and otherwise deny it for security.
# The -i flag ties each source network to the interface it lives on, so a packet
# claiming a 192.168.0.x source but arriving on eth0 matches nothing and is denied.
#
ipfwadm -F -a accept -P all -S 10.0.0.0/24 -i eth0 -D 192.168.0.0/24
ipfwadm -F -a accept -P all -S 192.168.0.0/24 -i eth1 -D 10.0.0.0/24
ipfwadm -F -p deny
#
# And of course we have to allow those packets in. The input chain is checked
# before the forwarding chain, so these rules must cover the same protocols
# (-P all) as the forwarding rules above, otherwise UDP and ICMP between the
# networks are dropped here before forwarding is ever considered.
#
ipfwadm -I -a accept -P all -S 10.0.0.0/24 -i eth0 -D 192.168.0.0/24
ipfwadm -I -a accept -P all -S 192.168.0.0/24 -i eth1 -D 10.0.0.0/24
#
# Let them access the mail server port on the server but nothing else
# (192.168.0.x is on eth1, so its rule must name eth1, not eth0)
#
ipfwadm -I -a accept -P tcp -S 10.0.0.0/24 -i eth0 -D 10.0.0.1 25
ipfwadm -I -a accept -P tcp -S 192.168.0.0/24 -i eth1 -D 192.168.0.1 25
ipfwadm -I -p deny
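A quick way to check that a rule set like the one above really does what the comments claim is to replay sample packets through a model of ipfwadm's first-match evaluation (input chain on arrival, then the forwarding chain unless the packet is addressed to the firewall itself). The following is an added example, not part of the original page: it encodes the two-network scenario with the pass-through input rules on all protocols and the second mail rule on eth1, plus a variant with the pass-through rules restricted to TCP, and answers "would this packet get through, and which chain decided?"

```python
import ipaddress

# Constructed model (not from the page) of ipfwadm first-match evaluation: a packet
# walks the input chain on arrival, then the forwarding chain unless it is addressed
# to the firewall itself. Rule = (proto, src net, inbound iface, dst net, dst port).
def rule(proto, src, iface, dst, port=None):
    return (proto, ipaddress.ip_network(src), iface, ipaddress.ip_network(dst), port)

# Addresses the firewall holds on its two interfaces (from the page's scenario).
LOCAL = {ipaddress.ip_address("10.0.0.1"), ipaddress.ip_address("192.168.0.1")}

# Input chain: pass-through rules for all protocols, mail rules per interface,
# with the 192.168.0.x mail rule bound to eth1, the interface that network lives on.
INPUT = [
    rule("all", "10.0.0.0/24", "eth0", "192.168.0.0/24"),
    rule("all", "192.168.0.0/24", "eth1", "10.0.0.0/24"),
    rule("tcp", "10.0.0.0/24", "eth0", "10.0.0.1/32", 25),
    rule("tcp", "192.168.0.0/24", "eth1", "192.168.0.1/32", 25),
]
# Variant with -P tcp on the pass-through rules: UDP and ICMP never reach forwarding.
TCP_ONLY_INPUT = [("tcp",) + r[1:] for r in INPUT[:2]] + INPUT[2:]
FORWARD = [
    rule("all", "10.0.0.0/24", "eth0", "192.168.0.0/24"),
    rule("all", "192.168.0.0/24", "eth1", "10.0.0.0/24"),
]
POLICY = "deny"  # ipfwadm -I -p deny / ipfwadm -F -p deny

def matches(r, pkt):
    proto, src, iface, dst, port = r
    return ((proto == "all" or proto == pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in src
            and iface == pkt["iface"]
            and ipaddress.ip_address(pkt["dst"]) in dst
            and (port is None or port == pkt["dport"]))

def walk(chain, pkt):
    """Every rule here is an accept rule; no match means the default policy."""
    return "accept" if any(matches(r, pkt) for r in chain) else POLICY

def decide(pkt, inp=INPUT, fwd=FORWARD):
    """Return (verdict, chain that decided) for a constructed packet dict."""
    if walk(inp, pkt) != "accept":
        return ("deny", "input")
    if ipaddress.ip_address(pkt["dst"]) in LOCAL:
        return ("accept", "input")  # delivered locally, never forwarded
    return (walk(fwd, pkt), "forward")

def packet(proto, src, iface, dst, dport=None):
    return {"proto": proto, "src": src, "iface": iface, "dst": dst, "dport": dport}
```

Feeding it a packet with a 192.168.0.x source arriving on eth0 shows the interface binding doing its anti-spoofing job: nothing in the input chain matches and the deny policy applies.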

Rule creation / scripts

The ipfwadm dotfile module home page

From the site:

The ipfwadm dotfile module is intended to make setting up IP Masquerade and basic firewalling on a small network easier for Linux users who aren't professional network administrators. It utilizes Jesper Pedersen's Dotfile Generator to provide a GUI shell around the ipfwadm command. It also automates some of the confusing and obscure details of firewall and IP Masquerade configuration.

ftp://ftp.rubyriver.com/pub/jhardin/ipfwadm/ipfwadm.html

Kfirewall

From the site:

Kfirewall is a GUI application for X, using the KDE/QT widgets. You need to have KDE installed on your system, and qt-devel-1.44 installed. You can find the KDE packages at ftp://ftp.kde.org and the QT packages at ftp://ftp.troll.no.

http://kfirewall.kila.intratech.no/

Last updated on 27/9/2001

Copyright Kurt Seifried 2001 [email protected]