ipfwadm

Post by spiv » Fri, 08 Jan 1999 04:00:00



Howdy,

        I would like to set up a Linux Box as a firewall. I have
installed Redhat 5.2 on a 486 with a dial up connection and a NIC
which is on a LAN with a Win95 box. My kernel is 2.0.36 and I found
ipfwadm 2.3.0 at /sbin. I currently can ping on my LAN. From the
Linux Box I can ping my ISP and other domains with IP address and
Domain Names.
        I have found many postings with advice, maybe too many. I'm
getting info overload. I would first just like to get something going
and address security later. I'm not running any servers (in).
        I took this file:
--------------------------begin-rc.firewall-----------------------------

#!/bin/sh
#
# /etc/rc.d/rc.firewall, define the firewall configuration, invoked
# from rc.local.

PATH=/sbin:/bin:/usr/sbin:/usr/bin

# Accept icmp from trusted hosts
ipfwadm -I -a accept -P icmp -S 125.179.213.0/24 -D 125.179.213.230/32

# Deny icmp from untrusted hosts
ipfwadm -I -a deny -P icmp -S 0.0.0.0/0 -D 125.179.213.230/32

# Deny all connections from malicious/evil hosts
ipfwadm -I -a deny -D 125.179.213.230/32 -S 210.111.213.66/32

# Forward connections from trusted hosts on your LAN
# (the post gives the LAN as 10.1.1.1/2, but a /2 mask matches everything
# from 0.0.0.0 to 63.255.255.255; a two-host LAN on 10.1.1.x is 10.1.1.0/24)
ipfwadm -F -a masquerade -S 10.1.1.0/24 -D 0.0.0.0/0

# Accept tcp/udp packets from trusted hosts on certain ports
ipfwadm -I -a accept -P tcp -S 125.179.213.0/24 -D 125.179.213.230/32 23
ipfwadm -I -a accept -P udp -S 125.179.213.0/24 -D 125.179.213.230/32 23
# Do this for all your ports that you have been attacked on

# Deny tcp/udp packets from untrusted hosts
ipfwadm -I -a deny -P tcp -D 125.179.213.230/32 23 -S 0.0.0.0/0
ipfwadm -I -a deny -P udp -D 125.179.213.230/32 23 -S 0.0.0.0/0
# Do this for all your ports that you have been attacked on

--------------------------end-rc.firewall-----------------------------

    ...... and made it /etc/rc.d/rc.firewall. My LAN is 10.1.1.1/2.

Now from http://rlz.ne.mediaone.net/linux/index3.shtml I started to
compile my kernel. So I --

cd /usr/src/linux
make mrproper
make xconfig

and got error-

Error in starup script: invalid command line name "button"
    while executing
"button .ref:
         (file "scripts/kconfig.tk" line26)
mahe:*** [xconfig] error 1

My next steps were to be -

 enable these:

 - loadable module support
 - kernel daemon support (for autoloading modules)
 - networking support
 - network firewalls
 - TCP/IP networking
 - <your driver(s)>
 - IP: forwarding/gatewaying
 - IP: syn cookies
 - IP: firewall packet logging
 - IP: masquerading
 - ICMP: masquerading (if you want to ping from an internal machine)
 - IP: accounting
 - IP: drop source routed frames

 then:

make dep
make clean
make boot
make modules
cd /lib/modules
mv <the current version directory> <the current version directory>.original
cd /usr/src/linux
make modules_install
cd /boot
mv vmlinuz.<version> vmlinuz.original
cp /usr/src/linux/arch/i386/boot/zImage ./vmlinuz.new
ln -fs vmlinuz.new vmlinuz
mv System.map.<version> System.map.original
cp /usr/src/linux/System.map ./System.map.new
ln -fs System.map.new System.map
cd /etc

My questions are-

    Do I have a clue?

   What does that error mean and did it do any damage?

   How does the file rc.firewall get started? Do I do a chmod? Does it
get linked to something?

    Does _mv <the current version directory> <the current version directory>.original_ mean _mv 2.0.36 2.0.36.original_?

thanks
M B
bold at city-net com
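
An added example, not the poster's script or anything from the thread: a minimal rc.firewall for ipfwadm on a 2.0.x kernel that starts from a default-deny policy, blocks spoofed LAN addresses on the dial-up link, admits only TCP replies (ACK set) from the ISP side, and masquerades the LAN. It assumes a LAN of 10.1.1.0/24 on eth0 and a dial-up link on ppp0; DRY_RUN=1 prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not the poster's script): a minimal ipfwadm rc.firewall
# for a 2.0.x kernel. Assumed layout: LAN 10.1.1.0/24 on eth0, dial-up
# link on ppp0. Set DRY_RUN=1 to print the rules instead of loading them.
PATH=/sbin:/bin:/usr/sbin:/usr/bin
LAN=10.1.1.0/24
LAN_IF=eth0
EXT_IF=ppp0

# Run ipfwadm, or only print the command line when DRY_RUN is set.
fw() {
    if [ -n "$DRY_RUN" ]; then
        echo "ipfwadm $*"
    else
        ipfwadm "$@"
    fi
}

# Input rules: flush, default-deny, then allow only expected traffic.
input_rules() {
    fw -I -f
    fw -I -p deny
    fw -I -a accept -W lo
    # Anti-spoofing: LAN addresses never arrive on the dial-up link; log hits.
    fw -I -a deny -W "$EXT_IF" -S "$LAN" -o
    fw -I -a accept -W "$LAN_IF" -S "$LAN"
    # From the ISP side accept TCP only with ACK set (replies), so no new
    # inbound connections; accept DNS replies to unprivileged client ports.
    fw -I -a accept -P tcp -k -W "$EXT_IF"
    fw -I -a accept -P udp -W "$EXT_IF" -S 0.0.0.0/0 53 -D 0.0.0.0/0 1024:65535
    # Log whatever falls through to the default deny.
    fw -I -a deny -o
}

# Forwarding rules: masquerade the LAN out of the dial-up link, nothing else.
forward_rules() {
    fw -F -f
    fw -F -p deny
    fw -F -a masquerade -W "$EXT_IF" -S "$LAN" -D 0.0.0.0/0
}

apply_firewall() {
    input_rules
    forward_rules
}
# Start it from /etc/rc.d/rc.local with: sh /etc/rc.d/rc.firewall apply
case "${1:-}" in
    apply) apply_firewall ;;
esac
```

Make the file executable with chmod 755 /etc/rc.d/rc.firewall, or call it with sh from rc.local as the comment shows; either way it needs to run as root after the network interfaces are up.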


1. ANNOUNCE: ipfwadm-dotfile-0.25b: the ipfwadm Dotfile Generator module

The dotfile module for Linux firewall and IP Masquerade configuration is
now available for download. The current version is 0.25b (stable beta).

For details see the ipfwadm Dotfile Module home page at
    http://www.wolfenet.com/~jhardin/ipfwadm.html
The package is also available via anonymous FTP at
    ftp://ftp.rubyriver.com/pub/jhardin/ipfwadm

This module for Jesper Pedersen's Dotfile Generator allows you to generate
a Linux firewall and IP Masquerade configuration file that will work well
for most applications where a single computer or small network is accessing
the Internet via dialup (including support for diald) or over a dedicated
connection.

This module is NOT intended as a substitute for an experienced network
administrator in a critical application (though experienced network
administrators may find it a timesaving tool), but for small networks it
makes it easier to set up masquerading and a basic firewall and enjoy at
least a little security.

Changes:
 more antispoofing and anti-attack rules
 better handling and logging when default policy is DENY
 more intelligent handling of ethernet Internet service

--

 pgpk -a finger://gonzo.wolfenet.com/jhardin    PGP key ID: 0x41EA94F5
 PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
-----------------------------------------------------------------------
   39 days until Netscape releases source code
