Re: Building a sound firewall...

From: Fredderic (fredderic@iprimus.com.au)
Date: 11/06/02


From: "Fredderic" <fredderic@iprimus.com.au>
Date: Wed, 6 Nov 2002 13:19:59 +1000


> I use a chain called "ALLOW" to let in what I want, which happens to
> be ssh, smtp, and auth ...

Hmmm...... Like the idea. Might also be extendable for people who wish to
change their firewall. If they have a "WORKING" and "TESTING" chain pair,
and are flushing/loading the TESTING chain using discrete commands rather
than iptables-restore, then all they have to do is change the one and only
rule in INPUT to point to the proper one, then have a timed flip back to the
previous one. Leaves their rule set intact for them to tinker with, doesn't
expose the system while the script loads, and I'd expect that if the new
firewall rules bomb out, they'll be left with a default of DENY, rather than
an open system.

> #v+

Just out of curiosity, what is that and its mate for?

> for SERVICE in 22 25 113 ; do
> iptables -A ALLOW -p tcp -i $EXTIF --dport $SERVICE -j ACCEPT
> done

> $EXTIF is of course your external interface. BTW, this example is
> lifted almost verbatim from the iptables docs.

Really? With or without the for loop? I was reading those docs (the
how-to's and so on?), and didn't see that kind of condensation. Simple but
elegant.

Although I've taken to using iptables-restore... So not quite applicable.
Well, I'm actually trying to build my own private firewall builder which
generates and pipes a suitable command stream into iptables-restore.
Currently it lets me view the current ruleset as of when it was opened, and
has some (as-of-yet unimplemented) firewall state settings: active (normal
usability ruleset), inactive (accept everything), lockdown (deny
everything), tightass (traffic to ISP and a few selected sites only). I
figure it's a good way to get the firewall I want, while maintaining the GUI
ease of firestarter and co.

Plus, it's a darned good way to learn how to do it! ;)
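The WORKING/TESTING chain pair sketched above, written out as an added example (not code from the thread): it prints the iptables-restore stream with a DROP default and a single jump rule in INPUT, and gives the one command that flips between the two chains plus a timed flip back. The interface name eth0 and the port lists are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a WORKING/TESTING chain pair for
# iptables-restore. INPUT carries exactly one rule, a jump to the active
# chain, so switching rule sets is one atomic replace (iptables -R INPUT 1),
# and the DROP policy means a load that bombs out leaves the box closed.

EXTIF="${EXTIF:-eth0}"        # external interface (assumed name)
WORKING_PORTS="22 25 113"     # known-good tcp services (ssh, smtp, auth)

# emit_chain CHAIN PORT...: accept loopback and the given tcp ports on EXTIF.
emit_chain() {
  chain="$1"; shift
  echo "-A $chain -i lo -j ACCEPT"
  for port in "$@"; do
    echo "-A $chain -p tcp -i $EXTIF --dport $port -j ACCEPT"
  done
}

# gen_ruleset ACTIVE "PORTS": print a complete iptables-restore stream.
# INPUT jumps to ACTIVE (WORKING or TESTING); TESTING allows PORTS.
gen_ruleset() {
  active="$1"; test_ports="$2"
  case "$active" in WORKING|TESTING) ;; *) echo "gen_ruleset: unknown chain $active" >&2; return 1 ;; esac
  echo '*filter'
  echo ':INPUT DROP [0:0]'
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  echo ':WORKING - [0:0]'
  echo ':TESTING - [0:0]'
  echo "-A INPUT -j $active"        # the one and only INPUT rule
  emit_chain WORKING $WORKING_PORTS # word splitting of the port lists is intended
  emit_chain TESTING $test_ports
  echo 'COMMIT'
}

# flip_cmd CHAIN: the single command that re-points the live firewall.
flip_cmd() { echo "iptables -R INPUT 1 -j $1"; }

# try_testing SECONDS: flip to TESTING and schedule a flip back to WORKING.
# Prints the timer's PID; kill it to keep TESTING once it is known to work.
try_testing() {
  eval "$(flip_cmd TESTING)" || return 1
  ( sleep "${1:-120}" && eval "$(flip_cmd WORKING)" ) &
  echo "$!"
}

if [ "${1:-}" = "print" ]; then     # e.g. sh fw.sh print TESTING "22 80" | iptables-restore
  gen_ruleset "${2:-TESTING}" "${3:-}"
fi
```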


