NAME

genfw - Generate a firewall script

SYNOPSIS

genfw

DESCRIPTION

This script generates a firewall script based on a rules file and the network configuration of a system.

OPTIONS

The rules file should contain one line for each interface on the system. Like most standard Unix configuration files, \ is used to continue lines and # is used to begin comments.

Directives

internal interface

An ``internal'' interface tends to be able to connect out, but nothing can connect in to it.

int interface

Equivalent to internal.

dmz interface

A ``dmz'' interface tends allow connections from the outside world, but can't connect to ``internal'' interfaces, and can sometimes connect out to the world.

outside interface

An ``outside'' interface usually can't connect to ``internal'' interfaces but can connect to some things on ``dmz'' interfaces. Also, traffic is not allowed between ``outside'' interfaces.

output interface

Equivalent to outside.

out interface

Equivalent to outside.

append [table:]chain rule

This appends rule to a chain in a specified table. If table (and the colon (:) after it) is omitted, the filter table is assumed.

For example, the following would redirect outgoing connections on port 80 to port 3128 (for transparent proxying with squid):

 append nat:PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to 3128

no logging

Modifies generated rules so that dropped packets are not logged.

limit logging

Dropped packets are logged, but rate-limited. This adds -m limit to all -j LOG lines. This is the default.

full logging

Modifies generated rules so that all dropped packets are logged.

Flags

Any of the interface definition lines can include any number of the following whitespace-separated options:

ignore

Don't generate rules for this interface.

allow=port/proto[:src[:dest[:interface]]]>[,...]

Allow specific traffic to this interface. This option can take many including any of the following:

allow=port: Checks for port/tcp and port/udp in /etc/services. Rules are generated for each one that is defined. An example might be allow=domain to allow traffic to UDP or TCP port 53.
allow=protocol: Checks for protocol in /etc/protocols. A rule is generated if the protocol is defined. For example, allow=gre.
allow=port/protocol: Allows traffic to the specified port on the specified protocol. port can be numeric. (protocol may also be numeric, although this is untested at the moment.) Examples might be allow=smtp/tcp or allow=25/tcp. Both are equivalent.

Any number of protocols, ports, etc. can be included after an allow= in a comma-separated list.

Any of the above can also be followed by a colon-separated list including the source address, destination address, and source interface. Any of the three can be left blank.

For example, allow=ssh/tcp:::eth0 would allow ssh access from eth0, but nowhere else.

label=label

Use label in the names of chains, log messages, etc. instead of the interface name.

trusted

Only used for ``dmz'' and ``internal'' interfaces. Any ``trusted'' interface is allowed full outgoing network access. Also, ``internal'' networks that are ``trusted'' can connect to anything on a ``dmz'' network.

nat

Do Network Address Translation on packets going out from this interface. This only applies to traffic from an ``internal'' or ``dmz'' interface to an ``outside'' interface.

FILES

/etc/sysconfig/rules The rules used to generate the firewall script.

/etc/sysconfig/network-scripts/ifcfg-* The network configuration.

NOTES

A good firewall should restrict traffic on a per-interface basis as much as possible. This script tends to encourage this behavior...

BUGS

Currently this script only knows how to read the configuration from a Red Hat system.

AUTHOR

Steven Pritchard <steve@silug.org>