* Basic linux firewall
@ 2005-03-08 14:26 scarab
From: scarab @ 2005-03-08 14:26 UTC (permalink / raw)
To: netfilter-devel
Hi,
I don't know if I'm writing to the right mailing list, but I have a problem and I
hope you could help me solve it. I must write a simple Linux firewall. I tried to
find any information about how to start, but most of it was useless. It is
very important for me because this year I'm finishing university and
trying to get an engineering degree. It needn't be an advanced Linux firewall; it can
filter only TCP packets (although I'd like to make it as advanced as
possible). Could anybody give me some information on where I can find some
documents, books or something like that about how to start etc.? I know that
probably somebody asked for that here before, and I tried to find something in the
netfilter-devel archive, but I didn't succeed.
Thank you
PS. Sorry for my poor English
* Re: Basic linux firewall
From: Max Kellermann @ 2005-03-08 14:44 UTC (permalink / raw)
To: scarab; +Cc: netfilter-devel
On 2005/03/08 15:26, scarab@echostar.pl wrote:
[...]
> Could anybody give me some information on where I can find some
> documents, books or something like that about how to start etc.? I
> know that probably somebody asked for that here before, and I tried
> to find something in the netfilter-devel archive, but I didn't succeed.
Have you already tried the documentation on the netfilter home page?
http://www.netfilter.org/documentation/
For writing rules, I recommend that you use ferm. Ferm is a frontend
for iptables which makes writing rules really easy. I joined the
project a few months ago.
http://ferm.foo-projects.org/
Max
* Re: Basic linux firewall
From: Kenneth Porter @ 2005-03-08 16:27 UTC (permalink / raw)
To: netfilter-devel
--On Tuesday, March 08, 2005 3:44 PM +0100 Max Kellermann <max@duempel.org>
wrote:
> For writing rules, I recommend that you use ferm. Ferm is a frontend
> for iptables which makes writing rules really easy. I joined the
> project a few months ago.
>
> http://ferm.foo-projects.org/
That's pretty slick. Can it generate iptables-save files and generate ferm
files from an existing iptables-save file? I've been maintaining my rules
in that format because that's what Fedora uses to reload the tables at boot
time.
* Re: Basic linux firewall
From: Max Kellermann @ 2005-03-08 16:36 UTC (permalink / raw)
To: Kenneth Porter; +Cc: netfilter-devel
On 2005/03/08 17:27, Kenneth Porter <shiva@sewingwitch.com> wrote:
> > http://ferm.foo-projects.org/
>
> That's pretty slick. Can it generate iptables-save files and generate ferm
> files from an existing iptables-save file? I've been maintaining my rules
> in that format because that's what Fedora uses to reload the tables at boot
> time.
No, but you can call ferm to generate new rules, and then call
iptables-save yourself if you really want it.
The idea of ferm is that you call "ferm /etc/ferm.conf" on bootup from
an init script, so you don't need iptables-save.
Max
* Re: Basic linux firewall
From: Kenneth Porter @ 2005-03-08 17:07 UTC (permalink / raw)
To: netfilter-devel
--On Tuesday, March 08, 2005 5:36 PM +0100 Max Kellermann <max@duempel.org>
wrote:
> No, but you can call ferm to generate new rules, and then call
> iptables-save yourself if you really want it.
I mention iptables-save as an output format because it's been mentioned
here that it's more efficient than individual iptables commands for
building large firewalls. I think that's because it results in one kernel
call instead of a multitude, and a lot less lock manipulation to add all
the rules. The format is relatively simple and could easily be constructed
from individual rule commands, so it's probably straightforward to add.
> The idea of ferm is that you call "ferm /etc/ferm.conf" on bootup from
> an init script, so you don't need iptables-save.
That makes sense. I was mostly thinking of the case where one already has a
firewall produced with some other tool (or constructed by hand). Being able
to reverse that into a ferm.conf file would allow people using other tools
to easily migrate.
* Re: Basic linux firewall
From: Max Kellermann @ 2005-03-08 17:21 UTC (permalink / raw)
To: netfilter-devel
On 2005/03/08 18:07, Kenneth Porter <shiva@sewingwitch.com> wrote:
> I mention iptables-save as an output format because it's been mentioned
> here that it's more efficient than individual iptables commands for
> building large firewalls.
Sure, interesting idea: let ferm generate an iptables-save file
instead of calling iptables many times in a row. I'm writing that on
my todo list.
> That makes sense. I was mostly thinking of the case where one already has a
> firewall produced with some other tool (or constructed by hand). Being able
> to reverse that into a ferm.conf file would allow people using other tools
> to easily migrate.
That's not as easy as it sounds - ferm is for structured firewall
rules, iptables is flat. But a simple (flat) back-translation could
provide a good starting point for a ferm migration.
Max
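Kenneth's remark that the iptables-save format "could easily be constructed from individual rule commands", and Max's idea of letting ferm emit such a file for a single iptables-restore call instead of many iptables invocations, as an added example that is not ferm's code nor anything from the thread: it translates a list of plain iptables commands into iptables-restore text grouped per table. It assumes only the filter and nat tables with their built-in chains, and only the -P, -N and -A actions; the sample command list is constructed here.

```python
import shlex

# Built-in chains of the two tables handled here (assumption: filter and nat only).
BUILTIN = {"filter": ("INPUT", "FORWARD", "OUTPUT"),
           "nat": ("PREROUTING", "POSTROUTING", "OUTPUT")}

def parse_command(cmd):
    # Split "iptables [-t TABLE] ACTION CHAIN ARGS..." into its parts.
    argv = shlex.split(cmd)
    if len(argv) < 3 or argv[0] != "iptables":
        raise ValueError("not an iptables command: %r" % cmd)
    argv, table = argv[1:], "filter"
    if argv[0] in ("-t", "--table"):
        table, argv = argv[1], argv[2:]
    return table, argv[0], argv[1], argv[2:]

def to_iptables_save(commands):
    # Group rules per table and emit iptables-restore syntax: "*table",
    # one ":CHAIN POLICY [pkts:bytes]" line per chain, the rules, then COMMIT.
    tables = {}
    for cmd in commands:
        table, action, chain, rest = parse_command(cmd)
        t = tables.setdefault(table, {"chains": {}, "rules": []})
        for builtin in BUILTIN.get(table, ()):
            t["chains"].setdefault(builtin, "ACCEPT")  # kernel default policy
        if action in ("-P", "--policy"):
            t["chains"][chain] = rest[0]
        elif action in ("-N", "--new-chain"):
            t["chains"][chain] = "-"  # user-defined chains carry no policy
        elif action in ("-A", "--append"):
            t["chains"].setdefault(chain, "-")
            t["rules"].append("-A %s %s" % (chain, " ".join(rest)))
        else:
            raise ValueError("unsupported action: %s" % action)
    out = []
    for table, t in tables.items():
        out.append("*" + table)
        out += [":%s %s [0:0]" % (c, p) for c, p in t["chains"].items()]
        out += t["rules"] + ["COMMIT"]
    return "\n".join(out) + "\n"

# Constructed sample: a TCP-only filter of the kind asked for in the thread.
SAMPLE_COMMANDS = [
    "iptables -P INPUT DROP",
    "iptables -N tcp_in",
    "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "iptables -A INPUT -p tcp --syn -j tcp_in",
    "iptables -A tcp_in -p tcp --dport 22 -j ACCEPT",
    "iptables -A tcp_in -p tcp --dport 80 -j ACCEPT",
    "iptables -A tcp_in -j DROP",
    "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE",
]
```

The output of `to_iptables_save(SAMPLE_COMMANDS)` can be fed to `iptables-restore`, which loads each table in one kernel call; the reverse direction (flat rules back into structured ferm configuration) is the harder problem Max describes.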
* Re: Basic linux firewall
From: richard hauswald @ 2005-03-10 8:39 UTC (permalink / raw)
To: scarab; +Cc: netfilter-devel
scarab@echostar.pl wrote:
>Hi,
>I don't know if I'm writing to the right mailing list, but I have a problem and I
>hope you could help me solve it. I must write a simple Linux firewall. I tried to
>find any information about how to start, but most of it was useless. It is
>very important for me because this year I'm finishing university and
>trying to get an engineering degree. It needn't be an advanced Linux firewall; it can
>filter only TCP packets (although I'd like to make it as advanced as
>possible). Could anybody give me some information on where I can find some
>documents, books or something like that about how to start etc.? I know that
>probably somebody asked for that here before, and I tried to find something in the
>netfilter-devel archive, but I didn't succeed.
>Thank you
>
>PS. Sorry for my poor English
OK, I understand what you want. In general, man iptables gives you all the
information for using the program iptables. But you will also need a
bit of network brain... :-)
To solve this known problem, Robert R. Ziegler wrote a book:
http://www.amazon.de/exec/obidos/ASIN/3827262577/qid=1110443595/sr=8-9/ref=sr_8_xs_ap_i9_xgl/302-8865415-2152020
OK, it's the German part of Amazon, but I'm sure you will also find it
at Amazon for Poland...
Regards
Richard Hauswald
PS: I'm excusing your poor English, mine is not better. But I thought
posting with real names is a question of cheerfulness ;-)
* Some protection from DDOS with iptables.
From: Vasilii Alferov @ 2005-03-10 9:12 UTC (permalink / raw)
To: netfilter-devel
I need to block a kind of HTTP request containing the filenames zoo.jpg and
zo2.jpg. These requests come from the Bagle virus and heavily load our web server.
Rejecting or dropping these requests with string match isn't a solution, since
it leaves an unfinished connection with Apache, and that spawns a huge number of
threads in just a second.
Another try was to limit incoming connections. But it denies legal users
access to our websites while allowing the viruses to do it.
I'd like to have a rule closing the connection on receiving a certain string or when
another condition is met. Is it possible with iptables?