mirror of
https://github.com/firehol/firehol.git
synced 2024-06-30 19:02:21 +00:00
Minor changes in 'helpme' and changes in documentation to reflect the
'helpme' feature addition.
parent bd333fd563
commit 3a1e6ef72d
@ -97,7 +97,7 @@ The optional rule parameters given to the primary commands are <b>indirectly</b>
<p>
<H4>Parameters</H4>
<ul>
<li> <b>real interface</b> is the interface name as shown by <b>ifconfig</b>.
<li> <b>real interface</b> is the interface name as shown by <b>ip link show</b>.
Generally anything iptables accepts, including the pattern character + (the plus sign), is valid.
<br>The plus sign after some text will match all interfaces that start with this text.
<br>It is allowed to use more than one interfaces separated by spaces, but all of them should be
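Review bot: the swap from <b>ifconfig</b> to <b>ip link show</b> in the "real interface" bullet silently changes which interfaces the reader will see: `ifconfig` without `-a` lists only interfaces that are up, while `ip link show` lists every interface the kernel knows about, down ones included. Since this parameter is the name FireHOL hands to iptables, the sentence could add that the interface only has to exist (not be up) to be named here, so that readers do not filter out interfaces they will later need rules for; the `+` wildcard described two lines below applies to that same name.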
@ -1082,7 +1082,7 @@ about optional rule parameters that should not be used in certain commands.
<tr><td align=center valign=middle>
<A href="http://sourceforge.net"><IMG src="http://sourceforge.net/sflogo.php?group_id=58425&type=5" width="210" height="62" border="0" alt="SourceForge Logo"></A>
</td><td align=center valign=middle>
<small>$Id: commands.html,v 1.20 2003/02/11 22:27:06 ktsaou Exp $</small>
<small>$Id: commands.html,v 1.21 2003/02/26 22:26:19 ktsaou Exp $</small>
<p>
<b>FireHOL</b>, a firewall for humans...<br>
© Copyright 2002
@ -91,16 +91,31 @@ FireHOL has been designed to be a startup service. As such, FireHOL accepts all
</ul>
</td>
</tr>
<tr> <td><b><a filename></td>
<td> a different configuration file.
<tr> <td><b>helpme</td>
<td> Tries to guess the FireHOL configuration needed for the current machine.
<br>
FireHOL will not stop or alter the running firewall. The configuration
file is given in the standard output of FireHOL, thus
<p>
<b>/etc/init.d/firehol helpme >/tmp/firehol.conf</b>
<p>
will produce the output in /tmp/firehol.conf.
<p>
The generated FireHOL configuration <b>should</b> and <b>must</b> be edited
before used on your systems. You are required to take many decisions and the
comments of the generated file will instruct you for many of them.
</td>
</tr>
<tr> <td bgcolor="#EEEEEE"><b><a filename></td>
<td bgcolor="#EEEEEE"> a different configuration file.
If no other argument is given, the configuration
file will be "tried" (default = try).
Otherwise the argument next to the filename can
be one of <b>start</b>, <b>debug</b>, <b>try</b>.
</td>
</tr>
<tr> <td bgcolor="#EEEEEE"><nothing></td>
<td bgcolor="#EEEEEE">Presents help about FireHOL usage.</td>
<tr> <td><nothing></td>
<td>Presents help about FireHOL usage.</td>
</tr>
</table>
</center>
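Review bot: the documented invocation `/etc/init.d/firehol helpme >/tmp/firehol.conf` writes the candidate firewall configuration into world-writable /tmp, and the same paragraph tells the reader to edit that file and then use it on their systems; a local user who pre-creates or swaps /tmp/firehol.conf (or a symlink of that name) before it is copied into place can influence the resulting firewall. Point the example at a root-only location instead (for example a file under /root) and say the file must be reviewed before it is installed as /etc/firehol.conf. Two markup points in the same rows: the new `<tr> <td><b>helpme</td>` cell never closes its `<b>`, and `<a filename>` and `<nothing>` in the neighbouring cells are emitted as raw tags rather than `&lt;a filename&gt;` / `&lt;nothing&gt;`, so browsers render those left-hand cells empty.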
@ -168,7 +183,7 @@ its line number in the original configuration file.
<tr><td align=center valign=middle>
<A href="http://sourceforge.net"><IMG src="http://sourceforge.net/sflogo.php?group_id=58425&type=5" width="210" height="62" border="0" alt="SourceForge Logo"></A>
</td><td align=center valign=middle>
<small>$Id: invoking.html,v 1.7 2003/01/06 00:41:10 ktsaou Exp $</small>
<small>$Id: invoking.html,v 1.8 2003/02/26 22:26:20 ktsaou Exp $</small>
<p>
<b>FireHOL</b>, a firewall for humans...<br>
© Copyright 2002
@ -6,9 +6,18 @@

<BODY bgcolor="#FFFFFF">

This quick tutorial will give you an idea of how to design your firewall, based on real life examples.
Since R5 v1.97 of FireHOL there is the command line argument <b>helpme</b> that will try to guess
your configuration on the running machine. To use it, simply run:<p>

<b>/etc/init.d/firehol helpme >/tmp/firehol.conf</b> <font color="gray">(installed from RPM)</font>, or
<p>
Even if you don't use FireHOL, designing a firewall requires a few steps:
<b>firehol.sh helpme >/tmp/firehol.conf</b> <font color="gray">(installed from .tar.bz2)</font>
<p>
The purpose of the <b>helpme</b> feature is to give you a configuration file that you can modify to get an
operational firewall quickly, especially if your firewalling and iptables knowledge is limited. This feature
does not stop or alter the running firewall of your machine.
<p>
Bellow is the procedure you should follow to manually design a secure FireHOL firewall.
<p>
<table border=0 cellpadding=10 cellspacing=0 width="100%">
<tr><td bgcolor="#EEEEEE"><b>1. Identify all the network interfaces your firewall host has</td></tr></table>
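Review bot: typo in the added line `Bellow is the procedure you should follow to manually design a secure FireHOL firewall.` ("Bellow" should be "Below"). The .tar.bz2 variant `firehol.sh helpme >/tmp/firehol.conf` only works if firehol.sh is on PATH; when run from the unpacked source directory, which is the usual tarball case, it should read `./firehol.sh helpme >/tmp/firehol.conf`. As in invoking.html, writing the draft configuration to world-writable /tmp is a poor default for a file the reader is told to edit and then deploy; a root-owned directory avoids another local user tampering with it.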
@ -19,36 +28,18 @@ with traffic on this interface. By default FireHOL will <b>drop</b> all traffic
so the network interface will have no meaning to be up and running. This is a common mistake on some ADSL configurations, where users
ignore the loop device that connects the linux router with the ADSL device.
<p>
To identify your network interfaces use the <b>ifconfig</b> command. The example bellow shows my home router ifconfig output:
To identify your network interfaces use the <b>ip link show</b> command. The example bellow shows my home router <b>ip link show</b> output:

<center><table border=0 cellpadding=15 cellspacing=20 width="70%">
<tr><td bgcolor="#F0F0F0">
<b><pre><font color="gray">
[root@gateway /]# ifconfig
<font color="red">eth0</font> Link encap:Ethernet HWaddr 00:50:FC:21:9A:AB
inet addr:195.97.5.193 Bcast:195.97.5.207 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:273856 errors:0 dropped:0 overruns:0 frame:0
TX packets:197377 errors:0 dropped:0 overruns:1 carrier:0
collisions:0 txqueuelen:100
RX bytes:311341519 (296.9 Mb) TX bytes:93281783 (88.9 Mb)
Interrupt:9 Base address:0x3f00

<font color="red">lo</font> Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:7041 errors:0 dropped:0 overruns:0 frame:0
TX packets:7041 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2079959 (1.9 Mb) TX bytes:2079959 (1.9 Mb)

<font color="red">ppp0</font> Link encap:Point-to-Point Protocol
inet addr:195.97.5.206 P-t-P:194.30.220.213 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:572 Metric:1
RX packets:8883 errors:0 dropped:0 overruns:0 frame:0
TX packets:8807 errors:0 dropped:45 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:5652345 (5.3 Mb) TX bytes:1077765 (1.0 Mb)
[root@gateway /]# ip link show
1: <font color="red">lo</font>: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: <font color="red">eth0</font>: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:50:fc:21:9a:ab brd ff:ff:ff:ff:ff:ff
12: <font color="red">ppp0</font>: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 3
link/ppp
</font></pre></b>
</td></tr>
</table>
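Review bot: the rewritten sentence keeps the typo `bellow` (`The example bellow shows my home router <b>ip link show</b> output:`). In the new sample, eth0 is listed as `<BROADCAST,MULTICAST,PROMISC,UP>`; PROMISC means the interface is in promiscuous mode, which on a home router normally indicates a packet capture tool or bridge is attached, so a reader copying the tutorial may wonder whether that flag is expected. Either capture the sample without it or add a sentence that a normal interface shows `<BROADCAST,MULTICAST,UP>`. The sample also still publishes a real-looking hardware address (`link/ether 00:50:fc:21:9a:ab`, the same one the removed ifconfig output had); documentation samples usually mask these.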
@ -353,7 +344,8 @@ To save typing time, you can use this:
<p>
Note that we can remove any router statements not having any rules in them, so the <b>internet2home</b> router has been eliminated.
<p>
We might want to have extra checks on each interface to prevent spoofing:
We might want to have extra checks on each interface to prevent spoofing. To find the IPs of your network interfaces use
<b>ip addr show</b> and to find the IP networks behind each interface use <b>ip route show</b>.

<center><table border=0 cellpadding=15 cellspacing=20 width="70%">
<tr><td bgcolor="#F0F0F0">
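Review bot: `ip route show` prints only the main routing table; on a router that uses policy routing (`ip rule`), networks reachable behind an interface can live in other tables, so the anti-spoofing advice should say `ip route show table all` (or at least mention it), otherwise a legitimately routed network can be left out of the per-interface source checks and its traffic dropped as spoofed. Minor: the old sentence ended with a colon leading into the example block that follows; the new one ends with a full stop, so the example table now appears unintroduced.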
@ -557,7 +549,7 @@ We could use the first router (home2internet) to do everything, but then the cli
<tr><td align=center valign=middle>
<A href="http://sourceforge.net"><IMG src="http://sourceforge.net/sflogo.php?group_id=58425&type=5" width="210" height="62" border="0" alt="SourceForge Logo"></A>
</td><td align=center valign=middle>
<small>$Id: tutorial.html,v 1.9 2002/12/31 11:57:40 ktsaou Exp $</small>
<small>$Id: tutorial.html,v 1.10 2003/02/26 22:26:20 ktsaou Exp $</small>
<p>
<b>FireHOL</b>, a firewall for humans...<br>
© Copyright 2002
12
firehol.sh
@ -10,7 +10,7 @@
#
# config: /etc/firehol.conf
#
# $Id: firehol.sh,v 1.97 2003/02/25 21:35:06 ktsaou Exp $
# $Id: firehol.sh,v 1.98 2003/02/26 22:26:16 ktsaou Exp $
#


@ -3189,7 +3189,7 @@ case "${arg}" in
else

cat <<"EOF"
$Id: firehol.sh,v 1.97 2003/02/25 21:35:06 ktsaou Exp $
$Id: firehol.sh,v 1.98 2003/02/26 22:26:16 ktsaou Exp $
(C) Copyright 2002, Costa Tsaousis <costa@tsaousis.gr>
FireHOL is distributed under GPL.

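Review bot: the same three-line banner ($Id, copyright, GPL) is embedded in four separate heredocs in this file (this hunk and the ones at lines 3360, 3523 and 3615), so every CVS revision bump produces four identical one-line changes. Emitting the banner from one variable or function would make the version string a single place to maintain. Note that because these are quoted heredocs (`cat <<"EOF"`), the shell does not expand `$Id`; only the CVS keyword expansion rewrites it, which is why the text must be changed in the file itself rather than computed at run time.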
@ -3360,7 +3360,7 @@ then

cat <<"EOF"

$Id: firehol.sh,v 1.97 2003/02/25 21:35:06 ktsaou Exp $
$Id: firehol.sh,v 1.98 2003/02/26 22:26:16 ktsaou Exp $
(C) Copyright 2002, Costa Tsaousis <costa@tsaousis.gr>
FireHOL is distributed under GPL.
Home Page: http://firehol.sourceforge.net
@ -3523,7 +3523,7 @@ then

cat >&2 <<"EOF"

$Id: firehol.sh,v 1.97 2003/02/25 21:35:06 ktsaou Exp $
$Id: firehol.sh,v 1.98 2003/02/26 22:26:16 ktsaou Exp $
(C) Copyright 2002, Costa Tsaousis <costa@tsaousis.gr>
FireHOL is distributed under GPL.
Home Page: http://firehol.sourceforge.net
@ -3615,7 +3615,7 @@ EOF
echo "# "

cat <<"EOF"
# $Id: firehol.sh,v 1.97 2003/02/25 21:35:06 ktsaou Exp $
# $Id: firehol.sh,v 1.98 2003/02/26 22:26:16 ktsaou Exp $
# (C) Copyright 2002, Costa Tsaousis <costa@tsaousis.gr>
# FireHOL is distributed under GPL.
# Home Page: http://firehol.sourceforge.net
@ -3827,7 +3827,7 @@ EOF
else
echo
echo
echo "# No router statements have been produced, because your server"
echo "# No router statements have been produced, because your server"
echo "# is not configured for forwarding traffic."
echo
fi
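Review bot: the removed and added `echo "# No router statements have been produced, because your server"` lines are identical as rendered, so this hunk is a whitespace-only change (indentation or trailing whitespace). That is harmless, but it is not covered by the commit message's "minor changes in 'helpme'"; either mention the whitespace cleanup in the message or drop the hunk so the diff shows only the $Id bumps it is really about.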