mirror of
https://github.com/firehol/firehol.git
synced 2024-06-30 19:02:21 +00:00
iptables for retards...
Added support for integration with knockd (http://www.zeroflux.org/knock/)

This integration comes as part of the ACCEPT action:

    accept [with knock <name>]

The optional parameter 'with knock' allows easy integration with knockd, a server that allows you to control access to services, by sending certain packets to "knock" the door, before the door is open for service.

This parameter accepts just a name. This name is used to build a special chain knock_<name> which will contain no rules, so that the traffic entering this chain will just return back and continue to match against the other rules until the end of the firewall.

As an example, let's say that you want to allow https traffic based on a knock. In FireHOL you write:

    server https accept with knock hidden

and you configure knockd so that it runs:

    iptables -A knock_hidden -s %IP% -j ACCEPT

to enable the https service (notice that there is no need to match anything other than the IP. FireHOL already matches everything needed for its rules to work), and:

    iptables -D knock_hidden -s %IP% -j ACCEPT

to disable this service for the given IP.
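A complete knockd configuration that drives the `knock_hidden` chain described in the commit message above, as an added example; it is not code from the FireHOL project or from this commit. It assumes the FireHOL line `server https accept with knock hidden` from the message, an iptables binary at `/sbin/iptables`, and constructed knock sequences; the port numbers, timeouts and section names are assumptions, not values prescribed by FireHOL or knockd. It goes beyond the message by also showing knockd's single-section open/close form, which removes the rule automatically after a timeout.

```ini
# /etc/knockd.conf (added example, not part of FireHOL)
# Pairs with this firehol.conf line, which makes FireHOL create the empty
# chain knock_hidden and route https traffic through it:
#   server https accept with knock hidden

[options]
	logfile = /var/log/knockd.log

# Open: a correct sequence adds the knocker's IP to knock_hidden. Only the
# source IP is matched, because FireHOL's own rule already restricted the
# traffic reaching this chain to https. Ports below are assumed values.
[openHTTPS]
	sequence    = 7000,8000,9000
	seq_timeout = 5
	tcpflags    = syn
	command     = /sbin/iptables -A knock_hidden -s %IP% -j ACCEPT

# Close: the reverse sequence deletes exactly the rule added above. The
# arguments must match the -A line verbatim or -D will not find the rule.
[closeHTTPS]
	sequence    = 9000,8000,7000
	seq_timeout = 5
	tcpflags    = syn
	command     = /sbin/iptables -D knock_hidden -s %IP% -j ACCEPT

# Alternative: one sequence that opens, then closes by itself after
# cmd_timeout seconds, so a forgotten close knock does not leave the
# door open. Use either this section or the pair above, not both.
[opencloseHTTPS]
	sequence      = 2222:udp,3333:tcp,4444:udp
	seq_timeout   = 15
	tcpflags      = syn
	start_command = /sbin/iptables -A knock_hidden -s %IP% -j ACCEPT
	cmd_timeout   = 10
	stop_command  = /sbin/iptables -D knock_hidden -s %IP% -j ACCEPT
```

To check the integration, run `iptables -L knock_hidden -n` as root: FireHOL creates the chain empty, a successful open knock should leave exactly one ACCEPT line for the knocker's address, and the close knock (or `cmd_timeout`) should empty it again. Two ordering details follow from the chain being built by FireHOL: knockd must start after FireHOL, otherwise its `iptables -A knock_hidden` fails because the chain does not exist yet, and restarting FireHOL rebuilds the chain empty, so any access opened by an earlier knock is gone until the client knocks again.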
Top-level contents of the repository:

- doc
- examples
- man
- .cvs
- .spec
- adblock.sh
- buildrpm.sh
- ChangeLog
- COPYING
- firehol.sh
- get-iana.sh
- prettyconf.sh
- README
- TODO
- WhatIsNew
$Id: README,v 1.7 2004/10/31 20:28:02 ktsaou Exp $

FireHOL, an iptables stateful packet filtering firewall for humans!
Copyright (C) 2003 Costa Tsaousis <costa@tsaousis.gr>

LICENSE
-------

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

DOCUMENTATION
-------------

If you received this program as an RPM, documentation should be installed at /usr/share/doc/firehol-X.XX. Otherwise, documentation should be available in the doc/ directory of the .tar.bz2 archive you received.

In any case, you can also find the documentation online, at: http://firehol.sf.net

INSTALLATION
------------

RPM
~~~

RPM distributions automatically install the program. After an RPM installation, FireHOL should be available at /etc/init.d/firehol and its default configuration at /etc/firehol/firehol.conf.

Please use the chkconfig system utility to enable/disable firehol's activity at boot time.

TAR.BZ2
~~~~~~~

This type of distribution includes all the files in the directory where you uncompress it. To make FireHOL start at boot time you have to add it to the startup procedure of your operating system.

Three things are needed to start FireHOL properly:

1. Move firehol.sh to the directory where your startup scripts exist and rename it to firehol (i.e. remove the .sh).

2. Make sure FireHOL is called with something like:

       /path/to/startup/scripts/firehol start

3. Make sure there is a valid configuration file in /etc/firehol/firehol.conf

This is it.

Note that the .tar.bz2 releases can also be used to build an .rpm using:

    rpmbuild -tb firehol-XX-YY.tar.bz2

However, CVS versions - firehol.tar.gz - should not be used this way.

IMPORTANT NOTES
---------------

If you decide to use FireHOL regularly (or permanently) you have to understand that it will control your firewall and therefore be a key point of your security. You should do something to be notified of bugs or other kinds of problems as soon as they appear.

I suggest subscribing to the notification engine of freshmeat.net under this project or monitoring FireHOL's file releases at sourceforge.net. Both of these services will keep you anonymous (to me) but will update you if and when new releases become available.

CONTRIBUTING
------------

I'll be glad to receive your ideas, patches, case studies, service definitions, etc. Here is my e-mail: costa@tsaousis.gr

Please note however that this is my personal e-mail that I read just once per day and in some cases, once every few days. If you want a faster response, you can always use the mailing lists and forums under this project at sourceforge.

Kind Regards
Costa Tsaousis