fwup 20020626

Firewall is a set of scripts (firewall, fwup and fwdown) that implement an ipchains firewall and various forms of network address and port translation. All you have to do is read the policy file and edit it to reflect your topology and filtering policy.

The policy file is composed of sections in which you need to specify: this host's trusted and untrusted network interfaces; this host's role and function within the network topology; the incoming and outgoing services to allow and the internal and external hosts that may take part in them. It has been designed to make this as painless and flexible as possible.

Each section contains detailed explanations and advice on matters such as when to start the firewall, the security implications of various well-known Internet services, and how to allow those services safely. It is intended to introduce administrators quickly to some of the subtleties of packet filtering, so that they can make better-informed security decisions and achieve and maintain effective network security (at least the packet-filtering part of it) in a very short time. Of course, it will not prevent you from achieving bad network security, but you will have been warned.

Firewall is freely available under the GNU General Public License.

Here are some key features of "Firewall":

· The administrator only needs to read and edit the (heavily documented) firewall.policy file. There is no need to see any actual ipchains, ipmasqadm or ip commands.

Supports various network topologies:

· Single Host (no forwarding, no address/port translation)
· Forwarding (no address/port translation)
· Masquerading (outgoing M:1 NAPT)
· Port Forwarding (Masquerading + incoming 1:M NAPT)
· Alias Port Forwarding (Masquerading + incoming N:M NAPT)
· Static NAT (incoming and outgoing 1:1 NAT)
· Supports up to 10 untrusted network interfaces, each with a distinct policy. There can be as much or as little policy sharing between untrusted interfaces as you like.
· Supports centralised administration of multiple remote firewalls.
· Installation makes sure that the firewall starts at boot time before the network is brought up (so there is no window in which an interface is up but unfiltered) and automatically reloads whenever the host receives a dynamic address from PPP or DHCP.

Supports control of many services (incoming and outgoing):

· DNS Client
· DNS Server
· SMTP
· POP
· IMAP
· LDAP
· SSL-POP
· SSL-IMAP
· SSL-LDAP
· SSH1
· SSH2/LSH
· FTP (active)
· FTP (passive)
· TELNET
· HTTP
· HTTPS
· HTTP PROXY
· SQUID
· NNTP
· RSYNC
· CVS
· GNATS
· MYSQL
· SMB
· IRC
· ICQ
· RealAudio/QuickTime
· VNC
· REACHOUT
· PC Anywhere
· Windows Terminal Server
· NTP
· DAYTIME
· TIME
· GOPHER
· WAIS
· ARCHIE
· FINGER
· WHOIS
· AUTH
· NOTES
· DIALPAD
· WEBPHONE
· NET2PHONE
· HOTTELEPHONE/WEB2CALL
· NETMEETING
· SYSLOG
· DHCP Client/Server
· TACACS+
· SNMP
· SNMP TRAP
· BGP
· OSPF
· RIP
· KERBEROS
· PPTP
· IPSEC
· PING
· TRACEROUTE
· X11

Comes with example policy files for each supported network topology.

Comes with several utilities for developing, testing and maintaining firewall rules and policy files:

· dns2ip - a filter that translates domain names into IP addresses
· fwhelper - helps the testing and development of an ipchains firewall
· portscan - performs a thorough port scan
· tcpdump-histogram - prints a histogram of connection tuples in tcpdump output

Comes with two useful patches:

· ipchains-Q - Makes starting the packet filter much faster
· masq-demasq - Makes internally initiated port forwarding work (connections from the trusted network to a port-forwarded service via the firewall's external address)

What's New in This Release:

· Added support for multicast sessions
· Added rejecting specific ports when policy is DENY (for inacker@informatik.uni-freiburg.de)
· Added support for PPTP server on localhost (nick@abssys.com)
· Updated URL for ip_masq_h323 module (martin@kos.li)
· Updated -Q patch for ipchains-1.3.10 (rmrpms@usa.net)
· Added REACHOUT service
· Added TACACS+ service
· Updated list of trojan ports (www.neohapsis.com, www.seifried.org)
· Removed the need for bash (LRP only has ash)
· Removed the need for awk (LRP doesn't have awk by default)
· Added migrate-policy (suggested by inacker@informatik.uni-freiburg.de)
· Added meta-firewall migrate/diff/revert
· Added more documentation on SERVICES and TARGET_* variables (bs@axysdesign.com)
· Updated IANA reserved networks (20011201 - 219, 220 allocated to APNIC)
· Fixed firewall lockfile for Debian (jejc@free.fr)
· Made to work with ash, bsh, bash, ksh or (in the unlikely event) zsh
· Added installation support for more DHCP clients (e.g. pump and dhclient)
· Ported to LRP/busybox-ash (wont-i@wkh.org)
· Added "make lrpkg" (creates an LRP package after you define your policy)
· Added installation support for systems with /etc/ppp/ip-{up,down}.d
· Added "firewall reconf < config >"
· Added "firewall help"

last updated on:
July 31st, 2007, 21:15 GMT
price:
FREE!
developed by:
raf
homepage:
fwup.org
license type:
GPL (GNU General Public License) 
category:
ROOT \ Security

user rating:
4.1/5 (17)