"Fossies" - the Fresh Open Source Software Archive

Member "sshdfilter-1.5.7/INSTALL.ipfw" (13 Oct 2007, 3358 Bytes) of package /linux/privat/old/sshdfilter-1.5.7.tar.gz:

Installing sshdfilter for ipfw can be achieved by changing a few
configuration options. This file describes all the differences
required for using ipfw instead of iptables; to install sshdfilter
you still need to read INSTALL.

1. Decide what range the dynamically added block rules will occupy. For
example, the first tester of ipfw (on MacOSX) had a firewall that looked
like this:
$ ipfw show
02000       0          0 allow ip from any to any via lo*
02010       0          0 deny ip from 127.0.0.0/8 to any in
02020       0          0 deny ip from any to 127.0.0.0/8 in
02030       0          0 deny ip from 224.0.0.0/3 to any in
02040       0          0 deny tcp from any to 224.0.0.0/3 in
02050       0          0 allow tcp from any to any out
02060       0          0 allow tcp from any to any established
02070       0          0 allow tcp from any to any dst-port 548 in
02080       0          0 allow tcp from any to any dst-port 427 in
02090       0          0 allow tcp from any to any dst-port 443 in
02100       0          0 allow tcp from any to any dst-port 80 in
02110       0          0 allow tcp from any to any dst-port 427 in
02120       0          0 allow tcp from any to any dst-port 443 in
02130       0          0 allow tcp from any to any dst-port 1521 in
02140       0          0 allow tcp from any to any dst-port 3689 in
02150       0          0 allow tcp from any to any dst-port 80 in
02160       0          0 allow tcp from any to any dst-port 22 in
12190       0          0 deny log tcp from any to any
20000       0          0 deny log icmp from any to me in icmptypes 8
65535       0          0 allow ip from any to any

This was (probably) the firewall generated by the Mac 'sharing control panel'.
It would be best to leave this firewall as is and have sshdfilter work around
it. Notice that rule number 2160 accepts incoming ssh connections, so the
sshdfilter block rules must appear before it.

Also notice that the rules start at 2000, so we can start our rules at 1000. As
this early position will see all traffic, we can add skipto rules so the dynamic
block rules are only checked against ssh traffic. Such as:
ipfw add 1000 skipto 2000 tcp from any to any not dst-port 22
ipfw add 1001 skipto 2000 not tcp from any to any

2. In /etc/sshdfilterrc, comment out the firewalladd/firewalldel commands for
iptables and uncomment the ipfw commands. Uncomment and set ipfwmin/ipfwmax to
the appropriate range. Using the above ranges this would be:
ipfwmin=1002
ipfwmax=1999

That is a lot of potential rules, more than I have ever seen when using a
default USERPOLICY.

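The following script is an added example (not part of sshdfilter) that checks a candidate ipfwmin/ipfwmax range against `ipfw show` output before it goes into /etc/sshdfilterrc: the range must be free of existing rules and must end before the rule that accepts incoming ssh, as steps 1 and 2 require. It assumes the rule number is the first field of each `ipfw show` line and uses a constructed, abridged copy of the firewall above as sample input.

```shell
#!/bin/sh
# Added example, not sshdfilter's own code: validate an ipfwmin/ipfwmax
# range against `ipfw show` output. A range is usable only if no existing
# rule number falls inside it and it ends before the rule accepting
# incoming ssh, so the dynamic deny rules are evaluated first.
# Assumption: the rule number is the first field of every `ipfw show` line.

# check_range MIN MAX  reads `ipfw show` output on stdin;
# prints a verdict and returns 0 only when the range is usable.
check_range() {
    awk -v min="$1" -v max="$2" '
        BEGIN { min += 0; max += 0 }
        { n = $1 + 0 }                              # "02160" -> 2160
        n >= min && n <= max && !clash { clash = n } # first rule inside range
        /allow tcp .*dst-port 22 in/ && !ssh { ssh = n } # ssh accept rule
        END {
            if (min < 1 || min > max) { print "bad range: " min "-" max; exit 1 }
            if (clash) { print "rule " clash " already occupies " min "-" max; exit 1 }
            if (!ssh) { print "no rule accepting tcp dst-port 22 in found"; exit 1 }
            if (max >= ssh) { print "range must end before ssh accept rule " ssh; exit 1 }
            print "OK: " min "-" max " is free and precedes ssh accept rule " ssh
        }'
}

# Constructed sample, abridged from the MacOSX firewall shown above.
SAMPLE_RULES='02000       0          0 allow ip from any to any via lo*
02060       0          0 allow tcp from any to any established
02160       0          0 allow tcp from any to any dst-port 22 in
12190       0          0 deny log tcp from any to any
65535       0          0 allow ip from any to any'

# check_sample MIN MAX  runs check_range over the constructed sample.
check_sample() { printf '%s\n' "$SAMPLE_RULES" | check_range "$1" "$2"; }

# The range chosen in this INSTALL text is accepted ...
check_sample 1002 1999
# ... while one that collides with, or follows, the ssh accept rule is not.
check_sample 2100 2200 || echo "rejected as expected"
```

On a live system replace the sample with `ipfw show | check_range 1002 1999` and adjust the ipfwmin/ipfwmax values until the check passes.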
3. If you have a firewall helper program that needs sole access to your firewall,
chances are it will disable itself when it sees the additions made by sshdfilter.
The script scripts/ipfw.save will save and flush all dynamic rules created by
sshdfilter (to /etc/sshdfilter.ipfw), and scripts/ipfw.restore will read that
file and restore the block rules. This will let you use your helper.

Beware, the scripts do not talk to sshdfilter, so there is a small chance that
a new block rule will be added between running ipfw.save and ipfw.restore. This
will leave sshdfilter and the firewall in different states, and will lead to
error messages when non-existent rules are removed.

You will need to edit scripts/ipfw.save to save the correct range of rules.