I've been threatening for a while, and here it is. Anyone interested in looking at my script, and commenting/criticizing, it can be found (for a few days at least) at http://newkirk.no-ip.org:83/firewall . It supports quite a few parameters, since I manually invoke it (shell alias fw='service firewall', then i.e. "fw list" from a root console) to open/close Unreal Tournament ports, p2p fileshare ports, etc. It is fairly tight, IMHO (excessively so in some instances, like ping and traceroute :^), with drop policy on all filter chains, liberal logging (some optional, like the xlog parameter logging ALL traffic) and is moderately commented.

It's still not complete (probably never will be - like many things in life it is really a process, evolving as needed to suit changing uses) but everything in it works AFAIK. Some parts, like the UT section, are not really precise. UT, for example, has to deal with running both as a client and a server, and I ended up probably opening more ports than necessary. Rather than using excessive logging to determine precisely which ports I really need (or repeatedly checking packet counts) I just open up the various port ranges that UT uses, then close them when I'm not running the game. Eventually I will tighten up those rules, and other manual-invocation parts like the p2p section, but since I only open those ports when needed, I haven't felt any urgency there.

Any comments or criticisms are welcome. If anyone wants to rip a chunk out of it for their own use (apart of course from resale, like anyone would want to resell my firewall!) be my guest. (But if doing so opens your network up and you end up with some hacker hosing every machine, I disclaim any and all liability :^) This script lives in /etc/rc.d/init.d/ on a RedHat 7.3 system, linked to run in rc3.d and rc5.d immediately following initialization of my ADSL connection, since I need to feed the IP address to the script for SNAT (masquerade) purposes.
My system is really double-dual boot, since I have two hard drives, one with RH7.3/XPpro, the other RH8/XPpro, and this firewall is used on both RH installs. (Actually I have 7 hard drives for this machine, but currently have the 80GB and 40GB permanently installed, and sometimes swap the cabling on the 40 to a removable HD frame where I can slot in any of the others.)

Everything after the "___end of main firewall rules___" comment is immaterial to normal function. Each of the functions above that point is invoked in sequence on start or restart, while all functions beyond that point are only invoked manually.

BTW, since this script isn't run at boot until S42 (S41 is ADSL start where I get the ppp0 IP needed for SNAT, S43 sends my updated dynamic IP to no-ip.com's DNS) I have also modified /etc/rc.d/init.d/S07iptables to set DROP policy on INPUT, OUTPUT, and FORWARD filter chains, in BOTH start and stop functions, before networking is started.

Hmmm. Seems that I REALLY over-use parentheses. (even more so than usual :^)

j