Subject: EFG HowTo
From: Alex Kemp
Date: Saturday, 13 February 2016 00:00:00 +0000
To: All

Easy Firewall Generator: /tools/efg.php
IP Aggregation Utility: /tools/aggregate.php

GPL Downloads: (the following files have been compressed using 7-Zip)
/files/efg-2.04_GPL.7z (161.3 kB)
/files/efg-2.03_GPL.7z (160.0 kB)
/files/efg-2.02_GPL.7z (154.9 kB)
/files/efg-2.01_GPL.7z (150.9 kB)
/files/efg-2.00_GPL.7z (97.8 kB)
/files/iptables-fwgen-1.17.tar.gz (37.5 kB)
/files/Conteg.include- (27.7 kB)
/files/Conteg.include- (27.7 kB)

Easy Firewall Generator

You are likely to be interested in this if you are a Webmaster/Webmistress, Network Engineer, etc.; for a Linux server and/or Linux desktop computer.

All that you needed to hack into a Windows computer in the 20th Century was it’s public IP Address, since the NetBIOS protocol (used by default to handle network traffic in every Windows 95, 98 & Me computer) was trivial to exploit & impossible to fix. Because of that, script-kiddies spent their time pinging every IP on the planet & running an access hack-script against that computer if it responded. The one thing that might protect you in such situations was to use a user-space Firewall such as ZoneAlarm. At last, Microsoft acted by placing a Firewall into Windows XP (released August 24, 2001), but NetBIOS was finally removed only with the release of Vista on January 30, 2007.

Most embedded devices such as Network Routers are actually small computers running the Linux OS. Alcatel was forced to deploy a Firewall with it’s routers after their early experience with the Alcatel A1000 + Alcatel Home/Pro routers, also in 2001. A firewall is now a standard component of every home router. Indeed, if your broadband router does not have a firewall then get one that does.

What is a Firewall?:
Access to a home is via paths & roads whereas with a networked computer/server access is via the network & Internet. A firewall, then, is best described as placing a lock, or possibly a remote intercom + lock, upon the doors & windows of your server. Or, if your mindset is of a more medieval disposition, it may be viewed as a portcullis that protects the entrance door. But, whatever your mindset & however you view it, the fundamentals of a Firewall are--based upon a set of rules that you give it--that it accepts or rejects requests for network access from other IPs.

EFG Firewall 101:

  1. The “Generate Firewall” button will lie to you until you make a change (even if just to change from ‘Dynamic’ to ‘Static IP’ & back again).
  2. The minimum that the EFG needs to know from you is:

  3. Those defaults are fine for Home users on a DHCP connection from their ISP. Web-servers are more likely to have a Static IP, and to be connected to their Host’s LAN (thus would choose “Gateway for LAN” & fill in the Network Details).
  4. The Firewall defaults are to DROP all new connection requests from the Internet (see “Set Policies” in the Firewall script).

    By default, connections established from inside the computer/server are accepted (see “Accept Established Connections” in the Firewall script). That is a function of the TCP 3-way Handshake which, together with “source validation by reversed path”, provides absolute proof that the IP that you are communicating with is who they say they are.

    Because of this, if you are operating a server you will need to open port(s) according to the services that your Server is providing (see “Allow Inbound Services” in the EFG utility)
  5. Access to a Server's services will require that you use the EFG “Allow Inbound Services” section (off by default). You will need to:-
    1) Click on the “Allow Inbound Services” checkbox
    2) Additionally choose a particular service/port checkbox
    3) (possibly, fill in extra details relating to that service)

    The Internet Assigned Numbers Authority (IANA) has assigned certain port numbers in the range from 0 to 1023 to specific TCP/IP services. Two classic examples are port-80 for HTTP (web-pages) & port-443 for HTTPS (secure web-pages). A list of pre-assigned ports/services is also here.

    Every TCP/IP connection requires both the IP-Address (for the Host to contact) and Port-Number (for the service required on that host). The fact that most folks are unaware of that fact is a testament to the success in the use of ‘official’ port numbers. In fact, any port number may be used for any service on a server. It is simply that to deviate from the ‘official’ numbers means extra difficulty in configuration both for the Hostmaster & often in use for every user, and most of the time it is not worth it.
  6. “Let Me In”: Unless you have console, or some other form of access that lets you appear on the server as localhost, you will need to make use of the EFG “Let Me In” section (connections from the localhost and internal interface — if one exists — are accepted by default whilst, as detailed above, the default is to DROP connections initiated from the Internet).

    “Let Me In” allows you to enter a CIDR. All IPs in that CIDR will be given full access to the server once logged in. There are one or two things to say about that:-

    1) For best, have a static IP, to reduce your server's exposure to the Internet.
    2) Use SSH, but forbid password login & use a certificate instead.

    If you do not understand why (2) is so important, spend 10 minutes reading about the XOR DDOS Trojan (a current threat to Linux servers) and chill your blood. That trojan makes Dictionary attacks to obtain an SSH root login. Do not access as root (su on the server once you have access). Get that access using a SSH password-less login (using public/private keys). It does not take very long to setup and is actually far easier to use in practice rather than having to enter a password twice.

Basic Concepts:
Starting at the easy-to-understand end of this game, these are the basic concepts that it will help to understand:

  1. Computers/servers communicate with other computers/servers using packets of data transmitted across network pipes
  2. These ‘pipes’ are broadly of 2 types:-
    1. Local: or, LAN == “Local Area Network” (usually a private network)
    2. Remote: or, WAN == “Wide Area Network” (this may be the Internet, or it may also be a private network)
  3. The protocols that matter in transmission of those packets are TCP/IP (v4 & v6 are the universally-accepted protocol for the Internet; ARPANET was migrated to TCP/IPv4 on January 1, 1983) (if you think about it, this paragraph is utterly remarkable)

    TCP == “Transmission Control Protocol”
     IP == “Internet Protocol”
  4. Each computer/server on a TCP/IP network is given a unique IP Address, which is a unique number by which it can be found & communicated with (the closest real-world analogy is probably the postcode/zipcode used by the Post Office in the UK/USA):

    IPv4 Address (rfc-791): 32-bit number; varies between 0 → 4,294,967,295 (decimal)
    IPv6 Address (rfc-2460): 128-bit number; varies between 0 → (2128 - 1)
  5. IPv4 is commonly represented in dotted-decimal format (4 sets of decimal numbers, each of which is 0→255 (28)).Most humans generally find it far easier to remember an IPv4 address in quad dotted-decimal format than they do in plain decimal. What is little realised is that browsers are happy to accept either (or, indeed, a hexadecimal format). See what you think with this example:-

    decimal: 4294967295
    hexadecimal: FFFFFFFF
  6. IP Addresses are split into ‘Private’, ‘Reserved’ & ‘Public’ networks:
    Note: ‘Reserved’ IPs are Specialist-function CIDR which — with one exception - are not public, and therefore should never appear on the Internet; if they do so they are referred to as ‘Martians’ and, by default, are always dropped:
    1. Private Networks: these will route exclusively across LANs & are commonly dropped by Internet routers; most can be freely used by any Network Operator for LAN purposes (+ 1 Specialist-function CIDR placed here as it is internet-routable & thus will never be a Martian):
      Note 1: the 2002::/16 CIDR is a IPv6 6to4 transition technology where each IPv4 Address is directly equivalent to a unique IPv6 /48 prefix. In the table below, 6to4 CIDR are placed within brackets below their equivalent IPv4 CIDR:
      Note 2: Toredo is yet another IPv6 transition technology, with it’s own wrinkles. Teredo server address prefixes follow the relevant IPv4 CIDR in square brackets []:
      Private IP Networks
      CIDR Range Number of IPs Description
      [2001:0:a00::/40] – 16,777,216 24-bit Private IPv4 block; rfc-1918 (February 1996) – 4,194,304 22-bit Private IPv4 block; rfc-6598 (April 2012); intended for use by carrier network operators only, typically within Metropolitan areas
      [2001:0:ac10::/44] – 1,048,576 20-bit Private IPv4 block; rfc-1918 (February 1996) – 256 8-bit IPv4 Specialist-function block, reserved for 6to4 anycast relays, internet routable; rfc-3068 (June 2001)
      [2001:0:c0a8::/48] – 65,536 16-bit Private IPv4 block; rfc-1918 (February 1996)
      fc00::/7 fc00:: – fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 2121 IPv6 Unique Local Addresses (ULA); rfc-4193 (October 2005)
    2. Martian Networks: these are reserved, specialist-function CIDR & should never appear on the Internet:
      Note 1: if private IPs (see above) appear within an Internet context, then they will also be classified as Martians & dropped
      Note 2: the 2002::/16 CIDR is a IPv6 6to4 transition technology where each IPv4 Address is directly equivalent to a unique IPv6 /48 prefix. Thus, if a IPv4 Address is a martian then the corresponding IPv6 address is also not routable across the Internet. In the table below, 6to4 Martians are placed within brackets below their equivalent IPv4 Martian:
      Note 3: Toredo is yet another IPv6 transition technology, with it’s own wrinkles. Teredo server address prefixes follow the relevant IPv4 CIDR in square brackets []:
      Martian IP Networks (Specialist-function CIDR)
      CIDR Range Number of IPs Description
      [2001::/40] – 16,777,216 24-bit IPv4 block, used for broadcast messages to the current network; rfc-1700 (October 1994)
      [2001:0:7f00::/40] – 16,777,216 24-bit IPv4 block, used for loopback addresses within the local host; rfc-990 (November 1986)
      [2001:0:a9fe::/48] – 65,536 16-bit IPv4 block, used for link-local addresses between two hosts on a single link (eg computers connected to the same switch, or to a single wireless network); rfc-3927 (May 2005)
      [2001:0:c000::/56] – 256 8-bit IPv4 block, IANA IPv4 Special Purpose Address Registry; rfc-5736 (January 2010)
      [2001:0:c000:200::/56] – 256 8-bit IPv4 block, TEST-NET (use only in documentation and example source code; no network use); rfc-5737 (January 2010)
      [2001:0:c612::/47] – 131,072 17-bit IPv4 block, for inter-network communication testing; rfc-2544 (March 1999)
      [2001:0:c633:6400::/56] – 256 8-bit IPv4 block, TEST-NET-2 (use only in documentation and example source code; no network use); rfc-5737 (January 2010)
      [2001:0:cb00:7100::/56] – 256 8-bit IPv4 block, TEST-NET-3 (use only in documentation and example source code; no network use); rfc-5737 (January 2010)
      [2001:0:e000::/36] – 268,435,456 28-bit IPv4 block, for multicast assignments ( is assigned as “MCAST-TEST-NET” for use solely in documentation and example source code); rfc-5771 (March 2010)
      [2001:0:f000::/36] – 268,435,455 28-bit IPv4 block, reserved for future use; rfc-6890 (April 2013)
      [2001:0:ffff:ffff::/64] 1 0-bit IPv4 block, reserved for the “limited broadcast” destination address; rfc-6890 (April 2013)
      ::/128 :: 1 IPv6 Unspecified address (???); rfc-4291 (February 2006)
      ::1/128 ::1 1 IPv6 Loopback address to localhost; rfc-4291 (February 2006)
      ::ffff:0:0/96 ::ffff: – ::ffff: 232 IPv6 IPv4-mapped addresses; rfc-4291 (February 2006)
      ::/96 IPv6 IPv4-compatible addresses; rfc-4291 (February 2006)
      100::/64 100:: – 100::ffff:ffff:ffff:ffff 264 IPv6 Remotely Triggered Black Hole addresses; rfc-6666 (August 2012)
      2001:10::/28 2001:10:: – 2001:1f:ffff:ffff:ffff:ffff:ffff:ffff 2100 IPv6 Overlay Routable Cryptographic Hash IDentifiers (ORCHID) (deprecated); rfc-4843 (April 2007)
      2001:db8::/32 2001:db8:: – 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff 296 IPv6 Addresses used in documentation; rfc-4843 (April 2007)
      fc00::/7 fc00:: – fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 2121 IPv6 Unique Local Addresses (ULA); rfc-4193 (October 2005)
      fe80::/10 fe80:: - febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff 2118 IPv6 Link-local unicast; rfc-4291 (February 2006)
      fec0::/10 fec0:: - feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 2118 IPv6 Site-local unicast (deprecated); rfc-3879 (September 2004)
      ff00::/8 ff00:: – ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 2120 IPv6 Multicast; rfc-4291 (February 2006)
      Note: the ff0e:/16 CIDR is global scope and may appear on the global internet.
    3. Public Networks: all other IP Addresses have been allocated by the IETF to RIR for allocation to Internet Hosts

The Linux Firewall:
The Linux Firewall is based on the work of the Netfilter project & iptables. Netfilter built on the work started in the r2.2 kernel with ipchains (and earlier) and managed to solve the condundrum that the packet-filtering required by a Firewall needs to occur within the Kernel & thus requires root-access to configure it during startup, whilst ease-of-use demands a software user-space application.

iptables is software issued by, and first became available with the 2.4.x Kernel. All of the hard-work of IP packet-matching & filtering occurs within the kernel, and thus is performed at the highest speeds possible. iptables is a generic table structure for the definition of rulesets. The simplest way to handle these (and the way that the EFG does it) is to build the table of firewall rulesets offline, and to then load/unload them via a BASH-script at startup using standard System V init.d methods. Thus, any user may build the rulesets, but only the root user may change, load and/or unload those rulesets. iptables is also the software used by the script that actually loads/unloads each rule into the kernel.

This EFG is based on the original EFG written by Scott Morizot (abandoned at v1.17). That, in it’s turn, was based on early work by Oskar Andreasson. The hosts for my very first server used that EFG in 2003, and it worked very well as I developed it across the years, moving from one useless host to another.

v2 was begun on 18 February 2014; the aim was to produce a html5 + css3 + utf-8 + js templated version that produced an identical output to the v1.17 original. My main problem with that original was that it was serial in nature. It asked a series of questions & produced a result at the end. It was not possible to go back to change earlier answers. v2 was released to the web on 11 March.

v2 makes use of Conteg, a Content Negotiation PHP Class that makes it easy to add back in to PHP/HTML output the plethora of 304, cacheing & compression, etc. available as standard with modern webservers for static HTML files (but not PHP unless you add it yourself).

This is the ChangeLog:

Alex Kemp