Easy Firewall Generator: /tools/efg.php
IP Aggregation Utility: /tools/aggregate.php
GPL Downloads: (the .7z files below have been compressed using 7-Zip; the original v1.17 generator is a .tar.gz)
/files/efg-2.04_GPL.7z (161.3 kB)
/files/efg-2.03_GPL.7z (160.0 kB)
/files/efg-2.02_GPL.7z (154.9 kB)
/files/efg-2.01_GPL.7z (150.9 kB)
/files/efg-2.00_GPL.7z (97.8 kB)
/files/iptables-fwgen-1.17.tar.gz (37.5 kB)
/files/Conteg.include-0.13.13.7z (27.7 kB)
/files/Conteg.include-0.13.12.7z (27.7 kB)
Audience:
You are likely to be interested in this if you are a Webmaster/Webmistress, Network Engineer, etc., responsible for a Linux server and/or Linux desktop computer.
Comment:
All that you needed to hack into a Windows computer in the 20th Century was its public IP Address, since the NetBIOS file & printer sharing that every Windows 95, 98 & Me computer exposed to the network by default was trivial to exploit & never properly fixed. Because of that, script-kiddies spent their time pinging every IP on the planet & running an access hack-script against any computer that responded. The one thing that might protect you in such situations was a user-space Firewall such as ZoneAlarm. At last, Microsoft acted by placing a Firewall into Windows XP (released August 24, 2001), although it was only switched on by default with Service Pack 2 (August 2004), and NetBIOS exposure on public networks was only shut off by default with the release of Vista on January 30, 2007.
Most embedded devices such as Network Routers are actually small computers running the Linux OS. Alcatel was forced to deploy a Firewall with its routers after the early experience with the Alcatel A1000 + Alcatel Home/Pro routers, also in 2001. A firewall is now a standard component of every home router (note that NAT on its own hides your inside addresses but is not a firewall). Indeed, if your broadband router does not have a firewall then get one that does.
What is a Firewall?:
Access to a home is via paths & roads whereas with a networked computer/server access is via the network & Internet. A firewall, then, is best described as placing a lock, or possibly a remote intercom + lock, upon the doors & windows of your server. Or, if your mindset is of a more medieval disposition, it may be viewed as a portcullis that protects the entrance door. But, whatever your mindset & however you view it, the fundamentals of a Firewall are that, based upon a set of rules that you give it, it accepts or rejects network traffic according to where it comes from (source IP), where it is going (destination IP & port), which protocol it uses and, with a stateful firewall such as iptables, whether the packet belongs to a connection that has already been allowed.
Basic Concepts:
Starting at the easy-to-understand end of this game, these are the address blocks that it will help to recognise. For each IPv4 block the corresponding 6to4 prefix (2002::/16 with the IPv4 address embedded) is given in parentheses and the corresponding Teredo prefix (2001:0::/32 with the server address embedded) in brackets, since those IPv6 forms carry the IPv4 address inside them and should be filtered alongside it:
CIDR (6to4 form) [Teredo form] | Range | Number of IPs | Description |
---|---|---|---|
10.0.0.0/8 (2002:a00::/24) [2001:0:a00::/40] | 10.0.0.0 – 10.255.255.255 | 16,777,216 | 24-bit Private IPv4 block; rfc-1918 (February 1996) |
100.64.0.0/10 | 100.64.0.0 – 100.127.255.255 | 4,194,304 | 22-bit IPv4 Shared Address Space for Carrier-Grade NAT; rfc-6598 (April 2012); for use by service providers between their CGN and their customers' equipment only, not as a substitute for rfc-1918 space |
172.16.0.0/12 (2002:ac10::/28) [2001:0:ac10::/44] | 172.16.0.0 – 172.31.255.255 | 1,048,576 | 20-bit Private IPv4 block; rfc-1918 (February 1996) |
192.88.99.0/24 | 192.88.99.0 – 192.88.99.255 | 256 | 8-bit IPv4 Specialist-function block, reserved for 6to4 anycast relays, internet routable; rfc-3068 (June 2001); deprecated by rfc-7526 (May 2015) |
192.168.0.0/16 (2002:c0a8::/32) [2001:0:c0a8::/48] | 192.168.0.0 – 192.168.255.255 | 65,536 | 16-bit Private IPv4 block; rfc-1918 (February 1996) |
fc00::/7 | fc00:: – fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff | 2^121 | IPv6 Unique Local Addresses (ULA); rfc-4193 (October 2005); only the fd00::/8 half (locally assigned prefixes) is currently defined |
CIDR (6to4 form) [Teredo form] | Range | Number of IPs | Description |
---|---|---|---|
0.0.0.0/8 (2002::/24) [2001::/40] | 0.0.0.0 – 0.255.255.255 | 16,777,216 | 24-bit IPv4 block, “this host on this network”: valid only as a source address for a host that does not yet have one (eg during DHCP), never as a destination and never arriving from outside; rfc-1122 (October 1989), listed in rfc-1700 (October 1994) |
127.0.0.0/8 (2002:7f00::/24) [2001:0:7f00::/40] | 127.0.0.0 – 127.255.255.255 | 16,777,216 | 24-bit IPv4 block, used for loopback addresses within the local host; rfc-990 (November 1986) |
169.254.0.0/16 (2002:a9fe::/32) [2001:0:a9fe::/48] | 169.254.0.0 – 169.254.255.255 | 65,536 | 16-bit IPv4 block, used for link-local addresses between hosts on a single link (eg computers connected to the same switch, or to a single wireless network) that have no other address configured; rfc-3927 (May 2005) |
192.0.0.0/24 (2002:c000::/40) [2001:0:c000::/56] | 192.0.0.0 – 192.0.0.255 | 256 | 8-bit IPv4 block, IETF Protocol Assignments (allocated via the IANA IPv4 Special-Purpose Address Registry); rfc-5736 (January 2010) |
192.0.2.0/24 (2002:c000:200::/40) [2001:0:c000:200::/56] | 192.0.2.0 – 192.0.2.255 | 256 | 8-bit IPv4 block, TEST-NET-1 (use only in documentation and example source code; no network use); rfc-5737 (January 2010) |
198.18.0.0/15 (2002:c612::/31) [2001:0:c612::/47] | 198.18.0.0 – 198.19.255.255 | 131,072 | 17-bit IPv4 block, for benchmarking tests of inter-network devices; rfc-2544 (March 1999) |
198.51.100.0/24 (2002:c633:6400::/40) [2001:0:c633:6400::/56] | 198.51.100.0 – 198.51.100.255 | 256 | 8-bit IPv4 block, TEST-NET-2 (use only in documentation and example source code; no network use); rfc-5737 (January 2010) |
203.0.113.0/24 (2002:cb00:7100::/40) [2001:0:cb00:7100::/56] | 203.0.113.0 – 203.0.113.255 | 256 | 8-bit IPv4 block, TEST-NET-3 (use only in documentation and example source code; no network use); rfc-5737 (January 2010) |
224.0.0.0/4 (2002:e000::/20) [2001:0:e000::/36] | 224.0.0.0 – 239.255.255.255 | 268,435,456 | 28-bit IPv4 block, for multicast assignments (233.252.0.0/24 is assigned as “MCAST-TEST-NET” for use solely in documentation and example source code); never valid as a source address; rfc-5771 (March 2010) |
240.0.0.0/4 (2002:f000::/20) [2001:0:f000::/36] | 240.0.0.0 – 255.255.255.254 | 268,435,455 | 28-bit IPv4 block, reserved for future use (all but its last address, listed next); rfc-6890 (April 2013) |
255.255.255.255/32 (2002:ffff:ffff::/48) [2001:0:ffff:ffff::/64] | 255.255.255.255 | 1 | 0-bit IPv4 block, reserved for the “limited broadcast” destination address; rfc-6890 (April 2013) |
::/128 | :: | 1 | IPv6 Unspecified address, used only as a source address by a host that has no address yet (eg during Duplicate Address Detection); never valid as a destination; rfc-4291 (February 2006) |
::1/128 | ::1 | 1 | IPv6 Loopback address to localhost; rfc-4291 (February 2006) |
::ffff:0:0/96 | ::ffff:0.0.0.0 – ::ffff:255.255.255.255 | 2^32 | IPv6 IPv4-mapped addresses (how an IPv4 peer appears to a dual-stack socket; should never appear in packets on the wire); rfc-4291 (February 2006) |
::/96 | :: – ::255.255.255.255 | 2^32 | IPv6 IPv4-compatible addresses (deprecated); rfc-4291 (February 2006) |
100::/64 | 100:: – 100::ffff:ffff:ffff:ffff | 2^64 | IPv6 Discard-Only block, used for Remotely Triggered Black Hole filtering; rfc-6666 (August 2012) |
2001:10::/28 | 2001:10:: – 2001:1f:ffff:ffff:ffff:ffff:ffff:ffff | 2^100 | IPv6 Overlay Routable Cryptographic Hash IDentifiers (ORCHID) (deprecated; ORCHIDv2 uses 2001:20::/28, rfc-7343, September 2014); rfc-4843 (April 2007) |
2001:db8::/32 | 2001:db8:: – 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff | 2^96 | IPv6 Addresses used in documentation (no network use); rfc-3849 (July 2004) |
fc00::/7 | fc00:: – fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff | 2^121 | IPv6 Unique Local Addresses (ULA); rfc-4193 (October 2005) |
fe80::/10 | fe80:: – febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff | 2^118 | IPv6 Link-local unicast; rfc-4291 (February 2006) |
fec0::/10 | fec0:: – feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff | 2^118 | IPv6 Site-local unicast (deprecated); rfc-3879 (September 2004) |
ff00::/8 | ff00:: – ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff | 2^120 | IPv6 Multicast; rfc-4291 (February 2006). Note: ff0e::/16 is global scope and may legitimately appear on the global internet; no multicast address is ever valid as a source |
The Linux Firewall:
The Linux Firewall is based on the work of the Netfilter project & iptables. Netfilter built on the work started in the 2.2 kernel with ipchains (and ipfwadm before it, in 2.0) and solved the conundrum that the packet-filtering required by a Firewall needs to occur within the Kernel, and thus requires root access to configure it during startup, whilst ease of use demands a user-space application.
iptables:
iptables is software issued by netfilter.org, and first became available with the 2.4.x Kernel. All of the hard work of IP packet matching & filtering occurs within the kernel, and thus is performed at the highest speed possible; iptables itself is the user-space tool that loads rules into the kernel's generic table structure (tables such as filter, nat & mangle, each holding chains of rules). The simplest way to handle these (and the way that the EFG does it) is to build the firewall ruleset offline, and then to load/unload it via a BASH script at startup using standard System V init.d methods. Thus, any user may build the ruleset, but only the root user may change, load and/or unload it. Two caveats: iptables handles IPv4 only (ip6tables is its IPv6 twin, and needs its own ruleset), and on current distributions the iptables command is frequently a compatibility front-end over nftables, the kernel's successor framework, which accepts the same rule syntax.
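The following script is an added example, not the EFG's own code nor anything from the original page. It shows the offline-build-then-root-load workflow described above in working form: an unprivileged user generates the ruleset as plain text in iptables-save format, and only root feeds it to iptables-restore, which applies all of it or none of it. It also turns the special-purpose blocks from the tables above into an anti-spoofing chain (none of those blocks is a legitimate source address arriving from the Internet), and includes a connection-rate throttle for SSH as one illustration of the dictionary-attack-prevention idea. The interface name, SSH port and chain names are assumptions for illustration; the throttle is this example's own, not the EFG's implementation.

```shell
#!/bin/sh
# Added example, not the EFG's own code: build an iptables ruleset as plain
# text, so that any user can generate and review it, and only root loads it
# (atomically) with iptables-restore. Interface and port names are assumptions.

WAN_IF="${WAN_IF:-eth0}"       # assumed Internet-facing interface
SSH_PORT="${SSH_PORT:-22}"     # assumed SSH port

# IPv4 blocks that can never be a legitimate source address arriving from the
# Internet (private, loopback, link-local, documentation, multicast, reserved).
# A packet on the WAN claiming one of these is spoofed or misrouted: drop it.
BOGONS="0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.168.0.0/16 198.18.0.0/15
198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4"

# Print a complete ruleset for the filter table in iptables-save format.
gen_rules() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        ':BOGON - [0:0]' ':SSH_GUARD - [0:0]'

    # Cheapest and most frequent matches first: loopback, and packets that
    # belong to a connection we have already accepted.
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate INVALID -j DROP"

    # Anti-spoofing, on the WAN interface only, so LAN-side RFC 1918 traffic
    # is unaffected.
    echo "-A INPUT -i $WAN_IF -j BOGON"
    for net in $BOGONS; do
        echo "-A BOGON -s $net -j DROP"
    done
    echo "-A BOGON -j RETURN"

    # Dictionary-attack throttle for SSH: the check runs before the record is
    # updated, so once 4 new connections from one source have been recorded
    # within 60 s, further new ones from it are dropped.
    echo "-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j SSH_GUARD"
    echo "-A SSH_GUARD -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP"
    echo "-A SSH_GUARD -m recent --name ssh --set -j RETURN"
    echo "-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT"

    # Public services, plus rate-limited ping so the host stays diagnosable.
    echo "-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT"
    echo "-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT"

    # Everything else falls through to the INPUT policy of DROP.
    echo "COMMIT"
}

# Stand-alone use, as any user:   sh fwgen.sh > rules.v4
# Then, as root:  iptables-restore --test < rules.v4   (parse only, loads nothing)
#                 iptables-restore < rules.v4          (applies all rules or none)
# This covers IPv4 only; IPv6 needs a separate ip6tables ruleset.
gen_rules
```

Because the rules are emitted as text, they can be diffed, kept under version control and checked with `iptables-restore --test` before anything touches the kernel; a mistake in the file is then a rejected load rather than a half-applied ruleset that locks you out.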
History:
This EFG is based on the original EFG written by Scott Morizot (abandoned at v1.17). That, in its turn, was based on early work by Oskar Andreasson. The hosts for my very first server used that EFG in 2003, and it worked very well as I developed it across the years, moving from one useless host to another.
v2 was begun on 18 February 2014; the aim was to produce an html5 + css3 + utf-8 + js templated version that produced identical output to the v1.17 original. My main problem with that original was that it was serial in nature: it asked a series of questions & produced a result at the end, and it was not possible to go back to change earlier answers. v2 was released to the web on 11 March 2014.
v2 makes use of Conteg, a Content Negotiation PHP Class that makes it easy to add back into PHP/HTML output the HTTP features (304 Not Modified responses, caching headers, compression, etc.) that modern webservers provide as standard for static HTML files, but not for PHP output unless you add them yourself.
This is the ChangeLog:
- 2014-Mar-11: v2.0.0 Released to web; EN, ES + FR translations
- 2014-Mar-25: v2.0.1 Added DA, DE + NL translations
- 2014-Mar-27: v2.0.2 Added $SELF_IN, $SELF_NET, etc. (“Let me in”)
- 2014-Mar-28: v2.0.3 Added $DICT, etc. (“Dictionary Attack prevention”)
- 2014-Mar-28: v2.0.4 Added $BRAINDEAD, etc. (“Braindead GoogleBot SMTP accesses”)
--------- Alex Kemp