efg-1.17/COPYING
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<?php
print("This program generates an iptables firewall script\n");
print("for use with the 2.4 or later linux kernel. It is intended for use on a single\n");
print("system connected to the Internet or a gateway system for a private, internal\n");
print("network. It provides a range of options, but is not intended to cover\n");
print("every possible situation. Make sure you understand what each option in the\n");
print("generator does and take the time to read the comments in the resulting\n");
print("firewall. This generator will not, for example, generate a firewall\n");
print("suitable for use with a DMZ, but it can provide a starting point.\n");
print("For the most common uses the generator should produce a firewall\n");
print("ready for use. Read here for more information\n");
print("on iptables firewalls. Easy Firewall Generator implements \n");
print("\n");
print("several ideas presented in Oskar Andreasson's iptables-tutorial.\n");
print("The link to his tutorial is maintained on the resources page below.\n");
print("Links to additional firewall resources.\n");
print("Select the desired options and click the Generate Firewall!\n");
print("button. If your choices require additional input, the Options will redisplay,\n");
print("perhaps with more options displayed. When the options are in a completed state\n");
print("the firewall will be returned as a text document. Save the result as iptables\n");
print("for redhat systems or rc.firewall for many others.\n");
print("Easy Firewall Generator for IPTables\n");
print("Version 1.17\n");
print("Release Date: 05/11/2005 - ");
print("CHANGELOG");
print("\n");
print("Advanced Network Options\n");
print("Help\n");
if ($_POST['SPECIAL_LAN'] == "true") // Provide advanced options
{
    print("Allow Inbound Services\n");
    print("Help\n");
    if ($_POST['INBOUND_ALLOW'] == "true")
    {
        // Individual services
    }
    print("Log entries in a Fireparse format?\n");
    print("Help\n");
    // Allow an option for irc users to reject ident requests
    print("Do you use Internet Relay Chat (IRC)?\n");
    print("Help\n");
    // Submit button
    print("\n");
    // Close form
    print("\n");
    // Close document
    print("\n\n");
}
?>
efg-1.17/help-advanced.html
If you are using the firewall on an Internet gateway, this option will provide several advanced options that affect the way the gateway services the internal network. Once you select this option and click the Generate Firewall! button, the form will display the specific options. While selected, at least one advanced feature must be selected for the firewall to generate successfully.
efg-1.17/help-allowin.html
This option is for use when you wish to allow access from the Internet to certain services running on the firewall system. This option should be used with care, and any exposed service needs to be kept patched and configured properly. When this option is selected, a list of services will be displayed the next time the Generate Firewall! button is clicked. If it is selected, at least one service must be selected for the firewall to successfully generate.
efg-1.17/help-blockout.html
This option exists if you wish to prevent your firewall from forwarding requests from internal systems for specific services to the Internet. This will effectively disable that service for internal systems, so use this option only if you wish to limit Internet access for your internal users. If the option is selected, a number of common services are displayed. At least one service must be selected for the firewall to successfully generate.
efg-1.17/help-broadcast.html
A network broadcast uses the largest allowed value in the portion of the network address space that is not reserved for the network. The broadcast for a Class A network is, for example, 10.255.255.255. The broadcast for a Class B network is, for example, 172.20.255.255. Finally, the broadcast for a Class C network is, for example, 192.168.50.255.
efg-1.17/help-dynamic.html
A computer has a static address on the Internet if the address is manually added to the configuration and never changes. If you have a static IP address, select this option. You will be prompted for an IP address after you click the Generate Firewall! button.
If your computer receives its Internet address dynamically from a provider, it has a dynamic address instead. Most computers that connect to the Internet do so dynamically. DSL and cable broadband connections generally use DHCP. Dial-up connections typically use PPP or SLIP. All of these options are types of dynamic IP address assignment.
efg-1.17/help-gateway.html
If your linux computer is also your workstation and is not connected to another network while you are connected to the Internet, select the Single System option.
If your linux computer connects a network of computers to the Internet, it is a gateway system. Further, if your internal systems cannot directly connect to the Internet and do not allow external systems to connect to them, they form a private internal network. RFC 1918, Address Allocation for Private Internets, specifies certain address ranges for use on private networks. This is the configuration the firewall generator is designed to support when you select the Gateway/Firewall option.
For most home and small office networks, a network in the Class C private address range is adequate. This includes network addresses from 192.168.0.0 to 192.168.255.255. By convention, the gateway system is normally given the first usable address on the selected network. Thus, if you select 192.168.50.0 for your internal network, you would normally assign the address 192.168.50.1 to the internal interface of the gateway computer.
efg-1.17/help-interface.html
The interfaces are the network devices that connect to the Internet or a local network. Typically, the first ethernet card, eth0, is connected to the Internet. However, with a dial-up connection, the ppp interface might be used instead.
If your firewall runs on a gateway for an internal network, the internal interface is typically connected to the second ethernet card, eth1.
Finally, the '+' symbol may be used instead of the interface number to refer to all instances of that interface type. For example, using ppp+ instead of ppp0 or ppp1 will apply the rules to all the ppp interfaces. If you are generating a script for a single system that sometimes uses a dial-up connection and other times uses a network connection, just specify + for the interface to match every interface.
efg-1.17/help-ipaddress.html
An IP Address is the address by which a computer is known on a network. An IP address is formed with four numbers from 0 to 255 separated by a '.' For example, 192.168.254.4 is a valid IP address rendered in decimal notation.
efg-1.17/help-manglettl.html
This advanced option will set the Time to Live or TTL embedded in every IP packet. The TTL is used to tell when a packet has traveled too far without reaching its destination. This prevents it from traveling in infinite loops. Normally this value is set by the operating system and should not be changed. However, some providers, particularly broadband providers, do not want networks connected to the Internet through a single gateway/firewall system. Packets with varying TTLs apparently coming from a single system are evidence of a private network. This option will allow you to set one TTL on all outbound packets.
If this option is selected, the TTL field will appear the next time the Generate Firewall! button is clicked. If the Mangle TTL option is checked, a value must be entered in the TTL field for the firewall to successfully generate. The default value is 128 hops. I suggest that you not change the default unless you really know what you're doing. A bad choice could have serious consequences.
Note: Broadband providers are beginning to look at traffic as the sole measure and charge heavy users more whether they use a single system or service a network. This is a more reasonable approach than attempting to prohibit networks attached through a gateway. If your provider does not restrict subscribers from using private networks, you probably have no need to use this option.
Note: The TTL target may not be included in the distribution on your system. If it is not and you require it, you will have to add it. That may require that you build from source.
efg-1.17/help-network.html
One notation for describing a network range lists an address on the network followed by a forward slash and the number of bits in the address that describe the network. For a Class A network, the network designation would look like 10.0.0.0/8. For a Class B network, the network designation would look like 172.20.0.0/16. And for a Class C, it would look like 192.168.50.0/24.
As a side note, in situations where network notation is required and a single address is not allowed, the notation can still be used to specify a single address. Use the notation 192.168.50.100/32. This specifies that all 32 bits of the address form the network. This is not relevant to the firewall generated by this program, but is a useful tidbit of information.
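As an added example (not part of efg-1.17 and not its generator code), the POSIX sh functions below check the dotted-quad form from help-ipaddress.html and the address/prefix form from help-network.html, and derive the network and broadcast addresses that help-broadcast.html describes from a prefix-notation network. The addresses used are the page's own examples; the function names are assumed.

```shell
#!/bin/sh
# Added example, not part of efg-1.17: validate dotted-quad and address/prefix
# values and compute network and broadcast addresses with shell arithmetic only.

# valid_ip A.B.C.D -> succeeds if there are exactly four integer fields 0-255
valid_ip() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> prints the integer N as a dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# valid_network A.B.C.D/N -> succeeds if the address is valid and 0 <= N <= 32
valid_network() {
    case "$1" in
        */*/*|*/|/*) return 1 ;;
        */*) ;;
        *) return 1 ;;
    esac
    addr=${1%/*}
    prefix=${1#*/}
    valid_ip "$addr" || return 1
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ]
}

# network_of A.B.C.D/N -> prints the network address (host bits all zero)
network_of() {
    valid_network "$1" || return 1
    addr=${1%/*}
    prefix=${1#*/}
    netmask=$(( 0xFFFFFFFF & ~((1 << (32 - prefix)) - 1) ))
    int_to_ip $(( $(ip_to_int "$addr") & netmask ))
}

# broadcast_of A.B.C.D/N -> prints the broadcast address (host bits all one);
# for a /32 the "network" is the single address itself, so it is returned unchanged
broadcast_of() {
    valid_network "$1" || return 1
    addr=${1%/*}
    prefix=${1#*/}
    hostmask=$(( (1 << (32 - prefix)) - 1 ))
    int_to_ip $(( $(ip_to_int "$addr") | hostmask ))
}

# The page's own Class A, B and C examples plus the single-address /32 case.
for net in 10.0.0.0/8 172.20.0.0/16 192.168.50.0/24 192.168.50.100/32; do
    echo "$net: network $(network_of "$net") broadcast $(broadcast_of "$net")"
done
```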
efg-1.17/help-redirect.html
This option is designed to redirect outbound web requests to a proxy server running on the firewall system. This approach is called a transparent proxy because it does not require any proxy settings in the client system. If this option is selected, the port number of the proxy server on the internal interface must be entered in the Redirect Port field that will display. If no port number is entered, the firewall will not generate.
efg-1.17/help-template.html
This document is intended to provide a brief overview of iptables, the concepts involved, and the manner in which those concepts are implemented in this Firewall Generator. IPTables replaces IPChains as the firewall of choice in the 2.4 linux kernel. IPChains is a stateless firewall. It examines each packet as a separate entity and each packet must therefore have a rule associated with it. IPTables is a stateful firewall. It tracks the state of a connection during its life. Therefore each packet can be associated with a state. Either it is attempting to establish a NEW connection, it is part of an ESTABLISHED connection or RELATED to a connection, or the packet is in an INVALID state. A stateless firewall can be bypassed if an allowed protocol is discerned. A stateful firewall, by comparison, detects that the packet is not part of an ongoing session and can be configured to prevent entry to the packet. A stateful firewall is therefore more secure than a stateless firewall. Since many of the rules can rely on the state of the packet, a stateful firewall generally requires fewer rules than a stateless firewall. This reduces the chances of human error as well.
An iptables firewall consists of several tables, each with a default policy and builtin chains of rules. Further rule chains can optionally be created in each table. Different tables and chains are traversed according to the source and destination of the packet. A packet that is received via a network interface on the system goes through a sequence of steps before it is handled locally or forwarded to another host.
The filter table is the default table for any rule. It is where the bulk of the work in an iptables firewall occurs. Avoid filtering in any other table as it may not work. It has three commonly used builtin chains. Those chains are INPUT, OUTPUT, and FORWARD. Packets destined for the host traverse the INPUT chain. Packets created by the host to send to another system traverse the OUTPUT chain. Packets received by the host that are destined for another host traverse the FORWARD chain.
The Network Address Translation or nat table is used to translate the source or destination field in packets. A system with a static IP should use Source Network Address Translation (snat) since it uses fewer system resources. However, iptables also supports hosts with a dynamic connection to the Internet with a masquerade feature. Masquerade uses the current address on the interface for address translation.
The mangle table is used to alter certain fields in the headers of IP packets. It can be used to change the Time to Live or TTL, change the Type of Service or TOS field, or mark packets for later filtering.
A packet that is intended for another host is called a forwarded packet. It first passes through the PREROUTING chain in the mangle table. It then traverses the PREROUTING chain in the nat table. This is where dnat rules are applied. The packet then traverses the FORWARD chain in the filter table. This is the only chain where filtering rules should be applied to the packet. The packet then passes to the POSTROUTING chain in the nat table. In this chain, snat and masquerading rules are applied. The packet then passes out the outgoing interface.
Packets addressed to the localhost first traverse the PREROUTING chain in the mangle table. Next they pass through the PREROUTING chain in the nat table. This is where dnat rules are applied. After the dnat rules, a routing decision must be made. If the packet is really intended for the localhost, the INPUT chain in the filter table is traversed. All filtering is done in this chain. Packets that are accepted are then passed to the local process or application for which it is intended.
Packets that are generated on the localhost first traverse the OUTPUT chain of the mangle table. They then pass through the OUTPUT chain of the nat table. Next, they pass through the OUTPUT chain of the filter table. Once the packet has passed those chains, the system must determine where the packet should be routed. Once that decision is made, the packet traverses the POSTROUTING chain in the nat table. This is where snat and masquerading rules are applied. The packet then passes through the appropriate network interface.
The firewall scripts generated by this program use several conventions. Filter table rules are mostly divided among several user-defined rule chains. This is intended to make the firewall easier to follow and to minimize the number of rules each individual packet must traverse. Bad packets are defined as packets in an INVALID state or any packets other than SYN packets that are in a NEW state. Packets that are in an ESTABLISHED or RELATED state are accepted; they are part of an ongoing session. Inbound TCP, UDP, and ICMP packets are passed to separate chains to determine whether they should be accepted. By default, they are accepted from the internal interface and dropped from the external interface. TCP requests from the internal network for forwarding are passed through an outbound chain to see whether they should be refused. By default, those requests are accepted.
NOTE: The /etc/init.d/iptables script can be modified to run this script instead. If you do so, save a copy so you can reapply your modifications after upgrading the iptables package. The advantage of using this script for the ongoing operation of the firewall is it gives you greater control over the modules and rulesets used. The above is simpler, however.
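As an added example (not the generator's own PHP and not a script it ships), a POSIX sh function that prints an iptables script following the conventions described in help-template.html above: user-defined chains, a bad-packet chain for INVALID packets and NEW packets that are not SYN, ESTABLISHED/RELATED accepted, per-protocol inbound chains that accept from the internal interface and drop from the external one, an outbound chain that accepts by default, and the masquerade rule from the nat table description. When the optional arguments are given it also emits the single-TTL mangle rule from help-manglettl.html and the transparent-proxy redirect from help-redirect.html. The interface names eth0/eth1, the chain names and the proxy port 3128 are constructed sample values; the TTL of 128 is the page's default. Nothing here is applied to the running kernel; the rules are only printed for review.

```shell
#!/bin/sh
# Added example, not part of efg-1.17: emit an iptables script that follows the
# generator's documented conventions. Output only; no rules are loaded.

# gen_firewall INET_IFACE LAN_IFACE [TTL] [REDIRECT_PORT]
#   TTL           optional; if given, every packet leaving via INET_IFACE gets this TTL
#   REDIRECT_PORT optional; if given, LAN web requests go to a proxy on that local port
gen_firewall() {
    inet=$1
    lan=$2
    ttl=${3:-}
    proxy=${4:-}
    cat <<EOF
#!/bin/sh
# generated by gen_firewall (example): inet=$inet lan=$lan
# flush everything and drop whatever no rule accepts
iptables -F
iptables -X
iptables -t nat -F
iptables -t mangle -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# user-defined chains keep the per-packet rule count small
iptables -N bad_packets
iptables -N bad_tcp_packets
iptables -N tcp_inbound
iptables -N udp_inbound
iptables -N icmp_packets
iptables -N tcp_outbound
# bad packets: INVALID state, or a NEW tcp connection that does not start with SYN
iptables -A bad_packets -m state --state INVALID -j LOG --log-prefix "Invalid packet: "
iptables -A bad_packets -m state --state INVALID -j DROP
iptables -A bad_packets -p tcp -j bad_tcp_packets
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn: "
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
# inbound per-protocol chains: accept from the LAN side, drop from the Internet side
iptables -A tcp_inbound -i $lan -j ACCEPT
iptables -A tcp_inbound -i $inet -j DROP
iptables -A udp_inbound -i $lan -j ACCEPT
iptables -A udp_inbound -i $inet -j DROP
iptables -A icmp_packets -i $lan -j ACCEPT
iptables -A icmp_packets -i $inet -j DROP
# outbound chain for forwarded LAN tcp requests: accepted unless a rule refuses them
iptables -A tcp_outbound -j ACCEPT
# INPUT: bad packets first, then loopback, ongoing sessions, then per protocol
iptables -A INPUT -j bad_packets
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -j tcp_inbound
iptables -A INPUT -p udp -j udp_inbound
iptables -A INPUT -p icmp -j icmp_packets
# FORWARD: the same idea for the gateway path
iptables -A FORWARD -j bad_packets
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan -o $inet -p tcp -j tcp_outbound
iptables -A FORWARD -i $lan -o $inet -j ACCEPT
# nat: masquerade LAN traffic behind the current address of the Internet interface
iptables -t nat -A POSTROUTING -o $inet -j MASQUERADE
EOF
    if [ -n "$ttl" ]; then
        printf '# mangle: give every outbound packet the same TTL (help-manglettl.html)\n'
        printf 'iptables -t mangle -A POSTROUTING -o %s -j TTL --ttl-set %s\n' "$inet" "$ttl"
    fi
    if [ -n "$proxy" ]; then
        printf '# nat: transparent proxy for LAN web requests (help-redirect.html)\n'
        printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' "$lan" "$proxy"
    fi
}

# gateway with both optional features enabled (sample values)
gen_firewall eth0 eth1 128 3128
```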
efg-1.17/resources.html
These resources provide further information on iptables/netfilter or are otherwise a resource for use while administering a firewall.
Netfilter/IPTables Home
http://www.netfilter.org/
RFC 1918 - Address Allocation for Private Internets
http://www.faqs.org/rfcs/rfc1918.html
IANA Assigned Port Numbers
http://www.iana.org/assignments/port-numbers
Ports for Internet Services - another port list
http://www.chebucto.ns.ca/~rakerman/port-table.html
Practically Networked's Special Port List - useful for port forwarding
http://www.practicallynetworked.com/sharing/app_port_list.htm
Oskar Andreasson's IP-Tables Tutorial
http://iptables-tutorial.frozentux.net/
Linux IP Masquerade HOWTO
http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/index.html
Firewalling with netfilter/iptables
http://www.knowplace.org/netfilter/
Fireparse - Firewall log parser
http://aaron.marasco.com/linux.html
http://freshmeat.net/releases/47719/
IPTables Firewall Scripts and Configuration Files
http://www.malibyte.net/iptables/scripts/fwscripts.html
IPTables Connection Tracking
http://www.cs.princeton.edu/~jns/security/iptables/iptables_conntrack.html
Configuring NFS under Linux for Firewall control
http://www.lowth.com/LinWiz/nfs_help.html
Select this option if you operate a DHCP server on the gateway for your private internal network. This option will add rules needed to support dhcp broadcasts from unconfigured systems and systems configured with auto-config addresses.
efg-1.17/credits.html
A closer look at the ideas and approaches gleaned from Oskar Andreasson's IPTables-Tutorial is warranted. His tutorial influenced the direction of the Easy Firewall Generator more than any other single work. That's not surprising. The IPTables-Tutorial was one of the first works produced after the original netfilter HOWTOs. It has significantly impacted many subsequent works.
The three most significant influences on Easy Firewall Generator are listed below.
If you have questions or issues with iptables that are not addressed by this generator, the IPTables-Tutorial is the best starting point for additional research. A link to it is maintained in the Resources page.
efg-1.17/help-imports.html
ICQ and AIM support a number of options beyond simple instant messaging. These options include direct chat and file transfers. For those to function, the instant messaging system must allow new connections initiated from remote systems. This option will open a specified port range on the firewalled system. The client on the firewalled system must also be configured to use the specified port range. This option allows inbound ports to a client running on the firewalled computer. It does not enable port forwarding to a computer on an internal network behind the firewall.
efg-1.17/help-passiveftp.html
With passive FTP, the server provides a port number to the client and lets the client initiate the data connection, rather than the server initiating the data connection to the client from its data port. Web browsers and clients operating behind a firewall generally use passive FTP transfers. A general purpose FTP server will need to support passive FTP requests.
However, by default an FTP server will select a port from the entire range of high ports. It is not particularly safe to open all high ports. Fortunately, that range can be restricted. This firewall presumes that the range has been restricted to a specific selected range. That range must also be configured in the ftp server.
Instructions for specifying the port range for the wu-ftpd server can be found here:
http://www.wu-ftpd.org/man/ftpaccess.html (See the passive ports option.)
Instructions for the ProFTPD server can be found here:
http://proftpd.linux.co.uk/localsite/Userguide/linked/x861.html
efg-1.17/help-portforward.html
Port forwarding forwards all traffic on a specific port (or range of ports) from the firewall to a computer on the internal LAN. This can be required to support special situations. For instance, this is the only way to support file transfers with an ICQ client on an internal computer. It's also required if an internal system hosts a service such as a web server. However, it's also a dangerous option. It allows Internet computers access to your internal network. Use it carefully and only if you're certain you know what you're doing.
Easy Firewall Generator supports the creation of a single port forwarding rule (or two if both TCP and UDP are selected). If you require additional rules, use the generated rules as a template to build the additional rules in the output script. Be sure to create the appropriate rule both in the PREROUTING chain of the nat table and in the FORWARD chain of the filter table.
The following lists may help you determine which ports to forward.
Fireparse is a firewall log parsing tool. It parses the syslog and extracts the firewall related events to a separate file. It then generates an email (text or html) or an html output file providing a summary of relevant events. By default, the messages are removed from the syslog messages file, making it somewhat less cluttered.
The iptables version of Fireparse requires a particular syntax in the log-prefix of logged events. Selecting this option generates a script that records the logged events in that format. The default is to record log events in a more readable format. Select this option if you intend to use Fireparse.
efg-1.17/help-ircuser.html
The default policy for a firewall generated by this program drops requests rather than rejecting them. As a rule, that works fine. However, Internet Relay Chat (IRC) servers typically send an ident request when a client attempts to connect. If the client does not explicitly reject (or accept) the request, the server waits until it times out. That's obviously a problem.
Selecting this option causes the firewall to create the rules to explicitly reject all requests to the ident port (113). It also provides an alternative, commented rule to accept the requests if you wish to experiment with that option. Note that if you are applying this script to a gateway, the stock identd daemon included in most Linux distributions is not sophisticated enough. There are other ident daemons that can. One such is oidentd, available at: http://dev.ojnk.net/.
efg-1.17/help-messengerports.html
This option allows remote systems to initiate new connections in order to do file transfers through Messenger. This option will open the specified port range on the firewalled system. It defaults to ports 6891 through 6900. I'm not sure if Messenger can be configured to use different ports like ICQ and AIM, but if it can, the defaults can be modified. The Messenger protocol client must be running on the firewalled system. Use the advanced port forwarding option if you wish to support port forwarding to an internal system.
efg-1.17/help-otherin.html
This option allows you to specify an ad hoc range of ports to allow. TCP, UDP, or both can be specified. If more than a single ad hoc range is desired, use the rule(s) generated by this option as a template for additional port ranges.
efg-1.17/CHANGELOG
Version 1.17
05/11/2005 - tsm: Added rule to do ingress filtering as suggested by Brian Buchanan
05/11/2005 - tsm: Changed the rule to drop broadcasts that would otherwise be dropped to a better rule as suggested by Brian Buchanan
Version 1.16
04/27/2005 - tsm: Added rules in bad_tcp_packets to filter packets with illegal tcp flag combinations. This will block many stealth scans.
04/27/2005 - tsm: Added the option to support inbound mDNSResponder.
Version 1.15
03/14/2004 - tsm: Added an option to configure inbound NFS. Used this web site and included a pointer in the help: http://www.lowth.com/LinWiz/nfs_help.html
03/14/2004 - tsm: Cleaned up the resources page.
03/14/2004 - tsm: Added a link to the CHANGELOG on the generator form.
03/14/2004 - tsm: Because of the worms blasting the 'net with pings, changed the icmp chain to drop echo requests without logging by default. (Earlier versions dropped them and logged them by default.)
03/14/2004 - tsm: Added EFG version number to generated firewall script.
03/14/2004 - tsm: Updated the Interfaces help to make sure people generating scripts for a single system know they can just specify '+' to match every interface.
Version 1.14
05/24/2003 - tsm: Added an option to port forwarding to add rules to redirect requests from internal systems to the external IP of the firewall on the forwarded port(s) to the internal system. Only works if the firewall has a static and not a dynamic IP address. Of course, they really need a static IP if using port forwarding anyway.
05/24/2003 - tsm: Added the tcp_syncookies kernel parameter setting to ensure SYN flood protection is enabled. Suggested by Salim Badakhchani (and several others.)
05/24/2003 - tsm: Added the date the version was released under the version number. This was a request.
05/24/2003 - tsm: Added help for the inbound DNS server option that explains the udp rules and the optional tcp_inbound rule.
05/24/2003 - tsm: Pulled the separate little changelogs out of the files and into this application CHANGELOG
04/10/2003 - Jan Pavlik: Added SSL option to the inbound Web Server and Email options.
Version 1.13
03/11/2003 - tsm: Added an option to allow a user-specified inbound port range.
03/11/2003 - tsm: Added an option to allow MSN Messenger file transfers. Expanded the port forwarding documentation as well. Suggested and researched by Nuno Justo.
02/28/2003 - tsm: Fixed bug in log rule for forward chain introduced in version 1.11.
Version 1.12
02/25/2003 - tsm: Added an option to reject (rather than drop) ident requests if the person uses irc. Also included some further tips for more sophisticated configurations. Suggested by Dan Barron.
02/25/2003 - tsm: Tweaked installation instruction comments in generated firewall script.
01/30/2003 - tsm: Added a rule in icmp_packets to drop initial ICMP fragments. Suggested by Alex Weeks.
Version 1.11
01/30/2003 - tsm: Added option to set up log for use with Fireparse
01/30/2003 - tsm: Added kernel setting options suggested by Alex Weeks with additional explanation. (Thanks!)
Version 1.10
01/23/2003 - tsm: Ensure each script section specifies php
01/21/2003 - tsm: Commented out ip_dynaddr kernel settings in all circumstances. Caused problems in RH 8.0. Not sure why yet.
Version 1.09
12/06/2002 - tsm: Modified port forwarding to allow either TCP/UDP or both and an optional internal destination port.
12/06/2002 - tsm: Changed the port forwarding layout in the form
12/06/2002 - tsm: Altered tab index ranges by section to make it easier to change the form in the future.
12/05/2002 - tsm: Modified to block all subnet multicasts on the internet interface.
Version 1.08
11/30/2002 - tsm: Fixed a bug in FORWARD chain so bad_packets will be dropped.
11/30/2002 - tsm: Allowed port forwarding to an internal system
11/30/2002 - tsm: Add ICQ advanced inbound options
11/30/2002 - tsm: Changed to allow ports to be specified for passive ftp on inbound connections
Version 1.07
10/16/2002 - tsm: Made transparent proxy comment out HTTPS option by default
10/16/2002 - tsm: Changed to use $_POST
Version 1.06
06/27/2002 - tsm: Added rule options for the multicast packets seen from cable modems. Fixed the TTL rule.
Version 1.05
05/23/2002 - tsm: Added credit section for Oskar Andreasson's iptables-tutorials
05/22/2002 - tsm: Modified default behavior of bad_tcp_packets chain so packets originating from the internal interface (if one exists) are not processed through the chain. Provided expanded comments and alternative rules. Ensured all lines in the resulting file are 80 columns or less.
05/21/2002 - tsm: Fixed bug that added postrouting rule for single system as well as gateway. Drop INPUT broadcasts immediately before logging.
Version 1.04
05/20/2002 - tsm: Added logic to display Internal DHCP and External DHCP options in the form
05/20/2002 - tsm: Updated to check for internal dhcp and external dhcp options.
05/20/2002 - tsm: Fixed bug that failed to properly record static IP address. Added code to allow system to act as a dhcp server. The autoconfig kludge is now more elegantly solved by an Internal DHCP setting that specifically allows DHCP packets from clients through the internal interface. Some of the explicit returns from chains were missing. Set internal output to internal interface to IP or IFACE. Corrected bug that printed literal value, not variable name.
Version 1.03
05/20/2002 - tsm: Added sysctl option to change kernel parameters. Expanded the comments explaining the udp_inbound netbios rules. Added comments to allow script to work with Redhat's chkconfig implementation
05/17/2002 - tsm: Expand further on comments
    Fixed FTP Client inbound port rule
    Fixed OUTPUT chain rule for local_ip, only if there is one
    Explicitly drop inbound netbios (137,138) requests in udp_inbound without logging. Cuts down on noise in the logs if in an area with lots of windows machines. Only affects internet interface.
    Explicitly accept LO_IFACE on OUTPUT chain
05/16/2002 - tsm: Added detail to the kernel module and proc setting sections
    Added actions for arguments save and restore
    Added generic bad_packets chain - call it first everywhere except in OUTPUT chain. May add later.
    Added invalid ICMP packets to OUTPUT chain to remedy potential exploit.
efg-1.17/help-dnsserver.html
This option will generate the rules that will allow inbound DNS queries. These are UDP queries to port 53. It will also generate a rule in the tcp_inbound chain to allow inbound TCP packets to port 53; however, this rule is commented out by default. DNS queries are typically UDP, and that's the most commonly used protocol. If you need to enable zone transfers, though, you will need to allow TCP connections. You can simply uncomment the rule in the tcp_inbound chain, but you may wish to tweak it so that only those servers you wish to allow to perform zone transfers are allowed in through the firewall.
efg-1.17/help-pfinternalredirect.html
If you select this option, a rule will be added to forward requests from internal systems that use the Internet address of the firewall system and the forwarded port on to the internal system. In order for the response to be returned to the requestor, a rule enabling SNAT on the internal interface is also added.
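The port forwarding rule pair from the port forwarding help, together with the internal redirect rules described here, as an added example that is not EFG's own output. Interface names, the firewall's addresses, the internal network and the forwarded host are assumed values; the commands are printed for review rather than executed.

```shell
# Added example, not EFG's own output: emit the rule pair a single port
# forward needs (PREROUTING DNAT in the nat table plus a FORWARD accept in
# the filter table), and the internal-redirect rules that let LAN hosts
# reach the service via the firewall's external IP. All names and
# addresses below are assumed; print to review, then: sh pf.sh | sh
IPT="iptables"
INET_IFACE="${INET_IFACE:-eth0}"; INT_IFACE="${INT_IFACE:-eth1}"
INET_IP="${INET_IP:-203.0.113.10}"     # assumed static external address
INT_IP="${INT_IP:-192.168.1.1}"        # assumed internal address of the firewall
INT_NET="${INT_NET:-192.168.1.0/24}"   # assumed internal network

# port_forward PROTO EXT_PORT DEST_IP [DEST_PORT]
# PROTO is tcp or udp (call twice for both); DEST_PORT defaults to EXT_PORT.
# The FORWARD rule is scoped to the one host and port so the DNAT cannot
# be used to reach anything else behind the firewall.
port_forward() {
    proto="$1"; ext_port="$2"; dest="$3"; dest_port="${4:-$2}"
    case "$proto" in
        tcp|udp) ;;
        *) echo "port_forward: protocol must be tcp or udp, got '$proto'" >&2; return 1 ;;
    esac
    printf '%s\n' \
      "$IPT -t nat -A PREROUTING -p $proto -i $INET_IFACE --dport $ext_port -j DNAT --to-destination $dest:$dest_port" \
      "$IPT -A FORWARD -p $proto -i $INET_IFACE -o $INT_IFACE -d $dest --dport $dest_port -j ACCEPT"
}

# internal_redirect PROTO EXT_PORT DEST_IP [DEST_PORT]
# Requests from the LAN to the firewall's external IP are DNATed to the
# internal host, and SNATed on the internal interface so the reply comes
# back through the firewall instead of going straight to the client.
internal_redirect() {
    proto="$1"; ext_port="$2"; dest="$3"; dest_port="${4:-$2}"
    printf '%s\n' \
      "$IPT -t nat -A PREROUTING -p $proto -i $INT_IFACE -d $INET_IP --dport $ext_port -j DNAT --to-destination $dest:$dest_port" \
      "$IPT -t nat -A POSTROUTING -p $proto -o $INT_IFACE -s $INT_NET -d $dest --dport $dest_port -j SNAT --to-source $INT_IP" \
      "$IPT -A FORWARD -p $proto -i $INT_IFACE -o $INT_IFACE -d $dest --dport $dest_port -j ACCEPT"
}

# Constructed example: an internal web server on 192.168.1.20 listening
# on 8080, reachable from the Internet (and the LAN) on port 80.
port_forward tcp 80 192.168.1.20 8080
internal_redirect tcp 80 192.168.1.20 8080
```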
efg-1.17/help-inboundnfs.html
Allowing connections to an NFS server through a firewall requires that a number of services that typically use random ports be configured to use specific ports. The generator will prompt for those port numbers. This help provides a quick look at each service. For more information, read this site by Chris Lowth: http://www.lowth.com/LinWiz/nfs_help.html. EFG uses a different suggested port range purely because I thought I had already used 4000 as a suggestion for something else.
The rpc.statd program must be configured to start on the correct port. Find the startup script that starts that daemon and add the -p option. On a Red Hat system, that would be the /etc/init.d/nfslock script. Change the startup line to: 'daemon rpc.statd -p 9400' (or whatever port you select).
The NFS lock manager is a kernel module. If your system loads it as a loadable module, add this line to /etc/modules.conf: 'options lockd nlm_udpport=9401 nlm_tcpport=9401'. Otherwise, the change has to be made as a kernel option to the system boot loader. See the above web site for more information.
The rpc.mountd program must be configured to use the specified port with the '-p' option. On a Red Hat system, that can be done in the /etc/sysconfig/nfs file with the line: MOUNTD_PORT=9402
Specifying a port for rquotad requires at least version 3.08 of the quota package. In order to implement the configuration, make sure the following line is in the /etc/rpc file (exactly as given):
rquotad 100011 rquotaprog quota rquota
Then add two lines to /etc/services:
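Once each daemon is pinned to its port, the firewall side of the procedure above, as an added example that is not EFG's own output: it prints tcp_inbound and udp_inbound rules that admit NFS clients from the internal interface only, and refuses to print anything if a port is invalid or two services share one. Ports 9400 to 9402 are the suggestions given above; the rquotad port (9403) and the interface name are assumed.

```shell
# Added example, not EFG's own output: once rpc.statd, lockd, rpc.mountd
# and rquotad are pinned to fixed ports as described above, print the
# inbound rules that admit NFS clients from the internal interface only.
# Ports 9400-9402 are the help text's suggestions; the rquotad port 9403
# and the interface name are assumed. portmap (111) and nfsd (2049) are
# always fixed, so they need no daemon configuration.
IPT="iptables"
INT_IFACE="${INT_IFACE:-eth1}"

# A usable port is numeric and in the unprivileged range 1024-65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# nfs_rules STATD_PORT LOCKD_PORT MOUNTD_PORT RQUOTAD_PORT
# Prints one tcp_inbound and one udp_inbound ACCEPT per service. Fails
# without printing anything if a port is invalid or used twice, so a
# typo cannot silently open the wrong port.
nfs_rules() {
    [ $# -eq 4 ] || { echo "nfs_rules: expected 4 ports" >&2; return 1; }
    for p in "$@"; do
        valid_port "$p" || { echo "nfs_rules: bad port '$p'" >&2; return 1; }
    done
    dup=$(printf '%s\n' "$@" | sort | uniq -d)
    [ -z "$dup" ] || { echo "nfs_rules: port $dup used twice" >&2; return 1; }
    for svc in portmap:111 nfs:2049 statd:$1 lockd:$2 mountd:$3 rquotad:$4; do
        name="${svc%%:*}"; port="${svc#*:}"
        printf '%s\n' \
          "$IPT -A tcp_inbound -p tcp -i $INT_IFACE --dport $port -j ACCEPT  # $name" \
          "$IPT -A udp_inbound -p udp -i $INT_IFACE --dport $port -j ACCEPT  # $name"
    done
}

nfs_rules 9400 9401 9402 9403
```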
mDNSResponder is a key portion of Apple's Bonjour. The purpose of Bonjour is to allow devices to configure themselves without requiring a DHCP server. Selecting this option allows the mDNSResponder protocol through the firewall.