
jsfirewall a framework for iptables
Author: Joerg Strehlau
Copyright (C) 2004-2005
E-mail: maintainer@jsfirewall.de
License: GNU/GPL v2, see http://www.gnu.org/licenses/licenses.html#GPL

README-EN for jsfirewall Version 0.7.2

CONTENT
1. What are the features of jsfirewall?
2. New features in 0.7.2
3. Ports & special ports
4. Program help in detail
5. Appendix

1. What are the features of jsfirewall?

jsfirewall increases the safety of a desktop PC with one network card. The program is quick to administer, and it makes it easy to generate an iptables based firewall script.
It has no ROUTER function; it is a personal firewall developed for use behind a router or for direct connections like PPP over Ethernet.
jsfirewall uses the program "dialog", so you can use it either on the X server or on the console. Advanced features are built in: you can save or view logging files, tune the logging and the kernel parameters, and save, load or delete generated firewall templates.
There is optional support for an additional port range besides the default one, and you can assign one command owner to every chosen port. jsfirewall supports OpenVPN and can generate an OpenVPN styled firewall script for you.

2. New features in 0.7.2

2.1 Sections

global
You can enable OpenVPN support and set 3 parameters inside the header menu.
edit
Now you will find a minimum of two "firewall sets", CLASSIC and ONLYOPENVPN. CLASSIC is the same as the edit menu in 0.7.1. ONLYOPENVPN is the new feature and creates an OpenVPN firewall script.
Config
I have written a completely new config section. Now you do not need to edit the file "jsfirewall.conf" manually (only the variable PPATH, see APPENDIX). You can now edit directly in the "config" menu, like in the "global" menu. After editing the configuration you don't need to restart jsfirewall.
Help
Help can now support all languages. jsfirewall currently provides these languages: English and German. If you want to translate jsfirewall into another language (interface and README files), please send me an e-mail to discuss the details at maintainer_AT_jsfirewall_DOT_de

3. Ports & special ports

3.1 You can take all ports which jsfirewall finds in /etc/services.

HINT: dialog handles no more than 4096 lines in its list boxes, so I use entries 1-4096 from /etc/services. If you have more entries, a dialog box informs you about this (edit CLASSIC box, see Section 4).

3.2 special ports:
Scroll down the "edit CLASSIC" menu and you can find some extra ports:

:ftp-passive,21,tcp - for an ftp-client
:real-support - RealNetworks(TM) audio/video tcp/udp ports (PROXY-SERVER)
:keys,11371,tcp - export/import keys to/from a keyserver

4. Program help in detail

4.1 Hint:
The security of PCs depends on who you communicate with inside your network, but if you are connected e.g. to the Internet you don't know exactly who also uses your datastream. I recommend using a personal and a hardware firewall for best protection results.

4.2 Main Menu:
Sections in detail

        1 header
        2 proc  
        3 edit  
        4 on     
        5 off     
        6 view   
        7 q      
                
        1 header - Firewall header settings
        -----------------------------------
        dev - The network interface device e.g. ppp0
                          
        mynet - A valid IPv4 or IPv6 netaddress + mask
        e.g. IPv4 192.168.0.0/24
                
        pora - Standard portrange, mostly 1024:65535
        
        inso - Incoming network, e.g. 0.0.0.0/0 = all IPv4 networks
                          
        icmp - Enable the ICMP protocol on LO and DEV (ONLY CLASSIC)
                          
        ipv4-state-tracking - Control the packets by connection state; I recommend
        enabling this feature
                          
        logging - Enable logging at all network devices

        advanced - Logging options, -> new box:

         log-level - Select one of the eight logging levels (menu box).
         HINT: See also "man syslog.conf". 
                        
         log-prefix - Prefix log messages with the specified prefix;
         up to 29 letters long, and useful for distinguishing messages in
         the logs.* With jsfirewall you can use up to 28 letters.
                                
         log-tcp-options - Log options from the TCP packet header.*

         log-ip-options - Log options from the IP packet header.*

         limit rate - Maximum average matching rate: specified as a number,
         with an optional `/second', `/minute', `/hour', or `/day' suffix;
         the default is 3/hour.*

         limit-burst number - Maximum initial number of packets to
         match: this number gets recharged by one every time the limit
         specified above is not reached, up to this number;
         the default is 5.*

         * source: man iptables, section LOG and MATCH EXTENSIONS, limit.
        
        OpenVPN - If you see this smile [:-)] you can enable OpenVPN support
                  to generate an OpenVPN styled firewall script.
                  
                  1. Askbox: Enable or disable this feature or, if no openvpn
                  is installed, you will get a message that you must install
                  OpenVPN.
                  
                  2. Boxtitle: iptables basic settings for openvpn
                  
                  dev - mostly tun+
                  
                  port - mostly 1194
                  
                  proto - mostly udp
                 
                  These 3 settings are the basics and must be the same as
                  the settings in your /etc/openvpn/client.conf file.

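
The header settings above map almost one to one onto iptables options. The following script is an added example, not jsfirewall's own code: it renders the header fields (dev, pora, inso, icmp, ipv4-state-tracking, logging with its advanced options, and the three OpenVPN basics) into the kind of iptables script a template contains. The variable names mirror the header fields; the rule layout, the default values, the use of INPUT policy DROP and the OpenVPN client rules are this example's assumptions, and it writes the script to stdout instead of running iptables. It also enforces the README's 28 letter limit on the log-prefix.

```shell
#!/bin/sh
# Added example, not jsfirewall's own code. Renders the README's "header"
# settings into an iptables script on stdout. Rule layout and defaults are
# assumptions of this example; the field names follow the header menu.

emit() { printf '%s\n' "$*"; }

jsfw_header_rules() {
    # Header fields, with the README's "mostly" values as defaults.
    : "${DEV:=ppp0}" "${MYNET:=192.168.0.0/24}" "${PORA:=1024:65535}"
    : "${INSO:=0.0.0.0/0}" "${ICMP:=yes}" "${STATE:=yes}" "${LOGGING:=yes}"
    # "advanced" logging box: syslog level, prefix, limit and limit-burst
    # (iptables defaults: 3/hour and 5, see man iptables, limit match).
    : "${LOG_LEVEL:=warning}" "${LOG_PREFIX:=JSFW}"
    : "${LIMIT:=3/hour}" "${LIMIT_BURST:=5}"
    # OpenVPN basics; must match /etc/openvpn/client.conf.
    : "${OPENVPN:=no}" "${OVPN_DEV:=tun+}" "${OVPN_PORT:=1194}" "${OVPN_PROTO:=udp}"

    # iptables allows 29 characters in --log-prefix; jsfirewall stops at 28
    # because a trailing space is appended so the prefix stays readable.
    if [ "${#LOG_PREFIX}" -gt 28 ]; then
        echo "log-prefix longer than 28 letters: $LOG_PREFIX" >&2
        return 1
    fi

    cat <<EOF
#!/bin/sh
# generated from header: dev=$DEV mynet=$MYNET pora=$PORA inso=$INSO
IPT=/sbin/iptables
\$IPT -F
\$IPT -X
\$IPT -P INPUT DROP
\$IPT -P FORWARD DROP
\$IPT -P OUTPUT ACCEPT
\$IPT -A INPUT -i lo -j ACCEPT
EOF
    if [ "$STATE" = yes ]; then
        # ipv4-state-tracking: only replies to our own connections come in.
        emit "\$IPT -A INPUT -i $DEV -s $INSO -m state --state ESTABLISHED,RELATED -j ACCEPT"
        emit "\$IPT -A INPUT -i $DEV -m state --state INVALID -j DROP"
    else
        # Without conntrack, fall back to the classic "no SYN to client ports" rule
        # on the default portrange (pora).
        emit "\$IPT -A INPUT -i $DEV -p tcp --dport $PORA ! --syn -j ACCEPT"
        emit "\$IPT -A INPUT -i $DEV -p udp --dport $PORA -j ACCEPT"
    fi
    if [ "$ICMP" = yes ]; then
        emit "\$IPT -A INPUT -i lo -p icmp -j ACCEPT"
        emit "\$IPT -A INPUT -i $DEV -p icmp -j ACCEPT"
    fi
    if [ "$OPENVPN" = yes ]; then
        # Client side: reach the server on port/proto, trust the tunnel device.
        emit "\$IPT -A OUTPUT -o $DEV -p $OVPN_PROTO --dport $OVPN_PORT -j ACCEPT"
        emit "\$IPT -A INPUT -i $OVPN_DEV -j ACCEPT"
    fi
    if [ "$LOGGING" = yes ]; then
        # Rate-limited LOG rule in front of the policy DROP that catches the rest.
        emit "\$IPT -A INPUT -i $DEV -m limit --limit $LIMIT --limit-burst $LIMIT_BURST" \
             "-j LOG --log-level $LOG_LEVEL --log-prefix \"$LOG_PREFIX \"" \
             "--log-tcp-options --log-ip-options"
    fi
}

# Print a template with OpenVPN support enabled (subshell keeps OPENVPN local).
( OPENVPN=yes jsfw_header_rules )
```

Redirect the output to a file and read it before running it; the LOG rule sits last on purpose, so everything that reaches it is about to be dropped by the policy, and the limit keeps a flood of such packets from filling /var/log/messages.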
        2 proc - Sensitivity
        --------------------
        Tune the network features in the kernel in the proc-filesystem,
        see also RFC 1122.
        3 edit - CLASSIC Firewall
        -------------------------
        Press space key to toggle your ports on or off. You will
        get a maximum of 4096 ports and when you scroll down to the
        end of the list you will find 3 special ports.
                                         
        If you have toggled at least one port, the next menu box will
        appear:
        "Edit the ports or press Cancel", here you can edit one port and
        give it optional features like "command owner", "special portrange"
        or open the port for a server with an optional command owner.
        If you don't edit anything or your editing of the ports is
        finished you have to press Cancel and the firewall template
        generation is complete.

        If you edit one port, you will get the optional menu
        "Edit the ports or press Cancel":

         PORTRANGE - pora [client] - enter another portrange than
         the default portrange.

         OWNER - command name [client] - (max. 16 letters), only IPv4.

         SERVER - server [+ optional owner] - open the port and enter an
         optional command owner, only IPv4.
        The last box asks you if you want to save the generated firewall
        template.
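
The three per-port options (PORTRANGE, OWNER, SERVER) translate into iptables rules as follows. This is an added example and not jsfirewall's own code: the comma separated entry format `name,port,proto,role,owner,pora` (role is client or server; owner and pora are optional) is an assumption of this example, chosen to match the README's rule that data fields are comma separated. The `-m owner --cmd-owner` match is the ipt_owner option of the iptables 1.2/1.3 era this README targets; it is valid only in the OUTPUT chain and only for IPv4, and kernels from 2.6.14 on dropped it in favour of `--uid-owner`/`--gid-owner`, so treat it as a legacy option. The function enforces the README's limits (max. 16 letters, IPv4 only) and refuses bad ports and protocols instead of producing a broken script.

```shell
#!/bin/sh
# Added example, not jsfirewall's own code. Renders one entry of the
# "Edit the ports" box into iptables rules on stdout. Entry format (this
# example's assumption): name,port,proto,role,owner,pora
#   role  = client (default) or server
#   owner = command name for -m owner --cmd-owner (legacy, IPv4 only, max. 16)
#   pora  = port range for the client side, default $PORA

jsfw_port_rules() {
    entry=$1
    : "${DEV:=ppp0}" "${INSO:=0.0.0.0/0}" "${PORA:=1024:65535}" "${IPV6:=no}"
    ipt='$IPT'
    if [ "$IPV6" = yes ]; then ipt='$IP6T'; fi

    # Split the comma separated data fields (hence: never type a comma).
    oldifs=$IFS; IFS=,
    set -- $entry
    IFS=$oldifs
    name=$1; port=$2; proto=$3; role=${4:-client}; owner=$5; pora=${6:-$PORA}

    case "$port" in
        ''|*[!0-9:]*) echo "bad port '$port' in $name" >&2; return 1 ;;
    esac
    case "$proto" in
        tcp|udp) ;;
        *) echo "bad proto '$proto' in $name" >&2; return 1 ;;
    esac

    owner_match=''
    if [ -n "$owner" ]; then
        # OWNER: command name, max. 16 letters, only IPv4, OUTPUT chain only.
        if [ "$IPV6" = yes ] || [ "${#owner}" -gt 16 ]; then
            echo "owner '$owner' not allowed (IPv4 only, max. 16 letters)" >&2
            return 1
        fi
        owner_match=" -m owner --cmd-owner $owner"
    fi

    case "$role" in
    client)
        # Outgoing connection from the client portrange to the chosen port.
        printf '%s\n' "$ipt -A OUTPUT -o $DEV -p $proto --sport $pora --dport $port$owner_match -j ACCEPT"
        ;;
    server)
        # Open the port for the incoming network; the owner, if any, binds the replies.
        printf '%s\n' "$ipt -A INPUT -i $DEV -s $INSO -p $proto --dport $port -j ACCEPT"
        printf '%s\n' "$ipt -A OUTPUT -o $DEV -p $proto --sport $port$owner_match -j ACCEPT"
        ;;
    *)
        echo "bad role '$role' in $name" >&2; return 1 ;;
    esac
}

# The special ports from section 3.2, as entries of this example's format.
jsfw_port_rules 'ftp-passive,21,tcp,client,ftp'
jsfw_port_rules 'keys,11371,tcp,client,,2048:4096'
jsfw_port_rules 'www,80,tcp,server'
```

Because the ESTABLISHED,RELATED rule in the header already lets replies back in, a client entry needs only its OUTPUT rule; a server entry is the only one that opens an INPUT port, which is why it is worth checking each generated server line against the inso network you really want.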

4 on - Firewall active

A) If you have a current firewall template, you can turn it on here. If it starts successfully, the jsfirewall script will move to the default directory /etc/init.d named as jsfirewall.
B) If jsfirewall finds no existing firewall template, a file browser starts. You can load a saved firewall template and you have the option to move it after loading to /etc/init.d.

5 off - Firewall inactive

Reset the currently running firewall and allow all nettraffic to access all ports, protocols and all network devices. Only the settings from "proc" are saved.

6 view - Logfiles/Ports/Chains/Templates

realtime - like the command "tail -f /var/log/messages": realtime logging of all syslogd/klogd messages.
calendarlog - Pick a date to view logfiles. Next you will get an advanced search option in an extra box, searching for the standard word "PROTO" or for your own LOGPREFIX from the header settings.
logfile - open a file browser and you can view a saved logfile.
ports - show a simple ASCII table of your port traffic situation, for a quick overview only (only tcp + udp).
list - give the result of the command "iptables -L -n -v" in a message box.
saved - open a file browser to view or delete saved firewall templates. When you press "Delete" the chosen template will be deleted without warning.

7 q - quit

Exit the program, all temporary files will be deleted.

4.3 Important program hints:

  1. I programmed jsfirewall without hints like "Your IP is wrong" or similar ones, you are responsible for your settings and typings.
  2. An important part is to read my hints in all boxes e.g. "Max. 16 letters".
  3. I separated most of the datafields with commas, so never type a comma in the input boxes.
  4. Program error messages: You will get error messages if you type nothing in the input boxes. If you have e.g. a wrong IPv4 address you can't start a firewall template. This is a critical error and you can fix the problem in most cases through checking the header settings.
  5. In the appendix section you can read what you need to run jsfirewall without any problems.

5. APPENDIX

5.1 jsfirewall.conf
PPATH : PROGRAM PATH (container directory, jsfirewall.conf, header, and sensitivity file)
default path: /etc/jsfirewall
The rest is to configure in the config menu. Please edit this file only when jsfirewall is NOT running.

5.2
A) File access permissions for all jsfirewall files >= 0.7.1:

   permission (octal)   directory path        filename
   ------------------   --------------------  ---------------
   0740                 /usr/local/sbin       jsfirewall
   0740                 /etc/init.d           jsfirewall
   0640                 /var/log/jsfirewall   jsfw-DATE.log
   0640                 /etc/jsfirewall       jsfirewall.conf
   0640                 /etc/jsfirewall       sensitivity
   0640                 /etc/jsfirewall       jsfw_tmp_DATE

All interface language files are under /etc/jsfirewall/container/language : 0640. See "man chmod" for more information about file permissions.
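
The table above is worth checking after an install or an upgrade, because the firewall script in /usr/local/sbin and /etc/init.d runs as root and the templates in /etc/jsfirewall become the running ruleset. The following checker is an added example, not part of jsfirewall: it walks the table's paths, compares the actual mode of every file it finds with the README's expected mode, and reports the mismatches. It assumes GNU stat (Debian has it) and accepts a ROOT prefix so it can be pointed at a staging tree; files that are absent (for example no log yet) are not counted as errors.

```shell
#!/bin/sh
# Added example, not part of jsfirewall. Checks installed jsfirewall files
# (>= 0.7.1) against the permission table in the README. Uses GNU stat.
# ROOT (assumption of this example) prefixes every path, so a staging tree
# can be checked before copying files to /.

jsfw_check_perms() {
    root=${ROOT:-}
    bad=0
    # README table as mode:path; DATE-suffixed names and the language
    # directory are given as prefixes and matched by the trailing glob.
    for spec in \
        0740:/usr/local/sbin/jsfirewall \
        0740:/etc/init.d/jsfirewall \
        0640:/var/log/jsfirewall/jsfw- \
        0640:/etc/jsfirewall/jsfirewall.conf \
        0640:/etc/jsfirewall/sensitivity \
        0640:/etc/jsfirewall/jsfw_tmp_ \
        0640:/etc/jsfirewall/container/language/
    do
        want=${spec%%:*}
        prefix=${spec#*:}
        for f in "$root$prefix"*; do
            [ -f "$f" ] || continue            # absent file: nothing to check
            have=$(stat -c %a "$f")            # GNU stat prints e.g. 640
            if [ "$have" != "${want#0}" ]; then
                echo "WRONG 0$have (want $want) $f"
                bad=$((bad + 1))
            else
                echo "ok    $want $f"
            fi
        done
    done
    [ "$bad" -eq 0 ]
}

# Check the live system; prints nothing when no jsfirewall files are installed.
jsfw_check_perms || echo "some files differ from the README's permission table" >&2
```

A mode that is too open matters most for the templates and the conf file: anything that can edit /etc/jsfirewall/jsfirewall.conf or a saved template changes what the next "on" activates, which is also why the README asks you to edit jsfirewall.conf only while the program is not running.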

B) Requirements for jsfirewall, LINUX :-) and:

        NAME     VERSION (>=)
        -----------------------
        dialog   1.0-20041222-1 
        iptables 1.2.11-8
        gawk     3.1.4-2
        sed      4.1.2-8

(Debian GNU/Linux testing)

And all the many small programs like "du", "head", "tail" and so on.

Hint: You need a "dialog" version 1.x, but jsfirewall can run on an old version like 0.9, too. With 0.9, however, you won't have the box
"view or delete template file" and the temp. file will be deleted.

You need a Linux kernel which supports
automatic kernel module loading.
Be sure to have up to date iptables programs. Source: http://netfilter.org/

If you want your jsfirewall script to start permanently from the next reboot on, type
(Debian GNU/Linux, e.g. runlevel 5):

ln -s /etc/init.d/jsfirewall /etc/rc5.d/S23jsfirewall


proofread by Whitney Garner


