Welcome to FrankenWall Version 0.5.10
I have tried several firewall-building packages in my hunt for the one that carries all the features I need. I've tried fancy GUI-based firewall builders, menu-driven ones, and web interfaces for others. I honestly couldn't care less about the interface. (Go figure, I'm a Slackware user.) When I did find a firewall I thought would cut it, I inevitably found one tiny little feature missing that I couldn't live without. So... You know what happened from there. It's the same story for just about any open-source product you have ever bothered reading the README from. I built my own to fill in the gaps.
This firewall works off the following concepts:
I have a desktop background I "Gimp'ed up" some time ago that says "Powered by Slackware, wimps need not apply." I like that...
So I wrote this firewall script with one basic principle in mind:
->->->->->->->->->->->->->->->->SECURITY<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-
Forget making it user-friendly, I wrote it to lock my network the hell down! That's exactly what this firewall will do. Therefore, if you don't want to have to carefully design your network requirements before plugging this thing into your network, don't use it.
You have been warned.
All general firewall settings are controlled in the firewall.conf file.
If ROUTER is set to "true", perform NAT and routing for all systems on any internal interfaces specified by INTLIST.
If DYNIP is set to "true", perform all NAT using MASQUERADE. Otherwise, the firewall will use SNAT.
If DENYBROADCAST is set to "true", all broadcast and subnet-broadcast traffic will be quietly dropped.
If INGRESS is set to "true", deny any inbound external traffic originating from IP addresses present in your internal networks. (Otherwise known as "spoofed" IP traffic.)
If EGRESS is set to "true", deny any outbound internal traffic originating from IP addresses not present in your internal networks. (Also known as "spoofed" IP traffic.)
If MAC_WLIST is set to "true", only the MAC addresses specified in allow_outbound_macs.conf are allowed outbound through the firewall. This will override EGRESS.
If EGRESS and MAC_WLIST are both false, permit any and all outbound internal traffic except for that which you specifically deny via the deny_outbound_hosts.conf file.
If IPSEC is set to "true", configure rules that will deny any and all traffic from IPSec links except for that which you specifically permit in the ipsec_networks.conf file. Currently, this has only been tested with OpenSWAN.
Deny any and all inbound external traffic except for that which you specifically permit via the allow_inbound_hosts.conf file. I HIGHLY recommend that you create a rule that allows return TCP traffic back in. You will most likely also want a rule to allow DNS responses too. If you don't, you're likely to think this firewall is borked when none of your internal systems can get to the 'net. Don't come crying to me about it.
Yes, I built it this way on purpose.
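The settings above map onto iptables rules roughly as follows. This is an added example written for this README, not FrankenWall's own script: a POSIX sh dry-run generator that prints the iptables commands a firewall.conf-style configuration implies instead of executing them, so the policy can be reviewed before it touches a live kernel. The switch names ROUTER, DYNIP, DENYBROADCAST, INGRESS, EGRESS and MAC_WLIST follow the README; EXTIF, INTIF, EXTIP, INTNETS and MACS, the chain name "outbound", and the sample addresses are assumptions, and the ipmask() here does its netmask math with shell arithmetic where FrankenWall uses dc.

```shell
#!/bin/sh
# Added example (not FrankenWall's code): print the iptables rules implied by
# firewall.conf-style switches. Variable names beyond the README's switches
# (EXTIF, INTIF, EXTIP, INTNETS, MACS) are assumptions for this example.

# Constructed sample configuration, standing in for firewall.conf.
EXTIF=eth0; INTIF=eth1; EXTIP=203.0.113.10
INTNETS="192.168.1.0/24 10.0.0.0/8"      # space-separated CIDR list
MACS="00:11:22:33:44:55"                  # stands in for allow_outbound_macs.conf
ROUTER=true; DYNIP=false; DENYBROADCAST=true; INGRESS=true; EGRESS=true; MAC_WLIST=false

# Print a rule rather than running it; replace printf with "$@" only once
# the printed policy reads the way you intended.
rule() { printf 'iptables %s\n' "$*"; }

# Dotted quad -> 32-bit integer, plain POSIX shell arithmetic.
ip2int() {
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# 32-bit integer -> dotted quad.
int2ip() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
        $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# Prefix length -> dotted netmask (the job the README hands to dc), e.g. 24 -> 255.255.255.0
ipmask() { int2ip $(( (4294967295 << (32 - $1)) & 4294967295 )); }

# Directed (subnet) broadcast of a CIDR network, e.g. 192.168.1.0/24 -> 192.168.1.255
bcast_of() {
    b_net=${1%/*}; b_plen=${1#*/}
    b_mask=$(ip2int "$(ipmask "$b_plen")")
    int2ip $(( ($(ip2int "$b_net") & b_mask) | (4294967295 ^ b_mask) ))
}

gen_rules() {
    # Inbound from the outside is deny-all; allow_inbound_hosts.conf adds the exceptions.
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT ACCEPT

    # The two exceptions the README says you will want: return TCP and DNS replies.
    rule -A INPUT -i "$EXTIF" -p tcp -m state --state ESTABLISHED -j ACCEPT
    rule -A INPUT -i "$EXTIF" -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT

    if [ "${DENYBROADCAST:-true}" = true ]; then
        # Link broadcasts and each internal subnet's directed broadcast, dropped without logging.
        rule -A INPUT -m pkttype --pkt-type broadcast -j DROP
        for net in $INTNETS; do
            rule -A INPUT -d "$(bcast_of "$net")" -j DROP
        done
    fi

    if [ "${INGRESS:-true}" = true ]; then
        # A packet arriving on the external interface with an internal source is spoofed.
        for net in $INTNETS; do
            rule -A INPUT -i "$EXTIF" -s "$net" -j DROP
            rule -A FORWARD -i "$EXTIF" -s "$net" -j DROP
        done
    fi

    [ "${ROUTER:-false}" = true ] || return 0

    # Outbound policy for routed clients: MAC_WLIST overrides EGRESS, EGRESS overrides open.
    rule -N outbound
    if [ "${MAC_WLIST:-false}" = true ]; then
        for mac in $MACS; do rule -A outbound -m mac --mac-source "$mac" -j ACCEPT; done
    elif [ "${EGRESS:-true}" = true ]; then
        # Only packets sourced from an internal network may leave; anything else is spoofed.
        for net in $INTNETS; do rule -A outbound -s "$net" -j ACCEPT; done
    else
        rule -A outbound -j ACCEPT   # open; deny_outbound_hosts.conf entries would go first
    fi
    rule -A outbound -j DROP         # whatever the whitelist did not match (dead rule if open)
    rule -A FORWARD -i "$INTIF" -o "$EXTIF" -j outbound
    rule -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # NAT: MASQUERADE when the external address changes, SNAT when it is fixed.
    if [ "${DYNIP:-false}" = true ]; then
        rule -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
    else
        rule -t nat -A POSTROUTING -o "$EXTIF" -j SNAT --to-source "$EXTIP"
    fi
}

gen_rules
```

Run it as-is to see the rules for the sample configuration. Flipping MAC_WLIST to "true" changes the outbound chain from source-network matches to --mac-source matches, which is what "overrides EGRESS" means in practice; flipping DYNIP swaps the SNAT rule for MASQUERADE.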
To learn about the rest of the feature sets in this firewall, read the *.conf files.
Requirements for this firewall are:
iptables (duh...)
dc (For the ipmask() function. Normally part of the bc package.)
grep (Most sane distros include this normally)
sed (Should already be on your system, see grep above)
awk (You should have this already, see sed above)
cut (Same as awk above)
tr (ditto...)
ip (Part of the iproute2 suite. Maintained by Stephen Hemminger.)
If you have all the prerequisites to this firewall installed, run the included install.sh script, edit the config files found in /etc/frankenwall.d, and run frankenwall to see the command-line options.
enjoy...
LinuxChuck
