The firewall is started with the following command:
firewall [-t] [-v] [-s] start | stop
Command | Options | Description
firewall | start | Start the firewall with all defined services.
firewall | stop | Stop the firewall. Everything is allowed, nothing will be filtered.
firewall | -t | Run in test mode. Create the ./log/<logfile>. Don't create the setup/*.rules files!
firewall | -v | Run in verbose mode, print each command.
firewall | -s | Use the setup files from the './setup' dir instead of the 'rules' files.
fw_rules | [-t] [-v] <service> [del] | Add/delete the rules for a single service to the firewall (executes the rules!). Use Firewall/<service> to test a service on the firewall itself.
create_rules | | Read the configuration files and create the <service>.rules file.
create_rules | [all] | Create _all_ rules which are currently in the rules directory (update all rules).
create_rules | [<service>] | Only create the rules for <service>; the default is "all".
create_rules | [Firewall] | Only create the rules for the Firewall.
save_config | [filename] | Save the configuration files in a tar file, so you can put them on another host. FCT-config.tar is the default.
save_config | -i [-cgi] filename | Install configuration files for FCT. -cgi sets the access rights for CGI.
reset | | Reset all rules, same as firewall stop.
You can start or stop every service by hand with the following command:
The Firewall Configuration Tool uses different types of (/bin/sh) config files:
File | Description
etc/net.cfg | Main network definitions like domain name etc.
etc/fw.cfg | Connections allowed from/to the firewall
etc/services.cfg | Connections allowed from/to the internal / perimeter networks
etc/trusted.cfg | Definition of some trusted IPs; there are no restrictions for them
etc/aliases.cfg | Definition of some variables that are used in the FCT
etc/config/<service>.def | The necessary IP connections for each service
etc/config/<service>.flt | Source and destination for each service
rules/<service>.rules | Rules to set up the services
setup/<service>.rules | Scripts/commands to set up the services
The necessary IP connections (Definition) for each service are defined in (/bin/sh) config files; they reside in etc/config/<service>.def. The definitions can be edited, and new definitions may be added.
In order to be more flexible than simply enabling/disabling services, we define a source and destination (Screening) for each service in the (/bin/sh) config files etc/config/<service>.flt. These definitions are used to set up a screened subnet architecture.
Now we have config files with information about
We have to create the rules files (Rules) for each service we want to use. We need all of the above information to be able to do that.
Additionally it should be possible to define external hosts of our network. These are Trusted hosts and are defined in etc/trusted.cfg. They are not restricted in any service, so be careful using them.
There is a difference between the service rules for the firewall and the service rules for other hosts. The firewall works as a gateway if neither the source nor the destination of the connection is the firewall itself. A gateway has two different network interfaces and needs IP forwarding between these two interfaces. That is the reason for the different setup of these two types.
In general a firewall shouldn't be used much as a normal host; its primary focus should be a very secure firewall host and nothing else. And a working firewall shouldn't need to be changed very often. You should only set up a minimal set of services on the firewall itself; maybe an incoming ssh from a special host to administer the firewall is enough. So the setup of the services for the firewall itself isn't very comfortable, you don't want to use it very often ;-)
Because all config files are shell scripts, it is possible to define variables (Aliases) and use them in the configuration masks. See the file etc/aliases.cfg for some variables.
The only function that remains is the testing (Test) of the current setup. You have to evaluate the ipfwadm commands by hand, and you should do that meticulously!
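The three points above (host rules versus gateway rules, shell variables as aliases, and reviewing the generated ipfwadm commands by hand before they reach the kernel) fit together in the following added example. It is not FCT's own code: the variable names, the two helper functions and the sample addresses are constructed for illustration, and the test-mode logging only imitates the role of FCT's -t option. A connection to the firewall itself gets input (-I) and output (-O) rules; a connection that passes through the firewall gets forwarding (-F) rules on the two interfaces, which only take effect once IP forwarding is enabled in the kernel.

```shell
#!/bin/sh
# Added example, not part of FCT. Variable and function names are assumptions.

# --- what an etc/aliases.cfg style file would hold: plain shell variables
INTERNAL_NET="192.168.1.0/24"   # constructed sample network
FIREWALL_IP="192.168.1.1"       # constructed sample firewall address
ADMIN_HOST="192.168.1.10"       # constructed: the single host allowed to ssh in
EXT_IF="ppp0"                   # external interface
INT_IF="eth0"                   # internal interface

TESTMODE=0                      # 1: log the commands instead of running them (like -t)
VERBOSE=0                       # 1: print every command (like -v)
LOGFILE="${LOGFILE:-./ipfwadm.log}"

# run CMD...: execute a command, or in test mode append it to the log so the
# ipfwadm lines can be read and checked by hand before they are ever executed.
run() {
    if [ "$VERBOSE" = 1 ]; then echo "$*"; fi
    if [ "$TESTMODE" = 1 ]; then
        echo "$*" >> "$LOGFILE"
    else
        "$@"
    fi
}

# host_service PROTO PORT SRC: a service on the firewall host itself.
# Only the input and output chains of the firewall are involved; no forwarding.
host_service() {
    proto=$1; port=$2; src=$3
    run ipfwadm -I -a accept -P "$proto" -S "$src" -D "$FIREWALL_IP" "$port"
    run ipfwadm -O -a accept -P "$proto" -S "$FIREWALL_IP" "$port" -D "$src"
}

# gateway_service PROTO PORT SRC DST: a service that passes through the firewall.
# -W names the interface the forwarded packet leaves on: requests go out on the
# external interface, replies go back out on the internal one.
gateway_service() {
    proto=$1; port=$2; src=$3; dst=$4
    run ipfwadm -F -a accept -P "$proto" -W "$EXT_IF" -S "$src" -D "$dst" "$port"
    run ipfwadm -F -a accept -P "$proto" -W "$INT_IF" -S "$dst" "$port" -D "$src"
}

# build_rules: what a generated rules script for two services would do.
# Flush all chains, deny by default, then allow exactly the defined services.
build_rules() {
    run ipfwadm -I -f; run ipfwadm -O -f; run ipfwadm -F -f
    run ipfwadm -I -p deny; run ipfwadm -O -p deny; run ipfwadm -F -p deny
    host_service tcp 22 "$ADMIN_HOST"                   # ssh to the firewall, one host only
    gateway_service tcp 80 "$INTERNAL_NET" 0.0.0.0/0    # internal network browsing the web
}

# test_run: build the rules in test mode and return the logged commands.
test_run() {
    TESTMODE=1
    LOGFILE=$(mktemp)
    : > "$LOGFILE"
    build_rules
    cat "$LOGFILE"
    rm -f "$LOGFILE"
}

# Stand-alone: print the ipfwadm commands for review; nothing is executed.
test_run
```

Run it as a plain shell script: with TESTMODE=1 nothing touches the kernel, and the printed lines are the ones to check by hand (default policies set to deny, only the two services allowed, the ssh rule restricted to the admin host).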
As described above, the etc/rules directory contains all executable scripts to setup the firewall. These scripts are executed by the firewall command in a specific order:
Directory | Remark | Example
. | executable commands | firewall
html | the HTML files | index.htm, firewall.htm, archit.htm, ...
cgi-bin | process the HTML forms; fill the HTML forms with the definitions; create the IP-filtering rules; other stuff | form_xxx.cgi, fill_xxx.cgi, create_xxx.cgi, ...
log | all IP-filter commands; all services which are processed | ipfwadm.log, ipchains.log, ipF.log; services.log
etc/config | the definition of the service; the screening rules for the service | telnet.def, html.def, ...; telnet.flt, html.flt, ...
etc | config files for the basic configuration | net.cfg, fw.cfg, aliases.cfg, ...
rules | the IP-filtering rules | telnet.rules, html.rules, ...
setup | the IP-filter commands for each service | telnet.rules, html.rules, ...
You have to set up a directory '/FCT' on your HTTP server which points to the installation directory. If you use the Apache HTTP server, insert the following lines in
- conf/srm.conf:
ScriptAlias /FCT/cgi-bin/ /var/adm/FCT/cgi-bin/
Alias /FCT /var/adm/FCT
- conf/access.conf:
<Directory /var/adm/FCT/cgi-bin>
Options ExecCGI
</Directory>
Send your httpd a SIGHUP signal to re-read the config files.
Set the access rights for the directories where the configuration/log files will be stored:
cd /var/adm/FCT
./Install.sh [-strict] [-cgi] [<httpid>]
Now visit the file '/FCT/html/index.htm' and configure your firewall.
Sample configuration | Description
| reflects my personal configuration at home, which handles dynamic IP with PPP!
| firewall with its own IP and an internal network on device eth0
Choose the configuration which fits your network best, install it, and edit it in an HTML browser like Netscape's Communicator:
root:/var/adm/FCT# ./save_config -i -cgi samples/single-dynamic-IP.tar
root:/var/adm/FCT# ./create_rules all
To save your configuration:
root:/var/adm/FCT# ./save_config [filename]
The default filename is 'FCT-config.tar'.
If you don't want to activate an HTTP server on your firewall to set up the firewall configuration files, it's a good idea to install the FCT twice: on your HTTP server and on your firewall. Configure your firewall with your HTTP server and save the resulting configuration as mentioned above. Then install the saved configuration on your firewall and you're done.
Btw.: Don't forget to create the "rules" files, because these files are executed by the firewall shell script!