You have probably heard that the Internet is the world at your fingertips. Your parents also probably told you to never take
anything from strangers. Yet, being on the Internet and functioning in any reasonable manner means that you are going to receive
all kinds of things from strangers. It cannot be avoided.
I am placing this here for those of you that do not have a firewall in place. If you know what a firewall is for your computer
system, then you probably also know that it will help to keep you from receiving things from strangers that you do not want
to have. If you do not have a firewall in place for some reason, then you need this script. If you are one of those that
do not know what a firewall is, then you really need this script!
What it is:
It is the conjuring of a program called Firewall Builder (and, hence, named fwbuilder). It is a very simple
firewall that makes your Mandrake Linux box invisible to those that do have any priviledges to be accessing your sytem. That
is commonly referred to as "stealth mode" and is about as good as you can get without a heck of a lot of customizations.
It is a very basic firewall meant for a standalone Mandrake Linux v.9 system which uses eth0 and ppp0 that has a dynamically
assigned address from the ISP of choice.. Combined with the fact the your address is dynamically assigned, most rude people
are going to leave you alone. After all, they have plenty of MSwindows boxes to choose from that are, relatively, easy
It allows me to surf as freely as if there was no firewall in place and allows all my local connections to be accessed on
demand. Any connection that is made is allowed to return data to me as is needed. It blocks and drops everything else.
It is currently setup to log all "drops" under the "CatchAll" rule to /var/log/syslog. I monitor syslog fairly often to see
if someone is hammering my box. Yes, it does happen but fortunately, not very often. I will add that the frequency
of that has dropped off since the firewall has been in place.
It has the beginnings of masquerading if you have a system that is connected to one or more computers at your location
via an ethernet card(NIC) but it will require you to use fwbuilder to complete the design for your special circumstances,
protocols, network interfaces, etc. if you need to use it that way. IOW, masquerading is not needed for a Standalone
system and therefore it is not usable without modification for a system that has other systems connected to it(Intranet) if
you want those systems to access your box. You can use the XML source(near bottom of this doc) and fwbuilder to fix that
What it is not:
It is not an expert or "professionally" designed firewall. You can either pay somebody a lot of money to set up a firewall
for you(it takes quite a bit of time for even simple intranets) or you can spend the time yourself to figure out what and
how all the pieces fit together. I am not a security expert and will not do that for you, so do not ask.
It is not guaranteed in any way whatsoever!
It may allow someone to access you system without permission; It may bring your system to its knees; It may not work at all,
etc. Although it is unlikely that it will do anymore than protect your system, I have no idea what you will do or how you
will implement the script and make no warranty of any kind. It works absolutely flawlessly here so far. I have been using
it and various modifications for about a month(as of Jan 2003).
What it needs:
Other than the normal stuff(bash, etc.), Linux 2.4.x and iptables (V4) are required. You may also need " logger " from the
util-linux-2.11u-1mdk RPM package. Mandrake Linux 9 has all of that as a typical install, but you might want to make sure
those are installed. Your system should be using PPPoE to make your connections.
I have not tested it with a normal serial port modem (yet) but the principles are the same and you can massage it a bit if
you are having trouble.
If you want to modify it for masquerading, etc. you will need at least the rc.firewall.01.xml document(near bottom of this
page), fwbuilder, libfwbuilder4 and fwbuilder-ipt files. The Firewall Builder developers are currently posting Mandrake Linux
9 versions so you can just get the ones I listed from their site(nice guys, huh!). If you have older versions already installed,
UNinstall them first before installing the newest version from the FWB site. Uninstall, here, did not remove the files that
I had already built with fwbuilder so it should be safe to uninstall it. Version 1.0.8 fixes some rather old and ugly bugs
that are in the 1.0.7 version distributed with ML9. Believe me, it is worth the effort to get it and install it.
Since time is ticking, the script source follows and the instructions to get it running are below it.
Here's a link you can use if you do not want to copy and paste the script:
Name Your Firewall!.fw
Please note:It will NOT run with the current information! It has to be very slightly modified (two
places) for your system.
All you have to do is modify the IP address to match your system and then run the script. Logging to syslog is enabled
and you can see what the firewall is doing by tailing syslog in a shell.
A little better explanation is that you need to replace the " WWW.XXX.Y.ZZ " in the above script with your eth0 address.
You can get your eth0 address by typing
at a CLI prompt in a bash shell.
It will return with a display of some information similar to the following:
eth0 Link encap:Ethernet HWaddr 00:01:3A:00:BB:BB
(some details omitted for brevity)
inet addr:WWW.XXX.Y.ZZ Bcast:WWW.XXX.Y.zzz Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
ppp0 Link encap:Point-to-Point Protocol
inet addr:184.108.40.206 P-t-P:220.127.116.11 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
The address following "inet addr:" on your system's display is the address you need to substitute into the script for the
two places that have WWW.XXX.Y.ZZ shown in the script.
You can also change "guessWho" in the two spots of the script to your name.
If you happen to be using ethX where X is not equal to 0, then you will have to change that too for all occurrences in the
Otherwise, leave it alone if you want it to work!
You can use the rc.firewall.01.xml document that follows to modify the script with fwbuilder anyway you want, if you so choose
and need to do it to get a firewall running for your specific configuration.
AFTER you have made the address changes, you can run the script from any bash shell. If the script is named yourMachineName.fw,
and the script will install an iptables basic firewall for you. ( Yes, you need to be in the same directory where you saved
the NameYourFirewall.fw script. )
That's it! Your system is protected.
If you want to check it, you can go to get your "shield" tested at various places. The easiest I have found is GRC:
Scroll down a bit and find the "ShieldsUp!" link; click on it to open that page and select the "Probe My Ports". All ports
should be reported as "Stealth" mode, i.e., you are invisible to anyone that does not know your box is on the net. Although
the site is designed for MSwindows users, it does not matter for the test.
If you execute
tail -n152 -f /var/log/syslog
in a shell, you can see who is bouncing signals off of your box which are subsequently being DROPPED in a realtime display.
(note: Use CTRL-C to quit.)
Why is it:
Everyone needs a basic firewall in place before accessing the Internet. Unfortunately, the various firewalls
that are out there are meant to be unusually complicated and designed for SOHO and medium to large businesses. When I tried
to use Shorewall as supplied in the Mandrake Control Center(MCC) it worked so good that I could not even connect to my own
local system -or- it allowed everything and EvERryBoDy to access the system. IOW, it did not work. Shorewall is a complicated
firewall system to learn. I was able to find a "Standalone" version that Mandrake Linux has installed but it allowed some
ports to be closed rather than dropped(Most notably, IDENT port 113). Closed ports mean your box exists but you are not 'open
for business', so to speak. Well, some people do not care whether you are 'open for business' or not and will try
to access your box regardless.
Because of those things, I had to spend a lot of time surfing, reading and learning just to get a good iptables firewall inplace
that would DROP all connections except the ones I wanted. Portsentry had done that for versions of Linux before 2.4 but with
the many advantages of iptables and Linux 2.4 plus some other reasons, I decided not to use Portsentry.
I, of course, want my local loopback and Intranet to work and I need to be able to contact any http or ftp site via browser
or some other means as long as I initiate the connection. In particular, I needed for my Folding@home projects to be able
to upload and download work units without any problems or personal intervention. Although I am working on an Apache Extranet
server, qmail, and a few other projects, they are not ready and I do not want anyone other than myself to acess them. IOW,
my needs are not complicated at this time. Your mileage will vary and mine will change in the future. :)
By far and large, I think the majority of people that need protection are the single system, "standalone", surfers. Reading
page after page of acronym filled documents is frustrating even for someone who normally reads technical literature. I think
it may cause the normal person to just give up and "hope for the best". The latter is a very dangerous thing to do. Your
box can be oWnED by a stranger in less than FIFTEEN minutes!
That script, above, is here to get you some protection right away.
For the future, now or later, you can get fwbuilder-1.0.8 (or greater) and spend some time designing the firewall you really
need or want. You can get it from the Firewall builder site http://www.fwbuilder.org/ at:
In other words, I think this is a good firewall to start with but everybody's needs are different and you can (and should)
adjust it to meet your needs.
In order for you to make those adjustments I have posted the source for the XML file which was used by the fwbuilder complier
to create the script that was posted above. The xml document is what is loaded into fwbuilder when you do an "Open" file.
The version that I have posted below has been spayed, :), meaning personally identifiable information for me and my system
have been changed to protect the innocent(me). You can use this xml document as a guide when building the firewall you need.
It should decrease the time spent considerably. At least it would have for me if I could have found such a document somewhere...
If you want to inspect the source after you get it onto your box, I'm putting a link here to download it. However,
there is no guarantee that you can get it. There are bandwidth and other limitations for the Lycos "free with ads" sites.
Right click on the following link and "Save As" or, in Galeon, "Download Link":
However, even if that does not work, you can "Select All" and copy it from below. Then paste it into a blank document created
with a text editor and save it as rc.firewall.01.xml (or whatever you want).
Either way, I hope it helps. Here's the source:
Yep, it is a long script to be posted. Okay, it is really long.:) It's about 50KB in size. I placed it here because
it is the source and you need to be secure in the fact that you know exactly what you are getting for the security of your
In order to use it, you can load it the way it is into fwbuilder and then modify it to change the names to whatever suits
you - should not take more than a few minutes.
However, it will be easier and faster if you will open the rc.firewall.01.xml file in nedit, xemacs, gedit or some
other text editor and do a "Search and Replace" for all occurrences of " Name Your Firewall! ", " your.box.name " and " 01.01.01.01
" to replace them with the appropriate information and then save it. When you open up the file in fwbuilder, there will not
be much to change.
Either way, you are, obviously, going to need to change the name "your.box.name" to the name you get when you type " hostname
" at a CLI shell prompt. That's in two places in the xml file. And you will need to change the 01.01.01.01 to the eth0 address
of your box (also two places). The firewall name, currently "Name Your Firewall!", should be changed to the name you want
to use for your machine. That is, if you have a Dell xyz computer, then call it DellxyzFW (or whatever... something like that)
which will identify the machine among the others in your Intranet.
Once again, if you are not using eth0 for your internet connection, you will also have to change that to match your specific
configuration in all occurrences in the file.
The current names are
Name Your Firewall! for the Firewall Machine Name and will also be the script's executable name;
your.box.name for address 01.01.01.01 ;
lo for localhost.localdomain address 127.0.0.1 ;
ppp0 for a 'dynamic address' .
As long as all the changes have been made correctly, fwbuilder will compile the xml document successfully.
Here's what the fwbuilder will look like if you do not change the script before opening it. The link will open in a new widow:
After you make any other changes you need, save the file with a new name of your choice and then "compile" it. If we did
not screeeww-up, you will have a brand new firewall ready to run and modify any way you need. The new firewall's executable
name will be what you substituted for the "Name Your Firewall!" (it is in the fwbuilder "General" box-widget). Just execute
it ( ./theNameYouChose.fw ) to get it started.
After you are satisfied that your box is protected and you can Work&Play as normal, you can then work on putting the script
into the /etc/init.d scripts so that it will start up every time you start your Linux system and so that you can start, status
and stop it with a web interface such as Webmin or from the CLI. There are some samples of how to do that at the Firewall Builder site and other places.
One last thing, Remember this command:
If all goes haywire and the firewall you designed is keeping you from getting anywhere, that will "flush" all the chains and
reset the iptables rules to "ACCEPT" all connections in, forwarding and out. I would not suggest being connected to the internet
if you do that as your box will be as bare-ass as a new born baby. :)
Oh yea, updates? I will modify the layout of this(do not like it much) and, if necessary, update the script(s) when I get
a chance but right now, I have to get a _paying_ job.
Enter supporting content here