|
Fwctl is a Perl module to configure the Linux kernel packet filtering firewall. SYNOPSIS use Fwctl; my $fwctl = new Fwctl( %opts ); $fwctl->dump_acct; $fwctl->reset_fw; $fwctl->configure; Fwctl is a module to configure the Linux kernel packet filtering firewall using higher level abstraction than rules on input, output and forward chains. It supports masquerading and accounting as well. Why Fwctl ? Well, say you are the kind of paranoid firewall administrator which likes his firewalls rules tight. Very tight. Say the kind, that likes to distinguish between a SYN and ACK packet when accepting a TCP connection (anybody configuring packet filters should care about that last point), or like to specify the interface name on each rules. (Whether this is really need, or such a stance is relevant, is not the point.) How would such an administrator proceed ? First of all you deny everything on all interfaces and on all chains (input, forward and output) and turn on logging. Now starting from this configuration (in which Fwctl puts the firewall on initialization), say you want to enable ping from the internal network to the internal ip. What rules do you need ? You need a rule on the input chain to accept the echo-request packet and a rule on the output chain to accept the echo-reply request. Right ? Well, what about the loopback. For sure, when we say from local net to local ip, this imply local ip to local ip ? Then you add a rule to the output chain with the loopback interface, and a rule on the input rule to the loopback chain. And we didnt even start forwarding yet ! Add masquerading to the lot and multi connections protocols like FTP and you got something unmanageable. So you start accepting things you shouldnt to get your job done and in the end your filters look like emmenthal. Fwctl handles all the complexity of this, so that when you say accept ftp -src FTP_PROXY -dst INTERNET -noport you dont accept too much of what you didnt intend. (Well you just opened arbitrary TCP connections to unprivileged ports on the Internet from your proxy server, but thats because of the FTP protocol, not because your cheating on the firewall rules.) Fwctl works with entity known as service. A service can be ftp, netbios, ping or anything else. The service abstraction handles all the communication necessary for that application. (The UDP and TCP communication in DNS, or the control, data and passive connections for FTP.) Additionally, to handle all the special case with ANY specification, when the src of dst imply a local IP, or masquerading, in short for Fwctl to be able to deduce the interface implicated by the src and dst portion of a rules you need to provide it with your network topology. Fwctl must guess from your topology the routing decision that will be made in the kernel. In the best of worlds, Fwctl should contains the same routing algorithm as the one in the kernel. Well, it doesnt so if you are using fancy routing feature, Fwctl wont work. In fact, it can only handle something equivalent to simple static routing. You have been warned. So in short, to configure your packet filters with Fwctl you need to Define your network topology using the interfaces file. (Optional) Define meaningful aliases for hosts and networks which are part of your configuration. Implement your security policy using high level abstract rules in the rules file. Finally, Fwctl is extensible. You can easily add services modules using the Fwctl::RuleSet module which contains all the primitive you need to handle all the special cases involved in the input, forward and output chain selection..
| Requirements: |
No special requirements
|
| Platforms: |
Linux |
| Keyword: |
Configure, Ftp, Fwctl, Kernel, Libraries, Linux Kernel, Local Ip, Module, Need, Packet, Packet Filtering, Perl Module, Rules, Tcp |
| Users rating: |
0/10 |
|
Windows Software
Albina Merfyn - I find this to be really easy to use. I can...
