Global control of firewalling
There are various tools out there to configure and control a firewall.
This dialog allows you to decide if Linuxconf should control your
firewall and how.
1. Principles
The Linux firewall controls IP packets as they are entering, flowing
through and exiting the machine. Each step is controlled by a set of
rules: the input, forward, and output rules.
Each rule set is configured independently and may be enabled
independently. Even if a rule set is configured, it may be turned off
in the current dialog, generally for testing purposes.
1.1. Firewall integrity
If you enable one rule set, Linuxconf assumes it is in charge of the
firewall and will make sure it is current (the kernel state matches the
configuration) every time you exit from Linuxconf (this is
interactive, so you will notice).
If you do not enable any rule set, then you are on your own. This
means you can use any tool you want to handle this task.
2. Dialog description
The dialog has four sections.
2.1. Rules control
You can turn each rule set on and off. When you turn on a rule set, the
default policy is set to deny. You must provide rules to allow some
traffic.
The accounting rule set is a feature to turn on packet accounting
without affecting the logic of the firewall. Note that any rule has two
counters: a packet counter and a byte counter. Each counter is a full
64 bits, so you can get interesting statistics out of them and they
won't overflow. So the accounting rule set is not strictly needed, since
the other rules do their own accounting.
Use the ipchains command to review the various counters:
/sbin/ipchains -L -nv
2.2. Special kernel modules
You have one check-box for each masquerading helper module. IP
masquerading, in forwarding rules, is used as a general proxy for an
Intranet, hiding private IP addresses. It works for most protocols. But
for the few special ones, you need some kernel modules. You enable
each one here.
2.3. Extra kernel modules
You can enter the names of various modules unknown to Linuxconf.
Linuxconf will make sure each kernel module is loaded.
2.4. Features
2.4.1. Update the kernel gracefully
This check-box controls how the firewalling rules are installed in the
kernel.
2.4.1.1. Default way
Normally, Linuxconf wipes the kernel firewall rules and puts the new
ones in place. It performs the following steps:
o Change the default policy to ACCEPT.
o Erase the old rules in the kernel.
o Put the new ones in place.
o Set the default policy to DENY.
This strategy allows one to change the firewalling rules, even from a
network connection, without locking yourself out in the middle of the
update.
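The four steps above, written out as a POSIX shell function around the ipchains command (an added example, not Linuxconf's own code). The IPCHAINS variable and the rules-file layout are assumptions made for this example: set IPCHAINS=echo to see the command sequence without touching the kernel.

```shell
#!/bin/sh
# Added example: the "default way" update as a shell function.
# IPCHAINS is an assumption of this example; override it (e.g. IPCHAINS=echo)
# to dry-run, otherwise it must be run as root against the real binary.
IPCHAINS=${IPCHAINS:-/sbin/ipchains}

# fw_update_default RULES_FILE
# Assumed layout: each line of RULES_FILE holds the arguments of one
# ipchains call, e.g.  -A input -s 192.168.1.0/24 -j ACCEPT
# Empty lines and lines starting with '#' are ignored.
fw_update_default() {
    rules="$1"
    [ -r "$rules" ] || { echo "cannot read rules file: $rules" >&2; return 1; }
    # Step 1: open the default policies so a remote session survives the flush.
    for chain in input forward output; do
        "$IPCHAINS" -P "$chain" ACCEPT || return 1
    done
    # Step 2: erase the old rules from the built-in chains.
    for chain in input forward output; do
        "$IPCHAINS" -F "$chain" || return 1
    done
    # Step 3: put the new rules in place.
    # A failing rule aborts here and leaves the policies at ACCEPT: the host
    # is then fail-open, so the caller must check the exit status.
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        # word splitting of $line into separate arguments is intended
        "$IPCHAINS" $line || return 1
    done < "$rules"
    # Step 4: close the default policies only after the allow rules exist.
    for chain in input forward output; do
        "$IPCHAINS" -P "$chain" DENY || return 1
    done
}
```

Between steps 1 and 4 every chain accepts everything, which is the window the text calls "not a firewall any more"; a rules file with no rule for your own session is what locks you out at step 4.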
This "not so graceful" update has the following advantages:
o Reliable: it brings the firewall to a known state, whatever the
previous state was.
o Good chance of not locking you out (unless you have not provided
suitable rules).
It has the following disadvantages:
o It is slow.
On a very large firewall, with 10,000 rules or more, it takes several
seconds to put the firewall rules in place.
o It is insecure.
During the update, the firewall is not a firewall any more. This is
not really a bug, since firewalls are generally seldom updated (at
boot time, and once in a while when the admin sees fit).
If you are using a module like userfirewall, or your firewall is
updated on PPP connection/disconnection (the dialout,
pppdialin and redhatppp modules can interact with the firewall), then
the firewall may be updated on a regular basis, potentially several
times per minute.
2.4.1.2. Graceful mode
In graceful mode, Linuxconf will only update the firewall chains which
have to be updated. Further, it will potentially only affect a subset
of a chain. This is much faster. Also, during the update, it does not
change the default policy. So even if you change your firewall rules
often, you will only see a very short service interruption (potentially
a few packet losses).
This mode, while faster and smarter, is somewhat less reliable. It
assumes it has been in control of the firewall at all times. The
current kernel interface is rather slow and it takes a while to
extract its current state. So instead, the module keeps the current
state in /var/run/firewall.chains and rereads that file to tell how to
update the firewall. If this file falls out of sync with the kernel,
then the firewall won't be updated properly. If that ever happens, just
do:
linuxconf --modulemain firewall --resetfw
linuxconf --modulemain firewall --update