1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
|
INTRODUCTION
Uruk is a simple shell script (uruk(5)) which calls Linux
iptables. It uses a template file to get lists of source addresses, allowed to
use specific network services.
REQUIREMENTS
Uruk is useful only on GNU/Linux systems. However, the rc file (see
uruk-rc(5)) could be used by other packet filtering engine wrappers
too.
For this script to work, your Linux kernel needs stuff from the
netfilter/iptables project ( http://www.netfilter.org/ ). The specific
needed settings are
.config variable module name description in ``make config''
CONFIG_IP_NF_IPTABLES ip_tables.o (``IP tables support'')
CONFIG_IP_NF_TARGET_LOG ipt_LOG.o (``LOG target support'')
CONFIG_IP_NF_MATCH_STATE ipt_state.o (``Connection state match support'')
CONFIG_IP_NF_TARGET_REJECT ipt_REJECT.o (``REJECT target support'')
for CONFIG_IP_NF_MATCH_STATE, you need
CONFIG_IP_NF_CONNTRACK (``Connection tracking'')
. Furthermore, you need the iptables(8) command, as shipped with the iptables
package from the netfilter project.
For typesetting the documentation (the uruk(8), uruk-rc(5) and uruk-save(8)
manpages), you'll need zoem >= 05-328. Zoem is a an interpretive macro
language, for creating mark-up languages, by Stijn van Dongen. Information
about zoem, as well as tarballs for download, can be found on the zoem webpage
at http://micans.org/zoem/ . Binary zoem packages are shipped with Debian
GNU/Linux. Pretypesetted uruk docs are not shipped, since their contents
depend on your ./configure settings.
INSTALL
See the INSTALL file for generic installation instructions. The Uruk init
script, in init/uruk, gets installed in /usr/local/etc/init.d/ by default.
Symlinks are _not_ created. You'll have to create them yourself, after running
'make install'. E.g. do:
root@nagy:/etc/init.d# ln -s /usr/local/etc/init.d/uruk
root@nagy:~# update-rc.d uruk defaults
.
(If you lack update-rc.d, do something like
root@kubl01:/etc# ln -s ../init.d/uruk rc0.d/K92uruk
root@kubl01:/etc# ln -s ../init.d/uruk rc1.d/K92uruk
root@kubl01:/etc# ln -s ../init.d/uruk rc2.d/S20uruk
root@kubl01:/etc# ln -s ../init.d/uruk rc3.d/S20uruk
root@kubl01:/etc# ln -s ../init.d/uruk rc4.d/S20uruk
root@kubl01:/etc# ln -s ../init.d/uruk rc5.d/S08uruk
root@kubl01:/etc# ln -s ../init.d/uruk rc6.d/K92uruk
)
UPGRADE
For upgrades from any version: run /etc/init.d/uruk force-reload after
installation. Read the NEWS file.
* upgrading from uruk <= 20050718
You might like to use the experimental IPv6 support. See the NEWS file.
Behaviour of the uruk init script has changed. Before 20050718, you were
advised to run
/etc/init.d/uruk stop; uruk; /etc/init.d/uruk save active
. This has changed. One now should run
/etc/init.d/uruk force-reload
after changing the uruk rc file.
Some details: To understand this, consider the uruk states: Iptables rules are
kept in:
liverules inactivestatefile activestatefile uruk-rc
. Actions on copying rules from one to the other are:
init.d/uruk stop
init.d/uruk start
init.d/uruk reload
sbin/uruk
uruk-save
The actions perform the following copies:
sbin/uruk : uruk-rc -> liverules
uruk-save : uruk-rc -> activestatefile
Uruk's init behaviour <= 20050718:
init.d/uruk stop : inactivestatefile -> liverules [1]
init.d/uruk start : activestatefile -> liverules [1]
init.d/uruk reload: activestatefile -> liverules [1]
Uruk's init behaviour > 20050718:
init.d/uruk stop : inactivestatefile -> liverules [1]
init.d/uruk start : liverules -> inactivestatefile;
uruk-rc -> activestatefile ;
uruk-rc -> liverules
init.d/uruk force-reload:
uruk-rc -> activestatefile ;
uruk-rc -> liverules
[1] depends on wether or not inactivestatefile and activestatefile are present.
* upgrading from uruk < 20031026
After uruk version 20031026, the hooks are no longer called rc_1, rc_2, ....
rc_10, but rc_a, ... rc_i. rc_1 is taken over by rc_a; rc_9 and rc_10 are
taken over by rc_i. For most situations, replacing ``-A block'' with ``-A
INPUT'' suffices to translate rc_<n> to rc_<a>. However, please take a look at
the uruk script itself to find out. uruk-rc(5) is updated and contains some
examples.
POST INSTALLATION STUFF
Uruk will _not_ "just work" out of the box. It needs manual configuration.
See the uruk(8) manpage for quick setup instructions.
HACKING
Uruk version control is handled using the GNU arch revision control system, on
http://arch.gna.org/uruk/ . You can get a fresh copy by running
tla register-archive my@address.org--2004-uruk \
http://arch.gna.org/uruk/archive-2004
tla get my@address.org--2004-uruk/uruk--mainline--0.1 uruk
See http://wiki.gnuarch.org/ and
http://regexps.srparish.net/tutorial-tla/arch.html for information about arch.
MORE INFORMATION, SIMILAR TOOLS
The uruk(8), uruk-rc(5) and uruk-save(8) manpages are available in HTML format
too. By default, they're installed in /usr/local/share/doc/uruk/html/ .
The Uruk webpage is at http://mdcc.cx/uruk/ .
See also http://www.openbsd.org/faq/faq6.html#6.2 and pf.conf(5) (online on
http://resin.csoft.net/cgi-bin/man.cgi?section=5&topic=pf.conf ) for general
ideas on packet filtering.
Tools doing similar stuff as this script are Auke Kok's ``ferm'', available
from http://www.geo.vu.nl/~koka/ferm/ and Arno van Amersfoort's
``arno-iptables-firewall'', available from
http://rocky.eld.leidenuniv.nl/page/iptables/iptframe.htm . Other tools, with
varying levels of userfriendlyness (or bloatedness) are: ipmasq, shorewall,
firestarter, ipmenu, fireflier, firewall-easy, fwbuilder, fwctl, gfcc, lokkit,
gnome-lokkit, gshield, guarddog, hlfl, knetfilter, mason and gshield. Another
list of alternatives is in the "Securing Debian Manual",
http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html#s-firewall-pack
; this howto is also available via the Debian harden-doc package.
TRIVIA
Uruk is named after the city of Uruk in Mesopotamia (now Iraq), that Gilgamesh
ruled in the Epic of Gilgamesh. This epic reads something like:
View its strong walls, for which there is no equal.
(I only have access to a Dutch translation here, which reads:
De muren van Oeroek, het Oeroek van de schaapskooien, liet hij bouwen.
...
Bekijk zijn overgelijkelijke borstwering.
...
Bestijg de muren van Oeroek, loop erop.
Beproef de fundering, bekijk het tichelwerk.
Is zijn tichelwerk niet van baksteen?
.)
The city of Uruk is known under the name Erech in the bible:
9 He was a mighty hunter before the LORD: wherefore it is said, Even as
Nimrod the mighty hunter before the LORD.
10 And the beginning of his kingdom was Babel, and Erech, and Accad, and
Calneh, in the land of Shinar.
Gen10:9-10, KJV
It has nothing to do with http://www.uruk.org/ , where Erich Boleyn's Home Page
is.
# this file maintained using arch at http://arch.gna.org/uruk/
|
