	Note - this file is, unfortunately, a mix of old and new
designs.  I have not taken the time to clean it up and clear out the
cruft.  -- WLS, 11/20/2003



 	Firebricks - the modular approach to Linux' iptables
firewalling.

Files:
- /etc/firebricks/firebricks.conf	shared config file
  enable="module1 module7..." are the modules you wish to use
  disable="module2, module3..." are the modules you do not wish to use.
  Any modules not listed in either of the above are flagged.

- /etc/firebricks/*.conf		individual config files
- /usr/lib/firebricks/*		individual scripts
  One config file per script: module goober has the config file
goober.conf.


	Each module creates and does all its work in one or more chains
whose names start with the name of the module.

Command line parameters to each module:

- action: link, unlink, create, destroy, start=create+link (default),
  stop=unlink+destroy, status (make sure configuration OK and show which
  of the previous states is in place), or version

- target: LOG, DROP, REJECT, or user supplied string
  (such as 'TOS --set-tos 0x0'; user supplied not implemented yet).

- other: dryrun (just echo commands)

Supplied variables:
- $Ipt is '{sudo} path-to-iptables'
- $NEWACC is 'state new accept'
- FirebricksLibDir='/usr/lib/firebricks/'	#Static scripts only
- FirebricksConfDir='/etc/firebricks/'		#global config file firebricks.conf and local NN.conf files
- FirebricksStateDir='/var/lib/firebricks/'	#Dynamic content, bogon list, tcpservers, etc.

Load order:
00:	Lockdown
01-09:	Setup
11-19:	NAT/Mangle
21-29:	Mustblock
31-39:	Learn
41-49:	Mustallow
51-59:	Punish/recent
61-69:	Established,related
71-79:	Block (local policy)
81-89:	Allow (local policy)
91-94:	Log
95-98:	Policy
99:	Remove lockdown	

Modules:
- 03loadmodules		#Load all modules, increase conntrack and recent max
- 05lockdown		#For "/etc/rc.d/init.d/firebricks stop"
- 15stripecn
- 15masq
- 15settos
- 15ipv4optsstrip
- 25tcpflags
- 25rpfilter
- 25invalidaddr
- 25darkspace
- 25invalid
- 25lowttl
- 35adminssh
- 43recordrecent	#by service (22/tcp, 53/udp) record the other end IP of incoming and outgoing connections
- 45psd			#-> recent/scanners
- 45getright		#-> recent/hogs
- 45sshscanners		#-> recent/scanners
- 45nimda		#-> recent/virus
- 45codered		#-> recent/virus
- 45shun
- 48punish
- 55established
- 65snort		#Individual modules for each snort file, probably?
- 65localblock		#Leave skeleton
- 65blackhole
- 75localallow		#Leave skeleton
- 85logrest		#prefix on command line
- 95policy		#Actual default policy on command line

- psd?



Issues:

	On module reload, there should never be a point where neither
the old nor the new rules are in place.  Getting a list of the old rules,
appending the new rules, then deleting the old rules should work.

	Steps for replacing rules (IOF = the parent chains that jump to
the module's chain $Me; under each step is the state it leaves behind):

	start:		IOF -> Me		Me: old rules
	renamechain:	rename the old chain to $Me-$RANDOM
			IOF -> Me-RANDOM	Me-RANDOM: old rules
	create:		create the new rules in $Me
			IOF -> Me-RANDOM	Me: new rules, Me-RANDOM: old rules
	replacelinks:	replace the links
			IOF -> Me		Me: new rules, Me-RANDOM: old rules
	replacelinks:	destroy the temporary chain
			IOF -> Me		Me: new rules
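The replacement sequence above as a POSIX shell sketch, added here and not taken from the Firebricks scripts. It relies on iptables -E (rename a chain; existing jumps follow it) and -R (replace one rule in place), $Ipt follows the notes, and fb_run, fb_link_rulenum, fb_rules, fb_sample_listing, FB_DRYRUN, FB_TMPSUFFIX and FB_LISTER are names invented for this example.

```shell
#!/bin/sh
# Added example, not Firebricks code: the chain-replacement steps from the
# notes, ordered so the parent chains always jump to either the old or the
# new copy of a module chain. Ipt follows the notes; FB_DRYRUN=1 echoes the
# commands instead of running them, like the "dryrun" parameter.
Ipt="${Ipt:-iptables}"

fb_run() {                        # run, or in dryrun mode echo, an iptables command
  if [ -n "${FB_DRYRUN:-}" ]; then echo "$Ipt $*"; else $Ipt "$@"; fi
}

# Rule number of the "-j CHAIN" link inside a parent chain, parsed from
# `iptables -S PARENT` output on stdin. -P lines are policies, not rules,
# so only -A lines are counted. Prints nothing when no link exists.
fb_link_rulenum() {
  awk -v c="$1" '/^-A/ { n++; if ($0 ~ ("-j " c "$")) { print n; exit } }'
}

# Replace module chain $1; the remaining arguments are the parent chains
# that jump to it. FB_LISTER (hypothetical) overrides `iptables -S` so a
# plan can be built from a captured listing; fb_rules is a hypothetical
# hook through which the module appends its rules to the named chain.
fb_replace_chain() {
  me=$1; shift
  tmp="$me-${FB_TMPSUFFIX:-$$}"   # notes use $RANDOM; $$ keeps this POSIX sh
  fb_run -E "$me" "$tmp"          # renamechain: parent jumps now point at $tmp
  fb_run -N "$me"                 # create: new rules under the original name
  fb_rules "$me"
  for parent in "$@"; do          # replacelinks: -R swaps the jump in place
    num=$(${FB_LISTER:-$Ipt -S} "$parent" | fb_link_rulenum "$tmp")
    if [ -z "$num" ]; then echo "no link to $tmp in $parent" >&2; return 1; fi
    fb_run -R "$parent" "$num" -j "$me"
  done
  fb_run -F "$tmp"                # destroy the temporary chain: flush, delete
  fb_run -X "$tmp"
}

# Constructed sample: a 25tcpflags-style module and a parent listing in
# which the renamed copy is the second rule.
fb_rules() { fb_run -A "$1" -p tcp --tcp-flags ALL NONE -j DROP; }
fb_sample_listing() {
  printf '%s\n' "-P $1 DROP" "-A $1 -i lo -j ACCEPT" \
    "-A $1 -j 25tcpflags-4711" "-A $1 -j 25rpfilter"
}
fb_demo() {                       # prints the seven commands of a dry run
  FB_DRYRUN=1; FB_TMPSUFFIX=4711; FB_LISTER=fb_sample_listing
  fb_replace_chain 25tcpflags INPUT FORWARD
}
```

Because the listing is read before -R and -R replaces a single rule, the parent chain never goes through a state with no jump to the module.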