Note - this file is, unfortunately, a mix of old and new designs. I have not taken the time to clean it up and clear out the cruft. -- WLS, 11/20/2003

Modwall - the modular approach to Linux iptables firewalling.

Files:
- /etc/modwall/modwall.conf    shared config file
      enable="module1 module7..."    are the modules you wish to use
      disable="module2, module3..."  are the modules you do not wish to use.
      Any modules not listed in either of the above are flagged.
- /etc/modwall/*.conf          individual config files
- /usr/lib/modwall/*           individual scripts

One config file per script: module goober has a config file goober.conf.
Each module creates and does all its work in one or more chains whose names start with the name of the module.

Command line parameters to each module:
- action: link, unlink, create, destroy, start=create+link (default), stop=unlink+destroy, status (make sure the configuration is OK and show which of the previous states is in place), or version
- target: LOG, DROP, REJECT, or a user supplied string (such as 'TOS --set-tos 0x0'; user supplied not implemented yet).
- other: dryrun (just echo the commands)

Supplied variables:
- $Ipt is '{sudo} path-to-iptables'
- $NEWACC is 'state new accept'
- ModwallLibDir='/usr/lib/modwall/'     #Static scripts only
- ModwallConfDir='/etc/modwall/'        #global config file modwall.conf and local NN.conf files
- ModwallStateDir='/var/lib/modwall/'   #Dynamic content, bogon list, tcpservers, etc.
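As an added illustration of the conventions above (this is example code, not a script from the Modwall distribution), here is a skeleton for a hypothetical module "goober", i.e. /usr/lib/modwall/goober with its settings in /etc/modwall/goober.conf. It takes the action, target and dryrun words in any order, keeps all of its rules in a chain named after the module, and links that chain from INPUT (the built-in chain it hooks into, the port it filters and the GOOBER_PORT config variable are all assumptions for the example). With dryrun the iptables commands are echoed instead of run, so it can be exercised on a machine without iptables.

```shell
#!/bin/sh
# Added example (not part of Modwall): skeleton of a hypothetical module
# "goober".  Every chain it touches starts with the module name, and it
# accepts the action / target / dryrun parameters on its command line.

Me="goober"                                  # module name == chain prefix
Ipt="${Ipt:-iptables}"                       # modwall supplies '{sudo} path-to-iptables'
ModwallConfDir="${ModwallConfDir:-/etc/modwall/}"
DRYRUN=0
ACTION="start"
TARGET="DROP"

# Read the module's own config file if present (assumed variable: GOOBER_PORT).
if [ -r "${ModwallConfDir}${Me}.conf" ]; then
    . "${ModwallConfDir}${Me}.conf"
fi
GOOBER_PORT="${GOOBER_PORT:-12345}"          # constructed example value

# Run an iptables command, or with 'dryrun' just echo it.
ipt() {
    if [ "$DRYRUN" = 1 ]; then
        echo "$Ipt $*"
    else
        $Ipt "$@"
    fi
}

do_create() {
    ipt -N "$Me"
    # Constructed example rule: new TCP connections to $GOOBER_PORT go to the target.
    ipt -A "$Me" -p tcp --dport "$GOOBER_PORT" --syn -j "$TARGET"
}

do_destroy() {
    ipt -F "$Me"
    ipt -X "$Me"
}

# Link the module chain from the built-in chain (INPUT here; an assumption).
do_link()   { ipt -I INPUT -j "$Me"; }
do_unlink() { ipt -D INPUT -j "$Me"; }

# status: report whether the chain exists and whether it is linked.
# -C (check a rule) needs iptables 1.4.11 or later.
do_status() {
    if $Ipt -nL "$Me" >/dev/null 2>&1; then
        if $Ipt -C INPUT -j "$Me" >/dev/null 2>&1; then
            echo "$Me: created and linked (started)"
        else
            echo "$Me: created but not linked"
        fi
    else
        echo "$Me: not present (stopped)"
    fi
}

# Parse action / target / dryrun in any order; an unknown word is an error.
modwall_module() {
    DRYRUN=0; ACTION="start"; TARGET="DROP"
    for arg in "$@"; do
        case "$arg" in
            link|unlink|create|destroy|start|stop|status|version) ACTION="$arg" ;;
            LOG|DROP|REJECT) TARGET="$arg" ;;
            dryrun) DRYRUN=1 ;;
            *) echo "$Me: unknown parameter '$arg'" >&2; return 1 ;;
        esac
    done
    case "$ACTION" in
        create)  do_create ;;
        destroy) do_destroy ;;
        link)    do_link ;;
        unlink)  do_unlink ;;
        start)   do_create && do_link ;;
        stop)    do_unlink && do_destroy ;;
        status)  do_status ;;
        version) echo "$Me 0.1 (example)" ;;
    esac
}

# Run as a script, e.g.:  sh goober start DROP dryrun
if [ $# -gt 0 ]; then
    modwall_module "$@"
fi
```

Note the order inside start and stop: the chain is populated before it is linked, and unlinked before it is flushed, so packets never traverse a half-built chain.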
Load order:
  00:    Lockdown
  01-09: Setup
  11-19: NAT/Mangle
  21-29: Mustblock
  31-39: Learn
  41-49: Mustallow
  51-59: Punish/recent
  61-69: Established,related
  71-79: Block (local policy)
  81-89: Allow (local policy)
  91-94: Log
  95-98: Policy
  99:    Remove lockdown

Modules:
- 03loadmodules     #Load all modules, increase conntrack and recent max
- 05lockdown        #For "/etc/rc.d/init.d/modwall stop"
- 15stripecn
- 15masq
- 15settos
- 15ipv4optsstrip
- 25tcpflags
- 25rpfilter
- 25invalidaddr
- 25darkspace
- 25invalid
- 25lowttl
- 35adminssh
- 43recordrecent    #by service (22/tcp, 53/udp) record the other end IP of incoming and outgoing connections
- 45psd             #-> recent/scanners
- 45getright        #-> recent/hogs
- 45sshscanners     #-> recent/scanners
- 45nimda           #-> recent/virus
- 45codered         #-> recent/virus
- 45shun
- 48punish
- 55established
- 65snort           #Individual modules for each snort file, probably?
- 65localblock      #Leave skeleton
- 65blackhole
- 75localallow      #Leave skeleton
- 85logrest         #prefix on command line
- 95policy          #Actual default policy on command line
- psd?

Issues:
On module reload, there should never be a point where neither the old nor the new rules are in place. Get a list of the old rules, append the new rules, then delete the old rules; that should work.

Steps for replacing rules (after each step: where IOF jumps, and which chains exist with old or new rules):

  (before)       IOF->Me          Me: old
  renamechain:   rename the old chain to $Me-$RANDOM
                 IOF->Me-RANDOM   Me-RANDOM: old
  create:        create the new rules in $Me
                 IOF->Me-RANDOM   Me: new, Me-RANDOM: old
  replacelinks:  replace the links
                 IOF->Me          Me: new, Me-RANDOM: old
  (cleanup):     destroy the temporary chain
                 IOF->Me          Me: new
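The replacement sequence above, written out as a shell function a module could call on reload (added example, not Modwall's own code). It assumes "IOF" stands for the built-in chains that jump to the module chain (only INPUT here, listed in $LinkFrom), that the module is named goober, and that the new rules are the constructed ones in create_rules. It relies on iptables -E, which renames a chain while every jump to it follows the rename, so the old rules keep matching under the temporary name until the links are swapped; the new jump is inserted at the old jump's position before the old jump is deleted, so there is no instant at which neither rule set applies. DRYRUN defaults to 1 so the function only prints the commands unless you set DRYRUN=0.

```shell
#!/bin/sh
# Added example (not part of Modwall): atomic chain replacement on reload.
# Assumed: IOF = the built-in chains jumping to $Me (INPUT only here);
# iptables -E renames a chain and all jumps to it follow the rename.

Me="${Me:-goober}"               # module name == chain prefix (assumed)
Ipt="${Ipt:-iptables}"           # modwall supplies '{sudo} path-to-iptables'
DRYRUN="${DRYRUN:-1}"            # default to dryrun so the example is safe to run
LinkFrom="${LinkFrom:-INPUT}"    # built-in chains that jump to $Me (assumed)

# Run an iptables command, or with dryrun just echo it.
ipt() {
    if [ "$DRYRUN" = 1 ]; then echo "$Ipt $*"; else $Ipt "$@"; fi
}

# Build the new rule set in chain $1 (constructed example rules).
create_rules() {
    ipt -N "$1"
    ipt -A "$1" -p tcp --dport 12345 --syn -j DROP
}

# Line number of the first jump to chain $2 inside chain $1 (1 under dryrun).
jump_index() {
    if [ "$DRYRUN" = 1 ]; then echo 1; return; fi
    $Ipt -nL "$1" --line-numbers | awk -v t="$2" '$2 == t { print $1; exit }'
}

# Replace the module's rules with no moment where neither old nor new apply.
reload_module() {
    # $RANDOM is not POSIX (dash lacks it); fall back to the PID.
    # ReloadSuffix lets a caller pin the temporary name (used by tests).
    tmp="$Me-${ReloadSuffix:-${RANDOM:-$$}}"

    # 1. renamechain: the old rules now live in $tmp; IOF still jump there.
    ipt -E "$Me" "$tmp"

    # 2. create: the new rules under the original name, not yet reachable.
    create_rules "$Me"

    # 3. replacelinks: insert the jump to the new chain at the position of the
    #    old jump, then remove the old jump.  Traffic always passes through
    #    exactly one of the two chains.
    for chain in $LinkFrom; do
        idx=$(jump_index "$chain" "$tmp")
        ipt -I "$chain" "${idx:-1}" -j "$Me"
        ipt -D "$chain" -j "$tmp"
    done

    # 4. destroy the temporary chain: nothing references it any more.
    ipt -F "$tmp"
    ipt -X "$tmp"
}

# Run as a script, e.g.:  DRYRUN=1 sh reload.sh
if [ $# -gt 0 ] || [ "$DRYRUN" = 1 ] && [ -z "$ReloadSuffix" ] && [ "${0##*/}" = "reload.sh" ]; then
    reload_module
fi
```

Between steps 2 and 3 the new chain exists but is unreachable, and between steps 3 and 4 the old chain exists but is unreachable; a failure at either point leaves the firewall enforcing a complete rule set, which is the property the Issues note asks for.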