Q - How do I maintain a firewall script once it has been generated?
If you want to insert, edit, delete or move any of the rules in your live firewall, you can
do it through the 'View Options' >> 'View Firewall' area. Clicking the arrows moves a rule
up or down. Click 'Insert' to insert a rule. Click 'Edit' to edit or delete a rule.
If you want to add a rule to an empty chain, or want to append a rule to the bottom of
a chain, click 'New Rule' from the 'Edit Firewall' menu and create your new rule there.
Once all of your changes have been made, go back to the 'View Firewall' screen and
click 'Save Firewall' to save them, then 'Export to rc.firewall' to create an rc.firewall
script that can be run at boot time.
Q - I am finding the creation of new rules very difficult because I am just
not that familiar with the ipchains and iptables lingo and low-level
functionality. Your product seems to work fine after going through the
firewall wizard, but I can't open other ports and don't really know how.
To create a rule, you have three options:
1 - You can always use the Wizard again to add items to your list of incoming and
outgoing rules. The Wizard remembers what you did the first time, so you don't need to
do everything again, only add the new services.
2 - You can use 'Insert Rule' from the 'View Firewall' screen.
3 - You can use 'New Rule' from the 'Edit Firewall' menu.
New Rule and Insert Rule work the same way, except that New Rule lets you pick the chain
and appends the rule to the end of that chain, while Insert Rule inserts the rule at the
position where you clicked 'Insert', in that same chain.
As for what goes where:
If you want services from the internet to reach that box (for example, if you want to
run a web server on it), you want an Input rule. If you want traffic from that box to
get out (for example, to view web pages on the internet), you want an Output rule. If
you want other machines' traffic to pass through that box (the box acting as a router),
you create a Forward rule.
The nitty gritty:
If you just want to give everyone on your network access to port 1234 on the outside
world, click 'Insert' in the Forward chain, put 1024:65535 in Source Ports, 1234 in
Destination Ports, set the target to ACCEPT and the protocol to TCP, and finish by
clicking 'Add New Rule'. In fBuilder 2.2.x (ipchains, no connection tracking) you also
want to check 'Create back traffic rule' so that the replies are let back in. With 2.4.x
(iptables) you do not need back traffic rules, because replies to connections you have
already accepted are handled by state checking. The source port range 1024:65535 assumes
that the clients use unprivileged ports, which is the normal case.
Obviously, this is a very simple example, chosen to show that the program does almost
everything for you. If you only want to allow port 1234 to one machine on the internet,
say 123.123.123.123, just add that IP to the Destination Address, and so on.
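As an added example (not fBuilder output, and not code from the fBuilder project), here is what the port 1234 recipe above comes to in iptables terms, written as the kind of function an rc.firewall script would carry. It shows both the 2.4.x stateful form and the 2.2.x-style pair of rules with an explicit back traffic rule, and also covers the "only to 123.123.123.123" variant. The interface names (eth0 facing the internet, eth1 facing the LAN) and the LAN network 192.168.1.0/24 are assumptions made for the example; setting IPT=dry prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not fBuilder output: the iptables rules behind the
# "port 1234 for everyone on the LAN" recipe, in rc.firewall form.
# Interface and network names below are assumptions for the example.
IPT="${IPT:-/sbin/iptables}"   # set IPT=dry to preview the rules instead of loading them
LAN_IF="eth1"                  # assumed internal interface
WAN_IF="eth0"                  # assumed internet-facing interface
LAN_NET="192.168.1.0/24"       # assumed internal network
dry() { printf '%s\n' "$*"; }  # preview helper: print one rule per line

# Drop everything that is not explicitly allowed to be routed through the box.
fwd_init() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
}

# 2.4.x style: one rule lets replies to any accepted connection back through,
# so each service then needs only a rule for the new connection.
fwd_allow_replies() {
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Allow the LAN to open TCP connections to $port on $dst (default: any host).
# Source ports 1024:65535 match the recipe (unprivileged client ports).
fwd_allow_new() {
    port="$1"; dst="${2:-0.0.0.0/0}"
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -s "$LAN_NET" -d "$dst" \
        --sport 1024:65535 --dport "$port" -m state --state NEW -j ACCEPT
}

# 2.2.x style (no connection tracking): the outbound rule plus the "back traffic"
# rule for the replies. The reply rule refuses SYN packets so that it cannot be
# used from the outside to open a new connection into the LAN.
fwd_allow_stateless() {
    port="$1"; dst="${2:-0.0.0.0/0}"
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -s "$LAN_NET" -d "$dst" \
        --sport 1024:65535 --dport "$port" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -s "$dst" -d "$LAN_NET" \
        --sport "$port" --dport 1024:65535 ! --syn -j ACCEPT
}

# Rules are only loaded when run as "sh rc.firewall apply" (use IPT=dry to preview).
if [ "${1:-}" = "apply" ]; then
    fwd_init
    fwd_allow_replies
    fwd_allow_new 1234                    # port 1234 to anywhere
    fwd_allow_new 1234 123.123.123.123    # or only to one host
fi
```

The stateful form is the one to prefer on a 2.4.x kernel: the reply rule in fwd_allow_stateless has to trust the source port 1234, which anything on the internet can choose, so the `! --syn` restriction is all that keeps it from being an open door.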
Q - I'm trying to create multiple fixed NAT mappings between a fixed public
address and a fixed internal (private) address. How might I achieve this with fBuilder
plus 2.4? (i.e. 123.123.1.100 >> 192.168.1.100)
This is done through 'Edit Firewall' >> 'New Rule'. Once in that screen, enter the following items:
1 - Inbound Interface: set to the NIC that faces the internet (e.g. eth0)
2 - Destination IP Address: set to the address that people on the outside will use (e.g. 123.123.1.100)
3 - NAT to IP Address: set to the internal address the packet should be delivered to (e.g. 192.168.1.100)
4 - Rule Type = Prerouting
5 - Target = DNAT
6 - Protocol = ALL (you can make this TCP or UDP only if you don't want to redirect all packets)
7 - Click 'Add New Rule'
Repeat these steps once for each public/private pair. Note that the DNAT rule only rewrites the destination address; the translated packets still have to be accepted by your Forward chain, so the internal machine is reachable only for the protocols and ports your Forward rules allow.
Once your edits are in place, click 'Save Firewall' from the 'View Options' >> 'View Firewall' screen to save your script. You can also export your firewall to an rc.firewall script from the 'View Firewall' screen so that you can launch it at boot time.
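As an added example (not fBuilder output, and not the fBuilder project's own code), here are the iptables rules that the mapping recipe above produces, generalized to a table of several fixed mappings as the question asks. Besides the PREROUTING/DNAT rule from the recipe it adds two things the recipe does not mention: a POSTROUTING/SNAT rule so that traffic the internal host sends out also carries its public address (a true fixed 1:1 mapping), and the Forward rule without which the translated packets are dropped. The internal interface eth1 and the second mapping (123.123.1.101 to 192.168.1.101, TCP port 80 only) are assumptions constructed for the example; eth0 and the first pair are the page's own values.

```shell
#!/bin/sh
# Added example, not fBuilder output: the iptables rules behind the fixed
# public-to-private mapping recipe, one function call per mapping.
# The internal interface and the second mapping are assumptions for the example.
IPT="${IPT:-/sbin/iptables}"   # set IPT=dry to preview the rules instead of loading them
WAN_IF="eth0"                  # internet-facing interface, as in the recipe
LAN_IF="eth1"                  # assumed internal interface
dry() { printf '%s\n' "$*"; }  # preview helper: print one rule per line

# Let replies to accepted connections back through (2.4.x state checking).
nat_init() {
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Fixed 1:1 mapping of a public address to an internal one.
#   map_1to1 PUBLIC PRIVATE            - all protocols (the recipe's "Protocol = ALL")
#   map_1to1 PUBLIC PRIVATE PROTO PORT - only that protocol and destination port
# - PREROUTING/DNAT is the rule from the recipe: inbound packets for $pub go to $priv.
# - POSTROUTING/SNAT makes packets the internal host sends out use $pub as well.
# - The FORWARD rule is what actually lets the translated packets through. DNAT
#   has already rewritten the destination, so it matches on $priv. With all
#   protocols every service on $priv is exposed, so give a proto/port when you can.
map_1to1() {
    pub="$1"; priv="$2"; proto="${3:-all}"; port="${4:-}"
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$pub" -j DNAT --to-destination "$priv"
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$priv" -j SNAT --to-source "$pub"
    if [ "$proto" = "all" ]; then
        $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$priv" \
            -m state --state NEW -j ACCEPT
    else
        $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$priv" -p "$proto" --dport "$port" \
            -m state --state NEW -j ACCEPT
    fi
}

# Constructed mapping table: public address, private address, optional proto and port.
MAPPINGS="
123.123.1.100 192.168.1.100
123.123.1.101 192.168.1.101 tcp 80
"

# Apply every line of the table; blank lines are skipped.
apply_mappings() {
    printf '%s\n' "$MAPPINGS" | while read -r pub priv proto port; do
        [ -n "$pub" ] || continue
        map_1to1 "$pub" "$priv" "$proto" "$port"
    done
}

# Rules are only loaded when run as "sh rc.firewall apply" (use IPT=dry to preview).
if [ "${1:-}" = "apply" ]; then
    nat_init
    apply_mappings
fi
```

The box must also have IP forwarding turned on in the kernel for any Forward rule to matter, and the mapping table above is the natural thing to keep in version control next to the exported rc.firewall.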
Q - After I run the Wizard, why do the firewall rules come up empty?
fBuilder expects to find your iptables command in the /sbin directory. If it is located
elsewhere (e.g. /usr/local/sbin), create a symbolic link in your /sbin directory that
points to your iptables command.