firejar

README

#
# INTRODUCTION
#

firejar is a firewall script whose design goals are security and simplicity.
Security follows from simplicity and from careful design of the rules. Many
firewall scripts fail when the host has multiple network interfaces, and the
worst of them leave every interface but the first unprotected. firejar
protects all of your interfaces by default, unless you explicitly configure an
interface to be unprotected or partially protected. Another design goal is
maximum portability: firejar is a standard sh script and should run in any
environment that has iptables support and some kind of sh-compatible shell.

Flexibility is somewhat limited by the emphasis on security, but firejar is
still suitable for most servers and user desktops. It is not suitable for
routers. Every port is closed by default; you can open specific protocols and
ports for specified IP addresses with a single configuration directive.
Different ports can be opened for WAN and LAN (if you have one), and the LAN
can be NATted. 'Wild' interfaces can also be specified, for example for a
trusted LAN or for an OpenVPN tun/tap interface.

At a general level firejar uses a few simple iptables rules to accomplish all
of this. As stated above, firejar distinguishes between LAN and WAN. If LAN
interfaces are specified, all incoming traffic on those interfaces is sent to
the INPUTLAN chain. All other traffic is sent to the INPUTWAN chain, which
guarantees that a new interface is treated as WAN by default. The INPUTLAN and
INPUTWAN chains accept the traffic specified in the configuration and send
everything else to the LOGDROP chain, which logs the traffic and then refuses
it. There are two exceptions: traffic arriving on the lo interface is always
accepted, and ICMP traffic is sent to the INPUTICMP chain, which accepts all
ICMP traffic but rate-limits it in order to prevent an ICMP flood. All
outgoing traffic is always accepted and all forwarded traffic is refused.
Every chain also filters out packets in an invalid connection-tracking state
(iptables option --state INVALID); if that causes problems, please contact me.

This basic behaviour can be adjusted a little in the configuration. Please
browse the configuration file and read the explanations to get an idea of
what you can do.
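As an added illustration (not firejar's own code, which lives in the script and its configuration file), the following POSIX sh fragment builds the chain layout described above: INVALID packets are dropped, lo and rate-limited ICMP are handled first, INPUT is dispatched to INPUTLAN for the listed LAN interfaces and to INPUTWAN for everything else, FORWARD is refused, and the default policies are switched to DROP only after every rule is in place (the 0.3.19 behaviour from the changelog). The interface and port lists are constructed sample values and the variable names are assumptions, not firejar.conf directives. Setting IPT=echo prints the rules instead of applying them, which is how you can review the result without root.

```shell
#!/bin/sh
# Added example of the firejar chain layout; not firejar's own code.
# Interface and port lists below are constructed sample values and the
# variable names are assumptions, not directives from firejar.conf.

IPT="${IPT:-iptables}"       # IPT=echo prints the rules instead of applying them

LAN_INTS="eth1"              # assumed LAN interface(s); any other interface is WAN
WILD_INTS="tun0"             # assumed fully trusted interface (e.g. OpenVPN)
WAN_TCP_PORTS="22"           # assumed: only ssh reachable from the WAN side
LAN_TCP_PORTS="22 80 445"    # assumed: more services reachable from the LAN

firejar_start() {
    # Start permissive so a mistake further down cannot lock out a remote
    # session; the policies are switched to DROP only at the very end.
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -X

    for chain in INPUTLAN INPUTWAN INPUTICMP LOGDROP; do
        $IPT -N "$chain"
    done

    # LOGDROP: log (rate limited, so a flood cannot fill the log) and drop.
    $IPT -A LOGDROP -m limit --limit 5/minute --limit-burst 10 \
         -j LOG --log-prefix "firejar: "
    $IPT -A LOGDROP -j DROP

    # INPUTICMP: accept ICMP, but rate limit it to blunt an ICMP flood.
    $IPT -A INPUTICMP -m limit --limit 10/second --limit-burst 20 -j ACCEPT
    $IPT -A INPUTICMP -j LOGDROP

    # Per-side chains: established flows, then the configured ports, then drop.
    $IPT -A INPUTLAN -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in $LAN_TCP_PORTS; do
        $IPT -A INPUTLAN -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    $IPT -A INPUTLAN -j LOGDROP

    $IPT -A INPUTWAN -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in $WAN_TCP_PORTS; do
        $IPT -A INPUTWAN -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    $IPT -A INPUTWAN -j LOGDROP

    # INPUT dispatch. Order matters: INVALID first, then lo, then ICMP, then
    # the trusted and LAN interfaces. The final unconditional jump to INPUTWAN
    # is what makes a new, unlisted interface WAN by default.
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -p icmp -j INPUTICMP
    for i in $WILD_INTS; do
        $IPT -A INPUT -i "$i" -j ACCEPT
    done
    for i in $LAN_INTS; do
        $IPT -A INPUT -i "$i" -j INPUTLAN
    done
    $IPT -A INPUT -j INPUTWAN

    # Forwarding is refused and output always allowed; now DROP is safe.
    $IPT -A FORWARD -m state --state INVALID -j DROP
    $IPT -A FORWARD -j LOGDROP
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

firejar_stop() {
    # Flush everything and fall back to permissive default policies.
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -X
}

# Same start|stop|restart interface as firejar; with no argument nothing runs.
case "${1:-}" in
    start)   firejar_start ;;
    stop)    firejar_stop ;;
    restart) firejar_stop; firejar_start ;;
esac
```

Run 'IPT=echo sh firejar-min.sh start' to print the rule set and check that the last INPUT rule is the jump to INPUTWAN and that the three -P DROP/ACCEPT lines come last; only then run it as root without IPT set.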


#
# REQUIREMENTS
#

  * iptables support (which limits your operating system pretty much to GNU/Linux)
  * an sh-compatible shell
  * awk (if using UNLOAD configuration)
  * basic shell commands like lsmod, modprobe, grep, cut and echo
  * ulogd (if using ulogd logging)


#
# INSTALLATION
#

If you use Debian or a Debian-based Linux distribution you can use the .deb
package available from the firejar website, which will install firejar for you.

If you use some other system, place this script (firejar) in your init-script
directory (/etc/init.d) and make whatever preparations your system needs in
order to run the script at boot, or whenever else you want it run. Copy the
configuration file (firejar.conf) to /etc/firejar.conf (or edit the CONFFILE
variable in the script to point to the configuration file). Edit the
configuration file according to your needs.



#
# CONFIGURATION
#

If you use Debian or a Debian-based Linux distribution, debconf should ask you
the needed questions and create a suitable configuration file.

If you use some other system, edit the configuration file with your favourite
editor and set everything up. The configuration options should be reasonably
well documented.

Please note that firejar is not fool-proof and does not check the syntax of
every configuration directive, so a typo may produce rather cryptic error
messages from iptables. Since 0.3.19 the default policies are set to DROP
only after all rules have been loaded, so a configuration error should not
lock you out of a remote session.
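The check below is an added example and not part of firejar: a pre-flight validator of the kind the TODO list's "syntax checking for configuration" item calls for. It validates the three value types such a configuration carries (interface lists, port lists, IPv4 address lists) before any iptables command is run, so a typo is reported by name instead of surfacing as an iptables error halfway through loading. LAN_INTS and WILD_INTS are firejar's own directive names; WAN_TCP_PORTS and WAN_TCP_FROM are assumed names used only for illustration.

```shell
#!/bin/sh
# Added example, not firejar's own code: a pre-flight check for the kinds of
# values a firejar.conf carries. Directive names other than LAN_INTS and
# WILD_INTS are assumptions made for this illustration.

# Each check returns 0 when the value is well formed and 1 otherwise.

check_ifaces() {            # "eth1 tun0": interface names only
    for i in $1; do
        case "$i" in
            ''|*[!A-Za-z0-9_.:-]*) return 1 ;;
        esac
    done
    return 0
}

check_ports() {             # "22 80 8000:8100": 1..65535, optional lo:hi ranges
    for p in $1; do
        lo=${p%%:*}; hi=${p#*:}
        for n in "$lo" "$hi"; do
            case "$n" in ''|*[!0-9]*) return 1 ;; esac
            [ "$n" -ge 1 ] && [ "$n" -le 65535 ] || return 1
        done
        [ "$lo" -le "$hi" ] || return 1
    done
    return 0
}

check_cidr() {              # "192.0.2.0/24 198.51.100.7": IPv4, optional /prefix
    for a in $1; do
        ip=${a%%/*}; pfx=${a#*/}
        [ "$a" = "$ip" ] && pfx=32          # no prefix given: a single host
        case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
        [ "$pfx" -le 32 ] || return 1
        n=0
        old_ifs=$IFS; IFS=.
        for o in $ip; do
            case "$o" in ''|*[!0-9]*) IFS=$old_ifs; return 1 ;; esac
            [ "$o" -le 255 ] || { IFS=$old_ifs; return 1; }
            n=$((n + 1))
        done
        IFS=$old_ifs
        [ "$n" -eq 4 ] || return 1
    done
    return 0
}

# Validate the whole configuration: report every malformed directive by name
# and return 1 if any is bad, so the caller can refuse to touch iptables at all.
check_config() {
    rc=0
    check_ifaces "$LAN_INTS"      || { echo "LAN_INTS: bad interface list" >&2; rc=1; }
    check_ifaces "$WILD_INTS"     || { echo "WILD_INTS: bad interface list" >&2; rc=1; }
    check_ports  "$WAN_TCP_PORTS" || { echo "WAN_TCP_PORTS: bad port list" >&2; rc=1; }
    check_cidr   "$WAN_TCP_FROM"  || { echo "WAN_TCP_FROM: bad address list" >&2; rc=1; }
    return $rc
}
```

A start script would source the configuration and then run 'check_config || exit 1' before the first iptables call; an empty list passes every check, since an empty port list simply means nothing is opened.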


#
# USAGE
#

firejar {start|stop|restart}


#
# CONTACT
#

firejar was written by Jari Eskelinen.
Please contact me if you have any problems, ideas, patches or anything like
that. Or just send me some greetings if you have spare time :)

You can find the latest version of firejar at
http://keitin.net/jarpatus/projects/firejar/

CHANGELOG

0.3.19 - 2006-09-04
 * Fixed NAT support which didn't work at all
 * Removed unload after stop functionality (unloading did fail 
   occasionally breaking remote connections).
 * Added default policy after stop functionality which
   should replace unload after stop.
 * Now setting the default policy to ACCEPT first and only at the
   end setting it to DROP. In case of a configuration error,
   network connections should not break due to the default DROP
   policy.

0.3.18 - 2005-10-10
 * Fixed bug regarding improper LAN_INTS handling

0.3.17.1 - 2005-09-25
 * Fixed documentation flaws.

0.3.17 - 2005-09-24
 * Better documentation.
 * Better Debianizing.
 * Some polishing.

0.3.16 - 2005-09-23
 * Mainly bugfixes, .deb building and debconf support added

0.3.15 - 2005-09-11
 * Lots of improvements like wild_ints support

0.3.14 
 * First public version

TODO

QoS? Not likely with iptables, more likely with some kind of traffic shaper.
IPv6 perhaps?
WILD_INTS and the FORWARD chain? I.e. OpenVPN needs forwarding.
Log INVALID packets and log which chain caused the drop, for better debugging.
Does NAT support work with a multi-LAN setup? Hasn't been tested.
Figure out some way to open ports with some kind of UPnP daemon.
Syntax checking for configuration.
Stopping firejar after removing LAN_NAT fails.

DOWNLOAD

firejar tarball
firejar .deb

You can also use my Debian repository by adding the following line to /etc/apt/sources.list:
deb http://keitin.net/debian/ binary/