README ~~~~~~ firewall - Linux-2.2 ipchains firewall/NAPT/NAT administration Firewall is a set of scripts (firewall, fwup and fwdown) that implement one or more ipchains firewalls that support various forms of network address and port translation. All you have to do is read the heavily documented policy file and edit it to reflect your network topology and filtering policy. The policy file is composed of sections in which you need to specify: this host's trusted and untrusted network interfaces; this host's role and function within the network topology; and the incoming and outgoing services to allow and the internal and external hosts that may take part in them. It has been designed so as to make this as painless and flexible as possible but you must be willing to do some reading. There are several examples to look at in the examples directory. Each section contains detailed explanations and advice on things such as when to start the firewall and the security implications of various well known internet services and advice on how to allow them safely. It is intended to introduce administrators to some subtleties of packet filtering quickly so that they can make better informed security decisions and achieve and maintain effective network security (at least the packet filtering part) in a very short time. Of course, it will not prevent you from achieving bad network security, but you will have been warned. Each section also contains commented out variables that can be uncommented and possibly edited to supply policy information to the firewall. Most of them show the default values used by the firewall. Others are choices. Others still are just examples. Hopefully it's clear which is which. Each policy variable is explained when encountered. Various network topologies are supported: Single Host (no forwarding, no address/port translation) Forwarding (no address/port translation) Masquerading (outgoing M:1 NAPT) Port Forwarding (Masquerading + incoming 1:M NAPT) Alias Port Forwarding (Masquerading + incoming N:M NAPT) Static NAT (incoming and outgoing 1:1 NAT) Up to 10 untrusted network interfaces are supported, each with a distinct policy. There can be as much or as little policy sharing between untrusted interfaces as you like. Centralised administration of multiple remote firewalls is supported. The policy is specified in the firewall.policy file. Read it carefully. It contains much necessary information. Here is the list of currently supported services: icdns - incoming Client DNS ocdns - outgoing Client DNS isdns - incoming Server DNS osdns - outgoing Server DNS ismtp - incoming SMTP osmtp - outgoing SMTP ipop - incoming POP opop - outgoing POP iimap - incoming IMAP oimap - outgoing IMAP ildap - incoming LDAP oldap - outgoing LDAP ispop - incoming SSL-POP ospop - outgoing SSL-POP isimap - incoming SSL-IMAP osimap - outgoing SSL-IMAP isldap - incoming SSL-LDAP osldap - outgoing SSL-LDAP issh1 - incoming SSH1 ossh1 - outgoing SSH1 issh2 - incoming SSH2/LSH ossh2 - outgoing SSH2/LSH inftp - incoming FTP (normal mode) onftp - outgoing FTP (normal mode) ipftp - incoming FTP (passive mode) opftp - outgoing FTP (passive mode) iteln - incoming TELNET oteln - outgoing TELNET ihttp - incoming HTTP ohttp - outgoing HTTP ihttps - incoming HTTPS ohttps - outgoing HTTPS iproxy - incoming HTTP PROXY oproxy - outgoing HTTP PROXY isquid - incoming SQUID osquid - outgoing SQUID inntp - incoming NNTP onntp - outgoing NNTP irsync - incoming RSYNC orsync - outgoing RSYNC icvs - incoming CVS ocvs - outgoing CVS ignats - incoming GNATS ognats - outgoing GNATS imysql - incoming MYSQL omysql - outgoing MYSQL ismb - incoming SMB osmb - outgoing SMB iirc - incoming IRC oirc - outgoing IRC iicq - incoming ICQ oicq - outgoing ICQ ireal - incoming RealAudio/QuickTime oreal - outgoing RealAudio/QuickTime ivnc - incoming VNC ovnc - outgoing VNC ireach - incoming REACHOUT oreach - outgoing REACHOUT ipcany - incoming PC ANYWHERE opcany - outgoing PC ANYWHERE iwterm - incoming WINDOWS TERMINAL SERVER owterm - outgoing WINDOWS TERMINAL SERVER intp - incoming NTP ontp - outgoing NTP idayt - incoming DAYTIME odayt - outgoing DAYTIME itime - incoming TIME otime - outgoing TIME igoph - incoming GOPHER ogoph - outgoing GOPHER iwais - incoming WAIS owais - outgoing WAIS oarch - outgoing ARCHIE ifing - incoming FINGER ofing - outgoing FINGER owhois - outgoing WHOIS iauth - incoming AUTH oauth - outgoing AUTH inotes - incoming NOTES onotes - outgoing NOTES cdial - DIALPAD Client cwbfn - WEBPHONE Client cnt2fn - NET2PHONE Client chotel - HOTTELEPHONE/WEB2CALL Client intmt - Incoming NETMEETING ontmt - Outgoing NETMEETING ilog - incoming SYSLOG olog - outgoing SYSLOG sdhcp - DHCP Server cdhcp - DHCP Client itacacs - Incoming TACACS+ otacacs - Outgoing TACACS+ isnmp - incoming SNMP osnmp - outgoing SNMP isnmpt - incoming SNMP TRAP osnmpt - outgoing SNMP TRAP ibgp - incoming BGP obgp - outgoing BGP ospf - OSPF irip - incoming RIP orip - outgoing RIP ikerb - incoming KERBEROS okerb - outgoing KERBEROS ipptp - incoming PPTP opptp - outgoing PPTP iipsec - incoming IPSEC oipsec - outgoing IPSEC iping - incoming PING oping - outgoing PING itrace - incoming TRACEROUTE otrace - outgoing TRACEROUTE idanger - incoming X11 connections, trojans odanger - outgoing X11 connections, trojans Note: Don't trust it. Test it. Audit it. Many services haven't been tested yet. Please send me any success reports, bug reports, criticism, comments, corrections, suggestions, patches, pointers to more information, ... INSTALL ~~~~~~~ This should install on any linux system. Please let me know if it doesn't. See REQUIREMENTS for runtime requirements. Unpack the distribution: tar xzf firewall-20041231.tar.gz cd firewall-20041231 If you are upgrading and have an existing firewall.policy, you could try to migrate your existing policy into the new policy file (as root): ./migrate-policy firewall.policy /etc/firewall.policy If you do this, make sure that you check the result carefully, comparing it to both your existing policy file and to the backup of the new policy file. Read the policy file and edit it to reflect your filtering policy and topology: vi firewall.policy Install scripts and policy (as root): make uninstall # if a previous version is installed make install make policy If make is not installed (as root): make-uninstall # if a previous version is installed make-install make-policy For more details: make help This will cause the firewall to be started at boot time before the network starts and after each new IP address is received via PPP or DHCP (if applicable). The firewall will be stopped at shutdown time after networking is stopped. To start the firewall before the next reboot, run one of (depends on system) (as root): /etc/rc.d/init.d/firewall start /etc/init.d/firewall start /etc/firewall start After setting up a firewall, don't forget to audit it with nmap (as root from the inside and the outside) to make sure that you got what you wanted. The tools/portscan script may be useful here. If there are any surprises, investigate. It is imperative that you know what your firewall does and doesn't do. REMOTE INSTALL ~~~~~~~~~~~~~~ You can also install scripts that allow you to subsequently install and manage multiple remote firewalls. Unpack the distribution: tar xzf firewall-20041231.tar.gz cd firewall-20041231 Install (as root): make meta-install If make is not installed (as root): make-meta-install This creates the /etc/firewall.d directory and installs the meta-firewall script in either /etc/rc.d/init.d, /etc/rc.d or /etc depending on your system. If upgrading, you could try to migrate an existing remote policy into the new policy file (as root): meta-firewall migrate Prepare for a remote install (if not upgrading) (as root): meta-firewall prepare Read the policy file and edit it to reflect your filtering policy and topology (as root): meta-firewall edit Install the firewall scripts onto the remote firewall host (as root): meta-firewall install Install the remote firewall's policy file (as root): meta-firewall policy Start the firewall remotely (as root): meta-firewall start For more details: meta-firewall --help Where is the hostname of a remote firewall host You will need root access via openssh to all remote firewall hosts. You will need to either use ssh-agent(1) or enter remote root passwords or your local passphrase when managing the remote firewalls. Shell tracing is turned on during the execution of all scp and ssh commands to the remote firewall hosts so you can see what's going on before you type in the root password. If you don't want to see what's going on, set the environment variable verbose=no. Make sure you don't install a remote firewall that doesn't allow incoming ssh from the administration host or you won't be able to update it later :) LRP PACKAGE INSTALL ~~~~~~~~~~~~~~~~~~~ You can create an Linux Router Project (LRP) package after defining your firewall policy and install it onto an LRP system. Unpack the distribution (on a non-LRP system): tar xzf firewall-20041231.tar.gz cd firewall-20041231 If you are upgrading and have an existing firewall.policy, you could try to migrate your existing policy into the new policy file (as root): ./migrate-policy firewall.policy /etc/firewall.policy If you do this, make sure that you check the result carefully, comparing it to both your existing policy file and to the backup of the new policy file. Read the policy file and edit it to reflect your filtering policy and topology: vi firewall.policy Build the LRP package (as root): make lrpkg The package "firewall.lrp" will be created in the current directory. Then transfer this package to your LRP system (See LRP documentation for details). This will cause the firewall to be started at boot time before the network starts and after each new IP address is received via PPP or DHCP (if applicable). The firewall will be stopped at shutdown time after networking is stopped. Note: The current (mid-2002) version of the Oxygen LRP distribution doesn't have expr compiled into the busybox version of ash so you will need to install expr somehow or use any other LRP distribution (including previous versions of Oxygen). To start the firewall before the next reboot, run (as root): /etc/init.d/firewall start After setting up a firewall, don't forget to audit it with nmap (as root from the inside and the outside) to make sure that you got what you wanted. The tools/portscan script may be useful here. If there are any surprises, investigate. It is imperative that you know what your firewall does and doesn't do. UPDATING ~~~~~~~~ The firewall uses the IANA's list of reserved networks. This list changes over time. Therefore, the firewall needs to be kept up to date with the current version of the list. The script "update-reserved-networks" downloads the latest version of the list from the IANA's website and then modifies the script that brings up the firewall accordingly. This is not automated. I wonder if it should be. I don't think I could bare the thought of re-writing it in shell. When you notice that some packets are being dropped as spoof packets, it probably means that it's time to run update-reserved-networks on the firewall scripts. EXTRAS ~~~~~~ The examples directory contains several example policy files. They demonstrate all supported types of network topology, some with detailed policies. They should be considered mandatory reading. The tools directory contains the following utilities: dns2ip - a filter that translates domain names into IP addresses fwhelper - ipchains troubleshooting script (ipchains -C with tracing) portscan - performs a thorough port scan using nmap tcpdump-histogram - prints a histogram of packets in tcpdump output The patches directory contains two patches that you might find useful: ipchains-1.3.*-Q.patch ~~~~~~~~~~~~~~~~~~~~~~ This is a patch for ipchains-1.3.9 and ipchains-1.3.10 which adds the -Q option. This option takes a filename or ``-'' as an argument. If a filename is given, ipchains reads its commands from the file. If ``-'' is given, ipchains reads its commands from standard input. Blank lines and shell-style comments are ignored so it is possible to write executable #!/sbin/ipchains scripts. This allows ipchains to perform all of it's tasks in a single process instead of several hundred invocations of the same process so starting an ipchains packet filtering firewall can now be done instantaneously. Written by raf masq-demasq.patch ~~~~~~~~~~~~~~~~~ This is a patch for linux-2.2.13 which makes port forwarding work when initiated from inside the masqueraded network(s). Written by Michael Best REQUIREMENTS ~~~~~~~~~~~~ - Linux-2.2.x and ipchains - See firewall.policy file for kernel configuration and module requirements - ipmasqadm iff doing port forwarding or alias port porwarding - ip (iproute2) iff doing alias port porwarding or static NAT - nmap used by the portscan utility - root privileges for ipchains, ipmasqadm, ip - root privileges inside and outside for auditing with nmap - perl used by most of the utilities (dns2ip also requires Net-DNS) - perl, diff and patch used by migrate-policy Note: perl is not needed for the firewall itself! These can be found at: Linux-2.2 - http://www.kernel.org/ (2.2.19) ipchains - http://netfilter.kernelnotes.org/ipchains/ (1.3.10) ipmasqadm - http://juanjox.kernelnotes.org/ (0.4.2) iproute2 - ftp://ftp.inr.ac.ru/ (000305) nmap - http://www.insecure.org/nmap/ (2.53) perl - http://www.perl.com/ (5.005_03) Net-DNS - http://www.perl.org/CPAN/modules/by-module/Net/ (0.12) diff - ftp://ftp.gnu.org/pub/gnu/diffutils/ (2.7) patch - ftp://ftp.gnu.org/pub/gnu/patch/ (2.5) COPYING ~~~~~~~ firewall - Linux-2.2 ipchains firewall/NAPT/NAT administration Copyright (C) 1999-2004 raf This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA or visit http://www.gnu.org/copyleft/gpl.html HISTORY ~~~~~~~ 19991231 - Initial version 20000309 - Incorporated linux-firewall-tools.com: - Added more protection against spoofing and dangerous services - Added more kernel protection (source routing, redirects, syn cookie, defrag, icmp broadcast echo, bogus error response, martian logging) - Added services (DHCP, HTTPS, HTTP PROXY, IMAP, ICQ, Real Audio) - Changed default forward policy from deny to reject - Added "untrusted networks" - Added configuration of masquerade timeouts - Split SSH into SSH1 and SSH2 - Added BGP and RSYNC - Fixed DNS policy variables and doco - Cleaned up, fixed bugs - Modified fwup to run on non redhat systems - Added "make decent" - Started logging incoming ping and traceroute even if accepted - IP forwarding only started/stopped if masquerading requested - Started denying/rejecting fragments (kernel must always defrag) - Started using local and masqueraded port ranges (from Mike A. Harris) - Added SMB, PPTP and IPSEC (from Yan Seiner) - Added support for multiple untrusted interfaces with differing policies - Added automatic identification of local networks 20000321 - Added dynamic IP address hacking in IP MASQ (for non-routers only!) - Added the ability to deny/reject selected ports without logging them - Added Kerberos, CVS, GNATS, MySql, SSL-POP, SSL-IMAP, SSL-LDAP, OSPF - Fixed bug: was masquerading traffic between multiple internal networks - Added the dns2ip utility to translate domain names in policy files into ip addresses 20000402 - Shortened/cleaned up fwup a bit with more functions - Fixed bug: SSH1 rules were allowing SSH2 as well - Fixed doco: outgoing SSH2 note was stupid - Fixed bug: SDNS rules were allowing CDNS as well - Fixed bug: masqueraded UDP (e.g. CDNS!) failed (func vars weren't local) - Fixed bug: SNMP[T] rules from Chapman & Zwicky disagreed with RFC 1157 - Fixed bug: typo in DHCP Client rules allowed incoming address updates even when $DHCP_SERVERS is empty - Added the ability to specify more simple tcp services in the policy file 20000421 - Added LDAP, NOTES - Added the ability to deny/reject other protocols without logging them - Added loading/unloading of IP masquerading modules - Deny/Reject fragments iff $IPV4_FRAGMENT_PROTECT != "no" - Made ICMP configurable (default behaviour remains the same) - Added portsummary utility to display connection tuples in tcpdump output - Included some archie server addresses in firewall.policy as a comment - Started determining masquerade ports directly from kernel source - Added support for forwarding to internal hosts with individual policies - Fixed bug: Stopped creating chains that were never used (thanks to forwarding changes, starting the firewall is now twice as fast!) - Fixed bug: Outgoing ICQ rules were wrong (udp rules reversed) - Fixed bug: The extra tcp services weren't being included - Fixed bug: Was doing spoof protection on internal untrusted interfaces - Rewrote/reorganised the initial doco in firewall.policy and README - Added detailed open port profiles to the notes on each service - Added support for port forwarding (incoming and outgoing M:1 NAPT) - Added portscan utility to perform comprehensive portscans - Added an example policy file for each type of supported network tpology - Made chain policies configurable (some like DENY, others like REJECT) 20000430 - Fixed bug: make install was creating too many links in /etc/rc.d/rc?.d - Fixed bug: success/error messages sent to /var/log/messages were pathetic - Added portfw to the list of loadable masq modules in the policy file - Added "ipchains -M -L -v -n" to "firewall probe" - Made it possible to specify untrusted addresses in policy if all are static - Removed all uses of perl from fwup (no longer determines masquerade ports directly from kernel source but that was a silly idea anyway) 20000601 - Added "make [un]install" support for most systems and ppp and dhcp (inspired by PMfirewall) - Added the ability to recognise dangerous udp ports and block them early (and added the trojan cavalry (from mason) as comments in the policy file) - Fixed bug: didn't support preferences (load sharing) when port forwarding - Fixed bug: target names couldn't be used with identical service names - Added support for alias port porwarding and static NAT - Added support for "ipchains -Q" if available (twice as fast again!) - Added patches directory to distribution: ipchains-Q and masq-demasq - Added the ability to set ip_masq_udp_dloose for linux-2.2.15 - Fixed bug: service chains for multiple targets were added multiple times - Added ACK and Window scans to the portscan utility (for nmap-2.53) - Added SQUID - Added check to ensure that BLOCK{IN|OUT|FWD} are set to DENY or REJECT - Renamed portsummary to tuplegram and added icmp and udp support - Fixed bug: make [un]install didn't work with recent version of bash 20000914 - Updated the ipchains url in README - Fixed the explanation why internally initiated port forwarding doesn't work (in the BUGS section below) thanks to Michael Best - Added DIALPAD, WEBPHONE, NET2PHONE, HOTTELEPHONE/WEB2CALL, NETMEETING - Added port range forwarding in $PORTRANGEFW - Made outgoing server dns (when masquerading) more strict 20010211 - Added VNC service - Exposed $ILLEGAL_NETWORKS to policy file (for partitioning private nets) - Added support for REDIRECT (transparent proxying) - Updated and optimised $RESERVED_NETWORKS (bs@axysdesign.com, jshin@pantheon.yale.edu) - Added search in $PATH for programs (bs@axysdesign.com) - Stopped dns2ip from translating in shell comments (jshin@pantheon.yale.edu) - Added TIME, DAYTIME services (jshin@pantheon.yale.edu) 20010214 - Fixed security bug: bad tempfile creation for ipchains-Q (dynamo@ime.net) 20010507 - Fixed typo in policy file (OUTGOING_VNC_PORTS -> INCOMING_VNC_PORTS) - Added PC ANYWHERE, WINDOWS TERMINAL SERVER - Added support for chkconfig (but you must verify it for your system) - Fixed bug: was logging all forwarded packets when FORWARDING="yes" (dos!) - Removed installation dependency on make (cesar@rotnet.com.br) - Added kernel config, module and software requirements doco to policy file - Fixed tuplegram bugs, added arp support, renamed it to tcpdump-histogram - Fixed icmp parsing and added fragment support in fwhelper - Added centralised administration of multiple remote firewalls 20010801 - Fixed SNMP TRAP rules (source port 161, no return packets) - Fixed X11 client rules (dj@head-cfa.harvard.edu) - Added X11 server rules 20010815 - Fixed bug: redirect code never executed (ckhui@school.net.hk) - Updated IANA reserved networks (20010619 - 67, 68, 80 and 81 allocated) 20020626 - Added support for multicast sessions - Added rejecting specific ports when policy is DENY (for inacker@informatik.uni-freiburg.de) - Added support for PPTP server on localhost (nick@abssys.com) - Updated URL for ip_masq_h323 module (martin@kos.li) - Updated -Q patch for ipchains-1.3.10 (rmrpms@usa.net) - Added REACHOUT service - Added TACACS+ service - Updated list of trojan ports (www.neohapsis.com, www.seifried.org) - Removed the need for bash (LRP only has ash) - Removed the need for awk (LRP doesn't have awk by default) - Added migrate-policy (suggested by inacker@informatik.uni-freiburg.de) - Added meta-firewall migrate/diff/revert - Added more doco on SERVICES and TARGET_* variables (bs@axysdesign.com) - Updated IANA reserved networks (20011201 - 219, 220 allocated to APNIC) - Fixed firewall lockfile for Debian (jejc@free.fr) - Made to work with ash, bsh, bash, ksh or (in the unlikely event) zsh - Added installation support for more dhcp clients (i.e. pump and dhclient) - Ported to LRP/busybox-ash (wont-i@wkh.org) - Added "make lrpkg" (creates an LRP package after you define your policy) - Added installation support for systems with /etc/ppp/ip-{up,down}.d - Added "firewall reconf " - Added "firewall help" 20041215 - Added doco about perimeter networks and demilitarised zones - Added $MASQUERADED_NETWORKS to masquerade selected internal networks - Updated IANA reserved networks (2003-11-14) 20041231 - Updated examples/policy.* to include earlier changes to firewall.policy - Made messages conform to Debian standards (except when on Redhat) - Updated IANA reserved networks (2004-08-03) - Added update-reserved-networks script so users can update them easily - Extracted fwprobe as a separate command from "firewall probe" REFERENCES ~~~~~~~~~~ Building Internet Firewalls by Chapman & Zwicky IPCHAINS-HOWTO by Paul Russell http://linux-firewall-tools.com by Robert L. Ziegler The ipchains mailing list. Particularly Yan Seiner, Mike Harris and Michael Best IP-Masquerade-HOWTO by David Ranch IP Command Reference by Alexey N. Kuznetsov PMfirewall (http://www.pointman.org) by Rick Johnson (installation) mason (http://www.pobox.com/~wstearns/mason) by Willian Stearns (trojan list) TCP/IP Illustrated Volume 1 by W Richard Stevens Network Intrusion Detection - An Analyst's Handbook by Stephen Northcutt and Judy Novak RFC 2588 IP Multicast and Firewalls by Ross Finlayson www.neohapsis.com ports list www.seifried.org ports list BUGS ~~~~ - I've been told that masquerading the H.323 services (e.g. HOTTELEPHONE) doesn't work but wasn't given any details and the person who reported it didn't seem interested in helping me fix whatever the problem might have been. If anyone would like to help me test it and get it working (if indeed it doesn't work), please contact me. - The *SERVERS* and *CLIENTS* policy variables for a given service apply to all instances of a service across a given interface. This means that if you have something like: SERVICES="oservice.targeta oservice.targetb", then the hosts in both targeta and targetb are restricted to connecting to the same set of external servers for the given service. Let me know if this is a problem. It can be fixed but the policy file will get a bit uglier. - Masquerading across multiple interfaces is not supported. If you have multiple untrusted interfaces and you are masquerading, then masquerading occurs for packets leaving via the first untrusted interface only. Let me know if this is a problem. It's easy to fix. - When port forwarding, internal hosts shouldn't try to make connections to the forwarded port on the external interface because it doesn't work with a stock kernel. Michael Best has written a patch to linux-2.2.13 to fix this. It's in the patches directory under masq-demasq. Here is his explanation of the problem: Michael Best (michael@com.org) wrote: > What happens is that the first packet is forwarded to the correct host, > but only its destination info has been changed. For example: > > Host A: 10.101.2.1 (firewall; external address is 216.324.11.123) > Host B: 10.101.2.2 (running web server on port 80) > Host C: 10.101.2.3 (client) > > Host A has 216.324.11.123/80 forwarded to Host B. > Host C tries to connect to 216.324.11.123/80. > > First packet looks like this: > From 10.101.2.3/1056 to 216.324.11.123/80 > It is forwarded: > From 10.101.2.3/1056 to 10.101.2.2/80 > Reply looks like this: > From 10.101.2.2/80 to 10.101.2.3/1056 > It is ignored by the client since it doesn't match any active connection. > Thus the connection is never fully established and appears hung. > > My patch modifies the kernel so that it can modify both the destination and > source addresses of a packet. It still requires that your rules are correct. > Here is what the above would look like with my patch: > > First packet looks like this: > From 10.101.2.3/1056 to 216.324.11.123/80 > It is forwarded: > From to 10.101.2.2/80 > Here's the reply: > From 10.101.2.2/80 to 216.324.11.123/64234 > This one goes back to the firewall and it forward: > From 216.324.11.123/80 to 10.101.2.3/1056 > > Note that this patch also make possible Starcraft and Warcraft Battle-net > games between two people behind the same firewall. > > I've put my patch at http://www.com.org/~michael/masq-demasq.zip - There is no support for static NAT between internal networks. Let me know if this is a problem. This should be fixed. In the meantime, you can just execute the necessary ip commands separately using priorities below 10000. - Port forwarding port ranges isn't supported when using Alias Port Forwarding. Let me know if this is a problem. It's easy to fix. - Stopping the firewall stops packet forwarding in general. This is intentional. However, on redhat systems with FORWARD_IPV4="yes" in /etc/sysconfig/network, packet forwarding isn't stopped when the firewall is stopped. This is a convenience (but it is unsafe). Note that for most small sites like a single host or a single lan dialing up to the net, forwarding should be off when not connected to the net anyway, so this won't be a problem. If you have a system that uses a different configuration file/method to determine whether or not to forward packets, let me know and i'll add detection for that system. - "make install" on systems with BSD style init scripts appends a "firewall reload" command to the rc.local file. So the firewall will start after the network is up. You should change this so the firewall starts before the network is up. If this is a problem, tell me how to determine where the command needs to go. - There is no installation support for Richard Gooch's simpleinit scripts. :( TODO ~~~~ Add implementations for iptables, ipf and cisco ios/cbac ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ URL: http://fwup.org/ Date: 20041231 Author: raf