firewall-mv

(C) Martin Väth

This project is under the BSD license 2.0 ("3-clause BSD license").
SPDX-License-Identifier: BSD-3-Clause

A collection of POSIX shell scripts to initialize iptables and net-related sysctl variables of Linux.

These POSIX scripts set up some typical iptables rules for a dialup PC, optionally including a simple portknocking solution and router functionality. The usage is somewhat similar to SuSEfirewall2, but the approach has some essential differences. In particular, packets are usually not DROP-ed but REJECT-ed until a rate limit is reached. It is not necessary to restart the firewall after a connection is established. Currently, IPv6 is practically not supported (except for closing everything).

The kernel variables are set by a separate script, sysctl.net.

By default, firewall makes use of the functions from firewall-scripted.sh, which allow a "scripted" use of iptables-restore and ip6tables-restore. This means that all iptables rules are created in one command. This is not only much faster, but it also avoids race conditions when creating the rules, see

See the instructions at the end of this file on how to use firewall-scripted.sh.

To install this project easily, run make (and make install as root). For manual installation, copy the scripts from sbin/ into your PATH. etc/firewall.config can be copied into /etc, /usr/lib/firewall or /lib/firewall; these directories are searched in this order and the first readable copy is used, so the latter directories can hold distribution-wide defaults. You should modify firewall.config to your needs (for the default, copy etc/firewall.d to the /etc directory and follow etc/firewall.d/README). For zsh completion support, copy the content of zsh/ into a directory in your $fpath.

You also need push.sh from https://github.com/vaeth/push (v2.0 or newer) in your PATH.

Before you run firewall, please edit firewall.config to your needs: create /etc/firewall.config to override the sample default from /usr/lib/firewall or /lib/firewall. The example firewall.config chooses its defaults based on the existence of some magic files in /etc. It assumes that the original eth* interfaces have been renamed to net* (e.g. by eudev or udev rules).

The firewall script reads your firewall.config and then (by default) runs sysctl.net and initializes iptables according to the content of firewall.config.

sysctl.net initializes some net-related Linux sysctl variables.

To get help, run firewall -h or sysctl.net -h, respectively.

If you use systemd, you can copy the content of systemd into your systemd system folder and (after systemctl daemon-reload) enable the scripts with

	systemctl enable firewall.service

For openrc (the Gentoo init system) there are some scripts provided in the openrc folder. Copy these scripts and their configs to /etc/init.d and /etc/conf.d, respectively, and edit the files in /etc/conf.d. To activate the firewall with openrc, call e.g. (the runlevels might depend on your configuration):

	rc-config add fireclose boot
	rc-config add firewall default

Instead of adding fireclose to your boot runlevel, you might also want to add to your relevant /etc/conf.d/net* file(s):

	rc_need=fireclose

To load the required kernel modules with systemd or openrc, copy e.g. the content of modules-load.d/ to /etc/modules-load.d/ or /usr/lib/modules-load.d/ and edit it for your needs. Systemd and openrc-0.21.7 (or newer) automatically support these directories. For older versions of openrc, you can use the conf.d/modules file to get at least some rudimentary support of these directories.

For Gentoo, there is an ebuild in the mv overlay (available by layman) (but you might still have to configure the firewall.config, see above).

Instructions for firewall-scripted.sh:

Step 1.

Evaluate the output of firewall-scripted.sh in a POSIX-compliant shell, e.g.

	# firewall-scripted.sh prints shell code defining the Fwmv* functions;
	# evaluate it only if the script was found and ran successfully
	if SOME_VARIABLE=$(firewall-scripted.sh 2>/dev/null)
	then
		eval "$SOME_VARIABLE"
	else
		echo "firewall-scripted.sh not installed" >&2
	fi

Remark: An obsolete method was to source the script instead:

	. firewall-scripted.sh

The latter works for older versions of firewall-mv or if one installs manually, but unless an appropriate PATH is set before sourcing, it fails when firewall-scripted.sh is replaced by a wrapper script, which happens with the provided Makefile. Moreover, if firewall-scripted.sh is not available, sourcing aborts the calling script.

All functions and variables used internally by firewall-scripted.sh have the form Fwmv[A-Z]* or fwmv_*, respectively, so do not use these names yourself. All these variables are cleaned up by firewall-scripted.sh when possible.

Step 2.

Call FwmvTable 4 or FwmvTable 6 instead of iptables or ip6tables, respectively. You can pass most options of iptables or ip6tables in exactly the same form; if you use the option -t, it must be the first one.

Step 3.

When you are done, you can execute the "stored" commands in one step using FwmvSet 4 or FwmvSet 6, respectively. If you additionally pass the parameter Echo (possibly combined with Exec), the command is printed instead (and only executed if you also passed Exec). In this case, firewall-scripted.sh requires the push.sh script (and then also uses the functions/variables of push.sh, in addition to those named in Step 1).

Step 4.

After Step 3 all variables are reset so that you can start over with Step 2.
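The scripted approach described above (collect all rules, then hand them to iptables-restore in a single command, i.e. Steps 2 to 4 in miniature) as an added, self-contained example. This is not firewall-mv's own code and does not use FwmvTable or FwmvSet; the function names fw_rule, fw_dump, fw_count, fw_apply, fw_reset and fw_build_example are hypothetical stand-ins, and the sample ruleset is constructed here to show the REJECT-until-rate-limit-then-DROP idea from the introduction.

```shell
#!/bin/sh
# Added example (not firewall-mv's own code): a minimal "scripted" iptables
# builder in the spirit of firewall-scripted.sh. Rules are collected in a
# shell variable and handed to iptables-restore as one input, so the kernel
# ruleset is replaced in a single step instead of rule by rule (no window
# with a half-built ruleset, and much faster than many iptables calls).
# fw_rule, fw_dump, fw_count, fw_apply, fw_reset and fw_build_example are
# hypothetical names, not the project's FwmvTable/FwmvSet.

fw_rules=''      # pending rules, one "-A ..." line each
fw_nl='
'                # a literal newline, used as line separator

# fw_rule CHAIN ARGS...: queue "-A CHAIN ARGS" (iptables-restore syntax)
fw_rule() {
	fw_rules="$fw_rules-A $*$fw_nl"
}

# fw_dump: print the complete iptables-restore input for the filter table.
# Default policies close everything; the queued rules open what is needed.
fw_dump() {
	printf '*filter\n'
	printf ':INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
	printf '%s' "$fw_rules"
	printf 'COMMIT\n'
}

# fw_count: number of queued rules (0 when nothing is queued)
fw_count() {
	printf '%s' "$fw_rules" | awk 'END { print NR }'
}

# fw_apply: load the whole ruleset atomically; needs root and iptables-restore
fw_apply() {
	fw_dump | iptables-restore
}

# fw_reset: forget the queued rules so a new ruleset can be built (Step 4)
fw_reset() {
	fw_rules=''
}

# A small dialup-style ruleset following the README's approach: accept
# loopback and replies to our own connections, then answer unsolicited
# packets with REJECT (the sender sees a closed port and gives up quickly)
# until the rate limit is hit, after which the remainder is silently DROPped.
fw_build_example() {
	fw_reset
	fw_rule INPUT -i lo -j ACCEPT
	fw_rule INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
	fw_rule INPUT -m conntrack --ctstate INVALID -j DROP
	fw_rule INPUT -m limit --limit 10/second --limit-burst 30 -j REJECT --reject-with icmp-port-unreachable
	fw_rule INPUT -j DROP
}

# Preview the generated restore input (run "fw_apply" as root to load it):
fw_build_example
fw_dump
```

Because fw_dump only prints, the ruleset can be reviewed (or diffed against the running one via iptables-save) before fw_apply loads it; if iptables-restore rejects any line, nothing is changed, which is the point of building everything first.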

Disclaimer

Not all options for FwmvTable in firewall-scripted.sh are tested; essentially only those used by the firewall script are tested. In particular, ip6tables is not tested at all with firewall-scripted.sh.
