[Grml] documentation on kwfirewall..

Kai Wilke kiste at netzworkk.de
Mon Dec 5 20:08:11 CET 2005


High, high ...
* Ishwar Rattan <ishwar at pali.cps.cmich.edu> schrieb am [05.12.05 17:45]:
> 
> 
> On Sun, 4 Dec 2005, Kai Wilke wrote:
> 
> > Sorry for my english
> > kwfirewall starts from ppp, script /etc/ppp/ip-up.d/1kwfirewall.
> > 1kwfirewall starts the Script /etc/init.d/kwfirewall start.
> > /etc/init.d/kwfirewall starts /sbin/kwfirewall_start.
> > The script kwfirewall_starts configurate all tcp/udp ports from
> > configurations file /etc/kwtools/firewall.cf.
> >
> > I have the manpage from firewall.cf appended. This is in the
> > Release kwtools-0.4.2 to come and config is extended. See man -l
> > firewall.5
> 
> Your English is fine. Let me rephrase my question. I want to use
> a rules similar to:
Tahnk you:)
> 
> /sbin/iptables -A INPUT -j ACCEPT -i ppp0 -m state --state \
> ESTABLISHED,RELATED
> /sbin/iptables -A INPUT -p icmp -j ACCEPT -i ppp0 -m state --state NEW

Oh je. In Script /sbin/kwfirewall_start at line 170 is the chain
icmp_acc defined.
At the Line 262 - 269 is the chain for every
interface defined.
$IPTABLES -A icmp_acc -p icmp --icmp-type destination-unreachable \
    -j ACCEPT
$IPTABLES -A icmp_acc -p icmp --icmp-type source-quench -j ACCEPT
$IPTABLES -A icmp_acc -p icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A icmp_acc -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A icmp_acc -p icmp --icmp-type echo-reply -j ACCEPT
$IPTABLES -A icmp_acc -j LOG --log-prefix "ICMP-ACC " \
    -m limit --limit 4/m
$IPTABLES -A icmp_acc -j DROP
#
At the line 458 - 479 is the chain int_in (from Internet to
Router/Lokalhost defined) defined. Change this to:
$IPTABLES -A int_in -p icmp -j icmp_acc -m state \
    --state ESTABLISHED,RELATED
$IPTABLES -A int_in -p icmp -j icmp_acc -m state \
    --state NEW
$IPTABLES -A int_in -j LOG --log-prefix "INT-IN " \
    -m limit --limit 4/m
$IPTABLES -A int_in -j DROP

Can you me this to explain? Why you needs this? I'm straightly out
from this topic.

kind regards, Kiste
-- 
#######################################################################
Netzworkk
Kai Wilke
kiste at netzworkk.de
http://www.netzworkk.de
http://netzworkk.berlios.de

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.mur.at/pipermail/grml/attachments/20051205/b8dafa0b/attachment-0001.pgp 


More information about the Grml mailing list