
 $Id: README,v 1.2 2001/07/29 21:23:35 scip Exp $



 README for scipfire
=============================================





 Introduction
---------------------------------------------

 scipfire is a set of scripts which together
 set up a firewall. This firewall is used at
 the HAL2001 camp by the "team 49" crew for
 protecting our laptops.

 However, it seems to be a nicely configurable
 and customizable system, so it is provided
 to the community.






 What does it do
---------------------------------------------

 The "scipfire" firewall works the paranoid
 way: by default everything is closed and only
 certain traffic is allowed to pass the firewall.

 Every connection attempt destined to the
 internal LAN as well as to the firewall itself
 is blocked.

 Reply packets destined to the inside LAN are
 allowed.

 Reply packets can only be TCP packets. UDP
 is forbidden completely.

 Outgoing traffic is only allowed to selected
 services (http, ftp, ssh, selected icmp types).

 The firewall does not log dropped packets and
 is therefore not vulnerable to log-flooding DoS
 attacks.

 A DNS server is provided for internal DNS as
 well as forwarder services (sample config in
 the dns/ directory!).

 All listening services besides internal DNS
 are disabled (which is not really scipfire-
 related, but important to mention anyway).

 Traffic going from or to the firewall itself
 is generally not allowed (besides DNS!).

 All traffic from inside to the outer world
 is masqueraded using source NAT.



 How to install
---------------------------------------------

 1. Linux
    
    The very first thing to do is a fresh setup.
    I recommend Debian GNU/Linux, but you are
    of course free to choose another distribution.

    Keep the machine offline, off the net, during
    the whole installation process!

    Install only the absolutely necessary stuff; that
    means no games, no X and so forth.

    Disable all services by removing their start
    scripts in /etc/rc?.d/S* .
    This includes inetd, xinetd and tcpwrappers.
    You don't need services on a firewall at all!

    Grab the latest bind sources and install them.
    This is not a must, but this is what we did.
    Feel free to take a look at the dns/ directory,
    which contains a sample setup for bind as
    well as some useful scripts.

    Configure your syslogd if you choose to use
    the logging capabilities of the firewall.
    See the syslog/ directory for an example.

 2. Kernel
    
    Download the latest kernel sources. Don't forget
    to verify their authenticity using the provided
    signature!
    If you choose to use LIDS as well, then
    look at http://www.lids.org for the latest LIDS
    patch and grab the appropriate kernel version
    for this patch. As of this writing this is 2.4.5.
    Take a look in the lids/ directory, which contains
    the sample LIDS setup which we will use on the camp.

    Configure the kernel as necessary. Don't forget
    to turn on the netfilter feature. Keep in mind
    that if you compile iptables (and its features) as
    modules you will need to edit the chains/KERNEL
    file (see below).


 3. Software

    Run the supplied config script:

	# ./configure

    Note that this script assumes that you have two NICs,
    one for the external and the other one for the internal
    network. configure will determine your network
    configuration automatically. This requires that the
    network is already configured and up and running.

    If you have not yet configured your network, or if
    you have more than two NICs, then you must copy the
    supplied dist config file to the target destination
    by hand and edit it manually:

	# cp conf/scipfire.cfg.dist conf/scipfire.cfg

    The config file is well commented; you should normally
    not have any trouble with it.

    After that, review the supplied Makefile. You might
    choose another destination directory for the scripts
    being installed.

    Now issue the following command to install scipfire:

	# make install

    The Makefile will install the firewall scripts and
    it will also create some links in /etc/rc?.d/ so
    that the firewall will be started automatically
    upon system startup.

    This is the point where you may try it out for the
    first time:

	# /etc/init.d/scipfire start

    You shouldn't see any errors. If you encounter any
    error, then correct the problem. In most cases this
    is caused by incomplete configuration or by incorrect
    kernel/system setup. You may also drop me an email,
    perhaps I can help.




 Customizing
---------------------------------------------

 If you need to allow additional services to
 get through the firewall, then you must edit one
 or more files in the chains directory. You can extend
 an existing chain file, or you can create a new
 one. In the latter case use the supplied file
 chains/template and copy it to a new file, e.g.:

	# cp chains/template chains/ORACLE

 and add your rules to this file. You then also need
 to refer to this new chain from an existing chain;
 normally you would do this from the INPUT_INTERNAL
 or from the INPUT_EXTERNAL chain.

 After this is done, you must also link to this
 new chain from the rc.d directory under scipfire.d/:

	# cd /etc/scipfire.d/rc.d
	# ln -s ../chains/ORACLE S43oracle
	# ln -s ../chains/ORACLE K65oracle

 Refer to the design document for how this works.




 Debugging
---------------------------------------------

 If the firewall itself runs fine but you see some problem,
 e.g. someone cannot do this or that through your firewall,
 then you may decide to turn on logging. For this purpose
 an extra start parameter exists which turns on logging
 in general. Issue the following commands:

	# /etc/init.d/scipfire stop
	# /etc/init.d/scipfire startlog

 This starts the firewall with the same rulesets as before
 but with logging turned on.

 Besides, you can also run the start script with the "print"
 or "printlog" parameter, which does nothing but print
 the iptables commands used to set up the firewall.
 You can pipe the output into a separate file
 for reviewing.
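 As an added example (not scipfire's own code, which lives in its
 chains/ files), here is a minimal iptables script that builds the
 default-deny ruleset described under "What does it do" and mirrors
 the start/startlog/print/printlog switches described in this section.
 The interface names eth0/eth1 and the LAN prefix 192.168.1.0/24 are
 assumptions; the commands are emitted to stdout so they can be
 reviewed before anything is applied.

```shell
#!/bin/sh
# Added example, not part of scipfire: an iptables ruleset with the
# policy the README describes (default deny, TCP-only replies, selected
# outgoing services, DNS on the firewall, source NAT) plus the
# "print"/"startlog" style switches. NIC names and LAN prefix are assumed.
EXT=eth0                 # assumed external NIC
INT=eth1                 # assumed internal NIC
LAN=192.168.1.0/24       # assumed internal network
LOG=${LOG:-0}            # 1 = log what hits the DROP policy ("startlog")

scipfire_rules() {
    echo "iptables -F; iptables -t nat -F"
    # Paranoid default: drop everything that is not explicitly allowed.
    for chain in INPUT OUTPUT FORWARD; do
        echo "iptables -P $chain DROP"
    done
    # Outgoing from the LAN only to ftp, ssh, http and echo-request.
    for port in 21 22 80; do
        echo "iptables -A FORWARD -i $INT -o $EXT -s $LAN -p tcp --dport $port -j ACCEPT"
    done
    echo "iptables -A FORWARD -i $INT -o $EXT -s $LAN -p icmp --icmp-type echo-request -j ACCEPT"
    # Replies back into the LAN: TCP only, and never a connection opener (SYN).
    echo "iptables -A FORWARD -i $EXT -o $INT -d $LAN -p tcp ! --syn -j ACCEPT"
    echo "iptables -A FORWARD -i $EXT -o $INT -d $LAN -p icmp --icmp-type echo-reply -j ACCEPT"
    # The firewall itself only answers LAN DNS queries and forwards them upstream.
    echo "iptables -A INPUT -i $INT -s $LAN -p udp --dport 53 -j ACCEPT"
    echo "iptables -A OUTPUT -o $INT -d $LAN -p udp --sport 53 -j ACCEPT"
    echo "iptables -A OUTPUT -o $EXT -p udp --dport 53 -j ACCEPT"
    echo "iptables -A INPUT -i $EXT -p udp --sport 53 -j ACCEPT"
    # Optional: log whatever falls through to the DROP policy (off by default).
    if [ "$LOG" = 1 ]; then
        for chain in INPUT OUTPUT FORWARD; do
            echo "iptables -A $chain -j LOG --log-prefix 'scipfire $chain: '"
        done
    fi
    # Everything leaving towards the net gets the firewall's external address.
    echo "iptables -t nat -A POSTROUTING -o $EXT -s $LAN -j MASQUERADE"
}

case "${1:-print}" in
    start)    scipfire_rules | sh ;;        # apply (needs root and netfilter)
    startlog) LOG=1; scipfire_rules | sh ;; # apply with logging
    printlog) LOG=1; scipfire_rules ;;      # review the logging variant
    *)        scipfire_rules ;;             # review without touching the kernel
esac
```

 Note that "! --syn" accepts any non-SYN TCP segment, not only replies
 to connections the LAN opened, and covers only the FTP control channel;
 on a 2.4 kernel with connection tracking, "-m state --state
 ESTABLISHED,RELATED" is the stricter choice and also handles FTP data
 channels.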




 Authors
---------------------------------------------

 Thomas Linden <scip@daemon.de>





 Where to get
---------------------------------------------

 http://www.daemon.de/scipfire
 http://sourceforge.net/scipfire





 Last changed
---------------------------------------------

 29/07/2001
