NAME
    server-firewall 1.0.1

DESCRIPTION
    server-firewall is a small iptables firewall script intended for Linux
    servers with one interface. Its aim is to protect the server as much as
    possible using the possibilities of netfilter (iptables).

FEATURES
    This firewall script protects a single interface in both directions. A
    minimum of services is enabled by default.

    Log messages and incoming and outgoing ICMP traffic are rate-limited.

    It protects the server from various scan-types, broadcasts,
    reserved-networks and some more spoofing and attacking techniques.

    Supports firewall rules for hosts with dynamic IP addresses using
    dynamic DNS.

    Logs how many bytes are passing your interface in both directions, which
    you could use to compare with the bill of your provider or to charge
    someone using your server.

    Enables general traffic shaping on your server interface. Small packets
    (ssh) get a guaranteed, small amount of bandwidth, and bigger packets
    (www, ftp) get the maximum available bandwidth less the bandwidth
    guaranteed for small packets.

    This allows you to connect to your server using ssh even if it is
    currently under a denial of service attack.

    But note that this is not totally reliable. It will still be possible
    to disable the server completely. Don't feel secure.

REQUIREMENTS
    Linux operating system.
        One of the best choices is the totally free Debian system.

    Kernel 2.4.x
        The kernel must be version 2.4.x or higher with netfilter support
        enabled. See the file samples/kernel.config for how to configure
        this.

    netfilter
        The netfilter tool suite must be installed. On Debian you can
        install it by issuing the following command:

         # apt-get install iptables

        To make sure it is installed and the kernel is configured properly,
        issue this command:

         # iptables -nL

        It should list the 3 default chains, empty and unconfigured
        (default policy: ACCEPT):

         Chain INPUT (policy ACCEPT)
         target     prot opt source               destination

         Chain FORWARD (policy ACCEPT)
         target     prot opt source               destination

         Chain OUTPUT (policy ACCEPT)
         target     prot opt source               destination

    tc  tc is part of the iproute tool suite. On Debian you can install it
        by issuing:

         # apt-get install iproute

        To check whether it works and QoS (*Quality of Service*) is enabled
        in your kernel:

         # tc qdisc

        Normally you should not receive any output. If you see something
        like *RTNETLINK answers: Invalid argument*, then you have probably
        not enabled QoS support.

    ipcalc
        Used to determine the IP configuration of your interface. You can
        find ipcalc here: http://jodies.de/ipcalc.

INSTALLATION
    Installing the server-firewall is quite simple.

    Just edit the Makefile if you need to change the destination paths, then
    issue the following command as root:

     # make install

    The next step is to edit /etc/firewall.conf. There is not much to edit
    there; perhaps your interface is not eth0, in which case change it. The
    IP address and netmask will be determined automatically. If you don't
    like this, then comment those lines out and configure them manually.

    Afterwards cd to /etc/firewall.d. There are some files of interest:

    *firewall.rules*
        This is the most interesting file: it contains all the iptables
        commands which build the firewall ruleset. Edit it to suit your
        personal preferences. By default, no incoming services are enabled
        besides SSH. Some further services are configured in the file; just
        remove the comments to accept them.

        Refer to the iptables manpage for how to use iptables.
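        The following is an added example and not the project's own
        firewall.rules. Like the print mode of the init script, the function
        only prints the iptables commands for a minimal single-interface
        ruleset of the kind described in FEATURES: reserved source networks
        and broadcasts are dropped, logging and ICMP are rate-limited, and
        SSH is the only incoming service. The interface name and SSH port are
        parameters; the reserved-network list and the limit values are
        assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not part of server-firewall: print (do not apply) the
# iptables commands for a minimal single-interface ruleset.
# Assumed: interface and SSH port are arguments; the network list and the
# rate limits below are illustrative values, not the project's own.

# Source networks that must never arrive on an Internet-facing interface:
# RFC 1918 ranges, loopback, link-local and the "this network" range.
SPOOF_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16 0.0.0.0/8"

# print_rules IFACE SSH_PORT
print_rules() {
    iface=$1
    sshport=$2
    # Start from a clean table with a deny-by-default policy in all chains.
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
EOF
    # Anti-spoofing: log (rate-limited) and drop reserved sources coming in.
    for net in $SPOOF_NETS; do
        echo "iptables -A INPUT -i $iface -s $net -m limit --limit 3/min -j LOG --log-prefix 'FW SPOOF: '"
        echo "iptables -A INPUT -i $iface -s $net -j DROP"
    done
    # Broadcasts are dropped silently; logging them would only fill the log.
    echo "iptables -A INPUT -i $iface -m pkttype --pkt-type broadcast -j DROP"
    # Replies to our own connections in, and any new connection out.
    echo "iptables -A INPUT -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -o $iface -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    # ICMP is rate-limited in both directions; excess echo requests fall
    # through to the logging rule and the DROP policy.
    echo "iptables -A INPUT -i $iface -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 5 -j ACCEPT"
    echo "iptables -A OUTPUT -o $iface -p icmp -m limit --limit 5/s -j ACCEPT"
    # The only incoming service enabled by default: SSH.
    echo "iptables -A INPUT -i $iface -p tcp --dport $sshport -m state --state NEW -j ACCEPT"
    # Whatever reaches the end of INPUT is logged (limited) and then dropped
    # by the chain policy.
    echo "iptables -A INPUT -i $iface -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix 'FW DROP: '"
}
```

        Review the output of print_rules eth0 22 first and, once it looks
        right, apply it with print_rules eth0 22 | sh. The rules use the
        2.4-era state match; on newer kernels -m conntrack --ctstate is the
        equivalent.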

    *firewall.tc*
        Contains the QoS settings described in the FEATURES section.
        Normally you don't need to tune it. But if you need or want to,
        please refer to the tc manpage and the *Linux advanced routing
        HOWTO*: http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/.
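        As an added example, not the project's firewall.tc, the following
        prints tc and iptables commands that implement the shaping described
        in FEATURES with an HTB qdisc: one class with a guaranteed rate for
        small packets and a second class with the remaining bandwidth for
        everything else, both allowed to borrow up to the full link rate.
        The bandwidth figures are parameters, the 128-byte threshold for
        "small" is a constructed value, and packets are classified with the
        iptables length match plus a firewall mark; none of this is taken
        from the project.

```shell
#!/bin/sh
# Added example, not the project's firewall.tc: print the tc and iptables
# commands for an HTB setup that guarantees a small share of the link to
# small (interactive, e.g. ssh) packets and gives bigger packets the rest.
# Assumed: interface and bandwidths (kbit/s) are arguments; 128 bytes as
# the "small packet" limit is a constructed value.

# print_shaping IFACE TOTAL_KBIT SMALL_KBIT
print_shaping() {
    iface=$1
    total=$2
    small=$3
    rest=$((total - small))
    if [ "$rest" -le 0 ]; then
        echo "guaranteed bandwidth must be smaller than the total" >&2
        return 1
    fi
    cat <<EOF
tc qdisc del dev $iface root 2>/dev/null
tc qdisc add dev $iface root handle 1: htb default 20
tc class add dev $iface parent 1: classid 1:1 htb rate ${total}kbit ceil ${total}kbit
tc class add dev $iface parent 1:1 classid 1:10 htb rate ${small}kbit ceil ${total}kbit prio 0
tc class add dev $iface parent 1:1 classid 1:20 htb rate ${rest}kbit ceil ${total}kbit prio 1
tc qdisc add dev $iface parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $iface parent 1:20 handle 20: sfq perturb 10
tc filter add dev $iface parent 1: protocol ip prio 1 handle 1 fw flowid 1:10
iptables -t mangle -A OUTPUT -o $iface -m length --length 0:128 -j MARK --set-mark 1
EOF
}
```

        Class 1:10 receives the marked small packets and is served first
        (prio 0); class 1:20 is the default for everything else. tc only
        shapes what the interface sends, which is what keeps an ssh session
        usable while the server is busy answering a flood; it cannot limit
        what arrives, which is why FEATURES warns that the server can still
        be taken down.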

    *firewall.kernel*
        This file adjusts some kernel parameters. Read the comments in the
        file for information about what they do. The file
        /usr/src/linux/Documentation/networking/ip-sysctl.txt contains
        extensive descriptions of all possibilities.

    *hosts*
        This file contains the hostnames of hosts with dynamic IP addresses.
        If you turn on the DYNAMIC chain in firewall.rules, then put the
        names of the dynamic hosts in this file, one hostname per line.

        You then also need to add a cronjob which creates the required file
        hosts.dynamic, containing the currently resolved IPs of the hosts,
        and which re-initializes the DYNAMIC chain. See samples/cron for how
        to do this.

        To use the DYNAMIC chain, just use -j DYNAMIC instead of -j $DENY as
        the target of a service rule; this feeds the packet to the DYNAMIC
        chain. If the corresponding address is accepted there, the packet
        passes the interface; if not, it is dropped, which is the default
        policy of the DYNAMIC chain.
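        The cronjob described above, as an added example and not the
        project's samples/cron: resolve_hosts rebuilds hosts.dynamic from
        the hosts file, skipping names that do not resolve so that a DNS
        failure never adds a bogus entry, and print_dynamic_chain prints the
        iptables commands that flush and refill the DYNAMIC chain from it,
        accepting only lines that look like IPv4 addresses. The file
        locations are parameters, resolution uses getent(1), and the final
        DROP rule stands in for the default policy of the chain mentioned
        above.

```shell
#!/bin/sh
# Added example, not the project's samples/cron: resolve the hostnames in
# the hosts file, write their current addresses to hosts.dynamic and print
# the iptables commands that rebuild the DYNAMIC chain from it.
# Assumed: file locations are arguments; getent(1) is used for resolution.

# resolve_hosts HOSTS_FILE OUT_FILE
# Writes one IPv4 address per resolvable hostname. Names that do not
# resolve are reported on stderr and skipped, so an outage at the dynamic
# DNS provider never turns into a stale or empty entry.
resolve_hosts() {
    : > "$2"
    while read -r name; do
        case $name in ''|"#"*) continue ;; esac
        addr=$(getent ahostsv4 "$name" | awk 'NR==1 {print $1}')
        if [ -n "$addr" ]; then
            echo "$addr" >> "$2"
        else
            echo "warning: cannot resolve $name" >&2
        fi
    done < "$1"
}

# print_dynamic_chain DYN_FILE
# Flushes DYNAMIC and accepts exactly the addresses listed; the trailing
# DROP plays the role of the chain's default policy. Lines that are not
# plain dotted-quad addresses are rejected, so a damaged hosts.dynamic
# cannot smuggle arbitrary text into a rule.
print_dynamic_chain() {
    echo "iptables -F DYNAMIC"
    while read -r addr; do
        case $addr in
            ''|*[!0-9.]*) echo "skipping bad entry: $addr" >&2; continue ;;
        esac
        echo "iptables -A DYNAMIC -s $addr -j ACCEPT"
    done < "$1"
    echo "iptables -A DYNAMIC -j DROP"
}

# Typical cron invocation (paths are assumptions for this example):
#   resolve_hosts /etc/firewall.d/hosts /etc/firewall.d/hosts.dynamic
#   print_dynamic_chain /etc/firewall.d/hosts.dynamic | sh
```

        Because the chain is flushed and refilled in one short sequence, a
        host whose address changed is reachable again at the next cron run;
        run it no more often than the TTL of your dynamic DNS records
        suggests.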

MAINTENANCE
    If you are ready to try it out, first check whether the generated rules
    are correct:

     # /etc/init.d/firewall print

    This just prints the commands which would be executed. If it looks OK,
    then do:

     # /etc/init.d/firewall start

    and check if it works. Use nmap to determine whether your server is
    still insecure or whether it is almost closed.

    A script called flog is also installed, which makes it somewhat easier
    to view the firewall syslog messages:

     # tail -f /var/log/firewall.log | flog

    You may also install a crontab entry for fipaccounting which writes the
    accounting data to a logfile and clears the counters. Use faccsummarize
    to summarize the accounting log.
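    An added example of the accounting step, not the project's
    fipaccounting: the counters of an ACCOUNTING chain are read and zeroed
    in a single iptables call, so that no traffic is lost between reading
    and clearing, and reduced to one log line per run. It assumes an
    ACCOUNTING chain with one rule matching traffic in on the interface and
    one matching traffic out; the sample counter output is constructed.

```shell
#!/bin/sh
# Added example, not the project's fipaccounting: turn the counters of an
# accounting chain into one log line and reset them in the same call.
# Assumed: a chain ACCOUNTING exists with a rule "-i IFACE" and a rule
# "-o IFACE"; SAMPLE below is a constructed copy of iptables output.

# summarize_counters IFACE  < output of "iptables -nvxL ACCOUNTING"
# Prints "<epoch> in=<bytes> out=<bytes>". The in/out interface columns are
# located from the end of the line because the target column may be empty.
summarize_counters() {
    awk -v iface="$1" -v now="$(date +%s)" '
        /^Chain/ || $1 == "pkts" { next }          # chain and column headers
        NF >= 8 && $(NF-3) == iface { inb  += $2 }  # "in" column, bytes in $2
        NF >= 8 && $(NF-2) == iface { outb += $2 }  # "out" column
        END { printf "%s in=%d out=%d\n", now, inb, outb }'
}

# log_accounting IFACE LOGFILE
# "-L -Z" together lists the counters and zeroes them atomically (see
# iptables(8)), so bytes arriving between a separate list and zero call are
# not silently dropped from the bill.
log_accounting() {
    iptables -nvxL ACCOUNTING -Z | summarize_counters "$1" >> "$2"
}

# Constructed sample of what "iptables -nvxL ACCOUNTING" prints.
SAMPLE='Chain ACCOUNTING (2 references)
    pkts      bytes target     prot opt in     out     source               destination
    1500    2000000            all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
     900     750000            all  --  *      eth0    0.0.0.0/0            0.0.0.0/0'
```

    Running echo "$SAMPLE" | summarize_counters eth0 gives a line ending in
    in=2000000 out=750000; a cron entry calling log_accounting eth0
    /var/log/accounting.log once an hour yields a log that can be summed
    per day or per month.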

COPYRIGHT
     This file is part of the SERVER-FIREWALL.

     By accessing this software, SERVER-FIREWALL, you are duly
     informed of and agree to be bound by the conditions described
     below in this notice:

     This software product, SERVER-FIREWALL, is developed by Thomas
     Linden and copyrighted (C) 1999-2002 by Thomas Linden, with
     all rights reserved.

     There is no charge for the software. You can redistribute
     it and/or modify it under the terms of the GNU General Public
     License, which is incorporated by reference herein.

     SERVER-FIREWALL is distributed WITHOUT ANY WARRANTY, IMPLIED
     OR EXPRESS, OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR
     PURPOSE or that the use of it will not infringe on any third
     party's intellectual property rights.

     You should have received a copy of the GNU General Public License
     along with SERVER-FIREWALL. Copies can also be obtained from:

       http://www.gnu.org/copyleft/gpl.html

     or by writing to:

       Free Software Foundation, Inc.
       59 Temple Place, Suite 330
       Boston, MA 02111-1307
       USA

     Or contact:

       "Thomas Linden" <tom@daemon.de>

AUTHOR
    "Thomas Linden" <tom@daemon.de>

