Hi, I only just found this great script. I took the liberty of fixing a couple of the 'TO-DOs' in it. A patch against the latest version (0.9) is attached for anybody who is interested.
Rgds Pete
diff -Naur firewall-0.9/firewall firewall-0.9.1/firewall
--- firewall-0.9/firewall 2003-06-20 23:58:26.000000000 +0100
+++ firewall-0.9.1/firewall 2003-10-05 01:41:13.000000000 +0100 
@@ -115,44 +115,70 @@ echo "Unload ipchains module and rerun." exit 1 fi - - #Check for ip forwarding - if [ 1 != "`cat /proc/sys/net/ipv4/ip_forward`" ]; then -# TODO: fix this. if the script is only going to be run as a firewall -# there is no need for this to be set, as there is no routing. -# Perhaps a check to see if internal networks are defined? - - echo "Routing has not been enabled." >&2 - if [ -e /etc/sysctl.conf ] ; then - echo "Set net.ipv4.ip_forward and" >&2 - echo " net.ipv4.ip_always_defrag = 1 " >&2 - echo " in /etc/sysctl.conf" >&2 - else - echo "Please set FORWARD_IPV4=\"yes\" " >&2 - echo " in /etc/sysconfig/network" >&2 - fi - echo " or use your network configuration tool" >&2 - echo " to enable ip forwarding." >&2 - exit 1 - fi + #Check to see if there are any other than system default interfaces + # (3 standard, + pppx) - #Check for spoof protection -# TODO: How is this done for iptables???? - -# TODO: Check to see if any of the requested interfaces are found + if [ `ls /proc/sys/net/ipv4/conf | wc -l` -gt 4 ]; then + + #Check for ip forwarding + if [ 1 != "`cat /proc/sys/net/ipv4/ip_forward`" ]; then + echo "Routing has not been enabled." >&2 + if [ -e /etc/sysctl.conf ] ; then + echo "Set net.ipv4.ip_forward and" >&2 + echo " net.ipv4.ip_always_defrag = 1 " >&2 + echo " in /etc/sysctl.conf" >&2 + else + echo "Please set FORWARD_IPV4=\"yes\" " >&2 + echo " in /etc/sysconfig/network" >&2 + fi + echo " or use your network configuration tool" >&2 + echo " to enable ip forwarding." 
>&2 + exit 1 + fi + else echo "Cannot find internal interface - assuming firewall only config" + fi + + #Check for spoofing protection + + if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then + for f in /proc/sys/net/ipv4/conf/*/rp_filter + do + if [ 1 != "`cat $f`" ]; then + echo "No Spoofing Protection - Set " $f " = 1" + fi + done + else + echo "Kernel does not have spoofing protection support" + exit 1 + fi + + + # Check to see if all of the requested interfaces are found + + for EXT_INTERFACE in $EXT_INTERFACES; + do + if [ ! -e /proc/sys/net/ipv4/conf/$EXT_INTERFACE ]; then + echo "Requested interface " $EXT_INTERFACE" does not exist" + exit 1 + fi + done # if we made it this far, then things are good # make sure that ip_tables is loaded -# TODO: Adjust this to check for the presence of the capability not -# the module. This may be compiled into the kernel not as a module. + # Check for iptables capability in kernel - if [ 1 != `/sbin/lsmod | grep -c ip_tables` 2>/dev/null ]; then - #doesn't appear to be loaded - /sbin/modprobe ip_tables - fi -} + if [ ! -e /proc/net/ip_tables_names ]; then + echo "No iptables Capability Loaded - Checking for module..." + if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.o ]; then + echo "Module found - loading....." + /sbin/modprobe ip_tables + else + echo "Kernel has no capability for iptables - giving up!" + exit 1 + fi + fi logging() { # rules to log all traffic about to be dropped
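Review bot: The new side of the hunk appears to drop the closing `}` of the enclosing function: the old `-}` after the modprobe block is removed, but the replacement ends with `+ fi` / `+ fi` and runs straight into the context line `logging() {`, so unless a brace survives as a context line lost in this collapsed rendering, the patched script will not parse (the function's opening line is outside the hunk); restore it with a `+}` after the final `+ fi`. Separately, the spoof-protection loop only prints `No Spoofing Protection - Set ...` to stdout and carries on, whereas every other failed precondition in this hunk writes to `>&2` and exits; for a firewall script it would be safer to either `exit 1` there as well or enable it in place with `echo 1 > "$f"`, and to quote the path as `cat "$f"`. The module check also ignores modprobe's own result and tests for a kernel-version-specific `ip_tables.o` path, so `/sbin/modprobe ip_tables || { echo "Kernel has no capability for iptables - giving up!" >&2; exit 1; }` followed by re-testing `/proc/net/ip_tables_names` would be more robust. The interface-existence message has mismatched quoting (`"Requested interface " $EXT_INTERFACE" does not exist"`) and both new diagnostics that precede an `exit 1` should go to `>&2` like the ip_forward messages do.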