Hi,

I think I have quite a clever firewall script. Actually, I am using
/sbin/ifup-local (and I added a call to /sbin/ifdown-local whenever an
interface is brought down). This script is called every time an
interface is brought up, and so I set up ipchains rules specific to the
interface (lo, eth0, eth0:0, and ppp0). For ppp0, I am getting the
dynamic IP via /sbin/ifconfig ppp0. Note that setting the default
policies to DENY will prevent any packet from going through ppp0 before
you specifically allow it to.

Also, as I am using a local DNS for the intranet web server, mailer and
such, every time ppp0 is up I allow recursion for bind and restart
bind. I also restart it, without recursion, when ppp0 is down. This
shortens offline DNS lookups. You can recurse to worldwide DNS servers,
or to your ISP's, by using the "forwarders" directive in /etc/named.conf.
The only drawback of this method is that postfix won't run normally
now. You'll have to tell it to defer transport. That is, you'll have to
call sendmail -q whenever you are online and you want your mail to be
sent; otherwise, when offline, DNS lookups will fail and the messages
will be bounced. But a call to sendmail -q in /sbin/ifup-local does the
trick quite well. Note that local mail will still be delivered.

Well, that's it, I think I've explained most of my firewalling scripts.
If someone wants to have a look at my scripts, just contact me. I will
happily make them available. When online, you can change rules using
gfcc quite easily. For permanent changes you'll have to change the
scripts.

Gwen
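The setup described in the post (ipchains rules keyed on the interface name, the ppp0 address read from ifconfig, bind restarted with recursion on or off, and sendmail -q on link-up), as an added example script that is not Gwen's own. It assumes a Red Hat style ifup/ifdown that passes the interface name as $1, the ipchains-era "inet addr:" ifconfig output, a named.conf that already contains a "recursion ...;" line, and a LAN on $LAN_NET; all of these are assumptions, and DRY_RUN=1 prints the ipchains commands instead of running them.

```shell
#!/bin/sh
# Added example (not the poster's script): one file installed as both
# /sbin/ifup-local and /sbin/ifdown-local. Assumes Red Hat style ifup passes
# the interface name as $1. Set DRY_RUN=1 to print commands instead of running.

NAMED_CONF=${NAMED_CONF:-/etc/named.conf}   # assumed location of bind's config
LAN_NET=${LAN_NET:-192.168.1.0/24}          # assumed LAN behind eth0

# Run a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# Pull the first "inet addr:" out of ifconfig-style text on stdin; this is
# how the dynamic ppp0 address is read (old ifconfig output format assumed).
iface_addr() {
    sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p' | head -n 1
}

# Rewrite the "recursion yes|no;" line in named.conf so bind only recurses
# while the link is up; offline lookups then fail fast instead of hanging.
set_recursion() {   # $1 = yes|no, $2 = config file
    sed "s/^\([[:space:]]*recursion[[:space:]]\)[a-z]*;/\1$1;/" "$2" > "$2.tmp" \
        && mv "$2.tmp" "$2"
}

# Baseline: deny by default, trust only loopback and the LAN side.
# With DENY policies nothing crosses ppp0 until ppp_up_rules adds it.
base_rules() {
    run ipchains -F input
    run ipchains -P input DENY
    run ipchains -P forward DENY
    run ipchains -P output ACCEPT
    run ipchains -A input -i lo -j ACCEPT
    run ipchains -A input -i eth0 -s "$LAN_NET" -j ACCEPT
}

# Rules specific to the dial-up link, using its current address.
ppp_up_rules() {   # $1 = interface, $2 = its current address
    base_rules
    # Anti-spoofing: LAN addresses must never arrive on the dial-up link.
    run ipchains -A input -i "$1" -s "$LAN_NET" -j DENY -l
    # Replies to connections we opened (non-SYN TCP), DNS answers, ICMP.
    run ipchains -A input -i "$1" -p tcp ! -y -d "$2" -j ACCEPT
    run ipchains -A input -i "$1" -p udp -s 0/0 53 -d "$2" -j ACCEPT
    run ipchains -A input -i "$1" -p icmp -d "$2" -j ACCEPT
    # Everything else inbound on the link is dropped and logged.
    run ipchains -A input -i "$1" -j DENY -l
}

# Dispatch: same script for ifup-local and ifdown-local, told apart by $0.
MODE=up
case "$0" in *ifdown-local) MODE=down ;; esac

if [ "$1" = ppp0 ]; then
    if [ "$MODE" = up ]; then
        ADDR=$(ifconfig "$1" | iface_addr)
        ppp_up_rules "$1" "$ADDR"
        set_recursion yes "$NAMED_CONF"
        run /etc/rc.d/init.d/named restart
        run sendmail -q          # flush mail deferred while offline
    else
        base_rules               # back to LAN-only rules
        set_recursion no "$NAMED_CONF"
        run /etc/rc.d/init.d/named restart
    fi
fi
```

The rule set is evaluated top to bottom, so the anti-spoof DENY on the link sits before the ACCEPT lines, and the final logged DENY catches anything the earlier lines did not match; the default DENY policy also covers the window between the link coming up and the ACCEPT rules being added.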