Re: Freerunner Firewall
Where can I find the module to load?

Regards,
Dan

___ Openmoko community mailing list community@lists.openmoko.org http://lists.openmoko.org/mailman/listinfo/community
Re: Freerunner Firewall
Is it possible to use this script with SHR unstable? I tried, but I got this error:

Starting iptables firewall:
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Re: Freerunner Firewall
On 17-06-2010 18:59, Shosholoza wrote:
> Is it possible to use this script with SHR unstable? I tried, but I got this error:
> Starting iptables firewall:
> iptables: No chain/target/match by that name.
> iptables: No chain/target/match by that name.

Yes, but you may have to load the right modules. I have this *very* basic script to set up my Neo's firewall (see attachment). Hope it helps.

Rui

#!/bin/sh
# very basic Neo firewall: default DROP everywhere, then punch holes
iptables=/usr/sbin/iptables

$iptables -F INPUT
$iptables -F OUTPUT
$iptables -F FORWARD
$iptables -t nat -F POSTROUTING
$iptables -P INPUT DROP
$iptables -P OUTPUT DROP
$iptables -P FORWARD DROP

# prepare for accounting: create the GPRS chain before flushing it
# (flushing a chain that does not exist yet fails with
# "No chain/target/match by that name")
$iptables -N GPRS 2>/dev/null
$iptables -F GPRS

# my laptop and me
$iptables -A INPUT -i usb0 -s 192.168.0.200 -j ACCEPT
$iptables -A OUTPUT -o usb0 -d 192.168.0.200 -j ACCEPT

# allow outgoing NEW traffic regardless of interface
$iptables -A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT

# allow incoming related traffic regardless of interface
$iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# accounting
$iptables -A OUTPUT -o ppp0 -j GPRS
$iptables -A FORWARD -o ppp0 -j GPRS
$iptables -A INPUT -i ppp0 -j GPRS

# forward and masquerade traffic from my computer
$iptables -A FORWARD -i usb0 -o ppp0 -s 192.168.0.200 -m state --state NEW,ESTABLISHED -j ACCEPT
$iptables -A FORWARD -i ppp0 -o usb0 -d 192.168.0.200 -m state --state RELATED,ESTABLISHED -j ACCEPT
$iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
Re: Freerunner Firewall
Your firewall would be good for me. How can I load the right module? I think the ipt_state module is necessary.
Re: Freerunner Firewall
On 18 June 2010 07:05, Shosholoza caval...@tin.it wrote:
> Your firewall would be good for me. How can I load the right module? I think the ipt_state module is necessary.

This might help: http://edoceo.com/liber/linux-kernel-modules
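The question above (which module to load before the state-based rules work) is usually answered by hand with modprobe. As an added example, not code from anyone in this thread, the script below scans an iptables rule script for the features it uses, derives the netfilter modules those features need, and loads them before running the rules, so a missing module is reported by name instead of surfacing later as "No chain/target/match by that name". The feature-to-module table is an assumption based on 2.6.x kernel module names (xt_state, with ipt_state kept as an alias, nf_conntrack replacing ip_conntrack from 2.6.20) and covers only the features used in the scripts in this thread plus LOG and REJECT; extend it if your rules use other matches or targets.

```shell
#!/bin/sh
# Added example: load the netfilter modules an iptables rule script needs
# before the rules are applied. Module names are those of 2.6.x kernels;
# the legacy names in load_module() are tried on older kernels.

# Print the module(s) a rule feature needs. $1 is the feature text as it
# appears in the rule, e.g. "-m state" or "-j MASQUERADE".
# (Assumed mapping; covers the features used in this thread plus LOG/REJECT.)
modules_for() {
    case "$1" in
        "-m state")      echo "nf_conntrack nf_conntrack_ipv4 xt_state" ;;
        "-m conntrack")  echo "nf_conntrack nf_conntrack_ipv4 xt_conntrack" ;;
        "-t nat")        echo "nf_conntrack nf_conntrack_ipv4 iptable_nat" ;;
        "-j MASQUERADE") echo "iptable_nat ipt_MASQUERADE" ;;
        "-j LOG")        echo "ipt_LOG" ;;
        "-j REJECT")     echo "ipt_REJECT" ;;
        *)               echo "" ;;
    esac
}

# Scan a rule script ($1) and print the distinct modules it needs, in load
# order (conntrack core before the matches and targets that depend on it).
# iptable_filter is always first: every script here uses the filter table.
required_modules() {
    out=""
    for feature in "-m state" "-m conntrack" "-t nat" "-j MASQUERADE" "-j LOG" "-j REJECT"; do
        if grep -q -- "$feature" "$1"; then
            for m in $(modules_for "$feature"); do
                case " $out " in
                    *" $m "*) ;;            # already listed
                    *)        out="$out $m" ;;
                esac
            done
        fi
    done
    echo "iptable_filter$out"
}

# Load one module, falling back to its pre-rename name where one exists.
# Returns non-zero only if neither name loads, so the caller can stop before
# applying rules that would otherwise fail half-way through with a DROP
# policy already in force.
load_module() {
    modprobe -q "$1" 2>/dev/null && return 0
    case "$1" in
        nf_conntrack|nf_conntrack_ipv4) legacy=ip_conntrack ;;
        xt_state)                       legacy=ipt_state ;;
        xt_conntrack)                   legacy=ipt_conntrack ;;
        *)                              legacy="" ;;
    esac
    [ -n "$legacy" ] && modprobe -q "$legacy" 2>/dev/null
}

load_modules() {
    for m in $(required_modules "$1"); do
        if load_module "$m"; then
            echo "loaded $m"
        else
            echo "cannot load $m: not built for this kernel; fix the kernel" \
                 "or drop the rules that need it" >&2
            return 1
        fi
    done
}

case "${1:-}" in
    list) required_modules "$2" ;;
    load) load_modules "$2" && sh "$2" ;;   # only run the rules if every module loaded
    *)    echo "usage: $0 list|load /path/to/iptables-script" ;;
esac
```

Run it as `sh loadmods.sh list /etc/init.d/iptables` to see what the rule script will need, or `sh loadmods.sh load /etc/init.d/iptables` to load the modules and then run the rules; a module that the kernel was built without is reported before any rule is installed.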
Freerunner Firewall
For anyone interested, I've posted two articles on my blog (I hate blogs) regarding firewalling on the Freerunner - http://jthinks.com/freerunner-simple-firewall and http://jthinks.com/freerunner-advanced-firewall - that link to the required package(s) and include the scripts and support to firewall your Freerunner, as well as explaining some concepts and options, including NAT FORWARD to use the Freerunner as a gateway for another computer.

Note that by default only three ports apparently are open on OM2008 - TCP 22 (SSH), TCP 111 (rpcbind/portmap) and possibly TCP 6000 (remote X11 - I've seen it open before, but it's not right now, on OM2008.8-update on my Freerunner), so firewalling the default system doesn't gain much. ('netstat -ln' to see what ports YOUR Freerunner is listening on.)

The gist of the 'freerunner-simple-firewall' article is a script that lives in /etc/init.d and on startup (or manual invocation) installs a set of firewall rules using the netfilter firewalling support in the Linux 2.6.x kernel. The 'simple' firewall requires only the iptables binary, which can be obtained from either http://www.angstrom-distribution.org/feeds/2008/ipk/glibc/armv4t/base/iptables_1.3.8-r4_armv4t.ipk or http://newkirk.us/om/iptables_1.4.2-rc1_armv4t.ipk. The ipk on my site excludes ip6tables (IPv6 firewall control - packaged separately by me, but bundled with iptables in the Angstrom feed) but includes the iptables-save and iptables-restore binaries (actually symlinks to the iptables multipurpose binary, whereas those two binaries are a separate package in the Angstrom feed called 'iptables-utils'), plus the script and ruleset incorporated in the 'freerunner-advanced-firewall' article.
For anyone who wants to firewall their Freerunner but isn't interested in reading the articles, you can either install my ipk, or install the Angstrom ipk plus the script attached to this message, which should be placed in /etc/init.d/iptables and then configured to run just after networking is started with 'update-rc.d iptables defaults 42'. (Note that I do NOT currently have a feed set up; you can install with 'opkg install http://newkirk.us/om/iptables_1.4.2-rc1_armv4t.ipk' or download and install locally.) Using my ipk results in the 'advanced firewall', while the attached script plus the Angstrom ipk results in the 'simple firewall' - the rulesets are essentially the same, but management (i.e., adding rules) is easier with the 'advanced' solution.

Enjoy your pocket protector.

j

PS - the scripts and rulesets are released free of copyright - do with them as you will. The two articles themselves are copyrighted, but I hereby declare an explicit exception for any portions of them to be incorporated into the Openmoko wiki if that is desirable, understanding that they will then fall under the license (or non-license) applicable to the wiki contents.
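The post above describes the shape of the 'simple firewall': an /etc/init.d script that installs a ruleset at boot, on a system where only TCP 22, 111 and (sometimes) 6000 are listening. As an added example, not the script attached to the post or the one in the linked articles, here is an init script in that shape. It differs from the thread's scripts in one design choice: the whole ruleset is written in iptables-save format and fed to iptables-restore in one go, so the kernel swaps the table atomically and a typo leaves the old rules in place rather than a half-built set with a DROP policy already in force. Assumptions, labelled in the comments: iptables-restore is installed at /usr/sbin (the Angstrom 'iptables-utils' package or the ipk mentioned above), the USB host link is usb0 with the laptop at 192.168.0.200 (the address used earlier in this thread), and GPRS is ppp0. The three default ports are reachable from the USB host only, never from GPRS.

```shell
#!/bin/sh
# /etc/init.d/iptables - added example of a "simple firewall" init script for
# the Freerunner (example code, not the thread's own scripts).
# Install with: update-rc.d iptables defaults 42
# Assumptions: iptables-restore at /usr/sbin, laptop on usb0 at 192.168.0.200,
# GPRS on ppp0.

IPTABLES=/usr/sbin/iptables
IPTABLES_RESTORE=/usr/sbin/iptables-restore
LAPTOP=192.168.0.200
USB_IF=usb0
GPRS_IF=ppp0

# Print the ruleset in iptables-save format. INPUT is default-deny; the three
# ports OM2008 listens on by default (22 ssh, 111 portmap, 6000 X11) are
# allowed only from the laptop on the USB link, so nothing answers on GPRS.
ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i $USB_IF -s $LAPTOP -p tcp --dport 22 -j ACCEPT
-A INPUT -i $USB_IF -s $LAPTOP -p tcp --dport 111 -j ACCEPT
-A INPUT -i $USB_IF -s $LAPTOP -p tcp --dport 6000 -j ACCEPT
-A INPUT -i $USB_IF -s $LAPTOP -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# TCP ports the ruleset opens, one per line. Compare against 'netstat -ln':
# anything listening that is not in this list is either meant to be private
# (blocked by the DROP policy) or a service you forgot about.
allowed_tcp_ports() {
    ruleset | sed -n 's/.*-p tcp --dport \([0-9]*\).*/\1/p'
}

# iptables-restore replaces the table in one commit: either the full ruleset
# is live or nothing changed.
start() {
    ruleset | "$IPTABLES_RESTORE" && echo "firewall up"
}

# Back to accept-everything; used before reconfiguring the USB link.
stop() {
    printf '*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\nCOMMIT\n' \
        | "$IPTABLES_RESTORE" && echo "firewall down"
}

status() {
    "$IPTABLES" -L INPUT -n -v
}

case "${1:-}" in
    start)   start ;;
    stop)    stop ;;
    restart) stop; start ;;
    status)  status ;;
    show)    ruleset ;;        # print the ruleset without applying it
    *)       echo "usage: $0 start|stop|restart|status|show" ;;
esac
```

'sh /etc/init.d/iptables show' prints the ruleset so it can be reviewed (or piped through 'iptables-restore --test' on iptables 1.4.x) before 'start' applies it; 'status' shows the live INPUT chain with packet counters, which is the quickest way to see whether GPRS-side traffic is actually hitting the DROP policy.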