Re: Freerunner Firewall
Where I can find the module for load? Regards Dan -- View this message in context: http://openmoko-public-mailinglists.1958.n2.nabble.com/Freerunner-Firewall-tp1094490p5196601.html Sent from the Openmoko Community mailing list archive at Nabble.com. ___ Openmoko community mailing list community@lists.openmoko.org http://lists.openmoko.org/mailman/listinfo/community
Re: Freerunner Firewall
It is possible to use this script with SHR unstable? I tried but I found this error: Starting iptables firewall: iptables: No chain/target/match by that name. iptables: No chain/target/match by that name. -- View this message in context: http://openmoko-public-mailinglists.1958.n2.nabble.com/Freerunner-Firewall-tp1094490p5192033.html Sent from the Openmoko Community mailing list archive at Nabble.com. ___ Openmoko community mailing list community@lists.openmoko.org http://lists.openmoko.org/mailman/listinfo/community
Re: Freerunner Firewall
Em 17-06-2010 18:59, Shosholoza escreveu: It is possible to use this script with SHR unstable? I tried but I found this error: Starting iptables firewall: iptables: No chain/target/match by that name. iptables: No chain/target/match by that name. Yes, but you may have to load the right modules. I have this *very* basic script to setup my Neo's firewall (see attachment). Hope it helps. Rui #!/bin/sh iptables=/usr/sbin/iptables $iptables -F INPUT $iptables -F OUTPUT $iptables -F FORWARD $iptables -P INPUT DROP $iptables -P OUTPUT DROP $iptables -P FORWARD DROP # prepare for accounting $iptables -F GPRS $iptables -N GPRS # my laptop and me $iptables -A INPUT -i usb0 -s 192.168.0.200 -j ACCEPT $iptables -A OUTPUT -o usb0 -d 192.168.0.200 -j ACCEPT # allow outgoing NEW traffic regardless of interface $iptables -A OUTPUT -m state --state NEW,ESTABLISHED-j ACCEPT # allow incoming related traffic regardless of interface $iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # accounting $iptables -A OUTPUT -o ppp0 -j GPRS $iptables -A FORWARD -o ppp0 -j GPRS $iptables -A INPUT -i ppp0 -j GPRS # forward and masquerade traffic from my computer $iptables -A FORWARD -i usb0 -o ppp0 -s 192.168.0.200 -m state --state NEW,ESTABLISHED -j ACCEPT $iptables -A FORWARD -i ppp0 -o usb0 -d 192.168.0.200 -m state --state RELATED,ESTABLISHED -j ACCEPT $iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE ___ Openmoko community mailing list community@lists.openmoko.org http://lists.openmoko.org/mailman/listinfo/community
Re: Freerunner Firewall
Your firewall it would be good for me. How can I load the right module? I think it is necessary module ipt_state. -- View this message in context: http://openmoko-public-mailinglists.1958.n2.nabble.com/Freerunner-Firewall-tp1094490p5192341.html Sent from the Openmoko Community mailing list archive at Nabble.com. ___ Openmoko community mailing list community@lists.openmoko.org http://lists.openmoko.org/mailman/listinfo/community
Re: Freerunner Firewall
On 18 June 2010 07:05, Shosholoza caval...@tin.it wrote: Your firewall it would be good for me. How can I load the right module? I think it is necessary module ipt_state. this might help. http://edoceo.com/liber/linux-kernel-modules ___ Openmoko community mailing list community@lists.openmoko.org http://lists.openmoko.org/mailman/listinfo/community
Freerunner Firewall
For anyone interested, I've posted two articles on my blog (I hate blogs)
regarding firewalling on the Freerunner -
http://jthinks.com/freerunner-simple-firewall and
http://jthinks.com/freerunner-advanced-firewall - that link to the required
package(s) and include the scripts and support to firewall your Freerunner,
as well as explaining some concepts and options including NAT FORWARD to
use the Freerunner as a gateway for another computer.
Note that by default, only three ports apparently are open on OM2008 -
TCP22 (SSH), TCP111 (rpcbind/portmap) and possibly TCP6000 (remote X11 -
I've seen it open before but it's not right now, on OM2008.8-update on my
Freerunner), so firewalling of the default system doesn't gain much.
('netstat -ln'
to see what ports YOUR Freerunner is listening on)
The gist of the 'freerunner-simple-firewall' article is a script that lives
in /etc/init.d and on startup (or manual invocation) installs a set of
firewall rules using the netfilter firewalling support in the Linux 2.6.x
kernel. The 'simple' firewall requires only the iptables binary, which can
be obtained from either
http://www.angstrom-distribution.org/feeds/2008/ipk/glibc/armv4t/base/iptables_1.3.8-r4_armv4t.ipk
or http://newkirk.us/om/iptables_1.4.2-rc1_armv4t.ipk - the ipk on my site
excludes ip6tables (ipv6 firewall control - packaged separately by me but
bundled with iptables in Angstrom feed) but includes the iptables-save and
iptables-restore binaries (actually symlinks to the iptables-multipurpose
binary, whereas those two binaries are a separate package in the Angstrom
feed called 'iptables-utils') plus includes the script and ruleset
incorporated in the 'freerunner-advanced-firewall' article.
For anyone who wants to firewall their Freerunner but isn't interested in
reading the articles, you can either install my ipk, or install the
Angstrom ipk plus the script attached to this message, which should be
placed in /etc/init.d/iptables and then configured to run just after
networking is started with 'update-rc.d iptables defaults 42'. (note that
I do NOT currently have a feed set up, you can install with 'opkg install
http://newkirk.us/om/iptables_1.4.2-rc1_armv4t.ipk' or download and install
locally) Using my ipk results in the 'advanced firewall' while the
attached script plus the Angstrom ipk results in the 'simple firewall' -
rulesets are essentially the same, but management (IE, adding rules) is
easier with the 'advanced' solution.
Enjoy your pocket protector.
j
PS - the scripts and rulesets are released free of copyright - do with them
as you will. The two articles themselves are copyrighted, but I hereby
declare an explicit exception for any portions of them to be incorporated
into the Openmoko wiki if that is desirable, understanding that they will
then fall under the license (or non-license) applicable to the wiki
contents.
iptables
Description: Binary data
___
Openmoko community mailing list
community@lists.openmoko.org
http://lists.openmoko.org/mailman/listinfo/community
