Q:
Exact email quote: "Your firewall doesn't work, howcome?"
A: First of all: this type of message doesn't really
help me much in solving your problem!
I'm always willing to help but some people still want me to guess whatever
problem they have. Second note is RTFM (Read-The-F*cking-Manual = the README-file and this page!) before
contacting me, most problems are caused by people who think that a piece of software should just work
without reading the documentation. Also check the question below!
Q:
I can't get it to work.
A: Always first check whether there is an updated version of my firewall.
If you experience strange iptables/kernel errors, see whether there is an updated version of iptables
or the kernel for your distribution; a lot of problems are caused by an
out-of-date iptables/kernel which conflicts with my script. If you still
cannot find the problem and you tried really, really hard, then you should
post your question on my firewall mailing list, where either I or others may
be able to help you. At least provide the following info:
- Linux distribution
- Kernel version
- iptables version
- firewall version
- (relevant) firewall logs
- attach your (firewall) configuration file
Furthermore provide as much (relevant) and detailed information as
possible (e.g. the output of 'ifconfig', 'ip route' and/or of the 'start' command).
Q:
I emailed you but I don't get any answer! Are you too lame to answer
me back?
A: Like other people who make free software, I don't
make any money with it (but feel free to do so and I will give it to charity),
so in the first place I don't owe you anything. But as I am simply too busy to
manage a free helpdesk I had to make some rules:
- First of all, plain (helpdesk) questions should always be posted to the mailing list.
As I stated earlier I am simply too busy to help everybody out. People that do NOT
honour this will NOT get any answer nor reply.
- Security issues/bugs may be emailed to me directly; everything else should be posted
on the mailing list (first). "How do I ...." questions (helpdesk questions) should always go to the mailing list.
- Note that often I don't have the time (the delay could be as long as 2 weeks) to answer back.
- Also note that some emails don't require an answer, though the information is USED
(I think it's always better to use the time to actually implement the
feature and/or fix the bug than answer somebody back that I will implement it).
- Stupid questions of people who are too lazy to read or of people who
don't deserve to own a Linux machine (meaning they own one but don't know
sh*t about it) also don't get any response. Some people still think a
"one-line"-email to me can resolve their problem -> IT CAN'T!
Q:
I can't get it to work, there seems to be a problem with the module
dependencies. What can I try to fix this?
A: Try running "depmod -a" to update the module
dependency list of the OS. Note that most distributions already
perform this action at boot time.
Q:
How does your version numbering work?
A: The version number consists of three parts. The first is the
major version number (1). The second is the minor version, and also tells you
whether it is a development branch or not: odd numbers are development, even numbers are
mainline. The third is the subminor version and tells you whether the release is
stable or not: an even number means stable, an odd number means unstable. An unstable
version number is always followed by "RC" or "BETA" and an additional number, which
tells you how "stable" an unstable version is; an RC should normally be quite stable,
as it is a "Release Candidate". Stable versions are sometimes also followed by a single
character (a-z), which is used for minor changes (the release is still stable).
Q:
How can I forward port 21 and 25 to 192.168.0.5 and forward port 5000-5010
to 192.168.0.6?
A: Use the NAT_TCP_FORWARD and/or NAT_UDP_FORWARD variable(s), depending on
which protocol(s) the services use, like this:
NAT_TCP_FORWARD="21,25>192.168.0.5 5000:5010>192.168.0.6"
NAT_UDP_FORWARD="21,25>192.168.0.5 5000:5010>192.168.0.6"
Q:
How can I make eDonkey/eMule work so that I don't get low ID (firewalled)?
A: You need to forward TCP/UDP port 4662 and UDP port 4672 to
your internal host (eg. 192.168.0.5):
NAT_TCP_FORWARD="4662>192.168.0.5"
NAT_UDP_FORWARD="4662,4672>192.168.0.5"
Q:
How can I enter multiple ports in any of the variables?
A: In most variables you can enter multiple ports separated by spaces. The exception is
the xxx_FORWARD variables: there the ports of one forward entry are separated by commas, and
spaces separate the entries (see the forward examples above). The comment in the config file
normally shows a good example of how to use each variable.
Q:
How can I restrict the access of certain forwarded ports? I only want to allow IPs
1.2.3.4 and 5.6.7.8 for the forwarded HTTP (port 80) service.
A: Put the allowed source IP address(es), comma separated and followed by ':', in front of
the forward specification. Example:
NAT_TCP_FORWARD="1.2.3.4,5.6.7.8:80>192.168.0.5"
NAT_UDP_FORWARD="1.2.3.4,5.6.7.8:80>192.168.0.5"
Q:
How can I enter port ranges in the variables?
A: Port ranges should be written with the ':' separator, e.g. "5000:5010"
would include ports 5000 through 5010.
Q:
Why don't you block any trojans by default?
A: Because the list of existing trojans is simply too
large (and growing). It is also unnecessary: the default policy of the firewall drops all
unsolicited incoming traffic, so the ports trojans listen on are blocked anyway, except for
traffic from full-access subnets! The fwfilter script DOES know all common trojans,
however.
Q:
Where does the name XMAS-scan come from?
A: The name XMAS came from the first time someone caught
such a packet. All the TCP flags were set, like a fully
lit Xmas tree. It also probably happened around Xmas, I presume. But
that is networking legend! (Arch@os)
Q:
How can I use the script with chkconfig (Redhat)?
A: Just copy or (soft) link the script to "/etc/init.d"
(that's it).
Q:
How can I add custom iptables rules?
A: Just put your custom iptables rules in "/etc/iptables-custom-rules"
(default location). CAUTION!: All custom rules are
loaded at the beginning of the script, before its own rules, so a custom rule can
override some of the security of my script if you don't know exactly what
you're doing.
Q:
What's the proper way to use the blocked hosts file?
A: Just put the hostname or IP of the host(s) you want
to block in "/etc/iptables-blocked-hosts" (default location), one per line.
You can use comments (starting with the #-character), but only
when the whole line is a comment; a comment after an entry on the same line is not allowed.
Q:
When I turn on host resolving, I get an error saying that 'dig' can not be found.
A: You must install the package that contains the 'dig' utility
(bind-utils on Red Hat-style distributions, dnsutils on Debian-style ones).
Q:
I want to forward (DNAT) from port 81 on my firewall machine to port
80 on a local host (192.168.0.3). How can
I do this?
A: You can do this in almost the same way as a normal
forward; the only thing you need to add is the target port (:80) to the destination host
in the TCP_FORWARD / UDP_FORWARD variables. In this case it would become
"81>192.168.0.3:80"
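The forward syntax from the questions above (comma-separated ports, ':' ranges, an allowed-source list in front of the ports, and a remapped destination port) translated into plain iptables commands, as an added example. This is not code from the firewall script, which keeps its own chain layout; EXT_IF defaulting to eth0 and the use of the bare PREROUTING and FORWARD chains are assumptions for illustration. The rules are printed rather than executed, so you can check what a value will do before loading it:

```bash
#!/bin/sh
# Added example, not code from the firewall script: expand the FAQ's
# xxx_FORWARD syntax into the iptables rules such an entry implies.
# Rules are printed, not executed. EXT_IF (default eth0) and the plain
# PREROUTING/FORWARD chains are assumptions for illustration.
EXT_IF="${EXT_IF:-eth0}"

# fw_port_match PORTS: "80" -> "--dport 80", "21,25" -> "-m multiport --dports 21,25".
# A range such as 5000:5010 is accepted by both forms.
fw_port_match() {
  case "$1" in
    *,*) printf '%s' "-m multiport --dports $1" ;;
    *)   printf '%s' "--dport $1" ;;
  esac
}

# fw_emit PROTO SRC PORTS HOST DEST DPORT: one DNAT rule plus the FORWARD rule
# that lets the translated packet through (empty SRC = any source).
fw_emit() {
  local proto="$1" src="$2" ports="$3" host="$4" dest="$5" dport="$6" smatch=""
  [ -n "$src" ] && smatch=" -s $src"
  printf 'iptables -t nat -A PREROUTING -i %s -p %s%s %s -j DNAT --to-destination %s\n' \
    "$EXT_IF" "$proto" "$smatch" "$(fw_port_match "$ports")" "$dest"
  printf 'iptables -A FORWARD -i %s -p %s%s -d %s %s -j ACCEPT\n' \
    "$EXT_IF" "$proto" "$smatch" "$host" "$(fw_port_match "$dport")"
}

# fw_forward_rules PROTO SPEC...   (SPEC forms as used in this FAQ)
#   21,25>192.168.0.5                ports 21 and 25 to one host
#   5000:5010>192.168.0.6            a port range (':' separator)
#   1.2.3.4,5.6.7.8:80>192.168.0.5   only these source IPs may use the forward
#   81>192.168.0.3:80                public port 81 remapped to port 80 on the host
fw_forward_rules() {
  local proto="$1" spec lhs dest srcs ports host dport src
  shift
  for spec in "$@"; do
    lhs="${spec%%>*}"            # part before '>'
    dest="${spec#*>}"            # part after '>'
    srcs=""; ports="$lhs"
    case "$lhs" in
      # dotted addresses before a ':' are a source list; a bare 5000:5010 is a range
      *.*:*) srcs="${lhs%%:*}"; ports="${lhs#*:}" ;;
    esac
    host="${dest%%:*}"
    case "$dest" in
      *:*) dport="${dest#*:}" ;;  # remapped port on the internal host
      *)   dport="$ports" ;;      # same port(s) as on the outside
    esac
    if [ -n "$srcs" ]; then      # one rule pair per allowed source
      for src in $(printf '%s' "$srcs" | tr ',' ' '); do
        fw_emit "$proto" "$src" "$ports" "$host" "$dest" "$dport"
      done
    else
      fw_emit "$proto" "" "$ports" "$host" "$dest" "$dport"
    fi
  done
}

# Usage: pass the config value unquoted so that every entry becomes one argument.
NAT_TCP_FORWARD="21,25>192.168.0.5 5000:5010>192.168.0.6 81>192.168.0.3:80"
fw_forward_rules tcp $NAT_TCP_FORWARD
```

The source-restricted form is told apart from a port range by the dots in front of the ':'; without a source list the DNAT rule matches any sender, which is exactly why the FAQ recommends restricting forwards of services that only a few hosts need.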
Q:
The script shows an error saying something like "info is ambiguous,
...". What's the cause and how can I fix this?
A: The cause is a bug in older versions of iptables (<1.2.3)
which do not understand strings passed to the iptables LOG
option "--log-level". The best thing you can do
is upgrade to a newer (or the latest) version of iptables. If you really can't,
you can also fix it by using the number
associated with the required log level. For the default value, "info",
the variable "LOGLEVEL" should equal "6" in the configuration file (LOGLEVEL=6).
Q:
How can I use an internal (masqueraded) machine as a VPN server?
A: First you need NAT (masquerading) enabled. Second
you need to configure the following variables:
- IP_FORWARD="47>YOUR_LOCAL_HOST" (47 = GRE, the IP protocol PPTP uses)
-> example: IP_FORWARD="47>192.168.0.2"
- TCP_FORWARD="500,1723,3389>YOUR_LOCAL_HOST"
-> example: TCP_FORWARD="500,1723,3389>192.168.0.2"
- UDP_FORWARD="500,1723,3389>YOUR_LOCAL_HOST"
-> example: UDP_FORWARD="500,1723,3389>192.168.0.2"
Q:
Does your firewall work with IPSEC VPN (KAME/Racoon)?
A: Yep :-) There is a plugin available to get it to work.
Q:
Does your firewall work with CIPE?
A: Yes. Here's how you should do it; it's actually
quite easy with my script.
You need to configure the following variables:
- OPEN_UDP="1119" # 1119 = CIPE tunnel (UDP)
- TRUSTED_IF="cipcb0" # the CIPE device; this allows the actual VPN traffic
to your gateway/network.
- RP_FILTER=0 # If we don't do this, reverse-path filtering drops the packets coming from the
private addresses on the far side of the tunnel, so they never get routed into our net.
Note that rp_filter is also an anti-spoofing check, so with it off you rely on the firewall rules alone for that.
Q:
I'm seeing INVALID packets being dropped (with a nested ICMP packet) with
error "INCOMPLETE". What causes this?
A: Well, there's not much I could find about this issue
but it seems to be caused by congested routers which cannot
handle the traffic but it could also be caused by eDonkey servers which
are abused (for DoS attacks). For now
there's not much I can do about it as I'm still not certain about its
causes. If someone can provide me with more
information please contact me.
Q:
How can I enable the use of protocols like UPnP for my internal network?
A: You should install the "Linux UPnP Internet Gateway Device",
which is available from
http://linux-igd.sourceforge.net/.
To enable support for it in my firewall, set FORWARD_LOOSE=1. This will
allow any FORWARD (not INPUT) packet from the outside world into the local
network, so the default port blocking then only protects the gateway itself, not the
internal hosts. Note that it's considerably less secure when you use this feature.
Q:
I did a nmap(port scan) from my internal network against my public IP
and everything is open!!! I thought your
firewall was very secure by default! Shouldn't it block all ports then?
A: This is caused by the fact that many people
still don't understand that, for security reasons, some actions
are only performed on the network interfaces to which they should actually
apply. Port forwarding and default port blocking
are only performed on the EXTERNAL interface, and a scan from your internal
network reaches the public IP via the internal interface. In other words: performing tests
on your public IP from your internal network
will NEVER, EVER work -> you should always use another public machine!
Q:
I configured your script with a port forward of port
80 to an internal machine running a webserver. It works when I connect from
another public machine but it doesn't work when I try to connect from an
internal host. How can I make this work?
A: The problem is caused by the fact that port forwards
in principle only work on the external internet interface (EXT_IF); a connection from an
internal host to the public IP arrives on the internal interface instead. The reason
why this can't work is simple: to connect to a public IP you need ANOTHER public IP,
and an internal (NAT) host lacks this. You can fix this by using my DNAT plugin
for my firewall, which reroutes traffic from the internal hosts to
the external IP of your gateway machine to its internal IP.
Q:
Could you tell me how I can use PoPToP VPN with your firewall?
A: Here's how you should do it.
You need to configure the following variables:
- OPEN_IP="47" # 47=GRE protocol
- OPEN_TCP="1723" # 1723=pptp
Q:
Is there a way to define 2 or more ethernet adapters for internal networks?
A: Yes you can! You can actually specify as many internal
nets as you want. There are two ways to accomplish this:
1) Only specify multiple local interfaces in INT_IF (space separated)
and specify one(!) big local subnet in
INTERNAL_NET. In this way you only need to make sure that all subnets
"fit" in the large one. For example:
- INT_IF="eth0 eth1 eth2"
- INTERNAL_NET="192.168.0.0/16"
or
2) Specify multiple local interfaces in INT_IF (space separated) and specify
an equal number of subnets in
INTERNAL_NET. This means that each entry of INTERNAL_NET and INT_IF
form a combined interface/subnet pair (paired by position)!
For example:
- INT_IF="eth0 eth1 eth2"
- INTERNAL_NET="192.168.0.0/24 192.168.1.0/24 192.168.2.0/24"
Note that my script figures out by itself which method you (want to) use!
Q:
Is there a way to define 2 or more ethernet adapters for external networks?
A: Yes, simply add ALL interfaces to your EXT_IF.
Q:
How can I make IRC work?
A: First enable the variable USE_IRC (=1). Second, make sure ident requests can reach
your server by opening TCP port 113 (OPEN_TCP="113"); if you don't do this, any new connection to
an IRC server will be extremely slow, because the server has to wait for its ident query to time out. Note that it seems that the current
IRC kernel modules don't seem to support DCC file sends (or does somebody know a work-around?).
To be able to also do file sends you should (probably) set up TCP port forwards to your internal
client (NAT_TCP_FORWARD) instead(!) of using kernel module IRC support (USE_IRC=0).
Q:
I don't want our students on our internal NATed network to use IRC. How
can I block this?
A: Configure these variables:
- BLOCK_TCP_FORWARD="6666:6669"
- BLOCK_UDP_FORWARD="6666:6669"
Note that this only blocks the standard IRC port range; an IRC server listening on another port would still be reachable.
Q:
It seems that your firewall blocks traffic on ANY network interface. How
can I fix this?
A: In some rare cases people have additional network
interfaces, next to the default internal and external interface.
Because of the way iptables works, it's easier to first block all traffic
(deny) and then start allowing things for
the internal and external interfaces (this is also a lot more secure).
This issue can be solved by adding the
network interface to "TRUSTED_IF". CAUTION!: This will allow
ANY traffic to and from that specific
interface without any checking whatsoever, so only do this for an interface you trust as much as the gateway itself.
Q:
What is a DMZ?
A: "DMZ" is an abbreviation for "de-militarized
zone". In the context of firewalls, this refers to a part of the
network
that is neither part of the internal network nor directly part of the
Internet. Typically, this is the area between
your Internet access router and your bastion host, though it can be between
any two policy-enforcing components of
your architecture (Info obtained from Cisco).
Q:
How can I implement a DMZ with your firewall?
A: To accomplish this you should add an additional
ethernet adapter to the computer (gateway) running my
firewall and add this interface to the DMZ_IF variable. You can also create multiple DMZ
interfaces (although I doubt the benefit of having more than one) by adding multiple
interfaces to DMZ_IF (space separated).
Q:
I use ppp (Point-To-Point) for my internet connection. Why should I use
'ppp+' instead of 'ppp0' for my EXT_IF?
A: The '+' functions as a wildcard and has
2 advantages:
1) It automatically matches ANY ppp network interface.
2) The firewall can be started without the restriction that the network
interface (ppp0) should already exist.
Keep in mind that the wildcard really matches every ppp interface, including ones created by
pppd for other purposes (such as the links of a PPTP server), which are then treated as external.
Q:
I see packets with IP protocol 2 (PROTO=2) being dropped. What's causing this?
A: I couldn't find much about IP protocol 2 (= IGMP), but it seems to be
caused when your route daemon (routed) is NOT running (properly) or is misconfigured (which
is required for PPPoA).
Q:
What does IPSEC mean?
A: IPSEC means Internet Protocol SECurity. It uses strong cryptography to provide both
authentication and encryption services. Authentication ensures that packets are from the right sender
and have not been altered in transit. Encryption prevents unauthorised reading of packet contents.
Q:
I want to masquerade (NAT) from 10.0.0.0/24 *and* 192.168.0.0/24, which are both connected
to network interface eth1. I've set INT_IF="eth1" and INTERNAL_NET="10.0.0.0/24 192.168.0.0/24".
Now it works for 10.0.0.0/24 but it does not with 192.168.0.0/24. How come?
A: A single (physical) network interface was never meant to route completely different
IP subnets. However you can make it work like this (although it's dirty):
INT_IF="eth1 eth1"
INTERNAL_NET="10.0.0.0/24 192.168.0.0/24"
This uses the interface/subnet pairing: each entry of INT_IF is paired with the entry of
INTERNAL_NET in the same position, so listing eth1 twice gives it both subnets.
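An added example, not the script's own code, of how the two INT_IF/INTERNAL_NET conventions (one big subnet for all interfaces, or positional interface/subnet pairs, including the "eth1 eth1" trick above) can be resolved into pairs and turned into LAN-to-Internet rules. EXT_IF defaulting to eth0, the plain FORWARD/POSTROUTING rules and the error for mismatched counts are assumptions for illustration:

```bash
#!/bin/sh
# Added example, not code from the firewall script: resolve INT_IF and
# INTERNAL_NET into interface/subnet pairs the way the FAQ describes, then
# print the rules each pair implies. EXT_IF (default eth0) and the rule
# layout are assumptions for illustration.
EXT_IF="${EXT_IF:-eth0}"

# fw_int_pairs "IFACES" "NETS": print one "iface subnet" line per pair.
#   one subnet, any number of interfaces -> every interface gets that subnet (method 1)
#   as many subnets as interfaces        -> paired by position (method 2); naming an
#                                           interface twice ("eth1 eth1") gives it two subnets
#   anything else                        -> error message on stderr, status 1, nothing printed
fw_int_pairs() {
  local ifaces="$1" nets="$2" n_if n_net i iface net
  n_if=$(set -- $ifaces; echo $#)
  n_net=$(set -- $nets; echo $#)
  if [ "$n_net" -eq 1 ]; then
    for iface in $ifaces; do printf '%s %s\n' "$iface" "$nets"; done
  elif [ "$n_net" -eq "$n_if" ]; then
    i=1
    for iface in $ifaces; do
      net=$(set -- $nets; shift $((i - 1)); printf '%s' "$1")   # i-th subnet
      printf '%s %s\n' "$iface" "$net"
      i=$((i + 1))
    done
  else
    printf 'INT_IF has %s entries but INTERNAL_NET has %s: use one subnet, or one per interface\n' \
      "$n_if" "$n_net" >&2
    return 1
  fi
}

# fw_lan_rules "IFACES" "NETS": per pair, forward only that subnet from that
# interface out of EXT_IF, and masquerade it.
fw_lan_rules() {
  fw_int_pairs "$1" "$2" | while read -r iface net; do
    printf 'iptables -A FORWARD -i %s -s %s -o %s -j ACCEPT\n' "$iface" "$net" "$EXT_IF"
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$net" "$EXT_IF"
  done
}

# Usage with method 2 (constructed values):
fw_lan_rules "eth1 eth2" "192.168.0.0/24 192.168.1.0/24"
```

Because the FORWARD rule matches on both the interface and its subnet, a host on eth1 spoofing an address from the eth2 subnet is not forwarded by it; with the "eth1 eth1" trick both subnets are legitimately accepted on eth1, so any extra per-interface anti-spoofing rule you add must allow both. fw_lan_rules prints nothing when the counts do not match; call fw_int_pairs directly if you want the error status.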
Q:
How can I use IP address masks in the configuration file and/or the block hosts file?
A: Use the /x suffix (CIDR notation), which is a bit mask on the address. Example: to select
all addresses 192.168.x.x you write 192.168.0.0/16. The /16 masks (selects)
the 16 most significant bits of the address (from left to right, the first two octets),
meaning these bits must match and all others are "don't cares".
Q:
How can I use IP address ranges in the configuration file and/or the block hosts file?
A: Version 1.8 does NOT support IP ranges (except in the blocked hosts file),
and never will. However, starting with version 1.9, you can use ranges within a class C (/24) network, such as
192.168.1.10-20, which includes all IPs from 192.168.1.10 through 192.168.1.20.
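An added example, not the firewall script's own code, of a reader for the blocked hosts file format described in the blocked-hosts question and the two questions above: whole-line comments only, plain IPs, /x masks, the class C ranges of version 1.9, and hostnames resolved through 'dig' (the FAQ says the script needs dig for host resolving). It prints the DROP rules it would load; the chain name BLOCKED_HOSTS and the sample file are constructed for illustration:

```bash
#!/bin/sh
# Added example, not code from the firewall script: read the blocked hosts
# file format from stdin and print the DROP rules for it. The chain name
# BLOCKED_HOSTS is an assumption; the real script has its own chains.

# fw_resolve NAME: A records of NAME, one per line (needs dig from bind-utils/dnsutils).
fw_resolve() {
  command -v dig >/dev/null 2>&1 || { echo "dig not found: install bind-utils" >&2; return 1; }
  dig +short "$1" A | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# fw_drop_rule MATCH: print one DROP rule for an iptables source match.
fw_drop_rule() {
  printf 'iptables -A BLOCKED_HOSTS %s -j DROP\n' "$1"
}

# fw_blocked_rules: one entry per line on stdin; rules on stdout, complaints on stderr.
fw_blocked_rules() {
  local line entry base last ip
  while IFS= read -r line || [ -n "$line" ]; do
    entry=$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')   # trim blanks
    case "$entry" in
      ''|'#'*) continue ;;           # blank line or whole-line comment: allowed
      *'#'*)                         # "1.2.3.4 # comment": the FAQ forbids this, so refuse it
        printf 'skipping malformed entry (comments must be whole lines): %s\n' "$line" >&2
        continue ;;
    esac
    case "$entry" in
      *[!0-9./-]*)                   # anything that is not an address: treat as hostname
        for ip in $(fw_resolve "$entry"); do fw_drop_rule "-s $ip"; done ;;
      *-*)                           # 192.168.1.10-20 -> 192.168.1.10-192.168.1.20
        base="${entry%-*}"; last="${entry##*-}"
        fw_drop_rule "-m iprange --src-range ${base}-${base%.*}.${last}" ;;
      *)                             # plain IP or /x mask: iptables takes it as-is
        fw_drop_rule "-s $entry" ;;
    esac
  done
}

# A constructed sample file, fed through the reader:
printf '%s\n' \
  '# hosts we never want to hear from' \
  '1.2.3.4' \
  '192.168.0.0/16' \
  '192.168.1.10-20' \
  '5.6.7.8   # trailing comment: rejected' | fw_blocked_rules
```

Refusing an entry with a trailing comment is deliberate: passed on verbatim, "5.6.7.8 # ..." would make iptables fail on that rule, and a failed block rule is worse than a loud error. A hostname that does not resolve (or no dig) simply yields no rule, which is also worth checking in the output before relying on it.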
Q:
How can I block KaZaa (and/or MSN, ICQ etc.) for my internal clients?
A: You can't completely, as far as I know. KaZaa binds
to almost any unprivileged port if necessary. The only thing that
helps a little is blocking remote port 1214 (KaZaa) with $LAN_INET_DENY_TCP.
But the only thing that really helps is using a proxy.
Q:
(How) can I use a proxy with your firewall then?
A: Yes, you can. Use the $PROXY_PORT variable for this:
set it to the port your proxy is listening on.
Note that the proxy must run on the gateway itself!
Q:
Since I configured your firewall to use debug level for logging, my console gets
filled with firewall messages. (How) can I fix this?
A: This problem is distribution-dependent. It's caused by the fact that
some systems have their syslogd configured to also log debug messages to the console.
To stop the kernel from printing anything but emergency messages on the console, execute "dmesg -n 1"
on the console. You can (of course) also modify your /etc/syslog.conf to fix this.
Q:
When I run your script I get (a lot of) "iptables: No chain/target/match by that name"
error-messages. How can I solve this?
A: This problem is probably caused by a kernel that lacks some of the iptables
targets/matches the script uses: either a non-modular kernel without them compiled in, or a kernel
whose modules for them are missing. You should either find a modular kernel (normally
the one that comes with your distribution) or compile (or find) a kernel with the proper
targets built in.
Q:
What's the difference between REJECT and DENY?
A: When DENYing (DROPping, in iptables terms) packets, you silently discard incoming packets; the sender
never learns they were discarded (stealth). But when REJECTing you are letting the other side know
that you don't ACCEPT the packet sent (with a TCP reset or an ICMP error).
Q:
When I perform a UDP portscan everything is open. Is your firewall not working properly?
A: It's working fine. The problem is that, because of the way UDP works, portscanners (nmap)
cannot tell a dropped probe from an open port that simply does not answer: a port is reported as open
(or "open|filtered") when no rejection (ICMP port unreachable) comes back from the target host.