
List:       linux-ipchains
Subject:    [ipchains] Re: ipfwadmin question.
From:       William Stearns <wstearns () pobox ! com>
Date:       1998-10-25 4:55:14

Good day,

On Sun, 25 Oct 1998, NetList wrote:

> For a long time I have been using ipfwadm filtering rules. But now I need to
> disable some rules using cron at some given time. Does anybody know how
> to disable any rule without rebooting?

	This question has a couple of different answers - you choose the
one you like.

	1) Not directly.  The ipfwadm rules are a straight list of rules.
It isn't possible to temporarily disable an arbitrary rule in the list
without removing it entirely.

	2) You can simulate disabling and re-enabling a rule by deleting
it and reinstating it.  For example, let's say you want to block access to
outside Usenet news servers between 7pm and 6am.  Put these in root's
cron (/var/spool/cron/root on my system):

0 19 * * * /sbin/ipfwadm -O -i deny -D 0/0 nntp -P tcp >/dev/null
0  6 * * * /sbin/ipfwadm -O -d deny -D 0/0 nntp -P tcp >/dev/null

	The rule can go at the top of the list (-i = insert) or at the
bottom (-a = append).  This works reasonably well. You need to think about
the ordering of the rules in your list.  Can the rules you're adding and
deleting exist at the top or the bottom, or do they have to be somewhere
in the middle?  If they must be in the middle of the list, you'll have to
keep reading.

	3) An approach that allows you to keep rules in the original order
is the following.  Create a single shell script that runs all of your
firewall rules that calls another shell script that will hold the rules
you want to be able to occasionally disable.  Here's an implementation of
the above example:

---- /var/spool/cron/root ----
0 19 * * * /my/firewall/dir/firewall.block   >/dev/null
0  6 * * * /my/firewall/dir/firewall.unblock >/dev/null
----------------------

---- /my/firewall/dir/firewall.block ----
#!/bin/bash
#write the rule to be included by firewall.main, then rebuild the firewall
echo "/sbin/ipfwadm -O -i deny -D 0/0 nntp -P tcp" >/my/firewall/dir/firewall.dynamic
/my/firewall/dir/firewall.main
/bin/mail -s "News is blocked now" firewalladmin@my.domain.tr </dev/null
----------------------

---- /my/firewall/dir/firewall.unblock ----
#!/bin/bash
cat /dev/null >/my/firewall/dir/firewall.dynamic	#erase the file completely
/my/firewall/dir/firewall.main
/bin/mail -s "News is available now" firewalladmin@my.domain.tr </dev/null
----------------------

---- /my/firewall/dir/firewall.main ----
#!/bin/bash
#erase the existing firewall and recreate it.
/sbin/ipfwadm -I -p my_policy ; /sbin/ipfwadm -O -p my_policy ;
/sbin/ipfwadm -F -p my_policy 					#set your policy on the input (-I), output (-O) and forwarding (-F) chains
/sbin/ipfwadm -I -f ; /sbin/ipfwadm -O -f ; /sbin/ipfwadm -F -f #flush existing rules
[setup and initial firewall rules]
. /my/firewall/dir/firewall.dynamic	#This file has the rule or doesn't, 
					#depending on the time of day.
[rest of the firewall rules]
----------------------

	In short, at 7pm firewall.block places the rule you need in
firewall.dynamic and restarts the firewall with this rule in the middle.
At 6am firewall.unblock erases firewall.dynamic and restarts the firewall
without this rule.
	The ". /my/firewall/dir/firewall.dynamic" line allows you to
include the contents of another file in your shell script - in this case,
it's a file whose contents change twice a day.
	For firewall purists, this has the disadvantage that there are two
times during the day where the firewall is under construction, even if for
a few seconds.
	If there's a chance the system might be down at 7pm or 6am, you
might want to run /my/firewall/dir/firewall.block (or unblock) at boot
time, possibly running one or the other depending on what time the
machine is being booted.

	4) There is a replacement for ipfwadm firewalling called ipchains.
Ipchains allows you to make changes to the internal structure of the
firewall while it's running, including disabling and re-enabling rules.
	The 2.0 kernels do not include ipchains by default, but there is a
patch available that provides ipchains support.  The recent Linux 2.1
kernels include it by default.
	The ipchains home page is at:
http://www.adelaide.net.au/~rustcorp/ipfwchains/ipfwchains.html
	There's a howto there and at:
http://sunsite.unc.edu/linux/HOWTO/
	There is also a mailing list.  To subscribe send email to:
majordomo@wantree.com.au with 'subscribe ipchains <email address>' in the
message body.  
	Even if one of the previous approaches does what you need, you
might still want to take a look at the ipchains howto; this tool has a
number of features that make it a worthy successor to ipfwadm firewalling.
Moving to ipchains will be required if you decide to use the 2.2 kernels
in the future.

> BTW - I remember people were talking about a tool called MASON; can it solve
> my problem?

	While I'd like to think Mason can solve a number of Linux
firewalling problems[*], I don't think it can help with this one.  Mason
can help you with creating your initial ruleset that goes into your
firewall, and it can be used to create a firewall dynamically - it lets
you create new rules as new traffic types pass through your firewall. Once
Mason has created the rule, however, it lets you decide when and how to
implement it.  See my signature if you'd like to give it a try.
	I'd be happy to help if you have other questions about ipfwadm
firewalls.  Best of luck!
	Cheers,
	- Bill

* I wrote it, so I'm a little biased. :-)

---------------------------------------------------------------------------
Unix _is_ user friendly.  It's just very selective about who its friends 
are.  And sometimes even best friends have fights.
William Stearns (wstearns@pobox.com)
Mason, buildkernel, and named2hosts are at: http://www.pobox.com/~wstearns
---------------------------------------------------------------------------
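An added example, not part of Bill's post, implementing the boot-time check he suggests at the end of approach 3: it decides from the current hour whether the evening news block should be in force, writes firewall.dynamic accordingly (via a temporary file so firewall.main never sources a half-written one) and re-runs firewall.main. The paths, the ipfwadm rule and the 7pm-6am window come from the post; the FWDIR and IPFWADM overrides are assumptions for testing.

```shell
#!/bin/sh
# Added example (not from the original post). Paths default to those used in
# the post; FWDIR and IPFWADM may be overridden from the environment (assumption).
FWDIR="${FWDIR:-/my/firewall/dir}"
IPFWADM="${IPFWADM:-/sbin/ipfwadm}"
BLOCK_RULE="$IPFWADM -O -i deny -D 0/0 nntp -P tcp"

# Print "block" if the given hour (0-23) falls inside the 19:00-06:00 window
# covered by the two cron entries in the post, otherwise "unblock".
news_state_for_hour() {
    h=${1#0}                    # "07" -> "7"; "00" -> "0"
    if [ "${h:-0}" -ge 19 ] || [ "${h:-0}" -lt 6 ]; then
        echo block
    else
        echo unblock
    fi
}

# Write firewall.dynamic for the requested state. Writing to a temporary
# name and renaming keeps firewall.main from sourcing a partially written file.
write_dynamic() {
    tmp="$FWDIR/firewall.dynamic.tmp"
    case "$1" in
        block)   echo "$BLOCK_RULE" >"$tmp" ;;
        unblock) : >"$tmp" ;;
        *)       echo "unknown state: $1" >&2; return 1 ;;
    esac
    mv "$tmp" "$FWDIR/firewall.dynamic"
}

# Bring the firewall in line with the current hour (or the hour passed as $1),
# then rebuild the whole ruleset exactly as firewall.block/unblock do.
# Prints the state that was applied.
sync_news_block() {
    hour=${1:-$(date +%H)}
    state=$(news_state_for_hour "$hour")
    write_dynamic "$state" || return 1
    "$FWDIR/firewall.main"
    echo "$state"
}
```

Run `sync_news_block` from an init script after the rest of networking is up; with no argument it uses the current hour.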

