Invoking the ipfwadm script

Once you've generated your ipfwadm script using TDG, you need to invoke it somehow. How you do this depends on how you have your Internet access configured.

Note: the ipfwadm script generated by TDG is the file named ipfw.dotfile in your home directory.


Non ip-up:

The simplest way is to just run the ipfwadm script as root. This will work only if you have not used the ip-up option - for example, if you don't use PPP.

While fine for testing, this is not a permanent solution. If you wish the firewall to be configured automatically every time you boot the computer, you have to copy the ipfwadm script to the /etc/rc.d directory (perhaps naming it /etc/rc.d/rc.firewall), and edit /etc/rc.d/rc.local to include a line that runs it. Here's an excerpt from my /etc/rc.d/rc.local; the added lines are the "set up the IP firewall" comment and the /etc/rc.d/rc.firewall invocation that follows it:

.
.
.
# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
echo "" > /etc/issue
echo "Red Hat Linux $R" >> /etc/issue
echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue

cp -f /etc/issue /etc/issue.net
echo >> /etc/issue

# set up the IP firewall and masquerade rules
/etc/rc.d/rc.firewall

# make serial port highest priority, ide0 highest priority cascaded
/sbin/irqtune -q 3 14
.
.
.


ip-up:

If you are using PPP and have selected the ip-up option, then the ipfwadm script is generated with the assumption that it will be run by the pppd daemon as part of the ip-up processing. The ipfwadm script cannot successfully be run from the command line without supplying the correct command-line arguments, emulating the arguments supplied by pppd.

There are two ways you can incorporate the ipfwadm script into the ip-up processing: insert the ipfwadm script directly into the ip-up script, or have the ip-up script call a separate file that contains the ipfwadm script.

While inserting the ipfwadm script directly into the ip-up script works, I don't recommend it unless firewall processing is the only thing the ip-up script does. Inserting the ipfwadm script directly into the ip-up script makes incorporating changes to the firewall much more difficult. Therefore I will only describe the second (indirect) method, which minimizes the changes to the ip-up script.

  1. Generate your ipfwadm script.
  2. Copy the ipfwadm script to /etc/ppp/firewall and set the permissions to:
                    r-x------ root root
    
    by running the command:
                    chmod 500 /etc/ppp/firewall
    
    (You need to be root to do things in /etc/ppp anyway, so the owner and group should take care of themselves when the file is created.)
  3. Edit /etc/ppp/ip-up or /etc/ppp/ip-up.local and insert the following command at or near the beginning:
                    . /etc/ppp/firewall $*
    
    If you don't have an /etc/ppp/ip-up script yet, here's the minimum you'll need:
                    #!/bin/bash
                    . /etc/ppp/firewall
    
    and give it the same permissions:
                    r-x------ root root
    
  4. Now incorporating changes to the firewall configuration is as simple as copying the new ipfwadm script to /etc/ppp/firewall.

Note that you may want to set up your firewall at boot-time anyway, even though you have the firewall being set up every time you dial out. This is simple to do: change the ISP configuration from ip-up to non-ip-up, generate a new ipfwadm script, and save that as /etc/rc.d/rc.firewall as described above. No other options need to be changed.

If you use diald and are masquerading other systems, you must do this. If you don't, the masqueraded systems won't bring up the PPP link until it's been brought up once by some other means.

Making the firewall a PPP server

The ip-up option is the only way to have a reliable firewall if users connect to the firewall system using PPP (in other words, if the firewall system is also a PPP server).

In addition to the above steps, you need to have pppd pass an argument to ip-up so it can tell when the link being brought up is your link to the Internet (as opposed to an inbound PPP link). The ipfwadm script should only be executed for the Internet link.

If you use the diald demand-dial daemon, you might want to do the following:

If you manage your outbound PPP connection some other way, then you'll need to add ipparam internet to the pppd command line you run.
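Here is an added example of an /etc/ppp/ip-up that ties steps 1 to 4 above together with the ipparam check described in this section. It is not code from the page or from the Ipfwadm Dotfile Module; it assumes the generated script was installed as /etc/ppp/firewall (step 2) and that pppd was started with "ipparam internet". pppd calls ip-up as "ip-up interface-name tty-device speed local-IP remote-IP ipparam", so ipparam arrives as $6; the script sources the firewall only when that argument is "internet", so an inbound PPP link never rebuilds the Internet-facing rules. The FIREWALL variable and the function names are this example's own choices.

```bash
#!/bin/bash
# Added example (not part of the original page or of the Ipfwadm Dotfile
# Module): an /etc/ppp/ip-up that applies the generated firewall script
# only to the Internet link.
#
# pppd invokes ip-up as:
#   ip-up interface-name tty-device speed local-IP remote-IP ipparam
# so $6 is the ipparam value, "internet" for the outbound link as the
# page describes.  Install with: chmod 500 /etc/ppp/ip-up

# Path chosen in step 2 of the page (assumed; override via the environment).
FIREWALL=${FIREWALL:-/etc/ppp/firewall}

# Decide whether this link is the one the firewall should be applied to.
# Prints "yes" or "no" so the decision can be checked without touching
# any kernel rules.
should_run_firewall() {
    # An inbound PPP link has no ipparam (or a different one) and must
    # leave the Internet-facing rules alone.
    if [ "$6" = "internet" ]; then
        echo yes
    else
        echo no
    fi
}

# Source the generated ipfwadm script with pppd's arguments intact, so it
# sees the same $1..$6 that ip-up received (equivalent to the page's
# ". /etc/ppp/firewall $*").  Returns 1 if the script is missing, so the
# failure is visible in the pppd log rather than silently unfiltered.
apply_firewall() {
    if [ ! -f "$FIREWALL" ]; then
        echo "ip-up: firewall script $FIREWALL missing; link $1 left unfiltered" >&2
        return 1
    fi
    . "$FIREWALL" "$@"
}

# Only act when executed by pppd (six arguments); sourcing the file for
# testing, with no arguments, defines the functions and does nothing else.
if [ "$#" -ge 6 ]; then
    if [ "$(should_run_firewall "$@")" = yes ]; then
        apply_firewall "$@"
    fi
fi
```

Because the decision and the action are separate functions, you can check the link selection on the command line with constructed arguments (for example, the six values pppd would pass) before letting pppd run the real thing.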


$Id: invocation.html,v 1.6 1998/03/22 03:29:00 jhardin Exp $