Firewall
I am using a shell script called "rc.firewall" to set up the firewalls on nettle and sage. This script was originally obtained from projectfiles.com, but apparently it is no longer officially supported by its author and now has a new home at http://lfw.sourceforge.net/. There was a new version (2.0 final) of the script released on 25 July 2006, and this is what is installed on sage and nettle.
The rc.firewall script should be put in /etc/rc.d and made executable. The Slackware script /etc/rc.d/rc.inet2 is already set up to run rc.firewall when the system is booted, but you will need to re-run rc.firewall if you edit it.
There are three shell variables near the beginning of rc.firewall that must be set to configure the firewall. The comments in rc.firewall explain what each variable does and the values it accepts. There is full documentation at the project's new website.
On nettle, I've set up the firewall to allow anything from Wingpath's private network and to deny everything else:
PERMIT="192.168.183.0/24"
INTERNAL_INTERFACES=""
DYNAMIC_INTERFACES="ppp0"
Note that it should be safe to plug nettle into someone else's network, provided that it doesn't use the same network address.
On sage, since it is intended to be a server/router, I'm allowing ssh from anywhere and anything from the local network:
PERMIT="22/tcp"
INTERNAL_INTERFACES="ra0"
DYNAMIC_INTERFACES="ppp0"
where "ra0" is the name of sage's wireless interface.
I've also enabled logging in the rc.firewall script on both nettle and sage, by changing the line:
LOGGING="no"
to:
LOGGING="yes"
This causes packets that are blocked by the firewall to be logged to /var/log/messages. There shouldn't normally be any if fennel is doing its job properly.
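As an added example (not part of these notes and not code from rc.firewall), the following Python script reads lines in the kernel netfilter LOG format from /var/log/messages, tallies the blocked packets by interface, source, protocol and destination port, and flags any that came from the network PERMIT is meant to trust, which points at a misconfiguration rather than at hostile traffic. The sample log lines are constructed, and the "rc.firewall:" log prefix is an assumption, since the actual prefix depends on the rc.firewall version.

```python
import ipaddress
from collections import Counter

# Constructed sample lines (not a real log) in the kernel netfilter LOG
# format as it appears in /var/log/messages. The "rc.firewall:" prefix is
# an assumption; the real --log-prefix depends on the rc.firewall version.
SAMPLE_LOG = """\
Jul 26 10:01:02 sage kernel: rc.firewall: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 26 10:01:05 sage kernel: rc.firewall: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=51235 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 26 10:02:11 sage kernel: rc.firewall: IN=ppp0 OUT= MAC= SRC=198.51.100.77 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=111 ID=0 PROTO=UDP SPT=1900 DPT=1900 LEN=24
Jul 26 10:03:00 sage sshd[1234]: Accepted publickey for admin from 192.168.183.5 port 40000 ssh2
Jul 26 10:04:45 sage kernel: rc.firewall: IN=ra0 OUT= MAC= SRC=192.168.183.9 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=ICMP TYPE=8 CODE=0 ID=4 SEQ=1
"""

def parse_log_line(line):
    """Return the key=value fields of a kernel LOG line, or None for other lines."""
    if "kernel:" not in line or " IN=" not in line or " SRC=" not in line:
        return None
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields.setdefault(key, value)  # keep the first LEN=/ID= seen
    return fields

def summarize_blocked(text):
    """Count blocked packets by (interface, source, protocol, destination port)."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_log_line(line)
        if f:
            counts[(f["IN"], f["SRC"], f["PROTO"], f.get("DPT", "-"))] += 1
    return counts

def blocked_from_trusted(text, trusted_cidr):
    """Return blocked entries whose source lies inside the network PERMIT trusts.
    Any hit means a host that should be allowed is being dropped, which is a
    configuration problem to fix, not an attack to report."""
    net = ipaddress.ip_network(trusted_cidr)
    return [k for k in summarize_blocked(text)
            if ipaddress.ip_address(k[1]) in net]

if __name__ == "__main__":
    for key, n in summarize_blocked(SAMPLE_LOG).most_common():
        print(n, *key)
    print("blocked from trusted:", blocked_from_trusted(SAMPLE_LOG, "192.168.183.0/24"))
```

To run it against the real log, replace SAMPLE_LOG with the contents of /var/log/messages; the summary is a quick way to confirm that nothing reaches sage or nettle that fennel should already have dropped.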
The kernel configuration must have a number of iptables/netfilter options enabled for the firewall to work. These options should be enabled by default, but the rc.firewall script is supposed to warn you if any of them are missing. The required kernel options are listed on the website.