PHP Firewall Generator: Help
 
Introduction

This is a PHP-based firewall script generator for ipchains-based firewalls on Linux.

(c) Del 1999 under the GPL

Here are some very basic instructions:

  • Make sure that your /etc/services file and /etc/protocols file are correct. You can't define any rules in your firewall for services or protocols that don't exist in these files.
  • Make sure the interface list is correct. This is for reference purposes only and isn't actually used anywhere in the program, but it does give you a sanity check to make sure that everything is defined the way it should be.
  • Enter all of your network objects.
  • Enter your firewall rules, including port forwarding rules (used to hide a server behind the firewall) and redirector rules (used for transparent proxying of services to a proxy server on the firewall).
  • Once your firewall rules are entered, check the script at the bottom of the page. You can cut and paste this into a text editor and use it as your firewall script. You can also have it e-mailed to you. The script is also stored in /var/lib/phpfwgen/firewall if you want to install it into your system startup folders.


To Do List:

  • Install the script automatically.
  • Start and stop the firewall.
  • Automatic VPN configuration.
  • Negation rules, when an object is prepended by "!" in the files.
  • Support for NAT/iptables/ipfilter
  • Currently a rule that allows all outgoing traffic on all ports also allows all incoming non-SYN traffic on all ports (for TCP responses). It'd be better to allow only incoming traffic on the ports that were actually in use for outgoing socket connections, but this isn't possible in ipchains. Currently this is attempted for UDP by allowing incoming packets on the high ports (1024:65535), but this is unsuitable since many programs now bind to UDP ports in this range for incoming connections, and these ports are also often used by backdoor programs (eg: NetBus, BackOrifice). Find a good solution to this problem!
  • A partial solution is to DENY incoming packets on known bad UDP ports (eg: 12345 and 23456 for NetBus). These DENY rules must be in place before the rules that allow other (legal) UDP traffic (eg: for DNS).
  • A better solution might be to use the stateful packet filtering code at ftp://ftp.interlinx.bc.ca/pub/spf/
  • Find a more comprehensive /etc/services file somewhere.
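The two UDP items above describe an ordering problem in the generated script: the broad "allow incoming UDP on 1024:65535" rule lets anything reach a backdoor bound in that range, and the DENY rules for known bad ports only help if they are appended to the input chain first. The script below is an added example, not code from phpfwgen or its author; it emits the ipchains rules for the weak policy and for the partial fix as text (the same thing the generator does), and checks that every input-chain DENY precedes the first input-chain UDP ACCEPT. The interface, addresses and DNS server are constructed placeholders; the bad-port list is the one named on the page.

```shell
#!/bin/sh
# Added example (not part of phpfwgen): emit ipchains rules for the UDP
# high-port problem described in the To Do list and check rule ordering.

EXT_IF="eth0"            # assumed external interface
EXT_IP="192.0.2.10"      # constructed placeholder address (TEST-NET-1)
DNS_SERVER="192.0.2.53"  # constructed placeholder resolver
BAD_UDP_PORTS="12345 23456"   # NetBus ports named on the page

# The weak policy: all outgoing allowed, incoming non-SYN TCP allowed
# ("! -y" = not SYN), and all incoming UDP on the high ports allowed.
emit_weak_policy() {
  echo "ipchains -A output -i $EXT_IF -p tcp -s $EXT_IP -d 0/0 -j ACCEPT"
  echo "ipchains -A input  -i $EXT_IF -p tcp -s 0/0 -d $EXT_IP ! -y -j ACCEPT"
  echo "ipchains -A output -i $EXT_IF -p udp -s $EXT_IP -d 0/0 -j ACCEPT"
  echo "ipchains -A input  -i $EXT_IF -p udp -s 0/0 -d $EXT_IP 1024:65535 -j ACCEPT"
}

# The partial fix: DENY (and log, -l) the known bad UDP ports before any
# rule that accepts UDP into the input chain, then the legal UDP traffic
# (a DNS exchange with one resolver) and finally the broad high-port rule.
emit_partial_fix() {
  echo "ipchains -A output -i $EXT_IF -p tcp -s $EXT_IP -d 0/0 -j ACCEPT"
  echo "ipchains -A input  -i $EXT_IF -p tcp -s 0/0 -d $EXT_IP ! -y -j ACCEPT"
  for port in $BAD_UDP_PORTS; do
    echo "ipchains -A input  -i $EXT_IF -p udp -s 0/0 -d $EXT_IP $port -l -j DENY"
  done
  echo "ipchains -A output -i $EXT_IF -p udp -s $EXT_IP -d $DNS_SERVER 53 -j ACCEPT"
  echo "ipchains -A input  -i $EXT_IF -p udp -s $DNS_SERVER 53 -d $EXT_IP 1024:65535 -j ACCEPT"
  echo "ipchains -A input  -i $EXT_IF -p udp -s 0/0 -d $EXT_IP 1024:65535 -j ACCEPT"
}

# 1-based line number of the first emitted rule matching a pattern.
# $1 = emitter function, $2 = grep pattern. Prints nothing if no match.
rule_line() {
  "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

# Returns 0 when no input-chain DENY comes after an input-chain UDP ACCEPT
# (the ordering the To Do item requires), 1 otherwise. $1 = emitter function.
deny_precedes_accept() {
  "$1" | awk '
    /-A input/ && /-p udp/ && /-j ACCEPT/ { seen_accept = 1 }
    /-A input/ && /-j DENY/ && seen_accept { bad = 1 }
    END { exit bad ? 1 : 0 }'
}

# Number of DENY rules an emitter produces. $1 = emitter function.
deny_count() {
  "$1" | grep -c -- "-j DENY"
}

# Stand-alone use: print the partial-fix script and its ordering verdict.
if [ "${1:-}" = "--show" ]; then
  emit_partial_fix
  deny_precedes_accept emit_partial_fix && echo "# order OK" || echo "# order BAD"
fi
```

Run it with `sh example.sh --show` to see the rule list; the functions return their results rather than only printing so the ordering check can be reused against any emitter. The broad 1024:65535 rule is kept at the end on purpose: the page's partial solution does not remove it, it only makes sure the DENY rules are evaluated first.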

Credits

I got some ideas from various places, including Godot's Muse and IPCHAINS-FIREWALL V1.6.2m by Ian Hall-Beyer. Ed McLain took my code and used it in PHPChains, so I took parts of his ideas back and incorporated them.