[NLUUG]   Welcome to ftp.vim.org,
Hosted by ftp.nluug.nl
Current directory: /pub/ftp/ftp/ftp/ftp/security/coast/firewalls/gshield/v2/
Contents of README:
gShield is a iptables firewall script which should run
"out of the box" for most folks with minimal fuss.

gShield has the following features:

- handles dynamic or static IP's without problem
- can selectively enable NAT for multiple private ranges
- adds tcpwrapper-like functionality for access to services
- aggressive defaults; only default 'open' service is auth
- easily configurable via a well commented BSD-style conf file.


A few things to help folks along:

All major configuration settings are stored in /etc/firewall/gShield.conf
You WILL need to look over this file before running the firewall,
but for most cases, the defaults should work fine for most
folks. Go ahead, open another term and take a peek.

gShield itself has some runtime options you can use
to ease some typical administrative tasks.  These
are detailed below and in USAGE.


gShield tries to incorporate Access Control lists in a more
direct manner than the "usual" approach with firewall scripts. 

An ACL is simply a list of hosts which are allowed to connect
to pre-defined services. In this way, we can protect core
services (such as POP, SMTP, FTP, etc) from "the world", while
still having unrestricted access to "trusted" hosts.

A good example:

You wish to have access to your home machine from work,
but worry about leaving the sorts of services you'd
like access to open to the world. One way to accomplish
protecting these services would be via tcpwrappers or xinetd.

gShield takes this a bit further by allowing you to set what
hosts even get to have a packet touch the service in the first

In the case of our "I want to have access to my home machine
from work" scenerio, we simply drop the ip (or range) of
our work machine into /etc/firewall/conf/client_hosts.

Any ip (or range) in client-hosts is allowed access
to those services as defined in /etc/firewall/conf/client_services, while
"other" hosts cannot. So one can easily restrict access to services
by distinguishing between "clients" and "the public".


Other ACL's

/etc/firewall/conf contains the following 'other' files:


client_hosts and client_services we've touched on already.

	should contain the private addresses you wish to provide NAT services
	for. You can specify multiple ranges here.

* black_listed_hosts

	drop "problem" hosts in here. gShield will drop -all-
	connections from these hosts (and log them at no extra cost!)

* highport_access

	IRC bots like to connect to high (unreserved) ports, which gShield
	drops by default. 

	Many services like to establish high TCP connections as well -- simply
	drop those hosts in here (if you need unrestricted access from
	the public to high ports, this can be configured in gShield.conf).

* closed_ports

	These are ports you simply want -fully- closed off for whatever
	reason. In most cases, this is over-kill given gShield's defaults.
	These ports are closed to -everyone-, even those hosts listed as
	clients, so be aware.

* reserved_addresses

	These are ip ranges which have no business hitting the external interface
	in the first place (i.e., private ranges)

* time_servers

	Having your time synced is a good thing. Having that port open
	to the whole world may not be. Dump the time-servers you tend
	to favor in here to allow them to have access to time services.
	For example, I use chrony to keep my time accurate, and the servers
	chrony uses for this are also listed here. This allows them to do
	their time-sych'n magic.	

* open_ports

	Sometimes, you just want that port open. 
        Add those ports you want open ON the firewall machine.
	gShield will open both tcp and udp on those specified ports.

* blocked_outgoing

	ports which you wish to -prevent- access to (both for the firewall
   	itself, as well as NAT'd clients

* no_log_ports

	ports which you do not wish logged, regardless of the default
	logging policy 


RUNTIME options

Beginning with 2.4, gShield adds additional
run-time options to make some tasks easier.

From ./gShield help

gShield run-time options:
flush: flush all rulesets and disable firewall
client x: add ip "x" to clientlist
blacklist x: add ip  "x" to blacklist
highport x: add ip "x" to highport access list
help: this list

Briefly put, you can add ips to the client list, highport list
or blacklist all from the command line without having to re-load
gShield to re-read the ACL for that service.

For example, say I want to allow as a client.  Starting with
gShield 2.4, this is a single step:

/etc/firewall/gShield.rc client

gShield will:

- add to the -current- client list for immediate access
- add to /etc/firewall/conf/client_hosts (for next time) and date its
There ARE some limitations:

- you have to use an -ip- address; hostnames are no good
- you can only use -single- ip addresses, not ranges or nets

Feel free to contact me with suggestions and/or problems

Godot (godot@mindspring.com)

I can also generally be found on EFNet, #Linuxhelp

Icon  Name                                                   Last modified      Size  
[DIR] Parent Directory - [DIR] patches/ 10-Oct-2007 15:14 - [DIR] tools/ 10-Oct-2007 15:14 - [   ] CHANGELOG 28-May-2002 00:43 6.9K [TXT] INSTALL 29-Apr-2001 00:00 1.4K [TXT] README 25-Apr-2001 00:00 5.3K [TXT] UPGRADE 08-Jan-2001 00:00 496 [TXT] USAGE 25-Apr-2001 00:00 1.0K [   ] gShield-2.0.0.tgz 22-Jul-2002 13:35 13K [   ] gShield-2.0.0.tgz.md5.sign 22-Jul-2002 13:35 331 [   ] gShield-2.0.1.tgz 22-Jul-2002 13:35 15K [   ] gShield-2.0.1.tgz.md5.sign 22-Jul-2002 13:35 331 [   ] gShield-2.0.2.tgz 22-Jul-2002 13:35 15K [   ] gShield-2.0.2.tgz.md5.sign 22-Jul-2002 13:35 331 [   ] gShield-2.0.3.tgz 22-Jul-2002 13:35 15K [   ] gShield-2.0.3.tgz.md5.sign 22-Jul-2002 13:35 331 [   ] gShield-2.0.4.tgz 22-Jul-2002 13:35 16K [   ] gShield-2.0.4.tgz.md5.sign 22-Jul-2002 13:35 331 [   ] gShield-2.1.tgz 22-Jul-2002 13:35 17K [   ] gShield-2.1.tgz.md5.sign 22-Jul-2002 13:35 329 [   ] gShield-2.2.tgz 22-Jul-2002 13:35 18K [   ] gShield-2.2.tgz.md5.sign 22-Jul-2002 13:35 329 [   ] gShield-2.3.tgz 22-Jul-2002 13:35 18K [   ] gShield-2.3.tgz.md5.sign 22-Jul-2002 13:35 329 [   ] gShield-2.4.tgz 22-Jul-2002 13:35 20K [   ] gShield-2.4.tgz.md5.sign 22-Jul-2002 13:35 329 [   ] gShield-2.5.1.tgz 22-Jul-2002 13:35 21K [   ] gShield-2.5.1.tgz.md5.sign 22-Jul-2002 13:35 331 [   ] gShield-2.5.tgz 22-Jul-2002 13:35 21K [   ] gShield-2.5.tgz.md5.sign 22-Jul-2002 13:35 329 [   ] gShield-2.6.1.tgz 22-Jul-2002 13:35 23K [   ] gShield-2.6.1.tgz.md5.sign 22-Jul-2002 13:35 331 [   ] gShield-2.6.2.tgz 22-Jul-2002 13:35 24K [   ] gShield-2.6.2.tgz.md5.sign 22-Jul-2002 13:35 331 [   ] gShield-2.6.3.tgz 22-Jul-2002 13:35 24K [   ] gShield-2.6.3.tgz.md5.sign 22-Jul-2002 13:35 331 [   ] gShield-2.6.4.tgz 22-Jul-2002 13:35 24K [   ] gShield-2.6.4.tgz.md5.sign 22-Jul-2002 13:35 331 [   ] gShield-2.6.5.tgz 22-Jul-2002 13:35 26K [   ] gShield-2.6.5.tgz.md5.sign 22-Jul-2002 13:35 331 [   ] gShield-2.6.6.tgz 22-Jul-2002 13:35 35K [   ] gShield-2.6.6.tgz.md5.sign 22-Jul-2002 13:35 331 [   ] gShield-2.6.7.tgz 22-Jul-2002 13:35 37K [   ] gShield-2.6.7.tgz.md5.sign 22-Jul-2002 13:35 331 [   ] gShield-2.6.8.tgz 22-Jul-2002 13:35 37K [   ] gShield-2.6.8.tgz.md5.sign 22-Jul-2002 13:35 331 [   ] gShield-2.6.9.tgz 22-Jul-2002 13:35 38K [   ] gShield-2.6.9.tgz.md5.sign 22-Jul-2002 13:35 331 [   ] gShield-2.6.tgz 22-Jul-2002 13:35 22K [   ] gShield-2.6.tgz.md5.sign 22-Jul-2002 13:35 329 [   ] gShield-2.7.1.tgz 22-Jul-2002 13:35 40K [   ] gShield-2.7.1.tgz.md5.sign 22-Jul-2002 13:35 331 [   ] gShield-2.7.tgz 22-Jul-2002 13:35 39K [   ] gShield-2.7.tgz.md5.sign 22-Jul-2002 13:35 329 [   ] gShield-2.8.tgz 22-Jul-2002 13:35 46K [   ] gShield-2.8.tgz.md5.sign 22-Jul-2002 13:35 329 [TXT] gforward.pl 28-May-2002 03:49 4.2K

NLUUG - Open Systems. Open Standards
Become a member and get discounts on conferences and more, see the NLUUG website!