firewall security
Sponsored Links
Sponsored Links
Secleted [ 0 ] software to compare
Results 1 - 15 of about 1474
UTIN Firewall script
UTIN Firewall script project is a script for Linux 2.4.x and iptables. more>>
UTIN Firewall script project is a script for Linux 2.4.x and iptables.
###########
# Configuration options, these will speed you up getting this script to
# work with your own setup.
#
# your LANs IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP adress. the same as netmask 255.255.255.0
#
# INET_IP is used by me to allow myself to do anything to myself, might
# be a security risc but sometimes I want this. If you dont have a static
# IP, I suggest not using this option at all for now but its still
# enabled per default and will add some really nifty security bugs for all
# those who skips reading the documentation=)
LAN_IP="192.168.0.2"
LAN_BCAST_ADRESS="192.168.0.255"
LAN_IFACE="eth1"
LO_IFACE="lo"
LO_IP="127.0.0.1"
INET_IP="194.236.50.155"
INET_IFACE="eth0"
IPTABLES="/usr/local/sbin/iptables"
#########
# Load all required IPTables modules
#
#
# Needed to initially load modules
#
/sbin/depmod -a
#
# Adds some iptables targets like LOG, REJECT and MASQUARADE.
#
/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
#
# Support for owner matching
#
#/sbin/modprobe ipt_owner
#
# Support for connection tracking of FTP and IRC.
#
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#
# Enable ip_forward, this is critical since it is turned off as defaul in
# Linux.
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# Dynamic IP users:
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#
# Enable simple IP Forwarding and Network Address Translation
#
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
#
# Set default policies for the INPUT, FORWARD and OUTPUT chains
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# bad_tcp_packets chain
#
# Take care of bad TCP packets that we dont want.
#
$IPTABLES -N bad_tcp_packets
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
# Do some checks for obviously spoofed IPs
#
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 172.16.0.0/12 -j DROP
$IPTABLES -A bad_tcp_packets -i $LAN_IFACE ! -s 192.168.0.0/16 -j DROP
#
# Bad TCP packets we dont want
#
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
#
# Accept the packets we actually want to forward between interfaces.
#
$IPTABLES -A FORWARD -p tcp --dport 21 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 110 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets
#
# The allowed chain for TCP connections
#
$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED
-j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# ICMP rules
#
# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
# TCP rules
#
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
#
# UDP ports
#
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT
#
# INPUT chain
#
# Bad TCP packets we dont want
#
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
#
# Rules for incoming packets from anywhere
#
$IPTABLES -A INPUT -p ICMP -j icmp_packets
$IPTABLES -A INPUT -p TCP -j tcp_packets
$IPTABLES -A INPUT -p UDP -j udpincoming_packets
#
# Rules for special networks not part of the Internet
#
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED
-j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3
-j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
#
# OUTPUT chain
#
#
# Bad TCP packets we dont want
#
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3
-j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
<<less###########
# Configuration options, these will speed you up getting this script to
# work with your own setup.
#
# your LANs IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP adress. the same as netmask 255.255.255.0
#
# INET_IP is used by me to allow myself to do anything to myself, might
# be a security risc but sometimes I want this. If you dont have a static
# IP, I suggest not using this option at all for now but its still
# enabled per default and will add some really nifty security bugs for all
# those who skips reading the documentation=)
LAN_IP="192.168.0.2"
LAN_BCAST_ADRESS="192.168.0.255"
LAN_IFACE="eth1"
LO_IFACE="lo"
LO_IP="127.0.0.1"
INET_IP="194.236.50.155"
INET_IFACE="eth0"
IPTABLES="/usr/local/sbin/iptables"
#########
# Load all required IPTables modules
#
#
# Needed to initially load modules
#
/sbin/depmod -a
#
# Adds some iptables targets like LOG, REJECT and MASQUARADE.
#
/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
#
# Support for owner matching
#
#/sbin/modprobe ipt_owner
#
# Support for connection tracking of FTP and IRC.
#
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#
# Enable ip_forward, this is critical since it is turned off as defaul in
# Linux.
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# Dynamic IP users:
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#
# Enable simple IP Forwarding and Network Address Translation
#
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
#
# Set default policies for the INPUT, FORWARD and OUTPUT chains
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# bad_tcp_packets chain
#
# Take care of bad TCP packets that we dont want.
#
$IPTABLES -N bad_tcp_packets
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
# Do some checks for obviously spoofed IPs
#
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 172.16.0.0/12 -j DROP
$IPTABLES -A bad_tcp_packets -i $LAN_IFACE ! -s 192.168.0.0/16 -j DROP
#
# Bad TCP packets we dont want
#
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
#
# Accept the packets we actually want to forward between interfaces.
#
$IPTABLES -A FORWARD -p tcp --dport 21 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 110 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets
#
# The allowed chain for TCP connections
#
$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED
-j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# ICMP rules
#
# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
# TCP rules
#
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
#
# UDP ports
#
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT
#
# INPUT chain
#
# Bad TCP packets we dont want
#
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
#
# Rules for incoming packets from anywhere
#
$IPTABLES -A INPUT -p ICMP -j icmp_packets
$IPTABLES -A INPUT -p TCP -j tcp_packets
$IPTABLES -A INPUT -p UDP -j udpincoming_packets
#
# Rules for special networks not part of the Internet
#
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED
-j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3
-j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
#
# OUTPUT chain
#
#
# Bad TCP packets we dont want
#
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3
-j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
Download (MB)
Added: 2007-02-13 License: GPL (GNU General Public License) Price:
985 downloads
DMZ IP Firewall script
DMZ IP Firewall script project is a script for Linux 2.4.x and iptables. more>>
DMZ IP Firewall script project is a script for Linux 2.4.x and iptables.
Sample:
# Configuration options, these will speed you up getting this script to work with your own setup.
# your LANs IP range and localhost IP. /24 means to only use the first 24 bits of the 32 bit IP adress. the same as netmask 255.255.255.0
# STATIC_IP is used by me to allow myself to do anything to myself, might be a security risc but sometimes I want this. If you dont have a static IP, I suggest not using this option at all for now but its still enabled per default and will add some really nifty security bugs for all those who skips reading the documentation
LAN_IP="192.168.0.2"
LAN_BCAST_ADRESS="192.168.0.255"
LAN_IFACE="eth1"
INET_IP="194.236.50.152"
INET_IFACE="eth0"
HTTP_IP="194.236.50.153"
DNS_IP="194.236.50.154"
DMZ_HTTP_IP="192.168.1.2"
DMZ_DNS_IP="192.168.1.3"
DMZ_IP="192.168.1.1"
DMZ_IFACE="eth2"
LO_IP="127.0.0.1"
LO_IFACE="lo"
IPTABLES="/usr/local/sbin/iptables"
<<lessSample:
# Configuration options, these will speed you up getting this script to work with your own setup.
# your LANs IP range and localhost IP. /24 means to only use the first 24 bits of the 32 bit IP adress. the same as netmask 255.255.255.0
# STATIC_IP is used by me to allow myself to do anything to myself, might be a security risc but sometimes I want this. If you dont have a static IP, I suggest not using this option at all for now but its still enabled per default and will add some really nifty security bugs for all those who skips reading the documentation
LAN_IP="192.168.0.2"
LAN_BCAST_ADRESS="192.168.0.255"
LAN_IFACE="eth1"
INET_IP="194.236.50.152"
INET_IFACE="eth0"
HTTP_IP="194.236.50.153"
DNS_IP="194.236.50.154"
DMZ_HTTP_IP="192.168.1.2"
DMZ_DNS_IP="192.168.1.3"
DMZ_IP="192.168.1.1"
DMZ_IFACE="eth2"
LO_IP="127.0.0.1"
LO_IFACE="lo"
IPTABLES="/usr/local/sbin/iptables"
Download (MB)
Added: 2007-02-13 License: GPL (GNU General Public License) Price:
997 downloads
DHCP IP Firewall script
DHCP IP Firewall script project is a script for Linux 2.4.x and iptables. more>>
DHCP IP Firewall script project is a script for Linux 2.4.x and iptables.
Sample:
1. Configuration options - use these to quicken up the set up.
####################################
# Local Area Network configuration.
#
# your LANs IP range and localhost IP. /24 means to only use the first 24 bits of the 32 bit IP adress. the same as netmask 255.255.255.0
LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_BCAST_ADRESS="192.168.0.255"
LAN_IFACE="eth1"
######################################
#
# Localhost configuration.
#
# Localhost Interface and IP. Should not need any changes.
#
LO_IFACE="lo"
LO_IP="127.0.0.1"
#######################################
#
# Internet configuration.
#
# All information pertaining to the Internet and the Internet connection.
#
INET_IFACE="eth0"
#######################################
#
# DHCP Configuration.
#
# Information pertaining to DHCP over the Internet, if needed.
#
# Set DHCP variable to No if you dont get IP from DHCP. If you get DHCP over the Internet set this variable to Yes, and set up the proper IP adress for the DHCP server in the DHCP_SERVER variable.
DHCP="No"
DHCP_SERVER="195.22.90.65"
#########################################
#
# PPPOE Configuration.
#
# Configuration options pertaining to PPPoE.
#
# If you have problem with your PPPoE connection, such as large mails not getting through while small mail get through properly etc, you may set this option to "yes" which may fix the problem. This option will set a rule in the PREROUTING chain of the mangle table which will clamp (resize) all routed packets to PMTU (Path Maximum Transmit Unit).
#
# Note that it is better to set this up in the PPPoE package itself, since the PPPoE configuration option will give less overhead.
PPPOE_PMTU="No"
##########################################
#
# IPTABLES configuration.
#
# Options pertaining to iptables such as searchpath, etc.
#
IPTABLES="/usr/sbin/iptables"
<<lessSample:
1. Configuration options - use these to quicken up the set up.
####################################
# Local Area Network configuration.
#
# your LANs IP range and localhost IP. /24 means to only use the first 24 bits of the 32 bit IP adress. the same as netmask 255.255.255.0
LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_BCAST_ADRESS="192.168.0.255"
LAN_IFACE="eth1"
######################################
#
# Localhost configuration.
#
# Localhost Interface and IP. Should not need any changes.
#
LO_IFACE="lo"
LO_IP="127.0.0.1"
#######################################
#
# Internet configuration.
#
# All information pertaining to the Internet and the Internet connection.
#
INET_IFACE="eth0"
#######################################
#
# DHCP Configuration.
#
# Information pertaining to DHCP over the Internet, if needed.
#
# Set DHCP variable to No if you dont get IP from DHCP. If you get DHCP over the Internet set this variable to Yes, and set up the proper IP adress for the DHCP server in the DHCP_SERVER variable.
DHCP="No"
DHCP_SERVER="195.22.90.65"
#########################################
#
# PPPOE Configuration.
#
# Configuration options pertaining to PPPoE.
#
# If you have problem with your PPPoE connection, such as large mails not getting through while small mail get through properly etc, you may set this option to "yes" which may fix the problem. This option will set a rule in the PREROUTING chain of the mangle table which will clamp (resize) all routed packets to PMTU (Path Maximum Transmit Unit).
#
# Note that it is better to set this up in the PPPoE package itself, since the PPPoE configuration option will give less overhead.
PPPOE_PMTU="No"
##########################################
#
# IPTABLES configuration.
#
# Options pertaining to iptables such as searchpath, etc.
#
IPTABLES="/usr/sbin/iptables"
Download (MB)
Added: 2007-02-13 License: GPL (GNU General Public License) Price:
986 downloads
Firewall Generator 3.0
Firewall Generator is a CGI script that generates a firewall. more>>
Firewall Generator is a CGI script that generates a bash shell script that contains a list of commands for configuring a set of firewall rules.
It is the best solution to know something about system security.
<<lessIt is the best solution to know something about system security.
Download (0.002MB)
Added: 2006-07-13 License: GPL (GNU General Public License) Price:
1206 downloads
iptables firewall script 0.5
iptables firewall script is an Linux firewall based on the iptables software. more>>
iptables firewall script is an Linux firewall based on the iptables software.
Sample:
######## START FUNCTIONS #########
scripthelp () {
cat /dev/null 2>&1
Every 5 minutes
*/5 * * * * /path/to/this/script restart > /dev/null 2>&1
refresh
-------
Dumps current rules and reloads them.
stop
----
Dumps current rules and halts firewall.
---------------------------------------------------------
Usage: $0 [start|restart|refresh|stop]
SCRIPTHELP
}
fireme () {
if [ -z "`lsmod|grep iptable_filter`" ];
then
modprobe iptable_filter
fi
#######################################
#---------- Start predefined target rulesets ----------#
#######################################
# On the fly
$PROG -N ONTHEFLY
$PROG -A ONTHEFLY -j LOG --log-level 5 --log-prefix "TL0G_ONTHEFLY: "
$PROG -A ONTHEFLY -j DROP
# DENIED PORTS Privileged (1-1023) Target Ruleset
$PROG -N DENIED_PORT_PRIV
$PROG -A DENIED_PORT_PRIV -m state --state RELATED,ESTABLISHED -j ACCEPT
$PROG -A DENIED_PORT_PRIV -j LOG --log-level 5 --log-prefix "TL0G_DENIED_PORT_PRIV: "
$PROG -A DENIED_PORT_PRIV -j DROP
# DENIED PORTS Unprivileged TCP (1024+) Target Ruleset
$PROG -N DENIED_PORT_UNPRIV_TCP
$PROG -A DENIED_PORT_UNPRIV_TCP -m state --state RELATED,ESTABLISHED -j ACCEPT
$PROG -A DENIED_PORT_UNPRIV_TCP -j LOG --log-level 5 --log-prefix "TL0G_DENIED_PORT_T-UNPRIV: "
$PROG -A DENIED_PORT_UNPRIV_TCP -m state --state NEW,INVALID -j DROP
# DENIED PORTS Unprivileged UDP (1024+) Target Ruleset
$PROG -N DENIED_PORT_UNPRIV_UDP
$PROG -A DENIED_PORT_UNPRIV_UDP -j LOG --log-level 5 --log-prefix "TL0G_DENIED_PORT_U-UNPRIV: "
$PROG -A DENIED_PORT_UNPRIV_UDP -j DROP
#######################################
#---------- End predefined target rulesets ----------#
######################################
# Services
$PROG -A INPUT -p tcp --dport 0:112 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_PRIV
$PROG -A INPUT -p udp --dport 0:112 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_PRIV
$PROG -A INPUT -p tcp --dport 114:1023 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_PRIV
$PROG -A INPUT -p udp --dport 114:1023 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_PRIV
# NFS
$PROG -A INPUT -p tcp --dport 2049 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_UNPRIV_TCP
$PROG -A INPUT -p udp --dport 2049 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_UNPRIV_UDP
# X11
$PROG -A INPUT -p tcp --dport 6000:6005 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_UNPRIV_TCP
$PROG -A INPUT -p udp --dport 6000:6005 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_UNPRIV_UDP
# Netbus
$PROG -A INPUT -p tcp --dport 12345:12346 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_UNPRIV_TCP
$PROG -A INPUT -p udp --dport 12345:12346 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_UNPRIV_UDP
# Deny all else on TCP unless initiated from local machine/network.
# This rule covers NFS, X11, and Netbus listed above, its a catch-all for any TCP
# ports you may have services running on, but dont know what ports they use.
# Prevents an accidental crack attempt via TCP services.
# If you wish to allow any services, or alter the existing rules, they must be
# added BEFORE the rule below.
$PROG -A INPUT -p tcp --dport 1024:65535 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_UNPRIV_TCP
echo "[ [32;01mOK [0m]"
echo "rc.firewall loaded with IP: $IP and interface: $IFACE."
}
########################### END FUNCTIONS ##########################
##############################################
#----------------- START CONFIGURATION SECTION --------------------#
##############################################
# Set path to iptables program
PROG=/path/to/iptables
# Set interface type, ie; eth0, ppp0
IFACE=""
###############################################
#------------------ END CONFIGURATION SECTION ---------------------#
##############################################
# Test to make sure configuration variables are set, die if not.
if [ ! -x "$PROG" ] || [ -z "$IFACE" ];
then
echo "$PROG is not executable, or interface is not set, exiting."
exit 0
else
# Get current IP address
IP=`ifconfig $IFACE| grep inet| cut -f2 -d:| cut -f1 -d" "`
# Get old IP from last firewall load (if any).
# The purpose of getting OLDIP is so you can use this script in a cron
# job to update the firewall with the current IP, great for dialups
# and other dynamic connections.
# Examples:
# Check every 15 minutes:
# */15 * * * * /path/to/this/script restart > /dev/null 2>&1
# Check every 5 minutes:
# */5 * * * * /path/to/this/script restart > /dev/null 2>&1
OLDIP=`$PROG -n -L INPUT| grep 6005|grep udp| cut -b55-|cut -f1 -d u`
case $1 in
start)
if [ -z "$OLDIP" ];
then
echo -n "Starting firewall..."
fireme
elif [ $IP = $OLDIP ];
then
echo "FIREWALL IS UPDATED."
fi
;;
restart)
echo -n "Restarting firewall..."
if [ -z "`$PROG -n -L INPUT| grep 6005`" ];
then
fireme
elif [ $IP = $OLDIP ];
then
echo "FIREWALL IS UPDATED."
else
for i in DENIED_PORT_PRIV DENIED_PORT_UNPRIV_TCP DENIED_PORT_UNPRIV_UDP ONTHEFLY
do
$PROG -F $i
$PROG -F INPUT
$PROG -F FORWARD
$PROG -X $i
done
fireme
fi
;;
refresh)
echo -n "Resetting firewall..."
if [ -z "`$PROG -n -L INPUT| grep 6005`" ];
then
fireme
else
for i in DENIED_PORT_PRIV DENIED_PORT_UNPRIV_TCP DENIED_PORT_UNPRIV_UDP ONTHEFLY
do
$PROG -F $i
$PROG -F INPUT
$PROG -F FORWARD
$PROG -X $i
done
fireme
fi
;;
stop)
for i in DENIED_PORT_PRIV DENIED_PORT_UNPRIV_TCP DENIED_PORT_UNPRIV_UDP ONTHEFLY
do
$PROG -F $i
$PROG -F INPUT
$PROG -F FORWARD
$PROG -X $i
done
echo "Firewall stopped...[ [32;01mOK [0m]"
;;
*)
echo
scripthelp
;;
esac
fi
<<lessSample:
######## START FUNCTIONS #########
scripthelp () {
cat /dev/null 2>&1
Every 5 minutes
*/5 * * * * /path/to/this/script restart > /dev/null 2>&1
refresh
-------
Dumps current rules and reloads them.
stop
----
Dumps current rules and halts firewall.
---------------------------------------------------------
Usage: $0 [start|restart|refresh|stop]
SCRIPTHELP
}
fireme () {
if [ -z "`lsmod|grep iptable_filter`" ];
then
modprobe iptable_filter
fi
#######################################
#---------- Start predefined target rulesets ----------#
#######################################
# On the fly
$PROG -N ONTHEFLY
$PROG -A ONTHEFLY -j LOG --log-level 5 --log-prefix "TL0G_ONTHEFLY: "
$PROG -A ONTHEFLY -j DROP
# DENIED PORTS Privileged (1-1023) Target Ruleset
$PROG -N DENIED_PORT_PRIV
$PROG -A DENIED_PORT_PRIV -m state --state RELATED,ESTABLISHED -j ACCEPT
$PROG -A DENIED_PORT_PRIV -j LOG --log-level 5 --log-prefix "TL0G_DENIED_PORT_PRIV: "
$PROG -A DENIED_PORT_PRIV -j DROP
# DENIED PORTS Unprivileged TCP (1024+) Target Ruleset
$PROG -N DENIED_PORT_UNPRIV_TCP
$PROG -A DENIED_PORT_UNPRIV_TCP -m state --state RELATED,ESTABLISHED -j ACCEPT
$PROG -A DENIED_PORT_UNPRIV_TCP -j LOG --log-level 5 --log-prefix "TL0G_DENIED_PORT_T-UNPRIV: "
$PROG -A DENIED_PORT_UNPRIV_TCP -m state --state NEW,INVALID -j DROP
# DENIED PORTS Unprivileged UDP (1024+) Target Ruleset
$PROG -N DENIED_PORT_UNPRIV_UDP
$PROG -A DENIED_PORT_UNPRIV_UDP -j LOG --log-level 5 --log-prefix "TL0G_DENIED_PORT_U-UNPRIV: "
$PROG -A DENIED_PORT_UNPRIV_UDP -j DROP
#######################################
#---------- End predefined target rulesets ----------#
######################################
# Services
$PROG -A INPUT -p tcp --dport 0:112 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_PRIV
$PROG -A INPUT -p udp --dport 0:112 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_PRIV
$PROG -A INPUT -p tcp --dport 114:1023 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_PRIV
$PROG -A INPUT -p udp --dport 114:1023 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_PRIV
# NFS
$PROG -A INPUT -p tcp --dport 2049 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_UNPRIV_TCP
$PROG -A INPUT -p udp --dport 2049 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_UNPRIV_UDP
# X11
$PROG -A INPUT -p tcp --dport 6000:6005 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_UNPRIV_TCP
$PROG -A INPUT -p udp --dport 6000:6005 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_UNPRIV_UDP
# Netbus
$PROG -A INPUT -p tcp --dport 12345:12346 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_UNPRIV_TCP
$PROG -A INPUT -p udp --dport 12345:12346 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_UNPRIV_UDP
# Deny all else on TCP unless initiated from local machine/network.
# This rule covers NFS, X11, and Netbus listed above, its a catch-all for any TCP
# ports you may have services running on, but dont know what ports they use.
# Prevents an accidental crack attempt via TCP services.
# If you wish to allow any services, or alter the existing rules, they must be
# added BEFORE the rule below.
$PROG -A INPUT -p tcp --dport 1024:65535 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_UNPRIV_TCP
echo "[ [32;01mOK [0m]"
echo "rc.firewall loaded with IP: $IP and interface: $IFACE."
}
########################### END FUNCTIONS ##########################
##############################################
#----------------- START CONFIGURATION SECTION --------------------#
##############################################
# Set path to iptables program
PROG=/path/to/iptables
# Set interface type, ie; eth0, ppp0
IFACE=""
###############################################
#------------------ END CONFIGURATION SECTION ---------------------#
##############################################
# Test to make sure configuration variables are set, die if not.
if [ ! -x "$PROG" ] || [ -z "$IFACE" ];
then
echo "$PROG is not executable, or interface is not set, exiting."
exit 0
else
# Get current IP address
IP=`ifconfig $IFACE| grep inet| cut -f2 -d:| cut -f1 -d" "`
# Get old IP from last firewall load (if any).
# The purpose of getting OLDIP is so you can use this script in a cron
# job to update the firewall with the current IP, great for dialups
# and other dynamic connections.
# Examples:
# Check every 15 minutes:
# */15 * * * * /path/to/this/script restart > /dev/null 2>&1
# Check every 5 minutes:
# */5 * * * * /path/to/this/script restart > /dev/null 2>&1
OLDIP=`$PROG -n -L INPUT| grep 6005|grep udp| cut -b55-|cut -f1 -d u`
case $1 in
start)
if [ -z "$OLDIP" ];
then
echo -n "Starting firewall..."
fireme
elif [ $IP = $OLDIP ];
then
echo "FIREWALL IS UPDATED."
fi
;;
restart)
echo -n "Restarting firewall..."
if [ -z "`$PROG -n -L INPUT| grep 6005`" ];
then
fireme
elif [ $IP = $OLDIP ];
then
echo "FIREWALL IS UPDATED."
else
for i in DENIED_PORT_PRIV DENIED_PORT_UNPRIV_TCP DENIED_PORT_UNPRIV_UDP ONTHEFLY
do
$PROG -F $i
$PROG -F INPUT
$PROG -F FORWARD
$PROG -X $i
done
fireme
fi
;;
refresh)
echo -n "Resetting firewall..."
if [ -z "`$PROG -n -L INPUT| grep 6005`" ];
then
fireme
else
for i in DENIED_PORT_PRIV DENIED_PORT_UNPRIV_TCP DENIED_PORT_UNPRIV_UDP ONTHEFLY
do
$PROG -F $i
$PROG -F INPUT
$PROG -F FORWARD
$PROG -X $i
done
fireme
fi
;;
stop)
for i in DENIED_PORT_PRIV DENIED_PORT_UNPRIV_TCP DENIED_PORT_UNPRIV_UDP ONTHEFLY
do
$PROG -F $i
$PROG -F INPUT
$PROG -F FORWARD
$PROG -X $i
done
echo "Firewall stopped...[ [32;01mOK [0m]"
;;
*)
echo
scripthelp
;;
esac
fi
Download (MB)
Added: 2007-02-14 License: GPL (GNU General Public License) Price:
986 downloads
Other version of iptables firewall script
IPTables Firewall Script contains two example firewall scripts ...IPTables Firewall Script contains two example firewall scripts "rcLicense:GPL (GNU General Public License)
Endian Firewall 2.1.2 Community
Endian Firewall is a turn-key linux security distribution based on IPCop. more>>
Endian Firewall is a "turn-key" linux security distribution based on IPCop that turns every system into a full featured security appliance. Endian Firewall has been designed with "usability in mind" and is very easy to install, use and mange, without loosing its flexibility.
The features include a stateful packet inspection firewall, application-level proxies for variuos protocols (HTTP, POP3, SMTP) with antivirus support, virus and spamfiltering for email traffic (POP and SMTP), content filtering of Web traffic and a "hassle free" VPN solution (based on OpenVPN). The main advantage of Endian Firewall is that it is a pure "Open Source" solution that is commercially supported by Endian.
Main features:
Based Module:
- Firewall (statefull inspection)
- Outgoing Firewall
- IPSec Gateway to gateway VPN
- IPSec Remote client to gateway VPN (roadwarrior)
- NAT
- Multi-IP address support (aliases)
- Dynamic DNS
- DMZ support
- HTTPS Web Interface
- Detailed network traffic graphs
- View currently active connections
- Event log management
- Log redirection to external server
- Server DHCP
- Server NTP
- Traffic Shaping / QoS
- Transparent POP3 antivirus/antispam proxy
- Transparent HTTP proxy
- Web Proxy with local users, windows domain, samba, LDAP, radius server management
- Intrusion Detection System
- ADSL modem support
- Configuration backup and restore
- Remote update
Advanced Antivirus Module:
- HTTP Antivirus
- Endian Security Tools for Windows Desktop
- Transparent SMTP antivirus/antispam proxy
VPN Gateway Module:
- Gateway to gateway VPN with OpenVPN (http://openvpn.net/)
- Remote client to gateway VPN (roadwarrior) with OpenVPN (http://openvpn.net/)
- Bridged and Routed VPN mode
- Endian Client VPN ? Windows, Linux, MacOSX
Web Content Filter Module:
- URL filter
- Web content analysis/filter
- Whitelists and blacklists management
- Web surfing time limits
Enhancements:
- SATA support is now again working
- A wizard after installation asks to set the passwords (root, admin)
- Added possibility to restore a backup directly after installation
- Fix for blocking incoming connections coming in through the VPN [#210]
<<lessThe features include a stateful packet inspection firewall, application-level proxies for variuos protocols (HTTP, POP3, SMTP) with antivirus support, virus and spamfiltering for email traffic (POP and SMTP), content filtering of Web traffic and a "hassle free" VPN solution (based on OpenVPN). The main advantage of Endian Firewall is that it is a pure "Open Source" solution that is commercially supported by Endian.
Main features:
Based Module:
- Firewall (statefull inspection)
- Outgoing Firewall
- IPSec Gateway to gateway VPN
- IPSec Remote client to gateway VPN (roadwarrior)
- NAT
- Multi-IP address support (aliases)
- Dynamic DNS
- DMZ support
- HTTPS Web Interface
- Detailed network traffic graphs
- View currently active connections
- Event log management
- Log redirection to external server
- Server DHCP
- Server NTP
- Traffic Shaping / QoS
- Transparent POP3 antivirus/antispam proxy
- Transparent HTTP proxy
- Web Proxy with local users, windows domain, samba, LDAP, radius server management
- Intrusion Detection System
- ADSL modem support
- Configuration backup and restore
- Remote update
Advanced Antivirus Module:
- HTTP Antivirus
- Endian Security Tools for Windows Desktop
- Transparent SMTP antivirus/antispam proxy
VPN Gateway Module:
- Gateway to gateway VPN with OpenVPN (http://openvpn.net/)
- Remote client to gateway VPN (roadwarrior) with OpenVPN (http://openvpn.net/)
- Bridged and Routed VPN mode
- Endian Client VPN ? Windows, Linux, MacOSX
Web Content Filter Module:
- URL filter
- Web content analysis/filter
- Whitelists and blacklists management
- Web surfing time limits
Enhancements:
- SATA support is now again working
- A wizard after installation asks to set the passwords (root, admin)
- Added possibility to restore a backup directly after installation
- Fix for blocking incoming connections coming in through the VPN [#210]
Download (110MB)
Added: 2007-07-12 License: GPL (GNU General Public License) Price:
875 downloads
Firewall Admin 0.4
Firewall Admin is not a firewall generator. more>>
Firewall Admin is not a firewall generator. This tool allows network administrators to manage iptables rules from anywhere though a simple administration interface through a Web browser. Any user can put some extra plug-ins to interact with netfilter modules.
Main features:
- View rules of Filter, NAT and Mangle tables
- Create and delete chains
- Create, replace and delete rules (filter, nat and mangle)
- Modules: tcp, udp, icmp, limit, mac, multiport, state, iprange, string, owner, comment, quota, mport, time, dscp, ecn, pktype, connmark and random
- Packets/bytes counter
- Rename userchains
- Mangle targets: TOS, MARK and DSCP
- Up and Down rules
- Change policy (ACCEPT and DROP)
- Flush chains
- Configuration
- Backup and Restore firewall rules and chains
Enhancements:
- fixed userchains targets to support no targets (default: ACCEPT)
- ruleoptions directory was removed (performance impact)
- support for patch-o-matic modules comment and quota
- support for native modules mport, time, string, dscp, ecn, pktype and connmark
- support for native modules random
- packages/bytes counter support
- rename userchains
- added support to mangle targets: MARK and DSCP
- disabled notices in php
<<lessMain features:
- View rules of Filter, NAT and Mangle tables
- Create and delete chains
- Create, replace and delete rules (filter, nat and mangle)
- Modules: tcp, udp, icmp, limit, mac, multiport, state, iprange, string, owner, comment, quota, mport, time, dscp, ecn, pktype, connmark and random
- Packets/bytes counter
- Rename userchains
- Mangle targets: TOS, MARK and DSCP
- Up and Down rules
- Change policy (ACCEPT and DROP)
- Flush chains
- Configuration
- Backup and Restore firewall rules and chains
Enhancements:
- fixed userchains targets to support no targets (default: ACCEPT)
- ruleoptions directory was removed (performance impact)
- support for patch-o-matic modules comment and quota
- support for native modules mport, time, string, dscp, ecn, pktype and connmark
- support for native modules random
- packages/bytes counter support
- rename userchains
- added support to mangle targets: MARK and DSCP
- disabled notices in php
Download (0.056MB)
Added: 2006-07-12 License: GPL (GNU General Public License) Price:
1211 downloads
Firewall Monitor 1.1.0
Firewall Monitor allows you to monitor ipchains/iptables output in realtime. more>>
Firewall Monitor allows you to monitor ipchains/iptables output in realtime. It supports both logging to a file/stdout and/or to tcpdump format capture logs. It also supports security features such as running non-root, and chrooting itself.
Fwmon can easily be integrated into an existing ipchains ruleset. As an example, fwmon can be easily integrated into the excellently commented TrinityOS ruleset available from http://www.ecst.csuchico.edu/~dranch/LINUX. The enhanced logging may be selectively added to specific existing rules by adding a new user-defined rule to the default ACCEPT, REJECT and DENY rules..This program has been known in the past as "Firestorm Firewall Monitor", however it shares nothing with firestorm.
If you wish to retain current ipchains logging features which RedHat and TurboLinux among other distributions make to /var/log/messages and add the additional features of fwmon, keep the -l option (or the $LOGGING equivalent used in TrinityOS) for those rules of interest. Fwmon data will be placed in a separate file (user-configurable) via a new target of those rules for which the capability is desired. Note that this new rule will not contain the -l (or $LOGGING) flag so packets trapped by a primary rule are not logged twice by ipchains. Additionally, by retaining the ipchains logging in primary rules, the rule number that caused the logging is contained in the ipchains log entries, and not the rule number of the new chain.
As a guide for adding this new chain, the TrinityOS rule set begins with setting of various parameters used with firewalls (flag settinga in the /proc directory, loading of modules, etc) then rules are grouped in INPUT, OUTPUT and FORWARD sections. Since this new rule will be a target of other rules, it must be placed BEFORE the first rule which references it to avoid errors the first time the ruleset is loaded. We suggest that a new
section defining the rule be placed just before the INPUT rules section and consist of:
Enhancements:
- Fixed logrotate problems with libpcap files. There is still a race condition but under normal circumstances you shouldnt encounter it, Ill think about fixing it all the same.
<<lessFwmon can easily be integrated into an existing ipchains ruleset. As an example, fwmon can be easily integrated into the excellently commented TrinityOS ruleset available from http://www.ecst.csuchico.edu/~dranch/LINUX. The enhanced logging may be selectively added to specific existing rules by adding a new user-defined rule to the default ACCEPT, REJECT and DENY rules..This program has been known in the past as "Firestorm Firewall Monitor", however it shares nothing with firestorm.
If you wish to retain current ipchains logging features which RedHat and TurboLinux among other distributions make to /var/log/messages and add the additional features of fwmon, keep the -l option (or the $LOGGING equivalent used in TrinityOS) for those rules of interest. Fwmon data will be placed in a separate file (user-configurable) via a new target of those rules for which the capability is desired. Note that this new rule will not contain the -l (or $LOGGING) flag so packets trapped by a primary rule are not logged twice by ipchains. Additionally, by retaining the ipchains logging in primary rules, the rule number that caused the logging is contained in the ipchains log entries, and not the rule number of the new chain.
As a guide for adding this new chain, the TrinityOS rule set begins with setting of various parameters used with firewalls (flag settinga in the /proc directory, loading of modules, etc) then rules are grouped in INPUT, OUTPUT and FORWARD sections. Since this new rule will be a target of other rules, it must be placed BEFORE the first rule which references it to avoid errors the first time the ruleset is loaded. We suggest that a new
section defining the rule be placed just before the INPUT rules section and consist of:
Enhancements:
- Fixed logrotate problems with libpcap files. There is still a race condition but under normal circumstances you shouldnt encounter it, Ill think about fixing it all the same.
Download (0.027MB)
Added: 2006-07-07 License: GPL (GNU General Public License) Price:
1204 downloads
Firewall-1 Response 1.0
Firewall-1 Response is a Perl script for performing simple active responses based on a Checkpoint Firewall-1. more>>
Firewall-1 Response is a Perl script for performing simple active responses based on a Checkpoint Firewall-1. It is good for closing off your network against people who do port scans or network sweeps.
fw sam provides a command line interface to a limited feature-set of the firewall security policy. The purpose of this is to allow scripts such as this a way to dynamically change the security policy of one or more firewalls without administrator intervention. This should scare you, because of the potential of these changes allowing bad guys to run a DoS attack against you.
<<lessfw sam provides a command line interface to a limited feature-set of the firewall security policy. The purpose of this is to allow scripts such as this a way to dynamically change the security policy of one or more firewalls without administrator intervention. This should scare you, because of the potential of these changes allowing bad guys to run a DoS attack against you.
Download (0.029MB)
Added: 2006-07-12 License: GPL (GNU General Public License) Price:
1201 downloads
PHP firewall generator 2.0
The PHP Firewall Generator is a simple PHP script that generates a firewall script for iptables or ipchains based firewalls. more>>
The PHP Firewall Generator is a simple PHP script that generates a firewall script for iptables or ipchains based firewalls. The script is created based on configuration rules entered by the user. The aim is to support a rule set similar to those supported by commercial Firewall systems, and make it easy to configure.
Make sure that you have apache and PHP installed (tested with apache-1.3.19-5 and php-4.0.4 from Red Hat 7.1 but shouldwork with others).
Make sure that PHP is actually running.
Make sure that you have iptables installed. Tested with iptables-1.2.1a-1 from Red Hat 7.1
Run this as root:
make install
If you dont have make installed on your system, then you could just run:
installme
Make sure that the files in /var/www/html/phpfwgen/ are readable by the HTTP daemon user (often httpd or apache) and that the files in /var/lib/phpfwgen are readable AND writeable by this user.
The script gets copied into /var/www/html/phpfwgen/ so you should be able to access it as http:// /phpfwgen/
Make sure that the files created in /var/lib/phpfwgen make sense, particularly the "interfaces" file.
<<lessMake sure that you have apache and PHP installed (tested with apache-1.3.19-5 and php-4.0.4 from Red Hat 7.1 but shouldwork with others).
Make sure that PHP is actually running.
Make sure that you have iptables installed. Tested with iptables-1.2.1a-1 from Red Hat 7.1
Run this as root:
make install
If you dont have make installed on your system, then you could just run:
installme
Make sure that the files in /var/www/html/phpfwgen/ are readable by the HTTP daemon user (often httpd or apache) and that the files in /var/lib/phpfwgen are readable AND writeable by this user.
The script gets copied into /var/www/html/phpfwgen/ so you should be able to access it as http:// /phpfwgen/
Make sure that the files created in /var/lib/phpfwgen make sense, particularly the "interfaces" file.
Download (0.035MB)
Added: 2006-07-08 License: GPL (GNU General Public License) Price:
1211 downloads
Firewall Tester 1.0
The Firewall Tester (FTester) is a tool designed for testing firewalls filtering policies and Intrusion Detection System (IDS) c more>>
The Firewall Tester (FTester) is a tool designed for testing firewalls filtering policies and Intrusion Detection System (IDS) capabilities.The tool consists of two perl scripts, a packet injector (ftest) and the listening sniffer (ftestd). The first script injects custom packets, defined in ftest.conf, with a signature in the data part while the sniffer listens for such marked packets. The scripts both write a log file which is in the same form for both scripts. A diff of the two produced files (ftest.log and ftestd.log) shows the packets that were unable to reach the sniffer due to filtering rules if these two scripts are ran on hosts placed on two different sides of a firewall. Stateful inspection firewalls are handled with the connection spoofing option. A script called freport is also available for automatically write to log files.
Of course this is not an automated process, ftest.conf must be crafted for every different situation. Examples and rules are included in the attached configuration file.
The IDS (Intrusion Detection System) testing feature can be used either with ftest only or with the additional support of ftestd for handling stateful inspection IDS, ftest can also use common IDS evasion techniques. Instead of using the configuration syntax currently the script can also process snort rule definition file.
These two scripts were written because I was tired of doing this by hand (with packet-crafting tools and tcpdump), I know that there are at least two dozens of other methods to do this but another reason was to learn some perl ;). I hope that you enjoy them.
Main features:
- firewall testing
- IDS testing
- simulation of real tcp connections for stateful inspection firewalls and IDS
- connection spoofing
- IP fragmentation / TCP segmentation
- IDS evasion techniques
<<lessOf course this is not an automated process, ftest.conf must be crafted for every different situation. Examples and rules are included in the attached configuration file.
The IDS (Intrusion Detection System) testing feature can be used either with ftest only or with the additional support of ftestd for handling stateful inspection IDS, ftest can also use common IDS evasion techniques. Instead of using the configuration syntax currently the script can also process snort rule definition file.
These two scripts were written because I was tired of doing this by hand (with packet-crafting tools and tcpdump), I know that there are at least two dozens of other methods to do this but another reason was to learn some perl ;). I hope that you enjoy them.
Main features:
- firewall testing
- IDS testing
- simulation of real tcp connections for stateful inspection firewalls and IDS
- connection spoofing
- IP fragmentation / TCP segmentation
- IDS evasion techniques
Download (0.030MB)
Added: 2006-07-07 License: GPL (GNU General Public License) Price:
1206 downloads
Firewall Builder 2.1.13
Firewall Builder is a multi-platform firewall configuration and management system. more>>
Firewall Builder is a multi-platform firewall configuration and management system. It consists of a GUI and set of policy compilers for various firewall platforms.
Firewall Builder helps users maintain a database of objects and allows policy editing using simple drag-and-drop operations.
The GUI and policy compilers are completely independent, this provides for a consistent abstract model and the same GUI for different firewall platforms. It currently supports iptables, ipfilter, ipfw, OpenBSD pf and Cisco PIX.
Whats New in This Release:
Improvements and bug fixes in the GUI
* fixed bug #1740766: "lock not saved". This method now copies the value
of "ro" attribute (read-only). Clear it in the caller if neccessary.
Method duplicate() clears it after calling shallowDuplicate in order
to be able to modify the object, then restores this attribute to its
original value.
* fixed bug #1743117: "crash while editing any". Added check, user
should not be able to unlock Standard objects library
* fixed bug #1753188: "policy activation fails on PIX and IOS".
Installer failed if account used to authenticate to the router or PIX
went straight to enable mode after login.
* added simple template object for Cisco router 36xx
Improvements and bug fixes in policy compiler for iptables
* fixed bug #1746257: "fwbuilder breaks IPv6". Added an option to the
firewall settings dialog for iptables that controls whether compiler
should skip generation of the code to set default policy of all ipv6
chains to DROP. This option is off by default, that is compiler puts
the code in. This helps maintain backwards compatibility with old data
files that do not have this option, which is equivalent to this option
being "off".
* fixed bug #1747332: "missing CONNMARK/ restore mark in Output Chain"
* compiler permits setting direction in the rule while interface field
is "All". This generates iptables command in chain INPUT or OUTPUT
with "-i +" or "-o +" interface specification to match all interfaces.
Improvements and bug fixes in policy compiler for PF
* fixed bug #1747828: "anchors generation - "log" not supported". "Log"
keyword is not allowed in "anchor" rules; compiler should not generate
it even if user turned logging on in a rule with action Branch
* implemented support for PF limit options "src-nodes", "tables" and
"table-entries". Feature Req. #1674919: "Support "set limit
table-entries""
* better compliance with PF 4.x. Feature Req. #1679793: "add no state
and flags any". If version is set to 4.x, compiler skips "flags S/SA
keep state" for rules mathcing tcp services. However, according to the
section "1.2. Operational changes" in PF FAQ at
http://www.openbsd.org/faq/upgrade41.html , there should be a way to
add "keep state" explicitly for rules on interface enc0. Added this
option to the rule options dialog.
* Added support for "set skip on " command for PF. If an interface is
marked as "unprotected" in the GUI, compiler generates this command
for it. This is useful for loopback or other virtual interfaces.
Improvements and bug fixes in policy compilers for Cisco IOS ACL
* Fixed bug that caused compiler to exit abnormally while compiling a
rule with interface field "all". Compiler should generate ACL lines
for all interfaces of the router (except those marked "unprotected")
<<lessFirewall Builder helps users maintain a database of objects and allows policy editing using simple drag-and-drop operations.
The GUI and policy compilers are completely independent, this provides for a consistent abstract model and the same GUI for different firewall platforms. It currently supports iptables, ipfilter, ipfw, OpenBSD pf and Cisco PIX.
Whats New in This Release:
Improvements and bug fixes in the GUI
* fixed bug #1740766: "lock not saved". This method now copies the value
of "ro" attribute (read-only). Clear it in the caller if neccessary.
Method duplicate() clears it after calling shallowDuplicate in order
to be able to modify the object, then restores this attribute to its
original value.
* fixed bug #1743117: "crash while editing any". Added check, user
should not be able to unlock Standard objects library
* fixed bug #1753188: "policy activation fails on PIX and IOS".
Installer failed if account used to authenticate to the router or PIX
went straight to enable mode after login.
* added simple template object for Cisco router 36xx
Improvements and bug fixes in policy compiler for iptables
* fixed bug #1746257: "fwbuilder breaks IPv6". Added an option to the
firewall settings dialog for iptables that controls whether compiler
should skip generation of the code to set default policy of all ipv6
chains to DROP. This option is off by default, that is compiler puts
the code in. This helps maintain backwards compatibility with old data
files that do not have this option, which is equivalent to this option
being "off".
* fixed bug #1747332: "missing CONNMARK/ restore mark in Output Chain"
* compiler permits setting direction in the rule while interface field
is "All". This generates iptables command in chain INPUT or OUTPUT
with "-i +" or "-o +" interface specification to match all interfaces.
Improvements and bug fixes in policy compiler for PF
* fixed bug #1747828: "anchors generation - "log" not supported". "Log"
keyword is not allowed in "anchor" rules; compiler should not generate
it even if user turned logging on in a rule with action Branch
* implemented support for PF limit options "src-nodes", "tables" and
"table-entries". Feature Req. #1674919: "Support "set limit
table-entries""
* better compliance with PF 4.x. Feature Req. #1679793: "add no state
and flags any". If version is set to 4.x, compiler skips "flags S/SA
keep state" for rules mathcing tcp services. However, according to the
section "1.2. Operational changes" in PF FAQ at
http://www.openbsd.org/faq/upgrade41.html , there should be a way to
add "keep state" explicitly for rules on interface enc0. Added this
option to the rule options dialog.
* Added support for "set skip on " command for PF. If an interface is
marked as "unprotected" in the GUI, compiler generates this command
for it. This is useful for loopback or other virtual interfaces.
Improvements and bug fixes in policy compilers for Cisco IOS ACL
* Fixed bug that caused compiler to exit abnormally while compiling a
rule with interface field "all". Compiler should generate ACL lines
for all interfaces of the router (except those marked "unprotected")
Download (MB)
Added: 2007-07-23 License: GPL (GNU General Public License) Price:
835 downloads
Firewall by Jim 1.30
Firewall by Jim is a firewall that takes advantage of tcp_wrappers information to block users. more>>
Firewall by Jim is a firewall that takes advantage of tcp_wrappers information to block users. I got tired of the firewall scripts out there not doing what I wanted them to.. I wanted a firewall that was flexible to use, but did its job. I wanted one that could be configured to any circumstance easily without changing the script itself. That is why I designed my firewall to use simple text files for configuration ease.
I have built in mutlple mean of protection into the firewall itself. Of the most notable is the hacker, trojan, spam, and blacklist capabilities.
The hacker protection will prevent the outside world from running unwanted commands. If you choose to enable this function.
The hacker protection will prevent the outside world from running unwanted commands. The trojan protection has two different levels. Standard and Intensive. The standard protection only protections from known linux and unix trojans. Where as the intensive will protect from all known trojans from windows, linux, and unix based.
The spam protection will block any IP address which is in list, from sending mail to your SMTP server.
The blacklist protection will block total communications to a site. I have also included a blacklist update script which will pull blacklist information from http://www.dshield.org .
<<lessI have built in mutlple mean of protection into the firewall itself. Of the most notable is the hacker, trojan, spam, and blacklist capabilities.
The hacker protection will prevent the outside world from running unwanted commands. If you choose to enable this function.
The hacker protection will prevent the outside world from running unwanted commands. The trojan protection has two different levels. Standard and Intensive. The standard protection only protections from known linux and unix trojans. Where as the intensive will protect from all known trojans from windows, linux, and unix based.
The spam protection will block any IP address which is in list, from sending mail to your SMTP server.
The blacklist protection will block total communications to a site. I have also included a blacklist update script which will pull blacklist information from http://www.dshield.org .
Download (0.043MB)
Added: 2006-07-11 License: GPL (GNU General Public License) Price:
1202 downloads
firewall 20020626
firewall is a set of scripts (firewall, fwup and fwdown) for ipchains. more>>
Firewall is a set of scripts (firewall, fwup and fwdown) that implement an ipchains firewall and various forms of network address and port translation. All you have to do is read the policy file and edit it to reflect your topology and filtering policy.
The policy file is composed of sections in which you need to specify: this hosts trusted and untrusted network interfaces; this hosts role and function within the network topology; the incoming and outgoing services to allow and the internal and external hosts that may take part in them. It has been designed to make this as painless and flexible as possible.
Each section contains detailed explanations and advice on things such as when to start the firewall and the security implications of various well known internet services and advice on how to allow them safely. It is intended to introduce administrators to some subtleties of packet filtering quickly so that they can make better informed security decisions and achieve and maintain effective network security (at least the packet filtering part) in a very short time. Of course, it will not prevent you from making bad network security, but you will have been warned.
Main features:
- Single Host (no forwarding, no address/port translation)
- Forwarding (no address/port translation)
- Masquerading (outgoing M:1 NAPT)
- Port Forwarding (Masquerading + incoming 1:M NAPT)
- Alias Port Forwarding (Masquerading + incoming N:M NAPT)
- Static NAT (incoming and outgoing 1:1 NAT)
<<lessThe policy file is composed of sections in which you need to specify: this hosts trusted and untrusted network interfaces; this hosts role and function within the network topology; the incoming and outgoing services to allow and the internal and external hosts that may take part in them. It has been designed to make this as painless and flexible as possible.
Each section contains detailed explanations and advice on things such as when to start the firewall and the security implications of various well known internet services and advice on how to allow them safely. It is intended to introduce administrators to some subtleties of packet filtering quickly so that they can make better informed security decisions and achieve and maintain effective network security (at least the packet filtering part) in a very short time. Of course, it will not prevent you from making bad network security, but you will have been warned.
Main features:
- Single Host (no forwarding, no address/port translation)
- Forwarding (no address/port translation)
- Masquerading (outgoing M:1 NAPT)
- Port Forwarding (Masquerading + incoming 1:M NAPT)
- Alias Port Forwarding (Masquerading + incoming N:M NAPT)
- Static NAT (incoming and outgoing 1:1 NAT)
Download (0.18MB)
Added: 2006-07-11 License: GPL (GNU General Public License) Price:
1349 downloads
PCX Firewall 2.24
PCX Firewall is an IPTables firewalling solution. more>>
PCX Firewall is an IPTables firewalling solution that uses Perl to generate static shell scripts based upon the users configuration settings.
This allows the firewall to startup quickly, as it does not have to parse config files every time it starts.
Enhancements:
- All known bugs have been fixed. Support has been added for Debian Sarge and Red Hat FC[1-3] as "official" distributions to work with when generating init scripts. The ability has been added to just install the generated firewall script into /etc/init.d or /etc/pcx-firewall without starting it.
<<lessThis allows the firewall to startup quickly, as it does not have to parse config files every time it starts.
Enhancements:
- All known bugs have been fixed. Support has been added for Debian Sarge and Red Hat FC[1-3] as "official" distributions to work with when generating init scripts. The ability has been added to just install the generated firewall script into /etc/init.d or /etc/pcx-firewall without starting it.
Download (0.036MB)
Added: 2005-06-29 License: GPL (GNU General Public License) Price:
1579 downloads
Secleted [ 0 ] software to compare
Copyright Notice:
Software piracy is theft, Using crack, password, serial numbers, registration codes, key generators is illegal and prevent future software development. The above firewall security search only lists software in full, demo and trial versions for free download. Download links are directly from our mirror sites or publisher sites, torrent files or links from rapidshare.com, yousendit.com or megaupload.com are not allowed
