TDG

The ipfwadm dotfile module home page

The ipfwadm dotfile module is intended to make setting up IP Masquerade and basic firewalling on a small network easier for Linux users who aren't professional network administrators. It utilizes Jesper Pedersen's Dotfile Generator to provide a GUI shell around the ipfwadm command. It also automates some of the confusing and obscure details of firewall and IP Masquerade configuration.

It is not, however, intended to be a replacement for an experienced network administrator in a critical environment. If you aren't familiar with the details of setting up a firewall and you have important data you need to protect, then I strongly recommend you obtain a good book on firewalls. One such is O'Reilly & Associates' Building Internet Firewalls, ISBN 1-56592-124-0. Another is Firewalls and Internet Security: Repelling the Wily Hacker, ISBN 0-20163-357-4. A good book about general security is Practical Unix and Internet Security, ISBN 1-56592-148-8. In association with Amazon.com you can order these books online.


The ipfwadm dotfile module is currently in beta release.

You can download the stable beta (0.26b 10/06/98 26kb) (via HTTP), or try a snapshot of the current development state (03/13/99 28kb) (via HTTP) if you're interested. You can also get signed MD5 checksums of the tarballs (finger jhardin@gonzo.wolfenet.com or see my home page for my public key) and view a list of changes.

You'll also need version 2.0 or greater of the Dotfile Generator (download RPMs here), Tcl/Tk, X and ipfwadm, and support for IP firewalling, the /proc virtual filesystem, IP forwarding and (optionally) IP Masquerading compiled into your kernel.

Note that you do not necessarily have to have X windows installed on the system that is doing the firewalling - it is perfectly reasonable to install TDG and Tcl/Tk on the firewall system and telnet (or, better yet, SSH) in from an X workstation that is behind the firewall.


Installation

To install the ipfwadm module, you'll need to locate the dotfile modules directory - try looking in /usr/local/lib/dotfile-2.2 or /usr/lib/dotfile-2.0.

Once you've located the dotfile modules directory, extract the ipfwadm module files from the tarball - for example:

        cd /usr/local/lib/dotfile-2.2
        tar zxvf /tmp/ipfwadm-dotfile-*.tgz
        chmod 755 ipfwadm
        chmod 644 ipfwadm/*

At this point you should be able to run the command dotfile and see the ipfwadm module in the list of available modules.
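
The install steps above with the MD5 check from the download notes placed in front of the extraction, as an added example (not the author's script). The function names, the checksum-file argument and the archive member check are assumptions, as is a system with md5sum and GNU tar; verifying the signature on the checksum file is a separate step done beforehand.

```shell
#!/bin/sh
# Added example. Assumed names: the three functions, the checksum-file
# argument, and the optional modules-directory arguments.

# Print the first candidate directory that exists.
find_dotfile_dir() {
    for d in "$@"; do
        [ -d "$d" ] && { printf '%s\n' "$d"; return 0; }
    done
    return 1
}

# Succeed only if the archive is non-empty and every member sits under
# ipfwadm/, with no absolute path and no ".." component.
members_are_safe() {
    tar tzf "$1" 2>/dev/null | awk '
        /^\// || /(^|\/)\.\.(\/|$)/ { bad = 1 }
        !/^ipfwadm(\/|$)/           { bad = 1 }
        END { exit (bad || NR == 0) }'
}

# usage: install_ipfwadm_module TARBALL MD5FILE [MODULES_DIR...]
# returns 2: no modules directory, 3: checksum mismatch, 4: unexpected paths
install_ipfwadm_module() {
    tarball=$1; sums=$2; shift 2
    case $tarball in /*) ;; *) tarball=$PWD/$tarball ;; esac
    # Default candidates are the two locations named in the install notes.
    [ $# -gt 0 ] || set -- /usr/local/lib/dotfile-2.2 /usr/lib/dotfile-2.0
    dest=$(find_dotfile_dir "$@") || { echo "no dotfile modules directory" >&2; return 2; }

    # Compare against the published checksum (md5sum format: "HASH  NAME").
    # The checksum file is only meaningful once its signature is verified.
    name=$(basename "$tarball")
    want=$(awk -v f="$name" '{ n = $2; sub(/^\*/, "", n); if (n == f) print $1 }' "$sums")
    have=$(md5sum "$tarball" | awk '{ print $1 }')
    [ -n "$want" ] && [ "$want" = "$have" ] || { echo "MD5 mismatch for $name" >&2; return 3; }

    members_are_safe "$tarball" || { echo "unexpected paths in $name" >&2; return 4; }

    # Same steps as the manual procedure, run only after both checks pass.
    ( cd "$dest" && tar zxf "$tarball" && chmod 755 ipfwadm && chmod 644 ipfwadm/* )
}
```

The member check matters because the extraction is normally run as root inside a system library directory.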

Upgrading from an earlier version

Important: TDG save files are not robust enough to deal with certain types of changes in the data structures. When upgrading to a new version of this module, you must export your saved configurations before you upgrade, then upgrade the module, then import the exported configuration and save it. If you do not do this you risk having TDG choke while trying to save, which will result in loss of data.


Documentation

Documentation is, as yet, very sparse. As it is produced it will be made available here. If you haven't used TDG before, here's a tip: right-clicking on an object (e.g. a checkbox) will display some help text about that object.


Other Notes:

The new IP Firewall Chains in the 2.1 and 2.2 kernels provide a great improvement in the flexibility, power and efficiency of Linux packet filtering. I hope to be incorporating support for ipchains firewalls soon, but it may take the form of a firewall policy tool that is more flexible than this is.


You can contact me at <jhardin@wolfenet.com>. I'd like to hear your comments and suggestions, and particularly your problems with this utility. You can also visit the current version of this document, and take a look at my home page...

Disclaimer: If you're protecting critical information, do not blindly trust the firewall configuration file that this tool produces!



© 1999 by John Hardin. You may copy this page as long as the content is unchanged (you can change the formatting to fit your site if you want) and the link to the original page is left intact.
$Id: ipfwadm.html,v 1.92 1999-03-13 21:46:21-08 jhardin Exp jhardin $