NAME
----

 aovfirewall - Angel Ortega's firewall script

SYNOPSIS
--------

 aovfirewall [-n] [start|stop|try|restart]

DESCRIPTION
-----------

This is the firewall script I use in all servers I maintain. It's designed
to be as simple as possible. In its default configuration, it drops all
incoming connections except for ssh (with a maximum of 5 connections per
minute), allows all outgoing connections, filters many kinds of malformed
packets, limits icmp pings and logs all rejected things (taking care of not
flooding logfiles).

If the `/etc/network/if-up.d' and `/etc/network/if-down.d' directories exist
(as on Debian systems) this script is also installed there, so touching the
file `/etc/network/interfaces' is no longer needed.

CONFIGURATION
-------------

The `/etc/aovfirewall.conf' file is processed if existent and can be used to set
any of the following shell variables:

 * ALLOW_TCP: A blank separated list of TCP services, ports or port ranges to
   which incoming connections will be allowed (default: ssh).
 * ALLOW_UDP: The same for UDP services (default: domain).
 * LIMIT_5MIN: A blank separated list of TCP services to be filtered to allow
   a maximum of 5 new connections per minute (default: ssh).
 * FORWARDING: If forwarding is wanted (default: no, values: 0/1).
 * NAT: If NAT is wanted (default: no, values: 0/1).
 * DHCP: If DHCP packets are allowed. If set, all DHCP packets are logged
   (default: no, values: 0/1).
 * ALLOW_NET: A blank separated list of networks that will be blindly
   accepted (default: none).
 * IFACE: The network interface (default: eth0).
 * LOG_CHAIN: The iptables chain that does logging. The only useful values
   here are LOG (the default) or ULOG. In the latter case, you'll need to
   have the `ulogd' server installed to receive any useful logging (this
   option is worth a look, as it confines all firewall logs without the
   need to tweak the settings in `/etc/syslogd.conf').
 * REDIRECT_TCP: A blank separated list of port=ip pairs that will be
   used as DNAT redirections (default: none).
 * REDIRECT_UDP: The same for UDP services (default: none).

EXAMPLES
--------

Copy and paste these examples to `/etc/aovfirewall.conf'.

For a desktop computer directly connected to Internet, static IP, with
only ssh remotely accessible (these are the defaults, so there is no real
need to create the configuration file):

	ALLOW_TCP="ssh"
	ALLOW_UDP="domain"
	LIMIT_5MIN="ssh"
	FORWARDING=0
	NAT=0
	DHCP=0
	ALLOW_NET=""

For a desktop computer directly connected to Internet, with an IP address
dynamically assigned by a DHCP server (as the ones in ADSL routers) on a
wireless connection, that has an smtp server and makes occasional BitTorrent
connections:

	ALLOW_TCP="ssh smtp 6881:6889"
	ALLOW_UDP="domain"
	LIMIT_5MIN="ssh"
	FORWARDING=0
	NAT=0
	DHCP=1
	ALLOW_NET=""
	IFACE=wifi0

For a home Linux firewall/router on the 192.168.1.* network, that does NAT,
has web and smtp servers and a DHIS client (that uses UDP), serves DHCP
leases (with dnsmasq(8) or similar), serves other network services to
the internal network (such as printing), and redirects BitTorrent and eMule
connections to an internal machine:

	ALLOW_TCP="ssh www smtp"
	ALLOW_UDP="domain 58800"
	LIMIT_5MIN="ssh"
	FORWARDING=1
	NAT=1
	DHCP=1
	ALLOW_NET="192.168.1.0/24"
	REDIRECT_TCP="6881:6889=192.168.1.48 4662=192.168.1.48"

For a server on the Internet, that serves all kinds of daemons and has the
`ulogd' daemon installed:

	ALLOW_TCP="ssh www https domain smtp imap2 ftp ftp-data"
	ALLOW_UDP="domain"
	LIMIT_5MIN="ssh smtp"
	FORWARDING=0
	NAT=0
	DHCP=0
	ALLOW_NET=""
	LOG_CHAIN="ULOG"
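To make the meaning of the ALLOW_TCP, LIMIT_5MIN and REDIRECT_TCP lists concrete, the following added illustration (not code from aovfirewall itself) takes the home router configuration above and prints the iptables rules such settings conventionally translate into; the exact rules the script generates, the chain layout and the interface name `eth0' are assumptions here.

```sh
#!/bin/sh
# Added illustration, not the aovfirewall script's own code: map the
# ALLOW_TCP / LIMIT_5MIN / REDIRECT_TCP lists from aovfirewall.conf onto the
# conventional iptables idioms for each setting. The rules are printed, not
# executed, so this runs without root and without iptables installed.

# Constructed sample config (the home router example from this page).
ALLOW_TCP="ssh www smtp"
LIMIT_5MIN="ssh"
IFACE=eth0
REDIRECT_TCP="6881:6889=192.168.1.48 4662=192.168.1.48"

# True when word $1 appears in the blank-separated list $2.
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# INPUT rules for ALLOW_TCP. A service also listed in LIMIT_5MIN gets a
# rate-limited ACCEPT (5 new connections per minute) followed by a DROP of
# whatever exceeds that rate. Service names and ranges such as 6881:6889 are
# passed through unchanged because iptables resolves both in --dport.
render_allow_tcp() {
    for s in $ALLOW_TCP; do
        if in_list "$s" "$LIMIT_5MIN"; then
            echo "iptables -A INPUT -i $IFACE -p tcp --dport $s -m conntrack --ctstate NEW -m limit --limit 5/min --limit-burst 5 -j ACCEPT"
            echo "iptables -A INPUT -i $IFACE -p tcp --dport $s -m conntrack --ctstate NEW -j DROP"
        else
            echo "iptables -A INPUT -i $IFACE -p tcp --dport $s -m conntrack --ctstate NEW -j ACCEPT"
        fi
    done
}

# DNAT rules for REDIRECT_TCP "port=ip" pairs: split each pair on '=' and
# forward the port (or range) to the internal address, plus the FORWARD
# rule the redirected traffic needs. A malformed pair (no '=') returns 1 so
# a typo in the config is caught before any rule is loaded.
render_redirect_tcp() {
    for pair in $REDIRECT_TCP; do
        port=${pair%%=*}
        ip=${pair#*=}
        if [ -z "$port" ] || [ -z "$ip" ] || [ "$port" = "$pair" ]; then
            echo "bad REDIRECT_TCP entry: $pair" >&2
            return 1
        fi
        echo "iptables -t nat -A PREROUTING -i $IFACE -p tcp --dport $port -j DNAT --to-destination $ip"
        echo "iptables -A FORWARD -i $IFACE -p tcp -d $ip --dport $port -j ACCEPT"
    done
}
```

Run `render_allow_tcp` and `render_redirect_tcp` from the shell to see the rule lines; pipe them through `sh` only once you have reviewed them against your real interface and chain layout.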

AUTHOR
------

*aovfirewall* has been written by Angel Ortega <angel@triptico.com>.

FILES
-----

 * /etc/aovfirewall.conf (configuration file).

SEE ALSO
--------

http://www.triptico.com/software/aovfirewall.html (aovfirewall home page).

LICENSE
-------

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License as
published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

See the GNU General Public License for more details.
