Copyright (C) 2000-2001, Jean-Sebastien Morisset
rcf - the most secure and complete ipchains Firewall for Linux.

This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation. This program is distributed in the hope that it
will be useful, but WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License (LICENSE file in archive) for more details.

************************************************************************
PLEASE SEE FOR PRIVATE AND COMMERCIAL USE.
************************************************************************

DESCRIPTION

rcf (aka rc.firewall) is an ipchains-based firewall with support for over
50 network service modules (including vtun, dhcp, nfs, smb, napster,
proxies, online games, etc.), masquerading, port forwarding, and ip
accounting. All services are self-contained modules which can be
prioritized in the ipchains stack. Protections include anti-spoofing,
stuffed routing/masquerading, DoS, smurf attacks, outgoing port scans, and
many more.

rcf also supports an unlimited number of public, private (masq'ed), dmz,
and mz (non-masq'ed) interfaces and their subnets. Access rules are
defined per interface and per dmz/mz server "cluster".

rcf is compatible with Red Hat, Slackware, Debian, Linux Router Project
(LRP), and many other distros. rcf is distributed under the General Public
License (GPL) terms.

UPGRADING

AUTOMATED

You can follow the automated installation instructions. Existing files
and directories will be saved with a "-yymmddHHMM" extension.

!!! WARNING !!!

Version 5.1+ introduces access rules on the firewall's private
interfaces. If you use telnet or ssh to reach your firewall through one
of its private interfaces, review the accept-{int}-telnet-clients and
accept-{int}-ssh-clients options for those interfaces before activating
the new rules, or you will lock yourself out.
5.x -> 5.1+

MANUAL

The /etc/firewall-modules directory has been changed to
/etc/firewall/modules.

MODULES

If you have written your own custom modules (and plan to use them for DMZ
clusters) you'll have to rename the $INTERFACE variables to $INTOPT. This
new variable contains the cluster information necessary to retrieve host
information. The first parameter to the Accept_Hostports function has
been changed to "local" or "remote" instead of $INTERFACE. The first
parameter ($INTERFACE variable) to the Forward_Hostports function has
been removed.

INSTALLATION

AUTOMATED

As root, execute make in the following order:

# umask 077
# make backup
# make install

You can append an installation prefix to the backup and install targets,
e.g. "make backup PREFIX=/usr/local/rcf". By default, all files and
directories are created from the root directory (/etc/firewall/,
/usr/man/, /sbin/rcf, etc.). The umask matters: the configuration and
module tree describes your network and access rules, and should not be
readable by unprivileged users.

MANUAL

Back up your /etc/firewall.conf, /sbin/rcf, and /etc/firewall directory.

Copy the ChangeLog, FAQ.html, INSTALL, LICENSE, and TODO files to
/usr/doc/rcf-5.2.1 (make sure the directory exists first).

Create the missing files and/or symbolic links in the distribution
directory.

# umask 077
# make all

Copy the function, group, module, and man page directories.

# tar --exclude CVS -cvf - ./etc ./usr/man/*/*.gz ./sbin \
    | tar -C / -xpf -

Clean up the temporary installation files.

# make clean

If your system has an /etc/rc.d directory, you'll probably want to add a
symbolic link for rcf.

# ln -s /sbin/rcf /etc/rc.d/rc.firewall

You could also set up some init scripts, call rcf from rc.local, or let
your dhcpcd client execute it when your IP address changes. A sample
startup script (named fwinit) has been included for Red Hat and Debian
users. Red Hat users can copy it to /etc/rc.d/init.d/firewall and create
symlinks in their startup directories.
# cp fwinit /etc/rc.d/init.d/firewall
# chkconfig --add firewall

To create the initial configuration file, execute rcf with the -uc
parameter, then edit the resulting /etc/firewall.conf file.

CONFIGURATION NOTES

Don't forget to review the accept-{pub}-dns-servers option. If you run a
DNS server on the firewall itself, you'll have to set your public
interface's option to "any/0", since the server will query arbitrary
hosts on the Internet. If you use your ISP's DNS, you can enter its IP
address here instead. If that DNS server doesn't support recursive
lookups, you'll have to use "any/0" as well.

PARAMETERS

A few command line arguments are available. Execute "rcf --help" (or "man
rcf") to view the summary.

LOG FILE

On several occasions you might wonder what traffic is being blocked --
to debug something, spot hacker activity, etc. I recommend you save the
syslog messages generated by ipchains to a separate log file. Add
something like this to your /etc/syslog.conf file:

kern.=info      /var/log/firewall/ipchains.log

then signal syslogd to reread its configuration (kill -HUP on its pid).
Note that this selector captures every kernel message logged at info
priority, not only ipchains entries, and that the log file reveals your
rules and addressing, so keep it readable by root only.

MODULES

rcf comes with an extensive list of modules which support the most common
services. If the service you need isn't listed in the configuration
file, check the /etc/firewall/modules/contrib directory for additional
user-contributed modules. You simply need to link the new module into the
same (relative) public or private sub-directory, then execute rcf with
the "--update-config" parameter. The new module's options will be added
to the configuration file. You can also shorten the time --update-config
takes to execute by removing module links in the public and/or private
directories.

If you'd like to try your hand at creating a new module, take a look at
the tcp-clients-template file under
/etc/firewall/modules/common/services/.

FAQ

The FAQ is available at .
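The two checks around the INSTALLATION and UPGRADING steps above, as an
added example written for this document (it is not part of the rcf
distribution): backup_with_stamp moves an existing file or directory
aside under the same "-yymmddHHMM" naming the installer uses, and
find_loose_perms lists files under a directory that are readable,
writable or executable by group or others. After "umask 077" and "make
install", running it over /etc/firewall should print nothing; every path
it does print is a file to chmod 600. The function and directory names
are the example's own.

```shell
#!/bin/sh
# Added example, not part of rcf.
#   backup_with_stamp PATH   move PATH to PATH-yymmddHHMM (no-op if absent)
#   find_loose_perms DIR     print regular files under DIR with any
#                            group/other permission bit set

backup_with_stamp() {
    # Only act when the path exists; print the backup name for the caller.
    [ -e "$1" ] || return 0
    stamp=$(date +%y%m%d%H%M)
    mv "$1" "$1-$stamp" && printf '%s\n' "$1-$stamp"
}

find_loose_perms() {
    # Read the mode string from "ls -ld" instead of relying on the
    # find -perm syntax, which differs between GNU and BSD find.
    # Characters 5-10 of the mode string are the group and other bits;
    # any r/w/x/s/t there means someone besides the owner has access.
    # (The last ls column is the path, so names with spaces are truncated.)
    find "$1" -type f -exec ls -ld {} \; |
        awk 'substr($1, 5, 6) ~ /[rwxst]/ { print $NF }'
}

# Usage:  ./check-install.sh /etc/firewall
if [ $# -gt 0 ]; then
    find_loose_perms "$1"
fi
```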
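To make the LOG FILE section above actionable, here is an added example
(written for this document, not shipped with rcf) that reads the
ipchains log produced by the syslog rule and ranks the sources of
DENY/REJECT packets by how many distinct destination ports they touched,
which is the simplest way to spot a port scan in that file. It relies
only on the kernel's fixed "Packet log:" line layout (chain, target,
interface, PROTO=, src:sport, dst:dport, ...). The sample log lines,
addresses, and function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of rcf.
#   scan_sources LOGFILE          -> "<src> <distinct dports> <packets>" per
#                                    source of DENY/REJECT packets, busiest first
#   flag_scanners LOGFILE [THR]   -> sources that hit at least THR (default 5)
#                                    distinct destination ports

scan_sources() {
    awk '
        /Packet log:/ {
            # Locate PROTO= so the syslog prefix length does not matter.
            base = 0
            for (i = 1; i <= NF; i++) if ($i ~ /^PROTO=/) { base = i; break }
            if (!base) next
            target = $(base - 2)             # chain is base-3, interface base-1
            if (target != "DENY" && target != "REJECT") next
            split($(base + 1), s, ":")       # src:sport (ICMP: src:type)
            split($(base + 2), d, ":")       # dst:dport (ICMP: dst:code)
            src = s[1]; dport = d[2]
            packets[src]++
            if (!((src, dport) in seen)) { seen[src, dport] = 1; ports[src]++ }
        }
        END {
            for (src in packets)
                printf "%s %d %d\n", src, ports[src], packets[src]
        }' "$1" | sort -k2,2nr -k3,3nr
}

flag_scanners() {
    scan_sources "$1" | awk -v thr="${2:-5}" '$2 >= thr { print $1 }'
}

# Constructed sample log (the addresses are documentation ranges); the
# function writes it to a temp file and prints the path.
write_sample_log() {
    f=${TMPDIR:-/tmp}/rcf-sample.$$
    cat >"$f" <<'EOF'
Jan  5 03:14:07 fw kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.7:40001 192.0.2.10:21 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#12)
Jan  5 03:14:07 fw kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.7:40002 192.0.2.10:22 L=60 S=0x00 I=2 F=0x4000 T=64 SYN (#12)
Jan  5 03:14:07 fw kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.7:40003 192.0.2.10:23 L=60 S=0x00 I=3 F=0x4000 T=64 SYN (#12)
Jan  5 03:14:08 fw kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.7:40004 192.0.2.10:25 L=60 S=0x00 I=4 F=0x4000 T=64 SYN (#12)
Jan  5 03:14:08 fw kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.7:40005 192.0.2.10:80 L=60 S=0x00 I=5 F=0x4000 T=64 SYN (#12)
Jan  5 03:14:09 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.4:5555 192.0.2.10:80 L=60 S=0x00 I=6 F=0x4000 T=64 SYN (#12)
Jan  5 03:14:09 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.4:5556 192.0.2.10:80 L=60 S=0x00 I=7 F=0x4000 T=64 SYN (#12)
Jan  5 03:14:10 fw kernel: Packet log: output ACCEPT eth0 PROTO=17 192.0.2.10:1024 203.0.113.1:53 L=34 S=0x00 I=8 F=0x0000 T=64 (#3)
Jan  5 03:14:11 fw kernel: Packet log: input DENY eth0 PROTO=1 203.0.113.9:8 192.0.2.10:0 L=84 S=0x00 I=9 F=0x0000 T=64 (#7)
EOF
    printf '%s\n' "$f"
}

# Usage:  ./scan-ipchains-log.sh /var/log/firewall/ipchains.log [threshold]
if [ $# -gt 0 ]; then
    scan_sources "$1"
    echo "--- sources at or above threshold ${2:-5}:"
    flag_scanners "$1" "${2:-5}"
fi
```

On the constructed sample the first line is "10.1.1.7 5 5": one host
probed five services with a single packet each, while 198.51.100.4
retried port 80 twice and the ICMP source touched one "port". The
ACCEPT line is ignored, so only blocked traffic is counted.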
MAILING LIST

If you need help, would like to know when new versions are released, or
want to contribute to the general evolution of this script, subscribe to
our mailing lists:

http://lists.mvlan.net/mailman/listinfo/rcf-users
http://lists.mvlan.net/mailman/listinfo/rcf-dev
http://lists.mvlan.net/mailman/listinfo/rcf-announce