Step Four - PMFirewall

5. Step Four

A description from the homepage of PMFirewall on what PMFirewall is/does: "PMFirewall is an Ipchains Firewall and Masquerading Configuration Utility for Linux. It was designed to allow a beginner to build a custom firewall with little or no ipchains experience. This firewall should work for most Workstations, Servers and Dual NIC routers using either a dialup, DSL, Cable or LAN setup. It is restrictive to outside attacks while still being transparent to those inside. Autodetection of the IP Address and Netmask of each interface. Blocking of NetBIOS, NetBUS, Back Orifice and Samba attacks. Protection against IP Spoofing Attacks. Logging of DENY packets. Manipulation of TOS bits of the packet for optimizing transfers. You must have CONFIG_IP_ROUTE_TOS enabled in your kernel for this to be effective. Masquerading support is decided during install. Your own custom rules can be added to the pmfirewall.rules.local file."

I honestly started out trying to use "firewall" scripts I found all over the internet, but this software is truly amazing. It's not what most people think, which is: "Oh, it's a program that acts as a firewall.. well I don't want that!" Believe me when I tell you that this is only a script that writes IPCHAINS commands into a file. It is solely IPCHAINS based! You can add your own rules just as you please; it just "lays the foundation", so to speak.

Oh yeah, for people who have asked me questions on whether to REJECT or DENY, here is a basic answer:

When you REJECT something, a polite ICMP unreachable message is sent back to the sender.
When you DENY something, the offending packet is dropped silently, without any notice to the sender. That is good, because at first glance they will think your host does not exist.

5.1 Installing PMFirewall

Go to the directory where you downloaded the latest version of pmfirewall.

mv pmfirewall* /tmp

cd /tmp

tar -zxvf pmfirewall*

cd pmfirewall-1.1.4 (or whatever release you downloaded)

sh install.sh

Go through the installation script and set it up to suit your needs. If you have any questions, I have a logfile that you can look at while you are installing. Some of the entries in the logfile I added in myself, but I then went into the pmfirewall.rules.local file and commented them out with #. They are there so that, if you want to add something later and are unsure how, it's already in the file and you can just edit it. Editing something is ten times easier than making something new, especially if you are unfamiliar with IPCHAINS.

For convenience's sake, type:

cp /usr/local/pmfirewall/pmfirewall /usr/bin

This will allow you to type pmfirewall stop, pmfirewall start, or pmfirewall restart from anywhere.

5.2 Running PMFirewall

Okay, let's start the script up by typing:

pmfirewall start

5.2.5 Messed anything up?

As a last resort, if you have somehow damaged your config files and can't get pmfirewall installed, I keep mine on my website for when I destroy my system (on a monthly basis, at least):

pmfirewall (to copy to /usr/local/pmfirewall, or where you had pmfirewall installed)

pmfirewall.conf (to copy to /usr/local/pmfirewall, or where you had pmfirewall installed)

pmfirewall.rules.local (to copy to /usr/local/pmfirewall, or where you had pmfirewall installed)

5.3 Additional Tips, Tricks, and Solutions


I've had people ask me specifically how to get ICQ working. Here are the IPCHAINS commands (these are listed in my pmfirewall.rules.local file as well, FYI):


Keep in mind, for ICQ2000 and higher: apparently, the developers of AIM and ICQ would really like their product to work, regardless of your security policy. According to Ronald Atkinson, they accomplish this by first using a default port (TCP 5190 in this case), and then supporting an option to "auto-detect" ports. This "auto-detect" feature will actually scan various ports for access to the AOL/ICQ servers, such as telnet, ftp, DNS, discard, http, etc. It will then reconfigure the local ICQ client to run over that port instead of the default. In this way, ICQ can be automatically "tunneled" through any port you have allowed to leave your network.

In other words, if you have a version of ICQ BELOW 2000, this is how to get it to work:

# ICQ for clients UNDER ICQ2000
/sbin/ipchains -A input -p UDP -s icq.mirabilis.com -j ACCEPT
/sbin/ipchains -A input -i ppp3 -p TCP -s any/0 1024:65535 -d 192.168.0.1/24 50
/sbin/ipchains -A output -i ppp3 -p TCP -s 192.168.0.1/24 1024:65535 -d any/0 1


#Disabling ICQ2000 or higher.
$IPCHAINS -A input -i ppp3 -p tcp -s 152.163.243.0/24 1024:65535 -d $REMOTENET 1024:65535 -j DENY -l
$IPCHAINS -A input -i ppp3 -p tcp -s $REMOTENET 1024:65535 -d 152.163.243.0/24 1024:65535 -j DENY -l
$IPCHAINS -A input -i ppp3 -p udp -s 152.163.243.0/24 1024:65535 -d $REMOTENET 1024:65535 -j DENY -l
$IPCHAINS -A input -i ppp3 -p udp -s $REMOTENET 1024:65535 -d 152.163.243.0/24 1024:65535 -j DENY -l

And if you want to speed up ftp and telnet (this should already be in pmfirewall.rules.masq):


#speed up telnet and ftp..

/sbin/ipchains -A output -p tcp -d 0.0.0.0/0 telnet -t 0x01 0x10
/sbin/ipchains -A output -p tcp -d 0.0.0.0/0 ftp -t 0x01 0x10
/sbin/ipchains -A output -p tcp -s 0.0.0.0/0 ftp-data -t 0x01 0x08

And if you can't get services working behind your server, try any of these:


## If you choose to load these modules, issue this command first, then load any of the modules.

/sbin/depmod -a >/dev/null 2>&1

## Modules to help certain services

/sbin/modprobe ip_masq_ftp >/dev/null 2>&1
/sbin/modprobe ip_masq_raudio >/dev/null 2>&1
/sbin/modprobe ip_masq_irc >/dev/null 2>&1
/sbin/modprobe ip_masq_icq >/dev/null 2>&1
/sbin/modprobe ip_masq_quake >/dev/null 2>&1
/sbin/modprobe ip_masq_user >/dev/null 2>&1
/sbin/modprobe ip_masq_vdolive >/dev/null 2>&1

Using DSL, and can't seem to get your firewall connected?

Thanks to Gaccm for informing me that if you have PPPoE DSL (he's only tested with rp-pppoe, so he doesn't know whether anything else causes problems), you need to change a line in your pmfirewall.conf:

change the OUTERIF=eth0 to OUTERIF=ppp0


Allowing Napster (experimental for now)

Option 1:

/sbin/ipchains -A input -i $OUTERIF -p tcp -s any/0 1024:65535 -d $OUTERIP 6699 -j ACCEPT
/sbin/ipchains -A output -i $OUTERIF -p tcp -s $OUTERIP 1024:65535 -d any/0 1024:65535 -j ACCEPT

Option 2:

Okay, here's another workaround; it seems to work excellently. Download this file (ipmasqadm-0.4.2-4.i386.rpm) first.

Install ipmasqadm:

rpm -ivh ipmasq*

Load up your favorite editor (I use pico just because it's fast and easy):

pico /usr/local/pmfirewall/pmfirewall.rules.local

and add these lines:


IPMASQADM=/usr/sbin/ipmasqadm
$IPMASQADM portfw -a -P tcp -L $OUTERIP 6699 -R 192.168.0.0 6699

Restart pmfirewall (pmfirewall restart), then disconnect from and reconnect to Napster on your Windows box, and it should work a *lot* better! I have been told that newer versions of Napster (beta 6 and up) basically find any acceptable port on their own. But, as I keep reminding my brother, who keeps complaining to me that "Napster doesn't work!": we are configured properly, but the other side may not be. There could be a lot of reasons, but one of the main ones is probably that the other end-user is behind a firewall that does not allow Napster traffic.


Disabling "ping floods"


### BLOCK ICMP ATTACKS
#
#-----INCOMING-------
#
#echo reply (pong)
$IPCHAINS -A input  -p icmp --icmp-type  0 -j ACCEPT
#destination unreachable
$IPCHAINS -A input  -p icmp --icmp-type  3 -j ACCEPT
#source quench
$IPCHAINS -A input  -p icmp --icmp-type  4 -j ACCEPT
#time to live (TTL) for traceroute
$IPCHAINS -A input  -p icmp --icmp-type 11 -j ACCEPT
#now deny all other INCOMING icmp packets
$IPCHAINS -A input  -p icmp -j DENY -l
#
#-----OUTGOING------
#
#destination unreachable
$IPCHAINS -A output -p icmp --icmp-type  3 -j ACCEPT
#source quench
$IPCHAINS -A output -p icmp --icmp-type  4 -j ACCEPT
#echo request (ping)
$IPCHAINS -A output -p icmp --icmp-type  8 -j ACCEPT
#now deny all other OUTGOING icmp packets
$IPCHAINS -A output -p icmp -j DENY -l
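The -l on the two DENY rules above makes the kernel log every ICMP packet it drops, and that log is what lets you tell a real ping flood from the usual background noise. The following is an added example, not part of PMFirewall or of this page's rules: a small POSIX sh/awk script that counts "input DENY" ICMP entries per source address and ICMP type and reports the ones at or above a threshold, busiest first. It assumes the ipchains kernel log layout ("Packet log: <chain> <target> <iface> PROTO=<n> <src>:<type> <dst>:<code> ..."), where for PROTO=1 the two port positions carry the ICMP type and code; the sample lines are constructed, using documentation-range addresses, and are not a real capture.

```shell
#!/bin/sh
# Added example (not from PMFirewall): summarise the ICMP packets that the
# "-j DENY -l" rules logged, per source address and ICMP type.
# Assumed log layout (ipchains, kernel 2.2):
#   ... Packet log: <chain> <target> <iface> PROTO=<n> <src>:<type> <dst>:<code> ...
# For PROTO=1 (ICMP) the port positions hold the ICMP type and code.

# icmp_deny_summary [MIN]: read syslog lines on stdin and print
# "COUNT SRC type=T" for every source/type seen at least MIN times on the
# input chain, most frequent first.
icmp_deny_summary() {
    min=${1:-1}
    awk -v min="$min" '
        /Packet log: input DENY / && / PROTO=1 / {
            for (i = 1; i <= NF; i++)
                if ($i == "PROTO=1") {
                    split($(i + 1), src, ":")   # "a.b.c.d:type"
                    n[src[1] " type=" src[2]]++
                    break
                }
        }
        END { for (k in n) if (n[k] >= min) print n[k], k }
    ' | sort -rn
}

# Constructed sample of what /var/log/messages might hold after the ICMP rules
# above are loaded: three echo requests from one host, one from another, one
# unrelated TCP drop, and one outgoing echo reply dropped by the output rule.
sample_log() {
    cat <<'EOF'
Jan  1 00:00:01 gw kernel: Packet log: input DENY ppp0 PROTO=1 203.0.113.9:8 198.51.100.7:0 L=84 S=0x00 I=30112 F=0x0000 T=51 (#5)
Jan  1 00:00:01 gw kernel: Packet log: input DENY ppp0 PROTO=1 203.0.113.9:8 198.51.100.7:0 L=84 S=0x00 I=30113 F=0x0000 T=51 (#5)
Jan  1 00:00:02 gw kernel: Packet log: input DENY ppp0 PROTO=1 203.0.113.9:8 198.51.100.7:0 L=84 S=0x00 I=30114 F=0x0000 T=51 (#5)
Jan  1 00:00:02 gw kernel: Packet log: input DENY ppp0 PROTO=1 192.0.2.44:8 198.51.100.7:0 L=84 S=0x00 I=4410 F=0x0000 T=112 (#5)
Jan  1 00:00:03 gw kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.44:3302 198.51.100.7:139 L=60 S=0x00 I=4411 F=0x4000 T=112 (#12)
Jan  1 00:00:03 gw kernel: Packet log: output DENY ppp0 PROTO=1 198.51.100.7:0 203.0.113.9:0 L=84 S=0x00 I=5 F=0x0000 T=64 (#9)
EOF
}

# Usage: "sh icmp_summary.sh demo" runs it over the built-in sample; on a real
# box, pipe the log in instead:  icmp_deny_summary 50 < /var/log/messages
if [ "${1:-}" = demo ]; then
    sample_log | icmp_deny_summary 2
fi
```

With the sample and a threshold of 2 only the repeat offender shows up ("3 203.0.113.9 type=8"); the TCP drop and the outgoing echo reply are ignored because the script only looks at ICMP on the input chain. On a real log, raise the threshold to whatever rate is unusual for your link, and remember the count is only as good as the logging rule, so a host that is not matched by a "-l" rule will never appear here.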

How do I Forward a port in IPCHAINS?

Download this file (ipmasqadm-0.4.2-4.i386.rpm) first.

Install ipmasqadm:

rpm -ivh ipmasq*

load up your favorite editor (I use pico just because it's fast and easy)

pico /usr/local/pmfirewall/pmfirewall.rules.local

and add these lines (note, you can use this same syntax in ANY firewall script!):


IPMASQADM=/usr/sbin/ipmasqadm
#Okay, we've added an alias, now let's do some portforwarding
#First example, we will forward from our $OUTERIP on port 6699
#and (-R)redirect it to 192.168.0.2 on port 6699
$IPMASQADM portfw -a -P tcp -L $OUTERIP 6699 -R 192.168.0.2 6699
#Second example, we will forward from our $OUTERIP on port 51210
#and (-R)redirect it to our NETWORK address (ie. 192.168.0.0) on port 51210
$IPMASQADM portfw -a -P tcp -L $OUTERIP 51210 -R 192.168.0.0 51210
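The ACCEPT pair used for ICQ and for Napster "Option 1" above, and the portfw lines here, all follow the same template; what usually goes wrong when adding one by hand is a mistyped port or address that the tools accept silently as something else. As an added example (not PMFirewall's code and not from this page's rules.local), here is a POSIX sh helper that builds those commands from a few parameters and refuses a bad port or address before anything is applied. Assumed, not from the page: the OUTERIF/OUTERIP defaults, and that the output rule only needs to match replies sourced from the service port, which is narrower than the 1024:65535 source range the Napster pair uses. Setting IPCHAINS=echo and IPMASQADM=echo makes it print the commands instead of running them, which is a handy way to review a rules.local change before a restart.

```shell
#!/bin/sh
# Added example (not from PMFirewall): helpers that emit the same ipchains and
# ipmasqadm commands this page adds by hand, with the arguments checked first.
# Set IPCHAINS=echo IPMASQADM=echo to print the commands instead of running them.
IPCHAINS=${IPCHAINS:-/sbin/ipchains}
IPMASQADM=${IPMASQADM:-/usr/sbin/ipmasqadm}
OUTERIF=${OUTERIF:-ppp0}           # assumed outside interface
OUTERIP=${OUTERIP:-198.51.100.7}   # assumed outside address (documentation range)

# valid_port NUM: succeed only if NUM is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 ADDR: succeed only if ADDR is four dotted decimal octets, each 0..255
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|'') return 1 ;;
    esac
    [ "$(echo "$1" | tr '.' '\n' | grep -c .)" -eq 4 ] || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# allow_tcp_service PORT: accept connections from anywhere to $OUTERIP:PORT on
# the outside interface, plus the replies, as the Napster "Option 1" pair does
# (assumption: replies are matched on the service port only).
allow_tcp_service() {
    valid_port "$1" || { echo "allow_tcp_service: bad port '$1'" >&2; return 1; }
    "$IPCHAINS" -A input  -i "$OUTERIF" -p tcp -s any/0 1024:65535 -d "$OUTERIP" "$1" -j ACCEPT &&
    "$IPCHAINS" -A output -i "$OUTERIF" -p tcp -s "$OUTERIP" "$1" -d any/0 1024:65535 -j ACCEPT
}

# forward_tcp_port PORT INNER_IP: ipmasqadm portfw from $OUTERIP:PORT to
# INNER_IP:PORT, the same shape as the two portfw examples on this page.
forward_tcp_port() {
    valid_port "$1" || { echo "forward_tcp_port: bad port '$1'" >&2; return 1; }
    valid_ipv4 "$2" || { echo "forward_tcp_port: bad address '$2'" >&2; return 1; }
    "$IPMASQADM" portfw -a -P tcp -L "$OUTERIP" "$1" -R "$2" "$1"
}

# Usage: "sh rules_helper.sh demo" prints what would be applied, without applying it.
if [ "${1:-}" = demo ]; then
    IPCHAINS=echo IPMASQADM=echo
    allow_tcp_service 6699
    forward_tcp_port 51210 192.168.0.2
fi
```

Because every rule goes through one function, the port and address checks run before ipchains or ipmasqadm ever see the arguments, and a typo fails loudly at "pmfirewall restart" instead of quietly opening or forwarding the wrong thing.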

Allowing Diablo II through with ipmasqadm (thanks to Taylor)

First go back here to see how to install ipmasqadm if you don't have it and how to use it through your firewall scripts.


$IPMASQADM autofw -A -v -r tcp 4000 4000 -c tcp 4000
$IPMASQADM autofw -A -v -r udp 4000 4000 -c tcp 4000



If you have anything else that you have done to get any programs, games, or hardware (such as Cable Modems, DSL, etc) working through your firewall using IPCHAINS, please email me and I will update this page with your information provided.

