.\" Automatically generated by Pandoc 1.17.2
.\"
.TH "FIREWALL" "1" "January 2019" "iptables configuration generator" "hostfw 0.6.4"
.hy
.SH NAME
.PP
firewall \- an easy to use front\-end to iptables
.SH SYNOPSIS
.PP
firewall [OPTIONS]
.SH DESCRIPTION
.PP
This utility is designed to generate iptables\-based rulesets quickly
and easily.
.PP
The default policy allows all outbound traffic and drops unsolicited
inbound traffic.
DHCP and a small set of ICMP types are also allowed inbound.
All other traffic is dropped.
.SH OPTIONS
.SS Script behavior.
.TP
.B \-q
Makes changes without displaying status messages.
.RS
.RE
.TP
.B \-s
Simulates actions, printing the iptables commands that would be run
instead of applying them.
Combine with \-q to produce a plain iptables script that can be reviewed
or saved.
.RS
.RE
.TP
.B \-S
Show rules after configuration.
.RS
.RE
.SS Absolutes.
.TP
.B \-A
Allows everything.
All other options are ignored.
.RS
.RE
.TP
.B \-D
Denies everything.
All other options are ignored.
.RS
.RE
.SS Ports
.TP
.B \-ot <...>
Only allow the specified TCP ports outbound.
Ports should be comma separated.
Example: 80,443
.RS
.RE
.TP
.B \-it <...>
Only allow the specified TCP ports inbound.
.RS
.RE
.TP
.B \-ou <...>
Only allow the specified UDP ports outbound.
.RS
.RE
.TP
.B \-iu <...>
Only allow the specified UDP ports inbound.
.RS
.RE
.SS Hosts
.TP
.B \-ih <file>
Limit inbound traffic to only the hosts specified in the file.
This affects all traffic except DHCP.
The file should consist of one IP or CIDR range per line.
.RS
.RE
.TP
.B \-oh <file>
Limit outbound traffic to only the hosts specified in the file.
.RS
.RE
.TP
.B \-tt
Automatically set rules based on the trusted and target host files.
Equivalent to \-ih /etc/trusted.hosts together with \-oh given a file
containing the contents of both /etc/trusted.hosts and /etc/target.hosts,
for example (using shell process substitution):
.RS
.PP
\-ih /etc/trusted.hosts \-oh <(cat /etc/trusted.hosts /etc/target.hosts)
.RE
.TP
.B \-eh <file>
Excludes the hosts listed in the file, even if they are also listed in
the target or trusted files.
.RS
.RE
.SS Other
.TP
.B \-r
Change the default action from DROP to REJECT, so that a host connecting
to a port that is not allowed is sent a TCP "reset" instead of receiving
no reply.
Note: REJECT gives a faster failure for legitimate clients but makes the
host's presence obvious to anyone scanning it; DROP is the quieter default.
.RS
.RE
.TP
.B \-p
Disable the general allow rule for inbound ICMP Echo Request (ping).
Note: this does not disable the host\[aq]s ability to respond, so hosts
that are otherwise allowed (for example, trusted hosts) will still
receive a response.
.RS
.RE
.TP
.B \-i
Accept all inbound ICMP types, rather than only the default subset.
.RS
.RE
.TP
.B \-d
Disable the DHCP rules.
If the host is configured with a static IP address, there is no need to
have those ports open.
Note: this also disables the host\[aq]s ability to act as a DHCP server.
.RS
.RE
.TP
.B \-l
Log all packets that match no allow rule and fall through to the default
action (dropped or rejected traffic).
.RS
.RE
.SH EXAMPLE
.PP
Only allow tcp/22 inbound (for example, to permit remote management of
the system over SSH).
.IP
.nf
\f[C]
#\ firewall\ \-it\ 22
\f[]
.fi
.PP
Only allow outbound connections to a proxy (tcp/8888) on a single
specific host (192.168.0.3).
.IP
.nf
\f[C]
#\ firewall\ \-oh\ <(echo\ 192.168.0.3)\ \-ot\ 8888
\f[]
.fi
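.PP
Added example (POSIX shell), not part of hostfw: the functions below
validate a hosts file of the form described under \-ih (one IPv4 address
or CIDR range per line) and emit an iptables script in the spirit of what
\-s \-q is documented to produce for \-it <ports> \-ih <file>: default
outbound allow, default inbound drop, DHCP and ICMP Echo Request
permitted, and the listed TCP ports accepted only from the listed hosts.
The exact rule wording, the use of conntrack and multiport, the temporary
files and the sample host entries are assumptions of this example, not
hostfw\[aq]s actual output.

```shell
#!/bin/sh
# Added example (not hostfw's code): validate a hosts file and emulate the
# kind of iptables script "firewall -s -q -it <ports> -ih <file>" describes.
# The rule set below is this example's own approximation of the documented
# policy, not what hostfw itself emits.

# Validate a hosts file: one IPv4 address or CIDR range per line; blank
# lines and '#' comments are ignored. Reports bad lines, returns 1 if any.
validate_hosts_file() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # strip comments
        line=$(printf '%s' "$line" | tr -d ' \t')     # and whitespace
        [ -z "$line" ] && continue
        # dotted quad, optional /0-32 prefix
        if ! printf '%s\n' "$line" | grep -Eq \
            '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'; then
            echo "bad entry: $line" >&2; bad=1; continue
        fi
        addr=${line%%/*}
        for o in $(printf '%s' "$addr" | tr '.' ' '); do   # each octet <= 255
            if [ "$o" -gt 255 ]; then
                echo "bad entry: $line" >&2; bad=1; break
            fi
        done
    done < "$1"
    return $bad
}

# Emit iptables commands: outbound allowed, unsolicited inbound dropped,
# DHCP client traffic and ICMP echo accepted, TCP ports $2 (comma
# separated) accepted only from the hosts listed in file $1.
generate_ruleset() {
    hosts_file=$1 ports=$2
    echo "iptables -P INPUT DROP"        # set policies before flushing so
    echo "iptables -P FORWARD DROP"      # there is no open window
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -F"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP"
    echo "iptables -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT"      # DHCP
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT"
    while IFS= read -r host || [ -n "$host" ]; do
        host=${host%%#*}; host=$(printf '%s' "$host" | tr -d ' \t')
        [ -z "$host" ] && continue
        echo "iptables -A INPUT -s $host -p tcp -m multiport --dports $ports" \
             "-m conntrack --ctstate NEW -j ACCEPT"
    done < "$hosts_file"
}

# Constructed sample inputs (assumptions of this example, written to temp
# files so the script runs offline); the second file is deliberately bad.
GOOD_HOSTS=$(mktemp); printf '192.168.0.0/24\n10.0.0.5   # bastion\n\n' > "$GOOD_HOSTS"
BAD_HOSTS=$(mktemp);  printf '192.168.0.0/24\n10.0.0.300\nfe80::1\n' > "$BAD_HOSTS"
trap 'rm -f "$GOOD_HOSTS" "$BAD_HOSTS"' EXIT

if validate_hosts_file "$GOOD_HOSTS"; then
    generate_ruleset "$GOOD_HOSTS" 22,443
fi
validate_hosts_file "$BAD_HOSTS" || echo "refusing to build rules from $BAD_HOSTS" >&2
```

.PP
Run as a script, it prints the generated rules for the first sample file
and reports the two malformed entries (an out\-of\-range octet and an IPv6
address) in the second.
Validating the file before handing it to \-ih or \-oh is worthwhile because
a stray hostname or IPv6 address in a list meant for IPv4 iptables rules
would otherwise surface only when the rules are applied.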
.SH AUTHORS
.IP \[bu] 2
Andrew Benson.
.IP \[bu] 2
Contributions from Austin Taylor, et al.
.SH COPYRIGHT
.PP
Copyright © 2016 Andrew Benson.
License: MIT