Freerunner Firewall

Joel Newkirk freerunner at newkirk.us
Wed Sep 17 07:59:37 CEST 2008


For anyone interested, I've posted two articles on my blog (I hate blogs)
regarding firewalling on the Freerunner -
http://jthinks.com/freerunner-simple-firewall and
http://jthinks.com/freerunner-advanced-firewall - that link to the required
package(s) and include the scripts and support to firewall your Freerunner,
as well as explaining some concepts and options including NAT & FORWARD to
use the Freerunner as a gateway for another computer.

Note that by default, only three ports apparently are open on OM2008 -
TCP22 (SSH), TCP111 (rpcbind/portmap) and possibly TCP6000 (remote X11 -
I've seen it open before but it's not right now, on OM2008.8-update on my
Freerunner), so firewalling of the default system doesn't gain much.
('netstat -ln' to see what ports YOUR Freerunner is listening on)

The gist of the 'freerunner-simple-firewall' article is a script that lives
in /etc/init.d and on startup (or manual invocation) installs a set of
firewall rules using the netfilter firewalling support in the Linux 2.6.x
kernel.  The 'simple' firewall requires only the iptables binary, which can
be obtained from either
http://www.angstrom-distribution.org/feeds/2008/ipk/glibc/armv4t/base/iptables_1.3.8-r4_armv4t.ipk
or http://newkirk.us/om/iptables_1.4.2-rc1_armv4t.ipk - the ipk on my site
excludes ip6tables (ipv6 firewall control - packaged separately by me but
bundled with iptables in Angstrom feed) but includes the iptables-save and
iptables-restore binaries (actually symlinks to the iptables-multipurpose
binary, whereas those two binaries are a separate package in the Angstrom
feed called 'iptables-utils') plus includes the script and ruleset
incorporated in the 'freerunner-advanced-firewall' article.

For anyone who wants to firewall their Freerunner but isn't interested in
reading the articles, you can either install my ipk, or install the
Angstrom ipk plus the script attached to this message, which should be
placed in /etc/init.d/iptables and then configured to run just after
networking is started with 'update-rc.d iptables defaults 42'.  (note that
I do NOT currently have a feed set up, you can install with 'opkg install
http://newkirk.us/om/iptables_1.4.2-rc1_armv4t.ipk' or download and install
locally).  Using my ipk results in the 'advanced firewall' while the
attached script plus the Angstrom ipk results in the 'simple firewall' -
rulesets are essentially the same, but management (i.e., adding rules) is
easier with the 'advanced' solution.

Enjoy your pocket protector.

j

PS - the scripts and rulesets are released free of copyright - do with them
as you will.  The two articles themselves are copyrighted, but I hereby
declare an explicit exception for any portions of them to be incorporated
into the Openmoko wiki if that is desirable, understanding that they will
then fall under the license (or non-license) applicable to the wiki
contents.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: iptables
Type: application/octet-stream
Size: 1806 bytes
Desc: not available
Url : http://lists.openmoko.org/pipermail/community/attachments/20080917/0acf3c7d/attachment.obj 
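The attached script was scrubbed from the archive. As an added example (not Joel's script and not code from the linked articles), here is a minimal /etc/init.d/iptables in the shape the message describes: a default-deny INPUT chain that keeps only SSH (TCP 22) reachable, loopback and reply traffic allowed, and start/stop/status actions so it can be run at boot via 'update-rc.d iptables defaults 42' or by hand. Assumptions not in the post: the kernel has the conntrack 'state' match and the LOG target built in or as modules, the iptables binary lives at /usr/sbin/iptables (overridable with $IPTABLES, so IPTABLES=echo gives a dry run), and the SSH port is overridable with $SSH_PORT.

```shell
#!/bin/sh
# /etc/init.d/iptables - minimal host firewall for an OM2008 Freerunner.
# Added example, not the script attached to the original post.
# Assumptions (not from the post): conntrack 'state' match and LOG target
# available in the kernel; iptables at /usr/sbin/iptables unless $IPTABLES
# overrides it (IPTABLES=echo prints the rules instead of applying them).

IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
SSH_PORT="${SSH_PORT:-22}"

# Emit the ruleset, one iptables argument list per line.
# INPUT/FORWARD default to DROP; OUTPUT stays open so the phone can still
# fetch packages and sync. Order matters: lo and ESTABLISHED first so
# replies to our own connections never hit the DROP policy.
rules() {
    cat <<EOF
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix fw-drop:
EOF
}

# Open everything and clear all chains; used by stop and before a reload
# so re-running start never duplicates rules.
flush() {
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F
    $IPTABLES -X
}

# Apply the ruleset; stop at the first rule iptables rejects so a typo
# does not leave a half-applied policy (the DROP policy is set first, so
# a failure here fails closed rather than open).
start() {
    flush
    rules | while read -r rule; do
        # word-splitting of $rule is intended: each line is an argv
        $IPTABLES $rule || {
            echo "iptables: failed on: $rule" >&2
            exit 1
        }
    done
}

status() {
    $IPTABLES -L -n -v
}

# No action given (e.g. script sourced for testing): do nothing.
case "${1:-}" in
    start|restart) start ;;
    stop)          flush ;;
    status)        status ;;
    "")            ;;
    *) echo "Usage: $0 {start|stop|restart|status}" >&2; exit 1 ;;
esac
```

Install with 'cp iptables /etc/init.d/iptables && chmod 755 /etc/init.d/iptables && update-rc.d iptables defaults 42', then confirm with 'IPTABLES=echo sh /etc/init.d/iptables start' before applying it over SSH; if the ESTABLISHED rule were missing or mis-ordered, the first real run would cut off the session you are typing into.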