~ubuntu-branches/ubuntu/trusty/uruk/trusty-proposed

« back to all changes in this revision

Viewing changes to man/uruk.azm

Committer: Bazaar Package Importer
Author(s): Joost van Baal
Date: 2005-10-30 18:44:05 UTC
Revision ID: james.westby@ubuntu.com-20051030184405-18qmgrz4vzlw589a

Tags: upstream-20051027

Import upstream version 20051027

files added:

AUTHORS

COPYING

ChangeLog

ChangeLog.2003

INSTALL

Makefile.am

Makefile.in

NEWS

README

THANKS

TODO

VERSION

VERSION.m4

acinclude.m4

aclocal.m4

bootstrap

configure

configure.ac

doc/Makefile.am

doc/Makefile.in

doc/default

doc/rc

init

init/Makefile.am

init/Makefile.in

init/uruk.in

install-sh

man/Makefile.am

man/Makefile.in

man/include.zmm.in

man/uruk-rc.azm

man/uruk-save.azm

man/uruk.azm

missing

script

script/Makefile.am

script/Makefile.in

script/uruk-save.in

script/uruk.in

setversion

stamp.day

stamp.month

stamp.year

Show diffs side-by-side

added added

removed removed

man/uruk.azm

\: vim:syntax=tex

\: this file maintained using arch at http://arch.gna.org/uruk/

\: this is a manpage in zoem format. see http://micans.org/zoem/ and man_zmm(7)

\def{"man::synstyle"}{long}

\def{"man::defstyle"}{long}

\import{man.zmm}

\import{./include.zmm}

\set{"man::name"}{uruk}

\set{"man::html-title"}{uruk}

\set{"man::section"}{8}

\"man::preamble"

\${html}{\"man::maketoc"}

\sec{name}{NAME}

\NAME{uruk}{wrapper for Linux iptables, for managing firewall rules}

\sec{synopsis}{SYNOPSIS}

\par

\uruk

\sec{description}{DESCRIPTION}

\uruk loads an \rc file (see \sibref{uruk-rc}{uruk-rc(5)}) which defines

network service access policy, and invokes \bf{iptables(8)} to set up firewall

rules implementing this policy. By default the file \ttrcpath is used; one can

overrule this by specifying another file in the URUK_CONFIG environment

variable. Under some circumstances, it's useful to use another command for

iptables; this can be achieved by setting the URUK_IPTABLES (and/or

URUK_IP6TABLES) environment variables. See \sibref{uruk-rc}{uruk-rc(5)} for

details.

\sec{quick setup guide}{QUICK SETUP GUIDE}

Uruk will \it{not} "just work" out of the box. It needs manual configuration.

For those of you who don't like reading lots of documentation:

\verbatim{\

# cp \expath \rcpath

# vi \rcpath

# /etc/init.d/uruk start}

\sec{getting started}{GETTING STARTED}

Once the \uruk script is installed, you want to go use it, of course. We'll

give a detailed description of what to do here.

\par

First, create an \rc file. See \sibref{uruk-rc}{uruk-rc(5)} for info on how to

do this. Once this file is created and installed (this script looks in

\ttrcpath by default), you're ready to run \uruk. You might want to test your

\rc file by running \uruk in debug mode, see \sibref{uruk-rc}{uruk-rc(5)}.

\cpar{Vanilla iptables}

After editing \rc, load your rules like this. First flush your current rules:

\verbatim{\

# iptables -F}

Then enable your \rc rules

\verbatim{\

# uruk}

. Inspect the rules by doing:

\verbatim{\

# iptables -L}

If you want to make these changes survive a reboot, use the init script as

shipped with this package. If you'd rather write your own init script, the

\bf{iptables-restore(8)} and \bf{iptables-save(8)} commands from the iptables

package might be helpful.

\cpar{Using the Uruk init script}

Assumed is the Uruk init script is installed as explained in the README file.

Optionally, install /etc/default/uruk (or /etc/sysconfig/uruk) and tweak it.

An example file is in \tt{\defpath} (You might like to enable support for IPv6

rules, or for \uruk_save.) Now activate uruk by doing:

\verbatim{\

# \initpath start}

Now your pre-uruk iptables rules (if any) are saved as the "inactive" ruleset.

While executing \tt{\initpath start}, your box is open during a short while.

If you don't like this, read about \uruk_save.

\par

When rebooting, everything will be fine: \ttinitpath stores

state in \tt{\statepath/iptables}, using

100

iptables-save(8), which comes with Linux iptables.

101

102

103

\cpar{Using ifupdown}

104

105

In case you have just one network interface which should get protected, you

106

could use \bf{interfaces(5)} from the ifupdown package instead

107

of the init script:

108

109

\verbatim{\

110

# mkdir -p \statepath/iptables

111

112

# iptables -F

113

114

# iptables-save -c > \statepath/iptables/down

115

# uruk

116

# iptables-save -c > \statepath/iptables/up}

117

118

Add

119

120

\verbatim{\

121

pre-up iptables-restore < \statepath/iptables/up

122

post-down iptables-restore < \statepath/iptables/down}

123

124

to your interfaces stanza, in your \tt{/etc/network/interfaces} .

125

126

\par

127

128

However, beware! Uruk will fiddle with the global iptables rules. Some

129

default uruk rules affect \it{all} network interfaces.

130

131

132

\sec{loading a new rc file}{LOADING A NEW \rc FILE}

133

134

Need to change your rules?

135

136

\cpar{Using the Uruk init script}

137

138

139

140

\verbatim{\

141

# vi \rcpath

142

# \initpath force-reload}

143

144

While executing \ttinitpath force-reload, your box is open during a short

145

while. If you don't like this, read about \uruk_save.

146

147

\sec{using uruk-save as the initscript backend}{USING uruk-save AS THE INITSCRIPT BACKEND}

148

149

By default, \uruk_save is not used by the uruk init script. You might want to

150

use it, though. The \uruk_save script is faster and when using \uruk_save,

151

your box won't be open while loading new rules. But beware: \uruk_save is not

152

as robust as using \uruk itself. However, if you don't use any hooks in your

153

\rc file, you're save.

154

155

\par

156

157

The init script will use \uruk_save only if asked to do so in /etc/default/uruk

158

(or /etc/sysconfig/uruk). If this file features

159

160

\verbatim{\

161

162

enable_uruk_save=true

163

enable_uruk_save_warning=false}

164

165

\uruk_save is used whenever appropriate. The \tt{enable_uruk_save_warning}

166

variable controls whether a warning should get displayed whenever \uruk_save is

167

called.

168

169

See \sibref{uruk-save}{uruk-save(8)} for more details.

170

171

\sec{policy}{DEFAULT POLICY}

172

173

By default, \uruk drops packets which have unknown private network addresses in

174

their source or destination.

175

176

\par

177

178

By default, \uruk drops all ICMP packets with type other than

179

180

\begin{itemize}{

181

{contiguous}{1}

182

{compact}{1}

183

{type}{mark}

184

}

185

\item address-mask-reply

186

\item address-mask-request

187

\item destination-unreachable (this is a catch-all for a lot of types)

188

\item echo-request

189

\item echo-reply

190

\item parameter-problem (catch-all for ip-header-bad and required-option-missing)

191

\item timestamp-reply

192

\item timestamp-request

193

\item ttl-zero-during-transit

194

\item ttl-zero-during-reassembly

195

\end{itemize}

196

197

\par

198

199

By default, the FORWARD chain is left untouched, so has policy ACCEPT. (This

200

won't do much harm, since packet forwarding is disabled by default in the Linux

201

kernel. However, if you don't mind being paranoid, you might want to add a

202

203

\verbatim{\

204

iptables --policy FORWARD REJECT}

205

206

to your $rc_a uruk hook. See \sibref{uruk-rc}{uruk-rc(5)}.)

207

208

\par

209

210

By default, \uruk logs all UDP and TCP packets which are blocked by the user

211

defined policies. Loglevel is debug, logprefix is "iptables:". See

212

also the notes on \it{loglevel} in \sibref{uruk-rc}{uruk-rc(5)}.

213

214

\par

215

216

Blocked TCP packets are answered with a tcp-reset.

217

218

\sec{warning}{WARNING}

219

220

In order to keep the \uruk script small and simple, the script does very little

221

error handling. It does not check the contents of the \rc file in any way

222

before executing it. When your \rc file contains bogus stuff, \uruk will very

223

likely behave in unexpected ways. Caveat emptor.

224

225

\sec{environment}{ENVIRONMENT}

226

227

\uruk honors environment variables URUK_IPTABLES (\tt{/sbin/iptables} by

228

default) and URUK_CONFIG (\ttrcpath by default).

229

230

\sec{see also}{SEE ALSO}

231

232

\sibref{uruk-rc}{uruk-rc(5)}, The Uruk homepage is at

233

\httpref{http://mdcc.cx/uruk/} .

234

\par

235

\bf{iptables(8)}, \bf{iptables-save(8)},

236

\bf{iptables-restore(8)}, \httpref{http://www.netfilter.org/}

237

\: (no manpage online :( )

238

\: http://lists.mdcc.cx/mcl-devel/msg00297.html

239

\par

240

\bf{interfaces(5)}, \httpref{http://ifupdown.sourceforge.net/}

241

242

\sec{copyright}{COPYRIGHT}

243

244

245

246

247

248

\par

249

250

This program is free software; you can redistribute it and/or modify

251

it under the terms of the GNU General Public License as published by

252

the Free Software Foundation; either version 2 of the License, or

253

(at your option) any later version.

254

255

\par

256

257

This program is distributed in the hope that it will be useful,

258

but WITHOUT ANY WARRANTY; without even the implied warranty of

259

MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

260

GNU General Public License for more details.

261

262

\par

263

264

You should have received a copy of the GNU General Public License along with

265

this program (see COPYING); if not, check with

266

http://www.gnu.org/copyleft/gpl.html or write to the Free Software Foundation,

267

Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

268

269

\sec{author}{AUTHOR}

270

271

\"man::author"

272

273

\"man::postamble"

274

Older »