Using fw.rule

This command uses various options to manipulate the firewall application's packet filtering rules. You can change the action or service or both by writing new rules, deleting old rules, and moving rules to the position that you want. Use fw.rule to:

• Add a rule with a new action (ALLOW or DENY) or a different service or both. ALLOW means permit the packet that meets the qualifications in the rule through. DENY means reject the packet. You also add new port numbers with this command.

• Delete a rule from the list of rules.

• List the ordered rules governing the firewall application or to list the interface that the firewall application is using.

• Move a rule from one position to another in the ordered list of rules, thus changing the order in which it will take effect.

Services and Service Groups

The basic firewall application is shipped with a number of predefined network services, such ftp, telnet, dns, and rsh, as well as predefined service groups.

Standard Services

Besides the basic services, every TCP/IP implementation provides services such as echo, discard, daytime, chargen, and time. Each service use a state engine, a sort of protocol checker. For example, the FTP state engine checks port numbers when the ftp service is being used.

Service Groups

In addition to the basics services, the basic firewall application is shipped with predefined service group. One such group, for example, is common services, which consists of tcp traffic on port 0 to 3850 or port 3855 to 65535, udp traffic on all ports, syslog, dns, rpc, nfs, icmp, route, ftp, rsh, real audio, pmap udp all, nis, archie, traceroute, and ping.

To List the Services

1. Type the following to list the services:

   # fw.rule list service

   You use this command with the option list service to list the available services and with the option list interface to list the interface that the firewall application is using.

To Add a Port

1. As root, type the following to add a new port:

   # fw.rule add ALLOW port-number from host to host

This rule allows to add a new port from a remote host to a local host. if a service is not defined, tcp is the service used. If the new port is not in the services file, it is added.

For example, if you use this rule to add port 3000 from a-remote-host to ALL, a new tcp service on port 30000 is added to the service table and the i-Planet gateway would accept communication on port 30000 from a named remote host.

Rules

The configurations for the basic firewall application are based on sets of ordered rules. The default rules that are installed with the basic firewall establish a security policy that works well with i-Planet. These rules specify the action to be taken for services between two addresses that are on different interfaces of the firewall.

To List the Rules

1. As root, type the following to list the rules:

   # fw.rule list rule

   The rules (in this case, the default rules) are listed in the order in which they examine incoming packets.

   1 ALLOW "ssl" from "le0" to "localhost" 2 ALLOW "common services" from "localhost" to "*" 3 ALLOW "rip" from "*" to "*"

To Add a Rule

1. As root, type the following to add a rule:

   # fw.rule add ALLOW service from host to host

This rule allows you to add a service from a named remote host to a local host. Use the list option to see the new list of rules.

To Delete a Rule

1. As root, type the following to delete a rule:

   # fw.rule delete 4

Rule number 4 is deleted. Use the list option to see the new list of rules.

To Move a Rule

1. As root, type the following to move a rule:

   # fw.rule move 5 4

Rules 5 and 4 are reordered. Use the list option to see the new ordering.