RCF (AKA rc.firewall) FAQ
Purpose: answer general questions on RCF. Provides a starting point
for more information/research.
"Being paranoid doesn't guarantee they're not after you to get you."
- Unknown
What is RCF (rc.firewall)?
What is this document all about?
How do I get RCF going?
I'm confused. How do I fill in the options?
I'm still confused. Could you show an example configuration?
Where do I get the latest version of RCF?
How do I upgrade from an earlier version?
How do I upgrade from rc.firewall to RCF without losing my config?
How can I run a script every time I connect and get a new IP address?
How can I see what RCF will do beforehand?
Which RCF man pages are available?
How can I determine which services to open?
How do I enable support for protocol XXXXX?
How do I open specific ports for my favorite game/application?
How do I open certain ports when RCF has already started?
How do I open all ports (i.e. tear down my firewall)?
How do I pass options to the modules to be loaded, e.g. ICQ?
How do I determine whether I have enough firewall rules?
How can I be certain I am hacker-proof?
How do I set up RCF to use my one ethernet card for both public and private traffic?
How do I enable support for IRC?
How do I enable support for pcAnywhere?
How do I enable support for ICQ?
How can I see what my firewall is doing?
What do all those syslog log entries mean?
How do I log the screen output of RCF?
How do I log the screen output of RCF to a file, instead of syslog?
What are those martians in my logs?
How do I set up a DMZ (De-Militarized Zone) using RCF?
What would an MZ config look like?
How do I set up VPN (Virtual Private Networking) using RCF?
How do I forward ports to a server on my internal LAN?
How can I determine what ports should be forwarded to a server on my internal LAN?
How do I protect Windows machines on my internal LAN from trojans?
How do I use iptables / kernel 2.4.x and RCF?
How can I pipe all commands RCF will be executing to a custom script tailored to my setup?
Is it possible that RCF slows down my connection?
How come protocol XYZ takes much longer when I use RCF?
How come my box runs out of memory/CPU time etc.?
How does the numbering scheme work (e.g. 110-modulename)?
How do I block SPAM with my firewall?
How do I block annoying ads (e.g. from doubleclick.net)?
How do I report a bug?
How do I contribute to the evolution of RCF?
How do I pose a question to a mailing list?
How do I unsubscribe from one of the mailing lists?
Why is nobody answering my question on the list?
- 5.1 Websites
RCF Homepage
HOWTO's
Linux Documentation Project (LDP)
Clarification of protocol/port/network numbers
Assessing your security
Host information
Other information
Sites where RCF is advertised
- 5.2 Mailing lists
The RCF mailing lists
Other, security- or firewall related mailing-lists
- 5.3 Newsgroups
What is RCF (rc.firewall)?
RCF (AKA rc.firewall) is an ipchains-based firewall with support for over 50 network services
(including vtun, DHCP, NFS, SMB, napster, proxies, online games, etc.), masquerading, port
forwarding, and IP accounting. All services are self-contained modules which can be prioritized
easily in the ipchains stack. Protections include spoofing, stuffed routing/masquerading, DoS,
smurf attacks, outgoing port scans, and many more. RCF also supports multiple public, private
(masqu'ed), dmz, and mz (non-masqu'ed) networks and interfaces. Access rules are defined per
interface and dmz/mz server groups.
What is this document all about?
"If all else fails, read the manual"
- Unknown
RCF is designed to be as user-friendly as a matter as complex as firewalling
can be. Nevertheless, it is possible you have questions about or
problems with it. This FAQ was made to assist you in times of need. I hope
no-one needs to read it. :-) Reality mostly proves otherwise: people who need
it generally don't read it.
Please read this document carefully before asking any of the authors or the
mailing list. It saves you a lot of RTFM (read the fine manual) answers.
People usually refer to this document or the man pages.
- Maintainer:
- Edwin ten Brink
- E-mail:
- For remarks on this document only edwin@privateer.student.utwente.nl.
PLEASE: Questions on RCF should be directed to the 'users' mailing list. You'll get more and better answers there, since I only collect experiences.
- Last revision date:
- April 3, 2001 (Version under development can be found in the dev directory)
- RCF version:
- 5.1.1
- License:
- GPL
- Homepage:
- http://rcf.mvlan.net/
- Thanks to:
- All people who posed questions... and those who provided answers.
This document will never be complete. Feedback, also positive, is highly
appreciated.
- Make sure you have configured your kernel properly
- Make sure you are running that kernel.
- Read the man pages:
- firewall.conf (5)
- firewall-groups (5)
- firewall-modules (5)
- rcf-groups (5)
- rcf-modules (5)
- rcf (8)
- rc.firewall (8)
- Enable all protocols you'll be needing (accept-[int]-[service]-[servers|clients])
- Read this entire document.
- Use all information quoted in the websites and documentation.
- Pose a question on the mailing list
- The latest version of this FAQ is available in the dev directory
- Q: RCF gives an error/warning.
- A: See the error messages for more details.
- Q: RCF generated a new firewall.conf for me but there are no variables in it!
- A: RCF determines all interfaces when it starts up. If you're
building a box, but don't have all the network interfaces installed yet
(ethernet cards, PPP links etc.), edit the firewall.conf file
and update the pub and pri interface variables with what you will have
on the completed machine. Then re-run '/sbin/rcf --update-config'.
This will create all the variables and interfaces, whether they exist yet or
not. As long as they're not installed, RCF will report that
they are down and remove them temporarily.
- Q: I'm unable to ping my box!
- A: Hosts which should be able to ping you can be put in the accept-[int]-ping-clients.
Pings and traceroutes are denied by default.
- Q: I can't do a traceroute or a portscan from the firewall. I get messages like this:
traceroute: sendto: Operation not permitted
- A: You're running in strict mode or higher. Outgoing portscans are only
allowed in open or relaxed mode. Since outgoing UDP traffic is blocked in
strict mode and higher, you can either switch to relaxed mode, or
use ICMP traceroute (traceroute -I HOST).
Note: relaxed mode in 5.0.1 doesn't allow outgoing UDP. Upgrade to 5.1b7 or later.
- Q: My favorite game/application doesn't work!
- A: See section 3 on how to make it work. And I really mean all of section 3.
- Q: I downloaded a custom port script and it doesn't work!
- A: You should have placed it in the correct directory. Then run RCF
with --update-config, change the generated /etc/firewall.conf to suit
your needs. Last but not least, restart the firewall. See again section 3.
Also look if RCF reports the script being loaded.
- Q: RCF hangs when I do an --update-config. I'm logged in via telnet or SSH to the firewall.
- A: Telnet connections mostly get lost, SSH pauses until the rules for SSH are set up.
Invoke RCF like this, so RCF will keep going even if you lose the connection:
nohup /sbin/rcf & tail -f nohup.out
- Q: RCF works fine when I start it by hand, but my computer hangs when I start it through
the initscripts when my computer boots. I'm using RedHat 6.1 or older (initscripts older than 5.0).
- A: RCF conforms to initscripts 5.0. You should upgrade your initscripts to 5.0 or better.
- Q: I can't get the virtual interfaces to work!
- A: It seems that the code is flawed at least up to 5.1b7. You should upgrade to a later version.
- Q: I can't get the DMZ stuff to work. I'm using RCF 5.0.1 or below.
- A: The DMZ support in 5.0.1 is broken, unfortunately. As of the development version 5.1b4
it was fixed, so the only possibility is to upgrade.
- Q: When I try to use the SMB module, I can't browse a Windows 2000 box from my backend
boxes, but I can connect to other Windows versions correctly.
- A: That's a limitation of Samba. There's a patch for Samba available.
- Q: It still doesn't work!
- A: If you still can't find the cause of your problem, after reading this
document, join & post a question to the mailing list,
But read this FAQ first!
Since RCF checks the safety of the environment before calling external programs, there
are some warnings you might get if your system is configured insecurely. Some other common
warnings and errors are listed in this chapter too.
- Your PATH variable contains relative directories (doesn't start with '/').
For security reasons, you should remove these directories from your PATH
permanently.
- Relative PATH entries, such as "." or "./bin", have proven to be security
risks, therefore RCF cannot accept them. As the warning says, the script
will strip those paths temporarily, but it is highly recommended to remove
them completely (e.g. in /etc/profile, /etc/bashrc, or wherever you set your
PATH on your system).
- Unable to locate XXXXX in any PATH directory!
- The binary XXXXX is missing! The named binary is needed for correct
functioning of your firewall, so make sure you install it, or extend your
PATH variable to include it, then re-run the script.
- The owners and/or permissions for XXXXX are incorrect.
Please execute the following commands:
chmod XXXXX
chown root:root XXXXX
- The firewall script should be protected from users who don't have any rights
to modify the rules. It is therefore required to set the permissions
accordingly, with the suggested statements.
- The /etc/firewall.conf file is missing - a new one will be created.
Edit this new configuration file and re-run the firewall script.
- This warning is self-explanatory. Review and edit the /etc/firewall.conf
file to suit your needs.
- Both /etc/firewall.conf and rc.firewall.conf exist!
The correct configuration file path is /etc/firewall.conf.
Please remove the old rc.firewall.conf file.
- rc.firewall-4.1 and earlier had a /etc/rc.d/rc.firewall.conf file. It is
moved to /etc/firewall.conf when upgrading to rc.firewall-5.0. When running
two different versions, you might get this message. Remove the old file, and
upgrade to the newest version.
- Version mismatch between script and configuration file! You must
execute RCF with the --update-config parameter to fix this problem.
Since all variables and options are backwards compatible, the script will
continue.
- A version check is performed to ensure you have the correct config file.
Make sure you upgrade your configuration, since new parameters may be added.
Don't forget to review your configuration before restarting!
- WARNING: Please enable XXXXX in your kernel!
- See chapter 4. How should I configure my kernel?
- The configuration file has moved to /etc/firewall.conf since version 5.0.
Moving rc.firewall.conf to /etc/firewall.conf...
- This one is self-explanatory. No intervention is needed.
- The rc.firewall.custom-ports file was renamed in version 5.0.
Moving rc.firewall.custom-ports to rc.firewall.custom-pub-ports...
- This one is self-explanatory. No intervention is needed.
- Removing XXXXX (down) Interface from INT_INTERFACES
- It seems that the specified internal interface is down. Make sure it's up
and execute the script again.
- Removing XXXXX (down) Interface from EXT_INTERFACES
- It seems that the specified external interface is down. Make sure it's up
and execute the script again.
- modprobe: Can't locate module XXXXX
- The specified module cannot be found. Modules are usually located in
/lib/modules/your_current_kernel_version/ipv4/
Make sure you compiled your kernel correctly (see chapter 4. How should I
configure my kernel?). Also, for ip_masq_icq you need to obtain, compile
and install a separate module, as explained in the firewall.conf file.
- Note: /etc/conf.modules is more recent than /lib/modules/(your kernel version)/modules.dep
- This is a message from modprobe. Apparently there's an inconsistency between those two
files.
- How do I get RCF going?
- Download the latest (stable) version of RCF for your architecture.
- Install it on your system.
- Plain tar file / Slackware
- Untar it.
- Run the install.sh script.
- For more info, or manual install, please refer to the installation notes.
- RedHat (RPM)
- rpm -U rcf-noarch-[version].rpm
- Edit the default config file (/etc/firewall.conf) to suit your needs.
- If you changed one or more of the security levels, you'll need to run RCF with
the --update-config parameter, some items will appear, others disappear.
- If necessary, edit the config file again to change the newly appeared settings.
- Start RCF.
- I'm confused. How do I fill in the options?
- First: You only need to fill in the options present. You don't have to create new ones.
If you add or remove interfaces, change the security level, or add new modules, execute
RCF with the --update-config parameter so it will update the options for you. You'll of course
need to review the config file.
Most of the options consist of this structure:
- accept / ignore / deny
The policy regarding this rule. Accept means to allow the entered host(s). Deny and ignore
allow you to set exceptions to the allowed hosts. So accept = x.y.z.0/255.255.255.0 and deny = x.y.z.3
allows all hosts in the x.y.z.0 network, except host x.y.z.3. The difference between deny and ignore
is the logging: deny may be logged, ignore won't be logged. If you don't run that particular service,
you don't need to enter any of those variables.
- interface
The interface (eth0, ppp0, ipsec0 etc.) for which this rule applies.
- service
The service it applies to. Obviously, http applies to www-traffic. You don't need to enter any
values for services you don't intend to use.
- servers / clients
Servers are hosts you're connecting to, from your firewall or backend hosts.
Clients are hosts that connect to your firewall.
Example 1:
You want to be able to surf the web, and don't want to be restricted in your movements (I assume
eth0 to be your public interface, it may be ppp0 or something else for you):
accept-eth0-http-servers = any/0
ignore-eth0-http-servers =
  deny-eth0-http-servers =
Example 2:
You're running a webserver on your box, which needs to be available for your company's subnets
(a.b.c.0/255.255.255.0 and x.y.0.0/255.255.0.0) only. Also, it shouldn't be available to the
subnet x.y.z.0/255.255.255.0, but we don't need logging of this.
accept-eth0-http-clients = a.b.c.0/255.255.255.0 x.y.0.0/255.255.0.0
ignore-eth0-http-clients = x.y.z.0/255.255.255.0
  deny-eth0-http-clients =
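The accept/ignore/deny evaluation described above, as an added Python example that is not part of RCF or this FAQ: it parses a constructed set of options (IP form only; hostnames are not resolved here) and reports which policy a given host falls under for one interface/service/role. The precedence used when a host appears in more than one list (deny before ignore before accept) and the 'nomatch' result for hosts named nowhere are assumptions of this example, not documented RCF behaviour.

```python
import ipaddress

# Constructed sample in the accept/ignore/deny option format described above.
# It is not a real /etc/firewall.conf.
SAMPLE_CONF = """
accept-eth0-http-clients = 192.168.1.0/255.255.255.0 10.0.0.0/16
ignore-eth0-http-clients = 10.0.5.0/24
  deny-eth0-http-clients = 192.168.1.3
accept-eth0-http-servers = any/0
ignore-eth0-http-servers =
  deny-eth0-http-servers =
"""


def parse_hosts(value):
    """Turn a space-separated host list into ip_network objects.

    Accepts CIDR (192.168.1.0/24), dotted-netmask (192.168.1.0/255.255.255.0),
    bare hosts (treated as /32) and the RCF keyword any/0.
    """
    nets = []
    for token in value.split():
        if token == "any/0":
            token = "0.0.0.0/0"
        nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def parse_conf(text):
    """Parse 'option = value' lines into {option: [networks]}; empty values give []."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        options[key.strip()] = parse_hosts(value.strip().strip('"'))
    return options


def policy_for(options, interface, service, role, host):
    """Return 'deny', 'ignore', 'accept' or 'nomatch' for one host.

    Assumption (not stated on the page): deny and ignore are exceptions and are
    checked before accept, deny taking precedence over ignore. 'nomatch' means
    no option named the host, so the interface's default policy would apply.
    """
    ip = ipaddress.ip_address(host)

    def listed(policy):
        key = "%s-%s-%s-%s" % (policy, interface, service, role)
        return any(ip in net for net in options.get(key, []))

    for policy in ("deny", "ignore", "accept"):
        if listed(policy):
            return policy
    return "nomatch"


if __name__ == "__main__":
    opts = parse_conf(SAMPLE_CONF)
    for host in ("192.168.1.3", "192.168.1.7", "10.0.5.9", "10.0.9.1", "172.16.0.1"):
        print(host, "->", policy_for(opts, "eth0", "http", "clients", host))
```

Running it shows 192.168.1.3 as the logged deny exception, 10.0.5.9 as the silently ignored exception inside the accepted 10.0.0.0/16, and 172.16.0.1 as a host no option mentions at all.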
- I'm still confused. Could you show an example configuration?
- Consider this setup (RCF 5.1). One external interface (eth0), two backends (eth1, eth2).
The firewall offers limited services (DNS, SMTP, SSH, POP3, FTP, SMB, Squid, Ident and
RC5 personal proxy). Entries which don't show up below are empty. The options
are listed in the order they appear in the config file.
We'll need to declare those interfaces:
public-interfaces = eth0
private-interfaces = eth1 eth2
Since the firewall itself offers almost no services (as it should), I'll be very strict
on security. Because users on my backend use some exotic configurations, it's very hard to
use paranoid mode on the external interface (though it's highly recommended).
public-interfaces-security = strict
private-interfaces-security = paranoid
- For the external interface, I need to enable some services.
- My backend users need this to join IRC channels.
accept-eth0-auth-clients = any/0
A contrib module to ignore all packets sent to the universal broadcast address
(255.255.255.255).
ignore-eth0-broadcast-clients = any/0
And I don't want to log DHCP info on my subnet
ignore-eth0-dhcp-clients = 130.89.0.0/16
Another contrib module (IP removed) to accommodate some external users who use my RC5 personal proxy.
accept-eth0-dnetproxy-clients = a.x.y.z
I'm running my own DNS server, so I'll need to accept the responses from outgoing queries.
accept-eth0-dns-servers = any/0
Sometimes I need to FTP something from my server when I'm not on my backend.
accept-eth0-ftpactv-clients = a.y.x.z
From the firewall and backend, I want to be able to initiate an FTP connection to any host
accept-eth0-ftpactv-servers = any/0
I only want my firewall to appear on my local subnet.
accept-eth0-ping-clients = 130.89.0.0/16
To be able to ICQ on my backend, I've set this port range. My clients are configured to take
a subrange, so each client can have its own ports forwarded:
accept-eth0-icqdirect-clients = any/0
accept-eth0-icqdirect-ports = 47101:47130
accept-eth0-icq-servers = 205.188.0.0/16
Sometimes I need to be able to read my mail externally:
accept-eth0-pop3-clients = a.x.y.z
To make use of file sharing, I want a number of hosts to be able to connect.
Since the list is too long to fit on one line, I decided to put them into a group file in the
groups directory (/etc/firewall/groups).
accept-eth0-smb-hosts = ./smb-hosts
I have a local mailserver, which needs to be able to deliver and receive my e-mail.
accept-eth0-smtp-clients = any/0
When I'm away, I may need to contact my server, so again one specific host is allowed.
accept-eth0-ssh-clients = a.x.y.z
Some annoying port 513 traffic should be ignored.
ignore-eth0-who-clients = any/0
This one is default. It ignores the IP's which are not officially in use (and therefore shouldn't
be used).
iana-reserved-networks = ./iana-reserved-networks
My backend users occasionally play Quake, so they can play wherever they want to.
accept-eth0-quake-servers = any/0
- Now I'll need to define the services the backend users can connect to
on the firewall. So this doesn't control the access to the outside!
Since I've set the security to paranoid, I need to open every service I need.
- From my first subnet, all boxes may connect to my RC5 proxy.
accept-eth1-dnetproxy-clients = 192.168.1.0/24
All boxes may use the DNS server.
accept-eth1-dns-clients = 192.168.1.0/24
accept-eth2-dns-clients = 192.168.2.0/24
Sometimes I want to connect from the firewall to an internal host.
accept-eth1-ftpactv-servers = 192.168.1.2
All boxes may ping the firewall internally. Mostly for testing purposes.
accept-eth1-ping-clients = 192.168.1.0/24
accept-eth2-ping-clients = 192.168.2.0/24
Sometimes I want to do a security sweep of my network. Therefore I have a Nessus server,
located on the firewall which sweeps the internal networks. This one is not permanently
active of course, since paranoid and strict mode do not allow portscans etc. The daemon
is off by default, started by hand when a sweep is to be made, and the internal security
lowered to open mode to allow the scan. Only one host is allowed to use it, since the sweep
contains exploits which may crash a box. Obviously, not many people may use it. :-)
accept-eth1-nessus-clients = 192.168.1.2
Only one host which makes use of the POP server.
accept-eth1-pop3-clients = 192.168.1.2
On the firewall I have a Squid proxy (mostly because it zaps the ads out of the web pages. ;-)
accept-eth1-proxy-clients = 192.168.1.0/24
accept-eth2-proxy-clients = 192.168.2.0/24
accept-eth1-proxy-ports = 3128
accept-eth2-proxy-ports = 3128
Internally, it's perfectly safe to use Windoze file sharing, and so we allow so for the
Windoze boxes.
accept-eth1-smb-hosts = any/0
accept-eth2-smb-hosts = any/0
The mailserver may be used by one subnet only.
accept-eth1-smtp-clients = 192.168.1.0/24
And we'll need to be able to log into the firewall from one box only.
accept-eth1-ssh-clients = 192.168.1.2
Here I assign the ICQ ports I want to forward to the different hosts (also see the section on
ICQ in chapter 3, Configuring for more information.) 10 ports per client seems to be on the high
side. Fewer ports per client (say, 5) should also work without any problems.
forward-eth0-tcp-hostports = 192.168.1.2 47101:47110, 192.168.2.13 47111:47120,
192.168.2.5 47121:47130
To make use of the protocols I've enabled on the public interface for my backend users, I'll
need some special modules. Also the timeouts are set to defaults. Note that I don't use the icq
masq module.
masq-modules = ftp irc quake
masq-timeouts = 7200 10 160
I want to forward both internal networks so they have outside access.
forward-eth0-masq-networks = 192.168.1.0/24 192.168.2.0/24
- Some miscellaneous things
- I don't run debug mode unless necessary.
debug = no
To keep track of traffic I've installed IPAC with some accounting rules. RCF starts them
automagically for me.
ipac-bindir = /usr/bin/scripts
- Where can I get the latest version of RCF?
- The latest stable version will be available at the homepage and at
Freshmeat.
If you feel the need to have the latest version, for development, or because
you need the state-of-the-art, you can download the development version at:
http://rcf.mvlan.net/dist/dev/
Be advised that the development version may contain bugs, doesn't function
correctly etc.
It is not recommended to run the development version on a production
machine!
The latest version of this FAQ can also be found in the development directory.
- How do I upgrade from an earlier version?
- Save the original RCF and its configuration file (just in case).
Execute the new RCF with the --update-config parameter. Review the
new configuration file (some options may have been added).
- How do I upgrade from rc.firewall to RCF without losing my config?
- You should first do an uninstall of rc.firewall before installing RCF.
To prevent the loss of your config file, use the following commands:
cp /etc/firewall.conf /etc/firewall.conf.old ; rpm -e rc.firewall ;
cp /etc/firewall.conf.old /etc/firewall.conf ; rpm -i rcf-[version].noarch.rpm
- How can I run a script every time I connect and get a new IP address?
- Put the script in /etc/ppp/ip-up. See the pppd(8) man page.
- How can I see what RCF will do beforehand?
- RCF has a test mode. Because the normal comments are piped to standard output, and the
commands are piped to standard error, the output is best viewed when RCF is invoked as follows:
/sbin/rcf --test 2>&1
- Which RCF man pages are available?
- firewall.conf (5)
- firewall-groups (5)
- firewall-modules (5)
- rcf-groups (5)
- rcf-modules (5)
- rcf (8)
- rc.firewall (8)
- How can I determine which services to open?
- The firewall.conf file lists several services you offer, or accept from
the public Internet. It's easy to get lost in it. Generally: If you don't
know what the specific service is, you don't need it. Specify no hosts,
just leave the quotes empty ("").
Look at your firewall logs if you don't know the host, protocol or port
number or can't find them in http://www.isi.edu/in-notes/iana/assignments/
- How do I enable support for protocol XXXXX?
- Enable all protocols you'll be needing by setting the accept-[int]-XXX-[servers|clients]
options accordingly. Hosts and networks can be in IP or hostname format; subnets may only be entered
in IP format (for example 192.168.1.0/24 or 192.168.1.0/255.255.255.0 for a class C
(private) network).
- How do I open specific ports for my favorite game/application?
- Since this script cannot possibly include every service out there, you can
easily create your own script with the example provided in the file:
/etc/firewall/modules/public/services/tcp-clients-template
Copy the file to the relevant directory in the firewall-modules hierarchy
and edit it to suit your needs. Run RCF with the --update-config
parameter and edit your newly created options in /etc/firewall.conf.
Upon restart of the firewall, your script should be executed.
After you've fine-tuned your new service rules, please send the list a copy
of your script. If this is a widely used application, and your rules look
secure, they'll be added to RCF. You can also post your custom
script and/or get some help from our developers mailing list.
Some earlier developed scripts are available in /etc/firewall/modules/contrib. Link them (with the
ln command) to the appropriate (private or public) directory.
- How do I open certain ports when RCF has already started?
- Use the
--[accept|deny|forward]-[int]-[serv]-[hosts|servers|clients|ports|hostports]
{host|ip|subnet} {...} switch. Adds a temporary entry to a configuration
option; Useful when you want to open-up a service "on the fly". These
settings will be lost the next time the firewall is executed.
- How do I open all ports (i.e. tear down my firewall)?
- Use the --accept-all switch. This sets the default policy to "accept";
flushes all firewall rules and removes chains. This allows any incoming and
outgoing traffic.
- How do I pass options to the modules to be loaded, e.g. ICQ?
- Modprobe should be used to pass options to modules. The options should be
entered in /etc/modules.conf or /etc/conf.modules. See man modprobe and man
modules.conf for more information.
- How do I determine whether I have enough firewall rules?
- "That which is not strictly allowed, is prohibited." Keep that in mind. Deny
everything that should not be allowed.
As to the number of rules reported by RCF:
There's no general rule of thumb. It depends on your configuration. If you need
to open lots of services to the outside world, your rule-count will
increase. The strict mode will also add a lot of rules (+/- 60) for added
security. Counts have been reported in the range of 180 - 330 rules.
- How can I be certain I am hacker-proof?
- You can't. Simple as that. Nothing can be made 100% hacker-proof. Even Fort
Knox can be cracked, but the effort might be more costly than the rewards.
If you want to be certain no-one enters your box from the Internet, there's
one solution: pull the plug. Don't connect. That's however not an option for
most of us, so try to make as few services available to the outside world
as possible. Comment them out in /etc/inetd.conf and block them with
RCF. Don't start any unnecessary services in /etc/rc.d/rcX.d and
block them with RCF. Be as secure on every level of configuration as
you can possibly be. Read the guides mentioned in the websites section of
this document.
You may also probe your security from other boxes with portscanners. They
won't tell if it's vulnerable, but they can show you the strength of your
firewall.
- How do I set up RCF to use my one ethernet card for both public and private traffic?
- You can't. Private traffic is just what it says it is: private. It must not be allowed on the
public Internet, since there's no way a packet sent to a private IP will ever arrive. It just
pollutes the net. You should buy yourself a second ethernet card.
- How do I enable support for IRC?
- Make sure you have the right masquerading module installed in your firewall.conf:
masq-modules = irc
- How do I enable support for ICQ?
- Previously, it was suggested to just open a port range for your clients to use and load the
icq kernel module to take care of the forwarding. This method became more and more obsolete
with the introduction of ICQ 2000, since that version wasn't supported. Development on the
kernel module seems to have stopped.
The current best practice, is to forward a small port range per client, and configure the client
accordingly. This way, the special functions (file transfer, chat, etc.) will also work.
How can this be accomplished? In my example configuration, we have three hosts on the backend
with their own ICQ clients. They're divided over two subnets:
192.168.1.2 on subnet 1, and 192.168.2.5 and 192.168.2.13 on subnet 2.
For the special functions of ICQ we need to allow direct connections:
accept-eth0-icqdirect-clients = any/0
The port range to cover all clients. (You may choose any range, as long as you don't pick
one already occupied by standard programs. Check with IANA assignments first.)
accept-eth0-icqdirect-ports = 47101:47130
Of course we'll need to allow contact with the ICQ servers:
accept-eth0-icq-servers = 205.188.0.0/16
And masq-modules must not contain the 'icq' option:
masq-modules = (does not contain 'icq')
Now we'll divide the ports among the clients. I used 10 ports per client, which seems to be
a little too much. Using a smaller number of ports should work fine:
forward-eth0-tcp-hostports = 192.168.1.2 47101:47110, 192.168.2.13 47111:47120, 192.168.2.5 47121:47130
To make this work, configure the clients to use the same port ranges (instead of the default
'random ports' setting.) as you entered above. Restart the clients and the firewall, and you
should be able to chat, receive files etc.
- How do I enable support for pcAnywhere?
- You'll need the pcAnywhere modules (found in /etc/firewall/modules/contrib/services)
linked to your private or public section (depending on your requirements). Run RCF with
the --update-config parameter. After that reload
RCF and it should work, unless your pcAnywhere is not using TCP/IP Compatibility mode.
If it isn't working visit symantec.com and search for "How to change the pcAnywhere IP ports".
There is a short section on "Restricting pcAnywhere ports".
Follow those instructions (it's a registry change on the host and remote) and then it should
be working ok.
- How can I see what my firewall is doing?
- On several occasions you might wonder what traffic is being blocked --
to debug something, spot hacker activity, etc. I recommend you save syslog
messages generated by ipchains to a separate log file. Add something like
this to your /etc/syslog.conf file "kern.=info /var/log/firewall/ipchains.log".
'Normal' kernel logging can then be redirected by "kern.notice /var/log/kernel"
Remember to use only TABS as whitespace, NOT spaces, or else it will not
work. The directory /var/log/firewall needs to exist, of course.
You can follow it realtime with "tail -f /var/log/firewall/ipchains.log"
- What do all those syslog log entries mean?
- A typical log entry looks like this:
Sep 25 09:18:19 privateer kernel: Packet log: eth0i DENY eth0 PROTO=17 130.89.XXX.XXX:513 130.89.255.255:513 L=232 S=0x00 I=45818 F=0x0000 T=64 (#141)
- Sep 25 09:18:19
- The date and time the packet hit the firewall
- privateer
- It occurred on host 'privateer'
- kernel
- Was logged by the kernel
- Packet log
- Describes a packet log entry
- eth0i
- It matched a rule in the ruleset for 'eth0', 'i'nbound
- DENY
- The packet was denied (i.e. discarded without notice to the sender)
You can have REJECT here as well, this discards the packet and
acknowledges to the sender that it was discarded. We mostly DENY on
the outside, and REJECT on the inside. That's because a sender must
wait until the packet has expired, and will make the life of
portscanners a little more difficult. This does reveal you have a
strong firewall in place, though.
- eth0
- Occurred on 'eth0' (my external interface). Other devices might be
ppp for a dialup link.
- PROTO=17
- It was a packet with protocol 17, i.e. it was a UDP packet. (These
protocol numbers can be found in /etc/protocols, or at
http://www.isi.edu/in-notes/iana/assignments/protocol-numbers)
Other common numbers are for example 1 (ICMP) or 6 (TCP).
- 130.89.XXX.XXX
- It originated at the host with IP 130.89.XXX.XXX
(IP erased for privacy reasons)
- 513
- On its port 513.
The numbers can be found in /etc/services, or far more exhaustive at
http://www.isi.edu/in-notes/iana/assignments/port-numbers
- 130.89.255.255
- It was sent to IP 130.89.255.255, the broadcast on this (class B) subnet
- 513
- With destination port 513
- L=232
- It had a length of 232 bytes
- S=0x00
- It had no type of service set.
In theory, you can tell the Internet how to handle your traffic, be
it sensitive to delay, throughput, etc.
- 0x10 = Minimum Delay
- 0x08 = Maximum Throughput
- 0x04 = Maximum Reliability
- 0x02 = Minimum Cost
- 0x00 = not set
- I=45818
- Had this ID number, which is not important to firewalls.
- F=0x0000
- It had a 16-bit fragment field, including the IP fragmentation flags, of
"0x0000".
"0x2..." or "0x3..." means the "More Fragments" bit was set, so more
fragments will be coming in to complete this one big packet.
"0x4..." or "0x5..." means that the "Don't Fragment" bit is set.
Any other value is the fragment offset (divided by 8), later
used to recombine the fragments into the original big packet.
- T=64
- Its TTL (Time To Live) was 64. Each router on the path subtracts 1
from this number; the router that brings it to zero discards the packet
(and normally sends back an ICMP "time exceeded"), so a misrouted packet
cannot circulate forever.
- #141
- And matched my firewall rule number 141 (as present in the kernel).
If you want to know exactly which rule it was, use
"ipchains -L -n --line-numbers".
Well, what do we know then? A packet from some host, broadcast to 513/UDP,
was denied. According to the IANA numbers that port belongs to a service which
"maintains databases showing who's logged in to machines on a local net and
the load average of the machine", i.e. rwho, one of the BSD r-services. Nice to
know, nothing threatening. But I personally think it gives away too much
about his box, even though it might be cool to report your fabulous uptime.
- How do I log the screen output of RCF?
- Invoke the script as:
/sbin/rcf 2>&1 | logger
This will log all output on level user.info. Make sure you have a rule in
/etc/syslog.conf to do something with that level. (On my system it will by
default be logged to /var/log/messages). If you're not comfortable with that
level, use the '-p' flag of logger to specify the desired one.
If you use SysV startup scripts (e.g. /etc/rc.d/rc3.d/S11firewall) screen
output is logged automatically when you change runlevels.
- How do I log the screen output of RCF to a file, instead of syslog?
- Invoke the script as:
/sbin/rcf 2>&1 | tee -a rcf.log
This will append (hence the '-a' flag) all output to the file
rcf.log.
- What are those martians in my logs?
- Ask Mulder & Scully... Seriously, these are entries logged by the kernel
itself (not by an RCF rule) for packets that were dropped because they were
spoofed (a source address that cannot legitimately arrive on that interface),
source-routed, or ICMP redirect packets. The kernel only reports them if it
was built with 'IP: verbose route monitoring' (CONFIG_IP_ROUTE_VERBOSE, see
the kernel options below).
- How do I set up a DMZ (De-Militarized Zone) using RCF?
- The architecture suggested with RCF is this:
--INTERNET--> firewall --DMZ--> router --MZ--|
The router should (of course) make use of ACLs to control DMZ->MZ traffic.
Typically, databases would be located on the MZ.
Let's not forget, the 'standard' definition of a DMZ is a network with
servers offering their services on the Internet. MZ servers should not
communicate directly with the Internet, but only with DMZ servers in a
very restricted fashion.
Using RCF, you have to keep your public IPs on the firewall, so you
can't really load balance with RCF.
Note: DMZ support is not working correctly with RCF 5.0.1 and below. Use 5.1b7 or higher
instead.
To accomplish this, you need to set in /etc/firewall.conf:
# De-Militarized Zones (DMZs) are public network segments connected to
# the firewall. DMZ servers typically offer public services such as
# http, ftp, etc. IP addresses on these segments should be routable on
# the internet (no private IPs like 10.0.0.0, 192.168.0.0, etc.).
#
dmz-interfaces = (your interface)
If you do an --update-config, you'll get a new option "dmz-(your interface)-clusters =" with
a lot of extra information. If you defined clusters for your machines, you will have to do a
second --update-config to get the new per-cluster options, so you can enable the protocols
you need for your clusters.
- What would an MZ config look like?
- This is JS's setup (using 5.1b9):
public-interfaces = eth1
private-interfaces = eth0:1 eth0:2 eth0:3
My network's gateway (10.1.1.1) is on eth0:1. eth0:2 is my DNS IP and
eth0:3 is my SMTP server. I plan to move the DNS and SMTP services onto
another server in a few weeks.
mz-interfaces = eth0
I want to control where LAN PCs can go, so eth0 (my private interface)
is listed as an MZ interface instead.
public-interfaces-security = paranoid
I don't even trust myself! :-)
private-interfaces-security = paranoid
mz-interfaces-security = paranoid
mz-clusters-security = paranoid
In paranoid mode, I'll have to specify where LAN traffic can go. For
example, if I have a proxy (which I do) and I want to prevent PCs from
by-passing it...
mz-eth0-clusters = lan 10.1.1.0/24
I just create a single cluster for my whole LAN.
ignore-eth1-auth-clients = any/0
Don't log auth/identd denied traffic.
accept-eth1-dhcp-servers = 10.16.96.1 10.16.96.2 10.16.128.1 10.23.128.2
My ISP uses private IPs on their network! Ugly...
accept-eth1-dns-servers = any/0
My DNS must be able to reach out to other DNSs...
accept-eth1-ftpactv-clients = any/0
accept-eth1-ftpactv-servers = ./ftpactv-servers
accept-eth1-http-clients = any/0
ignore-eth1-http-clients = a.x.y.z
accept-eth1-https-clients = any/0
accept-eth1-http-servers = any/0
accept-eth1-https-servers = any/0
Since I run in paranoid mode, I have to specify which services are allowed out.
ignore-eth1-ping-clients = any/0
accept-eth1-icqdirect-clients = ./icqdirect-clients
accept-eth1-icqdirect-ports = 4020:4030
accept-eth1-icqdirect-servers = any/0
accept-eth1-icq-servers = 205.188.0.0/16
accept-eth1-irc-servers = a.x.y.z
accept-eth1-nntp-servers = ./nntp-servers
accept-eth1-ntp-servers = time.risq.qc.ca clock.uregina.ca
accept-eth1-pop3-servers = pop.videotron.ca
accept-eth1-proxy-ports = 8000
ignore-eth1-smb-hosts = any/0
accept-eth1-smtp-clients = any/0
accept-eth1-smtp-servers = any/0
accept-eth1-ssh-clients = any/0
accept-eth1-ssh-servers = any/0
accept-eth1-time-servers = time.risq.qc.ca
accept-eth1-wmstream-servers = 208.184.229.0/24
iana-reserved-networks = ./iana-reserved-networks
accept-eth0-dhcp-clients = 10.1.1.0/24
I run a DHCP server on my private/MZ interface...
accept-eth0:2-dns-clients = 10.1.1.0/24
accept-eth0-nfs-servers = arthur.localdomain
accept-eth0:3-pop3-clients = trillian.localdomain
accept-eth0-proxy-clients = 10.1.1.0/24
accept-eth0:1-proxy-ports = 8000
accept-eth0:2-proxy-ports = 8000
accept-eth0:3-proxy-ports = 8000
accept-eth0-proxy-ports = 8000
accept-eth0:lan-proxy-ports = 8000
accept-eth0-smb-hosts = trillian.localdomain
ignore-eth0-smb-hosts = arthur.localdomain
arthur is another linux box so I don't want to see its smb broadcasts.
accept-eth0:3-smtp-clients = 10.1.1.0/24
accept-eth0-smtp-clients = 10.1.1.0/24
accept-eth0-ssh-clients = 10.1.1.0/24
masq-modules = ftp irc raudio
masq-timeouts = 7200 10 160
forward-eth1-masq-networks = 10.1.1.0/24
debug = no
ipac-bindir = /opt/ipac/bin
You'll note that I didn't use any "*-eth0:lan-*" options. This is because
opening a service for the interface, accept-eth0-ssh-clients for example,
is equivalent to using accept-eth0:lan-ssh-servers. It all depends on your
perspective. The difference would come when going from one interface to
another, like in a DMZ/MZ setup. You'd have to open the outgoing service
on one end and open it for incoming on the other.
- How do I set up VPN (Virtual Private Networking) using RCF?
- Setting up a Virtual Private Network is not an every day job, but if you follow these
steps correctly, it should be a piece of cake. I'm assuming your interface will be eth0, but your
situation may be different. Use the name of your VPN interface where I say [int] or eth0. Your
ISP will give you an IP to use for your VPN connection.
- You'll of course need separate VPN software, such as Free S/WAN, vpnd or PPTP. It needs
to be configured properly, and running.
- You need to check your routing tables and add a route to the host(s) if needed.
- Depending on your VPN software, you need to enable a different VPN module.
- For S/WAN VPN servers you'll need either 050-ipsecvpn-hosts (if you're using ESP encryption and/or
authentication (the typical case)) or 050-ipsecvpnah-hosts (if you're using AH packet level
authentication), depending on your VPN configuration. If you don't know which one is used, try
ESP first. If it doesn't work, try AH.
- For PPTP VPN servers you'll need the 030-pptpvpn-hosts module.
- Currently no other VPN servers are supported. You're welcome to contribute new ones to
the development list, or ask for one to be developed. (Provide as many technical details on the
protocol as possible, for instance a URL where the full technical specification of the protocol
can be found.)
- In /etc/firewall/modules/public/services the correct one should be present. If not,
you'll need to link it from the contrib or common directory like:
ln -s ../../contrib/030-pptpvpn-hosts
- Update the firewall.conf by invoking RCF with the --update-config parameter.
- Edit /etc/firewall.conf:
- Declare the VPN interface private, since there will be both private and public IP's on
the interface. Like this:
private-interfaces = eth0
- An option for your VPN server should be present, like this:
accept-[int]-[your VPN protocol]-hosts =
E.g.: accept-eth0-pptpvpn-hosts =
If it's not, the file was not linked in /etc/firewall/modules/public/services.
Check whether it's present. If not, link it correctly.
- Fill in the IP of the ISP's VPN host.
- Make sure all other services you want to offer or use are configured properly.
- Restart RCF, and you should be up and running.
- Note: If you're unable to ping the remote box(es), be sure to check whether
you have accept-[int]-ping-clients set correctly.
- How do I forward ports to a server on my internal LAN?
-
In some cases, you may want to forward a port from your firewall
directly to an internal (LAN) host. You can enter multiple hosts and
ports in these variables (separated by commas). You'll also need to
install the ipmasqadm tool (available from
http://juanjox.kernelnotes.org/).
Syntax:
forward-[int]-[prot]-hostports = [host/ip] [ports],[...]
The [ports] field can be a simple port number (25), a port range
(3010:3020), or a local->remote port match (25->60 or
3010:3020->4010:4020). Multiple [ports] can also be entered for
each host/ip.
Example:
forward-eth1-tcp-hostports = zaphod.localdomain 80 81
forward-eth1-tcp-hostports = zaphod.localdomain 80->8080
forward-eth1-tcp-hostports = zaphod.localdomain 6100:6200
forward-eth1-tcp-hostports = zaphod.localdomain 80, trillian.localdomain 23 25
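As an added example (not part of RCF), the following Python turns the hostports syntax described above into the list of ipmasqadm portfw commands it amounts to, validating each spec on the way: a host without ports, a reversed range, a port above 65535, or an N:M->P:Q mapping whose two ranges differ in length are rejected instead of silently producing a wrong rule. The external address 192.0.2.1 and the host names are illustrative; names are not resolved. The ipmasqadm flags used are -a (add), -P (protocol), -L (local, i.e. firewall, address and port) and -R (remote, i.e. internal, address and port).

```python
"""Expand RCF's forward-[int]-[prot]-hostports syntax into portfw rules.

Added example, not part of RCF. It implements the syntax the FAQ
describes (hosts separated by commas, each host followed by one or more
port specs of the form N, N:M, N->M or N:M->P:Q) and prints the
ipmasqadm portfw commands such a line amounts to. The external address
and the host names are illustrative; names are not resolved.
"""
import re

PORT_RE = re.compile(r"^\d+(:\d+)?$")


def _port_range(spec):
    """'80' -> [80]; '3010:3020' -> [3010, ..., 3020].

    Rejects malformed specs, reversed ranges and ports outside 1..65535.
    """
    if not PORT_RE.match(spec):
        raise ValueError("malformed port spec %r" % spec)
    lo, _, hi = spec.partition(":")
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError("port range out of order or out of range: %r" % spec)
    return list(range(lo, hi + 1))


def expand_port_spec(spec):
    """One spec -> list of (external_port, internal_port) pairs."""
    if "->" in spec:
        ext, local = spec.split("->", 1)
        ext_ports, local_ports = _port_range(ext), _port_range(local)
        if len(ext_ports) != len(local_ports):
            raise ValueError("external and internal ranges differ in length: %r" % spec)
        return list(zip(ext_ports, local_ports))
    ports = _port_range(spec)
    return list(zip(ports, ports))


def parse_hostports(value):
    """Whole option value -> list of (host, external_port, internal_port)."""
    rules = []
    for entry in value.split(","):
        fields = entry.split()
        if len(fields) < 2:
            raise ValueError("host without ports in %r" % entry.strip())
        host, specs = fields[0], fields[1:]
        for spec in specs:
            rules.extend((host, ext, local) for ext, local in expand_port_spec(spec))
    return rules


def portfw_commands(option, value, ext_ip):
    """Turn 'forward-<int>-<prot>-hostports = <value>' into ipmasqadm portfw commands."""
    m = re.match(r"^forward-(?P<iface>[^-]+)-(?P<proto>tcp|udp)-hostports$", option)
    if m is None:
        raise ValueError("not a forward-<int>-<prot>-hostports option: %r" % option)
    proto = m["proto"]
    return ["ipmasqadm portfw -a -P %s -L %s %d -R %s %d" % (proto, ext_ip, ext, host, local)
            for host, ext, local in parse_hostports(value)]


if __name__ == "__main__":
    EXT_IP = "192.0.2.1"   # illustrative external address of the firewall
    for line in ("forward-eth1-tcp-hostports = zaphod.localdomain 80->8080",
                 "forward-eth1-tcp-hostports = zaphod.localdomain 80, trillian.localdomain 23 25"):
        option, _, value = (s.strip() for s in line.partition("="))
        for cmd in portfw_commands(option, value, EXT_IP):
            print(cmd)
```

Every line this prints is a hole in the firewall: the internal host is reachable from the Internet on that port exactly as if it sat on the firewall itself. Keep the list short and prefer single ports over ranges (6100:6200 alone is 101 rules, and 101 exposed ports).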
- How can I determine what ports should be forwarded to a server on my internal LAN?
- If the protocol isn't already supported, you might find some valuable tips at
http://www.tsmservices.com/masq/
- How do I protect Windows machines on my internal LAN from trojans?
- There are a few contrib modules which can be linked from /etc/firewall/modules/contrib/block-remote-ports
to /etc/firewall/modules/public/block-remote-ports. No --update-config is necessary, the firewall
does need to be restarted however for the changes to take effect.
- How do I use iptables / kernel 2.4.x and RCF?
- RCF doesn't support iptables yet. Not to worry, ipchains will be supported
for quite some time in the 2.4 kernels through netfilter's compatibility
layer. (Refer to
http://netfilter.filewatcher.org/unreliable-guides/packet-filtering-HOWTO-8.html)
RCF will be ported to iptables eventually, but since defining a firewall
with iptables is a far more complex matter than with ipchains, don't
expect a reliable version (of any firewall for that matter) to come out
soon.
Besides, you wouldn't see much difference either...
To use RCF with a 2.4 kernel you need to compile in ipchains support
(Networking options - ipchains (2.2-style) support, CONFIG_IP_NF_COMPAT_IPCHAINS).
Refer to the kernel configuration section below for the details. Note that the
ipchains compatibility module and ip_tables cannot be loaded at the same time,
so don't run an iptables-based tool next to RCF.
- How can I pipe all commands RCF will be executing to a custom script tailored to my setup?
- Some users expressed the need for a tailored script, which improves execution speed.
To create such a script, invoke RCF as follows:
/sbin/rcf --test >/dev/null 2>script.sh
Mind you, the generated shell script is a snapshot: it will not reflect any later changes to
the config file. You'll need to create a new one each time you upgrade RCF, add or remove
interfaces or change something in your configuration file. Read through it once before you put
it in place of RCF: it contains exactly the ipchains commands that will be run, so it is also a
handy way to audit what your configuration really does.
- Is it possible that RCF slows down my connection?
- No. Given the speed of computers nowadays, you shouldn't experience any performance loss,
not even on an old 486. If you do experience delays, they are most likely caused by a parallel
lookup which has to time out, such as the ident (auth) lookup many SMTP servers do when you
connect. If you feel like it, enable/add support for the component which can't connect.
- How come protocol XYZ takes much longer when I use RCF?
- This is due to the fact that you forgot to enable support for a part of the particular
protocol you experience problems with. This is similar to the previous question.
- How come my box runs out of memory/CPU time etc.?
- First of all: RCF is not a program, in the sense that it's running. RCF is merely a script
to feed ipchains commands to the kernel. As soon as it exits, it's no longer running/sleeping
whatsoever. It exited.
The only thing running then (regarding firewalling) is the kernel. The kernel reads the headers
from incoming and outgoing packets, and verifies them with the table of rules we (RCF) have
setup. This is a process which costs relatively little CPU time and memory.
Thrashing (what happens when programs continuously swap each other out in order to get a
chance to run) occurs on memory-low systems, but cannot be caused by RCF. If you experience this
type of problem and you run a box with, say, 16 MB of RAM or less, you'll need to disable large
windows in your kernel (Networking options - IP: Allow large windows).
CONFIG_SKB_LARGE:
On high speed, long distance networks the performance limit on
networking becomes the amount of data the sending machine can buffer
until the other end confirms its reception. (At 45 Mbit/second there
are a lot of bits between New York and London...). If you say Y
here, bigger buffers can be used which allows larger amounts of data
to be "in flight" at any given time. It also means a user process
can require a lot more memory for network buffers and thus this
option is best used only on machines with 16 MB of memory or higher.
Unless you are using long links with end to end speeds of over 2
Mbit a second or satellite links this option will make no difference
to performance.
There's one other problem you may run in to: syslogd can't cope with all entries that should
be made. Normally this only occurs on a busy network running in debug mode, but there are other
situations which can cause this problem. For instance:
- Most common: gamers on your network. Some multiplayer games flood the network with broadcast
messages, mostly on UDP. If they're denied and logged, syslog might run out of resources. If you
experience this behavior, enable the 'broadcast-clients' module, which lets you deny all
broadcasts to the global broadcast address (255.255.255.255).
- Less common: Someone is trying to launch a DoS (Denial of Service) attack against you
or your network. Put that host in your blacklist, or just sit it out.
- How does the numbering scheme work (e.g. 110-modulename)?
- The numbering scheme has nothing to do with port numbers! It is the order
in which the modules' rules are loaded into the kernel. ipchains walks a chain
from top to bottom and stops at the first matching rule, so modules for
services which transfer a lot of traffic should come first (lowest numbers):
most packets are then decided after only a few comparisons.
- How do I block SPAM with my firewall?
- A firewall is not the most suitable tool for dealing with spam. There are
enough anti-spam features in for example sendmail to deal with it. If you're
interested in blocking SPAM, have a look at
http://mail-abuse.org/rss/
- How do I block annoying ads (e.g. from doubleclick.net)?
- A firewall is not the most suitable tool for dealing with that. There are
some programs which can do it for you, e.g. junkbuster.
- How do I report a bug?
- About the RCF script:
Send a message to the author, Jean-Sébastien Morisset,
or to the 'users' mailing list.
About the RCF FAQ:
Send a message to the author,
Edwin ten Brink, or to the 'users' mailing list.
- How do I contribute to the evolution of RCF?
- Join the 'developers' mailing list.
- How do I pose a question to a mailing list?
- If you want to contribute a custom module, you should direct your mail towards the developers list.
If you have a question on the current version of RCF, your mail should be addressed towards the users list.
If you want to have a quick answer to your question, include the version number of RCF you're using,
a few relevant lines of your logs and your configuration (obtained with the --show-config parameter).
Be sure your problem isn't described in the man pages, this FAQ or the mailing list archives already.
- How do I unsubscribe from one of the mailing lists?
- See the section on mailing lists for instructions
- Why is nobody answering my question on the list?
- There may be several causes for this. Either no one knows the answer, or your problem is
not formulated clearly enough or lacks the information needed to give an answer. Or simply
no one has had time to look at your problem yet. Remember that all members of the list are
volunteers and may have other things on their hands...
A list of the options needed is below. Unless you have an urgent reason not
to, I recommend you enable all options below. The ones marked 'recommended'
should only be disabled if you know what you're doing, or when you're very low
on memory.
Kernels prior to 2.2.x cannot run ipchains; they use ipfwadm instead, and
there is currently no version of RCF which supports ipfwadm.
For 2.2.x kernels:
- In General Setup:
- Needed:
- Networking support: CONFIG_NET
- Recommended:
- Sysctl support: CONFIG_SYSCTL
- In Networking options:
- Needed:
- Network firewalls: CONFIG_FIREWALL
- Needed:
- TCP/IP Networking: CONFIG_INET
- Recommended:
- IP: advanced router: CONFIG_IP_ADVANCED_ROUTER
- Recommended (speed):
- IP: use TOS value as routing key: CONFIG_IP_ROUTE_TOS
- Recommended (security):
- IP: verbose route monitoring: CONFIG_IP_ROUTE_VERBOSE
- Needed:
- IP: firewalling: CONFIG_IP_FIREWALL
- Needed (masquerading):
- IP: masquerading: CONFIG_IP_MASQUERADE
- Recommended (security):
- IP: ICMP masquerading: CONFIG_IP_MASQUERADE_ICMP
- Needed (port forwarding, ICQ etc.):
- IP: masquerading special modules support: CONFIG_IP_MASQUERADE_MOD
- Recommended (speed when routing mostly):
- IP: optimize as router not host: CONFIG_IP_ROUTER
- Recommended (security):
- IP: TCP syncookie support: CONFIG_SYN_COOKIES
- In Network device support:
- Needed:
- Network device support: CONFIG_NETDEVICES
- Needed:
- Support for your network card or dialup connection
- In Filesystems:
- Recommended:
- /proc filesystem support: CONFIG_PROC_FS
Don't forget to save the options, compile, copy, install and reboot with
that kernel.
For 2.4.x kernels (netfilter, using its ipchains compatibility layer) the
corresponding options are:
- In General Setup:
- Needed:
- Networking support: CONFIG_NET
- Recommended:
- Sysctl support: CONFIG_SYSCTL
- In Networking options:
- Needed:
- Network packet filtering (replaces ipchains): CONFIG_NETFILTER
- Needed:
- Unix domain sockets: CONFIG_UNIX
- Needed:
- TCP/IP Networking: CONFIG_INET
- Recommended:
- IP: advanced router: CONFIG_IP_ADVANCED_ROUTER
- Recommended (speed):
- IP: use TOS value as routing key: CONFIG_IP_ROUTE_TOS
- Recommended (security):
- IP: verbose route monitoring: CONFIG_IP_ROUTE_VERBOSE
- Recommended (security):
- IP: TCP syncookie support: CONFIG_SYN_COOKIES
- Needed:
- ipchains (2.2-style) support: CONFIG_IP_NF_COMPAT_IPCHAINS
- In Network device support:
- Needed:
- Network device support: CONFIG_NETDEVICES
- Needed:
- Support for your network card or dialup connection
- In Filesystems:
- Recommended:
- /proc filesystem support: CONFIG_PROC_FS
Don't forget to save the options, compile, copy, install and reboot with
that kernel.
As everyone knows, nothing changes faster than the Internet, so the links
below may have changed. If you find a broken link or a site of which you
feel it really should be in here, please report it to me.
There are tons of information out there. This list is not, and will not be,
complete. It merely provides useful references.
RCF Homepage
Main page:
Mirrors:
HOWTO's
http://linux.seva.net/LDP/HOWTO/HOWTO-INDEX/howtos.html
For a list of all available Linux Documentation Projects HOWTO's.
Some specific HOWTO's are listed below.
http://linux.seva.net/LDP/HOWTO/Ethernet-HOWTO.html
This is the Ethernet-Howto, which is a compilation of information
about which ethernet devices can be used for Linux, and how to set
them up.
Note that this Howto is focused on the hardware and low level driver
aspect of the ethernet cards, and does not cover the software end of
things like ifconfig and route. See the Network Howto for that stuff.
http://linux.seva.net/LDP/HOWTO/Firewall-HOWTO.html
http://www.grennan.com/Firewall-HOWTO.html
This document is designed to describe the basics of firewall systems
and give you some detail on setting up both a filtering and proxy
firewall on a Linux based system.
http://linux.seva.net/LDP/HOWTO/IP-Masquerade-HOWTO.html
This document describes how to enable the Linux IP Masquerade
feature on a given Linux host. IP Masq is a form of Network Address
Translation or NAT that allows internally connected computers that
do not have one or more registered Internet IP addresses to have
the ability to communicate to the Internet via your Linux box's
single Internet IP address.
http://linux.seva.net/LDP/HOWTO/IPCHAINS-HOWTO.html
This document aims to describe how to obtain, install and configure
the enhanced IP firewalling chains software for Linux, and some
ideas on how you might use them.
http://linux.seva.net/LDP/HOWTO/Net-HOWTO/index.html
General information about networking for Linux.
http://linux.seva.net/LDP/HOWTO/Networking-Overview-HOWTO.html
The purpose of this document is to give an overview of the
networking capabilities of the Linux Operating System and to provide
pointers for further information and implementation details.
http://linux.seva.net/LDP/HOWTO/Securing-Domain-HOWTO.html
This document outlines the things you will probably have to do when
you want to set up a network of computers under your own domain. It
covers configuration of network para meters, network services, and
security settings.
http://linux.seva.net/LDP/HOWTO/Security-HOWTO.html
This document is a general overview of security issues that face the
administrator of Linux systems. It covers general security
philosophy and a number of specific examples of how to better
secure your Linux system from intruders. Also included are pointers
to security-related material and programs.
Linux Documentation Project (LDP)
http://www.linuxdoc.org/LDP/nag2/
The Linux Network Administrators Guide
http://www.linuxdoc.org/LDP/sag/index.html
The Linux System Administrators Guide
Clarification of protocol/port/network/rfc numbers
http://www.isi.edu/in-notes/iana/assignments/ipv4-address-space
List of allocated networks.
http://www.isi.edu/in-notes/iana/assignments/port-numbers
List of port numbers and their usual application.
http://www.isi.edu/in-notes/iana/assignments/protocol-numbers
List of protocol numbers.
http://www.cis.ohio-state.edu/htbin/rfc/INDEX.rfc.html
http://info.internet.isi.edu/in-notes/rfc/
List of RFC's (protocol specifications)
Assessing your security
http://www.nessus.org/
Downloadable scanner which also probes for security exploits.
http://grc.com/default.htm
Probes your ports remotely.
Doesn't cover everything, but quickly checks the basics.
Mainly Windows-oriented.
http://www.insecure.org/nmap/index.html
Great downloadable portscanner. Determines remote OS and uptime as well.
http://www.insecure.org/nmap/index.html
Commercial remote portscanner. One free try.
Host information
http://www.whois.org/
Provides information on domain names
http://www.traceroute.org/
Performs a traceroute to a selected host
http://www.norid.no/domreg.html
Domain name registries around the world
Other information
http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS/cHTML/TrinityOS-c.html
TrinityOS: A Guide to Configuring Your Linux Server for Performance,
Security, and Managability
http://www.rcf-tools.com/linux/
The Linux Firewall and Security Site
Tons of links to several security sites
http://www.tsmservices.com/masq/
List of ports which need to be forwarded for a lot of protocols.
Sites where RCF is advertised
Freshmeat
http://freshmeat.net/projects/rcf
SecurityFocus
http://www.securityfocus.com/tools/1654
You can vote for RCF here too!
New version announces will also be made on these newsgroups:
comp.os.linux.announce
comp.os.linux.networking
comp.os.linux.security
comp.security.firewalls
The RCF mailing lists
Read this FAQ and the archives of the mailing lists first before
posting a question to any of the mailing lists!
There are three mailing lists, all with different audiences. You may
subscribe to any combination of them.
- Linux ipchains firewall announce mailing list
- Audience:
- All users who want to be notified of updates
- About the list:
- http://lists.mvlan.net/mailman/listinfo/rcf-announce
- Archive of previous posts:
- http://www.mvlan.net/pipermail/rcf-announce/
- Help about the list:
- Mail to: rcf-announce-request@lists.mvlan.net
With the subject: "help"
- Subscribe:
- Mail to: rcf-announce-request@lists.mvlan.net
With the subject: "subscribe"
- Unsubscribe:
- Mail to: rcf-announce-request@lists.mvlan.net
With the subject: "unsubscribe"
- Linux ipchains firewall users mailing list
- Audience:
- Users who want to ask or answer general user questions
about the current production version.
So no development questions!
- About the list:
- http://www.mvlan.net/mailman/listinfo/rcf-users
- Archive of previous posts:
- http://www.mvlan.net/pipermail/rcf-users/
- Help about the list:
- Mail to: rcf-users-request@lists.mvlan.net
With the subject: "help"
- Subscribe:
- Mail to: rcf-users-request@lists.mvlan.net
With the subject: "subscribe"
- Unsubscribe:
- Mail to: rcf-users-request@lists.mvlan.net
With the subject: "unsubscribe"
- Posting a message:
- Mail to: rcf-users@lists.mvlan.net
- Linux ipchains firewall developers mailing list
- Audience:
- Users who want to participate in or stay informed about developments of RCF
- About the list:
- http://www.mvlan.net/mailman/listinfo/rcf-dev
- Archive of previous posts:
- http://www.mvlan.net/pipermail/rcf-dev/
- Help about the list:
- Mail to: rcf-dev-request@lists.mvlan.net
With the subject: "help"
- Subscribe:
- Mail to: rcf-dev-request@lists.mvlan.net
With the subject: "subscribe"
- Unsubscribe:
- Mail to: rcf-dev-request@lists.mvlan.net
With the subject: "unsubscribe"
- Posting a message:
- Mail to: rcf-dev@lists.mvlan.net
Other security- or firewall-related mailing lists and newsgroups
Various lists can be found at SecurityFocus, among
them the famous BugTraq.
comp.os.linux.networking
Deals with Linux networking
comp.os.linux.security
Deals with Linux security
comp.protocols.tcp-ip
Deals with the TCP/IP protocol
comp.protocols.tcp-ip.domains
Deals with Internet domains
comp.security.firewalls
Deals with firewalling in general
"Note that if I can get you to "su and say" something just by asking, you
have a very serious security problem on your system and you should look into it."
(By Paul Vixie, vixie-cron 3.0.1 installation notes)