RCF (AKA rc.firewall) FAQ

Purpose: answer general questions on RCF. Provides a starting point for more information/research.

"Being paranoid doesn't guarantee they're not after you to get you."
- Unknown



Index

0. About

1. HELP! - It doesn't work!

2. What does this warning mean?

3. How, who, what, where, why...?

4. How should I configure my kernel?

5. More information

0. About

What is RCF (rc.firewall)?

RCF (AKA rc.firewall) is an ipchains-based firewall with support for over 50 network services (including vtun, DHCP, NFS, SMB, napster, proxies, online games, etc.), masquerading, port forwarding, and IP accounting. All services are self-contained modules which can be prioritized easily in the ipchains stack. Protections include those against spoofing, stuffed routing/masquerading, DoS, smurf attacks, outgoing port scans, and many more. RCF also supports multiple public, private (masqu'ed), dmz, and mz (non-masqu'ed) networks and interfaces. Access rules are defined per interface and per dmz/mz server group.

What is this document all about?

"If all else fails, read the manual"
- Unknown

RCF is designed to be as user-friendly as such a complex matter like firewalling can be. Nevertheless, it is possible you have questions about or problems with it. This FAQ was made to assist you in times of need. I hope no-one needs to read it. :-) Reality mostly proves otherwise: People who need it generally don't read it.

Please read this document carefully before asking any of the authors or the mailing list. It saves you a lot of RTFM (read the fine manual) answers. People usually refer to this document or the man pages.

Maintainer:
Edwin ten Brink
E-mail:
For remarks on this document only edwin@privateer.student.utwente.nl.
PLEASE: Questions on RCF should be directed to the 'users' mailing list. You'll get more and better answers there, since I only collect experiences.
Last revision date:
December 14, 2001 (Version under development can be found in the dev directory)
RCF version:
5.2.1
License:
GPL
Homepage:
http://rcf.mvlan.net/
Thanks to:
All people who posed questions... and those who provided answers.
This document will never be complete. Feedback, also positive, is highly appreciated.

1. HELP! - It doesn't work!

Q: RCF gives an error/warning.
A: See the error messages for more details.

Q: RCF generated a new firewall.conf for me but there are no variables in it!
A: RCF determines all interfaces when it starts up. If you're building a box but don't have all the network interfaces installed yet (ethernet cards, PPP links etc.), edit the firewall.conf file and update the pub and pri interface variables with what you will have on the completed machine. Then re-run '/sbin/rcf --update-config'. This will create all the variables and interfaces whether they exist yet or not. As long as they're not installed, RCF will report that they are down and remove them temporarily.

Q: I'm unable to ping my box!
A: Hosts which should be able to ping you can be put in the accept-[int]-ping-clients. Pings and traceroutes are denied by default.

Q: I can't do a traceroute or a portscan from the firewall. I get messages like this:
traceroute: sendto: Operation not permitted

A: You're running in strict mode or higher. Outgoing portscans are only allowed in open or relaxed mode. Since outgoing UDP traffic is blocked in strict mode and better, you can either switch to relaxed mode, or use icmp traceroute (traceroute -I HOST).
Note: relaxed mode in 5.0.1 doesn't allow outgoing UDP. Upgrade to 5.1b7 or better.

Q: My favorite game/application doesn't work!
A: See section 3 on how to make it work. And I really mean all of section 3.

Q: I downloaded a custom port script and it doesn't work!
A: You should have placed it in the correct directory. Then run RCF with --update-config, and change the generated /etc/firewall.conf to suit your needs. Last but not least, restart the firewall. See again section 3. Also check whether RCF reports the script as being loaded.

Q: RCF hangs when I do an --update-config. I'm logged in via telnet or SSH to the firewall.
A: Telnet connections mostly get lost, SSH pauses until the rules for SSH are set up. Invoke RCF like this, so RCF will keep going even if you lose the connection (note: '& ;' is a shell syntax error, the ampersand alone already separates the two commands):
nohup /sbin/rcf & tail -f nohup.out

Q: RCF works fine when I start it by hand, but my computer hangs when I start it through the initscripts when my computer boots. I'm using RedHat 6.1 or older (initscripts older than 5.0).
A: RCF conforms to initscripts 5.0. You should upgrade your initscripts to 5.0 or better.

Q: I can't get the virtual interfaces to work!
A: It seems that the code is flawed at least as far as 5.1b7. You should upgrade to a better version.

Q: I can't get the DMZ stuff to work. I'm using RCF 5.0.1 or below.
A: The DMZ support in 5.0.1 is broken, unfortunately. As of the development version 5.1b4 it was fixed, so the only possibility is to upgrade.

Q: When I try to use the SMB module, I can't browse a Windows 2000 box from my backend boxes, but I can connect to other Windows versions correctly.
A: That's a limitation of Samba. There's a patch for Samba available.

Q: It still doesn't work!
A: If you still can't find the cause of your problem after reading this document, join the mailing list and post a question there. But read this FAQ first!

2. What does this warning mean?

Since RCF checks the safety of the environment before calling external programs, there are some warnings you might get if your system is configured insecurely. Some other common warnings and errors are listed in this chapter too.


Your PATH variable contains relative directories (doesn't start with '/').
For security reasons, you should remove these directories from your PATH
permanently.


Relative PATH entries, such as "." or "./bin", have proven to be security risks, therefore RCF does not accept them. As the warning says, the script will strip those paths temporarily, but it is highly recommended to remove them completely (e.g. in /etc/profile, /etc/bashrc, or wherever you put your PATH statement on your system).


Unable to locate XXXXX in any PATH directory!

The binary XXXXX is missing! The named binary is needed for the correct functioning of your firewall, so make sure you install it, or extend your PATH variable to include it, then re-run the script.


The owners and/or permissions for XXXXX are incorrect.
Please execute the following commands:
chmod XXXXX
chown root:root XXXXX

The firewall script should be protected from users who don't have any rights to modify the rules. It is therefore required to set the permissions accordingly, with the suggested statements.


The /etc/firewall.conf file is missing - a new one will be created.
Edit this new configuration file and re-run the firewall script.

This warning is self-explanatory. Review and edit the /etc/firewall.conf file to suit your needs.


Both /etc/firewall.conf and rc.firewall.conf exist!
The correct configuration file path is /etc/firewall.conf.
Please remove the old rc.firewall.conf file.

rc.firewall-4.1 and earlier had a /etc/rc.d/rc.firewall.conf file. It was moved to /etc/firewall.conf when upgrading to rc.firewall-5.0. When running two different versions, you might get this message. Remove the old file, and upgrade to the newest version.


Version mismatch between script and configuration file! You must
execute RCF with the --update-config parameter to fix this problem.
Since all variables and options are backwards compatible, the script will
continue.

A version check is performed to ensure you have the correct config file. Make sure you upgrade your configuration, since new parameters may be added. Don't forget to review your configuration before restarting!


WARNING: Please enable XXXXX in your kernel!

See chapter 4. How should I configure my kernel?


The configuration file has moved to /etc/firewall.conf since version 5.0.
Moving rc.firewall.conf to /etc/firewall.conf...

This one is self-explanatory. No intervention is needed.


The rc.firewall.custom-ports file was renamed in version 5.0.
Moving rc.firewall.custom-ports to rc.firewall.custom-pub-ports...

This one is self-explanatory. No intervention is needed.


Removing XXXXX (down) Interface from INT_INTERFACES

It seems that the specified internal interface is down. Make sure it's up and execute the script again.


Removing XXXXX (down) Interface from EXT_INTERFACES

It seems that the specified external interface is down. Make sure it's up and execute the script again.


modprobe: Can't locate module XXXXX

The specified module cannot be found. Modules are usually located in /lib/modules/your_current_kernel_version/ipv4/
Make sure you compiled your kernel correctly (see chapter 4. How should I configure my kernel?). Also, for ip_masq_icq you need to obtain, compile and install a separate module, as explained in the firewall.conf file.


Note: /etc/conf.modules is more recent than /lib/modules/(your kernel version)/modules.dep

This is a message from modprobe. Apparently there's an inconsistency between those two files.

3. How, who, what, where, why...?

Getting started

How do I get RCF going?



I'm confused. How do I fill in the options?

First: You only need to fill in the options present. You don't have to create new ones. If you add or remove interfaces, change the security level, or add new modules, execute RCF with the --update-config parameter so it will update the options for you. You'll of course need to review the config file.
Most of the options consist of this structure:
Example 1:
You want to be able to surf the web, and don't want to be restricted in your movements (I assume eth0 to be your public interface, it may be ppp0 or something else for you):

accept-eth0-http-servers = any/0
ignore-eth0-http-servers =
deny-eth0-http-servers =



Example 2:
You're running a webserver on your box, which needs to be available for your company's subnets (a.b.c.0/255.255.255.0 and x.y.0.0/255.255.0.0) only. Also, it shouldn't be available to the subnet x.y.z.0/255.255.255.0, but we don't need logging of this.

accept-eth0-http-clients = a.b.c.0/255.255.255.0 x.y.0.0/255.255.0.0
ignore-eth0-http-clients = x.y.z.0/255.255.255.0
deny-eth0-http-clients =



I'm still confused. Could you show an example configuration?

Consider this setup (RCF 5.1). One external interface (eth0), two backends (eth1, eth2). The firewall offers limited services (DNS, SMTP, SSH, POP3, FTP, SMB, Squid, Ident and RC5 personal proxy). Entries which don't show up below are empty. The options are listed in the order they appear in the config file.

We'll need to declare those interfaces:
public-interfaces = eth0
private-interfaces = eth1 eth2


Since the firewall itself offers almost no services (as it should), I'll be very strict on security. Because users on my backend use some exotic configurations, it's very hard to use paranoid mode on the external interface (though it's highly recommended).
public-interfaces-security = strict
private-interfaces-security = paranoid


For the external interface, I need to enable some services.
My backend users need this to join IRC channels.
accept-eth0-auth-clients = any/0

A module to ignore all packets sent to the universal broadcast address (255.255.255.255).
ignore-eth0-broadcast-clients = any/0
And I don't want to log DHCP info on my subnet
ignore-eth0-dhcp-clients = 130.89.0.0/16

Another module (IP removed) to accommodate some external users who use my RC5 personal proxy.
accept-eth0-dnetproxy-clients = a.x.y.z

I'm running my own DNS server, so I'll need to accept the responses from outgoing queries.
accept-eth0-dns-servers = any/0

Sometimes I need to FTP something from my server when I'm not on my backend.
accept-eth0-ftpactv-clients = a.y.x.z

From the firewall and backend, I want to be able to initiate an FTP connection to any host
accept-eth0-ftpactv-servers = any/0

I only want my firewall to appear on my local subnet.
accept-eth0-ping-clients = 130.89.0.0/16

To be able to ICQ on my backend, I've set this port range. My clients are configured to take a subrange, so each client can have its own ports forwarded:
accept-eth0-icqdirect-clients = any/0
accept-eth0-icqdirect-ports = 47101:47130
accept-eth0-icq-servers = 205.188.0.0/16


Sometimes I need to be able to read my mail externally:
accept-eth0-pop3-clients = a.x.y.z

To make use of file sharing, I want a number of hosts to be able to connect. Since the list is too long to fit on one line, I decided to put them into a group file in the groups directory (/etc/firewall/groups).
accept-eth0-smb-hosts = ./smb-hosts

I have a local mailserver, which needs to be able to deliver and receive my e-mail.
accept-eth0-smtp-clients = any/0

When I'm away, I may need to contact my server, so again one specific host is allowed.
accept-eth0-ssh-clients = a.x.y.z

Some annoying port 513 traffic should be ignored.
ignore-eth0-who-clients = any/0

This one is default. It ignores the IP's which are not officially in use (and therefore shouldn't be used).
iana-reserved-networks = ./iana-reserved-networks

My backend users occasionally play Quake, so they can play wherever they want to.
accept-eth0-quake-servers = any/0

Now I'll need to define the services the backend users can connect to on the firewall. So this doesn't control the access to the outside!
Since I've set the security to paranoid, I need to open every service I need.
From my first subnet, all boxes may connect to my RC5 proxy.
accept-eth1-dnetproxy-clients = 192.168.1.0/24

All boxes may use the DNS server.
accept-eth1-dns-clients = 192.168.1.0/24
accept-eth2-dns-clients = 192.168.2.0/24


Sometimes I want to connect from the firewall to an internal host.
accept-eth1-ftpactv-servers = 192.168.1.2

All boxes may ping the firewall internally. Mostly for testing purposes.
accept-eth1-ping-clients = 192.168.1.0/24
accept-eth2-ping-clients = 192.168.2.0/24


Sometimes I want to do a security sweep of my network. Therefore I have a Nessus server, located on the firewall which sweeps the internal networks. This one is not permanently active of course, since paranoid and strict mode do not allow portscans etc. The daemon is off by default, started by hand when a sweep is to be made, and the internal security lowered to open mode to allow the scan. Only one host is allowed to use it, since the sweep contains exploits which may crash a box. Obviously, not many people may use it. :-)
accept-eth1-nessus-clients = 192.168.1.2

Only one host which makes use of the POP server.
accept-eth1-pop3-clients = 192.168.1.2

On the firewall I have a Squid proxy (mostly because it zaps the ads out of the web pages. ;-)
accept-eth1-proxy-clients = 192.168.1.0/24
accept-eth2-proxy-clients = 192.168.2.0/24
accept-eth1-proxy-ports = 3128
accept-eth2-proxy-ports = 3128


Internally, it's perfectly safe to use Windoze file sharing, so we allow it for the Windoze boxes.
accept-eth1-smb-hosts = any/0
accept-eth2-smb-hosts = any/0


The mailserver may be used by one subnet only.
accept-eth1-smtp-clients = 192.168.1.0/24

And we'll need to be able to log into the firewall from one box only.
accept-eth1-ssh-clients = 192.168.1.2

Here I assign the ICQ ports I want to forward to the different hosts (also see the section on ICQ in chapter 3, Configuring for more information.) 10 ports per client seems to be on the high side. Fewer ports per client (say, 5) should also work without any problems.
forward-eth0-tcp-hostports = 192.168.1.2 47101:47110, 192.168.2.13 47111:47120, 192.168.2.5 47121:47130

To make use of the protocols I've enabled at the public interface for my backend users, I'll need some special modules. Also the timeouts are set to defaults. Note that I don't use the icq masq module.
masq-modules = ftp irc quake
masq-timeouts = 7200 10 160


I want to forward both internal networks so they have outside access.
forward-eth0-masq-networks = 192.168.1.0/24 192.168.2.0/24

Some miscellaneous things
I don't run debug mode unless necessary.
debug = no
To keep track of traffic I've installed IPAC with some accounting rules. RCF starts them automagically for me.
ipac-bindir = /usr/bin/scripts

Installing / upgrading

Where can I get the latest version of RCF?

The latest stable version will be available at the homepage and at Freshmeat. If you feel the need to have the latest version, for development, or because you need the state-of-the-art, you can download the development version at: http://rcf.mvlan.net/dist/dev/
Be advised that the development version may contain bugs, doesn't function correctly etc.
It is not recommended to run the development version on a production machine!
The latest version of this FAQ can also be found in the development directory.

How do I upgrade from an earlier version?

Save the original RCF and its configuration file (just in case). Execute the new RCF with the --update-config parameter. Review the new configuration file (some options may have been added).


How do I upgrade from rc.firewall to RCF without losing my config?

You should first do an uninstall of rc.firewall before installing RCF. To prevent the loss of your config file, use the following commands: cp /etc/firewall.conf /etc/firewall.conf.old ; rpm -e rc.firewall ; cp /etc/firewall.conf.old /etc/firewall.conf ; rpm -i rcf-[version].noarch.rpm


How can I run a script every time I connect and get a new IP address?

Put the script in /etc/ppp/ip-up. See the pppd(8) man page.


How can I see what RCF will do beforehand?

RCF has a test mode. Because the normal comments are piped to standard output, and the commands are piped to standard error, the output is best viewed when RCF is invoked as follows:

/sbin/rcf --test 2>&1


How can I upgrade RCF safely when I don't have physical access to the box and am logged in remotely?

It's very unfortunate if you're locked out due to a misconfiguration when you don't have physical access to the box. Invoke RCF like this:

/sbin/rcf ; sleep 300 ; /sbin/rcf --accept-all

The 'sleep 300' will enable you to test this config for 5 minutes (300 secs). If it doesn't work after this period, rcf will open up the box entirely. You'll be able to login thereafter.
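The one-liner above has a weak spot: if the SSH session that runs it is lost, the shell is hung up and the pending 'sleep' and '--accept-all' may never run, which is exactly the situation it was meant to cover. The following shell function is an added example (not part of RCF) that wraps the same idea in a form that can be run under nohup, as this FAQ already recommends for --update-config: it loads the new rules, waits a bounded time for the operator to create a confirmation file, and reverts with --accept-all otherwise. /sbin/rcf and --accept-all are the switches documented on this page; the confirmation file, the file name rcf-guard.sh and the command parameters are assumptions of this example.

```shell
#!/bin/sh
# Guarded firewall reload: apply a new rule set, then revert to an open
# firewall after a timeout unless the operator confirms the new rules.
# Added example, not part of RCF. /sbin/rcf and --accept-all are the
# switches described in the FAQ; the confirmation file is this example's
# own mechanism (assumption: any path writable by root will do).

rcf_guarded_reload() {
    apply_cmd=$1        # command that loads the new rules, e.g. "/sbin/rcf"
    revert_cmd=$2       # command that opens the box, e.g. "/sbin/rcf --accept-all"
    timeout=$3          # seconds to wait for confirmation
    confirm_file=$4     # the operator creates this file to keep the new rules

    rm -f "$confirm_file"
    # If the new rules fail to load at all, open up immediately.
    $apply_cmd || { $revert_cmd; return 2; }

    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if [ -e "$confirm_file" ]; then
            rm -f "$confirm_file"
            return 0                    # confirmed: keep the new rules
        fi
        sleep 1
        waited=$((waited + 1))
    done
    # No confirmation within the timeout: assume we are locked out and
    # tear the firewall down so the operator can log back in.
    $revert_cmd
    return 1
}

# Usage on the firewall (detached, so a lost SSH session does not kill it):
#   nohup sh -c '. ./rcf-guard.sh; rcf_guarded_reload /sbin/rcf "/sbin/rcf --accept-all" 300 /tmp/rcf-confirmed' >/tmp/rcf-guard.log 2>&1 &
# Then, once you have verified that you can still log in:
#   touch /tmp/rcf-confirmed
```

The return code tells you what happened (0 confirmed, 1 reverted after the timeout, 2 reverted because loading the rules failed), so the nohup log file is enough to find out afterwards why the box was opened up.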


Configuring

Which RCF man pages are available?



How can I determine which services to open?

The firewall.conf file lists several services you offer, or accept from the public Internet. It's easy to get lost in it. Generally: If you don't know what the specific service is, you don't need it. Specify no hosts, just leave the quotes empty ("").
Look at your firewall logs if you don't know the host, protocol or port number or can't find them in http://www.iana.org/numbers.htm


How do I enable support for protocol XXXXX?

Enable all protocols you'll be needing by setting the accept-[int]-XXX-[servers|clients] options accordingly. Hosts and networks can be given in IP or hostname format; subnets may only be entered in IP format (for example 192.168.1.0/24 or 192.168.1.0/255.255.255.0 for a class C (private) network).


How do I open specific ports for my favorite game/application?

Since this script cannot possibly include every service out there, you can easily create your own script from the example provided in the file /etc/firewall/modules/public/services/tcp-clients-template. Copy the file to the relevant directory in the firewall-modules hierarchy and edit it to suit your needs. Run RCF with the --update-config parameter and edit your newly created options in /etc/firewall.conf. Upon restart of the firewall, your script should be executed. After you've fine-tuned your new service rules, please send the list a copy of your script. If this is a widely used application, and your rules look secure, they'll be added to RCF. You can also post your custom script and/or get some help from our developers mailing list.
Some previously developed scripts are available in /etc/firewall/modules/common. Link them (with the ln command) to the appropriate (private or public) directory.


How do I open certain ports when RCF has already started?

Use the --[accept|deny|forward]-[int]-[serv]-[hosts|servers|clients|ports|rhostlports] {host|ip|subnet} {...} switch. This adds a temporary entry to a configuration option, which is useful when you want to open up a service "on the fly". These settings will be lost the next time the firewall is executed.


How do I open all ports (i.e. tear down my firewall)?

Use the --accept-all switch. This sets the default policy to "accept"; flushes all firewall rules and removes chains. This allows any incoming and outgoing traffic.


How do I pass options to the modules to be loaded, e.g. ICQ?

Modprobe should be used to pass options to modules. The options should be entered in /etc/modules.conf or /etc/conf.modules. See man modprobe and man modules.conf for more information.


How do I determine whether I have enough firewall rules?

"That which is not strictly allowed, is prohibited." Keep that in mind. Deny everything that should not be allowed.
As to the number of rules reported by RCF: there's no general rule of thumb. It depends on your configuration. If you need to open lots of services to the outside world, your rule count will increase. Strict mode will also add a lot of rules (+/- 60) for added security. Counts have been reported in the range of 180 - 330 rules.


How can I be certain I am hacker-proof?

You can't. Simple as that. Nothing can be made 100% hacker-proof. Even Fort Knox can be cracked, but the effort might be more costly than the rewards. If you want to be certain no-one enters your box from the Internet, there's one solution: pull the plug. Don't connect. That's however not an option for most of us, so try to make as few services available to the outside world as possible. Comment them out in /etc/inetd.conf and block them with RCF. Don't start any unnecessary services in /etc/rc.d/rcX.d and block them with RCF. Be as secure on every level of configuration as you can possibly be. Read the guides mentioned in the websites section of this document.
You may also probe your security from other boxes with portscanners. They won't tell you whether a service is vulnerable, but they can show you the strength of your firewall.


How do I set up RCF to use my one ethernet card for both public and private traffic?

You can't. Private traffic is just what it says it is: private. It must not be allowed on the public Internet, since there's no way a packet sent to a private IP will ever arrive. It just pollutes the net. You should buy yourself a second ethernet card.


How do I enable support for IRC?

Make sure you have the right masquerading module installed in your firewall.conf:
masq-modules = irc


How do I enable support for ICQ?

Previously, it was suggested to just open a port range for your clients to use and load the icq kernel module to take care of the forwarding. This method became more and more obsolete with the introduction of ICQ 2000, since that version wasn't supported. Development on the kernel module seems to have stopped.
The current best practice, is to forward a small port range per client, and configure the client accordingly. This way, the special functions (file transfer, chat, etc.) will also work.
How can this be accomplished? In my example configuration, we have three hosts on the backend with their own ICQ clients. They're divided over two subnets:
192.168.1.2 on subnet 1, and 192.168.2.5 and 192.168.2.13 on subnet 2.
For the special functions of ICQ we need to allow direct connections:
accept-eth0-icqdirect-clients = any/0
The port range to cover all clients. (You may choose any range, as long as you don't pick one already occupied by standard programs. Check with IANA assignments first.)
accept-eth0-icqdirect-ports = 47101:47130
Of course we'll need to allow contact with the ICQ servers:
accept-eth0-icq-servers = 205.188.0.0/16
And the masq-modules option must not contain 'icq':
masq-modules = (does not contain 'icq')
Now we'll divide the ports among the clients. I used 10 ports per client, which seems to be a little too much. Using a smaller number of ports should work fine:
forward-eth0-tcp-hostports = 192.168.1.2 47101:47110, 192.168.2.13 47111:47120, 192.168.2.5 47121:47130
To make this work, configure the clients to use the same port ranges (instead of the default 'random ports' setting.) as you entered above. Restart the clients and the firewall, and you should be able to chat, receive files etc.


How do I enable support for pcAnywhere?

You'll need the pcAnywhere modules (which can be found in /etc/firewall/modules/common/services) linked to your private or public section (depending on your requirements). Run RCF with the --update-config parameter. After that reload RCF and it should work, unless your pcAnywhere is not using TCP/IP Compatibility mode. If it isn't working, visit symantec.com and search for "How to change the pcAnywhere IP ports". There is a short section on "Restricting pcAnywhere ports". Follow those instructions (it's a registry change on the host and remote) and then it should be working ok.


How do I get an IP address range for domains?

For example, you want to get the range for *.doubleclick.com. That is unfortunately not possible, since domain names are a feature of DNS, and are only related to IPs through DNS lookups. You have to use name lookup tools to find out the hosts in the domain, and use the address range returned by the nameserver. This example is a very peculiar one. Last time I researched it, some months ago, www.doubleclick.net had 16 different IP addresses, in 3 different subnets. The best solution to that problem is to run Squid with an ad zapper, or Junkbuster or so.


Can I use address ranges like 192.168.1.14-192.168.1.157 in the options?

No, you can't. It's inherent to the way IP addressing works. It's not RCF specific, not even specific to ipchains (or ipfwadm or iptables for that matter). Your only option is to put those IPs in a group file, and refer to that group file. That's why the groups file option was created.

E.g.
option = ./large-list-of-hosts
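Since a range like 192.168.1.14-192.168.1.157 has to be spelled out as individual addresses in a group file, the following shell script, an added example that is not part of RCF, generates such a file. It converts the two endpoints to integers and counts through them, so it also works for ranges that cross an octet boundary (192.168.1.250 to 192.168.2.3, say); the path under /etc/firewall/groups and the option name are taken from this FAQ, the function names are this example's own.

```shell
#!/bin/sh
# Generate an RCF group file for a contiguous address range.
# Added example, not part of RCF: RCF options cannot take a range such as
# 192.168.1.14-192.168.1.157, so the individual addresses go into a file
# under /etc/firewall/groups and the option refers to it as ./name.

# ip_to_int: dotted quad -> 32-bit integer
ip_to_int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# int_to_ip: 32-bit integer -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# ip_range START END: print every address from START to END inclusive,
# one per line, crossing octet boundaries as needed.
ip_range() {
    first=$(ip_to_int "$1") || return 1
    last=$(ip_to_int "$2") || return 1
    if [ "$first" -gt "$last" ]; then
        echo "ip_range: $1 is after $2" >&2
        return 1
    fi
    n=$first
    while [ "$n" -le "$last" ]; do
        int_to_ip "$n"
        n=$((n + 1))
    done
}

# Build the group file, then point an option at it in /etc/firewall.conf
# (option = ./large-list-of-hosts):
#   ip_range 192.168.1.14 192.168.1.157 > /etc/firewall/groups/large-list-of-hosts
ip_range 192.168.1.14 192.168.1.157
```

Re-run RCF after writing the group file, since the lists are only read when the firewall is (re)started.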


Logging

How can I see what my firewall is doing?

On several occasions you might wonder what traffic is being blocked -- to debug something, spot hacker activity, etc. I recommend you save syslog messages generated by ipchains to a separate log file. Add something like this to your /etc/syslog.conf file:
kern.=info /var/log/firewall/ipchains.log
'Normal' kernel logging can then be redirected by:
kern.notice /var/log/kernel
Remember to use only TABS as whitespace, NOT spaces, or else it will not work. The directory /var/log/firewall needs to exist, of course. You can follow it realtime with:
# tail -f /var/log/firewall/ipchains.log
Alternatively (or additionally), you can send all firewall log entries to a terminal with this syslog.conf entry, so you can watch the firewall log without logging in (this does not make much sense on a busy network):
kern.=info /dev/tty7
For more ideas please refer to the syslog documentation.


What do all those syslog log entries mean?

A typical log entry looks like this:
Sep 25 09:18:19 privateer kernel: Packet log: eth0i DENY eth0 PROTO=17
130.89.XXX.XXX:513 130.89.255.255:513 L=232 S=0x00 I=45818 F=0x0000 T=64
(#141)

Sep 25 09:18:19
The date and time the packet hit the firewall

privateer
It occurred on host 'privateer'

kernel
Was logged by the kernel

Packet log
Describes a packet log entry

eth0i
It matched a rule in the ruleset for 'eth0', 'i'nbound

DENY
The packet was denied (i.e. discarded without notice to the sender) You can have REJECT here as well, this discards the packet and acknowledges to the sender that it was discarded. We mostly DENY on the outside, and REJECT on the inside. That's because a sender must wait until the packet has expired, and will make the life of portscanners a little more difficult. This does reveal you have a strong firewall in place, though.

eth0
Occurred on 'eth0' (my external interface). Other devices might be ppp for a dialup link

PROTO=17
It was a packet with protocol 17, i.e. it was a UDP packet. (These protocol numbers can be found in /etc/protocols, or at http://www.iana.org/assignments/protocol-numbers) Other common numbers are for example 1 (ICMP) or 6 (TCP).

130.89.XXX.XXX
It originated at the host with IP 130.89.XXX.XXX (IP erased for privacy reasons)

513
On its port 513.
The numbers can be found in /etc/services, or far more exhaustive at http://www.iana.org/assignments/port-numbers

130.89.255.255
It was sent to IP 130.89.255.255, the broadcast on this (class B) subnet

513
With destination port 513

L=232
It had a length of 232 bytes

S=0x00
It had no type of service set.
In theory, you can tell the Internet how to handle your traffic, be it sensitive to delay, throughput, etc.
  • 0x10 = Minimum Delay
  • 0x08 = Maximum Throughput
  • 0x04 = Maximum Reliability
  • 0x02 = Minimum Cost
  • 0x00 = not set

I=45818
Had this ID number, which is not important to firewalls.

F=0x0000
It had a 16-bit fragment field (fragment offset including any IP header flags) of "0x0000".
"0x2..." or "0x3..." means the "More Fragments" bit was set, so more fragments will be coming in to complete this one big packet.
"0x4..." or "0x5..." means that the "Don't Fragment" bit is set. Any other value is the fragment offset (divided by 8), used later to recombine the fragments into the original big packet.

T=64
Its TTL (Time To Live) was 64. Each hop on the internet subtracts 1 from this number. If it reaches zero, we assume that it was lost and it will be dropped/discarded.

#141
And matched my firewall rule number 141 (as present in the kernel). If you want to know exactly which rule it was, use "ipchains -L -n --line-numbers".

Well, what do we know then? It was a packet from some host, broadcast to 513/UDP, and denied. This was, according to the IANA numbers, a communication which "maintains databases showing who's logged in to machines on a local net and the load average of the machine", AKA r-services. Nice to know, nothing threatening. But I personally think it gives away too much about his box, even though it might be cool to report your fabulous uptime.
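Reading one entry by hand is fine; spotting a host that is knocking on several ports in a row is easier when the log is summarised. The script below is an added example, not part of RCF: it parses the field layout explained above with awk and prints, per source address, how many DENY/REJECT entries it caused and which destination services it touched, busiest sources first. The log lines are constructed for this example (the first is the entry explained above with its wrapped line joined, the others are made up); for ICMP, ipchains logs type and code in the two port positions, which the script reports as the type.

```shell
#!/bin/sh
# Summarise blocked packets from ipchains "Packet log:" syslog entries.
# Added example, not part of RCF; it reads the field layout explained in
# the FAQ and reports, per source address, how many DENY/REJECT hits it
# caused and which destination services it touched, busiest sources first.

# Constructed sample log. The first entry is the one explained in the FAQ
# (wrapped line joined); the others are made up for this example.
SAMPLE_LOG='Sep 25 09:18:19 privateer kernel: Packet log: eth0i DENY eth0 PROTO=17 130.89.XXX.XXX:513 130.89.255.255:513 L=232 S=0x00 I=45818 F=0x0000 T=64 (#141)
Sep 25 09:18:20 privateer kernel: Packet log: eth0i DENY eth0 PROTO=6 10.9.8.7:4321 130.89.1.1:23 L=60 S=0x00 I=1 F=0x4000 T=51 (#95)
Sep 25 09:18:21 privateer kernel: Packet log: eth0i DENY eth0 PROTO=6 10.9.8.7:4322 130.89.1.1:25 L=60 S=0x00 I=2 F=0x4000 T=51 (#95)
Sep 25 09:18:22 privateer kernel: Packet log: eth1i REJECT eth1 PROTO=1 192.168.1.77:8 192.168.1.1:0 L=84 S=0x00 I=3 F=0x0000 T=64 (#160)
Sep 25 09:18:23 privateer kernel: Packet log: eth0i ACCEPT eth0 PROTO=6 10.9.8.7:4323 130.89.1.1:22 L=60 S=0x00 I=4 F=0x4000 T=51 (#12)'

# rcf_log_summary: read log lines on stdin; print "hits source service..." lines
rcf_log_summary() {
    awk '
    /Packet log:/ {
        # Fields after "log:" are: chain target device PROTO=n src:port dst:port ...
        for (i = 1; i <= NF; i++) if ($i == "log:") break
        target = $(i + 2)
        if (target != "DENY" && target != "REJECT") next
        p = substr($(i + 4), 7) + 0         # "PROTO=17" -> 17
        src = $(i + 5); sp = src
        sub(/:[0-9]+$/, "", src)            # source address only
        sub(/^.*:/, "", sp)                 # source port (ICMP: type)
        dp = $(i + 6); sub(/^.*:/, "", dp)  # destination port (ICMP: code)
        if (p == 1)       svc = "icmp-type" sp
        else if (p == 6)  svc = dp "/tcp"
        else if (p == 17) svc = dp "/udp"
        else              svc = dp "/proto" p
        hits[src]++
        if (!((src, svc) in seen)) {
            seen[src, svc] = 1
            ports[src] = (ports[src] == "" ? "" : ports[src] " ") svc
        }
    }
    END { for (s in hits) print hits[s], s, ports[s] }
    ' | sort -rn
}

# count_blocked: total number of DENY/REJECT entries on stdin
count_blocked() {
    rcf_log_summary | awk '{ n += $1 } END { print n + 0 }'
}

# Run it on the sample; on a live box: rcf_log_summary < /var/log/firewall/ipchains.log
printf '%s\n' "$SAMPLE_LOG" | rcf_log_summary
```

On the sample this reports 10.9.8.7 first, with two hits against 23/tcp and 25/tcp: one host trying several well-known ports in quick succession is the pattern worth a second look, whereas the single broadcast to 513/udp is the harmless r-services chatter discussed above. syslog may wrap long entries (as in the FAQ's own example); join wrapped lines before feeding them in.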


How do I log the screen output of RCF?

Invoke the script as:
/sbin/rcf 2>&1 | logger
This will log all output on level user.info. Make sure you have a rule in /etc/syslog.conf to do something with that level. (On my system it will by default be logged to /var/log/messages). If you're not comfortable with that level, use the '-p' flag of logger to specify the desired level.

If you use SysV startup scripts (e.g. /etc/rc.d/rc3.d/S12firewall) screen output is logged automatically when you change runlevels.


How do I log the screen output of RCF to a file, instead of syslog?

Invoke the script as:
/sbin/rcf 2>&1 | tee -a rcf.log
This will append (hence the '-a' flag) all output to the file rcf.log.


What are those martians in my logs?

Ask Mulder & Scully... Seriously, these are entries where packets were dropped because they were spoofed, source-routed, or redirect packets.


Advanced

How do I set up a DMZ (De-Militarized Zone) using RCF?

The architecture suggested with RCF is this:

--INTERNET--> firewall --DMZ--> router --MZ--|

The router should (of course) make use of ACLs to control DMZ->MZ traffic. Typically, databases would be located on the MZ.
Let's not forget, the 'standard' definition of a DMZ is a network with servers offering their services on the Internet. MZ servers should not communicate directly with the Internet, but only with DMZ servers in a very restricted fashion.
Using RCF, you have to keep your public IPs on the firewall, so you can't really load balance with RCF.
Note: DMZ support is not working correctly with RCF 5.0.1 and below. Use 5.1b7 or higher instead.

To accomplish this, you need to set in /etc/firewall.conf:

# De-Militarized Zones (DMZs) are public network segments connected to
# the firewall. DMZ servers typically offer public services such as
# http, ftp, etc. IP addresses on these segments should be routable on
# the internet (no private IPs like 10.0.0.0, 192.168.0.0, etc.).
#
dmz-interfaces = (your interface)


If you do an --update-config, you'll get a new option "dmz-(your interface)-clusters =" with a lot of extra information. If you defined clusters for your machines, you will have to do a second --update-config to get the new options, so you can enable the protocols you need for your clusters.


What would an MZ config look like?

This is JS's setup (using 5.1b9):
public-interfaces = eth1
private-interfaces = eth0:1 eth0:2 eth0:3


My network's gateway (10.1.1.1) is on eth0:1. eth0:2 is my DNS IP and eth0:3 is my SMTP server. I plan to move the DNS and SMTP services onto another server in a few weeks.

mz-interfaces = eth0

I want to control where LAN PCs can go, so eth0 (my private interface) is listed as an MZ interface instead.

public-interfaces-security = paranoid

I don't even trust myself! :-)

private-interfaces-security = paranoid
mz-interfaces-security = paranoid
mz-clusters-security = paranoid


In paranoid mode, I'll have to specify where LAN traffic can go. For example, if I have a proxy (which I do) and I want to prevent PCs from by-passing it...

mz-eth0-clusters = lan 10.1.1.0/24

I just create a single cluster for my whole LAN.

ignore-eth1-auth-clients = any/0

Don't log auth/identd denied traffic.

accept-eth1-dhcp-servers = 10.16.96.1 10.16.96.2 10.16.128.1 10.23.128.2

My ISP uses private IPs on their network! Ugly...

accept-eth1-dns-servers = any/0

My DNS must be able to reach-out to other DNSs...

accept-eth1-ftpactv-clients = any/0
accept-eth1-ftpactv-servers = ./ftpactv-servers
accept-eth1-http-clients = any/0
ignore-eth1-http-clients = a.x.y.z
accept-eth1-https-clients = any/0
accept-eth1-http-servers = any/0
accept-eth1-https-servers = any/0


Since I run in paranoid mode, I have to specify which services are allowed out.

ignore-eth1-ping-clients = any/0
accept-eth1-icqdirect-clients = ./icqdirect-clients
accept-eth1-icqdirect-ports = 4020:4030
accept-eth1-icqdirect-servers = any/0
accept-eth1-icq-servers = 205.188.0.0/16
accept-eth1-irc-servers = a.x.y.z
accept-eth1-nntp-servers = ./nntp-servers
accept-eth1-ntp-servers = time.risq.qc.ca clock.uregina.ca
accept-eth1-pop3-servers = pop.videotron.ca
accept-eth1-proxy-ports = 8000
ignore-eth1-smb-hosts = any/0
accept-eth1-smtp-clients = any/0
accept-eth1-smtp-servers = any/0
accept-eth1-ssh-clients = any/0
accept-eth1-ssh-servers = any/0
accept-eth1-time-servers = time.risq.qc.ca
accept-eth1-wmstream-servers = 208.184.229.0/24
iana-reserved-networks = ./iana-reserved-networks
accept-eth0-dhcp-clients = 10.1.1.0/24


I run a DHCP server on my private/MZ interface...

accept-eth0:2-dns-clients = 10.1.1.0/24
accept-eth0-nfs-servers = arthur.localdomain
accept-eth0:3-pop3-clients = trillian.localdomain
accept-eth0-proxy-clients = 10.1.1.0/24
accept-eth0:1-proxy-ports = 8000
accept-eth0:2-proxy-ports = 8000
accept-eth0:3-proxy-ports = 8000
accept-eth0-proxy-ports = 8000
accept-eth0:lan-proxy-ports = 8000
accept-eth0-smb-hosts = trillian.localdomain
ignore-eth0-smb-hosts = arthur.localdomain


arthur is another Linux box so I don't want to see its smb broadcasts.

accept-eth0:3-smtp-clients = 10.1.1.0/24
accept-eth0-smtp-clients = 10.1.1.0/24
accept-eth0-ssh-clients = 10.1.1.0/24
masq-modules = ftp irc raudio
masq-timeouts = 7200 10 160
forward-eth1-masq-networks = 10.1.1.0/24
debug = no
ipac-bindir = /opt/ipac/bin


You'll note that I didn't use any "*-eth0:lan-*" options. This is because opening a service for the interface, accept-eth0-ssh-clients for example, is equivalent to using accept-eth0:lan-ssh-servers. It all depends on your perspective. The difference would come when going from one interface to another, like in a DMZ/MZ setup. You'd have to open the outgoing service on one end and open it for incoming on the other.


How do I set up VPN (Virtual Private Networking) using RCF?

Setting up a Virtual Private Network is not an everyday job, but if you follow these steps correctly it should be a piece of cake. I'm assuming your external (VPN) interface will be eth0, but your situation may be different. Use the name of your VPN interface where I say [int] or eth0. Your ISP will give you an IP to use for your VPN connection.

How do I forward ports to a server on my internal LAN?

In some cases you may want to forward a port from your firewall directly to an internal (LAN) host. You can enter multiple hosts and ports in these variables (separated by commas). You'll also need to install the ipmasqadm tool (available from http://juanjox.linuxhq.com/).

Syntax:
forward-[int]-[prot]-hostports = [host/ip] [ports],[...]

The [ports] field can be a simple port number (25), a port range (3010:3020), or a local->remote port match (25->60 or 3010:3020->4010:4020). Multiple [ports] can also be entered for each host/ip.

Example:
forward-eth1-tcp-hostports = zaphod.localdomain 80 81
forward-eth1-tcp-hostports = zaphod.localdomain 80->8080
forward-eth1-tcp-hostports = zaphod.localdomain 6100:6200
forward-eth1-tcp-hostports = zaphod.localdomain 80, trillian.localdomain 23 25
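To check a forward-*-hostports value before it ends up in /etc/firewall.conf, here is an added example in POSIX sh (my own, not part of RCF) that expands a value into host / local ports / remote ports triples following the grammar above and rejects malformed port specs. The function names and the 1..65535 port limit are this example's own choices, not RCF settings.

```shell
#!/bin/sh
# Added example, not part of RCF: expand and validate the value of a
# forward-[int]-[prot]-hostports option as described in the FAQ.
#
# Grammar (from the FAQ): entries are separated by commas; each entry is
# a host (name or IP) followed by one or more port specs; a port spec is
# a single port (25), a range (3010:3020), or a local->remote match
# (25->60, 3010:3020->4010:4020).
#
# The function names and the 1..65535 limit are this example's choices.

ARROW='->'

# valid_ports PORTS -> 0 if PORTS is a port or a low:high range within
# 1..65535, 1 otherwise.
valid_ports() {
    case $1 in
        ''|*[!0-9:]*|:*|*:|*:*:*) return 1 ;;
    esac
    lo=${1%%:*}
    hi=${1##*:}
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# valid_spec SPEC -> 0 if SPEC is PORTS or PORTS->PORTS with valid halves.
valid_spec() {
    case $1 in
        *"$ARROW"*"$ARROW"*) return 1 ;;
        *"$ARROW"*) valid_ports "${1%%"$ARROW"*}" && valid_ports "${1#*"$ARROW"}" ;;
        *) valid_ports "$1" ;;
    esac
}

# expand_hostports VALUE -> prints one "host local-ports remote-ports"
# line per mapping. Returns 1 if any spec was malformed (the good ones
# are still printed, the bad ones are reported on stderr).
expand_hostports() {
    printf '%s\n' "$1" | tr ',' '\n' | {
        set -f   # no globbing while we word-split the port list
        rc=0
        # 'read' drops the blanks that follow a comma, so " trillian 23"
        # parses the same as "trillian 23".
        while read -r host ports; do
            [ -n "$host" ] || continue
            if [ -z "$ports" ]; then
                echo "no ports given for $host" >&2; rc=1; continue
            fi
            for spec in $ports; do
                if ! valid_spec "$spec"; then
                    echo "bad port spec '$spec' for $host" >&2; rc=1; continue
                fi
                case $spec in
                    *"$ARROW"*) lport=${spec%%"$ARROW"*}; rport=${spec#*"$ARROW"} ;;
                    *)          lport=$spec; rport=$spec ;;
                esac
                printf '%s %s %s\n' "$host" "$lport" "$rport"
            done
        done
        exit $rc
    }
}

# The FAQ's multi-host example, expanded:
expand_hostports 'zaphod.localdomain 80, trillian.localdomain 23 25'
```

The check is purely syntactic: it does not resolve the host names, and it does not know whether ipmasqadm is installed or which masquerading modules your kernel has. A spec such as 3020:3010 (high before low) or a port above 65535 is rejected, which is exactly the kind of typo that otherwise only shows up when the rule fails to load.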



How can I determine what ports should be forwarded to a server on my internal LAN?

If the protocol isn't already supported, you might find some valuable tips at http://www.tsmservices.com/masq/


How do I protect Windows machines on my internal LAN from trojans?

There are a few modules which can be linked from /etc/firewall/modules/common/block-remote-ports to /etc/firewall/modules/public/block-remote-ports. No --update-config is necessary, the firewall does need to be restarted however for the changes to take effect.


How do I use iptables / kernel 2.4.x and RCF?

RCF doesn't support iptables yet. Not to worry, ipchains will be supported for quite some time in the 2.4 kernels. (Refer to netfilter.filewatcher.org/unreliable-guides/packet-filtering-HOWTO/index.html) RCF will be ported to iptables eventually, but since defining a firewall with iptables is a far more complex matter than with ipchains, don't expect a reliable version (of any firewall for that matter) to come out soon.
Besides, you wouldn't see much difference either...
To use RCF with a 2.4 kernel you need to compile support for ipchains. Refer to the kernel configuration for the details.


How can I pipe all commands RCF will be executing to a custom script tailored to my setup?

Some users expressed the need for a tailored script, which improves execution speed. To create such a script, invoke RCF as follows:
/sbin/rcf --test >/dev/null 2>script.sh
Mind you, the new shell script will not reflect any changes in the config file. You'll need to create a new one each time you upgrade RCF, add or remove interfaces or change something in your configuration file.


How can I use multiple public connections in a fail-over setup?

In this example we have an ADSL modem on ppp0 and a CableModem on eth1. All referenced scripts can be found in a contrib directory, http://rcf.mvlan.net/dist/contrib/adsl-cable-failover/. The idea is to use the ADSL to host web servers, etc., and the CableModem for all outgoing stuff (like browsing the web from LAN PCs, outgoing e-mail, etc.). If one of the lines goes down, traffic should start using the other viable internet connection. This can all be done with routing. There's no monitoring of anything involved.

You do need a process running to move incoming connections from one line to the other, though. In this case we assume you're using dynamic DNS, which makes this fairly easy: monitor the ADSL line and, if it goes down, update the dynamic DNS with the cable's IP (using the cable's outgoing connection). Keep monitoring the ADSL line, and when it comes back update the DNS entries with the ADSL's IP.

What you need is a startup script called 'route' (created by Jean-Sébastien Morisset). It sits in /etc/rc.d/init.d/route and is executed when the system starts up and shuts down. The start/stop parameters introduce some default routes. The script also needs to be executed when an interface is brought up, i.e. the /etc/rc.d/init.d/adsl script will call /etc/rc.d/init.d/route with the 'adsl' parameter after successfully bringing up the ppp0 interface. The same goes for the cable modem script (/etc/rc.d/init.d/dhcpcd).

Here are the details of the routing...
# ip ro ls
10.1.1.60 dev eth0  scope link  src 10.1.1.60 
255.255.255.255 dev eth0  scope link 
64.39.160.16 dev ppp0  proto kernel  scope link  src 64.39.178.10 
10.1.1.10 dev eth0  scope link  window 16384
10.1.1.50 dev eth0  scope link  src 10.1.1.50 
10.1.1.1 dev eth0  scope link  src 10.1.1.1 
24.200.98.0/24 dev eth1  proto kernel  scope link  src 24.200.98.99 
10.1.1.0/24 dev eth0  proto kernel  scope link  src 10.1.1.10 
127.0.0.0/8 dev lo  scope link  window 16384
default via 24.200.98.1 dev eth1  metric 1000 
default via 64.39.160.16 dev ppp0  metric 2000 
Everything is fairly standard, except for the last two default routes. In this example, the preferred outgoing route is eth1 (metric 1000). If it fails, then traffic will start to go out ppp0 instead (metric 2000).

Here are iproute2's rules:
# ip ru ls
0:	from all lookup local 
500:	from all to 10.1.1.0/24 lookup main 
1000:	from 24.200.98.99 lookup cable 
2000:	from 64.39.178.10 lookup adsl 
3000:	from all to 10.1.1.0/24 lookup main 
5000:	from all to 216.162.64.9 lookup adsl 
5000:	from all to 216.162.64.65 lookup adsl 
5000:	from all to 216.162.64.130 lookup adsl 
5000:	from all to 216.162.64.71 lookup adsl 
5000:	from all to 216.162.65.26 lookup adsl 
5000:	from all to 205.237.233.50 lookup cable 
5000:	from all to 205.237.233.52 lookup cable 
5000:	from all to 209.171.35.194 lookup adsl 
5000:	from all to 209.171.38.37 lookup adsl 
5000:	from all to 209.171.38.40 lookup adsl 
5000:	from all to 209.171.38.104 lookup adsl 
32766:	from all lookup main 
32767:	from all lookup default 
Pref 500 allows LAN IPs to communicate with the firewall's public interfaces.
Pref 1000 uses the cable table to route all traffic from the cablemodem's IP.
Pref 2000 uses the adsl table to route all traffic from the adsl's IP.

Here's the cable routing table:
# ip ro ls tab cable
default via 24.200.98.1 dev eth1 
And the adsl routing table:
# ip ro ls tab adsl
default via 64.39.160.16 dev ppp0 
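To make the listings above concrete, here is an added example (my own, not the contrib 'route' script) that rebuilds the 'cable' and 'adsl' tables and the pref 500/1000/2000 rules with iproute2, using the addresses from the output above. It assumes /etc/iproute2/rt_tables already names the two tables, and it runs every iproute2 command through the variable IP so it can be dry-run with IP=echo; both are this example's conventions, not RCF's.

```shell
#!/bin/sh
# Added example, not RCF's own 'route' script: rebuild the two per-uplink
# routing tables and the source-based rules shown in the FAQ's "ip ru ls"
# and "ip ro ls tab ..." listings. Addresses come from those listings.
#
# Assumptions of this example:
#  - /etc/iproute2/rt_tables names the tables, e.g. "100 cable" and
#    "200 adsl" (the numbers are arbitrary).
#  - All iproute2 calls go through $IP, so the script can be dry-run with
#    IP=echo; the default is the real 'ip' binary.

IP=${IP:-ip}

CABLE_DEV=eth1; CABLE_IP=24.200.98.99; CABLE_GW=24.200.98.1
ADSL_DEV=ppp0;  ADSL_IP=64.39.178.10;  ADSL_GW=64.39.160.16
LAN_NET=10.1.1.0/24

# setup_uplink NAME DEV ADDR GW PREF
#   Give uplink NAME its own table holding only a default route, plus a
#   rule so that packets sourced from that uplink's address always leave
#   through it (replies to incoming connections stay on the right line).
setup_uplink() {
    name=$1; dev=$2; addr=$3; gw=$4; pref=$5
    $IP route flush table "$name" 2>/dev/null
    $IP route add default via "$gw" dev "$dev" table "$name"
    $IP rule del from "$addr" table "$name" 2>/dev/null
    $IP rule add from "$addr" table "$name" pref "$pref"
}

# setup_defaults
#   LAN-bound traffic is resolved in 'main' before any uplink rule, and
#   'main' carries both default routes with different metrics: the cable
#   link (metric 1000) is preferred, ADSL (metric 2000) is the fallback.
setup_defaults() {
    $IP rule del to "$LAN_NET" table main 2>/dev/null
    $IP rule add to "$LAN_NET" table main pref 500
    $IP route replace default via "$CABLE_GW" dev "$CABLE_DEV" metric 1000
    $IP route replace default via "$ADSL_GW" dev "$ADSL_DEV" metric 2000
}

apply_routing() {
    setup_defaults
    setup_uplink cable "$CABLE_DEV" "$CABLE_IP" "$CABLE_GW" 1000
    setup_uplink adsl  "$ADSL_DEV"  "$ADSL_IP"  "$ADSL_GW"  2000
}

# Like the FAQ's script: 'start' at boot, 'cable'/'adsl' from the
# interface scripts once a link is up, 'stop' at shutdown.
case ${1:-} in
    start|cable|adsl) apply_routing ;;
    stop) for t in cable adsl; do $IP route flush table "$t" 2>/dev/null; done ;;
esac
```

Run it with IP=echo first to see the exact commands it would issue. The pref 5000 rules in the listing above (particular hosts pinned to one link, e.g. each ISP's own servers) follow the same pattern: ip rule add to HOST table adsl pref 5000. The important property is that the source-based rules come before the metric-based defaults in 'main', so a connection accepted on the ADSL address is always answered over ADSL even while cable is the preferred outgoing link.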
Don't forget that the 'route' script must be called if/when one of your public IPs changes. The cable modem uses a DHCP client which executes a script called dhcpcd-eth1.exe (created by Jean-Sébastien Morisset) after it changes the IP. This script reloads the firewall rules for eth1 (only) and calls the 'route' script to update the routing tables.

The only thing left was sending web traffic to the secondary link if the primary went down. Since this example uses a dynamic DNS, just update the domain with the currently valid IP address. You could do the same with a static DNS, but the TTL should be fairly low (30 secs in this case). Run a script called check-routes every minute (in a cronjob) which pings the dynamic DNS provider (you could use any reliable ip like www.sun.com, or whatever). If the ping fails, then it tries from the secondary interface. If it fails also, then it checks the gateways. When the primary link comes back up, the DNS is updated once again. You probably want to avoid running this script as you're loading firewall rules, so the crontab would look like this:
# Don't make any route changes, etc. when rcf is running.
*/5  * * * *    [ "`ps --no-heading -C rcf`" ] || { /root/bin/check-interfaces; /root/bin/check-routes-and-dyndns; }
If you get the following error:
# ip ru ls
RTNETLINK answers: Invalid argument
Dump terminated


This just means you don't have the right kernel options selected. Configure your kernel like this:
# CONFIG_IP_MULTICAST is not set
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_ROUTE_LARGE_TABLES is not set
# CONFIG_IP_ROUTE_NAT is not set
# CONFIG_IP_PNP is not set
CONFIG_IP_FIREWALL=y
CONFIG_IP_FIREWALL_NETLINK=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_TRANSPARENT_PROXY=y
CONFIG_IP_MASQUERADE=y
CONFIG_IP_MASQUERADE_ICMP=y
CONFIG_IP_MASQUERADE_MOD=y
CONFIG_IP_MASQUERADE_IPAUTOFW=m
CONFIG_IP_MASQUERADE_IPPORTFW=m
CONFIG_IP_MASQUERADE_MFW=m
CONFIG_IP_ROUTER=y
CONFIG_IP_ALIAS=y
# CONFIG_IPV6 is not set
# CONFIG_IPX is not set


How can I restart one interface only?

RCF takes a significant time to run, and often other services attempt to get out/in before it's completed. This is why there's a "--refresh-interfaces" option. Why update all of the firewall chains when only one interface has gone up or down? So in /etc/ppp/ip-up.local and /etc/ppp/ip-down.local you should run rcf as follows:
/sbin/rcf -nsfc -ri $1
You can also use a wrapper to add a file locking scheme that stops rcf from running twice at the same time. This is necessary when several connections can come up at once, such as in a dial-in or pptp setup. You may also run into the situation where the rcf started from ip-up.local is running before the one started from ip-down.local has finished. This makes a real mess of the ipchains rules.
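Here is an added example of such a wrapper in POSIX sh (my own, not shipped with RCF). It serialises "rcf -nsfc -ri <interface>" calls with a lock directory, so concurrent ip-up.local/ip-down.local hooks queue up instead of interleaving their ipchains commands. The variables RCF_CMD, LOCK_DIR and LOCK_WAIT, and the stale-lock handling, are this example's assumptions, not RCF options.

```shell
#!/bin/sh
# Added example, not part of RCF: a wrapper for /etc/ppp/ip-up.local and
# ip-down.local that serialises "rcf -nsfc -ri <iface>" with a lock
# directory, so two refreshes never run at the same time. RCF_CMD,
# LOCK_DIR and LOCK_WAIT are this example's own settings (RCF_CMD can be
# pointed at a stub for testing).

RCF_CMD=${RCF_CMD:-/sbin/rcf}
LOCK_DIR=${LOCK_DIR:-/var/lock/rcf-refresh}
LOCK_WAIT=${LOCK_WAIT:-60}    # seconds to wait for a running refresh

# acquire_lock -> 0 once the lock is ours, 1 if it could not be had in
# LOCK_WAIT seconds. mkdir is atomic, so exactly one caller wins even if
# several ip-up/ip-down hooks fire at the same moment.
acquire_lock() {
    waited=0
    until mkdir "$LOCK_DIR" 2>/dev/null; do
        if [ -f "$LOCK_DIR/pid" ] && ! kill -0 "$(cat "$LOCK_DIR/pid")" 2>/dev/null; then
            # The holder died without cleaning up: reclaim the stale lock.
            rm -rf "$LOCK_DIR"
            continue
        fi
        [ "$waited" -lt "$LOCK_WAIT" ] || return 1
        sleep 1
        waited=$((waited + 1))
    done
    echo $$ > "$LOCK_DIR/pid"
    return 0
}

release_lock() {
    rm -rf "$LOCK_DIR"
}

# refresh_interface IFACE -> runs the refresh under the lock and returns
# rcf's exit status, or 1 if the lock could not be acquired in time.
refresh_interface() {
    iface=$1
    if ! acquire_lock; then
        echo "rcf refresh of $iface: lock busy, giving up" >&2
        return 1
    fi
    # Release the lock even if we are killed while rcf runs.
    trap 'release_lock' EXIT INT TERM
    $RCF_CMD -nsfc -ri "$iface"
    status=$?
    release_lock
    trap - EXIT INT TERM
    return $status
}

# ip-up.local / ip-down.local pass the interface name as $1.
if [ $# -gt 0 ]; then
    refresh_interface "$1"
fi
```

Install it as the single entry point both hooks call, so every refresh goes through the same lock. If a refresh cannot get the lock within LOCK_WAIT seconds the wrapper gives up and reports it, which is preferable to two rcf runs rewriting the same chains; the hook that follows the next link change will refresh the interface anyway.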


Speed and performance

Is it possible that RCF slows down my connection?

No. Given the speed of computers nowadays, you shouldn't experience any performance loss, not even on an old 486. If you do experience delays, they are probably due to an auxiliary protocol that has to time out, such as an ident lookup during SMTP. If you wish, enable/add support for the component that can't connect.


How come protocol XYZ takes much longer when I use RCF?

This is because you forgot to enable support for a part of the particular protocol you are having problems with. See the previous question.


How come my box runs out of memory/CPU time etc.?

First of all: RCF is not a program in the sense that it keeps running. RCF is merely a script which feeds ipchains commands to the kernel. As soon as it exits, it's no longer running or sleeping in any way. It exited.
The only thing running then (regarding firewalling) is the kernel. The kernel reads the headers of incoming and outgoing packets and checks them against the table of rules RCF has set up. This process costs relatively little CPU time and memory.

Thrashing (what happens when programs continuously swap each other out in order to run) occurs on systems that are low on memory, but cannot be caused by RCF. If you experience this type of problem and you run a box with, say, 16 MB or less RAM, you'll need to disable large windows in your kernel (Networking options - IP: Allow large windows).

CONFIG_SKB_LARGE:
On high speed, long distance networks the performance limit on networking becomes the amount of data the sending machine can buffer until the other end confirms its reception. (At 45 Mbit/second there are a lot of bits between New York and London...). If you say Y here, bigger buffers can be used which allows larger amounts of data to be "in flight" at any given time. It also means a user process can require a lot more memory for network buffers and thus this option is best used only on machines with 16 MB of memory or higher. Unless you are using long links with end to end speeds of over 2 Mbit a second or satellite links this option will make no difference to performance.


There's one other problem you may run into: syslogd can't cope with all the entries that should be made. Normally this only occurs on a busy network running in debug mode, but there are other situations which can cause this problem. For instance:


Development

How can I contribute my module to the current sources through CVS?

The CVS repository is used to add new or modified files. You can browse the file hierarchy by picking directories (which have slashes after them, e.g., rcf-5.2.1/). If you pick a file, you will see the revision history for that file. Selecting a revision number will display that revision. There is a link at each revision to display diffs between that revision and the previous one. A form at the bottom of the page will also allow you to display diffs between arbitrary revisions.

You can also check out the latest code using our public cvs pserver. Here's an example of the syntax:
cvs -d :pserver:anonymous@cvs.mvlan.net:/rcf login
cvs -d :pserver:anonymous@cvs.mvlan.net:/rcf co rcf-5.2.1


Or to check out a specific release (aka branch):
cvs -d :pserver:anonymous@cvs.mvlan.net:/rcf co -r [branch] rcf-5.2.1

-r [branch] is optional and refers to the current development release (i.e. HEAD, a1, b1, c1, etc.).

To work on the current development code, check out the main (aka HEAD) branch. Example:
cvs -d :pserver:username@cvs.mvlan.net:/rcf login
cvs -d :pserver:username@cvs.mvlan.net:/rcf co rcf-5.2.1

If you need to go back to a specific release (to test for reported bugs, create patches, etc.), you should specify the branch. Example:
cvs -d :pserver:username@cvs.mvlan.net:/rcf update -P -r c1 rcf-5.2.1

You can go back to the current development version using:
cvs -d :pserver:username@cvs.mvlan.net:/rcf update -P -r HEAD rcf-5.2.1

As we develop the main (aka HEAD) branch, we'll decide to release an alpha, beta, pre-release, etc. version. At that time, Jean-Sébastien will create a new branch. This is only a place marker and should only be used as mentioned above.

cvs watch has also been turned on. This means that all checked-out code is read-only. Instead of using a chmod command, use the "cvs edit" and "cvs unedit" commands to make the code read-write and read-only again. Other developers may place watches on specific files, and those edit/unedit commands could trigger status messages to be sent to them.

The "cvs watchers" command will list who is watching which files, and "cvs editors" will list who is working on those files. A "cvs commit" will take care of unediting the file.


How can I obtain a CVS account?

You should contact Jean-Sébastien directly.


Miscellaneous

How does the numbering scheme work (e.g. 110-modulename)?

The numbering scheme has nothing to do with port numbers! The numbers give the order in which the modules are loaded into the kernel, and hence the order of their rules in the ipchains stack. Services which transfer a lot of data should be uppermost.


How do I block SPAM with my firewall?

A firewall is not the most suitable tool for dealing with spam. There are enough anti-spam features in for example sendmail to deal with it. If you're interested in blocking SPAM, have a look at http://mail-abuse.org/rss/


How do I block annoying ads (e.g. from doubleclick.net)?

A firewall is not the most suitable tool for dealing with that. There are some programs which can do it for you, e.g. junkbuster.


How do I report a bug?

About the RCF script:
Send a message to the author, Jean-Sébastien Morisset, or to the 'users' mailing list.

About the RCF FAQ:
Send a message to the author, Edwin ten Brink, or to the 'users' mailing list.


How do I contribute to the evolution of RCF?

Join the 'developers' mailing list, and contribute your additions there or consider becoming an official RCF developer.

Mailing lists

How do I pose a question to a mailing list?

If you want to contribute a custom module, you should direct your mail towards the developers list.
If you have a question on the current version of RCF, your mail should be addressed towards the users list. If you want to have a quick answer to your question, include the version number of RCF you're using, a few relevant lines of your logs and your configuration (obtained with the --show-config parameter).
Be sure your problem isn't described in the man pages, this FAQ or the mailing list archives already.


How do I unsubscribe from one of the mailing lists?

See the section on mailing lists for instructions.


Why is nobody answering my question on the list?

There may be several causes for this. Either no one knows the answer, or your problem is not formulated clearly or lacks the information needed to give an answer. Or simply no one has had time to look at your problem yet. Remember that all members of the list are volunteers and may have other things on their hands...

4. How should I configure my kernel?

A list of the options needed is below. Unless you have an urgent reason not to, I recommend you enable all options below. The ones marked 'recommended' should only be disabled if you know what you're doing, or when you're very low on memory.

2.0.x and earlier kernels

Kernels prior to 2.2.x are not capable of running ipchains, but use ipfwadm instead. There is currently no version of RCF which supports ipfwadm.

2.2.x kernels

In General Setup:
Needed:
Networking support: CONFIG_NET
Recommended:
Sysctl support: CONFIG_SYSCTL

In Networking options:
Needed:
Network firewalls: CONFIG_FIREWALL
Needed:
TCP/IP Networking: CONFIG_INET
Recommended:
IP: advanced router: CONFIG_IP_ADVANCED_ROUTER
Recommended (speed):
IP: use TOS value as routing key: CONFIG_IP_ROUTE_TOS
Recommended (security):
IP: verbose route monitoring: CONFIG_IP_ROUTE_VERBOSE
Needed:
IP: firewalling: CONFIG_IP_FIREWALL
Needed (masquerading):
IP: masquerading: CONFIG_IP_MASQUERADE
Recommended (security):
IP: ICMP masquerading: CONFIG_IP_MASQUERADE_ICMP
Needed (port forwarding, ICQ etc.):
IP: masquerading special modules support: CONFIG_IP_MASQUERADE_MOD
Recommended (speed when routing mostly):
IP: optimize as router not host: CONFIG_IP_ROUTER
Recommended (security):
IP: TCP syncookie support: CONFIG_SYN_COOKIES

In Network device support:
Needed:
Network device support: CONFIG_NETDEVICES
Needed:
Support for your network card or dialup connection

In Filesystems:
Recommended:
/proc filesystem support: CONFIG_PROC_FS
Don't forget to save the options, compile, copy, install and reboot with that kernel.

2.4.x kernels

In General Setup:
Needed:
Networking support: CONFIG_NET
Recommended:
Sysctl support: CONFIG_SYSCTL

In Networking options:
Needed:
Network packet filtering (replaces ipchains): CONFIG_NETFILTER
Needed:
Unix domain sockets: CONFIG_UNIX
Needed:
TCP/IP Networking: CONFIG_INET
Recommended:
IP: advanced router: CONFIG_IP_ADVANCED_ROUTER
Recommended (speed):
IP: use TOS value as routing key: CONFIG_IP_ROUTE_TOS
Recommended (security):
IP: verbose route monitoring: CONFIG_IP_ROUTE_VERBOSE
Recommended (security):
IP: TCP syncookie support: CONFIG_SYN_COOKIES
Needed:
ipchains (2.2-style) support: CONFIG_IP_NF_COMPAT_IPCHAINS

In Network device support:
Needed:
Network device support: CONFIG_NETDEVICES
Needed:
Support for your network card or dialup connection

In Filesystems:
Recommended:
/proc filesystem support: CONFIG_PROC_FS
Don't forget to save the options, compile, copy, install and reboot with that kernel.

5. More information

5.1 Websites

As everyone knows, nothing changes faster than the Internet, so the links below may have changed. If you find a broken link or a site of which you feel it really should be in here, please report it to me.
There are tons of information out there. This list is not, and will not be, complete. It merely provides useful references.

RCF Homepage

Main page: Mirrors:

HOWTO's

http://linux.seva.net/LDP/HOWTO/HOWTO-INDEX/howtos.html
For a list of all available Linux Documentation Project HOWTOs.
Some specific HOWTO's are listed below.

http://linux.seva.net/LDP/HOWTO/Ethernet-HOWTO.html
This is the Ethernet-Howto, which is a compilation of information about which ethernet devices can be used for Linux, and how to set them up.
Note that this Howto is focused on the hardware and low level driver aspect of the ethernet cards, and does not cover the software end of things like ifconfig and route. See the Network Howto for that stuff.

http://linux.seva.net/LDP/HOWTO/Firewall-HOWTO.html
http://www.grennan.com/Firewall-HOWTO.html
This document is designed to describe the basics of firewall systems and give you some detail on setting up both a filtering and proxy firewall on a Linux based system.

http://linux.seva.net/LDP/HOWTO/IP-Masquerade-HOWTO.html
This document describes how to enable the Linux IP Masquerade feature on a given Linux host. IP Masq is a form of Network Address Translation or NAT that allows internally connected computers that do not have one or more registered Internet IP addresses to have the ability to communicate to the Internet via your Linux box's single Internet IP address.

http://linux.seva.net/LDP/HOWTO/IPCHAINS-HOWTO.html
This document aims to describe how to obtain, install and configure the enhanced IP firewalling chains software for Linux, and some ideas on how you might use them.

http://linux.seva.net/LDP/HOWTO/Net-HOWTO/index.html
General information about networking for Linux.

http://linux.seva.net/LDP/HOWTO/Networking-Overview-HOWTO.html
The purpose of this document is to give an overview of the networking capabilities of the Linux Operating System and to provide pointers for further information and implementation details.

http://linux.seva.net/LDP/HOWTO/Security-HOWTO.html
This document is a general overview of security issues that face the administrator of Linux systems. It covers general security philosophy and a number of specific examples of how to better secure your Linux system from intruders. Also included are pointers to security-related material and programs.

Linux Documentation Project (LDP)

http://www.linuxdoc.org/LDP/nag2/
The Linux Network Administrators Guide

http://www.linuxdoc.org/LDP/sag/index.html
The Linux System Administrators Guide

Clarification of protocol/port/network/rfc numbers

http://www.iana.org/assignments/ipv4-address-space
List of allocated networks.

http://www.iana.org/assignments/port-numbers
List of port numbers and their usual application.

http://www.iana.org/assignments/protocol-numbers
List of protocol numbers.

http://www.cis.ohio-state.edu/htbin/rfc/INDEX.rfc.html
http://info.internet.isi.edu/in-notes/rfc/
List of RFC's (protocol specifications)

Assessing your security

http://www.nessus.org/
Downloadable scanner which also probes for security exploits.

http://grc.com/default.htm
Probes your ports remotely.
Doesn't cover everything, but quickly checks the basics.
Mainly Windoze-oriented.

http://www.insecure.org/nmap/index.html
Great downloadable portscanner. Determines remote OS and uptime as well.

http://www.insecure.org/nmap/index.html
Commercial remote portscanner. One free try.

Host information

http://www.whois.org/
Provides information on domain names

http://www.traceroute.org/
Performs a traceroute to a selected host

http://www.norid.no/domreg.html
Domain name registries around the world

Other information

http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS/cHTML/TrinityOS-c.html
TrinityOS: A Guide to Configuring Your Linux Server for Performance, Security, and Managability

http://www.rcf-tools.com/linux/ (broken)
The Linux Firewall and Security Site
Tons of links to several security sites

http://www.tsmservices.com/masq/
List of ports which need to be forwarded for a lot of protocols.

Sites where RCF is advertised

Freshmeat
http://freshmeat.net/projects/rcf

SecurityFocus
http://www.securityfocus.com/tools/1654
You can vote for RCF here too!

New version announces will also be made on these newsgroups:
comp.os.linux.announce
comp.os.linux.networking
comp.os.linux.security
comp.security.firewalls

5.2 Mailing lists

The RCF mailing lists

Read this FAQ and the archives of the mailing lists first before posting a question to any of the mailing lists!
There are three mailing lists, all with different audiences. You may subscribe to any combination of them.
Linux ipchains firewall announce mailing list
Audience:
All users who want to be notified of updates
About the list:
http://lists.mvlan.net/mailman/listinfo/rcf-announce
Archive of previous posts:
http://www.mvlan.net/pipermail/rcf-announce/
Help about the list:
Mail to: rcf-announce-request@lists.mvlan.net
With the subject: "help"
Subscribe:
Mail to: rcf-announce-request@lists.mvlan.net
With the subject: "subscribe"
Unsubscribe:
Mail to: rcf-announce-request@lists.mvlan.net
With the subject: "unsubscribe"

Linux ipchains firewall users mailing list
Audience:
Users who want to ask or answer general user questions about the current production version.
So no development questions!
About the list:
http://www.mvlan.net/mailman/listinfo/rcf-users
Archive of previous posts:
http://www.mvlan.net/pipermail/rcf-users/
Help about the list:
Mail to: rcf-users-request@lists.mvlan.net
With the subject: "help"
Subscribe:
Mail to: rcf-users-request@lists.mvlan.net
With the subject: "subscribe"
Unsubscribe:
Mail to: rcf-users-request@lists.mvlan.net
With the subject: "unsubscribe"
Posting a message:
Mail to: rcf-users@lists.mvlan.net

Linux ipchains firewall developers mailing list
Audience:
Users who want to participate in or stay informed about developments of RCF
About the list:
http://www.mvlan.net/mailman/listinfo/rcf-dev
Archive of previous posts:
http://www.mvlan.net/pipermail/rcf-dev/
Help about the list:
Mail to: rcf-dev-request@lists.mvlan.net
With the subject: "help"
Subscribe:
Mail to: rcf-dev-request@lists.mvlan.net
With the subject: "subscribe"
Unsubscribe:
Mail to: rcf-dev-request@lists.mvlan.net
With the subject: "unsubscribe"
Posting a message:
Mail to: rcf-dev@lists.mvlan.net

Other, security- or firewall related mailing-lists

Various lists can be found at SecurityFocus, among them the famous BugTraq.

5.3 Newsgroups

comp.os.linux.networking
Deals with Linux networking

comp.os.linux.security
Deals with Linux security

comp.protocols.tcp-ip
Deals with the TCP/IP protocol

comp.protocols.tcp-ip.domains
Deals with Internet domains

comp.security.firewalls
Deals with firewalling in general




"Note that if I can get you to "su and say" something just by asking, you have a very serious security problem on your system and you should look into it."
(By Paul Vixie, vixie-cron 3.0.1 installation notes)