CONFIGURATION of picoFIREWALL                                      13Jul2006/uk

1. Basic configuration

Basic configuration of picoFIREWALL is done after the installation in the file
/etc/picofirewall/picofirewall.conf - usually you only have to set the name of
the network interface there. The few other settings are explained in that file.

The following sections are only needed if you want to fine-tune picoFIREWALL:
to let other machines access your machine, or to further limit the logging of
packets arriving at your machine.

2. Opening your firewall for selected machines and opening ports

picoFIREWALL follows a conservative strategy: the default policy is to drop all
packets, and only what is explicitly needed is accepted. If you have 'trusted
machines', or want to open some ports completely, you do this with the two
configuration files open_log.cfg and open_nolog.cfg in the directory
/etc/picofirewall .

open_log.cfg
  Here you may enter the IP addresses of machines you trust. You may allow a
  machine full access, or restrict it to certain protocols and ports. It is
  also possible to open ports completely, for any remote machine. The details
  are given in the file open_log.cfg itself.

  If you have an ADSL router between your machine and the internet, enter its
  IP address here, especially if you run automated telnet sessions to the
  device. If you are on a private network that reaches the internet through a
  router, enter the IP addresses of the trusted machines on your private
  network here. Entries are matched on the source address only, so list only
  addresses you control or that sit on a network segment you trust.

  Whatever you allow in this file is still logged (minimally), so you keep an
  overview of what is happening - especially if you also install
  'picofirescan'.

open_extra_log.cfg
  Treated by picoFIREWALL exactly like open_log.cfg, but typically used for
  temporarily opening the firewall for one or several hosts.

open_nolog.cfg
  Basically the same as open_log.cfg, but packets allowed by this file are not
  logged. Be careful with this! If you allow anything here, the log file will
  not show what is going on; I do not recommend making any entries here.

3. Logging less than the default

picoFIREWALL is designed to log the packets arriving at your machine well,
while keeping a balance so that the log file does not overflow - not even
during a portscan. If you want to log less, use the two configuration files
noise_log.cfg and noise_nolog.cfg in the directory /etc/picofirewall .

Some machines send lots of packets during the day. picoFIREWALL protects you
well against these, but if you find it annoying to see the same type of packet
from the same machine in your log file again and again, you can further limit
the logging of such 'noisy' machines (often Windows or Mac machines) that send
'noise' to your machine too frequently.

noise_log.cfg
  Here you may enter the IP addresses of machines that send lots of packets
  (which are dropped, but appear in the log file). Such packets are then
  logged only once a day, so you still keep some overview of what is going
  on. The details are given in the file noise_log.cfg itself.

noise_nolog.cfg
  If you have identified sources whose packets are dropped and are of
  absolutely no interest to you, their IP addresses can be entered here. Such
  packets are dropped and not logged at all. The file contains a few
  suggestions from me.

4. The format used in the four fine-tuning configuration files

In the *.cfg files (open_log.cfg, open_extra_log.cfg, open_nolog.cfg,
noise_log.cfg and noise_nolog.cfg) you configure which packets from remote
machines are accepted, or - in the case of 'noisy' machines that fill your log
file - are dropped and logged less often. The same notation is used in all
these files; a definition can take one of three forms:

  IPnumber                     # any packet FROM IPnumber
  IPnumber,protocol,port       # packets FROM IPnumber via 'protocol' TO our port
  IPnumber,protocol,port:port  # packets FROM IPnumber TO a range of our ports

Example:

  +---------------+                          +----------------+
  | IP number     |       destination        |+--------------+|
  | of a remote   |------->--------------->  || Your machine ||
  | machine       |   protocol       port    || with the     ||
  +---------------+                          || firewall     ||
  111.222.111.222       tcp           22     |+--------------+|
                                             +----------------+

  111.222.111.222,tcp,22   # packets from 111.222.111.222 sent via tcp to port 22

A line like this in one of the *.cfg files refers to packets from the machine
with the IP number 111.222.111.222, sent with the protocol 'tcp' to the
destination port '22' on your machine (the remote machine's source port plays
no role). If this line appears in open_log.cfg, such packets are accepted and
logged. If it appears in noise_log.cfg, such packets are dropped and logged
(once a day).

5. Using picoFIREWALL and other iptables commands

Should you want to execute additional iptables commands for your own purposes,
create an executable file /etc/picofirewall/commands_after_start.sh; it is
executed after picoFIREWALL has been started. Similarly, to execute iptables
commands after picoFIREWALL has been stopped, create an executable file
/etc/picofirewall/commands_after_stop.sh; it is executed after picoFIREWALL
has been stopped.

-.-
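For the notation of section 4, an added example that is not part of picoFIREWALL: a POSIX shell linter that checks entries in the *.cfg notation before you restart the firewall, and a helper that prints the iptables rule the documented behaviour of each file implies for an entry. The INPUT chain, the log prefixes, the use of -m limit for "once a day" and the restriction to tcp/udp in the port forms are this example's assumptions about how to express the documented behaviour, not picoFIREWALL's own rule set.

```sh
#!/bin/sh
# Added example, not part of picoFIREWALL: lint entries written in the
# notation of open_log.cfg, open_extra_log.cfg, open_nolog.cfg, noise_log.cfg
# and noise_nolog.cfg, and show the iptables rule the documented behaviour of
# each file implies.  Assumptions: rules live in INPUT, log prefixes are made
# up here, "once a day" is expressed with -m limit, and only tcp/udp carry ports.
set -f   # no pathname expansion while fields are split with IFS

# valid_ipv4 ADDR: four dot-separated decimal octets, each 0-255
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet; do [ "$octet" -le 255 ] || return 1; done
}

# valid_port NUM: decimal 1-65535
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# pico_parse_entry LINE: accept the three documented forms
#   IPnumber | IPnumber,protocol,port | IPnumber,protocol,port:port
# (a trailing "# comment" and blanks are ignored) and print
# "IP PROTO FIRST LAST", with "all - -" when no protocol/port is given.
# Returns 1 with a diagnostic on stderr for anything else.
pico_parse_entry() {
    raw=$1
    entry=$(printf '%s' "${raw%%#*}" | tr -d ' \t')
    oldifs=$IFS; IFS=,; set -- $entry; IFS=$oldifs
    ip=${1:-}; proto=${2:-}; ports=${3:-}
    valid_ipv4 "$ip" || { echo "bad IP number in: $raw" >&2; return 1; }
    case $# in
        1) printf '%s all - -\n' "$ip"; return 0 ;;
        3) ;;
        *) echo "expected IP or IP,protocol,port[:port] in: $raw" >&2; return 1 ;;
    esac
    case $proto in
        tcp|udp) ;;
        *) echo "unsupported protocol '$proto' in: $raw" >&2; return 1 ;;
    esac
    first=${ports%%:*}; last=${ports#*:}      # "22" gives first=last=22
    if ! valid_port "$first" || ! valid_port "$last" || [ "$first" -gt "$last" ]; then
        echo "bad port or port range '$ports' in: $raw" >&2; return 1
    fi
    printf '%s %s %s %s\n' "$ip" "$proto" "$first" "$last"
}

# pico_rule_for CFGFILE LINE: print the iptables rule(s) implied by CFGFILE's
# documented behaviour: open_*log.cfg accept (with LOG), open_nolog.cfg accepts
# silently, noise_log.cfg logs at most once a day then drops, noise_nolog.cfg drops.
pico_rule_for() {
    fields=$(pico_parse_entry "$2") || return 1
    set -- "$1" $fields            # $1=file $2=ip $3=proto $4=first $5=last
    match="-s $2"
    if [ "$4" != "-" ]; then
        if [ "$4" = "$5" ]; then match="$match -p $3 --dport $4"
        else match="$match -p $3 --dport $4:$5"; fi
    fi
    case $(basename "$1") in
        open_log.cfg|open_extra_log.cfg)
            echo "iptables -A INPUT $match -j LOG --log-prefix 'pico-open: '"
            echo "iptables -A INPUT $match -j ACCEPT" ;;
        open_nolog.cfg) echo "iptables -A INPUT $match -j ACCEPT" ;;
        noise_log.cfg)
            echo "iptables -A INPUT $match -m limit --limit 1/day --limit-burst 1 -j LOG --log-prefix 'pico-noise: '"
            echo "iptables -A INPUT $match -j DROP" ;;
        noise_nolog.cfg) echo "iptables -A INPUT $match -j DROP" ;;
        *) echo "unknown configuration file: $1" >&2; return 1 ;;
    esac
}

# pico_lint CFGFILE: check every entry (blank and comment lines are skipped),
# print "FILE:LINE: diagnostic" for each malformed one, return 1 if any.
pico_lint() {
    errors=0; lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $(printf '%s' "$line" | tr -d ' \t') in ''|'#'*) continue ;; esac
        if ! msg=$(pico_parse_entry "$line" 2>&1 >/dev/null); then
            echo "$1:$lineno: $msg"; errors=$((errors + 1))
        fi
    done < "$1"
    [ "$errors" -eq 0 ]
}

# Usage: sh pico_lint.sh /etc/picofirewall/*.cfg   (exit status 1 if any entry is malformed)
if [ $# -gt 0 ]; then
    status=0
    for f; do pico_lint "$f" || status=1; done
    exit "$status"
fi
```

Run the linter on the *.cfg files before restarting picoFIREWALL; a malformed line is reported with its file and line number. pico_rule_for is there to make the semantics of the four files concrete (for example, pico_rule_for noise_log.cfg '111.222.111.222,tcp,22' prints a rate-limited LOG rule followed by a DROP rule); it prints the rules and does not apply them.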
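For the hooks of section 5, an added example that is not shipped with picoFIREWALL: one script that can be installed as both commands_after_start.sh and commands_after_stop.sh (a symlink will do). It keeps its rules in a private chain so the stop hook removes exactly what the start hook added, and it only restricts (drops excess new SSH connections per source address) rather than accepting anything, so the *.cfg files remain the only place that grants access. The chain name PICO_EXTRA, the SSH limit (5 new connections per source within 60 seconds) and the log prefix are assumptions for illustration, not picoFIREWALL defaults.

```sh
#!/bin/sh
# Added example, not shipped with picoFIREWALL: one script to install as both
# /etc/picofirewall/commands_after_start.sh and
# /etc/picofirewall/commands_after_stop.sh (a symlink will do).  Everything it
# adds lives in its own chain, so the stop hook removes exactly what the start
# hook added.  Chain name, SSH limit and log prefix are illustrative choices.
set -u

IPTABLES=${IPTABLES:-iptables}
CHAIN=PICO_EXTRA           # hypothetical chain name, not a picoFIREWALL chain
SSH_PORT=22
DRY_RUN=${DRY_RUN:-}       # set DRY_RUN=1 to print the commands instead of running them

# ipt ARGS...: run one iptables command, or print it in dry-run mode
# (the printout is a preview; arguments are not re-quoted)
ipt() {
    if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else "$IPTABLES" "$@"; fi
}

# has_chain: true if our chain exists; has_rule ARGS: true if the rule exists
# (iptables -C, iptables 1.4.11 or later).  In dry-run mode both report "no"
# so that the preview shows the full set of commands.
has_chain() { [ -z "$DRY_RUN" ] && "$IPTABLES" -n -L "$CHAIN" >/dev/null 2>&1; }
has_rule()  { [ -z "$DRY_RUN" ] && "$IPTABLES" -C "$@" 2>/dev/null; }

# pico_after_start: (re)build the chain and hook it in front of INPUT once.
# The chain only drops excess NEW SSH connections; everything else returns to
# INPUT, so picoFIREWALL's own rules (and the *.cfg files) still decide.
pico_after_start() {
    if has_chain; then ipt -F "$CHAIN"; else ipt -N "$CHAIN"; fi
    # remember every new SSH connection per source address ...
    ipt -A "$CHAIN" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --name PICO_SSH --set
    # ... and from the 5th one within 60 seconds on, log (rate-limited) and drop
    ipt -A "$CHAIN" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --name PICO_SSH --rcheck --seconds 60 --hitcount 5 \
        -m limit --limit 1/minute -j LOG --log-prefix "pico-extra ssh flood: "
    ipt -A "$CHAIN" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --name PICO_SSH --update --seconds 60 --hitcount 5 -j DROP
    # insert the jump last, so traffic never sees a half-built chain
    has_rule INPUT -j "$CHAIN" || ipt -I INPUT 1 -j "$CHAIN"
}

# pico_after_stop: unhook, flush and delete the chain.  Errors are ignored
# because picoFIREWALL's own stop may already have flushed everything.
pico_after_stop() {
    ipt -D INPUT -j "$CHAIN" 2>/dev/null || :
    ipt -F "$CHAIN" 2>/dev/null || :
    ipt -X "$CHAIN" 2>/dev/null || :
}

case ${1:-$(basename "$0")} in
    start|commands_after_start.sh) pico_after_start ;;
    stop|commands_after_stop.sh)   pico_after_stop ;;
    *) echo "usage: $0 start|stop (or install as commands_after_start.sh / commands_after_stop.sh)" >&2 ;;
esac
```

Preview what the hook would do with DRY_RUN=1 sh commands_after_start.sh before installing it. Running the start hook twice is safe: the chain is flushed rather than duplicated, and the jump from INPUT is only inserted when iptables -C says it is missing. The --rcheck rule for logging deliberately does not update the recent-list entry, so a logged packet is not counted twice; only the --set rule adds hits.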