I'm preparing my second box to install Slackware 10.2/KDE 3.4.3. As you might deduce from my posts the past few weeks, I have been doing a lot of tweaking on my current multi-boot box before I play with the second box.
One of the areas I have been trying to improve is my rc.firewall script. Originally I used an online generator (http://easyfwgen.morizot.net/gen/). That worked fine for my single workstation needs. Then a couple of days ago I tested the NIC in my second box and simple pinging helped me realize that my current firewall script was insufficient. I could not ping either direction. With some surfing and experimenting, I learned how to add some rules to recognize an internal LAN but still protect me from the outside. So far so good.
Despite being stuck on dialup, down the road there is a slim chance I might finally have access to a broadband connection. One of the new local ISPs is growing quickly providing wireless hot points throughout the rural area. Thus, I foresee the potential need for once again modifying my firewall script, this time to create a "green zone/red zone" approach.
Of course, although I am currently connected with a modem, I already have a "green zone/red zone" with my two-box network. All that really changes down the road is replacing the modem with another NIC. So I might as well prepare now with a robust script.
I want to create a script that conforms to typical Slackware rc.d script standards by using a case statement and minimally the options start/restart/stop. I'd like to modularize the script as much as possible with inline functions.
Currently I do not plan to use either box as a gateway. Both boxes have modems. I plan to use both boxes independently to connect to the web because the second box will be experimental in nature and not always available. And my current box is multi-boot, meaning I will be in Windows often with that box, as well as in Slackware. Therefore, I would like to embed NAT related rules but merely commented out. Or better yet, with a modular/function approach, I'm thinking I might want to add additional case options such as single/gateway/modem/nic or something like that. And then I could use the firewall script in both boxes regardless of my internal or external connections or hardware.
Yes, down the road, if I obtain broadband and my second box finally is stable, I might then dedicate a box to gateway/router service, but not for now. Additionally, I have a 486 sitting idle on the shelf; with a minimal Slack install and the modified firewall script I am considering, I might then consider dedicating that box to gateway services.
I downloaded an iptables tutorial and I expect to refer to that as I progress. For another example, I copied the firewall script that comes packaged with Smoothwall 2.0. What I am asking for here are some thoughts and ideas about writing a flexible firewall script that is easily modified in the future should I finally have broadband, or easily fine-tuned based upon the parameter passed to the script. I am not asking for specific rules or examples, just conceptual ideas, a flow chart approach, or perhaps an outline on modifying my current script to allow me to adapt quickly if that time arrives. I'm asking for some ideas because even if I create a modularized script, I don't yet fully understand the pecking order and precedence of rule-making, and I know that is important. Thus, I need to ensure I call each function in the proper order regardless of the parameter I pass to the script.
Thanks again for all your ideas.
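One way to lay out the script being asked about, as an added example that is not part of the original post: a Slackware-style rc.firewall with a case statement, one function per stage, and a mode argument (single/gateway) so the same file serves both boxes. The function call order in fw_start is the rule precedence. The interface names (ppp0/eth0), the LAN range and the ping rate limit are assumptions.

```shell
#!/bin/sh
# Sketch of a modular /etc/rc.d/rc.firewall; IPT and SYSCTL may be
# overridden (e.g. IPT=echo) to preview the exact command order without
# touching the kernel.
IPT="${IPT:-/usr/sbin/iptables}"
SYSCTL="${SYSCTL:-/sbin/sysctl}"
EXT_IF="${EXT_IF:-ppp0}"               # red zone: modem now, NIC later (assumed)
INT_IF="${INT_IF:-eth0}"               # green zone: LAN to the second box (assumed)
INT_NET="${INT_NET:-192.168.1.0/24}"   # assumed private LAN range
fw_flush() {        # 1. clean slate, so a restart never stacks duplicate rules
    $IPT -F; $IPT -X; $IPT -t nat -F
}
fw_policy() {       # 2. default deny; every ACCEPT below is an explicit exception
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
}
fw_base() {         # 3. loopback and reply traffic, before any zone rules
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
}
fw_green() {        # 4. trust the LAN, but only when it arrives on INT_IF
    $IPT -A INPUT -i "$INT_IF" -s "$INT_NET" -j ACCEPT
    $IPT -A INPUT ! -i "$INT_IF" -s "$INT_NET" -j DROP   # anti-spoof
}
fw_red() {          # 5. outside world: rate-limited ping, then drop the rest
    $IPT -A INPUT -i "$EXT_IF" -p icmp --icmp-type echo-request \
         -m limit --limit 1/s -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -j DROP
}
fw_gateway() {      # 6. only when this box routes for the green zone
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" \
         -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j MASQUERADE
    $SYSCTL -w net.ipv4.ip_forward=1
}
fw_start() {        # the call order here IS the rule precedence
    fw_flush; fw_policy; fw_base; fw_green; fw_red
    if [ "$1" = gateway ]; then fw_gateway; fi
}
fw_stop() {         # open everything back up
    fw_flush
    $IPT -P INPUT ACCEPT; $IPT -P FORWARD ACCEPT; $IPT -P OUTPUT ACCEPT
}
case "$1" in
    start)   fw_start "${2:-single}" ;;
    stop)    fw_stop ;;
    restart) fw_stop; fw_start "${2:-single}" ;;
    *)       echo "usage: $0 {start|stop|restart} [single|gateway]" ;;
esac
```

Running it as `IPT=echo sh rc.firewall start gateway` prints every rule in the order it would be applied, which is a cheap way to check precedence before touching a live box.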