{"id":22366738,"url":"https://github.com/vaeth/firewall-mv","last_synced_at":"2025-07-30T17:32:15.388Z","repository":{"id":2373742,"uuid":"3338493","full_name":"vaeth/firewall-mv","owner":"vaeth","description":"Initialize iptables and net-related sysctl variables","archived":false,"fork":false,"pushed_at":"2023-05-15T19:35:32.000Z","size":75,"stargazers_count":5,"open_issues_count":0,"forks_count":0,"subscribers_count":5,"default_branch":"main","last_synced_at":"2024-06-11T00:48:44.029Z","etag":null,"topics":["firewall","initscript","iptables","openrc","posix","shell","sysctl-variables","systemd"],"latest_commit_sha":null,"homepage":"http://www.mathematik.uni-wuerzburg.de/~vaeth/download/index.html#firewall","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vaeth.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2012-02-02T20:30:06.000Z","updated_at":"2023-11-06T07:00:11.000Z","dependencies_parsed_at":"2023-07-05T20:46:41.355Z","dependency_job_id":null,"html_url":"https://github.com/vaeth/firewall-mv","commit_stats":null,"previous_names":[],"tags_count":34,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vaeth%2Ffirewall-mv","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vaeth%2Ffirewall-mv/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vaeth%2Ffirewall-mv/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vaeth%2Ffirewall-mv/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vaeth","download_url":"https://cod
eload.github.com/vaeth/firewall-mv/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":228164524,"owners_count":17879085,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["firewall","initscript","iptables","openrc","posix","shell","sysctl-variables","systemd"],"created_at":"2024-12-04T18:15:29.242Z","updated_at":"2024-12-04T18:15:29.713Z","avatar_url":"https://github.com/vaeth.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# firewall-mv\n\n(C) Martin Väth \u003cmartin at mvath.de\u003e\nThis project is under the BSD license 2.0 (“3-clause BSD license”).\nSPDX-License-Identifier: BSD-3-Clause\n\nA collection of POSIX shell scripts to initialize iptables and\nnet-related sysctl variables of Linux.\n\nThese POSIX scripts set some typical __iptables__ commands for a dialup PC,\noptionally including a simple portknocking solution and router functionality.\nThe usage is somewhat similar to __SuSEfirewall2__, but the approach has\nsome essential differences. In particular, packets are usually not `DROP`-ed\nbut `REJECT`-ed until a rate-limit is reached. 
It is not necessary to restart\nthe firewall after a connection is established.\nCurrently, IPv6 is practically not supported (except for closing everything).\n\nThe setting of the kernel variables is done with a separate script sysctl.net.\n\nBy default, firewall makes use of the functions from `firewall-scripted.sh`\nwhich allow a \"scripted\" use of `iptables-restore` and `ip6tables-restore`.\nThis means that all __iptables__ rules are created in one command.\nThis has not only the advantage that it is much faster, but, moreover,\nit avoids race conditions when creating the rules, see\n- http://inai.de/documents/Perfect_Ruleset.pdf\n\nSee the instructions at the end on how to use `firewall-scripted.sh`.\n\nTo install this project easily, run `make` (and `make install` as root).\nFor manual installation, copy the scripts from `sbin/` into your `PATH`.\n`etc/firewall.config` can be copied into `/etc` or `/usr/lib/firewall` or\n`/lib/firewall` (if it is readable in a former directory, it is used;\nthus, the latter can be used to provide distribution-wide defaults).\nYou should modify `firewall.config` to your needs (for the default, copy\n`etc/firewall.d` to the `/etc` directory and follow `etc/firewall.d/README`).\nFor __zsh completion__ support copy the content of zsh into your `$fpath`.\n\nYou also need `push.sh` from https://github.com/vaeth/push (v2.0 or newer)\nin your `PATH`.\n\nBefore you run firewall, please edit `firewall.config` to your needs:\nYou have to create it in `/etc/firewall.config` to override the sample default\nfrom `/usr/lib/firewall` or `/lib/firewall`.\nThe example `firewall.config` sets the default based on the existence of some\nmagic files in `/etc`. It assumes that the original `eth*` interfaces have\nbeen renamed to `net*` (e.g. 
by __eudev__ or __udev__ rules).\n\nThe firewall script reads your `firewall.config` and then\n(by default) runs `sysctl.net` and initializes __iptables__ according\nto the content of `firewall.config`.\n\n`sysctl.net` initializes some net-related Linux __sysctl__ variables.\n\nTo get help, run `firewall -h` or `sysctl.net -h`, respectively.\n\nIf you use __systemd__, you can copy the content of `systemd` into your\nsystemd system folder and (after `systemctl daemon-reload`) enable the\nscripts with\n```\n\tsystemctl enable firewall.service\n```\n\nFor __openrc__ (the Gentoo init system) there are some scripts provided in\nthe openrc folder. Copy these scripts and their configs to `/etc/init.d`\nor `/etc/conf.d`, respectively and edit `/etc/conf.d`.\nTo activate the firewall with openrc, call e.g.\n(the runlevels might depend on your configuration):\n```\n\trc-config add fireclose boot\n\trc-config add firewall default\n```\nInstead of adding `fireclose` to your boot runlevel, you might also want to\nadd to your relevant `/etc/conf.d/net*` file(s):\n```\nrc_need=fireclose\n```\n\nTo load the required kernel modules with systemd or openrc, copy e.g. 
the\ncontent of `modules-load.d/` to `/etc/modules-load.d/` or\n`/usr/lib/modules-load.d/` and edit it for your needs.\n__Systemd__ and __openrc-0.21.7__ (or newer) automatically support\nthese directories.\nFor older versions of openrc, you can use the `conf.d/modules` file to get\nat least some rudimentary support of these directories.\n\nFor Gentoo, there is an ebuild in the mv overlay (available by layman)\n(but you might still have to configure the firewall.config, see above).\n\n## Instructions for firewall-scripted.sh:\n\n### Step 1.\n\nEvaluate the output of firewall-scripted.sh in a POSIX compliant shell, e.g.\n```\nif SOME_VARIABLE=`firewall-scripted.sh 2\u003e/dev/null`\nthen\teval \"$SOME_VARIABLE\"\nelse\techo \"firewall-scripted.sh not installed\" \u003e\u00262\nfi\n```\n__Remark__: An obsolete method was to use instead\n```\n. firewall-scripted.sh\n```\nThe latter works for older versions of firewall-mv or if one installs manually,\nbut unless an appropriate PATH is set before sourcing, it fails when\nfirewall-scripted.sh is replaced by a wrapper script, which happens with the\nprovided Makefile. Moreover, if firewall-scripted.sh is not available it stops\nthe script.\n\nAll functions and variables used internally by firewall-scripted.sh have the\nform Fwmv[A-Z]* or fwmv_*, respectively, so do not use these.\nAll these variables are cleaned up by firewall-scripted.sh when possible.\n\n### Step 2.\n\nCall `FwmvTable 4` or `FwmvTable 6` instead of `iptables` or `ip6tables`,\nrespectively. 
You can pass most options of `iptables` or `ip6tables` in exactly\nthe same form; if you use the option `-t`, it must be the first one.\n\n### Step 3.\n\nWhen you are done, you can execute the \"stored\" commands in one step using\n`FwmvSet 4` or `FwmvSet 6`, respectively.\nIf you pass additionally the parameter `Echo` (possibly combined with `Exec`),\nthe command is printed instead (and only executed if you also passed `Exec`).\nIn this case, `firewall-scripted.sh` requires the `push.sh` script (and uses\nthe functions/variables used by `push.sh` in addition to those from Step 1.)\n\n### Step 4.\n\nAfter Step 3 all variables are reset so that you can start over with Step 2.\n\n### Disclaimer\n\nNot all options for `FwmvTable` in `firewall-scripted.sh` are tested;\nessentially only those used by the `firewall` script are tested.\nIn particular, `ip6tables` is not tested at all with `firewall-scripted.sh`.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvaeth%2Ffirewall-mv","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvaeth%2Ffirewall-mv","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvaeth%2Ffirewall-mv/lists"}