Auke Kok <sofar@foo-projects.org>
Max Kellermann <max@foo-projects.org>
- Getting a firewall working with ferm on your system
ferm is a frontend for iptables. It reads the rules from
a structured configuration file and calls iptables(8) to
insert them into the running kernel.
ferm's goal is to make firewall rules easy to write and
easy to read. It tries to reduce the tedious task of writing
down rules, so that the firewall administrator can spend
more time on developing good rules than on the mechanics
of implementing each rule.
To achieve this, ferm uses a simple but powerful configuration
language which supports variables, functions, arrays and
nested blocks. It also allows you to include other files, so
you can create libraries of commonly used structures and
ferm, pronounced "firm", stands for "For Easy Rule Making".
The package does not need to be compiled. Just make sure you
have perl (which is present in any base Linux system),
iptables (including iptables-save and iptables-restore), and
a kernel with netfilter support.
Run "make install" as root to install the package in its
proper location, so that ferm can be reached from the
command line. The manual page will also
ferm can later be removed from the system by issuing
"make uninstall" (as root, of course). This will not remove
any configuration files, of course!
ferm is designed to parse structured firewall files written
in its own (quite C-like) language for describing firewall
rules. Look at the examples for a good idea of what it looks like.
To install a firewall, create a firewall file that suits your
needs, store it in a sensible place such as
/etc/ferm/ferm.conf, and execute:
ferm /etc/ferm/ferm.conf
ferm will read the file, translate it into netfilter rules,
and install these into the kernel. Read the manual and the
examples to get the idea about the syntax of the firewall
Generally, ferm will be called in 2 ways:
- testing a firewall.conf file:
ferm --lines --noexec /etc/ferm/ferm.conf
This way, the actual firewall is not installed; the
resulting iptables commands are only printed so you can check
them. Add -d or -v for even more information.
- installing a ferm setup manually:
ferm --lines /etc/ferm/ferm.conf
This way, the rules are actually installed, and because every
iptables command is printed as it is executed you can see any
errors iptables reports and check that the rules are applied
as intended. It is advisable to carefully check the output.
When you are satisfied with the generated rules, feel free
to insert ferm into an rc.d script or even an ip-up ppp
script. Make sure you are satisfied with the setup first: a
wrong configuration can lock you out of a remote machine or
leave it unprotected. The line you need to insert will look
like this:
ferm /etc/ferm/ferm.conf
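A configuration file of the kind the commands above load, and the kind the steps further down ask you to write and test, as an added example for this README (not a file shipped with ferm; the interface name, network and service list are assumed values, and the file path in the comment is just the location suggested above). It uses the language features named in the introduction: variables, an array, a function and nested blocks. The INPUT policy is DROP, so the order matters: conntrack acceptance and the loopback rule come before the service rules, and the final rate-limited LOG rule records a sample of what the default policy silently discards.

```ferm
# /etc/ferm/ferm.conf -- added example, not part of the ferm distribution.
# Assumed values: eth0 is the uplink, 192.168.1.0/24 is the trusted LAN.

# Variables start with $; a value in parentheses is an array.
@def $DEV_WAN = eth0;
@def $NET_LAN = 192.168.1.0/24;
@def $TCP_SERVICES = (ssh http https);

# A function: called with &NAME(...). An array argument expands
# to one iptables rule per element.
@def &ALLOW_TCP($ports) = {
    proto tcp dport $ports ACCEPT;
}

# Shared rule libraries could be pulled in here with @include 'ferm.d/';

table filter {
    chain INPUT {
        policy DROP;

        # Conntrack first: drop garbage, accept replies to existing flows.
        mod conntrack ctstate INVALID DROP;
        mod conntrack ctstate (ESTABLISHED RELATED) ACCEPT;

        # Local traffic and ping.
        interface lo ACCEPT;
        proto icmp icmp-type echo-request ACCEPT;

        # Services are reachable only from the LAN, not via the uplink.
        interface ! $DEV_WAN saddr $NET_LAN {
            &ALLOW_TCP($TCP_SERVICES);
        }

        # Log a sample of what the DROP policy will discard.
        mod limit limit 3/min LOG log-prefix "ferm-drop: ";
    }

    chain OUTPUT {
        policy ACCEPT;
    }

    chain FORWARD {
        policy DROP;
        mod conntrack ctstate INVALID DROP;
        mod conntrack ctstate (ESTABLISHED RELATED) ACCEPT;
    }
}
```

Run it first with "ferm --lines --noexec /etc/ferm/ferm.conf": the array expands into three separate iptables rules inside the nested block, which is the output you should read through before loading the file for real, preferably from a console rather than over the very SSH session that the INPUT policy could cut off.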
Getting a firewall working with ferm on your system
First, get to know ferm: read the previous section and toy
around with some examples. ferm is really simple, but still
people e-mail me questions that are answered in the man-page.
It is a requirement that you get some basic knowledge of
networking before experimenting with ferm. I cannot stress
that enough. There are many introductions available on
the internet that explain how the internet is constructed,
what all those protocols are, and how they work.
You should also be comfortable modifying your system setup
as root and editing some text files. ferm requires you to
use a text editor; plain old point and click do not work
Okay, you've not run away crying or screaming, good, now do
- make a ferm config file (or even more!)
Read the examples and compile a firewall that suits your needs,
add or remove items at will, and test it thoroughly.
- test the ferm config file
Make sure the firewall behaves as you want it to! Be careful
- install it on the system
Execute ferm manually or put it in an rc.d boot script, a ppp
script, or wherever you see fit. You might have more than one
script (like the author).
* AUTHORS       List of people who worked on the project
* COPYING       Copy of the GPL
* NEWS          A list of changes in the development of ferm
* src/ferm      The program
* doc/ferm.pod  The pod (perl doc format) file
* doc/ferm.1    The man page
* doc/ferm.txt  The man page as plain text
* doc/ferm.html The man page as an html file
* examples/*    Some examples
* Makefile      Installation Makefile
Auke Kok <sofar@foo-projects.org>