Welcome to Cyborg's active Firewalling Section

You have seen Firelogger and its output. Now we want to set up an active firewall.

What does that mean?

A passive firewall does nothing more than check packets against its rules. It does not act on the packets or on the result of the check. We have to make it active to be safer.

How do we do that?

[config screenshot]

We have to start Firelogger after the interface ( in the case of DSL with PPPoE it's ppp0 ) is up and running. We have to check at a given time interval ( in this example secs ). You could use a real crond for that, but I coded a pseudo cron yesterday for myself which works quite nicely and is easy to set up.


amitcp:s/start.bat - as seen in the config image above

stack 30000
run >nil: mycron t=20 firelogger -m -nnr -Acl -html -f amitcp:log/ALARM amitcp:log/miami_firewall.log

assign ixpipe: exists >nil:
if warn
    mount ixpipe:
endif
perl >t:index1.html amitcp:s/dynamicip.pl
ncftp ftp.x.x 
amitcp:s/dynamicip.pl

#perl -w
# read the address of ppp0 from the ifconfig output
if (open(EINGABE, "ifconfig ppp0|") != 0) {
    foreach $Feld (<EINGABE>) {
        if ($Feld =~ /inet/i ) {
            ( $a1, $ip, $a3, $a4, $a5, $a6 ) = split( / /, $Feld);
        }
    }
    close(EINGABE);
}
# read the current date
if (open(EINGABE, "date|") != 0) {
    $Feld=<EINGABE>;
    close(EINGABE);
}
# generate the redirect page
print "Dynamic Redirecting\n";
print "\n";
print "\nyou will be relinked to ";
print "this Link.\n\nIf not press it yourself.\n";
# remember the dsl ip for later use ( getting a static ip :-) )
if (open(AUSGABE, "echo \"$ip\" >>amitcp:log/ip.log|") != 0) {
    close(AUSGABE);
}


ftp-upload.bat

lc t:
put index1.html
bye

You need the newest version of Firelogger for this and MiamiDX ( or another stack with the ipfw command ).

What does this crap do?

As you can see in the config screenshot, when the interface ppp0 comes up, I start a newshell process, which is really needed to run ncftp correctly. In this shell script I start Firelogger with mycron every 20 seconds ( decrease if needed ), which will now and forever check the logfiles for misuse. After this I upload the dynamic IP from my provider to my internet website and redirect all visitors to my personal webserver behind my firewall in my LAN. This is possible with IP-NAT ( see somewhere else ). The Perl script filters the IP from the ifconfig output and generates the webpage. Yes, we do that once on every connect to the provider.

You said something about active firewalling!

OK, the real feature we want to use comes from Firelogger in the last release ( 28.7.2001 ): it executes the "deny" command to lock out attacking hosts as soon as they are detected. Paranoids can use timevalue=1, but buy a 68080 for it :-)
If you really want to do that ( checking every 2 seconds ), I would suggest rebuilding your whole log config: use the miam.logfile for Firelogger at a 10 second interval and the SYSLOG.LIB's output, directed to t:, every 2 seconds. The second check should not use the "clskipt.dat" and should delete the checked logfile to avoid killing the same IP 10 times.
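
The duplicate lockout problem described above, as an added example ( not Firelogger's code and not from the original page ): a scan pass that remembers which addresses it has already locked out, so reading the same log again does not issue a second deny. The log line format, the threshold parameter and the never-block list are assumptions made for the example; the actual deny call is left to the caller.

```python
import ipaddress
import re

# Constructed sample; the page does not show the real Miami firewall log format.
SAMPLE_LOG = """\
2001-07-28 21:14:02 deny tcp 203.0.113.7:4312 -> 192.168.0.2:139
2001-07-28 21:14:03 deny udp 198.51.100.23:1027 -> 192.168.0.2:137
2001-07-28 21:14:05 deny tcp 203.0.113.7:4313 -> 192.168.0.2:445
2001-07-28 21:14:06 deny tcp 192.168.0.5:1033 -> 192.168.0.2:23
2001-07-28 21:14:07 deny tcp 203.0.113.9;reboot:80 -> 192.168.0.2:80
2001-07-28 21:14:09 deny tcp 203.0.113.7:4314 -> 192.168.0.2:21
"""

# Source field of a denied packet in the assumed format above.
SRC_RE = re.compile(r"\bdeny\s+\w+\s+(\S+?):\d+\s+->")

# Assumed LAN and loopback ranges that must never be locked out.
NEVER_BLOCK = [ipaddress.ip_network("192.168.0.0/24"),
               ipaddress.ip_network("127.0.0.0/8")]


def new_offenders(log_text, already_blocked, threshold=1):
    """Return source IPs to lock out now; update already_blocked in place."""
    counts = {}
    for line in log_text.splitlines():
        match = SRC_RE.search(line)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # malformed field: never hand it on to a deny command
        if any(ip in net for net in NEVER_BLOCK):
            continue  # own network: a lockout here would cut us off
        counts[str(ip)] = counts.get(str(ip), 0) + 1
    fresh = [ip for ip, hits in counts.items()
             if hits >= threshold and ip not in already_blocked]
    already_blocked.update(fresh)  # the memory that prevents repeat lockouts
    return fresh


if __name__ == "__main__":
    blocked = set()
    for run in (1, 2):  # the second pass over the same log finds nothing new
        for ip in new_offenders(SAMPLE_LOG, blocked):
            print(f"run {run}: would deny {ip}")
```

Between runs the already-blocked set would have to be written to disk, which is the role a skip file plays for the slower check.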

If you have any ideas to increase security, let us all know about them!