View Full Version : Firewall Scripts
chewymix
03-19-2005, 05:25 PM
Anyone know any good firewall scripts? I pretty much just want to allow ssh and http traffic to my server and so am wondering if anyone has any scripts they could share?
Thanks
matta
03-19-2005, 06:12 PM
Shorewall, APF, BFD... I'm not sure on the names. I use the old-fashioned method :)
brett
03-19-2005, 07:05 PM
Don't forget about the iptables module for webmin...
greenrd
03-21-2005, 12:17 PM
Or indeed the shorewall module for webmin!
The only trouble with shorewall that I have found is it is not designed to do loopback firewalling. I plan to patch it up to support that.
griffinn
03-22-2005, 03:39 PM
The most simplistic approach is to set up your firewall rules with a bunch of "iptables -A" commands (or iptables-restore a previously iptables-save'd ruleset) somewhere within the boot scripts. For example, in Debian you can put any script in /etc/network/if-pre-up.d and it will be run whenever a network interface is brought up.
I have the following script in my /etc/network/if-pre-up.d directory. It allows everything through the loopback interface, anything on ports 22, 25 and 80, and any TCP packets that are related to pre-existing packets (e.g. an inbound ftp-data connection caused by an ftp request originating from the host itself). And then any other new TCP connection is logged to syslog and dropped.

#!/bin/sh
# ifupdown runs this for every interface (including lo) and sets IFACE to the
# one being configured, so only load the rules when eth0 comes up.
[ "$IFACE" = "eth0" ] || exit
# Everything below is in iptables-save format. Policies stay ACCEPT: only NEW
# TCP connections that do not match the port list reach LogDrop; RELATED TCP is
# accepted explicitly, and ESTABLISHED and non-TCP traffic falls through to the
# ACCEPT policy.
/sbin/iptables-restore <<DONE
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LogDrop - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,25,80 -j ACCEPT
-A INPUT -p tcp -m state --state RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -j LogDrop
-A LogDrop -j LOG --log-level 6
-A LogDrop -j DROP
COMMIT
DONE

(This script is run whenever any interface is brought up, including loopback, so it's necessary to have the test in the first line to ensure the iptables rules are set only once.)
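The script above keeps the INPUT policy at ACCEPT and only sends NEW TCP to LogDrop, so UDP and other non-TCP traffic is still let in by the default policy. The following is an added example (not code from this thread or from any of the posters) that builds what the original question asked for, SSH and HTTP only, with DROP policies, conntrack-based acceptance of reply traffic, a structural check of the ruleset that needs neither root nor iptables, a dry run with iptables-restore --test, and a rollback timer so a mistake cannot lock you out over SSH. It assumes an iptables with the conntrack match and an iptables-restore that supports --test; WAN_IFACE, SERVICE_PORTS and ROLLBACK_SECS are variable names chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates, validates and (on
# request) applies a default-deny iptables ruleset exposing only TCP 22 and 80.
# Assumes iptables with the conntrack match and iptables-restore --test.
set -eu

WAN_IFACE="${WAN_IFACE:-eth0}"          # interface the rules are meant for (assumed)
SERVICE_PORTS="${SERVICE_PORTS:-22,80}" # TCP ports to expose: ssh, http (assumed)
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"   # auto-restore window when applying remotely

# gen_ruleset PORTS: print a complete ruleset in iptables-save format.
# With DROP policies, anything not explicitly accepted (UDP included) is
# logged and dropped; replies are matched by conntrack state, not by protocol.
gen_ruleset() {
    ports="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LogDrop - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports $ports -j ACCEPT
-A INPUT -j LogDrop
-A LogDrop -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "fw-drop: " --log-level 6
-A LogDrop -j DROP
COMMIT
EOF
}

# validate_ruleset < FILE: structural check that needs no root and no iptables
# binary. Every -A line must append to a declared chain, every -j target must
# be a declared chain or a standard target, and the table must end with COMMIT.
# Prints each problem found and returns non-zero if there were any.
validate_ruleset() {
    awk '
        BEGIN { bad = 0; split("ACCEPT DROP REJECT LOG RETURN", t, " "); for (k in t) builtin[t[k]] = 1 }
        /^:/ { sub(/^:/, ""); chains[$1] = 1; next }
        /^-A / {
            if (!($2 in chains)) { printf "appends to undeclared chain %s\n", $2; bad = 1 }
            for (i = 3; i < NF; i++)
                if ($i == "-j" && !($(i+1) in chains) && !($(i+1) in builtin)) {
                    printf "jumps to unknown target %s\n", $(i+1); bad = 1
                }
            next
        }
        /^COMMIT$/ { committed = 1; next }
        /^[*]/ || /^#/ || /^$/ { next }
        { printf "unrecognised line: %s\n", $0; bad = 1 }
        END { if (!committed) { print "missing COMMIT"; bad = 1 }; exit bad }
    '
}

# apply_ruleset PORTS: validate, dry-run with --test, save the current rules,
# arm a background job that restores them after ROLLBACK_SECS (kill it once
# you have confirmed SSH still works), then commit the new rules. Honors
# ifupdown's IFACE so the script can live in /etc/network/if-pre-up.d.
apply_ruleset() {
    ports="$1"
    [ "${IFACE:-$WAN_IFACE}" = "$WAN_IFACE" ] || return 0
    new=$(mktemp) && old=$(mktemp)
    gen_ruleset "$ports" > "$new"
    validate_ruleset < "$new"
    iptables-restore --test "$new"
    iptables-save > "$old"
    ( sleep "$ROLLBACK_SECS" && iptables-restore "$old" && rm -f "$old" ) &
    echo "rollback job $! armed; kill it once you have confirmed SSH still works"
    iptables-restore "$new"
    rm -f "$new"
}

case "${1:-}" in
    apply) apply_ruleset "$SERVICE_PORTS" ;;
    *)     gen_ruleset "$SERVICE_PORTS" ;;   # default: only print the ruleset
esac
```

Run it with no arguments to inspect the generated ruleset, pipe that into validate_ruleset to catch a typo in a chain or target name before touching the kernel, and run `apply` from a console, or over SSH with the rollback job armed, the first time. Adjust SERVICE_PORTS (for example 22,25,80 to match the script above) rather than editing the rules by hand.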