README firewall-easy

  *!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  *!! WARNING WHEN UPGRADING FROM <0.40: the variable names in firewall-easy.conf
  *!! have changed to English, which breaks previous config files:
  *!! THE FILE MUST BE REPLACED AND RECONFIGURED
  *!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


FIREWALL-EASY CONFIGURATION

Even though configuration is automatic (IP address, netmask and DNS are
autodetected), some details may need fine tuning:


WARNING ABOUT LOGGING ON 2.2 KERNELS
I strongly recommend you disable packet logging (NOLOG = yes) if you are using
a 2.2 or lower kernel, because those kernels have no logging rate limit.
A determined attacker who knows your IP can fill your hard disk with packet
log entries. It is safer to use a 2.4 kernel (iptables).


LOCAL NETWORK
If you have a local network besides the Internet connection, you need to declare
which interface is used for the local network. This keeps the Internet rules
from being applied to your local network, so it can access all your services.

    1) Edit /etc/firewall-easy.conf
    2) Add a line such as IFACE_REDLOCAL=eth0, naming the interface you use


ACTIVE FTP
There are two types of FTP data connection, passive mode and active or "port"
mode:
- In passive mode our system opens the data connection
- In active or "port" mode the outside FTP server tries to open a connection
  back to us

Modern browsers work in passive mode by default.
Text mode browsers are usually configurable to work in passive mode (search
for "passive" in the man page of their configuration).

If an outside FTP server needs to be accessed in active mode then you have
several options:

HIGH SECURITY OPTION:
    Do not use active FTP: switch to an FTP client that supports "passive"
    mode, or change FTP provider

MEDIUM SECURITY OPTION:
    1) Edit /etc/firewall-easy.conf
    2) Add a line such as FTP="1.1.1.1 2.2.2.2" listing the FTP server IPs

LOW SECURITY OPTION:
    1) Edit /etc/firewall-easy.conf
    2) Add a line such as FTP="0/0"

    This has the disadvantage that anyone can scan you (and in fact they will)
    using the source port ftp-data:

    a) You are visible to TCP pings in these scans
    b) Any service listening on a high port (1024-65535) that is not denied
       by an earlier rule could be reached from the Internet

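The following lint script is an added example, not part of firewall-easy: it reads a
firewall-easy.conf fragment and reports the two risky settings described above, a
wide-open FTP="0/0" (or a non-IP entry) and packet logging left enabled on a 2.2 or
older kernel. The variable names FTP, NOLOG and IFACE_REDLOCAL come from this README;
the one-KEY=value-per-line format, the checks and the demo config are assumptions.

```shell
#!/bin/sh
# Hypothetical lint for /etc/firewall-easy.conf (not firewall-easy's own code).
# Assumes one KEY=value assignment per line, with optional spaces and quotes.

# conf_get FILE KEY: print the last value assigned to KEY, quotes stripped.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | tr -d '"' | sed 's/[[:space:]]*$//'
}

# lint_firewall_easy_conf CONF KERNEL_VERSION
# Prints one finding per line; the exit status is the number of findings.
lint_firewall_easy_conf() {
    conf="$1" kernel="$2" n=0
    ftp=$(conf_get "$conf" FTP)
    nolog=$(conf_get "$conf" NOLOG)
    iface=$(conf_get "$conf" IFACE_REDLOCAL)

    # FTP="0/0" lets any host with source port ftp-data reach undenied high
    # ports; the medium option lists the FTP server IPs instead.
    for tok in $ftp; do
        case "$tok" in
            */0) echo "FTP=$tok: whole Internet allowed via source port ftp-data"
                 n=$((n + 1)) ;;
            *[!0-9./]*) echo "FTP=$tok: not an IPv4 address or prefix"
                 n=$((n + 1)) ;;
        esac
    done

    # Packet logging on a 2.2 or older kernel is not rate limited and can
    # fill the disk, so NOLOG must be "yes" there.
    major=${kernel%%.*}; rest=${kernel#*.}; minor=${rest%%.*}
    if [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -le 2 ]; }; then
        if [ "$nolog" != yes ]; then
            echo "NOLOG=$nolog on kernel $kernel: set NOLOG=yes, logging has no limit"
            n=$((n + 1))
        fi
    fi

    # A local-network setting that is not an interface name is usually a typo.
    case "$iface" in
        *[!A-Za-z0-9_.:-]*) echo "IFACE_REDLOCAL=$iface: not an interface name"
                            n=$((n + 1)) ;;
    esac
    return "$n"
}

# Demo on a constructed config (not a real site's file): expect 2 findings.
sample=$(mktemp)
printf 'NOLOG=no\nIFACE_REDLOCAL=eth1\nFTP="0/0 192.0.2.10"\n' > "$sample"
lint_firewall_easy_conf "$sample" 2.2.19 || echo "$? finding(s)"
rm -f "$sample"
```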

DMZ ON THE INTERNET INTERFACE
If you connect through e.g. an ADSL router configured as multi-PC on a private
network, you need to exclude the range used by that network from $NO_PRIV
in /etc/firewall-easy.conf to be able to access it.
