Iceditch functionality: Difference between revisions
Revision as of 06:29, 1 July 2008
This page describes the functions that the Iceditch script can perform for you.
Rights and security
Since Iceditch calls IPtables, you need root rights to run it. We have therefore not implemented any mechanism to use Iceditch as a non-root user.
Invoking Iceditch
iceditch start | restart | reload
The most common invocation will be the automatic startup at boot time. To this end, the script understands being called with only the "start" parameter. iceditch start will set up the firewall quietly and completely.
iceditch stop | halt
We don't want any person or process to be able to stop the firewall, so this command is accepted, but does nothing except log the attempt.
iceditch clear
This clears all firewall rules, so essentially you're left with no firewall at all. Thus, you're also left without transparent proxy, NATting etcetera. Since this is inherently very unsafe, Iceditch will also disable forwarding between network interfaces.
iceditch backup
This will make Iceditch write a copy of the current configuration files. Used mainly with safestart.
iceditch safestart
This will have Iceditch start the firewall, but after five minutes, it will revert to the backup configuration. This enables you to back up the current configuration, change it, and test it. If it accidentally shuts you out, it will revert to the old configuration after five minutes. Good thinking, eh? Note: requires the presence of the at command, with which Iceditch schedules the fallback to the old configuration.
iceditch restore
This will make Iceditch revert to the configuration it previously backed up. Note: this command can only be run interactively, since Iceditch will tell you at which time and date the backup configuration was made, and ask you if you really want to overwrite the current configuration with the old one.
iceditch noclear
This command will remove the fallback to the old configuration by clearing the at fallback.
iceditch halt
This is an emergency brake: it will clear all firewall rules, and then block any network traffic going in or out of your machine over any network interface - with the exception of the internal lo (loopback) adapter. When you have reason to believe your system is in some way compromised, you can throw this emergency brake. For those who don't need or want it: the configuration file can disable this emergency brake.
Special options
There are a number of options that Iceditch recognises, that are listed below. Note: options cannot be grouped. For example, Iceditch understands -d -e but not -de.
-d dummy run; prevents Iceditch from invoking IPtables at all. Used mainly with -e or -E, to check a configuration.
-e will make Iceditch echo all generated IPtables commands to the console. This can be useful to test a complex configuration. -e cannot be combined with -E.
-E will make Iceditch echo all rules in Iceditch language. Only useful if your rulefile contains lots of conditional rules, flow control and other programming bling. -E cannot be combined with -e.
-r <rulefile> will make Iceditch use <rulefile> instead of the default rulefile /etc/iceditch/rules.conf. <rulefile> can be specified with an absolute path, with a relative path from the current working directory, or without path at all (in which case Iceditch assumes the file lives in /etc/iceditch).
-t <number> can be used only with safestart; it signifies the number of minutes (1-60) that safestart must wait before it reverts the configuration.
-v verbosity; will make Iceditch send the -v option to all commands it calls itself.
-V print the version number and exit (overrides any other option or parameter)
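The option rules above (no grouping, -e and -E mutually exclusive, -t only with safestart and within 1-60, the three ways of giving -r a rulefile) as an added checker written for this page, not code from Iceditch; ICEDITCH_DIR stands in for /etc/iceditch and the function names are assumptions.

```shell
#!/bin/sh
# Added example: validates an Iceditch command line against the rules in
# this section. Not Iceditch's own code; names are assumptions.
ICEDITCH_DIR="${ICEDITCH_DIR:-/etc/iceditch}"

# Resolve a -r argument: absolute path as-is, relative path (contains a
# slash) from the current working directory, bare name under ICEDITCH_DIR.
resolve_rulefile() {
    case "$1" in
        /*)  echo "$1" ;;
        */*) echo "$PWD/$1" ;;
        *)   echo "$ICEDITCH_DIR/$1" ;;
    esac
}

# check_options COMMAND [OPTIONS...]: returns 0 if acceptable, 1 otherwise
# (with the reason on stderr).
check_options() {
    cmd="$1"; shift
    echo_ipt=0; echo_rules=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -d|-v|-V) ;;
            -e) echo_ipt=1 ;;
            -E) echo_rules=1 ;;
            -r) [ -n "${2:-}" ] || { echo "-r needs a rulefile" >&2; return 1; }
                shift ;;
            -t) [ "$cmd" = safestart ] || { echo "-t only with safestart" >&2; return 1; }
                case "${2:-}" in
                    ''|*[!0-9]*) echo "-t needs a number" >&2; return 1 ;;
                esac
                [ "$2" -ge 1 ] && [ "$2" -le 60 ] || { echo "-t must be 1-60" >&2; return 1; }
                shift ;;
            -*) echo "unknown or grouped option: $1" >&2; return 1 ;;  # e.g. -de
            *)  echo "unexpected argument: $1" >&2; return 1 ;;
        esac
        shift
    done
    if [ "$echo_ipt" = 1 ] && [ "$echo_rules" = 1 ]; then
        echo "-e and -E cannot be combined" >&2; return 1
    fi
    return 0
}
```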
Logging
Iceditch logs any (attempted) start or stop action to the syslog. When the Iceditch-built firewall runs, it can make use of the standard IPtables log facilities. These can be either logging packets to syslog, or using the ulogd logging daemon. This choice can be specified in the Iceditch configuration file, although you have to ensure yourself that ulogd actually exists on your system.