gShield is a iptables firewall script which should run
"out of the box" for most folks with minimal fuss.

gShield has the following features:

- handles dynamic or static IP's without problem
- can selectively enable NAT for multiple private ranges
- adds tcpwrapper-like functionality for access to services
- aggressive defaults; only default 'open' service is auth
- easily configurable via a well commented BSD-style conf file.

----------------------------------------------

A few things to help folks along:

All major configuration settings are stored in /etc/firewall/gShield.conf
You WILL need to look over this file before running the firewall,
but for most cases, the defaults should work fine for most
folks. Go ahead, open another term and take a peek.

gShield itself has some runtime options you can use
to ease some typical administrative tasks.  These
are detailed below and in USAGE.
----------------------------------------------

ACL's

gShield tries to incorporate Access Control lists in a more
direct manner than the "usual" approach with firewall scripts. 

An ACL is simply a list of hosts which are allowed to connect
to pre-defined services. In this way, we can protect core
services (such as POP, SMTP, FTP, etc) from "the world", while
still having unrestricted access to "trusted" hosts.

A good example:

You wish to have access to your home machine from work,
but worry about leaving the sorts of services you'd
like access to open to the world. One way to accomplish
protecting these services would be via tcpwrappers or xinetd.

gShield takes this a bit further by allowing you to set what
hosts even get to have a packet touch the service in the first
place.

In the case of our "I want to have access to my home machine
from work" scenerio, we simply drop the ip (or range) of
our work machine into /etc/firewall/conf/client_hosts.

Any ip (or range) in client-hosts is allowed access
to those services as defined in /etc/firewall/conf/client_services, while
"other" hosts cannot. So one can easily restrict access to services
by distinguishing between "clients" and "the public".

----------------------------------------------

Other ACL's

/etc/firewall/conf contains the following 'other' files:

NATS
black_listed_hosts
client_hosts
client_services
closed_ports
highport_access
reserved_addresses
time_servers
open_ports
blocked_outgoing
no_log_ports

client_hosts and client_services we've touched on already.

* NATS
	should contain the private addresses you wish to provide NAT services
	for. You can specify multiple ranges here.

* black_listed_hosts

	drop "problem" hosts in here. gShield will drop -all-
	connections from these hosts (and log them at no extra cost!)

* highport_access

	IRC bots like to connect to high (unreserved) ports, which gShield
	drops by default. 

	Many services like to establish high TCP connections as well -- simply
	drop those hosts in here (if you need unrestricted access from
	the public to high ports, this can be configured in gShield.conf).

* closed_ports

	These are ports you simply want -fully- closed off for whatever
	reason. In most cases, this is over-kill given gShield's defaults.
	These ports are closed to -everyone-, even those hosts listed as
	clients, so be aware.

* reserved_addresses

	These are ip ranges which have no business hitting the external interface
	in the first place (i.e., private ranges)

* time_servers

	Having your time synced is a good thing. Having that port open
	to the whole world may not be. Dump the time-servers you tend
	to favor in here to allow them to have access to time services.
	For example, I use chrony to keep my time accurate, and the servers
	chrony uses for this are also listed here. This allows them to do
	their time-sych'n magic.	

* open_ports

	Sometimes, you just want that port open. 
        Add those ports you want open ON the firewall machine.
	gShield will open both tcp and udp on those specified ports.

* blocked_outgoing

	ports which you wish to -prevent- access to (both for the firewall
   	itself, as well as NAT'd clients

* no_log_ports

	ports which you do not wish logged, regardless of the default
	logging policy 

----------------------------------------------

RUNTIME options

Beginning with 2.4, gShield adds additional
run-time options to make some tasks easier.

From ./gShield help

gShield run-time options:
-------------------------
flush: flush all rulesets and disable firewall
client x: add ip "x" to clientlist
blacklist x: add ip  "x" to blacklist
highport x: add ip "x" to highport access list
help: this list

Briefly put, you can add ips to the client list, highport list
or blacklist all from the command line without having to re-load
gShield to re-read the ACL for that service.

For example, say I want to allow 1.2.3.4 as a client.  Starting with
gShield 2.4, this is a single step:

/etc/firewall/gShield.rc client 1.2.3.4

gShield will:

- add 1.2.3.4 to the -current- client list for immediate access
- add 1.2.3.4 to /etc/firewall/conf/client_hosts (for next time) and date its
insertion.
           
There ARE some limitations:

- you have to use an -ip- address; hostnames are no good
- you can only use -single- ip addresses, not ranges or nets

----------------------------------------------
Feel free to contact me with suggestions and/or problems

Godot (godot@mindspring.com)

I can also generally be found on EFNet, #Linuxhelp