Note: the ipfwadm script generated by TDG is the file named ipfw.dotfile in your home directory.
While fine for testing, this is not a permanent solution. If you wish the firewall to be configured automatically every time you boot the computer, copy the ipfwadm script into /etc/rc.d (perhaps naming it /etc/rc.d/rc.firewall), make it executable and readable only by root (chmod 500, as for the ip-up copy below), and edit /etc/rc.d/rc.local to include a line that runs it. Keep in mind that rc.local runs at the end of the boot sequence, so any network services started by earlier rc.d scripts are reachable for a moment before the rules are loaded. Here's an excerpt from my /etc/rc.d/rc.local; the added lines are the comment and the call to /etc/rc.d/rc.firewall:
.
.
.
# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
echo "" > /etc/issue
echo "Red Hat Linux $R" >> /etc/issue
echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
cp -f /etc/issue /etc/issue.net
echo >> /etc/issue
# set up the IP firewall and masquerade rules
/etc/rc.d/rc.firewall
# make serial port highest priority, ide0 highest priority cascaded
/sbin/irqtune -q 3 14
.
.
.
There are two ways you can incorporate the ipfwadm script into the ip-up processing:
Copy the ipfwadm script to /etc/ppp/firewall and set its permissions to

r-x------ root root

by running the command:

chmod 500 /etc/ppp/firewall

(You need to be root to do things in /etc/ppp anyway, so the owner and group should take care of themselves when the file is created.)

Then have /etc/ppp/ip-up source the script by adding this line to it:

. /etc/ppp/firewall $*

If you don't have an /etc/ppp/ip-up script yet, here's the minimum you'll need:

#!/bin/bash
. /etc/ppp/firewall

and give it the same permissions:

r-x------ root root
Note that you may want to set up your firewall at boot-time anyway, even though the firewall is also set up every time you dial out, so that the rules are in place before any link comes up. This is simple to do: change the ISP configuration from ip-up to non-ip-up, generate a new ipfwadm script, and save that as /etc/rc.d/rc.firewall as described above. No other options need to be changed.
If you use diald and are masquerading other systems, you must do this. If you don't, the masqueraded systems won't bring up the PPP link until it has been brought up once by some other means.
In addition to the above steps, you need to have pppd pass an argument to ip-up so it can tell when the link being brought up is your link to the Internet (as opposed to an inbound PPP link). The ipfwadm script should only be executed for the Internet link. pppd's ipparam option does this: pppd invokes ip-up with the interface name, tty device, speed, local IP address, remote IP address and the ipparam string, so the string arrives as the sixth argument ($6).
If you use the diald demand-dial daemon, add the following line to diald's configuration file (/etc/diald.conf on most systems):

pppd-options ipparam internet

This tells pppd to pass "internet" as a command-line argument to /etc/ppp/ip-up. Then, in /etc/ppp/ip-up, test for it before sourcing the firewall script:

# only set up the firewall for the Internet connection
if [ "$6" = "internet" ]
then
    . /etc/ppp/firewall $*
fi
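As an added example (written for this edit; it is neither code from the original page nor TDG's output), here is a complete /etc/ppp/ip-up that combines the two steps above: it sources /etc/ppp/firewall only when pppd's sixth argument (the ipparam value) is "internet", and it refuses to source the file at all if anyone but the owner can write it, which is the hazard the chmod 500 guards against, since ip-up runs as root. The variables FIREWALL_SCRIPT and INTERNET_TAG are assumptions introduced here so the logic can be tried against a test file; the page itself hard-codes the path and the tag.

```shell
#!/bin/bash
# Added example: a guarded /etc/ppp/ip-up (not from the original page or TDG).
#
# pppd runs ip-up as:
#   /etc/ppp/ip-up <interface> <tty> <speed> <local-IP> <remote-IP> <ipparam>
# so "$6" is whatever string was handed to pppd's ipparam option.
#
# FIREWALL_SCRIPT and INTERNET_TAG are assumptions added for this example so
# the logic can be exercised on a test file; the page hard-codes
# /etc/ppp/firewall and the tag "internet".
FIREWALL_SCRIPT="${FIREWALL_SCRIPT:-/etc/ppp/firewall}"
INTERNET_TAG="${INTERNET_TAG:-internet}"

# Succeeds (returns 0) only when the six ip-up arguments describe the
# Internet link, i.e. the ipparam argument matches INTERNET_TAG.
ppp_is_internet_link() {
    [ "$#" -ge 6 ] && [ "$6" = "$INTERNET_TAG" ]
}

# Refuses a firewall script that anyone but its owner can write. ip-up runs
# as root and sources the file, so a group- or world-writable script is a
# root code-execution path; this is what the chmod 500 above prevents.
firewall_script_is_safe() {
    script="$1"
    [ -f "$script" ] || return 1
    mode=$(ls -ld "$script" | cut -c1-10)      # e.g. -r-x------
    case $mode in
        ?????w????|????????w?) return 1 ;;     # group (6th) or other (9th) write bit set
    esac
    return 0
}

# Entry point: returns 0 when the firewall was set up, 2 when this is not
# the Internet link (nothing done), 1 when the script is missing or unsafe.
ppp_ip_up() {
    ppp_is_internet_link "$@" || return 2
    firewall_script_is_safe "$FIREWALL_SCRIPT" || return 1
    # A sourced file sees the caller's positional parameters, so the ipfwadm
    # script can read $1..$6 itself; no "$*" is needed on this line.
    . "$FIREWALL_SCRIPT"
}

# When installed as /etc/ppp/ip-up, pppd supplies the six arguments; with
# fewer (for example when run by hand) nothing is done.
if [ "$#" -ge 6 ]; then
    ppp_ip_up "$@"
fi
```

Put ipparam internet in diald's pppd-options line (or in /etc/ppp/options, or on the pppd command line, when dialling without diald) so that "$6" is set; any other PPP link, inbound ones included, gets return code 2 and no firewall changes. Because the ipfwadm script is sourced rather than executed, an exit inside it would end ip-up itself, so keep the generated script free of exit calls.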