Firewall for FREESCO 027 for paranoid people

A note about this article:
a third-party add-on firewall with an identical name (Firewall for paranoid people) is available at
I'm not sure if that firewall is in any way related to the article below, but I think it's probably easier and safer? to use that solution.

dingetje 2004/11/30 18:59

What is it?

The name says it all. This firewall is for very paranoid people. It does its best to hide every sign that you are online: all ports are filtered or “stealthed”, it does not respond to pings at all, and it even has spoofing checks in place.

To go to the next paranoid step, all outgoing ports (under 1024) are also blocked. In the setup, you tell it what you want to have access to: HTTP, POP, SMTP, FTP, etc. Each can be turned off or on. Port forwarding now works in this version; it will open the required ports. The ban list now works too.

I do not yet have it set up to open ports for Freesco services. So if you are running an HTTP server on Freesco for the world to see, this firewall will block it.

This firewall is set up for a two-connection system only: one ethernet interface for the Internet and one for the local net, OR one dial-up connection and one ethernet interface for the local connection. It is not going to work with 3 NICs, and I don't think it will work for dial-in connections. This is for a NAT/firewall type setup for Freesco, to keep the Internet out of your system. It is not going to work on a bridge or other types of Freesco installs.

This firewall works by loading after the rc_masq file, clearing out all of its settings and creating new ones with ipfwadm. If you think it is causing a problem, move the rc_fire file somewhere else and reboot for a test. This firewall is not for the Linux beginner.

I am open to all comments. I do have plans for V1.6 and would like to hear all suggestions on what to add.

No package, but it does fit on a floppy install.

Freesco Firewall for Paranoid People

Made for modem install. Will work on an ethernet system. *Only works with 2 NICs, or a modem and 1 NIC.*

This firewall was made and modified for use in Freesco 0.2.7. Some of the lines have been swiped out of rc_masq as well. Parts were also copied from posts and suggestions from the guys at the Freesco forum. Thanks.

This firewall was created and is maintained by BigHomeNet and TechieM2, due to the lack of a good firewall script for Freesco. It was created by trial and error, as few docs are around for the ipfwadm command. We are still not sure how it all works. With an understanding like that, bugs and holes are bound to happen. Please email with any suggestions and fixes.

Things to fix

Fixed in V1.5: Port forwarding not installed. Other settings in the Freesco setup that deal with opening ports to the outside world may not work.

Fixed in V1.4: Problem with diald. Only a request from the DNS server will kick it over and dial. A hole in the firewall is *not* created for Freesco's web server if public is selected. Same for telnet and other services.

Things this firewall does

Does not let in any incoming packets, pings, or anything: deny on everything, AKA “Stealth”. Outgoing packets are denied unless a hole (port) below is punched for them. Built-in holes are below for common ports and programs. Enable what you need.

This firewall now supports port forwarding and blocking. However, the firewall needs to be restarted for changes to take effect. For a dial-up connection, hang up and reconnect. For ethernet, a full reboot is required.

Last Changed 6-18-01

Version 1.0 First version that worked. :)

Version 1.1 Fixed DHCP again. I think.

Version 1.2 Cleaned up script. Added deny lines to stop ip spoofing and other hacks. Added lines for ICQ support. Added docs. Added version info to status.

Version 1.3 Added support for NTP clients. Added support for CallWave. Programs like ICQ and Callwave are now disabled by default. See list below.

Version 1.4 Massive changes. Port 113 (auth) can now be closed and not stealthed. This is to fix a delay with some email servers. Reworked the services setup. Each service can now be turned off or on by a simple change from yes to no below. This firewall will now autodetect the Freesco time (ntpdate) client and will create a port for it. Not tested too well, and it can cause delays as it tries to look up the IP address. Putting in the IP address in place of in the Freesco setup should fix that. It will now also autodetect the DNS servers and create open ports only to them. Might have fixed the masquerade problem and Dial-On-Demand. Not sure. Ports are only created for the DHCP client if it is needed. Seems not to be used for a dial-up connection.

Version 1.5 Firewall now displays info on tty3 and in the log. Made it look a little better in the log. Added connection shutdown: when the connection drops, all incoming and outgoing ports are closed and the firewall is taken down to just the basics required to get it to dial. Refined the port 113 (auth) setup for mail servers. You can now enter up to 5 problem email systems and a closed port will be shown only to them. Incoming and outgoing ports are created. Fixed the problem with needing to turn on the auth client for authd to work for email systems. Got FTP port mode working. The ban list now works. It now reads foward.cfg and pokes holes in the firewall for the forward ports.


I boosted the IQ of this firewall. It can now figure out the IP address of the Internet connection without any help from the ip-up file. You can also run it from the command line by typing rc_fire. No need to tack on the IP address anymore. It also figures out the local and Internet interfaces along with the local IP range. No need to set them by hand. This readme was split off into its own file. The firewall was getting too big to fit on a floppy!!

Version 1.5b Changed to work with an ethernet connection and to be launched on bootup. Fixed a small bug with connection shutdown.

Version 1.5c More changes to make it quicker to install. You can upgrade the rc_fire file (pre V1.5c) with this new version and it will work. However, for a new install, look at the install docs below. Things have changed. Might be a good idea to make the changes anyway. This firewall will now figure out if you are connected or not. If it does not find an active ppp0 connection it will go into shutdown mode. The rc_fire file is now stored in the /mnt/router/rc/rcuser directory. It starts at boot time and loads the firewall. If no connection is found, it goes into shutdown mode. Shutdown mode only works on a dial-up connection.
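A cut-down rule set in the style this readme describes (flush what rc_masq left, default deny on every chain, spoof checks on the Internet side, port 113 rejected rather than stealthed, DNS only to the configured resolvers, outbound holes per enabled service), written as an added example for this page and not taken from the rc_fire script itself. It assumes a 2.0-kernel ipfwadm at /sbin/ipfwadm, a DRY_RUN variable that prints the rules instead of applying them, and made-up interface names and resolver addresses; the spoof check goes slightly beyond the page by listing all RFC 1918 ranges.

```shell
#!/bin/sh
# Added example, not the page's rc_fire: a cut-down "paranoid" ipfwadm rule set
# for a two-interface NAT box running a 2.0 kernel such as FREESCO 0.2.7.
# Assumed: ipfwadm lives at $IPFWADM; DRY_RUN=1 prints the rules instead of applying.
IPFWADM=${IPFWADM:-/sbin/ipfwadm}
fw() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "ipfwadm $*"; else "$IPFWADM" "$@"; fi; }

# Punch one outbound TCP client hole: LAN traffic is masqueraded on the way out,
# and only replies with ACK set (-k) may come back in, never a new connection.
tcp_client_hole() {  # tcp_client_hole EXT_IF LAN_NET PORT
    fw -F -a masquerade -W "$1" -P tcp -S "$2" 1024:65535 -D 0/0 "$3"
    fw -O -a accept -W "$1" -P tcp -S 0/0 1024:65535 -D 0/0 "$3"
    fw -I -a accept -k -W "$1" -P tcp -S 0/0 "$3" -D 0/0 1024:65535
}

# paranoid_rules EXT_IF LAN_IF LAN_NET "DNS1 DNS2 ..." "SERVICE ..."
paranoid_rules() {
    ext=$1; lif=$2; lan=$3; dns=$4; svcs=$5
    # Wipe whatever rc_masq left and default every chain to deny: packets are
    # dropped without any reply, which is what "stealthed" means here.
    for chain in -I -O -F; do fw $chain -f; fw $chain -p deny; done
    # Anti-spoofing: our own LAN range, loopback and the RFC 1918 blocks can
    # never legitimately arrive on the Internet side; log the attempt (-o).
    for net in "$lan" 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        fw -I -a deny -o -W "$ext" -S "$net" -D 0/0
    done
    # The LAN side is trusted: the router and its own network talk freely.
    fw -I -a accept -W "$lif" -S "$lan" -D 0/0
    fw -O -a accept -W "$lif" -S 0/0 -D "$lan"
    # Port 113 (auth): reject rather than deny, so a mail server probing ident
    # sees a closed port at once instead of waiting on a stealthed one.
    fw -I -a reject -W "$ext" -P tcp -S 0/0 -D 0/0 113
    # DNS is allowed only to the resolvers actually configured, nowhere else.
    for srv in $dns; do
        fw -O -a accept -W "$ext" -P udp -S 0/0 1024:65535 -D "$srv" 53
        fw -I -a accept -W "$ext" -P udp -S "$srv" 53 -D 0/0 1024:65535
        fw -F -a masquerade -W "$ext" -P udp -S "$lan" 1024:65535 -D "$srv" 53
    done
    # Every other outbound port stays shut unless its service is switched on.
    for svc in $svcs; do
        case $svc in
            http) tcp_client_hole "$ext" "$lan" 80 ;;
            pop)  tcp_client_hole "$ext" "$lan" 110 ;;
            smtp) tcp_client_hole "$ext" "$lan" 25 ;;
            *)    echo "paranoid_rules: unknown service '$svc'" >&2; return 1 ;;
        esac
    done
}
```

Run it as `DRY_RUN=1 sh -c '. ./rules.sh; paranoid_rules ppp0 eth0 192.168.0.0/24 "10.1.1.1" "http pop"'` to review the generated rules before applying them.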

How to install, !! Modem Users ONLY !!

1) In the rc_fire file, edit the services section to turn on the services you want. It's at the top.
2) Save the rc_fire file to the /mnt/router/rc/rcuser directory.
3) chmod +x rc_fire
4) Edit the file /mnt/router/ppp/ip-up
5) Under the "#Add commands here" line add "/rc/rcuser/rc_fire" <- including quotes
6) A few lines down, change >/temp/state to >>/temp/state
7) Edit the file /mnt/router/ppp/ip-down
8) Under the "#Add command here" line add "/rc/rcuser/rc_fire" <- including quotes
9) Save and reboot. The firewall will be started on every connect and on boot. A new line in the web admin panel, under status, will say “Firewall at…
10) Good luck!

How to install, !! Ethernet Users ONLY !!

1) In the rc_fire file, edit the services section to turn on the services that you want. It's at the top.
2) Save the rc_fire file to the /mnt/router/rc/rcuser directory.
3) chmod +x rc_fire
4) Reboot. The firewall will start on boot.

Copyright from

Copyright (C) 1997, 1998, 1999, 2000 Robert L. Ziegler Permission to use, copy, modify, and distribute this software and its documentation for educational, research, private and non-profit purposes, without fee, and without a written agreement is hereby granted. This software is provided as an example and basis for individual firewall development. This software is provided without warranty.

Any material furnished by Robert L. Ziegler is furnished on an “as is” basis. He makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose, exclusivity or results obtained from use of the material.

freesco/howtos/freesco_firewall_for_paranoid_people.txt · Last modified: 2005/09/14 00:49 (external edit)