root/trunk/etcnet/docs/README.firewall

Following documentation is obsolete and should be rewritten. etcnet supports now
iptables, ip6tables and ebtables with basic support of profiles (by using 
fw/type#profile and fw/options#profile)
===================================================================================
Firewall support in /etc/net
1. Iptables configs structure

/etc/net/ifaces/default/options: You'd set CONFIG_FW to "yes" for firewall support
/etc/net/ifaces/default/fw/options: Some options for firewall (type, syntax,
default policy for chains)

/etc/net/ifaces/<IFACE>/fw/iptables:
modules: file with list of modules to load when firewall starting
syntax: file with syntax of firewall rules if you've enabled
IPTABLES_HUMAN_SYNTAX

filter: directory with chains for table filter
   |
   --INPUT: File with rules for chain INPUT
   |
   --FORWARD: File with rules for chain FORWARD
   |
   --OUTPUT: File with rules for chain OUTPUT
  
nat: directory with chains for table nat
   |
   --PREROUTING: File with rules for chain PREROUTING
   |
   --POSTROUTING: File with rules for chain POSTROUTING
   |
   --OUTPUT: File with rules for chain OUTPUT
   
mangle: directory with chains for table mangle
   |
   --PREROUTING: File with rules for chain PREROUTING
   |
   --INPUT: File with rules for chain INPUT
   |
   --FORWARD: File with rules for chain FORWARD
   |
   --OUTPUT: File with rules for chain OUTPUT
   |
   --POSTROUTING: File with rules for chain POSTROUTING

You can create your own chain by adding new file to directory. Chain name is
case-sensitive!

Each directory may contains special file "loadorder". In this case tables and
chains processed in order from this file (ony by one)

2. Rules syntax
Supported  two type of syntax:
        - raw iptables syntax
        - new "human" syntax a la ipfw
        
If you've enabled IPTABLES_HUMAN_SYNTAX in fw/options, then you can use rules
like ipfw (see examples and syntax file)

In both types of syntax you'd not to include chain or table name to rule.

You can use environment variables and even run one-string commands by using $(cmd).
If there is now output from commnd rule will not be added (this can be used
for including some configs or files with functions).

System environment variable $NAME contains current interface name.

Comments in all files must begins with #

3. How it works

When you start service network:
interface "default":
- If CONFIG_FW is yes then go step 2 otherwise go out :)
- Apply chains policy before any interface start and before forwarding is enabled
  sysctl
- Load all modules from first to last from "module" file if any
- Create all user-defined chains in all tables if any
- From each chain in each table read rules one by one, parse it (if IPTABLES_HUMAN_SYNTAX)
  and pass it to iptables
each other interface:
- Do same work except chains policy

When you stop service network:
 Do same work in case of start with some diffrences:
- All steps goes in reverse order
- If interface is not "default" then rules deleted one by one from last to first
  otherwise chain just flushed
- Modules unloads from last to first
- Reset chains policy to ACCEPT

You don't need to have all configs for all interfaces. Default rules (in
virtual "default" interface directory) are enough to setup firewall.
But you can have and start some special firewall rules for given interface
or just for clean kernel rules tables (i.e. if you have down some interface
there is no reason to have hundreds of rules for it)

There is special script /sbin/fw which can manage firewall without restarting
interface. Just run: /sbin/fw default stop and your firewall will be stopped :)

 Bugs and limitations
1. Syntax file is not completed. Some rules (especially with prefix "not") will
not work (you can patch syntax file)
2. Many other limitations :)