Iceditch functionality - Revision history

Saruman!: Reverted edits by 78.46.88.202 (Talk); changed back to last version by Saruman!

2008-10-02T21:01:12Z

Reverted edits by 78.46.88.202 (Talk); changed back to last version by Saruman!

← Older revision		Revision as of 21:01, 2 October 2008
Line 1:		Line 1:
	This page describes the functions that the Iceditch script can perform for you.		This page describes the functions that the Iceditch script can perform for you.

	~~jVYDym <a href~~=~~"http://czxqjpspjmbt.com/">czxqjpspjmbt</a>, [url~~=~~http://ubtuxtgwpuzk.com/]ubtuxtgwpuzk[/url]~~, ~~[link=http://fljbqgcuodqv~~.~~com/]fljbqgcuodqv[/link], http://ravgxyikblcz~~.~~com/~~		===Rights and security===
			Since Iceditch calls IPtables, you need root rights to call it. We therefor have not implemented any mechanism to use Iceditch as a non-root user.

	===Invoking Iceditch===		===Invoking Iceditch===

78.46.88.202: /* Rights and security */

2008-10-02T19:22:29Z

Rights and security

← Older revision		Revision as of 19:22, 2 October 2008
Line 1:		Line 1:
	This page describes the functions that the Iceditch script can perform for you.		This page describes the functions that the Iceditch script can perform for you.

	===~~Rights and security===~~		jVYDym <a href="http://czxqjpspjmbt.com/">czxqjpspjmbt</a>, [url=http://ubtuxtgwpuzk.com/]ubtuxtgwpuzk[/url], [link=http://fljbqgcuodqv.com/]fljbqgcuodqv[/link], http://ravgxyikblcz.com/
	~~Since Iceditch calls IPtables~~, ~~you need root rights to call it. We therefor have not implemented any mechanism to use Iceditch as a non-root user~~.

	===Invoking Iceditch===		===Invoking Iceditch===

Saruman!: changed rulesfile location to always be /etc/iceditch

2008-07-26T08:14:27Z

changed rulesfile location to always be /etc/iceditch

← Older revision		Revision as of 08:14, 26 July 2008
Line 27:		Line 27:
	'''-e''' will make Iceditch echo all generated IPtables commands to the console. This can be useful to test a complex configuration. ''-e'' cannot be combined with ''-E''<br>		'''-e''' will make Iceditch echo all generated IPtables commands to the console. This can be useful to test a complex configuration. ''-e'' cannot be combined with ''-E''<br>
	'''-E''' will make Iceditch echo all rules in Iceditch language. Only useful if your rulefile contains lots of conditional rules, flow control and other programming bling. ''-E'' cannot be combined with ''-e''<br>		'''-E''' will make Iceditch echo all rules in Iceditch language. Only useful if your rulefile contains lots of conditional rules, flow control and other programming bling. ''-E'' cannot be combined with ''-e''<br>
	'''-r <rulefile>''' will make Iceditch use ''<rulefile>'' instead of the default rulefile ''~~/etc/iceditch/~~rules.conf''. ''<rulefile>'' ~~can~~ be specified ~~with an absolute path, with~~ a ~~relative path from the current working directory, or without path at all~~ (~~in which case~~ Iceditch ~~assumes~~ the ~~file lives~~ in ''/etc/iceditch'').<br>		'''-r <rulefile>''' will make Iceditch use ''<rulefile>'' instead of the default rulefile ''rules.conf''. ''<rulefile>'' must be specified as a simple filename only (Iceditch expects the rulefile to live in /etc/iceditch)<br>
	'''-t <number>''' can be used only with ''safestart''; it signifies the number of minutes (1-60) that ''safestart'' must wait before it reverts the configuration.<br>		'''-t <number>''' can be used only with ''safestart''; it signifies the number of minutes (1-60) that ''safestart'' must wait before it reverts the configuration.<br>
	'''-v''' verbosity; will make Iceditch send the -v option to all commands it calls itself<br>		'''-v''' verbosity; will make Iceditch send the -v option to all commands it calls itself<br>

Saruman!: halt command cleared up

2008-07-25T18:28:16Z

halt command cleared up

← Older revision		Revision as of 18:28, 25 July 2008
Line 7:		Line 7:
	'''iceditch start \| restart \| reload'''<br>		'''iceditch start \| restart \| reload'''<br>
	The most common invocation will be the automatic startup at boot time. To this end, the script understands being called with only the "start" parameter. ''iceditch start'' will setup the firewall quietly and completely.<br>		The most common invocation will be the automatic startup at boot time. To this end, the script understands being called with only the "start" parameter. ''iceditch start'' will setup the firewall quietly and completely.<br>
	'''iceditch stop \| ~~halt~~'''<br>		'''iceditch stop \| unload'''<br>
	We don't want anyone person or process to be able to ''stop'' the firewall, so this command is accepted, but does nothing except log the attempt.<br>		We don't want anyone person or process to be able to ''stop'' the firewall, so this command is accepted, but does nothing except log the attempt.<br>
	'''iceditch clear'''<br>		'''iceditch clear'''<br>

Saruman!: /* Invoking Iceditch */ expanded safestart

2008-07-01T05:33:19Z

Invoking Iceditch: expanded safestart

← Older revision		Revision as of 05:33, 1 July 2008
Line 14:		Line 14:
	This will make Iceditch write a copy of the current configuration files. Used mainly to accommodate ''safestart''.<br>		This will make Iceditch write a copy of the current configuration files. Used mainly to accommodate ''safestart''.<br>
	'''iceditch safestart'''<br>		'''iceditch safestart'''<br>
	This will have Iceditch start the firewall, but after five minutes, it will revert to the backup configuration. This enables you to backup the current configuration, change it, and test it. If it accidentally shuts you out, it will revert to the old configuration after five minutes. Good thinking, eh? Note: requires the ~~presence~~ of the ''at'' command, where Iceditch will schedule the fallback to the old configuration.<br>		This will have Iceditch start the firewall, but after five minutes, it will revert to the backup configuration. This enables you to backup the current configuration, change it, and test it. If it accidentally shuts you out, it will revert to the old configuration after five minutes. Good thinking, eh? Note: requires that you've made a backup confiuration; if none is present, safestart will ''clear'' the firewall upon the reversion time. Furthermore this option requires availability of the ''at'' command, where Iceditch will schedule the fallback to the old configuration.<br>
	'''iceditch restore'''<br>		'''iceditch restore'''<br>
	This will make Iceditch revert to the configuration it previously backed up. Note: this command can only be run interactively, since Iceditch will tell you at which time and date the backup configuration was made, and ask you if you really want to overwrite the current configuration with the old one.		This will make Iceditch revert to the configuration it previously backed up. Note: this command can only be run interactively, since Iceditch will tell you at which time and date the backup configuration was made, and ask you if you really want to overwrite the current configuration with the old one.<br>
	'''iceditch noclear'''<br>		'''iceditch noclear'''<br>
	This command will remove the fallback to the old configuration by clearing the ''at'' fallback.		This command will remove the fallback to the old configuration by clearing the ''at'' fallback.<br>
	'''iceditch halt'''<br>		'''iceditch halt'''<br>
	This is an emergency break: it will clear all firewall rules, and then block any network traffic going in or out of your machine over any network interface - with the exception of the ''lo'' internal network adapter. When you have reason to believe your system is in some way compromised, you can throw this emergency brake. For those who don't need or want it: the configuration file can disable this emergency break.		This is an emergency break: it will clear all firewall rules, and then block any network traffic going in or out of your machine over any network interface - with the exception of the ''lo'' internal network adapter. When you have reason to believe your system is in some way compromised, you can throw this emergency brake. For those who don't need or want it: the configuration file can disable this emergency break.

Saruman!: /* Invoking Iceditch */ layout

2008-07-01T05:31:00Z

Invoking Iceditch: layout

← Older revision		Revision as of 05:31, 1 July 2008
Line 12:		Line 12:
	This clears all firewall rules, so essentially you're left with no firewall at all. Thus, you're also left without transparent proxy, NATting etcetera. Since this is inherently very unsafe, Iceditch will ''also'' disable forwarding between network interfaces.<br>		This clears all firewall rules, so essentially you're left with no firewall at all. Thus, you're also left without transparent proxy, NATting etcetera. Since this is inherently very unsafe, Iceditch will ''also'' disable forwarding between network interfaces.<br>
	'''iceditch backup'''<br>		'''iceditch backup'''<br>
	This will make Iceditch write a copy of the current configuration files. Used mainly ~~with~~ ''safestart''.		This will make Iceditch write a copy of the current configuration files. Used mainly to accommodate ''safestart''.<br>
	'''iceditch safestart'''<br>		'''iceditch safestart'''<br>
	This will have Iceditch start the firewall, but after five minutes, it will revert to the backup configuration. This enables you to backup the current configuration, change it, and test it. If it accidentally shuts you out, it will revert to the old configuration after five minutes. Good thinking, eh? Note: requires the presence of the ''at'' command, where Iceditch will schedule the fallback to the old configuration.<br>		This will have Iceditch start the firewall, but after five minutes, it will revert to the backup configuration. This enables you to backup the current configuration, change it, and test it. If it accidentally shuts you out, it will revert to the old configuration after five minutes. Good thinking, eh? Note: requires the presence of the ''at'' command, where Iceditch will schedule the fallback to the old configuration.<br>

Saruman!: /* Special options */ changed layout

2008-07-01T05:29:15Z

Special options: changed layout

← Older revision		Revision as of 05:29, 1 July 2008
Line 23:		Line 23:

	===Special options===		===Special options===
	There are a number of options that Iceditch recognises, that are listed below. Note: options cannot be grouped. Iceditch understands ''-d -e'' but not ''-de''.<br>		There are a number of options that Iceditch recognises, that are listed below. Note: options cannot be grouped. For example, Iceditch understands ''-d -e'' but not ''-de''.<br>
	'''-d''' dummy run; prevents Iceditch to actually invoke IPtables at all. Used mainly with -e or -E<br>		'''-d''' dummy run; prevents Iceditch to actually invoke IPtables at all. Used mainly with ''-e'' or ''-E'', to check a configuration.<br>
	'''-e''' will make Iceditch echo all generated IPtables commands to the console. This can be useful to test a complex configuration.<br>		'''-e''' will make Iceditch echo all generated IPtables commands to the console. This can be useful to test a complex configuration. ''-e'' cannot be combined with ''-E''<br>
	'''-E''' will make Iceditch echo all rules in Iceditch language. Only useful if your rulefile contains lots of conditional rules, flow control and other programming bling.<br>		'''-E''' will make Iceditch echo all rules in Iceditch language. Only useful if your rulefile contains lots of conditional rules, flow control and other programming bling. ''-E'' cannot be combined with ''-e''<br>
	'''-r <rulefile>''' will make Iceditch use <rulefile> instead of the default rulefile /etc/iceditch/rules.conf. <rulefile> can be specified with an absolute path, with a relative path from the current working directory, or without path at all (in which case Iceditch assumes the file lives in /etc/iceditch).<br>		'''-r <rulefile>''' will make Iceditch use ''<rulefile>'' instead of the default rulefile ''/etc/iceditch/rules.conf''. ''<rulefile>'' can be specified with an absolute path, with a relative path from the current working directory, or without path at all (in which case Iceditch assumes the file lives in ''/etc/iceditch'').<br>
	'''-t <number>''' can be used only with ''safestart''; it signifies the number of minutes (1-60) that ''safestart'' must wait before it reverts the configuration.<br>		'''-t <number>''' can be used only with ''safestart''; it signifies the number of minutes (1-60) that ''safestart'' must wait before it reverts the configuration.<br>
	'''-v''' verbosity; will make Iceditch send the -v option to all commands it calls itself<br>		'''-v''' verbosity; will make Iceditch send the -v option to all commands it calls itself<br>

Saruman!: /* Invoking Iceditch */ added backup/restore

2008-07-01T05:22:52Z

Invoking Iceditch: added backup/restore

← Older revision		Revision as of 05:22, 1 July 2008
Line 5:		Line 5:

	===Invoking Iceditch===		===Invoking Iceditch===
	'''iceditch start'''<br>		'''iceditch start \| restart \| reload'''<br>
	The most common invocation will be the automatic startup at boot time. To this end, the script understands being called with only the "start" parameter. ''iceditch start'' will setup the firewall quietly and completely.<br>		The most common invocation will be the automatic startup at boot time. To this end, the script understands being called with only the "start" parameter. ''iceditch start'' will setup the firewall quietly and completely.<br>
	~~'''iceditch restart''' and '''iceditch reload'''<br>~~		'''iceditch stop \| halt'''<br>
	~~These two invocations start up the firewall just as ''start'' does: the firewall is cleared and set up, quietly and completely.<br>~~		We don't want anyone person or process to be able to ''stop'' the firewall, so this command is accepted, but does nothing except log the attempt.<br>
	'''iceditch stop'''<br>
	We don't want anyone to be able to ''stop'' the firewall, so this command is accepted, but does nothing (except log the attempt).<br>
	'''iceditch clear'''<br>		'''iceditch clear'''<br>
	This clears all firewall rules, so essentially you're left with no firewall at all. Thus, you're also left without transparent proxy, NATting etcetera. Since this is inherently very unsafe, Iceditch will ''also'' disable forwarding between network interfaces.<br>		This clears all firewall rules, so essentially you're left with no firewall at all. Thus, you're also left without transparent proxy, NATting etcetera. Since this is inherently very unsafe, Iceditch will ''also'' disable forwarding between network interfaces.<br>
			'''iceditch backup'''<br>
			This will make Iceditch write a copy of the current configuration files. Used mainly with ''safestart''.
	'''iceditch safestart'''<br>		'''iceditch safestart'''<br>
	This will have Iceditch start the firewall, but after five minutes, it will ~~fall back~~ to the backup configuration. This enables you to backup the current configuration, change it, and test it. If it accidentally shuts you out, it will revert to the old configuration after five minutes. Good thinking, eh? Note: requires the presence of the ''at'' command, where Iceditch will schedule the fallback to the old configuration.<br>		This will have Iceditch start the firewall, but after five minutes, it will revert to the backup configuration. This enables you to backup the current configuration, change it, and test it. If it accidentally shuts you out, it will revert to the old configuration after five minutes. Good thinking, eh? Note: requires the presence of the ''at'' command, where Iceditch will schedule the fallback to the old configuration.<br>
			'''iceditch restore'''<br>
			This will make Iceditch revert to the configuration it previously backed up. Note: this command can only be run interactively, since Iceditch will tell you at which time and date the backup configuration was made, and ask you if you really want to overwrite the current configuration with the old one.
	'''iceditch noclear'''<br>		'''iceditch noclear'''<br>
	This command will remove the fallback to the old configuration by clearing the ''at'' fallback.		This command will remove the fallback to the old configuration by clearing the ''at'' fallback.

Saruman!: /* Special options */ added -t switch

2008-07-01T05:15:59Z

Special options: added -t switch

← Older revision		Revision as of 05:15, 1 July 2008
Line 26:		Line 26:
	'''-E''' will make Iceditch echo all rules in Iceditch language. Only useful if your rulefile contains lots of conditional rules, flow control and other programming bling.<br>		'''-E''' will make Iceditch echo all rules in Iceditch language. Only useful if your rulefile contains lots of conditional rules, flow control and other programming bling.<br>
	'''-r <rulefile>''' will make Iceditch use <rulefile> instead of the default rulefile /etc/iceditch/rules.conf. <rulefile> can be specified with an absolute path, with a relative path from the current working directory, or without path at all (in which case Iceditch assumes the file lives in /etc/iceditch).<br>		'''-r <rulefile>''' will make Iceditch use <rulefile> instead of the default rulefile /etc/iceditch/rules.conf. <rulefile> can be specified with an absolute path, with a relative path from the current working directory, or without path at all (in which case Iceditch assumes the file lives in /etc/iceditch).<br>
			'''-t <number>''' can be used only with ''safestart''; it signifies the number of minutes (1-60) that ''safestart'' must wait before it reverts the configuration.<br>
	'''-v''' verbosity; will make Iceditch send the -v option to all commands it calls itself<br>		'''-v''' verbosity; will make Iceditch send the -v option to all commands it calls itself<br>
	'''-V''' print the version number and exit (overrides any other option or parameter)<br>		'''-V''' print the version number and exit (overrides any other option or parameter)<br>

Saruman!: First inventory of functionality

2008-06-30T20:57:23Z

First inventory of functionality

New page

This page describes the functions that the Iceditch script can perform for you.

===Rights and security===
Since Iceditch calls IPtables, you need root rights to call it. We therefor have not implemented any mechanism to use Iceditch as a non-root user.

===Invoking Iceditch===
'''iceditch start''' 
The most common invocation will be the automatic startup at boot time. To this end, the script understands being called with only the "start" parameter. ''iceditch start'' will setup the firewall quietly and completely. 
'''iceditch restart''' and '''iceditch reload''' 
These two invocations start up the firewall just as ''start'' does: the firewall is cleared and set up, quietly and completely. 
'''iceditch stop''' 
We don't want anyone to be able to ''stop'' the firewall, so this command is accepted, but does nothing (except log the attempt). 
'''iceditch clear''' 
This clears all firewall rules, so essentially you're left with no firewall at all. Thus, you're also left without transparent proxy, NATting etcetera. Since this is inherently very unsafe, Iceditch will ''also'' disable forwarding between network interfaces. 
'''iceditch safestart''' 
This will have Iceditch start the firewall, but after five minutes, it will fall back to the backup configuration. This enables you to backup the current configuration, change it, and test it. If it accidentally shuts you out, it will revert to the old configuration after five minutes. Good thinking, eh? Note: requires the presence of the ''at'' command, where Iceditch will schedule the fallback to the old configuration. 
'''iceditch noclear''' 
This command will remove the fallback to the old configuration by clearing the ''at'' fallback.
'''iceditch halt''' 
This is an emergency break: it will clear all firewall rules, and then block any network traffic going in or out of your machine over any network interface - with the exception of the ''lo'' internal network adapter. When you have reason to believe your system is in some way compromised, you can throw this emergency brake. For those who don't need or want it: the configuration file can disable this emergency break.

===Special options===
There are a number of options that Iceditch recognises, that are listed below. Note: options cannot be grouped. Iceditch understands ''-d -e'' but not ''-de''. 
'''-d''' dummy run; prevents Iceditch to actually invoke IPtables at all. Used mainly with -e or -E 
'''-e''' will make Iceditch echo all generated IPtables commands to the console. This can be useful to test a complex configuration. 
'''-E''' will make Iceditch echo all rules in Iceditch language. Only useful if your rulefile contains lots of conditional rules, flow control and other programming bling. 
'''-r <rulefile>''' will make Iceditch use <rulefile> instead of the default rulefile /etc/iceditch/rules.conf. <rulefile> can be specified with an absolute path, with a relative path from the current working directory, or without path at all (in which case Iceditch assumes the file lives in /etc/iceditch). 
'''-v''' verbosity; will make Iceditch send the -v option to all commands it calls itself 
'''-V''' print the version number and exit (overrides any other option or parameter) 

===Logging===
Iceditch logs any (attempted) start or stop action to the syslog. When the Iceditch-built firewall runs, it can make use of the standard IPtables log facilities. These can be either logging packages to syslog, or using the ''ulogd'' logging daemon. This choice can be specified in the Iceditch configuration file, although you have to ensure yourself that ''ulogd'' actually exists on your system.