Iceditch functionality

From SaruWiki
Revision as of 22:57, 30 June 2008 by Saruman! (talk | contribs) (First inventory of functionality)

This page describes the functions that the Iceditch script can perform for you.

Rights and security

Since Iceditch calls IPtables, you need root rights to call it. We therefore have not implemented any mechanism to use Iceditch as a non-root user.

Invoking Iceditch

iceditch start
The most common invocation will be the automatic startup at boot time. To this end, the script understands being called with only the "start" parameter. iceditch start will set up the firewall quietly and completely.
iceditch restart and iceditch reload
These two invocations start up the firewall just as start does: the firewall is cleared and set up, quietly and completely.
iceditch stop
We don't want anyone to be able to stop the firewall, so this command is accepted, but does nothing (except log the attempt).
iceditch clear
This clears all firewall rules, so essentially you're left with no firewall at all. Thus, you're also left without transparent proxy, NATting etcetera. Since this is inherently very unsafe, Iceditch will also disable forwarding between network interfaces.
iceditch safestart
This will have Iceditch start the firewall, but after five minutes, it will fall back to the backup configuration. This enables you to back up the current configuration, change it, and test it. If it accidentally shuts you out, it will revert to the old configuration after five minutes. Good thinking, eh? Note: requires the presence of the at command, with which Iceditch schedules the fallback to the old configuration.
iceditch noclear
This command will remove the fallback to the old configuration by clearing the at fallback.
iceditch halt
This is an emergency brake: it will clear all firewall rules, and then block any network traffic going in or out of your machine over any network interface - with the exception of the lo internal network adapter. When you have reason to believe your system is in some way compromised, you can throw this emergency brake. For those who don't need or want it: the configuration file can disable this emergency brake.
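The safestart, noclear and halt invocations above, written out as an added POSIX shell example (this is not Iceditch's own code). The backup path, the job file, the reliance on at(1) printing "job N at ..." when a job is queued, and the exact iptables commands are assumptions; with ICEDITCH_DRY_RUN left at its default of 1 the script only prints the commands it would run, much as iceditch -d -e does.

```shell
#!/bin/sh
# Added example, not Iceditch's own code: the safestart / noclear / halt
# pattern in POSIX shell. Paths and the at(1) job bookkeeping are assumptions.
# With ICEDITCH_DRY_RUN=1 (the default) every command is printed, not run,
# much like "iceditch -d -e".

: "${ICEDITCH_DRY_RUN:=1}"
FALLBACK_MINUTES=5                          # the five-minute window from the page
BACKUP=/var/backups/iceditch-rules.v4       # assumed: where the running rules are saved
JOBFILE=/var/run/iceditch-fallback.job      # assumed: holds the at(1) job number

# Print one command of the plan and run it unless this is a dry run.
step() {
    printf '%s\n' "$1"
    [ "$ICEDITCH_DRY_RUN" = 1 ] || sh -c "$1"
}

# safestart: save the running rules, load the new configuration, then have
# at(1) restore the saved rules after FALLBACK_MINUTES unless noclear runs first.
# at(1) reports "job N at <time>" on stderr; the job number is kept in JOBFILE.
safestart() {
    step "iptables-save > $BACKUP"
    step "iceditch start"
    step "echo 'iptables-restore < $BACKUP' | at now + $FALLBACK_MINUTES minutes 2>&1 | awk '/^job/ {print \$2}' > $JOBFILE"
}

# noclear: the new configuration works, so drop the scheduled fallback.
noclear() {
    step "atrm \$(cat $JOBFILE) && rm -f $JOBFILE"
}

# emergency_halt: drop all traffic on every interface except lo, clear the
# rules, and stop forwarding. Policies are set to DROP before the flush so
# there is no window with an empty ACCEPT chain. A pending safestart fallback
# is cancelled first, otherwise at(1) would restore the old rules later.
emergency_halt() {
    [ -f "$JOBFILE" ] && noclear
    step "iptables -P INPUT DROP"
    step "iptables -P OUTPUT DROP"
    step "iptables -P FORWARD DROP"
    step "iptables -F"
    step "iptables -X"
    step "iptables -t nat -F"
    step "iptables -A INPUT -i lo -j ACCEPT"
    step "iptables -A OUTPUT -o lo -j ACCEPT"
    step "sysctl -w net.ipv4.ip_forward=0"
}

# Usage (as root, for real): ICEDITCH_DRY_RUN=0 sh this_script safestart
case ${1:-} in
    safestart|noclear|emergency_halt) "$1" ;;
esac
```

The one thing the halt sequence adds to the page's description is the order of operations: cancelling the at job first, so a lockdown is not silently undone by a safestart fallback that was still pending.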

Special options

There are a number of options that Iceditch recognises, that are listed below. Note: options cannot be grouped. Iceditch understands -d -e but not -de.
-d dummy run; prevents Iceditch from invoking IPtables at all. Used mainly with -e or -E
-e will make Iceditch echo all generated IPtables commands to the console. This can be useful to test a complex configuration.
-E will make Iceditch echo all rules in Iceditch language. Only useful if your rulefile contains lots of conditional rules, flow control and other programming bling.
-r <rulefile> will make Iceditch use <rulefile> instead of the default rulefile /etc/iceditch/rules.conf. <rulefile> can be specified with an absolute path, with a relative path from the current working directory, or without path at all (in which case Iceditch assumes the file lives in /etc/iceditch).
-v verbosity; will make Iceditch send the -v option to all commands it calls itself
-V print the version number and exit (overrides any other option or parameter)
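As an added example, not Iceditch's own option parser, here is how the options listed above can be handled in POSIX shell when grouping is not allowed, including the three ways -r may name its rulefile. The variable names, the VERSION value and the exit codes are assumptions.

```shell
#!/bin/sh
# Added example, not Iceditch's own option parser: parsing the options listed
# on the page when grouping is not allowed, and resolving the -r rulefile.
# Variable names and VERSION are assumptions.

VERSION=example-0.1            # assumed; the real script knows its own version
RULEDIR=/etc/iceditch          # default rulefile directory from the page

# -r <rulefile>: an absolute path is used as given, a relative path is taken
# from the current directory, and a bare name is looked for in RULEDIR.
resolve_rulefile() {
    case $1 in
        /*)  printf '%s\n' "$1" ;;
        */*) printf '%s/%s\n' "$PWD" "${1#./}" ;;
        *)   printf '%s/%s\n' "$RULEDIR" "$1" ;;
    esac
}

# Parse the command line into global variables. Returns 2 on a bad option,
# including grouped forms such as -de, which the page says are not understood.
# -V sets VERSION_ONLY so the caller prints the version and exits regardless
# of anything else on the command line.
parse_options() {
    DRY_RUN=0 ECHO_IPT=0 ECHO_RULES=0 VERBOSE=0 VERSION_ONLY=0 ACTION=
    RULEFILE=$RULEDIR/rules.conf
    while [ $# -gt 0 ]; do
        case $1 in
            -V) VERSION_ONLY=1; return 0 ;;
            -d) DRY_RUN=1 ;;
            -e) ECHO_IPT=1 ;;
            -E) ECHO_RULES=1 ;;
            -v) VERBOSE=1 ;;
            -r) [ $# -ge 2 ] || { echo "-r needs a rulefile" >&2; return 2; }
                RULEFILE=$(resolve_rulefile "$2")
                shift ;;
            -*) echo "unknown option (options cannot be grouped): $1" >&2
                return 2 ;;
            *)  ACTION=$1 ;;
        esac
        shift
    done
}

# Usage sketch for the main script:
#   parse_options "$@" || exit 2
#   [ "$VERSION_ONLY" = 1 ] && { echo "iceditch $VERSION"; exit 0; }
#   [ "$VERBOSE" = 1 ] && IPT_OPTS=-v      # pass -v on to the commands called
```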

Logging

Iceditch logs any (attempted) start or stop action to the syslog. When the Iceditch-built firewall runs, it can make use of the standard IPtables log facilities. These can be either logging packets to syslog, or using the ulogd logging daemon. This choice can be specified in the Iceditch configuration file, although you have to make sure yourself that ulogd actually exists on your system.
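The check the last sentence asks of you, as an added POSIX shell example that is not part of Iceditch: pick the iptables log target from the configured logger and fall back to syslog when ulogd is configured but not installed. The configuration key name, the NFLOG group number and the log prefix are assumptions.

```shell
#!/bin/sh
# Added example, not Iceditch's own code: choose the iptables log target from
# the configured logger and verify that ulogd is really installed before
# relying on it. The NFLOG group and the log prefix are assumptions; ulogd is
# assumed to listen on NFLOG group 1.

# Return the iptables target expression for the configured logger.
# $1: configured value, "syslog" or "ulogd" (empty means syslog)
# $2: path of the ulogd binary, or empty when it is not installed
log_target() {
    case $1 in
        ulogd)
            if [ -n "$2" ]; then
                printf '%s\n' 'NFLOG --nflog-group 1'
            else
                echo "ulogd configured but not found; falling back to syslog" >&2
                printf '%s\n' 'LOG --log-prefix "iceditch: "'
            fi ;;
        syslog|"")
            printf '%s\n' 'LOG --log-prefix "iceditch: "' ;;
        *)
            echo "unknown logger '$1'" >&2; return 2 ;;
    esac
}

# Emit a log-then-drop pair for the end of a chain ($3), e.g. INPUT.
log_and_drop_rule() {
    target=$(log_target "$1" "$2") || return 2
    printf 'iptables -A %s -j %s\niptables -A %s -j DROP\n' "$3" "$target" "$3"
}

# Typical call from the main script, LOGGER being the configured value:
#   log_and_drop_rule "$LOGGER" "$(command -v ulogd)" INPUT
```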