Adding an ipkungfu Firewall to Your Debian Pogoplug/Dockstar

Overview

I am definitely not a firewall wizard. In fact, one of the big reasons I installed Debian on my Pogoplug was that I wasn’t comfortable setting up a firewall in optware. Personally, I find ipkungfu to be among the easiest firewalls to understand and configure.

In this case I installed on my Debian PogoPlug gray. It uses Lighttpd to serve Webdav as well as a Weblery photo gallery.

Installation/Configuration

Open a terminal on your desktop/laptop and ssh into your pogoplug.

ssh root@your-pogoplug-ip-address

Installation is straightforward:

apt-get install ipkungfu

The configuration files reside in /etc/ipkungfu. The overall configuration file is called ipkungfu.conf. For my purposes, all of the default settings were correct. The configuration files I needed to modify were accept_hosts.conf and services.conf. The first tells the firewall which hosts to always allow through. Typically, and in this case as well, this includes the hosts on your local network and the machine you are installing the firewall on.

Begin the configuration:

cd /etc/ipkungfu
nano accept_hosts.conf

# =======================================================================
# $Id: accept_hosts.conf 41 2005-10-30 23:39:47Z s0undt3ch $
# =======================================================================

# Please see the README and FAQ for more information
#
# IP addresses of hosts or nets to always ACCEPT
# and optionally, ports they are allowed to access
# Format: host[:port:protocol]

# Examples:
#208.13.100.12
#64.3.0.0/255.255.255.0:22:tcp
#
# This line allows machines on my local network through the firewall 
# where xx is my subnet
192.168.xx.0/24
#
# This line allows the pogoplug to access itself
# (a /0 mask would match every source address, not just this host)
127.0.0.1

Make your changes and exit.

The second file tells the firewall what services (ports) to open up. In this case I’m opening up port 80 for Lighttpd and port 22 for ssh access.

nano services.conf

# =======================================================================
# $Id: services.conf 146 2006-01-25 21:13:38Z trappist $
# =======================================================================

# Services needed for TOS.
# Do NOT change the list below, unless you run these services on different ports
# or you want to accept their traffic. In this case add ':ACCEPT' or any
# other valid target.
#
# Service Names and Protocols are lowercase, Targets are UPPERCASE.
#
# Example:
#       ssh:22:tcp:ACCEPT
ftp-data:20:tcp
ftp:21:tcp
#
# This line tells the firewall to allow ssh access
ssh:22:tcp:ACCEPT

telnet:23:tcp
smtp:25:tcp
domain:53:tcp:ACCEPT
bootps:63:tcp
#
# This line tells the firewall to allow access to my web server
http:80:tcp:ACCEPT
pop3:110:tcp
auth:113:tcp
ntp:123:tcp
imap:143:tcp
https:443:tcp
imaps:993:tcp
pop3s:995:tcp
socks:1080:tcp
#
# Add :ACCEPT to the end of each of the following 4 lines if you want to allow
# samba access to your pogo (less secure--you may not want to do this)
netbios-ns:137:tcp
netbios-dgm:138:tcp
netbios-ssn:139:tcp
microsoft-ds:445:tcp
#
# Add additional services below. The rule is:
#   ServiceName:ServicePort:Protocol[:ACCEPT|DROP|REJECT|any valid target]
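Before starting the firewall it is worth checking what the two files above will actually do. The following script is an added example, not part of this post or of ipkungfu itself: it lists the services.conf entries that carry an explicit ACCEPT (everything else falls through to ipkungfu's default handling) and warns if an accept_hosts.conf entry ends in a /0 mask, which matches every source address rather than one host. The sample files it writes are constructed to mirror the entries discussed here; on a real box point it at /etc/ipkungfu/*.conf.

```shell
#!/bin/sh
# Added checker (not part of ipkungfu): summarise what a services.conf will
# explicitly ACCEPT, and flag accept_hosts.conf entries with a /0 mask, which
# would match every source address rather than a single host.
# Paths below are constructed sample files; on a real box use /etc/ipkungfu/*.conf.

# Print "name port proto target" for each active line; "-" if no target given.
list_services() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while IFS=: read -r name port proto target; do
        printf '%s %s %s %s\n' "$name" "$port" "$proto" "${target:--}"
    done
}

# Print only the port/proto pairs that carry an explicit ACCEPT target.
accepted_ports() {
    list_services "$1" | awk '$4 == "ACCEPT" { print $2 "/" $3 }'
}

# Return 1 (and print a warning) if any accept_hosts entry uses a /0 mask.
check_accept_hosts() {
    bad=$(grep -v '^[[:space:]]*#' "$1" | cut -d: -f1 | grep '/0$' || true)
    if [ -n "$bad" ]; then
        printf 'WARNING: /0 mask matches every source address: %s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample configs mirroring the entries discussed in the post.
SAMPLE_DIR=$(mktemp -d)
SERVICES="$SAMPLE_DIR/services.conf"
HOSTS="$SAMPLE_DIR/accept_hosts.conf"
cat > "$SERVICES" <<'EOF'
# comments and blank lines are ignored
ftp:21:tcp
ssh:22:tcp:ACCEPT
domain:53:tcp:ACCEPT
http:80:tcp:ACCEPT
netbios-ssn:139:tcp
EOF
cat > "$HOSTS" <<'EOF'
192.168.1.0/24
127.0.0.1/0
EOF

echo "Explicitly accepted:"; accepted_ports "$SERVICES"
check_accept_hosts "$HOSTS" || echo "fix accept_hosts.conf before running ipkungfu"
```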

Testing

Ipkungfu can be tested using

ipkungfu -t

Assuming all is well, you can (and should) run it manually using

ipkungfu

Out of the box, ipkungfu only runs when started manually. That means that if something goes terribly wrong and you lose ssh access when you turn on the firewall, a simple reboot will restore it, since the rules are not reloaded at boot. Once you are sure all is well you can proceed to make your firewall active on startup.

Running ipkungfu automatically at startup

The flag that causes ipkungfu to start automatically is in /etc/default:

cd /etc/default/
nano ipkungfu

# Defaults for ipkungfu initscript
# sourced by /etc/init.d/ipkungfu
# installed at /etc/default/ipkungfu by the maintainer scripts

#
# This is a POSIX shell fragment
#

# Additional options that are passed to the Daemon.
DAEMON_OPTS=""
# setting this to 1 causes ipkungfu to start automatically
IPKFSTART=1
