Adding an ipkungfu Firewall to Your Debian Pogoplug/Dockstar
I am definitely not a firewall wizard. In fact one of the big reasons I installed Debian on my Pogoplug was that I wasn’t comfortable setting up a firewall in optware. Personally I find Ipkungfu to be among the easiest firewalls to understand and configure.
In this case I installed on my Debian PogoPlug gray. It uses Lighttpd to serve Webdav as well as a Weblery photo gallery.
Open a terminal on your desktop/laptop and ssh into your pogoplug.
Installation is straightforward:
apt-get install ipkungfu
The configuration files reside in /etc/ipkungfu. The overall configuration file is called ipkungfu.conf. For my purposes, all of the default settings were correct. The configuration files I needed to modify were accept_hosts.conf and services.conf. The first tells the firewall what hosts to allow through the firewall. Typically, and in this case as well, this includes host on your local network and the machine you are installing the firewall upon.
# ======================================================================= # $Id: accept_hosts.conf 41 2005-10-30 23:39:47Z s0undt3ch $ # ======================================================================= # Please see the README and FAQ for more information # # IP addresses of hosts or nets to always ACCEPT # and optionally, ports they are allowed to access # Format: host[:port:protocol] # Examples: #22.214.171.124 #126.96.36.199/255.255.255.0:22:tcp # # This line allows machines on my local network through the firewall # where xx is my subnet 192.168.xx.0/24 # # This line allows the pogoplug to access itself 127.0.0.1/0
Make your changes and exit.
The second file tells the firewall what services (ports) to open up. In this case I’m opening up port 80 for Lighttpd and port 22 for ssh access.
# ======================================================================= # $Id: services.conf 146 2006-01-25 21:13:38Z trappist $ # ======================================================================= # Services needed for TOS. # Do NOT change the list bellow, unless you run these services on diferent por$ # or you want to accept their traffic. In this case add ':ACCEPT' or any # other valid target. # # Service Names and Protocols are lowercase, Targets are UPPERCASE. # # Example: # ssh:22:tcp:ACCEPT ftp-data:20:tcp ftp:21:tcp # # This line tells the firewall to allow ssh access ssh:22:tcp:ACCEPT telnet:23:tcp smtp:25:tcp domain:53:tcp:ACCEPT bootps:63:tcp # # This line tells the firewall to allow access to my web server http:80:tcp:ACCEPT pop3:110:tcp auth:113:tcp ntp:123:tcp imap:143:tcp https:443:tcp imaps:993:tcp pop3s:995:tcp socks:1080:tcp # # Add :ACCEPT to the end of each of the following 4 lines if you want to allow # samba access to your pogo (less secure--you may not want to do this) netbios-ns:137:tcp netbios-dgm:138:tcp netbios-ssn:139:tcp microsoft-ds:445:tcp # # Add additional services bellow. The rule is: # ServiceName:ServicePort:Protocol[:ACCEPT|DROP|REJECT|or any valid target)]
Ipkungfu can be tested using
assuming all is well you can, and should run it manually using
Out of the box ipkungfu only runs manually. That means, if something goes terribly wrong and you lose ssh access when you turn on your firewall a simple reboot will restore ssh access. Once you are sure all is well you can proceed to make your firewall active on startup.
Running ipkungfu automatically at startup
The flag to cause ipkungfu to start automatically is in /etc/default
# Defaults for ipkungfu initscript # sourced by /etc/init.d/ipkungfu # installed at /etc/default/ipkungfu by the maintainer scripts # # This is a POSIX shell fragment # # Additional options that are passed to the Daemon. DAEMON_OPTS="" # setting this to 1 causes ipkungfu to start automatically IPKFSTART=1