ferm – extremely easy, powerful firewall

Ferm is an iptables front-end. It lets you configure your iptables firewall in easy-to-read, structured configuration files, without writing complex iptables rules by hand.

How to install ferm

Ferm is available as a package for Debian and other distributions. Check the official website.

If you want to install ferm from source, download it from the ferm website, extract it and run:

user@computer:$ make install

Configuration file language

Ferm makes things simple:

chain (INPUT OUTPUT) {
    proto (udp tcp) ACCEPT;
}

This inserts four rules, two in chain INPUT and two in chain OUTPUT, matching and accepting both udp and tcp packets.

In Iptables you would have to do a bit more typing ;)

iptables -A INPUT -p tcp -j ACCEPT
iptables -A OUTPUT -p tcp -j ACCEPT
iptables -A INPUT -p udp -j ACCEPT
iptables -A OUTPUT -p udp -j ACCEPT

The C-like structure is easy to understand, and you can use variables, functions and tests (if/else).
You can read more about those in the ferm manual.

Example configuration file (ferm.conf)

# Interfaces
@def $DEV_LOCAL = lo;
@def $DEV_LAN = eth1;
@def $DEV_INTERNET = eth0;

# Ports
@def $PORTS = (ftp http);

# Known IPs
@def $SSH_ALLOWED = (195.111.25.61 95.155.41.172);
@def $SSH_DYNDNS = @resolve((joe.dyndns.com joe2.homelinux.net));

# SSH Clients
@def $SSH_CLIENTS = ($SSH_ALLOWED $SSH_DYNDNS);

table filter {
    chain INPUT {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local connections
        interface $DEV_LOCAL ACCEPT;
        interface $DEV_LAN ACCEPT;

        # respond to ping
        proto icmp icmp-type echo-request ACCEPT;

        # our services to the world
        proto tcp dport $PORTS ACCEPT;

        # SSH: accept only from the known clients listed above
        saddr $SSH_CLIENTS proto tcp dport ssh ACCEPT;

        # the rest is dropped by the above policy
    }

    # outgoing connections are not limited
    chain OUTPUT policy ACCEPT;

    # this is not a router
    chain FORWARD policy DROP;
}

This configuration file sets the default INPUT policy to DROP, accepts unrestricted incoming connections on the http and ftp ports, and accepts SSH connections only from the listed IPs and resolved hostnames. Everything else arriving from the outside is dropped by the policy.
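To make the rule fan-out concrete, here is an added example (not part of the original post and not ferm's own code): a toy expander for a small subset of the ferm language that turns nested blocks with (lists) into the iptables commands they stand for, exactly the way the `chain (INPUT OUTPUT) { proto (udp tcp) ACCEPT; }` snippet above becomes four rules, and the way the INPUT chain of the example config becomes one rule per port and per SSH client. The supported grammar, the keyword-to-option table and the constructed sample config (eth1, the port list and the 192.0.2.x documentation addresses are placeholders) are assumptions of this example; @resolve, functions and @if are not handled, and the order in which rules are emitted is this toy's, not necessarily ferm's.

```python
"""Toy expander for a subset of the ferm configuration language.

Added example, not ferm's own code. Supported (an assumption of this
example): @def $VAR = value; nested { } blocks; (lists); policy; the
match keywords in FLAGS; the targets in TARGETS. Nothing else.
"""
import itertools
import re

# ferm match keyword -> iptables option it becomes (subset, assumed)
FLAGS = {
    "proto": "-p", "dport": "--dport", "sport": "--sport",
    "saddr": "-s", "daddr": "-d", "interface": "-i", "outerface": "-o",
    "mod": "-m", "icmp-type": "--icmp-type",
}
TARGETS = {"ACCEPT", "DROP", "REJECT", "LOG", "RETURN"}

# Constructed sample config, not the post's file. 192.0.2.0/24 is a
# documentation range; eth1 and the port list are placeholders.
SAMPLE = """
@def $DEV_LAN = eth1;
@def $PORTS = (ftp http);
@def $SSH_ALLOWED = (192.0.2.10 192.0.2.11);
table filter {
    chain INPUT {
        policy DROP;
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;   # one rule
        interface $DEV_LAN ACCEPT;
        proto tcp dport $PORTS ACCEPT;                  # two rules
        saddr $SSH_ALLOWED proto tcp dport ssh ACCEPT;  # two rules
    }
    chain OUTPUT policy ACCEPT;
}
chain (INPUT OUTPUT) { proto (udp tcp) ACCEPT; }        # 2 x 2 = 4 rules
"""


def tokenize(text):
    """Split config text into tokens; '#' comments run to end of line."""
    text = re.sub(r"#[^\n]*", "", text)
    return re.findall(r"[(){};=]|[^\s(){};=]+", text)


def parse_value(tokens, i, variables):
    """Parse the value at tokens[i]: a word, a $variable or a (list).
    Returns (list_of_strings, index_after_value); nested lists flatten."""
    if tokens[i] == "(":
        values, i = [], i + 1
        while tokens[i] != ")":
            part, i = parse_value(tokens, i, variables)
            values.extend(part)
        return values, i + 1
    tok = tokens[i]
    if tok.startswith("$"):
        if tok not in variables:
            raise ValueError(f"undefined variable {tok}")
        return list(variables[tok]), i + 1
    return [tok], i + 1


def expand(text):
    """Return the iptables command lines the config expands to, in order."""
    tokens = tokenize(text)
    variables, rules = {}, []

    def emit(pairs, target):
        # Every list value multiplies the rule count (Cartesian product),
        # except 'state', which iptables takes as one comma-joined list.
        keys = [k for k, _ in pairs if k != "state"]
        vals = [v for k, v in pairs if k != "state"]
        states = [v for k, v in pairs if k == "state"]
        for combo in itertools.product(*vals):
            kv = dict(zip(keys, combo))
            chain = kv.pop("chain", None)
            if chain is None:
                raise ValueError("rule outside of a chain")
            table = kv.pop("table", "filter")
            cmd = "iptables" if table == "filter" else f"iptables -t {table}"
            policy = kv.pop("policy", None)
            if policy is not None:                 # 'policy X;' -> -P
                rules.append(f"{cmd} -P {chain} {policy}")
                continue
            if target is None:
                raise ValueError(f"rule in chain {chain} has no target")
            parts = [f"{cmd} -A {chain}"]
            for k, v in kv.items():
                if k not in FLAGS:
                    raise ValueError(f"unsupported keyword {k}")
                parts.append(f"{FLAGS[k]} {v}")
            parts += [f"--state {','.join(s)}" for s in states]
            parts.append(f"-j {target}")
            rules.append(" ".join(parts))

    def parse_block(i, context):
        # context: (keyword, values) pairs inherited from enclosing blocks
        while i < len(tokens) and tokens[i] != "}":
            if tokens[i] == "@def":
                name = tokens[i + 1]
                if tokens[i + 2] != "=":
                    raise ValueError(f"bad @def for {name}")
                variables[name], i = parse_value(tokens, i + 3, variables)
                i += 1  # skip ';'
                continue
            pairs, target = list(context), None
            while tokens[i] not in (";", "{"):
                key = tokens[i]
                if key in TARGETS:
                    target, i = key, i + 1
                else:
                    values, i = parse_value(tokens, i + 1, variables)
                    pairs.append((key, values))
            if tokens[i] == "{":
                i = parse_block(i + 1, pairs) + 1  # skip the closing '}'
            else:
                emit(pairs, target)
                i += 1  # skip ';'
        return i

    parse_block(0, [])
    return rules


if __name__ == "__main__":
    for rule in expand(SAMPLE):
        print(rule)
```

Running the script prints thirteen iptables commands for the sample: one `-P` per policy line, one `-A` per combination of list values in each rule. Counting the emitted lines for a block is a quick way to check that a list in a saddr or dport does what you expect before loading the real thing with ferm.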

Running ferm

To load your rules:

user@computer:$ ferm ferm.conf
  • http://cga.cx cga

    hi,

    first things first: nice article.

    i’m starting to use ferm since i want a firewall and a powerful easy setup tool for it.

    ferm really rocks but i don’t know it very much yet. i’ve just started using it and googling for what i need to know. that’s how i “stumbled” upon your blog.

    i’m trying to enable ssh on a certain port (let’s say 10000), here’s what i’m trying:

    # allow SSH connections
    proto tcp dport 10000 ACCEPT;
    proto (ssh) ACCEPT;

    but if i test it i get:

    ferm -n -l /etc/ferm/ferm.conf

    [...]
    -A INPUT --protocol tcp --dport 10000 --jump ACCEPT
    -A INPUT --protocol ssh --jump ACCEPT
    [...]

    from what i can see and understand, that would accept incoming to port 10000 but also on ssh (which defaults to 22).

    what i’d like to achieve is to have only port 10000 and not 22 enabled since my sshd_config has port 10000 set and i don’t want more ports open than the ones i need.

    can you help me please?
    thanks


    cga

    • http://www.krzywanski.net/ Artur

      Hi,

      Try without the second line.

  • http://cga.cx cga

    hi,

    thanks for the fast reply, i figured out a few things in the meanwhile =)

    now i have (thanks to your example config) a quite nice firewall.

    the only one more question is: you define a $DEV_INTERNET but it seems to me that you don’t use it. what’s the point of defining an interface and not using it?

    anyway if i test the config it says it’s ok and shows the rules. even iptables -L does it right. it’s only that i don’t understand this “misconfiguration”

    please
    thanks


    cga

  • http://cga.cx cga

    oh i forgot: the icmp seems to not work. if i ping my server it does not respond to ping.


    cga

  • http://cga.cx cga

    sorry for flooding. my bad. now icmp is working.

    ferm kicks asses. man i’m building a firewall with extreme ease.

  • 3ED

    If you set “policy drop” do you need to add “invalid drop”? Isn’t it automatically dropped anyway? :>

    • http://www.krzywanski.net/ Artur

      Might be. I took this bit from the Ferm manual ;)