01.30
Ferm is an iptables front-end. It lets you configure your iptables firewall in easy-to-read, structured configuration files without writing complex iptables rules by hand.
How to install ferm
Ferm is available as a package for Debian and other distributions; check the official website.
If you want to install ferm from source, download it from the ferm website, extract it and run:
Configuration file language
Ferm makes things simple:
chain (INPUT OUTPUT) {
    proto (udp tcp) ACCEPT;
}
This will insert 4 rules, 2 in chain INPUT and 2 in chain OUTPUT, matching and accepting both UDP and TCP packets.
In iptables you would have to do a bit more typing:
iptables -A INPUT -p udp -j ACCEPT
iptables -A INPUT -p tcp -j ACCEPT
iptables -A OUTPUT -p udp -j ACCEPT
iptables -A OUTPUT -p tcp -j ACCEPT
The C-like structure is easy to understand, and you can use variables, functions and conditionals (if/else).
You can read more about these in the ferm manual.
Example configuration file (ferm.conf)
@def $DEV_LOCAL = lo;
@def $DEV_LAN = eth1;
@def $DEV_INTERNET = eth0;

# Ports
@def $PORTS = (ftp http);

# Known IPs
@def $SSH_ALLOWED = (195.111.25.61 95.155.41.172);
@def $SSH_DYNDNS = @resolve((joe.dyndns.com joe2.homelinux.net));

# SSH Clients
@def $SSH_CLIENTS = ($SSH_ALLOWED $SSH_DYNDNS);

table filter {
    chain INPUT {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local connections
        interface $DEV_LOCAL ACCEPT;
        interface $DEV_LAN ACCEPT;

        # respond to ping
        proto icmp icmp-type echo-request ACCEPT;

        # our services to the world
        proto tcp dport $PORTS ACCEPT;

        # SSH log and accept
        saddr $SSH_CLIENTS proto tcp dport ssh ACCEPT;

        # the rest is dropped by the above policy
    }

    # outgoing connections are not limited
    chain OUTPUT policy ACCEPT;

    # this is not a router
    chain FORWARD policy DROP;
}
This configuration file sets the default INPUT policy to DROP, allows unrestricted connections to the HTTP and FTP ports, and allows SSH connections only from the listed IPs.
Running ferm
To load your rules:
hi,
first things first: nice article.
i’m starting to use ferm since i want a firewall and a powerful easy setup tool for it.
ferm really rocks but i don’t know it very much yet. i’ve just started using it and googling for what i need to know. that’s how i “stumbled” upon your blog.
i’m trying to enable ssh on a certain port (let’s say 10000) , here’s what i’m trying:
# allow SSH connections
proto tcp dport 10000 ACCEPT;
proto (ssh) ACCEPT;
but if i test it i get:
ferm -n -l /etc/ferm/ferm.conf
[...]
-A INPUT --protocol tcp --dport 10000 --jump ACCEPT
-A INPUT --protocol ssh --jump ACCEPT
[...]
from what i can see and understand, that would accept incoming to port 10000 but also on ssh (which defaults to 22).
what i’d like to achieve is to have only port 10000 and not 22 enabled since my sshd_config has port 10000 set and i don’t want more ports open than the ones i need.
can you help me please?
thanks
–
cga
Hi,
Try without the second line.
hi,
thanks for the fast reply, i figured out a few things in the meanwhile =)
now i have (thanks to your example config) a quite nice firewall.
one more question: you define a $DEV_INTERNET but it seems to me that you don’t use it. what’s the point of defining an interface and not using it?
anyway if i test the config it says it’s ok and shows the rules. even iptables -L does it right. it’s only that i don’t understand this “misconfiguration”
please
thanks
–
cga
oh i forgot: the icmp seems to not work. if i ping my server it does not respond to ping.
–
cga
sorry for flooding. my bad. now icmp is working.
ferm kicks asses. man i’m building a firewall with extreme ease.
If you set “policy drop” do you need to add “invalid drop”? Isn’t it automatically dropped anyway? :>
Might be. I took this bit from the Ferm manual.