[CentOS-devel] contrib arno-iptables-firewall-1.8.8h

Boris Folgmann boris at folgmann.de
Tue Apr 3 20:22:37 UTC 2007


Following the rules on http://wiki.centos.org/HowToContribute/Packages,
I've attached my specfile for Arno's iptables firewall and am offering the
SRPM for you here:


I've been using this firewall for years now and am extremely satisfied. Why
can't every Linux daemon be configured by editing a simple, well-documented
text file? I remember only squid-cache and maybe postfix being comparably
smooth to

best regards,

-------------- next part --------------
Name:           arno-iptables-firewall
Version:        1.8.8h
Release:        1
Epoch:          0
Summary:        Single- & multi-homed firewall script with DSL/ADSL support
Group:          System Environment/Base
License:        GPL
URL:            http://rocky.molphys.leidenuniv.nl/
Source0:        http://rocky.molphys.leidenuniv.nl/iptables-firewall/arno-iptables-firewall_1.8.8h.tar.gz
Patch0:         arno-iptables-firewall-enable-seperate-fw-log.patch
BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch:      noarch
Requires:       iptables, sysklogd

%description
After installation, edit /etc/arno-iptables-firewall/firewall.conf,
try "service arno-iptables-firewall start" and, if satisfied, enable it
permanently with "chkconfig arno-iptables-firewall on".

* Very secure stateful filtering firewall
* Both kernel 2.4 & 2.6 support
* Can be used for both single- and multi-homed (e.g. dual-homed) boxes
* Masquerading (NAT) and SNAT support
* Multiple external (internet) interfaces supported
* Supports multiroute NAT & SNAT (load balancing over multiple (internet) interfaces)
* Port forwarding (NAT)
* Supports MAC address filtering
* Support for DSL/ADSL modems
* Support for PPPoE, PPPoA and bridging modem setups
* Support for static and ISP assigned (DHCP) IPs
* Support for (transparent) proxies
* Full support for DMZs and DMZ-2-LAN forwarding. You can also use it to isolate e.g. your wireless LAN.
* (Nmap) (stealth) portscan detection
* Protection against SYN-flooding (DoS attacks)
* Protection against ICMP-flooding (DoS attacks)
* Extensive user-definable logging with rate limiting to prevent log flooding
* Includes options to optimize your throughput
* User-definable open ports, closed ports, trusted hosts, blocked hosts etc.
* Log & protection options are both highly customizable
* Support for custom iptables rules in a separate file
* Can be used with the chkconfig runlevel system (e.g. RedHat/Fedora)
* Main focus on TCP/UDP/ICMP but additional support for *ALL* IP protocols
* Works with Freeswan IPSEC (VPN) & SSH Sentinel (http://www.freeswan.org) (+virtual IPs)
* Works with PoPTop PPTP (http://www.poptop.org)
* Works with UPnP
* DRDoS protection/detection (experimental)
* Easy to configure
* And much more...

%prep
%setup -q -n %{name}_%{version}
%patch0 -p1

%build
# gzip man pages
pushd man
gzip arno-fwfilter.1 arno-iptables-firewall.8
popd

%install
rm -rf $RPM_BUILD_ROOT
install -d $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d \
           $RPM_BUILD_ROOT%{_sysconfdir}/arno-iptables-firewall \
           $RPM_BUILD_ROOT%{_sbindir} \
           $RPM_BUILD_ROOT%{_mandir}/man1 $RPM_BUILD_ROOT%{_mandir}/man8
cp -r etc/arno-iptables-firewall/* $RPM_BUILD_ROOT%{_sysconfdir}/arno-iptables-firewall
# Ownership comes from defattr in the files section, so the package can be
# built as a non-root user (install -o root -g root would fail there).
install -m 755 arno-iptables-firewall            $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d
install -m 755 arno-fwfilter                     $RPM_BUILD_ROOT%{_sbindir}
install -m 644 man/arno-fwfilter.1.gz            $RPM_BUILD_ROOT%{_mandir}/man1
install -m 644 man/arno-iptables-firewall.8.gz   $RPM_BUILD_ROOT%{_mandir}/man8

%clean
rm -rf $RPM_BUILD_ROOT

%files
%defattr(-,root,root,-)
%{_sysconfdir}/rc.d/init.d/arno-iptables-firewall
%{_sbindir}/arno-fwfilter
%{_mandir}/man1/arno-fwfilter.1.gz
%{_mandir}/man8/arno-iptables-firewall.8.gz
%dir %{_sysconfdir}/arno-iptables-firewall/
%attr(600,root,root) %config %{_sysconfdir}/arno-iptables-firewall/firewall.conf
%attr(600,root,root) %config %{_sysconfdir}/arno-iptables-firewall/custom-rules
%attr(600,root,root) %config %{_sysconfdir}/arno-iptables-firewall/plugins/*.conf
%doc README CHANGELOG gpl_license.txt

%post
if [ $1 -eq 1 ]; then
        chkconfig --add arno-iptables-firewall
        # Route kernel debug messages (where the iptables LOG rules end up)
        # to their own file and have logrotate pick that file up as well.
        cat >> /etc/syslog.conf <<EOF
# Log all iptables messages to /var/log/firewall
kern.=debug                                             /var/log/firewall
EOF
        service syslog reload
        sed -e 's/\/var\/log\/messages/\/var\/log\/firewall \/var\/log\/messages/' \
            /etc/logrotate.d/syslog > /etc/logrotate.d/syslog.$$ \
            && mv /etc/logrotate.d/syslog.$$ /etc/logrotate.d/syslog
fi

%preun
if [ $1 -eq 0 ]; then
        chkconfig --del arno-iptables-firewall
        service arno-iptables-firewall stop
fi

%postun
if [ $1 -eq 0 ]; then
        grep -v "/var/log/firewall" /etc/syslog.conf > /etc/syslog.conf.$$ \
            && mv /etc/syslog.conf.$$ /etc/syslog.conf
        service syslog reload
        sed -e 's/\/var\/log\/firewall //' \
            /etc/logrotate.d/syslog > /etc/logrotate.d/syslog.$$ \
            && mv /etc/logrotate.d/syslog.$$ /etc/logrotate.d/syslog
fi

%changelog
* Tue Apr  3 2007 Boris Folgmann <boris at folgmann.de> - 1.8.8h
- Upgraded to new version

* Wed Feb  1 2006 Boris Folgmann <boris at folgmann.de> - 1.8.4d
- Initial SPEC file version.
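
The %post and %postun scriptlets in the spec above rewrite /etc/syslog.conf and /etc/logrotate.d/syslog in place through $$-suffixed temp files and append the syslog rule without checking whether it is already there. The following is an added example, not part of the submitted spec or of arno-iptables-firewall: the same log-routing change as idempotent POSIX sh functions that take the two file paths as arguments, skip an edit whose entry is already present, and use mktemp, so they can be exercised on copies of the files. The sample files in the test are constructed.

```shell
#!/bin/sh
# Idempotent version of the syslog/logrotate edit made by the spec's %post
# and %postun scriptlets (example code, not from the spec). Paths are taken
# as arguments so the functions can be run against copies of the real files.

FW_LOG=/var/log/firewall
# Same selector the scriptlet appends: kernel messages at exactly debug
# priority, which is where the firewall's iptables LOG rules are sent.
SYSLOG_RULE="kern.=debug                                             $FW_LOG"

# Replace a file's contents with the output of a command, via a mktemp file
# in the same directory instead of a predictable "$file.$$" name.
rewrite_file() {          # rewrite_file <file> <cmd...>
    f=$1; shift
    tmp=$(mktemp "$f.XXXXXX") || return 1
    "$@" > "$tmp" || :    # grep -v exits 1 when nothing is left to print
    mv "$tmp" "$f"
}

# Add the syslog rule and the logrotate entry unless they are already there.
enable_fw_log() {         # enable_fw_log <syslog.conf> <logrotate.d/syslog>
    if ! grep -q "$FW_LOG" "$1"; then
        printf '# Log all iptables messages to %s\n%s\n' "$FW_LOG" "$SYSLOG_RULE" >> "$1"
    fi
    if ! grep -q "$FW_LOG" "$2"; then
        rewrite_file "$2" sed -e "s|/var/log/messages|$FW_LOG /var/log/messages|" "$2"
    fi
}

# Undo both edits; harmless when nothing was added.
disable_fw_log() {        # disable_fw_log <syslog.conf> <logrotate.d/syslog>
    rewrite_file "$1" grep -v "$FW_LOG" "$1"
    rewrite_file "$2" sed -e "s|$FW_LOG ||" "$2"
}

# Number of lines in a file that mention the firewall log (prints 0 if none).
fw_log_refs() { grep -c "$FW_LOG" "$1" || :; }
```

Running enable_fw_log twice leaves exactly one rule in syslog.conf and one mention of the log in the logrotate stanza, which the scriptlet as written does not guarantee.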
