/etc/netscript/README is in netscript-2.4 5.2.9ubuntu1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
Netscript Configuration files
The files found in this directory are for an alternative network configuration
and IP filtering system for kernel 2.4 based on /bin/sh. This system is
designed for use with a routing daemon like zebra. This system also uses
iproute.
Most of what you should really have to edit is found in network.conf.
The files and their uses are as follows:

network.conf         General network, bridging, QoS and some iptables
                     configuration items. Comments in here contain the current
                     documentation on the configuration items, which can even
                     handle pppd, wanconfig, and ciped. Configuration variables
                     for ipfilter-defs are also in here.
ipfilter.conf        The shell script used to set up the iptables
                     filtering/masquerading etc.
if.conf              Lower level functions for configuring interfaces.
qos.conf             Functions to configure Quality of Service using /sbin/tc.
ipfilter-defs.conf   Functions to help with the iptables-defs and netscript
                     compile firewalling tool.
ipfilter-defs        Directory containing firewall definition tables that are
                     compiled into the functions in ipfilter-defs-compiled.conf.
You should be able to do most things by editing the settings in network.conf.
See below for more details on this recommended editing policy.
You will have to configure the firewall using the iptables commands directly,
or using the ipfilter-defs mentioned above. Have a look at the README file in
the ipfilter-defs directory. It will tell you where to start.
Don't forget to save the configurations using the
'netscript ipfilter|ip6filter save' commands! Unlike the last version,
the firewalling and filtering is no longer configured from network.conf.
This has been done as stateful filtering has helped obviate the need for
great complexity in the firewall scripts, and more flexibility is possible.
Complex firewalling can be achieved using the ipfilter-defs tools.
It is a good idea to get down and get dirty with iptables and learn it,
which you will appreciate if you are running this to build a network - you
should understand things fully, or else you will get things wrong.
UPGRADE PATH FROM KERNEL 2.4.X
------------------------------
The firewall/IP filtering part in ipfilter.conf changed radically with the
move to iptables, which is a far better way of setting up the IP filtering
rules. The QoS and interface startup/shutdown code in if.conf has changed too,
but remains backwards compatible with the old 2.2.x ipchains version of
netscript for the interface address configuration settings. You will have to
set up the filtering again for iptables, by directly using the iptables
commands.
Also, the kernel 2.2.x version scripts are set up so that iptables is only
run on a 2.4.x kernel; otherwise IP forwarding is disabled if you set
IPFWDING_KERNEL to FILTER_ON in network.conf beforehand.
This means that when you upgrade a box to a 2.4.x router kernel, you should
then be able to reboot it, log in to it remotely and upgrade netscript to the
version that will support 2.4.x. In this situation, if you have set the
old IPFWDING_KERNEL setting to FILTER_ON beforehand in network.conf, all
IP forwarding through the box will also be disabled. This means that you
can safely remotely upgrade a firewall.
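The fail-closed behaviour described above, written out as an added sh illustration (this is not netscript's own code): filter rules are loaded only when the running kernel series is the one the scripts support, and on any other kernel IP forwarding is switched off when IPFWDING_KERNEL is FILTER_ON, so a half-upgraded router never forwards unfiltered traffic. The function names, the supported-series argument and the DRY_RUN variable are assumptions of this example.

```sh
#!/bin/sh
# Added example: decide what a netscript-style init script should do on boot.
# Function names, SUPPORTED_SERIES argument and DRY_RUN are this example's own.

# kernel_series RELEASE -> "major.minor", e.g. "2.4.18-bf2.4" -> "2.4"
kernel_series() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# fwd_decision KERNEL_RELEASE SUPPORTED_SERIES IPFWDING_KERNEL
# Prints one of: load-filter, disable-forwarding, leave-forwarding
fwd_decision() {
    series=$(kernel_series "$1")
    if [ "$series" = "$2" ]; then
        echo load-filter            # kernel matches the scripts: load rules
    elif [ "$3" = "FILTER_ON" ]; then
        echo disable-forwarding     # wrong kernel and filtering expected: fail closed
    else
        echo leave-forwarding       # filtering never expected: change nothing
    fi
}

# apply_decision DECISION: act on the decision. DRY_RUN=1 (the default here)
# only prints the command so the script can be run safely on any host.
apply_decision() {
    case "$1" in
        load-filter)        cmd="echo 'load iptables rules here (placeholder)'" ;;
        disable-forwarding) cmd="echo 0 > /proc/sys/net/ipv4/ip_forward" ;;
        *)                  cmd=":" ;;
    esac
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "would run: $cmd"
    else
        sh -c "$cmd"
    fi
}

# Constructed sample: a box still running a 2.2 kernel with FILTER_ON set.
apply_decision "$(fwd_decision "2.2.19" "2.4" "FILTER_ON")"
```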