TAOFirewall2 – Bugfixes & Lenny compatibility

Lately I installed the firewall on a Debian Lenny Dom0 with Xen 3.2-1. It does work well despite the hotplugpath.sh script the provided network-route-tao script tries to include – simply comment it out; it’s not needed.

But I also discovered three bugs:

  1. Completely or partially disabling the firewall for an interface means it doesn’t get NAT for the disabled directions.
  2. All guests using ioemu as device driver (e.g. Windows) use some tapX device. The firewall doesn’t account for that and thus antispoofing blocks all outgoing traffic.
  3. Not very important but there: When a firewall is disabled in whole its temporary files are not deleted.

The first one was fixed partially; it does work now for outgoing connections but still doesn’t for incoming ones. This is due to the very nature of NAT so this is a WONTFIX. The second one is tough to solve because Xenstore does not provide the necessary information. Spoofing protection is thus simply disabled for IOEMU-using DomUs. And 3. was fixed, of course.

Also there where some minor improvements made to the package. It now contains a install.sh script which creates/moves all directories and files to the right locations and we removed the configuration directory for Xen since basically the only difference between the configuration for Xen and any other machine is the variable XEN right at the beginning of taofirewall.conf which is set to TRUE.

How to install?

Download TAOFirewall2 1.0.2 to the computer you want to install the script on. You’ll need bzip2 installed on it to extract the files from the package.

tar xpf TAOFirewall2.0.2.tar.bz2
cd TAOFirewall2
./install.sh

After you’ve configured it you may start the firewall and see if it’s working by issuing the following:

invoke-rc.d firewall start
iptables -L -n -v | more

In case you locked yourself out: restart your server and you’ll be able to connect to it again. Once everything is working as you expect it to, you can run the following to start the firewall when the system boots up:

update-rc.d firewall defaults

Good luck!