knowplace.org

Disclaimer: NARC, or any firewall for that matter, cannot possibly guarantee the security of your network or hosts. See the Introduction for a brief primer.

Requirements of this package:
- kernel version 2.4.x (or 2.6.x) with netfilter support compiled in (http://www.kernel.org)
- iptables tools (http://netfilter.samba.org)
- a working compiler (if you are planning on compiling your own binaries)

Who?

If you are interested in using Netfilter/Iptables and kernel 2.4.x or 2.6.x to do firewalling but don't feel confident enough to write your own ruleset, keep reading. Whether you are a dial-up user or have an always-on connection, NARC will help you lock down some network services.

What?

NARC is a free firewalling package for Netfilter/Iptables released under the BSD license.

NARC attempts to simplify the setup of a firewall (a stateful packet filter) built with the iptables tools. NARC is a bash shell script that generates (hopefully) sensible and secure Netfilter rules from a simple configuration file.

Even though this isn't a howto, you're welcome to look at the code and take examples from it. You're welcome to modify it and incorporate it in your code. If you notice that something can be improved, by all means send the changes in, but know that it's not a requirement.

Narc Features (incomplete list):

  • Quick setup via a simple configuration file
  • Connection tracking (and fragmentation reassembly)
  • Customized logging
  • Probe detection (TCP & UDP)
  • Illegal TCP flag combination filtering
  • FIN, NULL and ACK scan detection
  • ICMP message filtering and rate limiting
  • SYN packet length checking
  • General rate limiting (to prevent DoS type attacks)
  • IP/network based TCP connection rate limiting
  • SYN flood protection
  • Smurf attack protection
  • Spoofed IP address filtering
  • DMZ support
  • Port forwarding support
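The feature list above, as an added example of how each item maps onto iptables rules. This is not NARC's own code; it is a small NARC-style generator written for this page, and the interface names, networks, chain names, thresholds and variable names in it are assumptions of the example, not NARC's defaults. Run with no arguments it prints the commands it would execute (a dry run that needs no root), which is also the way to review a generated ruleset before trusting it; run with `apply` it executes them. Rule order is the point: the connection-tracking accept comes first so that the later scan rules, in particular the ACK-scan rule, only ever see packets that are not part of a tracked flow. One fact worth knowing when reading the changelog: the per-source "iplimit" match of the 2.4 patch-o-matic days is called "connlimit" on 2.6 and later kernels.

```shell
#!/bin/sh
# Added example (not NARC's code): a NARC-style ruleset generator showing how the
# features listed above map onto iptables rules. Interfaces, networks, chain names
# and thresholds are this example's assumptions, not NARC's defaults.
# Usage: sh narc-example.sh        -> print the rules (dry run, no root needed)
#        sh narc-example.sh apply  -> execute them (root and iptables required)

EXT_IF=${EXT_IF:-eth0}                 # Internet-facing interface
LAN_IF=${LAN_IF:-eth1}                 # trusted LAN interface
LAN_NET=${LAN_NET:-192.168.1.0/24}
DMZ_HOST=${DMZ_HOST:-}                 # set (e.g. 192.168.2.10) to forward $FWD_PORT to it
FWD_PORT=${FWD_PORT:-80}
TCP_ALLOW=${TCP_ALLOW:-"22 80"}        # services exposed on $EXT_IF
LOG_RATE=${LOG_RATE:-5/min}            # cap on log lines per logging chain
SYN_RATE=${SYN_RATE:-25/s}             # SYN flood threshold
CONN_MAX=${CONN_MAX:-20}               # simultaneous TCP connections per source IP

ipt() {  # run or print an iptables command, depending on $MODE
    if [ "$MODE" = apply ]; then iptables "$@"; else printf 'iptables %s\n' "$*"; fi
}
sysctl_set() {
    if [ "$MODE" = apply ]; then sysctl -w "$1" >/dev/null; else printf 'sysctl -w %s\n' "$1"; fi
}

narc_rules() {
    # Kernel side: reverse-path (ingress) filtering, martian logging, ignore
    # broadcast pings (smurf amplification), SYN cookies for floods.
    sysctl_set net.ipv4.conf.all.rp_filter=1
    sysctl_set net.ipv4.conf.all.log_martians=1
    sysctl_set net.ipv4.icmp_echo_ignore_broadcasts=1
    sysctl_set net.ipv4.tcp_syncookies=1

    # Default deny, start from empty tables.
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
    ipt -F; ipt -X; ipt -t nat -F

    # Rate-limited logging chains, so a scanner cannot fill the disk with log lines.
    for c in LOG_DROP LOG_SCAN LOG_PROBE; do
        ipt -N "$c"
        ipt -A "$c" -m limit --limit "$LOG_RATE" -j LOG --log-prefix "NARC-$c: "
        ipt -A "$c" -j DROP
    done
    # SYN flood chain: RETURN while under the rate, drop the excess.
    ipt -N SYN_FLOOD
    ipt -A SYN_FLOOD -m limit --limit "$SYN_RATE" --limit-burst 50 -j RETURN
    ipt -A SYN_FLOOD -j DROP

    ipt -A INPUT -i lo -j ACCEPT
    # Connection tracking first: tracked flows are accepted here, so every rule below only sees NEW or INVALID packets.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j LOG_DROP
    # Spoof filtering: private and reserved sources never legitimately come from the Internet.
    for net in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3; do
        ipt -A INPUT -i "$EXT_IF" -s "$net" -j LOG_DROP
    done

    # Illegal flag combinations and NULL/XMAS/FIN scans.
    ipt -A INPUT -p tcp --tcp-flags ALL NONE -j LOG_SCAN           # NULL scan
    ipt -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j LOG_SCAN    # XMAS scan
    ipt -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG_SCAN
    ipt -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG_SCAN
    ipt -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j LOG_SCAN        # FIN scan
    # ACK scan: a NEW packet without SYN cannot start a connection (genuine ACKs
    # were already accepted as ESTABLISHED above).
    ipt -A INPUT -p tcp ! --syn -m state --state NEW -j LOG_SCAN
    # SYN length check: 20-byte IP + 20-byte TCP header = 40 bytes. Real stacks add
    # at least an MSS option, so a bare 40-byte SYN is a crafted probe (threshold
    # is this example's choice).
    ipt -A INPUT -p tcp --syn -m length --length 0:40 -j LOG_SCAN
    # Per-source connection cap (the 2.4 "iplimit" match is "connlimit" on 2.6 and later).
    ipt -A INPUT -i "$EXT_IF" -p tcp --syn -m connlimit --connlimit-above "$CONN_MAX" -j LOG_DROP
    ipt -A INPUT -p tcp --syn -j SYN_FLOOD

    # ICMP: answer pings at a limited rate; errors for our own flows came in as RELATED.
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    ipt -A INPUT -p icmp -j DROP

    # Exposed services, then the LAN, then everything else logged as a probe.
    for p in $TCP_ALLOW; do
        ipt -A INPUT -i "$EXT_IF" -p tcp --syn --dport "$p" -j ACCEPT
    done
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A INPUT -i "$EXT_IF" -p tcp --syn -j LOG_PROBE
    ipt -A INPUT -i "$EXT_IF" -p udp -j LOG_PROBE

    # Forwarding: LAN out through masquerading, optional DNAT of one port to a DMZ host.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
    if [ -n "$DMZ_HOST" ]; then
        ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$FWD_PORT" \
            -j DNAT --to-destination "$DMZ_HOST:$FWD_PORT"
        ipt -A FORWARD -i "$EXT_IF" -p tcp --syn -d "$DMZ_HOST" --dport "$FWD_PORT" -j ACCEPT
    fi
}

MODE=${1:-dryrun}
narc_rules
```

The dry-run output is plain iptables command lines, so it can be diffed against a previous run or read rule by rule before `apply` is ever used on a live box. The `-m state` syntax is the one the 2.4/2.6 tools of this page accept; current iptables still takes it (it is an alias for `-m conntrack --ctstate`).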

Why?

NARC was written to simplify the setup of a "firewall". This script will (hopefully) make your life a bit easier and give you more time to do the things that you really care about.

As more and more people connect to the Internet over always-on connections, security becomes an important issue. However, configuring a firewall properly usually requires a fairly thorough understanding of IP and networking, which is beyond most users.

While everyone knows that making something user-friendly is clearly evil, I feel that it's more important to help people secure their boxes. Being a good neighbor is as important as being technically proficient in EVERYTHING. Raise your hand if you've written your own OS. =) It's important to acknowledge that not everyone has the time or the inclination to become a security expert.

Where?

The NARC project page can be found at http://www.knowplace.org/netfilter/narc.html. The current release, v0.7, can be downloaded from http://www.knowplace.org/dl/narc-0.7.tgz (MD5: f07c2b58fbb2e532df9f73276879956d). Check the download with md5sum; keep in mind that a checksum published on the same server as the file catches a corrupted download, not a tampered one.

How?

Read the INSTALL file for quick installation instructions.

If you have any questions, please join the NARC mailing list by sending an email to narc-request@knowplace.org with the word "subscribe" in the body. Since I'm not known for speedy replies to email, you'll have a much better chance of a reply if you email the list. Unsubscribe by sending an email to narc-request@knowplace.org with the word "unsubscribe" in the body. The NARC mailing list archive is now available at http://www.knowplace.org/pipermail/narc/.

If you really want to learn more about how this stuff works, go to: http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/index.html or my Netfilter presentation at http://www.knowplace.org/netfilter/.

CHANGELOG

  • v0.7 (Aug. 12, 2004)
    • Implemented IPLIMIT so that it works with 2.4 & 2.6 kernels
    • Implemented port forwarding to other interfaces (no longer limited to DMZ)
      Note that it still defaults to DMZ if the INTERFACE option is left blank
    • Fixed error in install script that omitted a mkdir
    • Removed TCP port 445 (microsoft-ds) from TCP_PROBE
    • Implemented SMB/CIFS specific logging options

  • v0.6.3 (Nov. 12, 2002)
    • Added even more sanity checking
    • New experimental install script (see INSTALL)
    • Changed default logging level from kern.=info to kern.=debug in narc.conf.
      Please modify your syslog.conf to accommodate the change!
    • Added LOG_LIMIT_EXCEED option to log TCP connections that exceed
      LIMIT_RATE in narc.conf

  • v0.6.2 (Oct. 7, 2002)
    • Fixed errant detection of ipchains module
    • Changed modules detection to include /lib for certain distributions
    • Added AUTOGET_EXTERNAL_IP option for narc-forward.conf
    • Fixed more typos

  • v0.6.1 (Feb. 19, 2002)
    • Fixed rp_filter (ingress filtering)
    • Fixed ENABLE_IPLIMIT
    • First NARC release to be compatible with older (v0.6) narc.conf file

  • v0.6 (Jan. 17, 2002)
    • NARC executable path now configurable (used by /etc/init.d/iptables)
    • Rewrote NARC to make adding future options easier
    • Added support for general rate limiting
    • Added support for IP/network based connection limit (TCP only)
    • Added more logging options (ICMP, packet length, iplimit)
    • General code cleanup & optimization

  • v0.5.1 (Oct. 04, 2001)
    • Fixed error in INSTALL directions
    • Fixed CHECK_SYN_PACKET_LENGTH
    • Added LOOPBACK_MODE
    • Added more sanity checking of the config file

  • v0.5 (Sep. 23, 2001)
    • Moved the default location of /etc/narc.conf to /etc/narc/narc.conf
    • Moved the default location of /usr/bin/narc to /usr/sbin/narc
    • Modified the iptables init.d script to support chkconfig for Redhat users (also modified path info)
    • Implemented port range matching (allows for more than 15 ports)
    • Added /etc/narc-custom.script to allow execution of custom commands
    • General fixes (typos, clean up, etc.)
    • General optimization (rule reordering, logging)
    • More sanity checking of the config file
    • Improved AUTH_REJECT
    • Fixed FORWARD_LAN_TO_DMZ

  • v0.4 (Aug 27, 2001)
    • Improved and fixed the logging section
    • Reworked and fixed the port forwarding section
    • Added the narc-forward.conf file
    • Made CHECK_SYN_PACKET_LENGTH configurable so that NARC can be used with stock kernels that do not support packet length checking
    • Tweaked spoof checking

  • v0.3.1 (Aug. 19, 2001)
    • Added ACK scan detection

  • v0.3 (Aug. 17, 2001)
    • Added console detection and some color display
    • Added LOG_MARTIANS
    • Added SYN,FIN,ACK,RST to illegal TCP flags
    • Fixed some typos
    • Re-did SPOOF_CHK
    • AUTH_REJECT moved to TCP_CHK
    • Added DMZ support and port forwarding
    • Added more sanity checking of the config file
    • Updated the README, INSTALL, and TODO files

  • v0.2 (Jun. 14, 2001)
    • First public release

-- Shane
p.s. Bug reports and suggestions are welcome, but please keep the questions to a minimum. I've included comments whenever I can. Use the force, Luke.

Shane Tzen © 2008