NAME
       /etc/firewall/modules - base directory for rcf(8) modules.

DESCRIPTION
       rcf(8) modules are kept (by default) under the /etc/firewall/modules
       directory.  They are used by rcf(8) to set up forwarding and to
       control network traffic on private/public interfaces.

SUB-DIRECTORIES
       private
              block-high-ports

              services

       public
              block-local-ports
                     Deny incoming traffic to specific ports.  The naming
                     of modules in the block-local-ports directory is not
                     important.  These modules must be executed before
                     broader services and/or rules are implemented
                     (outbound active FTP, ICQ, etc.).  For this reason,
                     the modules are called from
                     ../services/750-BLOCK-LOCAL-PORTS.

              block-remote-ports
                     The block-remote-ports directory contains strict mode
                     modules.  These modules reject outgoing packets to
                     specific ports which may be cracker-friendly, insecure
                     (clear text passwords, poor authentication, etc.),
                     and/or DoS control ports.  The modules are implemented
                     just before global outgoing TCP traffic is allowed.

              online-games

              port-forwarding

              services
                     Modules in this directory must be named with three
                     leading digits, followed by a hyphen and the module
                     name (the type is usually appended too).  Like the
                     SysV rc.d directories, modules are loaded in the order
                     listed.  Services which generate more network traffic,
                     from bandwidth and/or sheer number of connections,
                     should be listed top-most.  Other services, which are
                     less performance oriented (telnet comes to mind), can
                     be listed lower.

                     Three modules are worth mentioning.  The
                     750-BLOCK-LOCAL-PORTS module causes specific local
                     high-ports to be blocked (see the block-local-ports
                     directory above).  Any service which allows incoming
                     traffic (TCP connect and/or UDP) to high-ports
                     (1024:65535) should be listed after this module.
                     880-ONLINE-GAMES has been placed (almost) last since a
                     few firewall-unfriendly games may cause massive numbers
                     of ports to be opened.  Warnings about these games will
                     be included in the firewall configuration.
                     900-BLOCK-REMOTE-PORTS is only executed in strict mode.

                     You can shorten the time --update-config takes to
                     execute by removing/renaming modules in this directory.
                     For example, if you don't use the Postgres database,
                     you can rename the 160-postgres-clients module to
                     .160-postgres-clients or remove it completely.

                     The tcp-clients-template file in this directory can be
                     used as an example to quickly develop new TCP-based
                     modules.  If this is a well known service, please send
                     me a copy of your module (after testing, of course).
                     It will be posted to our contrib directory for others
                     who may need it.

FILES
       /etc/firewall.conf
              Default location of the rcf(8) configuration file.

       /etc/firewall/
              Default location of the rcf(8) groups, modules, and sbin
              directories.

FAQ
       The rcf Frequently Asked Questions (FAQ) are available at:

BUGS
       If you experience any problems using rcf, please subscribe to our
       mailing list.  If you'd like to contribute to the evolution of rcf,
       you can also join the development list at:

UPDATES
       Releases of RCF are announced on Freshmeat.  Development and
       production releases are also announced on our mailing list.  The
       latest versions are always available from:

AUTHOR
       Jean-Sebastien Morisset

SEE ALSO
       firewall.conf(5) rcf-groups(5) rcf(8)
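EXAMPLES
       The shell helpers below are an added example and are not part of
       rcf or of this manual page.  They model the services/ conventions
       described in SUB-DIRECTORIES: NNN-name module files loaded in
       numeric order, a leading dot to disable a module, and the rule that
       anything accepting incoming traffic on high-ports must sort after
       750-BLOCK-LOCAL-PORTS.  The function names, the helper that builds
       a scratch services/ tree, and the module names other than those
       quoted in this page (100-dns-servers, 800-ftp-servers,
       .170-mysql-clients) are constructed for the demo and are not
       rcf's own.

```shell
#!/bin/sh
# Added example, not part of rcf.  Models the services/ module naming and
# ordering conventions of rcf-modules(5).  Assumptions (not stated by rcf
# itself): a module is a plain file named NNN-name with NNN three decimal
# digits; a leading dot disables it; 750-BLOCK-LOCAL-PORTS must precede any
# module that accepts incoming traffic on ports 1024:65535.

# rcf_module_order DIR
#   Print enabled modules in load order (lowest number first).  Files whose
#   names do not start with NNN- (templates, dot-disabled modules) are not
#   listed, which is how an rc.d-style loader skips them.
rcf_module_order() {
    for f in "$1"/[0-9][0-9][0-9]-*; do
        [ -f "$f" ] || continue
        basename "$f"
    done | LC_ALL=C sort
}

# rcf_module_count DIR
#   Number of enabled modules, printed as a bare integer.
rcf_module_count() {
    rcf_module_order "$1" | wc -l | tr -d ' '
}

# rcf_disable_module DIR NAME
#   Disable a module the way the page suggests for unused services:
#   rename NNN-name to .NNN-name so it no longer matches the loader glob.
rcf_disable_module() {
    mv "$1/$2" "$1/.$2"
}

# rcf_enable_module DIR NAME
#   Reverse of rcf_disable_module.
rcf_enable_module() {
    mv "$1/.$2" "$1/$2"
}

# rcf_after_block_local_ports NAME
#   Succeed only if NAME sorts after 750-BLOCK-LOCAL-PORTS, i.e. the number
#   is safe for a module that opens high-ports.  Returns 2 on a name that
#   does not follow the NNN-name convention.
rcf_after_block_local_ports() {
    case "$1" in
        [0-9][0-9][0-9]-*) ;;
        *) echo "bad module name: $1" >&2; return 2 ;;
    esac
    n=${1%%-*}
    n=${n#0}; n=${n#0}      # strip leading zeros so test(1) reads decimal
    [ "$n" -gt 750 ]
}

# rcf_demo_layout DIR
#   Populate DIR with a constructed services/ tree.  Names quoted in the
#   manual page are used where they exist; the rest are made up here.
rcf_demo_layout() {
    for m in 100-dns-servers 160-postgres-clients 750-BLOCK-LOCAL-PORTS \
             800-ftp-servers 880-ONLINE-GAMES 900-BLOCK-REMOTE-PORTS; do
        : > "$1/$m"
    done
    : > "$1/.170-mysql-clients"     # disabled by its leading dot
    : > "$1/tcp-clients-template"   # template file, never loaded
}

# Stand-alone demo: build the tree in a scratch directory, show the load
# order, disable the Postgres module as the page suggests, then clean up.
rcf_demo() {
    tmp=$(mktemp -d) || return 1
    rcf_demo_layout "$tmp"
    echo "load order:"
    rcf_module_order "$tmp"
    rcf_disable_module "$tmp" 160-postgres-clients
    echo "after disabling 160-postgres-clients: $(rcf_module_count "$tmp") modules"
    rm -rf "$tmp"
}

rcf_demo
```

       rcf_after_block_local_ports is the check a practitioner would run
       before adding a module that accepts connections on high-ports:
       a name such as 700-ftp-servers is rejected because it would load
       ahead of 750-BLOCK-LOCAL-PORTS.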