Q: 
   How do I allow people to ping my firewall (or send other ICMP packets)
A:
   Add the desired IP address (or 0/0 for all) to allowed protocols for 
   protocol 1 (ICMP).  For example to allow anyone to ping the firewall:
      ALLOWED_PROTOCOLS="0/0(1)"


Q:
   How can I allow active FTP connections through and/or to my firewall?

A:
   For active FTP connections you need to load a few iptables modules, namely
   ip_nat_ftp and ip_conntrack_ftp.  The script does not normally load these.
   However, you can utilize the HOOKS option to have them loaded on start and
   restart.
   
      POSTSTART="/usr/local/sbin/iptables-helper"
      POSTRESTART="/usr/local/sbin/iptables-helper"

      $ cat /usr/local/sbin/iptables-helper
      #!/bin/sh
      # FTP connection-tracking and NAT helpers: they mark the separate
      # data connections of active FTP as related to the control session
      # (on newer kernels these modules are named nf_conntrack_ftp and
      # nf_nat_ftp).
      modprobe ip_nat_ftp
      modprobe ip_conntrack_ftp

      
Q:
   I've got a dynamic IP.  Do I have to edit the firewall.conf every time
   my IP changes, or can I have the script look it up for me?
   
A:
   You can define your external IP address as the output of a few
   commands.  For example, the following pipeline will return the IP
   address assigned to "eth0":
   
   ifconfig eth0 | grep -i "addr:" | cut -f2 -d: | cut -f1 -d " "
   
   So, if you assign this as the value for the EXT_IP variable like so:
   
   EXT_IP=`ifconfig eth0 | grep -i "addr:" | cut -f2 -d: | cut -f1 -d " "`
   
   the value will be updated each time the firewall script is run.  Be
   sure you've enclosed the commands in back-ticks (`), not single quotes
   ('), so the commands are executed and their output is assigned to the
   variable rather than the literal string of commands.
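   An added example (not part of the original FAQ or the firewall script)
   that does the same lookup a little more defensively: the one-liner above
   greps for "addr:", which only matches the old net-tools output
   ("inet addr:..."), while newer net-tools prints "inet 192.0.2.1".  The
   function below accepts either layout on stdin, prints the first IPv4
   address and fails (so the script can refuse to start) when the interface
   has none.  The sample ifconfig outputs are constructed; the eth0 usage at
   the end is an assumption about how it would be wired into firewall.conf.

```shell
#!/bin/sh
# Added example: extract an interface's IPv4 address from ifconfig output.
# Handles both "inet addr:A.B.C.D" (old net-tools) and "inet A.B.C.D"
# (newer net-tools).  Prints the address and returns 0, or returns 1 if no
# IPv4 address is present so a caller can bail out instead of using "".
ipv4_from_ifconfig() {
    awk '
        $1 == "inet" {
            a = $2
            sub(/^addr:/, "", a)        # strip the old-style "addr:" prefix
            if (a ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print a; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample: old net-tools layout.
OLD_STYLE='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:203.0.113.7  Bcast:203.0.113.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Constructed sample: newer net-tools layout.
NEW_STYLE='eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 203.0.113.7  netmask 255.255.255.0  broadcast 203.0.113.255
        ether 00:11:22:33:44:55  txqueuelen 1000  (Ethernet)'

# Constructed sample: interface up but without an IPv4 lease.
NO_ADDR='eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 00:11:22:33:44:55  txqueuelen 1000  (Ethernet)'

# Assumed use in firewall.conf on a live system (eth0 is an assumption):
#   EXT_IP=$(ifconfig eth0 | ipv4_from_ifconfig) \
#       || { echo "no IPv4 address on eth0, not starting" >&2; exit 1; }
```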


Q:
   With logging enabled (LOGGING_ENABLED="1"), what gets logged?

A:
   In normal mode (start, restart) the firewall script logs any packet
   that is dropped by a chain's policy, that is, any packet not explicitly
   allowed or denied by one of the other rules.  In short, anything in the
   logs was not allowed through the firewall.  However, if you have
   explicit blocks defined, traffic stopped by these will not appear in
   your logs.


Q:
  Can the firewall log to its own log file?

A:
  The firewall uses the normal system logging facilities.  To my knowledge,
  most systems use syslog for logging.  Sending firewall entries to their own
  log does not appear to be possible under syslog.  However, there is a
  syslog replacement that does appear to provide this functionality.  If you
  are interested, take a look at syslog-ng:

    http://www.balabit.hu/en/downloads/syslog-ng/

  
Q:
   I want to forward certain ports on my external address to internal 
   machines.  However, I have a dynamic IP, how can this be done without
   constantly re-editing my firewall.conf?

A:
   Provided that you have only one external IP address, you can use the
   $EXT_IP variable defined earlier in the script in your forwarding
   definitions, like so:

      PORT_FORWARDS="$EXT_IP(25)-192.168.1.2(25) \
                     $EXT_IP(993)-192.168.1.2(993)"


Q:
   I've specified port 80 (or other standard service port) as open in my 
   firewall.conf, but external users are reporting that my system is not 
   responding or allowing connections.  However, internal tests work
   fine.  Where should I look?

A:
   First, make sure that logging is enabled.  Then after a few external
   attempts, check for any entries from the firewall in your logs.  If 
   there are no entries, chances are that your ISP is blocking the 
   incoming traffic.  Try moving the service to another port for testing.
   If the service works on another port, but not the standard port, your
   ISP (or someone else) is blocking the standard port traffic.


Q:
   I'm running a DNS server on the firewall for internal/external name
   resolution.  With the firewall script enabled, name resolution on the
   firewall itself doesn't work.  Instead I see errors like the following
   in my log:

      Dec 27 15:14:09 firewall kernel: FW: Filter-INPUT IN=lo OUT=
      MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.0.1
      DST=192.168.0.1 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=39768 DF 
      PROTO=UDP SPT=1045 DPT=53 LEN=39

A: 
   Try changing the entry in /etc/resolv.conf to use 127.0.0.1 (the localhost
   address) rather than the internal private IP address.  The firewall script
   can be a little strict about what traffic and connections are allowed.
   However, it does specifically allow all localhost communications.
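   An added example (not part of the original FAQ or the firewall script)
   that reads the entries the script writes, in the layout of the log line
   quoted in this question, and answers the two practical questions from the
   logging and DNS answers above: what is being dropped, and whether any of
   it is loopback traffic addressed to the private IP instead of localhost.
   The log lines are constructed; the /var/log/messages path in the usage
   comment is an assumption.

```shell
#!/bin/sh
# Added example: summarise the firewall's kernel log entries by chain,
# protocol and destination port.  The line layout follows the FAQ's sample
# ("FW: Filter-INPUT IN=lo ... PROTO=UDP SPT=1045 DPT=53"); the log lines
# below are constructed for this example.
LOG='Dec 27 15:14:09 firewall kernel: FW: Filter-INPUT IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.0.1 DST=192.168.0.1 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=39768 DF PROTO=UDP SPT=1045 DPT=53 LEN=39
Dec 27 15:14:11 firewall kernel: FW: Filter-INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=40123 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 27 15:14:12 firewall kernel: FW: Filter-INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=2 DF PROTO=TCP SPT=40124 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 27 15:14:15 firewall kernel: FW: Filter-FORWARD IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=3 DF PROTO=TCP SPT=40125 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0'

# Print "count chain proto dport" per distinct combination, most frequent
# first.  Reads log text on stdin; only lines carrying the script's "FW:"
# prefix are counted.
fw_drop_summary() {
    awk '
        /FW: / {
            chain = proto = dport = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Filter-/)     chain = substr($i, 8)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/)   dport = substr($i, 5)
            }
            n[chain " " proto " " dport]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Loopback drops whose source is not 127.0.0.1 are the symptom described in
# the DNS question: a local service reached via the private IP rather than
# localhost.  Prints "src dport" for each such line.
fw_loopback_drops() {
    awk '
        /FW: / && / IN=lo / && !/ SRC=127\.0\.0\.1 / {
            src = dport = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)      src = substr($i, 5)
                else if ($i ~ /^DPT=/) dport = substr($i, 5)
            }
            print src, dport
        }
    '
}

# Assumed use on a live system:  grep 'FW: ' /var/log/messages | fw_drop_summary
```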


Q:
   Can I have the firewall REJECT packets rather than DROP them?

A: 
   The script does not natively use the REJECT target for a few reasons, one
   of which is that REJECT is only valid in the INPUT, FORWARD and OUTPUT
   chains.  This means that most packets would first need to be allowed
   through at least the PREROUTING chains of both the mangle and nat tables.
   If you would like this functionality, it's rather easy to add through the
   use of HOOKS in the firewall.conf.  The following example shows how to
   REJECT traffic to port 113 (ident) with a TCP reset:

      POSTSTART="/usr/local/sbin/iptables-helper"
      POSTRESTART="/usr/local/sbin/iptables-helper"
   
      $ cat /usr/local/sbin/iptables-helper
      #!/bin/sh
   
      # Let port 113 through the PREROUTING chains of mangle and nat so it
      # reaches the filter table, where REJECT is valid.
      /sbin/iptables -t mangle -I PREROUTING -p tcp --dport 113 -j ACCEPT
      /sbin/iptables -t nat -I PREROUTING -p tcp --dport 113 -j ACCEPT
      # Answer with a TCP reset instead of silently dropping.
      /sbin/iptables -t filter -I INPUT -p tcp --dport 113 -j REJECT \
         --reject-with tcp-reset
   
