README for firewall
===================

What is it?
-----------

This package contains a simple firewall system, with a configuration directory
in which one can drop files containing user-defined chains and rules to filter
network traffic. This allows system administrators to have an iptables-based
firewall system with a configuration syntax almost identical to the one used
natively by iptables, thus avoiding the need to learn a new configuration
syntax.

For more information about adding your own chains and rules, please read the
file /etc/firewall.d/README and the manual page of iptables.

The default configuration is suitable for most needs, allowing outgoing
connections and their answers, and dropping everything else.
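The default policy described above, written out as an iptables-restore ruleset so it can be read and syntax-checked before it is loaded. This is an added example, not the package's own configuration: the drop-in syntax of /etc/firewall.d is not shown here, and the helper names default_ruleset, check_ruleset and count_policy_drop are this example's own.

```shell
#!/bin/sh
# Added example (not the firewall package's own code): the README's default
# policy as an iptables-restore ruleset.  Plain iptables-restore format is
# used; the layout of /etc/firewall.d drop-in files is not assumed here.

# default_ruleset: print a ruleset that accepts loopback traffic and the
# answers to connections this host opened, and drops everything else inbound.
default_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is always allowed.
-A INPUT -i lo -j ACCEPT
# Answers to connections we opened, plus related traffic (ICMP errors, FTP data).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot classify are dropped instead of being evaluated further.
-A INPUT -m conntrack --ctstate INVALID -j DROP
COMMIT
EOF
}

# check_ruleset: parse the ruleset with "iptables-restore --test" when the
# binary is present (needs root and netfilter support).  Returns 0 on a clean
# parse, 1 on a parse error, 2 when iptables-restore is not installed.
check_ruleset() {
    if ! command -v iptables-restore >/dev/null 2>&1; then
        return 2
    fi
    default_ruleset | iptables-restore --test
}

# count_policy_drop: number of built-in chains whose policy is DROP, which
# confirms the "drop everything else" default (INPUT and FORWARD).
count_policy_drop() {
    default_ruleset | grep -c '^:[A-Z]* DROP'
}

# Running the script prints the ruleset.  Load it with
#   ./default-ruleset.sh | iptables-restore
# once you are sure it will not lock you out of a remote host (the OUTPUT
# chain stays ACCEPT, so existing SSH sessions survive via ESTABLISHED).
default_ruleset
```

Keep a ruleset like this under version control and run check_ruleset from a pre-commit hook: a parse error caught there costs nothing, the same error at boot leaves the host with whatever iptables-restore managed to load before it stopped.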


Logging
-------

Every dropped packet can be logged with ulogd, simply by installing
"firewall-ulog".


Important note
--------------

The init script is normally run before the network interfaces are brought up
during the boot sequence. The major advantage is that the interfaces are already
protected when they are effectively brought up, but there is a drawback: if
/usr is mounted from the network, the binaries in there are not available when
the script is run.

To avoid this problem, no code provided in this package uses binaries located
under /usr.

However, if binaries from /usr must be used, and /usr is mounted from the
network, the firewall script can be made to run after remote filesystems are
mounted.

In the SysV init script, it can be done by replacing "$local_fs" with
"$remote_fs" in the LSB headers "Required-Start" and "Required-Stop".

In the systemd unit file, the whole file must be replaced (dependencies can't
be removed with drop-in files) by running the command "systemctl edit --full
firewall.service", removing both "Wants=" and "Before=" lines, and adding
"remote-fs.target" to the "After=" line.
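Before changing the init ordering as described in this note, it is worth knowing which of your own drop-in files actually depend on /usr. The following check is an added example, not part of the firewall package: it scans a configuration directory for non-comment lines that reference a path under /usr/. The function names find_usr_refs and make_sample are this example's own, and the two sample files it writes are constructed for the demonstration (the real file layout is documented in /etc/firewall.d/README, not assumed here).

```shell
#!/bin/sh
# Added example (not part of the firewall package): find user-defined rule
# files that reference a binary under /usr.  Such a reference fails when the
# init script runs before a network-mounted /usr is available, so the result
# tells you whether reordering the firewall after remote-fs is needed at all.

# find_usr_refs DIR: print "file:line:text" for every non-comment line under
# DIR that mentions a path starting with /usr/.  Exit status 0 means at least
# one reference was found, 1 means the directory is clean.
find_usr_refs() {
    grep -rnE '/usr/' "$1" 2>/dev/null \
        | grep -vE '^[^:]*:[0-9]+:[[:space:]]*#' \
        | grep .
}

# make_sample DIR: write two constructed drop-in files for the demonstration.
# Their content is made up for this example; it is not the package's format.
make_sample() {
    cat > "$1/10-web.rules" <<'EOF'
# Constructed sample: accept inbound web traffic, nothing here needs /usr.
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
EOF
    cat > "$1/20-blocklist.rules" <<'EOF'
# Constructed sample: this comment mentions /usr/ but is ignored by the check.
/usr/sbin/ipset create blocklist hash:ip
-A INPUT -m set --match-set blocklist src -j DROP
EOF
}

# main [DIR]: check DIR (default /etc/firewall.d); when that directory does not
# exist, fall back to the constructed sample so the script can be run anywhere.
main() {
    dir="${1:-/etc/firewall.d}"
    if [ ! -d "$dir" ]; then
        dir=$(mktemp -d)
        make_sample "$dir"
        printf 'no %s directory; using constructed sample in %s\n' "${1:-/etc/firewall.d}" "$dir"
    fi
    if find_usr_refs "$dir"; then
        printf '=> these rules need /usr: run the firewall after remote-fs, or remove the /usr dependency\n'
    else
        printf '=> no /usr references found in %s\n' "$dir"
    fi
}

main "$@"
```

A clean result means the package's own rule (no binaries under /usr) still holds for your configuration and the default "$local_fs" ordering can stay; a hit names the exact file and line that forces the choice between moving the binary and delaying the firewall until remote filesystems are mounted.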
