
Copyright (C) 2000-2001, Jean-Sebastien Morisset <jsmoriss@mvlan.net>
rcf - the most secure and complete ipchains Firewall for Linux.

This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the 
Free Software Foundation <http://www.gnu.org/copyleft/gpl.txt>.

This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of 
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
Public License (LICENSE file in archive) for more details.

************************************************************************
   PLEASE SEE <http://rcf.mvlan.net/#commercial> FOR COMMERCIAL USE.
************************************************************************

DESCRIPTION

rcf (aka rc.firewall) is an ipchains-based firewall with support for
over 50 network service modules (including vtun, dhcp, nfs, smb,
napster, proxies, online games, etc.), masquerading, port forwarding,
and ip accounting. All services are self-contained modules which can be
prioritized in the ipchains stack. Protections include spoofing, stuffed
routing/masquerading, DoS, smurf attacks, outgoing port scans, and many
more. rcf also supports an unlimited number of public, private
(masqu'ed), dmz, and mz (non-masq'ed) interfaces and their subnets.
Access rules are defined
per interface and dmz/mz server "clusters". rcf is compatible with Red
Hat, Slackware, Debian, Linux Router Project (LRP), and many other
distros. rcf is distributed under the General Public License (GPL)
terms.

FILES

The rcf-5.2.tar.gz archive should include the following files:

ChangeLog       History of changes
FAQ.html        Frequently asked questions
INSTALL         Installation instructions and other notes
LICENSE         General public license (GPL)
TODO            Features planned for future releases.
firewall        Startup script for Red Hat and Debian users
functions.tar   Functions used by the rcf script
groups.tar      Essential group files (iana reserved networks, etc.)
install.sh      Installation script
man.tar         Man pages
modules.tar     Tarball of basic firewall modules
rcf             The main firewall script

UPGRADING

    AUTOMATED

    You can follow the automated installation instructions. Existing
    files and directories will be saved with a ".yymmddHHMM" 
    extension.

    !!! WARNING !!!

    Version 5.1 introduces access rules on the firewall's private
    interfaces. If you are using telnet or ssh to access your firewall
    by its private interface, don't forget to review the
    accept-{int}-telnet-clients and accept-{int}-ssh-clients options
    for your private interfaces!

    5.x -> 5.1

        MANUAL

        The /etc/firewall-modules directory has been changed to
        /etc/firewall/modules.

        MODULES

        If you have written your own custom modules (and plan to use 
        them for DMZ clusters) you'll have to rename the $INTERFACE 
        variables to $INTOPT. This new variable contains cluster 
        information necessary to retrieve host information.

        The first parameter to the Accept_Hostports function has been 
        changed to "local" or "remote" instead of $INTERFACE.

        The first parameter ($INTERFACE variable) to the 
        Forward_Hostports function has been removed.

INSTALLATION

    AUTOMATED

    Execute the install.sh script.

    MANUAL

    As root, copy the rcf script into /sbin.

        # umask 077
        # cp rcf /sbin
        # chmod 700 /sbin/rcf

    If your system has an /etc/rc.d directory, you'll probably want to
    add a symbolic link for rcf.

        # ln -s /sbin/rcf /etc/rc.d/rc.firewall

    You could also set up some init scripts, call rcf from rc.local, or
    let your dhcpcd client execute it when your IP address changes. A
    sample startup script (simply called firewall) has been included
    for Red Hat and Debian users.
    
    Red Hat users can copy it to /etc/rc.d/init.d/firewall and create
    symlinks in their startup directories.

        # cp firewall /etc/rc.d/init.d/firewall
        # chkconfig --add firewall

    Extract the functions, groups, modules, and man pages tarballs. 

        # tar -xvp -C /etc/firewall -f functions.tar
        # tar -xvp -C /etc/firewall -f groups.tar
        # tar -xvp -C /etc/firewall -f modules.tar
        # tar -xvp -C /usr/man -f man.tar

    To create the initial configuration file, execute rcf. Edit the
    resulting /etc/firewall.conf and re-run rcf.
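    A post-install check, added here as an example and not part of the
    rcf distribution, that verifies what the manual steps above should
    leave behind: an rcf script in sbin with the 0700 mode produced by
    the umask/chmod step, and the /etc/firewall/modules directory the
    modules tarball populates. The PREFIX parameter and the function
    name are assumptions made for this example; an empty prefix checks
    the live system, any other directory checks a staging tree laid out
    the same way.

```shell
#!/bin/sh
# Added example (not part of rcf): verify the manual installation above.
#
# check_rcf_install PREFIX
#   PREFIX is an assumed parameter: "" (or "/") checks the live system,
#   any other directory checks a staging tree with the same layout.
#   Returns 0 when everything is in place, 1 otherwise, and reports
#   each problem on stderr.
check_rcf_install() {
    prefix=${1%/}          # strip one trailing slash so "/" becomes ""
    rc=0

    script="$prefix/sbin/rcf"
    if [ ! -f "$script" ]; then
        echo "missing: $script" >&2
        rc=1
    else
        # The first ten characters of "ls -ld" are the file type and the
        # permission bits. The install steps use umask 077 and chmod 700,
        # so anything other than -rwx------ means the script is readable
        # (or writable) by users who should not see the firewall rules.
        mode=$(ls -ld "$script" | cut -c1-10)
        if [ "$mode" != "-rwx------" ]; then
            echo "bad mode on $script: $mode (expected -rwx------)" >&2
            rc=1
        fi
    fi

    # Only the modules directory is named explicitly in this README;
    # the other tarballs are extracted under /etc/firewall as well.
    moddir="$prefix/etc/firewall/modules"
    if [ ! -d "$moddir" ]; then
        echo "missing directory: $moddir" >&2
        rc=1
    fi

    return $rc
}

# Usage on a live system (run as root so the files are readable):
#   check_rcf_install "" && echo "rcf installation looks sane"
```

    Run it after install.sh or the manual copy; a non-zero exit with a
    "bad mode" message usually means the chmod step was skipped or the
    file was copied by a tool that reset the mode.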

CONFIGURATION NOTES

Don't forget to review the accept-{pub}-dns-servers option. If you have
a DNS server on your firewall, you'll have to set your public
interface's option to "any/0". If you use your ISP's DNS, you can enter
its IP address here instead. If the DNS doesn't support recursive
lookups, you'll have to use "any/0".

PARAMETERS

A few command line arguments are available. Execute "rcf --help" (or
"man rcf") to view the summary.

LOG FILE

On several occasions you might wonder what traffic is being blocked --
to debug something, spot hacker activity, etc. I recommend you save
syslog messages generated by ipchains to a separate log file. Add
something like this to your /etc/syslog.conf file:

    kern.=info      /var/log/firewall/ipchains.log
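An added example of reading that log file (example code, not part of
rcf): a small awk summary run over a few constructed lines in the
kernel's ipchains "Packet log:" format, counting DENY/REJECT entries per
source address so a burst of blocked packets from one host stands out.
The SAMPLE_LOG lines, the RFC 5737 test addresses in them, and the
function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of rcf): summarize blocked traffic from the
# ipchains log file that the syslog.conf line above creates.
#
# On classic syslogd the selector and the action in syslog.conf must be
# separated by a TAB:
#   kern.=info<TAB>/var/log/firewall/ipchains.log

# Constructed sample lines. The kernel writes one line per logged packet:
#   Packet log: CHAIN TARGET IFACE PROTO=n SRC:SPORT DST:DPORT L= S= I= F= T= [SYN] (#rule)
SAMPLE_LOG='Feb  3 10:15:01 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:4321 198.51.100.1:23 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#12)
Feb  3 10:15:02 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:4322 198.51.100.1:22 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#12)
Feb  3 10:15:03 gw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.20:53 198.51.100.1:53 L=78 S=0x00 I=0 F=0x0000 T=58 (#20)
Feb  3 10:15:04 gw kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.30:1000 198.51.100.1:80 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#5)'

# summarize_denies [FILE]
#   Reads ipchains log lines from FILE (or stdin) and prints
#   "<count> <source-ip>" for DENY/REJECT entries, busiest source first.
#   Logged ACCEPT lines (e.g. from accounting rules) are skipped so they
#   do not inflate the counts.
summarize_denies() {
    awk '
        /Packet log:/ {
            # locate the "log:" token; the fields after it have a fixed order
            for (i = 1; i <= NF; i++) if ($i == "log:") break
            target = $(i + 2); src = $(i + 5)
            if (target != "DENY" && target != "REJECT") next
            sub(/:[0-9]+$/, "", src)      # drop the source port
            count[src]++
        }
        END { for (ip in count) printf "%d %s\n", count[ip], ip }
    ' "$@" | sort -rn
}

# top_denied_source [FILE]
#   The single busiest blocked source, as "<count> <ip>".
top_denied_source() {
    summarize_denies "$@" | head -n 1
}

# Usage on the real log:      summarize_denies /var/log/firewall/ipchains.log
# Usage on the sample data:   printf '%s\n' "$SAMPLE_LOG" | summarize_denies
```

On the sample data the summary is "2 192.0.2.10" followed by
"1 192.0.2.20"; the ACCEPT line is ignored. Extending the awk key to
"src dst-port" instead of the source alone turns the same script into a
per-service view, which is the quicker way to tell a port scan from
repeated attempts against one service.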

MODULES

rcf comes with an extensive list of modules which support the most 
common services. If the service you need isn't listed in the
configuration file, check the /etc/firewall/modules/contrib directory
for additional user-contributed modules. You simply need to link the new
module in the same (relative) public or private sub-directory, then 
execute rcf using the "--update-config" parameter. The new module 
options will be added to the configuration file.

You can also shorten the time --update-config takes to execute by 
removing module links in the public and/or private directories.

If you'd like to try your hand at creating a new module, take a look
at the tcp-clients-template file under /etc/firewall/modules/common/
services/.

FAQ

The FAQ is available at <http://rcf.mvlan.net/dist/FAQ.html>.

MAILING LIST

If you need help, would like to know when new versions are released, 
or contribute to the general evolution of this script, subscribe to 
our mailing lists:

    http://lists.mvlan.net/mailman/listinfo/rcf-users
    http://lists.mvlan.net/mailman/listinfo/rcf-dev
    http://lists.mvlan.net/mailman/listinfo/rcf-announce

