Snowfence is a simple firewall for the Sharp Zaurus, a GNU/Linux-based palmtop computer. It uses the Linux kernel's iptables firewall support to limit the ability of potential attackers to access the Zaurus's services remotely while still allowing the Zaurus's legitimate local user to make use of the network as usual.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License (LICENSE in the source distribution) for more details.
Note that, unlike most application software, iptables kernel module packages are apt to be specific to a particular Linux kernel version. These are the packages I use on my SL-6000 (Sharp ROM 1.12, Linux kernel 2.4.18):
# Empty all tables and set default policies: # Unless specifically permitted below, drop all incoming # packets. No forwarding. Outgoing packets are allowed. iptables -F INPUT iptables -P INPUT DROP iptables -F FORWARD iptables -P FORWARD DROP iptables -F OUTPUT iptables -P OUTPUT ACCEPT # Allow incoming packets on the loopback and usb # interfaces. These rules permit normal usage of # local programs and the cradle. iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -i usb+ -j ACCEPT # On the remaining interfaces (Ethernet, wireless, and so on), # allow incoming packets only if they are part of, or # related to, an existing session. In other words, your # Zaurus will participate in conversations with other # computers only when *you* start the conversation, not # *them*. Consequently, you should be able to browse the # web, read and send E-mail, and so on, as usual. iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # That's all for the standard rules. Here are some hints for # customizing the firewall for more advanced needs. If you # would like to run some server on your Zaurus, uncomment the # appropriate line below, or add your own. # # For sshd: # iptables -A INPUT -p tcp --dport ssh -j ACCEPT # # For a web server: # iptables -A INPUT -p tcp --dport www -j ACCEPT
Here are two ways to verify that Snowfence is running:
Chain INPUT (policy DROP 10 packets, 840 bytes) pkts bytes target prot opt in out source destination 7443 723K ACCEPT all -- lo any anywhere anywhere 0 0 ACCEPT all -- usb+ any anywhere anywhere 80 14142 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 7561 packets, 735K bytes) pkts bytes target prot opt in out source destinationThe packets, pkts and bytes numbers are apt to be different; this is OK.
Feedback is welcome. If you'd like to report a successful install of Snowfence, please include the model of your Zaurus, your ROM version number, and your Linux kernel version number, if possible. Follow the link below for my E-mail address.
Tim Fraser's homepage at the WPI alumni site
$Id: index.html,v 1.8 2005/11/26 18:11:42 tim Exp $