			NETSCRIPT version 4.0

The firewall and network configuration system for advanced Linux 
firewalls/routers.  It is NOT meant to be used on servers!

Copyright 1995-2001 Matthew Grant <grantma@anathoth.gen.nz>
	  1998,1999 Dave Cinege <dcinege@psychosis.com>

This script system for network setup has its roots in the original firewalling 
setup that Matthew Grant did for a firewall using kernel 1.2.x.  Since then
it has evolved through firewalls/routers on Linux kernels 2.0.x, 2.2.x, 
2.4.x, and 2.6.x.

Version 1 was the stuff under kernel 2.0.x, version 2 on LRP 2.9.4 Kilimanjaro, 
Materhorn, and Eiger under 2.2, version 3.0 for Debian under kernel 2.2.x, and
this one is for Debian under kernel 2.4.x and 2.6.x.

You should install bridge-utils for bridging, and the iproute2 tools and 
iptables, to use these scripts.  Your kernel will need to be compiled for 
Advanced Router support and have almost all the configuration options turned 
on.  It is also recommended that routing software like zebra be installed on 
the system, as it will make things like static routing and complex routing a 
lot easier to handle.

A kernel configuration of what is needed can be found in 2.4.x-kernel.config.
It is also a good idea to add kernel patches from the iptables source tar ball,
especially the IPv6 ones for logging support.  The scripts will load all the 
necessary modules for QoS and iptables.

Documentation for this system is sparse at the moment, but more will be written
as further development takes place.

When installed, most of the configuration you will need will be found in 
/etc/netscript/network.conf including lower level protocol 
daemons/configuration programs like ciped, pppd, or wanconfig. 

You will have to configure the firewall using the iptables commands directly. 
Don't forget to save the configurations using the 
'netscript ipfilter|ip6filter save' commands! Unlike the last version, 
the firewalling and filtering is no longer configured from network.conf.  
This has been done as stateful filtering obviates the need for great 
complexity in the firewall scripts, and more flexibility is possible.  
You have to get down and get dirty with iptables and learn it, which is a 
good thing to do if you are running this to build a network - you should 
understand things fully, or else you will get things wrong.

UPGRADE PATH FROM KERNEL 2.2.X
------------------------------

The firewall/IP filtering stuff in ipfilter.conf is the part that changed 
radically with the move to iptables and a far better way of setting up the 
IP filtering rules.  The QoS and interface startup/shutdown in if.conf have 
also changed, but are backwards compatible with the old 2.2.x ipchains 
version of netscript for the interface address configuration settings.  You 
will have to set up the filtering again for iptables by using the iptables 
commands directly.

Also, the kernel 2.2.x version of the scripts is set up so that iptables is 
only run on a 2.4.x kernel; otherwise, provided you set IPFWDING_KERNEL to 
FILTER_ON in network.conf beforehand, IP forwarding is disabled.

This means that when you upgrade a box to a 2.4.x router kernel, you should
then be able to reboot it, log into it remotely, and upgrade netscript to the
version that supports 2.4.x.  In this situation, if you have set the old 
IPFWDING_KERNEL setting to FILTER_ON beforehand in network.conf, all 
IP forwarding through the box will also be disabled.  This means that you 
can safely upgrade a firewall remotely.
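
A pre-upgrade check for the situation described above, as an added example
that is not part of netscript: it confirms that network.conf carries
IPFWDING_KERNEL=FILTER_ON before the box is rebooted into the 2.4.x kernel.
It assumes network.conf uses shell-style VAR=value assignments; the function
names are hypothetical.

```shell
#!/bin/sh
# Added example, not netscript code.
# Assumption: network.conf holds shell-style VAR=value assignments,
# '#' starts a comment, and the last assignment in the file wins.

# Print the effective value of IPFWDING_KERNEL from the file in $1
# (comments, quotes and surrounding whitespace removed).
ipfwding_value() {
    sed -n \
        -e 's/[[:space:]]*#.*$//' \
        -e 's/^[[:space:]]*IPFWDING_KERNEL=//p' \
        "$1" | tail -n 1 | tr -d "\"'[:space:]"
}

# Return 0 only if the setting is FILTER_ON, i.e. forwarding stays off
# until a filter is in place.  Return 1 for any other or missing value,
# 2 if the file cannot be read.
check_failsafe() {
    conf=${1:-/etc/netscript/network.conf}
    if [ ! -r "$conf" ]; then
        echo "cannot read $conf" >&2
        return 2
    fi
    val=$(ipfwding_value "$conf")
    case "$val" in
        FILTER_ON)
            echo "OK: IPFWDING_KERNEL=FILTER_ON in $conf"
            return 0 ;;
        "")
            echo "FAIL: IPFWDING_KERNEL is not set in $conf" >&2
            return 1 ;;
        *)
            echo "FAIL: IPFWDING_KERNEL=$val in $conf, not FILTER_ON" >&2
            return 1 ;;
    esac
}

# Typical use on the router, before rebooting into the new kernel:
#   check_failsafe /etc/netscript/network.conf || echo "do not reboot yet"
```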


