cutter(8) [debian man page]
CUTTER(8) System Manager's Manual CUTTER(8) NAME
cutter - cut tcp/ip connections SYNOPSIS
cutter ipaddress1 [ port1 [ ipaddress2 [ port2 ] ] ] DESCRIPTION
Cutter is an open source program that allows Linux firewall administrators to abort TCP/IP connections routed over the firewall or router on which it is run. WARNING
Cutter has been designed for use as a administrators tool for Linux firewalls. It's use (as is, or modified) for any other purpose is not sanctioned by the author. So - do not use this tool as a parachute, or to dry your cat, chill meat, answer your phone, drive you car, teach your kids to read or attack other people's computer systems or networks. This software has been designed for legal and appropriate use by network security administrators and the like. It has been written as part of a larger Linux firewall project, targetting at controlling traffic from peer-to-peer software such as Kazaa, iMesh and others into and out of a private network. It is not designed as a tool for malicious use and the author in no way sanctions such use. Users of the software should be aware that it's actions are easily detectable using a number of readily available network monitoring tools, and it makes no attempt to disguise it's actions. Malicious use of "cutter" could result in a jail sentance in a number of countries around the world. The author is not responsible for the results of using this software. It is provided "as is" in the hope that it will be useful, but no garantees are made about it's use. USAGE
Cutter can be called using one of the following four syntaxes. cutter ip-address Example: cutter 10.10.0.45 Cuts all connections passing through the firewall between any ports on the specified ip-address (either a "private" or "public" address) and any other hosts. This can be used to close down all incoming connections to a particular server, all outgoing connec- tions from a particular client or all outgoing connections to a server. cutter ip-address port Example: cutter 200.1.2.3 80 Cuts all connections to or from the specified ip-address/port pair. This allows the user to be a little more specific than the pre- vious example and allows targetting of specific services on specific hosts. cutter ip-address-1 port-1 ip-address-2 Example: cutter 200.1.2.3 22 10.10.0.45 Cuts all connections between ip-address-2 and ip-address-1/port-1. This allows the user to cut connections between a specified "client" and a particular service on a specified host. Our example closes host 10.10.0.45's SSH connection to server 200.1.2.3. cutter ip-address-1 port-1 ip-address-2 port-2 Example: cutter 200.1.2.3 22 10.10.0.45 32451 Cuts the specific connection between the two ip/port number pairs given. STATUS
Cutter 1.03 should be considered EXPERIMENTAL. The author is releasing a tool that works on the systems he has access to (namely: IPCop and RedHat Linux), and he is seeking input on it's use on other systems, ideas for improvement, offers of sponsorship - etc. ADDITIONAL DOCUMENTATION
This program is documented at http://www.lowth.com/cutter/ <http://www.lowth.com/cutter/> AUTHOR
Blars Blarson addapted the README and web page written by Chris Lowth into this man page for debian package of cutter. This man page may be distribuated under the terms of the Gnu GPL version 2. April, 2005 CUTTER(8)
Check Out this Related Man Page
FIREWALLD.ZONES(5) firewalld.zones FIREWALLD.ZONES(5) NAME
firewalld.zones - firewalld zones DESCRIPTION
What is a zone? A network zone defines the level of trust for network connections. This is a one to many relation, which means that a connection can only be part of one zone, but a zone can be used for many network connections. The zone defines the firewall features that are enabled in this zone: Predefined services A service is a combination of port and/or protocol entries. Optionally netfilter helper modules can be added and also a IPv4 and IPv6 destination address. Ports and protocols Definition of tcp or udp ports, where ports can be a single port or a port range. ICMP blocks Blocks selected Internet Control Message Protocol (ICMP) messages. These messages are either information requests or created as a reply to information requests or in error conditions. Masquerading The addresses of a private network are mapped to and hidden behind a public IP address. This is a form of address translation. Forward ports A forward port is either mapped to the same port on another host or to another port on the same host or to another port on another host. Rich language rules The rich language extends the elements (service, port, icmp-block, masquerade and forward-port) with additional source and destination addresses, logging, actions and limits for logs and actions. It can also be used for host or network white and black listing (for more information, please have a look at firewalld.richlanguage(5)). For more information on the zone file format, please have a look at firewalld.zone(5). Which zones are available? Here are the zones provided by firewalld sorted according to the default trust level of the zones from untrusted to trusted: drop Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible. block Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated within this system are possible. public For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. external For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. dmz For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted. work For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. home For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. internal For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted. trusted All network connections are accepted. Which zone should be used? A public WIFI network connection for example should be mainly untrusted, a wired home network connection should be fairly trusted. Select the zone that best matches the network you are using. How to configure or add zones? To configure or add zones you can either use one of the firewalld interfaces to handle and change the configuration: These are the graphical configuration tool firewall-config, the command line tool firewall-cmd or the D-BUS interface. Or you can create or copy a zone file in one of the configuration directories. /usr/lib/firewalld/zones is used for default and fallback configurations and /etc/firewalld/zones is used for user created and customized configuration files. How to set or change a zone for a connection? The zone is stored into the ifcfg of the connection with ZONE=option. If the option is missing or empty, the default zone set in firewalld is used. If the connection is controlled by NetworkManager, you can also use nm-connection-editor to change the zone. SEE ALSO
firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1), firewalld.conf(5), firewalld.direct(5), firewalld.icmptype(5), firewalld.lockdown-whitelist(5), firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5), firewalld.zone(5), firewalld.zones(5) NOTES
firewalld home page at fedorahosted.org: http://fedorahosted.org/firewalld/ More documentation with examples: http://fedoraproject.org/wiki/FirewallD AUTHORS
Thomas Woerner <twoerner@redhat.com> Developer Jiri Popelka <jpopelka@redhat.com> Developer firewalld 0.3.9 FIREWALLD.ZONES(5)