Gentoo Forums
**SUPPORT** Personal Firewall with Shorewall Tutorial
Gentoo Forums Forum Index Networking & Security
Sith_Happens
Veteran
Joined: 15 Dec 2004
Posts: 1807
Location: The University of Maryland at College Park

PostPosted: Mon Mar 14, 2005 12:35 am    Post subject: **SUPPORT** Personal Firewall with Shorewall Tutorial Reply with quote

This is the support thread for the Prompt and Powerful Firewalling with Shorewall tutorial. Haven't read it? Check it out and tell me what you think. If you've read it and need some help, post here and I'll see what I can do. :)
_________________
"That question was less stupid; though you asked it in a profoundly stupid way."
I'm the brains behind Jackass! | Tutorials: Shorewall


Last edited by Sith_Happens on Mon May 02, 2005 7:11 am; edited 1 time in total
WarMachine
Apprentice
Joined: 15 Jul 2002
Posts: 181

PostPosted: Mon Mar 14, 2005 2:30 am    Post subject: Reply with quote

Would you consider expanding the tutorial to include instructions on how to configure shorewall for systems functioning as internet gateways?
Sith_Happens
Veteran
Joined: 15 Dec 2004
Posts: 1807
Location: The University of Maryland at College Park

PostPosted: Mon Mar 14, 2005 3:07 am    Post subject: Reply with quote

Maybe I'll make a second tutorial to do that. This tutorial has a clear purpose and to expand upon it would take away from that. However, I wrote the tutorial with the hope that it not only gives a quick how-to that allows you to set up a personal firewall, but that it gives you enough of the basics of Shorewall that a more advanced configuration is easier to conceive and execute. The other nice thing about Shorewall is there is a great deal of documentation that is available to you. Not only in man and info pages, but in the config files, and on their website. Check out this tutorial on setting up a bridge/router, and see if it helps you.
Sheepdogj15
Guru
Joined: 07 Jan 2005
Posts: 430
Location: Backyard

PostPosted: Mon Mar 14, 2005 5:49 am    Post subject: Reply with quote

i'm just posting to let you know if you do decide to write a tutorial for setting up a firewall/gateway box, i'd use it. i actually tried setting up M0n0wall (like Smoothwall except based on FreeBSD. site: http://m0n0.ch/wall) on a spare PC i had handy, but the install failed miserably.

i was thinking of switching to Smoothwall, but i like the idea of using Shorewall on Gentoo as it looks like it would give me more options. (i like bells and whistles.. ahem, i mean secured bells and whistles ;) )

otherwise, i'll probably just check out the tutorial from the Shorewall website.
Sith_Happens
Veteran
Joined: 15 Dec 2004
Posts: 1807
Location: The University of Maryland at College Park

PostPosted: Mon Mar 14, 2005 6:06 am    Post subject: Reply with quote

Here is a better tutorial from the site for setting up a simple two zone (loc and net) firewall/router. I was looking for this one earlier, but I could only find the first tutorial. I think if I were to create a tutorial for a two interface shorewall set up it would probably be a recreation of this only specifically for gentoo users. The other difference is this tutorial sets up a policy to accept all outgoing connections, as opposed to my approach which is to decide what outgoing connections I want to allow. See if this helps, if you have any questions from this two interface tutorial I can probably help you in this thread as well.
rhill
Developer
Joined: 22 Oct 2004
Posts: 1629
Location: sk.ca

PostPosted: Mon Mar 14, 2005 7:16 am    Post subject: Reply with quote

very nice. i'm just emerging shorewall now, after skimming over the tutorial. i just wanted to say thanks. it seems that everything written on the topic of linux and networking immediately assumes you have more than one box. i've been looking for a good guide applicable to a single pc setup for a while now.
_________________
by design, by neglect
for a fact or just for effect
jdeane
n00b
Joined: 09 Sep 2004
Posts: 8

PostPosted: Mon Mar 14, 2005 1:13 pm    Post subject: Reply with quote

Thanks for the tutorial, just what I was looking for,
Jon
Sheepdogj15
Guru
Joined: 07 Jan 2005
Posts: 430
Location: Backyard

PostPosted: Mon Mar 14, 2005 7:29 pm    Post subject: Reply with quote

excellent. :) thank you.

i might still use your tutorial for my local box as well. can never be too paranoid these days, eh? :lol:
Sith_Happens
Veteran
Joined: 15 Dec 2004
Posts: 1807
Location: The University of Maryland at College Park

PostPosted: Mon Mar 14, 2005 7:51 pm    Post subject: Reply with quote

I'm really pleased with the positive feedback. If you guys have any problems with the tutorial tell me your suggestions, if I can make it easier to understand or clearer in any part I'd like to know.
spike_spiegel
n00b
Joined: 14 Mar 2005
Posts: 4

PostPosted: Mon Mar 14, 2005 8:37 pm    Post subject: Firewall For lan Reply with quote

Shorewall seems pretty nice, but so far, I've seen nothing that will help me set it up for my router and Windows PCs.

I'll try and mess around with it some more, but any help would be great.
____
spike
Ircop at irc.Aniverse.net
#linux
Sith_Happens
Veteran
Joined: 15 Dec 2004
Posts: 1807
Location: The University of Maryland at College Park

PostPosted: Mon Mar 14, 2005 9:04 pm    Post subject: Reply with quote

Did you look at this tutorial?
Sith_Happens
Veteran
Joined: 15 Dec 2004
Posts: 1807
Location: The University of Maryland at College Park

PostPosted: Mon Mar 14, 2005 10:38 pm    Post subject: Reply with quote

Here is a tutorial on the Shorewall site for setting up a standalone firewall. Read my criticism of this how-to in the tutorial thread however before following it. Thanks to Krolden for posting the link.
Dumphrey
n00b
Joined: 04 Mar 2005
Posts: 5
Location: NC

PostPosted: Mon Mar 14, 2005 11:34 pm    Post subject: thanks much Reply with quote

I appreciate the how-to. I had no idea Shorewall was out there till I stumbled on this thread. I had been trying to set up ip-tables manually. Gahh!
Shorewall is my new buddy.
Sith_Happens
Veteran
Joined: 15 Dec 2004
Posts: 1807
Location: The University of Maryland at College Park

PostPosted: Tue Mar 15, 2005 12:13 am    Post subject: Reply with quote

Shorewall is certainly easier to understand than iptables by itself. Shorewall allows you to quickly and simply create a complex iptables setup in no time.
Andersson
Guru
Joined: 12 Jul 2003
Posts: 525
Location: Göteborg, Sweden

PostPosted: Tue Mar 15, 2005 12:53 am    Post subject: Reply with quote

I've only been using iptables until now, it's been working great. It never hurts trying new solutions, though. Shorewall might be a little quicker and give a little better overview. I'll try it for a while and see if I like it better. :)

Ok, how about this, I wish to have an ssh server running on port 22 (done), but drop connections to this port from the internet (done), then redirect internet connections addressed to port 2222, to port 22.

This is to avoid those annoying bots attempting to log in. So why not run the server on port 2222 and simply ACCEPT connections to that port? Well, I want to use port 22 to save me from typing "-p 2222" when I'm on the local network.

So anyway, this is my attempt but it does not work.
Code:
#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE            USER/
#                                               PORT    PORT(S)    DEST         LIMIT           GROUP
REDIRECT net            22              tcp     2222    -          fw

I may have confused DEST, DEST PORT and ORIGINAL DEST, but I haven't been able to test since I get the following error:
Code:
bash-2.05b# /etc/init.d/shorewall start
 * Starting firewall...
   Warning: Zone dmz is empty
iptables v1.2.11: host/network `fw' not found
Try `iptables -h' or 'iptables --help' for more information.
/sbin/runscript.sh: line 532: 17543 Avslutad     /sbin/shorewall start >/dev/null                 [ !! ]

Suggestions?
_________________
Must...resist...posting....
One...step...closer...to...getting...stupid...l33t...ranking...
Sith_Happens
Veteran
Joined: 15 Dec 2004
Posts: 1807
Location: The University of Maryland at College Park

PostPosted: Tue Mar 15, 2005 1:14 am    Post subject: Reply with quote

Try
Code:
#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE            USER/
#                                               PORT    PORT(S)    DEST         LIMIT           GROUP
REDIRECT net            22              tcp     2222

Andersson
Guru
Joined: 12 Jul 2003
Posts: 525
Location: Göteborg, Sweden

PostPosted: Tue Mar 15, 2005 1:51 am    Post subject: Reply with quote

So a single port number means a port on the firewall itself?

I get no errors from shorewall using your rule. I still can't connect, but I must have misconfigured sshd somehow :oops:
Sith_Happens
Veteran
Joined: 15 Dec 2004
Posts: 1807
Location: The University of Maryland at College Park

PostPosted: Tue Mar 15, 2005 2:51 am    Post subject: Reply with quote

Well, let's test it just to be sure the rule is working. Go to this site and have it scan port 2222 on your firewall. Then run dmesg, it should have an entry for the scan, post that shorewall message, and we'll see if it works.
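A small parser for the kind of dmesg entries the scan test above should produce, added here as an example; it is not code from the thread or from Shorewall. The sample lines are constructed in the netfilter LOG format with Shorewall's `Shorewall:<chain>:<disposition>:` prefix (the chain labels and MAC are assumed; addresses are documentation ranges), and the second function counts repeated DROPs on a port, which is the simplest way to see the login bots Andersson wants off port 22.

```python
import re
from collections import Counter

# Kernel netfilter LOG line as Shorewall emits it: the prefix
# "Shorewall:<chain>:<disposition>:" followed by KEY=VALUE fields.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)")
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")

def parse_log_line(line):
    """Return a dict for one Shorewall log line, or None if it is not one."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    event = {"chain": m.group("chain"), "disp": m.group("disp")}
    for key, value in FIELD_RE.findall(m.group("rest")):
        event[key] = value  # flags such as DF or SYN carry no '=' and are skipped
    return event

def scan_hits(lines, port):
    """Events whose TCP destination port is `port`: the check the thread
    suggests after scanning port 2222 from outside and reading dmesg."""
    hits = []
    for line in lines:
        ev = parse_log_line(line)
        if ev and ev.get("PROTO") == "TCP" and ev.get("DPT") == str(port):
            hits.append(ev)
    return hits

def drops_by_source(lines, port, threshold):
    """Sources DROPped on `port` at least `threshold` times: a cheap way to
    spot the login bots the thread wants to keep off port 22."""
    counts = Counter()
    for line in lines:
        ev = parse_log_line(line)
        if ev and ev["disp"] == "DROP" and ev.get("DPT") == str(port):
            counts[ev["SRC"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}

# Constructed dmesg excerpt (chain labels assumed, RFC 5737 addresses, invented MAC).
SAMPLE_LOG = """\
Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=3 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=4 DF PROTO=TCP SPT=50000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Shorewall:net_dnat:REDIRECT:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=5 DF PROTO=TCP SPT=50001 DPT=2222 WINDOW=5840 RES=0x00 SYN URGP=0
"""
```

Feed it `dmesg` output split into lines; a REDIRECT rule only produces such entries when it is given a log level in the rules file.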
Andersson
Guru
Joined: 12 Jul 2003
Posts: 525
Location: Göteborg, Sweden

PostPosted: Tue Mar 15, 2005 4:24 am    Post subject: Reply with quote

It works like a charm! And the sshd wasn't misconfigured - just not started :roll:
Sith_Happens
Veteran
Joined: 15 Dec 2004
Posts: 1807
Location: The University of Maryland at College Park

PostPosted: Tue Mar 15, 2005 4:29 am    Post subject: Reply with quote

The thing about redirect is it implies you are talking about traffic to the firewall.
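As an added example (not from the thread or from the Shorewall project), a checker for the REDIRECT semantics explained in this reply and in the corrected rule earlier: DEST is a port on the firewall itself, DEST PORT is the port the client connected to, and a zone name in ORIGINAL DEST is what produced the `host/network 'fw' not found` error. The column layout follows the header comment of the posted rule; `zone:port` and comma-separated list forms of the columns are assumed out of scope.

```python
import ipaddress

# Column order of the Shorewall 2.x rules file, as in the thread's header comment.
COLUMNS = ["action", "source", "dest", "proto", "dport", "sport", "origdest", "rate", "user"]

def parse_rule(line):
    """One rules line -> dict keyed by COLUMNS ('-' and missing columns -> None)."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None  # blank line or comment
    fields += [None] * (len(COLUMNS) - len(fields))
    return {c: (None if v in (None, "-") else v) for c, v in zip(COLUMNS, fields)}

def is_port(value):
    return value is not None and value.isdigit() and 0 < int(value) < 65536

def is_address(value):
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False

def check_redirect(rule):
    """Problems with a REDIRECT rule (empty list if fine). DEST is the port on
    the firewall receiving the traffic, DEST PORT is the port the client
    originally hit, and ORIGINAL DEST must be an address, never a zone like 'fw'."""
    problems = []
    if rule["action"] != "REDIRECT":
        return problems
    if not is_port(rule["dest"]):
        problems.append("DEST must be the firewall port to redirect to")
    if rule["dport"] is not None and not is_port(rule["dport"]):
        problems.append("DEST PORT must be the port the client connected to")
    od = rule["origdest"]
    if od is not None and not is_address(od.lstrip("!")):
        problems.append(f"ORIGINAL DEST '{od}' is not an address")
    return problems

def lint(text):
    """Lint a rules-file fragment; returns {line number: [problems]}."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        probs = check_redirect(rule) if rule else []
        if probs:
            report[lineno] = probs
    return report

# Constructed sample: the rule that failed in this thread, then the one that worked.
SAMPLE = """\
#ACTION  SOURCE  DEST  PROTO  DEST  SOURCE  ORIGINAL
REDIRECT net     22    tcp    2222  -       fw
REDIRECT net     22    tcp    2222
"""
```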
Gripp
Tux's lil' helper
Joined: 02 Mar 2005
Posts: 99

PostPosted: Fri Mar 18, 2005 11:04 am    Post subject: Reply with quote

hmm.. of course everything i do has a catch eh
at the line
Code:
/etc/init.d/shorewall start

i get:
Code:
modprobe: Can't locate module ip_tables
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)

then, after doing that several times it gives me:
Code:
/sbin/runscript.sh: line 532:   877 Terminated              /sbin/shorewall start >/dev/null                                                              [ !! ]

#$%^# root #


i have kernel 2.4.28-r7 -- looking at the portage description of it, 2.4 is what it needs.
and it does have loadable module support...

i just ran emerge --sync today
the best i find in my kernel is "network packet filter (replaces IPTABLES)"
any ideas?


Last edited by Gripp on Wed Mar 23, 2005 5:39 am; edited 1 time in total
trooper_ryan
n00b
Joined: 07 Apr 2004
Posts: 74

PostPosted: Fri Mar 18, 2005 12:13 pm    Post subject: Reply with quote

I'm being finicky, but perhaps the subject should not include the phrase "Personal firewall". This suggests an app that interacts with the user.

Got me all excited - bastards! :D
Sith_Happens
Veteran
Joined: 15 Dec 2004
Posts: 1807
Location: The University of Maryland at College Park

PostPosted: Fri Mar 18, 2005 3:07 pm    Post subject: Reply with quote

trooper_ryan wrote:
This suggests an app that interacts with the user.
I think "personal firewall" represents a firewall for a standalone machine as opposed to a dedicated firewall for a network. Just so I know, what were you looking for as far as interactivity? A GUI? If that's the case maybe you should look into KMyFirewall. Personally, I think GUIs make it much more difficult to configure anything, but that's just me. :)
trooper_ryan
n00b
Joined: 07 Apr 2004
Posts: 74

PostPosted: Sat Mar 19, 2005 12:08 am    Post subject: Reply with quote

Sith_Happens wrote:
I think "personal firewall" represents a firewall for a standalone machine as opposed to a dedicated firewall for a network. Just so I know, what were you looking for as far as interactivity?


Personal firewall products are generally desktop based and have a learning capability, e.g. if I initiate an FTP session the personal firewall will pop up a dialogue asking if FTP should be allowed temporarily or permanently.

I haven't seen any products like this for linux, but on Windoze there are many examples: Tiny, ISS, ZoneAlarm etc etc
Sith_Happens
Veteran
Joined: 15 Dec 2004
Posts: 1807
Location: The University of Maryland at College Park

PostPosted: Sat Mar 19, 2005 2:25 am    Post subject: Reply with quote

trooper_ryan wrote:
Sith_Happens wrote:
I think "personal firewall" represents a firewall for a standalone machine as opposed to a dedicated firewall for a network. Just so I know, what were you looking for as far as interactivity?


Personal firewall products are generally desktop based and have a learning capability, e.g. if I initiate an FTP session the personal firewall will pop up a dialogue asking if FTP should be allowed temporarily or permanently.

I haven't seen any products like this for linux, but on Windoze there are many examples: Tiny, ISS, ZoneAlarm etc etc
Well, the definition of a "personal firewall" is one which protects a single computer with one network connection. What you are looking for isn't so much a personal firewall as it is an "idiot firewall" :wink: . In that case I would still suggest you take a look at KMyFirewall.