Sith_Happens Veteran
Joined: 15 Dec 2004 Posts: 1807 Location: The University of Maryland at College Park
Posted: Mon Mar 14, 2005 12:35 am Post subject: **SUPPORT** Personal Firewall with Shorewall Tutorial

This is the support thread for the Prompt and Powerful Firewalling with Shorewall tutorial. Haven't read it? Check it out and tell me what you think. If you've read it and need some help, post here and I'll see what I can do.

_________________
"That question was less stupid; though you asked it in a profoundly stupid way."
I'm the brains behind Jackass! | Tutorials: Shorewall

Last edited by Sith_Happens on Mon May 02, 2005 7:11 am; edited 1 time in total

WarMachine Apprentice
Joined: 15 Jul 2002 Posts: 181
Posted: Mon Mar 14, 2005 2:30 am Post subject:

Would you consider expanding the tutorial to include instructions on how to configure Shorewall for systems functioning as internet gateways?

Sith_Happens Veteran
Joined: 15 Dec 2004 Posts: 1807 Location: The University of Maryland at College Park
Posted: Mon Mar 14, 2005 3:07 am Post subject:

Maybe I'll make a second tutorial to do that. This tutorial has a clear purpose, and to expand upon it would take away from that. However, I wrote the tutorial with the hope that it not only gives a quick how-to that allows you to set up a personal firewall, but that it gives you enough of the basics of Shorewall that a more advanced configuration is easier to conceive and execute. The other nice thing about Shorewall is that there is a great deal of documentation available to you, not only in man and info pages, but in the config files and on their website. Check out this tutorial on setting up a bridge/router, and see if it helps you.

Sheepdogj15 Guru
Joined: 07 Jan 2005 Posts: 430 Location: Backyard
Posted: Mon Mar 14, 2005 5:49 am Post subject:

I'm just posting to let you know that if you do decide to write a tutorial for setting up a firewall/gateway box, I'd use it. I actually tried setting up M0n0wall (like Smoothwall except based on FreeBSD; site: http://m0n0.ch/wall) on a spare PC I had handy, but the install failed miserably.
I was thinking of switching to Smoothwall, but I like the idea of using Shorewall on Gentoo as it looks like it would give me more options. (I like bells and whistles.. ahem, I mean secured bells and whistles.)
Otherwise, I'll probably just check out the tutorial from the Shorewall website.

Sith_Happens Veteran
Joined: 15 Dec 2004 Posts: 1807 Location: The University of Maryland at College Park
Posted: Mon Mar 14, 2005 6:06 am Post subject:

Here is a better tutorial from the site for setting up a simple two-zone (loc and net) firewall/router. I was looking for this one earlier, but I could only find the first tutorial. I think if I were to create a tutorial for a two-interface Shorewall setup it would probably be a recreation of this one, only specifically for Gentoo users. The other difference is that this tutorial sets up a policy to accept all outgoing connections, as opposed to my approach, which is to decide what outgoing connections I want to allow. See if this helps; if you have any questions about this two-interface tutorial I can probably help you in this thread as well.

rhill Retired Dev
Joined: 22 Oct 2004 Posts: 1629 Location: sk.ca
Posted: Mon Mar 14, 2005 7:16 am Post subject:

Very nice. I'm just emerging shorewall now, after skimming over the tutorial. I just wanted to say thanks. It seems that everything written on the topic of Linux and networking immediately assumes you have more than one box. I've been looking for a good guide applicable to a single-PC setup for a while now.

_________________
by design, by neglect
for a fact or just for effect

jdeane n00b
Joined: 09 Sep 2004 Posts: 8
Posted: Mon Mar 14, 2005 1:13 pm Post subject:

Thanks for the tutorial, just what I was looking for.
Jon

Sheepdogj15 Guru
Joined: 07 Jan 2005 Posts: 430 Location: Backyard
Posted: Mon Mar 14, 2005 7:29 pm Post subject:

Excellent. Thank you.
I might still use your tutorial for my local box as well. Can never be too paranoid these days, eh?

Sith_Happens Veteran
Joined: 15 Dec 2004 Posts: 1807 Location: The University of Maryland at College Park
Posted: Mon Mar 14, 2005 7:51 pm Post subject:

I'm really pleased with the positive feedback. If you guys have any problems with the tutorial, tell me your suggestions; if I can make it easier to understand or clearer in any part, I'd like to know.

spike_spiegel n00b
Joined: 14 Mar 2005 Posts: 4
Posted: Mon Mar 14, 2005 8:37 pm Post subject: Firewall For lan

Shorewall seems pretty nice, but so far I've seen nothing that will help me set it up for my router and Windows PCs.
I'll try and mess around with it some more, but any help would be great.

____
spike
Ircop at irc.Aniverse.net
#linux

Sith_Happens Veteran
Joined: 15 Dec 2004 Posts: 1807 Location: The University of Maryland at College Park
Posted: Mon Mar 14, 2005 9:04 pm Post subject:

Did you look at this tutorial?

Sith_Happens Veteran
Joined: 15 Dec 2004 Posts: 1807 Location: The University of Maryland at College Park
Posted: Mon Mar 14, 2005 10:38 pm Post subject:

Here is a tutorial on the Shorewall site for setting up a standalone firewall. Read my criticism of this how-to in the tutorial thread, however, before following it. Thanks to Krolden for posting the link.

Dumphrey n00b
Joined: 04 Mar 2005 Posts: 5 Location: NC
Posted: Mon Mar 14, 2005 11:34 pm Post subject: thanks much

I appreciate the how-to. I had no idea Shorewall was out there till I stumbled on this thread. I had been trying to set up iptables manually. Gahh!
Shorewall is my new buddy.

Sith_Happens Veteran
Joined: 15 Dec 2004 Posts: 1807 Location: The University of Maryland at College Park
Posted: Tue Mar 15, 2005 12:13 am Post subject:

Shorewall is certainly easier to understand than iptables by itself. Shorewall allows you to quickly and simply create a complex iptables setup in no time.

Andersson Guru
Joined: 12 Jul 2003 Posts: 525 Location: Göteborg, Sweden
Posted: Tue Mar 15, 2005 12:53 am Post subject:

I've only been using iptables until now; it's been working great. It never hurts trying new solutions, though. Shorewall might be a little quicker and give a little better overview. I'll try it for a while and see if I like it better.
OK, how about this: I wish to have an ssh server running on port 22 (done), but drop connections to this port from the internet (done), then redirect internet connections addressed to port 2222 to port 22.
This is to avoid those annoying bots attempting to log in. So why not run the server on port 2222 and simply ACCEPT connections to that port? Well, I want to use port 22 to save me from typing "-p 2222" when I'm on the local network.
So anyway, this is my attempt, but it does not work.

Code:
    #ACTION   SOURCE  DEST  PROTO  DEST  SOURCE   ORIGINAL  RATE   USER/
    #                              PORT  PORT(S)  DEST      LIMIT  GROUP
    REDIRECT  net     22    tcp    2222  -        fw

I may have confused DEST, DEST PORT and ORIGINAL DEST, but I haven't been able to test since I get the following error:

Code:
    bash-2.05b# /etc/init.d/shorewall start
     * Starting firewall...
    Warning: Zone dmz is empty
    iptables v1.2.11: host/network `fw' not found
    Try `iptables -h' or 'iptables --help' for more information.
    /sbin/runscript.sh: line 532: 17543 Avslutad /sbin/shorewall start >/dev/null [ !! ]

Suggestions?

_________________
Must...resist...posting....
One...step...closer...to...getting...stupid...l33t...ranking...

Sith_Happens Veteran
Joined: 15 Dec 2004 Posts: 1807 Location: The University of Maryland at College Park
Posted: Tue Mar 15, 2005 1:14 am Post subject:

Try:

Code:
    #ACTION   SOURCE  DEST  PROTO  DEST  SOURCE   ORIGINAL  RATE   USER/
    #                              PORT  PORT(S)  DEST      LIMIT  GROUP
    REDIRECT  net     22    tcp    2222

Andersson Guru
Joined: 12 Jul 2003 Posts: 525 Location: Göteborg, Sweden
Posted: Tue Mar 15, 2005 1:51 am Post subject:

So a single port number means a port on the firewall itself?
I get no errors from Shorewall using your rule. I still can't connect, but I must have misconfigured sshd somehow.

Sith_Happens Veteran
Joined: 15 Dec 2004 Posts: 1807 Location: The University of Maryland at College Park
Posted: Tue Mar 15, 2005 2:51 am Post subject:

Well, let's test it just to be sure the rule is working. Go to this site and have it scan port 2222 on your firewall. Then run dmesg; it should have an entry for the scan. Post that Shorewall message and we'll see if it works.

Andersson Guru
Joined: 12 Jul 2003 Posts: 525 Location: Göteborg, Sweden
Posted: Tue Mar 15, 2005 4:24 am Post subject:

It works like a charm! And the sshd wasn't misconfigured, just not started.

Sith_Happens Veteran
Joined: 15 Dec 2004 Posts: 1807 Location: The University of Maryland at College Park
Posted: Tue Mar 15, 2005 4:29 am Post subject:

The thing about REDIRECT is it implies you are talking about traffic to the firewall.

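The working rule in context, as an added example that is not code from the thread or from the Shorewall project: a policy and rules fragment for the single-box case discussed above. It assumes the net and fw zones from the thread, a net-to-fw DROP policy, and a loc zone for the local network (the loc zone and the policy lines are assumptions, not something Andersson posted).

```conf
# /etc/shorewall/policy (assumed, not from the thread): anything from
# the internet to the firewall that no rule allows is dropped and logged,
# which is what produces the dmesg entry the thread uses as a check.
#SOURCE  DEST  POLICY  LOG LEVEL
net      fw    DROP    info
fw       net   ACCEPT

# /etc/shorewall/rules (added example; "loc" zone is an assumption)
#ACTION   SOURCE  DEST  PROTO  DEST  SOURCE   ORIGINAL  RATE   USER/
#                              PORT  PORT(S)  DEST      LIMIT  GROUP
# Hosts on the local network keep using sshd on its real port, so no
# "-p 2222" is needed there.
ACCEPT    loc     fw    tcp    22
# REDIRECT always delivers to the firewall itself, so DEST carries only
# the local port (22) and DEST PORT is the port the internet client
# connected to (2222).  Putting "fw" in ORIGINAL DEST makes Shorewall
# hand iptables an address to resolve, hence "host/network `fw' not
# found" in the error Andersson posted.  Shorewall emits both the nat
# PREROUTING REDIRECT and the filter rule that admits the redirected
# connection, so no separate ACCEPT line is needed for it.
REDIRECT  net     22    tcp    2222
```

Whether a connection from the internet straight to port 22 is still dropped after this depends on the filter rule Shorewall generates for the REDIRECT, so verify both ports the way the thread does: an external scan of 22 and of 2222, then check dmesg for the logged drop.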
Gripp Tux's lil' helper
Joined: 02 Mar 2005 Posts: 99
Posted: Fri Mar 18, 2005 11:04 am Post subject:

Hmm.. of course everything I do has a catch, eh.
At the line

Code:
    /etc/init.d/shorewall start

I get:

Code:
    modprobe: Can't locate module ip_tables
    iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)

Then, after doing that several times, it gives me:

Code:
    /sbin/runscript.sh: line 532: 877 Terminated /sbin/shorewall start >/dev/null [ !! ]
    #$%^# root #

I have kernel 2.4.28-r7; looking at the portage description of it, 2.4 is what it needs.
And it does have loadable module support...
I just ran emerge --sync today.
The best I find in my kernel is "network packet filter (replaces IPTABLES)".
Any ideas?

Last edited by Gripp on Wed Mar 23, 2005 5:39 am; edited 1 time in total

trooper_ryan n00b
Joined: 07 Apr 2004 Posts: 74
Posted: Fri Mar 18, 2005 12:13 pm Post subject:

I'm being finicky, but perhaps the subject should not include the phrase "Personal firewall". This suggests an app that interacts with the user.
Got me all excited - bastards!

Sith_Happens Veteran
Joined: 15 Dec 2004 Posts: 1807 Location: The University of Maryland at College Park
Posted: Fri Mar 18, 2005 3:07 pm Post subject:

trooper_ryan wrote:
    This suggests an app that interacts with the user.

I think "personal firewall" represents a firewall for a standalone machine as opposed to a dedicated firewall for a network. Just so I know, what were you looking for as far as interactivity? A GUI? If that's the case maybe you should look into KMyFirewall. Personally, I think GUIs make it much more difficult to configure anything, but that's just me.

trooper_ryan n00b
Joined: 07 Apr 2004 Posts: 74
Posted: Sat Mar 19, 2005 12:08 am Post subject:

Sith_Happens wrote:
    I think "personal firewall" represents a firewall for a standalone machine as opposed to a dedicated firewall for a network. Just so I know, what were you looking for as far as interactivity?

Personal firewall products are generally desktop based and have a learning capability, e.g. if I initiate an FTP session the personal firewall will pop up a dialogue asking if FTP should be allowed temporarily or permanently.
I haven't seen any products like this for Linux, but on Windoze there are many examples: Tiny, ISS, ZoneAlarm etc.

Sith_Happens Veteran
Joined: 15 Dec 2004 Posts: 1807 Location: The University of Maryland at College Park
Posted: Sat Mar 19, 2005 2:25 am Post subject:

trooper_ryan wrote:
    Sith_Happens wrote:
        I think "personal firewall" represents a firewall for a standalone machine as opposed to a dedicated firewall for a network. Just so I know, what were you looking for as far as interactivity?

    Personal firewall products are generally desktop based and have a learning capability, e.g. if I initiate an FTP session the personal firewall will pop up a dialogue asking if FTP should be allowed temporarily or permanently.
    I haven't seen any products like this for Linux, but on Windoze there are many examples: Tiny, ISS, ZoneAlarm etc.

Well, the definition of a "personal firewall" is one which protects a single computer with one network connection. What you are looking for isn't so much a personal firewall as it is an "idiot firewall". In that case I would still suggest you take a look at KMyFirewall.