Gentoo Forums
Forum Index: Networking & Security
Any newb friendly firewalls?
<3 (Veteran; joined 21 Oct 2004; posts: 1081)
Posted: Fri Jan 31, 2014 12:52 pm    Post subject: Any newb friendly firewalls?

I have been a Gentoo user for over 10 years and I've asked this question every so often, never to get a solid answer. I would like an easy-to-use firewall for my Gentoo setups. I've tried reading multiple iptables & shorewall configuration guides and none of them make any sense to me. So I'd like to ask again (maybe something has changed in 2014): does there exist any easy to set up, newb friendly Linux firewall software that an idiot like myself can use?
mrbassie (l33t; joined 31 May 2013; posts: 771; location: over here)
Posted: Fri Jan 31, 2014 3:34 pm

Ubuntu's ufw (uncomplicated firewall) is in the portage tree, I've not yet been able to get it to work properly however. Maybe you'll have better luck.
mv (Watchman; joined 20 Apr 2005; posts: 6747)
Posted: Fri Jan 31, 2014 4:13 pm

You might want to have a look at firewall-mv from the mv overlay, although one can of course always argue what is "simple". The default rules (especially blocking outgoing traffic) are likely to be too restrictive for you so you must really look at the configuration.
PaulBredbury (Watchman; joined 14 Jul 2005; posts: 7310)
Posted: Fri Jan 31, 2014 5:33 pm    Post subject: Re: Any newb friendly firewalls?

Arch's wiki explains things pretty well.

Yes, iptables has a nasty learning curve, but you can play with it ;)
mv (Watchman; joined 20 Apr 2005; posts: 6747)
Posted: Fri Jan 31, 2014 7:21 pm    Post subject: Re: Any newb friendly firewalls?

PaulBredbury wrote:
Yes, iptables has a nasty learning curve, but you can play with it

One must warn that it is a bad moment to start learning iptables: it seems that nftables is the upcoming replacement in the foreseeable future.
<3 (Veteran; joined 21 Oct 2004; posts: 1081)
Posted: Fri Jan 31, 2014 11:21 pm

mrbassie wrote:
Ubuntu's ufw (uncomplicated firewall) is in the portage tree, I've not yet been able to get it to work properly however. Maybe you'll have better luck.
Doesn't look like this ufw has been marked stable on any arch.
jonathan183 (Guru; joined 13 Dec 2011; posts: 318)
Posted: Fri Jan 31, 2014 11:43 pm

I used guarddog http://www.simonzone.com/software/guarddog/ but it got dropped a few years ago.
I tried ufw and iptables ... and I prefer iptables. So I use iptables. I'm far from an expert and I'm only doing some basic stuff like blocking incoming and allowing limited users access to limited ports for some egress protection ... but it's good enough for me.

If you have been using Gentoo for the last 10 years what have you been using for a firewall configuration tool?
<3 (Veteran; joined 21 Oct 2004; posts: 1081)
Posted: Sat Feb 01, 2014 7:40 am

jonathan183 wrote:
If you have been using Gentoo for the last 10 years what have you been using for a firewall configuration tool?
That is the point: for the past 10 years I have used nothing, because I have not found _ANYTHING_ that is easy enough for me to understand. There really needs to be something easier than iptables for Linux systems.

It would be nice if someone wrote a generic shorewall config for the Gentoo wiki.
mv (Watchman; joined 20 Apr 2005; posts: 6747)
Posted: Sat Feb 01, 2014 9:41 am

jonathan183 wrote:
I'm far from an expert and I'm only doing some basic stuff

The problem with this is that it is not really helpful against attackers if you do not know all the tricks hackers use: you get only protection against the tricks which you do know. As an example, as we just had recently, blocking icmp can even allow certain types of new attacks, so it can do more harm than be helpful if you do not understand fully what you are doing.
Blocking ports actually should not be necessary if you let your programs listen to only local ports (which is usually the default, but checking
Code:
netstat -tulpe
won't hurt).
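To turn mv's check into something repeatable, here is an added example (not code from the thread) that reads the text of `netstat -tulpn` or `ss -tulpn` and lists the sockets bound to anything other than loopback, which are the ones a port filter would otherwise have to cover. The two listings embedded in it are constructed, and the column layout it assumes is the default one those two tools print.

```python
"""Find listening sockets that other hosts can reach.

Added example, not from the thread. Parses `netstat -tulpn` or
`ss -tulpn` output; both samples below are constructed, not captured.
"""
import ipaddress

# Constructed sample in netstat -tulpn layout (assumed column order).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1234/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      987/sshd
tcp6       0      0 :::445                  :::*                    LISTEN      2201/smbd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1500/master
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1777/avahi-daemon
udp        0      0 192.168.1.10:123        0.0.0.0:*                           1600/ntpd
"""

# Constructed sample in ss -tulpn layout (the State column comes second).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*         users:(("dhcpcd",pid=700,fd=6))
tcp   LISTEN 0      128    [::1]:5432        [::]:*            users:(("postgres",pid=800,fd=5))
tcp   LISTEN 0      4096   *:8080            *:*               users:(("java",pid=900,fd=30))
"""


def exposure(host):
    """Classify a bound address as 'loopback', 'all' (wildcard) or 'address'."""
    host = host.strip("[]").split("%")[0]      # ss brackets IPv6; drop any scope id
    if host in ("", "*"):
        return "all"
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:                    # 0.0.0.0 or ::
        return "all"
    return "address"


def parse_listeners(text):
    """Return (proto, host, port, program, exposure) for every socket line."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue                           # header, banner or blank line
        # ss puts State before the local address; netstat puts it after.
        local = f[4] if f[1] in ("LISTEN", "UNCONN") else f[3]
        host, _, port = local.rpartition(":")  # rpartition keeps IPv6 colons intact
        rows.append((f[0], host, port, f[-1], exposure(host)))
    return rows


def exposed_listeners(text):
    """Sockets reachable from other hosts, i.e. not bound to loopback only."""
    return [row for row in parse_listeners(text) if row[4] != "loopback"]


if __name__ == "__main__":
    for sample in (SAMPLE_NETSTAT, SAMPLE_SS):
        for proto, host, port, prog, exp in exposed_listeners(sample):
            print(f"{proto:5} {host:>15}:{port:<6} {exp:8} {prog}")
```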
i92guboj (Bodhisattva; joined 30 Nov 2004; posts: 10315; location: Córdoba (Spain))
Posted: Sat Feb 01, 2014 10:13 am

You can stop searching. There's only iptables. The rest are all frontends to it. That in turn means that at some point, even if you use one of these frontends, you will hit a showstopper that will force you to learn iptables to do something that the frontend at hand can't do.
Goverp (Veteran; joined 07 Mar 2007; posts: 1972)
Posted: Sat Feb 01, 2014 12:05 pm

I've used UFW for over three years on a couple of boxes. It's very easy and intuitive to configure, and there are GUI front-ends (I use kcm-ufw).

It used to be a bit of a pain, as it requires your kernel config to include many of the netfilter components (as modules or built-in). The current ebuilds check this and warn you if it's not right. (The same config requirements will apply to any firewall, 'cos as mentioned above they're all backed by iptables.)

You have to enable it thus:
Code:
rc-update add ufw boot
<first time, /etc/init.d/ufw start>
<configure your firewall; default is permit all outbound, deny any inbound>
ufw enable

_________________
Greybeard
<3 (Veteran; joined 21 Oct 2004; posts: 1081)
Posted: Sat Feb 01, 2014 12:23 pm

As another poster previously stated, it's pointless for me to even try to learn iptables since it will soon be replaced by nftables.
666threesixes666 (Veteran; joined 31 May 2011; posts: 1248; location: 42.68n 85.41w)
Posted: Sat Feb 01, 2014 5:24 pm

"only iptables" Maybe we beef this up then? https://wiki.gentoo.org/wiki/Iptables
"nftables deprecation" The wiki and other pages state that there will be compatibility layers to habituate you into the new format.
"nftables" net-firewall/nftables Linux kernel (3.13+) firewall, NAT and packet mangling tools

How new is your kernel? 3.13.1 is the latest stable vanilla sources. There is a 3.13 Gentoo source also floating around. Maybe we start banging out the nftables wiki with Arch wiki guidance. https://wiki.archlinux.org/index.php/Nftables
jonathan183 (Guru; joined 13 Dec 2011; posts: 318)
Posted: Sat Feb 01, 2014 9:26 pm

mv wrote:
jonathan183 wrote:
I'm far from an expert and I'm only doing some basic stuff

The problem with this is that it is not really helpful against attackers if you do not know all the tricks hackers use: you get only protection against the tricks which you do know. As an example, as we just had recently, blocking icmp can even allow certain types of new attacks, so it can do more harm than be helpful if you do not understand fully what you are doing.
Blocking ports actually should not be necessary if you let your programs listen to only local ports (which is usually the default, but checking
Code:
netstat -tulpe
won't hurt).


I'm not sure why you think I am making things worse with a firewall. I only allow access to the net for user accounts which need it, one account for email (access via claws-mail) or web browsing. So programs can only access the net if they were started with my network access group; since I use IceWM, that's easy to put in the toolbar etc.
Code:
prog FireFox /etc/icewm/iechew.png sg my_net_group firefox
prog "Filezilla - FTP website management" /usr/share/icons/Mint-X/apps/48/filezilla.png sg my_net_group filezilla
prog "Claws Mail" /usr/share/icons/Mint-X/apps/48/evolution.png sg my_net_group claws-mail

I have included my firewall script below - if you could point out the parts which will make things worse than no firewall at all I'd appreciate it so that I can fix them 8)

Code:

#!/bin/bash
### my firewall config using iptables
#
### use start or stop parameter

### parameter for internet access group name dont use - in names
internet_access_group="my_net_group"
### where this is used with gid-owner option the program should be started with sg to switch group to net access group

### list of websurfer users
internet_websurfer_users='jonathan-websurfer'

### list of email users
internet_email_users='jonathan-email'

### list of filezilla users
internet_filezilla_users='jonathan-filezilla'


if [ "$1" = "start" ]
then
   echo "Starting firewall ..."

   ##########################################
   ### Set default policies for chains - drop
   ##########################################

   ### default - drop all incomming
   sudo iptables -P INPUT DROP

   ### default - drop all forward
   sudo iptables -P FORWARD DROP

   ### default - drop all outgoing
   sudo iptables -P OUTPUT DROP

   ##########################################
   ### Setup loopback interface - allow
   ##########################################

   ### allow loopback input/output
   sudo iptables -A INPUT -i lo -p all -j ACCEPT
   sudo iptables -A OUTPUT -o lo -p all -j ACCEPT

   ##########################################
   ########### INPUT chain ##################
   ##########################################

   ### allow established connections
   # obsolete "state" match, kept for reference: sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
   sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

   # reject tcp and udp like no firewall is running
   sudo iptables -A INPUT -p tcp -j LOG --log-prefix myfwall-in-chain-tcp-reject-rule
   sudo iptables -A INPUT -p udp -j LOG --log-prefix myfwall-in-chain-udp-reject-rule
   sudo iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
   sudo iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

   ### default drop inputs if they have not matched the above rules
   sudo iptables -A INPUT -j LOG --log-prefix myfwall-in-chain-default-rej-last-rule-in-chain
   sudo iptables -A INPUT -j REJECT

   ##########################################
   ### create new chains as needed ##########
   ##########################################

   ############################################################################
   ### first we have users with websurfer access - web browser users
   ############################################################################
   
   for websurfer_user in $internet_websurfer_users
   do

      # create chain
      sudo iptables -N ckpt_$websurfer_user
      # dns
      sudo iptables -A ckpt_$websurfer_user -d 192.168.1.1 -p udp --dport 53 -j ACCEPT
      # http
      sudo iptables -A ckpt_$websurfer_user -m owner --gid-owner $internet_access_group -p tcp --dport 80 -j ACCEPT
      # https
      sudo iptables -A ckpt_$websurfer_user -m owner --gid-owner $internet_access_group -p tcp --dport 443 -j ACCEPT

      ## for mocp internet radio ip=62.75.221.192 port=9106
      sudo iptables -A ckpt_$websurfer_user -m owner --gid-owner $internet_access_group -d 62.75.221.192 -p tcp --dport 9106 -j ACCEPT
      sudo iptables -A ckpt_$websurfer_user -m owner --gid-owner $internet_access_group -d 62.75.221.192 -p udp --dport 9106 -j ACCEPT

      # default drop
      sudo iptables -A ckpt_$websurfer_user -j LOG --log-prefix myfwall-ckpt_$websurfer_user
      sudo iptables -A ckpt_$websurfer_user -j DROP
   done

   ############################################################################
   ### now we have users with email access - claws-mail users
   ############################################################################

   for email_user in $internet_email_users
   do

      # create chain
      sudo iptables -N ckpt_$email_user
      # dns
      sudo iptables -A ckpt_$email_user -d 192.168.1.1 -p udp --dport 53 -j ACCEPT
   
      ## for claws-mail
      # pop port 995
      sudo iptables -A ckpt_$email_user -m owner --gid-owner $internet_access_group -p tcp --dport 995 -j ACCEPT
      sudo iptables -A ckpt_$email_user -m owner --gid-owner $internet_access_group -p udp --dport 995 -j ACCEPT
      # smtp port 465
      sudo iptables -A ckpt_$email_user -m owner --gid-owner $internet_access_group -p tcp --dport 465 -j ACCEPT
      sudo iptables -A ckpt_$email_user -m owner --gid-owner $internet_access_group -p udp --dport 465 -j ACCEPT

      # default drop
      sudo iptables -A ckpt_$email_user -j LOG --log-prefix myfwall-ckpt_$email_user
      sudo iptables -A ckpt_$email_user -j DROP
   done

   ############################################################################
   ### now we have users with filezilla access
   ############################################################################

   for filezilla_user in $internet_filezilla_users
   do

      # create chain
      sudo iptables -N ckpt_$filezilla_user
      # dns
      sudo iptables -A ckpt_$filezilla_user -d 192.168.1.1 -p udp --dport 53 -j ACCEPT
   
      ## for filezilla - need to change ports
      # pop port 995
      sudo iptables -A ckpt_$filezilla_user -m owner --gid-owner $internet_access_group -p tcp --dport 995 -j ACCEPT
      sudo iptables -A ckpt_$filezilla_user -m owner --gid-owner $internet_access_group -p udp --dport 995 -j ACCEPT
      # smtp port 465
      sudo iptables -A ckpt_$filezilla_user -m owner --gid-owner $internet_access_group -p tcp --dport 465 -j ACCEPT
      sudo iptables -A ckpt_$filezilla_user -m owner --gid-owner $internet_access_group -p udp --dport 465 -j ACCEPT

      # default drop
      sudo iptables -A ckpt_$filezilla_user -j LOG --log-prefix myfwall-ckpt_$filezilla_user
      sudo iptables -A ckpt_$filezilla_user -j DROP
   done

   ############################################################################

   ############################################################################
   ### chain check_port_root ##############

   # create chain
   sudo iptables -N check_port_root
   # dns
   sudo iptables -A check_port_root -d 192.168.1.1 -p udp --dport 53 -j ACCEPT
   # rsync
   sudo iptables -A check_port_root -p tcp --dport 873 -j ACCEPT
   
   # rkhunter updates DST=216.34.181.96
   sudo iptables -A check_port_root -d 216.34.181.96 -p tcp --dport 80 -j ACCEPT
   sudo iptables -A check_port_root -d 216.34.181.96 -p udp --dport 80 -j ACCEPT


   # default drop
   sudo iptables -A check_port_root -j LOG --log-prefix myfwall-check_port_root
   sudo iptables -A check_port_root -j DROP
   ############################################################################

   ############################################################################
   ### chain check_port_portage ##############

   # create chain
   sudo iptables -N check_port_portage
   # dns
   sudo iptables -A check_port_portage -d 192.168.1.1 -p udp --dport 53 -j ACCEPT
   # rsync
   sudo iptables -A check_port_portage -p tcp --dport 873 -j ACCEPT
   # ftp
   sudo iptables -A check_port_portage -p tcp --dport 21 -j ACCEPT
   sudo iptables -A check_port_portage -p tcp --dport 20 -j ACCEPT
   # ftp on port 80 - http port
   sudo iptables -A check_port_portage -p tcp --dport 80 -j ACCEPT

   # default drop (this chain's own rules, not check_port_root's)
   sudo iptables -A check_port_portage -j LOG --log-prefix myfwall-check_port_portage
   sudo iptables -A check_port_portage -j DROP
   ############################################################################

   ############################################################################
   ### chain check_port_clamav ####

   # create chain
   sudo iptables -N check_port_clamav
   # dns
   sudo iptables -A check_port_clamav -d 192.168.1.1 -p udp --dport 53 -j ACCEPT
   # http
   sudo iptables -A check_port_clamav -p tcp --dport 80 -j ACCEPT
   # https
   sudo iptables -A check_port_clamav -p tcp --dport 443 -j ACCEPT

   # default drop (chain name must match the one created above)
   sudo iptables -A check_port_clamav -j LOG --log-prefix myfwall-check_port_clamav
   sudo iptables -A check_port_clamav -j DROP
   ############################################################################

   ############################################################################
   ### chain check_port_unmatched ##############
   ### this chain is for users without a corresponding matching table

   # create chain
   sudo iptables -N check_port_unmatched
   # dns
   sudo iptables -A check_port_unmatched -d 192.168.1.1 -p udp --dport 53 -j ACCEPT
   # ftp - this is needed for emerge to work (should work on portage user but does not for some reason)
   sudo iptables -A check_port_unmatched -m conntrack --ctproto tcp --ctorigdstport 21 -j ACCEPT
   sudo iptables -A check_port_unmatched -m conntrack --ctstatus EXPECTED -j ACCEPT

   # default drop
   sudo iptables -A check_port_unmatched -j LOG --log-prefix myfwall-check_port_unmatched
   sudo iptables -A check_port_unmatched -j DROP
   ############################################################################


   ############################################################
   ### end new chains
   ############################################################


   ##########################################
   ########### OUTPUT chain #################
   ##########################################

   ### allow established connections
   sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

   # log all new output connections being made
   sudo iptables -A OUTPUT -m conntrack --ctstate NEW -j LOG --log-prefix myfwall-new-output

   # only enable next rule on a temporary basis - no egress protection
   # sudo iptables -A OUTPUT -m conntrack --ctstate NEW -j ACCEPT

   ### Now lets match specific users and check port numbers in their own chain
   
   for websurfer_user in $internet_websurfer_users
   do
      sudo iptables -A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner $websurfer_user -j ckpt_$websurfer_user
   done

   for email_user in $internet_email_users
   do
      sudo iptables -A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner $email_user -j ckpt_$email_user
   done

   # filezilla users get their own chain too (created above, so it must be jumped to here)
   for filezilla_user in $internet_filezilla_users
   do
      sudo iptables -A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner $filezilla_user -j ckpt_$filezilla_user
   done

   sudo iptables -A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner root -j check_port_root
   sudo iptables -A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner portage -j check_port_portage
   sudo iptables -A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner clamav -j check_port_clamav

   ### unmatched users default check port numbers chain
   sudo iptables -A OUTPUT -m conntrack --ctstate NEW -j check_port_unmatched

   ### default drop inputs if they have not matched the above rules
   sudo iptables -A OUTPUT -j LOG --log-prefix myfwall-output-chain-default-drop-last-rule-in-chain
   sudo iptables -A OUTPUT -j DROP

   # check for filter for dropping spoof packets
#   echo "Check values are 1 to drop spoof packets"
#   cat /proc/sys/net/ipv4/conf/wlan0/rp_filter
#   cat /proc/sys/net/ipv4/conf/eth0/rp_filter

   ### output firewall config info
#   sudo iptables -v -L

elif [ "$1" = "stop" ]
then
   echo "Stopping firewall ..."
   ### reset all three built-in chains, including FORWARD which start set to DROP
   sudo iptables -F INPUT
   sudo iptables -P INPUT ACCEPT
   sudo iptables -F FORWARD
   sudo iptables -P FORWARD ACCEPT
   sudo iptables -F OUTPUT
   sudo iptables -P OUTPUT ACCEPT

   ### flush and remove my chains

   for websurfer_user in $internet_websurfer_users
   do
      sudo iptables -F ckpt_$websurfer_user
      sudo iptables -X ckpt_$websurfer_user
   done

   for email_user in $internet_email_users
   do
      sudo iptables -F ckpt_$email_user
      sudo iptables -X ckpt_$email_user
   done

   for filezilla_user in $internet_filezilla_users
   do
      sudo iptables -F ckpt_$filezilla_user
      sudo iptables -X ckpt_$filezilla_user
   done


   sudo iptables -F check_port_root
   sudo iptables -X check_port_root
   sudo iptables -F check_port_portage
   sudo iptables -X check_port_portage
   sudo iptables -F check_port_clamav
   sudo iptables -X check_port_clamav
   sudo iptables -F check_port_unmatched
   sudo iptables -X check_port_unmatched
   ### dont forget to add new chains here

   ### output firewall config info
#   sudo iptables -v -L

elif [ "$1" = "" ]
then
   echo " You have not selected anything - no firewall changes made ! "
   echo
   echo "    use ./myfirewall.sh start"
   echo
   echo "       or"
   echo
   echo "    use ./myfirewall.sh stop"
   echo
   echo " to start or stop the firewall as needed ;-)"

fi


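Copy-paste slips are easy to make in a script like the one above (a chain's default DROP appended to a different chain, a chain that is created but nothing jumps to, a rule placed after an unconditional DROP) and hard to see in the script itself, but easy to check in the resulting ruleset, which is what iptables-save prints. The checker below is an added example, not code from the thread: it parses iptables-save format, so it can run over `iptables-save` output or over a restore file before loading it; the dump embedded in it is constructed to mirror the per-user egress layout, and every chain and user name in it is made up. Chains that intentionally fall through to RETURN (ufw's own chains, for instance) will show as "no-default-rule", which is informational there.

```python
"""Lint iptables-save / iptables-restore text for chain wiring slips.

Added example, not code from the thread. The dump below is constructed
to mirror the per-user egress layout; chain and user names are made up.
"""
import re

TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN"}
# Targets that are not user chains: terminating ones plus common extensions.
NON_CHAIN_TARGETS = TERMINAL | {"LOG", "NFLOG", "MARK", "CONNMARK", "MASQUERADE",
                                "SNAT", "DNAT", "REDIRECT", "TCPMSS", "NFQUEUE"}
JUMP_RE = re.compile(r"(?:^|\s)(?:-j|--jump)\s+(\S+)")

SAMPLE_DUMP = """\
# constructed sample in iptables-save format (not a real capture)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:ckpt_alice-web - [0:0]
:ckpt_alice-ftp - [0:0]
:check_port_root - [0:0]
:check_port_portage - [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner alice-web -j ckpt_alice-web
-A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner root -j check_port_root
-A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner portage -j check_port_portage
-A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner clamav -j check_port_clamav
-A OUTPUT -j DROP
-A ckpt_alice-web -d 192.168.1.1/32 -p udp -m udp --dport 53 -j ACCEPT
-A ckpt_alice-web -p tcp -m tcp --dport 443 -j ACCEPT
-A ckpt_alice-web -j LOG --log-prefix "fw-ckpt_alice-web "
-A ckpt_alice-web -j DROP
-A ckpt_alice-ftp -p tcp -m tcp --dport 21 -j ACCEPT
-A ckpt_alice-ftp -j DROP
-A check_port_root -p tcp -m tcp --dport 873 -j ACCEPT
-A check_port_root -j DROP
-A check_port_root -j LOG --log-prefix "fw-check_port_portage "
-A check_port_root -j DROP
-A check_port_portage -p tcp -m tcp --dport 873 -j ACCEPT
COMMIT
"""


def parse_dump(text):
    """Return ({chain: policy}, [(chain, rule body, jump target)])."""
    chains, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":"):                 # ":NAME POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]  # policy is "-" for user chains
            chains[name] = policy
        elif line.startswith("-A "):
            chain, _, body = line[3:].partition(" ")
            m = JUMP_RE.search(body)
            rules.append((chain, body.strip(), m.group(1) if m else None))
    return chains, rules


def is_unconditional(body):
    """True when the rule has no match clauses, i.e. it starts with the jump."""
    parts = body.split()
    return bool(parts) and parts[0] in ("-j", "--jump")


def lint(text):
    """Return (kind, chain, detail) findings for the wiring mistakes above."""
    chains, rules = parse_dump(text)
    findings, by_chain = [], {}
    for chain, body, target in rules:
        by_chain.setdefault(chain, []).append((body, target))
        if target and target not in chains and target not in NON_CHAIN_TARGETS:
            # A loaded table cannot contain this (iptables refuses the rule), but
            # it is exactly the slip a restore file or rule script can carry.
            findings.append(("undefined-target", chain, target))
    referenced = {t for _, _, t in rules if t}
    for chain, policy in chains.items():
        if policy != "-":
            continue                              # built-in chains have policies
        own = by_chain.get(chain, [])
        if chain not in referenced:
            findings.append(("unreferenced-chain", chain, "nothing jumps here"))
        if not own or not (is_unconditional(own[-1][0]) and own[-1][1] in TERMINAL):
            findings.append(("no-default-rule", chain, "falls through to RETURN"))
        for i, (body, target) in enumerate(own[:-1]):
            if is_unconditional(body) and target in TERMINAL:
                findings.append(("unreachable-rule", chain, own[i + 1][0]))
                break
    return findings


if __name__ == "__main__":
    for kind, chain, detail in lint(SAMPLE_DUMP):
        print(f"{kind:18} {chain:20} {detail}")
```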
mv (Watchman; joined 20 Apr 2005; posts: 6747)
Posted: Sun Feb 02, 2014 5:56 pm

666threesixes666 wrote:
"nftable deprecation" the wiki and other pages state that there will be compatibility layers to habituate you into the new format.

One cannot rely on that: currently "most"(TM) functionality is provided, but it is some sort of emulation mode, and the interface has a rather different syntax. I have not looked at the details yet, but it seems that in nftables some things should "natively" be done differently - the emulation mode (even if it does work, which for some enhanced iptables functionality might be only for a limited time, since it appears that the "emulation" of some such features is to call the old iptables code in the kernel) is certainly less optimal than if you set up the bytecode directly.
mv (Watchman; joined 20 Apr 2005; posts: 6747)
Posted: Sun Feb 02, 2014 6:13 pm

jonathan183 wrote:
I'm not sure why you think I am making things worse with a firewall

I didn't say that you make it worse, but it is possible to make it worse if one makes some mistakes. I currently have no time to look at your code and also do not remember the URL posted in some recent discussion. You might want to google for "blocking icmp harmful": I remember there were some attacks possible with packets broken up into several parts if these parts are not put together correctly due to wrong blocking. Also, not all spoofing can be detected automatically by the kernel. E.g. if you know that through some interfaces you should only get certain IP ranges, you should check for these. To get a safe setup you should know that such spoofing is a possible attack method. Probably there are other such examples which I do not remember at the moment.
<3 (Veteran; joined 21 Oct 2004; posts: 1081)
Posted: Tue Feb 11, 2014 11:28 am

So I guess that means there aren't any newb friendly GNU/Linux firewalls.
PaulBredbury (Watchman; joined 14 Jul 2005; posts: 7310)
Posted: Tue Feb 11, 2014 11:50 am

jonathan183 wrote:
sudo iptables
sudo again
sudo some more

The whole script should be run as root, without having to run sudo a hundred times ;)
Fitzcarraldo (Advocate; joined 30 Aug 2008; posts: 2034; location: United Kingdom)
Posted: Tue Feb 11, 2014 1:34 pm

<3 wrote:
So I guess that means there aren't any newb friendly GNU/Linux firewalls

I'm not so sure about that. I agree with Goverp, UFW is about as beginner-friendly as you're going to get. I've been using it for four years or so on a few laptops. My main laptop runs KDE so I use the KConfig Module kcm-ufw, which is a nice GUI front-end. My other laptops run Xfce, so on those I use ufw-frontends, which is also a nice GUI front-end. You can see screenshots of the GUIs on the respective Web sites. The installation of a front-end does not preclude you using the command line instead, if you want.

Example 1:

To access Samba shares on my laptop from a Windows PC, I launched the ufw-frontends GUI and added the rule:

General
Direction: In
Action: Allow
Protocol: Any
Logging: Off

Source
Address: Custom 192.168.1.0/24
Port: Any

Destination
Address: Any
Port: Application CIFS

and now the list of rules reported by ufw includes:

Code:
# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
137,138/udp (CIFS)         ALLOW IN    192.168.1.0/24
139,445/tcp (CIFS)         ALLOW IN    192.168.1.0/24

N.B. My router uses 192.168.1.0/24 as the internal IP address range for my home network. Your router may use a different internal address range, so check in your router's User Guide or its Web configuration page and modify your rule accordingly if necessary.

Example 2:

Yesterday I installed KDE Connect on my Android phone and my main laptop running KDE. The KDE Connect developers wrote that ports 1714 to 1764 need to be open for TCP and UDP in order to allow the two devices to communicate. Adding the required firewall rules via the KDE GUI (System Settings > Firewall) was a piece of cake, but I also tried it via the command line to check both approaches:

Code:
# # Open the ports for TCP:
# ufw allow proto tcp to any port 1714:1764
# # Open the ports for UDP:
# ufw allow proto udp to any port 1714:1764
#
# # Now check that the rules look correct:
#
# ufw status verbose | grep 1714
1714:1764/tcp ALLOW IN Anywhere
1714:1764/udp ALLOW IN Anywhere
1714:1764/tcp ALLOW IN Anywhere (v6)
1714:1764/udp ALLOW IN Anywhere (v6)


Firewalls are inherently complicated. UFW may not be perfect, but at least it allows me to set up some protection without spending hours grappling with something more complicated.

KDE:
Code:
# emerge ufw kcm-ufw


Other DE:
Code:
# emerge ufw ufw-frontends

In all cases, as Goverp wrote:

Code:
# rc-update add ufw boot
# /etc/init.d/ufw start # To start for first time.
# # Configure your firewall via the GUI or command line (default is: permit all outbound, deny any inbound).
# # Now enable the firewall:
# ufw enable

DuckDuckGo will find you some decent 'How To' articles on the Web, since UFW is installed with Ubuntu and is therefore widely used.

Code:
# ufw --help
# man ufw

_________________
Clevo W230SS: amd64, VIDEO_CARDS="intel modesetting nvidia".
Compal NBLB2: ~amd64, xf86-video-ati. Dual boot Win 7 Pro 64-bit.
OpenRC udev elogind & KDE on both.

Fitzcarraldo's blog
PaulBredbury (Watchman; joined 14 Jul 2005; posts: 7310)
Posted: Tue Feb 11, 2014 4:11 pm

Fitzcarraldo wrote:
ufw enable

Can you then run iptables-save and see what it's produced in iptables? Anything interesting there?
1clue (Advocate; joined 05 Feb 2006; posts: 2569)
Posted: Tue Feb 11, 2014 4:15 pm

I've tried ufw on Ubuntu, and quickly went back to iptables.

I have some objections to a dummied down firewall:

  1. They leave a lot of functionality out, and some of that functionality is stuff I want to use.
  2. They hide what's really happening
  3. It all comes down to the same thing in the end.
  4. You need to understand what's being blocked and why, and what's being passed and why.
  5. Once you get there, the syntax for iptables and cisco and whatever else you might try isn't so complicated anymore.
Marlo (Veteran; joined 26 Jul 2003; posts: 1591)
Posted: Tue Feb 11, 2014 5:34 pm

666threesixes666 wrote:
... https://wiki.archlinux.org/index.php/Nftables

Thank you 666threesixes666,
the link was really helpful.
Ma
_________________
------------------------------------------------------------------
http://radio.garden/
Fitzcarraldo (Advocate; joined 30 Aug 2008; posts: 2034; location: United Kingdom)
Posted: Tue Feb 11, 2014 10:28 pm

PaulBredbury wrote:
Fitzcarraldo wrote:
ufw enable

Can you then run iptables-save and see what it's produced in iptables? Anything interesting there?


Code:
# iptables-save
# Generated by iptables-save v1.4.21 on Tue Feb 11 22:26:10 2014
*filter
:INPUT DROP [53:2084]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [7:328]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -s 192.168.1.0/24 -p udp -m multiport --dports 137,138 -m comment --comment "\'dapp_CIFS\'" -j ACCEPT
-A ufw-user-input -s 192.168.1.0/24 -p tcp -m multiport --dports 139,445 -m comment --comment "\'dapp_CIFS\'" -j ACCEPT
-A ufw-user-input -p tcp -m multiport --dports 1714:1764 -j ACCEPT
-A ufw-user-input -p udp -m multiport --dports 1714:1764 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Tue Feb 11 22:26:10 2014

Code:
# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
137,138/udp (CIFS)         ALLOW IN    192.168.1.0/24
139,445/tcp (CIFS)         ALLOW IN    192.168.1.0/24
1714:1764/tcp              ALLOW IN    Anywhere
1714:1764/udp              ALLOW IN    Anywhere
1714:1764/tcp              ALLOW IN    Anywhere (v6)
1714:1764/udp              ALLOW IN    Anywhere (v6)

_________________
Clevo W230SS: amd64, VIDEO_CARDS="intel modesetting nvidia".
Compal NBLB2: ~amd64, xf86-video-ati. Dual boot Win 7 Pro 64-bit.
OpenRC udev elogind & KDE on both.

Fitzcarraldo's blog
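To see how a packet actually travels through the ufw chains in the dump above (INPUT jumps into ufw-before-input, which hands user rules to ufw-user-input, then into ufw-after-input, where the CIFS ports are short-circuited to the policy via ufw-skip-to-policy-input), here is an added Python tracer that is not from the thread or from ufw; it evaluates a constructed subset of those rules, and the ":INPUT DROP" policy and the packet fields are assumptions.

```python
import ipaddress, shlex
# Constructed subset of the iptables-save dump quoted above (chains an inbound TCP
# packet reaches; "-m comment" matches dropped). ":INPUT DROP" is assumed here.
RULES = """
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-skip-to-policy-input -j DROP
-A ufw-user-input -s 192.168.1.0/24 -p tcp -m multiport --dports 139,445 -j ACCEPT
-A ufw-user-input -p tcp -m multiport --dports 1714:1764 -j ACCEPT
"""
POLICY, TERMINAL = "DROP", {"ACCEPT", "DROP", "REJECT"}

def parse(text):  # chain name -> [(match args, jump target)] in rule order
    chains = {}
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        j = tok.index("-j")
        chains.setdefault(tok[1], []).append((tok[2:j], tok[j + 1]))
    return chains

def port_match(spec, port):  # '139,445' (multiport), '1714:1764' (range) or one port
    return any(int(lo) <= port <= int(hi or lo)
               for lo, _, hi in (p.partition(":") for p in spec.split(",")))

def matches(args, pkt):
    it = iter(args)
    for opt in it:
        val = next(it)  # every option this subset uses takes exactly one value
        if not {"-m": lambda: True,  # the module name alone matches nothing
                "-p": lambda: val == pkt["proto"],
                "-s": lambda: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(val),
                "--dport": lambda: port_match(val, pkt["dport"]),
                "--dports": lambda: port_match(val, pkt["dport"]),
                "--ctstate": lambda: pkt["ctstate"] in val.split(",")}[opt]():
            return False
    return True

def walk(chains, chain, pkt):  # terminal verdict, or None on fall-through (RETURN)
    for args, target in chains.get(chain, []):
        if matches(args, pkt):
            v = target if target in TERMINAL else walk(chains, target, pkt)
            if v:
                return v
    return None

def verdict(chains, pkt):  # walk INPUT, then fall back to the chain policy
    return walk(chains, "INPUT", pkt) or POLICY
```

A new SMB connection from outside 192.168.1.0/24 is dropped by ufw-after-input before the policy is ever consulted, while port 22 from anywhere only falls through to the DROP policy.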
SirRobin2318
Apprentice

Joined: 24 Apr 2004
Posts: 241
Location: Strasbourg, France.

PostPosted: Wed Feb 12, 2014 8:50 pm    Post subject:

Until nftables becomes a thing, try firehol.
This is what a config looks like:

Code:
server_devweb_ports="tcp/8000"
client_devweb_ports="any"


interface eth0 internet
        protection strong
        server ping accept
        server devweb accept
        server http accept
        server https accept
        server ssh accept with recent SSH 60 10
        # kolab:
        server ldap accept
        server ldaps accept
        server smtp accept
        server smtps accept
        server submission accept
        server pop3 accept
        server pop3s accept
        server imap accept
        server imaps accept
        client all accept
        server all drop

interface eth1 priv
        client all accept
        server all accept
666threesixes666
Veteran

Joined: 31 May 2011
Posts: 1248
Location: 42.68n 85.41w

PostPosted: Sat Feb 15, 2014 4:45 am    Post subject:

https://wiki.gentoo.org/wiki/Ufw

I basically found all the snags of ufw and posted a wiki stub; I'm leaving it as a stub until I get more frontend data going in sub pages.

ufw-frontends, yeah... I have them working, but I know there are more from the Wikipedia article or something I saw of it a few days ago while I was arranging all of this.