<3 Veteran
Joined: 21 Oct 2004 Posts: 1081
Posted: Fri Jan 31, 2014 12:52 pm Post subject: Any newb friendly firewalls?
I have been a Gentoo user for over 10 years and I've asked this question every so often, never to get a solid answer. I would like an easy-to-use firewall for my Gentoo setups. I've tried reading multiple iptables & shorewall configuration guides and none of them make any sense to me. So I'd like to ask again (maybe something has changed in 2014): does there exist any easy-to-set-up, newb-friendly Linux firewall software that an idiot like myself can use?

mrbassie l33t
Joined: 31 May 2013 Posts: 772 Location: over here
Posted: Fri Jan 31, 2014 3:34 pm Post subject:
Ubuntu's ufw (uncomplicated firewall) is in the portage tree; I've not yet been able to get it to work properly, however. Maybe you'll have better luck.

mv Watchman
Joined: 20 Apr 2005 Posts: 6747
Posted: Fri Jan 31, 2014 4:13 pm Post subject:
You might want to have a look at firewall-mv from the mv overlay, although one can of course always argue what is "simple". The default rules (especially blocking outgoing traffic) are likely to be too restrictive for you, so you must really look at the configuration.

PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Fri Jan 31, 2014 5:33 pm Post subject: Re: Any newb friendly firewalls?
Arch's wiki explains things pretty well.
Yes, iptables has a nasty learning curve, but you can play with it.

mv Watchman
Joined: 20 Apr 2005 Posts: 6747
Posted: Fri Jan 31, 2014 7:21 pm Post subject: Re: Any newb friendly firewalls?
PaulBredbury wrote:
> Yes, iptables has a nasty learning curve, but you can play with it

One must warn that it is a bad moment to start learning iptables: it seems that nftables is the upcoming replacement in the foreseeable future.

<3 Veteran
Joined: 21 Oct 2004 Posts: 1081
Posted: Fri Jan 31, 2014 11:21 pm Post subject:
mrbassie wrote:
> Ubuntu's ufw (uncomplicated firewall) is in the portage tree; I've not yet been able to get it to work properly, however. Maybe you'll have better luck.

Doesn't look like this ufw has been marked stable on any arch.

jonathan183 Guru
Joined: 13 Dec 2011 Posts: 318
Posted: Fri Jan 31, 2014 11:43 pm Post subject:
I used guarddog http://www.simonzone.com/software/guarddog/ but it got dropped a few years ago.
I tried ufw and iptables ... and I prefer iptables. So I use iptables; I'm far from an expert and I'm only doing some basic stuff like blocking incoming and allowing limited users access to limited ports for some egress protection ... but it's good enough for me.
If you have been using Gentoo for the last 10 years, what have you been using for a firewall configuration tool?

<3 Veteran
Joined: 21 Oct 2004 Posts: 1081
Posted: Sat Feb 01, 2014 7:40 am Post subject:
jonathan183 wrote:
> If you have been using Gentoo for the last 10 years, what have you been using for a firewall configuration tool?

That is the point: for the past 10 years I have used nothing, because I have not found _ANYTHING_ that is easy enough for me to understand. There really needs to be something easier than iptables for Linux systems.
It would be nice if someone wrote a generic shorewall config for the Gentoo wiki.

mv Watchman
Joined: 20 Apr 2005 Posts: 6747
Posted: Sat Feb 01, 2014 9:41 am Post subject:
jonathan183 wrote:
> I'm far from an expert and I'm only doing some basic stuff

The problem with this is that it is not really helpful against attackers if you do not know all the tricks hackers use: you get only protection against the tricks which you do know. As an example, as we just had recently, blocking icmp can even allow certain types of new attacks, so it can do more harm than be helpful if you do not understand fully what you are doing.
Blocking ports actually should not be necessary if you let your programs listen to only local ports (which is usually the default, but checking won't hurt).
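The "checking won't hurt" part can be made concrete. The following is an added example (my code, not mv's or anything from the thread): it parses the kernel's IPv4 socket table in /proc/net/tcp format and lists LISTEN sockets bound to anything other than loopback, which is exactly the set of services an inbound firewall would have to cover. The table embedded in the block is constructed for the example; check_listeners() reads the real file on a live box (IPv4 only; /proc/net/tcp6 uses a different address encoding and is not handled).

```python
import socket
import struct

LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp


def decode_addr(hexaddr):
    """Turn the kernel's 'IPHEX:PORTHEX' form into ('dotted', port).

    The IPv4 address is written as a little-endian 32-bit hex number,
    so 0100007F is 127.0.0.1 and the port is plain big-endian hex.
    """
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Yield (local_ip, local_port, state, uid) per socket row, skipping the header."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 8:
            continue
        ip, port = decode_addr(fields[1])
        yield ip, port, fields[3], int(fields[7])


def exposed_listeners(text):
    """Return sorted [(ip, port, uid)] for LISTEN sockets not bound to loopback.

    0.0.0.0 means 'every interface', which is the case worth noticing.
    """
    found = []
    for ip, port, state, uid in parse_proc_net_tcp(text):
        if state == LISTEN and not ip.startswith("127."):
            found.append((ip, port, uid))
    return sorted(found)


def check_listeners(path="/proc/net/tcp"):
    """Run the check against a live (IPv4 only) socket table."""
    with open(path) as fh:
        return exposed_listeners(fh.read())


# Constructed sample in /proc/net/tcp layout (not captured from a real host):
# CUPS on loopback only, sshd on every interface, rsyncd on the LAN address,
# and one established client connection that is not a listener at all.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0101A8C0:0369 00000000:0000 0A 00000000:00000000 00:00000000 00000000   250        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0101A8C0:C7A6 0101A8C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    for ip, port, uid in exposed_listeners(SAMPLE_PROC_NET_TCP):
        print(f"{ip}:{port} is listening for remote hosts (uid {uid})")
```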

i92guboj Bodhisattva
Joined: 30 Nov 2004 Posts: 10315 Location: Córdoba (Spain)
Posted: Sat Feb 01, 2014 10:13 am Post subject:
You can stop searching. There's only iptables. The rest are all frontends to it. That in turn means that at some point, even if you use one of these frontends, you will hit a showstopper that will force you to learn iptables to do something that the frontend at hand can't do.

Goverp Advocate
Joined: 07 Mar 2007 Posts: 2008
Posted: Sat Feb 01, 2014 12:05 pm Post subject:
I've used UFW for over three years on a couple of boxes. It's very easy and intuitive to configure, and there are GUI front-ends (I use kcm-ufw).
It used to be a bit of a pain, as it requires your kernel config to include many of the netfilter components (as modules or built-in). The current ebuilds check this and warn you if it's not right. (The same config requirements will apply to any firewall, 'cos as mentioned above they're all backed by iptables.)
You have to enable it thus:
```sh
rc-update add ufw boot
/etc/init.d/ufw start   # first time only
# configure your firewall; default is permit all outbound, deny any inbound
ufw enable
```

<3 Veteran
Joined: 21 Oct 2004 Posts: 1081
Posted: Sat Feb 01, 2014 12:23 pm Post subject:
As another poster previously stated, it's pointless for me to even try to learn iptables since it will soon be replaced by nftables.

666threesixes666 Veteran
Joined: 31 May 2011 Posts: 1248 Location: 42.68n 85.41w
Posted: Sat Feb 01, 2014 5:24 pm Post subject:
"only ip tables" - maybe we beef this up then? https://wiki.gentoo.org/wiki/Iptables
"nftable deprecation" - the wiki and other pages state that there will be compatibility layers to habituate you into the new format.
"nftables" - net-firewall/nftables: Linux kernel (3.13+) firewall, NAT and packet mangling tools
How new is your kernel? 3.13.1 is the latest stable vanilla sources. There is a 3.13 gentoo source also floating around. Maybe we start banging out the nftables wiki with Arch wiki guidance. https://wiki.archlinux.org/index.php/Nftables

jonathan183 Guru
Joined: 13 Dec 2011 Posts: 318
Posted: Sat Feb 01, 2014 9:26 pm Post subject:
mv wrote:
> jonathan183 wrote:
> > I'm far from an expert and I'm only doing some basic stuff
>
> The problem with this is that it is not really helpful against attackers if you do not know all the tricks hackers use: you get only protection against the tricks which you do know. As an example, as we just had recently, blocking icmp can even allow certain types of new attacks, so it can do more harm than be helpful if you do not understand fully what you are doing.
> Blocking ports actually should not be necessary if you let your programs listen to only local ports (which is usually the default, but checking won't hurt).

I'm not sure why you think I am making things worse with a firewall. I only allow access to the net for user accounts which need it: one account for email (access via claws-mail) or web-browsing. So programs can only access the net if they were started with my network access group; since I use IceWM that's easy to put in the toolbar, etc.
```
prog FireFox /etc/icewm/iechew.png sg my_net_group firefox
prog "Filezilla - FTP website management" /usr/share/icons/Mint-X/apps/48/filezilla.png sg my_net_group filezilla
prog "Claws Mail" /usr/share/icons/Mint-X/apps/48/evolution.png sg my_net_group claws-mail
```
I have included my firewall script below; if you could point out the parts which will make things worse than no firewall at all I'd appreciate it, so that I can fix them.
```bash
#!/bin/bash
### my firewall config using iptables
#
### use start or stop parameter
### internet access group name: don't use - in names
internet_access_group="my_net_group"
### where this is used with the gid-owner option the program should be started with sg to switch group to the net access group
### list of websurfer users
internet_websurfer_users='jonathan-websurfer'
### list of email users
internet_email_users='jonathan-email'
### list of filezilla users
internet_filezilla_users='jonathan-filezilla'
### note: iptables refuses a --log-prefix longer than 29 characters, so keep the prefixes short
if [ "$1" = "start" ]
then
    echo "Starting firewall ..."
    ##########################################
    ### Set default policies for chains - drop
    ##########################################
    ### default - drop all incoming
    sudo iptables -P INPUT DROP
    ### default - drop all forward
    sudo iptables -P FORWARD DROP
    ### default - drop all outgoing
    sudo iptables -P OUTPUT DROP
    ##########################################
    ### Setup loopback interface - allow
    ##########################################
    ### allow loopback input/output
    sudo iptables -A INPUT -i lo -p all -j ACCEPT
    sudo iptables -A OUTPUT -o lo -p all -j ACCEPT
    ##########################################
    ########### INPUT chain ##################
    ##########################################
    ### allow established connections
    # obsolete state match: sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # reject tcp and udp like no firewall is running
    sudo iptables -A INPUT -p tcp -j LOG --log-prefix "fw-in-tcp-reject "
    sudo iptables -A INPUT -p udp -j LOG --log-prefix "fw-in-udp-reject "
    sudo iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    sudo iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
    ### default: reject inputs (including icmp) if they have not matched the above rules
    sudo iptables -A INPUT -j LOG --log-prefix "fw-in-default-reject "
    sudo iptables -A INPUT -j REJECT
    ##########################################
    ### create new chains as needed ##########
    ##########################################
    ############################################################################
    ### first we have users with websurfer access - web browser users
    ############################################################################
    for websurfer_user in $internet_websurfer_users
    do
        # create chain
        sudo iptables -N ckpt_$websurfer_user
        # dns
        sudo iptables -A ckpt_$websurfer_user -d 192.168.1.1 -p udp --dport 53 -j ACCEPT
        # http
        sudo iptables -A ckpt_$websurfer_user -m owner --gid-owner $internet_access_group -p tcp --dport 80 -j ACCEPT
        # https
        sudo iptables -A ckpt_$websurfer_user -m owner --gid-owner $internet_access_group -p tcp --dport 443 -j ACCEPT
        ## for mocp internet radio ip=62.75.221.192 port=9106
        sudo iptables -A ckpt_$websurfer_user -m owner --gid-owner $internet_access_group -d 62.75.221.192 -p tcp --dport 9106 -j ACCEPT
        sudo iptables -A ckpt_$websurfer_user -m owner --gid-owner $internet_access_group -d 62.75.221.192 -p udp --dport 9106 -j ACCEPT
        # default drop
        sudo iptables -A ckpt_$websurfer_user -j LOG --log-prefix "fw-ckpt_$websurfer_user "
        sudo iptables -A ckpt_$websurfer_user -j DROP
    done
    ############################################################################
    ### now we have users with email access - claws-mail users
    ############################################################################
    for email_user in $internet_email_users
    do
        # create chain
        sudo iptables -N ckpt_$email_user
        # dns
        sudo iptables -A ckpt_$email_user -d 192.168.1.1 -p udp --dport 53 -j ACCEPT
        ## for claws-mail
        # pop port 995
        sudo iptables -A ckpt_$email_user -m owner --gid-owner $internet_access_group -p tcp --dport 995 -j ACCEPT
        sudo iptables -A ckpt_$email_user -m owner --gid-owner $internet_access_group -p udp --dport 995 -j ACCEPT
        # smtp port 465
        sudo iptables -A ckpt_$email_user -m owner --gid-owner $internet_access_group -p tcp --dport 465 -j ACCEPT
        sudo iptables -A ckpt_$email_user -m owner --gid-owner $internet_access_group -p udp --dport 465 -j ACCEPT
        # default drop
        sudo iptables -A ckpt_$email_user -j LOG --log-prefix "fw-ckpt_$email_user "
        sudo iptables -A ckpt_$email_user -j DROP
    done
    ############################################################################
    ### now we have users with filezilla access
    ############################################################################
    for filezilla_user in $internet_filezilla_users
    do
        # create chain
        sudo iptables -N ckpt_$filezilla_user
        # dns
        sudo iptables -A ckpt_$filezilla_user -d 192.168.1.1 -p udp --dport 53 -j ACCEPT
        ## for filezilla - need to change ports
        # pop port 995
        sudo iptables -A ckpt_$filezilla_user -m owner --gid-owner $internet_access_group -p tcp --dport 995 -j ACCEPT
        sudo iptables -A ckpt_$filezilla_user -m owner --gid-owner $internet_access_group -p udp --dport 995 -j ACCEPT
        # smtp port 465
        sudo iptables -A ckpt_$filezilla_user -m owner --gid-owner $internet_access_group -p tcp --dport 465 -j ACCEPT
        sudo iptables -A ckpt_$filezilla_user -m owner --gid-owner $internet_access_group -p udp --dport 465 -j ACCEPT
        # default drop
        sudo iptables -A ckpt_$filezilla_user -j LOG --log-prefix "fw-ckpt_$filezilla_user "
        sudo iptables -A ckpt_$filezilla_user -j DROP
    done
    ############################################################################
    ############################################################################
    ### chain check_port_root ##############
    # create chain
    sudo iptables -N check_port_root
    # dns
    sudo iptables -A check_port_root -d 192.168.1.1 -p udp --dport 53 -j ACCEPT
    # rsync
    sudo iptables -A check_port_root -p tcp --dport 873 -j ACCEPT
    # rkhunter updates DST=216.34.181.96
    sudo iptables -A check_port_root -d 216.34.181.96 -p tcp --dport 80 -j ACCEPT
    sudo iptables -A check_port_root -d 216.34.181.96 -p udp --dport 80 -j ACCEPT
    # default drop
    sudo iptables -A check_port_root -j LOG --log-prefix "fw-check_port_root "
    sudo iptables -A check_port_root -j DROP
    ############################################################################
    ############################################################################
    ### chain check_port_portage ##############
    # create chain
    sudo iptables -N check_port_portage
    # dns
    sudo iptables -A check_port_portage -d 192.168.1.1 -p udp --dport 53 -j ACCEPT
    # rsync
    sudo iptables -A check_port_portage -p tcp --dport 873 -j ACCEPT
    # ftp
    sudo iptables -A check_port_portage -p tcp --dport 21 -j ACCEPT
    sudo iptables -A check_port_portage -p tcp --dport 20 -j ACCEPT
    # ftp on port 80 - http port
    sudo iptables -A check_port_portage -p tcp --dport 80 -j ACCEPT
    # default drop (must go on this chain, not check_port_root, or portage traffic falls through)
    sudo iptables -A check_port_portage -j LOG --log-prefix "fw-check_port_portage "
    sudo iptables -A check_port_portage -j DROP
    ############################################################################
    ############################################################################
    ### chain check_port_clamav ####
    # create chain
    sudo iptables -N check_port_clamav
    # dns
    sudo iptables -A check_port_clamav -d 192.168.1.1 -p udp --dport 53 -j ACCEPT
    # http
    sudo iptables -A check_port_clamav -p tcp --dport 80 -j ACCEPT
    # https
    sudo iptables -A check_port_clamav -p tcp --dport 443 -j ACCEPT
    # default drop (chain name must match the one created above)
    sudo iptables -A check_port_clamav -j LOG --log-prefix "fw-check_port_clamav "
    sudo iptables -A check_port_clamav -j DROP
    ############################################################################
    ############################################################################
    ### chain check_port_unmatched ##############
    ### this chain is for users without a corresponding matching table
    # create chain
    sudo iptables -N check_port_unmatched
    # dns
    sudo iptables -A check_port_unmatched -d 192.168.1.1 -p udp --dport 53 -j ACCEPT
    # ftp - this is needed for emerge to work (should work on portage user but does not for some reason)
    sudo iptables -A check_port_unmatched -m conntrack --ctproto tcp --ctorigdstport 21 -j ACCEPT
    sudo iptables -A check_port_unmatched -m conntrack --ctstatus EXPECTED -j ACCEPT
    # default drop
    sudo iptables -A check_port_unmatched -j LOG --log-prefix "fw-check_port_unmatched "
    sudo iptables -A check_port_unmatched -j DROP
    ############################################################################
    ############################################################
    ### end new chains
    ############################################################
    ##########################################
    ########### OUTPUT chain #################
    ##########################################
    ### allow established connections
    sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # log all new output connections being made
    sudo iptables -A OUTPUT -m conntrack --ctstate NEW -j LOG --log-prefix "fw-new-output "
    # only enable next rule on a temporary basis - no egress protection
    # sudo iptables -A OUTPUT -m conntrack --ctstate NEW -j ACCEPT
    ### Now lets match specific users and check port numbers in their own chain
    for websurfer_user in $internet_websurfer_users
    do
        sudo iptables -A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner $websurfer_user -j ckpt_$websurfer_user
    done
    for email_user in $internet_email_users
    do
        sudo iptables -A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner $email_user -j ckpt_$email_user
    done
    # the filezilla chains are only reached if something jumps to them
    for filezilla_user in $internet_filezilla_users
    do
        sudo iptables -A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner $filezilla_user -j ckpt_$filezilla_user
    done
    sudo iptables -A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner root -j check_port_root
    sudo iptables -A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner portage -j check_port_portage
    sudo iptables -A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner clamav -j check_port_clamav
    ### unmatched users default check port numbers chain
    sudo iptables -A OUTPUT -m conntrack --ctstate NEW -j check_port_unmatched
    ### default drop outputs if they have not matched the above rules
    sudo iptables -A OUTPUT -j LOG --log-prefix "fw-out-default-drop "
    sudo iptables -A OUTPUT -j DROP
    # check for filter for dropping spoof packets
    # echo "Check values are 1 to drop spoof packets"
    # cat /proc/sys/net/ipv4/conf/wlan0/rp_filter
    # cat /proc/sys/net/ipv4/conf/eth0/rp_filter
    ### output firewall config info
    # sudo iptables -v -L
elif [ "$1" = "stop" ]
then
    echo "Stopping firewall ..."
    sudo iptables -F INPUT
    sudo iptables -P INPUT ACCEPT
    sudo iptables -F FORWARD
    sudo iptables -P FORWARD ACCEPT
    sudo iptables -F OUTPUT
    sudo iptables -P OUTPUT ACCEPT
    ### flush and remove my chains
    for websurfer_user in $internet_websurfer_users
    do
        sudo iptables -F ckpt_$websurfer_user
        sudo iptables -X ckpt_$websurfer_user
    done
    for email_user in $internet_email_users
    do
        sudo iptables -F ckpt_$email_user
        sudo iptables -X ckpt_$email_user
    done
    for filezilla_user in $internet_filezilla_users
    do
        sudo iptables -F ckpt_$filezilla_user
        sudo iptables -X ckpt_$filezilla_user
    done
    sudo iptables -F check_port_root
    sudo iptables -X check_port_root
    sudo iptables -F check_port_portage
    sudo iptables -X check_port_portage
    sudo iptables -F check_port_clamav
    sudo iptables -X check_port_clamav
    sudo iptables -F check_port_unmatched
    sudo iptables -X check_port_unmatched
    ### dont forget to add new chains here
    ### output firewall config info
    # sudo iptables -v -L
else
    echo " You have not selected a valid action - no firewall changes made ! "
    echo
    echo " use ./myfirewall.sh start"
    echo
    echo " or"
    echo
    echo " use ./myfirewall.sh stop"
    echo
    echo " to start or stop the firewall as needed ;-)"
fi
```
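As an added example (my code, not jonathan183's or anything posted in the thread), the following script lints a ruleset in iptables-save format for the kind of chain-wiring slip that is easy to make in a hand-written script like the one above: a rule appended to a chain that was never created (iptables refuses it, so the chain quietly loses its final DROP), a chain that is created but nothing ever jumps to, and a chain whose last rule is conditional so traffic can fall through to the caller. The embedded dump is constructed to model those mistakes; pass the path of a real `iptables-save` output (the ufw dump Fitzcarraldo posts further down works too) to run it on your own rules.

```python
import shlex
import sys

# Targets that are not user-defined chains (the filter-table subset that matters here).
KNOWN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "NFLOG", "MARK"}
# Targets that finish the packet's walk through the current chain.
TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN"}


def parse_filter_table(text):
    """Return (chains, rules) for the *filter table of an iptables-save dump.

    chains maps name -> policy ("-" marks a user-defined chain);
    rules is a list of (chain, match_tokens, target) in file order.
    """
    chains, rules, in_filter = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):  # table header such as *filter or *nat
            in_filter = line == "*filter"
            continue
        if not in_filter:
            continue
        if line.startswith(":"):  # chain declaration ":NAME POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            chains[name] = policy
            continue
        toks = shlex.split(line)
        if toks[:1] != ["-A"]:
            continue
        # iptables-save writes the matches first, then "-j TARGET [target options]"
        j = toks.index("-j") if "-j" in toks else len(toks)
        target = toks[j + 1] if j + 1 < len(toks) else None
        rules.append((toks[1], toks[2:j], target))
    return chains, rules


def lint(text):
    """Return a dict of findings; every value is a sorted list of chain names."""
    chains, rules = parse_filter_table(text)
    user_chains = {name for name, policy in chains.items() if policy == "-"}
    jumped_to = {target for _, _, target in rules if target}
    by_chain = {}
    for chain, matches, target in rules:
        by_chain.setdefault(chain, []).append((matches, target))

    # "-A foo" without a ":foo - [0:0]" line: iptables rejects such a rule at load time
    undeclared = {chain for chain in by_chain if chain not in chains}
    bad_jump = {t for t in jumped_to if t not in chains and t not in KNOWN_TARGETS}
    orphan = user_chains - jumped_to  # created, but no rule ever jumps to it
    fallthrough = set()
    for chain in user_chains:
        rules_here = by_chain.get(chain, [])
        # closed only when the final rule has no match options and a terminal target
        if not rules_here or rules_here[-1][0] or rules_here[-1][1] not in TERMINAL:
            fallthrough.add(chain)
    return {
        "undeclared": sorted(undeclared),
        "bad_jump": sorted(bad_jump),
        "orphan": sorted(orphan),
        "fallthrough": sorted(fallthrough),
    }


# Constructed sample modelled on the script above, not a real dump. It carries
# three of that script's slips: a DROP appended to a chain that was never created,
# a filezilla chain nothing jumps to, and a clamav chain with no closing DROP.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:ckpt_jonathan-websurfer - [0:0]
:ckpt_jonathan-filezilla - [0:0]
:check_port_clamav - [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A ckpt_jonathan-websurfer -m owner --gid-owner my_net_group -p tcp --dport 443 -j ACCEPT
-A ckpt_jonathan-websurfer -j LOG --log-prefix "fw-ckpt "
-A ckpt_jonathan-websurfer -j DROP
-A ckpt_jonathan-filezilla -p tcp --dport 21 -j ACCEPT
-A ckpt_jonathan-filezilla -j DROP
-A check_port_clamav -p tcp --dport 80 -j ACCEPT
-A check_port_websurfer -j DROP
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner jonathan-websurfer -j ckpt_jonathan-websurfer
-A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner clamav -j check_port_clamav
-A OUTPUT -j DROP
COMMIT
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for kind, names in lint(text).items():
        for name in names:
            print(f"{kind}: {name}")
```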

mv Watchman
Joined: 20 Apr 2005 Posts: 6747
Posted: Sun Feb 02, 2014 5:56 pm Post subject:
666threesixes666 wrote:
> "nftable deprecation" - the wiki and other pages state that there will be compatibility layers to habituate you into the new format.

One cannot rely on that: currently "most"(TM) functionality is provided, but it is some sort of emulation mode, and the interface has a rather different syntax. I have not looked at the details yet, but it seems that in nftables some things should "natively" be done differently. The emulation mode (even if it does work, which for some enhanced iptables functionality might be only for a limited time, since it appears that the "emulation" of some such features is to call the old iptables code in the kernel) is certainly less optimal than if you set up the bytecode directly.

mv Watchman
Joined: 20 Apr 2005 Posts: 6747
Posted: Sun Feb 02, 2014 6:13 pm Post subject:
jonathan183 wrote:
> I'm not sure why you think I am making things worse with a firewall

I didn't say that you make it worse, but it is possible to make it worse if one makes some mistakes. I have currently no time to look at your code and also do not remember the URL posted in some recent discussion. You might want to google for "blocking icmp harmful": I remember there were some attacks possible with packets broken up in several parts if these parts are not put together correctly due to wrong blocking. Also, not all spoofing can be detected automatically by the kernel. E.g. if you know that through some interfaces you should only get certain IP ranges, you should check for these. To get a safe setup you should know that such spoofing is a possible attack method. Probably there are other such examples which I do not remember at the moment.

<3 Veteran
Joined: 21 Oct 2004 Posts: 1081
Posted: Tue Feb 11, 2014 11:28 am Post subject:
So I guess that means there aren't any newb friendly GNU/Linux firewalls.

PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Tue Feb 11, 2014 11:50 am Post subject:
jonathan183 wrote:
> sudo iptables
> sudo again
> sudo some more

The whole script should be run as root, without having to run sudo a hundred times.

Fitzcarraldo Advocate
Joined: 30 Aug 2008 Posts: 2034 Location: United Kingdom
Posted: Tue Feb 11, 2014 1:34 pm Post subject:
<3 wrote:
> So I guess that means there aren't any newb friendly GNU/Linux firewalls

I'm not so sure about that. I agree with Goverp, UFW is about as beginner-friendly as you're going to get. I've been using it for four years or so on a few laptops. My main laptop runs KDE so I use the KConfig Module kcm-ufw, which is a nice GUI front-end. My other laptops run Xfce, so on those I use ufw-frontends, which is also a nice GUI front-end. You can see screenshots of the GUIs on the respective Web sites. The installation of a front-end does not preclude you using the command line instead, if you want.
Example 1:
To access Samba shares on my laptop from a Windows PC, I launched the ufw-frontends GUI and added the rule:
General
  Direction: In
  Action: Allow
  Protocol: Any
  Logging: Off
Source
  Address: Custom 192.168.1.0/24
  Port: Any
Destination
  Address: Any
  Port: Application CIFS
and now the list of rules reported by ufw includes:
```
# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
137,138/udp (CIFS)         ALLOW IN    192.168.1.0/24
139,445/tcp (CIFS)         ALLOW IN    192.168.1.0/24
```
N.B. My router uses 192.168.1.0/24 as the internal IP address range for my home network. Your router may use a different internal address range, so check in your router's User Guide or its Web configuration page and modify your rule accordingly if necessary.
Example 2:
Yesterday I installed KDE Connect on my Android phone and my main laptop running KDE. The KDE Connect developers wrote that ports 1714 to 1764 need to be open for TCP and UDP in order to allow the two devices to communicate. Adding the required firewall rules via the KDE GUI (System Settings > Firewall) was a piece of cake, but I also tried it via the command line to check both approaches:
```
# # Open the ports for TCP:
# ufw allow proto tcp to any port 1714:1764
# # Open the ports for UDP:
# ufw allow proto udp to any port 1714:1764
#
# # Now check that the rules look correct:
#
# ufw status verbose | grep 1714
1714:1764/tcp              ALLOW IN    Anywhere
1714:1764/udp              ALLOW IN    Anywhere
1714:1764/tcp              ALLOW IN    Anywhere (v6)
1714:1764/udp              ALLOW IN    Anywhere (v6)
```
Firewalls are inherently complicated. UFW may not be perfect, but at least it allows me to set up some protection without spending hours grappling with something more complicated.
KDE:
```
# emerge ufw kcm-ufw
```
Other DE:
```
# emerge ufw ufw-frontends
```
In all cases, as Goverp wrote:
```
# rc-update add ufw boot
# /etc/init.d/ufw start   # To start for first time.
# # Configure your firewall via the GUI or command line (default is: permit all outbound, deny any inbound).
# # Now enable the firewall:
# ufw enable
```
DuckDuckGo will find you some decent 'How To' articles on the Web, since UFW is installed with Ubuntu and is therefore widely used.
```
# ufw --help
# man ufw
```

PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Tue Feb 11, 2014 4:11 pm Post subject:
Fitzcarraldo wrote:
> ufw enable

Can you then run iptables-save and see what it's produced in iptables? Anything interesting there?

1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Tue Feb 11, 2014 4:15 pm Post subject:
I've tried ufw on Ubuntu, and quickly went back to iptables.
I have some objections to a dumbed-down firewall:
- They leave a lot of functionality out, and some of that functionality is stuff I want to use.
- They hide what's really happening.
- It all comes down to the same thing in the end.
- You need to understand what's being blocked and why, and what's being passed and why.
- Once you get there, the syntax for iptables and Cisco and whatever else you might try isn't so complicated anymore.

Marlo Veteran
Joined: 26 Jul 2003 Posts: 1591
Posted: Tue Feb 11, 2014 5:34 pm Post subject:
Thank you 666threesixes666,
the link was really helpful.
Ma

Fitzcarraldo Advocate
Joined: 30 Aug 2008 Posts: 2034 Location: United Kingdom
Posted: Tue Feb 11, 2014 10:28 pm Post subject:
PaulBredbury wrote:
> Fitzcarraldo wrote:
> > ufw enable
>
> Can you then run iptables-save and see what it's produced in iptables? Anything interesting there?

```
# iptables-save
# Generated by iptables-save v1.4.21 on Tue Feb 11 22:26:10 2014
*filter
:INPUT DROP [53:2084]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [7:328]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -s 192.168.1.0/24 -p udp -m multiport --dports 137,138 -m comment --comment "\'dapp_CIFS\'" -j ACCEPT
-A ufw-user-input -s 192.168.1.0/24 -p tcp -m multiport --dports 139,445 -m comment --comment "\'dapp_CIFS\'" -j ACCEPT
-A ufw-user-input -p tcp -m multiport --dports 1714:1764 -j ACCEPT
-A ufw-user-input -p udp -m multiport --dports 1714:1764 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Tue Feb 11 22:26:10 2014
```
```
# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
137,138/udp (CIFS)         ALLOW IN    192.168.1.0/24
139,445/tcp (CIFS)         ALLOW IN    192.168.1.0/24
1714:1764/tcp              ALLOW IN    Anywhere
1714:1764/udp              ALLOW IN    Anywhere
1714:1764/tcp              ALLOW IN    Anywhere (v6)
1714:1764/udp              ALLOW IN    Anywhere (v6)
```

SirRobin2318 Apprentice
Joined: 24 Apr 2004 Posts: 241 Location: Strasbourg, France
Posted: Wed Feb 12, 2014 8:50 pm Post subject:
Until nftables becomes a thing, try firehol.
This is what a config looks like:
```
server_devweb_ports="tcp/8000"
client_devweb_ports="any"

interface eth0 internet
    protection strong
    server ping accept
    server devweb accept
    server http accept
    server https accept
    server ssh accept with recent SSH 60 10
    # kolab:
    server ldap accept
    server ldaps accept
    server smtp accept
    server smtps accept
    server submission accept
    server pop3 accept
    server pop3s accept
    server imap accept
    server imaps accept
    client all accept
    server all drop

interface eth1 priv
    client all accept
    server all accept
```

666threesixes666 Veteran
Joined: 31 May 2011 Posts: 1248 Location: 42.68n 85.41w
Posted: Sat Feb 15, 2014 4:45 am Post subject:
https://wiki.gentoo.org/wiki/Ufw
I basically found all the snags of ufw and posted a wiki stub; I'm leaving it as a stub until I get more frontend data going in sub pages.
ufw-frontends, yeah... I have them working, but I know there are more from the Wikipedia article or something I saw of it a few days ago while I was arranging all of this.