SirRobin2318 Apprentice
Joined: 24 Apr 2004 Posts: 241 Location: Strasbourg, France.
Posted: Mon Feb 17, 2014 9:59 am
This post got me into giving nftables a spin.
You'll need a 3.13 kernel. Way less of a pain than iptables, this is what I'm using (not the same machine as the firehol config):
Code:
    table firewall {
        chain incoming {
            type filter hook input priority 0;
            # bad tcp -> avoid network scanning:
            tcp flags & (fin|syn) == (fin|syn) drop
            tcp flags & (syn|rst) == (syn|rst) drop
            tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) drop # == 0 would be better, not supported yet.
            tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) drop
            # no ping floods:
            ip protocol icmp limit rate 10/second accept
            ip protocol icmp drop
            ct state {established, related} accept
            ct state invalid drop
            # loopback interface
            iifname lo accept
            # avoid brute force on ssh:
            tcp dport {ssh} limit rate 15/minute accept
            reject
        }
    }
    table ip6 firewall {
        chain incoming {
            type filter hook input priority 0;
            # bad tcp:
            tcp flags & (fin|syn) == (fin|syn) drop
            tcp flags & (syn|rst) == (syn|rst) drop
            tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) drop # == 0 would be better, not supported yet.
            tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) drop
            # no ping floods:
            ip6 nexthdr icmpv6 limit rate 10/second accept
            ip6 nexthdr icmpv6 drop
            ct state {established, related} accept
            ct state invalid counter drop
            # loopback interface
            iifname lo accept
            # avoid brute force on ssh:
            tcp dport {ssh} limit rate 15/minute accept
            reject
        }
    }
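As an added example (not part of SirRobin2318's post or the nftables project), here is a small Python model of the four "bad tcp" rules in the ruleset above: it applies each rule's mask and comparison to a TCP flags byte, so you can see which flag combinations the chain drops and which fall through to the later rules, and it checks that the `< (fin)` workaround is exactly `== 0` because fin is the lowest flag bit. The flag bit values and the sample packets are constructed for this illustration.

```python
# Added example: a model of the "bad tcp" rules from the ruleset above.
# It reproduces nft's "tcp flags & MASK OP VALUE" matching in plain Python;
# it does not talk to nftables itself.

# Flag bit values as they sit in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# ECN bits are outside the six-flag mask used in the ruleset.
ECE, CWR = 0x40, 0x80
ALL = FIN | SYN | RST | PSH | ACK | URG

# (mask, operator, value), in the order the ruleset lists them.
BAD_TCP_RULES = [
    (FIN | SYN, "==", FIN | SYN),   # syn+fin together: never legitimate
    (SYN | RST, "==", SYN | RST),   # syn+rst together: never legitimate
    (ALL, "<", FIN),                # no flags at all ("null" probe); see lt_fin_equals_zero()
    (ALL, "==", FIN | PSH | URG),   # fin+psh+urg only ("xmas" probe)
]

def rule_matches(flags, rule):
    """Evaluate one rule the way nft does: mask the flags, then compare."""
    mask, op, value = rule
    masked = flags & mask
    if op == "==":
        return masked == value
    if op == "<":
        return masked < value
    raise ValueError("unsupported operator: " + op)

def verdict(flags):
    """'drop' if any bad-tcp rule matches; 'continue' means the packet
    reaches the later rules (ct state, ssh rate limit, final reject)."""
    for rule in BAD_TCP_RULES:
        if rule_matches(flags, rule):
            return "drop"
    return "continue"

def lt_fin_equals_zero():
    """The poster uses '< (fin)' because '== 0' was unsupported. Because fin
    is bit 0, 'masked < 1' is exactly 'masked == 0'; check all 64 combos."""
    return all(((f & ALL) < FIN) == ((f & ALL) == 0) for f in range(ALL + 1))

# Constructed sample packets: a normal handshake and data transfer ...
NORMAL = {"syn": SYN, "syn-ack": SYN | ACK, "ack": ACK, "psh-ack": PSH | ACK,
          "fin-ack": FIN | ACK, "ecn-syn": SYN | ECE | CWR}
# ... and the probe-style combinations the rules are aimed at.
PROBES = {"null": 0, "xmas": FIN | PSH | URG, "syn-fin": SYN | FIN, "syn-rst": SYN | RST}

def classify(samples):
    """Map each sample name to the verdict the bad-tcp rules give it."""
    return {name: verdict(flags) for name, flags in samples.items()}

if __name__ == "__main__":
    print(classify(NORMAL), classify(PROBES), lt_fin_equals_zero())
```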
<3 Veteran
Joined: 21 Oct 2004 Posts: 1081
Posted: Fri Feb 21, 2014 6:41 am
Thank you 666threesixes666 for taking the time to put up a Gentoo wiki page. I have not tried your installation yet, but is there nothing to configure? I don't see anything in your wiki post pertaining to configuration.
666threesixes666 Veteran
Joined: 31 May 2011 Posts: 1248 Location: 42.68n 85.41w
Posted: Fri Feb 21, 2014 6:50 am
I'm not done with it..... I got sidetracked with fail2ban and auto-banning clowns trying to hack my VPS.
Simply put, emerge ufw-frontends, then look in your menus for firewall manager....
xfce4 says it's pkexec /usr/sbin/ufw-gtk
or as root
ufw-gtk....
If you can handle ZoneAlarm you can handle ufw-gtk.. ultra easy, I'm working on fail2ban integration & scripts behind the curtain.
There are KDE front ends for ufw too but I don't play that...
@SirRobin2318: WOW... you're making me wish the 3.13.x branch worked well on this laptop. That kernel branch is so slow it's unusable.
I also posted an nftables wiki with just links, including the one you used. https://wiki.gentoo.org/wiki/Nftables
@ Firewall Builder, I hit their request line with ufw support to generate configs for ufw on local / remote installs.
http://upload.wikimedia.org/wikipedia/commons/3/37/Wikipedia-lolcat.jpg
<3 Veteran
Joined: 21 Oct 2004 Posts: 1081
Posted: Sat Mar 22, 2014 8:36 am
Hey 666threesixes666, I wanted to follow up on this post and ask you again to post your ufw configuration, as ufw has absolutely no firewall rules by default and running a firewall with no rules is pointless. Also, I don't know much about networking, so I am unsure what port I should be blocking. Also, portage has the package ufw-frontends for a nice frontend for ufw.
666threesixes666 Veteran
Joined: 31 May 2011 Posts: 1248 Location: 42.68n 85.41w