Pietinger's Privoxy and "Personal Firewall" Guide
Ralphred
Guru

Joined: 31 Dec 2013
Posts: 470

Posted: Wed May 19, 2021 3:28 am    Post subject: Pietinger's Privoxy and "Personal Firewall" Guide

Translated from pietinger's post in German here.
Even in the "wrong language for me" it was easier to follow than the nebulous info searches returned

(This post is part of an installation guide. If you haven't already done so, please read: Installation Guide for Paranoid Dummies )

B.1 Firewall and proxy server (iptables / privoxy)

Most people "only" use a firewall to protect themselves from "outside". This makes sense in any case and is usually necessary. Yes, today's (private) DSL routers also have a FW integrated, which is usually already activated by default. You can see this quickly when you look at the log of your own FW and don't see a single DROP for days, although we all know how many port scans are running continuously. Only - I don't trust a TeleKom Huawei key. In addition, the configuration for protection against the evil Internet is still the simplest part, even if you have to open one or two ports for a server.

Very few use a FW to protect themselves from the enemy "inside" - programs that want to "call home". In this post I will provide the necessary configuration steps for both. But I'll start with the proxy server. Why? Because then the FW is configured in such a way that only the proxy is allowed to visit external web pages. In other words, every program that tries to access the Internet directly via port 80 or 443 is rejected (and logged). The proxy itself can also log all of the pages it visits. There are different proxy servers; I've been using the "Privoxy" for years - because it's simple and only does what I want: to protect myself a little from bad websites. If you want a different proxy (like the squid), use this one. But without a proxy, all of the filtering of outgoing traffic makes no sense, because a "bad" program can then get out via port 443 at any time and you will not notice it. Without a proxy, your FW only protects you from traffic from the Internet.

I. Install and configure Privoxy
See also: https://wiki.gentoo.org/wiki/Privoxy
Code:
# emerge -avD privoxy
# rc-update add privoxy default
# nano -w /etc/env.d/99myproxy
=>
export http_proxy="http://127.0.0.1:8118"
export https_proxy="http://127.0.0.1:8118"
<=
# env-update
# grep privoxy /etc/passwd
-> note the privoxy UID for later

Unfortunately, privoxy is very tame and forgiving with its default configuration. No wonder: only the lowest level of filtering is active. Therefore it has to be made more "aggressive" (at least slightly angry). To do this, a part of the file /etc/privoxy/default.action must be copied to the /etc/privoxy/match-all.action file.
Code:
grep "# Medium settings" -B2 -A59 /etc/privoxy/default.action | sed '/^[+{}a-z]/s/\(.*\)/#\1/g' >> /etc/privoxy/match-all.action

If you now look at /etc/privoxy/match-all.action, you will see the default settings, with the Medium settings and Advanced settings commented out underneath. Comment/uncomment the settings of your choice (at least medium).

Now you can/should activate the logging, which is also completely switched off by default in /etc/privoxy/config (search for "The available debug levels are" and the debug [number] lines underneath to set the "log-level").
If you plan to have a blacklist of sites you want blocked, search for "actionsfile user.action" and add your own "actionsfile blacklist.action" underneath it. Don't forget to
Code:
touch /etc/privoxy/blacklist.action
after saving.

Finished. Privoxy can be started immediately with "/etc/init.d/privoxy start".


II. Install and configure iptables

This is a little more effort. First you should have ALL the FW modules enabled in the kernel (and of course also compiled). Commonly, you can only get to all of them when the following is set:
Code:
Networking support> Networking options> Network packet filtering framework (Netfilter)
[*] Advanced netfilter configuration


And it's these "hidden options" that we will need later:
Code:
Networking support> Networking options> Network packet filtering framework (Netfilter)> Core Netfilter Configuration
[M] "owner" match support
[M] "state" match support


How does our firewall work? Very simple: everything is forbidden unless expressly allowed. If you do not operate a server, incoming traffic is only let through when packets belong to an already existing connection; anything that wants to establish a new, unsolicited connection will be dropped. As I said, the easiest part.

Unfortunately, we want to call outside as well. We have to allow all of this individually. But don't panic, it's not that much either, as most of it runs through our Privoxy. What else do we need? DNS, email, possibly SSH.

One more word on the subject of "script that activates the FW rules". Some demonize this approach because it is said (under certain circumstances) to be absolutely unsafe. Yes, but not in this - simple - case that I use. If everything is locked first and then, little by little, some things are unlocked, aborting a script (due to typing errors or missing kernel module, for example) is not critical because then nothing is unlocked anymore. If it breaks off at the beginning in the variable definition, the previous FW configuration does not change at all. Oh yes, another hint: /etc/init.d/iptables itself backs up the FW config and loads it automatically when booting. This means that the script only has to be executed once; or run again when you change/add something.

So, let's start now. First, as always, a link:
https://wiki.gentoo.org/wiki/Iptables
Code:
# emerge -avD iptables
- gather some information for needed services; eg ping your email provider
- search for your used DNS server in ->
# less /etc/resolv.conf
- search for your used NTP server in ->
# less /etc/conf.d/ntp-client
- ping all of them to get their IP address
# cd /etc/MY
# nano -w fwrules-big.sh
! copy/paste from below and edit some variables
! if you are unsure comment out some lines with #
- save and exit
# chmod 0700 fwrules-big.sh
# ./fwrules-big.sh
- check whether there was an error, then check your new config with ->
# iptables -L -v -n
- don't wait until the next shutdown; save the config right now with:
# /etc/init.d/iptables save
# rc-update add iptables default
OPT:
# rc-update add sshd default
# lsmod
-> write down the used modules (you already know this from A.2)


Before you use this skeleton, you should at least read the meaning of certain parameters with "man iptables" ... and check every single line (you are certainly using different servers than me). Also read what the difference between DROP and REJECT is ...
Code:

#!/bin/sh
#
# 2017.02.10: Initial FireWall-Script for: big
# 2017.02.15: allow out server wesnoth game
#

### Defines ###

# define general logging
logit="-j LOG --log-prefix "

# define privoxy uid from /etc/passwd
privoxy_uid="--uid-owner [number]"

# change this [number] TO YOUR UID

# define addresses
ip_gw="192.168.2.1"        # My DSL router
ip_dns1="a.b.c.d"          # free dns-server1: xxxxxx
ip_dns2="a.b.c.d"          # free dns-server2: xxxxxx
ip_ntp="192.53.103.108"    # time-server: ptbtime1.ptb.de
ip_hal="192.168.2.3"       # local Notebook hal
ip_guest="192.168.2.101"   # if Notebook boots with dhcp
#ip_dnssec1="185.95.218.42" # free dns-server: digital society (CH)
#ip_dnssec2="185.95.218.43" # free dns-server: digital society (CH)


### Basic Settings ###

iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT


### Firewall In ###

# accept some ICMP (or comment out if not desired)
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT

# accept SSH IN from notebook hal without logging
iptables -A INPUT -s ${ip_hal} -p tcp --dport 22 -j ACCEPT

# accept and log SSH IN from guest
iptables -A INPUT -s ${ip_guest} -p tcp --dport 22 ${logit} "!!! ACCEPT IN SSH GUEST"
iptables -A INPUT -s ${ip_guest} -p tcp --dport 22 -j ACCEPT

# drop some stuff (if you have WINDOWS in your network) without logging
#iptables -A INPUT -p udp --dport 137 -j DROP # netbios-ns
#iptables -A INPUT -p udp --dport 138 -j DROP # netbios-dgm
#iptables -A INPUT -p udp --dport 67 -j DROP
#iptables -A INPUT -p udp --dport 68 -j DROP
iptables -A INPUT -p 2 -j DROP # stuff from router

# drop some stuff from dnssec-servers without logging
#iptables -A INPUT -s ${ip_dnssec1} -j DROP
#iptables -A INPUT -s ${ip_dnssec2} -j DROP

# drop some bad sites/ranges without logging
#iptables -A INPUT -s a.b.c.d -j DROP
#iptables -A INPUT -s a.b.c.d/e -j DROP

# log all other
iptables -A INPUT ${logit} "!!! DROP"

# we don't need an extra DROP, because the default policy for INPUT is DROP (see above: "iptables -P INPUT DROP")


### Firewall Out ###

# accept all https / http (maybe we need sometimes http-alt ) from privoxy
iptables -A OUTPUT -p tcp --dport 443 -m owner ${privoxy_uid} -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -m owner ${privoxy_uid} -j ACCEPT
#iptables -A OUTPUT -p tcp --dport 8080 -m owner ${privoxy_uid} -j ACCEPT
#iptables -A OUTPUT -p tcp --dport 8085 -m owner ${privoxy_uid} -j ACCEPT

# accept dns
iptables -A OUTPUT -d ${ip_dns1} -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -d ${ip_dns1} -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -d ${ip_dns2} -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -d ${ip_dns2} -p tcp --dport 53 -j ACCEPT

# accept dnssec
#iptables -A OUTPUT -d ${ip_dnssec1} -p tcp --dport 853 -j ACCEPT
#iptables -A OUTPUT -d ${ip_dnssec2} -p tcp --dport 853 -j ACCEPT

# Here you have to edit something
# accept mail
#iptables -A OUTPUT -d a.b.c.d -p tcp --dport 995 -m comment --comment "pop3s" -j ACCEPT
#iptables -A OUTPUT -d a.b.c.d/24 -p tcp --dport 587 -m comment --comment "smtp submit" -j ACCEPT
#iptables -A OUTPUT -d a.b.c.d/24 -p tcp --dport 465 -m comment --comment "smtps" -j ACCEPT

# accept ntp to time-server
iptables -A OUTPUT -d ${ip_ntp} -p udp --dport 123 -j ACCEPT

# accept irc to XXXXXXX
#iptables -A OUTPUT -d a.b.c.d -p tcp --dport 6697 -j ACCEPT

# accept server wesnoth
iptables -A OUTPUT -d 95.217.86.148 -j ACCEPT

# accept pings
iptables -A OUTPUT -p icmp --icmp-type 8/0 ${logit} "!!! ACCEPT OUT PING"
iptables -A OUTPUT -p icmp --icmp-type 8/0 -j ACCEPT

# accept and log ssh only to my stations in my local network
iptables -A OUTPUT -d 192.168.2.0/24 -p tcp --dport 22 ${logit} "!!! ACCEPT OUT SSH"
iptables -A OUTPUT -d 192.168.2.0/24 -p tcp --dport 22 -j ACCEPT

# accept and log hkp (pgp-key-server)
iptables -A OUTPUT -p tcp --dport 11371 ${logit} "!!! ACCEPT OUT HKP"
iptables -A OUTPUT -p tcp --dport 11371 -j ACCEPT

# accept and log traceroute
iptables -A OUTPUT -p udp --dport 33434:33524 ${logit} "!!! ACCEPT OUT TRCR"
iptables -A OUTPUT -p udp --dport 33434:33524 -j ACCEPT

# accept and log rsync (should be portage from gentoo only)
iptables -A OUTPUT -p tcp --dport 873 ${logit} "!!! ACCEPT OUT RSYNC"
iptables -A OUTPUT -p tcp --dport 873 -j ACCEPT

# accept and log whois
iptables -A OUTPUT -p tcp --dport 43 ${logit} "!!! ACCEPT OUT WHOIS"
iptables -A OUTPUT -p tcp --dport 43 -j ACCEPT

#################################################
# for testing only !!!
# accept and log all https
#iptables -A OUTPUT -p tcp --dport 443 ${logit} "!!! ACCEPT OUT ALL HTTPS"
#iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

# for testing only !!!
# accept and log all http
#iptables -A OUTPUT -p tcp --dport 80 ${logit} "!!! ACCEPT OUT ALL HTTP"
#iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT

# for testing only !!!
# accept and log all (dont use !!!)
#iptables -A OUTPUT ${logit} "!!! ACCEPT OUT ALL"
#iptables -A OUTPUT -j ACCEPT
#################################################

# Reject some stuff without logging
#iptables -A OUTPUT -d a.b.c.d -j REJECT
#iptables -A OUTPUT -d a.b.c.d -j REJECT


# reject and log all other
iptables -A OUTPUT ${logit} "!!! REJECT"
iptables -A OUTPUT -j REJECT


You can now search for "!!!" in the kernel log to check all messages of your FW, or more specifically for "DROP", "ACCEPT", or "ACCEPT IN" / "ACCEPT OUT". Anyway, I recommend checking your /var/log/messages more often (alias: "mylog" from A.3.3).

With "iptables -Z" you can reset the counters of the packets to zero and then with "iptables -L -v -n" you can look up again which counters from which rules go up again.

Last but not least, you should also tell your favourite browser about the new proxy. My "falkon" even noticed this automatically and I didn't have to tell it anything. If you use "wget", it might also be necessary to configure the proxy (today's wget reads the environment variables and then takes over the proxy settings itself). But don't worry, from now on you will immediately see if someone wants to get out ... but can't ...

Have fun.

Last edited by pietinger on Fri May 07, 2021 12:54 am; edited 23 times in total
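As an added example that is not part of pietinger's guide or Ralphred's translation: a small POSIX shell summary of the "!!!" lines the script's LOG rules write to the kernel log, run here on constructed sample lines. It assumes the guide's prefixes and the standard iptables LOG field layout; the UID column is only filled when the LOG rule carries --log-uid (for example logit="-j LOG --log-uid --log-prefix "), otherwise it shows "-".

```shell
#!/bin/sh
# Added example, not part of pietinger's guide: summarise the "!!!" lines that
# the guide's LOG rules write to the kernel log, so you can see at a glance
# which program (UID), protocol/port and peer keeps getting rejected or
# dropped. Assumes the guide's prefixes ("!!! DROP", "!!! REJECT",
# "!!! ACCEPT OUT ...") and the standard iptables LOG field format.
# UID=/GID= fields appear only if the LOG rule carries --log-uid, so the
# summary prints "-" when they are missing.

# Constructed sample kernel log lines (not real captures). Note that the
# guide's --log-prefix has no trailing space, so "!!! REJECT" runs straight
# into the "IN=" field.
SAMPLE_LOG='May 19 03:30:01 big kernel: !!! REJECTIN= OUT=eth0 SRC=192.168.2.2 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=101 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1000 GID=1000
May 19 03:30:02 big kernel: !!! REJECTIN= OUT=eth0 SRC=192.168.2.2 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=102 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1000 GID=1000
May 19 03:30:05 big kernel: !!! DROPIN=eth0 OUT= SRC=198.51.100.7 DST=192.168.2.2 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=103 PROTO=TCP SPT=55555 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
May 19 03:30:09 big kernel: !!! ACCEPT OUT SSHIN= OUT=eth0 SRC=192.168.2.2 DST=192.168.2.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=104 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
May 19 03:30:11 big kernel: !!! REJECTIN= OUT=eth0 SRC=192.168.2.2 DST=203.0.113.99 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=105 DF PROTO=UDP SPT=50000 DPT=5353 LEN=28 UID=1001 GID=1001'

# fw_summary: read kernel log lines on stdin and print one line per distinct
# "COUNT VERDICT|DIR|PROTO/DPORT|PEER|UID", most frequent first. PEER is the
# destination for outgoing packets and the source for incoming ones.
fw_summary() {
    awk '
    /!!! / {
        verdict = $0
        sub(/.*!!! /, "", verdict)      # keep the text after the marker
        sub(/IN=.*/, "", verdict)       # the prefix runs into "IN=": cut there
        gsub(/ /, "_", verdict)         # "ACCEPT OUT SSH" -> "ACCEPT_OUT_SSH"
        out = ""; src = "-"; dst = "-"; proto = "-"; dport = "-"; uid = "-"
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "OUT") out = v
            else if (k == "SRC") src = v
            else if (k == "DST") dst = v
            else if (k == "PROTO") proto = v
            else if (k == "DPT") dport = v
            else if (k == "UID") uid = v
        }
        dir = (out != "") ? "out" : "in"   # OUTPUT-chain logs have OUT set
        peer = (dir == "out") ? dst : src
        count[verdict "|" dir "|" proto "/" dport "|" peer "|" uid]++
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2,2
}

# Stand-alone run on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | fw_summary
```

On a live system feed it the kernel log instead, e.g. `dmesg | fw_summary` or the journal/syslog file the guide tells you to watch.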
Ralphred
Guru

Joined: 31 Dec 2013
Posts: 470

Posted: Wed May 19, 2021 3:53 am

Comments from me: Google translate made a real mess of the code sections, I think I've repaired it all.
I didn't use the firewall script, as I deployed privoxy on a router, but pietinger has done such a good job of a "personal firewall" script I felt loath to leave it out of the translation.
The bit that wasn't covered in the original post was the blacklist.action file, which I shall cover now.
Code:
#Everything beyond the +block directive won't make it back into your network beyond the proxy.
{+block}
# block www.doubleclick.net
www.doubleclick.net

# block *.googlesyndication.com
.googlesyndication.com

# block *.ads.google.*
.ads.google.
And it's that simple.
It's not as good as blocking them at the IP level in the firewall, but if you are running a network without role based access control and multiple users it's a nice little addition.
It's also worth noting there is a whitelist option; you create the files in the same way as the blacklist, using the same syntax, only the opening directive is
Code:
{-block}

The last option is the trustfile, this is well documented in /etc/privoxy/trust, seems like a nifty little feature, so read it all.
figueroa
Advocate

Joined: 14 Aug 2005
Posts: 2913
Location: Edge of marsh USA

Posted: Wed May 19, 2021 4:34 am

+1 -- Can't wait to study it further.
_________________
Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/17.1/desktop (stable), OpenRC, -systemd -pulseaudio -uefi
kukibl
Apprentice

Joined: 10 Jun 2008
Posts: 230

Posted: Wed May 19, 2021 7:03 am

Thank you very much for this.
pietinger
Moderator

Joined: 17 Oct 2006
Posts: 3999
Location: Bavaria

Posted: Wed May 19, 2021 9:05 am

Ralphred,

thank you very much for translating and extending it!

I want to add a little info:

In my German thread I added some posts in (my poor school) English explaining some points of a firewall; (IMO) the most important is the section about "stateful inspection", which you will find with this direct link:
https://forums.gentoo.org/viewtopic-p-8465650.html#8465650

Many Greetings,
Peter



P.S.: (The first german sentence in this post says: "I've answered some questions in other threads and thought I'd collect this here. Maybe it will help one or the other. (Please don't laugh at my bad English)")
sokrovenno
n00b

Joined: 23 Aug 2023
Posts: 65

Posted: Wed Jan 31, 2024 3:41 pm

Hi everyone.
I decided to give it another try and configure my firewall again. I just configured Privoxy and I was checking to see if it is working correctly; I checked this page and it says that
Quote:
'Privoxy is not being used'.

Is it normal? Although this message appears, some pages are broken (not loading correctly) for me, like this one.
The site is not supposed to be on my cache cause I always used private browse mode and now my .cache is on /tmp, so when I close my browser or reboot my notebook all history should be deleted.
I also configured the proxy settings on firefox to 127.0.0.1 8118 as the wiki says.

Another thing I noticed while checking the wiki is this:
"iptables [...] It should be replaced with its successor nftables."
Is it still okay to use iptables or should I really replace it with nftables?
I'm asking because I do not understand much/at all about firewalls and I don't know if I can configure it right. But as far as I know, I don't need any sophisticated configurations for my firewall, because I just use it for University stuff, watch some videos, movies and read some books.

Quote:
First you should have ALL the FW modules enabled in the kernel

Should I enable CONFIG_NF_TABLES as well or just CONFIG_NETFILTER_XTABLES? (If I opt to just follow this tutorial)

Since I don't know what I'm doing, I thought of maybe just configuring the kernel Netfilter options for nftables and using UFW on top of that to make the configuration for me.
But as I said, I don't know what I'm doing, so I wanted to have some insights from you guys.

As always, thank you very much.

Best regards,
sokrovenno

EDIT: Sorry if this is not the right place to post it. Should I start a thread about it?
Hu
Moderator

Joined: 06 Mar 2007
Posts: 21490

Posted: Wed Jan 31, 2024 3:57 pm

sokrovenno wrote:
Another thing I noticed while checking the wiki is this:
"iptables [...] It should be replaced with its successor nftables."
Is it still okay to use iptables or should I really replace it with nftables?
Although nftables exists, and may serve some use cases better, I am not aware of any plans to remove iptables or force anyone to migrate to nftables. In my opinion, the statement you quote from the Wiki looks like it needs a citation justifying why people should move, and describing who should move:
  • Everyone, immediately
  • Everyone, sometime within the next few years
  • Only people whose use cases are better served by nftables (and a description of how to know if you are in that group)
Personally, I still use iptables. My use cases are modest, and I am not aware of any value that I would gain by moving to nftables, so I plan to remain with iptables until such time as the kernel begins deprecating the iptables functionality I use. I am not aware of any plans by the kernel developers to do that, so it may be years or even never before they do. (It could also be tomorrow, if the right person gets really unhappy.)
sokrovenno wrote:
EDIT: Sorry if this is not the right place to post it. Should I start a thread about it?
Possibly so. pietinger: would you like for us to take this elsewhere? If so, I can move my post and the preceding one out, or you can do it, as you like.
pietinger
Moderator

Joined: 17 Oct 2006
Posts: 3999
Location: Bavaria

Posted: Wed Jan 31, 2024 4:36 pm

Hu wrote:
pietinger: would you like for us to take this elsewhere? If so, I can move my post and the preceding one out, or you can do it, as you like.

For me it is fine here (because maybe some other users have the same questions).

@sokrovenno,

some remarks:

1. nftables is fine IF you want to use IPv4 AND IPv6 (because you can do both at once; with iptables you will need ip6tables as well). nftables has another syntax (and some enhancements for professional FWs), but the same approach as iptables. As soon as you understand iptables you will also understand nftables. I have found that most newcomers do not understand the principle of "stateful inspection" and therefore stumble a little. Please read the post here:
https://forums.gentoo.org/viewtopic-p-8465650.html#8465650 -> Stateful inspection -> see an example below

2. Yes, our wiki is sometimes a little bit outdated ... don't believe everything from https://wiki.gentoo.org/wiki/Security_Handbook/Firewalls_and_Network_Security :lol:

3. Yes, enable everything in these submenus (also CONFIG_NETFILTER_ADVANCED; you will get more options now; enable also everything as <M>odule)

4. You have to know a little bit about networking: IP addresses AND ports. Sessionless communication (UDP; ICMP; ...) and TCP. Start (*) from this Wiki page: https://simple.wikipedia.org/wiki/OSI_model and compare it with https://en.wikipedia.org/wiki/Internet_protocol_suite. (* start means: read also further links ... :lol: )

Example:
Code:
I delete the counters with:
# iptables -Z
Then I started a new website in my browser:
# iptables -L -vn
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   60 11383 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0           
   86 38989 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     6    --  *      *       192.168.2.4          0.0.0.0/0            tcp dpt:22
...         
         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   60 11383 ACCEPT     0    --  *      lo      0.0.0.0/0            0.0.0.0/0           
   83 10640 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 owner UID match 392
    2   120 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 owner UID match 392
    1    60 ACCEPT     6    --  *      *       0.0.0.0/0            185.95.218.42        tcp dpt:853
    2   120 ACCEPT     6    --  *      *       0.0.0.0/0            185.95.218.43        tcp dpt:853
...

You see my browser asked my caching DNS resolver "unbound", which asked 185.95.218.42 via DNS-over-TLS (=port 853) for the name; and then my browser asked my privoxy (only this application is allowed to speak with the internet directly via port 80 and 443), which sent only two packets over port 80 (yes, it was not an https-site; it was an http-site), and all other packets have been enabled by the kernel automatically (by the rules for ESTABLISHED communication).
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
pietinger
Moderator

Joined: 17 Oct 2006
Posts: 3999
Location: Bavaria

Posted: Wed Jan 31, 2024 5:18 pm

P.S.: You will need CONFIG_NETFILTER_ADVANCED to get the option: CONFIG_NETFILTER_XT_MATCH_OWNER

This option you will need for rules which filter by UID!

I use this kind of rule to allow only my proxy (=privoxy) to communicate to 443 and 80:

Code:
...
# define privoxy uid
privoxy_uid="--uid-owner 392"
...
iptables -A OUTPUT      -p tcp --dport 443 -m owner ${privoxy_uid} -j ACCEPT
iptables -A OUTPUT      -p tcp --dport 80 -m owner ${privoxy_uid} -j ACCEPT
...


Of course you must check your /etc/passwd for this:
Code:
...
privoxy:x:392:392:A privoxy; privacy oriented web proxy user:/dev/null:/sbin/nologin
...

_________________
https://wiki.gentoo.org/wiki/User:Pietinger
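As an added example (not pietinger's code): derive the privoxy UID from passwd data instead of typing it into the script, print the two owner rules, and check a saved "iptables -L -vn" listing for owner rules whose UID no longer belongs to that user, which would silently cut the proxy off. The passwd excerpt and the listing are constructed samples so the example runs offline; on a real system feed it /etc/passwd and the live listing.

```shell
#!/bin/sh
# Added example, not pietinger's code: take the privoxy UID from passwd data
# instead of hard-coding "[number]", emit the owner-match rules, and check an
# "iptables -L -vn" listing for rules whose "owner UID match" does not belong
# to that user (a stale UID after a re-install silently blocks the proxy).
# Both inputs are read as text so the example runs offline on constructed samples.

# Constructed sample passwd content; the privoxy line has the guide's UID 392.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
privoxy:x:392:392:A privoxy; privacy oriented web proxy user:/dev/null:/sbin/nologin
peter:x:1000:1000::/home/peter:/bin/bash'

# Constructed excerpt of an "iptables -L -vn" OUTPUT chain; the port-80 rule
# still carries an old UID (391).
SAMPLE_LISTING='Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 owner UID match 392
    2   120 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 owner UID match 391'

# uid_of USER: print the numeric UID of USER from passwd lines on stdin.
# Fails (no output, status 1) if USER is absent or the UID field is not numeric.
uid_of() {
    awk -F: -v u="$1" '$1 == u { print $3; exit }' | grep -Ex '[0-9]+'
}

# owner_rules UID: print the two OUTPUT rules that let only UID reach 443/80.
# Only prints; nothing is applied to the running firewall.
owner_rules() {
    for port in 443 80; do
        echo "iptables -A OUTPUT -p tcp --dport $port -m owner --uid-owner $1 -j ACCEPT"
    done
}

# stale_owner_rules UID: read an "iptables -L -vn" listing on stdin and print
# every rule whose "owner UID match" is not UID. Status 0 when there are none.
stale_owner_rules() {
    awk -v want="$1" '
        /owner UID match/ {
            for (i = 2; i < NF; i++)
                if ($i == "match" && $(i-1) == "UID" && $(i+1) != want) { print; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# Stand-alone run on the constructed samples:
uid=$(printf '%s\n' "$SAMPLE_PASSWD" | uid_of privoxy) || exit 1
owner_rules "$uid"
if printf '%s\n' "$SAMPLE_LISTING" | stale_owner_rules "$uid"; then
    echo "all owner rules use UID $uid"
else
    echo "stale owner rule(s) listed above: re-run the firewall script"
fi
```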
pietinger
Moderator

Joined: 17 Oct 2006
Posts: 3999
Location: Bavaria

Posted: Wed Jan 31, 2024 5:44 pm

P.P.S.:

An equally common misunderstanding about firewalls in Linux is: I can choose between different firewall solutions in Linux ... :lol: NO !

Only the kernel does the job ... based on rules ! You have only ONE firewall: It is the KERNEL !!

iptables and nftables only pass rules to the kernel. All other "firewalls" such as "UFW" or "shorewall" ... are NOT firewalls but only generators for rules, which they then simply transmit to the KERNEL using ALSO iptables or nftables. If you want to know what is actually happening, you should use the native iptables or nftables. Here you can then configure much more specifically - also with regard to logging !
_________________
https://wiki.gentoo.org/wiki/User:Pietinger