Gentoo Forums
Networking & Security
ufw, firehol or iptables
Naib
Watchman
Joined: 21 May 2004
Posts: 5586
Location: Removed by Neddy
Posted: Mon May 04, 2015 2:46 pm    Post subject: ufw, firehol or iptables

For quite some time I relied on tcpwrapper to "protect" my box against attack - it sits behind a router that exposes http and sshd.

sshd dropped support for tcpd and thus the prospect of a firewall rose again.
So what to use?

ufw? Firewall for dummies? Nothing wrong with that, as it is simple and (sort of) just works.
firehol? A scripting language on top of iptables that attempts to unobtrusify iptables - I used to use this.
iptables?

I sort of have an iptables setup that interacts with fail2ban (I have tested it), but the issue is, well... I'm not fully sure about what it does.
_________________
The best argument against democracy is a five-minute conversation with the average voter
Great Britain is a republic, with a hereditary president, while the United States is a monarchy with an elective king
thoughtform
Guru
Joined: 24 May 2004
Posts: 594
Location: east coast USA
Posted: Tue May 05, 2015 10:31 pm

I personally love iptables + fail2ban.
I'm no iptables expert but I've found it helpful to verify your fail2ban setup is working by issuing this command as root:

iptables -L -v -n

If you see some IP addresses banned under a chain named f2b-* or fail2ban-*, then you're somewhat protected.
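As an added example (not part of thoughtform's post, and not fail2ban's own tooling), here is the "look for banned addresses under an f2b-* chain" check done mechanically: a shell function that reads `iptables -L -v -n` output and prints every DROP/REJECT rule inside a chain named f2b-* or fail2ban-*. The sample output it is fed below is constructed so the script runs offline; on a live box run `iptables -L -v -n | f2b_banned` as root instead.

```sh
#!/bin/sh
# Added example: list addresses currently banned by fail2ban by walking the
# output of `iptables -L -v -n`. Not code from the thread or from fail2ban.

# Print "chain source" for every DROP/REJECT rule inside a fail2ban chain.
# Reads `iptables -L -v -n` output on stdin. With -v the columns are:
#   pkts bytes target prot opt in out source destination [options]
# so the target is $3 and the source address is $8.
f2b_banned() {
    awk '
        /^Chain / { chain = $2; next }          # remember which chain we are in
        chain ~ /^(f2b-|fail2ban-)/ && ($3 == "DROP" || $3 == "REJECT") {
            print chain, $8
        }
    '
}

# Constructed sample of `iptables -L -v -n` on a host running the sshd jail.
# The two banned addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_IPTABLES='Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
  341 20460 f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
 1203 96240 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5011 packets, 611K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain f2b-sshd (1 references)
 pkts bytes target     prot opt in     out     source               destination
   18  1080 REJECT     all  --  *      *       198.51.100.23        0.0.0.0/0            reject-with icmp-port-unreachable
    4   240 REJECT     all  --  *      *       203.0.113.77         0.0.0.0/0            reject-with icmp-port-unreachable
  319 19140 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Number of banned addresses in the sample. Zero means the jail chain exists
# but nobody is banned yet; no f2b chain at all means fail2ban is not running
# or is not using the iptables actions.
f2b_ban_count() {
    printf '%s\n' "$SAMPLE_IPTABLES" | f2b_banned | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_IPTABLES" | f2b_banned
```

One caveat: `iptables -L` only shows the filter table, which is where fail2ban's iptables-based actions put their chains. If fail2ban has been configured with an nftables banaction, nothing will show up here and `nft list ruleset` is the place to look.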
szatox
Veteran
Joined: 27 Aug 2013
Posts: 1717
Posted: Wed May 06, 2015 8:06 pm

I've been simply using a block-all-except-what-I-explicitly-want-to-receive iptables set + public key login to ssh. I suppose disabling password login (and direct root login) provides sufficient protection against dictionary and bf attacks even with extremely weak passwords :lol:
Blocking rogue traffic completely can of course reduce bandwidth usage slightly, but roughly one or two dozen thousand attempts every day wasn't even noticeable traffic.
Not like I was against f2b. I just didn't find it necessary for me. Your mileage might vary.

Obvious downside is you need to carry your key with you, but do you ever use someone else's device to connect?
Also, if you trust those devices with your password, why not trust them with your key?
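As an added example (not szatox's own ruleset or config), here is what the "block all except what I explicitly want" setup plus key-only ssh looks like when written down: a function that emits a default-deny IPv4 filter table in iptables-restore format, and a check that an sshd_config really disables password and direct root login. Assumptions: the exposed services are ssh (22) and http (80), as in the opening post, and sshd_config uses the 2015-era directive names (ChallengeResponseAuthentication was later renamed KbdInteractiveAuthentication). The two sshd_config samples are constructed, not taken from a real host.

```sh
#!/bin/sh
# Added example, not code from the thread: default-deny iptables ruleset plus
# a key-only sshd_config check. Load the rules as root with:
#   gen_ruleset 22 80 | iptables-restore
# Ports 22 and 80 are an assumption taken from the opening post.

# Emit a default-deny IPv4 filter table that accepts only the given TCP ports.
gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened, plus related traffic (ICMP errors)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot classify (bogus flags, stray RSTs): drop, not reject
-A INPUT -m conntrack --ctstate INVALID -j DROP
# keep ping so path problems stay diagnosable
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # everything else falls through to the INPUT DROP policy
    echo COMMIT
}

# Check an sshd_config (on stdin) for key-only login. Prints "ok" or
# "fix: <directives>". As in sshd, the first occurrence of a directive wins;
# Match blocks are not evaluated (a simplification of this example).
sshd_keys_only() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }     # comments, blanks
        /^[[:space:]]*[Mm]atch[[:space:]]/ { exit }       # stop at first Match block
        { key = tolower($1); val = tolower($2) }
        key == "passwordauthentication"          && !("pa" in seen) { seen["pa"] = val }
        key == "permitrootlogin"                 && !("pr" in seen) { seen["pr"] = val }
        key == "challengeresponseauthentication" && !("cr" in seen) { seen["cr"] = val }
        END {
            bad = ""
            # the defaults are yes, so an unset directive is a finding too
            if (seen["pa"] != "no") bad = bad (bad == "" ? "" : ",") "PasswordAuthentication"
            if (seen["pr"] != "no") bad = bad (bad == "" ? "" : ",") "PermitRootLogin"
            # with UsePAM, keyboard-interactive still accepts passwords unless this is off
            if (seen["cr"] != "no") bad = bad (bad == "" ? "" : ",") "ChallengeResponseAuthentication"
            print (bad == "" ? "ok" : ("fix: " bad))
        }
    '
}

# Constructed sample configs (not from any real host).
WEAK_SSHD_CONFIG='# stock-looking config: password logins still possible
Port 22
PermitRootLogin yes
#PasswordAuthentication no
UsePAM yes'

HARDENED_SSHD_CONFIG='# key-only config
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
UsePAM yes'

check_weak()     { printf '%s\n' "$WEAK_SSHD_CONFIG"     | sshd_keys_only; }
check_hardened() { printf '%s\n' "$HARDENED_SSHD_CONFIG" | sshd_keys_only; }

gen_ruleset 22 80
check_weak
check_hardened
```

Two practical notes. Test the ruleset from a second session before saving it, since a default-deny INPUT policy with a typo in the port list locks you out of ssh; on Gentoo, `/etc/init.d/iptables save` stores the running rules so the iptables service restores them at boot. And the ChallengeResponseAuthentication line is the one people forget: with PAM enabled, `PasswordAuthentication no` alone still leaves keyboard-interactive password prompts open.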
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 42563
Location: 56N 3W
Posted: Wed May 06, 2015 8:30 pm

Naib,

shorewall is a good iptables rule generator but it may be overkill for what you want.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.