Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Any newb friendly firewalls?
View unanswered posts
View posts from last 24 hours

Goto page Previous  1, 2  
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
SirRobin2318
Apprentice
Apprentice


Joined: 24 Apr 2004
Posts: 241
Location: Strasbourg, france.

PostPosted: Mon Feb 17, 2014 9:59 am    Post subject: Reply with quote

This post got me into giving nftables a spin.
You'll need a 3.13 kernel. Way less of a pain than iptables, this is what I'm using (not the same machine as the firehol config):
Code:
table firewall {
    chain incoming {
        type filter hook input priority 0;

        # bad tcp -> avoid network scanning:
        tcp flags & (fin|syn) == (fin|syn)         drop
        tcp flags & (syn|rst) == (syn|rst)         drop
        tcp flags & (fin|syn|rst|psh|ack|urg) < (fin)      drop # == 0 would be better, not supported yet.
        tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)   drop

        # no ping floods:
        ip protocol icmp limit rate 10/second accept
        ip protocol icmp drop

        ct state {established, related} accept
        ct state invalid drop

        iifname lo accept

   # avoid brute force on ssh:
        tcp dport {ssh} limit rate 15/minute accept

        reject
    }
}

table ip6 firewall {
    chain incoming {
        type filter hook input priority 0;

        # bad tcp:
        tcp flags & (fin|syn) == (fin|syn)         drop
        tcp flags & (syn|rst) == (syn|rst)         drop
        tcp flags & (fin|syn|rst|psh|ack|urg) < (fin)      drop # == 0 would be better, not supported yet.
        tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)   drop

        # no ping floods:
        ip6 nexthdr icmpv6 limit rate 10/second accept
        ip6 nexthdr icmpv6 drop

        ct state {established, related} accept
        ct state invalid counter drop

        # loopback interface
        iifname lo accept

   # avoid brute force on ssh:
        tcp dport {ssh} limit rate 15/minute accept

        reject
    }
}
Back to top
View user's profile Send private message
<3
l33t
l33t


Joined: 21 Oct 2004
Posts: 917

PostPosted: Fri Feb 21, 2014 6:41 am    Post subject: Reply with quote

Thank you 666threesixes666 for taking the time to put up a gentoo wiki page. I have not tried your installation yet but are there nothing to configure? I don''t see anything in your wiki post pertaining to configuration.
Back to top
View user's profile Send private message
666threesixes666
Veteran
Veteran


Joined: 31 May 2011
Posts: 1248
Location: 42.68n 85.41w

PostPosted: Fri Feb 21, 2014 6:50 am    Post subject: Reply with quote

im not done with it..... i got side tracked with fail2ban and auto banning clowns trying to hack my VPS.

simply put, emerge ufw-frontends, then look in your menus for firewall manager....

xfce4 says its pkexec /usr/sbin/ufw-gtk

or as root

ufw-gtk....

if you can handle zone alarm you can handle ufw-gtk.. ultra easy, im working on fail2ban integration & scripts behind the curtain.

there are kde front ends for ufw too but i dont play that...


@SirRobin2318: WOW... you're making me wish the 3.13.x branch worked good on this laptop. that kernel branch is so slow its unusable.

i also posted an nftables wiki with just links, including the one you used. https://wiki.gentoo.org/wiki/Nftables



@ firewall builder, i hit their request line with ufw support to generate configs for ufw on local / remote installs.

http://upload.wikimedia.org/wikipedia/commons/3/37/Wikipedia-lolcat.jpg
Back to top
View user's profile Send private message
<3
l33t
l33t


Joined: 21 Oct 2004
Posts: 917

PostPosted: Sat Mar 22, 2014 8:36 am    Post subject: Reply with quote

Hey 666threesixes666 I wanted to follow up on this post and ask you again to post your ufw configuration as by ufw has absolutely no firewall rules by default and running a firewall with no rules is pointless. Also I don't know much about networking so I am unsure what port I should be blocking. Also portage has the package ufw-frontends for a nice frontend for ufw.
Back to top
View user's profile Send private message
666threesixes666
Veteran
Veteran


Joined: 31 May 2011
Posts: 1248
Location: 42.68n 85.41w

PostPosted: Sat Mar 22, 2014 8:02 pm    Post subject: Reply with quote

ufw blocks absolutely everything by default, even ssh.

Code:
emerge ufw-frontends


then run

Code:
ufw-gtk


http://ualinux.com/info/udp/ufw-gtk.png

http://sabayon.cz/wp-content/blogs.dir/1/files/sabayon7-instalace/32.jpg

ufw is really easy to deal with....
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Goto page Previous  1, 2
Page 2 of 2

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum