Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Hi, first post. I have openSUSE 13.1 (Bottle) (i586) 32-bit as well as ubuntu and MINT and I'd like to install firewalls on them for the most basic security possible. Firewalls were recommended back in the day before every government corporation and spy agency demanded access to everything, and though they are out of fashion now, and although the groups mentioned get their employees to go online and tell everyone not to, I would still like to take a chance that someone can assist me to get past the roadblocks they have put up on the path to basic security.
I recall that windows used to incessantly pester you that you had no firewall until you put one in. I don't care for windows, but I do want a firewall. A distro is 4 GIGAbytes, and the firewall would be 600k. Thanks to the gov / corp / spy 'volunteers' I would guess it doesn't go in even as an option. I cannot find a firewall that will install in 'one click' or anything approaching it. I know the spies at GCHQ are imploring people to use simpler, and easier to guess passwords because they are having trouble cracking them, but I think the password here is hilarious and the advice good https://www.rt.com/usa/248401-snowde...ection-advice/
I'd like to install Peerguardian on openSUSE 13.1 first. I have done my best and tried my best so far, though even google comes to the roadblock party by directing to nothing but 10+ year old posts and so on.
the package is called pgl
Code:
sudo zypper install pgl
No provider of 'pgl' found.
Nothing to do.
is there any firewall included in any distro for the most basic online security ?
it wanted a C compiler. It was a surprising relief to see it install with one very easy command (I guess C is not part of the warzone)
Code:
sudo zypper install gcc
Code:
./configure >outputfileTMP
/home/suse/Downloads/pgl/pgl-2.3.0/missing: Unknown `--is-lightweight' option
Try `/home/suse/Downloads/pgl/pgl-2.3.0/missing --help' for more information
configure: WARNING: 'missing' script is too old or missing
configure: error: Package requirements (libnetfilter_queue) were not met:
No package 'libnetfilter_queue' found
Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.
Alternatively, you may set the environment variables libnetfilterqueue_CFLAGS
and libnetfilterqueue_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.
Code:
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking for ar... ar
checking the archiver (ar) interface... ar
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... no
checking for style of include used by make... none
checking whether make supports nested variables... no
checking dependency style of gcc... none
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking how to print strings... printf
checking for a sed that does not truncate output... /usr/bin/sed
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for fgrep... /usr/bin/grep -F
checking for ld used by gcc... /usr/i586-suse-linux/bin/ld
checking if the linker (/usr/i586-suse-linux/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 1572864
checking whether the shell understands some XSI constructs... yes
checking whether the shell understands "+="... yes
checking how to convert i686-pc-linux-gnu file names to i686-pc-linux-gnu format... func_convert_file_noop
checking how to convert i686-pc-linux-gnu file names to toolchain format... func_convert_file_noop
checking for /usr/i586-suse-linux/bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf s\n
checking for archiver @FILE support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for mt... mt
checking if mt is a manifest tool... no
checking how to run the C preprocessor... gcc -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... no
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/i586-suse-linux/bin/ld) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... no
checking for g++... no
checking for c++... no
checking for gpp... no
checking for aCC... no
checking for CC... no
checking for cxx... no
checking for cc++... no
checking for cl.exe... no
checking for FCC... no
checking for KCC... no
checking for RCC... no
checking for xlC_r... no
checking for xlC... no
checking whether we are using the GNU C++ compiler... no
checking whether g++ accepts -g... no
checking dependency style of g++... none
checking for gcc... (cached) gcc
checking whether we are using the GNU C compiler... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking for gcc option to accept ISO C89... (cached) none needed
checking whether gcc understands -c and -o together... (cached) yes
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking arpa/inet.h usability... yes
checking arpa/inet.h presence... yes
checking for arpa/inet.h... yes
checking for inttypes.h... (cached) yes
checking limits.h usability... yes
checking limits.h presence... yes
checking for limits.h... yes
checking netinet/in.h usability... yes
checking netinet/in.h presence... yes
checking for netinet/in.h... yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking sys/time.h usability... yes
checking sys/time.h presence... yes
checking for sys/time.h... yes
checking syslog.h usability... yes
checking syslog.h presence... yes
checking for syslog.h... yes
checking for unistd.h... (cached) yes
checking for stdbool.h that conforms to C99... yes
checking for _Bool... yes
checking for inline... inline
checking for size_t... yes
checking for uint16_t... yes
checking for uint32_t... yes
checking for uint8_t... yes
checking for error_at_line... yes
checking for pid_t... yes
checking vfork.h usability... no
checking vfork.h presence... no
checking for vfork.h... no
checking for fork... yes
checking for vfork... yes
checking for working fork... yes
checking for working vfork... (cached) yes
checking for stdlib.h... (cached) yes
checking for GNU libc compatible malloc... yes
checking for stdlib.h... (cached) yes
checking for GNU libc compatible realloc... yes
checking for memchr... yes
checking for memmove... yes
checking for memset... yes
checking for strdup... yes
checking for strerror... yes
checking for strstr... yes
checking for libnetfilterqueue... no
Code:
sudo zypper install make
Overall download size: 366.7 KiB so 'make' cannot fit in the distro. <facepalm>
I don't know about make
Code:
make install
make: *** No rule to make target `install'. Stop.
the INSTALL file simply says
Quote:
Step 3.2: Build and install
---------------------------
After configure you can build and install the package, just issue:
make
make install
All distros come with firewall software. At the very minimum, distros have iptables, the command used to manipulate the network packet processing in the kernel. Those firewalls can be used for providing basic and advanced protection.
Watch the language, please, folks of different age ranges visit this forum and I would imagine those under 18, as well.
It appears a needed dependency, "libnetfilter_queue," is missing. Perhaps installing the package here, or possibly here, will resolve the issue.
Regards...
Hello, thank you.
Sorry for the sailor talk, I didn't notice. Shall do better sir.
I tried the first link twice, though it failed both times with the all too brief response of
Code:
Software installation
Installation was only partially successful.
The following packages could not be installed
• libnetfilter_queue
However it did look promising, the whole one click thing. It did use 42MB of bandwidth looking good, up until the point it failed. Trying manual now.
Code:
sudo zypper addrepo http://download.opensuse.org/repositories/openSUSE:Factory/standard/openSUSE:Factory.repo
File '/repositories/openSUSE:Factory/standard/openSUSE:Factory.repo' not found on medium 'http://download.opensuse.org/'
Abort, retry, ignore? [a/r/i/? shows all options] (a): i
Problem encountered while trying to read the file at the specified URI:
trying the "Grab binary packages directly" option.
produces a request to save file or open with add remove software. Clicked to open with add remove software. Requester appears saying
Quote:
Failed to install file
Failed with unknown error code
[Close]
Hello berndbausch, the page at https://en.opensuse.org/SuSEfirewall2 seems incomplete or requires a lot of preexisting knowledge to understand. pgl appears to have some documentation which solves those problems. I hope to install peerguardian because I want to use a firewall.
Quote:
Hi, first post. I have openSUSE 13.1 (Bottle) (i586) 32-bit as well as ubuntu and MINT and I'd like to install firewalls on them for the most basic security possible. Firewalls were recommended back in the day before every government corporation and spy agency demanded access to everything, and though they are out of fashion now the groups mentioned get their employees to go online and tell everyone not to, dammit, I would still like to take a chance that someone can assist me to get past the roadblocks they have put up on the path to basic security.
I recall that windows used to incessantly pester you that you had no firewall until you put one in. I don't care for windows, but I do want a firewall. A distro is 4 GIGAbytes, and the firewall would be 600k. Thanks to the gov / corp / spy 'volunteers' I would guess it doesn't go in even as an option. I cannot find a firewall that will install in 'one click' or anything approaching it. I know the spies at GCHQ are imploring people to use simpler, and easier to guess passwords because they are having trouble cracking them, but I think the password here is hilarious and the advice good https://www.rt.com/usa/248401-snowde...ection-advice/
This is an unnecessary rant: pretty much every general purpose distro that I can think of comes with iptables(/netfilter) as a firewall system. (You can regard iptables and netfilter as 'the same thing' for most purposes, although it isn't quite true.)
Many of the other things that seem to be 'a linux firewall system' are (supposedly) easy configuration options for iptables. In some cases, I feel that the easy options don't do anything that really makes things easier, but that's a side issue; you can choose iptables or an 'easy' option, as you see fit.
In an openSUSE system there will be susefirewall2, which is configurable via yast. Both this and iptables will already be present in any standard install.
By default, susefirewall2 is set up in a pretty generic, 'allow pretty much anything', mode that might not be to your taste. I'm not quite clear why you didn't ask questions about the configuration of susefirewall2, but you didn't.
Quote:
I'm not quite clear why you didn't ask questions about the configuration of susefirewall2, but you didn't.
Because I'd like to install Peerguardian. I hadn't heard about susefirewall2 until someone gave me a link to a page that has scant and missing documentation about it. There is documentation about pgl, or there is likely to be more about it than the others, but I'd happily take any help on how to install a firewall and how to add rules to it.
Quote:
Originally Posted by John VV
you have just made a big problem for yourself
you are grabbing things from the FACTORY repo (post 4) -- NOT A GOOD IDEA - not even a bad one but one that WILL KILL YOUR INSTALL!!!!!
factory is NOT 13.1 !!!!
yes, I do believe what you are saying, every gov, corp and spy agency has a vested interest in preventing people installing a working firewall, so bad advice is to be expected if and when it comes.
I have a computer where the hard drive is divided up into about 10 or more partitions with a different linux flavor on each, some have two or three copies. I am happy to install a new copy of opensuse onto a partition, is there a particular version or method that you would personally recommend so I can put on pgl ?
Quote:
yes, I do believe what you are saying, every gov, corp and spy agency has a vested interest in preventing people installing a working firewall, so bad advice is to be expected if and when it comes.
THAT IS NOT!!!!!!!! what I said !!!!!! factory and 13.1 are TWO DIFFERENT COMPUTER OPERATING SYSTEMS !!!!
THEY ARE INCOMPATIBLE WITH EACH OTHER !!!!
DO NOT MIX THE TWO!!!!
OpenSUSE comes with iptables and susefirewall2 AUTO INSTALLED!!!!
if you try to mix "factory"( newer than 13.1) with 13.1 you will FUBAR your install
it is like trying to install Windows10 built programs on Windows7
-- WILL NOT WORK OUT WELL!!!
AND 13.1 is NOT supported any longer
install Leap !!!
Quote:
THAT IS NOT!!!!!!!! what I said !!!!!! factory and 13.1 are TWO DIFFERENT COMPUTER OPERATING SYSTEMS !!!!
THEY ARE INCOMPATIBLE WITH EACH OTHER !!!!
DO NOT MIX THE TWO!!!!
OpenSUSE comes with iptables and susefirewall2 AUTO INSTALLED!!!!
if you try to mix "factory"( newer than 13.1) with 13.1 you will FUBAR your install
it is like trying to install Windows10 built programs on Windows7
-- WILL NOT WORK OUT WELL!!!
AND 13.1 is NOT supported any longer
install Leap !!!
I didn't try to put words in your mouth John, honestly. What I was saying is yes I agree with you. I should have put the full stop there. I was explaining why I agree with you and saying that I personally am not surprised to find the system breaking advice when discussing basic linux security. I will take your good advice and install Leap. I'll also try to install pgl onto Leap and let you know how I go. I will report here to you John. I appreciate your assistance a great deal.
OpenSUSE Leap 42.1 has been released on 4th Nov 2015. It is built from source code of SLE (SUSE Linux Enterprise) and can be installed only on 64-bit Machine.
I made a text file called block in the home directory. I put the url of a blocklist into that text file. On my machine the home directory for mint is called /home/mint
I then moved that file to the appropriate place.
Code:
cd /
Code:
cd etc/pgl
Code:
sudo mv blocklists.list "blocklists old.list"
Code:
sudo mv /home/mint/block blocklists.list
That worked for mint but I want to make a blocklist of my own, rather than someone else's. I want to know how to look at the traffic and where it is going.
But that's almost 1/3 of the job done. I still want to get a firewall on my opensuse machine.
almost forgot that switching on and off this firewall was handy during blocklist install
Quote:
OpenSUSE Leap 42.1 has been released on 4th Nov 2015. It is built from source code of SLE (SUSE Linux Enterprise) and can be installed only on 64-bit Machine.
So Leap is an inappropriate course to take regardless of what machine I have because it is obviously only going to work half of the time at best. That's if it can be made to work at all. The peerguardian file is about a megabyte, a new operating system is something along the lines of 4,000 times as large and could only serve as an off-topic distraction from the actual question, which is how to install a firewall on opensuse for example. I'm sure if I bought a new machine and installed a new operating system and hired extra I.T. staff it could be done, but that is not the question being asked here. But thanks for the suggestion.
Quote:
So Leap is an inappropriate course to take regardless of what machine I have because it is obviously only going to work half of the time at best. That's if it can be made to work at all...
I do not understand the point of this... mostly curious, but could you expand on that a little?
But as to your original question...
Quote:
Originally Posted by Taks
Hi, first post. I have openSUSE 13.1 (Bottle) (i586) 32-bit as well as ubuntu and MINT and I'd like to install firewalls on them for the most basic security possible.
You will already have iptables installed on those machines, which is the firewall - you need nothing else except a most basic set of rules for it to use.
If you specifically want a GUI firewall manager, which I suspect may be the case, then you/we need to focus on that instead of the "firewall" itself.
Writing and starting rules for the most basic security is actually pretty easy.
Even if you install a GUI firewall manager package it will still be fairly useless unless you understand the terms and rules that it offers for your use. There really isn't a one size fits all click and forget firewall.
So whatever solution you seek, learning the basics of iptables is the best place to start.
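
A basic ruleset of the kind the reply above describes, as an added example that is not part of the original thread: it prints an iptables-restore ruleset that drops unsolicited inbound traffic, accepts replies to connections the machine started, and logs new outbound connections so their destinations appear in the kernel log. The function names, the log prefixes and the sample port 22 are assumptions made for this example.

```shell
#!/bin/sh
# Added example: a minimal stateful IPv4 host firewall, emitted in
# iptables-restore format. IPv6 needs its own rules via ip6tables-restore.

# build_ruleset [tcp_port ...]
#   Prints the ruleset. Each argument is an inbound TCP port to open
#   (the sample port 22 used below is an assumption, not from the thread).
build_ruleset() {
    # Validate every port before printing anything, so a bad argument
    # never yields a half-written ruleset.
    for port in "$@"; do
        case "$port" in
            ''|0*|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
        esac
        if [ "${#port}" -gt 5 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2; return 1
        fi
    done

    # Default-deny inbound and forwarded traffic; allow loopback and
    # packets belonging to connections this host already knows about.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited log of what the DROP policy is about to discard, and a
    # log line for every new outbound connection (DST= in the kernel log
    # shows where the traffic is going).
    cat <<'EOF'
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "
-A OUTPUT -m conntrack --ctstate NEW -j LOG --log-prefix "fw-out-new: "
COMMIT
EOF
}

# apply_ruleset [tcp_port ...]
#   Must run as root. Parses the rules with --test first, then loads them,
#   replacing whatever is currently in the filter table.
apply_ruleset() {
    rules=$(build_ruleset "$@") || return 1
    printf '%s\n' "$rules" | iptables-restore --test || return 1
    printf '%s\n' "$rules" | iptables-restore
}

# Example: print the rules for review, opening only SSH.
#   build_ruleset 22
```

Rules loaded this way last until the next reboot or until another tool rewrites the table; making them persistent is distribution-specific.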