LinuxQuestions.org

Slackware forum: Easy Slackware Firewall? (http://www.linuxquestions.org/questions/slackware-14/easy-slackware-firewall-145782/)

neilcpp 02-13-2004 04:28 PM

Easy Slackware Firewall?
 
I need to set up a firewall on my Slackware system ASAP. Are there any easy programs that I can use to do this? I can't deal with configuring this & that at the moment, I just need a quick-fix solution program where I only need to install an rpm.

I ran shorewall on my Mandrake system, but I tried to put it on Slack & I kept getting message after message about failed dependencies etc. When I downloaded a needed file I found the system asking for another file & another etc!!

Thanks :(

jong357 02-13-2004 04:48 PM

You can make your own....

---------------------------------------------------------------

#!/bin/sh

# Begin /bin/firewall-start

# Insert connection-tracking modules (not needed if built into the kernel).
#modprobe ip_tables
#modprobe iptable_filter
#modprobe ip_conntrack
#modprobe ip_conntrack_ftp
#modprobe ipt_state
#modprobe ipt_LOG

# allow local-only connections
iptables -A INPUT -i lo -j ACCEPT
# free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# permit answers on already established connections
# and permit new connections related to established ones (eg active-ftp)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log everything else: What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

# set a sane policy: everything not accepted > /dev/null
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# disable ExplicitCongestionNotification - too many routers are still
# ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# If you are frequently accessing ftp-servers or enjoy chatting you might
# notice certain delays because some implementations of these daemons have
# the feature of querying an identd on your box for your username for
# logging. Although there's really no harm in this, having an identd
# running is not recommended because some implementations are known to be
# vulnerable.
# To avoid these delays you could reject the requests with a 'tcp-reset':
#iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
#iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT

# To log and drop invalid packets, mostly harmless packets that came in
# after netfilter's timeout, sometimes scans (inserted at the top of INPUT
# so they are handled before the ESTABLISHED,RELATED rule):
#iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix "FIREWALL:INVALID "
#iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP

# End /bin/firewall-start


-----------------------------------------------

#!/bin/sh

# Begin /bin/firewall-status

echo "iptables.mangling:"
iptables -t mangle -v -L -n --line-numbers

echo
echo "iptables.nat:"
iptables -t nat -v -L -n --line-numbers

echo
echo "iptables.filter:"
iptables -v -L -n --line-numbers

# End /bin/firewall-status

------------------------------------------------------

#!/bin/sh

# Begin /bin/firewall-stop

# deactivate IP-Forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward

iptables -Z
iptables -F
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -t nat -F POSTROUTING
iptables -t mangle -F PREROUTING
iptables -t mangle -F OUTPUT
iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# End /bin/firewall-stop

----------------------------------------------------------

That's what I do. It's simple yet very effective. They'll be in your path so just type the filename and they're activated. Or make a launcher with the command of /bin/firewall-start... Up to you.

neilcpp 02-13-2004 08:37 PM

Thanks - but that looks like kernel code to me!! :)

slackwarefan 02-13-2004 09:18 PM

All you have to do is copy the code into 3 separate files and chmod them to 777.

jong357 02-13-2004 09:20 PM

No, no, no...... Just copy each section and paste it into a gedit or kedit pad... Save it as either

1. firewall-start
2. firewall-status
3. firewall-stop

Those are scripts..... easy piecey....... The -------------------------------------------------- separates each script. Save the first one as firewall-start, the second one as firewall-status, and the third one as firewall-stop. Save them all into /bin..........

Then when you want to activate your firewall, open up a prompt and type "firewall-start"... It doesn't get any easier than that. If you want to check the status and see what packets have been dropped or allowed thru, type "firewall-status". If you want to disable the firewall, type "firewall-stop"....... This is a very strict yet easy going firewall... It will not allow anything to punch thru unless YOU initiate the transaction..... No difference between this and ZoneAlarm or similar progs for windows.... If you study up, you can get really creative and add all sorts of shit to the first one......

The only thing you need to be aware of is this section of "firewall-start":

#modprobe ip_tables
#modprobe iptable_filter
#modprobe ip_conntrack
#modprobe ip_conntrack_ftp
#modprobe ipt_state
#modprobe ipt_LOG

If all or any of these are built into the kernel, then they need to be commented like they already are... If they are built as modules, the appropriate lines need to be uncommented. These kernel options need to be built as modules or "in-house" for ANY firewall to work. If you're using the stock kernel, like I'm sure you probably are, then forget about it. They are already there... Do this.....

1. Uncomment all of those so it reads:
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe ipt_LOG
2. Type "firewall-start". If you get feedback saying that "something or other" is already built into the kernel, then simply put a "#" in front of the corresponding line until you get NO feedback after running "firewall-start"... It's really about the easiest thing you can do....
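As an added example (not jong357's scripts and not from the thread), here is a firewall-start variant that automates the comment/uncomment step above and flushes the filter chains before adding rules, so running it on every boot or by hand twice never stacks duplicate copies of the same rules. The IPT variable is an assumption added here: pointing it at "echo" previews the iptables commands without touching the kernel.

```shell
#!/bin/sh
# Added example: an idempotent firewall-start for the rules in this thread.
# IPT defaults to the real iptables; set IPT=echo to dry-run the commands.
IPT=${IPT:-iptables}

# Try each netfilter module named in the thread. modprobe fails for a module
# that is built into the kernel (or absent), which is harmless here, so the
# failure is reported and skipped instead of stopping the script.
load_modules() {
    for m in ip_tables iptable_filter ip_conntrack ip_conntrack_ftp ipt_state ipt_LOG; do
        if modprobe "$m" 2>/dev/null; then
            echo "loaded module $m"
        else
            echo "skipping $m (built-in or not available)"
        fi
    done
}

# Empty the three filter chains first, then rebuild the strict policy:
# only loopback, replies to connections this host started, and related
# connections (e.g. active FTP data) get in; everything else is logged
# once and dropped by the chain policy.
apply_rules() {
    $IPT -F INPUT
    $IPT -F OUTPUT
    $IPT -F FORWARD
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
}

# Only run the full sequence when executed directly, not when sourced.
if [ "${FIREWALL_SOURCED:-0}" = "0" ] && [ "$(basename -- "$0")" = "firewall-start" ]; then
    load_modules
    apply_rules
fi
```

Because the chains are flushed before rules are added, the script can go in /etc/rc.d/rc.local (or be re-run after editing) without a separate firewall-stop.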

Minderbinder 02-14-2004 12:46 AM

You can try kmyfirewall at http://kmyfirewall.sourceforge.net/

tharris 02-14-2004 08:05 AM

Wow ... Nice

amos 02-14-2004 08:20 AM

Very, very nice.

Any suggestions for starting it automatically at boot, or whenever I start kppp, and stopping it afterwards?

Cheers
Amos

Minderbinder 02-14-2004 10:00 AM

What desktop are you using? In gnome Applications--->control center--->Advanced--->sessions can be used to automatically start programs at boot. KDE probably has a similar tool. I think you can also add the path to /etc/rc.d/rc.local.

LinFreak! 02-14-2004 12:35 PM

Check this webpage out, it has many useful setup procedures for lots of Linux distros.
It recommends "Arno's IPTables Firewall". I have been using it for a long time now and I find it helped me understand how to set it up as the /etc/iptables-firewall.conf file contains lots of information about all the options it uses.
http://jetblackz.cjb.net/

amos 02-14-2004 01:14 PM

Thanks LinFreak!, I thought it was something like that, I've added the following line to /etc/rc.d/rc.S

Code:

#start firewall
/bin/firewall-start

between the part about mounting non-root filesystems in fstab, and the part about cleaning up some temporary files.

Am I right in thinking that there's no problem with not doing 'firewall-stop' during shutdown, and that it doesn't matter if the 'firewall-start' script is run every time I start up without checking whether anything else is running?

Cheers
Amos:D

LinFreak! 02-14-2004 02:38 PM

I wouldn't think you would ever need "firewall-stop" on your average home system, or any other system for that matter. If I need to change something I would normally modify the firewall configuration file: /etc/iptables-firewall.conf (specific to arno's firewall i think) then issue the command:-
/etc/rc.d/rc.iptables restart (this may be specific to arno's firewall too, but you get the idea!)

amos 02-14-2004 03:08 PM

Yep, I get the idea.

Cheers all.
Amos

jong357 02-14-2004 11:16 PM

/etc/rc.d/rc.local is a good file to use.... I run hdparm optimizations on all drives, adsl-start and /bin/firewall-start thru that.... I don't anymore actually except hdparm, but that's the file that will run any command you want before you hit login..... There are all sorts of firewalls out there... They are bookmarked on my Arch partition... I'm on Slack and don't feel like rooting for them right now... Firestarter is one that I can remember... I don't trust em tho.... Anything that has a gui and asks for a yes or a no, I just don't trust. I'd rather use a script..... I'd sooner boot into Windows and use ZoneAlarm if I wanted that kinda stuff, tho ZoneAlarm is pretty tight...... My personal opinion anyway.... Up to the individual....

Jon

subekk0 02-14-2004 11:32 PM

guarddog
 
guarddog has a nice "simple" gui. http://www.simonzone.com/software/guarddog/#download
