Easy Slackware Firewall?
I need to set up a firewall on my Slackware system ASAP. Are there any easy programs that I can use to do this? I can't deal with configuring this & that at the moment; I just need a quick-fix solution program where I only need to install an rpm.
I ran Shorewall on my Mandrake system, but I tried to put it on Slack & I kept getting message after message about failed dependencies etc. When I downloaded a needed file I found the system asking for another file & another etc!! Thanks :( |
You can make your own....
---------------------------------------------------------------
#!/bin/sh
# Begin /bin/firewall-start

# Insert connection-tracking modules (not needed if built into the kernel).
#modprobe ip_tables
#modprobe iptable_filter
#modprobe ip_conntrack
#modprobe ip_conntrack_ftp
#modprobe ipt_state
#modprobe ipt_LOG

# start from a clean slate, so running this script twice does not
# duplicate the rules below
iptables -F
iptables -X

# allow local-only connections
iptables -A INPUT -i lo -j ACCEPT

# free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# permit answers on already established connections
# and permit new connections related to established ones (eg active-ftp)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log everything else: What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

# set a sane policy: everything not accepted > /dev/null
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# disable ExplicitCongestionNotification - too many routers are still
# ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# If you are frequently accessing ftp-servers or enjoy chatting you might
# notice certain delays because some implementations of these daemons have
# the feature of querying an identd on your box for your username for
# logging. Although there's really no harm in this, having an identd
# running is not recommended because some implementations are known to be
# vulnerable.
# To avoid these delays you could reject the requests with a 'tcp-reset':
#iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
#iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT

# To log and drop invalid packets, mostly harmless packets that came in
# after netfilter's timeout, sometimes scans (kept on one line each so the
# commented-out text cannot be executed by mistake):
#iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix "FIREWALL:INVALID "
#iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP

# End /bin/firewall-start
-----------------------------------------------
#!/bin/sh
# Begin /bin/firewall-status

echo "iptables.mangling:"
iptables -t mangle -v -L -n --line-numbers
echo
echo "iptables.nat:"
iptables -t nat -v -L -n --line-numbers
echo
echo "iptables.filter:"
iptables -v -L -n --line-numbers

# End /bin/firewall-status
------------------------------------------------------
#!/bin/sh
# Begin /bin/firewall-stop

# deactivate IP-Forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward

# zero the counters, flush every chain of every table (flushing the whole
# table also covers chains that newer kernels added) and delete user chains
iptables -Z
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X

# open up again: default policies back to ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# End /bin/firewall-stop
----------------------------------------------------------
That's what I do. It's simple but yet very effective. They'll be in your path so just type the filename and they're activated. Or make a launcher with the command of /bin/firewall-start... Up to you. |
Thanks, but that looks like kernel code to me!!.. :)
|
All you have to do is copy the code into 3 separate files and chmod them to 777.
|
No, no, no...... Just copy each section and paste it into a gedit or kedit pad... Save it as either
1. firewall-start
2. firewall-status
3. firewall-stop

Those are scripts..... easy peasy....... The -------------------------------------------------- separates each script. Save the first one as firewall-start, the second one as firewall-status, and the third one as firewall-stop. Save them all into /bin.......... Then when you want to activate your firewall, open up a prompt and type "firewall-start"... It doesn't get any easier than that. If you want to check the status and see what packets have been dropped or allowed thru, type "firewall-status". If you want to disable the firewall, type "firewall-stop".......

This is a very strict yet easy going firewall... It will not allow anything to punch thru unless YOU initiate the transaction..... No difference between this and ZoneAlarm or similar progs for Windows.... If you study up, you can get really creative and add all sorts of shit to the first one......

The only thing you need to be aware of is this section of "firewall-start":
Code:
#modprobe ip_tables
#modprobe iptable_filter
#modprobe ip_conntrack
#modprobe ip_conntrack_ftp
#modprobe ipt_state
#modprobe ipt_LOG

If all or any of these are built into the kernel, then they need to be commented like they already are... If they are built as modules, the appropriate lines need to be uncommented. These kernel options need to be built as modules or "in-house" for ANY firewall to work. If you're using the stock kernel, like I'm sure you probably are, then forget about it. They are already there... Do this.....

1. Uncomment all of those so it reads:
Code:
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe ipt_LOG

2. Type "firewall-start". If you get feedback saying that "something or other" is already built into the kernel, then simply put a "#" in front of the corresponding line until you get NO feedback after running "firewall-start"... It's really about the easiest thing you can do.... |
You can try kmyfirewall at http://kmyfirewall.sourceforge.net/
|
Wow ... Nice
|
Very, very nice.
Any suggestions for starting it automatically at boot, or whenever I start kppp, and stopping it afterwards? Cheers Amos |
What desktop are you using? In gnome Applications--->control center--->Advanced--->sessions can be used to automatically start programs at boot. KDE probably has a similar tool. I think you can also add the path to /etc/rc.d/rc.local.
|
Check this webpage out, it has many useful setup procedures for lots of Linux distros.
It recommends "Arno's IPTables Firewall". I have been using it for a long time now and I find it helped me understand how to set it up as the /etc/iptables-firewall.conf file contains lots of information about all the options it uses. http://jetblackz.cjb.net/ |
Thanks LinFreak!, I thought it was something like that, I've added the following line to /etc/rc.d/rc.S
Code:
#start firewall

Am I right in thinking that there's no problem with not doing 'firewall-stop' during shutdown, and that it doesn't matter if the 'firewall-start' script is run every time I start up without checking whether anything else is running? Cheers Amos :D |
I wouldn't think you would ever need "firewall-stop" on your average home system, or any other system for that matter. If I need to change something I would normally modify the firewall configuration file: /etc/iptables-firewall.conf (specific to Arno's firewall I think) then issue the command:-
/etc/rc.d/rc.iptables restart (this may be specific to Arno's firewall too, but you get the idea!) |
Yep, I get the idea.
Cheers all. Amos |
/etc/rc.d/rc.local is a good file to use.... I run hdparm optimizations on all drives, adsl-start and /bin/firewall-start thru that.... I don't anymore actually except hdparm, but that's the file that will run any command you want before you hit login..... There are all sorts of firewalls out there... They are bookmarked on my Arch partition... I'm on Slack and don't feel like rooting for them right now... Firestarter is one that I can remember... I don't trust em tho.... Anything that has a gui and asks for a yes or a no, I just don't trust. I'd rather use a script..... I'd sooner boot into Windows and use ZoneAlarm if I wanted that kinda stuff, tho ZoneAlarm is pretty tight...... My personal opinion anyway.... Up to the individual....
Jon |
guarddog
guarddog has a nice "simple" gui. http://www.simonzone.com/software/guarddog/#download
|
Some sites that might be useful...
Easy Firewall Generator for IP Tables http://morizot.net/firewall/
Citadec Firewall Generator http://www.citadec.com/FirewallGenerator.html
PHP Firewall Generator http://phpfwgen.sourceforge.net/
IPTables Script Generator http://iptables-script.dk/index1.php
Arno's IPTables Firewall script http://rocky.molphys.leidenuniv.nl/ |
Greetings Jong357,
How come I'm getting "command not found" for iptables from lines 8 to 19 in your firewall-stop script? I'm running firewall-stop in rc.shutdown, but every time I reboot or shut down I get that error. When I simply stop it from the console it seems to shut down quietly. Thanks |
+1 That rocks, totally use it. Fwbuilder, ufw and shorewall have SlackBuilds too; sbopkg makes it very easy for you. |
Robby has a very nice firewall page:
http://rlworkman.net/conf/firewall/ |
I am very sorry for reviving such an old thread but I really need help about this firewall.
I did everything that has been said in this thread, but my bash returns something like this:
Code:
iptables v1.4.14: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.14: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.14: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.14: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)

I installed Slackware a few days ago and am a complete noob in Linux, so I really don't know what this means. Thank you very much for help. |
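Added example, not a script from anyone in this thread: a pre-flight wrapper (hypothetically named firewall-preflight) for the /bin/firewall-start, -status and -stop scripts posted earlier. It addresses both failures reported in the thread: iptables "command not found" when a script runs from an rc file with a short PATH, and the "Table does not exist (do you need to insmod?)" error, which means the kernel never registered the filter table because the ip_tables/iptable_filter support is neither loaded nor built in. It puts the iptables directory on PATH, modprobes only the modules that are not already loaded (the modprobe list from the posted script), and checks for the filter table before handing over. It assumes iptables is installed in /usr/sbin or /sbin and that the kernel lists its registered tables in /proc/net/ip_tables_names.

```shell
#!/bin/sh
# Added example, not one of the scripts posted in this thread: a
# pre-flight wrapper for the posted /bin/firewall-{start,status,stop}.
# Assumptions: iptables is installed in /usr/sbin or /sbin, and the
# kernel lists registered tables in /proc/net/ip_tables_names.

# Print the first directory in the space-separated list $1 that holds an
# executable iptables; return 1 if none does. Putting that directory on
# PATH avoids "command not found" when an rc script runs with a short PATH.
find_iptables_dir() {
    for d in $1; do
        [ -x "$d/iptables" ] && { printf '%s\n' "$d"; return 0; }
    done
    return 1
}

# Print the modules from list $1 that are absent from the /proc/modules-style
# file $2. Code built into the kernel never appears there, so modprobe may
# still say it is already built in; that is harmless, as noted above.
missing_modules() {
    for m in $1; do
        grep -q "^$m " "$2" 2>/dev/null || printf '%s\n' "$m"
    done
}

# Return 0 if table $1 (e.g. filter) is registered with netfilter, reading
# the table list from file $2 (default /proc/net/ip_tables_names).
table_present() {
    f=${2:-/proc/net/ip_tables_names}
    [ -r "$f" ] && grep -qx "$1" "$f"
}

# Same module set the posted firewall-start lists.
MODULES="ip_tables iptable_filter ip_conntrack ip_conntrack_ftp ipt_state ipt_LOG"

preflight() {
    dir=$(find_iptables_dir "/usr/sbin /sbin") || { echo "iptables is not installed" >&2; return 1; }
    PATH="$dir:$PATH"; export PATH
    for m in $(missing_modules "$MODULES" /proc/modules); do
        modprobe "$m" || echo "note: $m not loadable (built into the kernel?)" >&2
    done
    # "Table does not exist (do you need to insmod?)" means this check fails.
    table_present filter || { echo "no filter table: kernel lacks netfilter" >&2; return 1; }
}

# Usage: firewall-preflight start|status|stop  (then runs the posted script)
case "${1:-}" in
    start|status|stop) preflight && exec "/bin/firewall-$1" ;;
esac
```

Run it as root from rc.local or rc.shutdown with the action as its only argument; it exits non-zero instead of running the posted script when iptables or the filter table is unavailable.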
Why not post a question of your own directly related to your problem (maybe link it to this one) rather than resurrect a thread I last posted to in 2004? I haven't made use of a separate firewall in a long time, so I can't directly help you unfortunately. At the time I was still on dial-up; now that I use broadband, my router is configured to drop anything incoming which is unsolicited.
Cheers Amos |
Dropped it in to rc.local and it fires up on boot. |
Ah, shit, necromancing........
|