LinuxQuestions.org
Slackware: This forum is for the discussion of Slackware Linux.

Old 02-13-2004, 04:28 PM   #1
neilcpp
Member
 
Registered: Jul 2003
Location: England
Distribution: Debian Squeezy, FreeBSD 9.0, anything *nix to get my fix
Posts: 318

Rep: Reputation: 31
Easy Slackware Firewall?


I need to set up a firewall on my Slackware system ASAP. Are there any easy programs that I can use to do this? I can't deal with configuring this & that at the moment, I just need a quick-fix solution program where I only need to install an RPM.

I ran Shorewall on my Mandrake system, but I tried to put it on Slack & I kept getting message after message about failed dependencies etc. When I downloaded a needed file I found the system asking for another file & another etc!!



Thanks
 
Old 02-13-2004, 04:48 PM   #2
jong357
Senior Member
 
Registered: May 2003
Location: Columbus, OH
Distribution: DIYSlackware
Posts: 1,914

Rep: Reputation: 52
You can make your own....

---------------------------------------------------------------

#!/bin/sh

# Begin /bin/firewall-start

# Insert connection-tracking modules (not needed if built into the kernel).
# These are the 2.4-kernel module names; 2.6 and later call the conntrack
# modules nf_conntrack and nf_conntrack_ftp instead.
#modprobe ip_tables
#modprobe iptable_filter
#modprobe ip_conntrack
#modprobe ip_conntrack_ftp
#modprobe ipt_state
#modprobe ipt_LOG

# Start from an empty filter table, so running this script a second time
# (for example by hand after it already ran at boot) does not append a
# duplicate copy of every rule below.
iptables -F
iptables -X
iptables -Z

# allow local-only connections
iptables -A INPUT -i lo -j ACCEPT
# free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# permit answers on already established connections
# and permit new connections related to established ones (eg active-ftp)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log everything else: What's Windows' latest exploitable vulnerability?
# (LOG does not stop the packet; the DROP policy below does. Put
# '-m limit --limit 5/min' before '-j LOG' if a scan floods the log.)
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

# set a sane policy: everything not accepted > /dev/null
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# disable ExplicitCongestionNotification - too many routers are still
# ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# If you are frequently accessing ftp-servers or enjoy chatting you might
# notice certain delays because some implementations of these daemons have
# the feature of querying an identd on your box for your username for
# logging. Although there's really no harm in this, having an identd
# running is not recommended because some implementations are known to be
# vulnerable.
# To avoid these delays you could reject the requests with a 'tcp-reset'.
# (Appended with -A this lands after the LOG rule, so each request is
# logged once and then rejected; use -I instead if that is too noisy.)
#iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
#iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT

# To log and drop invalid packets, mostly harmless packets that came in
# after netfilter's timeout, sometimes scans (-I puts them at the top of
# the chain, ahead of the ESTABLISHED,RELATED rule):
#iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix "FIREWALL:INVALID "
#iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP

# End /bin/firewall-start


-----------------------------------------------

#!/bin/sh

# Begin /bin/firewall-status

# -v adds per-rule packet and byte counters (so you can see what is being
# dropped), -n skips reverse DNS lookups that would otherwise make the
# listing hang, --line-numbers gives the index you need for 'iptables -D'.

echo "iptables.mangling:"
iptables -t mangle -v -L -n --line-numbers

echo
echo "iptables.nat:"
iptables -t nat -v -L -n --line-numbers

echo
echo "iptables.filter:"
iptables -v -L -n --line-numbers

# End /bin/firewall-status

------------------------------------------------------

#!/bin/sh

# Begin /bin/firewall-stop

# deactivate IP-Forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward

# Zero the counters, flush every chain and delete every user-defined chain
# in each table. Flushing the whole table (rather than naming chains) also
# catches the INPUT, FORWARD and POSTROUTING chains that newer 2.4 kernels
# added to the mangle table.
for table in filter nat mangle; do
    iptables -t $table -Z
    iptables -t $table -F
    iptables -t $table -X
done

# reopen the default policies: after this nothing is filtered
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# End /bin/firewall-stop

----------------------------------------------------------

That's what I do. It's simple yet very effective. They'll be in your path, so just type the filename and they're activated. Or make a launcher with the command /bin/firewall-start... Up to you.

Last edited by jong357; 02-13-2004 at 09:30 PM.
 
1 members found this post helpful.
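The LOG rule in firewall-start writes one kernel log line per packet that reaches it (on Slackware syslogd puts them in /var/log/messages), which is the raw material for "what packets have been dropped". The following is an added example, not part of jong357's post: two small shell functions that reduce those lines to which ports are being hit and which sources are walking through many ports. The log lines in fw_sample_log are constructed for the example (documentation addresses 203.0.113.0/24 and 198.51.100.0/24), and the function names are mine.

```shell
#!/bin/sh
# Summarise netfilter LOG lines carrying the "FIREWALL:INPUT " prefix
# from firewall-start. Both functions read a log on stdin, e.g.
#   fw_top_ports < /var/log/messages
# Added example, not from the thread; assumes the prefix above and the
# standard "kernel: ... SRC=a.b.c.d ... PROTO=TCP ... DPT=n ..." format.

# Print "count proto dport" per (protocol, destination port), busiest first.
fw_top_ports() {
    grep 'FIREWALL:INPUT' | awk '
    {
        proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        # ICMP lines carry TYPE/CODE instead of DPT and are skipped here.
        if (proto != "" && dpt != "") n[proto " " dpt]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Print "src nports" for every source that touched at least $1 distinct
# destination ports (default 3): a crude but useful port-scan indicator.
fw_scanners() {
    min=${1:-3}
    grep 'FIREWALL:INPUT' | awk -v min="$min" '
    {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        # Count each (src, port) pair once, however many packets it sent.
        if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
    }
    END { for (s in ports) if (ports[s] >= min) print s, ports[s] }' | sort
}

# Constructed sample: one host probing four ports, one host retrying port
# 135, one UDP probe, one ICMP echo and one unrelated kernel message.
fw_sample_log() {
    cat <<'EOF'
Feb 14 03:21:07 slack kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.20 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=4132 DF PROTO=TCP SPT=3421 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 14 03:21:07 slack kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.20 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=4133 DF PROTO=TCP SPT=3422 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 14 03:21:08 slack kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.20 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=4134 DF PROTO=TCP SPT=3423 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 14 03:21:08 slack kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.20 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=4135 DF PROTO=TCP SPT=3424 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 14 03:25:40 slack kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.20 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=911 DF PROTO=TCP SPT=1044 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 14 03:25:43 slack kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.20 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=912 DF PROTO=TCP SPT=1044 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 14 03:30:01 slack kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=198.51.100.44 DST=198.51.100.20 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Feb 14 03:31:15 slack kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.50 DST=198.51.100.20 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Feb 14 03:32:00 slack kernel: eth0: link up, 100Mbps, full-duplex
EOF
}

# Run with --demo to see the summary of the constructed sample.
if [ "${1-}" = "--demo" ]; then
    fw_sample_log | fw_top_ports
    echo
    fw_sample_log | fw_scanners 3
fi
```

With the real log, `grep 'FIREWALL:INPUT' /var/log/messages | fw_scanners 5` lists anything that probed five or more ports; the threshold is the only tunable. Counting distinct (source, port) pairs rather than packets is what separates a retrying client (one port, many packets) from a scanner (many ports).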
Old 02-13-2004, 08:37 PM   #3
neilcpp
Member
 
Registered: Jul 2003
Location: England
Distribution: Debian Squeezy, FreeBSD 9.0, anything *nix to get my fix
Posts: 318

Original Poster
Rep: Reputation: 31
Thanks - but that looks like kernel code to me !!..
 
Old 02-13-2004, 09:18 PM   #4
slackwarefan
Member
 
Registered: Oct 2003
Location: Florida
Distribution: Slackware
Posts: 273

Rep: Reputation: 30
All you have to do is copy the code into 3 separate files and chmod them to 777.
 
Old 02-13-2004, 09:20 PM   #5
jong357
Senior Member
 
Registered: May 2003
Location: Columbus, OH
Distribution: DIYSlackware
Posts: 1,914

Rep: Reputation: 52
No, no, no...... Just copy each section and paste it into a gedit or kedit pad... Save it as either

1. firewall-start
2. firewall-status
3. firewall-stop

Those are scripts..... easy peasy....... The -------------------------------------------------- separates each script. Save the first one as firewall-start, the second one as firewall-status, and the third one as firewall-stop. Save them all into /bin..........

Then when you want to activate your firewall, open up a prompt and type "firewall-start"... It doesn't get any easier than that. If you want to check the status and see what packets have been dropped or allowed thru, type "firewall-status". If you want to disable the firewall, type "firewall-stop"....... This is a very strict yet easy going firewall... It will not allow anything to punch thru unless YOU initiate the transaction..... No difference between this and ZoneAlarm or similar progs for windows.... If you study up, you can get really creative and add all sorts of shit to the first one......

The only thing you need to be aware of is this section of "firewall-start":

#modprobe ip_tables
#modprobe iptable_filter
#modprobe ip_conntrack
#modprobe ip_conntrack_ftp
#modprobe ipt_state
#modprobe ipt_LOG

If all or any of these are built into the kernel, then they need to be commented like they already are... If they are built as modules, the appropriate lines need to be uncommented. These kernel options need to be built as modules or "in-house" for ANY firewall to work. If you're using the stock kernel, like I'm sure you probably are, then forget about it. They are already there... Do this.....

1. Uncomment all of those so it reads:
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe ipt_LOG
2. type "firewall-start". If you get feedback saying that "something or other" is already built into the kernel, then simply put a "#" in front of the corresponding line until you get NO feedback after running "firewall-start"... It's really about the easiest thing you can do....

Last edited by jong357; 02-13-2004 at 09:42 PM.
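The two steps above (put the three files in /bin, then trial-and-error the modprobe lines) can be done by a script. What follows is an added example of my own, not code from the thread. It installs the files with `install` at mode 0755 and root ownership rather than 0777: a world-writable script in /bin that root runs at boot is something any local user can edit, which hands them root on the next reboot. It then loads the modules tolerantly, skipping ones already listed in /proc/modules and reporting (instead of aborting on) ones modprobe cannot load, which is the "already built in" case jong357 describes. The script and module names are the ones quoted above; `MODPROBE` and `PROC_MODULES` are override hooks I added so the loader can be exercised without root.

```shell
#!/bin/sh
# Install the firewall scripts safely and load netfilter modules tolerantly.
# Added example, not from the thread. Assumes the three scripts are staged
# in a directory ($1) and that module names are the 2.4-era ones above.

# Copy firewall-start/status/stop from $1 into $2 (default /bin), mode 0755:
# everyone may read and run them, only root may change them. Ownership is
# forced to root when run as root; otherwise install keeps the caller.
install_firewall_scripts() {
    src=$1; dst=${2:-/bin}
    owner=""
    if [ "$(id -u)" -eq 0 ]; then owner="-o root -g root"; fi
    mkdir -p "$dst" || return 1
    for f in firewall-start firewall-status firewall-stop; do
        # $owner is deliberately unquoted: empty, or two option pairs.
        install $owner -m 0755 "$src/$f" "$dst/$f" || return 1
    done
}

# Load each module named on the command line unless /proc/modules already
# lists it. A modprobe failure is recorded, not fatal: it usually means the
# feature is built into the kernel (or was never compiled at all).
# Results are left in FW_LOADED, FW_SKIPPED and FW_FAILED.
load_netfilter_modules() {
    FW_LOADED=""; FW_SKIPPED=""; FW_FAILED=""
    for m in "$@"; do
        if grep -q "^$m " "${PROC_MODULES:-/proc/modules}" 2>/dev/null; then
            FW_SKIPPED="$FW_SKIPPED $m"
        elif "${MODPROBE:-modprobe}" "$m" 2>/dev/null; then
            FW_LOADED="$FW_LOADED $m"
        else
            FW_FAILED="$FW_FAILED $m"
        fi
    done
    # Strip the leading separator so the lists read cleanly.
    FW_LOADED=${FW_LOADED# }; FW_SKIPPED=${FW_SKIPPED# }; FW_FAILED=${FW_FAILED# }
    printf 'loaded: %s\nalready present: %s\nnot loadable (built in or missing): %s\n' \
        "$FW_LOADED" "$FW_SKIPPED" "$FW_FAILED"
}

# Stand-alone use: ./this-script /path/to/staged/scripts
if [ -n "${1-}" ]; then
    install_firewall_scripts "$1" /bin
    load_netfilter_modules ip_tables iptable_filter ip_conntrack \
        ip_conntrack_ftp ipt_state ipt_LOG
fi
```

After this, the commented modprobe block at the top of firewall-start can be replaced by a call to the loader, and the "feedback" step disappears: a module that is built in simply shows up under "not loadable" once, and the rules are applied regardless.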
 
Old 02-14-2004, 12:46 AM   #6
Minderbinder
Member
 
Registered: Aug 2003
Location: Boston, MA
Distribution: Slackware-current
Posts: 142

Rep: Reputation: 15
You can try kmyfirewall at http://kmyfirewall.sourceforge.net/
 
Old 02-14-2004, 08:05 AM   #7
tharris
Member
 
Registered: Jun 2002
Location: Albany, GA
Distribution: Slackware 9.1, Debian Woody (2.4.18-bf2.4)
Posts: 34

Rep: Reputation: 15
Wow ... Nice
 
Old 02-14-2004, 08:20 AM   #8
amos
Member
 
Registered: Dec 2002
Location: Manchester, UK
Distribution: Debian
Posts: 222

Rep: Reputation: 30
Very, very nice.

Any suggestions for starting it automatically at boot, or whenever I start kppp, and stopping it afterwards?

Cheers
Amos

Last edited by amos; 02-14-2004 at 08:29 AM.
 
Old 02-14-2004, 10:00 AM   #9
Minderbinder
Member
 
Registered: Aug 2003
Location: Boston, MA
Distribution: Slackware-current
Posts: 142

Rep: Reputation: 15
What desktop are you using? In gnome Applications--->control center--->Advanced--->sessions can be used to automatically start programs at boot. KDE probably has a similar tool. I think you can also add the path to /etc/rc.d/rc.local.
 
Old 02-14-2004, 12:35 PM   #10
LinFreak!
Member
 
Registered: Jul 2003
Location: England
Distribution: slack9.1
Posts: 209

Rep: Reputation: 30
Check this webpage out, it has many useful setup procedures for lots of Linux distros.
It recommends "Arno's IPTables Firewall". I have been using it for a long time now and I find it helped me understand how to set it up as the /etc/iptables-firewall.conf file contains lots of information about all the options it uses.
http://jetblackz.cjb.net/
 
Old 02-14-2004, 01:14 PM   #11
amos
Member
 
Registered: Dec 2002
Location: Manchester, UK
Distribution: Debian
Posts: 222

Rep: Reputation: 30
Thanks LinFreak!, I thought it was something like that, I've added the following line to /etc/rc.d/rc.S

Code:
#start firewall
/bin/firewall-start
between the part about mounting non-root filesystems in fstab, and the part about cleaning up some temporary files.

Am I right in thinking that there's no problem with not doing 'firewall-stop' during shutdown, and that it doesn't matter if the 'firewall-start' script is run every time I start up without checking whether anything else is running?

Cheers
Amos
 
Old 02-14-2004, 02:38 PM   #12
LinFreak!
Member
 
Registered: Jul 2003
Location: England
Distribution: slack9.1
Posts: 209

Rep: Reputation: 30
I wouldn't think you would ever need "firewall-stop" on your average home system, or any other system for that matter. If I need to change something I would normally modify the firewall configuration file: /etc/iptables-firewall.conf (specific to arno's firewall i think) then issue the command:-
/etc/rc.d/rc.iptables restart (this may be specific to arno's firewall too, but you get the idea!)
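On amos's question about running firewall-start from rc.S or rc.local on every boot without checking what is already loaded: the cleanest answer is to hand the whole ruleset to iptables-restore, which replaces the filter table in one step, so re-running it produces the same table every time and there is no moment with an empty chain under a DROP policy. Starting it before rc.inet1 brings the interfaces up is fine, since none of these rules name a real interface. The script below is an added example of my own, not code from the thread or from Arno's firewall; it reproduces the policy of jong357's firewall-start (loopback in, everything out, only replies in), adds a rate limit on the LOG rule, and assumes iptables-restore is installed (it ships with the iptables package). `FW_TCP_PORTS` and `FW_LOG_PREFIX` are variables I introduced.

```shell
#!/bin/sh
# Atomic, re-runnable firewall load for /etc/rc.d/rc.local (or rc.S).
# Added example, not from the thread. Assumes iptables-restore is present.
# FW_TCP_PORTS: space-separated TCP ports to expose, e.g. "22" (assumed
# variable; empty by default, which matches the original script).

FW_TCP_PORTS=${FW_TCP_PORTS:-}
FW_LOG_PREFIX=${FW_LOG_PREFIX:-"FIREWALL:INPUT "}

# Print the complete filter table in iptables-save format. iptables-restore
# swaps the old table for this one atomically, so calling this at every boot
# never duplicates rules and never leaves the chains half built.
fw_render() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections we started, and related ones (active-FTP data).
    # On current kernels '-m conntrack --ctstate' is the preferred spelling.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Packets belonging to no tracked connection are dropped without logging.
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    for p in $FW_TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Log the rest, capped: an unlimited LOG rule on a public address can
    # fill the disk during a scan. The DROP policy does the actual dropping.
    printf '%s\n' "-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix \"$FW_LOG_PREFIX\""
    printf '%s\n' 'COMMIT'
}

# Load the table; on a parse error iptables-restore changes nothing.
fw_apply() {
    fw_render | iptables-restore || {
        echo "firewall: load failed, previous rules left in place" >&2
        return 1
    }
    # A single host does not route for others.
    echo 0 > /proc/sys/net/ipv4/ip_forward
}

case ${1-} in
    --show)  fw_render ;;   # review the rules without touching the kernel
    --apply) fw_apply ;;    # what rc.local should call
esac
```

`fw_render` is the part worth testing, because the rules are just text until `--apply`: run `--show` after any edit and diff it against `iptables-save` output on the running box. Because the table is rendered from variables, opening a port is a one-line change to `FW_TCP_PORTS` rather than an edit inside the rule list.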
 
Old 02-14-2004, 03:08 PM   #13
amos
Member
 
Registered: Dec 2002
Location: Manchester, UK
Distribution: Debian
Posts: 222

Rep: Reputation: 30
Yep, I get the idea.

Cheers all.
Amos
 
Old 02-14-2004, 11:16 PM   #14
jong357
Senior Member
 
Registered: May 2003
Location: Columbus, OH
Distribution: DIYSlackware
Posts: 1,914

Rep: Reputation: 52
/etc/rc.d/rc.local is a good file to use.... I run hdparm optimizations on all drives, adsl-start and /bin/firewall-start thru that.... I don't anymore actually except hdparm, but that's the file that will run any command you want before you hit login..... There are all sorts of firewalls out there... They are bookmarked on my Arch partition... I'm on Slack and don't feel like rooting for them right now... Firestarter is one that I can remember... I don't trust em tho.... Anything that has a GUI and asks for a yes or a no, I just don't trust. I'd rather use a script..... I'd sooner boot into Windows and use ZoneAlarm if I wanted that kinda stuff, tho ZoneAlarm is pretty tight...... My personal opinion anyway.... Up to the individual....

Jon
 
Old 02-14-2004, 11:32 PM   #15
subekk0
Member
 
Registered: Sep 2003
Location: Dallas, TX.
Distribution: Slacking since '94
Posts: 153

Rep: Reputation: 32
guarddog

guarddog has a nice "simple" gui. http://www.simonzone.com/software/guarddog/#download
 