Slackware: This forum is for the discussion of Slackware Linux.
Easy Slackware Firewall?
I need to set up a firewall on my Slackware system asap. Are there any easy programs that I can use to do this? I can't deal with configuring this & that at the moment, I just need a quick fix solution program where I only need to install an rpm.
I ran shorewall on my Mandrake system, but I tried to put it on Slack & I kept getting message after message about failed dependencies etc. When I downloaded a needed file I found the system asking for another file & another etc!!
#!/bin/sh
# set a sane policy: everything not accepted > /dev/null
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr
# disable ExplicitCongestionNotification - too many routers are still
echo 0 > /proc/sys/net/ipv4/tcp_ecn
# If you are frequently accessing ftp-servers or enjoy chatting you might
# notice certain delays because some implementations of these daemons have
# the feature of querying an identd on your box for your username for
# logging. Although there's really no harm in this, having an identd
# running is not recommended because some implementations are known to be
# To avoid these delays you could reject the requests with a 'tcp-reset':
#iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
#iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT
# To log and drop invalid packets, mostly harmless packets that came in
# after netfilter's timeout, sometimes scans:
# (the LOG rule goes first so the packet is logged before the DROP rule sees it)
#iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix "FIREWALL:INVALID "
#iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP
Those are scripts..... easy piecey....... The -------------------------------------------------- separates each script. Save the first one as firewall-start, the second one as firewall-status, and the third one as firewall-stop. Save them all into /bin..........
Then when you want to activate your firewall, open up a prompt and type "firewall-start"... It doesn't get any easier than that. If you want to check the status and see what packets have been dropped or allowed thru, type "firewall-status". If you want to disable the firewall, type "firewall-stop"....... This is a very strict yet easy going firewall... It will not allow anything to punch thru unless YOU initiate the transaction..... No difference between this and ZoneAlarm or similar progs for windows.... If you study up, you can get really creative and add all sorts of shit to the first one......
The only thing you need to be aware of is this section of "firewall-start":
If all or any of these are built into the kernel, then they need to be commented like they already are... If they are built as modules, the appropriate lines need to be uncommented. These kernel options need to be built as modules or "in-house" for ANY firewall to work. If you're using the stock kernel, like I'm sure you probably are, then forget about it. They are already there... Do this.....
1. Uncomment all of those so it reads:
2. Type "firewall-start". If you get feedback saying that "something or other" is already built into the kernel, then simply put a "#" in front of the corresponding line until you get NO feedback after running "firewall-start"... It's really about the easiest thing you can do....
What desktop are you using? In gnome Applications--->control center--->Advanced--->sessions can be used to automatically start programs at boot. KDE probably has a similar tool. I think you can also add the path to /etc/rc.d/rc.local.
Check this webpage out, it has many useful setup procedures for lots of Linux distros.
It recommends "Arno's IPTables Firewall". I have been using it for a long time now and I find it helped me understand how to set it up as the /etc/iptables-firewall.conf file contains lots of information about all the options it uses. http://jetblackz.cjb.net/
Thanks LinFreak!, I thought it was something like that, I've added the following line to /etc/rc.d/rc.S
between the part about mounting non-root filesystems in fstab, and the part about cleaning up some temporary files.
Am I right in thinking that there's no problem with not doing 'firewall-stop' during shutdown, and that it doesn't matter if the 'firewall-start' script is run every time I start up without checking whether anything else is running?
I wouldn't think you would ever need "firewall-stop" on your average home system, or any other system for that matter. If I need to change something I would normally modify the firewall configuration file: /etc/iptables-firewall.conf (specific to arno's firewall i think) then issue the command:-
/etc/rc.d/rc.iptables restart (this may be specific to arno's firewall too, but you get the idea!)
/etc/rc.d/rc.local is a good file to use.... I run hdparm optimizations on all drives, adsl-start and /bin/firewall-start thru that.... I don't anymore actually except hdparm, but that's the file that will run any command you want before you hit login..... There are all sorts of firewalls out there... They are bookmarked on my Arch partition... I'm on Slack and don't feel like rooting for them right now... Firestarter is one that I can remember... I don't trust em tho.... Anything that has a gui and asks for a yes or a no, I just don't trust. I'd rather use a script..... I'd sooner boot into Windows and use ZoneAlarm if I wanted that kinda stuff, tho ZoneAlarm is pretty tight...... My personal opinion anyway.... Up to the individual....
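The three-script setup the thread describes (firewall-start / firewall-status / firewall-stop) and the question about re-running it at every boot, folded into one POSIX shell script as an added example; this is not code posted in the thread or shipped by Slackware. The rule set is an assumption: default-DROP policies as in the fragment above, loopback allowed, and only traffic this host initiated (ESTABLISHED,RELATED) allowed back in. Setting IPTABLES=echo previews the rules without root.

```sh
#!/bin/sh
# Minimal stateful firewall in the style of the thread's three scripts.
# Added example; IPTABLES=echo prints the rules instead of applying them.
IPTABLES="${IPTABLES:-iptables}"

fw_start() {
    # Default policy: drop everything no rule explicitly accepts.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP
    # Flush first, so running this on every boot does not stack rules.
    $IPTABLES -F
    $IPTABLES -X
    # Loopback is local only; many daemons need it.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    # This host may open connections and keep talking on them...
    $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # ...but only replies to those connections are let back in.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Log (rate-limited) and drop whatever is left; same effect as the
    # DROP policy, but the counters and log show what was refused.
    $IPTABLES -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FIREWALL:DROP "
    $IPTABLES -A INPUT -j DROP
}

fw_stop() {
    # Open policies and flush: the machine is unprotected after this.
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F
    $IPTABLES -X
}

fw_status() {
    # Per-rule packet/byte counters show what was accepted or dropped.
    $IPTABLES -L -v -n
}

# Dry run in a subshell so the echo override does not leak out.
fw_preview() { ( IPTABLES=echo; fw_start ); }
# Number of iptables invocations fw_start makes (handy for checking).
fw_rule_count() { fw_preview | grep -c -- '^-[APFX]'; }

case "${1:-}" in
    start)  fw_start ;;
    stop)   fw_stop ;;
    status) fw_status ;;
    *)      echo "usage: $0 {start|stop|status}" ;;
esac
```

Saved as /bin/firewall and called from /etc/rc.d/rc.local as "/bin/firewall start", it gives the same behaviour as the three separate scripts; because fw_start flushes before adding rules, starting it at every boot without checking for an earlier run is harmless.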