Generic Firewall script
SCerovec asked about a generic firewall script in the suggestions for current thread. How about this? (Didn't want to clutter the other thread, don't remember where I got them either for proper attribution.) I've used these for a long time.
firewall-start Code:
#!/bin/sh Code:
#!/bin/sh Code:
#!/bin/sh |
No idea how to make a generic set of rules; I mean, one could only accept :443 by default, and then get Doom players complaining about :666 not being open.
There's always something not working with those generic setups; even if everything is foreseen (unlikely), someone will go out of their way to create a new situation and corner case. As for a minimal set of client rules, and since :443 is the most common port these days, I'd just do something like this without complicating it too much: Code:
IP0=example.ip.address.here
Sure thing, ftp is broken when not specified; these rules are designed to obviously break things. If you design rules to allow all things then it's not the most secure set of rules. And some countries are known to enforce different rules, so it does not matter what a generic firewall script will do, and there is much potential for it to fail. Not to mention there's also the Slackware server userbase, who will all laugh at the rule which does not accept INPUT NEW, while it's a common source of trouble on clients. So once again there will be conflict for no reason at all, as with all the other standard generic things which claim that one size fits all. |
Writing a firewall script is like making bolognese sauce, everybody has their own twist to achieve the perfect outcome.
So, I look at Code:
# set a sane policy: everything not accepted > /dev/null
Code:
#######################################################################
My 'drop-and-log-it' chain sends output to dmesg rather than a separate file, as it maintains the sequence with other events. Then there is the question of services that might best be opened by default. As a network tool, ping can be very useful, but might be considered a security threat. New users have a tough time with SSH without the problem of a firewall blocking connection attempts. One group of users might say CUPS should be open by default, so that all users on the LAN can access my USB connected printer. Others will say no need for that, so it should be closed by default. Should there be example entries for NFS, Samba, SMTP, PXE, Icecream, media servers etc.? Or could these be in separate files that are sourced by the rc.firewall script? What about a laptop user who might use a wired connection, a wifi connection or a USB modem connection that require different firewall requirements? I think the generic firewall is as simple as the universally perfect bolognese sauce. |
Well, that's a start already!
I'd add hooks for pre-, mid- and post- rules, so the script has the potential for seamless updates without stomping out any custom rules (said game servers, samba or what have you). Not as elaborate as <progname>.d/<numbered directory entries>, but the mere pre.<name>.sh, post.<name>.sh and mid.<name>.sh scripts, not shipped with but mentioned as comments in the main <name>.sh file, just like /etc/resolv.conf does for instance. The <name> could be either firewall, iptables or something catchy instead (itc? (Ip Tables Configurator)). The gorilla in the room is where we draw the line in the sand of what is generic. I'd say the kiosk-mode use case: a case that has nothing to be subtracted from and still be called a firewall. |
@SCerovec - You said generic!
I do not do gaming, nor do I have mail servers or other special use stuff. You also said further use cases would require more reading and due diligence (paraphrased a bit...ok a lot :) ). |
If you want to put this into rc.firewall you will need start/stop commands. Moreover, what is missing is an indication that the firewall is up. Say, you could create a lock file under /var. Or create a fake process indicating the running firewall.
Edit: If stat represents firewall statistics, better to put it into crontab and output to syslog. Just a common place for any system information. |
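Pulling together the points raised so far (a drop-and-log chain that goes to dmesg, pre/mid/post hook scripts sourced by the main script, and start/stop commands plus a lock file under /var to show the firewall is up), here is a skeleton rc.firewall written as an added example; it is not any poster's script. The hook directory, lock file path, chain name DROPLOG and the IPT variable (which can be set to a dry-run command) are this example's own assumptions.

```shell
#!/bin/sh
# rc.firewall skeleton: start/stop/status, a lock file, and pre/mid/post hooks.
# Added example, not the thread's script. Assumptions (override via environment):
#   IPT=iptables binary (IPT="echo iptables" dry-runs), HOOKDIR=hook directory,
#   LOCK=file whose presence means "the firewall is raised"
IPT="${IPT:-iptables}"
HOOKDIR="${HOOKDIR:-/etc/rc.d/firewall.d}"
LOCK="${LOCK:-/var/lock/firewall}"

# source an optional hook (pre, mid or post) if the admin shipped one
run_hook() {
    if [ -r "$HOOKDIR/$1.firewall.sh" ]; then . "$HOOKDIR/$1.firewall.sh"; fi
}

# 'drop-and-log-it' chain: rate-limited LOG to the kernel ring buffer (dmesg), then DROP
make_dropchain() {
    $IPT -N DROPLOG
    $IPT -A DROPLOG -m limit --limit 5/min -j LOG --log-prefix "FW drop: " --log-level 4
    $IPT -A DROPLOG -j DROP
}

fw_start() {
    run_hook pre                      # runs before anything is touched
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
    $IPT -F; $IPT -X                  # flush rules, delete old user chains
    make_dropchain
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run_hook mid                      # per-host services: ssh, cups, samba, game ports ...
    $IPT -A INPUT -j DROPLOG          # everything else is accounted for, not silently ignored
    run_hook post                     # NAT / FORWARD rules, or -I rules that must go first
    : > "$LOCK"
}

fw_stop() {
    $IPT -P INPUT ACCEPT; $IPT -P FORWARD ACCEPT; $IPT -P OUTPUT ACCEPT
    $IPT -F; $IPT -X
    rm -f "$LOCK"
}

# exit status 0 while the firewall is up, 1 otherwise
fw_status() { [ -e "$LOCK" ]; }

case "${1:-}" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_stop; fw_start ;;
    status)  if fw_status; then echo "firewall is up"; else echo "firewall is down"; fi ;;
esac
```

Run it as `IPT="echo iptables" HOOKDIR=/tmp/hooks LOCK=/tmp/fwlock sh rc.firewall start` to see the rule sequence without touching the live tables.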
a skeleton:
rc.firewall: Code:
#!/bin/bash |
Quote:
A "raised firewall" means all incoming traffic is organized and sanely accounted for (DROP, LOG, whatever) instead of silently ignored (or worse yet - served). Since there is nothing "running" there is nothing to crash either - one merely saws the branch he's sitting on (kind of literally) and has to come by foot to the machine and fix the error - or else everything works just fine more or less. |
Why use a generic firewall (someone will have to maintain it) instead of one of these like arno-iptables-firewall (run a script, answer questions, get a firewall) which has been around for at least about 2 decades, and is continually being updated? https://slackbuilds.org/result/?search=firewall&sv=14.2
https://github.com/arno-iptables-firewall/aif/ https://www.linode.com/docs/guides/c...ebian-5-lenny/ I wanted to ask this in the Current thread, why does Slackware need a firewall solution when computers are behind a router's firewall and there are easily installable firewalls available at slackbuilds? |
At the risk of sounding cranky, may I ask what's a "generic" firewall script?
I remember myself being a total firewalling noob years ago and getting scared of those carpets of iptables rules (I'm by no means an expert now, but I already know the basics well enough to be able to support my own personal needs). I also remember instantly becoming more confident after stopping to think in terms of abstract things like "generic" or "best" or "shortest" or "safest" or whatever. My firewall ruleset always solves a well defined problem (or a set of them). I get to pick the default policy (ACCEPT or DROP), I get to decide if I have a big subset of rules that filter all incoming traffic and another big subset of rules that filter all outgoing traffic, or if I have many per-task rule blocks containing both incoming and outgoing traffic rules etc. OP, what's your definition of "generic" in this context? |
Quote:
Ever joined an install fest or a LAN party? Internet café? |
Quote:
I should understand that for you it is unimaginable to use Slackware on a laptop you are supposed to carry with you and connect to various WiFi or Ethernet networks? Considering Slackware's "thrilling feature" of being sent to RTFM for a more or less lame but self-made firewall, well... I tend to agree with you. :p |
Guys, I have a question for you:
Slackware has basically the "default" network management done by NetworkManager for "home" use, while I understand that the networking from /etc/rc.d is supposed to be used mainly by servers. So, how does your Generic Firewall integrate with the network connections managed by NetworkManager? |
I use a script /etc/NetworkManager/dispatcher.d/25_SetFirewall
Code:
#!/bin/sh |
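The dispatcher approach above, written out as an added example rather than the poster's own script: NetworkManager runs every script in /etc/NetworkManager/dispatcher.d with the interface name as the first argument and the action (up, down, pre-up, dhcp4-change, ...) as the second. The profile names, the FW_PROFILE variable and the assumption that /etc/rc.d/rc.firewall accepts restart/stop and reads FW_PROFILE are this example's own.

```shell
#!/bin/sh
# /etc/NetworkManager/dispatcher.d/25_SetFirewall: re-raise the firewall per connection.
# Added example, not the poster's script. NetworkManager calls dispatcher scripts as
# "<script> <interface> <action>". The profile names and the FW_PROFILE variable that
# the assumed /etc/rc.d/rc.firewall reads are this example's own convention.
RC_FIREWALL="${RC_FIREWALL:-/etc/rc.d/rc.firewall}"
LOGGER="${LOGGER:-logger -t SetFirewall}"

# map an interface name to a firewall profile: wired, wifi or USB/mobile modem
profile_for() {
    case "$1" in
        eth*|en*)        echo lan ;;
        wl*)             echo wifi ;;
        ppp*|wwan*|usb*) echo mobile ;;
        *)               echo strict ;;   # unknown interface: tightest rules
    esac
}

# handle one dispatcher event; only up/down touch the firewall, the rest are ignored
dispatch() {
    iface=$1 event=$2
    case "$event" in
        up)   FW_PROFILE=$(profile_for "$iface"); export FW_PROFILE
              "$RC_FIREWALL" restart ;;
        down) "$RC_FIREWALL" stop ;;
        *)    return 0 ;;               # pre-up, dhcp4-change, hostname, vpn-* ...
    esac
    $LOGGER "$event on $iface handled by rc.firewall"
}

dispatch "${1:-}" "${2:-}"
```

Each NetworkManager event is a fresh process, so FW_PROFILE only lives for the one rc.firewall invocation it is exported to.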