LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices

Reply
 
Search this Thread
Old 06-29-2012, 12:27 AM   #16
allend
Senior Member
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware-current
Posts: 3,379

Rep: Reputation: 824Reputation: 824Reputation: 824Reputation: 824Reputation: 824Reputation: 824Reputation: 824

Quote:
However, currently there is not a tool to do this on the system if it's offline. If you want to use AlienBobs EFG, you have to be online.
As I explained, you can get a minimal secure firewall from the default Slackware install.
If you want to trust your security to a script provided by someone else over the web, then feel free. I choose not to do so.
 
3 members found this post helpful.
Old 06-29-2012, 01:54 AM   #17
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269
Well, it should be choice during the install, something like "Would you like to configure a minimal firewall ?". Obviously, experts will choose no, and do it themselves. Newbies and lazy users (like me) will choose yes. It will improve default security in these cases. I don't see anything wrong with AlienBob's EFG, I've never had problems with and it provides good protection as I see from online tests.
 
1 members found this post helpful.
Old 06-29-2012, 02:46 AM   #18
NoStressHQ
Member
 
Registered: Apr 2010
Location: Lausanne - Switzerland ( Bordeaux - France / Montreal - QC - Canada)
Distribution: Slackware Leet - 32/64bit
Posts: 271

Rep: Reputation: 87
Quote:
Originally Posted by ReaperX7 View Post
However, currently there is not a tool to do this on the system if it's offline. If you want to use AlienBobs EFG, you have to be online.
That's not true: the bash script conversion I did (see above) is a port of the PHP generator as a BASH script... It IS DONE to be run "offline"...

Edit: well, to be fair, it's a port of "parts" of the php script I used... I might (will) require some improvement and more features... But I'm ok to do this work if people need those features.

Last edited by NoStressHQ; 06-29-2012 at 03:21 AM.
 
Old 06-29-2012, 02:47 AM   #19
NoStressHQ
Member
 
Registered: Apr 2010
Location: Lausanne - Switzerland ( Bordeaux - France / Montreal - QC - Canada)
Distribution: Slackware Leet - 32/64bit
Posts: 271

Rep: Reputation: 87
Quote:
Originally Posted by cikrak View Post
It would be nice if your script going to /testing first of Slackware-current. Hope your project will get more attention from Slackware users to try,test, and improve it.



It doesn't hurt everyone NoStressHQ is ready now to take an action without Stress
Yeah and I'd be glad to package it as a "slackbuild", and work on improvements on it.

Cheers
 
Old 06-29-2012, 02:57 AM   #20
solarfields
Member
 
Registered: Feb 2006
Location: Outer Shpongolia
Distribution: Slackware
Posts: 448

Rep: Reputation: 116Reputation: 116
It would be very nice to have an easy way to set up a firewall.
I actually still use Chess Griffin's firewall from a document I found years ago titled Slackware security (IIRK). Thanks Chess! And thanks to allend for pointing to /etc/ppp/firewall-standalone! I had never looked there...
 
Old 06-29-2012, 06:16 AM   #21
cikrak
Member
 
Registered: Sep 2006
Location: Surabaya, Indonesia
Distribution: Slackware
Posts: 35

Rep: Reputation: 5
Quote:
Originally Posted by NoStressHQ View Post
Yeah and I'd be glad to package it as a "slackbuild", and work on improvements on it.

Cheers
I propose the name like NoStressHQ-*.txz No Stress for lazy Slackers, HIGH QUALITY firewall

Cheers
 
Old 06-29-2012, 07:13 AM   #22
allend
Senior Member
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware-current
Posts: 3,379

Rep: Reputation: 824Reputation: 824Reputation: 824Reputation: 824Reputation: 824Reputation: 824Reputation: 824
My problem with an easier firewall setup is that it encourages a user to think that all that needs to be done to securely set up services such as NFS or SSH is elect to start the daemon during the install and then open ports in the firewall. Both the examples that I cite require further changes to a default Slackware install in order to to achieve an appropriately configured and secure setup. Merely opening ports in a firewall is only part of the setup process.
I do not wish to denigrate firewall setup scripts. I have used Alien_Bob's EFG and have learned from the output.
 
Old 06-29-2012, 02:51 PM   #23
ReaperX7
Senior Member
 
Registered: Jul 2011
Distribution: LFS-SVN, Slackware-14.1, PCBSD-10.0
Posts: 2,863
Blog Entries: 15

Original Poster
Rep: Reputation: 743Reputation: 743Reputation: 743Reputation: 743Reputation: 743Reputation: 743Reputation: 743
The point of the tools is to at least get some basic level of security integrated into Slackware's setup not for the advanced users with their custom setup scripts, but for beginner/novice users who don't understand the complex startup scripts for IPTables.

For many users starting out, they don't understand how anything works on Linux until AFTER they get online and start reading. Before they get online they have a system that is NOT secure even in the least. It's only after they get everything from online websites, documents, and such they finally learn how to setup a Firewall on Linux, but by that time, it could be too late. The basic firewall or even advanced setup script(s) that could be implemented at least offer some fundamental baseline for what type of security we should strive for. Even at the most basic level of configuration AlienBOB's script does block a lot of unwanted traffic and only allows valid protocols from applications loaded.

For the advanced users running servers, yes we don't need it and that part of the setup and system configuration CAN be skipped. Even I don't use the basic setup of AlienBOB's script. I actually have some customizations just for my system to handle ports, protocols, and which traffic from other systems on my network can see and communicate with my machine, but in comparison, something is better than nothing. By offering at least some basic level we can at least tell the beginner user, "Yes you have a firewall setup tool, yes the firewall works, and yes your system has protection, but there are documents out there to allow for more advanced features when and if you need them."

This tool is needed for the system regardless of how we look at it. Yes, it's not a tool for advanced users, but for beginners it's a sign that the project cares about your security.

And as stated, if you don't want to use it, you can skip it... Just like some of us skip the installation section to create a Bootable USB Stick for LILO, and Testing Custom Screen Fonts.
 
3 members found this post helpful.
Old 06-29-2012, 10:24 PM   #24
cikrak
Member
 
Registered: Sep 2006
Location: Surabaya, Indonesia
Distribution: Slackware
Posts: 35

Rep: Reputation: 5
Quote:
Originally Posted by ReaperX7 View Post
"Yes you have a firewall setup tool, yes the firewall works, and yes your system has protection, but there are documents out there to allow for more advanced features when and if you need them."
This tool will give enough time for coffee morning break while thinking advanced features,...or handle another non technical stuff (from the first online).
 
Old 06-29-2012, 10:55 PM   #25
volkerdi
Slackware Maintainer
 
Registered: Dec 2002
Location: Minnesota
Distribution: Slackware! :-)
Posts: 858

Rep: Reputation: 1668Reputation: 1668Reputation: 1668Reputation: 1668Reputation: 1668Reputation: 1668Reputation: 1668Reputation: 1668Reputation: 1668Reputation: 1668Reputation: 1668
Quote:
Originally Posted by ReaperX7 View Post
For many users starting out, they don't understand how anything works on Linux until AFTER they get online and start reading. Before they get online they have a system that is NOT secure even in the least.
Really? I'm curious where the security issues are on a freshly installed, unfirewalled machine that would let people break in the moment you got online.
 
4 members found this post helpful.
Old 06-29-2012, 11:17 PM   #26
allend
Senior Member
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware-current
Posts: 3,379

Rep: Reputation: 824Reputation: 824Reputation: 824Reputation: 824Reputation: 824Reputation: 824Reputation: 824
Quote:
Originally Posted by ReaperX7
"Yes you have a firewall setup tool, yes the firewall works, and yes your system has protection, but there are documents out there to allow for more advanced features when and if you need them."
That reads a lot like:
Quote:
If you need to set up your Linux machine as a router for other systems,
you'll want to set up the interfaces in /etc/rc.d/rc.inet1.conf, and
set up NAT support with something like this in /etc/rc.d/rc.firewall,
and then make rc.firewall executable.

# Delete and flush. Default table is "filter".
# Others like "nat" must be explicitly stated.
iptables --flush
# Flush all the rules in filter and nat tables
iptables --table nat --flush
# Delete all chains that are not in default filter and nat table
iptables --delete-chain
iptables --table nat --delete-chain
# Set up IP FORWARDing and Masquerading
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
echo "Enabling ip_forwarding..."
echo 1 > /proc/sys/net/ipv4/ip_forward

It's possible to expand (or reduce ;-) this script for just about any
firewall needed. See "man iptables" for lots of information.
All Slackware users should know where that quote came from.
 
4 members found this post helpful.
Old 07-01-2012, 04:29 AM   #27
NoStressHQ
Member
 
Registered: Apr 2010
Location: Lausanne - Switzerland ( Bordeaux - France / Montreal - QC - Canada)
Distribution: Slackware Leet - 32/64bit
Posts: 271

Rep: Reputation: 87
Quote:
Originally Posted by allend View Post
That reads a lot like:

All Slackware users should know where that quote came from.
That's a shade I dislike... Are we "playing a game" ? Do you want to know who's got the bigger d*ck ?? Seriously... That reminds one of my colleague "playing teacher" with another one instead of just doing its job...

Where are the "leader board" so I can see if me too I can be "the geekier slacker around" ??? I like slackware because it's straightforward, vanilla and so on... NOT because it makes me feel superior to other people because *I* would know in which deeply hidden documentation some quote is...

Seriously that is off topic and does not help the debate...

The debate is: There ARE noobs, even using Slackware, and even if you don't mind, there also are professionals (myself) not willing to write many time the same stuff... sorry, I'm a programmer, for 23 years now, and I never like writing the same thing twice, moreover I got the brain to automate a "dull task"... If you like doing those no brain task by hand that's your freedom, having some tool that helps people not to write the script, just using easy and human readable data (yet itself a script that can itself be generated or whatever), I really don't understand where it bothers the one that like to type useless stuff (yes useful, but brainless once you have done it), they can... The one who'd rather have a life instead of opening vi etc, those people would be able to do something else AND have a firewall AND have a control on how this firewall is setup.

I'm not into the graphical tools... BUt complaining because a helper, not mandatory, could be too easy for the people... Sorry but this is deeply stupid...

(Nothing personal allend, this is the content of your message that brang one of my turns, something like that http://www.youtube.com/watch?v=kG36n8vFAmE )

Last edited by NoStressHQ; 07-01-2012 at 05:27 AM.
 
1 members found this post helpful.
Old 07-01-2012, 04:37 AM   #28
NoStressHQ
Member
 
Registered: Apr 2010
Location: Lausanne - Switzerland ( Bordeaux - France / Montreal - QC - Canada)
Distribution: Slackware Leet - 32/64bit
Posts: 271

Rep: Reputation: 87
Quote:
Originally Posted by volkerdi View Post
Really? I'm curious where the security issues are on a freshly installed, unfirewalled machine that would let people break in the moment you got online.
Hi Pat,

Sorry, but there is at least another one, obviously it's unfirewalled, but also SSH deamon accept root connection (this is not a safe behavior for a server plugged directly on the web).
Edit: well, thinking about that, it's not really a "leak", you really need to be able to connect as root during the early install phase, and the fact that you should first create a user then, disable the remote root access, is a "good habit", but the system can't do or propose a lot more without getting into something overkill.

There might be some other, but I don't remind at the time (..of wakening )...

BTW, we are not criticizing nor willing to impose anything on slackware, we just propose things that we think could be useful to some of us, and if it can help "noobs" to come to slackware, I'd be happy.

Thanks for all the hard work,

Cheers

Garry.

Last edited by NoStressHQ; 07-01-2012 at 06:11 AM.
 
1 members found this post helpful.
Old 07-01-2012, 06:44 AM   #29
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269
Quote:
Originally Posted by NoStressHQ View Post
Hi Pat,

Sorry, but there is at least another one, obviously it's unfirewalled, but also SSH deamon accept root connection (this is not a safe behavior for a server plugged directly on the web).
Edit: well, thinking about that, it's not really a "leak", you really need to be able to connect as root during the early install phase, and the fact that you should first create a user then, disable the remote root access, is a "good habit", but the system can't do or propose a lot more without getting into something overkill.

There might be some other, but I don't remind at the time (..of wakening )...

BTW, we are not criticizing nor willing to impose anything on slackware, we just propose things that we think could be useful to some of us, and if it can help "noobs" to come to slackware, I'd be happy.

Thanks for all the hard work,

Cheers

Garry.
I agree. It stops port scanning, where hackers look for vulnerable services with open and unfirewalled ports. It helps prevent exploitation of bugs in unpatched services or unknown exploits in services with open ports. I don't see how not having a firewall by default is more secure than having a basic one. The first thing I do after installing slackware is copy in my old rc.firewall (one generated by EFG).
 
Old 07-01-2012, 08:18 AM   #30
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 5,189

Rep: Reputation: Disabled
Quote:
Originally Posted by NoStressHQ View Post
That's a shade I dislike... Are we "playing a game" ? Do you want to know who's got the bigger d*ck ?? Seriously... That reminds one of my colleague "playing teacher" with another one instead of just doing its job...

Where are the "leader board" so I can see if me too I can be "the geekier slacker around" ??? I like slackware because it's straightforward, vanilla and so on... NOT because it makes me feel superior to other people because *I* would know in which deeply hidden documentation some quote is...

Seriously that is off topic and does not help the debate...
It is not off-topic actually. That quote is taken from the email root has in her mailbox immediately after a fresh install of Slackware...
In Slackware 13.37 that email has the subject "Welcome to Linux (Slackware 13.37)!" and you are well-advised to read it!

Also, Slackware does not activate the SSH daemon by default. You, the person installing Slackware, makes the conscious decision of activating it (or not) during installation.

Eric
 
4 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Easy Slackware Firewall? neilcpp Slackware 26 06-28-2013 09:28 PM
[SOLVED] Question about Eric Hameleers' firewall generator Switch7 Slackware 6 11-26-2009 07:06 AM
Want an easy password generator? Try this :) taskara Linux - General 4 07-24-2005 11:02 PM
Iptables Sample Firewall Generator mqe Linux - Security 2 06-20-2002 02:12 PM
firewall - iptables - generator mqe Linux - Networking 0 06-20-2002 03:09 AM


All times are GMT -5. The time now is 08:07 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration