LinuxQuestions.org
Old 07-01-2012, 09:53 AM   #31
ppr:kut
Member
 
Registered: Aug 2006
Location: Netherlands
Distribution: Slackware
Posts: 356

Rep: Reputation: 91

Because I think it fits: http://noobfarm.org/viewquote.php?id=1667
 
5 members found this post helpful.
Old 07-01-2012, 10:38 AM   #32
NonNonBa
Member
 
Registered: Aug 2010
Distribution: Slackware
Posts: 61

Rep: Reputation: 21
Quote:
Originally Posted by NoStressHQ
Sorry, but there is at least another one, obviously it's unfirewalled, [...]
Not absolutely true. I don't know about other countries, but I don't think the French ISPs are particularly innovative. There, the boxes provided by the ISPs are configured to reject all the input connections, so the real problem is more to succeed in dealing with insane web interfaces to finally get the ports you need open.

Quote:
Originally Posted by NoStressHQ
[...] but also the SSH daemon accepts root connections (this is not a safe behavior for a server plugged directly on the web).
In the case of a headless machine, it's just the sane default setting. This is the problem when you want a "noob-proof" thing: you are drawn to fight the skilled users, who will first have to break the default config to then do what they need.

However, I agree IPtables is not the easiest thing to deal with when you want to learn to control the firewall. Many people -- and not only noobs -- seem to dream of a Linux clone of OpenBSD's pf (and indeed nftables was heading that way). Maybe including shorewall or this kind of thing could help to fix this...

Last edited by NonNonBa; 07-01-2012 at 10:41 AM. Reason: Bad English, as usual...
 
3 members found this post helpful.
Old 07-01-2012, 12:13 PM   #33
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269
Quote:
Originally Posted by NonNonBa
Maybe including shorewall or this kind of thing could help to fix this...
It's true it might be a better idea. I mean I no longer use the slackware internet config scripts, I use wicd, because it is a lot easier to work with especially with wifi. Still, I guess I could install shorewall or something like it myself ... you know I just might.
 
Old 07-01-2012, 03:24 PM   #34
ReaperX7
Senior Member
 
Registered: Jul 2011
Distribution: LFS-SVN, Slackware-14.1, PCBSD-10.0
Posts: 2,994
Blog Entries: 15

Original Poster
Rep: Reputation: 752
Shorewall, from the last times I've tried to use it, takes a lot of configuration time to set up, configure, reconfigure several times, hoping you get it right. A script to configure Shorewall would be a real undertaking though, but would make the process easier to set up everything and the fact that Shorewall6 supports IPv6 would be a good addition as well.

Perhaps a small compromise...

Could an offline form of AlienBOB's webpage for setting up the IPTables firewall be included on the DVD in /extra?

Last edited by ReaperX7; 07-01-2012 at 10:41 PM.
 
Old 07-02-2012, 01:06 PM   #35
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269
What about firewall builder, it looks reasonably easy to use:
http://www.fwbuilder.org/
You can use it to generate scripts in a similar but more GUI way. It is GPL'd by the way, just in case you think the site looks proprietary.
http://www.youtube.com/watch?v=Q5GPrkwyGxw

Last edited by H_TeXMeX_H; 07-02-2012 at 01:12 PM.
 
Old 07-02-2012, 01:31 PM   #36
ReaperX7
Senior Member
 
Registered: Jul 2011
Distribution: LFS-SVN, Slackware-14.1, PCBSD-10.0
Posts: 2,994
Blog Entries: 15

Original Poster
Rep: Reputation: 752
FwBuilder might be too advanced for some users. It might be best to want a firewall that anyone can use and can be set up with a script generation tool that doesn't require advanced level and knowledge of firewalls, IP addressing, and such tasks.

Shorewall seems better because it's just non-architectural scripts that require an editor or script generator. AlienBOB's EFG fits this because it is more or less the same thing, but just uses a webpage based script generation tool to create the rc.firewall script to load modules for the kernel and set up addressing schemes, ports, etc.

However, regardless which would ever be useful, you want something for everybody of any skill level and it has to be optional to set up.
 
Old 07-02-2012, 01:57 PM   #37
T3slider
Senior Member
 
Registered: Jul 2007
Distribution: Slackware64-14.1
Posts: 2,247

Rep: Reputation: 625
Quote:
Originally Posted by ReaperX7
However, regardless which would ever be useful, you want something for everybody of any skill level and it has to be optional to set up.
What you are describing doesn't sound anything like Slackware at all. Slackware, in my opinion, is a distro that makes things simple rather than easy. It has already done this by checking for /etc/rc.d/rc.firewall from rc.inet2, allowing you to just drop in any firewall script using any firewall tool you may desire. It is simple yet flexible and makes no assumptions. While I suppose I wouldn't *object* to a firewall script during setup as long as it allows me to skip it, I don't see the need and as far as I'm concerned the current rc.firewall situation falls in line with the rest of the design decisions in Slackware (no multilib, but set up for multilib by using lib64 on 64-bit systems, for example). I use the EFG to create a base and modify the resulting script to fit my needs. The current situation fits me just fine, and since Slackware is meant to be the thinking man's distro I would think anyone who knows anything about computers would know about firewalls as a concept and find a way to implement it in Slackware if they didn't already know how. There are hundreds of iptables firewall tutorials available, and shorewall, firehol and fwbuilder are all available from slackbuilds.org.
 
9 members found this post helpful.
Old 07-02-2012, 07:45 PM   #38
cikrak
Member
 
Registered: Sep 2006
Location: Surabaya, Indonesia
Distribution: Slackware
Posts: 35

Rep: Reputation: 5
Choose your answer:

A. ONLY a blank rc.firewall.
B. ONLY rc.firewall with a very basic script.
C. Installer option + blank rc.firewall
D. Installer option + very basic firewall
E. Installer option + generator scripts included
F. All the answers are wrong. (Only BDFL can choose this)

Maybe the easy route is to just make rc.firewall exist. The user will enable this feature if he wants it (just change it to 755). The problem is the content of rc.firewall itself. Every user has a different agenda, so the content should be a basic one.
 
Old 07-02-2012, 08:20 PM   #39
ReaperX7
Senior Member
 
Registered: Jul 2011
Distribution: LFS-SVN, Slackware-14.1, PCBSD-10.0
Posts: 2,994
Blog Entries: 15

Original Poster
Rep: Reputation: 752
Quote:
Originally Posted by T3slider
What you are describing doesn't sound anything like Slackware at all. Slackware, in my opinion, is a distro that makes things simple rather than easy. It has already done this by checking for /etc/rc.d/rc.firewall from rc.inet2, allowing you to just drop in any firewall script using any firewall tool you may desire. It is simple yet flexible and makes no assumptions. While I suppose I wouldn't *object* to a firewall script during setup as long as it allows me to skip it, I don't see the need and as far as I'm concerned the current rc.firewall situation falls in line with the rest of the design decisions in Slackware (no multilib, but set up for multilib by using lib64 on 64-bit systems, for example). I use the EFG to create a base and modify the resulting script to fit my needs. The current situation fits me just fine, and since Slackware is meant to be the thinking man's distro I would think anyone who knows anything about computers would know about firewalls as a concept and find a way to implement it in Slackware if they didn't already know how. There are hundreds of iptables firewall tutorials available, and shorewall, firehol and fwbuilder are all available from slackbuilds.org.
How would Slackware be different than it is? To include one extra tool/step during setup/configuration to configure some basic level of internet/network security or allow an advanced user to program in what they want for their firewall? LILO sets up this way and most people don't "think" about how they want to configure LILO. They just set it up with the basics, pick what resolution they want for the framebuffer, and go with it. There are those who choose to customize LILO to their heart's desire but that's them. Heck, if you're crazy enough you can even skip LILO, not that it's recommended or advised you do so.

Plus I did leave the option out to discuss including an offline webpage on the installation disk for EFG, possibly in /extra.

The decision to remove Gnome was big but then find out we have to rely on some of its libraries and find out we need to add some back in to support packages using them as dependencies. Yet many seem to think adding Gnome libraries back in for dependencies is the end of the world. It's just dependencies and while Slackware is growing all the time, it's evolving all the time as well. We knew eventually it wasn't going to be an OS limited to just 1 CD-ROM disk or even now 1 DVD-ROM disk. With time all things change to some extent.

However, as anything goes, it's just discussion, ideas being tossed back and forth, conversion, and even some debate. Better to be a ripple in a pond than a wave in the ocean.

Last edited by ReaperX7; 07-02-2012 at 08:23 PM.
 
Old 07-02-2012, 08:37 PM   #40
cikrak
Member
 
Registered: Sep 2006
Location: Surabaya, Indonesia
Distribution: Slackware
Posts: 35

Rep: Reputation: 5
Quote:
Originally Posted by ReaperX7
They just set it up with the basics, pick what resolution they want for the framebuffer, and go with it. There are those who choose to customize LILO to their heart's desire but that's them.
I believe the basic configuration will not make Slackware dictate to its users how to run their system (firewall).

I like the sample and warning from FreeBSD related to firewalls:

http://www.freebsd.org/doc/en_US.ISO...alls-ipfw.html

Quote:
The IPFW sample ruleset (found in /etc/rc.firewall and /etc/rc.firewall6) in the standard FreeBSD install is rather simple and it is not expected to be used directly without modifications. The example does not use stateful filtering, which is beneficial in most setups...
 
Old 07-03-2012, 05:36 AM   #41
ReaperX7
Senior Member
 
Registered: Jul 2011
Distribution: LFS-SVN, Slackware-14.1, PCBSD-10.0
Posts: 2,994
Blog Entries: 15

Original Poster
Rep: Reputation: 752
Posting from my phone:

I would suggest that if a firewall was ever included, even at the basic configuration it should be a stateful packet inspection firewall rather than a stateless firewall. However, there could be an option to have a generic rc.firewall script set up as such for a stateful packet inspection and filtering scheme for dynamic addresses already in the /etc/rc.d directory, and all the end user has to do is run chmod +x against it from root to enable it.
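
A minimal sketch of the kind of generic, stateful, address-independent rc.firewall discussed in this thread, as an added example that is not part of any post and is not Slackware's or EFG's own script. It assumes rc.inet2 runs the file with "start" when it is executable and that iptables is on PATH; the names IPT and OPEN_TCP_PORTS are chosen here, and only IPv4 is covered.

```shell
#!/bin/sh
# Constructed example of /etc/rc.d/rc.firewall: minimal stateful IPv4 ruleset.
# No rule refers to the host's own address, so it works with dynamic (DHCP)
# addressing. IPT and OPEN_TCP_PORTS are hypothetical names for this example.
IPT="${IPT:-iptables}"                 # run with IPT=echo to preview the rules
OPEN_TCP_PORTS="${OPEN_TCP_PORTS:-}"   # e.g. "22" for SSH on a headless box

fw_start() {
  # Set default-deny policies before flushing, so the chains are never
  # both empty and open while the script runs.
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT ACCEPT
  $IPT -F INPUT
  $IPT -F FORWARD
  $IPT -A INPUT -i lo -j ACCEPT
  # Stateful part: connection tracking classifies every packet. Replies to
  # connections this host opened are accepted, malformed state is dropped.
  $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Only explicitly listed services accept new inbound connections.
  for port in $OPEN_TCP_PORTS; do
    $IPT -A INPUT -p tcp --dport "$port" --syn \
         -m conntrack --ctstate NEW -j ACCEPT
  done
}

fw_stop() {
  # Return to the unfiltered state: accept everything, no rules.
  $IPT -P INPUT ACCEPT
  $IPT -P FORWARD ACCEPT
  $IPT -P OUTPUT ACCEPT
  $IPT -F
}

case "${1:-}" in
  start|restart) fw_start ;;           # fw_start flushes, so restart is safe
  stop)          fw_stop ;;
  "")            : ;;                  # no argument: define functions only
  *)             echo "usage: $0 {start|stop|restart}" >&2 ;;
esac
```

With the default empty OPEN_TCP_PORTS the host accepts no new inbound connections at all, so a remotely administered machine needs its SSH port listed before the script is made executable.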
 
Old 07-04-2012, 07:44 AM   #42
bormant
Member
 
Registered: Jan 2008
Posts: 97

Rep: Reputation: 42
We have /usr/share/mkinitrd/mkinitrd_command_generator.sh with no option in installer to use it.
As for me /usr/share/iptables/firewall_generator.sh placed in iptables package and mentioned in documentation (CHANGES_AND_HINTS.TXT) with no option in installer seems the best solution.
 
2 members found this post helpful.
Old 07-04-2012, 08:15 AM   #43
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269
Quote:
Originally Posted by bormant
We have /usr/share/mkinitrd/mkinitrd_command_generator.sh with no option in installer to use it.
As for me /usr/share/iptables/firewall_generator.sh placed in iptables package and mentioned in documentation (CHANGES_AND_HINTS.TXT) with no option in installer seems the best solution.
Yeah, that is also possible, although I don't see why it shouldn't be mentioned in the installer.
 
Old 07-04-2012, 02:02 PM   #44
ReaperX7
Senior Member
 
Registered: Jul 2011
Distribution: LFS-SVN, Slackware-14.1, PCBSD-10.0
Posts: 2,994
Blog Entries: 15

Original Poster
Rep: Reputation: 752
Cool.
 
Old 07-05-2012, 12:43 PM   #45
Slax-Dude
Member
 
Registered: Mar 2006
Location: Valadares, Portugal
Distribution: Slackware
Posts: 253

Rep: Reputation: 71
+1 for the firewall config script in the installer, although it should be "skippable"

Scripts that automate system configuration (like liloconfig or mkinitrd_command_generator.sh) are already present in Slackware, so I don't think making things easier goes against the distro's philosophy.

Last edited by Slax-Dude; 07-06-2012 at 04:19 AM. Reason: skippable, not shippable
 
  


All times are GMT -5.