LinuxQuestions.org
View Poll Results: How have you configured IPTABLES on your system[s]?
Easy Firewall Generator (or a derivative like Alien Bob's, post link please) 12 9.84%
Firestarter 21 17.21%
KMyFirewall 4 3.28%
fwbuilder 2 1.64%
Guarddog 17 13.93%
Script from an LQ forum post (link please) 1 0.82%
Some other script (link please) or GUI 44 36.07%
Don't use iptables 24 19.67%
Multiple Choice Poll. Voters: 122.

Old 02-18-2007, 11:24 PM   #16
dive
Senior Member
 
Registered: Aug 2003
Location: UK
Distribution: Slackware
Posts: 3,185

I did it by hand and good ol' fashioned trial and error.
 
Old 02-19-2007, 03:37 AM   #17
gtimur
LQ Newbie
 
Registered: Feb 2006
Posts: 1

Please keep in mind that there are people coming from Windows firewalls. I am one of them. I need a graphical pop-up window, i.e. an interactive firewall that asks me what to do each time a new type of connection happens, of course with a "remember this" option. Any idea?
While a lot of firewalls exist in Windows, it's easy to find a good one, even for free. But here I am confused: each distribution is using its own, and then you come with the "by hand" option...
 
Old 02-19-2007, 06:00 AM   #18
solly
LQ Newbie
 
Registered: Aug 2005
Posts: 19

Arno-iptables-firewall deserves a mention. Home page: http://rocky.eld.leidenuniv.nl/

There's a Slackware 11.0 package at
http://www.linuxpackages.net/search_...e=arn&ver=11.0
 
Old 02-19-2007, 04:06 PM   #19
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: KirraMail Live Email Server
Posts: 1,275

Wrote my own, with thanks to netfilter.org: read quite a few scripts and took out what I liked to make my own script. I have also added a lot of my own code to make a lot of things more automatic rather than having to modify it heavily each time it goes onto a new host; I only have to adjust the rules depending on the services the host is going to run. Unfortunately I don't run any servers at the moment, so I cannot link to it.
 
Old 02-19-2007, 08:18 PM   #20
Wynd
Member
 
Registered: Jul 2001
Distribution: Slackware 12
Posts: 511

I wrote mine by hand after looking at online examples. Basically, it's:

accept all traffic on loopback
accept all outbound traffic
drop all inbound traffic except ssh, ntp, and established/related packets

Seems to work fine so far.
 
Old 02-19-2007, 09:22 PM   #21
rworkman
Slackware Contributor
 
Registered: Oct 2004
Location: Tuscaloosa, Alabama (USA)
Distribution: Slackware
Posts: 1,904

Quote:
Originally Posted by Wynd
I wrote mine by hand after looking at online examples. Basically, it's:

accept all traffic on loopback
accept all outbound traffic
drop all inbound traffic except ssh, ntp, and established/related packets

Unless you're running an ntp server for the public, there's no need to explicitly open that port either - the est/rel rule will catch replies to your outgoing requests.

If you'd like to use the recent match to cut down on some of the ssh brute force attacks, this might be helpful - I tried to comment it well enough for someone to actually understand what they're doing rather than just blindly copying... http://rlworkman.net/conf/firewall/sshattacks

Also, if you'd like to have identd requests acknowledged when they're expected but dropped otherwise, see this link: http://rlworkman.net/howtos/irc-identd
 
Old 02-19-2007, 09:41 PM   #22
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Quote:
Originally Posted by gtimur
Please keep in mind that there are people coming from Windows firewalls. I am one of them. I need a graphical pop-up window, i.e. an interactive firewall that asks me what to do each time a new type of connection happens, of course with a "remember this" option. Any idea?
While a lot of firewalls exist in Windows, it's easy to find a good one, even for free. But here I am confused: each distribution is using its own, and then you come with the "by hand" option...
I just wanna say that I find this post hilarious
 
Old 02-19-2007, 10:05 PM   #23
rworkman
Slackware Contributor
 
Registered: Oct 2004
Location: Tuscaloosa, Alabama (USA)
Distribution: Slackware
Posts: 1,904

Quote:
Originally Posted by gtimur
Please keep in mind that there are people coming from Windows firewalls. I am one of them. I need a graphical pop-up window, i.e. an interactive firewall that asks me what to do each time a new type of connection happens, of course with a "remember this" option. Any idea?
Application-level "firewalls" (whether that's an appropriate term or not is debatable, but I'll not go into it here) are an entirely different breed of cat, so to speak. There's limited ability to filter by process owner with iptables, but it's not perfect. It has some valid uses, but access control IMHO is not generally one of them [1]. If you don't want an application sending packets out on the internet, don't install it. If you have users that you can't trust, remove their accounts. With all that said, there have been some attempts to create an application-level "firewall" for linux, but I can't recall any of the names at the moment - a search on freshmeat should be enlightening...

[1] There is at least one legitimate use of the owner match that comes to mind: only allow outgoing smtp traffic if the process sending it is owned by the mail user; this way, if apache (or some other service) is rooted, it won't be allowed to send spam from your system. However, this is a stop-gap measure, and a far better solution is to either run other services chrooted and/or make sure you stay up to date with security patches for them.

Quote:
While a lot of firewalls exist in Windows, it's easy to find a good one, even for free. But here, I am confused, each distribution is using its own and then you come with hand option...
There's really only one working packet filter on modern linux systems - netfilter (and the iptables userspace interface for it). All of the distribution-specific things are just wrappers and/or front-ends for iptables, and as you've seen, some are better than others. My advice is to learn the iptables syntax and configure it manually - the knowledge you gain is portable across distributions, and the knowledge you're forced to gain about TCP/IP in general is portable across operating systems.
 
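The ruleset Wynd lays out in #20, with rworkman's two refinements from #21 (no inbound ntp rule, recent match on ssh) and the owner-match footnote from #23, written out as one script. This is an added example for this page, not code from the thread or from rlworkman.net. It assumes sshd on port 22 (SSH_PORT), an MTA running as the unprivileged user "mail" (MAIL_USER), and a kernel with the conntrack, recent and owner matches; the recent-match window and hit count (SSH_WINDOW, SSH_HITS) are illustrative defaults. It emits iptables-restore format so the whole filter table is swapped atomically rather than built rule by rule from a half-applied state; "-m conntrack --ctstate" is the current spelling of the "-m state --state" used in 2007 and matches the same connection states.

```shell
#!/bin/sh
# Added example (not the thread's or rlworkman.net's code). Builds the policy
# from posts #20, #21 and #23 as an iptables-restore table.
# Assumptions, overridable from the environment:
#   SSH_PORT   port sshd listens on            (default 22)
#   SSH_WINDOW recent-match window in seconds  (default 60)
#   SSH_HITS   new ssh connections allowed per window per source (default 4)
#   MAIL_USER  uid the MTA sends from          (default mail)

build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is trusted
-A INPUT -i lo -j ACCEPT
# replies to our own outgoing traffic; conntrack tracks UDP too, so the
# answers to our ntp and dns queries come back as ESTABLISHED and no
# inbound ntp rule is needed unless this host serves ntp to others
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ssh throttle: rule 1 records every NEW connection's source in list SSH;
# rule 2 drops it if that source already has SSH_HITS entries within
# SSH_WINDOW seconds (--update also refreshes the timestamp, so a source
# that keeps hammering stays blocked); rule 3 admits the rest
-A INPUT -p tcp --dport ${SSH_PORT:-22} -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -p tcp --dport ${SSH_PORT:-22} -m conntrack --ctstate NEW -m recent --update --seconds ${SSH_WINDOW:-60} --hitcount ${SSH_HITS:-4} --name SSH -j DROP
-A INPUT -p tcp --dport ${SSH_PORT:-22} -m conntrack --ctstate NEW -j ACCEPT
# loopback first, so a local web app may still hand mail to the MTA on
# 127.0.0.1:25 while the smtp restriction below applies to the outside
-A OUTPUT -o lo -j ACCEPT
# owner match only sees locally generated packets, hence OUTPUT: outbound
# smtp is allowed only from the MTA's uid, so a rooted apache cannot relay
-A OUTPUT -p tcp --dport 25 -m owner --uid-owner ${MAIL_USER:-mail} -j ACCEPT
-A OUTPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

apply_rules() {
    # Parse and build the table without loading it first; this catches
    # typos and an unknown MAIL_USER before the live firewall is touched.
    build_rules | iptables-restore --test || return 1
    build_rules | iptables-restore
}

# number of -A rule lines in the generated table (comments excluded)
rule_count() {
    build_rules | grep -c '^-A '
}

case "${1:-print}" in
    print) build_rules ;;
    apply) apply_rules ;;
    *) echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

Run it as `sh fw.sh print` to read the generated table and `sh fw.sh apply` as root to load it; then check `iptables -L INPUT -n -v` and, on current kernels, `/proc/net/xt_recent/SSH` to see which sources the recent match is tracking. Two caveats: iptables-restore replaces the entire filter table, so rules loaded by any other tool are gone afterwards (that is the point here), and the `--uid-owner` name is resolved when the table is loaded, which is why the `--test` pass runs first.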
Old 02-19-2007, 11:06 PM   #24
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: KirraMail Live Email Server
Posts: 1,275

Quote:
Originally Posted by robw810
If you'd like to use the recent match to cut down on some of the ssh brute force attacks, this might be helpful

This is a fantastic module; I like using it as well. Great for the web server: it helps slow down a lot of those scripts that like to hammer your site.
 
Old 02-20-2007, 01:48 AM   #25
Tux-Slack
Member
 
Registered: Nov 2006
Location: Slovenia
Distribution: Slackware 13.37
Posts: 511

configured by hand
 
Old 02-20-2007, 08:15 AM   #26
pdevries
LQ Newbie
 
Registered: May 2004
Distribution: slackware
Posts: 8

I use Shorewall

I've been using Shorewall (www.shorewall.net) for a number of years. Shorewall is a text-mode tool, not a GUI. I think it offers great flexibility for lots of different applications, while being substantially simpler than directly writing iptables rules. Configuration is straightforward, although it requires some knowledge of precisely what you want to do. (In this regard, I consider it "slackwarish".) I also think the documentation on Shorewall is fantastic, giving a very clear description of what firewalling is about for systems ranging from one desktop to an enterprise.
 
Old 02-20-2007, 11:06 AM   #27
tuxrules
Senior Member
 
Registered: Jun 2004
Location: Chicago
Distribution: Slackware64 14.1
Posts: 1,137

I use firestarter for desktop and laptop. For the webserver, I use rules that I constructed and run them during bootup.

I want to move to a firewall startup script of my own one of these days...once I get some time from my month-old daughter.

Thanks, gilead, for posting that awesome tutorial. I actually use Linux Firewalls by Steve Suehring and Robert Ziegler (ISBN 0672327716). It has pretty good info on setting up basic to advanced iptables firewalls.
 
Old 02-20-2007, 11:08 AM   #28
teebones
Member
 
Registered: Aug 2005
Location: /home/teebones
Distribution: sometimes this, sometimes that..
Posts: 500

Simple home-made script with all the rules inside (as an rc. file).
 
Old 02-20-2007, 11:25 AM   #29
Randux
Senior Member
 
Registered: Feb 2006
Location: Siberia
Distribution: Slackware & Slamd64. What else is there?
Posts: 1,705

Cool

Quote:
Originally Posted by robw810
Application-level "firewalls" (whether that's an appropriate term or not is debatable, but I'll not go into it here) are an entirely different breed of cat, so to speak. There's limited ability to filter by process owner with iptables, but it's not perfect. It has some valid uses, but access control IMHO is not generally one of them [1]. If you don't want an application sending packets out on the internet, don't install it. If you have users that you can't trust, remove their accounts. With all that said, there have been some attempts to create an application-level "firewall" for linux, but I can't recall any of the names at the moment - a search on freshmeat should be enlightening...

[1] There is at least one legitimate use of the owner match that comes to mind: only allow outgoing smtp traffic if the process sending it is owned by the mail user; this way, if apache (or some other service) is rooted, it won't be allowed to send spam from your system. However, this is a stop-gap measure, and a far better solution is to either run other services chrooted and/or make sure you stay up to date with security patches for them.
I don't think he's talking about untrusted users. This kind of firewall is a really good idea, and I predict we will see more support for this in the future as more and more apps are ported/built for *NIX.

Basically the winbloze firewalls protect you from an inside job. If you don't like apps "phoning home", it's a good idea to do some checking with ethereal/wireshark/iptraf/etc. If not, you have no idea what's being exposed by programs you run. For example, how do you know that some app that does your finances (gnucash) is not connecting to the internet (it does)?

In winbloze this kind of exposure is built in to the "OS", which is why it's so important. We know that our kernel devs would never do anything like that, and we trust them. But we also have thousands of 3rd-party apps we build and use every day, and how do we know what they're doing? It would be a lot easier (and safer) if there were an easy way to control all outbound traffic as well as we can control inbound traffic.

Last edited by Randux; 02-20-2007 at 11:27 AM.
 
Old 02-20-2007, 12:00 PM   #30
rworkman
Slackware Contributor
 
Registered: Oct 2004
Location: Tuscaloosa, Alabama (USA)
Distribution: Slackware
Posts: 1,904

Quote:
Originally Posted by Randux
I don't think he's talking about untrusted users.
Right - he probably wasn't, but it seemed relevant at the time.

Quote:
This kind of firewall is a really good idea and I predict we will see more support for this in the future as more and more apps are ported/built for *NIX.
It's certainly something that lots of users want, but I'm still undecided as to whether it's truly needed (aside from specialized environments perhaps).

Quote:
Basically the winbloze firewalls protect you from an inside-job. If you don't like apps "phoning home" it's a good idea to do some checking with ethereal/wireshark/iptraf/etc. If not you have no idea what's being exposed by programs you run. For example how do you know that some app that does your finances (gnucash) is not connecting to the internet (it does).
Therein lies the problem. If I'm doing internet banking with GNUCash, I *want* it to connect to the internet, and if I'm not, I *don't* want it to connect to the internet. If the application is written properly, it won't connect to the internet unless I'm doing internet banking and/or unless it checks for updates automatically (whether it does or doesn't do that, I can't say - I don't use it). The point is this: if the app does things it shouldn't do, either don't use it, modify the source to fix it, or raise enough hell with the developers to have them fix it. Quite frankly, if an application is trying to send things to the internet when it shouldn't, it won't be installed on my system very long - there's simply no middle ground here IMHO. Having an application level firewall in place would constitute tacit acceptance of a 'phone-home' application, and that's not the impression I want to give to the developers of $APP.

Quote:
In winbloze this kind of exposure in built-in to the "OS" which is why it's so important. We know that our kernel devs would never do anything like that and we trust them. But we also have thousands of 3rd party apps we build and use every day and how do we know what they're doing? It would be a lot easier (and safer) if there was an easy way to control all outbound traffic as well as we can control inbound traffic.
And we're back to where we started...
 