LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices



Poll: How have you configured IPTABLES on your system[s]?
Poll Options
How have you configured IPTABLES on your system[s]?

You must log in and have one post to vote in this poll. If you don't have an account, you can register here.
Results will be available after the polls close.

The nominees are:

Easy Firewall Generator (or a derivative like Alien Bob's, post link please)
Firestarter
KMyFirewall
fwbuilder
Guarddog
Script from an LQ forum post (link please)
Some other script (link please) or GUI
Don't use iptables

Reply
 
Search this Thread
Old 02-20-2007, 10:15 PM   #31
nutronix
Member
 
Registered: Jan 2003
Location: montreal
Distribution: Slackware and XUbuntu an Debian
Posts: 111
Blog Entries: 1

Rep: Reputation: 17

I use a script by Brian Hatch that i am sure i got from a post on this here forum ;
http://www.linuxquestions.org/questi...d.php?t=449022 - 64k
as googled for " brian hatch's firewall script " .I am not sure i understand everything in the script but it did seem to be the easiest way for me to get a firewall going in slackware.
 
Old 02-21-2007, 01:12 AM   #32
Randux
Senior Member
 
Registered: Feb 2006
Location: Siberia
Distribution: Slackware & Slamd64. What else is there?
Posts: 1,705

Rep: Reputation: 54
Quote:
Originally Posted by robw810
Right - he probably wasn't, but it seemed relevant at the time


Therein lies the problem. If I'm doing internet banking with GNUCash, I *want* it to connect to the internet, and if I'm not, I *don't* want it to connect to the internet. If the application is written properly, it won't connect to the internet unless I'm doing internet banking and/or unless it checks for updates automatically (whether it does or doesn't do that, I can't say - I don't use it).
I got it, but the issue is not whether you want it to or not- it's "how do you know what all your many and varied apps are exposing?" if you don't have an application-level firewall?

Quote:
Originally Posted by robw810
The point is this: if the app does things it shouldn't do, either don't use it, modify the source to fix it, or raise enough hell with the developers to have them fix it. Quite frankly, if an application is trying to send things to the internet when it shouldn't, it won't be installed on my system very long - there's simply no middle ground here IMHO.
If you know what you're doing, and you run a network trace the whole time your system(s) are running, and you examine it constantly, then I say (1) you're doing a fine job! and (2) you're spending too much time administering your system(s). I agree with you in principle- software should not do bad things. But the reality is we have many thousands of apps and systems software packages and it's not realistic to manage this by tracing things all the time (at least not for most people).

Quote:
Originally Posted by robw810
Having an application level firewall in place would constitute tacit acceptance of a 'phone-home' application, and that's not the impression I want to give to the developers of $APP.
I don't understand what you are saying here. Are you saying that if it becomes commonplace to run application firewalls (which btw can be set to allow nothing- which is how I started when I ran winbloze (out out damn spot!) and then over the days and weeks to follow I allow or not as I use each app) then people will start adding exploits to their apps because if people don't want the exploit they'll just block it? You can't be saying that, because according to what you just said, if you found an app like that you would raise hell with the devs So what did you mean?

Any big system has millions of lines of source behind it. It's not realistic to examine that much source manually and I haven't heard that people are writing tools to do that (which anyway wouldn't be 100%). Do you really look at all the source for everything you run? It's just not practical.

What I am saying is that administering a system is a lot of work, and I don't trust apps generally. I personally would like a way to control not only inbound traffic, but outbound traffic. I would love an app like ZoneAlarm or Kerio or some other app-level firewall that I can set to deny everything on my system and then get prompted to allow or not on a app by app basis. It should also allow you to do packet filtering and all kinds of other setup manually if you want. This would be the simplest, best way to manage this situation. The problem will only grow as more and more people are moving to Linux and more and more people are writing apps for Linux. Eventually (if not already judging from what I have seen) spyware, malware, etc. are coming to the *NIX world. Unlike winbloze, we should be ready before they get here.

Last edited by Randux; 02-21-2007 at 01:16 AM.
 
Old 02-21-2007, 07:30 PM   #33
pbhj
Member
 
Registered: Dec 2002
Location: UK
Distribution: Slackware 12; Ubuntu 7.10
Posts: 358

Original Poster
Rep: Reputation: 31
interactive firewall ... try firestarter

Quote:
Originally Posted by gtimur
I need a graphical pop-up window i.e. interactive firewall that asks me what to do each time a new type of connection happens
Firestarter does this to an extent .. it sits in the tray, when it blocks it changes colour, you can open the gui and in the events tab you can see what was blocked.

So if you're trying to access a samba share or some such it will show an access on port (what is it, ?) 139 (?) and you can decide then (via right click menu) to add a policy such as "allow outbound service for everyone". Policies can then be altered manually to fit better.

There's at least one zonealarms type program, but I can't be arsed to google for it!
 
Old 02-21-2007, 07:35 PM   #34
pbhj
Member
 
Registered: Dec 2002
Location: UK
Distribution: Slackware 12; Ubuntu 7.10
Posts: 358

Original Poster
Rep: Reputation: 31
shorewall is not just a FW distro!

Quote:
Originally Posted by pdevries
Configuration is straight-forward, although requiring some knowledge of precisely what you want to do
I always thought that shorewall was only a firewall distro, but I've been wrong before too!

From the little I've seen now it looks harder than a manual iptables config?
 
Old 02-22-2007, 09:30 AM   #35
pdevries
LQ Newbie
 
Registered: May 2004
Distribution: slackware
Posts: 8

Rep: Reputation: 0
Quote:
Originally Posted by pbhj
I always thought that shorewall was only a firewall distro, but I've been wrong before too!

From the little I've seen now it looks harder than a manual iptables config?
Shorewall is merely a set of scripts and configuration files to set up Iptables. It's distribution agnositic, and doesn't require a GUI.

I never learned to write iptables entries manually, so I don't have an opinion as to how easy/hard that is. But the firewall on my desktop includes two NICs and a bridge and Tun/Tap interface (for Qemu using Vde) -- I did not have too much trouble getting shorewall to handle these the way I wanted.
 
Old 02-22-2007, 06:34 PM   #36
Wynd
Member
 
Registered: Jul 2001
Distribution: Slackware 12
Posts: 511

Rep: Reputation: 32
Quote:
Originally Posted by robw810
Unless you're running an ntp server for the public, there's no need to explicitly open that port either - the est/rel rule will catch replies to your outgoing requests.

If you'd like to use the recent match to cut down on some of the ssh brute force attacks, this might be helpful - I tried to comment it well enough for someone to actually understand what they're doing rather than just blindly copying... http://rlworkman.net/conf/firewall/sshattacks

Also, if you'd like to have identd requests acknowledged when they're expected but dropped otherwise, see this link: http://rlworkman.net/howtos/irc-identd
Thanks for the tip, I don't know why I didn't think of that
 
Old 02-22-2007, 10:44 PM   #37
rworkman
Slackware Contributor
 
Registered: Oct 2004
Location: Tuscaloosa, Alabama (USA)
Distribution: Slackware
Posts: 1,971

Rep: Reputation: Disabled
Quote:
Originally Posted by Randux
If you know what you're doing, and you run a network trace the whole time your system(s) are running, and you examine it constantly, then I say (1) you're doing a fine job! and (2) you're spending too much time administering your system(s). I agree with you in principle- software should not do bad things. But the reality is we have many thousands of apps and systems software packages and it's not realistic to manage this by tracing things all the time (at least not for most people).
Haha - no, I don't run a net trace (nor monitor one) the whole time, but I do periodically monitor various system stats (including network activity). On a related note, this is probably the *only* good thing about dialup internet access - if something is sending network traffic unexpectedly, then it's going to be noticed.
Yes, I'm still on dialup - not by choice, but because it's the only option available out here where I live...

Quote:
I don't understand what you are saying here. Are you saying that if it becomes commonplace to run application firewalls (which btw can be set to allow nothing- which is how I started when I ran winbloze (out out damn spot!) and then over the days and weeks to follow I allow or not as I use each app) then people will start adding exploits to their apps because if people don't want the exploit they'll just block it? You can't be saying that, because according to what you just said, if you found an app like that you would raise hell with the devs So what did you mean?
Well, yes and no I'm simply stating that it's easier for someone to decide "well, it's okay - I can block it with my {application level firewall}" instead of "Aw, hell no." Note that the term "exploit" is a bit strong here, but the idea is the same, I guess...

Quote:
Any big system has millions of lines of source behind it. It's not realistic to examine that much source manually and I haven't heard that people are writing tools to do that (which anyway wouldn't be 100%). Do you really look at all the source for everything you run? It's just not practical.
Agreed - it's not (and of course I don't) However, you can bet that I do some investigating if an app starts talking to the internet without a good reason

Quote:
Eventually (if not already judging from what I have seen) spyware, malware, etc. are coming to the *NIX world. Unlike winbloze, we should be ready before they get here.
On that point, you'll get no argument from me

RW

Last edited by rworkman; 02-22-2007 at 10:46 PM.
 
Old 02-23-2007, 04:24 PM   #38
pbhj
Member
 
Registered: Dec 2002
Location: UK
Distribution: Slackware 12; Ubuntu 7.10
Posts: 358

Original Poster
Rep: Reputation: 31
The "Brian Hatch" script is at http://www.hackinglinuxexposed.com/a.../20030709.html ... but it doesn't work for me as it seems to prevent name resolution ... if I had half a clue about this stuff I'd know why!!

Last edited by pbhj; 02-23-2007 at 04:55 PM.
 
Old 02-24-2007, 02:30 PM   #39
pbhj
Member
 
Registered: Dec 2002
Location: UK
Distribution: Slackware 12; Ubuntu 7.10
Posts: 358

Original Poster
Rep: Reputation: 31
I can't see why everyone things shorewall is so easy to configure ... easy like procmail presumably. I must be missing something, is there a good front end (other than webmin)?
 
Old 02-25-2007, 07:10 AM   #40
SirMsquared
LQ Newbie
 
Registered: Nov 2005
Location: Western Australia
Posts: 18

Rep: Reputation: 0
Custom IP Tables

This blocks all incoming connections, and permits only packets related to existing outgoing connections.

Code:
iptables -P INPUT REJECT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
Old 02-25-2007, 12:17 PM   #41
GrapefruiTgirl
Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Rep: Reputation: 550Reputation: 550Reputation: 550Reputation: 550Reputation: 550Reputation: 550
Linux Firewall version 2.0 (final) -- 07/25/06
http://lfw.sf.net/

I visited a whack of tutorial and other sites and did a lot of reading and HOW-TO's. After trying a few similar rc.firewall scripts which were giving me errors, and also trying a couple 'packaged' firewalls from the likes of sourceforge and freshmeat, I downloaded this little package named above (can't remember exactly where from, but there's the homepage named within the script) and followed the instructions to recompile my kernel again, with a bunch of IPTABLES and related stuff into it and swapped it in place of my original Slack rc.firewall script.
It's complete, functional, and seems to be working fine, starting up on boot. My learning is an ongoing thing; as I learn stuff, I tweak stuff.
I'm on a LAN so I'm not too concerned at the moment, but between me and the big bad internet is a W1nd0w5 machine, so can't be too careful I also installed a firewall-log scanner and two rootkit-hunters, run by cron twice per day.
Also, and I recommend this to anyone: read everything up-to-date about securing and hardening your distribution, and keep on top of security updates and patches.
 
Old 02-27-2007, 10:11 AM   #42
Slim Backwater
Member
 
Registered: Nov 2005
Distribution: Slackware 10.2 2.6.20
Posts: 68

Rep: Reputation: 15
Quote:
Originally Posted by robw810
If you'd like to use the recent match to cut down on some of the ssh brute force attacks, this might be helpful - I tried to comment it well enough for someone to actually understand what they're doing rather than just blindly copying... http://rlworkman.net/conf/firewall/sshattacks
You just might want to add a note about the bug in the 'recent' module in older kernels. I really liked your solution and started testing it out, and just got bit by it on an old Slack 10.2 box running 2.6.13.

http://blog.blackdown.de/2005/05/09/...filter-module/

While there's a patch that can be applied to older kernels, it seems like it's not fully fixed until 2.6.18 when 'recent' was rewritten. (At least that's what I gather from the discussion)

What's really interesting is if you connect to a machine within 5 minutes of booting, then you'll be locked out on your second ssh connection after that 5 minute window. If you wait more than 5 minutes after booting for your first connection, then you're good for ~25 days.

Just thought I'd mention it in case someone's left wondering why they're getting locked out of their machines.
 
Old 02-27-2007, 12:37 PM   #43
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,005
Blog Entries: 11

Rep: Reputation: 903Reputation: 903Reputation: 903Reputation: 903Reputation: 903Reputation: 903Reputation: 903Reputation: 903
Where's the option "hand-written"? :}

I used to use ferm in the past which I still think is quite nice.


Cheers,
Tink

Last edited by Tinkster; 02-27-2007 at 12:39 PM.
 
Old 02-27-2007, 04:34 PM   #44
pbhj
Member
 
Registered: Dec 2002
Location: UK
Distribution: Slackware 12; Ubuntu 7.10
Posts: 358

Original Poster
Rep: Reputation: 31
iptables ... write your own

Quote:
Originally Posted by Tinkster
Where's the option "hand-written"?
"Some other script ..."

Will that do.

I didn't see the point in distinguishing between scripts that you wrote yourself and little known scripts that one can copy. Oftentimes people start with the later and end with the former anyway - ie download and modify beyond all recognition.

HTH
 
Old 02-27-2007, 05:10 PM   #45
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,005
Blog Entries: 11

Rep: Reputation: 903Reputation: 903Reputation: 903Reputation: 903Reputation: 903Reputation: 903Reputation: 903Reputation: 903
Quote:
Originally Posted by pbhj
"Some other script ..."

Will that do.

I didn't see the point in distinguishing between scripts that you wrote yourself and little known scripts that one can copy. Oftentimes people start with the later and end with the former anyway - ie download and modify beyond all recognition.

HTH
Not *quite* ... can't provide a link to it ;}



Cheers,
Tink
 
  


Reply

Tags
configure, firewall, iptables, slackware


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Please help me with iptables configuration rbm Linux - Security 4 01-29-2006 06:48 AM
iptables configuration help Alien#007 Linux - Networking 1 08-12-2005 02:32 PM
IPTables Configuration shaileshjain Linux - Networking 2 04-07-2005 01:16 AM
Iptables configuration Salihou Linux - Networking 2 09-24-2003 03:26 PM
iptables configuration know Linux - Networking 2 05-25-2003 05:55 PM


All times are GMT -5. The time now is 12:36 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration