LinuxQuestions.org (/questions/)
-   Slackware (https://www.linuxquestions.org/questions/slackware-14/)
-   -   newbie tutorial sought for firewall: choice, configuration and usage (https://www.linuxquestions.org/questions/slackware-14/newbie-tutorial-sought-for-firewall-choice-configuration-and-usage-4175468744/)

textillis 07-07-2013 12:13 AM

newbie tutorial sought for firewall: choice, configuration and usage
 
Hi folks,
Subject says it all really: I am new to Linux, newer still to Slackware, which I have running nicely in the -current version (had to go for -current as I couldn't get stable to support my inbuilt graphics).

Now I just want a very basic introduction to choosing, installing, configuring and optimizing the most suitable firewall for a stand alone, personal desktop linux box.

thanks in advance
PS all google searches I have tried return stuff that is too technical for me to benefit from

ButterflyMelissa 07-07-2013 02:53 AM

Hey there,

How about UFW? UFW stands for Uncomplicated FireWall...so it's pretty accessible, I use it on my servers...
Ubuntu has a page on it, but the info applies to others as well...

Grtz!

Thor

textillis 07-07-2013 03:12 AM

Quote:

Originally Posted by Thor_2.0 (Post 4985551)
Hey there,

How about UFW? UFW stands for Uncomplicated FireWall...so it's pretty accessible, I use it on my servers...
Ubuntu has a page on it, but the info applies to others as well...

Grtz!

Thor

Thanks Thor (great pseudo!)
I'll check it out man; that's real nice of you to pass it on.

regs,

PS:
1.Goedel's incompleteness theorem: you can either have a completely defined system which contains errors; or an error free system which is incomplete
2.Heisenberg's uncertainty principle comes to mind
3. Astronomer Royale, Sir Martin Rees: "We may - and probably do - inhabit a universe which is infinitely complex and therefore, infinitely beyond our capacity to fully understand, ever!"

ButterflyMelissa 07-07-2013 03:26 AM

Quote:

Thanks Thor (great pseudo!)
You're welcome! And, it's my real name :) why use a pseudo with a name like this? :D

UFW is super easy to get along with. It does work with iptables though, but that one is the exact opposite (to me anyway) as it is pretty hard to understand...

By the way, there's quite some truth in the PS'es you added...

Thor

unSpawn 07-07-2013 04:32 AM

Moved: This thread is more suitable in the slackware forum (where almost all slackware-related threads go) and has been moved accordingly to help your thread/question get the exposure it deserves. BTW http://docs.slackware.com/howtos:sec...basic_security says check http://www.slackware.com/~alien/efg/ (maybe see http://rlworkman.net/conf/firewall/ as well?).

allend 07-07-2013 06:17 AM

Quote:

Now I just want a very basic introduction to choosing, installing, configuring and optimizing the most suitable firewall for a stand alone, personal desktop linux box.
If you are using your internet connection through the Optus Mobile Broadband, you are likely using ppp0 as your interface.
The simplest solution in a fresh Slackware install would be to copy /etc/ppp/firewall-standalone to /etc/rc.d/rc.firewall. This is a very simple but secure firewall. You will likely want a more flexible solution in the future, so I also recommend looking at Alien Bob's EFG.
If you are using NetworkManager to handle your internet connection, then I suggest creating a script in /etc/NetworkManager/dispatcher.d that will run the firewall script when the internet connection is established.
As an example see here http://www.linuxquestions.org/questi...1/#post4579765
Note that the firewall script for the ppp0 connection is actually named /etc/rc.d/rc.firewall_ppp0
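As an added example of the dispatcher approach allend describes (this is not code from the thread or from any poster): NetworkManager runs every executable in /etc/NetworkManager/dispatcher.d with two arguments, the interface name and the action (for example "ppp0 up"), each time a connection changes state. The hook below restarts the firewall script only on link-up and VPN-up events, so the rules are reloaded once the ppp0 device actually exists. The firewall path /etc/rc.d/rc.firewall, its "restart" argument and the file name 10-firewall are assumptions; adjust them to your setup.

```shell
#!/bin/sh
# Added example (not from the thread): /etc/NetworkManager/dispatcher.d/10-firewall
# NetworkManager calls this as: 10-firewall <interface> <action>
# The firewall script location is an assumption; override with FIREWALL=... if needed.
FIREWALL=${FIREWALL:-/etc/rc.d/rc.firewall}

# Decide whether an interface/action pair should trigger a reload.
# Returns 0 (yes) or 1 (no). Only "up" and "vpn-up" count; loopback and
# unrelated events such as "down", "dhcp4-change" or "hostname" are ignored,
# so the firewall is not flushed and rebuilt on every minor state change.
firewall_should_reload() {
    iface=$1
    action=$2
    case "$iface" in
        ''|lo) return 1 ;;
    esac
    case "$action" in
        up|vpn-up) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the firewall script if it is present and executable, and log the
# reload next to NetworkManager's own syslog messages for later auditing.
firewall_reload() {
    if [ -x "$FIREWALL" ]; then
        logger -t dispatcher-firewall "restarting $FIREWALL after $1 $2"
        "$FIREWALL" restart
    else
        logger -t dispatcher-firewall "$FIREWALL missing or not executable"
        return 1
    fi
}

# Entry point used by NetworkManager; with no arguments nothing happens.
if firewall_should_reload "${1:-}" "${2:-}"; then
    firewall_reload "$1" "$2"
fi
```

NetworkManager only runs dispatcher scripts that are owned by root, executable, and not writable by group or others, so install it with `chown root:root` and `chmod 755`; a script that silently never runs is usually one with the wrong permissions.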

textillis 07-07-2013 06:51 AM

Quote:

Originally Posted by unSpawn (Post 4985597)
Moved: This thread is more suitable in the slackware forum (where almost all slackware-related threads go) and has been moved accordingly to help your thread/question get the exposure it deserves. BTW http://docs.slackware.com/howtos:sec...basic_security says check http://www.slackware.com/~alien/efg/ (maybe see http://rlworkman.net/conf/firewall/ as well?).

Mighty nice of you.
Thanks for your great work in keeping a formidably great site going and available to the likes of me
: 0 ))
I'll follow the lead you offer.

cheers

frankbell 07-07-2013 09:47 PM

Linux includes firewall capabilities. It's called iptables.

The firewall programs you install are generally front-ends for configuring iptables.

My personal favorite for use with Slackware is the ProjectFiles rc.firewall script; like Slackware, it just works.

You configure it up, place it in /etc/rc.d, and make it executable. Then it will run at boot. You can start it as root with /etc/rc.d/rc.firewall start.

It's hard to find on the internet any more, but I do have a copy if you would like it. (I'm hesitant to post a link because it's on my website and might look like advertising.)

TobiSGD 07-07-2013 10:05 PM

Quote:

Originally Posted by frankbell (Post 4985943)
It's hard to find on the internet any more, but I do have a copy if you would like it. (I'm hesitant to post a link because it's on my website and might look like advertising.)

There is nothing wrong with posting a link to your site, as long as it is helpful and on-topic.

textillis 07-07-2013 11:47 PM

Quote:

Originally Posted by frankbell (Post 4985943)
Linux includes firewall capabilities. It's called iptables.

The firewall programs you install are generally front-ends for configuring iptables.

My personal favorite for use with Slackware is the ProjectFiles rc.firewall script; like Slackware, it just works.

You configure it up, place it in /etc/rc.d, and make it executable. Then it will run at boot. You can start it as root with /etc/rc.d/rc.firewall start.

It's hard to find on the internet any more, but I do have a copy if you would like it. (I'm hesitant to post a link because it's on my website and might look like advertising.)

Hi Frank. This is the script Allend alludes to (how about that alliterative "allend alludes")
Please do: go ahead and send site reference; Tobi has thoughtfully ok-ed it below; I would find it both helpful and interesting to see.

Kind thanks for your thoughtful response

ChrisAbela 07-08-2013 05:36 AM

I have a similar situation on my laptop. My solution is to write my own /etc/rc.d/rc.firewall.

Quote:

#!/bin/sh
# Start/stop/restart the firewall

IPT=/usr/sbin/iptables # This will provide some portability

firewall_start() {

# flush the iptables
echo -e "Starting the firewall .... \c"
$IPT -F

# policies
$IPT -P OUTPUT DROP
$IPT -P INPUT DROP
$IPT -P FORWARD DROP

# services is a custom chain; a plain -N fails with "Chain already exists"
# on a second start, and the -F above has already emptied it in that case
$IPT -N SERVICES 2>/dev/null || true

# allowed output
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -o eth0 -j ACCEPT
$IPT -A OUTPUT -o wlan0 -j ACCEPT
$IPT -A OUTPUT -o tun0 -j ACCEPT

# allowed inputs
$IPT -A INPUT -i lo -j ACCEPT # loopback; local programs on a desktop need this
$IPT -A INPUT -j SERVICES # Append the services chain to the input

# allow responses
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# allow sshd on the default tcp port 22
#$IPT -A SERVICES -p tcp --dport 22 -j ACCEPT # Uncomment to allow sshd

echo "[Done]"
}

firewall_stop() {
echo -e "Stopping the firewall .... \c"

# policies (permissive)
$IPT -P OUTPUT ACCEPT
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT

# flush the iptables
$IPT -F

# delete the services custom chain
$IPT -X SERVICES
echo "[Done]"
}

firewall_list() {
$IPT -vL
}

case "$1" in
'start')
firewall_start
;;
'stop')
firewall_stop
;;
'restart')
firewall_stop
firewall_start
;;
'list')
firewall_list
;;
*)
echo "Usage $0 start|stop|restart|list"
esac
You may copy and paste it. Then make sure it has executable permission:

Quote:

# chmod +x /etc/rc.d/rc.firewall
Start it:

Quote:

# /etc/rc.d/rc.firewall start
the next time you boot it will start automatically.

frankbell 07-08-2013 06:18 PM

Quote:

There is nothing wrong with posting a link to your site, as long as it is helpful and on-topic.
Thanks. I tend to prefer to be too careful, rather than not careful enough. :)

Here's my link to the rc.firewall script.

http://www.pineviewfarm.net/weblog/p...rewall-script/

allend 07-08-2013 07:48 PM

Just a comment on that firewall script that frankbell linked.
Code:

# Set default policy for ESTABLISHED and RELATED connections to ACCEPT on FORWARD chains.

iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
if [ "$IS_ROUTER" == "yes" ]; then
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
fi

This section (and perhaps others) will need updating in Slackware-current. http://www.linuxquestions.org/questi...1/#post4900643
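As an added example (not code from the thread or from any poster), here is the same stand-alone desktop policy as ChrisAbela's rc.firewall above, written in iptables-save format and loaded atomically with iptables-restore, using the `-m conntrack --ctstate` match in place of the `-m state --state` match allend flags as needing an update. Loading the table in one step avoids the window a rule-by-rule script has between setting the DROP policy and appending the ACCEPT rules, and `iptables-restore --test` lets you syntax-check the ruleset before committing it. The interface names, the rules file path and the ALLOW_SSH toggle are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): atomic load of a desktop firewall policy.
RULES_FILE=${RULES_FILE:-/etc/rc.d/rc.firewall.rules}  # assumed location
ALLOW_SSH=${ALLOW_SSH:-no}                              # "yes" opens tcp/22

# Print the ruleset in iptables-save format. Optional first argument
# overrides ALLOW_SSH. Kept as a function so it can be inspected and
# tested without touching the kernel.
firewall_rules() {
    allow_ssh=${1:-$ALLOW_SSH}
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:SERVICES - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j SERVICES
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o wlan0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
EOF
    # Services exposed to the network live in their own chain; only NEW
    # connections need a rule here, replies are handled by the conntrack rule.
    if [ "$allow_ssh" = "yes" ]; then
        echo '-A SERVICES -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'
    fi
    echo 'COMMIT'
}

# Number of listening services the ruleset opens (a quick sanity check
# before applying: on a desktop this should normally be 0).
firewall_open_ports() {
    firewall_rules "${1:-}" | grep -c '^-A SERVICES' || true
}

# Parse the ruleset without committing it; non-zero exit means a typo.
firewall_check() {
    if command -v iptables-restore >/dev/null 2>&1; then
        firewall_rules | iptables-restore --test
    else
        echo "iptables-restore not found; skipping syntax check" >&2
    fi
}

# Write the rules file and replace the whole filter table in one step.
firewall_apply() {
    firewall_rules > "$RULES_FILE" && iptables-restore < "$RULES_FILE"
}

case "${1:-}" in
    check) firewall_check ;;
    show)  firewall_rules ;;
    apply) firewall_apply ;;
    '')    ;;  # no argument: only define the functions
    *)     echo "Usage: $0 check|show|apply" >&2; exit 1 ;;
esac
```

Run `./rc.firewall.atomic show` to review the policy, `check` to validate it, and `apply` as root to load it; a `restart` is then just `apply` again, since iptables-restore replaces the table rather than appending to it.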
