shorewall universal configuration

Slakerlife · 11-27-2016, 12:47 PM

Hello
I currently use alien's Bob firewall script, I was thinking on trying shorewall just so I can do logging. I was wondering if someone is using the universal configuration which is intended for standalone system, now by no means em I a guru of networking or firewalling so I would like to ask the gurus if using universal configuration good enough for protection? I only use my computer for web browsing, online banking, netflix, kodi, etc. I dont do any remote SSH into the box, I dont host a server, nor any other external services. So what do the gurus have to say?

Hangaber · 11-27-2016, 02:16 PM

(I'm definitely not a guru)
I've used arno-iptables-firewall and shorewall with minor tweaks, and I like shorewall a lot. I've installed it on most of my machines.

If you use the Universal from "/usr/doc/shorewall-<version>/Samples/Universal/", you may wish to remove or comment out the PING and SSH lines in the 'rules' file.

hitest · 11-27-2016, 03:21 PM

I'm not a guru. If you have an old PC and throw a few NICs in it then pfsense is another solid hardware firewall solution based on FreeBSD using OpenBSD's PF. I ran pfsense for a time and liked it.

FTIO · 11-27-2016, 09:14 PM

Shorewall is a very fine firewall, and the e-mail support is always active and Tone Eastep (the owner of Shorewall) stays on top of questions and is more than willing to help, so long as you've proved you at least tried to figure things out from the website (he's 72 and can't do this forever, heh).

Slakerlife · 11-28-2016, 06:34 PM

I guess I can try the universal config and just follow the instructions and do some of the suggestions.

I always wanted to try pfsense or other firewall distro but never had as I really don't feel confident to fully and properly setup a firewall box, it would be nice to get someone who understand pfsense or other distro to set up a box for me and in the process teach me a thing or two

FTIO · 12-15-2016, 10:13 AM

Quote:

Originally Posted by FTIO

Shorewall is a very fine firewall, and the e-mail support is always active and Tone Eastep (the owner of Shorewall) stays on top of questions and is more than willing to help, so long as you've proved you at least tried to figure things out from the website (he's 72 and can't do this forever, heh).

Sorry, that should be Tom.

PROBLEMCHYLD · 12-15-2016, 10:55 AM

Have you guys tried this? https://www.wilderssecurity.com/thre...alling.376935/

I have added the following to my rc.firewall to allow connectons using the link above.

Code:

# IKE
iptables -A OUTPUT -p udp -m udp  --dport 500  -m state --state NEW  -j ACCEPT

# IPsec
iptables -A OUTPUT -p udp -m udp  --dport 4500  -m state --state NEW  -j ACCEPT

# L2TP
iptables -A OUTPUT -p udp -m udp  --dport 1701  -m state --state NEW  -j ACCEPT

# PPTP
iptables -A OUTPUT -p tcp -m tcp  --dport 1723  -m state --state NEW  -j ACCEPT

# RDP
iptables -A OUTPUT -p tcp -m tcp  --dport 3389  -m state --state NEW  -j ACCEPT
iptables -A OUTPUT -p udp -m udp  --dport 3389  -m state --state NEW  -j ACCEPT