Safety of iptables firewalls if you don't know what you're doing.. or the easiest fw.
Other than Firestarter, how safe is it to use an iptables firewall for Linux if you know the basics of iptables but not the details and not exactly what you're doing with iptables? I want to be very secure without configuring iptables myself if possible or doing as little as possible. If you don't think iptables is safe if you don't really know what you're doing, can you please tell me which firewall you can use (Slackware specific, preferably) that is the easiest to install and configure? Are there any that work like free Windows firewalls, other than Firestarter? I've looked around and looked at slackbuild and can't find a Firestarter package, I searched this site also and saw something about the reason there isn't one. I need help. I'm concerned with my security and I don't want to write my own iptables firewall - I don't fully know what I'm doing.
Last edited by pr_deltoid; 06-14-2010 at 03:57 PM.
The default on Red Hat/CentOS and many distributions disables access to most things by default... that being said, it's not easy if you don't know iptables, but if you don't it IS worth learning. Honestly there is no security product that is effective if you don't know what you're doing.
I read the how-to and tutorials (not the NAT and hacking) from the netfilter site, but I don't really know WHAT to do with the settings. I understand how to configure iptables, I just don't really know what to do with iptables to make it very secure. I guess I could just copy Firestarter's configuration, huh?
Quote:
Other than Firestarter, how safe is it to use an iptables firewall for Linux...
For Linux??? I think that my advice might have quite different elements if you were the admin of a server farm from that I would give if you were a typical home user, both of whom could be using Linux.
Quote:
..if you know the basics of iptables but not the details and not exactly what you're doing with iptables?
Iptables itself isn't that difficult to learn, but you will have to know about networking in order to use it.
Quote:
I want to be very secure without configuring iptables myself if possible or doing as little as possible.
Iptables itself isn't that difficult to learn...oh, sorry, I've already done that. There are quite a number of iptables scripts that you can find scattered around the 'net, and configuring them isn't difficult, if you know what you want to do. Have a look at: linuxhomenetworking frozentux
Quote:
Are there any that work like free Windows firewalls, other than Firestarter?
I don't directly know how Windows firewalls work, but if what you mean is that you want a GUI to configure, there are quite a few. If you try this search, you'll find a few, including this.
Quote:
I've looked around and looked at slackbuild and can't find a Firestarter package
I did also see mention of guarddog being available for an earlier version.
Last edited by salasi; 06-15-2010 at 02:28 AM.
Reason: typo
...didn't see this when I wrote my previous reply...
Quote:
Originally Posted by prdeltoid
I understand how to configure iptables, I just don't really know what to do with iptables to make it very secure.
Your first assumption should be that you want to disable everything unless you actually need it. Of course, that only raises the question of how little you can open up and still do what you want to do...
If the problem is that you don't know which ports associate with which services, there are hints here:
/etc/services
(Although it is possible to use processes on ports other than the default one, so you might have to look in your conf files for that).
Also, netstat can be used to see what is listening on which port.
Quote:
I guess I could just copy Firestarter's configuration, huh?
Yes. There is an argument that this (running a gui rule-generator on another machine) is the normal paranoid's way forward. This enables you to run the rule generator on a machine that is not itself under direct threat of attack and so removes the possibility that the miscreant gets in and substitutes a 'bad' version of the rule generating program.
(In a security context, I am not in any way suggesting that being paranoid is bad; the opposite, in fact.)
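The "what is listening, and on which port" step from the post above, as an added example that is not part of the thread: it parses `netstat -tuln` output, looks each port up in `/etc/services`, and flags sockets that are bound to something other than loopback, since those are the only ones an inbound rule can matter for. The netstat output and the `/etc/services` excerpt embedded below are constructed samples so the script runs offline; `--live` reads the real thing. It expects the net-tools `netstat` layout, not the different columns printed by `ss`.

```shell
#!/bin/sh
# Added example, not code from the thread: find out what is listening before
# deciding which ports to open. It parses `netstat -tuln` output, looks every
# port up in /etc/services and flags sockets that are reachable from other
# hosts (bound to something other than loopback).

# Constructed sample in the layout of `netstat -tuln`, so the script runs
# offline; use the --live flag to read the real thing.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# Constructed excerpt of /etc/services, same format as the real file.
SAMPLE_SERVICES='# service-name  port/protocol  [aliases ...]
ssh             22/tcp
http            80/tcp          www
bootpc          68/udp
ipp             631/tcp'

# listening_ports NETSTAT_TEXT
# One line per listening socket: "proto port bind-address".
listening_ports() {
    printf '%s\n' "$1" | awk '
        ($1 ~ /^tcp6?$/ && $6 == "LISTEN") || $1 ~ /^udp6?$/ {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            proto = $1; sub(/6$/, "", proto)
            print proto, port, addr
        }'
}

# service_name PROTO PORT SERVICES_TEXT
# The /etc/services name for PORT/PROTO, or "unknown" if it is not listed.
# "unknown" (or a name that does not match the daemon you expect) is the
# hint from the post above: something runs on a non-default port, so check
# that daemon's config file.
service_name() {
    name=$(printf '%s\n' "$3" | awk -v want="$2/$1" '$1 !~ /^#/ && $2 == want { print $1; exit }')
    printf '%s\n' "${name:-unknown}"
}

# audit NETSTAT_TEXT SERVICES_TEXT
# Joins the two: "proto port addr service scope", where scope is "local"
# for loopback-only sockets and "EXTERNAL" for anything another host can reach.
audit() {
    listening_ports "$1" | while read -r proto port addr; do
        svc=$(service_name "$proto" "$port" "$2")
        case "$addr" in
            127.*|::1) scope=local ;;
            *)         scope=EXTERNAL ;;
        esac
        printf '%s %s %s %s %s\n' "$proto" "$port" "$addr" "$svc" "$scope"
    done
}

if [ "$1" = "--live" ]; then
    audit "$(netstat -tuln)" "$(cat /etc/services)"
else
    audit "$SAMPLE_NETSTAT" "$SAMPLE_SERVICES"
fi
```

Everything marked EXTERNAL is what a default-deny INPUT chain will block unless you add a rule for it; for a desktop the list is usually empty once cupsd and the like are bound to 127.0.0.1. Run it as root (or with `netstat -tulnp`) if you also want the owning process.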
Basically you want to disable all NEW state connections inbound unless they're explicitly allowed. You probably want to allow any state RELATED,ESTABLISHED connections. If you have nothing enabled from outside (a good configuration for a desktop) then you're about as secure as you can get. Servers should only have the required remotely accessible services enabled.
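The ruleset the post above describes, as an added example rather than anything posted in the thread: default policy DROP on INPUT, accept loopback and RELATED,ESTABLISHED, then accept NEW inbound TCP only on ports you name. It uses the `conntrack` match (`-m state --state` is the older spelling of the same thing). By default the script only prints the commands so you can read them; `--apply` runs them and needs root. The port list and `fw-drop:` log prefix are choices made for this example, and setting `IPT=ip6tables` produces the IPv6 version, which you need as well or IPv6 stays wide open.

```shell
#!/bin/sh
# Added example, not from the thread: generate the "default deny inbound"
# IPv4 ruleset described in the post above. Commands are printed, not run,
# unless you pass --apply as root.

IPT=${IPT:-iptables}   # set IPT=ip6tables to produce the IPv6 equivalent

# gen_rules [tcp_port ...]
# Prints commands that: drop everything inbound by default, accept loopback,
# accept packets belonging to connections this host started
# (RELATED,ESTABLISHED), drop packets that do not open a connection cleanly
# (INVALID), and accept NEW inbound TCP only on the listed ports. With no
# ports given, no service is reachable from outside: the desktop case.
gen_rules() {
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "gen_rules: bad port '$port'" >&2; return 1 ;;
        esac
    done
    cat <<EOF
$IPT -F
$IPT -X
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    for port in "$@"; do
        echo "$IPT -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited log of what still falls through to the DROP policy, so a
    # mistake (a service you forgot) shows up in the kernel log.
    echo "$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"fw-drop: \""
}

# count_accepts [tcp_port ...]
# Number of rules that open a port to NEW connections; a quick sanity check
# that you opened exactly what you meant to.
count_accepts() {
    gen_rules "$@" | grep -c -- '--ctstate NEW -j ACCEPT'
}

case "$1" in
    --apply) shift; gen_rules "$@" | sh -e ;;   # needs root; test from the console first
    *)       gen_rules "$@" ;;
esac
```

`sh gen-rules.sh 22` prints a ruleset that admits only SSH; `sh gen-rules.sh --apply 22` applies it. The flush happens first, so if you are logged in over SSH there is a brief window before the RELATED,ESTABLISHED rule is back; retransmission covers it, but a typo in the port list locks you out, which is why the print-first default exists. To make it survive a reboot, run `iptables-save` afterwards into whatever your distribution's init scripts restore from (on Slackware, typically a script called from `rc.local` or `rc.firewall`).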