Idea for Slackware 14.0 - Easy Firewall Generator (clone of AlienBob's)
I just realized that Slackware really doesn't include a ready-to-use Firewall by default that is set up by the user either during installation or post-installation using iptables.
Why not add a simple extra set of tools to the BusyBox ncurses installer to generate a Firewall using a script program labeled something like "fwconfig" (similar to the current config scripts for ALSA, X11, Network, and such) that operates exactly like the Easy Firewall Generator webpage on AlienBob's (Eric's) website, and makes it executable for the boot sequence. Would be a nice extra touch, IMO. Any comments? Good idea? Bad idea? Etc.?
This will be a value added in security for 'lazy' slackers like me :)

Great Awesome idea

I think it would be useful, and would improve default security in Slackware.

Not a bad idea at all :-) BTW - Alien, thanks for the generator!
You know, of all the things you never think about, it's simple basic security like a Firewall. If Windows, since XP Service Pack 2, can be secure out of the box with its own pre-configured Firewall, why can't Linux, and especially Slackware, have its own firewall setup tool and firewall script?
You know, of all the Linux distributions out there, how many Linux distributions actually INCLUDE a firewall tool ready to go out of the box for iptables at installation time? One or two, maybe? But are those mainstream distributions? Probably not. Time to drop the boulder in the small pond and make a hell of a splash in my opinion.
ReaperX7,
I like that idea a lot. I like and use Eric's script. I think that would be a very welcome addition to 14.0. :)
Well,
I'm glad this subject comes to "mainstream", as I tried to propose a script myself for that but barely had any answers :)... It was last summer... I'm still using this script. And have some other useful scripts but I don't have the time to set up a "blog" or something and feed it with "human pleasable" content ;)... But I'd be happy to team up with some folks in order to improve "3rd party slackware utilities"... Cheers. Garry.
I've used Ubuntu before but I've never seen them have a ready-to-go Firewall out of the box. I have seen them have available a Firewall like Firestarter and FireHOL but they were never actually included in the general configuration, only in the online downloadable packages.
I wonder how Patrick would feel about a proposal such as this?
Personally, I do not like this idea. I recognise that iptables and firewall scripts are intimidating to new users, but there are many HOWTOs and examples available. Security is an issue that requires study and understanding. Scripts and GUI generators do not provide this.
If the desire is to protect a new user setting up on a home system, then firewall protection is very likely already being provided by the external modem/router. If the desire is to set up a minimal firewall that blocks everything, then simply copy the already provided '/etc/ppp/firewall-standalone' to '/etc/rc.d/rc.firewall' and change the EXTIF if necessary. Having a firewall set up at installation will be a hindrance to those trying to set up servers with various services available.
You can always skip that step, which would obviously be provided as other existing tools provide, if you feel a manual configuration is more your thing, or no configuration is needed.
The point of the tool's addition isn't to take away from existing tools out there, just to supplement what's already there for the end user who may want to set up his/her own Firewall and make it less of a headache, while providing a sense of having a tool that makes security readily available if desired. While SPI firewalls on routers and other hardware are often effective, sometimes this isn't enough if another computer is or has become compromised. AlienBob's Firewall script, by default when you visit his webpage, configures a basic yet powerful Firewall for Dynamic IP Addresses on Single Systems. This should be, at minimum, a setup for a normal user during installation. Even without understanding some level of security, the default configuration offers a very solid solution even a novice Linux user would benefit from. If needed the tool can be rerun and the script updated to allow things like BitTorrent, MSN, etc. However, currently there is not a tool to do this on the system if it's offline. If you want to use AlienBob's EFG, you have to be online. For IT professionals there are other tools even in his script that allow for Static IPs, specialized ports, and even application-specific allowances, some of which are server oriented. http://www.slackware.com/~alien/efg/ If we can have tools to set up Xorg, ALSA, Network Addressing schemes, disk partitions, and even a window manager, why can't we have a tool that sets up a firewall with a basic to advanced level of configuration?
It's nice if rc.firewall exists by default after installation (although as a blank page when I type nano /etc/rc.d/rc.firewall) :)
Quote:
If you want to trust your security to a script provided by someone else over the web, then feel free. I choose not to do so.
Well, it should be a choice during the install, something like "Would you like to configure a minimal firewall?". Obviously, experts will choose no, and do it themselves. Newbies and lazy users (like me) will choose yes. It will improve default security in these cases. I don't see anything wrong with AlienBob's EFG, I've never had problems with it and it provides good protection as I see from online tests.
Edit: well, to be fair, it's a port of "parts" of the php script I used... It might (will) require some improvement and more features... But I'm ok to do this work if people need those features.
Quote:
Cheers

It would be very nice to have an easy way to set up a firewall.
I actually still use Chess Griffin's firewall from a document I found years ago titled Slackware security (IIRK). Thanks Chess! And thanks to allend for pointing to /etc/ppp/firewall-standalone! I had never looked there...:o
Quote:
Cheers

My problem with an easier firewall setup is that it encourages a user to think that all that needs to be done to securely set up services such as NFS or SSH is elect to start the daemon during the install and then open ports in the firewall. Both the examples that I cite require further changes to a default Slackware install in order to achieve an appropriately configured and secure setup. Merely opening ports in a firewall is only part of the setup process.
I do not wish to denigrate firewall setup scripts. I have used Alien_Bob's EFG and have learned from the output.
The point of the tools is to at least get some basic level of security integrated into Slackware's setup, not for the advanced users with their custom setup scripts, but for beginner/novice users who don't understand the complex startup scripts for iptables.
For many users starting out, they don't understand how anything works on Linux until AFTER they get online and start reading. Before they get online they have a system that is NOT secure even in the least. It's only after they get everything from online websites, documents, and such that they finally learn how to set up a Firewall on Linux, but by that time, it could be too late. The basic firewall or even advanced setup script(s) that could be implemented at least offer some fundamental baseline for what type of security we should strive for. Even at the most basic level of configuration AlienBOB's script does block a lot of unwanted traffic and only allows valid protocols from applications loaded. For the advanced users running servers, yes we don't need it and that part of the setup and system configuration CAN be skipped. Even I don't use the basic setup of AlienBOB's script. I actually have some customizations just for my system to handle ports, protocols, and which traffic from other systems on my network can see and communicate with my machine, but in comparison, something is better than nothing. By offering at least some basic level we can at least tell the beginner user, "Yes you have a firewall setup tool, yes the firewall works, and yes your system has protection, but there are documents out there to allow for more advanced features when and if you need them." This tool is needed for the system regardless of how we look at it. Yes, it's not a tool for advanced users, but for beginners it's a sign that the project cares about your security. And as stated, if you don't want to use it, you can skip it... Just like some of us skip the installation section to create a Bootable USB Stick for LILO, and Testing Custom Screen Fonts.
Where is the "leader board" so I can see if I too can be "the geekier slacker around"??? I like slackware because it's straightforward, vanilla and so on... NOT because it makes me feel superior to other people because *I* would know in which deeply hidden documentation some quote is... Seriously that is off topic and does not help the debate... The debate is: There ARE noobs, even using Slackware, and even if you don't mind, there also are professionals (myself) not willing to write the same stuff many times... sorry, I'm a programmer, for 23 years now, and I never liked writing the same thing twice, moreover I got the brain to automate a "dull task"... If you like doing those no-brain tasks by hand that's your freedom; having some tool that helps people not to write the script, just using easy and human readable data (yet itself a script that can itself be generated or whatever), I really don't understand where it bothers the ones that like to type useless stuff (yes useful, but brainless once you have done it), they can... The ones who'd rather have a life instead of opening vi etc, those people would be able to do something else AND have a firewall AND have control on how this firewall is set up. I'm not into the graphical tools... But complaining because a helper, not mandatory, could be too easy for the people... Sorry but this is deeply stupid... (Nothing personal allend, this is the content of your message that brought on one of my turns, something like that http://www.youtube.com/watch?v=kG36n8vFAmE :) )
Sorry, but there is at least another one, obviously it's unfirewalled, but also the SSH daemon accepts root connections (this is not a safe behavior for a server plugged directly into the web). Edit: well, thinking about that, it's not really a "leak", you really need to be able to connect as root during the early install phase, and the fact that you should first create a user and then disable the remote root access is a "good habit", but the system can't do or propose a lot more without getting into something overkill. There might be some others, but I don't remember at the moment (..of waking up :) )... BTW, we are not criticizing nor willing to impose anything on slackware, we just propose things that we think could be useful to some of us, and if it can help "noobs" to come to slackware, I'd be happy. Thanks for all the hard work, Cheers Garry.
In Slackware 13.37 that email has the subject "Welcome to Linux (Slackware 13.37)!" and you are well-advised to read it! Also, Slackware does not activate the SSH daemon by default. You, the person installing Slackware, make the conscious decision of activating it (or not) during installation. Eric
Because I think it fits: http://noobfarm.org/viewquote.php?id=1667
However, I agree iptables is not the easiest thing to deal with, when you want to learn to control the firewall. Many people -- and not only noobs -- seem to dream of a Linux clone of OpenBSD's pf (and indeed nftables was taking that way). Maybe including shorewall or this kind of thing could help to fix this...
Shorewall, from the last times I've tried to use it, takes a lot of configuration time to set up, configure, and reconfigure several times, hoping you get it right. A script to configure Shorewall would be a real undertaking though, but would make the process easier to set everything up, and the fact that Shorewall6 supports IPv6 would be a good addition as well.
Perhaps a small compromise... Could an offline form of AlienBOB's webpage for setting up the iptables firewall be included on the DVD in /extra?
What about firewall builder, it looks reasonably easy to use:
http://www.fwbuilder.org/ You can use it to generate scripts in a similar but more GUI way. It is GPL'd by the way, just in case you think the site looks proprietary. http://www.youtube.com/watch?v=Q5GPrkwyGxw
FwBuilder might be too advanced for some users. It might be best to want a firewall that anyone can use and that can be set up with a script generation tool that doesn't require an advanced level of knowledge of firewalls, IP addressing, and such tasks.
Shorewall seems better because it's just non-architectural scripts that require an editor or script generator. AlienBOB's EFG fits this because it is more or less the same thing, but just uses a webpage-based script generation tool to create the rc.firewall script to load modules for the kernel and set up addressing schemes, ports, etc. However, regardless of which would ever be useful, you want something for everybody of any skill level and it has to be optional to set up.
Choose your answer:
A. ONLY a blank rc.firewall.
B. ONLY rc.firewall with a very basic script.
C. Installer option + blank rc.firewall
D. Installer option + very basic firewall
E. Installer option + generator scripts included
F. All the answers wrong. (Only BDFL can choose this) :D
Maybe the easy route: just make rc.firewall exist. The user will enable this feature if he wants it (just change it to 755). The problem is the content of rc.firewall itself. Every user has a different agenda, so the content should be a basic one.
Plus I did leave the option out to discuss including an offline webpage on the installation disk for EFG, possibly in /extra. The decision to remove Gnome was big, but then we find out we have to rely on some of its libraries and find out we need to add some back in to support packages using them as dependencies. Yet many seem to think adding Gnome libraries back in for dependencies is the end of the world. It's just dependencies, and while Slackware is growing all the time, it's evolving all the time as well. We knew eventually it wasn't going to be an OS limited to just 1 CD-ROM disk or even now 1 DVD-ROM disk. With time all things change to some extent. However, as anything goes, it's just discussion, ideas being tossed back and forth, conversation, and even some debate. Better to be a ripple in a pond than a wave in the ocean.
I like the sample and warning from FreeBSD related to firewalls: http://www.freebsd.org/doc/en_US.ISO...alls-ipfw.html
Posting from my phone:
I would suggest that if a firewall was ever included, then even at the basic configuration it be a stateful packet inspection firewall rather than a stateless firewall. However there could be an option to have a generic rc.firewall script set up as such for a stateful packet inspection and filtering scheme for dynamic addresses already in the /etc/rc.d directory, and all the end user has to do is run chmod +x against it from root to enable it.
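The kind of rc.firewall the thread keeps circling around (allend's "copy firewall-standalone to /etc/rc.d/rc.firewall and set EXTIF", ReaperX7's description of the EFG default for a single host on a dynamic address, and the stateful-inspection request just above), written out as an added example. This is not code from any post in this thread, from Slackware, or from AlienBob's EFG; the variable names EXTIF, OPEN_TCP and IPTABLES, the helper function names, and the eth0 default are assumptions of this example.

```shell
#!/bin/sh
# rc.firewall: minimal stateful, default-deny iptables firewall for a single
# host on a dynamic address. Constructed example, not Slackware's script and
# not EFG output. Assumed knobs: EXTIF (external interface), OPEN_TCP
# (inbound TCP ports to accept, space separated), IPTABLES (binary path).

EXTIF="${EXTIF:-eth0}"
OPEN_TCP="${OPEN_TCP:-}"
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"

# Emit the rule set as iptables commands, one per line, without applying it.
# Generating separately from applying lets the result be read, diffed or
# tested without root before it ever touches the kernel.
generate_rules() {
    # Start from a clean slate in every table.
    echo "$IPTABLES -F"
    echo "$IPTABLES -X"
    echo "$IPTABLES -t nat -F"
    echo "$IPTABLES -t mangle -F"
    # Default deny for inbound and forwarded traffic; outbound is unrestricted.
    echo "$IPTABLES -P INPUT DROP"
    echo "$IPTABLES -P FORWARD DROP"
    echo "$IPTABLES -P OUTPUT ACCEPT"
    # Loopback is always trusted.
    echo "$IPTABLES -A INPUT -i lo -j ACCEPT"
    # The stateful core: replies to connections this host opened are accepted,
    # so a plain client needs no inbound port open at all.
    echo "$IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Packets conntrack cannot classify (stray ACKs, bad sequence) are dropped.
    echo "$IPTABLES -A INPUT -m conntrack --ctstate INVALID -j DROP"
    # Services deliberately exposed on the external interface, one rule each.
    for port in $OPEN_TCP; do
        echo "$IPTABLES -A INPUT -i $EXTIF -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited log of what the INPUT policy is about to drop, so the
    # "why can't I reach my box" question has an answer in the syslog.
    echo "$IPTABLES -A INPUT -m limit --limit 3/min -j LOG --log-prefix 'rc.firewall DROP: '"
}

# Number of inbound TCP ports the current configuration exposes.
open_port_count() {
    generate_rules | grep -c -- '--dport' || true
}

fw_start() {
    generate_rules | sh -e
}

# Flush everything and fall back to accept-all (the pre-firewall state).
fw_stop() {
    "$IPTABLES" -F
    "$IPTABLES" -X
    "$IPTABLES" -P INPUT ACCEPT
    "$IPTABLES" -P FORWARD ACCEPT
    "$IPTABLES" -P OUTPUT ACCEPT
}

fw_status() {
    "$IPTABLES" -L -n -v
}

case "${1:-}" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_stop; fw_start ;;
    status)  fw_status ;;
    show)    generate_rules ;;   # print the rules without applying them
    "")      ;;                  # no action given: only define the functions
    *)       echo "Usage: $0 {start|stop|restart|status|show}" >&2 ;;
esac
```

`sh rc.firewall show` prints the rules so a user can read what they are about to enable; enabling it is the chmod +x step mentioned above, after which the "run the firewall script before enabling packet forwarding" hook in rc.inet2 picks it up at boot. The sshd case raised later in the thread is the OPEN_TCP="22" setting: with it empty, the host answers nothing unsolicited from the outside, which is what a single dynamic-address workstation usually wants.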
We have /usr/share/mkinitrd/mkinitrd_command_generator.sh with no option in installer to use it.
As for me /usr/share/iptables/firewall_generator.sh placed in iptables package and mentioned in documentation (CHANGES_AND_HINTS.TXT) with no option in installer seems the best solution.
Cool.
+1 for the firewall config script in the installer, although it should be "skippable".
Scripts that automate system configuration (like liloconfig or mkinitrd_command_generator.sh) are already present in Slackware, so I don't think making things easier goes against the distro's philosophy.
I will repeat that I wouldn't object to a firewall script being included, but pretending that it is a simple matter of shipping a do-everything script is not helping. Enabling a good, secure firewall *will* flood Pat with support requests asking why network services aren't working (why can't I ssh to my box???). Since the way to prevent those support requests is to get users to understand what they're doing, allowing users to implement their own firewalls via rc.firewall puts the responsibility on the user instead of the maintainer. I would much rather Pat spend his time juggling package versions and patches to try and get a good, stable, functional Slackware than worrying about writing firewall scripts and responding to e-mails from uninformed users, especially when there's a very good chance that I and anyone else looking for more than the bare minimum firewall will end up rewriting it anyway. Pumping out a stable distro and knowing which versions of software to include (for ~1000 packages) so that everything works well is beyond my capability and time constraints, but creating a firewall is well within my abilities. I would rather more time be spent on the former than the latter. The EFG already exists (and is hosted on slackware.com) and is a noob-friendly way to create a firewall without any additional support required from Pat. I think it's sufficient. Of course that is just one man's opinion. Also see this from rc.inet2: Code:
# If there is a firewall script, run it before enabling packet forwarding.
Quote:
Code:
If you need to set up your Linux machine as a router for other systems,
Going off what Eric said, the HOWTO documentation could be added to, to include more information on this perhaps. That being said, couldn't a sample firewall script be provided like the sample Samba script?