I did it by hand and good ol fashioned trial and error
|
Please keep in mind that there are people coming from Windows firewalls. I am the one. I need a graphical pop-up window i.e. interactive firewall that asks me what to do each time a new type of connection happens, of course with "remember this" option. Any idea?
While a lot of firewalls exist in Windows, it's easy to find a good one, even for free. But here, I am confused, each distribution is using its own and then you come with hand option... |
Arno-iptables-firewall deserves a mention. Home page: http://rocky.eld.leidenuniv.nl/
There's a Slackware 11.0 package at http://www.linuxpackages.net/search_...e=arn&ver=11.0 |
Wrote my own with the thanks of netfilter.org, read quite a few scripts, took out what I like to make my own script. I have also added a lot of my own code to it to make a lot of things more automatic rather than having to heavily modify each time it goes onto a new host, only have to adjust the rules depending on the services the host is going to run. Unfortunately I don't run any servers at the moment so I cannot link to it.
|
I wrote mine by hand after looking at online examples. Basically, it's:
accept all traffic on loopback
accept all outbound traffic
drop all inbound traffic except ssh, ntp, and established/related packets
Seems to work fine so far :) |
Quote:
Unless you're running an ntp server for the public, there's no need to explicitly open that port either - the est/rel rule will catch replies to your outgoing requests. If you'd like to use the recent match to cut down on some of the ssh brute force attacks, this might be helpful - I tried to comment it well enough for someone to actually understand what they're doing rather than just blindly copying... http://rlworkman.net/conf/firewall/sshattacks Also, if you'd like to have identd requests acknowledged when they're expected but dropped otherwise, see this link: http://rlworkman.net/howtos/irc-identd |
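An added example of the policy just described, written as my own illustration rather than either poster's script: loopback and outbound accepted, inbound dropped except ssh and established/related, the ntp port left closed as the reply suggests, plus the `recent` match used to rate-limit new ssh connections per source. The ssh port, the burst of 4 new connections per 60 seconds and an IPv4-only single-interface host are assumptions. The script prints the rules by default so they can be reviewed without root; `--apply` runs them.

```shell
#!/bin/sh
# Added illustration, not the poster's or rlworkman's script.
# Policy: default DROP inbound, ACCEPT outbound, loopback open,
# established/related replies accepted, ssh allowed but rate-limited
# with the 'recent' match. ntp is not opened: replies to our own
# outgoing queries are caught by the ESTABLISHED,RELATED rule.
# Assumptions: IPv4 only, ssh on port 22, one interface.

SSH_PORT=22      # assumed ssh port
SSH_BURST=4      # the Nth new ssh connection from one source ...
SSH_WINDOW=60    # ... within this many seconds gets logged and dropped

# Emit the rules one per line instead of applying them, so the policy
# can be reviewed (and tested) without root or a live netfilter.
gen_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -m recent --update --seconds $SSH_WINDOW --hitcount $SSH_BURST --name SSH -j LOG --log-prefix "SSH_BRUTE: "
iptables -A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -m recent --update --seconds $SSH_WINDOW --hitcount $SSH_BURST --name SSH -j DROP
iptables -A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT
EOF
}

# Self-check: list every destination port an ACCEPT rule opens.
# With this policy the only line printed should be "--dport 22".
open_ports() {
    gen_rules | grep -- '-j ACCEPT' | grep -o -- '--dport [0-9]*' | sort -u
}

# Run each generated line as a command (needs root and iptables).
apply_rules() {
    gen_rules | while IFS= read -r line; do
        eval "$line"
    done
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    gen_rules
fi
```

The three ssh lines are order-sensitive: `--set` records the source first, the `--update` lines then drop (after logging) any source that has reached the burst within the window, and only sources below the threshold fall through to the final ACCEPT. Lowering the hitcount or widening the window makes the limit stricter; legitimate users who mistype a password a few times in a row will feel it too.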
|
Quote:
[1] There is at least one legitimate use of the owner match that comes to mind - only allow outgoing smtp traffic if the process sending it is owned by the mail user; this way, if apache (or some other service) is rooted, it won't be allowed to send spam from your system. However, this is a stop-gap measure, and a far better solution is to either run other services chrooted and/or make sure you stay up to date with security patches for them.
|
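An added example of the owner-match idea in the quoted footnote, my own illustration rather than rules from the thread: outbound traffic stays accepted by default, as in the "accept all outbound" policy earlier in the thread, but SMTP may only leave the box when the sending process runs as the mail user; any other process reaching for port 25 is logged and rejected, which is what would trip if a rooted web server tried to send spam. The MTA running as user `mail` and IPv4-only are assumptions.

```shell
#!/bin/sh
# Added illustration, not the poster's rules.
# OUTPUT chain: accept everything outbound except that tcp/25 is
# restricted to processes owned by the mail user. Other senders are
# logged and rejected so the attempt shows up in the kernel log.
# Assumption: the MTA runs as the "mail" account.

MAIL_USER=mail     # assumed account the MTA runs as

gen_output_rules() {
    cat <<EOF
iptables -P OUTPUT ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -m owner --uid-owner $MAIL_USER -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j LOG --log-prefix "SMTP_NOT_MAIL: "
iptables -A OUTPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset
EOF
}

# Ordering check: the owner ACCEPT must come before the catch-all REJECT,
# otherwise the MTA's own mail is rejected as well. Prints "ok" or "bad".
check_order() {
    gen_output_rules | awk '
        /--dport 25/ && /--uid-owner/ && /-j ACCEPT/ { accept = NR }
        /--dport 25/ && /-j REJECT/                  { reject = NR }
        END {
            if (accept && reject && accept < reject) print "ok"
            else print "bad"
        }'
}

gen_output_rules
echo "rule order: $(check_order)"
```

The `owner` match only works in the OUTPUT chain, since that is the only place the kernel still knows which local process generated the packet. As the footnote says, this limits the damage from a compromised service rather than preventing the compromise; it does nothing for a process that is already running as the mail user.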
Quote:
This is a fantastic module. I like using it as well, great for the webserver, helps to slow a lot of those scripts down that like to hammer your site. |
configured by hand
|
I use Shorewall
I've been using shorewall (www.shorewall.net) for a number of years. Shorewall is a text mode tool, not a gui. I think it offers a great flexibility for lots of different applications, while being substantially simpler than directly writing iptables rules. Configuration is straightforward, although requiring some knowledge of precisely what you want to do. (In this regard, I consider it "slackwarish".) I also think the documentation on shorewall is fantastic, giving a very clear description of what firewalling is about for systems ranging from one desktop to an enterprise.
|
I use firestarter for desktop and laptop. For the webserver, I use rules that I constructed and run them during bootup.
I want to move to a firewall startup script of my own one of these days...once I get some time from my month-old daughter. :D Thanks! gilead for posting that awesome tutorial. I actually use Linux Firewalls by Steve Suehring and Robert Ziegler; ISBN 0672327716. Has pretty good info on setting up basic to advanced iptables firewall. |
simple home made script with all the rules inside. (as rc. file)
|
Quote:
Basically the winbloze firewalls protect you from an inside-job. If you don't like apps "phoning home" it's a good idea to do some checking with ethereal/wireshark/iptraf/etc. If not you have no idea what's being exposed by programs you run. For example how do you know that some app that does your finances (gnucash) is not connecting to the internet (it does). In winbloze this kind of exposure is built-in to the "OS" which is why it's so important. We know that our kernel devs would never do anything like that ;) and we trust them. But we also have thousands of 3rd party apps we build and use every day and how do we know what they're doing? It would be a lot easier (and safer) if there was an easy way to control all outbound traffic as well as we can control inbound traffic. |
|