micmac l33t
Joined: 28 Nov 2003 Posts: 996

DNAspark99 Guru
Joined: 03 Sep 2004 Posts: 321
Posted: Tue Sep 13, 2005 6:59 am
Once again, I cannot recommend fireHOL enough.
I've spent the time to emerge and configure several different popular firewalls. In the end, it was firehol that had me hooked.
I too handle more than one server, and with firehol's quick, clear, highly configurable syntax, no matter what the machine's purpose, it's easy to set up an excellent firewall in a matter of minutes. This was the tool I wasted much time to find. Save yourself the trouble, take a look at fireHOL!
Last edited by DNAspark99 on Tue Sep 13, 2005 7:02 am; edited 1 time in total

zeek Guru
Joined: 16 Nov 2002 Posts: 480 Location: Bantayan Island
Posted: Tue Sep 13, 2005 7:01 am
Go with Shorewall.

gozu n00b
Joined: 04 Jan 2003 Posts: 55
Posted: Tue Sep 13, 2005 7:24 am
I personally find all of these solutions overkill for what most people need. I would suggest, as already suggested, just making a little itty bitty iptables script.

spankmeister7 Tux's lil' helper
Joined: 10 Apr 2005 Posts: 76
Posted: Wed Sep 14, 2005 1:48 am Post subject: shorewall
It took quite some time to get Shorewall installed and configured correctly. My real problem is the how-tos assume a config I'm not using.
Finally I got it all correctly installed and configured. The nice part is, there is only one easy file (rules) to edit to make it do what I want (allowing certain traffic on certain ports, keeping all else closed) in the future. Easy to admin, hoo!
I'll take a look at fireHOL for my next project.
As far as straight up iptableschainswhatever, I just find the documentation and examples too cryptic to understand in the small amount of time I have considering my many responsibilities and clients. I'm no stranger to admin and networking stuff, but I think it's crazy that what should be administered through a single, simple config file should have to be an exercise in scripting. For those who already know about it, of course it's easy. Telling the rest of us how easy it is for THEM does the rest of us NO GOOD AT ALL. Not only is it not constructive, but really it's just the kind of techno-machismo that turns the otherwise willing away. What good is the best security feature if a non-expert can't get it to work? The sad part is that I understand the syntax and concept of what firewall tables look like...
Screw iptableschainswhips scripting.
My $0.02

micmac l33t
Joined: 28 Nov 2003 Posts: 996
Posted: Wed Sep 14, 2005 6:12 pm Post subject: Re: shorewall
spankmeister7 wrote:
It took quite some time to get Shorewall installed and configured correctly. My real problem is the how-tos assume a config I'm not using.
Finally I got it all correctly installed and configured. The nice part is, there is only one easy file (rules) to edit to make it do what I want (allowing certain traffic on certain ports, keeping all else closed) in the future. Easy to admin, hoo!
I'll take a look at fireHOL for my next project.
As far as straight up iptableschainswhatever, I just find the documentation and examples too cryptic to understand in the small amount of time I have considering my many responsibilities and clients. I'm no stranger to admin and networking stuff, but I think it's crazy that what should be administered through a single, simple config file should have to be an exercise in scripting. For those who already know about it, of course it's easy. Telling the rest of us how easy it is for THEM does the rest of us NO GOOD AT ALL. Not only is it not constructive, but really it's just the kind of techno-machismo that turns the otherwise willing away. What good is the best security feature if a non-expert can't get it to work? The sad part is that I understand the syntax and concept of what firewall tables look like...
Screw iptableschainswhips scripting.
My $0.02

Well spoken!
mic

crashoverride659 n00b
Joined: 12 Oct 2005 Posts: 54 Location: Wisconsin
Posted: Sun Nov 13, 2005 10:25 pm Post subject: good firewall?
Anybody have any preferences on firewalls? I would like to get one, but I have no idea what firewalls are good for Linux!
Please feel free to be biased toward whatever firewall you use.
Thanks in advance,
Crash

DNAspark99 Guru
Joined: 03 Sep 2004 Posts: 321
Posted: Sun Nov 13, 2005 10:29 pm
Personally, I'm a fireHOL fan.

crashoverride659 n00b
Joined: 12 Oct 2005 Posts: 54 Location: Wisconsin
Posted: Sun Nov 13, 2005 10:43 pm
Any particular reasons? Experiences?

ticho Tux's lil' helper
Joined: 23 Oct 2003 Posts: 138 Location: yes
Posted: Mon Nov 14, 2005 1:23 am
I have been using shorewall for several years, and it has always been able to support all my whims and firewalling needs. It also allows you to add custom iptables rules (in addition to rules generated from your shorewall config), has config file checking (check for validity before trying to activate defined rules), and various other options. I guess I'm using only about half of the features it offers.
fireHOL looks good as well, though, judging by a brief read through the tutorial on its website.
_________________ The more you depend on forces outside yourself, the more you are dominated by them.

syg00 l33t
Joined: 23 Aug 2004 Posts: 907 Location: Brisbane, AUS
Posted: Mon Nov 14, 2005 2:42 am
Not knowing how to proceed initially, I used this to get going.
Still using shorewall ...

crashoverride659 n00b
Joined: 12 Oct 2005 Posts: 54 Location: Wisconsin
Posted: Thu Nov 17, 2005 6:53 am
I'm STILL researching a firewall, if anybody has any more input on what they use and why...
Thanks a lot,
Crash

magic919 Advocate
Joined: 17 Jun 2005 Posts: 2182 Location: Berkshire, UK
Posted: Thu Nov 17, 2005 9:57 am
Unless I'm mistaken there's only one Linux firewall: iptables, part of the kernel.
You can manipulate iptables directly or you can use 101 different GUIs, scripts and frontends.
Look for some good iptables primer/HOWTO articles. Then, having read them, decide if you want to get your hands dirty and deal with iptables, or whether to use a middleman.
If you go down the scripts/GUI route and it doesn't work or adapt as your needs change, you'll be a bit lost.
Most of the iptables queries on here involve scripts/GUIs. Many produce overly complex firewalls, IMO.
For a standalone workstation running no servers, you can protect with <6 lines of iptables, I'd say. I can't see the point of barring ANY outgoing stuff if you have control over the machine itself. Viruses/trojans etc. are not a high priority with decent security.
I used this http://www.pettingers.org/code/firewall.html but left out the malformed packet stuff. Only open up for SMTP and such if you actually use the servers on your machine.

ticho Tux's lil' helper
Joined: 23 Oct 2003 Posts: 138 Location: yes
Posted: Thu Nov 17, 2005 1:13 pm
Yes, it is definitely a plus if you know how to work with iptables directly, and are aware of its capabilities. Many of the frontend scripts (such as shorewall) are much easier to use then. It is all because iptables is a very complex tool, so any frontend tool has to be complex as well, if it aims to utilize iptables fully.
_________________ The more you depend on forces outside yourself, the more you are dominated by them.

DNAspark99 Guru
Joined: 03 Sep 2004 Posts: 321
Posted: Thu Nov 17, 2005 6:21 pm
OK, to expand a little, I chose fireHOL because it's very clear what machine is doing what (on multiple machines in different roles, the config syntax is easily understandable at a glance, and *very* easy to add or adjust rules).
It deals with a simple concept: two types of basic connections:
server: allow incoming connections to $service
client: allow outgoing connections for $service
Code:
trusted_ips="192.168.0.0/32"
interface eth0+ internet
server icmp accept src "$trusted_ips"
server ssh accept with knock SSH
server http accept
server https accept
server dns accept
server smtp accept src "$trusted_ips"
client https accept
client http accept
client ssh accept
client dns accept
client rsync accept
client ftp accept
client icmp accept
client smtp accept
client ntp accept
So with no prior knowledge of what this box does, a quick look at the config file should make it very obvious what is and what isn't allowed.
Even something as simple as:
Code:
interface eth0+ internet
client all accept
results in a very useful firewall for the average workstation.
A user quote on the homepage sums it up:
Quote: I still marvel at the shortness and simplicity of your configuration language contrasted against the completeness and tightness of the fully stateful iptables rules!
I tried all the popular firewall tools (+gui, scripted, etc), but once I actually tried fireHOL, I unmerged everything else.

codergeek42 Bodhisattva
Joined: 05 Apr 2004 Posts: 5142 Location: Anaheim, CA (USA)
Posted: Thu Nov 17, 2005 6:27 pm
DNAspark99 wrote: personally, I'm a fireHOL fan
As am I. Its syntax is very sensible and is comparatively simple to use. No hassling with iptables commands or port numbering, etc. There's no flashy GUI or anything, but it's an excellent iptables configuration tool. You want SSH support? Cool: Add something like "server ssh accept" to your config. It really is fantastic and it really is that simple.
_________________ ~~ Peter: Programmer, Mathematician, STEM & Free Software Advocate, Enlightened Agent, Transhumanist, Fedora contributor
Who am I? :: EFF & FSF

DNAspark99 Guru
Joined: 03 Sep 2004 Posts: 321
Posted: Thu Nov 17, 2005 6:57 pm
codergeek42 wrote: DNAspark99 wrote: personally, I'm a fireHOL fan
As am I. Its syntax is very sensible and is comparatively simple to use. No hassling with iptables commands or port numbering, etc. There's no flashy GUI or anything, but it's an excellent iptables configuration tool. You want SSH support? Cool: Add something like "server ssh accept" to your config. It really is fantastic and it really is that simple.

ntm, in the case of ssh, the simplicity of adding support for port-knocking!
...just set up knockd to listen for the knock (hopefully on ports more random than 1,2,3,4,5 :p)
/etc/knockd.conf:
Code:
[openSSH]
sequence = 1,2,3,4,5
seq_timeout = 5
command = /sbin/iptables -A knock_SSH -s %IP% -p tcp --dport 22 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT && /sbin/iptables -A knock_SSH -d %IP% -p tcp --dport 1024:65535 --sport 22 -m state --state ESTABLISHED -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 5,4,3,2,1
seq_timeout = 5
command = /sbin/iptables -D knock_SSH -s %IP% -p tcp --dport 22 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT && /sbin/iptables -D knock_SSH -d %IP% -p tcp --dport 1024:65535 --sport 22 -m state --state ESTABLISHED -j ACCEPT
tcpflags = syn
then in /etc/firehol/firehol.conf:
Code:
...
server ssh accept with knock SSH
...
...then just use a simple bash script to handle the knocking for you...
Code:
#!/bin/bash
# Connection details: fill in for your own server (placeholders kept as given)
SERVER="IP.OF.YOUR.SERVER"
USER="bob"
KEY="$HOME/.ssh/keys/yourkeyname"
# The sequences must match [openSSH] / [closeSSH] in knockd.conf
OPEN_SEQ="1 2 3 4 5"
CLOSE_SEQ="5 4 3 2 1"
echo "Knock knock..."
/usr/bin/knock "$SERVER" $OPEN_SEQ     # left unquoted so each port is its own argument
ssh -i "$KEY" "$USER@$SERVER"
/usr/bin/knock "$SERVER" $CLOSE_SEQ    # close the hole again once the session ends
echo "thanks for knocking!"
simple, effective, and no more automated ssh attempts!
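The two posts above describe the same thing from both ends: the server/client lines in the first firehol.conf, and the "server ssh accept with knock SSH" line whose traffic knockd opens by appending ACCEPT rules to the knock_SSH chain. The following is an added illustration, not DNAspark99's configuration and not FireHOL's own code: a toy POSIX shell translator that turns a small subset of those config lines into the stateful iptables commands they stand for, printing them rather than running them. The service table, the placement in the INPUT/OUTPUT chains, the function names (svc_spec, emit_rules, firehol_to_iptables, demo) and the idea that "with knock NAME" jumps to a chain named knock_NAME are assumptions made for this example; real FireHOL resolves many more services and options and builds per-interface chains. The sample config is constructed, with a literal CIDR where the thread used a shell variable.

```shell
#!/bin/sh
# Added illustration, not FireHOL's own code: translate a small subset of
# FireHOL-style "interface"/"server"/"client" lines into the stateful iptables
# rules they stand for. It only prints the commands (never runs them), so the
# mapping from config line to ruleset can be inspected offline. The service
# table, the use of the INPUT/OUTPUT chains and the "knock_NAME" chain target
# are assumptions for this example; real FireHOL knows far more services and
# options and builds per-interface chains.

svc_spec() {            # service name -> "proto port" ("-" when no port applies)
  case "$1" in
    ssh)   echo "tcp 22"  ;;
    http)  echo "tcp 80"  ;;
    https) echo "tcp 443" ;;
    smtp)  echo "tcp 25"  ;;
    dns)   echo "udp 53"  ;;
    ntp)   echo "udp 123" ;;
    icmp)  echo "icmp -"  ;;
    all)   echo "all -"   ;;
    *)     return 1       ;;
  esac
}

# emit_rules KIND SERVICE IFACE SRC TARGET
#   server: the peer opens the connection to us   (NEW allowed inbound only)
#   client: we open the connection to the peer    (NEW allowed outbound only)
# Every rule carries a state match: that is what makes the ruleset "fully
# stateful", since only the initiating direction may create a connection.
emit_rules() {
  local kind=$1 svc=$2 iface=$3 src=$4 target=$5
  local spec proto port pmatch="" req="" rep="" peer="" peer_rep=""
  spec=$(svc_spec "$svc") || return 1
  proto=${spec%% *}; port=${spec#* }
  [ "$proto" = all ] || pmatch="-p $proto"
  if [ "$port" != "-" ]; then
    req="--dport $port"     # request side: the service port is the destination
    rep="--sport $port"     # reply side: the service port is the source
  fi
  if [ -n "$src" ]; then
    peer="-s $src"; peer_rep="-d $src"
  fi
  # Unquoted expansions below drop empty options; echo joins with single spaces.
  if [ "$kind" = server ]; then
    echo iptables -A INPUT -i "$iface" $pmatch $req $peer -m state --state NEW,ESTABLISHED -j "$target"
    echo iptables -A OUTPUT -o "$iface" $pmatch $rep $peer_rep -m state --state ESTABLISHED -j "$target"
  else
    echo iptables -A OUTPUT -o "$iface" $pmatch $req -m state --state NEW,ESTABLISHED -j "$target"
    echo iptables -A INPUT -i "$iface" $pmatch $rep -m state --state ESTABLISHED -j "$target"
  fi
}

# firehol_to_iptables: read config lines on stdin, print the iptables commands.
# Unsupported constructs are rejected rather than silently dropped.
firehol_to_iptables() {
  local iface="" line src target
  while read -r line; do
    set -- $line               # word-split the line; the config is trusted input
    case "$1" in
      ''|'#'*) continue ;;
      interface)
        iface=$2 ;;            # "eth0+" is an iptables interface-name wildcard
      server|client)
        [ -n "$iface" ] || { echo "error: '$line' before any interface" >&2; return 1; }
        [ "$3" = accept ] || { echo "error: only 'accept' is handled: $line" >&2; return 1; }
        src=""; target=ACCEPT
        case "$4" in
          src)
            [ "$1" = server ] || { echo "error: src only handled on server lines: $line" >&2; return 1; }
            src=$(printf '%s' "$5" | tr -d '"') ;;   # src "10.0.0.0/8" -> 10.0.0.0/8
          with)
            [ "$5" = knock ] || { echo "error: unsupported option: $line" >&2; return 1; }
            target="knock_$6"    # packets go to this chain; knockd appends ACCEPT rules there
            echo iptables -N "$target" ;;
        esac
        emit_rules "$1" "$2" "$iface" "$src" "$target" \
          || { echo "error: unknown service '$2'" >&2; return 1; } ;;
      *) echo "error: unsupported line: $line" >&2; return 1 ;;
    esac
  done
}

# Constructed sample config in the thread's style (a literal CIDR stands in
# for the shell variable, which this toy parser does not expand).
SAMPLE_CONFIG='
interface eth0+ internet
server ssh accept with knock SSH
server http accept
server smtp accept src "192.168.0.0/24"
client dns accept
client all accept
'

demo() { printf '%s\n' "$SAMPLE_CONFIG" | firehol_to_iptables; }

demo
```

Running it prints eleven commands. The SSH pair jumps to knock_SSH instead of ACCEPT, and that chain starts empty, so port 22 is effectively closed to everyone until knockd's [openSSH] command appends the per-address ACCEPT rules quoted above, and [closeSSH] deletes them again. The smtp line shows how a src restriction becomes -s on the request and -d on the reply, and "client all" shows that even the permissive workstation config only admits inbound packets belonging to connections the host itself opened.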
rev138 l33t
Joined: 19 Jun 2003 Posts: 848 Location: Vermont, USA
Posted: Thu Nov 17, 2005 7:06 pm
I've been using Shorewall for several years and I'm very happy with it.
While I now find it easier to edit the config files directly, the Webmin frontend for Shorewall was a big help as a n00b.

pjp Administrator
Joined: 16 Apr 2002 Posts: 20585
Posted: Thu Nov 17, 2005 7:19 pm
Merged a few threads.
_________________ Quis separabit? Quo animo?

codergeek42 Bodhisattva
Joined: 05 Apr 2004 Posts: 5142 Location: Anaheim, CA (USA)
Posted: Thu Nov 17, 2005 11:00 pm
Oh that's very nifty, DNAspark99. Thank you.
_________________ ~~ Peter: Programmer, Mathematician, STEM & Free Software Advocate, Enlightened Agent, Transhumanist, Fedora contributor
Who am I? :: EFF & FSF

GetLinux Apprentice
Joined: 09 Nov 2005 Posts: 249 Location: USA
Posted: Sat Nov 26, 2005 6:28 pm Post subject: Good firewall for Gentoo n00b?
I'm not sure whether I should be looking at a GUI firewall or not. I'm really not comfortable with the idea of writing a script (i.e., relying on my own limited security knowledge) to "make" a firewall. I've seen some references to fwbuilder and ipkungfu, but it appears that "kungfu" has not had a release in several years, and "builder" is just a GUI to a script?
Is this because all Linux firewalls have to use iptables or something?
I'm just wondering what's the most *reliable* way to go to get an easy-to-use firewall that does stealthing as well as blocking suspicious traffic in/out... e.g., all the same features as any "major" firewall (ZoneAlarm, Norton Personal Firewall, Kerio Personal Firewall).
Hopefully, without writing my own scripts... something I can just install and run, and make changes to as needed.
_________________ Adopt an unanswered post, and help others.
When your question is solved, please put [SOLVED] in original post title.
You can't complain unless you VOTE!

PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310

BoNd60 n00b
Joined: 17 Nov 2005 Posts: 73 Location: Paris, France
Posted: Sat Nov 26, 2005 6:46 pm
Personally, I use guarddog. Never had to complain (but I don't know how to run it at boot).
_________________ Oops, I think I'm not DOS compatible
In every situation, don't forget that the answer is 42

tuxmin l33t
Joined: 24 Apr 2004 Posts: 838 Location: Heidelberg
Posted: Sat Nov 26, 2005 7:44 pm
I second firestarter as a good starting point. If you would like more influence over the created ruleset, you might want to take a look at fwbuilder.
Hth, Alex!!!
_________________ ALT-F4

erikm l33t
Joined: 08 Feb 2005 Posts: 634
Posted: Sat Nov 26, 2005 8:30 pm
My choice is firehol. Easy to configure, yet advanced if need be, and no ugly GUIs.