rattiraivo n00b
Joined: 06 Jun 2024 Posts: 35
Posted: Sat Jun 22, 2024 11:32 am Post subject: Is UFW mandatory?
I've always wondered about this when it comes to minimal distros, because the guides rarely go over ufw directly. So if I didn't know of its existence, I wouldn't worry about it.
If it is mandatory: I followed the wiki page on the kernel options, yet I'm being hit with these errors as I'm trying to enable it:
Code:
ERROR: problem running ufw-init
Warning: Extension limit revision 0 not supported, missing kernel module?
iptables-restore: line 75 failed
Warning: Extension comment revision 0 not supported, missing kernel module?
Warning: Extension limit revision 0 not supported, missing kernel module?
iptables-restore: line 33 failed
Warning: Extension hl revision 0 not supported, missing kernel module?
ip6tables-restore: line 142 failed
Warning: Extension comment revision 0 not supported, missing kernel module?
Warning: Extension limit revision 0 not supported, missing kernel module?
ip6tables-restore: line 30 failed
Problem running '/etc/ufw/before.rules'
Problem running '/etc/ufw/user.rules'
Problem running '/etc/ufw/before6.rules'
Problem running '/etc/ufw/user6.rules'
Thanks.
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5109 Location: Bavaria
Posted: Sat Jun 22, 2024 12:36 pm Post subject:
No, "ufw" is not mandatory ... Do you really know what "ufw" is and what it does?
Let me answer the question:
Our Linux kernel contains modules to filter network packets ... what is called a "firewall" ... Yes, the kernel is the FW. There are two applications that are able to pass filter rules to the kernel: iptables and nftables. You can use either of them.
There are also other applications such as "shorewall" and "ufw" ... which only generate rules that are THEN passed on to the kernel via iptables or nftables. I never recommend these two applications! Why? Because you always need to know what a FW - the kernel - can do, and therefore you need to know the rules. "shorewall" is only suitable if you have to generate extensive filter rules (*), and "ufw" is there to generate simple rules ... which are unfortunately TOO simple == TOO insecure.
(* Even shorewall itself says in https://shorewall.org/Introduction.html : "Shorewall is not the easiest to use of the available iptables configuration tools but I believe that it is the most flexible and powerful. So if you are looking for a simple point-and-click set-and-forget Linux firewall solution that requires a minimum of networking knowledge, I would encourage you to check out the following alternatives: UFW (Uncomplicated Firewall), ipcop")
That's why I always recommend learning how to create rules with iptables or nftables natively.
Do you know what a firewall can do ... and what it CANNOT do?
Let me quote myself from this post: https://forums.gentoo.org/viewtopic-p-8465650.html#8465650
Quote: Learning iptables / example with 2 interfaces
First of all, I want to explain what a firewall is good for. What can it do and what can't it do?
A firewall has two sides:
1.) It can protect you from the Internet, allowing only communications to a dedicated server you have.
2.) If you have a bad program (virus, rootkit) on your computer, it can TRY to disallow this bad program communicating with a bad server somewhere in the internet.
First, look at (2). Why did I write "TRY"? Because a firewall alone can't do this. Why? The answer is: You want to go with your browser into the internet and read some webpages from "https://forums.gentoo.org". Therefore you must allow outgoing https-traffic (this is port: 443). Now you have a bad program that wants to communicate with a bad server. This bad program also communicates over the same (open) port to its bad server ... and the firewall (must) allow this. What you would need is a proxy server for websurfing, which logs all communications into the internet for the port 443 (and 80 for normal http), so you don't go directly with your browser into the internet. Without a proxy server, the whole crap "filtering outgoing packets" doesn't help you in any case against bad programs ... and is therefore completely senseless. Without a proxy you can simply allow ALL outgoing traffic and use the firewall only for (1).
Back to your problem: I know you configured your kernel manually (I really like it when people still do this nowadays), and so I'm quoting myself again:
Quote: If you want to configure a firewall with iptables or nftables, I recommend: enable ALL options in this submenu as <M>odule. Later you will build your firewall; after this is finished, check with "lsmod" which modules you really need for your firewall configuration. After that you can enable all needed modules statically (if you want) and disable all others you don't need.
(from: https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Manual_Configuring_Kernel_Version_6.6#Part_2_-_Slim_kernel )
https://wiki.gentoo.org/wiki/User:Pietinger
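The "Extension ... not supported, missing kernel module?" warnings in the first post each name one iptables match extension whose kernel option is missing. The helper below is an added example (my script, not from the thread, from ufw or from Gentoo): it turns those warnings into the CONFIG_ symbols to enable and checks them against a kernel .config. The extension-to-option mapping is my assumption for current kernels (xt_limit, xt_comment, xt_hl), and the sample log and config are constructed; once the rules load, "lsmod" as suggested above shows which of those modules are actually in use.

```shell
#!/bin/sh
# Added helper: map "Extension X revision N not supported" warnings from
# iptables-restore / ufw-init to the kernel option that provides each match
# extension, and report the ones a kernel .config lacks.
# Mapping below is my assumption for current kernels (xt_limit, xt_comment, xt_hl).

ext_to_config() {
    case "$1" in
        limit)   echo CONFIG_NETFILTER_XT_MATCH_LIMIT ;;
        comment) echo CONFIG_NETFILTER_XT_MATCH_COMMENT ;;
        hl)      echo CONFIG_NETFILTER_XT_MATCH_HL ;;
        *)       echo "UNKNOWN_EXTENSION_$1" ;;
    esac
}

# missing_options LOGFILE CONFIGFILE
#   LOGFILE:    saved output of "ufw enable" / iptables-restore
#   CONFIGFILE: kernel .config, e.g. "zcat /proc/config.gz > /tmp/config"
# Prints "ext -> CONFIG_SYMBOL" for every extension whose option is neither =y nor =m.
missing_options() {
    sed -n 's/^Warning: Extension \([A-Za-z0-9_]*\) revision [0-9]* not supported.*/\1/p' "$1" \
        | sort -u | while read -r ext; do
        sym=$(ext_to_config "$ext")
        grep -q "^$sym=[ym]$" "$2" || echo "$ext -> $sym"
    done
}

# Constructed sample input: the warnings from the first post, and a .config
# that has "limit" built in, "hl" as a module, and "comment" disabled.
SAMPLE_LOG=$(mktemp) && SAMPLE_CFG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
ERROR: problem running ufw-init
Warning: Extension limit revision 0 not supported, missing kernel module?
iptables-restore: line 75 failed
Warning: Extension comment revision 0 not supported, missing kernel module?
Warning: Extension hl revision 0 not supported, missing kernel module?
ip6tables-restore: line 142 failed
EOF
cat >"$SAMPLE_CFG" <<'EOF'
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
# CONFIG_NETFILTER_XT_MATCH_COMMENT is not set
CONFIG_NETFILTER_XT_MATCH_HL=m
EOF

# On the sample this reports only "comment -> CONFIG_NETFILTER_XT_MATCH_COMMENT".
missing_options "$SAMPLE_LOG" "$SAMPLE_CFG"
```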
rattiraivo n00b
Joined: 06 Jun 2024 Posts: 35
Posted: Sat Jun 22, 2024 3:10 pm Post subject:
Thanks for the detailed response. I knew beforehand that at least iptables was the core, so to speak, but I had no idea the kernel itself was the firewall.
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54578 Location: 56N 3W
Posted: Sat Jun 22, 2024 3:30 pm Post subject:
rattiraivo,
To generalise a bit, security is like the layers of an onion.
The idea is to assess your threats, then deploy the 'onion layers' to address those threats.
You will not keep a well-resourced, determined attacker out. See https://xkcd.com/538/
The idea is to discourage opportunists, so they attack someone else instead.
pietinger wrote: First, look at (2). Why did I write "TRY"? Because a firewall alone can't do this. Why? The answer is: You want to go with your browser into the internet and read some webpages from "https://forums.gentoo.org". Therefore you must allow outgoing https-traffic (this is port: 443).
That's true as far as it goes, but it's not complete. It's possible to permit/deny certain IP address ranges too.
This address range restriction can be written for any port, both incoming and outgoing. Both IPv4 and IPv6.
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
rattiraivo n00b
Joined: 06 Jun 2024 Posts: 35
Posted: Sun Jun 23, 2024 7:50 pm Post subject:
I see now. Thanks.