Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Is UFW mandatory?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
rattiraivo
n00b
n00b


Joined: 06 Jun 2024
Posts: 35

PostPosted: Sat Jun 22, 2024 11:32 am    Post subject: Is UFW mandatory? Reply with quote

I've always wondered this question when it comes to minimal distros, because the guides usually rarely go over ufw directly. So if I wouldn't know of it's existence I wouldn't worry about it.

If it is mandatory, I followed the wiki page on the kernel options yet I'm being hit with these errors as I'm trying to enable it:

Code:

ERROR: problem running ufw-init
Warning: Extension limit revision 0 not supported, missing kernel module?
iptables-restore: line 75 failed
Warning: Extension comment revision 0 not supported, missing kernel module?
Warning: Extension limit revision 0 not supported, missing kernel module?
iptables-restore: line 33 failed
Warning: Extension hl revision 0 not supported, missing kernel module?
ip6tables-restore: line 142 failed
Warning: Extension comment revision 0 not supported, missing kernel module?
Warning: Extension limit revision 0 not supported, missing kernel module?
ip6tables-restore: line 30 failed

Problem running '/etc/ufw/before.rules'
Problem running '/etc/ufw/user.rules'
Problem running '/etc/ufw/before6.rules'
Problem running '/etc/ufw/user6.rules'


Thanks.
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5118
Location: Bavaria

PostPosted: Sat Jun 22, 2024 12:36 pm    Post subject: Reply with quote

No, "ufw" is not mandatory ... Do you really know what "ufw" is and what id does ?

Let me answer the question:

Our Linux kernel contains modules to filter network packets ... what is called a "firewall" ... Yes, the kernel is the FW. There are two applications that are able to pass filter rules to the kernel: iptables and nftables. You can use either of them.

There are also other applications such as "shorewall" and "ufw" ... which only generate rules that are THEN passed on to the kernel via iptables or nftables. I never recommend these two applications ! Why ? Because you always need to know what a FW - the kernel - can do and therefore you need to know the rules. "shorewall" is only suitable if you have to generate extensive filter rules (*) and "ufw" is there to generate simple rules ... which are unfortunately TOO simple == TOO insecure.

(* Even shorewall itself says in https://shorewall.org/Introduction.html : "Shorewall is not the easiest to use of the available iptables configuration tools but I believe that it is the most flexible and powerful. So if you are looking for a simple point-and-click set-and-forget Linux firewall solution that requires a minimum of networking knowledge, I would encourage you to check out the following alternatives: UFW (Uncomplicated Firewall), ipcop")

That's why I always recommend learning how to create rules with iptables or nftables native.

Do you know what a firewall can do ... and what it CANNOT do ?

Let me quote myself from this post: https://forums.gentoo.org/viewtopic-p-8465650.html#8465650

Quote:
Learning iptables / example with 2 interfaces

First of all, I want to explain for what a firewall is good for. What it can do and what it cant do ?

A firewall has two sides:

1.) It can prevent you from the Internet, allowing only communications to a dedicate server you have.
2.) If you have a bad program (virus, rootkit) on your computer, it can TRY to disallow this bad program communicating with a bad server somewhere in the internet.

First look on (2). Why I wrote: "TRY" ? Because a firewall alone cant do this. Why ? The answer is: You want to go with your browser into the internet and read some webpages from "https://forums.gentoo.org". Therefore you must allow outgoing https-traffic (this is port: 443). Now you have a bad program, who wants to communicate with a bad server. This bad program communicate also over the same (open) port to its bad server ... and the firewall (must) allow this. What you would need, is a proxy server for websurfing, who log all communications into the internet for the port 443 (and 80 for normal http), so you dont go directly with your browser into the internet. Without a proxy server, the whole crap: "filtering outgoing packets" doesnt help you in any case against bad programs ... and therefore is complete senseless. Whithout a proxy you can simply allow ALL outgoing traffic and use the firewall only for (1).



Back to your problem: I know you configured your kernel manually (I really like it when people still do this nowadays) and so I'm quoting myself again:
Quote:
If you want configure a firewall with iptables or nftables I recommend to do: Enable ALL options in this submenu as <M>odule. Later you will make your firewall; after this is finished check with "lsmod" which modules you really need for your firewall configuration. After all you can enable all needed modules static (if you want) and disable all other you dont need.

(from: https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Manual_Configuring_Kernel_Version_6.6#Part_2_-_Slim_kernel )
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
Back to top
View user's profile Send private message
rattiraivo
n00b
n00b


Joined: 06 Jun 2024
Posts: 35

PostPosted: Sat Jun 22, 2024 3:10 pm    Post subject: Reply with quote

Thanks for the detailed response. I knew beforehand that atleast iptables was the core so to speak, but I had no idea the kernel itself was the firewall.
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 54578
Location: 56N 3W

PostPosted: Sat Jun 22, 2024 3:30 pm    Post subject: Reply with quote

rattiraivo,

To generalise a bit, security is like the layers of a onion.
The idea is to assess your threats, then deploy the 'onion layers' to address those threats.

You will not keep a well resourced determined attacker out. See https://xkcd.com/538/

The idea is to discourage opportunists, so they attack someone else instead.

pietinger wrote:
F]rst look on (2). Why I wrote: "TRY" ? Because a firewall alone cant do this. Why ? The answer is: You want to go with your browser into the internet and read some webpages from "https://forums.gentoo.org". Therefore you must allow outgoing https-traffic (this is port: 443).

That's true as far as it goes but its not complete. Its possible to permit/deny certain IP address ranges too.
This address range restriction can be written for any port, both incoming and outgoing. Both IPv4 and IPv6.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
rattiraivo
n00b
n00b


Joined: 06 Jun 2024
Posts: 35

PostPosted: Sun Jun 23, 2024 7:50 pm    Post subject: Reply with quote

I see now. Thanks.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum