Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Where to begin if I'd like to spin off a basic firewall?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
rattiraivo
n00b
n00b


Joined: 06 Jun 2024
Posts: 35

PostPosted: Sun Sep 01, 2024 3:25 pm    Post subject: Where to begin if I'd like to spin off a basic firewall? Reply with quote

I know it has something to do with iptables, and I was looking at ufw but I'm not sure.

Can someone atleast direct me to some good resources regarding it? I really don't know my way around iptables at all. I've always used ufw on other distros since it just works.
Back to top
View user's profile Send private message
pa4wdh
l33t
l33t


Joined: 16 Dec 2005
Posts: 892

PostPosted: Sun Sep 01, 2024 5:23 pm    Post subject: Reply with quote

First of all: Be aware that basically there are only two real firewall methods in the linux kernel: iptables and nftables, with iptables being the old one and nftables the shiny new one. If you're learning from scratch i'd advise to go with nftables and don't learn old stuff.
All the others, firewalld, ufw and many others are just frontends, they generate iptables or nftables rules and use them to do the real work.

Second: Know what you're doing. Make sure you understand networking concepts like source/destination IP addresses (possibly IPv4 and IPv6), tcp and udp ports and connection tracking. No matter how you configure your firewall (directly with iptables/nftables or using a frontend), if you don't know what you're doing there's a good chance you'll make mistakes and have security holes. Also make friends with tcpdump and wireshark, they are very valuable then it comes to troubleshooting.

Third: Have a place to experiment, for example your desktop. Make sure it's a place where it's safe to simply remove the whole ruleset in case you did something that breaks everything.

My personal preference is always to write my own iptables or nftables rules, because in my opinion the frontends usually make a mess of your ruleset. It will work, but it'll be hard to read the actual iptables/nftables ruleset if you need to do that for troubleshooting. I'll have to add a little warning that i might be biased here since networking is my profession, i'm very much used to handling large rulesets by hand :). That might sound hard, but it's not as bad as it sounds.
For nftables there is a nice wiki with tutorials: https://wiki.nftables.org/wiki-nftables/index.php/Main_Page
The manpage for nft (the commandline tool to handle your nftables ruleset) is also an excellent source of information.
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world

My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5236
Location: Bavaria

PostPosted: Sun Sep 01, 2024 5:50 pm    Post subject: Reply with quote

What most people stumble with at the beginning is the understanding of “stateful inspection” ... just read my attempt to explain it:
https://forums.gentoo.org/viewtopic-p-8465650.html#8465650
(This also applies to nftables although iptables was used here.)

(See also: https://en.wikipedia.org/wiki/Stateful_firewall )
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
Back to top
View user's profile Send private message
rattiraivo
n00b
n00b


Joined: 06 Jun 2024
Posts: 35

PostPosted: Sun Sep 01, 2024 8:04 pm    Post subject: Reply with quote

I don't really have a place to experiment with these things, just my main pc atm. Any good beginner friendly resources on these matters? Would really like to learn more, but I'm as inexperienced as one can be so I don't know the proper questions to ask :D

Edit: Will take a look at the wiki pages, it's just that I'd need to be taught these things on layman terms to understand some of them.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum