rattiraivo n00b
Joined: 06 Jun 2024 Posts: 35
Posted: Sun Sep 01, 2024 3:25 pm Post subject: Where to begin if I'd like to spin off a basic firewall?
I know it has something to do with iptables, and I was looking at ufw but I'm not sure.
Can someone at least direct me to some good resources regarding it? I really don't know my way around iptables at all. I've always used ufw on other distros since it just works.
pa4wdh l33t
Joined: 16 Dec 2005 Posts: 881
Posted: Sun Sep 01, 2024 5:23 pm
First of all: Be aware that basically there are only two real firewall methods in the Linux kernel: iptables and nftables, with iptables being the old one and nftables the shiny new one. If you're learning from scratch I'd advise to go with nftables and don't learn old stuff.
All the others, firewalld, ufw and many others, are just frontends: they generate iptables or nftables rules and use them to do the real work.
Second: Know what you're doing. Make sure you understand networking concepts like source/destination IP addresses (possibly IPv4 and IPv6), TCP and UDP ports and connection tracking. No matter how you configure your firewall (directly with iptables/nftables or using a frontend), if you don't know what you're doing there's a good chance you'll make mistakes and have security holes. Also make friends with tcpdump and wireshark, they are very valuable when it comes to troubleshooting.
Third: Have a place to experiment, for example your desktop. Make sure it's a place where it's safe to simply remove the whole ruleset in case you did something that breaks everything.
My personal preference is always to write my own iptables or nftables rules, because in my opinion the frontends usually make a mess of your ruleset. It will work, but it'll be hard to read the actual iptables/nftables ruleset if you need to do that for troubleshooting. I'll have to add a little warning that I might be biased here since networking is my profession, I'm very much used to handling large rulesets by hand. That might sound hard, but it's not as bad as it sounds.
For nftables there is a nice wiki with tutorials: https://wiki.nftables.org/wiki-nftables/index.php/Main_Page
The manpage for nft (the command-line tool to handle your nftables ruleset) is also an excellent source of information.
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world
My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5061 Location: Bavaria
rattiraivo n00b
Joined: 06 Jun 2024 Posts: 35
Posted: Sun Sep 01, 2024 8:04 pm
I don't really have a place to experiment with these things, just my main PC atm. Any good beginner friendly resources on these matters? Would really like to learn more, but I'm as inexperienced as one can be so I don't know the proper questions to ask.
Edit: Will take a look at the wiki pages, it's just that I'd need to be taught these things in layman's terms to understand some of them.