I would like to install a firewall on my Linux box. Does anyone have any
suggestions?
I am a newbie for this and I want to know which one is good...
Regards,
Jason
PMFirewall is another one that works well. www.pmfirewall.com/PMFirewall
interested.
--
Kevin Knepshield
dkne...@runet.edu
Like almost everything.. "it depends"
What do you want it for?
Do you want to control access in or out, if so what kind of control
and what kind of access?
Are you running software that uses special TCP ports, and do the ports
change? Some proprietary software is very bad mannered about ports.
Do you need logging, if so what do you want to log?
Do you want it free, or are you willing to pay?
There are lots of ways of firewalling, and they all have advantages
and disadvantages. So you need to think about what one is, why you
want it, and what things you want to do. That way you can decide what
it must have, what it mustn't have, and what you don't care about.
Then you can decide which one is good.
So your first job is to decide why you want one. List the reasons in
order.
Next, list the connections that will be made into and out of your
machine. What software, what ports.
Then decide what logging you want, incoming? outgoing? just the fact
of a connection? What the connection was? Who made it? URLs? FTP
sites?
Zebee
--
SAGE-AU: The System Administrator's Guild. www.sage-au.org.au
To advance the profession of System Administration by raising
awareness of the need for System Administrators, and educating
System Administrators in technical as well as professional issues.
Whats the application? Is the Linux box an internet gateway or just a
standalone "personal" machine?
Corporate? Home?
Anything based on the ipchains package is a stateless filter which is behind
the times, but it is what Linux has.
Beyond this, you could try
www.snort.org -- very powerful... but maybe difficult to configure.
Other IPchains front-ends:
If you are new and want a GUI to play with, maybe gfcc (works with Gnome).
I think firestarter is popular with beginners.
As another poster said SeaWALL is supposedly really good... never tried it
myself.
With linux 2.4 coming up, ipchains will go away and become iptables
(stateful).
There are really dozens more to try. Tell me what you are trying to
accomplish, and I can recommend one that is for what you are trying to do.
Cheers,
John
You might want to check out the book Building Linux and OpenBSD Firewalls,
probably tells you more than you want to know right now, but it will make
you think about what you want out of your firewall, which as others have
said is probably the most difficult part of building any firewall.
P. (Considering how frequently I recommend this book, I ought to be on
commission ;o)
You can use ipchains (ipfwadm in 2.0 kernels, renamed again in 2.2 and later
kernels) to build a basic firewall, although you need some knowledge about
networking. Read the ipchains HOWTO for more information at
www.linuxdoc.org.
Sjoerd
I wrote a script to set up the firewall from a config firewall on my SuSE
box ... should only need minor changes for other dists (and I'm talking
really minor)...
http://www.nccnet.co.uk/~sixie/linux/
is where you can grab the stuff from if you're interested. It uses linux 2.2's
ipchains stuff, but you shouldn't need to know its syntax (unless you run
into problems with the script or want to do more fancy stuff). The config
file takes care of it all.
Chris...
--
@}-,'-------------------------------------------------- Chris Johnson --'-{@
/ "(it is) crucial that we learn the difference / si...@nccnet.co.uk \
/ between Sex and Gender. Therein lies the key / \
/ to our freedom" -- LB / www.nccnet.co.uk/~sixie \
This built me a tight ipchain firewall rule set
http://linux-firewall-tools.com/linux/firewall/index.html
I used DENY, hardcoded external addresses, logged everything.
As part of the instruction and if you read the script, it will
give several suggestions as to where you install the firewall
and turn on IP Masquerading.
You might want to read Armoring Linux
http://www.enteract.com/~lspitz/linux.html
and http://www.securityportal.com/lskb/articles/
and http://www.securityportal.com/lasg/
and http://www.cert.org/advisories/
--
The warranty and liability expired as you read this message.
If the above breaks your system, it's yours and you keep both pieces.
Practice safe computing. Backup the file before you change it.
Do a, man command_here or cat command_here, before using it.
Depends on what you want to do. I use the following in my
/etc/rc.d/rc.local:
echo 1 > /proc/sys/net/ipv4/ip_forward    # Turn things on
/sbin/ipchains -P forward DENY            # General policy
# Append the rules to allow forwarding to the local network from the
# default route
/sbin/ipchains -A forward -s 192.168.1.0/24 -d 0.0.0.0/0 -j MASQ
# And to tcpwrap the samba ports..
/sbin/ipchains -A input  -p tcp -j DENY --destination-port 137:139 -i ppp0
/sbin/ipchains -A input  -p udp -j DENY --destination-port 137:139 -i ppp0
/sbin/ipchains -A output -p tcp -j DENY --destination-port 137:139 -i ppp0
/sbin/ipchains -A output -p udp -j DENY --destination-port 137:139 -i ppp0
There may be more elaborate ways to do things, but this works for
me, and I love simplicity.
Cross Posting Removed.
--
Rinaldi]$
The hottest places in Hell are reserved for those who, in time of
moral crisis, maintain their neutrality.--Dante
Kai
"Patrick Lambe" <wo...@maru.org.invalid> wrote in message
news:JXNo5.1790$hQ.1...@nnrp4.clara.net...
>
> "Jason Ng" <jaso...@yahoo.com> wrote in message
> news:8nvg72$oiu$1...@news.hk.linkage.net...
[]
> PMFirewall is another one that works well. www.pmfirewall.com/PMFirewall
> interested.
I once saw the results of running it. I wasn't all that impressed[i].
What's wrong with ipchains either in a script of your own design - you
know, you, keyboard, vim or (X)emacs, DIY - or something concocted in
e.g. gfcc?
~Tim
Footnotes:
[i] I expected a deny-by-default and log-all with holes allowed and
continuations firewall. It came out with dodgy policies and excessive rules
`closing' various ports.. duh.
--
| Geek Code: GCS dpu s-:+ a-- C++++ UBLUAVHSC++++ P+++ L++ E--- W+++(--) N++
| w--- O- M-- V-- PS PGP++ t--- X+(-) b D+ G e++(*) h++(*) r--- y-
| The sun is melting over the hills, | http://piglet.is.dreaming.org/
| All our roads are waiting / To be revealed | pig...@glutinous.custard.org
> dkne...@runet.edu (Donald K Knepshield) writes:
>
> []
> > PMFirewall is another one that works well. www.pmfirewall.com/PMFirewall
> > interested.
>
> I once saw the results of running it. I wasn't all that impressed[i].
>
> What's wrong with ipchains either in a script of your own design - you
> know, you, keyboard, vim or (X)emacs, DIY - or something concocted in
> e.g. gfcc?
If it's useful, my firewall script is here:
<URL:http://www.jasmine.org.uk/~simon/bookshelf/papers/instant-firewall/instant-firewall.html>
It's quite simple, but it's mentioned in despatches^H^H^H^H^H^H^H^H
the firewall FAQ, so it can't be all bad.
--
si...@jasmine.org.uk (Simon Brooke) http://www.jasmine.org.uk/~simon/
;; Woz: 'All the best people in life seem to like LINUX.'
;; <URL:http://www.woz.org/woz/cresponses/response03.html>
[]
> > What's wrong with ipchains either in a script of your own design - you
> > know, you, keyboard, vim or (X)emacs, DIY - or something concocted in
> > e.g. gfcc?
>
> If it's useful, my firewall script is here:
> <URL:http://www.jasmine.org.uk/~simon/bookshelf/papers/instant-firewall/instant-firewall.html>
It's interesting - a good example of generalisation although I'd have to
think a little about non-3-way firewalling with it.
Two things: I use input policy = DENY, it seems to ACCEPT it. With DENY,
you have to know about everything you want to accept, with ACCEPT you have
the advantage that you can do ipchains -F remotely and not block yourself
out by accident (hic!); we make of these what we may, anyway.
The other thing that struck me on a quick scan-through was this comment:
| # Spoof protection: if a packet arrives at one interface claiming to
| # come from another network, it's lying. Stop it, and log the attempt.
I didn't see any special treatment of `hostname`-on-loopback cases here -
see the vague discussion with John a month or so back. OTOH I didn't look
particularly carefully, and it might not claim to deal with that case
anyway.
I'll give it a blast for one or two networks and check the results in a bit
:8]
~Tim
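The two points raised in this thread, the rc.local-style masquerading script posted earlier (which sets forward to DENY but leaves input at its default ACCEPT) and Tim's preference for input policy DENY, log-everything, and spoof protection, can be put together in one script. What follows is an added example written for this page; it is not any poster's script and not the one from the instant-firewall URL. It assumes a hypothetical Linux 2.2 gateway with the external link on ppp0, the LAN on eth0 as 192.168.1.0/24, and ssh (TCP 22) as the only service exposed to the outside; all three are configurable at the top. By default it only prints the ipchains commands it would load (so it can be read and checked on any box), and `--apply` as root loads them for real.

```shell
#!/bin/sh
# Added example, not from the thread: deny-by-default ipchains ruleset builder.
# Hypothetical assumptions: external link ppp0, LAN eth0 = 192.168.1.0/24,
# ssh (22) the only exposed service. DRY_RUN=1 (default) prints the commands;
# "./fw.sh --apply" as root runs /sbin/ipchains for real.

EXT_IF="${EXT_IF:-ppp0}"
INT_IF="${INT_IF:-eth0}"
INT_NET="${INT_NET:-192.168.1.0/24}"
EXPOSED_TCP="${EXPOSED_TCP:-22}"   # space-separated TCP ports reachable from outside
DRY_RUN="${DRY_RUN:-1}"

rule() {
    if [ "$DRY_RUN" = 1 ]; then echo "ipchains $*"; else /sbin/ipchains "$@"; fi
}

build_ruleset() {
    # 1. Flush, then deny by default on input and forward. Output stays ACCEPT
    #    so the box itself can talk out. A DENY policy does not log, so explicit
    #    "DENY -l" catch-all rules are appended at the end (step 8).
    rule -F
    rule -P input DENY
    rule -P forward DENY
    rule -P output ACCEPT

    # 2. Loopback is unrestricted.
    rule -A input -i lo -j ACCEPT

    # 3. Spoof protection: a packet on the external link claiming a loopback,
    #    RFC 1918 or our own LAN source address is lying. Drop it and log it.
    for net in 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 "$INT_NET"; do
        rule -A input -i "$EXT_IF" -s "$net" -j DENY -l
    done

    # 4. Holes in the deny policy on the external side: exposed services first.
    for port in $EXPOSED_TCP; do
        rule -A input -i "$EXT_IF" -p tcp --destination-port "$port" -j ACCEPT
    done
    # Stateless caveat: ipchains cannot remember our outbound connections, so
    # replies are admitted by shape only: TCP without SYN to unprivileged ports,
    # UDP from port 53 (DNS answers), and three ICMP types. For ICMP, ipchains
    # takes the type in the source-port slot: 0 echo-reply, 3 unreachable,
    # 11 time-exceeded.
    rule -A input -i "$EXT_IF" -p tcp ! -y --destination-port 1024:65535 -j ACCEPT
    rule -A input -i "$EXT_IF" -p udp --source-port 53 --destination-port 1024:65535 -j ACCEPT
    for t in 0 3 11; do
        rule -A input -i "$EXT_IF" -p icmp -s 0.0.0.0/0 "$t" -j ACCEPT
    done

    # 5. LAN side: trust only packets that carry a LAN source address.
    rule -A input -i "$INT_IF" -s "$INT_NET" -j ACCEPT

    # 6. Masquerade LAN traffic leaving on the external link. In the forward
    #    chain -i names the interface the packet will go OUT on.
    rule -A forward -i "$EXT_IF" -s "$INT_NET" -j MASQ

    # 7. Never leak NetBIOS/SMB onto the link from the box itself, and log it.
    for proto in tcp udp; do
        rule -A output -i "$EXT_IF" -p "$proto" --destination-port 137:139 -j DENY -l
    done

    # 8. Log whatever the default policy is about to drop.
    rule -A input -j DENY -l
    rule -A forward -j DENY -l
}

enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Number of ACCEPT holes the ruleset opens on the external interface
# (meaningful in dry-run mode, where build_ruleset prints its rules).
count_external_holes() {
    build_ruleset | grep -c -- "-A input -i $EXT_IF .*-j ACCEPT"
}

if [ "${1:-}" = "--apply" ]; then DRY_RUN=0; fi
build_ruleset
enable_forwarding
```

Read the dry-run output before applying it: every ACCEPT on the external interface is a hole you have chosen to open, and the last two rules are what make "log-all" true, since the DENY policy alone drops silently. Because this is stateless, the "! -y to ports above 1023" rule is the weak spot John alludes to: any non-SYN packet aimed at an unprivileged port gets in regardless of whether you started the conversation, which is exactly what iptables' connection tracking in 2.4 fixes.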
> Simon Brooke <si...@jasmine.org.uk> writes:
>
> []
> > > What's wrong with ipchains either in a script of your own design - you
> > > know, you, keyboard, vim or (X)emacs, DIY - or something concocted in
> > > e.g. gfcc?
> >
> > If it's useful, my firewall script is here:
> > <URL:http://www.jasmine.org.uk/~simon/bookshelf/papers/instant-firewall/instant-firewall.html>
>
> It's interesting - a good example of generalisation although I'd have to
> think a little about non-3-way firewalling with it.
As to that, I'm a great believer in Rusty's Three-line Guide to
Firewalling:
<URL:http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO-3.html#ss3.1>