I saw two good firewalls:
- Firestarter which is easy
- Shorewall which seems versatile
Which is best for a single server pc? Is the complexity of shorewall
worth the effort or is firestarter as good as shorewall?
Just this
Thanks
Jordi
--
1. reading the documentation will give you a much better understanding
for what is happening
2. shorewall scales very well to a great many different roles, so your
simple one server firewall today might tomorrow be routing traffic for a
small network with a DMZ and doing traffic shaping
Regards,
-Roberto
--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
I will do then the effort and try to install and use Shorewall.
Is Webmin a good tool to install? Does it have some kind of disadvantage? Is it
better not to use webmin?
The fact that Firestarter has a GUI tipped the scales for me - towards
Shorewall. While it may be nice to do the initial setup in a GUI,
being able to make modifications from anywhere over SSH has proven
valuable enough to justify the initial learning curve. And once you
'got it', Shorewall isn't actually that hard to work with.
Just my 2 cents
--j
Just to be contrary, I like and use m0n0wall (http://www.m0n0.ch) at
home in a WRAP board. Very nice, very quiet, plenty of performance.
Nice web based interface, boots off compact flash, etc.
John
John, that seems too complicated for me, but seems good as it is a
hardware firewall.
Roberto, it seems you like to control all parameters, you must be
an expert. I will try to do as you say, and learn a bit.
Thanks for your opinions.
Jordi
Firestarter and Shorewall are both just front-ends to iptables, but
firestarter is simple (and has far less features than shorewall).
Shorewall does appear complicated, but in fact, the examples only need
minor editing for use.
You could just use iptables directly, but _that_ is complicated.
Joe
If you want to set up a firewall, it is better to know what you do :)!
I started using iptables first, and now it is quite difficult to change,
even to try other stuff. So if you want to learn more, take a look at the
iptables tutorial. However, I should admit it is time consuming.
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
--
Franck Joncourt
http://www.debian.org
http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
Right, like when you want a firewall to manage a half-dozen different
zones on your network, which is connected to several different ISPs,
while performing traffic shaping functions?
Regards,
-Roberto
--
I will take all that has been said into account, and learn all of it to some degree.
But I have so much work on Java, PHP, and virtual reality modelling
languages, plus building the site, so I think I had better build a simple
server, as strong as I can. But I can't spend months or years learning,
I need to start developing right now.
So if you know some tool that may be useful for a server like mine,
which consists of just one machine, running a Debian based OS
(Xubuntu), with a router with a hardware firewall, please tell me. For
many months, maybe years, there will be no more servers or DSL lines,
just 1 with 1 static IP.
So I just want software for THIS situation. In the next months or years, I
will learn along the way, as I grow.
But I just wanted to know a good solution for this little server: 1 DSL
line, 1 IP, 1 machine. No more.
And better: I can use this server directly, with the keyboard, as I
access it with a KVM switch. So I don't need to manipulate it through
ssh or anything for now.
I wonder if shorewall is for me like using a cannon to kill a flea.
Having this in mind, do you know a good and simple solution? I will
have much time to learn for future, it is just to have a start point.
Thanks for replying
Jordi
Jordi wrote:
> [snip]
> Having this in mind, do you know a good and simple solution? I will
> have much time to learn for future, it is just to have a start point.
Jordi,
If it's just one box and you're not running any internet services on it,
then you don't really need a firewall. You can always test how well
your machine is protected by using one of the security scanners on the
web such as :
there are many more.
Joe
I've never had any problem using iptables directly -- except when I
upgraded from woody to sarge -- suddenly there was a firewall of sorts
introduced by default and I couldn't get anything to work until I tracked
it down in /etc and removed it.
-- hendrik
If you need to manage a half-dozen zones the chances are that you'll
be doing packet filtering on specialized hardware so shorewall will
be of no use.
On Fri 2007-03-02 04:31:18 -0800 Jordi wrote:
> I wonder if shorewall is for me like using a cannon to kill a flea.
It probably is.
> Having this in mind, do you know a good and simple solution? I will
> have much time to learn for future, it is just to have a start point.
I recommend
http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html
written by Rusty Russell, the initial author and one of the current main
developers of iptables/netfilter.
He shows a simple six line firewall script at
http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-5.html.
--
David Hart <deb...@tonix.org>
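For the "1 DSL line, 1 IP, 1 machine" case the HOWTO is aimed at, here is what a minimal stateful ruleset looks like written out by hand. This is an added example, not the HOWTO's own six lines and not anything posted in this thread. It assumes the DSL-facing interface is eth0, that sshd listens on 22 and that one web service on port 80 is published; all three are overridable through the environment. Run with no argument it only prints the rules; `apply` executes them as root.

```shell
#!/bin/sh
# Added example, not the HOWTO's script: a minimal stateful iptables policy
# for one host with one public IP. Assumptions: the DSL-facing interface is
# eth0, sshd listens on 22, one web service on 80 is published. Override via
# the environment.
WAN_IF="${WAN_IF:-eth0}"
SSH_PORT="${SSH_PORT:-22}"
SERVICE_PORTS="${SERVICE_PORTS:-80}"   # space-separated TCP ports

# Print the rules rather than run them, so they can be reviewed first
# (and saved with iptables-save once applied).
fw_rules() {
    echo "iptables -F INPUT"
    # Loopback is needed by local services (X11 clients, databases, ...).
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections this host opened, plus related ICMP errors.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Packets that match no tracked connection (spoofed/out-of-window segments).
    echo "iptables -A INPUT -m state --state INVALID -j DROP"
    # Rate-limited ping keeps path diagnostics working.
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT"
    # Only explicitly published services accept new connections from the WAN.
    echo "iptables -A INPUT -i $WAN_IF -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT"
    for p in $SERVICE_PORTS; do
        echo "iptables -A INPUT -i $WAN_IF -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Log what is about to be dropped, rate-limited so a scan cannot fill the disk.
    echo "iptables -A INPUT -m limit --limit 3/min -j LOG --log-prefix 'FW-DROP: '"
    # Default policies go last: setting INPUT DROP before the ESTABLISHED rule
    # exists would stall the very ssh session that is applying the rules.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
}

# Execute the generated rules (needs root). Kept separate from fw_rules so
# the default invocation of this script changes nothing on the system.
fw_apply() {
    fw_rules | while IFS= read -r cmd; do
        eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Number of ACCEPT rules that open TCP port $1 to new connections;
# used to check the policy before applying it.
fw_accepts_port() {
    n=$(fw_rules | grep -c -- "--dport $1 -m state --state NEW -j ACCEPT" || true)
    echo "$n"
}

case "${1:-}" in
    apply) fw_apply ;;
    *)     fw_rules ;;
esac
```

`-m state` is the match the HOWTO era used; current kernels accept it as an alias for `-m conntrack --ctstate`. The ordering matters more than the syntax: the DROP policy is set only after the ESTABLISHED,RELATED rule is in place, which is what lets you apply this over the ssh session you are sitting in without locking yourself out.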
I have never said using iptables was the best solution; however, I think an understanding of netfilter/iptables might help. It is up to everyone to choose whether they want to get a better understanding of what they are doing, or not. He may not need to bother with all that.
Anyway, iptables, fwbuilder, shorewall and others have their own advantages and drawbacks.
>
> > Having this in mind, do you know a good and simple solution? I will
> > have much time to learn for future, it is just to have a start point.
>
> I recommend
> http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html
> written by Rusty Russell, the initial author and one of the current main
> developers of iptables/netfilter.
>
> He shows a simple six line firewall script at
> http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-5.html.
Here is the link I use, where you can get pretty useful information as well (for the future maybe 8)! ):
- protocol description
- connection tracking
- iptables itself
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
There are some examples too.
I asked in the Ubuntu forum too and they told me that it may be
unnecessary to combine a hardware firewall and a software firewall
(iptables or any other that uses it).
But they said I can do it, if I am paranoid.
And as you said, the correct place to stop an intruder is BEFORE they
cross the router.
As has been said in all these conversations here in Debian and Ubuntu,
we could summarize:
- A hardware firewall is better than a software firewall.
- You can combine software and hardware firewalls.
- But if you do that, you won't get a fantastic improvement in
security.
- All software firewalls use iptables, but some allow extra features.
- To have a good hardware firewall buy a good router-switch or a
specific hardware device.
If something is wrong please correct me.
In order to find a good router with firewall I saw this in the pc
shop:
http://www.smc.com/index.cfm?event=viewProduct&localeCode=EN_USA&pid=1588
It is the 7904WBRA2 of the company named SMC Networks.
The text says this:
---------
The SMC7904WBRA2 combines an ADSL2/2+ modem, router, 4-port 10/100 LAN
switch, 802.11g wireless access point & robust SPI firewall making it
the complete solution for securely connecting & sharing your high
speed ADSL connection, wired or wirelessly. It gives you instant
always on internet connectivity with download speeds up to 24Mbps -
ideal for streaming multimedia content to the home. The EZ
Installation Wizard with on-screen help configures your ADSL
connection & wireless network in 5 easy to follow steps. Quality-of-
Service gives priority to real-time, delay sensitive applications like
Voice-over-IP and video-on-demand to improve the user experience. The
NAT firewall with Stateful Packet Inspection (SPI), Intrusion
Detection System (IDS) & Denial-of-Service (DoS) provides robust
security from hackers. VPN pass-through is also provided for securely
connecting to your office or corporate network.
---------
It seems it has good protection: hardware firewall, IDS and protection
against DoS. It is thought both for personal and corporate use. Seems
good.
Should I buy this router-modem-switch ?
So long,
Jordi
I can only tell about firestarter. Perhaps it helps a bit.
First, about the "understanding what is happening" argument:
I do not want to know about the lowest level of my firewall.
I do not program in assembler, I use C++ or C#.
With an assembler I would have "a better understanding of what
is happening". I do not need it. I want a solution.
I do not write my own operating system for the same reason.
So I just want a working firewall.
And firestarter does this job.
I do not know about complex setups with multiple servers.
I am just using one server, client etc at a time.
The firewall shall protect one computer at a time.
And so I use firestarter everywhere.
I use ssh with X11 forwarding to manage the firewall.
If I have a pure debian server without gui, it takes
ca. 70 MB extra space to install firestarter + gui bla bla.
Then I can use the firestarter gui to setup.
It shows the active connections and it has a mode where
it stops all outgoing connections by default (this has
to be activated: one click) etc....
Before you use this option, you should enable ssh :-)
It is just great.
But I do not know, if shorewall is better or worse.
Cu,
Andreas
To have a good hardware firewall buy a cheap used pc, install Linux on it,
and configure it as a router and firewall.
--
John Hasler
> Jordi writes:
>> To have a good hardware firewall buy a good router-switch or a
>> specific
>> hardware device.
>
> To have a good hardware firewall buy a cheap used pc, install Linux
> on it,
> and configure it as a router and firewall.
> --
Or, if you like ease of use (great web based GUI) combined with
powerful functions out of the box, commit adultery and install
m0n0wall (based on freebsd). Keeps me happy. I use an old PII with
64MB and 3 3com fast ethernet cards, wan up & download and heavy
traffic between lan & DMZ runs flawlessly with the processor never
getting above 30%.
Peter
I do not want a Web server running on my router.
--
John Hasler
I agree with most of what you said, as I am very pragmatic about my needs.
I think I will buy the router I mentioned, which looks like a very strong router
from a security point of view, and also install firestarter and some
other utility if I need it.
And things sometimes are not so complex. For example, in Xubuntu you
can install everything in graphical mode, start the server through the Terminal,
and then, if you want to save more resources, it can be done through
an option. So you exit the graphical environment and the server
continues working, with all resources available.
To return to the graphical GUI, just another command.
So no need for masochism typing dozens of commands to do what you can do
graphically, at least when you have your pc at hand like me.
Yes I know most people may say this is not professional, and I am
missing learning lots of shell commands, but I know enough, and I
already have to keep so many things in mind, so this would be a
RESOURCE LEAK for my brain hahahaha!!
Anyway, please give me opinions about the router by SMC Networks:
7904WBRA2
http://www.smc.com/index.cfm?event=viewProduct&localeCode=EN_USA&pid=1588
Thanks
Jordi
> So I just want a working firewall.
> And firestarter does this job.
> I do not know about complex setups with multiple servers.
> I am just using one server, client etc at the time.
> The firewall shall protect one computer at a time.
> And so I use firestarter everywhere.
> I use ssh with X11 forwarding to manage the firewall.
With firestarter? How?
> If I have a pure debian server without gui, it takes
> ca. 70 MB extra space to install firestarter + gui bla bla.
> Then I can use the firestarter gui to setup.
70MB is a *huge* amount of data to install *only* to have a gui. IMHO
firestarter is only useful if you already have X installed, though this
is a bad idea on a server.
> But I do not know, if shorewall is better or worse.
Shorewall is very easy to setup. Please see:
http://newbiedoc.berlios.de/wiki/Firewall_with_masquerading
Regards,
Andrei
--
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)
First I have no wide knowledge of routers. I only know some.
But I can tell you what I think while reading the data sheet.
Perhaps it helps, perhaps it is a 2nd sheet. Spell it the other way.
4 LAN ports should be enough, or do you know otherwise?
For example for me 4 ports are too few. But I can't buy another...
Web interface, so you do not *have* to install some software.
That
"Quality-of-Service gives
priority to real-time, delay sensitive applications like
Voice-over-IP and video-on-demand to improve the user
experience."
sounds to me like: give some type of connection priority.
That would be really cool. I'd like to have it.
I do not know if I understand it correctly.
WPA for wireless is good, because WEP has been broken.
DHCP server and NAT are a must have.
UPnP is bad. For me. So it should be possible to disable it.
(it allows any application on the inside to open ports on the router)
In the requirements, browsers from different OSes are listed.
That is good. So you are not left with a router which *needs* IE.
Some things are ok.
A lot of things mean nothing to me.
I'd *like* to have that thing to try the unknown things out. :-)
Cu,
A.
On my side in
/etc/ssh/ssh_config (that is for the client)
ForwardX11 yes
that way you don't have to say ssh -X bla bla
on the other side in
/etc/ssh/sshd_config (that is for the server)
X11Forwarding yes
Then I allow via firestarter on the server incoming connections on "the"
ssh port. Whatever that is for you. Normally 22.
That is it.
No other incoming or outgoing ports are needed on the server for
the firestarter gui to work that way.
Hope it works.
*crosses fingers*
Andreas
So you have a Web server running on your firewall. Not good.
> ...so you do not *have* to install some software.
You wouldn't have to install software to use ssh.
> [QOS] would be really cool. I'd like to have it.
Linux already has it.
--
John Hasler
ShoreWall is great, if you want a non-gui but also easy way to
configure a simple firewall based on Iptables try this one.
http://linux.go2linux.org/node/3
regards.
--
Guillermo Garron
"Linux IS user friendly... It's just selective about who its friends are."
(Using FC6, CentOS4.4 and Ubuntu 6.06)
http://feeds.feedburner.com/go2linux
http://www.go2linux.org
> >> I use ssh with X11 forwarding to manage the firewall.
> >
> > With firestarter? How?
[snip X11 forwarding stuff]
If *that* isn't shooting a fly with a cannon, then I don't know what is.
With shorewall I just open a normal ssh session, change some config
file with very decent syntax/explanations/examples. This works even
over a slow link or with machines where disk space is very limited.
Regards,
Andrei
--
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)
Mmm. So why do you use shorewall at all? It is like using a pistol
against an unarmed invader.
*WHAT* is the point of your message?
I don't tell you how to do things. I like it that way. I do it that way.
If you don't like it... I DO *NOT* CARE!
Ok. You can edit files with the text editor. Fine.
Nice. COOOOOL.
I want my work done.
We all know that it is possible to configure a firewall with a
text editor. You may use vi. Or even a line based one. Who cares?
If you like it, do it.
I have to say that you are perhaps on the wrong operating system, if you
want to do it the way it was done by your grandfather.
Linux is an operating system which is getting easier to use every day.
So if someone does it the easy way, what is the point of patronizing
messages?
The good thing about linux is that it is possible to do it with the
commandline *and* (more and more) with the gui.
But trying to show off by telling "I am using the commandline" is
just not working, because it means you don't understand the concept.
It is not *better*.
Please stop writing such mails. We all know what kind of people do that.
> Andrei Popescu wrote:
> >>>> I use ssh with X11 forwarding to manage the firewall.
> >>> With firestarter? How?
> >
> > [snip X11 forwarding stuff]
> >
> > If *that* isn't shooting a fly with a canon, than I don't know what
> > is.
[snip rant against console users]
Please read my other mail carefully:
"IMHO firestarter is only useful if you already have X installed"
If this is a multi-purpose machine which already runs X for some reason
then no problem, but having X installed on the firewall/router just for
configuration purposes is bad security practice.
If you want to do this on your system, you are free to do so, but
*please* don't recommend it to others.
Regards,
Andrei
--
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)
You *really* do not read what others write?
Just *read* it.
I do *not* rant against console users.
I *do* use the console.
Is it too complicated for you to understand that
someone DOES use the console but DOES also
use the gui if the gui is easier in *his* opinion?
And please no senseless comments about
how easy this or that is.
If something is easier for me, then it *is* easier for me.
Please do not lie about my messages.
I DO NOT RANT AGAINST CONSOLE USERS!
Ok? got it? Really?
if not.. read it again. and again and again.
I really have to say that my last message was
not really to discuss something. You just wrote silly stuff.
If I write how to use a gui program via
ssh and you write about "shooting with a cannon",
then you did not get it.
It is supposed to be used that way.
Why do you think the gui behaves that way?
Why do X servers exist?
Why not do it the windows way?
Do you ever *think*?
> "IMHO firestarter is only useful if you already have X installed"
Ok.
So you have a desktop without X?
Or what?
Do you really try to tell me that any admin will
admin his servers from a pc without a desktop?
Are you ... ..
No. I will not use such words.
But really. I don't think you are worth talking to.
I will now start looking if my program can filter users.
> If this is a multi-purpose machine which already runs X for some reason
> then no problem, but having X installed on the firewall/router just for
> configuration purposes is bad security practice.
That is nonsense.
Did you understand what I told about ssh?
Do you want to tell me that ssh is insecure?
Ok. it is late at night. But I *really* need a filter for your messages...
Hopefully I will not ever read anything about you.
You could run X on another system. People tend to forget that X is a
networked protocol.
-- hendrik
Mmm. I am not sure we are talking about the same thing.
If yes.. then I'd like to learn how to do it the other way.
But to be sure I will tell how I see it. If you still think otherwise,
please point me to some docu. Or at least say so. That would be cool.
What I think, how it is (not sure though)
To export the display of a program you need
a running X-Server at the computer where the display will
point to.
And where the program runs,
you need some X-files
(no, not the ones with the small grey things from ufos),
some stuff from X, too.
That is the reason why I talk about ca. 70 MB.
FireStarter is small. But to start the gui, the
system wants some other files.
At least, I thought so until now.
When I say "apt-get install firestarter" it will
get firestart + needed files.
And if I have no X related files there, it starts to
download lots of them.
Do I understand you right, that I do not have to
download these X-files, if I intend to export the display
to another computer ?
That would be really nice.
Cu,
Andreas
You need some libraries but no X-server. Firestarter 1.0.3-1.3
dependencies:
libart-2.0-2 (>= 2.3.16), libatk1.0-0 (>= 1.12.2),
libaudiofile0 (>= 0.2.3-4), libavahi-client3 (>= 0.6.13),
libavahi-common3 (>= 0.6.10), libavahi-glib1 (>= 0.6.12),
libbonobo2-0 (>= 2.13.0), libbonoboui2-0 (>= 2.5.4), libc6 (>= 2.3.6-6),
libcairo2 (>= 1.2.4), libdbus-1-3,
libesd0 (>= 0.2.35) | libesd-alsa0 (>= 0.2.35),
libfontconfig1 (>= 2.3.0), libfreetype6 (>= 2.2), libgconf2-4 (>= 2.13.5),
libgcrypt11 (>= 1.2.2), libglade2-0 (>=1:2.5.1), libglib2.0-0 (>= 2.10.0),
libgnome-keyring0 (>= 0.4.3), libgnome2-0 (>= 2.14.1),
libgnomecanvas2-0 (>= 2.11.1), libgnomeui-0 (>= 2.13.0),
libgnomevfs2-0 (>= 2.13.92), libgnutls13 (>= 1.4.0-0),
libgpg-error0 (>= 1.2), libgtk2.0-0 (>= 2.8.0), libice6 (>= 1:1.0.0),
libjpeg62, liborbit2 (>= 1:2.10.0), libpango1.0-0 (>= 1.12.3),
libpng12-0 (>= 1.2.8rel), libpopt0 (>= 1.10), libsm6,
libtasn1-3 (>= 0.3.4), libx11-6, libxcursor1 (>> 1.1.2), libxext6,
libxfixes3, libxi6, libxinerama1, libxml2 (>= 2.6.26), libxrandr2,
libxrender1, zlib1g (>= 1:1.2.1), gconf2 (>= 2.10.1-2),
iptables (>= 1.2.11), gksu (>= 0.8.5)
All that to edit a few text files? Amazing.
--
John Hasler
Right,
> And where the program runs,
You don't need an X server where the program runs. The X server is the
thing that provides the display.
> you need some X-files
> (no, not the ones with the small grey things from ufos),
> some stuff from X, too.
>
> That is the reason why I talk about ca. 70 MB.
> FireStarter is small. But to start the gui, the
> system wants some other files.
> At least, I thought so until now.
>
> When I say "apt-get install firestarter" it will
> get firestart + needed files.
> And if I have no X related files there, it starts to
> download lots of them.
>
> Do I understand you right, that I do not have to
> download these X-files, if I intend to export the display
> to another computer ?
>
> That would be really nice.
That's right. The program you're running *is* the X client, and
it needs an X server to display its stuff on. Usually it uses the
DISPLAY environment variable to find it.
I used to do this all the time in my full-time job circa 1990. I had my
program, the window manager, and the display all running on different
machines.
However, since then people have become much more paranoid about
security, and now there are hoops you have to jump through to break down
the security barriers to get this to work.
Can anyone enlighten me about the details of doing this on a closed LAN
where there are no particular security problems?
One way that is apparently compatible with today's paranoia appears to
be to use an option on ssh (I believe it's ssh -X) to get ssh to carry
the X protocol. I'm not sure of the details, except that it appears to
require configuration on both the client and server side.
-- hendrik
> On Sat, Mar 03, 2007 at 11:19:02PM +0200, Andrei Popescu wrote:
> >
> > 70MB is *huge* amount of data to install *only* to have a gui. IMHO
> > firestarter is only useful if you already have X installed, though
> > this is a bad idea on a server.
>
> You could run X on another system. People tend to forget that X is a
> networked protocol.
But you still need parts of X installed on the server, err, client in X
speak.
Regards,
Andrei
--
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)
Where you sit:
ssh-client, X-Server
/etc/ssh/ssh_config
ForwardX11 yes
that way you don't have to say ssh -X bla bla
on the other side:
ssh-server, X-Client
/etc/ssh/sshd_config
X11Forwarding yes
Btw.
If you are not used to ssh,
you should use keys.
If you are used to it, you now think: of course. :-)
1) Create a key: ssh-keygen -t dsa
2) copy public key to other pc: ssh-copy-id user@host
3) ssh-add [file] (asks password)
4) ssh user@host (without password)
If your user is the same on both machines, you don't have
to mention the user, so it's not user@host but just host.
There are of course lots of options for the different ssh
programs.
If you want to use it a lot, then you perhaps would like
to use libpam-ssh.
If you have the same password for your system (where you sit)
and for the key, then you can setup your system to
use the password you enter at login for your
ssh-agent and that way you only have to enter
that password at the login.
And not for every ssh or at least once for the ssh-agent.
If you are interested....I can tell you more. Just ask.
Cu,
Andreas
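Two things a practitioner would want next to the X11-forwarding recipe above (Andreas's earlier ssh_config/sshd_config post and this one): a way to check what the server actually has set, and a client config that does not hand `ForwardX11 yes` to every host you ever ssh into, since with it enabled the remote side can open windows on, and talk to, your local X server. The script below is an added example, not anything posted in the thread. The sshd_config sample inside it is constructed; the host alias `fw`, the address 192.0.2.10 and the user `jordi` are made up. It uses ed25519 in place of the `ssh-keygen -t dsa` in the post because OpenSSH 7.0 and later disable ssh-dss keys by default.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings
# the X11-forwarding discussion touches, and emit a per-host client stanza
# that limits ForwardX11 to the one firewall box instead of enabling it for
# every host in /etc/ssh/ssh_config. Host alias, address and user are made up.

# Constructed sample of a server config like the one described in the post.
SAMPLE_SSHD_CONFIG='Port 22
PasswordAuthentication yes
X11Forwarding yes
PermitRootLogin yes
#PubkeyAuthentication yes
'

# Effective value of a directive. sshd_config keywords are case-insensitive
# and the first uncommented occurrence wins; "unset" means the compiled-in
# default applies.
sshd_value() {
    # $1 = config text, $2 = keyword
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == key   { print $2; found = 1; exit }
        END                  { if (!found) print "unset" }'
}

# One finding per line. Returns 0 when nothing needs fixing, 1 otherwise.
sshd_audit() {
    cfg=$1
    rc=0
    if [ "$(sshd_value "$cfg" PasswordAuthentication)" != "no" ]; then
        echo "PasswordAuthentication is not 'no': install a key with ssh-copy-id, then turn passwords off"
        rc=1
    fi
    if [ "$(sshd_value "$cfg" PermitRootLogin)" = "yes" ]; then
        echo "PermitRootLogin yes: log in as a normal user and escalate with sudo (or gksu for the GUI)"
        rc=1
    fi
    # Not a failure by itself: the GUI-over-ssh setup needs it on the server.
    if [ "$(sshd_value "$cfg" X11Forwarding)" = "yes" ]; then
        echo "X11Forwarding yes: fine for a GUI tool over ssh, but pair it with key-only logins"
    fi
    return $rc
}

# Client side. A Host stanza scopes ForwardX11 to this server only;
# ForwardX11Trusted no runs the remote program as an untrusted X client
# (X SECURITY extension), restricting what it may do to other windows.
client_stanza() {
    # $1 = alias, $2 = address, $3 = login user
    cat <<EOF
Host $1
    HostName $2
    User $3
    ForwardX11 yes
    ForwardX11Trusted no
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
EOF
}

# The key-based login steps from the post, with ed25519 in place of DSA
# (ssh-dss is disabled by default since OpenSSH 7.0). Printed, not run.
key_setup_steps() {
    cat <<EOF
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
ssh-copy-id -i ~/.ssh/id_ed25519.pub $1
ssh-add ~/.ssh/id_ed25519
ssh $1
EOF
}

echo "== findings for the constructed sshd_config =="
sshd_audit "$SAMPLE_SSHD_CONFIG" || true
echo "== ~/.ssh/config stanza =="
client_stanza fw 192.0.2.10 jordi
echo "== key setup =="
key_setup_steps fw
```

To run the audit against a real server, replace the sample with `sshd_audit "$(cat /etc/ssh/sshd_config)"`. Debian's shipped ssh_config sets `ForwardX11Trusted yes`, so putting the stanza in `~/.ssh/config` with it set to `no` is what actually turns the restriction on for this host.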