I read about shorewall. Are there any other firewall available for me to choose from? If yes, what firewall is recommended?
I believe that ufw is the recommended firewall for Ubuntu. In general, all you need to do is run the command
Code:
sudo ufw enable
and this will give you all the firewalling most people need - allow all outgoing connections but block all incoming connections.
thank you very much for the prompt reply
I tend to be a bit picky, so this is how I check to make sure everything is good.
Once your firewall is enabled, run the following command:
sudo ufw status verbose
You should see output similar to this:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip
There is one more method to create a very good firewall for a desktop:
Code:
$ sudo touch /etc/init.d/iptables   # create a file for rules
$ sudo leafpad /etc/init.d/iptables # edit file with 'leafpad', 'gedit' or 'medit' etc.
Add these lines to the /etc/init.d/iptables file (e.g. copy and paste) and save the changes:
Code:
#!/bin/bash
echo "Starting Firewall"
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Now, let's set the firewall to start every time, on boot:
Code:
$ sudo chmod +x /etc/init.d/iptables  # make file executable
$ sudo update-rc.d iptables defaults  # install System-V style init script links for iptables
$ sudo /etc/init.d/iptables [enter]   # start firewall
Starting Firewall
$ sudo iptables -L -n                 # check filter status
That's all. Of course everything mentioned above is also good.
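The last step of the post, checking the filter status, can be automated so that a boot where the init links did not run is noticed. This is example code added here, not from the post: it compares an `iptables -S` dump against the policies and rules the script installs, and the two dumps it runs over are constructed samples.

```shell
#!/bin/sh
# Constructed sample of `iptables -S` output as the desktop script in the post
# would leave it after a successful start (not captured from a real host).
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# Constructed state of a host where the init links were never installed or the
# script failed: chains empty, every policy still at the kernel default ACCEPT.
UNPROTECTED_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# check_firewall: read an `iptables -S` dump on stdin and compare it against
# the policies and rules the script is supposed to install. Prints one
# "missing:" line per gap and returns 1; prints nothing and returns 0 when
# the ruleset matches.
check_firewall() {
    rules=$(cat)
    rc=0
    for want in \
        '-P INPUT DROP' \
        '-P FORWARD DROP' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    do
        # -F: fixed string, -x: whole line, --: the pattern itself starts with '-'
        if ! printf '%s\n' "$rules" | grep -Fxq -- "$want"; then
            echo "missing: $want"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone demo; on a live host use: sudo iptables -S | check_firewall
printf '%s\n' "$SAMPLE_RULES" | check_firewall && echo "desktop ruleset: OK"
printf '%s\n' "$UNPROTECTED_RULES" | check_firewall || echo "unprotected ruleset: gaps found"
```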
Look, you're basically going to get two opinions to your problem.
A lot of people in these forums don't use shorewall, so you're not going to get a lot of help from that aspect.
The other most commonly used Ubuntu firewalls are ufw (or gufw if you want a GUI interface to ufw) and iptables. ufw is a frontend to iptables, so it's usually easier to use for basic things since "it's a frontend". Depending on what you need to use your firewall for, you may or may not prefer ufw compared to iptables.
Any firewall is kind of a pain to use -- meaning you ain't going to master firewall construction in like 15 minutes. You need to know basics about TCP and UDP packets and how they are routed (through what chains) in order to make a decent firewall. This unfortunately means you're likely going to have to make a small commitment to reading and trying things out, and become very knowledgeable about how to interpret log files so you know if your firewall is actually blocking packets you want to drop. I'm still learning a lot about iptables after several years.
Hi, kevdog. You are right. A lot of people in these forums don't use shorewall, so the best choice is UFW (GUFW) or iptables. The firewall proposed in my post #5 is pretty good and secure. All incoming connections are blocked (DROP) and only established and related connections started by the user are allowed. In my opinion this is a sufficient configuration for a desktop - without any running services, such as ssh, Samba etc. To create a more "hardened" firewall you can add something like this to the iptables script:
Code:
# every new connection attempt should begin with a syn packet
# if it doesn't, it is likely a port scan.
iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j LOG --log-level debug --log-prefix "ScanAttempts: "
iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# and maybe something for bad tcp packets and for hindering port scanners
iptables -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH ACK -j DROP
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN -j DROP
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN,URG,PSH -j DROP
# you can also DROP icmp packets: echo-request
iptables -A INPUT -p icmp -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
Please remember that these are only examples! I wrote them quickly, so something may be wrong with these rules - I have not used iptables for a long time. Oh, by the way: all logged events you can find in the /var/log/kern.log or /var/log/syslog files (first rule, for connections without syn packets).
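To read what the LOG rule above writes instead of scrolling /var/log/kern.log by hand, here is a small summarizer for the lines carrying the "ScanAttempts: " prefix. This is example code added here, not from the post; the log lines it runs over are constructed samples in the format the iptables LOG target writes (SRC=, DPT= fields), not records from a real host.

```shell
#!/bin/sh
# Constructed kern.log lines in the LOG target's format (not from a real host):
# three hits from one source, one from another, plus two lines that must be
# ignored (an unrelated kernel message and a different log prefix).
SAMPLE_LOG='May 18 10:00:01 desktop kernel: [ 1201.100000] ScanAttempts: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 ACK URGP=0
May 18 10:00:01 desktop kernel: [ 1201.100500] ScanAttempts: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=1024 RES=0x00 FIN URGP=0
May 18 10:00:02 desktop kernel: [ 1202.000000] ScanAttempts: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40003 DPT=443 WINDOW=1024 RES=0x00 ACK URGP=0
May 18 10:00:09 desktop kernel: [ 1209.300000] ScanAttempts: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=TCP SPT=51000 DPT=3389 WINDOW=1024 RES=0x00 ACK URGP=0
May 18 10:00:10 desktop kernel: [ 1210.000000] wlan0: associated
May 18 10:00:11 desktop kernel: [ 1211.000000] OtherRule: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=1 DPT=25'

# summarize_scans: read syslog/kern.log lines on stdin, keep only the entries
# written by the "ScanAttempts: " LOG rule, and print one line per source,
# busiest first: <hit count> <source IP> <distinct destination ports>.
summarize_scans() {
    grep -F 'ScanAttempts: ' | awk '
    {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src == "") next
        hits[src]++
        # record each (source, port) pair once, keeping first-seen order
        if (!((src, dpt) in seen)) {
            seen[src, dpt] = 1
            ports[src] = (ports[src] == "" ? dpt : ports[src] "," dpt)
        }
    }
    END { for (s in hits) print hits[s], s, ports[s] }
    ' | sort -rn
}

# Stand-alone demo; on a live host: summarize_scans < /var/log/kern.log
printf '%s\n' "$SAMPLE_LOG" | summarize_scans
```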
Howdy,
I used shorewall many moons ago. If it is anything like it was then, then it provides a ton of filter rules against a ton of things that are never going to happen on a LAN and protects you against a bevy of network stack problems that do not exist anymore...
When I run a server on the internet, I use only a rate limit rule. Nothing else. My servers typically stay up until the PSU fails in 4 to 5 years.
On my home machines I use nothing, since they are behind a dinky little NAT router. A typical home router is so slow, that nothing of consequence will get through.
On my laptop machines that get carried around the world and plugged into strange nets, I use the same rate limiting rule as on the servers.
So, before you go totally crazy with firewalls, have a good think about what you are trying to achieve.