
#1 2013-02-24 01:19:06

rabcor
Member
Registered: 2013-02-09
Posts: 490

How to configure my firewall?

I installed iptables and ufw.

ufw is as simple as it gets, right?

So I made sure to disable iptables at startup and enabled ufw at startup with systemctl.

Then I ran

# ufw default deny
# ufw enable

rebooted to make sure everything is working, and

# ufw status

Status: active

so it claims to be working.

Now as you can see I haven't enabled anything through my firewall, right?

However, why is it that I can log in to Steam, torrent and use my internet browser if everything should be blocked?

Did I do something wrong? Or am I just being a total noob?


#2 2013-02-24 03:08:49

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 5,661

Re: How to configure my firewall?

I don't use ufw, but according to the wiki you can use ufw status to see the rules. What does that give? Try iptables --list as well, as it will probably give you more detail. (ufw is just a front end, as I'm sure you know.)

Note: If the commands you issued really prevented *all* connections, I don't think you would be able to boot.

Last edited by cfr (2013-02-24 03:10:09)


How To Ask Questions The Smart Way | Help Vampires

Arch Linux | x86_64 | GPT | EFI boot | grub2 | systemd | LVM2 on LUKS
Lenovo x121e | Intel(R) Core(TM) i3-2367M CPU @ 1.40GHz GenuineIntel | Intel Centrino Wireless-N 1000 | US keyboard with Euro | 320G 7200 RPM Seagate HDD


#3 2013-02-24 04:00:35

smudge
Member
Registered: 2011-03-20
Posts: 135

Re: How to configure my firewall?

rabcor wrote:

So I made sure to disable iptables at startup and enabled ufw at startup with systemctl.

I'm assuming you ran:

systemctl disable iptables.service

ufw just passes rules to iptables so iptables.service needs to be enabled at startup.

Last edited by smudge (2013-02-24 04:01:21)


#4 2013-02-24 04:35:31

x33a
Forum Moderator
Registered: 2009-08-15
Posts: 3,301

Re: How to configure my firewall?

cfr wrote:

Note: If the commands you issued really prevented *all* connections, I don't think you would be able to boot.

How does that work? Can iptables block local sockets too?


#5 2013-02-24 11:12:34

brebs
Member
Registered: 2007-04-03
Posts: 3,414

Re: How to configure my firewall?

x33a wrote:

Can iptables block local sockets too?

No. Only thing relevant is:

-A INPUT -s 127.0.0.1 -i lo -j ACCEPT


#6 2013-02-24 12:05:17

rabcor
Member
Registered: 2013-02-09
Posts: 490

Re: How to configure my firewall?

smudge wrote:
rabcor wrote:

So I made sure to disable iptables at startup and enabled ufw at startup with systemctl.

I'm assuming you ran:

systemctl disable iptables.service

ufw just passes rules to iptables so iptables.service needs to be enabled at startup.

Quoting this:

While this works just fine for reporting, keep in mind not to enable the iptables service as long as you use ufw for managing it.

So I'm confused as hell now.

Regardless of whether I disable or enable iptables with systemctl, I'm still able to torrent with Deluge. I'm pretty sure I shouldn't be able to do that without adding an exception.
That's of course with ufw enabled.

Last edited by rabcor (2013-02-24 12:07:52)


#7 2013-02-24 12:17:09

Grima
Member
Registered: 2011-09-02
Posts: 58

Re: How to configure my firewall?

If you want to deny all outgoing connections, you issue the command ufw default deny outgoing. By omitting the "outgoing", the default defaults (hehe) to "incoming". That is probably why you can browse the web and so on, since your computer only filters the incoming traffic and not outgoing.

Edit: Hmm, or maybe I misunderstood you. Well, I'll leave this post as-is.

Last edited by Grima (2013-02-24 12:20:46)


#8 2013-02-24 12:46:32

brebs
Member
Registered: 2007-04-03
Posts: 3,414

Re: How to configure my firewall?

iptables.service

iptables isn't a service ;)

$ ps ax | grep iptab
23282 pts/1    S+     0:00 grep --color=auto iptab

The startup initscript, or what you probably mean by "service", just seeds the in-kernel firewall code with your firewall rules.


#9 2013-02-24 15:13:22

rabcor
Member
Registered: 2013-02-09
Posts: 490

Re: How to configure my firewall?

So basically it's working and I'm just being a total noob here.

Well, maybe you can enlighten me (or show me where I could read up on it).

How does this work exactly?

I get that if I deny all outgoing connections I can't do anything online, pretty much. (Which I tested to see if the firewall is working, which it is.)

But if I deny all incoming connections by default, how come I can surf the net?

Basically... the way I think it's working right now is that it blocks all incoming connections except the ones I've connected to myself with outgoing connections... correct?

So if I were to, say, try to host a server now, no one could connect to it unless I'd allow incoming connections on the server's port...

Am I somewhere close?

Last edited by rabcor (2013-02-24 15:19:11)


#10 2013-02-24 15:24:13

x33a
Forum Moderator
Registered: 2009-08-15
Posts: 3,301

Re: How to configure my firewall?

brebs wrote:
x33a wrote:

Can iptables block local sockets too?

No. Only thing relevant is:

-A INPUT -s 127.0.0.1 -i lo -j ACCEPT

Thanks, but can blocking localhost prevent a computer from booting?


#11 2013-02-24 15:25:16

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 5,661

Re: How to configure my firewall?

brebs wrote:

iptables isn't a service ;)

Yes. It is a service.

$ ps ax | grep iptab
23282 pts/1    S+     0:00 grep --color=auto iptab

The startup initscript, or what you probably mean by "service", just seeds the in-kernel firewall code with your firewall rules.

I think you mean that it is not a daemon. It is a service, though, in the systemd sense of "service".

systemctl status iptables.service

will return information if it is active but it will show that the service has exited even if it is successful for just the reason you state - it just sets up the rules and is then no longer needed as a process.



#12 2013-02-24 15:30:50

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 5,661

Re: How to configure my firewall?

rabcor wrote:

So basically it's working and I'm just being a total noob here.

It depends what you mean by "working". You probably have some rules in the firewall but whether they are doing exactly what you want depends on (i) how exactly ufw configures things in the light of the commands you issued, and (ii) what exactly you want to do. You can get a sense of (i) by issuing iptables --list. Only you can know the answer to (ii) unless you tell us.

I also don't know if ufw handles ipv6 without additional setup or whether this is even an issue for you.

How does this work exactly?

I get that if I deny all outgoing connections I can't do anything online, pretty much. (Which I tested to see if the firewall is working, which it is.)

But if I deny all incoming connections by default, how come I can surf the net?

Basically... the way I think it's working right now is that it blocks all incoming connections except the ones I've connected to myself with outgoing connections... correct?

I'm *guessing* that maybe so but only iptables --list will say for sure what it is doing.  (Or the docs for ufw maybe.)

You can use ShieldsUp to test for open ports etc. but make sure you are directly connected to the net i.e. not behind a router.



#13 2013-02-24 16:21:29

brebs
Member
Registered: 2007-04-03
Posts: 3,414

Re: How to configure my firewall?

x33a wrote:

can blocking localhost prevent a computer from booting?

Not from *booting* (that would be ridiculous, since "lo" isn't even configured at that point), but it can prevent some apps from working correctly - this did happen to me last year, but sorry, I can't remember which apps suffered.


#14 2013-02-24 23:29:21

smudge
Member
Registered: 2011-03-20
Posts: 135

Re: How to configure my firewall?

rabcor wrote:

While this works just fine for reporting, keep in mind not to enable the iptables service as long as you use ufw for managing it.

So I'm confused as hell now.

Don't be confused, I bow to the superior knowledge of the all-knowing wiki. :)

rabcor wrote:

Basically... the way I think it's working right now is that it blocks all incoming connections except the ones I've connected to myself with outgoing connections... correct?

So if I were to, say, try to host a server now, no one could connect to it unless I'd allow incoming connections on the server's port...

Am I somewhere close?

Very close I'd say, check out:

https://wiki.archlinux.org/index.php/Si … l_Firewall

Try setting up your firewall that way. You'll get a better understanding of what's going on.

ufw probably does something similar to:

# iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

which is why you can browse and such like.

You'll still need to open a port for your torrents (or for a server) or it'll block new, previously unknown incoming connections.

Disclaimer: I'm no expert :)

Last edited by smudge (2013-02-24 23:30:50)

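The ruleset that Grima's "deny defaults to incoming" and smudge's "ufw probably does something similar to" are describing, written out in full. This is an added example, not code from the thread or from ufw itself: it emits a plain iptables-restore file so the rules can be read before they touch the kernel, with a default DROP policy on INPUT, loopback accepted, the conntrack rule that lets replies to your own outbound connections back in, and exactly one deliberately opened port. Port 6881/tcp is an assumed listening port for a torrent client; substitute your own.

```sh
#!/bin/sh
# Added example, not from the original thread. Generates a minimal stateful
# ruleset in iptables-restore format. The "#" lines inside the heredoc are
# comments for iptables-restore (which ignores them), not shell comments.
# Port 6881/tcp below is an assumption; pick the port your service listens on.

# Print the ruleset. $1 = TCP port to expose for an inbound service.
gen_ruleset() {
    port="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: local-only sockets (X, databases, daemons bound to 127.0.0.1)
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened itself: this one rule is why a
# "deny incoming" firewall still lets you browse, chat and torrent
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# packets that belong to no known flow (malformed or stale) are dropped early
-A INPUT -m conntrack --ctstate INVALID -j DROP
# the one port we deliberately expose: a NEW inbound connection is accepted
# only here; everything else falls through to the INPUT DROP policy
-A INPUT -p tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Sanity check before applying: count rules that admit brand-new inbound
# flows (ignores loopback and the RELATED,ESTABLISHED accept). $1 = ruleset text.
count_open_ports() {
    printf '%s\n' "$1" | grep -c -- '--ctstate NEW -j ACCEPT'
}

# Load the rules atomically (needs root) and show what the kernel now holds.
apply_ruleset() {
    gen_ruleset "$1" | iptables-restore
    iptables -S INPUT
}

# gen_ruleset 6881      # print the rules for review
# apply_ruleset 6881    # as root: load them, then list the INPUT chain
```

Run gen_ruleset first and read the output; apply_ruleset only when it says what you expect. The ufw equivalent of the same policy is ufw default deny incoming, ufw default allow outgoing and ufw allow 6881/tcp, and ufw status verbose prints the resulting defaults on a "Default:" line; iptables -S INPUT (or iptables --list, as cfr suggests) shows the rules ufw actually loaded, which will include a conntrack accept much like the one above. Note that this example only covers IPv4; ip6tables holds a separate table and needs its own ruleset.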

#15 2013-02-25 04:46:17

x33a
Forum Moderator
Registered: 2009-08-15
Posts: 3,301

Re: How to configure my firewall?

brebs wrote:
x33a wrote:

can blocking localhost prevent a computer from booting?

Not from *booting* (that would be ridiculous, since "lo" isn't even configured at that point), but it can prevent some apps from working correctly - this did happen to me last year, but sorry, I can't remember which apps suffered.

Yeah, that's what I was wondering too. cfr said that preventing all connections will probably lead to an unbootable machine, and I can't understand how that's possible.


#16 2013-02-26 01:15:08

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 5,661

Re: How to configure my firewall?

I was thinking that it would screw up "normal" booting because I thought/think X needs to be able to connect on localhost. But I could be wrong about this and I wasn't clear.

I think that the equivalent ipfw command prevents OS X booting but, again, that would be "normal" booting into Aqua not booting into the equivalent of the cli or rescue mode. And I could be wrong about that too.

(I'm probably wrong about everything. :( )



#17 2013-02-26 05:09:13

x33a
Forum Moderator
Registered: 2009-08-15
Posts: 3,301

Re: How to configure my firewall?

cfr wrote:

(I'm probably wrong about everything. :( )

Don't worry, has happened with me many times :P

Last edited by x33a (2013-02-26 05:11:22)
