You are not logged in.

#1 2004-01-27 13:32:25

Mr Green
Forum Fellow
From: U.K.
Registered: 2003-12-21
Posts: 5,750

Can you help newbie set up firewall? [FXx]

Hi

I am looking to set up a firewall and wanted to know how to start..?

Mr Green :mrgreen:


Mr Green

Offline

#2 2004-01-27 13:52:00

dreas
Member
From: Germany
Registered: 2004-01-19
Posts: 15
Website

Re: Can you help newbie set up firewall? [FXx]

I've been told NARC does a pretty good job while being pretty simple.

NARC is a free firewalling package for Netfilter/Iptables released under the BSD license.

NARC attempts to simplify the setup of a firewall (stateful packet filter) via the iptables tools. NARC is a bash shellscript that generates (hopefully) sensible and secure rules for Netfilter based on a simple configuration file.

Even though this isn't a howto, you're welcome to look at the code and take examples from it. You're welcome to modify it and incorporate it in your code. If you notice that something can be improved, by all means send the changes in, but know that it's not a requirement.

Offline

#3 2004-01-27 14:13:01

Mr Green
Forum Fellow
From: U.K.
Registered: 2003-12-21
Posts: 5,750

Re: Can you help newbie set up firewall? [FXx]

Hi

Narc looks interesting but its not in package list........

I see Snort is in package list anyone know how to set it up?

Mr Green

:mrgreen:


Mr Green

Offline

#4 2004-01-27 14:43:24

Mork II
Member
From: Visby, Sweden
Registered: 2003-05-14
Posts: 87

Re: Can you help newbie set up firewall? [FXx]

http://www.netfilter.org/ is a good place to look. man iptables is also useful.

What do you need to do with your firewall? Protect a desktop machine? A server? Forward traffic to you network?

The script below is as simple as it gets, it is for a single desktop machine and allows all outgoing traffic and incoming answers to that traffic (it is rendered useless if you get a trojan though). It is a good start if you have no firewall at all but you might want to extend it with logging capabilities, blocking unused outgoing ports etc.

1. Paste the following to a file called firewall

#!/bin/sh
#
# /etc/rc.d/firewall: start/stop firewall
#

if [ "$1" = "start" ]; then
        /usr/sbin/iptables -F
        /usr/sbin/iptables -P OUTPUT ACCEPT
        /usr/sbin/iptables -P FORWARD DROP
        /usr/sbin/iptables -P INPUT DROP
        /usr/sbin/iptables -A INPUT -i eth0 -m state 
        --state ESTABLISHED,RELATED -j ACCEPT
elif [ "$1" = "stop" ]; then
        killall -q /usr/sbin/iptables
else
        echo "usage: $0 start|stop"
fi

#End of file

2. mv firewall /etc/rc.d/firewall
3. chown root /etc/rc.d/firewall
4. chmod 755 /etc/rc.d/firewall
5.Add firewall to your /etc/rc.conf, prefarbly before your network starts up:

DAEMONS=(syslogd klogd firewall network crond)

Snort is not a firewall per se. It is an intrusion detection system. That doesn't mean it's not useful though.

If you prefer a gui firewall configurator you can try firestarter.

Offline

#5 2004-01-27 15:35:28

Mr Green
Forum Fellow
From: U.K.
Registered: 2003-12-21
Posts: 5,750

Re: Can you help newbie set up firewall? [FXx]

Hi Mork II

Thank you for your help 8)  I connect to net via a router so its just to protect my Desktop .

Iptables makes my brain hurt.... lol

your script will help me make a start....its not so much incoming as outgoing :?

I will let you know how I get on wink

Mr Green :mrgreen:

P.S. I may give firestarter a look


Mr Green

Offline

#6 2004-04-11 16:23:23

@leX
Member
From: Israel
Registered: 2003-11-06
Posts: 76

Re: Can you help newbie set up firewall? [FXx]

It's my simple solution for desktops.
1) Start your browser end make securety test in http://scan.sygatetech.com/ and https://grc.com/x/ne.dll?bh0bkyd2
2) If iptables not installed

pacman -Sy iptables

else go to #3
3) Under root or su go to /etc/iptables

cd /etc/iptables/

4) copy simple_firewall.rules to iptables.rules

cp simple_firewall.rules iptables.rules

Note: IMXO file simple_firewall.rules contain basic predefined firewall rules
5) Add iptables to rc.config to DAEMONS section

DAEMONS = (SOMETHING iptables !SOMETHING)

6) Reboot your linux box.
7) Start your browser end make securety test in http://scan.sygatetech.com/ and https://grc.com/x/ne.dll?bh0bkyd2 .
8) See the differents.

Offline

#7 2004-04-12 04:32:10

mladen
Member
From: Home
Registered: 2004-03-03
Posts: 46

Re: Can you help newbie set up firewall? [FXx]

These advices above are healthy.

Just to clarify things:  Netfilter/iptables is the default firewalling mechanism for kernels 2.4 and above. Included in Arch is the latest version, just pacman it. Also (I think in extra's) included is Firestarter firewalling app with graphical seting and monitoring of packets (as an gui for iptables). This one will probably sufice nicely for most of the users - unless there is some weird machine configuration with multiple nic's etc...). For FAQ on Firestarter go to http://firestarter.sourceforge.net/   or, even, join the mail list.

If you prefer cli, then read Rusty Russel's iptables HOWTO and use his script at the end of it (http://www.netfilter.org/documentation/ … -HOWTO.txt). Then adjust to your needs.

In any case - use the firewall!  8)


No past, no future. It's all one long, never ending present.

Offline

#8 2004-04-12 09:07:34

Mr Green
Forum Fellow
From: U.K.
Registered: 2003-12-21
Posts: 5,750

Re: Can you help newbie set up firewall? [FXx]

I'm Using Guarddog at the moment....seems to be Ok.

I cannot play UT2004 online anymore...  :cry:

When I get round to it I want to set up firewall in router....

Mr Green


Mr Green

Offline

#9 2004-05-01 16:45:13

@leX
Member
From: Israel
Registered: 2003-11-06
Posts: 76

Re: Can you help newbie set up firewall? [FXx]

How I can enable input/output traffic for p2p clients (eDonkey network)?
I have ADSL connection PPPoE (ppp0)(External ADSL modem) true eth0. No router, no NAT.
Current configuration:
/etc/conf.d/iptables

# Configuration for iptables rules

IPTABLES=/usr/sbin/iptables

IPTABLES_CONF=/etc/iptables/iptables.rules
IPTABLES_FORWARD=1  # enable IP forwarding?

/etc/iptables/iptables.rules

# this drops all tcp connections not in established or related state
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
COMMIT

Offline

#10 2004-05-28 00:13:37

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,615
Website

Re: Can you help newbie set up firewall? [FXx]

@leX wrote:

5) Add iptables to rc.config to DAEMONS section

DAEMONS = (SOMETHING iptables !SOMETHING)

Just make sure that you put iptables in the list BEFORE you start your network...
the time of difference may seem insignificant, but if something does get in between network start and firewall start...well..


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#11 2004-05-28 02:21:32

kpiche
Forum Fellow
From: Ottawa, ON, Canada
Registered: 2004-03-30
Posts: 246
Website

Re: Can you help newbie set up firewall? [FXx]

For eDonkey you need to allow new outgoing and incoming connections on port 4662.  Is this a firewall?  If not then you don't need to forward packets.

Offline

#12 2004-05-29 21:49:18

@leX
Member
From: Israel
Registered: 2003-11-06
Posts: 76

Re: Can you help newbie set up firewall? [FXx]

kpiche wrote:

For eDonkey you need to allow new outgoing and incoming connections on port 4662.

I need
TCP port 4661 to connect to the server.
TCP port 4662 to connect to other clients.
UDP port 4665 to send messages to servers other then the one you are connected to.
How can I do it?

Offline

#13 2004-06-01 06:45:59

tpowa
Developer
From: Lauingen , Germany
Registered: 2004-04-05
Posts: 2,262

Re: Can you help newbie set up firewall? [FXx]

kmyfirewall is in staging repo
it's also a good frontend for iptables

Offline

#14 2004-06-07 03:59:06

nkw
Member
Registered: 2004-03-26
Posts: 80

Re: Can you help newbie set up firewall? [FXx]

how to make a rule that let all the traffice pass? I just need a router...

Offline

#15 2004-07-08 20:42:44

fideli
Member
From: calgary
Registered: 2004-06-20
Posts: 44

Re: Can you help newbie set up firewall? [FXx]

Mr Green wrote:

I'm Using Guarddog at the moment....seems to be Ok.

did you make a PKGBUILD for it?  i'm interested in using guarddog as well.


- fideli /-

Offline

#16 2005-02-24 20:39:47

@leX
Member
From: Israel
Registered: 2003-11-06
Posts: 76

Re: Can you help newbie set up firewall? [FXx]

@leX wrote:

How I can enable input/output traffic for p2p clients (eDonkey network)?
I have ADSL connection PPPoE (ppp0)(External ADSL modem) true eth0. No router, no NAT.
Current configuration:
/etc/conf.d/iptables

# Configuration for iptables rules

IPTABLES=/usr/sbin/iptables

IPTABLES_CONF=/etc/iptables/iptables.rules
IPTABLES_FORWARD=1  # enable IP forwarding?

/etc/iptables/iptables.rules

# this drops all tcp connections not in established or related state
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
COMMIT

--------------------------------------------------------------------------------------
SOLUTION

# this drops all tcp con]nections not in established or related state
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#aMule Rules
-A INPUT -i ppp0 -p tcp --dport 4662 -j ACCEPT
-A INPUT -i ppp0 -p udp --dport 4672 -j ACCEPT
#------------
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
COMMIT

Offline

Board footer

Powered by FluxBB