
#1 2011-10-15 01:14:42

ILoveJapaneseGirls
Banned
Registered: 2009-09-05
Posts: 72

What to do to have reasonable security with firewall?

Hello everybody!

I plan to use torrent (Deluge) all day long to download and seed, but I'm worried that this will expose the IP address to the rest of the world and someone can get access to the machine and see my personal stuff.

All this personal stuff is in the second HD and the wisest option would be to put it all in an encrypted partition. I agree and I will do it later.

However, the problem now is the firewall. I don't understand anything about firewalls and would like a suggestion of how to set one up (preferably an easy, graphical one if possible), so I can have a reasonable level of security without worrying that someone will get access to my machine.

What are the basic things that can ensure this protection?

Or do you have a tutorial for beginners?

Thanks! :)


#2 2011-10-15 01:56:13

trusktr
Banned
From: .earth
Registered: 2010-02-18
Posts: 907

Re: What to do to have reasonable security with firewall?

Interesting question, I'd like to know too!


joe@trusktr.io - joe at true skater dot io.


#3 2011-10-15 02:25:02

SidK
Member
Registered: 2011-03-03
Posts: 116

Re: What to do to have reasonable security with firewall?

Assuming you are behind a NAT (most home routers) you're perfectly safe. If you're not behind a NAT, or you've put your computer into the DMZ to help seed torrents more effectively, then you do want firewall rules of some form. In general you'll want to firewall off any services you don't want remote access to.

Ultimately you can pick from several firewall front-ends, see https://wiki.archlinux.org/index.php/Firewall. I tend to use iptables directly, but you don't have to.

With deluge you can limit its incoming/outgoing ports. Perhaps the best way to do this is to give it a range of a few hundred ports in the 40k range or thereabouts, then disallow access to any other ports from any foreign IPs.

Let's say you have a local network, you've put your computer with deluge in the DMZ and it has a local IP of 192.168.0.10. It runs deluge, ssh and ftp. You want deluge to work normally but you also want ssh and ftp to be limited to LAN access only. First you configure deluge to use 40000-40200 as incoming ports.
Then you create the following firewall rules:

# Flush current rules
iptables -F
# Block all incoming
iptables -P INPUT DROP
# Allow loopback
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow SSH from LAN
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport ssh -j ACCEPT
# Allow FTP from LAN
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport ftp -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport ftp-data -j ACCEPT
# Allow Deluge remote management from LAN
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 58846 -j ACCEPT
# Allow Deluge from anywhere (the 40000-40200 incoming range configured above)
iptables -A INPUT -p tcp --dport 40000:40200 -j ACCEPT
# Allow ICMP ping
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

# Reject all remaining incoming traffic with an ICMP protocol-unreachable message
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreach

Of course, if you are behind a standard home router then instead of putting the computer into the DMZ and then closing off most ports, you could instead NOT put it in the DMZ and only port forward the correct ports.

After you've done this, try to connect over SSH from outside your network. You can use http://nmap-online.com/ if you don't have external computers you can connect to.


#4 2011-10-15 07:23:32

ghen
Member
From: Belgium
Registered: 2010-08-31
Posts: 121

Re: What to do to have reasonable security with firewall?

ILoveJapaneseGirls wrote:

I plan to use torrent (Deluge) all day long to download and seed, but I'm worried that this will expose the IP address to the rest of the world and someone can get access to the machine and see my personal stuff.

All this personal stuff is in the second HD and the wisest option would be to put it all in an encrypted partition. I agree and I will do it later.

Disk encryption won't do anything for you if someone gets access to your (running) computer over the network, as the filesystems are mounted and the data is exposed.

Disk encryption protects your data when off-line, e.g. if your disk or computer gets stolen. It is typically used on laptops.


#5 2011-10-15 08:07:13

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: What to do to have reasonable security with firewall?

ILoveJapaneseGirls wrote:

reasonable level of security

If you don't trust deluge to be secure, then run it as a different user, or set up SELinux (not easy) or AppArmor.

Last edited by brebs (2011-10-15 08:31:07)


#6 2011-10-15 11:01:11

jnguyen
Member
Registered: 2011-02-17
Posts: 139

Re: What to do to have reasonable security with firewall?

brebs wrote:
ILoveJapaneseGirls wrote:

reasonable level of security

If you don't trust deluge to be secure, then run it as a different user, or set up SELinux (not easy) or AppArmor.

Another choice is the easy-to-use TOMOYO Linux :)


TOMOYO Linux: Mandatory Access Control.
My AUR packages


#7 2011-10-15 16:10:00

ILoveJapaneseGirls
Banned
Registered: 2009-09-05
Posts: 72

Re: What to do to have reasonable security with firewall?

Thank you for the answers so far guys!

SidK you helped the most, unfortunately I don't even know what DMZ means lol!

I use a standalone computer that is connected to the internet via a cable modem. There is no LAN here.

I do trust Deluge to be secure, and it's one of the best torrent clients I've ever used: simple, fast and secure.

There are only two users here: the root and the regular user (and I obviously use the regular one).

The only services I use the internet for here are: browsers, IMs (like Pidgin), Thunderbird, file-sharing programs, pacman and CDDB access (like from Audacious and VLC). I don't use other things or protocols, and don't even use remote access.

To make things simpler: isn't there a program or website where I can scan my computer so it tells me which ports are open and/or vulnerable and which ones it's okay to leave the way they are?

(It really sucks not to understand anything about security, not even the terminology!)

By the way, thanks for pointing out the disk encryption process, ghen.

Thanks!


#8 2011-10-15 16:55:05

SidK
Member
Registered: 2011-03-03
Posts: 116

Re: What to do to have reasonable security with firewall?

ILoveJapaneseGirls wrote:

I use a standalone computer that is connected to the internet via a cable modem. There is no LAN here.

If you have no LAN, then you will want firewall rules of some kind as your computer is accessible directly from the net.

If you want to double check, run:

ip addr show dev eth0

If you see 192.168.x.y or 10.x.y.z then you're on a LAN, otherwise you're not (there are exceptions, but generally in those cases you already know the answer).

ILoveJapaneseGirls wrote:

To make things simpler: isn't there a program or website where I can scan my computer so it tells me which ports are open and/or vulnerable and which ones it's okay to leave the way they are?

I posted a link in my previous post to where you can scan your PC from. The wiki page I mentioned also links to Shields Up as another place to do the scan from.

ILoveJapaneseGirls wrote:

The only services I use the internet for here are: browsers, IMs (like Pidgin), Thunderbird, file-sharing programs, pacman and CDDB access (like from Audacious and VLC). I don't use other things or protocols, and don't even use remote access.

The firewall rules I posted don't restrict any outgoing traffic, so browsing, IM, SMTP, POP/IMAP etc should all be fine. Since you're not on a LAN you can scrap all the LAN only rules I created as they wouldn't apply to you.

ILoveJapaneseGirls wrote:

unfortunately I don't even know what DMZ means

A lot of people have a router at home, often supplied by their ISP. This router actually is much more than a router. It's also a switch, a DHCP server and a NAT box. In simpler terms it allows many computers to connect to it and lets them share one Internet connection. This is great for ISPs as it means they only have to assign you a single IP address and it gets shared among however many computers you have in the house. It poses a problem for some users though, because if they want to run a service (say a web server) from their home then they have to configure the router for the web server to be externally accessible. Let's say you are running a web server on one of your computers behind such a router and I want to connect. I type your IP address into my address bar. This connects to your router, but the router doesn't know which of the computers within your network I actually intend to talk to. To solve this you would have to port forward the web server on your router, i.e. tell it to send any traffic on port 80 to computer X. Then when I type your IP address into my address bar your router knows what to do and everything works.

However, if you don't know the ports you need to port forward, or if you just want to forward everything to a certain computer, then you tell the router to put it into the DMZ (de-militarised zone). Now when I connect to your IP address on any port the router will just forward that request to the computer you put in the DMZ. I'm sure you can find more information on your own regarding NAT, port forwarding and DMZs if you want to read up on them.

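As an added example (not code from SidK or from the thread), the two steps from this post and post #3 combined into one POSIX shell script for the standalone, no-LAN case: an RFC 1918 check on the address that `ip addr show` reports (post #8 names 10.x.y.z and 192.168.x.y; 172.16.0.0/12 is added here as the third private block a home router may hand out), and the iptables rules from post #3 with every LAN-only line dropped. The interface name, the 40000-40200 range and the extra UDP rule (assumed for Deluge's DHT/uTP traffic on the same listen ports) are assumptions of the example, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Standalone (no LAN) firewall helper
# built from SidK's rules in posts #3 and #8.

# is_private_ipv4 ADDR[/PREFIX] -> exit 0 if ADDR is in an RFC 1918 block.
# Post #8 mentions 10.x.y.z and 192.168.x.y; 172.16.0.0/12 is added here
# because it is the third private block. A private address means a router
# sits between you and the net; a public one means you are exposed directly.
is_private_ipv4() {
    case "${1%%/*}" in
        10.*)                                   return 0 ;;
        192.168.*)                              return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
        *)                                      return 1 ;;
    esac
}

# addr_verdict LINE -> prints "lan" or "public" for one line of
# `ip -4 -o addr show` (fields: index, ifname, "inet", ADDR/PREFIX, ...).
addr_verdict() {
    addr=$(printf '%s\n' "$1" | awk '{print $4}')
    if is_private_ipv4 "$addr"; then echo lan; else echo public; fi
}

# standalone_rules LOW HIGH -> prints the iptables commands for a machine
# plugged straight into the modem: no LAN-only SSH/FTP/daemon rules, since
# there is no LAN to allow them from. Pipe the output into `sh` as root.
standalone_rules() {
    low=$1; high=$2
    [ "$low" -ge 1024 ] && [ "$low" -le "$high" ] && [ "$high" -le 65535 ] \
        || { echo "bad port range $low-$high" >&2; return 1; }
    cat <<EOF
# Flush current rules, drop everything inbound by default
iptables -F
iptables -P INPUT DROP
# Loopback and replies to connections this machine started
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Deluge listen range from anywhere (TCP as in post #3; UDP assumed for DHT/uTP)
iptables -A INPUT -p tcp --dport ${low}:${high} -j ACCEPT
iptables -A INPUT -p udp --dport ${low}:${high} -j ACCEPT
# Ping
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
# Everything else
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreach
EOF
}

# Usage:  sh fw.sh check        # is eth0 on a LAN or directly on the net?
#         sh fw.sh show         # print the rules for review
#         sh fw.sh show | sh    # apply them (as root)
# IFACE, LOW and HIGH can be overridden in the environment.
case "${1:-}" in
    check) ip -4 -o addr show dev "${IFACE:-eth0}" scope global | while read -r line; do
               echo "$line" | awk -v v="$(addr_verdict "$line")" '{print $2, $4, "->", v}'
           done ;;
    show)  standalone_rules "${LOW:-40000}" "${HIGH:-40200}" ;;
esac
```

Run `check` first: if it prints `lan`, you are behind a router and post #3's advice about port forwarding applies; if it prints `public`, apply the rules and then do the external scan SidK linked to confirm that only the Deluge range answers. Note that `iptables -F` alone does not survive a reboot; Arch's iptables package ships a service that restores saved rules, so save them once you are happy with the result.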

#9 2011-10-15 17:53:58

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: What to do to have reasonable security with firewall?

A firewall is not going to secure you in the case of a compromised torrent client. It only protects against unauthorized access to some services (sshd, httpd, etc), but you seem to have none (browser, IM, email are not services). So, a firewall will not do any good for you.

If you really want security, don't mess with selinux/apparmor/tomoyo, but run your torrent client in a VM...


Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd



Powered by FluxBB