Since tcp_wrappers is now flushed, I think it's time to add a firewall
I have a very simplistic setup here and want to make sure I'm understanding this application. My goal:
1) Allow incoming "LAN" traffic (all ports/protocols from machines in my subnet). This will encompass services such as CIFS, Samba, Printing, distcc, etc. etc.
2) Allow incoming bittorrent traffic from the entire Internet via the [Deluge] preset
3) Allow incoming ssh connections from the entire Internet AND allow port forwarding therein. I access my machine via tunneling through ssh.
# ufw default deny
Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)
# ufw allow from 192.168.0.0/24
Rules updated
# ufw allow Deluge
Rules updated
# ufw allow SSH
Rules updated
Is this it? Do I need to worry about localhost or 127.0.0.1 to facilitate the port forwarding? For example, vnc only accepts connections from 127.0.0.1 since again, I tunnel into it from outside the LAN. I do the same from my lighttpd.
# ufw status
Status: active
To Action From
-- ------ ----
Anywhere ALLOW 192.168.0.0/24
Deluge ALLOW Anywhere
SSH ALLOW Anywhere
Last edited by graysky (2011-07-16 18:26:14)
CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
Any reason not to go full on with iptables? It isn't that hard to use and the wiki already has a good example of a starting point [1] and I'd say that it might be easier to get help for tricky problems if you are using iptables.
R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K
Graysky: it looks like we both did something similar today. I tested port forwarding, and it didn't appear that I needed to add any extra rules other than SSH.
Any reason not to go full on with iptables? It isn't that hard to use and the wiki already has a good example of a starting point [1] and I'd say that it might be easier to get help for tricky problems if you are using iptables.
For simple desktop or laptop configurations, setting up iptables by hand is a little ridiculous. But yes, if you have some sort of tricky problem or complicated setup, you should probably go with something a little more advanced than ufw.
BTW, I'd noticed a neat graphical tool for ufw in the AUR today: kcm-ufw.
It integrates with KDE's systemsettings very nicely, and has more options than gufw from [community].
Seems that ufw is the way for me to go as well.
Status: active
To Action From
-- ------ ----
Anywhere ALLOW 192.168.1.0/24
Transmission ALLOW Anywhere
SSH ALLOW Anywhere
Samba ALLOW Anywhere
Had to change a few ports around in the /etc/ufw/applications.d/ files but that's it, took all of 5 minutes.
EDIT/ actually only use Samba on LAN
Meyithi-NB meyithi ~
$ sudo ufw allow from 192.168.1.0/24 to any app Samba
Rule added
Meyithi-NB meyithi ~
$ sudo ufw status
Status: active
To Action From
-- ------ ----
Anywhere ALLOW 192.168.1.0/24
Transmission ALLOW Anywhere
SSH ALLOW Anywhere
Samba ALLOW 192.168.1.0/24
Last edited by Meyithi (2011-07-17 00:47:27)
@mey - I'd be careful about modding files that the pkg installs... I believe that future updates could overwrite your files, no? ...or would the new ones get installed as *.pacnew.
Hmm... probably the latter.
Doh, allowing LAN traffic obviously allows Samba, so I can remove that rule I think.
Actually sod it, I'd rather remove the Anywhere rule.
End up with
Meyithi-NB meyithi ~
$ sudo ufw status
Status: active
To Action From
-- ------ ----
Transmission ALLOW Anywhere
SSH ALLOW Anywhere
Samba ALLOW 192.168.1.0/24
@graysky - I hope so yeah, my ports are all different so not sure where else I could do it from.
Last edited by Meyithi (2011-07-17 00:56:43)
In any file under /etc/ufw/applications.d/, although you'd have to give it a non-standard identifier since the standard one already exists in the PKG files... after looking at the PKGBUILD for ufw I don't believe that any file that the PKG installed will be spared from being overwritten. I believe only files in the backups array are spared.
Last edited by graysky (2011-07-17 01:28:49)
Does one need to add both iptables and ufw to the daemons array in /etc/rc.conf?
"If the person you are talking to doesn't appear to be listening, be patient. It may simply be that he has a small piece of fluff in his ear." - A.A. Milne (Winnie-the-Pooh)
In any file under /etc/ufw/applications.d/, although you'd have to give it a non-standard identifier since the standard one already exists in the PKG files... after looking at the PKGBUILD for ufw I don't believe that any file that the PKG installed will be spared from being overwritten. I believe only files in the backups array are spared.
Yup, this was spot on. I've created a ufw-custom file and just appended My to the front of each identifier, MySamba, MySSH etc.
[MySamba]
title=Windows file and printer server for Unix
description=Tools to access a server's filespace and printers via SMB
ports=111,111/udp|111,111/tcp
[MySSH]
title=SSH server
description=SSH server
ports=11111/tcp
[MyTransmission]
title=Transmission
description=Transmission BitTorrent client
ports=11111/tcp
Ports changed ofc
Does one need to add both iptables and ufw to the daemons array in /etc/rc.conf?
Just ufw, make sure you
# ufw enable
before you do though.
Last edited by Meyithi (2011-07-17 10:08:36)
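Two things in this thread are easy to get wrong by hand: the ports= syntax and identifier clashes in a custom /etc/ufw/applications.d file, and working out what a default-deny ruleset actually lets through (graysky's question about whether tunnelled services on 127.0.0.1 need their own rule). The script below is an added example, not code from ufw or from anyone in the thread. It parses a profile file in the format shown above, rejects malformed ports entries and names that collide with package-installed profiles, then expands a `ufw status` listing into concrete (port, protocol, source) matches and evaluates sample connections against it. The profile text, the stock profile table, the status listing and the sample connections are all constructed; the port numbers for SSH and Samba are the usual ones, not values from this thread. One assumption is stated in the code: ufw's default before.rules accept all traffic on the loopback interface, which is why a VNC or lighttpd instance bound to 127.0.0.1 and reached through an ssh tunnel needs no extra rule.

```python
"""Validate a ufw applications.d profile and evaluate a default-deny ruleset.

Added example for the thread above (not ufw's own code). All inputs below are
constructed so the script runs offline.
"""
import configparser
import ipaddress
import re

# Constructed custom profile in the /etc/ufw/applications.d format.
PROFILE_TEXT = """
[MySamba]
title=Windows file and printer server for Unix
description=Tools to access a server's filespace and printers via SMB
ports=137,138/udp|139,445/tcp

[MySSH]
title=SSH server
description=SSH server
ports=22/tcp
"""

# Constructed stand-in for the profiles the ufw package installs. A custom
# file must not reuse these names, which is why the thread prefixes "My".
STOCK_PROFILES = {
    "SSH": {(22, "tcp")},
    "Samba": {(137, "udp"), (138, "udp"), (139, "tcp"), (445, "tcp")},
}

# ports= grammar: comma-separated ports or low:high ranges, optional /proto,
# alternatives joined with "|". A bare list with no proto means tcp and udp.
PORT_SPEC = re.compile(r"^(\d+(:\d+)?)(,\d+(:\d+)?)*(/(tcp|udp))?$")

# Constructed status listing in the layout printed by "ufw status".
STATUS_TEXT = """\
Status: active
To Action From
-- ------ ----
Anywhere ALLOW 192.168.0.0/24
SSH ALLOW Anywhere
"""


def parse_profiles(text, stock=STOCK_PROFILES):
    """Return {name: {(port, proto), ...}} for every [section] in the text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    profiles = {}
    for name in cp.sections():
        if name in stock:
            raise ValueError(f"[{name}] clashes with a package-installed profile")
        ports = set()
        for spec in cp[name]["ports"].split("|"):
            if not PORT_SPEC.match(spec):
                raise ValueError(f"bad ports entry in [{name}]: {spec}")
            plist, _, proto = spec.partition("/")
            protos = [proto] if proto else ["tcp", "udp"]
            for item in plist.split(","):
                lo, _, hi = item.partition(":")
                for port in range(int(lo), int(hi or lo) + 1):
                    ports.update((port, p) for p in protos)
        profiles[name] = ports
    return profiles


def parse_status(text, profiles):
    """Turn 'To Action From' lines into (dst_ports_or_None, action, net_or_None)."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] not in ("ALLOW", "DENY", "REJECT"):
            continue  # header, separator or blank line
        to, action, src = parts
        if to == "Anywhere":
            dst = None  # any port, any protocol
        elif to in profiles:
            dst = profiles[to]
        else:  # explicit "22/tcp" or bare "22" style entry
            port, _, proto = to.partition("/")
            protos = [proto] if proto else ["tcp", "udp"]
            dst = {(int(port), p) for p in protos}
        net = None if src == "Anywhere" else ipaddress.ip_network(src)
        rules.append((dst, action, net))
    return rules


def allowed(rules, src_ip, dport, proto, iface="eth0"):
    """First matching rule wins, as ufw inserts them in order; default deny.

    Assumption: ufw's default before.rules accept everything arriving on lo,
    so a service bound to 127.0.0.1 reached via an ssh tunnel needs no rule.
    """
    if iface == "lo":
        return True
    ip = ipaddress.ip_address(src_ip)
    for dst, action, net in rules:
        if dst is not None and (dport, proto) not in dst:
            continue
        if net is not None and ip not in net:
            continue
        return action == "ALLOW"
    return False


def example_rules():
    """Stock profiles merged with the custom file, applied to STATUS_TEXT."""
    profiles = dict(STOCK_PROFILES)
    profiles.update(parse_profiles(PROFILE_TEXT))
    return parse_status(STATUS_TEXT, profiles)


if __name__ == "__main__":
    rules = example_rules()
    for src, port, proto, iface in [("192.168.0.5", 445, "tcp", "eth0"),
                                    ("203.0.113.9", 445, "tcp", "eth0"),
                                    ("203.0.113.9", 22, "tcp", "eth0"),
                                    ("127.0.0.1", 5900, "tcp", "lo"),
                                    ("203.0.113.9", 5900, "tcp", "eth0")]:
        print(src, port, proto, iface, "->", "ALLOW" if allowed(rules, src, port, proto, iface) else "DENY")
```

The evaluation mirrors the thread's outcome: SMB from the LAN is accepted by the subnet rule, SMB and VNC from the Internet fall through to the deny default, SSH from anywhere is accepted, and the tunnelled VNC connection arrives on lo and never reaches the user rules at all.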
I updated the ufw section on the wiki.