 
11-21-2007, 08:29 AM
Amit Uttamchandani

Laptop Firewalling

> Hi all,
>
> Being on the road a lot with my trusted lappy, I'd like to get
> suggestions on the best solution for an iptables based firewall that
> needs to be easily reconfigurable for wireless, ethernet cable, and ppp.
> I should be able to apply rules on the fly using tools such as wireshark
> to identify mac address exclusions, etc, and hopefully would be ipv6
> capable. Any ideas?
>
> Regards,
>
> Klein

I have a laptop that I use at home, on campus, and various other places. The firewall solution I use is called firestarter. The simplest way to get it up and running is sudo aptitude install firestarter. It is a front-end to iptables and very simple to use and set up. I believe it will fit your needs. Check it out.

Good luck.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
11-21-2007, 11:12 AM
Johannes Wiedersich

Laptop Firewalling


Amit Uttamchandani wrote:
> I have a laptop that I use at home, on campus, and various other
> places. The firewall solution I use is called firestarter. The
> simplest way to get it up and running is sudo aptitude install
> firestarter. It is a front-end to iptables and very simple to use and
> set up. I believe it will fit your needs. Check it out.

I use firestarter as well on my etch laptop. One problem I have is that
I have to manually reconfigure firestarter to switch from cable (eth0)
to wireless (eth2). How did you solve this problem?

If you just configure it once, say for eth0, it will simply ignore all
the traffic on eth2 (IIUC), if you happen to later use eth2 without
reconfiguration of firestarter. I guess one could write a script to
automate this, but you should be aware of the problem.

Johannes



 
11-21-2007, 12:32 PM
"Douglas A. Tutty"

Laptop Firewalling

On Wed, Nov 21, 2007 at 01:49:15PM +0700, Klein Moebius wrote:
> Being on the road a lot with my trusted lappy, I'd like to get
> suggestions on the best solution for an iptables based firewall that
> needs to be easily reconfigurable for wireless, ethernet cable, and ppp.
> I should be able to apply rules on the fly using tools such as wireshark
> to identify mac address exclusions, etc, and hopefully would be ipv6
> capable. Any ideas?

You could look at shorewall. It has a great set of docs in
shorewall-doc.

Your laptop has three potential interfaces: eth(cable), eth(wireless)
and ppp. Do the two eth end up with different unit numbers? (I've never
used wireless). From a firewall perspective, does it matter if at any
given time you're using a particular interface? Assuming that you're
not forwarding, although perhaps the Nat config will change.

You could create a set of config files for each setup and write a script
that copies the correct set to /etc/shorewall then restarts shorewall.
Have the script start when an interface goes up.

Doug.
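
Added example, not part of Doug's message: one way to write the hook he describes, as a script for Debian's /etc/network/if-up.d/ (ifupdown exports IFACE to scripts there). The /etc/shorewall-profiles layout, the profile names and the interface-to-profile mapping are assumptions; the interface names are the ones mentioned in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): switch Shorewall profiles per interface.
# Assumed layout: $PROFILE_ROOT/<profile>/ holds a complete Shorewall config set.
PROFILE_ROOT=${PROFILE_ROOT:-/etc/shorewall-profiles}
LIVE_DIR=${LIVE_DIR:-/etc/shorewall}
SHOREWALL=${SHOREWALL:-shorewall}

# Map an interface to a profile name. Anything unrecognised gets the
# strictest profile instead of being left without matching rules.
profile_for() {
    case "$1" in
        eth0)        echo wired ;;
        eth2|wlan*)  echo wireless ;;
        ppp*)        echo ppp ;;
        *)           echo paranoid ;;
    esac
}

# Install the profile for interface $1 and restart Shorewall.
# Prints the profile that was applied; returns non-zero and leaves
# the live configuration untouched if validation fails.
switch_profile() {
    iface=$1
    name=$(profile_for "$iface")
    [ -d "$PROFILE_ROOT/$name" ] || name=paranoid
    src="$PROFILE_ROOT/$name"
    [ -d "$src" ] || { echo "no profile for $iface" >&2; return 1; }
    # Validate the candidate directory before it replaces the live files.
    "$SHOREWALL" check "$src" >/dev/null || {
        echo "profile $name failed 'shorewall check'" >&2; return 1; }
    # Every profile must carry the same file names, or files left over
    # from the previous profile would stay active.
    cp -f "$src"/* "$LIVE_DIR"/ || return 1
    "$SHOREWALL" restart >/dev/null || return 1
    echo "$name"
}

# ifupdown exports IFACE to scripts in /etc/network/if-up.d/.
if [ -n "${IFACE:-}" ] && [ "$IFACE" != lo ]; then
    switch_profile "$IFACE"
fi
```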


 
11-21-2007, 03:08 PM
Klein Moebius

Laptop Firewalling

* Douglas A. Tutty <dtutty@porchlight.ca> [2007-11-21 08:32:41 -0500]:

> You could look at shorewall. It has a great set of docs in
> shorewall-doc.

Yes, it does. I use it at three systems on dedicated firewall boxes.
Hadn't thought about using it in a laptop environment.

>
> Your laptop has three potential interfaces: eth(cable), eth(wireless)
> and ppp. Do the two eth end up with different unit numbers?

They do.

> From a firewall perspective, does it matter if at any
> given time you're using a particular interface? Assuming that you're
> not forwarding, although perhaps the Nat config will change.
>
> You could create a set of config files for each setup and write a script
> that copies the correct set to /etc/shorewall then restarts shorewall.
> Have the script start when an interface goes up.

That's a darned good idea. For hotels and such, I could start the
interface with some fairly stout (read paranoid) settings as well.

Any others out there?

Regards,
Klein
 
11-21-2007, 03:29 PM
Patter

Laptop Firewalling

On Wed, 21 Nov 2007 14:40:21 +0100, Douglas A. Tutty wrote:
> You could create a set of config files for each setup and write a script
> that copies the correct set to /etc/shorewall then restarts shorewall.
> Have the script start when an interface goes up.

Though a decent connection-tracking 'allow anything outbound, nothing
new inbound' policy without any interface or IP matching should be a
good starting point, unless you run services on your laptop.

--
Stephen Patterson :: steve@patter.mine.nu :: http://patter.mine.nu/
GPG: B416F0DE :: Jabber: patter@jabber.earth.li
"Don't be silly, Minnie. Who'd be walking round these cliffs with a gas oven?"
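
Added example, not part of Stephen's message: the 'allow anything outbound, nothing new inbound' policy written as a generator for iptables-restore / ip6tables-restore input, with optional inbound TCP ports for laptops that do run services. No physical interface is named, so the same rules hold on eth0, eth2/wlan0 and ppp0; the function name, the use of the conntrack match and the ICMPv6 rule are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the thread).
# usage: gen_rules 4|6 [tcp-port ...]
#   gen_rules 4 22 | iptables-restore      # port 22 is a constructed sample
#   gen_rules 6 22 | ip6tables-restore
gen_rules() {
    fam=$1
    shift
    case "$fam" in
        4|6) ;;
        *) echo "family must be 4 or 6" >&2; return 1 ;;
    esac
    # Validate every port before printing anything, so a bad argument
    # never yields a partial ruleset.
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || {
            echo "bad port: $p" >&2; return 1; }
    done
    # Default-deny inbound and forwarded traffic, allow all outbound.
    # Replies to connections the laptop opened are accepted by state;
    # loopback is the only interface matched by name.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # IPv6 depends on ICMPv6 (neighbour discovery, router advertisements);
    # dropping it inbound breaks connectivity.
    if [ "$fam" = 6 ]; then
        echo "-A INPUT -p ipv6-icmp -j ACCEPT"
    fi
    # Services are opened explicitly, one NEW-connection rule per port.
    for p in "$@"; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo COMMIT
}
```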


 
11-21-2007, 04:40 PM
Klein Moebius

Laptop Firewalling

* Patter <steve@patter.mine.nu> [2007-11-21 16:29:11 +0000]:

> unless you run services on your laptop.
>

I do. Which moves me to monitor first, then allow services while taking
appropriate precautions with custom rules in new environments...

Regards,
Klein.
 
11-21-2007, 08:08 PM
Amit Uttamchandani

Laptop Firewalling

>
> I use firestarter as well on my etch laptop. One problem I have is that
> I have to manually reconfigure firestarter to switch from cable (eth0)
> to wireless (eth2). How did you solve this problem?
>
> If you just configure it once, say for eth0, it will simply ignore all
> the traffic on eth2 (IIUC), if you happen to later use eth2 without
> reconfiguration of firestarter. I guess one could write a script to
> automate this, but you should be aware of the problem.
>
> Johannes
>

Really? I actually never thought of that. Because right now I am only using a wireless connection. Now that you have mentioned it, I have never ever used a wired connection with this laptop. I was unaware of this issue. I guess I will have to look at it in more detail.

Thanks for mentioning this.


Amit


 
11-23-2007, 11:17 AM
Chris Davies

Laptop Firewalling

Someone wrote:
> Being on the road a lot with my trusted lappy, I'd like to get
> suggestions on the best solution for an iptables based firewall that
> needs to be easily reconfigurable for wireless, ethernet cable, and ppp.
> I should be able to apply rules on the fly using tools such as wireshark
> to identify mac address exclusions, etc, and hopefully would be ipv6
> capable. Any ideas?

Shorewall works for me. I have two network interfaces (eth0/wlan0) and
two frequent networks (home/work), as well as the usual collection of
other wired and wireless LANs.

Chris


 
