Old 03-24-2012, 06:32 AM
Camaleón
 
Default simple stand-alone firewall

On Sat, 24 Mar 2012 07:02:42 +0000, Russell L. Harris wrote:

> From the standpoint of protection of a LAN (two or three machines) for
> a home or home office, how effective is a firmware-based firewall/router
> in comparison with a software-based stand-alone firewall/router?

I'd say even the SPI and firewall capabilities of most home/soho DSL
routers will be enough for that environment.

> Is either significantly better than the other?

That will depend on the appliance.

> I am thinking in terms of devoting an old computer (200 MHz Pentium) to
> the task of firewall/router. In years past (back in the dark epoch when
> I was running Window$), I discovered SmoothWall while struggling with a
> DSL line with PPPoE.
>
> After downloading a small CD ISO image from the SmoothWall web site, it
> took me less than an hour to install and configure SmoothWall. With
> SmoothWall, it was not necessary for the user to study the subject of
> firewall configuration -- the default SmoothWall configuration was
> perfectly adequate for most users.
>
> I quit using SmoothWall several years ago, when a friend gave me a
> firmware firewall/router and convinced me that I ought to make the
> transition, simply for the economy in terms of desktop space and
> electricity. And I no longer have the curse of PPPoE.
>
> But now I think that it might be prudent to return to a devoted machine
> and software, and I would much prefer to use a Debian package instead of
> SmoothWall.

A dedicated machine managed by a complete OS and iptables is usually
better than anything, when it comes to security, of course. The problem
is that you have to waste power, space and time to configure it properly.

> Is there a good firewall application in Debian which provides a secure
> default configuration? Or must I learn how to configure a firewall?

You must learn how to configure a firewall, but there are some tools that can
help you with the task:

http://wiki.debian.org/Firewalls

Greetings,

--
Camaleón


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/jkjt9p$7bd$3@dough.gmane.org
 
Old 03-24-2012, 06:39 AM
Mika Suomalainen
 
Default simple stand-alone firewall


Hi,

I use UFW as firewall on all computers at home. It's very easy to
configure.

UFW (package ufw) can be found from Debian repositories. For
documentation see https://help.ubuntu.com/community/UFW . There is
also graphical user interface called GUFW (package gufw).

On 24.03.2012 09:02, Russell L. Harris wrote:
> From the standpoint of protection of a LAN (two or three
> machines) for
> a home or home office, how effective is a firmware-based
> firewall/router in comparison with a software-based stand-alone
> firewall/router? Is either significantly better than the other?
>
> I am thinking in terms of devoting an old computer (200 MHz
> Pentium) to the task of firewall/router. In years past (back in
> the dark epoch when I was running Window$), I discovered SmoothWall
> while struggling with a DSL line with PPPoE.
>
> After downloading a small CD ISO image from the SmoothWall web
> site, it took me less than an hour to install and configure
> SmoothWall. With SmoothWall, it was not necessary for the user to
> study the subject of firewall configuration -- the default
> SmoothWall configuration was perfectly adequate for most users.
>
> I quit using SmoothWall several years ago, when a friend gave me a
> firmware firewall/router and convinced me that I ought to make the
> transition, simply for the economy in terms of desktop space and
> electricity. And I no longer have the curse of PPPoE.
>
> But now I think that it might be prudent to return to a devoted
> machine and software, and I would much prefer to use a Debian
> package instead of SmoothWall.
>
> Is there a good firewall application in Debian which provides a
> secure default configuration? Or must I learn how to configure a
> firewall?
>
> RLH
>
>

--
Mika Suomalainen
> gpg --keyserver keyserver.ubuntu.com --recv-keys 62FE66853913CB03
> Key fingerprint = ED5E 7C98 4489 7058 CDA9 9A55 62FE 6685 3913
> CB03

>> Are you seeing weird character mess on bottom of this email?
>>> Or are you seeing weird .sig files in attachments?
>>>> If the answer is yes, follow these steps:
>>>>> 1. Install GPG.
>>>>>> For Linux: see package management of your distribution.
>>>>>> For Mac OS X: http://gpgtools.org/ For Windows:
>>>>>> http://gpg4win.org/
>>>>> 2. Install GPG compatible email client. E.g. Thunderbird
>>>>>> http://mozilla.org/thunderbird/
>>>>> 3. Install GPG support for Thunderbird
>>>>>> http://enigmail.mozdev.org/home/index.php.html


Archive: http://lists.debian.org/4F6D7A3D.80709@gmail.com
 
Old 03-24-2012, 11:17 AM
Chris Davies
 
Default simple stand-alone firewall

Russell L. Harris <rlharris@broadcaster.org> wrote:
> From the standpoint of protection of a LAN (two or three machines)
> for a home or home office, how effective is a firmware-based
> firewall/router in comparison with a software-based stand-alone
> firewall/router? Is either significantly better than the other?

Firmware based will probably be on a lower-powered device - and therefore
more energy friendly. You should be able to get one that is sufficiently
sophisticated to handle pretty much all your SoHo needs.


> I am thinking in terms of devoting an old computer (200 MHz Pentium)
> to the task of firewall/router.

Plenty sufficient.


> Is there a good firewall application in Debian which provides a secure
> default configuration? Or must I learn how to configure a firewall?

I'm not aware of a firewall application that provides a default secure
configuration. (That could be as harsh as "nothing in, nothing out",
or a little more relaxed such as "nothing in, anything out". It depends
on your requirements.)

My preference is shorewall, but that's not GUI based and you do need
to understand firewalls "enough" to make some sensible decisions. I've
tried to use fwbuilder in the past but I couldn't get my head around
how to make the GUI do what I wanted. The shorewall website has some
pretty good worked examples for different scenarios.

A really simple "nothing in, anything out" for an end-point workstation
can be defined like this -

# Erase the rules associated with the INPUT chain
iptables -F INPUT

# Allow in anything that is part of a known connection
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Put other ALLOW rules here
# e.g. inbound to tcp port 80: iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Reject anything else coming in via eth0
iptables -A INPUT -i eth0 -j REJECT

But it gets more complicated if you're going to route from one interface
to another - which is why a "default" ruleset isn't always one that's
going to work. For starters, you need to define which interface is
"external" and which one(s) are "internal".

Chris


Archive: http://lists.debian.org/ekq049x72q.ln2@news.roaima.co.uk
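Chris's point that a ruleset for a box routing between interfaces has to know which side is "external" and which is "internal", as an added example that is not code from this thread or from any of the packages mentioned: a POSIX sh function that prints a "LAN out, nothing new in from the WAN" iptables ruleset so it can be reviewed before being applied. The interface names eth0/eth1 and the choice to let LAN hosts reach the router itself are assumptions; it also shows the ident (113) reset that the later replies discuss, which makes a port prober report that port as "closed" rather than "stealth".

```shell
#!/bin/sh
# Added example, not code from the thread: print an iptables ruleset for a
# two-interface Debian router. Arguments are placeholders:
#   $1 = external (WAN) interface, $2 = internal (LAN) interface.
# Commands are printed, not run, so they can be reviewed and then applied
# with:  gen_router_rules eth0 eth1 | sh
gen_router_rules() {
    ext="$1"; int="$2"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# default deny for traffic to the router and through it; allow outbound
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -F FORWARD
iptables -t nat -F POSTROUTING
# loopback, and replies to connections the router or the LAN started
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may talk to the router itself (DHCP, DNS, ssh to administer it)
iptables -A INPUT -i $int -j ACCEPT
# LAN may go out through the WAN; the FORWARD policy drops anything new inbound
iptables -A FORWARD -i $int -o $ext -j ACCEPT
iptables -t nat -A POSTROUTING -o $ext -j MASQUERADE
# ident: answer with a reset so remote mail/IRC servers do not hang on a
# timeout; a port prober reports this port as "closed" rather than "stealth"
iptables -A INPUT -i $ext -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# everything else arriving from the WAN is silently dropped
iptables -A INPUT -i $ext -j DROP
EOF
}

# number of rules the generated set appends to a given chain (for checks)
count_rules() { gen_router_rules "$1" "$2" | grep -c "^iptables -A $3 "; }

# print the ruleset when run as a script with two interface names
if [ -n "${2:-}" ]; then gen_router_rules "$1" "$2"; fi
```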
 
Old 03-24-2012, 11:27 AM
green
 
Default simple stand-alone firewall

Russell L. Harris wrote at 2012-03-24 02:02 -0500:
> Is there a good firewall application in Debian which provides a secure
> default configuration? Or must I learn how to configure a firewall?

Hopefully you are able to find something simple to use, but if you do learn
how to configure a firewall, I can recommend the ferm package. Ferm is
simple to use after learning a bit about iptables, and much faster than
custom iptables scripts. There is more information and an example script at:
http://wiki.debian.org/ferm
 
Old 03-24-2012, 03:16 PM
Charles Kroeger
 
Default simple stand-alone firewall

> Is there a good firewall application in Debian which provides a secure
> default configuration? Or must I learn how to configure a firewall?

The package 'arno-iptables-firewall' will do that. You will have to tell it
how you're connecting (e.g. eth0), but after that it will configure a
'default' script. It will give you a 'stealth' classification on the grc.com
'shields up' port prober... possibly a false sense of security, but fun to watch.

I use shorewall myself; there are good examples presented with the package on
how to configure the various files. You can use those examples with some
obvious local tweaking and get good results even if you don't know what
you're doing.

You won't get a 'stealth' rating at grc. Shorewall seems to leave port 0
visible but closed. I don't know why this is but would be interested to know
if someone on this list knew the reason.

What is the deal with port 0?

--
CK


Archive: http://lists.debian.org/9t6aa9Fg5rU1@mid.individual.net
 
Old 03-24-2012, 09:18 PM
Steven Jan Springl
 
Default simple stand-alone firewall

On Saturday 24 Mar 2012 16:16:08 Charles Kroeger wrote:
>
> You won't get a 'stealth' rating at grc. Shorewall seems to leave port 0
> visible but closed. I don't know why this is but would be interested to
> know if someone on this list knew the reason.
>
> What is the deal with port 0?

I have just tried grc, and my Shorewall firewall gets a 'stealth' rating.

Steven.


Archive: http://lists.debian.org/201203242218.08365.steven@springl.ukfsn.org
 
Old 03-26-2012, 12:39 PM
Celejar
 
Default simple stand-alone firewall

On Sat, 24 Mar 2012 12:17:50 +0000
Chris Davies <chris-usenet@roaima.co.uk> wrote:

> Russell L. Harris <rlharris@broadcaster.org> wrote:
> > From the standpoint of protection of a LAN (two or three machines)
> > for a home or home office, how effective is a firmware-based
> > firewall/router in comparison with a software-based stand-alone
> > firewall/router? Is either significantly better than the other?
>
> Firmware based will probably be on a lower-powered device - and therefore
> more energy friendly. You should be able to get one that is sufficiently
> sophisticated to handle pretty much all your SoHo needs.

You can get the best of both worlds with an OpenWrt installation on a
firmware-based device: full-blown Linux, fully customizable - you can
install any Linux-based firewall software you want - but with the same
low power consumption and small physical footprint of firmware-based
units.

What you may lose out on, though, is ease of use: the flashing and
configuration can take some getting used to.

Celejar


Archive: http://lists.debian.org/20120326083922.da49b615.celejar@gmail.com
 
Old 03-26-2012, 04:25 PM
Andrei POPESCU
 
Default simple stand-alone firewall

On Sb, 24 mar 12, 11:16:08, Charles Kroeger wrote:
>
> You won't get a 'stealth' rating at grc. Shorewall seems to leave port 0
> visible but closed. I don't know why this is but would be interested to know
> if someone on this list knew the reason.

Port 0? I haven't used Shorewall in a while, but it used to be 113:

http://www1.shorewall.net/FAQ.htm#Openports (FAQ 4)

Hope this helps,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
 
Old 03-27-2012, 03:58 PM
Curt
 
Default simple stand-alone firewall

On 2012-03-24, Charles Kroeger <ckrogrr@frankensteinface.com> wrote:
>
> You won't get a 'stealth' rating at grc. Shorewall seems to leave port 0

That's all hooey anyway, that "stealth" business, as if you're some kind
of combat aircraft over an Iranian nuclear installation or something, a
prospect which must be attractive to the teenaged mind, I guess, but not
to us adults, right?


Archive: http://lists.debian.org/slrnjn3oun.22g.curty@einstein.electron.org
 
Old 03-30-2012, 05:07 PM
"Russell L. Harris"
 
Default simple stand-alone firewall

* Russell L. Harris <rlharris@broadcaster.org> [120324 07:15]:
> From the standpoint of protection of a LAN (two or three machines) for
> a home or home office...
...
> Is there a good firewall application in Debian which provides a secure
> default configuration? Or must I learn how to configure a firewall?

I thank all of you for the response. I have read the various
recommendations and have printed them out for reference.

Meanwhile -- because my need is immediate -- I chose to go with the
IPCop system, which is a branch of SmoothWall GPL, but now appears to
have advanced beyond SmoothWall. IPCop version 2 is very easy to
install and get running, using the default rules.

So now that I have running a replacement for the failed D-Link
DIR-615, I have the leisure to study and consider other approaches.

RLH



Archive: http://lists.debian.org/20120330170712.GC4184@cromwell.tmiaf