Old 07-04-2012, 08:48 AM
"Weaver"
 
Default firewall

> Hi,
>
> I don't know which firewall (http://wiki.debian.org/Firewalls) I should
> choose.

APF (Advanced Policy Firewall)
>
> Thanks ahead for recommendation, and it will be very nice if you tell
> me why you recommend this one.

Easy to configure and comprehensively used by many ISPs.
Other reasons are best summed up here:

http://www.rfxn.com/projects/advanced-policy-firewall/

Regards,

Weaver

--


Religion is regarded by the common people as true,
by the wise as false,
and by the rulers as useful.

— Lucius Annæus Seneca.

Terrorism, the new religion.



--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/df6f984ff0bbee4965f2835ad4c4f4e3.squirrel@fulvetta.riseup.net
 
Old 07-04-2012, 09:22 AM
Atıf CEYLAN
 
Default firewall

On Wed, 2012-07-04 at 11:19 +0800, lina wrote:
> Hi,
>
> I don't know which firewall (http://wiki.debian.org/Firewalls) I should choose.
>
> Thanks ahead for recommendation, and it will be very nice if you tell
> me why you recommend this one.
>
> Best regards,
>
>

I think you don't need anything other than iptables. You should learn
iptables if you want to use Linux as a firewall. But my suggestion is PF
on BSD. PF is a very powerful stateful firewall. I use PF on FreeBSD and
I see 1-2 million states at attack times. Also my firewall's CPU and
memory usage shows as very low (I have 1 CPU and 4GB memory).

If you want an easier solution than PF+BSD you can use pfSense.
pfSense is a web-based management tool for PF on FreeBSD. You must do some
settings manually on the terminal, but I think pfSense is a better solution
for you.
--
M.Atıf CEYLAN


Archive: http://lists.debian.org/1341393750.3632.54.camel@debian
 
Old 07-04-2012, 09:45 AM
Muhammad Yousuf Khan
 
Default firewall

On Wed, Jul 4, 2012 at 1:16 PM, Ralf Mardorf <ralf.mardorf@alice-dsl.net> wrote:
> On Wed, 2012-07-04 at 12:46 +0500, Muhammad Yousuf Khan wrote:
>> Web base Firewall (IPCOP) very powerful with the addon called BOT
>> (block out traffice) base on IPtables.
>
> I don't care, but I'm certain that I know some guys (no women) who
> recommend IPCOP too, for good reasons. At least for my usage it's
> overdosed. Believing does ... Wow, there's no shortcut for my "new
> needs" so simply believe the hype.
>

IPCop is a SOHO firewall, with squid, iptables, snort, openvpn and
all the other useful stuff.
BTW, due to the GUI limitations I am also moving towards a more CLI-based
setup; that's why I joined the Debian list. But I am sure that for beginners
like lina who want to use some open source stuff it is quite a good option.
There are several other firewalls like pfSense, m0n0wall, Untangle, etc.,
but I found IPCop easier to configure.


Archive: http://lists.debian.org/CAGWVfMkt5oQ2STy6g4LHWD2DvoeLpJscy__-YAwOjW6YAp5nfg@mail.gmail.com
 
Old 07-04-2012, 12:21 PM
Eike Lantzsch
 
Default firewall

OK, I see that this might be flamebait ...

On Tuesday 03 July 2012 23:19:06 lina wrote:
> Hi,
>
> I don't know which firewall (http://wiki.debian.org/Firewalls) I should
> choose.
>
> Thanks ahead for recommendation, and it will be very nice if you tell
> me why you recommend this one.
>
> Best regards,

It seems that you want a firewall on the computer which you are working with.
As regards closing unnecessary ports or limiting them to localhost, Joe
gave good advice already.

Some may call me a security paranoid and a control freak but ...

I'm afraid that learning about IPtables is necessary before one is able to
appreciate what the higher layer of administration s/w does to it.
A firewall frontend may deceive you into thinking that you have full control
over the firewall while it does things that the frontend developer THINKS you
want - but do you?
e.g. For some years I was using Webmin to maintain my servers until it did
atrocious things to my Samba configuration. Now I'm a lot more wary and double
check against the config files. Backups and etckeeper (using git) help to
avoid catastrophes.

I personally do not think much of firewalls which reside on the same machine
which I want to protect. I'd choose an older PC to play with and install
OpenBSD on it. Then set up a firewall - you might even have a look at a
bridging firewall if you want to make it invisible to the network. As long as
you have keyboard and screen access to the machine you won't need a third
network port for maintenance, although it comes in handy for upgrades.

http://www.openbsd.org/faq/faq6.html#Bridge
http://bio3d.colorado.edu/tor/sadocs/tcpip/bridge.html#what%20is%20a%20bridging%20firewall
see also: Firewalling with OpenBSD’s PF packet filter
Peter N. M. Hansteen
To get started with OpenBSD
"Secure Architectures With OpenBSD" by Palmer and Nazario

The OpenBSD documentation is excellent and very helpful. Later when everything
is working as planned and if I'm tight on office space I'd get one of those
Soekris boxes or similar and install my firewall there. Then you can tuck it
safely under your desk.

I once tried out a GUI to handle my OpenBSD firewall but gave it up and I do
prefer editing the pf.conf file with vim.

I installed Denyhosts on the firewall as well. There is no OpenBSD port for it
but setup is easy with the Denyhosts documentation.
It is quite funny to see all the attempts to break into your box on port 22.
Changing SSH to another port quiets this immediately.

Kind regards
Eike


Archive: http://lists.debian.org/201207040821.10855.zp6cge@gmx.net
 
Old 07-04-2012, 02:16 PM
Jon Dowland
 
Default firewall

On Wed, Jul 04, 2012 at 10:53:00AM +0300, Lars Noodn wrote:
> On 7/4/12 10:46 AM, Muhammad Yousuf Khan wrote:
> > Web base Firewall (IPCOP) very powerful with the addon called BOT
> > (block out traffice) base on IPtables.
>
> In some ways it's easier just to work with IPtables directly.

Except on Debian you are required to do a fair amount of work to make
your rules persistent across reboots and ensure you get ordering right
to not lock yourself out of the box (if remote): all problems that
do not exist if you install and use ufw.


Archive: http://lists.debian.org/20120704141610.GA10717@debian
 
Old 07-04-2012, 02:20 PM
lina
 
Default firewall

Hi,

Following the instructions from http://wiki.debian.org/iptables

I am kind of "running" iptables now? (Perhaps I understand wrong;
corrections welcome.)

One thing a bit unexpected (to me) is that there is continuously
scrolling info as follows:

Jul 4 22:18:07 Debian dhclient: DHCPREQUEST on eth0 to 172.21.4.192 port 67
Jul 4 22:18:10 Debian kernel: [42251.607781] --log-prefixIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:1b:78:4a:c7:5f:08:00 SRC=172.21.51.33
DST=255.255.255.255 LEN=149 TOS=0x00 PREC=0x00 TTL=127 ID=0 DF
PROTO=UDP SPT=43619 DPT=17500 LEN=129
Jul 4 22:18:23 Debian kernel: [42264.062275] --log-prefixIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:26:55:e3:4e:29:08:00 SRC=172.21.48.111
DST=172.21.51.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=11802 PROTO=UDP
SPT=137 DPT=137 LEN=58

Is it normal? or I set something wrong? Here is the output of the iptables -L

c# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere loopback/8
reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere state
NEW tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere icmp echo-request
LOG all -- anywhere anywhere limit:
avg 5/min burst 5 LOG level debug prefix "--log-prefix"
REJECT all -- anywhere anywhere
reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere
reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Thanks ahead for your suggestions,

Best regards,


Archive: http://lists.debian.org/CAG9cJmnRjvgoe0QYwYXhM86mB4LSuNfh2m7O4v1X4Myq=TPskA@mail.gmail.com
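As an added example (not part of the thread, and not from the Debian wiki), the following Python script parses netfilter LOG lines like the ones quoted in the post above and separates LAN broadcast chatter (UDP 17500 is commonly Dropbox LAN sync discovery, UDP 137 is NetBIOS name service) from packets addressed to the host itself. It assumes the LAN is 172.21.48.0/22 (so 172.21.51.255 is the subnet broadcast) and treats whatever precedes "IN=" as the rule's log prefix, which in the output above is literally "--log-prefix"; the last sample line, a TCP SYN to port 23, is constructed to show what a directed packet looks like.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample modelled on the lines quoted in the post above; the last
# line (a TCP SYN to port 23) is added to show a packet addressed to the host.
SAMPLE_LOG = """\
Jul 4 22:18:07 Debian dhclient: DHCPREQUEST on eth0 to 172.21.4.192 port 67
Jul 4 22:18:10 Debian kernel: [42251.607781] --log-prefixIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1b:78:4a:c7:5f:08:00 SRC=172.21.51.33 DST=255.255.255.255 LEN=149 TOS=0x00 PREC=0x00 TTL=127 ID=0 DF PROTO=UDP SPT=43619 DPT=17500 LEN=129
Jul 4 22:18:23 Debian kernel: [42264.062275] --log-prefixIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:26:55:e3:4e:29:08:00 SRC=172.21.48.111 DST=172.21.51.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=11802 PROTO=UDP SPT=137 DPT=137 LEN=58
Jul 4 22:19:01 Debian kernel: [42302.100000] --log-prefixIN=eth0 OUT= MAC=00:11:22:33:44:55:00:26:55:e3:4e:29:08:00 SRC=172.21.48.111 DST=172.21.51.40 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# Assumption: the LAN is 172.21.48.0/22, so 172.21.51.255 is its broadcast address.
LOCAL_NET = ipaddress.ip_network("172.21.48.0/22")
KERNEL_RE = re.compile(r"kernel: \[\s*[\d.]+\] (?P<rest>.*)")

def parse_line(line):
    """Return a record for one netfilter LOG line, or None for any other line."""
    m = KERNEL_RE.search(line)
    if not m or "IN=" not in m.group("rest"):
        return None
    rest = m.group("rest")
    cut = rest.index("IN=")              # the log prefix is whatever precedes IN=
    fields, flags = {}, set()
    for tok in rest[cut:].split():
        key, sep, val = tok.partition("=")
        if sep:
            fields.setdefault(key, val)  # first LEN is the IP length, not the UDP one
        else:
            flags.add(tok)               # bare tokens such as DF or SYN
    return {"prefix": rest[:cut], "fields": fields, "flags": flags}

def classify_dst(dst, net=LOCAL_NET):
    """Limited/subnet broadcast and multicast are LAN chatter; unicast is aimed at us."""
    addr = ipaddress.ip_address(dst)
    if addr == ipaddress.ip_address("255.255.255.255") or addr == net.broadcast_address:
        return "broadcast"
    return "multicast" if addr.is_multicast else "unicast"

def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def summarize(records):
    """Count packets by (kind, PROTO, DPT) so directed traffic stands out from noise."""
    counts = Counter()
    for r in records:
        f = r["fields"]
        counts[(classify_dst(f["DST"]), f.get("PROTO", "?"), f.get("DPT", "-"))] += 1
    return counts

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (kind, proto, dpt), n in sorted(summarize(recs).items()):
        print(f"{n:4d}  {kind:<10} {proto:<4} dpt={dpt}")
```

Run it over /var/log/kern.log (or the journal) instead of the sample: a steady trickle of broadcast entries is the normal LAN background the LOG rule is catching, while unicast entries are the ones worth reading.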
 
Old 07-04-2012, 02:35 PM
lina
 
Default firewall

P.S. Your guys are great.
Sometimes even if I didn't reply item by item, or say thanks one by one, I
read every sentence in the emails, many times more than once.
So please kindly realize that your suggestions are very valuable and
highly appreciated (most of the time silently).
BTW, I didn't realize there is a etckeeper before. just installed. And
for iptables I have spent 5 hours on it based on the suggestions.

Thanks again.

Best regards,


Archive: http://lists.debian.org/CAG9cJmm10vYHujOUvJ=GyDWb5OFN4nQQxJ==Tj6mcRQWEj6utg@mail.gmail.com
 
Old 07-04-2012, 04:14 PM
Brad Alexander
 
Default firewall

On Wed, Jul 4, 2012 at 2:15 AM, Ralf Mardorf <ralf.mardorf@alice-dsl.net> wrote:
> On Wed, 2012-07-04 at 11:19 +0800, lina wrote:
>> Hi,
>>
>> I don't know which firewall (http://wiki.debian.org/Firewalls) I should choose.
>>
>> Thanks ahead for recommendation, and it will be very nice if you tell
>> me why you recommend this one.
>
> To answer drily: Test them and report what firewall does protect you the
> best against no attacks. Linux for home usage was safe, is safe, will be
> safe. Yes, it's safe regarding to things I criticize. I don't criticize
> protection per se, I only worry about toooo much security for nothing.

I disagree. It's about defense in depth. Because what happens if you
get a piece of bad software that opens a vulnerability? And yes, that
could happen to a home Linux user as easily as a corporate one, since
they are using the same update mechanisms. In fact, I would posit that
a home user could be at *more* risk, since, in theory, a corporate
user would be limited in the amount and types of software
installed...Corporate server vs home workstation.

So a piece of bad software gets introduced into the repos. It could
happen...And having a firewall in place (an external firewall would
have the advantage of not being able to be turned off by said
malware).

So it comes down to where the line between "protection" and "too
much". Which means it comes down to the following two questions. "What
are you trying to protect?" and "Who are you trying to defend
against?" For a home user, the obvious answer, like with corporate
users is "your data." Consider what that data consists of. Personal
documents, banking information, pictures, etc, would all be valid
types of data. The types of data may be different, but the exercise of
protecting it would be the same as a corporate user.

Now as for the second question, who are you trying to defend against,
let's look at the windows world. You have people taking over boxes,
using them in botnets, stealing information, a whole niche market for
antivirus and antimalware products. IMHO, there are three things that
keep us from being in a similar situation. First, Linux users are
generally more savvy than Windows users (and less arrogant than Mac
users ); second, Linux has a higher bar for base security. Use of a
firewall, IDS, reading your logs only enhances that. But the fact that
the bar is higher doesn't mean it's insurmountable. The third reason we
are not in the same boat as Windows is that we have a much smaller
attack surface than Windows. Windows still has over 90% penetration on
the desktop; therefore, they are the low hanging fruit.

This doesn't mean that we will never be in that boat, and only
vigilance will keep us out of it.

Just my 2 cents.
--b


Archive: http://lists.debian.org/CAKmZw+Y+HV9dq2+v_d4PsYRN9fLa+JHt_Yu6P-oEMAaZOX7c5w@mail.gmail.com
 
Old 07-04-2012, 05:11 PM
Lisi
 
Default firewall

On Wednesday 04 July 2012 17:14:29 Brad Alexander wrote:
> The third reason we
> are not in the same boat as windows is that we have a much smaller
> attack surface than Windows. Windows still has over 90% penetration on
> the desktop, Therefore, they are the low hanging fruit.

How, then, do you explain the fact that Windows servers, which have a
penetration of less than 50%, suffer on the Internet as do Windows home
users, whilst Unix and family servers, which have over 50% penetration, still
suffer from _far_ less malware?

Lisi


Archive: http://lists.debian.org/201207041811.14505.lisi.reisz@gmail.com
 
Old 07-04-2012, 07:46 PM
Joe
 
Default firewall

On Wed, 4 Jul 2012 18:11:14 +0100
Lisi <lisi.reisz@gmail.com> wrote:

> On Wednesday 04 July 2012 17:14:29 Brad Alexander wrote:
> > The third reason we
> > are not in the same boat as windows is that we have a much smaller
> > attack surface than Windows. Windows still has over 90% penetration
> > on the desktop, Therefore, they are the low hanging fruit.
>
> How, then, do you explain the fact that Windows servers, which have a
> penetration of less than 50%, suffer on the Internet as do Windows
> home users, whilst Unix and family servers, which have over 50%
> penetration, still suffer from _far_ less malware?
>

All kinds of reasons, beginning with the fact that most malware
designed for Windows desktops works just fine on the servers, too,
though I think most servers are somewhat better protected than a home
PC. People don't sit in front of them and surf the Web, for one thing
(at least not in sensible companies).

But while there are excellent Windows admins, the fact is that it is a
point-and-click environment, with qualifications obtainable from exams
marked by computer, and hence multiple-choice. I'm not suggesting the
exams are trivial, but by their nature they ask go-nogo questions, and
the questions are mostly based on operating the Windows dialogue boxes.

Microsoft has made its billions by making computers relatively easy to
use, so you can go a long way as a junior admin or consultant by just
knowing the right box to tick. There is a relatively small amount you
can do wrong.

I'm not just guessing here: I started in network admin by being given a
small NT4 network to look after. I didn't install the server, and
occasionally had to call in the company who did, but I bought the
appropriate set of MS books with a view to going for the MCSE. That
never happened, but I got fairly familiar with what was in the books
and I could sort out most problems. I built a second PC at home and
installed NT server and workstation software multi-booting with my
production Win95 and Win98.

Then I discovered Linux, at about Red Hat 5 if I remember rightly (long
before RHEL and Fedora), and learned a great deal more about computer
and network admin in a couple of months than I had in about two years
of practical NT admin, having in that time learned what I estimated was
most of the knowledge necessary for the NT4 MCSE. What was a little
disturbing was that after a fairly short exposure to Linux, I now
*understood* a lot more about what I had been doing by rote with NT,
and that understanding was *not* required by the MCSE exam.

The bottom line is that Linux is significantly harder to drive than
Windows (and I've dabbled with Server 2000, 2003 and 2008, and a few
Red Hats, Mandrakes and Debians) and the admins are likely to know
more about what they're actually doing, because they need to.

On the other hand, a lot more Linux knowledge is transferable, because
Linux developers don't have to sell new versions every few years.
Windows doesn't actually change all that much between versions, but the
GUI and in particular the GUI paradigms (I hate that word, but it is
the right one for the mix of views and concepts that MS use to overlay
the prosaic world of IP addresses and daemons) must change noticeably
to convince buyers they're getting something better. So Windows admins
have to learn a different method of access to many configurations with
each version, getting further and further away from the nuts and
bolts, and Linux admins just need to keep track of what has now
migrated into /etc/default, or that a big configuration file is now
split into many smaller ones.

The current limit is reached with MS Small Business Server, which aims
to be a full-featured server for people who know no IT whatever. It's
very limited compared to the full Server version, because almost
everything is hard-coded. There are a lot of these about now, and
some of the people who own them do some extremely stupid things with
them...

--
Joe


Archive: http://lists.debian.org/20120704204605.22653fec@jretrading.com
 