# Gentoo firewall.

## Mr. Hahn

What is a good firewall program I can merge in Gentoo? I will be running this system on a college LAN and I'm just trying to be safe (I go to a rather technically inclined institute, so there are plenty of people that know a lot more than me about programming and Unix). I'm just not sure how well the network is monitored for this sort of thing by the security people.

----------

## jeffrice

Try this one: pretty secure as far as I know and easy to set up.

http://monmotha.mplug.org/firewall/index.php

----------

## ronmon

I use shorewall and like it a lot. It's in portage so you can emerge it. Configuring it by editing the config files is pretty easy, but you can also use webmin.

----------

## Mr. Hahn

forgot to mention, I am planning on running an ssh, apache, and possibly an ftp server (and maybe even samba too if I can get the server and not just the client part working). I just don't want these to make me too vulnerable. 

Also just a quick question. I'm trying to figure out how to tunnel VNC through ssh, and I was wondering if it is too much slower than regular unencrypted VNC. That is all.

----------

## Mr. Hahn

oh yeah, this won't be a dedicated firewall, just my regular home PC. Just happens to make a damn good server too.

----------

## aljeux

After trying several solutions, I chose firestarter; it has a very simple & nice GUI.

```
*  net-firewall/firestarter

      Latest version available: 0.9.2

      Latest version installed: 0.9.2

      Size of downloaded files: 674 kB

      Homepage:    http://firestarter.sf.net

      Description: GUI for iptables firewall setup and monitor.
```

Hope that helps,

Alain.

----------

## sindre

I've had good luck with guarddog. It's QT-based and in portage.

----------

## Mr. Hahn

GUI based would definitely be preferred. This is just one of those things I want to get working and not have to worry about for a while, if you know what I mean.

----------

## shimage

shorewall is really nice, and though it does not have a gui, I thought it was a breeze to set up. Just follow the directions on the developers' website.

----------

## Jimbow

I use rc.firewall: http://projectfiles.com/firewall/ . It is a single 2000-line bash script. My configuration consisted of a single line:

```
 PERMIT="80/tcp 25/tcp 20-22/tcp 873/tcp"
```

All other ports were put into "stealth" mode. You can do much more complicated things with it if you would like. It's been around the block and used by a lot of people so I think it is very safe.
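To make the idea behind that one-line configuration concrete, here is an added example (not rc.firewall's own code, and not how that script is implemented) that turns a PERMIT-style allow list into an explicit, reviewable list of iptables commands: loopback and already-established traffic are accepted, the listed ports are opened, and everything else hits a DROP policy, which is what "stealth" means in practice (no RST or ICMP reply). The interface name `eth0` and the `PERMIT` value are constructed assumptions. The commands are returned as strings rather than executed, so the rule set can be checked before it is applied.

```python
"""Generate iptables commands from an rc.firewall-style PERMIT list.

Added example: mimics only the idea in the post above (open the listed
ports, silently DROP everything else). It is not rc.firewall's own code.
"""

# Constructed PERMIT line in the same "port[-port]/proto ..." format as the post.
PERMIT = "80/tcp 25/tcp 20-22/tcp 873/tcp"


def parse_permit(permit):
    """Parse "80/tcp 20-22/tcp 53/udp" into (proto, first, last) tuples.

    Malformed entries raise instead of silently opening the wrong port.
    """
    rules = []
    for entry in permit.split():
        try:
            ports, proto = entry.split("/")
        except ValueError:
            raise ValueError(f"bad PERMIT entry {entry!r}: expected port[-port]/proto")
        if proto not in ("tcp", "udp"):
            raise ValueError(f"bad protocol in {entry!r}")
        first, _, last = ports.partition("-")
        first = int(first)
        last = int(last) if last else first
        if not (1 <= first <= last <= 65535):
            raise ValueError(f"bad port range in {entry!r}")
        rules.append((proto, first, last))
    return rules


def build_rules(permit, iface="eth0"):
    """Return iptables commands for a default-deny INPUT chain.

    Unlisted ports are DROPped (no reply at all), i.e. the post's "stealth"
    mode. Related/established traffic is allowed so outgoing connections
    still get their replies. `iface` is an assumed interface name.
    """
    cmds = [
        "iptables -P INPUT DROP",                       # default: drop silently
        "iptables -F INPUT",                            # start from a clean chain
        "iptables -A INPUT -i lo -j ACCEPT",            # local processes talk freely
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for proto, first, last in parse_permit(permit):
        dport = str(first) if first == last else f"{first}:{last}"  # iptables range syntax
        cmds.append(
            f"iptables -A INPUT -i {iface} -p {proto} --dport {dport} "
            f"-m state --state NEW -j ACCEPT"
        )
    return cmds


if __name__ == "__main__":
    for cmd in build_rules(PERMIT):
        print(cmd)
```

Run it to see the generated rules; nothing is applied unless you pipe the output into a root shell yourself, which is the point: a port that is not in PERMIT never gets an ACCEPT rule, so it falls through to the DROP policy.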

----------

## sschlueter

*Mr. Hahn wrote:*

> forgot to mention, I am planning on running an ssh, apache, and possibly an ftp server (and maybe even samba too if I can get the server and not just the client part working). I just don't want these to make me too vulnerable.

iptables can't help you in this case. If you want to run these services, ports 22, 80, 21 and 137-139 must be reachable. If any of these services has a bug that allows an intruder to take over your machine, there's nothing that iptables can do to help you.

So make sure that you have no other listening ports apart from these, i.e. run exactly the services that you want to run, not more. Configure these services in a safe way and as restrictive as possible without losing important functionality and watch out for security vulnerabilities and patch/update your system fast.

----------

## Mr. Hahn

hmm I think I may just keep it down to ssh and apache.

May just use firestarter, and maybe shorewall.

*Last edited by Mr. Hahn on Wed Jul 30, 2003 1:31 pm; edited 1 time in total*

----------

## Mr. Hahn

I'm gonna nmap my box and see what ports are open. Should be only 22 for ssh, I remember doing it before and there was a port for X11... Is that just for forwarding X? Thought that was done through an ssh tunnel. Then again I might not be remembering correctly. I don't have apache installed yet.

----------

## sschlueter

*Mr. Hahn wrote:*

> I'm gonna nmap my box and see what ports are open.

You can simply use `netstat -tulpn`.

If you get an entry like

```
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      964/cupsd
```

then the service is not accessible from the outside because the socket is bound to 127.0.0.1 but these services

```
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      1313/smbd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1673/pure-ftpd (SER
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1346/sshd
```

are accessible from the outside.

*Mr. Hahn wrote:*

> Should be only 22 for ssh, I remember doing it before and there was a port for X11...

You should start the X Server without listening port. You can do this by adding "-nolisten tcp" to the arguments. The location of the file you have to edit depends on how you start the X server. I use kdm for example and would have to edit /usr/kde/3.1/share/config/kdm/Xservers (I guess). BTW, ssh X11 forwarding will still work if you disable the listening port.

If you configure your system this way (that there are only the listening ports that are absolutely needed), you won't need any iptables rules.
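The check sschlueter describes (a socket bound to 127.0.0.1 is local-only, one bound to 0.0.0.0 is reachable from the network) is easy to apply by eye on a short listing, but it is worth automating so it can be re-run after every change. The following is an added example, not code from the post or from net-tools: it parses `netstat -tulpn` output, and goes a little beyond the post by also handling UDP sockets and the IPv6 forms (`::1` local-only, `::` wildcard). The sample output is constructed from the three lines quoted above plus a loopback CUPS socket, an X server on 6000 (the X11 port Mr. Hahn remembered), and an IPv6 Apache line; `netstat` truncates long program names, as in `pure-ftpd (SER`, and the parser keeps whatever it is given.

```python
"""Classify `netstat -tulpn` listening sockets by where they can be reached from.

Added example, not from the post above. Rule applied: a socket bound to a
loopback address (127.0.0.1 or ::1) is local-only; anything else (0.0.0.0,
::, or a real interface address) is reachable from the network.
"""
import re

# Constructed netstat output: header lines, the post's three sample lines, a
# loopback CUPS socket, an X server on 6000, an IPv6 Apache socket and a UDP
# socket. The "(SER" fragment is a program name truncated by netstat itself.
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      964/cupsd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      1313/smbd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1673/pure-ftpd (SER
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1346/sshd
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1200/X
tcp6       0      0 :::80                   :::*                    LISTEN      2001/apache2
udp        0      0 0.0.0.0:137             0.0.0.0:*                           1313/nmbd
"""

LOCAL_ONLY = {"127.0.0.1", "::1"}

# proto, Recv-Q, Send-Q, local address, foreign address, optional LISTEN (UDP
# has no state column), then the PID/program field, which may contain spaces.
LINE_RE = re.compile(
    r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+(?:LISTEN\s+)?(\S.*)$"
)


def parse_netstat(text):
    """Yield (proto, bind_addr, port, program) for each socket line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or otherwise unrelated line
        proto, local, program = m.groups()
        # rpartition on the last ':' copes with IPv6 forms such as ":::80"
        addr, _, port = local.rpartition(":")
        yield proto, addr, int(port), program.strip()


def externally_reachable(text):
    """Return sorted (port, proto, program) for sockets not bound to loopback."""
    found = set()
    for proto, addr, port, program in parse_netstat(text):
        if addr not in LOCAL_ONLY:
            found.add((port, proto, program))
    return sorted(found)


if __name__ == "__main__":
    # On a real box: netstat -tulpn | python3 thisfile.py  (reads stdin instead)
    import sys
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for port, proto, program in externally_reachable(text):
        print(f"{proto:5} {port:5}  {program}")
```

On the constructed sample the report lists smbd, pure-ftpd, sshd, X, apache2 and nmbd and omits cupsd; an X server showing up on 6000 is exactly the case the `-nolisten tcp` advice above removes, and ssh X11 forwarding keeps working without it.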

----------

## pjp

Moved from Other Things Gentoo.

----------

## Mr. Hahn

*pjp wrote:*

> Moved from Other Things Gentoo.

Thanks

----------

## Mr. Hahn

Yeah so I was told by a friend at work to compile netfilter into the kernel and set up other things I need in the kernel, and that it is very secure and all I really need.

----------

## Mr. Hahn

hmm I was told that netfilter was a kernel option. I can't find it, where is it?

----------

## Cicero

```
Networking options  --->
    [*] Network packet filtering (replaces ipchains)
    IP: Netfilter Configuration  --->
        <M> IP tables support (required for filtering/masq/NAT)
```

Compile all the modules you might want to use in your firewall: connection tracking, and the various types of packet matching support for iptables rules.

----------

## To

If you use shorewall and its guide, it has a part about where to reach the modules and which ones you need.

Tó

----------

## ronmon

No matter what you use to configure your firewall / routing, the iptables modules must be available.

What I do is make every module that is listed except for those labeled EXPERIMENTAL, ipchains, ipfwadmin and NAT of local connections. So whatever is called for by the startup scripts can be loaded on demand.

Works for me :)

----------

## lordstanley

*ronmon wrote:*

> I use shorewall and like it a lot. It's in portage so you can emerge it. Configuring it by editing the config files is pretty easy, but you can also use webmin.

ronmon, you mention "webmin". Is that a web-based admin tool for configuring shorewall? Or am I missing something? Thanks.

----------

## redshift

I recommend FireHOL.

Guarddog is good if you use KDE.

----------

