# Another which firewall thread [SOLVED ANSW=PLAIN IPTABLES]

## monsm

Hi,

Sorry for asking this question yet again.  I have been using my Gentoo box for a while now without any firewall, so I am thinking it is time to fix that.

My instinct is to get a nice GUI (for GNOME), but I can't find any.  I tried fwbuilder, but don't like it much.  Is there any alternative?

A lot of talk is about Shorewall.  If I can't find a GUI I guess that would be an alternative.  it isn't overkill on a normal desktop is it?

Secondly on Shorewall.  There are 4 packages on portage: shorewall, shorewall-common, shorewall-lite, shorewall-perl, shorewall-shell.

What are all these packages for?  Far as I can see the tutorial I found mentions only shorewall itself.  Hopefully one or more of those packages are gui or text based front-ends...(???)

Mons

Last edited by monsm on Sat Feb 16, 2008 5:10 pm; edited 1 time in total

----------

## i92guboj

 *monsm wrote:*   

> Hi,
> 
> Sorry for asking this question yet again.  I have been using my Gentoo box for a while now without any firewall, so I am thinking it is time to fix that.
> 
> My instinct is to get a nice GUI (for GNOME), but I can't find any.  I tried fwbuilder, but don't like it much.  Is there any alternative?
> ...

 

Every "firewall", as you say, under Linux is nothing but a frontend to "the only" firewall, which in turn is iptables. So all these fancy things are only frontends, and most of them require from you a certain (more or less) amount of knowledge about iptables, or at least a basic understanding of how the firewall works and which ports you want/need to be open.

The big problem with GUIs is that:

- first, they need to be run as root to be able to modify the rules for iptables, and running that kind of app as root is not good

- second, different distros like to use iptables in different manners; that means that usually GUIs are completely useless unless you know how to set them up correctly, which is usually a pain in the arse, because on each distro the configs and rules are saved in different ways and/or locations. For painless integration, these GUIs would need to be rewritten to handle different circumstances. Gentoo is even more special in that regard, since its init system (which loads and configures services like iptables) is not a standard sysvinit. That might make most iptables GUIs even more useless, though I don't have much experience with any of them (only with guarddog, and it definitely turned useless for NAT long ago).

 *Quote:*   

> A lot of talk is about Shorewall.  If I can't find a GUI I guess that would be an alternative.  it isn't overkill on a normal desktop is it?

 

First, all of them are the same overkill, since they are just nice things to configure the same daemon: iptables. There is no pure-gui firewall, because the firewalls need to be up since you start the net connection (usually at boot time). Otherwise they would be completely useless.

Shorewall seems to be easier to configure and that is why lots of people use it instead of directly using iptables. It is probably good enough for most people, though I can't comment on it personally.

 *Quote:*   

> Secondly on Shorewall.  There are 4 packages on portage: shorewall, shorewall-common, shorewall-lite, shorewall-perl, shorewall-shell.
> 
> What are all these packages for?  Far as I can see the tutorial I found mentions only shorewall itself.  Hopefully one or more of those packages are gui or text based front-ends...(???)
> ...

 

Don't really know, sorry.

----------

## monsm

Ok, thanks for that.

I guess shorewall might be a good one to use.  Would appreciate if someone could describe what all of those shorewall packages mentioned above are for?

Mons

----------

## overkll

The main shorewall app used to be just one ebuild:

```
net-firewall/shorewall-3.4.6
```

The newer versions have some changes that require multiple ebuilds

```
net-firewall/shorewall-shell-4.0.8
net-firewall/shorewall-common-4.0.8
net-firewall/shorewall-4.0
```

I believe shorewall-perl is optional and I'm guessing shorewall lite is a watered-down version ?

----------

## micmac

I use shorewall as well and I must say that in all these years it has served me very well. It's easy to set up and it comes with a decent documentation, the same quality documentation Gentoo comes with.

Just follow one of their quickstart guides: Link

----------

## monsm

I noticed that the latest stable release is shorewall-3.4.6.  The later ones with shorewall-common, -perl and -shell packages are still marked unstable.

So guess it's just for me to get on with it then....

----------

## Knieper

 *monsm wrote:*   

> I have been using my Gentoo box for a while now without any firewall, so I am thinking it is time to fix that.

 

Why?

----------

## overkll

monsm,

I use 4.0.8 with no issues.  AFAIK, version 4 is considered stable by the shorewall devs and I recall having some issues with the 3 series, but I don't remember what they were.

----------

## i92guboj

 *Knieper wrote:*   

>  *monsm wrote:*   I have been using my Gentoo box for a while now without any firewall, so I am thinking it is time to fix that. 
> 
> Why?

 

"Why did he run without a firewall" or "why did he think it's time to *fix* that"?

If it is the first, well, there's really no need to use a firewall if you don't have any services listening on any port and you don't need to do any NAT'ing or something like that. In that case having a firewall is just a waste of resources.

If your question is the second, then the OP is the one to answer that.

----------

## Knieper

I just want to know, why he thinks it's time to fix that. There is no description of the problem or the aims.

----------

## monsm

 *Knieper wrote:*   

> I just want to know, why he thinks it's time to fix that. There is no description of the problem or the aims.

 

Well, I have been thinking of setting up SSH access from my work PC so I can kick off things at home in quiet periods at work.

I know that without any such services running, there is not much need for the firewall.  My broadband router has a built in one too.

I guess I do need one on my desktop in this situation (i.e. running SSHD)? My router is a BTHomehub (UK specific, branded thing from my broadband provider, not sure whose hardware they have used in it).

----------

## linuxtuxhellsinki

 *monsm wrote:*   

> Well, I have been thinking of setting up SSH access from my work PC so I can kick off things at home in quiet periods at work  
> 
> I know that without any such services running, there is not much need for the firewall.

 

If it's just ssh then you'd use very good...

```
# eix denyhosts
[I] app-admin/denyhosts
     Available versions:  2.6 2.6-r1
     Installed versions:  2.6-r1(18:49:14 09/26/07)
     Homepage:            http://www.denyhosts.net
     Description:         DenyHosts is a utility to help sys admins thwart ssh hackers
```

...or otherwise your logs are starting to fill up with denied (hopefully) attempts to access your box via ssh.

But you can also deny access from some IP after a few unsuccessful login attempts via ssh with iptables, but it's harder to accomplish.

----------

## i92guboj

If it is just ssh then you are ok with solid passwords and denyhosts or something similar.

I personally prefer to just turn off pam authentication for ssh, and use passwordless key authentication.

----------

## JC99

Webmin also has a firewall interface you can use to create your firewall. 

Personally I just did a lot of reading on the net about iptables and created my firewall manually, this way you learn about how things work which is what Gentoo is all about, building your system from scratch.

----------

## pteppic

 *EvilEye wrote:*   

> Webmin also has a firewall interface you can use to create your firewall. 
> 
> Personally I just did a lot of reading on the net about iptables and created my firewall manually, this way you learn about how things work which is what Gentoo is all about, building your system from scratch.

 

I used to use webmin for iptables, it's quite good for the uninitiated. Now I do it on the cli with a few aliases for listing some tables.

----------

## Knieper

 *i92guboj wrote:*   

> I personally prefer to just turn off pam authentication for ssh, and use passwordless key authentication.

 

Maybe in conjunction with a different port, access restriction for the ip range at work (router firewall), fail2ban or Port Knocking. The more software, the more flaws...

----------

## i92guboj

 *Knieper wrote:*   

>  *i92guboj wrote:*   I personally prefer to just turn off pam authentication for ssh, and use passwordless key authentication. 
> 
> Maybe in conjunction with a different port, access restriction for the ip range at work (router firewall), fail2ban or Port Knocking. The more software, the more flaws...

 

With passwordless authentication there's no flaw. IF you don't have a key, you are not allowed in. Brute force is completely useless here, though it would be equally useless if you use a 16-digit password that is not based on a dictionary.

----------

## Knieper

 *i92guboj wrote:*   

> With passwordless authentication there's no flaw.

 

And the authentication phase is voodoo and requires no user input (p.ex. the key) and sshd drops by magic packets from anybody but monsm?

----------

## i92guboj

 *Knieper wrote:*   

>  *i92guboj wrote:*   With passwordless authentication there's no flaw. 
> 
> And the authentication phase is voodoo and requires no user input (p.ex. the key) and sshd drops by magic packets from anybody but monsm?

 

Yes, it requires a key. But, again, if you don't have it, there's no valid input you can give. Unless you can magically guess a dsa2 key, which is even harder (by many many many orders of magnitude) than cracking a 16-byte password.

The private key is usually in your ~/.ssh/id_dsa file. The public part of the key is on every server you want to access. So, if the server has pam disabled, and you don't have a key pair that matches (and that's done automatically), then you simply can't enter. You have no choice to use a password either.

EDIT: of course, you can send random packets, but you would spend a whole life to crack a 16-byte password, and you would spend probably much more to crack a dsa key.

----------

## Knieper

 *i92guboj wrote:*   

> But, again, if you don't have it, there's no valid input you can give.

 

Invalid input is often enough for attackers - that's the problem. Keep in mind that ssh is very badly implemented and brute force is just one attack pattern.

----------

## guero61

For 90% of desktop users, the following script really would suffice:

```
# flush the filter table, then allow loopback and packets belonging to
# connections this host started; everything else inbound is dropped
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
```

That should do what most people expect it would.  If you're acting as a router, though, and are unwilling/unable to learn plain iptables commands, one of the scripts (like shorewall) would do you fine.  If you want to allow SSH and PING (the other two most commonly requested services), it would be the following:

```
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# icmp type 8 is echo request, i.e. incoming ping
iptables -A INPUT -m state --state NEW -p icmp --icmp-type 8 -j ACCEPT
# new inbound ssh connections
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
```

Or, you could get really freaky and do ssh brute-force filtering at the firewall level and forget the log-parsing scripts:

```
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state NEW -p icmp --icmp-type 8 -j ACCEPT
# drop a NEW ssh connection if its source already has 4 entries in the
# "recent" list from the last 60 seconds (and refresh its entry) ...
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rsource -j DROP
# ... otherwise record the source in the list and accept it
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -m recent --set --rsource -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
```

I typed all of those by memory.  It's not hard.
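
An added example (mine, not guero61's script or the kernel's code) that models how the two `-m recent` rules in the last script behave, so you can see what the rate limit actually does before relying on it instead of a log-parsing tool like denyhosts. It shows that the pair is a sliding-window limit (four new SSH connections per source per 60 s, further ones dropped while the burst continues) and not a permanent ban: after 60 s of quiet the same source is accepted again. Assumptions: xt_recent semantics as documented in iptables-extensions(8) (`--set` records a timestamp, `--update` matches when at least `--hitcount` timestamps fall inside the last `--seconds` and refreshes the entry only on a match, each entry holds the default `ip_pkt_list_tot` of 20 timestamps); the addresses and timings are constructed.

```python
from collections import defaultdict, deque

# Parameters from the post's rule (--seconds 60 --hitcount 4) and
# xt_recent's default per-entry ring buffer size (ip_pkt_list_tot=20).
SECONDS, HITCOUNT, PKT_LIST_TOT = 60, 4, 20


class RecentList:
    """Per-source timestamp ring buffers, modelling one xt_recent table."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def set(self, src, now):
        """`-m recent --set --rsource`: always matches and records a stamp."""
        self.stamps[src].append(now)
        return True

    def update(self, src, now, seconds, hitcount):
        """`-m recent --update --seconds S --hitcount N --rsource`: matches
        when >= N stamps fall inside the window; refreshes only on a match."""
        hits = sum(1 for t in self.stamps.get(src, ()) if now - t <= seconds)
        matched = hits >= hitcount
        if matched:
            self.stamps[src].append(now)
        return matched


def new_ssh_connection(table, src, now):
    """Walk the two tcp/22 rules from the post for one NEW connection."""
    if table.update(src, now, SECONDS, HITCOUNT):
        return "DROP"          # 4 recent entries already: rate limit hit
    table.set(src, now)        # otherwise record the source and let it in
    return "ACCEPT"


def simulate(attempts):
    """attempts: (source_ip, time_in_seconds) pairs; returns the verdicts."""
    table = RecentList()
    return [new_ssh_connection(table, src, t) for src, t in attempts]


if __name__ == "__main__":
    # Constructed scenario: one source hammering the port, one quiet source.
    burst = [("198.51.100.7", t) for t in (0, 1, 2, 3, 4, 50, 64, 130)]
    quiet = [("192.0.2.10", 5)]
    for (src, t), verdict in zip(burst + quiet, simulate(burst + quiet)):
        print(f"t={t:>3}s {src:<14} {verdict}")
```

The 5th attempt at t=4 and the one at t=50 are dropped, but the attempt at t=64 gets through because only two of the source's stamps are still inside the 60 s window.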

----------

## GenKreton

http://iptables-tutorial.frozentux.net/iptables-tutorial.html

This is the world's second greatest firewall application. Learning a GUI that changes with updates, is quirky, and has dependencies that you may not want is a poor alternative to typing up a good script for your own firewall by hand.

(First would be OpenBSD's, sorry Linux)

----------

## monsm

Thanks for the help all.

I printed all 243 pages (at work obviously) of the tutorial GenKreton pointed to. Have read about half of it so far.

Meanwhile I have read a Gentoo Wiki: http://gentoo-wiki.com/HOWTO_Iptables_for_newbies

The conclusion to all this is that I have removed Shorewall again (emerge -C) and for the time being I am using the second example from guero61 as my firewall.

I might fine-tune it a bit when I have finished the remaining 8 chapters of the tutorial.

Or I might just remove the whole iptables again.  My broadband router is actually running a Linux kernel already, so is probably already using iptables.

Thanks again.

Mons

----------

