# ufw, firehol or iptables

## Naib

For quite some time I relied on tcpwrapper to "protect" my box against attack - it sits behind a router that exposes http and sshd.

sshd dropped support for tcpd and thus the prospect of a firewall rose again. 

So what to use?

ufw?  firewall for dummies?  nothing wrong with that as it is simple and (sort of) just works

firehol? scripting language on top of iptables that attempts to unobtrusify iptables - I used to use this

iptables? 

I sort of have an iptables setup that interacts with fail2ban (I have tested it) but the issue is well... not fully sure about what it does

----------

## thoughtform

I personally love iptables + fail2ban.

I'm no iptables expert but I've found it helpful to verify your fail2ban setup is working by issuing this command as root:

```
iptables -L -v -n
```

If you see some IP addresses banned under a chain named f2b-* or fail2ban-*, then you're somewhat protected.
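The check thoughtform describes (and the "not fully sure what it does" worry in the opening post) can be automated. The following Python is an added example, not code from this thread or from fail2ban; it parses the output of `iptables -L -v -n` in its usual column layout (pkts, bytes, target, prot, opt, in, out, source, destination, extras), lists the addresses currently rejected under any `f2b-*` or `fail2ban-*` chain, and also confirms that such a chain is actually jumped to from INPUT, because a jail chain that exists but is never referenced bans nothing. The sample output is constructed, with addresses from documentation ranges.

```python
import re

# Constructed sample of `iptables -L -v -n` on a host running fail2ban.
# Not captured from a real machine; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges.
SAMPLE_OUTPUT = """\
Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
  340 20400 f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
 9100  612K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 4022  288K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   18  1080 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 11023 packets, 1402K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain f2b-sshd (1 references)
 pkts bytes target     prot opt in     out     source               destination
   15   900 REJECT     all  --  *      *       203.0.113.45         0.0.0.0/0            reject-with icmp-port-unreachable
    3   180 REJECT     all  --  *      *       198.51.100.7         0.0.0.0/0            reject-with icmp-port-unreachable
  322 19320 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")
F2B_PREFIXES = ("f2b-", "fail2ban-")   # chain name prefixes fail2ban has used
BLOCK_TARGETS = {"REJECT", "DROP"}     # targets that actually stop traffic

# Column positions in `iptables -L -v -n` output (assumption: the legacy
# text layout; the first nine columns are fixed, extras follow).
COL_TARGET, COL_SOURCE = 2, 7


def parse_chains(output):
    """Map chain name -> list of rule rows, each row split on whitespace."""
    chains = {}
    current = None
    for line in output.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        # Skip blank lines and the per-chain column header row.
        if current is None or not line.strip() or line.lstrip().startswith("pkts"):
            continue
        chains[current].append(line.split())
    return chains


def banned_by_fail2ban(output):
    """Return {jail_chain: [source addresses currently blocked]}."""
    result = {}
    for name, rules in parse_chains(output).items():
        if not name.startswith(F2B_PREFIXES):
            continue
        result[name] = [r[COL_SOURCE] for r in rules
                        if r[COL_TARGET] in BLOCK_TARGETS]
    return result


def jail_is_wired(output, chain="INPUT"):
    """True if some fail2ban chain is referenced from `chain`.

    fail2ban inserts a jump like `-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd`;
    without that jump the jail chain's REJECT rules are never evaluated.
    """
    rules = parse_chains(output).get(chain, [])
    return any(r[COL_TARGET].startswith(F2B_PREFIXES) for r in rules)


if __name__ == "__main__":
    # On a real host: replace SAMPLE_OUTPUT with
    # subprocess.run(["iptables", "-L", "-v", "-n"], capture_output=True, text=True).stdout
    for chain, ips in banned_by_fail2ban(SAMPLE_OUTPUT).items():
        print(f"{chain}: {len(ips)} banned -> {', '.join(ips)}")
    print("jail reachable from INPUT:", jail_is_wired(SAMPLE_OUTPUT))
```

Two things the one-line eyeball check tends to miss and this script reports explicitly: a jail chain with zero REJECT rows (nothing has tripped it yet, which is not the same as it not working) and a jail chain that no INPUT rule jumps to.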

----------

## szatox

I've been simply using a block-all-except-what-I-explicitly-want-to-receive iptables set + public key login to ssh. I suppose disabling password login (and direct root login) provides sufficient protection against dictionary and bf attacks even with extremely weak passwords  :Laughing: 

Blocking rogue traffic completely can of course reduce bandwidth usage slightly, but roughly 1-2 dozen thousand attempts every day weren't even noticeable traffic.

Not like I was against f2b. I just didn't find it necessary for me. Your mileage might vary.

Obvious downside is you need to carry your key with you, but do you ever use someone else's device to connect?

Also if you trust those devices with your password, why not trust them with your key?
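The two halves of szatox's setup, a default-deny INPUT chain and key-only ssh, can both be expressed and checked in a few lines. This Python is an added example, not szatox's own rules or anything from the thread: `build_ruleset` renders a default-drop IPv4 filter table in `iptables-restore` format (assumes the conntrack match module is available), and `effective_sshd_settings` reads an sshd_config body the way sshd does, taking the first value seen for each keyword and stopping at the first `Match` block, whose settings are conditional. The sample sshd_config is constructed.

```python
# Defaults sshd applies when a keyword is absent (OpenSSH 7.0 and later:
# PermitRootLogin defaults to prohibit-password). Keyword names lower-cased.
SSHD_DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",   # KbdInteractiveAuthentication in newer releases
    "permitrootlogin": "prohibit-password",
}
KEYWORD_ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}

# Constructed sample; not a real host's sshd_config.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no   # keyboard-interactive via PAM can still take passwords
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
"""


def build_ruleset(tcp_ports, allow_icmp=True):
    """Render a default-deny filter table for `iptables-restore < file`.

    Anything not in tcp_ports (and not a reply to a connection this host
    started) is dropped on INPUT; OUTPUT stays open.
    """
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",      # default policy: drop unsolicited inbound
        ":FORWARD DROP [0:0]",    # not a router
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
        "-A INPUT -m conntrack --ctstate INVALID -j DROP",
    ]
    if allow_icmp:
        lines.append("-A INPUT -p icmp -j ACCEPT")
    for port in sorted(set(int(p) for p in tcp_ports)):
        lines.append(f"-A INPUT -p tcp --dport {port} -m conntrack --ctstate NEW -j ACCEPT")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def effective_sshd_settings(config_text):
    """Return the effective global value for each keyword in SSHD_DEFAULTS.

    sshd uses the first value it reads for a keyword, so a later duplicate
    does not override an earlier one. Lines after the first `Match` only
    apply to matching connections, so parsing stops there.
    """
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # allow "Key value" or "Key=value"
        key = KEYWORD_ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        if len(parts) == 2 and key in SSHD_DEFAULTS and key not in seen:
            seen[key] = parts[1].strip().strip('"').lower()
    return {k: seen.get(k, default) for k, default in SSHD_DEFAULTS.items()}


def key_only_login(config_text):
    """True only if neither plain nor keyboard-interactive password login
    is possible and root cannot log in with a password."""
    s = effective_sshd_settings(config_text)
    return (s["passwordauthentication"] == "no"
            and s["challengeresponseauthentication"] == "no"
            and s["permitrootlogin"] in ("no", "prohibit-password"))


if __name__ == "__main__":
    print(build_ruleset([22, 80]))
    print("key-only ssh:", key_only_login(SAMPLE_SSHD_CONFIG))
```

The `ChallengeResponseAuthentication` line is the one people forget: with `PasswordAuthentication no` alone, a PAM-backed keyboard-interactive prompt can still accept the same weak password, so the check above insists on both.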

----------

## NeddySeagoon

Naib,

shorewall is a good iptables rule generator but it may be overkill for what you want.

----------

