# Any newb friendly firewalls?

## <3

I have been a Gentoo user for over 10 years and I've asked this question every so often, never to get a solid answer. I would like an easy to use firewall for my Gentoo setups. I've tried reading multiple iptables & shorewall configuration guides and none of them make any sense to me. So I'd like to ask again (maybe something has changed in 2014): does there exist any easy to set up, newb friendly Linux firewall software that an idiot like myself can use?

----------

## mrbassie

Ubuntu's ufw (uncomplicated firewall) is in the portage tree, I've not yet been able to get it to work properly however. Maybe you'll have better luck.

----------

## mv

You might want to have a look at firewall-mv from the mv overlay, although one can of course always argue what is "simple". The default rules (especially blocking outgoing traffic) are likely to be too restrictive for you so you must really look at the configuration.

----------

## PaulBredbury

Arch's wiki explains things pretty well.

Yes, iptables has a nasty learning curve, but you can play with it.

----------

## mv

 *PaulBredbury wrote:*   

> Yes, iptables has a nasty learning curve, but you can play with it

 

One must warn that it is a bad moment to start learning iptables: It seems that nftables is the upcoming replacement in the foreseeable future.

----------

## <3

 *mrbassie wrote:*   

> Ubuntu's ufw (uncomplicated firewall) is in the portage tree, I've not yet been able to get it to work properly however. Maybe you'll have better luck.

  Doesn't look like this ufw has been marked stable on any arch.

----------

## jonathan183

I used guarddog http://www.simonzone.com/software/guarddog/ but it got dropped a few years ago.

I tried ufw and iptables ... and I prefer iptables. So I use iptables, I'm far from an expert and I'm only doing some basic stuff like block in-coming and allow limited users access to limited ports for some egress protection ... but it's good enough for me.

If you have been using Gentoo for the last 10 years what have you been using for a firewall configuration tool?

----------

## <3

 *jonathan183 wrote:*   

> If you have been using Gentoo for the last 10 years what have you been using for a firewall configuration tool?

  That is the point: for the past 10 years I have used nothing, because I have not found _ANYTHING_ that is easy enough for me to understand. There really needs to be something easier than iptables for Linux systems.

It would be nice if someone wrote a generic shorewall config for the gentoo wiki.

----------

## mv

 *jonathan183 wrote:*   

> I'm far from an expert and I'm only doing some basic stuff

 

The problem with this is that it is not really helpful against attackers if you do not know all the tricks hackers use: you get only protection against the tricks which you do know. As an example, as we just had recently, blocking icmp can even allow certain types of new attacks, so it can do more harm than be helpful if you do not understand fully what you are doing.

Blocking ports actually should not be necessary if you let your programs listen to only local ports (which is usually the default, but checking `netstat -tulpe` won't hurt).

----------

## i92guboj

You can stop searching. There's only iptables. The rest are all frontends to it. That in turn means that at some point, even if you use one of these frontends, you will hit a showstopper that will force you to learn iptables to do something that the frontend at hand can't do.

----------

## Goverp

I've used UFW for over three years on a couple of boxes.  It's very easy and intuitive to configure, and there are GUI front-ends (I use kcm-ufw).

It used to be a bit of a pain, as it requires your kernel config to include many of the netfilter components (as modules or built-in).  The current ebuilds check this and warn you if it's not right.  (The same config requirements will apply to any firewall, 'cos as mentioned above they're all backed by iptables.)

You have to enable it thus:

```
rc-update add ufw boot
<first time, /etc/init.d/ufw start>
<configure your firewall; default is permit all outbound, deny any inbound>
ufw enable
```

----------

## <3

As another poster previously stated, it's pointless for me to even try to learn iptables since it will soon be replaced by nftables.

----------

## 666threesixes666

"only ip tables"  maybe we beef this up then?  https://wiki.gentoo.org/wiki/Iptables

"nftable deprecation"  the wiki and other pages state that there will be compatibility layers to habituate you into the new format.

"nftables" net-firewall/nftables Linux kernel (3.13+) firewall, NAT and packet mangling tools

How new is your kernel?  3.13.1 is the latest stable vanilla sources. There is a 3.13 gentoo source also floating around. Maybe we start banging out the nftables wiki with Arch wiki guidance.  https://wiki.archlinux.org/index.php/Nftables

----------

## jonathan183

 *mv wrote:*   

>  *jonathan183 wrote:*   I'm far from an expert and I'm only doing some basic stuff 
> 
> The problem with this is that it is not really helpful against attackers if you do not know all the tricks hackers use: you get only protection against the tricks which you do know. As an example, as we just had recently, blocking icmp can even allow certain types of new attacks, so it can do more harm than be helpful if you do not understand fully what you are doing.
> 
> Blocking ports actually should not be necessary if you let your programs listen to only local ports (which is usually the default, but checking 
> ...

 

I'm not sure why you think I am making things worse with a firewall. I only allow access to the net for user accounts which need it, one account for email (access via claws-mail) or web browsing. So programs can only access the net if they were started with my network access group; since I use IceWM that's easy to put in the toolbar etc.

```
prog FireFox /etc/icewm/iechew.png sg my_net_group firefox
prog "Filezilla - FTP website management" /usr/share/icons/Mint-X/apps/48/filezilla.png sg my_net_group filezilla
prog "Claws Mail" /usr/share/icons/Mint-X/apps/48/evolution.png sg my_net_group claws-mail
```

I have included my firewall script below - if you could point out the parts which will make things worse than no firewall at all I'd appreciate it so that I can fix them.

```
#!/bin/bash
### my firewall config using iptables
### use start or stop parameter
### parameter for internet access group name - don't use "-" in names
internet_access_group="my_net_group"
### where this is used with the gid-owner option the program should be started with sg to switch group to the net access group
### list of websurfer users
internet_websurfer_users='jonathan-websurfer'
### list of email users
internet_email_users='jonathan-email'
### list of filezilla users
internet_filezilla_users='jonathan-filezilla'
### iptables accepts at most 29 characters for LOG --log-prefix, so the prefixes below are kept short

if [ "$1" = "start" ]
then
   echo "Starting firewall ..."
   ##########################################
   ### Set default policies for chains - drop
   ##########################################
   ### default - drop all incoming
   sudo iptables -P INPUT DROP
   ### default - drop all forward
   sudo iptables -P FORWARD DROP
   ### default - drop all outgoing
   sudo iptables -P OUTPUT DROP
   ##########################################
   ### Setup loopback interface - allow
   ##########################################
   sudo iptables -A INPUT -i lo -p all -j ACCEPT
   sudo iptables -A OUTPUT -o lo -p all -j ACCEPT
   ##########################################
   ########### INPUT chain ##################
   ##########################################
   ### allow established connections
   # obsolete state match: sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
   sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
   # reject tcp and udp like no firewall is running
   sudo iptables -A INPUT -p tcp -j LOG --log-prefix fw-in-tcp-reject
   sudo iptables -A INPUT -p udp -j LOG --log-prefix fw-in-udp-reject
   sudo iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
   sudo iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
   ### default reject inputs if they have not matched the above rules
   sudo iptables -A INPUT -j LOG --log-prefix fw-in-default-reject
   sudo iptables -A INPUT -j REJECT
   ##########################################
   ### create new chains as needed ##########
   ##########################################
   ### first we have users with websurfer access - web browser users
   for websurfer_user in $internet_websurfer_users
   do
      # create chain
      sudo iptables -N ckpt_$websurfer_user
      # dns
      sudo iptables -A ckpt_$websurfer_user -d 192.168.1.1 -p udp --dport 53 -j ACCEPT
      # http
      sudo iptables -A ckpt_$websurfer_user -m owner --gid-owner $internet_access_group -p tcp --dport 80 -j ACCEPT
      # https
      sudo iptables -A ckpt_$websurfer_user -m owner --gid-owner $internet_access_group -p tcp --dport 443 -j ACCEPT
      ## for mocp internet radio ip=62.75.221.192 port=9106
      sudo iptables -A ckpt_$websurfer_user -m owner --gid-owner $internet_access_group -d 62.75.221.192 -p tcp --dport 9106 -j ACCEPT
      sudo iptables -A ckpt_$websurfer_user -m owner --gid-owner $internet_access_group -d 62.75.221.192 -p udp --dport 9106 -j ACCEPT
      # default drop
      sudo iptables -A ckpt_$websurfer_user -j LOG --log-prefix fw-ckpt_$websurfer_user
      sudo iptables -A ckpt_$websurfer_user -j DROP
   done
   ### now we have users with email access - claws-mail users
   for email_user in $internet_email_users
   do
      # create chain
      sudo iptables -N ckpt_$email_user
      # dns
      sudo iptables -A ckpt_$email_user -d 192.168.1.1 -p udp --dport 53 -j ACCEPT
      ## for claws-mail
      # pop port 995
      sudo iptables -A ckpt_$email_user -m owner --gid-owner $internet_access_group -p tcp --dport 995 -j ACCEPT
      sudo iptables -A ckpt_$email_user -m owner --gid-owner $internet_access_group -p udp --dport 995 -j ACCEPT
      # smtp port 465
      sudo iptables -A ckpt_$email_user -m owner --gid-owner $internet_access_group -p tcp --dport 465 -j ACCEPT
      sudo iptables -A ckpt_$email_user -m owner --gid-owner $internet_access_group -p udp --dport 465 -j ACCEPT
      # default drop
      sudo iptables -A ckpt_$email_user -j LOG --log-prefix fw-ckpt_$email_user
      sudo iptables -A ckpt_$email_user -j DROP
   done
   ### now we have users with filezilla access
   for filezilla_user in $internet_filezilla_users
   do
      # create chain
      sudo iptables -N ckpt_$filezilla_user
      # dns
      sudo iptables -A ckpt_$filezilla_user -d 192.168.1.1 -p udp --dport 53 -j ACCEPT
      ## for filezilla - need to change ports
      # pop port 995
      sudo iptables -A ckpt_$filezilla_user -m owner --gid-owner $internet_access_group -p tcp --dport 995 -j ACCEPT
      sudo iptables -A ckpt_$filezilla_user -m owner --gid-owner $internet_access_group -p udp --dport 995 -j ACCEPT
      # smtp port 465
      sudo iptables -A ckpt_$filezilla_user -m owner --gid-owner $internet_access_group -p tcp --dport 465 -j ACCEPT
      sudo iptables -A ckpt_$filezilla_user -m owner --gid-owner $internet_access_group -p udp --dport 465 -j ACCEPT
      # default drop
      sudo iptables -A ckpt_$filezilla_user -j LOG --log-prefix fw-ckpt_$filezilla_user
      sudo iptables -A ckpt_$filezilla_user -j DROP
   done
   ### chain check_port_root
   sudo iptables -N check_port_root
   # dns
   sudo iptables -A check_port_root -d 192.168.1.1 -p udp --dport 53 -j ACCEPT
   # rsync
   sudo iptables -A check_port_root -p tcp --dport 873 -j ACCEPT
   # rkhunter updates DST=216.34.181.96
   sudo iptables -A check_port_root -d 216.34.181.96 -p tcp --dport 80 -j ACCEPT
   sudo iptables -A check_port_root -d 216.34.181.96 -p udp --dport 80 -j ACCEPT
   # default drop
   sudo iptables -A check_port_root -j LOG --log-prefix fw-check_port_root
   sudo iptables -A check_port_root -j DROP
   ### chain check_port_portage
   sudo iptables -N check_port_portage
   # dns
   sudo iptables -A check_port_portage -d 192.168.1.1 -p udp --dport 53 -j ACCEPT
   # rsync
   sudo iptables -A check_port_portage -p tcp --dport 873 -j ACCEPT
   # ftp
   sudo iptables -A check_port_portage -p tcp --dport 21 -j ACCEPT
   sudo iptables -A check_port_portage -p tcp --dport 20 -j ACCEPT
   # ftp on port 80 - http port
   sudo iptables -A check_port_portage -p tcp --dport 80 -j ACCEPT
   # default drop - must go on this chain, not check_port_root
   sudo iptables -A check_port_portage -j LOG --log-prefix fw-check_port_portage
   sudo iptables -A check_port_portage -j DROP
   ### chain check_port_clamav
   sudo iptables -N check_port_clamav
   # dns
   sudo iptables -A check_port_clamav -d 192.168.1.1 -p udp --dport 53 -j ACCEPT
   # http
   sudo iptables -A check_port_clamav -p tcp --dport 80 -j ACCEPT
   # https
   sudo iptables -A check_port_clamav -p tcp --dport 443 -j ACCEPT
   # default drop - must go on this chain (there is no check_port_websurfer chain)
   sudo iptables -A check_port_clamav -j LOG --log-prefix fw-check_port_clamav
   sudo iptables -A check_port_clamav -j DROP
   ### chain check_port_unmatched - for users without a corresponding chain
   sudo iptables -N check_port_unmatched
   # dns
   sudo iptables -A check_port_unmatched -d 192.168.1.1 -p udp --dport 53 -j ACCEPT
   # ftp - this is needed for emerge to work (should work on portage user but does not for some reason)
   sudo iptables -A check_port_unmatched -m conntrack --ctproto tcp --ctorigdstport 21 -j ACCEPT
   sudo iptables -A check_port_unmatched -m conntrack --ctstatus EXPECTED -j ACCEPT
   # default drop
   sudo iptables -A check_port_unmatched -j LOG --log-prefix fw-check_port_unmatched
   sudo iptables -A check_port_unmatched -j DROP
   ##########################################
   ########### OUTPUT chain #################
   ##########################################
   ### allow established connections
   sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
   # log all new output connections being made
   sudo iptables -A OUTPUT -m conntrack --ctstate NEW -j LOG --log-prefix fw-new-output
   # only enable next rule on a temporary basis - no egress protection
   # sudo iptables -A OUTPUT -m conntrack --ctstate NEW -j ACCEPT
   ### Now match specific users and check port numbers in their own chain
   for websurfer_user in $internet_websurfer_users
   do
      sudo iptables -A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner $websurfer_user -j ckpt_$websurfer_user
   done
   for email_user in $internet_email_users
   do
      sudo iptables -A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner $email_user -j ckpt_$email_user
   done
   for filezilla_user in $internet_filezilla_users
   do
      sudo iptables -A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner $filezilla_user -j ckpt_$filezilla_user
   done
   sudo iptables -A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner root -j check_port_root
   sudo iptables -A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner portage -j check_port_portage
   sudo iptables -A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner clamav -j check_port_clamav
   ### unmatched users default check port numbers chain
   sudo iptables -A OUTPUT -m conntrack --ctstate NEW -j check_port_unmatched
   ### default drop outputs if they have not matched the above rules
   sudo iptables -A OUTPUT -j LOG --log-prefix fw-output-default-drop
   sudo iptables -A OUTPUT -j DROP
   # check for filter for dropping spoof packets
#   echo "Check values are 1 to drop spoof packets"
#   cat /proc/sys/net/ipv4/conf/wlan0/rp_filter
#   cat /proc/sys/net/ipv4/conf/eth0/rp_filter
   ### output firewall config info
#   sudo iptables -v -L
elif [ "$1" = "stop" ]
then
   echo "Stopping firewall ..."
   sudo iptables -F INPUT
   sudo iptables -P INPUT ACCEPT
   sudo iptables -F FORWARD
   sudo iptables -P FORWARD ACCEPT
   sudo iptables -F OUTPUT
   sudo iptables -P OUTPUT ACCEPT
   ### flush and remove my chains (OUTPUT is flushed first, otherwise -X fails because the chains are still referenced)
   for websurfer_user in $internet_websurfer_users
   do
      sudo iptables -F ckpt_$websurfer_user
      sudo iptables -X ckpt_$websurfer_user
   done
   for email_user in $internet_email_users
   do
      sudo iptables -F ckpt_$email_user
      sudo iptables -X ckpt_$email_user
   done
   for filezilla_user in $internet_filezilla_users
   do
      sudo iptables -F ckpt_$filezilla_user
      sudo iptables -X ckpt_$filezilla_user
   done
   sudo iptables -F check_port_root
   sudo iptables -X check_port_root
   sudo iptables -F check_port_portage
   sudo iptables -X check_port_portage
   sudo iptables -F check_port_clamav
   sudo iptables -X check_port_clamav
   sudo iptables -F check_port_unmatched
   sudo iptables -X check_port_unmatched
   ### don't forget to add new chains here
   ### output firewall config info
#   sudo iptables -v -L
else
   echo " You have not selected anything - no firewall changes made ! "
   echo
   echo "    use ./myfirewall.sh start"
   echo
   echo "       or"
   echo
   echo "    use ./myfirewall.sh stop"
   echo
   echo " to start or stop the firewall as needed ;-)"
fi
```
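Most of what goes wrong in a hand-written script like the one above is only reported when iptables loads it, or not at all: a "default drop" pair appended to the wrong chain loads without complaint and leaves the intended chain with no terminating rule, and a user chain that is created but never jumped to is dead code. The following is an added example, not code from the post: a small Python linter that reads a script of `iptables` commands and flags rules appended to chains the script never creates, jumps to chains that do not exist, user chains that are never jumped to, and `LOG --log-prefix` values longer than the 29 characters iptables accepts. The script text it checks is constructed for the example; shell variables are not expanded, but a name such as `ckpt_$user` appears consistently in `-N`, `-A` and `-j`, so the cross-checks still hold on a real script.

```python
"""Lint a script of iptables commands before it touches the kernel.

Added example, not code from the original post. It reads the script text,
keeps the `iptables ...` commands (a leading `sudo` is ignored) and reports:
  * rules appended to a chain the script never creates,
  * jumps to a chain the script never creates,
  * user chains created but never jumped to, so their rules never run,
  * LOG --log-prefix values longer than the 29 characters iptables allows.
"""
import shlex

BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD"}
TARGETS = {"ACCEPT", "DROP", "REJECT", "LOG", "RETURN"}
MAX_LOG_PREFIX = 29  # libxt_LOG: "Maximum prefix length 29 for --log-prefix"


def iptables_commands(script):
    """Yield the argument list of every iptables command in the script."""
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            argv = shlex.split(line)
        except ValueError:  # unbalanced quotes in some unrelated shell line
            continue
        if argv and argv[0] == "sudo":
            argv = argv[1:]
        if argv and argv[0] == "iptables":
            yield argv[1:]


def lint(script):
    """Return sorted findings (strings) for the script text; [] means clean."""
    created, appended_to, jumped_to, findings = set(), set(), set(), []
    for args in iptables_commands(script):
        for i, arg in enumerate(args[:-1]):
            value = args[i + 1]
            if arg == "-N":
                created.add(value)
            elif arg == "-A":
                appended_to.add(value)
            elif arg == "-j" and value not in TARGETS:
                jumped_to.add(value)
            elif arg == "--log-prefix" and len(value) > MAX_LOG_PREFIX:
                findings.append(
                    f"log prefix too long ({len(value)} > {MAX_LOG_PREFIX}): {value}")
    for chain in sorted(appended_to - created - BUILTIN_CHAINS):
        findings.append(f"rule appended to chain that is never created: {chain}")
    for chain in sorted(jumped_to - created - BUILTIN_CHAINS):
        findings.append(f"jump to chain that is never created: {chain}")
    for chain in sorted(created - jumped_to):
        findings.append(f"chain created but never jumped to (its rules never run): {chain}")
    return sorted(findings)


# Constructed sample with deliberate mistakes so that every check has a hit.
SAMPLE_SCRIPT = """
sudo iptables -P OUTPUT DROP
sudo iptables -N check_port_portage
sudo iptables -A check_port_portage -p tcp --dport 873 -j ACCEPT
# default drop, but appended to the wrong chain by copy-and-paste:
sudo iptables -A check_port_root -j LOG --log-prefix myfwall-check_port_portage-default-drop
sudo iptables -A check_port_root -j DROP
sudo iptables -N ckpt_filezilla
sudo iptables -A ckpt_filezilla -p tcp --dport 21 -j ACCEPT
sudo iptables -A ckpt_filezilla -j DROP
sudo iptables -A OUTPUT -m owner --uid-owner portage -j check_port_portage
sudo iptables -A OUTPUT -j LOG --log-prefix fw-out-default
sudo iptables -A OUTPUT -j DROP
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_SCRIPT):
        print(finding)
```

Run it against the script file itself (`lint(open("myfirewall.sh").read())`) before every change; an empty list is the result to aim for. It does not validate match options or rule order, so it complements rather than replaces reading `iptables -v -L` after loading.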

----------

## mv

 *666threesixes666 wrote:*   

> "nftable deprecation"  the wiki and other pages state that there will be compatibility layers to habituate you into the new format.

 

One cannot rely on that: currently "most"(TM) functionality is provided, but it is some sort of emulation mode, and the interface has a rather different syntax. I have not looked at the details yet, but it seems that in nftables some things should "natively" be done differently - the emulation mode (even if it does work, which for some enhanced iptables functionality might be only for a limited time, since it appears that the "emulation" of some such features is to call the old iptables code in the kernel) is certainly less optimal than if you set up the bytecode directly.

----------

## mv

 *jonathan183 wrote:*   

> I'm not sure why you think I am making things worse with a firewall

 

I didn't say that you make it worse, but it is possible to make it worse if one makes some mistakes. I have currently no time to look at your code and also do not remember the URL posted in some recent discussion. You might want to google for "blocking icmp harmful": I remember there were some attacks possible with packets broken up in several parts if these parts are not put together correctly due to wrong blocking. Also, not all spoofing can be detected automatically by the kernel. E.g. if you know that through some interfaces you should only get certain IP ranges you should check for these. To get a safe setup you should know that such spoofing is a possible attack method. Probably there are other such examples which I do not remember at the moment.

----------

## <3

So I guess that means there aren't any newb friendly GNU/Linux firewalls

----------

## PaulBredbury

 *jonathan183 wrote:*   

> sudo iptables
> 
> sudo again
> 
> sudo some more

 

The whole script should be run as root, without having to run sudo a hundred times.

----------

## Fitzcarraldo

 *<3 wrote:*   

> So I guess that means there aren't any newb friendly GNU/Linux firewalls

 

I'm not so sure about that. I agree with Goverp, UFW is about as beginner-friendly as you're going to get. I've been using it for four years or so on a few laptops. My main laptop runs KDE so I use the KConfig Module kcm-ufw, which is a nice GUI front-end. My other laptops run Xfce, so on those I use ufw-frontends, which is also a nice GUI front-end. You can see screenshots of the GUIs on the respective Web sites. The installation of a front-end does not preclude you using the command line instead, if you want.

Example 1:

To access Samba shares on my laptop from a Windows PC, I launched the ufw-frontends GUI and added the rule:

General

Direction: In

Action: Allow

Protocol: Any

Logging: Off

Source

Address: Custom 192.168.1.0/24

Port: Any

Destination

Address: Any

Port: Application CIFS

and now the list of rules reported by ufw includes:

```
# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip
To                         Action      From
--                         ------      ----
137,138/udp (CIFS)         ALLOW IN    192.168.1.0/24
139,445/tcp (CIFS)         ALLOW IN    192.168.1.0/24
```

N.B. My router uses 192.168.1.0/24 as the internal IP address range for my home network. Your router may use a different internal address range, so check in your router's User Guide or its Web configuration page and modify your rule accordingly if necessary.

Example 2:

Yesterday I installed KDE Connect on my Android phone and my main laptop running KDE. The KDE Connect developers wrote that ports 1714 to 1764 need to be open for TCP and UDP in order to allow the two devices to communicate. Adding the required firewall rules via the KDE GUI (System Settings > Firewall) was a piece of cake, but I also tried it via the command line to check both approaches:

```
# # Open the ports for TCP:
# ufw allow proto tcp to any port 1714:1764
# # Open the ports for UDP:
# ufw allow proto udp to any port 1714:1764
#
# # Now check that the rules look correct:
#
# ufw status verbose | grep 1714
1714:1764/tcp ALLOW IN Anywhere
1714:1764/udp ALLOW IN Anywhere
1714:1764/tcp ALLOW IN Anywhere (v6)
1714:1764/udp ALLOW IN Anywhere (v6)
```

Firewalls are inherently complicated. UFW may not be perfect, but at least it allows me to set up some protection without spending hours grappling with something more complicated.

KDE:

```
# emerge ufw kcm-ufw
```

Other DE:

```
# emerge ufw ufw-frontends
```

In all cases, as Goverp wrote:

```
# rc-update add ufw boot
# /etc/init.d/ufw start # To start for first time.
# # Configure your firewall via the GUI or command line (default is: permit all outbound, deny any inbound).
# # Now enable the firewall:
# ufw enable
```

DuckDuckGo will find you some decent 'How To' articles on the Web, since UFW is installed with Ubuntu and is therefore widely used.

```
# ufw --help

# man ufw
```

----------

## PaulBredbury

 *Fitzcarraldo wrote:*   

> ufw enable

 

Can you then run iptables-save and see what it's produced in iptables? Anything interesting there?

----------

## 1clue

I've tried ufw on Ubuntu, and quickly went back to iptables.

I have some objections to a dummied down firewall:

They leave a lot of functionality out, and some of that functionality is stuff I want to use.

They hide what's really happening

It all comes down to the same thing in the end.

You need to understand what's being blocked and why, and what's being passed and why.

Once you get there, the syntax for iptables and cisco and whatever else you might try isn't so complicated anymore.

----------

## Marlo

 *666threesixes666 wrote:*   

> ...   https://wiki.archlinux.org/index.php/Nftables

 

Thank you 666threesixes666,

the link was really helpful.

Ma

----------

## Fitzcarraldo

 *PaulBredbury wrote:*   

>  *Fitzcarraldo wrote:*   ufw enable 
> 
> Can you then run iptables-save and see what it's produced in iptables? Anything interesting there?

 

```
# iptables-save
# Generated by iptables-save v1.4.21 on Tue Feb 11 22:26:10 2014
*filter
:INPUT DROP [53:2084]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [7:328]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -s 192.168.1.0/24 -p udp -m multiport --dports 137,138 -m comment --comment "\'dapp_CIFS\'" -j ACCEPT
-A ufw-user-input -s 192.168.1.0/24 -p tcp -m multiport --dports 139,445 -m comment --comment "\'dapp_CIFS\'" -j ACCEPT
-A ufw-user-input -p tcp -m multiport --dports 1714:1764 -j ACCEPT
-A ufw-user-input -p udp -m multiport --dports 1714:1764 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Tue Feb 11 22:26:10 2014
```

```
# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip
To                         Action      From
--                         ------      ----
137,138/udp (CIFS)         ALLOW IN    192.168.1.0/24
139,445/tcp (CIFS)         ALLOW IN    192.168.1.0/24
1714:1764/tcp              ALLOW IN    Anywhere
1714:1764/udp              ALLOW IN    Anywhere
1714:1764/tcp              ALLOW IN    Anywhere (v6)
1714:1764/udp              ALLOW IN    Anywhere (v6)
```
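The dump shows why `ufw status` is not the whole story: the user rules live in `ufw-user-input`, but `ufw-before-input` accepts ICMP, DHCP replies, mDNS and SSDP on its own before the user chain is ever consulted, and the policy is split over two dozen chains. As an added example (not part of the post and not ufw's own tooling), here is a Python audit that parses an iptables-save dump, walks every chain reachable from INPUT in the order netfilter evaluates it, and lists the ACCEPT rules that admit new connections from any source. The dump embedded below is an abridged copy of the one above, constructed for the example.

```python
"""Audit what an iptables-save dump actually lets in.

Added example, not from the original post. Walks every chain reachable
from INPUT in evaluation order, collects the ACCEPT rules, and reports
those with no source or interface restriction that are not limited to
RELATED/ESTABLISHED traffic, i.e. the real inbound exposure.
"""
import shlex
from collections import defaultdict

TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}  # not user chains


def parse_save(text):
    """Return (policies, rules) for the *filter table of an iptables-save dump.

    policies maps chain -> policy ("-" for user-defined chains);
    rules maps chain -> list of argument lists, one per -A line, in order.
    """
    policies, rules = {}, defaultdict(list)
    in_filter = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            parts = shlex.split(line)
            rules[parts[1]].append(parts[2:])
    return policies, rules


def option(args, flag):
    """Value following `flag` in a rule's argument list, or None if absent."""
    return args[args.index(flag) + 1] if flag in args else None


def describe(args):
    """Short summary of what a rule matches: proto/ports plus dest and ct state."""
    proto = option(args, "-p") or "any"
    ports = option(args, "--dports") or option(args, "--dport") or "any"
    if "--icmp-type" in args:
        ports = "type " + option(args, "--icmp-type")
    text = f"{proto}/{ports}"
    if "-d" in args:
        text += " to " + option(args, "-d")
    if "--ctstate" in args:
        text += " ctstate " + option(args, "--ctstate")
    return text


def reachable_accepts(rules, root="INPUT"):
    """ACCEPT rules reachable from `root`, in netfilter evaluation order.

    Jumps to user chains are followed depth-first; each chain is walked
    once, so a dump containing a jump loop cannot hang the walk.
    """
    found, seen = [], set()

    def walk(chain):
        if chain in seen:
            return
        seen.add(chain)
        for args in rules.get(chain, []):
            target = option(args, "-j")
            if target == "ACCEPT":
                if "-s" in args:
                    source = option(args, "-s")
                elif "-i" in args:
                    source = "iface " + option(args, "-i")
                else:
                    source = "anywhere"
                found.append({"chain": chain, "match": describe(args),
                              "source": source, "args": args})
            elif target and target not in TERMINAL:
                walk(target)

    walk(root)
    return found


def new_connection_exposure(rules, root="INPUT"):
    """Reachable ACCEPT rules open to any source that admit new connections."""
    return [r for r in reachable_accepts(rules, root)
            if r["source"] == "anywhere"
            and "ESTABLISHED" not in (option(r["args"], "--ctstate") or "")]


# Abridged dump constructed from the shape of the ufw ruleset in the post.
SAMPLE_DUMP = r"""
*filter
:INPUT DROP [53:2084]
:ufw-before-input - [0:0]
:ufw-user-input - [0:0]
:ufw-not-local - [0:0]
-A INPUT -j ufw-before-input
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -j DROP
-A ufw-user-input -s 192.168.1.0/24 -p tcp -m multiport --dports 139,445 -m comment --comment "\'dapp_CIFS\'" -j ACCEPT
-A ufw-user-input -p tcp -m multiport --dports 1714:1764 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    policies, rules = parse_save(SAMPLE_DUMP)
    print(f"INPUT policy: {policies['INPUT']}")
    for r in new_connection_exposure(rules):
        print(f"{r['chain']}: {r['match']} from {r['source']}")
```

Feed it `iptables-save` output from the box (`parse_save(open("dump").read())`) after every `ufw allow`; the KDE Connect range shows up as open to anywhere, while the CIFS rules do not because of their `-s`. The walk ignores non-`-j` side effects and treats a rule's `-s`/`-i` as the only restrictions, which is enough to spot a port opened wider than intended.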

----------

## SirRobin2318

Until nftables become a thing, try firehol.

This is what a config looks like:

```
server_devweb_ports="tcp/8000"
client_devweb_ports="any"

interface eth0 internet
        protection strong
        server ping accept
        server devweb accept
        server http accept
        server https accept
        server ssh accept with recent SSH 60 10
        # kolab:
        server ldap accept
        server ldaps accept
        server smtp accept
        server smtps accept
        server submission accept
        server pop3 accept
        server pop3s accept
        server imap accept
        server imaps accept
        client all accept
        server all drop

interface eth1 priv
        client all accept
        server all accept
```

----------

## 666threesixes666

https://wiki.gentoo.org/wiki/Ufw

I basically found all the snags of ufw and posted a wiki stub; I'm leaving it as a stub until I get more frontend data going in sub pages.

ufw-frontends, yeah. I have them working, but I know there are more from the Wikipedia article or something I saw of it a few days ago while I was arranging all of this.

----------

## SirRobin2318

This post got me into giving nftables a spin. 

You'll need a 3.13 kernel. Way less of a pain than iptables, this is what I'm using (not the same machine as the firehol config):

```
table firewall {
    chain incoming {
        type filter hook input priority 0;

        # bad tcp -> avoid network scanning:
        tcp flags & (fin|syn) == (fin|syn)                       drop
        tcp flags & (syn|rst) == (syn|rst)                       drop
        tcp flags & (fin|syn|rst|psh|ack|urg) < (fin)            drop # == 0 would be better, not supported yet.
        tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)   drop

        # no ping floods:
        ip protocol icmp limit rate 10/second accept
        ip protocol icmp drop

        ct state {established, related} accept
        ct state invalid drop

        iifname lo accept

        # avoid brute force on ssh:
        tcp dport {ssh} limit rate 15/minute accept

        reject
    }
}

table ip6 firewall {
    chain incoming {
        type filter hook input priority 0;

        # bad tcp:
        tcp flags & (fin|syn) == (fin|syn)                       drop
        tcp flags & (syn|rst) == (syn|rst)                       drop
        tcp flags & (fin|syn|rst|psh|ack|urg) < (fin)            drop # == 0 would be better, not supported yet.
        tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)   drop

        # no ping floods:
        ip6 nexthdr icmpv6 limit rate 10/second accept
        ip6 nexthdr icmpv6 drop

        ct state {established, related} accept
        ct state invalid counter drop

        # loopback interface
        iifname lo accept

        # avoid brute force on ssh:
        tcp dport {ssh} limit rate 15/minute accept

        reject
    }
}
```
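The four `tcp flags` lines are the part of that config most worth understanding, including the `< (fin)` workaround for the unsupported `== 0`. As an added example, not from the post, the following Python re-expresses the same four predicates over the six TCP flag bits and evaluates them for all 64 combinations: it shows which scanner probes they drop (NULL, XMAS, SYN+FIN, SYN+RST), that ordinary SYN, SYN+ACK and ACK+PSH segments pass, and that `flags & all < fin` is exactly `flags & all == 0` because FIN is the lowest flag bit.

```python
"""Evaluate the "bad tcp" flag rules from the nftables config above.

Added example, not from the original post. Flag bit values are the ones
from the TCP header; the rule predicates mirror the nft expressions.
"""
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL = FIN | SYN | RST | PSH | ACK | URG  # the (fin|syn|rst|psh|ack|urg) mask
FLAG_NAMES = [(FIN, "FIN"), (SYN, "SYN"), (RST, "RST"),
              (PSH, "PSH"), (ACK, "ACK"), (URG, "URG")]

# One predicate per rule, in the order they appear in the chain.
BAD_TCP_RULES = {
    "syn+fin": lambda f: (f & (FIN | SYN)) == (FIN | SYN),
    "syn+rst": lambda f: (f & (SYN | RST)) == (SYN | RST),
    "null":    lambda f: (f & ALL) < FIN,               # the post's stand-in for == 0
    "xmas":    lambda f: (f & ALL) == (FIN | PSH | URG),
}

# Probes a port scanner sends, and segments a normal connection uses.
PROBES = {
    "nmap -sN NULL scan":  0,
    "nmap -sX XMAS scan":  FIN | PSH | URG,
    "SYN+FIN":             SYN | FIN,
    "SYN+RST":             SYN | RST,
    "normal SYN":          SYN,
    "normal SYN+ACK":      SYN | ACK,
    "normal ACK+PSH data": ACK | PSH,
    "bare FIN (nmap -sF)": FIN,
}


def name_flags(flags):
    """Human-readable flag set, e.g. 0x12 -> 'SYN|ACK'."""
    return "|".join(name for bit, name in FLAG_NAMES if flags & bit) or "none"


def dropped_by(flags):
    """Names of the rules that drop a segment carrying exactly these flags."""
    return [name for name, rule in BAD_TCP_RULES.items() if rule(flags)]


def survivors():
    """All flag combinations that pass every one of the four rules."""
    return [f for f in range(ALL + 1) if not dropped_by(f)]


def workaround_matches_zero_check():
    """True if `flags & ALL < FIN` and `flags & ALL == 0` agree on every input.

    They do, because FIN is bit 0: the only non-negative value below 1 is 0.
    """
    return all(((f & ALL) < FIN) == ((f & ALL) == 0) for f in range(ALL + 1))


if __name__ == "__main__":
    for label, flags in PROBES.items():
        verdict = dropped_by(flags)
        outcome = "drop by " + ", ".join(verdict) if verdict else "pass"
        print(f"{label:22} {name_flags(flags):16} -> {outcome}")
    print(f"{len(survivors())} of {ALL + 1} flag combinations pass all four rules")
    print("'< fin' equals '== 0':", workaround_matches_zero_check())
```

A bare FIN with no ACK passes all four flag rules (it is in the survivors list); in the config that packet is left to the `ct state invalid drop` line that follows, so the flag rules are an early cut for the obvious scanner probes rather than the whole defence.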

----------

## <3

Thank you 666threesixes666 for taking the time to put up a Gentoo wiki page. I have not tried your installation yet, but is there nothing to configure? I don't see anything in your wiki post pertaining to configuration.

----------

## 666threesixes666

I'm not done with it. I got sidetracked with fail2ban and auto-banning clowns trying to hack my VPS.

Simply put, emerge ufw-frontends, then look in your menus for firewall manager.

xfce4 says it's pkexec /usr/sbin/ufw-gtk

or as root

ufw-gtk

If you can handle ZoneAlarm you can handle ufw-gtk. Ultra easy; I'm working on fail2ban integration & scripts behind the curtain.

There are KDE front ends for ufw too but I don't play that.

@SirRobin2318: WOW. You're making me wish the 3.13.x branch worked well on this laptop. That kernel branch is so slow it's unusable.

I also posted an nftables wiki with just links, including the one you used. https://wiki.gentoo.org/wiki/Nftables

@firewall builder: I hit their request line with ufw support to generate configs for ufw on local / remote installs.

http://upload.wikimedia.org/wikipedia/commons/3/37/Wikipedia-lolcat.jpg

----------

## <3

Hey 666threesixes666, I wanted to follow up on this post and ask you again to post your ufw configuration, as ufw has absolutely no firewall rules by default and running a firewall with no rules is pointless. Also I don't know much about networking so I am unsure what ports I should be blocking. Also portage has the package ufw-frontends for a nice frontend for ufw.

----------

## 666threesixes666

ufw blocks absolutely everything by default, even ssh.  

```
emerge ufw-frontends
```

then run

```
ufw-gtk
```

http://ualinux.com/info/udp/ufw-gtk.png

http://sabayon.cz/wp-content/blogs.dir/1/files/sabayon7-instalace/32.jpg

ufw is really easy to deal with....

----------

