From: Tim Frink on
Hi,

I've a new Linux box (running Debian Lenny) which is connected via a WLAN
card to a DSL router. The firewall of the DSL router is disabled. Now I
would like to install a firewall on my Linux system. Which connections
do I need to block in general? Are there any graphical tools that help me
to set up firewall rules? Or any out-of-the-box scripts that can be used
after a slight modification?

Thank you.

Tim
From: mjt on
On Tue, 22 Jun 2010 08:46:43 +0000 (UTC)
Tim Frink <plfriko(a)yahoo.de> wrote:

> I've a new Linux box (running Debian Lenny) which is connected via a
> WLAN card to a DSL router. The firewall of the DSL router is
> disabled. Now I would like to install a firewall on my Linux system.
> Which connections do I need to block in general?

Basically, everything except services required.

> Are there any
> graphical tools that help me to setup firewall rules? Or any
> out-of-the-box scripts that can be used after a slight modification?

http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html#s-firewall-setup

WebMin is a tool that goes well beyond configuration of a firewall
http://www.webmin.com/intro.html

--
.... If forced to travel on an airplane, try and get in the cabin with
the Captain, so you can keep an eye on him and nudge him if he falls
asleep or point out any mountains looming up ahead ...
-- Mike Harding, "The Armchair Anarchist's Almanac"
<<< Remove YOURSHOES to email me >>>

From: Jorgen Grahn on
On Tue, 2010-06-22, mjt wrote:
> On Tue, 22 Jun 2010 08:46:43 +0000 (UTC)
> Tim Frink <plfriko(a)yahoo.de> wrote:
>
>> I've a new Linux box (running Debian Lenny) which is connected via a
>> WLAN card to a DSL router. The firewall of the DSL router is
>> disabled. Now I would like to install a firewall on my Linux system.
>> Which connections do I need to block in general?
>
> Basically, everything except services required

Or nothing, if you don't run any servers, or only secure ones.

/Jorgen

--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .
From: Aragorn on
On Tuesday 22 June 2010 10:46 in comp.os.linux.networking, somebody
identifying as Tim Frink wrote...

> Hi,
>
> I've a new Linux box (running Debian Lenny) which is connected via a
> WLAN card to a DSL router. The firewall of the DSL router is disabled.
> Now I would like to install a firewall on my Linux system. Which
> connections do I need to block in general?

Only those which are in use by a service offered by your machine, and
only insofar as the firewalling rejects unsolicited connections on
said ports.

For instance, you might have "sshd" running to allow remote logins, but
you are seeing a lot of break-in attempts on that. So then you
could set up a firewalling rule that only allows access to port 22 from
a limited and trusted range of IP addresses. (Note: In the case
of "sshd", this need not necessarily be done via firewalling rules, as
the "sshd" configuration file already allows for fine-graining access to
that service, and as has been pointed out elsewhere already, it is
always a good idea to use a non-standard port for "sshd".)

Most people who have a residential internet connection and who are
inquiring about firewalling are people who come from the Windows world,
where firewalling is an absolute necessity, because Windows is by
nature very promiscuous. UNIX does not work that way, and there is no
point in blocking a given port if that port has no daemon running on
it.

> Are there any graphical tools that help me to setup firewall rules? Or
> any out-of-the-box scripts that can be used after a slight
> modification?

For graphical tools, another poster has already recommended "webmin".
It's a web-based graphical interface for system administration - not
just firewalling. Most distributions ship with "webmin" packages.

Once it's installed and properly set up, you can connect to it on port
10000. It is advised to use it with https only, especially if you
intend administering the machine remotely from another location on the
internet.

As for scripts... There are some, but considering what I wrote higher
up about how UNIX only accepts connections on ports which have a
service/daemon running on them, such scripts would be highly
specialized. For instance, if you install your machine with the Xen
hypervisor, then the management virtual machine will - provided that it
has direct access to a NIC, which is not always the case in a Xen
set-up - implement a firewalling script which secures the management
virtual machine from the internet and sets up the NIC either as a
bridge or with routing, depending on the chosen networking set-up.

There are however no general purpose scripts for firewalling on a
GNU/Linux system, because every system has different needs. Alas, and
again as I wrote higher up, people coming from the Windows world have
been badly misindoctrinated into believing that a firewall is
absolutely required under all circumstances.

With Windows, that is the case, yes, even if it were only to prevent
Windows from phoning home, because although most people don't know
this - and I don't do Windows but I'm familiar with how it works -
Windows is actually spyware that contacts Microsoft at least once every
week to let them know that you're still using an official version. A
tactic which, given the sheer number of pirated copies, doesn't seem to
serve its purpose too well. ;-)

In real operating systems however, there is no need for a firewall
except for what firewalls were really designed for, i.e. to keep the
bad guys out and let the good guys in. ;-)

--
*Aragorn*
(registered GNU/Linux user #223157)
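One way to write down the policy both mjt and Aragorn describe (refuse unsolicited inbound traffic, open only the ports a running daemon actually uses, and let sshd and webmin on 10000 be reached only from a trusted range), as an added example that is not part of the thread. The trusted range 192.0.2.0/24, the file name fw.sh and the `ipt` dry-run wrapper are assumptions; the rate-limited LOG rule goes a little beyond the thread so that rejected probes show up in syslog.

```shell
#!/bin/sh
# Host firewall for a single Debian box behind a DSL router: drop unsolicited
# inbound traffic, leave outbound open, and admit only the services this host
# really runs (sshd, and webmin on 10000 if installed).  Check what actually
# listens first with `netstat -tlnup` (as root) before opening anything.
TRUSTED_NET="${TRUSTED_NET:-192.0.2.0/24}"   # assumption: the range you administer from
SSH_PORT="${SSH_PORT:-22}"
WEBMIN_PORT="${WEBMIN_PORT:-10000}"

# With DRY_RUN=1 the iptables commands are printed instead of executed, so the
# rule set can be reviewed (or diffed) before it touches the live box.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    ipt -F                      # start from a clean filter table
    ipt -X
    ipt -P INPUT DROP           # unsolicited inbound: refused by default
    ipt -P FORWARD DROP         # this box is not a router
    ipt -P OUTPUT ACCEPT        # egress filtering is not discussed in the thread
    ipt -A INPUT -i lo -j ACCEPT                                # local services talk over loopback
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # replies to our own connections
    ipt -A INPUT -m state --state INVALID -j DROP
    # sshd only from the trusted range; sshd_config (AllowUsers, Match Address)
    # can narrow this further, as the thread notes.
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -s "$TRUSTED_NET" -m state --state NEW -j ACCEPT
    # webmin on 10000 (serve it over https only), same trusted range.
    ipt -A INPUT -p tcp --dport "$WEBMIN_PORT" -s "$TRUSTED_NET" -m state --state NEW -j ACCEPT
    # Rate-limited log of everything else, so scans show up in syslog, then reject.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
    ipt -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    ipt -A INPUT -j REJECT --reject-with icmp-port-unreachable
}

# Sanity check: the number of ports the rule set opens must match the number
# of services you meant to expose (two here).
count_open_ports() {
    ( DRY_RUN=1; apply_rules ) | grep -c -- '--dport'
}

case "${1:-}" in
    show)  DRY_RUN=1; apply_rules ;;            # sh fw.sh show   -> review rules
    apply) apply_rules ;;                       # sudo sh fw.sh apply
esac
```

Review the output of `sh fw.sh show` first; if a port appears there that no daemon listens on, the rule is pointless, as Aragorn says, and should be removed.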