help to enable and configure a good firewall for slitaz 4.0

SliTaz Forum » English Support » Packages

help to enable and configure a good firewall for slitaz 4.0

(14 posts) (6 voices)

Started 12 years ago by aquario455
Latest reply from christophe
This topic is not a support question

Tags:

No tags yet.

aquario455

offline
Member

hello!

I am using slitaz 4.0 on dell c600, now I would like to have a good firewall

I am using gufw (graphic firewall configuration) with ubuntu 12.04.1 on another laptop. I configured gufw this way: incoming=deny, outgoing=allow, and I didn't add any rule (I read it is safe to deny all incoming and allow all outgoing). This way I never had any problem, I mean I successfully can navigate, watch videos, download... (to use transmission I just have to open the right port when necessary) no matter if I use a wired or wireless connection

So I have been searching for a similar graphical firewall for slitaz, before installing and configuring the firewall:

According to this post http://forum.slitaz.org/topic/firewall:

===============================
Open terminal login root password root
hwsetup firewall
hwsetup script should install iptables change IPTABLES=no to IPTABLES=yes in /etc/firewall.conf
and start firewall with /etc/init.d/firewall start
================================

According to http://doc.slitaz.org/en:handbook:networkconf, this is a good example of using iptables

================================
# Netfilter/iptables rules.
# This shell function is included in /etc/init.d/firewall.sh
# to start iptables rules.
#
iptables_rules()
{

# Drop all connections.
iptables -P INPUT DROP
iptables -P OUTPUT DROP

# Accept all on localhost (127.0.0.1).
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Accept all on the local network (192.168.0.0/24).
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.0/24 -j ACCEPT

# Accept port 80 for the HTTP server.
iptables -A INPUT -i $INTERFACE -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -o $INTERFACE -p tcp --dport 80 -j ACCEPT

# Accept port 22 for SSH.
iptables -A INPUT -i $INTERFACE -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o $INTERFACE -tcp --sport 22 -j ACCEPT

# Accept port 21 for active FTP connections.
iptables -A INPUT -i $INTERFACE -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -i $INTERFACE -p tcp --sport 21 -j ACCEPT

}
===================================

- If I only want to deny all incoming and allow all outgoing the same safe way as gufw in ubuntu. Is it ok if I only write this iptables (without any other rule)?:

===============================
# Netfilter/iptables rules.
# This shell function is included in /etc/init.d/firewall.sh
# to start iptables rules.
#
iptables_rules()
{

# Drop all input connections.
iptables -P INPUT DROP

# Accept all output connections.
iptables -P OUTPUT ACCEPT

}
===============================

- Everytime I turn on the pc. Do I have to start the firewall with the command:

# /etc/init.d/firewall start

- Anyway, what is the right way to verify the status of the firewall (to check if it is enable or not)?

thanks for pay attention! bye

Posted 12 years ago #
gdesilva

offline
Member

@aquario455,

Edit /etc/firewall.conf using leafpad and I would suggest the following to achieve your stated objectives.

# /etc/firewall.conf: SliTaz firewall configuration.
# Config file used by: /etc/init.d/firewall.sh
#

# Network interface.
INTERFACE="eth0"

# Enable/disable kernel security.
KERNEL_SECURITY="yes"

# Enable/disable iptables rules (iptables package must be installed).
IPTABLES_RULES="yes"

# Netfilter/iptables rules.
# This shell function is included in /etc/init.d/firewall.sh
# to start iptables rules.
#
iptables_rules()
{

# Drop all input connections.
iptables -P INPUT DROP

# Drop all output connections.
iptables -P OUTPUT DROP

# Drop all forward connections.
iptables -P FORWARD DROP

# Accept input on localhost (127.0.0.1).
iptables -A INPUT -i lo -j ACCEPT

# Accept input on the local network (192.168.0.0/24).
# iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT

# Accept near all output trafic.
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Accept input trafic only for connections initialized by user.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# If you manage a HTTP/SSH/FTP/IRC server you can accept input for non-established connections an some ports.
# else you can disable the lines below for more secured setup

# Accept input on port 80 for the HTTP server.
# iptables -A INPUT -i $INTERFACE -p tcp --source-port 80 -j ACCEPT

# Accept input on port 22 for SSH.
# iptables -A INPUT -i $INTERFACE -p tcp --destination-port 22 -j ACCEPT

# Accept port 21 and, 1024 to 60310 for FTP.
# iptables -A INPUT -i $INTERFACE -p tcp --destination-port 21 -j ACCEPT
# iptables -A INPUT -i $INTERFACE -p tcp --destination-port 1024:60310 -j ACCEPT

# Accept port 6667 for IRC chat.
# iptables -A INPUT -i $INTERFACE -p tcp --source-port 6667 -j ACCEPT

# Accept unprivileged ports.
# iptables -A INPUT -i $INTERFACE -p udp --destination-port 1024:65535 -j ACCEPT

# Accept ping.
iptables -A INPUT -i $INTERFACE -p icmp -j ACCEPT

}

You probably want to allow pings to the machine. Change interface to wlan0 if using wireless.

You don't need to start up firewall every time as firewall daemon is auto started.

As root type, 'iptables -L' which will list the rules in operation.

Hope this helps.

Posted 12 years ago #
aquario455

offline
Member

hi gdesilva!

you know, your suggestion is exactly what I have right now, but as I told previously I would like to have a firewall the same way as ufw in ubuntu

please, can anybody read my post? I know a firewall is very important even in linux environment

bye!

Posted 12 years ago #
Trixar_za

offline
Key Master

ufw - as in ubuntu firewall - is a front-end for iptables which is an extension of the Linux kernel's security features. All firewall programs in Linux is just a front-end for iptables. Our firewall and firewall.conf is no exception. It's not a seperate program like in Windows. Install iptables and use gdesilva configuration and you'll have a working firewall.

Posted 12 years ago #
gdesilva

offline
Member

@aquario455, if you do not like the simplicity of editing a text file then you can try installing firewall builder package - <tazpkg get-install fwbuilder> which will give you the gui you are after.

Good luck.

Posted 12 years ago #
aquario455

offline
Member

hi all!

As I told previously, on Ubuntu I just configured gufw this way: incoming=deny, outgoing=allow, and I didn't add any other rule (I read it is safe to deny all incoming and allow all outgoing). This way I never had any problem, I mean I successfully can navigate, watch videos, download... (to use transmission I just have to open the right port when necessary) no matter if I use a wired or wireless connection

What I want to know is: If I only want to deny all incoming and allow all outgoing. Is it ok if I only write this iptables (without any other rule)? or are there any mistakes to fix?:

===============================
# Netfilter/iptables rules.
# This shell function is included in /etc/init.d/firewall.sh
# to start iptables rules.
#
iptables_rules()
{

# Drop all input connections.
iptables -P INPUT DROP

# Accept all output connections.
iptables -A OUTPUT ACCEPT

}
==================================

see you!, bye

Posted 12 years ago #
Aleksej

offline
Coder-hobbyist

Hi aquario455,

Is it ok if I only write this iptables (without any other rule)? or are there any mistakes to fix?

Try it & tell us ;D

(I'm not using any firewall, do I need it?)

Posted 12 years ago #
aquario455

offline
Member

hi Aleksej!

I tried (enabling my firewall.conf)... Now when I reboot the laptop I can't enter to desktop. This is what I get:

============================================
Slitaz GNU/Linux kernel 2.6.37-slitaz tty4

slitaz login
=============================================

I tried giving the password, entering as root, pressing CTRL+ALT+F6, CTRL+ALT+F7, startx, but nothing change

tanto ha afectado haber activado el firewall con mi propia configuración?

Posted 12 years ago #
Trixar_za

offline
Key Master

What errors do you get when you try startx? Ctrl+Alt+F7 only works if Xorg has been started (which it clearly hasn't). You may have to learn how to use nano now so you can edit files with it. Try nano /etc/firewall.conf and change IPTABLES_RULES="yes" to IPTABLES_RULES="no".

I came from Windows to Ubuntu to SliTaz, so I can tell you this with confidence: Forget everything you know. SliTaz can teach you to be better at Linux than most veteran Ubuntu user will ever be. You just need to be willing to put in the effort.

Posted 12 years ago #
aquario455

offline
Member

hi trixar_za

a long time ago I used nano to edit txt files...

you are right I can enter as root, to the location /etc/firewall.conf to edit that config file, but then the firewall is disabled. I read many times that is very important to enable the firewall (deny all input and allow all outgoing), no matter if the OS is windows or linux

so I tried to modify the default firewall.conf, because it doesn't deny all input and allow all outgoing.

by the way I did a search about this topic, but there is no clear and simple information. so I guess this is it

also right now, I am using ubuntu 12.04.1 lts (excellent!) on another laptop, and you say slitaz can teach people to be better in linux than most veteran ubuntu user will ever be... but do you think everybody is a master about PC or operating systems? or do you think everybody has enough time to search, read, and learning about specific configurations?. I dont think so

besides I dont think is good idea to speak bad about ubuntu or the people who use it, because there are a lot of reasons to use ubuntu (complete, easy, fast (I dont have problems about the speed, using unity3d), excellent support, secure,....)

don't get me wrong, I have respect about slitaz, that's it

well. bye, bye!

Posted 12 years ago #
Aleksej

offline
Coder-hobbyist

Hi aquario455,

Why you just not copy config file with iptables rules from your Ubuntu installation to SliTaz?

And, please tell, is firewall disabling fixes your booting to graphical desktop or not?

Posted 12 years ago #
Trixar_za

offline
Key Master

I have nothing against Ubuntu because it's a nice way to introduce people to Linux. The problem I have with it is that it makes most people lazy and gives them weird expectations. Nobody has the time to learn it? I learned more in my first week with SliTaz than I did using Ubuntu (8.10 to 10.04) for 2 years. That's the point: SliTaz forces you to learn how to use Linux. SliTaz doesn't hide things with abstraction or configures things for you. In that way using SliTaz WILL make you more skilled than an Ubuntu veteran because SliTaz puts you in FULL control without anything being hidden or done for you.

That said, use nano to change IPTABLES_RULES="yes" to IPTABLES_RULES="no" in /etc/firewall.conf. Reading the firewall.conf file tells you why: # Enable/disable iptables rules (iptables package must be installed). My guess? You didn't have iptables installed when you enabling it in firewall.conf which led to your current situation. So just use nano to fix /etc/firewall.conf, once in SliTaz, install the iptables package and try again.

And while we're on the subject: Having a firewall in Linux isn't that essential because Linux is secure even without it. Linux is not Windows and doesn't suffer from the same problems.

Posted 12 years ago #
domcox

offline
Administrator

@aquario455:

iptables has the ability to monitor the state of a connection and redirect, modify or stop data packets based on the state of the connection, not just on input/output connections. A firewall using iptables this way is said to be a stateful firewall.

gdesilva configuration is already very restrictive, you cannot strip it down.

Posted 12 years ago #
christophe

offline
Member

The good things with Ubuntu is that most everything works out of the box.
The not so good thing is that if something DOES NOT work then to fix it might be more problematic.

With Slitaz, it is the opposite. Many things are a challenge, but if you are patient enough to learn you have a good chance to find a way around it, and if you ask here, a very good chance to get a problem fixed

As much a i love slitaz, I had to stop trying to use as my main distro and go back to some ubuntu derivative. Though it is sometime frustrating, it is much more stable and gives less headaches. And I still need an XP virtualbox for a small number of things.... and must admit that i find it overall much more efficient that Linux. I just hate the burden of the antivirus and malware which is a lost war anyway.

And i absolutely agree with you aquario455 that not everyone has the skill and the time to make the investment in slitaz.

But Slitaz is very close to where it should be, in my view. Most most everything i need everyday is working with one or two exceptions, and i will try to solve it when i have more time again.

Slitaz will eventually go mainstream as a distrib ;) hopefully with next version...

for what concerns the firewall, I have not enabled it home (but I sit behind a NAT so the firewall is not as much needed).
I would not feel comfortable (and would not recommend) to use no firewall on a public network eg a public wifi though....

Posted 12 years ago #

RSS feed for this topic

Reply

You must log in to post.