[gentoo-user] simple firewall

[gentoo-user] simple firewall

[gigli]

Hi

I wonder if there is any easy firewall for gentoo. I tried ubuntu for a
while and used their ufw, which was very simple.

My needs:

Block incoming traffic except for sshd and https (and sometimes
bittorrent) and allow my lan to connect to my samba share, mythtv and
mysql when i use openvpn or allways, which would be easyist. My box is
usually protected by pfsense.

I have a hard time to understand iptables and i have tried guarddog and
kmyfirewall and others, didn't really like them. Something like ufw
would be nice.

Cheers
Martin

Re: [gentoo-user] simple firewall

[forgottenwizard]

On 00:24 Sun 05 Apr, gigli wrote:
> Hi
> 
> I wonder if there is any easy firewall for gentoo. I tried ubuntu for a
> while and used their ufw, which was very simple.
> 
> My needs:
> 
> Block incoming traffic except for sshd and https (and sometimes
> bittorrent) and allow my lan to connect to my samba share, mythtv and
> mysql when i use openvpn or allways, which would be easyist. My box is
> usually protected by pfsense.
> 
> I have a hard time to understand iptables and i have tried guarddog and
> kmyfirewall and others, didn't really like them. Something like ufw
> would be nice.
> 
> Cheers
> Martin
> 
> 

Something I did was setup a virtual machine and did all my trial and
error there. It keeps you from messing up your machine, and you can test
everything out at your lesure.

As for software, you could look into Shorewall and see if that works for you.

-- 
I'm not anti-social, I'm just not user friendly

Re: [gentoo-user] simple firewall

[Roy Wright]

gigli wrote:
> I wonder if there is any easy firewall for gentoo. I tried ubuntu for a
> while and used their ufw, which was very simple.
> 
> My needs:
> 
> Block incoming traffic except for sshd and https (and sometimes
> bittorrent) and allow my lan to connect to my samba share, mythtv and
> mysql when i use openvpn or allways, which would be easyist. My box is
> usually protected by pfsense.

I'll second the request.  What I'd really like is one similar to what's
on the mac where basically when an app attempts to connect to a port, a
popup asks if you want to allow it.

In the meantime I've been using shorewall which is way more complicated
than I like.

Re: [gentoo-user] simple firewall

[Florian Philipp]

[-- Attachment #1: Type: text/plain, Size: 1264 bytes --]

forgottenwizard schrieb:
> On 00:24 Sun 05 Apr, gigli wrote:
>> Hi
>>
>> I wonder if there is any easy firewall for gentoo. I tried ubuntu for a
>> while and used their ufw, which was very simple.
>>
>> My needs:
>>
>> Block incoming traffic except for sshd and https (and sometimes
>> bittorrent) and allow my lan to connect to my samba share, mythtv and
>> mysql when i use openvpn or allways, which would be easyist. My box is
>> usually protected by pfsense.
>>
>> I have a hard time to understand iptables and i have tried guarddog and
>> kmyfirewall and others, didn't really like them. Something like ufw
>> would be nice.
>>
[...]
> 
> As for software, you could look into Shorewall and see if that works for you.
> 

I second that recommendation. Shorewall is a really great piece of
software: a lot of functionality paired with a lot of documentation.

It has got support for OpenVPN and macros for most common services
(which makes it a matter of maybe a minute to add a rule for a new service).

The only downside I see is that it compiles many rules which wouldn't be
strictly necessary and therefore needs a lot of kernel modules to start
(and it doesn't always give helpful error messages when it misses a module).


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 261 bytes --]

Re: [gentoo-user] simple firewall

[gigli]

Florian Philipp skrev:
> forgottenwizard schrieb:
>> On 00:24 Sun 05 Apr, gigli wrote:
>>> Hi
>>>
>>> I wonder if there is any easy firewall for gentoo. I tried ubuntu for a
>>> while and used their ufw, which was very simple.
>>>
>>> My needs:
>>>
>>> Block incoming traffic except for sshd and https (and sometimes
>>> bittorrent) and allow my lan to connect to my samba share, mythtv and
>>> mysql when i use openvpn or allways, which would be easyist. My box is
>>> usually protected by pfsense.
>>>
>>> I have a hard time to understand iptables and i have tried guarddog and
>>> kmyfirewall and others, didn't really like them. Something like ufw
>>> would be nice.
>>>
> [...]
>> As for software, you could look into Shorewall and see if that works for you.
>>
> 
> I second that recommendation. Shorewall is a really great piece of
> software: a lot of functionality paired with a lot of documentation.
> 
> It has got support for OpenVPN and macros for most common services
> (which makes it a matter of maybe a minute to add a rule for a new service).
> 
> The only downside I see is that it compiles many rules which wouldn't be
> strictly necessary and therefore needs a lot of kernel modules to start
> (and it doesn't always give helpful error messages when it misses a module).
> 
Thanks for the answers, i will give shorewall a new try and hope i'll
make better progress thsi time

Re: [gentoo-user] simple firewall

[Peter Humphrey]

On Sunday 05 April 2009 11:41:55 gigli wrote:

> i will give shorewall a new try and hope i'll make better progress thsi
> time 

My gateway machine has three interfaces and uses shorewall to protect them. 
If you like I could tar up /etc/shorewall and send it to you. I've had to 
create macros for several services and put them in /usr/share/shorewall, 
but if you run "shorewall try /etc/shorewall" it'll tell you which you 
need. I made them by copying others and changing bits.

The three interfaces are the external network (a DSL modem), the internal 
wired network (an Ethernet switch) and a wireless network (an access 
point).

I don't suppose my setup is the acme of elegance or wit, but it seems to 
work. The rules file is 195 lines long.

-- 
Rgds
Peter

Re: [gentoo-user] simple firewall

[gigli]

Peter Humphrey skrev:
> On Sunday 05 April 2009 11:41:55 gigli wrote:
> 
>> i will give shorewall a new try and hope i'll make better progress thsi
>> time 
> 
> My gateway machine has three interfaces and uses shorewall to protect them. 
> If you like I could tar up /etc/shorewall and send it to you. I've had to 
> create macros for several services and put them in /usr/share/shorewall, 
> but if you run "shorewall try /etc/shorewall" it'll tell you which you 
> need. I made them by copying others and changing bits.
> 
> The three interfaces are the external network (a DSL modem), the internal 
> wired network (an Ethernet switch) and a wireless network (an access 
> point).
> 
> I don't suppose my setup is the acme of elegance or wit, but it seems to 
> work. The rules file is 195 lines long.
> 
Hi peter

I would be happy if you mailed me the tar. I have only one interface and
need to protect my computer while connected through openvpn, i guess
openvpn goes directly through my pfsense box bothways and it would be
nice to stay protected then. Or have i misunderstood that?

Martin
gigli@swipnet.se

Re: [gentoo-user] simple firewall

[James Stull]

[-- Attachment #1: Type: text/plain, Size: 1328 bytes --]

Have you tried Firewall Builder? You can use Firewall Builder to make all
the rules for iptables.



On Sun, Apr 5, 2009 at 8:47 AM, gigli <gigli@swipnet.se> wrote:

> Peter Humphrey skrev:
> > On Sunday 05 April 2009 11:41:55 gigli wrote:
> >
> >> i will give shorewall a new try and hope i'll make better progress thsi
> >> time
> >
> > My gateway machine has three interfaces and uses shorewall to protect
> them.
> > If you like I could tar up /etc/shorewall and send it to you. I've had to
> > create macros for several services and put them in /usr/share/shorewall,
> > but if you run "shorewall try /etc/shorewall" it'll tell you which you
> > need. I made them by copying others and changing bits.
> >
> > The three interfaces are the external network (a DSL modem), the internal
> > wired network (an Ethernet switch) and a wireless network (an access
> > point).
> >
> > I don't suppose my setup is the acme of elegance or wit, but it seems to
> > work. The rules file is 195 lines long.
> >
> Hi peter
>
> I would be happy if you mailed me the tar. I have only one interface and
> need to protect my computer while connected through openvpn, i guess
> openvpn goes directly through my pfsense box bothways and it would be
> nice to stay protected then. Or have i misunderstood that?
>
> Martin
> gigli@swipnet.se
>
>

[-- Attachment #2: Type: text/html, Size: 1873 bytes --]

Re: [gentoo-user] simple firewall

[Andreas Niederl]

Hi,

gigli wrote:
> Hi
> 
> I wonder if there is any easy firewall for gentoo. I tried ubuntu for a
> while and used their ufw, which was very simple.
> 
> My needs:
> 
> Block incoming traffic except for sshd and https (and sometimes
> bittorrent) and allow my lan to connect to my samba share, mythtv and
> mysql when i use openvpn or allways, which would be easyist. My box is
> usually protected by pfsense.

net-firewall/firehol is a fairly light-weight iptables rule generator.

You just have to specify which services to allow and in some cases
protocol and portnumber for services unknown to firehol.


Regards,
Andi

Re: [gentoo-user] simple firewall

[Liviu Andronic]

On Sun, Apr 5, 2009 at 12:24 AM, gigli <gigli@swipnet.se> wrote:
> kmyfirewall and others, didn't really like them. Something like ufw
> would be nice.
>
The other day I filed a bug report for gufw [1], but there's no ebuild sofar.
Liviu

[1] http://bugs.gentoo.org/show_bug.cgi?id=264912



-- 
Do you know how to read?
http://www.alienetworks.com/srtest.cfm
Do you know how to write?
http://garbl.home.comcast.net/~garbl/stylemanual/e.htm#e-mail