
#51 2016-07-03 22:28:34

cloverskull
Member
Registered: 2015-10-01
Posts: 307

Re: Firewall for the lazy

@HoaS - have you tried ufw? It's excellent, lightweight, painfully simple, and works quite well. I'm happy to write up a quick howto if you think it's beneficial.

In fact, I think I may do it anyway. Starting a new thread, huzzah!


#52 2016-07-04 16:06:09

martix
Kim Jong-un Stunt Double
Registered: 2016-02-19
Posts: 1,267

Re: Firewall for the lazy

Head_on_a_Stick wrote:

No, the package has changed the stock configuration file so there is an extra step required now


Indeed, thank you, that solved the issue!

It's a bit surprising though if the firewall configuration changes without notice. Probably I missed some release note somewhere. Anyhow it looks now like the output you posted.


#53 2017-06-09 19:32:13

Sector11
The Tpyo Knig Mod
From: 77345 ¡#
Registered: 2015-08-20
Posts: 5,554

Re: Firewall for the lazy

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHH!

Start:

 09 Jun 17 @ 16:06:34 ~
   $ sudo apt-get install -t jessie-backports nftables linux-image-amd64
[sudo] password for sector11: 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following package was automatically installed and is no longer required:
  libuuid-perl
Use 'apt-get autoremove' to remove it.
The following extra packages will be installed:
  irqbalance libjansson4 libnftnl4 linux-base linux-image-4.9.0-0.bpo.3-amd64
Suggested packages:
  linux-doc-4.9 debian-kernel-handbook
The following NEW packages will be installed:
  irqbalance libjansson4 libnftnl4 linux-image-4.9.0-0.bpo.3-amd64 linux-image-amd64 nftables
The following packages will be upgraded:
  linux-base
1 upgraded, 6 newly installed, 0 to remove and 173 not upgraded.
Need to get 38.8 MB of archives.
After this operation, 192 MB of additional disk space will be used.
Do you want to continue? [Y/n] 
Get:1 http://ftp.us.debian.org/debian/ jessie/main libjansson4 amd64 2.7-1+deb8u1 [34.1 kB]
Get:2 http://ftp.us.debian.org//debian/ jessie-backports/main libnftnl4 amd64 1.0.7-1~bpo8+1 [65.1 kB]
Get:3 http://ftp.us.debian.org//debian/ jessie-backports/main nftables amd64 0.6-1~bpo8+1 [132 kB]
Get:4 http://ftp.us.debian.org//debian/ jessie-backports/main linux-base all 4.3~bpo8+1 [19.0 kB]
Get:5 http://ftp.us.debian.org//debian/ jessie-backports/main linux-image-4.9.0-0.bpo.3-amd64 amd64 4.9.25-1~bpo8+1 [38.5 MB]
Get:6 http://ftp.us.debian.org//debian/ jessie-backports/main linux-image-amd64 amd64 4.9+80~bpo8+1 [7,108 B]                                
Get:7 http://ftp.us.debian.org//debian/ jessie-backports/main irqbalance amd64 1.1.0-2~bpo8+1 [35.1 kB]                                      
Fetched 38.8 MB in 32s (1,195 kB/s)                                                                                                          
Retrieving bug reports... Done
Parsing Found/Fixed information... Done
Reading changelogs... Done
Preconfiguring packages ...
Selecting previously unselected package libjansson4:amd64.
(Reading database ... 204022 files and directories currently installed.)
Preparing to unpack .../libjansson4_2.7-1+deb8u1_amd64.deb ...
Unpacking libjansson4:amd64 (2.7-1+deb8u1) ...
Selecting previously unselected package libnftnl4:amd64.
Preparing to unpack .../libnftnl4_1.0.7-1~bpo8+1_amd64.deb ...
Unpacking libnftnl4:amd64 (1.0.7-1~bpo8+1) ...
Selecting previously unselected package nftables.
Preparing to unpack .../nftables_0.6-1~bpo8+1_amd64.deb ...
Unpacking nftables (0.6-1~bpo8+1) ...
Preparing to unpack .../linux-base_4.3~bpo8+1_all.deb ...
Unpacking linux-base (4.3~bpo8+1) over (3.5) ...
Selecting previously unselected package linux-image-4.9.0-0.bpo.3-amd64.
Preparing to unpack .../linux-image-4.9.0-0.bpo.3-amd64_4.9.25-1~bpo8+1_amd64.deb ...
Unpacking linux-image-4.9.0-0.bpo.3-amd64 (4.9.25-1~bpo8+1) ...
Selecting previously unselected package linux-image-amd64.
Preparing to unpack .../linux-image-amd64_4.9+80~bpo8+1_amd64.deb ...
Unpacking linux-image-amd64 (4.9+80~bpo8+1) ...
Selecting previously unselected package irqbalance.
Preparing to unpack .../irqbalance_1.1.0-2~bpo8+1_amd64.deb ...
Unpacking irqbalance (1.1.0-2~bpo8+1) ...
Processing triggers for man-db (2.7.0.2-5) ...
Processing triggers for systemd (215-17+deb8u7) ...
Setting up libjansson4:amd64 (2.7-1+deb8u1) ...
Setting up libnftnl4:amd64 (1.0.7-1~bpo8+1) ...
Setting up nftables (0.6-1~bpo8+1) ...
Setting up linux-base (4.3~bpo8+1) ...
Setting up linux-image-4.9.0-0.bpo.3-amd64 (4.9.25-1~bpo8+1) ...
I: /initrd.img.old is now a symlink to boot/initrd.img-3.16.0-4-amd64
I: /vmlinuz is now a symlink to boot/vmlinuz-4.9.0-0.bpo.3-amd64
I: /initrd.img is now a symlink to boot/initrd.img-4.9.0-0.bpo.3-amd64
/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-4.9.0-0.bpo.3-amd64
/etc/kernel/postinst.d/zz-update-grub:
Generating grub configuration file ...
Found background image: /usr/share/images/desktop-base/desktop-grub.png
Found linux image: /boot/vmlinuz-4.9.0-0.bpo.3-amd64
Found initrd image: /boot/initrd.img-4.9.0-0.bpo.3-amd64
Found linux image: /boot/vmlinuz-3.16.0-4-amd64
Found initrd image: /boot/initrd.img-3.16.0-4-amd64
Found BunsenLabs GNU/Linux 8.7 (Hydrogen) (8.7) on /dev/sda1
done
Setting up linux-image-amd64 (4.9+80~bpo8+1) ...
Setting up irqbalance (1.1.0-2~bpo8+1) ...
Processing triggers for libc-bin (2.19-18+deb8u9) ...
Processing triggers for systemd (215-17+deb8u7) ...
 
 09 Jun 17 @ 16:08:20 ~
   $ sudo cp /usr/share/doc/nftables/examples/syntax/workstation /etc/nftables.conf
 
 09 Jun 17 @ 16:09:07 ~
   $ sudo systemctl start nftables
Job for nftables.service failed. See 'systemctl status nftables.service' and 'journalctl -xn' for details.
 
 09 Jun 17 @ 16:09:29 ~
   $ systemctl status nftables.service
● nftables.service - nftables
   Loaded: loaded (/lib/systemd/system/nftables.service; disabled)
   Active: failed (Result: exit-code) since Fri 2017-06-09 16:09:29 -03; 36s ago
     Docs: man:nft(8)
           http://wiki.nftables.org
  Process: 26628 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=1/FAILURE)
 Main PID: 26628 (code=exited, status=1/FAILURE)

did:

 09 Jun 17 @ 16:11:36 ~
   $ apt-cache policy nftables
nftables:
  Installed: 0.6-1~bpo8+1
  Candidate: 0.6-1~bpo8+1
  Version table:
 *** 0.6-1~bpo8+1 0
        100 http://ftp.us.debian.org//debian/ jessie-backports/main amd64 Packages
        100 /var/lib/dpkg/status

did:

 09 Jun 17 @ 16:11:38 ~
   $ grep -R backports /etc/apt/sources.list{,.d/*}
/etc/apt/sources.list:deb http://ftp.us.debian.org//debian jessie-backports main contrib non-free
/etc/apt/sources.list:# deb http://httpredir.debian.org/debian jessie-backports main contrib non-free
/etc/apt/sources.list.d/bunsen-jessie-backports.list:deb http://pkg.bunsenlabs.org/debian jessie-backports main

then I did:

 09 Jun 17 @ 16:11:49 ~
   $ sudo journalctl -xn
[sudo] password for sector11: 
 
 09 Jun 17 @ 16:16:18 ~
   $ systemctl start nftables
Failed to start nftables.service: Access denied
 
 09 Jun 17 @ 16:16:22 ~
   $ sudo systemctl start nftables
Job for nftables.service failed. See 'systemctl status nftables.service' and 'journalctl -xn' for details.
 
 09 Jun 17 @ 16:16:30 ~
   $ systemctl list-unit-files | grep enabled
cups.path                              enabled 
anacron-resume.service                 enabled 
anacron.service                        enabled 
atd.service                            enabled 
avahi-daemon.service                   enabled 
cron.service                           enabled 
cups.service                           enabled 
dbus-org.freedesktop.Avahi.service     enabled 
display-manager.service                enabled 
getty@.service                         enabled 
hwclock-save.service                   enabled 
lightdm.service                        enabled 
lm-sensors.service                     enabled 
pppd-dns.service                       enabled 
rsyslog.service                        enabled 
smartd.service                         enabled 
syslog.service                         enabled 
vnstat.service                         enabled 
avahi-daemon.socket                    enabled 
cups.socket                            enabled 
remote-fs.target                       enabled 
bunsen-pepperflash.timer               enabled 
 
 09 Jun 17 @ 16:17:24 ~
   $ sudo systemctl enable nftables.service
Created symlink from /etc/systemd/system/multi-user.target.wants/nftables.service to /lib/systemd/system/nftables.service.
 
 09 Jun 17 @ 16:18:10 ~
   $ sudo nft list ruleset
 
 09 Jun 17 @ 16:19:03 ~
   $ systemctl status nftables.service
● nftables.service - nftables
   Loaded: loaded (/lib/systemd/system/nftables.service; enabled)
   Active: failed (Result: exit-code) since Fri 2017-06-09 16:16:30 -03; 3min 1s ago
     Docs: man:nft(8)
           http://wiki.nftables.org
 Main PID: 27416 (code=exited, status=1/FAILURE)
 
 09 Jun 17 @ 16:19:31 ~
   $ 

And I think (danger: thinking) it might be an ip6 thing.

 09 Jun 17 @ 16:26:09 ~
   $ cat /etc/nftables.conf
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
	chain input {
		type filter hook input priority 0;

		# accept any localhost traffic
		iif lo accept

		# accept traffic originated from us
		ct state established,related accept

		# activate the following line to accept common local services
		#tcp dport { 22, 80, 443 } ct state new accept

		# accept neighbour discovery otherwise IPv6 connectivity breaks.
		ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit,  nd-router-advert, nd-neighbor-advert } accept

		# count and drop any other traffic
		counter drop
	}
}
 
 09 Jun 17 @ 16:30:03 ~
   $ 

S11 doesn't have ip6 - nor a router. Now what?

HELP!


BunsenLabs Forum Rules ---== I'm a Conky 1.9'er ==---
System:    Host: d67 Kernel: 4.9.0-9-amd64 x86_64 (64 bit gcc: 6.3.0)
Desktop: Openbox 3.6.1 Distro: Debian GNU/Linux 9 (stretch)


#54 2017-06-09 19:39:04

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: Firewall for the lazy

What do these say:

sudo systemctl start nftables
sudo journalctl -u nftables

Last edited by Head_on_a_Stick (2017-06-09 19:51:34)


“Et ignotas animum dimittit in artes.” — Ovid, Metamorphoses, VIII., 18.

Forum Rules   •   How to report a problem   •   Software that rocks


#55 2017-06-09 20:01:13

Sector11
The Tpyo Knig Mod
From: 77345 ¡#
Registered: 2015-08-20
Posts: 5,554

Re: Firewall for the lazy

Head_on_a_Stick wrote:

What do these say:

sudo systemctl start nftables
sudo journalctl -u nftables

sudo systemctl start nftables

 09 Jun 17 @ 16:56:10 ~
   $ sudo systemctl start nftables
[sudo] password for sector11: 
Job for nftables.service failed. See 'systemctl status nftables.service' and 'journalctl -xn' for details.

See 'systemctl status nftables.service' and 'journalctl -xn' below.

sudo journalctl -u nftables

-- Logs begin at Fri 2017-06-09 09:01:26 -03, end at Fri 2017-06-09 16:56:28 -03. --
Jun 09 16:09:28 bunsen systemd[1]: Starting nftables...
Jun 09 16:09:29 bunsen nft[26628]: /etc/nftables.conf:3:1-14: Error: Could not process rule: Address family not supported by protocol
Jun 09 16:09:29 bunsen nft[26628]: flush ruleset
Jun 09 16:09:29 bunsen nft[26628]: ^^^^^^^^^^^^^^
Jun 09 16:09:29 bunsen nft[26628]: /etc/nftables.conf:3:1-14: Error: Could not process rule: Address family not supported by protocol
Jun 09 16:09:29 bunsen nft[26628]: flush ruleset
Jun 09 16:09:29 bunsen nft[26628]: ^^^^^^^^^^^^^^
Jun 09 16:09:29 bunsen nft[26628]: /etc/nftables.conf:3:1-14: Error: Could not process rule: Address family not supported by protocol
Jun 09 16:09:29 bunsen nft[26628]: flush ruleset
Jun 09 16:09:29 bunsen nft[26628]: ^^^^^^^^^^^^^^
Jun 09 16:09:29 bunsen nft[26628]: /etc/nftables.conf:3:1-14: Error: Could not process rule: Address family not supported by protocol
Jun 09 16:09:29 bunsen nft[26628]: flush ruleset
Jun 09 16:09:29 bunsen nft[26628]: ^^^^^^^^^^^^^^
Jun 09 16:09:29 bunsen nft[26628]: /etc/nftables.conf:3:1-14: Error: Could not process rule: Address family not supported by protocol
Jun 09 16:09:29 bunsen nft[26628]: flush ruleset
Jun 09 16:09:29 bunsen nft[26628]: ^^^^^^^^^^^^^^
Jun 09 16:09:29 bunsen nft[26628]: /etc/nftables.conf:3:1-14: Error: Could not process rule: Address family not supported by protocol
Jun 09 16:09:29 bunsen nft[26628]: flush ruleset
Jun 09 16:09:29 bunsen nft[26628]: ^^^^^^^^^^^^^^
Jun 09 16:09:29 bunsen systemd[1]: nftables.service: main process exited, code=exited, status=1/FAILURE
Jun 09 16:09:29 bunsen systemd[1]: Failed to start nftables.
Jun 09 16:09:29 bunsen systemd[1]: Unit nftables.service entered failed state.
Jun 09 16:16:30 bunsen systemd[1]: Starting nftables...
Jun 09 16:16:30 bunsen nft[27416]: /etc/nftables.conf:3:1-14: Error: Could not process rule: Address family not supported by protocol
Jun 09 16:16:30 bunsen nft[27416]: flush ruleset
Jun 09 16:16:30 bunsen nft[27416]: ^^^^^^^^^^^^^^
Jun 09 16:16:30 bunsen systemd[1]: nftables.service: main process exited, code=exited, status=1/FAILURE
Jun 09 16:16:30 bunsen systemd[1]: Failed to start nftables.
Jun 09 16:16:30 bunsen systemd[1]: Unit nftables.service entered failed state.
Jun 09 16:25:59 bunsen systemd[1]: Starting nftables...
Jun 09 16:25:59 bunsen nft[29649]: /etc/nftables.conf:3:1-14: Error: Could not process rule: Address family not supported by protocol
Jun 09 16:25:59 bunsen nft[29649]: flush ruleset
Jun 09 16:25:59 bunsen nft[29649]: ^^^^^^^^^^^^^^
Jun 09 16:25:59 bunsen systemd[1]: nftables.service: main process exited, code=exited, status=1/FAILURE
Jun 09 16:25:59 bunsen systemd[1]: Failed to start nftables.
Jun 09 16:25:59 bunsen systemd[1]: Unit nftables.service entered failed state.
Jun 09 16:56:17 bunsen systemd[1]: Starting nftables...
Jun 09 16:56:17 bunsen nft[3054]: /etc/nftables.conf:3:1-14: Error: Could not process rule: Address family not supported by protocol
Jun 09 16:56:17 bunsen nft[3054]: flush ruleset
Jun 09 16:56:17 bunsen nft[3054]: ^^^^^^^^^^^^^^
Jun 09 16:56:17 bunsen systemd[1]: nftables.service: main process exited, code=exited, status=1/FAILURE
Jun 09 16:56:17 bunsen systemd[1]: Failed to start nftables.
Jun 09 16:56:17 bunsen systemd[1]: Unit nftables.service entered failed state.

systemctl status nftables.service

 09 Jun 17 @ 16:57:34 ~
   $ systemctl status nftables.service
● nftables.service - nftables
   Loaded: loaded (/lib/systemd/system/nftables.service; enabled)
   Active: failed (Result: exit-code) since Fri 2017-06-09 16:56:17 -03; 2min 17s ago
     Docs: man:nft(8)
           http://wiki.nftables.org
  Process: 3054 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=1/FAILURE)
 Main PID: 3054 (code=exited, status=1/FAILURE)
 
 09 Jun 17 @ 16:58:34 ~
   $ 

sudo journalctl -xn

-- Logs begin at Fri 2017-06-09 09:01:26 -03, end at Fri 2017-06-09 16:59:22 -03. --
Jun 09 16:56:17 bunsen nft[3054]: ^^^^^^^^^^^^^^
Jun 09 16:56:17 bunsen systemd[1]: nftables.service: main process exited, code=exited, status=1/FAILURE
Jun 09 16:56:17 bunsen systemd[1]: Failed to start nftables.
-- Subject: Unit nftables.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit nftables.service has failed.
--
-- The result is failed.
Jun 09 16:56:17 bunsen systemd[1]: Unit nftables.service entered failed state.
Jun 09 16:56:17 bunsen sudo[3046]: pam_unix(sudo:session): session closed for user root
Jun 09 16:56:28 bunsen sudo[3072]: sector11 : TTY=pts/0 ; PWD=/home/sector11 ; USER=root ; COMMAND=/bin/journalctl -u nftables
Jun 09 16:56:28 bunsen sudo[3072]: pam_unix(sudo:session): session opened for user root by sector11(uid=0)
Jun 09 16:57:34 bunsen sudo[3072]: pam_unix(sudo:session): session closed for user root
Jun 09 16:59:22 bunsen sudo[3432]: sector11 : TTY=pts/0 ; PWD=/home/sector11 ; USER=root ; COMMAND=/bin/journalctl -xn
Jun 09 16:59:22 bunsen sudo[3432]: pam_unix(sudo:session): session opened for user root by sector11(uid=0)


#56 2017-06-09 20:08:00

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: Firewall for the lazy

Try commenting out this line from /etc/nftables.conf:

# flush ruleset

Sorry but I'm in OpenBSD atm so I can't test directly.



#57 2017-06-09 20:08:10

Sector11
The Tpyo Knig Mod
From: 77345 ¡#
Registered: 2015-08-20
Posts: 5,554

Re: Firewall for the lazy

ifconfig tells me ip6 so that's cleared up.



#58 2017-06-09 20:12:55

Sector11
The Tpyo Knig Mod
From: 77345 ¡#
Registered: 2015-08-20
Posts: 5,554

Re: Firewall for the lazy

Head_on_a_Stick wrote:

Try commenting out this line from /etc/nftables.conf:

# flush ruleset

Sorry but I'm in OpenBSD atm so I can't test directly.

Done ... where do I start now?



#59 2017-06-09 20:15:51

Sector11
The Tpyo Knig Mod
From: 77345 ¡#
Registered: 2015-08-20
Posts: 5,554

Re: Firewall for the lazy

OK, that worked ....

 09 Jun 17 @ 17:14:23 ~
   $ sudo systemctl start nftables
[sudo] password for sector11: 
 
 09 Jun 17 @ 17:14:30 ~
   $ systemctl status nftables.service
● nftables.service - nftables
   Loaded: loaded (/lib/systemd/system/nftables.service; enabled)
   Active: active (exited) since Fri 2017-06-09 17:11:42 -03; 3min 3s ago
     Docs: man:nft(8)
           http://wiki.nftables.org
  Process: 6030 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=0/SUCCESS)
 Main PID: 6030 (code=exited, status=0/SUCCESS)
 
 09 Jun 17 @ 17:14:46 ~
   $ sudo systemctl enable nftables
 
 09 Jun 17 @ 17:15:46 ~
   $ systemctl list-unit-files | grep enabled
cups.path                              enabled 
anacron-resume.service                 enabled 
anacron.service                        enabled 
atd.service                            enabled 
avahi-daemon.service                   enabled 
cron.service                           enabled 
cups.service                           enabled 
dbus-org.freedesktop.Avahi.service     enabled 
display-manager.service                enabled 
getty@.service                         enabled 
hwclock-save.service                   enabled 
lightdm.service                        enabled 
lm-sensors.service                     enabled 
nftables.service                       enabled 
pppd-dns.service                       enabled 
rsyslog.service                        enabled 
smartd.service                         enabled 
syslog.service                         enabled 
vnstat.service                         enabled 
avahi-daemon.socket                    enabled 
cups.socket                            enabled 
remote-fs.target                       enabled 
bunsen-pepperflash.timer               enabled 
 
 09 Jun 17 @ 17:16:17 ~
   $ 

Thank you!

====================
EDIT: According to the "email" I got, I beat you to it; see, I have "A Round Tuit".

Last edited by Sector11 (2017-06-09 20:29:56)



#60 2017-06-09 20:19:13

Sector11
The Tpyo Knig Mod
From: 77345 ¡#
Registered: 2015-08-20
Posts: 5,554

Re: Firewall for the lazy

So now for the first time in Linuxlandia I have a firewall?


Well, I played with one back in Ubuntu days 2007/8 but never got it to work so gave up.

Wouldn't it be a good idea to have this as a default setting?



#61 2017-06-09 20:24:02

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: Firewall for the lazy

Sector11 wrote:

So now for the first time in Linuxlandia I have a firewall?

Looks like it, yes.

Wouldn't it be a good idea to have this as a default setting?

Perhaps for Helium/stretch (nftables is only in jessie-backports), but as I said most users do not require a firewall and we usually adopt the upstream default.



#62 2017-06-09 20:33:10

Sector11
The Tpyo Knig Mod
From: 77345 ¡#
Registered: 2015-08-20
Posts: 5,554

Re: Firewall for the lazy

Quick question:

How does a user know if they fall into the "do not require a firewall" group?

Now he's going to tell me - "Well, S11, you're in the: Do not require a Firewall Group"



#63 2017-06-09 20:45:09

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: Firewall for the lazy

Sector11 wrote:

How does a user know if they fall into the "do not require a firewall group."

That's a good question.

Debian ships with most ports closed but if programs are installed that "listen" to the internet then a firewall may be required; examples of such applications would be the Apache HTTP server (used to host websites) and the Samba file sharing system.

This link is from the Comical crowd but it still applies to our corner of Tuxland:

https://help.ubuntu.com/community/DoINeedAFirewall


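To make the "programs that listen to the internet" criterion concrete, here is an added shell example (not from the thread or from BunsenLabs) that reads `ss -lntu` output and reports the sockets bound to something other than a loopback address, which are the only ones a host firewall would have to cover. The `ss` output embedded below is a constructed sample, not a capture from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): which listening sockets are reachable from
# the network? Loopback-only listeners (127.0.0.0/8, ::1) cannot be hit from
# outside; anything else (wildcard, LAN or public address) is what a firewall
# would have to cover. Input format is that of `ss -lntu` (header line optional).

# exposed_listeners < ss-output
# Prints "PROTO HOST PORT" for each socket not bound to a loopback address.
exposed_listeners() {
    while read -r netid state recvq sendq laddr raddr; do
        case $netid in
            ""|Netid) continue ;;            # blank line or the ss header
        esac
        host=${laddr%:*}                     # drop ":PORT" after the last colon
        port=${laddr##*:}
        case $host in
            127.*|"[::1]") ;;                # loopback only: not network-reachable
            *) printf '%s %s %s\n' "$netid" "$host" "$port" ;;
        esac
    done
}

# count_exposed < ss-output: number of network-reachable listeners.
count_exposed() {
    exposed_listeners | wc -l | tr -d ' '
}

# firewall_worth_considering < ss-output: succeeds when at least one listener is
# reachable from the network, i.e. the case the post above describes.
firewall_worth_considering() {
    [ "$(count_exposed)" -gt 0 ]
}

# Constructed sample in `ss -lntu` layout (not a real capture): sshd on all
# addresses, CUPS on loopback only, avahi on a wildcard UDP port, Samba on a LAN address.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:5353        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      50     192.168.1.10:445    0.0.0.0:*
tcp   LISTEN 0      128    [::]:22             [::]:*
tcp   LISTEN 0      128    [::1]:631           [::]:*'

# Stand-alone run over the sample. On a live host use:  ss -lntu | exposed_listeners
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
if printf '%s\n' "$SAMPLE_SS" | firewall_worth_considering; then
    echo "=> network-reachable listeners present; a host firewall is worth considering"
else
    echo "=> only loopback listeners; nothing for a host firewall to cover"
fi
```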

#64 2017-06-09 20:57:08

bigbenaugust
Member
From: unc.edu / the 919 / KIGX
Registered: 2017-05-20
Posts: 167

Re: Firewall for the lazy

I've been using ufw for a while on my Debian and Ubuntu machines. Looks like it still exists in stretch.


--Ben
BL / MX / Raspbian... and a whole bunch of RHEL boxes. :)


#65 2017-06-09 21:07:30

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: Firewall for the lazy

bigbenaugust wrote:

ufw

That's a nice abstraction but one of the reasons I prefer nftables is because the ruleset is declarative in nature and just as easy to understand as ufw without needing an extra layer to help the user understand the syntax.



#66 2017-06-09 21:45:50

p9000
Member
Registered: 2017-05-28
Posts: 22

Re: Firewall for the lazy

Ws the cfg lng dsgned by a 14 yr old grl addictd 2 txting?


#67 2017-06-09 21:50:05

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: Firewall for the lazy

^ Vowels are bloat!




#68 2017-06-09 21:50:19

Sector11
The Tpyo Knig Mod
From: 77345 ¡#
Registered: 2015-08-20
Posts: 5,554

Re: Firewall for the lazy

Head_on_a_Stick wrote:

This link is from the Comical crowd but it still applies to our corner of Tuxland:

https://help.ubuntu.com/community/DoINeedAFirewall

lol lol lol  Comical Crowd.  That's a keeper.

1. Let's see how I do with the "Straight Man"

This Internet probe sends up to ten (10) UPnP Simple Service Discovery Protocol (SSDP) M-SEARCH UDP packets, one every half-second, to our visitor's current IPv4 address (1xx.xxx.xxx.xx) in an attempt to solicit a response from any publicly exposed and listening UPnP SSDP service. The UPnP protocols were never designed to be exposed to the public Internet, and any Internet-facing equipment which does so should be considered defective, insecure, and unusable. Any such equipment should be disconnected immediately.

Your equipment at IP:  1xx.xxx.xxx.xx

Is now being queried:

THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!
(That's good news!)

There is no question whether hackers are, in fact, currently sweeping the Internet for the presence of exposed and vulnerable consumer Internet routers in order to gain access to the private networks residing behind them. Just such hacking packets are now being detected across the Internet. Scanning is underway and the threat is real.

Whenever changes are made to your network configuration, whenever you update your router's firmware, and also from time to time just to be sure, you should consider re-running this quick test to confirm that your Internet-facing equipment is continuing to ignore all attempts at its subversion through the Universal Plug n'Play (UPnP) protocols.

-----
2. https://www.hackerwatch.org/probe/

Generate Port Events

The server will now send packets to your computer.

You will receive event warnings if:
    Your computer is connected directly to the Internet
    Your computer is not connected through a proxy server or NAT
    Your firewall is running

RESULT:
The page cannot be displayed because an internal server error has occurred.

Now that's funny!  Or Not!
-----
3.  http://ccm.net/faq/2204-testing-your-firewall-online
- Common Ports:
Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.

I like all those:  There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

- All Service Ports:  ALL Green - the writeup is identical to the paragraph above.

https://www.grc.com/x/ne.dll?rh1dkyd2 <<-- MUST Read.  smile

COLOUR ME big_smile

Last edited by Sector11 (2017-06-09 22:11:13)



#69 2017-06-10 00:41:55

johnraff
nullglob
From: Nagoya, Japan
Registered: 2015-09-09
Posts: 5,829
Website

Re: Firewall for the lazy

Sector11 wrote:

http://ccm.net/faq/2204-testing-your-firewall-online
- Common Ports:
Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests.

I got the same. No firewall here, but maybe it's my router doing the same job.


John
--------------------
( a boring Japan blog , Japan Links, idle twitterings  and GitStuff )
In case you forget, the rules.


#70 2017-06-10 01:15:31

Sector11
The Tpyo Knig Mod
From: 77345 ¡#
Registered: 2015-08-20
Posts: 5,554

Re: Firewall for the lazy

I remember my install of Ubuntu/Xubuntu failing that ... well, it had a lot of red blocks at least.

I would think your router would have a firewall.



#71 2017-06-10 02:44:22

bigbenaugust
Member
From: unc.edu / the 919 / KIGX
Registered: 2017-05-20
Posts: 167

Re: Firewall for the lazy

Head_on_a_Stick wrote:
bigbenaugust wrote:

ufw

That's a nice abstraction but one of the reasons I prefer nftables is because the ruleset is declarative in nature and just as easy to understand as ufw without needing an extra layer to help the user understand the syntax.

True, but on a few hundred RH boxes at work we define all of the iptables rules in Puppet anyway, so very, very rarely do I have to sit down and write raw firewall rules.



#72 2017-06-10 16:55:13

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: Firewall for the lazy

^ Thanks for reminding me about this...

I'm now in BunsenLabs (Diproton) and it's using the stock "workstation" rules with the "flush ruleset" line present and un-commented and the rules are loading just fine:

empty@Diproton:~ $ grep flush /etc/nftables.conf
flush ruleset
empty@Diproton:~ $ sudo nft -f /etc/nftables.conf
empty@Diproton:~ $ sudo nft list ruleset
table inet filter {
        chain input {
                type filter hook input priority 0; policy accept;
                iif "lo" accept
                ct state established,related accept
                counter packets 1 bytes 36 drop
        }
}
empty@Diproton:~ $

hmm

No idea why that line is a problem for your system.

Also:

S11 wrote:

That site just probes your ports (fnar!), the firewall does not affect the result.

For the record, my Win10 system also returns a sea of green on that "test".



#73 2017-06-10 17:06:31

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: Firewall for the lazy

You need kernel version >3.18 for `flush ruleset` to work:

https://lists.debian.org/debian-backpor … 00042.html

Are you using the backported kernel?

cat /proc/version

This has actually come up already in this very thread; I'm not having a good week here.

https://forums.bunsenlabs.org/viewtopic … 376#p30376


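Since the failure earlier in this thread was exactly this kernel-version problem, here is an added shell example (not from the thread or from BunsenLabs) that checks a /proc/version line against the 3.18 threshold, recognises the journal signature posted above, and applies Head_on_a_Stick's comment-out workaround only when the kernel needs it. The /proc/version strings and the config are constructed samples; the journal lines are copied from the post above; treating 3.18 itself as supported is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for the `flush ruleset`
# failure seen earlier in this thread. Per Head_on_a_Stick, `flush ruleset` needs
# a kernel newer than 3.18; stock jessie runs 3.16, jessie-backports ships 4.9.
# Assumption: 3.18 itself counts as supported (the threshold used is >= 3.18).

# kernel_major_minor PROC_VERSION_LINE: print "MAJOR.MINOR" from a /proc/version line.
kernel_major_minor() {
    v=${1#"Linux version "}        # "3.16.0-4-amd64 (...) ..."
    v=${v%% *}                     # "3.16.0-4-amd64"
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    printf '%s.%s\n' "$major" "$minor"
}

# version_ge A B: succeed if MAJOR.MINOR version A is at least B. Components are
# compared numerically, so 3.9 < 3.18 as it should be.
version_ge() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    if [ "$a_major" -ne "$b_major" ]; then
        [ "$a_major" -gt "$b_major" ]
    else
        [ "$a_minor" -ge "$b_minor" ]
    fi
}

# flush_ruleset_supported PROC_VERSION_LINE: succeed if this kernel can run `flush ruleset`.
flush_ruleset_supported() {
    version_ge "$(kernel_major_minor "$1")" 3.18
}

# journal_shows_flush_error JOURNAL_TEXT: succeed if the journal carries the
# signature seen in this thread: "Address family not supported by protocol"
# raised on the `flush ruleset` statement.
journal_shows_flush_error() {
    printf '%s\n' "$1" | grep -q 'Error: Could not process rule: Address family not supported by protocol' &&
        printf '%s\n' "$1" | grep -q 'nft\[[0-9]*\]: flush ruleset$'
}

# adapt_conf PROC_VERSION_LINE < nftables.conf
# Copies the config to stdout; on a kernel that cannot flush, the `flush ruleset`
# line is commented out (Head_on_a_Stick's workaround above). Caveat: without the
# flush, re-running `nft -f` appends the rules again instead of replacing them.
adapt_conf() {
    if flush_ruleset_supported "$1"; then
        cat
    else
        while IFS= read -r line; do
            case $line in
                "flush ruleset"*) printf '# %s   # disabled: kernel older than 3.18\n' "$line" ;;
                *) printf '%s\n' "$line" ;;
            esac
        done
    fi
}

# Constructed /proc/version samples (not captured from a real host).
OLD_KERNEL='Linux version 3.16.0-4-amd64 (constructed sample)'
NEW_KERNEL='Linux version 4.9.0-0.bpo.3-amd64 (constructed sample)'
# Journal lines as posted in this thread.
SAMPLE_JOURNAL='Jun 09 16:09:28 bunsen systemd[1]: Starting nftables...
Jun 09 16:09:29 bunsen nft[26628]: /etc/nftables.conf:3:1-14: Error: Could not process rule: Address family not supported by protocol
Jun 09 16:09:29 bunsen nft[26628]: flush ruleset
Jun 09 16:09:29 bunsen nft[26628]: ^^^^^^^^^^^^^^'
# Trimmed copy of the "workstation" example ruleset (constructed).
SAMPLE_CONF='#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0;
        iif lo accept
        ct state established,related accept
        counter drop
    }
}'

# Stand-alone run. On a live host:  adapt_conf "$(cat /proc/version)" < /etc/nftables.conf
if journal_shows_flush_error "$SAMPLE_JOURNAL"; then
    echo "journal: flush ruleset rejected by the kernel (pre-3.18 signature)"
fi
for k in "$OLD_KERNEL" "$NEW_KERNEL"; do
    echo "== $k"
    printf '%s\n' "$SAMPLE_CONF" | adapt_conf "$k"
done
```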

#74 2017-06-10 17:57:10

Sector11
The Tpyo Knig Mod
From: 77345 ¡#
Registered: 2015-08-20
Posts: 5,554

Re: Firewall for the lazy

Head_on_a_Stick wrote:

Also:

S11 wrote:

That site just probes your ports (fnar!), the firewall does not affect the result.

For the record, my Win10 system also returns a sea of green on that "test" glasses

Which only goes to highlight my noobishness (is that a word?).



#75 2018-04-11 04:28:36

m1rr0r5h4d35
Member
Registered: 2017-01-08
Posts: 40

Re: Firewall for the lazy

Nothing new to add, just wanted to report that these instructions worked without a hitch for me. Thanks HOAS!


"A graphic representation of data abstracted from the banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in the nonspace of the mind, clusters and constellations of data. Like city lights, receding."

- William Gibson

