You are not logged in.
@HoaS - have you tried ufw? It's excellent, lightweight, painfully simple, and works quite well. I'm happy to write up a quick howto if you think it's beneficial.
In fact, I think I may do it anyway. Starting new thread, huzzah!
Offline
No, the package has changed the stock configuration file so there is an extra step required now
Indeed, thank you, that solved the issue!
It's a bit surprising though if the firewall configuration changes without notice. Probably I missed some release note somewhere. Anyhow it looks now like the output you posted.
Offline
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHH!
Start:
09 Jun 17 @ 16:06:34 ~
$ sudo apt-get install -t jessie-backports nftables linux-image-amd64
[sudo] password for sector11:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
libuuid-perl
Use 'apt-get autoremove' to remove it.
The following extra packages will be installed:
irqbalance libjansson4 libnftnl4 linux-base linux-image-4.9.0-0.bpo.3-amd64
Suggested packages:
linux-doc-4.9 debian-kernel-handbook
The following NEW packages will be installed:
irqbalance libjansson4 libnftnl4 linux-image-4.9.0-0.bpo.3-amd64 linux-image-amd64 nftables
The following packages will be upgraded:
linux-base
1 upgraded, 6 newly installed, 0 to remove and 173 not upgraded.
Need to get 38.8 MB of archives.
After this operation, 192 MB of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 http://ftp.us.debian.org/debian/ jessie/main libjansson4 amd64 2.7-1+deb8u1 [34.1 kB]
Get:2 http://ftp.us.debian.org//debian/ jessie-backports/main libnftnl4 amd64 1.0.7-1~bpo8+1 [65.1 kB]
Get:3 http://ftp.us.debian.org//debian/ jessie-backports/main nftables amd64 0.6-1~bpo8+1 [132 kB]
Get:4 http://ftp.us.debian.org//debian/ jessie-backports/main linux-base all 4.3~bpo8+1 [19.0 kB]
Get:5 http://ftp.us.debian.org//debian/ jessie-backports/main linux-image-4.9.0-0.bpo.3-amd64 amd64 4.9.25-1~bpo8+1 [38.5 MB]
Get:6 http://ftp.us.debian.org//debian/ jessie-backports/main linux-image-amd64 amd64 4.9+80~bpo8+1 [7,108 B]
Get:7 http://ftp.us.debian.org//debian/ jessie-backports/main irqbalance amd64 1.1.0-2~bpo8+1 [35.1 kB]
Fetched 38.8 MB in 32s (1,195 kB/s)
Retrieving bug reports... Done
Parsing Found/Fixed information... Done
Reading changelogs... Done
Preconfiguring packages ...
Selecting previously unselected package libjansson4:amd64.
(Reading database ... 204022 files and directories currently installed.)
Preparing to unpack .../libjansson4_2.7-1+deb8u1_amd64.deb ...
Unpacking libjansson4:amd64 (2.7-1+deb8u1) ...
Selecting previously unselected package libnftnl4:amd64.
Preparing to unpack .../libnftnl4_1.0.7-1~bpo8+1_amd64.deb ...
Unpacking libnftnl4:amd64 (1.0.7-1~bpo8+1) ...
Selecting previously unselected package nftables.
Preparing to unpack .../nftables_0.6-1~bpo8+1_amd64.deb ...
Unpacking nftables (0.6-1~bpo8+1) ...
Preparing to unpack .../linux-base_4.3~bpo8+1_all.deb ...
Unpacking linux-base (4.3~bpo8+1) over (3.5) ...
Selecting previously unselected package linux-image-4.9.0-0.bpo.3-amd64.
Preparing to unpack .../linux-image-4.9.0-0.bpo.3-amd64_4.9.25-1~bpo8+1_amd64.deb ...
Unpacking linux-image-4.9.0-0.bpo.3-amd64 (4.9.25-1~bpo8+1) ... package linux-image-amd64.
Preparing to unpack .../linux-image-amd64_4.9+80~bpo8+1_amd64.deb ...
Unpacking linux-image-amd64 (4.9+80~bpo8+1) ...
Selecting previously unselected package irqbalance.
Preparing to unpack .../irqbalance_1.1.0-2~bpo8+1_amd64.deb ...
Unpacking irqbalance (1.1.0-2~bpo8+1) ...
Processing triggers for man-db (2.7.0.2-5) ...
Processing triggers for systemd (215-17+deb8u7) ...
Setting up libjansson4:amd64 (2.7-1+deb8u1) ...
Setting up libnftnl4:amd64 (1.0.7-1~bpo8+1) ...
Setting up nftables (0.6-1~bpo8+1) ...
Setting up linux-base (4.3~bpo8+1) ...
Setting up linux-image-4.9.0-0.bpo.3-amd64 (4.9.25-1~bpo8+1) ...
I: /initrd.img.old is now a symlink to boot/initrd.img-3.16.0-4-amd64
I: /vmlinuz is now a symlink to boot/vmlinuz-4.9.0-0.bpo.3-amd64
I: /initrd.img is now a symlink to boot/initrd.img-4.9.0-0.bpo.3-amd64
/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-4.9.0-0.bpo.3-amd64
/etc/kernel/postinst.d/zz-update-grub:
Generating grub configuration file ...
Found background image: /usr/share/images/desktop-base/desktop-grub.png
Found linux image: /boot/vmlinuz-4.9.0-0.bpo.3-amd64
Found initrd image: /boot/initrd.img-4.9.0-0.bpo.3-amd64
Found linux image: /boot/vmlinuz-3.16.0-4-amd64
Found initrd image: /boot/initrd.img-3.16.0-4-amd64
Found BunsenLabs GNU/Linux 8.7 (Hydrogen) (8.7) on /dev/sda1
done
Setting up linux-image-amd64 (4.9+80~bpo8+1) ...
Setting up irqbalance (1.1.0-2~bpo8+1) ...
Processing triggers for libc-bin (2.19-18+deb8u9) ...
Processing triggers for systemd (215-17+deb8u7) ...
09 Jun 17 @ 16:08:20 ~
$ sudo cp /usr/share/doc/nftables/examples/syntax/workstation /etc/nftables.conf
09 Jun 17 @ 16:09:07 ~
$ sudo systemctl start nftables
Job for nftables.service failed. See 'systemctl status nftables.service' and 'journalctl -xn' for details.
09 Jun 17 @ 16:09:29 ~
$ systemctl status nftables.service
● nftables.service - nftables
Loaded: loaded (/lib/systemd/system/nftables.service; disabled)
Active: failed (Result: exit-code) since Fri 2017-06-09 16:09:29 -03; 36s ago
Docs: man:nft(8)
http://wiki.nftables.org
Process: 26628 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=1/FAILURE)
Main PID: 26628 (code=exited, status=1/FAILURE)
did:
09 Jun 17 @ 16:11:36 ~
$ apt-cache policy nftables
nftables:
Installed: 0.6-1~bpo8+1
Candidate: 0.6-1~bpo8+1
Version table:
*** 0.6-1~bpo8+1 0
100 http://ftp.us.debian.org//debian/ jessie-backports/main amd64 Packages
100 /var/lib/dpkg/status
did:
09 Jun 17 @ 16:11:38 ~
$ grep -R backports /etc/apt/sources.list{,.d/*}
/etc/apt/sources.list:deb http://ftp.us.debian.org//debian jessie-backports main contrib non-free
/etc/apt/sources.list:# deb http://httpredir.debian.org/debian jessie-backports main contrib non-free
/etc/apt/sources.list.d/bunsen-jessie-backports.list:deb http://pkg.bunsenlabs.org/debian jessie-backports main
then I did:
09 Jun 17 @ 16:11:49 ~
$ sudo journalctl -xn
[sudo] password for sector11:
09 Jun 17 @ 16:16:18 ~
$ systemctl start nftables
Failed to start nftables.service: Access denied
09 Jun 17 @ 16:16:22 ~
$ sudo systemctl start nftables
Job for nftables.service failed. See 'systemctl status nftables.service' and 'journalctl -xn' for details.
09 Jun 17 @ 16:16:30 ~
$ systemctl list-unit-files | grep enabled
cups.path enabled
anacron-resume.service enabled
anacron.service enabled
atd.service enabled
avahi-daemon.service enabled
cron.service enabled
cups.service enabled
dbus-org.freedesktop.Avahi.service enabled
display-manager.service enabled
getty@.service enabled
hwclock-save.service enabled
lightdm.service enabled
lm-sensors.service enabled
pppd-dns.service enabled
rsyslog.service enabled
smartd.service enabled
syslog.service enabled
vnstat.service enabled
avahi-daemon.socket enabled
cups.socket enabled
remote-fs.target enabled
bunsen-pepperflash.timer enabled
09 Jun 17 @ 16:17:24 ~
$ sudo systemctl enable nftables.service
Created symlink from /etc/systemd/system/multi-user.target.wants/nftables.service to /lib/systemd/system/nftables.service.
09 Jun 17 @ 16:18:10 ~
$ sudo nft list ruleset
09 Jun 17 @ 16:19:03 ~
$ systemctl status nftables.service
● nftables.service - nftables
Loaded: loaded (/lib/systemd/system/nftables.service; enabled)
Active: failed (Result: exit-code) since Fri 2017-06-09 16:16:30 -03; 3min 1s ago
Docs: man:nft(8)
http://wiki.nftables.org
Main PID: 27416 (code=exited, status=1/FAILURE)
09 Jun 17 @ 16:19:31 ~
$
And I think (danger: thinking) it might be an ip6 thing.
09 Jun 17 @ 16:26:09 ~
$ cat /etc/nftables.conf
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0;
# accept any localhost traffic
iif lo accept
# accept traffic originated from us
ct state established,related accept
# activate the following line to accept common local services
#tcp dport { 22, 80, 443 } ct state new accept
# accept neighbour discovery otherwise IPv6 connectivity breaks.
ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
# count and drop any other traffic
counter drop
}
}
09 Jun 17 @ 16:30:03 ~
$
S11 doesn't have ip6 - nor a router Now what?
HELP!
BunsenLabs Forum Rules ---== I'm a Conky 1.9'er ==---
System: Host: sector11 Kernel: 4.9.0-11-amd64 x86_64 (64 bit gcc: 6.3.0)
Desktop: Openbox 3.6.1 dm: lightdm Distro: BunsenLabs GNU/Linux 9.6 (Helium)
Offline
What do these say:
sudo systemctl start nftables
sudo journalctl -u nftables
Last edited by Head_on_a_Stick (2017-06-09 19:51:34)
“Et ignotas animum dimittit in artes.” — Ovid, Metamorphoses, VIII., 18.
Offline
What do these say:
sudo systemctl start nftables sudo journalctl -u nftables
sudo systemctl start nftables
09 Jun 17 @ 16:56:10 ~
$ sudo systemctl start nftables
[sudo] password for sector11:
Job for nftables.service failed. See 'systemctl status nftables.service' and 'journalctl -xn' for details.
See 'systemctl status nftables.service' and 'journalctl -xn' below.
sudo journalctl -u nftables
-- Logs begin at Fri 2017-06-09 09:01:26 -03, end at Fri 2017-06-09 16:56:28 -03. --
Jun 09 16:09:28 bunsen systemd[1]: Starting nftables...
Jun 09 16:09:29 bunsen nft[26628]: /etc/nftables.conf:3:1-14: Error: Could not process rule: Address family not supported by protocol
Jun 09 16:09:29 bunsen nft[26628]: flush ruleset
Jun 09 16:09:29 bunsen nft[26628]: ^^^^^^^^^^^^^^
Jun 09 16:09:29 bunsen nft[26628]: /etc/nftables.conf:3:1-14: Error: Could not process rule: Address family not supported by protocol
Jun 09 16:09:29 bunsen nft[26628]: flush ruleset
Jun 09 16:09:29 bunsen nft[26628]: ^^^^^^^^^^^^^^
Jun 09 16:09:29 bunsen nft[26628]: /etc/nftables.conf:3:1-14: Error: Could not process rule: Address family not supported by protocol
Jun 09 16:09:29 bunsen nft[26628]: flush ruleset
Jun 09 16:09:29 bunsen nft[26628]: ^^^^^^^^^^^^^^
Jun 09 16:09:29 bunsen nft[26628]: /etc/nftables.conf:3:1-14: Error: Could not process rule: Address family not supported by protocol
Jun 09 16:09:29 bunsen nft[26628]: flush ruleset
Jun 09 16:09:29 bunsen nft[26628]: ^^^^^^^^^^^^^^
Jun 09 16:09:29 bunsen nft[26628]: /etc/nftables.conf:3:1-14: Error: Could not process rule: Address family not supported by protocol
Jun 09 16:09:29 bunsen nft[26628]: flush ruleset
Jun 09 16:09:29 bunsen nft[26628]: ^^^^^^^^^^^^^^
Jun 09 16:09:29 bunsen nft[26628]: /etc/nftables.conf:3:1-14: Error: Could not process rule: Address family not supported by protocol
Jun 09 16:09:29 bunsen nft[26628]: flush ruleset
Jun 09 16:09:29 bunsen nft[26628]: ^^^^^^^^^^^^^^
Jun 09 16:09:29 bunsen systemd[1]: ^[[1;39mnftables.service: main process exited, code=exited, status=1/FAILURE
Jun 09 16:09:29 bunsen systemd[1]: Failed to start nftables.
Jun 09 16:09:29 bunsen systemd[1]: ^[[1;39mUnit nftables.service entered failed state.
Jun 09 16:16:30 bunsen systemd[1]: Starting nftables...
Jun 09 16:16:30 bunsen nft[27416]: /etc/nftables.conf:3:1-14: Error: Could not process rule: Address family not supported by protocol
Jun 09 16:16:30 bunsen nft[27416]: flush ruleset
Jun 09 16:16:30 bunsen nft[27416]: ^^^^^^^^^^^^^^
Jun 09 16:16:30 bunsen systemd[1]: ^[[1;39mnftables.service: main process exited, code=exited, status=1/FAILURE
Jun 09 16:16:30 bunsen systemd[1]: Failed to start nftables.
Jun 09 16:16:30 bunsen systemd[1]: ^[[1;39mUnit nftables.service entered failed state.
Jun 09 16:25:59 bunsen systemd[1]: Starting nftables...
Jun 09 16:25:59 bunsen nft[29649]: /etc/nftables.conf:3:1-14: Error: Could not process rule: Address family not supported by protocol
Jun 09 16:25:59 bunsen nft[29649]: flush ruleset
Jun 09 16:25:59 bunsen nft[29649]: ^^^^^^^^^^^^^^
Jun 09 16:25:59 bunsen systemd[1]: ^[[1;39mnftables.service: main process exited, code=exited, status=1/FAILURE
Jun 09 16:25:59 bunsen systemd[1]: Failed to start nftables.
Jun 09 16:25:59 bunsen systemd[1]: ^[[1;39mUnit nftables.service entered failed state.
Jun 09 16:56:17 bunsen systemd[1]: Starting nftables...
Jun 09 16:56:17 bunsen nft[3054]: /etc/nftables.conf:3:1-14: Error: Could not process rule: Address family not supported by protocol
Jun 09 16:56:17 bunsen nft[3054]: flush ruleset
Jun 09 16:56:17 bunsen nft[3054]: ^^^^^^^^^^^^^^
Jun 09 16:56:17 bunsen systemd[1]: ^[[1;39mnftables.service: main process exited, code=exited, status=1/FAILURE
Jun 09 16:56:17 bunsen systemd[1]: Failed to start nftables.
Jun 09 16:56:17 bunsen systemd[1]: ^[[1;39mUnit nftables.service entered failed state.
systemctl status nftables.service
09 Jun 17 @ 16:57:34 ~
$ systemctl status nftables.service
● nftables.service - nftables
Loaded: loaded (/lib/systemd/system/nftables.service; enabled)
Active: failed (Result: exit-code) since Fri 2017-06-09 16:56:17 -03; 2min 17s ago
Docs: man:nft(8)
http://wiki.nftables.org
Process: 3054 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=1/FAILURE)
Main PID: 3054 (code=exited, status=1/FAILURE)
09 Jun 17 @ 16:58:34 ~
$
sudo journalctl -xn
-- Logs begin at Fri 2017-06-09 09:01:26 -03, end at Fri 2017-06-09 16:59:22 -03. --
Jun 09 16:56:17 bunsen nft[3054]: ^^^^^^^^^^^^^^
Jun 09 16:56:17 bunsen systemd[1]: ^[[1;39mnftables.service: main process exited, code=exited, status=1/FAILURE
Jun 09 16:56:17 bunsen systemd[1]: Failed to start nftables.
-- Subject: Unit nftables.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit nftables.service has failed.
--
-- The result is failed.
Jun 09 16:56:17 bunsen systemd[1]: ^[[1;39mUnit nftables.service entered failed state.
Jun 09 16:56:17 bunsen sudo[3046]: pam_unix(sudo:session): session closed for user root
Jun 09 16:56:28 bunsen sudo[3072]: ^[[1;39msector11 : TTY=pts/0 ; PWD=/home/sector11 ; USER=root ; COMMAND=/bin/journalctl -u nftables
Jun 09 16:56:28 bunsen sudo[3072]: pam_unix(sudo:session): session opened for user root by sector11(uid=0)
Jun 09 16:57:34 bunsen sudo[3072]: pam_unix(sudo:session): session closed for user root
Jun 09 16:59:22 bunsen sudo[3432]: ^[[1;39msector11 : TTY=pts/0 ; PWD=/home/sector11 ; USER=root ; COMMAND=/bin/journalctl -xn
Jun 09 16:59:22 bunsen sudo[3432]: pam_unix(sudo:session): session opened for user root by sector11(uid=0)
BunsenLabs Forum Rules ---== I'm a Conky 1.9'er ==---
System: Host: sector11 Kernel: 4.9.0-11-amd64 x86_64 (64 bit gcc: 6.3.0)
Desktop: Openbox 3.6.1 dm: lightdm Distro: BunsenLabs GNU/Linux 9.6 (Helium)
Offline
Try commenting out this line from /etc/nftables.conf:
# flush ruleset
Sorry but I'm in OpenBSD atm so I can't test directly.
“Et ignotas animum dimittit in artes.” — Ovid, Metamorphoses, VIII., 18.
Offline
ifconfig tells me ip6 so that's cleared up.
BunsenLabs Forum Rules ---== I'm a Conky 1.9'er ==---
System: Host: sector11 Kernel: 4.9.0-11-amd64 x86_64 (64 bit gcc: 6.3.0)
Desktop: Openbox 3.6.1 dm: lightdm Distro: BunsenLabs GNU/Linux 9.6 (Helium)
Offline
Try commenting out this line from /etc/nftables.conf:
# flush ruleset
Sorry but I'm in OpenBSD atm so I can't test directly.
Done ... where do I start now?
BunsenLabs Forum Rules ---== I'm a Conky 1.9'er ==---
System: Host: sector11 Kernel: 4.9.0-11-amd64 x86_64 (64 bit gcc: 6.3.0)
Desktop: Openbox 3.6.1 dm: lightdm Distro: BunsenLabs GNU/Linux 9.6 (Helium)
Offline
OK, that worked ....
09 Jun 17 @ 17:14:23 ~
$ sudo systemctl start nftables
[sudo] password for sector11:
09 Jun 17 @ 17:14:30 ~
$ systemctl status nftables.service
● nftables.service - nftables
Loaded: loaded (/lib/systemd/system/nftables.service; enabled)
Active: active (exited) since Fri 2017-06-09 17:11:42 -03; 3min 3s ago
Docs: man:nft(8)
http://wiki.nftables.org
Process: 6030 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=0/SUCCESS)
Main PID: 6030 (code=exited, status=0/SUCCESS)
09 Jun 17 @ 17:14:46 ~
$ sudo systemctl enable nftables
09 Jun 17 @ 17:15:46 ~
$ systemctl list-unit-files | grep enabled
cups.path enabled
anacron-resume.service enabled
anacron.service enabled
atd.service enabled
avahi-daemon.service enabled
cron.service enabled
cups.service enabled
dbus-org.freedesktop.Avahi.service enabled
display-manager.service enabled
getty@.service enabled
hwclock-save.service enabled
lightdm.service enabled
lm-sensors.service enabled
nftables.service enabled
pppd-dns.service enabled
rsyslog.service enabled
smartd.service enabled
syslog.service enabled
vnstat.service enabled
avahi-daemon.socket enabled
cups.socket enabled
remote-fs.target enabled
bunsen-pepperflash.timer enabled
09 Jun 17 @ 17:16:17 ~
$
Thank you!
====================
EDIT: According to the "email" I got I beat you to it see I have "A Round Tuit".
Last edited by Sector11 (2017-06-09 20:29:56)
BunsenLabs Forum Rules ---== I'm a Conky 1.9'er ==---
System: Host: sector11 Kernel: 4.9.0-11-amd64 x86_64 (64 bit gcc: 6.3.0)
Desktop: Openbox 3.6.1 dm: lightdm Distro: BunsenLabs GNU/Linux 9.6 (Helium)
Offline
So now for the first time in Linuxlandia I have a firewall?
Well, I played with one back in Ubuntu days 2007/8 but never got it to work so gave up.
Wouldn't it be a good idea to have this as a default setting?
BunsenLabs Forum Rules ---== I'm a Conky 1.9'er ==---
System: Host: sector11 Kernel: 4.9.0-11-amd64 x86_64 (64 bit gcc: 6.3.0)
Desktop: Openbox 3.6.1 dm: lightdm Distro: BunsenLabs GNU/Linux 9.6 (Helium)
Offline
So now for the first time in Linuxlandia I have a firewall?
Looks like it, yes
Wouldn't it be a good idea to have this as a default setting?
Perhaps for Helium/stretch (nftables is only in jessie-backports), but as I said most users do not require a firewall and we usually adopt the upstream default.
“Et ignotas animum dimittit in artes.” — Ovid, Metamorphoses, VIII., 18.
Offline
Quick question:
How does a user know if they fall into the "do not require a firewall group."
Now he's going to tell me - "Well, S11, you're in the: Do not require a Firewall Group"
BunsenLabs Forum Rules ---== I'm a Conky 1.9'er ==---
System: Host: sector11 Kernel: 4.9.0-11-amd64 x86_64 (64 bit gcc: 6.3.0)
Desktop: Openbox 3.6.1 dm: lightdm Distro: BunsenLabs GNU/Linux 9.6 (Helium)
Offline
How does a user know if they fall into the "do not require a firewall group."
That's a good question
Debian ships with most ports closed but if programs are installed that "listen" to the internet then a firewall may be required; examples of such applications would be the Apache HTTP server (used to host websites) and the Samba file sharing system.
This link is from the Comical crowd but it still applies to our corner of Tuxland:
“Et ignotas animum dimittit in artes.” — Ovid, Metamorphoses, VIII., 18.
Offline
I've been using ufw for a while on my Debian and Ubuntu machines. Looks like it still exists in stretch.
--Ben
BL / MX / Raspbian... and a whole bunch of RHEL boxes. :)
Offline
ufw
That's a nice abstraction but one of the reasons I prefer nftables is because the ruleset is declarative in nature and just as easy to understand as ufw without needing an extra layer to help the user understand the syntax.
“Et ignotas animum dimittit in artes.” — Ovid, Metamorphoses, VIII., 18.
Offline
Ws the cfg lng dsgned by a 14 yr old grl addictd 2 txting?
Offline
^ Vowels are bloat!
“Et ignotas animum dimittit in artes.” — Ovid, Metamorphoses, VIII., 18.
Offline
This link is from the Comical crowd but it still applies to our corner of Tuxland:
Comical Crowd. That's a keeper.
1. Lets see how I do with the "Straight Man"
This Internet probe sends up to ten (10) UPnP Simple Service Discovery Protocol (SSDP) M-SEARCH UDP packets, one every half-second, to our visitor's current IPv4 address (1xx.xxx.xxx.xx) in an attempt to solicit a response from any publicly exposed and listening UPnP SSDP service. The UPnP protocols were never designed to be exposed to the public Internet, and any Internet-facing equipment which does so should be considered defective, insecure, and unusable. Any such equipment should be disconnected immediately.
Your equipment at IP: 1xx.xxx.xxx.xx
Is now being queried:
THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!
(That's good news!)
There is no question whether hackers are, in fact, currently sweeping the Internet for the presence of exposed and vulnerable consumer Internet routers in order to gain access to the private networks residing behind them. Just such hacking packets are now being detected across the Internet. Scanning is underway and the threat is real.
Whenever changes are made to your network configuration, whenever you update your router's firmware, and also from time to time just to be sure, you should consider re-running this quick test to confirm that your Internet-facing equipment is continuing to ignore all attempts at its subversion though the Universal Plug n'Play (UPnP) protocols.
-----
2. https://www.hackerwatch.org/probe/
Generate Port Events
The server will now send packets to your computer.
You will receive event warnings if:
Your computer is connected directly to the Internet
Your computer is not connected through a proxy server or NAT
Your firewall is running
RESULT:
The page cannot be displayed because an internal server error has occurred.
Now that's funny! Or Not!
-----
3. http://ccm.net/faq/2204-testing-your-firewall-online
- Common Ports:
Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.
I like all those: There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
- All Service Ports: ALL Greem - the writeup is identical to the paragraph above.
https://www.grc.com/x/ne.dll?rh1dkyd2 <<-- MUST Read.
COLOUR ME
Last edited by Sector11 (2017-06-09 22:11:13)
BunsenLabs Forum Rules ---== I'm a Conky 1.9'er ==---
System: Host: sector11 Kernel: 4.9.0-11-amd64 x86_64 (64 bit gcc: 6.3.0)
Desktop: Openbox 3.6.1 dm: lightdm Distro: BunsenLabs GNU/Linux 9.6 (Helium)
Offline
http://ccm.net/faq/2204-testing-your-firewall-online
- Common Ports:
Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests.
I got the same. No firewall here, but maybe it's my router doing the same job.
John
--------------------
( a boring Japan blog, idle Twitterings and GitStuff )
In case you forget, the rules.
Offline
I remember my install of Ubuntu/Xubuntu failing that ... well, it had a lot of read blocks at least.
I would think your router would have a firewall.
BunsenLabs Forum Rules ---== I'm a Conky 1.9'er ==---
System: Host: sector11 Kernel: 4.9.0-11-amd64 x86_64 (64 bit gcc: 6.3.0)
Desktop: Openbox 3.6.1 dm: lightdm Distro: BunsenLabs GNU/Linux 9.6 (Helium)
Offline
bigbenaugust wrote:ufw
That's a nice abstraction but one of the reasons I prefer nftables is because the ruleset is declarative in nature and just as easy to understand as ufw without needing an extra layer to help the user understand the syntax.
True, but on a few hundred RH boxes at work, we define all of the iptables rules in Puppet anyway, so very very rarely do I have to sit down and write raw firewall rules.
--Ben
BL / MX / Raspbian... and a whole bunch of RHEL boxes. :)
Offline
^ Thanks for reminding me about this...
I'm now in BunsenLabs (Diproton) and it's using the stock "workstation" rules with the "flush ruleset" line present and un-commented and the rules are loading just fine:
empty@Diproton:~ $ grep flush /etc/nftables.conf
flush ruleset
empty@Diproton:~ $ sudo nft -f /etc/nftables.conf
empty@Diproton:~ $ sudo nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy accept;
iif "lo" accept
ct state established,related accept
counter packets 1 bytes 36 drop
}
}
empty@Diproton:~ $
No idea why that line is a problem for your system.
Also:
That site just probes your ports (fnar!), the firewall does not affect the result.
For the record, my Win10 system also returns a sea of green on that "test"
“Et ignotas animum dimittit in artes.” — Ovid, Metamorphoses, VIII., 18.
Offline
You need kernel version >3.18 for `flush ruleset` to work:
https://lists.debian.org/debian-backpor … 00042.html
Are you using the backported kernel?
cat /proc/version
This has actually come up already in this very thread, I'm not having a good week here
“Et ignotas animum dimittit in artes.” — Ovid, Metamorphoses, VIII., 18.
Offline
Also:
S11 wrote:That site just probes your ports (fnar!), the firewall does not affect the result.
For the record, my Win10 system also returns a sea of green on that "test"
Which only goes to highlight my noobishness. (is that a word?)
BunsenLabs Forum Rules ---== I'm a Conky 1.9'er ==---
System: Host: sector11 Kernel: 4.9.0-11-amd64 x86_64 (64 bit gcc: 6.3.0)
Desktop: Openbox 3.6.1 dm: lightdm Distro: BunsenLabs GNU/Linux 9.6 (Helium)
Offline
Nothing new to add, just wanted to report that these instructions worked without a hitch for me. Thanks HOAS!
"A graphic representation of data abstracted from the banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in the nonspace of the mind, clusters and constellations of data. Like city lights, receding."
- William Gibson
Offline