
#61 2017-06-09 20:33:10

Sector11
Mod Squid Tpyo Knig
From: Upstairs
Registered: 2015-08-20
Posts: 8,028

Re: Firewall for the lazy

Quick question:

How does a user know if they fall into the "do not require a firewall group."

Now he's going to tell me - "Well, S11, you're in the: Do not require a Firewall Group"


Debian 12 Beardog, SoxDog and still a Conky 1.9er


#62 2017-06-09 20:45:09

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 9,093
Website

Re: Firewall for the lazy

Sector11 wrote:

How does a user know if they fall into the "do not require a firewall group."

That's a good question smile

Debian ships with most ports closed but if programs are installed that "listen" to the internet then a firewall may be required; examples of such applications would be the Apache HTTP server (used to host websites) and the Samba file sharing system.

This link is from the Comical crowd but it still applies to our corner of Tuxland:

https://help.ubuntu.com/community/DoINeedAFirewall
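One concrete way to answer the question above is to look at what is actually listening. The script below is an added example, not code from the thread: it reads `ss` output and reports every socket bound to something other than a loopback address, which is exactly the case (Apache, Samba and friends) where a firewall starts to matter. The `ss` lines embedded in it are constructed for an offline run.

```shell
#!/bin/sh
# Added example (not from the thread): answer "do I have anything listening?"
# by scanning `ss` output for sockets bound to a non-loopback address.
# Those are the services (Apache, Samba, ...) that make a firewall worth having.

# Constructed sample of `ss -tulnH` output (no header line); the fields are
# Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port.
SAMPLE_SS='udp   UNCONN 0 0   127.0.0.53%lo:53   0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:68          0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0 511 0.0.0.0:80          0.0.0.0:*
tcp   LISTEN 0 50  [::]:445            [::]:*
tcp   LISTEN 0 128 [::1]:25            [::]:*'

# exposed_listeners: read ss output on stdin and print "proto local:port"
# for every socket that is NOT bound to a loopback address.
exposed_listeners() {
    awk '{
        addr = $5
        host = addr
        sub(/:[^:]*$/, "", host)      # drop the :port suffix
        gsub(/\[|\]/, "", host)       # drop IPv6 brackets
        sub(/%.*$/, "", host)         # drop an interface scope such as %lo
        if (host ~ /^127\./ || host == "::1") next
        print $1, addr
    }'
}

# firewall_recommended: succeed (exit 0) when at least one exposed listener
# is present on stdin, fail (exit 1) when everything is loopback-only.
firewall_recommended() {
    [ -n "$(exposed_listeners)" ]
}

# Stand-alone run against the constructed sample; on a live Debian box use
# `ss -tulnH | exposed_listeners` instead (-H suppresses the header).
# Prints:
#   udp 0.0.0.0:68
#   tcp 0.0.0.0:80
#   tcp [::]:445
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

The CUPS and Postfix sockets in the sample are bound to 127.0.0.1 and ::1 and so are not reported; the web server on 0.0.0.0:80 and the SMB port on [::]:445 are, and that is the point at which "Debian ships with most ports closed" stops being enough on its own.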


#63 2017-06-09 20:57:08

bigbenaugust
Member
From: the 704 / KCLT
Registered: 2017-05-20
Posts: 179

Re: Firewall for the lazy

I've been using ufw for a while on my Debian and Ubuntu machines. Looks like it still exists in stretch.


--Ben
BL / MX / Raspbian... and a whole bunch of RHEL boxes. :)


#64 2017-06-09 21:07:30

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 9,093
Website

Re: Firewall for the lazy

bigbenaugust wrote:

ufw

That's a nice abstraction but one of the reasons I prefer nftables is because the ruleset is declarative in nature and just as easy to understand as ufw without needing an extra layer to help the user understand the syntax.


#65 2017-06-09 21:45:50

p9000
Member
Registered: 2017-05-28
Posts: 22

Re: Firewall for the lazy

Ws the cfg lng dsgned by a 14 yr old grl addictd 2 txting?


#66 2017-06-09 21:50:05

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 9,093
Website

Re: Firewall for the lazy

^ Vowels are bloat!

8o


#67 2017-06-09 21:50:19

Sector11
Mod Squid Tpyo Knig
From: Upstairs
Registered: 2015-08-20
Posts: 8,028

Re: Firewall for the lazy

Head_on_a_Stick wrote:

This link is from the Comical crowd but it still applies to our corner of Tuxland:

https://help.ubuntu.com/community/DoINeedAFirewall

lol lol lol  Comical Crowd.  That's a keeper.

1. Let's see how I do with the "Straight Man"

This Internet probe sends up to ten (10) UPnP Simple Service Discovery Protocol (SSDP) M-SEARCH UDP packets, one every half-second, to our visitor's current IPv4 address (1xx.xxx.xxx.xx) in an attempt to solicit a response from any publicly exposed and listening UPnP SSDP service. The UPnP protocols were never designed to be exposed to the public Internet, and any Internet-facing equipment which does so should be considered defective, insecure, and unusable. Any such equipment should be disconnected immediately.

Your equipment at IP:  1xx.xxx.xxx.xx

Is now being queried:

THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!
(That's good news!)

There is no question whether hackers are, in fact, currently sweeping the Internet for the presence of exposed and vulnerable consumer Internet routers in order to gain access to the private networks residing behind them. Just such hacking packets are now being detected across the Internet. Scanning is underway and the threat is real.

Whenever changes are made to your network configuration, whenever you update your router's firmware, and also from time to time just to be sure, you should consider re-running this quick test to confirm that your Internet-facing equipment is continuing to ignore all attempts at its subversion through the Universal Plug n'Play (UPnP) protocols.

-----
2. https://www.hackerwatch.org/probe/

Generate Port Events

The server will now send packets to your computer.

You will receive event warnings if:
    Your computer is connected directly to the Internet
    Your computer is not connected through a proxy server or NAT
    Your firewall is running

RESULT:
The page cannot be displayed because an internal server error has occurred.

Now that's funny!  Or Not!
-----
3.  http://ccm.net/faq/2204-testing-your-firewall-online
- Common Ports:
Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.

I like all those:  There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

- All Service Ports:  ALL Green - the writeup is identical to the paragraph above.

https://www.grc.com/x/ne.dll?rh1dkyd2 <<-- MUST Read.  smile

COLOUR ME big_smile

Last edited by Sector11 (2017-06-09 22:11:13)


Debian 12 Beardog, SoxDog and still a Conky 1.9er


#68 2017-06-10 00:41:55

johnraff
nullglob
From: Nagoya, Japan
Registered: 2015-09-09
Posts: 12,654
Website

Re: Firewall for the lazy

Sector11 wrote:

http://ccm.net/faq/2204-testing-your-firewall-online
- Common Ports:
Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests.

I got the same. No firewall here, but maybe it's my router doing the same job.


...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), now on Bluesky, there's also some GitStuff )

Introduction to the Bunsenlabs Boron Desktop


#69 2017-06-10 01:15:31

Sector11
Mod Squid Tpyo Knig
From: Upstairs
Registered: 2015-08-20
Posts: 8,028

Re: Firewall for the lazy

I remember my install of Ubuntu/Xubuntu failing that ... well, it had a lot of red blocks at least.

I would think your router would have a firewall.


Debian 12 Beardog, SoxDog and still a Conky 1.9er


#70 2017-06-10 02:44:22

bigbenaugust
Member
From: the 704 / KCLT
Registered: 2017-05-20
Posts: 179

Re: Firewall for the lazy

Head_on_a_Stick wrote:
bigbenaugust wrote:

ufw

That's a nice abstraction but one of the reasons I prefer nftables is because the ruleset is declarative in nature and just as easy to understand as ufw without needing an extra layer to help the user understand the syntax.

True, but on a few hundred RH boxes at work, we define all of the iptables rules in Puppet anyway, so very very rarely do I have to sit down and write raw firewall rules. smile


--Ben
BL / MX / Raspbian... and a whole bunch of RHEL boxes. :)


#71 2017-06-10 16:55:13

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 9,093
Website

Re: Firewall for the lazy

^ Thanks for reminding me about this...

I'm now in BunsenLabs (Diproton) and it's using the stock "workstation" rules with the "flush ruleset" line present and un-commented and the rules are loading just fine:

empty@Diproton:~ $ grep flush /etc/nftables.conf
flush ruleset
empty@Diproton:~ $ sudo nft -f /etc/nftables.conf
empty@Diproton:~ $ sudo nft list ruleset
table inet filter {
        chain input {
                type filter hook input priority 0; policy accept;
                iif "lo" accept
                ct state established,related accept
                counter packets 1 bytes 36 drop
        }
}
empty@Diproton:~ $

hmm

No idea why that line is a problem for your system.

Also:

S11 wrote:

That site just probes your ports (fnar!), the firewall does not affect the result.

For the record, my Win10 system also returns a sea of green on that "test" 8)


#72 2017-06-10 17:06:31

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 9,093
Website

Re: Firewall for the lazy

You need kernel version >3.18 for `flush ruleset` to work:

https://lists.debian.org/debian-backpor … 00042.html

Are you using the backported kernel?

cat /proc/version

This has actually come up already in this very thread, I'm not having a good week here sad

https://forums.bunsenlabs.org/viewtopic … 376#p30376


#73 2017-06-10 17:57:10

Sector11
Mod Squid Tpyo Knig
From: Upstairs
Registered: 2015-08-20
Posts: 8,028

Re: Firewall for the lazy

Head_on_a_Stick wrote:

Also:

S11 wrote:

That site just probes your ports (fnar!), the firewall does not affect the result.

For the record, my Win10 system also returns a sea of green on that "test" 8)

Which only goes to highlight my noobishness. (is that a word?) big_smile


Debian 12 Beardog, SoxDog and still a Conky 1.9er


#74 2018-04-11 04:28:36

m1rr0r5h4d35
Member
Registered: 2017-01-08
Posts: 67

Re: Firewall for the lazy

Nothing new to add, just wanted to report that these instructions worked without a hitch for me. Thanks HOAS!


"A graphic representation of data abstracted from the banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in the nonspace of the mind, clusters and constellations of data. Like city lights, receding."

- William Gibson


#75 2018-04-11 09:14:35

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 9,093
Website

Re: Firewall for the lazy

^ Nice, thanks for the feedback!

If you're comfortable with the defaults you could try changing to a stateful firewall:

https://wiki.archlinux.org/index.php/Nf … le_machine

It's pretty simple to implement and the rules are almost comprehensible smile
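Two things from this thread fit in one added example: the `flush ruleset` problem from posts #71 and #72 (it needs kernel 3.18 or newer, so a stock stretch kernel is fine but an older one is not) and the stateful workstation ruleset suggested here. The script below is my own illustration, not code from the thread, from the linked Arch wiki page, or from the BunsenLabs `/etc/nftables.conf`; `kernel_at_least` does the version comparison properly (3.9 must come out older than 3.18), and `workstation_ruleset` prints a drop-by-default inet ruleset for whatever TCP ports you pass it, leaving out the `flush ruleset` line on a kernel that cannot handle it. The port numbers and the `KERNEL_VERSION` override are assumptions for the example; nothing here writes to `/etc/nftables.conf`.

```shell
#!/bin/sh
# Added example, not code from the thread or from the linked Arch wiki page.
# kernel_at_least implements the >=3.18 check for `flush ruleset`, and
# workstation_ruleset prints a stateful inet ruleset for a machine that
# should accept nothing inbound except replies to its own traffic, loopback,
# ICMP and an optional list of TCP ports. Port numbers passed in are the
# caller's choice; nothing here touches /etc/nftables.conf.

# kernel_at_least MAJOR MINOR [VERSION]
# Numeric comparison of a kernel release string (default: `uname -r`, or
# $KERNEL_VERSION if set, an override assumed for testing) so that 3.9 is
# correctly treated as older than 3.18.
kernel_at_least() {
    want_major=$1
    want_minor=$2
    ver=${3:-${KERNEL_VERSION:-$(uname -r)}}
    have_major=${ver%%.*}            # "4.9.0-3-amd64" -> "4"
    rest=${ver#*.}                   # -> "9.0-3-amd64"
    have_minor=${rest%%[!0-9]*}      # -> "9"
    if [ "$have_major" -gt "$want_major" ]; then
        return 0
    elif [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; then
        return 0
    fi
    return 1
}

# workstation_ruleset [TCP_PORT...]
# Prints the ruleset. `flush ruleset` is emitted only when the running
# kernel can handle it; on an older kernel the old rules have to be
# cleared some other way before this file is loaded.
workstation_ruleset() {
    if kernel_at_least 3 18; then
        echo "flush ruleset"
    fi
    cat <<'EOF'
table inet filter {
        chain input {
                type filter hook input priority 0; policy drop;
                iif "lo" accept
                ct state established,related accept
                ct state invalid drop
                meta l4proto { icmp, ipv6-icmp } accept
EOF
    for port in "$@"; do
        echo "                tcp dport $port ct state new accept"
    done
    cat <<'EOF'
                counter drop
        }
        chain forward {
                type filter hook forward priority 0; policy drop;
        }
        chain output {
                type filter hook output priority 0; policy accept;
        }
}
EOF
}

# Stand-alone run: allow inbound SSH only.
workstation_ruleset 22
```

To use it, redirect the output to a file and run `nft -c -f FILE` first; `-c` only checks the syntax without loading anything, so a typo in a port list cannot lock you out. The `policy drop` on input plus the `established,related` rule is what makes this stateful: outbound connections you start still get their replies, but an unsolicited inbound SYN to anything not in the port list is counted and dropped.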

