recommend hardware firewall
Rick Stevens
ricks at nerd.com
Mon Apr 5 18:51:14 UTC 2010
On 04/05/2010 11:33 AM, Michael Miles wrote:
> On 04/05/2010 10:15 AM, Mikkel wrote:
>> On 04/05/2010 11:51 AM, Michael Miles wrote:
>>
>>> On 04/05/2010 09:34 AM, Mikkel wrote:
>>>
>>>> On 04/05/2010 11:16 AM, Michael Miles wrote:
>>>>
>>>>
>>>>> I'm not too bad with firewalls but I am used to more detailed firewall
>>>>> software.
>>>>> I just came from the hell they call Win 7 and I was using Bitdefender
>>>>> for the last couple of years.
>>>>> I'm just using the firewall that comes with Fedora 12, is there better
>>>>> firewall software out there?
>>>>>
>>>> Not for the actual firewall, but there are different front-ends for
>>>> configuring it. You can pick the one that works best for you, or
>>>> write your own firewall rules by hand.
>>>>
>>>> The actual firewall is part of the kernel. What the firewall
>>>> software does is help you configure that firewall. When I played
>>>> with Windows, the firewall was an add-on - kind of an afterthought.
>>>> I don't know if this is still true.
>>>>
>>>> Mikkel
>>>>
>>>>
>>> It is all add-on with Windows.
>>>
>>> I tell you my 4 core Phenom II 945 has more than doubled speed going
>>> from Win 7 x64 to Fedora 12.
>>>
>>> These front ends for the firewall in Fedora. Is there one in particular
>>> that you use?
>>>
>>> Michael
>>>
>> I usually use system-config-firewall, as the needs on my desktop and
>> laptop are fairly simple. I do have 2 sets of rules for the laptop,
>> depending on whether I am home or traveling. When I am home, the
>> network is behind a hardware firewall as well. But your needs may
>> differ from mine.
>>
>> On a side note, if you want to see the firewall rules set up by the
>> front end, take a look at /etc/sysconfig/iptables and ip6tables. You
>> can also run "iptables -L" to see the rules currently in effect. The
>> iptables command will also let you modify rules without going
>> through a GUI.
>>
>> Mikkel
>>
> It looks like the default desktop config for firewall lets everything
> through
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     icmp --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     ah   --  anywhere             anywhere
> ACCEPT     esp  --  anywhere             anywhere
> ACCEPT     udp  --  anywhere             224.0.0.251         state NEW udp dpt:mdns
> ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ipp
> ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-ns
> ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-dgm
> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     icmp --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> This is my iptables file
>
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i eth+ -j ACCEPT
> -A INPUT -p ah -j ACCEPT
> -A INPUT -p esp -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
> -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A FORWARD -p icmp -j ACCEPT
> -A FORWARD -i lo -j ACCEPT
> -A FORWARD -i eth+ -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
> And ip6tables
>
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p ipv6-icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i eth+ -j ACCEPT
> -A INPUT -m ipv6header --header ah -j ACCEPT
> -A INPUT -m ipv6header --header esp -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d ff02::fb -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
> -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A FORWARD -p ipv6-icmp -j ACCEPT
> -A FORWARD -i lo -j ACCEPT
> -A FORWARD -i eth+ -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
> -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
> COMMIT
Make sure you do "iptables -L -n -v". You'll find that a lot of the
open ports are actually restricted to lo (the loopback) on a standard
install, and the "ESTABLISHED,RELATED" stuff is to permit two-way I/O
initiated by the local machine (e.g. web browsing and the like).
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, C2 Hosting ricks at nerd.com -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
- Lottery: A tax on people who are bad at math. -
----------------------------------------------------------------------
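The point about "-L -n -v" is easy to see by feeding the ruleset Michael posted through a small parser that renders the INPUT chain both ways. This is an added example, not code from the thread or from Fedora; it assumes /etc/sysconfig/iptables is in iptables-save format (the "*filter" table header is not in the posted excerpt and is not needed here), and the sample ruleset below is a constructed copy of the IPv4 rules from the message above. Without the interface columns, "-i lo -j ACCEPT" and "-i eth+ -j ACCEPT" print as two identical "ACCEPT all" lines, which is exactly what the bare "iptables -L" output in the thread shows; with them, the parser can report which unconditional ACCEPTs cover a non-loopback interface, and in this particular file that is the "-i eth+" rule in both INPUT and FORWARD. Note that in this file the mdns, ipp and netbios rules carry no "-i" restriction either, so the script does not flag them as loopback-only.

```python
"""Show why `iptables -L -n -v` matters: the interface columns that a bare
`iptables -L` omits are what distinguish an ACCEPT limited to the loopback
from one that accepts everything arriving on an Ethernet interface."""
import shlex

# Constructed sample: the IPv4 rules as posted in the thread, in the
# iptables-save format that /etc/sysconfig/iptables uses. (Assumption: the
# posted excerpt omits the "*filter" table header; it is not needed here.)
SAMPLE_RULES = """\
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth+ -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def parse_rule(line):
    """Pull the fields of one '-A CHAIN ...' line into a dict. Only the
    options that occur in a stock Fedora 12 ruleset are understood; any
    other token is skipped so the parser does not choke on extras."""
    toks = shlex.split(line)
    r = {"chain": None, "in": "*", "out": "*", "proto": "all",
         "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
         "dport": None, "state": None, "target": None}
    take = {"-A": "chain", "-i": "in", "-o": "out", "-p": "proto", "-s": "src",
            "-d": "dst", "--dport": "dport", "--state": "state", "-j": "target"}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in take:
            r[take[t]] = toks[i + 1]
            i += 2
        elif t in ("-m", "--reject-with"):  # module name / reject type: skip value
            i += 2
        else:
            i += 1
    return r


def parse_rules(text):
    """Parse every rule line of an iptables-save dump, in order."""
    return [parse_rule(l) for l in text.splitlines() if l.startswith("-A ")]


def render(rules, verbose=False):
    """Approximate `iptables -L -n` (verbose=False) or `iptables -L -n -v`
    (verbose=True). The difference shown here is the in/out interface
    columns (real -v output also prepends packet and byte counters)."""
    lines = []
    for r in rules:
        cols = [r["target"], r["proto"], "--"]
        if verbose:
            cols += [r["in"], r["out"]]
        cols += [r["src"], r["dst"]]
        if r["state"]:
            cols.append("state " + r["state"])
        if r["dport"]:
            cols.append(r["proto"] + " dpt:" + r["dport"])
        lines.append("  ".join(cols))
    return lines


def unconditional_accepts(rules, chain="INPUT"):
    """ACCEPT rules in `chain` whose only match is the interface: no
    protocol, port, address or connection-state condition."""
    return [r for r in rules
            if r["chain"] == chain and r["target"] == "ACCEPT"
            and r["proto"] == "all" and r["dport"] is None and r["state"] is None
            and r["src"] == "0.0.0.0/0" and r["dst"] == "0.0.0.0/0"]


def wide_open_interfaces(rules, chain="INPUT"):
    """Interfaces other than the loopback covered by an unconditional ACCEPT.
    A hit means the port-specific rules further down are never consulted
    for traffic arriving on that interface ('*' means any interface)."""
    return [r["in"] for r in unconditional_accepts(rules, chain) if r["in"] != "lo"]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    inp = [r for r in rules if r["chain"] == "INPUT"]
    print("Chain INPUT as `iptables -L -n` shows it:")
    print("\n".join(render(inp)))
    print("\nChain INPUT as `iptables -L -n -v` shows it:")
    print("\n".join(render(inp, verbose=True)))
    for chain in ("INPUT", "FORWARD"):
        print(f"\n{chain}: unconditional ACCEPT on non-loopback interface(s):",
              wide_open_interfaces(rules, chain) or "none")
```

Run it as-is to see the two renderings side by side; to audit a real box, replace SAMPLE_RULES with the contents of /etc/sysconfig/iptables (or the output of iptables-save) and look at what wide_open_interfaces() reports for INPUT before trusting the port list that system-config-firewall shows.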