recommend hardware firewall
Michael Miles
mmamiga6 at gmail.com
Mon Apr 5 19:58:47 UTC 2010
On 04/05/2010 11:51 AM, Rick Stevens wrote:
> On 04/05/2010 11:33 AM, Michael Miles wrote:
>
>> On 04/05/2010 10:15 AM, Mikkel wrote:
>>
>>> On 04/05/2010 11:51 AM, Michael Miles wrote:
>>>
>>>
>>>> On 04/05/2010 09:34 AM, Mikkel wrote:
>>>>
>>>>
>>>>> On 04/05/2010 11:16 AM, Michael Miles wrote:
>>>>>
>>>>>
>>>>>
>>>>>> I'm not too bad with firewalls but I am used to more detailed firewall
>>>>>> software.
>>>>>> I just came from the hell they call Win 7 and I was using Bitdefender
>>>>>> for the last couple of years.
>>>>>> I'm just using the firewall that comes with Fedora 12, is there better
>>>>>> firewall software out there.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>> Not for the actual firewall, but there are different front-ends for
>>>>> configuring it. You can pick the one that works best for you, or
>>>>> write your own firewall rules by hand.
>>>>>
>>>>> The actual firewall is part of the kernel. What the firewall
>>>>> software does is help you configure that firewall. When I played
>>>>> with Windows, the firewall was an add-on - kind of an afterthought.
>>>>> I don't know if this is still true.
>>>>>
>>>>> Mikkel
>>>>>
>>>>>
>>>>>
>>>> It is all add-on with Windows
>>>>
>>>> I tell you my 4 core Phenom II 945 has more than doubled speed going
>>>> from Win 7 x64 to Fedora 12.
>>>>
>>>> These front ends for the firewall in Fedora. Is there one in particular
>>>> that you use?
>>>>
>>>> Michael
>>>>
>>>>
>>> I usually use system-config-firewall, as the needs on my desktop and
>>> laptop are fairly simple. I do have 2 sets of rules for the laptop,
>>> depending on whether I am home or traveling. When I am home, the
>>> network is behind a hardware firewall as well. But your needs may
>>> differ from mine.
>>>
>>> On a side note, if you want to see the firewall rules set up by the
>>> front end, take a look at /etc/sysconfig/iptables and ip6tables. You
>>> can also run "iptables -L" to see the rules currently in effect. The
>>> iptables command will also let you modify rules without going
>>> through a GUI.
>>>
>>> Mikkel
>>>
>>>
>> It looks like the default desktop config for firewall lets everything
>> through
>>
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
>> ACCEPT     icmp --  anywhere             anywhere
>> ACCEPT     all  --  anywhere             anywhere
>> ACCEPT     all  --  anywhere             anywhere
>> ACCEPT     ah   --  anywhere             anywhere
>> ACCEPT     esp  --  anywhere             anywhere
>> ACCEPT     udp  --  anywhere             224.0.0.251         state NEW udp dpt:mdns
>> ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ipp
>> ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-ns
>> ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-dgm
>> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
>>
>> Chain FORWARD (policy ACCEPT)
>> target     prot opt source               destination
>> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
>> ACCEPT     icmp --  anywhere             anywhere
>> ACCEPT     all  --  anywhere             anywhere
>> ACCEPT     all  --  anywhere             anywhere
>> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> This is my iptables file
>>
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -A INPUT -p icmp -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>> -A INPUT -i eth+ -j ACCEPT
>> -A INPUT -p ah -j ACCEPT
>> -A INPUT -p esp -j ACCEPT
>> -A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
>> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
>> -A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
>> -A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
>> -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -A FORWARD -p icmp -j ACCEPT
>> -A FORWARD -i lo -j ACCEPT
>> -A FORWARD -i eth+ -j ACCEPT
>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>> COMMIT
>>
>>
>>
>> And ip6tables
>>
>>
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -A INPUT -p ipv6-icmp -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>> -A INPUT -i eth+ -j ACCEPT
>> -A INPUT -m ipv6header --header ah -j ACCEPT
>> -A INPUT -m ipv6header --header esp -j ACCEPT
>> -A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d ff02::fb -j ACCEPT
>> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
>> -A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
>> -A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
>> -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -A FORWARD -p ipv6-icmp -j ACCEPT
>> -A FORWARD -i lo -j ACCEPT
>> -A FORWARD -i eth+ -j ACCEPT
>> -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
>> -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
>> COMMIT
>>
> Make sure you do "iptables -L -n -v". You'll find that a lot of the
> open ports are actually restricted to lo (the loopback) on a standard
> install, and the "ESTABLISHED,RELATED" stuff is to permit two-way I/O
> initiated by the local machine (e.g. web browsing and the like).
> ----------------------------------------------------------------------
> - Rick Stevens, Systems Engineer, C2 Hosting ricks at nerd.com -
> - AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
> - -
> - Lottery: A tax on people who are bad at math. -
> ----------------------------------------------------------------------
>
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
8664K   17G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  485 29100 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
 107K 6417K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
53557 8058K ACCEPT     all  --  eth+   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         state NEW udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:631
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:137
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:138
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth+   *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 9017K packets, 18G bytes)
 pkts bytes target     prot opt in     out     source               destination
[root at localhost amiga5]#
This is the output from the latest command
iptables -L -n -v
I was downloading when I executed the command.
It is somewhat confusing compared to years of Bitdefender
But I would not go back for anything.
Thank you for your help, I really appreciate it.
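As an added example (not code from the thread or from any of its participants), a small Python parser for the iptables-save style rules quoted above: it records the interface, protocol, port, destination and state match of each rule, so that a rule such as `-A INPUT -i lo -j ACCEPT`, which plain `iptables -L` prints as "ACCEPT all anywhere anywhere", can be told apart from an ACCEPT that matches all traffic on a non-loopback interface. The sample rules are constructed from the ones posted in the thread; the function names are my own.

```python
import shlex

# Constructed sample: a subset of the INPUT rules quoted in the thread,
# in the same iptables-save syntax as /etc/sysconfig/iptables.
SAMPLE_RULES = """\
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Options that take one argument and map straight onto a rule field.
SIMPLE_OPTS = {"-j": "target", "-i": "iface", "-p": "proto", "-d": "dst"}

def parse_rules(text):
    """Parse '-A CHAIN ...' lines into dicts; policy lines and COMMIT are skipped."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        toks = shlex.split(line)
        rule = {"chain": toks[1], "target": None, "iface": None, "proto": None,
                "dst": None, "dport": None, "states": None}
        i = 2
        while i + 1 < len(toks):
            opt, arg = toks[i], toks[i + 1]
            if opt in SIMPLE_OPTS:
                rule[SIMPLE_OPTS[opt]] = arg
            elif opt == "--dport":
                rule["dport"] = int(arg)
            elif opt == "--state":
                rule["states"] = set(arg.split(","))
            # "-m <ext>" and "--reject-with <type>" are consumed as pairs, not recorded
            i += 2
        rules.append(rule)
    return rules

def wide_open_accepts(rules):
    """ACCEPT rules with no protocol, port, state or destination match on an
    interface other than loopback: everything arriving there is let in."""
    return [r for r in rules if r["target"] == "ACCEPT" and r["iface"] != "lo"
            and not any(r[k] for k in ("proto", "dport", "states", "dst"))]
```

Run against the sample, the only rule reported by wide_open_accepts is the `-i eth+` one; the loopback rule and the ESTABLISHED,RELATED rule that Rick describes are correctly left out.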