Re: [DNG] How to firewall on Devuan?
Quoting Patrick Bartek via Dng (dng@lists.dyne.org):

> I've been using ufw for years. It's a commandline front-end for
> iptables. There's also a GUI for it, too.

For people's convenience, that would be gufw, a somewhat GNOME-ish Python/GTK thingie.
https://github.com/costales/gufw

-- 
Cheers,                  This limerick goes in reverse.
Rick Moen                Unless I'm remiss,
rick@linuxmafia.com      The neat thing is this:
McQ! (4x80)              If you start from the bottom-most verse
                         This limerick's not any worse.   -- Zach Weiner

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] How to firewall on Devuan?
On Wed, Feb 24, 2021 at 04:00:00PM +0200, Lars Noodén via Dng wrote:
> So even though Beowulf seems to come with iptables, I would
> recommend removing iptables and installing with nft.

My experience was that firewalls such as arno and ufw don't work properly under nft.

> https://wiki.nftables.org/
>
> https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes

-- 
Joel Roth
Re: [DNG] How to firewall on Devuan?
‐‐‐ Original Message ‐‐‐
On Wednesday, February 24, 2021 5:58 PM, Adam Borowski wrote:

> On Wed, Feb 24, 2021 at 07:26:35AM -0700, Gabe Stanton via Dng wrote:
> > If I understand correctly, the iptables cli that we use now is just a
> > wrapper around nftables.
>
> Actually, there are two independent subsystems. They're managed by two
> userspace tools:
>
> - iptables-legacy
> - iptables-nft
>
> Rules set by one of them are not visible by the other. This may give a
> nasty surprise if some tool sets a rule some other way.
>
> /usr/sbin/iptables is an alternatives link to one of the two, you can
> check
>     update-alternatives --display iptables
> to see which subsystem you're using by default.
>
> Meow!

Steve,

I suggest that anybody new to firewalling should go with NFT. There is a lot more choice of IPTables wrappers and GUIs, which hide what is really happening, and that is not necessarily a good thing. No doubt NFT will get these further down the line. IPTables is earmarked to go away as IFTables did before it, and then you will need to learn NFT anyway.

Speaking as someone who used IPTables ever since it came about and is new to NFT, NFT is far more versatile, logical and simpler to configure.

    flush ruleset

    table inet filter {
        chain input {
            type filter hook input priority 0;

            # accept any localhost traffic
            iif lo accept

            # accept traffic originated by us
            ct state established,related accept

            # count and drop any other traffic
            counter drop
        }
    }
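An added example, not the poster's ruleset: a small script that generates a fail-closed variant of the table above from a list of allowed TCP ports and syntax-checks it with `nft -c` before anything is loaded. It goes beyond the thread's ruleset (chain policy drop, invalid states dropped, ICMP/ICMPv6 allowed) and assumes the nftables package provides the `nft` binary and that /etc/nftables.conf is the file read at startup, as Lars describes.

```shell
#!/bin/sh
# Added example (not from the thread): build a fail-closed nftables ruleset
# from a list of allowed TCP ports and check it with `nft -c` before loading.

# Print the ruleset. Differences from the thread's version: the chain has
# policy drop (it fails closed even if the final rule is edited away),
# invalid conntrack states are dropped, ICMP and ICMPv6 are accepted (IPv6
# neighbour discovery breaks without ICMPv6), and the given TCP ports open.
nft_ruleset() {
    [ "$#" -gt 0 ] || { echo 'usage: nft_ruleset PORT...' >&2; return 1; }
    ports=$(printf '%s, ' "$@"); ports="${ports%, }"
    cat <<EOF
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept
        tcp dport { ${ports} } ct state new accept

        # count what the policy is about to drop, for troubleshooting
        counter drop
    }
}
EOF
}

# Syntax-check a ruleset read on stdin without applying it (nft -c).
# Skips with success when nft is not installed on this machine.
nft_check() {
    command -v nft >/dev/null 2>&1 || { echo 'nft not installed, skipping check' >&2; return 0; }
    nft -c -f -
}

# Typical use:  nft_ruleset 22 | nft_check && nft_ruleset 22 > /etc/nftables.conf
```

After saving, `nft -f /etc/nftables.conf` (or starting the nftables service) loads it, and `nft list ruleset` shows the counters on the final drop rule.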
Re: [DNG] How to firewall on Devuan?
On Wed, 2021-02-24 at 18:58 +0100, Adam Borowski wrote:
> On Wed, Feb 24, 2021 at 07:26:35AM -0700, Gabe Stanton via Dng wrote:
> > If I understand correctly, the iptables cli that we use now is just
> > a wrapper around nftables.
>
> Actually, there are two independent subsystems. They're managed by
> two userspace tools:
> * iptables-legacy
> * iptables-nft
>
> Rules set by one of them are not visible by the other. This may give
> a nasty surprise if some tool sets a rule some other way.
>
> /usr/sbin/iptables is an alternatives link to one of the two, you can
> check
>     update-alternatives --display iptables
> to see which subsystem you're using by default.
>
> Meow!

Interesting, so I just checked and when I call iptables, that calls /usr/sbin/iptables, which calls /etc/alternatives/iptables, which calls /usr/sbin/iptables-nft.

Gabe
Re: [DNG] How to firewall on Devuan?
On Wed, Feb 24, 2021 at 07:26:35AM -0700, Gabe Stanton via Dng wrote:
> If I understand correctly, the iptables cli that we use now is just a
> wrapper around nftables.

Actually, there are two independent subsystems. They're managed by two userspace tools:

* iptables-legacy
* iptables-nft

Rules set by one of them are not visible by the other. This may give a nasty surprise if some tool sets a rule some other way.

/usr/sbin/iptables is an alternatives link to one of the two, you can check

    update-alternatives --display iptables

to see which subsystem you're using by default.

Meow!
-- 
⢀⣴⠾⠻⢶⣦⠀ Latin:   meow  4 characters, 4 columns,  4 bytes
⣾⠁⢠⠒⠀⣿⡁ Greek:   μεου  4 characters, 4 columns,  8 bytes
⢿⡄⠘⠷⠚⠋⠀ Runes:   ᛗᛖᛟᚹ  4 characters, 4 columns, 12 bytes
⠈⠳⣄      Chinese: 喵    1 character,  2 columns,  3 bytes <-- best!
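An added check that turns Adam's point into a script (example code, not his or the Devuan project's): it reads which backend the iptables alternative points to and counts the rules held by each backend, warning when both are populated, since then part of the live ruleset is invisible to whichever tool you run by default. The parsing functions take command output on stdin so they can be exercised on constructed text; audit_backends runs the real tools when they are installed.

```shell
#!/bin/sh
# Added example: detect which iptables backend is in use and whether rules
# live in both backends (rules in one are invisible to the other).

# Extract the target of the "iptables" alternative from the output of
# `update-alternatives --display iptables`, read on stdin.
iptables_backend() {
    sed -n 's/^[[:space:]]*link currently points to //p'
}

# Count rules (the -A lines) in `iptables -S` output read on stdin;
# policy (-P) and chain definition (-N) lines are not rules.
count_rules() {
    awk '/^-A /{n++} END{print n+0}'
}

# True when both backends hold rules: whichever tool you run by default,
# some of the active ruleset is hidden from it.
rules_split() {
    [ "$1" -gt 0 ] && [ "$2" -gt 0 ]
}

# Run the real tools (reading the rule tables needs root). Returns 1 when
# the ruleset is split across the two backends.
audit_backends() {
    current=$(update-alternatives --display iptables 2>/dev/null | iptables_backend)
    printf 'iptables alternative -> %s\n' "${current:-unknown}"
    legacy=0; nft=0
    command -v iptables-legacy >/dev/null 2>&1 &&
        legacy=$(iptables-legacy -S 2>/dev/null | count_rules)
    command -v iptables-nft >/dev/null 2>&1 &&
        nft=$(iptables-nft -S 2>/dev/null | count_rules)
    printf 'iptables-legacy: %s rule(s)\niptables-nft: %s rule(s)\n' "$legacy" "$nft"
    if rules_split "$legacy" "$nft"; then
        echo 'WARNING: rules exist in both backends; part of the ruleset is invisible to the default iptables' >&2
        return 1
    fi
    return 0
}
```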
Re: [DNG] How to firewall on Devuan?
On Wed, 24 Feb 2021 07:01:58 -0500 Steve Litt wrote:

> Hi all,
>
> I'm now at the stage where I need a firewall on my Devuan VM guest,
> and I don't know how to do it. I have the iptables package installed,
> and /usr/sbin/iptables is a command, but I have no idea where to go
> from there. Is there a file that iptables uses to define which ports
> are blocked?
>
> I'm used to iptables being a daemon, and that seems not to be the case
> in Devuan.

I've been using ufw for years. It's a commandline front-end for iptables. There's also a GUI for it, too. Simple and easy to set up, configure, etc.

B
Re: [DNG] How to firewall on Devuan?
On Wed, 2021-02-24 at 16:00 +0200, Lars Noodén via Dng wrote:
> There is an awful lot of inertia for iptables, more than there was
> for ipchains, but iptables is rather difficult to learn and use. It has
> also been succeeded by nftables, which is where the development is
> happening. So even though Beowulf seems to come with iptables, I
> would recommend removing iptables and installing with nft.
>
> See:
>
> https://wiki.nftables.org/
>
> https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes
>
> Furthermore, nftables keeps its configuration in a single file:
> /etc/nftables.conf which is then read on startup, once nftables is
> activated in sysvinit or openrc. Though it is very different, I find
> that nft makes a bit more sense. It is also supposed to be more
> efficient. YMMV.
>
> /Lars

If I understand correctly, the iptables cli that we use now is just a wrapper around nftables.

The increased functionality of nftables is intriguing. The increased verbosity was a turnoff, but if it's necessary for increased functionality it's understandable.

Gabe
Re: [DNG] How to firewall on Devuan?
On 2/24/21 2:01 PM, Steve Litt wrote:
> Hi all,
>
> I'm now at the stage where I need a firewall on my Devuan VM guest,
> and I don't know how to do it. I have the iptables package installed,
> and /usr/sbin/iptables is a command, but I have no idea where to go
> from there. Is there a file that iptables uses to define which ports
> are blocked?

There is an awful lot of inertia for iptables, more than there was for ipchains, but iptables is rather difficult to learn and use. It has also been succeeded by nftables, which is where the development is happening. So even though Beowulf seems to come with iptables, I would recommend removing iptables and installing with nft.

See:

https://wiki.nftables.org/

https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes

Furthermore, nftables keeps its configuration in a single file: /etc/nftables.conf which is then read on startup, once nftables is activated in sysvinit or openrc. Though it is very different, I find that nft makes a bit more sense. It is also supposed to be more efficient. YMMV.

/Lars
Re: [DNG] How to firewall on Devuan?
On Wed, 2021-02-24 at 21:32 +0900, Olaf Meeuwissen via Dng wrote:
> Do not uncomment the #allow-hotplug eth0 line. Doing so leads
> to a delay when booting.

Just a note about the above, allow-hotplug eth0 seems to be necessary on your VM. As for the delay in booting, I've had that ever since setting up the bridge for the VM. The delay seems to be when it is setting up your bridge interface. Relevant to that, I've noticed that if I'm not connected to the network while booting (I use ethernet so it's real clear for me) networking doesn't work on my VM (if I recall correctly, networking was also not working on the host if I wasn't connected to a network upon boot).

My 2 cents on iptables is:

    iptables -F

will flush your ruleset, setting it back to default open communications. If a firewall created other chains or rules, they may survive a flush until the firewall is removed and the machine rebooted.

    iptables -S

will show your current ruleset. If you flushed your rules and there is no firewall that's created other chains, the output of this will usually be:

    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT

I typically start with

    iptables -P INPUT DROP
    iptables -P FORWARD DROP

(Note, if this is set to DROP, you must have another rule in place to handle traffic that is forwarded directly to your VM. You can do so by allowing traffic to a specific destination IP)

    iptables -P OUTPUT ACCEPT

Since we're dropping traffic on the INPUT chain, we need to ensure that we can accept traffic from connections we initiated, so we use this

    iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

An example of allowing traffic from a specific source IP is:

    iptables -A INPUT -s 192.168.1.54/32 -j ACCEPT

Allowing traffic to a specific destination looks like this:

    iptables -A OUTPUT -d 192.168.1.54/32 -j ACCEPT

Aside from that, you can set up any rule pertaining to a specific port, source IP, destination IP, range of source or destination IPs.

The only thing I wish I could tack onto it would be to specify programs that are allowed or not allowed to communicate. I'm sure that's not easy though.

That should give you the basics but as you go along, a web search for your specific question will yield results. Personally I don't do web searches on ***gle for various good reasons. I'm guessing I'm not alone. Some alternatives to that are:

startpage.com (uses ***gle search engine but provides a layer of anonymity between)
swisscows.com (requires javascript but claims to respect privacy)
duckduckgo.com (claims to offer anonymity but is hosted on amazon, so not sure how much they can back up their claim)

None of those are perfect, but at least they're not trying to take over the world like the evil alphabet soup.

Gabe
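Gabe's rules assembled into one script, as an added example that is not his own and not part of the thread. It orders the commands so that a remote session survives a re-run (policies are opened before the flush, because -F removes rules but leaves chain policies in place), and adds loopback, INVALID-state and rate-limited logging rules that the thread does not show. The trusted address is the thread's constructed 192.168.1.54/32; the ssh port and DRY_RUN variable are this example's assumptions.

```shell
#!/bin/sh
# Added example (not Gabe's script): his INPUT/FORWARD-drop ruleset as one
# function, with loopback, INVALID-state and logging rules added.
# Set DRY_RUN=1 to print the commands instead of running them.

TRUSTED_HOST="${TRUSTED_HOST:-192.168.1.54/32}"  # constructed address, as in the thread
SSH_PORT="${SSH_PORT:-22}"                         # assumption: the VM is managed over ssh

# Run iptables, or print the command when DRY_RUN is set.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

apply_firewall() {
    # Open the policies before flushing: -F removes rules but keeps the
    # chain policies, so flushing while INPUT is DROP cuts off a remote session.
    ipt -P INPUT ACCEPT
    ipt -P FORWARD ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -F
    ipt -X    # remove user-defined chains left behind by another firewall tool

    # Loopback, replies to connections we initiated, and nothing in a bogus state.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Administrative access only from the trusted host.
    ipt -A INPUT -p tcp -s "$TRUSTED_HOST" --dport "$SSH_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT

    # Log what is about to be dropped (rate limited so the log cannot be flooded).
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'INPUT drop: '

    # Default deny last. FORWARD DROP also stops the host from relaying
    # traffic to the VM unless a matching FORWARD rule is added.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
}

case "${1:-}" in
    apply) apply_firewall ;;
esac
```

Review the plan with `DRY_RUN=1 sh firewall.sh apply` before running it for real as root; `iptables -S` afterwards should list the rules in the same order.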
Re: [DNG] How to firewall on Devuan?
Hi Steve,

Steve Litt writes:

> Hi all,
>
> I'm now at the stage where I need a firewall on my Devuan VM guest, and
> I don't know how to do it. I have the iptables package installed, and
> /usr/sbin/iptables is a command, but I have no idea where to go from
> there. Is there a file that iptables uses to define which ports are
> blocked?
>
> I'm used to iptables being a daemon, and that seems not to be the case
> in Devuan.

No, iptables is not a daemon. It's just a utility to (re)configure the rules used by the kernel. It has been for as long as I know and that goes over a decade back in time.

I have been hooking my iptables configuration into ifupdown. Below is the /etc/network/interfaces for my laptop. I use it in combination with netplug. Do not uncomment the #allow-hotplug eth0 line. Doing so leads to a delay when booting.

    # interfaces(5) -- file used by ifup(8) and ifdown(8)

    # Only bring up the loopback interface automatically during boot.
    # Any other interfaces are handled by other software in a later stage
    # of the boot process or in reaction to interface (dis)connect events.
    auto lo

    # Loopback interface
    # This interface should be brought up first so that it can be used to
    # set up the system's packet filtering policy *before* any interfaces
    # become available. To achieve this the `pre-up` phase is used.
    # The configuration below aims to implement a deny-all policy for all
    # but *solicited* replies and `localhost` traffic first.
    iface lo inet loopback
        ## Configure IPv4 packet filter policy
        pre-up /sbin/iptables -P INPUT DROP
        pre-up /sbin/iptables -A INPUT \
               --match state --state ESTABLISHED,RELATED \
               --jump ACCEPT
        pre-up /sbin/iptables -A INPUT \
               --source 127.0.0.1/8 --destination 127.0.0.1/8 \
               --jump ACCEPT
        down /sbin/iptables -F INPUT

    iface lo inet6 loopback
        ## Configure IPv6 packet filter policy
        pre-up /sbin/ip6tables -P INPUT DROP
        pre-up /sbin/ip6tables -A INPUT \
               --match state --state ESTABLISHED,RELATED \
               --jump ACCEPT
        pre-up /sbin/ip6tables -A INPUT \
               --source ::1/128 --destination ::1/128 \
               --jump ACCEPT
        down /sbin/ip6tables -F INPUT

    # Primary wired interface
    #allow-hotplug eth0
    iface eth0 inet dhcp

I nuked the wireless interface bit for brevity as it doesn't relate to setting up iptables.

For additional rules, see the iptables manual page and the iptables-extensions manual page. Other people may prefer using iptables-save/iptables-restore. You could hook those into /etc/network/interfaces instead.

Hope this helps,
-- 
Olaf Meeuwissen, LPIC-2            FSF Associate Member since 2004-01-27
 GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13 F43E B8A4 A88A F84A 2DD9
 Support Free Software                        https://my.fsf.org/donate
 Join the Free Software Foundation              https://my.fsf.org/join
Re: [DNG] How to firewall on Devuan?
On Wed, 24 Feb 2021 07:01:58 -0500 Steve Litt wrote:

> Hi all,
>
> I'm now at the stage where I need a firewall on my Devuan VM guest,
> and I don't know how to do it. I have the iptables package installed,
> and /usr/sbin/iptables is a command, but I have no idea where to go
> from there. Is there a file that iptables uses to define which ports
> are blocked?
>
> I'm used to iptables being a daemon, and that seems not to be the case
> in Devuan.
>
> Thanks,
>
> SteveT

Hi,

    apt install arno-iptables-firewall

it is the easiest to manage.

Ciao,
Tito
Re: [DNG] How to firewall on Devuan?
On 2021-02-24 at 13:01, Steve Litt wrote:

> Hi all,
>
> I'm now at the stage where I need a firewall on my Devuan VM guest,
> and I don't know how to do it.

Once (ipchains) I was in your place and searched, and liked a setup by someone called Bob Sully, whose work was later reworked for iptables by Craig Zeller. I still have that foundation, and eventually I will need to find its superseder for the next generation.

I let /etc/network/interfaces and ifup trigger my script, and it's a dynamic lease I need to protect.

If I google "Craig Zeller iptables" it comes first, at least for me.

//PG
Re: [DNG] How to firewall on Devuan?
On 2021-02-24 13:01, Steve Litt wrote:

> Hi all,
>
> I'm now at the stage where I need a firewall on my Devuan VM guest,
> and I don't know how to do it. I have the iptables package installed,
> and /usr/sbin/iptables is a command, but I have no idea where to go
> from there. Is there a file that iptables uses to define which ports
> are blocked?
>
> I'm used to iptables being a daemon, and that seems not to be the case
> in Devuan.

Maybe ufw is what you want.

https://ubuntu.com/server/docs/security-firewall
[DNG] How to firewall on Devuan?
Hi all,

I'm now at the stage where I need a firewall on my Devuan VM guest, and I don't know how to do it. I have the iptables package installed, and /usr/sbin/iptables is a command, but I have no idea where to go from there. Is there a file that iptables uses to define which ports are blocked?

I'm used to iptables being a daemon, and that seems not to be the case in Devuan.

Thanks,

SteveT

Steve Litt
Autumn 2020 featured book: Thriving in Tough Times
http://www.troubleshooters.com/thrive