[aklug] Re: Firewall

From: James Zuelow <James_Zuelow@ci.juneau.ak.us>
Date: Mon May 11 2009 - 16:20:24 AKDT

> -----Original Message-----
> From: aklug-bounce@aklug.org [mailto:aklug-bounce@aklug.org]
> On Behalf Of Joshua J. Kugler
> Sent: Monday, 11 May, 2009 15:28
> To: aklug@aklug.org
> Subject: [aklug] Re: Firewall
>
> On Monday 11 May 2009, captgoodnight captgoodnight said
> something like:
> > Dig into iptables, stay away from graphical front ends until you
> > understand the under current syntax, thus improving your
> > understanding of tcp/ip and iptables...
> > > Question: What programs do you guys use for firewalls on your PCs?
> > >
> > > I never used firewall software on my PCs because they were hidden
> > > behind a router running a firewall distro, and I'm pretty careful
> > > about what services I install. But I thought I should probably have
> > > something in place on my laptop.
> > >
> > > The laptop is 32-bit Debian, running an XFCE DE I installed from
> > > the ground up.
>
> Once you have a basic understanding of IPTables, check out
> Shorewall. It is quite useful for even simple firewalls, and the config is all
> text-file based, and I think there are GUIs if you really want it.
>
> j

Christopher --

I'm another one that sets up firewalls on EVERY box I build.

Here's a quick firewall checklist. If you can implement this in iptables you're doing ok. Given that it's been a couple of hours since your post, I figure you are probably done already. But just in case:

1) Set policies: drop incoming, drop forward, accept outgoing.
2) Accept any traffic going to or coming from your loopback interface. This is important.
3) Accept any traffic that has a state of related or established.
4) If you use something like OpenVPN, accept any traffic on its interface. (OpenVPN likes tun0, etc.)
5) Drop everything else.

If you set that up on a laptop, you can browse the net and connect to other machines on your LAN. When you're away from home your VPN still works. But nobody can connect to you at all.

And really, iptables syntax is pretty easy. The only mildly strange entry in the list above is the state matching.

I think the biggest newbie error is forgetting to accept stuff from loopback. Then things tend to break.
Received on Mon May 11 16:21:14 2009
