Re: [Gnewsense-dev] gNS 3 | the ufw firewall is not install & not present in aptitude

From: Lars Nooden
Subject: Re: [Gnewsense-dev] gNS 3 | the ufw firewall is not install & not present in aptitude
Date: Sun, 06 Dec 2009 11:01:36 +0200
User-agent: Thunderbird 2.0.0.23 (X11/20090817)
Karl Goetz wrote:
> It was written for Ubuntu (IIRC by a canonical person), it's not in
> Debian stable/metad.
> http://packages.debian.org/search?keywords=ufw
The more pieces there are, the greater the probability that at any given
time one of them is broken or misconfigured. Instead of creating yet
another layer of complexity, ufw, there are two things to consider:
1a) the needs of intermediate users, specifically those that have
learned shell scripting, could be met by updating Rusty Russell's
IPTables Tutorial:
http://www.frozentux.net/documents/iptables-tutorial/
1b) and supplemented with a second, more general audience Tutorial with
some of the more common activities written up.
2) If a 'default' firewall is needed, one way to do that while still
using tools that are part of the basic system would be to use either a
regular systemv or upstart script. That would be one way to provide a
packet filter out of the box at the same time as not requiring learning,
developing, maintaining, debugging, supporting yet another UI or
package. The postscript below contains one primitive example.
There is also nftables to think about for more distant future versions
of gNewSense. It is in the early alpha stage:
http://netfilter.org/projects/nftables/
Regards,
/Lars
PS.
#!/bin/sh
# basic IP Tables-based IPv4 filter
# Lars Nooden, address@hidden
# 25 Jan 2009
# update-rc.d firewall start 20 2 3 4 5 . stop 20 1 6 S .
# See:
# http://refspecs.freestandards.org/LSB_3.1.0/LSB-Core-generic/LSB-Core-generic/initscrcomconv.html
# http://refspecs.freestandards.org/LSB_3.1.0/LSB-Core-generic/LSB-Core-generic/facilname.html
# For a non-init.d option, See Also:
# https://help.ubuntu.com/community/IptablesHowTo#Configuration%20on%20startup
### BEGIN INIT INFO
# Provides: firewall
# Required-Start: $syslog
# Required-Stop: $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start packet filter at boot time
# Description: Enable packet filter provided by IP Tables.
### END INIT INFO
# load script logging functions
. /lib/lsb/init-functions
start_4filter()
{
##
## set default policies
iptables --policy INPUT DROP; # has to be DROP,
iptables --policy OUTPUT DROP; # default policy
iptables --policy FORWARD DROP; # won't use REJECT
##
## start fresh
iptables -Z; # zero counters
iptables -F; # flush (delete) rules
iptables -X; # delete all extra chains
##
##
iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow the courtesy of at least a ping
iptables -A INPUT -p icmp --icmp-type echo-request \
-m limit --limit 1/s -i eth0 -j ACCEPT
##
##
iptables -A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT
iptables -A OUTPUT -p tcp -o eth0 -j ACCEPT
iptables -A OUTPUT -p udp -o eth0 -j ACCEPT
iptables -A OUTPUT -p icmp -o eth0 -j ACCEPT
# Default policy can't use REJECT, so we add these at the end
iptables -A INPUT -j REJECT; # hack for changing default policy
iptables -A OUTPUT -j REJECT; # from DROP to REJECT
iptables -A FORWARD -j REJECT; #
}
stop_4filter()
{
##
## set default policies to let everything in
iptables --policy INPUT ACCEPT;
iptables --policy OUTPUT ACCEPT;
iptables --policy FORWARD ACCEPT;
##
## start fresh
iptables -Z; # zero counters
iptables -F; # flush (delete) rules
iptables -X; # delete all extra chains
}
##
###
##
start_6filter()
{
##
## set default policies
ip6tables --policy INPUT DROP; # has to be DROP,
ip6tables --policy OUTPUT DROP; # default policy
ip6tables --policy FORWARD DROP; # won't use REJECT
##
## start fresh
ip6tables -Z; # zero counters
ip6tables -F; # flush (delete) rules
ip6tables -X; # delete all extra chains
##
##
ip6tables -A INPUT -i lo --source ::1/128 --destination ::1/128 -j ACCEPT
ip6tables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow the courtesy of at least a ping
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request \
-m limit --limit 1/s -i eth0 -j ACCEPT
##
##
ip6tables -A OUTPUT -o lo --source ::1/128 --destination ::1/128 -j ACCEPT
ip6tables -A OUTPUT -p tcp -o eth0 -j ACCEPT
ip6tables -A OUTPUT -p udp -o eth0 -j ACCEPT
# ICMPv6 is protocol 58, not "icmp" (protocol 1); IPv6 neighbour
# discovery rides on ICMPv6, so outgoing ICMPv6 must be allowed or the
# host cannot resolve link-layer addresses. Note that the INPUT chain
# above admits only echo-request, so neighbour/router solicitations
# from other hosts are still dropped.
ip6tables -A OUTPUT -p icmpv6 -o eth0 -j ACCEPT
# Default policy can't use REJECT, so we add these at the end
ip6tables -A INPUT -j REJECT; # hack for changing default policy
ip6tables -A OUTPUT -j REJECT; # from DROP to REJECT
ip6tables -A FORWARD -j REJECT; #
}
stop_6filter()
{
##
## set default policies to let everything in
ip6tables --policy INPUT ACCEPT;
ip6tables --policy OUTPUT ACCEPT;
ip6tables --policy FORWARD ACCEPT;
##
## start fresh
ip6tables -Z; # zero counters
ip6tables -F; # flush (delete) rules
ip6tables -X; # delete all extra chains
}
start_ssh()
{
ip6tables -N SSH; # create chain
iptables -N SSH; # create chain
# send all incoming SSH traffic to SSH chain
ip6tables -I INPUT -i eth0 -p tcp --destination-port 22 -j SSH;
iptables -I INPUT -i eth0 -p tcp --destination-port 22 -j SSH;
# accept incoming connections, in moderation
ip6tables -I SSH -i eth0 -p tcp --destination-port 22 \
-m limit --limit 1/minute --limit-burst 2 -j ACCEPT
iptables -I SSH -i eth0 -p tcp --destination-port 22 \
-m limit --limit 1/minute --limit-burst 2 -j ACCEPT
# allow finite new connections per timelimit
ip6tables -I SSH -p tcp --destination-port 22 -i eth0 \
-m state --state NEW -m recent --update --seconds 60 --hitcount 4 \
-j REJECT
iptables -I SSH -p tcp --destination-port 22 -i eth0 \
-m state --state NEW -m recent --update --seconds 60 --hitcount 4 \
-j REJECT
ip6tables -I SSH -p tcp --destination-port 22 -i eth0 \
-m state --state NEW -m recent --set
iptables -I SSH -p tcp --destination-port 22 -i eth0 \
-m state --state NEW -m recent --set
}
start_squid()
{
ip6tables -I INPUT -i eth0 -p tcp --destination-port 3128 -j ACCEPT
iptables -I INPUT -i eth0 -p tcp --destination-port 3128 -j ACCEPT
}
##
###
##
main()
{
case "$1" in
start)
log_daemon_msg "Loading packet filter rules" "iptables"
start_4filter;
start_6filter;
log_end_msg $?
;;
addssh)
log_daemon_msg "Adding packet filter rules + ssh" "iptables"
# start_4filter;
# start_6filter;
start_ssh;
log_end_msg $?
;;
addsquid)
log_daemon_msg "Adding packet filter rules + squid" "iptables"
# start_4filter;
# start_6filter;
start_squid;
log_end_msg $?
;;
stop)
log_daemon_msg "Clearing packet filter rules" "iptables"
stop_4filter;
stop_6filter;
log_end_msg $?
;;
force-reload|restart)
$0 stop
$0 start
;;
*)
echo "Usage: $0 {start|addssh|addsquid|stop|restart|force-reload}"
exit 1
;;
esac
}
# allow several parameters to be used, in sequence
while test -n "$1"; do
main $1;
shift;
done;
exit 0
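The init script above relies on three properties holding once it has run: every built-in chain has policy DROP, each chain ends with a REJECT catch-all (the "hack" that turns the DROP policy into REJECT), and nothing in INPUT accepts traffic without naming an interface or address. Those are easy to lose when someone runs `stop` and then only `addsquid`, or edits the script by hand. The following POSIX sh audit, added here as an example and not part of Lars's post or the gNewSense tree, checks those properties against saved `iptables -S` output. The two rulesets it tests against are constructed samples embedded in the script; the function names are my own.

```shell
#!/bin/sh
# Added example: audit a filter-table ruleset in `iptables -S` format for
# the invariants the firewall init script assumes. Usage on a live host:
#   iptables -S > rules.txt ; sh audit.sh rules.txt   (or ip6tables -S)
# Exit status of audit() is the number of findings (0 = clean).

# policy_of FILE CHAIN -> prints the chain's default policy, or UNKNOWN
policy_of() {
    p=$(awk -v c="$2" '$1 == "-P" && $2 == c { print $3 }' "$1")
    [ -n "$p" ] && printf '%s\n' "$p" || printf 'UNKNOWN\n'
}

# last_rule_target FILE CHAIN -> target of the last rule appended to CHAIN
# (NONE if the chain has no rules); the catch-all must be the last one.
last_rule_target() {
    awk -v c="$2" '
        $1 == "-A" && $2 == c { for (i = 3; i <= NF; i++) if ($i == "-j") t = $(i + 1) }
        END { print (t == "" ? "NONE" : t) }' "$1"
}

# count_unrestricted_accepts FILE CHAIN -> number of ACCEPT rules in CHAIN
# that name neither an interface (-i/-o) nor a source/destination (-s/-d).
count_unrestricted_accepts() {
    awk -v c="$2" '
        $1 == "-A" && $2 == c && / -j ACCEPT/ {
            restricted = 0
            for (i = 3; i <= NF; i++)
                if ($i == "-i" || $i == "-o" || $i == "-s" || $i == "-d") restricted = 1
            if (!restricted) n++
        }
        END { print n + 0 }' "$1"
}

# audit FILE -> one line per finding on stdout; returns the finding count
audit() {
    findings=0
    for chain in INPUT OUTPUT FORWARD; do
        pol=$(policy_of "$1" "$chain")
        if [ "$pol" != "DROP" ]; then
            echo "FINDING: $chain policy is $pol, expected DROP"
            findings=$((findings + 1))
        fi
        if [ "$(last_rule_target "$1" "$chain")" != "REJECT" ]; then
            echo "FINDING: $chain has no trailing REJECT catch-all"
            findings=$((findings + 1))
        fi
    done
    n=$(count_unrestricted_accepts "$1" INPUT)
    if [ "$n" -gt 0 ]; then
        echo "FINDING: INPUT has $n ACCEPT rule(s) with no interface or address restriction"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: what `iptables -S` prints after `firewall start addssh`
sample_good() {
cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N SSH
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j SSH
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT
-A OUTPUT -o eth0 -p tcp -j ACCEPT
-A OUTPUT -o eth0 -p udp -j ACCEPT
-A OUTPUT -o eth0 -p icmp -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A SSH -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A SSH -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j REJECT --reject-with icmp-port-unreachable
-A SSH -i eth0 -p tcp -m tcp --dport 22 -m limit --limit 1/min --limit-burst 2 -j ACCEPT
EOF
}

# Constructed sample: the state after `firewall stop` followed by a hand-added
# squid rule, i.e. policies back to ACCEPT and no catch-all
sample_bad() {
cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
EOF
}

# When given a file argument, audit it; otherwise just define the functions.
if [ -n "$1" ]; then
    audit "$1"
fi
```

The checks are deliberately structural rather than semantic: they do not simulate packet flow, only confirm that the policy, the catch-all and the interface restrictions the script puts in place are still present. Run it against `ip6tables -S` output as well, since the two rulesets are maintained separately.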