gnewsense-dev

Re: [Gnewsense-dev] gNS 3 | the ufw firewall is not install & not present in aptitude


From: Lars Nooden
Subject: Re: [Gnewsense-dev] gNS 3 | the ufw firewall is not install & not present in aptitude
Date: Sun, 06 Dec 2009 11:01:36 +0200
User-agent: Thunderbird 2.0.0.23 (X11/20090817)

Karl Goetz wrote:
> It was written for Ubuntu (IIRC by a canonical person), it's not in
> Debian stable/metad.
> http://packages.debian.org/search?keywords=ufw

The more pieces there are, the greater the probability that at any given
time one of them is broken or misconfigured.  Instead of creating yet
another layer of complexity, ufw, there are two things to consider:

1a) the needs of intermediate users, specifically those that have
learned shell scripting, could be met by updating Rusty Russell's
IPTables Tutorial:

        http://www.frozentux.net/documents/iptables-tutorial/

1b) and supplemented with a second, more general-audience tutorial with
some of the more common activities written up.


2) If a 'default' firewall is needed, one way to do that while still
using tools that are part of the basic system would be to use either a
regular SysV or Upstart script.  That would be one way to provide a
packet filter out of the box while not requiring learning,
developing, maintaining, debugging and supporting yet another UI or
package.  The postscript below contains one primitive example.


There is also nftables to think about for more distant future versions
of gNewSense.  It is in the early alpha stage:
        http://netfilter.org/projects/nftables/

Regards,
/Lars

PS.

#!/bin/sh
# basic IP Tables-based IPv4 (and IPv6) filter
# Lars Nooden, address@hidden
# 25 Jan 2009

# Install with:
# update-rc.d firewall start 20 2 3 4 5 . stop 20 1 6 S .
#
# Note: at priority 20 in runlevels 2-5 the interfaces are already up
# (networking is brought up from rcS), so there is a short window at
# boot before the filter is loaded.

# See:
# http://refspecs.freestandards.org/LSB_3.1.0/LSB-Core-generic/LSB-Core-generic/initscrcomconv.html
# http://refspecs.freestandards.org/LSB_3.1.0/LSB-Core-generic/LSB-Core-generic/facilname.html

# For a non-init.d option, See Also:
# https://help.ubuntu.com/community/IptablesHowTo#Configuration%20on%20startup

### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $syslog
# Required-Stop:     $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start packet filter at boot time
# Description:       Enable packet filter provided by IP Tables.
### END INIT INFO

# load script logging functions
. /lib/lsb/init-functions

# The external interface the rules apply to.  Traffic on any other
# interface (other NICs, tunnels) falls through to the default policy,
# i.e. is refused.
IFACE=eth0

start_4filter()
{
   ##
   ## set default policies
   iptables --policy INPUT   DROP;              # has to be DROP,
   iptables --policy OUTPUT  DROP;              # default policy
   iptables --policy FORWARD DROP;              # won't use REJECT

   ##
   ## start fresh (the policies set above survive the flush)
   iptables -Z; # zero counters
   iptables -F; # flush (delete) rules
   iptables -X; # delete all extra chains

   ##
   ## inbound: loopback, replies to our own connections, rate-limited ping
   iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
   # (-m state is the match of this era; on current kernels the same rule
   # is written -m conntrack --ctstate ESTABLISHED,RELATED)
   iptables -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
   # allow the courtesy of at least a ping
   iptables -A INPUT -p icmp --icmp-type echo-request \
         -m limit --limit 1/s -i "$IFACE" -j ACCEPT

   ##
   ## outbound: loopback, and any TCP/UDP/ICMP on the external interface
   iptables -A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT
   iptables -A OUTPUT -p tcp  -o "$IFACE" -j ACCEPT
   iptables -A OUTPUT -p udp  -o "$IFACE" -j ACCEPT
   iptables -A OUTPUT -p icmp -o "$IFACE" -j ACCEPT

   # Default policy can't use REJECT, so we add these at the end.
   # Anything appended (-A) after this point is never reached, which is
   # why the add* functions below insert (-I) instead.
   iptables -A INPUT   -j REJECT;       # hack for changing default policy
   iptables -A OUTPUT  -j REJECT;       # from DROP to REJECT
   iptables -A FORWARD -j REJECT;       #
}

stop_4filter()
{
   ##
   ## set default policies to let everything in
   iptables --policy INPUT   ACCEPT;
   iptables --policy OUTPUT  ACCEPT;
   iptables --policy FORWARD ACCEPT;

   ##
   ## start fresh
   iptables -Z; # zero counters
   iptables -F; # flush (delete) rules
   iptables -X; # delete all extra chains
}

##
###
##

start_6filter()
{
   ##
   ## set default policies
   ip6tables --policy INPUT   DROP;     # has to be DROP,
   ip6tables --policy OUTPUT  DROP;     # default policy
   ip6tables --policy FORWARD DROP;     # won't use REJECT

   ##
   ## start fresh
   ip6tables -Z;        # zero counters
   ip6tables -F;        # flush (delete) rules
   ip6tables -X;        # delete all extra chains

   ##
   ## inbound
   ip6tables -A INPUT -i lo --source ::1/128 --destination ::1/128 -j ACCEPT
   ip6tables -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
   # Neighbour Discovery is carried in ICMPv6.  With a DROP policy and no
   # rule for it the host can neither resolve neighbours nor learn its
   # router, so IPv6 stops working entirely.
   for t in router-advertisement neighbor-solicitation neighbor-advertisement; do
      ip6tables -A INPUT -i "$IFACE" -p icmpv6 --icmpv6-type "$t" -j ACCEPT
   done
   # allow the courtesy of at least a ping
   ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request \
         -m limit --limit 1/s -i "$IFACE" -j ACCEPT

   ##
   ## outbound
   ip6tables -A OUTPUT -o lo --source ::1/128 --destination ::1/128 -j ACCEPT
   ip6tables -A OUTPUT -p tcp    -o "$IFACE" -j ACCEPT
   ip6tables -A OUTPUT -p udp    -o "$IFACE" -j ACCEPT
   # Was "-p icmp": in ip6tables that means IP protocol 1 (ICMPv4), which
   # never matches, so all outbound ICMPv6 (Neighbour Discovery included)
   # was being rejected.
   ip6tables -A OUTPUT -p icmpv6 -o "$IFACE" -j ACCEPT

   # Default policy can't use REJECT, so we add these at the end
   ip6tables -A INPUT   -j REJECT;      # hack for changing default policy
   ip6tables -A OUTPUT  -j REJECT;      # from DROP to REJECT
   ip6tables -A FORWARD -j REJECT;      #
}

stop_6filter()
{
   ##
   ## set default policies to let everything in
   ip6tables --policy INPUT   ACCEPT;
   ip6tables --policy OUTPUT  ACCEPT;
   ip6tables --policy FORWARD ACCEPT;

   ##
   ## start fresh
   ip6tables -Z; # zero counters
   ip6tables -F; # flush (delete) rules
   ip6tables -X; # delete all extra chains
}

start_ssh()
{
   # Rate-limited inbound SSH.  Run once, after "start": each call
   # inserts another copy of the rules.
   ip6tables -N SSH;    # create chain
   iptables  -N SSH;    # create chain

   # send new incoming SSH connections to the SSH chain.  Only NEW: packets
   # of established sessions are accepted by the ESTABLISHED rule in INPUT
   # and must not consume the limiter's tokens, otherwise one active
   # session would keep further logins locked out.
   ip6tables -I INPUT -i "$IFACE" -p tcp --destination-port 22 -m state --state NEW -j SSH;
   iptables  -I INPUT -i "$IFACE" -p tcp --destination-port 22 -m state --state NEW -j SSH;

   # The rules are inserted with -I, so the kernel evaluates them in the
   # reverse of the order written here: record the source address, reject
   # a source seen 4 or more times within 60 s, then accept at most one
   # connection per minute (burst 2) overall.  Anything over that limit
   # returns to INPUT and meets the final REJECT.

   # accept incoming connections, in moderation
   ip6tables -I SSH -i "$IFACE" -p tcp --destination-port 22 \
      -m limit --limit 1/minute --limit-burst 2 -j ACCEPT
   iptables  -I SSH -i "$IFACE" -p tcp --destination-port 22 \
      -m limit --limit 1/minute --limit-burst 2 -j ACCEPT

   # allow finite new connections per timelimit
   ip6tables -I SSH -p tcp --destination-port 22 -i "$IFACE" \
      -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j REJECT
   iptables  -I SSH -p tcp --destination-port 22 -i "$IFACE" \
      -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j REJECT

   ip6tables -I SSH -p tcp --destination-port 22 -i "$IFACE" \
      -m state --state NEW -m recent --set
   iptables  -I SSH -p tcp --destination-port 22 -i "$IFACE" \
      -m state --state NEW -m recent --set
}

start_squid()
{
   # inserted at the head of INPUT, i.e. ahead of the terminal REJECT
   ip6tables -I INPUT -i "$IFACE" -p tcp --destination-port 3128 -j ACCEPT
   iptables  -I INPUT -i "$IFACE" -p tcp --destination-port 3128 -j ACCEPT
}

##
###
##

main()
{
   case "$1" in
      start)
           log_daemon_msg "Loading packet filter rules" "iptables"
           start_4filter;
           start_6filter;
           log_end_msg $?
       ;;
      addssh)
           log_daemon_msg "Adding packet filter rules + ssh" "iptables"
           # start_4filter;
           # start_6filter;
           start_ssh;
           log_end_msg $?
       ;;
      addsquid)
           log_daemon_msg "Adding packet filter rules + squid" "iptables"
           # start_4filter;
           # start_6filter;
           start_squid;
           log_end_msg $?
       ;;
     stop)
           log_daemon_msg "Clearing packet filter rules" "iptables"
           stop_4filter;
           stop_6filter;
           log_end_msg $?
       ;;
     force-reload|restart)
       $0 stop
       $0 start
       ;;
     *)
       echo "Usage: $0 {start|addssh|addsquid|stop|restart|force-reload}"
       exit 1
       ;;
   esac
}

# allow several parameters to be used, in sequence, e.g. "start addssh"
while test -n "$1";  do
  main "$1";
  shift;
done;


exit 0
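
A check to go with a script like the one above, added here as an example; it is not part of Lars's script, of gNewSense, or of netfilter. It is a POSIX sh function that reads `iptables-save` / `ip6tables-save` output for the filter table and verifies the shape an init script of this kind is meant to leave behind: DROP policies on the three built-in chains, a loopback ACCEPT and an ESTABLISHED,RELATED ACCEPT in INPUT, and no rule sitting after an unconditional terminal REJECT or DROP (the result of appending with -A after `start` instead of inserting with -I). The function name `audit_filter` is my own, and both rulesets below are constructed samples written in iptables-save syntax, not output captured from a real host.

```shell
#!/bin/sh
# Audit a saved filter table (iptables-save / ip6tables-save format) for
# the invariants a DROP-policy boot-time firewall is meant to establish.
# Usage on a host:  iptables-save -t filter | audit_filter
# Exit status: 0 when every check passes, 1 when any FAIL line was printed.
audit_filter() {
    awk '
    # ":CHAIN POLICY [pkts:bytes]" lines: built-in chains must default to DROP
    /^:(INPUT|FORWARD|OUTPUT) / {
        if ($2 != "DROP") { print "FAIL: policy " $1 " is " $2 ", expected DROP"; fail++ }
        next
    }
    # "-A CHAIN ..." lines appear in the order the kernel evaluates them
    /^-A / {
        chain = $2
        if (dead[chain]) {
            print "FAIL: unreachable rule after terminal REJECT/DROP in " chain ": " $0; fail++
        }
        if (chain == "INPUT" && $0 ~ /-i lo / && $0 ~ /-j ACCEPT$/) lo_ok = 1
        if (chain == "INPUT" && $0 ~ /--state [A-Z,]*ESTABLISHED/ && $0 ~ /-j ACCEPT$/) est_ok = 1
        # an unconditional terminal rule: "-A CHAIN -j REJECT [--reject-with X]" or "-j DROP"
        if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP") && (NF == 4 || $5 == "--reject-with")) dead[chain] = 1
        next
    }
    END {
        if (!lo_ok)  { print "FAIL: INPUT never accepts loopback traffic"; fail++ }
        if (!est_ok) { print "FAIL: INPUT never accepts ESTABLISHED,RELATED (replies to our own connections)"; fail++ }
        if (!dead["INPUT"]) print "WARN: INPUT has no terminal REJECT; the DROP policy applies silently"
        if (fail > 0) exit 1
        print "OK: ruleset has the expected shape"
        exit 0
    }'
}

# Constructed sample (not captured from a real host) of what
# "iptables-save -t filter" should print after "firewall start addssh".
SAMPLE_GOOD='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:SSH - [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j SSH
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT
-A OUTPUT -o eth0 -p tcp -j ACCEPT
-A OUTPUT -o eth0 -p udp -j ACCEPT
-A OUTPUT -o eth0 -p icmp -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A SSH -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A SSH -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j REJECT --reject-with icmp-port-unreachable
-A SSH -i eth0 -p tcp -m tcp --dport 22 -m limit --limit 1/min --limit-burst 2 -j ACCEPT
COMMIT'

# Constructed counter-example: INPUT left at ACCEPT, and a squid rule
# appended with -A after the terminal REJECT, where it can never match.
SAMPLE_BAD='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 3128 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Run both samples; the script carries on whatever the result.
printf '%s\n' "$SAMPLE_GOOD" | audit_filter && echo "good sample passed"
printf '%s\n' "$SAMPLE_BAD"  | audit_filter || echo "bad sample failed, as intended"
```

On a live host run it twice, once on `iptables-save -t filter` and once on `ip6tables-save -t filter`, for instance from the init script's `start` branch after the rules are loaded, so a lockout-prone ruleset is reported in the boot log rather than discovered at the next remote login. The unreachable-rule check is the one that catches the common editing mistake: once `-A INPUT -j REJECT` is in place, every later `-A` is dead and only `-I` takes effect.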




