Re: recommend hardware firewall

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 04/05/2010 11:51 AM, Rick Stevens wrote:
> On 04/05/2010 11:33 AM, Michael Miles wrote:
>    
>> On 04/05/2010 10:15 AM, Mikkel wrote:
>>      
>>> On 04/05/2010 11:51 AM, Michael Miles wrote:
>>>
>>>        
>>>> On 04/05/2010 09:34 AM, Mikkel wrote:
>>>>
>>>>          
>>>>> On 04/05/2010 11:16 AM, Michael Miles wrote:
>>>>>
>>>>>
>>>>>            
>>>>>> I'm not too bad with firewalls but I am used to more detailed firewall
>>>>>> software.
>>>>>> I just came from the hell they call Win 7 and I was using Bitdefender
>>>>>> for the last couple of years.
>>>>>> I'm just using the firewall that comes with Fedora 12, is there better
>>>>>> firewall software out there.
>>>>>>
>>>>>>
>>>>>>
>>>>>>              
>>>>> Not for the actual firewall, but there are different front-ends for
>>>>> configuring it. You can pick the one that works best for you, or
>>>>> write your own firewall rules by hand.
>>>>>
>>>>> The actual firewall is part of the kernel. What the firewall
>>>>> software does is help you configure that firewall. When I played
>>>>> with Windows, the firewall was an add-on - kind of an afterthought.
>>>>> I don't know if this is still true.
>>>>>
>>>>> Mikkel
>>>>>
>>>>>
>>>>>            
>>>> It is all add on with windows
>>>>
>>>> I tell you my 4 core Phenom II 945 has more than doubled speed going
>>>> from Win 7 x64 to Fedora 12.
>>>>
>>>> These front ends for the firewall in Fedora. Is there one in particular
>>>> the you use
>>>>
>>>> Michael
>>>>
>>>>          
>>> I usually use system-config-firewall, as the needs on my desktop and
>>> laptop are fairly simple. I do have 2 sets of rules for the laptop,
>>> depending on weather I am home or traveling. When I am home, the
>>> network is behind a hardware firewall as well. But your needs may
>>> differ from mine.
>>>
>>> On a side note, if you want to see the firewall rules set up by the
>>> front end, take a look a /etc/sysconfing/iptables and ip6tables. You
>>> can also run "iptables -L" to see the rules currently in affect. The
>>> iptables command will also let you modify rules without going
>>> through a GUI.
>>>
>>> Mikkel
>>>
>>>        
>> It looks like the default desktop config for firewall lets everything
>> through
>>
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>> ACCEPT     all  --  anywhere             anywhere            state
>> RELATED,ESTABLISHED
>> ACCEPT     icmp --  anywhere             anywhere
>> ACCEPT     all  --  anywhere             anywhere
>> ACCEPT     all  --  anywhere             anywhere
>> ACCEPT     ah   --  anywhere             anywhere
>> ACCEPT     esp  --  anywhere             anywhere
>> ACCEPT     udp  --  anywhere             224.0.0.251         state NEW
>> udp dpt:mdns
>> ACCEPT     udp  --  anywhere             anywhere            state NEW
>> udp dpt:ipp
>> ACCEPT     udp  --  anywhere             anywhere            state NEW
>> udp dpt:netbios-ns
>> ACCEPT     udp  --  anywhere             anywhere            state NEW
>> udp dpt:netbios-dgm
>> REJECT     all  --  anywhere             anywhere            reject-with
>> icmp-host-prohibited
>>
>> Chain FORWARD (policy ACCEPT)
>> target     prot opt source               destination
>> ACCEPT     all  --  anywhere             anywhere            state
>> RELATED,ESTABLISHED
>> ACCEPT     icmp --  anywhere             anywhere
>> ACCEPT     all  --  anywhere             anywhere
>> ACCEPT     all  --  anywhere             anywhere
>> REJECT     all  --  anywhere             anywhere            reject-with
>> icmp-host-prohibited
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>>
>>
>>
>>
>> This is my iptables file
>>
>>      :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -A INPUT -p icmp -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>> -A INPUT -i eth+ -j ACCEPT
>> -A INPUT -p ah -j ACCEPT
>> -A INPUT -p esp -j ACCEPT
>> -A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251
>> -j ACCEPT
>> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
>> -A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
>> -A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
>> -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -A FORWARD -p icmp -j ACCEPT
>> -A FORWARD -i lo -j ACCEPT
>> -A FORWARD -i eth+ -j ACCEPT
>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>> COMMIT
>>
>>
>>
>> And ip6tables
>>
>>
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -A INPUT -p ipv6-icmp -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>> -A INPUT -i eth+ -j ACCEPT
>> -A INPUT -m ipv6header --header ah -j ACCEPT
>> -A INPUT -m ipv6header --header esp -j ACCEPT
>> -A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d ff02::fb -j
>> ACCEPT
>> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
>> -A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
>> -A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
>> -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -A FORWARD -p ipv6-icmp -j ACCEPT
>> -A FORWARD -i lo -j ACCEPT
>> -A FORWARD -i eth+ -j ACCEPT
>> -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
>> -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
>> COMMIT
>>      
> Make sure you do "iptables -L -n -v".  You'll find that a lot of the
> open ports are actually restricted to lo (the loopback) on a standard
> install, and the "ESTABLISHED,RELATED" stuff is to permit two-way I/O
> initiated by the local machine (e.g. web browsing and the like).
> ----------------------------------------------------------------------
> - Rick Stevens, Systems Engineer, C2 Hosting          ricks@xxxxxxxx -
> - AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
> -                                                                    -
> -           Lottery: A tax on people who are bad at math.            -
> ----------------------------------------------------------------------
>    



\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source               
destination
8664K   17G ACCEPT     all  --  *      *       0.0.0.0/0            
0.0.0.0/0           state RELATED,ESTABLISHED
   485 29100 ACCEPT     icmp --  *      *       0.0.0.0/0            
0.0.0.0/0
  107K 6417K ACCEPT     all  --  lo     *       0.0.0.0/0            
0.0.0.0/0
53557 8058K ACCEPT     all  --  eth+   *       0.0.0.0/0            
0.0.0.0/0
     0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            
0.0.0.0/0
     0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            
0.0.0.0/0
     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            
224.0.0.251         state NEW udp dpt:5353
     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            
0.0.0.0/0           state NEW udp dpt:631
     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            
0.0.0.0/0           state NEW udp dpt:137
     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            
0.0.0.0/0           state NEW udp dpt:138
     0     0 REJECT     all  --  *      *       0.0.0.0/0            
0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source               
destination
     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            
0.0.0.0/0           state RELATED,ESTABLISHED
     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            
0.0.0.0/0
     0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            
0.0.0.0/0
     0     0 ACCEPT     all  --  eth+   *       0.0.0.0/0            
0.0.0.0/0
     0     0 REJECT     all  --  *      *       0.0.0.0/0            
0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 9017K packets, 18G bytes)
  pkts bytes target     prot opt in     out     source               
destination
[root@localhost amiga5]#

This is the output from the latest command
iptables -L -n -v

I am downloading right now when I executed command

It is somewhat confusing compared to years of Bitdefender
But I would not go back for anything.



Thank you for your help, I really appreciate it.


-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux