
Re: firewall newbie questions



On Sat, 10 Apr 2004, Jonas Meurer wrote:
> On 10/04/2004 Daniel Pittman wrote:

[...]

>> > maybe you can point me to the right docs or simply to the right
>> > firewall tools.
>> 
>> Well, I use and recommend the 'firehol' script for this sort of work. 
>> It is quite simple to set up initially, but also very powerful and
>> able to integrate anything you want to do nicely.
>> 
>> It is packaged in testing and unstable, or trivial to backport as it
>> has no real dependencies other than bash, awk and so on.
> 
> yea, sounds really nice, but yesterday I fucked my system with fiaif
> only by executing an 'iptables -F INPUT' and this way locking out
> everything from my server.

Ouch.  One of the reasons that I use firehol is that I have done the
same thing a couple of times myself, on my home server.

> To prevent this, I don't plan to install some firewall scripts that
> have a paranoid default configuration and this way block for example
> the ssh server -> don't allow any login from remote any longer.

*nod*  That would be one path. 

> Since the package you recommended, 'firehol', has a note in its
> description, called: "The default configuration file will allow only
> client traffic on PPP and ethernet interfaces.", I'm a little bit
> confused about whether to install the package.

That should indicate that the default configuration is *NOT* enabled by
default, and you need to manually activate firehol before it installs
the rules file.

So, you would be safe remotely installing it.

Once you have the package there, there are two key commands for you:

] firehol-wizard

This will generate a firehol configuration script (but not install it)
that tries to match your current system.

It is actually pretty darn good at getting it right, and will give you a
much more useful point to start from with writing your rules.

] firehol try

That is the *real* key, though.  If you do that, firehol will process
its configuration file and install the new firewall.

It will then wait 30 seconds for you to type 'commit' manually, or it
will restore the previous firewall.

So, if you screw up and SSH no longer works, after 30 (very long, as I
know from experience :) seconds your firewall is restored, and it works
again.


Also, I note that Juerg Schneider showed how to write your own version
of this routine in a follow-up post.  That is the other path - I am
happy that someone else did the work for me. :)


I hope that makes you a bit more comfortable than the package
description suggests. I will file a wishlist bug against the package to
ask that this be improved.

    Daniel

-- 
If you want to learn to love better, you should start
with a friend who you hate.
        -- Nikka (age 6)
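The commit-or-rollback behaviour described in the post above, as an added example. This is not firehol's own code and not the routine from the list thread; it assumes the iptables-save and iptables-restore tools from the iptables package, a rules file in iptables-save format, and the hypothetical function name try_rules with its optional SAVE_CMD/RESTORE_CMD arguments (which exist only so the logic can be exercised against a fake firewall).

```shell
#!/bin/sh
# Added example (not firehol's code, not from the list post): a minimal
# try/commit/rollback loader for an iptables ruleset, in the spirit of
# "firehol try". Assumes iptables-save / iptables-restore from the iptables
# package; RULES_FILE is in iptables-save format. The function try_rules and
# its argument list are this example's own invention.
set -u

# try_rules RULES_FILE TIMEOUT [SAVE_CMD] [RESTORE_CMD]
#   Snapshots the live ruleset, loads RULES_FILE, then waits TIMEOUT seconds
#   for the word "commit" on stdin. Any other answer, EOF (the SSH session
#   died) or silence puts the old ruleset back.
#   SAVE_CMD/RESTORE_CMD default to iptables-save/iptables-restore.
#   Exit status: 0 committed, 1 rolled back, 2 new rules refused to load.
try_rules() {
    rules_file=$1
    timeout=$2
    save_cmd=${3:-iptables-save}
    restore_cmd=${4:-iptables-restore}
    backup=$(mktemp) || return 2
    marker="$backup.rolledback"

    # 1. snapshot the currently active rules so they can be put back verbatim
    if ! $save_cmd > "$backup"; then
        rm -f "$backup"; return 2
    fi

    # 2. load the candidate ruleset; iptables-restore swaps whole tables in
    #    one call, so a rejected file leaves the old rules in place
    if ! $restore_cmd < "$rules_file"; then
        echo "new rules rejected, old rules still active" >&2
        rm -f "$backup"; return 2
    fi

    # 3. watchdog: an independent background process restores the snapshot
    #    after TIMEOUT. It does not depend on this terminal staying alive,
    #    which is the whole point when the new rules cut off your SSH session.
    #    Once the timer has fired it ignores TERM, so a late "commit" cannot
    #    interrupt a restore that is already under way.
    ( sleep "$timeout"; trap '' TERM
      $restore_cmd < "$backup" && : > "$marker" ) </dev/null >/dev/null 2>&1 &
    watchdog=$!

    echo "new rules active; type 'commit' within ${timeout}s to keep them"
    answer=''
    read -r answer || answer=''          # EOF counts as "no commit"

    kill "$watchdog" 2>/dev/null || :
    wait "$watchdog" 2>/dev/null || :    # non-zero when we killed it; fine

    if [ -e "$marker" ]; then
        # the timer won: the snapshot is already back
        echo "timeout expired, previous rules restored" >&2
        rm -f "$backup" "$marker"; return 1
    fi

    if [ "$answer" = commit ]; then
        rm -f "$backup"; return 0
    fi
    # explicit decline or dead session: restore now rather than waiting
    if ! $restore_cmd < "$backup"; then
        echo "warning: restoring the snapshot failed" >&2
    fi
    echo "rolled back to previous rules" >&2
    rm -f "$backup"; return 1
}

# usage as a script: sh try-rules.sh /etc/firewall.rules 30
if [ -n "${1:-}" ]; then
    try_rules "$1" "${2:-30}"
fi
```

The important design point is that the rollback runs in a separate background process rather than after the `read`: if the new rules drop your SSH session, nothing will ever type "commit", and the foreground shell may be gone too, so the timer must survive on its own. The marker file lets the foreground tell "you declined" apart from "the timer already restored", which matters when an answer arrives just after the deadline.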
