
Re: Newbie friendly security and firewall docs (cookbook?)



On Sun, 12 Oct 2014 15:20:27 +0100
Lisi Reisz <lisi.reisz@gmail.com> wrote:


> 
> Quite.  It is ALL there.  I keep hoping that something will be the
> basics for beginners (which is where we started on this thread).
> Teaching notes for college sounded great. 
> 
You basically have two options, to use a firewall tool, or to hack a
script yourself. The existing tools, last time I looked, aren't really
that versatile; they are intended to make simple firewalls using a GUI.
That's reasonable, because once you want something a bit unusual, any
tool is likely to be no easier to use than the iptables commands
themselves. I've (long ago) driven the 'sophisticated' Windows ISA
firewall, and honestly, I'd rather have produced a list of iptables
rules, when at least I'd have known for sure what was going on, and in
what order.

Did you try the horse's mouth, the creator of netfilter/iptables? These
documents are fairly old (a few commands have changed, and Debian now has
a bit of infrastructure to help with maintaining the firewall), but they
may help a bit. New concepts can be easier to deal with if you can try
two or three different views, and the bits you understand in one view
can shed light on obscure bits in another.

http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html
http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-1.html

Chapter 5 of the first document, all dozen or so lines of it, shows how
simple an anything-out-nothing-in-except-replies firewall can be. Mr
Russell has oversimplified a bit, you would generally need to make
provision for packets from one localhost (lo) port to another, but
that's only another line. There are plenty of other example scripts
around, some with out-of-date commands, but that doesn't change the
principles. You can learn much more quickly from an actual working
script than by reading a dry list of options to the iptables command. A
diagram, such as the one on this page, helps a lot:

http://www.sibbald.com/unixutil/iptables-firewall.html

The 'local process', by the way, represents the computer itself, and
makes clear that the FORWARD chain applies only to packets that will
never enter or leave the computer's own applications and will only be
passed on from one network interface to another. The 'Network' at the
top and bottom of the diagram means *all* physical and virtual
interfaces.

-- 
Joe


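As an added example (not Joe's script, and not the code from the netfilter HOWTO), here is the anything-out-nothing-in-except-replies firewall he describes, with the extra lo line, written as a small shell script. It emits the ruleset in iptables-restore format so the whole thing is loaded in one atomic step rather than as a sequence of individual iptables commands. Assumptions that are mine and not in the thread: IPv4 only; the conntrack match is available (the HOWTO's older "-m state --state" spelling still works on current iptables); the host does not route, so FORWARD is dropped as well; and an optional administration port, if given, is plain TCP (22 for SSH, say).

```shell
#!/bin/sh
# Added example, not from the thread or the netfilter HOWTO: an
# "anything out, nothing in except replies" host firewall emitted in
# iptables-restore format, so the ruleset is loaded atomically.
#
# Assumptions (mine, not the original post's): IPv4 only; the conntrack
# match is present ("-m state --state" is the older spelling); the host
# does not route, so FORWARD is dropped; the admin port, if any, is TCP.

# Print the ruleset.  $1, if non-empty, is a TCP port to leave open for
# inbound administration.  Without it a remote admin's current session
# survives (the replies rule keeps it), but no new session can be opened.
gen_ruleset() {
    admin_port=$1
    # Refuse a bad port here rather than let iptables-restore choke on it
    # halfway through the load.
    if [ -n "$admin_port" ]; then
        case $admin_port in
            *[!0-9]*) return 1 ;;
        esac
        [ "$admin_port" -ge 1 ] && [ "$admin_port" -le 65535 ] || return 1
    fi
    echo '*filter'
    # Default policies: anything not accepted below is dropped.  OUTPUT
    # stays ACCEPT, which is the "anything out" half.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # The extra line Joe mentions: local processes talking to each other
    # over the loopback interface.
    echo '-A INPUT -i lo -j ACCEPT'
    # The "except replies" half: packets belonging to a connection this
    # host opened (ESTABLISHED) or that conntrack ties to one (RELATED,
    # e.g. ICMP errors, or FTP data channels if the ftp helper is loaded).
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    if [ -n "$admin_port" ]; then
        echo "-A INPUT -p tcp --dport $admin_port -m conntrack --ctstate NEW -j ACCEPT"
    fi
    echo 'COMMIT'
}

# Load the ruleset atomically (root required).  "iptables-restore --test"
# parses the whole file first, so a typo fails before any live rule moves.
apply_ruleset() {
    rules=$(gen_ruleset "$1") || { echo "bad admin port: '$1'" >&2; return 1; }
    printf '%s\n' "$rules" | iptables-restore --test || return 1
    printf '%s\n' "$rules" | iptables-restore
}

# Check what is actually live rather than what we meant to load:
# "iptables -S INPUT" prints the chain policy first, then the rules.
verify_live() {
    [ "$(iptables -S INPUT | head -n 1)" = '-P INPUT DROP' ] &&
    iptables -S INPUT | grep -q '^-A INPUT -i lo -j ACCEPT$' &&
    iptables -S INPUT | grep -qE -- '--ctstate (ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT$'
}

# Usage:  sh fw.sh               print the ruleset
#         sh fw.sh apply [port]  load it as root, then verify it took
case ${1:-show} in
    show)  gen_ruleset "${2:-}" ;;
    apply) apply_ruleset "${2:-}" && verify_live && echo 'firewall live' ;;
esac
```

Two caveats a practitioner would add. First, this covers IPv4 only: ip6tables keeps its own tables, and a copy of this ruleset there would also have to accept ICMPv6, since neighbour discovery is not a "reply" in conntrack's sense and dropping it kills IPv6 outright. Second, the order of the two ACCEPT rules does not matter here, but anything you later add that ends in DROP or REJECT must come after the replies rule, or established connections start losing packets.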