
Thread: Setting up secure firewalls

  1. #1
    Join Date
    Jul 2012
    Location
    SuperUserLand
    Posts
    538

    Setting up secure firewalls

    So I have been messing around with firewalld in fedora and a few iptable frontends in ubuntu...


    but


    I still haven't found a way to restrict traffic just the way I like: only allowing outgoing connections from ports 80 and 443.


    not only that what I really like is interactive firewalls that flag every single process that tries to establish a connection.

    Is there anything like that in the linux ecosystem?

    firewallbuilder just confused the shit out of me and UGFW doesn't allow whitelisting only blacklisting.


    Fedora's firewall seems good but even when I deselect all services and reject icmp I don't really know how to restrict it to ports 80 and 443

  2. #2
    Join Date
    Feb 2008
    Location
    Linuxland
    Posts
    5,269


    firewallbuilder just confused the shit out of me and UGFW doesn't allow whitelisting only blacklisting.

    Fedora's firewall seems good but even when I deselect all services and reject icmp I don't really know how to restrict it to ports 80 and 443
    This translates to
    "The GUIs won't let me do what I want"

    The solution
    man iptables


    This post brought to you in writing style very similar to that of Pallidus

  3. #3
    Join Date
    Jul 2012
    Location
    SuperUserLand
    Posts
    538


    Where can I find a list of console codes I can copy and paste to configure iptables


    ????

  4. #4
    Join Date
    Jul 2009
    Location
    Germany
    Posts
    523


    Quote Originally Posted by Pallidus
    Where can I find a list of console codes I can copy and paste to configure iptables


    ????
    If you care about security you shouldn't just paste commands you don't understand from the internet in your terminal ;-) AFAIK fedora has the iptables setup in a way where everything is blocked. If you only want 80 and 443 you just have to whitelist ("trusted service") these ports with 'system-config-firewall'.

  5. #5
    Join Date
    Feb 2008
    Location
    Linuxland
    Posts
    5,269


    In "man iptables". Perhaps you didn't read my post

  6. #6
    Join Date
    Jul 2012
    Location
    SuperUserLand
    Posts
    538


    Quote Originally Posted by droste
    If you care about security you shouldn't just paste commands you don't understand from the internet in your terminal ;-) AFAIK fedora has the iptables setup in a way where everything is blocked. If you only want 80 and 443 you just have to whitelist ("trusted service") these ports with 'system-config-firewall'.

    this is what I don't get:


    in firewalld they show you a bunch of services and say "tick the services that you want so they are available everywhere etc etc"

    now I untick ssh and mdns and the like

    actually I untick everything, including http and https


    and firefox still works


    ???????????


    shouldn't I, by unticking http and https not be able to block them? or do they mean https as a server?

  7. #7
    Join Date
    Jul 2012
    Location
    SuperUserLand
    Posts
    538



    see here it is unticked and firefox is still working

    is fedora's firewalld broken?

  8. #8
    Join Date
    Jul 2009
    Location
    Germany
    Posts
    523


    A firewall is for incoming communication requests (so for "servers") and not outgoing traffic. If you want to block outgoing traffic (why?) you have to either just disable the ethernet card or use iptables directly.
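Doing what the reply above suggests with iptables directly, as an added example that is not from any poster in this thread: an OUTPUT ruleset that only lets new outgoing connections go to TCP 80/443 (plus DNS, which a browser needs to resolve hosts) and logs every other outgoing attempt with the owning uid, which is the closest iptables gets to "flagging" each process that dials out. It assumes iptables with the conntrack and LOG extensions and a single machine, not a router; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): restrict outgoing traffic to TCP 80/443
# and log the rest. Assumes iptables with conntrack/LOG support.
set -eu

ALLOWED_TCP_PORTS="80 443"   # the two ports the original poster wants open

# Print the rules as iptables command lines (dry run; nothing is applied).
outbound_rules() {
    echo "iptables -F OUTPUT"
    echo "iptables -P OUTPUT DROP"
    # Loopback and replies to connections we already accepted stay allowed
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # DNS is needed to resolve the hosts the browser connects to
    echo "iptables -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
    for port in $ALLOWED_TCP_PORTS; do
        echo "iptables -A OUTPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Anything else that tries to go out: log it (rate limited, with the uid of
    # the process that opened the socket) so 'dialing home' shows up in dmesg,
    # then reject it so the program fails fast instead of hanging.
    echo "iptables -A OUTPUT -m conntrack --ctstate NEW -m limit --limit 10/min -j LOG --log-prefix 'OUT-BLOCKED: ' --log-uid"
    echo "iptables -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited"
}

# Apply the printed rules (needs root). Run as: sh firewall.sh apply
apply_outbound_rules() {
    outbound_rules | while read -r cmd; do eval "$cmd"; done
}

if [ "${1:-}" = "apply" ]; then
    apply_outbound_rules
else
    outbound_rules
fi
```

Without the `apply` argument the script only prints the rules, so they can be read before anything touches the live firewall; blocked attempts then appear in the kernel log with the `OUT-BLOCKED:` prefix and a `UID=` field.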

  9. #9
    Join Date
    Jul 2012
    Location
    SuperUserLand
    Posts
    538


    you have clearly never been hacked in windows: they reverse engineer code to find exploits in popular apps and then they are able to trigger behavior on those same apps to establish connections to wherever...

    meaning it's not hackers establishing incoming communications to your system, it's your system itself dialing home to the hackers.


    Skype for instance is dangerous as fuck, and I have proof just like I did back in march about that very dangerous flash exploit.



    I didn't know shit about firewalls or much about computers/linux but now I'm learning.

    In good routers you can block all outgoing and incoming traffic and then just open up the ports you need.

    Turns out UGFW is actually more secure than fedora's firewalld as you can allow outgoing connections but then specify the rejection of ssh, telnet etc traffic

    a good firewall should monitor all your connections and not just incoming.

  10. #10
    Join Date
    Jul 2009
    Location
    Germany
    Posts
    523


    Quote Originally Posted by Pallidus
    you have clearly never been hacked in windows:
    True

    Quote Originally Posted by Pallidus
    meaning it's not hackers establishing incoming communications to your system, it's your system itself dialing home to the hackers.
    [...]
    Turns out UGFW is actually more secure than fedora's firewalld as you can allow outgoing connections but then specify the rejection of ssh, telnet etc traffic

    a good firewall should monitor all your connections and not just incoming.
    What exactly stops the malware from using https or a custom protocol instead of ssh/telnet/etc? And when you have malware with root access it's quite easy for it to disable the firewall. I'm not saying blocking as much as possible is bad, but you are never 100% safe unless you pull out the ethernet cable. Usually you are pretty safe on linux with blocking incoming stuff and not executing random stuff you downloaded from the internet.
