Difference between revisions of "Firewall Guide"

From Void Linux Wiki
(Added - ufw service down during single user session)
(Moved ufw to Firewall Configuration)
 
= ufw - Uncomplicated Firewall =

Alternatively, a basic firewall (deny incoming, allow outgoing, which are ufw's default policies) can be set up by installing and enabling [https://en.wikipedia.org/wiki/Uncomplicated_Firewall ufw]:

<pre>
$ sudo xbps-install ufw
$ sudo xbps-reconfigure ufw
$ sudo ufw enable
</pre>
 
 
To check whether the ufw firewall is active in the current session:

<pre>
$ sudo ufw status
</pre>
 
 
To list the rules together with the default policies and logging level:

<pre>
$ sudo ufw status verbose
</pre>
 
 
To have the ufw service start at boot, enable it under runit:

<pre>
$ sudo ln -s /etc/sv/ufw /var/service
</pre>
 
 
ufw pulls in iptables as a dependency. Rules can be modified with ufw's own commands (see its [http://manpages.ubuntu.com/manpages/xenial/en/man8/ufw.8.html man page]), directly with iptables, or through gufw, a graphical interface for ufw:

<pre>
$ sudo xbps-install gufw
$ sudo gufw
</pre>
 
{{Note|The '''ufw''' service will not start, and ufw will therefore be '''inactive''', if the system is booted in '''single user mode'''.

In that session no other services start by default either, including the network service; only the '''sulogin''' service used for single user mode does.

Single user mode can be entered from the GRUB menu at startup: select 'Advanced options' followed by 'recovery mode'.

Changes made to services during that session are not persistent.}}
 
  
 
[[Category:Guides]]

Latest revision as of 02:22, 29 August 2017

This page has been marked for removal.

Reason: This page should be either removed or merged with Firewall Configuration (Discuss in Talk:Firewall Guide#)

= iptables =

First off, install the iptables package:

# xbps-install iptables

Now set up the firewall configuration (as root). With this ruleset only loopback traffic and replies to connections the host itself initiated are accepted; on a machine administered over SSH, uncomment the SSH rule before saving, or the next reboot will lock you out:

 # Set default chain policies
 iptables -P INPUT DROP
 iptables -P FORWARD DROP
 iptables -P OUTPUT ACCEPT
 
 # Accept on localhost
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A OUTPUT -o lo -j ACCEPT
 
 # Allow established sessions to receive traffic
 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 
 # Allow remote SSH (uncomment to enable)
 # iptables -I INPUT -p tcp --dport 22 -j ACCEPT
 
 # Save the running ruleset so it can be restored at boot
 iptables-save > /etc/firewall.conf

The saved /etc/firewall.conf then looks like this:

 # Generated by iptables-save v1.4.21 on Mon Oct 27 16:52:51 2014
 *filter
 :INPUT DROP [1:52]
 :FORWARD DROP [0:0]
 :OUTPUT ACCEPT [518:49547]
 -A INPUT -i lo -j ACCEPT
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -o lo -j ACCEPT
 COMMIT
 # Completed on Mon Oct 27 16:52:51 2014

Create a runit service that restores the saved rules at boot. Put the following in /etc/sv/iptables/run:

 #!/bin/sh
 iptables-restore < /etc/firewall.conf

Then make it executable and enable the service:

 chmod +x /etc/sv/iptables/run
 ln -s /etc/sv/iptables /var/service/

Note that runit expects a service to keep running: since this script exits as soon as iptables-restore returns, runsv will keep restarting it.

Reboot and check that the rules were loaded:

 $ sudo iptables -L -n
 Chain INPUT (policy DROP)
 target     prot opt source               destination
 ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
 ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 
 Chain FORWARD (policy DROP)
 target     prot opt source               destination
 
 Chain OUTPUT (policy ACCEPT)
 target     prot opt source               destination
 ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
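A pre-flight check for the saved ruleset, added here as an example that is not part of the wiki page or of Void's iptables service: it lints an iptables-save file for the properties this guide relies on (DROP policies on INPUT and FORWARD, loopback and conntrack ACCEPT rules, a COMMITted filter table) before iptables-restore loads it at boot, and notes when no rule admits SSH. SAMPLE_RULES is constructed to mirror the /etc/firewall.conf above; the function names are the example's own.

```shell
#!/bin/sh
# Lint an iptables-save ruleset before iptables-restore applies it at boot.
# Constructed sample in the same format as the /etc/firewall.conf above.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT'

# chain_policy FILE CHAIN: print the default policy declared for CHAIN
chain_policy() {
    awk -v chain="$2" '$1 == (":" chain) { print $2; exit }' "$1"
}

# input_accepts_tcp_port FILE PORT: succeed if an INPUT rule accepts TCP PORT
# (matches both a hand-written "-p tcp --dport N" and the "-p tcp -m tcp --dport N"
# form that iptables-save emits for a rule added with -I or -A)
input_accepts_tcp_port() {
    grep -Eq -- "^-A INPUT .*-p tcp .*--dport $2 .*-j ACCEPT$" "$1"
}

# check_ruleset FILE: return 0 if every property this guide relies on holds
check_ruleset() {
    f="$1"; rc=0
    grep -q '^\*filter$' "$f" || { echo "missing *filter table"; rc=1; }
    grep -q '^COMMIT$' "$f" || { echo "missing COMMIT"; rc=1; }
    [ "$(chain_policy "$f" INPUT)" = DROP ] || { echo "INPUT policy is not DROP"; rc=1; }
    [ "$(chain_policy "$f" FORWARD)" = DROP ] || { echo "FORWARD policy is not DROP"; rc=1; }
    grep -q -- '^-A INPUT -i lo -j ACCEPT$' "$f" || { echo "no loopback ACCEPT on INPUT"; rc=1; }
    grep -Eq -- '^-A INPUT -m conntrack --ctstate (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT$' "$f" \
        || { echo "no conntrack RELATED,ESTABLISHED ACCEPT on INPUT"; rc=1; }
    # Not an error (it is this guide's default), but worth knowing before a reboot
    # on a machine that is administered over SSH.
    input_accepts_tcp_port "$f" 22 || echo "note: no INPUT rule accepts TCP port 22 (ssh)"
    return $rc
}

# With a file argument, check that file; otherwise check the embedded sample.
if [ "$#" -gt 0 ]; then
    check_ruleset "$1"
else
    tmp=$(mktemp); printf '%s\n' "$SAMPLE_RULES" > "$tmp"
    check_ruleset "$tmp" && echo "sample ruleset OK"
    rm -f "$tmp"
fi
```

Run it as `sh check_rules.sh /etc/firewall.conf` after `iptables-save`; a non-zero exit means the file should not be handed to the runit service yet.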