09-14-2018, 07:22 AM | #1 |
Join Date: Mar 2008
Location: Planet Earth
Posts: 9,055
UFW / GUFW / IPTables / netfilter
I guess a software firewall isn't needed in Linux, otherwise they would have one enabled upon installation, like Windows does.
Last edited by Glennbo; 09-15-2018 at 07:55 AM.
09-14-2018, 10:19 PM | #2 |
Join Date: Jul 2011
Posts: 850
That doesn't depend on the OS you are using. The question is: do I want to use a firewall (whatever your OS is)?
Some Linux distros have a firewall configured and ready to go, usually those having a desktop environment. Some others, usually small or barebones distros, leave the decision of installing and setting one up to the user. ufw and gufw are just frontends for iptables. Really popular and easy to use. Nevertheless, although many users still use iptables, it's recommended to use nftables instead.
https://en.wikipedia.org/wiki/Nftables
https://wiki.archlinux.org/index.php/Nftables
09-15-2018, 11:20 AM | #3 |
Join Date: Mar 2008
Location: Planet Earth
Posts: 9,055
I appreciate the info and links. I decided that I DO want a firewall (even though none was enabled by default), and just spent the last five hours trying to get my MythTV server accessible from my DAW and other machines on the network. I used ufw since it was natively installed, but not enabled, and after chasing down far too many ports for things like MySQL, and MAC addresses for hardware ethernet tuners, I finally have it all working like it was before enabling the firewall on all my recently converted Linux machines.
I may sometime in the future have a look at Nftables, but for now I at least have a functioning software firewall on all Linux machines. I'm guessing that just enabling it is as good as or better than Windows firewall, coz it sure broke a lot of connections just on my local network. Thanks again for your help.
09-16-2018, 11:56 PM | #4 |
Join Date: Jul 2011
Posts: 850
You won't go wrong with iptables. It's only that nftables is a simpler, cleaner and better implementation. iptables works just fine. That's why a lot of users still use it. iptables vs nftables is more or less the same sort of scenario as vim vs neovim, mutt vs neomutt, etc... Just choose your poison.
09-17-2018, 12:13 PM | #5 |
Join Date: Nov 2013
Posts: 2,779
So, if I did not install GUFW myself and activate it, then the Linux kernel by itself has firewall stuff built-in and blocks all by default?
Using iptables or whatever is just a way to speak to/control the kernel's fw? I think I would prefer to use whatever my distro of choice's default is. Thank you for the information! I am ready to understand this now and remove GUFW.
__________________
_Ohh.))::_Kubuntu_::((.Xoxo_my precious
09-17-2018, 12:30 PM | #6 |
Join Date: Mar 2008
Location: Planet Earth
Posts: 9,055
Quote:
sudo ufw enable

Before doing that, I could access my MythTV server from my DAW, both of which are running Xubuntu. After enabling it, I could NOT access the Myth machine until I set rules for about six ports, and two hardware MAC addresses. I don't know if your particular distro has any firewall enabled by default, but mine didn't.
09-17-2018, 12:54 PM | #7 |
Join Date: Nov 2013
Posts: 2,779
It sure sounds to me that this is what Eeeveryone is trying to explain to us though: that Linux has that built-in and there is no on/off; what you use to control it is a choice, via terminal or graphically.
Your story is suggesting stuff though and I am not qualified to explain this.
09-17-2018, 01:06 PM | #8 |
Join Date: Mar 2008
Location: Planet Earth
Posts: 9,055
Quote:
09-17-2018, 01:12 PM | #9 |
Join Date: Nov 2013
Posts: 2,779
I am also interested to understand, so keep it up! And thanks for the information.
Have you mentioned what kind of Linux/OS you are on?
09-17-2018, 01:18 PM | #10 |
Join Date: Mar 2008
Location: Planet Earth
Posts: 9,055
Yes, I'm running Xubuntu 18.04 Bionic Beaver.
09-17-2018, 01:25 PM | #11 |
Join Date: Nov 2013
Posts: 2,779
Ahh-ha's for oops, Linux Mint
Firewall 1.2. A firewall is already installed by default. It's called IPtables. IPtables can be managed through the application Uncomplicated Firewall (ufw), which is also installed by default. By default the firewall isn't activated, because behind the ports that are exposed to the internet, there aren't any listening services. At least not in a standard installation. An attacker can't do anything without a listening service that keeps a port open.
https://sites.google.com/site/easyli...y#TOC-Firewall
Last edited by SmajjL; 09-18-2018 at 01:05 AM.
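Posts #3, #6 and #11 above describe the same sequence from both ends: `sudo ufw enable` turns on a deny-by-default inbound policy, and anything that was listening (MySQL, the MythTV backend, and so on) stops being reachable until a rule is written for it; conversely, a port with no listener behind it is not a risk. The script below is an added example, not code from the thread, that does the inventory first: it reads `ss -Hltn` output, drops loopback-only listeners (nothing on the LAN can reach those, so they need no rule), and emits ufw commands that open the remaining TCP ports only to the LAN, with `ufw enable` emitted last so a remote SSH session is not cut off in between. The `ss` listing, the 192.168.1.0/24 subnet and the port numbers in it are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: inventory what is listening, then
# generate ufw rules that open only those TCP ports, and only to the LAN.
# LAN_NET is an assumption for the example; set it to your own subnet.
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Constructed sample of `ss -Hltn` output (listening TCP sockets, numeric,
# no header) for a hypothetical MythTV backend with MySQL bound to loopback.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:6543 0.0.0.0:*
LISTEN 0 128 0.0.0.0:6544 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 0.0.0.0:111 0.0.0.0:*'

# listening_ports: stdin = `ss -Hltn` lines; stdout = unique TCP ports that
# are reachable from outside the host. Loopback-only listeners are skipped:
# a firewall rule for them would open a port nobody on the LAN can reach.
listening_ports() {
    awk '{
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "127.0.0.1" || host == "[::1]") next
        print port
    }' | sort -un
}

# ufw_plan LAN_CIDR: stdin = ports; stdout = ufw commands in a safe order:
# policy first, per-port rules next, `ufw enable` last, so the deny policy
# never takes effect before the rule that keeps your own shell reachable.
ufw_plan() {
    lan=$1
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    while read -r port; do
        [ -n "$port" ] || continue
        if [ "$port" = "22" ]; then
            # `limit` instead of `allow`: ufw rate-limits new SSH connections
            echo "ufw limit from $lan to any port 22 proto tcp"
        else
            echo "ufw allow from $lan to any port $port proto tcp"
        fi
    done
    echo "ufw enable"
}

# plan_for_sample: the whole pipeline run over the constructed listing.
# On a real host, review the plan and only then run it as root:
#   ss -Hltn | listening_ports | ufw_plan "$LAN_NET"
#   ss -Hltn | listening_ports | ufw_plan "$LAN_NET" | sudo sh
plan_for_sample() {
    printf '%s\n' "$SAMPLE_SS" | listening_ports | ufw_plan "$LAN_NET"
}
```

The plan covers TCP only; UDP listeners (`ss -Hlun`) need the same pass separately. Port 111 in the sample is the kind of surprise this inventory is for: a service you did not know was listening shows up before you decide whether it deserves a rule at all, rather than after the firewall has silently cut it off.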
09-18-2018, 01:07 AM | #12 |
Join Date: Nov 2013
Posts: 2,779
That link was for Linux Mint, my bad SmajjL... it was informational though.
09-18-2018, 01:18 AM | #13 |
Join Date: Jul 2011
Posts: 850
Quote:
Though I've never done it myself, different sets of rules/configs can be switched depending on what you want to do at a given time. This involves dealing with services, but as usual, convenience/commodity/easy-going and best practices don't hold together.
Quote:
FWIW: Differences between iptables and nftables explained
https://linux-audit.com/differences-...les-explained/
Firewall for the lazy:
https://forums.bunsenlabs.org/viewtopic.php?id=1765
Last edited by Snap; 09-18-2018 at 01:39 AM.
09-18-2018, 02:10 AM | #14 |
Join Date: Jul 2011
Posts: 850
Along with a well configured firewall it's a very good practice to complement it with the /etc/hosts file. This particular file (also present in Windows, by the way) is intended to allow and block specific host names and IP addresses system-wide. It allows you to block anything you don't want your system to connect to. It can of course complement or fully replace those dedicated browser or email program blocking addons/tools altogether, as it will work for every program and user within your system. If you want to block sites (malicious, trackers, ads, my-kids-won't-see-this, that-specific-site-you-happen-to-hate...) the hosts file is the one to use. There are some nice guys and sites dedicated to collecting and keeping updated blocking hosts lists, like these ones:
https://github.com/jmdugan/blocklists
https://github.com/StevenBlack/hosts
And you can even go strong...
https://github.com/jmdugan/blocklist...s/facebook/all
This could be a nice place to start:
https://github.com/hakerdefo/pmiab
I use a modified and fully stripped down version of hakerdefo's script myself. Be sure to update the hosts lists regularly. Like once a week or so. It can be automated with cron or any other scheduling tool you like.
09-18-2018, 04:31 AM | #15 |
Join Date: Nov 2013
Posts: 2,779
Thanks for info!
So what would GUFW's ON/OFF button command in iptables be?
09-18-2018, 06:54 AM | #16 |
Join Date: Mar 2008
Location: Planet Earth
Posts: 9,055
Quote:
http://winhelp2002.mvps.org/hosts.htm
They keep a very comprehensive list of known parasites and trackers. Putting their hosts file in was the first thing I did when setting up Linux for the first time on my DAW. I'll have to check out the hosts file you linked, as it has three additional sources.
Last edited by Glennbo; 09-18-2018 at 12:08 PM.
09-27-2018, 01:19 PM | #17 |
Join Date: Jan 2011
Posts: 610
That looks pretty neat. However, I read all the comments in this thread and was decidedly in over my head: https://www.putorius.net/2012/01/blo...ements-on.html
Do you do this manually or use a script as that page suggests?
09-27-2018, 06:09 PM | #18 |
Join Date: Mar 2008
Location: Planet Earth
Posts: 9,055
Quote:
I did try the script you linked to and it does work. I deleted my hosts file to see if it would recreate it and it did. For now I don't mind doing the more hands on manual copying of the file, but might automate it sometime down the line, so I did save the script.
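Post #14 recommends merging several published hosts blocklists into /etc/hosts and refreshing them weekly from cron, and posts #17 and #18 ask about, and try, a script that rebuilds the file. The script below is an added example, not the thread's script and not hakerdefo's pmiab: it normalises lists that use either the 127.0.0.1 or the 0.0.0.0 sink address (with comments, blank lines and CRLF line endings), keeps the loopback and hand-written entries intact by confining the blocklist to a marked section, refuses to sinkhole "localhost" entries that some lists ship, writes the new file completely before renaming it into place, and is idempotent, so the weekly cron run does not grow the file. The two lists, the hostnames, the marker lines and the cron path are constructed for the example; on a real host each list would come from `curl -fsSL URL` instead.

```shell
#!/bin/sh
# Added example, not the thread's script and not hakerdefo's pmiab: merge
# several hosts-format blocklists into one managed section of /etc/hosts,
# idempotently, without touching the entries the user wrote by hand.

# Constructed stand-ins for downloaded lists, covering the formats seen in
# the wild: 127.0.0.1 or 0.0.0.0 sink address, comments, blank lines, CRLF
# endings, and the "localhost" lines some lists ship. Real use: curl -fsSL URL.
LIST_A='# sample list A (constructed)
127.0.0.1 tracker.example.net
127.0.0.1 ads.example.com   # trailing comment

0.0.0.0 localhost'
LIST_B=$(printf '0.0.0.0 ads.example.com\r\n0.0.0.0 beacon.example.org\r\n0.0.0.0 metrics.example.com\r\n')

# Marker lines (an assumption of this example) bracket the managed section.
BEGIN_MARK="# BEGIN managed blocklist"
END_MARK="# END managed blocklist"

# normalize_list: stdin = raw lists; stdout = "0.0.0.0 host" lines, deduplicated.
# Only plausible dotted hostnames survive the grep, so "localhost" and
# "localhost.localdomain" entries from a list can never end up sinkholed.
normalize_list() {
    tr -d '\r' \
    | sed 's/#.*$//' \
    | awk '$1 == "0.0.0.0" || $1 == "127.0.0.1" { print tolower($2) }' \
    | grep -E '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$' \
    | grep -vE '^localhost\.' \
    | sort -u \
    | sed 's/^/0.0.0.0 /'
}

# build_hosts OLD NEW: stdin = normalized entries. Copies OLD minus any earlier
# managed section, appends the new section, all into a temp file that is then
# renamed, so a crash mid-write never leaves a truncated hosts file behind.
build_hosts() {
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip   { print }
    ' "$1" > "$2.tmp"
    {
        echo "$BEGIN_MARK"
        cat
        echo "$END_MARK"
    } >> "$2.tmp"
    mv "$2.tmp" "$2"
}

# demo_merge: runs the merge twice on a scratch copy (never the live file in an
# example) and prints the result; the second run must not duplicate anything.
# Real use, as root: build_hosts /etc/hosts /etc/hosts, e.g. weekly from cron
# with a hypothetical entry such as:  0 4 * * 1 /usr/local/sbin/update-hosts
demo_merge() {
    dir=$(mktemp -d)
    printf '127.0.0.1 localhost\n127.0.1.1 daw\n192.168.1.20 mythbackend\n' > "$dir/hosts"
    for run in 1 2; do
        { printf '%s\n' "$LIST_A"; printf '%s\n' "$LIST_B"; } \
        | normalize_list | build_hosts "$dir/hosts" "$dir/hosts"
    done
    cat "$dir/hosts"
    rm -rf "$dir"
}
```

A hosts blocklist only affects names that go through the system resolver: a browser doing DNS over HTTPS, or a program that connects to a hard-coded IP address, never consults it. That is why it complements a firewall rather than replacing one, and why the merge above is careful to leave the user's own entries and the firewall out of its way.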
09-27-2018, 10:24 PM | #19 |
Join Date: Jul 2011
Posts: 850
My modified/simplified version is still not final. I have some more tweaks to check and test, but since it works and does the job I left it somewhat abandoned... I'll try to check these things this weekend and post the script in case anyone wants to peek.
09-28-2018, 08:39 AM | #20 |
Join Date: Jan 2011
Posts: 610
Quote:
09-28-2018, 09:21 AM | #21 |
Join Date: Mar 2008
Location: Planet Earth
Posts: 9,055
Quote:
The only sites I've ever had to drop the hosts file for were broadcast network television sites. Broadcast TV sites won't stream a video with a hosts file borking all the little adbot trackers. Netflix and Youtube work fine with the hosts file active, and I don't ever really need to stream video from broadcast TV sites, so I keep the hosts file active all the time.
09-28-2018, 10:20 AM | #22 |
Join Date: Jan 2011
Posts: 610
That's great to hear; I appreciate that. I'll give it a try. Thanks!
09-29-2018, 02:26 AM | #23 |
Join Date: Jul 2011
Posts: 850
That's it. What's blocked is trackers, analytics, etc... It doesn't deny regular access to Amazon, yt or whatever, unless you specifically go for it and configure /etc/hosts for the purpose.