Old 09-14-2018, 07:22 AM   #1
Glennbo
Human being with feelings
 
Glennbo's Avatar
 
Join Date: Mar 2008
Location: Planet Earth
Posts: 3,689
UFW / GUFW / IPTables / netfilter

I guess a software firewall isn't needed in Linux, otherwise they would have one enabled upon installation, like Windows does.
__________________
Glennbo
Hear My Music - Click Me!!!
--

Last edited by Glennbo; 09-15-2018 at 07:55 AM.
Glennbo is offline   Reply With Quote
Old 09-14-2018, 10:19 PM   #2
Snap

That doesn't depend on the OS you're using. The question is: do I want to use a firewall (whatever your OS is)?

Some Linux distros have a firewall configured and ready to go, usually those having a desktop environment. Some others, usually small or barebones distros, leave the decision of installing and setting one up to the user.

ufw and gufw are just frontends for iptables. Really popular and easy to use. Nevertheless, although many users still use iptables, it's recommended to use nftables instead.

https://en.wikipedia.org/wiki/Nftables

https://wiki.archlinux.org/index.php/Nftables
Old 09-15-2018, 11:20 AM   #3
Glennbo

I appreciate the info and links. I decided that I DO want a firewall (even though none was enabled by default), and just spent the last five hours trying to get my MythTV server accessible from my DAW and other machines on the network. I used ufw since it was natively installed, but not enabled, and after chasing down far too many ports for things like MySQL, and MAC addresses for hardware ethernet tuners, I finally have it all working like it was before enabling the firewall on all my recently converted Linux machines.

I may sometime in the future have a look at Nftables, but for now I at least have a functioning software firewall on all Linux machines. I'm guessing that just enabling it is as good or better than Windows firewall, coz it sure broke a lot of connections just on my local network. Thanks again for your help.
Old 09-16-2018, 11:56 PM   #4
Snap

You won't go wrong with iptables. It's only that nftables is a simpler, cleaner and better implementation. iptables works just fine. That's why a lot of users still use it. iptables vs nftables is more or less the same sort of scenario as vim vs neovim, mutt vs neomutt, etc... Just choose your poison.
Old 09-17-2018, 12:13 PM   #5
SmajjL

So, if I did not install GUFW myself and activate it, then the Linux kernel by itself has firewall stuff built in and blocks all by default?
Using iptables or whatever is just a way to speak to/control the kernel's fw?
I think I would prefer to use whatever my distro of choice's default is.
Thank you for the information! I am ready to understand this now and remove GUFW.
__________________
:)
Old 09-17-2018, 12:30 PM   #6
Glennbo

Quote:
Originally Posted by SmajjL
So, if I did not install GUFW myself and activate it, then the Linux kernel by itself has firewall stuff built in and blocks all by default?
Using iptables or whatever is just a way to speak to/control the kernel's fw?
I think I would prefer to use whatever my distro of choice's default is.
Thank you for the information! I am ready to understand this now and remove GUFW.
I found that no firewall was active or enabled until I enabled it with this command.

sudo ufw enable

Before doing that, I could access my MythTV server from my DAW, both of which are running Xubuntu. After enabling it, I could NOT access the Myth machine until I set rules for about six ports, and two hardware MAC addresses.

I don't know if your particular distro has any firewall enabled by default, but mine didn't.
Old 09-17-2018, 12:54 PM   #7
SmajjL

It sure sounds to me that this is what Eeeveryone is trying to explain to us though: that Linux has that built in and there is no on/off; what you use to control it is a choice, via terminal or graphically.
Your story is suggesting stuff though and I am not qualified to explain this.
Old 09-17-2018, 01:06 PM   #8
Glennbo

Quote:
Originally Posted by SmajjL
It sure sounds to me that this is what Eeeveryone is trying to explain to us though: that Linux has that built in and there is no on/off; what you use to control it is a choice, via terminal or graphically.
Your story is suggesting stuff though and I am not qualified to explain this.
Pre "sudo ufw enable" and post "sudo ufw enable" absolutely produced different results, so I am 100% confident that the firewall was not enabled on my particular distro before, but now is.
Old 09-17-2018, 01:12 PM   #9
SmajjL

I am also interested in understanding, so keep it up! And thanks for the information.
Have you mentioned what kind of Linux/OS you are on?
Old 09-17-2018, 01:18 PM   #10
Glennbo

Quote:
Originally Posted by SmajjL
I am also interested in understanding, so keep it up! And thanks for the information.
Have you mentioned what kind of Linux/OS you are on?
Yes, I'm running Xubuntu 18.04 Bionic Beaver.
Old 09-17-2018, 01:25 PM   #11
SmajjL

Ahh-ha's for oops, Linux Mint


Firewall

1.2. A firewall is already installed by default. It's called IPtables. IPtables can be managed through the application Uncomplicated Firewall (ufw), which is also installed by default.

By default the firewall isn't activated, because behind the ports that are exposed to the internet, there aren't any listening services. At least not in a standard installation. An attacker can't do anything without a listening service that keeps a port open.


https://sites.google.com/site/easyli...y#TOC-Firewall

Last edited by SmajjL; 09-18-2018 at 01:05 AM.
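The procedure behind posts #6 and #11, as an added example that is not code from the thread and not ufw's or MythTV's own tooling: first list what is actually listening and mark which sockets are reachable from the network (the Mint doc quoted in #11 is right that a port with nothing behind it is harmless; a service bound to 0.0.0.0 or [::] is the opposite), then emit ufw rules for those ports restricted to the LAN subnet rather than a bare `ufw allow <port>`, which opens the port to everyone. Assumptions not in the thread: the LAN is 192.168.1.0/24; the SERVICES list is a constructed placeholder (3306 is MySQL's default, 6543 and 5353 are stand-ins for whatever `ss` shows on your backend); SAMPLE_SS is constructed `ss -Hlntu` output used only when `ss` is missing. Without `--apply` it prints and changes nothing.

```shell
#!/bin/sh
# Added example, not code from the thread. List listening sockets, decide
# which are exposed, then allow those ports from the LAN only.
# Assumptions (not from the thread): LAN_CIDR and SERVICES below are
# placeholders; override them from the environment.
set -u

LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"
SERVICES="${SERVICES:-tcp:3306 tcp:6543 udp:5353}"

# stdin: 'ss -Hlntu' lines. stdout: "proto port scope" per socket, where
# exposed = wildcard bind (0.0.0.0, [::], *), local = loopback only,
# bound = pinned to one interface address. Only exposed ones need a rule.
classify_sockets() {
    while read -r proto _state _rq _sq laddr _peer _rest; do
        [ -n "$proto" ] || continue
        addr="${laddr%:*}"      # "0.0.0.0:3306" -> "0.0.0.0", "[::]:22" -> "[::]"
        port="${laddr##*:}"
        case "$addr" in
            0.0.0.0|'[::]'|'*'|'::') scope=exposed ;;
            127.*|'[::1]')           scope=local ;;
            *)                       scope=bound ;;
        esac
        printf '%s %s %s\n' "$proto" "$port" "$scope"
    done
}

# Print the ufw commands for SERVICES, restricted to LAN_CIDR. Printing
# first lets you review them; run_rules executes the same lines.
ufw_lan_rules() {
    printf 'ufw default deny incoming\n'
    printf 'ufw default allow outgoing\n'
    for svc in $SERVICES; do
        printf 'ufw allow from %s to any port %s proto %s\n' \
            "$LAN_CIDR" "${svc##*:}" "${svc%%:*}"
    done
    printf 'ufw --force enable\n'
}

# Execute one printed command per line; stop at the first failure.
run_rules() {
    while read -r line; do
        set -- $line            # split the command back into words
        "$@" </dev/null || return 1
    done
}

# Constructed sample of 'ss -Hlntu' output (not captured from a real host).
SAMPLE_SS='tcp   LISTEN 0 80  0.0.0.0:3306    0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:631   0.0.0.0:*
tcp   LISTEN 0 128 [::]:6543       [::]:*
udp   UNCONN 0 0   0.0.0.0:5353    0.0.0.0:*'

listening() {
    if command -v ss >/dev/null 2>&1; then ss -Hlntu; else printf '%s\n' "$SAMPLE_SS"; fi
}

if [ "${1:-}" = "--apply" ]; then
    ufw_lan_rules | run_rules && ufw status numbered    # needs root
else
    echo "# listening sockets (proto port scope):"
    listening | classify_sockets
    echo "# rules that would be applied (run with --apply as root):"
    ufw_lan_rules
fi
```

Run it as a normal user first to review the output, then `sudo sh fw-lan.sh --apply` (script name assumed) and check the result with `ufw status numbered`. Two caveats from ufw's side: rules are evaluated in order, so if a blanket `ufw allow 3306` is already present the LAN-scoped rule does nothing until the broad one is deleted (`ufw status numbered`, then `ufw delete N`); and ufw's rule grammar matches addresses and ports only, so the MAC-address allowances mentioned in #6 have to be written in the netfilter layer underneath (iptables' `-m mac --mac-source`, placed in /etc/ufw/before.rules), which is also where such rules are easiest to get wrong.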
Old 09-18-2018, 01:07 AM   #12
SmajjL

That link was for Linux Mint, my bad SmajjL... it was informational though.
Old 09-18-2018, 01:18 AM   #13
Snap

Quote:
Originally Posted by SmajjL
So, if I did not install GUFW myself and activate it, then the Linux kernel by itself has firewall stuff built in and blocks all by default?
It depends on the distro. It's commonly disabled by default even if the tools are already installed, usually left as a user choice to enable it.

Though I've never done it myself, different sets of rules/configs can be switched depending on what you want to do at a given time. This involves dealing with services, but as usual, convenience/commodity/easy-going and best practices don't hold together.

Quote:
Using iptables or whatever is just a way to speak to/control the kernel's fw?
Correct.

FWIW: Differences between iptables and nftables explained

https://linux-audit.com/differences-...les-explained/

Firewall for the lazy:

https://forums.bunsenlabs.org/viewtopic.php?id=1765

Last edited by Snap; 09-18-2018 at 01:39 AM.
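The nftables side of the iptables-versus-nftables comparison in #2, #4 and the article linked above, plus the switchable rule sets #13 mentions, as an added example that is not from the thread and not from the nftables project: the same LAN-only policy written as a native ruleset, parsed with `nft -c` before anything is loaded, and swapped between named profiles in a single transaction. Assumed, not from the thread: profiles live under /etc/nftables.d/<name>.nft, the LAN is 192.168.1.0/24, and the service list is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread or the nftables project: the LAN-only
# policy as a native nftables ruleset, syntax-checked before loading and
# switched between named profiles atomically. Paths and addresses are assumptions.
set -u

PROFILE_DIR="${PROFILE_DIR:-/etc/nftables.d}"   # assumed location

# Print a complete ruleset. $1 = LAN CIDR, $2 = "proto:port" list reachable
# from the LAN only. Input is default-drop; loopback, return traffic and
# basic ICMP/ND are allowed; nothing is forwarded; output is open.
nft_ruleset() {
    lan="$1"; services="$2"
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        icmp type echo-request accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, echo-request } accept
EOF
    for svc in $services; do
        printf '        ip saddr %s %s dport %s accept\n' "$lan" "${svc%%:*}" "${svc##*:}"
    done
    cat <<EOF
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output priority 0; policy accept; }
}
EOF
}

# Write profile $1 and parse it with 'nft -c' (check only, nothing loaded).
nft_write_profile() {
    name="$1"; lan="$2"; services="$3"
    file="$PROFILE_DIR/$name.nft"
    mkdir -p "$PROFILE_DIR" && nft_ruleset "$lan" "$services" > "$file" || return 1
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$file" || { echo "$file: rejected by nft -c, fix it before switching" >&2; return 1; }
    fi
    printf '%s\n' "$file"
}

# Load profile $1. The file begins with 'flush ruleset' and nft -f applies
# the whole file as one transaction: there is no moment with no firewall,
# and a parse error leaves the previous ruleset untouched.
nft_switch() {
    nft -f "$PROFILE_DIR/$1.nft" && nft list ruleset
}

case "${1:-}" in
    write)  nft_write_profile "${2:?profile name}" "${LAN_CIDR:-192.168.1.0/24}" "${SERVICES:-tcp:3306 tcp:6543}" ;;
    switch) nft_switch "${2:?profile name}" ;;                          # needs root
    *)      nft_ruleset 192.168.1.0/24 "tcp:3306 tcp:6543 udp:5353" ;;  # preview only
esac
```

`sh nft-profiles.sh write studio` then `sudo sh nft-profiles.sh switch studio` (script name assumed) is the whole workflow; a second profile is just another `write` with a different SERVICES list. Because `nft -f` is transactional, a typo below the `flush ruleset` line leaves the old rules in force rather than leaving you with none. Two things to know before switching: `flush ruleset` also removes whatever ufw installed if your iptables is the nft-backed one (`iptables -V` reports `nf_tables`), so disable ufw first rather than running both; and to survive a reboot, reference the chosen profile from /etc/nftables.conf (`include "/etc/nftables.d/studio.nft"`) and enable nftables.service.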
Old 09-18-2018, 02:10 AM   #14
Snap

Along with a well configured firewall it's a very good practice to complement it with the /etc/hosts file. This particular file (also present in Windows, by the way) is intended to allow and block specific host names and IP addresses system-wide. It allows you to block anything you don't want your system to connect to. It of course can complement or fully replace those dedicated browser or email program blocking addons/tools altogether, as it will work for every program and user within your system.

If you want to block sites (malicious, trackers, ads, my-kids-won't-see-this, that-specific-site-you-happen-to-hate...) the hosts file is the one to use.

There are some nice guys and sites dedicated to collecting and keeping updated blocking hosts lists, like these ones:

https://github.com/jmdugan/blocklists
https://github.com/StevenBlack/hosts

And you can even go strong...

https://github.com/jmdugan/blocklist...s/facebook/all

This could be a nice place to start:

https://github.com/hakerdefo/pmiab

I use a modified and fully stripped down version of hakerdefo's script myself.

Be sure to update the hosts lists regularly. Like once a week or so. It can be automated with cron or any other scheduling tool you like.
Old 09-18-2018, 04:31 AM   #15
SmajjL

Thanks for info!
So what would GUFW's ON/OFF button command in iptables be?
Old 09-18-2018, 06:54 AM   #16
Glennbo

Quote:
Originally Posted by Snap
This could be a nice place to start:

https://github.com/hakerdefo/pmiab

I use a modified and fully stripped down version of hakerdefo's script myself.

Be sure to update the hosts lists regularly. Like once a week or so. It can be automated with cron or any other scheduling tool you like.
I've been using the hosts file from these guys for almost 20 years.

http://winhelp2002.mvps.org/hosts.htm

They keep a very comprehensive list of known parasites and trackers. Putting their hosts file in was the first thing I did when setting up Linux for the first time on my DAW.

I'll have to check out the hosts file you linked, as it has three additional sources.

Last edited by Glennbo; 09-18-2018 at 12:08 PM.
Old 09-27-2018, 01:19 PM   #17
Tyrannocaster

That looks pretty neat. However, I read all the comments in this thread and was decidedly in over my head: https://www.putorius.net/2012/01/blo...ements-on.html

Do you do this manually or use a script as that page suggests?
Old 09-27-2018, 06:09 PM   #18
Glennbo

Quote:
Originally Posted by Tyrannocaster
That looks pretty neat. However, I read all the comments in this thread and was decidedly in over my head: https://www.putorius.net/2012/01/blo...ements-on.html

Do you do this manually or use a script as that page suggests?
In Windows I use a utility called HostsXpert, but so far in Linux, I've just grabbed the text file from MVP Hosts and copied it to /etc/hosts

I did try the script you linked to and it does work. I deleted my hosts file to see if it would recreate it and it did. For now I don't mind doing the more hands on manual copying of the file, but might automate it sometime down the line, so I did save the script.
Old 09-27-2018, 10:24 PM   #19
Snap

My modified/simplified version is still not final. I have some more tweaks to check and test, but since it works and does the job I left it somewhat abandoned... I'll try to check these things this weekend and post the script in case anyone wants to peek.
Old 09-28-2018, 08:39 AM   #20
Tyrannocaster

Quote:
Originally Posted by Glennbo
In Windows I use a utility called HostsXpert, but so far in Linux, I've just grabbed the text file from MVP Hosts and copied it to /etc/hosts

I did try the script you linked to and it does work. I deleted my hosts file to see if it would recreate it and it did. For now I don't mind doing the more hands on manual copying of the file, but might automate it sometime down the line, so I did save the script.
Yes, that is slick, isn't it? One thing gives me pause about that list, though - I was looking at it, and there are a ton of items filtered from Amazon, and I buy stuff there, as little as I like the company and try to purchase elsewhere. I'm not sure enough of how this works to try it without removing them (or commenting them out), and so far I haven't tried that, mainly because there are just so many of them and they aren't next to each other.
Old 09-28-2018, 09:21 AM   #21
Glennbo

Quote:
Originally Posted by Tyrannocaster
Yes, that is slick, isn't it? One thing gives me pause about that list, though - I was looking at it, and there are a ton of items filtered from Amazon, and I buy stuff there, as little as I like the company and try to purchase elsewhere. I'm not sure enough of how this works to try it without removing them (or commenting them out), and so far I haven't tried that, mainly because there are just so many of them and they aren't next to each other.
I've used the hosts file from MVP Hosts for almost 20 years in Windows, and have bought stuff from Amazon with the hosts file active every time. It's never interfered with any transactions for me.

The only sites I've ever had to drop the hosts file for were broadcast network television sites. Broadcast TV sites won't stream a video with a hosts file borking all the little adbot trackers.

Netflix and Youtube work fine with the hosts file active, and I don't ever really need to stream video from broadcast TV sites, so I keep the hosts file active all the time.
Old 09-28-2018, 10:20 AM   #22
Tyrannocaster

That's great to hear; I appreciate that. I'll give it a try. Thanks!
Old 09-29-2018, 02:26 AM   #23
Snap

That's it. What's blocked is trackers, analytics, etc... It doesn't deny regular access to Amazon, yt or whatever, unless you specifically go for it and configure /etc/hosts for the purpose.
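The fetch, merge and install job that #14, #16 and #18 describe, with the weekly refresh from #14 and an answer to the Amazon worry in #20 (an allowlist of names that must never be blocked, which is what #21 and #23 amount to), as an added example: this is not hakerdefo's pmiab, not the putorius script and not the thread's own code. Assumptions not in the thread: the managed block is delimited by two marker comments so the machine's own entries above it survive every rebuild; lists and the allowlist live under /etc/hosts-block; the raw download URLs are taken from the two projects linked above but are not quoted in the thread; the files the demo mode builds are constructed samples, not real list content.

```shell
#!/bin/sh
# Added example, not the thread's script: rebuild /etc/hosts from blocklist
# files, keeping the machine's own entries, honouring an allowlist, and
# installing the result atomically. Marker text, paths and URLs are assumptions.
set -u

BEGIN_MARK='# BEGIN blocklist (managed, do not edit below)'
END_MARK='# END blocklist'

# stdin: raw blocklist text in any common shape ("0.0.0.0 host",
# "127.0.0.1 host", bare "host", comments, CRLF). stdout: unique
# "0.0.0.0 host" lines, lowercased, with loopback names and junk dropped.
normalize_blocklist() {
    awk '
        { sub(/#.*/, ""); sub(/\r$/, "") }
        NF == 0 { next }
        NF == 1 { host = $1 }
        NF >= 2 { if ($1 !~ /^(0\.0\.0\.0|127\.0\.0\.1|::1?)$/) next; host = $2 }
        {
            host = tolower(host)
            if (host ~ /^(localhost|localhost\.localdomain|local|broadcasthost|ip6-[a-z]+)$/) next
            if (host !~ /^[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?(\.[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?)*$/) next
            if (!seen[host]++) print "0.0.0.0 " host
        }'
}

# Drop any line whose host appears in the allowlist file $1 (one name per
# line): keep a site you need while its trackers stay blocked.
apply_allowlist() {
    awk -v allowfile="$1" '
        BEGIN {
            while ((getline h < allowfile) > 0) {
                sub(/#.*/, "", h); gsub(/[ \t\r]/, "", h)
                if (h != "") keep[tolower(h)] = 1
            }
        }
        !($2 in keep)'
}

# Print the new hosts file: $1 = current file (its lines outside the marker
# block are kept verbatim), $2 = allowlist (may be absent), rest = blocklists.
build_hosts() {
    current="$1"; allow="$2"; shift 2
    [ -f "$allow" ] || allow=/dev/null
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip' "$current"
    printf '%s\n' "$BEGIN_MARK"
    cat "$@" | normalize_blocklist | apply_allowlist "$allow"
    printf '%s\n' "$END_MARK"
}

# Write to a temp file beside the target, refuse to install if localhost
# went missing, then rename: readers never see a half-written hosts file.
install_hosts() {
    target="$1"; shift
    tmp="$(mktemp "$target.XXXXXX")" || return 1
    if build_hosts "$target" "$@" > "$tmp" && grep -q '^127\.0\.0\.1[[:space:]].*localhost' "$tmp"; then
        chmod 644 "$tmp" && mv "$tmp" "$target"
    else
        echo "not installing $target: build failed or localhost entry missing" >&2
        rm -f "$tmp"; return 1
    fi
}

# Refresh the source lists (network needed) into directory $1. The raw
# URLs are assumed from the projects linked in the thread.
fetch_lists() {
    mkdir -p "$1" &&
    curl -fsSL https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts -o "$1/stevenblack.hosts" &&
    curl -fsSL http://winhelp2002.mvps.org/hosts.txt -o "$1/mvps.hosts"
}

case "${1:-demo}" in
    --install)                              # real run, needs root
        LISTS="${LISTS:-/etc/hosts-block}"  # assumed location
        fetch_lists "$LISTS" && install_hosts /etc/hosts "$LISTS/allow.txt" "$LISTS"/*.hosts ;;
    *)                                      # offline demo on constructed sample files
        d="$(mktemp -d)"
        printf '127.0.0.1 localhost\n192.168.1.10 mythbackend\n' > "$d/hosts"
        printf '# list one\n0.0.0.0 ads.example.com\n127.0.0.1 Tracker.Example.net\n' > "$d/one.hosts"
        printf 'ads.example.com\r\nmetrics.example.org\n127.0.0.1 localhost\n' > "$d/two.hosts"
        printf 'metrics.example.org\n' > "$d/allow.txt"
        build_hosts "$d/hosts" "$d/allow.txt" "$d/one.hosts" "$d/two.hosts"
        rm -rf "$d" ;;
esac
```

Run without arguments for the offline demonstration on the constructed files; `sudo sh update-hosts.sh --install` (script name assumed) does the real thing, and a weekly cron line such as `0 4 * * 1 /usr/local/sbin/update-hosts.sh --install` gives the refresh #14 asks for. Names you put in allow.txt (`www.amazon.com`, say) are simply removed from the merged list, which is the safe way to handle the concern in #20 without editing thousands of scattered lines by hand. Bear in mind what this is and isn't: the hosts file hijacks name resolution only, so anything that reaches a tracker by IP address or through its own DNS-over-HTTPS resolver goes around it, which is why it complements the firewall rather than replacing it.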
Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2019, vBulletin Solutions Inc.