*EDIT*
[SOLVED] Firewall tutorial?
4 posts
• Page 1 of 1
[SOLVED] Firewall tutorial?
by Sephiroth » March 22nd, 2011, 7:37 pm
I've been toying with KMyFirewall and have an interesting problem. I wrote a simple firewall using KMyFirewall and created an input rule that checked to see whether or not the connection is related and established, that the interface is wlan0, and to accept the connection if that's the case. The problem is that when I enable this rule, the laptop doesn't work properly. Windows don't pop up, etc. It's like it filters against lo and maybe even eth0 as well. Can anybody offer me some guidance on this?
*EDIT*
*EDIT*
Last edited by Sephiroth on March 24th, 2011, 1:49 am, edited 1 time in total.
Owyn: "This next one is a high elf sorceress or something, just get in close and stab her a few times, that'll teach her!"
Owyn: "I heard a rumor that you're an idiot. Is that true?"
Cicero: "Stab you, stab you, stab you!"
Psycho: "You sat in my swing, now I'm going to eat you!"
Psycho: "I think he's gonna' play xylophone with my spinal cord!"
Owyn: "I heard a rumor that you're an idiot. Is that true?"
Cicero: "Stab you, stab you, stab you!"
Psycho: "You sat in my swing, now I'm going to eat you!"
Psycho: "I think he's gonna' play xylophone with my spinal cord!"
- Sephiroth
- Posts: 387
- Joined: February 22nd, 2011, 3:09 pm
- Location: North Carolina
Re: Firewall tutorial?
by Sephiroth » March 23rd, 2011, 2:14 am
I wasn't thinking. I added two more rules. One filters wlan0, one filters eth0, and one accepts everything destined for lo. Below is a screenshot. So far this seems to be working. My only concern is that all input for lo is accepted, as I believe it has to be for X/KDE/whatever to function properly. Is this correct, or should I somehow filter input for lo?
Owyn: "This next one is a high elf sorceress or something, just get in close and stab her a few times, that'll teach her!"
Owyn: "I heard a rumor that you're an idiot. Is that true?"
Cicero: "Stab you, stab you, stab you!"
Psycho: "You sat in my swing, now I'm going to eat you!"
Psycho: "I think he's gonna' play xylophone with my spinal cord!"
Owyn: "I heard a rumor that you're an idiot. Is that true?"
Cicero: "Stab you, stab you, stab you!"
Psycho: "You sat in my swing, now I'm going to eat you!"
Psycho: "I think he's gonna' play xylophone with my spinal cord!"
- Sephiroth
- Posts: 387
- Joined: February 22nd, 2011, 3:09 pm
- Location: North Carolina
Re: Firewall tutorial?
by telemachus » March 23rd, 2011, 1:18 pm
There's a good introductory tutorial for raw iptables commands on the other forum: http://forums.debian.net/viewtopic.php?t=16166. (Note that it says part one of three, but the other two were never written. Sadly, the author stopped posting altogether long ago. He was a funny, knowledgeable guy.)
In any case, yes, I believe you must let lo accept everything. Once upon a time, when I was first trying to learn iptables, I wrote a set of rules without anything about lo, and I put the machine into a state where it couldn't even shut down. Ouch. I'm not sure I'm reading that wonky-ass KDE gui correctly, but it looks like anything not explicitly accepted is DROPPED. That would explain your earlier problem.
In any case, yes, I believe you must let lo accept everything. Once upon a time, when I was first trying to learn iptables, I wrote a set of rules without anything about lo, and I put the machine into a state where it couldn't even shut down. Ouch. I'm not sure I'm reading that wonky-ass KDE gui correctly, but it looks like anything not explicitly accepted is DROPPED. That would explain your earlier problem.
"We have not been faced with the need to satisfy someone else's requirements, and for this freedom we are grateful."
Dennis Ritchie and Ken Thompson, The UNIX Time-Sharing System
Dennis Ritchie and Ken Thompson, The UNIX Time-Sharing System
-
telemachus - Posts: 116
- Joined: February 10th, 2011, 1:39 am
Re: Firewall tutorial?
by Sephiroth » March 24th, 2011, 1:48 am
You are correct, Tele. In my second picture, you see what I run now. It works fine, but I have not yet had the chance to plop the laptop into a wireless or wired DMZ and test it with "Shields Up!" or the like. I was only curious about allowing everything into lo because technically all data will eventually hit lo, right? I mean this web-page came in through wlan0, but Iceweasel runs on the local machine!
I'm marking this as solved because it works now. The solution was to drop everything incoming by default, and specify a set of rules for each interface manually. The only rule for the lo interface should be to accept. You can specify any rules you want for your other interfaces though.
I'm marking this as solved because it works now. The solution was to drop everything incoming by default, and specify a set of rules for each interface manually. The only rule for the lo interface should be to accept. You can specify any rules you want for your other interfaces though.
Owyn: "This next one is a high elf sorceress or something, just get in close and stab her a few times, that'll teach her!"
Owyn: "I heard a rumor that you're an idiot. Is that true?"
Cicero: "Stab you, stab you, stab you!"
Psycho: "You sat in my swing, now I'm going to eat you!"
Psycho: "I think he's gonna' play xylophone with my spinal cord!"
Owyn: "I heard a rumor that you're an idiot. Is that true?"
Cicero: "Stab you, stab you, stab you!"
Psycho: "You sat in my swing, now I'm going to eat you!"
Psycho: "I think he's gonna' play xylophone with my spinal cord!"
- Sephiroth
- Posts: 387
- Joined: February 22nd, 2011, 3:09 pm
- Location: North Carolina
4 posts
• Page 1 of 1
Who is online
Users browsing this forum: No registered users and 1 guest