Linode Community Forums
Firewall for Debian 5/Drupal - recommendations?

       Linode Forum Index -> Linux Networking
theatereleven
Joined: 28 Sep 2010
Posts: 68
Location: Santa Monica, CA

Posted: Fri Oct 08, 2010 11:01 am    Post subject: Firewall for Debian 5/Drupal - recommendations?  

I've just set up a new Linode running Debian 5/Drupal 6.x.

Is the Linode "Basic Firewall for Debian Lenny" a good one to use? Are linodes all wide open on the public IP? If so I've got to get something up asap.

Any recommendations would be awesome! I promise to post what I end up doing and any issues. THANKS.

http://library.linode.com/networking/security-guides/arno-iptables-firewall-debian-lenny
pclissold
Joined: 24 Oct 2003
Posts: 877
Location: Netherlands

Posted: Fri Oct 08, 2010 11:32 am    Post subject: Re: Firewall for Debian 5/Drupal - recommendations?  

theatereleven wrote: Any recommendations would be awesome!
Shorewall
theatereleven
Joined: 28 Sep 2010
Posts: 68
Location: Santa Monica, CA

Posted: Fri Oct 08, 2010 11:59 am    Post subject:  

Cool thanks!

So are linodes really wide open on the public IP? Is there any NAT going on or anything?
hoopycat
Joined: 30 Aug 2008
Posts: 1294
Location: Rochester, New York

Posted: Fri Oct 08, 2010 12:13 pm    Post subject:  

There isn't even a screen door on the hatch of the ol' networking submarine, much less something as debilitating as NAT. That's what an Internet connection is... a connection to the Internet. :-)
pclissold
Joined: 24 Oct 2003
Posts: 877
Location: Netherlands

Posted: Fri Oct 08, 2010 2:28 pm    Post subject:  

theatereleven wrote: So are linodes really wide open on the public IP? Is there any NAT going on or anything?
There's some port filtering at the Atlanta data center (done by the provider, not by Linode) and Linode does some filtering in the network layer (OSI 3) to stop wayward or malicious Linodes from seeing/sending traffic to/from IPs that they don't own.
theatereleven
Joined: 28 Sep 2010
Posts: 68
Location: Santa Monica, CA

Posted: Sat Oct 09, 2010 4:32 pm    Post subject:  

Tried to set up Shorewall, but the documentation doesn't match up. There is supposed to be an /etc/shorewall directory and I have none.

Removed shorewall by typing:

apt-get remove --purge shorewall-common

Then I rebooted and typed:

apt-get install shorewall-common shorewall-shell

And now /sbin/shorewall version -a says 4.0.15

BUT I then look for configuration files in /etc/shorewall, and there isn't even a shorewall directory. ARGH. so frustrating. Anyone else run into this on Debian?
rsk
Joined: 24 Nov 2009
Posts: 306

Posted: Sat Oct 09, 2010 5:05 pm    Post subject:  

shorewall should pull in shorewall-shell, which should pull in shorewall-common. That last one comes with, among other files,
/etc/shorewall/Makefile
/etc/shorewall/shorewall.conf

http://packages.debian.org/lenny/all/shorewall-common/filelist

So, if it isn't the case for you, something's seriously screwed >.>
theatereleven
Joined: 28 Sep 2010
Posts: 68
Location: Santa Monica, CA

Posted: Sat Oct 09, 2010 5:07 pm    Post subject:  

Just noticed that if I look in WinSCP I see a Shorewall folder under /etc but with Putty, it says that the directory does not exist.

A directory listing in Putty shows it, so I just tried going to the directory again and it is working. I must have been using the CD command like in DOS as opposed to Linux.

THANKS!

The docs say in Lenny to copy all of the files from user/share/doc/shorewall-common/default-config to my /etc/shorewall folder - am I reading this right?

Thanks again man.
vonskippy
Joined: 27 Dec 2009
Posts: 469
Location: Colorado, USA

Posted: Sat Oct 09, 2010 6:46 pm    Post subject:  

Seems like overkill for just one LAMP box.

What does Shorewall provide that IPTABLES doesn't?

IPTABLES and FAIL2BAN should be MORE than enough protection, and way less overhead to install/config/maintain/run.

Block everything.
Then allow PUBLIC access to your website (80, 443 if needed).
Then allow PUBLIC or LIMITED access to 25 (for your MTA)
Then allow PUBLIC or LIMITED access to whatever port you setup SSH on.

Simple and secure.

Too simple? Then add FAIL2BAN so that anyone that pounds on one of your services gets auto-dropped via an automagically added IPTABLES rule.
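The policy vonskippy lays out above (block everything, open 80/443 to the public, open 25 and the SSH port to the public or a limited range, then let fail2ban add DROP rules for repeat offenders), written out as an added example. This is not code from the thread, from Linode's guide or from fail2ban itself: the SSH port, the 203.0.113.0/24 admin range and the auth.log lines are assumptions or constructed for the example, and the ban step is a small awk stand-in for what fail2ban does, included to show what the "automagically added" rule looks like and where it has to sit.

```shell
#!/bin/sh
# Added example, not from the thread. Default-deny INPUT with narrow holes,
# plus a fail2ban-style ban derived from sshd failures in an auth log.
# Assumptions (hypothetical, not stated in the thread): the SSH port, the
# admin range that gets "LIMITED" access, and the log format below.

SSH_PORT="${SSH_PORT:-22}"
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"   # hypothetical admin range (documentation block)
MAXRETRY="${MAXRETRY:-3}"                    # failures before a source is dropped
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print the rules, 0 = apply them

# Run an iptables command, or just print it when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Baseline ruleset: "block everything", then open exactly what is served.
fw_rules() {
    ipt -F INPUT
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    # PUBLIC: the web site
    ipt -A INPUT -p tcp --dport 80 -j ACCEPT
    ipt -A INPUT -p tcp --dport 443 -j ACCEPT
    # LIMITED: the MTA, only from the admin range (drop the -s to make it PUBLIC)
    ipt -A INPUT -p tcp -s "$ADMIN_NET" --dport 25 -j ACCEPT
    # LIMITED: SSH on whatever port it listens on
    ipt -A INPUT -p tcp -s "$ADMIN_NET" --dport "$SSH_PORT" -j ACCEPT
    # rate-limited ping so diagnostics still work
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
}

# Constructed sample of /var/log/auth.log (not real traffic).
sample_log() {
    cat <<'EOF'
Oct  9 17:05:01 li123 sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Oct  9 17:05:03 li123 sshd[1236]: Failed password for root from 198.51.100.7 port 40002 ssh2
Oct  9 17:05:04 li123 sshd[1238]: Failed password for invalid user oracle from 198.51.100.7 port 40003 ssh2
Oct  9 17:06:10 li123 sshd[1240]: Failed password for dave from 192.0.2.44 port 51000 ssh2
Oct  9 17:06:15 li123 sshd[1240]: Accepted publickey for dave from 192.0.2.44 port 51000 ssh2
EOF
}

# fail2ban-style ban: read auth log lines on stdin, count sshd "Failed
# password" events per source IP, and insert a DROP for each source that
# reaches MAXRETRY. -I (insert at the top) matters: an appended DROP would
# sit behind the SSH ACCEPT and never match.
ban_offenders() {
    awk -v max="$MAXRETRY" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip }
    ' | sort | while read -r ip; do
        ipt -I INPUT -s "$ip" -j DROP
    done
}

# Demo: print the baseline rules, then the bans the constructed log earns.
fw_rules
sample_log | ban_offenders
```

DRY_RUN=1 only prints; set DRY_RUN=0 and run the whole thing from a script in one go, so the admin-range ACCEPT lands immediately after the DROP policy, and keep the Linode console (Lish) open the first time in case the port or range is wrong. The ban uses -I rather than -A so the DROP is evaluated before the SSH ACCEPT; real fail2ban gets the same effect with its own chain in front of INPUT, and also expires bans, which this stand-in does not. Rules set this way do not survive a reboot on Lenny by themselves: save them with iptables-save and restore them from a script in /etc/network/if-pre-up.d.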
rsk
Joined: 24 Nov 2009
Posts: 306

Posted: Sat Oct 09, 2010 6:47 pm    Post subject:  

theatereleven wrote: The docs say in Lenny to copy all of the files from user/share/doc/shorewall-common/default-config to my /etc/shorewall folder - am I reading this right?

Thanks again man.

I don't know if you're reading it right, I'm perfectly happy with Arno's firewall. ;) But I wouldn't be surprised if they were saying something in the style of "The debian default is to (block|allow) everything. To get a config like when you install shorewall from source, copy the default-config files to /etc.". Just read them until they make sense...

And no problem... no problem...

(Good luck!)

PS. vonskippy... I know you like to state your opinions aggressively... but please... cut it down a bit... I agree, partially - a big package like shorewall doesn't seem necessary. On the other hand, "raw" iptables is quite a bit of manual work, and if you're a newb like me and the OP, it's quite dangerous to mess with.
That's why I'd actually recommend going with arno's, which has been linked above. It's not much more than a nice SIMPLE debconf-configurable frontend to iptables, with really nice throttled logging.
glg
Joined: 09 Jan 2009
Posts: 505

Posted: Sun Oct 10, 2010 9:53 am    Post subject:  

rsk wrote: That's why I'd actually recommend going with arno's, which has been linked above. It's not much more than a nice SIMPLE debconf-configurable frontend to iptables, with really nice throttled logging.

I use firehol for that same reason. It's a script that sets up iptables nicely for you.
nfn
Joined: 21 Jan 2009
Posts: 103

Posted: Sun Oct 10, 2010 2:43 pm    Post subject:  

What about csf firewall? Any comments on this?
db3l
Joined: 13 May 2009
Posts: 556

Posted: Sun Oct 10, 2010 6:14 pm    Post subject:  

glg wrote: I use firehol for that same reason. It's a script that sets up iptables nicely for you.
I'll throw a second vote in for Firehol. I ended up choosing it when working with some distributions other than Ubuntu (where I had initially just started with ufw), and then started using it on Ubuntu too. I found it among the simplest to configure of the various iptables overlays.

I like that its configuration is a single bash script, so easily commented, you can add logic if you need to, yet for the basics it's a really simple syntax.

-- David
theatereleven
Joined: 28 Sep 2010
Posts: 68
Location: Santa Monica, CA

Posted: Mon Oct 11, 2010 12:20 pm    Post subject:  

rsk and others - thanks for the feedback.

Based on these comments I'm definitely ditching shorewall and probably will do a lighter setup. I do just need to block the morons on the NET and Fail2Ban sounds cool too.

I'll post details on what I do for any other newbies out there.
jed
Joined: 28 Mar 2009
Posts: 394
Location: New Jersey

Posted: Mon Oct 11, 2010 1:21 pm    Post subject:  

fail2ban and lighter setup don't mix. I dropped it due to its resource consumption.
Page 1 of 2