Simple firewall for a beginner

New to Debian (Or Linux in general)? Ask your questions here!
andy638
Posts: 25
Joined: 2010-01-15 19:15
Been thanked: 3 times

Simple firewall for a beginner

#1 Post by andy638 »

Hi

I've just set up a Debian Lenny home server for the first time. The network is a simple one with all PCs and my Linksys ADSL router connected to a common Ethernet switch. At the moment the server just runs dnsmasq and samba to provide DHCP, DNS and act as a local file/print server for my Windows and Ubuntu PCs. So far I've not opened any ports on the router and depended on the router firewall to protect me.

My first question is: is a firewall necessary or useful on the server under these circumstances, with no direct access from the Internet? It's not functioning as a gateway or anything like that.

Whether necessary or not, I think I would like to set up a firewall to get some experience and understanding of what's involved. At some point in the future I'm considering making the server accessible over the Internet (just for my own use - maybe SSH access) and I imagine I would want a firewall then. What firewall configuration program would you recommend? I'm a beginner when it comes to servers so I'd like something simple.

Thanks

Andy

julian67
Posts: 4633
Joined: 2007-04-06 14:39
Location: Just hanging around
Been thanked: 7 times

Re: Simple firewall for a beginner

#2 Post by julian67 »

First, you don't really need another firewall if your router's firewall is set up. But some people don't trust their router and have another firewall behind it. I'd suggest firehol as being about the easiest way to create iptables rules, even complex ones. The firehol website has excellent examples, tutorials, advice and so on.

If you want ssh access from beyond your LAN then you don't need another firewall for this. All you need to do is to forward the appropriate port on your router. It's important to use key authentication and disallow password authentication; this guarantees that bots can't break in with dictionary based attacks. Another good idea is to not use the default ssh port 22 but something in a high range such as 1122 or 1222, still easy to remember but avoids bots hammering away on 22 and filling the logs.
Wisdom from my inbox: "do not mock at your pottenocy"

Absent Minded
Posts: 3464
Joined: 2006-07-09 08:50
Location: Washington State U.S.A.
Been thanked: 3 times

Re: Simple firewall for a beginner

#3 Post by Absent Minded »

The place you want your firewall is not on that server but in between the internet and the rest of your network. Otherwise you will be blocking your network traffic instead of stopping people from hacking into your network.
Serving the community the best way I can.
Spreading the tradition of Community Spirit.
Please read some Basic Forum Philosophy
Give a man a fish, he eats for a day. Teach him how to fish, he eats for life.
Updated Nov. 19, 2012

julian67
Posts: 4633
Joined: 2007-04-06 14:39
Location: Just hanging around
Been thanked: 7 times

Re: Simple firewall for a beginner

#4 Post by julian67 »

Absent Minded wrote: The place you want your firewall is not on that server but in between the internet and the rest of your network. Otherwise you will be blocking your network traffic instead of stopping people from hacking into your network.

It wouldn't block any traffic unless it was set up that way. If the server is set up as the gateway then it's easy enough to allow all traffic within the LAN while having all kinds of rules about traffic entering and exiting the LAN; in fact this is usually exactly what the router's firewall does. Personally on a home LAN I'd not bother with anything beyond the router's firewall, which will anyway by default be dropping all unsolicited packets from outside the LAN.

On my home LAN I don't firewall anything. The router drops everything from outside unless I've forwarded ports and this works fine. I have temporarily firewalled clients at different times to see what the log showed. The log showed that the router firewall does its job and it made for very unexciting reading.
Wisdom from my inbox: "do not mock at your pottenocy"

andy638
Posts: 25
Joined: 2010-01-15 19:15
Been thanked: 3 times

Re: Simple firewall for a beginner

#5 Post by andy638 »

Thank you everyone for your help and suggestions - I'm new to this forum and it's great to get clear and helpful advice like this.

I'll probably look at firehol as a way of learning about firewalls - if it's not really necessary on my server I'll probably try it on another Debian PC (less chance of messing something important up).

I'm interested in julian67's advice regarding SSH. How serious is the risk if I choose a good strong password? And if as suggested I use key authentication instead would this preclude access from other people's PCs? I would normally anticipate using my own laptop for access but I could imagine situations when I might find it useful to access my network from someone else's system.

Regards

Andy

julian67
Posts: 4633
Joined: 2007-04-06 14:39
Location: Just hanging around
Been thanked: 7 times

Re: Simple firewall for a beginner

#6 Post by julian67 »

andy638 wrote: ...How serious is the risk if I choose a good strong password? And if as suggested I use key authentication instead would this preclude access from other people's PCs? I would normally anticipate using my own laptop for access but I could imagine situations when I might find it useful to access my network from someone else's system.

Regards

Andy
Big risk! There is a huge number of bots that just hammer away at ssh servers trying to brute force the user name and password. Sooner or later one of them may succeed. By using key authentication (edit: and disallowing password authentication!) you guarantee they cannot succeed, and by using denyhosts, and a non standard port, you stop them filling your logs as well.

As for access from other people's PCs there are various things you can do, such as use a live distro which boots from a USB flash memory stick and which also contains your keys in a truecrypt container or similar. A tiny distro like DSL can boot from USB into a virtual machine on Windows by using Qemu, which is also on the USB. You could also use a portable version of the Windows ssh client, PuTTY, from USB and again keep your keys in an encrypted container.
Wisdom from my inbox: "do not mock at your pottenocy"
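The advice in #2 and #6 comes down to three sshd settings: key authentication on, password authentication off, and the port moved off 22. The script below is an added example for this thread, not julian67's code or anything shipped with OpenSSH: it reads an sshd_config and reports which of those settings are in place. The directive names are real OpenSSH directives; the function names and the sample configs in the usage are this example's own. The ChallengeResponseAuthentication check is an addition to the thread's advice, because with UsePAM keyboard-interactive login can still accept a password even when PasswordAuthentication is off.

```shell
#!/bin/sh
# Added example for this thread, not julian67's code or OpenSSH's: audit an
# sshd_config for the advice given above (keys on, passwords off, port moved).
# The directive names are real OpenSSH directives; everything else is assumed.
# Usage: sh sshd_audit.sh /etc/ssh/sshd_config

# Print the effective value of one directive. sshd uses the first occurrence,
# so we stop at the first match; commented lines are skipped. Settings inside
# "Match" blocks are not handled by this simple reader.
sshd_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Audit one config file. Prints a line per finding; the return value is the
# number of failures (0 means the file follows the advice). A missing directive
# is treated as sshd's compiled-in default for that directive.
sshd_audit() {
    cfg="$1"
    fails=0

    pw=$(sshd_get "$cfg" PasswordAuthentication)
    if [ "${pw:-yes}" != "no" ]; then
        echo "FAIL PasswordAuthentication=${pw:-unset (default yes)}; want no"
        fails=$((fails + 1))
    fi

    # With UsePAM, keyboard-interactive can still take a password, so this
    # must be off too or the PasswordAuthentication setting is not enough.
    cr=$(sshd_get "$cfg" ChallengeResponseAuthentication)
    if [ "${cr:-yes}" != "no" ]; then
        echo "FAIL ChallengeResponseAuthentication=${cr:-unset (default yes)}; want no"
        fails=$((fails + 1))
    fi

    pk=$(sshd_get "$cfg" PubkeyAuthentication)
    if [ "${pk:-yes}" != "yes" ]; then
        echo "FAIL PubkeyAuthentication=$pk; want yes"
        fails=$((fails + 1))
    fi

    # The port is about log noise rather than safety, so it is only a warning.
    port=$(sshd_get "$cfg" Port)
    if [ "${port:-22}" = "22" ]; then
        echo "WARN Port=22; the thread suggests a high port such as 1122"
    fi

    [ "$fails" -eq 0 ] && echo "OK $cfg"
    return "$fails"
}

# Run the audit only when a path is given, so the file can also be sourced.
if [ -n "${1:-}" ]; then
    sshd_audit "$1"
fi
```

After editing sshd_config, run `sshd -t` to syntax-check it and keep an existing session open while you restart the daemon, so a mistake does not lock you out of a box you only reach over ssh.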

blasicle
Posts: 36
Joined: 2010-01-20 17:20

Re: Simple firewall for a beginner

#7 Post by blasicle »

andy638 wrote: I'll probably look at firehol as a way of learning about firewalls - if it's not really necessary on my server I'll probably try it on another Debian PC (less chance of messing something important up).

You could try ufw, because it is very simple to set up rules. For example:

    ufw allow ssh

or

    ufw allow from 192.168.1.0/24 to any port 22

It might not teach you much, though, because it's so simple.
Also, it's not in the lenny repos. I built the squeeze package from source and that, in turn, required upgrading debhelper from backports.org.
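The two rule forms above differ in a way worth making explicit: `ufw allow ssh` accepts connections from any source, while the `from 192.168.1.0/24` form limits the port to the LAN. The script below is an added example for this thread, not blasicle's code or part of ufw: it prints a default-deny policy built from the LAN-scoped form and refuses any allow rule that has no source or a source outside the RFC 1918 private ranges. The network and port are the thread's example values; the function names are this example's own. Nothing is executed, it only prints the ufw commands for you to run afterwards.

```shell
#!/bin/sh
# Added example for this thread, not blasicle's code or part of ufw. Builds a
# small LAN-only SSH policy as ufw commands and checks it before you run them.
# Assumed values (from the thread's example rule): LAN 192.168.1.0/24, port 22.

LAN="${LAN:-192.168.1.0/24}"
SSH_PORT="${SSH_PORT:-22}"

# Print the policy as ufw commands, one per line. Nothing is executed here.
ufw_policy() {
    lan="$1"; port="$2"
    printf '%s\n' \
        "ufw default deny incoming" \
        "ufw default allow outgoing" \
        "ufw allow from $lan to any port $port proto tcp"
}

# True (0) when an address or CIDR lies in an RFC 1918 private range:
# 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Check one rule line. Only 'ufw allow' lines can expose a port; such a line
# passes only if it has a 'from' clause naming a private-range source.
# Prints the reason and returns 1 when the rule would be reachable from the
# Internet (assuming the router forwards the port, as the thread discusses).
check_rule() {
    rule="$1"
    case "$rule" in
        "ufw allow "*) ;;
        *) return 0 ;;
    esac
    src=""
    set -- $rule
    while [ $# -gt 1 ]; do
        if [ "$1" = "from" ]; then src="$2"; break; fi
        shift
    done
    if [ -z "$src" ] || [ "$src" = "any" ]; then
        echo "OPEN TO ANY SOURCE: $rule"
        return 1
    fi
    if ! is_rfc1918 "$src"; then
        echo "NON-PRIVATE SOURCE: $rule"
        return 1
    fi
    return 0
}

# Check every rule of the generated policy; returns the number of bad rules.
# The here-document keeps the loop in the current shell so the counter survives.
check_policy() {
    bad=0
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        check_rule "$rule" || bad=$((bad + 1))
    done <<EOF
$(ufw_policy "$1" "$2")
EOF
    return "$bad"
}

# Print the policy and its verdict. Run the printed commands as root, then
# 'ufw enable' and 'ufw status verbose' to confirm what is actually loaded.
ufw_policy "$LAN" "$SSH_PORT"
if check_policy "$LAN" "$SSH_PORT"; then
    echo "# policy OK: no allow rule is reachable from outside the LAN"
else
    echo "# policy REJECTED: fix the rules above before running them"
fi
```

Running it with `LAN=203.0.113.0/24` shows the rejection path; feeding `check_rule "ufw allow ssh"` shows why the shorter form from the post is the one to avoid once a port is forwarded on the router.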
