Linode.com Forum Linode Community Forums
ngm
Joined: 14 Sep 2007
Posts: 15
Posted: Fri Mar 21, 2008 5:13 pm Post subject: Best Firewall
Hi, can you tell me what's the best firewall for my Linode running Ubuntu?
The Ubuntu Server Guide tells me it is ufw - Uncomplicated Firewall.
The book Beginning Ubuntu Server Administration tells me it's NetFilter.
The name Shorewall appears many times throughout this forum.
Someone told me that there's nothing more powerful than iptables.
I'm a bit lost.
Also, scanning my Linode IP with NMAP returns 1467 ports closed, 46 ports filtered, and one port open (22/ssh). It's a brand new Linode. Should I be concerned about the filtered ones?
Thanks a lot.
SteveG
Joined: 30 Nov 2003
Posts: 220
Posted: Fri Mar 21, 2008 6:09 pm
First: iptables is the basic Linux network packet filtering system. It's powerful, yes, but also complex, in that what you would think of as a single function takes several iptables commands. It's also extremely sensitive to order. It's really easy to make a mistake. So don't use it directly. The various firewall packages are layers on top of iptables, generating the correct iptables commands and providing a more function based interface to you.
I'm not sure what "Netfilter" you're referencing; the only one I know is the BSD packet filtering system, equivalent to iptables.
I've used Shorewall in the past, and for complicated setups, it works, but it's probably overkill for a single linode. In particular, the many different configuration files can be confusing. Don't know about the others you mention, but to help, I'll suggest another one: firehol. easy config, good docs.
There's a case to be made that a linode doesn't actually need a firewall, since you can control which ports are listened on, and usually there's no other system involved. But there's nothing wrong with an extra layer.
Jay
Joined: 14 Nov 2004
Posts: 127
Location: NC, USA
Posted: Fri Mar 21, 2008 7:18 pm
Most of the time things like firehol and shorewall are just "interfaces" to make iptables easier to use.
pclissold
Joined: 24 Oct 2003
Posts: 471
Location: Netherlands
Posted: Sat Mar 22, 2008 4:55 am
SteveG wrote: There's a case to be made that a linode doesn't actually need a firewall, since you can control which ports are listened on, and usually there's no other system involved. But there's nothing wrong with an extra layer.
Having a firewall means you have to make two mistakes to expose your Linode to the bad guys. Also, I use one to restrict some inbound ports to specific source addresses - ssh only from home and work, etc.
Firehol: easy to use, gets the job done.
Shorewall: more versatile, more complicated; learn it on your Linode, use it for more complex situations elsewhere. This is what I use, on Linode and everywhere else.
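pclissold's two points above, a firewall as the second mistake an attacker needs behind "which ports are listened on", and ssh pinned to known source addresses, are exactly what the generators named in this thread (firehol, ufw, Shorewall) produce for you. The script below is an added example, not code from the thread or from any of those tools: a generator reduced to the essentials, plus the timed-rollback trick for loading rules over the very ssh session they might cut. Function names, the rollback path /tmp/iptables.rollback and the addresses in the demo (192.0.2.10 standing in for home, 198.51.100.0/24 for work) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal iptables-restore
# generator plus a safe loader. Addresses and file names are placeholders.

# gen_rules "SSH_SOURCES" "TCP_PORTS"
#   SSH_SOURCES  space-separated CIDRs allowed to open a connection to port 22
#   TCP_PORTS    space-separated TCP ports open to everyone
# Writes an iptables-restore ruleset to stdout.
gen_rules() {
    ssh_sources=$1
    tcp_ports=$2
    echo '*filter'
    # Default-deny on INPUT: a service you forgot about is not reachable
    # just because it happens to be listening.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # Packets of connections already allowed (and replies to connections
    # this host opened) are accepted before any per-port rule is consulted.
    echo '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    echo '-A INPUT -m state --state INVALID -j DROP'
    echo '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    # ssh only from the listed sources
    for src in $ssh_sources; do
        echo "-A INPUT -p tcp -s $src --dport 22 -m state --state NEW -j ACCEPT"
    done
    # public services
    for port in $tcp_ports; do
        echo "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # REJECT rather than a silent DROP for the rest: your own tools fail
    # fast instead of timing out (nmap reports a tcp-reset as "closed" and
    # a silent drop as "filtered").
    echo '-A INPUT -p tcp -j REJECT --reject-with tcp-reset'
    echo '-A INPUT -j REJECT --reject-with icmp-port-unreachable'
    echo 'COMMIT'
}

# unrestricted_ssh_rules "SSH_SOURCES" "TCP_PORTS"
# Sanity check before loading: counts port-22 ACCEPT rules that carry no
# source restriction. Putting 22 into TCP_PORTS by mistake shows up as 1.
unrestricted_ssh_rules() {
    gen_rules "$1" "$2" | grep -- '--dport 22 ' | grep -v -- ' -s ' | wc -l | tr -d ' '
}

# apply_rules FILE [GRACE_SECONDS]
# Loads FILE but schedules a revert to the previous rules after GRACE
# seconds (default 120). If the new rules cut off your ssh session the
# old ones come back on their own; if they work, run confirm_rules.
apply_rules() {
    file=$1
    grace=${2:-120}
    iptables-save > /tmp/iptables.rollback || return 1
    iptables-restore < "$file" || return 1
    ( sleep "$grace" && iptables-restore < /tmp/iptables.rollback ) &
    echo $! > /tmp/iptables.rollback.pid
    echo "rules loaded; run confirm_rules within ${grace}s or they revert"
}

# confirm_rules: cancel the pending revert once you know you still have access.
confirm_rules() {
    kill "$(cat /tmp/iptables.rollback.pid)" && rm -f /tmp/iptables.rollback.pid
}

# Demo: ssh from home and work only, web open to all.
gen_rules "192.0.2.10 198.51.100.0/24" "80 443"
```

Redirect the demo's output to a file, check that unrestricted_ssh_rules reports 0 for the same arguments, then run apply_rules on that file from your ssh session and confirm_rules once a fresh login still works. In iptables-restore format the `:INPUT DROP` line sets the chain policy itself, so no separate `-P` command is needed.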
ngm
Joined: 14 Sep 2007
Posts: 15
Posted: Mon Mar 24, 2008 2:51 pm
Hey,
Thanks for your explanations.
After reading your suggestions I googled a bit more on the subject and here are some conclusions:
Netfilter is not a firewall, it is "the packet filter facility built into the 2.4 and later Linux kernels", which means that when we use the iptables command we are defining rules for Netfilter to handle.
As Jay said, all firewalls one can find are "interfaces" to "create rules for the packet filtering (both inbound and outbound)".
Firehol is maintained by the Debian Linux group and the last release was in May, 2007 (which seems a long time for a firewall application).
ufw, uncomplicated firewall, is an Ubuntu project to "create a tool for host-based iptables firewall configuration. This tool should provide an easy to use interface to the user, as well as support package integration and dynamic-detection of open ports."
Shorewall seems to have no downsides.
Given this, I'll start by using the iptables command since it's installed by default and offers all the options available. If it's too complicated for me, I'll move to Shorewall.
SteveG
Joined: 30 Nov 2003
Posts: 220
Posted: Mon Mar 24, 2008 4:03 pm
It looks like Ubuntu is letting Firehol fall behind. The Debian version is maintained by Alexander Wirt, and was updated in October, 2007.
Good luck with iptables. Just for comparison, on my linode:
Code:
# iptables -L |grep -vE '^Chain |^target |^$' |wc -l
113
# grep -vE '^#|^$' firehol.conf |wc -l
21
(The greps remove all the noise lines - comments, headers, blanks.)
So the iptables effort is about 5-6 times. Not to mention that the firehol.conf commands are along the lines of "server http accept" and the iptables commands ... aren't. I'd really urge you to step up to a higher level than direct iptables. It's easy to make a mistake that bypasses your protections, and difficult to debug. If firehol doesn't suit, that's fine. Shorewall is a great product, just overkill for my tastes and current needs. Coding iptables directly is like coding assembler: sure, it's the most powerful, flexible choice, and some times it's the only way to get the job done. But do you really want to bet you can get it right the first time, every time?
ngm
Joined: 14 Sep 2007
Posts: 15
Posted: Mon Mar 24, 2008 8:12 pm
Hey SteveG,
Your post made me think twice (mainly the "wc" commands, which are far above my knowledge, but I get the point).
After reading a bit more about iptables I got a bit concerned about being locked out, something that doesn't happen when using an "interface".
From the book Beginning Ubuntu Server Administration:
"Do note, however, that the policy (using the iptables command) will become effective immediately, so, if you are configuring your firewall from an external connection, you will be locked out immediately."
And this will be my first server setup, I'm still a noob! So I reconsidered and I'll try ufw: it's a brand new solution with a big community behind it, it seems to be even simpler than Firehol and it's the "supported" Ubuntu Firewall. I can even follow the Ubuntu Server Guide, which is of great help.
Thanks a lot.
Just one further question: imagine that I want to restrict the ssh access to 3 attempts (after entering 3 wrong pass-phrases the ssh service should shut down, wait 1 hour and then restart allowing another 3 attempts). How can I achieve this? Is it related to the firewall? Am I being paranoid?
AVonGauss
Joined: 15 Oct 2007
Posts: 13
Location: Boynton Beach, FL
Posted: Mon Mar 24, 2008 8:29 pm
ngm, with Linode's Lish, you can never be locked out of your system by the firewall (iptables). If you're setting up your firewall and accidentally block your own access, you can connect through Lish just as if you were sitting at a console in front of the server and re-establish your access.
With regard to the ssh server, no, I don't think you are being paranoid. I would suggest looking at fail2ban or another similar program that will help monitor undesirable activity and take the appropriate action. On all of my servers fail2ban is set up to monitor the ssh server log and after three failed attempts will ban the source ip for a day.
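The reason the answer to ngm's "3 attempts" question is fail2ban rather than a firewall rule is worth spelling out: the packet filter never sees a wrong passphrase, only sshd's log does, so the three-strikes rule has to be driven from the auth log and the firewall is merely where the resulting ban is enforced. The following is an added example of that loop, not code from the thread or from fail2ban or sshguard. The log lines are constructed for the example in the format sshd writes through syslog, the addresses are documentation ranges, and the chain name SSH-BANS and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal fail2ban-style
# log watcher in awk and sh. Sample log constructed for the example.
SAMPLE_LOG='Mar 24 20:01:11 linode sshd[4021]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Mar 24 20:01:14 linode sshd[4021]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Mar 24 20:01:17 linode sshd[4025]: Failed password for root from 203.0.113.9 port 51240 ssh2
Mar 24 20:02:01 linode sshd[4030]: Failed password for ngm from 192.0.2.10 port 40000 ssh2
Mar 24 20:02:05 linode sshd[4030]: Accepted password for ngm from 192.0.2.10 port 40000 ssh2
Mar 24 20:03:30 linode sshd[4041]: Failed password for invalid user test from 198.51.100.77 port 2222 ssh2
Mar 24 20:03:33 linode sshd[4041]: Failed password for invalid user test from 198.51.100.77 port 2222 ssh2
Mar 24 20:04:00 linode sshd[4050]: Failed password for invalid user admin from 192.0.2.10 port 22 ssh2 from 203.0.113.9 port 4444 ssh2'

# offenders THRESHOLD   (log lines on stdin)
# Prints, sorted, each source IP with THRESHOLD or more sshd
# "Failed password" lines. The user name in such a line is chosen by the
# client and may contain spaces and even the word "from" (the last sample
# line is such an attempt to get 192.0.2.10 banned instead), so the
# address is taken from the fixed tail "from IP port N ssh2" that sshd
# appends, never from the first "from" in the line.
offenders() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Failed password for/ && $(NF-4) == "from" && $(NF-2) == "port" {
            fails[$(NF-3)]++
        }
        END { for (ip in fails) if (fails[ip] >= t) print ip }
    ' | sort
}

# ban_rule IP / unban_rule IP
# Print the iptables command that blocks (or unblocks) new ssh connections
# from IP. SSH-BANS is an assumed chain name; create it once with
#   iptables -N SSH-BANS && iptables -I INPUT -p tcp --dport 22 -j SSH-BANS
# so bans live apart from the hand-written rules.
ban_rule()   { echo "iptables -I SSH-BANS -s $1 -p tcp --dport 22 -j DROP"; }
unban_rule() { echo "iptables -D SSH-BANS -s $1 -p tcp --dport 22 -j DROP"; }

# Demo: with a threshold of 3 only 203.0.113.9 is banned; 198.51.100.77
# has two failures and ngm's single typo from 192.0.2.10 does not count.
# To enforce for real, pipe this output into sh from a cron job that reads
# the recent part of /var/log/auth.log, and queue the lift with
#   unban_rule "$ip" | at now + 1 hour
echo "$SAMPLE_LOG" | offenders 3 | while read -r ip; do ban_rule "$ip"; done
```

The parsing detail matters more than the banning: a watcher that grabs the first "from" in the line can be turned into a denial-of-service tool by anyone who can type a user name, which is why the address is anchored on the fixed fields sshd itself appends.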
dfelicia
Joined: 30 Jul 2007
Posts: 41
Posted: Wed Mar 26, 2008 12:06 pm
I use a simple iptables ruleset + sshguard to protect my linode. Firewall UI's are nice, but overkill for a linode IMHO.
To generate a simple iptables ruleset, you can use any number of the available Web generators. I really like this one: http://www.lowth.com/LinWiz/
Once you have your ruleset, just activate it with:
Code:
iptables-restore < /path/to/ruleset
Now that you have a firewall blocking everything but ssh, http, whatever, add sshguard: http://sshguard.sourceforge.net/
I use Gentoo, so it was a simple matter of:
Code:
echo "app-admin/sshguard ~x86" >> /etc/portage/package.keywords
emerge sshguard
Once you have the binary installed, adjust syslog-ng.conf (or use the tail method). Again, on Gentoo, it's simply adding this to /etc/syslog-ng/syslog-ng.conf:
Code:
destination sshguardproc {
program("/usr/sbin/sshguard"
template("$DATE $FULLHOST $MESSAGE\n"));
};
filter f_sshlogs { facility(auth, authpriv) and match("sshd"); }; # for sshguard
log { source(src); filter(f_sshlogs); destination(sshguardproc); };
The final step is to add the sshguard chain and rule to your iptables ruleset, then import it with iptables-restore.
Here's my ruleset, for example:
Code:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:sshguard - [0:0]
:REJECT-PKT - [0:0]
:SYN-FLOOD - [0:0]
######################################################################
# Allow all loopback interface traffic
-A INPUT -i lo -j ACCEPT
# Block all attempts to spoof the loopback address
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -d 127.0.0.0/8 -j DROP
# Block all attempts to spoof the local IP address
-A INPUT -s 64.22.124.206 -j DROP
# Block Syn Flood attacks
-A INPUT -p tcp -m tcp --syn -j SYN-FLOOD
# Ensure that TCP connections start with syn packets
-A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP
# Allow session continuation traffic
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Pass ssh traffic to sshguard for processing
-A INPUT -p tcp -m tcp --dport 22 -j sshguard
# Allow selected TCP/IP and/or UDP services
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Block all other TCP/IP and UDP traffic
-A INPUT -j REJECT-PKT
######################################################################
# Syn flood filtering chain. Note: -m limit is a single global token bucket, so this caps
# new TCP connections host-wide at 1/s (burst 4), not per source; raise the limit on a busy
# web server, or use -m hashlimit for a per-source limit.
-A SYN-FLOOD -m limit --limit 1/s --limit-burst 4 -j RETURN
-A SYN-FLOOD -j DROP
######################################################################
# Chain used to reject all TCP/IP, UDP and ICMP/PING packets
-A REJECT-PKT -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A REJECT-PKT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
-A REJECT-PKT -p icmp -m icmp --icmp-type ping -j REJECT --reject-with icmp-host-unreachable
COMMIT
(With exception for my own tweaking, credit for this ruleset goes to http://www.lowth.com/LinWiz/)
SteveG
Joined: 30 Nov 2003
Posts: 220
Posted: Wed Mar 26, 2008 1:53 pm
Whatever makes you happy, for sure, but I fail to see how using an external iptables rule generator is different from using a local one like shorewall or ufw or firehol
dfelicia
Joined: 30 Jul 2007
Posts: 41
Posted: Wed Mar 26, 2008 2:11 pm
Quote: I fail to see how using an external ip tables rule generator is different than using a local one
Because one requires you to install software, and one doesn't, and the original poster commented:
Quote: I'll start by using the iptables command since it's installed by default and offers all the options available.
That's it. I agree that "whatever floats your boat" is the best route... my post was more about sshguard.
hdfsk5
Joined: 28 May 2007
Posts: 6
Posted: Mon Mar 31, 2008 3:26 pm
SteveG wrote: There's a case to be made that a linode doesn't actually need a firewall, since you can control which ports are listened on, and usually there's no other system involved. But there's nothing wrong with an extra layer.
Are you saying that all the distros linode has available have ports closed by default (like ubuntu's default distro), or that linode has a tool to allow/disallow ports on a lower layer? If the latter, where's that tool available?
If the former, never mind ;).
SteveG
Joined: 30 Nov 2003
Posts: 220
Posted: Mon Mar 31, 2008 6:36 pm
I'm saying that pretty much any modern Linux distribution has most ports closed by default, mostly because they don't install server software by default. Now, some of the very basic inetd-supported ports might be available (assuming inetd is installed), but I just looked at a recently installed server (Debian Lenny) at home, and here are all the open ports:
Code:
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
111/tcp open rpcbind
113/tcp open auth
119/tcp open nntp
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2049/tcp open nfs
4713/tcp open unknown
6600/tcp open unknown
43651/tcp open unknown
46087/tcp open unknown
55671/tcp open unknown
All of those represent servers I explicitly installed: SSH, Apache, Postfix, NFS, Samba, PulseAudio (4713), and MPD (6600).(The three high ports are NFS related, assigned by rpcbind.) Since, presumably, you'd open holes in the firewall for the servers you have installed, one can argue you don't need a firewall.
OTOH, I've come to the conclusion you can't go wrong with an extra layer. It helps you avoid accidentally exposing a service you haven't yet configured. If someone manages to exploit apache and install a botnet, the firewall keeps them from controlling it. So I recommend going ahead and installing a firewall.
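SteveG's method above, list what is listening and account for every port against what you meant to install, is the check worth repeating after every package install, and it is easy to automate. The script below is an added example, not from the post: it reads netstat -tln style output, ignores sockets bound only to a loopback address (they are not reachable from outside, firewall or not), and reports exposed ports that are not on the allow list you give it. The netstat text is constructed for the example and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: compare listening sockets with
# the ports you intend to expose. The netstat output below is constructed
# for the example, in the column layout of "netstat -tln".
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN'

# exposed_ports   (netstat -tln output on stdin)
# Prints, sorted numerically and deduplicated, the ports of TCP sockets
# listening on a non-loopback address. The port is the text after the
# last ":" of the Local Address column, which also copes with "::1:631"
# and ":::22"; whatever precedes it is the bind address.
exposed_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host != "::1" && host !~ /^127\./) print port
        }' | sort -n | uniq
}

# unexpected_listeners "ALLOWED_PORTS"   (netstat -tln output on stdin)
# Prints exposed ports missing from the space-separated allow list, i.e.
# services reachable from outside that you did not decide to expose.
unexpected_listeners() {
    allowed=" $1 "
    exposed_ports | while read -r port; do
        case "$allowed" in
            *" $port "*) ;;
            *) echo "$port" ;;
        esac
    done
}

# Demo: the firewall is meant to pass 22, 80 and 443. rpcbind on 111 is
# the surprise (it arrives as an NFS dependency, as in the list above);
# MySQL on 3306 and CUPS on 631 are loopback-only and correctly ignored.
# For a live check: netstat -tln | unexpected_listeners "22 80 443"
echo "$SAMPLE_NETSTAT" | unexpected_listeners "22 80 443"
```

Anything this prints is either a service to stop, a bind address to change to 127.0.0.1, or a port to add to the firewall on purpose; with a default-deny INPUT chain the listener is harmless in the meantime, which is the "extra layer" argument in one command.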
hdfsk5
Joined: 28 May 2007
Posts: 6
Posted: Mon Mar 31, 2008 10:09 pm
Thanks!
I think I will follow your lead as well.
rweir
Joined: 09 Jan 2008
Posts: 10
Posted: Sun Apr 06, 2008 9:21 pm
SteveG wrote:
I'm not sure what "Netfilter" you're referencing; the only one I know is the BSD packet filtering system, equivalent to iptables.
Technically, "netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack."
Older user documents tend to use it instead of the term "iptables".