Hey there

So I'm working on setting up my new Linux box to pick up the Fidonet HUBing duties that a Windows system I run is currently handling.

An area I am a n00b at is setting up a firewall for the system. I'm running Debian Buster and if I am correct there is no out of the box firewall
software that comes with the default install?

I have had some distant past exposure to iptables using a raspberry pi but that's about it, and that was not that fun.

I'm wondering what would be best to install such that I can easily open ports to allow hub and bbs software to work with incoming and outgoing traffic
being allowed to flow.

I have a heavy duty router on my home LAN that I can use to port forward say BinkP traffic to the Linux box and not allow anything else to it from the Internet... I figure this is a good first line of defense but am also
wondering about how far to go with a firewall on the box itself?

What I don't want to end up with is a situation where I am struggling to get software to work on the box because I can get it to connect in/out from the internet due to a firewall causing me grief.

So there we are, your tips and advice as to what I should do and how to approach this would be appreciated :)

Thanks :)

--- Mystic BBS v1.12 A46 2020/08/26 (Windows/32)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (21:1/101)

An area I am a n00b at is setting up a firewall for the system. I'm
running
Debian Buster and if I am correct there is no out of the box firewall software that comes with the default install?

I think that "ufw" is probably the easiest frontend to ip tables.

Andrew


--- Talisman v0.10-dev (Linux/armv7l)
* Origin: HappyLand v2.0 - telnet://happyland.zapto.org:11892/ (21:1/182)

On 24 Jan 2021 at 06:16p, apam pondered and said...

I think that "ufw" is probably the easiest frontend to ip tables.

Thanks I'll have a look at this one. A quick glance and it has 'made for new folks' written all over it :)

--- Mystic BBS v1.12 A46 2020/08/26 (Windows/32)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (21:1/101)

Hello Avon!

On 24 Jan 2021, Avon said the following...

An area I am a n00b at is setting up a firewall for the system. I'm running Debian Buster and if I am correct there is no out of the box firewall software that comes with the default install?

Kind of. The 'iptables' command is there and is linked to the 'iptables-nft' command. nftables is used as the firewall backend, and comes with an empty ruleset.

See: https://wiki.debian.org/nftables#nftables_in_Debian_the_easy_way

Unless you have rogue hosts on your internal network -- and since you're behind a router taking care of the port forwarding (i.e. only letting through traffic to the ports of interest) -- I'd suggest leaving the Debian firewall at the default setting, i.e. allowing all traffic, in and out.

Best regards
Zip

--- Mystic BBS v1.12 A47 2021/01/24 (Linux/64)
* Origin: Star Collision BBS, Uppsala, Sweden (21:1/202)

Re: Linux Firewall
By: Avon to All on Sun Jan 24 2021 09:12 pm

Howdy,

I have a heavy duty router on my home LAN that I can use to port forward say BinkP traffic to the Linux box and not allow anything else to it from the Internet... I figure this is a good first line of defense but am also wondering about how far to go with a firewall on the box itself?

I dont firewall internal systems (or said another way, non-internet facing systems).

If you have a device infront of it (which you say you do), then that is your firewall.

I might be a bit relaxed because I have everything run in a docker container (another benefit). Inside the running container is a jail - so if somebody did break the application and install a backdoor (or run a trojan), then resetting the container (well technically deleting and re-creating) instantly removes anything not part of the image. Until I discover the trojan/back door, they are inside a jail with limited tools and resources.

...ëîåï

... As a boy, he swallowed a teaspoon. And he hasn't stirred since.
--- SBBSecho 3.12-Linux
* Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)

Avon wrote (2021-01-24):

Hey there

So I'm working on setting up my new Linux box to pick up the Fidonet
HUBing duties that a Windows system I run is currently handling.

An area I am a n00b at is setting up a firewall for the system.

Why and for what do you need a firewall?

---
* Origin: . (21:3/102)

Re: Linux Firewall
By: Avon to All on Sun Jan 24 2021 09:12 pm

Hey there

So I'm working on setting up my new Linux box to pick up the Fidonet HUBing duties that a Windows system I run is currently
handling.

An area I am a n00b at is setting up a firewall for the system. I'm running Debian Buster and if I am correct there is no ou
of the box firewall
software that comes with the default install?

I have had some distant past exposure to iptables using a raspberry pi but that's about it, and that was not that fun.

I'm wondering what would be best to install such that I can easily open ports to allow hub and bbs software to work with
incoming and outgoing traffic
being allowed to flow.

I have a heavy duty router on my home LAN that I can use to port forward say BinkP traffic to the Linux box and not allow
anything else to it from the Internet... I figure this is a good first line of defense but am also
wondering about how far to go with a firewall on the box itself?

What I don't want to end up with is a situation where I am struggling to get software to work on the box because I can get i
to connect in/out from the internet due to a firewall causing me grief.

So there we are, your tips and advice as to what I should do and how to approach this would be appreciated :)

Thanks :)

If you have not much of a clue and you need some quick solution, just install ufw. Or gufw for a gui.

Having the router doing the firewalling is a must, but I like to have packet filtering running on the hosts just in case the
router has trouble. I have had ISP isued routers reset their firewall rules and expose big chunks of the LAN to the Internet so
host based firewalling is important to have.

I use iptables directly myself. If you want to get started, duckduckgo for Alienbob's iptables script. It is tailored for
slackware but should work for any Linux with iptables on it.

--
gopher://gopher.richardfalken.com/1/richardfalken
--- SBBSecho 3.12-Linux
* Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (21:2/138)

Re: Linux Firewall
By: deon to Avon on Sun Jan 24 2021 09:17 pm

I dont firewall internal systems (or said another way, non-internet facing systems).

If you have a device infront of it (which you say you do), then that is your firewall.

You just made me sad right there.

As I have said elsewhere, if you are using an ISP issued router or a low quality firewall, you lack proper protection.
Specially if you are in an ipv6 enabled network. Spanish Orange ISP once managed to screw everybody who had complex LAN
topologies and managed to get them exposed to the Internet so I think running even some simple filtering inside the LAN is a
must.

Specially if you have guests or irresponsible users in your LAN (ie little rat brother who downloads tons of porn and potential
malware with it). I like to set my machines so they only talk to necessary appliances an to other of my machines, firewalling
my family and guests out.

In fact I ended up setting my own network within the LAN, with static arp and host-to-host ipsec.

I agree that is excessive, but point is setting an easy firewall costs no effort and the LAN is not something you should be
blindy trusting unless you are the sole user. And probably even then.

--
gopher://gopher.richardfalken.com/1/richardfalken
--- SBBSecho 3.12-Linux
* Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (21:2/138)

Re: Linux Firewall
By: Arelor to deon on Sun Jan 24 2021 04:40 am

You just made me sad right there.

Cheer up - its not that bad...

As I have said elsewhere, if you are using an ISP issued router or a low quality firewall, you lack proper protection. Specially if you are in an ipv6 enabled network. Spanish Orange ISP once managed to screw everybody who had complex LAN topologies and managed to get them exposed to the Internet so I think running even some simple filtering inside the LAN is a must.

I dont have an ISP issued router.

I agree that is excessive, but point is setting an easy firewall costs no effort and the LAN is not something you should be blindy trusting unless you are the sole user. And probably even then.

I agree that that is excessive too. But your point is valid - context. My "server" is not on the same network as my "wifi users", and my wifi users are my wife and young children (who dont own devices).

A lot of compromise (most), comes from the "inside" - either directly or indirectly - and I do know who is in the inside, so I am a lot more comfortable. I may not be when my son (or daughter - dont want to stereo type) become teenages/hackers - especially if they are after that internet fix that everybody talks about.

...ëîåï

... Beware of all enterprises requiring new clothes.
--- SBBSecho 3.12-Linux
* Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)

On Monday, January 25th Avon was heard saying...

wondering about how far to go with a firewall on the box itself?

Running at this level even behind a "hardware" FW is always a good idea.


Twas Monday, January 25th when Avon said...

So there we are, your tips and advice as to what I should do and how to approach this would be appreciated :)

I'd look into firewalld -- it's easy to deal with. Here is a Guide for Debian Buster:

https://computingforgeeks.com/how-to-install-and-configure-firewalld-on-debian/



--
|08 â–  |12NuSkooler |06// |12Xibalba |08- |07"|06The place of fear|07"
|08 â–  |03xibalba|08.|03l33t|08.|03codes |08(|0344510|08/|03telnet|08, |0344511|08/|03ssh|08)
|08 â–  |03ENiGMA 1/2 WHQ |08| |03Phenom |08| |0367 |08| |03iMPURE |08| |03ACiDic
--- ENiGMA 1/2 v0.0.12-beta (linux; x64; 12.13.1)
* Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)

deon around Monday, January 25th...

I might be a bit relaxed because I have everything run in a docker container (another benefit). Inside the running container is a jail - so if somebody did break the application and install a backdoor (or run a trojan), then resetting the container (well technically deleting and re-creating) instantly removes anything not part of the image. Until I discover the trojan/back door, they are inside a jail with limited tools and resources.

Running in a Docker container being inheriently more secure is a common misconception / pitfall.

A BSD style Jail is a good layer, but this is VERY differnet than a Docker container.

If you're using this for your security, I'd look again :)





--
|08 â–  |12NuSkooler |06// |12Xibalba |08- |07"|06The place of fear|07"
|08 â–  |03xibalba|08.|03l33t|08.|03codes |08(|0344510|08/|03telnet|08, |0344511|08/|03ssh|08)
|08 â–  |03ENiGMA 1/2 WHQ |08| |03Phenom |08| |0367 |08| |03iMPURE |08| |03ACiDic
--- ENiGMA 1/2 v0.0.12-beta (linux; x64; 12.13.1)
* Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)

Re: RE: Linux Firewall
By: NuSkooler to deon on Sun Jan 24 2021 01:52 pm

Running in a Docker container being inheriently more secure is a common misconception / pitfall.

Can you elaborate more with an example?

...ëîåï

... I used to be indecisive; now I'm not sure.
--- SBBSecho 3.12-Linux
* Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)

On 24 Jan 2021 at 10:09a, Zip pondered and said...

Kind of. The 'iptables' command is there and is linked to the 'iptables-nft' command. nftables is used as the firewall backend, and comes with an empty ruleset.

See: https://wiki.debian.org/nftables#nftables_in_Debian_the_easy_way

Thank you I'll check this out along with the other suggestions I'm looking at tonight :)

--- Mystic BBS v1.12 A46 2020/08/26 (Windows/32)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (21:1/101)

On 24 Jan 2021 at 09:17p, deon pondered and said...

I dont firewall internal systems (or said another way, non-internet
facing systems).

Although I have a high end router in the house running first in line before
the rest of the LAN. I've usually run a firewall on most internal systems
that run services that involve incoming traffic from the Internet.

If you have a device infront of it (which you say you do), then that is your firewall.
I might be a bit relaxed because I have everything run in a docker

OK, thanks good sir.

--- Mystic BBS v1.12 A46 2020/08/26 (Windows/32)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (21:1/101)

On 24 Jan 2021 at 11:26a, Oli pondered and said...

Why and for what do you need a firewall?

The reasons for running one I think are kind of clear... just want to ensure the system is not risking being compromised in any way by taking steps to mitigate that risk. :)

--- Mystic BBS v1.12 A46 2020/08/26 (Windows/32)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (21:1/101)

On 24 Jan 2021 at 04:34a, Arelor pondered and said...

If you have not much of a clue and you need some quick solution, just install ufw. Or gufw for a gui.

Thanks, I'll look into this one. Apam also suggested it.

I have used iptables on the Raspberry Pi but didn't find it overly intuitive etc.

That said if need be I can set it up in conjugation with some online web guidelines :)

Perhaps I should have said I have around 2/3rds of a clue :)

--- Mystic BBS v1.12 A46 2020/08/26 (Windows/32)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (21:1/101)

On 24 Jan 2021 at 01:47p, NuSkooler pondered and said...

wondering about how far to go with a firewall on the box itself?

Running at this level even behind a "hardware" FW is always a good idea.

Thanks. Just to clarify, what do you me 'at this level'? I'm guessing 'a box that handles IP traffic on assorted ports from the Internet' counts? :)

I'd look into firewalld -- it's easy to deal with. Here is a Guide for Debian Buster:

https://computingforgeeks.com/how-to-install-and-configure-firewalld-on-de

Thanks Nu! I'll also check this one out. Appreciate the suggestion.

--- Mystic BBS v1.12 A46 2020/08/26 (Windows/32)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (21:1/101)

NuSkooler wrote (2021-01-24):

A BSD style Jail is a good layer, but this is VERY differnet than a
Docker container.

Do you know if there are differences between the BSDs (Free/Net/Open/DragonflyBSD) regarding Jails? I used Smartos (Illumos kernel (open sourced Solaris)) on a VPS for some time and the Zones there were great.

---
* Origin: . (21:3/102)

Re: Linux Firewall
By: Oli to NuSkooler on Mon Jan 25 2021 07:51 am

NuSkooler wrote (2021-01-24):

A BSD style Jail is a good layer, but this is VERY differnet than a Docker container.

Do you know if there are differences between the BSDs (Free/Net/Open/DragonflyBSD) regarding Jails? I used Smartos (Illumos kernel (open sourced Solaris)) on a VPS for some time and the Zones there were grea

OpenBSD has no jails.

We rely mainly on chroot+privilege separation at this point. We have a set of calls that work more or less like Linux' seccomp.

--
gopher://gopher.richardfalken.com/1/richardfalken
--- SBBSecho 3.12-Linux
* Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (21:2/138)

On Tuesday, January 26th Avon muttered...

Thanks. Just to clarify, what do you me 'at this level'? I'm guessing 'a box that handles IP traffic on assorted ports from the Internet' counts? :)

Yeah, so:
{ internet } <-> [ dedi firewall ] <-> [[ soft fw - ipf/etc.] your service ]

Where the last box on the Right is a server/vm/docker host/whatever running iptables/similar/similar.




--
|08 â–  |12NuSkooler |06// |12Xibalba |08- |07"|06The place of fear|07"
|08 â–  |03xibalba|08.|03l33t|08.|03codes |08(|0344510|08/|03telnet|08, |0344511|08/|03ssh|08)
|08 â–  |03ENiGMA 1/2 WHQ |08| |03Phenom |08| |0367 |08| |03iMPURE |08| |03ACiDic
--- ENiGMA 1/2 v0.0.12-beta (linux; x64; 12.13.1)
* Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)

Oli around Monday, January 25th...

Do you know if there are differences between the BSDs (Free/Net/Open/DragonflyBSD) regarding Jails? I used Smartos (Illumos kernel (open sourced Solaris)) on a VPS for some time and the Zones there were great.

I mostly know FreeBSD... There are most certainly impelmentation differences as they are independent code bases, but I'm not sure if there are design goal differences.


--
|08 â–  |12NuSkooler |06// |12Xibalba |08- |07"|06The place of fear|07"
|08 â–  |03xibalba|08.|03l33t|08.|03codes |08(|0344510|08/|03telnet|08, |0344511|08/|03ssh|08)
|08 â–  |03ENiGMA 1/2 WHQ |08| |03Phenom |08| |0367 |08| |03iMPURE |08| |03ACiDic
--- ENiGMA 1/2 v0.0.12-beta (linux; x64; 12.13.1)
* Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)

On 25 Jan 2021 at 04:38p, NuSkooler pondered and said...

Yeah, so:
{ internet } <-> [ dedi firewall ] <-> [[ soft fw - ipf/etc.] your
service ]

Where the last box on the Right is a server/vm/docker host/whatever running iptables/similar/similar.

Gotcha, thanks, that mirrors my thinking also. Cheers :)

--- Mystic BBS v1.12 A46 2020/08/26 (Windows/32)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (21:1/101)

Arelor wrote (2021-01-25):

Do you know if there are differences between the BSDs
(Free/Net/Open/DragonflyBSD) regarding Jails? I used Smartos (Illumos
kernel (open sourced Solaris)) on a VPS for some time and the Zones
there were grea

OpenBSD has no jails.

We rely mainly on chroot+privilege separation at this point. We have a
set of calls that work more or less like Linux' seccomp.

For some reason I thought all BSDs have jails, but it looks like it's a FreeBSD thing. NetBSD also doesn't have jails.

---
* Origin: . (21:3/102)

Hi, now its my time to help you out :-)

the best and easiest ubuntu / debian firewall to use is "ufw" its super easy
to open or close ports. try this at the bash shell

example:
# apt install ufw
# ufw allow binkp (to open binkp port)
# ufw deny binkp (to close binkp port)
# ufw status verbose

here is a reference page: www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules -and-commands

Thanks
- Gamecube Buddy

telnet --<{bbs.hive32.com:23333}>--

--- Mystic BBS v1.12 A46 2020/08/26 (Linux/64)
* Origin: Hive32 (21:4/129)

also to see incoming / outgoing network traffic, you might want to install these programs too

apt install iptraf ngrep htop
these will show you the traffic flowing through your system....

Thanks
- Gamecube Buddy

telnet --<{bbs.hive32.com:23333}>--

--- Mystic BBS v1.12 A46 2020/08/26 (Linux/64)
* Origin: Hive32 (21:4/129)

i usually run a firewall on my router, and also as a second line of defence,
i run a firewall on my local VMs. #DefenceInDepth
also for those how run fedora / centos / RHEL, it uses firewalld which is simular to ufw, but a little bit more complicated - but not by much.
i also run clamav antivirus on all my linux servers and desktops.



On 24 Jan 2021, Arelor said the following...

Re: Linux Firewall
By: Avon to All on Sun Jan 24 2021 09:12 pm

Hey there

So I'm working on setting up my new Linux box to pick up the Fidonet HU

duties that a Windows system I run is currently

handling.

An area I am a n00b at is setting up a firewall for the system. I'm run

Debian Buster and if I am correct there is no ou

of the box firewall
software that comes with the default install?

I have had some distant past exposure to iptables using a raspberry pi

that's about it, and that was not that fun.

I'm wondering what would be best to install such that I can easily open

ports to allow hub and bbs software to work with

incoming and outgoing traffic
being allowed to flow.

I have a heavy duty router on my home LAN that I can use to port forwar

BinkP traffic to the Linux box and not allow

anything else to it from the Internet... I figure this is a good first

of defense but am also

wondering about how far to go with a firewall on the box itself?

What I don't want to end up with is a situation where I am struggling t

software to work on the box because I can get i

to connect in/out from the internet due to a firewall causing me grief.

So there we are, your tips and advice as to what I should do and how to

approach this would be appreciated :)

Thanks :)

If you have not much of a clue and you need some quick solution, just install ufw. Or gufw for a gui.

Having the router doing the firewalling is a must, but I like to have packet filtering running on the hosts just in case the
router has trouble. I have had ISP isued routers reset their firewall rules and

expose big chunks of the LAN to the Internet so
host based firewalling is important to have.

I use iptables directly myself. If you want to get started, duckduckgo
for Alienbob's iptables script. It is tailored for
slackware but should work for any Linux with iptables on it.

--
gopher://gopher.richardfalken.com/1/richardfalken
--- SBBSecho 3.12-Linux
* Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (21:2/138)

Thanks
- Gamecube Buddy

telnet --<{bbs.hive32.com:23333}>--

--- Mystic BBS v1.12 A46 2020/08/26 (Linux/64)
* Origin: Hive32 (21:4/129)

Oh man! i cringe whenever i hear the word ilumnos. i worked at a state
collage in the computer department, which ran their department NAS off an
alpha / beta version of OpenIndiana / Illumnos - which was a free verson of solaris that at the time was older than 10+ years before i got there. it had some really bad issues. very broken system that crashed evertime you sneezed. the only reason they used it was they wanted "ZFS" - which in my linux
oppinon is a crappy OS file system. its fat and bloated, and waists a ton of space taking individual file snapshots on the OS. That version of OpenIndiana had a kernel bug which prevented it from accepting new drives with 4k sectoring. so when 2 drives died, i had to dig up some old 1 gig drives which uses the 512 byte sectoring. you couldnt even "remask" the drive sectors to
fit the 512 byte either. it ust flat out offlined the drives and refused to see it. I told my boss at the time, that the computers and NAS were 10 years out of warrenty, and the best bet would be to buy a new NAS system stacked
out with hard drives. i told him that i could take the current Backup server, whihc was in a perminante down state, and install RHEL with the ZFS file
system (which they get for free anyways due ot being a state collage). i told my boss i could migrate all the VMs and files off onto the rebuilt server, in order to buy us some time to buy the new equipmnet..... i mentioned this to
him in a meeting he had with a director of IT for the collage.
he fired me the next week...
i hope their NAS crashed and lost all their data.
on the way out the door - as i had a feeling they were about to let me go,
i wrote a note on my desktop to the new replacement admin. and left the long notes about how the whole network arch was put together - something i was not given. i was there for 3 months total. it sucked. one of the worst jobs i
have worked. + i hated the receptionist who was just plain mean.



On 25 Jan 2021, Oli said the following...

NuSkooler wrote (2021-01-24):

A BSD style Jail is a good layer, but this is VERY differnet than a Docker container.

Do you know if there are differences between the BSDs (Free/Net/Open/DragonflyBSD) regarding Jails? I used Smartos (Illumos kernel (open sourced Solaris)) on a VPS for some time and the Zones
there were great.

---
* Origin: . (21:3/102)

Thanks
- Gamecube Buddy

telnet --<{bbs.hive32.com:23333}>--

--- Mystic BBS v1.12 A46 2020/08/26 (Linux/64)
* Origin: Hive32 (21:4/129)