pf in ubuntu
Peter Garrett
peter.garrett at optusnet.com.au
Sun Jan 7 11:43:56 UTC 2007
On Sun, 7 Jan 2007 11:57:28 +0100
Martin Marcher <martin.marcher at openforce.com> wrote:
> Am 05.01.2007 um 17:26 schrieb Adam Durity:
[snips]
> > Additionally, does anyone know of a good pf vs. iptables
> > vs. <insert firewall method of your choice here> discussion, or have a
> > particular rant they need to express? My eyes are open.
>
> Nope, but my personal rant is that I hate iptables for its syntax.
> pf has a human readable syntax and also a config file instead of
> single commands on the command line.
Well, you don't have to use iptables on the command line - you can make a
script without too much trouble. In the simplest case where you just want
to block everything incoming it boils down to
############################
#!/bin/bash
#First clean up in case we have existing policies like default DROP
#Means we start with a clean slate ...
iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
#Set up our policies and rules
iptables -P INPUT DROP #Drop everything that doesn't match the following
iptables -A INPUT -i lo -j ACCEPT # Accept local connections (loopback)
#Now make sure any connections we make allow incoming replies etc
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#############################
Add allowed IPs and protocols etc ad lib... Store in an appropriate place,
say /etc/iptables.up, make it executable, and call
from /etc/network/interfaces with pre-up or post-up etc., something like
# The primary network interface
auto eth0
iface eth0 inet dhcp
post-up /etc/iptables.up
There's a reasonable and simple intro at
https://help.ubuntu.com/community/IptablesHowTo
although it uses a default "ACCEPT" policy, which I think makes things
more complicated.
I used to be an Iptables phobic, but I now think that the problem is the
fact that people make it more complicated than it actually is :) Of course
you will need more lines than my example, but really not many - allow ssh
for example, from your office, with
iptables -A INPUT -m state --state NEW -s some.office.com -p tcp --dport 22 -j ACCEPT
and so on ...
Peter
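A fuller version of the script described above, as an added example that is not Peter's code or anything from the Ubuntu wiki: it keeps the same default-DROP structure, generalises the single ssh rule to a list of SOURCE:PORT pairs, drops INVALID packets, and lets you preview the rules with IPT=echo before applying them. The addresses and ports in the comments and test are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the original poster's script). IPT can be overridden
# (e.g. IPT=echo) to print the rules instead of loading them into the kernel.
IPT="${IPT:-iptables}"

# Start from a clean, permissive slate so a re-run does not stack duplicate rules.
reset_firewall() {
    "$IPT" -F             # flush all rules in the filter table
    "$IPT" -X             # delete any user-defined chains
    "$IPT" -Z             # zero packet/byte counters
    "$IPT" -P INPUT ACCEPT
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -P FORWARD ACCEPT
}

# apply_policy SRC:PORT ...  -- each argument is a source host or network and a
# TCP port to open for NEW connections, e.g. 203.0.113.10:22 (placeholder).
apply_policy() {
    "$IPT" -P INPUT DROP                                 # deny inbound by default
    "$IPT" -P FORWARD DROP                               # this host is not a router
    "$IPT" -A INPUT -i lo -j ACCEPT                      # loopback traffic
    "$IPT" -A INPUT -m state --state INVALID -j DROP     # malformed/untracked packets
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT  # replies to our own connections
    for entry in "$@"; do
        src="${entry%:*}"
        port="${entry##*:}"
        "$IPT" -A INPUT -m state --state NEW -s "$src" -p tcp --dport "$port" -j ACCEPT
    done
}

# Dry run: count the ACCEPT rules a given allow-list would install.
count_accepts() {
    ( IPT=echo; apply_policy "$@" ) | grep -c -- '-j ACCEPT'
}

# Only touch the live firewall when explicitly asked:
#   sh firewall.sh apply 203.0.113.10:22 198.51.100.0/24:80
if [ "${1:-}" = "apply" ]; then
    shift
    reset_firewall
    apply_policy "$@"
fi
```

Call it from /etc/network/interfaces with post-up as in the post, passing "apply" and the allow-list, so the rules are reloaded whenever the interface comes up.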