Author Topic: Basic firewalling of my remote hosted Raspberry Pi  (Read 3384 times)

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Basic firewalling of my remote hosted Raspberry Pi
« on: September 27, 2018, 11:32:35 PM »

I really ought to do something with basic firewalling of Ubuntu (which is what it is running now) on my remote, hosted Raspberry Pi. But I am way too foggy to get stuck in to using the less friendly *nix firewalling tools such as raw IPTABLES, and there is little point if I simply get it all wrong anyway, so being sure of the results would need to be part of the deal. I think my options are to use a friendlier configuration tool for idiots, such as myself, or get a basic potted configuration from somewhere which I can just edit. Something that says all inbound=deny, all outbound=allow, does Dracula and the Virgin stateful firewalling to allow inbound conversations if initiated from outbound and enables all the related ICMPv6 inbound being allowed too.

The danger in my case is that the slightest mistake would mean I lock myself out for good. I am wondering about setting some job going on a delta timer to disable the firewall, as a safety switch. Probably the best would be to have the timer retrigger itself or the job set a new timer, or whatever, but repeating every ten minutes or so.

I decided to give ufw a try -

And as my safety measure I tried the following
    ( sleep 500 ; ufw disable ) &

And then something like

    ufw disable & ufw default deny incoming & ufw default allow outgoing
    ufw allow from 2001:8b0:xxx::/48 & ufw enable


Where the latter IPv6 address range is my own IPv6 allocation

Sound reasonable?

What next?
« Last Edit: September 27, 2018, 11:45:25 PM by Weaver »
Logged

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Basic firewalling of my remote hosted Raspberry Pi
« Reply #1 on: September 27, 2018, 11:57:13 PM »

And it seems already I have somehow locked myself out, although I can’t see what I got wrong with that command. I should have made that disabled background thing self-retriggering - forgot that, stupidly.

I am wondering if I can prevent ufw’s configuration from being initially active at boot time and manually enable it instead for now, as that way I can just reboot the Pi if I get into dire trouble, which I can do remotely regardless, thanks to Mythic Beasts’ magic (the hosting company).
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Basic firewalling of my remote hosted Raspberry Pi
« Reply #2 on: September 28, 2018, 12:29:28 AM »

Sorry, I am unable to assist you as I do not know Ubuntu and have no knowledge of "ufw".

However I will type . . .

( while sleep 500; do ufw disable; done ) &
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.
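An added example, not code from either post above: the opening post's rule sequence applied in a fixed order, behind the self-rearming rollback loop suggested in the reply, made stoppable with a marker file. It assumes root and an installed ufw; MGMT_NET is a constructed documentation prefix standing in for the poster's own /48, and UFW=echo is a dry-run hook of my own.

```shell
#!/bin/sh
# Added example, not code from the thread: apply the deny-inbound/allow-outbound
# ufw policy in a fixed order, behind a self-rearming rollback so a mistake
# cannot lock you out for good. Assumes root and an installed ufw.
# MGMT_NET is a constructed documentation prefix standing in for your own /48.
MGMT_NET="${MGMT_NET:-2001:db8:1234::/48}"
# Set UFW=echo to dry-run: the commands are printed instead of applied.
UFW="${UFW:-ufw}"

# The ordered steps. The thread's one-liner joined them with a single '&',
# which backgrounds each command, so 'ufw enable' could run before the allow
# rule existed. Each line here is applied only after the previous one succeeded.
# --force suppresses the interactive "may disrupt existing ssh" prompt on enable.
plan_rules() {
    printf '%s\n' \
        "$UFW --force disable" \
        "$UFW default deny incoming" \
        "$UFW default allow outgoing" \
        "$UFW allow from $MGMT_NET" \
        "$UFW --force enable"
}

# Safety switch: while the marker file exists, disable ufw every INTERVAL
# seconds (the reply's loop, made stoppable). Delete the marker only after a
# fresh SSH session from MGMT_NET has succeeded.
arm_rollback() {
    marker="$1"; interval="${2:-300}"
    : > "$marker"
    ( while [ -e "$marker" ] && sleep "$interval"; do
          $UFW --force disable >/dev/null 2>&1
      done ) &
}

# Run the plan, stopping at the first failure so later steps never run on a
# half-applied state. Returns 1 on failure.
apply_rules() {
    plan_rules | while IFS= read -r cmd; do
        sh -c "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Typical session: arm the rollback first, apply, then verify from a NEW
# ssh session before removing the marker (paths are constructed examples):
#   arm_rollback /run/ufw-rollback.marker 300
#   apply_rules && echo "open a new ssh session; if it works: rm /run/ufw-rollback.marker"
```

ufw only writes IPv6 rules to ip6tables when /etc/default/ufw has IPV6=yes, so check that before relying on an IPv6-only allow rule for management access.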


Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Basic firewalling of my remote hosted Raspberry Pi
« Reply #3 on: September 28, 2018, 01:44:21 AM »

God, as simple as that. Am still living in the world of NT batch which doesn’t have a while command - have to use horrible ‘for’ constructions or conditional gotos.
Logged

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Basic firewalling of my remote hosted Raspberry Pi
« Reply #4 on: September 28, 2018, 01:46:55 AM »

I suppose that I could dig out the iptables config that ufw generates, because I think that is all it is - an iptables config-generator and front-end. Then maybe someone here who speaks standard stuff would be able to check for sanity.
Logged

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Basic firewalling of my remote hosted Raspberry Pi
« Reply #5 on: September 28, 2018, 08:13:10 AM »

So I managed to stuff the machine twice more, making it inaccessible, even with Burakkucat’s fix. In the end I spotted something. Even though ssh was now unresponsive, I could still ping the Pi from my iPad. So it does not seem to be a straightforward case of blocked-by-firewall. (Unless it always lets icmp through but nothing else, but that seems a bit weird. Is that even possible?) So I have no idea what is going on.

Anyway ufw is out. And since I have no way of safely proceeding, I don’t see how I can continue with any more firewalling development, since I have no way of debugging it and the cost of a complete wipe-and-rebuild every time things go wrong is way too high.

If I could find some known good config then that might be worth a try.
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Basic firewalling of my remote hosted Raspberry Pi
« Reply #6 on: September 28, 2018, 03:44:55 PM »

I suppose that I could dig out the iptables config . . .

iptables -L
ip6tables -L

Quote
    -L, --list [chain]
        List all rules in the selected chain. If no chain is selected, all chains are listed. Like every other iptables command, it applies to the specified table (filter is the default), so NAT rules get listed by
            iptables -t nat -n -L
        Please note that it is often used with the -n option, in order to avoid long reverse DNS lookups. It is legal to specify the -Z (zero) option as well, in which case the chain(s) will be atomically listed and zeroed. The exact output is affected by the other arguments given. The exact rules are suppressed until you use
            iptables -L -v
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.


parkdale

  • Reg Member
  • ***
  • Posts: 597
Logged
Vodafone FTTC ECI cab 40/10Mb connection / Fritz!box7590

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Basic firewalling of my remote hosted Raspberry Pi
« Reply #8 on: October 07, 2018, 03:45:14 PM »

Thank you very much. Until I can somehow proceed without locking myself out every time, then I just don’t know what to do.
Logged