Topic: NetSecL Firewall 2.4

Hello,

Since I had the situation - I needed to Accept connection from my home-made router, I thought it might be handy to have an extra option in the firewall. The new option in the firewall-script is called BEHINDROUTER and accepts connections from the DNS IP which in most cases is also the same as the gateway IP and the router IP.

This will be included in the upcoming NetSecL 2.4

Download Link:
http://rsync.netsecl.com/firewall/netse … .4.tar.bz2
Have fun,
Yuriy
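To make the BEHINDROUTER idea concrete, here is a small added example (written for this thread, not taken from the NetSecL rc.firewall script): it pulls the first nameserver out of resolv.conf-style text, checks that the option is switched on and that the address is a plain dotted-quad, and only then prints the iptables rule that would accept connections from that host. The function names, the eth0 default and the sample resolv.conf content are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not the NetSecL firewall script itself. Helper names
# (first_nameserver, behindrouter_rules) are hypothetical.

# Constructed resolv.conf content; in a real setup this would be /etc/resolv.conf
SAMPLE_RESOLV='# constructed sample
search home.lan
nameserver 192.168.1.1
nameserver 192.168.1.2'

# Print the first "nameserver" address found on stdin (the router's IP
# in the typical home LAN the thread describes).
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }'
}

# Emit the iptables command that accepts connections from the router/DNS
# host when the option is Y. Prints nothing and returns 1 when the option
# is off, when no address was found, or when the value is not a dotted-quad,
# so a failed lookup never turns into an overly broad ACCEPT rule or an
# unquoted shell fragment inside the firewall script.
behindrouter_rules() {
    opt="$1"
    dns_ip="$2"
    iface="${3:-eth0}"   # LAN-facing interface; assumed default
    case "$opt" in
        [Yy]) ;;
        *) return 1 ;;
    esac
    case "$dns_ip" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    printf 'iptables -A INPUT -i %s -s %s -j ACCEPT\n' "$iface" "$dns_ip"
}

# Demo: what the script would do with BEHINDROUTER=Y on the sample resolv.conf
BEHINDROUTER=Y
DNS_IP=$(printf '%s\n' "$SAMPLE_RESOLV" | first_nameserver)
behindrouter_rules "$BEHINDROUTER" "$DNS_IP" eth0
```

If the firewall already keeps an ESTABLISHED,RELATED rule, replies to your own DNS queries get through without this; the BEHINDROUTER rule is what lets the router open new connections to the host, so it is worth keeping it bound to the LAN interface rather than to all interfaces.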

Re: NetSecL Firewall 2.4

I'm a newbie here.

I would like to know if this Firewall is better than Firestarter?

Is there documentation for configuring this program?

Greetings

Re: NetSecL Firewall 2.4

Whether it's better depends on what you understand under it. The NetSecL firewall is a script, not a GUI application; it stealths all ports and protects against many scans, and has snort if you would like to use it as an IDS. You basically would not have to do anything, just let it run (which also happens by default in NetSecL), unless you need to allow some server application through the firewall or set some IP that the script was unable to fetch. Options are in the script itself: open it in a text editor and say Y or N to turn available options on or off. If you use the firewall in a distro other than NetSecL it will be /etc/rc.d/rc.firewall, and by default in NetSecL this would be /etc/rc.d/rc.standart

Re: NetSecL Firewall 2.4

hi!

Can somebody explain the differences between the two versions of the firewall script, the standard and the advanced one?

And what is the best network layout for netsecl, or to start with? A direct connection to the internet with a modem, or a LAN with a router as DNS server?
I've always used the second one and I hope the netsecl configuration supports it after installation without configuration, as slackware does.
I don't pretend to surf the internet, but just to see the router and ping it.

Re: NetSecL Firewall 2.4

Hi,

The difference is that if you want to use snort, you will have to use the advanced firewall script - set it in rc.firewall, you will see a variable there; also in the snort configuration you have to set your network. If you have a router, just open the script you use by default, rc.standart, and set BEHINDROUTER to Y, then save. It should work just fine.

Yuriy

Re: NetSecL Firewall 2.4

yeah. it works.....!
now i'll have a look to snort configuration files.

thx

Re: NetSecL Firewall 2.4

Sure it will work.

Re: NetSecL Firewall 2.4

Does the new firewall permit the same ports (e.g. I need regular web browsing ports enabled: 80, 443; and wanted to make sure whether the reason I can not access the web through firefox while grsec is enabled is the fault of the firewall or not) whether grsec is or is not enabled? I noticed in my /etc/rc.d/netsecfirewall file it showed that port 53 is not permitted. What port do I use for DNS if it is not 53?

Re: NetSecL Firewall 2.4

Yes it does. Do you use a router at home? If yes, set BEHINDROUTER to Y, then save - it will resolve the issue. There shouldn't be any other issue - I have used this script for ages.

Yuriy

Re: NetSecL Firewall 2.4

Sorry I didn't catch this advice earlier. I did read you saying to set that variable to other people. Until now, I did not know for sure whether it meant whether I have a router at all or not, because I did not really know you could access the internet without one, lol. I did find the line in the file that said BEHINDROUTER, so I think I do not need further assistance with this problem; thank you for your help.

Re: NetSecL Firewall 2.4

Well, sure you can, but there is a point - the prices of routers dropped so much that the ISPs are giving them out for "free" even in poor countries, so maybe it is time to switch that option on by default.

Yuriy

Re: NetSecL Firewall 2.4

That's funny that the ISPs do that.

Sounds like a good idea to switch BEHINDROUTER=yes to the default configuration.

Re: NetSecL Firewall 2.4

Already changed it in the current version.

Re: NetSecL Firewall 2.4

Right on, man.