this post was submitted on 11 Oct 2023
315 points (96.5% liked)

Linux

48002 readers
996 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

Hello fellow Linux enthusiasts!

As many of you know, Linux can be a powerful and flexible operating system, but it can also be daunting for new users, especially when it comes to securing their systems. With the abundance of information available online, it's easy to get overwhelmed and confused about the best practices for firewall configuration and basic security.

That's why I reaching out to the Linux community for help. I am looking users who are willing to share their expertise and write a comprehensive guide to Linux firewall and security.

The goal of this guide is to provide a centralized resource that covers the following topics:

Introduction to Linux firewalls (e.g., firewalld, ufw, etc.)
Understanding basic security principles (e.g., ports, protocols, network traffic)
Configuring firewalls for various scenarios (e.g., home networks, servers, VPNs)
Best practices for securing Linux systems (e.g., password management, package updates, file permissions)
Troubleshooting common issues and errors
Advanced topics (e.g., network segmentation, SELinux, AppArmor)

I am looking for a well-structured and easy-to-follow guide that will help new users understand the fundamentals of Linux firewall and security, while also providing advanced users with a comprehensive resource for reference.

If you're interested in contributing to this project, please reply to this post with your experience and expertise in Linux firewall and security. We'll be happy to discuss the details and work together to create a high-quality guide that benefits the Linux community.

Thank you for your time and consideration, and im looking forward to hearing from you!

top 50 comments
sorted by: hot top controversial new old
[–] apt_install_coffee@lemmy.ml 34 points 1 year ago (3 children)

I build Linux routers for my day job. Some advice:

  • your firewall should be an appliance first and foremost; you apply appropriate settings and then other than periodic updates, you should leave it TF alone. If your firewall is on a machine that you regularly modify, you will one day change your firewall settings unknowingly. Put all your other devices behind said firewall appliance. A physical device is best, since correctly forwarding everything to your firewall comes under the "will one day unknowingly modify" category.

  • use open source firewall & routing software such as OpenWRT and PFSense. Any commercial router that keeps up to date and patches security vulnerabilities, you cannot afford.

[–] LordKitsuna@lemmy.world 10 points 1 year ago

i just want to also toss opnsense into that list, a long time ago it forked off pfsense and these days it offers (in my opinion) a significantly easier and better UI as well as more up to date kernel and better tools for dealing with things like buffer bloat

[–] skimm@lemmy.sdf.org 5 points 1 year ago (2 children)

Any links or thoughts on sane OpenWRT settings for a home network? I'm a networking noob but learning slowly and would love some good reading or tips.

[–] wrinkletip@feddit.nl 6 points 1 year ago (1 children)
[–] drwho@beehaw.org 3 points 1 year ago

Agreed. Solid out of the box.

[–] apt_install_coffee@lemmy.ml 2 points 1 year ago

Most firewalls are at their safest when you first get them i.e by default they block everything coming in. As you start doing port forwarding and the like you start making the network selectively less secure; that's when you have to pay attention.

[–] cole@lemdro.id 2 points 1 year ago (1 children)

opinions on Ubiquiti routers?

[–] apt_install_coffee@lemmy.ml 2 points 1 year ago

I had an EdgeRouter X for years before I started my job. They are solid devices, and I'd definitely put them above most consumer routers.

Because they only charge for the hardware, they will eventually run into the same disincentive to provide consistent timely updates. If you do buy an Ubiquiti or similar enthusiast brand, do still keep an eye out for the CVEs that don't get patched.

[–] TCB13@lemmy.world 33 points 1 year ago
[–] pastermil@sh.itjust.works 16 points 1 year ago (1 children)

I think firewall is the last thing you'd want to discuss with the newcomers...

[–] LordKitsuna@lemmy.world 5 points 1 year ago* (last edited 1 year ago) (2 children)

Yeah I don't even understand the point. The vast majority of people don't even need a client side firewall. The only time you need to worry about a client side of firewall is if you're on a laptop that you actually take out of your house ever or on a university or otherwise shared network. At home it's completely meaningless and a waste of CPU Cycles.

There are significantly better ways to address security, like how to enable a sandbox like firejail or bubblewrap or enable things like apparmor, firewall is probably one of the most inconsequential parts of security these days because it's all handled by the local router

[–] AProfessional@lemmy.world 11 points 1 year ago* (last edited 1 year ago) (7 children)

Home networks are full of trash like iot devices, like smart speakers, tvs, plugs, etc. Average people should have firewalls. It’s free.

[–] LordKitsuna@lemmy.world 3 points 1 year ago (2 children)

If you genuinely wish to isolate those devices the correct way to do it is not with client firewalls but with a Smart Switch and vlans

[–] AProfessional@lemmy.world 3 points 1 year ago

You may want them to communicate with each other to control them. Also setting up a vlan is quite complex for most users even if it has clear upsides.

load more comments (1 replies)
load more comments (6 replies)
[–] Honytawk@lemmy.zip 8 points 1 year ago (1 children)

Yeah, because how many people take their laptops out of their home, amiright?

[–] LordKitsuna@lemmy.world 6 points 1 year ago

I did consumer electronics recycling and repair for 5 years, and then did like another 5 years of just generic home call repair. You would be shocked how many people basically use their laptop as nothing more than a weird underpowered desktop and it literally just never leaves that spot

[–] aodhsishaj@lemmy.world 13 points 1 year ago (1 children)

This is a very broad subject. Are we talking straight iptables, or ufw/firewalld or at the app level with selinux/apparmor. Or at the firewall level like opnsense/pfsense? Or on the router side ddwrt and tomato etc. You can grab certain distros on either side, whonix/tails on the blueteam side, kali on the red team side. There are hardened kernels like zen and securelinux. There's network security, but also kernel level stuff like run levels, tpm, uefi, etc.

My real question is who is the audience for this? What is their use case, what distro are they using? What is the proposed environment?

[–] Pantherina@feddit.de 2 points 1 year ago

Problem 1: what tools do you choose?

[–] jollyrogue@lemmy.ml 7 points 1 year ago

Interesting.

What are the hosting details and contrib guidelines?

And some other random notes…

“Best practices for securing Linux” could probably be dropped. There are enough of those, and the topic could overrun the focus on firewalls. I could see a secure network section, but Linux might be too broad.

What about opening it up to FOSS firewalls and networking in general? The BSDs, Illumos, Haiku, and others could be added. Linux could be the starting point, and the others could be added as people feel like it.

[–] Stillhart@lemm.ee 6 points 1 year ago (17 children)

I tried using a guide online one time to build a linux router/firewall onto a passively-cooled mini-computer that I could leave on a shelf with no I/O connected... basically a replacement for the garbo off-the-shelf wifi routers that die every year. It worked...mostly. The problem is that the random little things that didn't work right just were insurmountable for a linux noob who was just trying to follow a guide.

I hate that spending money on the best ones you can buy STILL die after a year or two. And now they all require you to login so even more people can inspect all my network traffic.

I'd love to see a guide that's kept up to date for building a simple router/firewall, with sections like you have above for more information so people can unlock ports for unusual stuff or whatever. I mean, in a perfect world, you install a LTS OS and set it up and forget about it for a few years. Mine was like that except it required manual intervention every time it rebooted. If that wasn't the case, it would have been perfect and I would be recommeding it to everyone.

[–] LordKitsuna@lemmy.world 4 points 1 year ago (1 children)

Instead of building one from scratch why not simply use one of the already made router operating systems? I would personally recommend opnsense, it has a nice easy to use web UI and can be setup in like maybe 20min.

as for hardware you can use just about anything but i highly recommend these cute little dedicated router boxes. It is passively cooled, plenty powerful to handle wireguard VPN at gigabit speeds and should easily last you many many years without an issue.

load more comments (1 replies)
[–] possiblylinux127@lemmy.zip 3 points 1 year ago (1 children)

Use openwrt on a existing device

[–] Stillhart@lemm.ee 4 points 1 year ago (5 children)

My issue is that the cheapo consumer hardware sucks. Using good software on bad hardware doesn't solve the issue. Unless I can use it on a normal computer... last I looked into it, I don't think you could.

[–] Pantherina@feddit.de 1 points 1 year ago (1 children)

I really want to. My flatmates dont care at all, but afaik our router is supported. Could you share any experiences, how is the installation on such a "not meant to use third party software" device, are updates automatic? Do you install packages? How is the WebUI, how long would it take to just have it working?

[–] jollyrogue@lemmy.ml 2 points 1 year ago* (last edited 1 year ago) (2 children)

Installation of OpenWRT from stock depends on the device. Some devices are more involved than others.

Updates are not automatic, and they require planning with some down time. The process is backup settings, update wiping out settings, reapply settings by uploading backup.

I do not install packages. That leads even more horribly complicated updates. I don’t recommend using anything that isn’t in the stock image.

LuCI is serviceable. It’s not pretty, or the most intuitive, but it works.

OPNsense is better if you have the x86 hardware around to run it.

load more comments (2 replies)
load more comments (4 replies)
load more comments (15 replies)
[–] knobbysideup@lemm.ee 5 points 1 year ago (1 children)
  • use pfsense for a firewall. Using nftables, firewalld, etc should only really come into play if on an untrusted network. Firewalls on servers can cause more problems than they solve and are easy to misconfigure.
  • run lynis on your Linux servers to help get them compliant with CIS benchmarks
  • be careful with your reverse proxies
  • keep things patched
  • run only necessary services
  • configure needed services conservatively
  • no root logins
[–] LordKitsuna@lemmy.world 3 points 1 year ago

i just want to also toss opnsense into that list, a long time ago it forked off pfsense and these days it offers (in my opinion) a significantly easier and better UI as well as more up to date kernel and better tools for dealing with things like buffer bloat

[–] hottari@lemmy.ml 5 points 1 year ago* (last edited 1 year ago)

Have your tried the ArchWiki for the firewall programs you mentioned and their Security wiki as well? I usually find it resourceful and very comprehensive.

[–] MigratingtoLemmy@lemmy.world 5 points 1 year ago

Basically, a dummies guide on nftables and SELinux?

[–] Secret300@sh.itjust.works 4 points 1 year ago (1 children)

Been using Linux for 8 years. Never even touched a firewall. Well one time on Ubuntu server i used ufw to open a port but that was it

[–] Espi@lemmy.world 5 points 1 year ago

While I think firewalls are overrated, they are also dead easy to set up, and the best kind of defense is defense in depth.

[–] kugmo@sh.itjust.works 4 points 1 year ago

I'd love a good firewalld guide that's kinda tldr and would go into the details later.

[–] JWBananas@startrek.website 3 points 1 year ago (1 children)

Nobody:

OP: "Please do the needful."

[–] drwho@beehaw.org 4 points 1 year ago

It reads like OP has been looking for something that is actually usable and not LLM shat garbage blog posts. Asking people directly seems like the primary way of getting any actually useful information these days.

[–] barrett9h@lemmy.one 3 points 1 year ago (2 children)
  1. Install OpenBSD
  2. ???
  3. Profit!
load more comments (2 replies)
[–] ReakDuck@lemmy.ml 2 points 1 year ago* (last edited 1 year ago) (1 children)

What kind of attacks could I expect on a Linux Machine? Especially when using bare Arch Linux and only setting up software that I consume (Minecraft Server, Zerotier)

[–] redprog@feddit.de 4 points 1 year ago (1 children)

Arch on a server, that's gonna be fun lol

[–] float@feddit.de 4 points 1 year ago (3 children)

There aren't many distro with a base system as tiny as Arch. It's not a bad choice at all. It's on my server since many years, working perfectly reliable. Everything except the base system is inside Podman containers. Why not?

load more comments (3 replies)
load more comments
view more: next ›