Linux Firewall Suggestions

  • I really really hate writing firewall configurations. And it looks like I'm going to have to write a cloud's worth for my cloud. 😦

    Do you know of a Linux firewall (presumably a front end to iptables) that lets me define a topology of "zones" in a global configuration file, and then lets me drop in which zones "this" host is on, in a directory?

    I'm thinking of the configuration pattern nginx and the like use. There's a global configuration file in /etc/nginx/nginx.conf, and then there's the "do all of these" directory (/etc/nginx/sites-enabled), where you drop in sites you want enabled.

    This has to exist. I hope.

  • +1

    I've only ever used pure iptables because all my servers are more or less individual. Interested to hear.

  • I don't think anything is going to do exactly what you want out of the box, but you can probably put a solution together from parts.

    It has been a while, but two iptables-based firewall configuration packages I've used are firehol and shorewall. They are both configured with simple text files, so you can create configuration from your own sources. They both have a zone concept which you may be able to bend to suit your purposes. Shorewall even claims to support centralised administration. They both make configuring firewalls pretty easy, especially compared with the complexity of calling iptables yourself.

    If you're running a cloud, I assume you're using something like Puppet? If so, you may be able to get away with defining the topology there.

    Good luck. Most firewall configuration stuff on Linux seems to be GUI-oriented, unsuitable for use on servers and unscalable for clusters.

  • That last paragraph seems extraordinary odd, considering Linux ships itself as God mode server.

  • Grade A Premium Asshole

    Shorewall might work for what you want. I would have to know more to answer for certain. Unlike most other Linux firewall distros, they actually have pretty decent documentation. You should be able to look over it and ascertain for yourself.

  • Shorewall is the frontend I typically use. I'm not extremely knowledgeable, but as far as I know, it's still set up in the "opposite" way.

    The config files say "This is how I relate to the interfaces I connect to" as opposed to "I'm in this zone"

    Then again, I don't know anything about it's centralized administration features, just the basic 3 zone router/firewall.

  • Grade A Premium Asshole

    Could you give us a little insight to the firewall configuration you will need? After reading back over your OP (I just finished my 4th vodka and tonic), it seems like you are hoping that there is a drop-in firewall for your very specific circumstances. If you give us some idea as to the exact needs, we might be able to help though.

  • Basically, I'm going to have a changing number of servers that provide:

    • static http service
    • an http proxy
    • a postgres server
    • a web application (behind the proxy)
    • smtp and imap
    • a Saltstack master
    • a backup server (i.e., it accepts rsync connections and backs data up)

    So what I want is to, turn my little diagram with clouds and arrows and service names into a list like:

    internet -> proxy:80
    internet -> proxy:443
    proxy    -> app:8080
    internet -> mail:587
    internet -> mail:993
    app      -> db:<whatever postgres' port is>

    etc. Presumably, the global configuration would have to know what each node's IP address is:


    And then, on each machine, I'd like to list the services it provides:

      - proxy
      - mail
      - db

    and have the firewall open its ports to all of the nodes in the "zones" the services need/provide to.

    I guess it's vaguely impossible to do exactly as I describe purely on the nodes (the nodes would have to query each other to figure out the services they all provide, or else the configuration would have to be generated all at once and uploaded to all the servers).

  • Grade A Premium Asshole

    For me, it sounds like your configuration is not all that advanced. Just simple port forwarding. What am I missing?

  • But I'm on the cloud, man.

    No, realistically, I may be adding and removing nodes programmatically. And the firewalls need to handle that.

  • Grade A Premium Asshole

    Then you are going to probably be programming your own solution. The other possibility would be running it through a load balancer? Depending upon your cloud, it might be a workable solution?

  • I suppose I could use a VPN and and a single firewall.

    I'm pretty tired of my devops tools. Maybe I will write my own. But not now.

  • Grade A Premium Asshole

    Next question: Are you going to be deploying all of this on virtual machines? I feel it safe to assume so. Could you instead of adding and removing nodes programmatically, preconfigure your VMs and only start them as load increases and power them down to free up resources as they are not needed?

    That is what we have done on other projects. There are also multiple ways to automate VM deployment, including IP address assignment, so that the firewall would not have to be changed through programming. If you get that wrong, you are opening yourself to a whole host of problems.

  • Grade A Premium Asshole

    @Intercourse said:

    There are also multiple ways to automate VM deployment, including IP address assignment, This comes to mind. We have used it in the past.

  • I'm going to be using Saltstack on Vagrant on Digital Ocean. (At least, that's the plan. I'm not overly attached to Vagrant) Powering nodes down isn't good enough for my purposes. I don't get any cost savings by powering down. I might as well keep them up.

  • Grade A Premium Asshole

    You are out of my area of expertise. We run our own "cloud". (I fucking hate that term) Powering down VMs and hosts at times of lower load is how we keep our costs down. It won't help you though.

  • Are you going to have a dedicated firewall box (or VM)? In that case, I suggest you look at pfSense. It's based on FreeBSD, offers a ton of customization, and has a company behind it that sells support.

    Otherwise I use shorewall on my Linux boxes, since I can't be bothered to deal with raw iptables.

  • May I suggest FireHOL (

    You can configure accepted services and clients (inbound and outbound protocols) per interface and per range of addresses/list. Just define the range as a variable, and you manage the assignment of hosts to "zones" as you wish.

    Config is a text file that is parsed and applied as iptables rules.

  • Who's your cloud provider? Amazon AWS's built-in (and required) firewall will meet your needs no problem.

    EDIT: nevermind, you're using some cloud provider I've never heard of before.

  • I just started using uncomplicated firewall a few days ago, but it's been amazingly easy to pick up and use and seems to do the right job. I run it from the command line because it's on a server install so I don't know if there is a gui.

    But it's really as easy as

    Ufw allow from to any port 22
    Ufw allow from any to any port 80

    You can restrict to exact match ip, exact range, tcp or udp, port ranges, etc. It also has the concept of app profiles which allow

    Ufw allow ssh
    Ufw deny ssh

    Ufw deny default

    So far it gets a 10 from this noob.

    And it is a front end on iptables


    I think it does have an UI, although it might be overly simplistic. Pretty sure Ubuntu comes with ufw these days, but since I don't use Ubuntu and I only had to install it on a few machines I did see something about it in the settings.

  • Came default with Linux Mint qiana, which I think has Ubuntu 14 stuff. But Fuck all if I know about Linux flavors. I just used your os mention.


    Oh, ok, didn't know they added it to Mint, still behind on the update, lazy and no free time pretty much.

  • I used the cinnamon desktop install for 64 bit, then changed the grub loader to text from splash.

  • The biggest issue I have with iptables is the constant fear of locking myself out (born out of experience, unfortunately). Lately, I've started setting up dead man switch-like scripts that just clear out the settings if I don't disable them in X minutes. I don't ever again want to go to my boss / people I'm working with, with hat in my hands and be like "Err... I sort of... locked myself out again..."

    I could care less about the web GUI, but if this thing gives me an easy way of setting up dead man switches or something similar, that would be worth investigating.

  • This ufw does look pretty reasonable. Especially if I can abuse the app profiles.

  • Yeah, I used to have issues with that type of thing as well when I first started in IT proper (I was one of two IT guys at a small business, and pretty much had to do all types of hardware/software work ranging from running cables in a new office to designing a php application for the business to use), but I have pretty much always had direct access to the machine (and still do with this one) so worst case isn't that bad.

    That said, on ufw you just do

    ufw allow from to any port 22

    and now you've guarenteed your local ip (or whatever range you're wanting) is immune from locking yourself out. Any rules applied after (such as ufw deny default) can't override that one because it's more specific.

    Now, if you explicitly called out your ip and blocked port 22, then you'd probably have a problem...

    from what I can tell, ufw is a wrapper over iptables so that you have a significantly reduced risk of locking yourself out. I haven't managed to do it yet, and that's pretty impressive. Though I will admit a bit of trepidation when i did the allow/deny shit above.

    The way I approach firewalls is: Whitelist how you're going to connect, from the range you're going to connect, then blanket deny everything and selectively add items back. That way the risk of you locking yourself out is negligible.

  • Good advice. I'm not too worried about locking myself out. I can use Vagrant to spin up virtual machines until I get it right. And then deploy to the cloud.

  • Most of our stuff are remote dedicated servers or VMs. Since it's not up to me what we use, most of the fancy schemes with Vagrant or whatever are out. We are doing all these settings (including interface/IP configs) through SSH from a whitelisted IPs. Get anything wrong and it's support ticket time (minimum half day wasted).

  • cron job for every 10 minute to disable the firewall until you're done? What could possibly go wrongtm?

  • Right this minute, I'm sure there are a few completely unsecured servers where I was tinkering with firewall and just forgot to bring it back. #yolo?

Log in to reply

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.