The sys admin's daily grind: UFW

Lack of Defense

Article from Issue 171/2015
Author(s):

Things were better back then. No way! Charly takes a look back at the bad old firewall days and explains why things are better today – assuming you have the right tools.

Watch out, Granddaddy Charly is about to tell his old war stories again: We had nothing back then. If you were in firewall support, that meant working on the front, in your underwear, at temperatures of minus 20 degrees. And, we used to have to build firewall rulesets using BSD's built-in IPFW tool, which didn't even have stateful packet inspection at the time. People kept locking themselves out of the command center or shooting themselves in the foot.

IPWF led to ipchains, which was a blessing; it was followed in kernel 2.4 by iptables, on which most of today's Linux firewalls are based – although the designated successor, nftables, went missing in action some time ago.

However, you can't teach the troops iptables in five minutes – not even the basic routines, such as allow all outgoing, block all incoming, except for connections on ports 22, 80, and 443. Uncomplicated Firewall [1], UFW is actually a much better choice for building just-so firewalls.

[...]

Use Express-Checkout link below to read the full article (PDF).

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
Print Issues
Digital Issues
 
SUBSCRIPTIONS
Print Subs
Digisubs
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Charly's Column: Mosh

    Dangling your legs in the sea while enjoying the Mediterranean sunshine can affect the prospect of a good Internet connection; fortunately, Charly knows what to do.

    more »
  • Charly's Column – TLS Interposer

    Many of the recent Linux exploits are the result of vulnerabilities in SSL libraries. TLS Interposer can help calm the waves.

    more »
  • Charly's Column: Prosody

    Columnist Charly Kühnast has been looking into the options of running an instant messaging back end. He chose a particularly lean and easily extendable version.

    more »
  • Charly's Column: Trickle

    If your data traffic suffers from congestion at times, don't worry. Now you can shoot down programs that are heavy on traffic to free up the inflow and outflow.

    more »
  • Charly's Column – Keepalived

    Columnist Charly likes to keep system-critical daemons on two or more servers. If one of the servers fails, the idea is that the service can be started on the other and will be available at the same IP address – a scenario that works with or without the Pacemaker heartbeat.

    more »
comments powered by Disqus