#shorewall

albi always there
The end of #IPTables is in sight, partly already within reach.
Over the past year I invested the time and jumped from my previous #UFW and the dead #Shorewall, skipping #FirewallD, straight to bare #NFTables.

- UFW uses iptables in the background, automatically translated into nftables, which is a kludge that may suit addicts of prehistoric iptables files "that nobody touches", but it ties the hands of a more progressive user quite a bit
- on top of that you have to memorize their special syntax and above all the order of the arguments, so I usually get a valid command on about the 4th attempt

- FirewallD of course also invented its own command syntax, but at the same time it litters nftables with unused chains; coming to someone else's machine and making a small tweak to the rules is almost worth a Nobel prize

- NFtables are, for me, the clearest and most reliable (the most control); on top of that they give you total control over the firewall and let you send Docker's attempts at domination packing
- moreover they are very simple and easy to understand

Marcos Dione
@JulianOliver I guess it's the same as with physics: classical mechanics works fine until you need more detail and use quantum instead.
For a deep level but still with a patina of abstraction I suggest #ShoreWall. A shame the config language won't ever evolve from text based tables, but definitely better than writing ip/nftables rules by hand, and IIRC¹ it has a try mode that rolls back in case you get kicked out.
¹ I think I used it once, but it's been a looong while since I last touched my FW.

Talkless :debian: :kde:
#FOSS #Linux #Firewall #Security #NetSec
Just finished migrating from #Shorewall (iptables) firewall configurator to #foomuuri (nftables) on my personal #Debian Sid laptop.
Took about four-five hours or so.
Ruleset is now shorter and actually easier to read. I have a paranoid setup where even outgoing AND localhost traffic is filtered...
Feels refreshing after the upgrade 👍. And it's simply just a great piece of #OpenSource software engineering:
https://github.com/FoobarOy/foomuuri

L'autre
Moved my :calculate: servers from #shorewall to #nftables. Everything has become so much simpler and more logical!

Antoine Mottier
@0xDEADBEEF thanks for mentioning #Shorewall 👍 After taking a close look it seems that it won't provide added value compared to using #nftables directly, at least for my needs. Also I didn't see any new commits (https://gitlab.com/shorewall/code/-/commits/master) for more than a year on the project, so I'm not sure if it is either super stable or no longer actively maintained?

Marcos Dione
#til
* #shorewall, the trusty #linux #firewall you can simply describe in a few config files, has a `try` command to set up the firewall for a while and tear it down again after a timeout. Very good for configuring the firewall remotely; combine with ssh and #screen. I still lick my scars from the night I did the cowboy thing, tried to set up a firewall by hand, and the first thing I did was to `DROP` all packets. I lost a good job opportunity because of that. #NeverAgain

ZERO GmbH
If you've followed our recent posts, you already know that we gave Shorewall a try to tidy up our VPN firewall rules and gain a full overview of our configuration. Our migration to Shorewall has been successful and we'd like to share some insights into our configuration:
"Keeping the Wireguard VPN firewall clear with Shorewall" - https://blog.zero-iee.com/en/posts/vpn-firewall-shorewall/
Shorewall by Tom Eastep is just perfect for small to mid-size firewall deployments that are mostly static and not too complex. One of our developers uses OpnSense and PfSense for more complex scenarios in his private projects.
Which firewall / configuration tool do you use and why?
#shorewall #firewall #wireguard #vpn #teamzero #zeroiee #blog #techblog #linux #debian

ZERO GmbH
We're currently evaluating Shorewall [1] as a firewall / iptables configuration tool.
Configuring iptables manually [2] works, but can get messy and thus is error prone. For our VPN server with its many customer VPNs, we are looking for a clearer solution that can be easily configured via configuration files. One of our developers has already used Shorewall and is impressed by the software. It was therefore a natural decision to take a look at it.
Initial experiments have gone well!
[1]: https://shorewall.org/
[2]: https://blog.zero-iee.com/posts/multi-tenant-wireguard-vpn-server/
#wireguard #shorewall #foss #server #vpn #firewall

agarbathi
Yesterday I tried out firewalld on a test server. I liked the zone model that netfilter brings along. The syntax is relatively quick and easy to learn. However, I must admit that I am a fan of Shorewall, so it was a small but informative detour.
What do you use to configure the firewall on your servers?
#server #linux #admin #firewall #firewalld #shorewall #iptables #netfilter #ufw #administration #redhat #debian #arch #suse #itsicheheit

Udo B.
I would like to lock down my "smart" #LG TV as much as possible, network-wise.
The relevant router is Linux with #iptables based #shorewall. My idea is to reject everything and #whitelist only actually used services. This approach is not trivial as CDNs like the Amazon cloud, Google, Akamai and Cloudflare are being used, different per specific service.
Any ideas or pointers for me?
#smarttv #firewall

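As an added example (not from this thread and not Shorewall project code), a small Python audit of the "reject everything and allowlist" approach over Shorewall's table-based policy and rules files, the text tables mentioned earlier in the thread: it parses the format's comments, `?` directives and backslash continuations, checks that a zone's first matching policy toward the Internet is REJECT or DROP, and flags ACCEPT rules from that zone whose destination names no specific host, which is exactly where the per-service CDN problem shows up. The zone names, the 203.0.113.10 address and both tables are constructed sample input.

```python
"""Audit Shorewall policy/rules tables: is a zone default-deny, and how wide is
its allowlist? Added example for this page, not Shorewall project code. Zone
names, the 203.0.113.10 address and both sample tables are constructed."""

POLICY_COLS = ("source", "dest", "policy", "log")
RULES_COLS = ("action", "source", "dest", "proto", "dport")

POLICY = """\
#SOURCE  DEST  POLICY  LOG      (constructed: the TV has its own zone 'tv')
lan      net   ACCEPT
tv       all   REJECT  info
net      all   DROP    info
all      all   REJECT  info
"""

RULES = """\
?SECTION NEW
#ACTION      SOURCE  DEST               PROTO  DPORT
DNS(ACCEPT)  tv      $FW
ACCEPT       tv      net:203.0.113.10   tcp    443   # one pinned CDN edge
ACCEPT       tv      net                tcp    443   # any host on 443: too broad
ACCEPT       lan     net                tcp    \\
                                        80,443
"""

def parse_table(text, columns):
    """Shorewall's whitespace-separated tables: '#' starts a comment, '?' lines
    are compiler directives, a trailing backslash joins the next line."""
    rows, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.split("#", 1)[0].strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        if not line or line.startswith("?"):
            continue
        fields = line.split()
        fields += ["-"] * (len(columns) - len(fields))  # pad missing columns
        rows.append(dict(zip(columns, fields)))
    return rows

def default_policy(policy_rows, zone, dest="net"):
    """Shorewall applies the first matching policy line, so order matters."""
    for row in policy_rows:
        if row["source"] in (zone, "all") and row["dest"] in (dest, "all"):
            return row["policy"]
    return None

def is_accept(action):
    return action == "ACCEPT" or action.endswith("(ACCEPT)")  # e.g. DNS(ACCEPT)

def audit_zone(policy_text, rules_text, zone):
    """Is `zone` default-deny toward the Internet, which ACCEPT rules open holes
    from it, and which of those name no specific host (dest 'net' or 'all')?"""
    policy = default_policy(parse_table(policy_text, POLICY_COLS), zone)
    allowed = [r for r in parse_table(rules_text, RULES_COLS)
               if r["source"] == zone and is_accept(r["action"])]
    broad = [r for r in allowed if r["dest"] in ("net", "all")]
    return {"default_deny": policy in ("DROP", "REJECT"), "allowed": allowed, "broad": broad}
```

Run `audit_zone(POLICY, RULES, "tv")` against your own `/etc/shorewall/policy` and `rules` text to see which allow rules still reach arbitrary Internet hosts.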
Michael Gurski
@greppy I prefer keeping the pi-hole off the perimeter if I can help it, personally.
I've done the #Debian thing before (and moved to #Shorewall from iptables at some point). These days, I'm using a #Synology RT2600ac as mine, having upgraded from an #openwrt flashed router.

DeaDSouL :fedora:
What #firewall frontend do you use on your #linux distro?
Please boost, for more range 📶
#iptables #nftables #ipset #firewalld #shorewall #ufw #gnulinux #network #networksecurity #distro

Stéphane Bortzmeyer
@ignorantcowboy #Shorewall, it's simpler.

Frederik
Setting up Wireguard VPN with IPv6
#Debian #firewall #IPv6 #Linux #security #Shorewall #vpn #Wireguard
https://blog.frehi.be/2022/06/11/setting-up-wireguard-vpn-with-ipv6/

Talkless :debian: :kde:
Debian's Shorewall (iptables-based firewall configurator) maintainer asks for help maintaining the package.
#foss #debian #networking #security #firewall #iptables #shorewall
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986152

Dr. Roy Schestowitz (罗伊)
"#Shorewall 5.2.3.5 is now available for download. Shorewall is a gateway/firewall configuration tool for GNU/Linux, written in Perl."
http://blogs.perl.org/users/dean/2020/01/shorewall-5235-released.html