BRRABill's Field Report With Linux
-
@BRRABill said in BRRABill's Field Report With Linux:
@travisdh1 said
Wait... Ubuntu.... and more crazy Ubuntu type things. I don't think they enable the firewall by default. They say "Just don't run a service you don't need." instead, don't they?
Well, that's part of m question as well.
From a little reading, it appears there is no firewall by default, because no ports are open.
But then all you have to do is add ports into iptables, and that enables it?
This is why I am confused.
Nope. You want a web server on port 80, just install apache2. Done.
-
@BRRABill said in BRRABill's Field Report With Linux:
@travisdh1 said
Wait... Ubuntu.... and more crazy Ubuntu type things. I don't think they enable the firewall by default. They say "Just don't run a service you don't need." instead, don't they?
Well, that's part of m question as well.
From a little reading, it appears there is no firewall by default, because no ports are open.
But then all you have to do is add ports into iptables, and that enables it?
This is why I am confused.
No adding ports to iptables doesn't not enable it - you'd have to start the service that enables it, and then open the required ports (I suppose you could do it either one first, but if you don't enable the service, then there is no firewall running)
-
@Dashrender said i
No adding ports to iptables doesn't not enable it - you'd have to start the service that enables it, and then open the required ports (I suppose you could do it either one first, but if you don't enable the service, then there is no firewall running)
Are you sure about that?
iptables is just the interface to the firewall, which I think is always running.
Now, by default, it is allowing everything.
I set up another fresh droplet for testing, and this is what iptables -L gives me
Chain INPUT (policy ACCEPT) Chain FORWARD (policy ACCEPT) Chain OUTPUT (policy ACCEPT)
-
yep, I'm sure IF the following is correct and the firewall is not enabled by default as mentioned below.
@travisdh1 said in BRRABill's Field Report With Linux:
Wait... Ubuntu.... and more crazy Ubuntu type things. I don't think they enable the firewall by default. They say "Just don't run a service you don't need." instead, don't they?
-
@Dashrender said in BRRABill's Field Report With Linux:
yep, I'm sure IF the following is correct and the firewall is not enabled by default as mentioned below.
@travisdh1 said in BRRABill's Field Report With Linux:
Wait... Ubuntu.... and more crazy Ubuntu type things. I don't think they enable the firewall by default. They say "Just don't run a service you don't need." instead, don't they?
I think maybe what @travisdh1 meant was that it is enabled, but be default allows everything.
Hence, it seeming like it's not actually firewalling anything.
@travisdh1 ???
And where are all the Ubuntu experts here on ML???
-
So, in this fresh install, I tried adding a rule in ufw, and it added all sorts of stuff to iptables.
So maybe it works the one way, but not the other?
-
@BRRABill said in BRRABill's Field Report With Linux:
So, in this fresh install, I tried adding a rule in ufw, and it added all sorts of stuff to iptables.
So maybe it works the one way, but not the other?
that's completely possible. Unifi stuff is that way
you can update the device with a json file, but it won't update the GUI. -
@Dashrender said in BRRABill's Field Report With Linux:
@BRRABill said in BRRABill's Field Report With Linux:
So, in this fresh install, I tried adding a rule in ufw, and it added all sorts of stuff to iptables.
So maybe it works the one way, but not the other?
that's completely possible. Unifi stuff is that way
you can update the device with a json file, but it won't update the GUI.Actually the Unifi installer made NO changes to iptables.
-
I mean that adding in one rule in ufw (allwing SSH) added all this to the output of iptables -L
Chain INPUT (policy DROP) target prot opt source destination ufw-before-logging-input all -- anywhere anywhere ufw-before-input all -- anywhere anywhere ufw-after-input all -- anywhere anywhere ufw-after-logging-input all -- anywhere anywhere ufw-reject-input all -- anywhere anywhere ufw-track-input all -- anywhere anywhere Chain FORWARD (policy DROP) target prot opt source destination ufw-before-logging-forward all -- anywhere anywhere ufw-before-forward all -- anywhere anywhere ufw-after-forward all -- anywhere anywhere ufw-after-logging-forward all -- anywhere anywhere ufw-reject-forward all -- anywhere anywhere ufw-track-forward all -- anywhere anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination ufw-before-logging-output all -- anywhere anywhere ufw-before-output all -- anywhere anywhere ufw-after-output all -- anywhere anywhere ufw-after-logging-output all -- anywhere anywhere ufw-reject-output all -- anywhere anywhere ufw-track-output all -- anywhere anywhere Chain ufw-after-forward (1 references) target prot opt source destination Chain ufw-after-input (1 references) target prot opt source destination ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
-
@BRRABill said in BRRABill's Field Report With Linux:
@Dashrender said in BRRABill's Field Report With Linux:
@BRRABill said in BRRABill's Field Report With Linux:
So, in this fresh install, I tried adding a rule in ufw, and it added all sorts of stuff to iptables.
So maybe it works the one way, but not the other?
that's completely possible. Unifi stuff is that way
you can update the device with a json file, but it won't update the GUI.Actually the Unifi installer made NO changes to iptables.
considering the instructions you found that had you manually make iptables changes, I'm not surprised - not that the script couldn't include that, they don't so they remain simple to be used on any linux distro or nearly any.
-
@BRRABill said in BRRABill's Field Report With Linux:
@Dashrender said i
No adding ports to iptables doesn't not enable it - you'd have to start the service that enables it, and then open the required ports (I suppose you could do it either one first, but if you don't enable the service, then there is no firewall running)
Are you sure about that?
iptables is just the interface to the firewall, which I think is always running.
Now, by default, it is allowing everything.
I set up another fresh droplet for testing, and this is what iptables -L gives me
Chain INPUT (policy ACCEPT) Chain FORWARD (policy ACCEPT) Chain OUTPUT (policy ACCEPT)
That's the "tables is turned off" output.
-
@travisdh1 said
That's the "tables is turned off" output.
See, I think that is semantics.
tables is turned on, but accepting everything.
Because you don't have to issue any commands, simple add something to iptables
-
@BRRABill said in BRRABill's Field Report With Linux:
@Dashrender said in BRRABill's Field Report With Linux:
yep, I'm sure IF the following is correct and the firewall is not enabled by default as mentioned below.
@travisdh1 said in BRRABill's Field Report With Linux:
Wait... Ubuntu.... and more crazy Ubuntu type things. I don't think they enable the firewall by default. They say "Just don't run a service you don't need." instead, don't they?
I think maybe what @travisdh1 meant was that it is enabled, but be default allows everything.
Hence, it seeming like it's not actually firewalling anything.
@travisdh1 ???
And where are all the Ubuntu experts here on ML???
Ubuntu does things so odd compared to the rest of the ecosystem (ufw), that many of us only touch it if when we have no other choice.
-
@BRRABill said in BRRABill's Field Report With Linux:
@travisdh1 said
That's the "tables is turned off" output.
See, I think that is semantics.
I is! I was so confused when I first ran into this.
-
@travisdh1 said in BRRABill's Field Report With Linux:
@BRRABill said in BRRABill's Field Report With Linux:
@Dashrender said in BRRABill's Field Report With Linux:
yep, I'm sure IF the following is correct and the firewall is not enabled by default as mentioned below.
@travisdh1 said in BRRABill's Field Report With Linux:
Wait... Ubuntu.... and more crazy Ubuntu type things. I don't think they enable the firewall by default. They say "Just don't run a service you don't need." instead, don't they?
I think maybe what @travisdh1 meant was that it is enabled, but be default allows everything.
Hence, it seeming like it's not actually firewalling anything.
@travisdh1 ???
And where are all the Ubuntu experts here on ML???
Ubuntu does things so odd compared to the rest of the ecosystem (ufw), that many of us only touch it if when we have no other choice.
It seems to be a very common choice for many things, though. Even here at ML (such as XO).
-
@BRRABill said in BRRABill's Field Report With Linux:
@travisdh1 said in BRRABill's Field Report With Linux:
@BRRABill said in BRRABill's Field Report With Linux:
@Dashrender said in BRRABill's Field Report With Linux:
yep, I'm sure IF the following is correct and the firewall is not enabled by default as mentioned below.
@travisdh1 said in BRRABill's Field Report With Linux:
Wait... Ubuntu.... and more crazy Ubuntu type things. I don't think they enable the firewall by default. They say "Just don't run a service you don't need." instead, don't they?
I think maybe what @travisdh1 meant was that it is enabled, but be default allows everything.
Hence, it seeming like it's not actually firewalling anything.
@travisdh1 ???
And where are all the Ubuntu experts here on ML???
Ubuntu does things so odd compared to the rest of the ecosystem (ufw), that many of us only touch it if when we have no other choice.
It seems to be a very common choice for many things, though. Even here at ML (such as XO).
Yes, because it's what the devs use instead of a sane environment (Debian, CentOS). Running things on a different distribution when the devs don't know what's broken is a pain, and huge time sink.
-
Another interesting tidbit...
I couldn't get it to stick on reboots with my other install, but it now seems to be sticking.
Uh, Linux. Er, Ubuntu.
-
Today's Question...
When setting up a static IP, do you need the "network" and "broadcast" entries?
auto eth0
iface eth0 inet static
address 192.168.1.100
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
dns-nameservers 192.168.1.1 -
@BRRABill said in BRRABill's Field Report With Linux:
Today's Question...
When setting up a static IP, do you need the "network" and "broadcast" entries?
auto eth0
iface eth0 inet static
address 192.168.1.100
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
dns-nameservers 192.168.1.1I have never had any issues not putting them in... But make sure you understand what they are at a bare minimum... Bonus points if you know how to calculate them.
-
@BRRABill said in BRRABill's Field Report With Linux:
Today's Question...
When setting up a static IP, do you need the "network" and "broadcast" entries?
auto eth0
iface eth0 inet static
address 192.168.1.100
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
dns-nameservers 192.168.1.1Don't need. It is just good practice.