Hello fellow Linux enthusiasts!

As many of you know, Linux can be a powerful and flexible operating system, but it can also be daunting for new users, especially when it comes to securing their systems. With the abundance of information available online, it’s easy to get overwhelmed and confused about the best practices for firewall configuration and basic security.

That’s why I reaching out to the Linux community for help. I am looking users who are willing to share their expertise and write a comprehensive guide to Linux firewall and security.

The goal of this guide is to provide a centralized resource that covers the following topics:

Introduction to Linux firewalls (e.g., firewalld, ufw, etc.)
Understanding basic security principles (e.g., ports, protocols, network traffic)
Configuring firewalls for various scenarios (e.g., home networks, servers, VPNs)
Best practices for securing Linux systems (e.g., password management, package updates, file permissions)
Troubleshooting common issues and errors
Advanced topics (e.g., network segmentation, SELinux, AppArmor)

I am looking for a well-structured and easy-to-follow guide that will help new users understand the fundamentals of Linux firewall and security, while also providing advanced users with a comprehensive resource for reference.

If you’re interested in contributing to this project, please reply to this post with your experience and expertise in Linux firewall and security. We’ll be happy to discuss the details and work together to create a high-quality guide that benefits the Linux community.

Thank you for your time and consideration, and im looking forward to hearing from you!

  • Stillhart@lemm.ee
    link
    fedilink
    arrow-up
    6
    ·
    1 year ago

    I tried using a guide online one time to build a linux router/firewall onto a passively-cooled mini-computer that I could leave on a shelf with no I/O connected… basically a replacement for the garbo off-the-shelf wifi routers that die every year. It worked…mostly. The problem is that the random little things that didn’t work right just were insurmountable for a linux noob who was just trying to follow a guide.

    I hate that spending money on the best ones you can buy STILL die after a year or two. And now they all require you to login so even more people can inspect all my network traffic.

    I’d love to see a guide that’s kept up to date for building a simple router/firewall, with sections like you have above for more information so people can unlock ports for unusual stuff or whatever. I mean, in a perfect world, you install a LTS OS and set it up and forget about it for a few years. Mine was like that except it required manual intervention every time it rebooted. If that wasn’t the case, it would have been perfect and I would be recommeding it to everyone.

    • LordKitsuna@lemmy.world
      link
      fedilink
      arrow-up
      4
      ·
      1 year ago

      Instead of building one from scratch why not simply use one of the already made router operating systems? I would personally recommend opnsense, it has a nice easy to use web UI and can be setup in like maybe 20min.

      as for hardware you can use just about anything but i highly recommend these cute little dedicated router boxes. It is passively cooled, plenty powerful to handle wireguard VPN at gigabit speeds and should easily last you many many years without an issue.

      • Stillhart@lemm.ee
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        That’s the kind of box I’ve been using. Just been running linux on it. It’s been a few years, I’ll look into opnsense, thx.

      • Stillhart@lemm.ee
        link
        fedilink
        arrow-up
        4
        ·
        1 year ago

        My issue is that the cheapo consumer hardware sucks. Using good software on bad hardware doesn’t solve the issue. Unless I can use it on a normal computer… last I looked into it, I don’t think you could.

        • Pantherina@feddit.de
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          I really want to. My flatmates dont care at all, but afaik our router is supported. Could you share any experiences, how is the installation on such a “not meant to use third party software” device, are updates automatic? Do you install packages? How is the WebUI, how long would it take to just have it working?

          • jollyrogue@lemmy.ml
            link
            fedilink
            arrow-up
            2
            ·
            edit-2
            1 year ago

            Installation of OpenWRT from stock depends on the device. Some devices are more involved than others.

            Updates are not automatic, and they require planning with some down time. The process is backup settings, update wiping out settings, reapply settings by uploading backup.

            I do not install packages. That leads even more horribly complicated updates. I don’t recommend using anything that isn’t in the stock image.

            LuCI is serviceable. It’s not pretty, or the most intuitive, but it works.

            OPNsense is better if you have the x86 hardware around to run it.

            • Pantherina@feddit.de
              link
              fedilink
              arrow-up
              1
              ·
              1 year ago

              Thanks! So its a bit like Docker images, why doesnt it save settings? This sounds pretty horrible, shouldnt network hardware always be updated automatically?

              • jollyrogue@lemmy.ml
                link
                fedilink
                arrow-up
                1
                ·
                1 year ago

                OpenWRT saves settings. It’s what’s in the backup, and that’s what allows the router to return to operation after a power cycle.

                Things get can sideways when settings are persisted across updates. There is an option to persist settings, but there are fewer headaches when settings are wiped and restored from backup.

                This gets even worse when packages are in play. Packages aren’t reinstalled when the backup is restored, so any packages need to be tracked then reinstalled after an update.

                You’re opting to self-manage the router by installing OpenWRT. You are the QA department, and it’s up to you to make sure everything works and any manual changes are made.

                In a production setting, no not at all. Updates need to be QA’d before being released, especially network equipment updates, to prevent outages.

                The Turris Omnia is OpenWRT based and does auto updates, but the Turris is also $300-$400 dollars.

            • Possibly linux@lemmy.zip
              link
              fedilink
              English
              arrow-up
              2
              arrow-down
              2
              ·
              1 year ago

              I’m serious. You can pick up a WiFi 6 router with gigabit networking that will work just fine.

              • The Doctor@beehaw.org
                link
                fedilink
                English
                arrow-up
                1
                ·
                1 year ago

                Seriously. I have a couple of Linksys EA8300’s running OpenWRT in my house, and I did not expect the performance jump over my old ones. For not a lot of money I pretty much tripled the speed of the house wireless network.

    • Pantherina@feddit.de
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      1 year ago

      Can you explain to me what a router does? Is is just a PC tunnelling inbound and outbound connections? What makes it the master of the network?

      Btw in Germany we have FritzBox which doesnt suck, but seems they sell their company

      • Stillhart@lemm.ee
        link
        fedilink
        arrow-up
        3
        ·
        1 year ago

        You got a lot of good answers to this. I’ll add mine:

        A router is a device that bridges multiple physical networks (it will have at least two network interfaces) and directs traffic between them. It inspects every packet of data and decides which port to send it to.

        In a typical home here in the US, one network is your ISP (connected to your cable modem, for example) and the other is your home computers, consoles and devices via wifi or direct connection (like a NAS drive, for example).

        Generally you want a firewall to go along with your router. Instead of blindly passing all data to the correct network, it will decide whether it is allowed to pass or not based on a configured ruleset. Most consumer home wifi routers have a simple firewall built-in.

        They also have other features like “load balancing” to prioritize certain data that is more sensitive to interruptions in the data flow (like gaming) over data that isn’t (like video or audio), or “DHCP servers” to hand out IP addressed to devices on the network, or “VPN tunneling” to encrypt data, etc.

        A linux-based computer is more than capable of performing all these tasks. If well-configured, it can do it much better than a consumer device, with better hardware and more reliability for less money over time (when taking reliability into account).

        • Pantherina@feddit.de
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          Thanks!

          I had another problem, I wanted to set a not sucking DNS server on our router, but nobody had internet anymore unless they would set the same server on their devices. Why is that?

          I simply wanted to avoid our ISP spying on us by using some shit DNS server they control or get paid by

          • Stillhart@lemm.ee
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            The best way to avoid your ISP spying is to use a VPN. It encrypts all the data before your ISP ever sees the data so they can’t spy on you. I use Private Internet Access but I recommend doing some research and finding one that’s good in your country.

            I’m not sure why you had an issue with just changing your DNS. Did you change it in the DHCP settings or somewhere else?

            Regardless, just to be clear, changing your DNS won’t prevent your ISP from spying on you. Many of the big DNS providers like Google will absolutely spy on you through your DNS calls so I do think it’s a good idea to use a better DNS. I personally use AdGuard DNS, which has a built in ad blocker that works really well.

            • Pantherina@feddit.de
              link
              fedilink
              arrow-up
              1
              ·
              1 year ago

              I wanted to use the changed DNS for adblocking (good for the environment too haha) and also of course not use Google but a good one, best not in my own country.

              This would be pretty good for privacy I think, especially if it would use DNSCrypt where your ISP would just see the DNSses IP, right?

              But this would probably need to be set up on all the clients, and my roomies have apple devices, LOL

          • The Doctor@beehaw.org
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            Do they use DHCP for their network addressing information? They should get the router’s IP as the default recursive DNS resolver…

      • Possibly linux@lemmy.zip
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        A router routes traffic. It usually has dhcp and a firewall.

        However, most devices for consumers are a router, switch and a wireless access point. What this means is that they have a router but also Ethernet plugs in the back and a WiFi antenna

      • Captain Aggravated@sh.itjust.works
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        There is a thing called the OSI model, which is a useful tool for understanding what different components of a computer network do. I suggest looking up that term if you want to learn more about how networks work.

        You might be familiar with the idea of IP addresses and MAC addresses. An IP address is routable, as in you can look at an IP address and tell where on the network (and broadly speaking, in the world) it is. A MAC address is assigned to the network adapter during its manufacture, it’s kind of like the machine’s name.

        When you get out a sheet of parchment, a well of squid ink and a quill pen and write an old fashioned letter to an acquaintance (ask your parents, they probably used to actually do this), you write both the recipients street address and their name on the envelope. The postal service uses the street address to move the letter to the correct building, and then there’s probably someone in your household who gets the mail out of the mailbox and then says “Jim, this letter is for you.”

        Think of a router as a post office; routers send each other data packets based on the recipient IP address. A switch works via MAC addresses and is more like your dad saying “Jim you got a letter.” A hub, which is a technology we don’t use anymore, would be more like your dad reading everyone’s mail out loud for everyone to hear, and everyone else is just supposed to ignore what’s not for them.

        Now, let’s talk about a more informal definition of the word “router”: The box with a bunch of wires and probably a couple antennas on it that your Wi-Fi probably comes out of. We call that little box a “router,” and that’s one of the many jobs it does. You can think of networking components as little building blocks, and your home router has many building blocks in it. It’s a little computer with some networking hardware attached, and it likely functions as a router, an Ethernet switch, a wireless access point or two, probably your DHCP server (assigns IP addresses to devices on the network automatically), it probably serves as a firewall, mine can be a print server or a file server.

        • Pantherina@feddit.de
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          Thanks a lot! So a switch uses Mac adresses and not the DHCP IPs?

          In our basement we had two switches. A long ethernet cable goes from the router there, into one switch, and from that one many cables into another switch, and from that one all the cables go seperately to the rooms. Both switches are supplied with electricity.

          Now for some reason ethernet doesnt work anymore, even though I used the correct cables and removed the rest as nobody uses ethernet anymore, just two cables, repeater and my cloud server.

          I just used one switch, as I had no idea what you would need two switches for? Before there were 8 cables or so, now only 2

          • Captain Aggravated@sh.itjust.works
            link
            fedilink
            arrow-up
            2
            ·
            1 year ago

            “From that one many cables into another switch” as in, you used more than one cable to plug one switch into another? Yeah that won’t work. Ethernet doesn’t like that kind of thing.

            It is valid to connect one switch to another if you need more ethernet ports, but you would connect them with one cable. The best way to do it if possible would be to connect each switch to a port on the router,

            • Pantherina@feddit.de
              link
              fedilink
              arrow-up
              1
              ·
              edit-2
              1 year ago

              Hmm no sorry.

              One ethernet cable going down from the router

              Two switches, both plugged into power supplies

              The ethernet cable goes into the first switch and out go 8 seperate ones. But these dont directly go to the rooms, but to the second switch first, one in one out each and into the rooms.

              Yes what you described makes sense. I just removed a switch but now nothing is working which is weird. Will have to test plugging in at each step to see where the failure point is

                • Pantherina@feddit.de
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  1 year ago

                  Understandable, here you go.

                  I dont get the purpose of switch 2, both are plugged into electricity so seem to be active.

                  • Captain Aggravated@sh.itjust.works
                    link
                    fedilink
                    arrow-up
                    1
                    ·
                    1 year ago

                    Huh. Yeah that’s some bizarre network architecture right there. It shouldn’t be necessary to connect two boxes with multiple wires like that, and in fact it shouldn’t work at all. You’re saying it doesn’t work if you remove one of the switches? There’s something odd going on there, like these are probably managed switches with some odd configuration happening. If you figure out exactly what it is, let me know, because I think it’d be an interesting learning opportunity.