GUFW to connect to router only

Discussion in 'all things UNIX' started by Palancar, Mar 26, 2014.

Thread Status:
Not open for further replies.
  1. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
    I have 13.10 installed (as a host OS) and it's running great. I set up a VPN connection to be able to securely update the host OS from time to time. The VPN connection works fine but I won't be using it except for those times when I want to update the host, virtualbox, etc. (about monthly). My internet activity will be pfsense VMs and linux VMs beyond the host.

    Back to the linux host: while it likely is not needed, I wanted to disconnect/lock the host except for, of course, grabbing the router, which will allow pfsense to do its thing. I was thinking about using GUFW for the task of locking down the host. My initial thoughts are setting everything to deny and then adding two rules. Do you guys think setting allow via advanced rules to LAN only would work? I would add two advanced allow rules: the normal LAN IP so the machine can find the router, and if needed the LAN2 IP (LAN2 = pfsense LAN). Would locking down to only LAN keep the host from "accidentally" ever going out on the internet? I would simply disable the host firewall while I was updating the host, and again that would be monthly or less. I want to use GUFW because it's GUI-based and simple, and others can easily replicate the process if they wanted to copy this.

    I am not concerned about pfsense or beyond for the purpose of this thread. It will be a day or so until I build the pfsense vm(s) so I can't check this out yet. Looking for thoughts on the subject.

    Would my proposal seem reasonable to you guys, or what/how would you go about this?
     
  2. jnthn

    jnthn Registered Member

    Joined:
    Sep 22, 2010
    Posts:
    185
    You can try these settings and see if it works for you.

    Deny Incoming
    Allow Outgoing
    Allow Out Both from [host IP address] to [gateway IP address]
    Deny Out Both from [host IP address]


    You may need to map a static IP address for the host.
     
  3. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
    Question:

    Granted, Linux "under the hood" is newer to me than Windows. I am thinking in Windows firewall terms as I looked over your suggestions. Why would you not leave Outgoing as Deny and simply use advanced rules to make the LAN IP the exception -- otherwise ALL deny in both directions? It would be easy to add the host IP address if needed, but would that be necessary? I am not questioning the correctness of your "flow"; it frankly lost me somehow.

    When I get home I may fire up 13.10 and set the firewall. The VPN connection should be blocked from a handshake but the machine should be able to grab the router. If it's blocked then I'll launch Firefox and see if I can connect to anything at all. The answer should be no.


    You will not insult me if you "dumb it down" because I missed something in your "flow".
     
  4. jnthn

    jnthn Registered Member

    Joined:
    Sep 22, 2010
    Posts:
    185
    Well you can do that too. Have both Incoming and Outgoing set to Deny and then add a rule to allow a connection to the router. :)
     
  5. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
    Thanks.

    btw - I didn't get a chance to try this last night. Family has a way of claiming my hobby time.
     
  6. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
    Stuck and could use a steer. Need GUFW rule advice.

    Report: when I boot Linux with GUFW on/enabled using DENY ALL in both directions (I created NO rules in the table at all) I find something interesting. It still connects and shows my network as connected in the upper right corner of the desktop. BUT - as expected I can't go anywhere at all. If I try and use my VPN connection, no dice. If I launch Firefox and enter my router's LAN in the browser, no dice. Linux must be a different creature. I was a little surprised that the system connected to my router at all but it definitely does.

    When I open a terminal and run ifconfig, it shows the same network device address as when I am on Windows: 192.168.1.5, which to me indicates that I am in fact connected but can't go anywhere.

    I don't have any "heartburn" with Linux grabbing my router in this mode but I am at a loss as to why since I had configured deny all in the firewall. If the router gets connected and the Linux host is useless for going anywhere that is fine with me.

    How do I add GUFW rule(s) allowing me to open the router admin panel from the host? When I drop the firewall I can pull it up immediately at the normal address of 192.168.1.1. That is the same as windows of course. I am confused as to whether I need any port numbers after rules (advanced options being used).

    I need to work this through so I can depend upon this host for no leaks.

    While you are considering this I also need to make sure that my pfsense VMs will be able to get out. I am pretty sure I'll handle that from the configurator but if I need any host rules please advise.

    Mostly, I want to solve the host OS issue for now. Thanks in advance.
     
  7. jnthn

    jnthn Registered Member

    Joined:
    Sep 22, 2010
    Posts:
    185
    At boot up, your host ARPs for the MAC address of the gateway. ARP is a link layer protocol, thus not within the scope of layer 3/4 firewall rules.

    If you only need to access the router via web gui, you can probably set the rule to allow only tcp out to 192.168.1.1 port 80.
     
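The lockdown jnthn describes, written out as plain ufw commands (GUFW is a front end for ufw) so it can be reviewed before it is applied; this is an added example, not code from the thread. It assumes the host is 192.168.1.5, the router is 192.168.1.1 and the admin panel listens on TCP port 80, as in the posts above.

```shell
#!/bin/sh
# Added example: ufw equivalent of "deny all both ways, allow only tcp out to the router".
# Assumed (constructed from the thread) addresses; override with environment variables.
HOST_IP="${HOST_IP:-192.168.1.5}"
GATEWAY_IP="${GATEWAY_IP:-192.168.1.1}"
ADMIN_PORT="${ADMIN_PORT:-80}"

# Emit the commands instead of running them, so the ruleset can be inspected first.
# Note: ARP is layer 2 and is never touched by these rules, which is why the desktop
# still shows the network as "connected" even though nothing at layer 3/4 gets out.
lockdown_rules() {
    printf 'ufw --force reset\n'
    printf 'ufw default deny incoming\n'
    printf 'ufw default deny outgoing\n'
    # The single exception: host -> router web GUI, TCP only. Reaching the router by
    # IP needs no DNS, so no rule for udp/53 is required (and none is opened).
    printf 'ufw allow out proto tcp from %s to %s port %s\n' \
        "$HOST_IP" "$GATEWAY_IP" "$ADMIN_PORT"
    printf 'ufw enable\n'
}

# Sanity check on the generated ruleset: exactly one "allow" line should exist,
# and it must name the gateway. Returns 0 when that holds.
check_single_exception() {
    allows=$(lockdown_rules | grep -c '^ufw allow')
    [ "$allows" -eq 1 ] || return 1
    lockdown_rules | grep -q "^ufw allow .* to $GATEWAY_IP port $ADMIN_PORT\$"
}

# Usage: sh lockdown.sh           -> print the rules for review
#        sh lockdown.sh --apply   -> run them with sudo (ufw must be installed)
if [ "$1" = "--apply" ]; then
    check_single_exception || { echo "ruleset check failed, not applying" >&2; exit 1; }
    lockdown_rules | while IFS= read -r cmd; do sudo $cmd; done
else
    lockdown_rules
fi
```

After `--apply`, `sudo ufw status verbose` should list the defaults as deny (incoming), deny (outgoing) and the one ALLOW OUT rule; a browser request to the router's IP should work while the VPN handshake and any other outbound connection should fail.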
  8. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
    Thanks that did the trick!

    Now I am trying to use a VM - pfsense ova on the host. It's having issues finding the WAN even with the firewall disabled. That's another thread, UNLESS you think I'll need to add another rule to GUFW.

    Again, at this time it's still struggling with WAN even with GUFW off, so it's not that for now.
     
  9. jnthn

    jnthn Registered Member

    Joined:
    Sep 22, 2010
    Posts:
    185
    My knowledge of pfsense is quite limited, sadly. I thought it is usually run on dedicated hardware with probably a default route to point all traffic to that machine for filtering. I have no clue as to how to run it via a VM and have it filter the host's and WAN traffic.
     
  10. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
    I am going to move forward on this. My Windows 7 box grabs pfsense great from a VM in virtualbox. Using that config it finds my wireless Intel using bridged adapter, and I also use a private internal adapter to the subsequent VMs. Works without a hitch in Windows. Same physical computer and network. Now I bring up Linux and it cannot find WAN, even with the firewall off. The raw connection is strong, fast, and perfect. Hmmm?

    I'll head off to the pfsense forums and then come back and post on my thread in the privacy forums.

    If anyone thinks of anything Linux specific I'll be checking this thread too.
     