Firewalls

Does Sup Forums run a firewall? Which one?

I DMZ everything to a win2k box like a real man.

Your router is a firewall more or less. Windows and loonix have a firewall built in by default. If you want more detailed network info on a per-app basis, install GlassWire.

>he runs pirated software without using a firewall to block it from phoning home

no I don't use a firewall, what are you, a pussy?
I bet you wear condoms too

this. I don't even know if I should add any special rules. no idea whether it actually protects me from anything.

on a Mac, there's Little Snitch. It's by far the best firewall I've used because it blocks applications themselves.

pfSense
pfBlockerNG is nice for blocking ads and domains

heh even after censoring out all that bullshit you still missed one of the most important pieces of info. thanks, nothin personal kid

fugg, go easy on me

I would delete that if I were you. Just nmapped your network and it looks like you're vulnerable to at least a couple of privesc vulns and an SMB exploit.

bring it

I just felt morally obligated to tell you, I'm not gonna fuck your shit up. But any kid with Kali or EternalBlue on here could do some major damage.

>pfSense
what machine do you run it on?

those IPs on the right?

commenting to see op get hax0red

kek, I'll just have to take my chances ;^)

OpenBSD pf best firewall

Fortinet FortiGate

iptables on debian netinstall

works. very lightweight.

I run Pfsense as well, but I'm not dumb enough to post a screenshot of it

pf on FreeBSD

come at me bro

This

>Run an exploit
>It was a honeypot
>Get countered

Anyone implying that BSD based firewalls are good doesn't know what they're talking about.
Enjoy your extremely subpar QoS. Nothing touches fq_codel and cake on Linux, and yes, the FreeBSD dummynet code since 11-RELEASE does implement fq_codel, but it's not nearly as efficient as it is on Linux.

Best solution: use your distro of choice with nftables, the iptables replacement.
Preferably use one with good SELinux coverage like Fedora/CentOS (or even Debian; recent work on upstream refpolicy has come a long way).
Hardened kernels are useless now that grsec is dead. A hardened libc might be useful, but not as useful as SELinux.

But why. Unless you're a high value target, it's kind of overkill.

Bro I don't think you understand what you've just given everyone here.. Lock down mode ASAP.

Forced anal sex incoming.

my body is ready
give me your best

Just because I enjoy ruining fun, there's no worthwhile waldo to find in this image. He posted the ipv6 address assigned to his lan interface. No big deal whatsoever.

>smb exploit
How, why, what?

1. He's bullshitting you.
2. He's referencing this recent CVE.
samba.org/samba/security/CVE-2017-7494.html

REEEEEEEEEEE

No, because it's not 2003.

???

It's global, my dude, likely routable.

Not OP here, but I would kek a bit too hard to be healthy if OP did leave smb open to the world.

>Attack OP's network
>Actually a honeypot set up by the FBI to catch kiddies
>They get your location
>Vans inbound
OH SHI-

I would really like to see what you can do with that ipv6

saved

I am just an old man on a Vietnamese yak shaving forum. But watch out for those meddling kids.

k

Nothing, it's a LAN IP.

yeah, I got an i7-7700k and now all four walls of my room are firewalls

...

Don't have any firewalls on my PC or router, nor antivirus programs.
Common Sense 2018 Edition is best.

Well not exactly nothing. You can tell that he's a Comcast user in Minnesota. No big deal, doesn't really identify him.

But it does bring up the point that everyone in here seems to miss. Yes, you do need a firewall in the IPv6 world. The only thing preventing any machine behind his router with an IPv6 address from being directly connected to is his firewall, and that includes his LAN interface.

But no, unless he has seriously misconfigured pfsense, that address being leaked doesn't make him eligible for being pwn'd. It's just a little identifying.

That CVE affected a lot more than just Samba, dude. Like Windows 7, for example. That's pretty big.

Windows' SMB is not Samba.

iptables on my Arch Linux system

...

In Windows I have restricted the ports for file sharing, Samba and the like because of WannaCry; in Linux I have nothing blocked. At work we put in a firewall blocking everything except some stuff like browsing and some other ports for servers and clients, but I don't think it works very well, because a virtual machine with Debian got infected, and today I was checking something on a PC and found some Bitcoin-mining malware, LOL. I don't know if that was the user's fault for downloading shit or if we got fucked through our public IP, like when you have a PC running a program listening for something, using DMZ, and you sometimes start getting traffic from Chinese IPs.

...

>Glasswire
>Glasswire
>Glasswire

tinywall :^^^)

>japanese bird cooking spaghetti
its been a long time, this is the only bot i missed since captcha got turned on

My router.

MS firewall with custom rules.
Others have the same but they also have some HIPS, stuff included in a av

>Outgoing :allow
>not making rules for each program
wew lad

I block system and the internet still works on what I need.

Yes. I use ufw.

You are literally using the firewall that comes included with Linux Mint. Good to know that your overpriced OS uses freeware, huh?

Tfw I actually do this and have always done this, even though I have no actual idea if it helps or not.

>>not making rules for each program
can you even do this in ufw?

Yeah

How?

You shove a huge black dildo up yo ass.
hit

yeah no, tell us how if you're not a troll

test

Have you ever seen something so strange as a damn Japanese bird cooking spaghetti?

Check Point + Sophos UTM on a layer 2 hypervisor

MODS

ESET.

I figured out how to do it a few minutes ago. I'm using Deluge, so I will use that as an example. Open up Deluge and go to Preferences, then click on Network. Pick a specific port for outgoing, and then block that specific port through ufw. Can't seed, but it can't phone home, either.

interesting idea but won't really work if the destination changes

test

what about iptable??????what can be better than that?

that's not a firewall

not wasting your fucking time

MOOOOOOOOOOOOOODS

thank you for your opinion sir
sadly I don't care enough to remodel my firewall setup because some user online is a GNU fanboy rather than a BSD fanboy

you can do it on a per-user basis in iptables

What if you only want to allow 80/tcp for firefox? Can you do anything like that in >muh Linux?

How retarded are you exactly?

this is all you need

# Run the app as a dedicated user ("test" here) and match on its UID.
# -m owner only works in the OUTPUT chain; rules are evaluated top to bottom,
# so the ACCEPTs for that user must come before its catch-all DROP.
iptables -A OUTPUT -m owner --uid-owner test -p udp --dport 53 -j ACCEPT   # DNS
iptables -A OUTPUT -m owner --uid-owner test -p tcp --dport 80 -j ACCEPT   # HTTP
iptables -A OUTPUT -m owner --uid-owner test -j DROP                        # everything else from that user

something like this ought to work

downvoted. This board doesn't allow bullies here.

what you gonna do about it?
nigger

Always suspected her name was Arabic.

nigga u going down

There's no need to use the N word man.
You might hurt the feelings of coloured people.

the expression on the face in OP is priceless as he's looking at that parrot.

its penne u autistic fuqboi

>You are literally using the firewall that comes included with Linux Mint. Good to know that your overpriced OS uses freeware, huh?
he's using Linux and not macOS you stupid retard. macOS comes with a different FW and Gufw doesn't even run on macOS.

I have a PA200

But he is right, BSD fanboy.

>Reading comprehension

No one said shit about QoS.

WatchGuard T25

Works fine

I'm not a gnu fanboy by any stretch of the imagination. BSDs just don't have the ability to compete on QoS currently, Linux gets a lot more attention from researchers. See pic related.
If you're on a non-gigabit home line with very asymmetrical upload/download speeds, you will run into bufferbloat, plain and simple. Proper QoS will make a substantial difference in how fast your internet feels, especially if you have roommates.
Have you ever been in a Skype call or online game and noticed extreme latency spikes when your roommate starts watching Netflix? There legitimately is something you can do about it, just use fq_codel or cake. There's no knobs to fiddle with, just turn it on and it learns. Your pings stay low and throughput isn't affected.
Honestly the work that has been done by the bufferbloat researchers is nothing short of mind-blowing.

wtf fag, do you know how expensive those are?

That's a fair point, you're right.
but what everyone is really talking about here is a home router and firewall. It's called subtext.

I just want to take a second and shill again for nftables. It's basically like pf syntax for Linux; it's the successor to iptables, developed by the same netfilter team of developers. It outperforms iptables, has new features that iptables can't do, you don't have to use the whole clunky iptables-save nonsense. Seriously worth checking out if you're setting up a new machine.
In the next few years it will likely become the norm, so if you don't really know either of them in depth, it's a good idea to just learn nftables now and skip iptables altogether. If you work in system administration/devops it's an especially good thing to learn.
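Editor's note: the post above recommends nftables but shows no rules, so here is a complete host ruleset as an added example. It is not from the thread or from the netfilter project. It ties together three points made earlier in the thread: the `inet` family filters IPv4 and IPv6 in one table, so a machine with a global IPv6 address is not left open behind a router that only NATs v4; inbound ports such as SMB/445 are dropped by policy rather than by hand-written rules; and the per-application egress question ("only 80/tcp for Firefox") is answered the same way the iptables owner-match snippet does it, by running the browser as a dedicated user and matching on its UID. Assumptions: a local user named `browser` exists before the ruleset is loaded (nft resolves the name at load time), and the box is a desktop, not a router (the forward chain drops everything).

```nftables
#!/usr/sbin/nft -f
# Added example ruleset: stateful dual-stack host firewall with per-user egress.
# Assumed: the web browser runs as the dedicated local user "browser".

flush ruleset

table inet filter {
    # One table for IPv4 and IPv6 so the v6 side is never left unfiltered.
    chain input {
        type filter hook input priority filter; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # IPv6 breaks without these: neighbor discovery, router advertisements,
        # and path-MTU discovery all ride on ICMPv6. Do not drop all of it.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept
        icmp type { destination-unreachable, time-exceeded, parameter-problem,
                    echo-request } accept

        # DHCPv6 replies come to UDP 546 from the link-local router and are not
        # matched by conntrack, because the client's request went to a multicast address.
        udp dport 546 ip6 saddr fe80::/10 accept

        # Log a sample of what falls through; the chain policy then drops it.
        # That includes SMB/445 and any other service listening on the host.
        limit rate 5/second log prefix "nft-input-drop "
    }

    chain forward {
        # A desktop does not route; a pfSense box would put its LAN/WAN rules here.
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;

        oif lo accept
        ct state established,related accept

        # Per-application egress: the "browser" user gets DNS and HTTP(S) only.
        # meta skuid is the socket owner's UID and, like iptables -m owner,
        # is only meaningful in the output chain.
        meta skuid "browser" udp dport 53 accept
        meta skuid "browser" tcp dport 53 accept
        meta skuid "browser" tcp dport { 80, 443 } accept
        meta skuid "browser" counter log prefix "browser-egress-drop " drop
    }
}
```

Check the file with `nft -c -f host.nft` (parse and validate without loading), then load it with `nft -f host.nft`; `nft list ruleset` shows the live rules, including the counters on the browser-drop rule so you can see what the application tried to reach. Note the difference from the ufw port trick a few posts up: filtering on the owning UID follows the process wherever it connects, so a destination change does not defeat it.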

Firewall on router
+
on server: iptables
+
on desktop: ESET internet security

Used to use Kaspersky and still "prefer" them over ESET, but their ties to the Russian government are disturbing.

>implying it doesn't count
Another reason not to use memeBSD