Does /g/ run a firewall? Which one?
I DMZ everything to a win2k box like a real man.
Your router is a firewall more or less. Windows and loonix have firewall built in by default. If you want more detailed network info on per app basis install glasswire
>he runs pirated software without using a firewall to block it from phoning home
>>61240455
no I don't use a firewall, what are you, a pussy?
I bet you wear condoms too
this. I don't even know if I should add any special rules. no idea whether it actually protects me from anything.
on a Mac, there's Little Snitch. It's by far the best firewall I've used because it blocks applications themselves.
>>61240455
pfSense
pfblockerng is nice for blocking ads and domains
>>61240681
heh even after censoring out all that bullshit you still missed one of the most important pieces of info. thanks, nothin personal kid
>>61240702
fugg, go easy on me
>>61240681
I would delete that if I were you. Just nmapped your network and it looks like you're vulnerable to at least a couple privesc vulns and an smb exploit
>>61240743
bring it
>>61240765
I just felt morally obligated to tell you, I'm not gonna fuck your shit up. But any kid with kali or eternal blue on here could do some major damage.
>>61240681
>pfSense
what machine do you run it on?
>>61240702
those IPs on the right?
>>61240765
commenting to see op get hax0red
>>61240780
kek, I'll just have to take my chances ;^)
OpenBSD pf best firewall
>>61240455
Fortinet fortigate
>>61240455
iptables on debian netinstall
works. very lightweight.
>>61240681
I run Pfsense as well, but I'm not dumb enough to post a screenshot of it
>>61240455
pf on FreeBSD
>>61240901
come at me bro
>>61240912
This
>>61240780
>Run an exploit
>It was a honeypot
>Get countered
>>61240912
>>61240901
>>61240812
Anyone implying that BSD based firewalls are good doesn't know what they're talking about.
Enjoy your extremely subpar qos. Nothing touches fq_codel and cake on linux, and yes, the freebsd dummynet stuff since 11R does implement fq_codel but it's not nearly as efficient as it is on linux.
Best solution: use your distro of choice with nftables, the iptables replacement.
Preferably use one with good selinux coverage like fedora/centos (or even debian, recent work on upstream refpolicy has come a long way).
Hardened kernels are useless now that grsec is dead. A hardened libc might be useful, but not as useful as selinux.
>>61240512
But why. Unless you're a high value target, it's kind of overkill.
>>61240681
Bro I don't think you understand what you've just given everyone here. Lock down mode ASAP.
Forced anal sex incoming.
>>61241216
my body is ready
give me your best
>>61240681
Just because I enjoy ruining fun, there's no worthwhile waldo to find in this image. He posted the ipv6 address assigned to his lan interface. No big deal whatsoever.
>>61240743
>smb exploit
How, why, what?
>>61241261
1. He's bullshitting you.
2. He's referencing this recent CVE.
https://www.samba.org/samba/security/CVE-2017-7494.html
>>61241237
REEEEEEEEEEE
No because it's not 2003
>>61241396
???
>>61241237
It's global, my dude, likely routable.
>>61241296
Not OP here, but I would kek a bit too hard to be healthy if OP did leave smb open to the world.
>>61240780
>>61241137
>Attack OP's network
>Actually a honeypot set up by the FBI to catch kiddies
>They get your location
>Vans inbound
OH SHI-
>>61241432
I would really like to see what you can do with that ipv6
>>61240455
saved
>>61241467
I am just an old man on a Vietnamese yak shaving forum. But watch out for those meddling kids.
>>61241467
Nothing, it's a LAN IP.
>>61240455
yeah, I got an i7-7700k and now all four walls of my room are firewalls
Dont have any firewalls on my pc or router nor antivirus programs
Common sense 2018 edition is best
>>61241539
Well not exactly nothing. You can tell that he's a Comcast user in Minnesota. No big deal, doesn't really identify him.
But it does bring up the point that everyone in here seems to miss. Yes, you do need a firewall in the ipv6 world. The only thing preventing any machine behind his router with a ipv6 address being directly connected to is his firewall, and that includes his lan interface.
But no, unless he has seriously misconfigured pfsense, that address being leaked doesn't make him eligible for being pwn'd. It's just a little identifying.
>>61241296
That CVE affected a lot more than just samba dude. Like Windows 7 for example. That's pretty big.
>>61241261
>>61241748
Window's SMB is not samba.
>>61240455
IPTables on my Arch Linux system
In Windows I have restricted ports for file sharing, samba and shit for wannacry. In Linux I have nothing blocked. At work we put a firewall blocking everything except some shit like browsing and some other ports for servers and clients, but I don't think they work very well cuz a virtual machine with Debian got infected, and today I was checking something on a PC and I found some malware for bitcoin mining LOL. I don't know if that was the user's fault for downloading shit or we got fucked through our public IP, like when you have a PC running a program listening for some shit, using DMZ, and sometimes you start listening to shit from Chinese IPs.
>>61241488
>Glasswire
>Glasswire
>Glasswire
tinywall :^^^)
>>61242308
>japanese bird cooking spaghetti
its been a long time, this is the only bot i missed since captcha got turned on
>>61240455
My router.
>>61240455
MS firewall with custom rules.
Others have the same but they also have some HIPS, stuff included in a av
>>61240576
>Outgoing :allow
>not making rules for each program
wew lad
>>61241549
I block system and the internet still works on what I need.
>>61240455
Yes. I use ufw.
>>61240576
You are literally using the firewall that comes included with Linux Mint. Good to know that your overpriced OS uses freeware, huh?
>>61240539
Tfw I actually do this and have always done this even though I have no actual idea if it helps or not.
>>61243295
>>not making rules for each program
can you even do this in ufw?
>>61243410
Yeah
>>61243426
How?
>>61243452
You shove a huge black dildo up yo ass.
hit >>>/g/stg/
>>61243426
>>61243476
yeah no, tell us how if you're not a troll
test
>>61240455
Have you ever seen something so strange as a damn Japanese bird cooking spaghetti?
>>61240455
Checkpoint + Sophos UTM on layer 2 Hypervisor
>>61243540
MODS
ESET.
>>61243497
I figured out how to do it a few minutes ago. I'm using deluge, so I will use that as an example. Open up deluge, and go to preferences, then click on network. Pick a specific port for outgoing, and then disable that specific port through ufw. Can't seed, but you can't phone home, either.
>>61243637
interesting idea but won't really work if the destination changes
test
what about iptables?????? what can be better than that?
>>61243557
that's not a firewall
>>61243934
not wasting your fucking time
>>61243540
MOOOOOOOOOOOOOODS
>>61241175
thank you for your opinion sir
sadly i dont care enough to re-model my firewall setup because some anon online is a GNU fanboy rather than a BSD fanboy
>>61243410
you can do it on a per-user basis in iptables
>>61244616
What if you only want to allow 80/tcp for firefox? Can you do anything like that in >muh Linux?
>>61244573
>>61243554
How retarded are you exactly?
>>61243186
this is all you need
>>61244648
iptables -m owner --uid-owner test -I OUTPUT -p udp --dport 53 -j ACCEPT
iptables -m owner --uid-owner test -A OUTPUT -p udp -j DROP
iptables -m owner --uid-owner test -I OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -m owner --uid-owner test -A OUTPUT -p tcp -j DROP
iptables -m owner --uid-owner test -A OUTPUT -j DROP
something like this ought to work
>>61244774
downvoted. This board doesn't allow bullies here.
>>61244938
what you gonna do about it?
nigger
>>61243540
Always suspected her name was Arabic.
>>61240681
nigga u going down
>>61245226
There's no need to use the N word man.
You might hurt the feelings of coloured people.
>>61243537
the expression on the face in OP is priceless as he's looking at that parrot.
>>61243537
its penne u autistic fuqboi
>>61243346
>You are literally using the firewall that comes included with Linux Mint. Good to know that your overpriced OS uses freeware, huh?
he's using Linux and not macOS you stupid retard. macOS comes with a different FW and Gufw doesn't even run on macOS.
I have a PA200
>>61244583
But he is right, BSD fanboy.
>>61241175
>Reading comprehension
No one said shit about QoS.
>>61240455
WatchGuard T25
Works fine
>>61244583
I'm not a gnu fanboy by any stretch of the imagination. BSDs just don't have the ability to compete on QoS currently, Linux gets a lot more attention from researchers. See pic related.
If you're on a non-gigabit home line with very asymmetrical upload/download speeds, you will run into bufferbloat, plain and simple. Proper QoS will make a substantial difference in how fast your internet feels, especially if you have roommates.
Have you ever been in a Skype call or online game and noticed extreme latency spikes when your roommate starts watching Netflix? There legitimately is something you can do about it, just use fq_codel or cake. There are no knobs to fiddle with, just turn it on and it learns. Your pings stay low and throughput isn't affected.
Honestly the work that has been done by the bufferbloat researchers is nothing short of mind-blowing.
>>61243540
wtf fag, do you know how expensive are those?
>>61246014
That's a fair point, youre right.
but what everyone is really talking about here is a home router and firewall. It's called subtext.
>>61244911
>>61244616
>>61241841
>>61240871
I just want to take a second and shill again for nftables. It's basically like pf syntax for Linux, it's the successor to iptables, developed by the same netfilter team of developers. It outperforms iptables, has new features that iptables can't do, you don't have to use the whole clunky iptables-save nonsense, seriously worth checking out if you're setting up a new machine.
In the next few years it will likely become the norm, so if you don't really know either of them in-depth, it's a good idea to just learn nftables now and skip iptables altogether. If you work in system administration/devops it's especially a good thing to learn.
>>61240455
Firewall on router
+
on server: iptables
+
on desktop: ESET internet security
Used to use kaspersky and still "prefer" them over ESET, but their ties to russian gov is disturbing.
>>61246014
>implying it doesn't count
Another reason not to use memeBSD
>>61246457
>their ties to russian gov is disturbing
you're an idiot. watch less CNN
>>61246512
This, and I am not alt-right or whatever nazis are called these days
>>61246615
>>61246512
they are constantly losing contracts due to allegations, why even take the chance. Plus the owner is ex russian NSA
>>61246685
>they are constantly losing contracts due to allegations, why even take the chance. Plus the owner is ex russian NSA
And half of McAfee and Symantec are ex-NSA. McAfee also has a whole bunch of Mossad guys.
Russians can't do shit to me and they're also the first ones to remove NSA spyware.
>>61246215
>iptables-save
I just wrote a shell "script" that contains everything I want and a systemd service file for it
>>61246685
Nice try NSA! Leaked CIA Vault7 docs tell us that Kaspersky's the hardest to bypass.
I think I'll continue using the best.
# Generated by iptables-save v1.4.7 on Thu Jul 6 11:21:34 2017
*filter
:INPUT DROP [4409900:662844199]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Thu Jul 6 11:21:34 2017
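As an added example (not code from anyone in the thread), here is a small Python auditor that parses iptables-save output such as the dump above, plus the per-user owner-match rules from the earlier post. It reports which inbound ports the ruleset exposes, whether the RELATED,ESTABLISHED rule comes before them, and simulates the first-match egress decision per uid, which is what makes the owner match hold up where blocking one fixed torrent port stops working as soon as the destination changes. The OWNER_DUMP ruleset is constructed to show what those -I/-A commands look like once saved; the uid name "test" is the one used in that post.

```python
"""Parse the filter table of an iptables-save dump and audit the policy.

Added example for this thread, not code from any poster. It understands
only the flags used in the two rulesets below (-A, -i, -p, --dport with a
single port, --icmp-type, -m state --state, -m owner --uid-owner, -j);
other flags are skipped, and the raw line is kept on each rule.
"""
import shlex

# The dump posted upthread, used here as the INPUT-side sample.
SERVER_DUMP = """\
*filter
:INPUT DROP [4409900:662844199]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
"""

# Constructed: what the per-user owner-match commands from the earlier post
# produce once saved. The two -I rules land at the top (last inserted
# first); the -A rules follow in the order they were appended.
OWNER_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m owner --uid-owner test -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p udp -m owner --uid-owner test -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m owner --uid-owner test -j DROP
-A OUTPUT -p tcp -m owner --uid-owner test -j DROP
-A OUTPUT -m owner --uid-owner test -j DROP
COMMIT
"""

# flag -> (rule key, converter) for the options this parser tracks
_FLAGS = {
    '-A': ('chain', str), '-i': ('iface', str), '-p': ('proto', str),
    '--dport': ('dport', int), '--icmp-type': ('icmp_type', str),
    '--state': ('states', lambda s: frozenset(s.split(','))),
    '--uid-owner': ('uid', str), '-j': ('target', str),
}

def parse_iptables_save(text):
    """Return {'policy': {chain: default}, 'rules': [rule dicts, in order]}."""
    policy, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(':'):                     # ":INPUT DROP [pkts:bytes]"
            chain, default = line[1:].split()[:2]
            policy[chain] = default
        elif line.startswith('-A'):
            rule = {'chain': None, 'iface': None, 'proto': None, 'dport': None,
                    'icmp_type': None, 'states': frozenset(), 'uid': None,
                    'target': None, 'raw': line}
            toks = shlex.split(line)
            i = 0
            while i < len(toks):
                spec = _FLAGS.get(toks[i])
                # a flag's argument is the next token unless that is another flag
                has_arg = i + 1 < len(toks) and not toks[i + 1].startswith('-')
                if spec and has_arg:
                    rule[spec[0]] = spec[1](toks[i + 1])
                i += 2 if has_arg else 1
            rules.append(rule)
        # '*filter', 'COMMIT', comments and blank lines carry no rules
    return {'policy': policy, 'rules': rules}

def egress_decision(ruleset, uid, proto, dport):
    """First-match walk of OUTPUT for a packet sent by `uid` to proto/dport.

    A rule with no uid, proto or dport constraint matches everything; the
    chain policy applies when nothing matches. A per-user DROP therefore
    stops a program regardless of destination, unlike a single port block.
    """
    for r in ruleset['rules']:
        if r['chain'] != 'OUTPUT':
            continue
        if r['uid'] not in (None, uid) or r['proto'] not in (None, proto):
            continue
        if r['dport'] not in (None, dport):
            continue
        if r['target'] in ('ACCEPT', 'DROP', 'REJECT'):
            return r['target']
    return ruleset['policy'].get('OUTPUT', 'ACCEPT')

def audit(ruleset):
    """Summarise what the INPUT and OUTPUT chains actually expose."""
    pol = ruleset['policy']
    findings = {
        'open_policy_chains': [c for c in ('INPUT', 'FORWARD') if pol.get(c) == 'ACCEPT'],
        'exposed_inbound': [],          # accepted on every non-loopback interface
        'stateful_before_ports': True,  # RELATED,ESTABLISHED should precede port rules
        'egress_unrestricted': pol.get('OUTPUT') == 'ACCEPT',
    }
    seen_stateful = False
    for r in ruleset['rules']:
        if r['chain'] == 'INPUT' and r['target'] == 'ACCEPT' and r['iface'] != 'lo':
            if r['states']:
                seen_stateful = True
            elif r['dport'] is not None:
                findings['exposed_inbound'].append(f"{r['proto']}/{r['dport']}")
                if not seen_stateful:
                    findings['stateful_before_ports'] = False
            elif r['proto'] == 'icmp':
                findings['exposed_inbound'].append(f"icmp/type{r['icmp_type']}")
        elif (r['chain'] == 'OUTPUT' and r['target'] == 'ACCEPT'
              and r['uid'] is None and r['proto'] is None and r['dport'] is None):
            findings['egress_unrestricted'] = True   # catch-all ACCEPT in OUTPUT
    return findings

if __name__ == '__main__':
    print(audit(parse_iptables_save(SERVER_DUMP)))
    owner = parse_iptables_save(OWNER_DUMP)
    for pkt in (('test', 'tcp', 80), ('test', 'tcp', 443), ('alice', 'tcp', 443)):
        print(pkt, '->', egress_decision(owner, *pkt))
```

The server dump comes out as expected for a box that only serves ssh: nothing inbound but icmp echo and tcp/22, stateful rule first, egress wide open. Against the owner ruleset the walk shows uid test reaching tcp/80 and udp/53 and nothing else, while every other uid falls through to the ACCEPT policy.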
>>61241175
stale pasta is stale
Asa 5505masterrace reporting in
>in b4 nsa hax
>in b4 cisco sux
>in b4 juniper fortundt thu best
>>61246782
And?
Nobody ever recommends Symantec nor McAfee. Just because you use kaspersky does not mean it is a great product, my friend.
>>61246831
How does it being the hardest to bypass in any way invalidate the statement that they are accused of working directly with russian intelligence?
I use the firewall included in RouterOS
My firewall kicked that hackers ass last night
>>61247583
can someone explain to a retard whats the difference with a cisco asa vs other cisco router doing NAT and other shit
>>61248949
>How does it being the hardest to bypass in any way invalidate the statement that they are accused of working directly with russian intelligence?
Name one US company that doesn't work with US intelligence.
Can Russians put you in jail? No. Can FBI/NSA/DSA/DOJ? Yes.
Kaspersky's the only one that uncovers all state-sponsored malware (yes, including russian ones).
Stay retarded. Keep on using placebo.
>>61248990
>>>61247583 (You)
>can someone explain to a retard whats the difference with a cisco asa vs other cisco router doing NAT and other shit
On the ASA it's all about ACLs and network objects. Just a method of obfuscation, same shit
>>61246790
I use an up script with openvpn (that automatically starts on boot); I also route all my torrent shit through the VPN (as seen in picture) in the same script.
also
>using sites that don't allow dynamic logless VPNs
>>61249019
what the fuck does this even mean, im not big into networking. in what situation you want a ASA instead of a regular cisco running IOS for example?
>>61248994
Nice goal-post moving, retard.
>A-AT LEAST THEY'RE N-NOT WORKING WITH THE NSA
I run the most impenetrable firewall
I unplug my computer and go outside
>>61248994
>Name one US company that doesn't work with US intelligence
Freddy's steaks and icecream
Your move fag lord
>>61249086
I see you ran out of arguments. my job is done.
>>61249129
No, I said "they are doing X" then you went "WELL AT LEAS THEY AREN'T DOING Y".
Please fuck off, dumb teenager.
>>61249128
>implying Freddy doesn't personally feed every NSA employee
>>61249068
>>>61249019 (You)
>what the fuck does this even mean, im not big into networking. in what situation you want a ASA instead of a regular cisco running IOS for example?
A. Uses IOS
B. It's like an obfuscated IOS <try it, see what I mean>
C. NAT on the ASA is configured with network objects and ACLs, again an obfuscation if you ask me
Great device, a couple hours with it and you should be fine. VPN with AnyConnect is GOAT
>>61249198
>MUH RUSSIANS ATE MY DOG
is that you Hillary, you crazy old cunt?
>>61249229
>Accepts government backdoors in his software regardless of government
Like I said, fuck door dumb teenager.
>>61249254
fuck off Jose.
No firewall. Feel free to fuck my shit up
>>61249049
font name and howto highlighting please
>>61247192
stale implying is stale
>>61249049
You might be interested in up scripts that move the tunnel interface into its own network namespace. Then you can be certain that the only routes the application is aware of are the routes through your tun interface; it will not be possible for the application to go out through another route.
You have to be careful about things like DNS still, though, unless you use chroots and such. nspawn + machinectl works well.
>>61250397
With what I'm doing the chosen users (which run the programs) can't connect to the internet through any other interface than the tun0 one (which is the VPN), so if tun0 is down then they have no connection.
I'm sure there are better ways of implementing it, but I can't really be bothered to get into it when this setup works.
For DNS, I run DNSCRYPT on 2 separate machines (one on the server in the picture, and another instance on rpi3 in case the server goes down and I still need internet access).
I'm the bone of my firewall.
>>61240455
only the best
>>61240455
Gentoo
>>61240455
>Openwrt box which allows traffic to my vpn and drops anything else
>LittleSnitch for app specific rules
>>61240539
centos with iptables + fail2ban
home router + firewall
small custom pc cobbled together with a cheap celeron (2016 model), 4GB ram and a PCI NIC
>>61240681
Nigga, be careful with your IPv6:
Source: whois.arin.net
Name: MINNESOTA-RPD-V6-2
Handle: NET6-2601-440-1
Registration Date: Tue Mar 24 13:31:37 EDT 2015
Range: 2601:440:: - 2601:47F:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
btw You are running EUI-64 on your GW, your Ethernet card is from PC Engines GmbH (I think it is a dedicated server)
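An added example, not code from any poster, that does by hand what the two posts on this address describe: the earlier one arguing that a global IPv6 address on a LAN interface is reachable unless the firewall drops it, and this one reading the NIC vendor out of an EUI-64 interface identifier. It classifies an IPv6 address by scope and, if the interface identifier has the EUI-64 shape, recovers the MAC that was used to build it, which is the thing RFC 4941 privacy extensions exist to avoid. The addresses are constructed under the 2001:db8::/32 documentation prefix; the vendor lookup itself (OUI against the IEEE registry) is not embedded.

```python
"""Classify an IPv6 address and check whether its interface identifier
leaks the NIC's MAC address through EUI-64.

Added example for this thread, not code from any poster. All addresses
used here are constructed; 2001:db8::/32 is the documentation prefix.
"""
import ipaddress

GLOBAL_UNICAST = ipaddress.IPv6Network('2000::/3')
UNIQUE_LOCAL = ipaddress.IPv6Network('fc00::/7')

def scope_of(addr):
    """Return 'link-local', 'unique-local', 'global-unicast' or 'other'.

    Only link-local and unique-local addresses can be assumed unreachable
    from the internet. A global-unicast address on a LAN interface is
    routable; whether anything reaches it is decided by the firewall in
    the path, not by the address being "internal".
    """
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        return 'link-local'
    if a in UNIQUE_LOCAL:
        return 'unique-local'
    if a in GLOBAL_UNICAST:
        return 'global-unicast'
    return 'other'

def eui64_mac(addr):
    """Return the MAC embedded in an EUI-64 interface identifier, or None.

    RFC 4291 forms the IID by splitting the 48-bit MAC, inserting ff:fe in
    the middle and flipping the universal/local bit (0x02 of the first
    byte). If the IID has that shape the host is not using privacy
    extensions and its hardware address, hence NIC vendor, is exposed.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b'\xff\xfe':
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ':'.join(f'{x:02x}' for x in mac)

def assess(addr):
    """Combine both checks into a short report."""
    return {'address': ipaddress.IPv6Address(addr).compressed,
            'scope': scope_of(addr),
            'eui64_mac': eui64_mac(addr)}

if __name__ == '__main__':
    # constructed samples: link-local, ULA, EUI-64 global, randomised global
    for a in ('fe80::1', 'fd12:3456::1',
              '2001:db8::214:22ff:fe01:2345', '2001:db8::a1b2:c3d4:e5f6:789'):
        print(assess(a))
```

For the EUI-64 sample the recovered MAC is 00:14:22:01:23:45; its first three bytes are the OUI you would look up to get the vendor. The randomised sample returns None, which is what a host with privacy extensions enabled looks like.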
>>61241575
You can attack him with a Tunnel 6to4, just do some routing tricks to do that
>>61250627
my nigga
>>61240455
>firewall
Geez, anon, sounds like you have something to hide. Maybe if you didn't download all that child pornography you wouldn't need to worry about a firewall.
>>61251280
>>61251334
I think you don't know how Tunnel 6to4 works, right? It's an encapsulation (ipv6ip) from the IPv4 side
Btw I'm CCIE, that's why I know this
>>61240559
lmao
Untangle on a 1U Atom S2530/4GB custom blade. Works quite well, QOS is top notch. Don't need the additional paid functionality like AD integration so it's good for my needs.
Router/cable modem is kinda a firewall as I limit it to having only the ports open i need for FTP/Remote web interface. Then I use built in windows firewall on all clients and my server. For FTP/Remote web access I have it limited to a special account that is restricted to read only with the exception of the uploaded files folder. So even if someone did "hack" me they could not delete any data.
>>61243346
>overpriced OS
are you fucking retarded?
Firewall software running on Windows can't block Microsoft's built-in handshakes/telemetry.
How do you deal with this if you can't use a VM or rely on a hardware firewall?
>>61250627
>>>61240455 (OP)
>only the best
After 5505
>>61252422
By installing linux
>>61252554
that's a good solution to use while poosting on 4chan, but it's useless for all other tasks.
>>61252580
It's not, even games phone home nowadays and the only way to stop them is a Linux system; that's how I stopped XCOM. And yes, I played an XCOM port for Linux, "no games" is a meme.
>>61248994
Even f-secure got caught whitelisting QWERTY and other stuff. Depressing.
>>61240455
I have a fortigate
>>61252547
100% guaranteed you don't have any licensing for that so it's just a glorified iptables. Enjoy being cucked by (((cisco))).
>>61241888
Most fitting response i've seen all day. nice trips too
>>61244911
Where does it say "firefox" or refer to a process id? I want to go down to the app level and allow a port/app, which you can do in Windows.
>>61248994
>Kaspersky's the only one that uncovers all state-sponsored malware (yes, including russian ones).
Is this true? Source?
My bitdefender license will expire in a couple of weeks, thinking of switching.
>>61240681
Nice bait
>>61248994
>>61246831
>>61249229
The state and organized crime are the same thing in Russia. Read this carefully, dummy:
https://www.bloomberg.com/news/articles/2017-03-06/russian-hackers-said-to-seek-hush-money-from-liberal-u-s-groups
>>61240576
This may help, yet again it may not
https://wiki.archlinux.org/index.php/Simple_stateful_firewall
>>61243950
It comes with one.
>>61243637
>>61243497
All these summerfags tick me off.
UFW is a frontend to iptables. You can use the "owner" module to make specific rules:
https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#OWNERMATCH
>The owner match only works within the OUTPUT chain, for obvious reasons
>The owner can be specified as the process ID either of the user who issued the command in question, that of the group, the process, the session, or that of THE COMMAND itself.
>>61240455
>iptables
>Unifi Security Gateway Pro 4
>>61250397
where can I find more info on moving the tunnel interface into their own namespace?
>>61256315
https://unix.stackexchange.com/questions/149293/feed-all-traffic-through-openvpn-for-a-specific-network-namespace-only
>he doesnt run Cisco Firepower Threat Defense
>he cant afford to dedicate at least 16GB RAM and 8 cores to his firewall
>his firewall can't do application fingerprinting
>his firewall can't scan for malware
>his firewall can't run a IPS at line rate
>his firewall doesn't support clustering
you're all firewalllets
>>61247583
You should replace it with an FTD, it's what they're replacing the ASAs with; I used to run a 5510. If you go on certcollection I posted a crack for it.
>>61248990
Statefulness and clustering. With a more modern FTD you get the commercial form of Snort, malware scanning, URL filtering, and tons of other stuff. Technically the ASAs have an IPS module but they're shitty. Newer ASAs have Firepower modules but they're also shitty.
>>61253289
They're dirt cheap and easy to find licensed, there is also a keygen for them which is easily found on torrent sites.
What are some free open-source firewall programs for Windows?
I don't want all those iptables whats its nots, and all those router. Just something that gives me 100% control over my firewall like my android does. If I want to block Microsoft I can do so, like I block my manufacturer from getting data from me on my tablet.
>>61257733
> free open-source
> for Windows
lol
>>61256680
the cucknood macfag autist returns, insulting everyone who doesn't have dumb shit like this at home making noise and eating shit ton of power thinking its necessary, kek, i always love seeing this guy
>ITT people that claim they don't run a firewall that don't realize NAT is basically a masquerading firewall
>>61258600
> i always love seeing this guy
I'm glad I have a fan club, and I dont even need a trip
>>61241547
but if it were a amd it would overheat and burn the walls down
>>61258680
i do love seeing you, its always funny to see the mac guy with "bixnood" in the url bar insulting everyone while even you yourself know its just a huge meme to run this stuff, its funny that someone actually does this
hope u post more often
>>61243950
Yeah, it includes a firewall but it's not any better than the ones operating systems come with.
>>61258600
there's only 3 people on /g/
>>61258925
this thread has 98 posters
>>61258956
97 of them were me
>>61258956
okay, mostly shitposters