Hello fellow Linux enthusiasts!
As many of you know, Linux can be a powerful and flexible operating system, but it can also be daunting for new users, especially when it comes to securing their systems. With the abundance of information available online, it's easy to get overwhelmed and confused about the best practices for firewall configuration and basic security.
That's why I reaching out to the Linux community for help. I am looking users who are willing to share their expertise and write a comprehensive guide to Linux firewall and security.
The goal of this guide is to provide a centralized resource that covers the following topics:
Introduction to Linux firewalls (e.g., firewalld, ufw, etc.)
Understanding basic security principles (e.g., ports, protocols, network traffic)
Configuring firewalls for various scenarios (e.g., home networks, servers, VPNs)
Best practices for securing Linux systems (e.g., password management, package updates, file permissions)
Troubleshooting common issues and errors
Advanced topics (e.g., network segmentation, SELinux, AppArmor)
I am looking for a well-structured and easy-to-follow guide that will help new users understand the fundamentals of Linux firewall and security, while also providing advanced users with a comprehensive resource for reference.
If you're interested in contributing to this project, please reply to this post with your experience and expertise in Linux firewall and security. We'll be happy to discuss the details and work together to create a high-quality guide that benefits the Linux community.
Thank you for your time and consideration, and im looking forward to hearing from you!
I build Linux routers for my day job. Some advice:
-
your firewall should be an appliance first and foremost; you apply appropriate settings and then other than periodic updates, you should leave it TF alone. If your firewall is on a machine that you regularly modify, you will one day change your firewall settings unknowingly. Put all your other devices behind said firewall appliance. A physical device is best, since correctly forwarding everything to your firewall comes under the "will one day unknowingly modify" category.
-
use open source firewall & routing software such as OpenWRT and PFSense. Any commercial router that keeps up to date and patches security vulnerabilities, you cannot afford.
Any links or thoughts on sane OpenWRT settings for a home network? I'm a networking noob but learning slowly and would love some good reading or tips.
Most firewalls are at their safest when you first get them i.e by default they block everything coming in. As you start doing port forwarding and the like you start making the network selectively less secure; that's when you have to pay attention.
I had an EdgeRouter X for years before I started my job. They are solid devices, and I'd definitely put them above most consumer routers.
Because they only charge for the hardware, they will eventually run into the same disincentive to provide consistent timely updates. If you do buy an Ubiquiti or similar enthusiast brand, do still keep an eye out for the CVEs that don't get patched.
-
Interesting.
What are the hosting details and contrib guidelines?
And some other random notes…
“Best practices for securing Linux” could probably be dropped. There are enough of those, and the topic could overrun the focus on firewalls. I could see a secure network section, but Linux might be too broad.
What about opening it up to FOSS firewalls and networking in general? The BSDs, Illumos, Haiku, and others could be added. Linux could be the starting point, and the others could be added as people feel like it.
- use pfsense for a firewall. Using nftables, firewalld, etc should only really come into play if on an untrusted network. Firewalls on servers can cause more problems than they solve and are easy to misconfigure.
- run lynis on your Linux servers to help get them compliant with CIS benchmarks
- be careful with your reverse proxies
- keep things patched
- run only necessary services
- configure needed services conservatively
- no root logins
What kind of attacks could I expect on a Linux Machine? Especially when using bare Arch Linux and only setting up software that I consume (Minecraft Server, Zerotier)
I tried using a guide online one time to build a linux router/firewall onto a passively-cooled mini-computer that I could leave on a shelf with no I/O connected... basically a replacement for the garbo off-the-shelf wifi routers that die every year. It worked...mostly. The problem is that the random little things that didn't work right just were insurmountable for a linux noob who was just trying to follow a guide.
I hate that spending money on the best ones you can buy STILL die after a year or two. And now they all require you to login so even more people can inspect all my network traffic.
I'd love to see a guide that's kept up to date for building a simple router/firewall, with sections like you have above for more information so people can unlock ports for unusual stuff or whatever. I mean, in a perfect world, you install a LTS OS and set it up and forget about it for a few years. Mine was like that except it required manual intervention every time it rebooted. If that wasn't the case, it would have been perfect and I would be recommeding it to everyone.
