I want to install a firewall on my Raspi 3B. I have found this site on security https://gist.github.com/boseji/c9e91ff3bd0b3cfb62a5e260fe505374 on Github. It suggests a mixture of UFW (the U stands for uncomplicated, and that has an immediate attraction) and Fail2Ban. He also suggests the following too:

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
...
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
...

Should I make these mods? It would mean that I need to understand which ports are being used, whether they are incoming or outgoing and the related IP address in order to complete the iptables. Any thoughts how I do this, given that I supply data to ADSBX and FA? Thanks
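Before deciding whether to apply the gist's sysctl settings, it helps to see which of them the Pi already has. The script below is an added example, not code from the thread or from the linked gist: it takes a dump in the "key = value" format that `sysctl -a` prints and reports every key from the quoted list that is missing or set differently. The sample dump it runs on is constructed for the example; on a live box you would pipe `sudo sysctl -a` into the same function, and any values you then decide to change would go into a file under /etc/sysctl.d/ and be loaded with `sudo sysctl --system`.

```shell
# Added example (not from the thread or the linked gist): audit the sysctl
# hardening keys quoted in the post against their recommended values.
# The gist sets both conf.all.* and conf.default.*: "all" changes existing
# interfaces, "default" seeds interfaces created later, so both are checked.

# Wanted values: exactly the keys from the quoted gist, one key=value per line.
WANTED='net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0'

# Constructed sample dump (a partially hardened system, invented for this example;
# same "key = value" layout that `sysctl -a` prints).
SAMPLE_DUMP='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.ip_forward = 0'

# Reads a sysctl dump on stdin, prints one line per key that is missing or
# differs from WANTED, and returns the number of findings (0 = all keys set).
audit_sysctl() {
    dump=$(cat)
    findings=0
    for entry in $WANTED; do            # unquoted on purpose: one word per line
        key=${entry%%=*}
        want=${entry#*=}
        # split each dump line on "=" with optional spaces; field 1 must equal the key exactly
        cur=$(printf '%s\n' "$dump" | awk -v k="$key" -F' *= *' '$1 == k { print $2; exit }')
        if [ -z "$cur" ]; then
            echo "MISSING  $key (wanted $want)"
            findings=$((findings + 1))
        elif [ "$cur" != "$want" ]; then
            echo "MISMATCH $key = $cur (wanted $want)"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Usage on the constructed sample (live: sudo sysctl -a | audit_sysctl).
if printf '%s\n' "$SAMPLE_DUMP" | audit_sysctl; then
    echo "all hardening keys already set"
else
    echo "findings: $?"
fi
```

The return code doubles as the finding count, so the function can gate a config-management run or a cron check without parsing its output. On the sample above it reports two mismatches (default.rp_filter, ipv4 accept_redirects) and one missing IPv6 key.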
So you are not behind a firewall router already? Your pi is hooked directly to a cable modem getting a public IP? If so, you should burn the SD and start over, it is already compromised. If you are behind a firewall already, why install one on the pi internally? If you are running publicly, I'd suggest a router, and if you want something tiny: https://amzn.to/2V0rAkV Then run it in front of the pi. Just a suggestion.
If he has a non-trivial password, why would the RPi be compromised? (the default password counts as trivial if you were wondering.) The post you linked to talks about securing SSH, which is always a good idea. Normally only server/listen ports require firewall rules. Outbound connections are normally just allowed. As none of the feeders require public ports, you should be good. And if you just allow http anyway, there wasn't really any gain as that is probably the only port besides SSH that is open anyhow. You should specify which image you are using and how the RPi is connected to the network/internet.
Yes, I am behind a router that does the normal Stateful Packet Inspection, IP Masquerading or Network Address Translation (NAT), and all TCP and UDP ports are closed for incoming connections from the internet to the network. Your MT300 idea has got me thinking, as I am just about to flash a number of the 750's and create a Mesh network and I could buy an extra one...........
A very helpful reply (as usual). I am using the Piaware image, with their Dump1090, your performance charts, the ADSB image on a 3B using stretch (!) on an Ethernet network, behind a modem/router. I have used two extra ports for capturing data to populate SQL databases for ADSB and MLAT data. Have I given enough pertinent info for more thoughts? Regards
What would the firewall do? People from outside your network can't connect to it. If you had it directly on the internet a firewall might make sense to only expose SSH via public key authentication (password login SSH disabled) and close all other ports to the internet but not from localhost. That way you could use an ssh tunnel or zerotier to connect to other stuff besides the SSH. But with your current setup, you want all the ports accessible that the device has open. Best policy: strong password or access only via public key for SSH. I wouldn't worry much about the other ports being open. I'm not aware of any major vulnerabilities for stuff like dump1090 and lighttpd. If you don't have an overview of running services, it is nice to only allow services you really need. It really seems unnecessary on the local network and it most likely wouldn't change anything. Others might have a different approach, but that's how I see it.
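The one concrete recommendation in the reply above is key-only SSH with password login disabled, and the usual way that goes wrong is an edit to sshd_config that never takes effect: sshd uses the first occurrence of a directive and ignores later duplicates, and anything below a Match block only applies when that Match criterion is met. The script below is an added example, not code from the thread or from the PiAware or ADSBx images: it reads an sshd_config on stdin, resolves the effective global value of a directive the way sshd does, and reports whether PasswordAuthentication and PubkeyAuthentication end up where the reply wants them. The sample config is constructed for the example; on a live box `sudo sshd -T` prints the fully resolved configuration (including Include files), which is the authoritative thing to check after editing.

```shell
# Added example (not from the thread): check that an sshd_config really turns
# password logins off and key logins on, honouring sshd's first-match rule.

# Constructed sample: someone appended "PasswordAuthentication no" below an
# earlier "yes" and expects passwords to be disabled. They are not.
SAMPLE_SSHD_CONFIG='# constructed sample sshd_config (not from any real system)
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
# appended later in the hope of disabling passwords:
PasswordAuthentication no
Match User pi
    PasswordAuthentication no'

# Constructed hardened counterpart.
HARDENED_SSHD_CONFIG='PasswordAuthentication no
PubkeyAuthentication yes'

# Prints the effective global value of directive $1 from the config on stdin
# (directive names are case-insensitive; output lowercased for comparison).
# Empty output means the directive is not set and sshd's default applies.
effective_sshd_value() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v want="$want" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                      # comments and blank lines
        tolower($1) == "match"   { exit }                      # below Match, values are conditional
        tolower($1) == want      { print tolower($2); exit }   # first occurrence wins
    '
}

# Reads a config on stdin; prints one line per directive that does not have the
# wanted value and returns the number of findings (0 = key-only SSH).
# Format of each entry: Directive=wanted:sshd_default (defaults per sshd_config(5)).
audit_sshd() {
    cfg=$(cat)
    findings=0
    for entry in PasswordAuthentication=no:yes PubkeyAuthentication=yes:yes; do
        directive=${entry%%=*}
        rest=${entry#*=}
        want=${rest%%:*}
        default=${rest#*:}
        cur=$(printf '%s\n' "$cfg" | effective_sshd_value "$directive")
        note=""
        if [ -z "$cur" ]; then
            cur=$default
            note=" (not set; sshd default)"
        fi
        if [ "$cur" != "$want" ]; then
            echo "FINDING $directive is $cur$note, wanted $want"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Usage on the constructed samples (live: sudo sshd -T | audit_sshd).
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | audit_sshd || echo "sample: $? finding(s)"
printf '%s\n' "$HARDENED_SSHD_CONFIG" | audit_sshd && echo "hardened: key-only SSH"
```

Feeding `sshd -T` output into audit_sshd instead of the raw file is the more reliable check, because `sshd -T` already applies the first-match rule, Include files and defaults; the parser above exists to show why an appended line can silently do nothing. Whichever way you check, keep an existing session open while testing a new key login before restarting sshd, so a mistake does not lock you out of a headless Pi.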
Agree with everything @wiedehopf said. The ADSBx image should never be exposed to the world directly, nor should PiAware or any other IoT device. You can enable ssh key auth and you should not expose ports other than those you know.