Debian – Configure your firewall with firehol

If you’re anything like me, then the thought of having to dive into iptables rules and configuration is a harbinger of doom, often followed by hours of frustration as we consult the almighty Google in an attempt to find our lost salvation. Fear not, for yesterday I discovered the almighty firehol, and I think it may have changed my life forever.

Firehol is a lightweight package written in bash which converts a simple, intelligible configuration file into rock-solid iptables hell-speak. Moreover, it does a neat job of generating a foundation configuration for you, and the tutorials do a great job of explaining firewalling concepts to someone as naive as me.

Setting up a basic firewall configuration is pretty easy. Run as root, it goes something like this (the final “commit” is not a command of its own; it is what you type at the prompt that “firehol try” gives you):

apt-get install firehol
mv /etc/firehol/firehol.conf /etc/firehol/firehol.conf.backup
firehol helpme > /etc/firehol/firehol.conf
firehol try
commit

Basically, “firehol helpme” examines the services currently listening on your machine and writes a configuration that opens their ports on every interface, and lets the host out as a client for everything. So you might say that this has just rendered your firewall fairly useless: anything that was reachable before is still reachable, and it only becomes a firewall once you have read through /etc/firehol/firehol.conf and pruned it, closing services that should not be exposed on a given interface and restricting management services such as ssh to the addresses that actually need them. Having said that, the file is easy to read, so it’s pretty easy to see (and change) what’s going on. One Debian-specific gotcha: the package ships with START_FIREHOL=NO in /etc/default/firehol, so until you change that to YES your carefully pruned rules will not be applied at boot.
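To make the pruning concrete, here is an added example of what the two ends of that process look like. It is not the output of “firehol helpme” and not from the firehol project; it assumes eth0 is the internet-facing interface and that 203.0.113.0/24 is the only network that should be able to reach ssh (both are assumptions, and the services listed are illustrative).

```conf
# /etc/firehol/firehol.conf  (added example, not generated by firehol helpme)
# Assumptions: eth0 faces the internet; 203.0.113.0/24 is the management
# network that is allowed to ssh in.
version 5

# Roughly what a helpme-style file looks like: every service that was
# listening when helpme ran is reachable from anywhere on the interface.
# Kept here, commented out, for comparison.
#interface eth0 internet
#    policy drop
#    server ssh accept
#    server http accept
#    server smtp accept
#    client all accept

# Pruned version: default drop, only the services that belong on this
# interface, and ssh limited to the management network.
interface eth0 internet
    policy drop
    protection strong
    server ssh accept src "203.0.113.0/24"
    server http accept
    client all accept
```

After editing, apply it with “firehol try” and type “commit” at the prompt once you have confirmed your own ssh session is still alive; “iptables -L -n -v” then shows the chains firehol generated, which is a quick way to confirm that smtp really is no longer accepted on eth0.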

The firehol tutorial and manual are really well written and do a superb job of explaining things to the weekend warrior / linux dabbler. There’s really not much point rehashing it all here.

There are a few things worth knowing, however, that I will point out here. Firstly, if you’ve ever configured a firewall over a remote ssh session, then there’s a fair chance you’ve experienced the horror of setting a rule which blocks your own ssh access. Firehol deals with that nicely: the “firehol try” command converts your /etc/firehol/firehol.conf to iptables rules, activates them, and then asks you to type “commit”. If you don’t (because you’ve just locked yourself out), it reverts to the old configuration 30 seconds later. A nifty life saver if ever I saw one.

Secondly, if I run the default “firehol helpme” configuration, I get a raft of errors about “rule length being no greater than 29 characters”. There’s probably a better way to fix this, but in my own case I just renamed all my interfaces in the configuration file to if1, if2, if3 etc. The tutorial and manual suggest naming your interfaces something meaningful, but to be honest I’m not really sure why. I think it simply means that your iptables rules will be slightly more human readable, because they will all contain your arbitrary interface names. That said, iptables configurations have always been a mystery to me, so the rules are far from “human readable” regardless of the interface name. Of course, you can just comment your firehol.conf to explain what your interfaces are for.

That’s it! That’s all there is to it, happy firewalling kids!

What the NBN means for Australian Business

It’s a shame that the proposed changes to the NBN rollout have been overshadowed by other issues in the political arena. It’s something that I really feel strongly about because I can see the benefits to Australian small business.

The proponents of the NBN often argue that the changes will greatly reduce the bandwidth available to residential connections. Whilst that’s certainly true, I think it skews the core issue.

The originally proposed NBN would deliver ~100Mbit speeds to Australian residences, not just in 2010 when the scheme was announced, not just now in 2013, and not only in 2017 when the network is complete, but for the foreseeable future.

Unfortunately, it’s too easy for cost-cutting political bean counters to argue that we simply don’t need broadband speeds in excess of 20Mbit. Whilst that may be true for the moment, it certainly will not be true in 2017.

The core of the issue as I see it, is that we’re not talking about building a network to use right now, we’re talking about the network we are going to use in 10, 20, or even 30 years time.

As digital services continue to permeate our businesses in the future, affordable access to bandwidth will become far more important than it was historically. In the recent past, ~1.5Mbit was satisfactory. Right now 20Mbit is almost compulsory for even a small business with only a few users. It’s not difficult to extrapolate the future demand given the online services we all use today.

Over the last few days an online petition has received over 250,000 signatures from Australians who consider this to be an important issue. If you don’t agree, that’s fine, but if you simply haven’t considered it, then please do.

If you feel strongly about it, then please consider signing the petition.

Great opensource business tools

Opensource software really has matured a lot in the last decade. Where opensource used to be seen as a hobbyist / student sector, it has progressed to the point at which many projects are more secure and more stable than their proprietary counterparts.

So with that in mind, I thought I’d put together the list of opensource software I use every day. Continue reading

Bookkeeping too hard? Here are five ways to make everyone’s life easier.

Running your own business isn’t easy, and managing your time is very challenging. Most small businesses try to manage their own accounts in order to cut down on accountancy fees. It’s certainly a worthy goal, but if you go about it the wrong way, you will invest too much time and possibly not save any money when it comes to tax time. Continue reading

Sparkleshare, just the thing for super secure syncing

There’s a bunch of options for those feeling a little anxious about the privacy of their data on cloud hosted services. Owncloud, spideroak, bittorrent sync, git-annex, and seafile to name just a few. Over the last several months I’ve tried the lot, with varying degrees of success. Some of these projects are plagued by community-version-syndrome, while others just seem really poorly organised. Continue reading