Louis,

Followed your instructions so far. Take a look at the output of the various steps. I'm down to removing items from /etc/ufw. I'm not sure what I should delete. I know some of the files are backups generated after some rules were deleted. Please tell me what is safe to delete before I proceed further.

martin@radio:~$ sudo apt-get remove --purge ufw gufw
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libqt5positioning5 libqt5qml5 libqt5quick5 libqt5sensors5 libqt5webchannel5 libqt5webkit5 python-pyatspi
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
  gufw* ufw*
0 upgraded, 0 newly installed, 2 to remove and 29 not upgraded.
After this operation, 4,355 kB disk space will be freed.
Do you want to continue? [Y/n] y
(Reading database ... 324565 files and directories currently installed.)
Removing gufw (18.04.0-0ubuntu1) ...
Removing ufw (0.35-5) ...
Skip stopping firewall: ufw (not enabled)
Processing triggers for mime-support (3.60ubuntu1) ...
Processing triggers for desktop-file-utils (0.23+linuxmint4) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
(Reading database ... 324309 files and directories currently installed.)
Purging configuration files for ufw (0.35-5) ...
Purging configuration files for gufw (18.04.0-0ubuntu1) ...
dpkg: warning: while removing gufw, directory '/etc/gufw' not empty so not removed
Processing triggers for ureadahead (0.100.0-20) ...
ureadahead will be reprofiled on next reboot
Processing triggers for systemd (237-3ubuntu10.11) ...
Processing triggers for rsyslog (8.32.0-1ubuntu4) ...
martin@radio:~$ iptables --list-rules
iptables v1.6.1: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
martin@radio:~$ sudo iptables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N ufw-after-forward
-N ufw-after-input
-N ufw-after-logging-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-output
-N ufw-before-forward
-N ufw-before-input
-N ufw-before-logging-forward
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-output
-N ufw-reject-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-track-forward
-N ufw-track-input
-N ufw-track-output
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
martin@radio:~$ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
martin@radio:~$ sudo iptables --list-rules After REBOOT
[sudo] password for martin:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
martin@radio:~$ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
martin@radio:~$ sudo updatedb && locate ufw
/etc/gufw
/etc/ufw
/etc/gufw/Home.profile
/etc/gufw/Office.profile
/etc/gufw/Public.profile
/etc/gufw/gufw.cfg
/etc/ufw/after.rules.20190205_094713
/etc/ufw/after.rules.20190208_093000
/etc/ufw/after6.rules.20190205_094713
/etc/ufw/after6.rules.20190208_093000
/etc/ufw/applications.d
/etc/ufw/before.rules.20190205_094713
/etc/ufw/before.rules.20190208_093000
/etc/ufw/before6.rules.20190205_094713
/etc/ufw/before6.rules.20190208_093000
/etc/ufw/user.rules.20190205_094713
/etc/ufw/user.rules.20190208_093000
/etc/ufw/user6.rules.20190205_094713
/etc/ufw/user6.rules.20190208_093000
/etc/ufw/applications.d/cups
/etc/ufw/applications.d/samba
/lib/firmware/rtlwifi/rtl8188eufw.bin
/lib/firmware/rtlwifi/rtl8192cufw.bin
/lib/firmware/rtlwifi/rtl8192cufw_A.bin
/lib/firmware/rtlwifi/rtl8192cufw_B.bin
/lib/firmware/rtlwifi/rtl8192cufw_TMSC.bin
/lib/firmware/rtlwifi/rtl8723aufw_A.bin
/lib/firmware/rtlwifi/rtl8723aufw_B.bin
/lib/firmware/rtlwifi/rtl8723aufw_B_NoBT.bin
/usr/share/app-install/desktop/gufw:gufw.desktop
/usr/share/app-install/icons/gufw.svg
/usr/share/icons/Mint-X/apps/16/gufw.png
/usr/share/icons/Mint-X/apps/16/gufw_menu.png
/usr/share/icons/Mint-X/apps/16/ufw-frontends.png
/usr/share/icons/Mint-X/apps/22/gufw.png
/usr/share/icons/Mint-X/apps/22/gufw_menu.png
/usr/share/icons/Mint-X/apps/22/ufw-frontends.png
/usr/share/icons/Mint-X/apps/24/gufw.png
/usr/share/icons/Mint-X/apps/24/gufw_menu.png
/usr/share/icons/Mint-X/apps/24/ufw-frontends.png
/usr/share/icons/Mint-X/apps/32/gufw.png
/usr/share/icons/Mint-X/apps/32/gufw_menu.png
/usr/share/icons/Mint-X/apps/32/ufw-frontends.png
/usr/share/icons/Mint-X/apps/48/gufw.png
/usr/share/icons/Mint-X/apps/48/gufw_menu.png
/usr/share/icons/Mint-X/apps/48/ufw-frontends.png
/usr/share/icons/Mint-X/apps/96/gufw.svg
/usr/share/icons/Mint-X/apps/96/gufw_menu.svg
/usr/share/icons/Mint-X/apps/96/ufw-frontends.svg
/usr/share/icons/Mint-Y/apps/16/gufw.png
/usr/share/icons/Mint-Y/apps/16/gufw_menu.png
/usr/share/icons/Mint-Y/apps/16@2x/gufw.png
/usr/share/icons/Mint-Y/apps/16@2x/gufw_menu.png
/usr/share/icons/Mint-Y/apps/22/gufw.png
/usr/share/icons/Mint-Y/apps/22/gufw_menu.png
/usr/share/icons/Mint-Y/apps/22@2x/gufw.png
/usr/share/icons/Mint-Y/apps/22@2x/gufw_menu.png
/usr/share/icons/Mint-Y/apps/24/gufw.png
/usr/share/icons/Mint-Y/apps/24/gufw_menu.png
/usr/share/icons/Mint-Y/apps/24@2x/gufw.png
/usr/share/icons/Mint-Y/apps/24@2x/gufw_menu.png
/usr/share/icons/Mint-Y/apps/256/gufw.png
/usr/share/icons/Mint-Y/apps/256/gufw_menu.png
/usr/share/icons/Mint-Y/apps/256@2x/gufw.png
/usr/share/icons/Mint-Y/apps/256@2x/gufw_menu.png
/usr/share/icons/Mint-Y/apps/32/gufw.png
/usr/share/icons/Mint-Y/apps/32/gufw_menu.png
/usr/share/icons/Mint-Y/apps/32@2x/gufw.png
/usr/share/icons/Mint-Y/apps/32@2x/gufw_menu.png
/usr/share/icons/Mint-Y/apps/48/gufw.png
/usr/share/icons/Mint-Y/apps/48/gufw_menu.png
/usr/share/icons/Mint-Y/apps/48@2x/gufw.png
/usr/share/icons/Mint-Y/apps/48@2x/gufw_menu.png
/usr/share/icons/Mint-Y/apps/64/gufw.png
/usr/share/icons/Mint-Y/apps/64/gufw_menu.png
/usr/share/icons/Mint-Y/apps/64@2x/gufw.png
/usr/share/icons/Mint-Y/apps/64@2x/gufw_menu.png
/usr/share/icons/Mint-Y/apps/96/gufw.png
/usr/share/icons/Mint-Y/apps/96/gufw_menu.png
/usr/share/icons/Mint-Y/apps/96@2x/gufw.png
/usr/share/icons/Mint-Y/apps/96@2x/gufw_menu.png
/usr/share/icons/gnome-colors-common/16x16/apps/gufw_menu.png
/usr/share/icons/gnome-colors-common/22x22/apps/gufw_menu.png
/usr/share/icons/gnome-colors-common/24x24/apps/gufw_menu.png
/usr/share/icons/gnome-colors-common/32x32/apps/gufw_menu.png
/usr/share/icons/gnome-colors-common/scalable/apps/gufw_menu.svg
/usr/share/locale-langpack/en_AU/LC_MESSAGES/ufw.mo
/usr/share/locale-langpack/en_CA/LC_MESSAGES/ufw.mo
/usr/share/locale-langpack/en_GB/LC_MESSAGES/ufw.mo
/var/log/gufw.log
/var/log/ufw.log
/var/log/ufw.log.1
/var/log/ufw.log.2.gz
/var/log/ufw.log.3.gz
/var/log/ufw.log.4.gz
martin@radio:~$ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
martin@radio:/etc/ufw$ ls -l
total 60
-rw-r----- 1 root root  915 Feb  3 13:17 after6.rules.20190205_094713
-rw-r----- 1 root root  915 Feb  6 15:58 after6.rules.20190208_093000
-rw-r----- 1 root root 1004 Feb  3 13:17 after.rules.20190205_094713
-rw-r----- 1 root root 1004 Feb  6 15:58 after.rules.20190208_093000
drwxr-xr-x 2 root root 4096 Jan 24 15:34 applications.d
-rw-r----- 1 root root 6451 Aug 17  2017 before6.rules.20190205_094713
-rw-r----- 1 root root 6451 Feb  5 09:47 before6.rules.20190208_093000
-rw-r----- 1 root root 2667 Aug 17  2017 before.rules.20190205_094713
-rw-r----- 1 root root 2667 Feb  5 09:47 before.rules.20190208_093000
-rw-r----- 1 root root 2152 Feb  5 09:47 user6.rules.20190205_094713
-rw-r----- 1 root root 1826 Feb  8 09:29 user6.rules.20190208_093000
-rw-r----- 1 root root 3035 Feb  5 09:47 user.rules.20190205_094713
-rw-r----- 1 root root 2682 Feb  8 09:29 user.rules.20190208_093000
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
martin@radio:/lib$ cd ufw
bash: cd: ufw: No such file or directory
martin@radio:/lib$

Regards,
Marty

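Added example, not part of the original message or of any poster's code: a shell function that reads `iptables --list-rules` output on stdin and reports whether ufw chains remain and whether they still hold any rules, which is the comparison made by eye in the two listings above. The state names and the sample listings (shortened or constructed) are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: classify `iptables --list-rules` output read on stdin.
# The state names below are made up for this sketch.
audit_rules() {
    awk '
        $1 == "-P" { policy[$2] = $3 }
        $1 == "-N" && $2 ~ /^ufw-/ { chains++ }
        $1 == "-A" {
            rules++
            if ($2 ~ /^ufw-/) inside++          # rule stored inside a ufw chain
            for (i = 3; i < NF; i++)            # jump from any chain into a ufw chain
                if ($i == "-j" && $(i + 1) ~ /^ufw-/) jumps++
        }
        END {
            input = ("INPUT" in policy) ? policy["INPUT"] : "unknown"
            if (rules == 0)                         state = "no-rules"
            else if (rules == jumps && inside == 0) state = "empty-ufw-skeleton"
            else                                    state = "rules-present"
            printf "ufw_chains=%d ufw_jumps=%d ufw_rules=%d ", chains, jumps, inside
            printf "input_policy=%s state=%s\n", input, state
        }'
}

# Constructed sample: shortened form of the listing taken right after the purge.
sample_after_purge() {
    cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N ufw-before-input
-N ufw-after-input
-N ufw-reject-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-reject-input
EOF
}

# Sample: the three policy lines listed after the reboot.
sample_after_reboot() {
    printf '%s\n' '-P INPUT ACCEPT' '-P FORWARD ACCEPT' '-P OUTPUT ACCEPT'
}

# Constructed sample: a ruleset in which a ufw chain holds a Samba rule.
sample_enabled() {
    printf '%s\n' '-P INPUT DROP' '-N ufw-user-input' \
        '-A INPUT -j ufw-user-input' \
        '-A ufw-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT'
}

for s in sample_after_purge sample_after_reboot sample_enabled; do
    printf '%-20s ' "$s"
    "$s" | audit_rules
done
```

Both `empty-ufw-skeleton` and `no-rules` combined with `input_policy=ACCEPT` mean the packet filter is passing everything; on a live system feed the function with `sudo iptables --list-rules | audit_rules`.
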
On 11.02.19 at 17:35, Martin McGlensey via samba wrote:
> Louis,
>
> Followed your instructions so far. Take a look at the output of the
> various steps. I'm down to removing items from /etc/ufw. I'm not sure
> what I should delete. I know some of the files are backups generated
> after some rules were deleted. Please tell me what is safe to delete
> before I proceed further.
>
> martin@radio:~$ sudo apt-get remove --purge ufw gufw
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> The following packages were automatically installed and are no longer
> required:
> libqt5positioning5 libqt5qml5 libqt5quick5 libqt5sensors5

frankly why don't you throw away all that crap and start writing an "iptables.sh" which is even for a datacenter firewall doing NAT and firewalling in front of a /24 network no rocket science

also looking what rules are currently active is a no-brainer

[root@firewall:~]$ cat /usr/local/bin/firewall_status
#!/bin/bash

IPTABLES="/sbin/iptables"
DEFAULT_COLOR_START="\e[36m"
DEFAULT_COLOR_STOP="\e[0m"

function firewall_status
{
 # Output mode
 if [ "$1" != "short" ]; then
  VERBOSE="--verbose"
 fi
 # Iterate over all loaded tables in sorted order
 for table in `cat /proc/net/ip_tables_names | sort`
 do
  echo -e "${DEFAULT_COLOR_START}---------------------------------------------------------------------------------------${DEFAULT_COLOR_STOP}"
  echo -e "${DEFAULT_COLOR_START}`echo $table: | tr a-z A-Z`${DEFAULT_COLOR_STOP}"
  echo -e "${DEFAULT_COLOR_START}---------------------------------------------------------------------------------------${DEFAULT_COLOR_STOP}"
  $IPTABLES -t "$table" --list --numeric --line-numbers $VERBOSE
  echo ""
 done
}

# On a terminal, page the coloured output; otherwise strip the ANSI escapes
if [ -t 1 ];
then
 firewall_status "$1" | less -R
else
 firewall_status "$1" | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g"
fi

Hai,

Not everyone understands iptables that well, Reindl.

Ufw can be handy and it's usable, now gufw, that's the problem here.
Gufw added the profile and sadly I don't know anything about gufw,
except that it's a GUI on ufw.
I don't know the modifications Gufw made on ufw, except I noticed the profiles.

Now Martin, ok, great. You removed ufw and gufw.
The output looks good.
All tables are cleaned up.

Run: apt-get autoremove to remove leftover packages from the install.
If you plan to install gufw again, don't run the autoremove.

Ok, back up the leftovers in /etc and /etc/gufw (just rename the folders to .old)
Install ufw again.
ufw allow 22/tcp
ufw allow 139,445/tcp
ufw allow 137,138/udp (if you use network browsing, but not really needed.)
(add other ports if needed)

ufw --force enable

That's a minimal setting that must work.
I'm moving a bit ahead in time now.

While I totally agree with Reindl, I don't suggest moving to plain iptables.
If you switch now, drop iptables and start learning nftables,
but ufw can be handy, it's just what you need.

Nftables (as of Debian buster)
https://wiki.debian.org/nftables works the same for Mint.
https://wiki.nftables.org/wiki-nftables/index.php/Main_Page more general.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Reindl Harald via samba
> Sent: Monday, 11 February 2019 18:28
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba and ufw
>
> On 11.02.19 at 17:35, Martin McGlensey via samba wrote:
> > Louis,
> >
> > Followed your instructions so far. Take a look at the output of the
> > various steps. I'm down to removing items from /etc/ufw. I'm not sure
> > what I should delete. I know some of the files are backups generated
> > after some rules were deleted. Please tell me what is safe to delete
> > before I proceed further.
> >
> > martin@radio:~$ sudo apt-get remove --purge ufw gufw
> > Reading package lists... Done
> > Building dependency tree
> > Reading state information... Done
> > The following packages were automatically installed and are no longer
> > required:
> > libqt5positioning5 libqt5qml5 libqt5quick5 libqt5sensors5
>
> frankly why don't you throw away all that crap and start writing an
> "iptables.sh" which is even for a datacenter firewall doing NAT and
> firewalling in front of a /24 network no rocket science
>
> also looking what rules are currently active is a no-brainer
>
> [root@firewall:~]$ cat /usr/local/bin/firewall_status
> #!/bin/bash
>
> IPTABLES="/sbin/iptables"
> DEFAULT_COLOR_START="\e[36m"
> DEFAULT_COLOR_STOP="\e[0m"
>
> function firewall_status
> {
>  # Output mode
>  if [ "$1" != "short" ]; then
>   VERBOSE="--verbose"
>  fi
>  # Iterate over all loaded tables in sorted order
>  for table in `cat /proc/net/ip_tables_names | sort`
>  do
>   echo -e "${DEFAULT_COLOR_START}---------------------------------------------------------------------------------------${DEFAULT_COLOR_STOP}"
>   echo -e "${DEFAULT_COLOR_START}`echo $table: | tr a-z A-Z`${DEFAULT_COLOR_STOP}"
>   echo -e "${DEFAULT_COLOR_START}---------------------------------------------------------------------------------------${DEFAULT_COLOR_STOP}"
>   $IPTABLES -t "$table" --list --numeric --line-numbers $VERBOSE
>   echo ""
>  done
> }
>
> if [ -t 1 ];
> then
>  firewall_status "$1" | less -R
> else
>  firewall_status "$1" | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g"
> fi
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

On 12.02.19 at 09:02, L.P.H. van Belle via samba wrote:
> Not everyone understands iptables that well, Reindl

i switched 1 years ago to Linux and wrote my first "iptables.sh" on day one which got improved over the years, so it's not rocket science to learn

> Ufw can be handy and it's usable, now gufw, that's the problem here.
> Gufw added the profile and sadly I don't know anything about gufw,
> except that it's a GUI on ufw.
> I don't know the modifications Gufw made on ufw, except I noticed the profiles.

yeah, UFW as abstraction-layer to iptables and because abstraction is cool put another layer on top of that with a GUI until the result is "nobody understands his own setup at all" and it needs dozens of emails trying to fix something trivial as a packet filter

On 2/12/19 2:02 AM, L.P.H. van Belle via samba wrote:
> Hai,
>
> Not everyone understands iptables that well, Reindl.
>
> Ufw can be handy and it's usable, now gufw, that's the problem here.
> Gufw added the profile and sadly I don't know anything about gufw,
> except that it's a GUI on ufw.
> I don't know the modifications Gufw made on ufw, except I noticed the profiles.
>
> Now Martin, ok, great. You removed ufw and gufw.
> The output looks good.
> All tables are cleaned up.
>
> Run: apt-get autoremove to remove leftover packages from the install.
> If you plan to install gufw again, don't run the autoremove.
>
> Ok, back up the leftovers in /etc and /etc/gufw (just rename the folders to .old)
> Install ufw again.
> ufw allow 22/tcp
> ufw allow 139,445/tcp
> ufw allow 137,138/udp (if you use network browsing, but not really needed.)
> (add other ports if needed)
>
> ufw --force enable
>
> That's a minimal setting that must work.
> I'm moving a bit ahead in time now.
>
> While I totally agree with Reindl, I don't suggest moving to plain iptables.
> If you switch now, drop iptables and start learning nftables,
> but ufw can be handy, it's just what you need.
>
> Nftables (as of Debian buster)
> https://wiki.debian.org/nftables works the same for Mint.
> https://wiki.nftables.org/wiki-nftables/index.php/Main_Page more general.

...and while googling nftables, I discover this post about BPFilters implemented in the linux 4.18 kernel as eBPF:

https://cilium.io/blog/2018/04/17/why-is-the-kernel-community-replacing-iptables/

Looks like there will be another successor.

Louis is absolutely correct about users not wanting to manipulate iptables directly, and Tom Eastep has indicated that he doesn't intend to move his project to nftables. So, as a Shorewall user, I will be tied to iptables for the foreseeable future.

Dale