While it does do its job in keeping out traffic, it is certainly not an easy task to configure it to allow remote traffic such as ssh (22), samba (137/udp, 138/udp, 139/tcp, 445/tcp), cups (631/tcp) and others.
Fortunately, the famed Slacker AlienBob has a firewall that works and isn't so difficult to configure. Actually, taking his script as a template it would be very easily puppified with a gtkdialog frontend.
For those interested, AlienBob actually has a web-based configuration tool, but it is mainly server oriented (and the current puppy firewall is too, I might add). Why are simple things that home users need (samba, cups, dlna) not in the basic configuration?
Here is the online tool <-- http://www.slackware.com/~alien/efg/
While it doesn't work OOTB on Puppy, you can easily adjust it.
I was considering writing a gtkdialog frontend for the original puppy script but that was going to be a nightmare! This new one will be simple. It could also be integrated with a revamped tray icon, that theoretically could support any linux. Of course anything to do with firewall/starting services must be run as root anyway.
Here is a snippet of what I have that does work allowing samba and cups access from my network:
Code:
# chatter from Windows systems. COMMENT THESE for samba remote access
#$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
#$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
# Dynamic Address
# If DHCP, the initial request is a broadcast. The response
# doesn't exactly match the outbound packet. This explicitly
# allows the DHCP ports to alleviate this problem.
# If you receive your dynamic address by a different means, you
# can probably comment this line.
$IPT -A udp_inbound -p UDP -s 0/0 --source-port 67 --destination-port 68 \
-j ACCEPT
# User specified allowed UDP protocol YOU CAN ADD UDP allowed access here
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 631 -j ACCEPT
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j ACCEPT
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j ACCEPT
# Not matched, so return for logging
$IPT -A udp_inbound -p UDP -j RETURN
# udp_outbound chain
#
# This chain is used with a private network to prevent forwarding for
# UDP requests on specific protocols. Applied to the FORWARD rule from
# the internal network. Ends with an ACCEPT
# No match, so ACCEPT
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT
# tcp_inbound chain
#
# This chain is used to allow inbound connections to the
# system/gateway. Use with care. It defaults to none.
# It's applied on INPUT from the external or Internet interface.
# sshd
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
# User specified allowed UDP protocol YOU CAN ADD TCP allowed access here (original UDP in this line is a typo I believe)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 631 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 139 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 445 -j ACCEPT
----
If you want to try AlienBob's with my mods (or your own) just run through the wizard on the website, then copy/paste the generated script to /etc/init.d/rc.firewall. Delete any old firewall script in /etc/rc.d and also delete the line to kick it off in /etc/rc.d/rc.local.
Then make /etc/init.d/rc.firewall executable and start it. It's a bit noisy on the console but the noise is useful.
Code:
chmod 755 /etc/init.d/rc.firewall
/etc/init.d/rc.firewall start # replace start with stop to stop it
If you want to test it from a remote computer get the nmap utility from PPM. It should be there.
Then just run it with the -sT -sU args on the 'server' IP.
For example, from my remote with IP address 192.168.1.8:
Code:
nmap -sT -sU 192.168.1.10
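The snippet above opens samba, cups and ssh with `-s 0/0`, i.e. to any source address the rule chain sees. For a home box the safer form of the same mods limits those ACCEPT rules to the LAN subnet. The script below is an added example, not AlienBob's generated script or the poster's modifications: it emits the same service rules restricted to an assumed `LAN_NET` (192.168.1.0/24 here, adjust to your network), and includes a small check that counts how many ACCEPT rules in a rule listing are still open to 0/0. With `IPT` left at its default of `echo iptables` it only prints the rules; set `IPT=iptables` and run it as root to actually apply them.

```shell
#!/bin/sh
# Added example (not the page's own script): LAN-restricted allow rules for the
# home services discussed in the post, plus a check for world-open ACCEPT rules.
# LAN_NET is an assumed value; change it to match your own network.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
# Dry run by default: prints the iptables commands instead of running them.
IPT="${IPT:-echo iptables}"

# lan_allow CHAIN PROTO PORT
# Emit one ACCEPT rule for a service port, limited to the LAN source range
# (same chain names as the generated script: tcp_inbound / udp_inbound).
lan_allow() {
    $IPT -A "$1" -p "$2" -s "$LAN_NET" --destination-port "$3" -j ACCEPT
}

# home_services
# The same services the post opens (ssh, cups, samba), one rule per port,
# but only reachable from LAN_NET rather than from 0/0.
home_services() {
    lan_allow tcp_inbound TCP 22     # sshd
    lan_allow tcp_inbound TCP 631    # cups (IPP)
    lan_allow udp_inbound UDP 631    # cups printer browsing
    lan_allow udp_inbound UDP 137    # samba name service
    lan_allow udp_inbound UDP 138    # samba datagram service
    lan_allow tcp_inbound TCP 139    # samba session service
    lan_allow tcp_inbound TCP 445    # samba over TCP
}

# count_open_to_world
# Reads a rule listing on stdin and prints how many ACCEPT rules use -s 0/0,
# i.e. are open to any source address. Useful as a quick audit of a pasted
# rc.firewall before starting it.
count_open_to_world() {
    grep -c -- '-s 0/0 .*-j ACCEPT' || true
}

# Stand-alone use: print the LAN-only rule set, then report how many of those
# rules are world-open (expected to be none).
home_services
home_services | count_open_to_world
```

If you ssh in from outside your LAN, keep the port 22 rule wider than `LAN_NET`; the samba and cups ports are the ones that should never need to be reachable from the Internet.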