
How do I set up a separate Linux firewall/gateway box to isolate now-chatty-with-Microsoft Windows machines from the internet, permitting only approved user-initiated connections from the Windows boxes? This is given that Windows 10 et al. don't obey most same-machine approaches when phoning home. I'd like an interactive setup to allow or deny connections from the other machines as they occur.

I'm only concerned with outgoing TCP/IP connections and UDP, since the router firewall blocks incoming traffic well enough.


I conjecture I could fudge something half-baked with log tails and iptables, but that won't give me a simple user experience, and it would be after the fact (so I could watch the deny logs, then go back in and alter the rules case by case). I'd like the connection to hang (timeout notwithstanding) until I allow/deny it.

Is what I'm looking for even possible without hacking something like iptables itself? What are the pitfalls I should look out for?

As a corollary, is it effective and possible to set up these boxes as gateway and DHCP servers for the Windows boxes? It seems like I should be blocking the Windows boxes themselves from talking to the router and hence forcing them to go through the gateway/firewall box.

(Edit: rephrased.)
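The "hang until I allow/deny" behaviour is possible on Linux without patching iptables: the NFQUEUE target hands a packet to a userspace program, and the kernel holds that packet until the program issues a verdict. The following is an added example (not code from the question, the answer, or any product named on this page) of the userspace side. It assumes hypothetical iptables rules on the gateway (quoted in the docstring, with `lan0` as the LAN-facing interface), the third-party `netfilterqueue` Python package for the live path, and it parses raw IPv4 packets itself so the decision logic can be exercised offline against constructed sample packets.

```python
"""
Hold-until-decided outbound gate for a Linux gateway (added example).

Assumed kernel-side plumbing (hypothetical rules, not from the original post):
    iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i lan0 -m conntrack --ctstate NEW -j NFQUEUE --queue-num 1
    iptables -P FORWARD DROP
Only the first packet of each new flow reaches this program; once it is
accepted, conntrack passes the rest of that flow without asking again.
"""
import select
import struct
import sys

PROTO_TCP = 6
PROTO_UDP = 17


def parse_flow(raw):
    """Return (src, dst, proto, dport) from a raw IPv4 packet, or None if it is not TCP/UDP."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4                      # header length in bytes
    proto = raw[9]
    if proto not in (PROTO_TCP, PROTO_UDP) or len(raw) < ihl + 4:
        return None
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    dport = struct.unpack("!H", raw[ihl + 2:ihl + 4])[0]   # same offset for TCP and UDP
    return (src, dst, proto, dport)


def build_ipv4(src, dst, proto, sport, dport):
    """Construct a minimal IPv4 packet with a TCP/UDP-shaped header (constructed test input, checksums zero)."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr + l4


def ask_terminal(flow, timeout=30):
    """Prompt on the gateway console; no answer within `timeout` seconds yields None."""
    src, dst, proto, dport = flow
    name = "tcp" if proto == PROTO_TCP else "udp"
    print(f"{src} -> {dst} {name}/{dport}  allow? [y/N] ", end="", flush=True)
    ready, _, _ = select.select([sys.stdin], [], [], timeout)
    if not ready:
        print()
        return None
    return "accept" if sys.stdin.readline().strip().lower().startswith("y") else "drop"


class Gate:
    """Decides each new flow once, remembers the answer, and fails closed on anything unclear."""

    def __init__(self, ask, default="drop"):
        self.ask = ask            # callable(flow) -> "accept" | "drop" | None (no answer)
        self.default = default    # verdict when the operator does not answer in time
        self.rules = {}           # flow tuple -> remembered verdict

    def verdict(self, raw):
        flow = parse_flow(raw)
        if flow is None:
            return "drop"                      # not TCP/UDP: nothing the user asked to allow
        if flow in self.rules:
            return self.rules[flow]
        answer = self.ask(flow)                # blocks here; the packet waits in the kernel queue
        if answer is None:
            return self.default                # timed out: fail closed, but do not remember
        self.rules[flow] = answer
        return answer


def main():
    # Live path: requires root and the netfilterqueue package (assumed installed).
    from netfilterqueue import NetfilterQueue
    gate = Gate(ask_terminal)

    def on_packet(pkt):
        if gate.verdict(pkt.get_payload()) == "accept":
            pkt.accept()
        else:
            pkt.drop()

    nfq = NetfilterQueue()
    nfq.bind(1, on_packet)
    try:
        nfq.run()
    finally:
        nfq.unbind()


if __name__ == "__main__":
    main()
```

Two caveats a practitioner will hit. First, the callback blocks while the prompt is open, so every other new flow waits behind it in the kernel queue; the queue has a fixed length (1024 by default in this library's `bind`) and the client's own SYN retransmit timer bounds how long a held packet is still useful, which is why an unanswered prompt drops and forgets rather than allowing. Second, the FORWARD chain only sees traffic that is routed through this box, which is the corollary in the question: the Windows machines must get the gateway box (not the router) as their default gateway, e.g. from a DHCP server running on it, and the router should not accept traffic from them directly. The remembered key here is (src, dst, proto, dport); whether to widen it (per destination) or narrow it is a policy choice the example leaves to the operator.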



1 Answer


Over the past months I've developed a "deny by default" firewall strategy based on the Sphinx Software "Windows 10 Firewall Control" product. I have the high-end "Network/Cloud" edition.

This product leverages the built-in Windows Filtering Platform (WFP), but does not overlap the control exerted by the standard Windows Advanced Firewall configuration processes. That's a bit strange until you fully grok how it all fits together. I ended up deconfiguring the standard firewall entirely so everything is controlled through the Sphinx user interface.

It's effective - I stop virtually all chattiness online from my Win 7, Win 8.1, and Win 10 systems, which CANNOT be stopped fully through configuration - yet I can still complete Windows Update operations.

However, in the interest of full disclosure, my solution with the above-named product may not meet all your needs, for several reasons:

  1. It uses the Windows software to do the filtering. So far I haven't found any evidence that Microsoft (or anyone else) is building a detour around it, but of course past performance is no guarantee of future results. I think it would be SUPREMELY embarrassing for Microsoft if they did work around their own firewall, so I'm guessing they won't do that any time soon.

  2. It does not give an option to allow or deny, but always fails the first attempt, THEN pops up a dialog asking what you want to do for the same application in the future. This sounds minor, but it really doesn't give the level of control you're looking for, and it CAN cause problems (e.g., if the software doesn't retry the operation). This one issue really does make it more complex to use this approach, and like you I'd rather it had the feature you describe.

  3. Sphinx's newest releases are pretty new indeed, apparently corresponding in time to the release of Windows 10, and as such they're still apparently working out some bugs (their tech support IS very responsive, however). Unfortunately, with a complex process such as firewall setup management, any little glitch (such as a failure to actually update the firewall configuration per what you've just changed without an error message) can leave you really scratching your head and waste time.

I'm here to tell you, after having worked with and refined this setup for several months now, that what you want IS possible, and IS reasonable. What's scary is becoming aware of how much communication really does take place (or try to). Having control over what your computer does online is reasonable - though be aware that it WILL cost you extra effort in an ongoing fashion. It is most certainly NOT a "set it and forget it" process.

Anecdotally, with all the attention Windows 10 "privacy intrusion" has gotten lately, because of the specialized tools that have been developed I've found it's actually somewhat more effective to reconfigure Windows 10 to quiet it down than Windows 8.1. And not to be left out, Windows 7 is trying to get incrementally MORE chatty because of certain recent Windows Updates as well. It is an interesting time, and you're quite right to be concerned about what's being sent where.

-Noel
