
Using ipkungfu as a PC Firewall


2020-10-29 Update

ipkungfu has not had a Debian package maintainer for over 2000 days (source) and appears to be dead. I have used several iptables 'clients' which have since become unmaintained, and I now simply recommend using iptables directly.

Background

I have written previous articles on using Guarddog as a PC firewall, and it is a great intermediate-level firewall; however, it's a bit outdated and I've been looking for a solid replacement for years. I have tried most of the alternatives and found all but iptables inadequate at some level or another.

ipkungfu seems to be different for several reasons:

  • it just works - not a lot of config or setup to get it working
  • it is lightweight - I don’t need or want a service running or an overly complicated UI to learn
  • it is portable - within minutes I can have the same setup running on several machines

iptables is probably a better fit for me as it's even lighter (ipkungfu simply writes your iptables rules for you); however, I do not do enough iptables work to fully learn all of the syntax, so I'm often left digging around trying to find the right syntax for what I need.

Details

Installation of ipkungfu is easy as it's in most repositories: $ apt-get install ipkungfu

Configuration of ipkungfu is not much more difficult; however, it varies depending on your needs. The following sections present my basic setup.

Configure

  • Base application configuration
    ** Open the /etc/ipkungfu/ipkungfu.conf file in a text editor and make the following changes:
    ...
    IPKUNGFU_LOG=/var/log/ipkungfu.log
    ...
    INT_NET="eth0 wlan0"
    #for virtualbox
    #INT_NET="eth0 wlan0 virbr0 vboxnet1"
    ...
    LOCAL_NET="192.168.1.0/255.255.255.0"
    ...
    FORBIDDEN_PORTS="135 137 139"
    ...
    SUSPECT="DROP"
    ...
    KNOWN_BAD="DROP"
    ...
    PORT_SCAN="DROP"
    ...
    GET_IP="AUTO"
    ...
    #DISALLOW_PRIVATE=0   #See logging note
    ...
  • Configure Services (application and ports)
    ** Open the /etc/ipkungfu/services.conf file in a text editor and adjust as needed. This is where you open up ports; each line is service:port:protocol:policy. For instance, to allow SSH in on port 22 I would have the following line: ssh:22:tcp:ACCEPT
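Since the 2020 update above recommends using iptables directly, the following added example (not from the original post or the ipkungfu project) renders the settings shown in the two configuration steps as a plain iptables-restore ruleset. The policy it encodes is an assumption of the example: loopback and established/related traffic accepted, the FORBIDDEN_PORTS dropped on tcp and udp, services.conf lines applied to new inbound connections on each INT_NET interface (ACCEPT lines are additionally limited to LOCAL_NET sources, a least-privilege choice not implied by ipkungfu), everything else logged with a rate limit and dropped by the chain policy. The services list is constructed inline in the same format as /etc/ipkungfu/services.conf.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset from ipkungfu-style settings.
# Nothing here is applied to the kernel; the output is printed for review.

# Values taken from the post's ipkungfu.conf fragment (netmask written as a prefix).
INT_NET="eth0 wlan0"
LOCAL_NET="192.168.1.0/24"
FORBIDDEN_PORTS="135 137 139"

# Constructed stand-in for /etc/ipkungfu/services.conf: name:port:proto:policy
SERVICES="# constructed sample services.conf
ssh:22:tcp:ACCEPT
http:80:tcp:DROP"

# gen_rules prints a complete *filter table for IPv4 iptables-restore.
gen_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'      # default deny inbound (assumption of this example)
    echo ':FORWARD DROP [0:0]'    # a PC firewall does not route
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'

    # FORBIDDEN_PORTS: drop on both transports, before any service rule.
    for p in $FORBIDDEN_PORTS; do
        echo "-A INPUT -p tcp --dport $p -j DROP"
        echo "-A INPUT -p udp --dport $p -j DROP"
    done

    # services.conf lines: one rule per interface; ACCEPT is limited to LOCAL_NET.
    echo "$SERVICES" | while IFS=: read -r name port proto policy; do
        [ -z "$name" ] && continue
        case "$name" in "#"*) continue ;; esac
        src=""
        [ "$policy" = "ACCEPT" ] && src="-s $LOCAL_NET "
        for ifc in $INT_NET; do
            echo "-A INPUT -i $ifc ${src}-p $proto --dport $port -m conntrack --ctstate NEW -m comment --comment \"$name\" -j $policy"
        done
    done

    # Log (rate limited) whatever reaches the end; the INPUT policy then drops it.
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "pcfw-drop: "'
    echo 'COMMIT'
}

# Preview the ruleset. To apply it: gen_rules | sudo iptables-restore
gen_rules
```

This covers IPv4 only; if IPv6 is enabled on the host, an equivalent ruleset must be loaded with ip6tables-restore or the host is unfiltered on v6. Review the printed rules before applying them, and apply from a console rather than over SSH the first time in case the ACCEPT line for your session is wrong.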

Usage

  • Start ipkungfu: $ ipkungfu
    • to enable starting on boot, edit the /etc/default/ipkungfu file and change IPKFSTART=0 to IPKFSTART=1
  • Stop ipkungfu: $ ipkungfu -d && ipkungfu -f
    • you can verify that the iptables rules have been flushed with: $ iptables -L -n
  • Check the ipkungfu rules: $ ipkungfu -c
  • List rules: $ ipkungfu -l
  • Test rules: $ ipkungfu -t
    • if you have a public-facing PC, you can also test it from the outside with ShieldsUp!, which is a good firewall/security assessment tool.

Logging

I have found several circumstances where I needed to modify the default logging (to ignore certain log messages). In my case, this was due to being on a corporate LAN, which caused extraneous log messages. To address the issue, I set DISALLOW_PRIVATE=0 in the ipkungfu.conf file and lowered the default log levels in /etc/ipkungfu/log.conf (setting the items not needed to '0').

Notes

  • You can truncate your messages log (as root) with: $ > /var/log/messages
WRITTEN BY
drad
Sr. Consultant