# Opinion: which firewall do you recommend?

## tiredoldcoder

Working on building a new firewall/gateway machine to place between the cable modem and my home network.  Which firewall do you use/recommend? 

Also does anyone have an opinion about using webmin to administer the firewall?

TOC

----------

## revertex

iptables has a lot of examples in these forums, shorewall is really easy to set up, and I hear about a shorewall webmin module.

Unless people who don't know Linux will admin your box, I advise you to stay away from webmin; it's just a mess.

cheers.

----------

## beandog

Webmin is nice, but it's a crutch. Someone recommended to me once to skip everything and just learn iptables instead -- it's what all the firewall programs configure anyway, so you're better off going straight to the source.

For a quick easy setup/install, this is what I recommend:

- Download this firewall and install it -- http://projectfiles.com/firewall/

Get the installer file. It's a console frontend that makes it easy to set up which ports to open, and routing too. After you install it and run it the first time, it will probably not start it, but it will have rc.firewall in /etc/rc.d/. Go there and start it (rc.firewall start), then save the iptables settings (/etc/init.d/iptables save), and you're done. If it's for your home network, be sure to enable IP forwarding as the iptables ebuild instructs. Good luck -- it's really not that hard, trust me. :)

----------

## zeek

*tiredoldcoder wrote:*

> Which firewall do you use/recommend?

We use/recommend Linux here, but your question implies that you don't realize that Linux 2.4+ comes with a built-in firewall called Netfilter. There aren't any other viable firewall options for Linux 2.4+.

IPTables is a userland program that controls Netfilter. This is a very raw, low-level interface to Netfilter.

Netfilter helper apps like Shorewall, firestarter, or webadmin use iptables behind the scenes, and their primary purpose is to shield you from the fugly iptables interface. These helper apps are highly recommended because they properly set up things that most home-grown iptables scripts do not. Examples would be proper handling of port 113, dealing with late DNS queries, blocking netbios, etc ...

http://www.netfilter.org/

----------

## drkstorm

For an easy-to-configure canned firewall script that uses iptables, I use gShield. It can be emerged or downloaded from http://muse.linuxmafia.org/gshield/. It works well and is easy to configure; it's also very robust and supports router, DMZ, and forwarding filters.

In my opinion, using straight-up iptables commands is a security risk unless you are an expert. I'm not; I don't have time.

----------

## tiredoldcoder

My current firewall/NAT/MASQ is a RH 6.2 using IPCHAINS ... is iptables worse?

Also, do I need to configure my kernel specially for iptables?

I am planning on using gs-sources for my kernel ... any comments?

v/r

TOC

----------

## madchaz

iptables is more powerful and stable than ipchains. It's the new standard from 2.4.

shorewall on a Gentoo box had good results for me when I was still on cable. I've also used the smoothwall distribution. I know some people here don't like it, but I found it's easy to use and pretty secure.

While learning iptables "would" be the most powerful solution, doing things by hand isn't always the best. If you want to use Gentoo, I'd recommend shorewall. The manual on their website is pretty straightforward and it's in portage.

----------

## stahlsau

Hi,

I'd recommend iptables, simply because it can do everything you want it to do.

If you don't understand all those configuration files of iptables, try out "ipkungfu". It's a package of scripts/configs (~30kb) for iptables that works out of the box and can (better: should) be modified very simply. I like it because you get a nice iptables configuration which works and only have to modify it to your needs; that's much simpler than writing your own firewall.

----------

## adaptr

*tiredoldcoder wrote:*

> Working on building a new firewall/gateway machine to place between the cable modem and my home network. Which firewall do you use/recommend?

I use ipcop, but smoothwall is good too.

Set up once, forget about it ;)

----------

## Anime_Fan

OpenBSD has PF...

It's quite nifty, but may be overkill for what your purposes seem to be.

----------

## kerframil

*Anime_Fan wrote:*

> OpenBSD has PF...

I'm going to have to second the vote of confidence there, much as I love Linux. PF is orders of magnitude greater, IMHO.

----------

## tiredoldcoder

Thanks to all! I used the install script from http://projectfiles.com/firewall/ and everything seems to be working well :D

Follow on questions:

1. I hear words like "crutch" and "mess" about webmin. I am using webmin so I don't have to leave my comfy chair and run downstairs/upstairs to admin a server/workstation (I have 3 Gentoo systems now, more to come). Not to mention, I don't have to memorize every Linux admin command syntax for admin chores I do once in a blue moon. That is the value of a GUI to me--to abstract the gory details for people whose vigor and brain cell count are in decline!

Having set my heels firmly, I'm not so naive as to believe ANY software is perfect. So, is there something about webmin I don't know? Webmin has a nice, friendly Linux Firewall interface. Why not use it?

2. Even though I have a rule to block TCP port 10000 (webmin), it still shows up (closed) when I run nmap against my external IP.  Should I be concerned?

3. Once I save the IPTABLES, do I need to run the rc.firewall script at bootup?

4. How does the firewall know when my DHCP lease expires and my external IP has changed?  Do the IPTABLES saved files get automatically updated?

v/r

TOC

----------

## kerframil

*tiredoldcoder wrote:*

> Webmin has a nice, friendly Linux Firewall interface. Why not use it?

The only thing that springs to mind is that it is basically one big Perl script running as root, i.e., there is no privilege separation. So any potential flaw or exploit could have greater ramifications than it really should have. One plus point is that on account of being written in Perl it should (in theory) be free of buffer overflow exploits.

*Quote:*

> Even though I have a rule to block TCP port 10000 (webmin), it still shows up (closed) when I run nmap against my external IP. Should I be concerned?

By "block", do you mean DROP or REJECT? In the latter case, a TCP packet with the SYN flag set (the connection attempt) would be greeted with one in response with the RST flag set (connection reset), thus alerting the would-be client that the port is providing a service. You should be concerned insofar as it makes it incredibly obvious that the host is a Unix-like system running webmin to anybody who scans the host ;)

I suggest you try and rectify the problem - or at least change the port number that webmin is using.
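An added example (not code from any poster in this thread) that writes out the port-10000 rules kerframil's DROP-versus-REJECT point calls for: the Internet-facing rule uses DROP so a probe gets no RST and nmap reports the port filtered rather than closed, and the LAN rule keys on the interface rather than the external address, so a DHCP lease change does not invalidate it. The interface names eth0/eth1 and the LAN range 192.168.1.0/24 are assumptions.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster or project.
# Builds the INPUT rules for webmin's TCP port 10000 so the DROP-vs-REJECT
# point is visible: DROP answers a SYN with silence, REJECT with an RST,
# and nmap reports "filtered" vs "closed" accordingly.
# Interface names and the LAN range are assumptions; adjust to your box.
WAN_IF="${WAN_IF:-eth0}"              # cable-modem side (assumed)
LAN_IF="${LAN_IF:-eth1}"              # home-network side (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # constructed sample LAN range
WEBMIN_PORT=10000

# Print the iptables commands, one per line, without running them.
webmin_rules() {
    # Internet side: DROP, not REJECT, so a scan sees no RST.
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -j DROP\n' \
        "$WAN_IF" "$WEBMIN_PORT"
    # LAN side: allow only the home network. Matching on the interface
    # instead of the external address means a new DHCP lease does not
    # require regenerating the saved rules.
    printf 'iptables -A INPUT -i %s -s %s -p tcp --dport %s -j ACCEPT\n' \
        "$LAN_IF" "$LAN_NET" "$WEBMIN_PORT"
}

# Number of emitted rules that would answer with an RST (expected: 0).
reject_rule_count() {
    webmin_rules | grep -c -- '-j REJECT' || true
}

# Apply only when asked explicitly; otherwise just show the rules.
if [ "${1:-}" = "--apply" ]; then
    webmin_rules | sh -e
    /etc/init.d/iptables save   # persist, as described earlier in the thread
else
    webmin_rules
fi
```

Run it without arguments to review the rules, then with --apply (as root) to load and save them.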

----------

## kerframil

*Quote:*

> I am planning on using gs-sources for my kernel ... any comments?

Personally, I wouldn't. Although the author of the patchset is very skilled, I would recommend against it simply on the basis that all of the gs-sources patchsets are built upon prepatch kernels. So, unless gs-sources provides you with something you simply must have then I would recommend sticking to vanilla-sources (that's 2.4.26 at present).

----------

## tom56

Most firewalls on Linux are just frontends to iptables. I used to use shorewall but now I use firestarter. They both work just as well, but I prefer firestarter as it has a purty GUI interface :)

----------

## Woody

You could also use one of the old floppy-based linux-router-project style distros. I use Coyote Linux on a P75 with 24 megs of RAM, and the only moving parts are a floppy (at boot only) and the PS fan. I currently have an uptime over 300 days.

----------

## meyerm

Hmm, all the "firewalls" mentioned here are just packet filters. Is there any open source application-level firewall available? Linux or BSD - doesn't matter. :)

BTW: I don't mean a layer-7-module for iptables. But a real firewall parsing the protocol and dropping dangerous packets.

----------

## n7down

If you have an old box sitting around I would suggest smoothwall which is a firewall/router.

www.smoothwall.org

----------

## GenKreton

smoothwall or shorewall for ease of use, BUT if you want the best there is and are willing to learn, go for iptables or pf (all previously suggested).

----------

## adaptr

*meyerm wrote:*

> Hmm, all mentioned "firewalls" here are just packet filters. Is there any open source application level firewall available? Linux or BSD - doesn't matter.

Iptables is a firewall - a packet filtering firewall ;)

*meyerm wrote:*

> BTW: I don't mean a layer-7-module for iptables. But a real firewall parsing the protocol and dropping dangerous packets.

There are several higher-level protocol modules for iptables.

www.netfilter.org for all the relevant details.

----------

## meyerm

*adaptr wrote:*

> Iptables is a firewall - a packet filtering firewall

Oooook. :) But it's only level5. Not level7.

*adaptr wrote:*

> There are several higher-level protocol modules for iptables.

Do you have an example? (I do believe you - just can't find anything useful!) Some time ago I found some module which was able to match specific data streams using regexps. That's almost good :)

There are two application areas:

First: understand the higher protocol and do something with it.

Second: just recognize the protocol and do something with it.

The second one would be what I need at the moment. I want to recognize if a connection is an FTP connection (no matter which ports are used) and then reduce the bandwidth for it. How can I do that? I played around with the module mentioned above and traffic shaper. But the latter is a real cruel piece of software... And since I know that commercial level7 firewalls can do that, I hoped there would be some open source alternative :). But if you have a) a very good howto or b) a "traffic shaping iptables module" I would be grateful if you posted it.

Uff, sorry for writing such long texts without any content ;)

----------

## NemoTheLobster

For an application layer firewall, check out Zorp:

http://www.balabit.com/products/zorp/

There's a GPL version available.  I just stumbled on that today.

----------

## meyerm

Cool - looks promising. :) My first read-through didn't show me if it is capable of shaping the traffic. It looks like on/off/redirect. But I will read further. Thank you!

----------

## adaptr

*meyerm wrote:*

> *adaptr wrote:* Iptables is a firewall - a packet filtering firewall
>
> Oooook. But it's only level5. Not level7.

I assume you mean layers.

*meyerm wrote:*

> *adaptr wrote:* There are several higher-level protocol modules for iptables.
>
> Do you have an example? (I do believe you - just can't find anything useful!) Some time ago I found some module which was able to match specific data streams using regexps. That's almost good

Iptables has an arbitrary string matching module - which can obviously inspect the complete packet, up to and including layer 7.

Do not, however, expect to run this at 100 Mbit on a Pentium-100...

*meyerm wrote:*

> I want to recognize if a connection is a FTP-connection (no matter of the ports used) and then reduce the bandwidth for this. How can I do that? I played around with the module mentioned above and traffic shaper. But the latter is a real cruel piece of software...

Yes, while at the same time very, very capable ;).

*meyerm wrote:*

> And since I know that commercial level7 firewalls can do that, I hoped there would be some open source alternative . But when you have a) a very good howto

I do, in fact: http://lartc.org/

*meyerm wrote:*

> or b) a "traffic shaping iptables module" I would be grateful if you post it.

Hmm dunno - maybe you should check out the BSD solution mentioned...

----------

## Riftwing

*tiredoldcoder wrote:*

> 1. I hear words like "crutch" and "mess" about webmin. I am using webmin, so I don't have to leave my comfy chair and run downstairs/upstairs to admin a server/workstation (I have 3 gentoo systems now, more to come).

You know, there is a little something called ssh.

----------

## GenKreton

*meyerm wrote:*

> or b) a "traffic shaping iptables module" I would be grateful if you post it.

Newer kernels have support for packet mangling if this is what you are referring to.

----------

## RageX

*Riftwing wrote:*

> *tiredoldcoder wrote:* 1. I hear words like "crutch" and "mess" about webmin. I am using webmin, so I don't have to leave my comfy chair and run downstairs/upstairs to admin a server/workstation (I have 3 gentoo systems now, more to come).
>
> You know, there is a little something called ssh.

I was thinking the same thing. I'd drop webmin and just use SSH. Much more secure, and there is a definite 'coolness factor' associated ;)

----------

