# Any good linux firewalls?

## gohylse

Are there any good linux firewalls that are relatively easy to configure and use?

What are the things that one must do to have a secure box?

Thanks.

----------

## hook

well, iptables are perfect, but a bitch to configure

any gui firewalls ...hmm, there's tons, and some are really simple to configure and use, but i don't use them ...sorry

----------

## Genone

An IMO good firewall GUI is fwbuilder, but it might be a bit too complicated and overpowered for your use.

----------

## Jimbow

I use rc.firewall from http://projectfiles.com/firewall/. It is easy to configure and use.

For security in general you may want to look at The Gentoo Linux Security Guide.

----------

## The Khan Artist

KMyFirewall

----------

## dev

Easiest GUI, imo, is FireStarter. Ebuild in portage also. firestarter.sf.net

----------

## palebear

shorewall, just configure the /etc/shorewall files after emerge

and issue a shorewall start and done

iptables-based, which is sweet, but you have to have a working knowledge of networking to configure it

----------

## Cheesefoam

I like Firestarter, though it seems to be a touch off kilter in its default wizard configuration, insofar as filtering out nonroutable IPs.  Correct me if I'm wrong, but I thought the only nonroutables were:

192.168.0.0/16

172.16.0.0/12

10.0.0.0/8

Correct?  Firestarter's default wizard config blocks huge swaths of IP space, 90% of which is routable.

However, I like Firestarter's ability to set up a basic firewall script that you can use as a baseline to learn from.  The firestarter program itself is a great firewall hit logger - I only wish it had support for the more advanced targets and options, such as MAC filtering and tarpit support.

----------

## fatcat.00

Actually, you are wrong AND right about that routable vs. non-routable space.  You are correct that 10/8, 172.16/12 and 192.168/16 are non-routable (on the internet) as defined in RFC 1918.

However, there are also vast quantities of networks that haven't been allocated by IANA.  These networks are in fact routable, it's just that no one has had them allocated.  It is common practice to blackhole these unallocated networks, as no one is supposed to be using them, and transit ASes won't route them anyway.

They *do* show up in half-open TCP SYN attacks where a reply isn't necessarily wanted, so it's best to just ignore any packet claiming to come from this address space.
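
The RFC 1918 ingress filter the two posts above are discussing, as an added example (not from the thread or from any of the firewall packages named in it): a POSIX shell classifier that tests whether a source address falls in one of the three private blocks, plus a function that emits the iptables rules a firewall script would use to drop such sources on the external interface. The interface name in `WAN_IF` is an assumption; the rules are printed, not applied.

```shell
#!/bin/sh
# Added example: RFC 1918 source-address check and the matching drop rules.
# WAN_IF is an assumed interface name; override it in the environment.
WAN_IF="${WAN_IF:-eth0}"

# The three private blocks from RFC 1918, as network/prefix
RFC1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NETWORK/PREFIX -> exit 0 if ADDR lies inside the block
in_cidr() {
    net=${2%/*}; plen=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# is_rfc1918 ADDR -> exit 0 if ADDR is in any RFC 1918 block
is_rfc1918() {
    for blk in $RFC1918; do
        in_cidr "$1" "$blk" && return 0
    done
    return 1
}

# ingress_rules -> print the iptables rules that drop packets arriving on the
# external interface with a private source address (they can only be spoofed
# or misrouted there, which is the SYN-flood point made above)
ingress_rules() {
    for blk in $RFC1918; do
        echo "iptables -A INPUT -i $WAN_IF -s $blk -j DROP"
    done
}

# Demonstration on constructed sample addresses: two private, two public
for ip in 192.168.1.20 172.31.255.254 172.32.0.1 8.8.8.8; do
    if is_rfc1918 "$ip"; then
        echo "$ip: RFC 1918, would be dropped on $WAN_IF"
    else
        echo "$ip: routable, not matched by this filter"
    fi
done
ingress_rules
```

Note that 172.32.0.1 is deliberately just outside 172.16.0.0/12, which is the boundary a /12 mask has to get right.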

----------

## Caffeine

Yeah, tarpit support would be great in firestarter. I guess it's possible to alter the generated rules to use ipt_tarpit. I haven't checked it out.

What would also be nice is an apache tarpit module which tar pits any request for:

/default.ida?

/scripts/..%252f../winnt/system32/cmd.exe

/msadc/..%255c

/d/winnt/system32/cmd.exe?

/c/winnt/system32/cmd.exe

/_mem_bin/..%255c

/_vti_bin

/MSADC/root.exe?/c+dir

----------

## hook

*The Khan Artist wrote:*

> KMyFirewall


i read a review on it yesterday, seems REALLY nice ...and i think it's (going to be) in kde-3.2 by default

----------

## beandog

*Jimbow wrote:*

> I use rc.firewall from http://projectfiles.com/firewall/. It is easy to configure and use.
> 
> For security in general you may want to look at The Gentoo Linux Security Guide.


I gotta throw my vote in for this one too.  I tried it after reading this post, and it's just plain awesome.

Comes with a text-based GUI installer script which is very handy.  What is even better is that on the installation page it even tells you which networking options to compile in the kernel, and where they're located!  I was able to turn off a bunch of stuff I didn't know I didn't need.

I'm impressed.

Edit: While I'm at it, here's some installation tips:

By default, /etc/rc.d doesn't exist so you'll have to do this:

```
mkdir /etc/rc.d
touch /etc/rc.d/rc.local
```

Then, install the script, and add these lines to /etc/conf.d/local.start:

```
if [ -x /etc/rc.d/rc.firewall ]; then
  /etc/rc.d/rc.firewall start
fi
```

and now it will start on boot.

----------

## To

If anyone has to use a firewall software I'd advise shorewall: easy to configure, well documented. Anyway, the best option is to dig and build something yourself; not easy, but once you finish it's great ;)

Tó

----------

## linux_weenie

I've recently installed a smoothwall 2.0 box and it was very easy to install and has a nice web interface. To is right, though: if you want a good firewall, build one yourself (but I'm not that paranoid, so smoothwall works nicely).

-Will
