# Some inputs on firewalls.

## colyte

I've been looking at pcxfirewall, gshield, etc., but I can't seem to find a comprehensive and configurable firewall package based on iptables, and was hoping for some input on that subject.

Preferably I want a good package and to continue working on that one. Both packages mentioned before require total rewrites, to my understanding at least.

Regards,

colyte.

----------

## klieber

 *colyte wrote:*   

> I've been looking at pcxfirewall, gshield, etc., but I can't seem to find a comprehensive and configurable firewall package based on iptables, and was hoping for some input on that subject.

 

Well, the most comprehensive and configurable firewall package is going to be the one that you write on your own.  IPTables syntax really isn't that hard to understand if you have a decent understanding of TCP/IP and firewalls in general.  Just write your own script and set it to run at boot time.

However, here are a couple of other suggestions:

IPCop -- all the benefits of smoothwall, without any of the political B.S.  Stable, easy-to-use (or so I've heard)

FWBuilder -- this has consistently been one of the most active projects at Sourceforge.  Again, never used it myself, but it has a strong, active developer and user community.

Side note: though Gentoo rocks, if you're building a dedicated firewall device, I'd recommend looking at a stripped-down distro like Devil-Linux.  It is purpose-built to be a firewall and runs on a CD/floppy, meaning you don't have to have an HD and can use an older, slower box (like a 486).

hth

--kurt
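Expanding on the "write your own script and run it at boot" advice in the post above: a minimal host-only iptables script, added here as an illustration and not code from any poster or from the packages named in this thread. The `IPT` and `SSH_PORT` knobs and the print/apply mode switch are this example's own choices; it assumes an iptables build with the `conntrack` and `limit` matches.

```shell
#!/bin/sh
# Host firewall for a box that is not a router: default-deny inbound,
# allow loopback, allow return traffic for connections we started, and
# open one service (SSH). Added example; assumes iptables with the
# conntrack and limit matches. $IPT and $SSH_PORT are hypothetical knobs.
#
#   sh firewall.sh             dry run: print every iptables command
#   sudo sh firewall.sh apply  load the ruleset into the kernel

IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"
MODE="${1:-print}"

# One rule: either run iptables or print the command, depending on MODE.
rule() {
    if [ "$MODE" = apply ]; then
        "$IPT" "$@"
    else
        echo "$IPT $*"
    fi
}

# The whole ruleset, in the order it must be loaded.
build_rules() {
    # Clean slate: flush rules, delete user chains, zero counters.
    rule -F
    rule -X
    rule -Z

    # Loopback is trusted.
    rule -A INPUT -i lo -j ACCEPT

    # Drop packets conntrack cannot classify (bad flag combinations, stray ACKs).
    rule -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Return traffic for connections this host initiated.
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Intentionally exposed services: one line each.
    rule -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT

    # Answer pings; other ICMP still falls through to the policy.
    rule -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # Log what is about to be dropped, rate-limited so a port scan
    # cannot fill the log.
    rule -A INPUT -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "iptables-drop: " --log-level 4

    # Policies last, so the accept rules are in place before the door
    # closes: everything not matched above is dropped, nothing is forwarded.
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT ACCEPT
}

# Dry-run helpers for a sanity check before applying.
dump_rules() {
    ( MODE=print; build_rules )
}

count_rules() {
    dump_rules | wc -l | tr -d ' '
}

build_rules
```

Run it without arguments first and read the printed commands; only then apply. When reloading over SSH there is a short window between the flush and the ESTABLISHED,RELATED rule in which packets are dropped if a previous run left the INPUT policy at DROP; TCP retransmission normally covers it, but keep a second session open the first time. To make it survive a reboot, either run the script from your init system or load it once and persist the result with `iptables-save` / `iptables-restore` (on Gentoo the `iptables` init script can save and restore the ruleset for you).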

----------

## rizzo

I agree that iptables is the best way to go.  There are a decent handful of websites that are basically places where people post their iptables scripts, ranging from fairly loose to very strict, so you can copy and paste from them to customize your own.

----------

## colyte

Thanks for the recommendations, Klieber, but I was looking for a skeleton to build on, actually. Building my own firewall from the ground up will be a far too time-consuming process.

No, the firewall is not to be used as a dedicated firewall, leaving Devil-Linux, Coyote and the like out of the target range.

Thanks anyway.

----------

## klieber

 *colyte wrote:*   

> Thanks anyway.

 

OK, then IPCop and FWBuilder are worth looking at.  Both let you get out of the box quickly.

--kurt

----------

## ChrisD

I'm using Shoreline Firewall (www.shorewall.net). It's based on iptables and it's excellent. It uses a logical policy/rules method for calculating what should and should not be allowed.

Highly recommended.

Chris

----------

## sidesh0w

I use NARC (http://www.knowplace.org/netfilter/narc.html) and it works fine for me.  It's really easy to configure and the documentation is great.

----------

## FINITE

What other packages did you install along with shoreline? I checked out the site and it says that you need iproute and of course iptables. I checked the packages list for gentoo and shoreline isn't listed so I assume you cannot use emerge to install it. If you can use emerge then how would this be done? Thanks.

----------

## drdebian

 *FINITE wrote:*   

> What other packages did you install along with shoreline? I checked out the site and it says that you need iproute and of course iptables. I checked the packages list for gentoo and shoreline isn't listed so I assume you cannot use emerge to install it. If you can use emerge then how would this be done? Thanks.

 

All I had to do was "emerge shorewall".

----------

## Pyrran

Yup, I can recommend Shorewall, "IP Tables Made Easy".  I've been using it for over a year now without any major problems, just the occasional rules tweak and refresh to poke holes that I needed from time to time, to pass traffic to various machines.

There's also a Webmin module for it, if you prefer to manage things that way rather than editing the configs manually. Note though that Shorewall appears to have undergone a config "enhancement" recently to allow multiple custom actions to be defined per firewall rule; the Webmin module AFAIK hasn't been updated as yet to support these additions, so it will only offer "normal" functionality (which TBH should be enough anyway).

I do have a Samba/Shorewall-related problem ATM though since the update, but I'll start another thread about that as I'm not sure if it's a firewall or a Samba problem. I'm going to do a little more searching first though.  //Edit: No need, solved it; it was a Samba problem with Samba 3.0.7 (thread here).

I realise this thread was started some time ago now; out of curiosity, which one did you end up choosing in the end?

Last edited by Pyrran on Mon Sep 27, 2004 3:10 pm; edited 1 time in total

----------

## nephros

The coolest thing about a floppy-based firewall running on a dedicated machine?

You can actually HALT (not poweroff) the system and the firewall will keep working!

It is pretty secure, works reliably and impresses the girls.

----------

