# Firewall GUI setup

## dgrant

What's the best way to set up a simple firewall, using a GUI?  (Alternatively, if you think there is a CLI based firewall setup method that is far better than a GUI and easy to use, feel free to suggest that).  And what kind of backend is best to use?  I assume iptables...

----------

## slartibartfasz

shorewall, fwbuilder, kmyfirewall - there are a lot of them - for an overview browse through net-firewall in your portage tree...

----------

## Brown Eyed Boy

Hi.  To be honest, I've tried GUI firewall builders and I find that a well laid out and properly commented shell script is much more logical and easy to follow.  Somehow, I seem to lose track of where I am in a GUI and there seems to be a reliance on the GUI doing things for you, which is generally a bad idea because it encourages you to write rules with less consideration than you might give if you were writing them by hand.  Just my tuppence worth.

~Brown Eyed Boy

----------

## dgrant

shorewall, which slartibartfasz suggested, is actually just a conf file setup with no GUI, is it not?  I think I used shorewall a long time ago in Mandrake.  It seemed pretty good but I remember having a problem with it blocking SMB packets and after discussion with the author, even he couldn't figure out what was wrong.

What about guarddog vs. kmyfirewall?

----------

## slartibartfasz

*dgrant wrote:*

> shorewall, which slartibartfasz suggested, is actually just a conf file setup with no GUI, is it not?

yes u asked for it, and a lot of people are fond of it...

*Quote:*

> Alternatively, if you think there is a CLI based firewall...

i personally have a similar attitude toward this as Brown Eyed Boy - for most issues the following will be enough for desktop boxes...

```
iptables -P INPUT DROP # drop all incoming by default (-P takes the target directly, no -j)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # allow replies to everything initiated by localhost
```

simple and straightforward - the more complicated u make it, the more likely u will make errors. and a badly configured firewall can be worse than none at all...

----------

## dgrant

Thanks,

and what do I add to allow incoming TCP packets on port 80 (web) and incoming TCP packets on port 22 (SSH)?  One line for each I assume.  I also need SMB which is a pain, but I can probably find the ports required...I think it is UDP and TCP on 137-139.

Is that really all that is needed?  2 lines minimum, plus more lines for servers and games and such?

----------

## slartibartfasz

well - yes - u can make it a lot more complicated of course, but the fastest and easiest method is: deny everything, punch holes where u need them...there are some problems though with certain clients that switch a lot, but for most problems googling for <progname> && iptables should provide a solution...

in general to allow incoming connections:

```
iptables -A INPUT -s <source-ip> -p <tcp|udp> --dport <protocol port number: 22 for ssh> -j ACCEPT
```

i'm sure u can find a quickstart guide on the net somewhere - it is not as complicated as it seems - however u should have an idea about what u are doing - reading at least once through man iptables wont hurt...
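The "deny everything, punch holes where you need them" approach above, applied to dgrant's list (SSH 22, web 80, SMB on UDP/TCP 137-139), as an added example that is not from the thread. It assumes a LAN of 192.168.1.0/24 (placeholder) and only prints the iptables commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not posted in the thread. Default-deny INPUT with stateful
# return traffic, then one explicit hole per service. Rules are printed, not
# executed; apply with `fw_rules | sh` as root once they look right.

LAN=192.168.1.0/24   # assumed placeholder for the local subnet

fw_rules() {
    # Flush INPUT first so re-running the script does not stack duplicate rules.
    echo "iptables -F INPUT"
    # Default policy: anything not accepted by a rule below is dropped.
    echo "iptables -P INPUT DROP"
    # Loopback must stay open or many local services (X, CUPS, DNS cache) break.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections this host initiated.
    echo "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # Holes for servers: only new TCP connections, from anywhere.
    echo "iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT"
    # SMB/NetBIOS: UDP and TCP 137-139, restricted to the LAN with -s.
    echo "iptables -A INPUT -s $LAN -p udp --dport 137:139 -j ACCEPT"
    echo "iptables -A INPUT -s $LAN -p tcp --dport 137:139 -m state --state NEW -j ACCEPT"
}

# Sanity check before applying: every SMB rule must carry a -s restriction,
# so file sharing is never exposed beyond the LAN. Returns 1 if one is missing.
fw_check() {
    fw_rules | grep -- '--dport 137:139' | grep -qv -- '-s ' && return 1
    return 0
}

fw_check && fw_rules
```

Rule order matters: iptables evaluates INPUT top to bottom, so the state rule and the holes are appended after the DROP policy is set and everything else falls through to DROP.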

----------

## KiTaSuMbA

Most GUI firewall builders are more fuss than help. Fwbuilder is a different beast, as it allows you to make a lot more than a firewall for the current box but still is no less complex than other solutions.

If you need a GUI "manager" for your firewall I suggest firestarter. The setup wizard is reasonably secure and quite detailed although pretty much self-explanatory, plus you have the advantage of adding/removing/modifying rules on-the-fly and watching real-time hits. It also cooperates fine with the kde systray in case you don't use gnome.

----------

