# Setting up a firewall

## firsttry

I'm trying to set up a firewall for my laptop - is there any way to do so without reading pages and pages about iptables? As I'm running KDE I tried installing Guarddog and just clicking apply, hoping there would be a default or 'learning' (as some Windows software calls it) mode - this gave me a bunch of errors - realised I had to include certain options in the kernel, which I did following this HOWTO, but I really didn't want to read the WHOLE document... Anyway, Guarddog worked though it prints out about 15 

```
iptables: No chain/target/match by that name
```

 but after that even Firefox wouldn't access the net!

Seriously - is there no simple out-of-the-box firewall setup? I hate to say this but firewalls are SO easy to set up in Windows... never had to bother with them really...!

----------

## ketjap

It depends on what you want. There are a lot of scripts/apps that claim to be easy, though I don't know any by name. But first, you need to build the proper kernel modules etc.

But if you want to know what your firewall is really doing, I recommend you read some stuff about it. I can recommend you this howto from Linux From Scratch. It isn't a lot of text, but it is worth it.

Good luck.

----------

## Hu

I do not mean to sound rude, but is it really that much trouble to read the documentation for the program you are trying to use?  You are welcome to come back and post questions about things which do not make sense, but please at least read what was written first.

----------

## firsttry

You're not being rude at all...

In fact I hope I wasn't being so referring to Windows...

All I meant was: is there any way of setting up a firewall without reading loads of docs? I guess I should do, but seeing as networking is not really my field of interest and I'm spending loads of time doing other things on Linux, I was wondering if there was a 'shortcut' to having a standard way of having a relatively safe configuration...

I really like gentoo but for some things (and this IS the first one) I wouldn't mind out-of-the-box...

----------

## GNUtoo

Maybe try another firewall (look in net-firewall: http://packages.gentoo.org/packages/?category=net-firewall).

I've not tried them all but I've tried fireflier... not very pretty but effective.

You also have the option of using iptables in order to block or allow programs to access the web:

```
owner

    This module attempts to match various characteristics of the packet
    creator, for locally-generated packets.  It is only valid in the
    OUTPUT chain, and even this some packets (such as ICMP ping
    responses) may have no owner, and hence never match.

    --uid-owner userid
        Matches if the packet was created by a process with the given
        effective user id.

    --gid-owner groupid
        Matches if the packet was created by a process with the given
        effective group id.

    --pid-owner processid
        Matches if the packet was created by a process with the given
        process id.

    --sid-owner sessionid
        Matches if the packet was created by a process in the given
        session group.

    --cmd-owner name
        Matches if the packet was created by a process with the given
        command name.  (this option is present only if iptables was
        compiled under a kernel supporting this feature)

    NOTE: pid, sid and command matching are broken on SMP
```

----------

## magowiz

You should try kmyfirewall

----------

## Hu

*firsttry wrote:*

> All I meant was: is there any way of setting up a firewall without reading loads of docs? I guess I should do, but seeing as networking is not really my field of interest and I'm spending loads of time doing other things on Linux, I was wondering if there was a 'shortcut' to having a standard way of having a relatively safe configuration...
>
> I really like gentoo but for some things (and this IS the first one) I wouldn't mind out-of-the-box...

If you cannot find a front-end that suits your needs (and other posters are already recommending them, such as net-firewall/fireflier and net-firewall/kmyfirewall), post your requirements here.  I suspect some of the regulars could write a first pass at the rules faster than we can diagnose various package problem reports, so asking someone to write out your rules once is not a big deal.  Once you have a baseline, the script should be pretty easy to tweak, such as if you later realize you want a port open that you did not originally request.

The really cheap "safe" configuration would be something like (untested):

```
#!/bin/sh

# Flush the tables.  This may print some errors, since many people do
# not have all the tables.
for a in nat mangle filter raw; do
   iptables -t ${a} -F
done

# Silently discard incoming traffic which does not match any rule.
iptables -P INPUT DROP

# Silently refuse to forward traffic which does not match any rule.
iptables -P FORWARD DROP

# Accept loopback traffic.  Necessary to keep IP-over-localhost working.
# *** Do not remove unless you know _EXACTLY_ what you are doing. ***
iptables -A INPUT -i lo -j ACCEPT

# Accept traffic from connections which already existed.  Without any
# rules to permit incoming connections, this rule requires that this
# machine initiate all connections.
# Requires NETFILTER_XT_MATCH_STATE
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Log any traffic which gets here, but use a limit modifier so that the
# logs do not fill with every single incoming dropped packet.  This is a
# non-terminating target, so traffic which matches it will continue on.
iptables -A INPUT -m limit -j LOG --log-tcp-options --log-ip-options

exit 0

# Optional features (comment out the exit to run them)

# Accept incoming connections to TCP port 12345.  This is needed if you
# want to run a TCP server on port 12345 and have someone connect to it.
# (-p and -m must name the same protocol; "-p tcp -m udp" is rejected.)
iptables -A INPUT -p tcp -m tcp --dport 12345 -j ACCEPT

# Accept incoming packets on UDP port 12345.  This is needed if you
# want to run a UDP server on port 12345 and have someone connect to it.
iptables -A INPUT -p udp -m udp --dport 12345 -j ACCEPT
```

This may have a few shortcomings, but it should serve as a starting point.  Feel free to ask for help if the comments are insufficient or it does not demonstrate something you want to do (or it breaks something you want to have working).

----------

## carpenike

I like shorewall; it's not a GUI frontend but it's not that difficult to use/setup... There's documentation on Shorewall's website that should allow you to get a firewall up and going in about 5 minutes...

http://www.shorewall.net

Look up the guide; stand-alone firewall...

----------

## jakomo

Well, I totally understand not wanting to learn iptables  :Wink: 

Having said that, guarddog's documentation is quite simple and straightforward and does give you all you need to have a working firewall set up in no time.

A few things that might help you:

1) Guarddog sets iptables rules. That means you have to have iptables installed and added to your default runlevel.

2) It saves you a lot of error messages to compile the kernel options as modules.

3) Guarddog has a "what is not explicitly allowed is forbidden" policy. That means that if you install and run guarddog correctly and don't allow anything, your laptop will be completely shut off from the outside world  :Wink:  Things you must allow:

a) dns (you want to type urls, not ip's  :Wink:  )

b) http (I guess you want this one as well...)

c) rsync (for gentooers this one is quite handy  :Wink:  )

d) and all the other protocols (pop/smtp...) you want/need

This is done on the "Protocols" tab. All you have to do is to click on the check box allowing "Internet" to serve "DNS" to "Local", for instance.

A quick (for the moment, ugly) hack:

I use guarddog but when I started I couldn't get it to set firewall rules on boot, forcing me to manually apply them every time. Then I found some advice on a thread on the forum that gave me this idea. If you realize that guarddog doesn't apply firewall rules on boot, create a script in /etc/init.d with the following:

```
#!/sbin/runscript

depend() {
    after iptables
    before ddclient
}

start() {
    ebegin "Applying firewall rules - Guarddog"
    /etc/rc.firewall
    eend $? "Firewall rules not set"
}
```

Call it guarddog then run "rc-update add guarddog default" and your problems are solved  :Smile: 

When I finish my exam (unfortunately that's December) I'll file a bug report with a proposed ebuild that creates this script, if nobody takes care of it before. 

Have fun,

Jakomo
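The three technical threads above (GNUtoo's owner match for per-program egress control, Hu's baseline default-deny script with its `-p tcp -m udp` slip, and jakomo's list of protocols that must be allowed out of a "forbidden unless allowed" policy) can be exercised together without root. The following is an added example, not code from any poster or from Guarddog: it generates an `iptables-restore` file for a laptop with DROP policies on INPUT, FORWARD and OUTPUT, an outbound allow-list (constructed here as DNS, HTTP, HTTPS and rsync), an optional inbound TCP port, and an `--uid-owner` REJECT for chosen uids; then it parses that text back and walks the chains with first-match semantics so a few constructed packets can be checked offline, and lints for a protocol/match mismatch. The uids 1000 and 1001 and interface `eth0` are assumptions. The evaluator only understands the options the generator emits and treats `-m limit` as always matching. One caveat on the man page GNUtoo quoted: only `--uid-owner` and `--gid-owner` remain in current kernels; `--pid-owner`, `--sid-owner` and `--cmd-owner` were removed.

```python
"""Default-deny iptables rule set for a laptop, generated and checked offline."""
import shlex

# Constructed allow-list for this example: the protocols jakomo says must be
# allowed out (DNS, HTTP, rsync), plus HTTPS.
OUTBOUND = {"dns": [("udp", 53), ("tcp", 53)], "http": [("tcp", 80)],
            "https": [("tcp", 443)], "rsync": [("tcp", 873)]}


def build_rules(outbound=OUTBOUND, inbound_tcp=(), blocked_uids=()):
    """Return iptables-restore text for the filter table: DROP policy on every
    chain, loopback and RELATED/ESTABLISHED accepted, NEW connections only for
    the listed services, and an owner-match REJECT on OUTPUT for each uid in
    blocked_uids (the owner match only sees locally generated packets)."""
    r = ["*filter", ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT DROP [0:0]",
         "-A INPUT -i lo -j ACCEPT",
         "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"]
    for port in inbound_tcp:  # -p and -m always name the same protocol
        r.append(f"-A INPUT -p tcp -m tcp --dport {port} -m state --state NEW -j ACCEPT")
    r.append('-A INPUT -m limit --limit 3/min -j LOG --log-prefix "fw-in-drop: "')
    r.append("-A OUTPUT -o lo -j ACCEPT")  # blocked uids may still talk to localhost
    for uid in blocked_uids:  # must precede the ESTABLISHED accept, or it never fires
        r.append(f"-A OUTPUT -m owner --uid-owner {uid} -j REJECT "
                 "--reject-with icmp-admin-prohibited")
    r.append("-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT")
    for name, ports in outbound.items():
        for proto, port in ports:
            r.append(f"-A OUTPUT -p {proto} -m {proto} --dport {port} "
                     f"-m state --state NEW -m comment --comment {name} -j ACCEPT")
    r.append("COMMIT")
    return "\n".join(r) + "\n"


def parse(text):
    """Split restore text into {chain: {"policy": ..., "rules": [tokens]}}."""
    chains = {}
    for line in text.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            chains[name] = {"policy": policy, "rules": []}
        elif line.startswith("-A "):
            tok = shlex.split(line)
            chains[tok[1]]["rules"].append(tok[2:])
    return chains


def evaluate(chains, chain, pkt):
    """Walk one chain the way netfilter does: the first rule whose criteria all
    match decides, except LOG, which is non-terminating; with no match the
    chain policy applies.  Every option the generator emits takes one value,
    so the token list pairs up as (option, value)."""
    for tok in chains[chain]["rules"]:
        target, hit = None, True
        for opt, val in zip(tok[::2], tok[1::2]):
            if opt == "-j":
                target = val
            elif opt == "-i":
                hit &= pkt.get("in_if") == val
            elif opt == "-o":
                hit &= pkt.get("out_if") == val
            elif opt == "-p":
                hit &= pkt.get("proto") == val
            elif opt == "--dport":
                hit &= pkt.get("dport") == int(val)
            elif opt == "--state":
                hit &= pkt.get("state") in val.split(",")
            elif opt == "--uid-owner":
                hit &= pkt.get("uid") == int(val)
            # -m, --limit, --log-prefix, --reject-with, --comment: no effect here
        if hit and target != "LOG":
            return target
    return chains[chain]["policy"]


def lint(chains):
    """Flag rules whose -p and tcp/udp match disagree ("-p tcp -m udp ..."):
    the kernel refuses such a rule, since the udp match is only valid for
    UDP packets, so the load fails instead of opening the port."""
    bad = []
    for chain, c in chains.items():
        for tok in c["rules"]:
            proto, mods = None, []
            for opt, val in zip(tok[::2], tok[1::2]):
                if opt == "-p":
                    proto = val
                elif opt == "-m":
                    mods.append(val)
            bad += [f"{chain}: -p {proto} with -m {m}: {' '.join(tok)}"
                    for m in mods if m in ("tcp", "udp") and m != proto]
    return bad


def demo():
    """Verdicts for constructed packets against the generated rule set."""
    chains = parse(build_rules(inbound_tcp=(22,), blocked_uids=(1001,)))
    pkts = {
        "ssh in, new":        ("INPUT",  dict(in_if="eth0", proto="tcp", dport=22, state="NEW")),
        "port 12345 in, new": ("INPUT",  dict(in_if="eth0", proto="tcp", dport=12345, state="NEW")),
        "reply in, estab.":   ("INPUT",  dict(in_if="eth0", proto="tcp", dport=40000, state="ESTABLISHED")),
        "dns out, uid 1000":  ("OUTPUT", dict(out_if="eth0", proto="udp", dport=53, state="NEW", uid=1000)),
        "dns out, uid 1001":  ("OUTPUT", dict(out_if="eth0", proto="udp", dport=53, state="NEW", uid=1001)),
        "irc out, uid 1000":  ("OUTPUT", dict(out_if="eth0", proto="tcp", dport=6667, state="NEW", uid=1000)),
    }
    return {k: evaluate(chains, ch, p) for k, (ch, p) in pkts.items()}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22} {v}")
    print(build_rules(inbound_tcp=(22,), blocked_uids=(1001,)), end="")
```

To use the output for real, write it to a file and load it atomically with `iptables-restore < rules.v4` as root (this replaces the whole filter table, unlike appending rules one by one), then confirm with `iptables -L -v -n` or `iptables-save`. Running the lint over `iptables-save` output of an existing box is a cheap way to catch the `-p tcp -m udp` kind of slip before rebooting into a rule set that fails to load.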

----------

## firsttry

Abandoned the firewall thing for a while (quite)...

I'll try some of your suggestions when I can!

----------

## hg78

Using fw-builder might be an easy way of using iptables without reading the manpages. It's a powerful GUI, which creates the iptables scripts for you.

----------

