# what are people using for a firewall?

## DNH

I was wondering what people use for a firewall and if they emerged a package to get it.  I am debating just creating an iptables script, but thought I'd see if anybody is using a firewall program and whether or not they would recommend it.  Thanks.

----------

## garyura

Iptables is enough for the firewall if you want to connect to the internet and be safe from hackers.

----------

## klieber

 *DNH wrote:*   

> I am debating just creating an iptables script, but thought I'd see if anybody is using a firewall program and whether or not they would recommend it.  Thanks.

 

If you're comfortable with iptables syntax, just write your own -- it's likely the easiest way.  Otherwise, check out fwbuilder, which is a great GTK-based GUI helper program to write iptables scripts.  Not sure if there's a gentoo package, though.

--kurt

----------

## Guest

http://monmotha.mplug.org/firewall/index.php <-- Monmotha's firewall script, fairly good

Another good one to break your teeth on is "Endoshield" you can find with a google search, I use a (heavily) modified version of it.

----------

## gilgames

 *DNH wrote:*   

> I was wondering what people use for a firewall and if they emerged a package to get it.

 

I picked up ferm which is nothing more than an easy (= readable) way of specifying iptables statements. I wrote my own ebuild file but it's not quite finished. Best of all, it doesn't need/have a GUI (which would make it impossible to run on my P100).

Last edited by gilgames on Tue Apr 23, 2002 6:03 pm; edited 2 times in total

----------

## static

If you like GUIs, Guarddog for KDE is excellent.

----------

## skylinux

I wrote an iptables script using connection tracking; from my tests and from other users this script seems to work pretty well. You can download it from here:

http://home.earthlink.net/~skylinux/linux/skyfire/

I would appreciate some feedback if someone decides to use my script.

Stay safe

Skylinux

----------

## kipper

I built my own using iptables.  Building your own gives you control over what access you restrict or close.  If you are uncomfortable or don't know much about doing this you can check out this tutorial http://www-105.ibm.com/developerworks/education.nsf/linux-onlinecourse-bytitle/A7F41AE725B03E1D86256A46005DB972?OpenDocument

----------

## dice

I use an OpenBSD bridging firewall.  It's very cool.

----------

## dr_strange

firestarter is a nice firewall, lets you close and open individual ports, monitor your ports etcetera

----------

## bbibber

The TrinityOS documents provide a good background if you want to secure your system.  It's aimed at Red Hat systems though.

----------

## d3c3it

Hi all

I've been trying for ages to get iptables working but I could never get my kernel config to work. Well, after extensive searching on Google and these forums I've finally got iptables working. To start with I tried kmyfirewall to set up a firewall, which worked great, it really locked down my system, but there were some things I didn't like (the KDE stuff for one, as I don't use KDE and the KDE config on my system is messed up so the program didn't work quite right) and also I couldn't use MSN or rsync, but then I tried out Firestarter. Found it to be very good. Couldn't get the log viewer working till I found this

https://forums.gentoo.org/viewtopic.php?t=76874 which stopped the error messages but still no logs. The firewall, using the grc tests, almost locks down my system, apart from port 57-56 which I couldn't get to lock down. But also my main problem with it is it doesn't save any /var/lib/iptables/rules-save and when I run /etc/init.d/iptables save I get a cat: no file.... and iptables -L doesn't show any rules. But there are rules, as the grc test shows the ports being blocked.

Now I would set up my own rule set but I don't know where to start. I've read up on Google but it seems a lot of work for a personal firewall. A server I understand, but for just a personal aspect is there any easier way around it? Maybe someone has created a prebuilt script as such for a workstation?

Any help would be greatly appreciated (I know it's long winded but basically I want a firewall to keep nasty stuff out and keep all my ports stealth on a workstation).

Thanks a lot

----------

## Keyed

Have you read the Gentoo Security guide yet?

http://www.gentoo.org/doc/en/gentoo-security.xml

also you could look at

http://www.openna.com/products/books/sol/solus.php

I use a tweaked version of what is shown in their pdf.

----------

## d3c3it

 *Keyed wrote:*   

> Have you read the Gentoo Security guide yet?
> 
> http://www.gentoo.org/doc/en/gentoo-security.xml
> 
> also you could look at
> ...

 

Thanks man, I never knew Gentoo had a security page.

----------

## Xaignar

If you just want a firewall for a workstation, then either Shorewall or FireHOL is my recommendation. Both are in portage, are easy to use and make use of bash scripts to perform their magic, so there is no need for X.

----------

## voltron2k4

Ok, so after looking in /usr/portage/net-firewall/ I see that there are many different firewalls. My question to the gentoo public is... Which do you feel is the best and why? Also is there a firewall that has gui? And also is there a good "example config" that I can go by?

* Any help is more than appreciated *

----------

## idefix

There is no GUI available, but configuration is straightforward. Short documentation is available in the config files themselves; otherwise have a look at the developer's homepage http://www.shorewall.net/

----------

## barbar

knetfilter is a gui for iptables. if you are using kde it can be handy configuring iptables.

----------

## sschlueter

 *voltron2k4 wrote:*   

> Ok, so after looking in /usr/portage/net-firewall/ I see that there are many different firewalls. My question to the gentoo public is... Which do you feel is the best and why? Also is there a firewall that has gui?

 

If you think of packet filtering and network address translation, then there are no "different firewalls". It's practically always netfilter/iptables that does the work. But there are several helper applications. While I currently don't use any of them, I think they range from simple GUIs to tools like FireHOL where rules can be expressed via a heavily simplified syntax to tools that represent a higher abstraction layer like fwbuilder or shorewall.

----------

## sschlueter

 *idefix wrote:*   

> There is no gui available
> 
> 

 

There is a webmin module available.

----------

## don quixada

Hi, it seems the general consensus about firewalls is that "a poorly configured firewall is worse than no firewall at all". Therefore, I'm afraid to install any kind of firewall. However, I do like the idea of being able to close/open ports easily. 

My system is my own personal machine so there are no other users I need to administrate, so I'd only be protecting my computer from outside attacks. I've tried to keep everything network-related secure (from FAQs etc.) and I've tested my IP from outside resources (abuse.net etc.). 

However, what I'm wondering is: am I being naive? Should I install a firewall? and how would I know that it will be properly configured?

Thanks in advance.

dq

----------

## neilhwatson

Would you have unprotected sex with a stranger?! You definitely need a firewall.  As for testing a firewall, there are websites that will scan your firewall for you.

----------

## don quixada

Ok, I'll install one. Any suggestions?-- if not, I'll install iptables.

There are websites that test firewalls? What are they? The only ones I know of are:

http://grc.com/intro.htm

and

http://www.abuse.net/

Or are these all I need?

Thanks,

dq

----------

## neilhwatson

Iptables is the engine that drives your firewall.  How to configure your firewall is up to you.  I do it by hand which may not be for you.  If you search around here you'll see some suggestions on what applications might be right for you.

Yes, those sites are fine for testing your firewall

However you do it remember the golden rule of firewalls.  ALWAYS DENY EVERYTHING BY DEFAULT, then configure the firewall to allow the network traffic you need.

----------

## mmealman

http://www.simonzone.com/software/guarddog/

There are a lot of apps like the above that use iptables, but provide an easier interface to work with.

----------

## sschlueter

While such a general question can't be answered in a few sentences, just a little info:

Most security problems come from running services which have a security related bug. So the best thing you can do is not to provide any services at all. Luckily, with Linux it's perfectly possible to provide exactly the services that you want to provide. It's perfectly possible to provide 0 services if you want to. (Note: This is different from Windows.) You can use the command "netstat -tulpn" to see which services are running. (Note: This command is sufficient. You don't need to rely on external scan sites.)

There are security related bugs in client software, too. So keep informed about them. Security announcements are posted to the News & Announcements forum. Update your apps as required.

Linux uses iptables for packet filtering (aka "firewalling"). There are no different "firewalls". There are, however, several helper apps that make configuration easier.

But: iptables can't protect services that should be reachable by everybody on the internet.  Running services and using iptables to completely block access to them is kind of pointless. And if you don't provide any services, there's nothing to protect. And iptables also can't protect you from security bugs in client software.

But: Using iptables may still be useful because it makes your system a bit more tolerant to misconfiguration like running a service without knowledge of doing so at some point in the future.
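An added example (not sschlueter's code) of the "netstat -tulpn" check this post recommends, turned into a filter that lists only the listeners reachable from the network, i.e. the services a default-deny ruleset would otherwise be covering for. The netstat output below is constructed sample data; the PIDs and program names are made up.

```shell
#!/bin/sh
# Added example (not from the thread): find listening sockets that are
# reachable from the network, from "netstat -tulpn" output.

# Constructed sample in the layout "netstat -tulpn" prints (run as root so the
# PID/Program column is filled in). For real use: netstat -tulpn | exposed_listeners
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1300/master
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1410/X
udp        0      0 0.0.0.0:68              0.0.0.0:*                           900/dhcpcd
udp        0      0 127.0.0.1:53            0.0.0.0:*                           1100/named
EOF
}

# Print "proto port pid/program" for every listener whose local address is not
# loopback; those are the services that are exposed unless iptables blocks them.
exposed_listeners() {
    awk '
        # Only socket lines; the two header lines start with other words.
        $1 ~ /^(tcp|udp)6?$/ {
            # Local address is "addr:port"; take the port after the last colon
            # so IPv6 forms such as ":::22" are handled too.
            if (match($4, /:[0-9]+$/) == 0) next
            addr = substr($4, 1, RSTART - 1)
            port = substr($4, RSTART + 1)
            if (addr == "127.0.0.1" || addr == "::1") next
            # Program name is the last column (udp lines have no State column).
            print $1, port, $NF
        }'
}

sample_netstat | exposed_listeners
```

On the sample this prints sshd (tcp 22), X (tcp 6000) and dhcpcd (udp 68); the postfix master and named entries bound to 127.0.0.1 are left out.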

----------

## the_bard

 *sschlueter wrote:*   

> 
> 
> But: Using iptables tables may still be useful because it makes your system a bit more tolerant to misconfiguration like running a service without knowledge of doing so at some point in the future.

 

So if a guy had a fiance who was dead set on running Windows (although she thinks the games and screensavers for Linux are *cool* (her words, not mine)), it'd be handy to have a firewall up. Or if I was going to go with a more mundane distro, like Redhat or Suse, where things tend to be a bit more preconfigured. But on my Gentoo system, where I know what's running & I know what ought to be listening on a given port, the need for a firewall isn't quite as great.

----------

## don quixada

Hmmm, so the impression I'm getting is that if one keeps a close eye on what services are running and updates them as required a firewall is not completely necessary; however, it doesn't hurt to have one. 

Well, I guess I should install one since I have time to learn how to configure it right now. However, I'm a little confused on the engine versus actual firewall. The Gentoo-security guide makes an off-hand reference to Shorewall. If I install Shorewall (or Guarddog) do I need to worry about configuring iptables at all? 

And what about kernel options? Right now I'm using the bare-minimum suggestions from an iptables tutorial as suggested by the Gentoo-security guide.

Also, is there a GNOME app like Guarddog out there?

Sorry if I'm asking basic questions here, but everything I've read seems a little over my head.

Thanks so far...

dq

----------

## dmind

http://morizot.net/firewall/gen/

I used this site when I set up my first firewall about a year ago.

It's darn good.

----------

## michael-reilly

 *Quote:*   

> Hmmm, so the impression I'm getting is that if one keeps a close eye on what services are running and updates them as required a firewall is not completely necessary; however, it doesn't hurt to have one.
> 
> 

 

This is true only if you are sure you can patch any future vulnerabilities in the services you are running before someone discovers your unpatched box and attacks it.  The idea is to not let anyone get at your machine unless you specifically allow that access.  As previously stated, begin with DENY everything and open holes in the firewall as needed, making those holes as small as possible.  Otherwise I would consider a firewall a must.

If you wish to open up some ports to the Internet (an http server for example) then it is a completely different story.  You need to harden your system since a firewall won't help against traffic you intentionally let in.

----------

## TheWart

I was in the same boat as you when I started using Gentoo.

I decided to use Shorewall, which is kind of a front-end for iptables.  While it is command-line only, its config files are extremely easy to understand and are straightforward.

If you need any help setting it up, just pm me.

Here is what I have going on with it:

- Just a single system

- AIM

- FTP server

some other stuff.

----------

## sschlueter

 *michael-reilly wrote:*   

> 
> 
> This is true only if you are sure you can patch any future vulnerabilities in the services you are running before someone discovers your unpatched box and attacks it.
> 
> 

 

But iptables can't protect you from vulnerabilities in services. If you run a service that has a known vulnerability and there is no patch available (or you can't apply the patch for some reason), you can simply shut down the service if you want to be secure. (Of course you could also use iptables to block access to these services but it's more straightforward to not run the services at all.)

Until now I have only addressed the issues when you want to completely block or allow access to a service. But sometimes you want to allow access to a service only from a specific IP address or range of IP addresses, or want to ban a specific address. If the service you're using doesn't provide such a feature, you can use iptables for this. (But most services provide such a feature: everything that runs through inetd/xinetd, everything that can be compiled with tcp wrapper support, Apache has a mod_access module, ProFTPD can be configured similar to Apache, the sshd from OpenSSH can be configured in such a way...)

----------

## sschlueter

 *don quixada wrote:*   

> 
> 
> The Gentoo-security guide makes an off-hand reference to Shorewall. If I install Shorewall (or Guarddog) do I need to worry about configuring iptables at all?
> 
> 

 

You always  have to configure it. There is no solution that is suitable for everybody.

However, things like shorewall are usually only useful for rather complex setups. I have the impression that your setup is rather simple - a single host where no services should be reachable even if some are running by accident. This is pretty easy to do. You only need two rules for this.

```
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -j REJECT
```

You need the connection tracking module for this to work. And you should at least also use the ftp connection tracking module.

With these two rules you can perform DNS queries, receive and send mail, read newsgroups and send newsgroup messages, surf the web, run rsync, run an ftp client (both active and passive modes), run an IRC client, run instant messaging software and so on.

The only drawbacks are: IRC clients and instant messaging software have features to allow direct client to client file transfers. One of the two clients has to open a port and accept incoming connections. With such a ruleset you won't be the one that has an open port. File transfer may fail then. And of course this ruleset will be bad for all kinds of peer2peer software like bittorrent and xmule and the like. You would have to allow some ports for incoming connections in iptables. But depending on the peer2peer software, it may be difficult to figure out which ports it actually uses.
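The two-rule policy from this post, written out as an added example (not sschlueter's code) in iptables-restore format. It adds one rule the two-rule set needs on a workstation, accepting loopback traffic, and lets you list the exceptions sschlueter mentions: ports to open for IRC/p2p transfers, and (from his earlier post) a service allowed only from specific addresses. The values 22@192.0.2.0/24 and 6881 in the usage comment are made-up samples, and the function name is mine.

```shell
#!/bin/sh
# Added example (not sschlueter's code): emit the default-deny workstation
# policy from the post in iptables-restore format, with a loopback rule and
# optional per-port exceptions that may be restricted to a source address.
#
# Usage: workstation_rules [PORT[@SOURCE]...] | iptables-restore
#   e.g. workstation_rules 22@192.0.2.0/24 6881
#   (SSH only from one sample network, one sample p2p port open to everybody;
#   192.0.2.0/24 and 6881 are made-up values)

workstation_rules() {
    echo '*filter'
    # Built-in chain policies: INPUT and FORWARD closed by default (the "deny
    # everything" rule from earlier in the thread); a DROP policy also stays in
    # force if the rule list is ever flushed. Outgoing traffic is unrestricted.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Without this rule the two-rule set rejects new connections to 127.0.0.1
    # (a local X server, a local resolver, ...). This is the one addition.
    echo '-A INPUT -i lo -j ACCEPT'
    # sschlueter's first rule: replies to connections this host opened, plus
    # RELATED traffic such as ftp data channels (needs the ftp conntrack module).
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Explicit exceptions, one rule each: PORT opens a tcp port to everybody,
    # PORT@SOURCE opens it only for that address or network.
    for spec in "$@"; do
        port=${spec%@*}
        case "$port" in
            *[!0-9]*|'') echo "bad port in '$spec'" >&2; return 1 ;;
        esac
        case "$spec" in
            *@*) src=${spec#*@}
                 echo "-A INPUT -p tcp -s $src --dport $port -m state --state NEW -j ACCEPT" ;;
            *)   echo "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT" ;;
        esac
    done
    # sschlueter's second rule: everything else is refused.
    echo '-A INPUT -j REJECT'
    echo 'COMMIT'
}

workstation_rules "$@"
```

Run the script with no arguments to get exactly the policy from the post (plus loopback); pipe the output into iptables-restore as root to load it.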

----------

## TheWart

I don't think shorewall is complex at all.

It is extremely easy, and the docs on their site are very helpful.  I am no network wizard, and even I understood the manual.

And like you said, if you need to later allow AIM access (not filesharing, just straight-up access to the Oscar network), you will need to open at least one port, and then if you decide to do some other p2p app, then you need to open more......and then it gets confusing with those iptables commands.

Shorewall puts all of this stuff in little config files, which are not archaic in language.

----------

## don quixada

 *sschlueter wrote:*   

> 
> 
> You always  have to configure it. There is no solution that is suitable for everybody. 

 

I get it now, the firewall itself is the result of the commands or script that either I create/enter manually, auto-generated (like the one on http://morizot.net/firewall/gen/) or gets generated by Shorewall or Guarddog. 

 *Quote:*   

> 
> 
> ```
> 
> # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> ...

 

I can't seem to get this to work. I get:

```
iptables: No chain/target/match by that name
```

as an error message. I have the connection tracking module enabled (not as a module, but built into the kernel).

Thanks,

dq

----------

## TheWart

 *don quixada wrote:*   

>  *sschlueter wrote:*   
> 
> You always  have to configure it. There is no solution that is suitable for everybody.  
> 
> I get it now, the firewall itself is the result of the commands or script that either I create/enter manually, auto-generated (like the one on http://morizot.net/firewall/gen/) or gets generated by Shorewall or Guarddog. 
> ...

 

I would build it as a module, as it screwed up for me when I tried to build it in.

Also, I think you are going to need a lot more options than just Connection tracking.  Check out the Shorewall site, as they have an example kernel config.  I am sure I have stuff built as modules that I do not need, but it doesn't slow my system down, and I don't have the time to check to see if my firewall works if I disable x module.

----------

## don quixada

This is so annoying, I cannot get any of the modules to load even after configuring the kernel the same way as the Shorewall website. I don't even remember how many times I've re-compiled the kernel. I'm ready to give up. Maybe it's because I'm using the Gentoo kernel instead of the vanilla one?

dq

----------

## professorn

Can't you modprobe them or get them to autoload? If you can't autoload them, that's because you have to add them in /etc/modules.autoload/kernel-KV

----------

## sschlueter

 *don quixada wrote:*   

> 
> 
> This is so annoying, I cannot get any of the modules to load even after configuring the kernel the same way as the Shorewall website. I don't even remember how many times I've re-compiled the kernel. I'm ready to give up. Maybe it's because I'm using the Gentoo kernel instead of the vanilla one?
> 
> 

 

As far as I know, there are no general problems with the iptables kernel modules. You should be able to load them via modprobe or let them load automatically at system boot if you list them in /etc/modules.autoload.d/kernel-2.4

But it may be necessary to recompile iptables, if the kernel you're using now is different from the one that you ran when you initially compiled iptables. So, if the kernel modules load fine and you still get errors like "iptables: No chain/target/match by that name", re-emerge iptables.

----------

## TheWart

 *don quixada wrote:*   

> This is so annoying, I cannot get any of the modules to load even after configuring the kernel the same way as the Shorewall website. I don't even remember how many times I've re-compiled the kernel. I'm ready to give up. Maybe it's because I'm using the Gentoo kernel instead of the vanilla one?
> 
> dq

 

There is no need to load them.

Shorewall will automatically do it for you when you run the command.

----------

## don quixada

I can't modprobe them or use Shorewall to initiate them. 

I get errors like:

```
# modprobe ip_tables
/lib/modules/2.4.20-gentoo-r6/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_unregister_sockopt
/lib/modules/2.4.20-gentoo-r6/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_register_sockopt
/lib/modules/2.4.20-gentoo-r6/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.20-gentoo-r6/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.20-gentoo-r6/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
```

And I also re-emerged iptables after both setting-up iptables as modules and built into the kernel and it still didn't work.

dq

----------

## TheWart

 *don quixada wrote:*   

> I can't modprobe them or use Shorewall to initiate them. 
> 
> I get errors like:
> 
> ```
> ...

 

Hmm

That is odd.  Sorry, but I am not very good at fixing kernel-ish problems.  The only advice I can offer is maybe trying a 2.6 kernel, as this is all I use.  But beware, you may have to get the iptables version off of Gentoo bugzilla, as the one in portage does not compile with 2.6 kernel.  But maybe you won't have to do that since it is already installed.

----------

## don quixada

Well, thanks for your help. I'm not going to switch to 2.6 until Gentoo releases their own flavour. 

dq

----------

## fribadeau

 *Quote:*   

> I can't modprobe them or use Shorewall to initiate them.
> 
> I get errors like:
> 
> Code:
> ...

 

OK, I just solved the same problem...  It's coming from your kernel compile.

You need to:

```
cd /usr/src/linux
cp .config ..
make mrproper
mv ../.config .
make menuconfig
...
```

The make mrproper will do a "real" clean of your kernel before you compile it. Put everything related to iptables as module, it should solve your problem.

Please don't forget to save your .config file, the command deletes it.

Good luck,

Fred

----------

## don quixada

Awesome! it worked like a charm. I now have a firewall. Whether it's good remains to be seen. Thank you!

dq

----------

## Apreche

Hi, I need some help selecting a firewall application for gentoo.  I got a dual boot system and in windows XP I use Sygate Personal Firewall.  It allows me to set which applications I want to be allowed to access the internet and which ones I want to block.  It also notifies me of strange incoming traffic, automatically blocks port scans, etc. etc. 

I see a lot of different apps in portage that all seem to be firewalls.  ipchains, iptables, shorewall...  Which one is easiest to use and will suit my needs the best?  Is there one that works like Sygate or Zone Alarm does, or are they all more difficult than that?  Thanks for your help.

----------

## BitJam

I use rc.firewall from http://projectfiles.com/firewall/ It is safe, easy and effective.

No matter what firewall software you choose to use, you will need to compile ip_tables either into your kernel or as modules.   The web site above will tell you exactly what modules you will need.

----------

## To

```
emerge -s shorewall
```

Try this one, it's easy to configure, well documented... and it's on portage.

Tó

----------

## ikaro

I use shorewall too and I can recommend it.

It's really easy to install, admin and configure, and it has many possibilities with LAN and so on.

( ola tó )

----------

## jaska

If you need the flashiness of a GUI, firestarter might be what you need; if not, stick to shorewall.

----------

## malloc

I think that before you use shorewall or any other GUIs you should read and learn about iptables since that's the main engine of things.

----------

## fosstux

Hello!

I'm planning to build a firewall based on Gentoo Linux. 

The structure is as follows:

Firewall = Gateway (3 NICs)

1 Server (DMZ, contains Web, SFTP, IMAPS and SMTP, ev. SSH)

1 PC (internal)

I'm seeking a firewall with following features:

- Web administration (from internal LAN)

- Access to DMZ from Internet.

- On critical errors, contact via email.

Please recommend me a good and solid firewall solution. I do not want to manage everything by hand, if possible.

Thanks in advance.

----------

## klasikahl

Since the box will only be a firewall, I would suggest taking extra security measures on the box because all Internet traffic will be passing through it.  My personal favorite all-around security measure is definitely SELinux.

There's good news, too.  SELinux is supported by the Gentoo Hardened team (of which I am a member).  You can find out more about Gentoo Hardened here and SELinux on Gentoo here.

As for your other requests:

Webmin seems to be the weapon of choice when it comes to management via a web browser.

Usually email notifications are done by IDS (intrusion detection systems) or by cronjobs.  Cronjobs are usually just scripted by the system admin either in perl, ruby, or bash.  It's all about choice.

I hope that this information helped.

Oh, and by the way, you may want to check out #gentoo-server and #gentoo-hardened on irc.freenode.net if you have not already.

----------

## 1eyedhive

interesting idea here.

I'm rolling my own CD based gentoo firewall to replace a Red Hat 8 firewall on an aging 2GB drive.

Here's what I have so far

the devbox is a PII-350 384MB 5GB HD

the production box is similar, PII-400 128MB CD/Floppy only

preliminary layout so far:

/ - root, on the CD, contains:

/etc - etc files, uncompressed on floppy (etc = TINY, just text files, got the idea from Devil-Linux)

/tmp - ramdisk

/var - ramdisk, rsynced to NFS server at night and cleared

/usr -- static, on CD

/usr/portage -- only needed for installation of files, also VERY large, mounted NFS as needed.

The box will have:

gentoo-hardened/SELinux core

2 NICs (linksys LNE100, native to the 2.x kernel)

SSHD (duh)

webmin

shorewall

Boot from CD. Pulling the RP tag on the floppy prevents modification, and removing the NFS shares on the server (putting the /usr/portage in exports only as needed and allowing the host access only as needed) keeps things secure.

What do you think?

----------

## gazR

HI All,

Can anybody please point me to a decent frontend for iptables (the only firewall conf I'm used to is the win32 app for Watchguard products).

Also, I know that the ideal solution is for the firewall to be a separate box on the network, but is it still possible to get a secure system using iptables on my desktop machine? My only other solution is to use the NAPT firewall on my ADSL router which I hate and would like to disable (also because it doesn't support VPN passthrough).

Thanks Gaz

----------

## nope2dope

You should check out http://www.fwbuilder.org/ (FirewallBuilder).

There are some others BitFrost and so on. Check out www.freshmeat.net to make up your mind.

You can secure your desktop with iptables, but I don't think it is possible to get a secure system overall. But keep in mind that a badly set up firewall can even cause more insecurity.

----------

## gazR

 *Quote:*   

> You should check out http://www.fwbuilder.org/ (FirewallBuilder). 

 

Cheers for that, will have a look at it now

----------

## fatcat.00

fwbuilder is great, but if you just need something relatively simple then I suggest http://firestarter.sf.net

----------

## Rooney

 *fatcat.00 wrote:*   

> fwbuilder is great, but if you just need something relatively simple then I suggest http://firestarter.sf.net

 

I'll second the Firestarter GUI; it's excellent, nice and simple.

----------

## klasikahl

 *1eyedhive wrote:*   

> interesting idea here.
> 
> I'm rolling my own CD based gentoo firewall to replace a Red Hat 8 firewall on an aging 2GB drive.
> 
> 

 

This is great to hear.  A hardened server on a CD is a goal for the hardened team.  I'm glad to hear that you are also making your own efforts.  Our CD will be like the LiveCDs in that it will automatically detect hardware, etc.

----------

## 1eyedhive

I'm a newbie to gentoo and scripting in general.

I'd appreciate any insight you guys have into setting up a way to load config files to a ramdisk from alternate media (floppy/flash drive) and getting the thing to boot off a CD. The build host is just now chewing on the stage 3 tarball/system emerge, so it's still a long way off.

you guys have an irc channel or something somewhere?

----------

## klasikahl

The hardened team is on #gentoo-hardened on irc.freenode.net

----------

## HomerSimpson

 *nope2dope wrote:*   

> You can secure your desktop with iptables, but I don't think it is possible to get a secure system overall. But keep in mind that a badly set up firewall can even cause more insecurity.

 

Really? I have heard this before. But you cannot secure your system overall with iptables? Why not? Is it worse (less secure) than ZoneAlarm Pro for Windows? What kinds of setups would make it less secure?

Please don't read any sarcasm into the above questions. Really, I want to know.

Thx

----------

## ozonator

 *HomerSimpson wrote:*   

> But you cannot secure your system overall with iptables? Why not? Is it worse (less secure) than ZoneAlarm Pro for Windows? What kinds of setups would make it less secure?

 

It's generally assumed that a firewall alone won't make your system secure, since a firewall can't evaluate the content of traffic:  it can only evaluate packets based on a certain set of characteristics (source and destination addresses, MAC address, protocol, port number, etc.), which by itself can't determine whether or not a particular bit of traffic is acceptable or potentially malicious.  This is true of simple firewalls intended for a single box (like ZoneAlarm) or sophisticated packet filters (iptables, or OpenBSD's pf, which can even make decisions based on the OS that likely generated a packet).  A firewall, for example, can't tell whether traffic on port 80 is http traffic; it just knows it's using port 80, is tcp, and has such and such source and destination addresses; if it's a stateful firewall, it can also know whether or not it's part of a pre-established connection, but again, not what's inside the packet.  Accordingly, a firewall alone is no substitute for a properly secured box.

Consider another example:  if your firewall lets traffic through to your web server, and your web server has a vulnerability, having the firewall won't make any difference.  A real example of a similar sort of situation was common during the blaster worm earlier this year:  even if a network had a firewall that blocked blaster traffic at the network boundary, all it took was someone bringing in an infected laptop and connecting it to the internal network (thereby completely bypassing the firewall) for other unpatched internal machines to be infected.  This same thing happens on a smaller scale when a user opens an e-mail attachment that turns out to be a virus; presumably the firewall lets you get your e-mail, so it can do nothing to stop the virus.

That being said, a good firewall can mitigate the severity of security problems.  Consider the recent openssh vulnerabilities:  if your firewall only lets in ssh traffic from a limited number of external machines, the chance of the vulnerability being exploited before you have a chance to patch is significantly reduced, since only some external addresses have the opportunity to reach the vulnerable sshd.  Also, firewalls certainly can help make machines and networks harder targets, by making them more difficult to scan and otherwise get into from outside.

There are many more good examples, but the moral of the story is this:  a firewall is one part of a strategy for securing a machine and/or network, but not the only part.  Having one is far better than not, but having one doesn't allow you to skip other security measures, like patching, securing access from outside, enforcing access privileges, running only needed services, etc.

----------

## sparks

If you are using KDE I would recommend http://kmyfirewall.sourceforge.net/  KmyFirewall has been great when I want to set up a "personal firewall" for my friends and family.  One by one I'm getting them to try Linux.

----------

## HomerSimpson

I am running Gnome. I tried Firestarter but it said I had to be running Kernel 2.4 and above. I am running 2.6. I am now trying Firewall Builder but I need to read up on it (and iptables) more.

ozonator, thanks for the explanation.  I am running a Sonicwall (stateful inspection) hardware firewall. I just closed ftp. I just keep hearing (and being told) to stop running ftp. So I did.

Thx

----------

## fatcat.00

 *Quote:*   

> Really? I have heard this before. But you cannot secure your system overall with iptables? Why not? Is it worse (less secure) than ZoneAlarm Pro for Windows? What kinds of setups would make it less secure? 

 

iptables is a perfectly good firewall.  It will do everything you could want a firewall to do.  It is at least as good as ZoneAlarm or anything like it *in terms of its ability to stop packets*.

Now with that said, you must also recognize that a firewall is only as good as the policy it enforces.  If you allow insecure protocols in or out, then the firewall can't protect you from yourself.  For example, if you have Winders machines and you allow port 135 inbound from the internet, you *will* be compromised.

Also, effective security is about *layers* of security.  A well-configured firewall is just one layer of many.  Intrusion detection, rootkit detection, hardened systems, patch management, anti-virus etc. etc. are all effective layers too.

----------

## Rooney

Does anyone have a list of the modules which need to be added to the kernel to get iptables working?

----------

## ozonator

 *Rooney wrote:*   

> Does anyone have a list of the modules which need to be added to the kernel to get iptables working?

 

There's an excellent reference recommended in the Gentoo security guide:

http://iptables-tutorial.frozentux.net/chunkyhtml/kernelsetup.html

----------

## fosstux

Hi!

I've now started to install my firewall using hardened kernel 2.4.22 and the shorewall firewall.

But I'm having problems with iptables:

1. When I compile the Netfilter - IPTables as a module I get depmod errors containing nf_hooks, nf_hook_slow, nf_unregistersockopts and nf_registersockopts.

2. I've even tried to compile it into the kernel, but the firewall still does not start.

3. When I try to start the firewall I get the following errors:

 *Quote:*   

> modprobe: Can't locate module ip_tables
> 
> iptables v1.2.8: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
> 
> Perhaps iptables or your kernel needs to be upgraded.

 

Please help.

Thanks in advance.

----------

## Rah

Hi, I recently installed Gentoo but I don't have a firewall as yet and I was just wondering what are some of the best firewalls for Gentoo. I recently had BlackICE on my Windows box but I switched completely to Linux. I would appreciate replies explaining your favorite firewalls and why. I need something that's good but also that's fairly easy to configure since I'm new to this. Thanks.

                                                  Rah (noob)

----------

## ikaro

Hi.

Please read this:

http://www.gentoo.org/doc/en/gentoo-security.xml#doc_chap12

I recommend shorewall ( http://www.shorewall.net )

If you think it's too difficult, try rc firewall

http://freshmeat.net/projects/rc.firewall/?highlight=rc.firewall

----------

## echo6

The Gentoo security guide mentions Smoothwall www.smoothwall.org and if you have a spare old machine to dedicate for use with it then I reckon this is probably one of the best ways of implementing a firewall for home or a small office.

----------

## Rah

 *ikaro wrote:*   

> Hi.
> 
> Please read this:
> 
> http://www.gentoo.org/doc/en/gentoo-security.xml#doc_chap12
> ...

 

Hi, the article for rc firewall states that it is based off the Linux 2.4.x kernel and I'm running 2.6.3; would this be an issue?

----------

## ikaro

Don't think so.

Try it.

----------

## Rah

anyone have any other suggestions?  :Confused: 

----------

## primero.gentoo

 *Rah wrote:*   

> anyone have any other suggestions? 

 

Go Shorewall, nothing better and simpler at the same time. Don't feel afraid about so many text config files; for a normal environment you'll need only policy, rules and some more. 

It is flexible, powerful and well integrated with Gentoo. It also has good documentation and wide support inside and outside this forum ... other suggestions?   :Wink: 

bye

----------

## HubyRod

Nothing easier ?? 

I like 'monmotha'

----------

## eNTi

i use arno's iptable script.

----------

## primero.gentoo

 *HubyRod wrote:*   

> Nothing easier ?? 
> 
> I like 'monmotha'

 

I said powerful and easy at the same time  :Smile: 

Personally i don't like this kind of "Firewall Script" because:

If you know what you need but don't know Iptables syntax and philosophy you have so little possibility of getting what you want.

If you know what you need and know Iptables ... then, you're gonna write the script by yourself...

I think Shorewall is easy even if you need a simple "Personal Firewall" (Download the sample conf for 1 ethernet and modify the ports you need open and closed) and even if you need something a little bit more complex like a 2 Ethernet Firewall with NAT, MASQ or whatever you want.

And last but not least, Shorewall is the only implementation of iptables I found that uses "Chains" in a very intelligent way. Chains are so nice and powerful, but all the other GUIs, scripts, sorcery that use iptables (and that I have tried) seem more like an access control list that has to be run from top to bottom ...

So , make your choice, this is the Gentoo way ... bye  :Smile: 

----------

## 1eyedhive

I've been using shorewall 1.3.14a on a redhat8 box for a year or so; before that I ran a LRP box with shorewall on it. I am currently in the process of converting the box to gentoo and beefing it up a bit (PII 400/64MB/2GB up to PII 400/192MB/8GB) so I can add stuff like a teamspeak server, apache, ftp, maybe an irc server. Keeps things off my file server (PII 350/256MB/270GB) (don't ask about the difference, damn mobos...) and where they belong on the edge of the network.

If possible, use a dedicated box, like I do, I just add a few features to the thing to make it work for a living, it's a great feeling having an ftp server that you can access internally via samba from your doze box  :Smile: 

----------

## Rah

Hey, thanks guys for all your suggestions. I think I'm going to go shorewall by the way. I'll install it and let you guys know how it goes. You guys rock!!

----------

## meulie

Hi!

I'm looking for a good/the best firewall app to install under Gentoo. I'm tempted to go for shorewall since it's well supported in Webmin, which makes it easy to admin, I hope.

Is shorewall good enough/the best, or should I go for another app that might be harder to admin, but simply works better?

----------

## Deathwing00

I personally like shorewall (and use it). There is also the possibility to use raw iptables... very nice for a single computer, but quite tricky if you are administering an entire network.

You could start using shorewall for basic and advanced needs; it is pretty easy to configure. For special needs, there are no dedicated apps, so you might have to use iptables commands directly.

There is also an application called portsentry, which you can find in portage, that responds to certain attacks in the way you want, i.e. running scripts, programs, ...

----------

## Chris W

I use Shorewall because a GUI is useless on a headless server machine and, for something you don't often change, easy-click buttons are really unneeded.  I don't use Webmin because I like to know what is going on in the engine bay.  The rules seem solid enough, and little needs to be done for a basic setup.  

Ultimately all the wrappers around Netfilter are just that, wrappers.  Netfilter is doing the work for all these tools so, provided the rules written by the tool are good, there will be no difference in performance between competing wrappers.  Given the absence of substantive performance differences, the definition of "Best" usually comes down to GUI/no GUI and ease of use of the wrapper software.

You don't have to use a wrapper program/script set at all.  You are quite welcome to roll your own using the iptables command.

My two cents worth  :Smile: 

----------

## scout

I didn't install shorewall because it weighs more than 2 MB of sources, and installed firehol which weighs 77 KB of sources. I can't tell if shorewall is good because I never used it; I can just tell you that firehol completely fulfills my (very precise) needs.

Before I had a big iptables script (the one of gentoo's security documentation) but I prefer having a higher level app now, because it's much easier to maintain, on the other hand it may be less CPU efficient than the pure iptables because it writes extra stateless rules, but I don't have to complain about that.

----------

## phildrip

Another plug for firehol - I use it and found it easy to use to generate the firewall I wanted; plus it helped with my home NAT.

----------

## Deathwing00

 *scout wrote:*   

> I didn't install shorewall because it weighs more than 2 MB of sources, and installed firehol which weighs 77 KB of sources.

 

http://france.shorewall.net/pub/shorewall/shorewall-2.0.1/

shorewall-2.0.1.tgz     05-Apr-2004 22:00    96k  GZIP compressed tar ar>

----------

## GetCool

I use shorewall and I like it a lot.  Even if you do all your administration via its configuration files (like I do), it is extremely easy to set up and tailor to your needs.  I'm using pretty simple configurations, however, so I'd have to say that the "best" firewall is probably going to vary from case to case.

----------

## scout

 *Deathwing00 wrote:*   

> http://france.shorewall.net/pub/shorewall/shorewall-2.0.1/
> 
> shorewall-2.0.1.tgz     05-Apr-2004 22:00    96k  GZIP compressed tar ar>

 

Ok, I see now that it's the doc which is heavy ... I just considered the size that appeared in emerge -s

----------

## Deathwing00

 *scout wrote:*   

>  *Deathwing00 wrote:*   http://france.shorewall.net/pub/shorewall/shorewall-2.0.1/
> 
> shorewall-2.0.1.tgz     05-Apr-2004 22:00    96k  GZIP compressed tar ar> 
> 
> Ok, I see now that it's the doc which is heavy ... I just considered the size that appeared in emerge -s

 

Indeed, it's incredible that the documentation for 'such a simple program' is about 20 times bigger than the program itself.

----------

## Beckman

```
beckman@Sinlex beckman $ cd /usr/portage/net-firewall/
beckman@Sinlex net-firewall $ ls
arptables  firehol      fwbuilder  gtk-iptables       ipkungfu     knetfilter
dshieldpy  firestarter  fwipsec    guarddog           ipsec-tools  psad
dynfw      firestorm    giptables  ipchains           iptables     shorewall
ebtables   fwanalog     gshield    ipchains-firewall  kmyfirewall
beckman@Sinlex net-firewall $
```

well  :Razz: 

which one? hehe   :Rolling Eyes: 

----------

## ikaro

I use shorewall; it doesn't have a GUI but it's very configurable and easy to use.

----------

## Beckman

Thanks, just wanted to start somewhere.

Don't want to try them all  :Razz: 

Will try this one  :Very Happy: 

----------

## justanothergentoofanatic

Firehol has a better user interface IMO. Shorewall configuration information is scattered among different files in a very cron-like and human-unfriendly syntax. It also requires the user to muck about with needless details about his network connection, such as whether he's been assigned a public or private IP address (can't it tell?).

Since all Firehol scripts are Bash scripts, you can easily organize them in whatever manner seems best. The syntax is declarative, usually placing subjects, adjectives, and verbs next to each other instead of haphazardly flinging them across the filesystem.

A sample Firehol config file:

```
interface eth0 internet
    protection strong
    client all accept
```

-Mike

----------

## codergeek42

I'm quite partial to firestarter. It has a nice GTK+2 GUI and it is quite easy to set up open/blocked/stealthed ports and packet types, etc.

----------

## spudicus

 *Beckman wrote:*   

> 
> 
> ```
> beckman@Sinlex beckman $ cd /usr/portage/net-firewall/
> 
> ...

 

I'd recommend iptables :p

Shorewall seems to be popular, as does firestarter/fwbuilder.

The following aren't firewalls:

psad detects portscans

ipsec-tools is for   :Surprised:  ipsec

ipchains/ipchains-firewall are firewalls but are becoming outdated (I'll probably get shot for saying that  :Smile: )

arptables is a firewall but acts at a lower level than iptables, so you probably don't want/need that.

There's also Monmotha's firewall script which is already written for you but just needs the appropriate variables set.

----------

## bin-doph

iptables rule and the advantage is, if u know iptables u know what ur doing, which is one of the most important steps in maintaining a firewall/packetfilter. If you can handle a GUI but don't know what's going on in the background you could install windoze XP as firewall also

http://www.netfilter.org/documentation/index.html

if u understand german, oreilly has published a nice book (for free) about firewalls/security

http://www.oreilly.de/german/freebooks/linuxfireger/index.html

hth

-fe

----------

## Beckman

perfect  :Very Happy: 

yap german is fine

And that's what I'd prefer: iptables.

Cos in firestarter there was no option to block all ports 1024+ and these more advanced things, so I think I'll go with the iptables thing  :Very Happy: 

thanks for the ebooks

----------

## IMTheNachoMan

OK, so I have a working Gentoo install.

Now the only thing I figure I need is network security.

I'm trying to get iptables working.

However, I honestly don't have the time to figure out all the config files and crap.

I'm a college student and I could easily spend a few hours reading it and the man pages,

but I just don't have time.

I found a few GUI progs that use it:

firestarter

gtk-iptables

(anyone know of any more? I'm not using KDE, so if it needs KDE, no good)

Only prob is I don't know what the best one is.

If anyone has any recommendations I'd appreciate it.

Thank you in advance,

and if you're just gonna post to say I'm a moron 'cause I don't wanna read the docs then please don't.

I could learn how all of it works if I needed/wanted to,

but I just don't have the time.

I figure why re-invent the wheel? If someone else made a prog to make it easier then I shall use it.

Thank you again,

nacho

IMTheNachoMan on irc.freenode.net

----------

## kepik_k

I don't know about GUI programs but I have a short self sensing (for 2 nics) script that is customizable (by default everything is turned off)

Someone gave it to me a long time ago and I don't know who to properly thank for it, but if you want I can post it.

----------

## rbr28

You don't get a nice gui with shorewall, but it's really easy to configure.  The quick guides on their site, are about as concise as you are going to get.  If you just have a single machine, they also have sample config files.  For a home setup, you can take those config files, drop them in /etc/shorewall, make a couple easy edits, and be ready to go.  All their config files are very well commented also.

If you use shorewall though, I would suggest using ~x86 on the emerge to get ver. 2.2 or later.  If you use something like metalog, it's also really easy to pull shorewall logging data out of your log.  I just search for the regexp Shorewall: (which a config file for shorewall sets up as the prefix to any log entry), and put all that info in a separate log.

A couple of other tips... make sure you edit shorewall.conf to enable startup (it's one of the first lines in the config), and you may also want to make a symbolic link for /var/log/messages to whatever log you want, such as /var/log/everything/current if you are using metalog.  If you look at shorewall.conf you will see why, although there are plenty of other ways to achieve the same result.
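As an added example (not rbr28's own setup, and not code from Shorewall or metalog) of what you can do with those "Shorewall:" lines once they are in a separate log: a small shell/awk summary of which sources and ports the firewall is dropping or rejecting. The log lines are constructed samples in the netfilter LOG layout with Shorewall's default "Shorewall:<chain>:<disposition>:" prefix; the chain name net2fw, the addresses and the log path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: summarise Shorewall DROP/REJECT log lines.
# Constructed sample lines (netfilter LOG layout, Shorewall's default
# "Shorewall:<chain>:<disposition>:" prefix); addresses and chain are made up.
SAMPLE_LOG='Mar  3 10:01:02 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:03 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:04 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=77 DF PROTO=TCP SPT=52000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:05 fw kernel: Shorewall:net2fw:REJECT:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=9 PROTO=UDP SPT=1900 DPT=1900 LEN=20
Mar  3 10:01:06 fw sshd[123]: Accepted publickey for bob from 192.0.2.5 port 55555 ssh2'

# shorewall_lines: keep only the firewall's own log lines (stdin -> stdout);
# the same "Shorewall:" match rbr28 uses to split them into their own log
shorewall_lines() {
    grep 'Shorewall:'
}

# top_sources: packets dropped/rejected per source address, busiest first
# (prints "<count> <address>")
top_sources() {
    shorewall_lines | awk '{
        src = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
        if (src != "") n[src]++
    } END { for (s in n) print n[s], s }' | sort -rn
}

# ports_hit: which protocol/port combinations were probed, busiest first
# (prints "<count> <PROTO>/<port>")
ports_hit() {
    shorewall_lines | awk '{
        proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (dpt != "") n[proto "/" dpt]++
    } END { for (k in n) print n[k], k }' | sort -rn
}

# report FILE: both summaries for a real log, e.g.
#   report /var/log/everything/current   (metalog, as in rbr28's setup; assumed path)
report() {
    echo "== packets per source =="
    top_sources < "$1"
    echo "== ports probed =="
    ports_hit < "$1"
}

if [ $# -gt 0 ]; then
    report "$1"
else
    # no file given: run on the constructed samples
    printf '%s\n' "$SAMPLE_LOG" | top_sources
fi
```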

----------

## teilo

I'll second that. No GUI in shorewall, but it is very easy to use in a single-machine configuration, as all my servers are.

If you understand the terms: source, destination, port, ip, tcp, and udp, then you already know everything you need to know to configure shorewall.

NAT/router setups (with your linux box serving as the router) are more complicated, but still vastly easier to setup in shorewall than doing it by hand with iptables commands.

----------

## paul555

Hi all, because I am a real novice in understanding security I want to learn how I can make my Gentoo box more secure. Also, in Linux can you be affected by viruses? And last, what firewall can I use? (Remember I am really a novice, but I would like to learn.)

----------

## darkcoder

There are some steps that can be done to enhance computer security.

1. If your computer is exposed to other persons, you can first add a password to your grub menu.  That will restrict users from changing, or bypassing it.

2. Also, the system has a list of user accounts, many of them assigned to server daemons (services) like web server, file server, etc.  While Gentoo already provides a very secure setting in which those "server accounts" are assigned a shell that prevents logging in with them (/bin/false), the most secure setting is not having them at all.  If you have no interest in installing services like those mentioned before, you can remove the accounts associated with them from the user and group files.  The files are /etc/passwd and /etc/group.  Important: (1) make a backup of the files first, and (2) never remove your user or root accounts.

3. A good and easy to use personal firewall is Firestarter.  It asks you some questions, like whether you have a web server, etc.; just answer no to all and you will be fine.

4. After installing the firewall, you can check if you have open ports visible from the outside world with the application nmap, or search Google for "online port scan".

There is a very good manual on hardening gentoo boxes http://www.gentoo.org/doc/en/gentoo-security.xml

----------

## bulash

You only have open ports if you run services listening on those ports (sshd, apache, mailserver, etc.). If you run those services and want them to be accessible to everybody (might be the case for a webserver  :Wink:  ) there is no real use for a firewall. You should make sure you configure your services securely, though. If you run a service such as sshd and only want certain computers to have access, a firewall may be useful.

IMHO, if you have no services running, you really don't need a firewall. Much more important is that you keep your system up to date.

----------

## omnicloud

What are some that people recommend?

----------

## NeddySeagoon

omnicloud,

IPCop and Smoothwall are good but they need a PC to themselves.

If its to run on your PC, there is only one - iptables.

However rule sets differ.

----------

## omnicloud

Okay, it looks like I'll be doing iptables. How is it to configure?

----------

## Slurp53

I vote for Firestarter.  GUI, easy to configure.  If you have a dedicated machine, Coyote Linux.  Runs on very low end hardware.

 :Very Happy:   :Very Happy: 

----------

## Nuteater

My vote goes for Shorewall.

It's easy to operate & configure (no GUI, though, but the syntax is simple and there are plenty of howtos) and it is IMHO the most featureful iptables frontend there is: VPN integration, DNAT, dynamic blacklisting, traffic control... you name it.

I've been using it for a year or so and never looked back  :Wink:  .

Consider the following example from the rules-file:

```
ACCEPT  lan  fw  tcp  4444
```

to accept traffic from LAN to the machine running Shorewall targeting TCP port 4444. Here 'lan' is defined in the hosts-file to be a zone of everything coming from eth0 with source addresses in 192.168.0.0/24 like this:

```
lan  eth0:192.168.0.0/24  tcpflags,nosmurfs
```

Here the options tcpflags and nosmurfs automatically filter packets that have unclean tcp flags or come from a broadcast address.

Clean & simple!  :Smile: 

----------

## tkdfighter

 *Nuteater wrote:*   

> My vote goes for Shorewall.

 

Ditto  :Very Happy: 

----------

## krolden

 *tkdfighter wrote:*   

>  *Nuteater wrote:*   My vote goes for Shorewall. 
> 
> Ditto 

 

Ditto²  :Wink: 

----------

## Sith_Happens

Shorewall is a really easy way to configure iptables (that's all shorewall and firestarter do: they configure iptables and provide logging options).  You only need to edit three files to set up an effective and usable personal firewall, and setting up a dedicated firewall is simple with shorewall as well.  Here is a post where I show how to easily set up shorewall, so check it out.  Just emerge shorewall, edit /etc/shorewall/rules, /etc/shorewall/interfaces, and /etc/shorewall/policy to look like the files in my first post (edit them to your needs; they are not too hard to understand), run rc-update add shorewall default, and you're done.  I also talk about logging shorewall messages to a separate file using syslog-ng.

----------

## inode77

If you like to have a dedicated firewall I'd go with either shorewall or an OpenBSD/pf setup.

To build a personal firewall, just a few lines iptables are needed and I write them by hand normally.

----------

## Sith_Happens

OpenBSD is the sh!t when it comes to firewalls.

----------

## ugus

i am using guarddog . it is easy to configure

----------

## rai

If you have spare pc then i recommend m0n0wall.

----------

## spikeddem

Nothing, security wise, beats the old scissors to the ethernet cord  :Smile:   You lose some functionality though :/

edit:  Sith, thanks for your post-link.  :Smile: 

----------

## Sith_Happens

Sure thing, I think I'm going to make a documentation post on how to quickly configure shorewall to make a personal firewall.  I'll have to do it tonight though, right now I'm away from my computer.    There are a couple how-to's on creating iptables scripts, but none on shorewall.

----------

## Sith_Happens

Alright, here is my tutorial.  Check it out, tell me what you think.  I'm itching for some feedback (positive or negative).

----------

## spankmeister7

I want to install a firewall on a stand-alone web server. The box does NOT need to do NAT, routing, forwarding, or masquerading, etc. It's just a solo webserver with a single, real-world IP address.

I read the so-called "newbie-friendly" writeup at gentoo-wiki for ipchains, but that application assumes that I want to do NAT, routing, and whatever else.

The question is, is there an easy ipchains config tool like Firestarter that I can use from the shell? The webserver does not have X on it, and Firestarter wants to use X.

----------

## RlC

shorewall

[edit]:

made the link to show "shorewall" but the link themselve

Last edited by RlC on Wed Sep 14, 2005 3:25 pm; edited 2 times in total

----------

## minskpower

I don't think you need to "install" a firewall for such a setup. And shorewall would be a bit of overhead, with rules spread over too many conf files.

If I were you, I would just run a very simple iptables conf script, dropping everything and allowing only 80 tcp (443?) and maybe icmp 8. To remote admin the machine I would also let ssh in, but only from a restricted set of IPs.
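
The standalone-web-server ruleset minskpower describes here (and ozonator's earlier point about letting sshd be reached only from a few addresses), as an added example that is not from any post in this thread: a POSIX shell script that emits the policy in iptables-restore format so it can be reviewed before it is loaded. The admin network 203.0.113.0/24, the web ports and the log prefix are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal stateful ruleset for a
# standalone web server with a single public address. Nothing here needs
# NAT or forwarding. Values below are assumptions; adjust before use.
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"   # assumed network allowed to reach sshd
WEB_PORTS="${WEB_PORTS:-80,443}"           # assumed public web ports

# build_rules prints the ruleset to stdout in iptables-restore format and
# applies nothing, so it can be read or diffed before it goes live.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is always fine
-A INPUT -i lo -j ACCEPT
# replies to connections this host started, plus related traffic (ICMP errors)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# packets that belong to no known connection and are not a fresh SYN
-A INPUT -m state --state INVALID -j DROP
# public web service
-A INPUT -p tcp -m multiport --dports ${WEB_PORTS} -m state --state NEW -j ACCEPT
# ping (icmp type 8), rate-limited so a flood does not eat the CPU
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/sec -j ACCEPT
# ssh only from the admin network
-A INPUT -p tcp --dport 22 -s ${ADMIN_NET} -m state --state NEW -j ACCEPT
# everything else: log a sample, then fall through to the DROP policy
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# apply_rules loads the ruleset atomically: iptables-restore replaces the
# whole table in one step, so there is no window with half a policy loaded.
apply_rules() {
    build_rules | iptables-restore
}

# rule_count: number of ACCEPT rules in the generated policy, as a sanity check
rule_count() {
    build_rules | grep -c -- '-j ACCEPT'
}

case "${1:-}" in
    show)  build_rules ;;
    apply) apply_rules ;;
esac
```

Run it as `sh firewall.sh show` to review the policy and `sh firewall.sh apply` (as root) to load it.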

----------

## fatcat.00

Try firestarter.  It is a nice gtk+ front-end that generates an iptables script.  Very easy to use.

----------

## micmac

Hi,

Set up shorewall: 

```
emerge shorewall
```

You can find quick start guides at its website http://www.shorewall.net/shorewall_quickstart_guide.htm.

Cheers

mic

----------

## DNAspark99

Once again, I can not recommend fireHOL enough.

I've spent the time to emerge and configure several different popular firewalls. In the end, it was firehol that had me hooked. 

I too handle more than one server, and with firehol's quick, clear, highly configurable syntax, no matter what the machine's purpose, it's easy to set up an excellent firewall in a matter of minutes. This was the tool I wasted much time to find. Save yourself the trouble, take a look at fireHOL!

Last edited by DNAspark99 on Tue Sep 13, 2005 7:02 am; edited 1 time in total

----------

## zeek

Go with Shorewall.

----------

## gozu

I personally find all of these solutions overkill for what most people need. I would suggest, as already suggested, just make a little itty bitty iptables script  :Smile: 

----------

## spankmeister7

It took quite some time to get Shorewall installed and configured correctly. My real problem is the how-tos assume a config I'm not using.

Finally I got it all correctly installed and configured. The nice part is, there is only one easy file (rules) to edit to make it do what I want (allowing certain traffic on certain ports, keeping all else closed) in the future. Easy to admin, hoo!

I'll take a look at fireHOL for my next project.

As far as straight up iptableschainswhatever, I just find the documentation and examples too cryptic to understand in the small amount of time I have considering my many responsibilities and clients. I'm no stranger to admin and networking stuff, but I think it's crazy that what should be administered through a single, simple config file has to be an exercise in scripting.  For those who already know about it of course it's easy. Telling the rest of us how easy it is for THEM does the rest of us NO GOOD AT ALL.  Not only is it not constructive, but really it's just the kind of techno-machismo that turns the otherwise willing away. What good is the best security feature if a non-expert can't get it to work? The sad part is that I understand the syntax and concept of what firewall tables look like...

Screw iptableschainswhips scripting.

My $0.02

----------

## micmac

 *spankmeister7 wrote:*   

> It took quite some time to get Shorewall installed and configured correctly. My real problem is the how-tos assume a config I'm not using.
> 
> Finally I got it all correctly installed and configured. The nice part is, there is only one easy file (rules) to edit to make it do what I want (allowing certain traffic on certain ports, keeping all else closed) in the future. Easy to admin, hoo!
> 
> I'll take a look at fireHOL for my next project.
> ...

 

Well spoken!

mic

----------

## crashoverride659

Anybody have any preferences on firewalls? I would like to get one but I have no idea on what firewalls are good for Linux!

Please feel free to be biased in whatever firewall you use.

thanks in advance,

Crash

----------

## DNAspark99

personally, I'm a fireHOL fan

----------

## crashoverride659

any particular reasons? experiences?

----------

## ticho

I have been using shorewall for several years, and it has always been able to support all my whims and firewalling needs. It also allows you to add custom iptables rules (in addition to rules generated from your shorewall config), has config file checking (check for validity before trying to activate defined rules), and various other options - I guess I'm using only about half of the features it offers.

fireHOL looks good as well, though, judging by a brief read through the tutorial on its website.

----------

## syg00

Not knowing how to proceed initially, I used this to get going.

Still using shorewall ...

----------

## crashoverride659

I'm STILL researching into a firewall, if anybody has any more input on what they use and why...

Thanks a lot,

Crash

----------

## magic919

Unless I'm mistaken there's only one Linux firewall - iptables - part of the kernel.

You can manipulate iptables directly or you can use 101 different GUIs, scripts and frontends.

Look for some good iptables primer/HOWTO articles.  Then, having read them, decide if you want to get your hands dirty and deal with iptables, or whether to use a middleman.

If you go down the scripts/gui route and it doesn't work or adapt as your needs change you'll be a bit lost.

Most of the iptables queries on here involve scripts/GUIs.  Many produce overly complex firewalls, IMO.

For a standalone workstation running no servers, you can protect with <6 lines of iptables I'd say.  I can't see the point barring ANY outgoing stuff if you have control over the machine itself.  Virus/trojans etc not a high priority with decent security.

I used this http://www.pettingers.org/code/firewall.html but left out the malformed packet stuff.  Only open up for SMTP and such if you actually use the servers on your machine.

----------

## ticho

Yes, it is definitely a plus if you know how to work with iptables directly, and are aware of its capabilities. Many of the frontend scripts (such as shorewall) are much easier to use then. It is all because iptables is a very complex tool, so any frontend tool has to be complex as well, if it aims to utilize iptables fully.

----------

## DNAspark99

ok, to expand a little, I chose fireHOL because it's very clear what machine is doing what (on multiple machines in different roles, the config syntax is easily understandable at a glance - and *very* easy to add or adjust rules)

deals with a simple concept: two types of basic connections - 

 server: allow incoming connections to $service

 client: allow outgoing connections for $service

```
trusted_ips="192.168.0.0/32"

interface eth0+ internet
        server icmp      accept src "$trusted_ips"
        server ssh       accept with knock SSH
        server http      accept
        server https     accept
        server dns       accept
        server smtp      accept src "$trusted_ips"
        client https     accept
        client http      accept
        client ssh       accept
        client dns       accept
        client rsync     accept
        client ftp       accept
        client icmp      accept
        client smtp      accept
        client ntp       accept
```

so with no prior knowledge of what this box does, a quick look at the config file should make it very obvious what is and what isn't allowed.

Even something as simple as:

```
interface eth0+ internet
        client all       accept
```

results in a very useful firewall for the average workstation.

A user-quote on the homepage sums it up:

 *Quote:*   

> I still marvel at the shortness and simplicity of your configuration language contrasted against the completeness and tightness of the fully stateful iptables rules!

 

I tried all the popular firewall tools (+gui, scripted, etc), but once I actually tried fireHOL, I unmerged everything else.

----------

## codergeek42

 *DNAspark99 wrote:*   

> personally, I'm a fireHOL fan

 As am I. Its syntax is very sensible and is comparatively simple to use. No hassling with iptables commands or port numbering, etc. There's no flashy GUI or anything, but it's an excellent iptables configuration tool. You want SSH support? Cool: Add something like "server ssh accept" to your config. It really is fantastic and it really is that simple.  :Very Happy: 

----------

## DNAspark99

 *codergeek42 wrote:*   

>  *DNAspark99 wrote:*   personally, I'm a fireHOL fan As am I. Its syntax is very sensible and is comparatively simple to use. No hassling with iptables commands or port numbering, etc. There's no flashy GUI or anything, but it's an excellent iptables configuration tool. You want SSH support? Cool: Add something like "server ssh accept" to your config. It really is fantastic and it really is that simple. 

 

ntm, in the case of ssh, the simplicity of adding support for port-knocking!

...just set up knockd to listen for the knock (hopefully on ports more random than 1,2,3,4,5 :p)

/etc/knockd.conf: 

```
[openSSH]
        sequence    = 1,2,3,4,5
        seq_timeout = 5
        command     = /sbin/iptables -A knock_SSH -s %IP% -p tcp --dport 22 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT && /sbin/iptables -A knock_SSH -d %IP% -p tcp --dport 1024:65535 --sport 22 -m state --state ESTABLISHED -j ACCEPT
        tcpflags    = syn

[closeSSH]
        sequence    = 5,4,3,2,1
        seq_timeout = 5
        command     = /sbin/iptables -D knock_SSH -s %IP% -p tcp --dport 22 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT && /sbin/iptables -D knock_SSH -d %IP% -p tcp --dport 1024:65535 --sport 22 -m state --state ESTABLISHED -j ACCEPT
        tcpflags    = syn
```

then in /etc/firehol/firehol.conf:

```
...
server ssh accept with knock SSH
...
```

...then just use a simple bash script to handle the knocking for you...

```
#!/bin/bash
# Placeholder values: fill in your own server address, login name and key file.
SERVER="IP.OF.YOUR.SERVER"
USER="bob"
KEY="$HOME/.ssh/keys/yourkeyname"
# knockd sequences from /etc/knockd.conf, space separated for the knock client
OPEN_SEQ="1 2 3 4 5"
CLOSE_SEQ="5 4 3 2 1"

echo "Knock knock..."
# $OPEN_SEQ/$CLOSE_SEQ are left unquoted on purpose: each port is a separate argument
/usr/bin/knock "$SERVER" $OPEN_SEQ
ssh -i "$KEY" "$USER@$SERVER"
/usr/bin/knock "$SERVER" $CLOSE_SEQ
echo "thanks for knocking!"
```

simple, effective, and no more automated ssh attempts!
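As an added check (not part of knockd, firehol or the post above), here is a Python script that reads a knockd.conf of the shape shown and flags the weaknesses the post jokes about, such as a sequence like 1,2,3,4,5 whose ports form a constant-step run. It uses configparser with interpolation switched off, because knockd's %IP% placeholder would otherwise be read as configparser syntax, and strips the indentation knockd files use so an indented key is not taken as the continuation of the previous value. The two sample configs, the thresholds (at least 4 ports, seq_timeout no larger than 30) and the wording of the findings are constructed assumptions.

```python
import configparser
from typing import Dict, List

# Constructed sample in the shape of the knockd.conf above (commands shortened).
SAMPLE_WEAK = """\
[openSSH]
    sequence    = 1,2,3,4,5
    seq_timeout = 5
    command     = /sbin/iptables -A knock_SSH -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
[closeSSH]
    sequence    = 5,4,3,2,1
    seq_timeout = 5
    command     = /sbin/iptables -D knock_SSH -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
"""

# Constructed sample with an irregular sequence (the port numbers are arbitrary).
SAMPLE_OK = """\
[openSSH]
    sequence    = 7000,30213,8291,61449
    seq_timeout = 5
    command     = /sbin/iptables -A knock_SSH -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
[closeSSH]
    sequence    = 61449,8291,30213,7000
    seq_timeout = 5
    command     = /sbin/iptables -D knock_SSH -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
"""


def parse_sequence(raw: str) -> List[int]:
    """Turn '7000,8000:udp,9000' into [7000, 8000, 9000]; knockd allows a
    ':proto' suffix per port, which is ignored here."""
    ports = []
    for tok in raw.split(","):
        num = tok.strip().split(":", 1)[0]
        if not num.isdigit() or not 1 <= int(num) <= 65535:
            raise ValueError(f"bad port in sequence: {tok.strip()!r}")
        ports.append(int(num))
    return ports


def is_constant_step(ports: List[int]) -> bool:
    """True for runs like 1,2,3,4,5 or 5,4,3,2,1 (and for a single port)."""
    if len(ports) < 2:
        return True
    step = ports[1] - ports[0]
    return all(b - a == step for a, b in zip(ports, ports[1:]))


def check_knockd(text: str, min_len: int = 4, max_timeout: int = 30) -> Dict[str, List[str]]:
    """Return {section: [findings]}; an empty list means nothing was flagged."""
    # interpolation=None: knockd's %IP% placeholder is not configparser syntax.
    cp = configparser.ConfigParser(interpolation=None)
    # knockd files indent their keys; strip that so configparser does not read
    # an indented line as a continuation of the previous value.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    findings: Dict[str, List[str]] = {}
    for section in cp.sections():
        if section == "options":          # knockd's global section, not a knock
            continue
        s = cp[section]
        notes: List[str] = []
        if "sequence" not in s:
            findings[section] = ["missing sequence"]
            continue
        ports = parse_sequence(s["sequence"])
        if len(ports) < min_len:
            notes.append(f"short sequence: {len(ports)} ports, want at least {min_len}")
        if is_constant_step(ports):
            notes.append("predictable sequence: ports form a constant-step run")
        if len(set(ports)) != len(ports):
            notes.append("repeated ports in sequence")
        timeout = s.get("seq_timeout")
        if timeout is None:
            notes.append("missing seq_timeout")
        elif not timeout.isdigit() or int(timeout) > max_timeout:
            notes.append(f"seq_timeout {timeout!r}: expected a number no larger than {max_timeout}")
        if "command" not in s:
            notes.append("missing command: the knock would do nothing")
        if "tcpflags" not in s:
            notes.append("tcpflags not set (the config above limits knocks to SYN packets)")
        findings[section] = notes
    return findings


if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("ok", SAMPLE_OK)):
        for section, notes in check_knockd(text).items():
            print(f"{name} [{section}]: {notes or 'no findings'}")
```

Running it against the first sample reports both knock sections as predictable; the second passes clean. The script only inspects the config, so it can run on a copy of the file without touching iptables.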

----------

## rev138

I've been using Shorewall for several years and I'm very happy with it. 

While I now find it easier to edit the config files directly, the Webmin frontend for Shorewall was a big help as a n00b.

----------

## pjp

Merged a few threads.

----------

## codergeek42

Oh that's very nifty, DNAspark99. Thank you.  :Very Happy: 

----------

## GetLinux

I'm not sure I should be looking at a GUI firewall or not. I'm really not comfortable with the idea of writing a script (i.e., relying on my own limited security knowledge) to "make" a firewall. I've seen some references to fwbuilder and ipkungfu, but it appears that "kungfu" has not had a release in several years, and "builder" is just a GUI to a script?

Is this because all Linux firewalls have to use iptables or something?

I'm just wondering what's the most *reliable* way to go to get an easy-to-use firewall that does stealthing as well as blocking suspicious traffic in/out...e.g., all the same features as any "major" firewall (ZoneAlarm, Norton Personal Firewall, Kerio Personal Firewall).

Hopefully, without writing my own scripts...something I can just install and run, and make changes to as needed.

----------

## PaulBredbury

Try Firestarter. Yes, iptables is the standard Linux firewall.

----------

## BoNd60

Personally, I use guarddog. Never had to complain (but I don't know how to run it at boot).

----------

## tuxmin

I second firestarter as a good starting point. If you like to have more influence on the created ruleset you might want to take a look at fwbuilder.

Hth, Alex!!!

----------

## erikm

My choice is firehol. Easy to configure, yet advanced if need be, and no ugly gui's  :Wink:  .

----------

## dambacher

I think, shorewall is a good choice:

documentation good

easy to configure

easy to adapt to complex networking

----------

## GetLinux

Yeah, OK, so iptables IS the firewall. I got a good book on security that has 1 chapter covering iptables and ipchains (linux 2.2-2.3x): Linux Security Cookbook (by Barrett, Silverman & Byrnes, pub. O'Reilly, ISBN# 0-596-00391-9). It makes everything easy to understand, and it also has good coverage of Tripwire (system snapshots and integrity checks), access control, authentication, etc.

----------

## dundas

fireHOL sounds great for a firewall newbie like me, since I kinda found the whitelist/blacklist function of shorewall hard to use (can't I just block everyone for a certain service and allow them 1 by 1?), and I found that could be done easily wiz fireHOL.

correct me if I'm wrong....

thx a lot for the info!

----------

