
Ask Slashdot: User-Friendly Firewall For a Brand-New Linux User?

timothy posted about 4 months ago | from the perfect-security-on-the-way dept.

Security 187

An anonymous reader writes "I am a new Linux user; I'm on my 2nd day now. Currently I am trying out Ubuntu, but that could change. I am looking for a user-friendly firewall that I can set up that lets me do these things: 1) set up a default deny rule; 2) carve out exceptions for these programs: browser, email client, chat client, yum and/or apt; 3) carve out exceptions to the exceptions in requirement 2 — i.e. I want to be able to then block off IPs and IP ranges known to be used by malware, marketers, etc., and all protocols which aren't needed for requirement 2. It also needs to have good enough documentation that a beginner like me can figure it out. Previously, I had done all of the above in AVG Firewall on Windows, and it was very easy to do. So far, I have tried these things: 1) IPTABLES — it looked really easy to screw it up and then not notice that it's screwed up and/or not be able to fix it even if I did notice, so I tried other things at that point... 2) searched the internet and found various free firewalls such as Firestarter, GUFW, etc., which I wasn't able to make meet my requirements. Can someone either point me to a firewall that meets my needs or else give me some hints on how to make Firestarter or GUFW do what I need?"


187 comments

Shorewall (4, Informative)

ttucker (2884057) | about 4 months ago | (#46671087)

Shorewall is a pretty good iptables configuration tool.

Re:Shorewall (0)

Anonymous Coward | about 4 months ago | (#46671131)

I can echo support for this tool. I use it on a wide variety of machines (including my laptop). It's very easy to set up and maintain.

Re:Shorewall (4, Insightful)

Durrik (80651) | about 4 months ago | (#46671137)

Shorewall is very nice. For the user I would suggest using it and installing webmin to configure it. Webmin does an OK job configuring shorewall which is already pretty easy to set up, just it can be fairly confusing for the first timer with all the config files. After the first few times with webmin you learn how to do it with the command line and vim.

Bastille-linux is also something that was fairly easy to use in the past. I used that before shorewall, but I haven't used bastille for years, must be at least a decade, so I don't know what the current state of it is.

Re:Shorewall (2, Funny)

Anonymous Coward | about 4 months ago | (#46671239)

Shorewall is very nice. For the user I would suggest using it and installing webmin to configure it. Webmin does an OK job configuring shorewall which is already pretty easy to set up, just it can be fairly confusing for the first timer with all the config files. After the first few times with webmin you learn how to do it with the command line and vim.

So let me sort this out, in order to easily configure iptables, shorewall is a good solution, but to configure shorewall, I will want to use webmin. So what do I need to install to configure webmin?

No wonder why the year of the linux desktop will never be.

Re:Shorewall (5, Funny)

dreamchaser (49529) | about 4 months ago | (#46671279)

So what do I need to install to configure webmin?

The IQ of a chimpanzee should suffice.

Re:Shorewall (1)

Jmc23 (2353706) | about 4 months ago | (#46671427)

Is that a cold press extraction or your basic toxic-solvent + centrifuge?

Re:Shorewall (1)

rahvin112 (446269) | about 4 months ago | (#46672153)

With or without poop throwing?

Re:Shorewall (1)

dreamchaser (49529) | about 4 months ago | (#46672167)

The throwing of fecal matter is optional. That's the beauty of open source; it allows the user to have a choice.

Re:Shorewall (3, Informative)

ttucker (2884057) | about 4 months ago | (#46671441)

So let me sort this out, in order to easily configure iptables, shorewall is a good solution, but to configure shorewall, I will want to use webmin. So what do I need to install to configure webmin?

You might be surprised to find that using several layers of abstraction is relatively common in the computer world, and that your much vaunted probably does something very similar.

Re:Shorewall (2)

Antique Geekmeister (740220) | about 4 months ago | (#46671743)

Go back to the original spec. The poster wants a stable, sophisticated, flexible firewall. They also want it to be easy to configure. These are distinct, and to some extent contradictory requirements. And yes, for a new admin, the built-in "iptables" and most Linux firewall tools are confusing. Shorewall has a good reputation as robust and stable, and Webmin has an _excellent_ reputation as being a tool that makes system management much, much, easier.

In fact, testing webmin with just "Linux Firewalls" configuration tool built into it might be enough.

Re:Shorewall (1)

Lumpy (12016) | about 4 months ago | (#46672023)

Then he needs to install DD-WRT on a router in front of his PC.

what he actually wants to configure is application (0)

Anonymous Coward | about 4 months ago | (#46671315)

He wants a global way of configuring which applications have the capability to connect to what servers or open what ports. This is a different meaning of 'firewall' than is used in the Unix world.

AFAIK there's already some capability enforcement prohibiting some programs from accessing the Internet in modern Linux distributions, but, I don't really know how it's configured either.

User friendly, as in having GUI? (0)

Anonymous Coward | about 4 months ago | (#46671937)

I've used Zentyal for some time: Ubuntu based, powerful, very easy even if a little canned up (you MUST use the GUI or risk ruining your setup).

Also Untangle is very good, powerful and easy.

King of simplicity can be ipCop: it's been going for years and is very well made, strong, flexible and easy to use.

Of course you can use Shorewall or even ufw (Uncomplicated Firewall, bundled with Ubuntu Server), both GUI. Webmin will give you a pretty good front end for shorewall.

Astaro / Sophos (0)

therealkevinkretz (1585825) | about 4 months ago | (#46671099)

I've used Astaro for years and been very happy with it. It includes many free features (VPN is great) and there are other features you can add for a fee. Sophos purchased it a couple of years ago and still have a very featured free version.

http://www.sophos.com/en-us/pr... [sophos.com]

I always considered BSD's PF more logical (0)

Anonymous Coward | about 4 months ago | (#46671103)

And more user-friendly to set up. It should be available for all decent Linux dists, too.

Firestarter (0)

Anonymous Coward | about 4 months ago | (#46671117)

Unless I'm mistaken... I may very well be... Firestarter is just an interface to iptables.

K

Guarddog: (1)

deego (587575) | about 4 months ago | (#46671119)

I always thought of guarddog as the simplest, easiest, friendly GUI-based firewall.

It's still around, of course, but IDK why it vanished from Debian starting wheezy. Made me switch to the command-line based ufw ... about time!

Re:Guarddog: (1)

antdude (79039) | about 4 months ago | (#46672077)

Because it is no longer updated. I used to use it too, but it doesn't work with the latest stable Debian and its Kernel versions. :(

Ask Slashdot? (-1)

Anonymous Coward | about 4 months ago | (#46671121)

I guess reading howto is out of the question.

Okay, for you, just pick the one with the prettiest colors, but do avoid pastels, unless you're queer, which, by the nature of your question, you just might be!

Oh hell, just buy a Mac...

Re:Ask Slashdot? (0)

Anonymous Coward | about 4 months ago | (#46671407)

You shouldn't have to read a HOWTO to set up a simple firewall. It should be a "click-click-done" job.

Re:Ask Slashdot? (0)

jedidiah (1196) | about 4 months ago | (#46672009)

You're either doing nothing particularly interesting in which case any consumer appliance will do.

Or you are doing something inherently interesting and should not be a total rube while doing it. In that case, you should be able to deal with the iptables interface or seriously reconsider what you are doing.

There's a little issue of professional responsibility here. You should have enough pride to not want to be a menace to others and willing to do what it takes to ensure that.

Re:Ask Slashdot? (1)

Anonymous Coward | about 4 months ago | (#46671789)

Yeah, just read all the documentation to educate you about network security and firewalls, and then read all the documentation for all of the front-ends so you can make an educated decision about which one to use. It's not as if there are other people that know more than you that could advise you out of some fellow-feeling of community or anything. Not in linux-land at least, there you just get blasted for not re-doing all the work for yourself. I'm surprised you didn't demand they write their own version of iptables!

FreeBSD/PF (0)

Anonymous Coward | about 4 months ago | (#46671143)

PF speaks almost proper English like you and me.

No more iptables (0)

Anonymous Coward | about 4 months ago | (#46671145)

The latest beta of Ubuntu uses kernel 3.13 which does away with iptables. (Which is probably going to confuse tons of admins too. lol.)

Re:No more iptables (0)

Anonymous Coward | about 4 months ago | (#46671225)

is it now nftables?

User friendliest: (5, Funny)

Anonymous Coward | about 4 months ago | (#46671149)

I would suggest installing WINE and then running Windows Firewall.

Re:User friendliest: (1)

JohnVanVliet (945577) | about 4 months ago | (#46671395)

I would suggest installing WINE and then running Windows Firewall.

WTF!!! Are you "fracked in the head"?
iptables is way better

anyway you could not even do that

Re:User friendliest: (5, Funny)

Anonymous Coward | about 4 months ago | (#46672031)

case $- in
    *i* ) # Interactive shell
        if [ -f ~/noob ]; then
            source ~/noob
        fi ;;
esac
if [ -z "$DISPLAY" ] && [ $(tty) == /dev/ttyx ]; then
    whoosh
fi

Experts Recommend (1)

Anonymous Coward | about 4 months ago | (#46671169)

Something based on Windows XP if you value your family's security.

Re:Experts Recommend (2, Funny)

Anonymous Coward | about 4 months ago | (#46672179)

This expert trusts Windows 8 for my family's security. All the UAC prompts frustrate the would-be penetrators so they move on to other targets. And since there's no way to find the shutdown button, it provides my loved ones with rock solid, around-the-clock protection from evildoers.

Microsoft. Because your family's well-being shouldn't be entrusted to dirty hippies.

OpenBSD (1)

Anonymous Coward | about 4 months ago | (#46671171)

If you are willing to learn how to use a text editor, OpenBSD's pf is a pretty great home firewall. I run it on little Soekris box at home.

You will have a little learning curve, but you'll be getting a real firewall out of it.

The pf documentation is pretty good, and there are a ton of tutorials out there. Calomel.org has what is possibly the best one.

gufw (0)

Anonymous Coward | about 4 months ago | (#46671189)

The gufw will do most of what you want. If you need finer control then use the very friendly ufw command line tool. UFW has a great manual page so start there.

some notes (1)

taikedz (2782065) | about 4 months ago | (#46671197)

I know you've said you're trying to avoid screwing it up, but if you want, the CentOS wiki is pretty good for explaining what and why, and since it's a kernel firewall, it applies to Ubuntu too. In fact, I suspect all other "firewall tools" are basic GUI frontends to iptables. If you are indeed concerned about firewalling (though not quite as concerned as crypto-specialists), you probably at least want to have a go at it manually with some easy to understand notes

When in doubt, try it on a virtual machine of course.

I put together a general, documented, script [ducakedhare.co.uk] that I run on all my new installs; comment out any lines you don't need. nixCraft has some notes [cyberciti.biz] on restarting the Ubuntu iptables/firewall under what I assume is upstart.

Re:some notes (1)

gbjbaanb (229885) | about 4 months ago | (#46671215)

I agree - all the 'firewalls' are really just iptables configuration guis.

In the day I used to use APF [rfxn.com] , a text-based configuration tool. It was very easy to use.

Re:some notes (0)

Anonymous Coward | about 4 months ago | (#46671249)

I'm using a Mac, and after trialling a commercial Mac-specific firewall I tried to find an open source UNIX one.

What I found is none of the UNIX ones work the way I wanted. I don't want to block specific types of network traffic, I want to block specific processes.

I'm fine with apt-get talking to a package server for example, but I don't want *anything else* on the system to be able to communicate with those servers. A web browser can talk on port 80, but nothing else. Etc etc.

Also, when something is blocked... I want a GUI popup offering a chance to create an exception.

Little Snitch (1)

fyngyrz (762201) | about 4 months ago | (#46671931)

Have you tried Little Snitch [obdev.at] ? When an app tries to open an outgoing port, it intercepts it and pops up a dialog giving you the option to allow the app to open any port, just that port, just to that target -- and then you can qualify that with once, until reboot, or forever.

You can edit these settings later if you have a reason to.

I've found it to be very useful, and certainly not difficult in any way.

Not affiliated, just a happy customer.

UFW (0)

Anonymous Coward | about 4 months ago | (#46671199)

The built-in firewall in Ubuntu, UFW (https://wiki.ubuntu.com/UncomplicatedFirewall), is great, and very straightforward. If you find it not to be so, Linux might not be for you.

Why? Is it really necessary? (3, Insightful)

tqk (413719) | about 4 months ago | (#46671203)

I can understand trying to wall off Windows from what you can, but with non-Windows you just make sure you only enable services that you want. Use good passwords, lock it down so only what you want running can run, and don't listen to the script kiddies knocking on your door. Crank up the stereo.

I assume your box hangs off a router of some sort? It's probably all you need for a firewall.

Re:Why? Is it really necessary? (0)

Anonymous Coward | about 4 months ago | (#46671235)

I was going to troll with a 'Linux is so secure it doesn't need a firewall' comment, but a serious poster beat me to it.

Re:Why? Is it really necessary? (5, Interesting)

abhi_beckert (785219) | about 4 months ago | (#46671273)

You're making the assumption that all the bad stuff is outside the firewall and nothing evil ever gets in.

An example of how I use my firewall, is I block my email program from making any network connection other than imap/smtp. If it tries to make any other network connection (eg: downloading images from a web server), the firewall blocks it.

Re:Why? Is it really necessary? (1)

tqk (413719) | about 4 months ago | (#46671453)

... you just make sure you only enable services that you want.

I block my email program from making any network connection other than imap/smtp.

Is there an echo in here?

Re:Why? Is it really necessary? (0)

Anonymous Coward | about 4 months ago | (#46671781)

You clearly didn't comprehend. It's not just about enabling the services that you want, but making sure that even if the services behave in unexpected ways you're still covered.

For example, it's not unheard of for updates to suddenly misbehave...

Re:Why? Is it really necessary? (1)

Assmasher (456699) | about 4 months ago | (#46671369)

1997 called and wants its comment back...

Re:Why? Is it really necessary? (1, Insightful)

gdshaw (1015745) | about 4 months ago | (#46671911)

1997 called and wants its comment back...

For machines which are not routers the comment is just as valid now as it was then. If you use a GNU/Linux distribution that takes security seriously then it will not install any externally-visible network services by default. The attack surface in that condition is small enough that installing a firewall won't help much, and might even make matters worse. If you deliberately install any public-facing network services then you need to add matching firewall rules, so again no benefit.

A firewall does help if you install a private network service and forget to bind it to the loopback interface (unless you have one of those systems which automatically install a firewall rule alongside the network service, which totally defeats the purpose of having a firewall). In any event, this only protects against internal incompetence rather than external malice, so is not a necessary part of running a secure system.

Firewalls are useful on routers, and on servers where you want very specific control of what can be accessed from where (such as a DBMS that is only accessible from a single client machine), but for typical Linux-based hosts they add little.

Re:Why? Is it really necessary? (0)

Anonymous Coward | about 4 months ago | (#46671421)

I haven't had the need to set up a separate firewall since...well since I started using Linux. On Winders, it was essential to have a good 2 way firewall. Never had a Linux computer hacked that I noticed. (have had Windows boxes hacked to the point they'd hardly run.)

Re:Why? Is it really necessary? (1)

tqk (413719) | about 4 months ago | (#46671495)

Never had a Linux computer hacked that I noticed. (have had Windows boxes hacked to the point they'd hardly run.)

If this box was supplying connectivity to a LAN of Windows boxes, that would be a different thing. That isn't the case here.

m0n0 (0)

Anonymous Coward | about 4 months ago | (#46671207)

Mono: BSD based, but the UI is great. Best NAT/port forwarding interface I've seen.

Endian or Untangle (0)

Anonymous Coward | about 4 months ago | (#46671229)

Can't get any easier with an easy to use web interface

Wrong paradigm here (1)

emoreau (1247650) | about 4 months ago | (#46671243)

Ok, seems like you're trying to do things the Windows way, i.e. blocking outbound connections based on which application is running. Things are not done that way on Linux. Outbound connections are open and most of us are fine with it.

Re:Wrong paradigm here (0)

Anonymous Coward | about 4 months ago | (#46671295)

So why are you perfectly fine with it on Linux and conversely why should outbound connections be blocked by default on Windows?

Re:Wrong paradigm here (1)

emoreau (1247650) | about 4 months ago | (#46671523)

Because the malware situation on Windows got out of hand because of poor initial security decisions.

The days of innocence have ended (1)

Anonymous Coward | about 4 months ago | (#46671313)

Linux's "outbound connections are open" paradigm was designed in the good old days of innocence, before malware grew to current levels and before applications were phoning home.

In today's world, that early innocence is badly misplaced. Third party applications need to be restricted to nothing more than the outbound connections which the user permits.

Re:The days of innocence have ended (1)

emoreau (1247650) | about 4 months ago | (#46671359)

If you run applications that are included with your distribution, it is pretty safe to assume that they don't have to be blocked. If you run third-party applications, you will probably want to allow them to do their job and let them open whatever outbound connection they want to. Most users will allow anything anyway. Most people don't know enough to be able to decide what to permit.

Re:The days of innocence have ended (0)

Anonymous Coward | about 4 months ago | (#46671823)

sum=0

Re:Wrong paradigm here (-1)

Anonymous Coward | about 4 months ago | (#46671363)

Ok, seems like you're trying to do things the Windows way, i.e. blocking outbound connections based on which application is running. Things are not done that way on Linux. Outbound connections are open and most of us are fine with it.

No the paradigm is correct, it's just that the linux world is decades behind windows.

Re:Wrong paradigm here (1)

emoreau (1247650) | about 4 months ago | (#46671403)

You got me there. Those are really convincing arguments. You're the man!

Re:Wrong paradigm here (5, Funny)

Daniel Oom (2826737) | about 4 months ago | (#46671517)

Nothing wrong here: the Windows firewall is designed for keeping malware inside the PC and out of the Internet, the other firewalls are designed for keeping malware on the Internet out of the computer.

Re:Wrong paradigm here (1)

emoreau (1247650) | about 4 months ago | (#46671615)

That's the whole point

Re:Wrong paradigm here (3, Insightful)

Lesrahpem (687242) | about 4 months ago | (#46671399)

The parent poster is correct. Windows and Linux are totally different animals in regards to firewalls. There is only one firewall for Linux and it is built into the system. IPTables is how the firewall is configured. All other tools are just front-ends or wrappers for IPTables.

IPTables doesn't have support for application-based firewalling. You can do that kind of thing using something like the Grsecurity [grsecurity.net] patch for the kernel, but it is not for beginners.

Grsecurity will let you create policies exactly like what you're talking about and then some. For example, it will allow you to create a policy limiting which files and folders a given program can access. To be specific, on my machine I have a policy that Firefox can only write data to its own folders and to my Downloads directory, and can't execute/run any files inside those folders. That way, if somebody hits me with a drive-by download or something it simply won't work.

Re:Wrong paradigm here (2)

emoreau (1247650) | about 4 months ago | (#46671437)

I have to add that some of this stuffed is handled by SELinux. If you want a CGI script to be able to send an email on a Red Hat derivative, you have to explicitly add the rule to your SELinux configuration.

Re:Wrong paradigm here (1)

emoreau (1247650) | about 4 months ago | (#46671439)

Sorry I meant stuff, not stuffed

Re:Wrong paradigm here (2)

stevey (64018) | about 4 months ago | (#46671611)

Actually iptables does have support for matching based on the process. You might have run commands that include "-m recent", or similar. The "-m" is used to specify a module-name, and there are many matching modules available and included by default.

For example on a CentOS system you might allow your webserver to make outgoing SMTP connections via something fun like this: "iptables -A OUTPUT -m owner --cmd-owner httpd --dest-port 25 -j ACCEPT". (Why CentOS? Because it matches the command against HTTPD. On Debian systems the webserver process is more typically called 'apache2'.)

Hope that helps.

Re:Wrong paradigm here (2)

Lesrahpem (687242) | about 4 months ago | (#46671745)

For example on a CentOS system you might allow your webserver to make outgoing SMTP connections via something fun like this: "iptables -A OUTPUT -m owner --cmd-owner httpd --dest-port 25 -j ACCEPT". (Why CentOS? Because it matches the command against HTTPD. On Debian systems the webserver process is more typically called 'apache2'.)

The cmd-owner match was removed in kernel 2.6.14 because it was broken with SMP.

Re:Wrong paradigm here (1)

stevey (64018) | about 4 months ago | (#46671905)

Interesting thanks.

strings says I have the user-space component on my system, but it's been a long time since I used it so I didn't realize the kernel-support might have gone away.

Re:Wrong paradigm here (1)

amorsen (7485) | about 4 months ago | (#46671471)

This is changing though. If you run a distribution with SELinux enabled, many applications and daemons are likely to be blocked from making outbound connections. Changing the rules is somewhat difficult though; distributions generally assume that the user does not have a clue when asked whether frobnitzd should be allowed to connect to Slashdot, so there is no GUI for asking the user.

AppArmor can do it too, and the configuration is perhaps a bit easier. I have no idea how much Ubuntu restricts by default.

Re:Wrong paradigm here (1)

emoreau (1247650) | about 4 months ago | (#46671569)

Yes, that's why distributions now ship with less strict configurations. System daemons are tightly controlled, but end-user stuff is much more relaxed.

Re:Wrong paradigm here (1)

emoreau (1247650) | about 4 months ago | (#46671509)

I would also like to say that I spend most of my days writing software that uses network connections, so I would constantly be tweaking that damn firewall if I was using this kind of configuration.

Re:Wrong paradigm here (1)

PetiePooo (606423) | about 4 months ago | (#46671873)

Ok, seems like you're trying to do things the Windows way, i.e. blocking outbound connections based on which application is running. Things are not done that way on Linux. Outbound connections are open and most of us are fine with it.

The Window Firewall, the original BlackIce for Windows, and AVG as well, I believe, all fall in the category of Application Firewalls, [wikipedia.org] as they base their actions with knowledge of the application holding the IP connection endpoint. IPtables is a Stateful Firewall, [wikipedia.org] so named because it relies solely on the connection's state, without regard to the application at the sending or receiving end of the connection.

The Application Firewall link above actually does have some suggestions about how such things can be handled on Linux using utilities others have described. Mandatory Access Control [wikipedia.org] tools such as SELinux and grsecurity can allow or deny access to resources (such as the network interface) to applications, but I don't believe they have fine-grained controls for conditional access based on IPs or ports.

None of these are as easy to use as AVG for Windows is.. (This could be the new definition of "understatement!") In fact, I would like to think I know Linux quite well, have used it as a desktop and server platform for years, have written patches for kernel modules, and can configure a solid IPtables firewall ruleset from scratch, but AppArmor and SELinux still scare me...

There's a link here [niftiestsoftware.com] describing how to mark packets based on an application's uid (user). This might be a basis for controlling permissions per app, but you're talking about a very complex IPtables ruleset. Definitely not for someone only two days into their Linux journey.

Re:Wrong paradigm here (1)

emoreau (1247650) | about 4 months ago | (#46671963)

As a matter of fact, on my local network, I have no problem leaving inbound connections open as well, because firewalling is provided by my router. When you look at early literature, a firewall was at first a network configuration, not an application or a kernel module.

Poster asking about GUI frontend software (3, Interesting)

caseih (160668) | about 4 months ago | (#46671259)

Many of the posts so far direct the original poster to dedicated firewall appliances or distributions. If I read the summary correctly, the OP is simply looking for a good GUI to manipulate the firewall rules built into the kernel of all modern Linux distributions.

I can't vouch for any of them, but GUI frontends include guarddog, lokkit, firestarter, and probably others. They are all in various states of development and maintenance.

Part of what the user wants to do (firewall per app) wasn't possible in the past with iptables (per-gid blocking was easy), but I believe it's now possible. A primitive daemon, called Leopard Flower, seems to offer this functionality: http://leopardflower.sourcefor... [sourceforge.net]

From what I can see, the most promising, integrated, easy-to-use firewalling GUI software going forward is Fedora's firewalld and its accompanying GUI. I know firewalld is available on Ubuntu (and its command-line interface). I'm not sure about the GUI part. Perhaps someone familiar with Ubuntu can comment. Here's an article on installing it in Mint, so I assume it's similar in Ubuntu: http://www.linuxbsdos.com/2013... [linuxbsdos.com]

From what I can see, firewalld and firewall-config hit the sweet spot for most desktop users. I'd never use it on my router, but for a desktop, it works pretty well and is under active development. I imagine it will sport a per-application feature soon, if it doesn't already.

Re:Poster asking about GUI frontend software (1)

phantomfive (622387) | about 4 months ago | (#46671841)

Not only that, iptables isn't that hard, and you feel good after you figure it out. It's not THAT hard to mess things up, you can always just clear your iptables and start over if you really break things. Problem solved.

LeopardFlower looks good, but... (1)

antdude (79039) | about 4 months ago | (#46672159)

"As of 2014-01-12, this project is no longer under active development." text. :(

I like GuardDog, but it is no longer updated and doesn't work with the latest Debian/Linux's Kernels when I tried it a couple years ago. :(

www.fwbuilder.org (0)

Anonymous Coward | about 4 months ago | (#46671261)

I have used Firewall Builder for this and it worked well.

Re:www.fwbuilder.org (1)

Richy_T (111409) | about 4 months ago | (#46671563)

Same here. If you're used to checkpoint firewall, it's an easy transition. Worked perfectly when I had to duplicate a firewall config for a firewall-on-a-floppy firewall (albeit it was done manually and not automatically).

Re:www.fwbuilder.org (1)

Richy_T (111409) | about 4 months ago | (#46671589)

I do handcraft firewall rules for my home Slackware install though. It just seems the right thing to do :)

Not so much since I moved to a Tomato based internet router though. It was probably never a good idea to have the email, web server etc on the same system as the router.

ufw, ipfire, ddwrt (1)

mspohr (589790) | about 4 months ago | (#46671287)

Lots of options:
http://www.ipfire.org/ [ipfire.org]
ufw can be installed from apt-get (no gui)
ddwrt runs on many routers and has lots of features... don't need a full PC.

pfsense (2)

michrech (468134) | about 4 months ago | (#46671293)

I just jumped into playing with pfsense. It's based on FreeBSD, but it was very easy for me to get in and mess around with. :)

Re:pfsense (1)

laffer1 (701823) | about 4 months ago | (#46671431)

This doesn't help him. He wants windows firewall or norton internet security level of firewall (but for linux) for his own computer.

I'm a huge fan of pfSense, but it's not a desktop OS.

Honestly, I think the OP needs to realize that even today, Linux requires a little command line foo. Look at the official ubuntu documentation and turn on the firewall. Blocking incoming traffic is sufficient on Linux most of the time. There's much less malware that will connect out and cause harm.

See https://help.ubuntu.com/12.04/... [ubuntu.com] if you want to get into some gritty details. This is the server guide, they may have a more user friendly desktop guide, but it should still be useful.

Untangle (0)

Anonymous Coward | about 4 months ago | (#46671337)

It is easy to install and set up, the free version does everything you want, and it can even run dns and dhcp for you.

Hmmmm (1)

jawtheshark (198669) | about 4 months ago | (#46671417)

I had done all of the above in AVG Firewall on Windows, and it was very easy to do.

That's the part I actually doubt. All firewalls configured by normal users I've seen in my lifetime were so much of a mess that they had more holes than Swiss cheese, or were so strict they became unusable.
I'm also quite surprised about "ranges known to be used by malware, marketers, etc...". If those were really even halfway public knowledge, there would be no malware or "marketing" problem on the Internet.
This one should get his medication, and think his strategy over.

Re:Hmmmm (1)

Spad (470073) | about 4 months ago | (#46671957)

Well, there are lists of ranges known to be used by malware, etc. such as this: http://www.spamhaus.org/drop/ [spamhaus.org] - it's not that it's a list of *all* ranges used for those things, just that these ranges are known *only* to be used for those things and so can safely be blocked outright.

Most of the rest of it comes from random compromised residential machines or hosted boxes and so is hard to block other than when you find a really shitty host like Nobis/Ubiquity who just don't care about shutting down compromised machines on their networks.
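As an added example (not from the comment, and not code from Spamhaus or from ufw), here is one way to turn a DROP-style list into host firewall deny rules on the OP's Ubuntu box using ufw. It assumes the DROP file's "CIDR ; SBL-reference" line format with ";" comment lines; the sample list below is constructed from RFC 5737 documentation ranges, and the UFW_CMD dry-run wrapper is the example's own convention.

```shell
# Added example, not from the comment or from Spamhaus: convert a DROP-style
# list into ufw deny rules. Assumed format: one "CIDR ; SBL-reference" per
# line, comment lines starting with ";". The sample below is constructed.
# UFW_CMD defaults to a dry run that only prints; set UFW_CMD="sudo ufw" to
# apply. Expanded unquoted on purpose so "echo ufw" splits into two words.
UFW_CMD=${UFW_CMD:-"echo ufw"}

# Extracts the IPv4 prefixes, skipping comments and anything that is not a
# dotted-quad/prefix-length pair (a malformed line must not become a rule).
drop_cidrs() {
  awk '
    /^[ \t]*;/ { next }
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ { print $1 }'
}

# Inserts a deny rule at position 1 for every range on stdin, so the denies
# sit ahead of any allow rule already present (ufw applies the first match).
block_ranges() {
  while read -r cidr; do
    $UFW_CMD insert 1 deny from "$cidr"
  done
}

# Constructed sample in the assumed DROP format (documentation ranges only).
SAMPLE_DROP=$(cat <<'EOF'
; Example DROP-style list (constructed, not the real Spamhaus file)
; Last-Modified: placeholder
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
not-a-range ; SBL000003
203.0.113.0/24 ; SBL000004
EOF
)

# Real use: curl -s https://www.spamhaus.org/drop/drop.txt | drop_cidrs | block_ranges
printf '%s\n' "$SAMPLE_DROP" | drop_cidrs | block_ranges
```

Only lines that parse as an IPv4 prefix become rules, so a corrupted or truncated download cannot produce a half-formed rule; the dry run prints the commands so they can be reviewed before UFW_CMD is pointed at the real ufw.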

fwbuilder (1)

lkcl (517947) | about 4 months ago | (#46671451)

i have a bit of a problem comprehending firewall rules (and deploying them). i asked around (just as you did) and got the advice "use fwbuilder". i liked it so much that i ended up writing a python script that parsed its xml files and generated HTML output so that i could clearly see what it was doing.

but, despite admitting that i am not a firewall rules expert, i do have to say that nothing substitutes for actually studying what firewall rules are and understanding them properly. i say that from the position of being a person who, whenever they need firewall rules, does an internet search and cuts/pastes the results successfully into an amalgam that "does the job", but it "does the job" with the concern always being in the back of my mind that i probably completely messed it up...

pfSense (2)

JRoth25 (964977) | about 4 months ago | (#46671461)

You may want to have a look at: https://www.pfsense.org/ [pfsense.org] Very good option...

Firewall Builder (0)

Anonymous Coward | about 4 months ago | (#46671469)

This - http://www.fwbuilder.org/

It's been around for ages, is really easy to use and supports a whole bunch of stuff like iptables and pf firewalls.

No love for Untangle? (0)

Anonymous Coward | about 4 months ago | (#46671477)

Untangle is probably the easiest I've come across. The free basic package (Lite) even comes with openvpn: https://www.untangle.com/store/lite-package.html

Just a suggestion. I'm sure someone here will recommend the right solution.

You have ubuntu... (0)

Anonymous Coward | about 4 months ago | (#46671481)

So... https://wiki.ubuntu.com/UncomplicatedFirewall

The UFW command does wonderful things.

Go back to Windows (0)

Anonymous Coward | about 4 months ago | (#46671487)

...we don't want you to get hurt !

You're a "brand new Linux user" (1)

93 Escort Wagon (326346) | about 4 months ago | (#46671525)

Why not take this opportunity to learn how iptables works and how to edit the text-based configuration? The basics are pretty easy - you can figure out how to allow ssh, for example, and get up and running without knowing something like how to set up vpn traffic forwarding.

Isn't part of the point to learn how Linux works? It's not just like Windows, but that can be a plus. Once you get past the "AAH, I DONT HAVE ANYTHING TO CLICK ON" stage, you may just find it's actually easier! Personally, having done both, I'd much rather admin Apache than IIS - and Windows is shifting more towards the Linux paradigm at the server side anyway.

Re:You're a "brand new Linux user" (1)

Spad (470073) | about 4 months ago | (#46671983)

Because, like he said, iptables is easy to screw up without realising it, and you don't really want to take that approach on a machine you care about and are using day to day. You ideally want some kind of abstraction layer to break you in gently, where there's less chance of fucking it up and you can learn how it works at a sensible pace.

for blocking ads and malware (0)

Anonymous Coward | about 4 months ago | (#46671637)

You might consider using a hosts file instead of or in conjunction with. http://winhelp2002.mvps.org/ho... [mvps.org]

Re:for blocking ads and malware (0)

Anonymous Coward | about 4 months ago | (#46672119)

There is no excuse for using a hosts file to block malware on linux, and very little for windows. Plus, that list describes domains that serve windows malware, dipshit.

In Linux-land, when we want to fuck with our local DNS, we install a local DNS server. This lets you do things like block *.ru or *.cn, and the server will return NXDOMAIN instead of a potentially-valid IP address, which will prevent an attempted TCP connection. You can also use this for the rest of your networked devices if you like.

Blocking malicious content of course, should always be done at the application layer, with e.g. AdBlock. But you knew that.

Windows thinking (0)

Chewbacon (797801) | about 4 months ago | (#46671715)

Firewalling is a windows necessity with nasty shit piggy backing in on exploits in legitimate shit, not so much in Linux, however. If you're using client applications (web browser, email client, etc) then they will only open up sockets when needed and not open ports to receive traffic. And I agree with what I read above: if you know what services you're starting, you don't need a firewall.

GUFW config: (1)

Anonymous Coward | about 4 months ago | (#46671761)

gufw should be fine for what you need. Start by clicking the unlock button to unlock controls.

1. Set firewall policy (dropdowns) to Deny outgoing, Allow incoming. Now all unsolicited inbound traffic will be blocked.

**Note: You probably don't need to block outbound traffic. You also don't need to allow inbound smtp/pop/imap just to check your mail - those are outbound connections from your computer to the server. Unless you're serving content, you're probably done here. (Do other computers connect to your computer to get stuff?)

2. If you are providing a service (example: ssh access):
Click [Add] button to add an exception. In Preconfigured tab select [Allow] [In] [Service] [SSH], then click [Add]. If the service or application isn't listed (or has been configured to use different ports!) use the simple tab and select [Allow] [In] [TCP] [22].

At this point only the ports/services/applications you've explicitly added will be allowed in.

3. There are two ways to make exceptions to #2:
First you could just make a more complicated rule using the advanced tab to set any of these ip requirements: source, sourceport, destination, destport.
The other way (and probably best for you) is to make another rule to deny untrusted host.
Example: if you didn't trust 10.1.1.1 Click [Add] to start a new rule. Go to advanced tab, check [show extended actions] and set the first number to 1 -- this will make sure your deny rule is the first rule and will come before the allow rule. Now set [Deny] [In] [Don't Log] [Both] from:10.1.1.1 (leave from-port/to/to-port blank). -- this will block 10.1.1.1 from accessing your computer even though other hosts can connect to your SSH (from #2)

done. protip: rtfm, learn tcp/ip. CAPTCHA: barrier
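The same three steps as ufw commands, as an added example (not from the comment, and not GUFW's or ufw's own code). GUFW is a graphical front-end for ufw, so the clicks above map onto ufw's CLI: the default policy that blocks unsolicited inbound and allows outbound (the behaviour the note in step 1 explains), an allow for SSH, and a deny for the untrusted host inserted at position 1. It also adds a check over `ufw status numbered` output that the deny really comes first, since ufw applies the first matching rule. The sample status output is constructed, and the UFW_CMD dry-run wrapper is the example's own convention.

```shell
# Added example, not from the comment or from GUFW: the three GUI steps as
# ufw commands, plus a check of rule order.
# UFW_CMD defaults to a dry run that only prints the commands; set
# UFW_CMD="sudo ufw" to apply them for real. Expanded unquoted on purpose so
# "echo ufw" splits into a command and its first argument.
UFW_CMD=${UFW_CMD:-"echo ufw"}

# Step 1: block unsolicited inbound, allow outbound. Step 2: allow SSH in.
# Step 3: insert a deny for one untrusted host at position 1 so ufw, which
# applies the first matching rule, evaluates it before the SSH allow.
apply_rules() {
  host=$1                      # the untrusted host, 10.1.1.1 in the comment
  $UFW_CMD default deny incoming
  $UFW_CMD default allow outgoing
  $UFW_CMD allow 22/tcp
  $UFW_CMD insert 1 deny from "$host"
  $UFW_CMD enable
}

# Reads `ufw status numbered` on stdin; succeeds only when the first DENY IN
# rule from host $1 is numbered lower than the first ALLOW IN rule for $2.
# A deny placed after the allow never fires for that port.
deny_precedes_allow() {
  awk -v host="$1" -v port="$2" '
    /DENY IN/  && $NF == host     && !d { d = NR }
    /ALLOW IN/ && index($0, port) && !a { a = NR }
    END { exit !(d && a && d < a) }'
}

# Constructed sample of what `sudo ufw status numbered` prints after apply_rules.
SAMPLE_STATUS=$(cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   DENY IN     10.1.1.1
[ 2] 22/tcp                     ALLOW IN    Anywhere
EOF
)

apply_rules 10.1.1.1
# Real use: sudo ufw status numbered | deny_precedes_allow 10.1.1.1 22/tcp
if printf '%s\n' "$SAMPLE_STATUS" | deny_precedes_allow 10.1.1.1 22/tcp; then
  echo "ok: the deny for 10.1.1.1 is evaluated before the SSH allow"
else
  echo "warning: the SSH allow comes first, so 10.1.1.1 can still connect"
fi
```

The order check is the part worth keeping around: adding the host deny with `ufw deny` instead of `ufw insert 1 deny` appends it after the allow, and the firewall then looks right in the GUI while the block never takes effect. ufw's own `--dry-run` flag can also preview what a single command would change.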

Welcome to Linux er, (0)

Anonymous Coward | about 4 months ago | (#46671783)

Welcome to Linux except it isn't called Linux anymore the new name is Lennart NT.

All these mean druids are telling you that you have to learn iptables. Too bad they don't know it is about to be replaced by firewalld.

https://fedoraproject.org/wiki... [fedoraproject.org]

Why firewall? Protecting some other computers? (0)

dUb (21971) | about 4 months ago | (#46671831)

Hi

Good you found Linux and you are trying it.

Some rules you should know about different operating systems - examples about Linux here:
- Linux does not need a firewall. Unless you are protecting other computers.
- A firewall is not needed unless you have ports open (listening) that you cannot close. On Linux _you_manage_your_computer_ and you can close programs which are listening and you don't like.
- If you have any services you want to protect from being accessed from bad/wrong hosts... you have options like tcpwrapper.
So check your ports by running this command: sudo lsof -i -Pn
It shows you currently open connections AND ports which are ready to receive traffic from the Internet.

If you see ports that you don't want listening, identify them and stop them. Like this:
smbd 7114 root 26u IPv6 101652 0t0 TCP *:445 (LISTEN)
So you have smbd (Samba) listening on TCP port 445, it has PID number 7114 ("sudo kill 7114" to kill it) and it is running at root level.

So - you don't need a firewall. Just knowledge of how to close unneeded services/programs.

Br, Henri
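A small helper for the check Henri describes, as an added example (not from the comment): it reads `lsof -i -Pn` output and lists every bound socket with its owner and whether it is reachable from the network or only from the loopback interface, which is the distinction that decides whether a listener matters. The sample lsof output below is constructed around the smbd line quoted in the comment; the column layout is lsof's standard one.

```shell
# Added example (not from the comment): summarise `sudo lsof -i -Pn` so that
# listeners reachable from the network stand out from loopback-only ones.
# Real use:  sudo lsof -i -Pn | list_listeners

# Prints one line per bound socket: command, pid, user, proto/address, exposure.
list_listeners() {
  awk '
    # Anything bound to 127.x or [::1] is only reachable from this machine.
    function classify(addr) {
      return (addr ~ /^(127\.|\[::1\]:)/) ? "loopback-only" : "externally-reachable"
    }
    # TCP sockets waiting for connections carry an explicit (LISTEN) state;
    # the NAME column (address:port) sits just before it, NODE (TCP) before that.
    $NF == "(LISTEN)" {
      printf "%s pid=%s user=%s %s/%s %s\n", $1, $2, $3, $(NF-2), $(NF-1), classify($(NF-1))
    }
    # UDP sockets have no state column; a bound one with no peer ("->")
    # accepts datagrams from anyone who can reach the address.
    $(NF-1) == "UDP" && $NF !~ /->/ {
      printf "%s pid=%s user=%s UDP/%s %s\n", $1, $2, $3, $NF, classify($NF)
    }'
}

# Constructed sample of lsof output (the smbd line is the one quoted above;
# the peer address is a documentation range, not a real host).
SAMPLE_LSOF=$(cat <<'EOF'
COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
smbd     7114  root   26u  IPv6 101652      0t0  TCP *:445 (LISTEN)
cupsd    1203  root    8u  IPv4  15432      0t0  TCP 127.0.0.1:631 (LISTEN)
sshd      980  root    3u  IPv4  14001      0t0  TCP *:22 (LISTEN)
avahi-d   801 avahi   12u  IPv4  13222      0t0  UDP *:5353
firefox  4310 alice   55u  IPv4 202211      0t0  TCP 192.168.1.10:49152->203.0.113.5:443 (ESTABLISHED)
EOF
)

printf '%s\n' "$SAMPLE_LSOF" | list_listeners
```

Established client connections such as the browser's are left out, which is the point the comment makes: client applications only open outbound sockets. What remains is the list to act on, and a line marked externally-reachable and running as root (smbd on 445 here) is the one to stop or disable first; cupsd bound to 127.0.0.1 is not reachable from the network at all.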

apt-get iptables-persistent (0)

Anonymous Coward | about 4 months ago | (#46671879)

You're welcome. If you can't figure out iptables, you have no business editing firewalls anyway.

Try Mint instead of Ubuntu (0)

Anonymous Coward | about 4 months ago | (#46671967)

I use CentOS for my web servers. I have some still fully functional XP boxes and laptops that I was looking to move over to Linux so I tried Ubuntu. Eh. It was nice.

Then I tried Linux Mint and I like it so much better, especially since it "feels" more like XP than Ubuntu.

Give Mint a try.

(Yes, I know Mint is based on Ubuntu but the UI is certainly different)

This is hard on Linux (1)

Adam Hooper (3605785) | about 4 months ago | (#46672013)

Defining rules on a program-by-program basis is hard on Linux.

That's sort of embarrassing for a "secure" operating system, right?

The historical reason: filters based on application (as opposed to port) are comparatively slow and complicated. Linux thrives in a server environment, where the threat model is different: on a server, it's a better idea to write extremely restrictive firewall rules that all applications must abide by. Spyware is not much of a threat on a server that allows no outgoing connections except HTTPS to 10.x.x.x.

The feature does exist, in something called "libnetfilter_queue". I haven't seen anything that's usable by Normal People. Folks who want to write their firewalls in C can start here: https://home.regit.org/netfilt... [regit.org]

IPTables (1)

Jorkapp (684095) | about 4 months ago | (#46672089)

IPTables is by far the best firewall for Linux, and it's built in to boot.

If you're iffy on command-line parameters, install Webmin on your system. It gives you a web interface, and the IPTables page makes configuring your firewall relatively newbie-proof.

I, for one, hate IPTables on the command line, and much prefer the Webmin method. It's what I use on my home server.

firehol (3, Interesting)

demerson3 (1631599) | about 4 months ago | (#46672101)

I'm a little surprised nobody has mentioned firehol - http://firehol.org/ [firehol.org] . I've been using it for my simple needs, and it is fabulous. Easy to learn, simple language, great results, and CLI-friendly. (Prior to discovering it, I used guarddog, which I found to be good but which isn't anywhere near as good as firehol.) From the firehol page: FireHOL is an iptables firewall generator producing stateful iptables packet filtering firewalls, on Linux hosts and routers with any number of network interfaces, any number of routes, any number of services served, any number of complexity between variations of the services (including positive and negative expressions).