Ask Slashdot: User-Friendly Firewall For a Brand-New Linux User?

Posted by timothy
from the perfect-security-on-the-way dept.
An anonymous reader writes "I am a new Linux user; I'm on my 2nd day now. Currently I am trying out Ubuntu, but that could change. I am looking for a user-friendly firewall that I can set up that lets me do these things: 1) set up a default deny rule; 2) carve out exceptions for these programs: browser, email client, chat client, yum and/or apt; 3) carve out exceptions to the exceptions in requirement 2 — i.e. I want to be able to then block off IPs and IP ranges known to be used by malware, marketers, etc., and all protocols which aren't needed for requirement 2. It also needs to have good enough documentation that a beginner like me can figure it out. Previously, I had done all of the above in AVG Firewall on Windows, and it was very easy to do. So far, I have tried these things: 1) IPTABLES — it looked really easy to screw it up and then not notice that it's screwed up and/or not be able to fix it even if I did notice, so I tried other things at that point... 2) searched the internet and found various free firewalls such as Firestarter, GUFW, etc., which I wasn't able to make meet my requirements. Can someone either point me to a firewall that meets my needs or else give me some hints on how to make Firestarter or GUFW do what I need?"
  • Shorewall (Score:5, Informative)

    by ttucker (2884057) on Saturday April 05, 2014 @02:23PM (#46671087)
    Shorewall is a pretty good iptables configuration tool.
    • Re:Shorewall (Score:5, Insightful)

      by Durrik (80651) <pwright@@@ryksyll...com> on Saturday April 05, 2014 @02:30PM (#46671137) Homepage
      Shorewall is very nice. For the user I would suggest using it and installing webmin to configure it. Webmin does an OK job configuring shorewall which is already pretty easy to set up, just it can be fairly confusing for the first timer with all the config files. After the first few times with webmin you learn how to do it with the command line and vim.

      Bastille-linux is also something that was fairly easy to use in the past. I used that before shorewall, but I haven't used bastille for years, must be at least a decade, so I don't know what the current state of it is.
      • Re: (Score:2, Funny)

        by Anonymous Coward

        Shorewall is very nice. For the user I would suggest using it and installing webmin to configure it. Webmin does an OK job configuring shorewall which is already pretty easy to set up, just it can be fairly confusing for the first timer with all the config files. After the first few times with webmin you learn how to do it with the command line and vim.

        So let me sort this out, in order to easily configure iptables, shorewall is a good solution, but to configure shorewall, I will want to use webmin. So what do I need to install to configure webmin?

        No wonder why the year of the linux desktop will never be.

        • by dreamchaser (49529) on Saturday April 05, 2014 @02:51PM (#46671279) Homepage Journal

          So what do I need to install to configure webmin?

          The IQ of a chimpanzee should suffice.

        • Re:Shorewall (Score:4, Informative)

          by ttucker (2884057) on Saturday April 05, 2014 @03:17PM (#46671441)

          So let me sort this out, in order to easily configure iptables, shorewall is a good solution, but to configure shorewall, I will want to use webmin. So what do I need to install to configure webmin?

          You might be surprised to find that using several layers of abstraction is relatively common in the computer world, and that your much vaunted probably does something very similar.

          • Re:Shorewall (Score:4, Informative)

            by klui (457783) on Saturday April 05, 2014 @07:05PM (#46672805)

            You a word there.

            I think you meant Windows does the same thing? Indeed, netsh is used to manage firewall rules on the command line level, and the Windows firewall snapin uses netsh. There are 3rd-party programs that replace the snapin or make it more intuitive like wfc from BiniSoft. I'm not sure if it replaces the regular snapin or runs on top of it.

            • by ttucker (2884057)
              I added some XML style brackets, oops. It said something like, "You might be surprised to find that using several layers of abstraction is relatively common in the computer world, and that your much vaunted %whatever firewall you like% probably does something very similar."
        • Go back to the original spec. The poster wants a stable, sophisticated, flexible firewall. They also want it to be easy to configure. These are distinct, and to some extent contradictory requirements. And yes, for a new admin, the built-in "iptables" and most Linux firewall tools are confusing. Shorewall has a good reputation as robust and stable, and Webmin has an _excellent_ reputation as being a tool that makes system management much, much, easier.

          In fact, testing webmin with just "Linux Firewalls" confi

          • by Lumpy (12016)

            Then he needs to install DD-WRT on a router in front of his PC.

            • by Hanzie (16075) *

              Then he needs to install DD-WRT on a router in front of his PC.

              +1 insightful.

              Even though that's not what he asked for, that's the best suggestion so far. Yes, the parent poster obviously realizes that firewalls are still needed on the PCs. Castles need moats as well as walls.

              He's worried about security, and this will *HELP* do the job on all his PCs, and automatically provide some protection to every box that happens to connect to his network. It will also do its job no matter what gets plugged in, and even provide some protection if he happens to plug in some ma

    • AFAIK, Fedora 20 has a very good firewall offering, and it is presented as a dynamic software, meaning that you can make changes to network protections, etc., on the fly.

  • I've used Astaro for years and been very happy with it. It includes many free features (VPN is great) and there are other features you can add for a fee. Sophos purchased it a couple of years ago and still has a very fully featured free version.

    http://www.sophos.com/en-us/pr... [sophos.com]

    • Totally concur. Best product I've used in decades.

      • Totally concur. Best product I've used in decades.

        That being said, it runs on a separate box and supports things like balancing multiple uplinks and fail-over, so it's a wee bit beyond the stated requirements.

  • I always thought of guarddog as the simplest, easiest, friendly GUI-based firewall.

    It's still around, of course, but IDK why it vanished from Debian starting wheezy. Made me switch to the command-line based ufw ... about time!

  • by Anonymous Coward on Saturday April 05, 2014 @02:32PM (#46671149)
    I would suggest installing WINE and then running Windows Firewall.
  • by Anonymous Coward

    Something based on Windows XP if you value your family's security.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      This expert trusts Windows 8 for my family's security. All the UAC prompts frustrate the would-be penetrators so they move on to other targets. And since there's no way to find the shutdown button, it provides my loved ones with rock solid, around-the-clock protection from evildoers.

      Microsoft. Because your family's well-being shouldn't be entrusted to dirty hippies.

  • by Anonymous Coward

    If you are willing to learn how to use a text editor, OpenBSD's pf is a pretty great home firewall. I run it on a little Soekris box at home.

    You will have a little learning curve, but you'll be getting a real firewall out of it.

    The pf documentation is pretty good, and there are a ton of tutorials out there. Calomel.org has what is possibly the best one.

  • I know you've said you're trying to avoid screwing it up, but if you want, the CentOS wiki is pretty good for explaining what and why, and since it's a kernel firewall, it applies to Ubuntu too. In fact, I suspect all other "firewall tools" are basic GUI frontends to iptables. If you are indeed concerned about firewalling (though not quite as concerned as crypto-specialists), you probably at least want to have a go at it manually with some easy to understand notes

    When in doubt, try it on a virtual machine o

    • by gbjbaanb (229885)

      I agree - all the 'firewalls' are really just iptables configuration guis.

      Back in the day I used to use APF [rfxn.com], a text-based configuration tool. It was very easy to use.

  • by tqk (413719) <s.keeling@mail.com> on Saturday April 05, 2014 @02:40PM (#46671203)

    I can understand trying to wall off Windows from what you can, but with non-Windows you just make sure you only enable services that you want. Use good passwords, lock it down so only what you want running can run, and don't listen to the script kiddies knocking on your door. Crank up the stereo.

    I assume your box hangs off a router of some sort? It's probably all you need for a firewall.

    • by abhi_beckert (785219) on Saturday April 05, 2014 @02:50PM (#46671273)

      You're making the assumption that all the bad stuff is outside the firewall and nothing evil ever gets in.

      An example of how I use my firewall is that I block my email program from making any network connection other than imap/smtp. If it tries to make any other network connection (eg: downloading images from a web server), the firewall blocks it.

      • by tqk (413719)

        ... you just make sure you only enable services that you want.

        I block my email program from making any network connection other than imap/smtp.

        Is there an echo in here?

    • by Assmasher (456699)

      1997 called and wants its comment back...

      • Re: (Score:2, Insightful)

        by gdshaw (1015745)

        1997 called and wants its comment back...

        For machines which are not routers the comment is just as valid now as it was then. If you use a GNU/Linux distribution that takes security seriously then it will not install any externally-visible network services by default. The attack surface in that condition is small enough that installing a firewall won't help much, and might even make matters worse. If you deliberately install any public-facing network services then you need to add matching firewall rules, so again no benefit.

        A firewall does help if

        • When was the last time you were party to a serious information security audit? I get the feeling you don't protect data of substantial value for a living.

          In any event, this only protects against internal incompetence rather than external malice, so is not a necessary part of running a secure system.

          You forgot to mention internal malice.

          • by gdshaw (1015745)

            In any event, this only protects against internal incompetence rather than external malice, so is not a necessary part of running a secure system.

            You forgot to mention internal malice.

            Let's put my comment back into context. I was talking about forgetting to bind a private network service to the loopback interface. That would normally be done by an administrator. If an administrator is acting maliciously then you have fairly serious problems with or without a local firewall. In fact, this is a pretty good demonstration of my point that if you are going to use a firewall to protect against that kind of threat then the firewall wants to be on a different box (eg. a router or dedicated firew

    • by antdude (79039)

      What if it is a portable machine and wants to use public wireless Internet? Also, what if (s)he wants to block outgoing connections and stuff which hardware firewalls can't do?

    • by AmiMoJo (196126) *

      That's fine as long as you are sure there are no bugs in the services you run and the TCP/IP stack, and you keep them all up to date, and you don't mind kiddies hammering on your door 24/7 trying to guess your passwords.

      • by gdshaw (1015745)

        That's fine as long as you are sure there are no bugs in the services you run and the TCP/IP stack, and you keep them all up to date, and you don't mind kiddies hammering on your door 24/7 trying to guess your passwords.

        If you need a service to be publicly accessible then you will need to configure the firewall accordingly, in which case it typically provides no protection if the service is exploitable.

        If the service doesn't need to be publicly accessible then either turn it off or bind it to the loopback interface. Why add extra software to protect against a vulnerability that you could have avoided creating in the first place? Note that operating systems that take security seriously do not install public-facing network s

    • I use DroidWall (iptables frontend) on my Android phone (=non-Windows) to keep apps from sending my private data out. As an added bonus, it blocks most ads.

      Yes, you can choose to not install those apps, but most of them want a network connection and access to storage...

    • by Arker (91948)
      Indeed, as unsatisfying as it is, the answer is that the question is wrong.

      A windows software firewall is not the same thing as a standard firewall, it's a rather specialized bit of software that, unlike normal firewalls, does NOT just look at the packets and judge them for themselves. Instead, it keeps track of which *programs* on the machine are allowed to connect and how. On Windows, it's needed, and can be very useful i.e. even if the trojan gets installed using a drive-by exploit, it still cant call ho
  • Ok, seems like you're trying to do things the Windows way, i.e. blocking outbound connections based on which application is running. Things are not done that way on Linux. Outbound connections are open and most of us are fine with it.
    • by Anonymous Coward

      Linux's "outbound connections are open" paradigm was designed in the good old days of innocence, before malware grew to current levels and before applications were phoning home.

      In today's world, that early innocence is badly misplaced. Third party applications need to be restricted to nothing more than the outbound connections which the user permits.

      • by emoreau (1247650)
        If you run applications that are included with your distribution, it is pretty safe to assume that they don't have to be blocked. If you run third-party applications, you will probably want to allow them to do their job and let them open whatever outbound connection they want to. Most users will allow anything anyway. Most people don't know enough to be able to decide what to permit.
        • Most desktop Linux distributions that I'm aware of include Mozilla Firefox or a renamed version of Firefox. By default, Firefox downloads and runs third-party JavaScript applications linked from web pages that the user visits. So do Chrome and other renamed versions of Chromium.
    • by Lesrahpem (687242) <iadnah@nospAM.uplinklounge.com> on Saturday April 05, 2014 @03:09PM (#46671399) Homepage
      The parent poster is correct. Windows and Linux are totally different animals in regards to firewalls. There is only one firewall for Linux and it is built into the system. IPTables is how the firewall is configured. All other tools are just front-ends or wrappers for IPTables.

      IPTables doesn't have support for application-based firewalling. You can do that kind of thing using something like the Grsecurity [grsecurity.net] patch for the kernel, but it is not for beginners.

      Grsecurity will let you create policies exactly like what you're talking about and then some. For example, it will allow you to create a policy limiting which files and folders a given program can access. To be specific, on my machine I have a policy that Firefox can only write data to its own folders and to my Downloads directory, and can't execute/run any files inside those folders. That way, if somebody hits me with a drive-by download or something it simply won't work.
      • by emoreau (1247650)
        I have to add that some of this stuff is handled by SELinux. If you want a CGI script to be able to send an email on a Red Hat derivative, you have to explicitly add the rule to your SELinux configuration.
      • by stevey (64018)

        Actually iptables does have support for matching based on the process. You might have run commands that include "-m recent", or similar. The "-m" is used to specify a module-name, and there are many matching modules available and included by default.

        For example on a CentOS system you might allow your webserver to make outgoing SMTP connections via something fun like this: "iptables -A OUTPUT -m owner --cmd-owner httpd --dest-port 25 -j ACCEPT". (Why CentOS? Because it matches the command against HTTPD. On Debian systems the webserver process is more typically called 'apache2'.)

        • by Lesrahpem (687242)

          For example on a CentOS system you might allow your webserver to make outgoing SMTP connections via something fun like this: "iptables -A OUTPUT -m owner --cmd-owner httpd --dest-port 25 -j ACCEPT". (Why CentOS? Because it matches the command against HTTPD. On Debian systems the webserver process is more typically called 'apache2'.)

          The cmd-owner match was removed in kernel 2.6.14 because it was broken with SMP.

    • by amorsen (7485)

      This is changing though. If you run a distribution with SELinux enabled, many applications and daemons are likely to be blocked from making outbound connections. Changing the rules is somewhat difficult though; distributions generally assume that the user does not have a clue when asked whether frobnitzd should be allowed to connect to Slashdot, so there is no GUI for asking the user.

      AppArmor can do it too, and the configuration is perhaps a bit easier. I have no idea how much Ubuntu restricts by default.

  • by caseih (160668) on Saturday April 05, 2014 @02:47PM (#46671259)

    Many of the posts so far direct the original poster to dedicated firewall appliances or distributions. If I read the summary correctly, the OP is simply looking for a good GUI to manipulate the firewall rules built into the kernel of all modern Linux distributions.

    I can't vouch for any of them, but GUI frontends include guarddog, lokkit, firestarter, and probably others. They are all in various states of development and maintenance.

    Part of what the user wants to do (firewall per app) wasn't possible in the past with iptables (per-gid blocking was easy), but I believe it's now possible. A primitive daemon, called Leopard Flower, seems to offer this functionality: http://leopardflower.sourcefor... [sourceforge.net]

    From what I can see, the most promising, integrated, easy-to-use firewalling GUI software going forward is Fedora's firewalld and its accompanying GUI. I know firewalld is available on Ubuntu (and its command-line interface). I'm not sure about the GUI part. Perhaps someone familiar with Ubuntu can comment. Here's an article on installing it in Mint, so I assume it's similar in Ubuntu: http://www.linuxbsdos.com/2013... [linuxbsdos.com]

    From what I can see, firewalld and firewall-config hit the sweet spot for most desktop users. I'd never use it on my router, but for a desktop, it works pretty well and is under active development. I imagine it will sport a per-application feature soon, if it doesn't already.

    • Not only that, iptables isn't that hard, and you feel good after you figure it out. It's not THAT hard to mess things up, you can always just clear your iptables and start over if you really break things. Problem solved.
    • "As of 2014-01-12, this project is no longer under active development." text. :(

      I like GuardDog, but it is no longer updated and doesn't work with the latest Debian/Linux's Kernels when I tried it a couple years ago. :(

    • Doing a bit of research, the official Ubuntu firewalling utility is ufw, and there is a default GUI for it called gufw. Probably the OP should direct his attention here first.

  • Lots of options:
    http://www.ipfire.org/ [ipfire.org]
    ufw can be installed from apt-get (no gui)
    ddwrt runs on many routers and has lots of features... don't need a full PC.

  • by michrech (468134) on Saturday April 05, 2014 @02:52PM (#46671293)

    I just jumped into playing with pfsense. It's based on FreeBSD, but it was very easy for me to get in and mess around with. :)

    • by laffer1 (701823)

      This doesn't help him. He wants windows firewall or norton internet security level of firewall (but for linux) for his own computer.

      I'm a huge fan of pfSense, but it's not a desktop OS.

      Honestly, I think the OP needs to realize that even today, Linux requires a little command line foo. Look at the official ubuntu documentation and turn on the firewall. Blocking incoming traffic is sufficient on Linux most of the time. There's much less malware that will connect out and cause harm.

      See https://help.ubuntu.co [ubuntu.com]

  • i have a bit of a problem comprehending firewall rules (and deploying them). i asked around (just as you did) and got the advice "use fwbuilder". i liked it so much that i ended up writing a python script that parsed its xml files and generated HTML output so that i could clearly see what it was doing.

    but, despite admitting that i am not a firewall rules expert, i do have to say that nothing substitutes for actually studying what firewall rules are and understanding them properly. i say that from the pos

  • You may want to have a look at: https://www.pfsense.org/ [pfsense.org] Very good option...
  • Why not take this opportunity to learn how iptables works and how to edit the text-based configuration? The basics are pretty easy - you can figure out how to allow ssh, for example, and get up and running without knowing something like how to set up vpn traffic forwarding.

    Isn't part of the point to learn how Linux works? It's not just like Windows, but that can be a plus. Once you get past the "AAH, I DONT HAVE ANYTHING TO CLICK ON" stage, you may just find it's actually easier! Personally, having done bot

    • by Spad (470073)

      Because, like he said, iptables is easy to screw up without realising it and you don't really want to take that approach on a machine you care about and are using day to day. You ideally want some kind of abstraction layer to break you in gently, where there's less chance of fucking it up and you can learn how it works at a sensible pace.

    • by 32771 (906153)

      You could also set up some kind of DMZ where you use a router with firewalling capabilities between broadband and your home network. This gives you some security now while you are still experimenting. Also it is a good idea to not trust your router and set up your own firewall in addition to it. Beyond that you may also protect us from your experiments that way.

      You can also try to scan/hack your internal firewall with tools like nmap to see how it is holding up. Here is a list of a few links:
      http://www.ietf [ietf.org]

  • IPTables is by far the best firewall for Linux, and it's built in to boot.

    If you're iffy on command-line parameters, install Webmin on your system. It gives you a web interface, and the IPTables page makes configuring your firewall relatively newbie-proof.

    I, for one, hate IPTables on the command line, and much prefer the Webmin method. It's what I use on my home server.

  • firehol (Score:3, Interesting)

    by demerson3 (1631599) on Saturday April 05, 2014 @04:49PM (#46672101)
    I'm a little surprised nobody has mentioned firehol - http://firehol.org/ [firehol.org]. I've been using it for my simple needs, and it is fabulous. Easy to learn, simple language, great results, and CLI-friendly. (Prior to discovering it, I used guarddog, which I found to be good but which isn't anywhere near as good as firehol.) From the firehol page: FireHOL is an iptables firewall generator producing stateful iptables packet filtering firewalls, on Linux hosts and routers with any number of network interfaces, any number of routes, any number of services served, any number of complexity between variations of the services (including positive and negative expressions).
  • If standalone, as in replacing your existing router, I've used IPcop, Smoothwall (a little more flexible) and full-blown ClearOS with mail server, antivirus, even the kitchen sink (well, almost).

    If on the same machine, I honestly don't know, since I'm currently only running Windows and OSX.

  • Most distros will have the rules in a single script; they are really easy to read, modify and understand. I don't understand what good a GUI would do for something as simple and important as a rule-based firewall; GUIs only hide things.

    Off the top of my head:
    # replies to connections this host opened (NEW is deliberately not accepted here,
    # or the DROP policy below would never apply)
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ssh: --dport needs a protocol, so -p tcp rather than -p 22
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    # a policy takes its target directly, without -j
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP

    To get a detailed overview of the rules:
    iptables -nvL

    If you need any simpler, ju
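An added example, not from any poster in this thread: a POSIX shell script that generates an iptables ruleset for the three requirements in the question (default deny, outbound exceptions for the listed programs, and a blocklist that overrides those exceptions), using the uid-owner match in place of the cmd-owner match that a reply above notes was removed. The user name mailuser, the port list and the two RFC 5737 documentation ranges are constructed placeholders; by default it only prints the commands for review, "apply" runs them as root, and "reset" restores open policies if something goes wrong.

```shell
#!/bin/sh
# Added example (not from any poster): generate an iptables host firewall
# for the question's three requirements. Everything here is a constructed
# assumption: the user name, the ports, and the documentation ranges used
# as the blocklist (RFC 5737 addresses, so nothing real is blocked).
# Default action prints the commands; "apply"/"reset" run them as root.

# 2) outbound exceptions, proto:port (DNS, web, XMPP chat, apt/yum over http(s)).
ALLOW_OUT="udp:53 tcp:53 tcp:80 tcp:443 tcp:5222"
# Per-account exception: the mail client runs as this user and may use
# IMAPS/submission. --cmd-owner is gone (see the thread); --uid-owner remains.
MAIL_USER="mailuser"
MAIL_PORTS="993,587"
# 3) exceptions to the exceptions: ranges dropped even on an allowed port.
BLOCK_RANGES="192.0.2.0/24 198.51.100.0/24"

gen_rules() {
    # Start from an empty table; -P takes the target directly (no -j).
    echo "iptables -F"
    echo "iptables -X"
    # 1) default deny in every direction.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT DROP"
    # Loopback and replies to connections this host opened. NEW is not
    # accepted on INPUT, otherwise the DROP policy would never apply.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Blocklist chain, consulted before any allow rule so it always wins.
    echo "iptables -N BLOCKLIST"
    for r in $BLOCK_RANGES; do
        echo "iptables -A BLOCKLIST -d $r -m limit --limit 5/min -j LOG --log-prefix \"fw-block: \""
        echo "iptables -A BLOCKLIST -d $r -j DROP"
    done
    echo "iptables -A OUTPUT -j BLOCKLIST"
    # Allow-list for new outbound connections.
    for s in $ALLOW_OUT; do
        proto=${s%%:*}
        port=${s##*:}
        echo "iptables -A OUTPUT -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A OUTPUT -p tcp -m multiport --dports $MAIL_PORTS -m owner --uid-owner $MAIL_USER -j ACCEPT"
    # Log what the OUTPUT policy is about to drop, so a broken rule is
    # visible in the kernel log instead of silently failing.
    echo "iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix \"fw-out-drop: \""
}

gen_reset() {
    # Recovery: open policies, then flush, as several comments suggest.
    echo "iptables -P INPUT ACCEPT"
    echo "iptables -P FORWARD ACCEPT"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -F"
    echo "iptables -X"
}

run_as_root() {
    # Execute the generated commands read from stdin, stopping on the first error.
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply/reset must run as root" >&2
        return 1
    fi
    sh -e
}

case "${1:-show}" in
    apply) gen_rules | run_as_root ;;
    reset) gen_reset | run_as_root ;;
    *)     gen_rules ;;
esac
```

Because the blocklist jump sits before the allow rules, a destination in BLOCK_RANGES is dropped even on port 443; check the result with iptables -nvL and the fw-block/fw-out-drop lines in the kernel log.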

  • IPFilter or PacketFilter on NetBSD. I am a bit redundant since it was already proposed for OpenBSD and FreeBSD, but NetBSD was missing :-)

    I must add that BSDs are good systems to learn. They take no initiatives and most of the time stick to common Unix tools instead of reinventing the wheel. That means for instance that knowledge acquired on NetBSD can be useful on Linux.

  • I know you're new to the Linux world, but while you're at it, dive into the BSD realm as well.

    You can do Firewalling with packet filter instead of iptables (better session tracking). BSD is generally better as a network appliance than linux for a number of reasons, and for firewalling especially. Better session tracking, better dynamic protocol handling, better error and flow control, and generally more robust. Iptables is powerful, but it has its downsides that can be felt these days with
  • Security by blocking bad things is a very bad idea, a completely false sense of security.

    Couple these together instead:
    default-deny (got that much correct);
    incoming, open stateful continuations of established connections;
    incoming, open ports for services you run (e.g. web- and dns-servers, etc), with rate-limiting per source.

    iptables will allow this, no problem.

    There is no point in "automatic" firewalls that detect bad things and block sources; all they do is clutter-up your firewall rules for the sake of a

  • You say you're a new Linux user, and it looks like you're carrying over your Windows way of thinking.

    Most Linux distros don't have services running with lots of security holes. You don't generally need this.
    Most malware out there is actually stuff like "click here for free money.exe". Even if you come across Ubuntu-targeted stuff, it does look like you're the kind of person who wouldn't click that.

    Several people here have pointed out possible solutions, but think for a moment if you really need them.
