Ask Slashdot: User-Friendly Firewall For a Brand-New Linux User?

An anonymous reader writes "I am a new Linux user; I'm on 2nd day now. Currently I am trying out Ubuntu, but that could change. I am looking for a user friendly firewall that I can set up that lets me do these things:1) set up a default deny rule 2) carve out exceptions for these programs: browser, email client, chat client, yum and/or apt. 3) carve out exceptions to the exceptions in requirement 2 — i.e. I want to be able to then block off IPs and IP ranges known to be used by malware, marketers, etc., and all protocols which aren't needed for requirement 2. It also needs to have good enough documentation that a beginner like me can figure it out. Previously, I had done all of the above in AVG Firewall on Windows, and it was very easy to do. So far, I have tried these things:1) IPTABLES — it looked really easy to screw it up and then not notice that it's screwed up and/or not be able to fix it even if I did notice, so I tried other things at that point... 2) searched the internet and found various free firewalls such as Firestarter, GUFW, etc., which I weren't able to make meet my requirements. Can someone either point me to a firewall that meets my needs or else give me some hints on how to make firestarter or GUFW do what I need?"

Re:Shorewall

[Durrik]

Shorewall is very nice. For the user I would suggest using it and installing webmin to configure it. Webmin does an OK job configuring shorewall which is already pretty easy to set up, just it can be fairly confusing for the first timer with all the config files. After the first few times with webmin you learn how to do it with the command line and vim.

Bastille-linux is also something that was fairly easy to use in the past. I used that before shorewall, but I haven't used bastille for years, must be a least a decade so I don't know what the current state of it is.

Why? Is it really necessary?

[tqk]

I can understand trying to wall off Windows from what you can, but with non-Windows you just make sure you only enable services that you want. Use good passwords, lock it down so only what you want running can run, and don't listen to the script kiddies knocking on your door. Crank up the stereo.

I assume your box hangs off a router of some sort? It's probably all you need for a firewall.

Re:Wrong paradigm here

[Lesrahpem]

The parent poster is correct. Windows and Linux are totally different animals in regards to firewalls. There is only one firewall for Linux and it is built into the system. IPTables is how the firewall is configured. All other tools are just front-ends or wrappers for IPTables.

IPTables doesn't have support for application-based firewalling. You can do that kind of thing using something lilke the Grsecurity [grsecurity.net] patch for the kernel, but it is not for beginners.

Grsecurity will let you create policies exactly like what you're talking about and then some. For example, it will allow you to create a policy limiting which files and folders a given program can access. To be specific, on my machine I have a policy that Firefox can only write data to it's own folders and to my Downloads directory, and can't execute/run any files inside those folders. That way, if somebody hits me with a drive-by download or something it simply won't work.

Re:Why? Is it really necessary?

[gdshaw]

1997 called and wants its comment back...

For machines which are not routers the comment is just as valid now as it was then. If you use a GNU/Linux distribution that takes security seriously then it will not install any externally-visible network services by default. The attack surface in that condition is small enough that installing a firewall won't help much, and might even make matters worse. If you deliberately install any public-facing network services then you need to add matching firewall rules, so again no benefit.

A firewall does help if you install a private network service and forget to bind it to the loopback interface (unless you have one of those systems which automatically install a firewall rule alongside the network service, which totally defeats the purpose of having a firewall). In any event, this only protects against internal incompetence rather than external malice, so is not a necessary part of running a secure system.

Firewalls are useful on routers, and on servers where you want very specific control of what can be accessed from where (such as a DBMS that is only accessible from a single client machine), but for typical Linux-based hosts they add little.