Difference between revisions of "Firewalls"

From ArchWiki
(Undo revision 81125 by Jozefk (Talk): starting iptables before network is a good idea)
(redirect to Category:Firewalls)
 
(122 intermediate revisions by 53 users not shown)
[[Category:Networking (English)]]
#REDIRECT [[:Category:Firewalls]]
[[Category:Security (English)]]
 
[[Category:HOWTOs (English)]]
 
{{stub}}
 
 
 
{{i18n_links_start}}
 
{{i18n_entry|English|Firewalls}}
 
{{i18n_entry|Italiano|Firewalls (Italiano)}}
 
{{i18n_links_end}}
 
 
 
=Introduction=
 
A firewall is a system designed to prevent unauthorized access to or from a private network (which may be a single machine). Firewalls can be implemented in hardware, in software, or as a combination of both. They are frequently used to keep unauthorized Internet users out of private networks connected to the Internet, especially intranets. All traffic entering or leaving the intranet passes through the firewall, which examines each packet and allows, proxies, or denies it according to the configured security policy.
 
 
 
There is a nice list of firewalls [http://wiki.debian.org/Firewalls here], and a nice comparison of some firewalls [http://www.securityfocus.com/infocus/1410 here].
 
 
 
There are many posts on the forums about different firewall applications and scripts, so they are all condensed here into one page. Please add your comments about each firewall, especially on ease of use, and the result of a security check at [https://www.grc.com/x/ne.dll?bh0bkyd2 Shields Up].
 
 
 
=Non-exhaustive list of firewalls for Arch=
 
==iptables==
 
The Linux kernel itself contains a powerful packet-filtering framework, netfilter, which is configured with the user-space tool ''[[Iptables|iptables]]''. The other firewalls listed on this page are usually just front-ends that generate iptables rules. To use iptables in Arch, install its user-land utilities first:
 
# pacman -S iptables
 
 
 
Then define your rules with the {{Codeline|iptables}} command (they take effect immediately but do not survive a reboot) and run {{Codeline|/etc/rc.d/iptables save}}. This script calls {{Codeline|iptables-save}} and writes the current rules to {{Filename|/etc/iptables/iptables.rules}}.
 
 
 
Now you can start iptables, this will call {{Codeline|iptables-restore}} and load your rules:
 
# /etc/rc.d/iptables start
 
 
 
To load the rules at every boot, add {{Codeline|iptables}} to the DAEMONS array in {{Filename|/etc/rc.conf}}, preferably before {{Codeline|network}}, so that the rules are in place before any interface comes up:
 
DAEMONS=(... iptables network ...)
 
 
 
iptables does more than packet filtering: it also performs NAT, so you can use it to share your Internet connection with your private network. If your internal network already works but its hosts cannot reach the Internet, add this rule on the gateway PC (and enable IP forwarding with {{Codeline|sysctl -w net.ipv4.ip_forward=1}}, which the NAT rule alone does not do):
 
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 
'''Comment by Dheart'''
 
For some reason the above POSTROUTING line didn't work for me, so I used
 
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to xxx.xxx.xxx.xxx
 
where xxx.xxx.xxx.xxx is the IP address of my eth0 (the LAN card that has the Internet connection).
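The whole gateway setup of this section in one place, as an added example that is not part of the original page or of Dheart's comment: a POSIX sh script that writes an {{Codeline|iptables-restore}} ruleset for a machine with one WAN and one LAN interface, saves it where {{Codeline|/etc/rc.d/iptables}} expects it and enables IP forwarding. It uses {{Codeline|SNAT}} when a static WAN address is given (the case the comment above describes; SNAT is the right choice for a fixed address) and {{Codeline|MASQUERADE}} otherwise (MASQUERADE re-reads the interface address and therefore suits dynamically assigned ones). The filter rules only let the LAN open connections outward and only let replies back in; ssh to the gateway is accepted from the LAN side only. The interface names eth0/eth1, the LAN prefix 192.168.0.0/24 and the address 203.0.113.5 in the usage lines are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): generate, and optionally apply,
# an iptables-restore ruleset for a small NAT gateway with one WAN and one LAN
# interface. Interface names, LAN prefix and static address are assumptions.
#
# gen_gateway_rules WAN_IF LAN_IF LAN_NET [WAN_STATIC_IP]
#   prints the ruleset; with a static WAN address it uses SNAT, otherwise
#   MASQUERADE (which looks up the interface address per packet, so it suits
#   dynamically assigned IPs).
gen_gateway_rules() {
    wan=$1; lan=$2; lan_net=$3; wan_ip=$4
    if [ -n "$wan_ip" ]; then
        nat_target="SNAT --to-source $wan_ip"
    else
        nat_target="MASQUERADE"
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections this host opened itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# management (ssh) only from the LAN side, never from the WAN
-A INPUT -i $lan -s $lan_net -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# forwarding: LAN hosts may open connections outward; only replies come back in
-A FORWARD -i $lan -o $wan -s $lan_net -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# rewrite the source address of LAN traffic leaving on the WAN interface
-A POSTROUTING -o $wan -s $lan_net -j $nat_target
COMMIT
EOF
}

# apply_gateway_rules WAN_IF LAN_IF LAN_NET [WAN_STATIC_IP]   (run as root)
#   Saves the ruleset where /etc/rc.d/iptables expects it, turns on IP
#   forwarding (the POSTROUTING rule alone forwards nothing) and loads the
#   rules the same way "/etc/rc.d/iptables start" does at boot.
apply_gateway_rules() {
    gen_gateway_rules "$@" > /etc/iptables/iptables.rules || return 1
    sysctl -w net.ipv4.ip_forward=1 || return 1
    iptables-restore < /etc/iptables/iptables.rules
}

# Usage (not executed here; assumed interface names and addresses):
#   apply_gateway_rules eth0 eth1 192.168.0.0/24
#   apply_gateway_rules eth0 eth1 192.168.0.0/24 203.0.113.5
```

To keep forwarding enabled across reboots, also set {{Codeline|net.ipv4.ip_forward=1}} in {{Filename|/etc/sysctl.conf}}; the {{Codeline|sysctl -w}} call above only changes the running kernel.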
 
 
 
'''More info:'''
 
*[[Simple_stateful_firewall_HOWTO|Simple stateful firewall HOWTO]]
 
*[[NAT'ing firewall - Share your broadband connection]]
 
*man iptables http://unixhelp.ed.ac.uk/CGI/man-cgi?iptables+8
 
*http://tldp.org/HOWTO/Masquerading-Simple-HOWTO/
 
*http://netfilter.org/documentation/HOWTO/NAT-HOWTO.html
 
*http://iptables-tutorial.frozentux.net/iptables-tutorial.html
 
* [http://blog.webhosting.uk.com/2006/11/02/how-to-install-and-configure-apf-firewall-for-cpanel/  How to install and configure APF Firewall for cPanel?]
 
 
 
==iptables front-ends==
 
===Arno's Firewall===
 
[http://rocky.molphys.leidenuniv.nl/ Arno's IPTABLES Firewall Script] is a secure firewall for both single and multi-homed machines.
 
 
 
The script:
 
*Easy to configure and highly customizable
 
*daemon script included
 
*a filter script that makes your firewall log more readable
 
 
 
Supports:
 
*NAT and SNAT
 
*port forwarding
 
*ADSL ethernet modems with both static and dynamically assigned IPs
 
*MAC address filtering
 
*stealth port scan detection
 
*DMZ and DMZ-2-LAN forwarding
 
*protection against SYN/ICMP flooding
 
*extensive user definable logging with rate limiting to prevent log flooding
 
*all IP protocols and VPNs such as IPsec
 
*plugin support to add extra features.
 
 
 
===ferm===
 
[http://ferm.foo-projects.org/ ferm] (which stands for "For Easy Rule Making") is a tool for maintaining complex firewalls without having to rewrite the complex rules over and over again. ferm stores the entire firewall rule set in a separate file and loads it with one command. The configuration resembles a structured programming language, with nested levels and lists.
 
 
 
===Firehol===
 
[http://firehol.sourceforge.net/ FireHOL] is a language to express firewalling rules, not just a script that produces some kind of a firewall. It makes building even sophisticated firewalls easy - the way you want it.
 
 
 
{{Codeline|firehol}} is available in the {{Codeline|community}} repository.
 
 
 
===gShield===
 
[http://muse.linuxmafia.org/gshield/ gShield] is a very simple iptables configuration system (it has nothing to do with GNOME). It is easy to configure, blocks almost everything that is not needed by default, and is controlled by a single configuration file. With its default configuration, Shields Up reports all ports as stealth.
 
 
 
{{Codeline|gshield}} is available in [[AUR]].
 
 
 
Pros:
 
*Easy to configure
 
*Only one configuration file
 
*Produces a plain iptables configuration, which is the best firewall
 
Cons:
 
*No GUI
 
 
 
===Shorewall===
 
[http://www.shorewall.net/ The Shoreline Firewall], more commonly known as "Shorewall", is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements in a set of configuration files; Shorewall reads them and, with the help of the iptables utility, configures Netfilter to match. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode and can therefore take advantage of Netfilter's connection state tracking.
 
 
 
{{Codeline|shorewall}} is available in the {{Codeline|community}} repository.
 
 
 
===uruk===
 
[http://mdcc.cx/uruk/ uruk] loads an rc file, which defines network service access policy, and invokes iptables to set up firewall rules implementing this policy.
 
 
 
uruk is not available in any Arch Linux repository.
 
 
 
===ufw===
 
ufw (Uncomplicated Firewall) is a simple front-end for iptables and is available in the {{Codeline|community}} repository. For a basic firewall that still allows SSH access, run the following. Keep the order: ufw's default policy denies all incoming traffic, so enabling it over a remote session before allowing ssh locks you out.
 
sudo ufw allow ssh/tcp
 
sudo ufw logging on
 
sudo ufw enable
 
ufw saves the resulting iptables rules itself. Add {{Codeline|ufw}} to the DAEMONS array in {{Filename|/etc/rc.conf}} to enable it at boot.
 
 
 
ufw also has the capability of package provided or custom created application rules via the /etc/ufw/applications.d/ directory.
 
For applications like [[Samba]], which use several UDP and TCP ports, an application rule file makes enabling all of them easy:
 
sudo vi /etc/ufw/applications.d/samba
 
 
 
[Samba]
 
title=Windows file and printer server for Unix
 
description=Tools to access a server's filespace and printers via SMB
 
ports=137,138/udp|139,445/tcp
 
Note the "|" is used to separate the UDP ports and the TCP ports. Commas are used to separate the port numbers themselves.
 
 
 
For applications that utilize different ports depending on configuration, like [[Apache]], rule files can contain multiple rule sets.
 
sudo vi /etc/ufw/applications.d/apache
 
 
 
[Apache]
 
title=Web Server
 
description=A high performance Unix-based HTTP server
 
ports=80/tcp
 
 
[Apache Secure]
 
title=Web Server (HTTPS)
 
description=A high performance Unix-based HTTP server
 
ports=443/tcp
 
 
[Apache Full]
 
title=Web Server (HTTP,HTTPS)
 
description=A high performance Unix-based HTTP server
 
ports=80,443/tcp
 
 
 
To list the available application settings use:
 
sudo ufw app list
 
Available applications:
 
  Apache
 
  Apache Full
 
  Apache Secure
 
  Samba
 
 
 
To enable just [[Apache]]'s HTTPS service (the profile name contains a space, so it must be quoted):
 
sudo ufw allow "Apache Secure"
 
To enable access to [[Samba]] only within your LAN:
 
sudo ufw allow from 192.168.0.0/24 to any app Samba
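Before running {{Codeline|ufw allow}} on a profile, it helps to see exactly which ports it opens. The following is an added example, not part of the original page and not ufw's own code: a POSIX sh function that expands an application rule file of the format described above into one "profile port/proto" line per port, using the syntax the page gives (commas separate ports, "|" separates the UDP and TCP groups) plus ufw's low:high range form. A group without /tcp or /udp, or a port outside 1-65535, is reported and makes the function return non-zero; that strictness is this example's choice, not a statement about how ufw itself parses the file. The sample profile file it writes is constructed from the Samba and Apache entries above.

```shell
#!/bin/sh
# Added example (not from the original page, not part of ufw): list the ports
# each profile in a ufw application rule file would open.
#
# ufw_profile_ports FILE
#   prints "<profile> <port>/<proto>" for every port of every profile,
#   e.g. "Samba 137/udp"; returns 1 if any port spec is malformed.
ufw_profile_ports() {
    awk -F= '
        # validate a single port or a low:high range
        function port_ok(s,   e, k, i) {
            k = split(s, e, ":")
            if (k < 1 || k > 2) return 0
            for (i = 1; i <= k; i++)
                if (e[i] !~ /^[0-9]+$/ || e[i] + 0 < 1 || e[i] + 0 > 65535) return 0
            return 1
        }
        BEGIN { bad = 0; name = "" }
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        /^\[.*]$/ { name = substr($0, 2, length($0) - 2); next }
        $1 == "ports" {
            if (name == "") { print "ports= outside a [section]" > "/dev/stderr"; bad = 1; next }
            n = split($2, groups, "|")                  # "|" separates protocol groups
            for (g = 1; g <= n; g++) {
                if (split(groups[g], pp, "/") != 2 || (pp[2] != "tcp" && pp[2] != "udp")) {
                    print name ": bad port spec \"" groups[g] "\"" > "/dev/stderr"
                    bad = 1; continue
                }
                m = split(pp[1], ports, ",")             # "," separates ports
                for (p = 1; p <= m; p++) {
                    if (!port_ok(ports[p])) {
                        print name ": bad port \"" ports[p] "\"" > "/dev/stderr"
                        bad = 1; continue
                    }
                    print name, ports[p] "/" pp[2]
                }
            }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample file in the same syntax as the Samba and Apache profiles
# above (written to the path given as $1).
make_sample_profiles() {
    cat > "$1" <<'EOF'
[Samba]
title=Windows file and printer server for Unix
description=Tools to access a server's filespace and printers via SMB
ports=137,138/udp|139,445/tcp

[Apache Full]
title=Web Server (HTTP,HTTPS)
description=A high performance Unix-based HTTP server
ports=80,443/tcp
EOF
}

# Usage on a real system:
#   ufw_profile_ports /etc/ufw/applications.d/samba
#   ufw_profile_ports /etc/ufw/applications.d/apache | grep ' 443/tcp$'   # which profiles open 443
```

Run it over every file in {{Filename|/etc/ufw/applications.d/}} to get a flat list of what each profile opens; a non-zero exit means a profile contains a spec this check does not accept and deserves a closer look before it is allowed.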
 
 
 
Further Documentation and Source Citation: [https://help.ubuntu.com/9.04/serverguide/C/firewall.html Ubuntu Firewall Help]
 
 
 
==iptables GUIs==
 
===Firestarter===
 
[http://www.fs-security.com/ Firestarter] is a good GUI for iptables. It can use both whitelists and blacklists to regulate traffic, it is very simple and easy to use, and good documentation is available on its website.
 
 
 
Firestarter has gnome dependencies and is available in [[AUR]].
 
 
 
===Firetable===
 
[http://projects.leisink.org/firetable Firetable] is an iptables-based firewall with "human readable" syntax.
 
 
 
{{Codeline|firetable}} is available in [[AUR]].
 
 
 
===Guarddog===
 
[http://www.simonzone.com/software/guarddog/ Guarddog] is a really easy to use GUI for configuring iptables. After setting up a basic desktop configuration it passes all Shields Up tests perfectly.
 
 
 
Guarddog requires kdelibs3 and is available in the {{Codeline|community}} repository.
 
 
 
To have the firewall settings applied at bootup you must run ''/etc/rc.firewall'' from inside ''/etc/rc.local'' or something similar.
 
 
 
===Gufw===
 
[http://gufw.tuxfamily.org/index.html Gufw] is an easy to use Ubuntu / Linux firewall, powered by [[Firewalls#ufw|ufw]].
 
 
 
Gufw is an easy, intuitive way to manage your Linux firewall. It supports common tasks such as allowing or blocking pre-configured services, common P2P applications, or individual ports, and many others. Gufw is powered by ufw and runs on Ubuntu and anywhere else Python, GTK and ufw are available.
 
 
 
===KMyFirewall===
 
[http://kmyfirewall.sourceforge.net/ KMyFirewall] is a KDE3 GUI for iptables.
 
 
 
Firewall editing capabilities are simple enough to use to be suitable for beginners, but also allow for sophisticated tweaking of the firewall settings.
 
 
 
KMyFirewall requires kdelibs3 and is available in [[AUR]].
 
 
 
==Firewall Builder==
 
[http://www.fwbuilder.org/ Firewall Builder] is "a GUI firewall configuration and management tool that supports iptables (netfilter), ipfilter, pf, ipfw, Cisco PIX (FWSM, ASA) and Cisco routers extended access lists. [...] The program runs on Linux, FreeBSD, OpenBSD, Windows and Mac OS X and can manage both local and remote firewalls." Source: http://www.fwbuilder.org/
 
 
 
{{Codeline|fwbuilder}} is available in the {{Codeline|extra}} repository.
 

Latest revision as of 15:08, 7 November 2017
