Firewalls

From ArchWiki
Revision as of 15:14, 17 July 2011 by Unikum (Talk | contribs) (kcm-ufw)

Jump to: navigation, search

This template has only maintenance purposes. For linking to local translations please use interlanguage links, see Help:i18n#Interlanguage links.


Local languages: Català – Dansk – English – Español – Esperanto – Hrvatski – Indonesia – Italiano – Lietuviškai – Magyar – Nederlands – Norsk Bokmål – Polski – Português – Slovenský – Česky – Ελληνικά – Български – Русский – Српски – Українська – עברית – العربية – ไทย – 日本語 – 正體中文 – 简体中文 – 한국어


External languages (all articles in these languages should be moved to the external wiki): Deutsch – Français – Română – Suomi – Svenska – Tiếng Việt – Türkçe – فارسی

A firewall is a system designed to prevent unauthorized access to or from a private network (which could be just one machine). Firewalls can be implemented in only hardware or software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and allows, proxys, or denies the traffic based on specified security criteria.

There is a nice list of firewalls here.

There are many posts on the forums about different firewall apps and scripts so here they all are condensed into one page - please add your comments about each firewall, especially ease of use and a security check at Shields Up.

Note: Checks at Shields Up are only a valid measure of your router should you have one in the LAN. To accurately evaluate a software firewall, one needs to directly connect the box to the cable modem.

iptables

The Linux kernel itself has very powerful firewall called iptables. Other firewalls are usually just frontends.

See the iptables article for more information.

More info:

iptables front-ends

Arno's Firewall

Arno's IPTABLES Firewall Script is a secure firewall for both single and multi-homed machines.

The script:

  • EASY to configure and highly customizable
  • daemon script included
  • a filter script that makes your firewall log more readable

Supports:

  • NAT and SNAT
  • port forwarding
  • ADSL ethernet modems with both static and dynamically assigned IPs
  • MAC address filtering
  • stealth port scan detection
  • DMZ and DMZ-2-LAN forwarding
  • protection against SYN/ICMP flooding
  • extensive user definable logging with rate limiting to prevent log flooding
  • all IP protocols and VPNs such as IPSec
  • plugin support to add extra features.

ferm

ferm (which stands for "For Easy Rule Making") is a tool to maintain complex firewalls, without having the trouble to rewrite the complex rules over and over again. ferm allows the entire firewall rule set to be stored in a separate file, and to be loaded with one command. The firewall configuration resembles structured programming-like language, which can contain levels and lists.

Firehol

FireHOL is a language to express firewalling rules, not just a script that produces some kind of a firewall. It makes building even sophisticated firewalls easy - the way you want it. The result is actually iptables rules.

Template:Codeline is available in the community repository.

Firetable

Firetable is an iptables-based firewall with "human readable" syntax.

Template:Codeline is available in AUR.

gShield

gShield is a really simple iptables configuration system. (Nothing to do with gnome) Easy to configure, blocks everything not needed (almost) by default. Controlled by only one configuration file. It gave me all stealth on grc.com

Template:Codeline is available in AUR.

Pros:

  • Easy to configure
  • Only one configuration file
  • Will give you a iptables configuration, which is the best firewall

Cons:

  • No GUI

Shorewall

The Shoreline Firewall, more commonly known as "Shorewall", is high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables utility, Shorewall configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode and can thus take advantage of Netfilter's connection state tracking capabilities.

Template:Codeline is available in the Template:Codeline repository.

uruk

uruk loads an rc file, which defines network service access policy, and invokes iptables to set up firewall rules implementing this policy.

uruk is not available in any Arch Linux repository.

ufw

ufw (uncomplicated firewall) is a simple frontend for iptables and is available in [community]. The next two sections are simply high-level explanations and examples. Users are encouraged to consult the Ubuntu Firewall Help page for additional details.

Basic Configuration

A very simplistic configuration which will deny all by default, allow any protocol from inside a 192.168.0.1-192.168.0.255 LAN, and allow incoming Deluge and SSH traffic from anywhere:

# ufw default deny
# ufw allow from 192.168.0.0/24
# ufw allow Deluge
# ufw allow SSH

The next line is only need once the first time you install the package. From there on out, control it via the standard rc.d script (i.e. rc.d start ufw):

# ufw enable

Finally, query the rules being applied via the status command:

# ufw status
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW       192.168.0.0/24
Deluge                     ALLOW       Anywhere
SSH                        ALLOW       Anywhere

Adding Other Applications

The PKG comes with some defaults based on the default ports of many common daemons and programs. Inspect the options by looking in the /etc/ufw/applications.d directory or by listing them in the program itself:

# ufw app list

If users are running any of the applications on a non-standard port, it is recommended to simply make Template:Filename containing the needed data using the defaults as a guide.

Warning: If users modify any of the PKG provided rule sets, these will be overwritten the first time the ufw package is updated. This is why custom app definitions need to reside in a non-PKG file as recommended above!

Example, deluge with custom tcp ports that range from 20202-20205:

[Deluge-my]
title=Deluge
description=Deluge BitTorrent client
ports=20202:20205/tcp

Should you require to define both tcp and udp ports for the same application, simply separate them with a pipe as shown: this app opens tcp ports 10000-10002 and udp port 10003

ports=10000:10002/tcp|10003/udp

One can also use a comma to define ports if a range is not desired. This example opens tcp ports 10000-10002 (inclusive) and udp ports 10003 and 10009

 ports=10000:10002/tcp|10003,10009/udp

Deleting Applications

Drawing on the Deluge/Deluge-my example above, the following will remove the standard Deluge rules and replace them with the Deluge-my rules from the above example:

# ufw delete allow Deluge
# ufw allow Deluge-my

Query the result via the status command:

# ufw status
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW       192.168.0.0/24
SSH                        ALLOW       Anywhere
Deluge-my                  ALLOW       Anywhere

Vuurmuur

Vuurmuur Vuurmuur is a powerful firewall manager built on top of iptables. It has a simple and easy to learn configuration that allows both simple and complex configurations. The configuration can be fully configured through an ncurses GUI, which allows secure remote administration through SSH or on the console. Vuurmuur supports traffic shaping, has powerful monitoring features, which allow the administrator to look at the logs, connections and bandwidth usage in realtime.

Template:Codeline and is available in AUR.

iptables GUIs

Firestarter

Firestarter is a good GUI for iptables writen on GTK2, it has the ability to use both white and black lists for regulating traffic, it is very simple and easy to use, with good documentation available on their website.

Firestarter has gnome dependencies and is available in AUR.

Guarddog

Guarddog is a really easy to use GUI for configuring iptables. After setting up a basic desktop configuration it passes all Shields Up tests perfectly.

Guarddog requires kdelibs3 and is available in the AUR repository.

To have the firewall settings applied at bootup you must run /etc/rc.firewall from inside /etc/rc.local or something similar.

Gufw

Gufw is an easy to use Ubuntu / Linux firewall, powered by ufw.

Gufw is an easy, intuitive, way to manage your Linux firewall. It supports common tasks such as allowing or blocking pre-configured, common p2p, or individual ports port(s), and many others! Gufw is powered by ufw , runs on Ubuntu, and anywhere else Python, GTK, and Ufw are available.

kcm-ufw

kcm-ufw is KDE4 control module for ufw. The following features are supported:

  • Enable/disable firewall
  • Configure firewall default settings
  • Add, edit, and remove rules
  • Re-order rules via drag\'n\'drop
  • Import/export of rules
  • Setting of some IP tables modules

The module will appear under "Network and Connectivty" category.

KMyFirewall

KMyFirewall is KDE3 GUI for iptables.

Firewall editing capabilities are simple enough to use to be suitable for beginners, but also allow for sophisticated tweaking of the firewall settings.

KMyFirewall requires kdelibs3 and is available in AUR.

Firewall Builder

Firewall Builder is "a GUI firewall configuration and management tool that supports iptables (netfilter), ipfilter, pf, ipfw, Cisco PIX (FWSM, ASA) and Cisco routers extended access lists. [...] The program runs on Linux, FreeBSD, OpenBSD, Windows and Mac OS X and can manage both local and remote firewalls." Source: http://www.fwbuilder.org/

Template:Codeline is available in the Template:Codeline repository.