From ArchWiki
Revision as of 16:59, 20 July 2011 by Cmlr (Talk | contribs) (ufw: Added instructions to put ufw in the daemons array.)

Jump to: navigation, search

This template has only maintenance purposes. For linking to local translations please use interlanguage links, see Help:i18n#Interlanguage links.

Local languages: Català – Dansk – English – Español – Esperanto – Hrvatski – Indonesia – Italiano – Lietuviškai – Magyar – Nederlands – Norsk Bokmål – Polski – Português – Slovenský – Česky – Ελληνικά – Български – Русский – Српски – Українська – עברית – العربية – ไทย – 日本語 – 正體中文 – 简体中文 – 한국어

External languages (all articles in these languages should be moved to the external wiki): Deutsch – Français – Română – Suomi – Svenska – Tiếng Việt – Türkçe – فارسی

A firewall is a system designed to prevent unauthorized access to or from a private network (which could be just one machine). Firewalls can be implemented in only hardware or software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and allows, proxys, or denies the traffic based on specified security criteria.

There is a nice list of firewalls here.

There are many posts on the forums about different firewall apps and scripts so here they all are condensed into one page - please add your comments about each firewall, especially ease of use and a security check at Shields Up.

Note: Checks at Shields Up are only a valid measure of your router should you have one in the LAN. To accurately evaluate a software firewall, one needs to directly connect the box to the cable modem.


The Linux kernel itself has very powerful firewall called iptables. Other firewalls are usually just frontends.

See the iptables article for more information.

More info:

iptables front-ends

Arno's Firewall

Arno's IPTABLES Firewall Script is a secure firewall for both single and multi-homed machines.

The script:

  • EASY to configure and highly customizable
  • daemon script included
  • a filter script that makes your firewall log more readable


  • NAT and SNAT
  • port forwarding
  • ADSL ethernet modems with both static and dynamically assigned IPs
  • MAC address filtering
  • stealth port scan detection
  • DMZ and DMZ-2-LAN forwarding
  • protection against SYN/ICMP flooding
  • extensive user definable logging with rate limiting to prevent log flooding
  • all IP protocols and VPNs such as IPSec
  • plugin support to add extra features.


ferm (which stands for "For Easy Rule Making") is a tool to maintain complex firewalls, without having the trouble to rewrite the complex rules over and over again. ferm allows the entire firewall rule set to be stored in a separate file, and to be loaded with one command. The firewall configuration resembles structured programming-like language, which can contain levels and lists.


FireHOL is a language to express firewalling rules, not just a script that produces some kind of a firewall. It makes building even sophisticated firewalls easy - the way you want it. The result is actually iptables rules.

Template:Codeline is available in the community repository.


Firetable is an iptables-based firewall with "human readable" syntax.

Template:Codeline is available in AUR.


gShield is a really simple iptables configuration system. (Nothing to do with gnome) Easy to configure, blocks everything not needed (almost) by default. Controlled by only one configuration file. It gave me all stealth on

Template:Codeline is available in AUR.


  • Easy to configure
  • Only one configuration file
  • Will give you a iptables configuration, which is the best firewall


  • No GUI


The Shoreline Firewall, more commonly known as "Shorewall", is high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables utility, Shorewall configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode and can thus take advantage of Netfilter's connection state tracking capabilities.

Template:Codeline is available in the Template:Codeline repository.


uruk loads an rc file, which defines network service access policy, and invokes iptables to set up firewall rules implementing this policy.

uruk is not available in any Arch Linux repository.


ufw (uncomplicated firewall) is a simple frontend for iptables and is available in [community]. The next two sections are simply high-level explanations and examples. Users are encouraged to consult the Ubuntu Firewall Help page for additional details.

You need to include ufw in your daemons array in rc.conf, but iptables does not have to go there.

DAEMONS=(syslog-ng ufw network ...)

Basic Configuration

A very simplistic configuration which will deny all by default, allow any protocol from inside a LAN, and allow incoming Deluge and SSH traffic from anywhere:

# ufw default deny
# ufw allow from
# ufw allow Deluge
# ufw allow SSH

The next line is only need once the first time you install the package. From there on out, either put ufw in your daemons array in rc.conf or control it via the standard rc.d script (i.e. rc.d start ufw):

# ufw enable

Finally, query the rules being applied via the status command:

# ufw status
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW
Deluge                     ALLOW       Anywhere
SSH                        ALLOW       Anywhere

Adding Other Applications

The PKG comes with some defaults based on the default ports of many common daemons and programs. Inspect the options by looking in the /etc/ufw/applications.d directory or by listing them in the program itself:

# ufw app list

If users are running any of the applications on a non-standard port, it is recommended to simply make Template:Filename containing the needed data using the defaults as a guide.

Warning: If users modify any of the PKG provided rule sets, these will be overwritten the first time the ufw package is updated. This is why custom app definitions need to reside in a non-PKG file as recommended above!

Example, deluge with custom tcp ports that range from 20202-20205:

description=Deluge BitTorrent client

Should you require to define both tcp and udp ports for the same application, simply separate them with a pipe as shown: this app opens tcp ports 10000-10002 and udp port 10003


One can also use a comma to define ports if a range is not desired. This example opens tcp ports 10000-10002 (inclusive) and udp ports 10003 and 10009


Deleting Applications

Drawing on the Deluge/Deluge-my example above, the following will remove the standard Deluge rules and replace them with the Deluge-my rules from the above example:

# ufw delete allow Deluge
# ufw allow Deluge-my

Query the result via the status command:

# ufw status
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW
SSH                        ALLOW       Anywhere
Deluge-my                  ALLOW       Anywhere


Vuurmuur Vuurmuur is a powerful firewall manager built on top of iptables. It has a simple and easy to learn configuration that allows both simple and complex configurations. The configuration can be fully configured through an ncurses GUI, which allows secure remote administration through SSH or on the console. Vuurmuur supports traffic shaping, has powerful monitoring features, which allow the administrator to look at the logs, connections and bandwidth usage in realtime.

Template:Codeline and is available in AUR.

iptables GUIs


Firestarter is a good GUI for iptables writen on GTK2, it has the ability to use both white and black lists for regulating traffic, it is very simple and easy to use, with good documentation available on their website.

Firestarter has gnome dependencies and is available in AUR.


Guarddog is a really easy to use GUI for configuring iptables. After setting up a basic desktop configuration it passes all Shields Up tests perfectly.

Guarddog requires kdelibs3 and is available in the AUR repository.

To have the firewall settings applied at bootup you must run /etc/rc.firewall from inside /etc/rc.local or something similar.


Gufw is an easy to use Ubuntu / Linux firewall, powered by ufw.

Gufw is an easy, intuitive, way to manage your Linux firewall. It supports common tasks such as allowing or blocking pre-configured, common p2p, or individual ports port(s), and many others! Gufw is powered by ufw , runs on Ubuntu, and anywhere else Python, GTK, and Ufw are available.


kcm-ufw is KDE4 control module for ufw. The following features are supported:

  • Enable/disable firewall
  • Configure firewall default settings
  • Add, edit, and remove rules
  • Re-order rules via drag\'n\'drop
  • Import/export of rules
  • Setting of some IP tables modules

The module will appear under "Network and Connectivty" category.


KMyFirewall is KDE3 GUI for iptables.

Firewall editing capabilities are simple enough to use to be suitable for beginners, but also allow for sophisticated tweaking of the firewall settings.

KMyFirewall requires kdelibs3 and is available in AUR.

Firewall Builder

Firewall Builder is "a GUI firewall configuration and management tool that supports iptables (netfilter), ipfilter, pf, ipfw, Cisco PIX (FWSM, ASA) and Cisco routers extended access lists. [...] The program runs on Linux, FreeBSD, OpenBSD, Windows and Mac OS X and can manage both local and remote firewalls." Source:

Template:Codeline is available in the Template:Codeline repository.