just add your own iptables command, yes. there is an iptables service under fedora which will save and restore iptables configurations for you if you wish to save what you're currently running. i think you just run "service iptables save" and it writes it to disk for you. as for how to use iptables, well that's the subject of MANY heavy books... essentially you need a moderate grasp of networking to get going.
Distribution: open SUSE 11.0, Fedora 7 and Mandriva 2007
Posts: 1,662
Original Poster
Rep:
Thanks acid_kewpie
In your case, did you make your own firewall or just use the built in firewall?
I read some online articles and checked this with my system too.
There is a script. It is a very long one.
You will find your script here.
/etc/rc.d/init.d/iptables
Did you write the script?
You may have accepted the built in script or rather built in firewall.
I guess iptables means creating your own firewall. So if you know pros and cons, you will make your firewall. I am not sure.
well there's firestarter, guarddog and fwbuilder as GUIs for setting up a firewall, listed in order of complexity/capability: lowest/easiest on the left, highest/most capable on the right.
Well, acid_kewpie wrote that you need a good knowledge of networking.
I have studied networking in Cisco for 2 years. So I have some knowledge of networking. I must confess that I am not an expert. There are so many things which I must learn.
In Cisco's IOS it is possible to use an ACL to block websites for a client or for an entire subnet.
I have a router simulator so I can practice Cisco's IOS as well as ACLs.
I am sure many of you are familiar with Cisco's IOS. Working with Access Control Lists is a part of IOS. It is not a tall order to use an ACL to block websites. Does it count as part of a firewall? I am not sure.
When it comes to firewall in Windows people use programs like Zone Alarm. I think Windows XP has a built in firewall too. I am not sure about Vista. I don't think people make their own firewall in Windows. You can use a hardware firewall just to stop ICMP requests. But you need a separate firewall for Windows.
I think in UNIX people always use the built in firewall. I mean when you install a distro the firewall is always there; unless you opt out.
Am I wrong here? I mean some people create or rather write a new firewall. Those Iptables are about firewalls.
I would like to read your comments on this.
Quote:
Well, acid_kewpie wrote that you need a good knowledge of networking.
I have studied networking in Cisco for 2 years. So I have some knowledge of networking. I must confess that I am not an expert. There are so many things which I must learn.
It's not about how long you spend time at Cisco doing this, reading that; it's about how efficiently you use it. Networking is such a vast subject that I doubt it's even possible for one person to understand everything "fully" (because when you get to the end of the subject, half of what you learned has been renewed and you'll need to re-learn it). Anyway, if a single person would like to create a personal firewall using iptables (for example), I don't think it's sensible to say "hey, you've got to buy 400 books and work 5 years at Cisco to get started". Nope, the first thing to do is to get an example or two of iptables scripts/rules, preferably with some documentation, to get the grasp of it. That's the start.
Iptables does come along with almost any Linux distribution. It is possible to leave it out of the kernel and not install the userspace program, but if the machine is to be networked, I don't see why anybody would do that. But even if iptables "is there", it's not the same as if everybody actually used it: many people (that I know) just install Linux and let it be; they consider it secure enough for them, compared to Windows for example, that they don't feel it necessary to start building firewalls. This is why graphical front-ends like firestarter are good: they may get people to create a firewall even if they don't like writing scripts for iptables. On the other hand, hardly any graphical front-end for iptables is as good as understanding the iptables userspace program and the kernel modules more deeply; I don't know them well enough myself to do anything magical, but I do know enough to create a personal firewall (I, like many others, start off by dropping everything possible, and then start making holes for what I need).
The story is the same as with physics: there's too much to know. You can do with a little less information; you're just fine with that. Only if you want more or need more, for example if you're working at Cisco where they never get enough, then you can sit down and study more. But for a desktop user it's hardly worth spending years reading books. I guess it's more valuable to visit iptables.org and see the documentation/faq/examples sections and pick up what you need. After ten years you'll know if it was enough or if you should learn more.
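As an added example (not a script posted by anyone in this thread), here is what the two pieces of advice above look like when written down: acid_kewpie's "add your own iptables command and run service iptables save", and b0uncer's approach of dropping everything first and then opening holes. Every rule goes through a variable `IPT`, so setting `IPT=echo` gives a dry run that only prints the commands. The allowed inbound port (22) and the blocked destination (192.0.2.10, a TEST-NET-1 documentation address) are placeholders I chose, not values from the thread; `service iptables save` is the Fedora persistence command acid_kewpie mentions.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread: a small default-deny
# personal firewall in the style b0uncer describes (drop everything, then open
# holes), persisted with acid_kewpie's "service iptables save" on Fedora.
# Every rule goes through $IPT, so IPT=echo gives a dry run that only prints.
# Placeholders (assumptions, change them for your box): the allowed inbound
# port list and the blocked destination, which uses a TEST-NET-1 address.

IPT="${IPT:-/sbin/iptables}"
SAVE_CMD="${SAVE_CMD:-service iptables save}"
ALLOW_TCP_IN="${ALLOW_TCP_IN:-22}"          # placeholder: ssh only
BLOCK_DST="${BLOCK_DST:-192.0.2.10}"        # placeholder: a host you never want to reach

flush_rules() {
    # Start from nothing so rules left behind by a GUI front-end cannot interfere.
    $IPT -F
    $IPT -X
    $IPT -t nat -F
}

set_default_policy() {
    # Default-deny: anything no later rule accepts is dropped.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
}

block_destinations() {
    # First in OUTPUT: netfilter uses the first matching rule, so this must sit
    # before the ESTABLISHED accept, or an already open connection would survive.
    for h in $BLOCK_DST; do
        $IPT -A OUTPUT -d "$h" -j DROP
    done
}

allow_established() {
    # Connection tracking (the "state match" support firestarter requires):
    # replies to connections we started come back; loopback is always fine.
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
}

open_holes() {
    # Inbound: only new connections to the listed TCP ports.
    for p in $ALLOW_TCP_IN; do
        $IPT -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    # Outbound: we may start any connection not blocked above.
    $IPT -A OUTPUT -m state --state NEW -j ACCEPT
    # Rate-limited LOG of what the INPUT policy is about to drop, for debugging.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

build_firewall() {
    flush_rules
    set_default_policy
    block_destinations
    allow_established
    open_holes
}

persist_rules() {
    # Fedora's iptables init script restores what this writes at boot.
    $SAVE_CMD
}

# Print the rule commands without touching the kernel.
dry_run() {
    ( IPT=echo; build_firewall )
}

case "${1:-}" in
    apply) build_firewall && persist_rules ;;
    show)  dry_run ;;
esac
```

Run it as `sh fw.sh show` to see the exact commands, `sh fw.sh apply` (as root) to load and save them, then `iptables -L -n -v` to confirm. The order inside `build_firewall` is the point: the per-host DROP is added before the ESTABLISHED accept because the first matching rule in a chain wins, which is also why rules written by two different tools into the same chain can quietly cancel each other.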
Thanks b0uncer
Did you look at your firewall? In the second post I have written the place you find your iptables. Did you look at it?
Now in my first post, I have written a command; this is to block a site or rather drop a packet. How can I edit my iptables and insert some command line similar to it?
I know in the Windows world you can't have 2 or 3 firewalls to get good protection. It doesn't work that way. I guess it is the same in UNIX too.
My built in firewall is on. So I get some protection; I hope so. Does it work to have firestarter firewall too?
I could just download and install firestarter.
Firestarter as well as the other two GUIs I mentioned basically handle the grunt work of writing the rules for you.
Firestarter is basic: it blocks incoming but doesn't worry so much about blocking outbound traffic. Closest match to how the Windows Firewall works. Simple to use, quick to set up to give basic protection to a machine with very little work.
Guarddog allows you to get a bit more granular on your rule sets to allow only the specific incoming and outgoing traffic you desire. This is a more powerful firewall frontend.
fwbuilder is an object oriented GUI for designing a firewall. If you have ever used a Checkpoint Firewall this interface will look VERY familiar to you. This tool is used to create your firewall rule set for Linux, Cisco, or various other firewalls.
Using any of the GUIs, after the firewall is enabled you can check the rule set by doing iptables -L, because they are only front ends to the Linux iptables firewall...
Thanks farsplayer for the reply.
Still I didn't get the answer which I was looking for.
I have a built in firewall. If I install one of the firewalls you mentioned, do you think it will work? If it works, I have two firewalls on my system.
you don't have two firewalls. you have two separate ways in which you are buggering about with netfilter. there is only one "firewall", which is manipulated primarily by iptables, which is in turn used by gui tools like firestarter. there is only *ever* one firewall. it may contain contradicting rules from different applications, but it's one firewall.
for my own sanity, i need to unsubscribe from this thread now...
The only way in main-line kernels to filter packets arriving is through the netfilter infrastructure. This is normally administered by the "iptables" command which provides the kernel with information on how to handle packets: these are the so-called "iptables rules", similar to Cisco IOS routing rules, I suppose. (Disclaimer: I don't know IOS, I just know people that know IOS)
Guarddog, firestarter, and every other firewall gui for Linux that I have *EVER* seen just builds iptables rules and sticks them in place. Thus, you have ONE firewall, and several ways of administering it.
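Added example, not from anyone in this thread: a small check for exactly the situation acid_kewpie and Matir describe, where two tools have written into the one netfilter rule set and left rules that contradict or duplicate each other. The input format is what `iptables -S` prints (the thread uses `iptables -L`; `-S` lists the same rules in command form). The sample rule set below is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from anyone in this thread: find contradictory or
# duplicate rules in one netfilter rule set, as happens when several
# front-ends all write into it. Input is the listing `iptables -S` prints.
# The sample below is constructed; 192.0.2.10 is a TEST-NET-1 placeholder.

SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j DROP
-A INPUT -p tcp --dport 22 -j DROP
-A INPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -d 192.0.2.10 -j DROP
-A OUTPUT -d 192.0.2.10 -j DROP'

# Reads rules on stdin. Netfilter takes the first matching rule in a chain, so
# a later rule with the same chain and match as an earlier one never fires: if
# its target differs, the two tools contradict each other; otherwise it is a
# duplicate. Prints one CONFLICT or DUPLICATE line per such rule.
find_conflicts() {
    awk '
    /^-A / {
        n = index($0, " -j ")
        if (n == 0) next               # rule without a target: nothing to compare
        key    = substr($0, 1, n - 1)  # "-A CHAIN <match expression>"
        target = substr($0, n + 4)
        if (key in seen) {
            if (seen[key] != target)
                printf "CONFLICT: %s first -j %s, later -j %s (later rule never fires)\n", key, seen[key], target
            else
                printf "DUPLICATE: %s -j %s\n", key, target
        } else {
            seen[key] = target
        }
    }'
}

# Counts over the constructed sample, used to check the detector.
conflict_count() {
    printf '%s\n' "$SAMPLE_RULES" | find_conflicts | grep -c '^CONFLICT'
}

duplicate_count() {
    printf '%s\n' "$SAMPLE_RULES" | find_conflicts | grep -c '^DUPLICATE'
}

# Real use on a running box:  iptables -S | sh rulecheck.sh live
case "${1:-}" in
    live)   find_conflicts ;;
    sample) printf '%s\n' "$SAMPLE_RULES" | find_conflicts ;;
esac
```

On the sample this reports two conflicts (port 22 accepted then dropped, port 80 dropped then accepted) and one duplicate. It only compares rules whose match expressions are textually identical; a broader rule higher up (say `-p tcp` with no port) also shadows a more specific one below it, and a plain text comparison will not see that, so read the output as a starting point and still walk the chain by hand.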
Thanks Matir
I am a bit surprised why acid_kewpie was a bit hard on me. I am trying to learn here. I am not testing your knowledge.
I don't know much about things like iptables, netfilters, etc. So please do understand that I am begging your help to learn things I am not familiar with. I have a fairly good knowledge of Cisco IOS as well as ACL.
Things pertaining to firewalls are one of my Achilles' heels.
I think his frustration stemmed more from the fact that your question had already been addressed and answered, but it seemed you skimmed the replies without bothering to grasp the information provided.
You could have taken the information that was given, looked up the GUIs that were mentioned and read about them on their respective websites, and got the answers you were looking for. Doing the legwork yourself is oftentimes more educational and rewarding, and doesn't make people frustrated when they feel they are spoon feeding you and still getting nowhere.
Quote:
from fwbuilder site FAQ:
We have policy compilers for the popular free firewalls iptables http://www.iptables.org/, ipfilter http://coombs.anu.edu.au/~avalon/, pf http://www.benzedrine.cx/pf.html. Because of the modular architecture, Firewall Builder can be used to manage firewalls built on a variety of platforms including, but not limited to, Linux using iptables, ipfilter on FreeBSD or Solaris and pf on OpenBSD.
from Guarddog site:
* Guarddog is a firewall configuration utility for Linux systems.
* Supports advanced Linux 2.4+ iptables features such as connection tracking and rate limited logging.
from firestarter site: http://www.fs-security.com/docs/kernel.php (explains the features in Linux used for this firewall GUI):
At the very least, the Connection tracking, IP tables, Connection state match support, Connection tracking match support, Packet filtering, Full NAT and the LOG target support features must be present in your kernel or loaded as modules.
From the netfilter site:
netfilter.org is home to the software of the packet filtering framework inside the Linux 2.4.x and 2.6.x kernel series. Software commonly associated with netfilter.org is iptables. iptables how-to
While this may not be the case, sometimes that is how things appear when you are given answers but keep asking the same questions.
farslayer
I eat humble pie. The fault partly lies with me. As you said, I didn't read carefully what acid_kewpie and the others wrote.
There are so many things in mind when you are on the Internet. So it is natural that you skim the replies.
I always work on the Internet while listening to TV. I mean the background music for me is listening to TV. This is because I don't have time to watch TV. I will try to be more attentive!