name the best firewall.
"Historically", I've used graphical utilities such as KMyFirewall, Guarddog, and Firestarter as my firewalls. KMyFirewall being my favorite of these. However, I need to take a step up.
My goal is internet security/UNIX-Linux Programming/Network Analysis as a career, and I need to stop procrastinating. :D

Thus said, should I go to the "core" and learn IPTables, or go with something like FWBuilder or Shorewall? Since I have never interfaced with IPTables directly, here are a few newbish questions:

1. I assume iptables is installed by default on Linux and BSD yet is unconfigured. Is this correct?
2. I also assume that iptables requires some sort of configuration file. If so, what is the standard location of this file?

Please post links to helpful tutorials. I'm ready for a lot of reading.
1) The iptables command interfaces with the netfilter in the Linux kernel. BSD has a different kernel and a different command and syntax for configuring its firewall.
2) It is common practice that a startup script runs a number of iptables commands. You will need to resort to your distro's documentation. If you use DHCP for example, the IP addresses won't be fixed and need to be resolved before running the iptables commands. The script will assign variables at the top of the script and then use these variables in the iptables commands. So loading a file saved with iptables-save is one possible method but not the best way of doing it.

I'd recommend looking at one table at a time, e.g. "iptables -L OUTPUT". This makes it easier to study each table and to insert a new rule in the correct place.

Part of your study will need to be the TCP/IP protocols. The No Starch Press "TCP/IP Guide" by Charles M. Kozierok is very comprehensive yet approachable. Also install Wireshark so that you can study them on the wire and check if your rules perform as expected. There are also books on Linux Firewalls, including "Linux Firewalls 3rd Ed." by Steve Suehring and Robert L. Ziegler. Published by Novell.

Good Luck!
So, it varies from distro to distro; most of the larger ones will install iptables but probably don't do very much with it until you configure it (the deliberately small distributions such as DSL, Puppy, etc., may be exceptions, I don't know); afaik the BSDs use a different system that looks more comparable to the old iptables system to me, but I am no expert on BSDs.
If you take this approach, you can take advantage of string substitution, so that you can define variables, e.g., "local_net" and have that substituted everywhere appropriate in your rules. This makes things easier to understand and maintain.

Another approach (rather than use a scripting language as a rule builder) is to just use the commands to load and unload iptables rule sets. As I can't see any circumstance in which you would regularly want to do that by hand, you'd probably still do that from a scripting language (bash, maybe python, etc, etc) on start up, but the scripting language part could be almost trivial.
For me this is the if-you-only-read-one-firewall/iptables-tutorial. On the other hand, it is about 500 pages long and is more of a manual than a tutorial.

http://iptables-tutorial.frozentux.net/

If you want to start at the shallow end:

http://howtoforge.com/bash-script-fo...ables-firewall
http://www.linuxhomenetworking.com/w...Using_iptables
http://howtoforge.com/bash-script-fo...ables-firewall

(and the Linux quick Fix Notebook by Harrison (referenced here http://search.techrepublic.com.com/s...x+and+web.html, which gives a script more or less equivalent to http://www.chinalinuxpub.com/doc/www...bles-intro.htm

http://safari.oreilly.com/0672327716/ch08

...and there is much, much more available with the aid of a search engine.
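The startup-script approach described in the replies above (variables assigned at the top, then substituted into the iptables commands), as an added example that is not part of the original thread. The interface name, network range, port and log prefix are constructed placeholder values, and the input validation is an addition of this example.

```bash
#!/bin/bash
# Added example: firewall startup script with variables at the top.
# The interface, network and port values are constructed placeholders.
LAN_IF="${LAN_IF:-eth0}"                  # LAN-facing interface (assumed)
LOCAL_NET="${LOCAL_NET:-192.168.1.0/24}"  # trusted network (assumed)
SSH_PORT="${SSH_PORT:-22}"                # service allowed from LOCAL_NET
IPT="iptables"

# Reject values that could smuggle extra shell syntax into a rule line.
validate() {
    case "$LAN_IF" in ''|[!A-Za-z0-9]*|*[!A-Za-z0-9._-]*) return 1 ;; esac
    case "$LOCAL_NET" in ''|*[!0-9./]*) return 1 ;; esac
    case "$SSH_PORT" in ''|*[!0-9]*) return 1 ;; esac
    return 0
}

# Print the INPUT rule set, one command per line, in load order.
# The DROP policy comes right after the flush so the host fails closed
# while the remaining rules are loaded.
build_rules() {
    cat <<EOF
$IPT -F INPUT
$IPT -P INPUT DROP
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $LAN_IF -s $LOCAL_NET -p tcp --dport $SSH_PORT -j ACCEPT
$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix fw-input-drop:
EOF
}

main() {
    validate || { echo "refusing to run: bad variable value" >&2; return 1; }
    if [ "${1:-}" = "--apply" ]; then
        build_rules | sh -e    # needs root; stops at the first failing rule
    else
        build_rules            # dry run: print the commands for review
    fi
}

main "$@"
```

Run without arguments, the script only prints the generated commands; with `--apply` (as root) it loads them, after which `iptables -L INPUT -n -v` shows the result.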