Old 07-21-2008, 11:05 PM   #1
phantom_cyph
Senior Member
 
Registered: Feb 2007
Location: My HDD...
Distribution: WinXP for designing, Linux for life.
Posts: 2,329
Blog Entries: 1

Rep: Reputation: 47
name the best firewall.


"Historically", I've used graphical utilities such as KMyFirewall, Guarddog, and Firestarter as my firewalls. KMyFirewall being my favorite of these. However, I need to take a step up.

My goal is internet security/UNIX-Linux Programming/Network Analysis as a career, and I need to stop procrastinating.

Thus said, should I go to the "core" and learn IPTables, or go with something like FWBuilder or Shorewall? Since I have never interfaced with IPTables directly, here are a few newbish questions:

1. I assume iptables is installed by default on Linux and BSD yet is unconfigured. Is this correct?

2. I also assume that iptables requires some sort of configuration file. If so, what is the standard location of this file?

Please post links to helpful tutorials. I'm ready for a lot of reading.
 
Old 07-21-2008, 11:24 PM   #2
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 671
1) The iptables command interfaces with the netfilter in the Linux kernel. BSD has a different kernel and a different command and syntax for configuring its firewall.

2) It is common practice that a startup script runs a number of iptables commands. You will need to resort to your distro's documentation. If you use DHCP for example, the IP addresses won't be fixed and need to be resolved before running the IP tables commands. The script will assign variables at the top of the script and then use these variables in the iptables commands. So loading a file saved with iptables-save is one possible method but not the best way of doing it.

I'd recommend looking at one table at a time, e.g. "iptables -L OUTPUT". This makes it easier to study each table and to insert a new rule in the correct place.

Part of your study will need to be the TCP/IP protocols. The No Starch Press "TCP/IP Guide" by Charles M. Kozierok is very comprehensive yet approachable. Also install Wireshark so that you can study them on the wire and check if your rules perform as expected.

There are also books on Linux Firewalls, including "Linux Firewalls 3rd Ed." by Steve Suehring and Robert L. Ziegler. Published by Novell.


Good Luck!

Last edited by jschiwal; 07-21-2008 at 11:29 PM.
 
Old 07-22-2008, 04:31 AM   #3
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,060

Rep: Reputation: 883
Quote:
Originally Posted by phantom_cyph
My goal is internet security/UNIX-Linux Programming/Network Analysis as a career, and I need to stop procrastinating.
Well, now, or thereabouts would be quite a good time to stop procrastinating... Or, alternatively, you could put it off a bit.

Quote:
1. I assume iptables is installed by default on Linux and BSD yet is unconfigured. Is this correct?
Most of the distros that I know install the iptables code. In this Ubuntu box (7.10) it is active, but configured with "accept all" rules; i.e., the default is for it to do nothing. From what I recall, SuSE installs a firewall configured to do some minimum work by default, but that may be a function of the answers that you give during installation.

So, it varies from distro to distro; most of the larger ones will install iptables but probably don't do very much with it until you configure it (the deliberately small distributions such as DSL, Puppy, etc., may be exceptions, I don't know); afaik the BSDs use a different system that looks more comparable to the old iptables system to me, but I am no expert on BSDs.

Quote:
2. I also assume that iptables requires some sort of configuration file. If so, what is the standard location of this file?
You could take several different approaches to this; probably the most common is to run a bash script (or scripts) on start-up which builds the rules. This script can be anywhere that your distro runs start-up scripts (SuSE, if you use SuSEFirewall2, does this in two phases; a simple 'block-most-things' firewall early in the startup process, and your hand-tuned firewall later on and this makes some sense, but may be just a teensy bit more paranoid than is reasonable - security experts will probably argue that just "a teensy bit more paranoid than is reasonable" is not quite paranoid enough...). So the actual location of such scripts is distro-specific.

If you take this approach, you can take advantage of string substitution, so that you can define variables, e.g., "local_net" and have that substituted everywhere appropriate in your rules. This makes things easier to understand and maintain.

Another approach (rather than use a scripting language as a rule builder) is to just use the commands to load and unload iptables rule sets. As I can't see any circumstance in which you would regularly want to do that by hand, you'd probably still do that from a scripting language (bash, maybe python, etc, etc) on start up, but the scripting language part could be almost trivial.

Quote:
Please post links to helpful tutorials. I'm ready for a lot of reading.
OK:
for me this is the if-you-only-read-one-firewall/iptables-tutorial. On the other hand, it is about 500 pages long and is more of a manual than a tutorial.
http://iptables-tutorial.frozentux.net/
If you want to start at the shallow end
http://howtoforge.com/bash-script-fo...ables-firewall
http://www.linuxhomenetworking.com/w...Using_iptables

(and the Linux quick Fix Notebook by Harrison (referenced here http://search.techrepublic.com.com/s...x+and+web.html, which gives a script more or less equivalent to http://www.chinalinuxpub.com/doc/www...bles-intro.htm
http://safari.oreilly.com/0672327716/ch08
...and there is much, much more available with the aid of a search engine.
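
Added example, not part of either reply above: the start-up approach described in posts #2 and #3 (variables assigned at the top and substituted into the rules), written so that the script prints an iptables-restore ruleset that can be checked before it is loaded. The interface name, addresses and port are constructed sample values.

```shell
#!/bin/sh
# Added example. Interface, addresses and port are constructed sample values.
WAN_IF="eth0"               # internet-facing interface (assumed name)
LOCAL_NET="192.168.1.0/24"  # trusted LAN, reused wherever a rule needs it
SSH_PORT="22"
# With DHCP the address is only known at boot, so resolve it at run time, e.g.
#   WAN_IP=$(ip -4 -o addr show dev "$WAN_IF" | awk '{print $4}' | cut -d/ -f1)
WAN_IP="203.0.113.10"       # documentation-range placeholder

# Print a ruleset in iptables-restore format with the variables substituted.
build_rules() {
    # A failed lookup leaves a variable empty; stop instead of emitting a
    # rule that is malformed or broader than intended.
    for v in "$WAN_IF" "$WAN_IP" "$LOCAL_NET" "$SSH_PORT"; do
        if [ -z "$v" ]; then
            echo "firewall: empty variable, no rules written" >&2
            return 1
        fi
    done
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s ${LOCAL_NET} -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i ${WAN_IF} -d ${WAN_IP} -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Only text is printed here; nothing is loaded into the kernel.
build_rules
```

Saved under a hypothetical name such as `fw-rules.sh`, the output can be piped to `iptables-restore --test`, which parses the ruleset without committing it; dropping `--test` and running as root loads it.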
 
  

