The Linux kernel has modules (called iptables) that can, among other things, be used to create a firewall. In addition to these kernel modules there needs to be a userspace program, also called iptables, that controls the modules. When both of these are present, a firewall can be built using the iptables command; often this job is done by writing a script that, when run, sets the firewall rules (it's easy to modify and re-run to "update" the firewall configuration). The rules are forgotten during reboot, so the script that creates them is usually set to run during the boot process (as an init script) so that the rules are recreated at every boot. See the iptables website for more information.
With iptables one can create a powerful firewall (and much more). However, it's an "invisible" firewall, in the sense that it doesn't pop up any questions asking whether you want this or that program to go through or not; it shouldn't, because it can't know whether the user has an environment that can show popups, or even whether there is somebody there to answer the questions - still the firewall has to run, even on headless machines. This is a different approach from most Windows firewalling programs, but in my opinion a much more powerful one, and if the system is configured sensibly, a very well working solution. I'm not sure if there are firewalls for Linux that ask per-program whether it may access the network; in my opinion it would just be a mess.
All these "graphical firewall programs" like FWbuilder or Firestarter, or at least all that I know of, are not firewall programs themselves. They are merely nice front-ends for iptables. It means that you can create the rulesets in a graphical environment, click buttons and have smilies all around the place, and when you "save" the configuration, the program produces a script file that runs the needed iptables commands to create the firewall setup you wanted, and places that file where it gets executed during the boot process. In short, you can't do anything more with those programs than you can with iptables. Learning the iptables syntax is a good idea in my opinion. The basics are easy and quick to learn, but that doesn't mean iptables is "easy as in can't-do-complex-things".
Instead of having a false feeling of security while answering "yes/no" questions about this or that program, not noticing if some program actually got past the check, and getting mad at answering all those questions, you should re-think how the whole process works. It's not that difficult. Then think of a ruleset that would keep you as secure as you want. Then just do it. Most people start off with a set that follows the "UNIX policy" of denying first and then accepting: flush every rule and chain to make a fresh start - then deny (DROP is the right word in this case) everything, and after that allow the specific things you really need. That's easier, a lot easier, than the Windows way of "allow anything possible that I don't explicitly tell you to deny". Fewer questions, fewer holes.
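The flush, then deny, then allow sequence just described, written out as the kind of boot-time script the post talks about (an added example, not code from the original post). It assumes IPv4 only, that the iptables binary is in PATH, and that SSH on port 22 is the one inbound service to keep; by default it only prints the commands (dry run) so it can be reviewed before being run as root with DRY_RUN=0.

```bash
#!/bin/sh
# Default-deny iptables ruleset in the order the text describes:
# 1. flush everything, 2. set DROP policies, 3. allow only what is needed.
IPT=${IPT:-iptables}        # assumed: iptables binary reachable via PATH
SSH_PORT=${SSH_PORT:-22}    # assumed: the only inbound service we keep open
DRY_RUN=${DRY_RUN:-1}       # 1 = print the commands, 0 = execute them (as root)

# Emit one iptables command per line so the ruleset can be reviewed, diffed
# or piped into a shell.
firewall_rules() {
    cat <<EOF
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t mangle -F
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
$IPT -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A INPUT -j LOG --log-prefix "iptables-drop: " --log-level 4
EOF
}
# Notes on the rules above: OUTPUT is left at ACCEPT because this host's own
# outbound traffic is trusted here; tighten it with the same deny-then-allow
# pattern if needed. The final LOG rule records what the DROP policy will
# discard, which is what you look at when something "does not work".

# Line number of the first ACCEPT rule relative to the DROP policy, used to
# check that the script really denies before it allows.
deny_precedes_allow() {
    drop_line=$(firewall_rules | grep -n -- '-P INPUT DROP' | cut -d: -f1)
    allow_line=$(firewall_rules | grep -n -- '-j ACCEPT' | head -n 1 | cut -d: -f1)
    [ "$drop_line" -lt "$allow_line" ]
}

# Apply the rules, or just show them on a dry run. Executing with "sh -e"
# stops at the first failing iptables command instead of leaving a half-built
# ruleset in place.
apply_firewall() {
    if [ "$DRY_RUN" = "1" ]; then
        firewall_rules
    else
        firewall_rules | sh -e
    fi
}

apply_firewall
```

When applying this over an SSH session, the established connection survives because the ESTABLISHED,RELATED rule follows the DROP policy within the same script run; if the script aborts between those two lines you are locked out, so test it from the console first.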