LinuxQuestions.org
Old 10-23-2011, 06:09 PM   #1
mansour
Member
 
Registered: Nov 2010
Location: Toronto, Canada
Distribution: Ubuntu 10.04 Lucid Lynx - Ubuntu 10.10 notebook - Debian 5.08 - Win XP
Posts: 172

Rep: Reputation: 2
Where would I find a tutorial on building a simple Linux firewall?


Hi everyone:

Where would I find an easy-to-follow tutorial on building a simple Linux firewall?

Is it possible to use an OpenBSD PF on an Ubuntu Linux 10.04 machine?
And if not, why not?


mansour
 
Old 10-23-2011, 07:05 PM   #2
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,321
Blog Entries: 28

Rep: Reputation: 6141
Here's an iptables tutorial:

http://www.frozentux.net/documents/iptables-tutorial/

It might be easier to use an rc.firewall script, such as this one:

http://projectfiles.org/firewall/

The script is well-annotated.

And here's The Linux Documentation Project HOWTO:

http://tldp.org/HOWTO/Firewall-HOWTO.html

I usually use either an rc.firewall script or the Firestarter GUI frontend for iptables.

Firestarter is in the Ubuntu repos.

Last edited by frankbell; 10-23-2011 at 07:08 PM.
 
2 members found this post helpful.
Old 10-23-2011, 07:36 PM   #3
mansour
Member
 
Registered: Nov 2010
Location: Toronto, Canada
Distribution: Ubuntu 10.04 Lucid Lynx - Ubuntu 10.10 notebook - Debian 5.08 - Win XP
Posts: 172

Original Poster
Rep: Reputation: 2
Quote:
Originally Posted by frankbell View Post
Here's an iptables tutorial:

http://www.frozentux.net/documents/iptables-tutorial/

It might be easier to use an rc.firewall script, such as this one:

http://projectfiles.org/firewall/

The script is well-annotated.

And here's The Linux Documentation Project HOWTO:

http://tldp.org/HOWTO/Firewall-HOWTO.html

I usually use either an rc.firewall script or the Firestarter GUI frontend for iptables.

Firestarter is in the Ubuntu repos.


Hi:

Thank you very much for the useful sites, but if I don't know how to recompile the kernel as suggested in that HowTo, should I just go with the Firestarter, which is a GUI as I understood?
Am I correct to assume that the Firestarter GUI works well on an Ubuntu 10.04 machine, which I am going to use for my Firewall?



mansour
 
Old 10-24-2011, 04:53 AM   #4
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
Quote:
Originally Posted by mansour View Post
... but if I don't know how to recompile the kernel as suggested in that HowTo
Most people using a normal kernel from a distribution (as opposed to a custom, minimalist, self-compiled, kernel) will have no reason to recompile the kernel just to use a firewall. Some people who have compiled a very stripped-down kernel might have to do it, but it is hardly the commonest case.

And:

Quote:
Is it possible to use an OpenBSD PF on an Ubuntu Linux 10.04 machine?
Given that recompiling the kernel would be the least of your problems, if you went down this route, and you are not confident about recompiling the kernel, I'd have to suggest that it is possible (what isn't, if you have the source?) but the degree of difficulty would be well in excess of anything that you are likely to be able to be successful with. Of course, you'd learn a lot, on the way, but, from what evidence there is, I doubt that you would ever succeed.

Of course, it is likely to be possible for an expert with quasi-infinite resources, but why would they do that? What advantage is there that would accrue which would lead them to do this? It would probably be easier to 'fix' iptables to include whatever it is that is the hidden advantage of PF rather than get PF to work with Linux, but that doesn't make it impossible (just unreasonable/insane, but a lot of good can come out of insane projects...)

Quote:
Originally Posted by mansour View Post
should I just go with the Firestarter, which is a GUI as I understood?
Am I correct to assume that the Firestarter GUI works well on an Ubuntu 10.04 machine, which I am going to use for my Firewall?
Roughly, 'firewalls' on the Linux platform fall into two categories
  • Bash scripts that create and instantiate a set of firewall rules for iptables
  • GUIs that create and instantiate a set of firewall rules for iptables

(so, really, iptables is the firewall, these other things are just easier ways of controlling it...and, another possible wrinkle is that if you are using one of the very compact distros (dsl, etc) that uses an earlier kernel, you might find that you are using a precursor to iptables, but the view from 10,000 ft is the same, anyway)

In general, whatever your distribution, if you can get the 'firewall' (the program to interface to the firewall, not iptables, itself) from your distro's repositories, then that ought to work with your distribution in a relatively painless manner. If not, there is something wrong with how your distro has configured the program and its install routines. (I don't think that firestarter is the default for Ubuntu, but Gufw, or something, is*. However, if you install from the main repos of your distro, whatever you get ought to work, or it is a misconfiguration bug. If, however, you manually compile the code for something from, eg, a widely available .tar.gz that has not been tweaked for your distro it may work or it may not, depending on whether any tweaks are required for your distro. Obviously, you may have more difficulty getting help with a problem like that.)

* ...and, at some points, the default for Kubuntu has not necessarily been the same as Ubuntu (what about xubuntu, lubuntu, etc, etc?), so we do have to be careful about what exactly we are talking about here but I am referring to Ubuntu, and not the other Ubuntus, or Ubuntu server.
 
1 members found this post helpful.
Old 10-24-2011, 12:10 PM   #5
mansour
Member
 
Registered: Nov 2010
Location: Toronto, Canada
Distribution: Ubuntu 10.04 Lucid Lynx - Ubuntu 10.10 notebook - Debian 5.08 - Win XP
Posts: 172

Original Poster
Rep: Reputation: 2
Quote:
Originally Posted by salasi View Post
Most people using a normal kernel from a distribution (as opposed to a custom, minimalist, self-compiled, kernel) will have no reason to recompile the kernel just to use a firewall. Some people who have compiled a very stripped-down kernel might have to do it, but it is hardly the commonest case.

And:



Given that recompiling the kernel would be the least of your problems, if you went down this route, and you are not confident about recompiling the kernel, I'd have to suggest that it is possible (what isn't, if you have the source?) but the degree of difficulty would be well in excess of anything that you are likely to be able to be successful with. Of course, you'd learn a lot, on the way, but, from what evidence there is, I doubt that you would ever succeed.

Of course, it is likely to be possible for an expert with quasi-infinite resources, but why would they do that? What advantage is there that would accrue which would lead them to do this? It would probably be easier to 'fix' iptables to include whatever it is that is the hidden advantage of PF rather than get PF to work with Linux, but that doesn't make it impossible (just unreasonable/insane, but a lot of good can come out of insane projects...)



Roughly, 'firewalls' on the Linux platform fall into two categories
  • Bash scripts that create and instantiate a set of firewall rules for iptables
  • GUIs that create and instantiate a set of firewall rules for iptables

(so, really, iptables is the firewall, these other things are just easier ways of controlling it...and, another possible wrinkle is that if you are using one of the very compact distros (dsl, etc) that uses an earlier kernel, you might find that you are using a precursor to iptables, but the view from 10,000 ft is the same, anyway)

In general, whatever your distribution, if you can get the 'firewall' (the program to interface to the firewall, not iptables, itself) from your distro's repositories, then that ought to work with your distribution in a relatively painless manner. If not, there is something wrong with how your distro has configured the program and its install routines. (I don't think that firestarter is the default for Ubuntu, but Gufw, or something, is*. However, if you install from the main repos of your distro, whatever you get ought to work, or it is a misconfiguration bug. If, however, you manually compile the code for something from, eg, a widely available .tar.gz that has not been tweaked for your distro it may work or it may not, depending on whether any tweaks are required for your distro. Obviously, you may have more difficulty getting help with a problem like that.)

* ...and, at some points, the default for Kubuntu has not necessarily been the same as Ubuntu (what about xubuntu, lubuntu, etc, etc?), so we do have to be careful about what exactly we are talking about here but I am referring to Ubuntu, and not the other Ubuntus, or Ubuntu server.



Hello salasi:




Thank you for all this useful feedback.
Actually this is what I had thought or guessed myself too; I mean I don't know anything about recompiling.
So I am not going that route, and therefore PF is out for me, at this stage of my knowledge.


OK, I downloaded the Firestarter last night from their site. But do I need to connect it to the iptables at all, and how would I do that?
Or, if you suggest that it should get me started right after the download, it isn't happening.
I would appreciate it if you could guide me about using my Firestarter.

I am just trying to learn the basics of using a firewall.


mansour
 
Old 10-24-2011, 02:41 PM   #6
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
Quote:
Originally Posted by mansour View Post
OK, I downloaded the Firestarter last night from their site. But do I need to connect it to the iptables at all, and how would I do that?
Err, did you read what I wrote? Really?
 
Old 10-24-2011, 08:48 PM   #7
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,321
Blog Entries: 28

Rep: Reputation: 6141
Run Firestarter as root and it will take care of finding iptables.
 
Old 10-24-2011, 10:02 PM   #8
mansour
Member
 
Registered: Nov 2010
Location: Toronto, Canada
Distribution: Ubuntu 10.04 Lucid Lynx - Ubuntu 10.10 notebook - Debian 5.08 - Win XP
Posts: 172

Original Poster
Rep: Reputation: 2
Quote:
Originally Posted by salasi View Post
Err, did you read what I wrote? Really?

I did, but maybe didn't understand it well.
I know what the real firewall in Linux is (it is iptables or ipchains). Obviously the Firestarter is only a GUI interface to iptables, in order to control it. And I have installed it already on my Ubuntu desktop machine. But I don't know how to use it now.
Now are you saying that I should forget about the Firestarter and instead install the GuFw?
I am not going to do that.


mansour
 
Old 10-24-2011, 10:06 PM   #9
mansour
Member
 
Registered: Nov 2010
Location: Toronto, Canada
Distribution: Ubuntu 10.04 Lucid Lynx - Ubuntu 10.10 notebook - Debian 5.08 - Win XP
Posts: 172

Original Poster
Rep: Reputation: 2
Quote:
Originally Posted by frankbell View Post
Run Firestarter as root and it will take care of finding iptables.
I did, but it isn't clear to me whether it is working or not. Maybe it is.
If there was a way to show you guys my screen shot I would do it, but I don't think the forum features would allow that.
Is there any way that I can check in the terminal, on the command line, whether or not the Firestarter is working well?



mansour
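
For the question in post #9 (checking from the terminal whether a front end such as Firestarter has actually loaded rules into iptables), here is an added example that is not part of any post in the thread. The function name `fw_summary` and both sample rulesets are constructed for illustration; the chain name `INBOUND` is hypothetical and the second sample is not Firestarter's real ruleset.

```shell
#!/bin/sh
# Added example: summarise a ruleset in `iptables -S` format read from stdin.
# Live use, as root:  iptables -S | fw_summary

fw_summary() {
    awk '
        $1 == "-P" { policy[$2] = $3 }   # default policy of a built-in chain
        $1 == "-N" { chains++ }          # user-defined chain, as front ends create
        $1 == "-A" { rules++ }           # one filtering rule
        END {
            inp = ("INPUT" in policy) ? policy["INPUT"] : "unknown"
            fwd = ("FORWARD" in policy) ? policy["FORWARD"] : "unknown"
            if (inp == "unknown")
                state = "unknown"        # no output at all, e.g. iptables run without root
            else if (rules + 0 == 0 && inp == "ACCEPT")
                state = "inactive"       # empty ruleset, everything accepted
            else
                state = "active"
            printf "state=%s input_policy=%s forward_policy=%s rules=%d chains=%d\n", \
                state, inp, fwd, rules, chains
        }'
}

# Constructed sample: what `iptables -S` prints when no firewall rules are loaded.
SAMPLE_NO_FIREWALL='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Constructed sample: a default-deny inbound ruleset of the kind a front end
# generates, including a drop for NetBIOS/SMB UDP traffic (ports 137-138).
SAMPLE_WITH_FIREWALL='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N INBOUND
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j INBOUND
-A INBOUND -p udp -m udp --dport 137:138 -j DROP'

printf '%s\n' "$SAMPLE_NO_FIREWALL"   | fw_summary
printf '%s\n' "$SAMPLE_WITH_FIREWALL" | fw_summary
```

On a live machine, `iptables -L -n -v` run as root additionally shows per-rule packet counters, which increase as traffic is matched.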
 
Old 10-24-2011, 11:00 PM   #10
mansour
Member
 
Registered: Nov 2010
Location: Toronto, Canada
Distribution: Ubuntu 10.04 Lucid Lynx - Ubuntu 10.10 notebook - Debian 5.08 - Win XP
Posts: 172

Original Poster
Rep: Reputation: 2
Quote:
Originally Posted by frankbell View Post
Run Firestarter as root and it will take care of finding iptables.

Ok, it definitely is working.
I have an icon under the Administration menu, and I also copied it to the desktop.
The Active button is displayed.
I still don't know how to change the policies.
I have a manual of 30 pages for it, which I find a bit challenging to understand for a beginner to the firewalls world.


mansour

Last edited by mansour; 10-24-2011 at 11:43 PM.
 
Old 10-25-2011, 03:46 AM   #11
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
Quote:
Originally Posted by mansour View Post
Now are you saying that I should forget about the Firestarter and instead install the GuFw?
I am not going to do that.
You made that up; you need to read more carefully.


Quote:
Originally Posted by mansour View Post
I did, but maybe didn't understand it well.
I know what the real firewall in Linux is (it is iptables or ipchains). Obviously the Firestarter is only a GUI interface to iptables, in order to control it. And I have installed it already on my Ubuntu desktop machine. But I don't know how to use it now.
You will need to know something about its use; in normal circumstances, the answer 'read the man page' would be one of the appropriate ones. In downloading direct from the website of the program, rather than using the easier and safer (and more guaranteed to work) method, you have made it more likely that you have no man page, or no man page that works, and that is entirely your problem.

Note also that creating iptables rulesets is not the only thing that firewall utilities do; there is some level of configuring the kernel that is usually done as well. Ubuntu is somewhat variant in this regard, so unless you have a utility modified for the Ubuntu platform, the kernel config part may not work. If you get something out of the Ubuntu repos, I am 99.9% certain that it will work; for something from a producer's website, it is probably closer to 50%.
 
Old 10-25-2011, 08:37 AM   #12
mansour
Member
 
Registered: Nov 2010
Location: Toronto, Canada
Distribution: Ubuntu 10.04 Lucid Lynx - Ubuntu 10.10 notebook - Debian 5.08 - Win XP
Posts: 172

Original Poster
Rep: Reputation: 2
Quote:
Originally Posted by salasi View Post
You made that up; you need to read more carefully.




You will need to know something about its use; in normal circumstances, the answer 'read the man page' would be one of the appropriate ones. In downloading direct from the website of the program, rather than using the easier and safer (and more guaranteed to work) method, you have made it more likely that you have no man page, or no man page that works, and that is entirely your problem.

Note also that creating iptables rulesets is not the only thing that firewall utilities do; there is some level of configuring the kernel that is usually done as well. Ubuntu is somewhat variant in this regard, so unless you have a utility modified for the Ubuntu platform, the kernel config part may not work. If you get something out of the Ubuntu repos, I am 99.9% certain that it will work; for something from a producer's website, it is probably closer to 50%.


Well, I actually removed it once, and then re-installed it again from the command line.
#apt-get install firestarter

So I think it is from the Ubuntu repositories.
I think it is a success initially, I just have to learn to configure the policy page.

I copied its icon on my desktop as well. Everything seems clear. Its active button is seen, a UDP connection from SMB service from my Win XP was blocked on five or six occasions on first time around 7:30 pm when I first started it. I just don't know yet how to make any changes to the policy page if I need to. And it has a 30 page manual with it that is hard to understand. So this would be my stand alone firewall, and I will install one on each machine I have. That's three Linux machines.


mansour

Last edited by mansour; 10-25-2011 at 10:50 AM.
 
Old 10-26-2011, 01:59 PM   #13
mansour
Member
 
Registered: Nov 2010
Location: Toronto, Canada
Distribution: Ubuntu 10.04 Lucid Lynx - Ubuntu 10.10 notebook - Debian 5.08 - Win XP
Posts: 172

Original Poster
Rep: Reputation: 2
Quote:
Originally Posted by mansour View Post
Well, I actually removed it once, and then re-installed it again from the command line.
#apt-get install firestarter

So I think it is from the Ubuntu repositories.
I think it is a success initially, I just have to learn to configure the policy page.

I copied its icon on my desktop as well. Everything seems clear. Its active button is seen, a UDP connection from SMB service from my Win XP was blocked on five or six occasions on first time around 7:30 pm when I first started it. I just don't know yet how to make any changes to the policy page if I need to. And it has a 30 page manual with it that is hard to understand. So this would be my stand alone firewall, and I will install one on each machine I have. That's three Linux machines.


mansour



The Firestarter's policy sub menus are greyed out.
Does anyone know why this is happening? I installed it two nights ago and now I am trying to understand how to use it, by reading its 30 page manual.
However the policy sub menus are all greyed out.

I installed it using the terminal command line.
# apt-get install firestarter

I even just posted the same question on a Firestarter Forum, but there are only 3 posts there that I could see and probably not too many people taking part in the forum.


mansour
 
Old 10-26-2011, 03:53 PM   #14
spankbot
Member
 
Registered: Aug 2007
Posts: 133

Rep: Reputation: 16
IPCop is a well known Linux distribution that is built from the ground up to be a dedicated firewall. It's easy to set up and powerful.

Building your own firewall from the ground up is not a good idea if you're a beginner (in my opinion).

Firestarter is also a great solution if you simply want to run a software firewall on your desktop machine. Note that your typical WiFi NAT router is a far better solution.
 
Old 10-26-2011, 04:49 PM   #15
mansour
Member
 
Registered: Nov 2010
Location: Toronto, Canada
Distribution: Ubuntu 10.04 Lucid Lynx - Ubuntu 10.10 notebook - Debian 5.08 - Win XP
Posts: 172

Original Poster
Rep: Reputation: 2
Quote:
Originally Posted by spankbot View Post
IPCop is a well known Linux distribution that is built from the ground up to be a dedicated firewall. It's easy to set up and powerful.

Building your own firewall from the ground up is not a good idea if you're a beginner (in my opinion).

Firestarter is also a great solution if you simply want to run a software firewall on your desktop machine. Note that your typical WiFi NAT router is a far better solution.


Actually now, after so many searches I have done on the internet about these two (Firestarter and IPCop), I perfectly understand the difference between Firestarter and IPCop. And IPCop is my next project, when I get my hands on some reasonable hardware to install it on, for my small network.
IPCop is better suited to be used as a network Firewall, and not as a stand alone Firewall, whereas Firestarter is better suited as a stand alone Firewall (on one machine only).

Obviously you haven't even bothered to read my last post, because you would have seen there that my question was specific to Firestarter.

I also know the difference between my WiFi Router Firewall and Firestarter. But I am trying to learn to use Firestarter. Still you didn't post an answer to my last post.
But posted your opinion about what is best for my situation.



mansour

Last edited by mansour; 10-26-2011 at 04:53 PM.
 
1 members found this post helpful.
  

