LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 10-23-2011, 07:09 PM   #1
mansour
Member
 
Registered: Nov 2010
Location: Toronto, Canada
Distribution: Ubuntu 10.04 Lucid Lynx - Ubuntu 10.10 notebook - Debian 5.08 - Win XP
Posts: 172

Rep: Reputation: 2
Where would I find a tutorial in building a simple linux firewall ?


Hi everyone:

Where would I find an easy to follow tutorial in building a simple linux firewall ?

Is it possible to use an Open BSD PF on an Ubuntu Linux 10.04 machine?
and if not, why not?


mansour
 
Click here to see the post LQ members have rated as the most helpful post in this thread.
Old 10-23-2011, 08:05 PM   #2
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Debian, Mint, OpenBSD
Posts: 11,346
Blog Entries: 12

Rep: Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731
Here's an iptables tutorial:

http://www.frozentux.net/documents/iptables-tutorial/

It might be easier to use an rc.firewall script, such as this one:

http://projectfiles.org/firewall/

The script is well-annotated.

And here's The Linux Documentation Project HOWTO:

http://tldp.org/HOWTO/Firewall-HOWTO.html

I usually use either an rc.firewall script or the Firestarter GUI frontend for iptables.

Firestarter is in the Ubuntu repos.

Last edited by frankbell; 10-23-2011 at 08:08 PM.
 
2 members found this post helpful.
Old 10-23-2011, 08:36 PM   #3
mansour
Member
 
Registered: Nov 2010
Location: Toronto, Canada
Distribution: Ubuntu 10.04 Lucid Lynx - Ubuntu 10.10 notebook - Debian 5.08 - Win XP
Posts: 172

Original Poster
Rep: Reputation: 2
Quote:
Originally Posted by frankbell View Post
Here's an iptables tutorial:

http://www.frozentux.net/documents/iptables-tutorial/

It might be easier to use an rc.firewall script, such as this one:

http://projectfiles.org/firewall/

The script is well-annotated.

And here's The Linux Documentation Project HOWTO:

http://tldp.org/HOWTO/Firewall-HOWTO.html

I usually use either an rc.firewall script or the Firestarter GUI frontend for iptables.

Firestarter is in the Ubuntu repos.


Hi:

Thank you very much for the useful sites, but if I don't know how to recompile the kernel as suggested in that HowTo, should I just go with the Firestarter which is a GUI as I understood.
Am I correct to assume that the Firestarter GUI works well on a Ubuntu 10.04 machine, which I am going to use for my Firewall?



mansour
 
Old 10-24-2011, 05:53 AM   #4
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,053

Rep: Reputation: 881Reputation: 881Reputation: 881Reputation: 881Reputation: 881Reputation: 881Reputation: 881
Quote:
Originally Posted by mansour View Post
... but if I don't know how to recompile the kernel as suggested in that HowTo
Most people using a normal kernel from a distribution (as oppose to a custom, minimalist, self-compiled, kernel) will have no reason to recompile the kernel just to use a firewall. Some people who have compiled a very stripped-down kernel might have to do it, but it is hardly the commonest case.

And:

Quote:
Is it possible to use an Open BSD PF on an Ubuntu Linux 10.04 machine?
Given that recompiling the kernel would be the least of your problems, if you went down this route, and you are not confident about recompiling the kernel, I'd have to suggest that it is possible (what isn't, if you have the source?) but the degree of difficulty would be well in excess of anything that you are likely to be able to be successful with. Of course, you'd learn a lot, on the way, but, from what evidence there is, I doubt that you would ever succeed.

Of course, it is likely to be possible for an expert with quasi-infinite resources, but why would they do that? What advantage is there that would accrue which would lead them to do this? It would probably be easier to 'fix' iptables to include whatever it is that is the hidden advantage of PF rather than get PF to work with Linux, but that doesn't make it impossible (just unreasonable/insane, but a lot of good can come out of insane projects...)

Quote:
Originally Posted by mansour View Post
should I just go with the Firestarter which is a GUI as I understood.
Am I correct to assume that the Firestarter GUI works well on a Ubuntu 10.04 machine, which I am going to use for my Firewall?
Roughly, 'firewalls' on the Linux platform fall into two categories
  • Bash scripts that create and instantiate a set of firewall rules for iptables
  • GUIs that create and instantiate a set of firewall rules for iptables

(so, really, iptables is the firewall, these other things are just easier ways of controlling it...and, another possible wrinkle is that if you are using one of the very compact distros (dsl, etc) that uses an earlier kernel, you might find that you are using a precursor to iptables, but the view from 10,000 ft is the same, anyway)

In general, whatever your distribution, if you can get the 'firewall' (the program to interface to the firewall, not iptables, itself) from your distro's repositories, then that ought to work with your distribution in a relatively painless manner. If not, there is something wrong with how your distro has configured the program and its install routines. (I don't think that firestarter is the default for Ubuntu, but Gufw, or something, is*. However, if you install from the main repos of your distro, whatever you get ought to work, or it is a misconfiguration bug. If, hiowever, you manually compile the code for something from, eg, a widely available .tar.gz that has not been tweaked for you distro it may work or it may not, depending on whether any tweaks are required for your distro. Obviously, you may have more difficulty getting help with a problem like that.)

* ...and, at some points, the default for Kubuntu has not necessarily been the same as Ubuntu (what about xubuntu, lubuntu, etc, etc?), so we do have to be careful about what exactly we are talking about here but I am referring to Ubuntu, and not the other Ubuntus, or Ubuntu server.
 
1 members found this post helpful.
Old 10-24-2011, 01:10 PM   #5
mansour
Member
 
Registered: Nov 2010
Location: Toronto, Canada
Distribution: Ubuntu 10.04 Lucid Lynx - Ubuntu 10.10 notebook - Debian 5.08 - Win XP
Posts: 172

Original Poster
Rep: Reputation: 2
Quote:
Originally Posted by salasi View Post
Most people using a normal kernel from a distribution (as oppose to a custom, minimalist, self-compiled, kernel) will have no reason to recompile the kernel just to use a firewall. Some people who have compiled a very stripped-down kernel might have to do it, but it is hardly the commonest case.

And:



Given that recompiling the kernel would be the least of your problems, if you went down this route, and you are not confident about recompiling the kernel, I'd have to suggest that it is possible (what isn't, if you have the source?) but the degree of difficulty would be well in excess of anything that you are likely to be able to be successful with. Of course, you'd learn a lot, on the way, but, from what evidence there is, I doubt that you would ever succeed.

Of course, it is likely to be possible for an expert with quasi-infinite resources, but why would they do that? What advantage is there that would accrue which would lead them to do this? It would probably be easier to 'fix' iptables to include whatever it is that is the hidden advantage of PF rather than get PF to work with Linux, but that doesn't make it impossible (just unreasonable/insane, but a lot of good can come out of insane projects...)



Roughly, 'firewalls' on the Linux platform fall into two categories
  • Bash scripts that create and instantiate a set of firewall rules for iptables
  • GUIs that create and instantiate a set of firewall rules for iptables

(so, really, iptables is the firewall, these other things are just easier ways of controlling it...and, another possible wrinkle is that if you are using one of the very compact distros (dsl, etc) that uses an earlier kernel, you might find that you are using a precursor to iptables, but the view from 10,000 ft is the same, anyway)

In general, whatever your distribution, if you can get the 'firewall' (the program to interface to the firewall, not iptables, itself) from your distro's repositories, then that ought to work with your distribution in a relatively painless manner. If not, there is something wrong with how your distro has configured the program and its install routines. (I don't think that firestarter is the default for Ubuntu, but Gufw, or something, is*. However, if you install from the main repos of your distro, whatever you get ought to work, or it is a misconfiguration bug. If, hiowever, you manually compile the code for something from, eg, a widely available .tar.gz that has not been tweaked for you distro it may work or it may not, depending on whether any tweaks are required for your distro. Obviously, you may have more difficulty getting help with a problem like that.)

* ...and, at some points, the default for Kubuntu has not necessarily been the same as Ubuntu (what about xubuntu, lubuntu, etc, etc?), so we do have to be careful about what exactly we are talking about here but I am referring to Ubuntu, and not the other Ubuntus, or Ubuntu server.



Hello salasi:




Thank you for all this useful feedback.
Actually this is what I had thought or guessed myself too, I mean I don't know anything about recompiling.
So I am not going that root, and therefore PF is out for me, at this stage of my knowledge.


OK, I downloaded the Firestarter last night from their site. But do I need to connect it to the iptables at all, and how would I do that?
or if you suggest that it should get me started right after the download, it isn't happening.
I appreciate if you can guide me about using my Firestarter.

I am just trying to learn the basics of using a firewall.


mansour
 
Old 10-24-2011, 03:41 PM   #6
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,053

Rep: Reputation: 881Reputation: 881Reputation: 881Reputation: 881Reputation: 881Reputation: 881Reputation: 881
Quote:
Originally Posted by mansour View Post
OK, I downloaded the Firestarter last night from their site. But do I need to connect it to the iptables at all, and how would I do that?
Err, did you read what I wrote? Really?
 
Old 10-24-2011, 09:48 PM   #7
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Debian, Mint, OpenBSD
Posts: 11,346
Blog Entries: 12

Rep: Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731
Run Firestarter as root and it will take care of finding iptables.
 
Old 10-24-2011, 11:02 PM   #8
mansour
Member
 
Registered: Nov 2010
Location: Toronto, Canada
Distribution: Ubuntu 10.04 Lucid Lynx - Ubuntu 10.10 notebook - Debian 5.08 - Win XP
Posts: 172

Original Poster
Rep: Reputation: 2
Quote:
Originally Posted by salasi View Post
Err, did you read what I wrote? Really?

I did, but maybe didn't understand it well,
I know what is the real firewall in linux.(is the iptables or ipchain) obviously the Firestarter is only a GUI interface with the iptables, in order to control it. And I have installed it already on my ubuntu desktop machine. But I don't know how to use it now.
Now are you saying that I should forget about the Firestarter and instead install the GuFw.
I am not going to do that.


mansour
 
Old 10-24-2011, 11:06 PM   #9
mansour
Member
 
Registered: Nov 2010
Location: Toronto, Canada
Distribution: Ubuntu 10.04 Lucid Lynx - Ubuntu 10.10 notebook - Debian 5.08 - Win XP
Posts: 172

Original Poster
Rep: Reputation: 2
Quote:
Originally Posted by frankbell View Post
Run Firestarter as root and it will take care of finding iptables.
I did, but isn't clear to me, whether is working or not. maybe it is.
If there was a way to show you guys my screen shot I would do it, but I don't think the forum features would allow that.
Is there anyway that I can check in the terminal, on the command line, whether or not the Firestarter is working well?



mansour
 
Old 10-25-2011, 12:00 AM   #10
mansour
Member
 
Registered: Nov 2010
Location: Toronto, Canada
Distribution: Ubuntu 10.04 Lucid Lynx - Ubuntu 10.10 notebook - Debian 5.08 - Win XP
Posts: 172

Original Poster
Rep: Reputation: 2
Quote:
Originally Posted by frankbell View Post
Run Firestarter as root and it will take care of finding iptables.

Ok, it definitely is working.
I have an icon under the Administration menu, and I also copied it to the desktop.
The Active button is displayed.
I still don't know how to change the policies.
I have a manual of 30 pages for it, which I find a bit challenging to understand for a beginner to the firewalls world.


mansour

Last edited by mansour; 10-25-2011 at 12:43 AM.
 
Old 10-25-2011, 04:46 AM   #11
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,053

Rep: Reputation: 881Reputation: 881Reputation: 881Reputation: 881Reputation: 881Reputation: 881Reputation: 881
Quote:
Originally Posted by mansour View Post
Now are you saying that I should forget about the Firestarter and instead install the GuFw.
I am not going to do that.
You made that up; you need to read more carefully.


Quote:
Originally Posted by mansour View Post
I did, but maybe didn't understand it well,
I know what is the real firewall in linux.(is the iptables or ipchain) obviously the Firestarter is only a GUI interface with the iptables, in order to control it. And I have installed it already on my ubuntu desktop machine. But I don't know how to use it now.
You will need to know something about its use; in normal circumstances, the answer 'read the man page' would be one of the appropriate ones. In downloading direct from the website of the program, rather than using the easier and safer (and more guaranteed to work) method, you have made it more likely that you have no man page, or no man page that works, and that is entirely your problem.

Note also that creating iptables rulesets is not the only thing that firewall utilities do; there is some level of configuring the kernel that is usually done as well. Ubuntu is somewhat variant in this regard, so unless you have a utility modified for the Ubuntu platform, the kernel config part may not work. If you get something out of the Ubuntu repos, I am 99.9% certain that it will work; for something from a producer's website, it is probably closer to 50%.
 
Old 10-25-2011, 09:37 AM   #12
mansour
Member
 
Registered: Nov 2010
Location: Toronto, Canada
Distribution: Ubuntu 10.04 Lucid Lynx - Ubuntu 10.10 notebook - Debian 5.08 - Win XP
Posts: 172

Original Poster
Rep: Reputation: 2
Quote:
Originally Posted by salasi View Post
You made that up; you need to read more carefully.




You will need to know something about its use; in normal circumstances, the answer 'read the man page' would be one of the appropriate ones. In downloading direct from the website of the program, rather than using the easier and safer (and more guaranteed to work) method, you have made it more likely that you have no man page, or no man page that works, and that is entirely your problem.

Note also that creating iptables rulesets is not the only thing that firewall utilities do; there is some level of configuring the kernel that is usually done as well. Ubuntu is somewhat variant in this regard, so unless you have a utility modified for the Ubuntu platform, the kernel config part may not work. If you get something out of the Ubuntu repos, I am 99.9% certain that it will work; for something from a producer's website, it is probably closer to 50%.


Well, I actually removed it once, and then re-installed it again form the command line.
#apt-get install firestarter

So I think is from the ubuntu repositories.
I think it is a success initially, I just have to learn to configure the policy page.

I copied its icon on my desktop as well. Everything seems clear. Its active button is seen, a UDP connection from SMB service from my Win XP was blocked on five or six occasions on first time around 7:30 pm when I first statrted it. I just don't know yet how to make any changes to the policy page if I need to. And it has a 30 page manual with it that is hard to understand. So this would be my stand alone firewall, and I will isntall one on each machine I have. That's three linux machine.


mansour

Last edited by mansour; 10-25-2011 at 11:50 AM.
 
Old 10-26-2011, 02:59 PM   #13
mansour
Member
 
Registered: Nov 2010
Location: Toronto, Canada
Distribution: Ubuntu 10.04 Lucid Lynx - Ubuntu 10.10 notebook - Debian 5.08 - Win XP
Posts: 172

Original Poster
Rep: Reputation: 2
Quote:
Originally Posted by mansour View Post
Well, I actually removed it once, and then re-installed it again form the command line.
#apt-get install firestarter

So I think is from the ubuntu repositories.
I think it is a success initially, I just have to learn to configure the policy page.

I copied its icon on my desktop as well. Everything seems clear. Its active button is seen, a UDP connection from SMB service from my Win XP was blocked on five or six occasions on first time around 7:30 pm when I first statrted it. I just don't know yet how to make any changes to the policy page if I need to. And it has a 30 page manual with it that is hard to understand. So this would be my stand alone firewall, and I will isntall one on each machine I have. That's three linux machine.


mansour



The Firestarter's policy sub menus are greyed out.
Does anyone know why this is happening ? I installed it two nights ago and now I am trying to understand how to use it, by reading its 30 page manual.
However the policy sub menus are all greyed out.

I installed it using the terminal command line.
# apt-get install firestarter

I even just posted the same question on a Firestarter Forum, but there is only 3 posts there that I could see and probably not too many people taking part in the forum.


mansour
 
Old 10-26-2011, 04:53 PM   #14
spankbot
Member
 
Registered: Aug 2007
Posts: 131

Rep: Reputation: 16
IPCop is a well known Linux distribution that is built from the ground up to be a dedicated firewall. It's easy to setup and powerful.

Building your own firewall from the ground up is not a good idea if you're a beginner (in my opinion).

Firestarter is also a great solution if you simply want to run a software firewall on your desktop machine. Note that your typical WiFi NAT router is a far better solution.
 
Old 10-26-2011, 05:49 PM   #15
mansour
Member
 
Registered: Nov 2010
Location: Toronto, Canada
Distribution: Ubuntu 10.04 Lucid Lynx - Ubuntu 10.10 notebook - Debian 5.08 - Win XP
Posts: 172

Original Poster
Rep: Reputation: 2
Quote:
Originally Posted by spankbot View Post
IPCop is a well known Linux distribution that is built from the ground up to be a dedicated firewall. It's easy to setup and powerful.

Building your own firewall from the ground up is not a good idea if you're a beginner (in my opinion).

Firestarter is also a great solution if you simply want to run a software firewall on your desktop machine. Note that your typical WiFi NAT router is a far better solution.


Actually now, after so many searches I have done on internet about these two (Firestarter and IPCop), I perfectly understand, the difference between Firestarter and IPCop. And IPCop is my next project, when I get my hands on some reasonable hardware to install it on, for my small network.
IPCop is better suited to be used as a network Firewall, and not as a stand alone Firewall, whereas, Firestarter is better suited as stand alone Firewall (on one machine only).

Obviously you haven't even bothered to read my last post, because you would have seen there, that my question was specific to Firestarter.

I also know the difference between my WiFi Router Firewall and Firestarter. But am trying to learn using Firestarter. Still you didn't post an answer to my last post.
But posted your opinion about what is best for my situation.



mansour

Last edited by mansour; 10-26-2011 at 05:53 PM.
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Tutorial: Building A Linux Music Studio Part 2 LXer Syndicated Linux News 0 01-04-2008 03:40 AM
LXer: Tutorial: Building A Linux Music Studio LXer Syndicated Linux News 0 12-27-2007 01:20 PM
LXer: Tutorial: Building a Linux Network Appliance, Part 3 LXer Syndicated Linux News 0 06-30-2006 11:21 AM
LXer: Tutorial: Building a Linux Network Appliance, Part 2 LXer Syndicated Linux News 0 06-28-2006 03:54 AM
Where can I find a simple tutorial on quota (limit capacity of disk space of a user)? George2 Linux - Software 5 11-04-2003 09:56 AM


All times are GMT -5. The time now is 10:43 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration