Originally Posted by rickh
I've used Firestarter for a long time and like it a lot. Simple and apparently quite secure. The one thing I want to do that I can't seem to do is define exceptions to Inbound traffic rules.
As I understand it, I can open a port to all comers only. There does not seem to be a way to tell Firestarter that anyone can use this port EXCEPT a specifically named IP address or a range of addresses. Am I missing something?
Is there perhaps a blacklist file that I can populate which iptables will check without prompting from Firestarter? Or is there another iptables GUI that allows such rulemaking. I notice that my 'Debian Bible' recommends Shorewall. Anyone familiar with that?
I use Shorewall on Debian. It's very good, but not that simple to use. It is easier than writing iptables scripts by hand, but not nearly as simple as the GUIs (Firestarter, Guarddog). You edit config files (at least 4 or so for a minimal config) and the Shorewall scripts then generate the iptables rules for you. Note that any mistakes (and you WILL make them!) result in the firewall locking down the system and you then have to sift through slightly cryptic startup error messages and log files to find the problem. Also, Shorewall has no running process that you can monitor like the GUIs; you need to look at the log files (or the console messages). There are scripts (I use fwlogwatch) to sift through the Shorewall log messages.
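The "open a port to everyone except these addresses" rule that rickh asks about is straightforward in raw iptables; what the GUI hides is that rule order decides the outcome. The following script is an added example, not code from either poster or from Firestarter/Shorewall: it emits (or, as root, applies) DROP rules for a blacklist of source addresses and only then the general ACCEPT for the port. Port 22 and the addresses 203.0.113.7 and 198.51.100.0/24 are constructed sample values (RFC 5737 documentation ranges), and `DRY_RUN=1` prints the commands instead of running them so the ordering can be checked without touching a live firewall.

```shell
#!/bin/sh
# Added example: expose one TCP port to everyone except a blacklist of
# source hosts/ranges. The DROP rules must come BEFORE the ACCEPT, because
# iptables stops at the first matching rule in the chain.
#
# DRY_RUN=1  -> print the iptables commands instead of executing them
# FW_APPLY=1 -> actually run main (requires root); default is to do nothing
#               at top level so the file can be sourced for its functions.

PORT="${PORT:-22}"                                      # assumed service port (SSH)
BLACKLIST="${BLACKLIST:-203.0.113.7 198.51.100.0/24}"   # constructed sample sources

# Wrapper so every rule goes through one place; honours DRY_RUN.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# build_port_rules PORT SRC...  : blacklist each SRC, then accept new
# connections to PORT from anyone else. Existing/related traffic is assumed
# to be handled by the usual ESTABLISHED,RELATED rule earlier in INPUT.
build_port_rules() {
    port="$1"; shift
    for src in "$@"; do
        ipt -A INPUT -p tcp --dport "$port" -s "$src" -j DROP
    done
    ipt -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
}

# check_order  : reads generated rule lines on stdin; exits 0 only if no DROP
# appears after an ACCEPT (i.e. the exceptions are still effective).
check_order() {
    awk '/-j ACCEPT/ { seen_accept = 1 }
         /-j DROP/ && seen_accept { bad = 1 }
         END { exit bad }'
}

main() {
    # shellcheck disable=SC2086  # BLACKLIST is intentionally word-split
    build_port_rules "$PORT" $BLACKLIST
}

if [ "${FW_APPLY:-0}" = "1" ]; then
    main
fi
```

Run `DRY_RUN=1 FW_APPLY=1 sh firewall-except.sh` to see the three commands in order; the same script with `FW_APPLY=1` as root applies them. If you end up in Shorewall instead, the equivalent (as I understand its `rules` file, so treat this as an assumption) is two lines in the same order, a `DROP net:203.0.113.7 $FW tcp 22` above an `ACCEPT net $FW tcp 22`; the generated iptables chain will have exactly this DROP-before-ACCEPT shape.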