LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-05-2008, 12:58 PM   #16
DennisC31
Member
 
Registered: May 2007
Location: beyond my means
Distribution: Mint 11.04
Posts: 55

Rep: Reputation: 19

Quote:
Originally Posted by ScotHypnotist View Post
Kewpie,
Thank you for your help.
I am simply looking for something
that I can install and forget.
I am not yet so savi with linux
that I am punching my own code.
Namaste'
Scot

Hey Scot.

Here's a HUGE bit of advice that I wish I had been given.

Tattoo this on your right hand:

Code:
I will never be able to learn everything there is to know about linux.
I'll probably get some flames for saying that. But, it's true.

I mention this because you mentioned "I am not yet so savi [] that I am punching my own code." You don't have to be a coder to use linux. Many, many programmers love to use linux. But you don't have to be a coder to use the OS.

Good luck with your firewall search. There are MANY options for firewalling.

If you know how to configure the nitty-gritty details of a firewall, use the built-in iptables software.

Other than that, well... I'm no firewall junkie. I stick everything behind a NAT, configure holes for my DMZ boxes and DMZ firewalls, and leave it at that.

Last edited by DennisC31; 04-11-2012 at 05:42 PM.
 
Old 01-05-2008, 01:17 PM   #17
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,399
Blog Entries: 2

Rep: Reputation: 908
Quote:
Originally Posted by ScotHypnotist View Post
TheNbom aka Rod,
I am using Xubuntu with the XFCE GUI.
I would be looking for what you described as
a canned package.
One that I have little or no chance of screwing up.

Namaste'
Scot

The package I am most familiar with is for setting up a dedicated firewall/router. It is called HomeLANSecurity, and can be easily located on the web. If you are looking for a package to protect only a single local host, it is not appropriate for your needs.
What I describe as a canned package will invariably be something on the level of what win32sux has provided in this forum. To be truthful, what he has given you is not so difficult to install. You probably just need to examine what he has described, ask a few questions here to fill in the blanks and attempt an installation. As much as you would like to think of a firewall as an 'install-and-forget' project, it is probably not so realistic. You will probably someday want to run some sort of service requiring you to open some port(s). For instance, you may want to enable SSH to allow you to log in remotely. You may wish to enable certain P2P services. Online games may require specific configuration. Most times, these updates are not difficult to perform, but they do require some understanding of where to look and how to restart the system.
--- rod.
 
Old 01-22-2008, 05:06 PM   #18
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,399
Blog Entries: 2

Rep: Reputation: 908
Okay, this thread got me interested enough to try out Firestarter. I ran it on a firewall host that had previously been configured with the aforementioned homeLanSecurity. It seemed to generate a more or less acceptable firewall script, but I didn't want to keep it as a permanent set up. Therein lies my problem. I did a
Code:
service firestarter stop
and re-ran the homeLanSecurity script. Everything worked fine until the WAN interface lease expired, at which point it reloaded itself, removing all of the settings applied by homeLanSecurity. The documentation for Firestarter states: "When the network device bound to the DHCP service is assigned an IP address (either when connecting for the first time or on a lease renewal) the firewall is started or refreshed."
This seems to be happening, and I don't want it to. I cannot seem to locate the mechanism by which this is occurring. Can anyone tell me how to terminate this? A re-boot did not solve the problem. Thanks.

BTW, my take is that the basic scripts generated by Firestarter would probably be a decent starting point for someone who wanted to generate a more highly customized or special-purpose firewall. Significant changes would probably make the Hits tool work incorrectly, however, as would probably be lost

I wonder what acid_kewpie objects to about the script generator in Firestarter? Care to expand on that, acid_kewpie (not saying you're wrong, would just like more detail)?
--- rod.

Last edited by theNbomr; 01-23-2008 at 11:11 AM.
 
Old 01-23-2008, 11:29 AM   #19
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,399
Blog Entries: 2

Rep: Reputation: 908
Okay, in answer to my own question...
The firestarter tool, either the installer or the tool itself, creates an entry in the /etc/dhclient-exit-hooks file, which re-runs the firewall startup script immediately after the WAN interface renews its DHCP lease. I am hopeful that removing the entry from /etc/dhclient-exit-hooks will stop firestarter from clobbering my preferred firewall. I will know for sure in a couple of hours when the lease is renewed.
--- rod.
 
Old 01-23-2008, 01:58 PM   #20
farslayer
LQ Guru
 
Registered: Oct 2005
Location: Northeast Ohio
Distribution: linuxdebian
Posts: 7,249
Blog Entries: 5

Rep: Reputation: 191
you could simply uninstall or purge the firestarter package from your distro if you don't intend to continue using it.. wouldn't have to worry about it restarting then..


Firestarter is a great choice for new Linux users imho. It's simple to use sorta like zone-alarm in windows..
 
Old 01-23-2008, 02:59 PM   #21
internetSurfer
Member
 
Registered: Jan 2008
Location: w3c
Distribution: Slackware 12 Zenwalk 5.2
Posts: 71

Rep: Reputation: 16
Advanced Policy Firewall (APF)
http://rfxnetworks.com/apf.php

Useful Guide: Securing & Hardening Linux v1.0
 
Old 01-23-2008, 04:00 PM   #22
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,399
Blog Entries: 2

Rep: Reputation: 908
Quote:
Originally Posted by farslayer View Post
you could simply uninstall or purge the firestarter package from your distro if you don't intend to continue using it.. wouldn't have to worry about it restarting then..


Firestarter is a great choice for new Linux users imho. It's simple to use sorta like zone-alarm in windows..

I did use yum remove, which deleted all of the binaries and scripts, except the troublesome ones. In my searches for a solution to this, it appeared that this was considered a bug, at least by people responsible for Debian packages, although mine is a Fedora RPM. The firestarter homepage seems to say that the behavior I object to is a feature, but I don't see it that way. It is hardly inconceivable that one might wish to turn a firewall off for arbitrary time periods (like... forever), and to have it autocratically restart itself just seems wrong to me.

Maybe this kind of thing is prevalent with packages like firestarter, and that might be what acid_kewpie objects to.

--- rod.
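
Added example, not part of any post in this thread: a shell audit for the situation in posts #19 and #22, where an entry in /etc/dhclient-exit-hooks keeps re-running a firewall script on every DHCP lease renewal, even after the package is removed. Only the /etc/dhclient-exit-hooks path comes from the thread; the function names and the sample hook lines are constructed for illustration.

```shell
#!/bin/sh
# Audit dhclient hook files for lines that re-run a firewall script on lease renewal.

# list_hook_entries PATTERN FILE...
# Prints "file:line:text" for every active (uncommented) line containing PATTERN.
list_hook_entries() {
    pattern=$1; shift
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk -v pat="$pattern" -v file="$f" '
            /^[ \t]*#/     { next }    # already commented out
            index($0, pat) { printf "%s:%d:%s\n", file, NR, $0 }
        ' "$f"
    done
}

# disable_hook_entries PATTERN FILE
# Comments out matching lines in place; the untouched original is kept as FILE.bak.
disable_hook_entries() {
    pattern=$1; file=$2
    [ -f "$file" ] || return 1
    cp -p "$file" "$file.bak" || return 1
    awk -v pat="$pattern" '
        !/^[ \t]*#/ && index($0, pat) { print "# disabled: " $0; next }
        { print }
    ' "$file.bak" > "$file"
}

# Demo on a constructed sample file; the hook lines are illustrative,
# not copied from a real Firestarter install.
demo() {
    dir=$(mktemp -d) || return 1
    hook="$dir/dhclient-exit-hooks"
    cat > "$hook" <<'EOF'
# constructed sample hook file
sh /etc/firestarter/firestarter.sh start
/usr/local/sbin/update-ddns "$new_ip_address"
EOF
    list_hook_entries firestarter "$hook"      # shows the line that reloads the firewall
    disable_hook_entries firestarter "$hook"   # neutralises it, leaves other hooks alone
    cat "$hook"
    rm -rf "$dir"
}
demo
```

On a real host, run list_hook_entries against /etc/dhclient-exit-hooks as root and review the output before calling disable_hook_entries, since other lines in the same file may be hooks you still need.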
 
  

