LinuxQuestions.org

Linux - Security forum: Need advice for firewall (http://www.linuxquestions.org/questions/linux-security-4/need-advice-for-firewall-739640/)

JosephS 07-12-2009 10:12 PM

Need advice for firewall
 
I'm thinking of setting up a firewall. I've come across a few things so
far. I would like to know what the differences are between Iptables, a
router, and a distro like Ipcop.
I'm trying to figure out what the differences and advantages are so that I will know what I will need.

Appreciate any advice or suggestions.

I need something for a home computer.

Thanks.

win32sux 07-12-2009 10:46 PM

Quote:

Originally Posted by JosephS (Post 3605608)
I'm thinking of setting up a firewall. I've come across a few things so
far. I would like to know what the differences are between Iptables, a
router, and a distro like Ipcop.
I'm trying to figure out what the differences and advantages are so that I will know what I will need.

Appreciate any advice or suggestions.

I need something for a home computer.

Thanks.

A firewall is a tool that lets you control which packets are allowed on a system/network. Iptables is the tool used to configure Linux's native firewall functionality, which is called Netfilter. A router is a tool which lets you control which path packets should take. Distros like IPCop are a collection of software packages centered around the management of packets coming and going from organizational networks. Such distros include varied functionality, including (but not limited to) firewalling and routing.

H_TeXMeX_H 07-13-2009 04:17 AM

Personally I never trust a router firewall, I mean how often do you update your router's firmware? Usually never. How much can you configure your router firewall? Usually, not much. So even if I leave the router firewall on, I like to have a software firewall as well on my computer. There are many frontends for iptables if you need a GUI, just search Google or see here:

http://freshmeat.net/search?q=iptabl...&submit=Search

salasi 07-13-2009 06:05 AM

Quote:

Originally Posted by JosephS (Post 3605608)
I would like to know what the differences are between Iptables, a router, and a distro like Ipcop.
I'm trying to figure out what the differences and advantages are...

A distro like Ipcop will include a firewall (in the case of Linux, it's almost always Iptables/netfilter).

Pro
This approach is very useful if you are trying to build your own 'net appliance'-type box; a box that does firewalling, maybe caching, maybe a DNS server, because you get all the bits that you need in one package and little of the stuff that you don't need, and you get it more-or-less set up from the get-go, provided you go through the (slightly involved) install procedure correctly.

Con
For someone who has extensive experience of networking and one particular distribution it may not be much easier than the complete 'do it yourself' approach with his (or her) favourite distro, and if you intend to run lots of non-networking stuff on the box, it might not be helpful. Or, to put that another way, if this box isn't going to be your network appliance, you might be better off with a different approach.

Iptables/Netfilter
Is essentially (in appearance to the user) a special purpose programming language for firewalls. There are graphical front ends to this, and there are customised bash scripts, etc, etc, all of which try to make it easier to do the configuration (which isn't really all that hard, provided that you understand the basics of networking... which most people think that they do, but it's only a smaller number who actually do).

Pro
totally configurable
can run on same box as your applications

Con
totally configurable

Router

It's difficult to say much about routers; some are good, with regard to firewalling, most consumer devices, errm, less good than they could be. Mainly this shows up as a lack of configurability in the firewall functionality (from zero, to ok but a bit coarse, to really quite useful). Whether this impacts you depends on how involved your requirements are and how good your particular model is. And there is the usual trade-off of flexibility against ease of configuration, but, if you know what you are doing, having slightly more config to do won't detain you for long.

Note that these aren't either/or. You could (probably should) decide on multiple layers of security. If nothing else, the logging capabilities on an Iptables/netfilter type firewall are better than on most consumer networking boxes that I've seen, so if you want to know whether you are under attack and that attack is getting past your router and trying the defenses of your computer, you'll want Iptables/netfilter in addition to whatever your router provides, just for logging. And, of course, it's very configurable.

Whether you want an 'easy' front end to it, and whether that should be a GUI or a template bash script, is very much a matter of preference; they all run the same iptables/netfilter at the end of the day, it's just a matter of which config tool does what you want and you feel comfortable with.

JosephS 07-13-2009 10:24 PM

Thanks for the replies.

One of the things I was thinking of was which would be more secure:
having a firewall on the computer I was working on or a dedicated
firewall, or is this not important?

Is it a security problem to run a gui as root?
A graphical front end for Iptables.
Also I think IPCop is accessed through a web browser.

Thanks for the help.

viGeek 07-13-2009 10:54 PM

I would go with either APF (Advanced Policy Firewall) or KISS Firewall.

APF has a lot of nice add-ins and some real nice filtering options. KISS is incredibly basic but gets the job done.

Both are free/open source

win32sux 07-14-2009 01:53 AM

Quote:

Originally Posted by JosephS (Post 3606748)
One of the things I was thinking of was which would be more secure:
having a firewall on the computer I was working on or a dedicated
firewall, or is this not important?

Use both - especially if you've got more than one computer on your LAN. A dedicated firewall will filter packets from your WAN, while a host-based firewall will filter packets from within your LAN (while at the same time acting as a second line of defense).

Quote:

Is it a security problem to run a gui as root?
A graphical front end for Iptables.
Yes, it's always a risk to run anything as root. But certain things need root privileges, so you might not have much of a choice.

Quote:

Also I think IPCop is accessed through a web browser.
That seems to be the norm with firewall distros today.

salasi 07-14-2009 06:13 AM

Quote:

Originally Posted by JosephS (Post 3606748)

Is it a security problem to run a gui as root?

Yes. But you don't have to keep doing it and you don't have to do it when you are online. Actually, you haven't said why you feel that you need to do it at all, assuming it is related to this problem of a firewall.

If you mean that you can't create a ruleset for iptables without running your chosen gui, that would be correct, but you can do that without running as root. It is only when you come to put that ruleset in place that you need to be root, and that can be a simple script in the start-up process.

So, provided that your chosen front end can create and store a ruleset without instantiating it, you should be fine. In fact, this is probably the only secure way of working, if you think that there is any chance of someone trying to crack your ruleset or your generator (back up and archive your ruleset, of course).
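An added example (not from the thread or any poster) of the workflow salasi describes: the ruleset is generated and inspected as an ordinary user in iptables-save format, and only loaded as root from a boot script, with the rate-limited logging of dropped packets that the thread recommends for seeing what gets past the router. It assumes IPv4 only, a home machine exposing no services, and that iptables-restore is installed.

```shell
#!/bin/sh
# Host-based iptables ruleset for a single home machine (constructed example).
# Default policy is DROP on INPUT; anything not explicitly allowed is logged
# (rate-limited, so an attacker cannot fill the disk) and then dropped.
# Add ACCEPT lines to INPUT if you run a service such as SSH.

gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# loopback traffic is always fine
-A INPUT -i lo -j ACCEPT
# replies to connections this host started
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# malformed / out-of-state packets are dropped without logging
-A INPUT -m conntrack --ctstate INVALID -j DROP
# everything else goes to the logging chain
-A INPUT -j LOGDROP
# log at most 5 packets/minute (burst 10) to the kernel log, then drop
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables-drop: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}

# Sanity check before loading: number of INPUT rules that ACCEPT.
# A home box with no services should have exactly two (loopback, established).
count_input_accepts() {
    gen_ruleset | grep -c '^-A INPUT .*-j ACCEPT$'
}

# Apply the ruleset atomically; this is the only step that needs root.
# Call it from a boot script (rc.local, a systemd unit, ...) rather than
# running a GUI front end as root.
apply_ruleset() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_ruleset: must be root" >&2; return 1; }
    gen_ruleset | iptables-restore
}

case "${1:-}" in
    show)  gen_ruleset ;;
    apply) apply_ruleset ;;
esac
```

Run `sh firewall.sh show` as a normal user to review the rules, and `sh firewall.sh apply` as root to load them; dropped packets then appear in the kernel log with the prefix `iptables-drop:`.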

