LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 07-12-2009, 10:12 PM   #1
JosephS
Member
 
Registered: Jun 2007
Distribution: Debian Squeeze, CrunchBang Waldorf
Posts: 514

Rep: Reputation: 38
Need advice for firewall


I'm thinking of setting up a firewall. I've come across a few things so
far. I would like to know the differences are between Iptables, a
router, and a distro like Ipcop.
I'm trying to figure out the differences, and advantages are so that I will know what I will need.

Appreciate any advice or suggestions.

I need something for a home computer.

Thanks.
 
Old 07-12-2009, 10:46 PM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by JosephS View Post
I'm thinking of setting up a firewall. I've come across a few things so
far. I would like to know the differences are between Iptables, a
router, and a distro like Ipcop.
I'm trying to figure out the differences, and advantages are so that I will know what I will need.

Appreciate any advice or suggestions.

I need something for a home computer.

Thanks.
A firewall is a tool that lets you control which packets are allowed on a system/network. Iptables is the tool used to configure Linux's native firewall functionality, which is called Netfilter. A router is a tool which lets you control which path packets should take. Distros like IPCop are a collection of software packages centered around the management of packets coming and going from organizational networks. Such distros include varied functionality, including (but not limited to) firewalling and routing.

Last edited by win32sux; 07-12-2009 at 10:48 PM.
 
Old 07-13-2009, 04:17 AM   #3
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269
Personally I never trust a router firewall, I mean how often do you update your router's firmware ? Usually never. How much can you configure your router firewall ? Usually, not much. So even if I leave the router firewall on, I like to have a software firewall as well on my computer. There are many frontends for iptables if you need a GUI just search google or see here:

http://freshmeat.net/search?q=iptabl...&submit=Search
 
Old 07-13-2009, 06:05 AM   #4
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,887

Rep: Reputation: 774Reputation: 774Reputation: 774Reputation: 774Reputation: 774Reputation: 774Reputation: 774
Quote:
Originally Posted by JosephS View Post
I I would like to know the differences are between Iptables, a router, and a distro like Ipcop.
I'm trying to figure out the differences, and advantages..
A distro like Ipcop will include a firewall (in the case of Linux, its almost always Iptables/netfilter).

Pro
This approach is very useful if you are trying to build your own 'net appliance'-type box; a box that does firewalling, maybe caching, maybe a DNS server, because you get all the bits that you need in one package and little of the stuff that you don't need, and you get it more-or-less set up from the get-go, provided you go through the (slightly involved) install procedure correctly.

Con
For someone who has extensive experience of networking and one particular distribution it may not be much easier than the complete 'do it yourself' approach with his (or her) favourite distro, and if you intend to run lots of non-networking stuff on the box, it might not be helpful. Or, to put that another way, if this box isn't going to be your network appliance, you might be better off with a different approach.

Iptables/Netfilter
Is essentially (in appearance to the user) a special purpose programming language for firewalls. There are graphical front ends to this, and there are customised bash scripts, etc, etc, all of which try to make it easier to do the configuration (which isn't really all that hard, provided that you understand the basics of networking...which most people think that they do, but its only a smaller number who actually do).

Pro
totally configurable
can run on same box as your applications

Con
totally configurable

Router

Its difficult to say much about routers; some are good, with regard to firewalling, most consumer devices, errm, less good than they could be. Mainly this shows up as a lack of configurability in the firewall functionality (from zero, to ok but a bit coarse, to really quite useful). Whether this impacts you depends on how involved are your requirements and how good your particular model is. And there is the usual trade-off of flexibility against ease of configuration, but, if you know what you are doing, having slightly more config to do won't detain you for long.

Note that these aren't either/or. You could (probably should) decide on multiple layers of security. If nothing else, the logging capabilities on an Iptables/netfilter type firewall are better than on most consumer networking boxes that I've seen, so if you want to know whether you are under attack and that attack is getting past your router and trying the defenses of your computer, you'll want Iptables/netfilter in addition to whatever your router provides, just for logging. And, of course, its very configurable.

Whether you want an 'easy' front end to it, and whether than should be a Gui or a template baash script is very much a matter of preference; they all run the same iptables/netfilter at the end of the day, its just a matter of which config tool does what you want and you feel comfortable with.
 
Old 07-13-2009, 10:24 PM   #5
JosephS
Member
 
Registered: Jun 2007
Distribution: Debian Squeeze, CrunchBang Waldorf
Posts: 514

Original Poster
Rep: Reputation: 38
Thanks for the replies.

One of the things I was thinking of was which would be more secure:
having a firewall on the computer I was working on or a dedicated
firewall, or is this not important?

Is it a security problem to run a gui as root?
A graphical front end for Iptables.
Also I think IPCop is accessed through a web browser.

Thanks for the help.
 
Old 07-13-2009, 10:54 PM   #6
viGeek
LQ Newbie
 
Registered: Jul 2009
Posts: 28

Rep: Reputation: 17
I would go with either APF (Advanced Policy Firewall) or KISS Firewall.

APF has a lot of nice add-ins and some real nice filtering options. KISS is incredibly basic but gets the job done.

Both are free/open source
 
Old 07-14-2009, 01:53 AM   #7
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by JosephS View Post
One of the things I was thinking of was which would be more secure:
having a firewall on the computer I was working on or a dedicated
firewall, or is this not important?
Use both - especially if you've got more than one computer on your LAN. A dedicated firewall will filter packets from your WAN, while a host-based firewall will filter packets from within your LAN (while at the same time acting as a second line of defense).

Quote:
Is it a security problem to run a gui as root?
A graphical front end for Iptables.
Yes, it's always a risk to run anything as root. But certain things need root privileges, so you might not have much of a choice.

Quote:
Also I think IPCop is accessed through a web browser.
That seems to be the norm with firewall distros today.

Last edited by win32sux; 07-14-2009 at 01:54 AM.
 
Old 07-14-2009, 06:13 AM   #8
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,887

Rep: Reputation: 774Reputation: 774Reputation: 774Reputation: 774Reputation: 774Reputation: 774Reputation: 774
Quote:
Originally Posted by JosephS View Post

Is it a security problem to run a gui as root?
Yes. But you don't have to keep doing it and you don't have to do it when you are online. Actually, you have'nt said why you feel that you need to do it at all, assuming it is related to this problem of a firewall.

If you mean that you can't create a ruleset for iptables without running your chosen gui, that would be correct, but you can do that without running as root. It is only when you come to put that ruleset in place that you need to be root, and that can be a simple script in the start-up process.

So, provided that your chosen front end can create and store a ruleset without instantiating it, you should be fine. In fact, this is probably the only secure way of working, if you think that there is any chance of someone trying to crack your ruleset or your generator (back up and archive your ruleset, of course).
 
  


Reply

Tags
ipcop, iptables, router


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Firewall, advice sought. PBH Grafpup 4 08-10-2007 06:18 AM
Need some advice about setting up a firewall stuart Linux - Networking 3 08-09-2007 05:00 AM
Need advice on my firewall script artielnx Linux - Security 1 04-04-2005 11:04 PM
IPTables Firewall Advice... Bomber Linux - Security 5 04-11-2004 01:17 AM
Antivirus/Firewall advice Tweaker Linux - Newbie 5 05-14-2003 03:20 AM


All times are GMT -5. The time now is 09:21 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration