LinuxQuestions.org


MasterOfTheWind 08-10-2005 09:04 AM

best linux firewall?
 
What do you think guys, what is the best firewall for linux?

dukeinlondon 08-10-2005 09:11 AM

My option is to use my router's firewall, personally.

I had no problem whatsoever with it in 3 years and it's rather cheap.

In the past, I used guarddog. Nice interface but a bit tedious. It might have changed for the best since then though.

xxx_anuj_xxx 08-10-2005 09:22 AM

I tried Shorewall. It is cool!
http://shorewall.net/

ralvez 08-10-2005 09:42 AM

I have experienced, over time, different possibilities. I've used IPTABLES (written my own tables) in order to learn.
Currently, for my personal computer I use Firestarter, which I consider a very reliable and easy to use firewall.
For my router I use Smoothwall. It is small (under 250MB), has a nice web interface for the administrator, and I find it friendly and reliable.

Hope this helps.

Rick

SlackerLX 08-10-2005 10:11 AM

Some of our members reported overload of Shorewall when traffic is hit by a virus for M$ machines. IPTABLES is easy enough, and without implementations and "improvements".

sundialsvcs 08-10-2005 02:11 PM

As far as I can see (and I use it), Shorewall is simply an iptables-rule generator. It has no active components. I believe that the stories of an "overload" must be mistaken.

Of course, the processing of iptables rules does require a certain amount of CPU power per-packet. Here, a hardware firewall on the front-end, e.g. within the router leading in from the DSL line or cable-modem, can be very useful. It will strip out most of the unwanted traffic, leaving Linux to deal only with a small percentage.

zWaR 08-10-2005 02:28 PM

Learn iptables and write the rules by yourself!! Ethereal is a great help! Besides it is good to learn something about the firewall theory and different firewall "architectures" in order to write a good set of iptables rules: http://www.unix.org.ua/orelly/networ...fire/index.htm

linux=future 08-10-2005 02:35 PM

iptables is extremely powerful. It is in the kernel itself, instead of being a program running on top of the kernel. This makes it hard to hack (typically). The downside is that you need to learn how to manually configure it if you want it to be perfect.

Half_Elf 08-10-2005 02:50 PM

I believe there is only ONE firewall in linux, which is "iptables" (in fact it's part of the kernel), it replaces the old "ipchains" now.

In case you are asking about a front-end (GUI) to it, then there are plenty, but they are all bad in my opinion. Writing a firewall script is just a bad thing to do through a GUI; you will always be limited at some point and run into problems. You had better just write it yourself by hand. It's not hard at all.

Lleb_KCir 08-10-2005 04:09 PM

If you are wanting a dedicated firewall, router, proxy, NAT box, then I suggest looking into www.ipcop.org

This is a little 50M self-installing CD that can handle up to 4 NICs: one for RED (connected to your ISP), GREEN (LAN safe side), BLUE (WiFi, different subnet than GREEN) and ORANGE as your DMZ, again a different subnet.

It has a nice little https: web interface and right out of the box is very secure. You can lock it down tighter, as it does run iptables, and there are plenty of pre-configured add-ons for blocking things.

This also does VPNs and much, much more. Check them out.

MasterOfTheWind 08-11-2005 12:42 PM

All right, thanks everyone :) I think I'll stick to IPTables for now, as many of you suggested....


All times are GMT -5.