Ubuntu: This forum is for the discussion of Ubuntu Linux.
I have been using something called GUFW, but I am thinking FIRESTARTER might be better. I am basing that on the fact that Firestarter seems a lot more configurable. I don't like that Fstarter sets itself up in the task bar at the bottom AND the notification area. But, that's really of no consequence, as the most important thing is which one is better as a firewall.
Also, I read that Fstarter is only used to configure the firewall and so it runs in the background without having an icon anywhere on the desktop. This would be good. So, all things being equal, I would prefer Fstarter... The BIG question is "is it as efficient as a firewall?"
I have heard of iptables, but everything I have seen states that it's hard for a non-expert to set up. And, as you already know, I am definitely a non-expert.
I am looking for something with a GUI that's easy to set up and works well. The two I mentioned in my post are what I am asking about.
Perhaps you can give me your opinion if the firewall is set up correctly (using FIRESTARTER) for a standalone desktop PC (not networked). Do you see any potential problems in the following output?
(Most of this stuff is Greek to me.)
Code:
joe@joe-desktop:~$ sudo iptables -L
[sudo] password for joe:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- rns1.domainnameserv.net anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT udp -- rns1.domainnameserv.net anywhere
ACCEPT tcp -- rns2.domainnameserv.net anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT udp -- rns2.domainnameserv.net anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere limit: avg 10/sec burst 5
DROP all -- anywhere 255.255.255.255
DROP all -- BASE-ADDRESS.MCAST.NET/8 anywhere
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/8
DROP all -- 255.255.255.255 anywhere
DROP all -- anywhere 0.0.0.0
DROP all -- anywhere anywhere state INVALID
LSI all -f anywhere anywhere limit: avg 10/min burst 5
INBOUND all -- anywhere anywhere
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Unknown Input'
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere limit: avg 10/sec burst 5
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Unknown Forward'
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 64-48-158-3.den-01.cvx.algx.net rns1.domainnameserv.net tcp dpt:domain
ACCEPT udp -- 64-48-158-3.den-01.cvx.algx.net rns1.domainnameserv.net udp dpt:domain
ACCEPT tcp -- 64-48-158-3.den-01.cvx.algx.net rns2.domainnameserv.net tcp dpt:domain
ACCEPT udp -- 64-48-158-3.den-01.cvx.algx.net rns2.domainnameserv.net udp dpt:domain
ACCEPT all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/8 anywhere
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/8
DROP all -- 255.255.255.255 anywhere
DROP all -- anywhere 0.0.0.0
DROP all -- anywhere anywhere state INVALID
OUTBOUND all -- anywhere anywhere
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Unknown Output'
Chain INBOUND (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
LSI all -- anywhere anywhere
Chain LOG_FILTER (5 references)
target prot opt source destination
Chain LSI (2 references)
target prot opt source destination
LOG_FILTER all -- anywhere anywhere
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST
LOG icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP icmp -- anywhere anywhere icmp echo-request
LOG all -- anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Inbound '
DROP all -- anywhere anywhere
Chain LSO (0 references)
target prot opt source destination
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Outbound '
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTBOUND (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
joe@joe-desktop:~$
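Added example, not from the thread: a small Python checker that parses a plain `iptables -L` listing like the one above and raises the two questions a reviewer would ask of it: are the three built-in policies DROP, and which ACCEPT rules match "all anywhere anywhere" with no visible condition. The plain `-L` format hides the `-i`/`-o` interface match, so such a rule may be Firestarter's loopback rule or a genuine allow-all, and only `iptables -L -v -n` can tell. The sample listing is a shortened copy of the output posted above.

```python
import re

# Constructed sample: a shortened copy of the `iptables -L` listing in the post above.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- rns1.domainnameserv.net anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
INBOUND all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain INBOUND (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
"""

# "Chain NAME (policy X)" for built-in chains, "Chain NAME (N references)" for user chains.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)\)$")

def parse_listing(text):
    """Return {chain: {"policy": str or None, "rules": [(target, prot, src, dst, match)]}}."""
    chains, current = {}, None
    for line in text.strip().splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
        elif current and not line.startswith("target "):  # skip the column header line
            parts = line.split(None, 5)  # target prot opt source destination [match...]
            target, prot, _opt, src, dst = parts[:5]
            chains[current]["rules"].append((target, prot, src, dst, parts[5] if len(parts) > 5 else ""))
    return chains

def audit(chains):
    """Flag non-DROP built-in policies and ACCEPT rules whose only visible scope is 'anywhere'."""
    findings = []
    for name in ("INPUT", "FORWARD", "OUTPUT"):
        policy = chains.get(name, {}).get("policy")
        if policy != "DROP":
            findings.append(f"{name}: default policy is {policy}, not DROP")
    for name, chain in chains.items():
        for i, (target, prot, src, dst, match) in enumerate(chain["rules"], 1):
            if target == "ACCEPT" and prot == "all" and src == dst == "anywhere" and not match:
                # plain -L hides -i/-o, so this may be the loopback rule or a true allow-all
                findings.append(f"{name} rule {i}: unconditional ACCEPT; check interface with `iptables -L -v -n`")
    return findings
```

On the full listing in the post, the checker reports the fifth INPUT rule and the fifth OUTPUT rule; both need the verbose listing before they can be judged.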
If you are behind a router, then you really don't need a software firewall. If you are not behind a router, then Firestarter is a good choice. I used it for quite a while in Ubuntu. It was easy to configure and did the job well.
You can check how well the firewall is working for you by using the port scans at "Shields Up" on this site: http://www.grc.com/default.htm