Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: User-Friendly Firewall For a Brand-New Linux User?

Posted by timothy on from the perfect-security-on-the-way dept.

An anonymous reader writes "I am a new Linux user; I'm on 2nd day now. Currently I am trying out Ubuntu, but that could change. I am looking for a user friendly firewall that I can set up that lets me do these things:1) set up a default deny rule 2) carve out exceptions for these programs: browser, email client, chat client, yum and/or apt. 3) carve out exceptions to the exceptions in requirement 2 — i.e. I want to be able to then block off IPs and IP ranges known to be used by malware, marketers, etc., and all protocols which aren't needed for requirement 2. It also needs to have good enough documentation that a beginner like me can figure it out. Previously, I had done all of the above in AVG Firewall on Windows, and it was very easy to do. So far, I have tried these things:1) IPTABLES — it looked really easy to screw it up and then not notice that it's screwed up and/or not be able to fix it even if I did notice, so I tried other things at that point... 2) searched the internet and found various free firewalls such as Firestarter, GUFW, etc., which I weren't able to make meet my requirements. Can someone either point me to a firewall that meets my needs or else give me some hints on how to make firestarter or GUFW do what I need?"

5 of 187 comments (clear)

  1. Shorewall by ttucker · · Score: 4, Informative

    Shorewall is a pretty good iptables configuration tool.

    1. Re:Shorewall by ttucker · · Score: 3, Informative

      So let me sort this out, in order to easily configure iptables, shorewall is a good solution, but to configure shorewall, I will want to use webmin. So what do I need to install to configure webmin?

      You might be surprised to find that using several layers of abstraction is relatively common in the computer world, and that your much vaunted probably does something very similar.

    2. Re:Shorewall by klui · · Score: 3, Informative

      You a word there.

      I think you meant Windows does the same thing? Indeed, netsh is used to manage firewall rules on the command line level, and the Windows firewall snapin uses netsh. There are 3rd-party programs that replace the snapin or make it more intuitive like wfc from BiniSoft. I'm not sure if it replaces the regular snapin or runs on top of it.

    3. Re:Shorewall by Antique+Geekmeister · · Score: 3, Informative

      _This_ is why many people hate asking It for help. Rather than answer the questions as stated, the poster is being told to buy more hardware and learn to program it himself by fan boys of half a dozen different toolkits, many of them requiring new hardware, without a good guideline to compare them, and many of them that require quite a bit of learning to master. Many of the suggestions are completely unsuitable to many environments: carrying a spare router around to put in front of a laptop is impractical. And even with a commercial grade firewall router in _front_ of a local network, that provides no protection against internal attack by infected laptops or houseguests:. And let's be honest, many households do leave their home wireless networks open to visitors.

      The built-in iptables in most Linux systems is not *bad*, and quite suitable for home use. I just took a look at the current release of webmin, and the interface to manage iptables is really quite good: just remember to not accidentally cut off the webmin interface while firewalling off other traffic.

  2. Re:what he actually wants to configure is applicat by causality · · Score: 3, Informative

    he wants a global way of configuring which applications have the capability to connect to what servers or open what ports. This is a different meaning of 'firewall' than is used in the Unix world.

    AFAIK there's already some capability enforcement prohibiting some programs from accessing the Internet in modern Linux distributions, but, I don't really know how it's configured either.

    I simply use an alternate user to arrange this. In my case, it's the Windows games I run via Wine. I don't trust them and I have no need for single-player games to connect to remote servers.

    So I create a user named "winegames". I run all Windows games as this user. Then I add a simple iptables rule:

    iptables -A OUTPUT --match owner --uid-owner winegames -j REJECT

    Now nothing run as "winegames" can connect anywhere. A few games will briefly complain that they can't connect to the server so that people who don't care can see my in-game achievements but that's alright. Also, I use REJECT instead of DROP so that the programs get an instant error when they try to connect. If you use DROP they will waste a lot of time waiting for a response that will never come.

    Incidentally, if your distro does not provide this, you will need to add a line to your PAM config to allow alternate users to open windows on your X display. For my distro (Gentoo) the file is /etc/pam.d/su. I simply add this to the file on its own line: "session optional pam_xauth.so". Now the alternate user "winegames" can open new windows on the X server started by my main user.

    --
    It is a miracle that curiosity survives formal education. - Einstein