Ask Slashdot: User-Friendly Firewall For a Brand-New Linux User?
An anonymous reader writes "I am a new Linux user; I'm on my 2nd day now. Currently I am trying out Ubuntu, but that could change. I am looking for a user-friendly firewall that I can set up that lets me do these things: 1) set up a default deny rule; 2) carve out exceptions for these programs: browser, email client, chat client, yum and/or apt; 3) carve out exceptions to the exceptions in requirement 2 — i.e. I want to be able to then block off IPs and IP ranges known to be used by malware, marketers, etc., and all protocols which aren't needed for requirement 2. It also needs to have good enough documentation that a beginner like me can figure it out. Previously, I had done all of the above in AVG Firewall on Windows, and it was very easy to do. So far, I have tried these things: 1) IPTABLES — it looked really easy to screw it up and then not notice that it's screwed up and/or not be able to fix it even if I did notice, so I tried other things at that point... 2) searched the internet and found various free firewalls such as Firestarter, GUFW, etc., which I wasn't able to make meet my requirements. Can someone either point me to a firewall that meets my needs or else give me some hints on how to make Firestarter or GUFW do what I need?"
Shorewall is very nice. For the user I would suggest using it and installing Webmin to configure it. Webmin does an OK job configuring Shorewall, which is already pretty easy to set up; it can just be fairly confusing for the first-timer with all the config files. After the first few times with Webmin you learn how to do it with the command line and vim.
Bastille-linux is also something that was fairly easy to use in the past. I used that before Shorewall, but I haven't used Bastille for years, must be at least a decade, so I don't know what the current state of it is.
Software Engineer & Writer of Military Science Fiction and Fantasy Blog: petermwright.com Twitter: WrightPeterM
I can understand trying to wall off Windows from what you can, but with non-Windows you just make sure you only enable services that you want. Use good passwords, lock it down so only what you want running can run, and don't listen to the script kiddies knocking on your door. Crank up the stereo.
I assume your box hangs off a router of some sort? It's probably all you need for a firewall.
The parent poster is correct. Windows and Linux are totally different animals in regards to firewalls. There is only one firewall for Linux and it is built into the system. IPTables is how the firewall is configured. All other tools are just front-ends or wrappers for IPTables.
IPTables doesn't have support for application-based firewalling. You can do that kind of thing using something like the Grsecurity patch for the kernel, but it is not for beginners.
Grsecurity will let you create policies exactly like what you're talking about and then some. For example, it will allow you to create a policy limiting which files and folders a given program can access. To be specific, on my machine I have a policy that Firefox can only write data to its own folders and to my Downloads directory, and can't execute/run any files inside those folders. That way, if somebody hits me with a drive-by download or something, it simply won't work.
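Since every Linux front-end mentioned above ends up writing iptables rules, the three requirements in the question (default deny, a few allowed protocols, blocked ranges that override the allows) come down to rule order. The following added example, not from the original thread or any of the tools named, generates an iptables-restore rule set for those requirements and includes a small matcher that walks the OUTPUT chain to show why the DROP rules for blocked ranges must come before the port ACCEPTs; the CIDRs and ports are constructed placeholders.

```python
import ipaddress

# Constructed policy: ports the browser, mail and chat clients, and apt need,
# plus address ranges to block even for those ports (documentation ranges only).
ALLOWED_TCP_PORTS = {80: "http", 443: "https", 993: "imaps", 587: "submission"}
BLOCKED_RANGES = ["192.0.2.0/24", "198.51.100.0/24"]


def build_rules(allowed_tcp=ALLOWED_TCP_PORTS, blocked=BLOCKED_RANGES):
    """Return iptables-restore lines in evaluation order.

    Blocked ranges are emitted before the port ACCEPTs: iptables stops at the
    first matching rule, so an ACCEPT on port 443 placed earlier would let
    traffic to a blocked range through (the 'exception to the exception')."""
    rules = [
        "*filter",
        ":INPUT DROP [0:0]",    # requirement 1: default deny everywhere
        ":FORWARD DROP [0:0]",
        ":OUTPUT DROP [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A OUTPUT -o lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for cidr in blocked:            # requirement 3: blocks win over allows below
        rules.append(f"-A OUTPUT -d {cidr} -j DROP")
    rules.append("-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT")
    for port, name in sorted(allowed_tcp.items()):   # requirement 2
        rules.append(f"-A OUTPUT -p tcp --dport {port} -m conntrack --ctstate NEW"
                     f" -m comment --comment {name} -j ACCEPT")
    rules.append("COMMIT")
    return rules


def simulate_output(rules, dst_ip, proto, dport):
    """Toy first-match walk of the OUTPUT chain for a NEW, non-loopback packet.
    Understands -d, -p, --dport, -o and --ctstate; falls back to the DROP policy."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if not rule.startswith("-A OUTPUT"):
            continue
        t = rule.split()
        arg = lambda flag: t[t.index(flag) + 1]
        if "-o" in t and arg("-o") == "lo":
            continue
        if "--ctstate" in t and "NEW" not in arg("--ctstate"):
            continue
        if "-d" in t and ip not in ipaddress.ip_network(arg("-d")):
            continue
        if "-p" in t and arg("-p") != proto:
            continue
        if "--dport" in t and int(arg("--dport")) != dport:
            continue
        return arg("-j")
    return "DROP"
```

Feed the output of `build_rules()` to `iptables-restore` only after reviewing it; the matcher exists to check ordering before anything touches the live ruleset.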