Slashdot Mirror


Ask Slashdot: User-Friendly Firewall For a Brand-New Linux User?

An anonymous reader writes "I am a new Linux user; I'm on 2nd day now. Currently I am trying out Ubuntu, but that could change. I am looking for a user friendly firewall that I can set up that lets me do these things: 1) set up a default deny rule 2) carve out exceptions for these programs: browser, email client, chat client, yum and/or apt. 3) carve out exceptions to the exceptions in requirement 2 — i.e. I want to be able to then block off IPs and IP ranges known to be used by malware, marketers, etc., and all protocols which aren't needed for requirement 2. It also needs to have good enough documentation that a beginner like me can figure it out. Previously, I had done all of the above in AVG Firewall on Windows, and it was very easy to do. So far, I have tried these things: 1) IPTABLES — it looked really easy to screw it up and then not notice that it's screwed up and/or not be able to fix it even if I did notice, so I tried other things at that point... 2) searched the internet and found various free firewalls such as Firestarter, GUFW, etc., which I wasn't able to make meet my requirements. Can someone either point me to a firewall that meets my needs or else give me some hints on how to make firestarter or GUFW do what I need?"

26 of 187 comments

  1. Shorewall by ttucker · · Score: 4, Informative

    Shorewall is a pretty good iptables configuration tool.

    1. Re:Shorewall by Durrik · · Score: 4, Insightful

      Shorewall is very nice. For the user I would suggest using it and installing webmin to configure it. Webmin does an OK job configuring shorewall which is already pretty easy to set up, just it can be fairly confusing for the first timer with all the config files. After the first few times with webmin you learn how to do it with the command line and vim.

      Bastille-linux is also something that was fairly easy to use in the past. I used that before shorewall, but I haven't used bastille for years, must be at least a decade so I don't know what the current state of it is.

      --
      Software Engineer & Writer of Military Science Fiction and Fantasy Blog: petermwright.com Twitter: WrightPeterM
    2. Re:Shorewall by Anonymous Coward · · Score: 2, Funny

      Shorewall is very nice. For the user I would suggest using it and installing webmin to configure it. Webmin does an OK job configuring shorewall which is already pretty easy to set up, just it can be fairly confusing for the first timer with all the config files. After the first few times with webmin you learn how to do it with the command line and vim.

      So let me sort this out, in order to easily configure iptables, shorewall is a good solution, but to configure shorewall, I will want to use webmin. So what do I need to install to configure webmin?

      No wonder why the year of the linux desktop will never be.

    3. Re:Shorewall by dreamchaser · · Score: 5, Funny

      So what do I need to install to configure webmin?

      The IQ of a chimpanzee should suffice.

    4. Re:Shorewall by ttucker · · Score: 3, Informative

      So let me sort this out, in order to easily configure iptables, shorewall is a good solution, but to configure shorewall, I will want to use webmin. So what do I need to install to configure webmin?

      You might be surprised to find that using several layers of abstraction is relatively common in the computer world, and that your much vaunted probably does something very similar.

    5. Re:Shorewall by Antique+Geekmeister · · Score: 2

      Go back to the original spec. The poster wants a stable, sophisticated, flexible firewall. They also want it to be easy to configure. These are distinct, and to some extent contradictory requirements. And yes, for a new admin, the built-in "iptables" and most Linux firewall tools are confusing. Shorewall has a good reputation as robust and stable, and Webmin has an _excellent_ reputation as being a tool that makes system management much, much, easier.

      In fact, testing webmin with just "Linux Firewalls" configuration tool built into it might be enough.

    6. Re:Shorewall by klui · · Score: 3, Informative

      You a word there.

      I think you meant Windows does the same thing? Indeed, netsh is used to manage firewall rules on the command line level, and the Windows firewall snapin uses netsh. There are 3rd-party programs that replace the snapin or make it more intuitive like wfc from BiniSoft. I'm not sure if it replaces the regular snapin or runs on top of it.

    7. Re:Shorewall by Hanzie · · Score: 2

      Then he needs to install DD-WRT on a router in front of his PC.

      +1 insightful.

      Even though that's not what he asked for, that's the best suggestion so far. Yes, the parent poster obviously realizes that firewalls are still needed on the PC's. Castles need moats as well as walls.

      He's worried about security, and this will *HELP* do the job on all his PC's, and automatically provide some protection to every box that happens to connect to his network. It will also do its job no matter what gets plugged in, and even provide some protection if he happens to plug in some malware (at least it'll have a tough time phoning home).

      Thanks.

      --
      ********* sig: If you don't like the law, get filthy stinking rich, and buy a better one.
    8. Re:Shorewall by Antique+Geekmeister · · Score: 3, Informative

      _This_ is why many people hate asking IT for help. Rather than answer the questions as stated, the poster is being told to buy more hardware and learn to program it himself by fan boys of half a dozen different toolkits, many of them requiring new hardware, without a good guideline to compare them, and many of them that require quite a bit of learning to master. Many of the suggestions are completely unsuitable to many environments: carrying a spare router around to put in front of a laptop is impractical. And even with a commercial grade firewall router in _front_ of a local network, that provides no protection against internal attack by infected laptops or houseguests. And let's be honest, many households do leave their home wireless networks open to visitors.

      The built-in iptables in most Linux systems is not *bad*, and quite suitable for home use. I just took a look at the current release of webmin, and the interface to manage iptables is really quite good: just remember to not accidentally cut off the webmin interface while firewalling off other traffic.
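The lockout worry in the comment above (and in the original question: "easy to screw it up and then not notice") has a standard practitioner answer: never load a ruleset without a timer that puts the old one back. The script below is an added example, not code from the thread, from webmin or from Shorewall. It parse-checks a candidate file with `iptables-restore --test`, saves the live rules with `iptables-save`, loads the new ones, and arms a background timer that restores the saved rules after `ROLLBACK_SECS` unless `confirm_ruleset` is run first. The variable names `IPT_SAVE`, `IPT_RESTORE`, `STATE_DIR`, `ROLLBACK_SECS` and the function names are assumptions for illustration; real use needs root.

```shell
#!/bin/sh
# Added example, not code from the thread: load a new iptables ruleset without
# locking yourself out. The candidate file is parse-checked, the running rules
# are saved, the new rules are loaded, and a detached timer puts the saved
# rules back after ROLLBACK_SECS unless confirm_ruleset is run first (over the
# very connection you were afraid of cutting off).
# Assumptions: root for real use; IPT_SAVE/IPT_RESTORE/STATE_DIR are
# hypothetical knobs so the logic can be exercised without root.

IPT_SAVE="${IPT_SAVE:-iptables-save}"
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"
STATE_DIR="${STATE_DIR:-/run/fw-apply}"
ROLLBACK_SECS="${ROLLBACK_SECS:-60}"

# Parse-only check: iptables-restore --test builds the ruleset but does not commit it.
check_ruleset() {
    $IPT_RESTORE --test < "$1"
}

# Load "$1", keeping a copy of the old rules and arming the rollback timer.
apply_ruleset() {
    new="$1"
    mkdir -p "$STATE_DIR" || return 1
    if ! check_ruleset "$new"; then
        echo "refusing to load $new: it does not parse" >&2
        return 1
    fi
    $IPT_SAVE > "$STATE_DIR/backup.rules" || return 1
    rm -f "$STATE_DIR/rolled-back"
    $IPT_RESTORE < "$new" || return 1
    # Detached timer: if nobody confirms in time, the previous rules come back
    # and a marker records that it happened.
    (
        sleep "$ROLLBACK_SECS"
        $IPT_RESTORE < "$STATE_DIR/backup.rules"
        : > "$STATE_DIR/rolled-back"
    ) >/dev/null 2>&1 &
    echo "$!" > "$STATE_DIR/timer.pid"
    echo "new rules active; run confirm_ruleset within ${ROLLBACK_SECS}s or they roll back"
}

# Cancel the timer. If this command reaches the box, the new rules did not cut you off.
confirm_ruleset() {
    pidfile="$STATE_DIR/timer.pid"
    if [ ! -f "$pidfile" ]; then
        echo "no rollback timer armed" >&2
        return 1
    fi
    pid=$(cat "$pidfile")
    rm -f "$pidfile"
    if [ -f "$STATE_DIR/rolled-back" ]; then
        echo "too late: the timer already restored the previous rules" >&2
        return 1
    fi
    kill "$pid" 2>/dev/null || true
    echo "rules confirmed"
}

# Typical use:  apply_ruleset /etc/iptables/rules.v4
# then, from a fresh SSH session (or the webmin page) inside the timeout:  confirm_ruleset
```

Killing the timer leaves its orphaned `sleep` running until the timeout passes, which is harmless; the restore that mattered never runs. Pair this with `iptables-persistent` (or your distribution's equivalent) only after a confirmed apply, so a reboot never loads rules that were never proven reachable.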

  2. User friendliest: by Anonymous Coward · · Score: 5, Funny

    I would suggest installing WINE and then running Windows Firewall.

    1. Re:User friendliest: by Anonymous Coward · · Score: 5, Funny

      case $- in
        *i* ) # Interactive shell
          if [ -f ~/noob ]; then
            source ~/noob
          fi ;;
      esac
      if [ -z "$DISPLAY" ] && [ "$(tty)" = /dev/ttyx ]; then
        whoosh
      fi

  3. Why? Is it really necessary? by tqk · · Score: 3, Insightful

    I can understand trying to wall off Windows from what you can, but with non-Windows you just make sure you only enable services that you want. Use good passwords, lock it down so only what you want running can run, and don't listen to the script kiddies knocking on your door. Crank up the stereo.

    I assume your box hangs off a router of some sort? It's probably all you need for a firewall.

    --
    "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
  4. Poster asking about GUI frontend software by caseih · · Score: 3, Interesting

    Many of the posts so far direct the original poster to dedicated firewall appliances or distributions. If I read the summary correctly, the OP is simply looking for a good GUI to manipulate the firewall rules built into the kernel of all modern Linux distributions.

    I can't vouch for any of them, but GUI frontends include guardog, lokkit, firestarter, and probably others. They are all in various states of development and maintenance.

    Part of what the user wants to do (firewall per app) wasn't possible in the past with iptables (per-gid blocking was easy), but I believe it's now possible. A primitive daemon, called Leopard Flower, seems to offer this functionality: http://leopardflower.sourcefor...

    From what I can see, the most promising, integrated, easy-to-use firewalling GUI software going forward is Fedora's firewalld and its accompanying GUI. I know firewalld is available on Ubuntu (and its command-line interface). I'm not sure about the GUI part. Perhaps someone familiar with Ubuntu can comment. Here's an article on installing it in Mint, so I assume it's similar in Ubuntu: http://www.linuxbsdos.com/2013...

    From what I can see, firewalld and firewall-config hit the sweet spot for most desktop users. I'd never use it on my router, but for a desktop, it works pretty well and is under active development. I imagine it will sport a per-application feature soon, if it doesn't already.

  5. Re:Why? Is it really necessary? by abhi_beckert · · Score: 5, Interesting

    You're making the assumption that all the bad stuff is outside the firewall and nothing evil ever gets in.

    An example of how I use my firewall, is I block my email program from making any network connection other than imap/smtp. If it tries to make any other network connection (eg: downloading images from a web server), the firewall blocks it.

  6. pfsense by michrech · · Score: 2

    I just jumped into playing with pfsense. It's based on FreeBSD, but it was very easy for me to get in and mess around with. :)

    --
    bork bork bork!
  7. Re:Wrong paradigm here by Lesrahpem · · Score: 3, Insightful

    The parent poster is correct. Windows and Linux are totally different animals in regards to firewalls. There is only one firewall for Linux and it is built into the system. IPTables is how the firewall is configured. All other tools are just front-ends or wrappers for IPTables.

    IPTables doesn't have support for application-based firewalling. You can do that kind of thing using something like the Grsecurity patch for the kernel, but it is not for beginners.

    Grsecurity will let you create policies exactly like what you're talking about and then some. For example, it will allow you to create a policy limiting which files and folders a given program can access. To be specific, on my machine I have a policy that Firefox can only write data to its own folders and to my Downloads directory, and can't execute/run any files inside those folders. That way, if somebody hits me with a drive-by download or something it simply won't work.

  8. Re:Wrong paradigm here by emoreau · · Score: 2

    I have to add that some of this stuff is handled by SELinux. If you want a CGI script to be able to send an email on a Red Hat derivative, you have to explicitly add the rule to your SELinux configuration.

  9. pfSense by JRoth25 · · Score: 2

    You may want to have a look at: https://www.pfsense.org/ Very good option...

  10. Re:Wrong paradigm here by DanielOom · · Score: 5, Funny

    Nothing wrong here: the Windows firewall is designed for keeping malware inside the PC and out of the Internet, the other firewalls are designed for keeping malware on the Internet out of the computer.

  11. Re:Wrong paradigm here by stevey · · Score: 2

    Actually iptables does have support for matching based on the process. You might have run commands that include "-m recent", or similar. The "-m" is used to specify a module-name, and there are many matching modules available and included by default.

    For example on a CentOS system you might allow your webserver to make outgoing SMTP connections via something fun like this: "iptables -A OUTPUT -m owner --cmd-owner httpd --dest-port 25 -j ACCEPT". (Why CentOS? Because it matches the command against HTTPD. On Debian systems the webserver process is more typically called 'apache2'.)

    Hope that helps.

  12. Re:Wrong paradigm here by Lesrahpem · · Score: 2

    For example on a CentOS system you might allow your webserver to make outgoing SMTP connections via something fun like this: "iptables -A OUTPUT -m owner --cmd-owner httpd --dest-port 25 -j ACCEPT". (Why CentOS? Because it matches the command against HTTPD. On Debian systems the webserver process is more typically called 'apache2'.)

    The cmd-owner match was removed in kernel 2.6.14 because it was broken with SMP.

  13. firehol by demerson3 · · Score: 3, Interesting

    I'm a little surprised nobody has mentioned firehol - http://firehol.org/. I've been using it for my simple needs, and it is fabulous. Easy to learn, simple language, great results, and CLI-friendly. (Prior to discovering it, I used guarddog, which I found to be good but which isn't anywhere near as good as firehol.) From the firehol page: FireHOL is an iptables firewall generator producing stateful iptables packet filtering firewalls, on Linux hosts and routers with any number of network interfaces, any number of routes, any number of services served, any number of complexity between variations of the services (including positive and negative expressions).

  14. Re:Experts Recommend by Anonymous Coward · · Score: 2, Funny

    This expert trusts Windows 8 for my family's security. All the UAC prompts frustrate the would-be penetrators so they move on to other targets. And since there's no way to find the shutdown button, it provides my loved ones with rock solid, around-the-clock protection from evildoers.

    Microsoft. Because your family's well-being shouldn't be entrusted to dirty hippies.

  15. Re:Ask Slashdot? by evenmoreconfused · · Score: 2

    You want someone two days into a simple desktop linux system to get a consumer appliance?

    Surely there should be some simple point-and-click app he can install from the desktop that will prevent basic misbehaviours. The very act of asking here shows that he does indeed have pride enough to want not to be a menace.

    --
    No. Well...maybe. Actually, yes. It really just depends.
  16. Re:what he actually wants to configure is applicat by causality · · Score: 3, Informative

    he wants a global way of configuring which applications have the capability to connect to what servers or open what ports. This is a different meaning of 'firewall' than is used in the Unix world.

    AFAIK there's already some capability enforcement prohibiting some programs from accessing the Internet in modern Linux distributions, but I don't really know how it's configured either.

    I simply use an alternate user to arrange this. In my case, it's the Windows games I run via Wine. I don't trust them and I have no need for single-player games to connect to remote servers.

    So I create a user named "winegames". I run all Windows games as this user. Then I add a simple iptables rule:

    iptables -A OUTPUT --match owner --uid-owner winegames -j REJECT

    Now nothing run as "winegames" can connect anywhere. A few games will briefly complain that they can't connect to the server so that people who don't care can see my in-game achievements but that's alright. Also, I use REJECT instead of DROP so that the programs get an instant error when they try to connect. If you use DROP they will waste a lot of time waiting for a response that will never come.

    Incidentally, if your distro does not provide this, you will need to add a line to your PAM config to allow alternate users to open windows on your X display. For my distro (Gentoo) the file is /etc/pam.d/su. I simply add this to the file on its own line: "session optional pam_xauth.so". Now the alternate user "winegames" can open new windows on the X server started by my main user.

    --
    It is a miracle that curiosity survives formal education. - Einstein
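The comment above, abhi_beckert's "mail client may only talk imap/smtp" rule (comment 5), the owner-match exchange in comments 11 and 12 (`--cmd-owner` is gone, `--uid-owner` is what remains) and the original question's three requirements all point at the same construction, so here is one added example that is not from the thread or from any of the tools it mentions. It prints an `iptables-restore` ruleset for a single desktop: default deny in every chain, one accept per program keyed on the dedicated Unix user that program runs as, and a `BLOCKLIST` chain consulted before any accept so a blocked network wins even for an allowed program. The user names `browser`, `mail` and `chat`, the ports, and the TEST-NET blocklist entries are assumptions; `_apt` is the user apt's download methods run as on Debian and Ubuntu. Nothing in the script needs root; applying the output does.

```shell
#!/bin/sh
# Added example, not code from the thread: generate an iptables-restore ruleset
# implementing the poster's requirements on one host.
#   1) default deny in INPUT, FORWARD and OUTPUT
#   2) per-program exceptions, approximated with one Unix user per program and
#      the owner match (iptables has no per-binary match; --cmd-owner was removed)
#   3) exceptions to the exceptions: a BLOCKLIST chain evaluated before any accept
# Apply with:  sh fw.sh > /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
# The users named below must exist when the rules are loaded, because iptables
# resolves --uid-owner names at load time.

# One line per allowed program: "<unix user> <proto> <comma-separated dports>".
# browser/mail/chat are hypothetical users you create with useradd and run each
# program as (the su + pam_xauth trick from the thread); _apt is apt's download user.
APP_RULES='browser tcp 80,443
mail tcp 993,465,587
chat tcp 443,5222
_apt tcp 80,443'

# Networks no program may reach. RFC 5737 TEST-NET ranges as placeholders.
BLOCKLIST="${BLOCKLIST:-192.0.2.0/24 198.51.100.0/24}"

gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:BLOCKLIST - [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # Requirement 3: blocklist first, before established-flow and per-program accepts,
    # so adding a network here also cuts flows that were already open.
    printf '%s\n' "-A OUTPUT -j BLOCKLIST"
    for net in $BLOCKLIST; do
        printf '%s\n' "-A BLOCKLIST -d $net -j REJECT --reject-with icmp-admin-prohibited"
    done
    # Replies and continuations of connections that were already allowed.
    printf '%s\n' "-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Requirement 2: one accept per program, on NEW connections only, matched on
    # the user it runs as. A program cannot piggyback on another's flow.
    printf '%s\n' "$APP_RULES" | while read -r user proto ports; do
        [ -n "$user" ] || continue
        printf '%s\n' "-A OUTPUT -m owner --uid-owner $user -p $proto -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT"
    done
    # DNS is needed by every allowed program. With systemd-resolved the programs
    # talk to 127.0.0.53 over lo (already allowed) and the daemon uses this rule.
    printf '%s\n' "-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
    printf '%s\n' "-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
    # Requirement 1: everything else is logged (rate limited) and rejected.
    # REJECT rather than DROP so a blocked program errors at once instead of hanging.
    printf '%s\n' "-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix \"OUTPUT-REJECT: \""
    printf '%s\n' "-A OUTPUT -j REJECT --reject-with icmp-admin-prohibited"
    printf '%s\n' "COMMIT"
}

# Invariant check on the generated text: the BLOCKLIST jump must precede the
# first owner-based accept, or requirement 3 silently stops working.
# Prints "ok" and returns 0 when it holds.
lint_ruleset() {
    rules=$(gen_ruleset)
    block_line=$(printf '%s\n' "$rules" | grep -n -- '-A OUTPUT -j BLOCKLIST' | cut -d: -f1)
    first_accept=$(printf '%s\n' "$rules" | grep -n -m1 -- '--uid-owner' | cut -d: -f1)
    if [ -n "$block_line" ] && [ -n "$first_accept" ] && [ "$block_line" -lt "$first_accept" ]; then
        echo ok
        return 0
    fi
    echo "blocklist is not evaluated before the per-program accepts" >&2
    return 1
}

lint_ruleset >/dev/null && gen_ruleset
```

Two caveats a practitioner should keep in mind. The owner match only sees locally generated packets, so it does nothing for INPUT or FORWARD; inbound stays closed by the chain policy. And the per-user approximation is only as good as the separation: a browser running as `browser` can still reach any host on 80/443 that is not on the blocklist, which is exactly the "exception to the exception" the original poster asked for, and no more.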
  17. pfSense by ltrand · · Score: 2

    I know you're new to the linux world, but while you're at it, dive into the BSD realm.

    You can do Firewalling with packet filter instead of iptables (better session tracking). BSD is generally better as a network appliance than linux for a number of reasons, and for firewalling especially. Better session tracking, better dynamic protocol handling, better error and flow control, and generally more robust. Iptables is powerful, but it has its downsides that can be felt these days with higher network speeds, IPv6, and dynamic network protocols which is why the linux kernel is moving away from it to NFTables. But NFTables is not yet complete, hence we circle back to BSD with its pf package.

    pfSense offers exactly what you're looking for and probably more. It provides a gui and cli to manage the device and a robust user/support community. Beyond firewalling you can do proxy, captive portal, VPN, DNS, DHCP, NAT, IPS/IDS, and a whole lot more. It has a webGUI and sets up in all of about 10 minutes.

    It packs all of the features you would see on "enterprise class" firewalls, just open source.
    https://www.pfsense.org/