• Diff for "Firewalls"

Translation(s): Deutsch - Italiano

A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

Note that some of the information in this page can be out of date.

More information

• Firewalls-dnat-redirect is one sticky point where hosts are in the same subnet as the DNATed service they are trying to use, and need special attention to make connections work.

• Firewalls-local-port-redirection tells you how to redirect traffic from one port to another within single machine.

• I also found this to be invaluable, along the lines of ECN: http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.cookbook.ultimate-tc.html

• Another very good reading on iptables, including both - new or advanced iptables users can be found here: http://www.frozentux.net/documents/iptables-tutorial/

• On this wiki there's the iptables page.

• iptables-persistent

Choosing an IPtables frontend

Introduction

There are lots of iptables frontends. So you have lots of choice. This section is devoted to help you making a choice among this truckload of options by comparing the tools. NB: you should install just one of these packages. Installing more than one will not make your system more secure; it will likely make your system unmanageable.

BTW: There's also a securityfocus article (from April 2001) comparing some of these tools. Some of these are described in the Securing Debian Manual.

Overview

Here's an overview of the different tools (selection inspired upon what's available in Debian unstable as of 2014-07):

ferm uses a text-based configuration with keywords closely resembling iptables rules. Variables and combined rules simplify rule definitions and enhance readability.

The fiaif configuration file is very similar to raw iptables rules.

Filtergen has support for non-iptables packet filters too. The configuration file is application-specific.

firestarter is an application oriented towards end-users that includes a wizard useful to quickly setup firewall rules. The application includes a GUI to be able to monitor when a firewall rule blocks traffic.

fwbuilder is an object oriented GUI which includes policy compilers for various firewall platforms including Linux' netfilter, BSD's pf (used in OpenBSD, NetBSD, FreeBSD and MacOS X) as well as router's access-lists. It is similar to enterprise firewall management software. Complete fwbuilder's functionality is also available from the command line.

mason is an application which can propose firewall rules based on the network traffic your system sees.

The netscript-2.4 Debian package description says: "DON'T use this on a server - it is designed for dedicated routers and firewalls with hardly any configured services."

shorewall is a firewall configuration tool which provides support for IPsec as well as limited support for traffic shaping as well as the definition of the firewall rules. Configuration is done through a simple set of files that are used to generate the iptables rules.

ufw: Canonical's ufw is from Ubuntu. (New for squeeze)

vuurmuur: Victor Julien's vuurmuur is not (yet?) included in Debian, but Debian packages are available in an apt-able archive.

Debian specific information

Some Debian-specific data about these packages:

The number in the popularity is the number of installations. The higher the number the more installations it has. "-" and "X" denote packages not in Debian; "X" marks former packages that have been removed as of stretch.

As of 2005-11-02, for all packages (ferm, fiaif, filtergen, firehol, firestarter, fwbuilder, guidedog, hlfl, ipkungfu, ipmenu, mason, netscript-2.4, shorewall, uif) the BTS looks quite OK: no serious bugs, the packages look well-maintained.

Notes on size of package: if there are lots of sources, the package might be too bloated for your taste. However, if the size of the sources is small, there are likely less nice features. OTOH, small packages are more easy to check for errors, and might offer a nice "mean 'n' lean" feeling.

Yet other ones

There's also webmin-firewall. webmin-firewall is a webmin plugin, shipped in firewall.wbm.gz: "Configure a Linux firewall using iptables".

ipmenu, a small perl script with curses interface, wasn't shipped with the Debian etch release.

Conclusion

Now for the conclusion: we'll give a possible way to decide, using the data gathered above.

If you want a gui tool choosing firestarter or fwbuilder is probably wise: these are all popular tools. fwbuilder (for KDE) is by far the most popular. However, it is said it's definately not a tool for newbies. Guarddog (KDE) and firestarter (GNOME) are both equally popular. The codesize for all three is about the same.

Now suppose you don't want a gui tool, for instance since you're working on servers and don't have X libraries installed. You also might like a plain-text editable configuration file, since you manage your configuration files with a version control system. You also want a tool which is actively maintained: since 2004-09 there should have been at least one release.

Let's take a closer look at 6 of the qualifying non-gui tools:

The arno-iptables-firewall Debian package comes with a debconf frontend: it is possible to configure this tool interactively.

To use ferm, one has to write a configuration file using keywords that are used by iptables. Ferm basically adds nesting syntax and variables to iptables rules. It seems it has the best support for IPv6 among these packages. This tool offers a quick and maintainable approach to writing firewall rules if you are used to iptables commands.

"FireHOL is a language to express firewalling rules, not just a script that produces some kind of a firewall." FireHOL configuration files are shell scripts (but actually don't really look like that; it seems they're about as simple as one can get). FireHOL comes with firehol-wizard(8), which creates a configuration file you'll have to edit manually afterwards. Support for IPv6 was added recently (it was previously available in FireHOL fork called Sanewall). This is a pretty popular tool.

"Shorewall is not the easiest to use of the available iptables configuration tools but I believe that it is the most flexible and powerful." It "can handle complex and fast changing network environments." It needs multiple configuration files, even for simple setups. Seems only suitable for powerusers. (Likely there are a lot of these among Debian users: shorewall is very popular!)

For uruk, there is an example uruk configuration file. Uruk is extremely small: this is nice if you want to adapt the tool to your own needs, or want to be very sure it does what you want: it doesn't take long to check all the code manually. Of course, the small size comes with less functionality. However, if you have very specific needs, you can easily hook your own crafted iptables rules in the uruk framework. This is documented in the uruk manpages. However, beware: the major part of this section of this wiki-page was written by the uruk-author. If you feel this page could be more objective, please edit it!

Making the final decision between the 5 short-list ones is left as an exercise to the reader: it depends on your specific situation and needs. You could install them one after the other, and try them for yourself.

Thanks

Thanks to Michael Hanke for making the first start of the IPtables frontends comparison. Thanks to Victor Julien for contributing some notes on the Vuurmuur package. Provided in part by the debian-firewall list.

CategorySystemAdministration | CategorySystemSecurity | CategoryRedundant: merge with DebianFirewall