A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

More information

Choosing an IPtables frontend

introduction

There are lots of iptables frontends, so you have lots of choice. This section is meant to help you choose among this truckload of options by comparing the tools. NB: install just one of these packages. Installing more than one will not make your system more secure; it will likely make your system unmanageable, since each tool flushes and rewrites the same kernel rule set and none of them knows about the others.

BTW: There's also a [http://online.securityfocus.com/infocus/1410 securityfocus article] comparing some of these tools. Some of these are described in the [http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html#s-firewall-pack Securing Debian Manual].

overview

Here's an overview of the different tools (selection based on what is available in current Debian unstable). "edit" in the Interface column means the tool is driven by a configuration file you edit by hand:

|| Package and Upstream URL || Interface || Programming Language || Size of Source || Releases (as of 2005-10) ||
|| [http://rocky.eld.leidenuniv.nl/ arno-iptables-firewall] || edit (debconf) || sh || 60K || < 2003-08 - 2005-09 ||
|| [http://ferm.foo-projects.org/ ferm] ([http://max.kellermann.name/projects/ferm/ development version]) || edit || perl || 80K || < 2001-04 - 2005-06 ||
|| [http://www.fiaif.net/ fiaif] || edit || bash || 320K || < 2003-01 - 2004-02 ||
|| [http://hairy.beasts.org/filter/ filtergen] || edit || C || 150K || < 2002-10 - 2004-08 ||
|| [http://fireflier.sourceforge.net/ fireflier] || gui || C || 230K || 2002-02 - 2005-09 ||
|| [http://firehol.sourceforge.net/ firehol] || edit || bash || 210K || < 2003-05 - 2005-01 ||
|| [http://www.fs-security.com/ firestarter] || gui (gnome) || C || 1170K || < 2003-01 - 2005-01 ||
|| [http://www.fwbuilder.org/ fwbuilder] || gui (kde) || C++ || 1190K || < 2003-12 - 2005-09 ||
|| [http://www.simonzone.com/software/guarddog/ guarddog] || gui (kde) || C++ || 960K || 2000-06 - 2005-08 ||
|| [http://www.simonzone.com/software/guidedog/ guidedog] || gui (kde) || C++ || 590K || 2001-11 - 2003-11 ||
|| [http://www.hlfl.org/ hlfl] || edit || C || 100K || < 2000-07 - 2003-10 ||
|| [http://www.linuxkungfu.org/ ipkungfu] || edit || sh || 40K || 2002-09 - 2003-10 ||
|| [http://users.pandora.be/stes/ipmenu.html ipmenu] || curses || perl || 30K || < 2001-05 - 2001-05 ||
|| [http://kmyfirewall.sourceforge.net/ kmyfirewall] || gui (kde) || C++ || 1060K || 2002-08 - 2005-03 ||
|| [http://expansa.sns.it/knetfilter/ knetfilter] || gui (kde) || C++ || 960K || < 2001-01 - 2005-04 ||
|| lokkit / gnome-lokkit || shell, gui || C || 500K || around 2000 ||
|| [http://www.stearns.org/mason/ mason] || shell (autolearning) || bash || 500K || < 1999-03 - 2002-05 ||
|| netscript-2.4 || edit, iptables || sh || 70K || < 2000-11 - 2004-10 ||
|| [http://shorewall.sourceforge.net/ shorewall] || edit, webmin || sh || 130K || < 2001-12 - 2005-09 ||
|| [http://lug.fh-swf.de/uif/ uif] || edit (debconf) || perl || 34K || 2002-02 - 2005-04 ||
|| [http://mdcc.cx/uruk uruk] || edit || sh || 80K || 2003-03 - 2005-07 ||
|| [http://www.vuurmuur.org/ Vuurmuur] || curses || C || 1877K || 2004-07 - 2005-11 ||

The Debian ipmenu package is still maintained.

The fiaif configuration file is very similar to raw iptables rules.

Filtergen has support for non-iptables packet filters too. The configuration file is application-specific.

fireflier has a client-server setup. It is "a tool which does what all those personal windows firewalls do: At the beginning everything is denied. When someone wants to connect in or out, the tool asks the user, providing information about the corresponding packet, if it should accept or deny this packet. Besides you can create rules based on the packets."

firestarter is aimed at end users: it includes a wizard for quickly setting up firewall rules, and a GUI for watching which connections the firewall blocks.

fwbuilder is an object oriented GUI which includes policy compilers for various firewall platforms, including Linux netfilter, BSD's pf (used in OpenBSD, NetBSD, FreeBSD and MacOS X) as well as router access lists. It is similar to enterprise firewall management software. All of fwbuilder's functionality is also available from the command line.

guarddog is aimed at both novice and advanced users.

knetfilter is an alternative to (and competitor of) guarddog, though slightly more oriented towards advanced users.

"Lokkit is an attempt to provide firewalling for the average Linux end user. Instead of having to configure firewall rules the Lokkit program asks a small number of simple questions and writes a firewall rule set for you. [...] solely designed to handle typical dialup user and cable modem setups " Written by Alan Cox. There doesn't seem to be any canonical website for lokkit. Some Korean site offers the [http://www.yud.co.kr/share/usr_share/gnome/help/gnome-lokkit/C/ GNOME Lokkit User's Guide], however. It seems both a GNOME and a Newt (the windowing toolkit for text mode) interface are offered. The Debian package warns: "Please note that this package is no longer maintained upstream (it has been abandoned by Red Hat), so it may disappear from Debian before the etch release."

mason is an application which can propose firewall rules based on the network traffic your system sees.

The netscript-2.4 Debian package description says: "DON'T use this on a server - it is designed for dedicated routers and firewalls with hardly any configured services."

shorewall is a firewall configuration tool which, besides defining the firewall rules, supports IPsec and has limited support for traffic shaping. Configuration is done through a simple set of files that are used to generate the iptables rules.

vuurmuur: Victor Julien's [http://www.vuurmuur.org/ vuurmuur] is not (yet?) included in Debian, but [http://www.kriegisch.at/~adi/software/vuurmuur/ Debian packages] are available, as well as an [http://wiki.vuurmuur.org/tiki/tiki-index.php?page=Downloads apt-able archive].

debian specific information

Some Debian-specific data about these packages:

|| Package and Debian package URL || Debian package description || [http://popcon.debian.org/source/by_inst.gz Popularity (2005-10-02)] ||
|| [http://bugs.debian.org/325696 arno-iptables-firewall] || Single- and multi-homed firewall script with DSL/ADSL support || - ||
|| [http://packages.debian.org/unstable/net/ferm ferm] || maintain and setup complicated firewall rules || 4365 ||
|| [http://packages.debian.org/unstable/net/fiaif fiaif] || An easy to use, yet complex firewall || 7919 ||
|| [http://packages.debian.org/unstable/net/filtergen filtergen] || packet filter generator for various firewall systems || 7738 ||
|| [http://packages.debian.org/unstable/net/fireflier-server fireflier] || Interactive firewall rule creation tool || 6555 ||
|| [http://packages.debian.org/unstable/net/firehol firehol] || An easy to use but powerful iptables stateful firewall || 3801 ||
|| [http://packages.debian.org/unstable/net/firestarter firestarter] || gtk program for managing and observing your firewall || 3440 ||
|| [http://packages.debian.org/unstable/net/fwbuilder fwbuilder] || Firewall administration tool GUI || 1557 ||
|| [http://packages.debian.org/unstable/net/guarddog guarddog] || firewall configuration utility for KDE || 3882 ||
|| [http://packages.debian.org/unstable/net/guidedog guidedog] || NAT/masquerading/port-forwarding configuration tool for KDE || 4733 ||
|| [http://packages.debian.org/unstable/net/hlfl hlfl] || translator for firewalling rules || 8302 ||
|| [http://packages.debian.org/unstable/net/ipkungfu ipkungfu] || iptables-based Linux firewall || 9263 ||
|| [http://packages.debian.org/unstable/net/ipmenu ipmenu] || A curses iptables/iproute2 GUI || 3904 ||
|| [http://packages.debian.org/unstable/net/kmyfirewall kmyfirewall] || iptables based firewall configuration tool for KDE || 6617 ||
|| [http://packages.debian.org/unstable/net/knetfilter knetfilter] || GUI for configuring the 2.4 kernel IP Tables || 4928 ||
|| [http://packages.debian.org/unstable/net/lokkit lokkit] || basic interactive firewall configuration tool || 5227 ||
|| [http://packages.debian.org/unstable/net/mason mason] || Interactively creates a Linux packet filtering firewall || 7220 ||
|| [http://packages.debian.org/unstable/net/netscript-2.4 netscript-2.4] || Linux 2.4.x (and 2.6.x) router/firewall network configuration system || 8963 ||
|| [http://packages.debian.org/unstable/net/shorewall shorewall] || Shoreline Firewall (Shorewall) || 2034 ||
|| [http://packages.debian.org/unstable/net/uif uif] || Advanced iptables-firewall script || 8458 ||
|| [http://packages.debian.org/unstable/net/uruk uruk] || Wrapper for Linux iptables, for filtering rules management || 9391 ||
|| vuurmuur || IPTables frontend. || - ||

The number in the popularity is a ranking: 1 would be the most popular package in Debian; "-" in popularity means: not yet in Debian.

As of 2005-11-02, for all packages (ferm, fiaif, filtergen, fireflier, firehol, firestarter, fwbuilder, guarddog, guidedog, hlfl, ipkungfu, ipmenu, kmyfirewall, knetfilter, lokkit, mason, netscript-2.4, shorewall, uif) the [http://bugs.debian.org/ BTS] looks quite OK: no serious bugs, the packages look well-maintained.

Notes on the size of the source: if there is a lot of source, the package might be too bloated for your taste. If the source is small, there are likely fewer features. On the other hand, small packages are easier to check for errors, and might offer a nice "mean 'n' lean" feeling.
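However big or small the tool, what ends up in the kernel is one flat iptables rule set, and that is the thing worth reviewing. The following check is an added example, not part of any package listed on this page: it reads an `iptables-save` dump, which is what every one of these frontends ultimately produces, and flags the two classic mistakes a generated rule set can carry, an INPUT or FORWARD chain left with an ACCEPT default policy, and an INPUT rule that accepts a port from any source. The dump in `sample_dump` is constructed for the example.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump, whichever frontend generated it.
# Not code from any of the packages discussed on this page.

# Constructed sample input: a small filter table with two deliberate weaknesses
# (FORWARD defaults to ACCEPT; tcp/80 and udp/53 are open to the world).
sample_dump() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# Read an iptables-save dump on stdin and print one finding per line:
#   policy-accept <chain>         INPUT or FORWARD still has an ACCEPT default policy
#   open-to-world <proto>/<port>  INPUT accepts a port with no -s source restriction
# Findings are sorted so two audits can be compared with diff(1).
audit_ruleset() {
    awk '
        # chain policy lines look like ":FORWARD ACCEPT [0:0]"
        /^:(INPUT|FORWARD) ACCEPT/ { print "policy-accept " substr($1, 2) }
        # accept rules that name a destination port but no source
        /^-A INPUT / && / -j ACCEPT/ && / --dport / && !/ -s / {
            proto = "any"; port = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            print "open-to-world " proto "/" port
        }
    ' | sort
}

# Usage on a live system (needs root):  iptables-save | audit_ruleset
# Usage on the constructed sample:      sample_dump | audit_ruleset
```

Run it right after a frontend has loaded its rules and keep the output next to the configuration: a new "open-to-world" line showing up in the diff after an upgrade or a config edit is exactly the kind of change you want to notice before an attacker does. The check is deliberately conservative; a rule that accepts a port from `0.0.0.0/0` via `-s` would not be flagged, so extend the awk pattern if your tool emits explicit catch-all sources.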

yet other ones

There's also [http://www.webmin.com/ webmin-firewall], [http://packages.debian.org/unstable/net/ipmasq ipmasq] and [http://muse.linuxmafia.org/gshield/ gshield]. webmin-firewall is a webmin plugin, shipped in [http://www.webmin.com/standard.html firewall.wbm.gz]: "Configure a Linux firewall using iptables". ipmasq is shipped as a Debian package only. gshield is not (no longer?) shipped with Debian.

And then there's some really obsolete stuff: firewall-easy was shipped with Debian potato only. [http://indev.insu.com/Fwctl/ fwctl]'s last release was in 2000. Gfcc and easyfw were shipped with Debian woody only.

conclusion

Now for the conclusion: we'll give a possible way to decide, using the data gathered above.

If you want a gui tool, choosing firestarter, fwbuilder or guarddog is probably wise: these are all popular tools. fwbuilder (KDE) is by far the most popular; however, it is said to be definitely not a tool for newbies. guarddog (KDE) and firestarter (GNOME) are about equally popular. The code size of all three is about the same.

Now suppose you don't want a gui tool, for instance because you're working on servers and don't have the X libraries installed. You might also want a plain-text configuration file, since you manage your configuration files with a version control system. And you want a tool which is actively maintained: there should have been at least one release since 2004-09.

Let's take a closer look at 5 of the qualifying non-gui tools:

|| Package and Online Documentation || Configuration file format || Size of main script ||
|| [http://rocky.eld.leidenuniv.nl/page/iptables/help.htm arno-iptables-firewall] || shell || 135K ||
|| [http://ferm.foo-projects.org/ferm.html ferm] || app specific || 62K ||
|| [http://firehol.sourceforge.net/overview.html firehol] || shell || 24K + 131K = 155K ||
|| [http://shorewall.sourceforge.net/standalone.htm shorewall] || app specific || 203K ||
|| [http://mdcc.cx/pub/uruk/uruk-latest/man/uruk.html#getting%20started uruk] || shell || 9K ||

The arno-iptables-firewall Debian package comes with a debconf frontend: it is possible to configure this tool interactively.

To use ferm, one has to write a configuration file by hand, and to write it one has to know the iptables/ipchains commands: ferm basically adds nesting syntax to iptables rules. It seems to have no IPv6 support. This tool is very likely only useful in specific cases where you really want the ferm-specific configuration file format.

"FireHOL is a language to express firewalling rules, not just a script that produces some kind of a firewall." FireHOL configuration files are shell scripts (though they don't look like it; they are about as simple as one can get). FireHOL comes with firehol-wizard(8), which creates a configuration file you'll have to edit by hand afterwards. It seems to have no IPv6 support. This is a pretty popular tool.

"Shorewall is not the easiest to use of the available iptables configuration tools but I believe that it is the most flexible and powerful." It "can handle complex and fast changing network environments." It needs multiple configuration files, even for simple setups, and seems suitable only for power users. (Likely there are a lot of these among Debian users: shorewall is very popular!)

For uruk, there is an [http://mdcc.cx/pub/uruk/uruk-latest/doc/rc example uruk configuration file]. Uruk is extremely small: this is nice if you want to adapt the tool to your own needs, or want to be very sure it does what you want, since it doesn't take long to read all the code. Of course, the small size means less functionality. However, if you have very specific needs, you can easily hook your own iptables rules into the uruk framework; this is documented in the uruk manpages. Beware, though: most of this section of the wiki page was written by the uruk author. If you feel it could be more objective, please edit it!

Making the final decision among the 5 shortlisted tools is left as an exercise to the reader: it depends on your specific situation and needs. You could install them one after the other (purging each before installing the next, as noted in the introduction) and try them for yourself.
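To make the comparison concrete, it helps to see what every tool on the shortlist does underneath: turn a short, editable policy into the same flat iptables rule set, starting from a default-deny, stateful skeleton. The following is an added example, not the code or the configuration format of any package above; the one-line-per-rule policy format is invented for it. `gen_ruleset` writes `iptables-restore` syntax to stdout so the result can be reviewed and kept under version control like the tools' own config files. `apply_with_rollback` is a hypothetical helper that needs root and the real `iptables-save`/`iptables-restore`: it reverts to the previous rule set unless you confirm within a timeout, the usual guard against a typo locking you out of a remote server.

```shell
#!/bin/sh
# Added example: a minimal iptables "frontend" in POSIX sh. Not code or config
# syntax from any package on this page; the policy format is invented for it.
#
# Policy: one rule per line, "#" starts a comment:
#   allow <tcp|udp> <port> [from <cidr>]
# Everything not explicitly allowed on INPUT is logged (rate limited) and dropped.

# Read policy lines on stdin, write an iptables-restore rule set on stdout.
gen_ruleset() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        ':LOGDROP - [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m state --state INVALID -j DROP'
    while read -r verb proto port kw src; do
        case "$verb" in
            ''|'#'*) continue ;;                     # blank line or comment
            allow) ;;
            *) echo "gen_ruleset: unknown verb '$verb'" >&2; return 1 ;;
        esac
        case "$proto" in
            tcp|udp) ;;
            *) echo "gen_ruleset: bad protocol '$proto'" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "gen_ruleset: bad port '$port'" >&2; return 1 ;;
        esac
        if [ -n "$kw" ]; then
            if [ "$kw" != from ] || [ -z "$src" ]; then
                echo "gen_ruleset: expected 'from <cidr>', got '$kw $src'" >&2; return 1
            fi
            printf '%s\n' "-A INPUT -s $src -p $proto --dport $port -m state --state NEW -j ACCEPT"
        else
            printf '%s\n' "-A INPUT -p $proto --dport $port -m state --state NEW -j ACCEPT"
        fi
    done
    printf '%s\n' \
        '-A INPUT -j LOGDROP' \
        '-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "' \
        '-A LOGDROP -j DROP' \
        'COMMIT'
}

# Hypothetical helper (needs root and the iptables tools): load rule set file $1
# into the kernel, then revert to the previous rule set after $2 seconds
# (default 60) unless "$1.ok" has been created in the meantime.
apply_with_rollback() {
    new=$1; secs=${2:-60}
    saved=$(mktemp) || return 1
    iptables-save > "$saved" || return 1
    if ! iptables-restore < "$new"; then
        iptables-restore < "$saved"; return 1
    fi
    # Ignore SIGHUP so the timer survives the SSH session being cut off.
    ( trap '' HUP; sleep "$secs"; [ -e "$new.ok" ] || iptables-restore < "$saved" ) &
    echo "applied $new; run 'touch $new.ok' within $secs seconds to keep it"
}

# Usage:  gen_ruleset < policy.txt > rules.v4 && apply_with_rollback rules.v4 60
```

The generator refuses anything it does not understand rather than silently emitting a partial rule set, which is the property you want from any of the frontends above: a half-applied policy is worse than none. The `-m state` match is what these 2005-era tools emit; on current kernels `-m conntrack --ctstate` is the preferred spelling, with the same semantics for this skeleton.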

thanks

Thanks to [http://apsy.gse.uni-magdeburg.de/main/index.php?page=hanke Michael Hanke] for making the first start of the IPtables frontends comparison. Thanks to Victor Julien for contributing some notes on the Vuurmuur package. Provided in part by the [http://lists.debian.org/debian-firewall/ debian-firewall list].