Linode Community Forums
 


Hunting: Brilliant Firewall builder for debian


 
       Linode.com Forum Forum Index -> Linux Networking
Author Message
Internat



Joined: 17 Aug 2004
Posts: 178
Location: Brisbane, Australia

Posted: Sat Jan 22, 2005 4:37 am    Post subject: Hunting: Brilliant Firewall builder for debian  

So I'm interested to know if anyone has found a firewall builder that they think is brilliant and works great etc., other than of course building the rules with iptables commands themselves.

I'm looking for an application, preferably console based, but if I have to use a GUI I will, only as long as I can export it to another computer.

Anyone have any ideas?

Cheers
Nathan
pclissold



Joined: 24 Oct 2003
Posts: 481
Location: Netherlands

Posted: Sat Jan 22, 2005 4:54 am    Post subject:  

I recommend that you try FireHOL - easy to use, covers almost every need 'as-installed', can be extended to deal with non-standard protocols, and has good documentation. It's console based, too.
sarge



Joined: 19 Dec 2004
Posts: 58

Posted: Sat Jan 22, 2005 9:37 am    Post subject:  

I tried running and tweaking both shorewall and firehol for about 3-4 days each and on different machines.

FireHOL is indeed good. But my final choice went to shorewall.

IMHO, none of the other tools came close to these two excellent choices.

I recommend you try both shorewall and firehol for a couple days before choosing. I wouldn't bother with other firewall tools unless you have a lot of free time to spare.

If you choose shorewall, just edit these 3 simple files: rules, policy and interfaces. By breaking up config into multiple files, shorewall makes the syntax easier yet more flexible than single-file configs.

For example, an entry in the 'rules' file to allow http and https connections from external network to the firewall looks like this:

AllowWeb net fw

Or it can look like this if you prefer seeing actual port numbers in your 'rules' config file:

ACCEPT net fw tcp 80,443

By defining 'net' in a separate config file (called 'interfaces'), shorewall simplifies the rules file syntax. This is the philosophy of shorewall which made it a no-brainer to configure and maintain (even on my home gateway/firewall with multiple network cards).

You can also specify a specific ip address like this so that only ip address 123.123.123.123 can connect via ssh into the fw machine:

AllowSSH net:123.123.123.123 fw

Or like this which means the same thing:

ACCEPT net:123.123.123.123 fw tcp 22

Again, try both shorewall and firehol. These are the top 2 choices by a huge margin and you can't go wrong with either in generating/managing iptables rules.
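
Added example (not part of sarge's post and not Shorewall's own code): a small Python check that reads 'rules' lines in the column layout quoted above and reports any rule that leaves a port such as SSH open to the whole 'net' zone instead of a single address. The sample rules text is constructed, and the parser is a simplification that does not resolve port ranges or service names.

```python
# Added example: reads 'rules' lines laid out as ACTION SOURCE DEST [PROTO [PORT]].
from typing import NamedTuple, Optional

# Action names from the post, mapped to the ports the post says they cover.
ACTIONS = {"AllowWeb": ("tcp", {"80", "443"}), "AllowSSH": ("tcp", {"22"})}

class Rule(NamedTuple):
    action: str
    zone: str              # source zone, e.g. 'net'
    host: Optional[str]    # address after 'zone:'; None means the whole zone
    dest: str
    proto: str
    ports: frozenset       # empty set means no port restriction

def parse_rule(line: str) -> Optional[Rule]:
    line = line.split("#", 1)[0].strip()    # drop comments and blank lines
    if not line:
        return None
    cols = line.split()
    if len(cols) < 3:
        raise ValueError(f"too few columns: {line!r}")
    action, source, dest = cols[:3]
    zone, _, host = source.partition(":")
    if action in ACTIONS:
        proto, ports = ACTIONS[action]
        action = "ACCEPT"
    else:
        proto = cols[3] if len(cols) > 3 else "all"
        ports = set(cols[4].split(",")) if len(cols) > 4 else set()
    return Rule(action, zone, host or None, dest, proto, frozenset(ports))

def open_to_whole_zone(text: str, port: int, zone: str = "net", dest: str = "fw"):
    """Return ACCEPT rules that expose `port` on `dest` to every host in `zone`."""
    rules = filter(None, map(parse_rule, text.splitlines()))
    return [r for r in rules
            if r.action == "ACCEPT" and r.zone == zone and r.dest == dest
            and r.host is None and r.proto in ("tcp", "all")
            and (not r.ports or str(port) in r.ports)]

# Constructed sample: two lines from the post plus one unrestricted SSH rule.
SAMPLE = """\
AllowWeb net fw
ACCEPT net:123.123.123.123 fw tcp 22
AllowSSH net fw        # constructed: SSH from any address
"""

if __name__ == "__main__":
    for r in open_to_whole_zone(SAMPLE, 22):
        print("port 22 open to all of zone", r.zone, "->", r)
```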
projectandrew



Joined: 16 Sep 2004
Posts: 5

Posted: Sat Jan 22, 2005 3:19 pm    Post subject:  

I also now use shorewall on all my boxes, and have done for some time, since it's very easy to configure and manage - I wrote a HOW-TO here:

HOW-TO: Shoreline Firewall (Shorewall) 2.0.15
http://www.unofficial-support.com/article/how-to/shorewall
gmt



Joined: 20 Jul 2003
Posts: 96
Location: Tropical Queensland, Australia

Posted: Mon Jan 24, 2005 12:13 am    Post subject:  

I vote for FireHOL. Logical & simple.

I couldn't figure out shorewall (at least the doco I saw).
asura



Joined: 03 Jan 2004
Posts: 71
Location: Oregon

Posted: Tue Jan 25, 2005 1:07 am    Post subject:  

I've used Firestarter for a while... nice, simple, and has good customization and logging capabilities.
unixfool



Joined: 08 Apr 2004
Posts: 63
Location: VA

Posted: Tue May 10, 2005 7:01 pm    Post subject:  

I recommend fwbuilder...very similar to the Checkpoint interface.