Enterprise Networking Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners.

I believe that any network or system administrator who wishes to maintain an iptables firewall should learn iptables well, and be able to easily whip up a basic firewall from scratch. But learning how to do this is the tricky part, so this is where firewall builder programs earn their beans. With a firewall building utility you can get a functioning firewall up and running, and have scripts and rulesets to study. There are gazillions of the things, so today we'll look at three that I think are pretty good: Lokkit, KMyFirewall, and Firewall Builder.

Netfilter/iptables is the basis for the vast majority of Linux-based firewalls. It filters on any of the fields in IP, TCP, and UDP packets, which gives the ace admin great flexibility and packet-filtering powers. The netfilter/iptables package is an amazing construct, and very effective. However, there is a rather steep learning curve, and the various Linux distributions do not make it any easier. Red Hat and its derivatives, and Debian and its spawn, make iptables way too complicated with large tangled scripts. Debian 3.1 does away with init scripts entirely, and now wants users to control iptables with ifupdown, so that iptables comes up and down with the networking interfaces. While I'm always game for good new ways of doing things, this one has me puzzled. I prefer to keep networking and iptables separate for easier debugging, and having iptables come up at boot means I don't have to worry about introducing an additional potential point of failure. It remains in whatever state I want it, up or down, regardless of whatever networking craziness might be happening. You can still use traditional init scripts with Debian, or try out the newfangled method; see /usr/share/doc/iptables/examples/oldinitdscript.gz and /usr/share/doc/iptables/ for more information.

Lokkit is a decent choice for a personal firewall. Lokkit is not for the ace admin with a large complex network to protect. Lokkit uses an ncurses interface, so you don't need X windows. Users who want a nice X windows interface can use Gnome-Lokkit. Using it is dead easy: just start it up and answer a few questions. Lokkit uses only the Filter table, and creates a custom chain named "RH-Lokkit." When you try writing your own rules, this makes it easy to separate what you did from Lokkit's rules. It's good practice, and if you irreversibly gum things up, just delete the iptables source script and reboot.

Debian users will find that the installer creates and activates a basic firewall, which may or may not suit your needs, so you should re-run Lokkit to make sure it has the correct settings. Red Hat and Fedora users can try the system-config-securitylevel command, which looks like Lokkit with a SELinux configuration menu.

There are two ways to view iptables rules: read the source script, which for Lokkit is /etc/default/lokkit on Debian, and /etc/sysconfig/iptables on Red Hat, or use the iptables command. The Filter table is the default, so you must specify the NAT and Mangle tables to see them.

KMyFirewall is a recent addition to the world of firewall builders. It's still a bit rough around the edges, but it has a lot of good things going for it. It writes nice clean scripts, and it tries to be educational. It requires KDE to run, but the scripts it generates can be used in any environment. It sets up complex firewalls easily, and you have the choice of using the wizard, the menu interface, or editing the scripts directly. It's especially good at creating a strong, sensible workstation firewall with a few mouse clicks. This has some nice touches, like allowing ICMP echo_requests with a rate limit of five per minute. Blocking ICMP requests entirely is a popular thing these days, but it's a bad thing to do, as a lot of network services depend on it.

Another nice feature is that the wizard configures egress filtering: be a good Netizen and don't let bad packets leak out of your network. If you have any Windows hosts, be especially diligent with your egress filtering. KMyFirewall is careful: you may preview your firewall script before activating it, and then you can test it before installing it. It lists all the files it creates, and gives you the commands you need to flush all rules and chains. Its major drawback is that it's difficult to set up a proper multi-homed NAT firewall with the wizard, which makes it difficult to build a firewall/gateway that shares an Internet connection. You can use it to create all the custom rules you want, but if you know how to do that, you probably don't need a firewall builder.

Firewall Builder

Firewall Builder is a good choice for more complex needs, such as a multi-homed NAT firewall, or a network with multiple firewalls.
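The iptables techniques mentioned above, pulled together as an added example that is not code from the article or from Lokkit, KMyFirewall or Firewall Builder: a hand-written script of the kind these builders generate, with a ping rule rate-limited to five per minute, egress filtering, our own chains kept apart from generated ones in the RH-Lokkit spirit, and commands to view all three tables and to flush every rule and chain. The interface name eth0 and the set of allowed outbound ports are assumptions; setting IPT=echo prints the rules instead of loading them, which is the same preview-before-activate habit KMyFirewall encourages.

```shell
#!/bin/sh
# Added example, not code from the article or from Lokkit, KMyFirewall or Firewall Builder.
# IPT=echo previews the rules instead of loading them; run as root with IPT unset to
# apply them. WAN=eth0 is an assumed interface name.
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"

# filter is the default table; nat and mangle have to be named to be seen at all.
show_all_tables() {
    for t in filter nat mangle; do
        echo "### table: $t"
        "$IPT" -t "$t" -L -n -v --line-numbers
    done
}

# Flush every chain and delete user-defined chains in all three tables, so the
# script can be re-run from a clean slate.
flush_all() {
    for t in filter nat mangle; do
        "$IPT" -t "$t" -F
        "$IPT" -t "$t" -X
    done
}

# Workstation ruleset: deny by default, with our own rules in chains of our own
# (the RH-Lokkit idea) so they stay distinct from anything a builder generated.
workstation_rules() {
    flush_all
    for chain in INPUT FORWARD OUTPUT; do "$IPT" -P "$chain" DROP; done
    "$IPT" -N MY-IN;  "$IPT" -A INPUT  -j MY-IN
    "$IPT" -N MY-OUT; "$IPT" -A OUTPUT -j MY-OUT

    "$IPT" -A MY-IN -i lo -j ACCEPT
    "$IPT" -A MY-IN -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Answer pings, but at most five per minute, rather than dropping ICMP outright.
    "$IPT" -A MY-IN -p icmp --icmp-type echo-request -m limit --limit 5/minute --limit-burst 5 -j ACCEPT
    "$IPT" -A MY-IN -p icmp --icmp-type echo-request -j DROP

    # Egress filtering: only traffic we expressly allow leaves, and NetBIOS/SMB
    # chatter never leaves on the WAN interface at all; the rest is logged, then dropped by policy.
    "$IPT" -A MY-OUT -o lo -j ACCEPT
    "$IPT" -A MY-OUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A MY-OUT -o "$WAN" -p tcp -m multiport --dports 135:139,445 -j DROP
    "$IPT" -A MY-OUT -o "$WAN" -p udp -m multiport --dports 135:139,445 -j DROP
    "$IPT" -A MY-OUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    "$IPT" -A MY-OUT -p tcp -m multiport --dports 22,53,80,443 -m state --state NEW -j ACCEPT
    "$IPT" -A MY-OUT -m limit --limit 5/minute -j LOG --log-prefix "fw-egress-drop: "
}

case "${1:-}" in show) show_all_tables ;; apply) workstation_rules ;; esac
```

Run it as `IPT=echo sh fw.sh apply` to read the generated rules first, then as root with `sh fw.sh apply` to load them and `sh fw.sh show` to inspect all three tables.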