Distribution-Independent

From Grokdoc


ipchains/iptables is much too cryptic and hard to understand and learn. My friend did not trust the GUI app written by an unknown person because she does not know C++ and the source code could have been a virus/trojan/worm for all she knew. GNU/Linux needs to come up with an ipchains/iptables GUI package, read the source code, and, if it is safe, include it as standard in all distributions of Linux. This would make working with ipchains/iptables easier and would make my friend much more comfortable connecting to the internet with Linux - it's the only thing keeping her from switching at the moment.

ipchains is very outdated (from the 2.2.x kernel era). The current solutions are all based on netfilter (iptables) and work quite well. However, a major difference from the MS Windows firewalls is that most or all Linux-based firewalls are static, i.e. they do not get built in a reactive manner like e.g. ZoneAlarm. Neither solution is totally intuitive; a combination (the RIGHT combination) would be an improvement... --SimonOosthoek

Perhaps I have a different understanding of what a firewall is, but I think that configuring and managing a firewall is no task for a newbie. IMHO this is a dangerous thing. What should be done is to help and show the newbie how to secure his own machine by showing her/him different utilities like netstat or nmap. I think telling a newbie how to use iptables or snort or similar "products" is too complex a task without a deeper knowledge of networks and security. You only push the user into the same wrong feeling of security as Windows users with products like ZoneAlarm. The most important thing to tell a Linux newbie about security is that they should turn off any servers they don't need and never ever work as root on the machine.

Some words to the two posts above:

1. A nice GUI for iptables would be, for example, webmin; with the built-in Firewall module you can fairly easily edit your iptables rules, which then get saved with the standard iptables-save command, so that you can always control what the tool is doing.

2. An iptables firewall itself is static, that's true, but if you combine iptables with e.g. snort you can dynamically generate the rules depending on the actual traffic. AFAIK the built-in firewall of Windows XP is also a purely static packet filter. Products like ZoneAlarm work on a different layer and can only help you on the local machine, and most newbies get very frustrated by all the questions ("Allow program svchost.exe to access the internet?" ...) and, as they most of the time don't understand what this means, they either always click on "Yes" or end up with a system where they can't do anything, so they simply switch the whole "firewall" off. If you want a combination of these kinds of products you need a proxy for all these services (for example squid for http) combined with the correct iptables rules and an intrusion detection system. So the combination is possible, but a fairly complex thing. For a basic and relatively easy start into this matter you could try special distributions like ipcop --Gipsy 17:41, 14 Jun 2004 (EDT)

I have found that firestarter (firestarter.sourceforge.net) is a good package for building firewalls with iptables. It has a little wizard which sets up a pretty good baseline. Then you run a little GUI monitor (can be run as a normal user but asks for the root password before it can make changes to the rules). The program lets outbound traffic work by default (via stateful connections), so the newbie doesn't have to worry about "allow svchost.exe to access the network." Hence, it won't block trojans, but as mentioned above, that really doesn't help newbies anyway.

The newbie can use the monitor for a day or two to look at the hits. When he or she sees a whole lotta hits (51 hits to port 137, thank you Microsoft network spam), a right click allows hits to be allowed or blocked without logging.

The first post brings up the question of whether or not a newbie can trust the code if she/he can't read C++. I can't read it either, but I decided to try firestarter after it was reviewed in a magazine. The author keeps md5sums of the packages.

I also started using Firestarter after reading a magazine review (Linux Format) and found it by far the easiest firewall creator for Linux so far. It provides all the flexibility of ipchains, but is much easier to get to grips with. My first install of it kept logging things to stdout so my terminals would fill up with gibberish, but this was soon fixed. The Mandrake and Debian downloads of it are great. The only problem I've had is where I hadn't RTFMed, and assumed that putting in 255.255.255.248 as an allowed host would make my LAN trusted (needed to be xxx.xxx.xxx.xxx/xx instead).

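The netmask mix-up in the post above, worked through as an added example (not the poster's or Firestarter's own code): the Python standard library's ipaddress module turns a network address plus dotted netmask into the prefix form a trusted-LAN rule needs, rejects a mask with host bits set or a non-contiguous mask, and shows why entering the mask by itself matches only one address. The 192.168.1.x values are constructed sample data.

```python
import ipaddress


def lan_prefix(network_addr, netmask):
    """Combine a network address and a dotted netmask into prefix notation,
    e.g. ("192.168.1.0", "255.255.255.248") -> "192.168.1.0/29".
    strict=True makes ipaddress raise ValueError when host bits are set
    (a typo such as 192.168.1.1 with /29) or the mask is not contiguous,
    so a bad rule fails loudly instead of trusting the wrong range."""
    return str(ipaddress.IPv4Network(f"{network_addr}/{netmask}", strict=True))


def as_single_host(value):
    """What a firewall front end does with a bare address: it becomes a /32.
    Entering the netmask itself here trusts only the address 255.255.255.248,
    which is why the LAN in the post above stayed untrusted."""
    return str(ipaddress.IPv4Network(value))


def is_trusted(host, trusted_prefixes):
    """True if host lies inside any of the trusted prefixes."""
    addr = ipaddress.IPv4Address(host)
    return any(addr in ipaddress.IPv4Network(p) for p in trusted_prefixes)


def usable_hosts(prefix):
    """Usable host addresses a prefix covers (network and broadcast excluded),
    a quick sanity check that /29 means six machines, not a whole /24."""
    return ipaddress.IPv4Network(prefix).num_addresses - 2


if __name__ == "__main__":
    # Constructed sample LAN: 192.168.1.0 with mask 255.255.255.248
    lan = lan_prefix("192.168.1.0", "255.255.255.248")
    print(lan, "covers", usable_hosts(lan), "usable hosts")
    print("mask entered as a host becomes", as_single_host("255.255.255.248"))
    for h in ("192.168.1.5", "192.168.1.9"):
        print(h, "trusted" if is_trusted(h, [lan]) else "not trusted")
```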
If not guided by the hand, any firewall newbie (like myself) will do nothing about the firewall and just be vulnerable (if the firewall is too low) or unable to do things (if the firewall is too high). I usually configure hosts.allow and hosts.deny manually, because I don't know how to manage a firewall. I think the ideal way is to set up reasonable defaults (like only listening to ssh), or ask in a friendly way (I liked Mandrake's low-medium-high-paranoic menu).


Note about hosts.allow and hosts.deny: Not all services use these files to explicitly block traffic inbound to your machine. The only way to keep security is to set up your own firewall or buy a cheapo 'router' firewall. I think that most users should just buy an appliance firewall like linksys/dlink/etc. if they really want an easy-to-use firewall. - DC


I guess I forgot to read the instructions before submitting my original comment. The current shape of this page is not the intention of GrokDoc as I understand it now. OTOH, distribution independent is perhaps the location where general conclusions from the distribution specific sections can be combined?

Anyway, the problem for newbies and firewalls is that a firewall is actually a very low-level, TCP/IP-specific thing. Without going into the details of IP addressing, IANA and TCP/UDP port numbers, well-known ports, etc., there's no way a firewall can be explained. A firewall solution for newbies must assume the user knows nothing except some general terms: "Firewalled", "Open a port on the firewall", "NAT" (whatever that means), etc. Understanding is good, but I know for sure that my mother will not be able to grok TCP/IP enough to understand firewalling. --SimonOosthoek
