Comments on: Simple Software Firewall with a Twist

By: http://www.webiihost.com/

http://www.webiihost.com/ — Tue, 03 Sep 2013 18:18:37 +0000

Thanks for sharing such a pleasant idea, article is pleasant, thats why i have
read it completely

By: matador

matador — Wed, 30 Nov -0001 00:00:00 +0000

I used this once and found it fine, but openSuse’s built in works ok for me so I use it instead.

But what I think Linux is missing is a fw that controls outgoing traffic by application (like Zonealarm in windows).

By: drokmed

drokmed — Wed, 30 Nov -0001 00:00:00 +0000

Great job on the write up. Firestarter is definitely easy to use, and seems popular too. A good starter personal firewall.

It’s great for a personal firewall, but I wouldn’t recommend it for the corporate firewall. There are plenty of simple options available for a better stand-alone firewall, such as IPCop, SmoothWall Express, Pfsense, etc., that all have great web-based interfaces, and offer many more features.

By: lnxgnome

lnxgnome — Wed, 30 Nov -0001 00:00:00 +0000

If you like FireStarter but think it is oversimplified, then you'll love FireWall Builder for its flexibility.

FWB User's Guide (pdf)

By: dtigue

dtigue — Wed, 30 Nov -0001 00:00:00 +0000

I have installed FireStarter and it seems to be great, but I was wondering if it was worth having if my network is running through a LinkSys router. Doesn’t the router have a built in firewall?? Is it not a good enough firewall for a home network or do I need to install FireStarter on all my boxes on the network??

Great article and very informative. Thanks

By: mjnbrn

mjnbrn — Wed, 30 Nov -0001 00:00:00 +0000

What is wrong w/ good ol’ iptables?

By: stoggy

stoggy — Wed, 30 Nov -0001 00:00:00 +0000

/Quote
But what I think Linux is missing is a fw that controls outgoing traffic by application (like Zonealarm in windows).
/Quote

you can do this, by cmd name, by uid, by gid, by pid, and by sid. its in the man page. try "man iptables" then hit "/" and type "owner" and hit enter. I just reloaded and in the man file i got this at the end of the section, "NOTE: pid, sid and command matching are broken on SMP" So your mileage may vary.

/Quote
but I was wondering if it was worth having if my network is running through a LinkSys router. Doesnâ€™t the router have a built in firewall?
/Quote

Yes, you cant make a firewall at the router that can block all types of attacks. So you have to fine tune at the desktops. Now you could put something like snort at the router or behind it, goodluck getting that on your Linksys though. Which could reduce the need for desktop firewalls but with tools like firestarter and others the risk doesn't justify the gains.

By: xjlittle

xjlittle — Wed, 30 Nov -0001 00:00:00 +0000

Yeah but it’s pretty basic..I learned the hard way. If you don’t have a linux gateway where you can use iptables then I would use firestarter on your workstations. If you have a home base web server, ftp, or anything else that you want accessible from the internet this is even more true. just my .02

By: xjlittle

xjlittle — Wed, 30 Nov -0001 00:00:00 +0000

Most if not all applications use a port #. Do a little digging, get the correct port and allow it through your firewall from your LAN. That said most distributions that I have used allow any application originating from the LAN side out to the internet and the returning traffic back in.

By: jeffatrackaid

jeffatrackaid — Wed, 30 Nov -0001 00:00:00 +0000

On the desktop, I see egress filtering as the greatest challenge. Most networks (I hope) are using a gateway firewall, so the real threat from the desktop is that it will start accessing resources that it should not. This is where MS Windows firewalls excel. If an application connects to a resource, you have to approve it. I don’t know of a similar app for Linux?

By: samclark

samclark — Wed, 30 Nov -0001 00:00:00 +0000

Both you and Matador fail to notice or note that Firestarter has the ability to blacklist ALL outgoing services, allowing access only with approval via Firestarter's root access [password required].Like ZONEALARM and many other SPENDows firewall applications, you have the ability to work at the highest level of restriction by default.

What the article fails to note is that FIRESTARTER is simply a program to control built in firewall support [iptables] present within Linux, an evolution from the original offering that added iptables support when not present.

Most SPENDows users will be very comfortable using FIRESTARTER, as the wizard does all necessary work to turn on an operating system level firewall control.

You have to go beyond what you see in the article to fully appreciate the power of this free add-on desktop firewall.

By: rcbranco

rcbranco — Wed, 30 Nov -0001 00:00:00 +0000

I agree, there’s nothing better security wise. In the other hand when the network is complex it takes a lot of work maintaining someone else’s script. A graphical interface in those cases is always handy

By: ngpd

ngpd — Wed, 30 Nov -0001 00:00:00 +0000

Security is enhanced by defence in depth, so even if you have enabled the firewall on your router it is worthwhile running firewall software on your machine. Also, if there are any other machines on your internal network, a personal firewall will protect you against malware running on them – this is particularly necessary if you are using a wireless network, as you can never be sure who else is sharing your network!

By: bmw

bmw — Wed, 30 Nov -0001 00:00:00 +0000

Check out the Linux project for Peerguardian, MoBlock, at http://developer.berlios.de/projects/moblock/

By: opc0d3

opc0d3 — Wed, 30 Nov -0001 00:00:00 +0000

old iptables is for minimalist.