Hunting: Brilliant Firewall builder for Debian
I'm looking for an application, preferably console based, but if I have to use a GUI I will, only as long as I can export it to another computer.
Anyone have any ideas?
Cheers
Nathan
6 Replies
FireHOL is indeed good. But my final choice went to shorewall.
IMHO, none of the other tools came close to these two excellent choices.
I recommend you try both shorewall and firehol for a couple days before choosing. I wouldn't bother with other firewall tools unless you have a lot of free time to spare.
If you choose shorewall, just edit these 3 simple files: rules, policy and interfaces. By breaking up config into multiple files, shorewall makes the syntax easier yet more flexible than single-file configs.
For example, an entry in the 'rules' file to allow http and https connections from the external network to the firewall looks like this:
AllowWeb net fw
Or it can look like this if you prefer seeing actual port numbers in your 'rules' config file:
ACCEPT net fw tcp 80,443
By defining 'net' in a separate config file (called 'interfaces'), shorewall simplifies the rules file syntax. This is the philosophy of shorewall which made it a no-brainer to configure and maintain (even on my home gateway/firewall with multiple network cards).
You can also specify a specific IP address like this, so that only IP address 123.123.123.123 can connect via ssh into the fw machine:
AllowSSH net:123.123.123.123 fw
Or like this which means the same thing:
ACCEPT net:123.123.123.123 fw tcp 22
Again, try both shorewall and firehol. These are the top 2 choices by a huge margin and you can't go wrong with either in generating/managing iptables rules.
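An added example, not part of the reply above and not Shorewall's own code: a small linter for 'rules' entries in the format shown in that reply, flagging ACCEPT rules that open SSH to the whole 'net' zone instead of a single host (the net:123.123.123.123 form). The sample rules are constructed, and MGMT_PORTS, the macro table and the function names are assumptions made for the illustration; only comma-separated port lists are handled.

```python
# Added example: lint Shorewall-style 'rules' entries for unrestricted SSH.
# Macro table covers only the two actions used in the thread.
MACROS = {"AllowWeb": ("tcp", "80,443"), "AllowSSH": ("tcp", "22")}
MGMT_PORTS = {"22"}  # assumption: ports that should be limited to known hosts

SAMPLE_RULES = """\
# constructed sample, not taken from a real firewall
AllowWeb   net                   fw
AllowSSH   net:123.123.123.123   fw
ACCEPT     net                   fw   tcp   22
ACCEPT     net                   fw   tcp   80
"""

def parse_rules(text):
    """Turn each non-comment line into a dict of its columns."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        cols = raw.split("#", 1)[0].split()
        if not cols:
            continue
        if len(cols) < 3:
            raise ValueError(f"line {lineno}: need ACTION SOURCE DEST")
        action, source, dest = cols[:3]
        if action in MACROS:
            # Expand the named action into an explicit ACCEPT rule.
            proto, ports = MACROS[action]
            action = "ACCEPT"
        else:
            proto = cols[3] if len(cols) > 3 else "all"
            ports = cols[4] if len(cols) > 4 else ""
        # SOURCE is either 'zone' or 'zone:host'.
        zone, _, hosts = source.partition(":")
        rules.append({"lineno": lineno, "action": action, "zone": zone,
                      "hosts": hosts, "dest": dest, "proto": proto,
                      "ports": ports})
    return rules

def find_open_mgmt(rules, untrusted="net"):
    """Return ACCEPT rules exposing a management port to every host in the zone."""
    return [r for r in rules
            if r["action"] == "ACCEPT" and r["zone"] == untrusted
            and not r["hosts"] and MGMT_PORTS & set(r["ports"].split(","))]

if __name__ == "__main__":
    for r in find_open_mgmt(parse_rules(SAMPLE_RULES)):
        print(f"line {r['lineno']}: port {r['ports']} open to all of '{r['zone']}'")
```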
HOW-TO: Shoreline Firewall (Shorewall) 2.0.15
I couldn't figure out shorewall (at least the doco I saw).