Alternatives to Firestarter...are there any?


Postby s3a » 2008-10-21 10:37

Is there any firewall with a GUI built for GNOME in Lenny's repositories? If so, then which one(s)? I'd prefer not to use a KDE firewall since it doesn't integrate well and I don't like the KDE feel and look, but if I have no choice then which is the best KDE firewall in your opinion?

Thanks in advance!
s3a
 
Posts: 777
Joined: 2008-07-17 22:13

Re: Alternatives to Firestarter...are there any?

Postby tiresia » 2008-10-21 11:39

Apple PowerMac G5 - Debian Squeeze - Mac OS X 10.5
Lenovo 3000 N200 - Debian Wheezy amd64
tiresia
 
Posts: 26
Joined: 2008-07-01 09:22
Location: Berlin

Postby Telemachus » 2008-10-21 11:48

I will just throw in that I find all the gui firewalls to be a big waste of cpu cycles. It takes some time to learn how to write your own iptables rules, but it's well worth the effort. Sorry if that doesn't help much.
"We have not been faced with the need to satisfy someone else's requirements, and for this freedom we are grateful."
Dennis Ritchie and Ken Thompson, The UNIX Time-Sharing System
Telemachus
 
Posts: 4676
Joined: 2006-12-25 15:53

Postby MeanDean » 2008-10-21 12:07

Have you searched the repos for firewall, looks like plenty of them are available.
apt-cache search firewall

I think a GUI firewall tool is kind of silly myself - like we need zonealarm and those cool blinky lights. Why not use one of the firewall scripts that are in the repo, or steal some iptables rules from somewhere

I don't use a firewall but I played with mason for a little while and thought it was cool and about as easy as it gets...
MeanDean
 
Posts: 3956
Joined: 2007-09-01 01:14

Postby stoffepojken » 2008-10-21 12:13

arno-iptables-firewall is very easy. Not a gui but ncurses configuration.
stoffepojken
 
Posts: 707
Joined: 2007-01-25 01:21
Location: Stockholm, Sweden

Postby rickh » 2008-10-21 14:10

Firestarter or Guarddog is fine as a backup to the excellent NAT firewall that comes with most routers. I leave a few ports open on the router that I use regularly (FTP, P2P programs, etc.), but close them with Firestarter until I want them active.

From GRC's ShieldsUp:
Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.


Good enough for me.
Last edited by rickh on 2008-10-21 21:06, edited 1 time in total.
Debian-Lenny/Sid 32/64
Desktop: Generic Core 2 Duo, EVGA 680i, Nvidia
Laptop: Generic Intel SIS/AC97
rickh
 
Posts: 3475
Joined: 2006-06-29 02:13
Location: Albuquerque, NM USA

Postby garrincha » 2008-10-21 20:51

Additionally, if you find iptables a bit too steep a learning curve, you could use shorewall which is not a firewall by definition but really a set of scripts that run iptables.

Here's a nice and simple guide for setting up a custom Debian firewall/gateway using shorewall:

http://www.cyberdogtech.com/firewalls/

The guide is a bit out of date (2006) but still relevant.
Maurice Green on Usain Bolt's 9.58: "The Earth stopped for a second, and he went to Mars."
garrincha
 
Posts: 2341
Joined: 2006-06-02 16:38

Postby BioTube » 2008-10-21 21:19

MeanDean wrote: Have you searched the repos for firewall, looks like plenty of them are available.
apt-cache search firewall

I think a GUI firewall tool is kind of silly myself - like we need zonealarm and those cool blinky lights. Why not use one of the firewall scripts that are in the repo, or steal some iptables rules from somewhere

I don't use a firewall but I played with mason for a little while and thought it was cool and about as easy as it gets...
ZoneAlarm's definitely the most convenient firewall I've used. Per program permissions are, in my opinion, better than per port (I see no technical reason why these can't be combined) and ZA does have the interesting feature of requiring changed programs to be reauthorized.
Ludwig von Mises wrote: The elite should be supreme by virtue of persuasion, not by the assistance of firing squads.
BioTube
 
Posts: 7551
Joined: 2007-06-01 04:34

Postby Gonky » 2008-10-22 17:42

garrincha wrote: Additionally, if you find iptables a bit too steep a learning curve, you could use shorewall which is not a firewall by definition but really a set of scripts that run iptables.

Here's a nice and simple guide for setting up a custom Debian firewall/gateway using shorewall:

http://www.cyberdogtech.com/firewalls/

The guide is a bit out of date (2006) but still relevant.


I followed that guide a couple years back when I was using an old Mac as a Debian-based router. Following the guide is pretty easy if you just want a simple straightforward firewall; it gets really complicated if you want to deviate from the guide though. Shorewall has a gazillion config files that you have to play with in order to get things done, and all those config files do is set up some iptables rules for you. It's much quicker and easier to just learn iptables, in my opinion.
Permission to speak freely, Sir?
Gonky
 
Posts: 156
Joined: 2008-06-30 23:49

Postby Bulkley » 2008-10-22 17:50

ipmasq is simple to set up.
Bulkley
 
Posts: 3878
Joined: 2006-02-11 18:35

Postby garrincha » 2008-10-22 18:15

Gonky wrote:
garrincha wrote: Here's a nice and simple guide for setting up a custom Debian firewall/gateway using shorewall:

http://www.cyberdogtech.com/firewalls/

The guide is a bit out of date (2006) but still relevant.


I followed that guide a couple years back when I was using an old Mac as a Debian-based router. Following the guide is pretty easy if you just want a simple straightforward firewall; it gets really complicated if you want to deviate from the guide though. Shorewall has a gazillion config files that you have to play with in order to get things done, and all those config files do is set up some iptables rules for you. It's much quicker and easier to just learn iptables, in my opinion.


Yes, the Shorewall package has so many configuration files, but as mentioned in my post above I only suggested this guide as one of the simple solutions for setting up iptables for a simple firewall/router system. Of course, it's up to the person to explore Shorewall a bit further or simply go into the deep end of iptables scripting.

Incidentally, some people were under the mistaken impression that Shorewall is a firewall, but it's not, as quoted from the guide in the link above:
Before we move on, let's clear up a couple common misconceptions: Shorewall is not a firewall, and in fact it's not even an application. The common notion of a program (or daemon) is that of an application that runs continuously. This is not the case with Shorewall. Instead, Shorewall is actually just a very large set of scripts which run once and then exit. Shorewall itself does not perform any firewalling work; it merely configures iptables to your specifications, then quits.
Maurice Green on Usain Bolt's 9.58: "The Earth stopped for a second, and he went to Mars."
garrincha
 
Posts: 2341
Joined: 2006-06-02 16:38

Postby Lou » 2008-10-23 14:43

Being dense when it comes to iptables and rules, I use guarddog, which is the only GUI firewall that shows a total green (stealth - invisible to all eyes) status at grc.com.
Wheezy - Ratpoison - vimperator - no DM
KISS - Keep It Simple, Stupid
Deodato - The Crossing (full album) - http://youtu.be/nlRsIgz23qY
Lou
 
Posts: 1766
Joined: 2006-05-08 02:15
Location: Panama

Postby rickh » 2008-10-23 14:54

...guarddog which is the only gui firewall that shows a total green (stealth - invisible to all eyes) status at grc.com .

Before I had a router, I had no problem achieving that with Firestarter.
Debian-Lenny/Sid 32/64
Desktop: Generic Core 2 Duo, EVGA 680i, Nvidia
Laptop: Generic Intel SIS/AC97
rickh
 
Posts: 3475
Joined: 2006-06-29 02:13
Location: Albuquerque, NM USA

Postby freek » 2008-10-24 15:48

I'm using Firehol > http://firehol.sourceforge.net/
shows total green (stealth - invisible to all eyes) at grc.com

easy to set up

Good luck
there's no business like .. your own business ..
freek
 
Posts: 57
Joined: 2007-04-03 01:36
Location: Nederland

Postby s3a » 2008-10-24 17:50

Ok I did what entering "firehol" told me and now it seems that when I type "iptables -L" that I am being protected! I just want confirmation from you people please so:

deniz@debian:~$ su
Password:
debian:/home/deniz# firehol start


WARNING
File '/etc/firehol/RESERVED_IPS' is more than 90 days old.
You should update it to ensure proper operation of your firewall.

Run the supplied get-iana script to generate this file.

FireHOL: Saving your old firewall to a temporary file: OK
FireHOL: Processing file /etc/firehol/firehol.conf: OK
FireHOL: Activating new firewall (41 rules): OK
debian:/home/deniz# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
in_world all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `'IN-unknown:''
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `'PASS-unknown:''
DROP all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
out_world all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `'OUT-unknown:''
DROP all -- anywhere anywhere

Chain in_world (1 references)
target prot opt source destination
in_world_all_c1 all -- anywhere anywhere
in_world_irc_c2 all -- anywhere anywhere
in_world_ftp_c3 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `''IN-world':''
DROP all -- anywhere anywhere

Chain in_world_all_c1 (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state ESTABLISHED

Chain in_world_ftp_c3 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ftp dpts:32768:61000 state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data dpts:32768:61000 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:32768:61000 state ESTABLISHED

Chain in_world_irc_c2 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ircd dpts:32768:61000 state ESTABLISHED

Chain out_world (1 references)
target prot opt source destination
out_world_all_c1 all -- anywhere anywhere
out_world_irc_c2 all -- anywhere anywhere
out_world_ftp_c3 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `''OUT-world':''
DROP all -- anywhere anywhere

Chain out_world_all_c1 (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state NEW,ESTABLISHED

Chain out_world_ftp_c3 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:32768:61000 dpt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:32768:61000 dpt:ftp-data state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:32768:61000 dpts:1024:65535 state RELATED,ESTABLISHED

Chain out_world_irc_c2 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:32768:61000 dpt:ircd state NEW,ESTABLISHED
debian:/home/deniz# exit
deniz@debian:~$


When I check using System Monitor or by entering "top" in terminal, it doesn't even show the name Firehol but is this because Firehol is not a running program but just one that configures the iptables once (unless you choose to re-configure them) which is what is technically running? Please tell me if I am now protected and also please help me understand what is going on a little bit more.

Thanks in advance!
s3a
 
Posts: 777
Joined: 2008-07-17 22:13
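
An added example, not part of any post in this thread and not FireHOL's own code: a small Python check that reads `iptables -L` text like the listing above, follows the jumps from INPUT, and reports a non-DROP policy, any rule that accepts NEW inbound connections, and any ACCEPT with no visible match. Plain `iptables -L` omits the interface columns, so that last finding means re-checking the rule with `iptables -L -v -n`; the names `parse` and `audit` and the excerpted sample are constructed for illustration.

```python
import re
# Constructed sample: the inbound chains excerpted from the `iptables -L` listing above.
SAMPLE = """\
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
in_world all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED
DROP all -- anywhere anywhere

Chain in_world (1 references)
target prot opt source destination
in_world_all_c1 all -- anywhere anywhere
DROP all -- anywhere anywhere

Chain in_world_all_c1 (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state ESTABLISHED
"""

def parse(listing):  # -> ({chain: policy or None}, {chain: [(target, match text)]})
    policy, rules, name = {}, {}, None
    for line in listing.splitlines():
        head = re.match(r"Chain (\S+) \((?:policy (\w+))?", line)
        if head:
            name = head.group(1)
            policy[name], rules[name] = head.group(2), []
        elif name and line.strip() and not line.startswith("target "):
            f = line.split()  # target prot opt source destination [match...]
            rules[name].append((f[0], " ".join(f[5:])))
    return policy, rules

def audit(listing, start="INPUT"):
    """Findings for every chain reachable from `start` (hypothetical helper)."""
    policy, rules = parse(listing)
    found = [] if policy[start] == "DROP" else [f"{start}: policy {policy[start]}"]
    todo = [start]
    for chain in todo:  # the list grows as jumps to user chains are discovered
        for target, match in rules[chain]:
            if target in rules and target not in todo:
                todo.append(target)
            elif target == "ACCEPT" and "NEW" in match:
                found.append(f"{chain}: accepts NEW ({match})")
            elif target == "ACCEPT" and not match:
                found.append(f"{chain}: unconditional ACCEPT, verify with -v")
    return found

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

On the excerpt it reports only the first INPUT rule, which plain `-L` shows without its interface match.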
