Firewalls (Српски)

From ArchWiki

This article or section needs to be translated.

Notes: Largely not translated, last touched in 2011, and the English page was turned into a category.

A firewall is a system designed to prevent unauthorized access to or from a private network (which could be just one machine). Firewalls can be implemented in hardware only, in software only, or in a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and allows, proxies, or denies the traffic based on specified security criteria.

There is a nice list of firewalls here.

There are many posts on the forums about different firewall apps and scripts, so here they are all condensed into one page. Please add your comments about each firewall, especially ease of use and a security check at Shields Up.

iptables

The Linux kernel itself has a very powerful firewall called iptables. Other firewalls are usually just frontends to it.

See the iptables article for more information.


iptables front-ends

Arno's Firewall

Arno's IPTABLES Firewall Script is a secure firewall for both single and multi-homed machines.

The script:

  • easy to configure and highly customizable
  • daemon script included
  • a filter script that makes your firewall log more readable

Supports:

  • NAT and SNAT
  • port forwarding
  • ADSL ethernet modems with both static and dynamically assigned IPs
  • MAC address filtering
  • stealth port scan detection
  • DMZ and DMZ-2-LAN forwarding
  • protection against SYN/ICMP flooding
  • extensive user definable logging with rate limiting to prevent log flooding
  • all IP protocols and VPNs such as IPSec
  • plugin support to add extra features

ferm

ferm (which stands for "For Easy Rule Making") is a tool to maintain complex firewalls without the trouble of rewriting the complex rules over and over again. ferm allows the entire firewall rule set to be stored in a separate file and loaded with one command. The firewall configuration resembles a structured programming language, which can contain levels and lists.

Firehol

FireHOL is a language to express firewalling rules, not just a script that produces some kind of firewall. It makes building even sophisticated firewalls easy, the way you want it. The result is actually iptables rules.

firehol is available in the community repository.

Firetable

Firetable (dead link 2021-11-10) is an iptables-based firewall with "human readable" syntax.

firetable is available in AUR.

gShield

gShield (dead link 2021-11-10) is a really simple iptables configuration system (nothing to do with GNOME). It is easy to configure and blocks (almost) everything not needed by default. It is controlled by only one configuration file. It gave me all stealth on grc.com.

gshield is available in AUR.

Pros:

  • Easy to configure
  • Only one configuration file
  • Will give you an iptables configuration, which is the best firewall

Cons:

  • No GUI

Shorewall

The Shoreline Firewall, more commonly known as "Shorewall", is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and, with the help of the iptables utility, configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode and can thus take advantage of Netfilter's connection state tracking capabilities.

shorewall is available in the community repository.

uruk

uruk loads an rc file, which defines network service access policy, and invokes iptables to set up firewall rules implementing this policy.

uruk is not available in any Arch Linux repository.

ufw

ufw (uncomplicated firewall) is a simple frontend for iptables and is available in the community repository. For a simple firewall with ssh access, perform the following:

sudo ufw allow ssh/tcp
sudo ufw logging on
sudo ufw enable

This saves the rules for iptables. Edit your rc.conf to enable ufw at boot (in DAEMONS array).

ufw also supports application rules, either provided by packages or custom-made, via the /etc/ufw/applications.d/ directory. For applications like Samba, which use multiple UDP and TCP ports, an application rule file makes enabling all of them easy:

sudo vi /etc/ufw/applications.d/samba
[Samba]
title=Windows file and printer server for Unix
description=Tools to access a server's filespace and printers via SMB
ports=137,138/udp|139,445/tcp

Note the "|" is used to separate the UDP ports and the TCP ports. Commas are used to separate the port numbers themselves.

For applications that use different ports depending on their configuration, like Apache, rule files can contain multiple rule sets.

sudo vi /etc/ufw/applications.d/apache
[Apache]
title=Web Server
description=A high performance Unix-based HTTP server
ports=80/tcp

[Apache Secure]
title=Web Server (HTTPS)
description=A high performance Unix-based HTTP server
ports=443/tcp

[Apache Full]
title=Web Server (HTTP,HTTPS)
description=A high performance Unix-based HTTP server
ports=80,443/tcp

To list the available application settings use:

sudo ufw app list
Available applications:
 Apache
 Apache Full
 Apache Secure
 Samba

To enable just Apache's HTTPS service:

sudo ufw allow "Apache Secure"

To enable access to Samba only within your LAN:

sudo ufw allow from 192.168.0.0/24 to any app Samba

Further Documentation and Source Citation: Ubuntu Firewall Help
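To make the profile syntax above concrete, here is an added example written for this page; it is not part of ufw or of the original article. It parses a constructed applications.d-style profile text, expands a ports= value such as 137,138/udp|139,445/tcp, validates every entry, and prints the plain iptables rules that "ufw allow 'Apache Secure'" and "ufw allow from 192.168.0.0/24 to any app Samba" amount to. The functions profile_ports, expand_ports, valid_spec and allow_rules are this example's own names, and the INPUT-chain rules it prints are an assumed simplification: ufw actually installs its rules in its own chains rather than directly in INPUT.

```sh
#!/bin/sh
# Added example (not part of ufw or the ArchWiki page): a toy parser for the
# "ports=" syntax used in /etc/ufw/applications.d profiles, plus a function
# that prints the plain iptables rules a profile amounts to. The INPUT-chain
# rules are an assumed simplification of what ufw really does.

# Constructed profile text mirroring the Samba and Apache examples above.
PROFILES='[Samba]
title=Windows file and printer server for Unix
ports=137,138/udp|139,445/tcp

[Apache Secure]
title=Web Server (HTTPS)
ports=443/tcp

[Apache Full]
title=Web Server (HTTP,HTTPS)
ports=80,443/tcp
'

# profile_ports NAME: print the ports= value of section [NAME], or nothing.
profile_ports() {
    printf '%s\n' "$PROFILES" | awk -v want="$1" '
        /^\[/ { sect = substr($0, 2, length($0) - 2); next }
        sect == want && sub(/^ports=/, "") { print; exit }
    '
}

# expand_ports SPEC: "137,138/udp|139,445/tcp" -> one PORT/PROTO per line.
# "|" separates protocol groups, "," separates ports inside a group.
expand_ports() {
    printf '%s\n' "$1" | tr '|' '\n' | while IFS= read -r group; do
        ports=${group%/*}      # everything before the last "/"
        proto=${group##*/}     # everything after the last "/"
        printf '%s\n' "$ports" | tr ',' '\n' | while IFS= read -r port; do
            printf '%s/%s\n' "$port" "$proto"
        done
    done
}

# valid_spec SPEC: succeed only if every entry is a numeric port 1-65535
# with protocol tcp or udp. A garbled profile must not turn into a rule.
valid_spec() {
    expand_ports "$1" | {
        seen=0
        while IFS=/ read -r port proto; do
            seen=1
            case $proto in tcp|udp) ;; *) exit 1 ;; esac
            case $port in ''|*[!0-9]*) exit 1 ;; esac
            [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || exit 1
        done
        [ "$seen" -eq 1 ]
    }
}

# allow_rules NAME [SOURCE_CIDR]: print iptables commands equivalent to
# "ufw allow NAME" or "ufw allow from SOURCE_CIDR to any app NAME".
allow_rules() {
    app=$1
    src=${2:-}
    spec=$(profile_ports "$app")
    if [ -z "$spec" ] || ! valid_spec "$spec"; then
        echo "allow_rules: no valid profile named '$app'" >&2
        return 1
    fi
    expand_ports "$spec" | while IFS=/ read -r port proto; do
        if [ -n "$src" ]; then
            printf 'iptables -A INPUT -s %s -p %s --dport %s -j ACCEPT\n' \
                "$src" "$proto" "$port"
        else
            printf 'iptables -A INPUT -p %s --dport %s -j ACCEPT\n' \
                "$proto" "$port"
        fi
    done
}

# Stand-alone usage: show the rules behind the two ufw commands above.
allow_rules 'Apache Secure'
allow_rules Samba 192.168.0.0/24
```

The validation step is the part worth copying into any tooling of your own: a profile whose ports= line is malformed (a non-numeric port, a port above 65535, or a protocol other than tcp or udp) makes allow_rules fail loudly instead of silently emitting a rule that opens something other than what the profile author intended.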

Vuurmuur

Vuurmuur is a powerful firewall manager built on top of iptables. It has a simple, easy-to-learn configuration that covers both simple and complex setups. Everything can be configured through an ncurses GUI, which allows secure remote administration over SSH or on the console. Vuurmuur supports traffic shaping and has powerful monitoring features that let the administrator watch logs, connections and bandwidth usage in real time.

Vuurmuur is available in the AUR.

iptables graphical frontends

Firestarter

Firestarter is a good graphical frontend. It can use blacklists and whitelists to regulate traffic, is very easy to use, and has excellent documentation available on its website.

Firestarter has GNOME dependencies and is available in the AUR.

Guarddog

Guarddog is a really simple program for configuring iptables. After setting the basic parameters, it passes all the security tests.

Guarddog requires kdelibs3 and is available in the AUR.

To have the firewall settings applied at boot, call /etc/rc.firewall from /etc/rc.local or something similar.

Gufw

Gufw is an easy-to-use Ubuntu/Linux firewall, built on the Uncomplicated Firewall.

Gufw is a lightweight, intuitive way to manage a Linux firewall.

KMyFirewall

KMyFirewall is a KDE3 GUI for iptables.

This firewall is simple enough for beginners to use, but it also offers sophisticated settings for advanced users.

KMyFirewall requires kdelibs3 and is available in the AUR.

Firewall Builder

Firewall Builder (dead link 2021-11-10) is "a GUI firewall configuration and management tool that supports iptables (netfilter), ipfilter, pf, ipfw, Cisco PIX (FWSM, ASA) and Cisco routers extended access lists. [...] The program runs on Linux, FreeBSD, OpenBSD, Windows and Mac OS X and can manage both local and remote firewalls." Source: http://www.fwbuilder.org/ (dead link 2021-11-10)

fwbuilder is available in the extra repository.