Opinion: which firewall do you recommend?

[tiredoldcoder]

Working on building a new firewall/gateway machine to place between the cable modem and my home network. Which firewall do you use/recommend?

Also does anyone have an opinion about using webmin to administer the firewall?

TOC

[revertex]

iptables have a lot of examples in these forums, shorewall is really easy to setup, and i ear about a shorewall webmin module.
unless people that don't know linux will admin your box i advise you stay away from webmin, it's just a mess.

cheers.

[beandog]

Webmin is nice, but its a crutch. Someone recommend to me once to skip everything and just learn iptables instead -- it's what all the firewall programs configure anyway, so you're better off going straight to the source.

For a quick easy setup/install, this is what I recommend:

- Download this firewall and install it -- http://projectfiles.com/firewall/

Get the installer file. It's a console frontend that makes it easy to setup which ports to open, and routing too. After you install it and run it the first time, it will probably not start it, but it will have rc.firewall in /etc/rc.d/ Go there and start it (rc.firewall start), then save the iptables settings (/etc/init.d/iptables save), and you're done. If its for your home network, be sure to enable ip forwarding as the iptables ebuild instructs. Good luck -- its really not that hard, trust me.
_________________
If it ain't broke, tweak it. dvds | blurays | blog | wiki

[zeek]

[drkstorm]

for an easy to configure canned firewall script that uses iptables, I use gShield.. it can be emerged or http://muse.linuxmafia.org/gshield/ it works well and it is easy to configure, its alse very robust support router, DMZ, and forwarding filters.

in my opinion, using straight up iptables commands is a security risk unless you are an expert, im not, i dont have time

[tiredoldcoder]

My current firewall/NAT/MASQ is a RH 6.2 using IPCHAINS ... is iptables worse?

Also, do I need to configure my kernel special for iptables.

I am planning on using gs-sources for my kernel ... any comments?

v/r

TOC

[madchaz]

iptables is more powerfull and stable then ipchains. It's the new standard from 2.4

shorewall on a gentoo box had good results for me when I was still on cable. I've also used the smoothwall distribution. I know some people here don't like it, but I found it's easy to use and pretty secure.

While learning iptables "would" be the most powerfull solution, doing things by hands isn't always the best. If you want to use gentoo, I'd recomend shorewall. The manual on there website is pretty strait forward and it's in portage.
_________________
Someone asked me once if I suffered from mental illness. I told him I enjoyed every second of it.
www.madchaz.com A small candle of a website. As my lab specs on it.

[stahlsau]

hi,
i´d recommend iptables, simply because it can do everything you want it to do.
If you don´t understand all those configurationfiles of iptables, try out "ipkungfu". It´s a package of scripts/configs (~30kb) for iptables and works out of the box and can (better: should) be modified very simple. I like it because you get a nice iptables-configuration which works and only have to modify it to your needs, that´s much more simple than writing your own firewall.

[adaptr]

[Anime_Fan]

OpenBSD has PF...
It's quite nifty, but may be overkill for what your purposes seem to be.

[474]

[tiredoldcoder]

Thanks to all! I used the install script from http://projectfiles.com/firewall/ and everything seems to be working well

Follow on questions:

1. I hear words like "crutch" and "mess" about webmin. I am using webmin, so I don't have to leave my comfy chair and run downstairs/upstairs to admin a server/workstation (I have 3 gentoo systems now, more to come). Not to mention, I don't have to memorize every Linux admin command syntax to admin chores every in a blue moon. That is the value of a GUI to me--to abstract the gory details for peoples whose vigor and brain cell count are in decline!

Having set my heels firmly I'm not so naive to believe ANY software is perfect. So, is there something about webmin I don't know? Webmin has a nice, friendly Linux Firewall interface. Why not use it?

2. Even though I have a rule to block TCP port 10000 (webmin), it still shows up (closed) when I run nmap against my external IP. Should I be concerned?

3. Once I save the IPTABLES, do I need to run the rc.firewall script at bootup?

4. How does the firewall know when my DHCP lease expires and my external IP has changed? Do the IPTABLES saved files get automatically updated?

v/r

TOC

[474]

[474]

[tom56]

most firewalls on linux are just frontends to iptables. i used to use shorewall but now i use firestarter. they both work just as well, but i prefer firestarter as it has a purty gui interface

[Woody]

You could also use one of the old floppy based
linux-router-project style distros. I use coyote linux on a
p75 with 24 megs of ram and the only moving parts are a
floppy (at boot only) and the PS fan. I currently have an
uptime over 300 days.

[meyerm]

Hmm, all mentioned "firewalls" here are just packet filters. Is there any open source application level firewall available? Linux or BSD - doesn't matter.

BTW: I don't mean a layer-7-module for iptables. But a real firewall parsing the protocol and dropping dangerous packets.

[n7down]

If you have an old box sitting around I would suggest smoothwall which is a firewall/router.
www.smoothwall.org

[GenKreton]

smoothwall or shorewall for ease of use BUT if you want the best there is and willing to learn go for iptables or pf (all previously suggested).

[adaptr]

[meyerm]

[NemoTheLobster]

For an application layer firewall, check out Zorp:

http://www.balabit.com/products/zorp/

There's a GPL version available. I just stumbled on that today.

[meyerm]

Cool - looks promising. My first readthrough didn't show me if it is capable of shaping the traffic. It looks like on/off/redirect. But I will read further. Thank you!

[adaptr]

[Riftwing]