Linux Firewall


4dz0
March 21st, 2006, 09:46 PM
This thread has been reposted from programming talk to gain feedback from a wider range of users:

I am currently planning my final year project at university and I'd like some opinions on my initial idea. I do have to stress that this idea is extremely primitive and I have barely begun, what I'd really like is to have some comments from you guys that I can use to decide whether to proceed.

I'm looking to create an interactive firewall, the exact nature of the firewall is yet to be determined but my main aim is to create a user friendly application that can help new users to Linux configure network access with maximum ease. By interactive I mean a firewall that is restrictive by default, allowing only those applications and services network access through interactively granting permissions.

What I'd really like at this initial stage is some opinions on whether Linux actually needs another firewall, and some features that you'd like to see. I'd also like some advice on what is currently available, what firewall you use, and the things you like/dislike about it.

I'd really like people to be honest in their opinion. I'm not tied down to this application and I have plenty of time; if the idea isn't required amongst Linux users then there is little point in proceeding.

I've asked a lot of questions here so comments on any would be great.

Thanks.
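The "restrictive by default, grant interactively" loop described in the post can be built on top of netfilter without writing any packet-filtering code of your own. The following is an added example (not code from the thread or from any of the firewalls mentioned in it): it generates a default-deny iptables ruleset, logs every connection attempt that no rule has granted together with the uid of the process that made it, parses that kernel log line, and turns it into the rule a frontend would propose to the user. The `fw-ask:` log prefix, the uids and the sample log line are constructed for the example; it assumes iptables with the conntrack, owner, limit and LOG extensions.

```python
"""Default-deny iptables ruleset with per-user grants driven by LOG lines.

Added example, not from the thread. Assumes iptables with the conntrack,
owner, limit and LOG match/target extensions. Prefix, uids and the
sample log line are constructed.
"""
import re
import subprocess
from typing import Dict, List, Optional

IPTABLES = "iptables"        # assumed name of the iptables binary
LOG_PREFIX = "fw-ask: "      # assumed prefix; --log-prefix allows up to 29 chars

Rule = List[str]


def baseline_rules() -> List[Rule]:
    """Flush, then drop everything not explicitly granted.

    Loopback and replies to connections we opened ourselves are the only
    exceptions, so a machine with no grants still works locally but has
    no service reachable from the network and no program can call out.
    """
    return [
        [IPTABLES, "-F"],
        [IPTABLES, "-P", "INPUT", "DROP"],
        [IPTABLES, "-P", "FORWARD", "DROP"],
        [IPTABLES, "-P", "OUTPUT", "DROP"],
        [IPTABLES, "-A", "INPUT", "-i", "lo", "-j", "ACCEPT"],
        [IPTABLES, "-A", "OUTPUT", "-o", "lo", "-j", "ACCEPT"],
        [IPTABLES, "-A", "INPUT", "-m", "conntrack", "--ctstate",
         "ESTABLISHED,RELATED", "-j", "ACCEPT"],
        [IPTABLES, "-A", "OUTPUT", "-m", "conntrack", "--ctstate",
         "ESTABLISHED,RELATED", "-j", "ACCEPT"],
    ]


def grant_outbound(uid: int, proto: str, dport: int) -> Rule:
    """Let one local user open new connections to one destination port.

    Netfilter's owner match identifies the *user*, not the binary (the
    kernel dropped --cmd-owner in 2.6.14), so "allow this program" has
    to be approximated by running each program under its own uid/gid.
    The owner match is only valid in the OUTPUT chain.
    """
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol: {proto}")
    if not 0 < dport < 65536:
        raise ValueError(f"port out of range: {dport}")
    return [IPTABLES, "-A", "OUTPUT", "-p", proto, "--dport", str(dport),
            "-m", "owner", "--uid-owner", str(uid),
            "-m", "conntrack", "--ctstate", "NEW", "-j", "ACCEPT"]


def log_rule() -> Rule:
    """Last OUTPUT rule: anything not yet granted is logged with the uid of
    the sending process, then dropped by the chain policy. The limit match
    keeps a chatty program from flooding the kernel log."""
    return [IPTABLES, "-A", "OUTPUT", "-m", "conntrack", "--ctstate", "NEW",
            "-m", "limit", "--limit", "10/min",
            "-j", "LOG", "--log-prefix", LOG_PREFIX, "--log-uid"]


def full_ruleset(grants: List[Rule]) -> List[Rule]:
    """Baseline, then the user's grants, then the ask-and-drop tail."""
    return baseline_rules() + list(grants) + [log_rule()]


_FIELD = re.compile(r"(\w+)=(\S*)")


def parse_denied(line: str) -> Optional[Dict[str, object]]:
    """Extract what a frontend needs from one kernel LOG line.
    Returns None for lines that did not come from our LOG rule."""
    if LOG_PREFIX not in line:
        return None
    fields = dict(_FIELD.findall(line.split(LOG_PREFIX, 1)[1]))
    try:
        return {"uid": int(fields["UID"]), "proto": fields["PROTO"].lower(),
                "dst": fields["DST"], "dport": int(fields["DPT"])}
    except (KeyError, ValueError):
        return None   # ICMP etc. have no DPT, or --log-uid was missing


def propose_grant(line: str) -> Optional[Rule]:
    """The rule the frontend would show the user for a denied attempt."""
    d = parse_denied(line)
    if d is None:
        return None
    return grant_outbound(int(d["uid"]), str(d["proto"]), int(d["dport"]))


def render(rules: List[Rule]) -> str:
    """Shell-style text of a ruleset, for review before applying."""
    return "\n".join(" ".join(r) for r in rules)


def apply_rules(rules: List[Rule], dry_run: bool = True) -> None:
    """Run each rule via subprocess (needs root); dry_run only prints."""
    for r in rules:
        if dry_run:
            print(" ".join(r))
        else:
            subprocess.run(r, check=True)


if __name__ == "__main__":
    # Constructed sample log line, as the kernel writes it with --log-uid.
    sample = ("Mar 22 12:00:01 host kernel: fw-ask: IN= OUT=eth0 SRC=192.0.2.10 "
              "DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF "
              "PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 "
              "UID=1000 GID=1000")
    print(render(full_ruleset([])))
    print("proposed:", " ".join(propose_grant(sample) or []))
```

A real frontend would tail the kernel log, show the parsed uid, destination and port to the user, and on "allow" insert the proposed rule before the LOG rule (with `-I OUTPUT <n>` rather than `-A`, so it lands ahead of the tail). The log-and-ask approach also means the first connection attempt is always dropped, which is the trade-off every interactive firewall of this style makes.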

htinn
March 21st, 2006, 09:54 PM
At this point I'm just looking for some nice Ethereal filters. With that, I'm pretty much set for security.

jamesford
March 21st, 2006, 10:10 PM
If you have the opportunity, study Agnitum Outpost Firewall for Windows. It's such a wonderful application. Something like that for Linux is something I've been missing.

4dz0
March 21st, 2006, 11:32 PM
Thanks, I'll take a look. Any more comments appreciated.

schnappy
March 21st, 2006, 11:39 PM
Though I tend to be a little sceptical concerning this kind of firewall (I think they easily tend to give users a false sense of security), I think it's safe to say that there are certainly a lot of people looking for this kind of functionality on Linux. Just take a look around these forums; this comes up again and again.

I think this alone would make this a very worthwhile endeavor, so I'm really looking forward to your software and can only encourage you.

4dz0
March 22nd, 2006, 11:03 AM
bump

stoeptegel
March 22nd, 2006, 11:17 AM
Another ex-Outpost Pro lover here. I think the way Outpost Pro interacts with the user is the best way I've seen in all firewalls (and I've used a lot).

You can judge GUI firewalls for giving a wrong feeling about the level of security, but one way or another I think you have to make it easy/useful for novice people to configure it.
But I do feel that all Win32 firewalls are way too much "with our firewall you are not in danger, granted". But that is probably because they are commercialized.

public_void
March 22nd, 2006, 02:04 PM
I don't trust most firewalls, especially on Windows; that's why I'm going to set up a box with IPCop on.

But for novice users it has to do the job, require little user interaction and be simple to set up. If settings need changing then they should be simple to find and change.

woedend
March 22nd, 2006, 02:13 PM
Firestarter is good, but I guess it depends on how much time and talent you have. Firestarter lacks a lot of features. One nice lacking feature (for the future more than now, I suppose) is the ability to allow certain programs access and block others. Also the ability to block certain IP addresses either in or out (specify both). This is useful for tinkering, blocking sites, blocking users, etc. I take it though you will be using an iptables base, right?

4dz0
March 22nd, 2006, 06:39 PM
I take it though you will be using an iptables base, right?

This is something I'm going to need to discuss with my professor. I realise that to attempt to create something anywhere near comparable with iptables would be foolish; that would be reinventing the wheel. However, I need to ensure I undertake a project that is challenging enough to gain me a first class degree.

woedend
March 23rd, 2006, 01:39 AM
Ah, but you see, there is no full-featured GTK-based iptables frontend that I know of. Firestarter is easy but primitive. iptables is extremely easy to use; definitely all of your work would be in interfacing only. I personally would LOVE a full-featured GTK frontend, typing is laborious :p.

gabruo
March 23rd, 2006, 01:58 AM
I tried Firestarter, KMyFirewall, and a GTK-based GUI, having been used to Windows' easy firewalls. After much tinkering I was unhappy with all of them and finally settled on FireHOL, which is terminal-based but fairly easy to use as well as fairly secure. I also tried many Windows firewalls and I believe my favorite was Symantec Personal Firewall, because it was less about being pretty and easy to use and didn't treat me like a complete idiot.

4dz0
March 23rd, 2006, 01:47 PM
Thanks for your comments, much appreciated.

frodon
March 23rd, 2006, 02:02 PM
This is something I'm going to need to discuss with my professor, I realise that to attempt to create something anywhere near comparable with iptables would be foolish, that would be reinventing the wheel. However, I need to ensure I undertake a project that is challenging enough to gain me a first class degree.

iptables is not a firewall, it's just a language to configure the firewall embedded in the kernel, which is Netfilter.
http://www.netfilter.org/
So your purpose is more to create a frontend for iptables in order to configure Netfilter interactively, I think. Netfilter is one of the strongest firewalls ever seen and it's embedded in the kernel (really more reliable than Windows firewalls because it acts at the start of the chain); you can filter by packet and also forward connections or configure it as a proxy. I'm really impressed by what Netfilter is able to do.
So since I learnt how to use iptables I don't use anything else than my own iptables rules for my firewall, and it's not really hard to use.

4dz0, you should have a look at Mandriva's firewall because it works the interactive way and is really near to your goal, I think; therefore you will gain some time trying to learn more about how Mandriva's interactive firewall works.

Good luck guy ;)

4dz0
March 23rd, 2006, 03:14 PM
So your purpose is more to create a frontend for iptables in order to configure interactively Netfilter

Do you think this is the best way to tackle the problem, or would interfacing directly with Netfilter, bypassing iptables, be a more powerful and flexible approach?

frodon
March 23rd, 2006, 03:26 PM
Do you think this is the best way to tackle the problem

It's an easier way. Interfacing directly with Netfilter is a good idea, but I would ask myself if it's interesting to spend time doing something that iptables already does really well, except if you are mainly in a learning spirit.
However, there are a lot of interesting things to do with interactivity. For example, a friend asked me today if it's possible to define a firewall which opens the port when you open the app and closes it when you close the app; this idea requires something to handle iptables rules in real time and could be a plus for a firewall frontend.
So there are a lot of things to do to create a good frontend for iptables, and for the moment there's no perfect iptables frontend (my opinion).

So I would spend more time finding good ideas to make a reliable frontend, of course easy to use, and add some new features like the one my friend asked for, than spending time re-creating iptables-like features (which is not needed, I think). It mainly depends on what your purpose is.
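The "open the port when the app starts, close it when it exits" feature from the post above is a small state machine on top of iptables. The following is an added example (not code from the thread or from any firewall it mentions) of the daemon-side logic: it reads process names from `/proc`, and on each start/stop transition of the watched program emits the `-I` or `-D` INPUT rule. The program name, protocol and port are constructed sample values; it assumes iptables with the conntrack match and a default-deny INPUT chain like the one set up earlier in the thread's discussion.

```python
"""Open an INPUT port while a program runs, close it when it exits.

Added example, not from the thread. Assumes iptables with the conntrack
match and a default-deny INPUT chain. Program name, proto and port are
constructed sample values.
"""
import os
import subprocess
import time
from typing import Callable, List, Optional, Set

IPTABLES = "iptables"   # assumed name of the iptables binary

Rule = List[str]


def running_names(proc_root: str = "/proc") -> Set[str]:
    """Names (comm) of all running processes, read from /proc/<pid>/comm.

    Caveat: comm is truncated to 15 bytes and a process can rename itself
    with prctl(PR_SET_NAME), so a hostile program can impersonate the
    watched one. A real frontend should key on the uid it runs as, or on
    /proc/<pid>/exe, rather than on the name alone.
    """
    names: Set[str] = set()
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "comm")) as f:
                names.add(f.read().strip())
        except OSError:
            pass   # the process exited between listdir() and open()
    return names


def port_rule(action: str, proto: str, port: int) -> Rule:
    """-I inserts at the top of INPUT, ahead of the default-deny tail;
    -D with the identical match deletes that same rule again."""
    if action not in ("-I", "-D"):
        raise ValueError(f"bad action: {action}")
    return [IPTABLES, action, "INPUT", "-p", proto, "--dport", str(port),
            "-m", "conntrack", "--ctstate", "NEW", "-j", "ACCEPT"]


class PortGate:
    """Tracks whether the port is currently open and emits only the
    commands needed to move from the current state to the wanted one,
    so sync() can be called on every poll without piling up rules."""

    def __init__(self, program: str, proto: str, port: int) -> None:
        self.program, self.proto, self.port = program, proto, port
        self.open = False

    def sync(self, running: Set[str]) -> List[Rule]:
        want_open = self.program in running
        if want_open == self.open:
            return []          # no transition: nothing to run
        self.open = want_open
        return [port_rule("-I" if want_open else "-D", self.proto, self.port)]

    def shutdown(self) -> List[Rule]:
        """Commands to run when the daemon itself stops: never leave the
        port open with nobody watching it."""
        return self.sync(set())


def watch(gate: PortGate, interval: float = 1.0,
          runner: Optional[Callable[[Rule], None]] = None) -> None:
    """Poll /proc and apply transitions until interrupted (needs root)."""
    run = runner or (lambda cmd: subprocess.run(cmd, check=True))
    try:
        while True:
            for cmd in gate.sync(running_names()):
                run(cmd)
            time.sleep(interval)
    except KeyboardInterrupt:
        for cmd in gate.shutdown():
            run(cmd)


if __name__ == "__main__":
    # Dry run: print the commands instead of executing them.
    watch(PortGate("sshd", "tcp", 22), runner=lambda c: print(" ".join(c)))
```

Polling `/proc` once a second is the simplest approach; a connection that arrives in the gap between the program starting to listen and the next poll is still dropped by the default policy, which is the safe side of the race. If the daemon crashes rather than being interrupted, the `-I` rule stays behind, so a frontend should also reconcile `iptables -S INPUT` against its own state on startup.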