[SOLVED] FWBuilder Gives: Permission Denied "Ahhhh"
judoka1113
July 6th, 2010, 12:14 PM
I have a router on 192.168.0.1 and eth0 on 192.168.0.122 and that's it, and I'm trying to set up a firewall. So I choose DHCP conn for eth0, put my IP into eth1 and compile, but when I try to install it with Firewall Builder it asks me for user and password. I put in my user and root password that I use with (sudo) and 192.168.0.122 for the address that will connect to the firewall, but I've been getting a permission denied message for about 3 hours now. What do I do?
spynappels
July 6th, 2010, 01:06 PM
Does the Router not have an integrated firewall?
yeleek
July 6th, 2010, 02:10 PM
How about writing it yourself with IPTABLES?
What connectivity are you looking to have through the fw?
judoka1113
July 6th, 2010, 06:33 PM
The router has a firewall, but I wanted to set one up on the host machine, and as far as connectivity, I'm looking for the bare minimum with the firewall.
judoka1113
July 6th, 2010, 07:28 PM
How can I find the outgoing address to the internet? And where to accept TCP requests and where to forward packets to?
judoka1113
July 6th, 2010, 08:41 PM
I do $ sudo iptables -A INPUT -p TCP -i eht0 --destination-port 80 -j ACCEPT
and then $ sudo ufw enable
but I still get no internet traffic. What is wrong? Shouldn't opening port 80 to TCP allow the packets through my firewall?
yeleek
July 7th, 2010, 09:02 AM
Can you confirm you just want to allow outgoing traffic and the incoming traffic should only be from established/related sessions?
If so, you could use something like the below (which I use), which includes logging.
# Generated by iptables-save v1.4.4 on Thu Apr 15 10:48:04 2010
*mangle
:PREROUTING ACCEPT [11942:11357753]
:INPUT ACCEPT [11942:11357753]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11547:1781254]
:POSTROUTING ACCEPT [11580:1783721]
COMMIT
# Completed on Thu Apr 15 10:48:04 2010
# Generated by iptables-save v1.4.4 on Thu Apr 15 10:48:04 2010
*filter
:INPUT DROP [256:35817]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [11547:1781254]
:LOGNDROP - [0:0]
:allowed - [0:0]
:existing-connections - [0:0]
-A INPUT -j existing-connections
-A INPUT -j allowed
-A INPUT -j LOGNDROP
-A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-prefix "IPTABLES Denied TCP: " --log-level 5
-A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-prefix "IPTABLES Denied UDP: " --log-level 5
-A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-prefix "IPTABLES Denied ICMP: " --log-level 5
-A existing-connections -i lo -j ACCEPT
-A existing-connections -m state --state ESTABLISHED -j ACCEPT
-A existing-connections -m state --state RELATED -j ACCEPT
COMMIT
# Completed on Thu Apr 15 10:48:04 2010
To use it, save the contents to a file, and then use sudo iptables-restore <filename>
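Added example, not part of yeleek's post: an offline lint for a dump in the iptables-save format shown above, run against a constructed copy of the post's filter table (two of the three LOGNDROP rules left out). The function names are made up for this example; it reports a chain's default policy, jump targets that resolve to nothing, and user chains that hold no rules.

```shell
# Constructed sample: the filter table from the post, written to file $1.
write_sample() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [256:35817]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [11547:1781254]
:LOGNDROP - [0:0]
:allowed - [0:0]
:existing-connections - [0:0]
-A INPUT -j existing-connections
-A INPUT -j allowed
-A INPUT -j LOGNDROP
-A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-prefix "IPTABLES Denied TCP: " --log-level 5
-A existing-connections -i lo -j ACCEPT
-A existing-connections -m state --state ESTABLISHED -j ACCEPT
-A existing-connections -m state --state RELATED -j ACCEPT
COMMIT
EOF
}
# Print the default policy of a chain, e.g. "DROP" for filter/INPUT.
chain_policy() {   # usage: chain_policy FILE TABLE CHAIN
    awk -v t="*$2" -v c=":$3" '
        /^\*/ { cur = $1 }
        cur == t && $1 == c { print $2 }' "$1"
}

# Print each -j target in TABLE that is neither a declared chain nor one of a
# short list of built-in targets (extend as needed); no output = all resolve.
unresolved_targets() {   # usage: unresolved_targets FILE TABLE
    awk -v t="*$2" '
        BEGIN { n = split("ACCEPT DROP REJECT LOG RETURN", b, " ")
                for (i = 1; i <= n; i++) known[b[i]] = 1 }
        /^\*/ { cur = $1 }
        cur != t { next }
        /^:/  { known[substr($1, 2)] = 1 }
        /^-A/ { for (i = 1; i < NF; i++) if ($i == "-j") want[$(i+1)] = 1 }
        END   { for (k in want) if (!(k in known)) print k }' "$1"
}

# Print user-defined chains that contain no rules (packets just fall through).
empty_chains() {   # usage: empty_chains FILE TABLE
    awk -v t="*$2" '
        /^\*/ { cur = $1 }
        cur != t { next }
        /^:/ && $2 == "-" { user[substr($1, 2)] = 1 }
        /^-A/ { used[$2] = 1 }
        END   { for (k in user) if (!(k in used)) print k }' "$1"
}
```

On the sample this reports INPUT as DROP and "allowed" as the only empty chain, so inbound traffic is limited to loopback and ESTABLISHED/RELATED packets until rules are added to "allowed".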
judoka1113
July 7th, 2010, 04:56 PM
I wrote a policy for my firewall with fwbuilder.
It compiles fine, but when I use the fwbuilder installer it gives me this:
scp: /etc/fw/tmp/: Is a directory
SSH session terminated, exit status: 1
I set up fwadmin to manage the account and set up the password, I just can't install it.
Do you know what the problem is?
CharlesA
July 7th, 2010, 05:06 PM
That program is in the repos, why do you need to compile it?
As said in your other thread: use GUFW instead. All GUI "firewall tools" are just frontends for iptables.
judoka1113
July 7th, 2010, 05:15 PM
What do you mean by repos? I compiled the firewall policy fine. I think I installed the firewall policy before from the command line, instructions for which I found on some website, but I'd really like to solve the problem of why I can't install it with the fwbuilder installer.
P.S. I spent a lot of time reading the docs and user guide for fwbuilder and would like to be able to use it. I would rather not use Gufw. It doesn't have many options and I'm having troubles with the program. Anytime I use gufw it completely disconnects my internet, and ignores any rules I set for it.
judoka1113
July 7th, 2010, 05:19 PM
Oh, you mean repositories. I'm not talking about ufw or gufw; I'm trying to figure out a problem I'm having with a policy that I compiled with fwbuilder (Firewall Builder program).
CharlesA
July 7th, 2010, 05:26 PM
What's the policy that you are trying to implement?
I looked at fwbuilder and it looks overly complicated for setting up simple rules.
judoka1113
July 7th, 2010, 06:01 PM
It's a firewall policy that I generated with fwbuilder interface. The policy compiles but when I use the fwbuilder built-in installer it gives me the error:
scp: /etc/fw/tmp/: Is a directory
SSH session terminated, exit status: 1
I don't know how to fix this; it doesn't seem to be able to connect to the firewall using ssh.
CharlesA
July 7th, 2010, 06:08 PM
It connects, otherwise you wouldn't get to the scp part. It looks like it finds a directory instead of what it is looking for.
Does it save the rules to a file that you can apply manually?
judoka1113
July 7th, 2010, 06:11 PM
Yeah, I can do it manually, but it just bugs me that I can't do it using the interface.
cariboo
July 7th, 2010, 06:13 PM
Please don't create multiple threads on the same subject. I have merged your two threads.
CharlesA
July 7th, 2010, 06:15 PM
Normally permission denied errors are because the program needs to access parts of the file system that the current user doesn't have permission to access.
If you can apply it manually, then do it that way. You can set it so that it's applied every time the machine boots by adding a command to the startup applications area.
judoka1113
July 7th, 2010, 06:18 PM
Ok thx CharlesA
judoka1113
July 7th, 2010, 06:22 PM
thx yeleek
realflash
August 24th, 2010, 10:39 AM
The answer you are really looking for is that your problem is caused by the directory it is trying to put the files in not existing.
When using Firewall Builder, just before the install stage you get an "Install Options" dialogue. If you select "Test run: run the script on the firewall but do not store it permanently", FWB will try to put the firewall script in $FWHOME/tmp. If you haven't pre-created that directory, you will get this error message, due to a peculiarity of scp.
To resolve this:
1. Select your firewall on the left-hand side of Firewall Builder
2. Click Firewall Settings.. at the bottom
3. Click the Installer tab
4. Look at the value of "Directory on the firewall where script should be installed" - this is where FWB will put the files for the permanent installation. I'll call it $FWHOME. The default value is /etc
5. Log on to your firewall if it isn't local
6. Create the directory $FWHOME/tmp
If, when Firewall Builder prompts you to install the policy, you don't choose the user "root", then you need to make sure that the user you do use has rights to create files in that directory.
Another option is of course to not use test mode - then it will write the files to /etc instead, which will already exist on your machine and thus skirt the problem.
On another note I thoroughly disagree with previous posters - I have been cautiously testing Firewall Builder for the last three years, and will not now go back to manually writing firewall scripts. It provides lots of flexibility, easy management and good quality output. I further think it adds security for those who don't know iptables intimately by making it obvious what the end result will be. It is absolutely the right tool for the job.
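Added example, not part of realflash's post or of Firewall Builder: one way to do the "create $FWHOME/tmp" step on the firewall host so that a non-root install user can write there and nobody else can. The function names, the 700 mode and the symlink check are this example's own choices; FWHOME is the installer directory from Firewall Settings and INSTALL_USER is the account typed into the install dialog.

```shell
#!/bin/sh
# Create $FWHOME/tmp so scp has an existing directory to copy the test-run
# script into. Run as root when INSTALL_USER is a different account.
prepare_fw_tmp() {   # usage: prepare_fw_tmp FWHOME [INSTALL_USER]
    fwhome=$1; user=${2:-}
    [ -d "$fwhome" ] || { echo "no such directory: $fwhome" >&2; return 1; }
    tmp="$fwhome/tmp"
    # Refuse a symlink or plain file: the script staged here gets executed
    # on the firewall, so the path must be a real directory we control.
    if [ -L "$tmp" ] || { [ -e "$tmp" ] && [ ! -d "$tmp" ]; }; then
        echo "$tmp exists but is not a real directory" >&2; return 1
    fi
    mkdir -p "$tmp" || return 1
    # Owner-only access: other local users cannot read or swap the script.
    chmod 700 "$tmp" || return 1
    # Hand the directory to the non-root install user, if one was given.
    if [ -n "$user" ] && [ "$user" != "$(id -un)" ]; then
        chown "$user" "$tmp" || return 1
    fi
}

# Succeeds only if the calling user could stage a script in $FWHOME/tmp.
# Run it as the install user to confirm the fix before retrying the install.
can_stage() {   # usage: can_stage FWHOME
    tmp="$1/tmp"
    [ -d "$tmp" ] && [ ! -L "$tmp" ] && [ -w "$tmp" ] && [ -x "$tmp" ]
}
```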