Tip of the Trade: Linux Firewall Builder Roundup
December 17, 2007
A fundamental skill for all Linux system and network administrators is knowing how to write a good stout iptables firewall from scratch, and knowing how to modify it for all sorts of different circumstances. Out here in the real world, however, it seems to be a skill in short supply. The learning curve for iptables is a bit steep, but it's not that bad ȃ spend a couple of days with Oskar Andreasson's iptables tutorial and you'll be in business.
An alternative, although I still think all admins should understand iptables inside-out, is to use one of the many excellent Linux firewall-building tools.
Firewall Builder is a sophisticated multi-platform graphical firewall configuration and management tool. It works on iptables, ipfilter, OpenBSD's PF and Cisco's PIX. By design, it hides the specifics of rule-building and instead focuses on writing policies. Don't run Firewall Builder on your actual firewall because it requires X Windows. Instead, run it on a workstation, then copy the scripts created to your firewall.
Firestarter is a nice graphical firewall-building wizard that leads you step-by-step through the process of building your firewall. It's a good choice for a NAT firewall that shares a single public IP address with a LAN and also has some public services behind the firewall, or a separate DMZ. It has easy commands for turning the firewall on and off, and views of status and current activities. You can run it on headless boxes and monitor it remotely, or use it as a stand-alone host firewall.
Shorewall is a popular firewall builder; it is more complex and flexible than Firestarter, and it is suitable for more complex networks. Shorewall has a learning curve nearly equivalent to iptables, but it is well-documented and offers howtos for different scenarios, such a single-host firewalls, two- and three-interface firewalls, and firewalls with multiple public IP addresses. You'll get help with filtering P2P services such as Kazaa, rate-limiting, QoS (quality of service), VPN passthrough, and lots more.
The short story is you don't need to spend gobs of money on commercial firewall software, which is often inferior to the built-in Linux and Unix packet filters, anyway. Spend the money on good-quality hardware, instead.