Graphical tools for firewall configuration

© Photo by Mike Wilson on Unsplash.com

Article from Issue 207/2018
Setting up a comprehensive firewall with netfilter and iptables is complicated. Graphical user interfaces seek to take the worries out of this demanding task.

Firewalls under Linux are usually based on the kernel's netfilter system [1], which was introduced in 2001. Nftables [2] is about to replace this system, but until then, iptables [3] remains the configuration helper for the complicated netfilter system and is regarded as the default tool for Linux.

However, configuring iptables is not very intuitive. If you don't use it regularly, you quickly forget the necessary command-line parameters, and because of this lack of intuitiveness, user error at the command line can quickly cause damage. Iptables does not make it easy for less experienced administrators to configure the firewall, so several distributions ship their own tools.

For this reason, many firewalls now have graphical user interfaces (GUIs), which make this somewhat cumbersome task easier. In this article, I review four such GUIs: firewalld [4], fwbuilder [5], Gufw [6], and Shorewall [7]. I also looked at the PeerGuardian [8] IP blocker, which is not a conventional firewall (see the "PeerGuardian" box). Not included in this review are configuration environments that are outdated (see the "Not in the Running" box).

PeerGuardian

PeerGuardian (Figure 1) [8] is not a conventional firewall, but an application that blocks individual IP addresses or entire address blocks. Originally, the software was designed to prevent peer-to-peer connections under protocols such as BitTorrent or FastTrack from being spied on, but now it also blocks IP addresses that link to websites with criminal content or to spam and phishing sites. It uses the netfilter and iptables rules available on the host. The software blocks addresses and address ranges using predefined blocklists of IP addresses known to be associated with malware. You can add to these lists.

Figure 1: PeerGuardian blocks IP addresses or IP address ranges.

PeerGuardian's source code is available for DIY compilation, as well as from the repositories of some major Linux distributions. The GUI greatly simplifies the handling of blocklists. PeerGuardian lets you block unwanted IP addresses quickly without the need for complex proxy server configuration in intranets.

The program, which is distributed under the GNU GPL, initially comes up with an empty list area in the active Control tab of the dialog window showing the session log. The buttons above manage the software. The ready-made blocklists are grouped in the Configure tab. Here, in the Whitelist area, you can enter addresses to be released. At the top is an option to start the software at system boot and to update the blocklist automatically.

You can enable blocklist updates at the interval you need and select the address ranges to block by checking them. You can add more websites or ranges to the list by pressing the green plus symbol below the blocklist. On first use, you will want to update the lists by pressing the Update button in the Control tab; then, track the update in a small log window, which you call with View | View pglcmd's log. Once the updates have been installed, the firewall is enabled by clicking on the Start button in the Control tab. The log window now gradually fills up with blocked IP addresses, the associated ports, and information about the type of connection (Figure 2).

Figure 2: PeerGuardian displays blocked IP addresses in a window.

PeerGuardian offers not only its own predefined blocklists, but also externally maintained address collections [9]. They are available on the Internet, divided into categories, some of which can also be purchased for a fee as part of a subscription. You can add the lists to PeerGuardian by copying and pasting the list URL into the add-on dialog; it then regularly updates the blocklists moving forward. If IP addresses that you do not want to block are shown in the history log, you can change this by right-clicking on the entry: Using the context menu, you can temporarily or permanently release both the IP address and the associated port.

If there is too little information available about the blocked address, you can launch a whois query from the context menu. The software then displays information in a window, making it easier to decide whether to extend or remove the block.
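The blocklist and whitelist handling described in this box can be reproduced outside the GUI. The following Python script is an added example, not code from the article or from the PeerGuardian project. It assumes that the lists use the P2P text format ("description:first-last" per line, IPv4 only), which is my assumption about PeerGuardian's list files; the addresses and whitelist are constructed from RFC 5737 documentation ranges. It collapses each range into CIDR networks, carves whitelisted hosts back out, and renders the result in firewalld's ipset XML layout (also assumed from the firewalld.ipset file format), which is the same kind of object the IPSets tab in firewall-config manages.

```python
import ipaddress

# Constructed sample blocklist in the P2P format ("description:first-last").
# The ranges are RFC 5737 documentation addresses, not real malicious hosts.
SAMPLE_BLOCKLIST = """\
# comment lines and blank lines are ignored
Bad Neighborhood:192.0.2.0-192.0.2.255
Known spam source:198.51.100.10-198.51.100.10
Scanner range:203.0.113.64-203.0.113.127
"""

# Constructed whitelist: hosts the admin has released (PeerGuardian's Whitelist area).
SAMPLE_WHITELIST = ["198.51.100.10", "192.0.2.7"]


def parse_p2p(text):
    """Yield (description, first, last) for every IPv4 range in a P2P list.

    The last colon separates the description from the range, so descriptions
    may themselves contain colons. IPv6 ranges are not handled here.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        desc, _, span = line.rpartition(":")
        first, _, last = span.partition("-")
        yield desc, ipaddress.ip_address(first), ipaddress.ip_address(last or first)


def ranges_to_networks(text):
    """Collapse every first-last range into the smallest set of CIDR networks."""
    nets = []
    for _, first, last in parse_p2p(text):
        nets.extend(ipaddress.summarize_address_range(first, last))
    return list(ipaddress.collapse_addresses(nets))


def apply_whitelist(networks, whitelist):
    """Carve whitelisted hosts out of the blocked networks.

    A whitelisted host equal to a /32 block removes that block entirely; one
    inside a larger block splits the block into the CIDRs around the host.
    """
    hosts = [ipaddress.ip_network(h) for h in whitelist]
    result = []
    for net in networks:
        pieces = [net]
        for host in hosts:
            nxt = []
            for piece in pieces:
                if host.version == piece.version and host.subnet_of(piece):
                    nxt.extend(piece.address_exclude(host))  # yields nothing if equal
                else:
                    nxt.append(piece)
            pieces = nxt
        result.extend(pieces)
    return sorted(result)


def build_blocklist(text, whitelist):
    """Full pipeline: P2P text -> CIDR networks with the whitelist applied."""
    return apply_whitelist(ranges_to_networks(text), whitelist)


def is_blocked(networks, ip):
    """True if the address falls inside any of the blocked networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in networks)


def to_firewalld_ipset_xml(networks, short="peerguardian-block"):
    """Render the networks as a hash:net ipset in firewalld's assumed ipset XML layout."""
    entries = "\n".join(f"  <entry>{n}</entry>" for n in networks)
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<ipset type="hash:net">\n'
        f"  <short>{short}</short>\n"
        f"{entries}\n"
        "</ipset>\n"
    )


if __name__ == "__main__":
    blocked = build_blocklist(SAMPLE_BLOCKLIST, SAMPLE_WHITELIST)
    print(f"{len(blocked)} networks, {sum(n.num_addresses for n in blocked)} addresses")
    print(to_firewalld_ipset_xml(blocked))
```

With the constructed input, the /24 minus one released host becomes eight CIDRs, the single-host entry disappears because it is whitelisted, and the /26 stays intact, for 319 blocked addresses in 9 networks. Releasing a host by splitting the network, rather than by adding an exception rule, keeps the resulting set usable in any hash:net ipset.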

Not in the Running

In addition to the GUIs for firewall modules discussed in this article, other configuration environments, such as FireStarter [10], Turtle Firewall [11], or FireFlier [12], can occasionally be found on the Internet. The ncurses program, Vuurmuur [13], has also gained a certain popularity as a Linux firewall management application. What all of these packages have in common is that they have not been maintained for about 10 years, and therefore they do not support – or at least do not fully support – new standards, such as IPv6.

In this article, I have also left out other active professional systems, such as IPFire [14], Untangle NG Firewall [15], and Alpine Linux [16], because they are specialist Linux distributions not based on a standard Linux system.

Criteria

Two of the most important things that professional firewalls need to support are the ability to handle IPv4 and IPv6 and the ability to adapt dynamically. In contrast to a static firewall, a modification should not require stopping and restarting the firewall, which interrupts the Internet connection; changing rules on the fly is the only way to implement appropriate rules for applications that require specific ports during operation.

Another important evaluation criterion for firewalls is logging. For example, log analyses of packet transfers help the admin set up an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS). Application filters and blacklists also boost security – as long as the admin maintains and updates them regularly.

firewalld

Firewalld [4] has been the default firewall on Red Hat Enterprise Linux (RHEL) since version 7, replacing iptables in this distribution. Although firewalld works with the netfilter system, the software is incompatible with the iptables control model. The firewall, which runs as a daemon, is also found in Fedora and the CentOS RHEL derivative, as well as in the repositories of most common Linux derivatives.

Firewalld supports IPv4 and IPv6; in particular, its zone model stands out. It lets you configure the firewall for different zones, each containing a specific ruleset. The rules are based on the desired or required security level, which is especially advantageous for mobile devices: Depending on the working environment, the user can select the relevant zone, which guarantees a specific level of safety.

Firewalld also demonstrates its strengths in large IT infrastructures with DMZ integration. In this way, the administrator can configure the firewall to suit the interface. The wireless settings then differ from those on the wired LAN. You can set up the server on the intranet or in a DMZ with different zones to suit your needs.

Firewalld comes with several zones that offer different preset security levels: The palette ranges from the trusted zone, which lets all incoming data packets through, via other predefined rulesets, to the drop zone, which discards all incoming packets that do not belong to outgoing connections. The daemon has its own command-line syntax with which the zones can be managed.

For less experienced admins who want to set up firewalld as quickly as possible, the software offers a graphical tool primarily designed for Gnome. Firewalld itself is installed by default in Fedora, CentOS, and RHEL, but the graphical front end has to be installed separately, for example through Gnome's Software utility, where the package is called Firewall. Alternatively, you can install the firewall-config tool with:

yum install firewall-config

After installing, call the GUI by pressing the Start button in the graphical installer. Alternatively, enter firewall-config in the terminal. Assuming you have logged in as a system administrator, you will be taken to a very clear-cut interface (Figure 3).

Figure 3: The firewalld interface makes iptables easier.

A list on the left side of the program window labeled Active Bindings (not shown in this figure) shows all the active connections that physically exist in the system along with the matching zones. To the right of this list are three tabs (Zones, Services, IPSets) supplemented by a smaller window in the lower-right-hand corner that allows changes to other group-specific options. The Configuration drop-down above the tabs determines whether the options are changed permanently (Permanent) or temporarily (Runtime).

Zones

In the Zones tab, you can define the respective packet transfer rules for all existing firewall zones. The Services, Ports, and Protocols tabs contain the most important groups. All tabs show the same options in the basic settings.

The Services tab makes services installed on the computer accessible for external access. Depending on the application scenario, it grants access from an intranet or the Internet. You will come across a very extensive selection of available services, which you can enable by checking the boxes. If you log in as a system administrator, firewalld instantly enables the appropriate settings without rebooting.

In the Ports tab, you can manually release individual ports or whole port ranges for external access to the system. If you want certain protocols to pass through the firewall, you can pick them from the Protocols tab. Specifically for IPv4, the Masquerading and Port Forwarding tabs are intended for setting up the relevant computer system as a gateway for an intranet. However, for this purpose, you have to equip the computer on which the firewall is running with two interfaces. Port forwarding is used to forward ports to the local system or to a remote computer.

For less common services or individual configurations, you can configure firewalld in the Services tab. You can use Ports to assign port addresses for predefined or manually added services that deviate from the defaults. You can also define source ports and target addresses on request, although these are only available in the Permanent configuration setting. Target addresses can be enabled for IPv4 and IPv6.

The last tab, IPSets, lets you define IP address ranges or individual IP addresses for which the firewall grants or blocks external access. For this purpose, you create the corresponding blacklists and whitelists; the software also takes port numbers and MAC addresses into account.
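Everything the Zones, Services, Ports, Port Forwarding, and Masquerading tabs set ends up in a zone file that firewalld stores as XML, so the same settings can be reviewed without the GUI. The Python script below is an added example, not code from the article or from the firewalld project. It assumes the zone XML layout of the firewalld.zone file format (zone target attribute, interface, service, port, forward-port, masquerade, and rich-rule elements), which is my understanding of that format; the zone itself, its name "dmz-web", and the addresses are constructed. It parses a zone, flags settings that widen exposure (an ACCEPT target, a very wide port range, a rich rule that restricts a service already opened zone-wide), and emits the equivalent firewall-cmd calls, including the reload that permanent changes need.

```python
import xml.etree.ElementTree as ET

# Constructed sample zone in the assumed layout of /etc/firewalld/zones/<name>.xml.
# Addresses are RFC 5737 documentation ranges; "dmz-web" stands in for the file name,
# which is where firewalld takes the zone name from (the <short> tag is a display name).
ZONE_NAME = "dmz-web"
SAMPLE_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>DMZ web host</short>
  <description>Constructed example zone</description>
  <interface name="eth1"/>
  <service name="ssh"/>
  <service name="https"/>
  <port port="8080" protocol="tcp"/>
  <port port="30000-40000" protocol="udp"/>
  <forward-port port="80" protocol="tcp" to-port="8080"/>
  <masquerade/>
  <rule family="ipv4">
    <source address="203.0.113.0/24"/>
    <service name="ssh"/>
    <accept/>
  </rule>
</zone>
"""


def parse_zone(xml_text, name):
    """Reduce a zone file to the settings the firewall-config tabs expose."""
    root = ET.fromstring(xml_text)
    return {
        "name": name,
        "target": root.get("target", "default"),
        "interfaces": [e.get("name") for e in root.findall("interface")],
        "services": [e.get("name") for e in root.findall("service")],
        "ports": [(p.get("port"), p.get("protocol")) for p in root.findall("port")],
        "forward_ports": [dict(f.attrib) for f in root.findall("forward-port")],
        "masquerade": root.find("masquerade") is not None,
        # services that rich rules restrict to a particular source address
        "source_limited": [
            r.find("service").get("name")
            for r in root.findall("rule")
            if r.find("source") is not None and r.find("service") is not None
        ],
    }


def port_span(spec):
    """Number of ports covered by a spec such as "8080" or "30000-40000"."""
    lo, _, hi = spec.partition("-")
    return int(hi or lo) - int(lo) + 1


def audit_zone(zone, max_range=1024):
    """Return human-readable findings about settings that widen exposure."""
    findings = []
    if zone["target"] == "ACCEPT":
        findings.append("target ACCEPT admits everything the explicit rules do not match")
    for spec, proto in zone["ports"]:
        if port_span(spec) > max_range:
            findings.append(f"port range {spec}/{proto} opens {port_span(spec)} ports")
    for svc in zone["source_limited"]:
        if svc in zone["services"]:
            findings.append(f"service {svc} is open zone-wide, so the rich rule limiting it to a source has no effect")
    if zone["masquerade"]:
        findings.append("masquerade is on: this zone NATs traffic, so the host acts as a gateway")
    return findings


def firewall_cmd_equivalent(zone):
    """Emit the firewall-cmd calls that would build the same permanent zone."""
    base = f"firewall-cmd --permanent --zone={zone['name']}"
    cmds = [f"{base} --set-target={zone['target']}"]
    cmds += [f"{base} --add-interface={i}" for i in zone["interfaces"]]
    cmds += [f"{base} --add-service={s}" for s in zone["services"]]
    cmds += [f"{base} --add-port={p}/{proto}" for p, proto in zone["ports"]]
    for fp in zone["forward_ports"]:
        spec = f"port={fp['port']}:proto={fp['protocol']}"
        if "to-port" in fp:
            spec += f":toport={fp['to-port']}"
        if "to-addr" in fp:
            spec += f":toaddr={fp['to-addr']}"
        cmds.append(f"{base} --add-forward-port={spec}")
    if zone["masquerade"]:
        cmds.append(f"{base} --add-masquerade")
    cmds.append("firewall-cmd --reload")  # permanent changes take effect only after a reload
    return cmds


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE_XML, ZONE_NAME)
    for finding in audit_zone(zone):
        print("finding:", finding)
    print("\n".join(firewall_cmd_equivalent(zone)))
```

The emitted commands use --permanent, which matches the Permanent setting of the Configuration drop-down; dropping that flag gives the Runtime behaviour, where the change applies immediately without a reload but is lost the next time the daemon reloads. The audit's ssh finding shows why reading the whole zone matters: a rich rule that limits ssh to one source looks restrictive in isolation, but the zone-wide service entry above it already opens the port to everyone.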
