Graphical tools for firewall configuration
Restricted Zone
Setting up a comprehensive firewall with netfilter and iptables is complicated. Graphic user interfaces seek to take the worries out of this demanding task.
Firewalls under Linux are usually based on the kernel's netfilter system [1], which was introduced in 2001. Nftables [2] is about to replace this system, but until then, iptables [3] remains the configuration helper for the complicated netfilter system and is regarded as the default tool for Linux.
However, configuring iptables is not very intuitive. If you don't use it regularly, you quickly forget the necessary command-line parameters. Iptables does not make it easy for less experienced administrators to configure the firewall, so several distributions ship their own tools. Because of this lack of intuitiveness, running the packet filter at the command line can quickly cause damage through user error.
For this reason, many firewalls now have graphical user interfaces (GUIs), which make this somewhat cumbersome task easier. In this article, I review four such GUIs: firewalld [4], fwbuilder [5], Gufw [6], and Shorewall [7]. I also looked at the PeerGuardian [8] IP blocker, which is not a conventional firewall (see the "PeerGuardian" box). Not included in this review are configuration environments that are outdated (see the "Not in the Running" box).
PeerGuardian
PeerGuardian (Figure 1) [8] is not a conventional firewall, but an application that blocks individual IP addresses or entire address blocks. Originally, the software was designed to prevent peer-to-peer connections under protocols such as BitTorrent or FastTrack from being spied on, but now it also blocks IP addresses that link to websites with criminal content or to spam and phishing sites. It uses the netfilter and iptables rules available on the host. Addresses and address ranges are blocked by the software with predefined blocklists that contain IP addresses known to be associated with malware. You can add to these lists.
PeerGuardian's source code is available for DIY compilation, as well as from the repositories of some major Linux distributions. The GUI greatly simplifies the handling of blocklists. PeerGuardian lets you block unwanted IP addresses quickly without the need for complex proxy server configuration in intranets.
The program, which is distributed under the GNU GPL, initially comes up with an empty list area in the active Control tab of the dialog window showing the session log. The buttons above manage the software. The ready-made blocklists are grouped in the Configure tab. Here, in the Whitelist area, you can enter addresses to be released. At the top is an option to start the software at system boot and to update the blocklist automatically.
You can activate the blocklist update intervals as required by checking the address range to be blocked. You can add more websites or areas to the list by pressing the green plus symbol below the blocklist. On first use, you will want to update the lists by pressing the Update button in the Control tab; then, track the update in a small log window, which you call with View | View pglcmd's log. Once the updates have been installed, the firewall is enabled by clicking on the Start button in the Control tab. The log window now gradually fills up with blocked IP addresses, the associated ports, and information about the type of connection (Figure 2).
PeerGuardian offers not only your own predefined lists and blocklists, but also externally maintained address collections [9]. They are available on the Internet, divided into categories, some of which can also be purchased for a fee as part of a subscription. You can add the lists to PeerGuardian by copying and pasting the list URL into the add-on dialog; it then regularly updates the blocklists moving forward. If IP addresses that you do not want to block are shown in the history log, you can change this by right-clicking on the entry: Using the context menu, you can temporarily or permanently release both the IP address and the associated port.
If there is too little information available about the blocked address, you can launch a whois query from the context menu. The software then displays information in a window, making it easier to decide whether to extend or remove the block.
Not in the Running
In addition to the GUIs for firewall modules discussed in this article, other configuration environments, such as FireStarter [10], Turtle Firewall [11], or FireFlier [12], can occasionally be found on the Internet. The ncurses program, Vuurmuur [13], has also gained a certain popularity as a Linux firewall management application. What all of these packages have in common is that they have not been maintained for about 10 years, and therefore they do not support – or at least do not fully support – new standards, such as IPv6.
In this article, I have also left out other active professional systems, such as IPFire [14], Untangle NG Firewall [15], and Alpine Linux [16], because they are specialist Linux distributions not based on a standard Linux system.
Criteria
Two of the most important things that professional firewalls need to support are IPv4 and IPv6 and dynamic adaptation. In contrast to a static firewall, which has to be stopped and restarted for every modification, interrupting the Internet connection, a dynamic firewall can apply new rules during operation, which is the only way to accommodate applications that require specific ports while they are running.
Another important evaluation criterion for firewalls is logging. For example, log analyses of packet transfers help the admin set up an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS). Application filters and blacklists also boost security – as long as the admin maintains and updates them regularly.
firewalld
Firewalld [4] has been the default firewall on Red Hat Enterprise Linux (RHEL) since version 7, replacing iptables in this distribution. Although firewalld works with the netfilter system, the software is incompatible with the iptables control model. The firewall, which runs as a daemon, is also found in Fedora and the CentOS RHEL derivative, as well as in the repositories of most common Linux derivatives.
Firewalld supports IPv4 and IPv6; in particular, its zone model stands out. It lets you configure the firewall for different zones, each containing a specific ruleset. The rules are based on the desired or required security level, which is especially advantageous for mobile devices: Depending on the working environment, the user can select the relevant zone, which guarantees a specific level of safety.
Firewalld also demonstrates its strengths in large IT infrastructures with DMZ integration. In this way, the administrator can configure the firewall to suit the interface. The wireless settings then differ from those on the wired LAN. You can set up the server on the intranet or in a DMZ with different zones to suit your needs.
Firewalld comes with several zones that offer different preset security levels: The palette ranges from the trusted zone, which accepts all incoming data packets, through other predefined rulesets, to the drop zone, which discards all incoming packets unless they relate to outgoing packets. The daemon supports its own syntax with which the zones can be managed at the command line.
For less experienced admins who want to set up firewalld as quickly as possible, the software offers a graphical tool primarily designed for Gnome. Firewalld automatically lands on the disk in Fedora, CentOS, and RHEL, but you have to install the GUI on Gnome through its Software utility – the package is called Firewall. Alternatively, you can install the firewall-config tool with:

yum install firewall-config

After installing, call the GUI by pressing the Start button in the graphical installer. Alternatively, enter firewall-config in the terminal. Assuming you have logged in as a system administrator, you will be taken to a very clear-cut interface (Figure 3).
A list on the left side of the program window labeled Active Bindings (not shown in this figure) shows all the active connections that physically exist in the system along with the matching zones. To the right of this list are three tabs (Zones, Services, IPSets) supplemented by a smaller window in the lower-right-hand corner that allows changes to other group-specific options. The Configuration drop-down above the tabs determines whether the options are changed permanently (Permanent) or temporarily (Runtime).
Zones
In the Zones tab, you can define the respective packet transfer rules for all existing firewall zones. The Services, Ports, and Protocols tabs contain the most important groups. All tabs show the same options in the basic settings.
The Services tab makes services installed on the computer accessible for external access. Depending on the application scenario, it grants access from an intranet or the Internet. You will come across a very extensive selection of available services, which you can enable by checking the boxes. If you log in as a system administrator, firewalld instantly enables the appropriate settings without rebooting.
In the Ports tab, you can manually release individual ports or whole port ranges for external access to the system. If you want certain protocols to pass through the firewall, you can pick them from the Protocols tab. Specifically for IPv4, the Masquerading and Port Forwarding tabs are intended for setting up the relevant computer system as a gateway for an intranet. However, for this purpose, you have to equip the computer on which the firewall is running with two interfaces. Port forwarding is used to forward ports to the local system or to a remote computer.
For less common services or individual configurations, you can configure firewalld in the Services tab. You can use Ports to assign port addresses for predefined or manually added services that deviate from the defaults. You can also define source ports and target addresses on request, although these are only available in the Permanent configuration setting. Target addresses can be enabled for IPv4 and IPv6.
The last tab, IPSets, lets you define IP address ranges or individual IP addresses for which the firewall grants or blocks external access. For this purpose, you create the corresponding blacklists and whitelists; the software also takes port numbers and MAC addresses into account.
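The same zone, service, port, port-forwarding, and IPSet settings that firewall-config exposes in its tabs can be driven from the shell with firewall-cmd. The following script is an added example, not part of the article or the firewalld project; the zone name dmz-web, the interface eth1, and all addresses are assumptions for a small gateway host, and the script only prints the commands unless you run it with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the article): the firewalld zone model from the shell.
# Zone name, interface and addresses are assumptions; adjust to your network.
# Dry-run by default (prints the commands); DRY_RUN=0 applies them as root.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

configure_dmz_zone() {
    # --permanent edits only the saved configuration (the GUI's "Permanent"
    # view); it becomes active at the final --reload. Commands without
    # --permanent change the "Runtime" view at once but vanish on reload.
    run firewall-cmd --permanent --new-zone=dmz-web
    run firewall-cmd --permanent --zone=dmz-web --add-interface=eth1

    # Services and ports: release only what the host actually offers.
    run firewall-cmd --permanent --zone=dmz-web --add-service=https
    run firewall-cmd --permanent --zone=dmz-web --add-port=8443/tcp

    # Rich rule: ssh is reachable only from the (assumed) intranet range.
    run firewall-cmd --permanent --zone=dmz-web \
        --add-rich-rule='rule family="ipv4" source address="192.168.10.0/24" service name="ssh" accept'

    # Gateway duties (IPv4 only): masquerade outbound intranet traffic and
    # forward port 80 to an internal web server (assumed address 10.0.0.5).
    run firewall-cmd --permanent --zone=dmz-web --add-masquerade
    run firewall-cmd --permanent --zone=dmz-web \
        --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=10.0.0.5

    # IPSet blocklist: sources in the set are bound to the built-in drop zone,
    # and source bindings take precedence over the interface binding, so their
    # packets are discarded before any dmz-web rule is consulted.
    run firewall-cmd --permanent --new-ipset=blocklist --type=hash:net
    run firewall-cmd --permanent --ipset=blocklist --add-entry=203.0.113.0/24
    run firewall-cmd --permanent --zone=drop --add-source=ipset:blocklist

    # Make the saved configuration the runtime one; connection state is kept.
    run firewall-cmd --reload
}

show_state() {
    # The shell view of "Active Bindings" and the per-zone tabs of the GUI.
    run firewall-cmd --get-active-zones
    run firewall-cmd --zone=dmz-web --list-all
}

configure_dmz_zone
show_state
```

With DRY_RUN=1 the printed plan can be reviewed (or diffed against a previous run) before anything touches the packet filter.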