
Is Guarddog still the easiest and best firewall GUI program for Linux?


Ant
Dec 2, 2011, 4:14:49 PM
Hello.

Is Guarddog still the best frontend GUI program to configure iptables
for firewalls in Linux (Debian) and average Linux desktop users?

Thank you in advance. :)
--
Quote of the Week: "Stir up an ant's nest." --unknown
/\___/\ Ant @ http://antfarm.home.dhs.org (Personal Web Site)
/ /\ /\ \ Ant's Quality Foraged Links: http://aqfl.net
| |o o| |
\ _ / Please nuke ANT if replying by e-mail. If crediting,
( ) then please kindly use Ant nickname and AQFL URL/link.

notbob
Dec 2, 2011, 4:42:28 PM
On 2011-12-02, Ant <ANT...@zimage.com> wrote:
> Hello.
>
> Is Guarddog still the best frontend GUI program to configure iptables
> for firewalls in Linux (Debian) and average Linux desktop users?

I don't think so. I use arno's firewall:

http://rocky.eld.leidenuniv.nl/joomla/

Arno's firewall starts out blocking everything coming at your computer.
The only traffic allowed, by default, is outgoing traffic from your
computer and it's subject to stateful inspection. End of story. If
you want to allow incoming traffic for a server (ssh, http, etc), you
can do so by editing the bash script file that configures iptables at
boot up.

I tried figuring out guarddog, but it was jes too confusing. With
arno's, no icons or zones or whatever all that GD crap is. Jes get it
running and forget it. This on a slackware box, where the command
line is mightier than the mouse. ;)

If yer running ubuntu or some ubu variant, ufw seems to work well
enough. It certainly lives up to its name, uncomplicated firewall.
I'd stick with that. I don't know if ufw is available for debian.

nb

The Natural Philosopher
Dec 2, 2011, 11:05:40 PM
Ant wrote:
> Hello.
>
> Is Guarddog still the best frontend GUI program to configure iptables
> for firewalls in Linux (Debian) and average Linux desktop users?
>

Depends on what you know about firewalling...

I have used Webmin, and it was good enough for me, but in the end I
needed to write down a fairly tidy set of rules anyway, and it wasn't
hard to do that as a series of command line commands wrapped into a
script.

Ant
Dec 3, 2011, 3:30:33 AM
On 12/2/2011 1:42 PM PT, notbob typed:
Ah, I want GUI because it is easier to understand what's going on. I use
similar products like Kerio Personal Firewall v2.1.4, Outpost Firewall
2009, Conseal PC Firewall, Norton, etc. :)

--
"Forbear, thou great good husband, little ant." --Richard Lovelace
/\___/\ Ant @ http://antfarm.ma.cx (Personal Web Site)
/ /\ /\ \ Ant's Quality Foraged Links: http://aqfl.net
| |o o| |
\ _ / If crediting, then use Ant nickname and AQFL URL/link.
( ) If e-mailing, then axe ANT from its address if needed.
Ant is currently not listening to any songs on this computer.

Ant
Dec 3, 2011, 3:34:40 AM
On 12/2/2011 8:05 PM PT, The Natural Philosopher typed:

>> Is Guarddog still the best frontend GUI program to configure iptables
>> for firewalls in Linux (Debian) and average Linux desktop users?
>
> Depends on what you know about firewalling...

Just basics like what needs to go in and out from alerts from programs.


> I have used Webmin, and it was good enough for me, but in the end I
> needed to write down a fairly tidy set of rules anyway, and it wasn't
> hard to do that as a series of command line commands wrapped into a
> script.

Well, I usually wait for the network programs to alert me of accesses.
--
"Remember when walking down the road of life, always stop and squish the
ants." --Albian in Creatures game
/\___/\ Ant @ http://antfarm.ma.cx (Personal Web Site)
/ /\ /\ \ Ant's Quality Foraged Links: http://aqfl.net
| |o o| |

David Brown
Dec 3, 2011, 6:23:53 AM
On 03/12/11 09:30, Ant wrote:
> On 12/2/2011 1:42 PM PT, notbob typed:
>
>> On 2011-12-02, Ant<ANT...@zimage.com> wrote:
>>> Hello.
>>>
>>> Is Guarddog still the best frontend GUI program to configure iptables
>>> for firewalls in Linux (Debian) and average Linux desktop users?
>>
>> I don't think so. I use arno's firewall:
>>
>> http://rocky.eld.leidenuniv.nl/joomla/
>>
>> Arno's firewall starts out blocking everything coming at your computer.
>> The only traffic allowed, by default, is outgoing traffic from your
>> computer and it's subject to stateful inspection. End of story. If
>> you want to allow incoming traffic for a server (ssh, http, etc), you
>> can do so by editing the bash script file that configures iptables at
>> boot up.
>>
>> I tried figuring out guarddog, but it was jes too confusing. With
>> arno's, no icons or zones or whatever all that GD crap is. Jes get it
>> running and forget it. This on a slackware box, where the command
>> line is mightier than the mouse. ;)
>>
>> If yer running ubuntu or some ubu variant, ufw seems to work well
>> enough. It certainly lives up to its name, uncomplicated firewall.
>> I'd stick with that. I don't know if ufw is available for debian.
>
> Ah, I want GUI because it is easier to understand what's going on. I use
> similar products like Kerio Personal Firewall v2.1.4, Outpost Firewall
> 2009, Conseal PC Firewall, Norton, etc. :)
>

These aren't similar products. Windows "firewalls" operate in a
completely different way from Linux firewalls. Linux firewalls are
concerned about what comes into, goes out of, or passes through your
machine at a lower level. Mostly you allow or deny packets depending on
their source (which interface they come in on, or their IP address),
their destination, and their protocol and port (such as port 80 tcp for
http traffic). There are, of course, many other possibilities and
features of iptables firewalls.

For typical home use, you only need a very simple setup - everything
outgoing is allowed, everything incoming is blocked unless it is in
answer to outgoing connections. You may also want to open particular
incoming ports, for applications such as bittorrent.


Windows firewalling does most of that, though not perfectly (and with
far fewer advanced options) - I believe there are certain services and
accesses that you can't disable because the system uses them. It is not
uncommon that attacks on Windows machines with the native firewall or
third-party firewalls do so by exploiting flaws in the firewall software.

What firewalls on Windows do, that firewalls on Linux normally don't do,
is try to place limits on /programs/. In the Windows world, the
assumption is that many of the programs running on your machine are
malware, or legitimate programs that otherwise "phone home" in an
undesirable way, or illegal copies of programs that might report
themselves back to the publishers. So much of a Windows firewall's
efforts are concerned with limiting the function of programs running on
your system. Again, they vary a lot on how successful they are, and
what the run-time costs in performance are. And they do not "show you
what's going on" - they give some information about some things, but you
have no way to be sure of any of it.


Of course in Linux it is possible to limit programs' access to
networking if you want - but it is normally only done by people looking
for more advanced security measures. The simplest way is probably to
make an extra user and set up rules to limit that user's access - then
you run your suspect program as that user (if your program is suspect,
you wouldn't want to run it as your normal user anyway). Or you would
use a virtual machine to get better sandboxing. For more complete
measures, including controlling the access of root programs, you should
probably look at SELinux.

I have no idea if there are gui's that help with this. But since it's
way beyond what most people need, and something that needs to be
thoroughly understood to be useful, I doubt it.




Ant
Dec 3, 2011, 11:58:38 AM
On 12/3/2011 3:23 AM PT, David Brown typed:

>> Ah, I want GUI because it is easier to understand what's going on. I use
>> similar products like Kerio Personal Firewall v2.1.4, Outpost Firewall
>> 2009, Conseal PC Firewall, Norton, etc. :)
>
> These aren't similar products. Windows "firewalls" operate in a
> completely different way from Linux firewalls. Linux firewalls are
> concerned about what comes into, goes out of, or passes through your
> machine at a lower level. Mostly you allow or deny packets depending on
> their source (which interface they come in on, or their IP address),
> their destination, and their protocol and port (such as port 80 tcp for
> http traffic). There are, of course, many other possibilities and
> features of iptables firewalls.
>
> For typical home use, you only need a very simple setup - everything
> outgoing is allowed, everything incoming is blocked unless it is in
> answer to outgoing connections. You may also want to open particular
> incoming ports, for applications such as bittorrent.
...

Well, I still want to get prompted what goes in and out. Then, I can
tell it to allow/deny, learn the IP addresses, ports, directions, etc. I
don't allow everything to go out either since I hate programs that phone
home.
--
"The evaluator counts the ants at the picnic of progress." --Mohan Singh

Ant
Dec 3, 2011, 12:04:45 PM
On 12/3/2011 2:10 AM PT, yamo' typed:

>> Is Guarddog still the best frontend GUI program to configure iptables
>> for firewalls in Linux (Debian) and average Linux desktop users?
>
> I don't know Guarddog, for using on a GUI I use firestarter.

Interesting. It looks good.

I have two questions since I didn't see the answers when quick glancing
its documentations and screen shots: Does it prompt to allow/deny and
customize in real-time when programs use the network? And does this
program use iptables like Guarddog?
--
"This is the ant. Treat it with respect. For it may very well be the
next dominant lifeform of our planet." --Empire of the Ants movie
/\___/\ Ant @ http://antfarm.ma.cx (Personal Web Site)
/ /\ /\ \ Ant's Quality Foraged Links: http://aqfl.net
| |o o| |

notbob
Dec 3, 2011, 1:57:08 PM
On 2011-12-03, Ant <a...@zimage.comANT> wrote:

> I have two questions since I didn't see the answers when quick glancing
> its documentations and screen shots: Does it prompt to allow/deny and
> customize in real-time when programs use the network? And does this
> program use iptables like Guarddog?

I understand yer dilemma, having once been a Windows user, myself.
Then, I used Signal9, which later was sold to and hosed by McAfee
under the name Conseal. It did as you ask, prompted you each time a
new connection w/o a corresponding rule, was made, either in or out,
and asked what you wanted to do.

"Do you want to pee-pee"?

"Yes"

"Do you have to unzip yer pants?"

"Yes"

Those days are over, Ant!

If you now use linux, time to acquire a new mindset. Linux assumes
you understand what yer doing and operates accordingly, not be a
clueless newbie that needs yer hand held, each action requiring a
question and answer babysitting session from the OS. You need to
consider what you want and/or need, then configure the iptables
firewall accordingly.

The best security policy is, block ALL, allowing only what you need.
Iptables allows "stateful inspection". These are rules which allow
any outgoing traffic initiated by you, but only incoming traffic that
is in direct response to the outgoing traffic you jes sent. Since
linux, by its nature, has no applications phoning home or trying to
contact the creator behind yer back ....at least by default.... then
that shouldn't be a worry. Granted, a few applications like firefox
are set up to phone home for updates, but I've yet to see one of these
auto-update apps for linux do this without first asking and/or
allowing you to disable this option. They may be out there, but I've
not run across one, yet.

So, if you browse google on yer browser, or send an IM message, you
should be safe with any block all, stateful inspection, linux
iptables packet filter (firewall) configuration. If you want to do
bittorrents and share bits, or allow SSH access, or run an apache web
server, yer gonna hafta open up yer firewall and understand how it
works.

Understand there are no firewall applications, only configuration
applications for the linux kernel iptables packet filter. They all do
the same thing, which is write the appropriate rules for iptables.
You should learn about iptables and how it works and tcp/ip
fundamentals and the various network protocols. Lotta good info pages
out there on both subjects.

IMO, understanding tcp/ip protocols is the best place to start.
Here's a pretty good one:

http://www.w3schools.com/tcpip/tcpip_intro.asp

Once you learn the protocols, then learn how/why iptables filters
them.

Good luck! ;)

nb
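Putting notbob's "block ALL, allow only what you need" policy and David Brown's earlier descriptions (the simple home setup, and running a suspect program as a separate restricted user) into an actual rule set, as an added example that is not part of the thread: a POSIX shell script in the spirit of the boot-time iptables script notbob mentions. It sets a default-deny inbound policy with stateful inspection, opens one service port, logs what gets dropped, and uses the iptables owner match to cut off network access for one local user. The function names, the DRY_RUN preview convention and the "sandbox" user are my assumptions; the chains and match modules (conntrack, limit, owner) are standard iptables.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal default-deny, stateful
# iptables rule set, plus an owner-match rule for the "extra user" idea.
# DRY_RUN=1 (the default) prints the iptables commands instead of running
# them; set DRY_RUN=0 and run as root to apply them for real.
# Function names, DRY_RUN and the "sandbox" user are illustrative choices.

DRY_RUN="${DRY_RUN:-1}"
IPT="${IPT:-iptables}"

# Execute an iptables command, or print it when previewing.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Base policy: flush old rules, block all inbound and forwarded traffic,
# allow all outbound traffic, and let replies to our own connections in.
fw_base() {
    run -F
    run -X
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -m conntrack --ctstate INVALID -j DROP
}

# Open one listening service: fw_open tcp 22 (sshd), fw_open tcp 80 (httpd).
# Only NEW connections need matching; replies are already covered by fw_base.
fw_open() {
    run -A INPUT -p "$1" --dport "$2" -m conntrack --ctstate NEW -j ACCEPT
}

# Rate-limited logging of what the policy drops, so a blocked inbound
# attempt shows up in the kernel log instead of vanishing silently.
fw_finish() {
    run -A INPUT -m limit --limit 5/min -j LOG --log-prefix fw-drop:
    run -A INPUT -j DROP
}

# Deny all network access to programs run as a given local user (the
# "run the suspect program as another user" approach). The owner match
# only works in the OUTPUT chain; REJECT makes the program fail fast.
fw_restrict_user() {
    run -A OUTPUT -m owner --uid-owner "$1" -j REJECT
}

# Typical home-desktop policy: block everything in, allow SSH, log drops,
# and keep the "sandbox" user off the network.
fw_demo() {
    fw_base
    fw_open tcp 22
    fw_finish
    fw_restrict_user sandbox
}

# Preview:  sh -c '. ./fw.sh; fw_demo'
# Apply:    sudo env DRY_RUN=0 sh -c '. ./fw.sh; fw_demo'
```

Previewing first is the point of the DRY_RUN default: a typo in a rule that is applied live on a remote box can lock you out of SSH, so read the printed rules, confirm the ESTABLISHED,RELATED line precedes the DROP, and only then apply. Rules written this way are not persistent; they must be re-run at boot, which is exactly what the script notbob describes does.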

David Brown
Dec 3, 2011, 8:34:56 PM
On 03/12/11 17:58, Ant wrote:
> On 12/3/2011 3:23 AM PT, David Brown typed:
>
>>> Ah, I want GUI because it is easier to understand what's going on. I use
>>> similar products like Kerio Personal Firewall v2.1.4, Outpost Firewall
>>> 2009, Conseal PC Firewall, Norton, etc. :)
>>
>> These aren't similar products. Windows "firewalls" operate in a
>> completely different way from Linux firewalls. Linux firewalls are
>> concerned about what comes into, goes out of, or passes through your
>> machine at a lower level. Mostly you allow or deny packets depending on
>> their source (which interface they come in on, or their IP address),
>> their destination, and their protocol and port (such as port 80 tcp for
>> http traffic). There are, of course, many other possibilities and
>> features of iptables firewalls.
>>
>> For typical home use, you only need a very simple setup - everything
>> outgoing is allowed, everything incoming is blocked unless it is in
>> answer to outgoing connections. You may also want to open particular
>> incoming ports, for applications such as bittorrent.
> ...
>
> Well, I still want to get prompted what goes in and out. Then, I can
> tell it to allow/deny, learn the IP addresses, ports, directions, etc. I
> don't allow everything to go out either since I hate programs that phone
> home.

You are using Linux - programs for Linux are mostly either open source
(and very rarely do anything nasty - it would quickly be spotted), or
they are serious professional programs (which also don't do anything
nasty - at least, not unless you have made illegal copies). Stop
thinking in the Windows world.

Jorgen Grahn
Dec 4, 2011, 4:11:49 AM
["Followup-To:" header set to comp.os.linux.security.]
There's a narrow zone of "freeware" though -- Google Chrome, Skype,
Adobe Flash ... I use none of them, but if I *did* want them I'd take
the privacy risk into account first.

(Of course the risk from these is less than from some random Windows
.exe you download -- about the same as from the corresponding Windows
version.)

/Jorgen

--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .