Master iptables with GUI Firewall Builders - Page 2

Configuring a Linux firewall can be a real chore, but with these graphical tools you can protect your network and learn by example at the same time.

 By Carla Schroder

Firewall Builder

Firewall Builder is a good choice for more complex needs, such as a multi-homed NAT firewall, or a network with multiple firewalls. It is both a firewall builder and a management system. It incorporates RCS (Revision Control System), so you can easily track all versions of your firewall configurations.

[Screenshot: Firewall Builder (courtesy Firewall Builder Project)]

It comes with several good templates, such as simple Internet connection sharing with a dynamic WAN IP and a static LAN IP, which is typical of home networks on cable or DSL. A second template adds internal DNS/DHCP. A third template includes rules for a DMZ on a third network interface. There is a "host" template for protecting a workstation, and a Web server template. You're not stuck with the default template rules, because everything Firewall Builder generates is editable and you can create your own templates. One caveat: make your changes to the policy in the GUI (or in a template), not to the generated firewall script, because that script is rewritten every time you compile the policy.
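To show what the "dynamic WAN IP / static LAN IP" template with internal DNS/DHCP boils down to in iptables terms, here is an added example in iptables-save format, written for this page rather than taken from Firewall Builder's output. The interface names, the LAN prefix and the choice of services are assumptions; adjust them for your network. Generating the policy as text first, the way Firewall Builder does, lets you read, diff and version it before it touches a live gateway.

```shell
#!/bin/sh
# Added example (not Firewall Builder output): the iptables equivalent of the
# "dynamic WAN IP / static LAN IP" connection-sharing template, plus the
# internal DNS/DHCP service of the second template. Interface names and the
# LAN prefix are assumptions; adjust them for your network.
WAN_IF=eth0                 # assumed: address assigned by the ISP via DHCP/PPPoE
LAN_IF=eth1                 # assumed: the firewall holds a static 192.168.1.1/24
LAN_NET=192.168.1.0/24      # assumed LAN prefix

# Emit the whole policy in iptables-save format. Building it as text first
# lets you read, diff and version it before it touches a live box.
gateway_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# MASQUERADE rather than SNAT, because the WAN address can change at any time
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Anti-spoofing: LAN addresses never legitimately arrive on the WAN side
-A INPUT -i $WAN_IF -s $LAN_NET -j DROP
-A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
# Traffic to the firewall itself: loopback, replies, then LAN-only services
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 53 -j ACCEPT
# DHCP DISCOVER arrives from source 0.0.0.0, so no source-address match here
-A INPUT -i $LAN_IF -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT
# Forwarded traffic: LAN out to the Internet, replies back in, nothing else
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# Number of rules in one chain of the generated policy; a quick sanity check,
# and handy when comparing against what a GUI builder emits.
chain_rule_count() {
    gateway_ruleset | grep -c "^-A $1 "
}

# Load the policy: parse it against the kernel first (-t) without committing,
# enable routing between interfaces, then load it atomically. Needs root.
apply_gateway_ruleset() {
    gateway_ruleset | iptables-restore -t || return 1
    sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
    gateway_ruleset | iptables-restore
}

# Running the script directly just prints the policy for review.
gateway_ruleset
```

Run it plain to see the policy, or `apply_gateway_ruleset` as root to load it. Because `iptables-restore` replaces the tables in one transaction, a typo fails the whole load instead of leaving a half-applied policy, which is the property you want when you are administering the box over the same network it filters.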

Firewall Builder has a useful graphical interface that shows current states, rules, and interfaces across your network. It is SNMP-aware, and includes a Network Discovery Druid that can walk your network over SNMP and create the host and interface objects for you instead of making you type them in. Be sure to get the User Manual PDF, as it is a lot more useful than the man pages.

Just Say Yes to Firewalls

Every time the subject of firewalls comes up, you can count on two dissenting voices arising:

1. "If you properly configure your box you don't need a firewall"
2. "Software firewalls are lame. Use a hardware firewall."

#1 is theoretically true, but we live in the real world. Things change, mistakes happen, and layered defenses are a standard best practice. And why let your hosts be pummeled and your LAN congested by outside attacks? Head all that junk off at your Internet gateway. Even public services benefit from being firewalled. For example, there's no need to subject your Web server to the endless SSH attacks infesting the Internet: block everything from the Internet but TCP 80 (and TCP 443 if it serves HTTPS), and allow SSH only from your management addresses. Same goes for all of your public services; reduce the load and the potential for compromise by diverting the junk.

#2 is one of those silly arguments from the Planet Bizarro. There is no magic in a "hardware firewall." All firewalls are a combination of software and hardware. A firewall is effective because it is well-configured. A more accurate question is "is it better to have a standalone, dedicated firewall, or are host-based firewalls good enough?" I prefer a standalone, dedicated box. It reduces the load on the host PC, and it's easier to maintain and secure, because you can jettison all the irrelevant bits. But well-made host-based iptables firewalls are perfectly good, too. So the definitive answer is "whichever you prefer."
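As an added example of the host-based iptables policy the last two paragraphs argue for (not code from the article), here is a Web server that accepts only its public service from the Internet, reaches SSH only from an assumed management prefix, and logs what it drops at a bounded rate. The management prefix and interface name are assumptions; the 203.0.113.0/24 range is a documentation address block standing in for your real admin network.

```shell
#!/bin/sh
# Added example (not from the article): a host-based iptables policy for a
# public Web server. Everything but the public service is dropped at the host,
# and SSH is reachable only from an assumed admin prefix.
ADMIN_NET=203.0.113.0/24    # assumed management network (documentation range)
PUBLIC_IF=eth0              # assumed interface carrying Internet traffic

# Emit the policy in iptables-save format for review, diffing and versioning.
webserver_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# Log before dropping, rate-limited so a port scan cannot fill the disk
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "fw-drop: " --log-level 4
-A LOGDROP -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# The public service, from anywhere
-A INPUT -i $PUBLIC_IF -p tcp --dport 80 -j ACCEPT
-A INPUT -i $PUBLIC_IF -p tcp --dport 443 -j ACCEPT
# Management only from the admin prefix; the Internet's SSH scanners hit LOGDROP
-A INPUT -i $PUBLIC_IF -s $ADMIN_NET -p tcp --dport 22 -j ACCEPT
# Keep the host pingable for diagnosis, but bound the echo rate
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/sec -j ACCEPT
-A INPUT -j LOGDROP
COMMIT
EOF
}

# True when the generated policy accepts a TCP port from any source, i.e. an
# ACCEPT rule for that port with no -s match. Port 22 must never pass this.
port_open_to_world() {
    webserver_ruleset | grep -- "-p tcp --dport $1 -j ACCEPT" | grep -qv -- " -s "
}

# Guard, syntax-check against the kernel (-t), then load atomically. Needs root.
apply_webserver_ruleset() {
    if port_open_to_world 22; then
        echo "refusing to load: SSH would be open to the world" >&2
        return 1
    fi
    webserver_ruleset | iptables-restore -t || return 1
    webserver_ruleset | iptables-restore
}

# Running the script directly just prints the policy for review.
webserver_ruleset
```

After loading, `iptables -L INPUT -n -v` shows the packet and byte counters per rule, so you can watch the SSH scanners pile up on the LOGDROP line while the port 80 rule carries the real traffic. The `port_open_to_world` guard is the kind of check worth keeping in front of any automated loader: it catches the day someone "temporarily" widens the SSH rule and forgets to narrow it again.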


This article was originally published on Nov 20, 2007