I like the netfilter / iptables firewall: it comes with Linux and is part of the kernel. Best of all, it has a rich feature set, is secure and free of charge.
Netfilter / iptables can match on:
- IP source and destination addresses
- TCP/UDP source and destination ports
- Ethernet MAC source and destination addresses
- Direction (inbound, outbound and forwarded traffic)
Out of the box netfilter / iptables is a stateful layer three/four packet filter: connection tracking keeps per-flow state, so replies to permitted connections can be accepted without a separate rule. With the l7-filter patch it can even match at layer seven on application protocols. Furthermore, it has a bunch of advanced features, like:
- Can do IP forwarding
- Can do port forwarding
- QoS / traffic limit
- Filter by the local user (UID/GID) that generated the packet (the owner match, for locally generated traffic)
- Time of day filtering
- Change TTL
The only question is which tool to use to configure it. There are several tools one can use to configure the netfilter firewall, like KMyFirewall, Guarddog, Shorewall, Webmin and ... Fwbuilder. I used to work with Check Point firewalls; this may be the reason why I like Fwbuilder's drag-and-drop approach.
From the website: Firewall Builder is a multi-platform firewall configuration and management tool. It consists of a GUI and a set of policy compilers for various firewall platforms. Firewall Builder uses an object-oriented approach; it helps the administrator maintain a database of network objects and allows policy editing using simple drag-and-drop operations. Firewall Builder currently supports iptables, ipfilter, OpenBSD PF as well as Cisco PIX and Cisco IOS extended access lists.
First, you need the software. The folks at Fwbuilder (www.fwbuilder.org) do not provide a Slackware package. If you want to start from scratch, grab the sources and compile them. The better and easier way is to grab the Slackware packages from here. You need the packages "fwbuilder" and "libfwbuilder". Install them with "installpkg".
NB: My package does not create a Fwbuilder menu entry. It is up to you to do so; the fwbuilder executable lies in /usr/bin.
Start fwbuilder for the first time
There is no firewall defined at this point.
Enter a name for your firewall and choose "iptables" and "Linux 2.4/2.6"
Define your interfaces. Fwbuilder can discover them automatically over SNMP, provided an SNMP agent is installed, running and configured on the box. Otherwise you have to define them manually, and you should verify the discovered list against "ifconfig" either way: a rule bound to the wrong interface does not protect anything.
You can also define an interface as having a dynamic IP address. This is what you want for the Internet-facing interface when the address is assigned by the ISP; the compiled script then looks the address up at run time instead of hard-coding it.
Check your "Host OS Settings"
Check your "Firewall Settings"
If you switch to the "Standard" library you will find an almost complete set of predefined objects (networks, services, protocols).
Now you can create your rules by dragging and dropping objects from the object tree on the left side. You can use the context menu to create additional rules, or the "Rules" menu at the top.
"Allow all" ruleset
You may want an "allow all" ruleset for testing purposes or similar use. Keep it for testing only: an "allow all" policy is no firewall at all, so do not leave it installed on a box that faces the Internet.
If you want to use your box as a router to connect your private network to the Internet, a masquerade rule is what you need: it rewrites the source address of outgoing packets to that of the external interface, which is the right choice when that address is dynamic. Keep in mind that the kernel must also have IP forwarding enabled, otherwise nothing is routed regardless of the NAT rule.
When you have finished creating your policy, install it. Choose "Compile" and then "Install". Compiling turns the policy into a shell script of iptables commands; installing copies that script to the firewall and runs it.
Choose a directory to save the compiled policy file (in this case /etc/fwbuilder). After activation, check the result with "iptables -L -n -v" and "iptables -t nat -L -n -v" rather than trusting the GUI: what the kernel actually holds is what counts.
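To make clear what the two policies described above (the "allow all" ruleset and the masquerading router) boil down to once they reach the kernel, here is a hand-written iptables script. It is an added example for this post, not the script Fwbuilder generates and not Fwbuilder's code; the interface names eth0/eth1, the private network 192.168.1.0/24 and the use of port 22 for administration are assumptions. Setting IPT=echo and SYSCTL=echo lets you dry-run it without root and read the rules it would load.

```shell
#!/bin/sh
# Added example: a stateful default-drop router policy and an "allow all"
# test policy, written by hand to mirror the Fwbuilder setup in the post.
# Interface names, LAN prefix and the admin port are assumptions.
# Override IPT/SYSCTL (e.g. IPT=echo SYSCTL=echo) to dry-run without root.

IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
WAN_IF="${WAN_IF:-eth0}"               # assumed Internet-facing interface (dynamic IP)
LAN_IF="${LAN_IF:-eth1}"               # assumed internal interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed private network behind the router

# Start from an empty table set so old rules cannot linger.
flush_all() {
    for t in filter nat mangle; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
}

# Router policy: default drop, stateful accept, LAN may go out, NAT on the WAN side.
router_policy() {
    flush_all
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    $IPT -A INPUT -i lo -j ACCEPT
    # connection tracking: replies to permitted flows need no extra rule
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # administration (assumed: ssh on 22) only from the private network
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    # anti-spoofing: packets claiming a LAN source must not arrive on the WAN interface
    $IPT -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    # LAN hosts may initiate connections to the Internet
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    # masquerade because the WAN address is dynamic
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # the NAT rule is useless unless the kernel actually forwards packets
    $SYSCTL -w net.ipv4.ip_forward=1
}

# "Allow all" policy for testing only: every chain accepts everything.
allow_all_policy() {
    flush_all
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
}

# What the kernel really holds; compare this with what the GUI shows.
show_rules() {
    $IPT -L -n -v
    $IPT -t nat -L -n -v
}

case "${1:-}" in
    router)    router_policy ;;
    allow-all) allow_all_policy ;;
    status)    show_rules ;;
    "")        : ;;   # sourced or run without an argument: load nothing
    *)         echo "usage: $0 [router|allow-all|status]" >&2; exit 2 ;;
esac
```

Run it as "sh fw.sh router" to load the router policy, "sh fw.sh allow-all" for the test policy, and "sh fw.sh status" to inspect the live tables. The anti-spoofing and ESTABLISHED,RELATED rules are exactly the kind of thing that is easy to forget when building the policy rule by rule in a GUI, so it is worth checking that the compiled Fwbuilder script contains their equivalents.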