Open source tools for security configuration, administration


James Turnbull
08.25.2005

In the first two tips of this series, author James Turnbull explained how firewalling with Linux may or may not be more secure than with Windows, and provided the basics of two important security building blocks within the kernel, netfilter and iptables. Here, he drills down further into Linux security administration and suggests some free, open source tools you can use to beef up your security. -- Editor

Do you recommend using iptables or a distro-specific tool for security configuration?

James Turnbull
Security consultant, Commonwealth Bank of Australia
James Turnbull:
This is a tricky question to answer as there are a lot of variables involved. Firstly you need to consider how comfortable you are with using iptables and with networking generally. You also need to take into consideration that distro-specific tools for enabling and managing firewalls are often aimed at a broad audience with a varying level of skills. They are thus designed to be approachable by less skilled or beginning administrators. This results in a tool that provides some broad and often basic protection for your host, whilst trying not to overly limit the functioning of your applications.

These tools often make assumptions about the default settings of iptables. This can sometimes create the illusion that your host is securely firewalled. For example, the default policy of the Red Hat Lokkit firewall management tool is to accept traffic. Most good firewall policies would do the reverse -- deny all traffic and only accept traffic you explicitly specify.

This being said, some tools are excellent and designed to provide a complete and highly flexible interface to iptables.

What are some examples of distro-specific or GUI-based configuration tools?

Turnbull:
We've seen that Red Hat comes with its own tool, Lokkit. The Lokkit tool comes in a command-line and Gnome GUI form and is very simple to use but is limited in what it can configure and do. Also, as I've highlighted above, its use of default accept policies can be problematic. A variety of other tools also exist ranging from simple to very complicated (all the tools I'll discuss here are open source and free). These include:

  • Fwbuilder, which is a sophisticated multi-firewall (it also supports Cisco PIX, BSD pf and ipfilter) rule builder. It has a GUI interface and is designed to output complete, functional firewall configurations. It can be quite complicated to use and is not recommended for beginners.
  • NARC (Netfilter Automatic Rule Configurator): a Bash script which runs from the command line and allows you to configure iptables. It has a strong focus on helping you configure rules that handle abnormal traffic (for example, blocking Smurf attacks, IP spoofing and SYN floods). The command-line interface can be intimidating for beginning users though.
  • Turtle Firewall is a Webmin-based firewall admin tool. It allows for the configuration of firewalls using an object-based system. If you are using Webmin for your administration, this is an excellent tool.
  • Firestarter is another GUI-based firewall configuration tool. I have found it personally easier to use than many of the other tools and its interface is clear and simple to navigate and operate. It also contains a real-time event and connection view of your firewall that allows you to monitor your firewall from the tool.

Overall I'd say tools can be very useful -- if you understand what you are doing with them. I firmly recommend that before you decide to use a tool, you gain an understanding of the way iptables rules are constructed and how iptables is configured. If you are comfortable with using the iptables command, then I believe it provides one of the best possible mechanisms to configure and control your firewall and to ensure you fully understand how your firewall is constructed. This knowledge will also allow you to determine whether a tool is doing the right thing and whether you are deploying a solid firewall.
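
The default-policy point from the first answer, and the advice above to check what a tool actually generated, can be tested against a saved ruleset. The script below is an added example, not part of the interview or of any tool named in it; the function name and both sample rulesets are constructed for illustration, and it does not follow jumps into user-defined chains.

```shell
# Added example: audit iptables-save text on stdin; flag filter chains that accept unmatched packets.
audit_default_policy() {
    awk '
    /^\*/ { table = substr($1, 2); next }      # "*filter" opens a table section
    table != "filter" { next }
    /^:/ {                                      # e.g. ":INPUT ACCEPT [0:0]"
        chain = substr($1, 2)
        if ($2 != "-") { policy[chain] = $2; order[++n] = chain }  # "-" marks a user chain
        next
    }
    # The first rule with no match options before -j decides every unmatched packet;
    # later rules in that chain are unreachable. Jumps to user chains are not followed.
    $1 == "-A" && ($2 in policy) && !($2 in verdict) && $3 == "-j" &&
        ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT") { verdict[$2] = $4 }
    END {
        for (i = 1; i <= n; i++) {
            c = order[i]
            fate = (c in verdict) ? verdict[c] : policy[c]
            how  = (c in verdict) ? "catch-all rule" : "chain policy"
            state = "OK"
            if (fate == "ACCEPT") { state = "OPEN"; bad = 1 }
            printf "%s %s %s via %s\n", state, c, fate, how
        }
        exit bad + 0
    }'
}
# Constructed sample: default-accept policies with a single blocked port.
sample_permissive() { cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 23 -j DROP
COMMIT
EOF
}
# Constructed sample: unmatched packets are rejected or dropped on every chain.
sample_default_deny() { cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}
sample_permissive | audit_default_policy || echo "review: a chain accepts unmatched traffic"
```

On a live host, run `iptables-save | audit_default_policy` as root; the function returns non-zero when any built-in filter chain is reported as OPEN.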


In addition to securing outsourced services for the Commonwealth Bank of Australia, James Turnbull is the author of Hardening Linux and resident security expert on SearchEnterpriseLinux.com.
