Looking for best / easiest Linux firewall.

Ulfwald

Moderator Emeritus, Elite Member
May 27, 2000
8,646
0
76
Hey, I have messed around with freesco, even got it to copy to the HDD and boot from there. But what I am looking for is a good firewall that will run on a Celeron 800 with 256 MB RAM, a 20 gig HDD and 2 NIC cards. I suck at command line, so a GUI-based one is for me at this point.
 

Platypus

Lifer
Apr 26, 2001
31,053
321
136
iptables configs can be generated from any number of free GUI tools. I would recommend spending some time learning iptables, definitely worth the time investment.

Other options are m0n0wall and offshoots of that.

Don't be afraid of the cli, the power of UNIX lies there.
 

mc866

Golden Member
Dec 15, 2005
1,410
0
0
pfSense or m0n0wall? Both are FreeBSD based. I'm running pfSense, pretty straightforward to get set up.
 

Fallen Kell

Diamond Member
Oct 9, 1999
6,063
437
126
Another pfsense vote here... If you want better control, I would say IP Tables, but that requires a lot of knowledge and good scripting abilities of the admin to do things like add dynamic blocks to threats (I have one setup which is scanning the log files looking for repeated access failures, port probes, etc., and automatically blocking the IP address and once a threshold has been reached, does a reverse lookup to determine the ISP and does a lookup of all IPs owned by that ISP and blocks them as well).
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,101
126
Another vote for Endian.

Endian is a port of IPCop, but has a much better UI and integrates a lot of add-ons (proxy, rule-based webfilter, antivirus, traffic log, system reports). The installation is painless.

Highly recommended.
 

Brazen

Diamond Member
Jul 14, 2000
4,259
0
0
I've tried them all and definitely liked pfSense the best. I've been using it for a year and couldn't be happier with it. Technically, though, it's not a Linux but it is a *nix.
 

bugi_man

Junior Member
May 17, 2012
2
0
0
Another pfsense vote here... If you want better control, I would say IP Tables, but that requires a lot of knowledge and good scripting abilities of the admin to do things like add dynamic blocks to threats (I have one setup which is scanning the log files looking for repeated access failures, port probes, etc., and automatically blocking the IP address and once a threshold has been reached, does a reverse lookup to determine the ISP and does a lookup of all IPs owned by that ISP and blocks them as well).
I wanted to ask you if you would be so kind to share with me this "Know how" and for what I would be very thankful. Wish you all the best friend and I'll be expecting your answer soon! ))
 

PCTC2

Diamond Member
Feb 18, 2007
3,892
33
91
Clarkconnect is now ClearOS and very good.

Beat me to it. They just released ClearOS Community 6.1 and it's pretty good. I used to use ClearOS 5.x, switched to Zentyal and realized ClearOS was better.


I wanted to ask you if you would be so kind to share with me this "Know how" and for what I would be very thankful. Wish you all the best friend and I'll be expecting your answer soon! ))

I do something similar, but just for ssh.

I have a line in /etc/pam.d/sshd that says
Code:
auth [default=ignore] pam_exec.so /usr/local/bin/ssh_lockout

/usr/local/bin/ssh_lockout looks like this:
Code:
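#!/usr/local/bin/ruby
# Run by pam_exec on every sshd auth attempt: deny an IP after more than 5 failed logins today.

ip_format = /\A(\d+\.){3}\d+\z/   # the whole token must be a dotted IPv4 address
# Same layout as lastb's date column, which pads single-digit days ("May  7")
today = %x[date "+%a %b %e"].chomp
# One IP per failed-login line from today (lines without an address are dropped)
failed_ips = %x[lastb -i | grep "#{today}"].split(/\n/).collect{|line| line.split(/\s+/).find{|substr| substr =~ ip_format}}.compact
last_failed_ip = %x[lastb -i -n 1].split(/\s+/).find{|ip| ip =~ ip_format}
if last_failed_ip && failed_ips.count(last_failed_ip) > 5
  # Skip addresses that are listed in /etc/hosts
  if %x[grep -F #{last_failed_ip} /etc/hosts].empty?
     %x[echo "sshd : #{last_failed_ip} : deny" >> /etc/hosts.deny]
     %x[echo "#{last_failed_ip} has been blocked at #{Time.now}" >> /var/log/ssh_lock]
  end
end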

So every day, if an IP gets more than 5 incorrect login attempts, it gets added to /etc/hosts.deny for sshd.
I do it on a daily basis in case I'm having a bad day.
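
The counting and threshold logic described above, written as a pure function so it can be checked against sample data. This is an added example, not part of the original post. It assumes the usual `lastb -i` column order (user, tty, host, date); the `allow` and `denied` parameters and the `row` helper are hypothetical, and the sample lines are constructed.

```ruby
require 'ipaddr'

# Normalise the host column of a lastb line; nil unless it is a valid address.
def source_ip(token)
  token && IPAddr.new(token).to_s
rescue IPAddr::Error
  nil
end

# Addresses with more than `threshold` failed logins on `today`, minus
# allow-listed networks (CIDR strings) and addresses already denied.
def ips_to_block(lastb_output, today:, threshold: 5, allow: [], denied: [])
  stamp = today.strftime('%a %b %-d').split # compare tokens: lastb pads "May  7"
  counts = Hash.new(0)
  lastb_output.each_line do |line|
    fields = line.split
    next unless fields[3, 3] == stamp
    # The host is the third column. The user column is client-supplied text
    # and is never parsed as an address.
    ip = source_ip(fields[2])
    counts[ip] += 1 if ip
  end
  nets = allow.map { |cidr| IPAddr.new(cidr) }
  counts.select { |ip, n|
    n > threshold && !denied.include?(ip) && nets.none? { |net| net.include?(IPAddr.new(ip)) }
  }.keys
end

# Entry in the same form the script above appends to /etc/hosts.deny.
def deny_line(ip)
  "sshd : #{ip} : deny"
end

# Constructed lastb -i lines using documentation addresses, not from a real host.
def row(user, host, date)
  format('%-8s ssh:notty    %-16s %s 10:02 - 10:02  (00:00)', user, host, date)
end
SAMPLE = (
  [row('root', '203.0.113.7', 'Mon May  7')] * 6 +     # over the threshold today
  [row('admin', '198.51.100.20', 'Mon May  7')] * 2 +  # under the threshold
  [row('root', '203.0.113.9', 'Sun May  6')] * 6 +     # yesterday only
  [row('bob', '192.0.2.10', 'Mon May  7')] * 6 +       # allow-listed network
  [row('10.9.8.7', '203.0.113.7', 'Mon May  7')] * 6 + # IP-looking user name
  ['', 'btmp begins Sun May  6 09:00:00 2012']
).join("\n")

puts ips_to_block(SAMPLE, today: Time.new(2012, 5, 7), allow: ['192.0.2.0/24']).map { |ip| deny_line(ip) }
```

Passing the current contents of /etc/hosts.deny as `denied` keeps repeated runs from appending the same entry twice.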
 

TheRyuu

Diamond Member
Dec 3, 2005
5,479
14
81
Isn't this basically the same as doing:
Code:
sudo apt-get install fail2ban

Edit:
I may have written that without really reading (or thinking for that matter) so it may actually not be applicable to the thread (although it just might... ).
 

PCTC2

Diamond Member
Feb 18, 2007
3,892
33
91
Yeah, probably the same as fail2ban, but I just write my own scripts anyway.
 

LCTSI

Member
Aug 17, 2010
93
0
66
Clarkconnect is now ClearOS and very good.

I was really impressed by this. I ended up building my router from SL6, but ClearOS surprised me, and I was just testing 5.2.

I like that you have the GUI, but you can drop to a console and run "yum install nmap".
 

Alyx

Golden Member
Apr 28, 2007
1,181
0
0
I've used pfSense in a few environments, and also vote for it. And PCTC2, that script is pretty awesome. I'm going to play with it on my Rails servers, and maybe tie it into Capistrano so I can push the ban list across all my hosts.
 