Is Guarddog still the easiest and best firewall GUI program for Linux?

On 12/3/2011 2:10 AM PT, yamo' typed:

>> Is Guarddog still the best frontend GUI program to configure iptables
>> for firewalls in Linux (Debian) and average Linux desktop users?
>
> I don't know Guarddog, for using on a GUI I use firestarter.

Interesting. It looks good.

I have two questions since I didn't see the answers when quick glancing
its documentations and screen shots: Does it prompt to allow/deny and
customize in real-time when programs use the network? And does this
program use iptables like Guarddog?
--
"This is the ant. Treat it with respect. For it may very well be the
next dominant lifeform of our planet." --Empire of the Ants movie
/\___/\ Ant @ http://antfarm.ma.cx (Personal Web Site)
/ /\ /\ \ Ant's Quality Foraged Links: http://aqfl.net
| |o o| |
\ _ / If crediting, then use Ant nickname and AQFL URL/link.
( ) If e-mailing, then axe ANT from its address if needed.
Ant is currently not listening to any songs on this computer.

On 2011-12-03, Ant <(E-Mail Removed)> wrote:

> I have two questions since I didn't see the answers when quick glancing
> its documentations and screen shots: Does it prompt to allow/deny and
> customize in real-time when programs use the network? And does this
> program use iptables like Guarddog?

I understand yer dilemma, having once been a Windows user, myself.
Then, I used Signal9, which later was sold to and hosed by McAffee
under the name Conseal. It did as you ask, prompted you each time a
new connection w/o a corresponding rule, was made, either in or out,
and asked what you wanted to do.

"Do you want to pee-pee"?

"Yes"

"Do you have to unzip yer pants?"

"Yes"

Those days are over, Ant!

If you now use linux, time to acquire a new mindset. Linux assumes
you understand what yer doing and operates accordingly, not be a
clueless newbie that needs yer hand held, each action requiring a
question and answer babysitting session from the OS. You need to
consider what you want and/or need, then configure the iptables
firewall accordingly.

The best security policy is, block ALL, allowing only what you need.
Iptables allows "stateful inspection". These are rules which allow
any outgoing traffic initiated by you, but only incoming traffic that
is in direct response to the outgoing traffic you jes sent. Since
linux, by its nature, has no applications phoning home or trying to
contact the creator behind yer back ....at least by default.... then
that shouldn't be a worry. Granted, a few applications like firefox
are set up to phone home for updates, but I've yet to see one of these
auto-update apps for linux do this without first asking and/or
allowing you to disable this option. They may be out there, but I've
not run across one, yet.

So, if you browse google on yer browser, or send an IM message, you
should be safe with any block all, statefull inspection, linux
iptables packet filter (firewall) configuration. If you want to do
bittorrents and share bits, or allow SSH access, or run an apache web
server, yer gonna hafta open up yer firewall and understand how it
works.

Understand there are no firewall applications, only configuration
applications for the linux kernal iptables packet filter. They all do
the same thing, which is write the appropriate rules for iptables.
You should learn about iptables and how it works and tcp/ip
fundamentals and the various network protocols. Lotta good info pages
out there on both subjects.

IMO, understanding tcp/ip protocols is the best place to start.
Here's a pretty good one:

http://www.w3schools.com/tcpip/tcpip_intro.asp

Once you learn the protocols, then learn how/why iptables filters
them.

Good luck!

nb

On 03/12/11 17:58, Ant wrote:
> On 12/3/2011 3:23 AM PT, David Brown typed:
>
>>> Ah, I want GUI because it is easier to understand what's going on. I use
>>> similiar products like Kerio Personal Firewall v2.1.4, Outpost Firewall
>>> 2009, Conseal PC Firewall, Norton, etc.
>>
>> These aren't similar products. Windows "firewalls" operate in a
>> completely different way from Linux firewalls. Linux firewalls are
>> concerned about what comes into, goes out of, or passes through your
>> machine at a lower level. Mostly you allow or deny packets depending on
>> their source (which interface they come in on, or their IP address),
>> their destination, and their protocol and port (such as port 80 tcp for
>> http traffic). There are, of course, many other possibilities and
>> features of iptables firewalls.
>>
>> For typical home use, you only need a very simple setup - everything
>> outgoing is allowed, everything incoming is blocked unless it is in
>> answer to outgoing connections. You may also want to open particular
>> incoming ports, for applications such as bittorrent.
> ...
>
> Well, I still want to get prompted what goes in and out. Then, I can
> tell it to allow/deny, learn the IP addresses, ports, dircetions, etc. I
> don't allow everything to go out either since I hate programs that phone
> home.

You are using Linux - programs for Linux are mostly either open source
(and very rarely do anything nasty - it would quickly be spotted), or
they are serious professional programs (which also don't do anything
nasty - at least, not unless you have made illegal copies). Stop
thinking in the Windows world.

["Followup-To:" header set to comp.os.linux.security.]

On Sun, 2011-12-04, David Brown wrote:
> On 03/12/11 17:58, Ant wrote:
>> On 12/3/2011 3:23 AM PT, David Brown typed:
>>
>>>> Ah, I want GUI because it is easier to understand what's going on. I use
>>>> similiar products like Kerio Personal Firewall v2.1.4, Outpost Firewall
>>>> 2009, Conseal PC Firewall, Norton, etc.
>>>
>>> These aren't similar products. Windows "firewalls" operate in a
>>> completely different way from Linux firewalls. Linux firewalls are
>>> concerned about what comes into, goes out of, or passes through your
>>> machine at a lower level. Mostly you allow or deny packets depending on
>>> their source (which interface they come in on, or their IP address),
>>> their destination, and their protocol and port (such as port 80 tcp for
>>> http traffic). There are, of course, many other possibilities and
>>> features of iptables firewalls.
>>>
>>> For typical home use, you only need a very simple setup - everything
>>> outgoing is allowed, everything incoming is blocked unless it is in
>>> answer to outgoing connections. You may also want to open particular
>>> incoming ports, for applications such as bittorrent.
>> ...
>>
>> Well, I still want to get prompted what goes in and out. Then, I can
>> tell it to allow/deny, learn the IP addresses, ports, dircetions, etc. I
>> don't allow everything to go out either since I hate programs that phone
>> home.
>
> You are using Linux - programs for Linux are mostly either open source
> (and very rarely do anything nasty - it would quickly be spotted), or
> they are serious professional programs (which also don't do anything
> nasty - at least, not unless you have made illegal copies). Stop
> thinking in the Windows world.

There's a narrow zone of "freeware" though -- Google Chrome, Skype,
Adobe Flash ... I use none of them, but if I *did* want them I'd take
the privacy risk into account first.

(Of course the risk from these is less than from some random Windows
..exe you download -- about the same as from the corresponding Windows
version.)

/Jorgen

--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .

Thanks. I will have to check it out. Yeah, I think I will have to dump
Guarddog soon and starting learning a new GUI firewall program if Debian
is going to dump it.

Actually, will Debian remove my installed Guarddog later on or does it
leave it alone? Guarddog seems to work though. I use the same firewall
rules from my old Debian box (export and import feature).


> <http://www.simonzone.COM/software/guarddog/>

> 1) Guarddog has not had a new release in over 4 years.

> 2) The last release of Guarddog was based on the obsolete QT3/KDE3.

> 2) Debian unstable no longer provides Guarddog.

> Please draw your own conclusions in terms of what you consider "best".

> As an alternative you may wish to consider gufw.

> Description: graphical user interface for ufw

> gufw is an easy and intuitive way to manage your Linux firewall.

> It supports common tasks such as allowing or blocking pre-configured,
> common p2p, or individual port(s), and many others!

> Homepage: https://launchpad.net/gui-ufw

--
Quote of the Week: "I made my list for my birthday." --Christopher.
"Yeah, what'd you put on there? - A basketball or an ant farm." and
"This could be an ant farm. This could be a microscope or anything."
--Chris from The Pursuit of Happyness movie.
/\___/\ Ant(Dude) @ http://antfarm.home.dhs.org (Personal Web Site)
/ /\ /\ \ Ant's Quality Foraged Links: http://aqfl.net
| |o o| |
\ _ / Please nuke ANT if replying by e-mail. If crediting,
( ) then please kindly use Ant nickname and AQFL URL/link.

On Monday, December 5th, 2011 at 14:33:48h -0600, Ant wrote:

> if Debian is going to dump it.

There is no *if* about it.

<http://packages.qa.debian.org/g/guarddog.html>


QUOTE

This package is neither part of unstable nor experimental.

This probably means that the package has been removed (or has been renamed).
Thus the information here is of little interest ... the package is going
to disappear unless someone takes it over and reintroduces it into unstable.

[2011-03-29] guarddog REMOVED from testing (Britney)
[2011-03-28] Removed 2.6.0-3 from unstable (Alexander Reichle-Schmehl)

UNQUOTE

> Actually, will Debian remove my installed Guarddog later on or does it
> leave it alone?

Debian will not remove packages automagically.

But remember if you do an upgrade which causes the removal of
the Qt3 libraries, then that will cause the Guarddog package
to also be removed.

Em 02-12-2011 21:14, Ant escreveu:
> Hello.
>
> Is Guarddog still the best frontend GUI program to configure iptables
> for firewalls in Linux (Debian) and average Linux desktop users?
>
> Thank you in advance.

I am using fwbuilder.
I only had some difficulties at first.
I took an example, deleted all stuff I didn't need and then it became
really very easy to maintain, even if it is a long time without making
any changes.