picoFIREWALL: A Linux Firewall for Debian, SuSE, and other Linux Distributions

Tested on Debian and SuSE Linux

picoFirewall protects your personal PC reliably and without configuration
picoFirewall protects your server reliably and with little configuration

- You are in a hurry? Quick install on Debian Linux
- Features
- Changelog
- Download
- Installation
- Configuration
- Starting/stopping picoFirewall
- Using picoFirewall and other iptables commands
- picoFirescan


Quick install on Debian Linux

- As root, add the following line to your file /etc/apt/sources.list:
  deb http://debian.seismo.ethz.ch sarge ethz_sed
- Enter: apt-get update; apt-get install picofirewall
- You're done and protected! Consider installing picoFirescan for viewing the results.


Features

picoFIREWALL is a small (as the prefix 'pico' implies) firewall based on netfilter (the part in the Linux kernel) and iptables (the user interface).
It is set up as a stateful firewall, meaning that it keeps track of its connections and thereby distinguishes packets belonging to an established connection from packets that are not associated with any connection from your PC.

picoFIREWALL was especially designed to serve three purposes: protect the machine very well, need easy or no configuration, and find a good balance between logging packets and keeping the log file small. A useful feature is rule-based logging: the entries in the log file make it possible to find the rule in picofirewall.conf which caused the entry. These rule-based comments also appear in the log file analysis program picoFIRESCAN.
The principle followed was a 'drop all packets' philosophy, then allow needed packets on a step-by-step basis; this concept seemed safer to me than the other way round (first allow everything, then make restrictions).

It does a good job and secures machines which are directly connected to the internet (via ADSL, TV cable, modem, or otherwise). If you have more than one Ethernet interface, the one pointing to the internet will be protected; the other interfaces will be allowed full in- and outbound traffic.
This firewall allows running VMware on this machine if you are running it in NAT mode and want to connect to your host system.
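To make the stateful, drop-all-then-allow approach concrete, here is an added example in POSIX shell. It is not picoFIREWALL's own rule script (that is picofirewall.sh), and picoFIREWALL's actual rules, chain layout and log prefixes may differ from it. It assumes a hypothetical internet-facing interface name in WAN_IF (eth0 by default), uses the conntrack match for the stateful part, leaves every interface other than the internet one fully open as described above, and gives each LOG rule a prefix that names the rule, so that a log line can be traced back to it in the spirit of rule-based logging. The rules are generated as text first, so they can be reviewed with the "show" argument before "apply" (as root) executes them.

```shell
#!/bin/sh
# Added example, not picoFIREWALL's own rules: a minimal stateful,
# drop-by-default iptables ruleset for one internet-facing interface.
# Assumptions (not taken from the picoFIREWALL page):
#   WAN_IF   - hypothetical name of the interface pointing to the internet
#   IPTABLES - path of the iptables binary; set IPTABLES=echo to preview
# Rules are generated as text first so they can be reviewed (or tested)
# before being applied; "apply" pipes them into sh and needs root.

WAN_IF="${WAN_IF:-eth0}"
IPTABLES="${IPTABLES:-iptables}"

# Print one iptables invocation per line for the given internet interface.
# Order matters: the early ACCEPT rules short-circuit, and the final
# LOG+DROP pair catches everything that was not explicitly allowed.
gen_rules() {
    wan="$1"
    cat <<EOF
# policy: drop everything that is not explicitly allowed ('drop all' philosophy)
$IPTABLES -F INPUT
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
# loopback and every interface other than the internet one carry full traffic
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT ! -i $wan -j ACCEPT
# stateful part: replies to connections we opened come in, junk is dropped
$IPTABLES -A INPUT -i $wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $wan -m conntrack --ctstate INVALID -j DROP
# pings are allowed, but rate-limited
$IPTABLES -A INPUT -i $wan -p icmp --icmp-type echo-request -m limit --limit 10/second -j ACCEPT
# one explicitly opened service; new connections are logged under a rule name
$IPTABLES -A INPUT -i $wan -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 5/minute -j LOG --log-prefix "R10_ssh_new: "
$IPTABLES -A INPUT -i $wan -p tcp --dport 22 -j ACCEPT
# catch-all: log (rate-limited) and drop; the prefix identifies this rule in syslog
$IPTABLES -A INPUT -i $wan -m limit --limit 3/minute -j LOG --log-prefix "R99_drop_default: "
$IPTABLES -A INPUT -i $wan -j DROP
EOF
}

# Number of generated rule lines (comment lines excluded); a sanity check
# before applying.
rule_count() { gen_rules "$1" | grep -c '^[^#]'; }

case "${1:-show}" in
    show)  gen_rules "$WAN_IF" ;;
    apply) gen_rules "$WAN_IF" | sh -e ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

The two LOG rules are rate-limited with the limit match so that a flood of unwanted packets cannot fill the log file, which is the same trade-off between logging and log size mentioned above; the prefix on each of them is what lets a reader of syslog get back to the rule.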

picoFIREWALL is intended to protect your machine against unauthorized packets arriving from the internet. However, you should also make sure that you do not have any services running on your Linux system which are not really necessary. If you do have such services running, you should only allow their use by those you trust.

picoFIREWALL and the monitoring software picoFIRESCAN may be useful tools if you want to know what's going on at your internet connection.
More information is given in the files README, CHANGELOG, CONFIGURATION, INSTALL, and REFERENCES, which come with the distribution of picoFIREWALL.


Changelog

V3.8  13Jul2006 Allow executing your own iptables commands when starting or
                stopping picofirewall
V3.7  08Apr2005 Log outgoing packets only if connection is not established or related
V3.6  08Apr2005 Log outgoing packets as well
V3.5  02Dec2004 Added an improved solution for German locales from Jo Sender.
V3.4  02Dec2004 Make sure, things also work with 'German locales'; thanks to
                Jo Sender from the DLR for the hint!
V3.3  30Nov2004 Support DNS-Servers and enable unlimited traffic to other
                interfaces than the one pointing to the internet.
V3.2  27Sep2004 Create /etc/picofirewall/picofirewall.conf automatically
V3.1  27Sep2004 Improved the check, whether we are on Debian or not.
                Other minor changes.
V3.0  23Sep2004 Files are now stored in places according to the Linux
                filesystem standard. picofirewall.conf has been split
                into picofirewall.conf (configuration only) and
                picofirewall.sh (rules only).
                In addition, a Debian package is available now.
                A new open_extra_log.cfg is now also used by picofirewall.

Currently, newer versions than V2.9 are only available as Debian packages,
see section Download.

V2.9  28Apr2004 Change some links to our new web-server www.seismo.ethz.ch
V2.8  25Mar2004 Allow packets from port 53 (DNS replies) to upper ports only
V2.7  24Mar2004 Allow only DHCP replies, when state is 'established'
V2.6  31Jan2004 For noise_nolog machines, drop also INVALID packets!
                Ask, if more than one ethernet interfaces are found
V2.5  30Nov2003 First treat open- and noise-hosts; *then* make syn-flood checks
V2.4  25Nov2003 New order: first *_nolog, then *log
V2.3  18Nov2003 We do not strictly drop ping-requests anymore: incoming
                'pings' can be allowed for specific or all machines.
                The same is possible for all kinds of ICMP packets.
                First, we now make sure, that www and mail are allowed for all.
                Second, we check the noisy hosts, where we drop packets.
                Then we allow packets from trusted machine (open*.cfg).
                With this, it is possible, to e.g. deny pings from a machine,
                but from which we allow all other packets.
                Modified for usage under Debian as well.
V2.2  18May2003 For web- and mail-servers allow lots of packets to specific
                ports (80 and 25); otherwise we might lose e-mails
- First version: Version 0.1 in early December 2002


Should you like to see how picoFIREWALL is programmed, just follow the link to the firewall-script.


We run picoFIREWALL on several Linux machines running SuSE Linux 7.3, 8.0, 8.1, 8.2, and 9.0, as well as on Debian Linux (Sarge); one of these machines is a mail, web, and DNS server.
We also run VMware Workstation 3.2, 4.0, and 4.5 on a machine, and it works fine while picoFIREWALL is active; we can even share files between the Windoze guest OS and the Linux host operating system.
picoFIREWALL should run on all newer Linux versions (2.4 and 2.6) with netfilter in the kernel and iptables as the user interface.
And: please note that the file picofirewall.conf (and its link to picofirewall.html) may be viewed with a web browser for better understanding!
Any feedback on picoFIREWALL is greatly appreciated - whether good or bad!
Urs Kradolfer uk


Download

Debian users may download and install picoFIREWALL by doing the following:

- Add the following line to your /etc/apt/sources.list (new since 13Apr2005):
  deb http://debian.seismo.ethz.ch sarge ethz_sed
- Then enter: apt-get update; apt-get install picofirewall
- The documentation is then available in /usr/share/doc/picofirewall

In order to build picoFirewall from source, download and save picofirewall.tar.gz to your computer.


Installation

You should first stop any existing firewall you already have running!
Debian users have installed picoFirewall already by 'downloading' it - see above.
On other Linux systems, go to the directory below which picoFIREWALL should be installed (e.g. /app) and enter the following commands as root (root privileges are needed to start picoFIREWALL):

su -
(enter root-password)
gunzip picofirewall.tar.gz
tar xvf picofirewall.tar
cd picofirewall


Configuration

Typically, picoFirewall needs no configuration. Should you run a web, DNS, DHCP, or mail server, modify the file /etc/picofirewall/picofirewall.conf.

- Attention Debian users:
     In early 2004 it was observed that the kernel did not properly
     log the firewall results; this problem has apparently been solved by now.
     Should you experience this behaviour, proceed as follows:
     Modify the file /etc/init.d/klogd
     Instead of  KLOGD=""  it should read:  KLOGD="-c 1"
     This is necessary in order to get the firewall logging (the -c option sets the kernel console log level).
     Then enter:  /etc/init.d/klogd restart
cd /etc/picofirewall
  --> Configure the very few things in the head of the file
      /etc/picofirewall/picofirewall.conf (configuration is explained there)
If you want further configuration information, read the file CONFIGURATION coming with the distribution.


Starting/stopping picoFirewall

To start picoFirewall, enter as user root: /etc/init.d/picofirewall start (on Debian, picoFirewall is started automatically after installation).
To stop picoFirewall, enter as user root: /etc/init.d/picofirewall stop

Using picoFirewall and other iptables commands

Should you want to execute additional iptables commands for your own purposes, you may create an executable file /etc/picofirewall/commands_after_start.sh, which will be executed after picoFirewall has been started.
Similarly, if you want to execute iptables commands after picoFirewall has been stopped, create an executable file /etc/picofirewall/commands_after_stop.sh, which will be executed after picoFirewall has been stopped.


picoFirescan

In order to have a nice view of the entries in the log file, I recommend also installing picoFIRESCAN. picoFIRESCAN analyses the entries in the log file of picoFIREWALL and creates HTML pages that give a quick overview of what happened to incoming and outgoing packets.
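As an added example of the kind of analysis described here, and of the rule-based logging mentioned under Features (it is not picoFIRESCAN's code, and picoFIREWALL's real log prefixes are not known from this page), the following POSIX shell script summarises netfilter LOG lines from syslog by rule prefix, protocol and destination port, and counts the distinct source addresses per rule. The sample log lines are constructed, using documentation IP ranges and made-up prefixes; the field layout (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=) is the standard format written by the iptables LOG target.

```shell
#!/bin/sh
# Added example, not picoFIRESCAN itself: summarise netfilter LOG lines from
# syslog by rule prefix, protocol and destination port, so that each group of
# entries can be traced back to the rule that produced it.
# The kernel's LOG target writes "<prefix>IN=... OUT=... SRC=... DST=...
# PROTO=... SPT=... DPT=..."; the prefix is whatever --log-prefix the rule set.

# Constructed sample lines (documentation IP ranges, made-up rule prefixes):
SAMPLE_LOG='Jul 13 10:22:01 pc kernel: R99_drop_default: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1234 DF PROTO=TCP SPT=45231 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 13 10:22:05 pc kernel: R99_drop_default: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1235 DF PROTO=TCP SPT=45232 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 13 10:23:11 pc kernel: R99_drop_default: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=777 DF PROTO=TCP SPT=51000 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 13 10:24:00 pc kernel: R10_ssh_new: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=4 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 13 10:25:30 pc kernel: R99_drop_default: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=1'

# Read log lines on stdin; print one line per (prefix, protocol, dport) as
# "count<TAB>prefix<TAB>proto<TAB>dport<TAB>distinct-sources", most frequent first.
summarize_log() {
    awk '
    /kernel: .*IN=/ {
        # the rule prefix sits between "kernel: " (8 chars) and "IN=" (3 chars)
        match($0, /kernel: .*IN=/)
        prefix = substr($0, RSTART + 8, RLENGTH - 11)
        sub(/[ :]+$/, "", prefix)
        if (prefix == "") prefix = "(no prefix)"
        proto = "-"; dport = "-"; src = "-"
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dport = kv[2]
            else if (kv[1] == "SRC") src = kv[2]
        }
        key = prefix "\t" proto "\t" dport
        count[key]++
        # count each source address once per rule/port group
        if (!((key, src) in seen)) { seen[key, src] = 1; nsrc[key]++ }
    }
    END {
        for (k in count) printf "%d\t%s\t%d\n", count[k], k, nsrc[k]
    }' | sort -rn
}

case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_LOG" | summarize_log ;;
    "")   echo "usage: $0 demo | $0 <syslog file>" >&2 ;;
    *)    summarize_log < "$1" ;;
esac
```

Run it with "demo" to see the summary of the constructed sample (three connection attempts to port 445 from two sources under the catch-all rule, one new SSH connection, one ping), or pass a syslog file such as /var/log/messages to summarise real entries; lines without a "kernel:" LOG record are ignored.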

And: let me know, if you like the program (and also, if you do not like it...).

Last Update: 13Jul2006 uk --- Created: 02Jan2003 uk