picoFIREWALL: A Linux Firewall for Debian, SuSE, and other Linux Distributions
- Tested on Debian and SuSE Linux
Contents:
- You are in a hurry? Quick install on Debian Linux
- Features
- Changelog
- Download
- Installation
- Configuration
- Starting/stopping picoFirewall
- Using picoFirewall and other iptables commands
- picoFirescan
QUICK INSTALL ON DEBIAN LINUX
- As root add the following line in your file /etc/apt/sources.list:
FEATURES
picoFIREWALL is a small (as the prefix 'pico' implies) firewall based on
netfilter (the part in the Linux kernel) and iptables (the user interface).
picoFIREWALL was especially designed to serve three purposes: protect the
machine well, require little or no configuration, and strike a good balance
between logging packets and keeping the log file small.
A useful feature is rule-based logging: each entry in the log file makes it
possible to find the rule in picofirewall.conf that caused the entry.
These rule-based comments also appear in the log-file analysis program
picoFIRESCAN.
It does a good job of securing machines that are directly connected to the
internet (via ADSL, TV cable, modem, or otherwise). If you have more than one
Ethernet interface, the one pointing to the internet will be protected; the
other interfaces will be allowed full in- and outbound traffic.
picoFirewall is intended to protect your machine against unauthorized packets
arriving from the internet. In addition, however, you should also make sure
that no services are running on your Linux system which are not really
necessary. If you do need such services, allow access to them only from
those you trust.
picoFIREWALL and the monitoring software picoFIRESCAN
may be useful tools if you want to know what is going on at your internet
connection.
LINK TO THE picoFIREWALL SCRIPT
Should you like to see how picoFIREWALL is programmed, just follow the
link to the firewall-script.
We run picoFIREWALL on several Linux machines, running SuSE Linux 7.3, 8.0,
8.1, 8.2, and 9.0, as well as on Debian Linux (Sarge);
one of these machines is a mail-, web-, and a DNS-server.
Debian users may download and install picoFIREWALL by doing the following:
You should first stop any existing firewall you already have running!
- As root, add the following line to your file /etc/apt/sources.list:
deb http://debian.seismo.ethz.ch sarge ethz_sed
- Enter: apt-get update; apt-get install picofirewall
- You're done and protected!
- Consider installing picoFirescan for viewing the results
Typically, picoFirewall needs no configuration. Should you run a web-, DNS-,
DHCP-, or mail-server, modify the file /etc/picofirewall/picofirewall.conf.
It is set up to be a stateful firewall, meaning that it keeps track of its
connections and thereby distinguishes packets belonging to an established
connection from packets that are not associated with any connection your PC
has opened.
The principle followed was a 'drop all packets' philosophy, then allow needed
packets on a step-by-step basis; this concept seemed safer to me than
the other way round (first allow everything, then make restrictions).
This firewall allows you to run VMware on this machine if you are running it in
NAT mode and want to connect to your host system.
More information is given in the files README, CHANGELOG,
CONFIGURATION,
INSTALL, and REFERENCES, which come with the distribution of picoFIREWALL.
V3.8 13Jul2006 Allow to execute your own iptables-commands when starting or
stopping picofirewall
V3.7 08Apr2005 Log outgoing packets only if connection is not established or related
V3.6 08Apr2005 Log outgoing packets as well
V3.5 02Dec2004 Added an improved solution for German locales from Jo Sender.
V3.4 02Dec2004 Make sure, things also work with 'German locales'; thanks to
Jo Sender from the DLR for the hint!
V3.3 30Nov2004 Support DNS-Servers and enable unlimited traffic to other
interfaces than the one pointing to the internet.
V3.2 27Sep2004 Create /etc/picofirewall/picofirewall.conf automatically
V3.1 27Sep2004 Improved the check, whether we are on Debian or not.
Other minor changes.
V3.0 23Sep2004 Files are now stored in places according to the Linux
filesystem standard. picofirewall.conf has been split
into picofirewall.conf (configuration only) and
picofirewall.sh (rules only).
In addition, a Debian package is available now.
A new open_extra_log.cfg is now also used by picofirewall.
Currently, newer versions than V2.9 are only available as Debian packages,
see section Download.
V2.9 28Apr2004 Change some links to our new web-server www.seismo.ethz.ch
V2.8 25Mar2004 Allow packets from port 53 (DNS replies) to upper ports only
V2.7 24Mar2004 Allow only DHCP replies, when state is 'established'
V2.6 31Jan2004 For noise_nolog machines, drop also INVALID packets!
Ask, if more than one ethernet interfaces are found
V2.5 30Nov2003 First treat open- and noise-hosts; *then* make syn-flood checks
V2.4 25Nov2003 New order: first *_nolog, then *log
V2.3 18Nov2003 We do not strictly drop ping-requests anymore: incoming
'pings' can be allowed for specific or all machines.
The same is possible for all kinds of ICMP packets.
First, we now make sure that www and mail are allowed for all.
Second, we check the noisy hosts, where we drop packets.
Then we allow packets from trusted machines (open*.cfg).
With this it is possible, e.g., to deny pings from a machine
from which we allow all other packets.
Modified for usage under Debian as well.
V2.2 18May2003 For web- and mail-servers allow lots of packets to specific
ports (80 and 25); otherwise we might lose e-mails
...
- First version: Version 0.1 in early December 2002
We also run VMware Workstation 3.2, 4.0, and 4.5 on a machine, and it works
fine while picoFIREWALL is active; we can even share files between the
Windoze guest OS and the Linux host operating system.
picoFIREWALL should run on all newer Linux versions (2.4 and 2.6) with
netfilter in the kernel and iptables as the user interface.
And: please note that the file picofirewall.conf (and its link
picofirewall.html) may be viewed with a web browser for better understanding!
Any feedback to picoFIREWALL is greatly appreciated - whether good or bad!
Urs Kradolfer uk
- Add the following line in your /etc/apt/sources.list :
deb http://debian.seismo.ethz.ch sarge ethz_sed (new since 13Apr2005)
- Then enter: apt-get update; apt-get install picofirewall
- The documentation is then available in /usr/share/doc/picofirewall
In order to build picoFirewall from source, do the following (Debian users
have already installed picoFirewall by 'downloading' it - see above):
- Download and save picofirewall.tar.gz to your computer.
- On other Linux systems, go to the directory below which picoFIREWALL should
be installed (e.g. /app).
- Enter the following commands (as root, in order to be able to start picoFIREWALL):
su -
(enter root-password)
gunzip picofirewall.tar.gz
tar xvf picofirewall.tar
cd picofirewall
./install
- Attention Debian users:
In early 2004 it was observed that the kernel did not properly
log the firewall results; this problem has apparently been solved by now.
Should you experience this behaviour, proceed as follows:
Modify the file /etc/init.d/klogd:
instead of KLOGD="" it should read KLOGD="-c 1"
(this is necessary in order to have the firewall logging).
Then enter: /etc/init.d/klogd restart
CONFIGURATION
cd /etc/picofirewall
--> Configure the very few things in the head of the file
/etc/picofirewall/picofirewall.conf (the configuration is explained there).
If you want further configuration information, read the file
CONFIGURATION that comes with the distribution.
STARTING/STOPPING picoFirewall
To start picoFirewall, enter as user root: /etc/init.d/picofirewall start
- on Debian, picoFirewall is started automatically after installation.
To stop picoFirewall, enter as user root: /etc/init.d/picofirewall stop
Using picoFirewall and other iptables commands
Should you want to execute additional iptables commands for your own purposes,
you may create an executable file /etc/picofirewall/commands_after_start.sh,
which will be executed after picoFirewall is started.
Similarly, if you want to execute iptables commands after having picoFirewall
stopped, create an executable file /etc/picofirewall/commands_after_stop.sh,
which will be executed after picoFirewall has been stopped.
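As an added example (not part of the picoFIREWALL distribution), one hook script that can be installed as /etc/picofirewall/commands_after_start.sh and, via a symlink, as commands_after_stop.sh: it decides by its own file name whether to add or remove a small set of extra rules that restrict SSH on the internet-facing interface to one management host and rate-limit the logging of other attempts, in the spirit of keeping the log file small. The interface name eth0, the host 192.0.2.10 and the chain name picofw-extra are assumptions.

```shell
#!/bin/sh
# Added example hook for picoFIREWALL (not picoFIREWALL's own code).
# Install as /etc/picofirewall/commands_after_start.sh and symlink it to
# /etc/picofirewall/commands_after_stop.sh; picoFIREWALL runs the file after
# it has started or stopped, and the file name selects what to do.
set -eu

IPT=${IPT:-iptables}                 # set IPT=echo to preview the commands
CHAIN=picofw-extra                   # own chain, so removal never touches picoFIREWALL's rules
WAN_IF=${WAN_IF:-eth0}               # assumed: the interface pointing to the internet
MGMT_HOST=${MGMT_HOST:-192.0.2.10}   # assumed: the only host allowed to open SSH

hook_stop() {
    # Unhook, flush and delete the chain; ignore errors if it is already gone
    "$IPT" -D INPUT -i "$WAN_IF" -j "$CHAIN" 2>/dev/null || true
    "$IPT" -F "$CHAIN" 2>/dev/null || true
    "$IPT" -X "$CHAIN" 2>/dev/null || true
}

hook_start() {
    hook_stop                        # idempotent: start from a clean chain
    "$IPT" -N "$CHAIN"
    # Evaluate the chain before picoFIREWALL's INPUT rules for WAN packets only
    "$IPT" -I INPUT 1 -i "$WAN_IF" -j "$CHAIN"
    # SSH: accept new connections from the management host only
    "$IPT" -A "$CHAIN" -p tcp -s "$MGMT_HOST" --dport 22 -m state --state NEW -j ACCEPT
    # Any other new SSH attempt: log at most 3 per minute (prefix identifies the rule), then drop
    "$IPT" -A "$CHAIN" -p tcp --dport 22 -m state --state NEW \
        -m limit --limit 3/min --limit-burst 5 -j LOG --log-prefix "picofw-extra ssh: "
    "$IPT" -A "$CHAIN" -p tcp --dport 22 -m state --state NEW -j DROP
    # Hand every other packet back to picoFIREWALL's own rules
    "$IPT" -A "$CHAIN" -j RETURN
}

# Act only when executed under one of the two hook names; sourcing does nothing.
case "${0##*/}" in
    commands_after_start.sh) hook_start ;;
    commands_after_stop.sh)  hook_stop ;;
esac
```

With IPT=echo exported, calling hook_start prints the nine iptables commands it would run without changing anything.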
In order to have a nice view of the entries in the log file, I recommend also installing picoFIRESCAN. picoFIRESCAN analyses the entries in the log file of picoFIREWALL and creates HTML pages that give a quick overview of what happened to incoming and outgoing packets.
And: let me know, if you like the program (and also, if you do not like it...).