Free firewall system software for linux

The Firewall Tester (FTester) is a tool designed for testing firewalls filtering policies and Intrusion Detection System (IDS) capabilities.The tool consists of two perl scripts, a packet injector (ftest) and the listening sniffer (ftestd). The first script injects custom packets, defined in ftest.conf, with a signature in the data part while the sniffer listens for such marked packets. The scripts both write a log file which is in the same form for both scripts. A diff of the two produced files (ftest.log and ftestd.log) shows the packets that were unable to reach the sniffer due to filtering rules if these two scripts are ran on hosts placed on two different sides of a firewall. Stateful inspection firewalls are handled with the connection spoofing option. A script called freport is also available for automatically write to log files.
Of course this is not an automated process, ftest.conf must be crafted for every different situation. Examples and rules are included in the attached configuration file.
The IDS (Intrusion Detection System) testing feature can be used either with ftest only or with the additional support of ftestd for handling stateful inspection IDS, ftest can also use common IDS evasion techniques. Instead of using the configuration syntax currently the script can also process snort rule definition file.
These two scripts were written because I was tired of doing this by hand (with packet-crafting tools and tcpdump), I know that there are at least two dozens of other methods to do this but another reason was to learn some perl ;). I hope that you enjoy them.
Main features:
- firewall testing
- IDS testing
- simulation of real tcp connections for stateful inspection firewalls and IDS
- connection spoofing
- IP fragmentation / TCP segmentation
- IDS evasion techniques

Firewall by Jim is a firewall that takes advantage of tcp_wrappers information to block users. I got tired of the firewall scripts out there not doing what I wanted them to.. I wanted a firewall that was flexible to use, but did its job. I wanted one that could be configured to any circumstance easily without changing the script itself. That is why I designed my firewall to use simple text files for configuration ease.

I have built in mutlple mean of protection into the firewall itself. Of the most notable is the hacker, trojan, spam, and blacklist capabilities.

The hacker protection will prevent the outside world from running unwanted commands. If you choose to enable this function.

The hacker protection will prevent the outside world from running unwanted commands. The trojan protection has two different levels. Standard and Intensive. The standard protection only protections from known linux and unix trojans. Where as the intensive will protect from all known trojans from windows, linux, and unix based.

The spam protection will block any IP address which is in list, from sending mail to your SMTP server.

The blacklist protection will block total communications to a site. I have also included a blacklist update script which will pull blacklist information from http://www.dshield.org .

DMZ IP Firewall script project is a script for Linux 2.4.x and iptables.

Sample:

# Configuration options, these will speed you up getting this script to work with your own setup.

# your LANs IP range and localhost IP. /24 means to only use the first 24 bits of the 32 bit IP adress. the same as netmask 255.255.255.0

# STATIC_IP is used by me to allow myself to do anything to myself, might be a security risc but sometimes I want this. If you dont have a static IP, I suggest not using this option at all for now but its still enabled per default and will add some really nifty security bugs for all those who skips reading the documentation

LAN_IP="192.168.0.2"
LAN_BCAST_ADRESS="192.168.0.255"
LAN_IFACE="eth1"

INET_IP="194.236.50.152"
INET_IFACE="eth0"

HTTP_IP="194.236.50.153"
DNS_IP="194.236.50.154"
DMZ_HTTP_IP="192.168.1.2"
DMZ_DNS_IP="192.168.1.3"
DMZ_IP="192.168.1.1"
DMZ_IFACE="eth2"

LO_IP="127.0.0.1"
LO_IFACE="lo"


IPTABLES="/usr/local/sbin/iptables"

PCX Firewall is an IPTables firewalling solution that uses Perl to generate static shell scripts based upon the users configuration settings.
This allows the firewall to startup quickly, as it does not have to parse config files every time it starts.
Enhancements:
- All known bugs have been fixed. Support has been added for Debian Sarge and Red Hat FC[1-3] as "official" distributions to work with when generating init scripts. The ability has been added to just install the generated firewall script into /etc/init.d or /etc/pcx-firewall without starting it.

KMyFirewall attempts to make it easier to setup IPTables based firewalls on Linux systems.
KMyFirewall will be the right tool if you like to have a so called "Personal Firewall" running on your Linux box, but dont have the time and/or the interest to spend hours in front of the IPTables manual just to setup a Firewall that keeps the "bad" people out.
There is also the possibility to save entire rule sets, so you only have to configure your rule set one time and then you can use it on several computers giving each of them a similar configuration (p.e. school networks, office, university etc.). For a complete list of the features have a look at the Features section
Programs cant do any magic so you still will have to know what your firewall should do to setup your rule set. KMyFirewall just tries to help you as much as possible, but you decide what it will do.
Enhancements:
- Adding some more protocols to the Protocol library
- Fix spelling bug in Workstation template
- Small code cleanup
- Deleted old Parser and Wizrad files
- Fix rule index handling
- Allow insert of rules.
- Fix Rule renamed canceled bug
- cleanup interface add parameter to select the config part to show insted of different methods
- Add posibilty to export a package containing the scripts needed to install the ruleset on the system
- Add commandline parameter to define the GUI interface to startup with
- Fix chain log prefix saving bug
- Fix multiport ruleoption bug

SINUS project is a application which assess the potential of security without obscurity.
The SINUS Firewall is a TCP/IP packet filter for the Linux operating system. It is distributed under the GNU General Public Licence and comes with complete source code, as the Linux operating system does.
The SINUS firewall is a free and easy way to protect your network from the malware of the Internet. It does not guarantee perfect security, however it comes with a wealth of features, including:
Filtering of all header fields in the IP, TCP, UDP, ICMP, IGMP packets.
Intelligent RIP and FTP support.
Easy to understand, text-based configuration.
Graphical management interface for configuration of several firewalls.
Dynamic rules, including counters and time-outs.
Extensive logging, alerting, and counter intelligence.
Prevention of packet and address spoofing - GNU GPL license.
To install the software, you need a Linux 2.0.x based system. We suggest you install a bare-bone system without X or any of the other nifty features which tend to have security holes. You should not install user accounts on the firewall system. Log-ins other than from the console should be forbidden (if you absolutely have to log in remotely, we strongly suggest you install a copy of ssh).
Although the software has been subject to thorough testing, and has been continuously running without crashes for over 12 months, we are confident someone will eventually unconver A BUG in the software. Therefore, it is version "0.1".
Please do not use this software as the sole means to protect your top secret data. This software is intended for:
People who want to study firewalls
People who dont trust their current firewall
People who currently dont have any protection at all (even if there are serious bugs, it cannot get worse, can it?)
Enhancements:
- NEW FEATURES
- user level authentification between firewall and management interface
- compiles and runs on libc6 (glibc2) systems.
- CHANGES
- management interface now written as Java application (JDK 1.1.6)
- detect land attack
- changed name from sf to sifi (SINUS firewall) due to change of maintainer (now Harald Weidner ).
- BUG FIXES
- TCP RST of established connections now pass through the firewall
- fixed a segfault bug in the passive FTP code

InJoy Firewall is a flexible firewall security solution for businesses of any size. It offers preconfigured policy templates, including full customization options, IPSec VPN integration, gateway capabilities, intuitive management, access control, many documented deployment examples, and comprehensive documentation.

Without question, the Linux Operating System provides a proven and cost-effective platform, as well as a wealth of high-quality open source software. For business use, however, it often proves difficult to find supported linux firewall solutions that provide the required level of confidence, reliability and trust. With the InJoy Firewall™, businesses can benefit from Linux without having to give up the safety of a responsible vendor and a traditional business relationship.

Security as never before — the InJoy Firewall™ for Linux provides customers with next generation intrusion and anomaly detection. These technologies provides network administrators with the ultimate tools to keep track of network activity and eliminate Internet threats of any type.

As a busy and responsible network administrator, you will find great relief in the InJoy Firewall™. As the only Linux firewall, it is designed from the ground up to be self-contained, thus ensuring optimal performance and minimum impact from third-party problems. This means you dont have to worry about dependencies with Linux connectivity software, software libraries or kernel compilation.


Manage your remote Linux-based Firewall Server from your Windows-based desktop (or any other supported Operating Systems), using the intuitive InJoy firewall™ GUI. Linux users that prefer plain-text configuration can opt for that with the InJoy firewall™ as well.

The InJoy firewall™ works the same under all the supported operating systems, meaning you can deploy a complete and unified protection strategy throughout the business and effortlessly set up fully capable VPNs without having to worry about interoperability issues.

The InJoy firewall™ installs in minutes and can be prepared for distributed, company-wide deployment, using the same simple installation scripts everywhere.

Linux Firewall is a robust, well-designed firewall for Linux 2.4 based on netfilter/iptables. The Projectfiles.com Linux Firewall is the swiss army knife of Linux firewall software. Based on the netfilter-iptables tools, the firewall is a single shell executable written in bash with configuration options and basic documentation included in the same file. It is designed for use with all types of systems: workstations, routers, and servers, and includes advanced features for expert users and Internet Service Providers.

Here are some installation tips:

1. Download the latest rc.firewall [wget http://projectfiles.com/firewall/rc.firewall]
2. Edit the options at the beginning of the file with your favorite text editor. The script comes pre-configured to deny all incoming connections. This is suitable for a typical workstation installation. Refer to the configuration page for in depth explanation of available options.
3. Make the script executable [chmod +x ./rc.firewall]
4. Become root [su]
5. Run the script [./rc.firewall]
6. After you verify that the firewall runs without errors, you may want it to be run automatically on boot. To accomplish this, move the script to the appropriate startup script directory for your distribution [/etc/rc.d/ for Slackware, /etc/init.d/ for Gentoo] and add the following lines in your startup scripts at some point after your ethernet interfaces are configured [for example /etc/rc.d/rc.local for Slackware, and /etc/conf.d/local.start for Gentoo].

Slackware
if [ -x /etc/rc.d/rc.firewall ]; then
/etc/rc.d/rc.firewall
fi
Gentoo
if [ -x /etc/init.d/rc.firewall ]; then
/etc/init.d/rc.firewall
fi

See forum for alternate installation methods.
7. If you are using this firewall on a machine to which you do not have physical access, but can reboot remotely (for example a collocated server or a Linux router at a computer illiterate friends house), you might want to think about putting in a short delay between the time the machine boots and the initialization of the firewall. This would give you a chance to log in and disable the firewall [chmod -x] if something goes wrong. A good example might be if you have the script configured to allow you to connect from a specific remote IP address and your address changes. If you choose to implement this idea, it can be done with the following code in rc.local:

if [ -x /etc/rc.d/rc.firewall ]; then
sleep 30 && /etc/rc.d/rc.firewall | logger -t rc.firewall &
echo "Firewall init in 30 seconds. Check syslog for results."
fi