One thing the hardening packages do not provide is any tool for protecting your systems with a firewall. This absence says nothing about their importance: a short search of the Debian package list turns up many tools for building firewalls. They vary from simple to complex, and from command line to full graphical interface. Nearly all are frontends for iptables, the userspace command that loads rules into the netfilter packet-filtering framework in the Linux kernel, and they produce the appropriate rules or configuration files for you. Some provide a simple configuration language that is more readable than raw iptables commands, which the tool then translates into the proper commands. Others let you define firewall policies (which zones of the network may talk to which, and how exceptions are logged) and translate those policies into the corresponding iptables rules.
Even if your system is already behind a firewall, it is good practice to give it a firewall of its own. This multilayer approach provides additional protection if the perimeter firewall is misconfigured, bypassed, or compromised, and it also limits what a compromised neighbour on the same internal network can reach.
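To make concrete what these frontends eventually emit, here is a minimal default-deny host firewall written directly as iptables commands. This is an added example, not code from the original text or from any of the packages named here; the SSH port, the administrative network 192.0.2.0/24 (an RFC 5737 documentation prefix) and the IPv4-only scope are assumptions chosen for the illustration. By default the script only prints the commands so they can be reviewed; setting IPT=iptables and running it as root applies them.

```sh
#!/bin/sh
# Added example: a minimal default-deny IPv4 host firewall expressed as the
# raw iptables commands a frontend would generate. Not from the original page.
# Assumptions (placeholders): SSH on tcp/22, admins come from 192.0.2.0/24.
#
# Dry run by default (prints the commands). Apply with:  IPT=iptables sh fw.sh

SSH_PORT="${SSH_PORT:-22}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"   # RFC 5737 documentation prefix, assumed

rule() {
    # Print the command in dry-run mode, otherwise hand it to iptables.
    if [ "${IPT:-}" = "" ]; then
        printf 'iptables %s\n' "$*"
    else
        "$IPT" "$@"
    fi
}

host_firewall() {
    # Start from a clean slate: flush all rules, delete user-defined chains.
    rule -F
    rule -X
    # Default deny for inbound and forwarded traffic; outbound is allowed.
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT ACCEPT
    # Loopback traffic is always accepted.
    rule -A INPUT -i lo -j ACCEPT
    # Packets the connection tracker cannot classify are dropped first.
    rule -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Replies to connections this host initiated.
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # A new TCP connection must begin with SYN; anything else is a stray or a probe.
    rule -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    # SSH, but only from the administrative network.
    rule -A INPUT -p tcp -s "$ADMIN_NET" --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    # Rate-limited ping so the host stays diagnosable without being a flood target.
    rule -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
    # Log what is about to be dropped, rate limited so the log cannot be filled.
    rule -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "fw-drop: "
    # Explicit final drop (same effect as the policy, but its counters are visible).
    rule -A INPUT -j DROP
}

host_firewall
```

When applying this over an SSH session, schedule a rollback first (for example `echo 'iptables -P INPUT ACCEPT; iptables -F' | at now + 5 minutes`) and cancel it once you have confirmed you can still log in; a typo in the SSH rule otherwise locks you out. The ESTABLISHED,RELATED rule is what keeps your current session alive across the switch to a DROP policy.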
Of course, with the variety of firewall packages available, it is difficult to recommend any particular package over the others. Each has strengths and weaknesses. However, if we restrict ourselves to the more popular packages, there are a few general recommendations that can be made.
First, for desktop and development systems that don't require extremely complex configurations, firestarter (for GNOME) or guarddog (for KDE) are good starting points. They are oriented towards beginners but have advanced options that can be useful to more experienced users. Both are graphical applications. A special case is fireflier, which actually observes the application traffic on the system and recommends rules based on what it sees. Mason is a similar application, but it does not offer a graphical interface.
For servers or systems that require more robust protection, consider fwbuilder. It is similar to many enterprise firewall management systems and can generate configuration not only for Linux (both iptables and ipchains rules), but also for BSD, Mac OS X, and Cisco access lists. Configurations for multiple servers can be kept in one place and installed remotely as needed. Refer to http://www.fwbuilder.org/ for more information.
A popular alternative is Shorewall, which can also handle traffic shaping and IPsec to some extent. Shorewall uses text configuration files rather than a graphical interface: zones, the interfaces that belong to them, a default policy between each pair of zones, and a rules file listing the exceptions. More information may be found at http://shorewall.net/.
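As an added example (not Shorewall's own documentation and not code from the original text), the following script writes the four Shorewall files that express the same default-deny host policy as the raw iptables rule set above, so the two can be compared for readability. It assumes Shorewall 4.6 or later (for the `?FORMAT` and `?SECTION` directives), a single interface named eth0, and SSH reachable only from 192.0.2.0/24 (an RFC 5737 documentation prefix used as a placeholder). The files go into the directory given as the first argument (default ./shorewall-example) so they can be checked before being copied into /etc/shorewall.

```sh
#!/bin/sh
# Added example: a default-deny host policy in Shorewall's configuration
# language. Not from the original page or from the Shorewall project.
# Assumptions: Shorewall >= 4.6, one interface eth0, admins on 192.0.2.0/24.

write_shorewall_config() {
    dir="${1:-./shorewall-example}"
    mkdir -p "$dir"

    # zones: the firewall host itself and the untrusted network.
    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
EOF

    # interfaces: which NIC belongs to which zone, with anti-spoofing options.
    cat > "$dir/interfaces" <<'EOF'
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,routefilter,logmartians
EOF

    # policy: default action between zones; the rules file holds the exceptions.
    # Shorewall handles ESTABLISHED/RELATED and INVALID traffic itself.
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOGLEVEL
$FW     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF

    # rules: the only new inbound connections the host accepts.
    # $FW is expanded by Shorewall, not by the shell (quoted heredoc).
    cat > "$dir/rules" <<'EOF'
#ACTION         SOURCE              DEST    PROTO   DPORT
?SECTION NEW
SSH(ACCEPT)     net:192.0.2.0/24    $FW
Ping(ACCEPT)    net                 $FW
EOF

    echo "$dir"
}

write_shorewall_config "$@"
```

Before installing, run `shorewall check <dir>` to compile the directory without loading it, and prefer `shorewall try <dir> 60` over `shorewall start` when working remotely: `try` reverts to the previous rule set after the timeout unless you confirm, which guards against locking yourself out. STARTUP_ENABLED must be set to Yes in shorewall.conf before Shorewall will start at all.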
In all cases, for Debian Linux, the firewall packages control traffic by generating the iptables rules that the kernel's netfilter modules use to recognize, analyze, and control network traffic. Whatever tool generated them, the rule set actually in effect can always be inspected with iptables-save or iptables -L -n -v; that output, not the frontend's own view, is the place to verify what was installed.