Setting up a personal firewall on Debian using Guarddog
From NewbieDOC
- Chris Lale
- chrislale AT users DOT berlios DOT de
Latest version
You can find the latest version of this document at http://newbiedoc.berlios.de.
Revision History
0.1 | 6th February 2006 | Revised by Chris Lale |
Initial Release. |
Abstract
This HOWTO describes how to install and use the Guarddog firewall configuration tool in Debian GNU/Linux. Guarddog use a simple but flexible GUI interface to configure iptables. It makes a great personal firewall for a standalone or networked PC.
Contents |
1 Documentation
- The Guarddog handbook: http://www.simonzone.com/software/guarddog/manual2/index.html
- The documentation installed with the Debian package is in
/usr/share/doc/razor
.
2 Introduction
A firewall is software that stops your computer communicating with other computers. A PC that cannot communicate with other computers is not much good if you want to use the internet. You must make holes in the firewall to permit communication in particular protocols (languages). Having a firewall does not mean that you can forget about other security measures.
For example, the language of web pages is the HTTP protocol. The languages of email are the SMTP and POP3 protocols. You make holes in the firewall to allow these protocols by opening ports.
Guarddog sets up a firewall using iptables
. iptables
is the standard way of firewalling in Debian GNU/Linux. iptables
is very flexible but it is difficult to set up manually. Guarddog provides an easy way of mangaging a firewall through a Graphical User Interface (GUI), with the power of iptables
but without the need to know iptables
syntax.
Guarddog is a configuration tool iptables
. iptables
continues to run even after you exit from Guarddog. iptables
will run automatically every time you boot your PC, so you only need to run Guarddog if you wish to change the firewall's configuration.
3 Installing Guarddog
Install this package using Synaptic, Aptitude or apt-get
:
guarddog
During installation you may see a message like this:
Setting up guarddog (2.4.0-1) ... Unable to start guarddog firewall - /etc/rc.firewall does not exist
Don't worry. The /etc/rc.firewall
configuration file will be created the first time you run Guarddog.
4 Run Guarddog
Run guarddog
as root
From Gnome:
- Applications -> System Tools -> Run as different user
- Run: guarddog
- As user: root
- OK
From KDE:
- Applications -> Guarddog
The first time you run Guarddog you may get this warning:
Guarddog was unable to find a Guarddog firewall at /etc/rc.firewall. This is probably ok, it just means that this is the first time Guarddog has been run on this system. But please be aware that the firewall settings shown may not represent the system's current firewalling configuration. Your Guarddog firewall will take effect once you use the 'Apply' button or exit Guarddog using 'Ok'.
You do not need to take any action. Just be aware that the default settings are not necessarily those of any existing firewall.
- OK
5 Configuring an Internet firewall on your Local PC
5.1 Zones
By default, Guarddog has two zones.
- Internet
- This zone includes all hosts (computers) on the other side of your modem or DSL/ADSL broadband router.
- Local
- This is the computer that the firewall is running on - your PC.
5.2 Permitting the Domain Name System (DNS) protocol
The DNS protocol enables you to access computers on the internet using a name like google.co.uk
rather than an IP address like 216.239.59.147
. You need to open a port for DNS in order to use the web. Do this from the Protocol tab.
- Protocol tab
- Defined Network Zones: Internet
- Protocols served from zone 'Internet' to clients in zones: + Network (expand)
- Network Protocol
- DNS - Domain Name Server
- Local
- protocol is permitted (tick)
- Network Protocol

Save and continue
- Apply
You are about to modify the system's firewall configuration. These changes may disrupt current network connections. Do you wish to continue?
- Continue
Starting firewall... Output: Using iptables. Resetting firewall rules. Loading kernel modules. Setting kernel parameters. Configuring firewall rules. Finished.
- OK
5.2.1 Test the firewall
The DNS protocol is now permitted, but HTTP is not (its Local box is still unticked). To test this, run a web browser and try to visit a site, eg google:
http://google.co.uk
Since the HTTP protocol is blocked, you should not be able to access the web page. The firewall is working!
Disable the firewall by putting a cross in the Disable Firewall box.
- Advanced (tab)
- Disable Firewall (cross)
- Apply
You are about to disable the system's firewall. This will allow all network traffic and potentially leave your system vulnerable to attack. Unless you are an advanced user and know what you are doing I recommend that you cancel this action. These changes may also disrupt current network connections. Do you wish to continue?
- Continue
Resetting firewall... Output: Using iptables. Resetting firewall rules. Finished.
- OK
Check that you can now receive web pages. Try again to visit google:
http://google.co.uk
You should see the web page! The firewall is disabled, so the HTTP protocol (and all the others) is permitted again.
5.3 Permitting the web page (HTTP) protocol

You must permit the HTTP protocol in order to be able to view web pages in your web browser. Some web pages use the secure HTTPS protocol instead eg if you are buying something online.
- Protocol tab
- Defined Network Zones: Internet
- Protocols served from zone 'Internet' to clients in zones: + File Transfer (expand)
- Network Protocol
- HTTP - World Wide Web
- Local
- protocol is permitted (tick)
- Network Protocol
- HTTPS - World Wide Web over SSL
- Local
- protocol is permitted (tick)
- Network Protocol
Save and continue
- Apply
Check that you can receive web pages with the firewall enabled. Try again to visit google:
http://google.co.uk
You should receive a web page.
6 Permit other protocols you may need
You probably need more than just HTTP. If you send email you probably use an SMTP server, and if you receive email a POP3 server. If you have a website hosted remotely you probably need to permit the FTP or SSH protocols. You may also use network tools, such as PING, on the internet. Permit just the protocols that you need. Here is a list of some common protocols that you can permit to be served from the Internet zone to the Local zone.
- web pages
- HTTP
- HTTPS
- DNS
- sending email
- SMTP
- receiving email
- POP3
- may also require ident/auth for authentication
- transferring files to and from a remote host (eg a hosted website)
- FTP
- SSH
- network tests you may wish to use on the internet
- PING
There are others you may need like chat, games, media, etc. Just look through the Protocol tree in the Protocols tab. If you need something not listed, you can always add user-defined protocols to the list.
Make the changes that you need and apply them with the Apply button. Test the new firewall configuration. When you are satisfied that everything is working correctly, save and exit by clicking on the OK button.
- OK
7 Using guarddog with a Samba Network
Samba is a great way to run a small office or home network. Samba allows you to have both Linux and Windows computers on the network. Samba uses the SMB application level protocol. You must permit Windows Networking (NETBIOS) and Microsoft SMB over TCP for Windows 2000 and later. You need to know your local network's broadcast address and the addresses or address range of the computers on the network.

ifconfig
.7.1 Set up a zone for the local network
This example shows how to create a zone Home for a home LAN network with the address range 192.168.1.0/255.255.255.0 with a broadcast address of 192.168.1.255.
Create a new zone:
- Protocol tab
- Defined Network Zones: New Zone
Select the new zone and modify its properties:
- Protocol tab
- Defined Network Zones: new zone
- Zone Properties
- Name: Home
- Comment: Home LAN
- New Address
- 192.168.1.255
- New Address
- 192.168.1.0/255.255.255.0
7.2 Allow you PC to connect to the network
Join the Home zone to the Local zone:
- Protocol tab
- Connection
- Local (ticked)
- Connection
Apply the changes.
- Apply
7.3 Test the network connections
Check that you can access your PC from another station on the network. For Windows machines, look in 'Network Neighborhood'. For Linux machines use LinNeighborhood, or use Nautilus (Gnome File Manager) or Konqueror (KDE File Manager) to look at smb:///
.
8 Adding user-defined protocols for Vipul's Razor
Check the Razor2 FAQs to find the ports you need. The FAQs are in the package documentation directory:
/usr/share/doc/razor/FAQ
For Debian Sarge, the information is:
Outgoing TCP port 2703 (Razor2) and TCP port 7 (Echo). Razor2 uses TCP pings to discover what servers are closest to it.
8.1 Add new ports for Razor2 and Echo
- Advanced tab
- User Defined Protocols:
- New Protocol button
- Name: Razor2
- Type: TCP
- Ports: 2703 - 2703
- New Protocol button
- Name: Echo
- Type: TCP
- Ports: 7 - 7
- User Defined Protocols:
- Apply
8.2 Permit Razor2 and Echo
- Protocol tab
- Defined Network Zones: Internet
- Protocols served from zone 'Internet' to clients in zones: + User Defined (expand)
- Network Protocol
- Echo
- Local
- protocol is permitted (tick)
- Network Protocol
- Razor2
- Local
- protocol is permitted (tick)
- Network Protocol
- Apply
8.3 Permit PING
- Protocol tab
- Defined Network Zones: Internet
- Protocols served from zone 'Internet' to clients in zones: + Network (expand)
- Network Protocol
- Ping
- Local
- protocol is permitted (tick)
- Network Protocol
- Apply
8.4 Test Razor
Run razor-admin
as a normal user to discover razor servers. Use the debug mode:
$ razor-admin -d -discover
If successful, you should see this line at the end of the debug messages:
razor-admin finished successfully.
If the firewall is still blocking razor, it continues to try and discover the servers, but without success.
9 Appendix A: Licence
Copyright (c) 2006 Chris Lale. chrislale AT users DOT berlios DOT de.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license can be found at http://www.fsf.org/copyleft/fdl.html.
Content is available under GNU Free Documentation License 1.2, unless otherwise stated.