Douane
Douane is a personal firewall that protects a user's privacy by allowing a user to control which applications can connect to the internet from their GNU/Linux computer.
Installation
As of now (2017/05/22) there are no Ubuntu packages available. You must build it from source.
These installation instructions are based on information from the Douane Wiki and tested on Ubuntu 16.04.2 64-bit.
Open a terminal (Ctrl+Alt+T) to run the commands.
Preparation
Update your system:
sudo apt update
sudo apt full-upgrade
If you get a notification asking to restart your computer, then restart it.
Install the dependencies
sudo apt install git build-essential dkms libboost-filesystem-dev libboost-regex-dev libboost-signals-dev policykit-1 libdbus-c++-dev libdbus-1-dev liblog4cxx10-dev libssl-dev libgtkmm-3.0-dev python3 python3-gi python3-dbus
Create a directory for compilation
cd
mkdir Douane
cd Douane
Build the kernel module
git clone https://github.com/Douane/douane-dkms
cd douane-dkms
sudo make dkms
Check if the module was built and installed correctly:
lsmod | grep douane
You should see something like:
douane 20480 0
Build the daemon
cd ~/Douane
git clone --recursive https://github.com/Douane/douane-daemon
cd douane-daemon
make
sudo make install
Build the dialog process
cd ~/Douane
git clone --recursive https://github.com/Douane/douane-dialog
cd douane-dialog
make
sudo make install
Start the dialog process:
/opt/douane/bin/douane-dialog &
Then check if it is running:
pgrep -a douane-dialog
You should see something like:
21621 /opt/douane/bin/douane-dialog
Build the configurator
cd ~/Douane
git clone https://github.com/Douane/douane-configurator
cd douane-configurator
sudo python3 setup.py install
Start the daemon and setup automatic starting
I had to insert the following text in the file /etc/init.d/douane in order to enable the automatic starting of the daemon:
### BEGIN INIT INFO
# Provides: douane
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Douane firewall
### END INIT INFO
Open the file for edit:
sudo nano /etc/init.d/douane
Then paste the above text after the program description. Press Ctrl+O, Enter to save, then Ctrl+X to exit the editor.
These are the first 21 lines of the file after I inserted the text:
#!/bin/bash
#
# douane This shell script takes care of starting and stopping
# douane daemon (A modern firewall at application layer)
#
# Author: Guillaume Hain zedtux@zedroot.org
#
# description: douane is the daemon process of the Douane firewall application. \
# This firewall is limiting access to the internet on application bases.
### BEGIN INIT INFO
# Provides: douane
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Douane firewall
### END INIT INFO
# Source function library.
. /lib/lsb/init-functions
Now you can set up the auto start and start the daemon:
sudo systemctl daemon-reload
sudo systemctl enable douane
sudo systemctl start douane
Activate the filter and auto start the dialog
Start the configurator:
douane-configurator
Then make sure the switches Use Douane to filter my network traffic and Auto start Douane on boot are both turned on.
You can review the filtering rules in the Rules tab. Right clicking a rule you get an option to delete it.
Test
If everything is fine you should see the Douane window asking for permission when you open applications that use network connections.
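A post-install check for the components set up above, added here as an example and not part of the original answer or of the Douane project. It verifies that the douane kernel module is loaded (the lsmod check above), that /etc/init.d/douane carries a BEGIN/END INIT INFO block with Provides and Default-Start (what the inserted header supplies so that systemctl enable can pick up the SysV script), and that the douane service and the douane-dialog process are running. The parsing helpers take text as input so they can be exercised without Douane installed; the lsmod sample is constructed.

```shell
#!/bin/sh
# Added example: post-install sanity check for a from-source Douane build.
# Not part of the original answer or of the Douane project.

# Constructed sample of `lsmod` output with the douane module present.
SAMPLE_LSMOD='Module                  Size  Used by
douane                 20480  0
nf_conntrack          131072  1 douane'

# module_loaded "$lsmod_output" douane -> returns 0 if the module is listed
module_loaded() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == m { found = 1 } END { exit !found }'
}

# lsb_header_ok FILE -> returns 0 if FILE has a BEGIN/END INIT INFO block
# that names a Provides: facility and a Default-Start: runlevel list
lsb_header_ok() {
    f=$1
    grep -q '^### BEGIN INIT INFO' "$f" || return 1
    grep -q '^### END INIT INFO' "$f" || return 1
    grep -q '^# Provides:[[:space:]]*[^[:space:]]' "$f" || return 1
    grep -q '^# Default-Start:[[:space:]]*[0-9]' "$f" || return 1
}

# Live check: one line per component, non-zero exit status if anything is off.
douane_status() {
    rc=0
    if module_loaded "$(lsmod)" douane; then
        echo "kernel module: loaded"
    else
        echo "kernel module: NOT loaded (run 'sudo make dkms' in douane-dkms)"; rc=1
    fi
    if lsb_header_ok /etc/init.d/douane; then
        echo "init script: LSB header present"
    else
        echo "init script: LSB header missing (systemctl enable needs it)"; rc=1
    fi
    if systemctl is-active --quiet douane; then
        echo "daemon service: active"
    else
        echo "daemon service: not active (sudo systemctl start douane)"; rc=1
    fi
    if pgrep douane-dialog >/dev/null; then
        echo "dialog process: running"
    else
        echo "dialog process: not running (/opt/douane/bin/douane-dialog &)"; rc=1
    fi
    return $rc
}
```

Run `douane_status` after the last step; a non-zero exit status points at the component to revisit. The dialog must be running before the daemon asks for a decision, otherwise there is nothing to display the permission window.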
Yes, iptables -F chain will flush all of the iptables rules for that chain, and therefore only the default policy rule will be used.
It seems likely that the default policy for your references was ACCEPT, while the default policy on your computer is DROP.
Check via sudo iptables -xvnL.
If you want to delete all of your rules in a chain, but maintain your ssh session, change the default policy to ACCEPT first. You can change it back to DROP after you have the rules you want in place, and you confirm your ssh packets are no longer relying on the default policy to get through.
sudo iptables -P INPUT ACCEPT
You might need it on the OUTPUT chain also.
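The safe flush sequence described in this answer, written out as an added example (not code from the answer itself). The helpers read a chain's default policy from `iptables -S` output and print the command order that keeps an SSH session alive: raise the policy to ACCEPT only if it is currently DROP, flush, put the rules back, and lower the policy again last. They take the listing as text so they can be checked without root; the listing below is a constructed sample, and the port number 22 and the conntrack rule are assumptions about what the rebuilt rule set should contain.

```shell
#!/bin/sh
# Added example: plan a chain flush without cutting off the SSH session.
# Not part of the original answer. Nothing here runs iptables; the functions
# operate on a saved `iptables -S` listing and print the commands to run.

# Constructed sample of `sudo iptables -S` output: INPUT defaults to DROP,
# OUTPUT to ACCEPT, and an explicit SSH rule exists on INPUT.
SAMPLE_LISTING='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# policy_from_listing "$listing" CHAIN -> prints ACCEPT or DROP for CHAIN
policy_from_listing() {
    printf '%s\n' "$1" | awk -v chain="$2" '$1 == "-P" && $2 == chain { print $3 }'
}

# has_accept_rule "$listing" CHAIN PORT -> 0 if an explicit TCP ACCEPT rule
# for PORT exists on CHAIN (the rule the session must rely on after the flush)
has_accept_rule() {
    printf '%s\n' "$1" | grep -q -- "^-A $2 .*-p tcp .*--dport $3 .*-j ACCEPT"
}

# flush_plan "$listing" CHAIN -> prints the commands in a session-safe order.
# The policy is only switched to ACCEPT (and back) when it is currently DROP.
flush_plan() {
    listing=$1; chain=$2
    policy=$(policy_from_listing "$listing" "$chain")
    if [ "$policy" = DROP ]; then
        echo "iptables -P $chain ACCEPT"
    fi
    echo "iptables -F $chain"
    # Rules assumed for the rebuilt chain: keep established flows and SSH.
    echo "iptables -A $chain -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A $chain -p tcp --dport 22 -j ACCEPT"
    if [ "$policy" = DROP ]; then
        # Lower the policy last, after the SSH rule is back in place.
        echo "iptables -P $chain DROP"
    fi
}
```

Usage on a live host: `flush_plan "$(sudo iptables -S)" INPUT` prints the sequence for review; run it with `sudo` once the rule lines match what you actually want. Before restoring DROP, `sudo iptables -xvnL INPUT` should show packet counters climbing on the SSH rule rather than on the chain policy, which is the confirmation the answer asks for.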
Best Answer
First of all, the main reason behind Firestarter not being maintained any more is that Ubuntu comes with the firewall called ufw by default. You can install a graphical interface to ufw by selecting it from the Ubuntu Software Center (package gufw) or by typing
Please note that any and every "firewall" in Ubuntu will be some kind of interface to iptables. Some of these interfaces are graphical (like Firestarter), some not (like ufw), some are not graphical, but come with their own graphical interface. You will find more information on this page.
Also, please consider the following. A firewall can be of real use if you do understand iptables and the way TCP/IP works. If you do, then configuring the firewall using either naked iptables or some kind of text interface based on config files (like ufw) usually presents no problem.