
KMyFirewall attempts to make it easier to set up IPTables based firewalls on Linux systems.
It will be the right tool if you would like to have a so-called "Personal Firewall" running on your Linux box, but don't have the time and/or the interest to spend hours in front of the IPTables manual just to set up a firewall that keeps the "bad" people out.
13 years ago
Hi,
Donatas Glodenis provides KMyFirewall 1.1.1 and patched kdesudo packages for Ubuntu/Kubuntu at http://dg.lapas.info/share/paketai/ubuntu-gutsy/
thanks for his support!
greetz,
chris
---
Hi,
As reported by Donatas Glodenis the installation process in version 1.1.0 is seriously broken - IT DOES NOT INSTALL A VALID SCRIPT!
So please update to v1.1.1, which I've just released on sf.net, if you are using 1.1.0!
---
Hi,
With great thanks to Donatas Glodenis here is a much better fix solving the "kdesu -t issue". Here are the instructions from his email:
The kdesudo version 2.1, available for the coming version of Ubuntu Hardy
Heron (8.4), already has the -t option implemented. You can build your own
kdesudo package for gutsy by following these steps:
1. Download these packages from the repositories:
$ wget http://archive.ubuntu.com/ubuntu/pool/main/k/kdesudo/kdesudo_2.1-0ubuntu1.dsc
$ wget http://archive.ubuntu.com/ubuntu/pool/main/k/kdesudo/kdesudo_2.1.orig.tar.gz
$ wget http://archive.ubuntu.com/ubuntu/pool/main/k/kdesudo/kdesudo_2.1-0ubuntu1.diff.gz
2. setup sources:
$ dpkg-source -x kdesudo_2.1-0ubuntu1.dsc
3. Build package:
$ cd kdesudo-2.1/
$ sudo apt-get build-dep kdesudo
$ dpkg-buildpackage -rfakeroot -uc -b
4. Install package
$ cd ../
$ sudo dpkg -i kdesudo*.deb
Here is the apt-get source for KMyFirewall and the patched KDEsudo
http://dg.lapas.info/share/paketai/ubuntu-gutsy/
greetings,
chris
---
Release of KMyFirewall 1.1.0
Well, it has been a while since the last release, almost 2 years ;)
Sorry for the slow progress until now, but I hope the new KMyFirewall 1.1.0 release will excuse the long wait.
This release includes lots of cool new features (e.g. multi target configuration, remote installation etc.) and fixes all known bugs. Again the document format has changed a bit, but I did my best to make it compatible with rule sets created using v1.0.x.
Multi Target Configuration & Remote firewall control
With KMyFirewall 1.1.0 you are now able to define so-called Targets (accessible in the MyNetwork View); those are the computers you would like to manage using KMyFirewall.
After configuring a target (IP address and SSH port) you simply set it as the "Active Target" and edit its rule set as you did for localhost. The only requirement is that the target allows SSH connections and has a bash shell installed.
With the help of KDE's KIO technology you can install, run, show configuration etc. on the remote host, as you did on localhost before.
All communication between KMyFirewall and the target is encrypted using SSH.
New Undo/Redo Engine
As a consequence of the many problems the current undo/redo implementation has caused, I redesigned it; as a result the engine is faster, more reliable and much easier to use as a developer.
Custom Protocols (Generic Interface)
This solves one of the most annoying problems of the Generic Interface. In KMyFirewall's settings dialog you can now define your own protocols.
So if you find any important protocol still missing, simply create it and, if you like, send it to chubinger_AT_irrsinnig_DOT_org so that I can add it for the next release. (For the future I plan to implement a KHotNewStuff service to allow online updates of the protocol library.)
Improved Auto Configuration
The auto configuration capabilities have been moved to a small bash script and can therefore also be used for remote targets. If your system is not detected correctly, please send your configuration to chubinger_AT_irrsinnig_DOT_org so that I can add it to the auto configuration script.
So finally I would just like to say: have fun managing your firewalls using KMyFirewall 1.1.0.
Feedback and bug reports are very welcome.
greetings,
Chris
----
Release of KMyFirewall 1.0.1
* Adding some more protocols to the Protocol library
* Fix spelling bug in Workstation template
* Small code cleanup
* Deleted old Parser and Wizard files
* Fix rule index handling
* Allow insert of rules.
* Fix Rule renamed canceled bug
* Clean up interface: add parameter to select the config part to show instead of different methods
* Add possibility to export a package containing the scripts needed to install the ruleset on the system
* Add commandline parameter to define the GUI interface to startup with
* Fix chain log prefix saving bug
* Fix multiport ruleoption bug
-----
Release of KMyFirewall 1.0
Important: As the file format used to save the rulesets has changed, rulesets created with KMyFirewall < 1.0beta1 WILL NOT work, don't even try it!
Since the last stable release KMF has been completely rewritten in order to be even more flexible and on the other hand easier to use.
New plugin framework
Most parts of the application have been rewritten, introducing a plugin framework that allows new IPTables rule option editors to be written within a few hours (well, maybe days, depending on the option's complexity :).
This will allow us (and contributors) to easily implement the fast growing number of IPTables ruleoptions without the need of understanding the whole application.
The backend generating the IPTables rules itself has been extended to allow the registration of new rule options by defining them in an XML description file. For a detailed description about how to write such plugins have a look at the application handbook in the current CVS version.
So feel free to contribute plugins, there are lots of options still not implemented.
New Easy-To-Use platform independent interface
As I often got mails complaining about the too complex nature of KMF and the very limited possibilities the wizard provides, I simply removed the wizard and implemented a completely new interface.
Features of the new Interface
As the new interface works on an abstract description of the generated rules, the new plugin structure allows us to implement script compilers that support firewalling backends other than just netfilter/iptables.
To support a new toolkit it is required to write a compiler and an installer plugin for the new framework. Currently just the iptables/linux compiler and installer are implemented. As with the rule option plugins of the IPTables interface, it shouldn't be too much work to develop those plugins.
IPTables vs. Generic interface
The main difference between those two interfaces is that the new Generic Interface is OS and toolkit independent, while the IPTables interface is an improved version of the well known KMF GUI and is therefore tightly bound to the netfilter/iptables toolkit, so it can only be used with Linux as the operating system.
Why two different interfaces?
Especially when concerning security related applications you (as developer) need to decide if you like to build an application used by expert users (e.g. experienced system administrators) or if you like to provide a tool that everybody can handle.
It hasn't been an easy decision to implement one interface for each user group but after pondering about concepts to merge those two requirements into one interface we decided that it is much better to separate them.
This allows us to concentrate on the wishes and wanted features for each of the user groups.
---
Homepage Update
Some developer documentation has been added. Have a look at the "Documentation" section to see what's new.
---
Uploaded Suse 9.2 rpms.
Thanks to Marcus for contributing those.
APT users may install from the following repository:
ftp://ftp.gwdg.de/pub/linux/suse/apt SuSE/9.2-i386 suser-tux
---
Updating links to www.rockersoft.org Fedora Core 1/2 rpms.
They should also work for FC3
---
Adding debian testing/unstable package contributed by Raphael Lechner
---
New homepage online!
I'm very happy to announce the availability of the new fresh designed KMyFirewall homepage.
The design and implementation was done by Anton Frennevi who also designed a new icon set for KMF.
Unfortunately he won't have any more time to work with us, so a big thank you very much to him.
---
0.9.6.1 -> 0.9.6.2
Fixed rule creation bug in Wizard
Made adding of device types other than the defaults possible
Several small fixes
---
Rockersoft made packages for Fedora Core 1 available via their download server at:
http://www.rockerssoft.com/apt/fedora/1/en/i386/RPMS.rockerssoft/
Those packages are also available via an apt-get repository at:
http://www.rockerssoft.com/apt/fedora/1/en/i386/
Thanks a lot to the guys at Rockerssoft:
http://www.rockerssoft.com/forum/
Oceanwaves
11 years ago
I've switched to KDE4 recently and KMyFirewall is one of the last apps requiring KDE3.
Will there ever be a KDE4 version or was development of KMyFirewall stopped?
Oceanwaves
rumbelino
12 years ago
Thanks
marcel83
13 years ago
When I try to start my firewall with smb accepted I get this error:
Clearing iptables (created by KMyFirewall)... Done.
Starting iptables (created by KMyFirewall)...
Loading needed modules... Done.
Create custom chains... Done.
Settup Rules in Table FILTER:
Create Rules for Chain: INPUT
Error: iptables v1.3.8: multiport needs `-p tcp', `-p udp', `-p udplite', `-p sctp' or `-p dccp'
Error: Try `iptables -h' or 'iptables --help' for more information.
Setting up Rule: SMB_tcp FAILED!
Execution failed
Exit(Code): 1
Does anyone else have this problem? Is there any way to fix it?
The only "solution" I've found so far is to install the firewall anyway and then manually fix the affected line in the /etc/kmyfirewall/kmyfirewall.sh script myself.
I already posted this at the forum at Sourceforge but as it doesn't seem to be very active I'm trying it here.
Thanks in advance.
marcel83
13 years ago
I edited the kmfruleoption_protocol_option.xml and added the '-p tcp' and '-p udp' options to the "command"-attributes of the tcp_multiport_opt and udp_multiport_opt definitions. So it looks like this (for tcp as example):
<ruleoptiondefinition name="tcp_multiport_opt" guiName="TCP Multiport">
<option guiName="" command="-p tcp --match multiport" />
...
Still it would be nice if this could be fixed for a next release.
Best regards.
theanimal666
13 years ago
This issue is fixed in v1.1.0
greetz,
chris
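A check for the multiport failure reported in this thread, as an added example that is not KMyFirewall code: it scans a generated shell script for rules that load the multiport match without a `-p` naming one of the protocols listed in the iptables error. The function names and the sample script are constructed for illustration, and flagging a `-p` that comes after the match is an assumption that mirrors the option order used in the edited XML.

```python
import shlex

# Protocols the multiport match accepts, taken from the iptables v1.3.8 error
# message quoted above, plus their IANA protocol numbers.
MULTIPORT_PROTOS = {"tcp", "udp", "udplite", "sctp", "dccp",
                    "6", "17", "136", "132", "33"}


def logical_lines(script_text):
    """Yield (first_line_number, text) with backslash continuations joined."""
    buf, start = "", None
    for number, raw in enumerate(script_text.splitlines(), 1):
        if start is None:
            start = number
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf


def multiport_problem(tokens):
    """Return a reason string if the rule uses multiport without a usable -p."""
    match_at, protos = None, []
    for i, tok in enumerate(tokens[:-1]):
        nxt = tokens[i + 1].lower()
        if tok in ("-m", "--match") and nxt == "multiport" and match_at is None:
            match_at = i
        elif tok in ("-p", "--protocol", "--proto"):
            # "! -p tcp" (negated protocol) cannot satisfy multiport either
            negated = i > 0 and tokens[i - 1] == "!"
            protos.append((i, "!" if negated else nxt))
    if match_at is None:
        return None                      # rule does not use multiport
    if not protos:
        return "missing -p"
    index, value = protos[0]
    if value not in MULTIPORT_PROTOS:
        return "unsupported protocol"
    if index > match_at:                 # assumption: -p must precede the match
        return "-p after multiport"
    return None


def lint(script_text):
    """Return [(line_number, reason)] for every suspicious rule in the script."""
    findings = []
    for number, text in logical_lines(script_text):
        try:
            tokens = shlex.split(text, comments=True)
        except ValueError:               # unbalanced quote: fall back to split
            tokens = text.split()
        reason = multiport_problem(tokens)
        if reason:
            findings.append((number, reason))
    return findings


# Constructed sample script, not output of KMyFirewall.
SAMPLE = r'''#!/bin/bash
# constructed sample rules
IPT=/sbin/iptables
$IPT -A INPUT --match multiport --dports 137,138,139,445 -j ACCEPT
$IPT -A INPUT -p tcp --match multiport --dports 139,445 -j ACCEPT
$IPT -A INPUT -m multiport --dports 137,138 \
     -p udp -j ACCEPT
$IPT -A INPUT -p icmp -m multiport --dports 1,2 -j DROP
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
'''

if __name__ == "__main__":
    for number, reason in lint(SAMPLE):
        print(f"line {number}: {reason}")
```

Running it over a generated script before installing it points at the rule lines that iptables would reject, so they can be fixed in the XML definition rather than by hand in the installed script.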
LocoMojo
14 years ago
Since I didn't have the necessary dependencies from Gnome for Firestarter I tried Guarddog for a few days, but I found it to be rather confusing to configure and use.
Today I tried KMyFirewall and I found it to be very easy and intuitive to use. However, I ran into a small problem when trying to install the firewall to my Slackware system. Though I told KMyFirewall that I was using Slackware, it kept trying to install the scripts to /etc/init.d which is not present on a Slackware system. The path selection for /etc/init.d was grayed out and it wouldn't allow me to change it so I told KMyFirewall that I was using an LSB distribution which then allowed me to change the init.d path to /etc/kmyfirewall. However, even though I got my soft links in my /etc/rc.d directory, the firewall would not start up at boot time. I removed those soft links and created a new soft link called rc.firewall which pointed to /etc/kmyfirewall/kmyfirewall
That worked because Slackware's rc.inet2 script looks for an rc.firewall script in rc.d and if it finds one it issues a rc.firewall start command.
You may want to fix that so it will install on a Slackware system properly.
Also, the cups protocol is missing from the protocol library which was easy enough to fix by editing the kmfprotocollibrary.xml file. Seeing as cups is a common printing service you may want to include that protocol in the install.
Thanks for a great app, I'm pleased so far.
LocoMojo
theanimal666
14 years ago
greetings,
chris
brazz
14 years ago
I am under PCLOS, when I try to ./configure I get a message like "checking for Qt... configure: error: Qt (>= Qt 3.2 and < 4.0) (library qt-mt) not found. Please check your installation!
For more details about this problem, look at the end of config.log.
Make sure that you have compiled Qt with thread support!"
What is the trick and what can I do?
theanimal666
14 years ago
Make sure that you have the QT3 development headers installed - depending on the distribution they are normally called qt-devel or libqt-dev, shouldn't be too hard to find out the right package name.
greetings,
chris
kdemonster
14 years ago
theanimal666
14 years ago
As I do not package the app myself I cannot tell you if/where packages are available.
I'd suggest you try to google for them - should be easy to find if some are available.
greetings,
chris
tyrerj
15 years ago
I presume that your application requires certain Kernel options enabled to work. Could you PLEASE share this information with us!!!
It would be a GREAT help if you could include a text file that listed the options in the linux/.config file that need to be set to build a Kernel that would work with your app.
theanimal666
15 years ago
As far as I remember you need at least the SynCookie support and the standard iptables modules (connection tracking*, filtering, mangle, nat etc.) enabled.
For more detailed information please send me the error you get and I'll try to help as well as I can.
best regards,
chris
kaplun
15 years ago
theanimal666
15 years ago
Please make sure that the ebuild uses the right compile settings - as it works here very well - and I cannot reproduce the behaviour you are writing about.
greetings,
chris
kaplun
15 years ago
kaplun
15 years ago
./configure --prefix=/opt/kmyfirewall.
Then I've added
export PATH=/opt/kmyfirewall/bin:$PATH;
export LD_LIBRARY_PATH=/opt/kmyfirewall/lib64 (since I'm on amd64)
KDEDIRS=/opt/kmyfirewall:$KDEDIRS
Then I ran kmyfirewall (after cleaning its saved preference in my home). I created a file from a Workstation Template and on the Konsole it printed this info:
kmyfirewall: WARNING: KXMLGUIClient::setXMLFile: cannot find .rc file kmfgenericinterfaceparetui.rc
kmyfirewall: WARNING: KXMLGUIClient::setXMLFile: cannot find .rc file kmfinstallerpluginui.rc
kmyfirewall: WARNING: KXMLGUIClient::setXMLFile: cannot find .rc file kmfiptablescompiler.rc
Which are a clear message of misconfiguration. Where am I wrong?
theanimal666
15 years ago
I've never tried to install it into a separate directory, so please make sure that all environment variables are set right when running ./configure - the debian_woody_configure script does that for debian based systems - so there you should see the options needed.
greetings,
chris
dgvirtual
15 years ago
But I like it - since, to compare to Guarddog, here you can set a general policy, and then make exceptions. Hate to check all the protocols in Guarddog...
theanimal666
15 years ago
Well, this is an issue I'm working on. I just didn't have the time to finish that implementation.
But until the editor is available you may add your protocols to the protocollibrary.xml file installed in %APPDIR%/protocols/
It's a simple XML file so you shouldn't have problems understanding the syntax.
best regards,
chris
dgvirtual
15 years ago
could you perhaps refer me to a source that would list the ports that the programs on Linux most often use?
In case I create some valuable improvements to the file you mentioned, I would forward my work to you as well :)
theanimal666
15 years ago
I've taken the port numbers from the /etc/services file and googled a bit for each to find out which ports the protocols actually need to work in a connection tracking environment.
So no, sorry, I do not have any reliable source for that - that's also a reason why the list is still very small - maybe looking at the guarddog sources can help with that but I didn't have any time to do that yet.
thanks for the help offer & greetings,
chris
mdriftmeyer
15 years ago
http://www.shorewall.net/
mattepiu
15 years ago
Shelton
15 years ago
Error: kdesu: Unknown option '-i'.
Error: kdesu: Use --help to get a list of available command line options.
Execution failed
Exit(Code): 254
Trying to run this:
Are you sure you want to execute the generated iptables script?
A wrongly configured iptables script may make your computer unusable!
If your system hangs after you start the firewall, switch to a text console (Ctrl+Alt+F1) and run the following commands to reset your iptables configuration:
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -F
iptables -t nat -X
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
I am on Mandriva 10.1 Official.
Regards
Shelton.