As I get more and more mail about KMyFirewall, I decided to write this FAQ (Frequently Asked Questions) to answer some questions often asked. If you have a question and you think it should be in this FAQ, please don't hesitate to contact me.
- Can I set up application-based firewalling (e.g. just allowing Konqueror to use the net) with KMyFirewall?
- Is KMyFirewall a Firewall Application similar to "Zone Alarm" or "Norton Internet Security"?
- Can I use KMyFirewall in combination with other firewalling tools?
- Do I need to have KDE installed to use KMyFirewall?
- Will KMyFirewall become part of the official KDE distribution?
- Will there be support for other operating systems like Free/Net/OpenBSD, AIX, Solaris, etc.?
- Where are the log files the firewall generates?
Install & Compile problems
- After starting KMyFirewall I can't click any button on the red window or do anything else. What's wrong?
Q: Can I set up application-based firewalling (e.g. just allowing Konqueror to use the net) with KMyFirewall?
A: No, sorry. The reason is that KMyFirewall uses iptables to implement the ruleset, so you cannot define different rules for different applications. The whole firewalling process runs in kernel space and is completely independent of any other software; in fact, iptables does not know anything about the applications using the network. All it does is decide, for each packet, whether a port is reachable or not.
Q: Is KMyFirewall a Firewall Application similar to "Zone Alarm" or "Norton Internet Security"?
A: No. The main difference between KMyFirewall and tools from the Microsoft world is that KMyFirewall just generates an iptables script and installs it into the boot scripts. The generated configuration is static, which means that the ruleset does not change once generated, and you won't get messages like "Hey, Host: EvilGuy tried to connect to your computer. Should EvilGuy be banned permanently?".
But that does not mean the firewall configured by KMyFirewall is less secure.
In fact, static configurations are often preferred to firewalls that react to specific events (e.g. blocking a host that made a portscan) because they are much easier to maintain and to debug.
Q: Can I use KMyFirewall in combination with other firewalling tools?
A: Yes and no. As KMyFirewall deletes all existing iptables rules before setting up its own, you cannot use it in combination with other iptables-based tools like "Guard Dog" or "Firestarter". But there is no problem with using it in combination with TCP wrappers (/etc/hosts.allow, /etc/hosts.deny) or any application-level firewall.
Q: Do I need to have KDE installed to use KMyFirewall?
A: Well, you need KDE as it uses a lot of KDE-specific stuff, but only for configuring the firewall. The script generated by KMyFirewall should run on any Linux box using a kernel >= 2.4.x.
If you have problems with the generated scripts on machines other than the one KMyFirewall runs on, you may need to correct some paths (e.g. the path to the iptables binary) at the beginning of the kmyfirewall.sh file.
Q: Will KMyFirewall become part of the official KDE distribution?
A: I hope so, but there is quite a lot to do before reaching that goal. Currently it's part of the KDE Extra Gear module, so I think there is a good chance that distributions will start to package it before it's in KDE.
Q: Will there be support for other operating systems like Free/Net/OpenBSD, AIX, Solaris, etc.?
A: Not in the near future. I tried to make KMyFirewall as flexible as possible so that it allows you to use almost every feature provided by iptables, and therefore its design is very much influenced by the way iptables works. Adding support for another OS is not that easy.
Maybe I'll start working on *BSD support once 1.0 is finished, but please do not expect this to happen soon as I'm quite busy with work, university, etc. at the moment.
Q: Where are the log files the firewall generates?
A: KMyFirewall uses the iptables LOG target to log packets. iptables uses the system's logging daemon, so where these messages are written depends on your system configuration.
The most common place for those messages is /var/log/messages.
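As an added example (not part of KMyFirewall or of the original FAQ), the following Python script picks the iptables LOG entries out of a syslog file such as /var/log/messages and tallies them by source address, protocol and destination port. The sample lines and the "FW-DROP: " log prefix are constructed for illustration; the prefix KMyFirewall actually writes is not stated here, so the script matches on the LOG target's key=value fields instead.

```python
import re
import sys
from collections import Counter

# Constructed sample of syslog content (not real traffic). "FW-DROP: " is an
# assumed --log-prefix value; KMyFirewall's own prefix may differ.
SAMPLE_LOG = """\
Mar  3 10:15:01 gw kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=40122 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:02 gw sshd[812]: Server listening on 0.0.0.0 port 22.
Mar  3 10:15:04 gw kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4712 DF PROTO=TCP SPT=40123 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:16:10 gw kernel: FW-DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:66:77:88:99:aa:cc:08:00 SRC=198.51.100.20 DST=192.0.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=1234 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar  3 10:16:30 gw kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:cc:08:00 SRC=198.51.100.20 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  3 10:17:00 gw kernel: eth0: link up, 100Mbps, full-duplex
"""

FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=value; value may be empty (OUT=)

def parse_log_line(line):
    """Return the key=value fields of an iptables LOG entry, or None."""
    if "kernel:" not in line:
        return None  # LOG entries are kernel messages
    fields = dict(FIELD.findall(line.split("kernel:", 1)[1]))
    # Require the fields an IPv4 LOG entry always has, whatever the prefix is.
    if not {"IN", "OUT", "SRC", "DST"} <= fields.keys():
        return None
    return fields

def summarize(log_text):
    """Count logged packets per (source, protocol, destination port)."""
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f:
            # ICMP entries carry TYPE=/CODE= instead of ports, hence "-".
            hits[(f["SRC"], f.get("PROTO", "?"), f.get("DPT", "-"))] += 1
    return hits

if __name__ == "__main__":
    # Usage: script.py /var/log/messages   (falls back to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for (src, proto, dpt), n in summarize(text).most_common():
        print(f"{n:5d}  {src:15s}  {proto:4s}  dpt={dpt}")
```

If your logging daemon writes kernel messages somewhere other than /var/log/messages, pass that file instead.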
Install & Compile problems
Q: I'd like to help. What can I do, and who do I need to contact?
A: Please go on. As I'm doing most of the work alone, every kind of help (coding, testing, beer, packaging, documentation etc.) is very welcome.
Please feel free to contact me by e-mail - your help will be greatly appreciated.