LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   How do I know that my firewall is operating correctly? (http://www.linuxquestions.org/questions/linux-security-4/how-do-i-know-that-my-firewall-is-operating-correctly-278031/)

shawn59 01-15-2005 06:59 AM

How do I know that my firewall is operating correctly?
 
I have just started to use suse 9.1, having previously used Windows XP I used Zone Alarm Firewall. This was fine and I was asked by applications whether they were to be allowed internet access. However with Suse , and have configured the firewall., I get no such questions and i do not have any icon to show that a firewall is active. Is this usual for Linux or should i download a further firewall. please help as i am very security conscious, but am slightly baffled ny linux as I have only used it for a day or so.

koen plessers 01-15-2005 10:05 AM

Hello

Yes, ZoneAlarm, it is very good indead, but there is no such thing for Linux. Unless someone came up with it lately?

But that doesn't mean that there are no good firewalls for Linux. Linux even has one build in. I repeat for the people in Redmond: Linux has one build in. They aren't listening...

But how to use it? I use Shorewall, you can download it from www.shorewall.net.

Two tips I give you:

- to not give a tcmp echo (people won't even notice your there) add this to /etc/shorewall/rules:
DROP net fw tcp 113,135
DROP net fw icmp 8

- you can test your security settings at https://www.grc.com/x/ne.dll?bh0bkyd2

Have a lot of safe fun ;-)

Koen Plessers

Capt_Caveman 01-15-2005 01:52 PM

Might also want to have a look at guaddog and firestarter. Firestarter has a look and feel similar to ZoneAlarm in particular.

shawn59 01-22-2005 11:28 AM

THANKS YOU GUYS FOR YOUR ADVICE. I AM USING SHOREWALL AT PRESENT, BUT FIND IT STRANGE THAT I NEVER GET A REQUEST TO ALLOW ACCESS TO THE INTERNET OR TO RECEIVE. IS THIS USUAL OR AM iM,ISSING SOMETHING.

Capt_Caveman 01-22-2005 12:08 PM

I AM USING SHOREWALL AT PRESENT, BUT FIND IT STRANGE THAT I NEVER GET A REQUEST TO ALLOW ACCESS TO THE INTERNET OR TO RECEIVE. IS THIS USUAL OR AM iM,ISSING SOMETHING.

Not really. Most linux firewalls don't prompt a user to make on-the-fly decisions on whether or not to allow certain types of traffic or allow certain applications to connect out (in fact I'm not aware of any). In my opinion, that's probably a good thing, because for the most part users will just click "OK" and allow traffic even though they may not know whether it's legitimate or not, which basically turns the firewall into swiss cheese after time. Plus along those lines, the average user isn't going to know what "Svchost.exe" is anyway and the warning messages that Zone alarm-like apps produce are basically worthless. If you'd like to be notified about odd connection attempts, you can add a iptables rule that logs any outbound connection attempts on non-standard ports.

From a security standpoint though, there are probably more effective means for detecting intrusions, like file alteration detection, host/network IDS, rootkit detection, etc.

edsmithers 01-28-2005 03:57 AM

more about application level control
 
i use iptables with guarddog on slackware. i'm not very familiar with the intrusion detection options (rootkit etc) given but I assume its is easier/better to configure a complete security solution with linux.

however, i'm still unclear about whether i'm missing out on something without application level control through iptables. as long as i have no malicious software installed, then my firewall will reject all illegal connections. but if for some reason an evil app is hidden on my system, can it not access the internet through a valid port and protocol and do some kind of damage, since iptables will see it only as permissible connection and not a dissallowed app? so i would need a security system in addition to iptables to protect against this?

i think in windows the problem is that its so easy to get spyware and other crap auto installed and not even know about it. even though this is far less likely in linux, if it did happen i don't see how i could stop it with my current configuration.


All times are GMT -5. The time now is 12:32 AM.