Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I am looking at doing some sort of automation for my firewall, which is about 30 or so specialized rules in my iptables script. The problem is that I am not always around, and when my fellow workers make rules they could make an error which may have consequences.
Are there any opensource utilities that do what I want?
Looking for one that checks to see if there are overlaps in the actual firewall rules that could provide invalidity for a particular ruleset. Something similar to how some OSes have privilege checkers (Windoze, for example) so there can be no escalation or accidental elevation in rights.
I looked and saw a number of white papers by a Dr. Wool; however, it looks like there isn't an actual application for this?
One would think the contrary since this would probably be very useful in the IT world.
I have a deny from source 10.0.8.200 to 10.0.9.0/24 on the range of ports 20-25. This also includes broadcasts and multicasts.
Joe Blow decides, hey, I'm going to circumvent this and allow a computer to do a broadcast from 8.x to the 9.x, or a multicast. That would then circumvent the first rule. Then Joe Blow allows another port which is included in the denies or allows, and you can see where I am going with this....
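The overlap check the post asks for, as an added example that is not part of the original thread and not any published tool: a small Python script over a constructed, simplified rule format (not iptables syntax; a real check would parse `iptables-save` output instead) that compares every rule with each earlier one under first-match semantics and flags rules that are shadowed, redundant, generalizing or conflicting. The ruleset is constructed from the scenario above, and the second run models Joe Blow inserting his catch-all allow at the top of the chain (`iptables -I CHAIN 1 ...`) rather than appending it, which is the case where the original deny is silently circumvented.

```python
"""Static check of a simplified, ordered filter rule list for dead and conflicting rules.

Rule format (constructed for this example, not iptables syntax):
    ACTION  src-cidr  dst-cidr  [proto[:lo[-hi]]]  [# comment]
First match wins, as in an iptables chain: earlier rules take precedence.
"""
import ipaddress
from dataclasses import dataclass

ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    action: str                       # "ACCEPT" or "DROP"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "any"                # "tcp", "udp" or "any"
    dports: tuple = ANY_PORTS         # inclusive destination port range
    comment: str = ""


def parse_rule(line):
    """Parse one rule line; a bare host address becomes a /32."""
    text, _, comment = line.partition("#")
    parts = text.split()
    action, src, dst = parts[0].upper(), parts[1], parts[2]
    proto, dports = "any", ANY_PORTS
    if len(parts) > 3:
        proto, _, ports = parts[3].lower().partition(":")
        if ports:
            lo, _, hi = ports.partition("-")
            dports = (int(lo), int(hi or lo))
    return Rule(action,
                ipaddress.ip_network(src, strict=False),
                ipaddress.ip_network(dst, strict=False),
                proto, dports, comment.strip())


def load(text):
    """Parse a block of rule lines, skipping blank and comment-only lines."""
    return [parse_rule(l) for l in text.splitlines() if l.split("#")[0].strip()]


def _ports_within(a, b):
    return b[0] <= a[0] and a[1] <= b[1]


def _ports_overlap(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


def covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)
            and (outer.proto == "any" or outer.proto == inner.proto)
            and _ports_within(inner.dports, outer.dports))


def overlaps(a, b):
    """True if some packet could match both rules."""
    return (a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and ("any" in (a.proto, b.proto) or a.proto == b.proto)
            and _ports_overlap(a.dports, b.dports))


def analyze(rules):
    """Compare every rule with each earlier rule; return (kind, earlier_idx, later_idx).

    shadowed:       later rule fully covered by an earlier rule with a different action (never fires)
    redundant:      later rule fully covered by an earlier rule with the same action (never needed)
    generalization: later rule covers an earlier, more specific rule with a different action
                    (fine in this order, but moving it above the specific rule would shadow it)
    conflict:       partial overlap with a different action; position alone decides the outcome
    """
    findings = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if not overlaps(earlier, later):
                continue
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((kind, i, j))
                break                     # rule j is dead; nothing after matters
            if earlier.action != later.action:
                kind = "generalization" if covers(later, earlier) else "conflict"
                findings.append((kind, i, j))
    return findings


def dead_rules(rules):
    """Indices of rules that can never match any packet."""
    return sorted({j for kind, _, j in analyze(rules) if kind in ("shadowed", "redundant")})


def insert_first(rules, rule):
    """Model `iptables -I CHAIN 1 ...`: the new rule is evaluated before all others."""
    return [rule] + list(rules)


# Constructed ruleset following the thread's scenario (not a real production policy).
RULES = load("""
DROP   10.0.8.200   10.0.9.0/24    tcp:20-25   # original deny
ACCEPT 10.0.8.0/24  10.0.9.255/32  udp         # directed broadcast into 10.0.9.0/24
ACCEPT 10.0.8.0/24  10.0.9.0/24    tcp:22      # allow ssh: overlaps the deny, deny still wins
DROP   10.0.8.200   10.0.9.0/24    tcp:21      # dead: rule 0 already drops this
ACCEPT 10.0.0.0/8   10.0.0.0/8                 # catch-all allow appended last
""")

if __name__ == "__main__":
    runs = (("appended", RULES),
            ("catch-all inserted first", insert_first(RULES[:-1], RULES[-1])))
    for name, rs in runs:
        print(f"== {name}: dead rules {dead_rules(rs)}")
        for kind, i, j in analyze(rs):
            print(f"  {kind:<14} rule {j} ({rs[j].comment}) vs rule {i} ({rs[i].comment})")
```

With the catch-all appended, only rule 3 is dead and the ssh allow is reported as a conflict that the earlier deny wins; with the same catch-all inserted first, every rule below it is reported shadowed or redundant, which is exactly the circumvention the post worries about. The four categories are the standard firewall-anomaly classes (shadowing, redundancy, generalization, correlation); the script's own names for them are assumptions, as is the rule format.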
I've never used a program that does this sort of iptables checking, so I don't know. If I didn't want Joe Blow messing with my iptables setup then I simply wouldn't let him mess with it (instead of trying to detect when he does mess with it). I'm not saying "don't let Joe Blow use iptables", because I'm assuming you don't have a choice about that. But perhaps set up an iptables chain for him - a chain which he can mess with all he wants without being able to affect your other chains. This should be easy to do with sudo, I think.
Mhh, the reason being is for firewall testing, without going too much into detail, so Joe Blow doesn't pass something when he shouldn't, if you know what I mean, or fail, depending on the point of view. Thanks for the suggestion, that helps me out in another avenue. I'll see what I can drum up in my spare time.