I use a script by Brian Hatch that i am sure i got from a post on this here forum ;
http://www.linuxquestions.org/questi...d.php?t=449022 - 64k
as googled for " brian hatch's firewall script " .I am not sure i understand everything in the script but it did seem to be the easiest way for me to get a firewall going in slackware.

I got it, but the issue is not whether you want it to or not- it's "how do you know what all your many and varied apps are exposing?" if you don't have an application-level firewall?

If you know what you're doing, and you run a network trace the whole time your system(s) are running, and you examine it constantly, then I say (1) you're doing a fine job! and (2) you're spending too much time administering your system(s). I agree with you in principle- software should not do bad things. But the reality is we have many thousands of apps and systems software packages and it's not realistic to manage this by tracing things all the time (at least not for most people).

I don't understand what you are saying here. Are you saying that if it becomes commonplace to run application firewalls (which btw can be set to allow nothing- which is how I started when I ran winbloze (out out damn spot!) and then over the days and weeks to follow I allow or not as I use each app) then people will start adding exploits to their apps because if people don't want the exploit they'll just block it? You can't be saying that, because according to what you just said, if you found an app like that you would raise hell with the devs So what did you mean?

Any big system has millions of lines of source behind it. It's not realistic to examine that much source manually and I haven't heard that people are writing tools to do that (which anyway wouldn't be 100%). Do you really look at all the source for everything you run? It's just not practical.

What I am saying is that administering a system is a lot of work, and I don't trust apps generally. I personally would like a way to control not only inbound traffic, but outbound traffic. I would love an app like ZoneAlarm or Kerio or some other app-level firewall that I can set to deny everything on my system and then get prompted to allow or not on a app by app basis. It should also allow you to do packet filtering and all kinds of other setup manually if you want. This would be the simplest, best way to manage this situation. The problem will only grow as more and more people are moving to Linux and more and more people are writing apps for Linux. Eventually (if not already judging from what I have seen) spyware, malware, etc. are coming to the *NIX world. Unlike winbloze, we should be ready before they get here.

Firestarter does this to an extent .. it sits in the tray, when it blocks it changes colour, you can open the gui and in the events tab you can see what was blocked.

So if you're trying to access a samba share or some such it will show an access on port (what is it, ?) 139 (?) and you can decide then (via right click menu) to add a policy such as "allow outbound service for everyone". Policies can then be altered manually to fit better.

There's at least one zonealarms type program, but I can't be arsed to google for it!

I always thought that shorewall was only a firewall distro, but I've been wrong before too!

From the little I've seen now it looks harder than a manual iptables config?

Shorewall is merely a set of scripts and configuration files to set up Iptables. It's distribution agnositic, and doesn't require a GUI.

I never learned to write iptables entries manually, so I don't have an opinion as to how easy/hard that is. But the firewall on my desktop includes two NICs and a bridge and Tun/Tap interface (for Qemu using Vde) -- I did not have too much trouble getting shorewall to handle these the way I wanted.

Thanks for the tip, I don't know why I didn't think of that

Haha - no, I don't run a net trace (nor monitor one) the whole time, but I do periodically monitor various system stats (including network activity). On a related note, this is probably the *only* good thing about dialup internet access - if something is sending network traffic unexpectedly, then it's going to be noticed.
Yes, I'm still on dialup - not by choice, but because it's the only option available out here where I live...

Well, yes and no I'm simply stating that it's easier for someone to decide "well, it's okay - I can block it with my {application level firewall}" instead of "Aw, hell no." Note that the term "exploit" is a bit strong here, but the idea is the same, I guess...

Agreed - it's not (and of course I don't) However, you can bet that I do some investigating if an app starts talking to the internet without a good reason

On that point, you'll get no argument from me

RW

The "Brian Hatch" script is at http://www.hackinglinuxexposed.com/a.../20030709.html ... but it doesn't work for me as it seems to prevent name resolution ... if I had half a clue about this stuff I'd know why!!

I can't see why everyone things shorewall is so easy to configure ... easy like procmail presumably. I must be missing something, is there a good front end (other than webmin)?

This blocks all incoming connections, and permits only packets related to existing outgoing connections.

Linux Firewall version 2.0 (final) -- 07/25/06
http://lfw.sf.net/

I visited a whack of tutorial and other sites and did a lot of reading and HOW-TO's. After trying a few similar rc.firewall scripts which were giving me errors, and also trying a couple 'packaged' firewalls from the likes of sourceforge and freshmeat, I downloaded this little package named above (can't remember exactly where from, but there's the homepage named within the script) and followed the instructions to recompile my kernel again, with a bunch of IPTABLES and related stuff into it and swapped it in place of my original Slack rc.firewall script.
It's complete, functional, and seems to be working fine, starting up on boot. My learning is an ongoing thing; as I learn stuff, I tweak stuff.
I'm on a LAN so I'm not too concerned at the moment, but between me and the big bad internet is a W1nd0w5 machine, so can't be too careful I also installed a firewall-log scanner and two rootkit-hunters, run by cron twice per day.
Also, and I recommend this to anyone: read everything up-to-date about securing and hardening your distribution, and keep on top of security updates and patches.

You just might want to add a note about the bug in the 'recent' module in older kernels. I really liked your solution and started testing it out, and just got bit by it on an old Slack 10.2 box running 2.6.13.

http://blog.blackdown.de/2005/05/09/...filter-module/

While there's a patch that can be applied to older kernels, it seems like it's not fully fixed until 2.6.18 when 'recent' was rewritten. (At least that's what I gather from the discussion)

What's really interesting is if you connect to a machine within 5 minutes of booting, then you'll be locked out on your second ssh connection after that 5 minute window. If you wait more than 5 minutes after booting for your first connection, then you're good for ~25 days.

Just thought I'd mention it in case someone's left wondering why they're getting locked out of their machines.

Where's the option "hand-written"? :}

I used to use ferm in the past which I still think is quite nice.


Cheers,
Tink

"Some other script ..."

Will that do.

I didn't see the point in distinguishing between scripts that you wrote yourself and little known scripts that one can copy. Oftentimes people start with the later and end with the former anyway - ie download and modify beyond all recognition.

HTH

Not *quite* ... can't provide a link to it ;}



Cheers,
Tink