Would it be possible to set up an inline firewall, inline IDS (snort), and a stealth syslog server all on one box? I've read how to create a stealth syslog server by having snort capture traffic destined to an unused IP and having it passed to the syslog daemon, but could you do that and have snort running in IDS mode? Having a box acting as a firewall, IDS, and syslog server all completely undetectable since it doesn't have an IP would be very very cool
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
You could configure a snort signature to just listen for traffic to a specific IP on the syslogd port, so yes you could easily do all that on one box and still have fully functional snort.
Originally posted by chort You could configure a snort signature to just listen for traffic to a specific IP on the syslogd port, so yes you could easily do all that on one box and still have fully functional snort.
Thanks, it should be interesting setting that up.
Unfortunately I just found out that you can't use NAT with a stealth, transparent, inline, bridging, layer-2 firewall (I think EIA/TIA needs to standardize a name for this). You can use NAT with it but you would have to have a public IP address which would defeat its purpose. Anyone know why you can't keep it stealthy and use NAT?
Originally posted by MrH0TT Forgive me for asking this....but,
What exactly is the purpose of this box? I'm fairly new to linux, but this sounds cool. What is it used for?
It would act as both an Intrusion Detection System and a syslog server where all the PCs on your network could send their logs to. Since this box wouldn't have an IP address it wouldn't be impossible to hack remotely. I believe the worst thing it could be vulnerable to is the crashing of snort if a new vulnerability is discovered. I'm pretty sure a vulnerability like that has been discovered and patched a while ago but by keeping snort updated it shouldn't be a problem...
Apparently you can't have a transparent firewall if you're going to be using NAT. I'm assuming that is the reason why transparent firewalls aren't as popular as I thought they should have been... It's pretty disappointing, this had a lot of potential. If anyone knows of a way to have a transparent firewall with NAT please let me know.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
How can you use NAT with what is essentially a layer-2 device? It's operating at the link-layer, not at the network layer. NAT uses IPs, which is layer-3 (network). As mentioned, you would need at least one IP to NAT the internal net to outside, and of course that would defeat the purpose of being a bridging firewall.
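The two mechanisms this thread turns on, as an added Python example that is not from the thread, from Snort or from any firewall package: chort's earlier point that the box only has to sniff datagrams addressed to an unused IP on the syslog port, and the point in this post that a bridge forwards frames without owning an address while NAT has to rewrite the source address to one the box answers for. The addresses, MACs, filter rules and the log line are constructed for the example; no sockets are opened, so it runs offline.

```python
import struct
import ipaddress

# Constructed values for the example (assumptions, not taken from the thread):
STEALTH_IP = "192.0.2.250"     # unused address the LAN hosts are told to send syslog to
SYSLOG_PORT = 514
LAN_MAC = "02:00:00:00:00:01"
GW_MAC = "02:00:00:00:00:02"


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 when the header is already correct)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, sport, dport, payload, src_mac=LAN_MAC, dst_mac=GW_MAC):
    """Ethernet/IPv4/UDP frame. The UDP checksum is left 0 (allowed on IPv4) to keep this short."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                      ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
            + b"\x08\x00" + hdr + udp)


def parse_frame(frame):
    """Fields a bridging filter or sniffer looks at; None if the frame is not IPv4."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    info = {"dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"), "proto": ip[9],
            "src_ip": str(ipaddress.IPv4Address(ip[12:16])),
            "dst_ip": str(ipaddress.IPv4Address(ip[16:20])),
            "sport": None, "dport": None, "payload": b""}
    if info["proto"] == 17:  # UDP
        sport, dport, ulen = struct.unpack("!HHH", ip[ihl:ihl + 6])
        info.update(sport=sport, dport=dport, payload=ip[ihl + 8:ihl + ulen])
    return info


def capture_syslog(frame):
    """The stealth-syslog trick: the box owns no IP, it just sniffs datagrams sent to
    STEALTH_IP:514 and hands them to the logger. Returns (facility, severity, sender, msg)
    for an RFC 3164-style '<PRI>message' line, else None."""
    p = parse_frame(frame)
    if not p or p["proto"] != 17 or p["dst_ip"] != STEALTH_IP or p["dport"] != SYSLOG_PORT:
        return None
    text = p["payload"].decode("utf-8", "replace")
    if not (text.startswith("<") and ">" in text[:5]):
        return None
    pri, msg = text[1:].split(">", 1)
    if not pri.isdigit():
        return None
    pri = int(pri)
    return pri // 8, pri % 8, p["src_ip"], msg


def bridge_filter(frame, rules):
    """Transparent (layer-2) firewall: decide per frame and pass the bytes through untouched.
    rules is a list of (ip_proto, dport_or_None, 'forward'|'drop'); first match wins."""
    p = parse_frame(frame)
    if p:
        for proto, dport, action in rules:
            if p["proto"] == proto and (dport is None or p["dport"] == dport):
                return action, (frame if action == "forward" else None)
    return "forward", frame


def source_nat(frame, public_ip):
    """What NAT must do and a bridge never does: rewrite the source address and fix the
    checksum. Replies come back to public_ip, so the NAT box has to own that address."""
    ihl = (frame[14] & 0x0F) * 4
    hdr = bytearray(frame[14:14 + ihl])
    hdr[12:16] = ipaddress.IPv4Address(public_ip).packed
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return frame[:14] + bytes(hdr) + frame[14 + ihl:]


if __name__ == "__main__":
    # Constructed log line in the classic BSD syslog format.
    log = build_frame("10.0.0.5", STEALTH_IP, 40000, SYSLOG_PORT,
                      b"<34>Oct 11 22:14:15 host1 su: 'su root' failed on /dev/pts/8")
    print("captured:", capture_syslog(log))
    dns = build_frame("10.0.0.5", "203.0.113.9", 40000, 53, b"query")
    print("bridge  :", bridge_filter(dns, [(17, 53, "forward"), (17, None, "drop")])[0])
    print("nat src :", parse_frame(source_nat(dns, "198.51.100.1"))["src_ip"])
```

The bridge path never touches the bytes, which is what lets the box stay address-less and invisible on the wire; the NAT path necessarily stamps an address of its own into every outbound packet, so any host that can reach that address can also reach the NAT box.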
Originally posted by chort How can you use NAT with what is essentially a layer-2 device? It's operating at the link-layer, not at the network layer. NAT uses IPs, which is layer-3 (network). As mentioned, you would need at least one IP to NAT the internal net to outside, and of course that would defeat the purpose of being a bridging firewall.
Ahhhh so you can have a NAT'd network, you just can't run NAT on the same box as the transparent firewall?
It seems like every site I've been to that talks about transparent firewalls mentions that you can't use NAT with it. If you just can't have NAT on the firewall then that's not a big deal at all...
I don't understand why transparent firewalls aren't more popular. I would think a firewall that can't be hacked would become standard pretty quickly. Instead the most popular way now to make your firewall hackproof seems to be to use a bootable CD, but that can still be hacked... it would be fixed as soon as you reboot, but by then it would probably be too late...
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Well theoretically it can still get cracked. Someone already mentioned taking advantage of Snort, or possibly tcpdump or Ethereal if you're running either of those to check traffic. Also, although it doesn't have an IP it does have hwaddrs, so someone particularly clever can still attack you using your MAC addr. After all, there has to be some way of getting traffic to it to inspect (for the packet filter) so there is also a vector for malicious traffic as well.
In any case, I suspect the main reasons are as follows: a) it requires roughly double the hardware (probably will need one NAT device per firewall), b) it's more complicated, network administrators don't like complications c) most firewall compromises are because of bad rules, not insecure platforms; in fact most of the time it's not the firewall that got compromised at all, someone just found a way through it to their end target.