LinuxQuestions.org
Old 07-13-2007, 08:36 AM   #1
ghborrmann
Member
 
Registered: May 2004
Location: Louisville KY
Distribution: Fedora 25
Posts: 32

Rep: Reputation: 0
Windows vs Linux Firewalls


I have only recently started to acquaint myself with linux firewall capabilities. I have studied information on ipchains and iptables, and have switched my Red Hat 7.3 system from its default ipchains to iptables. I think I understand the basics of ip and port blocking.

On my Win98 system, I have a firewall that blocks internet access depending on the application requesting it. Is that capability available on linux? That same firewall has the capability of interrogating the user when a new application attempts access. Can that be accomplished in linux?
 
Old 07-13-2007, 08:55 AM   #2
Kaamos
Member
 
Registered: Jun 2007
Location: Chile
Distribution: Some ubuntu mixes, Suse, FC
Posts: 36

Rep: Reputation: 15
I'm not quite sure (I'm beginning in this thing of the security), but the differences are that the FWs in Windows are more "graphical", compared with Linux FWs ...
Also, the fact that almost all firewalls in Linux are in the shell gives complete control of their functions and the capacity to tune them to your taste, unlike the products most used in Windows (Zone Alarm, Sygate, Agnitum, etc.).

If I'm wrong, please correct me.
 
Old 07-13-2007, 09:29 AM   #3
theYinYeti
Senior Member
 
Registered: Jul 2004
Location: France
Distribution: Arch Linux
Posts: 1,897

Rep: Reputation: 66
Firestarter was said to be a good GUI firewall, last time I checked (years ago). I don't know if it has the features you want though:
http://www.fs-security.com/

Yves.
 
Old 07-13-2007, 03:44 PM   #4
ghborrmann
Member
 
Registered: May 2004
Location: Louisville KY
Distribution: Fedora 25
Posts: 32

Original Poster
Rep: Reputation: 0
Thanks for your reply, Yves.

Quote:
Firestarter was said to be a good GUI firewall, last time I checked (years ago). I don't know if it has the features you want though:
http://www.fs-security.com/
Yes, Firestarter does some of what I want. It appears to allow access to logs of denied connections and permits changing rules to permit them. It seems to be primarily a GUI interface to iptables, so I don't think it can deny access based upon the application requesting it.
 
Old 07-13-2007, 04:41 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
On my Win98 system, I have a firewall that blocks internet access depending on the application requesting it. Is that capability available on linux? That same firewall has the capability of interrogating the user when a new application attempts access. Can that be accomplished in linux?
Check out http://www.linuxquestions.org/linux/...larm_for_Linux
 
Old 07-13-2007, 07:05 PM   #6
ghborrmann
Member
 
Registered: May 2004
Location: Louisville KY
Distribution: Fedora 25
Posts: 32

Original Poster
Rep: Reputation: 0
unSpawn: Your blog certainly provides a lot of information relative to this topic -- just what I was looking for. It looks like I have a considerable amount of homework to do! I appreciate the help you've provided in getting me up to speed in this area.
 
Old 07-17-2007, 08:41 AM   #7
nightmare6667
LQ Newbie
 
Registered: Feb 2004
Posts: 17

Rep: Reputation: 0
Hi ghborrmann, just been reading your posts about GUI firewalls. I was looking for much the same as you. In the end I used Fedora Core 4, Webmin to administer the firewall, and Shorewall as my iptables interface. In Webmin, under Network, it allows you to configure Shorewall, and this has blocked everything from going out on my network. Then I used Squid as a transparent proxy set to allow everything through for web traffic. For my content filtering I used DansGuardian; you can set up custom text editors to allow changes to DansGuardian's settings. All applications use ports, obviously, and I just enable certain ports to allow certain things out using my Shorewall interface, and, well, the rest get blocked.
 
Old 07-17-2007, 11:01 AM   #8
fair_is_fair
Member
 
Registered: May 2005
Posts: 516

Rep: Reputation: 52
I've had quite a go-around with GUI Linux firewalls lately. Firestarter is not that great for KDE but will run if the right dependencies are met. Guarddog is OK but it will not allow SSL SMTP for us Gmail users or anyone else needing an SSL connection on alternate ports. I have had 0 luck with Kmyfirewall.

There does not seem to be a lot of development in the GUI firewall department. Guarddog is working on a new version. Firestarter is 1.5 years old.

A new firewall similar to Sygate would be a great idea.
 
Old 07-17-2007, 10:07 PM   #9
Kaamos
Member
 
Registered: Jun 2007
Location: Chile
Distribution: Some ubuntu mixes, Suse, FC
Posts: 36

Rep: Reputation: 15
Yeah ... On the Windows platform, Sygate Rulz.
It is the best FW you can find.
Mmmm ... You should try FW Builder; I heard it is pretty tight in security and not hard to configure.

Last edited by Kaamos; 07-18-2007 at 07:48 AM.
 
Old 07-19-2007, 09:03 AM   #10
rsean
LQ Newbie
 
Registered: Jun 2007
Posts: 15

Rep: Reputation: 0
Quote:
Originally Posted by ghborrmann
On my Win98 system, I have a firewall that blocks internet access depending on the application requesting it. Is that capability available on linux? That same firewall has the capability of interrogating the user when a new application attempts access. Can that be accomplished in linux?
SafeSquid (http://freshmeat.net/projects/safesquid/) is an application layer firewall that identifies applications by looking into the Request Header Pattern, and can be used to allow / deny requests from a specific application.

It uses RegEx to match the Request Header Pattern strings, Like -
IE - 'Mozilla/4.0.* MSIE.*'
Firefox - 'User-Agent.*Mozilla.*Firefox.*'
Google Talk - 'User-Agent: Google Talk'
F-Prot Antivirus Updater - 'User-Agent.*FPAV_Update_Monitor*', etc.

The SafeSquid 'Header Filter' can also be used to block uploads larger than a specified size, or to block private information that is revealed on the net while surfing.
 
Old 07-19-2007, 11:29 AM   #11
rocket357
Member
 
Registered: Mar 2007
Location: 127.0.0.1
Distribution: OpenBSD-CURRENT
Posts: 485
Blog Entries: 187

Rep: Reputation: 74
http://www.linuxtopia.org/Linux_Fire...les/x2682.html

Section 10.3.12 lists mechanisms for matching packets based on the uid of the process, the owner's id, the command that created the packet, etc...seems like it wouldn't be difficult to modify a GUI app to make use of this?

Last edited by rocket357; 07-19-2007 at 11:31 AM.
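
The owner match mentioned in the post above, as an added example that is not part of the thread: a dry-run script that prints OUTPUT-chain rules allowing outbound ports per local account and logging everything else with the sending uid. The account names, ports and the `OUT-DENY:` log prefix are assumptions; it uses only `--uid-owner`, so it filters by the account a program runs under rather than by the program's name.

```shell
#!/bin/sh
# Added example (not from the thread): emit iptables OUTPUT rules that tie
# outbound access to the local account a program runs under.
# Each argument is "user:proto:dport"; the account names are constructed.

gen_owner_rules() {
    rules="iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for entry in "$@"; do
        user=${entry%%:*}; rest=${entry#*:}
        proto=${rest%%:*}; port=${rest#*:}
        # Validate every field so a typo never reaches iptables.
        case "$user" in ''|*[!A-Za-z0-9_-]*)
            echo "bad user in '$entry'" >&2; return 1 ;; esac
        case "$proto" in tcp|udp) ;; *)
            echo "bad protocol in '$entry'" >&2; return 1 ;; esac
        case "$port" in ''|*[!0-9]*)
            echo "bad port in '$entry'" >&2; return 1 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
            echo "port out of range in '$entry'" >&2; return 1; }
        # The owner match only sees locally generated packets, so it belongs
        # in OUTPUT (or POSTROUTING), never in INPUT or FORWARD.
        rules="$rules
iptables -A OUTPUT -p $proto --dport $port -m owner --uid-owner $user -m state --state NEW -j ACCEPT"
    done
    # Log what is about to be dropped, including the sending uid, and set the
    # default-deny policy last so an existing session is not cut off midway.
    rules="$rules
iptables -A OUTPUT -j LOG --log-prefix OUT-DENY: --log-uid
iptables -P OUTPUT DROP"
    # Nothing is printed unless every entry validated.
    printf '%s\n' "$rules"
}

# Dry run: print the rule set for review; pipe it to "sh" as root to apply.
gen_owner_rules webuser:tcp:80 webuser:tcp:443 webuser:udp:53 mailuser:tcp:25
```

Reading the `OUT-DENY:` lines in the kernel log shows which uid attempted a blocked connection, which is the closest iptables gets to the "ask me about new applications" behaviour asked about in the first post.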
 
Old 07-22-2007, 09:27 AM   #12
catworld
Member
 
Registered: Nov 2004
Location: Horseheads, New York
Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack & etc...
Posts: 198

Rep: Reputation: 36
I have written custom iptables configurations manually, but when I played around with GUI interfaces, I found Guarddog to be the most comprehensive, the best based on my underlying understanding of iptables.

Nothing beats understanding iptables directly, I suggest this excellent resource:

http://iptables-tutorial.frozentux.n...-tutorial.html

Give Guarddog a try, I think you'll like it.

BTW a software "firewall" running on windows is NO firewall, in my book. Everyone on the planet NEEDS a smoothwall, it runs on 486 or first gen Pentium junk, and gives big buck commercial firewalls a run for the money:

www.smoothwall.org

Then in addition, run shorewall or guarddog on your host(s) and you're safe and sound.

cat
 
Old 07-22-2007, 12:36 PM   #13
rocket357
Member
 
Registered: Mar 2007
Location: 127.0.0.1
Distribution: OpenBSD-CURRENT
Posts: 485
Blog Entries: 187

Rep: Reputation: 74
Quote:
Originally Posted by catworld
Everyone on the planet NEEDS a smoothwall, it runs on 486 or first gen Pentium junk, and gives big buck commercial firewalls a run for the money
If you're going for simple packet filtering, then yes smoothwall or ipcop work pretty good. If you need a bit more secure of a setup, I prefer setting an OpenBSD pf machine out in front of an ipcop proxy. With antivirus scanning on the proxy (for http, ftp, mail, etc...) you really can't go wrong for protecting your Windows machines.
 
Old 07-22-2007, 01:22 PM   #14
catworld
Member
 
Registered: Nov 2004
Location: Horseheads, New York
Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack & etc...
Posts: 198

Rep: Reputation: 36
Well, I do believe BSD is where it's at for security. Just haven't played with it, ergo I'm unfamiliar. No time to learn it, either, with all the other stuff the boss keeps shoveling on me.

But BSD is definitely on my personal "to do" list. Maybe right after I grab me a Grammy, Oscar and a Nobel Prize...?
 
Old 07-23-2007, 09:19 AM   #15
rocket357
Member
 
Registered: Mar 2007
Location: 127.0.0.1
Distribution: OpenBSD-CURRENT
Posts: 485
Blog Entries: 187

Rep: Reputation: 74
Quote:
Originally Posted by catworld
Well, I do believe BSD is where it's at for security.
Every time someone comes to me to ask advice on security (the usual "Help! My Windows machine just barfed...I think I have a virus!"), I check to make sure they have a good hardware firewall for the same reasons you've already mentioned. If they have an old machine lying around or can swing purchasing a junker, I set them up an OpenBSD firewall and give them a run-down on what the firewall can do, and its limitations (it won't help if they download a virus, for example).

I've had quite a few people (after being protected by an OpenBSD firewall for a few months) swear up down left and right that there was voodoo magic involved...but the truth is that it's just the solid coding of the OpenBSD project and sane firewall rules...but it does make a world of difference (OpenBSD is just my personal preference...smoothwall and ipcop would accomplish the same goals, IMHO).
 
  


All times are GMT -5.