07-13-2007, 08:36 AM
|
#1
|
Member
Registered: May 2004
Location: Louisville KY
Distribution: Fedora 25
Posts: 32
Rep:
|
Windows vs Linux Firewalls
I have only recently started to acquaint myself with linux firewall capabilities. I have studied information on ipchains and iptables, and have switched my Red Hat 7.3 system from its default ipchains to iptables. I think I understand the basics of ip and port blocking.
On my Win98 system, I have a firewall that blocks internet access depending on the application requesting it. Is that capability available on linux? That same firewall has the capability of interrogating the user when a new application attempts access. Can that be accomplished in linux?
|
|
|
07-13-2007, 08:55 AM
|
#2
|
Member
Registered: Jun 2007
Location: Chile
Distribution: Some ubuntu mixes, Suse, FC
Posts: 36
Rep:
|
I'm not quite sure (I'm just beginning with security), but the differences are that the FWs in Windows are more "graphical" compared with Linux FWs ...
Also, the fact that almost all firewalls in Linux are shell-based gives complete control of their functions and the capacity to tune them to your taste, unlike the products most used in Windows (Zone Alarm, Sygate, Agnitum, etc.).
If I'm wrong, please correct me.
|
|
|
07-13-2007, 09:29 AM
|
#3
|
Senior Member
Registered: Jul 2004
Location: France
Distribution: Arch Linux
Posts: 1,897
Rep:
|
Firestarter was said to be a good GUI firewall, last time I checked (years ago). I don't know if it has the features you want though:
http://www.fs-security.com/
Yves.
|
|
|
07-13-2007, 03:44 PM
|
#4
|
Member
Registered: May 2004
Location: Louisville KY
Distribution: Fedora 25
Posts: 32
Original Poster
Rep:
|
Thanks for your reply, Yves.
Quote:
Firestarter was said to be a good GUI firewall, last time I checked (years ago). I don't know if it has the features you want though:
http://www.fs-security.com/
|
Yes, Firestarter does some of what I want. It appears to allow access to logs of denied connections and permits changing rules to permit them. It seems to be primarily a GUI interface to iptables, so I don't think it can deny access based upon the application requesting it.
|
|
|
07-13-2007, 04:41 PM
|
#5
|
Moderator
Registered: May 2001
Posts: 29,415
|
Quote:
On my Win98 system, I have a firewall that blocks internet access depending on the application requesting it. Is that capability available on linux? That same firewall has the capability of interrogating the user when a new application attempts access. Can that be accomplished in linux?
|
Check out http://www.linuxquestions.org/linux/...larm_for_Linux
|
|
|
07-13-2007, 07:05 PM
|
#6
|
Member
Registered: May 2004
Location: Louisville KY
Distribution: Fedora 25
Posts: 32
Original Poster
Rep:
|
unSpawn: Your blog certainly provides a lot of information relative to this topic -- just what I was looking for. It looks like I have a considerable amount of homework to do! I appreciate the help you've provided in getting me up to speed in this area.
|
|
|
07-17-2007, 08:41 AM
|
#7
|
LQ Newbie
Registered: Feb 2004
Posts: 17
Rep:
|
Hi ghborrmann, just been reading your posts about GUI firewalls. I was looking for much the same as you. In the end I used Fedora Core 4, Webmin to administer the firewall, and Shorewall as my iptables interface. In Webmin, under Network, it allows you to configure Shorewall, and this has blocked everything from going out on my network. Then I used Squid as a transparent proxy set to allow everything through for web traffic. For my content filtering I used DansGuardian; you can set up custom text editors to allow changes to DansGuardian's settings. All applications use ports, obviously, and I just enable certain ports to allow certain things out using my Shorewall interface, and the rest get blocked.
|
|
|
07-17-2007, 11:01 AM
|
#8
|
Member
Registered: May 2005
Posts: 516
Rep:
|
I've had quite a go-around with gui linux firewalls lately. Firestarter is not that great for kde but will run if the right dependencies are met. Guarddog is ok but it will not allow ssl smtp for us gmail users or anyone else needing a ssl connection on alternate ports. I have had 0 luck with Kmyfirewall.
There does not seem to be a lot of development in the GUI firewall department. Guarddog is working on a new version. Firestarter is 1.5 years old.
A new firewall similar to Sygate would be a great idea.
|
|
|
07-17-2007, 10:07 PM
|
#9
|
Member
Registered: Jun 2007
Location: Chile
Distribution: Some ubuntu mixes, Suse, FC
Posts: 36
Rep:
|
Yeah ... On the Windows platform, Sygate rulz.
It is the best FW you can find.
Mmmm ... You should try FW Builder; I heard it is pretty tight in security and not hard to configure.
Last edited by Kaamos; 07-18-2007 at 07:48 AM.
|
|
|
07-19-2007, 09:03 AM
|
#10
|
LQ Newbie
Registered: Jun 2007
Posts: 15
Rep:
|
Quote:
Originally Posted by ghborrmann
On my Win98 system, I have a firewall that blocks internet access depending on the application requesting it. Is that capability available on linux? That same firewall has the capability of interrogating the user when a new application attempts access. Can that be accomplished in linux?
|
SafeSquid (http://freshmeat.net/projects/safesquid/) is an application layer firewall that identifies applications by looking into the Request Header Pattern, and can be used to allow / deny requests from a specific application.
It uses RegEx to match the Request Header Pattern strings, like:
IE - 'Mozilla/4.0.* MSIE.*'
Firefox - 'User-Agent.*Mozilla.*Firefox.*'
Google Talk - 'User-Agent: Google Talk'
F-Prot Antivirus Updater - 'User-Agent.*FPAV_Update_Monitor*', etc.
The SafeSquid 'Header Filter' can also be used to block uploads larger than a specified size, or to block private information that is revealed on the net while surfing.
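Added example, not part of the post above and not SafeSquid code or configuration syntax: a small shell classifier that applies the post's patterns to the User-Agent line of a raw request and decides against an allowlist. The rule-table format, the `ALLOWED_APPS` policy and the sample request are constructed for illustration.

```shell
#!/bin/sh
# Added example, not SafeSquid code or configuration syntax.
# Rules are "label|extended regex", using the patterns quoted in the post;
# each regex is tested against the whole User-Agent header line.
UA_RULES='IE|Mozilla/4.0.* MSIE.*
Firefox|User-Agent.*Mozilla.*Firefox.*
Google Talk|User-Agent: Google Talk
F-Prot Antivirus Updater|User-Agent.*FPAV_Update_Monitor*'

# Constructed policy: labels allowed out; everything else is denied.
ALLOWED_APPS='Firefox
F-Prot Antivirus Updater'

# Read raw request headers on stdin and print the label of the first matching rule.
classify_request() {
    # Stop at the blank line ending the headers so body text is never matched;
    # header names are case-insensitive, so normalise the name before matching.
    ua_line=$(tr -d '\r' |
        sed -n '/^$/q;/^[Uu]ser-[Aa]gent:/{s/^[^:]*:[[:space:]]*/User-Agent: /;p;q;}')
    if [ -z "$ua_line" ]; then echo "no-user-agent"; return 0; fi
    while IFS='|' read -r label regex; do
        if printf '%s\n' "$ua_line" | grep -Eq -- "$regex"; then
            echo "$label"
            return 0
        fi
    done <<EOF
$UA_RULES
EOF
    echo "unknown"
}

# Print "allow <label>" or "deny <label>" for the request on stdin.
decide() {
    app=$(classify_request)
    if printf '%s\n' "$ALLOWED_APPS" | grep -Fxq -- "$app"; then
        echo "allow $app"
    else
        echo "deny $app"
    fi
}

# Constructed sample request.
printf 'GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Google Talk\r\n\r\n' | decide
```

The User-Agent header is supplied by the client, so a match identifies what a request claims to be rather than which program sent it.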
|
|
|
07-19-2007, 11:29 AM
|
#11
|
Member
Registered: Mar 2007
Location: 127.0.0.1
Distribution: OpenBSD-CURRENT
Posts: 485
Rep:
|
http://www.linuxtopia.org/Linux_Fire...les/x2682.html
Section 10.3.12 lists mechanisms for matching packets based on the uid of the process, the owner's id, the command that created the packet, etc...seems like it wouldn't be difficult to modify a GUI app to make use of this?
Last edited by rocket357; 07-19-2007 at 11:31 AM.
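Added example, not from the post above or the linked tutorial: a shell script that turns a per-account policy into iptables OUTPUT rules using the owner match's `--uid-owner` option, validating every policy line before any rule is emitted. The account names, ports and policy format are constructed; the script only prints the rules for review.

```shell
#!/bin/sh
# Added example: per-account outbound policy via the iptables owner match.
# Policy lines are "account proto port"; all names below are constructed.

# Accept only a plain account name, tcp/udp, and a port in 1..65535, so that
# nothing from the policy text can smuggle extra shell or iptables syntax.
valid_entry() {
    case "$1" in ''|-*|*[!a-z0-9_-]*) return 1 ;; esac
    case "$2" in tcp|udp) ;; *) return 1 ;; esac
    case "$3" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$3" -ge 1 ] && [ "$3" -le 65535 ]
}

# Read the policy on stdin and print a default-deny OUTPUT ruleset.
# Nothing is printed if any line is invalid, so a partial ruleset never escapes.
build_ruleset() {
    allow=""
    while read -r user proto port; do
        case "$user" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if ! valid_entry "$user" "$proto" "$port"; then
            echo "rejected policy line: $user $proto $port" >&2
            return 1
        fi
        allow="${allow}iptables -A OUTPUT -p $proto --dport $port -m owner --uid-owner $user -j ACCEPT
"
    done
    cat <<EOF
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
${allow}iptables -A OUTPUT -j LOG --log-prefix "OUT-DENIED " --log-uid
EOF
}

# Constructed sample policy. DNS lookups are made by the application's own
# process, so the account also needs port 53 if it resolves names itself.
SAMPLE_POLICY='# account proto port
webuser tcp 443
webuser udp 53
mailuser tcp 587'

# Print the ruleset for review; nothing is applied here.
printf '%s\n' "$SAMPLE_POLICY" | build_ruleset
```

The owner match applies only to locally generated packets (OUTPUT and POSTROUTING chains), and it keys on the account rather than the binary, so per-application control means running each application under its own account.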
|
|
|
07-22-2007, 09:27 AM
|
#12
|
Member
Registered: Nov 2004
Location: Horseheads, New York
Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack & etc...
Posts: 198
Rep:
|
I have written custom iptables configurations manually, but when I played around with GUI interfaces, I found Guarddog to be the most comprehensive, the best based on my underlying understanding of iptables.
Nothing beats understanding iptables directly, I suggest this excellent resource:
http://iptables-tutorial.frozentux.n...-tutorial.html
Give Guarddog a try, I think you'll like it.
BTW a software "firewall" running on windows is NO firewall, in my book. Everyone on the planet NEEDS a smoothwall, it runs on 486 or first gen Pentium junk, and gives big buck commercial firewalls a run for the money:
www.smoothwall.org
Then in addition, run shorewall or guarddog on your host(s) and you're safe and sound.
cat
|
|
|
07-22-2007, 12:36 PM
|
#13
|
Member
Registered: Mar 2007
Location: 127.0.0.1
Distribution: OpenBSD-CURRENT
Posts: 485
Rep:
|
Quote:
Originally Posted by catworld
Everyone on the planet NEEDS a smoothwall, it runs on 486 or first gen Pentium junk, and gives big buck commercial firewalls a run for the money
|
If you're going for simple packet filtering, then yes smoothwall or ipcop work pretty good. If you need a bit more secure of a setup, I prefer setting an OpenBSD pf machine out in front of an ipcop proxy. With antivirus scanning on the proxy (for http, ftp, mail, etc...) you really can't go wrong for protecting your Windows machines.
|
|
|
07-22-2007, 01:22 PM
|
#14
|
Member
Registered: Nov 2004
Location: Horseheads, New York
Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack & etc...
Posts: 198
Rep:
|
Well, I do believe BSD is where it's at for security. Just haven't played with it, ergo I'm unfamiliar. No time to learn it, either, with all the other stuff the boss keeps shoveling on me.
But BSD is definitely on my personal "to do" list. Maybe right after I grab a me a Grammy, Oscar and a Nobel Prize...?
|
|
|
07-23-2007, 09:19 AM
|
#15
|
Member
Registered: Mar 2007
Location: 127.0.0.1
Distribution: OpenBSD-CURRENT
Posts: 485
Rep:
|
Quote:
Originally Posted by catworld
Well, I do believe BSD is where it's at for security.
|
Every time someone comes to me to ask advice on security (the usual "Help! My Windows machine just barfed...I think I have a virus!"), I check to make sure they have a good hardware firewall for the same reasons you've already mentioned. If they have an old machine lying around or can swing purchasing a junker, I set them up an OpenBSD firewall and give them a run-down on what the firewall can do, and its limitations (it won't help if they download a virus, for example).
I've had quite a few people (after being protected by an OpenBSD firewall for a few months) swear up down left and right that there was voodoo magic involved...but the truth is that it's just the solid coding of the OpenBSD project and sane firewall rules...but it does make a world of difference (OpenBSD is just my personal preference...smoothwall and ipcop would accomplish the same goals, IMHO).
|
|
|