Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
07-24-2007, 12:23 PM
#17
Senior Member
Registered: Sep 2005
Location: Out
Posts: 3,307
Just wanted to point out this:
http://nufw.org/
This has been developed by several of the netfilter team so it should be quite efficient.
Quote:
nufw dependencies
The nufw daemon only depends on:
* iptables : libipq.a is necessary to compile the nufw server
* libgnutls : nufw speaks to nuauth via a TLS encrypted channel
User marking requirement
The system needs a patched version of the ip_queue module and of its "sibling" library libipq.
Using nfnetlink and getting all latest NuFW features
On kernels superior to 2.6.14, ipq is now deprecated in favor of libnetfilter_queue which uses the new nfnetlink system. We encourage you to switch to this library as it is the future. On top of that nfnetlink also provides libnetfilter_conntrack which is used by NuFW to implement time-based acls.
To be able to use these features, the following libraries are needed:
* libnfnetlink
* libnetfilter_queue
* libnetfilter_conntrack
But I think it's not 100% proof, like ZoneAlarm and such. If people are able to inject a wrong signature (cpcclient in this case) they can bypass the application firewall.
It's a tradeoff. At the moment, the signature is calculated in userland. Using a low-level driver or grsec or such would be harder to tamper with.
Last edited by nx5000; 07-24-2007 at 12:24 PM.
07-24-2007, 12:27 PM
#18
Member
Registered: Nov 2004
Location: Horseheads, New York
Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack & etc...
Posts: 198
Funny, I was doing like the 500th Mandriva install the other day and noticed the nufw packages for the first time. Figured I ought to have a look at it.
Shorewall has long been a bugaboo, the proverbial mystery wrapped in an enigma surrounded by a riddle...
cat
07-30-2007, 09:11 AM
#19
Senior Member
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168
Quote:
Originally Posted by catworld
I'm a big fan of Firestarter but it seems to break my KVM/QEMU environment -- I think because dnsmasq is a dependency. So learning to use iptables-save and iptables-restore has been very helpful. In fact, I'll be updating my "block google" page so people don't have to type all those addresses in manually.
Thanks for the link!
08-09-2007, 07:10 PM
#20
Senior Member
Registered: Oct 2005
Location: It varies, but usually within 100 feet of a keyboard.
Distribution: Fedora 10, Kubuntu 8.04, Puppy 4.1.2, openSUSE 11.2
Posts: 1,126
Quote:
Originally Posted by fair_is_fair
I've had quite a go-around with GUI Linux firewalls lately. Firestarter is not that great for KDE but will run if the right dependencies are met. Guarddog is ok but it will not allow SSL SMTP for us gmail users or anyone else needing an SSL connection on alternate ports. I have had 0 luck with Kmyfirewall.
There does not seem to be a lot of development in the GUI firewall department. Guarddog is working on a new version. Firestarter is 1.5 years old.
A new firewall similar to Sygate would be a great idea.
As an update, Guarddog (2.6 and possibly earlier versions) will now allow the protocol to be set permitting the Internet zone to independently serve both SSL SMTP and SSL POP3 to the local machine.
Last edited by Cogar; 08-09-2007 at 07:11 PM.
08-09-2007, 07:37 PM
#21
Member
Registered: Nov 2004
Location: Horseheads, New York
Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack & etc...
Posts: 198
Crito, others...
Quote:
Originally Posted by Crito
I'm a big fan of Firestarter but it seems to break my KVM/QEMU environment -- I think because dnsmasq is a dependency. So learning to use iptables-save and iptables-restore has been very helpful. In fact, I'll be updating my "block google" page so people don't have to type all those addresses in manually.
Thanks for the link!
I'm actually replying to your signature line... ! You say "how to block Google..."
This is all of my browsers' home page:
http://www.scroogle.org/cgi-bin/scraper.htm
And everybody should run firefox with "adblock plus" and (especially) "no script" extensions. Add to this the preference to ask what to do with every last cookie, and you've fairly well locked things down.
Cross-site scripting is a big problem...
...like the .pdf spam I've been getting in droves lately. If this stuff were junk postal snail-mail, at least I could burn it to cook and heat the house with!
cat
08-09-2007, 08:07 PM
#22
LQ Newbie
Registered: Mar 2005
Posts: 24
Quote:
Originally Posted by ghborrmann
...so I don't think it can deny access based upon the application requesting it.
http://www.novell.com/linux/security/apparmor/
that might be what you need.
08-10-2007, 09:29 AM
#23
Senior Member
Registered: May 2006
Location: USA
Distribution: Debian
Posts: 4,824
yeah ... In the windows platform, Sygate Rulz.
I agreed until two years ago when Symantec bought it and killed it. Now I use Sunbelt.
08-12-2007, 05:11 AM
#24
Member
Registered: Nov 2001
Location: Sweden
Distribution: GNU/Linux since -97
Posts: 149
Quote:
Originally Posted by ghborrmann
I have only recently started to acquaint myself with linux firewall capabilities. I have studied information on ipchains and iptables, and have switched my Red Hat 7.3 system from its default ipchains to iptables. I think I understand the basics of ip and port blocking.
On my Win98 system, I have a firewall that blocks internet access depending on the application requesting it. Is that capability available on linux? That same firewall has the capability of interrogating the user when a new application attempts access. Can that be accomplished in linux?
What you are talking about is a packet filter. A packet filtering firewall sorts packets with the help of, e.g., the source address of the packet, the destination address of the packet, or the protocol type of the packet, e.g. TCP, UDP, ICMP.
Is your kernel compiled with CONFIG_IP_NF_MATCH_OWNER?
If so you can allow or reject packets on a per-command basis, like:
iptables -A OUTPUT -m owner --cmd-owner MassRip -j DROP
A proxy firewall does not route; it operates on the application layer. This type of firewall can look at more specific parts of information than a packet filter can, like checking if someone is trying to download a virus with Firefox or if some user received an OO document in their email.
Last edited by FredrikN; 08-12-2007 at 05:33 AM.
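Since `--cmd-owner` was later removed from the kernel, here is an added example (not from the thread or the NuFW project) of the same per-application egress control done with the owner match's `--gid-owner`, loaded through `iptables-restore` as mentioned earlier in the thread; it assumes the program to confine is started under a dedicated group (for instance with `sg`) and that the group's numeric gid is passed in.

```shell
#!/bin/sh
# Added example, not code from the thread: per-application egress control with
# the iptables owner match. --cmd-owner (FredrikN's rule) was removed from the
# kernel; --uid-owner/--gid-owner remain and match on kernel socket credentials,
# so unlike a userland signature check there is nothing for the app to forge.
# Assumed workflow: start the program under a dedicated group, e.g.
#   sg noegress -c firefox
# then load the rules below with that group's numeric gid. The owner match only
# applies to locally generated packets (OUTPUT chain), which is what we want.

# egress_block_rules GID [LOGPREFIX]: print an iptables-restore fragment that
# logs (rate-limited) and drops every packet sent by processes running as GID,
# except loopback so the confined app can still reach a local proxy.
egress_block_rules() {
    gid=$1
    prefix=${2:-"egress-denied: "}
    case $gid in
        ''|*[!0-9]*) echo "egress_block_rules: gid must be numeric" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
# loopback stays open for the confined group
-A OUTPUT -o lo -m owner --gid-owner $gid -j ACCEPT
# record what the application tried to reach, then drop it
-A OUTPUT -m owner --gid-owner $gid -m limit --limit 5/min -j LOG --log-prefix "$prefix"
-A OUTPUT -m owner --gid-owner $gid -j DROP
COMMIT
EOF
}

# count_owner_rules FRAGMENT: number of rules in FRAGMENT that pin a uid or gid,
# a quick sanity check before loading (or when auditing iptables-save output).
count_owner_rules() {
    printf '%s\n' "$1" | grep -c -- '-m owner --[ug]id-owner'
}

# apply_egress_block GID: load atomically without flushing existing rules
# (needs root and iptables; not exercised by the checks below).
apply_egress_block() {
    egress_block_rules "$1" | iptables-restore --noflush
}
```

Dropped attempts show up in the kernel log with the given prefix, which answers the thread's "ask the user" wish only after the fact; interactive prompting needs a userland helper such as NuFW sitting on nfqueue.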