LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 07-24-2007, 12:00 PM   #16
bakfupai
Member
 
Registered: Apr 2006
Location: Sweden
Distribution: CentOS, RHEL, SourceMage, OpenBSD
Posts: 40

Rep: Reputation: 15

If you do want to learn more about OpenBSD and primarily PF, this book is very helpful:
http://www.amazon.com/Building-Firew.../dp/8391665119
 
Old 07-24-2007, 12:23 PM   #17
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
Just wanted to point out this:
http://nufw.org/
This has been developed by several of the netfilter team, so it should be quite efficient.

Quote:
nufw dependencies

The nufw daemon only depends on:

* iptables: libipq.a is necessary to compile the nufw server
* libgnutls: nufw speaks to nuauth via a TLS encrypted channel

User marking requirement

The system needs a patched version of the ip_queue module and of its "sibling" library libipq.

Using nfnetlink and getting all latest NuFW features

On kernels later than 2.6.14, ipq is now deprecated in favor of libnetfilter_queue, which uses the new nfnetlink system. We encourage you to switch to this library as it is the future. On top of that, nfnetlink also provides libnetfilter_conntrack, which is used by NuFW to implement time-based ACLs.

To be able to use these features, the following libraries are needed:

* libnfnetlink
* libnetfilter_queue
* libnetfilter_conntrack
But I think it's not 100% proof, like ZoneAlarm and such. If people are able to inject a wrong signature (cpcclient in this case), they can bypass the application firewall.
It's a tradeoff. At the moment, the signature is calculated in userland. Using a low-level driver or grsec or such would be harder to tamper with.

Last edited by nx5000; 07-24-2007 at 12:24 PM.
 
Old 07-24-2007, 12:27 PM   #18
catworld
Member
 
Registered: Nov 2004
Location: Horseheads, New York
Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack & etc...
Posts: 198

Rep: Reputation: 36
Funny, I was doing like the 500th Mandriva install the other day and noticed the nufw packages for the first time. Figured I ought to have a look at it.

Shorewall has long been a bugaboo, the proverbial mystery wrapped in an enigma surrounded by a riddle...

cat
 
Old 07-30-2007, 09:11 AM   #19
Crito
Senior Member
 
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168

Rep: Reputation: 53
Quote:
Originally Posted by catworld
Nothing beats understanding iptables directly, I suggest this excellent resource:

http://iptables-tutorial.frozentux.n...-tutorial.html
I'm a big fan of Firestarter but it seems to break my KVM/QEMU environment -- I think because dnsmasq is a dependency. So learning to use iptables-save and iptables-restore has been very helpful. In fact, I'll be updating my "block google" page so people don't have to type all those addresses in manually.

Thanks for the link!
 
Old 08-09-2007, 07:10 PM   #20
Cogar
Senior Member
 
Registered: Oct 2005
Location: It varies, but usually within 100 feet of a keyboard.
Distribution: Fedora 10, Kubuntu 8.04, Puppy 4.1.2, openSUSE 11.2
Posts: 1,126

Rep: Reputation: 52
Quote:
Originally Posted by fair_is_fair
I've had quite a go-around with gui linux firewalls lately. Firestarter is not that great for kde but will run if the right dependencies are met. Guarddog is ok but it will not allow ssl smtp for us gmail users or anyone else needing a ssl connection on alternate ports. I have had 0 luck with Kmyfirewall.

There does not seem to be a lot of development in the GUI firewall department. Guarddog is working on a new version. Firestarter is 1.5 years old.

A new firewall similar to Sygate would be a great idea.
As an update, Guarddog (2.6 and possibly earlier versions) will now allow the protocol to be set permitting the Internet zone to independently serve both SSL SMTP and SSL POP3 to the local machine.

Last edited by Cogar; 08-09-2007 at 07:11 PM.
 
Old 08-09-2007, 07:37 PM   #21
catworld
Member
 
Registered: Nov 2004
Location: Horseheads, New York
Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack & etc...
Posts: 198

Rep: Reputation: 36
Crito, others...

Quote:
Originally Posted by Crito
I'm a big fan of Firestarter but it seems to break my KVM/QEMU environment -- I think because dnsmasq is a dependency. So learning to use iptables-save and iptables-restore has been very helpful. In fact, I'll be updating my "block google" page so people don't have to type all those addresses in manually.

Thanks for the link!
I'm actually replying to your signature line... ! You say "how to block Google..."

This is all of my browsers' home page:

http://www.scroogle.org/cgi-bin/scraper.htm

And everybody should run firefox with "adblock plus" and (especially) "no script" extensions. Add to this the preference to ask what to do with every last cookie, and you've fairly well locked things down.

Cross-site scripting is a big problem...

...like the .pdf spam I've been getting in droves lately. If this stuff were junk postal snail-mail, at least I could burn it to cook and heat the house with!

cat
 
Old 08-09-2007, 08:07 PM   #22
ocavid
LQ Newbie
 
Registered: Mar 2005
Posts: 24

Rep: Reputation: 15
Quote:
Originally Posted by ghborrmann
...so I don't think it can deny access based upon the application requesting it.

http://www.novell.com/linux/security/apparmor/

That might be what you need.
 
Old 08-10-2007, 09:29 AM   #23
AlucardZero
Senior Member
 
Registered: May 2006
Location: USA
Distribution: Debian
Posts: 4,824

Rep: Reputation: 615
yeah ... In the windows platform, Sygate Rulz.
I agreed until two years ago when Symantec bought it and killed it. Now I use Sunbelt.
 
Old 08-12-2007, 05:11 AM   #24
FredrikN
Member
 
Registered: Nov 2001
Location: Sweden
Distribution: GNU/Linux since -97
Posts: 149

Rep: Reputation: 15
Quote:
Originally Posted by ghborrmann
I have only recently started to acquaint myself with linux firewall capabilities. I have studied information on ipchains and iptables, and have switched my Red Hat 7.3 system from its default ipchains to iptables. I think I understand the basics of ip and port blocking.

On my Win98 system, I have a firewall that blocks internet access depending on the application requesting it. Is that capability available on linux? That same firewall has the capability of interrogating the user when a new application attempts access. Can that be accomplished in linux?
What you are talking about is a packet filter. A packet filtering firewall sorts packets with the help of, e.g., the source address of the packet, the destination address of the packet, and the protocol type of the packet (e.g. TCP, UDP, ICMP).

Is your kernel compiled with CONFIG_IP_NF_MATCH_OWNER ?
If so, you can allow or reject packets on a per-command basis, like:

iptables -A OUTPUT -m owner --cmd-owner MassRip -j DROP

A proxy firewall does not route; it operates on the application layer. This type of firewall can look at more specific parts of the information than a packet filter can, like checking if someone is trying to download a virus with Firefox or if some user received an OO document in their email.

Last edited by FredrikN; 08-12-2007 at 05:33 AM.
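An added example, not code from any poster in this thread: the owner match that FredrikN describes, written in the iptables-save/iptables-restore format Crito mentions. The `--cmd-owner` option matches on a process name, which any process can set for itself, and it was removed from the kernel after 2.6.14; `--uid-owner` matches on the socket's credentials, which the kernel enforces, so the example pins an application to a dedicated uid (1001 and port 443 are constructed values) and adds an awk helper that audits which uids a dump allows out.

```shell
#!/bin/sh
# Added example: per-user egress control with "-m owner --uid-owner".
# The owner match only applies to locally generated packets, i.e. the
# OUTPUT (and POSTROUTING) chains; it cannot classify forwarded traffic.

# Emit an iptables-restore ruleset: $1 = uid allowed to egress, $2 = TCP
# destination port it may use. Everything else leaving the box is logged
# and dropped, so a new program phoning home shows up in the kernel log.
egress_ruleset() {
  uid="$1"; port="$2"
  cat <<EOF
*filter
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp --dport ${port} -m owner --uid-owner ${uid} -j ACCEPT
-A OUTPUT -m owner --uid-owner ${uid} -j LOG --log-prefix "egress-deny-uid${uid}: "
-A OUTPUT -j LOG --log-prefix "egress-deny: "
-A OUTPUT -j DROP
COMMIT
EOF
}

# Audit helper: read an iptables-save dump on stdin and print one
# "uid target dport" line per owner-match rule, so a reviewer sees which
# uids may talk out (and on which port) without reading the whole table.
owner_rules() {
  awk '
    /-m owner --uid-owner/ {
      uid = ""; target = ""; dport = "any"
      for (i = 1; i <= NF; i++) {
        if ($i == "--uid-owner") uid = $(i + 1)
        if ($i == "-j")          target = $(i + 1)
        if ($i == "--dport")     dport = $(i + 1)
      }
      print uid, target, dport
    }'
}

# Stand-alone run: show the audit view of the generated ruleset.
# To load it for real (as root):  egress_ruleset 1001 443 | iptables-restore
egress_ruleset 1001 443 | owner_rules
```

Run the audit against a live system with `iptables-save | owner_rules` to confirm that only the uids you expect have ACCEPT rules.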
 