[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Firewall config tools, formerly wqPhoebe2 install report

John Summerfield wrote:
On Tue, 28 Jan 2003, Tommy McNeely wrote:

agreed.. FireStarter would be nice in the "extras" section of say System
Tools as "Advanced Firewall Builder" ... but LOKKIT just needs some
re-working... not sure if I could come up with 3 levels (high/med/low)
but I certainly could come up with ON/OFF :) ... maybe make the current

I'm not sure I'd classify high/medium/low, but for your simple
ex-Windows user, blocking all incoming connections seems right, and
maybe you need to block selective outgoing ports and destination ports.
Probably you don't want to talk to that slammer virus, for example.

I don't usually block any outgoing traffic... that has always burned me. The way I understand OUTPUT rules is that it only affects packets originating from the firewall machine itself, and it basically only restricts ability to connect TO stuff FROM the firewall.. I don't want to restrict what I can do.. I want to restrict what others can do to me :). Besides, unless there is going to be weekly updates of the "firewall rules" blocking certain ports for certain viruses would be futile.

If you're handling the Internet connection for a bunch of Windows boxes, you don't want to leak NETBIOS. True, a client with _one_ XP box attached to a RHL box attached to ADSL and running Clark COnnect's firewall logs a lot of blocked leaks.

This type of firewall (involving nat) should be handled by the "advanced" firwall builder...I think we need to keep the installer (LOKKIT) to be a simple HOST firewall only.. the simpler the better.. thats kinda why I vote for ON/OFF and selectable "holes" for ssh/www/smtp/etc.

You probably don't want to accept packets to/from private IP addresses.

That remains up for debate... what if I install a machine on some untrusted, but "internal" network .. like wireless... I absolutely want to have a firewall, but if I block the reserved private ip ranges, that could potentially lead to connectivity issues :)

but... (and this is already getting too complicated) maybe there should be a list of interfaces (eth0 eth1 eth2 ...) and a selection for "internet" "internal lan" "trusted network" ??

IMO any "internet" connected interface should -j PublicFilter (below)

[0:0] -A PublicFilter -m state --state INVALID -j MyDROP
[0:0] -A PublicFilter -s -j MyDROP
[0:0] -A PublicFilter -d -j MyDROP
[0:0] -A PublicFilter -s -j MyDROP
[0:0] -A PublicFilter -s -j MyDROP
[0:0] -A PublicFilter -s -j MyDROP
[0:0] -A PublicFilter -s -j MyDROP
[0:0] -A PublicFilter -s -j MyDROP
[0:0] -A PublicFilter -s -j MyDROP

(I am sure you can figure out what "MyDROP" does)

I've spent some time perusing sourceforge. I quite like the look of this, though the interface is a text editor: http://firehol.sourceforge.net/

Host does this syntax grab you?
	transparent_squid 8080 "squid root" inface eth0
	interface eth0 mylan
		policy accept
	interface ppp+ internet
		server smtp accept
		server http accept
		server ftp accept
		server ssh accept src trusted.example.com
		client all accept
	router mylan2internet inface eth0 outface ppp+
		route all accept

I've not tried it, and there are several hundred projects in the same category, many of them firewalls for Linux.

easy for me to understand, but we are talking about the "installer" needing to be very very simple... simpler than that... but maybe lokkit or some derivitive work could write that code?? :-/

This looks promising too: http://shorewall.sourceforge.net/

One or two are webmin modules; I can live with that for what I want, but
they're not easy replacements for lokkit. I think firehol could be.

I bet there are more firewall builders for linux than you could "shake a stick at" ... some good some bad... I have not tried shorewall nor firehol.. I think I tried firestarter once.. but a while ago...

sound good?

Tommy McNeely      --     Tommy McNeely Sun COM
Sun Microsystems - IT Ops - Broomfield Campus Support
Phone:  x50888 / 303-464-4888   --  Fax:  720-566-3168
Pager:  800-200-5968 / 2005968 skytel com

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]