Re: [gentoo-user] Personal firewall for Linux?
Hi Matt, on Monday, 2005-08-29 at 14:54:46, you wrote:

> I'm not trying to do anything complicated like protect a LAN or include a DMZ or run an ftp server or anything like that. I'm just looking for a quick and easy way to add another layer of protection to my desktop by closing all unused ports.

Well, if they are unused, they are closed, no need to worry about them. The only thing you'd need some packet filter (a firewall is something different, although the term sounds so good that the marketroids have established it even for simpler things than iptables) for is if you want *restrictions* on some ports, like to open your web server to the LAN but not the internet.

On Windows, the situation is a little different as you don't have a lot of control about what program opens what ports if you don't know your system inside-out. And many programs love to connect to their masters and tell them all kinds of stuff about your system, so you'd usually want to block these on an application level.

If you just want something that pops up once in a while and gives scary messages, there's the usual Perl one-liner :)

perl -e 'use Tk;while(1){sleep(rand(290)+10);new MainWindow(-title,"Boo!")->Button(-text,"HackAttack!!!one!\n\nBlock")->pack;MainLoop}'

cheers!
Matthias

-- 
I prefer encrypted and signed messages. KeyID: 90CF8389
Re: [gentoo-user] Personal firewall for Linux?
> I'm not trying to do anything complicated like protect a LAN or include a DMZ or run an ftp server or anything like that. I'm just looking for a quick and easy way to add another layer of protection to my desktop by closing all unused ports.

Go to gentoo-wiki.com and search for "newbie iptables"; there's a quickstart guide that should tell you in 3 minutes or less the things that you need to know.

-- 
8^) Laterz-
~Alvin
http://CoolAJ86.Havenite.net
---
Dad: There's good-looking, there's excellent looking, and then there's me.
Re: [gentoo-user] Personal firewall for Linux?
Matt Randolph wrote:
> I've seen related threads here recently, but I think my question is different enough to warrant a new thread.
>
> I'm looking for a personal firewall along the lines of the ZoneAlarm product for Windows. I don't want to take the time to teach myself

Not an answer but a follow-up question: Is there a firewall for Linux that can do application level filtering (probably wrong terms but...), that is, is there a program that can block foo from web access but allow it to imap and at the same time allow bar web access? (like most Win* firewalls can)

-- 
Naga
-- 
gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Personal firewall for Linux?
Nagatoro schreef:
> Matt Randolph wrote:
>> I've seen related threads here recently, but I think my question is different enough to warrant a new thread.
>>
>> I'm looking for a personal firewall along the lines of the ZoneAlarm product for Windows. I don't want to take the time to teach myself
>
> Not an answer but a follow-up question: Is there a firewall for Linux that can do application level filtering (probably wrong terms but...),

Please anybody, correct me if I'm wrong, but afaik, this assumption that there are multiple firewall programs in the first place is incorrect. There is one. IPtables. All right, two, if you count IPchains, which IPtables replaced.

> that is, is there a program that can block foo from web access but allow it to imap and at the same time allow bar web access? (like most Win* firewalls can)

It's all about the ruleset. In this case, it looks like this option is involved:

   owner
       This module attempts to match various characteristics of the packet creator, for locally-generated packets. It is only valid in the OUTPUT chain, and even then some packets (such as ICMP ping responses) may have no owner, and hence never match.

       --uid-owner userid
              Matches if the packet was created by a process with the given effective user id.

       --gid-owner groupid
              Matches if the packet was created by a process with the given effective group id.

       --pid-owner processid
              Matches if the packet was created by a process with the given process id.

       --sid-owner sessionid
              Matches if the packet was created by a process in the given session group.

       --cmd-owner name
              Matches if the packet was created by a process with the given command name. (this option is present only if iptables was compiled under a kernel supporting this feature)

Obviously, one would have to read more of man iptables than I did, or get a GUI front end that handles this more 'intuitively' to actually write the appropriate rule, but clearly it is possible.

Hope this helps,
Holly
Re: [gentoo-user] Personal firewall for Linux?
Nagatoro wrote:
[snip]
> Not an answer but a follow-up question: Is there a firewall for Linux that can do application level filtering (probably wrong terms but...), that is, is there a program that can block foo from web access but allow it to imap and at the same time allow bar web access? (like most Win* firewalls can)

echo "net-firewall/iptables extensions" >> /etc/portage/package.use
emerge -av net-firewall/iptables

visit http://l7-filter.sf.net for howto and faqs
Re: [gentoo-user] Personal firewall for Linux?
Holly Bostick wrote:
[snip]
>> Not an answer but a follow-up question: Is there a firewall for Linux that can do application level filtering (probably wrong terms but...),
>
> Please anybody, correct me if I'm wrong, but afaik, this assumption that there are multiple firewall programs in the first place is incorrect. There is one. IPtables. All right, two, if you count IPchains, which IPtables replaced.

Not really: there are the ipt* kernel modules, then there is the program iptables, then the various programs that use the iptables program. The iptables program is a frontend, all the others are frontends that use it; it's a question of how near the piece you're looking at is to the nucleus.

>> that is, is there a program that can block foo from web access but allow it to imap and at the same time allow bar web access? (like most Win* firewalls can)
>
> It's all about the ruleset. In this case, it looks like this option is involved:
>
>    owner
>        This module attempts to match various characteristics of the packet creator, for locally-generated packets. It is only valid in the OUTPUT chain, and even then some packets (such as ICMP ping responses) may have no owner, and hence never match.
>
>        --uid-owner userid
>               Matches if the packet was created by a process with the given effective user id.
>        --gid-owner groupid
>               Matches if the packet was created by a process with the given effective group id.
>        --pid-owner processid
>               Matches if the packet was created by a process with the given process id.
>        --sid-owner sessionid
>               Matches if the packet was created by a process in the given session group.
>        --cmd-owner name
>               Matches if the packet was created by a process with the given command name. (this option is present only if iptables was compiled under a kernel supporting this feature)
>
> Obviously, one would have to read more of man iptables than I did, or get a GUI front end that handles this more 'intuitively' to actually write the appropriate rule, but clearly it is possible.
>
> Hope this helps,
> Holly

See what l7 provides as application level filtering to have some other ideas.

I never worked with advanced options like --cmd-owner name; this one sounds promising for a personal firewall but sounds difficult to maintain.

A question: are there front-ends (graphical or not) that use this kind of option? Just because I've found it rather ugly to maintain iptables rules directly.
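The per-user policy Nagatoro asked about, written out against the owner match from Holly's man page excerpt and combined with the default-deny inbound setup the original question wanted, as an added example that is not code from anyone in this thread. The user names foo and bar, the single open inbound service (ssh) and the IMAP/web port numbers are assumptions; set IPT=echo (or pass dry-run) to print the rules instead of loading them.

```shell
#!/bin/sh
# Personal firewall for a single desktop (constructed example, not from the
# list): default-deny inbound ("close all unused ports") plus per-user egress
# control with the iptables owner match.
# IPT names the binary to use; set IPT=echo to dry-run and only print rules.
IPT="${IPT:-iptables}"

# Assumed user names: foo may use IMAP but not the web, bar may use the web.
WEB_BLOCKED_USER="${WEB_BLOCKED_USER:-foo}"
WEB_ALLOWED_USER="${WEB_ALLOWED_USER:-bar}"
SSH_PORT="${SSH_PORT:-22}"   # the one inbound service kept open (assumed)

load_rules() {
    # Start from an empty filter table.
    $IPT -F
    $IPT -X
    # Default policies: nothing comes in unless explicitly allowed, nothing
    # is forwarded (this is a desktop, not a router), outbound is open.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback, and replies to connections this host initiated itself.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The explicitly allowed inbound service; every other port hits DROP.
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    # Per-user application-level policy. The owner match only applies to
    # locally generated packets, so these rules live in OUTPUT.
    $IPT -A OUTPUT -m owner --uid-owner "$WEB_BLOCKED_USER" \
        -p tcp -m multiport --dports 143,993 -j ACCEPT
    $IPT -A OUTPUT -m owner --uid-owner "$WEB_BLOCKED_USER" \
        -p tcp -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset
    $IPT -A OUTPUT -m owner --uid-owner "$WEB_ALLOWED_USER" \
        -p tcp -m multiport --dports 80,443 -j ACCEPT
    # Rate-limited log of what the INPUT policy is about to drop, so the
    # "scary messages" end up in syslog where they can be reviewed.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# Usage: sh fw.sh dry-run   (print the rules)  |  sh fw.sh apply   (as root)
case "${1:-}" in
    dry-run) IPT=echo load_rules ;;
    apply)   load_rules ;;
esac
```

Only --uid-owner and --gid-owner survive in current kernels; --pid-owner, --sid-owner and --cmd-owner were removed, so a per-user (or per-group) policy is the durable way to express this. Bear in mind that the match keys on the effective uid of the socket owner, not on the program name, so the two users need to be genuinely separate accounts.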
Re: [gentoo-user] Personal firewall for Linux?
Holly Bostick wrote:
> It's all about the ruleset. In this case, it looks like this option is involved:
> [...]

Thanks. This seems like it would do the trick.

-- 
Naga
[gentoo-user] Personal firewall for Linux?
I've seen related threads here recently, but I think my question is different enough to warrant a new thread.

I'm looking for a personal firewall along the lines of the ZoneAlarm product for Windows. I don't want to take the time to teach myself iptables if there is a simple alternative.

I'm not trying to do anything complicated like protect a LAN or include a DMZ or run an ftp server or anything like that. I'm just looking for a quick and easy way to add another layer of protection to my desktop by closing all unused ports.

A GUI is preferred but is not required. Any suggestions? (If you dare answer,) what firewall do you use and why did you choose it?
Re: [gentoo-user] Personal firewall for Linux?
KFireWall (I think it's called) if you use KDE.

Regards,
Martin S
Re: [gentoo-user] Personal firewall for Linux?
Matt Randolph schreef:
> I've seen related threads here recently, but I think my question is different enough to warrant a new thread.

I think you're not quite right :), but I can see why you'd think this.

> I'm looking for a personal firewall along the lines of the ZoneAlarm product for Windows. I don't want to take the time to teach myself iptables if there is a simple alternative.

Sure there is; just use one of the many GUI front ends for iptables that are pre-set, as it were, for personal (workstation) settings, rather than router or server settings. As far as I can see, iptables *is* the firewall, but that doesn't mean you have to go all full-bore with it.

> I'm not trying to do anything complicated like protect a LAN or include a DMZ or run an ftp server or anything like that. I'm just looking for a quick and easy way to add another layer of protection to my desktop by closing all unused ports.
>
> A GUI is preferred but is not required. Any suggestions? (If you dare answer,) what firewall do you use and why did you choose it?

I use (the) firestarter (frontend for iptables). It seems quite clever; I still appear to ShieldsUP! as stealth (including those ports I have forwarded to be open to specific apps), but those applications/services which are set to use specific ports via UDP (azureus, for example), are able to pass through without issue (and in fact without my having to specifically configure Firestarter to allow them to, although I did, because of the UDP, I believe). Firestarter has specific pre-sets to allow various known services through the firewall, and runs as a daemon, though there's a GUI you can run in the tray if you often need to check or reconfigure something. I ran the tray applet the first day; it seemed to work well, so I don't run it any more unless something changes on my system as a whole (I started running an ftp server, for example), and I would need to reconfigure slightly.

Firestarter was recommended to me by the Shorewall page:

   Shorewall is not the easiest to use of the available iptables configuration tools but I believe that it is the most flexible and powerful. So if you are looking for a simple point-and-click set-and-forget Linux firewall solution that requires a minimum of networking knowledge, I would encourage you to check out the following alternatives:

   * http://www.m0n0.ch/wall/
   * http://www.fs-security.com/

Firestarter is the second link.

HTH,
Holly
Re: [gentoo-user] Personal firewall for Linux?
I use shorewall on my gateways / firewalls, but it's probably a bit overkill for you. A really simple setup can be done with firehol(.sf.net), but I don't think running a firewall on a unix desktop is necessary.

Oscar

On Mon, 29 Aug 2005 14:54:46 -0400 Matt Randolph [EMAIL PROTECTED] wrote:
> I've seen related threads here recently, but I think my question is different enough to warrant a new thread.
>
> I'm looking for a personal firewall along the lines of the ZoneAlarm product for Windows. I don't want to take the time to teach myself iptables if there is a simple alternative.
>
> I'm not trying to do anything complicated like protect a LAN or include a DMZ or run an ftp server or anything like that. I'm just looking for a quick and easy way to add another layer of protection to my desktop by closing all unused ports.
>
> A GUI is preferred but is not required. Any suggestions? (If you dare answer,) what firewall do you use and why did you choose it?
Re: [gentoo-user] Personal firewall for Linux?
iptables really isn't that difficult if you just want to do what the average home user wants to do: accept certain services and block everything else. Provided that you have kernel support for iptables you can just copy/paste some example code in a text file.

http://gentoo-wiki.com/HOWTO_Iptables_for_newbies#QuickStart
http://gentoo-wiki.com/GWikInstall_Essential_Daemons#Firewall_with_netfilter.2Fiptables

-- 
8^) Laterz-
~Alvin
http://CoolAJ86.Havenite.net
---
SlickC92: I'd rather die than have people point and laugh at me all of the time!
CoolAJ86: But don't they do that anyway?
Re: [gentoo-user] Personal firewall for Linux? [OT]
> but I don't think running a firewall on a unix desktop is necessary.

I certainly do. What about ssh multiple-login attacks? I know that pam can easily fix this (http://gentoo-wiki.com/GWikInstall_Essential_Daemons#Securing_SSH), but I know there are other services (portmap) that can be vulnerable if not blocked or selectively filtered. Most geeks know to set a good password, but to generalize "unix desktop" - that includes a number of grandmas, believe it or not.

-- 
8^) Laterz-
~Alvin
http://CoolAJ86.Havenite.net
---
Did I say that? Well, if I did, I've changed my mind - And it just goes to show that I still have one!
Re: [gentoo-user] Personal firewall for Linux?
Matt,

Check out net-firewall/firestarter, http://www.fs-security.com/, it is a gui frontend for iptables and has a way to monitor the communication.

Sean

On Monday 29 August 2005 02:54 pm, Matt Randolph wrote:
> I've seen related threads here recently, but I think my question is different enough to warrant a new thread.
>
> I'm looking for a personal firewall along the lines of the ZoneAlarm product for Windows. I don't want to take the time to teach myself iptables if there is a simple alternative.
>
> I'm not trying to do anything complicated like protect a LAN or include a DMZ or run an ftp server or anything like that. I'm just looking for a quick and easy way to add another layer of protection to my desktop by closing all unused ports.
>
> A GUI is preferred but is not required. Any suggestions? (If you dare answer,) what firewall do you use and why did you choose it?

-- 
Sean Higgins, [EMAIL PROTECTED]
http://www.systura.com - Where information becomes knowledge.