[gentoo-user] Re: Best *SIMPLE* firewall?

2018-02-28 Thread Grant Edwards
On 2018-02-28, taii...@gmx.com wrote:

> Is there a windows style application layer firewall?

Can you describe what that means? (For the benefit of those of us that
aren't familiar with Windows.)

-- 
Grant Edwards   grant.b.edwards at gmail.com   Yow! Bo Derek ruined my life!




[gentoo-user] Re: Best *SIMPLE* firewall?

2018-02-28 Thread Ian Zimmerman
On 2018-02-28 13:28, Jorge Almeida wrote:

> > Is there something besides iptables?  It seems to be like
> > systemd/perl/python, continuously expanding its scope.  And no, I'm
> > not looking for an "easy-peasy front-end gui" that'll probably pull
> > in 90% of QT as dependencies.  I fondly remember IPCHAINS.
> 
> shorewall seems to be the most powerful one. Lots of documentation,
> configured via text files.  firehol is much simpler to use, but less
> well documented and the mailing list doesn't show much life. None has
> any useless GUI. I find both usable.
> 
> I would just use iptables if I were iptables-wise enough.

Isn't iptables (the userspace program) just a very thin wrapper over the
underlying kernel interface (netfilter)?  AFAIK there is no other kernel
interface, at least not in stable kernels, so all the other packages
just abstract and simplify it more - I would not consider that reduction
of scope.

I actually like iptables, of course I'll never learn about _all_ its
features, but I've already used some not quite trivial ones.

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.



Re: [gentoo-user] [OT] Best *SIMPLE* firewall?

2018-02-28 Thread Grant Taylor

On 02/28/2018 02:15 PM, Walter Dnes wrote:
> Is there something besides iptables?

nftables

I think BPF may come into context here, but I've mostly ignored it, so 
I'm not sure.



> It seems to be like systemd/perl/python, continuously expanding its scope.

What do you mean?

I've seen newer match extensions and targets over the years.  But those 
are simply additional optional bits.  I.e. you need to have the module 
loaded or compiled into your kernel.



> I fondly remember IPCHAINS.

I vaguely remember ipchains.  I don't remember what was before it, 
ipfwadm(?).


Maybe it was my ignorance at the time, but I wouldn't use the word 
"fondly" to describe my experience with ipchains.


I am fond of iptables / ebtables / arptables.

I've looked at nftables a few times in the last 18 months and have 
decided not to take that plunge yet.  Usually it's because I feel like I 
don't have feature parity between iptables and nftables for the iptables 
features that I use.




--
Grant. . . .
unix || die





Re: [gentoo-user] Re: Best *SIMPLE* firewall?

2018-02-28 Thread Grant Taylor

On 02/28/2018 04:22 PM, taii...@gmx.com wrote:

> Is there a windows style application layer firewall?

I'm not aware of one.

I know that iptables can filter based on a process owner and cgroup. 
So, depending on how the applications are running, you might be able to 
come close to what you're after.


I think I've seen a few firewall packages / solutions over the years 
that run a client on workstations that publish state on a central 
firewall, which will then filter flows based on their (lack of) 
registration state.  -  I've never messed with anything like this.


> I get that it doesn't stop truly malicious programs but I am simply
> wanting to stop random programs doing connections without my consent
> which due to the Lennart Poetterings of the world now are not just a
> windows freeware problem.

I think for now, you have to block everything by default and explicitly 
allow what you want through.  Or use something like a SOCKS server that 
can do some different types of filtering than can be done with iptables.




--
Grant. . . .
unix || die




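The two replies above sketch how to approximate a per-application firewall on Linux with what netfilter already offers: deny outbound by default, then allow flows only for the Unix user (owner match) or cgroup that a given program runs as, and log whatever else tries to connect so you can see who it was. The script below is an added example, not code from the thread or from any of the tools named in it. It emits a ruleset in iptables-restore format and only applies it if run as root with --apply. The user names, ports and cgroup path are a constructed sample policy; it assumes the xt_owner and xt_cgroup modules are available, and "-m cgroup --path" assumes iptables 1.6 or later on a cgroup v2 hierarchy.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny egress policy in
# iptables-restore format. Outbound NEW connections are allowed only for
# named Unix users (owner match) or a named cgroup (cgroup match); all
# other attempts are logged with their UID and rejected so the offending
# program fails fast instead of hanging on a silent DROP.
#
# Caveats: the owner match only works on locally generated packets
# (OUTPUT/POSTROUTING), and it keys on UID, not on the binary, so each
# application you want to police has to run as its own user or cgroup.

# Constructed sample policy: "user:proto:dport" (hypothetical users)
ALLOW_USERS="mailuser:tcp:993 mailuser:tcp:587 browser:tcp:443"
# Hypothetical cgroup v2 path granted unrestricted egress (needs xt_cgroup,
# iptables >= 1.6 and a cgroup v2 mount; assumption, not from the thread)
ALLOW_CGROUPS="/user.slice/apps/updater"

gen_rules() {
  printf '%s\n' '*filter'
  printf '%s\n' ':INPUT DROP [0:0]'
  printf '%s\n' ':FORWARD DROP [0:0]'
  printf '%s\n' ':OUTPUT DROP [0:0]'
  printf '%s\n' ':EGRESS - [0:0]'
  # Loopback and return traffic for flows that were already accepted,
  # so only NEW connections reach the owner/cgroup checks below.
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
  printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' '-A OUTPUT -j EGRESS'
  # DNS for everyone, since the allowed programs need to resolve names.
  printf '%s\n' '-A EGRESS -p udp --dport 53 -j ACCEPT'
  printf '%s\n' '-A EGRESS -p tcp --dport 53 -j ACCEPT'
  # One ACCEPT per user/port allowance; the owner match takes a name or UID.
  for spec in $ALLOW_USERS; do
    user=${spec%%:*}; rest=${spec#*:}; proto=${rest%%:*}; port=${rest#*:}
    printf '%s\n' "-A EGRESS -m owner --uid-owner $user -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
  # Whole cgroups may be allowed regardless of user.
  for cg in $ALLOW_CGROUPS; do
    printf '%s\n' "-A EGRESS -m cgroup --path $cg -j ACCEPT"
  done
  # Default: rate-limited log carrying the socket owner's UID/GID, then
  # an administratively-prohibited reject rather than a silent drop.
  printf '%s\n' '-A EGRESS -m limit --limit 10/min -j LOG --log-prefix "egress-denied: " --log-uid'
  printf '%s\n' '-A EGRESS -j REJECT --reject-with icmp-admin-prohibited'
  printf '%s\n' 'COMMIT'
}

# count_rules_for <user>: number of ACCEPT rules the policy grants a user.
count_rules_for() {
  gen_rules | grep -c -- "--uid-owner $1 "
}

case "${1:-}" in
  --apply) gen_rules | iptables-restore ;;   # root only; replaces the filter table
  *)       gen_rules ;;                      # print the ruleset for review
esac
```

Run it without arguments to inspect the generated ruleset, then as root with --apply. Denied attempts show up in the kernel log as "egress-denied:" lines with UID= and GID= fields, which is the closest thing to the "program X wants to connect" prompt the thread is asking about.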

Re: [gentoo-user] Re: Best *SIMPLE* firewall?

2018-02-28 Thread Grant Taylor

On 02/28/2018 04:47 PM, Grant Taylor wrote:
> I know that iptables can filter based on a process owner and cgroup. So,
> depending on how the applications are running, you might be able to come
> close to what you're after.


You might be able to punt (metadata about) packets into a user space 
program that can then make decisions based on additional information. 
I.e. what process owns the originating / terminating socket, and ACCEPT 
/ DROP / REJECT packets based on that.


I've never heard of such, but I see how it could work.  E.g. DROP / 
REJECT packets by default, and ACCEPT any packets that have a paternal 
process tied to the /usr/bin/thunderbird file.




--
Grant. . . .
unix || die





Re: [gentoo-user] Re: Best *SIMPLE* firewall?

2018-02-28 Thread Rich Freeman
On Wed, Feb 28, 2018 at 6:22 PM, taii...@gmx.com wrote:
> Is there a windows style application layer firewall?

Windows doesn't have an "application layer firewall" as far as I know.
I believe that it does the filtering at the OS level, the same as
Linux.

Now, it is true that the UI for the Windows Firewall is typically used
to set rules on a per-application basis.  However, I'm pretty sure
this can also be done with netfilter.  I'm not sure if any of the more
convenient netfilter front-ends offer this capability.

> I get that it doesn't
> stop truly malicious programs

As far as I'm aware there is nothing really wrong with the Windows
Firewall.  I wouldn't expect it to be any less secure than netfilter.
There is something to be said for having layers of defense and running
a firewall that isn't on the server being protected, but that is true
of both Linux and Windows.  Of course the Windows implementation could
contain a bug that the Linux implementation lacks, but the reverse is
also true.  Like everybody around here I prefer a FOSS implementation,
and would trust it more due to the "many eyes" philosophy, but I'd
stop short of saying that the Windows software firewall is
particularly insecure.

And of course if you want to filter based on process you have no
choice but to implement it on the host running the process.  This
doesn't prevent you from also having a separate firewall at the
network perimeter either.

-- 
Rich



Re: [gentoo-user] [okey..] [OT] Best *SIMPLE* firewall?

2018-02-28 Thread Dale
Nils Freydank wrote:
>
> PS: What about the "suspected spam" in your subject? Is that a bug in the ML 
> software or does that one come from you?
>

I might add, I've got this on other messages as well.  I was wondering
about why that was there. 

Dale

:-)  :-) 



Re: [gentoo-user] [okey..] [OT] Best *SIMPLE* firewall?

2018-02-28 Thread Nils Freydank
Am Mittwoch, 28. Februar 2018, 22:15:59 CET schrieb Walter Dnes:
>   Is there something besides iptables?  It seems to be like
> systemd/perl/python, continuously expanding its scope.  And no, I'm not
> looking for an "easy-peasy front-end gui" that'll probably pull in 90%
> of QT as dependencies.  I fondly remember IPCHAINS.

Personally I like nftables (the iptables successor) more. Mostly the same, but 
in my eyes it's more convenient.

There are plenty of frontends, many of them in net-firewall/ in our tree ;)

(I tried to use ufw some years ago, but I found it more annoying than
helpful.)


PS: What about the "suspected spam" in your subject? Is that a bug in the ML 
software or does that one come from you?

-- 
GPG fingerprint: '00EF D31F 1B60 D5DB ADB8 31C1 C0EC E696 0E54 475B'
Nils Freydank



[gentoo-user] [SUSPECTED SPAM] [OT] Best *SIMPLE* firewall?

2018-02-28 Thread Walter Dnes
  Is there something besides iptables?  It seems to be like
systemd/perl/python, continuously expanding its scope.  And no, I'm not
looking for an "easy-peasy front-end gui" that'll probably pull in 90%
of QT as dependencies.  I fondly remember IPCHAINS.

-- 
Walter Dnes 
I don't run "desktop environments"; I run useful applications



Re: [gentoo-user] Re: Best *SIMPLE* firewall?

2018-02-28 Thread taii...@gmx.com
Is there a windows style application layer firewall? I get that it
doesn't stop truly malicious programs but I am simply wanting to stop
random programs doing connections without my consent which due to the
Lennart Poetterings of the world now are not just a windows freeware
problem.




Re: [gentoo-user] [SUSPECTED SPAM] [OT] Best *SIMPLE* firewall?

2018-02-28 Thread Jorge Almeida
On Wed, Feb 28, 2018 at 1:15 PM, Walter Dnes wrote:
>   Is there something besides iptables?  It seems to be like
> systemd/perl/python, continuously expanding its scope.  And no, I'm not
> looking for an "easy-peasy front-end gui" that'll probably pull in 90%
> of QT as dependencies.  I fondly remember IPCHAINS.

shorewall seems to be the most powerful one. Lots of documentation,
configured via text files.
firehol is much simpler to use, but less well documented and the
mailing list doesn't show much life. None has any useless GUI. I find
both usable.

I would just use iptables if I were iptables-wise enough.

Cheers

Jorge Almeida



Re: [gentoo-user] [SUSPECTED SPAM] [OT] Best *SIMPLE* firewall?

2018-02-28 Thread Heiko Baums
Am Wed, 28 Feb 2018 16:15:59 -0500
schrieb "Walter Dnes":

>   Is there something besides iptables?  It seems to be like
> systemd/perl/python, continuously expanding its scope.  And no, I'm
> not looking for an "easy-peasy front-end gui" that'll probably pull
> in 90% of QT as dependencies.  I fondly remember IPCHAINS.

I don't know what you're looking for exactly.

If you want a command line tool for configuring your firewall with an
easier syntax than iptables you could try ufw.

I don't know nftables yet, but from what I've read so far they seem to
have got their inspiration from ufw's syntax.

ufw itself uses iptables and generates iptables rules.

In principle all those firewall tools do the same. They configure the
kernel's own firewall, netfilter. And most if not all of those tools
themselves use iptables, which, besides nftables, is the official tool
for configuring netfilter.

Fun fact: iptables is the successor of ipchains. And it's a very long
time ago that ipchains was replaced by iptables.



Re: [gentoo-user] Re: Best *SIMPLE* firewall?

2018-02-28 Thread mad.scientist.at.large


All Microsoft software is inherently less secure.  You see, like many companies 
based here in amerika, Microsoft notifies the NSA of bugs and does not patch them or 
notify anyone else until the NSA says so, i.e. not unless/until the NSA thinks they 
don't need the indirect, "accidentally" included back door.  Much 
harder but not impossible with Linux, and not at all difficult when you 
infiltrate development, as the NSA did with one of the encrypted filesystems.  
Please see 
 for an 
idea of how it really works here and elsewhere.   And don't think they 
harass/pressure/or are cooperated with by companies world wide.  The point 
being that once backdoors are in there is little to do.  HP and Dell (and 
doubtless others we still don't know about) put backdoors in their server 
hardware BIOSes that they claim to not know the workings of.

Remember the "Iran hostage 'crisis'": one of the 3 taken hostage, and likely 
the trigger, was working for a SWISS encryption company that had put NSA 
backdoors into its encryption products.  One of their employees had the 
misfortune to be servicing the product in Iran when it leaked out.

The point being that anyone who leaves/creates backdoors is making a way for 
others to violate the system.  This is seriously damaging the value (in 
financial terms) as people realize how grossly insecure it is and indeed that 
some of that is deliberate.  Some of it is ignorance; badly implemented 
security can make things worse and all software adds bugs to a secure system 
(part of why it's very bad practice to use a whole PC and OS as part of a 
voting machine; simpler is nearly always more secure).  Most security breaches 
of encrypted and non-encrypted systems are due to a software bug, though often 
partially a lack of good systems administration.   Apparently the math is good, 
but realize the NSA employs more mathematicians than any other agency/company, 
about 2500+ as I recall; they know things about math that no one else does.  

P.S., there are good people at the NSA, though fewer than there used to be, and 
sadly bad attitudes seem now to be required for administrative jobs.  Many have 
left due to the most recent "return to the bad old days", as one of them put it 
(i.e. during the sixties when, amongst other things, Doctor King and countless 
others were spied on for political ends; in one of King's hotel rooms there 
were over 50 FBI bugs!  That would be a lot of bugs now).

And 702 is still law here, even though it explicitly allows law enforcement 
data illegally obtained by "homeland security" (a classic example of newspeak) 
in court and to LIE about where it came from, i.e. it legalizes perjury on the 
part of the state in many cases, the type of thing that usually causes a 
mistrial and gets people disbarred and sent to prison, though the defense can 
still get in trouble, sometimes.  Currently the "rule of law" only applies when 
there is no government interest.

My country is adding back doors to routers and likely other electronics at 
customs, outbound at least but very likely inbound as well.  Despite public 
statements many of the tech companies still aid in illegal surveillance, 
partially because it makes more of their privacy policies void and allows them 
to collect, process, and sell your privacy.

Do you have a Samsung voice controlled TV?  Samsung has allowed the NSA to use 
these TV sets as bugs, which is likely the case with cell phone makers as well. 
 Hence the "creepy" notice in the manual that vocal commands are processed off 
site, i.e. remotely over the net in all cases.

What happens when a company doesn't comply with illegal orders from the NSA?  They 
get shut down; remember Qwest (the former provider in Colorado etc.), out of 
business and replaced by a very slimy competitor, all because they made a "big 
deal" over providing the NSA with people's "meta data", often very, very useful.

I feel bad about my country's abandonment of basic human liberties and our 
own constitution/bill of rights, and worse about how it is enabling other countries 
to do the same and worse.  It is severely damaging the value of the internet 
and will result in financial losses globally. 

mad.scientist.at.large (a good madscientist)
--
God bless the rich, the greedy and the corrupt politicians they have put into 
office.   God bless them for helping me do the right thing by giving the rich 
my little pile of cash.  After all, the rich know what to do with money.


28. Feb 2018 17:26 by ri...@gentoo.org:


> On Wed, Feb 28, 2018 at 6:22 PM, taii...@gmx.com wrote:
>> Is there a windows style application layer firewall?
>
> Windows doesn't have an "application layer firewall" as far as I know.
> I believe that it does the filtering at the OS level, the same as
> Linux.
>
> Now, it is true that the UI for the Windows Firewall is typically used
> to set rules on a per-application basis. 

Re: [gentoo-user] [okey..] [OT] Best *SIMPLE* firewall?

2018-02-28 Thread Walter Dnes
On Thu, Mar 01, 2018 at 12:11:12AM +0100, Nils Freydank wrote

> PS: What about the "suspected spam" in your subject? Is that a bug
> in the ML software or does that one come from you?

  Probably my ISP, I'll have to ask on their support forum.

-- 
Walter Dnes 
I don't run "desktop environments"; I run useful applications



Re: [gentoo-user] Re: Blacklist one of the pool's rsync server?

2018-02-28 Thread Neil Bothwick
On Wed, 28 Feb 2018 02:18:37 + (UTC), Grant Edwards wrote:

> > Is it possible to add it to your hosts file and point it to local
> > IP?   
> 
> No.  Because the name is rsync://rsync.us.gentoo.org/gentoo-portage.  

> > Obviously, if it is a numbered IP then this likely won't work.   
> 
> I could, however, set up a static route for the IP in question and
> point it to something that isn't listening on the rsync port.  That
> won't make it avoid trying to use that server, but it would make it
> fail immediately rather than let it crawl along until it hangs
> or I hit Ctrl-C. :)

Or you could set the route to point to the IP address of one of the good
hosts.


-- 
Neil Bothwick

Scientists decode the first confirmed alien transmission from outer space
...
"This really works! Just send 5*10^50 H atoms to each of the five star
systems listed below. Then, add your own system to the top of the list,
delete the system at the bottom, and send out copies of this message to
100 other solar systems. If you follow these instructions, within 0.25 of
a galactic rotation you are guaranteed to receive enough hydrogen in
return to power your civilization until entropy reaches its maximum!"

