Re: Firewall software.

From: Jeffrey Goldberg (nobody_at_goldmark.org)
Date: 09/29/05


Date: Wed, 28 Sep 2005 20:16:53 -0500

TLOlczyk wrote:

> For the first time, I am going to have a Linux box on the web [...]

Sorry to be pedantic, but it is probably better to call it the Internet,
or 'net instead of the web.

> Before I connect the computer to the web,
> there is one thing I feel I must do. Install a firewall.

Most modern Linux systems come with a firewall installed with reasonable
defaults (but you should always check the settings yourself).

> Now the first thing, I want to clarify what I mean by firewall, since
> it seems that the way the term is used in the Windows world and
> the networking world in general is different. I mean a piece of
> software that examines packets as they are being sent to and from
> the TCP/IP stack, and either blocks the packet or lets it through,
> depending on certain criteria. I will call this a "software firewall".

Fine. Another term you will hear is "host based firewall". That is,
where the firewall is running on the machine it is supposed to be
protecting, instead of a "network firewall" which runs on some router or
bridge or something that selectively lets packets through it. In a
sense, they are all software if you count firmware as software.

> From what I've seen there appears to be only one true software
> firewall for Linux: ipchains.

iptables. ipchains has been largely replaced by iptables. iptables
does everything that ipchains does and more.

> All other software firewalls are really
> enhancements to ipchains, built on top of it. Can someone clarify.

That's about right. Most of the software is about managing iptables for
you.

> 1) Dynamic control of ports.
> By this I mean that I want to be able to open or close a port
> without having to reboot or restart a daemon.

Yes, with iptables (and also with ipchains, and even its predecessor, ipfw)
you can modify the tables (chains, rules) on the fly.

> 2) Control of both incoming and outgoing packets.

Yes, iptables (and predecessors) do this.

I don't know how the individual firewall management packages do this.
But the capability is there and so the full featured packages will help
manage this.

> 3) Application specific control.
> I don't simply want to say "open port 80". I want to say "open port 80
> for firefox, but not for ssh or ftp".

Not to my knowledge. Does ZoneAlarm really do that? If so, how?

-j
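The three capabilities discussed in the reply, as an added example that is not part of the original thread: a small host-based firewall driven directly by iptables, with a stateful baseline (both directions controlled), functions that open and close a port without restarting anything, and, for the "application specific" question, the closest thing iptables offers, which is matching locally generated packets on the sending user rather than on a program name. It assumes a Linux host with iptables and the `conntrack` and `owner` match extensions available; `DRY_RUN` and the function names are this script's own, not iptables features.

```shell
#!/bin/sh
# Added example, not from the original post: a small host-based firewall
# managed directly with iptables. DRY_RUN=1 prints the commands instead of
# running them (real use needs root on a Linux host with netfilter).

IPT="${IPT:-iptables}"   # iptables binary (assumption: found in PATH)

# Run one iptables command, or print it verbatim in dry-run mode.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Accept only a numeric port in 1..65535 and a protocol of tcp or udp.
validate_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] || return 1
    case "${2:-tcp}" in tcp|udp) return 0 ;; *) return 1 ;; esac
}

# Baseline (item 2 in the thread: both directions are under control).
# INPUT is default-deny; loopback and return traffic for connections this
# host opened are allowed by connection state; OUTPUT stays open except
# for the per-user restrictions added by restrict_outbound_to_user.
baseline() {
    ipt -F INPUT
    ipt -F OUTPUT
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
}

# Item 1: open or close a listening port on the fly. No daemon restart is
# needed; the kernel applies the changed rule set to the next packet.
open_port() {
    validate_port "$1" "${2:-tcp}" || { echo "bad port/proto: $*" >&2; return 1; }
    ipt -A INPUT -p "${2:-tcp}" --dport "$1" -m conntrack --ctstate NEW -j ACCEPT
}

# -D deletes the rule with exactly this specification. Connections that are
# already established keep flowing through the ESTABLISHED rule; only new
# ones are refused from now on.
close_port() {
    validate_port "$1" "${2:-tcp}" || { echo "bad port/proto: $*" >&2; return 1; }
    ipt -D INPUT -p "${2:-tcp}" --dport "$1" -m conntrack --ctstate NEW -j ACCEPT
}

# Item 3, as close as iptables gets: it cannot match a program name, but the
# owner match ties locally generated packets to the uid that sent them.
# Everyone except $user is refused on outbound $port.
restrict_outbound_to_user() {
    user="$1"
    validate_port "$2" "${3:-tcp}" || { echo "bad port/proto: $*" >&2; return 1; }
    ipt -A OUTPUT -p "${3:-tcp}" --dport "$2" -m owner ! --uid-owner "$user" -j REJECT
}

# Command-line use: fw.sh baseline | open PORT | close PORT | restrict USER PORT
case "${1:-}" in
    baseline) baseline ;;
    open)     open_port "$2" "${3:-tcp}" ;;
    close)    close_port "$2" "${3:-tcp}" ;;
    restrict) restrict_outbound_to_user "$2" "$3" "${4:-tcp}" ;;
    "")       ;;   # sourced or run without arguments: define functions only
    *)        echo "usage: $0 baseline|open PORT [tcp|udp]|close PORT [tcp|udp]|restrict USER PORT [tcp|udp]" >&2
              exit 2 ;;
esac
```

Two practical caveats. `iptables -D` only succeeds if the specification matches an existing rule character for character, so `iptables -L INPUT -n --line-numbers` is the place to look when a delete fails. Rules changed on the fly live only in the kernel; they are gone after a reboot unless saved with `iptables-save` or the distribution's own persistence mechanism.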


