Re: Firewall software.

spike1_at_freenet.co.uk
Date: 09/30/05


Date: Fri, 30 Sep 2005 12:05:21 GMT

TLOlczyk <olczyk2002@yahoo.com> did eloquently scribble:
> From what I've seen there appears to be only one true software
> firewall for Linux: ipchains. All other software firewalls are really
> enhancements to ipchains, built on top of it. Can someone clarify.

iptables. IPChains was the old version used in 2.2 kernels.
As firewalling is built into the kernel itself, the only things out there
tend to be scripts used to configure the firewall.
 
> Assuming there are other software firewalls, there are three major
> properties I am looking for (these are the aspects of ZoneAlarm that
> I really think are necessary):
>
> 1) Dynamic control of ports.
> By this I mean that I want to be able to open or close a port
> without haviing to reboot or restart a daemon. By example, let
> us say that firefox is trying to access
> http://www.somedomain.com:7999, but fails. I check the firewall
> logs and see that the firewall blocked the request because port 7999
> is not open to firefox.

Ports tend to be open for outgoing on linux, blocked for incoming.
Occasionally, they'll be blocked for outgoing, but usually only by employers
to stop their workers wasting time on irc or online games.

After all, why would you block an outgoing port? If you want to access a
port on someone elses computer from your machine, why would the machine
decide "no, you can't do that"?

(In the windows world of viruses and spyware, it might be a neccessity, but
not in linux)

> 2) Control of both incoming and outgoing packets.
> Some firewalls only prevent incoming packets from coming in,
> presumably to prevent someone from breaking into your computer.
> But these days a lot of time when you computer has been subverted,
> it is used to break into other computers.
>
> 3) Application specific control.
> I don't simply want to say "open port 80". I want to say "open port 80
> for firefox, but not for ssh or ftp".

Linux doesn't do application firewalling... yet.
Don't know if it ever will.

-- 
-----------------------------------------------------------------------------
|   spike1@freenet.co.uk   |   Windows95 (noun): 32 bit extensions and a    |
|                          | graphical shell for a 16 bit patch to an 8 bit |
|Andrew Halliwell BSc(hons)| operating system originally  coded for a 4 bit |
|            in            |microprocessor, written by a 2 bit company, that|
|     Computer Science     |        can't stand 1 bit of competition.       |
-----------------------------------------------------------------------------