Re: Firewall software.

spike1_at_freenet.co.uk
Date: 09/30/05


Date: Fri, 30 Sep 2005 12:05:21 GMT

TLOlczyk <olczyk2002@yahoo.com> did eloquently scribble:
> From what I've seen there appears to be only one true software
> firewall for Linux: ipchains. All other software firewalls are really
> enhancements to ipchains, built on top of it. Can someone clarify.

iptables. IPChains was the old version used in 2.2 kernels.
As firewalling is built into the kernel itself, the only things out there
tend to be scripts used to configure the firewall.
 
> Assuming there are other software firewalls, there are three major
> properties I am looking for (these are the aspects of ZoneAlarm that
> I really think are necessary):
>
> 1) Dynamic control of ports.
> By this I mean that I want to be able to open or close a port
> without having to reboot or restart a daemon. By example, let
> us say that firefox is trying to access
> http://www.somedomain.com:7999, but fails. I check the firewall
> logs and see that the firewall blocked the request because port 7999
> is not open to firefox.

Ports tend to be open for outgoing on Linux, blocked for incoming.
Occasionally, they'll be blocked for outgoing, but usually only by employers
to stop their workers wasting time on IRC or online games.

After all, why would you block an outgoing port? If you want to access a
port on someone else's computer from your machine, why would the machine
decide "no, you can't do that"?

(In the Windows world of viruses and spyware, it might be a necessity, but
not in Linux.)

> 2) Control of both incoming and outgoing packets.
> Some firewalls only prevent incoming packets from coming in,
> presumably to prevent someone from breaking into your computer.
> But these days, a lot of the time when your computer has been subverted,
> it is used to break into other computers.
>
> 3) Application specific control.
> I don't simply want to say "open port 80". I want to say "open port 80
> for firefox, but not for ssh or ftp".

Linux doesn't do application firewalling... yet.
Don't know if it ever will.

-- 
-----------------------------------------------------------------------------
|   spike1@freenet.co.uk   |   Windows95 (noun): 32 bit extensions and a    |
|                          | graphical shell for a 16 bit patch to an 8 bit |
|Andrew Halliwell BSc(hons)| operating system originally  coded for a 4 bit |
|            in            |microprocessor, written by a 2 bit company, that|
|     Computer Science     |        can't stand 1 bit of competition.       |
-----------------------------------------------------------------------------
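The kind of script the reply has in mind, as an added example that is not part of the original post or its author's code: a base iptables policy with incoming blocked by default and outgoing open, plus two functions that close and re-open a single outgoing port at run time with nothing rebooted or restarted, logging each blocked attempt so it shows up in syslog the way the questioner describes. The ssh rule on port 22 and the example port 7999 (taken from the question) are assumptions. The script prints the commands it would run unless FW_APPLY=1 is set, so it can be read and tested without root.

```shell
#!/bin/sh
# Added example, not from the original post. Minimal iptables policy of the
# kind the reply describes (incoming dropped by default, outgoing accepted),
# plus run-time open/close of one outgoing port with no daemon restart.
# Dry-run by default: IPT is 'echo iptables' so the commands are printed,
# not executed. Run as root with FW_APPLY=1 to load the rules for real.

IPT=${IPT:-echo iptables}
if [ "${FW_APPLY:-0}" = 1 ]; then
    IPT=iptables
fi

# Base policy: what a boot-time firewall script would load.
fw_base() {
    $IPT -F INPUT
    $IPT -F OUTPUT
    $IPT -P INPUT DROP          # incoming blocked unless a rule allows it
    $IPT -P OUTPUT ACCEPT       # outgoing open, as the reply says is usual
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT        # ssh in (assumption)
    # Log what the default policy drops, rate-limited so syslog is not flooded.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "
}

# Block one outgoing TCP port right now. '-I OUTPUT 1' puts the rules at the
# top of the chain, so they take effect on the next packet; the LOG rule goes
# in second so it ends up above the REJECT and every attempt is recorded.
fw_block_out() {
    port=$1
    $IPT -I OUTPUT 1 -p tcp --dport "$port" -j REJECT --reject-with tcp-reset
    $IPT -I OUTPUT 1 -p tcp --dport "$port" -m limit --limit 5/min \
        -j LOG --log-prefix "FW-OUT-BLOCK:$port: "
}

# Re-open the port: '-D' deletes the first rule matching the full
# specification, so both rules inserted above are removed, again with
# nothing restarted.
fw_unblock_out() {
    port=$1
    $IPT -D OUTPUT -p tcp --dport "$port" -m limit --limit 5/min \
        -j LOG --log-prefix "FW-OUT-BLOCK:$port: "
    $IPT -D OUTPUT -p tcp --dport "$port" -j REJECT --reject-with tcp-reset
}

# Helper for checking the dry-run output: number of rules fw_block_out emits
# for a port (2 when both the LOG and the REJECT rule are there).
fw_block_rule_count() {
    fw_block_out "$1" | grep -c -- "--dport $1 "
}

fw_base
fw_block_out 7999       # the port from the question
fw_unblock_out 7999
```

Run as root with `FW_APPLY=1 sh fw.sh`; `iptables -L OUTPUT -n --line-numbers` shows the rules come and go without any process being restarted, and the blocked attempts appear in the kernel log (`dmesg` or syslog) under the `FW-OUT-BLOCK:7999:` prefix. Note that the closest iptables gets to the questioner's third requirement is the `owner` match (`-m owner --uid-owner`), which keys on the UID of the process that owns the local socket, not on which executable it is, so it is per-user rather than per-application control.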

