Networking Forums

Networking Forums > Computer Networking > Linux Networking > Firewall software.

Firewall software.

 
 
TLOlczyk
      09-29-2005, 12:02 AM
For the first time, I am going to have a Linux box on the web.
( Before I had a Windows box on the web, principally for work
reasons. I only kept one box on the web; the idea being that
if anyone broke into it I would be limiting the damage to the one
computer. ) I have completed the base installation and am now
preparing to go on. Before I connect the computer to the web,
there is one thing I feel I must do. Install a firewall.

Now the first thing, I want to clarify what I mean by firewall, since
it seems that the way the term is used in the Windows world and
the networking world in general is different. I mean a piece of
software that examines packets as they are being sent to and from
the TCP/IP stack, and either blocks the packet or lets it through,
depending on certain criteria. I will call this a "software firewall".

From what I've seen there appears to be only one true software
firewall for Linux: ipchains. All other software firewalls are really
enhancements to ipchains, built on top of it. Can someone clarify.

Assuming there are other software firewalls, there are three major
properties I am looking for (these are the aspects of ZoneAlarm that
I really think are necessary):

1) Dynamic control of ports.
By this I mean that I want to be able to open or close a port
without having to reboot or restart a daemon. For example, let
us say that firefox is trying to access
http://www.somedomain.com:7999, but fails. I check the firewall
logs and see that the firewall blocked the request because port 7999
is not open to firefox. I then "send a message" to the firewall saying
open port 7999. Then I retry getting the page. This time the firewall
lets the request through.

2) Control of both incoming and outgoing packets.
Some firewalls only prevent incoming packets from coming in,
presumably to prevent someone from breaking into your computer.
But these days a lot of the time when your computer has been subverted,
it is used to break into other computers.

3) Application specific control.
I don't simply want to say "open port 80". I want to say "open port 80
for firefox, but not for ssh or ftp".

Suggestions?

Thanks


The reply-to email address is (E-Mail Removed).
This is an address I ignore.
To reply via email, remove 2002 and change yahoo to
interaccess,

**
Thaddeus L. Olczyk, PhD

There is a difference between
*thinking* you know something,
and *knowing* you know something.
 
Llanzlan Klazmon
      09-29-2005, 01:09 AM
TLOlczyk <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

<SNIP>

> From what I've seen there appears to be only one true software
> firewall for Linux: ipchains. All other software firewalls are really
> enhancements to ipchains, built on top of it. Can someone clarify.


Not ipchains, iptables. Actually iptables is just the program that lets you
configure the actual firewall which is Netfilter.

http://www.netfilter.org/

>
> Assuming there are other software firewalls, there are three major
> properties I am looking for (these are the aspects of ZoneAlarm that
> I really think are necessary):
>
> 1) Dynamic control of ports.
> By this I mean that I want to be able to open or close a port
> without having to reboot or restart a daemon. For example, let
> us say that firefox is trying to access
> http://www.somedomain.com:7999, but fails. I check the firewall
> logs and see that the firewall blocked the request because port 7999
> is not open to firefox. I then "send a message" to the firewall saying
> open port 7999. Then I retry getting the page. This time the firewall
> lets the request through.


You can add or delete rules on the fly using iptables.


> 2) Control of both incoming and outgoing packets.
> Some firewalls only prevent incoming packets from coming in,
> presumably to prevent someone from breaking into your computer.
> But these days a lot of the time when your computer has been subverted,
> it is used to break into other computers.


Netfilter was based on the old ipchains concept. There are three built in
filtering chains provided by netfilter. The chain called INPUT is invoked
for any packet which has a destination ip address that matches a local
address on the firewall itself. Similarly the OUTPUT chain is invoked for
any packet sourced from the firewall. The third filtering chain is called
FORWARD and is invoked by any packets passing through the firewall. The
FORWARD chain is only used when your firewall is acting as a router/gateway
for other devices. The rules themselves can check which interface the
packet was received on or destined to. There are also a couple of other
chains that are used for doing address translation and packet mangling. You
can also create your own chains which you can invoke from the built in
chains.

>
> 3) Application specific control.
> I don't simply want to say "open port 80". I want to say "open port 80
> for firefox, but not for ssh or ftp".


Netfilter does not do this, i.e. as it stands, it doesn't care which actual
program tries to open a connection to a particular port. It is only looking
at the packets.

Klazmon.



>
> Suggestions?
>
> Thanks
>
>
> The reply-to email address is (E-Mail Removed).
> This is an address I ignore.
> To reply via email, remove 2002 and change yahoo to
> interaccess,
>
> **
> Thaddeus L. Olczyk, PhD
>
> There is a difference between
> *thinking* you know something,
> and *knowing* you know something.
>


 
Jeffrey Goldberg
      09-29-2005, 01:16 AM
TLOlczyk wrote:

> For the first time, I am going to have a Linux box on the web [...]


Sorry to be pedantic, but it is probably better to call it the Internet,
or 'net instead of the web.

> Before I connect the computer to the web,
> there is one thing I feel I must do. Install a firewall.


Most modern Linux systems come with firewall installed with reasonable
defaults (but you always should check the settings yourself).

> Now the first thing, I want to clarify what I mean by firewall, since
> it seems that the way the term is used in the Windows world and
> the networking world in general is different. I mean a piece of
> software that examines packets as they are being sent to and from
> the TCP/IP stack, and either blocks the packet or lets it through,
> depending on certain criteria. I will call this a "software firewall".


Fine. Another term you will hear is "host based firewall". That is,
where the firewall is running on the machine it is supposed to be
protecting, instead of a "network firewall" which runs on some router or
bridge or something that selectively lets packets through it. In a
sense, they are all software if you count firmware as software.

> From what I've seen there appears to be only one true software
> firewall for Linux: ipchains.


iptables. ipchains has been largely replaced by iptables. iptables
does everything that ipchains does and more.

> All other software firewalls are really
> enhancements to ipchains, built on top of it. Can someone clarify.


That's about right. Most of the software is about managing iptables for
you.

> 1) Dynamic control of ports.
> By this I mean that I want to be able to open or close a port
> without having to reboot or restart a daemon.


Yes, with iptables (and also ipchains, even its predecessor ipfw) you can
modify the tables (chains, rules) on the fly.

> 2) Control of both incoming and outgoing packets.


Yes, iptables (and predecessors) do this.

I don't know how the individual firewall management packages do this.
But the capability is there and so the full featured packages will help
manage this.

> 3) Application specific control.
> I don't simply want to say "open port 80". I want to say "open port 80
> for firefox, but not for ssh or ftp".


Not to my knowledge. Does ZoneAlarm really do that? If so, how?

-j
 
Rick Moen
      09-29-2005, 01:43 AM
[Distribution snipped in followups.]

In comp.os.linux.setup TLOlczyk <(E-Mail Removed)> wrote:

(You're deploying a Linux box for the first time, and want IP/port filtering.)

> Now the first thing, I want to clarify what I mean by firewall, since
> it seems that the way the term is used in the Windows world and
> the networking world in general is different.


Indeed.

> From what I've seen there appears to be only one true software
> firewall for Linux: ipchains.


As others have said, that's the old one, now somewhat obsolete. The
current implementation is iptables / netfilter: packet filtering at the
IP/port level, IP & port translation (NAT, implemented as "IP
Masquerading" -- which isn't useful in your context), and "other packet
mangling".

> 1) Dynamic control of ports.
> By this I mean that I want to be able to open or close a port
> without haviing to reboot or restart a daemon.


No sweat.

> 2) Control of both incoming and outgoing packets.


Ditto.

> 3) Application specific control.


And this one generally isn't done. When I encountered this during my
infrequent forays into the MS-Windows world, it was originally really
confusing, until I got my mind around the concept. I'd speculate that,
maybe, the reason it's not really part of the security smorgasbord on
Unix is that (1) the Unix world prefers to have clean abstraction layers
between levels of software. Having specific hooks from the application
to transport layers would be messy. (2) There isn't a history of rogue
applications that need to be corralled. (3) The Unix world tends to look
upon network services that don't have well-defined, fixed port
assignments (and that aren't thus easily controlled by port number) with
suspicion. E.g., NIS and NFS both rest on the Sun-invented RPC
portmapper, _but_ they're widely regarded as a security nightmare and to
be avoided where possible. That's in marked contrast to the NT/W2K/XP
system model, which uses RPC-based services with wild abandon, which in
turn has been its downfall in numerous "worm" outbreaks.

(4) Relevant to that point, if a port used by application A should be
blocked, then why shouldn't it be likewise blocked if addressed by
similar application B? The assumption behind that question, of course,
is that ports that have security ramifications will have standard
identity assignments, and that the convention that TCP/UDP ports under
1024 will be privileged. Those assumptions hold on (uncompromised) Unix
systems, but not on MS-Windows ones.

If I'm completely off-base or am missing something important, I hope
and trust that others will step in to address the matter.

--
Cheers,
Rick Moen Support your local medical examiner: Die strangely.
(E-Mail Removed)
 
Nemo Marii
      09-29-2005, 04:51 AM
On Thu, 29 Sep 2005 00:02:12 +0000, TLOlczyk wrote:

> For the first time, I am going to have a Linux box on the web. ( Before I
> had a Windows box on the web, principally for work reasons. I only kept one
> box on the web; the idea being that if anyone broke into it I would be
> limiting the damage to the one computer. ) I have completed the base
> installation and am now preparing to go on. Before I connect the computer
> to the web, there is one thing I feel I must do. Install a firewall.
> SNIP
> Thaddeus L. Olczyk, PhD
>
> There is a difference between
> *thinking* you know something,
> and *knowing* you know something.


As others have said, iptables is what you will need to use. Since you did
not specify which distribution you're planning to deploy, I won't
guarantee that the following is appropriate, but have a look at Bastille
Linux (google is your friend!). Not a distribution, but it is a set of
hardening scripts which will rapidly help you accomplish what you want to
do, such as denying inbound requests, and limiting protocols to certain
ports using iptables, as well as tightening up overall system security.

--
Many come here seeking wisdom, finding only themselves and disappointment.
A precious few find only themselves. This, my brother, is wisdom.

Nemomarii
 
Llanzlan Klazmon
      09-29-2005, 05:07 AM
Jeffrey Goldberg <(E-Mail Removed)> wrote in news:11jmg45rdt2frd6
@news.supernews.com:

> TLOlczyk wrote:
>
>> For the first time, I am going to have a Linux box on the web [...]

>
> Sorry to be pedantic, but it is probably better to call it the Internet,
> or 'net instead of the web.
>
>> Before I connect the computer to the web,
>> there is one thing I feel I must do. Install a firewall.

>
> Most modern Linux systems come with firewall installed with reasonable
> defaults (but you always should check the settings yourself).
>
>> Now the first thing, I want to clarify what I mean by firewall, since
>> it seems that the way the term is used in the Windows world and
>> the networking world in general is different. I mean a piece of
>> software that examines packets as they are being sent to and from
>> the TCP/IP stack, and either blocks the packet or lets it through,
>> depending on certain criteria. I will call this a "software firewall".

>
> Fine. Another term you will hear is "host based firewall". That is,
> where the firewall is running on the machine it is supposed to be
> protecting, instead of a "network firewall" which runs on some router or
> bridge or something that selectively lets packets through it. In a
> sense, they are all software if you count firmware as software.
>
>> From what I've seen there appears to be only one true software
>> firewall for Linux: ipchains.

>
> iptables. ipchains has been largely replaced by iptables. iptables
> does everything that ipchains does and more.
>
>> All other software firewalls are really
>> enhancements to ipchains, built on top of it. Can someone clarify.

>
> That's about right. Most of the software is about managing iptables for
> you.
>
>> 1) Dynamic control of ports.
>> By this I mean that I want to be able to open or close a port
>> without having to reboot or restart a daemon.

>
> Yes, with iptables (and also ipchains, even its predecessor ipfw) you can
> modify the tables (chains, rules) on the fly.
>
>> 2) Control of both incoming and outgoing packets.

>
> Yes, iptables (and predecessors) do this.
>
> I don't know how the individual firewall management packages do this.
> But the capability is there and so the full featured packages will help
> manage this.
>
>> 3) Application specific control.
>> I don't simply want to say "open port 80". I want to say "open port 80
>> for firefox, but not for ssh or ftp".

>
> Not to my knowledge. Does ZoneAlarm really do that? If so, how?
>


Yes. It has a hook in the Windows OS that gets invoked when any program
tries to open any sort of ip connection. Zonealarm prompts you to either
permit or deny. If you permit the connection it stores a checksum of the
binary and name of the program along with the protocol and port allowed.
This means it will only ask again if you install an updated version of the
program that you had previously ok'd or the program tries to open a
different port etc. Actually most of the Windows desktop firewalls do that
these days. Many of the worms/viruses make a point to shutdown Zonealarm or
any other such firewall they recognise to get around this.

Klazmon.





> -j
>
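
The per-program decision Klazmon describes above (a checksum of the binary plus the program name, protocol and port, asked again when the binary changes or a new port is used), as an added example that is not from the thread: POSIX shell functions over an assumed allowlist file format of one "path sha256 proto port" entry per line, paths without spaces. It shows only the decision logic; hooking it into a running program's connection attempts, as ZoneAlarm does, is a separate job.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumed allowlist format: one entry
# per line, "path sha256 proto port". Override ALLOWLIST to point elsewhere.
ALLOWLIST="${ALLOWLIST:-./fw-allowlist.txt}"

# Checksum of the program binary: the part that catches a replaced executable.
binary_hash() { sha256sum "$1" | cut -d' ' -f1; }

# decide <path> <proto> <port> prints one of:
#   allow   - same path, same checksum, same proto/port as a stored entry
#   changed - path and proto/port match but the binary's checksum differs
#             (an upgrade, or a program swapped out under the same name)
#   prompt  - nothing stored for this program/proto/port, so ask the user
decide() {
    path=$1; proto=$2; port=$3
    [ -f "$ALLOWLIST" ] || { echo prompt; return 0; }
    cur=$(binary_hash "$path")
    while read -r p h pr po; do
        [ "$p" = "$path" ] && [ "$pr" = "$proto" ] && [ "$po" = "$port" ] || continue
        if [ "$h" = "$cur" ]; then echo allow; else echo changed; fi
        return 0
    done < "$ALLOWLIST"
    echo prompt
}

# remember <path> <proto> <port>: store the user's "permit" so the same
# binary is not asked about again for that protocol and port.
remember() {
    printf '%s %s %s %s\n' "$1" "$(binary_hash "$1")" "$2" "$3" >> "$ALLOWLIST"
}
```

A "changed" answer is the interesting one for a defender: a binary whose checksum no longer matches what was permitted deserves a fresh look before the old permission is carried over.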


 
gilles
      09-29-2005, 02:55 PM
On Thu, 29 Sep 2005 13:09:48 +1200, Llanzlan Klazmon wrote:
>>
>> 3) Application specific control.
>> I don't simply want to say "open port 80". I want to say "open port 80
>> for firefox, but not for ssh or ftp".

>
> Netfilter does not do this, i.e. as it stands, it doesn't care which actual
> program tries to open a connection to a particular port. It is only looking
> at the packets.
>
> Klazmon.
>


Netfilter acts like a layer 3/4 firewall but it can be patched
with third party modules to do Layer 7 filtering ie. L7-filter (patch).

--
=Gilles=
 
Jørn Dahl-Stamnes
      09-29-2005, 04:11 PM
gilles wrote:

> On Thu, 29 Sep 2005 13:09:48 +1200, Llanzlan Klazmon wrote:
>>>
>>> 3) Application specific control.
>>> I don't simply want to say "open port 80". I want to say "open port 80
>>> for firefox, but not for ssh or ftp".

>>
>> Netfilter does not do this, i.e. as it stands, it doesn't care which
>> actual program tries to open a connection to a particular port. It is
>> only looking at the packets.
>>
>> Klazmon.
>>

>
> Netfilter acts like a layer 3/4 firewall but it can be patched
> with third party modules to do Layer 7 filtering ie. L7-filter (patch).


You need some kind of inspection module to look into the http traffic. If
the traffic is not http, the inspection module will reject this. I think
FireWall-1 has some kind of inspection module for http protocols.

--
Jørn Dahl-Stamnes
http://www.dahl-stamnes.net/dahls/
 
Llanzlan Klazmon
      09-30-2005, 12:28 AM
gilles <(E-Mail Removed)> wrote in
news(E-Mail Removed):

> On Thu, 29 Sep 2005 13:09:48 +1200, Llanzlan Klazmon wrote:
>>>
>>> 3) Application specific control.
>>> I don't simply want to say "open port 80". I want to say "open port 80
>>> for firefox, but not for ssh or ftp".

>>
>> Netfilter does not do this, i.e. as it stands, it doesn't care which
>> actual program tries to open a connection to a particular port. It is
>> only looking at the packets.
>>
>> Klazmon.
>>

>
> Netfilter acts like a layer 3/4 firewall but it can be patched
> with third party modules to do Layer 7 filtering ie. L7-filter (patch).
>


I was aware of that but can you recommend any such third-party modules that do
what the op wants?

Klazmon.




> --
> =Gilles=


 
Jeffrey Goldberg
      09-30-2005, 01:15 AM
Llanzlan Klazmon wrote:
> Jeffrey Goldberg <(E-Mail Removed)> wrote in news:11jmg45rdt2frd6
> @news.supernews.com:
>
>> TLOlczyk wrote:


>>> 3) Application specific control.
>>> I don't simply want to say "open port 80". I want to say "open port 80
>>> for firefox, but not for ssh or ftp".

>> Not to my knowledge. Does ZoneAlarm really do that? If so, how?


> Yes. [...] If you permit the connection it stores a checksum of the
> binary and name of the program along with the protocol and port allowed.


Interesting. Thanks for that. I suppose that working with the innards
of lsof, one could do the same thing on Linux.

Initially, I can imagine uses; I do like the idea of just enumerating
what is allowed. For the program name, you'd of course need the full
path, and this system, of course, would provide no protection if the
host gets rooted. But it's an interesting feature.

> Many of the worms/viruses make a point to shutdown Zonealarm or
> any other such firewall they recognise to get around this.


Of course. Once a system is rooted, no host based firewall is going to
protect it. But since Linux is much better at keeping user initiated
processes under user ownership, this could be a way of detecting and
limiting user targeted trojans. I don't know how many such trojans
there are, but I could see some value in this. Particularly in work
places where the desktop machines are configured by an administrator
with a security policy.

-j
 