Domain: linux-firewall-tools.com
Stories and comments across the archive that link to linux-firewall-tools.com.
Comments · 18
-
The author's response to just the question you asked can be found here on his web site.
Question: Is the Firewall Design Program for sale, or is the source code available?
Firestarter might be useful to you though. Good Luck.
No to both questions. -
Re:All prevention no response...
Well that's your choice, I guess. Personally, I don't want to deal with recovery unless a natural disaster hits. I try to focus my efforts on avoiding getting compromised. It's not that difficult to set up a hardened server these days. We have nicely designed software like qmail, djbdns, vsftpd, etc. that was all designed with security in mind from the get-go (incidentally you'll notice that the software I listed has very small codebases, and that's no coincidence...). There are also nice kernel patches (frex: grsecurity.net) that make the would-be hacker's life very difficult. Unless your machines have nothing important on them, it's a shame if you don't use such a kernel patch (with properly configured least-privilege ACLs). A firewall is a good thing, but if you're depending on that for security, I think you're bound to keep getting hacked. There's a saying that goes something like "hackers love networks with a hard crunchy outside and a soft chewy inside", and that's how a lot of networks are set up even today... The firewall is good, but it should only be one of the layers of defense... just something to prevent IP spoofing and to make sure the packets that hit your apps are well-formed. I wouldn't rely on it for too much more than that. Well, you can use it to fuck with the scanners a bit too, like in this setup.
-
Bastille + books better
Bastille is a great tool, but it's no match for understanding what you're doing. It has really nice explanations of all the things it could do, but it doesn't actually show you how to do them. Also, it doesn't do well with non-recent installs, and if you end up installing software later that could have been modified by Bastille, it's too late to change the config.
If you want to do it right, you want to learn how to secure your machine yourself. That means not being scared by configuration files, and knowing how to use netstat on the command line to find the servers you're running, knowing what inetd or xinetd do, etc. Bastille won't teach you that.
(I'm not dissing Bastille - it does exactly what it is supposed to do, but it's not a teacher, it's a tool.)
The only Linux security books out there that are worth their salt are Hacking Linux Exposed, 2nd edition, followed by the Linux Firewalls, 2nd edition book. The former doesn't have enough space to cover firewalls in enough depth, while the latter fills that need perfectly.
If you want a lot of disjointed hacks, the recent O'Reilly Hacks books are good fun. I learned a lot from the Google Hacks book, for example. However, they are far from comprehensive (that's not their mandate), and this cookbook really should have been in the *Hacks line. Their Building Secure Servers with Linux book falls into the same hole: it was based on Linux Journal entries, and is not a comprehensive security book.
If you want to learn about linux security in a complete fashion, HLE and LF are the only contenders.
(I'd also vote for the Linux Security newsletter which was mentioned below by an AC. Very good. Of course, it falls into the small-tidbits-of-wisdom camp, rather than being a complete solution/education, but that's what you expect from a mailing list.)
-
Re:How does it stack up against...
I don't think any one book is a good way to get an overall picture of security. Just like you need defense in depth, you need investigation/learning in depth.
This second edition does a super job of updating the original, and it's about time. For Unix security people I'd suggest you also read Hacking Linux Exposed, because it has very in-depth coverage of everything from a Linux standpoint. (Unix really, but they focus on Linux for their answers about how you fix things. Pathnames may differ for other Unix systems, like BSD.)
O'Reilly's BIF is good, but I'd suggest a Linux-specific firewall book too, like Linux Firewalls, Second Edition.
For those people not familiar with Hacker's Challenge (1st and 2nd editions), it's a book chock full of real-world (presumably sanitized) cracking examples where they tell you what happened, give you copies of log data, and you try to figure out what happened. Very good book.
I'd also like to note that Hacker's Challenge (and Hacking Linux Exposed, for that matter) are not Foundstone books. Hacker's Challenge's lead author is Mike Schiffman, director of security at @stake, which is definitely not Foundstone. Foundstone is doing poorly, going so far as to patent port scanning.
-
Ripped from my bookmarks: other distros
Some other fits-onna-floppy distros; many of these are security-focused, firewall-appliance type efforts. Disclaimer: this list is of stuff I want to check out when I get the time. I've no idea how good or bad they are, beyond Theo's famous comment about entrusting the most important piece of one's network to the most unreliable piece of hardware in modern computers (approximately). Some of them may actually NOT be floppy distros, I need to clean up these bookmarks... jesus where did the time go... *sigh*
- http://www.superant.com/smalllinux/
- http://ibiblio.org/vectorlinux/
- http://www.zelow.no/floppyfw/
- http://www.xandros.net/
- http://www.gentoo.org/
- Smoothwall
- http://www.ipcop.org/
- http://www.mandrakesoft.com/products/snf
- http://www.freesco.org/
- http://www.coyotelinux.com/
- http://leaf.sourceforge.net/
- http://www.gnatbox.com/Pages/gblight.html
(this one's based on BSD IIRC) - http://www.bbiagent.com/
- http://www.clarkconnect.org/
- http://www.linux-firewall-tools.com/
-
Re:Homebuilt Hardware Firewall
And here is some information on doing the same thing with Linux. With modern linux distributions, the installation is a snap, too!
-
network firewall issues
Anyone know specifically what ipchains rules are necessary to play this? I constructed my firewall from Rob Ziegler's site. With this firewall and IP masquerading I can't play RTCW over the net unless I bring the firewall down first.
I suspect it might be linked to the fact that RTCW seems to request both the server port (which is normal) and a specific client port (which is rare), i.e. port 27960 on both client and server. This might be interfering with IP masquerading. I'm not sure. Anyone get it going?
-
Re:AT&T Block blocking port 80 due to Code Red
Just move your services to different ports
-
well...
Sharky's Home LAN Guide
Gamecenter's "Build a Home LAN"
"Configuring an Internet Firewall and Home LAN With Linux"
The CNET home LAN guide (if you're not a /. reader)
The Home LAN Project
The do-it-yourself under 50 bucks home LAN guide
whew. um... anyone got something that ain't covered already? -
Re:Is security a linux problem?
For a nice ipchains firewall setup, go to linux-firewall-tools.com.
This site will generate a nicely working ipchains firewall script in a few minutes. -
Re:DHCP? Yes. Changing IP? No.
Sunrpc is remote procedure call, which is a VERY DANGEROUS service to leave open. It is used primarily for NFS (Network Failure^H^H^H^H^H^H^ile System) and NIS (Network Information System), which is basically the same as Windows file shares. Usually you don't have NFS mounts available by default, but on some systems you might. Yes, you should learn about ipchains. Here is a great site that will custom-build you a firewall on the fly. Firewall Forensics is also a great page to find out what port scans are looking for. Be careful: I see quite a few scans for RPC in my logs, and if you leave it open, you will be compromised sooner or later.
Enigma -
Amateurs . . .
OK, I'm sorry. I shouldn't talk down to people, but that "cloaking debian" article, while definitely helpful, smacked of an amateurish failure to fully comprehend how these things work. For starters he has you turn on IP forwarding w/o even mentioning what it's for and letting you decide if you really want it. (Tip: unless your Linux box is a router, you don't.)
There is a MUCH better free resource on the issue - http://www.linux-firewall-tools.com/linux/firewall/index.html
Run it. Read it. Study it. Compare it with the documentation. OK, just use it, but using it and working with it can help you get a far better grip on what's going on. The script it will generate for you is FAR better at keeping a lid on your network connection.
-
What ARIN doesn't tell you...
There's a fairly good discussion on why this new decision sucks, so we don't need to rehash that.
But, according to linux-firewall-tools.com, the following address spaces are reserved by the IANA;
# Refuse addresses defined as reserved by the IANA.
# Note: this list includes the loopback, multicast, & reserved addresses.
# 0.*.*.* - Can't be blocked for DHCP users.
# 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*
# 31.*.*.*, 36.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*
# 49-50.*.*.*, 58-60.*.*.*
# 67-127.*.*.*
# 169.254.*.* - Link Local Networks
# 192.0.2.* - TEST-NET
# 197.*.*.*, 217-255.*.*.*
Now, obviously the IANA can't release addresses like 192.x and 217-255, but why is 49/50 reserved?
What about 58-60?
There are a significant number of useable IP addresses the IANA is just sitting on, and I may be stupid, but I haven't heard of any good reasons for this; maybe someone can enlighten me.
Instead of trying to be fascists about IP addresses, the IANA/ARIN/APNIC/Big-Brother-of-the-Internet should just release the addresses it's sitting on, or get IPv6 out the door; I hate this kind of gestapo crap, where they have to make stupid decisions because of their lack of planning in the first place.
ARIN shouldn't care what I use my IP addresses for, as long as I'm using them...frankly, it's none of their god damn business.
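The reserved-range list quoted in the comment above is written in the generator's wildcard style (`1.*.*.*`, `49-50.*.*.*`, `192.0.2.*`), which is not the notation a firewall rule takes. As an added example, not code from the comment or from the linux-firewall-tools.com generator, the Python below parses that wildcard list, tests addresses against it, and expands each entry into the CIDR blocks an iptables or nftables rule would use. The list is copied from the comment exactly as it stands there and is historical: most of those blocks have since been allocated by IANA, so a filter built today must be fed a current bogon list instead.

```python
"""Parse wildcard-style reserved-address patterns into matchers and CIDR blocks.

Added example, not part of the original comment or the linux-firewall-tools.com
generator.  RESERVED_PATTERNS is constructed from the list quoted in the comment
above; it reflects the IANA allocations of that era, not today's.
"""
import ipaddress
from typing import List, Tuple

# Constructed from the comment text.  "0.*.*.*" is left out because the
# original list itself notes it cannot be blocked for DHCP users.
RESERVED_PATTERNS = [
    "1.*.*.*", "2.*.*.*", "5.*.*.*", "7.*.*.*", "23.*.*.*", "27.*.*.*",
    "31.*.*.*", "36.*.*.*", "37.*.*.*", "39.*.*.*", "41.*.*.*", "42.*.*.*",
    "49-50.*.*.*", "58-60.*.*.*",
    "67-127.*.*.*",
    "169.254.*.*",   # link-local
    "192.0.2.*",     # TEST-NET
    "197.*.*.*", "217-255.*.*.*",
]


def parse_pattern(pattern: str) -> List[Tuple[int, int]]:
    """Turn 'a-b.*.*.*' style text into per-octet (low, high) bounds.

    Once an octet is a range or wildcard, every following octet must be '*';
    otherwise the pattern would not describe one contiguous block and could
    not be turned into a clean CIDR list.
    """
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad pattern (need 4 octets): {pattern!r}")
    bounds: List[Tuple[int, int]] = []
    seen_variable = False
    for octet in octets:
        if octet == "*":
            lo, hi = 0, 255
        elif "-" in octet:
            lo_s, hi_s = octet.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(octet)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet out of range in {pattern!r}: {octet!r}")
        if seen_variable and (lo, hi) != (0, 255):
            raise ValueError(f"non-contiguous pattern: {pattern!r}")
        if (lo, hi) != (0, 255) and lo != hi:
            seen_variable = True          # a range: only '*' may follow
        elif (lo, hi) == (0, 255):
            seen_variable = True          # a wildcard: only '*' may follow
        bounds.append((lo, hi))
    return bounds


def matches(ip: str, pattern: str) -> bool:
    """True if the dotted-quad ip falls inside the wildcard pattern."""
    addr = ipaddress.IPv4Address(ip)      # rejects malformed input
    return all(lo <= octet <= hi
               for octet, (lo, hi) in zip(addr.packed, parse_pattern(pattern)))


def is_reserved(ip: str, patterns: List[str] = RESERVED_PATTERNS) -> bool:
    """True if ip is in any pattern of the (historical) reserved list."""
    return any(matches(ip, p) for p in patterns)


def pattern_to_networks(pattern: str) -> List[ipaddress.IPv4Network]:
    """Expand one pattern into the minimal list of CIDR blocks covering it."""
    bounds = parse_pattern(pattern)
    first = ipaddress.IPv4Address(".".join(str(lo) for lo, _ in bounds))
    last = ipaddress.IPv4Address(".".join(str(hi) for _, hi in bounds))
    return list(ipaddress.summarize_address_range(first, last))


def reserved_cidrs(patterns: List[str] = RESERVED_PATTERNS) -> List[str]:
    """All patterns as CIDR strings, ready to drop into a DROP rule."""
    return [str(n) for p in patterns for n in pattern_to_networks(p)]


if __name__ == "__main__":
    for sample in ("8.8.8.8", "100.64.0.1", "169.254.10.1", "192.0.2.55", "224.0.0.1"):
        print(f"{sample:>14}  reserved={is_reserved(sample)}")
    for cidr in reserved_cidrs():
        print(f"iptables -A INPUT -s {cidr} -j DROP")   # illustrative rule form
```

Running the script prints, for each pattern, the equivalent CIDR blocks; `49-50.*.*.*` becomes `49.0.0.0/8` and `50.0.0.0/8` because 49 is odd and cannot start a /7, which is one reason the wildcard notation hides how many rules a range actually costs.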
-
Re:My experiences
Visit the Linux firewall tools website and use the firewall design tool to generate a nice set of ipchain rules for your system. I used the generated rules as the basis for my rule set on my K6-300 dual NIC'd gateway/firewall box for my cable modem.
http://www.linux-firewall-tools.com
P.S. Make sure you understand exactly what the generated rule set is doing before you start using it since it may not be setup exactly like you want. It's nice not to have to type all of that stuff in by hand but it's good to know how to tweak the rule set so it works properly for your setup.
-
Linux Security
Take a look at http://www.linux-firewall-tools.com/linux
-
Firewall Info
Here's some Firewall info I've referred to many times.
Check out the Trinity OS Paper. It gives some excellent advice on securing your Linux system. This paper also comes with various IPCHAINS rule-sets you can use. Don't try to print it out though. It's at least 1,400 pages long and growing.
This Firewall Site allows you to configure an excellent firewall Script just by answering some simple questions. I know of many people who have used this site to configure their firewalls.
-
ipchains is the answer
Just set up some tough rules for ipchains. Check out the following web site. It sets up a pretty good firewall which can be made to suit your needs.
-
Re:Learning "Good" system administration?
Linux Firewall Tools is a nice resource for those starting out in the security game, and is highly recommended for all those who are 'rolling their own' Linux Cable/DSL router/firewall.