Slashdot Mirror

An anonymous reader writes "NFTables is queued up for merging into the Linux 3.13 kernel. NFTables is a four-year-old project by the creators of Netfilter to write a new packet filtering / firewall engine for the Linux kernel to deprecate iptables (though it now offers an iptables compatibility layer too). NFTables promises to be more powerful, simpler, reduce code complication, improve error reporting, and provide more efficient handling of packet filter rules. The code was merged into net-next for the Linux 3.13 kernel. Iptables will still be present until NFTables is finished, but it is possible to try it out now. LWN also has a writeup on NFTables."

David Martinjak writes "Linux Firewalls, authored by Michael Rash and published by No Starch Press, covers five main topics: traditional packet filtering with iptables, port scan detection, snort rule translation, port knocking, and log visualization. At first I considered only skimming the chapters regarding iptables packet filtering. I have a good amount of experience with iptables, and have been running it for several years. Thankfully I decided to give the first chapter a good read. Right from the start, the book presented valuable information and pulled me in." Read on for the rest of David's review. Linux Firewalls author Michael Rash pages 336 publisher No Starch Press rating 9 reviewer David Martinjak ISBN 1-59327-141-7 summary Linux Firewalls discusses the technical details of the iptables firewall and the Netfilter framework that are built into the Linux kernel. The chapters about iptables packet filtering are crucial for any reader new to networking or firewall administration. Experienced users might pick up a tip or two, as well. Linux Firewalls contained a wealth of knowledge about packet structure in addition to a solid explanation of iptables usage. I was rather impressed by the variety of information presented in the early chapters. The book of course detailed the syntax and logistics of iptables, but also provided detailed examples of attacks at the network, transport, and application layers.

Packet filtering was followed by port scan detection. When I first started using GNU/Linux, one application in my toolbox was PortSentry. PortSentry was designed to counter-act port scans, and minimized the amount of information that could be discovered from a scan. I lost track of PortSentry for some reason, but was glad to have almost re-discovered it in a new form. PSAD is the Port Scan Attack Detector and was developed by the book's author, Michael Rash, along with contributions from the open source community.

PSAD was created as a lightweight network intrusion detection component. The book explained how PSAD can quickly react to port scans by analyzing iptables log entries; and effectively reduce the surface area exposed to the attacker. The differences between PSAD and PortSentry were also enumerated, which showed several advantages for using PSAD.

Linux Firewalls did a fantastic job of detailing how to install and configure PSAD. This seems to be par for the course with No Starch Press as each book I have read from them was meticulous with regards to installation and configuration specifics. Additionally, the topics of installing and configuring the book's other two main applications, fwsnort and fwknop, were also properly addressed.

I don't want to give away too much of the material in Linux Firewalls; so I will just say that the chapters on fwsnort, fwknop, and log visualization were all on par with the earlier sections of the book. The information did not let up at any point — there were useful examples and details throughout each chapter. Additionally, there was a good amount of consistency with regard to how the chapters progressed, and the type of information that was presented along the way. All together, Linux Firewalls was an impressive read.

There were no real disappointments with this book. The reading did get a bit tedious at times with regard to configuration specifics, but it was only due to the depth of helpful explanation. Had I been working with the applications while reading (instead of just reading), the content would have been much more relevant. In the end, however, the variety resulted in a rather impressive and enjoyable book. The coverage of psad, fwsnort, and fwknop were welcomed additions. Each of the central topics were thoroughly explained in an informative, yet engaging manner. Essentially, I did not want to stop reading.

The netfilter/iptables software is licensed under the GNU General Public License, and can be found at http://netfilter.org. The psad, fwsnort, and fwknop applications are licensed under the GNU General Public License Version 2, and can be downloaded from http://cipherdyne.org.

The publisher hosts a Web page which contains an online copy of the table of contents, portions of reviews, links to purchase the electronic and print versions of the book, and a sample chapter ("Chapter 10: Deploying fwsnort") in PDF format.

David Martinjak is a programmer, GNU/Linux addict, and the director of 2600 in Cincinnati, Ohio. He can be reached at david.martinjak@gmail.com.

You can purchase Linux Firewalls from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Yesterday's story about a creative approach to dealing with uninvited (and unwanted) users on a private wireless network -- by intercepting and modifying the images received downstream -- provoked some thoughtful comments on open wireless networks, and a storm of analogies about networks and property generally. Read on for some of the most interesting comments in the Backslash summary of the conversation.

Several readers offered comments on the methods of network interference suggested in the examples linked from the story, or offered other creative ways to impede network freeloaders. First, reader blantonl offers some insight into implementing the same image-flipping technique:

For those that are struggling to understand how the author of this article is accomplishing his approach, here is some further information.

The author obviously has a Linux server in his house, that is running DHCPD

To selectively send some clients to some locations, and others to the normal internet, he assigns an IP address on a different network to clients that don't have MAC Addresses that he knows about.

Forwarding on to sites of his choice is done by using IPTables, which is a utility that allows you to configure the packet filtering components of the Linux TCP/IP Stack. In this instance, the Linux box is just functioning as a firewall, and he is selectively sending requests from certain IP addresses to different hosts of his choosing.

Finally, the Up-side-down and blurry-image conversions is accomplished by sending page requests from those before-mentioned IP addresses to a proxy server, which in this case is Squid — and then allowing the proxy server to run a script which calls an ImageMagick command called mogrify which allows you to resize an image, blur, crop, despeckle, dither, draw on, flip, join, re-sample, and much more.

(Writing "I'm paranoid - I work in information security," reader hab136 points out some potential vulnerabilities in the system as described.)

As to the actual methods of annoyance, jpellino writes

Upside down is cute, but blurry is just too fantastic. You know they were on the horn to the vendor after punching every monitor control and several loud screaming matches and an expensive service call for a monitor that then worked just fine on the bench... As a webmaster I can now say April 1 just got very far away...

Reader Sloppy also admires the "blurry-net" approach ("That's subtle and I love it"), but suggests that image manipulation is only for starters

The next step is to spy on them and see what websites they visit, and then insert some fake content one day. For example, if they use it to read CNN, insert a casual story about a nuclear weapon getting used in the Middle-East or South Asia, or a story about the president of USA selecting a new vice-president due to the assassination last week ("What?! I didn't hear about that!"), or the CDC in Atlanta is investigating the recent rash of improbable claims about the dead returning to life to feast on the flesh of the living, etc. If they visit Slashdot, then the jig is probably up, but maybe it would be great to have a story where a security study found Windows98 to kick OpenBSD's ass and then a bunch of comments where everyone agrees that the findings pretty much match their own experience, along with complains about "how is this news for nerds?!"

And perhaps the ultimate in annoyance-as-warning, reader Midnight Thunder writes

I suppose you could also add a frame to every page and then sell advertising space. Since you probably know a bit about your neighbour it is much easier make targeted advertising. Of course you could always make the top frame read:

"This is borrowed bandwidth. Have you thought about getting your own connection."

Oh and make sure it is flashing. Actually you could make it so that the whole content flash.

Not all uninvited users are actually unwanted users, though, at least for some readers. Reader Elektroschock writes

Sorry, I am a supporter of open networks. I think the freifunk olsr-protocol approach of open wireless networks is best. We don't need internet providers and we don't need internet providers which leak our communication data to the governments and endanger the freedom of the net. The net should be a net and wireless technology is great for the creation of a real P2P internet.

I cannot support any action against people who use your network. It is against my understanding of hacker ethics. When you don't like it then close your network. But no childish games please.

I may even say that I find it unethical to exclude your neighbours from using your network but I respect your opinions. When your network is open it means: Be free to use it. Not: You can use it but I will fuck up or intercept your communication.

Similarly, trewornan writes

I chose to leave my wireless network open so that if someone nearby needed a connection it would be available for them. If someone was to impose an unreasonable load on the network I might do something about it but so far (12 months) I've had about half a dozen people connect and download relatively small amounts of data - my guess is they were checking email. Why would I object to that? No . . . why would *you* object to that? The way I see it it's a chance to do something nice for other people, why not get yourself some good karma.

Even without that sort of altruism, many readers feel that, as geekoid puts it,

[By]leaving it open he is inviting other people to connect.

Some computer says to the router "Hey, can I come in?" and the router says "Sure." Now, the moment you put something up, like needing a password, then you are no longer inviting people in.

• Computer says "Hey, can I come in" router says "Sure, if you know the password."
• Or you can encrypt it; Computer says "Hey, can I come in?" the router says "KE*jd7638JDEJE*834899(&^&#nd&#&bd*e#"

Not so fast, goes an argument exemplified in another comment from R2.0:

Yes, the computer is "asking" the router "permission," and the router is "granting permission" — the only problem is, the words we use to describe these actions may appear to be descriptive of thinking and volition, but they really mean neither. Computers and routers simply CANNOT give "permission" in any legal or moral sense.

To use the yard analogy that seems to be popular for these threads, lets supposed your neighbor's massively retarded child asks your massively retarded child for permission for his Daddy to use your yard, and your child agrees. Neighbor then comes over and stages a cookout on your lawn, or for that matter just walks across it.

When you confront him, he says "But my kid asked your kid, and he said yes." This is binding? Common sense and the law would say no, yet you would allow devices with an order of magnitude less analytical power than a retarded child to give and receive similar permissions.

Repeat after me folks: devices cannot give and receive permission for human actions without those permissions expressly being granted via some other means.

A traffic light doesn't give you permission to cross the street; the government (that you studied to get your license) gives you permission to cross the intersection when a light is green, and denies it when red.

Your ID badge doesn't ask permission to enter your building, and the security system doesn't grant permission; YOU ask for permission by presenting the badge, and your employer grants it by programming said system to accept your request.

Closer to the typical small-time network admin, perhaps, bennomatic writes

If I leave my bike outside unlocked for 10 minutes, am I giving explicit permission to anyone who sees it that they can take it? No. Am I allowing it to happen through negligence? Sure, but call it what it is; it's still stealing, or at least trespassing.

Even something as amorphous as bandwidth is a limited resource. To paraphrase the head of the commerce committee, an open wireless connection is not a dump truck you can just load up with as much as you like; it's a tube!

Various forms of the same disagreement surfaced in various corners of the discussion: squiggleslash, for instance, writes

[I]t makes sense that no implied permission is given by simply having your router be unsecured, given "unsecured" is the default configuration of most off-the-shelf routers.)

It really isn't an issue in practice. If you want to use someone else's network, all you have to do is ask them. With 802.11, you're close enough to be able to do so. There's no reason not to ask, other than knowing that "No" is likely to be the answer. And I think that's why people tell themselves the myth that somehow they have implied permission simply because the "door" was left unlocked.

The figurative "visibility" of an open wireless network also isn't enough to convince reader R2.0 that it's fair game for passers by. He writes:

So the router is "visible," with an option to make it invisible. Big deal. My garden is visible from the street, but I can put a tarp around it to obscure its existence. What you are saying is that, unless I put a tarp up around my garden, everyone has a right to use it.

Wireless networks may make themselves conspicuous, but that does not confer an invitation to use them. The connection between "visible" and "inviting" is not legally or morally valid. (I am excepting the concept of "attractive nuisance," but I don't think open routers will come under that area of liability)

Reader 4e617474 fired the next volley in this battle of analogies:

No, actually we're saying that if your garden pelts us with carrots and peas as we walk past on the public street, we're at liberty to catch them and consume them. Only if you place anti-vegetable-flight netting around your garden (or stop planting vegetables that lend themselves to comparison to an unsecured WAP) does it become incumbent upon us to behave as good citizens.

Hey! Analogies are fun! Somebody compare Internet privacy law to hunting and fishing licenses!

Readers like ShawnDoc make a case persuasive for discouraging bandwidth borrowing on the basis of enlightened self-interest.

If someone uses your connection for illegal activity (downloading Meet the Fockers, kiddie porn) it will be your IP address that the RIAA/MPAA/FBI will trace. Good luck convincing them it wasn't you. You might be able to do it, but it will take up time and money (lawyers) to clear your name. And in the case of kiddie porn or other criminal act, expect every computer, PDA, and cell phone in your home to be confiscated to be analyzed for incriminating data. The second problem is you are allowing strangers access to not only your Internet connection, but also your LAN. I have multiple computers and put files in shared folders so I can access them from different machines. I don't want some strange to have access to those files, or worse, have their computer be infected with a worm/virus that propagates across the network.

Thanks to all the readers whose comments informed this conversation, and in particular to those whose comments are quoted above.

michaelrash writes "I have just released a new version of fwknop that implements a single-packet authorization scheme using libpcap (similar to what Simple Nomad has proposed for the upcoming BlackHat Briefings). Fwknop has made Slashdot once before as the first tool that combines port knocking and passive OS fingerprinting. However, this new single-packet method has many advantages over port knocking, including non-replayable messages, much more data can be sent (including complete commands), an attacker cannot break sequences simply by connecting to spurious ports on the target, and more. By using Netfilter to intercept packets within the kernel, anyone scanning for a service protected by this method cannot even talk directly to the IP stack without being authorized; that makes even 0-day exploits largely toothless."

Harald Welte writes "The netfilter/iptables project has just been granted a preliminary injunction against a GPL infringing WLAN AP Vendor. The project is trying to fight against the increasing number of products sold in violation of the GPL. Following a number of out-of-court settlements, this is the first case where a company refused to sign a letter to cease and desist. So we took the logical next step and applied for a preliminary injunction. The court reviewed the case and confirmed that Sitecom is in fact in violation of the GPL license terms."

Harald Welte writes "The netfilter/iptables project has just been granted a preliminary injunction against a GPL infringing WLAN AP Vendor. The project is trying to fight against the increasing number of products sold in violation of the GPL. Following a number of out-of-court settlements, this is the first case where a company refused to sign a letter to cease and desist. So we took the logical next step and applied for a preliminary injunction. The court reviewed the case and confirmed that Sitecom is in fact in violation of the GPL license terms."

neomage86 asks: "I recently had to set up a router for a small company, only five users at any given time, and the needed VPN capabilities are built in. So, instead of using a Cisco or other embedded router, I decided to just install Linux and IPTables on an old 200 MHz PII I had lying around. It's been working fine, and I'm thinking about doing something like this for a much larger network (3000+ users). Does anyone have suggestions on how much I will have to beef up the hardware to provide IP Masquerading for about 1000 users on a T3; provide network-layer filtering of the transmission; and route between 4-5 internal subnets?"

Elektroschock writes "LWN has coverage of a GPL dispute settled in a constructive manner. Allnet GmbH, German manufacturer and distributor of networking equipment, including switches, routers, NICs and wireless adapters, infringed the GNU Public License of netfilter/iptables. As part of the settlement Allnet GmbH will donate money to tax-exempt not-for-profit organizations, i.e. FSF Europe and FFII. Both organisations lobby for better copyright and patent legislation in Europe."

An anonymous reader writes "There is a nice presentation on the L.A.S. Linux site entitled "Managing Data Center Functions with Open Source Tools" which was presented at Comdex 2003. It covers everything from IPtables to OpenNMS. As well as covering some less known but nice tools like NeDi, which lets you easily manage Cisco routers and swiches from a web browser."

Anonymous Coward writes "Michael Rash has written a howto for the Linux Journal on getting Linux to run on a Nokia IP 330. Now we can use a free firewall on a platform normally designed to run Check Point Firewall-1. In these troubling times where IT departments all across the landscape are trying to reduce costs, this will allow companies to say 'No' to expensive support contracts and upgrade costs and still maintain security without having to buy new hardware."