Slashdot Mirror


The Sound of Your Firewall

upside writes "It had to be done. Once The Spinning Cube of Potential Doom gave us a 3D visualization of a firewall, someone was bound to ask themselves 'What does your firewall sound like?'."

8 of 232 comments

  1. Anthem / Midi? by CommanderData · · Score: 5, Interesting

    I really like these concepts for alternate ways to visualize large amounts of data. Reminds me of Douglas Adams's Dirk Gently books. There was a character who wrote a program called Anthem that would interpret a company's stock data and vital statistics and play a tune based on that data.

    Rather than using a .wav file, maybe this could be written to play a variety of MIDI tones to account for all kinds of activity on your network!

    --
    Urge to post... fading... fading... RISING!... fading... fading... gone.
  2. how about... by wwest4 · · Score: 4, Interesting

    modulating the pitch on the dropped/blocked port numbers? I bet it could sound like a windchime with the proper modulus.

    1. Re:how about... by digitalsushi · · Score: 4, Interesting

      Hrm. One of the things I let my server do for me is emulate a giant grandfather clock. Cron plays the wave files. People always ask me where the clock is, but it's just coming out the stereo.

      If I set it up to do quarter hour chimes, that would be a rather interesting way to announce network meta-data: The louder the volume, the more stuff going on that I probably don't want. I could make it two dimensional by using sound and pitch, and I wouldn't even have to do any fancy math stuff I don't know. I could just make 8 different pitches and gradiate using that.

      --
      slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
  3. I did that. by digitalsushi · · Score: 5, Interesting

    I've been doing exactly this same thing for a while. I found that it got extremely obnoxious, so I dumbed mine down to just play a wave file whenever I get pinged by someone pinging me from a command line ping. I don't know why the length is different than the crap pings that come in every 8 or 9 seconds, but with this swatch definition below, it seems to trigger only when I am pinged by hand.

    So, put this in your swatch file that watches your firewall log:

    watchfor /firewall-ping.*LEN=84/
    exec "/usr/local/site/bin/ping-wave.sh ping.wav"

    That script just locks the darned thing so it doesn't pop and crack if I get pinged twice:

    ping-wave.sh:
    #!/bin/sh
    # Play the named wave file unless another playback already holds the lock.
    if grep -q OPEN /etc/pingwatch.lock
    then
        : > /etc/pingwatch.lock                        # take the lock
        /usr/bin/play "/usr/local/site/etc/sounds/$1"
        echo OPEN > /etc/pingwatch.lock                # release the lock
    fi

    And here's a link to my ping wave for you to use:

    ping.wav

    I also used the naturalvoices website to make a nerdy computer lady announcing new entries in my arp table. You can grab that wave file too if you want. Here's the script I have for that:

    put this in your /etc/crontab or whatever:

    0-59 * * * * root /usr/local/site/bin/arp-watch

    and then make the above command contain this:

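    #!/bin/bash
    # Announce any hardware address in the ARP cache not yet listed in /etc/arptable.
    for each in $(arp -n | grep -v "Address" | grep -v "eth0" | awk '{print $3}')
    do
        # -F: match the address as a literal string, not as a regex
        if ! grep -qF -- "$each" /etc/arptable
        then
            /usr/bin/play /usr/local/site/etc/sounds/new.arp.entry.wav && echo "$each" >> /etc/arptable
        fi
    done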

    If anyone can improve upon my bash, please, I have no ego. :D

    --
    slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
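An added example, not part of the post above: the same ARP-watch idea with whole-line matching against the known list, validation of the address column (incomplete entries shift the columns in `arp -n` output), and an atomic `mkdir` lock in place of the grep-then-write lock file. The function names, the `.lock` path and the sample `arp -n` output are constructed for illustration.

```shell
#!/bin/sh
# Added example; sample data, lock path and function names are constructed.

# new_macs KNOWN_FILE: read `arp -n` output on stdin, print MACs not yet known.
new_macs() {
    nm_known=$1
    # "(incomplete)" rows have no HWtype column, so field 3 is not always a
    # MAC: keep "ether" rows only and validate the address before using it.
    awk '$2 == "ether" { print $3 }' | tr 'A-F' 'a-f' |
    grep -E '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' | sort -u |
    while read -r nm_mac; do
        # -x whole line, -F literal string, -i ignore case: no partial matches
        grep -qixF -- "$nm_mac" "$nm_known" 2>/dev/null || echo "$nm_mac"
    done
}

# with_lock LOCKDIR CMD...: run CMD unless another run holds the lock.
# mkdir either creates the directory or fails, atomically, so two runs
# cannot both pass the check the way they can with grep-then-write.
with_lock() {
    wl_dir=$1; shift
    mkdir "$wl_dir" 2>/dev/null || return 1
    wl_rc=0
    "$@" || wl_rc=$?
    rmdir "$wl_dir"
    return "$wl_rc"
}

# announce_new KNOWN_FILE CMD...: record new MACs, then run CMD once under lock.
announce_new() {
    an_known=$1; shift
    an_found=$(new_macs "$an_known")
    [ -n "$an_found" ] || return 0
    printf '%s\n' "$an_found" >> "$an_known"
    with_lock "$an_known.lock" "$@"
}

# Constructed sample of `arp -n` output (net-tools column layout).
sample_arp() {
    cat <<'EOF'
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:11:22:33:44:55   C                     eth1
192.168.1.50                     (incomplete)                              eth1
192.168.1.77             ether   DE:AD:BE:EF:00:01   C                     eth1
EOF
}
# Cron usage: arp -n | announce_new /etc/arptable /usr/bin/play /usr/local/site/etc/sounds/new.arp.entry.wav
```

Unlike the script in the post, this version records the address before playing the sound, so a failed playback does not re-announce the same host every minute.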
    1. Re:I did that. by AndroidCat · · Score: 5, Interesting

      I was curious about all the Sasser mutants and such trying to hit my port 445, so I whipped up a program to open the port and see if they were trying to say anything. (Boring, they want my end to say something first.) I used the text-to-speech to have it say "Poink!" when it opened the port and "Splat!" when it closed. When a few hit at the same time, it's "Poink! Poink! Poink! Splat! Splat! Splat!". Almost as entertaining as having a few beers out back listening to the bug-zapper. (It would be better if my end sent a buffer-overflow to crash attempted attacks, but too much work.)

      --
      One line blog. I hear that they're called Twitters now.
  4. IDS by Aliencow · · Score: 4, Interesting

    I'd rather have a silent firewall... I'm not the kind of person who likes having a big warning every time some script kiddy scans my port 31337 or pings me... hell ZoneAlarm will warn you if there's a DHCP server on your network... and people who don't know better think that OMG IT'S A HAX!!!!!!11111111...

    Maybe it could be nice on an IDS system though..

  5. It sounds like popcorn popping. by Saint Aardvark · · Score: 4, Interesting

    You know when you've got popcorn going and it gets to that crazy insane stage when things just go nuts? That's my firewall these days.

    I send firewall logs to DShield.org, and you should too. The firewall is set to only log 100 denied packets at a time, so lazy bastard that I am I set a cronjob to reset the counters every hour. That was a few months ago.

    Last week I happened to be looking at the logfiles, and I noticed something: an hour was no longer enough. The counter hits 100 within 10 or 15 minutes. I can watch the hits come in, and it's all Windows crap: Port 445. Port 137. Port 139. Port 1026. That's it. Nothing interesting -- you know, no stealthy scans by l33t cr5X0rZ, no probing for open relays, nothing.

    Two thoughts before I go:

    First, this makes for excellent demonstration material. A coworker mentioned that he was considering moving from Windows to Linux because he was tired of all the viruses and worms. I showed him what tail -f on my firewall logs looked like, pointed out that it was all Windows junk, and he was convinced. Gave him a Knoppix CD and made another notch on my belt. :-)

    Second, I'm lucky: my ISP has not started firewalling ports yet. A friend's ISP just started, and now his web and mail server, which I'm doing DNS for, are no longer available from outside -- they've started blocking those along with 445, 137, 139, and so on. Sadly, it looks like the ISP has no provision for lifting this if you can prove you're l33t enough, so it looks like he's screwed.

    Honestly, though, I'm not surprised. Yeah, it sucks that the Internet is no longer open -- but it sucks that the Internet is no longer friendly, too, and the one is a consequence of the other. As much as I bitch about Windows and Microsoft, I don't think they're entirely to blame...you get that many people joining something, and you're going to have enough asshats to ruin it pretty quickly.

  6. Totally useless by Rayder · · Score: 4, Interesting

    What you need to hear is not the DROPed packets, but the ACCEPTed ones.

    If you make a different sound for every port/address/whatever packet you receive it becomes easy to recognize when the traffic is abnormal.
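
An added example, not code from any commenter: it combines the pitch-by-modulus idea from comment 2 with the per-port sound for accepted traffic from comment 6, mapping each destination port in netfilter-style log lines to a fixed note so that an unfamiliar port produces an unfamiliar pitch. The log prefixes `fw-accept` and `fw-drop`, the two-octave pentatonic scale and the sample lines are constructed assumptions.

```shell
#!/bin/sh
# Added example; log lines, prefixes and the scale are constructed assumptions.

# port_tones PREFIX: read netfilter LOG lines on stdin, keep those carrying
# PREFIX, print "port hits freq_hz" per destination port, busiest first.
# The note is chosen by port modulus, so a port always sounds the same;
# ports that share a remainder share a note (inherent to the modulus idea).
port_tones() {
    grep -F -- "$1" | awk '
    BEGIN { n = split("0 2 4 7 9 12 14 16 19 21", semis, " ") }  # semitones above A4
    {
        port = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^DPT=[0-9]+$/) port = substr($i, 5)
        if (port != "") hits[port]++          # lines without DPT (ICMP) are skipped
    }
    END {
        for (p in hits) {
            k = semis[(p % n) + 1]
            printf "%d %d %.1f\n", p, hits[p], 440 * exp(log(2) * k / 12)
        }
    }' | sort -k2,2nr -k1,1n
}

# Constructed, abbreviated sample of a firewall log.
sample_log() {
    cat <<'EOF'
Jun  1 12:00:01 gw kernel: fw-accept IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=51514 DPT=443
Jun  1 12:00:02 gw kernel: fw-drop IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 LEN=48 PROTO=TCP SPT=4021 DPT=445
Jun  1 12:00:02 gw kernel: fw-accept IN=eth0 OUT= SRC=198.51.100.8 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=40112 DPT=22
Jun  1 12:00:03 gw kernel: fw-drop IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 LEN=48 PROTO=TCP SPT=4022 DPT=445
Jun  1 12:00:04 gw kernel: fw-accept IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=51520 DPT=443
Jun  1 12:00:05 gw kernel: fw-drop IN=eth0 OUT= SRC=203.0.113.30 DST=192.0.2.1 LEN=78 PROTO=UDP SPT=137 DPT=137
Jun  1 12:00:06 gw kernel: fw-drop IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0
EOF
}

# Accepted traffic only, as comment 6 suggests:
sample_log | port_tones fw-accept
# Each output line can drive a tone generator; with SoX installed (assumption),
# `play -n synth 0.2 sine FREQ` would sound one note per line.
```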