Securing your workstation with Firestarter (NewsForge)
[Posted January 4, 2005 by ris]
Here's a NewsForge review of Firestarter. "Firestarter is a GPL-licensed graphical firewall configuration program for iptables, the powerful firewall included in Linux kernels 2.4 and 2.6. Firestarter supports network address translation for sharing an Internet connection among multiple computers, and port forwarding for redirecting traffic to an internal workstation. Firestarter's clean and easy to use graphical user interface takes the time out of setting up a custom firewall."
graphical iptable interfaces - in general
Posted Jan 4, 2005 20:58 UTC (Tue) by ccyoung (guest, #16340)
although my servers are hardly extraordinary, nor am i an extraordinary security admin, i have yet to find a graphical iptable manager that comes close to setting up iptables.
imho there are three issues:
linux is not monolithic. if bind9 dns is added, 53 needs to be punched through the firewall (and when rh does it for me (when, how) then it only serves to confuse half-competent creatures as myself)
graphical tools that set iptables without a) explaining thoroughly the meaning and ramifications of the setting and b) showing the resultant code are, in my limited and bigoted experience, worse than useless.
since most servers are off-site, a graphical interface needs to be run on my computer connecting to the server via ssl (which it hopefully does not turn off)
on the other hand:
this tool seems to have some good, user friendly ideas about such things as monitoring ips and blackballing them - certainly a step beyond my standards. talent-wise these guys are eons beyond me.
graphical iptable interfaces - in general
Posted Jan 4, 2005 21:44 UTC (Tue) by huffd (guest, #10382)
You might try portsentry, it's pretty simple to setup and does automatic IP blocking of aggressive behavior.
graphical iptable interfaces - in general
Posted Jan 5, 2005 1:07 UTC (Wed) by dlpierson (subscriber, #5124)
I agree. You might look into fireHOL. It's a mini-language for simply and clearly defining iptables firewall rules.
graphical iptable interfaces - in general
Posted Jan 5, 2005 11:00 UTC (Wed) by job (subscriber, #670)
This sounds confused. RH can not punch holes in a firewall, luckily, unless you are talking about a "firewall" caused by Netfilter ACLs on the localhost. That serves no other purpose than making sure only root programs can listen to remote ports, which is useless security-wise for most installations. Normally a firewall is used on a dedicated machine, for the purpose of centrally managing what services a bunch of machines which you may or may not have control over can run. And you wouldn't want to install Bind on such a dedicated machine, that could completely jeopardize your security (especially since Bind has had holes before).
clarifications - and still most important point
Posted Jan 5, 2005 20:51 UTC (Wed) by ccyoung (guest, #16340)
i think you are coming from higher up the foodchain than myself.
not untypically, most of my linux servers are on racks in Somewhere, US, and are not behind a firewall - they must protect themselves, first with iptables. so the firewall is the same machine as DNS, http, &tc.
bind8 has had many problems; as of late bind9 seems pretty good. also, it seems almost all the security problems have come from one dns server syncing with another, something that, outside an enterprise, is seldom implemented.
old rh9, when enabling dns, would poke a hole through iptables. i don't remember if this was through the init script or through the "enable dns" gui. nonetheless the point is that service information is maintained independently for each service, and iptable info is maintained independently of those, so it's up to good sysadmin practice to marry the two requirements correctly - whereas if the system were monolithic then this would not be an issue.
i still maintain that security tools, such as a gui for iptables, should first present themselves as a learning aid - 1) this is what we want to know, 2) this is why, and 3) this is what will result, and also should write their rules to a scratch file, so that in the 95% possible situation the tool cannot be used as the sole configuration editor, at least second rate sysadmins such as myself can steal and profit from the wisdom of the tools' developers.
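As an added example (not from the NewsForge review, Firestarter, or any commenter), here is the kind of "show me the resulting rules" tool the comments above ask for: a POSIX shell function that turns the list of services a self-protecting server runs (DNS, HTTP, ...) into a default-deny iptables-restore ruleset and writes it to a scratch file for review rather than loading it. The service-to-port table is an assumption of the example.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset from a list of services
# and write it to a scratch file so the admin can read the resulting rules
# before loading them. The service-to-port table below is an assumption.

# service_ports NAME: print "proto port" lines for a service, return 1 if unknown.
service_ports() {
    case "$1" in
        dns)   printf 'udp 53\ntcp 53\n' ;;  # BIND needs TCP 53 as well as UDP
        http)  printf 'tcp 80\n' ;;
        https) printf 'tcp 443\n' ;;
        ssh)   printf 'tcp 22\n' ;;
        *)     printf 'unknown service: %s\n' "$1" >&2; return 1 ;;
    esac
}

# gen_rules OUTFILE SERVICE...: default-deny INPUT, allow loopback and
# established traffic, then one ACCEPT per listening port of each service.
# Nothing is loaded; review OUTFILE, then apply with: iptables-restore < OUTFILE
gen_rules() {
    out="$1"; shift
    # Validate every service first so a typo does not leave a half-written file.
    for svc in "$@"; do
        service_ports "$svc" >/dev/null || return 1
    done
    {
        echo '*filter'
        echo ':INPUT DROP [0:0]'
        echo ':FORWARD DROP [0:0]'
        echo ':OUTPUT ACCEPT [0:0]'
        echo '-A INPUT -i lo -j ACCEPT'
        echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
        for svc in "$@"; do
            echo "# $svc"
            service_ports "$svc" | while read -r proto port; do
                echo "-A INPUT -p $proto --dport $port -m state --state NEW -j ACCEPT"
            done
        done
        echo 'COMMIT'
    } > "$out"
}

# Example run: rules for a host that serves only DNS and HTTP.
# gen_rules /tmp/rules.scratch dns http && cat /tmp/rules.scratch
```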
Securing your workstation with Firestarter (NewsForge)
Posted Jan 5, 2005 9:06 UTC (Wed) by pointwood (guest, #2814)
For workstations/desktops, this looks like a pretty nice piece of software.