Re: filtering access to internet via programs - HOW?

From: Colin McKinnon (colin.deletethis_at_andthis.mms3.com)
Date: 08/22/05

  • Next message: Rich Piotrowski: "Re: how to restrict user from running some downloaded prgm?"
    Date: Mon, 22 Aug 2005 12:28:42 +0100
    
    

    MR wrote:

    > I'm new to Linux as I have just switched from XP and ZoneAlarm to SuSE 9.3
    <snip>
    > #iptables --list
    > I get the following as one of my lines:
    > target prot opt source destination
    > DROP all -- anywhere anywhere
    >
    > which should, as far as I understand, drop all connections coming from
    > anywhere and going to anywhere.

    Only if they have not been matched by a rule earlier in the chain.

    > So the question is, how the heck does the SuSE firewall manage to mess
    > with my iptables so that these seem to do nothing? And how do I change
    > that?
    >
    > For example, most of the time I would simply like two programs to be
    > allowed to access the internet: RealPlayer and Firefox. How could I
    > possibly create a settings environment where only these two are allowed
    > to access the outside, and on top of that, do so at only particular ports?

    On UNIX systems there is a clear separation between userspace and
    kernelspace, so the kind of learning model applied in Microsoft-based
    firewall tools is not really practical. Using a policy-driven model is
    often a better idea for security anyway.

    While it is possible to resolve which executable is making which connection,
    it is not really possible to make a policy out of this using iptables.

    Typically on a Linux/Unix machine, you decide which *services* to
    allow/deny.

    SuSEfirewall2 does allow a great deal of flexibility in configuring your
    firewall. I would never advocate that somebody who wasn't 100% sure of
    what they were doing tweak their iptables rules by hand. OTOH, if you prefer
    to use a learning system you might want to disable SuSEfirewall2 and use
    firestarter instead.

    HTH

    C.
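A concrete service-based OUTPUT policy of the kind the reply describes, added here as an example; it is not part of Colin's post, of the original question, or of SuSEfirewall2. It assumes the two programs only need DNS, HTTP/HTTPS and RTSP over TCP (the port numbers are assumptions, and RealPlayer will additionally need UDP data ports for many streams, which this policy does not open); the `IPT` variable, the function name and the dry-run default are my own choices. The ordering is the point: the ACCEPT rules for loopback, established traffic and the permitted ports sit before the final DROP, so the DROP only catches what nothing earlier in the chain matched.

```shell
#!/bin/sh
# Service-based outbound policy for a single desktop host (added example).
# Dry-run by default: IPT=echo prints the rules instead of loading them.
# Run as root with IPT=iptables to apply them for real.
IPT="${IPT:-echo}"

# Ports the browser is assumed to need: HTTP and HTTPS.
WEB_TCP_PORTS="80 443"
# RTSP control port assumed for RealPlayer (554/tcp); stream data over UDP
# is NOT covered by this policy.
RTSP_TCP_PORTS="554"

outbound_policy() {
    # Start from an empty OUTPUT chain so stale rules cannot shadow the new ones.
    $IPT -F OUTPUT
    # Chain policy: anything that falls off the end of the chain is dropped.
    $IPT -P OUTPUT DROP

    # Loopback first: local resolvers, X11 and similar talk to 127.0.0.1.
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Replies belonging to connections already allowed. This must come
    # before the DROP at the end, otherwise the DROP wins.
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # DNS: without it neither program can resolve a hostname.
    $IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

    # New outbound TCP connections only to the permitted service ports.
    for p in $WEB_TCP_PORTS $RTSP_TCP_PORTS; do
        $IPT -A OUTPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done

    # Log (rate-limited) and then drop everything that reached the end.
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DROP: "
    $IPT -A OUTPUT -j DROP
}

outbound_policy
```

Run it as root with `IPT=iptables` to load the rules; the default prints them so the order can be checked first with `iptables -L OUTPUT -n -v --line-numbers` in mind. Nothing here ties a rule to an executable, which is exactly the limitation the reply describes: any program on the host that opens a TCP connection to port 80 is allowed through, not just Firefox.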

