ArchLUG Kwiki - www.archlug.org

FirewallKwikis


Here are some helpful kwikis for running or using Linux with or as a firewall.

Be sure to also check the ArchLUG Kwiki page for kwikis that may be specific to your distribution of Linux.


Shorewall

Nuff said. http://www.shorewall.net/

This is an excellent firewall, with some of the best documentation around as to how your firewall actually works. It does not force you to learn the arcane options and black arts of the iptables and/or the deprecated ipchains commands. It is installed like a service, in /etc/init.d. It features dynamic blacklisting, and can be integrated into your Intrusion Detection System (IDS) to thwart attacks in progress. It can be configured for traffic shaping and IPsec use dynamically as well, for WiFi and secure VPN "road warrior" use.

It is simply an abstraction of the kernel's iptables firewall abilities into a small set of text files that describe how you want your firewall to work. Shorewall parses those files and runs the appropriate iptables commands, freeing you to concentrate on your policies, rules, and functions instead of syntax, arcane options, and manuals. Shorewall itself is not a daemon: once the rules have been loaded the kernel does the filtering and Shorewall exits.

Steven Pritchard's genfw

For something a little different from what the distributions ship, you might want to try Steve's genfw script. It works by asking you some questions and then generating a custom script with all the complicated iptables commands already written for you. Another benefit is that the result is effectively 'hardcoded' for your system, so it does not have to parse any configuration files when you run the resulting script.

FireStarter

This project is shaping up to be a nice user-friendly personal firewall with a usable GUI. It is similar to the BlackICE and ZoneAlarm personal firewalls for Windows users. It is now included in the Debian, Fedora, and RedHat distributions, and is part of the default install for Xandros (which is Debian-based).

The FireStarter homepage is at http://firestarter.sourceforge.net/

Blocklists

There is an excellent client-side JavaScript application to convert IP lists in various formats into IP lists in other formats over at BlueTack.

http://bluetack.co.uk/convert.html

Some of the input list formats:

  • ARIN raw whois results
  • BearShare hostiles.txt
  • BlackICE Defender firewall.ini
  • BlockPost plugin for OutPost v1
  • BlockPost plugin for OutPost v2
  • Bob's Block List (BBL) Format
  • Cisco IOS Firewall ACL
  • DShield.org block list
  • eDonkey (eMule, cDonkey)
  • Flowpoint Routers
  • Gnucleus GnuBlocked.net
  • Morpheus blacklist
  • PeerGuardian plain text
  • Plain IP ranges
  • Shareaza xml security digest
  • Shoreline Firewall
  • Sygate Advanced Rules
  • TrustyFiles
  • ZoneAlarm v4 xml

Some of the output list formats (All of the above plus):

  • Azureus Bittorrent Client
  • CIDR Notation (Shorewall)
  • CIDR Notation with #comments
  • Cisco Access Control List (ACL)
  • Cisco IOS Firewall Deny List
  • ipfw for *BSD/OSX
  • iptables bash script
  • Kerio Personal Firewall v2
  • Kerio Personal Firewall v4
  • Kerio WinRoute Firewall v5.1.x
  • PeerGuardian IPDB SQL Dump
  • Phex/ MacPhex
  • Plain IP ranges - Comma Separated
  • Smoothwall Express 2.0
  • Snort IDS
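The conversion the BlueTack page performs in the browser is easy to reproduce locally for the formats that matter on a Linux firewall. The script below is an added example for this page (it is not BlueTack's converter and not code from the original page): it reads 'Plain IP ranges' and PeerGuardian-style `description:start-end` lines plus bare CIDR, summarizes each range into the minimal set of CIDR blocks with the standard-library ipaddress module, collapses duplicates and overlaps, and emits Shorewall/CIDR-with-comments lines, an iptables bash script, and Apache Deny lines. The sample list is constructed; apart from the nameprotect.com /26 discussed further down this page it uses RFC 5737 documentation addresses.

```python
"""Convert a mixed-format IP blocklist into CIDR-based firewall rules.
Added example for this page; it is not BlueTack's converter.  Uses only
the Python standard library (ipaddress, re)."""
import ipaddress
import re

# Constructed sample list (not a real blocklist).  It mixes the
# 'Plain IP ranges' format, PeerGuardian-style 'description:start-end'
# lines, a bare CIDR, a comment, and deliberate overlaps/duplicates.
SAMPLE_LIST = """\
# constructed sample, not a real blocklist
12.148.209.192-12.148.209.255
NameProtect crawler:12.148.209.192-12.148.209.255
Example scanner:198.51.100.0-198.51.100.255
198.51.100.0/25
Odd range:203.0.113.10-203.0.113.20
"""

RANGE_RE = re.compile(
    r"^(?:(?P<desc>[^:#]*):)?\s*"
    r"(?P<start>\d{1,3}(?:\.\d{1,3}){3})\s*-\s*"
    r"(?P<end>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_ranges(text):
    """Yield (description, IPv4Network) for every entry.  A start-end
    range that is not CIDR-aligned is split into the minimal set of
    networks covering exactly that range (never a wider block)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        m = RANGE_RE.match(line)
        if m:
            start = ipaddress.IPv4Address(m.group("start"))
            end = ipaddress.IPv4Address(m.group("end"))
            if end < start:
                raise ValueError("range end precedes start: " + line)
            desc = (m.group("desc") or "").strip()
            for net in ipaddress.summarize_address_range(start, end):
                yield desc, net
        else:
            # Otherwise expect '[description:]a.b.c.d/len' (or a bare host).
            desc, _, cidr = line.rpartition(":")
            yield desc.strip(), ipaddress.IPv4Network(cidr.strip(), strict=False)


def collapse(entries):
    """Merge duplicates and overlapping networks (the two /26 lines and the
    /25 inside the /24 above) and keep the first non-empty description that
    falls inside each surviving network."""
    entries = list(entries)
    nets = list(ipaddress.collapse_addresses(n for _, n in entries))
    desc = {}
    for d, n in entries:
        for c in nets:
            if d and c not in desc and n.subnet_of(c):
                desc[c] = d
                break
    return [(desc.get(c, ""), c) for c in nets]


def to_shorewall(entries):
    """'CIDR Notation (Shorewall)' with #comments: one network per line,
    suitable for /etc/shorewall/blacklist."""
    return [f"{n}\t# {d}" if d else str(n) for d, n in collapse(entries)]


def to_iptables_script(entries, chain="INPUT"):
    """'iptables bash script': DROP rules inserted at the head of the chain
    so they take precedence over any ACCEPT rule already present."""
    lines = ["#!/bin/sh", "set -e"]
    for d, n in collapse(entries):
        comment = f"  # {d}" if d else ""
        lines.append(f"/sbin/iptables -I {chain} -s {n} -j DROP{comment}")
    return lines


def to_apache_deny(entries):
    """Apache 2.2 mod_authz_host 'Deny from' lines for httpd.conf/.htaccess."""
    return [f"Deny from {n}" for _, n in collapse(entries)]


if __name__ == "__main__":
    entries = list(parse_ranges(SAMPLE_LIST))
    print("\n".join(to_shorewall(entries)))
    print("\n".join(to_iptables_script(entries)))
    print("\n".join(to_apache_deny(entries)))
```

The point of summarize_address_range is that a range such as 203.0.113.10-203.0.113.20 cannot be expressed as one CIDR block; a converter that rounds it up to 203.0.113.0/27 would block addresses the list never named, so the script emits four exact blocks instead. IPv6 ranges are deliberately out of scope here.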

Some Blocklists:


Blocking crawler918.com aka nameprotect.com

Google and WHOIS show that crawler918.com is in fact owned by nameprotect.com:

  • NameProtect offers a comprehensive suite of research, watching and online brand monitoring services that assist brand professionals, attorneys, and other Intellectual Property specialists in building, protecting and managing their brands in the digital world.

You can decide for yourself if you think this webtroll run by this company or its customer has a legitimate purpose sucking your bandwidth and archiving or reviewing any of your content. It's obviously automated, and for now, you still get to decide who is authorized to access your systems and who isn't.

What to do?

Deny all connections from any nameprotect.com IP address or their customers. It is a bit harsh, but a packet filter covers FTP, HTTPS, and every other port and service on the box, not just the web directories whose .htaccess files you remember to update.

The 'iptables' commands to do this are below. The rule belongs in the INPUT chain (and in FORWARD as well if the box routes for other hosts), because -s matches the packet's source address: a rule in OUTPUT would only match packets this host itself sends from that network, and so would never block the crawler. -I inserts the rule at the head of the chain so it wins over any ACCEPT rule already present.

# Denies 12.148.209.192/26 (nameprotect.com) access to this host
/sbin/iptables -I INPUT -s 12.148.209.192/26 -j DROP
# ...and to the hosts behind it, if this box is a router
/sbin/iptables -I FORWARD -s 12.148.209.192/26 -j DROP

On a RedHat system, you should also run 'service iptables save' after adding your new rules to retain them after a reboot.

Shorewall users can append the network to /etc/shorewall/blacklist (which only applies on interfaces that carry the blacklist option in /etc/shorewall/interfaces) or add it to the dynamic blacklist from the command line:

# Ban nameprotect.com
shorewall drop 12.148.209.192/26
# Make it permanent
shorewall save
# Display the current dynamic blacklisting rules
shorewall show dynamic

Alternatively, you can selectively apply access control within your Apache webserver configuration. Put either of the following into your Apache configuration (httpd.conf) or .htaccess files. These are the Apache 1.3/2.2 mod_access (mod_authz_host) directives; Apache 2.4 replaces them with the Require syntax of mod_authz_core unless mod_access_compat is loaded.

Deny from 12.148.209.192/26

Their User-Agent was 'NPBot-1/2.0', so add

SetEnvIfNoCase User-Agent "NPBot" evil=1
Deny from env=evil

See Also: http://www.advogato.org/article/610.html
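The network DROP and the User-Agent Deny above stop different things: the DROP catches anything from the /26 whatever it calls itself, and the env rule catches the bot even when it comes from an address you have not blocked yet. The script below, an added example for this page and not the page author's code, runs both tests over Apache combined-format log lines so you can see which control would have caught each request. The log lines are constructed, and the network and User-Agent string are the ones given above.

```python
"""Triage a web server log for the NameProtect crawler.  Added example for
this page (not the page author's code); standard library only."""
import ipaddress
import re
from collections import Counter

# Values taken from the page above.
BLOCKED_NET = ipaddress.IPv4Network("12.148.209.192/26")
BOT_UA = re.compile(r"NPBot", re.IGNORECASE)   # same test as SetEnvIfNoCase above

# Apache 'combined' log format.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not a real log.  12.148.209.130 is in the same
# /24 but outside the /26; 198.51.100.9 is outside the network but sends
# the bot's User-Agent.
SAMPLE_LOG = """\
12.148.209.200 - - [10/Oct/2004:13:55:36 -0500] "GET /robots.txt HTTP/1.0" 200 43 "-" "NPBot-1/2.0"
12.148.209.200 - - [10/Oct/2004:13:55:37 -0500] "GET /index.html HTTP/1.0" 200 2326 "-" "NPBot-1/2.0"
198.51.100.7 - - [10/Oct/2004:13:56:01 -0500] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux)"
198.51.100.9 - - [10/Oct/2004:13:57:12 -0500] "GET /archive/ HTTP/1.1" 200 4096 "-" "NPBot-1/2.0"
12.148.209.130 - - [10/Oct/2004:13:58:40 -0500] "GET /docs/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible)"
"""


def classify(line):
    """Return (client, user_agent, reasons) where reasons is the set of
    controls from this page that would have stopped the request: 'net' for
    the iptables/Shorewall DROP of the /26, 'ua' for the Apache env rule."""
    m = COMBINED_RE.match(line)
    if not m:
        raise ValueError("not a combined-format log line: " + line)
    reasons = set()
    try:
        if ipaddress.ip_address(m.group("ip")) in BLOCKED_NET:
            reasons.add("net")
    except ValueError:
        pass  # HostnameLookups On logs a name here; only the UA test applies
    if BOT_UA.search(m.group("ua")):
        reasons.add("ua")
    return m.group("ip"), m.group("ua"), reasons


def triage(log_text):
    """Count requests per (client, user-agent, reason) over a whole log."""
    hits = Counter()
    for line in log_text.splitlines():
        if line.strip():
            ip, ua, reasons = classify(line)
            for r in reasons:
                hits[(ip, ua, r)] += 1
    return hits


def coverage(log_text):
    """Which clients each control catches.  The network DROP and the
    User-Agent Deny overlap but neither subsumes the other, which is why
    both are applied."""
    net_hits, ua_hits = set(), set()
    for line in log_text.splitlines():
        if line.strip():
            ip, _, reasons = classify(line)
            if "net" in reasons:
                net_hits.add(ip)
            if "ua" in reasons:
                ua_hits.add(ip)
    return {"net_only": net_hits - ua_hits,
            "ua_only": ua_hits - net_hits,
            "both": net_hits & ua_hits}


if __name__ == "__main__":
    for key, n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{n:4d}  {key}")
    print(coverage(SAMPLE_LOG))
```

On the sample, 198.51.100.9 shows up only under the User-Agent rule; if such clients appear in your own logs they are candidates for the blocklist, while a bot that changes its User-Agent string is still stopped by the network DROP.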


Scans from 216.162.106.3 aka proxyscanner.freenode.net

From the FreeNode FAQ at http://www.freenode.net/faq.shtml

Q: My firewall logs show that someone from your network is trying to crack my box. What's going on?

A: You're seeing our open proxy detector. Due to problems with clonebots, we've had to start checking for open proxies and similar software on the hosts of clients connecting to our network. We use BOPM for this. It's popular with a number of IRC networks, and it's very reliable. For more information, please see our policy page.


Limiting access per-user

See LimitingNetworkAccessByUser

Simple Security Scripts

