2-way firewall for linux.

Discussion in 'all things UNIX' started by The Red Moon, Nov 26, 2015.

  1. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,871
    Currently I use gufw for Linux Mint and this is a one-way firewall. I know it can be configured to run 2-way if I were to put in the time and effort.
    Are there any Linux firewalls which can provide similar functionality to, say, Comodo or Outpost on Windows?

    Thanks.
     
  2. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    That's "mandatory access control" on Linux. I would suggest trying AppArmor - it's easy to configure, and much finer grained than most Windows security suites.

    Edit: also, please note that a bidirectional iptables firewall is basically security through obscurity.
     
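As an added example (not code from the thread, the AppArmor project or any product named above), here is a sh script that builds and loads the kind of per-program AppArmor profile this reply is pointing at as the Linux answer to a per-application outbound block: the confined program keeps its file access, but `deny network,` stops it opening any socket at all, regardless of port or destination. The default program path /usr/bin/example is an assumption for illustration; pass any binary path instead. The script prints the profile by default and only writes and loads it when run as root with `--install`.

```shell
#!/bin/sh
# Added example, not from the thread: generate an AppArmor profile that
# confines one program and denies it all network access.

gen_profile() {
    prog=$1
    cat <<EOF
#include <tunables/global>

$prog {
  #include <abstractions/base>

  # the program may map and execute its own binary
  $prog mr,

  # no sockets of any family, type or protocol: an outbound (and inbound)
  # block enforced per program rather than per port
  deny network,
}
EOF
}

# AppArmor naming convention: /usr/bin/foo -> /etc/apparmor.d/usr.bin.foo
profile_path() {
    printf '/etc/apparmor.d/%s\n' "$(printf '%s' "${1#/}" | tr '/' '.')"
}

install_profile() {
    prog=$1
    [ "$(id -u)" -eq 0 ] || { echo "install_profile: must run as root" >&2; return 1; }
    command -v apparmor_parser >/dev/null 2>&1 || { echo "apparmor_parser not found" >&2; return 1; }
    dest=$(profile_path "$prog")
    gen_profile "$prog" > "$dest"
    # -r replaces an already loaded profile of the same name; enforce is the default mode
    apparmor_parser -r "$dest"
}

# Default program path is a hypothetical placeholder for this example.
case "${1:-}" in
    --install) install_profile "${2:-/usr/bin/example}" ;;
    *)         gen_profile "${1:-/usr/bin/example}" ;;
esac
```

Check the result with `aa-status` (the program should be listed under enforce mode) and by running the program: a connect() from it fails with EACCES and the kernel logs an `apparmor="DENIED" operation="create"` audit line. A process that escapes to root can still unload the profile, the same caveat NGRhodes raises for iptables below.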
  3. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    Not sure what you mean by this?
     
  4. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    A reverse shell can be served up on any port. It could even use a common protocol on a common port - HTTP on port 80 maybe, or HTTPS on 443, or SSH on 22.

    Blocking reverse shells this way is doable, and probably applies for a lot of in-the-wild attacks. But if someone is actually bent on breaking into your network, they'll put up a better effort, and probably use ports that you allow (and protocols, if you use a proxy). Likewise, if everyone actually bothered to whitelist outbound destination ports, you'd see most malicious reverse shell and/or C&C communications on ports that weren't blocked.

    ... All IMO anyway. And there is "defense in depth" value in blocking weird ports. Even so, it's not something I'd put too much trust in.

    Edit: that said, you've got more experience than I with Linux systems programming and administration; so I'm interested in hearing your take on this.
     
  5. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    iptables allows more complex rules than just ports; you can define rules by source/destination ports, IP addresses and users (and probably more), which means unless you are rooted you can really lock down what connects in and out and to what. If you are rooted, then it's game over as the firewall can be taken down.
    If you enable stateful inspection you can block all inbound connections too.
     
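As an added example (not code from the thread or from gufw/ufw), here is a sh script that generates the kind of iptables egress policy this post describes: stateful, default-deny in both directions, with new outbound connections allowed only for one local user, only to chosen destination ports, and DNS only to one resolver address. The uid 1000, the resolver address 192.0.2.53 and the port list 22/80/443 are assumptions for illustration. It prints the rules by default and only applies them when run as root with `--apply`.

```shell
#!/bin/sh
# Added example, not from the thread: a bidirectional iptables ruleset
# selecting on connection state, destination port, destination address
# and local user (-m owner, which only matches locally generated packets,
# so it is used on the OUTPUT chain only).

# Constructed inputs for the example (assumptions, adjust to your host).
DESKTOP_UID=1000            # the interactive user allowed to reach the network
DNS_SERVER=192.0.2.53       # documentation address standing in for your resolver

# gen_rules prints one iptables invocation per line; apply_rules executes them.
gen_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
iptables -A OUTPUT -p udp -d $DNS_SERVER --dport 53 -m owner --uid-owner $DESKTOP_UID -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner $DESKTOP_UID -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -m owner --uid-owner $DESKTOP_UID -j ACCEPT
iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-drop: "
EOF
}
# Anything not accepted above falls through to the OUTPUT DROP policy after
# being logged. No inbound connection is ever NEW-accepted, so the host only
# answers connections it started. Other uids (system daemons, root running
# package updates) get nothing until they are given their own OUTPUT rules.
# Note the limit the thread discusses: a process running as uid 1000 can still
# talk to any address on 80, 443 or 22, so this filters ports, not intent.

apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found" >&2; return 1; }
    tmp=$(mktemp) || return 1
    gen_rules > "$tmp"
    sh -e "$tmp"; rc=$?     # stop at the first rule iptables rejects
    rm -f "$tmp"
    return $rc
}

case "${1:-}" in
    --apply) apply_rules ;;
    *)       gen_rules ;;
esac
```

After applying, `iptables -L OUTPUT -v -n` shows the counters per rule, and `dmesg | grep egress-drop:` shows which uid and destination port each blocked attempt used, which is the quickest way to find a daemon you forgot to allow. The rules do not survive a reboot on their own; persist them with your distribution's iptables-save mechanism.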
  6. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    Source ports -> I don't think that would really be relevant, except maybe for web servers where the connections are all on privileged ports. (Nothing wrong with forcing the www-data user to only accept connections on port 80, and not try to initiate any new ones, for instance.)

    Destination ports -> That's what I'm talking about above. Some script kiddie might be using reverse shells on weird high ports, but someone who knows they're up against a firewall will probably use likely holes in the whitelist - port 80, 443, etc. Or so I'd imagine.

    IP addresses -> blacklisting is not an effective long-term strategy IMO. Whitelisting is doable for office environments, but not for most desktop users. (Been there, tried that, doesn't work.)

    Users -> Okay, you can lock down outbound connections from your limited account; but what good does that do if the attacker's reverse shell is on port 80, on some dynamic Amazon cloud IP in a trusted range?

    Stateful inspection -> Well yeah, you don't want people starting connections to a desktop from outside. Not allowing new inbound connections is the default UFW behavior, when UFW is actually enabled anyway.

    My point is, a bidirectional firewall on a desktop is basically a stopgap measure. It literally works by making your setup obscure to an attacker. That's not to say it's useless, I just don't think too much trust should be put in such things.

    Edit: to be clear, when I say "bidirectional iptables firewall" above, I mean "configuration for iptables that involves bidirectional connection blocking." As distinct from e.g. the normal UFW stateful setup, which allows all outbound connections initiated by the host.
     