IPTables frontends

Discussion in 'all things UNIX' started by funkydude, May 24, 2012.

Thread Status:
Not open for further replies.
  1. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Are there any frontends around that resemble the Windows Firewall functionality? Mainly:

    Simple popup per program access request (not floods of them).
    Predefined rules for public (airport) or private (home) networks and asking you to choose said profile when a new connection is detected.

    I'm mainly looking for something that would be simple to use for a travelling laptop.
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    GUFW is the easiest one to use but it is not as simple as what Windows provides at all.

    edit: I don't know what distro you're using but (and you probably already know this) there isn't really too great a need to use a Firewall since there are no ports open by default.
     
  3. jitte

    jitte Registered Member

    Joined:
    May 2, 2012
    Posts:
    67
    Without a firewall you'll respond to ping.

    With one you don't appear to be there at all.

    Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-04-28 10:55 CDT
    NSE: Loaded 63 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating Ping Scan at 10:55
    Scanning 172.16.1.35 [8 ports]
    Completed Ping Scan at 10:55, 2.01s elapsed (1 total hosts)
    Nmap scan report for 172.16.1.35 [host down]
    NSE: Script Post-scanning.
    Read data files from: /usr/pbi/zenmap-i386/share/nmap
    Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
    Nmap done: 1 IP address (0 hosts up) scanned in 3.06 seconds
    Raw packets sent: 16 (640B) | Rcvd: 0 (0B)

    It's your machine, and whether or not you run a firewall is your business, but I wouldn't connect to the net without one in place.
     
  4. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Hmm, no, not necessarily. If he's behind a NAT router he will be "stealthed". Also, again, in many distros, there are no open ports. No open ports, no getting in really. And as far as outbound traffic, well, no malware to call home, no need really to control outbound traffic (unless you want strict control over even legit programs). If I remember correctly, he is behind a pretty hardened router, therefore a software firewall (which I'm assuming you're referring to), is rather pointless unless, again, you wish to control outbounds even with a clean system.
     
  5. Hungry Man

    There's a reason Ubuntu doesn't have one by default. Who cares if you respond to a ping? The whole "Stealth" vs "Closed" thing... last time I was in IRC one of the pentesters had a very funny rant about how idiotic it all is.

    That, and over 70% of users are behind routers.
     
  6. jitte

    Which is not the case with OP.

    The results from the nmap scan I posted were from the OpenBSD pf firewall.
     
  7. Hungry Man

    Can you explain why it matters whether a port is stealthed as opposed to closed?

    edit: And I know what both do. Closed rejects the packet and stealthed drops it. I don't see any significant difference in terms of security.
     
  8. jitte

    Who is the idiot and who is not is debatable, but I'm not going to engage in it further.

     
  9. Hungry Man

    Please feel free to explain why you think that dropping a packet is more secure than rejecting it. Is it actually going to make your system harder to hack?

    Really, do tell.
     
  10. Umm. Re "legit" programs, I think it's worth noting that Skype opens up a high port (something in the 50k range), and its functionality is not impaired by blocking that port. Not all (semi-)legitimate programs can be trusted not to do something stupid.
     
  11. dw426

    I think the whole stealth vs closed debate is about people scanning your ports not finding anything to scan instead of seeing the ports and being told "no" by the firewall. The general consensus was that if a hacker sees nothing, they won't keep trying. It really does not matter in terms of one being more secure than the other. If they can't get in, they can't get in. Plus there are far uglier things to worry about than someone using a port scanner on you (which basically happens constantly as long as you're connected to the net, you just don't see it unless you have your firewall configured to tell you about them).
     
  12. dw426

    Opening a port in that range isn't a big deal, plus it gets closed again when the program assigned to it is shut down. Skype picks a random port upon installation, and you can choose to only open ports 443 and 80. Also, you're probably blocking incoming TCP and not outgoing, as that would definitely cause issues. There are only a handful of "dangerous" ranges.
     
    Last edited: May 24, 2012
  13. Hungry Man

    When you consider that:
    1) Any listening service on a port will respond
    2) You can only stealth a closed port

    it starts to seem a bit silly to go through any trouble at all to do this. If the port is stealthed they won't see it and if the port is closed they can't really do a hell of a lot to it anyways. If there's a listening port they know you're there.

    A hacker typically is not going to break through a closed port; they're going to try to circumvent/get in through an open port or by hijacking a connection.

    I mean, sure, if all it takes is the push of a button go for it. But... it's really not providing a hell of a lot and while I'm not advocating to disable it (I run behind a router with all ports stealthed) I don't see there being a big difference.

    It's really a lot of hype about something that's only a bit better.

    But if anyone like jitte has some new information on the subject they can feel free to bring it to the table.
     
  14. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,122
    There is no such thing as stealth; if a host does not exist, the attacker will receive a "host unreachable" message. When in the so-called stealth, the attacker will receive nothing, which means that a firewall is dropping the packets.
    -http://www.hansenonline.net/Networking/stealth.html
     
  15. Hungry Man

    That's true as well. I've heard people talking about having one of the host unreachable messages sent back instead of no response.

    That would be interesting.

    But all of this goes against the default TCP/IP.

    edit: Anyways, like I said, it's really not worth any hassle whatsoever. I don't think it hurts for a home user (it does if you do some networking stuff... sometimes quite a lot) but I don't really see it saving anyone either.

    A closed port is not insecure. I think that this idea of "stealthed ports" makes people think otherwise.
     
  16. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Coming back to the OP: any directly relevant answers? From the little I've seen, I don't think there are simple (GUI) frontends for what OP wants. Correct?

    That they are not needed or may not be needed is also an answer, albeit indirectly, with the caveat that the device won't be used as a server. Is that correct?
     
  17. Mandriva/Mageia/PCLinuxOS has an interactive firewall GUI that will tell you when you're being scanned and such. You might be able to grab the source and install it on whatever you're running (assuming it can run without the weird Mandriva network manager).
     
  18. funkydude

    I don't think any of the answers were relevant (no offense) :p No it won't be used as a server but I was trying to emphasize that it needs to be able to run in an untrusted public environment with potentially hostile users, which is why I wanted a "public" mode, basically a setting I can have that lets my programs have internet access but keeps me protected on a completely untrusted network.

    Telling me when I'm being scanned is too much information, I'm not interested in such things. Just something that alerts me when a program wants internet access and alerts me to choose a predefined set of rules when a network is connected. I guess I could sacrifice the latter request if the firewall was permanently in a "public" state, which I guess most Linux firewalls might be?
     
  19. BrandiCandi

    BrandiCandi Guest

    Nope, I don't know of any that function like that. I would say that if you have strong outbound rules that only allow services you use and default deny incoming, then you would be good in a public or private place.

    If you had services such as Samba or any kind of server running on this machine, I would want to disable them when I was on a public wifi. Perhaps change those services to turn on manually instead of automatically at startup.
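
An added example, not part of any poster's reply: one way to write the default-deny-incoming, restricted-outbound policy suggested above as an `iptables-restore` ruleset, with a switch between dropping ("stealth") and rejecting ("closed") unsolicited packets as debated earlier in the thread. The function name `public_profile`, the DHCP and DNS allowances and the default outbound port list 80,443 are assumptions; iptables filters by port, not by program, so this does not reproduce per-program prompts.

```shell
#!/bin/sh
# Added example (not from the thread): print an iptables-restore ruleset for an
# untrusted network. Review it, then load with:
#   public_profile drop | sudo iptables-restore
# IPv4 only; IPv6 needs an equivalent ruleset loaded with ip6tables-restore.
# Usage: public_profile [drop|reject] [comma-separated outbound TCP ports]
public_profile() {
    mode=${1:-drop}
    tcp_out=${2:-80,443}   # assumed default: web browsing only
    case $mode in
        drop|reject) ;;
        *) echo "mode must be drop or reject" >&2; return 2 ;;
    esac
    # Only digits and commas may reach the ruleset text.
    case $tcp_out in
        *[!0-9,]*) echo "ports must be comma-separated numbers" >&2; return 2 ;;
    esac
    # Default-deny in every direction; allow loopback, replies to our own
    # connections, and DHCP answers so the lease can be renewed.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
EOF
    if [ "$mode" = reject ]; then
        # "Closed": answer unsolicited probes as a host with no listener would.
        echo "-A INPUT -p tcp -j REJECT --reject-with tcp-reset"
        echo "-A INPUT -j REJECT --reject-with icmp-port-unreachable"
    fi
    # "Stealth" needs no extra rule: the INPUT policy silently drops the rest.
    # Outbound: DHCP, DNS and the listed TCP ports only.
    cat <<EOF
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports $tcp_out -j ACCEPT
COMMIT
EOF
}
```

In either mode nothing unsolicited is accepted; the two modes differ only in whether a probe gets an answer.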
     
  20. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    vuurmuur is an iptables frontend. See here

    Haven't used it myself.
     
  21. funkydude

    Yeah, I saw that when I did a search before I posted. Unfortunately the flash videos don't make it look very simple at all and the 90's UI isn't the greatest :p
     
  22. funkydude

    So does nothing like that exist then?
     
  23. Hungry Man

    Nope. Like I said there isn't anything like that that I've ever heard of, and I've looked.
     