Page 2 of 2 FirstFirst 12
Results 11 to 19 of 19

Thread: NFTables IPTables-Replacement Queued For Linux 3.13

  1. #11
    Join Date
    Dec 2012
    Posts
    459

    Default

    Quote Originally Posted by Pallidus View Post
    Rexillion, in windows or os x where you have a million services and system components dialing home, yes whitelisting can be problematic and difficult but in linux distros it wouldn't be.
    I beg to differ. What about renaming devices? How are updates handled? Using the argument that another OS has implies Linux needs it too is just having it because others have it too. That is not a sound argument if you ask me.

    Besides, on Windows it fails if you only look at the .exe files. svchost.exe will load just anything that has .dll in it's name keeping svchost.exe itself legit.

    Quote Originally Posted by Pallidus View Post
    At least you would have a chance, let's say a legit service gets compromised, to see who it was dialing too.
    Netfilter has logging capabilities. Furthermore, there is Selinux, PAX and all the other 'Security Subsystems' in the linux kernel dealing with that.

    Quote Originally Posted by Pallidus View Post
    I maintain that little snitch is one of the best firewalls I've seen and it allows you to define rules like app x can only dial to ip y via port z once
    Why not make sure that the service does not get compromised in the first place? No need for tedious maintaining of rulesets that have the tendency to change on each update (furthermore, these rulesets have proven to be ineffective (i.e. almost every piece of malware uses port 80 or 443). If a service get's compromised you already lost.

    I get your idea, I did this myself in Windows XP once. It was hell. Stuff just randomly broke.

  2. #12

    Default

    Quote Originally Posted by Rexilion View Post
    I just really hope I won't have to rewrite my rules, I spend ages on the current ones .
    From http://netfilter.org/projects/nftables/ :
    backward compatibility iptables/ip6tables user-space utility at:
    http://git.netfilter.org/iptables-nftables/

  3. #13
    Join Date
    Dec 2012
    Posts
    459

    Default

    Quote Originally Posted by oibaf View Post
    Should have been more specific. I know about the backward compatibility. BUT, what I really ment was: Hopefully will simply replacing the old rules with the new syntax yield the same behaviour. I.e. no subtle changes that could imply a radical change.

    My firewall is kind of 'complicated' (yes, I like reading docs).

    The backward thing is kind off nice at best, but I would probably not be able to resist to rewrite once I get my hands on this. Fortunately, I'm stuck with 3.10 for the nvidia blob since nouveau causes my card to deadlock at really random moments.

  4. #14
    Join Date
    Oct 2011
    Posts
    42

    Default

    Quote Originally Posted by tesfabpel View Post
    Will finally be possible with nftables to block certain programs to send or receive from the net (optionally filtered by the port too)?
    :P
    IPTABLES(8) iptables 1.4.4 IPTABLES(8)

    NAME
    iptables - administration tool for IPv4 packet filtering and NAT

    [ ....................... ]

    owner
    This module attempts to match various characteristics of the packet creator, for locally generated packets. This match is only valid in the OUTPUT and POSTROUTING chains. Forwarded
    packets do not have any socket associated with them. Packets from kernel threads do have a socket, but usually no owner.

    [!] --uid-owner username

    [!] --uid-owner userid[-userid]
    Matches if the packet socket's file structure (if it has one) is owned by the given user. You may also specify a numerical UID, or an UID range.

    [!] --gid-owner groupname

    [!] --gid-owner groupid[-groupid]
    Matches if the packet socket's file structure is owned by the given group. You may also specify a numerical GID, or a GID range.

    [!] --socket-exists
    Matches if the packet is associated with a socket.

  5. #15
    Join Date
    Dec 2012
    Posts
    459

    Default

    Quote Originally Posted by dibal View Post
    IPTABLES(8) iptables 1.4.4 IPTABLES(8)

    NAME
    iptables - administration tool for IPv4 packet filtering and NAT

    [ ....................... ]

    owner
    This module attempts to match various characteristics of the packet creator, for locally generated packets. This match is only valid in the OUTPUT and POSTROUTING chains. Forwarded
    packets do not have any socket associated with them. Packets from kernel threads do have a socket, but usually no owner.

    [!] --uid-owner username

    [!] --uid-owner userid[-userid]
    Matches if the packet socket's file structure (if it has one) is owned by the given user. You may also specify a numerical UID, or an UID range.

    [!] --gid-owner groupname

    [!] --gid-owner groupid[-groupid]
    Matches if the packet socket's file structure is owned by the given group. You may also specify a numerical GID, or a GID range.

    [!] --socket-exists
    Matches if the packet is associated with a socket.
    Well... yes. If you like creating a new user for each user/program combo then yes... .

    Btw, this does not work for NFS and other kernel mounting protocols. Let alone incoming connections (OUTPUT and POSTROUTING) only.

    Whatever works for you .

  6. #16
    Join Date
    Sep 2008
    Location
    Vilnius, Lithuania
    Posts
    2,601

    Default

    Quote Originally Posted by Rexilion View Post
    My firewall is kind of 'complicated' (yes, I like reading docs).
    I like that, too. And Gentoo docs say pretty much "you don't need a firewall if you're behind NAT, dummy!". So I'm cool with following that advice.

    Quote Originally Posted by Rexilion View Post
    Fortunately, I'm stuck with 3.10 for the nvidia blob since nouveau causes my card to deadlock at really random moments.
    Wait, yours too? Please see this: https://bugs.freedesktop.org/show_bug.cgi?id=69882

  7. #17
    Join Date
    Oct 2011
    Posts
    42

    Default

    Quote Originally Posted by Rexilion View Post
    Well... yes. If you like creating a new user for each user/program combo then yes... .

    Btw, this does not work for NFS and other kernel mounting protocols. Let alone incoming connections (OUTPUT and POSTROUTING) only.

    Whatever works for you .
    The NSA has a solution for you: selinux. And maybe you have control what your programs are listen to.

  8. #18
    Join Date
    Apr 2010
    Posts
    771

    Default

    Quote Originally Posted by Rexilion View Post
    My firewall is kind of 'complicated' (yes, I like reading docs).
    I wouldn't say that's a good thing.... a complicated firewall is much more likely to have holes in it than a simple one....

  9. #19
    Join Date
    Dec 2012
    Posts
    459

    Default

    Quote Originally Posted by GreatEmerald View Post
    Quote Originally Posted by Rexilion View Post
    My firewall is kind of 'complicated' (yes, I like reading docs).
    I like that, too. And Gentoo docs say pretty much "you don't need a firewall if you're behind NAT, dummy!". So I'm cool with following that advice.
    Yes, if you are behind a NAT device then everything is cool (in theory). But I like my laptop to not respond to closed ports (TCP, UDP) whenever something is not listening on it. I find this convenient if I'm at an unknown network. And once you have that figured out, why apply it to the desktop as well just to make the conf file management easier .

    Furthermore, I also use a VPN (IPSEC) and allow internet connection sharing. You have to be careful of not allowing the person using your internet connection to access the other side of your IPSEC VPN (ever thought about that?). This could happen if you have a default rule for masquerading, which I require for my qemu hosts to work properly (this way they can access my home network).

    Standard firewall is not safe once you have a slightly adventurous setup. And as you can see, I'm able to use netfilter to do some really nifty things. And yes, there have been moments where there was a hole. But it was never worse than the default configuration.

    That being said, I don't trust my router which implies I'm replicating NAT on each box (your very own router can be hacked as well, why blindly trust it?). And then I also slapped some basic DDOS protection on it while I'm there.

    I think, on and off, I have tweaked the firewall quite a few years. But I haven't touched in ages for a while, it's working *exactly* how I want it and how I expect it to do. Furthermore, tinkering like this helps you explorer more stuff about Linux. I leaned about ip, routing tables, MAC addresses, tcpdump (godsend), wireshark (tcpdump made cool) and the netfilter connection tracking tables.

    I even went in the RFC docs once to differentiate NAT UDP packets that were either part of IKE (some bitfield is zero) or part of ESP itself. This taught me about bitfields.

    Quote Originally Posted by GreatEmerald View Post
    Quote Originally Posted by Rexilion View Post
    Fortunately, I'm stuck with 3.10 for the nvidia blob since nouveau causes my card to deadlock at really random moments.
    Wait, yours too? Please see this: https://bugs.freedesktop.org/show_bug.cgi?id=69882
    Nope, at least you get output in dmesg. I get squat: https://bugs.freedesktop.org/show_bug.cgi?id=70566 . I even tried netconsole -> no output. Switched to the blob to rule out a defect card.

    I wouldn't be surprised these cards are exhibiting this behaviour since nouveau does not reclock their engine's. We are actually using them in a way that they were not designed to.

    Quote Originally Posted by dibal View Post
    The NSA has a solution for you: selinux. And maybe you have control what your programs are listen to.
    Lol, look here at the first post. I call that insane.

    Quote Originally Posted by Delgarde View Post
    I wouldn't say that's a good thing.... a complicated firewall is much more likely to have holes in it than a simple one....
    Agreed. I block all protocols except TCP, UDP and ICMP. Then I make a policy based on the addrtype extension. If you really put some hard though in your design, then you can in fact create a nice structured firewall without losing oversight. I think I'll take my risk

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •