Re: [Setup-tool-hackers] I thought I would check and see first...



I think the allowed services for each interface option, the added port option for each
interface, a "close all other ports not mentioned" option, and a masquerading option should be
shown by default. All the other stuff like syn flood protection, anti spoofing, etc.
should all be under an advanced tab/button.


Burra wrote:

> Right... so how about this for the "basic" configuration dialog:
>
> Allowed Services:
> SSH []  FTP []  TELNET []  Ping []
>    ... etc ...
>
> Anti Spoofing protection []
> Syn flood protection []
> Port scan protection []
> Accept all local packets []
> Accept all established connections []
> Accept all related connections []
> Trusted hosts: _____________________________________
> Block hosts: _____________________________________
>
> ... something like the above, but I will make it much easier to use and
> multi-interface compat.
>
> I think for the "more options" area I will give the option of adding your
> own rules.. of course ;)
>
> Also, in the end, I will add a panel applet to monitor your firewall.
>
> --------------------[-- burra@colorado.edu --]--------------------------
>
> On Tue, 24 Jul 2001, Mitch Allmond wrote:
>
> > I think such a tool is seriously needed. I say go for it. However, try to keep it
> > very elegant. A 13 year old ought to be able to make sense of it.  I kind of liked
> > my diagram of it where each device is shown, the common services with their ports,
> > spaces for manual port input, and then check boxes to select which device has that
> > service/port blocked and which doesn't. It just makes more sense like that to
> > people that have no clue about firewalls. All they'll see is that "if I click this
> > button, no one outside can access my ssh server."
> >
> >
> > Burra wrote:
> >
> > > Yes, I guess a firewall configurator makes more sense if xst is just for
> > > system configuration files. I could do this very easily... I can do rules
> > > to open up/block specific ports, allow trusted hosts, disallow untrusted
> > > hosts, block typical DoS attacks and block port scans for iptables,
> > > ipchains, and ipf.
> > >
> > > We might put this under "Security" and tie in hosts.allow/hosts.deny
> > > configuration, PAM configuration, and other /etc based security config
> > > files.
> > >
> > > Thoughts?
> > >
> > > --------------------[-- burra@colorado.edu --]--------------------------
> > >
> > > On Tue, 24 Jul 2001, Mitch Allmond wrote:
> > >
> > > > > What about a firewall configurator? Is this in the works? It would be great to
> > > > have a tool in xst that can configure iptable firewalls, and give the option
> > > > for it to be activated on boot or not.  I'll do a little text example
> > > > below. The idea is to show each ethernet device, supply check boxes to block
> > > > or open that service/port to that device, to allow user input for specific
> > > > ports, and to allow masquerading.
> > > >
> > > >     Eth0                                Eth1
> > > >         _                ssh                _
> > > >
> > > >         _                smtp             _
> > > >
> > > >         _                http               _
> > > >
> > > >         _                etc...              _
> > > >
> > > >         _                X11               _
> > > >
> > > >         _            | insert port |    _
> > > >
> > > >         _            | insert port |    _
> > > >
> > > > ---------------------------------------
> > > > _    masquerade virtual ips (default 192.168.0.0) manual _____________
> > > > _    close all ports/services not handled above
> > > >
> > > >
> > > > etc......... you get the point
> > > >
> > > > if there was
> > > >
> > > > Chema Celorio wrote:
> > > >
> > > > > On 23 Jul 2001 21:15:27 -0600, Burra wrote:
> > > > > >
> > > > > > Hi setup-tool hackers,
> > > > > > After successfully creating the basic components of a setup tool, I am
> > > > > > about to (currently actually) implement a "security-setup-tool". This
> > > > > > tool will check your file system, services, network, the list goes on...,
> > > > > > and offer fixes once it has encountered a security problem.
> > > > > >
> > > > > > I thought I would check and see first if someone is already implementing
> > > > > > this... Anyone? I guess I am looking for a blessing from everyone to go
> > > > > > ahead :)
> > > > >
> > > > > The idea sounds great, but I am not sure it belongs inside XST. XST reads
> > > > > system configuration and writes system configuration. This security
> > > > > program sounds good but does not quite fit in the architecture.
> > > > >
> > > > > >
> > > > > > If no one is already doing this, I will post my code, once I get all
> > > > > > basic functions in place, for approval to add it to cvs, hopefully :)
> > > > > >
> > > > > > --------------------[-- burra@colorado.edu --]--------------------------
> > > > > >
> > > > > >
> > > > > > _______________________________________________
> > > > > > setup-tool-hackers maillist  -  setup-tool-hackers@ximian.com
> > > > > > http://lists.ximian.com/mailman/listinfo/setup-tool-hackers
> > > > > >
> > > > >
> > > >
> >
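
The basic dialog discussed in this thread (per-device service check boxes, manual port fields, "close all other ports", masquerading) mapped to iptables rules, as an added example that is not part of the original messages or of XST. The function name, the service table, the /24 mask on the default 192.168.0.0 range, and eth0 as the outbound device are assumptions.

```python
import ipaddress
import re

# Constructed service table (standard well-known TCP ports).
SERVICES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "http": 80}
# Linux interface names are at most 15 characters; reject option-like input.
IFACE_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,14}")


def build_rules(allowed, extra_ports=None, close_others=True,
                masq_source=None, masq_out=None):
    """Map the dialog state to iptables argument lists (hypothetical helper).

    allowed:     {"eth1": ["ssh", "http"]}  ticked service boxes per device
    extra_ports: {"eth1": [8080]}           the "insert port" fields
    """
    extra_ports = extra_ports or {}
    rules = []
    if close_others:
        # Default-deny, then keep local and already-established traffic alive.
        rules.append(["-P", "INPUT", "DROP"])
        rules.append(["-A", "INPUT", "-i", "lo", "-j", "ACCEPT"])
        rules.append(["-A", "INPUT", "-m", "state", "--state",
                      "ESTABLISHED,RELATED", "-j", "ACCEPT"])
    for iface in sorted(set(allowed) | set(extra_ports)):
        if not IFACE_RE.fullmatch(iface):
            raise ValueError(f"bad interface name: {iface!r}")
        ports = [SERVICES[s] for s in allowed.get(iface, [])]
        ports += extra_ports.get(iface, [])
        for port in ports:  # validate before anything reaches a rule
            if type(port) is not int or not 1 <= port <= 65535:
                raise ValueError(f"bad port on {iface}: {port!r}")
        for port in sorted(set(ports)):
            rules.append(["-A", "INPUT", "-i", iface, "-p", "tcp",
                          "--dport", str(port), "-j", "ACCEPT"])
    if masq_source is not None:
        net = ipaddress.ip_network(masq_source)  # ValueError if malformed
        if not IFACE_RE.fullmatch(masq_out or ""):
            raise ValueError("masquerading needs a valid outbound interface")
        rules.append(["-t", "nat", "-A", "POSTROUTING", "-s", str(net),
                      "-o", masq_out, "-j", "MASQUERADE"])
    return rules


if __name__ == "__main__":
    state = {"eth0": ["http"], "eth1": ["ssh", "http"]}  # constructed sample
    for rule in build_rules(state, {"eth1": [8080]},
                            masq_source="192.168.0.0/24", masq_out="eth0"):
        print("iptables", " ".join(rule))
```

Returning argument lists rather than a shell string keeps the manual port and interface fields from being interpreted by a shell when the rules are applied.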

