Re: [Setup-tool-hackers] I thought I would check and see first...




Right, ok sounds good... if this is seen as in line with xst arch I will
start working on this tonight :)

--------------------[-- burra@colorado.edu --]--------------------------

On Tue, 24 Jul 2001, Mitch Allmond wrote:

> I think the allowed services for each interface option, the added port option for each
> interface, a close all other ports not mentioned, and a masquerading option should be
> shown by default. All the other stuff like syn flood protection, anti spoofing, etc....
> should all be under an advanced tab/button.
>
>
> Burra wrote:
>
> > Right... so how about this for the "basic" configuration dialog:
> >
> > Allowed Services:
> > SSH []  FTP []  TELNET []  Ping []
> >    ... etc ...
> >
> > Anti Spoofing protection []
> > Syn flood protection []
> > Port scan protection []
> > Accept all local packets []
> > Accept all established connections []
> > Accept all  related connections []
> > Trusted hosts: _____________________________________
> > Block hosts: _____________________________________
> >
> > ... something like the above, but I will make it much easier to use and
> > multi-interface compat.
> >
> > I think for the "more options" area I will give the option of adding your
> > own rules.. of course ;)
> >
> > Also, in the end, I will add a panel applet to monitor your firewall.
> >
> > --------------------[-- burra@colorado.edu --]--------------------------
> >
> > On Tue, 24 Jul 2001, Mitch Allmond wrote:
> >
> > > I think such a tool is seriously needed. I say go for it. However, try to keep it
> > > very elegant. A 13 year old ought to be able to make sense of it.  I kind of liked
> > > my diagram of it where each device is shown, the common services with their ports,
> > > spaces for manual port input, and then check boxes to select which device has that
> > > service/port blocked and which doesn't. It just makes more sense like that to
> > > people that have no clue about firewalls. All they'll see is that "if I click this
> > > button, no one outside can access my ssh server."
> > >
> > >
> > > Burra wrote:
> > >
> > > > Yes, I guess a firewall configurator makes more sense if xst is just for
> > > > system configuration files. I could do this very easily... I can do rules
> > > > to open up/block specific ports, allow trusted hosts, disallow untrusted
> > > > > hosts, block typical DoS attacks and block port scans for iptables,
> > > > ipchains, and ipf.
> > > >
> > > > > We might put this under "Security" and tie in hosts.allow/hosts.deny
> > > > configuration, PAM configuration, and other /etc based security config
> > > > files.
> > > >
> > > > Thoughts?
> > > >
> > > > --------------------[-- burra@colorado.edu --]--------------------------
> > > >
> > > > On Tue, 24 Jul 2001, Mitch Allmond wrote:
> > > >
> > > > > what about a firewall configurator? Is this in the works? It would be great to
> > > > > have a tool in xst that can configure iptable firewalls, and give the option
> > > > > for it to be activated on boot or not.  I'll do a little text example
> > > > > below. The idea is to show each ethernet device, supply check boxes to block
> > > > > or open that service/port to that device, to allow user input for specific
> > > > > ports, and to allow masquerading.
> > > > >
> > > > >     Eth0                                Eth1
> > > > >         _                ssh                _
> > > > >
> > > > >         _                smtp             _
> > > > >
> > > > >         _                http               _
> > > > >
> > > > >         _                etc...              _
> > > > >
> > > > >         _                X11               _
> > > > >
> > > > >         _            | insert port |    _
> > > > >
> > > > >         _            | insert port |    _
> > > > >
> > > > > ---------------------------------------
> > > > > _    masquerade virtual ips (default 192.168.0.0) manual _____________
> > > > > _    close all ports/services not handled above
> > > > >
> > > > >
> > > > > etc......... you get the point
> > > > >
> > > > > if there was
> > > > >
> > > > > Chema Celorio wrote:
> > > > >
> > > > > > On 23 Jul 2001 21:15:27 -0600, Burra wrote:
> > > > > > >
> > > > > > > Hi setup-tool hackers,
> > > > > > > > After successfully creating the basic components of a setup tool, I am
> > > > > > > > about to (currently actually) implement a "security-setup-tool". This
> > > > > > > tool will check your file system, services, network, the list goes on...,
> > > > > > > and offer fixes once it has encountered a security problem.
> > > > > > >
> > > > > > > > I thought I would check and see first if someone is already implementing
> > > > > > > this... Anyone? I guess I am looking for a blessing from everyone to go
> > > > > > > ahead :)
> > > > > >
> > > > > > > The idea sounds great, but I am not sure it belongs inside XST. XST reads
> > > > > > > system configuration and writes system configuration. This security
> > > > > > program sounds good but does not quite fit in the architecture.
> > > > > >
> > > > > > >
> > > > > > > If no one is already doing this, I will post my code, once I get all
> > > > > > > basic functions in place, for approval to add it to cvs, hopefully :)
> > > > > > >
> > > > > > > --------------------[-- burra@colorado.edu --]--------------------------
> > > > > > >
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > setup-tool-hackers maillist  -  setup-tool-hackers@ximian.com
> > > > > > > http://lists.ximian.com/mailman/listinfo/setup-tool-hackers
> > > > > > >
> > > > > >
> > > > >
> > >
>


_______________________________________________
setup-tool-hackers maillist  -  setup-tool-hackers@ximian.com
http://lists.ximian.com/mailman/listinfo/setup-tool-hackers
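
The per-interface checkbox model discussed in this thread (allowed services, manual "insert port" fields, masquerading, close everything else) maps onto iptables rules roughly as follows. This is an added example, not code from the thread or from XST; the function name `build_rules`, the service-to-port map, and the /24 mask on the masquerade network are assumptions.

```python
import ipaddress
import re

# Assumed service-to-port map for the checkboxes named in the thread.
SERVICES = {"ssh": 22, "smtp": 25, "http": 80, "ftp": 21, "telnet": 23}
IFACE_RE = re.compile(r"[A-Za-z0-9_.-]{1,15}")  # Linux interface names: max 15 chars


def build_rules(allowed, extra_ports=None, close_others=True,
                masq_net=None, masq_out=None):
    """Return iptables argv lists (never shell strings) for a checkbox selection."""
    extra_ports = extra_ports or {}
    # Loopback and reply traffic must stay reachable once the policy is DROP.
    rules = [["iptables", "-A", "INPUT", "-i", "lo", "-j", "ACCEPT"],
             ["iptables", "-A", "INPUT", "-m", "state", "--state",
              "ESTABLISHED,RELATED", "-j", "ACCEPT"]]
    for iface in sorted(set(allowed) | set(extra_ports)):
        if not IFACE_RE.fullmatch(iface):
            raise ValueError(f"bad interface name: {iface!r}")
        ports = []
        for svc in allowed.get(iface, []):
            if svc not in SERVICES:
                raise ValueError(f"unknown service: {svc!r}")
            ports.append(SERVICES[svc])
        for port in extra_ports.get(iface, []):
            # Manual port fields are untrusted input: integers 1..65535 only.
            if type(port) is not int or not 1 <= port <= 65535:
                raise ValueError(f"bad port: {port!r}")
            ports.append(port)
        for port in sorted(set(ports)):
            rules.append(["iptables", "-A", "INPUT", "-i", iface, "-p", "tcp",
                          "--dport", str(port), "-j", "ACCEPT"])
    if masq_net:
        if not IFACE_RE.fullmatch(masq_out or ""):
            raise ValueError("masquerading needs a valid outbound interface")
        net = str(ipaddress.ip_network(masq_net))  # ValueError on bad input
        rules.append(["iptables", "-t", "nat", "-A", "POSTROUTING", "-s", net,
                      "-o", masq_out, "-j", "MASQUERADE"])
    if close_others:
        # Default-deny goes last so the accept rules exist before it takes effect.
        rules.append(["iptables", "-P", "INPUT", "DROP"])
    return rules


if __name__ == "__main__":
    for rule in build_rules({"eth0": ["ssh"], "eth1": ["ssh", "http"]},
                            masq_net="192.168.0.0/24", masq_out="eth0"):
        print(" ".join(rule))
```

Returning argv lists and validating interface names and ports keeps values typed into the dialog from reaching a shell or producing a malformed rule.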