Re: [Setup-tool-hackers] I thought I would check and see first...
- From: Mitch Allmond <gte203h prism gatech edu>
- To: Burra <burra colorado edu>
- Cc: Chema Celorio <chema XIMIAN COM>, setup-tool-hackers XIMIAN COM
- Subject: Re: [Setup-tool-hackers] I thought I would check and see first...
- Date: Tue, 24 Jul 2001 17:04:36 -0400
Sounds awesome :)
Speaking of services, is there a tool in xst planned for activating services like pop3,
imap, http, telnet, ssh, ftp, etc....? If these things were coordinated with xst, configured
via the appropriate files, and recorded in gconf, it would be much nicer for the firewall
setup in showing only services that are running. Then again, maybe it would be better to
set firewall rules even for the services you aren't running in case they want to fire it up
for a little bit. Any thoughts?
Burra wrote:
> Right, ok sounds good... if this is seen as in line with xst arch I will
> start working on this tonight :)
>
> --------------------[-- burra@colorado.edu --]--------------------------
>
> On Tue, 24 Jul 2001, Mitch Allmond wrote:
>
> > I think the allowed services for each interface option, the added port option for each
> > interface, a close all other ports not mentioned, and a masquerading option should be
> > shown by default. All the other stuff like syn flood protection, anti spoofing, etc....
> > should all be under an advanced tab/button.
> >
> >
> > Burra wrote:
> >
> > > Right... so how about this for the "basic" configuration dialog:
> > >
> > > Allowed Services:
> > > SSH [] FTP [] TELNET [] Ping []
> > > ... etc ...
> > >
> > > Anti Spoofing protection []
> > > Syn flood protection []
> > > Port scan protection []
> > > Accept all local packets []
> > > Accept all established connections []
> > > Accept all related connections []
> > > Trusted hosts: _____________________________________
> > > Block hosts: _____________________________________
> > >
> > > ... something like the above, but I will make it much easier to use and
> > > multi-interface compat.
> > >
> > > I think for the "more options" area I will give the option of adding your
> > > own rules.. of course ;)
> > >
> > > Also, in the end, I will add a panel applet to monitor your firewall.
> > >
> > > --------------------[-- burra@colorado.edu --]--------------------------
> > >
> > > On Tue, 24 Jul 2001, Mitch Allmond wrote:
> > >
> > > > I think such a tool is seriously needed. I say go for it. However, try to keep it
> > > > very elegant. A 13 year old ought to be able to make sense of it. I kind of liked
> > > > my diagram of it where each device is shown, the common services with their ports,
> > > > spaces for manual port input, and then check boxes to select which device has that
> > > > service/port blocked and which doesn't. It just makes more sense like that to
> > > > people that have no clue about firewalls. All they'll see is that "if I click this
> > > > button, no one outside can access my ssh server."
> > > >
> > > >
> > > > Burra wrote:
> > > >
> > > > > Yes, I guess a firewall configurator makes more sense if xst is just for
> > > > > system configuration files. I could do this very easily... I can do rules
> > > > > to open up/block specific ports, allow trusted hosts, disallow untrusted
> > > > > > hosts, block typical DoS attacks and block port scans for iptables,
> > > > > > ipchains, and ipf.
> > > > > >
> > > > > > We might put this under "Security" and tie in hosts.allow/hosts.deny
> > > > > configuration, PAM configuration, and other /etc based security config
> > > > > files.
> > > > >
> > > > > Thoughts?
> > > > >
> > > > > --------------------[-- burra@colorado.edu --]--------------------------
> > > > >
> > > > > On Tue, 24 Jul 2001, Mitch Allmond wrote:
> > > > >
> > > > > > > What about a firewall configurator? Is this in the works? It would be great to
> > > > > > > have a tool in xst that can configure iptables firewalls, and give the option
> > > > > > for it to be activated on boot or not. I'll do a little text example
> > > > > > below. The idea is to show each ethernet device, supply check boxes to block
> > > > > > or open that service/port to that device, to allow user input for specific
> > > > > > ports, and to allow masquerading.
> > > > > >
> > > > > > Eth0 Eth1
> > > > > > _ ssh _
> > > > > >
> > > > > > _ smtp _
> > > > > >
> > > > > > _ http _
> > > > > >
> > > > > > _ etc... _
> > > > > >
> > > > > > _ X11 _
> > > > > >
> > > > > > _ | insert port | _
> > > > > >
> > > > > > _ | insert port | _
> > > > > >
> > > > > > ---------------------------------------
> > > > > > _ masquerade virtual ips (default 192.168.0.0) manual _____________
> > > > > > _ close all ports/services not handled above
> > > > > >
> > > > > >
> > > > > > etc......... you get the point
> > > > > >
> > > > > > if there was
> > > > > >
> > > > > > Chema Celorio wrote:
> > > > > >
> > > > > > > On 23 Jul 2001 21:15:27 -0600, Burra wrote:
> > > > > > > >
> > > > > > > > Hi setup-tool hackers,
> > > > > > > > > After successfully creating the basic components of a setup tool, I am
> > > > > > > > > about to (currently actually) implement a "security-setup-tool". This
> > > > > > > > > tool will check your file system, services, network, the list goes on...,
> > > > > > > > > and offer fixes once it has encountered a security problem.
> > > > > > > > >
> > > > > > > > > I thought I would check and see first if someone is already implementing
> > > > > > > > this... Anyone? I guess I am looking for a blessing from everyone to go
> > > > > > > > ahead :)
> > > > > > >
> > > > > > > > The idea sounds great, but I am not sure it belongs inside XST. XST reads
> > > > > > > > system configuration and writes system configuration. This security
> > > > > > > program sounds good but does not quite fit in the architecture.
> > > > > > >
> > > > > > > >
> > > > > > > > If no one is already doing this, I will post my code, once I get all
> > > > > > > > basic functions in place, for approval to add it to cvs, hopefully :)
> > > > > > > >
> > > > > > > > --------------------[-- burra@colorado.edu --]--------------------------
> > > > > > > >
> > > > > > > >
> > > > > > > > _______________________________________________
> > > > > > > > setup-tool-hackers maillist - setup-tool-hackers@ximian.com
> > > > > > > > http://lists.ximian.com/mailman/listinfo/setup-tool-hackers
> > > > > > > >
> > > > > > >
> > > > > >
> > > >
> >
>
_______________________________________________
setup-tool-hackers maillist - setup-tool-hackers@ximian.com
http://lists.ximian.com/mailman/listinfo/setup-tool-hackers
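
The per-interface checkbox model discussed in this thread, worked through as an added example (not code from the thread or from xst): each ticked service or manually entered port becomes an ACCEPT rule for that interface, and "close all ports/services not handled above" becomes a default-deny policy, so a service started later stays unreachable until its box is ticked. The `Policy` layout, the function name, the sample interfaces and the /24 mask on the masquerade network are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Well-known TCP ports for services named in the thread.
SERVICES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25,
            "http": 80, "pop3": 110, "imap": 143}
IFACE_RE = re.compile(r"[a-z][a-z0-9]{0,14}")

@dataclass
class Policy:  # hypothetical model of the checkbox dialog, not an xst structure
    allowed: dict                                    # interface -> service names
    extra_ports: dict = field(default_factory=dict)  # interface -> manual TCP ports
    masquerade: dict = field(default_factory=dict)   # outbound interface -> source network
    close_others: bool = True

def build_rules(policy):
    """Return iptables commands for the policy, validating all user-typed fields."""
    for iface in {*policy.allowed, *policy.extra_ports, *policy.masquerade}:
        if not IFACE_RE.fullmatch(iface):
            raise ValueError(f"bad interface name: {iface!r}")
    rules = ["iptables -A INPUT -i lo -j ACCEPT",
             "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for iface in sorted({*policy.allowed, *policy.extra_ports}):
        ports = {SERVICES[name] for name in policy.allowed.get(iface, ())}
        for port in policy.extra_ports.get(iface, ()):
            if not 1 <= int(port) <= 65535:
                raise ValueError(f"bad port: {port!r}")
            ports.add(int(port))
        rules += [f"iptables -A INPUT -i {iface} -p tcp --dport {p} -j ACCEPT"
                  for p in sorted(ports)]
    if policy.close_others:
        # Set the default-deny policy last so applying the list in order
        # never drops a session that a later ACCEPT rule would have allowed.
        rules.append("iptables -P INPUT DROP")
    for iface, net in sorted(policy.masquerade.items()):
        net = ipaddress.ip_network(net)  # raises ValueError on malformed input
        rules.append(f"iptables -t nat -A POSTROUTING -s {net} -o {iface} -j MASQUERADE")
    return rules

# Constructed sample: eth0 faces outward, eth1 is the internal side.
SAMPLE = Policy(allowed={"eth0": {"http"}, "eth1": {"ssh", "http"}},
                extra_ports={"eth1": {6000}},           # X11, entered manually
                masquerade={"eth0": "192.168.0.0/24"})  # /24 mask is an assumption

if __name__ == "__main__":
    print("\n".join(build_rules(SAMPLE)))
```

The interface-name and port checks matter because the "insert port" and interface fields are free-form input that ends up inside a command run as root.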