Mailinglist Archive: opensuse (3100 mails)
Re: [SLE] SUSE Firewall not like ZoneAlarm...
- From: "Andre Truter" <andre.truter@xxxxxxxxx>
- Date: Sun, 12 Mar 2006 20:39:01 +0200
- Message-id: <173f0b9f0603121039o61e57e3g54dd248c8a60489c@xxxxxxxxxxxxxx>
On 3/10/06, Shriramana Sharma <samjnaa@xxxxxxxxx> wrote:
> I wonder how SUSE Firewall works.
>
Like a real firewall
> Back in Windows, with ZoneAlarm, when I first install it, it asks me for
> permission and preconfigures my default browser and mail client to access the
> net. After that, every new application that tries to access the net or every
> incoming connection from the net, it asks me for permission.
>
> But SUSE Firewall never asks me anything.
>
A firewall is not supposed to ask you questions, it is supposed to
protect you from the outside.
Again the Windows philosophy has managed to screw up the perception of
how a computer (or in this case a firewall) is supposed to work.
ZoneAlarm protects your PC from outside access (or at least that is
what it is supposed to do), but it also protects the rest of the world
against your PC.
Because Windows suffers from viruses and spyware which send out
information to the outside world and "phone home" or infect other
machines, you need to also monitor outgoing connections on a Windows
box, that is why ZoneAlarm asks you every time an app tries to contact
the outside world.
But, on Linux, we do not have the virus and spyware problem, so we
don't need to police our own machine so intensely. The normal
firewalls (like what UNIX and Linux, etc. use) normally only block
incoming traffic, as they are supposed to protect you from the outside
world and not the other way around.
But, it is also possible to let a real firewall check both ways of the
traffic and I believe this is normally done when the internal network
contains Windows machines or when they want to prevent employees from
using certain protocols.
So, under normal circumstances, you do not need to worry about which
application is accessing what, except if you think that your machine
has been compromised, but then you need to use a rootkit tool to find
the breach.
> How do I know which applications it forbids and which it allows? How does it
> know which applications to forbid and which to allow?
>
The firewall does not monitor applications, but ports, and it normally
only monitors ports for outside access.
You can set up your firewall to log everything and then you see in the
logs exactly what it is doing.
You can also use "netstat -pant" to show you all the active
connections and which applications are using them. Or you can use
something like Ethereal to see exactly what traffic is going where on
your machine.
There are other tools available too, but I cannot think of the names now.
> I would much prefer a ZoneAlarm-like firewall that tells me what it is doing.
>
I don't trust ZoneAlarm as far as I can throw it, because I am not
really sure what it is doing. The fact that it pops up a nice little
window that informs me that Firefox wants to access the net does not
give me much confidence.
I am interested in who is accessing which ports on my machine and I
want to see it in real-time as close to the source as possible.
I don't have a clue what ZoneAlarm is really doing and what it is
showing me. Is it the same thing? ZA feels to me like a black box and
I have to trust that what the UI is showing me is what it is actually
doing, but I cannot go and look inside to see what is really
happening.
With the Linux firewall I can go and do a dump of the iptables rules
and see what it is supposed to do and then I can check my ports and
traffic to see if it is really doing what it should.
Hope this helps a bit to explain a bit of how a firewall works.
(Although I am not a security expert, I have played around with a
few firewalls and experimented a bit.)
If you don't trust your own PC or the users of your PC, you can use
AppArmor to only allow certain applications to be used.
This can be very handy, but it is also a process to set it up, as you
need to know precisely which libraries are accessed by an application,
etc. But it should prevent unauthorised applications (like spyware, if
any exist and are viable for Linux) from running.
--
Andre Truter | Software Engineer | Registered Linux user #185282
ICQ #40935899 | AIM: trusoftzaf | http://www.trusoft.co.za
~ A dinosaur is a salamander designed to Mil Spec ~
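
The cross-check described in the message above (dump the iptables rules, then compare them with what "netstat -pant" shows listening), as an added example that is not part of the original mail. The sample netstat and iptables-save text is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of `netstat -pant` output (not from a real host).
NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1023/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1150/cupsd
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1301/X
tcp        0      0 192.168.1.10:45012      203.0.113.5:80          ESTABLISHED 2210/firefox-bin
"""
# Constructed sample of an `iptables-save` dump (not SUSE Firewall's real rule set).
RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

def listeners(netstat_text):
    """Return (address, port, program) for every TCP socket in LISTEN state."""
    rows = [l.split() for l in netstat_text.splitlines()]
    return [(f[3].rpartition(":")[0], int(f[3].rpartition(":")[2]), f[6].split("/", 1)[-1])
            for f in rows if len(f) >= 7 and f[0].startswith("tcp") and f[5] == "LISTEN"]

def input_policy_and_ports(rules_text):
    """Return the INPUT chain policy and the TCP ports it explicitly accepts."""
    # Assumption: only single-port '--dport N -j ACCEPT' rules are understood; any
    # source or interface restriction on them is ignored (errs toward 'exposed').
    policy = re.search(r"^:INPUT (\w+)", rules_text, re.M).group(1)
    ports = {int(m.group(1)) for m in re.finditer(
        r"^-A INPUT\b.*-p tcp\b.*--dport (\d+)\b.*-j ACCEPT", rules_text, re.M)}
    return policy, ports

def audit(netstat_text, rules_text):
    """Classify each listening program by whether the outside can reach it."""
    policy, ports = input_policy_and_ports(rules_text)
    report = {}
    for addr, port, prog in listeners(netstat_text):
        if addr.startswith("127.") or addr == "::1":
            verdict = "loopback only"
        else:
            verdict = "exposed" if policy == "ACCEPT" or port in ports else "filtered"
        report[prog] = (port, verdict)
    return report

if __name__ == "__main__":
    for prog, (port, verdict) in audit(NETSTAT, RULES).items():
        print(f"{prog:10} tcp/{port:<6} {verdict}")
```

On a live machine the two inputs would come from running "netstat -pant" and "iptables-save" as root; a listener reported as "exposed" that you did not expect is the thing to investigate.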