[Wylug-help] firewall issues

lee at leeevans.org
Fri Mar 17 14:42:08 GMT 2006


> I have a question related to using firewalls in Linux. I'm using SuSE 10.0
> and the firewall I'm running (unsurprisingly) is SuSEfirewall2.

I think the first and most important thing to point out is that the
firewall you are using is in fact IPTables. SuSEfirewall2 is simply a
frontend to make it easier for you to configure this. As such, it would be
well worth having a good read of the documentation at
http://netfilter.samba.org - this will give you a much better
understanding of what SuSEfirewall2 is actually doing for you and how you
might intervene if it isn't doing what you want it to do.

> I understand how to configure the blocking of incoming traffic. I've set
> the machine up as a Samba server, works fine.

I've never used it, but I would imagine SuSEfirewall does have some method
of configuring outgoing traffic as well.

> I've read around the subject of external, internal and demilitarized zones
> for the firewall and I *believe* that's mainly concerned with using the
> Linux box as the firewall for a network. So I could block outgoing traffic
>  from machines behind the firewall.

Yes, you're about right there.

> Is there a way I can block local outgoing traffic from the Linux box? So
> if there is a trojan sending out my sensitive information** then it will
> be blocked. I don't *believe* it's doing that by default.

Absolutely - as I've said you're really just using IPTables. Using the
command line it would be fairly trivial to say:

/sbin/iptables -A OUTPUT -p tcp --dport 6667 -j DROP

which would stop your machine sending out IRC traffic, which is fairly
common behaviour for trojans. Of course, if you want to use IRC yourself
then that pretty much scuppers you, but it's fairly sensible to block all
outgoing traffic by default and then only open up particular ports that
you do need (HTTP, HTTPS etc).

> I could of course block it at the router (after reading the manual).

Maybe - depends on the router. Some of the more basic models don't allow
configuration of outgoing firewall rules. If you can, that would strike me
as being more sensible as it would cover your Windows box as well.

Unless you are concerned about threats on your LAN you perhaps don't need
to run the firewall on the Linux box at all.

> Thanks,
> J.

Lee
-- 
Lee Evans
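
The default-deny approach described in the reply above (block all outgoing traffic, then open only the ports you need), as an added example that is not part of the original message. The port lists, the log prefix and the function names are assumptions, and it assumes no earlier OUTPUT rule (from SuSEfirewall2, for instance) already accepts the traffic.

```shell
#!/bin/sh
# Added example (not from the original message): print the iptables commands
# for a default-deny OUTPUT chain. Review the output, then run it as root.
# Port lists and the log prefix are constructed sample values.
ALLOWED_TCP="${ALLOWED_TCP:-80 443}"   # HTTP, HTTPS
ALLOWED_UDP="${ALLOWED_UDP:-53}"       # DNS lookups
IPT=/sbin/iptables

# Accept only decimal port numbers in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

egress_rules() {
    # Validate everything first so a typo never yields a half-built ruleset.
    for p in $ALLOWED_TCP $ALLOWED_UDP; do
        valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
    done
    # Loopback traffic and replies to connections accepted inbound
    # (the Samba server, for example) keep working.
    echo "$IPT -A OUTPUT -o lo -j ACCEPT"
    echo "$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $ALLOWED_TCP; do
        echo "$IPT -A OUTPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $ALLOWED_UDP; do
        echo "$IPT -A OUTPUT -p udp --dport $p -j ACCEPT"
    done
    # Log what is about to be dropped (rate-limited) so unexpected outbound
    # connections show up in the kernel log.
    echo "$IPT -A OUTPUT -m limit --limit 6/min -j LOG --log-prefix 'egress-drop: '"
    # Set the policy last, so applying the rules never cuts off the session
    # that is applying them.
    echo "$IPT -P OUTPUT DROP"
}

egress_rules
```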



