* [gentoo-user] [SUSPECTED SPAM] [OT] Best *SIMPLE* firewall?
@ 2018-02-28 21:15 Walter Dnes
2018-02-28 21:28 ` Jorge Almeida
` (4 more replies)
0 siblings, 5 replies; 34+ messages in thread
From: Walter Dnes @ 2018-02-28 21:15 UTC
To: Gentoo Users List
Is there something besides iptables? It seems to be like
systemd/perl/python, continuously expanding its scope. And no, I'm not
looking for an "easy-peasy front-end gui" that'll probably pull in 90%
of QT as dependencies. I fondly remember IPCHAINS.
--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications
^ permalink raw reply [flat|nested] 34+ messages in thread
* Re: [gentoo-user] [SUSPECTED SPAM] [OT] Best *SIMPLE* firewall?
2018-02-28 21:15 [gentoo-user] [SUSPECTED SPAM] [OT] Best *SIMPLE* firewall? Walter Dnes
@ 2018-02-28 21:28 ` Jorge Almeida
2018-02-28 22:58 ` [gentoo-user] " Ian Zimmerman
2018-02-28 23:11 ` [gentoo-user] [okey..] [OT] " Nils Freydank
` (3 subsequent siblings)
4 siblings, 1 reply; 34+ messages in thread
From: Jorge Almeida @ 2018-02-28 21:28 UTC
To: gentoo-user
On Wed, Feb 28, 2018 at 1:15 PM, Walter Dnes <waltdnes@waltdnes.org> wrote:
> Is there something besides iptables? It seems to be like
> systemd/perl/python, continuously expanding its scope. And no, I'm not
> looking for an "easy-peasy front-end gui" that'll probably pull in 90%
> of QT as dependencies. I fondly remember IPCHAINS.
shorewall seems to be the most powerful one. Lots of documentation,
configured via text files.
firehol is much simpler to use, but less well documented and the
mailing list doesn't show much life. None has any useless GUI. I find
both usable.
I would just use iptables if I were iptables-wise enough.
Cheers
Jorge Almeida
* [gentoo-user] Re: Best *SIMPLE* firewall?
2018-02-28 21:28 ` Jorge Almeida
@ 2018-02-28 22:58 ` Ian Zimmerman
2018-02-28 23:22 ` Taiidan
0 siblings, 1 reply; 34+ messages in thread
From: Ian Zimmerman @ 2018-02-28 22:58 UTC
To: gentoo-user
On 2018-02-28 13:28, Jorge Almeida wrote:
> > Is there something besides iptables? It seems to be like
> > systemd/perl/python, continuously expanding its scope. And no, I'm
> > not looking for an "easy-peasy front-end gui" that'll probably pull
> > in 90% of QT as dependencies. I fondly remember IPCHAINS.
>
> shorewall seems to be the most powerful one. Lots of documentation,
> configured via text files. firehol is much simpler to use, but less
> well documented and the mailing list doesn't show much life. None has
> any useless GUI. I find both usable.
>
> I would just use iptables if I were iptables-wise enough.
Isn't iptables (the userspace program) just a very thin wrapper over the
underlying kernel interface (netfilter)? AFAIK there is no other kernel
interface, at least not in stable kernels, so all the other packages
just abstract and simplify it more - I would not consider that reduction
of scope.
I actually like iptables; of course I'll never learn about _all_ its
features, but I've already used some not quite trivial ones.
--
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.
* Re: [gentoo-user] [okey..] [OT] Best *SIMPLE* firewall?
2018-02-28 21:15 [gentoo-user] [SUSPECTED SPAM] [OT] Best *SIMPLE* firewall? Walter Dnes
2018-02-28 21:28 ` Jorge Almeida
@ 2018-02-28 23:11 ` Nils Freydank
2018-02-28 23:57 ` Dale
` (2 more replies)
2018-02-28 23:40 ` [gentoo-user] " Grant Taylor
` (2 subsequent siblings)
4 siblings, 3 replies; 34+ messages in thread
From: Nils Freydank @ 2018-02-28 23:11 UTC
To: gentoo-user
On Wednesday, 28 February 2018, 22:15:59 CET, Walter Dnes wrote:
> Is there something besides iptables? It seems to be like
> systemd/perl/python, continuously expanding its scope. And no, I'm not
> looking for an "easy-peasy front-end gui" that'll probably pull in 90%
> of QT as dependencies. I fondly remember IPCHAINS.
Personally I like nftables (the iptables successor) more. Mostly the same, but
in my eyes it's more convenient.
There are plenty of frontends, many of them in net-firewall/ in our tree ;)
(I tried to use ufw some years ago, but I found it more annoying than
helpful.)
PS: What about the "suspected spam" in your subject? Is that a bug in the ML
software or does that one come from you?
--
GPG fingerprint: '00EF D31F 1B60 D5DB ADB8 31C1 C0EC E696 0E54 475B'
Nils Freydank
* Re: [gentoo-user] Re: Best *SIMPLE* firewall?
2018-02-28 22:58 ` [gentoo-user] " Ian Zimmerman
@ 2018-02-28 23:22 ` Taiidan
2018-02-28 23:35 ` Grant Edwards
` (3 more replies)
0 siblings, 4 replies; 34+ messages in thread
From: Taiidan @ 2018-02-28 23:22 UTC
To: gentoo-user
Is there a windows style application layer firewall? I get that it
doesn't stop truly malicious programs but I am simply wanting to stop
random programs doing connections without my consent which due to the
Lennart Poetterings of the world now are not just a windows freeware
problem.
* [gentoo-user] Re: Best *SIMPLE* firewall?
2018-02-28 23:22 ` Taiidan
@ 2018-02-28 23:35 ` Grant Edwards
2018-03-01 18:22 ` Tom H
2018-02-28 23:47 ` Grant Taylor
` (2 subsequent siblings)
3 siblings, 1 reply; 34+ messages in thread
From: Grant Edwards @ 2018-02-28 23:35 UTC
To: gentoo-user
On 2018-02-28, Taiidan@gmx.com <Taiidan@gmx.com> wrote:
> Is there a windows style application layer firewall?
Can you describe what that means? (For the benefit of those of us that
aren't familiar with Windows.)
--
Grant Edwards grant.b.edwards at gmail.com
Yow! Bo Derek ruined my life!
* Re: [gentoo-user] [OT] Best *SIMPLE* firewall?
2018-02-28 21:15 [gentoo-user] [SUSPECTED SPAM] [OT] Best *SIMPLE* firewall? Walter Dnes
2018-02-28 21:28 ` Jorge Almeida
2018-02-28 23:11 ` [gentoo-user] [okey..] [OT] " Nils Freydank
@ 2018-02-28 23:40 ` Grant Taylor
2018-03-04 0:55 ` Walter Dnes
2018-02-28 23:48 ` [gentoo-user] [SUSPECTED SPAM] " Heiko Baums
2018-03-01 17:58 ` [gentoo-user] " Tom H
4 siblings, 1 reply; 34+ messages in thread
From: Grant Taylor @ 2018-02-28 23:40 UTC
To: gentoo-user
On 02/28/2018 02:15 PM, Walter Dnes wrote:
> Is there something besides iptables?
nftables
I think BPF may come into context here, but I've mostly ignored it, so
I'm not sure.
> It seems to be like systemd/perl/python, continuously expanding its scope.
What do you mean?
I've seen newer match extensions and targets over the years. But those
are simply additional optional bits. I.e. you need to have the module
loaded or compiled into your kernel.
> I fondly remember IPCHAINS.
I vaguely remember ipchains. I don't remember what was before it,
ipfwadm(?).
Maybe it was my ignorance at the time, but I wouldn't use the word
"fondly" to describe my experience with ipchains.
I am fond of iptables / ebtables / arptables.
I've looked at nftables a few times in the last 18 months and have
decided not to take that plunge yet. Usually it's because I feel like I
don't have feature parity between iptables and nftables for the iptables
features that I use.
--
Grant. . . .
unix || die
* Re: [gentoo-user] Re: Best *SIMPLE* firewall?
2018-02-28 23:22 ` Taiidan
2018-02-28 23:35 ` Grant Edwards
@ 2018-02-28 23:47 ` Grant Taylor
2018-02-28 23:54 ` Grant Taylor
2018-03-01 0:26 ` Rich Freeman
2018-03-01 18:07 ` Tom H
3 siblings, 1 reply; 34+ messages in thread
From: Grant Taylor @ 2018-02-28 23:47 UTC
To: gentoo-user
On 02/28/2018 04:22 PM, Taiidan@gmx.com wrote:
> Is there a windows style application layer firewall?
I'm not aware of one.
I know that iptables can filter based on a process owner and cgroup.
So, depending on how the applications are running, you might be able to
come close to what you're after.
I think I've seen a few firewall packages / solutions over the years
that run a client on workstations that publish state on a central
firewall, which will then filter flows based on their (lack of)
registration state. - I've never messed with anything like this.
> I get that it doesn't stop truly malicious programs but I am simply
> wanting to stop random programs doing connections without my consent
> which due to the Lennart Poetterings of the world now are not just a
> windows freeware problem.
I think for now, you have to block everything by default and explicitly
allow what you want through. Or use something like a SOCKS server that
can do some different types of filtering than can be done with iptables.
--
Grant. . . .
unix || die
* Re: [gentoo-user] [SUSPECTED SPAM] [OT] Best *SIMPLE* firewall?
2018-02-28 21:15 [gentoo-user] [SUSPECTED SPAM] [OT] Best *SIMPLE* firewall? Walter Dnes
` (2 preceding siblings ...)
2018-02-28 23:40 ` [gentoo-user] " Grant Taylor
@ 2018-02-28 23:48 ` Heiko Baums
2018-03-01 8:32 ` [gentoo-user] " Alberto Luaces
2018-03-01 17:58 ` [gentoo-user] " Tom H
4 siblings, 1 reply; 34+ messages in thread
From: Heiko Baums @ 2018-02-28 23:48 UTC
To: gentoo-user
On Wed, 28 Feb 2018 16:15:59 -0500,
"Walter Dnes" <waltdnes@waltdnes.org> wrote:
> Is there something besides iptables? It seems to be like
> systemd/perl/python, continuously expanding its scope. And no, I'm
> not looking for an "easy-peasy front-end gui" that'll probably pull
> in 90% of QT as dependencies. I fondly remember IPCHAINS.
I don't know what you're looking for exactly.
If you want a command line tool for configuring your firewall with an
easier syntax than iptables you could try ufw.
I don't know nftables yet, but from what I read so far they seem to
have taken their inspiration from ufw's syntax.
ufw itself uses iptables and generates iptables rules.
In principle, all those firewall tools do the same. They configure the
kernel's own firewall, netfilter. And most if not all of those tools
themselves use iptables, which, besides nftables, is the official tool for
configuring netfilter.
Fun fact: iptables is the successor of ipchains. And it's a very long
time ago that ipchains was replaced by iptables.
* Re: [gentoo-user] Re: Best *SIMPLE* firewall?
2018-02-28 23:47 ` Grant Taylor
@ 2018-02-28 23:54 ` Grant Taylor
0 siblings, 0 replies; 34+ messages in thread
From: Grant Taylor @ 2018-02-28 23:54 UTC
To: gentoo-user
On 02/28/2018 04:47 PM, Grant Taylor wrote:
> I know that iptables can filter based on a process owner and cgroup. So,
> depending on how the applications are running, you might be able to come
> close to what you're after.
You might be able to punt (metadata about) packets into a user space
program that can then make decisions based on additional information.
I.e. what process owns the originating / terminating socket, and ACCEPT
/ DROP / REJECT packets based on that.
I've never heard of such, but I see how it could work. E.g. DROP /
REJECT packets by default, and ACCEPT any packets that have a paternal
process tied to the /usr/bin/thunderbird file.
--
Grant. . . .
unix || die
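The user-space decision Grant sketches above, as an added example that is not code from the thread or from any tool named on the page: a POSIX shell script that attributes a local socket to its owning process and returns ACCEPT only when that process's executable is on an allowlist (Grant's /usr/bin/thunderbird case). The `ss -tnp`-style snapshot and the pid-to-executable table are constructed inline so the script runs offline; on a live host they would come from `ss -tnp` (run as root to see other users' sockets) and `readlink /proc/PID/exe`. The script only computes the verdict; feeding it packet metadata would need a kernel hook such as the NFQUEUE target, which is not shown here.

```shell
#!/bin/sh
# Added example (not from the thread): decide ACCEPT/DROP for a socket based
# on the executable of the process that owns it.

# Allowlist of executables whose sockets are accepted; everything else is
# dropped. Paths are assumptions for the example.
ALLOWED_EXES="/usr/bin/thunderbird /usr/bin/firefox"

# Constructed snapshot in the layout `ss -tnp` prints (header line included).
# On a live system: SS_SNAPSHOT="$(ss -tnp)".
SS_SNAPSHOT='State    Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB    0      0      192.0.2.10:41234     203.0.113.5:993     users:(("thunderbird",pid=2345,fd=51))
ESTAB    0      0      192.0.2.10:41235     203.0.113.9:443     users:(("curl",pid=4100,fd=3))
SYN-SENT 0      1      192.0.2.10:41236     198.51.100.7:6667   users:(("unknown-bin",pid=5200,fd=7))'

# Constructed pid -> executable table. On a live system each entry would be
# the result of: readlink "/proc/$pid/exe".
PID_EXE_TABLE='2345 /usr/bin/thunderbird
4100 /usr/bin/curl
5200 /tmp/unknown-bin'

# owning_pid PORT: print the pid owning the socket whose local port is PORT.
# Column 4 is "Local Address:Port"; the pid is pulled out of the Process column.
owning_pid() {
    printf '%s\n' "$SS_SNAPSHOT" | awk -v port="$1" '
        NR > 1 && $4 ~ (":" port "$") {
            if (match($0, /pid=[0-9]+/))
                print substr($0, RSTART + 4, RLENGTH - 4)
        }'
}

# exe_for_pid PID: look up the executable path recorded for PID.
exe_for_pid() {
    printf '%s\n' "$PID_EXE_TABLE" | awk -v pid="$1" '$1 == pid { print $2 }'
}

# verdict PORT: ACCEPT when the owning executable is allowlisted, otherwise
# DROP. A socket with no identifiable owner is also dropped (fail closed).
verdict() {
    pid="$(owning_pid "$1")"
    [ -n "$pid" ] || { echo DROP; return; }
    exe="$(exe_for_pid "$pid")"
    for allowed in $ALLOWED_EXES; do
        [ "$exe" = "$allowed" ] && { echo ACCEPT; return; }
    done
    echo DROP
}

# Usage: sh verdict.sh PORT  -> prints ACCEPT or DROP for that local port.
[ -n "${1:-}" ] && verdict "$1"
```

With the constructed snapshot, port 41234 (thunderbird) yields ACCEPT while 41235 (curl) and 41236 (an executable run from /tmp) yield DROP. Matching on the executable path rather than the process name matters: the name in the `ss` output is whatever the process calls itself, but /proc/PID/exe is resolved by the kernel.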
* Re: [gentoo-user] [okey..] [OT] Best *SIMPLE* firewall?
2018-02-28 23:11 ` [gentoo-user] [okey..] [OT] " Nils Freydank
@ 2018-02-28 23:57 ` Dale
2018-03-01 3:01 ` Walter Dnes
2018-03-01 9:56 ` Peter Humphrey
2 siblings, 0 replies; 34+ messages in thread
From: Dale @ 2018-02-28 23:57 UTC
To: gentoo-user
Nils Freydank wrote:
>
> PS: What about the "suspected spam" in your subject? Is that a bug in the ML
> software or does that one come from you?
>
I might add, I've got this on other messages as well. I was wondering
about why that was there.
Dale
:-) :-)
* Re: [gentoo-user] Re: Best *SIMPLE* firewall?
2018-02-28 23:22 ` Taiidan
2018-02-28 23:35 ` Grant Edwards
2018-02-28 23:47 ` Grant Taylor
@ 2018-03-01 0:26 ` Rich Freeman
2018-03-01 3:27 ` mad.scientist.at.large
2018-03-01 10:09 ` Wols Lists
2018-03-01 18:07 ` Tom H
3 siblings, 2 replies; 34+ messages in thread
From: Rich Freeman @ 2018-03-01 0:26 UTC
To: gentoo-user
On Wed, Feb 28, 2018 at 6:22 PM, Taiidan@gmx.com <Taiidan@gmx.com> wrote:
> Is there a windows style application layer firewall?
Windows doesn't have an "application layer firewall" as far as I know.
I believe that it does the filtering at the OS level, the same as
Linux.
Now, it is true that the UI for the Windows Firewall is typically used
to set rules on a per-application basis. However, I'm pretty sure
this can also be done with netfilter. I'm not sure if any of the more
convenient netfilter front-ends offer this capability.
> I get that it doesn't
> stop truly malicious programs
As far as I'm aware there is nothing really wrong with the Windows
Firewall. I wouldn't expect it to be any less secure than netfilter.
There is something to be said for having layers of defense and running
a firewall that isn't on the server being protected, but that is true
of both Linux and Windows. Of course the Windows implementation could
contain a bug that the Linux implementation lacks, but the reverse is
also true. Like everybody around here I prefer a FOSS implementation,
and would trust it more due to the "many eyes" philosophy, but I'd
stop short of saying that the Windows software firewall is
particularly insecure.
And of course if you want to filter based on process you have no
choice but to implement it on the host running the process. This
doesn't prevent you from also having a separate firewall at the
network perimeter either.
--
Rich
* Re: [gentoo-user] [okey..] [OT] Best *SIMPLE* firewall?
2018-02-28 23:11 ` [gentoo-user] [okey..] [OT] " Nils Freydank
2018-02-28 23:57 ` Dale
@ 2018-03-01 3:01 ` Walter Dnes
2018-03-01 9:57 ` Peter Humphrey
2018-03-01 9:56 ` Peter Humphrey
2 siblings, 1 reply; 34+ messages in thread
From: Walter Dnes @ 2018-03-01 3:01 UTC
To: gentoo-user
On Thu, Mar 01, 2018 at 12:11:12AM +0100, Nils Freydank wrote
> PS: What about the "suspected spam" in your subject? Is that a bug
> in the ML software or does that one come from you?
Probably my ISP, I'll have to ask on their support forum.
--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications
* Re: [gentoo-user] Re: Best *SIMPLE* firewall?
2018-03-01 0:26 ` Rich Freeman
@ 2018-03-01 3:27 ` mad.scientist.at.large
2018-03-01 10:09 ` Wols Lists
1 sibling, 0 replies; 34+ messages in thread
From: mad.scientist.at.large @ 2018-03-01 3:27 UTC
To: Gentoo User
All microsoft software is inherently less secure. You see, like many companies based here in amerika, microsoft notifies nsa of bugs and does not patch them or notify anyone else until nsa says so, i.e. not unless/until nsa thinks they don't need the indirect back door "accidentally" included back door. Much harder but not impossible with linux, and not at all difficult when you infiltrate development, as nsa did with one of the encrypted filesystems. Please see <https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html> for an idea of how it really works here and elsewhere. And don't think they harass/pressure/or are cooperated with by companies worldwide. The point being that once backdoors are in there is little to do. Hp and Dell (and doubtless others we still don't know about) put backdoors in their server hardware BIOSes that they claim to not know the workings of.
Remember the "Iran hostage 'crisis'"; one of the 3 taken hostage, and likely the trigger, was working for a SWISS encryption company that had put nsa backdoors into its encryption products. One of their employees had the misfortune to be servicing the product in Iran when it leaked out.
The point being that anyone who leaves/creates backdoors is making a way for others to violate the system. This is seriously damaging the value (in financial terms) as people realize how grossly insecure it is, and indeed that some of that is deliberate. Some of it is ignorance; badly implemented security can make things worse, and all software adds bugs to a secure system (part of why it's very bad practice to use a whole pc and os as part of a voting machine; simpler is nearly always more secure). Most security breaches of encrypted and non-encrypted systems are due to a software bug, though often partially a lack of good systems administration. Apparently the math is good, but realize nsa employs more mathematicians than any other agency/company, about 2500+ as i recall; they know things about math that no one else does.
P.S., there are good people at nsa, though fewer than there used to be, and sadly bad attitudes seem now to be required for administrative jobs. Many have left due to the most recent "return to the bad old days", as one of them put it (i.e. during the sixties when, amongst other things, doctor King and countless others were spied on for political ends; i.e. in one of King's hotel rooms there were over 50 fbi bugs! That would be a lot of bugs now).
And 702 is still law here, even though it explicitly allows law enforcement data illegally obtained by "homeland security" (a classic example of newspeak) in court, and to LIE about where it came from, i.e. it legalizes perjury on the part of the state in many cases, the type of thing that usually causes a mistrial and gets people disbarred and sent to prison, though the defense can still get in trouble, sometimes. Currently the "rule of law" only applies when there is no government interest.
My country is adding back doors to routers and likely other electronics at customs, outbound at least but very likely inbound as well. Despite public statements many of the tech companies still aid in illegal surveillance, partially because it makes more of their privacy policies void and allows them to collect, process, and sell your privacy.
Do you have a samsung voice controlled tv? samsung has allowed nsa to use these tv sets as bugs, which is likely the case with cell phone makers as well. Hence the "creepy" notice in the manual that vocal commands are processed off site, i.e. remotely over the net in all cases.
What happens when a company doesn't comply with illegal orders from nsa? They get shut down; remember Qwest (the former provider in colorado etc.), out of business and replaced by a very slimy competitor, all because they made a "big deal" over providing nsa with people's "meta data", often very, very useful.
I feel bad about my country's abandonment of basic human liberties and our own constitution/bill of rights, and worse about how it is enabling other countries to do the same and worse. It is severely damaging the value of the internet and will result in financial losses globally.
mad.scientist.at.large (a good madscientist)
--
God bless the rich, the greedy and the corrupt politicians they have put into office. God bless them for helping me do the right thing by giving the rich my little pile of cash. After all, the rich know what to do with money.
28. Feb 2018 17:26 by rich0@gentoo.org:
> On Wed, Feb 28, 2018 at 6:22 PM, Taiidan@gmx.com <Taiidan@gmx.com> wrote:
>> Is there a windows style application layer firewall?
>
> Windows doesn't have an "application layer firewall" as far as I know.
> I believe that it does the filtering at the OS level, the same as
> Linux.
>
> Now, it is true that the UI for the Windows Firewall is typically used
> to set rules on a per-application basis. However, I'm pretty sure
> this can also be done with netfilter. I'm not sure if any of the more
> convenient netfilter front-ends offer this capability.
>
>> I get that it doesn't
>> stop truly malicious programs
>
> As far as I'm aware there is nothing really wrong with the Windows
> Firewall. I wouldn't expect it to be any less secure than netfilter.
> There is something to be said for having layers of defense and running
> a firewall that isn't on the server being protected, but that is true
> of both Linux and Windows. Of course the Windows implementation could
> contain a bug that the Linux implementation lacks, but the reverse is
> also true. Like everybody around here I prefer a FOSS implementation,
> and would trust it more due to the "many eyes" philosophy, but I'd
> stop short of saying that the Windows software firewall is
> particularly insecure.
>
> And of course if you want to filter based on process you have no
> choice but to implement it on the host running the process. This
> doesn't prevent you from also having a separate firewall at the
> network perimeter either.
>
> --
> Rich
* [gentoo-user] Re: [SUSPECTED SPAM] [OT] Best *SIMPLE* firewall?
2018-02-28 23:48 ` [gentoo-user] [SUSPECTED SPAM] " Heiko Baums
@ 2018-03-01 8:32 ` Alberto Luaces
0 siblings, 0 replies; 34+ messages in thread
From: Alberto Luaces @ 2018-03-01 8:32 UTC
To: gentoo-user
Heiko Baums writes:
> On Wed, 28 Feb 2018 16:15:59 -0500,
> "Walter Dnes" <waltdnes@waltdnes.org> wrote:
>
>> Is there something besides iptables? It seems to be like
>> systemd/perl/python, continuously expanding its scope. And no, I'm
>> not looking for an "easy-peasy front-end gui" that'll probably pull
>> in 90% of QT as dependencies. I fondly remember IPCHAINS.
>
> I don't know what you're looking for exactly.
>
> If you want a command line tool for configuring your firewall with an
> easier syntax than iptables you could try ufw.
Indeed. And its graphical interface:
https://packages.gentoo.org/packages/net-firewall/ufw-frontends
--
Alberto
* Re: [gentoo-user] [okey..] [OT] Best *SIMPLE* firewall?
2018-02-28 23:11 ` [gentoo-user] [okey..] [OT] " Nils Freydank
2018-02-28 23:57 ` Dale
2018-03-01 3:01 ` Walter Dnes
@ 2018-03-01 9:56 ` Peter Humphrey
2018-03-01 10:12 ` Wols Lists
2 siblings, 1 reply; 34+ messages in thread
From: Peter Humphrey @ 2018-03-01 9:56 UTC
To: gentoo-user
On Wednesday, 28 February 2018 23:11:12 GMT Nils Freydank wrote:
> PS: What about the "suspected spam" in your subject? Is that a bug in the
> ML software or does that one come from you?
I don't see that. Are you sure it isn't you? :)
--
Regards,
Peter.
* Re: [gentoo-user] [okey..] [OT] Best *SIMPLE* firewall?
2018-03-01 3:01 ` Walter Dnes
@ 2018-03-01 9:57 ` Peter Humphrey
0 siblings, 0 replies; 34+ messages in thread
From: Peter Humphrey @ 2018-03-01 9:57 UTC
To: gentoo-user
On Thursday, 1 March 2018 03:01:46 GMT Walter Dnes wrote:
> On Thu, Mar 01, 2018 at 12:11:12AM +0100, Nils Freydank wrote
>
> > PS: What about the "suspected spam" in your subject? Is that a bug
> > in the ML software or does that one come from you?
>
> Probably my ISP, I'll have to ask on their support forum.
Sorry about my first post.
You can see from the headers where it was inserted, then direct your
questions accordingly.
--
Regards,
Peter.
* Re: [gentoo-user] Re: Best *SIMPLE* firewall?
2018-03-01 0:26 ` Rich Freeman
2018-03-01 3:27 ` mad.scientist.at.large
@ 2018-03-01 10:09 ` Wols Lists
1 sibling, 0 replies; 34+ messages in thread
From: Wols Lists @ 2018-03-01 10:09 UTC
To: gentoo-user
On 01/03/18 00:26, Rich Freeman wrote:
> Like everybody around here I prefer a FOSS implementation,
> and would trust it more due to the "many eyes" philosophy, but I'd
> stop short of saying that the Windows software firewall is
> particularly insecure.
Bear in mind that "many eyes" only works when said eyes are looking in
that direction.
The crucial take-away is that "many eyes" does not make products any
better, it just means that when a bug is found, it's a lot easier to
find the solution. Because any interested party can look for it rather
than hitting a notice "Kein Eintritt!"
Cheers,
Wol
* Re: [gentoo-user] [okey..] [OT] Best *SIMPLE* firewall?
2018-03-01 9:56 ` Peter Humphrey
@ 2018-03-01 10:12 ` Wols Lists
2018-03-01 19:31 ` Grant Taylor
0 siblings, 1 reply; 34+ messages in thread
From: Wols Lists @ 2018-03-01 10:12 UTC
To: gentoo-user
On 01/03/18 09:56, Peter Humphrey wrote:
> On Wednesday, 28 February 2018 23:11:12 GMT Nils Freydank wrote:
>
>> PS: What about the "suspected spam" in your subject? Is that a bug in the
>> ML software or does that one come from you?
>
> I don't see that. Are you sure it isn't you? :)
>
I see it too. Intermediate mail-servers are prone to assume mailing
lists are spam.
I had great trouble with yahoo and a mailing list - it kept filing all
the ham (from mailing lists) as spam, and left all the spam (mostly
yahoo advertising crap :-( in the inbox.
Cheers,
Wol
* Re: [gentoo-user] [SUSPECTED SPAM] [OT] Best *SIMPLE* firewall?
2018-02-28 21:15 [gentoo-user] [SUSPECTED SPAM] [OT] Best *SIMPLE* firewall? Walter Dnes
` (3 preceding siblings ...)
2018-02-28 23:48 ` [gentoo-user] [SUSPECTED SPAM] " Heiko Baums
@ 2018-03-01 17:58 ` Tom H
2018-03-01 18:20 ` Mick
2018-03-02 1:48 ` [gentoo-user] " Walter Dnes
4 siblings, 2 replies; 34+ messages in thread
From: Tom H @ 2018-03-01 17:58 UTC
To: Gentoo User
On Wed, Feb 28, 2018 at 4:15 PM, Walter Dnes <waltdnes@waltdnes.org> wrote:
>
> Is there something besides iptables? It seems to be like
> systemd/perl/python, continuously expanding its scope. And no, I'm not
> looking for an "easy-peasy front-end gui" that'll probably pull in 90%
> of QT as dependencies. I fondly remember IPCHAINS.
iptables doesn't depend on systemd, perl, or python.
firewalld depends on dbus, polkit, and python.
ufw depends on python.
But there may be other iptables frontends that depend on more,
especially if they are graphical.
The advantage of iptables frontends is that you only have to allow
"your" ports (for a minimal customization) without having to worry
about all the other stuff that you need to set up when you use
iptables directly.
I've used apf, arno, and ufw. The first two depend on bash and simply
require you to set variables in "/etc/$firewall/".
* Re: [gentoo-user] Re: Best *SIMPLE* firewall?
2018-02-28 23:22 ` Taiidan
` (2 preceding siblings ...)
2018-03-01 0:26 ` Rich Freeman
@ 2018-03-01 18:07 ` Tom H
3 siblings, 0 replies; 34+ messages in thread
From: Tom H @ 2018-03-01 18:07 UTC
To: Gentoo User
On Wed, Feb 28, 2018 at 6:22 PM, Taiidan@gmx.com <Taiidan@gmx.com> wrote:
>
> Is there a windows style application layer firewall? I get that it doesn't
> stop truly malicious programs but I am simply wanting to stop random
> programs doing connections without my consent which due to the Lennart
> Poetterings of the world now are not just a windows freeware problem.
Switch to macOS and its running-by-default socketfilterfw ;)
You can set up OUTPUT iptables rules to allow certain ports and drop the others.
* Re: [gentoo-user] [SUSPECTED SPAM] [OT] Best *SIMPLE* firewall?
2018-03-01 17:58 ` [gentoo-user] " Tom H
@ 2018-03-01 18:20 ` Mick
2018-03-02 1:48 ` [gentoo-user] " Walter Dnes
1 sibling, 0 replies; 34+ messages in thread
From: Mick @ 2018-03-01 18:20 UTC
To: gentoo-user
On Thursday, 1 March 2018 17:58:44 GMT Tom H wrote:
> On Wed, Feb 28, 2018 at 4:15 PM, Walter Dnes <waltdnes@waltdnes.org> wrote:
> > Is there something besides iptables? It seems to be like
> > systemd/perl/python, continuously expanding its scope. And no, I'm not
> > looking for an "easy-peasy front-end gui" that'll probably pull in 90%
> > of QT as dependencies. I fondly remember IPCHAINS.
>
> iptables doesn't depend on systemd, perl, or python.
>
> firewalld depends on dbus, polkit, and python.
>
> ufw depends on python.
>
> But there may be other iptables frontends that depend on more,
> especially if they are graphical.
>
> The advantage of iptables frontends is that you only have to allow
> "your" ports (for a minimal customization) without having to worry
> about all the other stuff that you need to set up when you use
> iptables directly.
>
> I've used apf, arno, and ufw. The first two depend on bash and simply
> require you to set variables in "/etc/$firewall/".
+1 for net-firewall/arno-iptables-firewall if you need a script to set up
iptables for you.
I am using vanilla iptables with simple hand-made scripts on a number of
systems, so it shouldn't be too difficult to roll your own if your demands are
relatively simple.
--
Regards,
Mick
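A hand-made iptables script of the kind Mick describes, combining Tom H's suggestion of OUTPUT rules that allow chosen ports and drop the rest with the owner match Grant Taylor mentioned earlier in the thread. This is an added example, not code from the thread or from any project on the page; the port lists, the uid 1001 and the chain layout are assumptions. With DRY_RUN=1 (the default) it prints the rules instead of applying them, so you can review the result before touching a live ruleset.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny OUTPUT with an explicit
# allowlist of destination ports plus one whole program allowed via the
# owner match. DRY_RUN=1 prints the rules; DRY_RUN=0 applies them (root).

DRY_RUN="${DRY_RUN:-1}"
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-53 80 443}"   # constructed list
ALLOWED_UDP_PORTS="${ALLOWED_UDP_PORTS:-53 123}"      # DNS and NTP
MAIL_UID="${MAIL_UID:-1001}"   # hypothetical uid the mail client runs as

# ipt: print the rule (dry run) or hand it to the real iptables binary.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# build_output_rules: emit the OUTPUT chain, fail-closed ordering.
build_output_rules() {
    # Policy first, then flush: a flush with an ACCEPT policy would open a
    # window where everything is allowed.
    ipt -P OUTPUT DROP
    ipt -F OUTPUT
    # Loopback and replies to already tracked flows are always fine.
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New outbound TCP only to the allowlisted ports.
    for p in $ALLOWED_TCP_PORTS; do
        ipt -A OUTPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    for p in $ALLOWED_UDP_PORTS; do
        ipt -A OUTPUT -p udp --dport "$p" -j ACCEPT
    done
    # Owner match: everything the mail account sends is allowed, whatever
    # the port (the per-program case from the thread).
    ipt -A OUTPUT -m owner --uid-owner "$MAIL_UID" -j ACCEPT
    # Log what falls through (rate limited), then reject so local programs
    # fail fast instead of hanging on a silent drop.
    ipt -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DROP: "
    ipt -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
}

# Usage: sh firewall.sh show   (print rules)
#        sh firewall.sh apply  (as root, applies with the real iptables)
case "${1:-}" in
    show)  build_output_rules ;;
    apply) DRY_RUN=0; build_output_rules ;;
esac
```

`sh firewall.sh show` prints twelve rules with the defaults above. The script leaves INPUT and FORWARD alone on purpose (a host that is only a client can keep a separate, equally short INPUT script), and IPv6 needs the same set via ip6tables, otherwise a program can simply walk around the filter over v6.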
* Re: [gentoo-user] Re: Best *SIMPLE* firewall?
2018-02-28 23:35 ` Grant Edwards
@ 2018-03-01 18:22 ` Tom H
0 siblings, 0 replies; 34+ messages in thread
From: Tom H @ 2018-03-01 18:22 UTC
To: Gentoo User
On Wed, Feb 28, 2018 at 6:35 PM, Grant Edwards
<grant.b.edwards@gmail.com> wrote:
> On 2018-02-28, Taiidan@gmx.com <Taiidan@gmx.com> wrote:
>
>> Is there a windows style application layer firewall?
>
> Can you describe what that means? (For the benefit of those of us that
> aren't familiar with Windows.)
I don't use Windows but on macOS it means that you can allow an
application by name, without having to worry about possibly random
ports.
On my Mac:
# /usr/libexec/ApplicationFirewall/socketfilterfw --listapps
ALF: total number of apps = 2
1 : /Applications/Skype.app
( Allow incoming connections )
2 : /usr/local/bin/unbound
( Block incoming connections )
#
* Re: [gentoo-user] [okey..] [OT] Best *SIMPLE* firewall?
2018-03-01 10:12 ` Wols Lists
@ 2018-03-01 19:31 ` Grant Taylor
0 siblings, 0 replies; 34+ messages in thread
From: Grant Taylor @ 2018-03-01 19:31 UTC
To: gentoo-user
On 03/01/2018 03:12 AM, Wols Lists wrote:
> I had great trouble with yahoo and a mailing list - it kept filing all
> the ham (from mailing lists) as spam, and left all the spam (mostly
> yahoo advertising crap in the inbox.
Consider the source of your troubles. ;-)
--
Grant. . . .
unix || die
* [gentoo-user] [OT] Best *SIMPLE* firewall?
2018-03-01 17:58 ` [gentoo-user] " Tom H
2018-03-01 18:20 ` Mick
@ 2018-03-02 1:48 ` Walter Dnes
2018-03-02 2:45 ` Rich Freeman
2018-03-04 1:10 ` Tom H
1 sibling, 2 replies; 34+ messages in thread
From: Walter Dnes @ 2018-03-02 1:48 UTC (permalink / raw
To: gentoo-user
On Thu, Mar 01, 2018 at 12:58:44PM -0500, Tom H wrote
> On Wed, Feb 28, 2018 at 4:15 PM, Walter Dnes <waltdnes@waltdnes.org> wrote:
> >
> > Is there something besides iptables? It seems to be like
> > systemd/perl/python, continuously expanding its scope. And no, I'm not
> > looking for an "easy-peasy front-end gui" that'll probably pull in 90%
> > of QT as dependancies. I fondly remember IPCHAINS.
>
> iptables doesn't depend on systemd, perl, or python.
It has become an all-in-one router/packet-mangler/firewall/QOS/etc
when I simply want a firewall. The required kernel entries have
increased simply for the firewall functionality.
--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications
* Re: [gentoo-user] [OT] Best *SIMPLE* firewall?
2018-03-02 1:48 ` [gentoo-user] " Walter Dnes
@ 2018-03-02 2:45 ` Rich Freeman
2018-03-02 11:42 ` Heiko Baums
2018-03-04 1:10 ` Tom H
1 sibling, 1 reply; 34+ messages in thread
From: Rich Freeman @ 2018-03-02 2:45 UTC (permalink / raw
To: gentoo-user
On Thu, Mar 1, 2018 at 8:48 PM, Walter Dnes <waltdnes@waltdnes.org> wrote:
> On Thu, Mar 01, 2018 at 12:58:44PM -0500, Tom H wrote
>> On Wed, Feb 28, 2018 at 4:15 PM, Walter Dnes <waltdnes@waltdnes.org> wrote:
>> >
>> > Is there something besides iptables? It seems to be like
>> > systemd/perl/python, continuously expanding its scope. And no, I'm not
>> > looking for an "easy-peasy front-end gui" that'll probably pull in 90%
>> > of QT as dependancies. I fondly remember IPCHAINS.
>>
>> iptables doesn't depend on systemd, perl, or python.
>
> It has become an all-in-one router/packet-mangler/firewall/QOS/etc
> when I simply want a firewall. The required kernel entries have
> increased simply for the firewall functionality.
>
Has it really changed that much for the same requirements? Google
suggests that blocking a port is still a one-liner.
They've certainly added a lot of functionality, but as far as I'm
aware you don't have to use most of it to just filter packets.
In any case, netfilter is entirely in the kernel, so you're going to
be using it one way or another if you want to use linux. Using a
front-end is the easiest way to go with it.
I don't really see that Linus has much choice but to accept more scope
unless he wants to move netfilter out into userspace, since I'm sure
some people need those features and he hasn't really given them any
other way to have them.
If they did move netfilter to userspace, then it would probably end up
working a lot more like dbus, I'm sure that would make you happier...
It would enable you to use an alternative implementation, though.
Not that anybody will bother to write one because it is easier to let
RedHat do all the work.
That is generally how most of these things go. Nobody really kills
off the ability for a simple tool to work. However, what does happen
is that somebody comes up with a fancier tool that covers more edge
cases, then all the distros adopt it, because they're shipping it all
preconfigured so it isn't that big a deal if the new solution requires
35 configuration files since it isn't like their end-users are editing
those files directly. Then more software ends up taking advantage of
some of the features offered by this tool, and it becomes harder to
avoid using it.
If anything netfilter staying in the kernel and picking up all those
other features is probably going to be more to your taste than the
alternatives...
--
Rich
* Re: [gentoo-user] [OT] Best *SIMPLE* firewall?
2018-03-02 2:45 ` Rich Freeman
@ 2018-03-02 11:42 ` Heiko Baums
2018-03-02 12:08 ` Rich Freeman
0 siblings, 1 reply; 34+ messages in thread
From: Heiko Baums @ 2018-03-02 11:42 UTC (permalink / raw
To: gentoo-user
Am Thu, 1 Mar 2018 21:45:46 -0500
schrieb Rich Freeman <rich0@gentoo.org>:
> If they did move netfilter to userspace, then it would
most likely be more insecure, because a userspace process can be more
easily bypassed, killed, hacked or whatever. That's a lot harder with the
kernel, if not impossible.
See all those personal firewalls for Windows like Kerio Personal
Firewall, Zone Alarm or whatever when Windows didn't have its own
firewall.
I hope netfilter will never move to userspace. And I'm pretty sure it
won't.
* Re: [gentoo-user] [OT] Best *SIMPLE* firewall?
2018-03-02 11:42 ` Heiko Baums
@ 2018-03-02 12:08 ` Rich Freeman
2018-03-02 23:34 ` Grant Taylor
0 siblings, 1 reply; 34+ messages in thread
From: Rich Freeman @ 2018-03-02 12:08 UTC (permalink / raw
To: gentoo-user
On Fri, Mar 2, 2018 at 6:42 AM, Heiko Baums <lists@baums-on-web.de> wrote:
> Am Thu, 1 Mar 2018 21:45:46 -0500
> schrieb Rich Freeman <rich0@gentoo.org>:
>
>> If they did move netfilter to userspace, then it would
>
> most likely be more insecure because a userspace process can be easier
> bypassed, killed, hacked or whatever. That's a lot harder with the
> kernel if not impossible.
It is actually the opposite. The whole appeal of microkernels is that
they can potentially be a lot more robust.
Consider something like netfilter. The code in netfilter is exposed
to unfiltered network traffic. If it contains a bug then a remote
attacker might be able to run arbitrary code in kernel space, where
there is no separation of privs. That code can access everything on
the machine.
On the other hand, if netfilter were implemented in userspace such as
via a microkernel, then if it contained a bug the remote attacker
would be able to MITM all network traffic on the machine, but that
would be the extent of the access they have. Granted, it still
wouldn't be ideal because it probably would include local traffic that
might not be encrypted (think localhost traffic and socket
connections/etc). Then again, depending on the implementation,
different interfaces or connections might run in separate processes in
which case a remote attacker might only be able to MITM his own
connection. The process running the netfilter code doesn't need
anything other than a pipe back to the kernel to receive packets and
send packets back, so it can run with minimal privs otherwise.
The fact that there are convenient command-line utilities to kill a
process does not mean that they are less secure/robust than kernel
modules. Generally you have to be running as root to kill a process
with a different UID, and bugs that allow this to be exploited are
treated as severe by the kernel team (and in a microkernel they would
be very severe since it is one of the few things the kernel actually
does, and since the kernel doesn't do much the things it does do get
more attention). If you are root, then you can also mess with the
kernel if you want to. You might not know how to do it, but messing
with kernel processes certainly isn't impossible, nor is crashing your
machine.
This is why the Linux maintainers actually prefer to move stuff to
userspace when it makes sense. They're not looking to transition to a
microkernel, but a lot of the boot-time mounting logic and devfs/etc
logic has gone away in favor of initramfs and udev. This allows for
alternate implementations, and it helps cut down on the complexity of
kernel code.
And of course if this is done it is done correctly, and not as some
kind of userspace hack on top of an OS to add features that it lacks.
--
Rich
* Re: [gentoo-user] [OT] Best *SIMPLE* firewall?
2018-03-02 12:08 ` Rich Freeman
@ 2018-03-02 23:34 ` Grant Taylor
2018-03-03 0:28 ` Rich Freeman
0 siblings, 1 reply; 34+ messages in thread
From: Grant Taylor @ 2018-03-02 23:34 UTC (permalink / raw
To: gentoo-user
On 03/02/2018 05:08 AM, Rich Freeman wrote:
> On the other hand, if netfilter were implemented in userspace such as
> via a microkernel, then if it contained a bug the remote attacker would
> be able to MITM all network traffic on the machine, but that would
> be the extent of the access they have.
I don't know that it would be the extent of the access the attacker
would have. It might also be a beachhead that could be used as a
starting point for future attacks.
> The process running the netfilter code doesn't need anything other than
> a pipe back to the kernel to receive packets and send packets back,
> so it can run with minimal privs otherwise.
I think that more than a simple pipe (as in unix socket) is needed.
Currently, any program that uses IP is expecting a socket to behave like
it currently behaves. I don't think a simple pipe can provide that.
I can see a way now, using existing technology, to have an isolated
firewall that runs in user space. Remove all IP processing from eth0 in
the main kernel. Connect eth0 to a User Mode Linux kernel which does
the filtering (in user space) and routes the traffic back over another
connection to the host kernel, i.e. uml0.
     +-----------------------------+
     | Host                        |
     |    +--------------+         |
     |    | UML Firewall |         |
-----+ eth0         eth1 +---uml0  |
     |    +--------------+         |
     +-----------------------------+
Processes running on the host can use the uml0 interface just like they
formerly used the eth0 interface.
All the firewalling / filtering / routing happens in user space
(possibly a container) and independent of the host kernel.
> a lot of the boot-time mounting logic and devfs/etc logic has gone away
> in favor of initramfs and udev.
Please provide examples of this "…boot-time mounting logic and devfs/etc
logic…" that used to be in kernel.
I'll argue that devfs is now in kernel when it used to be files on a
file system or dynamically created by a user space process. As far as I
know, mounting (more than root as RO) has always been driven from user
space via init scripts.
Sure, there's a LOT of changes going on in that space, particularly
around (anti)systemd. But IMHO this has been user space for as long as
I have known.
Please provide examples where I'm wrong. I'd like to learn.
> And of course if this is done it is done correctly, and not as some kind
> of userspace hack on top of an OS to add features that it lacks.
???
--
Grant. . . .
unix || die
* Re: [gentoo-user] [OT] Best *SIMPLE* firewall?
2018-03-02 23:34 ` Grant Taylor
@ 2018-03-03 0:28 ` Rich Freeman
0 siblings, 0 replies; 34+ messages in thread
From: Rich Freeman @ 2018-03-03 0:28 UTC (permalink / raw
To: gentoo-user
On Fri, Mar 2, 2018 at 6:34 PM, Grant Taylor
<gtaylor@gentoo.tnetconsulting.net> wrote:
> On 03/02/2018 05:08 AM, Rich Freeman wrote:
>>
>> On the other hand, if netfilter were implemented in userspace such as via
>> a microkernel, then if it contained a bug the remote attacker would be able
>> to MITM all network traffic on the machine, but that would be the extent of
>> the access they have.
>
>
> I don't know that it would be the extent of the access the attacker would
> have. It might also be a beachhead that could be used as a starting point
> for future attacks.
How? You'd need a local priv escalation vulnerability to do anything
further. If the same bug existed in kernel space you'd already have
kernel privs and own the machine.
It would be the exact same code whether it is running in userspace or
kernelspace. It isn't like code is magically immune to bugs if it is
in the kernel. It would probably be maintained by the exact same
people either way.
>
>> The process running the netfilter code doesn't need anything other than a
>> pipe back to the kernel to receive packets and send packets back, so it can
>> run with minimal privs otherwise.
>
>
> I think that more than a simple pipe (as in unix socket) is needed.
> Currently, any program that uses IP is expecting a socket to behave like it
> currently behaves. I don't think a simple pipe can provide that.
There would be no change to regular software. They would use the same
system calls to open sockets. They would send their packets to the
kernel. The kernel would send them to the userspace netfilter
process. The userspace netfilter process would send them back to the
kernel. The kernel would then send them to the physical layer for
transport.
That is how microkernels work. The kernel is still the central point
of contact and the system calls basically work the same way as they do
today. However, the kernel offloads as much processing to userspace
as possible.
With filesystems it is no different with a microkernel. You use the
same system calls to write to a file. The data to be written goes to
the kernel. However, instead of the kernel calling the filesystem
layer in kernel space it instead sends the data via IPC of some sort
to a filesystem driver running in userspace. It then sends the raw
block device instructions back to the kernel, which then passes it to
the device driver for the disk.
>> a lot of the boot-time mounting logic and devfs/etc logic has gone away in
>> favor of initramfs and udev.
>
>
> Please provide examples of this "…boot-time mounting logic and devfs/etc
> logic…" that used to be in kernel.
>
> I'll argue that devfs is now in kernel when it used to be files on a file
> system or dynamically created by a user space process. As far as I know,
> mounting (more than root as RO) has always been driven from user space via
> init scripts.
I'm talking about mounting root. Capabilities such as identifying
devices by UUID have not been added to the kernel, with this being
done in an initramfs instead. The trend has been in that direction
with assembling RAID arrays and such as well. They haven't removed
much code that is working, but they haven't been enhancing it either.
If you use an initramfs the kernel automatically disables most of the
RAID handling.
I believe there was a period of time after devfs came along but before
udev came along that the complexity of hotplug/etc seemed to be
growing on the kernel side. This was quickly recognized as a losing
battle which is why we have udev today (or its alternate
implementations - one of the benefits of moving this stuff out of the
kernel is that it makes it easier to use alternate implementations).
Obviously mounting filesystems other than root has never been in the kernel.
> Sure, there's a LOT of changes going on in that space, particularly around
> (anti)systemd.
Well, unless you're referring to udev (which got absorbed by systemd
though it is more-or-less still separate), I don't think there is
actually a great deal that systemd does that would otherwise be done
in kernel space. Maybe some of the maintenance of CGROUPS, but that
was all done in userspace from the start, as this trend is fairly
established now and it was never done in kernel space.
>> And of course if this is done it is done correctly, and not as some kind
>> of userspace hack on top of an OS to add features that it lacks.
>
> ???
>
I said that because I think your view might be a bit tainted by
previous experiences in Windows/etc. There is a difference between
designing a kernel subsystem to provide a capability but to offload
some of the work to userspace, and trying to layer some kind of
capability into an OS that otherwise lacks it. All this stuff is
designed into linux so that it is robust.
There are pros and cons to microkernels, and of course linux will
probably never turn into a proper microkernel, and I'm not really even
saying it should. However, the fact that stuff is done in userspace
doesn't mean that it needs to be done to a lower standard, or that it
is inherently less secure. In fact, it is generally MORE secure in
the sense that problems get contained.
And Windows has gotten a lot better on these fronts as well. I'm sure
anybody who plays games on windows will have noticed that video card
drivers can be updated without a reboot, or even logging out. This is
because there is actually more isolation for these drivers in Windows,
and the OS can completely restart the video driver without really
affecting everything else that is running, despite the fact that
windows is even more GUI-centric than X11/linux/etc. Windows isn't a
microkernel either, but it does have some isolation features that are
a bit more robust than on Linux. (It would not surprise me if Linux
contained better isolation in other areas - a lot of this comes down
to xorg-server being unable to detach itself from a display - if you
could have X11 detach from the display (while still serving clients),
have the kernel remove and reload the video module, and then have X11
re-attach, that would accomplish something similar to how Windows does
this.)
In any case, this is all academic, as there are no plans to move
netfilter to userspace.
--
Rich
* Re: [gentoo-user] [OT] Best *SIMPLE* firewall?
2018-02-28 23:40 ` [gentoo-user] " Grant Taylor
@ 2018-03-04 0:55 ` Walter Dnes
2018-03-04 1:15 ` Grant Taylor
2018-03-04 1:22 ` Tom H
0 siblings, 2 replies; 34+ messages in thread
From: Walter Dnes @ 2018-03-04 0:55 UTC (permalink / raw
To: gentoo-user
On Wed, Feb 28, 2018 at 04:40:37PM -0700, Grant Taylor wrote
> On 02/28/2018 02:15 PM, Walter Dnes wrote:
> > Is there something besides iptables?
>
> nftables
Assuming I just want filtering, could I emerge nftables and unmerge
iptables and have a functional firewall?
--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications
* Re: [gentoo-user] [OT] Best *SIMPLE* firewall?
2018-03-02 1:48 ` [gentoo-user] " Walter Dnes
2018-03-02 2:45 ` Rich Freeman
@ 2018-03-04 1:10 ` Tom H
1 sibling, 0 replies; 34+ messages in thread
From: Tom H @ 2018-03-04 1:10 UTC (permalink / raw
To: Gentoo User
On Thu, Mar 1, 2018 at 8:48 PM, Walter Dnes <waltdnes@waltdnes.org> wrote:
> On Thu, Mar 01, 2018 at 12:58:44PM -0500, Tom H wrote
>> On Wed, Feb 28, 2018 at 4:15 PM, Walter Dnes <waltdnes@waltdnes.org> wrote:
>>>
>>> Is there something besides iptables? It seems to be like
>>> systemd/perl/python, continuously expanding its scope. And no, I'm not
>>> looking for an "easy-peasy front-end gui" that'll probably pull in 90%
>>> of QT as dependancies. I fondly remember IPCHAINS.
>>
>> iptables doesn't depend on systemd, perl, or python.
>
> It has become an all-in-one router/packet-mangler/firewall/QOS/etc
> when I simply want a firewall. The required kernel entries have
> increased simply for the firewall functionality.
Why should you care that iptables has many features that you might not
use? There's at most one program on your system for which you use
every single feature.
* Re: [gentoo-user] [OT] Best *SIMPLE* firewall?
2018-03-04 0:55 ` Walter Dnes
@ 2018-03-04 1:15 ` Grant Taylor
2018-03-04 1:22 ` Tom H
1 sibling, 0 replies; 34+ messages in thread
From: Grant Taylor @ 2018-03-04 1:15 UTC (permalink / raw
To: gentoo-user
On 03/03/2018 05:55 PM, Walter Dnes wrote:
> Assuming I just want filtering, could I emerge nftables and unmerge
> iptables and have a functional firewall?
Simplistically, yes.
It's my understanding that iptables and nftables are two completely
different firewalling technologies. So you will need to either write or
find something to manage nftables for you.
Is there a reason not to stick with simple iptables without anything
fancy to manage it?
--
Grant. . . .
unix || die
* Re: [gentoo-user] [OT] Best *SIMPLE* firewall?
2018-03-04 0:55 ` Walter Dnes
2018-03-04 1:15 ` Grant Taylor
@ 2018-03-04 1:22 ` Tom H
1 sibling, 0 replies; 34+ messages in thread
From: Tom H @ 2018-03-04 1:22 UTC (permalink / raw
To: Gentoo User
On Sat, Mar 3, 2018 at 7:55 PM, Walter Dnes <waltdnes@waltdnes.org> wrote:
> On Wed, Feb 28, 2018 at 04:40:37PM -0700, Grant Taylor wrote
>> On 02/28/2018 02:15 PM, Walter Dnes wrote:
>>>
>>> Is there something besides iptables?
>>
>> nftables
>
> Assuming I just want filtering, could I emerge nftables and unmerge
> iptables and have a functional firewall?
nftables is a replacement for iptables. It's not less featureful.
https://wiki.nftables.org/wiki-nftables/index.php/Why_nftables%3F
[ You'll have to learn a new runtime and config-file syntax ]
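Mick's "simple hand-made scripts" earlier in the thread and Tom H's note that nftables means learning a new syntax are two sides of the same job. The script below is an added example, not code from this thread or from the iptables/nftables projects: it emits one minimal default-deny host policy in iptables-restore syntax and in nftables syntax so the two can be compared line by line. The policy itself (loopback, conntrack established/related, drop INVALID, ping, a list of TCP service ports, no forwarding) and the file names in the usage comment are assumptions chosen for illustration; the script never touches the kernel, it only prints rule files for review.

```shell
#!/bin/sh
# Added example, not code from the thread or from the iptables/nftables
# projects. Emits one minimal host-firewall policy in iptables-restore
# syntax and in nftables syntax so the two can be compared side by side.
# Nothing here touches the kernel: review the output, then load it with
# `iptables-restore < rules.v4` or `nft -f rules.nft`.
#
# Policy (chosen for illustration): default-deny inbound, allow loopback,
# allow replies to connections this host started, drop INVALID conntrack
# state, allow ping, allow the TCP ports given as arguments, no forwarding,
# unrestricted outbound.

# iptables_rules PORT... -> IPv4 ruleset for iptables-restore on stdout.
# (IPv6 needs a separate ip6tables-restore ruleset; not shown here.)
iptables_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf 'COMMIT\n'
}

# nft_rules PORT... -> dual-stack ruleset for `nft -f` on stdout. The inet
# family covers IPv4 and IPv6 in one table; only ICMP needs both variants,
# and IPv6 will not work at all without the neighbour-discovery types.
nft_rules() {
    ports=""
    for port in "$@"; do
        ports="${ports:+$ports, }$port"
    done
    cat <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
EOF
    if [ -n "$ports" ]; then
        printf '        tcp dport { %s } ct state new accept\n' "$ports"
    fi
    cat <<'EOF'
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Stand-alone use:  sh fw-rules.sh iptables 22 80 > rules.v4
#                   sh fw-rules.sh nft 22 80      > rules.nft
case "${1:-}" in
    iptables) shift; iptables_rules "$@" ;;
    nft)      shift; nft_rules "$@" ;;
esac
```

Both loaders replace the whole ruleset atomically (`nft -c -f rules.nft` and `iptables-restore --test < rules.v4` parse without committing, which is worth doing first). That atomicity is the practical reason to generate a file rather than run `iptables -P INPUT DROP` followed by a series of `iptables -A` commands over SSH: between the policy change and the ESTABLISHED,RELATED rule your own session's packets are dropped. Note also that the iptables file is IPv4 only, while the inet table in the nft file covers both address families, which is one of the concrete differences behind "you'll have to learn a new syntax".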
Thread overview: 34+ messages
2018-02-28 21:15 [gentoo-user] [SUSPECTED SPAM] [OT] Best *SIMPLE* firewall? Walter Dnes
2018-02-28 21:28 ` Jorge Almeida
2018-02-28 22:58 ` [gentoo-user] " Ian Zimmerman
2018-02-28 23:22 ` Taiidan
2018-02-28 23:35 ` Grant Edwards
2018-03-01 18:22 ` Tom H
2018-02-28 23:47 ` Grant Taylor
2018-02-28 23:54 ` Grant Taylor
2018-03-01 0:26 ` Rich Freeman
2018-03-01 3:27 ` mad.scientist.at.large
2018-03-01 10:09 ` Wols Lists
2018-03-01 18:07 ` Tom H
2018-02-28 23:11 ` [gentoo-user] [okey..] [OT] " Nils Freydank
2018-02-28 23:57 ` Dale
2018-03-01 3:01 ` Walter Dnes
2018-03-01 9:57 ` Peter Humphrey
2018-03-01 9:56 ` Peter Humphrey
2018-03-01 10:12 ` Wols Lists
2018-03-01 19:31 ` Grant Taylor
2018-02-28 23:40 ` [gentoo-user] " Grant Taylor
2018-03-04 0:55 ` Walter Dnes
2018-03-04 1:15 ` Grant Taylor
2018-03-04 1:22 ` Tom H
2018-02-28 23:48 ` [gentoo-user] [SUSPECTED SPAM] " Heiko Baums
2018-03-01 8:32 ` [gentoo-user] " Alberto Luaces
2018-03-01 17:58 ` [gentoo-user] " Tom H
2018-03-01 18:20 ` Mick
2018-03-02 1:48 ` [gentoo-user] " Walter Dnes
2018-03-02 2:45 ` Rich Freeman
2018-03-02 11:42 ` Heiko Baums
2018-03-02 12:08 ` Rich Freeman
2018-03-02 23:34 ` Grant Taylor
2018-03-03 0:28 ` Rich Freeman
2018-03-04 1:10 ` Tom H