Re: OT - Desktop Linux
- From: Sports Fan <sports@xxxxxxxx>
- Date: Fri, 03 Mar 2006 01:28:29 -0800
In article <du8vhg$5cp$1@xxxxxxxxxxxxxxxxxx>
dim@xxxxxxxxxxxxxxxxxxxxxx (D. Gerasimatos) wrote:
In article <120fk97jp0vnk4b@xxxxxxxxxxxxxxxxxx>,
L.A. Purple <zen@xxxxxxxxxxxx> wrote:
[snip!]
If one is already online, and not logged in as "root,"
That is a very, very bad idea.
Disable remote SSH logins as root, add a user that does not
have root access privileges, and when you need to have root access, su
root.
If you are logged in locally, do not, I repeat, do not use the root
account.
Use another account that you need to add for yourself, su root when
needed.
how is one supposed to allow a new legitimate application through the firewall on
short notice without first going offline, logging in as "root," making
the necessary changes, and restarting the desktop (if required)?
Through iptables?
You don't need to go offline.
Since you are new to Linux, I suggest installing webmin from
http://www.webmin.com , as it will make life easier for you to handle a
few things, iptables included, although that is not enough all by itself
for a firewall.
You have to be root or have access to root.
Log in as any user, su root, type your password when asked.
You can modify the ruleset
and reload the filters. You don't have to go offline or restart the desktop.
Exactly.
And for Linux, there doesn't seem to be any fully-developed
application-based firewall solution. Or is there? (ZoneAlarm for Linux?!)
There's TuxGuardian, but I've never used it.
I haven't used it either.
There is a nice tiny package called APF (Advanced Firewall Policy),
which is very easy to use and uses IPtables with easier scripting.
I highly recommend it.
http://www.rfxnetworks.com/apf.php
Installation tutorial.
http://www.webhostgear.com/61_print.html
They also have a brute force detection package if you are interested.
Is there any way to set up the Netfilter/iptables firewall to allow a
web browser through the firewall for websurfing on port 80, while
simultaneously blocking spyware/trojans from "calling home" on port 80?
No, not as far as I know. On the other hand, how do you expect that
spyware to be installed on your system? Spyware isn't really an issue
under Linux. Don't install software if you don't know what it does.
Trojans and Rootkits are an issue on Linux.
Download, uncompress, compile and run the following.
http://www.chkrootkit.org/
Caution: It may give you some false positives.
What if one is browsing a trusted website, and wants to download
something which requires the browser to communicate on a port which is not
already open in Netfilter/iptables? How does one deal with that quickly
without having to go through a whole bunch of hassle logging in as
"root," etc., and fiddle-fucking around with esoteric iptables scripts?
You don't. It's not much hassle, though.
Use APF.
All you have to do is edit the configuration file, and then restart the
process.
How have you guys configured your Linux firewalls, if I might ask?
Block almost everything inbound and almost nothing outbound.
Block everything except the ports that you need, anything other than
this is suicidal.
If I need to block something outbound then I've already been compromised.
Not necessarily.
Look at the default installation ruleset of industrial strength firewall
software.
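As an added example (not code from anyone in this thread), here is the "modify the ruleset and reload the filters" step and the "block almost everything inbound, almost nothing outbound" policy in one script: a small function emits a complete filter table in iptables-restore syntax, and iptables-restore swaps it in atomically while you stay online. It assumes iptables-restore is installed and that the apply step is run after su root; the port list is a constructed sample.

```shell
#!/bin/sh
# Added example: generate a default-deny inbound ruleset and reload it
# without going offline. Assumes iptables-restore is present and that
# apply_ruleset is run as root (su root, as the thread describes).

# build_ruleset "22 80" prints a filter table in iptables-restore syntax:
#  - unsolicited inbound traffic is dropped by policy
#  - loopback and replies to our own connections are allowed
#  - only the listed TCP ports accept new inbound connections
#  - outbound stays open (the thread's "almost nothing outbound")
build_ruleset() {
    ports="$1"
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for p in $ports; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    echo 'COMMIT'
}

# apply_ruleset FILE loads the whole table in one step; iptables-restore
# replaces the old rules atomically, so established sessions (including
# the one you are working from) are never dropped mid-reload.
apply_ruleset() {
    iptables-restore < "$1"
}

# Typical use when a new service must be reachable on short notice:
# regenerate with the extra port, then reload. No reboot, no logout.
#   build_ruleset "22 80 8080" > /etc/iptables.rules   # constructed path
#   apply_ruleset /etc/iptables.rules
```

The same file is what you edit the next time a port is needed, so the change is one line in the port list and one iptables-restore call.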