Linux Firewalls
David Martinjak writes "Linux Firewalls, authored by Michael Rash and published by No Starch Press, covers five main topics: traditional packet filtering with iptables, port scan detection, snort rule translation, port knocking, and log visualization. At first I considered only skimming the chapters regarding iptables packet filtering. I have a good amount of experience with iptables, and have been running it for several years. Thankfully I decided to give the first chapter a good read. Right from the start, the book presented valuable information and pulled me in." Read on for the rest of David's review.
The chapters about iptables packet filtering are crucial for any reader new to networking or firewall administration. Experienced users might pick up a tip or two, as well. Linux Firewalls contained a wealth of knowledge about packet structure in addition to a solid explanation of iptables usage. I was rather impressed by the variety of information presented in the early chapters. The book of course detailed the syntax and logistics of iptables, but also provided detailed examples of attacks at the network, transport, and application layers.
Linux Firewalls
author: Michael Rash
pages: 336
publisher: No Starch Press
rating: 9
reviewer: David Martinjak
ISBN: 1-59327-141-7
summary: Linux Firewalls discusses the technical details of the iptables firewall and the Netfilter framework that are built into the Linux kernel.
Packet filtering was followed by port scan detection. When I first started using GNU/Linux, one application in my toolbox was PortSentry. PortSentry was designed to counteract port scans, and minimized the amount of information that could be discovered from a scan. I lost track of PortSentry for some reason, but was glad to have almost re-discovered it in a new form. PSAD is the Port Scan Attack Detector and was developed by the book's author, Michael Rash, along with contributions from the open source community.
PSAD was created as a lightweight network intrusion detection component. The book explained how PSAD can quickly react to port scans by analyzing iptables log entries, and effectively reduce the surface area exposed to the attacker. The differences between PSAD and PortSentry were also enumerated, which showed several advantages for using PSAD.
Linux Firewalls did a fantastic job of detailing how to install and configure PSAD. This seems to be par for the course with No Starch Press as each book I have read from them was meticulous with regards to installation and configuration specifics. Additionally, the topics of installing and configuring the book's other two main applications, fwsnort and fwknop, were also properly addressed.
I don't want to give away too much of the material in Linux Firewalls; so I will just say that the chapters on fwsnort, fwknop, and log visualization were all on par with the earlier sections of the book. The information did not let up at any point — there were useful examples and details throughout each chapter. Additionally, there was a good amount of consistency with regard to how the chapters progressed, and the type of information that was presented along the way. All together, Linux Firewalls was an impressive read.
There were no real disappointments with this book. The reading did get a bit tedious at times with regard to configuration specifics, but that was only due to the depth of helpful explanation. Had I been working with the applications while reading (instead of just reading), the content would have been much more relevant. In the end, however, the variety resulted in a rather impressive and enjoyable book. The coverage of psad, fwsnort, and fwknop was a welcome addition. Each of the central topics was thoroughly explained in an informative, yet engaging manner. Essentially, I did not want to stop reading.
The netfilter/iptables software is licensed under the GNU General Public License, and can be found at http://netfilter.org. The psad, fwsnort, and fwknop applications are licensed under the GNU General Public License Version 2, and can be downloaded from http://cipherdyne.org.
The publisher hosts a Web page which contains an online copy of the table of contents, portions of reviews, links to purchase the electronic and print versions of the book, and a sample chapter ("Chapter 10: Deploying fwsnort") in PDF format.
David Martinjak is a programmer, GNU/Linux addict, and the director of 2600 in Cincinnati, Ohio. He can be reached at david.martinjak@gmail.com.
You can purchase Linux Firewalls from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
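The review above describes psad reacting to port scans by reading iptables log entries. The following is an added example of that approach, written for this page and not taken from the book or from psad itself: it parses syslog lines written by the iptables LOG target, keeps a sliding window of destination ports per source, assigns a danger level, and emits the kind of block rule an auto-responder would insert. The sample log lines are constructed, and the danger-level thresholds and the block_rule chain are this example's own assumptions, not psad's defaults.

```python
"""Port scan detection from iptables LOG lines, in the style psad works (added example).

Not psad's code. The sample log lines below are constructed, and the danger-level
thresholds are this example's own, not psad's defaults.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

_KV = re.compile(r"\b([A-Z]+)=(\S*)")                          # key=value tokens from the LOG target
_TS = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)")   # syslog timestamp
_TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")
_EPOCH = datetime(1900, 1, 1)                                   # strptime without a year lands in 1900

# distinct ports probed -> danger level (assumed thresholds for this example)
DANGER_LEVELS = ((5, 1), (15, 2), (50, 3), (150, 4), (500, 5))


def parse_log_line(line):
    """Return the fields of one iptables LOG entry, or None for any other syslog line."""
    m = _TS.match(line)
    if not m or " IN=" not in line or " SRC=" not in line:
        return None
    kv = dict(_KV.findall(line))
    ts = (datetime.strptime(m.group(1), "%b %d %H:%M:%S") - _EPOCH).total_seconds()
    # TCP flags are bare words after RES=...; URGP=0 must not be mistaken for URG
    tail = line.split(" RES=", 1)[1] if " RES=" in line else ""
    flags = {f for f in _TCP_FLAGS if re.search(r"\b%s\b" % f, tail)}
    return {
        "ts": ts,
        "src": kv.get("SRC"),
        "dst": kv.get("DST"),
        "proto": kv.get("PROTO"),
        "dpt": int(kv["DPT"]) if kv.get("DPT") else None,
        "flags": flags,
    }


def danger_level(n_ports):
    """Map the number of distinct ports probed to a psad-style danger level 0..5."""
    level = 0
    for threshold, lvl in DANGER_LEVELS:
        if n_ports >= threshold:
            level = lvl
    return level


def detect_scans(lines, window=60, min_ports=5):
    """Flag each (src, dst) that hits >= min_ports distinct ports within `window` seconds.

    Returns {(src, dst): {"ports": set, "first": ts, "last": ts, "level": int}}.
    """
    recent = defaultdict(deque)   # (src, dst) -> sliding window of (ts, dpt)
    alerts = {}
    for line in lines:
        ev = parse_log_line(line)
        if ev is None or ev["dpt"] is None:
            continue
        key = (ev["src"], ev["dst"])
        q = recent[key]
        q.append((ev["ts"], ev["dpt"]))
        while ev["ts"] - q[0][0] > window:   # drop hits older than the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) < min_ports:
            continue
        a = alerts.setdefault(key, {"ports": set(), "first": q[0][0], "last": ev["ts"]})
        a["ports"] |= ports
        a["last"] = ev["ts"]
        a["level"] = danger_level(len(a["ports"]))
    return alerts


def block_rule(src, chain="INPUT"):
    """The kind of rule an auto-blocker inserts for a flagged source (psad's own chain layout may differ)."""
    return f"iptables -I {chain} -s {src} -j DROP"


def _log_line(ts, src, dst, dpt, flags="SYN"):
    """Build one syslog line in the shape the LOG target emits (constructed sample data)."""
    return (f"{ts} fw kernel: [  42.000] DROP IN=eth0 OUT= "
            f"MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC={src} DST={dst} "
            f"LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=40000 "
            f"DPT={dpt} WINDOW=1024 RES=0x00 {flags} URGP=0")


SAMPLE_LOG = (
    # one host sweeping eight ports in eight seconds
    [_log_line(f"Jan  7 10:15:{s:02d}", "203.0.113.5", "192.0.2.10", p)
     for s, p in enumerate((21, 22, 23, 25, 80, 110, 143, 443), start=1)]
    # an ordinary client: two ssh attempts and one web hit
    + [_log_line("Jan  7 10:15:04", "198.51.100.7", "192.0.2.10", 22),
       _log_line("Jan  7 10:15:09", "198.51.100.7", "192.0.2.10", 22),
       _log_line("Jan  7 10:15:30", "198.51.100.7", "192.0.2.10", 80)]
    # an unrelated daemon line that the parser must skip
    + ["Jan  7 10:15:31 fw sshd[2211]: Accepted publickey for ops from 198.51.100.7 port 51000 ssh2"]
)

if __name__ == "__main__":
    for (src, dst), a in detect_scans(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {len(a['ports'])} ports, danger level {a['level']}")
        print("  " + block_rule(src))
```

Run against a real box, the input would be the lines a `-j LOG --log-prefix "DROP "` rule produces in /var/log/kern.log or the journal; the window and min_ports knobs are what keep a legitimate client that touches two or three services from being flagged, and psad's real thresholds and its additional checks (SYN-only probes, signatures) go further than this sketch.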
Re: (Score:3, Informative)
http://www.cse.msu.edu/~minutsil/iptables.html [msu.edu]
Re:iptables (Score:4, Informative)
warning: commands will be executed using
> # put some undo commands here
> # get them right!
> ^D
$ # risky stuff here
then you can use atq and atrm to cancel the undo, assuming you didn't screw up.
Re: (Score:2, Informative)
screen 0
sleep 180 ; {undo stuff here}
screen 1
scary stuff here
Re: (Score:1)
I issued the standard Homerism, "DOH". Why did I do that?
Fortunately we have a KVM/IP device connected to my machine that saved a trip to the data center and two hours of traffic into LA during rush hour.
Re: (Score:1)
The only question is, can anyone top:
/var/www/tmp# rm -rf
that was around the same time.
There's something to be said for the school of hard-knocks way. I'm not yet sure what it is, but someday I'll figure it out.
Kompressor
Re: (Score:2)
I would suggest the time when I visited slashdot for the first time; that was a huge mistake.
Re: (Score:1)
In my case, it recursed, and included .. as matching .*, which went up a directory, matched .., and eventually .. equated to /.
No, that's not quite right...
That's better.
Re: (Score:2)
rm
And yes, I too used to use revert scripts on atd to recover in 5 mins - but I'm so l33t these days...
Re: (Score:2)
OS X lets you drag and drop files onto the terminal and it will automatically insert the file name. It's a nice mix between GUI and command line (rsync -a [drag folder] remotehost:dest)
One day I tried deleting a ton of files doing rm -rf [drag folders]. Problem is I had too many and it truncated the input. I ended up doing a rm -rf or lots of files and
That was fun.
Re: (Score:2)
Another good solution would be to add a cron job to wipe out all the rules every 30 min or so. You get a nice ~25 min to figure out "why the heck I did that" and possibly some time to explain to your boss why that fw isn't yet working. When you've finally got the rules right, remember to remove the cron job or you get more "nice" time to seek out a new job ;)
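The at, screen and cron tricks in this thread all do the same thing: schedule a restore of the old rules, then cancel it once you have proved you can still log in. Here is that dead-man pattern as one Python wrapper around iptables-save and iptables-restore, added as an example for this page (not the book's, psad's or any poster's code). The 120-second default, the rules.v4 file name in the usage line and the fake save/restore callables used for testing are assumptions; iptables-save and iptables-restore are the real tools.

```python
"""Apply an iptables ruleset with a dead-man rollback (added example).

The at/screen/cron trick from the thread done in one process: snapshot the live rules,
load the new ones, and restore the snapshot unless the operator confirms in time.
The 120-second default and the usage file name are assumptions.
"""
import signal
import subprocess
import sys
import threading


def iptables_save():
    """Snapshot the live ruleset in iptables-restore format."""
    return subprocess.run(["iptables-save"], check=True, capture_output=True, text=True).stdout


def iptables_restore(rules_text):
    """Load a full ruleset; iptables-restore replaces the tables in one step."""
    subprocess.run(["iptables-restore"], input=rules_text, check=True, text=True)


class RollbackGuard:
    """Restores a saved ruleset when the timer fires unless confirm() is called first."""

    def __init__(self, saved_rules, timeout, restore=iptables_restore):
        self._saved = saved_rules
        self._restore = restore
        self._lock = threading.Lock()
        self.fired = False
        self.confirmed = False
        self._timer = threading.Timer(timeout, self._fire)
        self._timer.daemon = True   # the timer must not keep a finished process alive

    def start(self):
        self._timer.start()
        return self

    def _fire(self):
        with self._lock:
            if self.confirmed:
                return
            self.fired = True
        self._restore(self._saved)

    def confirm(self):
        """Cancel the rollback; False means it already fired and the old rules are back."""
        with self._lock:
            if self.fired:
                return False
            self.confirmed = True
        self._timer.cancel()
        return True

    def wait(self, timeout=None):
        """Block until the timer thread has finished (fired or cancelled); returns fired."""
        self._timer.join(timeout)
        return self.fired


def apply_with_rollback(new_rules, timeout=120, save=iptables_save, restore=iptables_restore):
    """Snapshot the live rules, load new_rules, and arm the rollback timer.

    The caller must call .confirm() on the returned guard within `timeout` seconds,
    i.e. after proving it can still reach the box, or the snapshot is restored.
    """
    snapshot = save()
    guard = RollbackGuard(snapshot, timeout, restore)
    try:
        restore(new_rules)
    except Exception:
        restore(snapshot)   # the new ruleset did not even load: put the old one back now
        raise
    return guard.start()


if __name__ == "__main__":
    # usage: fw-apply.py rules.v4 [seconds]   (file name and default timeout are assumptions)
    signal.signal(signal.SIGHUP, signal.SIG_IGN)   # survive the SSH session the new rules may cut
    path = sys.argv[1]
    seconds = float(sys.argv[2]) if len(sys.argv) > 2 else 120
    with open(path) as f:
        guard = apply_with_rollback(f.read(), timeout=seconds)
    try:
        input(f"Rules loaded; press Enter within {seconds:.0f}s to keep them: ")
        kept = guard.confirm()
    except EOFError:            # terminal went away: no confirmation, let the timer restore
        guard.wait()
        kept = False
    print("kept" if kept else "timed out: previous rules restored")
```

Ignoring SIGHUP is the part the at and screen versions get for free by running detached: if the new ruleset drops your SSH session, the process that owns the timer must outlive that session, and the EOF on stdin then turns into a wait for the rollback rather than a confirmation. As with the cron variant, confirm only from a fresh login, not from the session that applied the rules.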
Re:iptables (Score:5, Funny)
It's more fun to mess it up on purpose [ex-parrot.com]...
Tm
Re: (Score:2)
Then at least you can ask someone who is at the location to pull the plug and start it back up.
Re: (Score:2)
Sometimes there is no easy solution to prevent yourself from shooting yourself in the foot.
Re: (Score:2)
I call it the Geek equivalent to the walk of shame....gonna have to get up and go reboot it.
Re:OpenBSD PF Firewalls (Score:5, Informative)
I've been using OpenBSD PF [openbsd.org] for years and it is much better than iptables. There is also a nice, up-to-date User's Guide [openbsd.org] available as well.
Re:OpenBSD PF Firewalls for Linux (Score:2, Insightful)
Yeah, when can we get OpenBSD PF on Linux? Seriously.
I've been using PF on FreeBSD and IPF before that. I really think both are a lot simpler to understand than IPTables, which, quite frankly, is a disaster to administer.
Re: (Score:1)
Even though you got modded troll I want to ask you your reasons for thinking OpenBSD is better.
Re:OpenBSD PF Firewalls (Score:4, Insightful)
(somebody had to have ported the thing by now... if not, damn that'd be an idea...)
Re: (Score:1)
I personally think they're both clumsy tools, but that's probably because I've yet to find a simple GUI to work them. Yes, a GUI. I can work simple rules from the command line, but it would be nice to be able to visualize long chains full of jumps.
Re: (Score:2)
Hate to break it to you, but if you want a gui, you should[n't] be involved in the firewall, period.
I take it you've never heard of Checkpoint?
GUI vs. CLI aside, I have no kick against a GUI... I have no personal use for it, but some folks do. A layout showing what rules take priority and showing parent-child relationships sounds kinda cool. Not quite sure how you'd visualize things like NAT, but it would be interesting to find out.
(BTW, I should've qualified my original post with ipf/FreeBSD, not pf/OpenBSD... IIRC they are close enough to be nearly identical in ruleset syntax, yes? )
Re: (Score:2)
So by that logic: MRIs, CT scans, and laparoscopy cameras make a surgeon worthless?
Err, yeah.
Re: (Score:2)
Lifelines [sourceforge.net]
BitTorrent-curses [cyberciti.biz]
:)
Re: (Score:1)
It would have been very nice to see a slashdot review, but for obvious reasons I can not contribute one myself :)
Portsentry a good idea? (Score:4, Interesting)
I've used it where I thought it a good idea in the past, but if knowledge of its existence is apparent to attackers, it becomes a tool for DoS (through spoofing.) Wouldn't a snort+netfilter IPS solution make more sense?
Re: (Score:3, Insightful)
Portsentry was made by Psionic. They were bought out [cisco.com] by Cisco in 2002. So Cisco pretty much hired the main developer and that eventually killed the project. The code was open source but obviously a community never really formed around it other than people wondering what happened to it. I welcome the alternative, PSAD, and am planning to give it a test drive...
--Ajay
Re: (Score:1)
Fireballs?
You were thinking chairs when you said that right?
OMG, Spoiler Alert!!1!! (Score:5, Funny)
The reviewer wrote:
I totally stopped reading right there. Jeez man, don't spoil the technical manual! The suspense is all I read for!
^_^;
Re: (Score:2)
Placing a firewall in the right spot allows you to have some network services remain locally open without having to filter at the service itself based on addys or a netmask (esp. since some can't).
Also, I'm
Re: (Score:2)
You basically want to only open up the ports that you're actively listening on (port 80 on a webserver) for input and block everything else. Also, you want to block outgoing ports for anything that you're not using for output.
In my setup, I block everything going out except for LDAP and mysql, but I restrict those outgoing requests to the addresses of the ldap and mysql serve