iptables script + capabilities

Alexandros Papadopoulos apapadop at cmu.edu
Wed Oct 16 05:49:01 EEST 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 15 October 2002 19:55, Άγγελος Οικονομόπουλος wrote:
> On Wednesday 16 October 2002 02:08, Alexandros Papadopoulos wrote:
> > On Tuesday 15 October 2002 03:50, Άγγελος Οικονομόπουλος wrote:
> > > because the products in question are exactly that: a joke. (I really
> > > can't understand what use a firewall of that kind could be, other than
> > > giving you a false sense of security - teddy bears do that job better.)
> > > If you are nevertheless convinced that you need this feature, nothing
> > > stops you from creating a user "netfilter_immunity", giving it the
> > > executables you want to let through, and adapting the firewall
> > > accordingly.
> >
> > bah, very inflexible solution.
>
> in what way does it restrict you?
>
> > Application level firewalls could work as a distributed firewall (at the
> > application level) behind a packet filtering firewall that sits in front
> > of the whole network.
>
> why would you do that? putting a second, limited, security measure behind
> the pf fw does not increase the security of the network
>
> > > the fact remains, though, that it is the packets that are dangerous,
> > > not the programs, even if the admin in question thinks he can trust
> > > them.
> > >
> > > > GNU-based system's firewalling, and that's why people go and hand
> > > > their money to Cisco?
> > >
> > > yes, because Cisco boxes have this feature, right?
> >
> > No, which is exactly why the reasoning above exists.
>
> what reasoning? that the tiny personal fw (or any application level fw)
> makes sense behind a cisco (or any pf fw)? how do you support that
> ("it's good to have" is not an argument)?

I'm answering everything at once - sorry I was vague before, but I was at an
Apple presentation and seeing stars.

My reasoning is that

- you use iptables / Pix / whatever to protect the network at the packet
filtering level, at point X (say the router)

and

- you put an application level firewall in the style of Tiny on the clients
behind X, which adds the feature that is inevitably missing from the firewall
at X, i.e. it keeps a database of checksums of the applications that are
allowed to perform such-and-such network activities.

So as a whole, we have a network that both does traditional packet filtering
and restricts which applications can generate any traffic at all.

Speaking of *one* standalone machine, my reasoning is that I would like to
have both together, in one application (i.e. a more advanced version of
iptables/netfilter). That way you add an extra layer of security (the hotshot
has to get through the firewall via a well-known protocol, change the database
with the hashes of the executables I have authorized to have network activity,
install trojaned versions of the executables, etc. etc.). Well, whoever has got
that far, I take my hat off to him and hand him my laptop to play with too.
That's a lot of work! :-)

With the above method I assume you rule out a large class of automated
attacks/rootkits etc., because even if you have a trojaned binary on your
system, it is restricted by the application firewall and cannot talk to the
outside world. Yes, yes, I know, you can replace that too if you want, but as
we said, absolute security doesn't exist, security is a process, etc. etc.

-A

-- 
http://www.andrew.cmu.edu/~apapadop/pub_key.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE9rNK8gmAMwQt1gmURAqw6AJ4vU+wMPWv0uXaEVS3VzBXK5IozwwCeL86v
wSSNdUs5r1avlGJvWO1Vdpk=
=8xEg
-----END PGP SIGNATURE-----
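The checksum database the message describes, as an added illustration that is not part of the thread and not code from Tiny, iptables or netfilter: an allowlist records the SHA-256 of each executable the administrator authorizes to generate traffic, and a check denies both an executable that was never authorized and an authorized one whose contents no longer match (the "trojaned version" case). The file names, the JSON layout and the decision rules are constructed assumptions for the example.

```python
# Added example (not from the thread): a toy model of the "application firewall"
# idea discussed above, where a database of checksums records which executables
# an administrator has authorized to generate network traffic.  Everything here
# is an assumption for illustration: the file names, the JSON database layout and
# the decision rules are constructed, not taken from Tiny, iptables or netfilter.
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so a large binary need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(executables):
    """Record the current checksum of each executable the admin authorizes."""
    return {str(Path(p).resolve()): sha256_file(p) for p in executables}


def save_allowlist(allowlist, db_path):
    """Persist the database.  In practice it belongs somewhere the checked
    programs cannot write, otherwise a replaced binary simply rewrites it."""
    Path(db_path).write_text(json.dumps(allowlist, indent=2, sort_keys=True))


def load_allowlist(db_path):
    return json.loads(Path(db_path).read_text())


def check_executable(allowlist, path):
    """Decide whether a program may generate traffic.  Returns (decision, reason).

    Deny on the two failure modes the thread mentions: an executable that was
    never authorized, and an authorized one whose contents no longer match the
    recorded checksum (e.g. replaced by a trojaned version).
    """
    key = str(Path(path).resolve())
    expected = allowlist.get(key)
    if expected is None:
        return "deny", "not in authorized database"
    if sha256_file(path) != expected:
        return "deny", "checksum mismatch: binary changed since authorization"
    return "allow", "checksum matches"


def demo():
    """Constructed scenario: two authorized programs, one later replaced,
    plus a third program that was never authorized."""
    with tempfile.TemporaryDirectory() as workdir:
        base = Path(workdir)
        browser, mailer, stranger = base / "browser", base / "mailer", base / "stranger"
        browser.write_bytes(b"#!/bin/sh\necho browser\n")    # constructed stand-in
        mailer.write_bytes(b"#!/bin/sh\necho mailer\n")      # constructed stand-in
        stranger.write_bytes(b"#!/bin/sh\necho stranger\n")  # never authorized

        db_path = base / "allowed.json"
        save_allowlist(build_allowlist([browser, mailer]), db_path)
        allowlist = load_allowlist(db_path)

        # Simulate the authorized mailer being replaced after the database was built.
        mailer.write_bytes(b"#!/bin/sh\necho not the real mailer\n")

        return {
            name: check_executable(allowlist, base / name)
            for name in ("browser", "mailer", "stranger")
        }


if __name__ == "__main__":
    for name, (decision, reason) in demo().items():
        print(f"{name}: {decision} ({reason})")
```

Running it prints `allow` for the unchanged browser and `deny` for both the replaced mailer and the unknown program. The design point the message itself raises applies here: the check is only as strong as the database, so it has to live where the processes being checked (and anything that compromised them) cannot modify it, and the hashing must happen at the moment the program tries to connect, not once at install time.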




More information about the Linux-greek-users mailing list