📄 securityfocus home infocus a comparison of iptables automation tools.htm
<P class=text>AGT is a C program that parses
configuration files to configure iptables. The
code appears to be in the early stages of
development: some Makefile editing is required to
compile it (no automake support yet). The program
is not well documented, but it comes with sample
configuration files. Here is an excerpt (with
comments removed) from one of them: </P><PRE>-----------------------------------------------------------------------------
NEW | FROM-INT
NEW | RESET
|| FROM-INT | icmp | ACCEPT |||||
|| FROM-INT | tcp | ACCEPT ||||| pop3
|| FROM-INT | tcp | ACCEPT ||||| imap
|| RESET | tcp | REJECT --reject-with tcp-reset |||||
-----------------------------------------------------------------------------
</PRE>
<P class=text>This configuration file format,
combined with the lack of documentation, makes
configuring iptables through AGT a serious
challenge. Despite the helpful comments, the
effort required to understand the structure of
these files is better spent on learning iptables
itself. The program does, however, run out of the
box. </P>
<P class=title><B>Knetfilter </B></P>
<P class=text>Knetfilter is a nice GUI for
configuring iptables. Unfortunately, I was only
able to test knetfilter-1.2.4 (the last release
with KDE1 support), so this description does not
apply to knetfilter-2.2.0 (the latest), which is
said to have many new features. GUI fans will
appreciate how easily it lets them configure rules
for host-based protection; list, save and restore
them; and test them in real time with a few mouse
clicks (the tcpdump network sniffer can be run
from the same panel). It also provides
configuration of NAT and masquerading. Knetfilter
does not appear to be the best way to protect a
dialup workstation, since it requires the local IP
address for configuration (the probe-interface
function only works for the eth0 interface, not
for ppp0). Documentation for the project is not
quite there yet; however, the interface is
intuitive enough to be used without a manual. </P>
<P class=title><B>gShield </B></P>
<P class=text>gShield (a bash shell script) seems
to be the most mature tool in this comparison. It
comes with extensive documentation, has reasonably
intuitive configuration files with many comments
(a sample follows) and allows the setup of NAT. It
handles both dynamic (typically bound to the ppp0
interface) and static (eth0) IP addresses.
</P>
<P class=text>An optional GUI (gShieldConf), which
is still in the early stages of development, can
be obtained from <A
href="http://members.home.com/vhodges/gshieldconf.html"
target=nonlocal>http://members.home.com/vhodges/gshieldconf.html</A>.
However, it seems to be compatible only with the
early (1.x) versions of gShield. </P>
<P class=text>Here is an excerpt from the sample
configuration file, with comments removed: </P><PRE>-----------------------------------------------------------
FW_ROOT="/etc/firewall"
IPTABLES=`which iptables`
LOCALIF="eth0"
DNS="24.31.195.65"
LTIME="20/m"
ALLOW_DHCP_LEASES="YES"
...
-----------------------------------------------------------
</PRE>
<P class=text>gShield runs out of the box with
secure settings and is ideal for users who would
rather not edit configuration files; however, the
author wisely recommends at least reading through
the entire configuration file. The README states
that it "adds tcpwrapper-like functionality for
access to services", which means that to block or
allow a service one need not think in terms of
packets flowing in both directions, but rather in
terms of which client connects to which
server. </P>
<P class=text>Here is a table summarizing the
tools. </P><PRE>---------------------------------------------------------------------------------------------
TOOL                  VERSION  TYPE                      METHOD OF CONF
---------------------------------------------------------------------------------------------
agt                   0.82     C program                 confusing configuration files
knetfilter            1.2.4    GUI (C++, Qt)             GUI
ferm                  0.17     perl script               C-like conf language
gShield               2.0.3    shell script (opt GUI)    configuration files or GUI
MM firewall           2.3.5    shell script              edit script
firewall-iptables.sh           shell script              autogenerated configuration files and edit script
---------------------------------------------------------------------------------------------
</PRE>
<P class=title><B>Conclusion </B></P>
<P class=text>In the opinion of the author, the
idea of a tool that configures a reliable firewall
for either network protection or host protection
(the latter being significantly simpler than the
former) has not yet found its implementation,
particularly one usable by people who do not
understand the technical details of packet
filtering, its Linux implementation and at least
some of the iptables internals. The best way to
configure iptables still seems to be "iptables -N"
(create a new chain), "iptables -A" (append a new
rule to a chain), "iptables -D" (delete a rule
from a chain), etc. (see the man page for more).
In other words, if one can learn to operate some
of the tools described herein successfully, one
can just as easily learn to configure iptables
from the command line. The rest of the tools lack
support for some iptables features (such as NAT)
or use confusing and poorly documented
configuration files. However, I hope that such
tools will be developed in the future, or that the
above tools will mature, as the need for simple
firewall configuration support exists due to the
widespread use of Linux in an insecure Internet
environment. </P>
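<P class=text>As an added example (not code from the article or from any of the tools it reviews), the following POSIX shell script carries the conclusion's approach through: a host-protection rule set built directly with "iptables -N" and "iptables -A". It also shows the "client connects to server" view that the gShield README describes, since one NEW-state rule per service plus a single ESTABLISHED,RELATED rule replaces per-direction packet rules. The interface name eth0, the service list, the 20/m log limit and the log prefix are constructed for illustration, and the script prints the commands instead of running them so the rule set can be reviewed before it is applied. </P>

```sh
#!/bin/sh
# Added example: a minimal host-protection rule set written directly with
# iptables -N / -A. Nothing here is from the article or the tools it reviews.
# The script only prints the commands; pipe its output to a root shell to apply.

IPTABLES="${IPTABLES:-iptables}"   # assumption: iptables is in PATH on the firewall host
WAN_IF="${WAN_IF:-eth0}"           # constructed: the externally reachable interface
LOG_LIMIT="${LOG_LIMIT:-20/m}"     # constructed: rate limit for logging and pings

# base_policy
# Emits the chain creation (-N), default-deny policy and the stateful rules
# every host needs before any per-service rule makes sense. Replies to
# connections we initiated are admitted by the ESTABLISHED,RELATED rule.
base_policy() {
    cat <<EOF
$IPTABLES -N INBOUND
$IPTABLES -F INBOUND
$IPTABLES -P INPUT DROP
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m conntrack --ctstate INVALID -j DROP
$IPTABLES -A INPUT -i $WAN_IF -j INBOUND
$IPTABLES -A INBOUND -p icmp --icmp-type echo-request -m limit --limit $LOG_LIMIT -j ACCEPT
EOF
}

# allow_service PROTO PORT
# Emits the single rule that admits NEW inbound connections to a local service.
# Because replies match the ESTABLISHED rule above, an administrator thinks
# "client -> server", not about packets flowing in both directions.
allow_service() {
    proto=$1
    port=$2
    printf '%s -A INBOUND -i %s -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$IPTABLES" "$WAN_IF" "$proto" "$port"
}

# build_ruleset SERVICE...   (SERVICE is proto/port, e.g. tcp/22)
# Emits the complete command list. Everything not explicitly accepted is
# logged (rate limited) and then dropped by the last two rules.
build_ruleset() {
    base_policy
    for svc in "$@"; do
        allow_service "${svc%/*}" "${svc#*/}"
    done
    printf '%s -A INBOUND -m limit --limit %s -j LOG --log-prefix "INBOUND-DROP: "\n' \
        "$IPTABLES" "$LOG_LIMIT"
    printf '%s -A INBOUND -j DROP\n' "$IPTABLES"
}

# count_accept_rules SERVICE...
# Returns the number of per-service ACCEPT rules in the generated set, which
# is a quick sanity check that every requested service got exactly one rule.
count_accept_rules() {
    build_ruleset "$@" | grep -c -- '--ctstate NEW -j ACCEPT'
}

# Usage: sh host-fw.sh tcp/22 tcp/993 | less   (review), then ... | sudo sh (apply)
if [ $# -gt 0 ]; then
    build_ruleset "$@"
fi
```

The order of the rules in base_policy matters: the ESTABLISHED,RELATED rule sits before the jump to INBOUND, so per-service rules only ever see the first packet of a connection, and the final LOG/DROP pair means that reviewing the kernel log shows exactly what the ruleset refused.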
<P class=text>
<P class=bio>Anton Chuvakin
(http://www.chuvakin.org) is in his final year of
graduate studies at SUNY (State University of New
York) Stony Brook. Upon completing his PhD he
intends to pursue a career in information
security. Linux is one of his hobbies.
</P></TD></TR></TBODY></TABLE></TD>
</TR></TBODY></TABLE></P><!-- Article ends --></TD></TR></TBODY></TABLE></TD>
</TR></TBODY></TABLE>