firewall?

John dingo at coco2.arach.net.au
Sun Oct 3 09:50:03 UTC 2004


Stuart Bishop wrote:

> In the XP firewall, when an application wants to open ports a dialog is
> popped up informing the user and allowing them to approve or deny it. In

How does that work if there's no administrator to hand?

> Ubuntu it would even be possible to do this securely, as the logged in
> user is not running with Administrator level privileges which is the
> case on the bulk of XP installs.

I'm not sure that I understand what you mean here.

Informing the administrator when some program tries to make an 
unauthorised connexion to outside, or to listen on an unauthorised port 
for incoming traffic, are fine things to do, though I don't think there 
are tools for the second.

Detecting unauthorised incoming connexion requests requires a firewall 
of some kind, because that's how one can elect to log events such as these:


Oct  3 17:44:09 fw kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= 
SRC=129.59.31.26 DST=220.235.62.70 LEN=48 TOS=0x00 PREC=0xE0 TTL=106 
ID=14822 PROTO=TCP SPT=4655 DPT=1769 WINDOW=64240 RES=0x00 SYN URGP=0
Oct  3 17:44:09 fw kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= 
SRC=129.59.31.26 DST=220.235.62.70 LEN=1341 TOS=0x00 PREC=0xE0 TTL=107 
ID=14821 PROTO=UDP SPT=1763 DPT=1769 LEN=1321
Oct  3 17:44:12 fw kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= 
SRC=129.59.31.26 DST=220.235.62.70 LEN=48 TOS=0x00 PREC=0xE0 TTL=106 
ID=14827 PROTO=TCP SPT=4655 DPT=1769 WINDOW=64240 RES=0x00 SYN URGP=0
Oct  3 17:44:13 fw kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= 
SRC=129.59.31.26 DST=220.235.62.70 LEN=1341 TOS=0x00 PREC=0xE0 TTL=107 
ID=14828 PROTO=UDP SPT=1763 DPT=1769 LEN=1321
Oct  3 17:44:15 fw kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= 
SRC=129.59.31.26 DST=220.235.62.70 LEN=1341 TOS=0x00 PREC=0xE0 TTL=107 
ID=14832 PROTO=UDP SPT=1763 DPT=1769 LEN=1321
Oct  3 17:44:18 fw kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= 
SRC=129.59.31.26 DST=220.235.62.70 LEN=48 TOS=0x00 PREC=0xE0 TTL=106 
ID=14839 PROTO=TCP SPT=4655 DPT=1769 WINDOW=64240 RES=0x00 SYN URGP=0

Note that each three lines above represent one of the log entries I pasted.

Conceivably I could run a script to analyse the log for such messages at 
intervals that seem good to me and produce reports for my inspection.


Or I could install and configure snort.
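A minimal version of the interval script described above, as an added example that is not part of the original post: it rejoins entries that the mailer wrapped across three lines, parses the Shorewall DROP fields, and tallies drops per source, protocol and destination port for inspection. The sample log is constructed from the entries quoted in the post.

```python
import re
from collections import Counter

# Constructed sample: three Shorewall/netfilter entries, each wrapped
# across three lines the way they appear in the post.
SAMPLE_LOG = """\
Oct  3 17:44:09 fw kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC=
SRC=129.59.31.26 DST=220.235.62.70 LEN=48 TOS=0x00 PREC=0xE0 TTL=106
ID=14822 PROTO=TCP SPT=4655 DPT=1769 WINDOW=64240 RES=0x00 SYN URGP=0
Oct  3 17:44:09 fw kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC=
SRC=129.59.31.26 DST=220.235.62.70 LEN=1341 TOS=0x00 PREC=0xE0 TTL=107
ID=14821 PROTO=UDP SPT=1763 DPT=1769 LEN=1321
Oct  3 17:44:12 fw kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC=
SRC=129.59.31.26 DST=220.235.62.70 LEN=48 TOS=0x00 PREC=0xE0 TTL=106
ID=14827 PROTO=TCP SPT=4655 DPT=1769 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# A new entry begins with a syslog timestamp followed by the host and "kernel:".
ENTRY_START = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d \S+ kernel: ")
SHOREWALL = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)")

def unwrap(text):
    """Rejoin log entries that were wrapped onto several lines."""
    entries = []
    for line in text.splitlines():
        if ENTRY_START.match(line):
            entries.append(line.rstrip())
        elif entries:
            entries[-1] += " " + line.strip()
    return entries

def parse_entry(entry):
    """Split one Shorewall line into a dict of KEY=value fields plus bare flags."""
    m = SHOREWALL.search(entry)
    if not m:
        return None
    fields = {"timestamp": entry[:15], "chain": m["chain"], "action": m["action"]}
    flags = []
    for tok in m["rest"].split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields.setdefault(k, v)  # UDP entries carry LEN twice; keep the IP length
        else:
            flags.append(tok)        # bare tokens such as SYN
    fields["flags"] = flags
    return fields

def report(text):
    """Count DROP entries per (source address, protocol, destination port)."""
    counts = Counter()
    for entry in unwrap(text):
        f = parse_entry(entry)
        if f and f["action"] == "DROP":
            counts[(f["SRC"], f["PROTO"], f["DPT"])] += 1
    return counts

if __name__ == "__main__":
    for (src, proto, dpt), n in report(SAMPLE_LOG).most_common():
        print(f"{n:4d} drops  {src} -> {proto}/{dpt}")
```

Pointing it at /var/log/messages (or wherever the kernel log lands) from cron gives the periodic report; unwrapped log files parse the same way since every line then starts a new entry.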
