Saturday, March 10, 2007

Windows firewall ... reloaded.

Somebody noticed that it was a really short post about the Windows Firewall. Yes, it is true, it is a really short post about it because there is nothing to say about it. It is a firewall... but not the smartest of them. For Windows I really recommend a real firewall product. Unfortunately you have to pay for it. If you want security, that's the only way on Windows.
I think the best of all is Avira Premium Security; it is an integrated product that contains a firewall and also a very good antivirus. I think it is the best antivirus for the following reasons:

  • They have the best detection rate (check www.av-comparatives.org and www.virusbtn.com).
  • It is very fast and has a low memory footprint.
  • They have a nice simple interface, without fancy stupid stuff.
  • They have a great response time. (They are usually the first to detect new samples in case of outbreaks.)
  • They have great customer support and feedback.
  • They also have a product for Linux.
  • They have a free version that can be used at home.
  • It is not expensive.
So my opinion is that if you need security you should really buy a complete product that also protects you against viruses.

Tuesday, February 13, 2007

Wednesday, February 7, 2007

What is a firewall? (Non-geek version!)

Somebody asked me what a firewall is. There are a lot of definitions out there for a firewall, but most of them are written by geeks for geeks. So I will try to explain, in a non-geek way, the general idea of what a firewall is.

First, about IPs and stuff. You know that all the computers on the Internet have addresses that look something like 72.14.207.192 (this, for example, is the Blogspot IP address). So an IP address is a number formed from 4 small numbers (each between 0 and 255). There are other notations too, but this one is the most used. Every computer connected to the Internet has a unique one. Sometimes computers don't have their own IP address; imagine that you are staying with your parents, so you don't have your own address but your parents' address. If somebody wants to send you a letter they use your parents' address and write "For Jon" on the envelope, assuming you are the only Jon in the family. These are called private address spaces and are usually 192.168.x.x or 10.x.x.x. Every family can have a Jon, but when you say Jon only your family knows which Jon we are talking about. And you never send letters with just "Jon" as the address; you use the parents' address.

The second element is the port. Every computer has ports (65535 of them). Ports are a kind of label for the type of service being offered. For example, imagine that you have announced in the newspaper that you lost your dog and also that you found a cat. When somebody sends you a letter it will say something like "Regarding your announcement in the paper that you lost your dog: I found it." These are called services, and every one has a port. For example, to get web pages from Blogger your browser connects to the Blogger address on port 80, which means something like "About the pages you are giving out: give me the page of Jon".

If you connect to a different port, for example 25, which is for sending mail, and try the same request, it will mean something like "Please send this email to: Give me the page for Jon", so it doesn't make sense. You have to send the request to the right port.

So now the very fast definition: a firewall is a set of rules that say something like this:

  • If you are from Minnesota, don't ask me about the found cat, because I am in California.
  • If the address on the envelope is just "Jon" and I don't have a Jon in my family, throw it away.
  • If it is from Jon and I am Jon, it can't be from me, so something is wrong with it: throw it away.
So it is kind of like sorting mail before you even open it, based only on the address.

Even more, viruses try to exploit some services. Imagine, for example, that your mother will buy every kitchen item that is promoted. Your father doesn't want to spend all the money on that kind of stuff, so if he sees that a letter is for your mother and says something like "About kitchen items", or is from "Big Kitchen Company", he will throw it away before your mother sees it, protecting her.

Sunday, February 4, 2007

You know it say that the child of a shoemaker don'...


You know they say that the shoemaker's child has no shoes. So it seems that my computer at home didn't have a firewall, even though I am a firewall expert. That's really lame, I know, but yesterday I decided to make the smallest firewall I could and put it there, because I had a lot of packets in my network that didn't belong there. So here is a snippet of what I made: the part for filtering out known viruses.

# Drop, for 60 s, anything from a source that has already tripped one of the rules below.
iptables -A FORWARD -m recent --name virus --rcheck --seconds 60 -j DROP
# MS-RPC / SMB over UDP
iptables -A FORWARD -p udp -m multiport --dports 135,445 -j LOG --log-prefix "FW:DROP:VIR" --log-level 6
iptables -A FORWARD -p udp -m multiport --dports 135,445 -m recent --name virus --set -j DROP
# NetBIOS name, datagram and session services
iptables -A FORWARD -p udp -m udp --dport 137:139 -j LOG --log-prefix "FW:DROP:VIR" --log-level 6
iptables -A FORWARD -p udp -m udp --dport 137:139 -m recent --name virus --set -j DROP
# NetBIOS name-service replies to high ports
iptables -A FORWARD -p udp -m udp --sport 137 --dport 1024:65535 -j LOG --log-prefix "FW:DROP:VIR" --log-level 6
iptables -A FORWARD -p udp -m udp --sport 137 --dport 1024:65535 -m recent --name virus --set -j DROP
# MS-RPC, NetBIOS session and SMB over TCP
iptables -A FORWARD -p tcp -m multiport --dports 135,139,445 -j LOG --log-prefix "FW:DROP:VIR" --log-level 6
iptables -A FORWARD -p tcp -m multiport --dports 135,139,445 -m recent --name virus --set -j DROP
# SSDP / UPnP discovery
iptables -A FORWARD -p udp -m udp --dport 1900 -j LOG --log-prefix "FW:DROP:VIR" --log-level 6
iptables -A FORWARD -p udp -m udp --dport 1900 -m recent --name virus --set -j DROP

This filters out dubious connections and also uses the recent module to ban the offending host for 60 seconds.

The idea is that when a rule is matched, the IP of the host generating the trouble (the source IP) is inserted into a table named virus by the command -m recent --name virus --set.

The first line says to drop all connections from a host that is in the list if 60 seconds have not elapsed since the time of insertion. If the time has elapsed the host is removed from the list. And if it is still causing problems, it starts over again, banning the host.

I also log all packets that cause the banning of an IP, so I get a general idea of what is happening.
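To make the recent-list behaviour concrete, here is an added Python model of the rules above, my own example rather than code from the post, that runs a constructed packet trace through them. The Packet and VirusChain names and the trace are assumptions; the kernel's real list keeps the entry rather than removing it, which the model reflects with a timestamp check.

```python
from dataclasses import dataclass

BAN_SECONDS = 60  # --rcheck --seconds 60 in the first rule
# Destination ports hit by the LOG + "--set" rule pairs above, per protocol.
VIRUS_DPORTS = {"udp": {135, 445, 137, 138, 139, 1900}, "tcp": {135, 139, 445}}

@dataclass
class Packet:
    t: float    # arrival time in seconds (constructed trace below)
    src: str    # source IP, the key the recent list is built on
    proto: str  # "udp" or "tcp"
    sport: int
    dport: int

class VirusChain:
    """Model of the FORWARD rules above: a 'virus' recent list keyed by source IP."""
    def __init__(self):
        self.last_set = {}  # src -> time of the last --set (what --rcheck compares against)
        self.log = []       # lines the LOG rules would emit

    def matches_virus_rule(self, p):
        if p.dport in VIRUS_DPORTS[p.proto]:
            return True
        # the "udp --sport 137 --dport 1024:65535" rule
        return p.proto == "udp" and p.sport == 137 and 1024 <= p.dport <= 65535

    def forward(self, p):
        # Rule 1: drop anything from a host whose last --set is under 60 s old.
        # The kernel keeps the entry; it simply stops matching once 60 s have passed.
        last = self.last_set.get(p.src)
        if last is not None and p.t - last < BAN_SECONDS:
            return "DROP:banned"  # no LOG and no refresh of the timestamp
        # Rules 2..: LOG, then --set the source and DROP.
        if self.matches_virus_rule(p):
            self.log.append(f"FW:DROP:VIR SRC={p.src} PROTO={p.proto.upper()} "
                            f"SPT={p.sport} DPT={p.dport}")
            self.last_set[p.src] = p.t
            return "DROP:virus"
        return "CONTINUE"  # falls through to the rest of the chain

def run_trace():
    """Constructed trace: one noisy host (192.168.1.5) and one clean host (192.168.1.9)."""
    chain = VirusChain()
    trace = [
        Packet(0, "192.168.1.5", "tcp", 3456, 445),   # SMB probe: logged, host banned
        Packet(1, "192.168.1.5", "tcp", 3457, 80),    # web traffic from banned host: dropped
        Packet(30, "192.168.1.5", "tcp", 3458, 135),  # still banned: dropped, NOT logged
        Packet(61, "192.168.1.5", "tcp", 3459, 80),   # ban expired: passes rule 1
        Packet(62, "192.168.1.5", "udp", 137, 5000),  # sport-137 rule: logged, banned again
        Packet(5, "192.168.1.9", "tcp", 4000, 80),    # clean host: never touched
    ]
    return [chain.forward(p) for p in trace], chain.log
```

The trace shows the side effect of putting the --rcheck rule first: a banned host loses all forwarded traffic for the window, including legitimate connections, and only the packet that triggered the ban is logged, so the log shows one line per ban cycle rather than one per dropped packet.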

Wednesday, December 27, 2006

Lame


I have decided that it is too lame to make another iptables tutorial. So I am not going to make it anymore. I will put up some tricks someday. Or maybe not.

Anyway, if you have some questions or need some help with iptables, just drop me a line and I will help you.