Image via Wikipedia

The developers behind a Linux distribution known as Fedora have been working on a new type of firewall system known as Dynamic Firewall.  Since Fedora 15, users could install Dynamic Firewall.  It’s kind of a disappointment for me to see the latest Fedora 16 isn’t yet shipped with the Dynamic Firewall.  Nonetheless, as how Fedora 15 was, users can still install Dynamic Firewall with Fedora 16.

For your information, Fedora 16 isn’t enabling any firewall by default.  Yes, Fedora 16 is still shipping with the traditional IPTables firewall system.  The question is, why users want to use Fedora’s Dynamic Firewall over the traditional IPTables type of firewall?  It’s because Dynamic Firewall is somewhat smarter.

I’d made a video which shows you how to disable the traditional firewall, enable the Dynamic Firewall, and how to revert back to the traditional firewall from Dynamic Firewall.  The video also points out why and how Dynamic Firewall is smarter than the traditional firewall (i.e., IPTables).  You can check out the video right after the break.

Related articles

• Fedora 16 released (h-online.com)
• Disabling, Enabling, Starting, Stopping, And Restarting Services On Fedora 16 (essayboard.com)
• Fedora launches community knowledge base (h-online.com)
• Users decide Fedora 17 will be ‘Beefy Miracle’ (go.theregister.com)
• Six Good Reasons to Try Fedora 16 (pcworld.com)

Questions:

1. Do you think Norton Internet Security 2011 was a good product?
2. Do you think that you’re going to try out Norton Internet Security 2012?

Please leave your answers in the comment section below this post.  Thank you!

Fortunately, responsible ISPs will definitely roll out newer firmwares to update customers’ routers/gateways so IPV6 will be supported.  In the worse case scenario, customers may have to demand for newer routers/gateways from their ISPs before IPV6 will be enabled in their home/office networks.

Not only the routers/gateways have to be IPV6 enabled, each user’s computer must be configured to support IPV6.  I’d read somewhere that IPV6 will expose all internal devices to the Internet, because IPV6′s IP distribution is more tied to the world than not (i.e., there are countless more IP addresses from IPV6 than IPV4).  To put this in a clearer context for some people, IPV6 forgoes NAT and other private features.  NAT stands for Network Address Translation where it acts as a barrier and correlation between public IP addresses and private network IP addresses (e.g., 192.168.x.x).  This is why people definitely have to learn how to enabling firewall for IPV6 so their devices’ IP addresses won’t be exposed.

Customers who are relying on premium security suites from well known brands might not have to do much for them to have a functioning IPV6 firewall, because newer updates to their security suite software will come with active IPV6 firewall, I guess.  Linux users on the other hand might have to get down and dirty.  I’m not sure if Linux users can clone IPV4′s iptables to protect their IPV6′s network.  The user space application program for IPV6′s Linux kernel firewall has to be ip6tables.  I’m definitely going to look more into how to enable firewall for IPV6 in Linux.

Update:  Apparently, I don’t think it’s hard to enable IPV6 firewall in certain Linux distributions such as Ubuntu 11.04!  As long Uncomplicated Firewall is enabled in such Linux distributions and the users know how to use UFW, then they can easily configure UFW to protect their devices on IPV6 network.  UFW has a graphical version which is known as Gufw, and so it should be a lot easier to use the Gufw than the command line version UFW.  For your information UFW/Gufw is very easy to use, because I’ve tested UFW/Gufw on Ubuntu 11.04.  I’ve found UFW/Gufw to be simple and more intuitive than most Linux’s frontend programs for iptables/ip6tables.

Click here to go to the screenshot’s source!

Come to think of it, dynamic firewall sounds like a firewall that Windows users are familiar with such as Norton 2011′s firewall.  To my knowledge, Norton 2011′s firewall asks users to make decisions base on app by app basis and also base on connection by connection basis.  Anyhow, dynamic firewall is still too new to me, and so I don’t even know what I’m writing on this blog post is having any merit on facts at all.  In fact, I fear what I’m writing here will all be gibberish, because one needs to test out the product first before one can truly know the merits of the product.  Nonetheless, the news is that Fedora 15 won’t use IP tables.

Personally, I think even the firewall means well when it presents to the users with several choices in term of allowing an outgoing connection or incoming connection, it’s still a bad thing for users.  Why?  Some computer users may not know enough about their systems, therefore they may choose the wrong choices.  Choosing the wrong choices can render their systems less secure.  An example would be a user who was presented with choices of allowing or not allowing an incoming connection of an app on his or her system, but for some strange reasons the user didn’t know enough about this specific app and didn’t look on the Internet for additional information on such app and yet he or she had allowed an incoming connection.  In the end, a user’s system was hacked, because it was compromised by a hacker who had deliberately tricked the user to download an app earlier.  This is only one example among many, and yet it has already told us that even with the best firewall, it’s still depending on a user’s decisions/actions most.

Perhaps, a firewall should present users will less choices, and it would be better for users in term of securing their systems.  Even better, allowing expert users to use advance mode, because veteran computer users can make better choices than novice computer users in term of allowing certain connections to be interacted with their systems.  Advance mode of such firewall should present to veteran computer users with more choices so they can make sound decisions.  Basic mode of such firewall should present less choices so novice computer users won’t have to choose the wrong choices, consequently improving the overall security of the computers and networks.

What you think about dynamic firewall of Fedora 15?  Do you think that it’s better for a firewall to present users with more choices in term of allowing users to make decisions for incoming and outgoing connections?  Do you think that dynamic firewall is an improvement over IP tables?

Source:  http://www.esecurityplanet.com/news/article.php/3934151/Fedora-15-Boosts-Linux-Security.htm

In this blog post, I won’t go into detail of how to configure your APF firewall since each network is unique and each server is unique.  Each server uses different software, therefore different custom ports are required to be opened.  Instead, I will focus on installing APF firewall, highlighting the important configuration options inside APF’s configuration file, and showing you how to get APF firewall starting on boot/reboot for your Ubuntu system.

You can download APF firewall at here.  After downloading it, go to the location that you have saved the download of APF, and execute the command [tar xvzf yourdownload-package] — make sure you replace yourdownload-package with the APF’s package that you had downloaded earlier.  Change into the APF directory that you had extracted when you executed the command above.  Inside there, execute the command [sh install.sh] without using the square brackets.

Now you can begin to configure your APF firewall.  Just execute the command [vim.tiny /etc/apf/conf.apf].  In conf.apf, you need to read everything so you can change the settings to your liking.  Since each network and server/computer is unique, therefore you must rely on the understanding of your network’s structure in details.  Still, I’m going to highlight some important configuration settings you need to change.

First, if you are ssh into your Ubuntu box remotely, do not change the line that says DEVEL_MODE=”1″ to DEVEL_MODE=”0″ until you have satisfied with the changes you have made to file conf.apf.  Also, don’t leave DEVEL_MODE=”1″ forever there, because it’s only a testing mode which prevents you from being locked out of your Ubuntu server/box in case you have made a wrong modification to the file conf.apf.

Second, on the lines that say IFACE_IN=”eth0″ and IFACE_OUT=”eth0″, make sure you make the right change if you’re using wireless adapter or virtualization network setting.  If you’re using normal Ethernet connection for your Ubuntu server/box, then you can just leave these two lines alone.  Still unsure?  You can do ifconfig inside shell/terminal to pull up all network information.

Third, the line that says IG_TCP_CPORTS= is very important!  Whatever ports you add to this line will allow your Ubuntu server/box to accept incoming connection.  For an example, if you want to make an ssh connection to your Ubuntu server on port 2222 instead of port 22, then you need to remove port 22 and add port 2222 on this line.

Fourth, the line says EFG=”0″, make sure you change this to EFG=”1″ — this line tells APF to filter outgoing connection.  Unless you don’t care about outgoing connection, you must make the change.

Fifth, the line says EG_TCP_CPORTS= is where you want to prescribe which ports are available for outgoing connection on your Ubuntu server/box.  For an example, if you want your Ubuntu server/box to be able to download software through FTP connection, then you must add port 21 to this line.  Another example, if you want your Ubuntu server/box to be able to connect your browser through a standard port 80 so you can browse the Internet, then you must add port 80 to this line.

Everything else, you need to read more so you can customize those other settings to you liking.

After you have done with the modification of conf.apf file, please save it!  It’s now time for you to start your APF firewall and test it to see if your APF firewall is actually blocking and allowing certain ports.

To run or start APF firewall, you need to do [/usr/local/sbin/apf -s].  To restart APF, just do [/usr/local/sbin/apf -r].  When I say you need to do, it means you type whatever inside the square brackets onto your terminal.

Wondering if APF is actually running?  Just do [iptables -L].  If you’re not familiar with IPFilter, then just open up conf.apf, remove a port you want to use, and try to make the connection to see if your software is blocked or not.  Example, remove port 22 for your ssh connection, and then try to ssh into your Ubuntu server/box to see APF is actually blocking you from making a connection on port 22.  Doing the opposite to see if you can ssh into your Ubuntu server/box.

Here comes another important tip!  Usually, this isn’t necessary if you’re running CentOS or Fedora or RedHat, but on Ubuntu, you must edit the file /etc/rc.local by doing [vim.tiny /etc/rc.local], and add the line [sh -c "/etc/apf/apf -s" &] above the line that says [exit 0].  Don’t use the square brackets!  Save the file /etc/rc.local and then reboot.  So what is this procedure for?  It’s necessary for Ubuntu to start APF firewall on reboot or on fresh boot.  Usually, other Linux OS would use [chkconfig --add apf] and [chkconfig --level 345 apf on], but since Ubuntu doesn’t have chkconfig installed by default, therefore you must modify your /etc/rc.local with the line I mentioned above.  When restarting your Ubuntu server/box, you may see a bunch of gibberish code spitting onto your shell, don’t be alarmed!  Just wait till your shell is stop spitting out code completely, and you can hit the enter key on your keyboard to see the login prompt!  Those gibberish code which spat onto your shell/terminal’s screen notified you that Ubuntu started APF.  Log inside as root and do [iptables -L] to confirm APF indeed is running!