1. Eztables: Simple Yet Powerful Firewall Configuration for Linux

    November 16, 2013

    I've created and released Eztables on Github. Anyone who ever has a need to setup a firewall on Linux may be interested in this project.

    It doesn't matter if you need to protect a laptop, server or want to setup a network firewall. Eztables supports it all.

    If you're not afraid to touch the command line and edit a text file, you may be quite pleased with Eztables.

    Go check it out!

  2. Why Filtering DHCP Traffic Is Not Always Possible With Iptables

    December 27, 2010

    When configuring my new firewall using iptables, I noticed something very peculiar. Even if all input, forward and output traffic was dropped, DHCP traffic to and from my DHCP server was not blocked even if there were no rules permitting this traffic.

    I even flushed all rules, put a drop all rule on all chains and only allowed SSH to the box. It did not matter. The DHCP server received the DHCP requests and happily answered back.

    How on earth is this possible? In my opinion, a firewall should block all traffic no matter what.

    But at least I found out the cause of this peculiar behaviour. The ISC DHCP daemon does not use the TCP/UDP/IP stack of the kernel. It uses RAW sockets. Raw sockets bypass the whole netfilter mechanism and thus the firewall.

    So remember: applications using RAW sockets cannot be fire walled by default. Applications need root privileges to use RAW sockets, so RAW sockets thankfully cannot be used by arbitrary unprivileged users on a system, but never the less. Be aware of this issue.

    Please understand that if a serious security vulnerability is found in the ISC DHCP daemon, you cannot protect your daemon with a local firewall on your system. Patching or disabling would then be the only solution.

Page 1 / 1