This is a discussion on [NETFILTER] logging application within the Slackware Linux Support forums, part of the Unix Operating Systems category.

Hello everybody,

My pc is behind a hardware router with NAT, but I just want to secure my outbound connections. Any recommendations on which rules I have to focus on?

I was googling for firewall log analyzers, but most aren't that recent anymore and I just want something simple. Any tips?

Thanks in advance,

--Ronny

Ronny Prinse wrote:
> Hello everybody,
>
> My pc is behind a hardware router with NAT, but I just want to secure my
> outbound connections. Any recommendations on which rules I have to focus on?
>
> I was googling for firewall log analyzers, but most aren't that recent
> anymore and I just want something simple. Any tips?
>
> Thanks in advance,
>
> --Ronny

nessus: www.nessus.org
snort: www.snort.org

On 2006-01-05, Ronny Prinse <rprinse@planet.nl> wrote:
> Hello everybody,
>
> My pc is behind a hardware router with NAT, but I just want to secure my
> outbound connections. Any recommendations on which rules I have to focus on?
>
> I was googling for firewall log analyzers, but most aren't that recent
> anymore and I just want something simple. Any tips?

I'm not sure what you're asking here. On one hand, it sounds as if you want to do some filtering of what's leaving your computer/LAN, but then your second paragraph sounds as if you want something like Chris suggested in his reply (snort, et al).

Which is it, or is it both?

RW
--
http://rlworkman.net

Robby Workman wrote:
> On 2006-01-05, Ronny Prinse <rprinse@planet.nl> wrote:
>> Hello everybody,
>>
>> My pc is behind a hardware router with NAT, but I just want to secure my
>> outbound connections. Any recommendations on which rules I have to
>> focus on?
>>
>> I was googling for firewall log analyzers, but most aren't that
>> recent anymore and I just want something simple. Any tips?
>
>
> I'm not sure what you're asking here. On one hand, it sounds as if
> you want to do some filtering of what's leaving your computer/LAN,
> but then your second paragraph sounds as if you want something like
> Chris suggested in his reply (snort, et al).
>
> Which is it, or is it both?
>
> RW
>

I'm sorry if I was unclear. I meant both. It should be considered as 2 questions :P I was looking for a simple log analyser to debug my firewall, which I'm creating to give a little bit of security to my outgoing connections, not a php/mysql/perl/web frontend.

Thanks,

--Ronny

On 2006-01-06, Ronny Prinse <rprinse@planet.nl> wrote:
> Robby Workman wrote:
>
>> On 2006-01-05, Ronny Prinse <rprinse@planet.nl> wrote:
>>> Hello everybody,
>>>
>>> My pc is behind a hardware router with NAT, but I just want to secure my
>>> outbound connections. Any recommendations on which rules I have to
>>> focus on?
>>>
>>> I was googling for firewall log analyzers, but most aren't that
>>> recent anymore and I just want something simple. Any tips?
>>
>>
>> I'm not sure what you're asking here. On one hand, it sounds as if
>> you want to do some filtering of what's leaving your computer/LAN,
>> but then your second paragraph sounds as if you want something like
>> Chris suggested in his reply (snort, et al).
>>
>> Which is it, or is it both?
>>
>
> I'm sorry if I was unclear. I meant both. It should be considered as 2
> questions :P I was looking for a simple log analyser to debug my firewall,
> which I'm creating to give a little bit of security to my outgoing
> connections, not a php/mysql/perl/web frontend.

Well, I'm going to ramble a bit... :-)

If your computer is behind a router which also serves as a firewall, then I wouldn't be too concerned about reading logs. IMHO, packet filtering logs don't have much use except for debugging purposes (and satisfying curiosity about what's getting hit the most).

If I understand you correctly, you want to filter outbound traffic from the box in question using iptables. That's certainly do-able, but I question the benefits of doing so. If you want application-level filtering, you'll need to look into layer 7 filtering (l7) which is available as an add-on to iptables (netfilter patch-o-matic) or a proxy, and proxy will be your best bet, as l7 filtering introduces some serious overhead.

Furthermore, OUTPUT filtering is of limited usefulness anyway unless you have untrusted users on the box, which is a problem in itself, as anyone who gains root access on the box (which is trivial for a local user) can easily disable OUTPUT filtering.

Was I totally off base here?

RW
--
http://rlworkman.net

Robby Workman wrote:
> On 2006-01-06, Ronny Prinse <rprinse@planet.nl> wrote:
>> Robby Workman wrote:
>>
>>> On 2006-01-05, Ronny Prinse <rprinse@planet.nl> wrote:
>>>> Hello everybody,
>>>>
>>>> My pc is behind a hardware router with NAT, but I just want to secure
>>>> my outbound connections. Any recommendations on which rules I have to
>>>> focus on?
>>>>
>>>> I was googling for firewall log analyzers, but most aren't that
>>>> recent anymore and I just want something simple. Any tips?
>>>
>>>
>>> I'm not sure what you're asking here. On one hand, it sounds as if
>>> you want to do some filtering of what's leaving your computer/LAN,
>>> but then your second paragraph sounds as if you want something like
>>> Chris suggested in his reply (snort, et al).
>>>
>>> Which is it, or is it both?
>>>
>>
>> I'm sorry if I was unclear. I meant both. It should be considered as 2
>> questions :P I was looking for a simple log analyser to debug my
>> firewall, which I'm creating to give a little bit of security to my outgoing
>> connections, not a php/mysql/perl/web frontend.
>
>
> Well, I'm going to ramble a bit... :-)
>
> If your computer is behind a router which also serves as a firewall, then I
> wouldn't be too concerned about reading logs. IMHO, packet filtering
> logs don't have much use except for debugging purposes (and satisfying
> curiosity about what's getting hit the most).
>
> If I understand you correctly, you want to filter outbound traffic
> from the box in question using iptables. That's certainly do-able, but
> I question the benefits of doing so. If you want application-level
> filtering, you'll need to look into layer 7 filtering (l7) which is
> available as an add-on to iptables (netfilter patch-o-matic) or a
> proxy, and proxy will be your best bet, as l7 filtering introduces
> some serious overhead.
>
> Furthermore, OUTPUT filtering is of limited usefulness anyway unless
> you have untrusted users on the box, which is a problem in itself, as
> anyone who gains root access on the box (which is trivial for a local
> user) can easily disable OUTPUT filtering.
>
> Was I totally off base here?
>
> RW
>

I think you understood me. I am the only user, as it is my pc, so I have nothing to do with untrusted users. I just wanted to make sure I'm safe behind NAT of the router as I don't know if that is safe enough for normal daily use. I don't want to have a false sense of security. Trojans on my pc for instance can simply make a connection to the outside. Not that it is very likely that my pc is infected with trojans of course :P

I think it's too much overhead to go that far (layer7 filtering).

I really appreciate your help Robby, thank you!

--Ronny
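
Added example, not part of the thread and not any poster's code: a minimal analyser of the kind asked for above, summarising what a `LOG` rule on the OUTPUT chain writes to syslog so that unexpected outbound destinations stand out while debugging rules. The `OUT-DROP: ` prefix, the rule shown in the comment and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed rule producing these lines (the prefix is a made-up label):
#   iptables -A OUTPUT -j LOG --log-prefix "OUT-DROP: "
PREFIX = "OUT-DROP: "
FIELD = re.compile(r"(\w+)=(\S*)")

# Constructed sample: syslog lines in the kernel's netfilter LOG format,
# plus one unrelated line that must be skipped.
SAMPLE = """\
Jan  6 10:15:01 box kernel: OUT-DROP: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TTL=64 ID=4711 DF PROTO=TCP SPT=34567 DPT=6667 WINDOW=5840 SYN URGP=0
Jan  6 10:15:04 box kernel: OUT-DROP: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TTL=64 ID=4712 DF PROTO=TCP SPT=34567 DPT=6667 WINDOW=5840 SYN URGP=0
Jan  6 10:16:10 box sshd[812]: Server listening on 0.0.0.0 port 22.
Jan  6 10:17:22 box kernel: OUT-DROP: IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=71 TTL=64 ID=90 PROTO=UDP SPT=40001 DPT=53 LEN=51
Jan  6 10:18:30 box kernel: OUT-DROP: IN= OUT=eth0 SRC=192.168.1.10 DST=192.0.2.1 LEN=84 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=300 SEQ=1
"""


def parse_line(line):
    """Return the KEY=value fields of one LOG line, or None if it is not ours."""
    _, sep, rest = line.partition(PREFIX)
    if not sep:
        return None
    # Bare flags such as SYN or DF carry no '=' and are ignored here.
    fields = dict(FIELD.findall(rest))
    return fields if "DST" in fields and "PROTO" in fields else None


def summarize(text):
    """Count logged outbound packets per (protocol, destination, port)."""
    hits = Counter()
    for line in text.splitlines():
        fields = parse_line(line)
        if fields:
            # ICMP has no DPT field; record "-" so it still shows up.
            key = (fields["PROTO"], fields["DST"], fields.get("DPT", "-"))
            hits[key] += 1
    return hits


def report(hits):
    """Format the counts, most frequent destination first."""
    return [f"{n:4d}  {proto:<5} {dst}:{port}"
            for (proto, dst, port), n in hits.most_common()]


if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE))))
```

To run it over a real log, pass the file's contents to `summarize()` instead of `SAMPLE`; which file the kernel messages land in depends on the syslog configuration.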