MAY
3
2002

Guarddog Firewall 2.0 Almost Ready For Release

Guarddog is an easy to use, yet powerful, firewall for Linux machines running KDE 2 or 3. Guarddog isn't just a pretty GUI face thrown over the standard command-line firewalling utilities, it allows you to quickly and easily specify your firewall policy at a high-level, and then takes care of the rest. The first release candidate, version 1.9.15, is out and now needs heavy user testing. Everyone is encouraged to test it on as many weird and wonderful network setups as possible and report their experiences before the final official 2.0 release. The full announcement follows.

After over a year of development, version 2 of Guarddog firewall is nearing
completion. I now wish to invite all in the Linux community to help test
the current development version of Guarddog on as many different network
configurations and with as many varied network clients as possible to help
shake out any bugs. As well as bug reports, I'm also interested in hearing
about which features are successfully being used, so that I can try to
determine what features can be trusted and which not.

Guarddog is a user-friendly firewall configuration utility for Linux designed
for the KDE 2 and KDE 3 desktop environment. Unlike other firewall utilities,
Guarddog takes a goal-oriented approach allowing you to specify on a high-level what it must permitted without having to painfully spell out a list of
rules.

Features:

  • Direct support for over 60 common network protocols.
  • Allows you to divide machines into different 'Zones'. Where each zone can
    have different security policies.
  • Uses Linux's native iptables or ipchains packet filtering faciltities.
  • Paranoid and fail-safe by design.
  • Extensive documentation and tutorials.
  • Published under the GNU GPL.

Guarddog is available at:

http://www.simonzone.com/software/guarddog/

RPMs are available for most popular distributions. Information about testing
and results are available at:


http://www.simonzone.com/software/guarddog/testing.php

Kind regards,

Simon Edwards
Guarddog Developer
simon@simonzone.com

Comments

This app could be a killer app for Linux. Think small Linux boxes acting as user-friendly firewalls. Think power of Linux firewalling with the user-friendliness of Windoze. Hot stuff.


By ac at Fri, 2002/05/03 - 5:00am

This is a great utility -- I'm using it for about a year already. No need to learn the lowlevel details of firewall configuration, that change with every major kernel version ;)

The only thing I'm missing is a better logging configuration. E.g. in the uni network, my logs get spammed quickly by some windows computers trying to assimilate My Computer ;)


By Carsten Pfeiffer at Fri, 2002/05/03 - 5:00am

The most user-friendly firewall app for KDE.
Mainstream users do not need to learn all the cryptic codes at all.
Great work! :-)


By Dog Lover at Fri, 2002/05/03 - 5:00am

I'm just wondering if this is the type of firewall that just blocks incoming traffic or if it also can force network access rules onto specific programs on an app-per-app basis? The latter is just as important in high security environments like military institutions where the "enemy" is not just your average script-kiddie.


By ZoneAlarm user at Fri, 2002/05/03 - 5:00am

I like to know this too. Norton Personal Firewall 2002 also has this feature, and it is very comfortable to be able to control and watch which applications tries to access the Internet.


By stig at Fri, 2002/05/03 - 5:00am

yeap but you're not supposed to have spyware and trojans on your linux box :)

From the screenshot it looks like by default you have to open in and outgoing ports which is a pain compared to good old statefull


By fler at Fri, 2002/05/03 - 5:00am

btw you can block specified apps /pids / users from accessing the network with iptables's owner match support

For ex to prevent mozilla from going anywhere
iptables -A OUTPUT -m owner --cmd-owner mozilla -j DROP

you could of course do it the other way around and block all outgoing traffic by default and allow only specified apps to access the network


By fler at Fri, 2002/05/03 - 5:00am

So a good idea would be to have a program which blocks all outgoing traffic by default, and then prompts you to let programs access the internet or open up a port, like ZoneAlarm. It would be complicated, because it really should prompt in an anogistic fashion, whether your in KDE, gnome, console whatever. Though having a program which prompts you say, only in KDE, and requires editing a text file otherwise would still be handy.

Though is the only way it differenates programs is by their name? Couldn't someone write a trojan named Mozilla and then bypass the rules?


By Ian Monroe at Fri, 2002/05/03 - 5:00am

Yes a zonealarm type system would be nice. Guarddog is a great piece of software, but it is made to work with, ipchains and iptables. This prevents them from getting the most out of iptables. It would be nice if ipchains support is dropped in the future. Though I do not have any spyware problems with linux now, so guarddog is more than adequate for now.


By theorz at Fri, 2002/05/03 - 5:00am

It blocks incoming *and* outgoing traffic. Unfortunately it doesn't work on an app by app basis. Linux doesn't support that kind of security out of the box (yet), and implementing that now would require quite a bit of kernel hacking, and the results wouldn't work easily on stock distros the way Guarddog does now. I believe Linux is getting a more pluggable security architecture in the next kernel series, which should make this kind thing much easier to do.

Also bear in mind that blocking on a per app basis only works for apps running on the same machine as the firewall. i.e. it won't work for packets that didn't originate on the firewall machine.

--
Simon


By Simon Edwards at Fri, 2002/05/03 - 5:00am

:: Linux doesn't support that kind of security out of the box

IIRC, that was one of the advantages of iptables over ipchains, which is why iptables are the new preferred Linux network control method.

--
Evan


By Evan "JabberWok... at Fri, 2002/05/03 - 5:00am

iptables doesn't really let you do per app stuff. The big advantage of iptables over ipchains is the connection tracking features.

Besides, if wanted to block a local application from sending data, the obvious place to do that is on the kernel call level, and not down at the packet level.

--
Simon


By Simon Edwards at Fri, 2002/05/03 - 5:00am

Fler wrote:

btw you can block specified apps /pids / users from accessing the network with iptables's owner match support

For ex to prevent mozilla from going anywhere
iptables -A OUTPUT -m owner --cmd-owner mozilla -j DROP

you could of course do it the other way around and block all outgoing traffic by default and allow only specified apps to access the network

So it looks like you can filter on an app by app basis.


By Dude at Fri, 2002/05/03 - 5:00am

Only if it's running on the same machine though - and you're better having a separate
firewall

Remember ZA is fiction-ware, if you run malware code on windows 98 you are toast
as there's no security model to prevent bypassing ZA. It's only that numerous malware hasn't yet appeared to demonstrate that,
which means you even gain any benefit from ZA yet.

A few things you need to think about if you really want to stop apps connecting to the internet

a) `mv malware mozilla-bin` - you need crypto to prove that mozilla is mozilla and
that it hasn't changed.
b) export LD_LIBRARY_PATH=~/malware-libs / export LD_PRELOAD=~/malware/lib - lets me
use mozilla's access to run my program.
c) ... thousands of others...

If you want to stop an app doing something - and there's a lot more an app might
do than access the network, a bigger problem that you can't really expect a front-end
to packet filtering to solve, look at running it under a chrooted
user-mode-linux environment - give it root then if you like ;o)


By Michael at Sun, 2002/05/05 - 5:00am

Just because you can break in through the window, doesn't mean you shouldn't lock your door. When GRC was talking to Microsoft about the full implementation of TCP/IP in Windows XP Microsoft had a hard time grasping this concept. They argued that because drivers could be installed in current machines giving windows machines raw sockets (and thus ip-spoofing capablity), what could be so bad about giving alll windows machines this by default?

Having ZoneAlarm-like functionality would be nice in Linux because the crackers would have to go through the extra effort to get a program to connect to the internet without user permission. Though your right, checksums would be needed to verify programs or else getting around the firewall would be way to easy.

Ian
http://ian.webhop.org


By Ian M at Mon, 2002/05/06 - 5:00am

This is a good comment.
Zone-alarm is protecting us from "legitimate" software calling out without our knowledge ie spyware.
Further the spyware is only really hostile in the same sense that Mcdonalds is hostile, it's just something you want to keep under control before it does do you harm

This software can only crawl so far up the hostility ladder before the principals will fall foul of anti-hacking laws.
Commercial spyware that renames itself as mozilla to dial out would probably be illegal.

Light protection could be quite effective against spyware.


By Simon at Mon, 2002/05/06 - 5:00am

If you don't trust your applications, you need sandboxing.

Sandboxing, as I hinted above, is more than a 'yes/no' question to
"can program X connect to x.x.x.x on port Y".

By definition, that's a lot of questions to answer for your web browser -
or else you allow your web browser all access on port 80? In which case, what are
you protecting by asking the question?

Perhaps you really want your web browser not to send personal info?

"Protect the info" then seems a better idea than pretending you've secured
the network against information leakage, no?

You have to learn from the mistakes windows software has made,
not copy what they do to try and reach the same unsatisfactory point.


By Michael at Tue, 2002/05/07 - 5:00am

No, simply put, ZA doesn't make anything harder for code running on the
same machine as ZA.

Period.

(I would expand further on the performing moustaches stuff about raw sockets,
but there's plenty of that elsewhere - suffice to say linux tcp/ip has them and
I doubt you'll get far trying to get them removed - certainly not with
cliched statements about doors and windows)


By Michael at Tue, 2002/05/07 - 5:00am

No, you're wrong. You don't need "crypto".

You need the OS to tell you the path to the program that is trying to access the internet, or it to tell you the path to the program that is originally calling the library.

Crypto. Wtf!


By Bloke at Sat, 2005/01/22 - 6:00am

Is it possible to use Guarddog to configure a firewall on a remote machine that doesn't have KDE installed?


By Richard Stellin... at Fri, 2002/05/03 - 5:00am

Guarddog creates a shell script /etc/rc.firewall, that you can easily transfer to another machine and execute there.


By Carsten Pfeiffer at Fri, 2002/05/03 - 5:00am

It would be wonderful if that could be automated with ssh or something!
To make watchdog scp /etc/rc.firewall from the firewall when it starts and scp it back when it is done. And run "ssh firewall /etc/init.d/firewall reload". :)


By Per Wigren at Wed, 2002/05/08 - 5:00am

Does it make sense to have a window manager on a firewall. Won't this open up uneeded ports and have uneeded programs running.


By mark at Fri, 2002/05/03 - 5:00am

You're absolutely right. This is the approach which
smoothwall uses: keep what's running on the firewall to a minimum.

--m--


By Matthew Trump at Fri, 2002/05/03 - 5:00am

Smoothwall is probably higher assurance and less vulnerable than Guarddog. Smoothwall is fine if you can support it yourself. If you can't, then you'll probably run into Richard Morrell or one of his minions. Freshmeat has some choice comments about Smoothwall support...even the paying customers get crapped on, while GPL users are beneath dirt.
http://freshmeat.net/projects/smoothwall/?topic_id=253 (scroll down to messageboard)

If you just need to block portscans and script kiddie attacks, then Guarddog is sufficient for what you need. Simon on the other hand has been very helpful in the give and take with the KDE community. Thanks Simon!


By Josh at Sat, 2002/05/04 - 5:00am

You're missing the point.. This is about having a firewall on a normal desktop workstation. Also, the script that it generates can be used on other machines.


By Christian A Str... at Fri, 2002/05/03 - 5:00am

You could run a firewall along side the window manager to block the extra ports. .. ;-)

--
Simon


By Simon Edwards at Fri, 2002/05/03 - 5:00am

Or you just tell X and kdm/xdm not to listen on a TCP/IP port, and you're just as safe as not running X. The "-nolisten tcp" command line will prevent XFree86 from opening TCP (all communication will be done via UNIX domain sockets instead).


By Chad Kitching at Fri, 2002/05/03 - 5:00am

> and you're just as safe as not running X.

No you aren't.

Precisely because by running applications on the firewall you
risk bugs in those applications compromising that machine.

2 examples

a) Using them to connect to the internet and some untrusted data compromising
the application (consider a bug in, say, konqueror that was exploited
by visiting a site, or a bug in mozilla that was compromised by reading
an email)

b) Having them used by a successful exploit to a normal user account to gain
higher privileges - plenty of old exploits have exercised bugs in XFree to
do this.

Bugs like these on a desktop / firewall using the same machine compounds the
damage - precisely why best practise would recommend running services / applications
off the firewall and running the minimum on the firewall (certainly
not using it at a desktop with all your personal data / passwords etc on it)


By Michael at Tue, 2002/05/07 - 5:00am

Why should it matter? A firewall would block those open ports from usage anyways.If it doesn't, it's not a firewall.

Besides, if you are uncomfortable with this, just copy the guarddog-generated script from your desktop computer to your firewall.


By fault at Mon, 2002/05/06 - 5:00am

This would make for a nice kcontrol module, if anyone is looking for something to work on.


By Pablo Liska at Fri, 2002/05/03 - 5:00am

AMEN I totally agree!
I would also suggest being able have the ability to manually enter port numbers (with a description) for those wacky protocols that 0.5% of people use but since the firewall doesn't have it listed they can't configure.

A KControl module and having everything exposed via DCOP would absolutely rule.


By tzanger at Fri, 2002/05/03 - 5:00am

> I would also suggest being able have the ability to manually enter port
> numbers (with a description) for those wacky protocols that 0.5% of people
> use but since the firewall doesn't have it listed they can't configure.

What about trying it out? This is possible already.


By Carsten Pfeiffer at Sat, 2002/05/04 - 5:00am

ugh, please don't complicate kcontrol even more. It's been far too cluttered for far too long.


By fault at Mon, 2002/05/06 - 5:00am

You mean too functional?

As far as I see it: better to consolidate/organize functions in one place than have hundreds of "uncluttered" programs/files/places that only do one thing.

It would be great if kcontrol did what control panel does in windows, but organized things a bit better, thanks to kparts. Windows 2000 server has this extra section called "computer management" that is like kcontrol (but with less stuff in it and therefore somewhat harder to find and creating more "clutter" -- lots of icons in the admin section of control panel). "Computer Management" includes interfaces for the logical volume manager, the firewal configurator (which btw has a bunch of user-friendly wizards and also allows fine-grained control), user management, etc.

Maybe we should have two kcontrols? one for basic stuff and one for things like this? I think its better to have it in one "place" (not really one place since its just kparts pulling in other progs -- as far as i understand) and just organize things well.


By Pablo Liska at Mon, 2002/05/06 - 5:00am

> I think its better to have it in one "place" (not really one place since its
> just kparts pulling in other progs -- as far as i understand) and just organize > things well.

Yeah, but it's not better that you decide where we want things.
It's better if we can configure something to put arbitrary things in one place, or not, as we see fit.


By Michael at Tue, 2002/05/07 - 5:00am

this program is a wannabe "firestarter" ...keep on believing that kde rocks, and keep on being "OwN3d" by trolltech bitches.


By joe99 at Sat, 2002/05/04 - 5:00am

> ...keep on believing that kde rocks,

Hmm, keep on dreaming that there'll be anything else that's decent for linux in
next .. hmm, let's say for another 2 or 3 years. So far, i'm gonna stick with the
best there is - KDE3.

> and keep on being "OwN3d" by trolltech bitches.

Interesting point. If you own a VCR you're "OwN3d" by the company that made it ?
Never thought of it that way ;)


By foo at Sat, 2002/05/04 - 5:00am

joe99 is a wannabe "troll" ...keep on believing that you troll well, and keep on being "OwN3d" by real trolling bitches.


By uh at Mon, 2002/05/06 - 5:00am

I had really hard time getting IP Masquerading/Forwarding to work to share my cable modem connection through my Linux box also to my Windows computer. I have no intent in learning to understand what that what I did to accomplish that really means and how it works, but I'd really like to do the same using a simple GUI-based tool.

So is it possible to use Guarddog to create not only firewall, but also IP Forw/Masq-rules?


By R2D3 at Mon, 2002/05/06 - 5:00am

The same guy who does GuardDog has a little app called GuideDog that does this for you.


By Anonymous at Mon, 2002/05/13 - 5:00am

It is possible. I have a Network of Window Computers running off my Linux RH 7.2 machine (2.4 kernel, so using iptables). I also have an ADSL connection (via Verizon). To do the masquerading I used Guidedog. There are a couple other things to do which I would be happy to share with you. Just email me if you are still interested and if my set-up sounds similar to yours.


By Ted at Thu, 2002/05/23 - 5:00am

It is possible. I have a Network of Window Computers running off my Linux RH 7.2 machine (2.4 kernel, so using iptables). I also have an ADSL connection (via Verizon). To do the masquerading I used Guidedog. There are a couple other things to do which I would be happy to share with you. Just email me if you are still interested and if my set-up sounds similar to yours.


By Ted at Thu, 2002/05/23 - 5:00am

I am trying to get guidedog to work with teh guarddog firewall. The firewall works well on my Fedora core 1 box, but I am unable to get guidedog to work at port forwarding for my windows boxes to work. I have P2P software that use port 2234 and 1124 but when i try starting them, they are not working. Any help will be nice for setting up guidedog to work.


By Rob at Sat, 2004/11/06 - 6:00am