
Guarddog Firewall 2.0 Almost Ready For Release

Friday, 3 May 2002  |  Sedwards

Guarddog is an easy to use, yet powerful, firewall for Linux machines running KDE 2 or 3. Guarddog isn't just a pretty GUI face thrown over the standard command-line firewalling utilities, it allows you to quickly and easily specify your firewall policy at a high-level, and then takes care of the rest. The first release candidate, version 1.9.15, is out and now needs heavy user testing. Everyone is encouraged to test it on as many weird and wonderful network setups as possible and report their experiences before the final official 2.0 release. The full announcement follows.

After over a year of development, version 2 of Guarddog firewall is nearing completion. I now wish to invite all in the Linux community to help test the current development version of Guarddog on as many different network configurations and with as many varied network clients as possible to help shake out any bugs. As well as bug reports, I'm also interested in hearing about which features are successfully being used, so that I can try to determine what features can be trusted and which not.

Guarddog is a user-friendly firewall configuration utility for Linux designed for the KDE 2 and KDE 3 desktop environments. Unlike other firewall utilities, Guarddog takes a goal-oriented approach, allowing you to specify at a high level what must be permitted without having to painfully spell out a list of rules.

Features:

  • Direct support for over 60 common network protocols.
  • Allows you to divide machines into different 'Zones', where each zone can have different security policies.
  • Uses Linux's native iptables or ipchains packet filtering facilities.
  • Paranoid and fail-safe by design.
  • Extensive documentation and tutorials.
  • Published under the GNU GPL.

Guarddog is available at:

http://www.simonzone.com/software/guarddog/

RPMs are available for most popular distributions. Information about testing and results are available at:

http://www.simonzone.com/software/guarddog/testing.php

Kind regards,

Simon Edwards
Guarddog Developer
simon@simonzone.com

Comments:

a killer app - ac - 2002-05-03

This app could be a killer app for Linux. Think small Linux boxes acting as user-friendly firewalls. Think power of Linux firewalling with the user-friendliness of Windoze. Hot stuff.

excellent! - Carsten Pfeiffer - 2002-05-03

This is a great utility -- I'm using it for about a year already. No need to learn the lowlevel details of firewall configuration, that change with every major kernel version ;) The only thing I'm missing is a better logging configuration. E.g. in the uni network, my logs get spammed quickly by some windows computers trying to assimilate My Computer ;)

I love guard dog - Dog Lover - 2002-05-03

The most user-friendly firewall app for KDE. Mainstream users do not need to learn all the cryptic codes at all. Great work! :-)

Protection against Trojans? - ZoneAlarm user - 2002-05-03

I'm just wondering if this is the type of firewall that just blocks incoming traffic or if it also can force network access rules onto specific programs on an app-per-app basis? The latter is just as important in high security environments like military institutions where the "enemy" is not just your average script-kiddie.

Re: Protection against Trojans? - Stig - 2002-05-03

I like to know this too. Norton Personal Firewall 2002 also has this feature, and it is very comfortable to be able to control and watch which applications tries to access the Internet.

Re: Protection against Trojans? - fler - 2002-05-03

yeap but you're not supposed to have spyware and trojans on your linux box :) From the screenshot it looks like by default you have to open in and outgoing ports which is a pain compared to good old stateful

Re: Protection against Trojans? - fler - 2002-05-03

btw you can block specified apps / pids / users from accessing the network with iptables's owner match support. For ex, to prevent mozilla from going anywhere: iptables -A OUTPUT -m owner --cmd-owner mozilla -j DROP. You could of course do it the other way around and block all outgoing traffic by default and allow only specified apps to access the network.

Re: Protection against Trojans? - Ian Monroe - 2002-05-03

So a good idea would be to have a program which blocks all outgoing traffic by default, and then prompts you to let programs access the internet or open up a port, like ZoneAlarm. It would be complicated, because it really should prompt in an agnostic fashion, whether you're in KDE, gnome, console, whatever. Though having a program which prompts you, say, only in KDE, and requires editing a text file otherwise would still be handy. Though is the only way it differentiates programs by their name? Couldn't someone write a trojan named Mozilla and then bypass the rules?

Re: Protection against Trojans? - theorz - 2002-05-03

Yes, a zonealarm type system would be nice. Guarddog is a great piece of software, but it is made to work with ipchains and iptables. This prevents them from getting the most out of iptables. It would be nice if ipchains support is dropped in the future. Though I do not have any spyware problems with linux now, so guarddog is more than adequate for now.

Re: Protection against Trojans? - Simon Edwards - 2002-05-03

It blocks incoming *and* outgoing traffic. Unfortunately it doesn't work on an app by app basis. Linux doesn't support that kind of security out of the box (yet), and implementing that now would require quite a bit of kernel hacking, and the results wouldn't work easily on stock distros the way Guarddog does now. I believe Linux is getting a more pluggable security architecture in the next kernel series, which should make this kind thing much easier to do. Also bear in mind that blocking on a per app basis only works for apps running on the same machine as the firewall. i.e. it won't work for packets that didn't originate on the firewall machine. -- Simon

Re: Protection against Trojans? - Evan "JabberWokky" E. - 2002-05-03

:: Linux doesn't support that kind of security out of the box IIRC, that was one of the advantages of iptables over ipchains, which is why iptables are the new preferred Linux network control method. -- Evan

Re: Protection against Trojans? - Simon Edwards - 2002-05-03

iptables doesn't really let you do per app stuff. The big advantage of iptables over ipchains is the connection tracking features. Besides, if wanted to block a local application from sending data, the obvious place to do that is on the kernel call level, and not down at the packet level. -- Simon

Re: Protection against Trojans? - Dude - 2002-05-03

Fler wrote: btw you can block specified apps / pids / users from accessing the network with iptables's owner match support. For ex, to prevent mozilla from going anywhere: iptables -A OUTPUT -m owner --cmd-owner mozilla -j DROP. You could of course do it the other way around and block all outgoing traffic by default and allow only specified apps to access the network. So it looks like you can filter on an app by app basis.

Re: Protection against Trojans? - Michael - 2002-05-05

Only if it's running on the same machine though - and you're better having a separate firewall. Remember ZA is fiction-ware: if you run malware code on windows 98 you are toast as there's no security model to prevent bypassing ZA. It's only that numerous malware hasn't yet appeared to demonstrate that, which means you even gain any benefit from ZA yet. A few things you need to think about if you really want to stop apps connecting to the internet: a) `mv malware mozilla-bin` - you need crypto to prove that mozilla is mozilla and that it hasn't changed. b) export LD_LIBRARY_PATH=~/malware-libs / export LD_PRELOAD=~/malware/lib - lets me use mozilla's access to run my program. c) ... thousands of others... If you want to stop an app doing something - and there's a lot more an app might do than access the network, a bigger problem that you can't really expect a front-end to packet filtering to solve - look at running it under a chrooted user-mode-linux environment - give it root then if you like ;o)
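fler's owner-match idea and Michael's objection to it (rename the binary and a name-based rule no longer applies) fit together once the rule keys on something the process cannot choose for itself. The script below is an added example, not Guarddog's or any commenter's code: it builds a default-deny OUTPUT policy on a 2.4-era iptables box and lets only processes running under one dedicated uid (assumed here to be a local user named "browser", which you start the real browser as) leave the machine. Matching on --uid-owner instead of --cmd-owner means `mv malware mozilla-bin` buys nothing, because the credentials, not the name, decide the match; it does nothing against Michael's LD_PRELOAD case, which runs inside the permitted process and is a sandboxing problem, as he says. IPT defaults to `echo iptables` so the rules are printed rather than loaded; set IPT=iptables and run as root to apply them. This is iptables-only (no owner match in ipchains) and, as Simon points out, only covers packets originating on the firewall host itself.

```shell
#!/bin/sh
# Added example (not Guarddog's code): per-uid outbound policy with the
# iptables owner match. Dry run by default; IPT=iptables applies for real.
IPT="${IPT:-echo iptables}"

# Resolve a user name to its numeric uid so the rule keeps working even if
# /etc/passwd is edited; a numeric argument is passed through unchanged.
uid_of() {
    id -u "$1" 2>/dev/null || printf '%s' "$1"
}

# outbound_rules USER [LAN_CIDR]
#   USER     : user (assumed "browser") whose processes may reach the net
#   LAN_CIDR : optional network every process may still talk to, e.g. your
#              local DNS/proxy subnet (constructed, e.g. 192.168.1.0/24)
outbound_rules() {
    uid=$(uid_of "$1")
    lan="$2"

    # Own chain so the script is re-runnable without touching other rules.
    $IPT -N APPOUT 2>/dev/null
    $IPT -F APPOUT
    # Replies on connections that were already allowed (connection tracking).
    $IPT -A APPOUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Loopback traffic never leaves the box.
    $IPT -A APPOUT -o lo -j ACCEPT
    [ -n "$lan" ] && $IPT -A APPOUT -d "$lan" -j ACCEPT
    # The one permitted identity: processes owned by this uid, whatever
    # their binary is called.
    $IPT -A APPOUT -m owner --uid-owner "$uid" -j ACCEPT
    # Log a sample of everything else so unexpected callers show up in syslog,
    # then drop it. This is the "block by default, allow by app" direction.
    $IPT -A APPOUT -m limit --limit 5/min -j LOG --log-prefix "APPOUT drop: "
    $IPT -A APPOUT -j DROP
    # Hook the chain into OUTPUT exactly once.
    $IPT -D OUTPUT -j APPOUT 2>/dev/null
    $IPT -A OUTPUT -j APPOUT
}

# Usage: outbound_rules browser 192.168.1.0/24
if [ "$#" -ge 1 ]; then
    outbound_rules "$@"
fi
```

The log rule is the part worth keeping even if you relax the rest: a dropped-packet line per new offender is how you notice that something other than the browser is trying to phone home.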

Door Locks - Ian M - 2002-05-06

Just because you can break in through the window, doesn't mean you shouldn't lock your door. When GRC was talking to Microsoft about the full implementation of TCP/IP in Windows XP, Microsoft had a hard time grasping this concept. They argued that because drivers could be installed in current machines giving windows machines raw sockets (and thus ip-spoofing capability), what could be so bad about giving all windows machines this by default? Having ZoneAlarm-like functionality would be nice in Linux because the crackers would have to go through the extra effort to get a program to connect to the internet without user permission. Though you're right, checksums would be needed to verify programs or else getting around the firewall would be way too easy. Ian http://ian.webhop.org

Re: Door Locks - Simon - 2002-05-06

This is a good comment. Zone-alarm is protecting us from "legitimate" software calling out without our knowledge, ie spyware. Further, the spyware is only really hostile in the same sense that McDonald's is hostile; it's just something you want to keep under control before it does do you harm. This software can only crawl so far up the hostility ladder before the principals will fall foul of anti-hacking laws. Commercial spyware that renames itself as mozilla to dial out would probably be illegal. Light protection could be quite effective against spyware.

Re: Door Locks - Michael - 2002-05-07

If you don't trust your applications, you need sandboxing. Sandboxing, as I hinted above, is more than a 'yes/no' question to "can program X connect to x.x.x.x on port Y". By definition, that's a lot of questions to answer for your web browser - or else you allow your web browser all access on port 80? In which case, what are you protecting by asking the question? Perhaps you really want your web browser not to send personal info? "Protect the info" then seems a better idea than pretending you've secured the network against information leakage, no? You have to learn from the mistakes windows software has made, not copy what they do to try and reach the same unsatisfactory point.

Re: Door Locks - Michael - 2002-05-07

No, simply put, ZA doesn't make anything harder for code running on the same machine as ZA. Period. (I would expand further on the performing moustaches stuff about raw sockets, but there's plenty of that elsewhere - suffice to say linux tcp/ip has them and I doubt you'll get far trying to get them removed - certainly not with cliched statements about doors and windows)

Re: Protection against Trojans? - Bloke - 2005-01-22

No, you're wrong. You don't need "crypto". You need the OS to tell you the path to the program that is trying to access the internet, or it to tell you the path to the program that is originally calling the library. Crypto. Wtf!

remote machines - Richard Stellingwerff - 2002-05-03

Is it possible to use Guarddog to configure a firewall on a remote machine that doesn't have KDE installed?

Re: remote machines - Carsten Pfeiffer - 2002-05-03

Guarddog creates a shell script /etc/rc.firewall, that you can easily transfer to another machine and execute there.

Re: remote machines - Per Wigren - 2002-05-08

It would be wonderful if that could be automated with ssh or something! To make watchdog scp /etc/rc.firewall from the firewall when it starts and scp it back when it is done, and run "ssh firewall /etc/init.d/firewall reload". :)
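Carsten's point that Guarddog writes a plain shell script (/etc/rc.firewall) and Per's wish to push it over ssh are easy to combine, but pushing a firewall script to a remote box is exactly the operation that can lock you out of that box. The script below is an added example, not Guarddog's code and not something either commenter wrote: it sanity-checks the generated script before shipping it, installs it over scp/ssh, and arms a timed rollback on the remote side that restores the previous rules unless the operator can still reach the host and cancels it. Assumptions: the remote host (placeholder name) runs sshd and you can log in as root with a key; the installed script lives at /etc/rc.firewall as Carsten says; the temporary and backup paths are my own choices.

```shell
#!/bin/sh
# Added example (not Guarddog's code): ship a Guarddog-generated
# /etc/rc.firewall to a headless firewall host with a lock-out safety net.

# Refuse to ship a script that does not parse, or that has no default-deny
# policy in it: a Guarddog script is "fail-safe by design", so a missing
# DROP/DENY policy means the file is not what we think it is.
check_firewall_script() {
    f="$1"
    [ -r "$f" ] || { echo "not readable: $f" >&2; return 1; }
    sh -n "$f" || { echo "syntax error in $f" >&2; return 1; }
    if ! grep -Eq '(-P (INPUT|OUTPUT|FORWARD) DROP|ipchains -P [A-Za-z]+ (DENY|REJECT))' "$f"; then
        echo "no default-deny policy found in $f" >&2
        return 1
    fi
    return 0
}

# Commands run on the remote host: back up the live script, install the new
# one, start a background rollback that fires after GRACE seconds, then load
# the new rules. Generated as text so it can be inspected without ssh.
remote_install_cmd() {
    grace="$1"
    cat <<EOF
set -e
cp /etc/rc.firewall /etc/rc.firewall.bak
mv /tmp/rc.firewall.new /etc/rc.firewall
chmod 700 /etc/rc.firewall
(sleep $grace && cp /etc/rc.firewall.bak /etc/rc.firewall && /etc/rc.firewall) &
echo \$! > /tmp/rc.firewall.rollback.pid
/etc/rc.firewall
EOF
}

# deploy_firewall SCRIPT HOST [GRACE_SECONDS]
deploy_firewall() {
    script="$1"; host="$2"; grace="${3:-120}"
    check_firewall_script "$script" || return 1
    scp "$script" "root@$host:/tmp/rc.firewall.new" || return 1
    remote_install_cmd "$grace" | ssh "root@$host" sh || return 1
    # If the new rules left ssh working we get here in time to disarm the
    # rollback; if they did not, the old rules come back on their own.
    ssh "root@$host" 'kill "$(cat /tmp/rc.firewall.rollback.pid)"' || {
        echo "could not cancel rollback; old rules return in $grace s" >&2
        return 1
    }
    echo "deployed $script to $host"
}

# Usage: deploy_firewall /etc/rc.firewall firewall.example.internal 120
if [ "$#" -ge 2 ]; then
    deploy_firewall "$@"
fi
```

The grace period should be longer than the round trip of the second ssh connection on a slow link; if the cancel arrives late, the worst case is that the previous (known-good) rules are reloaded and you run the deploy again.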

linux junky - Mark - 2002-05-03

Does it make sense to have a window manager on a firewall? Won't this open up unneeded ports and have unneeded programs running?

Re: linux junky - Matthew Trump - 2002-05-03

You're absolutely right. This is the approach which smoothwall (http://www.smoothwall.org) uses: keep what's running on the firewall to a minimum. --m--

Re: linux junky - Josh - 2002-05-04

Smoothwall is probably higher assurance and less vulnerable than Guarddog. Smoothwall is fine if you can support it yourself. If you can't, then you'll probably run into Richard Morrell or one of his minions. Freshmeat has some choice comments about Smoothwall support...even the paying customers get crapped on, while GPL users are beneath dirt. http://freshmeat.net/projects/smoothwall/?topic_id=253 (scroll down to messageboard) If you just need to block portscans and script kiddie attacks, then Guarddog is sufficient for what you need. Simon on the other hand has been very helpful in the give and take with the KDE community. Thanks Simon!

Re: linux junky - Christian A Strømmen [Number1/NumeroUno] - 2002-05-03

You're missing the point.. This is about having a firewall on a normal desktop workstation. Also, the script that it generates can be used on other machines.

Re: linux junky - Simon Edwards - 2002-05-03

You could run a firewall along side the window manager to block the extra ports. .. ;-) -- Simon

Re: linux junky - Chad Kitching - 2002-05-03

Or you just tell X and kdm/xdm not to listen on a TCP/IP port, and you're just as safe as not running X. The "-nolisten tcp" command line will prevent XFree86 from opening TCP (all communication will be done via UNIX domain sockets instead).
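Whether the "-nolisten tcp" setting (and the equivalent for the display manager) actually took effect is something you can check rather than assume. The function below is an added example, not part of Guarddog or Chad's post: it reads listener lines in the format printed by `netstat -ltun` on stdin and reports the sockets an X setup would open, TCP 6000-6063 (displays :0 to :63) and UDP 177 (XDMCP, the protocol xdm/kdm use to serve remote logins). The sample lines in the usage comment are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not Guarddog's code): detect X11 and XDMCP listeners in
# `netstat -ltun` style output. Prints "proto:port" for each match, nothing
# when X and kdm/xdm are confined to UNIX domain sockets.
x_listeners() {
    awk '
    $1 ~ /^(tcp|udp)/ {
        # Local address is column 4; the port is whatever follows the last
        # colon, which also copes with IPv6 forms like ":::6000".
        n = split($4, a, ":")
        port = a[n] + 0
        if ($1 ~ /^tcp/ && port >= 6000 && port <= 6063) print $1 ":" port
        if ($1 ~ /^udp/ && port == 177) print $1 ":" port
    }'
}

# Usage on a live host:
#   netstat -ltun 2>/dev/null | x_listeners
# Constructed sample (not real output) showing one X display and XDMCP open:
#   printf 'tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN\nudp 0 0 0.0.0.0:177 0.0.0.0:*\n' | x_listeners
# prints "tcp:6000" and "udp:177"; an empty result is what you want after
# adding -nolisten tcp to the X server command line and disabling XDMCP.
```

On a system where the port is open, the fix Chad describes is applied in the display manager's server line (the kdm/xdm Xservers file) rather than by the firewall, so that the X server never binds the port in the first place.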

Re: linux junky - Michael - 2002-05-07

> and you're just as safe as not running X. No you aren't. Precisely because by running applications on the firewall you risk bugs in those applications compromising that machine. Two examples: a) Using them to connect to the internet and some untrusted data compromising the application (consider a bug in, say, konqueror that was exploited by visiting a site, or a bug in mozilla that was compromised by reading an email). b) Having them used by a successful exploit to a normal user account to gain higher privileges - plenty of old exploits have exercised bugs in XFree to do this. Bugs like these on a desktop / firewall using the same machine compound the damage - precisely why best practice would recommend running services / applications off the firewall and running the minimum on the firewall (certainly not using it as a desktop with all your personal data / passwords etc on it).

Re: linux junky - fault - 2002-05-06

Why should it matter? A firewall would block those open ports from usage anyways. If it doesn't, it's not a firewall. Besides, if you are uncomfortable with this, just copy the guarddog-generated script from your desktop computer to your firewall.

Kcontrol Module? - Pablo Liska - 2002-05-03

This would make for a nice kcontrol module, if anyone is looking for something to work on.

Re: Kcontrol Module? - tzanger - 2002-05-03

AMEN, I totally agree! I would also suggest being able to manually enter port numbers (with a description) for those wacky protocols that 0.5% of people use but since the firewall doesn't have it listed they can't configure. A KControl module and having everything exposed via DCOP would absolutely rule.

Re: Kcontrol Module? - Carsten Pfeiffer - 2002-05-04

> I would also suggest being able have the ability to manually enter port
> numbers (with a description) for those wacky protocols that 0.5% of people
> use but since the firewall doesn't have it listed they can't configure.

What about trying it out? This is possible already.

Re: Kcontrol Module? - fault - 2002-05-06

ugh, please don't complicate kcontrol even more. It's been far too cluttered for far too long.

Re: Kcontrol Module? - Pablo Liska - 2002-05-06

You mean too functional? As far as I see it: better to consolidate/organize functions in one place than have hundreds of "uncluttered" programs/files/places that only do one thing. It would be great if kcontrol did what control panel does in windows, but organized things a bit better, thanks to kparts. Windows 2000 server has this extra section called "computer management" that is like kcontrol (but with less stuff in it and therefore somewhat harder to find and creating more "clutter" -- lots of icons in the admin section of control panel). "Computer Management" includes interfaces for the logical volume manager, the firewall configurator (which btw has a bunch of user-friendly wizards and also allows fine-grained control), user management, etc. Maybe we should have two kcontrols? One for basic stuff and one for things like this? I think it's better to have it in one "place" (not really one place since it's just kparts pulling in other progs -- as far as I understand) and just organize things well.

Re: Kcontrol Module? - Michael - 2002-05-07

> I think its better to have it in one "place" (not really one place since its
> just kparts pulling in other progs -- as far as i understand) and just organize
> things well.

Yeah, but it's not better that you decide where we want things. It's better if we can configure something to put arbitrary things in one place, or not, as we see fit.

firestarter ownz j00 all - joe99 - 2002-05-04

this program is a wannabe "firestarter" ...keep on believing that kde rocks, and keep on being "OwN3d" by trolltech bitches.

Re: firestarter ownz j00 all - foo - 2002-05-04

> ...keep on believing that kde rocks,

Hmm, keep on dreaming that there'll be anything else that's decent for linux in next .. hmm, let's say for another 2 or 3 years. So far, i'm gonna stick with the best there is - KDE3.

> and keep on being "OwN3d" by trolltech bitches.

Interesting point. If you own a VCR you're "OwN3d" by the company that made it ? Never thought of it that way ;)

Re: firestarter ownz j00 all - uh - 2002-05-06

joe99 is a wannabe "troll" ...keep on believing that you troll well, and keep on being "OwN3d" by real trolling bitches.

IP forwarding? - R2D3 - 2002-05-06

I had a really hard time getting IP Masquerading/Forwarding to work to share my cable modem connection through my Linux box also to my Windows computer. I have no intent in learning to understand what I did to accomplish that really means and how it works, but I'd really like to do the same using a simple GUI-based tool. So is it possible to use Guarddog to create not only firewall, but also IP Forw/Masq rules?

Re: IP forwarding? - Anonymous - 2002-05-13

The same guy who does GuardDog has a little app called GuideDog that does this for you.

Re: IP forwarding? - Ted - 2002-05-23

It is possible. I have a Network of Window Computers running off my Linux RH 7.2 machine (2.4 kernel, so using iptables). I also have an ADSL connection (via Verizon). To do the masquerading I used Guidedog. There are a couple other things to do which I would be happy to share with you. Just email me if you are still interested and if my set-up sounds similar to yours.

Re: IP forwarding? - Rob - 2004-11-06

I am trying to get guidedog to work with the guarddog firewall. The firewall works well on my Fedora core 1 box, but I am unable to get guidedog to work at port forwarding for my windows boxes to work. I have P2P software that use port 2234 and 1124 but when I try starting them, they are not working. Any help will be nice for setting up guidedog to work.