<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">Hi Costa<div><br></div><div>Question.</div><div><br></div><div>We are about to do the engineering so we can support firehol 2 through our networks.</div><div><br></div><div>One thing I have noticed about firewalld (used in Fedora at least) is that it now uses “zones”. Many of the commercial firewall devices do this too. I can sort of see how this helps in that it does give another level of access control.</div><div><br></div><div>Are you planning to add an extra command to firehol - zone - to define zones and their characteristics?</div><div><br><div apple-content-edited="true">
<table> <tbody><tr> <td style="font-size: 9pt; vertical-align: top"> <b>Rick Marshall</b><br> Technical Director <br>Zenucom Pty Ltd<br>0411 287 530</td> <td style="font-size: 9pt; vertical-align: top"> <span class="Apple-style-span" style="color: rgb(0, 113, 228); -webkit-text-decorations-in-effect: underline;"><a href="http://www.zenucom.com">http://www.zenucom.com</a></span> <br>Help Desk | 1300 752 172<br> PO Box 1465, Port Macquarie NSW 2444<br></td></tr></tbody></table> <hr> <div style="font-size: 7pt; color: silver;"> <b>IMPORTANT NOTICE:</b><br> This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.</div>
</div>
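As an added example, not code from any of the posters or from the FireHOL project, here is a FireHOL 2 (version 6) firehol.conf for the setup discussed in the quoted thread below: a two-interface Ubuntu firewall between the home network and the ADSL modem, plain HTTP from the LAN redirected to a local proxy, direct HTTPS allowed only to one fixed address, and everything else from the LAN refused. The interface names, the 192.168.1.0/24 LAN, the proxy port and user, and the bank address are assumptions.

```firehol
# Added example: firehol.conf for the layout Rick describes,
#   {home network} <-> eth0 [Ubuntu firewall] eth1 <-> {ADSL modem}
# Assumed values (not from the thread): eth0/eth1, 192.168.1.0/24,
# squid listening on tcp/3128 as user "proxy", bank address 203.0.113.10.
version 6

home_ips="192.168.1.0/24"
bank_ips="203.0.113.10"   # placeholder for the bank's fixed IP (Whit's case)

# Redirect plain HTTP (tcp/80) coming from the LAN to the local proxy.
# HTTPS is deliberately not redirected: as Costa notes, it cannot be
# intercepted, so browsers must be configured to use the proxy for HTTPS.
transparent_proxy "80" 3128 "proxy root" inface eth0 src "${home_ips}"

# LAN side: the firewall offers DNS/DHCP/SSH and the explicit proxy port.
interface eth0 lan src "${home_ips}"
    policy reject
    server "dns dhcp ssh" accept
    server custom squidproxy tcp/3128 default accept
    client all accept

# ADSL side: the firewall itself (and therefore the proxy) may go out;
# nothing unsolicited is accepted from the modem side.
interface eth1 adsl src not "${UNROUTABLE_IPS}"
    policy drop
    protection strong
    client all accept

# Forwarding LAN -> internet. In a router, "server" means the request
# enters via inface and leaves via outface, i.e. LAN machines as clients.
router lan2adsl inface eth0 outface eth1
    masquerade
    server "dns ntp" accept src "${home_ips}"
    # direct HTTPS only to the fixed bank address; all other web traffic
    # from the LAN has to go through the proxy on the firewall
    server https accept src "${home_ips}" dst "${bank_ips}"
    # anything not matched above (direct HTTP/HTTPS elsewhere, key-logger
    # uploads, etc.) is dropped by FireHOL's default for forwarded traffic
```

A transparent proxy only sees HTTP; what leaves over HTTPS still has to be controlled by the proxy's own ACLs or, as above, by limiting which destinations may be reached directly.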
<br><div><div>On 3 Sep 2014, at 10:04 am, Tsaousis, Costa <<a href="mailto:costa@tsaousis.gr">costa@tsaousis.gr</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div dir="ltr">Also, since in your setup I don't see Windows machines or Linux servers accessible from the internet, I don't really see the risk.<div>Linux does not suffer from malware to the extent the Windows world does. I believe you are OK the way you are now.</div>
<div><br></div><div>Of course, if you just want to learn, Rick's suggestion is perfect...</div><div><br></div><div>Costa</div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Wed, Sep 3, 2014 at 2:46 AM, Rick Marshall <span dir="ltr"><<a href="mailto:rjm@zenucom.com" target="_blank">rjm@zenucom.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">You need to have your main machine act as the firewall, i.e. all traffic is routed to it and then it routes to the modem/router.<div><br></div><div>{home network} <-> {Ubuntu firewall} <-> {ADSL modem}</div>
<div><br></div><div>i.e. the ADSL modem should only work as a switch and the default route for all machines should be via your firewall. Then you can be happy.</div><div><br></div><div>NB: your firewall will work best with 2 interfaces, but this is not essential. The home network can use the ADSL modem as a switch, but again a separate switch would be better.</div>
<div><br><div>
</div><div><div class="h5">
<br><div><div>On 3 Sep 2014, at 9:25 am, Robin <<a href="mailto:rgs@creasehuggett.co.uk" target="_blank">rgs@creasehuggett.co.uk</a>> wrote:</div><br><blockquote type="cite">
<div style="background-color:rgb(255,255,255);font-family:Arial;font-size:19px" bgcolor="#FFFFFF" text="#000000">
My setup is that I have a main desktop Ubuntu machine, and a second
Ubuntu machine that I use as a media center that is attached to my
TV and accesses the internet via the same ADSL router. I also have
a DVR that is directly connected to the router, and that is used to
access videos stored on the main desktop machine. I use rygel as the
DLNA controller. I also use VPN occasionally. Then there is the
suggestion from Costa, which I would like to incorporate into the
setup.<br>
<br>
Has anyone done something similar in Firehol that I could copy or at
least use as a starter or am I being over ambitious in what I would
like to do with Firehol?<br>
<br>
Robin<br>
<br>
<blockquote style="border-left:2px solid #009900;border-right:2px solid #009900;padding:0px 15px 0px 15px;margin:8px 2px;background-color:null;color:null" type="cite"><span style="font-family:sans-serif;font-size:12px;font-weight:normal">
<div>Tsaousis, Costa wrote on 03/09/14
00:04:<br>
</div>
<br>
<br>
</span>
<div dir="ltr">Firehol will do just fine allowing very specific
services from your LAN machines to the internet.
<div>For HTTP/HTTPS I suggest installing a proxy and controlling the
allowed URLs there. So, direct layer 3 HTTP/HTTPS should not
be allowed, only through the proxy. Firehol can also set up a
transparent HTTP proxy for you (but not HTTPS: HTTPS cannot
be intercepted, so the clients will have to be configured to use
the proxy for HTTPS).</div>
<div><br>
</div>
<div>Costa</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Wed, Sep 3, 2014 at 1:35 AM, Whit
Blauvelt <span dir="ltr"><<a href="mailto:whit@transpect.com" target="_blank">whit@transpect.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">To the
degree it can set what types of services you can be a client
of, yes.<br>
But if the key logger or whatever is using an HTTP(S) POST
or GET to send<br>
your data across, and you allow HTTP(S) clients out over the
firewall,<br>
you've still got trouble.<br>
<br>
You could allow only HTTP(S) clients to connect to specific
IPs. For most of<br>
us, that would be a nonstarter. But if you wanted to have a
system that<br>
could only connect to your bank, and your bank's at a fixed
IP, you could<br>
easily do that.<br>
<br>
Whit<br>
<div>
<div><br>
On Tue, Sep 02, 2014 at 08:45:14PM +0100, Robin wrote:<br>
> I feel I need to install a firewall and Ubuntu
comes with a very simple one,<br>
> but I noticed it did not stop outgoing comms, or
provide for a white list,<br>
> dealing with communications going from key
loggers, zombie machines, etc.<br>
> Does firehol help in this regard?<br>
><br>
><br>
<br>
</div>
</div>
> _______________________________________________<br>
> Firehol-support mailing list<br>
> <a href="mailto:Firehol-support@lists.firehol.org" target="_blank">Firehol-support@lists.firehol.org</a><br>
> <a href="http://lists.firehol.org/mailman/listinfo/firehol-support" target="_blank">http://lists.firehol.org/mailman/listinfo/firehol-support</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</blockquote>
</div><br></div></div></div></div></blockquote></div><br></div>
</blockquote></div><br></div></body></html>