[Firehol-support] Key loggers and others that communicate back to a base

Phil Whineray phil at sanewall.org
Thu Sep 4 08:22:42 CEST 2014


On Wed, Sep 03, 2014 at 02:23:26PM +0300, Tsaousis, Costa wrote:
> On Wed, Sep 3, 2014 at 4:09 AM, Rick Marshall <rjm at zenucom.com> wrote:
> >
> > One thing I have noticed about firewalld (used in Fedora at least) is that
> > it now uses “zones”. Many of the commercial firewall devices do this too. I
> > can sort of see how this helps in that it does give another level of access
> > control.
> >
> > Are you planning to add an extra command to firehol - zone - to define
> > zones and their characteristics?
>
> Rick, I think interface and router statements in firehol define zones. In
> fact firehol is very flexible in this area. Using the 'group with'
> statement you can have any number of subzones, even subzones within
> subzones in any depth.
> 
> What control would you like to have at the zone level, that firehol does
> not already provide in interfaces and routers?

Costa,

I think that zones are more of a "I am now on a public wireless LAN",
"I am now on my home WLAN", "I am now on my work LAN" and so my trust
varies within a single interface kind of thing.

Rick, firehol scripts can already have conditionals, so provided the
firewall can be triggered to restart on network change and with the
appropriate zone passed in, it should already be possible.

A lightweight alternative where all rules are loaded in netfilter and
changes in behaviour happen in response to an external event without
a restart would be more difficult. Custom actions or something similar
might be able to help?
    http://firehol.org/firehol-manual/firehol-action/

Cheers
Phil
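The restart-with-a-zone approach Phil describes, as an added example that is not part of the original thread and not FireHOL's own code: firehol.conf is sourced by bash, so a `case` on an exported variable can choose the rule set per zone, and a NetworkManager dispatcher script can set that variable and restart the firewall when a connection comes up or goes down. The connection names, the `FIREHOL_ZONE` variable name and the zone-to-rules mapping are assumptions; the `interface`, `policy`, `protection` and `server`/`client` keywords are FireHOL's, but the stanza is generated by a function here so the selection logic can be checked without firehol installed.

```shell
#!/bin/sh
# Added example, not FireHOL's own code. Picks a trust "zone" from the
# active network connection and restarts FireHOL with that zone exported,
# so a conditional in /etc/firehol/firehol.conf can select the rules.
# Connection names and the FIREHOL_ZONE variable are assumptions.

# Map a NetworkManager connection name (CONNECTION_ID) to a trust zone.
# Anything not listed is treated as untrusted, i.e. "public".
zone_for_connection() {
    case "$1" in
        "Home WLAN")              echo home ;;
        "Corp-Wired"|"Corp-WLAN") echo work ;;
        *)                        echo public ;;
    esac
}

# Emit the firehol.conf interface stanza for one interface in one zone.
# Because firehol.conf is plain bash, this same case statement can sit in
# the config itself reading "$FIREHOL_ZONE"; it is a function here so the
# output can be inspected and tested without running firehol.
rules_for_zone() {
    iface="$1"
    zone="$2"
    printf 'interface %s %s\n' "$iface" "$zone"
    printf '    policy drop\n'
    printf '    protection strong\n'
    case "$zone" in
        home)
            printf '    server "ssh mdns ipp" accept\n'
            printf '    client all accept\n' ;;
        work)
            # only the corporate range (assumed 10.0.0.0/8) may reach sshd
            printf '    server ssh accept src 10.0.0.0/8\n'
            printf '    client all accept\n' ;;
        *)
            # public: expose no inbound services at all
            printf '    client all accept\n' ;;
    esac
}

# NetworkManager dispatcher entry point. Scripts in
# /etc/NetworkManager/dispatcher.d/ are called with the interface as $1
# and the action as $2, with CONNECTION_ID in the environment.
dispatch() {
    iface="$1"
    action="$2"
    case "$action" in
        up|down) ;;
        *) return 0 ;;   # ignore dhcp4-change, hostname, etc.
    esac
    zone=$(zone_for_connection "${CONNECTION_ID:-}")
    if [ "$action" = down ]; then
        zone=public      # fall back to least trust when a link drops
    fi
    # firehol.conf is expected to branch on $FIREHOL_ZONE (assumed name).
    FIREHOL_ZONE="$zone" firehol start
}

# Only act as a dispatcher when invoked with NetworkManager's arguments.
if [ "$#" -ge 2 ]; then
    dispatch "$@"
fi
```

A matching firehol.conf would carry the same `case "$FIREHOL_ZONE"` around its `interface` block and be reloaded by `firehol start`; unknown or unset zones should fall through to the public branch so a missed dispatcher event never widens trust.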

