[Firehol-support] Key loggers and others that communicate back to a base

Rick Marshall rjm at zenucom.com
Thu Sep 4 08:06:41 BST 2014


I was going to write a more detailed response later, but going to run out of time. So here is my quick - at present poorly educated - take on this.

First, zones are a Cisco marketing strategy. Differentiation. Red Hat has picked up on it and so I guess will everyone.

Having said that there are some implications - network engineers are now starting to think in terms of zones; firewall products need to take that approach to be accessible by the new gen of network engineers; and there is a subtle realisation that conceptually zones reverse our perception of firewalls from the interfaces to the collections of devices - an important consideration as IoT gets traction.

I think there is room too to make firewall definition easier by extending the concept of zones so that interfaces and devices can take part in several zones. I haven’t thought this through properly, but I think a zone characterised by an interface, ports, src and dst subnets and IPs, and routing between zones as well as interfaces, is kind of what I think the future will be.

A long-term concept that integrates DHCP so that it can hand out a zone as well would be awesome.

In the meantime I know I can do most if not all of this with firehol (and in fact I probably do) - it’s just fitting the current buzzwords to the current functions.

Rick Marshall
Technical Director 
Zenucom Pty Ltd
0411 287 530		http://www.zenucom.com 
Help Desk | 1300 752 172
PO Box 1465, Port Macquarie NSW 2444

On 4 Sep 2014, at 4:22 pm, Phil Whineray <phil at sanewall.org> wrote:

> On Wed, Sep 03, 2014 at 02:23:26PM +0300, Tsaousis, Costa wrote:
>> On Wed, Sep 3, 2014 at 4:09 AM, Rick Marshall <rjm at zenucom.com> wrote:
>>> 
>>> One thing I have noticed about firewalld (used in Fedora at least) is that
>>> it now uses “zones”. Many of the commercial firewall devices do this too. I
>>> can sort of see how this helps in that it does give another level of access
>>> control.
>>> 
>>> Are you planning to add an extra command to firehol - zone - to define
>>> zones and their characteristics?
>> 
>> Rick, I think interface and router statements in firehol define zones. In
>> fact firehol is very flexible in this area. Using the 'group with'
>> statement you can have any number of subzones, even subzones within
>> subzones in any depth.
>> 
>> What control would you like to have at the zone level, that firehol does
>> not already provide in interfaces and routers?
> 
> Costa,
> 
> I think that zones are more of a "I am now on a public wireless LAN",
> "I am now on my home WLAN", "I am now on my work LAN" and so my trust
> varies within a single interface kind of thing.
> 
> Rick, firehol scripts can already have conditionals, so provided the
> firewall can be triggered to restart on network change and with the
> appropriate zone passed in, it should already be possible.
> 
> A lightweight alternative where all rules are loaded in netfilter and
> changes to the behaviour happen in response to an external event without
> a restart would be more difficult. Custom actions or something similar
> might be able to help?
>    http://firehol.org/firehol-manual/firehol-action/
> 
> Cheers
> Phil
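Phil's suggestion above (a conditional firehol script restarted on network change with the zone passed in) is sketched below as an added example; it is not code from this thread or from the FireHOL project. It is written as a NetworkManager dispatcher-style hook and assumes the hook is invoked as `<interface> <action>` with the connection name in `CONNECTION_ID`, a FireHOL 2.x config (`version 6`), and the connection names used in the mapping, which are constructed. The point worth noticing is that a firehol config is itself a bash script, so only a fixed, whitelisted zone name may ever be passed into it; a raw SSID or connection name must not.

```shell
#!/bin/sh
# Added example, not code from the thread or from the FireHOL project.
# Derive a trust zone from the active connection, then regenerate and
# restart FireHOL for that zone, so trust varies per network on one NIC.
# Assumptions: called as "<iface> <action>" with CONNECTION_ID set,
# FireHOL 2.x ("version 6"), and constructed connection names below.

# Allowed zones. The firehol config is a bash script, so only these fixed
# names may ever reach it; raw SSIDs or connection names never do.
validate_zone() {
    case "$1" in
        home|work|public) return 0 ;;
        *) return 1 ;;
    esac
}

# Map a connection name to a zone. Unknown networks are treated as public,
# so a new or spoofed network gets the least-trusted rules.
zone_for_connection() {
    case "$1" in
        "Home WLAN")  echo home ;;
        "Office LAN") echo work ;;
        *)            echo public ;;
    esac
}

# Emit the FireHOL config for a zone: one interface statement whose policy
# and accepted services depend on the zone rather than on the NIC.
rules_for_zone() {
    validate_zone "$1" || return 1
    echo 'version 6'
    echo 'interface any lan'
    case "$1" in
        home)
            echo '    policy reject'
            echo '    server "ssh http https" accept'
            ;;
        work)
            echo '    policy reject'
            echo '    server ssh accept'
            ;;
        public)
            echo '    policy drop'
            echo '    protection strong'
            ;;
    esac
    echo '    client all accept'
}

# Write the generated config and restart the firewall. Only runs when the
# hook is invoked for a connection coming up; never writes on a bad zone.
apply_zone() {
    zone=$(zone_for_connection "${CONNECTION_ID:-}")
    rules_for_zone "$zone" > /etc/firehol/firehol.conf || return 1
    firehol restart
}

if [ "${2:-}" = "up" ]; then
    apply_zone
fi
```

Run with no arguments the script only defines the functions, so `rules_for_zone public` can be used to review what a network would get before wiring the hook into the dispatcher directory.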
