5 Jun 2005 11:58
Re: l7-filter
Stephan Hermann <sh <at> sourcecode.de>
2005-06-05 09:58:17 GMT
Hey Ante,

On Sunday 05 June 2005 11:22, Ante Karamatić wrote:
> On Sun, 2005-06-05 at 11:11 +0200, Ante Karamatić wrote:
> > Fabio said patching of kernel is possible if userland tools would
> > be developed. That's why I'm crossposting this, cause I know there
> > are few people interested in creating easy to use firewall on
> > ubuntu-devel.
>

As I said on IRC: A firewall is a concept, not a piece of software; even a "personal firewall" is not only a piece of software.

Regarding the "home user", what he needs is a simple way to manage incoming and outgoing requests. Regarding e.g. the "business user", aka "a company", they need higher levels of security.

The easiest thing to do is to allow or deny applications to have an incoming/outgoing connection. Like MS is doing it with their personal firewall, it's the easiest way to convince the "home user" to use such a tool. Incoming connections accordingly.

To make it straight: The "home user" doesn't know anything about OSI layers, packet filtering or quality of service. He wants to do this: "I want "this P2P Network", please let me use it. Application "P2PX" is this application which handles those connections. Let it go in and out as it wishes".

It means it's enough to play around with OSI layer 3+4 on router basis. For the "home user" there should be a list of applications which are already preconfigured for in- and outgoing ports.

++++++++++++++++++++++++++

Speaking of "business users", it's different. They need "a bit" more control over their network. It means there must be a solution for setting up a detailed, fine granulated solution.

The concept behind a "business solution" is more difficult than for the most common "home user". For a "business solution" you need to go from OSI 1 to OSI 7, in this order. You have to think about MAC filter, packet filter, proxy server and strong authentication for exceptions to special users inside the network.

A really good example is "Securecomputing Sidewinder" as one part of such a concept. Together with "Securecomputing Safeword" and some other software parts, you can deal with a big network infrastructure and most of the things are done.

++++++++++++++++++++++++++

Well, after all, I don't know so much about P2P networks and other "home user" wishes, and all of my text right now is a quick shot. But speaking of "security", it's not easy to find a "good solution". At least, for the "home user" it should be easy and transparent.

Most of the problems regarding "IT security in a home environment" are that the "normal home user" doesn't have any clue what he's doing at the moment he clicks this button or closes this port or filters this application protocol.

Regards,

\sh

--
Stephan Hermann
eMail: sh <at> sourcecode.de
JID: sh <at> linux-server.org
Tel.: +49700sourcecode
Skype: s.hermann
Blog: http://linux.blogweb.de/
