From: Rainer Z. <Use...@zo...> - 2005-05-31 19:01:02
ja...@gu... 30.05.05 23:33 >>
>> What Zonealarm does is somehow "know" what _program_ sent out the
>> packets. It doesn't matter what port or protocol.
>> How can Windows tell that "This program is trying to access the
>> Internet"?
>>
>> How can Windows have this ability and Linux not?

Because Linux users are not brain dead and don't believe in voodoo?

>> ZA also somehow knows that a program is "asking for server rights"
>> but I'm not sure what that means - I _never_ say yes <g>.

That's been blocked under Unix for generations. Everyone who wanted to open a "server port" below 1024 had to be "root". So there was no need for something like ZA. But under Windows, every user is "root", because the gigantic user-rights management Microsoft invented was too complicated for Microsoft programmers and users...

>> I'd be happy to work on an iptables module myself if I had an idea
>> how to start. Of course ZA knows but they are probably not telling!

> Box A sends Open 1.2.3.4:80. What does IPCop know of the OS, let
> alone the program that is making the request?
> All it sees is the request.

Why are you so inflexible? IPCop *can* determine the "owner" of an IP connection. There is an RFC protocol for it. 5 years back every mail server did that: "ident". It should not be impossible to teach the identd to add the program name to the user name it returns for the identd request. The identd (running on the client) could easily determine whose program is trying to open that port, or why is that impossible? As iptables on IPCop knows the state of the connection, it could ask back: "Who are you who is trying to open port 25 to IP 123.123.123.123 from port 4567?" only once per connection and not for every packet. So there should be no (big) performance degradation.

<rant about "killer argumenting" removed>

> If the user function was running in IPCop that would be another
> story.
> Really think about cascading firewalls that I run: Box A sends Open
> 1.2.3.4:80 to IPCop 1 that sends Open 1.2.3.4:80 to IPCop 2 that
> sends Open 1.2.3.4:80 to IPCop 3 that sends the request on to the
> internet. So what does IPCop 3 "know" of Box A????

Each IPCop would need an identd too, forwarding the connection info. Why is that so impossible? (Except no one will implement it, but that's another problem.)

> THIS IS NOT A WINDOWS vs LINUX ISSUE.

ACK.

> This is a pure IP issue. Just because a personal firewall
> that sits inside of an OS can see something does not make a
> machine 4 hardware hops later able to see the same thing.

With a PW it can be done very easily. But as I wrote, it is not impossible for an external FW, as it might look at first view. It can't be done so easily.

> Please, if you believe that IPTABLES will do this GO FOR IT!!!
> We will cheer when you are done. I personally expect that will be a
> long long long way off.

We already do user checking with iptables because we have different user classes on one machine. One kind of user is allowed to access the internet, others are not. On the front end (shell) machine iptables checks the owner of the packets (don't ask me how) and an "admin prohibited" ICMP (or similar) is generated if the logged-on user is not allowed to access the internet. If it would help IPCop developers I'll see if I can find documents for that iptables feature.

Rainer

---<=====> Confidential // // <=====>-------------- ocholl, Kiel, Germany ------------
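The ident exchange argued for above, written out as an added example (this is not code from the original post, from IPCop, or from any identd): the firewall side builds the RFC 1413 query for a connection it has just seen, and a minimal identd on the client host answers it from its own socket table, here a constructed /proc/net/tcp excerpt and a constructed uid-to-name map. The ports, the uid 1000 and the user name "rainer" are invented for the illustration; the standard protocol returns a user name, not a program name.

```python
"""Worked RFC 1413 ("ident") exchange between a firewall and a client host.

The firewall sees a new TCP connection client:4567 -> 123.123.123.123:25,
connects to port 113 on the client and asks "4567 , 25".  The identd on the
client looks the socket up in its own table (on Linux: /proc/net/tcp) and
answers with the owning user.  Everything below is constructed sample data;
nothing touches the network.
"""
import re

# Constructed /proc/net/tcp excerpt in the Linux 2.x format.  Columns:
# sl local_address rem_address st tx:rx tr:when retrnsmt uid timeout inode ...
# Addresses are hex; ports in the last four hex digits.
#   0x0071 = 113 : identd's own listening socket (state 0A = LISTEN), uid 0
#   0x11D7 = 4567 -> remote 0x0019 = 25 : established (01), uid 1000
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0071 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 0
   1: 0A00010A:11D7 7B7B7B7B:0019 01 00000000:00000000 00:00000000 00000000  1000        0 5678 1 00000000 20 4 30 10 -1
"""

# Constructed stand-in for the client's /etc/passwd (uid -> login name).
SAMPLE_PASSWD = {0: "root", 1000: "rainer"}

TCP_ESTABLISHED = "01"


def socket_owners(proc_net_tcp: str) -> dict:
    """Map (local_port, remote_port) -> uid for every established TCP socket."""
    owners = {}
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 8:
            continue
        local_port = int(fields[1].split(":")[1], 16)
        remote_port = int(fields[2].split(":")[1], 16)
        if fields[3] != TCP_ESTABLISHED:  # ident only answers for live connections
            continue
        owners[(local_port, remote_port)] = int(fields[7])
    return owners


# RFC 1413 query: "<port-on-server> , <port-on-client>", where "server" is the
# host running identd (the PC) and "client" is the host asking (the firewall).
IDENT_QUERY = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")
IDENT_REPLY = re.compile(
    r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*([^:]*?)\s*(?::\s*(.*?)\s*)?$"
)


def ident_request(port_on_client_host: int, port_on_firewall_side: int) -> bytes:
    """Firewall side: the one line sent to the client host's port 113."""
    return f"{port_on_client_host} , {port_on_firewall_side}\r\n".encode("ascii")


def ident_respond(request: bytes, proc_net_tcp: str, passwd: dict) -> bytes:
    """Client side: what a minimal identd answers for one request line.

    Success is "USERID : <ostype> : <user>"; failures use the RFC 1413 error
    tokens INVALID-PORT (malformed or out-of-range ports) and NO-USER
    (no established socket with that port pair).
    """
    text = request.decode("ascii", errors="replace").rstrip("\r\n")
    m = IDENT_QUERY.match(text)
    if not m:
        # Unparseable line: nothing to echo back, so report a dummy pair.
        return b"0 , 0 : ERROR : INVALID-PORT\r\n"
    sport, cport = int(m.group(1)), int(m.group(2))
    if not (1 <= sport <= 65535 and 1 <= cport <= 65535):
        return f"{sport} , {cport} : ERROR : INVALID-PORT\r\n".encode("ascii")
    uid = socket_owners(proc_net_tcp).get((sport, cport))
    if uid is None or uid not in passwd:
        return f"{sport} , {cport} : ERROR : NO-USER\r\n".encode("ascii")
    return f"{sport} , {cport} : USERID : UNIX : {passwd[uid]}\r\n".encode("ascii")


def parse_ident_reply(reply: bytes):
    """Firewall side: ("USERID", ostype, user), ("ERROR", code, None) or None."""
    text = reply.decode("ascii", errors="replace").rstrip("\r\n")
    m = IDENT_REPLY.match(text)
    if not m:
        return None
    if m.group(3) == "USERID":
        return ("USERID", m.group(4), m.group(5) or "")
    return ("ERROR", m.group(4), None)


def firewall_lookup(port_on_client_host: int, port_on_firewall_side: int,
                    proc_net_tcp: str = SAMPLE_PROC_NET_TCP,
                    passwd: dict = SAMPLE_PASSWD):
    """One complete exchange: build the query, let identd answer, parse the reply.

    The answer is produced entirely by the queried host, so a firewall can log
    it or use it as a hint, but must not treat it as an authenticated identity.
    """
    request = ident_request(port_on_client_host, port_on_firewall_side)
    reply = ident_respond(request, proc_net_tcp, passwd)
    return parse_ident_reply(reply)


if __name__ == "__main__":
    print(firewall_lookup(4567, 25))   # the established SMTP connection, uid 1000
    print(firewall_lookup(4568, 25))   # no such socket
```

The per-user check mentioned for the front-end shell machine is the iptables `owner` match (`-m owner --uid-owner <uid>`, typically paired with `-j REJECT --reject-with icmp-admin-prohibited`); it consults the socket that generated the packet, so it is only available for locally generated traffic in the OUTPUT chain, not for packets a downstream firewall merely forwards, which is why that host would have to ask the originating machine as above.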