Firewall Testing

[frpeter]

Hello,

I am in need of people willing to test a new firewall Its stable and secure. I've been running it for nearly 5 years now. If you are interested, please visit http://tanaya.net/BullDog/

Knowledge of IPTable and IPChains will be of benefit. Programming isn't that important. The software is GPL.

Thank you in advance.

[frpeter]

To clarify my previous post...

Yes BullDog is stable... as far as I can tell. As a programmer in the security field, I know that each update can introduce new bugs or break parts that were working. My goal is not to spam boards but to gather as much knowledge and experience from a wide and diverse group of people with different hardware and different software.

In developing this software, I have become very critical of it as I know many people do depend on it working (properly). Perhaps a bit too critical in my own programming.... But after running non-linux systems for many years and seeing each additional update break a previous update, I'm simply trying to avoid that dilema and make sure to the best of my ability that the people that do depend on it can be assured that it does work.

[Noia]

do I smell a sales ploy?!

[muert0]

Its is covered by the GPL and is FREE and always will be. I encourage and welcome anyone who wants to port and/or provide ideas/code to better this software.

I would like to see this software developed into a new breed of firewall that provides the best of security with ease of use.

This software was developed on Linux v2.2.16-17 and v2.4 with 64 megs to 1 Gig of RAM and supports ipchains and iptables. Bulldog will NOT run on Windows systems.

Doesn't seem like he can really get much out of advertising. Seems like he really does want help.

[Relyt]

I'll take her on the dance floor and see what happens......but

Doesn't seem like he can really get much out of advertising.

Before I download programs, I peruse the sites looking at the professionalism. If it’s missing, then I most likely won’t use any of their programs. With that thought in mind, the following comments are provided for constructive criticism.

His site http://tanaya.net/BullDog/index.shtml is full of typos and grammatical errors. Those alone could indicate a lack of quality in the product. With some folks, attention to detail is more important than the eye candy and the lack thereof could dissuade them from considering the product. (i.e. Its is covered…should be: It is covered…, …system., pen… should be: …system, pen…, I gues that… should be: I guess that…, pathetic exuses of … should be: pathetic excuses of… ) There are more but you get the idea. So what other mistakes are there? (I did enjoy the true rant and the step-by-step instructions!)

It appears that he has spent a lot of time and effort preparing this program and that should be applauded. However…

iptables or ipchains must be installed…

Isn’t Bulldog just a front-end for IP Tables etc., with a nice Canine touch for advertising. It comes wrapped with a lot of bells and whistles into one program, but is it a firewall by it’s own right? It is completely dependent upon already established means of armoring linux boxes. I guess the more important questions could be: Should I call a “Front-End” a “Firewall” and why would I need a front-end program if I am fluent with IP Tables and the other means of armoring a Linux box?

Just some thoughts…

cheers

[IKnowNot]

I guess the Board spamming has been covered, I’ll assume he is more used to mailing lists then a board such as this. I will also assume frpeter is “ Father Peter” that is associated with the program. I'm also glad to see that this thread did not die while I was doing a little research.

I will have to agree with Relyt that this appears to only support Iptables ( and 2.4.x kernels and above ) ; but since it is now in revision 7 the ipchains part may have been taken out ( further adding to Relyt’s comment about the web site ).

Remember, you asked for it. This should be considered constructive criticism.

Documentation is clearly lacking, including a configuration manual. EXAMPLE: You have to read through the web page to know you have to create your own “ bulldog.conf “ file which should be included, albeit only a sample, with the source.
From the file InitFW

for i in 208 209 210 211 212 213 214 215 ; do
for j in 22 23 59 67 68 79 110 111 119 135 136 137 138 139 143 389 445 ; do
$IPT -A Defense -$io eth0 -p tcp -s 63.230.33.$i --sport $j -j DROP
$IPT -A Defense -$io eth0 -p tcp -d 63.230.33.$i --dport $j -j DROP
$IPT -A Defense -$io eth0 -p udp -s 63.230.33.$i --sport $j -j DROP
$IPT -A Defense -$io eth0 -p udp -d 63.230.33.$i --dport $j -j DROP

Nothing tells you to change the IP address here ( the address of the program’s creator ), nor does anything tell you what it does. The “ i “ variable is apparently the addresses of different servers with public addresses behind the firewall which are NATed through the firewall box, the “ j “ variable is apparently service ports to be blocked. This creates a large, large table ( check it out with “ iptables –list –line-numbers “. )

I usually just use something like

# -----Block outgoing network protocols that aren't designed to leave the LAN -----
iptables -A FORWARD -p tcp -i eth0 --dport 135:139 -j DROP
iptables -A FORWARD -p tcp -o eth0 --sport 135:139 -j DROP
iptables -A FORWARD -p udp -i eth0 --dport 135:139 -j DROP
iptables -A FORWARD -p udp -o eth0 --sport 135:139 -j DROP

These need only be repeated for the service ports required, not for every port and every IP address, can be used for blocks of ports as above, and also covers the LAN addresses.

Programming isn't that important.

I am no programer, but I do believe that others here may not agree. The program is two-in-one in that it is not just an Iptables front-end, it also attempts to identify potential attackers and block them.

*** I found it particularly disturbing that after compiling Bulldog eht0 ( the internet facing device ) was placed in promiscious mode! Maybe that is why the /home/dns directory ( where the block list is stored ) needs to be 20 gigs or more!

It appears a lot of time and thought went into this program, but I think the statement that it is “Military Strength “ may be a bit much, though it does use resources like the military, and spawing numerious "children". ( ps -ae )

I repeat: Remember, you asked for it. This should be considered constructive criticism.

[frpeter]

Hello,

I will definately look into correcting the errors... Thank you for bring it to my attention. I send so much time in the code that I do have a tendency overlooking the web page.

My rants are generally knee-jerk haphazzard muses... I'm lucky thay even make sense at times

Yes, indeed BullDog is a front-end or more precisely an IPChains/IPTables manager. Though it is classified as a firewall by web site listings. Its use is best described by the limitations in the kernel, whereby it begins to degrade in performance (effecting the entire system) if there are more than 30,000 rules. BullDog allows a large number of rules and blocks only when a rule is not matched. After a certain time, the rule is removed, thus freeing resources. This allows for smaller block lists and to keep the kernel performance as high as possible. This approach is also the pivot point of its dynamic operations in that I do not have to be as explicit with large groups of IP addresses and
I can match by domain name as well as IP address.

Originally posted here by Relyt
I'll take her on the dance floor and see what happens......but

Before I download programs, I peruse the sites looking at the professionalism. If it?s missing, then I most likely won?t use any of their programs. With that thought in mind, the following comments are provided for constructive criticism.

His site http://tanaya.net/BullDog/index.shtml is full of typos and grammatical errors. Those alone could indicate a lack of quality in the product. With some folks, attention to detail is more important than the eye candy and the lack thereof could dissuade them from considering the product. (i.e. Its is covered?should be: It is covered?, ?system., pen? should be: ?system, pen?, I gues that? should be: I guess that?, pathetic exuses of ? should be: pathetic excuses of? ) There are more but you get the idea. So what other mistakes are there? (I did enjoy the true rant and the step-by-step instructions!)

It appears that he has spent a lot of time and effort preparing this program and that should be applauded. However?

Isn?t Bulldog just a front-end for IP Tables etc., with a nice Canine touch for advertising. It comes wrapped with a lot of bells and whistles into one program, but is it a firewall by it?s own right? It is completely dependent upon already established means of armoring linux boxes. I guess the more important questions could be: Should I call a ?Front-End? a ?Firewall? and why would I need a front-end program if I am fluent with IP Tables and the other means of armoring a Linux box?

Just some thoughts?

cheers

[frpeter]

Hello,

fr does mean father. Yes indeed I did ask and thank you.

It still does support IPChains as well. I use a script called BlockIP that call IPChains/IPTables or even a not yet/different method for access control.

Documentation has been one of my most difficult areas as so far, the poeple that have been downloading and installing BullDog tend to be as absent minded as I am as read the code. This is one of my main reasons for seeking out a wider audience so I can improce the docs and bring BullDog down to a more social level for the average linux as well as higher education or military facilities.

On the InitFW issue. I do state on the web page that the InitFW will need to be modified. That should be put at the top of the script though. The NAT is single IP based to emphasize that a /24 is not a good idea if you have only 10 active IP addresses.

Promiscious mode was a request in the earily generations by a high security business. The DNS database (/home/dns) is a literal domain database of the IP address and resolved name. It has been one of BullDog's best assets in blocking DOS attacks in that it need not go to the internet to resolve an address if it is already in the database. A few notable examples where this kept me online were nimda and SQL/worm.

The "military strength" has been pit to the test be looking up the specs and requirements for military usage. BullDog was also built "under fire." Meaning that I started programming for BullDog during an attack trying to block it. The kernel (IPChains at the time) was not flexible enough to handle the unpredictable attack patterns. The other side-effect is that I can leave one machine open as a honey pot. A blanket rule set doesn't allow that

The number of processes spawned can seem overwhelming but it allows BullDog to handle large volumes of packets without dropping them. This is configurable in the bulldog.h file. Also this approach allows more then one computer connected via NFS or similar to share the load, although I use one machine.

If I missed anything, please let me know.

Originally posted here by IKnowNot
I guess the Board spamming has been covered, I’ll assume he is more used to mailing lists then a board such as this. I will also assume frpeter is “ Father Peter” that is associated with the program. I'm also glad to see that this thread did not die while I was doing a little research.

I will have to agree with Relyt that this appears to only support Iptables ( and 2.4.x kernels and above ) ; but since it is now in revision 7 the ipchains part may have been taken out ( further adding to Relyt’s comment about the web site ).

Remember, you asked for it. This should be considered constructive criticism.

Documentation is clearly lacking, including a configuration manual. EXAMPLE: You have to read through the web page to know you have to create your own “ bulldog.conf “ file which should be included, albeit only a sample, with the source.
From the file InitFW
Nothing tells you to change the IP address here ( the address of the program’s creator ), nor does anything tell you what it does. The “ i “ variable is apparently the addresses of different servers with public addresses behind the firewall which are NATed through the firewall box, the “ j “ variable is apparently service ports to be blocked. This creates a large, large table ( check it out with “ iptables –list –line-numbers “. )

I usually just use something like

# -----Block outgoing network protocols that aren't designed to leave the LAN -----
iptables -A FORWARD -p tcp -i eth0 --dport 135:139 -j DROP
iptables -A FORWARD -p tcp -o eth0 --sport 135:139 -j DROP
iptables -A FORWARD -p udp -i eth0 --dport 135:139 -j DROP
iptables -A FORWARD -p udp -o eth0 --sport 135:139 -j DROP

These need only be repeated for the service ports required, not for every port and every IP address, can be used for blocks of ports as above, and also covers the LAN addresses.

I am no programer, but I do believe that others here may not agree. The program is two-in-one in that it is not just an Iptables front-end, it also attempts to identify potential attackers and block them.

*** I found it particularly disturbing that after compiling Bulldog eht0 ( the internet facing device ) was placed in promiscious mode! Maybe that is why the /home/dns directory ( where the block list is stored ) needs to be 20 gigs or more!

It appears a lot of time and thought went into this program, but I think the statement that it is “Military Strength “ may be a bit much, though it does use resources like the military, and spawing numerious "children". ( ps -ae )

I repeat: Remember, you asked for it. This should be considered constructive criticism.

[IKnowNot]

1st) You do not have to quote an entire post, just the pertinent parts and/or direct your response the poster: the reader can then determine where the response applies. Unlike mailing lists the posts here are displayed in top-down order. ( It makes reading easier ) And you do not have to reply to each post individually.

2nd)

I use a script called BlockIP that call IPChains/IPTables or even a not yet/different method for access control.

From the BlockIP file:

IPT=/usr/sbin/iptables

No mention here of ipchains. Maybe I missed something?

By the way, I did not mention before, but some Linux Distros do not place Iptables in the /usr/sbin directory: EXAMPLE: RedHat and Fedora use the /sbin directory. Thus the InitFW, UnBlockIP, and BlockIP files would have to be amended to reflect this.

3rd)

Promiscious mode was a request in the earily generations by a high security business. The DNS database (/home/dns) is a literal domain database of the IP address and resolved name. It has been one of BullDog's best assets in blocking DOS attacks in that it need not go to the internet to resolve an address if it is already in the database. A few notable examples where this kept me online were nimda and SQL/worm.

Ok, I need help here, this is BIG and I am sure I don’t know enough here.

a) I understand the reasoning behind the DNS database.

b) I don’t understand placing the Internet facing device in promiscuous mode, and then using it to evaluate possible attacks .... too great a possibility of false positives. EXAMPLE: I placed it INSIDE a LAN, attached it to a hub. It then restricted every address that every computer inside the LAN was communicating with, and because the traffic was not destined for what the firewall said was acceptable, it included those addresses in the DNS database. I.e. it caught ALL the traffic and made rules accordingly, not realizing the traffic was not meant for the firewall. Maybe I’m wrong, maybe I’m too drunk ( yes, everyone is home, granddaughter is sleeping, I’m one vacation, so I am drunk again ) but I believe this is how the DNS data base gets its addresses, isn’t it? Anyone here, correct me PLEASE if I am wrong, but submitting DSHield reports ( which is another undocumented option ) based on a device in promiscuous mode might be a little over-the-top!

c) not bragging, just a fact: I didn’t blink at “ nimda and SQL/WORM “ , just noticed the increased logs. Security isn’t confined ( as this Forum has pointed out repeatedly ) to firewalls, but includes proper patching, etc. Again, the term “ Layered Security” is the key.

4th)

The "military strength" has been pit to the test be looking up the specs and requirements for military usage. BullDog was also built "under fire." Meaning that I started programming for BullDog during an attack trying to block it. The kernel (IPChains at the time) was not flexible enough to handle the unpredictable attack patterns.

I have not looked into the military specs, but have been under fire. ( wait a minute, do you mean literally or figuratively? ) Anyway, I agree totally: ipchains, and you can quote me one this anytime, “ WAS NOT FLEXIBLE ENOUGH TO HANDLE THE UNPREDICTABLE ATTACK PATTERNS”. I never saw the advantage of ipchains. other then it was easier to configure then IPFWADM. Iptables is another story, which is why I never bothered with ipchains, but went right to Iptables from IPFWADM. Using an IDS interfaced with the firewall is not a new idea, but integrating it into the firewall front-end is, as far as I know , unique.

5th)

The other side-effect is that I can leave one machine open as a honey pot. A blanket rule set doesn't allow that

CSH Jump in here anytime : Ipatbles works in a top down fashion: ie. it responds to rules in an order. Just place an exception for your Honeypot BEFORE your DROP rules and it will fly.

Well, I hope this helped, I am too drunk to continue.

But not too drunk to wish ALL happy holidays .... Peace on Earth, and Good Will Toward Men ( and Women )

[frpeter]

Hello,

My apologies... I'm not used to the difference of this style yet.

The IPChains command can sumply be substituted for IPTables... I've made a note to document that...

That is true... Here is the perfect example of why I need more diversity... Unfortunately, I have no why to research other distrobutions and have had to pick common references. Can you provide the complete path to your IPTables/ I'll add an aditional comment to the scripts.

As previously mentioned, it was a request from one of BullDog's users. Prehaps that should be a compile time option... Making a note of that. Have only one machine where I am the only administrator doesn't often illuminate such issues. The rules, once properly configured tell BullDog what to ignore. the 'I' command in the config is for that exact purpose. You can tell BullDog, for example, to ignore your entire LAN, or just a specific machine.

The advantages of scanning all traffic including that not destined for the gateway/firewall is to block someone from relaying through your system due to a vulnerability or misconfiguration. Its a double-edged sword where advantages and disadvantages. You are right that it should be a feature that defaults as disabled.

True, which is why I state on the web page that BullDog is not a quick fix, but rather one step. Obviously, Amazon, Ebay and Yahoo had to learn this the hard way. All three sites were taken offline by these two viruses (see news archives for references).

The military spec are (for the most part) weird in what is expected. There is a great deal of good thinking that whent into drafting them. The application, IMHO, fell short of the protection. Go to Zone-H and do a lookup on .mil sites. You'll see a large number of military sites that have been defaced just on this one issue.

I will try to clarify this. It is in the context of the computer. The computer was under a heavy attack when I started writing the code for BullDog. At the time, I was running 2.2 (IPChains). I needed a way to counter the attack and still remain online. BullDog developed litterally from these attacks. I had at least to terms open in X watching the activity trying to block their attempts. I also must admit that I was new to linux and didn't have much experience in linux's internal defenses. I've looked into snort (and similar).. Its a good program, but I am only one person and I have to sleep sooner or later. I needed something that could react and block the attack, but still keep my server online even when I wasn't.

True... IPTables does an excellent job in in layered filtering. One of my requirements though, is to do all this on one machine. It would be nice to have a seperate one for a honey pot... However; the "honey" to by the pot is a bit low... Such as life, like everyone else, I make the best with what I have. Which, ironically, works in favor of BullDog, in that it still can compile on older platforms.

If I missed anything, please let me know.