Docs/SysAdmin/Networking/InteractiveFirewall
From Mandriva Community Wiki
Interactive Firewall is a framework designed to alert users to intrusions or other events happening on their network.
Concept
The Mandriva Interactive Firewall monitors IP traffic and checks for traffic that it considers a potential security risk. When such traffic is detected, a highly visible window with a warning message pops up on the user's desktop and the message is stored in the log file of the Interactive Firewall.
User interface
The warning popup window
< text to be written>
The management window
The management window has three tabs:
- the Log tab displays and manages the list of warning messages issued by the interactive firewall; it has pushbuttons that serve for adding hosts to the blacklist and the whitelist of the interactive firewall;
- the Whitelist tab displays the list of hosts that the firewall considers safe; it will not issue warning messages for traffic from these hosts;
- the Blacklist tab displays the list of hosts that are on the blacklist of the interactive firewall; hosts in this list will be automatically purged from the list after one hour.
Preventing popup messages from the Interactive Firewall
In Mandriva 2008.1, the firewall sometimes considers perfectly legitimate traffic a security risk and issues its warning messages, which may be quite annoying and disruptive to the user. This section proposes two ways to inhibit unwanted popup messages from the interactive firewall.
Disable the Interactive Firewall
- This approach is quite radical: it simply switches the interactive firewall off. Whether the interactive firewall is active or not is controlled in the setup process of the personal firewall. Take the following actions:
- Mandriva Control Center -> Security -> Setup your personal firewall.
- In the first window of the personal firewall, select the protocols you want the personal firewall to let pass, and conclude by hitting OK.
- The second window looks like a confirmation of the first window, but the first checkbutton now lets you disable the interactive firewall: uncheck that button to inhibit the interactive firewall.
- Continue and complete the following steps of the setup process of the personal firewall.
Make traffic from specific hosts accepted without warnings ("whitelist")
There are several ways to add hosts to this whitelist or to remove them.
Using /usr/sbin/drakids
- Do the following sequence of steps:
- Become root and run /usr/sbin/drakids
- The management window of the firewall will be displayed; it starts with a display of the log of the popup messages that have been issued by the interactive firewall.
- In this list, select (highlight) any message that concerns the host that you want to add to the whitelist.
- Click the "Whitelist" button in the bottom bar.
- If necessary, repeat for additional hosts to be whitelisted.
Using the "Process Attack" popup-window button
- Some of the warning messages that pop up on the desktop have a Process Attack button. If you hit that button, you are offered a choice of things to do, among others adding the offending host to the whitelist. After this kind of warning message, the taskbar will also have a flashing warning triangle. Hitting this triangle also brings you into the management window of the interactive firewall.
Manually editing the Whitelist
- The whitelist is a plain text file. It can be edited with any text editor, as long as you have root privileges. The contents of this file are one-line entries, one for each whitelisted host: its IP address or its name.
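One way to script the manual edit described above, as an added example that is not part of the Interactive Firewall or of this wiki: it validates an entry before appending it, refuses duplicates, and reports lines that are neither an address nor a name, since every whitelisted host is one the firewall stops warning about. The function names are hypothetical, restricting addresses to IPv4 is an assumption of the example, and the file is passed as an argument (this page gives /etc/ifw/whitelist).

```shell
# Added example, not part of the Interactive Firewall tools.
# Assumes only the format described above: one host per line, as an
# IPv4 address or a host name (IPv6 is left out as a simplification).

# Return 0 if $1 is an IPv4 address or a DNS-style host name.
ifw_valid_entry() {
    entry=$1
    # Reject spaces, newlines and anything else outside the allowed set.
    case $entry in *[!A-Za-z0-9.-]*) return 1 ;; esac
    if printf '%s\n' "$entry" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        old_ifs=$IFS; IFS=.
        set -- $entry            # split into octets
        IFS=$old_ifs
        for octet in "$@"; do
            [ "$octet" -le 255 ] || return 1
        done
        return 0
    fi
    # A host name must contain a letter, so "1.2.3" or "" is rejected.
    case $entry in *[A-Za-z]*) ;; *) return 1 ;; esac
    printf '%s\n' "$entry" | grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
}

# Append host $2 to whitelist file $1.
# Returns 0 if added, 1 if malformed, 2 if already listed.
ifw_whitelist_add() {
    file=$1 host=$2
    ifw_valid_entry "$host" || return 1
    # -x whole line, -F literal match, -i: host names are case-insensitive
    if [ -f "$file" ] && grep -qixF -- "$host" "$file"; then
        return 2
    fi
    printf '%s\n' "$host" >> "$file"
}

# Print "lineno:text" for every line of file $1 that is not a valid
# entry; return 1 if any such line exists.
ifw_whitelist_audit() {
    bad=0 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        ifw_valid_entry "$line" || { printf '%s:%s\n' "$n" "$line"; bad=1; }
    done < "$1"
    return "$bad"
}
```

Against the live whitelist these functions need root privileges, as the text-editor approach does.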
Configuration, files
- The netfilter matches are stored in /etc/ifw/rules
- The whitelist is stored in /etc/ifw/whitelist
- The blacklist is stored in /etc/ifw/blacklist
Documentation: Interactive Firewall 2006 project description
- This article provides some information on the design of the Interactive Firewall

