From Mandriva Community Wiki
- netfilter modules to detect intrusions
- a new netfilter target, IFWLOG
- shorewall (optional)
- mandi, a root socket to user apps bridge, using D-Bus
- net_applet, which receives alerts
- drakids, a blacklist/whitelist management tool
Intrusions are detected by netfilter matches, such as psd (port scan detector). More matches are planned. Our netfilter IFWLOG target forwards intrusion detection data to the mandi daemon through a netlink socket.
The "Interactive Firewall" plugin of mandi has two operating modes:
- it blacklists the intruder in automatic mode
- it sends a notification to a user interface through D-Bus in interactive mode
An intruder blacklist is maintained by the daemon, using ipset; this blacklist is kept in memory by ipset. A whitelist is also available, also using ipset, and it is saved in a file. ipset groups a set of addresses so that all of them can be matched by a single iptables rule.
When an attack is detected, a notification bubble appears to warn the user.
Clicking it opens a popup that lets you choose what action to take against the attacker.
Some details about the attack can be shown by expanding the arrow.
The network applet offers links to Interactive Firewall actions and settings.
- (1) opens the management window (only when it blinks, which means an attack has been detected)
- (2) lets you choose whether intruders are blacklisted automatically
- (3) opens the management window
The management window is divided into three tabs: log supervision, blacklist management and whitelist management.
- the Log tab displays and manages the list of warning messages issued by the interactive firewall; it has pushbuttons that serve for adding hosts to the blacklist and the whitelist of the interactive firewall;
- the Whitelist tab displays the list of hosts that the firewall considers safe; it will not issue warning messages for traffic from these hosts;
- the Blacklist tab displays the list of hosts that figure in the blacklist of the interactive firewall; hosts in this list will be automatically purged from the list after one hour.
Interactive Firewall is almost mature now (while 2006 is about to be released). The mandi daemon and the user interfaces (net_applet, drakids) are ready. The IFWLOG target is pretty straightforward and stable.
To avoid matching legitimate connections (e.g. to DNS servers), the netfilter rules use stateful detection with -m state --state NEW,INVALID. However, some harmless connections are still considered offensive. For example, some game clients send broadcast packets on the network scanning a port range, which is (correctly) detected as a port scan. In Mandriva 2008.1, it happens that the firewall considers some perfectly legitimate traffic as a security risk and issues its warning messages, which may be quite annoying and disruptive to the user. This section proposes two alternative ways to inhibit unwanted popup messages from the interactive firewall.
Disable the Interactive Firewall
- This approach is quite radical: it simply switches the interactive firewall off. Whether the interactive firewall is active or not is controlled in the setup process of the personal firewall. Take the following actions:
- Mandriva Control Center -> Security -> Setup your personal firewall.
- In the first window of the personal firewall, select the protocols you want the personal firewall to let pass, conclude by hitting OK.
- The second window looks like a confirmation of the first window, but its first checkbutton now lets you disable the interactive firewall: uncheck that button to inhibit the interactive firewall.
- Continue and complete the following steps of the setup process of the personal firewall.
Make traffic from specific hosts accepted without warnings ("whitelist")
There are several ways to add hosts to this whitelist or to remove them.
- Do the following sequence of steps:
- Become root and run /usr/sbin/drakids
- The management window of the firewall is displayed; it starts with the log of the popup messages that the interactive firewall has issued.
- In this list, select (highlight) any message that concerns the host that you want to add to the whitelist.
- Click the "Whitelist" button in the bottom bar.
- If necessary, repeat for additional hosts to be whitelisted.
Using the "Process Attack" popup-window button
- Some of the warning messages that pop up on the desktop have a Process Attack button. If you hit that button, you are offered a choice of things to do, among other things adding the offending host to the whitelist. After this kind of warning message, the taskbar will also show a flashing warning triangle. Hitting this triangle also brings you into the management window of the interactive firewall.
Manually editing the Whitelist
- The whitelist is a plain text file. It can be edited with any text editor, as long as you have root privileges. The contents of this file are one-line entries, one for each whitelisted host: its IP address or its name.
A temporary blacklisting mechanism
The blacklist is temporary: blacklisted addresses are kept in memory for one hour. When this period expires, the address is removed from the blacklist.
- closing the popup window may also make net_applet quit
- the blacklist isn't refreshed when blacklisted addresses expire
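The following is an added example, not mandi's own code: a small model of the Interactive Firewall plugin as the page describes it (whitelist entries of one IP address or name per line, automatic vs. interactive mode, and a blacklist whose entries expire after one hour). Skipping blank and '#' lines in the whitelist, and the class and method names, are assumptions.

```python
import time

BLACKLIST_TTL = 3600  # the page: blacklisted addresses are kept in memory for one hour


def parse_whitelist(text):
    """Parse the /etc/ifw/whitelist format: one entry per line, an IP address or a host name.
    Skipping blank lines and '#' comments is an assumption, not documented on the page."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.add(line)
    return entries


class InteractiveFirewall:
    """Model of the two modes of mandi's Interactive Firewall plugin (simplified, not mandi's code)."""

    def __init__(self, whitelist, automatic=True, now=time.time):
        self.whitelist = whitelist          # persistent: saved in a file
        self.automatic = automatic          # True: blacklist; False: notify the UI via D-Bus
        self.now = now                      # clock, injectable so that expiry can be tested
        self.blacklist = {}                 # in memory, like the ipset: addr -> expiry time
        self.notifications = []             # what would be sent to net_applet

    def expire(self):
        """Purge entries older than one hour (the refresh the page notes is missing)."""
        t = self.now()
        for addr in [a for a, exp in self.blacklist.items() if exp <= t]:
            del self.blacklist[addr]

    def is_blacklisted(self, addr):
        self.expire()
        return addr in self.blacklist

    def handle_alert(self, src, match="psd"):
        """Process one IFWLOG event received over the netlink; returns the action taken."""
        if src in self.whitelist:           # whitelisted hosts never raise a warning
            return "whitelisted"
        if self.is_blacklisted(src):
            return "already-blacklisted"
        if self.automatic:
            self.blacklist[src] = self.now() + BLACKLIST_TTL
            return "blacklisted"
        self.notifications.append({"src": src, "match": match})   # interactive mode
        return "notified"
```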
How to try it
- urpmi mandi-ifw
- run "service messagebus restart" and "service mandi start" (only if you didn't restart your system after installing mandi-ifw)
- run drakfirewall to configure firewalling on your system
- scan your system from another box (nmap mysystem -p 100-110 -P0)
- net_applet should pop up an alert window
- drakids can be used to manage the blacklist and whitelist
- you can check the status of the blacklist and whitelist using ipset --list
- The netfilter matches are stored in /etc/ifw/rules.
- The whitelist is stored in /etc/ifw/whitelist
- The blacklist is stored in /etc/ifw/blacklist
- allow specifying an event group
- make net_applet display an icon associated with the event group