Projects/Interactive Firewall

From Mandriva

Interactive Firewall

Interactive Firewall is a framework designed to alert users about intrusions, or any other event happening on their network.


Components

  • netfilter modules to detect intrusions
  • a new netfilter target, IFWLOG
  • iptables
  • ipset
  • shorewall (optional)
  • mandi, a daemon that bridges a root-owned socket to user applications over D-Bus
  • net_applet, which receives alerts
  • drakids, a blacklist/whitelist management tool

Operating mode

Intrusions are detected by netfilter matches, such as psd (the port scan detector). More matches are planned. Our netfilter IFWLOG target forwards the intrusion detection data to the mandi daemon through a netlink socket.

The "Interactive Firewall" plugin of mandi has two operating modes:

  • it blacklists the intruder in automatic mode
  • it sends a notification to a user interface through D-Bus in interactive mode

An intruder blacklist is maintained by the daemon using ipset; this blacklist is held in memory by ipset. A whitelist is also available, also based on ipset, and it is saved to a file. ipset essentially groups a list of addresses into a named set so that they can all be matched by a single iptables rule.


Graphical interface


Network applet

When an attack is detected, a notification bubble appears to warn the user.

Image:scan-bubble.png

On click, a popup is displayed. It lets the user choose which action should be taken against the attacker.

Image:scan-popup-simple.png

Details about the attack can be shown by expanding the arrow.

Image:scan-popup-detailled.png

The network applet offers links to Interactive Firewall actions and settings.

  • (1) opens the management window (only available when the icon blinks, which means an attack has been detected)
  • (2) lets the user choose whether intruders should be blacklisted automatically
  • (3) opens the management window

Image:context-menu.png


Management window

The management window is divided into three tabs: one to supervise the logs, one to manage the blacklist and one to manage the whitelist.

Image:log.png

Image:blacklist.png

Image:whitelist.png


Integration status

Interactive Firewall is almost mature now (while 2006 is about to be released). The mandi daemon and the user interfaces (net_applet, drakids) are ready. The IFWLOG target is straightforward and stable.


False-positives

To avoid legitimate connections (e.g. replies from DNS servers) being matched by the netfilter rules, the rules use stateful detection with -m state --state NEW,INVALID. However, some harmless connections are still considered offensive. For example, some game clients send broadcast packets on the network while scanning a port range, which is (correctly) detected as a port scan.


A temporary blacklisting mechanism

The blacklist is temporary: blacklisted addresses are kept in memory for one hour. When this period expires, the address is removed from the blacklist.
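The following script is an added example, not code from the Mandriva project, that ties together the "Operating mode", "False-positives" and temporary blacklisting sections above: it generates the ipset and iptables commands for a whitelist set, a one-hour blacklist set and a stateful port-scan detection rule that hands events to the IFWLOG target. It assumes current ipset command syntax (ipset create/add, which the page's era wrote as ipset -N/-A), the hypothetical set names ifw_whitelist and ifw_blacklist, the psd default thresholds taken from that match's own documentation rather than from this page, and an IFWLOG target invoked without options, since the page documents none. Commands are printed rather than executed, so it can be read and checked offline before being piped into a root shell.

```shell
#!/bin/sh
# Added example, not part of the Mandriva Interactive Firewall page.
# Prints the ipset/iptables commands that implement the page's design:
# a persistent whitelist, an in-memory blacklist whose entries expire
# after one hour, and a detection rule restricted to NEW,INVALID state.
# Set names, psd thresholds and the option-less IFWLOG call are assumptions.

BLACKLIST_TTL=3600   # one hour, as the page states for blacklisted addresses

# Set definitions. The whitelist carries no timeout (the daemon saves it to a
# file); the blacklist lives in kernel memory with a per-entry timeout, so the
# kernel itself removes an intruder when the period expires.
ipset_setup_cmds() {
    printf '%s\n' \
        "ipset -exist create ifw_whitelist hash:ip" \
        "ipset -exist create ifw_blacklist hash:ip timeout $BLACKLIST_TTL"
}

# Rule order matters: whitelisted sources are accepted before the blacklist
# is consulted, and the detection rule only sees NEW or INVALID packets, so
# replies to connections this host opened itself (e.g. DNS answers) can never
# be logged as a port scan. psd thresholds are the match's documented defaults
# (assumed here, not taken from the page).
iptables_rule_cmds() {
    printf '%s\n' \
        "iptables -A INPUT -m set --match-set ifw_whitelist src -j ACCEPT" \
        "iptables -A INPUT -m set --match-set ifw_blacklist src -j DROP" \
        "iptables -A INPUT -m state --state NEW,INVALID -m psd --psd-weight-threshold 21 --psd-delay-threshold 300 -j IFWLOG"
}

# What the daemon's automatic mode would run for one detected intruder:
# the explicit timeout makes the entry expire after one hour.
blacklist_cmd() {
    printf 'ipset -exist add ifw_blacklist %s timeout %s\n' "$1" "$BLACKLIST_TTL"
}

# Permanently allow a host, e.g. the LAN game clients the page mentions as
# false positives, so their broadcast scans are accepted before detection.
whitelist_cmd() {
    printf 'ipset -exist add ifw_whitelist %s\n' "$1"
}

# Full setup; pipe the output into "sh" as root to apply it.
print_setup() {
    ipset_setup_cmds
    iptables_rule_cmds
}

# Constructed sample addresses (documentation ranges), used only to show output.
SAMPLE_DNS=192.0.2.53
SAMPLE_SCANNER=198.51.100.7

print_setup
whitelist_cmd "$SAMPLE_DNS"
blacklist_cmd "$SAMPLE_SCANNER"
```

Once applied, `ipset list ifw_blacklist` shows each entry with its remaining lifetime, which is the in-kernel counterpart of the one-hour expiry described above.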


Known bugs

  • closing the popup window may also make net_applet quit
  • the blacklist view isn't refreshed when blacklisted addresses expire

How to try it

  • urpmi mandi-ifw
  • run "service messagebus restart" and "service mandi start" (only if you didn't restart your system after installing mandi-ifw)
  • run drakfirewall to configure firewalling on your system
  • scan your system from another box (nmap mysystem -p 100-110 -P0)
  • net_applet should pop up an alert window
  • drakids can be used to manage the blacklist and whitelist
  • you can check the contents of the blacklist and whitelist using ipset --list

Configuration

The netfilter matches are stored in /etc/ifw/rules.


To Do

  • allow an event group to be specified
  • make net_applet display an icon associated with the event group
