Posted by: Anonymous Coward on February 27, 2007 11:02 PM
I appreciate your insight but, I assure you, I am very well versed in IPTables. I'm well aware that IPTables can block outbound traffic and that the use of strict egress filtering by way of deny all and allow only these ports/protocols/IP addresses could have a similar end result to what I requested. But this is a rather cumbersome and tedious option that does NOT do the same thing as application firewalls like ZoneAlarm.
ZoneAlarm et al trap applications, not ports/protocols/addresses, that try to access the network. They then pop up and advise the user what application it is that is attempting to access the network and wait for the user to authorize or deny access temporarily or permanently. Once authorized, the user does not have to worry about other ports or protocols for that application. For instance, while it would be necessary to configure multiple IPTables rules for ports and protocols, inbound and outbound, in order to authorize an IPSec VPN client, with ZoneAlarm the user would only have to authorize the FreeSWAN application and they're done.
But there is more to it than that. Suppose you have used IPTables to authorize SMTP outbound for your email client. IPTables will then allow any and all applications on that host outbound SMTP access. But let's suppose that a worm gets on the system and starts sending spam. IPTables will happily permit that (I know about source and destination rules, thanks). But with the likes of ZoneAlarm you would authorize Kmail to access the network for your email, and when the worm tried to send its spam the user would get a message saying 'someworm.so is trying to access the network. Allow or Deny'. This gives the user control over what applications can access the network AND indicates that someworm.so is a file/application that needs to be investigated/eliminated.
There is also the matter of ease of use. While most users easily manage with the graphical Allow/Deny pop-ups from application "firewalls", I'm sure that you will agree that IPTables rules are not for amateurs. Granny can't configure IPTables, even with the best available graphical frontends. Just imagine dear old Gran wading through Firewall Builder or Firestarter. There's no way that's going to work! But Granny has no problem clicking Allow/Deny when a message about someworm.so pops up. Even a mistake on her part may create undesirable results, but it won't be an insurmountable configuration issue for her.
The application "firewall" to which I am referring is really quite different from a basic packet filter like IPTables. It may be possible to combine IPTables with other software to create such a "firewall", but IPTables by itself or even in combination with AppArmor is definitely not it.
Thanks for your input. I'm sure that you didn't really mean for it to be as smug, condescending and incorrect as it seemed.
Thanks - But, Not Exactly.
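The closest a plain IPTables policy gets to the per-application decision the post describes is the `owner` match on the OUTPUT chain: run the mail client as its own uid, accept SMTP only for that uid, and log-and-drop everything else with `--log-uid` so the kernel log records which account tried. The script below is an added example, not code from the post; the rules in its header comment and the uid 1001, the log prefix, and the sample kernel log lines are all constructed assumptions. It parses those log lines and reports the uids behind the dropped SMTP attempts, which is the "someworm is trying to reach the network" information the poster wants, minus the pop-up.

```python
import re
from collections import Counter

# Assumed iptables egress policy (constructed, not from the post):
#   iptables -A OUTPUT -p tcp --dport 25 -m owner --uid-owner 1001 -j ACCEPT
#   iptables -A OUTPUT -p tcp --dport 25 -j LOG --log-prefix "SMTP-DENY: " --log-uid
#   iptables -A OUTPUT -p tcp --dport 25 -j DROP
LOG_PREFIX = "SMTP-DENY: "
ALLOWED_SMTP_UIDS = {1001}          # uid the mail client runs as (assumed)
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")   # KEY=VALUE tokens; bare flags like SYN are skipped

# Constructed sample kernel log lines in the shape iptables LOG produces.
# The third line has no UID= field: packets with no owning socket are logged without one.
SAMPLE_LOG = """\
kernel: SMTP-DENY: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=45678 DPT=25 SYN UID=1000 GID=1000
kernel: SMTP-DENY: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.6 PROTO=TCP SPT=45679 DPT=25 SYN UID=1000 GID=1000
kernel: SMTP-DENY: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.7 PROTO=TCP SPT=45680 DPT=25 SYN
kernel: SSH-IN: IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.10 PROTO=TCP SPT=4444 DPT=22 SYN
"""

def parse_log_line(line):
    """Return the KEY=VALUE fields of one iptables LOG line as a dict (empty values allowed)."""
    return dict(FIELD_RE.findall(line))

def smtp_violations(log_text, allowed_uids=ALLOWED_SMTP_UIDS):
    """Collect dropped outbound SMTP attempts whose owning uid is not an allowed mail uid."""
    hits = []
    for line in log_text.splitlines():
        if LOG_PREFIX not in line:          # only our egress rule's log lines
            continue
        f = parse_log_line(line)
        if f.get("PROTO") != "TCP" or f.get("DPT") != "25":
            continue
        uid = int(f["UID"]) if "UID" in f else None   # None: no socket owner recorded
        if uid in allowed_uids:             # should not occur, ACCEPT comes first
            continue
        hits.append({"uid": uid, "dst": f.get("DST"), "spt": f.get("SPT")})
    return hits

def summarize(hits):
    """Count denied SMTP attempts per uid; None groups the ownerless packets."""
    return dict(Counter(h["uid"] for h in hits))

if __name__ == "__main__":
    for uid, n in summarize(smtp_violations(SAMPLE_LOG)).items():
        print(f"uid={uid}: {n} blocked SMTP attempt(s)")
```

Mapping a uid back to a program still needs the dedicated per-application account, which is exactly the extra step the pop-up firewall spares the user.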