
#1 2016-09-09 00:04:53

r0b0t
Member
From: /tmp
Registered: 2009-05-24
Posts: 505

Network monitoring/firewall application for Linux

I've been researching this for quite some time, and after a long list here: https://blog.serverdensity.com/80-linux … ools-know/ and some suggestions at Stack Overflow, I came to the conclusion that there is no such tool for Linux, and when I say such a tool I mean:
1) To monitor everything (every protocol, tcpdump/Wireshark-like), not only HTTP/HTTPS (tools like Fiddler etc.)
2) To run in the background and notify you of connections, providing comprehensive details on the application, destination and the type of traffic
3) To offer the possibility of a rule-set firewall based on iptables, with maybe a good JSON GUI?
4) To be easy/small to manage. I know there is Bro IDS etc. that may provide some of this, but this is a bit of an overkill for what we are talking about here.

As far as I can tell, the only thing I find close to the description is: https://github.com/subgraph/fw-daemon

Post here any valid suggestion if you know of any application up for the job.

PS: of course the mentioned application is also not up for the task, as it's more of a firewall and notifies you only if unexpected binaries are trying to connect; it doesn't seem to collect any information about the rest.

Last edited by r0b0t (2016-09-09 14:09:03)


#2 2016-09-09 14:08:32

r0b0t
Member
From: /tmp
Registered: 2009-05-24
Posts: 505

Re: Network monitoring/firewall application for Linux

So far also: http://douaneapp.com/ , far from being perfect and no statistics...
https://github.com/sha0coder/LAF looks interesting, and so does https://github.com/crs-chin/lavender, but lavender looks like it is no longer being developed.

Last edited by r0b0t (2016-09-09 14:21:06)


#3 2016-09-09 19:07:01

HiImTye
Member
From: Halifax, NS, Canada
Registered: 2012-05-09
Posts: 1,072

Re: Network monitoring/firewall application for Linux

You're looking for programs that are designed for Windows. The Unix philosophy is that a program should do one thing and do it well. There are front ends that combine the functionality of one or more of the class of 'firewall' apps you're thinking of, but generally they just perform the backend work using the apps that you would otherwise use yourself.

1) For seeing the network usage of an app, you can use something like iftop, nethogs, etc. There are a multitude of network monitoring apps you can use, and each has its own strengths and weaknesses.
2) For notifications, you can set up iptables rules to write to the syslog. There are also tools to help with monitoring, such as psad.
3) There are several front ends for iptables, but it's worthwhile to actually learn how to use iptables and not rely on front ends: for simplification of your configuration, for if there are any bugs or they stop being maintained, or if you simply mess up a configuration, so you can fix it later. There's a list of front ends on the wiki: https://wiki.archlinux.org/index.php/firewalls
4) There will be no smaller app than learning how to use the backend apps. Any front end adds complexity, and therefore space.

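The syslog route described in the post above (an iptables LOG rule on OUTPUT, with `--log-uid` so the owning user shows up in each line) produces lines that a small notifier can parse. The following is an added example in Python, not code from any poster or from the projects named in this thread; the log lines are constructed, and the iptables rule quoted in the comment is an assumption about how such logging would be set up.

```python
import re
from collections import Counter

# Constructed sample: kernel lines as emitted by an iptables LOG rule such as
#   iptables -I OUTPUT -m conntrack --ctstate NEW -j LOG --log-prefix "OUT-NEW: " --log-uid
# (the UID=/GID= fields only appear when --log-uid is given). Addresses are made up.
SAMPLE_SYSLOG = """\
Sep  9 19:10:01 arch kernel: [ 1234.567890] OUT-NEW: IN= OUT=wlan0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Sep  9 19:10:02 arch kernel: [ 1235.000001] OUT-NEW: IN= OUT=wlan0 SRC=192.0.2.10 DST=198.51.100.9 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=UDP SPT=40000 DPT=53 LEN=56 UID=1000 GID=1000
Sep  9 19:10:03 arch kernel: [ 1236.000002] OUT-NEW: IN= OUT=wlan0 SRC=192.0.2.10 DST=203.0.113.77 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4713 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0 UID=0 GID=0
Sep  9 19:10:04 arch sshd[999]: Accepted publickey for user from 192.0.2.20 port 5555 ssh2
"""

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")   # KEY=value tokens; IN= may be empty
PREFIX = "OUT-NEW: "                      # must match --log-prefix in the rule

def parse_log_line(line):
    """Return the fields of one LOG-target line as a dict, or None for unrelated syslog lines."""
    idx = line.find(PREFIX)
    if idx < 0:
        return None
    fields = {}
    for key, value in KV_RE.findall(line[idx + len(PREFIX):]):
        fields.setdefault(key, value)  # UDP lines carry a second LEN=; keep the IP-header one
    return fields

def summarize(text):
    """Count new outgoing connections per (uid, proto, dst, dport): the data a notifier reports."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_log_line(line)
        if f is None:
            continue
        key = (f.get("UID", "?"), f.get("PROTO", "?"), f.get("DST", "?"), f.get("DPT", "?"))
        counts[key] += 1
    return counts

def flag_unexpected(counts, expected_ports=("443", "53")):
    """Entries worth a notification: destination ports outside the expected set (assumed policy)."""
    return [k for k in counts if k[3] not in expected_ports]

if __name__ == "__main__":
    for (uid, proto, dst, dport), n in summarize(SAMPLE_SYSLOG).items():
        print(f"uid={uid} {proto} -> {dst}:{dport} ({n} new connection(s))")
```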

#4 2016-09-11 14:19:03

r0b0t
Member
From: /tmp
Registered: 2009-05-24
Posts: 505

Re: Network monitoring/firewall application for Linux

As I mentioned in the first thread, none of the tools are up for the task.
I may not be very up to date on the latest changes in iptables, but AFAIK iptables supports user-based filtering (processes filtered by the user of the process) and not application filtering. If you integrate nDPI then yes, you may use it as an L7 firewall, but it's still just a firewall, not a system monitor, and it's way too static for what we are talking about here. NOTE: by static I mean that, let's suppose you allow Firefox outgoing, then Firefox will always be allowed to connect to anything, no matter what. So far from being dynamic, learning the user's usual network behaviour/patterns and adapting the rulesets.

As for psad, it cannot be compared with other advanced IDS/IPSes already present, and it lacks the application layer, which is what our discussion is focused on in this thread.
I'm not talking here about frontends, as if the backend (netfilter) doesn't support something like it, then forget about the frontends.

As for the Unix philosophy, I really hadn't heard this before, and if it's correct it's a bit outdated, as nowadays requirements are demanding, and instead of multiple tools put together with tweaking and hacking through, to try and get a sorry result of what you are looking for, a tool is required in this case to monitor, notify, and filter the outgoing traffic of the user.
I'm for KISS, yet you can have what I'm asking for here; it won't go against KISS, and as shown by the tools I mentioned there are quite some projects trying to fulfil this BH in Linux.

Last edited by r0b0t (2016-09-11 14:21:44)

