[TriLUG] host-based dynamic app/port firewall?

Kevin Hunter hunteke at earlham.edu
Wed Oct 24 00:57:26 EDT 2012


Hullo List,

I've found myself pondering the fact that I have intermittent network 
services on my machine.  That is to say, sometimes I start Apache, 
disable SSH, or temporarily fire-up a DHCP server.

IPTables is fan-friggin-tastic, but if I at all want to nerd out and 
enable/disable the ports when the service is (not) running I must do it 
manually.  For example, after I start Apache:

# iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

Of course, if I have ufw handy, I can use the simpler syntax of:

# ufw deny http; ufw reload

Or something to that effect.  However, I'm wondering if someone hasn't 
already packaged up an automation script for this sort of behavior that 
I'm not seeing in my various googlings.  Succinctly: is there a tool in 
a distro repo that automatically and _dynamically_ enables and disables 
a port in the firewall depending on the specific binding of applications 
to ports, and according to user-defined rules?

Or, since no application would be listening on a port, is it a complete 
non-issue?  (For example, if Apache is disabled, and since nothing else 
should be listening on port 80, does it amount to the same thing as if 
there were a firewall rule denying access?)

So far, I've only been able to find the standard firewall appliance 
packet filtering and stateful inspection, which clearly doesn't apply to 
my question as it's a separate host.

Thanks for any insight.

Kevin
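
The automation the post asks about, as an added example that is not part of the original message: a small POSIX shell script that reads the listening TCP sockets (in the format printed by `ss -ltn` from iproute2), keeps only the ones a user-defined allowlist permits, and prints the matching iptables ACCEPT rules instead of applying them, so the result can be reviewed first. The sample `ss` output, the `ALLOWED_PORTS` policy and the `eth0` interface name are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Derives iptables ACCEPT rules for
# the TCP ports something is actually listening on, restricted to a user-defined
# allowlist. Dry-run: the iptables commands are printed, never executed.

# Constructed sample in the shape of `ss -ltn` output (listening TCP, numeric ports).
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*
LISTEN  0       128     [::]:80              [::]:*'

# Hypothetical user-defined policy: ports that may be opened when a service listens.
ALLOWED_PORTS="22 80 443"

# listening_ports: read ss-style lines on stdin, print each non-loopback listening
# port once, numerically sorted. Loopback-only listeners need no rule on eth0.
listening_ports() {
    awk 'NR > 1 && $1 == "LISTEN" {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "127.0.0.1" || host == "[::1]") next
        if (!(port in seen)) { seen[port] = 1; print port }
    }' | sort -n
}

# allowed PORT: succeed if PORT is in ALLOWED_PORTS.
allowed() {
    for p in $ALLOWED_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# gen_rules IFACE: for each port on stdin, print the iptables command that would
# open it on IFACE if policy allows; otherwise report the unexpected listener on
# stderr rather than silently opening it.
gen_rules() {
    iface="${1:-eth0}"
    while read -r port; do
        if allowed "$port"; then
            printf 'iptables -A INPUT -i %s -p tcp --dport %s -j ACCEPT\n' "$iface" "$port"
        else
            printf 'listener on port %s is not in ALLOWED_PORTS; not opening it\n' "$port" >&2
        fi
    done
}

# Stand-alone run on the constructed sample; on a real host replace the printf
# with `ss -ltn`.
printf '%s\n' "$SAMPLE_SS" | listening_ports | gen_rules eth0
```

Run from cron or a systemd timer with a default-DROP INPUT policy and a chain that is flushed and regenerated each pass, this keeps the open ports equal to the allowed listening ports. The allowlist is what makes the mismatch visible: a listener on a port the policy does not mention (8080 in the sample) is reported, not opened. Note that a port with no listener is not quite the same as a dropped port: the kernel answers a SYN to a closed port with a RST, which still tells a scanner the host is up, whereas a DROP rule answers nothing.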
