
Isowall: Mini-firewall that completely isolates a device from the local network
https://github.com/robertdavidgraham/isowall
======
clarry
Interesting.. is this a joke?

    LOG(0, " [hint] need to sudo or run as root or something\n");
    LOG(0, " [hint] I've got some local priv escalation "
                            "0days that might work\n");

EDIT: I shall forget I ever looked in the code. There's no LICENSE file, but
there's this...

    /* Copyright: (c) 2009-2010 by Robert David Graham
    ** License: This code is private to the author, and you do not
    ** have a license to run it, or own a copy, unless given
    ** a license personally by the author. This is
    ** explained in the LICENSE file at the root of the project.
    **/

~~~
kylemaxwell
FWIW, I just talked to the author (Robert Graham) about it, and he responded:

"bah, I need to fix that"

[https://twitter.com/ErrataRob/status/399979105854058497](https://twitter.com/ErrataRob/status/399979105854058497)

EDIT: And he pushed a LICENSE file just now.

"I provide this code with no warrantee whatsoever. But hey, if you want to
take the risk and run it, go for it."

~~~
robertgraham
I think that's FOSS compatible.

~~~
clarry
I wonder what you mean by FOSS compatible? Copyright by default is rather
restrictive; to make something free, you must explicitly grant these freedoms.
A warranty disclaimer does not grant people the freedom to copy, modify, sell,
redistribute, etc.

------
peterwwillis
So this is a software DMZ? I haven't done this before, but it should be doable
in netfilter or routing tables without an ip stack on the interface.

I should also add that choosing to rely on new, custom code for a specific
purpose like this is much more dangerous than relying on the decades-old Linux
netfilter and ip stack. One netfilter rule would prevent a DMZ'd host from
fucking with the transparent firewall.

[http://www.netfilter.org/documentation/HOWTO//netfilter-exte...](http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-4.html#ss4.5)

[http://www.netfilter.org/documentation/HOWTO//netfilter-exte...](http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-4.html#ss4.4)

[http://www.linuxjournal.com/content/linux-advanced-routing-t...](http://www.linuxjournal.com/content/linux-advanced-routing-tutorial?page=0,3)

------
randywaterhouse
Easy to configure, simple functionality, niche-use.

I think it's a pretty cool idea, and definitely might come to use it if I ever
get a machine in-house infected with something interesting and I want to just
toy with it (/ keep an eye on what it's doing). I'm sure this would be useful
for security professionals dealing with all kinds of network-required
infections (or not, as all the "BadBIOS" talk suggests).

Pretty cool stuff, I'm wondering if one could simply set this up with a set of
iptables rules (on a Linux router, i.e. DD-WRT). Just drop all packets that
aren't destined to the open internet, and even control which ports the
isolated machine has access to (i.e. cut off port 80 and see if the
infection/process tries to reach out on port xyz or something else).
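The iptables variant that peterwwillis and randywaterhouse sketch above, as an added example (not isowall's code and not from anyone in this thread): a Linux router that forwards for the quarantined host drops everything that is not bound for the open internet, drops anything aimed at the firewall itself, and can cut off individual ports to watch where the infection goes next. The interface name eth1 and the port list are assumptions for the illustration.

```shell
#!/bin/sh
# Added example, not isowall's code. Assumed layout: the quarantined host is
# alone on interface $IFACE of a Linux router that forwards (and NATs) for it.
# Usage: isowall_rules IFACE [BLOCKED_TCP_PORT...]   -> prints the rules
#        isowall_rules eth1 80 443 | sh               -> applies them (as root)
isowall_rules() {
    iface="$1"; shift
    # The single rule that keeps the quarantined host off the firewall box
    # itself: nothing arriving on its interface reaches a local socket.
    echo "iptables -A INPUT -i $iface -j DROP"
    # Nothing initiates connections toward the host; only replies to its own
    # outbound traffic are forwarded back to it.
    echo "iptables -A FORWARD -o $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -o $iface -j DROP"
    # Private, link-local, loopback and multicast destinations are "the local
    # network": drop them so only the open internet is reachable.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 \
               127.0.0.0/8 224.0.0.0/4; do
        echo "iptables -A FORWARD -i $iface -d $net -j DROP"
    done
    # Optional per-port cut-off (cut port 80, see what it tries instead);
    # log before dropping so the attempt shows up in the kernel log.
    for port in "$@"; do
        echo "iptables -A FORWARD -i $iface -p tcp --dport $port -j LOG --log-prefix \"isowall-port-$port: \""
        echo "iptables -A FORWARD -i $iface -p tcp --dport $port -j DROP"
    done
    # Whatever is left is internet-bound: let it through.
    echo "iptables -A FORWARD -i $iface -j ACCEPT"
}

# Number of rules the policy expands to; useful as a sanity check.
isowall_rule_count() {
    isowall_rules "$@" | wc -l | tr -d ' '
}

# When run directly, print the ruleset for the assumed layout (eth1, port 80 cut).
isowall_rules eth1 80
```

The INPUT drop also blocks DHCP and DNS served by the router itself, so either add narrower accepts above it or give the host a static address and a public resolver. Unlike isowall's bridge, this is not transparent: the quarantined host sees the router as its gateway, which is the "knows you're there" trade-off.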

~~~
noonespecial
Just using iptables would be easier but has the disadvantage that the
quarantined box "knows you're there" and could attack or behave differently.
The advantage of this solution is that the firewall is almost (but not quite)
fully transparent.

------
danielrhodes
How about unplugging the Ethernet cable?

~~~
mvikramaditya
Paraphrasing from the article, this tool allows the machine to have internet
access while being isolated from the local network.

~~~
AsymetricCom
This should be enforced at the switch level.

~~~
hack_edu
Sometimes Ops takes 48 hours to resolve tickets.

------
j_s
_the infected targeted cannot touch the firewall machine in any way, except
as allowed within the is_allowed() function_

The security guarantee is derived from the minimal attack surface of this
is_allowed() method, but fails to consider the dependency on libpcap!

