Guardian 1.0


This is my cheap hack at an active firewall. Right now it only works on Linux.
In the future it might work with other OSes, especially OSes which can deny
packets on the fly without having to restart a daemon.

Guardian watches the output from Snort, a lightweight intrusion detection
system, and uses ipchains to deny any further packets from the attacker from
reaching the system.

Before it does this, it checks to make sure we are allowed to block the
attacker's IP address. This prevents Guardian from blocking spoofed packets
which look like they originated from a trusted machine.
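The following is an added example, not Guardian's own code, showing the decision described above: parse Snort-style alert lines, skip any source that matches the ignore file, and produce one ipchains deny command per new attacker. The alert layout and the sample addresses are constructed assumptions, and the commands are returned as strings rather than executed.

```python
import ipaddress
import re

# Constructed sample of Snort-style alert output (layout is an assumption):
# a title line followed by a "timestamp src:port -> dst:port" line.
SAMPLE_ALERTS = """\
[**] IDS/scan-probe [**]
01/20-15:43:22.102400 10.1.2.3:1032 -> 192.168.1.5:53
[**] IDS/scan-probe [**]
01/20-15:43:25.001000 192.168.1.1:4021 -> 192.168.1.5:23
[**] IDS/scan-probe [**]
01/20-15:43:30.550000 10.1.2.3:1033 -> 192.168.1.5:111
"""

# Constructed ignore file: trusted hosts and networks that must never be
# blocked, so a spoofed packet "from" the gateway or DNS server does no harm.
SAMPLE_IGNORE = """\
# gateway
192.168.1.1
# DNS servers
10.0.0.0/24
"""

PAIR_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):\d+\s*->\s*(\d+\.\d+\.\d+\.\d+):\d+")

def load_ignore(text):
    """Parse an ignore file into networks; '#' comments and blank lines are skipped."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def is_ignored(ip, nets):
    """True if ip falls inside any ignored host or network."""
    return any(ipaddress.ip_address(ip) in n for n in nets)

def plan_blocks(alert_text, ignore_text):
    """Return the ipchains commands to issue, one per new, non-ignored attacker.

    Nothing is executed here: applying them needs root and an ipchains kernel,
    so the caller decides whether to run them.
    """
    nets = load_ignore(ignore_text)
    blocked, commands = set(), []
    for m in PAIR_RE.finditer(alert_text):
        src = m.group(1)
        if src in blocked or is_ignored(src, nets):
            continue  # trusted (possibly spoofed) source, or already blocked
        blocked.add(src)
        commands.append(f"ipchains -I input -s {src} -j DENY")
    return commands
```

Of the three constructed alerts, the one from the gateway is ignored and the two from 10.1.2.3 collapse into a single deny command.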


Getting Started:

First, you need to install Snort. Information on Snort, and a link to download
it, can be found here: http://www.clark.net/~roesch/security.html

DON'T forget to download libpcap, which Snort needs to compile. It can be
found here: ftp://ftp.ee.lbl.gov/libpcap.tar.Z


Now that you have Snort installed and working, let's get down to business with
Guardian.

It's important to remember that both Snort and Guardian need to run as root.
Guardian needs to run as root so that it can issue ipchains commands.

First, you will need to edit the guardian.conf file. It is pretty
straightforward, and well documented (I hope :)

Now you need to copy the guardian.conf file to /etc/guardian.conf (the default
location it looks in), or you can run Guardian with the -c option and tell it
where the config file is located.

Next, you will want to set up your ignore file. This is the file you defined in
the guardian.conf file with the IgnoreFile keyword. It is a good idea to put
your DNS servers, your gateway, and the IP of any other remote machine you
access often in it.

Once you have that in place, the next thing you need to do is create your log
file; a simple 'touch /var/log/guardian.log' should work.

Now we should be ready to run. Just run Guardian. If Snort is running, then
everything should work fine.

A quick word about Snort rules. While there are LOTS of Snort rules available,
some rules are there for informative purposes only and usually do not indicate
an attack. So you will need to go through the rules and ask yourself: if this
rule gets triggered, is it something I would want to deny on? If not, then
don't use the rule.
