[CentOS] Firewall question

2021-11-09 Thread Jerry Geis
Hi - When updating firewalld on my CentOS 7, why does virt-manager lose
connections to all the GUIs?  I just close the virt-manager main window,
select virt-manager from the gnome side panel and re-run it, and then they
all come back after you click on them - but why is the connection to the
GUI lost?  Can I prevent that somehow?

Thanks,

Jerry
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


[CentOS] firewall-cmd - bug or bad design

2020-12-02 Thread Jon LaBadie
In my firewall I use an ipset as a geographical blacklist.

A single address can be entered into the blacklist using
CIDR notation or not, i.e.

111.222.111.222/32  OR  111.222.111.222

while a block of IP addresses can be entered using CIDR notation:

111.222.111.0/24

Both the ipset and firewall-cmd commands have ways to ask if an address
has already been entered into the blacklist.  The basic syntax is

  ipset test <setname> <entry>

  firewall-cmd --ipset=<setname> --query-entry=<entry>

With ipset I can test a single address using CIDR or not regardless
of how it was entered.  If the entry was a block of addresses, any
address within the block is reported as "in the ipset".

firewall-cmd responds differently.  If I entered "111.222.111.222/32"
(i.e. using CIDR) into the list, firewall-cmd reports the address as
"NOT entered" if I query the simple form "111.222.111.222" even though
they are the same single address.  Conversely, if the original entry
was simple, the CIDR form is reported as "NOT entered".

With block entries like 111.222.111.0/24, any address within the block
is reported as "NOT entered"!  Only the actual string entered,
111.222.111.0/24, is considered "entered".

I use these types of queries to decide whether an IP address is already
being blocked.  Clearly relying on the firewall-cmd query would lead to
unnecessary entries.

What do you think, Should I consider this simply a poor design decision
or a reportable "bug"?

-- 
Jon H. LaBadie  j...@labadie.us


Re: [CentOS] firewall questions

2020-06-23 Thread tbuchanan
Working on it.  Some other issues got in the way of testing.


-- 
Ted Buchanan
Computer/Network Analyst - Vincennes University
tbucha...@vinu.edu



From:   "Jon LaBadie" 
To: "Jon LaBadie" 
Date:   06/22/2020 04:57 PM
Subject:    Re: [CentOS] firewall questions
Sent by:"CentOS" 



On Sun, Jun 21, 2020 at 02:33:18PM -0500, Chuck Campbell wrote:
> I'm running Centos 7.8.2003, with firewalld.
> 
> I was getting huge numbers of ssh attempts per day from a few specific ip
> blocks.
> 
> The offenders are 45.0.0.0/24, 49.0.0.0/24, 51.0.0.0/24, 111.0.0.0/24 and
> 118.0.0.0/24, and they amounted to a multiple thousands of attempts per day.
> I installed and configured fail2ban, but still saw a lot of attempts in the
> logs, and the ipset created was filling up.
> 
What type of ipset did you create, perhaps hash:ip where individual
addresses are listed?  If so, consider switching to hash:net which
uses CIDR style entries.  Individual addresses become 1.2.3.4/32
but blocks can be included with a single entry.  My ipset has about
40,000 entries, but covers millions of IP addresses.

If you do switch look on the net for a program called "cidrmerge".
It takes a list of IP addresses and CIDR networks, sorts them
and merges multiple entries into a single network where possible.

Jon
-- 
Jon H. LaBadie  j...@labadie.us




Re: [CentOS] firewall questions

2020-06-22 Thread Jon LaBadie
On Sun, Jun 21, 2020 at 02:33:18PM -0500, Chuck Campbell wrote:
> I'm running Centos 7.8.2003, with firewalld.
> 
> I was getting huge numbers of ssh attempts per day from a few specific ip
> blocks.
> 
> The offenders are 45.0.0.0/24, 49.0.0.0/24, 51.0.0.0/24, 111.0.0.0/24 and
> 118.0.0.0/24, and they amounted to a multiple thousands of attempts per day.
> I installed and configured fail2ban, but still saw a lot of attempts in the
> logs, and the ipset created was filling up.
> 
What type of ipset did you create, perhaps hash:ip where individual
addresses are listed?  If so, consider switching to hash:net which
uses CIDR style entries.  Individual addresses become 1.2.3.4/32
but blocks can be included with a single entry.  My ipset has about
40,000 entries, but covers millions of IP addresses.

If you do switch look on the net for a program called "cidrmerge".
It takes a list of IP addresses and CIDR networks, sorts them
and merges multiple entries into a single network where possible.

Jon
-- 
Jon H. LaBadie  j...@labadie.us
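Both of Jon's points, here and in his "firewall-cmd - bug or bad design" post above, as an added Python example that is not part of either post: 'ipset test' answers by network membership while 'firewall-cmd --query-entry' matches the literal string, and a hash:ip style list can be collapsed into hash:net entries the way cidrmerge does. The blacklist entries and addresses are constructed, and the collapsing uses the standard library's ipaddress module rather than cidrmerge itself.

```python
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed blacklist in the mixed style Jon describes: one host written
# in CIDR form, one plain host, and a /24 block.
BLACKLIST = ["111.222.111.222/32", "203.0.113.9", "111.222.111.0/24"]


def to_network(entry: str) -> Network:
    """Normalise an entry so that '1.2.3.4' and '1.2.3.4/32' compare equal;
    strict=False also tolerates host bits set inside a block."""
    return ipaddress.ip_network(entry, strict=False)


def query_literal(entries: Iterable[str], query: str) -> bool:
    """The behaviour Jon saw from 'firewall-cmd --ipset=... --query-entry=':
    only the exact text that was entered counts as present."""
    return query in set(entries)


def query_member(entries: Iterable[str], query: str) -> bool:
    """The behaviour of 'ipset test': the queried host or network is present
    if some entry contains it, regardless of how either side was written."""
    wanted = to_network(query)
    return any(wanted.version == net.version and wanted.subnet_of(net)
               for net in map(to_network, entries))


def merge_entries(entries: Iterable[str]) -> List[str]:
    """cidrmerge-style collapse for a hash:net set: drop hosts that already sit
    inside a block and join adjacent blocks into one larger network."""
    nets = [to_network(e) for e in entries]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def addresses_covered(entries: Iterable[str]) -> int:
    """Number of individual addresses the entries block in total."""
    return sum(n.num_addresses for n in map(to_network, merge_entries(entries)))


if __name__ == "__main__":
    for q in ["111.222.111.222", "111.222.111.222/32", "111.222.111.5",
              "203.0.113.9", "111.222.112.1"]:
        print(f"{q:22} literal={query_literal(BLACKLIST, q)!s:5} "
              f"member={query_member(BLACKLIST, q)}")
    # Constructed hash:ip style list: two adjacent /24s plus hosts inside them.
    hash_ip_style = ["10.0.0.0/24", "10.0.1.0/24", "10.0.0.7", "10.0.1.200", "192.0.2.1"]
    print(merge_entries(hash_ip_style), addresses_covered(hash_ip_style))
```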


Re: [CentOS] firewall questions

2020-06-21 Thread Erick Perez - Quadrian Enterprises
Please take a look at https://www.wireguard.com/quickstart/
We have now reduced the attack vector to only the things offered to the public
(https, smtp tls and imaps/s).

On Sun, Jun 21, 2020 at 3:58 PM Pete Biggs  wrote:

> On Sun, 2020-06-21 at 16:47 -0400, mailist wrote:
> > On 2020-06-21 15:33, Chuck Campbell wrote:
> > > I'm running Centos 7.8.2003, with firewalld.
> > >
> > > I was getting huge numbers of ssh attempts per day from a few specific
> > > ip blocks.
> >
> > If you can control the ssh clients, switch your port number to a
> > non-standard
> > port.  Pick one in /etc/services that does not seem to be allocated.
> > Then change
> > "Port" in ssh_config and sshd_config;  If other clients are being used
> > (like Putty),
> > it is easy to change it there.
> >
> > We used to get at least 50 probes per day on port 22.  Now we get zero.
> >
> I used this technique for a number of years - then it got leaked to the
> script kiddies the port that was used. We don't have anything
> particularly valuable that they were looking for (I don't think!), but
> there are lists of subnets & ports out there that the kiddies use so
> once one found it, the flood gates opened.  SSH is now protected behind
> a VPN.
>
> It's a valid thing to do and makes things much saner, but don't assume
> it is a forever solution and don't use it as an excuse to reduce other
> protections you may have.
>
> P.
>
>
>


-- 

-
Erick Perez
Quadrian Enterprises S.A. - Panama, Republica de Panama
Skype chat: eaperezh
WhatsApp IM: +507-6675-5083
-


Re: [CentOS] firewall questions

2020-06-21 Thread Pete Biggs
On Sun, 2020-06-21 at 16:47 -0400, mailist wrote:
> On 2020-06-21 15:33, Chuck Campbell wrote:
> > I'm running Centos 7.8.2003, with firewalld.
> > 
> > I was getting huge numbers of ssh attempts per day from a few specific
> > ip blocks.
> 
> If you can control the ssh clients, switch your port number to a 
> non-standard
> port.  Pick one in /etc/services that does not seem to be allocated.  
> Then change
> "Port" in ssh_config and sshd_config;  If other clients are being used 
> (like Putty),
> it is easy to change it there.
> 
> We used to get at least 50 probes per day on port 22.  Now we get zero.
> 
I used this technique for a number of years - then it got leaked to the
script kiddies the port that was used. We don't have anything
particularly valuable that they were looking for (I don't think!), but
there are lists of subnets & ports out there that the kiddies use so
once one found it, the flood gates opened.  SSH is now protected behind
a VPN.

It's a valid thing to do and makes things much saner, but don't assume
it is a forever solution and don't use it as an excuse to reduce other
protections you may have.

P.




Re: [CentOS] firewall questions

2020-06-21 Thread mailist

On 2020-06-21 15:33, Chuck Campbell wrote:

I'm running Centos 7.8.2003, with firewalld.

I was getting huge numbers of ssh attempts per day from a few specific
ip blocks.


If you can control the ssh clients, switch your port number to a
non-standard port.  Pick one in /etc/services that does not seem to be
allocated.  Then change "Port" in ssh_config and sshd_config; if other
clients are being used (like Putty), it is easy to change it there.

We used to get at least 50 probes per day on port 22.  Now we get zero.

Todd Merriman
Software Toolz, Inc.


Re: [CentOS] firewall questions

2020-06-21 Thread Pete Biggs
On Sun, 2020-06-21 at 14:33 -0500, Chuck Campbell wrote:
> I'm running Centos 7.8.2003, with firewalld.
> 
> I was getting huge numbers of ssh attempts per day from a few specific 
> ip blocks.
> 
> The offenders are 45.0.0.0/24, 49.0.0.0/24, 51.0.0.0/24, 111.0.0.0/24 
> and 118.0.0.0/24, and they amounted to a multiple thousands of attempts 
> per day.

It seems oddly coincidental that they are all x.0.0.y addresses - the
netblocks they belong to are all much bigger than /24.  I can
understand getting attacks from a range of IPs from an ISP or the like,
but the 51.0.0.0/24 is part of a UK government network and I think they
would be all over it if a range of their network was being used for
naughty purposes.

> 
> I did some more research, and decided to use a few rich rules to block 
> these attempts. I currently have these in place:
> 
> #firewall-cmd --list-all
> public (active)
>target: default
>icmp-block-inversion: no
>interfaces: p3p1
>sources:
>services: dhcpv6-client ftp http https imap imaps pop3 pop3s 
> smtp-submission smtps ssh
>ports: 110/tcp 995/tcp 143/tcp 993/tcp 25/tcp 21/tcp
>protocols:
>masquerade: no
>forward-ports:
>source-ports:
>icmp-blocks:
>rich rules:
>  rule family="ipv4" source address="49.0.0.0/24" reject
>  rule family="ipv4" source address="51.0.0.0/24" reject
>  rule family="ipv4" source address="111.0.0.0/24" reject

Is that the correct interface referred to in the zone?  Can you see the
rich rules implemented properly in the output of 'iptables -L'? (They
should be in the chain IN_public_deny.)

> 
> But I still get hundreds of attempts reported in my fail2ban logs from 
> these ip blocks. How is it that the rich rules don't drop these packets 
> before pam/ssh/fail2ban ever get to see them?

Is fail2ban stopping the individual hosts? Do you have the recidive
rule enabled to permaban them?

Do you get legitimate SSH connections from anywhere?  Can you remove
the ssh service and add rich rules to allow certain hosts or netblocks
to connect via port 22?

Finally, do you have a network firewall that can be used to block the
connections?

> There must be some precedence in the firewalling I don't understand.

Yes, there is a precedence, but it should be working in your favour -
the chain 'IN_public' contains the public inbound chain and it should
contain:

   # iptables -L IN_public
   Chain IN_public (2 references)
   target prot opt source   destination 
   IN_public_log  all  --  anywhere anywhere
   IN_public_deny  all  --  anywhere anywhere
   IN_public_allow  all  --  anywhere anywhere
   ACCEPT icmp --  anywhere anywhere

So it should be denying packets before allowing them (and
the IN_public_allow chain is what contains your ssh service
definition).

P.




Re: [CentOS] firewall questions

2020-06-21 Thread John Pierce
On Sun, Jun 21, 2020 at 12:33 PM Chuck Campbell 
wrote:

> I'm running Centos 7.8.2003, with firewalld.
>
> I was getting huge numbers of ssh attempts per day from a few specific
> ip blocks.
>
> The offenders are 45.0.0.0/24, 49.0.0.0/24, 51.0.0.0/24, 111.0.0.0/24
> and 118.0.0.0/24,
>


so just 45.0.0.0 through 45.0.0.255 and not other 45.x.y blocks?  ditto
your other networks?  sure you didn't mean /8 or another sized subnet on
there?

doing some whois, the actual 45.0.0.0 block has a netmask of /15, which is
45.0.0.0 through 45.1.255.255, and belongs to Interop, the IT trade show.
45.2.0.0/16 belongs to Frontier Networks in Ontario, CA
45.3.0.0/19 belongs to Start Cable in Ontario
45.3.32.0/19 belongs to someone in Las Vegas.
45.3.64.0/18 belongs to Virginia Polytechnic
45.3.128.0/17 belongs to Charter Cable (formerly Bright House Networks)
45.4.0.0/14 is LANIC, and further diced into a multitude of Latin America
networks.
45.8.0.0/13 is RIPE, and diced into various European networks.
etc etc etc.


anyways, I didn't see your rules explicitly blocking 22/tcp, which is ssh...

-- 
-john r pierce
  recycling used bits in santa cruz
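Pete's two checks (did the rich rules land in IN_public_deny, and does IN_public jump to the deny chain before the allow chain) together with John's point that a x.0.0.0/24 rule covers only x.0.0.0 through x.0.0.255, as an added Python example that is not from any post in the thread. The 'iptables -L -n' listing is constructed to match what Pete shows plus the deny chain Chuck's three rich rules would produce, and the logged addresses are constructed too; on a real host the listing would be read from 'iptables -L -n'.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class Rule(NamedTuple):
    target: str
    prot: str
    source: str
    destination: str
    extra: str


# Constructed 'iptables -L -n' output: IN_public as Pete lists it, plus the
# IN_public_deny chain that Chuck's three rich rules should have produced.
IPTABLES_OUTPUT = """\
Chain IN_public (2 references)
target     prot opt source               destination
IN_public_log  all  --  0.0.0.0/0            0.0.0.0/0
IN_public_deny  all  --  0.0.0.0/0            0.0.0.0/0
IN_public_allow  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0

Chain IN_public_deny (1 references)
target     prot opt source               destination
REJECT     all  --  49.0.0.0/24          0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  51.0.0.0/24          0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  111.0.0.0/24         0.0.0.0/0            reject-with icmp-port-unreachable
"""

# Constructed sample of source addresses as fail2ban might report them.
LOGGED = ["49.0.0.17", "111.7.100.2", "45.83.12.9", "51.0.0.200"]


def parse_chains(listing: str) -> Dict[str, List[Rule]]:
    """Split 'iptables -L -n' output into {chain name: [rules in order]}."""
    chains: Dict[str, List[Rule]] = {}
    current = None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif line.startswith("target ") or not line.strip() or current is None:
            continue  # column header, blank separator, or text before any chain
        else:
            # columns: target prot opt source destination [extra...]
            parts = line.split(None, 5)
            extra = parts[5] if len(parts) > 5 else ""
            chains[current].append(Rule(parts[0], parts[1], parts[3], parts[4], extra))
    return chains


def deny_before_allow(chains: Dict[str, List[Rule]], zone: str = "public") -> bool:
    """Pete's precedence check: inside IN_<zone> the jump to the deny chain
    must come before the jump to the allow chain that holds the ssh service."""
    targets = [r.target for r in chains.get(f"IN_{zone}", [])]
    deny, allow = f"IN_{zone}_deny", f"IN_{zone}_allow"
    return (deny in targets and allow in targets
            and targets.index(deny) < targets.index(allow))


def blocked_sources(chains: Dict[str, List[Rule]], zone: str = "public") -> List[Network]:
    """Source networks of the REJECT/DROP rules in IN_<zone>_deny, i.e. the
    rich rules as the kernel actually sees them."""
    return [ipaddress.ip_network(r.source) for r in chains.get(f"IN_{zone}_deny", [])
            if r.target in ("REJECT", "DROP")]


def uncovered(sources: List[Network], addresses: List[str]) -> List[str]:
    """Logged addresses that no deny rule matches. A x.0.0.0/24 entry only
    covers x.0.0.0-x.0.0.255, so most of a /8's attackers slip past it."""
    return [a for a in addresses
            if not any(ipaddress.ip_address(a) in net for net in sources)]


if __name__ == "__main__":
    chains = parse_chains(IPTABLES_OUTPUT)
    print("deny evaluated before allow:", deny_before_allow(chains))
    srcs = blocked_sources(chains)
    print("deny rules:", [str(s) for s in srcs])
    print("logged but not covered by any deny rule:", uncovered(srcs, LOGGED))
```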


[CentOS] firewall questions

2020-06-21 Thread Chuck Campbell

I'm running Centos 7.8.2003, with firewalld.

I was getting huge numbers of ssh attempts per day from a few specific 
ip blocks.


The offenders are 45.0.0.0/24, 49.0.0.0/24, 51.0.0.0/24, 111.0.0.0/24 
and 118.0.0.0/24, and they amounted to a multiple thousands of attempts 
per day. I installed and configured fail2ban, but still saw a lot of 
attempts in the logs, and the ipset created was filling up.


I did some more research, and decided to use a few rich rules to block 
these attempts. I currently have these in place:


#firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: p3p1
  sources:
  services: dhcpv6-client ftp http https imap imaps pop3 pop3s 
smtp-submission smtps ssh

  ports: 110/tcp 995/tcp 143/tcp 993/tcp 25/tcp 21/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv4" source address="49.0.0.0/24" reject
    rule family="ipv4" source address="51.0.0.0/24" reject
    rule family="ipv4" source address="111.0.0.0/24" reject

But I still get hundreds of attempts reported in my fail2ban logs from 
these ip blocks. How is it that the rich rules don't drop these packets 
before pam/ssh/fail2ban ever get to see them?


There must be some precedence in the firewalling I don't understand.


-chuck



--
ACCEL Services, Inc.| Specialists in Gravity, Magnetics |  (713)993-0671 ph.
|   and Integrated Interpretation   |  (713)993-0608 fax
448 W. 19th St. #325|Since 1992 |  (713)306-5794 cell
 Houston, TX, 77008 |  Chuck Campbell   | campb...@accelinc.com
|  President & Senior Geoscientist  |

 "Integration means more than having all the maps at the same scale!"



Re: [CentOS] firewall help request

2020-06-17 Thread Tony Mountifield
In article ,
Paul Heinlein  wrote:
> On Tue, 16 Jun 2020, Leroy Tennison wrote:
> 
> > I have a gateway machine (currently Centos 7 with IPV4 only) with two
> > NICs.  One is connected to the internet, the other to an internal
> > network (10.0.0.0/24) of mixed hardware (windows7, android tablets,
> > android phones, linux boxes) using NAT.  I wish to block all outgoing
> > connects to any external IP address on port 22 (ssh) originating from
> > any internal machine except one (which has a known internal IP address).
> >
> > I've tried some commands using 'iptables' to accomplish this, but so
> > far have failed.  If anyone has a suggestion, I'd really appreciate
> > it.  In addition, a suitable version for 'firewalld' could be useful,
> > as an upgrade to Centos 8 is in plan.
> >
> > Examples of what I've tried, and then tested.  None of them stopped
> > an outgoing SSH from an internal system.
> >
> >   iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
> >   iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
> 
> I'm not sure it's your INPUT table that needs that rule. I don't have 
> any NAT machines for experimentation, but my initial hunch is that 
> you'd want OUTPUT rules, e.g.,
> 
> iptables -A OUTPUT -p tcp --dport 22 -s ${GOODIP}/32 -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 22 -s 10.0.0.0/24  -j REJECT

No, the OUTPUT chains apply to traffic originating within the machine
itself (the gateway machine).

But for traffic being forwarded by the gateway, it will use the FORWARD
chains rather than the INPUT chains. So probably something like this:

iptables -A FORWARD -p tcp --dport 22 -s ${GOODIP}/32 -j ACCEPT
iptables -A FORWARD -p tcp --dport 22 -s 10.0.0.0/24  -j REJECT

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] firewall help request (solved)

2020-06-17 Thread Simon Matter via CentOS
> At 03:47 PM 6/16/2020, Kenneth Porter wrote:
>>The rule is in the wrong chain. The INPUT chain affects packets that
>>terminate at the same machine. You want to block packets that will
>>be passed on to the Internet, so your rule needs to be in the
>>FORWARD chain. (The OUTPUT chain affects packets that originate at
>>your machine.)
>>
>>Here's a nice collection of diagrams showing how packets flow
>>through the system:
>>
>>
>
>
> Ah ... Caught it.  So here is the IPTABLES method to block output on
> port 22 from internal machines on a gateway:
>
>iptables -I FORWARD -p tcp --dport 22 -i
> {name-of-internal-interface} -j DROP
>
> So, for example, if your internal interface is, for example,
> /dev/enp2s0, you'd write
>
>iptables -I FORWARD -p tcp --dport 22 -i enp2s0 -j DROP
>
> If you want to log such attempts, precede it with a log
> request.  Since I'm using the -I command (insert at top), it means
> the log request is entered second:
>
>iptables -I FORWARD -p tcp --dport 22 -i
> {name-of-internal-interface} -j LOG --log-prefix "LOOK HERE"
>
>
> If someone can suggest a firewall-cmd equivalent, it would be nice.

For that kind of firewalling, I suggest using Shorewall instead:

https://shorewall.org/

IMHO it's the better tool for where you need more than a "personal" firewall.

Regards,
Simon



Re: [CentOS] firewall help request (solved)

2020-06-16 Thread Kenneth Porter

--On Tuesday, June 16, 2020 5:20 PM -0700 david  wrote:


If someone can suggest a firewall-cmd equivalent, it would be nice.


Alas, firewalld is targeted at end nodes and doesn't really provide much 
facility for routers. Its big advantage there is in setting up a reasonable 
default firewall for the gateway itself. The only real gateway support is 
to enable masquerade on the external interface.


I use firewalld direct rules for controlling the forwarded packets. They 
look like iptables rules and get injected into firewalld's own subchains. 
Use "iptables -L -v -n" to dump the whole mess into a file for examination.


In /etc/firewalld/direct.xml, you could add an XML passthrough node like 
this:


  <passthrough ipv="ipv4">-I FWDI_internal_deny 1 -p tcp --dport 22 -j DROP</passthrough>


This assumes your internal zone is named internal. Change the chain name to 
match your zone name. You don't need to specify the interface name here 
because the FWDI_internal chain is only invoked if the inbound interface 
matches an interface in that zone.


Also note that the -I option takes a chain name and a number indicating 
where to insert a rule. I use 1 to put the rule at the start of any rules 
that firewalld has already inserted. So if you need a LOG rule, you'll want 
to put the nodes in reverse order in the XML file so they get inserted 
backwards, last rule first. I.e. insert the DROP rule, then the LOG rule.


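Tony's FORWARD-side ACCEPT/REJECT pair and Kenneth's direct.xml passthrough with its reversed insertion order, as an added Python example that is not from either post. The zone and the FWDI_internal_deny chain follow Kenneth's post, the LAN is the original poster's 10.0.0.0/24, the permitted host 10.0.0.50 and the log prefix are constructed, and the <direct>/<passthrough ipv="ipv4"> layout is assumed from firewalld's direct.xml format.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed policy values: zone name from Kenneth's post, LAN from the
# original question, permitted host and log prefix invented for the example.
ZONE = "internal"
LAN = "10.0.0.0/24"
GOOD_IP = "10.0.0.50"
PORT = 22


def evaluation_order(zone: str, lan: str, good_ip: str, port: int) -> List[str]:
    """Rules in the order the kernel must evaluate them in FWDI_<zone>_deny:
    accept the one permitted host, log everything else, then drop it. This is
    Tony's ACCEPT/REJECT pair moved into firewalld's forward-input deny chain,
    plus David's LOG rule. Every rule uses '-I <chain> 1', as Kenneth does."""
    base = f"-I FWDI_{zone}_deny 1 -p tcp --dport {port}"
    return [
        f"{base} -s {good_ip}/32 -j ACCEPT",
        f"{base} -s {lan} -j LOG --log-prefix ssh-out-blocked:",
        f"{base} -s {lan} -j DROP",
    ]


def direct_xml(rules_in_evaluation_order: List[str]) -> str:
    """Render /etc/firewalld/direct.xml. Because each passthrough inserts at
    position 1, the file must list the rules backwards (DROP first) for them
    to end up in evaluation order, which is the caveat Kenneth gives."""
    root = ET.Element("direct")
    for rule in reversed(rules_in_evaluation_order):
        ET.SubElement(root, "passthrough", ipv="ipv4").text = rule
    return ET.tostring(root, encoding="unicode")


def simulate(direct_xml_text: str) -> List[str]:
    """Replay the passthroughs the way iptables applies '-I <chain> <n>' and
    return the resulting chain, so the order can be checked without root."""
    chain: List[str] = []
    for node in ET.fromstring(direct_xml_text).findall("passthrough"):
        parts = (node.text or "").split()
        if not parts or parts[0] != "-I":
            raise ValueError(f"only -I passthroughs are simulated: {node.text!r}")
        position = int(parts[2])  # 1-based, as iptables counts rule numbers
        chain.insert(position - 1, " ".join(parts[3:]))
    return chain


if __name__ == "__main__":
    xml_text = direct_xml(evaluation_order(ZONE, LAN, GOOD_IP, PORT))
    print(xml_text)
    for number, rule in enumerate(simulate(xml_text), 1):
        print(number, rule)
```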


Re: [CentOS] firewall help request (solved)

2020-06-16 Thread david

At 03:47 PM 6/16/2020, Kenneth Porter wrote:
The rule is in the wrong chain. The INPUT chain affects packets that 
terminate at the same machine. You want to block packets that will 
be passed on to the Internet, so your rule needs to be in the 
FORWARD chain. (The OUTPUT chain affects packets that originate at 
your machine.)


Here's a nice collection of diagrams showing how packets flow 
through the system:






Ah ... Caught it.  So here is the IPTABLES method to block output on 
port 22 from internal machines on a gateway:


  iptables -I FORWARD -p tcp --dport 22 -i {name-of-internal-interface} -j DROP


So, for example, if your internal interface is, for example, 
/dev/enp2s0, you'd write


  iptables -I FORWARD -p tcp --dport 22 -i enp2s0 -j DROP

If you want to log such attempts, precede it with a log 
request.  Since I'm using the -I command (insert at top), it means 
the log request is entered second:


  iptables -I FORWARD -p tcp --dport 22 -i {name-of-internal-interface} -j LOG --log-prefix "LOOK HERE"



If someone can suggest a firewall-cmd equivalent, it would be nice.

David in SF



Re: [CentOS] firewall help request

2020-06-16 Thread Kenneth Porter
The rule is in the wrong chain. The INPUT chain affects packets that 
terminate at the same machine. You want to block packets that will be 
passed on to the Internet, so your rule needs to be in the FORWARD chain. 
(The OUTPUT chain affects packets that originate at your machine.)


Here's a nice collection of diagrams showing how packets flow through the 
system:






Re: [CentOS] firewall help request

2020-06-16 Thread Paul Heinlein

On Tue, 16 Jun 2020, Leroy Tennison wrote:


I have a gateway machine (currently Centos 7 with IPV4 only) with two
NICs.  One is connected to the internet, the other to an internal
network (10.0.0.0/24) of mixed hardware (windows7, android tablets,
android phones, linux boxes) using NAT.  I wish to block all outgoing
connects to any external IP address on port 22 (ssh) originating from
any internal machine except one (which has a known internal IP address).

I've tried some commands using 'iptables' to accomplish this, but so
far have failed.  If anyone has a suggestion, I'd really appreciate
it.  In addition, a suitable version for 'firewalld' could be useful,
as an upgrade to Centos 8 is in plan.

Examples of what I've tried, and then tested.  None of them stopped
an outgoing SSH from an internal system.

  iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
  iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP


I'm not sure it's your INPUT table that needs that rule. I don't have 
any NAT machines for experimentation, but my initial hunch is that 
you'd want OUTPUT rules, e.g.,


iptables -A OUTPUT -p tcp --dport 22 -s ${GOODIP}/32 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -s 10.0.0.0/24  -j REJECT

--
Paul Heinlein
heinl...@madboa.com
45°38' N, 122°6' W


Re: [CentOS] firewall help request

2020-06-16 Thread John Pierce
On Tue, Jun 16, 2020 at 1:26 PM david  wrote:

>
> ...  I'm assuming
> that your advice about LAN represents the internal network because on
> most routers, it is, and WAN is the internet connection.
>
>
>
yeah, LAN == Local Area Network,  WAN == Wide Area Network, generally
meaning the internet.


-- 
-john r pierce
  recycling used bits in santa cruz


Re: [CentOS] firewall help request

2020-06-16 Thread david

At 12:30 PM 6/16/2020, John Pierce wrote:

On Tue, Jun 16, 2020 at 12:26 PM david  wrote:

>
> Examples of what I've tried, and then tested.  None of them stopped
> an outgoing SSH from an internal system.
>
>iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
>iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
>
>
>
which interface is that bound to?   I don't see a -i eth0 or whatever, but
you want that rule on your LAN interface.

note these rules will also prevent any host on 10.0.0.0/24 from ssh'ing to
the gateway machine itself.


At your suggestion, the command became

iptables -I INPUT -p tcp --dport 22 -i enp3s0 -s 10.0.0.0/24 -j DROP

where enp3s0 is the internal NIC with address 10.0.0.1.  I'm assuming 
that your advice about LAN represents the internal network because on 
most routers, it is, and WAN is the internet connection.


And ssh worked :-(
unfortunately

I know that many ISPs block outgoing port 25, so I know this is do-able.

David 




[CentOS] firewall help request

2020-06-16 Thread Leroy Tennison
Is your policy accept?  It is possible to trace the packet through the 
netfilter path by setting up raw table rules with TRACE as the target and 
logging turned on (search the web for details - probably too much to post here) 
but be aware that you need a very controlled test because the syslog entries 
will likely be an order of magnitude greater than the actual packet count.


From: CentOS  on behalf of david 
Sent: Tuesday, June 16, 2020 2:21 PM
To: CentOS mailing list 
Subject: [EXTERNAL] [CentOS] firewall help request



Folks

I'm struggling with my firewall settings, and would appreciate some help.

I have a gateway machine (currently Centos 7 with IPV4 only) with two
NICs.  One is connected to the internet, the other to an internal
network (10.0.0.0/24) of mixed hardware (windows7, android tablets,
android phones, linux boxes) using NAT.  I wish to block all outgoing
connects to any external IP address on port 22 (ssh) originating from
any internal machine except one (which has a known internal IP address).

I've tried some commands using 'iptables' to accomplish this, but so
far have failed.  If anyone has a suggestion, I'd really appreciate
it.  In addition, a suitable version for 'firewalld' could be useful,
as an upgrade to Centos 8 is in plan.

Examples of what I've tried, and then tested.  None of them stopped
an outgoing SSH from an internal system.

   iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
   iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP

Much thanks

David


Leroy Tennison
Network Information/Cyber Security Specialist
E: le...@datavoiceint.com




2220 Bush Dr
McKinney, Texas
75070
www.datavoiceint.com







Re: [CentOS] firewall help request

2020-06-16 Thread John Pierce
On Tue, Jun 16, 2020 at 12:26 PM david  wrote:

>
> Examples of what I've tried, and then tested.  None of them stopped
> an outgoing SSH from an internal system.
>
>iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
>iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
>
>
>
which interface is that bound to?   I don't see a -i eth0 or whatever, but
you want that rule on your LAN interface.

note these rules will also prevent any host on 10.0.0.0/24 from ssh'ing to
the gateway machine itself.


-- 
-john r pierce
  recycling used bits in santa cruz


[CentOS] firewall help request

2020-06-16 Thread david

Folks

I'm struggling with my firewall settings, and would appreciate some help.

I have a gateway machine (currently Centos 7 with IPV4 only) with two 
NICs.  One is connected to the internet, the other to an internal 
network (10.0.0.0/24) of mixed hardware (windows7, android tablets, 
android phones, linux boxes) using NAT.  I wish to block all outgoing 
connects to any external IP address on port 22 (ssh) originating from 
any internal machine except one (which has a known internal IP address).


I've tried some commands using 'iptables' to accomplish this, but so 
far have failed.  If anyone has a suggestion, I'd really appreciate 
it.  In addition, a suitable version for 'firewalld' could be useful, 
as an upgrade to Centos 8 is in plan.


Examples of what I've tried, and then tested.  None of them stopped 
an outgoing SSH from an internal system.


  iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
  iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP

Much thanks

David



Re: [CentOS] Firewall trouble with Kickstart

2018-09-24 Thread Patrick Begou

Damned! I do not know how many times I checked this line without finding my error!
Thanks Mark :-)

Mark Milhollan wrote:

On Fri, 21 Sep 2018, Patrick Begou wrote:


firewall --enabled --ssh --service=nfs --port=111:tcp,111:upd,875:tcp,875:upd

udp not upd.


/mark




--
===
|  Equipe M.O.S.T. |  |
|  Patrick BEGOU   | mailto:patrick.be...@grenoble-inp.fr |
|  LEGI|  |
|  BP 53 X | Tel 04 76 82 51 35   |
|  38041 GRENOBLE CEDEX| Fax 04 76 82 52 71   |
===



Re: [CentOS] Firewall trouble with Kickstart

2018-09-21 Thread Mark Milhollan
On Fri, 21 Sep 2018, Patrick Begou wrote:

> firewall --enabled --ssh --service=nfs --port=111:tcp,111:upd,875:tcp,875:upd

udp not upd.


/mark


Re: [CentOS] firewall-config not functional

2016-06-08 Thread Jonathan Billings
On Jun 8, 2016, at 6:48 AM, Steve Clark  wrote:
> I must be missing something here, so the system comes up, ip(s) are assigned 
> to the interface, routes, etc then sometime later the switch comes up and you
> ssh in. Never been a problem for me.

Even with static configurations, I’ve had this problem.  At least in RHEL6, if 
the switch doesn’t indicate the interface is up during boot, the ‘network’ 
service detects the down interface and never starts the network service.  full 
stop.  I’ve also seen this happen when the switch has a broadcast storm or some 
other networking problem and doesn’t become active for more than a minute after 
boot.  Often I’ll have to add a line to the ifcfg-* script to have it just 
sleep for 60 seconds before even trying to activate the interface, when I know 
the system is on a switch that takes a long time to perform its splay tree 
calculation.  (Many of my systems are on networks I have no control over, so I 
have to just work around problems like this.)

I’ve always used NM in RHEL7 so I’m not aware if systemd is smart about dynamic 
interface activation of the ‘network’ service.  NM in RHEL7 is so much better 
than in RHEL6 so I haven’t really needed anything else.

--
Jonathan Billings 




Re: [CentOS] firewall-config not functional

2016-06-08 Thread Steve Clark

On 06/07/2016 04:46 PM, Jonathan Billings wrote:
> On Jun 7, 2016, at 13:03, Emmett Culley  wrote:
>>
>> I can see no use case for NetworkManager on our systems.  All network
>> connections are static.
>
> There are a couple reasons I still use NetworkManager on servers, but one big
> one is that the 'network' service runs once, on boot.  If there is no network
> connection, your server's network connection will never come up until you log
> in at a console to fix it or reboot. With the speed of computers these days,
> our servers often boot up faster than the networking equipment after a power
> cut.

I must be missing something here, so the system comes up, ip(s) are assigned to 
the interface, routes, etc then sometime later the switch comes up and you
ssh in. Never been a problem for me.




--
Stephen Clark
*NetWolves Managed Services, LLC.*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.cl...@netwolves.com
http://www.netwolves.com


Re: [CentOS] firewall-config not functional

2016-06-07 Thread Emmett Culley

On 06/07/2016 01:46 PM, Jonathan Billings wrote:
> On Jun 7, 2016, at 13:03, Emmett Culley  wrote:
>>
>> I can see no use case for NetworkManager on our systems.  All network 
>> connections are static.
> 
> There are a couple reasons I still use NetworkManager on servers, but one big 
> one is that the 'network' service runs once, on boot.  If there is no network 
> connection, your server's network connection will never come up until you log 
> in at a console to fix it or reboot. With the speed of computers these days, 
> our servers often boot up faster than the networking equipment after a power 
> cut. 
> 
> --
> Jonathan Billings

As far as I know the network service, in most cases started by systemd, will 
not fail simply because the network an interface is connected to is not up.  
Unless, of course, the interface is set up to use DHCP.


Emmett


Re: [CentOS] firewall-config not functional

2016-06-07 Thread m . roth
Frank Cox wrote:
> On Tue, 7 Jun 2016 17:20:23 -0400
> m.r...@5-cent.us wrote:
>
>> Um, huh? ssh server;service network restart is certainly faster than a
>> reboot.
>
> By what magical incantation will you ssh into a server with no current
> network connection?
>
Plugging in my monitor-on-a-stick. It's still faster than rebooting.

  mark



Re: [CentOS] firewall-config not functional

2016-06-07 Thread Frank Cox
On Tue, 7 Jun 2016 17:20:23 -0400
m.r...@5-cent.us wrote:

> Um, huh? ssh server;service network restart is certainly faster than a
> reboot.

By what magical incantation will you ssh into a server with no current network 
connection?

-- 
MELVILLE THEATRE ~ Real D 3D Digital Cinema ~ www.melvilletheatre.com


Re: [CentOS] firewall-config not functional

2016-06-07 Thread m . roth
Jonathan Billings wrote:
> On Jun 7, 2016, at 13:03, Emmett Culley 
> wrote:
>>
>> I can see no use case for NetworkManager on our systems.  All network
>> connections are static.
>
> There are a couple reasons I still use NetworkManager on servers, but one
> big one is that the 'network' service runs once, on boot.  If there is no
> network connection, your server's network connection will never come up
> until you log in at a console to fix it or reboot. With the speed of
> computers these days, our servers often boot up faster than the networking
> equipment after a power cut.
>
Um, huh? ssh server;service network restart is certainly faster than a
reboot.

 mark



Re: [CentOS] firewall-config not functional

2016-06-07 Thread Jonathan Billings
On Jun 7, 2016, at 13:03, Emmett Culley  wrote:
> 
> I can see no use case for NetworkManager on our systems.  All network 
> connections are static.

There are a couple reasons I still use NetworkManager on servers, but one big 
one is that the 'network' service runs once, on boot.  If there is no network 
connection, your server's network connection will never come up until you log 
in at a console to fix it or reboot. With the speed of computers these days, 
our servers often boot up faster than the networking equipment after a power 
cut. 

--
Jonathan Billings


Re: [CentOS] firewall-config not functional

2016-06-07 Thread cpolish
On 2016-06-07 10:03, Emmett Culley wrote:
> On 06/07/2016 05:05 AM, James Hogarth wrote:
> > On 7 Jun 2016 12:44, "Emmett Culley"  wrote:
> >>
> >> I have a number of machines (hardware and VMs) running CentOS 7.  I all
> > cases firewall-config is not functional.

Just a thought - CentOS7 _minimal_ install doesn't install 
a firewall. There were attempts to get Red Hat to reconsider
this, but they fixed it with documentation. 

If this is your problem, then "yum install firewall-config firewalld" 
might fix it.

HTH, HAND,
-- 
Charles Polisherr



Re: [CentOS] firewall-config not functional

2016-06-07 Thread Emmett Culley
On 06/07/2016 05:05 AM, James Hogarth wrote:
> On 7 Jun 2016 12:44, "Emmett Culley"  wrote:
>>
>> I have a number of machines (hardware and VMs) running CentOS 7.  In all
>> cases firewall-config is not functional.
>>
>> First, the service check boxes are not functional.  When you click on
>> one, it doesn't change to "checked", and nothing changes on the firewall.
>> However you do see a "Changes applied".
>>
>> Sometimes, if you go to permanent mode and attempt to edit a zone, the
>> whole desktop locks up as soon as you click on the default target dropdown.
>>
>> When I run firewall-config from the command line I see the following:
>>
>> --
>>
>> org.freedesktop.DBus.Error.ServiceUnknown: The name
>> org.freedesktop.NetworkManager was not provided by any .service files
>>
>> (firewall-config:5079): Gtk-CRITICAL **: gtk_tree_view_get_path_at_pos:
>> assertion 'tree_view != NULL' failed
>>
>> --
>> with the second line repeating many times and often while attempting to
>> interact with the GUI.
>>
>> We don't use NetworkManager except on laptops, and so do not install it.
>> Though we do install NetworkManager-glib, if only because some packages
>> require it.
>>
>> After seeing a similar bug on the RHEL I also installed
>> NetworkManager-libnm, but that did not make a difference.  That RHEL bug
>> also mentioned this problem only occurs on KDE, and not Gnome.  And we only
>> install KDE when a GUI is required, or desired.
>>
> 
> I'd suggest you install and test with NetworkManager
> 
> Do note that the EL7 NM is a far cry from the one that shipped with EL6 and
> unless you specifically need a facility not exposed by NM it is strongly
> recommended you use it.
> 
> Take a look at my article on nmcli - it's rather lovely to use now:
> 
> https://www.hogarthuk.com/?q=node/8
> 
> As for the firewall tool... don't use it ... it's horrible
> 
> Either use firewall-cmd to configure at the CLI or switch to iptables and
> configure that as you did EL6

I actually like the firewall config tool as it provides easy, out of the box, 
management of servers that don't require complicated iptables rules.  At least 
it was easy when it worked.  For more complicated servers, like gateways, we 
use shorewall.

I can see no use case for NetworkManager on our systems.  All network 
connections are static.

The exception to that is a couple of laptops, and I agree that NetworkManager 
has gotten very handy in that single use case.

Making any application dependent on NetworkManager is just plain silly.  Even 
requiring installation of the NetworkManager libs should not be required.

I suspect that this should probably be brought up with the KDE group as it seems 
to be a problem with how some GTK apps are working within the KDE environment.

Emmett




Re: [CentOS] firewall-config not functional

2016-06-07 Thread James Hogarth
On 7 Jun 2016 12:44, "Emmett Culley"  wrote:
>
> I have a number of machines (hardware and VMs) running CentOS 7.  In all
> cases firewall-config is not functional.
>
> First, the service check boxes are not functional.  When you click on
> one, it doesn't change to "checked", and nothing changes on the firewall.
> However you do see a "Changes applied".
>
> Sometimes, if you go to permanent mode and attempt to edit a zone, the
> whole desktop locks up as soon as you click on the default target dropdown.
>
> When I run firewall-config from the command line I see the following:
>
> --
>
> org.freedesktop.DBus.Error.ServiceUnknown: The name
> org.freedesktop.NetworkManager was not provided by any .service files
>
> (firewall-config:5079): Gtk-CRITICAL **: gtk_tree_view_get_path_at_pos:
> assertion 'tree_view != NULL' failed
>
> --
> with the second line repeating many times and often while attempting to
> interact with the GUI.
>
> We don't use NetworkManager except on laptops, and so do not install it.
> Though we do install NetworkManager-glib, if only because some packages
> require it.
>
> After seeing a similar bug on the RHEL I also installed
> NetworkManager-libnm, but that did not make a difference.  That RHEL bug
> also mentioned this problem only occurs on KDE, and not Gnome.  And we only
> install KDE when a GUI is required, or desired.
>

I'd suggest you install and test with NetworkManager

Do note that the EL7 NM is a far cry from the one that shipped with EL6 and
unless you specifically need a facility not exposed by NM it is strongly
recommended you use it.

Take a look at my article on nmcli - it's rather lovely to use now:

https://www.hogarthuk.com/?q=node/8

As for the firewall tool... don't use it ... it's horrible

Either use firewall-cmd to configure at the CLI or switch to iptables and
configure that as you did EL6


[CentOS] firewall-config not functional

2016-06-07 Thread Emmett Culley
I have a number of machines (hardware and VMs) running CentOS 7.  In all cases 
firewall-config is not functional.

First, the service check boxes are not functional.  When you click on one, it 
doesn't change to "checked", and nothing changes on the firewall.  However you do 
see a "Changes applied".

Sometimes, if you go to permanent mode and attempt to edit a zone, the whole 
desktop locks up as soon as you click on the default target dropdown.

When I run firewall-config from the command line I see the following:

--

org.freedesktop.DBus.Error.ServiceUnknown: The name 
org.freedesktop.NetworkManager was not provided by any .service files

(firewall-config:5079): Gtk-CRITICAL **: gtk_tree_view_get_path_at_pos: 
assertion 'tree_view != NULL' failed

--
with the second line repeating many times and often while attempting to 
interact with the GUI.

We don't use NetworkManager except on laptops, and so do not install it.  
Though we do install NetworkManager-glib, if only because some packages require 
it.

After seeing a similar bug on the RHEL I also installed NetworkManager-libnm, 
but that did not make a difference.  That RHEL bug also mentioned this problem 
only occurs on KDE, and not Gnome.  And we only install KDE when a GUI is 
required, or desired.

Emmett


[CentOS] Firewall-config NetworkManager Problem (Centos-7( 1))

2015-04-06 Thread Günther J . Niederwimmer
Hello

I installed firewall-config on a new system and have bad errors.

firewall-config breaks with an error (line 53: can't load NetworkManager),
and on a reboot I have this message.

ABRT hat 1 Fehler festgestellt. (Für weitere Informationen: abrt-cli list --
since 1428305986)
[root@ipa1 ~]# abrt-cli list --since 1428305986
id 659c6c2d4ec4cc75b8e2156b5be69375e551b82a
reason: firewall-config:34:module:ImportError: cannot import name 
NetworkManager
time:   Mo 06 Apr 2015 09:19:58 CEST
cmdline:/usr/bin/python -Es /usr/bin/firewall-config
package:firewall-config-0.3.9-11.el7
uid:0 (root)
count:  2
Directory:  /var/tmp/abrt/Python-2015-04-06-09:19:58-3224

Does anyone have a hint?
-- 
mit freundlichen Grüßen / best Regards,

  Günther J. Niederwimmer


Re: [CentOS] Firewall question

2014-06-30 Thread Deno Sayangda Dangpaliw
Hi,

There's something weird happening to my CentOS VMs: I cannot switch back to the 
GUI.  Black screen with a single underscore character at the top left of the screen.

OK, so I have an ESXi 5.1 host with 3 VMs, all running CentOS. I rebooted the ESXi 
host yesterday for power maintenance. All went well... until I switched 
consoles on the VMs.

I was able to log in using the GUI, then I pressed Alt F5, then I was sent to 
the text console... I usually do this to save energy. I did the same for all 
the CentOS VMs... now I want to switch back to the GUI but I can't. I even pressed 
all the keys from F1 to F12 but was not able to get back to the GUI on any of 
the VMs.

Can you please advise what I'm missing?

Regards,
Deno



[CentOS] Firewall question

2014-06-26 Thread Jerry Geis
I have a firewall rule to drop packets from certain addresses: (email spam)
my /etc/sysconfig/iptables begins as:

# Generated by iptables-save v1.4.7 on Thu Jun 26 09:11:09 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:148]
-A INPUT -m pkttype --pkt-type multicast -j ACCEPT
-A INPUT -s 223.255.229.0/24 -j DROP
-A INPUT -s 218.96.0.0/24 -j DROP
-A INPUT -s 216.227.128.0/24 -j DROP
-A INPUT -s 216.156.135.0/24 -j DROP
-A INPUT -s 213.251.189.0/24 -j DROP
-A INPUT -s 213.239.219.0/24 -j DROP
-A INPUT -s 213.205.32.0/24 -j DROP
-A INPUT -s 213.136.70.0/24 -j DROP
-A INPUT -s 212.178.110.0/24 -j DROP
-A INPUT -s 212.83.141.0/24 -j DROP
-A INPUT -s 212.83.136.0/24 -j DROP
-A INPUT -s 212.83.134.0/24 -j DROP
-A INPUT -s 210.107.197.0/24 -j DROP
-A INPUT -s 209.239.123.0/24 -j DROP
-A INPUT -s 209.133.56.0/24 -j DROP
-A INPUT -s 209.126.73.0/24 -j DROP
-A INPUT -s 209.126.72.0/24 -j DROP
-A INPUT -s 209.126.71.0/24 -j DROP
-A INPUT -s 209.126.70.0/24 -j DROP
-A INPUT -s 198.101.11.0/24 -j DROP

then /var/log/maillog gives this entry.

from=grif...@dree.eu, size=9037, class=0, nrcpts=1, msgid=
3542.159.259897.271...@dree.eu , proto=ESMTP, daemon=MTA,
relay=[198.101.11.141]


How is that coming through???

Why is the firewall not dropping the packets?
I have restarted iptables so the rules are active.

And just to make sure:
iptables -L -n | grep 198.101
DROP   all  --  198.101.11.0/24  0.0.0.0/0

Thoughts?

Thanks.

Jerry


Re: [CentOS] Firewall question

2014-06-26 Thread Steve Clark
On 06/26/2014 09:18 AM, Jerry Geis wrote:
 I have a firewall rule to drop packets from certain addresses: (email spam)
 my /etc/sysconfig/iptables begins as:

 # Generated by iptables-save v1.4.7 on Thu Jun 26 09:11:09 2014
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [1:148]
 -A INPUT -m pkttype --pkt-type multicast -j ACCEPT
 -A INPUT -s 223.255.229.0/24 -j DROP
 -A INPUT -s 218.96.0.0/24 -j DROP
 -A INPUT -s 216.227.128.0/24 -j DROP
 -A INPUT -s 216.156.135.0/24 -j DROP
 -A INPUT -s 213.251.189.0/24 -j DROP
 -A INPUT -s 213.239.219.0/24 -j DROP
 -A INPUT -s 213.205.32.0/24 -j DROP
 -A INPUT -s 213.136.70.0/24 -j DROP
 -A INPUT -s 212.178.110.0/24 -j DROP
 -A INPUT -s 212.83.141.0/24 -j DROP
 -A INPUT -s 212.83.136.0/24 -j DROP
 -A INPUT -s 212.83.134.0/24 -j DROP
 -A INPUT -s 210.107.197.0/24 -j DROP
 -A INPUT -s 209.239.123.0/24 -j DROP
 -A INPUT -s 209.133.56.0/24 -j DROP
 -A INPUT -s 209.126.73.0/24 -j DROP
 -A INPUT -s 209.126.72.0/24 -j DROP
 -A INPUT -s 209.126.71.0/24 -j DROP
 -A INPUT -s 209.126.70.0/24 -j DROP
 -A INPUT -s 198.101.11.0/24 -j DROP

 then /var/log/maillog gives this entry.

 from=grif...@dree.eu, size=9037, class=0, nrcpts=1, msgid=
 3542.159.259897.271...@dree.eu , proto=ESMTP, daemon=MTA,
 relay=[198.101.11.141]


 How is that coming through???

 Why is the firewall not dropping the packets?
 I have restarted iptables so the rules are active.

 And just to make sure:
 iptables -L -n | grep 198.101
 DROP   all  --  198.101.11.0/24  0.0.0.0/0

 Thoughts?

 Thanks.

 Jerry

If you add a -v to your

iptables -L -n | grep 198.101

are you seeing the rule get hit?


-- 
Stephen Clark
*NetWolves Managed Services, LLC.*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.cl...@netwolves.com
http://www.netwolves.com


Re: [CentOS] Firewall question

2014-06-26 Thread Jerry Geis
Yes, I am seeing it hit.

 iptables --list -n -v | grep 198.101
8   416 DROP   all  --  *  *   198.101.11.0/24
0.0.0.0/0

Jerry


Re: [CentOS] Firewall question

2014-06-26 Thread Private Sender
Try

watch iptables -nvL INPUT

Do you see anything?

Also try moving your ACCEPT statements below all of your drops. Iptables
operates in sequential order, from the top down.



Re: [CentOS] Firewall question

2014-06-26 Thread Jerry Geis
Actually I think I was wrong... Somehow the mail is landing on my box (from
an address I am not blocking) and this particular email is requesting going OUT
of my box. Seems the firewall is operating fine. I just looked at it incorrectly.

Jerry
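Two points from this thread are worth seeing in code: iptables walks a chain top down and the first matching rule decides (which is why the reply above suggests putting ACCEPTs below the DROPs), and a DROP in INPUT never sees traffic the host itself originates, which is what Jerry concludes about the outbound delivery. The following is an added example, not code from the thread: it parses a trimmed, constructed copy of the iptables-save dump shown above (three INPUT rules, no OUTPUT rules) and simulates the first-match walk for a few packets. The host address 192.0.2.10 and the unlisted source 203.0.113.5 are constructed values from the documentation ranges.

```python
"""First-match walk over a filter chain parsed from iptables-save output.

Added example, not code from the thread.  It reproduces the two points the
replies make: rules are evaluated top down and the first match decides, and
the INPUT chain only ever sees traffic addressed *to* the host.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the /etc/sysconfig/iptables shown above,
# trimmed to three rules.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:148]
-A INPUT -m pkttype --pkt-type multicast -j ACCEPT
-A INPUT -s 223.255.229.0/24 -j DROP
-A INPUT -s 198.101.11.0/24 -j DROP
COMMIT
"""

RULE_RE = re.compile(r"^-A (?P<chain>\S+)(?P<opts>.*?) -j (?P<target>\S+)$")


@dataclass
class Rule:
    chain: str
    src: Optional[ipaddress.IPv4Network]   # -s match, None if absent
    pkttype: Optional[str]                 # --pkt-type match, None if absent
    target: str


def parse_rules(text):
    """Return (chain policies, rules) from iptables-save style text."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                       # ":INPUT ACCEPT [0:0]"
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            continue
        m = RULE_RE.match(line)
        if not m:
            continue                                   # *filter, COMMIT, comments
        tokens = m.group("opts").split()
        src = pkttype = None
        for i, tok in enumerate(tokens):
            if tok == "-s":
                src = ipaddress.ip_network(tokens[i + 1], strict=False)
            elif tok == "--pkt-type":
                pkttype = tokens[i + 1]
        rules.append(Rule(m.group("chain"), src, pkttype, m.group("target")))
    return policies, rules


def verdict(policies, rules, chain, src_ip, pkttype="unicast"):
    """Walk one chain top down; return (target, index of the matching rule or None)."""
    ip = ipaddress.ip_address(src_ip)
    for idx, rule in enumerate(r for r in rules if r.chain == chain):
        if rule.src is not None and ip not in rule.src:
            continue
        if rule.pkttype is not None and rule.pkttype != pkttype:
            continue
        return rule.target, idx                        # first match wins
    return policies.get(chain, "ACCEPT"), None         # fell through to the policy


def classify(src_ip, chain="INPUT", pkttype="unicast", text=SAMPLE_RULES):
    """Convenience wrapper: parse the sample and judge one packet."""
    return verdict(*parse_rules(text), chain, src_ip, pkttype)


if __name__ == "__main__":
    # Inbound from the relay seen in the maillog: dropped by the third INPUT rule.
    print(classify("198.101.11.141"))                       # ('DROP', 2)
    # Same source, but a multicast packet: the ACCEPT that sits above the drops
    # wins, which is why the reply above suggests moving ACCEPTs below the DROPs.
    print(classify("198.101.11.141", pkttype="multicast"))  # ('ACCEPT', 0)
    # A packet the host sends itself (constructed source 192.0.2.10) traverses
    # OUTPUT, where there are no rules; the INPUT drops never see it.
    print(classify("192.0.2.10", chain="OUTPUT"))           # ('ACCEPT', None)
    # 203.0.113.5 is a constructed, unlisted source: falls through to the policy.
    print(classify("203.0.113.5"))                          # ('ACCEPT', None)
```

To check the same thing on a live box, `iptables -nvL INPUT` shows the per-rule packet and byte counters in the same order the walk uses, so a DROP rule whose counters stay at zero while the log shows traffic is a strong sign the traffic is taking another chain.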


Re: [CentOS] Firewall/Gateway Hardware Question

2013-10-16 Thread Steve Clark
On 10/15/2013 06:05 PM, SilverTip257 wrote:
 On Tue, Oct 15, 2013 at 2:31 PM, Steve Clark scl...@netwolves.com wrote:

 Hi,

 we are running 51 IPsec VPNs on an Atom D510 at 1.66 GHz and the load
 average is .07.

 @Steve:
 Based on your statement, I figure you do not have a crypto accelerator and
 the CPU is handling all the crypto.  Correct?

That is correct - we do use AES which is an easier calculation than 3DES.

 @Terre:
 I don't know how VIA C7 CPUs stack up against the Intel Atom CPUs in terms
 of performance, but they're low power consuming x86 processors.  And
 there's the VIA Padlock [0] security/encryption engine.

 AMD Geode CPUs like those in PC Engines ALIX [1] hardware have an
 integrated crypto accelerator [2].  If it wasn't for your web proxy
 requirements, etc an ALIX might fit the bill (with the right embedded OS -
 think Voyage Linux). You're better off with the hardware you're researching
 right now though.

 [0] http://www.via.com.tw/en/initiatives/padlock/hardware.jsp
 [1] http://www.pcengines.ch/alix.htm
 [2] http://www.twam.info/hardware/alix/using-geodes-aes-engine-on-alix3d3


 HTH,
 Steve

 On 10/15/2013 02:13 PM, Terre Porter wrote:
 I've not worked with Atom processors but I'll look in to it.

 Thanks for the info.


 -Original Message-
 From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
 Behalf
 Of SilverTip257
 Sent: Tuesday, October 15, 2013 12:36 PM
 To: CentOS mailing list
 Subject: Re: [CentOS] Firewall/Gateway Hardware Question

 On Tue, Oct 15, 2013 at 12:29 PM, Terre Porter 
 tpor...@webpage-builders.com
 wrote:
 I've given up on getting the other machine to work so I'm looking at
 building a new one.

 The machine will be a firewall/gateway running NAT, Web Proxy with
 Dansguardian, DHCP, DNS, NTP and VPN (~6 clients).

 I read so much about VPN encryption and the processor needs, now I am
 unsure if this will work.

 You'll likely need to determine how many VPN tunnels you're going to run
 simultaneously and then find benchmarks on the web.


 I can get this for AMD FX-8120 Zambezi 3.1GHz Socket AM3+ 125W
 Eight-Core
 Desktop Processor for under $120 (it's on sale), would it work ?

 Seems like overkill to me.

 I'd suggest more along the lines of an Atom-CPU based system.  One of
 those
 mini-ITX setups that use 20W or thereabouts.

 Just my two cents.


 Any thoughts?

 Thanks,
 Terre





 --
 Stephen Clark
 *NetWolves*
 Director of Technology
 Phone: 813-579-3200
 Fax: 813-882-0209
 Email: steve.cl...@netwolves.com
 http://www.netwolves.com





-- 
Stephen Clark
*NetWolves*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.cl...@netwolves.com
http://www.netwolves.com


Re: [CentOS] Firewall/Gateway Hardware Question

2013-10-16 Thread Mihamina RKTMB
On 10/15/2013 07:29 PM, Terre Porter wrote:
 I can get this for AMD FX-8120 Zambezi 3.1GHz Socket AM3+ 125W Eight-Core
 Desktop Processor for under $120 (it's on sale), would it work ?


Except for HTTP cache, my opinion is an OpenWRT box will do it.
If you need an HDD, I would go for a Lanner with HDD: http://goo.gl/52mXqx

-- 
+261 34 81 738 69



[CentOS] Firewall/Gateway Hardware Question

2013-10-15 Thread Terre Porter
I've given up on getting the other machine to work so I'm looking at
building a new one.

The machine will be a firewall/gateway running NAT, Web Proxy with
Dansguardian, DHCP, DNS, NTP and VPN (~6 clients). 

I read so much about VPN encryption and the processor needs, now I am unsure
if this will work.

I can get an AMD FX-8120 Zambezi 3.1GHz Socket AM3+ 125W Eight-Core
Desktop Processor for under $120 (it's on sale); would it work?

Any thoughts?

Thanks,
Terre




Re: [CentOS] Firewall/Gateway Hardware Question

2013-10-15 Thread SilverTip257
On Tue, Oct 15, 2013 at 12:29 PM, Terre Porter tpor...@webpage-builders.com
 wrote:

 I've given up on getting the other machine to work so I'm looking at
 building a new one.

 The machine will be a firewall/gateway running NAT, Web Proxy with
 Dansguardian, DHCP, DNS, NTP and VPN (~6 clients).

 I read so much about VPN encryption and the processor needs, now I am
 unsure
 if this will work.


You'll likely need to determine how many VPN tunnels you're going to run
simultaneously and then find benchmarks on the web.



 I can get this for AMD FX-8120 Zambezi 3.1GHz Socket AM3+ 125W Eight-Core
 Desktop Processor for under $120 (it's on sale), would it work ?


Seems like overkill to me.

I'd suggest more along the lines of an Atom-CPU based system.  One of those
mini-ITX setups that use 20W or thereabouts.

Just my two cents.



 Any thoughts?

 Thanks,
 Terre






-- 
---~~.~~---
Mike
//  SilverTip257  //


Re: [CentOS] Firewall/Gateway Hardware Question

2013-10-15 Thread Terre Porter
I've not worked with Atom processors but I'll look in to it.

Thanks for the info.


-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf
Of SilverTip257
Sent: Tuesday, October 15, 2013 12:36 PM
To: CentOS mailing list
Subject: Re: [CentOS] Firewall/Gateway Hardware Question

On Tue, Oct 15, 2013 at 12:29 PM, Terre Porter tpor...@webpage-builders.com
 wrote:

 I've given up on getting the other machine to work so I'm looking at 
 building a new one.

 The machine will be a firewall/gateway running NAT, Web Proxy with 
 Dansguardian, DHCP, DNS, NTP and VPN (~6 clients).

 I read so much about VPN encryption and the processor needs, now I am 
 unsure if this will work.


You'll likely need to determine how many VPN tunnels you're going to run
simultaneously and then find benchmarks on the web.



 I can get this for AMD FX-8120 Zambezi 3.1GHz Socket AM3+ 125W Eight-Core
 Desktop Processor for under $120 (it's on sale), would it work ?


Seems like overkill to me.

I'd suggest more along the lines of an Atom-CPU based system.  One of those
mini-ITX setups that use 20W or thereabouts.

Just my two cents.



 Any thoughts?

 Thanks,
 Terre






-- 
---~~.~~---
Mike
//  SilverTip257  //


Re: [CentOS] Firewall/Gateway Hardware Question

2013-10-15 Thread Steve Clark
Hi,

we are running 51 IPsec VPNs on an Atom D510 at 1.66 GHz and the load
average is .07.

HTH,
Steve

On 10/15/2013 02:13 PM, Terre Porter wrote:
 I've not worked with Atom processors but I'll look in to it.

 Thanks for the info.


 -Original Message-
 From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf
 Of SilverTip257
 Sent: Tuesday, October 15, 2013 12:36 PM
 To: CentOS mailing list
 Subject: Re: [CentOS] Firewall/Gateway Hardware Question

 On Tue, Oct 15, 2013 at 12:29 PM, Terre Porter tpor...@webpage-builders.com
 wrote:
 I've given up on getting the other machine to work so I'm looking at
 building a new one.

 The machine will be a firewall/gateway running NAT, Web Proxy with
 Dansguardian, DHCP, DNS, NTP and VPN (~6 clients).

 I read so much about VPN encryption and the processor needs, now I am
 unsure if this will work.

 You'll likely need to determine how many VPN tunnels you're going to run
 simultaneously and then find benchmarks on the web.


 I can get this for AMD FX-8120 Zambezi 3.1GHz Socket AM3+ 125W Eight-Core
 Desktop Processor for under $120 (it's on sale), would it work ?

 Seems like overkill to me.

 I'd suggest more along the lines of an Atom-CPU based system.  One of those
 mini-ITX setups that use 20W or thereabouts.

 Just my two cents.


 Any thoughts?

 Thanks,
 Terre







-- 
Stephen Clark
*NetWolves*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.cl...@netwolves.com
http://www.netwolves.com


Re: [CentOS] Firewall/Gateway Hardware Question

2013-10-15 Thread Fred Smith
On Tue, Oct 15, 2013 at 02:31:03PM -0400, Steve Clark wrote:
 Hi,
 
 we are running 51 IPsec VPNs on an Atom D510 at 1.66 GHz and the load
 average is .07.
 
 HTH,
 Steve

Some years back I used to run Smoothwall/GPL as a home firewall/router
on things such as 90 MHz pentiums (with 64 or even 128 MB RAM), or at
one point a 500 MHz AMD K6, and it had no load problems at all handling
the 3 or 4 of us here who share the household LAN. Therefore I'd think
that something such as an Atom would be entirely up to the task. There
are a number of (relatively) inexpensive Atom boards in a Micro-ATX or
Mini-ATX format that you could use, for example.

Fred

-- 
---
 .Fred Smith   /  
( /__  ,__.   __   __ /  __   : / 
 //  /   /__) /  /  /__) .+'   Home: fre...@fcshome.stoneham.ma.us 
//  (__ (___ (__(_ (___ / :__ 781-438-5471 
 Jude 1:24,25 -


Re: [CentOS] Firewall/Gateway Hardware Question

2013-10-15 Thread SilverTip257
On Tue, Oct 15, 2013 at 2:31 PM, Steve Clark scl...@netwolves.com wrote:

 Hi,

 we are running 51 IPsec VPNs on an Atom D510 at 1.66 GHz and the load
 average is .07.


@Steve:
Based on your statement, I figure you do not have a crypto accelerator and
the CPU is handling all the crypto.  Correct?

@Terre:
I don't know how VIA C7 CPUs stack up against the Intel Atom CPUs in terms
of performance, but they're low power consuming x86 processors.  And
there's the VIA Padlock [0] security/encryption engine.

AMD Geode CPUs like those in PC Engines ALIX [1] hardware have an
integrated crypto accelerator [2].  If it wasn't for your web proxy
requirements, etc an ALIX might fit the bill (with the right embedded OS -
think Voyage Linux). You're better off with the hardware you're researching
right now though.

[0] http://www.via.com.tw/en/initiatives/padlock/hardware.jsp
[1] http://www.pcengines.ch/alix.htm
[2] http://www.twam.info/hardware/alix/using-geodes-aes-engine-on-alix3d3



 HTH,
 Steve

 On 10/15/2013 02:13 PM, Terre Porter wrote:
  I've not worked with Atom processors but I'll look in to it.
 
  Thanks for the info.
 
 
  -Original Message-
  From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
 Behalf
  Of SilverTip257
  Sent: Tuesday, October 15, 2013 12:36 PM
  To: CentOS mailing list
  Subject: Re: [CentOS] Firewall/Gateway Hardware Question
 
  On Tue, Oct 15, 2013 at 12:29 PM, Terre Porter 
 tpor...@webpage-builders.com
  wrote:
  I've given up on getting the other machine to work so I'm looking at
  building a new one.
 
  The machine will be a firewall/gateway running NAT, Web Proxy with
  Dansguardian, DHCP, DNS, NTP and VPN (~6 clients).
 
  I read so much about VPN encryption and the processor needs, now I am
  unsure if this will work.
 
  You'll likely need to determine how many VPN tunnels you're going to run
  simultaneously and then find benchmarks on the web.
 
 
  I can get this for AMD FX-8120 Zambezi 3.1GHz Socket AM3+ 125W
 Eight-Core
  Desktop Processor for under $120 (it's on sale), would it work ?
 
  Seems like overkill to me.
 
  I'd suggest more along the lines of an Atom-CPU based system.  One of
 those
  mini-ITX setups that use 20W or thereabouts.
 
  Just my two cents.
 
 
  Any thoughts?
 
  Thanks,
  Terre
 
 
 
 
 


 --
 Stephen Clark
 *NetWolves*
 Director of Technology
 Phone: 813-579-3200
 Fax: 813-882-0209
 Email: steve.cl...@netwolves.com
 http://www.netwolves.com




-- 
---~~.~~---
Mike
//  SilverTip257  //


Re: [CentOS] Firewall/Gateway Hardware Question

2013-10-15 Thread S.Tindall
On Tue, 2013-10-15 at 18:05 -0400, SilverTip257 wrote:

 @Steve:
 Based on your statement, I figure you do not have a crypto accelerator and
 the CPU is handling all the crypto.  Correct?

 @Terre:
 I don't know how VIA C7 CPUs stack up against the Intel Atom CPUs in terms
 of performance, but they're low power consuming x86 processors.  And
 there's the VIA Padlock [0] security/encryption engine.

 AMD Geode CPUs like those in PC Engines ALIX [1] hardware have an
 integrated crypto accelerator [2].  If it wasn't for your web proxy
 requirements, etc an ALIX might fit the bill (with the right embedded OS -
 think Voyage Linux). You're better off with the hardware you're researching
 right now though.
 
 [0] http://www.via.com.tw/en/initiatives/padlock/hardware.jsp
 [1] http://www.pcengines.ch/alix.htm
 [2] http://www.twam.info/hardware/alix/using-geodes-aes-engine-on-alix3d3

You should look at the single board computers sold by Soekris
Engineering.

 http://soekris.com

Specifically the net6501 series:

 http://soekris.com/products/net6501.html

 Specifications:

  •  600 MHz to 1.6 GHz Intel Atom E6xx single chip processor
 with EG20T companion chip 
  •  512 to 2048 Mbyte DDR2-SDRAM, soldered on board 
  •  2x SATA 3 Gbit interfaces with +5V and +12V power header
  •  4x Intel 82574L Gigabit Ethernet ports, Auto-MDIX RJ-45,
 protected to 700W/40A Surge 
  •  2x Serial ports, DB9 and 10 pins internal header
  •  USB 2.0 interface, 2x internal, 1x external port, bootable 
  •  1 Full Mini-PCI Express shared with mSATA socket.
  •  1 USB only Mini-PCI Express shared with mSATA socket
  •  2x PCI Express Slots, right angle 
  •  16 bit general purpose I/O, 24 pins header, connected to FPGA

...in either a tiny or a rackable box.

The number of lan slots can be increased above 4 by using expansion
cards.

Steve



___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Firewall/Gateway Hardware Question

2013-10-15 Thread Terre Porter
Interesting looking hardware... thanks for the info

-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of 
S.Tindall
Sent: Tuesday, October 15, 2013 8:29 PM
To: CentOS mailing list
Subject: Re: [CentOS] Firewall/Gateway Hardware Question

On Tue, 2013-10-15 at 18:05 -0400, SilverTip257 wrote:

 @Steve:
 Based on your statement, I figure you do not have a crypto accelerator 
 and the CPU is handling all the crypto.  Correct?

 @Terre:
 I don't know how VIA C7 CPUs stack up against the Intel Atom CPUs in 
 terms of performance, but they're low power consuming x86 processors.  
 And there's the VIA Padlock [0] security/encryption engine.

 AMD Geode CPUs like those in PC Engines ALIX [1] hardware have an 
 integrated crypto accelerator [2].  If it wasn't for your web proxy 
 requirements, etc an ALIX might fit the bill (with the right embedded 
 OS - think Voyage Linux). You're better off with the hardware you're 
 researching right now though.
 
 [0] http://www.via.com.tw/en/initiatives/padlock/hardware.jsp
 [1] http://www.pcengines.ch/alix.htm
 [2] 
 http://www.twam.info/hardware/alix/using-geodes-aes-engine-on-alix3d3

You should look at the single board computers sold by Soekris Engineering.

 http://soekris.com

Specifically the net6501 series:

 http://soekris.com/products/net6501.html

 Specifications:

  •  600 MHz to 1.6 GHz Intel Atom E6xx single chip processor
 with EG20T companion chip
  •  512 to 2048 Mbyte DDR2-SDRAM, soldered on board
  •  2x SATA 3 Gbit interfaces with +5V and +12V power header
  •  4x Intel 82574L Gigabit Ethernet ports, Auto-MDIX RJ-45,
 protected to 700W/40A Surge
  •  2x Serial ports, DB9 and 10 pins internal header
  •  USB 2.0 interface, 2x internal, 1x external port, bootable
  •  1 Full Mini-PCI Express shared with mSATA socket.
  •  1 USB only Mini-PCI Express shared with mSATA socket
  •  2x PCI Express Slots, right angle
  •  16 bit general purpose I/O, 24 pins header, connected to FPGA

...in either a tiny or a rackable box.

The number of lan slots can be increased above 4 by using expansion cards.

Steve



___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Firewall/Gateway Hardware Question

2013-10-15 Thread Terre Porter
I must have been in a hardware vacuum; I didn't have a clue about any of
that hardware you mentioned.

Added it to the research list - haha!

Thanks

-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf
Of SilverTip257
Sent: Tuesday, October 15, 2013 6:05 PM
To: CentOS mailing list
Subject: Re: [CentOS] Firewall/Gateway Hardware Question

On Tue, Oct 15, 2013 at 2:31 PM, Steve Clark scl...@netwolves.com wrote:

 Hi,

 we are running 51 ipsec vpns on an Atom D510 at 1.66ghz and the load 
 average is .07.


@Steve:
Based on your statement, I figure you do not have a crypto accelerator and
the CPU is handling all the crypto.  Correct?

@Terre:
I don't know how VIA C7 CPUs stack up against the Intel Atom CPUs in terms
of performance, but they're low power consuming x86 processors.  And there's
the VIA Padlock [0] security/encryption engine.

AMD Geode CPUs like those in PC Engines ALIX [1] hardware have an integrated
crypto accelerator [2].  If it wasn't for your web proxy requirements, etc
an ALIX might fit the bill (with the right embedded OS - think Voyage
Linux). You're better off with the hardware you're researching right now
though.

[0] http://www.via.com.tw/en/initiatives/padlock/hardware.jsp
[1] http://www.pcengines.ch/alix.htm
[2] http://www.twam.info/hardware/alix/using-geodes-aes-engine-on-alix3d3



 HTH,
 Steve

 On 10/15/2013 02:13 PM, Terre Porter wrote:
  I've not worked with Atom processors but I'll look in to it.
 
  Thanks for the info.
 
 
  -Original Message-
  From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] 
  On
 Behalf
  Of SilverTip257
  Sent: Tuesday, October 15, 2013 12:36 PM
  To: CentOS mailing list
  Subject: Re: [CentOS] Firewall/Gateway Hardware Question
 
  On Tue, Oct 15, 2013 at 12:29 PM, Terre Porter 
 tpor...@webpage-builders.com
  wrote:
  I've given up on getting the other machine to work so I'm looking 
  at building a new one.
 
  The machine will be a firewall/gateway running NAT, Web Proxy with 
  Dansguardian, DHCP, DNS, NTP and VPN (~6 clients).
 
  I read so much about VPN encryption and the processor needs, now I 
  am unsure if this will work.
 
  You'll likely need to determine how many VPN tunnels you're going to 
  run simultaneously and then find benchmarks on the web.
 
 
  I can get this for AMD FX-8120 Zambezi 3.1GHz Socket AM3+ 125W
 Eight-Core
  Desktop Processor for under $120 (it's on sale), would it work ?
 
  Seems like overkill to me.
 
  I'd suggest more along the lines of an Atom-CPU based system.  One 
  of
 those
  mini-ITX setups that use 20W or thereabouts.
 
  Just my two cents.
 
 
  Any thoughts?
 
  Thanks,
  Terre
 
 
 
 
 


 --
 Stephen Clark
 *NetWolves*
 Director of Technology
 Phone: 813-579-3200
 Fax: 813-882-0209
 Email: steve.cl...@netwolves.com
 http://www.netwolves.com




--
---~~.~~---
Mike
//  SilverTip257  //
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Firewall/Gateway Hardware Question

2013-10-15 Thread John R Pierce
On 10/15/2013 3:05 PM, SilverTip257 wrote:
 I don't know how VIA C7 CPUs stack up against the Intel Atom CPUs in terms
 of performance, but they're low power consuming x86 processors.  And
 there's the VIA Padlock [0] security/encryption engine.

I think the Atoms pretty much beat the living daylights out of the C7 
stuff, which was based on an architecture many generations old. Some of 
the Core i3/i5 laptop chips are very low power, too, and nearly as 
powerful as modern 2-4 core desktop processors. The current 
'Pentiums' are somewhere in between the Atom and the low end of the Core 
line.



-- 
john r pierce  37N 122W
somewhere on the middle of the left coast

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
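The thread's sizing advice is to count tunnels and then look for benchmarks. A more reliable check is to measure the candidate box itself. The script below is an added example for this page, not code from the thread or from any of the vendors mentioned: it reads /proc/cpuinfo to see whether the CPU has a hardware AES engine (the Linux kernel exposes Intel/AMD AES-NI as the "aes" flag and VIA PadLock's engine as "ace"), and converts the summary line of `openssl speed -evp aes-128-cbc` into Mbit/s and a rough tunnel count. The cpuinfo excerpts and the openssl line are constructed samples, not measurements from a real D510 or C7, and the 50% headroom and "count each tunnel twice" rule in `tunnels_supported` are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): measure AES capacity instead of hunting
# for benchmarks. All sample data below is constructed.

# has_aes_engine CPUINFO_TEXT -> prints aesni, padlock or none
# "aes" is the kernel's flag for Intel/AMD AES-NI, "ace" is VIA PadLock's
# Advanced Cryptography Engine.
has_aes_engine() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' | head -n 1)
    case " $flags " in
        *" aes "*) echo aesni ;;
        *" ace "*) echo padlock ;;
        *)         echo none ;;
    esac
}

# aes_mbit_per_s SPEED_OUTPUT -> Mbit/s taken from the last (largest block) column.
# openssl speed reports thousands of bytes per second, so Mbit/s = value * 8 / 1000.
aes_mbit_per_s() {
    printf '%s\n' "$1" | awk '/^aes-128-cbc/ { v = $NF; sub(/k$/, "", v); printf "%d\n", v * 8 / 1000 }'
}

# tunnels_supported MBIT_PER_S PER_TUNNEL_MBIT -> tunnels the CPU can encrypt,
# keeping half the budget for the proxy, DNS, NAT and everything else on the
# gateway, and charging each tunnel twice because both directions are encrypted
# (assumption of this example, tune to taste).
tunnels_supported() {
    echo $(( $1 / 2 / ($2 * 2) ))
}

# Constructed /proc/cpuinfo excerpts.
ATOM_CPUINFO='processor   : 0
vendor_id   : GenuineIntel
model name  : Intel(R) Atom(TM) CPU D510 @ 1.66GHz
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat clflush mmx fxsr sse sse2 ss ht nx lm'

VIA_CPUINFO='processor   : 0
vendor_id   : CentaurHauls
model name  : VIA C7-M Processor 1500MHz
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge cmov pat clflush mmx fxsr sse sse2 nx rng rng_en ace ace_en ace2 ace2_en phe phe_en pmm pmm_en'

# Constructed `openssl speed -evp aes-128-cbc` summary line (16 ... 8192 byte blocks).
SPEED_LINE='aes-128-cbc      41234.56k    45678.90k    47000.12k    48123.45k    50000.00k'

echo "Atom D510 AES engine: $(has_aes_engine "$ATOM_CPUINFO")"
echo "VIA C7-M  AES engine: $(has_aes_engine "$VIA_CPUINFO")"
mbit=$(aes_mbit_per_s "$SPEED_LINE")
echo "AES-128-CBC throughput: ${mbit} Mbit/s"
echo "tunnels at 10 Mbit/s each: $(tunnels_supported "$mbit" 10)"
```

On a real host replace the samples with `has_aes_engine "$(cat /proc/cpuinfo)"` and `aes_mbit_per_s "$(openssl speed -evp aes-128-cbc 2>/dev/null | tail -n 1)"`; on a PadLock CPU add `-engine padlock` to the openssl command, otherwise the engine sits idle and you benchmark the plain C7 core.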


[CentOS] Firewall will not disable - stumped!

2013-07-07 Thread Bob Metelsky
Very perplexed here - I need to turn off iptables. I've tried

service iptables save
service iptables stop
chkconfig iptables off

service ip6tables save
service ip6tables stop
chkconfig ip6tables off

edited
OPGX280 ~ # cat /etc/sysconfig/system-config-firewall
# Configuration file for system-config-firewall
--disabled
--service=ssh

OPGX280 ~ :( # cat /etc/selinux/config
SELINUX=disabled

OPGX280 ~ :( # chkconfig | grep ip
ip6tables       0:off   1:off   2:off   3:off   4:off   5:off   6:off
ipmievd         0:off   1:off   2:off   3:off   4:off   5:off   6:off
ipsec           0:off   1:off   2:off   3:off   4:off   5:off   6:off
iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off
ipvsadm         0:off   1:off   2:off   3:off   4:off   5:off   6:off


Yet when I reboot, iptables gets started - if I run

OPGX280 ~ # /etc/rc.d/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:67
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:67

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED
2    ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable


Note -- 192.168.122.0/24 is NOT my network, I just want the status to
tell me iptables is NOT running

What else can I look for??

Thanks
Bob
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Firewall will not disable - stumped!

2013-07-07 Thread Earl A Ramirez
On 7 July 2013 20:57, Bob Metelsky bob.metel...@gmail.com wrote:

 Very perplexed here - I need to turn off iptables. I've tried

 service iptables save
 service iptables stop
 chkconfig iptables off

 service ip6tables save
 service ip6tables stop
 chkconfig ip6tables off

 edited
 OPGX280 ~ # cat /etc/sysconfig/system-config-firewall
 # Configuration file for system-config-firewall
 --disabled
 --service=ssh

 OPGX280 ~ :( # cat /etc/selinux/config
 SELINUX=disabled

 OPGX280 ~ :( # chkconfig | grep ip
 ip6tables       0:off   1:off   2:off   3:off   4:off   5:off   6:off
 ipmievd         0:off   1:off   2:off   3:off   4:off   5:off   6:off
 ipsec           0:off   1:off   2:off   3:off   4:off   5:off   6:off
 iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off
 ipvsadm         0:off   1:off   2:off   3:off   4:off   5:off   6:off


 Yet when I reboot, iptables gets started - if I run

 OPGX280 ~ # /etc/rc.d/init.d/iptables status
 Table: filter
 Chain INPUT (policy ACCEPT)
 num  target     prot opt source               destination
 1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
 2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
 3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:67
 4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:67

 Chain FORWARD (policy ACCEPT)
 num  target     prot opt source               destination
 1    ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED
 2    ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0
 3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
 4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
 5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable


 Note -- 192.168.122.0/24 is NOT my network, I just want the status to
 tell me iptables is NOT running

 What else can I look for??

 Thanks
 Bob


Hi Bob,

I am just shooting in the dark here, have you tried /sbin/iptables -F

-- 
Kind Regards
Earl Ramirez
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Firewall will not disable - stumped!

2013-07-07 Thread Bob Metelsky
This is very strange.

I ran your flush command... it worked until reboot.

I came across this article
http://www.thegeekstuff.com/2011/01/redhat-iptables-flush/

Basically it tells me how to save a wide open rules file - I did this and it
behaved like the doc describes.

This is what I have now

OPGX280 ~ :( # cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Sun Jul  7 09:14:11 2013
*filter
:INPUT ACCEPT [32:4712]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [40:5160]
COMMIT
# Completed on Sun Jul  7 09:14:11 2013

- until I reboot, then I get the same gibberish...

OPGX280 ~ # /etc/rc.d/init.d/iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  tcp  --  192.168.122.0/24     !192.168.122.0/24    masq ports: 1024-65535
2    MASQUERADE  udp  --  192.168.122.0/24     !192.168.122.0/24    masq ports: 1024-65535
3    MASQUERADE  all  --  192.168.122.0/24     !192.168.122.0/24

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    CHECKSUM   udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:68 CHECKSUM fill

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:67
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:67

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED
2    ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

I don't understand what is calling iptables, or why.

I believe anything in /etc/rc.d/init.d/* will get run on startup. If I
move those files out of there, obviously the command won't work - but I
need to understand what's going on.


I want status to tell me OFF

 /etc/rc.d/init.d/iptables status





On Sun, Jul 7, 2013 at 9:02 AM, Earl A Ramirez earlarami...@gmail.com wrote:

 On 7 July 2013 20:57, Bob Metelsky bob.metel...@gmail.com wrote:

  Very perplexed here - I need to turn off iptables. I've tried
 
  service iptables save
  service iptables stop
  chkconfig iptables off
 
  service ip6tables save
  service ip6tables stop
  chkconfig ip6tables off
 
  edited
  OPGX280 ~ # cat /etc/sysconfig/system-config-firewall
  # Configuration file for system-config-firewall
  --disabled
  --service=ssh
 
  OPGX280 ~ :( # cat /etc/selinux/config
  SELINUX=disabled
 
  OPGX280 ~ :( # chkconfig | grep ip
  ip6tables       0:off   1:off   2:off   3:off   4:off   5:off   6:off
  ipmievd         0:off   1:off   2:off   3:off   4:off   5:off   6:off
  ipsec           0:off   1:off   2:off   3:off   4:off   5:off   6:off
  iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off
  ipvsadm         0:off   1:off   2:off   3:off   4:off   5:off   6:off
 
 
  Yet when I reboot, iptables gets started - if I run
 
  OPGX280 ~ # /etc/rc.d/init.d/iptables status
  Table: filter
  Chain INPUT (policy ACCEPT)
  num  target     prot opt source               destination
  1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
  2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
  3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:67
  4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:67
 
  Chain FORWARD (policy ACCEPT)
  num  target     prot opt source               destination
  1    ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED
  2    ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0
  3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
  4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
  5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
 
 
  Note --  

Re: [CentOS] Firewall will not disable - stumped!

2013-07-07 Thread Alexander Dalloz
On 07.07.2013 14:57, Bob Metelsky wrote:
 Very perplexed here - I need to turn off iptables. I've tried

Why do you have to turn off the local firewall?

 service iptables save
 service iptables stop
 chkconfig iptables off
 
 service ip6tables save
 service ip6tables stop
 chkconfig ip6tables off
 
 edited
 OPGX280 ~ # cat /etc/sysconfig/system-config-firewall
 # Configuration file for system-config-firewall
 --disabled
 --service=ssh
 
 OPGX280 ~ :( # cat /etc/selinux/config
 SELINUX=disabled

Bad practice.

 OPGX280 ~ :( # chkconfig | grep ip
 ip6tables       0:off   1:off   2:off   3:off   4:off   5:off   6:off
 ipmievd         0:off   1:off   2:off   3:off   4:off   5:off   6:off
 ipsec           0:off   1:off   2:off   3:off   4:off   5:off   6:off
 iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off
 ipvsadm         0:off   1:off   2:off   3:off   4:off   5:off   6:off
 
 
 Yet when I reboot, iptables gets started - if I run
 
 OPGX280 ~ # /etc/rc.d/init.d/iptables status
 Table: filter
 Chain INPUT (policy ACCEPT)
 num  target     prot opt source               destination
 1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
 2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
 3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:67
 4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:67
 
 Chain FORWARD (policy ACCEPT)
 num  target     prot opt source               destination
 1    ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED
 2    ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0
 3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
 4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
 5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
 
 
 Note -- 192.168.122.0/24 is NOT my network, I just want the status to
 tell me iptables is NOT running

That's a VMware (ESXi or such) based virtual machine, right?
192.168.122.0/24 is the default VMware NAT network assignment. It comes
from the VMware tools. These tools take care that a NAT network setup
will work.

 What else can I look for??
 
 Thanks
 Bob

Alexander

P.S. If you reply then please follow the general rule to not top-post
and to trim your quotes. Thanks.


___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Firewall will not disable - stumped!

2013-07-07 Thread Markus Falb

On 07.Jul.2013, at 14:57, Bob Metelsky wrote:

 very perplexed here - I need to turn off iptables. Ive tried
 …
 Yet - when I reboot  iptables gets started  - if I run
 ...
 Note --  192.168.122.0/24 is NOT my network

This could be the default network from libvirt. The kvm host does NAT from that 
network if the guest is configured to use it. You can undefine it with some 
virsh foo

$ virsh net-destroy default
$ virsh net-undefine default
-- 
Markus Falb

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
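Markus's diagnosis is the one to act on: 192.168.122.0/24 is the stock "default" NAT network that libvirt defines on install, and every time libvirtd starts it re-inserts the nat MASQUERADE, FORWARD and dnsmasq INPUT rules for it, regardless of what /etc/sysconfig/iptables contains or whether `service iptables stop` was run. The script below is an added example for this page, not code from the thread: it separates the rules libvirt owns from everything else in an iptables-save dump, so you know what `virsh net-undefine default` will make go away and what is really yours. The dump is constructed to mimic the listing above; the network and bridge names assume the default network was never edited.

```sh
#!/bin/sh
# Added example (not from the thread): classify iptables rules that belong to
# libvirt's default network. Feed it `iptables-save` output on a real host.

LIBVIRT_NET='192.168.122.0/24'   # assumption: stock default network, unchanged
LIBVIRT_BRIDGE='virbr0'          # assumption: its default bridge name

# Constructed iptables-save dump resembling the original poster's listing.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# list_libvirt_rules DUMP -> the -A lines that mention the libvirt network or bridge
list_libvirt_rules() {
    printf '%s\n' "$1" | grep -- '^-A ' | grep -e "$LIBVIRT_NET" -e "$LIBVIRT_BRIDGE" || :
}

# list_other_rules DUMP -> the -A lines that mention neither (these are really yours)
list_other_rules() {
    printf '%s\n' "$1" | grep -- '^-A ' | grep -v -e "$LIBVIRT_NET" -e "$LIBVIRT_BRIDGE" || :
}

# count_* DUMP -> number of lines from the corresponding list ("0" when empty)
count_libvirt_rules() { list_libvirt_rules "$1" | grep -c . || :; }
count_other_rules()   { list_other_rules   "$1" | grep -c . || :; }

# libvirt_owns_rules DUMP -> success when the default network is still active
libvirt_owns_rules() {
    [ "$(count_libvirt_rules "$1")" -gt 0 ]
}

echo "rules owned by libvirt ($LIBVIRT_NET / $LIBVIRT_BRIDGE): $(count_libvirt_rules "$SAMPLE_DUMP")"
echo "rules from elsewhere: $(count_other_rules "$SAMPLE_DUMP")"
list_other_rules "$SAMPLE_DUMP"
if libvirt_owns_rules "$SAMPLE_DUMP"; then
    echo "libvirt default network is active; remove it with:"
    echo "  virsh net-destroy default && virsh net-undefine default"
fi
```

On a live host run `count_libvirt_rules "$(iptables-save)"` as root. Undefining the network is preferable to uninstalling virt-manager, which only removes the GUI; the rules come from libvirtd, so if the host must keep running guests, switch them to a bridged network and undefine "default" rather than fighting the rules in /etc/sysconfig/iptables.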


Re: [CentOS] Firewall will not disable - stumped!

2013-07-07 Thread Bob Metelsky
On Sun, Jul 7, 2013 at 9:38 AM, Alexander Dalloz ad+li...@uni-x.org wrote:

 Am 07.07.2013 14:57, schrieb Bob Metelsky:
  very perplexed here - I need to turn off iptables. Ive tried

 Why do you have to turn off the local firewall?

 
  OPGX280 ~ :( # cat  /etc/selinux/config
  SELINUX=disabled

 Bad practice.


 Alexander

 P.S. If you reply then please follow the general rule to not top-post
 and to trim your quotes. Thanks.




I appreciate the admonitions on bad practices - but for now I need to
understand why something is happening and stop it


OPGX280 ~ # yum remove virt*

 Package          Arch    Version              Repository   Size

Removing:
 virt-manager     i686    0.9.0-18.el6         @base        5.4 M
 virt-top         i686    1.0.4-3.15.el6       @base        922 k
 virt-viewer      i686    0.5.2-18.el6_4.2     @updates     751 k
 virt-what        i686    1.11-1.2.el6         @base         35 k

Transaction Summary

Remove        4 Package(s)

Installed size: 7.1 M
Is this ok [y/N]: y
...
Removed:
  virt-manager.i686 0:0.9.0-18.el6       virt-top.i686 0:1.0.4-3.15.el6
  virt-viewer.i686 0:0.5.2-18.el6_4.2    virt-what.i686 0:1.11-1.2.el6

Complete!
OPGX280 ~ #

OPGX280 ~ :( # chkconfig | grep virt
libvirt-guests  0:off   1:off   2:off   3:off   4:off   5:off   6:off
libvirtd        0:off   1:off   2:off   3:off   4:off   5:off   6:off

reboot


OK!!! Nice call on the virt*

 after reboot...

OPGX280 ~ # /etc/rc.d/init.d/iptables status
iptables: Firewall is not running.

My goodness I would have never guessed that an unneeded package  would have
caused that - THANK YOU!

Now I can move on to the work I need to do - Thank you again








___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Centos Firewall - router with virtual IP

2011-11-05 Thread me

On Fri, 4 Nov 2011, Fajar Priyanto wrote:


On Fri, Nov 4, 2011 at 10:15 AM, KevinO ke...@kevino.org wrote:

anyways, whatever, yes, you can do it with iptables, but not all off the
shelf firewall script generators will support multiple LAN subnets.   I
usually write my own iptables rulesets.


I can say first hand that fwbuilder easily handles managing scripts for multiple
subnets and aliased addressing on NIC's. I use separate interface cards for each
subnet, however. (5 NIC's, 4 internal subnets, 3 public IP's on the one external
facing NIC)


Hi Kevin,
Expanding my original question.
I have a need to open and close iptables rules based on particular
time, say 1 week later, 1 month later, etc.
Currently I have a simple script to do that:
- Create the rules.
- Create atd job to delete the rule based on the defined time.
- Log it.
It works, but not elegant :)

Does fwbuilder have that function?


Fwbuilder does indeed have time objects in it, although I have never used them.

The docs at http://fwbuilder.org are pretty extensive and the devs hang out on
the mailing lists and regularly answer questions or provide pointers to the
relevant docs.

Hope this helps.

--
Tom m...@tdiehl.org Spamtrap address
me...@tdiehl.org
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Centos Firewall - router with virtual IP

2011-11-05 Thread Fajar Priyanto
On Sat, Nov 5, 2011 at 11:19 PM,  m...@tdiehl.org wrote:
 Does fwbuilder have that function?

 Fwbuilder does indeed have time objects in it, although I have never used
 them.

 The docs at http://fwbuilder.org are pretty extensive and the devs hang out
 on
 the mailing lists and regularly answer questions or provide pointers to the
 relevant docs.

Hi Tom! You're right.
http://www.fwbuilder.org/4.0/docs/users_guide/time-interval-objects.html
Perfect for me!!
Thank you :)
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Centos Firewall - router with virtual IP

2011-11-03 Thread News
On 03/11/2011 3:34, Fajar Priyanto wrote:
 Hi all,
 I haven't found anything in Google about this.

 I'm creating a firewall router with Centos with few virtual IP using iptables.

 May I ask for your experience?
 Is there any pitfall or bad side of using virtual IP for this purpose?
 I'm using few virtual IP to accommodate few subnets that go through
 this firewall/router.

 Thank you.
 Fajar.


I use shorewall for this
http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html

Amedeo
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Centos Firewall - router with virtual IP

2011-11-03 Thread Lorenzo Martínez Rodríguez
On 03/11/11 11:16, News wrote:
 On 03/11/2011 3:34, Fajar Priyanto wrote:
 Hi all,
 I haven't found anything in Google about this.

 I'm creating a firewall router with Centos with few virtual IP using 
 iptables.

 May I ask for your experience?
 Is there any pitfall or bad side of using virtual IP for this purpose?
 I'm using few virtual IP to accommodate few subnets that go through
 this firewall/router.

 Thank you.
 Fajar.

 I use shorewall for this
 http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html

 Amedeo


I use Firewall Builder http://www.fwbuilder.org to manage the ruleset 
and I am very happy with it.
For Spanish list subscribers, here is a post I have written for my 
blog: 
http://www.securitybydefault.com/2011/09/firewall-builder-la-gui-para-tu.html

-- 


Lorenzo Martinez Rodriguez

Visit me:   http://www.lorenzomartinez.es
Mail me to: lore...@lorenzomartinez.es
My blog: http://www.securitybydefault.com
My twitter: @lawwait
PGP Fingerprint: 97CC 2584 7A04 B2BA 00F1 76C9 0D76 83A2 9BBC BDE2

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Centos Firewall - router with virtual IP

2011-11-03 Thread Ljubomir Ljubojevic
On 11/03/2011 11:16 AM, News wrote:
 On 03/11/2011 3:34, Fajar Priyanto wrote:
 Hi all,
 I haven't found anything in Google about this.

 I'm creating a firewall router with Centos with few virtual IP using 
 iptables.

 May I ask for your experience?
 Is there any pitfall or bad side of using virtual IP for this purpose?
 I'm using few virtual IP to accommodate few subnets that go through
 this firewall/router.

 I use shorewall for this
 http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html
+1

You also need to be sure what you want to do exactly. If subnets need to 
be behind that firewall, but routed and not NATed, then you are not to 
use virtual IPs, but to implement pass-through/routing. Virtual IPs 
are only used for NAT-ing, not for routing subnets.

-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Centos Firewall - router with virtual IP

2011-11-03 Thread me

On Thu, 3 Nov 2011, Lorenzo Martínez Rodríguez wrote:


On 03/11/11 11:16, News wrote:

Hi all,
I haven't found anything in Google about this.

I'm creating a firewall router with Centos with few virtual IP using iptables.

May I ask for your experience?
Is there any pitfall or bad side of using virtual IP for this purpose?
I'm using few virtual IP to accommodate few subnets that go through
this firewall/router.


I would not know why there would be a problem. My external interface on my
iptables firewall has 30 IP addresses on it. Been running it that way for 8 or 10 years.


I use Firewall Builder http://www.fwbuilder.org to manage the ruleset
and I am very happy with it.



+1 for fwbuilder. I have been using it since it was version 1.x. It is now 5.x 
and you would be hard pressed to pry it out of my cold dead hands. :-)


Besides the fact that the program does a very good job of managing iptables 
firewalls, the devs are very responsive to bug fixes and feature enhancements.


Regards,

--
Tom m...@tdiehl.org Spamtrap address
me...@tdiehl.org
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Centos Firewall - router with virtual IP

2011-11-03 Thread John R Pierce
On 11/02/11 7:34 PM, Fajar Priyanto wrote:
 I'm creating a firewall router with Centos with few virtual IP using iptables.

 May I ask for your experience?
 Is there any pitfall or bad side of using virtual IP for this purpose?
 I'm using few virtual IP to accommodate few subnets that go through
 this firewall/router.

now, when you say 'virtual IP', do you mean alias IPs on your WAN 
(outside) interface(s), or multiple private subnets on the LAN (inside) 
interface(s) ?   none of those are 'virtual' in any sense I'd use that 
adjective.


-- 
john r pierceN 37, W 122
santa cruz ca mid-left coast

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Centos Firewall - router with virtual IP

2011-11-03 Thread Fajar Priyanto
On Fri, Nov 4, 2011 at 6:59 AM, John R Pierce pie...@hogranch.com wrote:
 On 11/02/11 7:34 PM, Fajar Priyanto wrote:
 I'm creating a firewall router with Centos with few virtual IP using 
 iptables.

 May I ask for your experience?
 Is there any pitfall or bad side of using virtual IP for this purpose?
 I'm using few virtual IP to accommodate few subnets that go through
 this firewall/router.

 now, when you say 'virtual IP', do you mean alias IPs on your WAN
 (outside) interface(s), or multiple private subnets on the LAN (inside)
 interface(s) ?   none of those are 'virtual' in any sense I'd use that
 adjective.

Hi John, thanks for asking.
My firewall setup is like this:
Physical NIC:
eth0 - to outside world
eth1 - to LAN
There is masquerading in eth0 so LAN can go to internet

Now, I'm adding some virtual interface eth1:0, eth1:1... so on to
accommodate new subnets created in the LAN.

My concern comes from the question of how MAC addressing is handled (by
the switches and the OS). Wouldn't eth1:0, etc. share the same MAC
address as eth1? Will there be any problem or confusion in the network?
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Centos Firewall - router with virtual IP

2011-11-03 Thread John R Pierce
On 11/03/11 5:43 PM, Fajar Priyanto wrote:
 Now, I'm adding some virtual interface eth1:0, eth1:1... so on to
 accommodate new subnets created in the LAN.

What's the point of having multiple subnets on the same physical LAN 
segment?   If you want to isolate separate local networks, you really 
should use separate physical adapters with separate switches... or VLAN 
switching if you have a switch that supports VLAN trunking.

Anyways, whatever, yes, you can do it with iptables, but not all off the 
shelf firewall script generators will support multiple LAN subnets.   I 
usually write my own iptables rulesets.

-- 
john r pierceN 37, W 122
santa cruz ca mid-left coast

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Centos Firewall - router with virtual IP

2011-11-03 Thread KevinO
On 11/03/2011 06:54 PM, John R Pierce wrote:
 On 11/03/11 5:43 PM, Fajar Priyanto wrote:
 Now, I'm adding some virtual interface eth1:0, eth1:1... so on to
 accommodate new subnets created in the LAN.
 
 whats the point of having multiple subnets on the same physical LAN 
 segment ?   if you want to isolate separate local networks, you really 
 should use separate physical adapters with separate switches... or VLAN 
 switching if you have a switch that supports VLAN trunking.
 
 anyways, whatever, yes, you can do it with iptables, but not all off the 
 shelf firewall script generators will support multiple LAN subnets.   I 
 usually write my own iptables rulesets.
 
I can say first hand that fwbuilder easily handles managing scripts for multiple
subnets and aliased addressing on NICs. I use separate interface cards for each
subnet, however. (5 NICs, 4 internal subnets, 3 public IPs on the one external
facing NIC)

-- 
KevinO
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Centos Firewall - router with virtual IP

2011-11-03 Thread Fajar Priyanto
On Fri, Nov 4, 2011 at 10:15 AM, KevinO ke...@kevino.org wrote:
 anyways, whatever, yes, you can do it with iptables, but not all off the
 shelf firewall script generators will support multiple LAN subnets.   I
 usually write my own iptables rulesets.

 I can say first hand that fwbuilder easily handles managing scripts for 
 multiple
 subnets and aliased addressing on NIC's. I use separate interface cards for 
 each
 subnet, however. (5 NIC's, 4 internal subnets, 3 public IP's on the one 
 external
 facing NIC)

Hi Kevin,
Expanding on my original question.
I have a need to open and close iptables rules based on a particular
time, say 1 week later, 1 month later, etc.
Currently I have a simple script to do that:
- Create the rules.
- Create an atd job to delete the rule at the defined time.
- Log it.
It works, but it's not elegant :)

Does fwbuilder have that function?
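Fajar's three steps (create the rule, queue an atd job to delete it, log it) as one script. This is an added example, not the script from the thread: the function names, the DRY_RUN switch and the log path are this example's own choices, and it assumes iptables, at and logger are installed and that atd is running.

```shell
#!/bin/sh
# Time-limited iptables rule: insert it now, hand its removal to at(1), log both.
# Added example; function names, RULE_LOG and DRY_RUN are this example's own.

RULE_LOG="${RULE_LOG:-/var/log/iptables-expire.log}"

# rule_spec CHAIN SRC_CIDR PROTO DPORT
# Prints the rule body shared by the insert and the delete. Building it in one
# place matters: iptables -D only removes a rule whose every token matches, so
# a delete typed by hand that differs from the insert leaves the hole open.
rule_spec() {
    chain=$1; src=$2; proto=$3; dport=$4
    case $dport in
        ''|*[!0-9]*) echo "rule_spec: port must be numeric: '$dport'" >&2; return 1 ;;
    esac
    if [ "$dport" -lt 1 ] || [ "$dport" -gt 65535 ]; then
        echo "rule_spec: port out of range: $dport" >&2; return 1
    fi
    printf '%s -s %s -p %s -m %s --dport %s -j ACCEPT' "$chain" "$src" "$proto" "$proto" "$dport"
}

insert_cmd() { spec=$(rule_spec "$@") || return 1; printf 'iptables -I %s' "$spec"; }
delete_cmd() { spec=$(rule_spec "$@") || return 1; printf 'iptables -D %s' "$spec"; }

# at_job CHAIN SRC PROTO DPORT
# Prints the job body queued with at(1): delete the rule and record the outcome
# in syslog, so a failed removal (rule already gone, iptables missing) is visible.
at_job() {
    del=$(delete_cmd "$@") || return 1
    printf '%s && logger -t iptables-expire "removed: %s" || logger -t iptables-expire "FAILED: %s"\n' \
        "$del" "$del" "$del"
}

# add_expiring_rule TIMESPEC CHAIN SRC PROTO DPORT
# TIMESPEC is any at(1) time, e.g. "now + 1 week" or "now + 1 month".
# With DRY_RUN=1 the commands are printed instead of executed.
add_expiring_rule() {
    when=$1; shift
    ins=$(insert_cmd "$@") || return 1
    job=$(at_job "$@") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'would run: %s\nwould queue (at %s): %s\n' "$ins" "$when" "$job"
        return 0
    fi
    $ins || return 1                               # word-split on purpose: run the insert
    printf '%s\n' "$job" | at $when || return 1    # $when split on purpose: at's timespec words
    printf '%s added: %s (expires %s)\n' "$(date '+%F %T')" "$ins" "$when" >> "$RULE_LOG"
}

# Usage: add_expiring_rule "now + 1 week" INPUT 203.0.113.0/24 tcp 22
```

Because the at job deletes by rule specification, it only works while the rule still matches token for token, which is why one builder produces both commands. The rule exists only in the running kernel: `service iptables restart` reloads /etc/sysconfig/iptables and drops it early, and after a reboot the queued deletion finds nothing to remove and logs FAILED, which is harmless but worth knowing when reading the log.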


Re: [CentOS] Centos Firewall - router with virtual IP

2011-11-03 Thread KevinO
On 11/03/2011 08:03 PM, Fajar Priyanto wrote:
 On Fri, Nov 4, 2011 at 10:15 AM, KevinO ke...@kevino.org wrote:
 anyways, whatever, yes, you can do it with iptables, but not all off the
 shelf firewall script generators will support multiple LAN subnets.   I
 usually write my own iptables rulesets.

 I can say first hand that fwbuilder easily handles managing scripts for 
 multiple
 subnets and aliased addressing on NIC's. I use separate interface cards for 
 each
 subnet, however. (5 NIC's, 4 internal subnets, 3 public IP's on the one 
 external
 facing NIC)
 
 Hi Kevin,
 Expanding my original question.
 I have a need to open and close iptables rules based on particular
 time, say 1 week later, 1 month later, etc.
 Currently I have a simple script to do that:
 - Create the rules.
 - Create atd job to delete the rule based on the defined time.
 - Log it.
 It works, but not elegant :)
 
 Does fwbuilder have that function?
I'm not sure, and I don't have time to fire it up and check right now. I don't
have the latest version, anyway. I think there is an extensive manual on the
project's website and that will give you all of the details.


-- 
KevinO


[CentOS] Centos Firewall - router with virtual IP

2011-11-02 Thread Fajar Priyanto
Hi all,
I haven't found anything in Google about this.

I'm creating a firewall router with Centos with few virtual IP using iptables.

May I ask for your experience?
Is there any pitfall or bad side of using virtual IP for this purpose?
I'm using few virtual IP to accommodate few subnets that go through
this firewall/router.

Thank you.
Fajar.


Re: [CentOS] 2 questions on CentOS firewall

2011-07-21 Thread Timothy Murphy
Ljubomir Ljubojevic wrote:

 I took a look at the Billion manual. It seems that you have to use its
 firewall to add an allow rule for protocol icmp? and source IP 0.0.0.0.
 Destination might also be 0.0.0.0; I haven't had the time to study it.
 This should allow pings from outside.

Thanks very much.
Actually protocol ICMP does not seem to be allowed 
in the Firewall on my Billion 5200S RC.
But I see that this protocol is allowed in Access Management.
I just tried adding a rule with ICMP protocol,
but it seemed to have a bad effect!
(I was cut off from the outside world.)
I'm sure this is the right way to go, anyway,
so I'll continue my experiments.

Thanks again.

-- 
Timothy Murphy  
e-mail: gayleard /at/ eircom.net
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland



Re: [CentOS] firewall?

2011-07-20 Thread John Hodrien
On Wed, 20 Jul 2011, hadi motamedi wrote:

 If we cannot find the exact application name for centos, say MATLAB
 for centos does not exist, so we must search for 'Mathematics
 laboratory for centos' ? Or if Pspice for centos does not exist so we
 must search for 'Electronics circuit schematics editor and simulator
 for centos' ? Is there any reference site where we can select centos
 applications with respect to their functionality definition but not
 just the application name?

Stop googling for CentOS.  If you're looking for commercial packages, they'll
either claim to support Redhat or just linux, but they're very unlikely to
mention CentOS.

But this problem isn't linux specific.  How do you find matlab-like software
for windows?

jh


Re: [CentOS] firewall?

2011-07-20 Thread hadi motamedi
On 7/20/11, John Hodrien j.h.hodr...@leeds.ac.uk wrote:
 On Wed, 20 Jul 2011, hadi motamedi wrote:

 If we cannot find the exact application name for centos, say MATLAB
 for centos does not exist, so we must search for 'Mathematics
 laboratory for centos' ? Or if Pspice for centos does not exist so we
 must search for 'Electronics circuit schematics editor and simulator
 for centos' ? Is there any reference site where we can select centos
 applications with respect to their functionality definition but not
 just the application name?

 Stop googling for CentOS.  If you're looking for commercial packages,
 they'll
 either claim to support Redhat or just linux, but they're very unlikely to
 mention CentOS.

 But this problem isn't linux specific.  How do you find matlab-like software
 for windows?

 jh

You are right. But here, people use windows more than Linux. So
hearing about MATLAB for windows comes naturally. I need to switch
completely to my centos so I need to do everything with my centos as I
did them on my windows. It sounds a little bit hard to find a one-to-one
exact match between the applications on windows and their equivalents on
centos. Isn't it?


Re: [CentOS] firewall?

2011-07-20 Thread Keith Roberts
On Wed, 20 Jul 2011, hadi motamedi wrote:

*snip*

 So you've installed Octave but it's not as powerful as MATLAB on windows.
 I know this is crazy talk, but have you tried MATLAB on CentOS?

 There is no one-to-one relationship between applications on one OS and on
 another.

Hi Hadi.

If you are looking for Electronics and EDA things, why not 
take a look at the FEL - Fedora Electronics Lab spin:

http://spins.fedoraproject.org/fel/#downloads

You can d/l the FEL Live CD iso from here:

http://archive.nl.eu.kernel.org/fedora-alt/spins/linux/releases/14/Spins/i686/

HTH

Keith Roberts

-
Websites:
http://www.karsites.net
http://www.php-debuggers.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with
TMDA [http://tmda.net]
-


Re: [CentOS] firewall?

2011-07-20 Thread John Hodrien
On Wed, 20 Jul 2011, hadi motamedi wrote:

 You are right. But here, people use windows more than Linux. So
 hearing about MATLAB for windows comes natural. I need to switch
 completely to my centos so I need to do everything with my centos as I
 did them on my windows. It sounds a little bit hard to find one-one
 exact match between the application on windows and their equivalent on
 centos. Isn't it ?

In the case of matlab it's very easy: matlab.

In the case of other specialist software, the point is every bit of software
is different.  If you know an exact bit of software meets your needs, you are
the person best placed to know why.  The rest of it is a case of searching
google/yum/freshmeat using your domain specific knowledge as to exactly what
you need.

It would be exactly the same ball game if you were switching to using an
Apple, or indeed if Mathworks stopped selling matlab on windows.

jh


Re: [CentOS] 2 questions on CentOS firewall

2011-07-20 Thread Timothy Murphy
Timothy Murphy wrote:

 Ljubomir Ljubojevic wrote:
 
 (1) I can open port 22 on the Billion, allowing me to ssh in from
 outside. But for some reason I cannot ping the same address from
 outside.
 
  This is due to the modem refusing to answer pings. You might have an option
  to allow it in the modem config.
  
  Ping (ICMP) does not use ports; it is a packet of type 8.
 
 Thanks again for your response.
 Could CentOS be preventing me from pinging the system?

Further to my question,
how can I determine if it is the Billion 5200S modem/router
that is preventing pings, or if it is the CentOS-6 MicroServer
attached to the modem/router?

I don't see any reference to ICMP on the modem web-page.

On the other hand the CentOS firewall seems to allow ICMP
unless explicitly rejected (which I haven't done).

Surely it would be slightly odd for a modem/router
to reject pings by default?

Is there any simple way, short of using something like ethereal,
of determining if ICMP packets are reaching the computer,
and being rejected there?



-- 
Timothy Murphy  
e-mail: gayleard /at/ eircom.net
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland



Re: [CentOS] 2 questions on CentOS firewall

2011-07-20 Thread Ljubomir Ljubojevic
Timothy Murphy wrote:
 Further to my question,
 how can I determine if it is the Billion 5200S modem/router
 that is preventing pings, or if it is the CentOS-6 MicroServer
 attached to the modem/router?
 
 I don't see any reference to ICMP on the modem web-page.
 
 On the other hand the CentOS firewall seems to allow ICMP
 unless explicitly rejected (which I haven't done).
 
 Surely it would be slightly odd for a modem/router
 to reject pings by default?
 
 Is there any simple way, short of using something like ethereal,
 of determining if ICMP packets are reaching the computer,
 and being rejected there?
 

ICMP packets are blocked by the Billion, it's a 99% chance, since the public IP 
resides on the Billion. The only way (known to me) to pass ICMP to your 
CentOS server (on cheap modem/routers) is to do 1:1 NAT (all connections 
to all ports are redirected to the system behind it with the set IP).

If you need to be able to ping the CentOS system and not the Billion, then you 
should set the modem to bridge mode and pass the public IP to CentOS. But the caveat 
is that this would mean that if you turn on the CentOS firewall or set it 
improperly you would be wide open, and that you will not be able to 
willfully bypass the CentOS server (if it is down) and just plug PCs into the 
modem directly.


-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant


Re: [CentOS] 2 questions on CentOS firewall

2011-07-20 Thread Markus Falb
On 20.7.2011 12:51, Timothy Murphy wrote:

 Further to my question,
 how can I determine if it is the Billion 5200S modem/router
 that is preventing pings, or if it is the CentOS-6 MicroServer
 attached to the modem/router?
...
 Is there any simple way, short of using something like ethereal,
 of determining if ICMP packets are reaching the computer,
 and being rejected there?

I would use tcpdump on the CentOS Server to be sure the icmp echo
requests are arriving or not. tcpdump is something like ethereal but it
could be as easy as

$ tcpdump -l proto \\icmp
or
$ tcpdump -l proto \\icmp and host sourceip
or
$ tcpdump -li ethX proto \\icmp
or
...

-- 
Kind Regards, Markus Falb





Re: [CentOS] 2 questions on CentOS firewall

2011-07-20 Thread Always Learning

On Wed, 2011-07-20 at 14:21 +0200, Ljubomir Ljubojevic wrote:

 Ljubomir Ljubojevic
 (Love is in the Air)

Congratulations.

Are you planning to invite us to the wedding :-)


-- 
With best regards,

Paul.
England,
EU.




Re: [CentOS] firewall?

2011-07-20 Thread Marko Vojinovic
On Wednesday 20 July 2011 05:07:23 hadi motamedi wrote:
 If we cannot find the exact application name for centos, say MATLAB
 for centos does not exist, so we must search for 'Mathematics
 laboratory for centos' ?

MATLAB stands for *matrix* laboratory, not mathematics. See

http://en.wikipedia.org/wiki/MATLAB

Searching for MATLAB on CentOS is too naive. Rather, you just want to keep in 
mind that CentOS is binary-compatible with RHEL, go to the MATLAB website and 
find out that there is a supported version for RHEL:

http://www.mathworks.com/support/sysreq/current_release/linux.html

It costs about 2000 USD for a basic standalone installation (btw, the price is 
the same for Linux, Windows and Mac).

The functionality of MATLAB for CentOS is completely equivalent to the one on 
Windows. There is no alternative (free or otherwise) version which will 
provide equivalent functionality. That said, there are alternative apps which 
are equivalently powerful, but there are always differences.

HTH, :-)
Marko



Re: [CentOS] firewall?

2011-07-20 Thread m . roth
Marko Vojinovic wrote:
 On Wednesday 20 July 2011 05:07:23 hadi motamedi wrote:
 If we cannot find the exact application name for centos, say MATLAB
 for centos does not exist, so we must search for 'Mathematics
 laboratory for centos' ?

 MATLAB stands for *matrix* laboratory, not mathematics. See

 http://en.wikipedia.org/wiki/MATLAB

 Searching for MATLAB on CentOS is too naive. Rather, you just want to keep
 in mind that CentOS is binary-compatible with RHEL, go to the MATLAB
snip
I'll guarantee that it runs just fine under CentOS. We have several
installs running.

mark



Re: [CentOS] 2 questions on CentOS firewall

2011-07-20 Thread Les Mikesell
On 7/20/2011 5:51 AM, Timothy Murphy wrote:

 Further to my question,
 how can I determine if it is the Billion 5200S modem/router
 that is preventing pings, or if it is the CentOS-6 MicroServer
 attached to the modem/router?

 I don't see any reference to ICMP on the modem web-page.

 On the other hand the CentOS firewall seems to allow ICMP
 unless explicitly rejected (which I haven't done).

 Surely it would be slightly odd for a modem/router
 to reject pings by default?

Do you only have one public IP?  This sort of router is generally 
configured to do one-many source nat for a private network behind it. 
For tcp and udp packets there are more specified fields (port/socket 
info) that can be used to map inbound packets to the right private 
target either with configured entries or the dynamically maintained NAT 
table.  But there's no way to distinguish whether an inbound ping should 
be answered by the modem itself or passed through if you have specified 
a default 'dmz' target.  GRE packets (as used in pptp or router tunnels) 
have a similar problem of not having documented info that can be used to 
track the source NAT when there are multiple active sessions, although 
some routers manage to do it using microsoft conventions in the packets.

 Is there any simple way, short of using something like ethereal,
 of determining if ICMP packets are reaching the computer,
 and being rejected there?

A sniffer like tcpdump or wireshark is the simple way.  However, note 
that these see packets before they hit the host's iptables firewall, so 
even if you see packets arriving, they may not be reaching any applications.

-- 
   Les Mikesell
lesmikes...@gmail.com

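Markus's tcpdump filters tell you whether echo requests arrive, and Les's caveat is that tcpdump sees them before iptables does. Putting the two together, here is an added example (not from the thread) that reads a tcpdump capture and says which side of the modem the problem is on. It assumes tcpdump, awk and iptables are on the host; the function names and the sample capture lines are constructed for the example.

```shell
#!/bin/sh
# Added example: decide from a tcpdump capture whether echo requests reach the
# CentOS host at all, and if so whether the host answers. tcpdump taps the
# interface below netfilter, so it shows inbound requests even when iptables
# later drops them: "requests but no replies" points at the host (an iptables
# rule or net.ipv4.icmp_echo_ignore_all), "no requests" points upstream (the
# modem/router or the path). Function names are this example's own.

# ping_verdict: reads tcpdump text output on stdin, prints one line:
#   no-requests     nothing arrived; look at the modem/router or the path
#   unanswered N    N requests arrived, none answered; look at this host
#   answered N/M    N replies to M requests; ICMP works end to end
ping_verdict() {
    awk '
        /ICMP echo request/ { req++ }
        /ICMP echo reply/   { rep++ }
        END {
            if (req == 0)      print "no-requests"
            else if (rep == 0) print "unanswered " req
            else               print "answered " rep "/" req
        }'
}

# capture_verdict IFACE [COUNT]: capture COUNT ICMP packets (default 10) on
# IFACE and classify them. -n skips DNS lookups, -l line-buffers the output.
# Start a ping from outside while this waits; with no ICMP at all, -c never
# completes, so stop it with Ctrl-C and read that as "no-requests".
capture_verdict() {
    tcpdump -l -n -i "$1" -c "${2:-10}" icmp 2>/dev/null | ping_verdict
}

# host_icmp_checks: what to inspect on the host itself after "unanswered".
host_icmp_checks() {
    printf 'net.ipv4.icmp_echo_ignore_all = %s\n' \
        "$(cat /proc/sys/net/ipv4/icmp_echo_ignore_all 2>/dev/null || echo unknown)"
    # INPUT rules that mention icmp, with their packet counters (-v)
    iptables -L INPUT -n -v 2>/dev/null | grep -i icmp
}

# Constructed sample captures, in the format `tcpdump -n -l icmp` prints.
SAMPLE_UNANSWERED='12:51:01.000001 IP 192.0.2.10 > 192.168.1.2: ICMP echo request, id 4242, seq 1, length 64
12:51:02.000002 IP 192.0.2.10 > 192.168.1.2: ICMP echo request, id 4242, seq 2, length 64'
SAMPLE_ANSWERED='12:51:01.000001 IP 192.0.2.10 > 192.168.1.2: ICMP echo request, id 4242, seq 1, length 64
12:51:01.000300 IP 192.168.1.2 > 192.0.2.10: ICMP echo reply, id 4242, seq 1, length 64'

# Usage on a live host: capture_verdict eth0 10
```

On the capture Timothy posted (tcpdump listening, nothing printed while ping ran from outside) the verdict is "no-requests", which is exactly the case where the host's iptables is not the suspect and the modem/router is.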


Re: [CentOS] 2 questions on CentOS firewall

2011-07-20 Thread Ljubomir Ljubojevic
Always Learning wrote:
 On Wed, 2011-07-20 at 14:21 +0200, Ljubomir Ljubojevic wrote:
 
 Ljubomir Ljubojevic
 (Love is in the Air)
 
 Congratulations.
 
 Are you planning to invite us to the wedding :-)
 
 

Hehehehe, no.

My first name (Ljubomir) is an old Slavic name that means "he who loves 
peace", or "peace lover". Based on that and my skills in IT, I was given 
the nickname Dr. Love by a customer, now a long-time friend. It spread around 
and I grew to love it. And since my skill set expanded because of 
wireless (in the air), and I am of the disco generation, I borrowed a song 
name from John Paul Young as a signature for the StarOS forums, and then LQ 
and now mailing lists. It fits like a glove.

-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant


Re: [CentOS] firewall?

2011-07-20 Thread Ljubomir Ljubojevic
Les Mikesell wrote:
 The biggest searchable, up to date collection of open source software project 
 descriptions is probably http://freshmeat.net, but once you locate an 
 interesting project you might want to see if you can find an RPM-packaged 
 version at EPEL, rpmforge, etc. for easy installation and updates instead of 
 trying to build from source yourself.

I use http://rpm.pbone.net/ to search for CentOS/RHEL and Fedora packages.

It says that there is a matlab 7.4.0 rpm for Fedora 5 and 10-15.

The Fedora 5 version should be good for CentOS 5, and the Fedora 12 package for 
CentOS 6.

Link for Fedora 5 package:
http://apt.unl.edu/apt/fedora/redhat/5/i386/unl/RPMS/


-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant


Re: [CentOS] firewall?

2011-07-20 Thread m . roth
Ljubomir Ljubojevic wrote:
 Les Mikesell wrote:
snip
 I use http://rpm.pbone.net/ to search for CentOS/RHEL and Fedora packages.

 It says that there is matlab 7.4.0 rpm for Fedora 5 and 10-15.
snip
A couple of problems: first, it *is* COTS, and if you live in a country that
cares, you could be in steep legal trouble. Second, MATLAB uses a license
server; if you don't have a license, you can't use it.

   mark



Re: [CentOS] firewall?

2011-07-20 Thread John Hodrien
On Wed, 20 Jul 2011, Ljubomir Ljubojevic wrote:

 I use http://rpm.pbone.net/ to search for CentOS/RHEL and Fedora packages.

Valid.

 It says that there is matlab 7.4.0 rpm for Fedora 5 and 10-15.

 Fedora 5 version should be good for CentOS 5 , and Fedora 12 package for
 CentOS 6.

 Link for Fedora 5 package:
 http://apt.unl.edu/apt/fedora/redhat/5/i386/unl/RPMS/

Not in any way sensible, so don't go anywhere near this.

This just looks like an indexed internal directory at a university full of
packages you're really unlikely to want to install.  It's old commercial
software that won't work without a license.  Matlab installs just fine on
CentOS from the direct download from Mathworks.  Packaging it up is also
trivial.

jh


Re: [CentOS] firewall?

2011-07-20 Thread Ljubomir Ljubojevic
John Hodrien wrote:
 On Wed, 20 Jul 2011, Ljubomir Ljubojevic wrote:
 
 I use http://rpm.pbone.net/ to search for CentOS/RHEL and Fedora packages.
 
 Valid.
 
 It says that there is matlab 7.4.0 rpm for Fedora 5 and 10-15.

 Fedora 5 version should be good for CentOS 5 , and Fedora 12 package for
 CentOS 6.

 Link for Fedora 5 package:
 http://apt.unl.edu/apt/fedora/redhat/5/i386/unl/RPMS/
 
 Not in any way sensible, so don't go anywhere near this.
 
 This just looks like an indexed internal directory at a university full of
 packages you're really unlikely to want to install.  It's old commercial
 software that won't work without a license.  Matlab installs just fine on
 CentOS from the direct download from Mathworks.  Packaging it up is also
 trivial.
 

OK.

If it needs a license, what would be the harm in installing a (newer) 
version from the rpm? Their source RPM is actually a nosrc.rpm, so they just 
package it for easier install. I was assuming this when I suggested the 
packages.

-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant


Re: [CentOS] firewall?

2011-07-20 Thread John Hodrien
On Wed, 20 Jul 2011, Ljubomir Ljubojevic wrote:

 OK.

 If it needs license, what would be the harm if you install (newer)
 version from rpm? Their source RPM is actually nosrc.rpm so they just
 package  it for easier install. I was assuming this when I suggested the
 packages.

What I meant was, those were old RPMs.  You'd buy a license and either install
using the installer, or package up your own RPM.  You wouldn't go near those.

jh


Re: [CentOS] 2 questions on CentOS firewall

2011-07-20 Thread Timothy Murphy
Markus Falb wrote:

 I would use tcpdump on the CentOS Server to be sure the icmp echo
 requests are arriving or not. tcpdump is something like ethereal but it
 could be as easy as
 
 $ tcpdump -l proto \\icmp
 or
 $ tcpdump -l proto \\icmp and host sourceip
 or
 $ tcpdump -li ethX proto \\icmp
 or
 ...

Thanks for the instructions.
Nothing seems to get through:
--
[tim@helen ~]$ ping anghiari.homelinux.com
PING anghiari.homelinux.com (79.46.6.203) 56(84) bytes of data.

--- anghiari.homelinux.com ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2000ms
--

--
[root@alfred tim]# tcpdump -l proto \\icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

--

So I assume the modem is rejecting the ICMP packets.
As I said, I don't see anything about this
in the modem documentation or on the modem web-site.


-- 
Timothy Murphy  
e-mail: gayleard /at/ eircom.net
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland



Re: [CentOS] 2 questions on CentOS firewall

2011-07-20 Thread Ljubomir Ljubojevic
Timothy Murphy wrote:
 Markus Falb wrote:
 
 I would use tcpdump on the CentOS Server to be sure the icmp echo
 requests are arriving or not. tcpdump is something like ethereal but it
 could be as easy as

 $ tcpdump -l proto \\icmp
 or
 $ tcpdump -l proto \\icmp and host sourceip
 or
 $ tcpdump -li ethX proto \\icmp
 or
 ...
 
 Thanks for the instructions.
 Nothing seems to get through:
 --
 [tim@helen ~]$ ping anghiari.homelinux.com
 PING anghiari.homelinux.com (79.46.6.203) 56(84) bytes of data.
 
 --- anghiari.homelinux.com ping statistics ---
 3 packets transmitted, 0 received, 100% packet loss, time 2000ms
 --
 
 --
 [root@alfred tim]# tcpdump -l proto \\icmp
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
 
 --
 
 So I assume the modem is rejecting the ICMP packets.
 As I said, I don't see anything about this
 in the modem documentation or on the modem web-site.
 
 

An ICMP packet always reaches the system with the destination IP, unless it was 
purposely redirected by the system with that IP. In your case this is the 
modem/router, so it responds.

-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant


Re: [CentOS] 2 questions on CentOS firewall

2011-07-20 Thread Timothy Murphy
Ljubomir Ljubojevic wrote:

 ICMP packets are blocked by Billion, it's 99% chance, since public IP
 resides on the Billion. Only way (known to me) to pass ICMP to your
 CentOS server (on cheap modem/routers) is to do 1:1 NAT (all connections
 to all ports are redirected to system behind it with set IP).
 
 If you need to be able to ping CemtOS system and not Billion, then you
 should set modem to bridge mode and pass public IP to CentOS. But caveat
 is that this would mean that if you turn on CentOS firewall or set it
 improperly you would be wide open, and that you will not be able to
 willfully bypass CentOS server (if he is down) and just plug PC's to
 modem directly.

Thanks for the response.
I don't really mind if external sites cannot ping the machine;
I was just a little surprised at this,
particularly as I didn't see anything about it in the documentation.

I'll try asking on the Billion site.

-- 
Timothy Murphy  
e-mail: gayleard /at/ eircom.net
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland



Re: [CentOS] 2 questions on CentOS firewall

2011-07-20 Thread Timothy Murphy
Timothy Murphy wrote:

 So I assume the modem is rejecting the ICMP packets.
 As I said, I don't see anything about this
 in the modem documentation or on the modem web-site.

I suppose another possibility is that some site along the way
rejects ICMP packets?

traceroute seems to timeout in Milan:
---
[root@helen tim]# traceroute anghiari.homelinux.com
traceroute to anghiari.homelinux.com (79.46.6.203), 30 hops max, 40 byte 
packets
 1  netopia (192.168.1.254)  0.951 ms  1.132 ms  1.389 ms
 2  isp (159.134.155.19)  37.238 ms  39.560 ms  42.027 ms
...
12  telecomitalia.par02.atlas.cogentco.com (130.117.14.82)  67.140 ms 
telecomitalia.par02.atlas.cogentco.com (130.117.15.138)  92.952 ms ibs-
resid.milano50.mil.seabone.net (93.186.128.246)  87.098 ms
13  * * *
...
30  * * *
---
tcptraceroute gets to the modem, but after some timeouts:
---
[root@helen tim]# tcptraceroute anghiari.homelinux.com
traceroute to anghiari.homelinux.com (79.46.6.203), 30 hops max, 40 byte 
packets
 1  netopia (192.168.1.254)  1.491 ms  1.534 ms  1.784 ms
 2  isp (159.134.155.19)  36.195 ms  38.794 ms  41.328 ms
...
12  ibs-resid.milano50.mil.seabone.net (93.186.128.246)  85.084 ms  84.599 
ms  86.881 ms
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  host203-6-dynamic.46-79-r.retail.telecomitalia.it (79.46.6.203)  115.381 
ms  107.416 ms  114.875 ms
---

If anyone can interpret these for me, I shall be grateful.

-- 
Timothy Murphy  
e-mail: gayleard /at/ eircom.net
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland



Re: [CentOS] 2 questions on CentOS firewall

2011-07-20 Thread Ljubomir Ljubojevic
Timothy Murphy wrote:
 Timothy Murphy wrote:
 
 So I assume the modem is rejecting the ICMP packets.
 As I said, I don't see anything about this
 in the modem documentation or on the modem web-site.
 
 I suppose another possibility is that some site along the way
 rejects ICMP packets?
 
 traceroute seems to timeout in Milan:
 ---
 [root@helen tim]# traceroute anghiari.homelinux.com
 traceroute to anghiari.homelinux.com (79.46.6.203), 30 hops max, 40 byte 
 packets
  1  netopia (192.168.1.254)  0.951 ms  1.132 ms  1.389 ms
  2  isp (159.134.155.19)  37.238 ms  39.560 ms  42.027 ms
 ...
 12  telecomitalia.par02.atlas.cogentco.com (130.117.14.82)  67.140 ms 
 telecomitalia.par02.atlas.cogentco.com (130.117.15.138)  92.952 ms ibs-
 resid.milano50.mil.seabone.net (93.186.128.246)  87.098 ms
 13  * * *
 ...
 30  * * *
 ---
 tcptraceroute gets to the modem, but after some timeouts:
 ---
 [root@helen tim]# tcptraceroute anghiari.homelinux.com
 traceroute to anghiari.homelinux.com (79.46.6.203), 30 hops max, 40 byte 
 packets
  1  netopia (192.168.1.254)  1.491 ms  1.534 ms  1.784 ms
  2  isp (159.134.155.19)  36.195 ms  38.794 ms  41.328 ms
 ...
 12  ibs-resid.milano50.mil.seabone.net (93.186.128.246)  85.084 ms  84.599 
 ms  86.881 ms
 13  * * *
 14  * * *
 15  * * *
 16  * * *
 17  * * *
 18  host203-6-dynamic.46-79-r.retail.telecomitalia.it (79.46.6.203)  115.381 
 ms  107.416 ms  114.875 ms
 ---
 
 If anyone can interpret these for me, I shall be grateful.
 
Those timeouts are a normal occurrence. Some/most heavily loaded routers 
are configured to ignore traceroute requests, possibly even ICMP except 
for certain whitelisted IPs, but I can't remember off the top of my head.

Blocking ICMP for customer IPs is not something ISPs do, for various 
reasons.

I took a look at the Billion manual. It seems that you have to use its 
firewall to add an allow rule for protocol icmp? and source IP 0.0.0.0. 
Destination might also be 0.0.0.0; I haven't had the time to study it. 
This should allow pings from outside.

-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant
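Ljubomir's reading of the two listings, worked through as an added example (not the thread's own script). Plain traceroute on Linux sends UDP probes and needs an ICMP reply from the destination to show the last hop; tcptraceroute sends TCP SYNs (port 80 by default) and is satisfied by a SYN/ACK or RST, which the modem does send. The function, its output format and the abbreviated sample listings are this example's own; the samples keep the hop lines posted above and drop the `...` rows.

```shell
#!/bin/sh
# Added example: summarise a traceroute or tcptraceroute listing. Silent hops
# ("* * *") in the middle are routers that rate-limit or ignore TTL-expired
# replies; what matters is whether the destination itself answered, and to
# which probe type. Function name and abbreviated samples are this example's own.

# trace_summary DEST_IP: reads traceroute output on stdin and prints
#   reached=<hop|no> last_reply=<hop> silent=<count>
trace_summary() {
    awk -v dest="$1" '
        /^ *[0-9]+ / {
            hop = $1 + 0
            if ($2 == "*" && $0 ~ /\* \* \*$/) { silent++; next }
            last = hop
            if (index($0, "(" dest ")") > 0) reached = hop
        }
        END {
            printf "reached=%s last_reply=%d silent=%d\n",
                   (reached ? reached : "no"), last + 0, silent + 0
        }'
}

# Abbreviated from the listings in the thread (hop lines only, "..." rows dropped).
# Plain traceroute: UDP probes, destination never answers.
SAMPLE_UDP=' 1  netopia (192.168.1.254)  0.951 ms  1.132 ms  1.389 ms
 2  isp (159.134.155.19)  37.238 ms  39.560 ms  42.027 ms
12  ibs-resid.milano50.mil.seabone.net (93.186.128.246)  87.098 ms
13  * * *
30  * * *'
# tcptraceroute: TCP SYN probes, destination answers at hop 18.
SAMPLE_TCP=' 1  netopia (192.168.1.254)  1.491 ms  1.534 ms  1.784 ms
12  ibs-resid.milano50.mil.seabone.net (93.186.128.246)  85.084 ms  84.599 ms  86.881 ms
13  * * *
14  * * *
18  host203-6-dynamic.46-79-r.retail.telecomitalia.it (79.46.6.203)  115.381 ms  107.416 ms  114.875 ms'

# compare_traces: the two summaries side by side. The silent hops are the same
# in both runs and are not the cause; only the destination's reply differs,
# so the last hop accepts TCP but emits no ICMP, which is the modem's doing.
compare_traces() {
    printf 'udp: %s\ntcp: %s\n' \
        "$(printf '%s\n' "$SAMPLE_UDP" | trace_summary 79.46.6.203)" \
        "$(printf '%s\n' "$SAMPLE_TCP" | trace_summary 79.46.6.203)"
}

# Usage on a live host: traceroute anghiari.homelinux.com | trace_summary 79.46.6.203
```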


Re: [CentOS] firewall?

2011-07-19 Thread John Hodrien
On Sun, 17 Jul 2011, Always Learning wrote:

 If using SSH, FTP, phpmyadmin etc. etc. then DO NOT use the standard
 ports. Allocate a different IP address (if you have several) and use a
 non-web IP address for SSH and a different non-web IP address for
 phpmyadmin etc. WITH non-standard ports (you can go as high as about
 64000). Also consider ONLY allowing access from predefined static IP
 addresses (under your control). Do not make it easy for the hackers.
 Give them a difficult time.

Running on non-default ports (especially high numbered ports) always strikes
me as the wrong way of doing things.  You've come out of the admin shelter of
low ports meaning you're now vulnerable to local attacks - if I can make ftp
(one of your examples) crash, I can potentially steal its port and run my own
ftp server, stealing everyone's password if I have a local account.  At the
same time, you're still vulnerable to plenty of scanning attacks.

If you want accessible services to be accessible, I say make them accessible,
and secure that service as much as you reasonably can.

If you want to restrict access to make it more secure, put them behind a VPN
or other protection.  That way you *really* get the security benefit that you
wanted in the first place.

jh


Re: [CentOS] firewall?

2011-07-19 Thread hadi motamedi
On 7/19/11, John Hodrien j.h.hodr...@leeds.ac.uk wrote:
 On Sun, 17 Jul 2011, Always Learning wrote:

 If using SSH, FTP, phpmyadmin etc. etc. then DO NOT use the standard
 ports. Allocate a different IP address (if you have several) and use a
 non-web IP address for SSH and a different non-web IP address for
 phpmyadmin etc. WITH non-standard ports (you can go as high as about
 64000). Also consider ONLY allowing access from predefined static IP
 addresses (under your control). Do not make it easy for the hackers.
 Give them a difficult time.

 Running on non-default ports (especially high numbered ports) always strikes
 me as the wrong way of doing things.  You've come out of the admin shelter of
 low ports meaning you're now vulnerable to local attacks - if I can make ftp
 (one of your examples) crash, I can potentially steal its port and run my own
 ftp server, stealing everyone's password if I have a local account.  At the
 same time, you're still vulnerable to plenty of scanning attacks.

 If you want accessible services to be accessible, I say make them accessible,
 and secure that service as much as you reasonably can.

 If you want to restrict access to make it more secure, put them behind a VPN
 or other protection.  That way you *really* get the security benefit that you
 wanted in the first place.

 jh

Dear All
With respect to the references you gave me, I figured out that I needed to add the
following line to my /etc/sysconfig/iptables :
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
Then I issued:
#service iptables restart
And now the Windows machine can browse valid URLs. Thank you for your help.
I want to put more stuff on my CentOS 5.6 machine. To this end, I
installed UltraEdit, Octave, gschem and Shorewall on my CentOS 5.6
machine. But I don't see a one-to-one relationship between these
applications and the ones I have on my Windows machine. For example,
Octave does not have the same power as MATLAB on a Windows machine,
and PSpice on Windows is more powerful than the one I have on my
CentOS machine. Can you please let me know where powerful CentOS stuff for
various purposes can be selected and installed from the internet?
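Whether that -A line actually takes effect depends on where it lands: the stock CentOS 5 RH-Firewall-1-INPUT chain ends in an unconditional REJECT, so an ACCEPT appended after it is never reached. The following Python is an added example (not from this thread; the sample firewall file is constructed and only modelled on the stock layout) that checks the placement and inserts the rule in front of the catch-all.

```python
# Check/fix placement of a UDP/53 ACCEPT in a CentOS 5 style /etc/sysconfig/iptables:
# the stock RH-Firewall-1-INPUT chain ends in a catch-all REJECT, so a rule appended
# after it is never reached.  Added example (not from the thread); SAMPLE_CONFIG is constructed.
import shlex

CHAIN = "RH-Firewall-1-INPUT"
DNS_RULE = "-A %s -p udp -m udp --dport 53 -j ACCEPT" % CHAIN
MATCH_OPTS = ("-p", "-m", "-s", "-d", "-i", "-o")  # options that make a rule conditional
SAMPLE_CONFIG = """*filter
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""

def _rule(line):  # tokens of an -A rule for CHAIN, else None
    toks = shlex.split(line)
    return toks if toks[:2] == ["-A", CHAIN] else None

def _target(toks):
    return toks[toks.index("-j") + 1] if "-j" in toks else None

def _is_dns_accept(toks):
    return ("udp" in toks and "--dport" in toks
            and toks[toks.index("--dport") + 1] == "53" and _target(toks) == "ACCEPT")

def _is_catch_all(toks):  # REJECT/DROP with no match options: later rules are dead
    return _target(toks) in ("REJECT", "DROP") and not any(o in toks for o in MATCH_OPTS)

def dns_rule_effective(config_text):
    """True only if a UDP/53 ACCEPT precedes the chain's catch-all rule."""
    for toks in filter(None, map(_rule, config_text.splitlines())):
        if _is_dns_accept(toks):
            return True
        if _is_catch_all(toks):
            return False
    return False

def ensure_dns_accept(config_text):
    """Return the config with exactly one UDP/53 ACCEPT, placed just before
    the catch-all (or as the chain's last rule if there is none)."""
    lines = [l for l in config_text.splitlines()
             if not (_rule(l) and _is_dns_accept(_rule(l)))]  # drop dead copies
    rules = [(i, _rule(l)) for i, l in enumerate(lines) if _rule(l)]
    if not rules:
        raise ValueError("chain %s has no rules" % CHAIN)
    catch_all = [i for i, t in rules if _is_catch_all(t)]
    lines.insert(catch_all[0] if catch_all else rules[-1][0] + 1, DNS_RULE)
    return "\n".join(lines) + "\n"
```

The sample deliberately has the DNS rule appended after the REJECT, so dns_rule_effective reports False until ensure_dns_accept moves it in front of the catch-all; on a real box, run it against a copy of the file and then `service iptables restart` as the thread does.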


Re: [CentOS] firewall?

2011-07-19 Thread John Hodrien
On Tue, 19 Jul 2011, hadi motamedi wrote:

 Dear All
 With respect to the references you gave me, I figured out that I needed to add the
 following line to my /etc/sysconfig/iptables :
 -A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
 Then I issued:
 #service iptables restart
 And now the Windows machine can browse valid URLs. Thank you for your help.
 I want to put more stuff on my CentOS 5.6 machine. To this end, I
 installed UltraEdit, Octave, gschem and Shorewall on my CentOS 5.6
 machine. But I don't see a one-to-one relationship between these
 applications and the ones I have on my Windows machine. For example,
 Octave does not have the same power as MATLAB on a Windows machine,
 and PSpice on Windows is more powerful than the one I have on my
 CentOS machine. Can you please let me know where powerful CentOS stuff for
 various purposes can be selected and installed from the internet?

So you've installed Octave but it's not as powerful as MATLAB on Windows.
I know this is crazy talk, but have you tried MATLAB on CentOS?

There is no one-to-one relationship between applications on one OS and on
another.

Keep googling.

jh


Re: [CentOS] firewall?

2011-07-19 Thread John Doe
From: hadi motamedi motamed...@gmail.com

 CentOS machine. Can you please let me know where powerful CentOS stuff for
 various purposes can be selected and installed from the internet?

Hum... powerful stuff for various purposes is usually mysterious secret 
knowledge handed from masters to disciples...
Do you think you could handle such powerful stuff...?!?

JD


Re: [CentOS] firewall?

2011-07-19 Thread hadi motamedi
On 7/19/11, John Doe jd...@yahoo.com wrote:
 From: hadi motamedi motamed...@gmail.com

 CentOS machine. Can you please let me know where powerful CentOS stuff for
 various purposes can be selected and installed from the internet?

 Hum... powerful stuff for various purposes is usually mysterious secret
 knowledge handed from masters to disciples...
 Do you think you could handle such powerful stuff...?!?

 JD

Sorry for not being specific in the question. I mean engineering
CentOS stuff with a one-to-one relationship to the Windows ones, like Visual
C, MATLAB, PSpice, etc.

