On 02/27/2011 09:32 PM, Paul Cupis wrote:
> On 26/02/11 12:57, Charles Munson wrote:
>> Actually I take that back ... the firewall doesn't appear to be working at
>> all for incoming connections anymore. Even in restrictive mode connections
>> to my services can still be made. Maybe the priority should be raised to
>> critical rather than normal.
>
> Can you please provide the output of "iptables -nL" (as root) once you
> have started firestarter?
>
> I am seeing firestarter create the firewall properly under 2.6.37 as
> under earlier kernels.
>
> Regards,
>
I have attached the iptables output; it seems to be setting rules, but
iptables is still allowing all inbound traffic to connect to the machine
(even non-established traffic). I think the "ACCEPT all -- 0.0.0.0/0
0.0.0.0/0" is trumping all other rules there.

Also, nothing is showing up any longer under 'Active connections'. I'm not
sure if this is a related issue or not.

I noticed the issues after upgrading to 2.6.37, so I am assuming they are
related to the kernel upgrade.

Thanks,
Charles
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  10.7.0.248           0.0.0.0/0            tcp flags:!0x17/0x02
ACCEPT     udp  --  10.7.0.248           0.0.0.0/0
ACCEPT     tcp  --  193.48.224.212       0.0.0.0/0            tcp flags:!0x17/0x02
ACCEPT     udp  --  193.48.224.212       0.0.0.0/0
ACCEPT     tcp  --  193.48.224.116       0.0.0.0/0            tcp flags:!0x17/0x02
ACCEPT     udp  --  193.48.224.116       0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
LSI        udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:33434
LSI        icmp --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            255.255.255.255
DROP       all  --  0.0.0.0/0            10.10.255.255
DROP       all  --  224.0.0.0/8          0.0.0.0/0
DROP       all  --  0.0.0.0/0            224.0.0.0/8
DROP       all  --  255.255.255.255      0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
LSI        all  -f  0.0.0.0/0            0.0.0.0/0            limit: avg 10/min burst 5
INBOUND    all  --  0.0.0.0/0            0.0.0.0/0
LOG_FILTER all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Unknown Input'

Chain FORWARD (policy DROP)
target     prot opt source               destination
LSI        udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:33434
LSI        icmp --  0.0.0.0/0            0.0.0.0/0
LOG_FILTER all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Unknown Forward'

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  10.10.0.1            10.7.0.248           tcp dpt:53
ACCEPT     udp  --  10.10.0.1            10.7.0.248           udp dpt:53
ACCEPT     tcp  --  10.10.0.1            193.48.224.212       tcp dpt:53
ACCEPT     udp  --  10.10.0.1            193.48.224.212       udp dpt:53
ACCEPT     tcp  --  10.10.0.1            193.48.224.116       tcp dpt:53
ACCEPT     udp  --  10.10.0.1            193.48.224.116       udp dpt:53
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  224.0.0.0/8          0.0.0.0/0
DROP       all  --  0.0.0.0/0            224.0.0.0/8
DROP       all  --  255.255.255.255      0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
OUTBOUND   all  --  0.0.0.0/0            0.0.0.0/0
LOG_FILTER all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Unknown Output'

Chain INBOUND (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
LSI        all  --  0.0.0.0/0            0.0.0.0/0

Chain LOG_FILTER (5 references)
target     prot opt source               destination

Chain LSI (6 references)
target     prot opt source               destination
LOG_FILTER all  --  0.0.0.0/0            0.0.0.0/0
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x04 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x04
LOG        icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain LSO (1 references)
target     prot opt source               destination
LOG_FILTER all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Outbound '
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTBOUND (1 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
LSO        all  --  0.0.0.0/0            0.0.0.0/0