On Sun, 2003-12-14 at 10:28, Bryan Phinney wrote:
> On Sunday 14 December 2003 12:37 am, Lyvim Xaphir wrote:
> 
> > I have to disagree here, since I was able to install 9.2 on a firewall
> > box with 2 nics, then use Drakconf to share the connection.  The
> > firewall box is minimal hardware, 200 MHz Pentium I MMX with 80 megs of
> > memory; not costly at all.  
> 
> Compared to a $50 or less broadband router device.

Well, this stuff was mostly stuff on the way to be trashed, whereupon it
was intercepted by yours truly.  So I've got maybe, well....NOTHING,
actually, in this box.  If you look around, old stuff is not hard to
find.  Schools, corporations, government installations, even eBay; lots
of peeps getting rid of old stuff all the time.  Not real hard to find
these days, especially with this newfangled internet thing. ;)

> 
> > All this depends on the intentions of the 
> > newbie; which is whether they are going for a functional installation to
> > "do stuff" on the internet with or whether they are in this for the
> > learning process.  Most newbies are here to learn, and attack a learning
> > curve, not run from it.
> 
> Fact is, there is nothing that says that you can not operate a router at the 
> same time that you operate a firewall.  I run both a firewall and a router 
> device.  I still prefer the hardware device that disables portscans on my 
> system, again, you may prefer to see those types of attacks, I just want to 
> block them.
> 
> However, I do not know of any non-techie computer people that just happen to 
> have a spare box lying around, YMMV.  Absent a box, there is not really any 
> way to build a standalone firewall box that is going to cost less than the 
> $50 that a hardware router will run you.  Installing the firewall on your 
> primary system is not as good as a hardware router device.

I have already proven your statement about a firewall box being less
than 50 bucks false, since I have a resurrected box right here; and I
never have stated that the firewall should be on your primary system.
What I have said is that an MDK firewall box built using the MDK
installation routines is better than a router appliance, and that
statement derives directly from scans against both.

> 
> > If they are in it for the greater understanding of what is going on
> > underneath, which a lot of newbies are, then the ideal route to go is a
> > Mandrake firewall running 9.2, with internet connection sharing enabled
> > which btw automatically enables Shorewall, which is of course a
> > firewall.  Even at its basic configuration, Shorewall is much better
> > than a hardware router.
> 
> Well, your experience with newbies appears to differ from mine.  In my 
> experience, they are simply looking for a solution that works, not 
> necessarily one that enables them to know what is going on underneath.

That depends on whether you are instructing newbies at a LUG or at
Wal-Mart.

>   There 
> is time for learning after your computer is running and doing the things that 
> you want it to do.  I definitely would not suggest to someone coming from the 
> Windows world whose current idea of a good firewall is Kerio with a system 
> tray icon on their primary machine, that they should jump full bore into the 
> world of shorewall and iptables while their current machine is open to attack 
> from the Internet.

That I agree with; that's why I made this statement:

"Hardware routers are generally for Mac users or non-tech types.  That's
fine, but if you are looking for knowledge, a router appliance is not
going to get you there; in fact I recommend against it."

> 
> That being said, running a firewall on the same box that you use as your 
> primary computer is simply not a good idea.  It needs to be a standalone box 
> that sits between you and the Internet.  In fact, in most corporate setups 
> the chain goes, Router - Firewall - Router - Internal lan.  There is a reason 
> for setting up routers between those boxes.

Where in the heck are you getting the idea that I said anything about
running the firewall on the primary box?  This is what I said --

"it is best to let Mandrake install programs set up internet connection
sharing using two nics in the firewall; one for the local lan and the
other for connection"

Note the term "local lan", which in this case implies that I have a
local lan.  A large segment of the population these days has more than
one computer system.

> 
> > Hardware routers are generally for Mac users or non-tech types.  That's
> > fine, but if you are looking for knowledge, a router appliance is not
> > going to get you there; in fact I recommend against it.
> 
> We will just have to disagree there.  I don't know of any large enterprise 
> that doesn't run a router appliance 

We are not talking about Ciscos; we are talking about the home market
here and $50-$100 router appliances, where some individuals seek better
control over their internet access, and don't have access to Cisco
boxes.

> and can't even begin to imagine why a 
> home user, provided he can afford it, would not want to gain the same 
> benefits as they do.

WHAT benefits?  I despise the Cisco interface compared to running a bona
fide bash shell.  And like I said, there is better security in an MDK
firewall box than a hardware appliance as long as the MDK box is
correct.  I know about Cisco vulns; they've been a major concern in the
past.  They've been a major problem with DoS's, also, besides the fact
that their updates will never be on a par with the frequency of MDK
updates.

>   Granted, you will receive less information as some 
> portscans and obvious probes against your machine are blocked so that you 
> never see them unless you check your router log.  I don't have a problem with 
> that since they are, in fact, blocked.

Well, I don't know what router appliance you've got but obviously it's
different than the model I have.  There were ports on my router that
were open by default.  It was also open to ICMP.

> 
> > Having said all that, to avoid standard newbie frustrations when you are
> > implementing a solution for learning purposes, it is best to let
> > Mandrake install programs set up internet connection sharing using two
> > nics in the firewall; one for the local lan and the other for connection
> > to DSL.  Packet filtering/mangling can then occur between the two nics
> > inside the firewall box.  When internet connection sharing is set up
> > (using Drakconf), Shorewall is automatically installed/activated.  The
> > newbie should then back up his /etc directory before he messes around
> > with Drakconf any more; then he should start examining the Shorewall
> > config files in /etc/shorewall.
> >
> > This will give a better understanding of a default firewall setup, from
> > which they can begin making changes.
> 
> Or, if you are looking for a very simple solution that provides a fair amount 
> of protection with a minimal amount of issues getting setup, you can plug in 
> a router appliance that provides a hardware firewall, it prevents access to 
> your system from outside and until you physically open up ports, you can't 
> run any servers inside your box.  You can still check the log on the device 
> to see all of the traffic that is being blocked.  
> 
> For instance, here you can see all of the Windows traffic (port 137) that my 
> own router is rejecting:
> 
> WAN Type: PPP over Ethernet (2.57 build 3)
>  Display time: Sun 14 Dec 2003 10:27:10 AM EST
> Sun 14 Dec 2003 08:40:24 AM EST Unrecognized access from 81.250.114.141:137 to 
> UDP port 137
> Sun 14 Dec 2003 08:40:25 AM EST Unrecognized access from 81.250.114.141:137 to 
> UDP port 137
> Sun 14 Dec 2003 08:40:54 AM EST Unrecognized access from 81.129.70.76:1039 to 
> UDP port 137


Glad you are getting absolute minimal information.  However, since I
myself am running an MDK firewall, I have the option of running Snort on
*all* incoming packets (since my appliance is in bridge mode and not
router mode) and therefore, with the latest Snort intrusion analysis, I
can record all incoming packets, their IP, the time and date they came
in, plus get a good analysis of what the packet was doing at my IP
address.  I can also log all this to a MySQL database for future
reference and examination.  The following is a very small fraction of
all the intrusions I have detected over the last two weeks.

Thus, an NMAP scan attempt:

[**] SCAN nmap TCP [**]
12/10-15:43:07.889367 12.44.244.5:80 -> 67.41.80.144:53
TCP TTL:51 TOS:0x0 ID:24934 IpLen:20 DgmLen:40
***A**** Seq: 0x3E7  Ack: 0x0  Win: 0x578  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SCAN nmap TCP [**]
12/10-15:43:13.006448 12.44.244.5:80 -> 67.41.80.144:53
TCP TTL:51 TOS:0x0 ID:25072 IpLen:20 DgmLen:40
***A**** Seq: 0x3FD  Ack: 0x0  Win: 0x578  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

An M$-SQL worm propagation attempt:

[**] MS-SQL Worm propagation attempt [**]
12/11-15:21:07.260103 172.179.117.32:3608 -> 67.41.80.144:1434
UDP TTL:112 TOS:0x0 ID:49097 IpLen:20 DgmLen:404
Len: 376

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Another:

[**] MS-SQL Worm propagation attempt [**]
12/08-18:34:19.824599 194.78.94.150:2282 -> 67.41.80.144:1434
UDP TTL:109 TOS:0x0 ID:346 IpLen:20 DgmLen:404
Len: 376

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

And another:

[**] MS-SQL Worm propagation attempt [**]
12/07-19:17:58.019172 195.121.232.114:1571 -> 67.41.80.144:1434
UDP TTL:115 TOS:0x0 ID:44451 IpLen:20 DgmLen:404
Len: 376

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

And finally, an M$ script kiddie looking for easter eggs, multiple
attempts over multiple days:

[**] ICMP PING CyberKit 2.2 Windows [**]
12/08-06:34:34.177324 65.37.14.71 -> 67.41.80.144
ICMP TTL:114 TOS:0x0 ID:37132 IpLen:20 DgmLen:92
Type:8  Code:0  ID:768   Seq:25135  ECHO
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ICMP PING CyberKit 2.2 Windows [**]
12/08-10:51:34.187469 65.37.14.71 -> 67.41.80.144
ICMP TTL:114 TOS:0x0 ID:12321 IpLen:20 DgmLen:92
Type:8  Code:0  ID:768   Seq:16658  ECHO
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ICMP PING CyberKit 2.2 Windows [**]
12/09-10:08:14.816600 65.37.14.71 -> 67.41.80.144
ICMP TTL:114 TOS:0x0 ID:29100 IpLen:20 DgmLen:92
Type:8  Code:0  ID:768   Seq:11238  ECHO
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ICMP PING CyberKit 2.2 Windows [**]
12/10-23:38:39.957787 65.37.14.71 -> 67.41.80.144
ICMP TTL:114 TOS:0x0 ID:34787 IpLen:20 DgmLen:92
Type:8  Code:0  ID:768   Seq:39606  ECHO
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ICMP PING CyberKit 2.2 Windows [**]
12/11-01:43:39.471497 65.37.14.71 -> 67.41.80.144
ICMP TTL:114 TOS:0x0 ID:20241 IpLen:20 DgmLen:92
Type:8  Code:0  ID:768   Seq:168  ECHO
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ICMP PING CyberKit 2.2 Windows [**]
12/11-03:47:45.405671 65.37.14.71 -> 67.41.80.144
ICMP TTL:114 TOS:0x0 ID:2157 IpLen:20 DgmLen:92
Type:8  Code:0  ID:768   Seq:27033  ECHO
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ICMP PING CyberKit 2.2 Windows [**]
12/11-12:04:43.241691 65.37.14.71 -> 67.41.80.144
ICMP TTL:114 TOS:0x0 ID:9976 IpLen:20 DgmLen:92
Type:8  Code:0  ID:768   Seq:14431  ECHO
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

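The alerts above are in Snort's "full" alert format, one record per =+=+ separator.  As an added example that is not part of the original post or of Snort itself, here is a small Python parser that decodes those records and tallies hits per signature and per source host, the sort of summary one would otherwise pull out of the MySQL log mentioned above.  The sample alerts are constructed in the same layout and use RFC 5737 documentation addresses rather than the addresses from the post.

```python
import re
from collections import Counter
# Constructed sample in the Snort "full" alert format quoted in the post; the
# hosts are RFC 5737 documentation addresses, not the addresses from the post.
SAMPLE_ALERTS = """\
[**] SCAN nmap TCP [**]
12/10-15:43:07.889367 192.0.2.5:80 -> 198.51.100.144:53
TCP TTL:51 TOS:0x0 ID:24934 IpLen:20 DgmLen:40
***A**** Seq: 0x3E7  Ack: 0x0  Win: 0x578  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] MS-SQL Worm propagation attempt [**]
12/11-15:21:07.260103 203.0.113.32:3608 -> 198.51.100.144:1434
UDP TTL:112 TOS:0x0 ID:49097 IpLen:20 DgmLen:404
Len: 376
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] ICMP PING CyberKit 2.2 Windows [**]
12/08-06:34:34.177324 203.0.113.71 -> 198.51.100.144
ICMP TTL:114 TOS:0x0 ID:37132 IpLen:20 DgmLen:92
Type:8  Code:0  ID:768   Seq:25135  ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] ICMP PING CyberKit 2.2 Windows [**]
12/09-10:08:14.816600 203.0.113.71 -> 198.51.100.144
ICMP TTL:114 TOS:0x0 ID:29100 IpLen:20 DgmLen:92
Type:8  Code:0  ID:768   Seq:11238  ECHO
"""

SIG_RE = re.compile(r"^\[\*\*\] (?P<sig>.+?) \[\*\*\]$")
HDR_RE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (?P<src>[\d.]+)(?::(?P<sport>\d+))?"
                    r" -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")

def parse_alerts(text):
    """Split the file on the =+=+ separator lines and decode each record."""
    alerts, block = [], []
    for line in text.splitlines() + ["=+=+"]:      # sentinel flushes the last record
        if line.startswith("=+=+"):
            if block:
                alerts.append(parse_record(block))
            block = []
        elif line.strip():                          # blank padding lines carry nothing
            block.append(line)
    return [a for a in alerts if a is not None]

def parse_record(lines):
    """Layout: signature line, timestamp/address line, protocol line, details."""
    sig = SIG_RE.match(lines[0])
    hdr = HDR_RE.match(lines[1]) if len(lines) > 1 else None
    if not (sig and hdr):
        return None                                 # malformed record; skip it
    proto = lines[2].split()[0] if len(lines) > 2 else "?"
    return {"sig": sig["sig"], "ts": hdr["ts"], "proto": proto, "src": hdr["src"],
            "sport": hdr["sport"], "dst": hdr["dst"], "dport": hdr["dport"]}

def summarize(alerts):
    """The two tallies a defender wants first: hits per signature and per source."""
    return Counter(a["sig"] for a in alerts), Counter(a["src"] for a in alerts)
```

Feed a real alert file to parse_alerts() and the per-source counter shows repeat visitors like the CyberKit pinger above without reading every record by hand.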