-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I agree with you on the name of the product.  But, why include routed
or gated if you don't intend the product to be used in a network that
I have designed?  The firewall just sits before my private edge
router, and is the last hop before the Internet.

Like I said.  I can manage the firewall remotely from another
segment, but not a single device can get to the Internet, except the
firewall itself.

Here is the bastille-firewall.conf file from my firewall:


# the configuration values should be whitespace-delimited lists of 
# appropriate values, e.g.
#       TCP_PUBLIC_SERVICES="80 smtp ssh"
# lists Web (port 80), SMTP mail, and Secure Shell ports
#
# This script is suitable for workstations or simple NAT firewalls;
# you may want to add more "output" restrictions for serious servers

# 0) DNS servers. You must list your DNS servers here so that
#       the firewall will allow them to service your lookup requests
#
# List of DNS servers/networks to allow "domain" responses from
# This _could_ be nameservers as a list of <ip-address>/32 entries
#DNS_SERVERS="a.b.c.d/32 e.f.g.h/32"    
# If you are running a caching nameserver, you'll need to allow from
# "0.0.0.0/0" so named can query any arbitrary nameserver
# (To enable a caching nameserver, you will also probably need to
#  add "domain" to the TCP and UDP public service lists.)
#DNS_SERVERS="0.0.0.0/0"
#
# To have the DNS servers parsed from /etc/resolv.conf at runtime,
# as normal workstations will want, make this variable empty
#DNS_SERVERS=""
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)

# ISPDrake: allow all DNS replies if this host is a DNS server; otherwise this
# variable is set from the resolv.conf value
DNS_SERVERS="192.168.150.1/32"

# 1) define your interfaces
#       Note a "+" acts as a wildcard, e.g. ppp+ would match any PPP 
#       interface
#
# list internal/trusted interfaces
# traffic from these interfaces will be allowed 
# through the firewall, no restrictions
#TRUSTED_IFACES="lo"                                    # MINIMAL/SAFEST
#
# list external/untrusted interfaces
#PUBLIC_IFACES="eth+ ppp+ slip+"                        # SAFEST
#
# list internal/partially-trusted interfaces
# e.g. if this acts as a NAT/IP Masq server and you
# don't want clients on those interfaces having 
# full network access to services running on this
# server (as the TRUSTED_IFACES allows)
#INTERNAL_IFACES=""                             # SAFEST
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)

# ISPDrake: fixed TRUSTED_IFACES, no routing between interfaces
TRUSTED_IFACES="lo eth0"

# ISPDrake: search for the public and external interface in the backend value
# When ADSL type is pppoe or pptp, the public interface must be ppp0
PUBLIC_IFACES="eth2 "

INTERNAL_IFACES="eth0 eth1 "

# 2) services for which we want to log access attempts to syslog
#       Note this only audits connection attempts from public interfaces
#
#       Also see item 12, LOG_FAILURES
#
#TCP_AUDIT_SERVICES="telnet ftp imap pop-3 finger sunrpc exec login linuxconf ssh"
# anyone probing for BackOrifice?
#UDP_AUDIT_SERVICES="31337"
# how about ICMP?
#ICMP_AUDIT_TYPES=""
#ICMP_AUDIT_TYPES="echo-request"        # ping/MS tracert
#
# To enable auditing, you must have syslog configured to log "kern"
# messages of "info" level; typically you'd do this with a line in
# syslog.conf like
#   kern.info                           /var/log/messages
# though the Bastille port monitor will normally want these messages
# logged to a named pipe instead, and the Bastille script normally
# configures syslog for "kern.*" which catches these messages
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)

# ISPDrake: translate the perl list into a proper shell (whitespace-delimited) list
TCP_AUDIT_SERVICES="" 
UDP_AUDIT_SERVICES=""
ICMP_AUDIT_TYPES=""

# 3) services we allow connections to
#
# FTP note:
#       To allow your machine to service "passive" FTP clients,
#       you will need to make allowances for the passive data
#       ports; Bastille users should read README.FTP for more
#       information
#
# "public" interfaces:
# TCP services that "public" hosts should be allowed to connect to
#TCP_PUBLIC_SERVICES=""                                 # MINIMAL/SAFEST
#
# UDP services that "public" hosts should be allowed to connect to
#UDP_PUBLIC_SERVICES=""                                 # MINIMAL/SAFEST
#
# "internal" interfaces:
# (NB: you will need to repeat the "public" services if you want
#      to allow "internal" hosts to reach those services, too.)
# TCP services that internal clients can connect to
#TCP_INTERNAL_SERVICES=""                               # MINIMAL/SAFEST
#
# UDP services that internal clients can connect to
#UDP_INTERNAL_SERVICES=""                               # MINIMAL/SAFEST
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
TCP_PUBLIC_SERVICES=""

UDP_PUBLIC_SERVICES=""

TCP_FORWARD_SERVICES=": domain   "

UDP_FORWARD_SERVICES=": domain "

TCP_INTERNAL_SERVICES="ssh 8443"

UDP_INTERNAL_SERVICES=""



# 4) FTP is a firewall nightmare; if you allow "normal" FTP connections,
#       you must be careful to block any TCP services that are listening
#       on high ports; it's safer to require your FTP clients to use
#       "passive" mode. 
#
#       Note this will also force clients on machines
#       that use this one for NAT/IP Masquerading to use passive mode
#       for connections that go through this server (e.g. from the
#       internal network to public Internet machines)
#
#       For more information about FTP, see the Bastille README.FTP doc
#
#FORCE_PASV_FTP="N"
#FORCE_PASV_FTP="Y"                                     # SAFEST
#
FORCE_PASV_FTP="Y"                      

# 5) Services to explicitly block. See FTP note above
#       Note that ranges of ports are specified with colons, and you
#       can specify an open range by using only one number, e.g.
#       1024: means ports >= 1024 and :6000 means ports <= 6000
#
# TCP services on high ports that should be blocked if not forcing passive FTP
# This should include X (6000:6010) and anything else revealed by 'netstat -an'
#  (this does not matter unless you're not forcing "passive" FTP)
#TCP_BLOCKED_SERVICES="6000:6020"
#
# UDP services to block: this should be UDP services on high ports.
# Your only vulnerability from public interfaces are the DNS and
# NTP servers/networks (those with 0.0.0.0 for DNS servers should
# obviously be very careful here!)
#UDP_BLOCKED_SERVICES="2049"
#
# types of ICMP packets to allow
#ICMP_ALLOWED_TYPES="destination-unreachable"           # MINIMAL/SAFEST
# the following allows you to ping/traceroute outbound
#ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded"
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
TCP_BLOCKED_SERVICES="6000:6020"
UDP_BLOCKED_SERVICES="2049"
ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded"


# 6) Source Address Verification helps prevent "IP Spoofing" attacks
#
ENABLE_SRC_ADDR_VERIFY="Y"

# 7) IP Masquerading / NAT. List your internal/masq'ed networks here
#
#       Also see item 4, FORCE_PASV_FTP, as that setting affects
#       clients using IP Masquerading through this machine
#
# Set this variable if you're using IP Masq / NAT for a local network
#IP_MASQ_NETWORK=""                                     # DISABLE/SAFEST
#IP_MASQ_NETWORK="10.0.0.0/8"                           # example
#IP_MASQ_NETWORK="192.168.0.0/16"                       # example
#
# Have lots of masq hosts? uncomment the following six lines 
#  and list the hosts/networks in /etc/firewall-masqhosts
#  the script assumes any address without a "/" netmask afterwards
#  is an individual address (netmask /255.255.255.255):
#if [ -f /etc/firewall-masqhosts ]; then
#  echo "Reading list of masq hosts from /etc/firewall-masqhosts"
#  # Read the file, but use 'awk' to strip comments
#  # Note the sed bracket phrase includes a space and tab char
#  IP_MASQ_NETWORK=`cat /etc/firewall-masqhosts | awk -F\# '/\// {print $1; next} /[0-9]/ {print $1"/32"}' | sed 's:[     ]*::g'`
#fi
# 
# Masq modules
# NB: The script will prepend "ip_masq_" to each module name
#IP_MASQ_MODULES="cuseeme ftp irc quake raudio vdolive" # ALL (?)
#IP_MASQ_MODULES="ftp raudio vdolive"                   # RECOMMENDED
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
# ISPDrake: derive the masqueraded network (address/netmask) of each internal
# interface from its "inet addr" line in the ifconfig output
for i in ${INTERNAL_IFACES} ; do
IP_MASQ_NETWORK="${IP_MASQ_NETWORK} `LANG=en LANGUAGE=en ifconfig ${i} | grep "inet addr" | awk '{print $2":"$4}' | awk -F: '{print $2"/"$4}'`"
done

IP_MASQ_MODULES="cuseeme ftp irc quake raudio vdolive dplay icq h323"


# 8) How to react to disallowed packets
# whether to "REJECT" or "DENY" disallowed packets; if you're running any
# public services, you probably ought to use "REJECT"; if in serious stealth
# mode, choose "DENY" so simple probes don't know if there's anything out there
#       NOTE: disallowed ICMP packets are discarded with "DENY", as
#               it would not make sense to "reject" the packet if you're
#               trying to disallow ping/traceroute
#
REJECT_METHOD="DENY"

# 9) DHCP
#    In case your server needs to get a DHCP address from some other
#    machine (e.g. cable modem)
#DHCP_IFACES="eth0"                     # example, to allow you to query on eth0
#DHCP_IFACES=""                         # DISABLED
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
DHCP_IFACES=""


# 10) more UDP fun. List IP addresses or network space of NTP servers
#
#NTP_SERVERS=""                         # DISABLE NTP QUERIES / SAFEST
#NTP_SERVERS="a.b.c.d/32 e.f.g.h/32"    # example, to allow querying 2 servers
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
NTP_SERVERS=""          


# 11) more ICMP. Control the outbound ICMP to make yourself invisible to
#     traceroute probes
#
#ICMP_OUTBOUND_DISABLED_TYPES="destination-unreachable time-exceeded"
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
ICMP_OUTBOUND_DISABLED_TYPES=""


# 12) Logging
#       With this enabled, ipchains will log all blocked packets.
#                ** this could generate huge logs **
#       This is primarily intended for the port monitoring system;
#       also note that you probably do not want to "AUDIT" any services
#       that you are not allowing, as doing so would mean duplicate
#       logging
LOG_FAILURES="N"        


# 13) ADSL
#       Set to yes if an ADSL modem is plugged into one of your external interfaces
#       For ADSL Internet access the firewall script allows access to TCP port 1073
#       and needs protocol 47
ADSL_INTERFACES=""      


# 14) SQUID
#       Redirect all port 80 packets from the masqueraded network to the SQUID port

SQUID_REDIRECT_PORT=""


# 15) Optimize TOS for specific protocols, thanks to Trinity OS for this !!!
# Though very FEW ISPs do anything with the TOS bits, I thought you'd
# like to see it.  In theory, you can tell the Internet how to handle
# your traffic, be it sensitive to delay, throughput, etc.
#
#       -t 0x01 0x10 = Minimum Delay
#       -t 0x01 0x08 = Maximum Throughput
#       -t 0x01 0x04 = Maximum Reliability
#       -t 0x01 0x02 = Minimum Cost

TOS_MIN_DELAY=""
TOS_MAX_THROUGHPUT=""
TOS_MAX_RELIABILITY=""
TOS_MIN_COST=""

Do I have to modify Item 7 within this config file?

Thanks,

Chris
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of et
Sent: Tuesday, May 28, 2002 1:53 PM
To: [EMAIL PROTECTED]
Subject: Re: [newbie] SNF 7.2 problems.


boy I don't know if stuff has changed or what, but used to be SINGLE Network
firewall meant only one lan and one external interface no wonder you have a
problem with SINGLE NETWORK on MULTIPLE eth interfaces... have you ever
considered using only eth0 for the inside lan as the gateway (192.168.0.1)
and eth1 as the (dhcp?) outside lan? and maybe consider a complete distro
custom setup as a firewall machine to get all these other ETH2, ETH3,
ppp0,ppp1,ppp2, running at the same time?


On Tuesday 28 May 2002 04:02 pm, you wrote:
> Yes.  The ETH interfaces are the gateways for the respected LAN 
> segments.  I do have RIPv2 running on the network and all of the 
> routers "see" the other subnets.  Like I said, I can SSH into the 
> firewall from the IP Address 192.168.150.1, do what I need to do on
>  the firewall, but I cannot get outside the firewall.  Is there a 
> script or config file you would like me to paste so you can look at
> it  to see if there is a config problem?  I haven't made any
> changes to any of the script files, except the init.rc (or the
> rc.local, whichever is the very last script to run during bootup)
> to which I had to add the static routes to the other networks.  Now,
> before anyone else  jumps, I did add the static routes manually
> BEFORE I modified the  init.rc script, and I was able to access the
> firewall via HTTPS and  SSH, but I was still not able to get out to
> the Internet.
>
> Thanks,
>
> Chris
>
> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]] On Behalf Of Dennis Myers
> Sent: Tuesday, May 28, 2002 12:12 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [newbie] SNF 7.2 problems.
>
> On Tuesday 28 May 2002 12:41 pm, you wrote:
> > Does anyone have any good FAQ links for the Mandrake SNF 7.2
> > build,   other than the one on Mandrake's site?
> >
> > Also, I have a problem with the firewall itself. I have the
> > firewall   setup in the diagram attached. I have static routes in
> > the init.rc   startup script, because I am unable to get routed
> > or gated to  receive  any RIPv1 or RIPv2 broadcasts from my Cisco
> > 2621 routers.  Every time I  try to start routed with the -q or
> > -a switch 
> > (whichever switch is for  listening only), routed says it cannot 
> > bind to address.
> >
> > Anyway, I can access the firewall via the web management
> > interface,   and also via SSH. The problem is that my clients on
> > any of the  192.168  networks cannot get out to the Internet. I
> > have allowed DNS  (UDP only), HTTP, HTTPS, FTP, SSH, SFTP, and
> > SFC. Can anyone tell me what  could be going on? BTW, I can get
> > out to the Internet from the
> > firewall by both pinging an IP address (both the Internet DNS
> > server  and the IP address of 208.208.208.208), and by running
> > the TEST
> > INTERNET CONNECTION from the list after logging into the console
> > with  admin.
> >
> > I have not installed any of the security updates, as this causes
> > a  problem when restarting the system as it hangs on bringing up
> > the  ETH2  interface. Can anyone recommend how to install the
> > security  updates/patches?
> >
> > Thanks,
> >
> > Chris
> >
> >
> > PS.  My apologies to the mod, as I don't have a website to upload
> >  the  image (only 20kb).
>
> Oops! hit the mouse button at the wrong moment, so previous message resembles
> the inner workings of my brain.  Have you set up the LAN so that all of the
> system knows what the gateway address is?  You don't mention a
> gateway device.  Just curious and hope to help.


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
Comment: Public Key Signature for Chris Lynch

iQA/AwUBPPT+/Er5pFJx+BQ5EQLyCgCfY0+lSbtLlIM3Jw/Wtd8zHJIrohwAoLdP
KEQa7LtQ+YrxR3jT42XaIbe3
=zY97
-----END PGP SIGNATURE-----
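Item 7 of the pasted config builds IP_MASQ_NETWORK only from the address and netmask that `ifconfig` reports for each interface in INTERNAL_IFACES, so the masqueraded networks are exactly the subnets directly attached to the firewall. As an added example (not part of the thread, of Bastille or of Mandrake SNF), this Python reproduces that derivation on constructed `ifconfig` lines and reports which client subnets, for instance ones reached over static routes, fall outside the masqueraded networks; the interface addresses and the client subnets are assumed placeholders, not the poster's real values.

```python
import ipaddress
import re

# Constructed sample of the "inet addr" lines that item 7 greps out of
# `ifconfig <iface>`; placeholder addresses, not the poster's network.
SAMPLE_IFCONFIG = {
    "eth0": "          inet addr:192.168.1.254  Bcast:192.168.1.255  Mask:255.255.255.0",
    "eth1": "          inet addr:192.168.2.254  Bcast:192.168.2.255  Mask:255.255.255.0",
}

# Assumed client subnets: one directly attached, one only reachable via a
# static route on the firewall (illustrative values).
ROUTED_CLIENT_SUBNETS = ["192.168.150.0/24", "192.168.1.0/24"]

INET_RE = re.compile(r"inet addr:(\S+)\s+.*Mask:(\S+)")


def masq_networks(ifconfig_by_iface, internal_ifaces):
    """Mirror item 7: one address/netmask entry per INTERNAL_IFACES member.

    ipchains masks the address with the netmask, so each entry denotes the
    interface's attached network; strict=False does the same masking here.
    """
    nets = []
    for iface in internal_ifaces.split():  # tolerates the trailing space in "eth0 eth1 "
        match = INET_RE.search(ifconfig_by_iface.get(iface, ""))
        if not match:
            continue  # interface down or without an IPv4 address: nothing to masquerade
        addr, mask = match.groups()
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def uncovered_subnets(client_subnets, nets):
    """Return the client subnets that no IP_MASQ_NETWORK entry covers.

    Packets from these sources are forwarded without masquerading, so replies
    from the Internet are addressed to private IPs and never come back.
    """
    return [
        subnet for subnet in map(ipaddress.ip_network, client_subnets)
        if not any(subnet.subnet_of(net) for net in nets)
    ]


if __name__ == "__main__":
    nets = masq_networks(SAMPLE_IFCONFIG, "eth0 eth1 ")
    print("IP_MASQ_NETWORK covers:", [str(n) for n in nets])
    missing = uncovered_subnets(ROUTED_CLIENT_SUBNETS, nets)
    print("not masqueraded:", [str(s) for s in missing])
```

Running it against a real box means replacing SAMPLE_IFCONFIG with the output of `ifconfig <iface>` for each internal interface and listing the subnets behind the inside routers.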

