Re: firewall advice
On Sun, Dec 15, 2002 at 07:15:25PM -0800, Torrin wrote:

> I'll also add connection tracking in my iptables script. Is there anything I can do in my ipchains script?

Did you ever look at the SuSEfirewall{,2} scripts by Marc Heuse? GPL, will work with any distro, maybe small changes where to find the config files etc. v2 is for iptables, v1 for ipchains. For a simple bash script quite cool. Concept and all. Commented config file. Good FAQ by Togan somewhere in the SuSE FAQ on sf.net. Sorry, no URL, but you'll find it for sure on the SuSE site and elsewhere.

Lars

--
no need to reinvent the wheel, though that is always enlightening fun :)
Re: firewall advice
I am using the v1 scripts on Debian 3.0r0. IIRC, I had to change one directory in the INSTALL script. SuSE puts the symlinks in /etc/init.d/rcX.d and Debian puts them in /etc/rcX.d/. Edit the script before running it.

I like it because it works at the policy level of Internet, DMZ, and internal zones, services, trusted networks, etc. Plus rules to block attacks the author is knowledgeable about that few of us know about (e.g., ICMP). And it does not require X. All other tools I tried were just GUI interfaces to add individual rules to ipchains/iptables. The result is no better than my knowledge. The SuSEfirewall scripts are expert in a script.

The URL is http://www.suse.com/~marc/SuSE.html.

HTH,
Jeffrey

Quoting Lars Ellenberg [EMAIL PROTECTED]:

> On Sun, Dec 15, 2002 at 07:15:25PM -0800, Torrin wrote:
>
> > I'll also add connection tracking in my iptables script. Is there anything I can do in my ipchains script?
>
> Did you ever look at the SuSEfirewall{,2} scripts by Marc Heuse? GPL, will work with any distro, maybe small changes where to find the config files etc. v2 is for iptables, v1 for ipchains. For a simple bash script quite cool. Concept and all. Commented config file. Good FAQ by Togan somewhere in the SuSE FAQ on sf.net. Sorry, no URL, but you'll find it for sure on the SuSE site and elsewhere.
>
> Lars
Re: firewall advice
* Quoting andrew lattis ([EMAIL PROTECTED]):

> #connections to lo
> $iptables -A OUTPUT -p ALL -o $lo_iface -s $lo_ip -j ACCEPT
> #allow the rest
> $iptables -A OUTPUT -p ALL -o $eth_iface -s $eth_ip -j ACCEPT
> #log the rest
> $iptables -A OUTPUT -m limit --limit $log_limit --limit-burst $log_limit_burst -p tcp -j LOG --log-prefix "output tcp: "
> $iptables -A OUTPUT -m limit --limit $log_limit --limit-burst $log_limit_burst -p udp -j LOG --log-prefix "output udp: "

You should not forget to log other protocols like ICMP, ... It's best to log any packet here.

- rk

--
Ahahahahaha! Ahahahaha! Aahahaha! BEWARE!
Yrs sincerely
The Opera Ghost
Re: firewall advice
* Torrin ([EMAIL PROTECTED]) [021215 19:21]:

> Nicolas Boullis wrote:
>
> > * Torrin ([EMAIL PROTECTED]):
> >
> > > iptables -A INPUT -i eth0 -j ACCEPT -p TCP -s 0.0.0.0/0 --source-port domain #53
> > > iptables -A INPUT -i eth0 -j ACCEPT -p UDP -s 0.0.0.0/0 --source-port domain #53
> >
> > Hey! I'm a nice port, let me in!
>
> Oops. You're right, I should probably change that to be the address of the DNS server. I'll also add connection tracking in my iptables script. Is there anything I can do in my ipchains script?

You don't need these rules at all if you're allowing state ESTABLISHED,RELATED packets. The packets coming from your nameservers (in response to your DNS requests) will be allowed via connection tracking. The above rules would be used in the case when you want to allow incoming connections, which you probably don't need to accept from your nameserver.

good times,
Vineet

--
http://www.doorstop.net/
--
Computer Science is no more about computers than astronomy is about telescopes. -- E.W. Dijkstra
firewall advice
I changed the subject and started a new thread here. Anyway . . .

Nicolas Boullis wrote:

> You should add the rule:
>
> $IPTABLES -A INPUT -j ACCEPT -i eth0 -m state --state ESTABLISHED,RELATED

Thanks, those rules that I gave as an example are from my workstation which has a 2.4 kernel installed. I will add this connection tracking stuff on my workstation. But my server has a 2.2 kernel installed and from the man page, there doesn't seem to be connection tracking in ipchains. Correct?

> > # Drop spoofed packets
> > iptables -A INPUT -i eth0 -j DROP -s 192.168.1.3 -d 0.0.0.0/0
>
> What about outgoing spoofed packets? They didn't get dropped in this script at all. It's only a selfish half-hearted firewall if all it does is to protect yourself against incoming nasties; there's always a responsibility not to inflict dodgy packets on others, as much as possible.

OK, but how do you tell if a packet is spoofed going out? I can tell coming in by looking at the source address and the interface.

> > iptables -A INPUT -i eth0 -j ACCEPT -p TCP -s 0.0.0.0/0 --source-port domain #53
> > iptables -A INPUT -i eth0 -j ACCEPT -p UDP -s 0.0.0.0/0 --source-port domain #53
>
> Hey! I'm a nice port, let me in!

Oops. You're right, I should probably change that to be the address of the DNS server. I'll also add connection tracking in my iptables script. Is there anything I can do in my ipchains script?

--
http://www.torrin.net
Re: firewall advice
On 2002/12/15 07:15:25PM -0800, Sun, Torrin wrote:

> I changed the subject and started a new thread here. Anyway . . .
>
> > > # Drop spoofed packets
> > > iptables -A INPUT -i eth0 -j DROP -s 192.168.1.3 -d 0.0.0.0/0
> >
> > What about outgoing spoofed packets? They didn't get dropped in this script at all. It's only a selfish half-hearted firewall if all it does is to protect yourself against incoming nasties; there's always a responsibility not to inflict dodgy packets on others, as much as possible.
>
> OK, but how do you tell if a packet is spoofed going out? I can tell coming in by looking at the source address and the interface.

#Packets leaving this server
#connections to lo
$iptables -A OUTPUT -p ALL -o $lo_iface -s $lo_ip -j ACCEPT
#allow the rest
$iptables -A OUTPUT -p ALL -o $eth_iface -s $eth_ip -j ACCEPT
#log the rest
$iptables -A OUTPUT -m limit --limit $log_limit --limit-burst $log_limit_burst -p tcp -j LOG --log-prefix "output tcp: "
$iptables -A OUTPUT -m limit --limit $log_limit --limit-burst $log_limit_burst -p udp -j LOG --log-prefix "output udp: "

I believe this should get it, not that I have gotten around to spoofing anything to verify that it does drop it...
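The following script is an added example for this thread, not code posted by Torrin, andrew, Vineet or rk. It puts the three points made above into one ruleset: the ESTABLISHED,RELATED rule that makes the "--source-port domain" rules unnecessary (Vineet's reply), an egress check that answers "how do you tell if a packet is spoofed going out" (a packet leaving eth0 whose source is not the host's own address), and a final LOG rule with no protocol match so that ICMP and everything else is logged, not only TCP and UDP (rk's reply). It is iptables only; ipchains on a 2.2 kernel has no connection tracking, so none of the state rules have an equivalent there. The interface name eth0, the host address 192.168.1.3, the rate limits and the open SSH port are assumed values for illustration. The rules are produced as text first so they can be reviewed, or dry-run with "echo", before being applied as root.

```shell
#!/bin/sh
# Added example for this thread (not code from any of the posters): a minimal
# stateful iptables ruleset for a single-homed host. The rules are generated as
# text first so they can be reviewed, or dry-run with "echo", before being
# applied as root. Values below are assumptions, not taken from the thread.
ETH_IFACE=eth0          # the Internet-facing interface (assumed)
ETH_IP=192.168.1.3      # this host's own address on $ETH_IFACE (assumed)
LOG_LIMIT=5/minute      # rate limit for LOG rules (assumed)
LOG_BURST=10

firewall_rules() {
    # Default-deny on every chain, then rebuild the filter table from empty.
    cat <<EOF
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-F
EOF
    # INPUT. The ESTABLISHED,RELATED rule is what makes the old
    # "--source-port domain" rules unnecessary: the outgoing DNS query creates a
    # conntrack entry and the resolver's UDP reply matches ESTABLISHED, without
    # opening port 53 as a source port to the whole Internet. RELATED also
    # admits ICMP errors that belong to an existing flow.
    # The two -s DROP rules are ingress anti-spoofing: a packet arriving on
    # $ETH_IFACE cannot legitimately carry our own address or a loopback
    # address as its source. Port 22 (SSH) is the one assumed inbound service.
    cat <<EOF
-A INPUT -i lo -j ACCEPT
-A INPUT -i $ETH_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $ETH_IFACE -m state --state INVALID -j DROP
-A INPUT -i $ETH_IFACE -s $ETH_IP -j DROP
-A INPUT -i $ETH_IFACE -s 127.0.0.0/8 -j DROP
-A INPUT -i $ETH_IFACE -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit $LOG_LIMIT --limit-burst $LOG_BURST -j LOG --log-prefix "input drop: "
-A INPUT -j DROP
EOF
    # OUTPUT. Egress anti-spoofing is the mirror image of the ingress check:
    # a packet leaving $ETH_IFACE whose source is not our own address is
    # spoofed (on a router the test would be "not one of the networks behind
    # me"). It is logged and dropped before the general ACCEPT. The final LOG
    # rule has no -p match, so ICMP and every other protocol get logged, not
    # only TCP and UDP. The quoted prefix with its trailing space keeps the
    # prefix from running into the rest of the kernel log line.
    cat <<EOF
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $ETH_IFACE ! -s $ETH_IP -m limit --limit $LOG_LIMIT --limit-burst $LOG_BURST -j LOG --log-prefix "egress spoof: "
-A OUTPUT -o $ETH_IFACE ! -s $ETH_IP -j DROP
-A OUTPUT -o $ETH_IFACE -s $ETH_IP -j ACCEPT
-A OUTPUT -m limit --limit $LOG_LIMIT --limit-burst $LOG_BURST -j LOG --log-prefix "output drop: "
-A OUTPUT -j DROP
EOF
}

# Feed each generated rule to the given binary. "apply_rules echo" is a dry
# run; "apply_rules iptables" needs root. (iptables 1.2.x, current when this
# thread was written, spelled the negation "-s ! addr" instead of "! -s addr".)
apply_rules() {
    _ipt="${1:-iptables}"
    firewall_rules | while IFS= read -r _rule; do
        eval "$_ipt $_rule" || return 1
    done
}

# Stand-alone use: print the ruleset; "sh fw.sh --apply" installs it as root.
case "${1:-}" in
    --apply) apply_rules iptables ;;
    *)       firewall_rules ;;
esac
```

Run it without arguments to see the rules; run `apply_rules echo` from another script to see exactly what iptables would be invoked with. Because the generator is plain text, it is easy to confirm by eye that nothing resembling "--source-port domain" survives, which is the whole point of the state rule.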