Re: [CentOS] Firewall frustration
Christopher Chan wrote: Now I have to hop over to the Asterisk list to figure why with one firewall the INVITE properly redirects the RTP to the RTP server, and the with the other firewall this is not in the INVITE so the RTP flow does not. ARGH! I hope you are not trying to get around a double nat situation. client - nat - nat - asterisk. I never managed to get things to work in that scenario. I have a vpn setup to get things to work. No. That in part of my frustration. I have 64 publicly routed addresses. My open net is 8 addresses, for 6 systems. DSL router and so far 2 firewalls standard (occational honeypot). I assigned 8 addresses for my VoIPnet. All Trixboxes on VoIPnet have 2 NICs. Their second NIC is to an 192.168 addressed net with the various VoIP clients. So I have a WRT54g running sveasoft with NAT turned off. But even with NAT turned off, the box is basically brain-dead. It would only allow the ONE server defined as the DMZ server to be accessed even when the firewall is disabled! And I have 2 Trixboxes (part of my testing. Have to learn DUNDI too). So I now have a REAL firewall; well Centos wiht Shorewall. And it seemed to be working, but the SIP/SDP INVITE when I have the sveasoft box has a redirect from the SIP server to the actual RTP server. But with Shorewall, that information is NOT in the INVITE so the SIP server responds with an ICMP of no such port. And so far I have not figured this out... ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
Toby Bluhm wrote: Robert Moskowitz wrote: qsm wrote: maybe shorewall can do your live so easy. It does not support the rtl8150 chipset. That is what the I have in the way of USB ethernet dongles. Which is another reason to go with a Centos based solution when you need to put something up as you go. Which is how I have shorewall/shoreline working . . . . OOPS... I was thinking you were saying Smoothwall! There I go again. Yes, it IS Shorewall that I am using with the Webmin front end (though more and more now I am doing quick edits to add rules via VI). [EMAIL PROTECTED] ~]$ cat /etc/redhat-release CentOS release 5 (Final) [EMAIL PROTECTED] ~]$ rpm -qi shorewall Name: shorewallRelocations: (not relocatable) Version : 4.0.2 Vendor: Invoca Systems Release : 3 Build Date: Mon Aug 20 09:03:41 2007 Install Date: Mon Aug 20 09:05:25 2007 Build Host: nutube Group : System Environment/Base Source RPM: shorewall-4.0.2-3.src.rpm Size: 483558 License: GPL Signature : (none) Packager: Simon Matter [EMAIL PROTECTED] URL : http://www.shorewall.net/ Summary : Shoreline Firewall is an iptables-based firewall for Linux systems Description : The Shoreline Firewall, more commonly known as Shorewall, is a Netfilter (iptables) based firewall that can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall offers two alternative firewall compilers, shorewall-perl and shorewall-shell. The shorewall-perl compiler is suggested for new installed systems and shorewall-shell is provided for backwards compability and smooth legacy system upgrades because shorewall perl is not fully compatible with all legacy configurations. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
qsm wrote: maybe shorewall can do your live so easy. It does not support the rtl8150 chipset. That is what the I have in the way of USB ethernet dongles. Which is another reason to go with a Centos based solution when you need to put something up as you go. -- *-- Original Message ---* From: Robert Moskowitz [EMAIL PROTECTED] To: CentOS mailing list centos@centos.org Sent: Thu, 3 Jan 2008 08:03:09 -0500 Subject: Re: [CentOS] Firewall frustration Christopher Chan wrote: I tried it. I had everything open. Then I blocked everything. Then I set up a rule to allow SSH in to eth0 and out eth1 (and the other way). At least I thought that was what the rules said, but no SSH connectivity through the firewall. That was when I realized that I had not found the necessary incantation, and I had already shot most of tuesday. Too bad you missed the documentation on netfilter then. And that is the crux of the problem. Finding the right documentation And to look at documentation on netfilter besides iptables. It would have told you that the INPUT chain controls what comes to the box, the OUTPUT chain what originates from the box and the FORWARD chain what goes through the box. You would have needed a rule in FORWARD to allow ssh connections through the box. The rules in the INPUT and OUTPUT chains would have zero effect on connections going through. Anyways, you have something now but in case you want to give iptables another go... ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos -- Este mensaje ha sido analizado por MailScanner en busca de virus y otros contenidos peligrosos, y se considera que está limpio. For all your IT requirements visit: http://www.transtec.co.uk http://www.transtec.co.uk/ *--- End of Original Message ---* -- Este mensaje ha sido analizado por *MailScanner* http://www.mailscanner.info/ en busca de virus y otros contenidos peligrosos, y se considera que está limpio. MailScanner agradece a transtec Computers http://www.transtec.co.uk/ por su apoyo. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
Marko A. Jennings wrote: On Thu, January 3, 2008 8:18 am, Robert Moskowitz wrote: Steven Haigh wrote: On 03/01/2008, at 3:34 PM, Robert Moskowitz wrote: Christopher Chan wrote: I spent much of the past 24 hours trying to find out how to set up iptables for firewall routing WITHOUT NATing. Could not find anything. Eh? You just need to enable ip forwarding to enable routing. After that, it is put up the firewall rules as is necessary, build the appropriate routing tables on the firewall box and the boxes on the intranet(s). iptables does not handle routing. No, but iptables controls what is allowed to route, I think this is where you are getting confused and causing yourself issues. iptables has ZERO effect on what is allowed to route. It is a simple YES or NO as to if it should be allowed to pass or be filtered. I have been tested as having a significant language usage problem, and am working on it. 'what is allowed to route', was a poor choice of wording. What you wrote above is much closer to what I wanted to say. ip src/dest is used for routing decisions by the kernel. The IP state machine (check the RFC or any decent TCP/IP textbook) is really quite simple. But iptables sticks its nose into the center of that state machine and can mangle addresses to change how packets flow through the machine, or just simplely yank packets right out of the machine with a simple NO (drop). So in my mind's eye of the IP state machine (my MSU CPS 410 prof was death on state machines; turn in a perfectly executing assignment without one and there went half your grade. See HIP for its state machine) is dictated by iptables as to what it is allowed to route. Those little words, put up the firewall rules as necessary are equivalent to and magic happens here. It's actually not magical at all... Work with the mindset of I want to allow X, Y, and Z, then deny everything else. This translates easily into iptables rules -j ACCEPT and then your last rule (or policy) should be a deny/drop/reject. That is exactly what I tried to do. I just used the wrong bit of pixie dust (during some of the 'heated' IPsec meeting debates one fellow would try to sneak up a speaker 'that just did not get it' and sprinkle some glitter on them. He had labeled his tube of glitter as 'security pixie dust'). If you are interested in learning how iptables work, I suggest reading this book: Linux Firewalls, Second Edition by Robert L. Ziegler ISBN 0-7357-1099-6 It covers everything from packet filtering concepts to practical examples. Now here is a recommendation to follow up on. Thanks! ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
Christopher Chan wrote: ip src/dest is used for routing decisions by the kernel. The IP state machine (check the RFC or any decent TCP/IP textbook) is really quite simple. But iptables sticks its nose into the center of that state machine and can mangle addresses to change how packets flow through the machine, or just simplely yank packets right out of the machine with a simple NO (drop). So in my mind's eye of the IP state machine (my MSU CPS 410 prof was death on state machines; turn in a perfectly executing assignment without one and there went half your grade. See HIP for its state machine) is dictated by iptables as to what it is allowed to route. That just means iptables can influence routing by manipulating packet headers. Routing is still controlled by the kernel. We are playing with words here, and english tends to be too rich in interpretation. I work on standards. I let one regional joke left in an RFC: 2410, the Null ESP cipher. There we joke about the null cipher having a key length of zero. A very America joke for at the time we were killing aspects of the ITAR control on crypto export. But a few years later, over at my day job at ICSAlabs, we are trying to figure out why this one firewall product for TW is not working with the others. The connections are terminated in the ISAKMP negotiation. We dig down and find that there is an ISAKMO ESP-NULL proposal with a key payload with a value of zero. No one else is accepting this and rejects the whole ISAKMP exchange per the ISAKMP RFC. We then find a few other IPsec implementations coming out like this and all the authors are people following on, just reading the RFCs and NOT getting the joke. There are some MAD developers as they have to change their code,and some blushing IETFers as we realize we have to maintain the lore of the RFC development as there are other RFCs with zingers in them. Over at the IEEE 802, we are voting ballots on wording that can be interpreted on way with the Webster dictionary and another with the Oxford dictionary. So I am right about iptables controlling routing and you are right about iptables NOT controlling routing, only influencing it. What does 'control' mean in this context? IEEE is really big on state machines and truly covers the transfer of 'control' from one layer to another. Look at the MLME in 802.11. Look at the 802.1X machines. So since I have to live this control architecture and work in live debates about what layer is controling what, I have a particular language set. BTW, should we table this debate? Webster says that means stopping, 'taking the subject off the table.' Oxford says that means to start, 'placing the subject on the table.' Boy did we have some moments back in the mid-90s with the ISO crowd descended on the IETF. Also can we reach a concensus here? Webster will accept a majority, Oxford wants complete agreement. (Or at least that is what these sources said back in the mid-90s when we lived Bernard Shaw's line of: 'Two nations separated by a common language') :) Now I have to hop over to the Asterisk list to figure why with one firewall the INVITE properly redirects the RTP to the RTP server, and the with the other firewall this is not in the INVITE so the RTP flow does not. ARGH! ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
Over at the IEEE 802, we are voting ballots on wording that can be interpreted on way with the Webster dictionary and another with the Oxford dictionary. So I am right about iptables controlling routing and you are right about iptables NOT controlling routing, only influencing it. What does 'control' mean in this context? IEEE is really big on state machines and truly covers the transfer of 'control' from one layer to another. Look at the MLME in 802.11. Look at the 802.1X machines. So since I have to live this control architecture and work in live debates about what layer is controling what, I have a particular language set. Kernel routing code makes decision, iptables can influence that decision. :P BTW, should we table this debate? Webster says that means stopping, 'taking the subject off the table.' Oxford says that means to start, 'placing the subject on the table.' Boy did we have some moments back in the mid-90s with the ISO crowd descended on the IETF. Also can we reach a concensus here? Webster will accept a majority, Oxford wants complete agreement. (Or at least that is what these sources said back in the mid-90s when we lived Bernard Shaw's line of: 'Two nations separated by a common language') ^O^ :) Now I have to hop over to the Asterisk list to figure why with one firewall the INVITE properly redirects the RTP to the RTP server, and the with the other firewall this is not in the INVITE so the RTP flow does not. ARGH! I hope you are not trying to get around a double nat situation. client - nat - nat - asterisk. I never managed to get things to work in that scenario. I have a vpn setup to get things to work. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
Robert Moskowitz wrote: qsm wrote: maybe shorewall can do your live so easy. It does not support the rtl8150 chipset. That is what the I have in the way of USB ethernet dongles. Which is another reason to go with a Centos based solution when you need to put something up as you go. Which is how I have shorewall/shoreline working . . . . [EMAIL PROTECTED] ~]$ cat /etc/redhat-release CentOS release 5 (Final) [EMAIL PROTECTED] ~]$ rpm -qi shorewall Name: shorewallRelocations: (not relocatable) Version : 4.0.2 Vendor: Invoca Systems Release : 3 Build Date: Mon Aug 20 09:03:41 2007 Install Date: Mon Aug 20 09:05:25 2007 Build Host: nutube Group : System Environment/Base Source RPM: shorewall-4.0.2-3.src.rpm Size: 483558 License: GPL Signature : (none) Packager: Simon Matter [EMAIL PROTECTED] URL : http://www.shorewall.net/ Summary : Shoreline Firewall is an iptables-based firewall for Linux systems Description : The Shoreline Firewall, more commonly known as Shorewall, is a Netfilter (iptables) based firewall that can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall offers two alternative firewall compilers, shorewall-perl and shorewall-shell. The shorewall-perl compiler is suggested for new installed systems and shorewall-shell is provided for backwards compability and smooth legacy system upgrades because shorewall perl is not fully compatible with all legacy configurations. -- Toby Bluhm Alltech Medical Systems America, Inc. 30825 Aurora Road Suite 100 Solon Ohio 44139 440-424-2240 ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
On Thursday 03 January 2008 12:37:56 Christopher Chan wrote: Too bad you missed the documentation on netfilter then. It would have told you that the INPUT chain controls what comes to the box, the OUTPUT chain what originates from the box and the FORWARD chain what goes through the box. You would have needed a rule in FORWARD to allow ssh connections through the box. The rules in the INPUT and OUTPUT chains would have zero effect on connections going through. It might also help if we put a rule that will log what happens for troubleshooting. Put these lines in the last of your rules (pls mind the word wrap): iptables -A INPUT -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix '** INPUT DROP ** ' iptables -A OUTPUT -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix '** OUTPUT DROP ** ' iptables -A FORWARD -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix '** FORWARD DROP ** ' We can now see the result in /var/log/messages HTH, -- Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org 17:14:40 up 9:52, 2.6.22-14-generic GNU/Linux Let's use OpenOffice. http://www.openoffice.org The real challenge of teaching is getting your students motivated to learn. signature.asc Description: This is a digitally signed message part. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
On 03/01/2008, at 3:34 PM, Robert Moskowitz wrote: Christopher Chan wrote: I spent much of the past 24 hours trying to find out how to set up iptables for firewall routing WITHOUT NATing. Could not find anything. Eh? You just need to enable ip forwarding to enable routing. After that, it is put up the firewall rules as is necessary, build the appropriate routing tables on the firewall box and the boxes on the intranet(s). iptables does not handle routing. No, but iptables controls what is allowed to route, I think this is where you are getting confused and causing yourself issues. iptables has ZERO effect on what is allowed to route. It is a simple YES or NO as to if it should be allowed to pass or be filtered. or it seems when you read the tutorials on iptables. I know about routing, Comer taught me, and I reviewed Stevens book. I know about firewalls; Belovin and I go back quite a ways. But configuring software to do what **I** want, well that is were the car hits the brick wall. As Belovin would say, Here be Dragons. Those little words, put up the firewall rules as necessary are equivalent to and magic happens here. It's actually not magical at all... Work with the mindset of I want to allow X, Y, and Z, then deny everything else. This translates easily into iptables rules -j ACCEPT and then your last rule (or policy) should be a deny/drop/reject. I tried it. I had everything open. Then I blocked everything. Then I set up a rule to allow SSH in to eth0 and out eth1 (and the other way). At least I thought that was what the rules said, but no SSH connectivity through the firewall. That was when I realized that I had not found the necessary incantation, and I had already shot most of tuesday. Again, you are using the wrong mindset here... You rule would translate to: iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -i eth0 -d my.ssh.server.ip.here -p tcp -m state -- state NEW -m tcp --dport 22 -j ACCEPT iptables -A FORWARD -j DROP This allows you to put PER HOST restrictions on what you want to do. If you want to do it on a per interface basis, then you will have the same rules for every host in your subnet. Easy, but not ideal. To break down that rule into bitesized chunks for learning: -A FORWARD = adds this rule to the forwarding chain - as this will pass through us. -i eth0 = if the traffic comes in on eth0 -d my.ssh.server.ip.here = the destination of where the traffic will end up -p tcp = this rule only applies to the tcp protocol -m state --state NEW = We'll allow the SYN packet so that the rest will be accepted by a RELATED,ESTABLISHED rule. -m tcp = part of the stateful matching off the top of my head --dport = this rule only applies to things heading to port 22 (our earlier TCP flag will make sure we only act on tcp/22 traffic). -j ACCEPT = allow the traffic to pass. As an exercise for the reader, write down a rule that would accept traffic from eth0, and destined for a web server on 1.2.3.4. You should notice that the rules will be pretty much identical. You would insert this rule somewhere after the related/established, and somewhere before the -j DROP rule. Now keep in mind that iptables is a VERY simple beast and will apply the first rule that matches! Consider the following: iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -i eth0 -p tcp -d 1.2.3.4 -m state --state NEW -m tcp --dport 22 -j ACCEPT iptables -A FORWARD -i eth0 -p tcp --dport 22 -j DROP What would happen here, is that an incoming request for ssh to 1.2.3.4 would be accepted by rule #2, but the rule inspection would never make it to rule #3 to be dropped - so take care in the ordering of your rules. Up and running. I can understand what shorewall rules are saying. And I can see the results. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos -- Steven Haigh Email: [EMAIL PROTECTED] Web: http://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
maybe shorewall can do your live so easy. -- -- Original Message --- From: Robert Moskowitz [EMAIL PROTECTED] To: CentOS mailing list centos@centos.org Sent: Thu, 3 Jan 2008 08:03:09 -0500 Subject: Re: [CentOS] Firewall frustration Christopher Chan wrote: I tried it. I had everything open. Then I blocked everything. Then I set up a rule to allow SSH in to eth0 and out eth1 (and the other way). At least I thought that was what the rules said, but no SSH connectivity through the firewall. That was when I realized that I had not found the necessary incantation, and I had already shot most of tuesday. Too bad you missed the documentation on netfilter then. And that is the crux of the problem. Finding the right documentation And to look at documentation on netfilter besides iptables. It would have told you that the INPUT chain controls what comes to the box, the OUTPUT chain what originates from the box and the FORWARD chain what goes through the box. You would have needed a rule in FORWARD to allow ssh connections through the box. The rules in the INPUT and OUTPUT chains would have zero effect on connections going through. Anyways, you have something now but in case you want to give iptables another go... ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos -- Este mensaje ha sido analizado por MailScanner en busca de virus y otros contenidos peligrosos, y se considera que está limpio. For all your IT requirements visit: http://www.transtec.co.uk --- End of Original Message --- -- Este mensaje ha sido analizado por MailScanner en busca de virus y otros contenidos peligrosos, y se considera que est limpio. MailScanner agradece a transtec Computers por su apoyo. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
On Thu, January 3, 2008 8:18 am, Robert Moskowitz wrote: Steven Haigh wrote: On 03/01/2008, at 3:34 PM, Robert Moskowitz wrote: Christopher Chan wrote: I spent much of the past 24 hours trying to find out how to set up iptables for firewall routing WITHOUT NATing. Could not find anything. Eh? You just need to enable ip forwarding to enable routing. After that, it is put up the firewall rules as is necessary, build the appropriate routing tables on the firewall box and the boxes on the intranet(s). iptables does not handle routing. No, but iptables controls what is allowed to route, I think this is where you are getting confused and causing yourself issues. iptables has ZERO effect on what is allowed to route. It is a simple YES or NO as to if it should be allowed to pass or be filtered. I have been tested as having a significant language usage problem, and am working on it. 'what is allowed to route', was a poor choice of wording. What you wrote above is much closer to what I wanted to say. ip src/dest is used for routing decisions by the kernel. The IP state machine (check the RFC or any decent TCP/IP textbook) is really quite simple. But iptables sticks its nose into the center of that state machine and can mangle addresses to change how packets flow through the machine, or just simplely yank packets right out of the machine with a simple NO (drop). So in my mind's eye of the IP state machine (my MSU CPS 410 prof was death on state machines; turn in a perfectly executing assignment without one and there went half your grade. See HIP for its state machine) is dictated by iptables as to what it is allowed to route. Those little words, put up the firewall rules as necessary are equivalent to and magic happens here. It's actually not magical at all... Work with the mindset of I want to allow X, Y, and Z, then deny everything else. This translates easily into iptables rules -j ACCEPT and then your last rule (or policy) should be a deny/drop/reject. That is exactly what I tried to do. I just used the wrong bit of pixie dust (during some of the 'heated' IPsec meeting debates one fellow would try to sneak up a speaker 'that just did not get it' and sprinkle some glitter on them. He had labeled his tube of glitter as 'security pixie dust'). If you are interested in learning how iptables work, I suggest reading this book: Linux Firewalls, Second Edition by Robert L. Ziegler ISBN 0-7357-1099-6 It covers everything from packet filtering concepts to practical examples. Marko ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
RE: [CentOS] Firewall frustration
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marko A. Jennings Sent: Thursday, January 03, 2008 7:29 AM To: centos@centos.org Subject: Re: [CentOS] Firewall frustration On Thu, January 3, 2008 8:18 am, Robert Moskowitz wrote: Steven Haigh wrote: On 03/01/2008, at 3:34 PM, Robert Moskowitz wrote: Christopher Chan wrote: I spent much of the past 24 hours trying to find out how to set up iptables for firewall routing WITHOUT NATing. Could not find anything. Eh? You just need to enable ip forwarding to enable routing. After that, it is put up the firewall rules as is necessary, build the appropriate routing tables on the firewall box and the boxes on the intranet(s). iptables does not handle routing. No, but iptables controls what is allowed to route, I think this is where you are getting confused and causing yourself issues. iptables has ZERO effect on what is allowed to route. It is a simple YES or NO as to if it should be allowed to pass or be filtered. I have been tested as having a significant language usage problem, and am working on it. 'what is allowed to route', was a poor choice of wording. What you wrote above is much closer to what I wanted to say. ip src/dest is used for routing decisions by the kernel. The IP state machine (check the RFC or any decent TCP/IP textbook) is really quite simple. But iptables sticks its nose into the center of that state machine and can mangle addresses to change how packets flow through the machine, or just simplely yank packets right out of the machine with a simple NO (drop). So in my mind's eye of the IP state machine (my MSU CPS 410 prof was death on state machines; turn in a perfectly executing assignment without one and there went half your grade. See HIP for its state machine) is dictated by iptables as to what it is allowed to route. Those little words, put up the firewall rules as necessary are equivalent to and magic happens here. It's actually not magical at all... Work with the mindset of I want to allow X, Y, and Z, then deny everything else. This translates easily into iptables rules -j ACCEPT and then your last rule (or policy) should be a deny/drop/reject. That is exactly what I tried to do. I just used the wrong bit of pixie dust (during some of the 'heated' IPsec meeting debates one fellow would try to sneak up a speaker 'that just did not get it' and sprinkle some glitter on them. He had labeled his tube of glitter as 'security pixie dust'). If you are interested in learning how iptables work, I suggest reading this book: Linux Firewalls, Second Edition by Robert L. Ziegler ISBN 0-7357-1099-6 It covers everything from packet filtering concepts to practical examples. Marko Thanks, I was just going to ask Dennis ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
ip src/dest is used for routing decisions by the kernel. The IP state machine (check the RFC or any decent TCP/IP textbook) is really quite simple. But iptables sticks its nose into the center of that state machine and can mangle addresses to change how packets flow through the machine, or just simplely yank packets right out of the machine with a simple NO (drop). So in my mind's eye of the IP state machine (my MSU CPS 410 prof was death on state machines; turn in a perfectly executing assignment without one and there went half your grade. See HIP for its state machine) is dictated by iptables as to what it is allowed to route. That just means iptables can influence routing by manipulating packet headers. Routing is still controlled by the kernel. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
I spent much of the past 24 hours trying to find out how to set up iptables for firewall routing WITHOUT NATing. Could not find anything. Eh? You just need to enable ip forwarding to enable routing. After that, it is put up the firewall rules as is necessary, build the appropriate routing tables on the firewall box and the boxes on the intranet(s). iptables does not handle routing. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
Christopher Chan wrote: I spent much of the past 24 hours trying to find out how to set up iptables for firewall routing WITHOUT NATing. Could not find anything. Eh? You just need to enable ip forwarding to enable routing. After that, it is put up the firewall rules as is necessary, build the appropriate routing tables on the firewall box and the boxes on the intranet(s). iptables does not handle routing. No, but iptables controls what is allowed to route, or it seems when you read the tutorials on iptables. I know about routing, Comer taught me, and I reviewed Stevens book. I know about firewalls; Belovin and I go back quite a ways. But configuring software to do what **I** want, well that is were the car hits the brick wall. As Belovin would say, Here be Dragons. Those little words, put up the firewall rules as necessary are equivalent to and magic happens here. I tried it. I had everything open. Then I blocked everything. Then I set up a rule to allow SSH in to eth0 and out eth1 (and the other way). At least I thought that was what the rules said, but no SSH connectivity through the firewall. That was when I realized that I had not found the necessary incantation, and I had already shot most of tuesday. Up and running. I can understand what shorewall rules are saying. And I can see the results. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
I tried it. I had everything open. Then I blocked everything. Then I set up a rule to allow SSH in to eth0 and out eth1 (and the other way). At least I thought that was what the rules said, but no SSH connectivity through the firewall. That was when I realized that I had not found the necessary incantation, and I had already shot most of tuesday. Too bad you missed the documentation on netfilter then. It would have told you that the INPUT chain controls what comes to the box, the OUTPUT chain what originates from the box and the FORWARD chain what goes through the box. You would have needed a rule in FORWARD to allow ssh connections through the box. The rules in the INPUT and OUTPUT chains would have zero effect on connections going through. Anyways, you have something now but in case you want to give iptables another go... ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
Mark Weaver wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Mon, 31 Dec 2007 12:21:34 -0500 Robert Moskowitz [EMAIL PROTECTED] wrote: William L. Maltby wrote: On Mon, 2007-12-31 at 09:33 -0500, Robert Moskowitz wrote: Peter Farrell wrote: Problem is I want a REAL router/firewall with little work. Run a smoothwall installtion and replace your CentOS install. http://www.smoothwall.org/ well first challenge is my unit's USB ethernet dongles. Centos uses the RTL 8150 driver for them. Smoothwall only lists the RTL 8129, 8139, and 8169... I've used this at home for years. I don't know if it's suitable, but it seems *very* flexible. Allows for NAT or not, has typical zones, reporting, IPTables modification support, ... http://www.ipcop.org/ Has run/tested successfully on various configurations here. It's another ditch your CentOS solution though. But you can put it on any old junk laying around and it'ss probably work. Using cable modem in the boonies, 486DX/66 gives about 450KB/sec, Pentium 200MHz pci gives = 700MB/sec - both from decent sites. Tested using both ISA and PCI bus adapters through both twisted pair and thin coax. As I thought about things this morning, trying to put up smoothwall, I realized that one of my goals is to have a tool to turn a Centos system that I am using for foo, into a firewall for bar for a day. I have Astaro for my serious firewall needs (see later post), but need something 'portable'. You see I have these plans with some small itx systems have you considered linux that fits on a floppy disk? http://mypage.uniserve.ca/~thelinuxguy/small_and_floppy_linux/ http://www.linuxlinks.com/Distributions/Floppy/ http://www.dmoz.org/Computers/Software/Operating_Systems/Linux/Distributions/Tiny/Floppy_Sized/ get one running and configured and save to floppy... things go south reboot the machine and everything is back. no hard drives to worry about... Have you ever thought about how rare floppy drives are now? At best you go with a bootable usb, if your notebook supports bootable USB. My Libretto does have a bootable floppy, but that is something extra to carry. It will not boot from anything else (besides its HD). My nc4010 (this notebook) will boot from usb. My corp notebook (nc2400) is locked down; and I don't see any value at getting corp IT bent out of shape. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
On Tue, 1 Jan 2008, Robert Moskowitz wrote: Mark Weaver wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Mon, 31 Dec 2007 12:21:34 -0500 Robert Moskowitz [EMAIL PROTECTED] wrote: William L. Maltby wrote: On Mon, 2007-12-31 at 09:33 -0500, Robert Moskowitz wrote: Peter Farrell wrote: Problem is I want a REAL router/firewall with little work. Run a smoothwall installtion and replace your CentOS install. http://www.smoothwall.org/ well first challenge is my unit's USB ethernet dongles. Centos uses the RTL 8150 driver for them. Smoothwall only lists the RTL 8129, 8139, and 8169... I've used this at home for years. I don't know if it's suitable, but it seems *very* flexible. Allows for NAT or not, has typical zones, reporting, IPTables modification support, ... http://www.ipcop.org/ Has run/tested successfully on various configurations here. It's another ditch your CentOS solution though. But you can put it on any old junk laying around and it'ss probably work. Using cable modem in the boonies, 486DX/66 gives about 450KB/sec, Pentium 200MHz pci gives = 700MB/sec - both from decent sites. Tested using both ISA and PCI bus adapters through both twisted pair and thin coax. As I thought about things this morning, trying to put up smoothwall, I realized that one of my goals is to have a tool to turn a Centos system that I am using for foo, into a firewall for bar for a day. I have Astaro for my serious firewall needs (see later post), but need something 'portable'. You see I have these plans with some small itx systems have you considered linux that fits on a floppy disk? http://mypage.uniserve.ca/~thelinuxguy/small_and_floppy_linux/ http://www.linuxlinks.com/Distributions/Floppy/ http://www.dmoz.org/Computers/Software/Operating_Systems/Linux/Distributions/Tiny/Floppy_Sized/ get one running and configured and save to floppy... things go south reboot the machine and everything is back. no hard drives to worry about... Have you ever thought about how rare floppy drives are now? At best you go with a bootable usb, if your notebook supports bootable USB. My Libretto does have a bootable floppy, but that is something extra to carry. It will not boot from anything else (besides its HD). My nc4010 (this notebook) will boot from usb. My corp notebook (nc2400) is locked down; and I don't see any value at getting corp IT bent out of shape. Yes, floppy drives are rare - but they are still incredibly valuable. I've dealt with needing to install drivers from floppy for OSes, and the OSse are looking to floppy. I've needed DOS' fdisk to get me out of problems at times, and having a bootable copy of DOS on-hand has done the job. Some BIOS updates are only available from a bootable floppy (won't install to anything else). Saves times and frusteration in having a reusable floppy around than having to sometimes create a bootable CD to put the files on. Reuse the floppy as often as needed. Old hardware still exists and is usable, and sometimes only work, or work best, with floppies. Sometimes old school is still good school. We still often use VT100 or 3270 emulation for remote connectivity... Think about their origins. Scott ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Tue, 1 Jan 2008 08:57:22 -0500 Robert Moskowitz [EMAIL PROTECTED] wrote: Have you ever thought about how rare floppy drives are now? At best you go with a bootable usb, if your notebook supports bootable USB. My Libretto does have a bootable floppy, but that is something extra to carry. It will not boot from anything else (besides its HD). My nc4010 (this notebook) will boot from usb. My corp notebook (nc2400) is locked down; and I don't see any value at getting corp IT bent out of shape. why would you even think about using a Notebook computer as a firewall? I was assuming you were going to delegate this task to an older machine with sufficient resources to handle the task and not give the task to a notebook computer. - -- Mark Drunkenness is not an excuse for stupidity. If you're stupid when you're sober then that's one thing, but if you're sober when you're stupid, then you're just plain stupid! == Powered by CentOS5 (RHEL5) -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iD8DBQFHelHmAHUWFbtwPigRAnENAJ4lTmw4Y/zYA0o2UoLkS9kfS0BmBgCfdCaY MMt82ApSGiXMHn10XOFXslQ= =fm8P -END PGP SIGNATURE- ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
Mark Weaver wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Tue, 1 Jan 2008 08:57:22 -0500 Robert Moskowitz [EMAIL PROTECTED] wrote: Have you ever thought about how rare floppy drives are now? At best you go with a bootable usb, if your notebook supports bootable USB. My Libretto does have a bootable floppy, but that is something extra to carry. It will not boot from anything else (besides its HD). My nc4010 (this notebook) will boot from usb. My corp notebook (nc2400) is locked down; and I don't see any value at getting corp IT bent out of shape. why would you even think about using a Notebook computer as a firewall? I was assuming you were going to delegate this task to an older machine with sufficient resources to handle the task and not give the task to a notebook computer. Of course in my lab, the firewall is a 'older' machine. But I want to learn from this so that when I am at a conference or trade show and need a firewall 'fast', I can put up the services on one of my Centos notebooks. BTW, WRT 'older' machines. I am looking more at the cost of running these machines (power draw). It is not just a matter of the $0.124/KWH that I pay, but the cost to add another circuit (my NOC shares two circuits that were already runnning at 50% utilizatoin), and the cost of cooling in the summer (we added a tap into the cold air return system by the rack fans to capture the computer heat for the winter). I just got the firewall running (see later note) on a decTOP micro PC that I pulled the 10Gb 3.5 drive and installed a 2.5 6Gb drive. The system pulls about 10W! Compared to ~100W for some of my Compaq SFFs. Let's see 90W/day = 2.16KWH = ~$0.27/day = ~$97.76/year. That can pay for replacing another old Compaq with another decTOP (well not really as you have to add memory, switch out drives, and add a second USB ethernet dongle; guess the ROI is around 2 years). ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
Firewall is up and running. Used Shorewall with Webmin. Les Bell wrote: Robert Spangler [EMAIL PROTECTED] wrote: While IPTABLES might be CHEAP (price) it is a very good firewall. Learn to set it up from the command line, it isn't that hard. Amen. I've been using CentOS for firewalls here for a long time now, with hand-written rules. Besides, generic firewall configuration tools don't - can't - know about many of the more advanced modules and features of iptables. I spent much of the past 24 hours trying to find out how to set up iptables for firewall routing WITHOUT NATing. Could not find anything. So I decided to try out shorewall, which has a front end in Webmin. The 'nice' thing about this was as I built a portion of Shorewall (say the zones), I could sue the Webmin edit the conf file directly to see the 'raw' config file and looky there, a URL for a help page! Taking it slow, I got Shorewall up in about 1 hour. But I have questions for the Shorewall people. They talk about iptables, then netfilter. The site says that Shorewall is not a deamon. Well I see a Shorewall service running. Can't see that is using any cpu cycles or how much memory. The iptables have the same content they had when I used the upstream's tool at Centos install time to set up basic 'firewall' features. So what gives ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
On 02/01/2008, at 4:11 AM, Robert Moskowitz wrote: I spent much of the past 24 hours trying to find out how to set up iptables for firewall routing WITHOUT NATing. Could not find anything. *boggle* Is it really that hard? ## Clear up whatever is in there at the moment. iptables -F INPUT iptables -F FORWARD iptables -F OUTPUT iptables -t nat -F POSTROUTING ## Accept anything related to existing connections iptables -A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT ## I want to allow incoming port 80 to 1.2.3.4 iptables -A FORWARD -i ppp0 -d 1.2.3.4 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT ## I want to allow incoming port 123 (ntp) to 1.2.3.6 iptables -A FORWARD -i ppp0 -d 1.2.3.6 -p udp -m udp --dport 123 -j ACCEPT ## Lets block ALL other incoming things iptables -A INPUT -j DROP iptables -A FORWARD -j DROP There you go. That's a very basic firewall using iptables in about 3 minutes :) -- Steven Haigh Email: [EMAIL PROTECTED] Web: http://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
Steven Haigh kirjoitti viestissään (lähetysaika tiistai, 1. tammikuuta 2008 20:23): On 02/01/2008, at 4:11 AM, Robert Moskowitz wrote: I spent much of the past 24 hours trying to find out how to set up iptables for firewall routing WITHOUT NATing. Could not find anything. There you go. That's a very basic firewall using iptables in about 3 minutes :) -- Steven Haigh How about look: http://easyfwgen.morizot.net/gen/ It has been quite long time very easy tool for n00bs to generate rules... I've using it for ages now. After generation very easy to use and configure more rules, if needed. Jarmo ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
Thanks I will read this through a bit later. Perhaps I was making more of it than needed, but my attempts were not working. And all I was trying for at first was to allow SSH through. Steven Haigh wrote: On 02/01/2008, at 4:11 AM, Robert Moskowitz wrote: I spent much of the past 24 hours trying to find out how to set up iptables for firewall routing WITHOUT NATing. Could not find anything. *boggle* Is it really that hard? ## Clear up whatever is in there at the moment. iptables -F INPUT iptables -F FORWARD iptables -F OUTPUT iptables -t nat -F POSTROUTING ## Accept anything related to existing connections iptables -A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT ## I want to allow incoming port 80 to 1.2.3.4 iptables -A FORWARD -i ppp0 -d 1.2.3.4 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT ## I want to allow incoming port 123 (ntp) to 1.2.3.6 iptables -A FORWARD -i ppp0 -d 1.2.3.6 -p udp -m udp --dport 123 -j ACCEPT ## Lets block ALL other incoming things iptables -A INPUT -j DROP iptables -A FORWARD -j DROP There you go. That's a very basic firewall using iptables in about 3 minutes :) -- Steven Haigh Email: [EMAIL PROTECTED] Web: http://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
Problem is I want a REAL router/firewall with little work. Run a smoothwall installtion and replace your CentOS install. http://www.smoothwall.org/ -Peter On 31/12/2007, Matt Shields [EMAIL PROTECTED] wrote: On Dec 31, 2007 12:13 AM, Robert Moskowitz [EMAIL PROTECTED] wrote: Well FWbuilder is NOT easy. The documentation does not match the current GUI. Now the box is locked up. I will have to pull it again, hook it up to a kybd/VGA and reset iptables Maybe Shoreline with webmin Problem is I want a REAL router/firewall with little work. Both public and private nets have routable addresses. No NATing for me! I just help write the RFC ;) And all the templates for fwbuilder want you to be using NATing. Perhaps I should just set up another Astaro firewall. I have been using Astaro since v3, so I am comfortable with it If you've ever used a Checkpoint firewall, FWBuilder is exactly like that interface. It even comes with a module that will let you modify Checkpoint firewalls. -- -matt ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
Matt Shields wrote: On Dec 31, 2007 12:13 AM, Robert Moskowitz [EMAIL PROTECTED] wrote: Well FWbuilder is NOT easy. The documentation does not match the current GUI. Now the box is locked up. I will have to pull it again, hook it up to a kybd/VGA and reset iptables Maybe Shoreline with webmin Problem is I want a REAL router/firewall with little work. Both public and private nets have routable addresses. No NATing for me! I just help write the RFC ;) And all the templates for fwbuilder want you to be using NATing. Perhaps I should just set up another Astaro firewall. I have been using Astaro since v3, so I am comfortable with it If you've ever used a Checkpoint firewall, FWBuilder is exactly like that interface. It even comes with a module that will let you modify Checkpoint firewalls. I noticed the later, also a PIX module. No I have not personally needed that costly of a firewall. Full discloser time. My day job is with ICSAlabs. My area is security protocols research (like setttin up the initial IPsec certification criteria), but when I visit the labs there are all those firewall products up and running So, yeah, I know checkpoint. I talk with the gang over in the labs about 'simple' firewalls, but there are only certain things the boss funds here. So then I have to go cheap. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
Peter Farrell wrote: Problem is I want a REAL router/firewall with little work. Run a smoothwall installtion and replace your CentOS install. http://www.smoothwall.org/ well first challenge is my unit's USB ethernet dongles. Centos uses the RTL 8150 driver for them. Smoothwall only lists the RTL 8129, 8139, and 8169... So have to see what info I can get on their website. Astaro 6 cannot recognize the dongles either. Shorewall still looks like an option. I do have Centos (and DSL) on these units -Peter On 31/12/2007, Matt Shields [EMAIL PROTECTED] wrote: On Dec 31, 2007 12:13 AM, Robert Moskowitz [EMAIL PROTECTED] wrote: Well FWbuilder is NOT easy. The documentation does not match the current GUI. Now the box is locked up. I will have to pull it again, hook it up to a kybd/VGA and reset iptables Maybe Shoreline with webmin Problem is I want a REAL router/firewall with little work. Both public and private nets have routable addresses. No NATing for me! I just help write the RFC ;) And all the templates for fwbuilder want you to be using NATing. Perhaps I should just set up another Astaro firewall. I have been using Astaro since v3, so I am comfortable with it If you've ever used a Checkpoint firewall, FWBuilder is exactly like that interface. It even comes with a module that will let you modify Checkpoint firewalls. -- -matt ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
Robert Moskowitz wrote: Peter Farrell wrote: Problem is I want a REAL router/firewall with little work. Run a smoothwall installtion and replace your CentOS install. http://www.smoothwall.org/ well first challenge is my unit's USB ethernet dongles. Centos uses the RTL 8150 driver for them. Smoothwall only lists the RTL 8129, 8139, and 8169... So have to see what info I can get on their website. Astaro 6 cannot recognize the dongles either. Shorewall still looks like an option. I do have Centos (and DSL) on these units -Peter On 31/12/2007, Matt Shields [EMAIL PROTECTED] wrote: On Dec 31, 2007 12:13 AM, Robert Moskowitz [EMAIL PROTECTED] wrote: Well FWbuilder is NOT easy. The documentation does not match the current GUI. Now the box is locked up. I will have to pull it again, hook it up to a kybd/VGA and reset iptables Maybe Shoreline with webmin Problem is I want a REAL router/firewall with little work. Both public and private nets have routable addresses. No NATing for me! I just help write the RFC ;) And all the templates for fwbuilder want you to be using NATing. Perhaps I should just set up another Astaro firewall. I have been using Astaro since v3, so I am comfortable with it If you've ever used a Checkpoint firewall, FWBuilder is exactly like that interface. It even comes with a module that will let you modify Checkpoint firewalls. -- -matt ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos There is also Ipcop - http://ipcop.org/ Rob ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
On Mon, 2007-12-31 at 09:33 -0500, Robert Moskowitz wrote: Peter Farrell wrote: Problem is I want a REAL router/firewall with little work. Run a smoothwall installtion and replace your CentOS install. http://www.smoothwall.org/ well first challenge is my unit's USB ethernet dongles. Centos uses the RTL 8150 driver for them. Smoothwall only lists the RTL 8129, 8139, and 8169... I've used this at home for years. I don't know if it's suitable, but it seems *very* flexible. Allows for NAT or not, has typical zones, reporting, IPTables modification support, ... http://www.ipcop.org/ Has run/tested successfully on various configurations here. It's another ditch your CentOS solution though. But you can put it on any old junk laying around and it'ss probably work. Using cable modem in the boonies, 486DX/66 gives about 450KB/sec, Pentium 200MHz pci gives = 700MB/sec - both from decent sites. Tested using both ISA and PCI bus adapters through both twisted pair and thin coax. snip HTH -- Bill ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
RE: [CentOS] Firewall frustration
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Moskowitz Sent: Sunday, December 30, 2007 9:13 PM To: CentOS mailing list Subject: [CentOS] Firewall frustration Well FWbuilder is NOT easy. The documentation does not match the current GUI. Now the box is locked up. I will have to pull it again, hook it up to a kybd/VGA and reset iptables Maybe Shoreline with webmin Problem is I want a REAL router/firewall with little work. Both public and private nets have routable addresses. No NATing for me! I just help write the RFC ;) And all the templates for fwbuilder want you to be using NATing. Perhaps I should just set up another Astaro firewall. I have been using Astaro since v3, so I am comfortable with it I just turned off my Astaro Gateway, as it pissed me off by continually throttling my 10M/10M FIOS connection.:^ I liked the integration of services in the box, and I likely would have kept it for that one item. I'll be looking at an IPCOP/Smoothwall/Monowall replacement. I have an IPCOP box at work for our public access DSL connection. (Customers kept surfing p*rn in the waiting area. Squidguard on IPcop fixed that..) Uptime on that box (Compaq P2-733) is around 250 days right now. I had to move the box, so it would be more like 400 ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
On Mon December 31 2007 07:58, Robert Moskowitz wrote: Full discloser time. My day job is with ICSAlabs. My area is security protocols research (like setttin up the initial IPsec certification criteria), but when I visit the labs there are all those firewall products up and running So, yeah, I know checkpoint. I talk with the gang over in the labs about 'simple' firewalls, but there are only certain things the boss funds here. So then I have to go cheap. While IPTABLES might be CHEAP (price) it is a very good firewall. Learn to set it up from the command line, it isn't that hard. Try the following to learn it; http://iptables.rlworkman.net/chunkyhtml/index.html Forget those GUI interfaces. -- Regards Robert Smile... it increases your face value! Linux User #296285 http://counter.li.org ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
Robert Spangler wrote: While IPTABLES might be CHEAP (price) it is a very good firewall. Learn to set it up from the command line, it isn't that hard. Try the following to learn it; http://iptables.rlworkman.net/chunkyhtml/index.html Forget those GUI interfaces. one thing that bugs me about most canned iptables rulesets, including the ones generated by most of those GUI packages, is that they are way more complex than needed, its like they are trying to reinvent the entire tcp stack. eg: you really don't need to reject non-SYN packets on unopened connections, tcp will do that quite nicely on its own and far more efficiently than a pile of iptables rules. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
William L. Maltby wrote: On Mon, 2007-12-31 at 09:33 -0500, Robert Moskowitz wrote: Peter Farrell wrote: Problem is I want a REAL router/firewall with little work. Run a smoothwall installtion and replace your CentOS install. http://www.smoothwall.org/ well first challenge is my unit's USB ethernet dongles. Centos uses the RTL 8150 driver for them. Smoothwall only lists the RTL 8129, 8139, and 8169... I've used this at home for years. I don't know if it's suitable, but it seems *very* flexible. Allows for NAT or not, has typical zones, reporting, IPTables modification support, ... http://www.ipcop.org/ Has run/tested successfully on various configurations here. It's another ditch your CentOS solution though. But you can put it on any old junk laying around and it'ss probably work. Using cable modem in the boonies, 486DX/66 gives about 450KB/sec, Pentium 200MHz pci gives = 700MB/sec - both from decent sites. Tested using both ISA and PCI bus adapters through both twisted pair and thin coax. As I thought about things this morning, trying to put up smoothwall, I realized that one of my goals is to have a tool to turn a Centos system that I am using for foo, into a firewall for bar for a day. I have Astaro for my serious firewall needs (see later post), but need something 'portable'. You see I have these plans with some small itx systems ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
Dennis McLeod wrote: -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Moskowitz Sent: Sunday, December 30, 2007 9:13 PM To: CentOS mailing list Subject: [CentOS] Firewall frustration Well FWbuilder is NOT easy. The documentation does not match the current GUI. Now the box is locked up. I will have to pull it again, hook it up to a kybd/VGA and reset iptables Maybe Shoreline with webmin Problem is I want a REAL router/firewall with little work. Both public and private nets have routable addresses. No NATing for me! I just help write the RFC ;) And all the templates for fwbuilder want you to be using NATing. Perhaps I should just set up another Astaro firewall. I have been using Astaro since v3, so I am comfortable with it I just turned off my Astaro Gateway, as it pissed me off by continually throttling my 10M/10M FIOS connection.:^ For all that it does, you would need it on a pretty hefty box of 10M. But then I have seen LAN-LAN 10M working here I liked the integration of services in the box, and I likely would have kept it for that one item. I'll be looking at an IPCOP/Smoothwall/Monowall replacement. I have an IPCOP box at work for our public access DSL connection. (Customers kept surfing p*rn in the waiting area. Squidguard on IPcop fixed that..) Uptime on that box (Compaq P2-733) is around 250 days right now. I had to move the box, so it would be more like 400 I run Astaro on a Compaq SFF 1Ghz with 512Mb memory. It has a 4-port 10/100 card as well as the internal ethernet. I use VLANing extensively, as I have ~12 LANs connected to the box. I have the public net on one port, then all the others are plugged into a HP 2650 48-port switch. I can move systems to the subnet I need for whatever testing or production I use. I ONLY use the firewall for packet filtering. No SPAM control, web proxying, etc ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
Robert Spangler wrote: On Mon December 31 2007 07:58, Robert Moskowitz wrote: Full discloser time. My day job is with ICSAlabs. My area is security protocols research (like setttin up the initial IPsec certification criteria), but when I visit the labs there are all those firewall products up and running So, yeah, I know checkpoint. I talk with the gang over in the labs about 'simple' firewalls, but there are only certain things the boss funds here. So then I have to go cheap. While IPTABLES might be CHEAP (price) it is a very good firewall. Learn to set it up from the command line, it isn't that hard. Try the following to learn it; http://iptables.rlworkman.net/chunkyhtml/index.html Forget those GUI interfaces. This might be best for my current needs... thanks ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
On Dec 31, 2007 7:58 AM, Robert Moskowitz [EMAIL PROTECTED] wrote: Matt Shields wrote: On Dec 31, 2007 12:13 AM, Robert Moskowitz [EMAIL PROTECTED] wrote: Well FWbuilder is NOT easy. The documentation does not match the current GUI. Now the box is locked up. I will have to pull it again, hook it up to a kybd/VGA and reset iptables Maybe Shoreline with webmin Problem is I want a REAL router/firewall with little work. Both public and private nets have routable addresses. No NATing for me! I just help write the RFC ;) And all the templates for fwbuilder want you to be using NATing. Perhaps I should just set up another Astaro firewall. I have been using Astaro since v3, so I am comfortable with it If you've ever used a Checkpoint firewall, FWBuilder is exactly like that interface. It even comes with a module that will let you modify Checkpoint firewalls. I noticed the later, also a PIX module. No I have not personally needed that costly of a firewall. Full discloser time. My day job is with ICSAlabs. My area is security protocols research (like setttin up the initial IPsec certification criteria), but when I visit the labs there are all those firewall products up and running So, yeah, I know checkpoint. I talk with the gang over in the labs about 'simple' firewalls, but there are only certain things the boss funds here. So then I have to go cheap. If you're running a single firewall, then maybe FWBuilder isn't for you, although it will do what you want. The real benefit of FWBuilder is when you have more than one firewall in your network and you want to use common objects to to simplify maintaining rules. For example, the company I work for has 4 datacenters, plus a number of leased servers (like Rackspace). At each of the datacenters we have at least 1 pair of redundant firewalls. On all our firewalls we have common rules to allow traffic from every other datacenter/server that we own. So we define an object for each datacenter, the object is a subnet. Then we define a group called datacenters which includes all the previous subnets objects. Then when building a new firewall we just include the same rule that says from datacenters allow all. If we add a new datacenter or leased server, we add a new subnet object and include it in the datacenter group. We then just recompile and redeploy each of the firewalls without having to add anything to the firewalls, because they already have the datacenter rule. When you maintain a large network you really see the benefit of FWBuilder. If you're running Windows there is a $50 license fee, but for those people who are network admins but do not like Linux on the desktop it's well worth the price for the Windows license. -- -matt ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
Matt Shields wrote: On Dec 31, 2007 7:58 AM, Robert Moskowitz [EMAIL PROTECTED] wrote: Matt Shields wrote: On Dec 31, 2007 12:13 AM, Robert Moskowitz [EMAIL PROTECTED] wrote: Well FWbuilder is NOT easy. The documentation does not match the current GUI. Now the box is locked up. I will have to pull it again, hook it up to a kybd/VGA and reset iptables Maybe Shoreline with webmin Problem is I want a REAL router/firewall with little work. Both public and private nets have routable addresses. No NATing for me! I just help write the RFC ;) And all the templates for fwbuilder want you to be using NATing. Perhaps I should just set up another Astaro firewall. I have been using Astaro since v3, so I am comfortable with it If you've ever used a Checkpoint firewall, FWBuilder is exactly like that interface. It even comes with a module that will let you modify Checkpoint firewalls. I noticed the later, also a PIX module. No I have not personally needed that costly of a firewall. Full discloser time. My day job is with ICSAlabs. My area is security protocols research (like setttin up the initial IPsec certification criteria), but when I visit the labs there are all those firewall products up and running So, yeah, I know checkpoint. I talk with the gang over in the labs about 'simple' firewalls, but there are only certain things the boss funds here. So then I have to go cheap. If you're running a single firewall, then maybe FWBuilder isn't for you, although it will do what you want. The real benefit of FWBuilder is when you have more than one firewall in your network and you want to use common objects to to simplify maintaining rules. For example, the company I work for has 4 datacenters, plus a number of leased servers (like Rackspace). At each of the datacenters we have at least 1 pair of redundant firewalls. On all our firewalls we have common rules to allow traffic from every other datacenter/server that we own. So we define an object for each datacenter, the object is a subnet. Then we define a group called datacenters which includes all the previous subnets objects. Then when building a new firewall we just include the same rule that says from datacenters allow all. If we add a new datacenter or leased server, we add a new subnet object and include it in the datacenter group. We then just recompile and redeploy each of the firewalls without having to add anything to the firewalls, because they already have the datacenter rule. When you maintain a large network you really see the benefit of FWBuilder. If you're running Windows there is a $50 license fee, but for those people who are network admins but do not like Linux on the desktop it's well worth the price for the Windows license. I saw that about fwbuilder. Going to have to ask the crew back in the labs about it. But, yes. I 'run' a research facility out of my house. I have to pay the electric bill, never convinced the boss to allow me to expense it; they have bought some of my equip and pay for part of the ISP cost. So as a lab, I have need for flexiblity, not replicatiblity. Also I might be at a conference and need to get something up running on one of the notebooks I travel with ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
Robert Spangler [EMAIL PROTECTED] wrote: While IPTABLES might be CHEAP (price) it is a very good firewall. Learn to set it up from the command line, it isn't that hard. Amen. I've been using CentOS for firewalls here for a long time now, with hand-written rules. Besides, generic firewall configuration tools don't - can't - know about many of the more advanced modules and features of iptables. Best, --- Les Bell, RHCE, CISSP [http://www.lesbell.com.au] Tel: +61 2 9451 1144 FreeWorldDialup: 800909 ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Mon, 31 Dec 2007 12:21:34 -0500 Robert Moskowitz [EMAIL PROTECTED] wrote: William L. Maltby wrote: On Mon, 2007-12-31 at 09:33 -0500, Robert Moskowitz wrote: Peter Farrell wrote: Problem is I want a REAL router/firewall with little work. Run a smoothwall installtion and replace your CentOS install. http://www.smoothwall.org/ well first challenge is my unit's USB ethernet dongles. Centos uses the RTL 8150 driver for them. Smoothwall only lists the RTL 8129, 8139, and 8169... I've used this at home for years. I don't know if it's suitable, but it seems *very* flexible. Allows for NAT or not, has typical zones, reporting, IPTables modification support, ... http://www.ipcop.org/ Has run/tested successfully on various configurations here. It's another ditch your CentOS solution though. But you can put it on any old junk laying around and it'ss probably work. Using cable modem in the boonies, 486DX/66 gives about 450KB/sec, Pentium 200MHz pci gives = 700MB/sec - both from decent sites. Tested using both ISA and PCI bus adapters through both twisted pair and thin coax. As I thought about things this morning, trying to put up smoothwall, I realized that one of my goals is to have a tool to turn a Centos system that I am using for foo, into a firewall for bar for a day. I have Astaro for my serious firewall needs (see later post), but need something 'portable'. You see I have these plans with some small itx systems have you considered linux that fits on a floppy disk? http://mypage.uniserve.ca/~thelinuxguy/small_and_floppy_linux/ http://www.linuxlinks.com/Distributions/Floppy/ http://www.dmoz.org/Computers/Software/Operating_Systems/Linux/Distributions/Tiny/Floppy_Sized/ get one running and configured and save to floppy... things go south reboot the machine and everything is back. no hard drives to worry about... - -- Mark Drunkenness is not an excuse for stupidity. If you're stupid when you're sober then that's one thing, but if you're sober when you're stupid, then you're just plain stupid! == Powered by CentOS5 (RHEL5) -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iD8DBQFHeZKZAHUWFbtwPigRAqlLAJ9NrXCoPuh0vyCET81GKQ7a27RQ0QCbBvkT Ez253XYLAOfSJS7u5ij36U4= =jb20 -END PGP SIGNATURE- ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
RE: [CentOS] Firewall frustration
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Weaver Sent: Monday, December 31, 2007 8:09 PM To: centos@centos.org Subject: Re: [CentOS] Firewall frustration -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Mon, 31 Dec 2007 12:21:34 -0500 Robert Moskowitz [EMAIL PROTECTED] wrote: William L. Maltby wrote: On Mon, 2007-12-31 at 09:33 -0500, Robert Moskowitz wrote: Peter Farrell wrote: Problem is I want a REAL router/firewall with little work. Run a smoothwall installtion and replace your CentOS install. http://www.smoothwall.org/ well first challenge is my unit's USB ethernet dongles. Centos uses the RTL 8150 driver for them. Smoothwall only lists the RTL 8129, 8139, and 8169... I've used this at home for years. I don't know if it's suitable, but it seems *very* flexible. Allows for NAT or not, has typical zones, reporting, IPTables modification support, ... http://www.ipcop.org/ Has run/tested successfully on various configurations here. It's another ditch your CentOS solution though. But you can put it on any old junk laying around and it'ss probably work. Using cable modem in the boonies, 486DX/66 gives about 450KB/sec, Pentium 200MHz pci gives = 700MB/sec - both from decent sites. Tested using both ISA and PCI bus adapters through both twisted pair and thin coax. As I thought about things this morning, trying to put up smoothwall, I realized that one of my goals is to have a tool to turn a Centos system that I am using for foo, into a firewall for bar for a day. I have Astaro for my serious firewall needs (see later post), but need something 'portable'. You see I have these plans with some small itx systems have you considered linux that fits on a floppy disk? http://mypage.uniserve.ca/~thelinuxguy/small_and_floppy_linux/ http://www.linuxlinks.com/Distributions/Floppy/ http://www.dmoz.org/Computers/Software/Operating_Systems/Linux/Distribut ions/Tiny/Floppy_Sized/ get one running and configured and save to floppy... things go south reboot the machine and everything is back. no hard drives to worry about... - -- Mark Drunkenness is not an excuse for stupidity. If you're stupid when you're sober then that's one thing, but if you're sober when you're stupid, then you're just plain stupid! == Powered by CentOS5 (RHEL5) -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iD8DBQFHeZKZAHUWFbtwPigRAqlLAJ9NrXCoPuh0vyCET81GKQ7a27RQ0QCbBvkT Ez253XYLAOfSJS7u5ij36U4= =jb20 -END PGP SIGNATURE- I have this vision of a live CD that would come up and pull down it's config via SCP or HTTPS and run. Or maybe a PGP encrypted file over TFTP. No writable media in the machine at all, no access to write to the configs, just a dumb device that knows where to get it's config. Any compromise could be fixed with just a reboot, the config could even be reloaded at some interval automatically, off machine logging, perhaps even without an interface. You could more than likely go one step further and use PXE to load everything over NFS or something, then you are at no moving parts. Unfortunately, I have the ideas but not the knowledge or time. In my opinion, this would be the ultimate evolution of things like IP Cop and Smoothwall. I want to say that monowall had this on the roadmap, but I haven't looked lately. Appears someone has done some work on it: http://people.freebsd.org/~nik/m0n0wall/pxe+nfs/article.html ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Mon, 31 Dec 2007 21:36:09 -0500 Mark A. Lewis [EMAIL PROTECTED] wrote: -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Weaver Sent: Monday, December 31, 2007 8:09 PM To: centos@centos.org Subject: Re: [CentOS] Firewall frustration -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Mon, 31 Dec 2007 12:21:34 -0500 Robert Moskowitz [EMAIL PROTECTED] wrote: William L. Maltby wrote: On Mon, 2007-12-31 at 09:33 -0500, Robert Moskowitz wrote: Peter Farrell wrote: Problem is I want a REAL router/firewall with little work. Run a smoothwall installtion and replace your CentOS install. http://www.smoothwall.org/ well first challenge is my unit's USB ethernet dongles. Centos uses the RTL 8150 driver for them. Smoothwall only lists the RTL 8129, 8139, and 8169... I've used this at home for years. I don't know if it's suitable, but it seems *very* flexible. Allows for NAT or not, has typical zones, reporting, IPTables modification support, ... http://www.ipcop.org/ Has run/tested successfully on various configurations here. It's another ditch your CentOS solution though. But you can put it on any old junk laying around and it'ss probably work. Using cable modem in the boonies, 486DX/66 gives about 450KB/sec, Pentium 200MHz pci gives = 700MB/sec - both from decent sites. Tested using both ISA and PCI bus adapters through both twisted pair and thin coax. As I thought about things this morning, trying to put up smoothwall, I realized that one of my goals is to have a tool to turn a Centos system that I am using for foo, into a firewall for bar for a day. I have Astaro for my serious firewall needs (see later post), but need something 'portable'. You see I have these plans with some small itx systems have you considered linux that fits on a floppy disk? http://mypage.uniserve.ca/~thelinuxguy/small_and_floppy_linux/ http://www.linuxlinks.com/Distributions/Floppy/ http://www.dmoz.org/Computers/Software/Operating_Systems/Linux/Distribut ions/Tiny/Floppy_Sized/ get one running and configured and save to floppy... things go south reboot the machine and everything is back. no hard drives to worry about... - -- Mark Drunkenness is not an excuse for stupidity. If you're stupid when you're sober then that's one thing, but if you're sober when you're stupid, then you're just plain stupid! == Powered by CentOS5 (RHEL5) -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iD8DBQFHeZKZAHUWFbtwPigRAqlLAJ9NrXCoPuh0vyCET81GKQ7a27RQ0QCbBvkT Ez253XYLAOfSJS7u5ij36U4= =jb20 -END PGP SIGNATURE- I have this vision of a live CD that would come up and pull down it's config via SCP or HTTPS and run. Or maybe a PGP encrypted file over TFTP. No writable media in the machine at all, no access to write to the configs, just a dumb device that knows where to get it's config. Any compromise could be fixed with just a reboot, the config could even be reloaded at some interval automatically, off machine logging, perhaps even without an interface. You could more than likely go one step further and use PXE to load everything over NFS or something, then you are at no moving parts. Unfortunately, I have the ideas but not the knowledge or time. In my opinion, this would be the ultimate evolution of things like IP Cop and Smoothwall. I want to say that monowall had this on the roadmap, but I haven't looked lately. Appears someone has done some work on it: http://people.freebsd.org/~nik/m0n0wall/pxe+nfs/article.html I seem to remember there being distro ISO tools out there that allow one to roll their own distro, but for the life of me can't remember what it's called. Anyway, if you're feeling ambitious you could load an OS, season to taste and then create your OS using the Live CD technology that's out there. - -- Mark Drunkenness is not an excuse for stupidity. If you're stupid when you're sober then that's one thing, but if you're sober when you're stupid, then you're just plain stupid! == Powered by CentOS5 (RHEL5) -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iD8DBQFHebdaAHUWFbtwPigRAvj8AJ9oIHAwN4NEopzJFJ8q+mxtTsQEGwCfUk6N 6DnfuAGUJR6WYDi1HUlKcaI= =rE1u -END PGP SIGNATURE- ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
[CentOS] Firewall frustration
Well FWbuilder is NOT easy. The documentation does not match the current GUI. Now the box is locked up. I will have to pull it again, hook it up to a kybd/VGA and reset iptables Maybe Shoreline with webmin Problem is I want a REAL router/firewall with little work. Both public and private nets have routable addresses. No NATing for me! I just help write the RFC ;) And all the templates for fwbuilder want you to be using NATing. Perhaps I should just set up another Astaro firewall. I have been using Astaro since v3, so I am comfortable with it ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
On Mon, 31 Dec 2007 00:13:22 -0500 Robert Moskowitz [EMAIL PROTECTED] wrote: Well FWbuilder is NOT easy. The documentation does not match Take a look at FireStarter: http://www.fs-security.com/ It very easy to set and use. It's only a front-end for iptables. But watch out, it has it's limitations in the scenarios that it can handle. On the other hand, you can use it to generate the iptables rules and then just use it in text mode only. -- Thanks http://www.911networks.com When the network has to work ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Firewall frustration
On Dec 31, 2007 12:13 AM, Robert Moskowitz [EMAIL PROTECTED] wrote: Well FWbuilder is NOT easy. The documentation does not match the current GUI. Now the box is locked up. I will have to pull it again, hook it up to a kybd/VGA and reset iptables Maybe Shoreline with webmin Problem is I want a REAL router/firewall with little work. Both public and private nets have routable addresses. No NATing for me! I just help write the RFC ;) And all the templates for fwbuilder want you to be using NATing. Perhaps I should just set up another Astaro firewall. I have been using Astaro since v3, so I am comfortable with it If you've ever used a Checkpoint firewall, FWBuilder is exactly like that interface. It even comes with a module that will let you modify Checkpoint firewalls. -- -matt ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
