Re: [Cooker] tinyfirewall disable dns on simple DSL setup
The grep command cleared up how everything worked together, thanks.

> The idea is that one should configure tinyfirewall when connected to the
> net in order to have a ppp interface ... which is a bit stupid. We'll have
> indeed to check for a ipppx or pppx interface.
>
> I'll have a look at it.

I was looking at the shorewall web site and there is a small reference to configuring ppp0 DSL connections. This was the source of the problem. I remember ppp0 from this simple fact: you connect to ppp0, not eth0.

> shields up ?

A simple web site for checking for common open ports on a windoze system. It reports on open, closed and stealth ports. https://grc.com/x/ne.dll?bh0bkyd2

> what do you mean by "limited outgoing connections" ?

Oops, "limited *to* outgoing connections", which I figured out is the default. I think there is some confusion over leaving ports open for servers (e.g., an ftp server or a dns server) and no open ports at all. Apps will open ports when needed, thus limited to outgoing connections.

Now I would recommend including a "Standalone workstation (no server connections)" option in tinyfirewall. This is what is missing and I believe many people will be looking for it. Add the ppp0 checks and it should cover the average user, which is the point, no?

The result of grep now is:

/etc/shorewall/zones:net        Net     Internet zone
/etc/shorewall/interfaces:net   ppp0    detect
/etc/shorewall/policy:fw        net     ACCEPT
/etc/shorewall/policy:net       all     DROP    info
/etc/shorewall/policy:all       all     REJECT  info

When I did the test again port 80 was not stealth but closed, and this is probably due to the browser, so technically with no programs running the firewall should make the connection invisible (stealth) to any outside connections. You would have to test that on a network setup though. I am used to using ZoneLabs 'ZoneAlarm' on Windows (excellent program), which is an adaptive firewall, so all ports are stealth by default, even if a program is actively using a port.

Gabriel
Re: [Cooker] tinyfirewall disable dns on simple DSL setup
> ---
> the result of grep command after first configuration
>
> /etc/shorewall/zones:net        Net     Internet zone
> /etc/shorewall/interfaces:net   eth0    detect
> /etc/shorewall/policy:fw        net     ACCEPT
> /etc/shorewall/policy:net       all     DROP    info
> /etc/shorewall/policy:all       all     REJECT  info
> /etc/shorewall/rules:ACCEPT     net     fw      udp     53      -
> /etc/shorewall/rules:ACCEPT     net     fw      tcp     53,109,110,143  -
>
> masq file has no entries
>
> I figured it out, the interface entry should be ppp0 not eth0 even
> though in example 1 in the interface configuration file it has a DSL
> being referenced as eth0.
>
> My setup would be the default for a standalone workstation with DSL so
> many people will have the same problem. A check for a pppX connection
> should be done.

The idea is that one should configure tinyfirewall when connected to the
net in order to have a ppp interface ... which is a bit stupid. We'll have
indeed to check for a ipppx or pppx interface.

I'll have a look at it.

> Also I would include a welcoming note if any problems occur that
> returning to tinyfirewall and selecting no firewall will undo any
> settings. I so-so understand how the firewall works; now imagine someone
> who makes the adjustment and loses their connection? The support lines
> will light up.
>
> All I did was change eth0 to ppp0 after running firewall and it worked.
>
> /etc/shorewall/zones:net        Net     Internet zone
> /etc/shorewall/interfaces:net   ppp0    detect
> /etc/shorewall/policy:fw        net     ACCEPT
> /etc/shorewall/policy:net       all     DROP    info
> /etc/shorewall/policy:all       all     REJECT  info
> /etc/shorewall/rules:ACCEPT     net     fw      udp     53      -
> /etc/shorewall/rules:ACCEPT     net     fw      tcp     53,109,110,143  -
>
> Since I have your attention... I tested using shields up and those ports

shields up ?

> still accept connections from outside sources. Granted, not a large
> security risk, but for a standalone workstation all ports should
> reject connections - total stealth. Now this would become important if
> someone has a static IP since the machine can still be detected and
> attacked.
>
> I would recommend client or server setups. The server setup would allow
> incoming connections. The client would refuse all incoming connections
> and allow limited outgoing connections. Speaking of which, do you know
> where I can find an example of the latter?

what do you mean by "limited outgoing connections" ?

> Gabriel

-- 
Florin
http://www.mandrakesoft.com
http://people.mandrakesoft.com/~florin/
Re: [Cooker] tinyfirewall disable dns on simple DSL setup
On Wed, 2002-08-28 at 08:57, Florin wrote:
> [EMAIL PROTECTED] (Gabriel Phoenix) writes:
>
> > On Tue, 2002-08-27 at 23:31, Pixel wrote:
> > > Gabriel Phoenix <[EMAIL PROTECTED]> writes:
> > >
> > > > Shouldn't tinyfirewall allow or have an option for DNS?
> > >
> > > it's there (Domain Name Server). ?
> >
> > I meant DNS client lookup. As I read it those options allow for server
> > connections. What about client connections?
> >
> > I selected it and got the same classic DNS error of cannot find such and
> > such url.
> >
> > I clear Shorewall and everything works so it's related to Shorewall's
> > configuration.
> >
> > gabriel
>
> ok,
>
> simply configure your tinyfirewall and then send us the result of the
> command:
>
> grep -v ^# /etc/shorewall/{zones,interfaces,policy,rules}|grep -v ^$
>
> have a nice day,
> --
> Florin
> http://www.mandrakesoft.com
> http://people.mandrakesoft.com/~florin/

---
The result of the grep command after the first configuration:

/etc/shorewall/zones:net        Net     Internet zone
/etc/shorewall/interfaces:net   eth0    detect
/etc/shorewall/policy:fw        net     ACCEPT
/etc/shorewall/policy:net       all     DROP    info
/etc/shorewall/policy:all       all     REJECT  info
/etc/shorewall/rules:ACCEPT     net     fw      udp     53      -
/etc/shorewall/rules:ACCEPT     net     fw      tcp     53,109,110,143  -

The masq file has no entries.

I figured it out: the interface entry should be ppp0, not eth0, even though example 1 in the interface configuration file has a DSL being referenced as eth0.

My setup would be the default for a standalone workstation with DSL, so many people will have the same problem. A check for a pppX connection should be done.

Also I would include a welcoming note, if any problems occur, that returning to tinyfirewall and selecting no firewall will undo any settings. I so-so understand how the firewall works; now imagine someone who makes the adjustment and loses their connection? The support lines will light up.

All I did was change eth0 to ppp0 after running firewall and it worked.

/etc/shorewall/zones:net        Net     Internet zone
/etc/shorewall/interfaces:net   ppp0    detect
/etc/shorewall/policy:fw        net     ACCEPT
/etc/shorewall/policy:net       all     DROP    info
/etc/shorewall/policy:all       all     REJECT  info
/etc/shorewall/rules:ACCEPT     net     fw      udp     53      -
/etc/shorewall/rules:ACCEPT     net     fw      tcp     53,109,110,143  -

Since I have your attention... I tested using shields up and those ports still accept connections from outside sources. Granted, not a large security risk, but for a standalone workstation all ports should reject connections - total stealth. Now this would become important if someone has a static IP since the machine can still be detected and attacked.

I would recommend client or server setups. The server setup would allow incoming connections. The client would refuse all incoming connections and allow limited outgoing connections. Speaking of which, do you know where I can find an example of the latter?

Gabriel
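One way to do the pppX check discussed in this thread, as an added example (not code from the thread, from tinyfirewall or from Shorewall): a POSIX sh check that reads the "net" zone entry from a Shorewall 1.x interfaces file (ZONE INTERFACE BROADCAST OPTIONS, the layout visible in the grep output above) and reports when a ppp/ippp link is up but the entry still names the Ethernet NIC, which is exactly the eth0-versus-ppp0 mistake that broke DNS here. The sample interfaces file and the list of present interfaces are constructed; on a real host the list would come from the kernel's interface table.

```shell
#!/bin/sh
# Added example (not code from the thread, tinyfirewall or Shorewall): check
# that the "net" zone in a Shorewall 1.x interfaces file (ZONE INTERFACE
# BROADCAST OPTIONS) is bound to an interface that exists, and flag the
# DSL case where a ppp/ippp link is up but the entry still names the NIC.
# Both the file path and the list of present interfaces are parameters so
# the check can be run against constructed sample data.

# Print the interface bound to zone "net", skipping comments and blank lines.
net_interface() {
    grep -v '^#' "$1" | grep -v '^$' | awk '$1 == "net" { print $2; exit }'
}

# Succeed if $1 is among the remaining arguments (interfaces present on host).
iface_present() {
    want=$1; shift
    for i in "$@"; do
        if [ "$i" = "$want" ]; then return 0; fi
    done
    return 1
}

# Print the interface the net zone should use. Returns 0 if the file already
# matches, 1 if the entry must be changed to the interface printed.
check_net_zone() {
    file=$1; shift
    configured=$(net_interface "$file")
    for i in "$@"; do
        case "$i" in
            ppp[0-9]*|ippp[0-9]*)
                # A PPP session is up: the net zone must sit on it, not on the
                # NIC underneath, or its traffic falls through to the
                # "all all REJECT" policy and DNS lookups fail.
                echo "$i"
                if [ "$i" = "$configured" ]; then return 0; else return 1; fi
                ;;
        esac
    done
    echo "$configured"
    if iface_present "$configured" "$@"; then return 0; else return 1; fi
}

# Constructed sample of the first (broken) configuration quoted in the thread.
SAMPLE_INTERFACES=$(mktemp)
printf '#ZONE\tINTERFACE\tBROADCAST\tOPTIONS\nnet\teth0\tdetect\n' > "$SAMPLE_INTERFACES"

# DSL workstation with ppp0 up over eth0: prints "ppp0" and reports a mismatch.
check_net_zone "$SAMPLE_INTERFACES" lo eth0 ppp0 || echo "net zone must be moved to the interface above"
```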
Re: [Cooker] tinyfirewall disable dns on simple DSL setup
[EMAIL PROTECTED] (Gabriel Phoenix) writes:

> On Tue, 2002-08-27 at 23:31, Pixel wrote:
> > Gabriel Phoenix <[EMAIL PROTECTED]> writes:
> >
> > > Shouldn't tinyfirewall allow or have an option for DNS?
> >
> > it's there (Domain Name Server). ?
>
> I meant DNS client lookup. As I read it those options allow for server
> connections. What about client connections?
>
> I selected it and got the same classic DNS error of cannot find such and
> such url.
>
> I clear Shorewall and everything works so it's related to Shorewall's
> configuration.
>
> gabriel

same thing for /etc/shorewall/masq

-- 
Florin
http://www.mandrakesoft.com
http://people.mandrakesoft.com/~florin/
Re: [Cooker] tinyfirewall disable dns on simple DSL setup
[EMAIL PROTECTED] (Gabriel Phoenix) writes:

> On Tue, 2002-08-27 at 23:31, Pixel wrote:
> > Gabriel Phoenix <[EMAIL PROTECTED]> writes:
> >
> > > Shouldn't tinyfirewall allow or have an option for DNS?
> >
> > it's there (Domain Name Server). ?
>
> I meant DNS client lookup. As I read it those options allow for server
> connections. What about client connections?
>
> I selected it and got the same classic DNS error of cannot find such and
> such url.
>
> I clear Shorewall and everything works so it's related to Shorewall's
> configuration.
>
> gabriel

ok,

simply configure your tinyfirewall and then send us the result of the
command:

grep -v ^# /etc/shorewall/{zones,interfaces,policy,rules}|grep -v ^$

have a nice day,

-- 
Florin
http://www.mandrakesoft.com
http://people.mandrakesoft.com/~florin/
Re: [Cooker] tinyfirewall disable dns on simple DSL setup
Gabriel Phoenix <[EMAIL PROTECTED]> writes:

> Shouldn't tinyfirewall allow or have an option for DNS?

it's there (Domain Name Server). ?
[Cooker] tinyfirewall disable dns on simple DSL setup
Still trying to understand Shorewall configuration. I tried tinyfirewall since it is for a simple standalone setup. The result is the loss of DNS lookup. I have a standalone workstation and a DSL modem with a dedicated NIC. A simple setup. Humiliating, yes, that I haven't figured it out by now.

Shouldn't tinyfirewall allow or have an option for DNS?

Guarddog is one of the best intuitive designs I have seen... it fulfills the ability to hide the complexity of the firewall configuration with an easy to understand gui. Basically a list of common ports and three options: accept, block or reject. Point and click, and it didn't take long to figure it out. At least tinyfirewall could have a list of common ports. Now if something similar to Guarddog can be created then more users would be able to configure a firewall themselves without being an expert beforehand.

Gabriel
Re: [Cooker] tinyfirewall missing dependencies
[EMAIL PROTECTED] (Alastair Scott) writes:

> If you set up a non-server workstation (nothing selected, apart from a
> window manager or managers, in the right-hand column of the top-level
> package list) running tinyfirewall asks for shorewall and iptables to be
> installed.
>
> Given that tinyfirewall is always installed as part of the Mandrake
> Control Centre, should these packages not be installed by default?
>
> Alastair

tinyfirewall is a series of scripts on the MCC backend. This needs shorewall and iptables to work properly. If one doesn't want to configure a firewall ... why install these packages then ?

-- 
Florin
http://www.mandrakesoft.com
http://people.mandrakesoft.com/~florin/
Re: [Cooker] tinyfirewall missing dependencies
Alastair Scott <[EMAIL PROTECTED]> writes:

> If you set up a non-server workstation (nothing selected, apart from a
> window manager or managers, in the right-hand column of the top-level
> package list) running tinyfirewall asks for shorewall and iptables to be
> installed.
>
> Given that tinyfirewall is always installed as part of the Mandrake
> Control Centre, should these packages not be installed by default?

Since tinyfirewall is in drakxtools-newt, it will not depend on shorewall, but ask for installing them instead.
[Cooker] tinyfirewall missing dependencies
If you set up a non-server workstation (nothing selected, apart from a window manager or managers, in the right-hand column of the top-level package list) running tinyfirewall asks for shorewall and iptables to be installed.

Given that tinyfirewall is always installed as part of the Mandrake Control Centre, should these packages not be installed by default?

Alastair
Re: [Cooker] tinyfirewall (drakxtools)
On Sun, 2002-01-20 at 08:43, Daouda LO wrote:
> Roger <[EMAIL PROTECTED]> writes:
>
> > Already installed packages:
> > drakxtools-1.1.7-59mdk.src.rpm
> > ipchains-1.3.10-5mdk.src.rpm iptables-1.2.4-2mdk.src.rpm
> > Bastille-1.2.0-2mdk (cooker is now at 4mdk)
> >
> > tinyfirewall tries to install iptables and Bastille even though they are
> > already installed! also, it was having problems finding the cdrom drive &
> > the cdrom, so i commented out the following.
> >
> > Starting @ line #236 of /usr/lib/libDrakX/tinyfirewall.pm
> >
> > Gtk->main_iteration while Gtk->events_pending;
> > #if (!$in->do_pkgs->install(Kernel22() ? "ipchains" : "iptables", "Bastille")) {
> > #    $in->ask_warn('', _("Failure installing the needed packages : %s and Bastille.
> > #Try to install them manually.", Kernel22() ? "ipchains" : "iptables") );
> > #$dialog->destroy;
> > #$in->exit(0);
> > #}
> > ReadConfig;
> > DoInterface($in);
> >
> > i don't know much perl (if any) but this simply looks to see if it's
>
> These lines have been commented (# ) so there is no chance they do anything.

That's because some malicious hacker (like me) commented them out ;-)

Yes, I commented them out to force tinyfirewall to skip checking for the (obsolete?) requires since I already have them installed.
Re: [Cooker] tinyfirewall (drakxtools)
Roger <[EMAIL PROTECTED]> writes:

> Already installed packages:
> drakxtools-1.1.7-59mdk.src.rpm
> ipchains-1.3.10-5mdk.src.rpm iptables-1.2.4-2mdk.src.rpm
> Bastille-1.2.0-2mdk (cooker is now at 4mdk)
>
> tinyfirewall tries to install iptables and Bastille even though they are
> already installed! also, it was having problems finding the cdrom drive &
> the cdrom, so i commented out the following.
>
> Starting @ line #236 of /usr/lib/libDrakX/tinyfirewall.pm
>
> Gtk->main_iteration while Gtk->events_pending;
> #if (!$in->do_pkgs->install(Kernel22() ? "ipchains" : "iptables", "Bastille")) {
> #    $in->ask_warn('', _("Failure installing the needed packages : %s and Bastille.
> #Try to install them manually.", Kernel22() ? "ipchains" : "iptables") );
> #$dialog->destroy;
> #$in->exit(0);
> #}
> ReadConfig;
> DoInterface($in);
>
> i don't know much perl (if any) but this simply looks to see if it's

These lines have been commented (# ) so there is no chance they do anything.
[Cooker] tinyfirewall (drakxtools)
Already installed packages:
drakxtools-1.1.7-59mdk.src.rpm
ipchains-1.3.10-5mdk.src.rpm
iptables-1.2.4-2mdk.src.rpm
Bastille-1.2.0-2mdk (cooker is now at 4mdk)

tinyfirewall tries to install iptables and Bastille even though they are already installed! Also, it was having problems finding the cdrom drive & the cdrom, so I commented out the following.

Starting @ line #236 of /usr/lib/libDrakX/tinyfirewall.pm

Gtk->main_iteration while Gtk->events_pending;
#if (!$in->do_pkgs->install(Kernel22() ? "ipchains" : "iptables", "Bastille")) {
#    $in->ask_warn('', _("Failure installing the needed packages : %s and Bastille.
#Try to install them manually.", Kernel22() ? "ipchains" : "iptables") );
#$dialog->destroy;
#$in->exit(0);
#}
ReadConfig;
DoInterface($in);

I don't know much perl (if any) but this simply looks to see if it's checking that iptables & Bastille are simply installed (no versioning check), mmm kernel 2.4.17 here...

Also, I get an error after completing the tinyfirewall tool:

# tinyfirewall
WARNING: reverting to default settings (dropping firewall)
disabling IP forwarding... done.
unloading masquerading modules... done.
resetting default input rules to accept... done.
resetting default output rule to accept... done.
resetting default forward rule to accept... done.
flushing INPUT rules... done.
flushing OUTPUT rules... done.
flushing FORWARD rules... done.
removing user-defined chains... done.
Setting up IP spoofing protection... done.
Allowing traffic from trusted interfaces... done.
Setting up chains for public/internal interface traffic... done.
Setting up general rules...iptables v1.2.4: invalid TCP port/service `linuxconf' specified
Try `iptables -h' or 'iptables --help' for more information.
 done.
Setting up outbound rules... done.

Notice the line: "Setting up general rules...iptables v1.2.4: invalid TCP port/service `linuxconf' specified Try `iptables -h' or 'iptables --help' for more information."
[Cooker] tinyfirewall
tinyfirewall is broken: it says bastille and iptables are not installed, however they are installed, and I have reinstalled them several times... any ideas anyone?

dave