Re: Where to install the firewall scripts

2002-12-15 Thread Jeff
bong sabolboro, 2002-Dec-15 19:43 -0800:
> All of these discussions deal with the rules.  Where
> would one place the routing and forwarding commands 
> considering they should be last to be activated after
> rules have been set up, in case="start" of
> /etc/init.d/networking?

Here's the order of my iptables script:

1.  set variables and do file exec tests (test -x /sbin/iptables)
2.  load modules (ipt_MASQUERADE, ipt_state, etc.)
3.  build chains (add rules)
    a.  set default policies for my chains
    b.  enable forwarding
    c.  add INPUT rules
    d.  add postrouting masquerade rule


I hope this helps,
jc

-- 
Jeff Coppock    Systems Engineer
Diggin' Debian  Admin and User



Re: Dedicated Firewall + snmpd smux 199/tcp

2002-12-15 Thread Jean-Francois Dive
smux stands for multiplexed agents: basically, you have a frontend main
agent and some smux sub-agents, each managing only a part of the MIB, the main
agent querying the sub-agent when the tree is requested. This is deprecated
and replaced by the agentx protocol (same story of agent/sub-agent).

I don't think this is a bug; this is a maintainer choice to enable smux, it
has been for a while, and people using it (ok, there must not be a lot of those)
won't be happy.  Filtering / recompiling are the best solutions.

JeF

On Sun, Dec 15, 2002 at 04:39:14AM -0400, Gerard MacNeil wrote:
> On Sat, 14 Dec 2002, Javier [iso-8859-1] Fernández-Sanguino Peña wrote:
> > 
> > PS: BTW what is smux for? On a (brief) search it seems to be a way to
> > associate managers to MIBs that are later provided in the SNMP daemon to
> > management stations...
> > 
> 
> I have seen smux used for session management by freeradius.
> 
> --
> Gerard
> 

-- 

-> Jean-Francois Dive
--> [EMAIL PROTECTED]

  There is no such thing as randomness.  Only order of infinite
  complexity.  - _The Holographic Universe_, Michael Talbot



Re: Where to install the firewall scripts

2002-12-15 Thread bong sabolboro
All of these discussions deal with the rules.  Where
would one place the routing and forwarding commands 
considering they should be last to be activated after
rules have been set up, in case="start" of
/etc/init.d/networking?

Thanks to all who shared their expertise in the
discussions here.  I've learned a lot already.

Renato


--- Tim Haynes <[EMAIL PROTECTED]>
wrote:
> Nicolas Boullis <[EMAIL PROTECTED]> writes:
> 
> [snip]
> >> # Drop spoofed packets
> >> iptables -A INPUT -i eth0 -j DROP -s 192.168.1.3 -d 0.0.0.0/0
> 




Re: firewall advice

2002-12-15 Thread andrew lattis
On 2002/12/15 07:15:25PM -0800, Sun, Torrin wrote:
> I changed the subject and started a new thread here.  Anyway . . .
> 
> >>> # Drop spoofed packets
> >>> iptables -A INPUT -i eth0 -j DROP -s 192.168.1.3 -d 0.0.0.0/0
> 
> >What about outgoing spoofed packets? They didn't get dropped in this
> >script
> >at all. It's only a selfish half-hearted firewall if all it does is to
> >protect yourself against incoming nasties; there's always a
> >responsibility
> >not to inflict dodgy packets on others, as much as possible.
> 
> OK, but how do you tell if a packet is spoofed going out?  I can tell
> coming in by looking at the source address and the interface.


#Packets leaving this server

#connections to lo
$iptables -A OUTPUT -p ALL -o $lo_iface -s $lo_ip -j ACCEPT

#allow the rest
$iptables -A OUTPUT -p ALL -o $eth_iface -s $eth_ip -j ACCEPT

#log the rest
$iptables -A OUTPUT -m limit --limit $log_limit --limit-burst $log_limit_burst \
    -p tcp -j LOG --log-prefix "output tcp:"
$iptables -A OUTPUT -m limit --limit $log_limit --limit-burst $log_limit_burst \
    -p udp -j LOG --log-prefix "output udp:"

I believe this should get it, not that I have gotten around to spoofing
anything to verify that it does drop it...




firewall advice

2002-12-15 Thread Torrin
I changed the subject and started a new thread here.  Anyway . . .

Nicolas Boullis wrote:
> You should add the rule:
>
>$IPTABLES -A INPUT -j ACCEPT -i eth0 -m state --state ESTABLISHED,RELATED

Thanks, those rules that I gave as an example are from my workstation, which
has a 2.4 kernel installed.  I will add this connection tracking
stuff on my workstation.  But, my server has a 2.2 kernel installed
and from the man page, there doesn't seem to be connection tracking
in ipchains.  Correct?

>>> # Drop spoofed packets
>>> iptables -A INPUT -i eth0 -j DROP -s 192.168.1.3 -d 0.0.0.0/0

>What about outgoing spoofed packets? They didn't get dropped in this
>script
>at all. It's only a selfish half-hearted firewall if all it does is to
>protect yourself against incoming nasties; there's always a
>responsibility
>not to inflict dodgy packets on others, as much as possible.

OK, but how do you tell if a packet is spoofed going out?  I can tell
coming in by looking at the source address and the interface.

>>> iptables -A INPUT -i eth0 -j ACCEPT -p TCP -s 0.0.0.0/0 --source-port domain   #53
>>> iptables -A INPUT -i eth0 -j ACCEPT -p UDP -s 0.0.0.0/0 --source-port domain   #53
>"Hey! I'm a nice port, let me in!". 
>
>Oops.

You're right, I should probably change that to be the address of the DNS
server.  I'll also add connection tracking in my iptables script.  Is
there anything I can do in my ipchains script?

-- 
http://www.torrin.net



Re: Where to install the firewall scripts

2002-12-15 Thread Tim Haynes
Nicolas Boullis <[EMAIL PROTECTED]> writes:

[snip]
>> # Drop spoofed packets
>> iptables -A INPUT -i eth0 -j DROP -s 192.168.1.3 -d 0.0.0.0/0

What about outgoing spoofed packets? They didn't get dropped in this script
at all. It's only a selfish half-hearted firewall if all it does is to
protect yourself against incoming nasties; there's always a responsibility
not to inflict dodgy packets on others, as much as possible.

>> # let ICMP in and out
>> iptables -A OUTPUT -o eth0 -j ACCEPT -p ICMP
>> iptables -A INPUT -i eth0 -j ACCEPT -p ICMP

This is folly. At the very least, rate-limit the outgoing chain, e.g.:

 | iptables -A OUTPUT -p icmp -m limit \
 |  --limit 5/s --limit-burst 10 \
 |  -j ACCEPT
 | iptables -A OUTPUT -p icmp -j outlog
 | 
 | iptables -A OUTPUT -p udp -m limit \
 |  --limit 10/s --limit-burst 20 \
 |  -j ACCEPT
 | iptables -A OUTPUT -p udp -j outlog

otherwise there's potential for being used as an amplifier in a (D)DoS
attack.

>> iptables -A INPUT -i eth0 -j ACCEPT -p TCP -s 0.0.0.0/0 --source-port domain   #53
>> iptables -A INPUT -i eth0 -j ACCEPT -p UDP -s 0.0.0.0/0 --source-port domain   #53

"Hey! I'm a nice port, let me in!". 

Oops.

> Well, this ruleset looks really dangerous to me since (unless I'm missing
> something obvious) you allow any machine to connect to any of your ports
> as soon as the connection is coming from ports 22 or 53. You should much
> better use connection tracking.

Agreed, most definitely. Connection-tracking adds more dimensions to the
question "did I really ask for this?".
And not only were the source-ports used as criteria for passing input
packets, but the source-port is the *sole* criterion. 

What happens to packets with zany flags (SYN+FIN, or various christmas-tree
combinations) set, from sport 22 to dport 22? They waltz right on in, and
can be used for remote OS fingerprinting as well! Yow.

> You should add the rule:
>
> $IPTABLES -A INPUT -j ACCEPT -i eth0 -m state --state ESTABLISHED,RELATED
>
> and then remove the explicit rules for answers...

Definitely. 

But more to the point, I'm not fussed on the layout of the above script
anyway. It might not be suited to all, but I suggest a look at the comments
in  might be
in order. Note the order in which things are done.

~Tim
-- 




Re: Where to install the firewall scripts

2002-12-15 Thread Nicolas Boullis
Hi!

On Sun, Dec 15, 2002 at 09:07:21AM -0800, Torrin wrote:

> /etc/network/if-pre-up.d/iptables
> 
> #!/bin/sh
> 
> if [ `uname -r | cut -b -3` != "2.4" ]; then
> #   echo "Not a 2.4 kernel.  Exiting iptables firewall script.";
>     exit 0;
> fi
> 
> # This deletes existing tables
> iptables -F
> iptables -X
> 
> # Drop everything by default
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> 
> # Allow all internal network traffic
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> 
> # Drop spoofed packets
> iptables -A INPUT -i eth0 -j DROP -s 192.168.1.3 -d 0.0.0.0/0
> 
> # let ICMP in and out
> iptables -A OUTPUT -o eth0 -j ACCEPT -p ICMP
> iptables -A INPUT -i eth0 -j ACCEPT -p ICMP
> 
> # let domain (dns) requests out
> iptables -A OUTPUT -o eth0 -j ACCEPT -p TCP -d 0.0.0.0/0 --destination-port domain   #53
> iptables -A OUTPUT -o eth0 -j ACCEPT -p UDP -d 0.0.0.0/0 --destination-port domain   #53
> iptables -A INPUT -i eth0 -j ACCEPT -p TCP -s 0.0.0.0/0 --source-port domain   #53
> iptables -A INPUT -i eth0 -j ACCEPT -p UDP -s 0.0.0.0/0 --source-port domain   #53
> 
> # let ssh out
> iptables -A OUTPUT -o eth0 -j ACCEPT -p TCP -d 0.0.0.0/0 --destination-port ssh   #22
> iptables -A INPUT -i eth0 -j ACCEPT -p TCP -s 0.0.0.0/0 --source-port ssh   #22
> # let ssh in from the local network only
> #iptables -A OUTPUT -o eth0 -j ACCEPT -p TCP -s 0.0.0.0/0 --source-port ssh -d 192.168.0.0/16
> #iptables -A INPUT -i eth0 -j ACCEPT -p TCP -s 192.168.0.0/16 -d 0.0.0.0/0 --destination-port ssh

Well, this ruleset looks really dangerous to me since (unless I'm missing 
something obvious) you allow any machine to connect to any of your ports 
as soon as the connection is coming from ports 22 or 53. You should much 
better use connection tracking.

You should add the rule:

$IPTABLES -A INPUT -j ACCEPT -i eth0 -m state --state ESTABLISHED,RELATED


and then remove the explicit rules for answers...


Regards,

Nicolas



Re: Where to install the firewall scripts

2002-12-15 Thread Tim van Erven
On Sun, 15/12/2002 10:24 +0100, Vasarhelyi asd Daniel wrote:
> Putting it into /etc/rc.boot will not harm the system. I think it's the
> best place to put the script, it's run before entering runlevel-2 which
> sets up network interfaces.

"The /etc/rc.boot directory is obsolete. It has been superseded by the
/etc/rcS.d directory." -- man rc.boot

-- 
Tim van Erven <[EMAIL PROTECTED]>
OpenPGP Key ID: 712CB811    Fingerprint: F6C9 61EE 242C C012 36D5  BBF8 6310 D557 712C B811




Re: Where to install the firewall scripts

2002-12-15 Thread Vasarhelyi asd Daniel
Putting it into /etc/rc.boot will not harm the system. I think it's the
best place to put the script, it's run before entering runlevel-2 which
sets up network interfaces.

asd
-- 
Daniel "asd" Vasarhelyi
PGP key available at http://asd.musichello.com/gpg-pub.key and public keyservers
Key fingerprint = EA00 AF4D A83C 1122 0967  DDF5 27BC 390F 181F 9954



Re: Where to install the firewall scripts

2002-12-15 Thread François TOURDE
Hi,

Torrin <[EMAIL PROTECTED]> writes:

> > I presume you call these scripts from some other
> > script? From /etc/init.d/networking perhaps?
> No need to.  I've never seen documentation on this, but from what I
> understand, if you put a script in the if-pre-up.d directory it gets
> called automatically just before networking comes up.  Also, if you put a
> script in the if-post-down.d directory it gets called just after
> networking goes down.  Can anybody point us to the relevant
> documentation?

I use the /etc/init.d/iptables script to start, stop, save, etc. my firewalling
directives. Once my rules seem OK, I run '/etc/init.d/iptables save active',
and each time my system boots up (once a year...), it loads the correct file.

There are 'active' and 'inactive' rulesets, and 2 other states (I can't remember
exactly the names) of firewalling ruleset.

My 2 cents.

-- 
THE OLD POOL SHOOTER had won many a game in his life. But now it was time
to hang up the cue. When he did, all the other cues came crashing to the floor.

"Sorry," he said with a smile.
-- Jack Handley, The New Mexican, 1988.
-- 
François TOURDE - tourde.org - 23 rue Bernard GANTE - 93250 VILLEMOMBLE
Tél: 01 49 35 96 69 - Mob: 06 81 01 81 80
eMail: mailto:[EMAIL PROTECTED] - URL: http://francois.tourde.org/



Re: Where to install the firewall scripts

2002-12-15 Thread Jamie Heilman
> networking goes down.  Can anybody point us to the relevant
> documentation?

Last I knew there wasn't any; it was a todo item.

I wrote a quick stub logger that logs its environment and how it was
called; this is what I found:

called as "/etc/network/if-pre-up.d/pre-up" (no arguments), nothing passed
in to stdin, id: uid=0(root) gid=0(root) groups=0(root)
environment:
 ADDRFAM=inet
 IFACE=eth0
 IF_ADDRESS=192.168.2.42
 IF_BROADCAST=192.168.2.255
 IF_GATEWAY=192.168.2.1
 IF_NETMASK=255.255.255.0
 IF_NETWORK=192.168.2.0
 METHOD=static
 MODE=start
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 PWD=/tmp
 SHLVL=1
 _=/bin/run-parts

Obviously your IPs may differ; looks like run-parts is used to call
everything in that script for every interface being taken down.  I
wouldn't count on PWD being /tmp; I think that may have been an
artifact of my script (which I wrote a long time ago and don't have
anymore).  Anyway, you get the idea.

-- 
Jamie Heilman   http://audible.transient.net/~jamie/
"You came all this way, without saying squat, and now you're trying
 to tell me a '56 Chevy can beat a '47 Buick in a dead quarter mile?
 I liked you better when you weren't saying squat kid." -Buddy

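Putting the thread's advice together, here is a hardened rewrite of the if-pre-up.d script quoted earlier in the thread; it is an added example, not Torrin's script or anything shipped by Debian. It uses Nicolas Boullis's ESTABLISHED,RELATED rule in place of the source-port rules, Tim Haynes's ICMP rate limit plus a plain-SYN requirement for new TCP connections, an egress rule in the spirit of Andrew Lattis's OUTPUT chain, and the IFACE, IF_ADDRESS and MODE variables Jamie Heilman found ifupdown exporting to the hook. The resolver 192.168.1.1 is a constructed placeholder, 192.168.1.3 and 192.168.0.0/16 are the thread's own sample values used as fallbacks, and IPT=echo makes the script print its rules instead of applying them.

```shell
#!/bin/sh
# Hardened variant of the /etc/network/if-pre-up.d firewall script discussed
# in this thread (added example, not the original poster's script).
# Run with IPT=echo to print the rules instead of applying them: no root or
# iptables binary is needed for that dry run.
#
# ifupdown exports IFACE, IF_ADDRESS and MODE to hooks in if-pre-up.d (see the
# environment dump in the thread); the fallbacks below are constructed values.
IPT="${IPT:-/sbin/iptables}"
IFACE="${IFACE:-eth0}"
MY_IP="${IF_ADDRESS:-192.168.1.3}"        # this host's own address on $IFACE
DNS_SERVER="${DNS_SERVER:-192.168.1.1}"   # constructed placeholder resolver
LAN="${LAN:-192.168.0.0/16}"              # where ssh logins may come from
KERNEL="${KERNEL:-$(uname -r)}"           # overridable for a dry run elsewhere

# Decide whether to act. MODE is only present when ifupdown invoked us (then
# we act on "start" for any interface but lo); by hand, the caller passes
# "apply" so that merely sourcing or testing the file never touches the kernel.
hook_should_run() {
    if [ -n "${MODE:-}" ]; then
        [ "$MODE" = "start" ] && [ "$IFACE" != "lo" ]
    else
        [ "${1:-}" = "apply" ]
    fi
}

# The original script's 2.4 kernel test, as a function that takes the
# version string so it can be checked without calling uname.
is_24_kernel() {
    case "$1" in
        2.4.*) return 0 ;;
        *)     return 1 ;;
    esac
}

firewall_rules() {
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # loopback is trusted
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # anti-spoofing in both directions: our own address (or a loopback address)
    # must never arrive from the wire, and nothing but our own address may
    # leave through it. The egress pair answers "how do you tell if a packet
    # is spoofed going out?": its source address is not ours.
    $IPT -A INPUT -i "$IFACE" -s "$MY_IP" -j DROP
    $IPT -A INPUT -i "$IFACE" -s 127.0.0.0/8 -j DROP
    $IPT -A OUTPUT -o "$IFACE" ! -s "$MY_IP" -m limit --limit 3/min \
        -j LOG --log-prefix "egress spoof:"
    $IPT -A OUTPUT -o "$IFACE" ! -s "$MY_IP" -j DROP

    # connection tracking replaces the source-port "answer" rules: only
    # replies to traffic this host started get in
    $IPT -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$IFACE" -m state --state INVALID -j DROP

    # a new TCP connection must start with a plain SYN; SYN+FIN and other odd
    # flag combinations used for fingerprinting never match the ACCEPT below
    $IPT -A INPUT -i "$IFACE" -p tcp ! --syn -m state --state NEW -j DROP

    # ICMP rate-limited in both directions so the host cannot be used as a
    # (D)DoS amplifier
    $IPT -A INPUT -i "$IFACE" -p icmp -m limit --limit 5/s --limit-burst 10 -j ACCEPT
    $IPT -A OUTPUT -o "$IFACE" -p icmp -m limit --limit 5/s --limit-burst 10 -j ACCEPT

    # new outbound connections: DNS only to the configured resolver, ssh anywhere
    $IPT -A OUTPUT -o "$IFACE" -p udp -d "$DNS_SERVER" --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$IFACE" -p tcp -d "$DNS_SERVER" --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$IFACE" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # new inbound connections: ssh from the local network only
    $IPT -A INPUT -i "$IFACE" -p tcp -s "$LAN" --dport 22 -m state --state NEW -j ACCEPT

    # everything else is logged (rate-limited) and then hits the DROP policy
    $IPT -A INPUT -m limit --limit 3/min --limit-burst 5 -j LOG --log-prefix "input drop:"
    $IPT -A OUTPUT -m limit --limit 3/min --limit-burst 5 -j LOG --log-prefix "output drop:"
}

# Number of -A rules a dry run would add; a quick sanity check before
# installing the file as a hook.
rule_count() {
    ( IPT=echo; firewall_rules ) | grep -c '^-A '
}

if hook_should_run "$1" && is_24_kernel "$KERNEL"; then
    firewall_rules
fi
```

`IPT=echo KERNEL=2.4.20 sh ./iptables apply` prints the 18 rules without touching the kernel; installed as /etc/network/if-pre-up.d/iptables it needs no argument, and the matching if-post-down.d script can stay the flush-only version from the thread.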



Re: smtp-auth

2002-12-15 Thread Rick Moen
Quoting pain ([EMAIL PROTECTED]):

> I need to add smtp-auth capabilities to a postfix MTA. The postfix
> documentation talks about sasl to do this. Is this method secure?
> Do other (better or more secure) alternatives exist?

The SMTP-AUTH service is part of the ESMTP extension, which in turn is a
profile of the SASL authentication mechanism.  So, they're not separable.  
Please see:  http://www.faqs.org/rfcs/rfc2554.html

Postfix incorporated SMTP-AUTH in 2000, using the Cyrus SASL library.
(In Debian, this is in package postfix-tls or postfix-snap-tls.)

(None of the above is from personal experience; I'm just reading docs.)

-- 
Cheers,  "Reality is not optional."
Rick Moen -- Thomas Sowell
[EMAIL PROTECTED]




smtp-auth

2002-12-15 Thread pain

Hello,

I need to add smtp-auth capabilities to a postfix MTA. The postfix
documentation talks about sasl to do this. Is this method secure?
Do other (better or more secure) alternatives exist?

thanks to all,

bye



Re: Where to install the firewall scripts

2002-12-15 Thread Torrin
> /etc/network/if-pre-up.d/iptables
Oops, that second script is supposed to be

/etc/network/if-post-down.d/iptables
                ^^^^^^^^^
> #!/bin/sh
> 
> if [ `uname -r | cut -b -3` != "2.4" ]; then
> #   echo "Not a 2.4 kernel.  Exiting iptables firewall script.";
>     exit 0;
> fi
> 
> # This deletes existing tables
> iptables -F
> iptables -X

-- 
http://www.torrin.net




Re: Where to install the firewall scripts

2002-12-15 Thread Torrin
> I presume you call these scripts from some other
> script? From /etc/init.d/networking perhaps?
No need to.  I've never seen documentation on this, but from what I
understand, if you put a script in the if-pre-up.d directory it gets
called automatically just before networking comes up.  Also, if you put a
script in the if-post-down.d directory it gets called just after
networking goes down.  Can anybody point us to the relevant
documentation?

> Care to share "some" of the contents of your script so
> that I do not have to start from scratch?
Sure, no problem.

You said you were using iptables, right?  OK.  That first part is because
I use both 2.2 and 2.4 kernels, so I have a similar script for 2.2.  If
2.6 uses iptables also, you'll have to change the script.  Also, I read
on one of these lists that it's not a good idea to drop packets because
it just breaks standards.  Any comments on this from anybody?  By the
way, on the spoofed packets line, you're going to want to put in your
own IP address.

/etc/network/if-pre-up.d/iptables

#!/bin/sh

if [ `uname -r | cut -b -3` != "2.4" ]; then
#   echo "Not a 2.4 kernel.  Exiting iptables firewall script.";
   exit 0;
fi

# This deletes existing tables
iptables -F
iptables -X

# Drop everything by default
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow all internal network traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Drop spoofed packets
iptables -A INPUT -i eth0 -j DROP -s 192.168.1.3 -d 0.0.0.0/0

# let ICMP in and out
iptables -A OUTPUT -o eth0 -j ACCEPT -p ICMP
iptables -A INPUT -i eth0 -j ACCEPT -p ICMP

# let domain (dns) requests out
iptables -A OUTPUT -o eth0 -j ACCEPT -p TCP -d 0.0.0.0/0 --destination-port domain   #53
iptables -A OUTPUT -o eth0 -j ACCEPT -p UDP -d 0.0.0.0/0 --destination-port domain   #53
iptables -A INPUT -i eth0 -j ACCEPT -p TCP -s 0.0.0.0/0 --source-port domain   #53
iptables -A INPUT -i eth0 -j ACCEPT -p UDP -s 0.0.0.0/0 --source-port domain   #53

# let ssh out
iptables -A OUTPUT -o eth0 -j ACCEPT -p TCP -d 0.0.0.0/0 --destination-port ssh   #22
iptables -A INPUT -i eth0 -j ACCEPT -p TCP -s 0.0.0.0/0 --source-port ssh   #22
# let ssh in from the local network only
#iptables -A OUTPUT -o eth0 -j ACCEPT -p TCP -s 0.0.0.0/0 --source-port ssh -d 192.168.0.0/16
#iptables -A INPUT -i eth0 -j ACCEPT -p TCP -s 192.168.0.0/16 -d 0.0.0.0/0 --destination-port ssh


/etc/network/if-pre-up.d/iptables

#!/bin/sh

if [ `uname -r | cut -b -3` != "2.4" ]; then
#   echo "Not a 2.4 kernel.  Exiting iptables firewall script.";
   exit 0;
fi

# This deletes existing tables
iptables -F
iptables -X

There you have it.  I left out a bunch of rules for running things like
yahoo messenger and letting out ftp and such, but that should be enough
to get you started.  Basically, the first script sets things up and the
second script will delete all tables.

By the way, since I did put these rules out here, I'd appreciate
comments on where they could be improved.

-- 
http://www.torrin.net
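Two things in the script above deserve a second look before copying it. Every inbound ACCEPT is keyed on the remote side's source port (--source-port domain, --source-port ssh), and the remote side chooses that port, so any host can reach any TCP or UDP service on this box simply by sending from port 53 or 22. And the version test makes the script exit quietly, leaving no firewall at all, on any kernel whose release does not start with 2.4; 2.6 uses iptables as well. The script below is an added example, not Torrin's code: the same policy expressed with the 2.4 connection-tracking match (-m state), so replies are accepted because the kernel saw this host open the connection, not because of the port they come from. It assumes ifupdown exports MODE as start or stop to if-pre-up.d and if-post-down.d scripts (interfaces(5)), so one file can be linked into both directories; eth0, 192.168.1.3 and 192.168.0.0/16 are placeholders taken from the post, and IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not the script from the post above: the same policy
# (default DROP, loopback open, DNS and ssh out, ICMP, ssh in from the LAN)
# rewritten to use 2.4 connection tracking.  Replies get in because the
# kernel saw the outbound connection, not because the remote end chose
# source port 53 or 22.
# WAN, MYADDR and LAN are placeholders; set IPT=echo to print the rules
# instead of loading them.  MODE=start/stop from ifupdown is assumed.

IPT=${IPT:-/sbin/iptables}
WAN=${WAN:-eth0}
MYADDR=${MYADDR:-192.168.1.3}      # this host's address on $WAN
LAN=${LAN:-192.168.0.0/16}         # hosts allowed to ssh in

load_firewall() {
    # Start from an empty ruleset: flush every chain, delete user chains.
    $IPT -F
    $IPT -X

    # Fail closed: anything not explicitly accepted below is dropped.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Loopback is unrestricted.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Anti-spoofing: nothing arriving on the WAN side may claim to be us
    # or to come from loopback.
    $IPT -A INPUT -i "$WAN" -s "$MYADDR" -j DROP
    $IPT -A INPUT -i "$WAN" -s 127.0.0.0/8 -j DROP

    # Packets belonging to connections this host opened, and related ones
    # such as ICMP errors or ftp data channels (with ip_conntrack_ftp loaded),
    # are accepted by conntrack state.  No rule keys on a source port.
    $IPT -A INPUT  -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New outbound connections this host may start.
    $IPT -A OUTPUT -o "$WAN" -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$WAN" -p tcp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$WAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # ICMP: send anything, answer pings; error messages arrive as RELATED.
    $IPT -A OUTPUT -o "$WAN" -p icmp -j ACCEPT
    $IPT -A INPUT  -i "$WAN" -p icmp --icmp-type echo-request -j ACCEPT

    # New inbound ssh only from the LAN range.
    $IPT -A INPUT -i "$WAN" -p tcp -s "$LAN" --dport 22 -m state --state NEW -j ACCEPT

    # Make the silent default visible in the logs before it applies.
    $IPT -A INPUT -i "$WAN" -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# For if-post-down.d: drop the rules but keep the DROP policies, so the
# host stays closed until the pre-up script runs again.
reset_firewall() {
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
}

# ifupdown runs hooks with MODE=start (pre-up) or MODE=stop (post-down);
# a first argument lets you run it by hand: sh iptables start
case "${1:-$MODE}" in
    start) load_firewall ;;
    stop)  reset_firewall ;;
esac
```

Link the same file as /etc/network/if-pre-up.d/iptables and /etc/network/if-post-down.d/iptables. Because the ipt_state match does the work, adding ftp or a messenger client later means one more --dport NEW rule in OUTPUT rather than a matching source-port hole in INPUT.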



smtp-auth

2002-12-15 Thread pain

Hello,

I need to add smtp-auth capabilities to a postfix MTA. The postfix
documentation talks about SASL to do this. Is this method secure?
Do other (better or more secure) alternatives exist? 

thanks to all,

bye





Re: Where to install the firewall scripts

2002-12-15 Thread Torrin
> /etc/network/if-pre-up.d/iptables
Oops, that second script is supposed to be

/etc/network/if-post-down.d/iptables
 ^^
> #!/bin/sh
> 
> if [ `uname -r | cut -b -3` != "2.4" ]; then
> #   echo "Not a 2.4 kernel.  Exiting iptables firewall script.";
>exit 0;
> fi
> 
> # This deletes existing tables
> iptables -F
> iptables -X

-- 
http://www.torrin.net






Re: Dedicated Firewall + snmpd smux 199/tcp

2002-12-15 Thread Gerard MacNeil
On Sat, 14 Dec 2002, Javier [iso-8859-1] Fernández-Sanguino Peña wrote:
> 
> PS: BTW what is smux for? On a (brief) search it seems to be a way to
> associate managers to MIBs that are later provided in the SNMP daemon to
> management stations...
> 

I have seen smux used for session management by freeradius.

--
Gerard


