[Fwd: Firewall-easy setup difficulties]

2004-11-10 Thread Tim Beauregard
--- Begin Message ---
Hi,

Could someone kindly help me with firewall setup with my home cable
(dhcp) internet connection?  I wish to use firewall-easy purely because
I know nothing about configuration of firewalls.  I can't recall having
changed the firewall-easy.conf file (attached).

I'm using debian unstable, 2.6.7 kernel.

The output I currently see is below:

debian:/home/tim# firewall-easy start
Running kernel 2.6.7
2.4 kernel support
-> iptables list OK
2.2 kernel support
NO ipchains list, firewall kernel support?
NO ipmasqadm list, port forwarding kernel support?
2.0 kernel support
NO ipfwadm list, firewall kernel support?
firewall-easy: iptables support detected
firewall-easy: iptables support detected

AUTODETECTION
loopback   = 127.0.0.0/255.0.0.0
local net  =
  local IP =
DNS servers = 62.31.176.39 194.117.134.19 195.188.53.175
ADSL iface  =
  gw =

-> Securing kernel (secure-kernel-24)
-> Setting up firewall (firewall-iptables)

 STATUS:1 
iptables -A ACCEPTLOG -m limit --limit 3/minute -j LOG
--log-prefix ACCEPT->
iptables: No chain/target/match by that name


 STATUS:1 
iptables -A DROPLOG -m limit --limit 3/minute -j LOG
--log-prefix DROP->
iptables: No chain/target/match by that name


 STATUS:1 
iptables -A RST -p tcp -j REJECT --reject-with tcp-reset
iptables: No chain/target/match by that name


 STATUS:1 
iptables -A RST -p udp -j REJECT
iptables: No chain/target/match by that name


 STATUS:1 
iptables -A RSTLOG -m limit --limit 3/minute -j LOG --log-prefix
REJECT->
iptables: No chain/target/match by that name


 STATUS:1 
iptables -A RSTLOG -p tcp -j REJECT --reject-with tcp-reset
iptables: No chain/target/match by that name


 STATUS:1 
iptables -A RSTLOG -p udp -j REJECT
iptables: No chain/target/match by that name


 STATUS:1 
iptables -t mangle -A PREROUTING -j TOS --set-tos 0x10 -p tcp -d
0/0 --dport 1024:65535 -s 0/0 --sport www
iptables: No chain/target/match by that name


 STATUS:1 
iptables -t mangle -A PREROUTING -j TOS --set-tos 0x10 -p tcp -s
0/0 --sport 1024:65535 -d 0/0 --dport www
iptables: No chain/target/match by that name


 STATUS:1 
iptables -t mangle -A PREROUTING -j TOS --set-tos 0x08 -p tcp -d
0/0 --dport 1024:65535 -s 0/0 --sport rsync
iptables: No chain/target/match by that name


 STATUS:1 
iptables -t mangle -A PREROUTING -j TOS --set-tos 0x08 -p tcp -s
0/0 --sport 1024:65535 -d 0/0 --dport rsync
iptables: No chain/target/match by that name


 STATUS:1 
iptables -t mangle -A PREROUTING -j TOS --set-tos 0x08 -p tcp -d
0/0 --dport 1024:65535 -s 0/0 --sport 1024:65535
iptables: No chain/target/match by that name


 STATUS:1 
iptables -t mangle -A PREROUTING -j TOS --set-tos 0x08 -p tcp -s
0/0 --sport 1024:65535 -d 0/0 --dport 1024:65535
iptables: No chain/target/match by that name


TESTING FIREWALL

debian:/home/tim#
(no error messages, just a command prompt)

The kernel .config options I think are relevant are:

CONFIG_SYSVIPC=y
CONFIG_SYSCTL=y
CONFIG_BLK_DEV_LOOP=y
CONFIG_SYN_COOKIES=y
CONFIG_INET_AH=y
CONFIG_INET_ESP=y
CONFIG_INET_IPCOMP=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_MANGLE=m
CONFIG_PROC_FS=y
CONFIG_PROC_KCORE=y
CONFIG_SYSFS=y
# firewall-easy.conf
#
# use vars as with bash format (no spaces allowed before/after the equal)
#


# HOME USER CONFIG


LOCALNET_IFACES=
#LOCALNET_IFACES=eth0   # Interfaces without firewall (better none)

ADSL_IFACES=
#ADSL_IFACES=eth1   # To get ADSL config by DHCP


# HIGH SECURITY OPTION
FTP=""  # active FTP not available

# MEDIUM SECURITY OPTION
#FTP="1.1.1.1 2.2.2.2"  # My active FTP servers (FTP is usually passive)

# LOW SECURITY OPTION
#FTP="0/0"  # NOT RECOMMENDED: This allows all active FTP at the
# price of being visible to scans from port 20


NTP=""  # Time servers (NTP) to access in Internet

NO_IP=""  # Remote IPs to deny access to our system



# CONFIG OPTIONS
# no matter their value, just if they exist or not

TESTFW=yes  # Uncomment to do firewall test in start
#NOLOG=yes  # Uncomment to NOT do ANY LOG (only 2.2 kernel)
#LOGALLDENY=yes  # Uncomment to log all denied rule (debug)
#DEBUG=yes  # Uncomment to debug


# STRATEGY NO SERVICES (only 2.4 kernel)
# Instead of being invisible which is the default config, you 
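As an added diagnostic, not code from firewall-easy or from the thread: the script below parses the STATUS blocks quoted above, re-joins the command lines that the mail client wrapped, works out which table, chain, match and target each rejected rule needs, and looks the backing kernel option up in the posted .config excerpt. iptables answers "No chain/target/match by that name" when the kernel (or a module that has not been loaded) lacks the table, match or target a rule uses, or when the chain named after -A has not been created yet; user-defined chains such as ACCEPTLOG or RST need an "iptables -N" before anything can be appended to them. The kernel option names are the 2.6-era ip_tables ones. Because the poster only quoted the .config lines he thought relevant, the script reports an option as absent from the excerpt rather than disabled; run it against a complete .config to get a real answer. The sample output and .config are constructed from what is quoted in the message.

```python
"""Cross-check iptables commands that firewall-easy reported as failing against
a kernel .config excerpt. Added diagnostic example, not part of firewall-easy.
"absent" below means "not in the excerpt", not "disabled in the kernel"."""
import re
import shlex

# Kernel option behind each table, match and target (2.6.x ip_tables names).
TABLE_OPTS = {"filter": "CONFIG_IP_NF_FILTER", "mangle": "CONFIG_IP_NF_MANGLE",
              "nat": "CONFIG_IP_NF_NAT"}
MATCH_OPTS = {"limit": "CONFIG_IP_NF_MATCH_LIMIT", "state": "CONFIG_IP_NF_MATCH_STATE"}
TARGET_OPTS = {"LOG": "CONFIG_IP_NF_TARGET_LOG", "REJECT": "CONFIG_IP_NF_TARGET_REJECT",
               "TOS": "CONFIG_IP_NF_TARGET_TOS", "MASQUERADE": "CONFIG_IP_NF_TARGET_MASQUERADE"}
# Chains the kernel provides itself; any other chain must be created with -N first.
BUILTIN_CHAINS = {"filter": {"INPUT", "FORWARD", "OUTPUT"},
                  "nat": {"PREROUTING", "POSTROUTING", "OUTPUT"},
                  "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"}}

# Constructed excerpts of the firewall-easy output and .config quoted in the thread.
SAMPLE_OUTPUT = """\
-> Setting up firewall (firewall-iptables)

 STATUS:1
iptables -A ACCEPTLOG -m limit --limit 3/minute -j LOG
--log-prefix ACCEPT->
iptables: No chain/target/match by that name

 STATUS:1
iptables -A RST -p tcp -j REJECT --reject-with tcp-reset
iptables: No chain/target/match by that name

 STATUS:1
iptables -t mangle -A PREROUTING -j TOS --set-tos 0x10 -p tcp -d
0/0 --dport 1024:65535 -s 0/0 --sport www
iptables: No chain/target/match by that name

TESTING FIREWALL
"""
SAMPLE_CONFIG = """\
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_MANGLE=m
"""


def failing_commands(output):
    """(command, error) pairs from the STATUS blocks, re-joining wrapped command lines."""
    found, current = [], None
    for line in output.splitlines():
        text = line.strip()
        if text.startswith("STATUS:"):
            current = []
        elif text.startswith("iptables:") and current is not None:
            found.append((" ".join(current), text))
            current = None
        elif current is not None and text:
            current.append(text)
    return found


def parse_config(text):
    """Map CONFIG_* names to their values (y, m or a string) from .config lines."""
    return dict(re.findall(r"^(CONFIG_\w+)=(\S+)$", text, re.M))


def needs(cmd):
    """(table, chain, matches, targets) that an iptables command relies on."""
    argv = shlex.split(cmd)
    table, chain, matches, targets = "filter", None, [], []
    for flag, val in zip(argv, argv[1:]):
        if flag == "-t":
            table = val
        elif flag in ("-A", "-I"):
            chain = val
        elif flag == "-m":
            matches.append(val)
        elif flag == "-j":
            targets.append(val)
    return table, chain, matches, targets


def check_command(cmd, opts):
    """Status of each kernel feature the command needs: y, m (module), absent or unmapped."""
    def status(name):
        return "unmapped" if name is None else opts.get(name, "absent")
    table, chain, matches, targets = needs(cmd)
    return {
        "table": (table, TABLE_OPTS.get(table), status(TABLE_OPTS.get(table))),
        "chain": (chain, "builtin" if chain in BUILTIN_CHAINS.get(table, ()) else "user-defined"),
        "matches": [(m, MATCH_OPTS.get(m), status(MATCH_OPTS.get(m))) for m in matches],
        "targets": [(t, TARGET_OPTS.get(t), status(TARGET_OPTS.get(t))) for t in targets],
    }


def diagnose(output, config_text):
    """Run check_command over every rejected command in the output."""
    opts = parse_config(config_text)
    return [(cmd, check_command(cmd, opts)) for cmd, _error in failing_commands(output)]


def explain(cmd, rep):
    """Render one report as lines a human can act on."""
    out = [cmd, "  table %s: %s=%s" % rep["table"]]
    if rep["chain"][1] == "user-defined":
        out.append("  chain %s is user-defined: create it (iptables -N) before -A" % rep["chain"][0])
    for kind, items in (("match", rep["matches"]), ("target", rep["targets"])):
        out += ["  %s %s: %s=%s" % (kind, name, opt or "no known option", st) for name, opt, st in items]
    return out


if __name__ == "__main__":
    for cmd, rep in diagnose(SAMPLE_OUTPUT, SAMPLE_CONFIG):
        print("\n".join(explain(cmd, rep)), end="\n\n")
```

Running it on the excerpt shows three distinct things in the quoted failures: the filter-table rules append to chains (ACCEPTLOG, RST) that are not built in, the mangle table is a module (CONFIG_IP_NF_MANGLE=m), and the LOG, REJECT, TOS targets and the limit match have no line at all in the quoted excerpt. Which of these is the actual cause on the poster's box can only be settled with the full .config and the module list.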

Re: preserving sendmail configuration security hacks

2004-11-10 Thread Richard A Nelson
On Wed, 10 Nov 2004, Duncan Simpson wrote:

> I can put the Local_check_* rulesets in the LOCAL_RULESETS in
> sendmail.mc and manually delete the blank ones that make sendmail.cf
> generates, but this is suboptimal. Is there a way of writing the
> sendmail.mc file so the extra rules in the Local_check_* rulesets
> appear?

I do stuff like this all the time (in sendmail.mc, or include):
LOCAL_RULESETS
# Allow etrn,expn,vrfy from anyplace allowed to relay through us
SLocal_check_commands
...
# No pause for port 587(MSP) as authentication is required
SLocal_greet_pause
...

The last case does cause two occurrences of SLocal_greet_pause... but
unlike the Bat book V2 (still gotta get V3), sendmail doesn't complain
- and does the right thing.

I'd be happy to look over your setup if you'd like...  If you've got
anything that might be generally applicable, I'd love to merge it into
what I'm putting together... a set of hacks to increase security and
simplify things as much as possible.

-- 
Rick Nelson
"What you end up with, after running an operating system concept through
these many marketing coffee filters, is something not unlike plain hot
water."
(By Matt Welsh)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



preserving sendmail configuration security hacks

2004-11-10 Thread Duncan Simpson
One of my mail servers runs sendmail and some extra security features
are implemented in the Local_check_relay ruleset---in particular it only
allows a small list of IP addresses to connect.

There are also a few other Local_check_* rulesets which are non-standard
and do things like tweaking the relay restrictions and providing
additional resistance to third-party relaying.

I can put the Local_check_* rulesets in the LOCAL_RULESETS in
sendmail.mc and manually delete the blank ones that make sendmail.cf
generates, but this is suboptimal. Is there a way of writing the
sendmail.mc file so the extra rules in the Local_check_* rulesets
appear?

I read the m4 source and saw items for handling LOCAL_RULE_0 and
LOCAL_RULE_3 (both of which I use for some special effects) but nothing
similar appears where the blank Local_check_* rulesets are defined. I
have my doubts about the ability of postfix and exim to handle
everything required.

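An added check for both sendmail messages in this thread, written here rather than taken from either poster's setup or from sendmail itself: after make sendmail.cf has run, the script reads the generated file, records each ruleset definition (an S line at column 0) with the R rules that follow it, and reports rulesets that are defined twice (the second SLocal_greet_pause that Rick mentions) and custom Local_check_* rulesets that exist only as empty stubs, which is the state Duncan is cleaning up by hand. A run with an empty report is the quickest way to confirm that the rules from LOCAL_RULESETS actually reached the .cf. The .cf fragment is constructed for the example and its rule text is simplified.

```python
"""Check a generated sendmail.cf for custom Local_check_* rulesets.

Added example; not from either poster's configuration or from sendmail.
A ruleset definition is an 'S<name>' line at column 0; the 'R' lines that
follow it are its rules. The m4 macros emit empty Local_check_* stubs, and a
LOCAL_RULESETS block that defines the same name again yields two S lines.
"""
import re

RULESET_RE = re.compile(r"^S([A-Za-z_][A-Za-z0-9_]*)")

# Constructed sample: empty stubs first, then the LOCAL_RULESETS section from
# sendmail.mc redefining two of them. Rule text is simplified, not real policy.
SAMPLE_CF = """\
# generated sendmail.cf (constructed, trimmed)
SLocal_check_relay
SLocal_check_mail

SLocal_check_rcpt
SLocal_greet_pause
R$*\t\t$: $&{daemon_port}
R587\t\t$#0

# ---- LOCAL_RULESETS from sendmail.mc ----
SLocal_check_relay
R$*\t\t$: $&{client_addr}
R192.168.1.$*\t$@ OK
R$*\t\t$#error $@ 5.7.1 $: "550 not permitted"

SLocal_greet_pause
R$*\t\t$#0
"""


def parse_rulesets(cf_text):
    """{name: [(line_no, [rule, ...]), ...]} for every S definition, in file order."""
    defs, current = {}, None
    for lineno, line in enumerate(cf_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and comments carry no rules
        m = RULESET_RE.match(line)
        if m:
            current = []
            defs.setdefault(m.group(1), []).append((lineno, current))
        elif line.startswith("R") and current is not None:
            current.append(line)
    return defs


def duplicate_rulesets(defs):
    """Rulesets defined more than once -> line numbers of every definition."""
    return {n: [ln for ln, _ in occ] for n, occ in defs.items() if len(occ) > 1}


def empty_rulesets(defs):
    """Rulesets that never receive a single R rule in any definition."""
    return [n for n, occ in defs.items() if all(not rules for _, rules in occ)]


def missing_rulesets(defs, expected):
    """Expected custom rulesets that are absent from the .cf or only ever empty."""
    empty = set(empty_rulesets(defs))
    return [n for n in expected if n not in defs or n in empty]


def report(cf_text, expected):
    """Human-readable findings; an empty list means the .cf looks as intended."""
    defs = parse_rulesets(cf_text)
    lines = []
    for name, where in duplicate_rulesets(defs).items():
        lines.append("%s defined %d times (lines %s)"
                     % (name, len(where), ", ".join(map(str, where))))
    for name in missing_rulesets(defs, expected):
        lines.append("%s has no rules: the LOCAL_RULESETS version did not reach the .cf" % name)
    return lines


if __name__ == "__main__":
    wanted = ["Local_check_relay", "Local_check_mail", "Local_check_commands"]
    for line in report(SAMPLE_CF, wanted) or ["no duplicate or empty custom rulesets"]:
        print(line)
```

On the sample this flags Local_check_relay and Local_greet_pause as defined twice and Local_check_mail and Local_check_commands as lacking rules; pass the list of rulesets you actually customised as the second argument when running it against a real sendmail.cf.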