Re: init.d startup sequence for shorewall

2002-12-13 Thread Dale Amon
On Fri, Dec 13, 2002 at 05:47:19PM +0100, Javier Fernández-Sanguino Peña wrote:
> On Fri, Dec 13, 2002 at 05:17:09PM +0200, Pavel Minev Penev wrote:
> > /etc/network/interfaces
> > 
> > pre-up
> > 
>   I know you can do it there. Unfortunately, firewall packages in
> debian (even ones I have packaged) do not do this properly (yet).

That's why I always use the rc link building script to roll 
my own at a boot time(s) and place(s) of my choosing ;-)



Re: init.d startup sequence for shorewall

2002-12-13 Thread Javier Fernández-Sanguino Peña
On Fri, Dec 13, 2002 at 05:17:09PM +0200, Pavel Minev Penev wrote:
> /etc/network/interfaces
> 
>   pre-up
> 
I know you can do it there. Unfortunately, firewall packages in
debian (even ones I have packaged) do not do this properly (yet).

Regards

Javi





Re: init.d startup sequence for shorewall

2002-12-13 Thread Pavel Minev Penev
On Fri, Dec 13, 2002 at 09:25:02AM +0100, Javier Fernández-Sanguino Peña wrote:
> On Thu, Dec 12, 2002 at 04:18:17PM -0500, Raymond Wood wrote:
> > There have been several responses to Yogesh's question, but none
> > of them provide a clear and straightforward answer.  
> 
> Ok. Let me try again: this is a security risk. 
> 
> A gateway firewall _needs_ to be set up the following way:
> 
> 0.- set up a default DROP policy, flush all policies
> 1.- start up network interfaces (but w/o forwarding)
> 2.- set up proper firewall rules
> 3.- enable forwarding

/etc/network/interfaces

pre-up

-- 
Pav
 ,.,
   ,``:'',
That your internet traffic is  {o ! o}  My GPG/PGP key is now available at
vulnerable is NOT only a joke! ] -+- [  x-hkp://search.keyserver.net:11371.
\ ! /
 `-'

`shell$ gpg --keyserver x-hkp://search.keyserver.net:11371 --recv-key 164C028F`




Re: init.d startup sequence for shorewall

2002-12-13 Thread Phillip Hofmeister
On Thu, 12 Dec 2002 at 01:07:48PM -0800, Jeremy A. Puhlman wrote:
> Actually that seems to be a highly secure firewall...Firewalls with no power 
> cannot
> be compromised via the network:-)

Wake on Lan? :)

-- 
Phil

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #124: Big to little endian conversion error 



Re: init.d startup sequence for shorewall

2002-12-13 Thread Javier Fernández-Sanguino Peña
On Thu, Dec 12, 2002 at 04:18:17PM -0500, Raymond Wood wrote:
> There have been several responses to Yogesh's question, but none
> of them provide a clear and straightforward answer.  

Ok. Let me try again: this is a security risk. 

A gateway firewall _needs_ to be set up the following way:

0.- set up a default DROP policy, flush all policies
1.- start up network interfaces (but w/o forwarding)
2.- set up proper firewall rules
3.- enable forwarding

This makes sure that:

a.- the firewall cannot be attacked from the time the network is brought
up and the rules are set up (because of 0)

b.- the systems protected by the firewall cannot be attacked from the time
the network is brought up and forwarding is enabled (because 3 is done
_after_ 1 and _after_ 2)

Clear enough now?
Any firewall that does not start up this way is introducing a
security issue since the network (or the firewall) is _unprotected_ for
some time during startup (or when the firewall is restarted)

Of course: IMHO, YMMV...

Regards

Javi





Re: init.d startup sequence for shorewall

2002-12-13 Thread Javier Fernández-Sanguino Peña
On Thu, Dec 12, 2002 at 01:07:48PM -0800, Jeremy A. Puhlman wrote:
> 
> Actually that seems to be a highly secure firewall...Firewalls with no power 
> cannot
> be compromised via the network:-)

Neither can this one:

http://www.ranum.com/pubs/a1fwall/

:)

Javi




Re: init.d startup sequence for shorewall

2002-12-12 Thread Mitch Thompson




On Thu, 2002-12-12 at 15:07, Jeremy A. Puhlman wrote:

> - Original Message - 
> From: "Matt Zimmerman" <[EMAIL PROTECTED]>
> Sent: Thursday, December 12, 2002 12:55 PM
> Subject: Re: init.d startup sequence for shorewall
> 
> > On Wed, Dec 11, 2002 at 05:39:37PM -0800, Yogesh Sharma wrote:
> > 
> > > networking comes up at S35 in runlevel 0 so my internet is up and there
> > > is no firewall running so far.
> > 
> > runlevel 0 is system shutdown and halt.  The network is not brought up in
> > this runlevel. :-)
> 
> Actually that seems to be a highly secure firewall...Firewalls with no power cannot
> be compromised via the network:-)
> 
> Jeremy
> 
> > -- 
> >  - mdz

Well, check this article out from the Sysadmin (magazine) website:

http://www.samag.com/documents/s=1824/sam0201d/0201d.htm

It describes a method of using a system with a halted kernel as a firewall.



Mitch Thompson, San Antonio TX
Red Hat Certified Engineer (RHCE)
http://home.satx.rr.com/mlthompson
Key fingerprint = BBDA 3A2A 4483 BD0D 7CED B8A9 D183 C8F6 B0AF 66AE
wget -O - http://home.satx.rr.com/mlthompson/pubkey.gpg | gpg --import
--
America works less, when you say "Union Yes!"


Re: init.d startup sequence for shorewall

2002-12-12 Thread Daniel Swärd
> > > networking comes up at S35 in runlevel 0 so my internet is up and there
> > > is no firewall running so far.
> > 
> > runlevel 0 is system shutdown and halt.  The network is not brought up in
> > this runlevel. :-)
> > 
> 
> Actually that seems to be a highly secure firewall...Firewalls with no power 
> cannot
> be compromised via the network:-)

http://www.samag.com/documents/s=1824/sam0201d/0201d.htm

Halted firewalls?

/Daniel
 
-- 
File not found. Should I fake it (y/n)?



Re: init.d startup sequence for shorewall

2002-12-12 Thread Yogesh Sharma
On Thu, 2002-12-12 at 12:55, Matt Zimmerman wrote:
> On Wed, Dec 11, 2002 at 05:39:37PM -0800, Yogesh Sharma wrote:
> 
> > networking comes up at S35 in runlevel 0 so my internet is up and there
> > is no firewall running so far.
> 
> runlevel 0 is system shutdown and halt.  The network is not brought up in
> this runlevel. :-)
> 
Sorry, I typed the wrong runlevel; please read runlevel 1.
> -- 
>  - mdz
-- 
Yogesh Sharma <[EMAIL PROTECTED]>




Re: init.d startup sequence for shorewall

2002-12-12 Thread Raymond Wood
On Thu, Dec 12, 2002 at 03:55:56PM -0500, Matt Zimmerman remarked:

> On Wed, Dec 11, 2002 at 05:39:37PM -0800, Yogesh Sharma wrote:
> > networking comes up at S35 in runlevel 0 so my internet is
> > up and there is no firewall running so far.

> runlevel 0 is system shutdown and halt.  The network is not
> brought up in this runlevel. :-)
> -- 
>  - mdz

There have been several responses to Yogesh's question, but none
of them provide a clear and straightforward answer.  

Does anyone know why Shorewall leaves the system unprotected
between network startup and firewall startup, whether it is a
security risk, and if so what can be done about it besides crude
workarounds?

Cheers,
Raymond




Re: init.d startup sequence for shorewall

2002-12-12 Thread Jeremy A. Puhlman

- Original Message - 
From: "Matt Zimmerman" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, December 12, 2002 12:55 PM
Subject: Re: init.d startup sequence for shorewall


> On Wed, Dec 11, 2002 at 05:39:37PM -0800, Yogesh Sharma wrote:
> 
> > networking comes up at S35 in runlevel 0 so my internet is up and there
> > is no firewall running so far.
> 
> runlevel 0 is system shutdown and halt.  The network is not brought up in
> this runlevel. :-)
> 

Actually that seems to be a highly secure firewall...Firewalls with no power 
cannot
be compromised via the network:-)

Jeremy

> -- 
>  - mdz



Re: init.d startup sequence for shorewall

2002-12-12 Thread Matt Zimmerman
On Wed, Dec 11, 2002 at 05:39:37PM -0800, Yogesh Sharma wrote:

> networking comes up at S35 in runlevel 0 so my internet is up and there
> is no firewall running so far.

runlevel 0 is system shutdown and halt.  The network is not brought up in
this runlevel. :-)

-- 
 - mdz



Re: init.d startup sequence for shorewall

2002-12-11 Thread Yogesh Sharma
On Tue, 2002-12-10 at 22:05, Gene wrote:
> can you elaborate on your question, since you're using the box as a 
> firewall, this particular service should be up first to ensure that your 
> perimeter is in check..  also, if this is your gateway host, how else 
> would you get your internal network to go outside?
> 
> i really didn't understand your question, so if you could elaborate on 
> what you want to do or your concern, i would be happy to reply back.
> 
> take care,
> /gene

I am running following services on this box
firewall (shorewall)
ssh
mailserver (qmail and courier-imap)
webserver (apache)
dhcp
zope

I have http, ssh, imap and smtp ports open. eth0 internet, eth1 internal
hub (which allows 3 laptops to access internet). 

My concern/question is this:

networking comes up at S35 in runlevel 0 so my internet is up and there
is no firewall running so far. System will switch to runlevel 2 where it
will start other services and at S90 it will start the firewall. So
for this short time between S35networking and S90shorewall my system is
not protected at all. This is my concern, and my question is "isn't this a
security risk ?"

Thanks

Yogesh

-- 
Yogesh Sharma <[EMAIL PROTECTED]>




Re: init.d startup sequence for shorewall

2002-12-11 Thread Yogesh Sharma
On Tue, 2002-12-10 at 16:37, Kuba Jakubik wrote:
> Yogesh Sharma wrote:
> > In my opinion shorewall must be started as soon as network is up.
> can't you just mv S90shorewall S35shorewall ?
Yes, I can move this link but question is for security. In my opinion
this should be fixed in package installation script not at the user end.



Re: init.d startup sequence for shorewall

2002-12-10 Thread Javier Fernández-Sanguino Peña
On Tue, Dec 10, 2002 at 03:39:35PM -0800, Yogesh Sharma wrote:
> 
> In my opinion shorewall must be started as soon as network is up.
> 
> What does the list suggest ? Is this a security problem ?

Yes this is a security issue, if you take iptables, for example, it is run
in S10. Any firewalling script should run before (or at the same time) as
the network is brought up. 

Otherwise, you have a few moments in which you are forwarding packets (if
the networking script enables it) and you are not filtering them (unless
you have a default DROP policy before configuring the firewall)

Regards

Javi





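The ordering Javier spells out further up in the thread (default DROP policy and flush, interfaces up without forwarding, the real rules, then forwarding), the `pre-up` hook in /etc/network/interfaces that Pavel points at, and Javier's remark above that the filter has to be in place before, or together with, the network, all reduce to one small script. What follows is an added example, not code from the thread or from the shorewall package. It assumes iptables as the filter tool, forwarding toggled through /proc/sys/net/ipv4/ip_forward, and a hypothetical rule loader at /etc/firewall/rules.sh; all three can be overridden from the environment, and IPTABLES=echo gives a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example (not from the thread or the shorewall package): a
# "lock down first" helper for Debian ifupdown that follows the order
# discussed in the thread:
#   0. default DROP policy, flush everything    -> fw_lockdown, from pre-up
#   1. interface comes up, forwarding still off -> ifup itself
#   2. load the real rule set                   -> fw_open, from post-up
#   3. enable forwarding only if 2 succeeded    -> fw_open
# Assumptions (all overridable from the environment): iptables is the
# filter tool, forwarding is toggled via /proc/sys/net/ipv4/ip_forward,
# and the real rules live in a hypothetical /etc/firewall/rules.sh.
# Setting IPTABLES=echo gives a dry run that just prints the commands.

: "${IPTABLES:=iptables}"
: "${IP_FORWARD:=/proc/sys/net/ipv4/ip_forward}"
: "${RULES_LOADER:=/etc/firewall/rules.sh}"   # hypothetical path

# Step 0.  Run before the interface is configured: forwarding off, DROP
# policy on every built-in chain, then flush.  Policies go first so there
# is never an empty chain with an ACCEPT policy; the flush removes stale
# rules from a previous run.  Loopback is re-opened because local daemons
# (resolver, syslog) talk to 127.0.0.1 while the real rules are loading.
fw_lockdown() {
    echo 0 > "$IP_FORWARD" || return 1
    for chain in INPUT FORWARD OUTPUT; do
        "$IPTABLES" -P "$chain" DROP || return 1
    done
    "$IPTABLES" -F        || return 1
    "$IPTABLES" -X        || return 1
    "$IPTABLES" -t nat -F || return 1
    "$IPTABLES" -t nat -X || return 1
    "$IPTABLES" -A INPUT  -i lo -j ACCEPT || return 1
    "$IPTABLES" -A OUTPUT -o lo -j ACCEPT || return 1
}

# Steps 2 and 3.  Run once the interfaces are up.  Forwarding is enabled
# only after the loader has returned success; if it fails, the box stays
# in the locked-down state from step 0 rather than open.
fw_open() {
    if "$RULES_LOADER"; then
        echo 1 > "$IP_FORWARD"
    else
        echo "rule loader failed, forwarding stays disabled" >&2
        return 1
    fi
}

# Current forwarding flag, "0" or "1".
fw_forwarding() {
    cat "$IP_FORWARD"
}

case "${1:-}" in
    lockdown) fw_lockdown ;;
    open)     fw_open ;;
    status)   fw_forwarding ;;
esac
```

Wired into /etc/network/interfaces as `pre-up /etc/firewall/boot.sh lockdown` on the external interface's stanza and `post-up /etc/firewall/boot.sh open` on the last interface ifup brings up (or with step 3 left to the firewall's own init script; the path /etc/firewall/boot.sh is an assumed name for the file above), the window Javier describes has nothing to hit: between pre-up and post-up the host answers on loopback only, and a broken rule set leaves it closed rather than open. Because OUTPUT is DROP as well, anything ifup itself needs on the wire during that window, a DHCP client on the external interface for instance, needs its own ACCEPT rules added to fw_lockdown.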

Re: init.d startup sequence for shorewall

2002-12-10 Thread Kuba Jakubik

Yogesh Sharma wrote:

> Hello,
> 
> I am using shorewall as firewall for my system. It has got 2 ethernet
> cards one connected to internet and one for internal network.
> init.d/networking script is linked as S35networking and init.d/shorewall
> script is linked as S90shorewall.
> 
> In my opinion shorewall must be started as soon as network is up.

can't you just mv S90shorewall S35shorewall ?


--
-BEGIN GEEK CODE BLOCK-
Version: 3.12
GIT d--- s: a--- C UL P+ L+++ E--- W+ N o-- K++ w---
O M- V- PS++ PE Y PGP t 5 X R tv-- b+ DI+ D+
G++ e- h! r+ y+
--END GEEK CODE BLOCK--
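Whether a renamed link such as the `mv S90shorewall S35shorewall` suggested here really starts the firewall before `S35networking` can be checked rather than guessed. The following is an added example, not code from the thread: a POSIX sh check that compares two rcN.d start links in the order Debian's sysv rc actually runs them, which is plain sorted order of the `S*` names in `/etc/rc$runlevel.d`, so the two-digit number is compared first and, on a tie, the script name. That is why `S35shorewall` would still start after `S35networking`; `link_before` computes a name that sorts strictly earlier. The directory and link names in the dry run are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: check the start order of two rcN.d
# links the way Debian's sysv rc runs them.  /etc/init.d/rc iterates over
# /etc/rc$runlevel.d/S* in plain sorted order, so the two-digit number is
# compared first and, when it ties, the script name.  That is why a link
# renamed to S35shorewall still starts *after* S35networking.
# Directory and script names are parameters; the ones in the dry run at
# the end are constructed.

# Print the S-link for script "$2" in rc directory "$1"; fail if none.
rc_link_for() {
    rcdir=$1; script=$2
    for link in "$rcdir"/S[0-9][0-9]"$script"; do
        [ -e "$link" ] || [ -L "$link" ] || continue
        basename "$link"
        return 0
    done
    return 1
}

# Succeed if the firewall script "$2" starts before the networking script
# "$3" in rc directory "$1"; otherwise print a warning and fail.
fw_starts_first() {
    rcdir=$1; fw=$2; net=$3
    fwlink=$(rc_link_for "$rcdir" "$fw") ||
        { echo "$fw: not enabled in $rcdir" >&2; return 1; }
    netlink=$(rc_link_for "$rcdir" "$net") ||
        { echo "$net: not enabled in $rcdir" >&2; return 1; }
    # Whichever name sorts first is the one rc runs first.
    first=$(printf '%s\n%s\n' "$fwlink" "$netlink" | LC_ALL=C sort | head -n 1)
    if [ "$first" = "$fwlink" ]; then
        echo "ok: $fwlink starts before $netlink"
        return 0
    fi
    echo "WARNING: $netlink starts before $fwlink" >&2
    return 1
}

# Name of a link for script "$2" that sorts strictly before link "$1",
# e.g. S35networking -> S34shorewall.  Fails at S00 (nothing sorts earlier).
link_before() {
    after=$1; fw=$2
    seq=${after#S}; seq=${seq%%[!0-9]*}; seq=${seq#0}   # "35"
    seq=$((seq - 1))
    [ "$seq" -ge 0 ] || return 1
    printf 'S%02d%s\n' "$seq" "$fw"
}

# Dry run on a constructed rc directory, mirroring the thread's S35/S90 case.
if [ "${1:-}" = "demo" ]; then
    demo=$(mktemp -d)
    touch "$demo/S35networking" "$demo/S90shorewall"
    fw_starts_first "$demo" shorewall networking || true
    mv "$demo/S90shorewall" "$demo/$(link_before S35networking shorewall)"
    fw_starts_first "$demo" shorewall networking
    rm -rf "$demo"
fi
```

Run against a real runlevel directory as `fw_starts_first /etc/rc2.d shorewall networking` (check every runlevel you boot into, not just one), the check fails for the S35/S90 layout from the original question and for the S35/S35 rename alike; only a name that sorts before S35networking, such as S34shorewall, passes. Renaming links by hand is what Dale's message above describes doing with the rc link building script; whichever way the link is created, this check tells you whether the result is the order you intended.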


