Re: firewall advice

2002-12-16 Thread Lars Ellenberg
On Sun, Dec 15, 2002 at 07:15:25PM -0800, Torrin wrote:

  I'll also add connection tracking in my iptables script.  Is
 there anything I can do in my ipchains script?

did you ever look at the SuSEfirewall{,2} scripts by marc heuse?
GPL, will work with any distro, maybe small changes where to find the config
files etc.
v2 is for iptables, v1 for ipchains.
for a simple bash script quite cool. concept and all.
commented config file. good faq by togan somewhere in the suse faq on sf.net.

sorry, no url, but you'll find it for sure on the suse site and elsewhere.

Lars
-- 
no need to reinvent the wheel, though that is always enlightening fun :)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: firewall advice

2002-12-16 Thread Jeffrey Taylor
I am using the v1 scripts on Debian 3.0r0.  IIRC, I had to change one
directory in the INSTALL script.  SuSE puts the symlinks in
/etc/init.d/rcX.d and Debian puts them in /etc/rcX.d/.  Edit the
script before running it.  I like it because it works at the policy
level of Internet, DMZ, and internal zones, services, trusted
networks, etc.  Plus rules to block attacks the author is knowledgeable
about that few of us know about (e.g., ICMP).  And does not require X.
All other tools I tried were just GUI interfaces to add individual
rules to IPchains/IPtables.  The result is no better than my
knowledge.  The SuSEfirewall scripts are expert in a script.

The URL is http://www.suse.com/~marc/SuSE.html.

HTH,
  Jeffrey

Quoting Lars Ellenberg [EMAIL PROTECTED]:
 On Sun, Dec 15, 2002 at 07:15:25PM -0800, Torrin wrote:
 
   I'll also add connection tracking in my iptables script.  Is
  there anything I can do in my ipchains script?
 
 did you ever look at the SuSEfirewall{,2} scripts by marc heuse?
 GPL, will work with any distro, maybe small changes where to find the config
 files etc.
 v2 is for iptables, v1 for ipchains.
 for a simple bash script quite cool. concept and all.
 commented config file. good faq by togan somewhere in the suse faq on sf.net.
 
 sorry, no url, but you'll find it for sure on the suse site and elsewhere.
 
   Lars






Re: firewall advice

2002-12-16 Thread Rolf Kutz
* Quoting andrew lattis ([EMAIL PROTECTED]):

 
 #connections to lo
 $iptables -A OUTPUT -p ALL -o $lo_iface -s $lo_ip -j ACCEPT
 
 #allow the rest
 $iptables -A OUTPUT -p ALL -o $eth_iface -s $eth_ip -j ACCEPT
 
 #log the rest
 $iptables -A OUTPUT -m limit --limit $log_limit --limit-burst $log_limit_burst \
   -p tcp -j LOG --log-prefix "output tcp: "
 $iptables -A OUTPUT -m limit --limit $log_limit --limit-burst $log_limit_burst \
   -p udp -j LOG --log-prefix "output udp: "

You should not forget to log other protocols like
icmp, ... It's best to log any packet here.

- rk

-- 
Ahahahahaha! Ahahahaha! Aahahaha!
BEWARE!
Yrs sincerely
The Opera Ghost



Re: firewall advice

2002-12-16 Thread Vineet Kumar
* Torrin ([EMAIL PROTECTED]) [021215 19:21]:
 Nicolas Boullis wrote:
  * Torrin ([EMAIL PROTECTED]):
   iptables -A INPUT -i eth0 -j ACCEPT -p TCP -s 0.0.0.0/0 --source-port domain #53
   iptables -A INPUT -i eth0 -j ACCEPT -p UDP -s 0.0.0.0/0 --source-port domain #53
 Hey! I'm a nice port, let me in!. 
 
 Oops.
 
 You're right, I should probably change that to be the address of the DNS
 server.  I'll also add connection tracking in my iptables script.  Is
 there anything I can do in my ipchains script?

You don't need these rules at all, if you're allowing state
ESTABLISHED,RELATED packets.  The packets coming from your nameservers
(in response to your DNS requests) will be allowed via connection
tracking.  The above rules would be used in the case when you want to
allow incoming connections, which you probably don't need to accept
from your nameserver.

good times,
Vineet
-- 
http://www.doorstop.net/
-- 
Computer Science is no more about computers
than astronomy is about telescopes.  -- E.W. Dijkstra





firewall advice

2002-12-15 Thread Torrin
I changed the subject and started a new thread here.  Anyway . . .

Nicolas Boullis wrote:
 You should add the rule:

$IPTABLES -A INPUT -j ACCEPT -i eth0 -m state --state ESTABLISHED,RELATED

Thanks, those rules that I gave as an example are from my workstation, which
has a 2.4 kernel installed.  I will add this connection tracking
stuff on my workstation.  But my server has a 2.2 kernel installed,
and from the man page there doesn't seem to be connection tracking
in ipchains.  Correct?

 # Drop spoofed packets
 iptables -A INPUT -i eth0 -j DROP -s 192.168.1.3 -d 0.0.0.0/0

What about outgoing spoofed packets? They didn't get dropped in this
script at all. It's only a selfish half-hearted firewall if all it does
is to protect yourself against incoming nasties; there's always a
responsibility not to inflict dodgy packets on others, as much as possible.

OK, but how do you tell if a packet is spoofed going out?  I can tell
coming in by looking at the source address and the interface.

 iptables -A INPUT -i eth0 -j ACCEPT -p TCP -s 0.0.0.0/0 --source-port domain #53
 iptables -A INPUT -i eth0 -j ACCEPT -p UDP -s 0.0.0.0/0 --source-port domain #53
Hey! I'm a nice port, let me in!. 

Oops.

You're right, I should probably change that to be the address of the DNS
server.  I'll also add connection tracking in my iptables script.  Is
there anything I can do in my ipchains script?

-- 
http://www.torrin.net






Re: firewall advice

2002-12-15 Thread andrew lattis
On 2002/12/15 07:15:25PM -0800, Sun, Torrin wrote:
 I changed the subject and started a new thread here.  Anyway . . .
 
  # Drop spoofed packets
  iptables -A INPUT -i eth0 -j DROP -s 192.168.1.3 -d 0.0.0.0/0
 
 What about outgoing spoofed packets? They didn't get dropped in this
 script at all. It's only a selfish half-hearted firewall if all it does
 is to protect yourself against incoming nasties; there's always a
 responsibility not to inflict dodgy packets on others, as much as possible.
 
 OK, but how do you tell if a packet is spoofed going out?  I can tell
 coming in by looking at the source address and the interface.


#Packets leaving this server

#connections to lo
$iptables -A OUTPUT -p ALL -o $lo_iface -s $lo_ip -j ACCEPT

#allow the rest (only packets carrying this host's own address on eth)
$iptables -A OUTPUT -p ALL -o $eth_iface -s $eth_ip -j ACCEPT

#log the rest: anything not accepted above has a source address that is not
#ours; the OUTPUT chain policy must be DROP for it to be discarded after logging
$iptables -A OUTPUT -m limit --limit $log_limit --limit-burst $log_limit_burst \
  -p tcp -j LOG --log-prefix "output tcp: "
$iptables -A OUTPUT -m limit --limit $log_limit --limit-burst $log_limit_burst \
  -p udp -j LOG --log-prefix "output udp: "

I believe this should get it, not that I have gotten around to spoofing
anything to verify that it does drop it...




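The three points argued in this thread, as one runnable toy model: Vineet's (a rule keyed on source port 53 admits any packet whose sender picked that port, whereas matching on ESTABLISHED,RELATED admits only replies to queries this host sent), andrew's OUTPUT chain (a packet is "spoofed going out" when its source address is not one of the host's own, which answers Torrin's question), and Rolf's (LOG rules limited to tcp and udp never see an icmp packet). This is an added example, not code from the thread or from the SuSEfirewall scripts: the addresses, ports and rule order are constructed stand-ins, the connection tracker is a single table of outbound flows, and RELATED and TCP state transitions are left out.

```python
"""Toy model of how netfilter walks the INPUT and OUTPUT chains from this
thread.  Constructed example: addresses, ports and the conntrack model are
simplified stand-ins, not iptables itself or the SuSEfirewall scripts."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

OUR_IP = "192.168.1.3"       # host address from Torrin's anti-spoof rule
DNS_SERVER = "192.168.1.1"   # constructed: the resolver this host queries


@dataclass(frozen=True)
class Packet:
    iface: str        # -i (INPUT) or -o (OUTPUT)
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0    # 0 for icmp
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    target: str                   # ACCEPT, DROP, or LOG (LOG never ends evaluation)
    iface: Optional[str] = None   # -i / -o
    proto: Optional[str] = None   # -p; None means -p ALL
    src: Optional[str] = None     # -s (exact address; CIDR omitted for brevity)
    sport: Optional[int] = None   # --source-port
    state: Optional[str] = None   # -m state --state NEW / ESTABLISHED
    prefix: str = ""              # --log-prefix


class Conntrack:
    """Remembers flows that left through OUTPUT so a reply arriving on INPUT is
    classified ESTABLISHED.  RELATED and TCP state transitions are not modelled."""
    def __init__(self) -> None:
        self.flows = set()

    def record_outbound(self, p: Packet) -> None:
        self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))

    def state_of_inbound(self, p: Packet) -> str:
        # A reply carries the original tuple with the endpoints swapped.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "ESTABLISHED"
        return "NEW"


def matches(rule: Rule, pkt: Packet, state: str) -> bool:
    return (rule.iface in (None, pkt.iface) and rule.proto in (None, pkt.proto)
            and rule.src in (None, pkt.src) and rule.sport in (None, pkt.sport)
            and rule.state in (None, state))


def run_chain(rules: List[Rule], policy: str, pkt: Packet,
              state: str = "NEW", log: Optional[List[str]] = None) -> str:
    """First matching ACCEPT/DROP is the verdict; LOG matches are recorded and
    evaluation continues; a packet matching nothing gets the chain policy."""
    for r in rules:
        if not matches(r, pkt, state):
            continue
        if r.target == "LOG":
            if log is not None:
                log.append(f"{r.prefix}{pkt.proto} {pkt.src}->{pkt.dst}")
            continue
        return r.target
    return policy


# Torrin's original rules: anything with source port 53 is let in.
ORIGINAL_INPUT = [Rule("ACCEPT", iface="eth0", proto="tcp", sport=53),
                  Rule("ACCEPT", iface="eth0", proto="udp", sport=53)]
# Vineet's advice: accept only traffic the connection tracker already knows.
STATEFUL_INPUT = [Rule("ACCEPT", iface="eth0", state="ESTABLISHED")]


def input_verdicts() -> Tuple[str, str, str]:
    """(probe under original rules, probe under stateful rules, real DNS reply)."""
    ct = Conntrack()
    # Unsolicited connection attempt to our ssh port, sent from source port 53.
    probe = Packet("eth0", "tcp", "203.0.113.9", OUR_IP, sport=53, dport=22)
    hole = run_chain(ORIGINAL_INPUT, "DROP", probe)
    fixed = run_chain(STATEFUL_INPUT, "DROP", probe, ct.state_of_inbound(probe))
    # A genuine reply: we sent the query first, so conntrack knows the flow.
    ct.record_outbound(Packet("eth0", "udp", OUR_IP, DNS_SERVER, sport=40000, dport=53))
    reply = Packet("eth0", "udp", DNS_SERVER, OUR_IP, sport=53, dport=40000)
    legit = run_chain(STATEFUL_INPUT, "DROP", reply, ct.state_of_inbound(reply))
    return hole, fixed, legit


def output_rules(log_all: bool) -> List[Rule]:
    """andrew's OUTPUT chain: accept only packets carrying one of our own
    addresses.  log_all=True replaces the tcp/udp LOG pair with one -p ALL
    rule, as Rolf suggested."""
    rules = [Rule("ACCEPT", iface="lo", src="127.0.0.1"),
             Rule("ACCEPT", iface="eth0", src=OUR_IP)]
    if log_all:
        rules.append(Rule("LOG", prefix="output: "))
    else:
        rules += [Rule("LOG", proto="tcp", prefix="output tcp: "),
                  Rule("LOG", proto="udp", prefix="output udp: ")]
    return rules


def egress_check(log_all: bool = False) -> Tuple[List[str], List[str]]:
    """Verdicts for (normal, spoofed tcp, spoofed icmp) plus the log lines."""
    log: List[str] = []
    pkts = [Packet("eth0", "tcp", OUR_IP, "203.0.113.9", sport=40001, dport=80),
            Packet("eth0", "tcp", "10.9.9.9", "203.0.113.9", sport=40002, dport=80),
            Packet("eth0", "icmp", "10.9.9.9", "203.0.113.9")]
    # OUTPUT policy DROP: a packet no ACCEPT rule claims is discarded.
    verdicts = [run_chain(output_rules(log_all), "DROP", p, log=log) for p in pkts]
    return verdicts, log


if __name__ == "__main__":
    print(input_verdicts())             # ('ACCEPT', 'DROP', 'ACCEPT')
    print(egress_check(log_all=False))  # spoofed icmp is dropped but not logged
    print(egress_check(log_all=True))   # both spoofed packets are logged
```

Running it shows the probe from port 53 to port 22 accepted by the original rules and dropped by the stateful one, the genuine reply accepted only because the outbound query was seen first, and, in the OUTPUT chain, the spoofed icmp packet dropped by policy but invisible in the log until the LOG rule stops naming a protocol. The real-world equivalents are the `-m state --state ESTABLISHED,RELATED` rule quoted earlier and a final `-p ALL -j LOG` before the chain policy.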
