Re: Firewall Setup

2011-10-26 Thread Andrei Popescu
On Ma, 02 aug 11, 15:20:27, Paul Stuffins wrote:
> 
> I have decided to go with Shorewall as it seems that it is fairly simple to
> implement.
> 
> While that may be the case, I just want to check my setup before I enable it
> and lock myself out of the server.

Just for the archives: the default shorewall.conf has

ADMINISABSENTMINDED=Yes

which means it won't cut any *existing* (ssh) connections, even if the 
new rule(s) would not allow them.

This allows one to change the firewall and still fix things from the 
existing session. It doesn't help much if you have flaky internet 
and/or power though.

Hope this helps,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic




Re: Firewall Setup

2011-08-02 Thread Bob Proulx
Paul Stuffins wrote:
> My setup really only needs to allow access, from the internet to the server,
> on ports 80 and 443, for Apache, 6, for ssh and 3306, for MySQL along
> with access from the server to the Debian repos and 3306, I have a couple
> database servers that I manage from one central location hence needing
> access to and from the server on 3306.

Personally it would make me nervous to expose the mysql port to the
world.

> When I run "shorewall check" I get the following output:
> shorewall check
> Checking...
> Processing /etc/shorewall/shorewall.conf...
> ERROR: FOREWARD_CLEAR_MARK=Yes requires MARK Target in your kernel
> and iptables
> 
> What do I need to ask my provider to enable on the host node?

Tom Eastep the Shorewall author responded to a very similar question
with this response:

  http://www.mail-archive.com/shorewall-users@lists.sourceforge.net/msg10570.html

Bob




Re: Firewall Setup

2011-08-02 Thread mark
On Monday 01 August 2011 8:08:00 pm Scott Ferguson wrote:
>
> If you're not comfortable just using SSH to push across rulesets
> created using Guarddog (my choice), then you "might" consider using
> (the non-Debian) Webmin/Usermin/Virtualmin:-
> http://www.webmin.com/firewall.html
> http://prdownloads.sourceforge.net/webadmin/webmin_1.550_all.deb
>
I have used and really liked Guarddog, but it is not being maintained 
and it is throwing warnings about some rules being deprecated and 
will be ignored in the next release of iptables/netfilter.  I'm going 
to try other tools myself.

Mark


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/201108021757.34770.m...@neidorff.com



Re: Firewall Setup

2011-08-02 Thread Paul Stuffins
On Tue, Aug 2, 2011 at 2:37 PM, Camaleón wrote:

> On Mon, 01 Aug 2011 21:56:08 +0100, Paul Stuffins wrote:
>
> > I am trying to set iptables up, but am getting into a right mess editing
> > the rules direct in the init script.
> >
> > What are people's recommendations of a front end, either one that I can
> > run via an Apache VirtualHost, obviously on a secured and locked down
> > VirtualHost so that only I can access it, or via SSH.
>
> There is a good set of firewall/iptables front-ends at debian wiki:
>
> http://wiki.debian.org/Firewalls
>
> Greetings,
>
> --
> Camaleón
Hi Guys,

I have decided to go with Shorewall as it seems that it is fairly simple to
implement.

While that may be the case, I just want to check my setup before I enable it
and lock myself out of the server.

My setup really only needs to allow access, from the internet to the server,
on ports 80 and 443, for Apache, 6, for ssh and 3306, for MySQL along
with access from the server to the Debian repos and 3306, I have a couple
database servers that I manage from one central location hence needing
access to and from the server on 3306.

After following the walk through on http://wiki.debian.org/HowTo/shorewall,
my /etc/shorewall/policy is:
net all DROP
fw all ACCEPT
all all REJECT

ACCEPT net fw tcp 80,443, 3306,6
ACCEPT fw net tcp 3306
ACCEPT fw net:128.101.240.212 tcp 80

My /etc/shorewall/zones is:
fw firewall
net ipv4

My /etc/shorewall/interfaces is:
net venet0:0 detect dhcp,routefilter,tcpflags
(I run on an OpenVZ VPS, hence venet0:0 for my interface.)

and I have turned on IP_FORWARDING in /etc/shorewall/shorewall.conf

When I run "shorewall check" I get the following output:
shorewall check
Checking...
Processing /etc/shorewall/shorewall.conf...
ERROR: FOREWARD_CLEAR_MARK=Yes requires MARK Target in your kernel
and iptables

What do I need to ask my provider to enable on the host node?

Many thanks for your help
--Paul
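The rules file quoted above is the kind of thing worth linting before `shorewall start`, both for ports that the bare `net` zone (no host qualifier, so the whole internet) may reach, and for a port list that a stray space has split across two whitespace-separated columns. The following is an added example, not part of the original thread and not Shorewall's own tooling; it reads lines in the `/etc/shorewall/rules` column order (ACTION SOURCE DEST PROTO DEST_PORT(S) SOURCE_PORT(S)), and the sensitive-port list and sample rules are constructed for the example, modelled on the ones in this post. It generalises the single case in the thread to any port list and any `net:<host>`-qualified source.

```shell
#!/bin/sh
# Added example, not Shorewall's own tooling: a small lint for the
# /etc/shorewall/rules format (columns: ACTION SOURCE DEST PROTO DEST_PORT(S)
# SOURCE_PORT(S) ...). It reports every ACCEPT from the bare "net" zone into
# "fw" (no host qualifier, so open to the whole internet), flags ports that
# should only be reachable from a named management host, and catches a port
# list that a stray space has split across two columns.

# Constructed policy for the example: ports that warrant "net:<admin-ip>" as
# SOURCE rather than a bare "net".
SENSITIVE_PORTS="3306 5432 6379 27017"

# Constructed sample rules, modelled on the ones quoted in the thread.
SAMPLE_RULES='ACCEPT net fw tcp 80,443, 3306,6
ACCEPT fw net tcp 3306
ACCEPT fw net:128.101.240.212 tcp 80
ACCEPT net:203.0.113.5 fw tcp 3306'

# lint_rules: reads rules lines on stdin, prints one finding per line.
lint_rules() {
    awk -v sensitive="$SENSITIVE_PORTS" '
    BEGIN {
        n = split(sensitive, s, " ")
        for (i = 1; i <= n; i++) sens[s[i]] = 1
    }
    /^[ \t]*$/ || /^#/ || /^SECTION/ { next }   # blanks, comments, section markers
    {
        action = $1; src = $2; dst = $3; proto = $4; dport = $5; sport = $6
        # A DEST_PORT column ending in "," means the list continued into the
        # next column: "80,443, 3306" parses as two fields, not one list.
        if (dport ~ /,$/) {
            printf "MALFORMED line %d: port list \"%s %s\" is split across columns\n", NR, dport, sport
            dport = dport sport       # rejoin so the exposure check still sees every port
        }
        # only unrestricted net -> fw accepts are of interest here
        if (action != "ACCEPT" || src != "net" || dst != "fw") next
        m = split(dport, ports, ",")
        for (i = 1; i <= m; i++) {
            p = ports[i]
            if (p == "") continue
            if (p in sens)
                printf "EXPOSED line %d: %s/%s is open to the whole net zone; use net:<admin-ip> as SOURCE\n", NR, proto, p
            else
                printf "OPEN line %d: %s/%s accepted from net\n", NR, proto, p
        }
    }'
}

# Run the lint over the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_RULES" | lint_rules
```

Run it against a real file with `lint_rules < /etc/shorewall/rules`. A `net:<host>` source is deliberately skipped: that is the form the lint asks for when it reports a sensitive port, and it is exactly what the thread's `net:128.101.240.212` rule already does in the other direction.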


Re: Firewall Setup

2011-08-02 Thread Camaleón
On Mon, 01 Aug 2011 21:56:08 +0100, Paul Stuffins wrote:

> I am trying to set iptables up, but am getting into a right mess editing
> the rules direct in the init script.
> 
> What are people's recommendations of a front end, either one that I can
> run via an Apache VirtualHost, obviously on a secured and locked down
> VirtualHost so that only I can access it, or via SSH.

There is a good set of firewall/iptables front-ends at debian wiki:

http://wiki.debian.org/Firewalls

Greetings,

-- 
Camaleón




Re: Firewall Setup

2011-08-02 Thread Jerome BENOIT

quid firehole ?

On 02/08/11 09:04, Jude DaShiell wrote:
> Why not check out arnos-iptables-firewall?
>
> On Tue, 2 Aug 2011, Alan Chandler wrote:
>
> > On 01/08/11 21:56, Paul Stuffins wrote:
> > > Hi Guys,
> > >
> > > I am trying to set iptables up, but am getting into a right mess editing
> > > the rules direct in the init script.
> > >
> > > What are people's recommendations of a front end, either one that I can
> > > run via an Apache VirtualHost, obviously on a secured and locked down
> > > VirtualHost so that only I can access it, or via SSH.
> > >
> > > --Paul
> >
> > I am not sure I understand exactly what you mean, but this is my set of
> > firewall rules which I reference in /etc/network/interfaces/pre-up. They are
> > stored in file /etc/firewall
> >
> > Unlike the other replies I hand crafted these from scratch quite a few years
> > ago now and they seem to have stood me in good stead.  Although some of the
> > destination changing rules refer to programs I haven't used for at least 5
> > years (GPL refers to Grand Prix Legends - a car racing sim)
> >
> > The only other rules are generated by fail2ban dynamically locking out smtp
> > attempts to send me junk.
> >
> > #!/bin/sh
> > #
> > #
> >
> > INETIF=$1
> >
> > KANGA="192.168.0.12"
> > POOH="192.168.0.11"
> >
> >
> > test -x /sbin/iptables || exit 0
> >
> > #set -e
> > echo "Setting up firewall on interface $INETIF"
> > #
> > #   Start up ensuring that the tables are all empty
> > #   (ignoring any errors because there is nothing there yet)
> > #
> > iptables -F
> > iptables -t nat -F
> > iptables -t mangle -F
> > iptables -X
> >
> > #
> > #   This is for established communications coming in from the internet just
> > #   so that I can get an idea what sort of packets they are.
> > #
> > iptables -N i-estab
> > iptables -A i-estab -p tcp --sport www -j ACCEPT
> > iptables -A i-estab -p tcp --sport imap -j ACCEPT
> > iptables -A i-estab -p tcp --sport imaps -j ACCEPT
> > iptables -A i-estab -p tcp --sport nntp -j ACCEPT
> > iptables -A i-estab -p tcp --sport domain -j ACCEPT
> > iptables -A i-estab -p tcp --dport ssh -j ACCEPT
> > iptables -A i-estab -p tcp --sport ftp -j ACCEPT
> > iptables -A i-estab -p tcp --sport ftp-data -j ACCEPT
> > iptables -A i-estab -p tcp --sport 9418 -j ACCEPT
> >
> > #   Accept everything not so far accepted
> > iptables -A i-estab -j ACCEPT
> > #
> > #   Route packets going out from here onto a new table so that we can do
> > #   things with them (logging etc)
> > #
> > iptables -N to-inet
> > #
> > #   Just want to count a few things
> > #
> > iptables -A to-inet -p tcp --dport www -j ACCEPT
> > iptables -A to-inet -p tcp --dport imap -j ACCEPT
> > iptables -A to-inet -p udp --dport domain -j ACCEPT
> > iptables -A to-inet -p tcp --dport nntp -j ACCEPT
> > iptables -A to-inet -p udp --dport 67:68 -j ACCEPT
> > iptables -A to-inet -p tcp --dport iax -j ACCEPT
> > iptables -A to-inet -p udp --dport iax -j ACCEPT
> > #
> > #   Note ICMP packets I am sending out
> > #
> > iptables -A to-inet -p icmp --icmp-type destination-unreachable -j ACCEPT
> > iptables -A to-inet -p icmp --icmp-type source-quench -j ACCEPT
> > iptables -A to-inet -p icmp --icmp-type time-exceeded -j ACCEPT
> > iptables -A to-inet -p icmp --icmp-type parameter-problem -j ACCEPT
> > iptables -A to-inet -p icmp --icmp-type echo-request -j ACCEPT
> > iptables -A to-inet -p icmp --icmp-type echo-reply -j ACCEPT
> > #
> > #   Prevent any netbios stuff leaking out from here
> > #
> > iptables -A to-inet -p tcp --dport netbios-ns:netbios-ssn -j LOG
> > iptables -A to-inet -p tcp --dport netbios-ns:netbios-ssn -j DROP
> > iptables -A to-inet -p udp --dport netbios-ns:netbios-ssn -j LOG
> > iptables -A to-inet -p udp --dport netbios-ns:netbios-ssn -j DROP
> > #
> > #
> > #   Accept every thing else
> > #
> > iptables -A to-inet -j ACCEPT
> > #
> > #   Now make the connection to the table
> > #
> > iptables -A OUTPUT -o $INETIF -j to-inet
> > #
> > #   Common internet Stuff
> > #
> > iptables -N from-inet
> > #
> > #   Stuff already established is allowed but jump to chain to count things
> > #
> > iptables -A from-inet -m state --state ESTABLISHED,RELATED -j i-estab
> > #
> > #   Deal with ICMP packets
> > #
> > iptables -A from-inet -p icmp --icmp-type destination-unreachable -j ACCEPT
> > iptables -A from-inet -p icmp --icmp-type source-quench -j ACCEPT
> > iptables -A from-inet -p icmp --icmp-type time-exceeded -j ACCEPT
> > iptables -A from-inet -p icmp --icmp-type parameter-problem -j ACCEPT
> > iptables -A from-inet -p icmp --icmp-type echo-request -j ACCEPT
> > #   Already accepted by related
> > iptables -A from-inet -p icmp --icmp-type echo-reply -j ACCEPT
> > #
> > #   ftp-data started by mine  (already accepted in related)
> > #
> > iptables -A from-inet -m state --state NEW -p tcp --dport ftp-data -j ACCEPT
> > #
> > #   Socks probes should be dropped so that IRC does not think we are
> > #   screwing them
> > #
> > iptables -A from-inet -p tcp --dport socks -j DROP
> > #
> > #   Drop these before logging them (just collecting them to see what
> > #   they are)
> > #
> > iptables -A from-inet -p tcp --dport 1635 -j DROP
> > iptables -A from-inet -p tcp --dport 1370 -j DROP
> > #
> > #   DHCP messages - I need to drop server requests
> > #
> > iptables -A from-inet -p u

Re: Firewall Setup

2011-08-02 Thread Jude DaShiell
Why not check out arnos-iptables-firewall?

On Tue, 2 Aug 2011, Alan Chandler wrote:

> On 01/08/11 21:56, Paul Stuffins wrote:
> > Hi Guys,
> >
> > I am trying to set iptables up, but am getting into a right mess editing
> > the rules direct in the init script.
> >
> > What are people's recommendations of a front end, either one that I can
> > run via an Apache VirtualHost, obviously on a secured and locked down
> > VirtualHost so that only I can access it, or via SSH.
> >
> > --Paul
> 
> 
> I am not sure I understand exactly what you mean, but this is my set of
> firewall rules which I reference in /etc/network/interfaces/pre-up. They are
> stored in file /etc/firewall
> 
> Unlike the other replies I hand crafted these from scratch quite a few years
> ago now and they seem to have stood me in good stead.  Although some of the
> destination changing rules refer to programs I haven't used for at least 5
> years (GPL refers to Grand Prix Legends - a car racing sim)
> 
> The only other rules are generated by fail2ban dynamically locking out smtp
> attempts to send me junk.
> 
> #!/bin/sh
> #
> #
> 
> INETIF=$1
> 
> KANGA="192.168.0.12"
> POOH="192.168.0.11"
> 
> 
> test -x /sbin/iptables || exit 0
> 
> #set -e
> echo "Setting up firewall on interface $INETIF"
> #
> #   Start up ensuring that the tables are all empty
> #   (ignoring any errors because there is nothing there yet)
> #
> iptables -F
> iptables -t nat -F
> iptables -t mangle -F
> iptables -X
> 
> #
> #   This is for established communications coming in from the internet just
> #   so that I can get an idea what sort of packets they are.
> #
> iptables -N i-estab
> iptables -A i-estab -p tcp --sport www -j ACCEPT
> iptables -A i-estab -p tcp --sport imap -j ACCEPT
> iptables -A i-estab -p tcp --sport imaps -j ACCEPT
> iptables -A i-estab -p tcp --sport nntp -j ACCEPT
> iptables -A i-estab -p tcp --sport domain -j ACCEPT
> iptables -A i-estab -p tcp --dport ssh -j ACCEPT
> iptables -A i-estab -p tcp --sport ftp -j ACCEPT
> iptables -A i-estab -p tcp --sport ftp-data -j ACCEPT
> iptables -A i-estab -p tcp --sport 9418 -j ACCEPT
> 
> #   Accept everything not so far accepted
> iptables -A i-estab -j ACCEPT
> #
> #   Route packets going out from here onto a new table so that we can do
> #   things with them (logging etc)
> #
> iptables -N to-inet
> #
> #   Just want to count a few things
> #
> iptables -A to-inet -p tcp --dport www -j ACCEPT
> iptables -A to-inet -p tcp --dport imap -j ACCEPT
> iptables -A to-inet -p udp --dport domain -j ACCEPT
> iptables -A to-inet -p tcp --dport nntp -j ACCEPT
> iptables -A to-inet -p udp --dport 67:68 -j ACCEPT
> iptables -A to-inet -p tcp --dport iax -j ACCEPT
> iptables -A to-inet -p udp --dport iax -j ACCEPT
> #
> #Note ICMP packets I am sending out
> #
> iptables -A to-inet -p icmp --icmp-type destination-unreachable -j ACCEPT
> iptables -A to-inet -p icmp --icmp-type source-quench -j ACCEPT
> iptables -A to-inet -p icmp --icmp-type time-exceeded -j ACCEPT
> iptables -A to-inet -p icmp --icmp-type parameter-problem -j ACCEPT
> iptables -A to-inet -p icmp --icmp-type echo-request -j ACCEPT
> iptables -A to-inet -p icmp --icmp-type echo-reply -j ACCEPT
> #
> #   Prevent any netbios stuff leaking out from here
> #
> iptables -A to-inet -p tcp --dport netbios-ns:netbios-ssn -j LOG
> iptables -A to-inet -p tcp --dport netbios-ns:netbios-ssn -j DROP
> iptables -A to-inet -p udp --dport netbios-ns:netbios-ssn -j LOG
> iptables -A to-inet -p udp --dport netbios-ns:netbios-ssn -j DROP
> #
> #
> #   Accept every thing else
> #
> iptables -A to-inet -j ACCEPT
> #
> #   Now make the connection to the table
> #
> iptables -A OUTPUT -o $INETIF -j to-inet
> #
> #   Common internet Stuff
> #
> iptables -N from-inet
> #
> #   Stuff already established is allowed but jump to chain to count things
> #
> iptables -A from-inet -m state --state ESTABLISHED,RELATED -j i-estab
> #
> #Deal with ICMP packets
> #
> iptables -A from-inet -p icmp --icmp-type destination-unreachable -j ACCEPT
> iptables -A from-inet -p icmp --icmp-type source-quench -j ACCEPT
> iptables -A from-inet -p icmp --icmp-type time-exceeded -j ACCEPT
> iptables -A from-inet -p icmp --icmp-type parameter-problem -j ACCEPT
> iptables -A from-inet -p icmp --icmp-type echo-request -j ACCEPT
> #   Already accepted by related
> iptables -A from-inet -p icmp --icmp-type echo-reply -j ACCEPT
> #
> #   ftp-data started by mine  (already accepted in related)
> #
> iptables -A from-inet -m state --state NEW -p tcp --dport ftp-data -j ACCEPT
> #
> #   Socks probes should be dropped so that IRC does not think we are
> #   screwing them
> #
> iptables -A from-inet -p tcp --dport socks -j DROP
> #
> #   Drop these before logging them (just collecting them to see what
> #   they are)
> #
> ipt

Re: Firewall Setup

2011-08-01 Thread Alan Chandler

On 01/08/11 21:56, Paul Stuffins wrote:
> Hi Guys,
>
> I am trying to set iptables up, but am getting into a right mess editing
> the rules direct in the init script.
>
> What are people's recommendations of a front end, either one that I can
> run via an Apache VirtualHost, obviously on a secured and locked down
> VirtualHost so that only I can access it, or via SSH.
>
> --Paul



I am not sure I understand exactly what you mean, but this is my set of 
firewall rules which I reference in /etc/network/interfaces/pre-up. 
They are stored in file /etc/firewall


Unlike the other replies I hand crafted these from scratch quite a few 
years ago now and they seem to have stood me in good stead.  Although 
some of the destination changing rules refer to programs I haven't used 
for at least 5 years (GPL refers to Grand Prix Legends - a car racing sim)


The only other rules are generated by fail2ban dynamically locking out 
smtp attempts to send me junk.


#!/bin/sh
#
#

INETIF=$1

KANGA="192.168.0.12"
POOH="192.168.0.11"


test -x /sbin/iptables || exit 0

#set -e
echo "Setting up firewall on interface $INETIF"
#
#   Start up ensuring that the tables are all empty
#   (ignoring any errors because there is nothing there yet)
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

#
#   This is for established communications coming in from the internet just
#   so that I can get an idea what sort of packets they are.
#
iptables -N i-estab
iptables -A i-estab -p tcp --sport www -j ACCEPT
iptables -A i-estab -p tcp --sport imap -j ACCEPT
iptables -A i-estab -p tcp --sport imaps -j ACCEPT
iptables -A i-estab -p tcp --sport nntp -j ACCEPT
iptables -A i-estab -p tcp --sport domain -j ACCEPT
iptables -A i-estab -p tcp --dport ssh -j ACCEPT
iptables -A i-estab -p tcp --sport ftp -j ACCEPT
iptables -A i-estab -p tcp --sport ftp-data -j ACCEPT
iptables -A i-estab -p tcp --sport 9418 -j ACCEPT

#   Accept everything not so far accepted
iptables -A i-estab -j ACCEPT
#
#   Route packets going out from here onto a new table so that we can do
#   things with them (logging etc)
#
iptables -N to-inet
#
#   Just want to count a few things
#
iptables -A to-inet -p tcp --dport www -j ACCEPT
iptables -A to-inet -p tcp --dport imap -j ACCEPT
iptables -A to-inet -p udp --dport domain -j ACCEPT
iptables -A to-inet -p tcp --dport nntp -j ACCEPT
iptables -A to-inet -p udp --dport 67:68 -j ACCEPT
iptables -A to-inet -p tcp --dport iax -j ACCEPT
iptables -A to-inet -p udp --dport iax -j ACCEPT
#
#Note ICMP packets I am sending out
#
iptables -A to-inet -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A to-inet -p icmp --icmp-type source-quench -j ACCEPT
iptables -A to-inet -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A to-inet -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A to-inet -p icmp --icmp-type echo-request -j ACCEPT
iptables -A to-inet -p icmp --icmp-type echo-reply -j ACCEPT
#
#   Prevent any netbios stuff leaking out from here
#
iptables -A to-inet -p tcp --dport netbios-ns:netbios-ssn -j LOG
iptables -A to-inet -p tcp --dport netbios-ns:netbios-ssn -j DROP
iptables -A to-inet -p udp --dport netbios-ns:netbios-ssn -j LOG
iptables -A to-inet -p udp --dport netbios-ns:netbios-ssn -j DROP
#
#
#   Accept every thing else
#
iptables -A to-inet -j ACCEPT
#
#   Now make the connection to the table
#
iptables -A OUTPUT -o $INETIF -j to-inet
#
#   Common internet Stuff
#
iptables -N from-inet
#
#   Stuff already established is allowed but jump to chain to count things
#
iptables -A from-inet -m state --state ESTABLISHED,RELATED -j i-estab
#
#Deal with ICMP packets
#
iptables -A from-inet -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A from-inet -p icmp --icmp-type source-quench -j ACCEPT
iptables -A from-inet -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A from-inet -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A from-inet -p icmp --icmp-type echo-request -j ACCEPT
#   Already accepted by related
iptables -A from-inet -p icmp --icmp-type echo-reply -j ACCEPT
#
#   ftp-data started by mine  (already accepted in related)
#
iptables -A from-inet -m state --state NEW -p tcp --dport ftp-data -j ACCEPT
#
#   Socks probes should be dropped so that IRC does not think we are
#   screwing them
#
iptables -A from-inet -p tcp --dport socks -j DROP
#
#   Drop these before logging them (just collecting them to see what
#   they are)
#
iptables -A from-inet -p tcp --dport 1635 -j DROP
iptables -A from-inet -p tcp --dport 1370 -j DROP
#
#   DHCP messages - I need to drop server requests
#
iptables -A from-inet -p udp --dport 67 -j DROP
#
#   log and drop the rest (except 192.168 stuff which we silently lose)
#
iptables -A from-inet -s 192.168.0.0/16 -j DROP
#   iptables -A from-in

Re: Firewall Setup

2011-08-01 Thread Bob Proulx
Csanyi Pal wrote:
> Paul Stuffins writes:
> > What are people's recommendations of a front end, either one that I can
> > run via an Apache VirtualHost, obviously on a secured and locked down
> > VirtualHost so that only I can access it, or via SSH. 
> 
> I'm using shorewall to setup my firewall.

+1.  I am also using shorewall and recommend it.

Bob




Re: Firewall Setup

2011-08-01 Thread Csanyi Pal
Paul Stuffins writes:

> What are people's recommendations of a front end, either one that I can
> run via an Apache VirtualHost, obviously on a secured and locked down
> VirtualHost so that only I can access it, or via SSH. 

I'm using shorewall to setup my firewall.

-- 
Regards, Pal





Re: Firewall Setup

2011-08-01 Thread Scott Ferguson

On 02/08/11 06:56, Paul Stuffins wrote:
> Hi Guys,
>
> I am trying to set iptables up, but am getting into a right mess editing
> the rules direct in the init script.
>
> What are people's recommendations of a front end, either one that I can
> run via an Apache VirtualHost, obviously on a secured and locked down
> VirtualHost so that only I can access it, or via SSH.
>
> --Paul


If you're not comfortable just using SSH to push across rulesets created 
using Guarddog (my choice), then you "might" consider using (the 
non-Debian) Webmin/Usermin/Virtualmin:-

http://www.webmin.com/firewall.html
http://prdownloads.sourceforge.net/webadmin/webmin_1.550_all.deb

If you do, consider installing Webmin just after the basic build, before 
your server package selections as it pulls in a few non-debian, but 
debianized, packages.


Cheers


--
“You know all that money we spend on the military ever year - trillions 
of dollars? Instead, if we use this money to feed and clothe the poor of 
this world, which it would do many times over, then we can explore 
space, inner and outer, together, as one race.”

~ Bill Hicks




Re: Firewall Setup

2011-08-01 Thread Glenn English
On Aug 1, 2011, at 2:56 PM, Paul Stuffins wrote:

> I am trying to set iptables up, but am getting into a right mess editing the 
> rules direct in the init script.
> 
> What are people's recommendations of a front end, either one that I can run 
> via an Apache VirtualHost, obviously on a secured and locked down VirtualHost 
> so that only I can access it, or via SSH.


What I did was a lot of work up front, but a lot less out back...

I wrote a huge shell script that creates the whole thing. 

INPUT:

> root@server:/etc/ipfilterfiles# pfil status INPUT
> 
>    Running on host: server.slsware.dmz
> 
>    --- FILTER table ---
> 
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> num   pkts bytes target     prot opt in     out     source          destination
> 1    35662 9574K ACCEPT     all  --  lo     *       127.0.0.1       0.0.0.0/0
> 2      112  9916 ACCEPT     all  --  lo     *       192.168.2.218   0.0.0.0/0
> 3      135  6216 REJECT     tcp  --  *      *       0.0.0.0/0       0.0.0.0/0     state INVALID reject-with icmp-port-unreachable
> 4    9458K  502M IDS_BLK    all  --  *      *       0.0.0.0/0       0.0.0.0/0
> 5    9458K  502M TMP_BLK    all  --  *      *       0.0.0.0/0       0.0.0.0/0
> 6    9407K  500M ACCEPT     all  --  *      *       0.0.0.0/0       0.0.0.0/0     state RELATED,ESTABLISHED
> 7        0     0 ACCEPT     all  -f  *      *       0.0.0.0/0       0.0.0.0/0
> 8        0     0 DROP       tcp  --  *      *       0.0.0.0/0       0.0.0.0/0     tcp flags:!0x17/0x02
> 9       87  7308 ACCEPT     all  --  tun+   *       0.0.0.0/0       192.168.0.204
> 10   50590 2850K NUISANCES  all  --  *      *       0.0.0.0/0       0.0.0.0/0
> 11   50590 2850K SPOOFQ     all  --  *      *       0.0.0.0/0       0.0.0.0/0
> 12   12874  834K UDPIN      udp  --  *      *       0.0.0.0/0       0.0.0.0/0
> 13   30513 1813K TCPIN      tcp  --  *      *       0.0.0.0/0       0.0.0.0/0
> 14    7203  202K ICMP_CHK   icmp --  *      *       0.0.0.0/0       0.0.0.0/0
> 15       0     0 IGMP_CHK   2    --  *      *       0.0.0.0/0       0.0.0.0/0
> 16       7   360 REJECT     all  --  *      *       0.0.0.0/0       0.0.0.0/0     reject-with icmp-port-unreachable
> 17       0     0            all  --  *      *       0.0.0.0/0       0.0.0.0/0     /* Loaded Sun Jun 19 07:07:21 MDT 2011 */
> 


for example, does a little filtering to get rid of IDS and MS noise and spoofs 
and stuff, then splits on TCP/UDP/ICMP/etc. to locally created chains. In these 
chains, the packets are processed by port number -- traffic to port 24 has 
another chain full of spammers I've seen in the last month or so, and so forth.

The main program has some utilities in it to modify the chains. ssh is a good 
tool for getting to it.

You only have to do it once...

-- 
Glenn English
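Glenn's INPUT chain above, Alan's hand-written /etc/firewall script further up, and Paul's worry about locking himself out of the server all come together in one small script. What follows is an added example, not Alan's script, not Glenn's generator and not Shorewall code: `gen_ruleset` emits an iptables-restore ruleset that splits INPUT by protocol into per-protocol chains the way Glenn describes, with the MySQL port reachable only from one management host rather than from the whole internet, and `apply_with_rollback` loads it behind a timer that restores the previous rules unless a fresh session confirms them, a hand-rolled stand-in for the ADMINISABSENTMINDED behaviour Andrei mentions. The address, port list, chain names and pid-file path are constructed for the example.

```shell
#!/bin/sh
# Added example, not Alan's /etc/firewall and not Glenn's generator:
# (1) gen_ruleset emits an iptables-restore ruleset that splits INPUT by
#     protocol into TCPIN/UDPIN/ICMPIN chains, with the database port open
#     only to one management host;
# (2) apply_with_rollback loads it with a safety timer, so a bad rule undoes
#     itself instead of locking the admin out (a hand-rolled stand-in for
#     Shorewall's ADMINISABSENTMINDED).
# Addresses, ports and the pid-file path are constructed for the example.

ADMIN_HOST="198.51.100.10"                 # constructed: the only host allowed on 3306
PUBLIC_TCP="22 80 443"                     # constructed: services open to everyone
ROLLBACK_PID_FILE="/run/fw-rollback.pid"   # constructed path

# gen_ruleset: print a complete *filter table in iptables-restore syntax.
gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCPIN - [0:0]
:UDPIN - [0:0]
:ICMPIN - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -j TCPIN
-A INPUT -p udp -j UDPIN
-A INPUT -p icmp -j ICMPIN
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
-A TCPIN -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
EOF
    # anything not matched in a per-protocol chain returns to INPUT, gets
    # logged (rate-limited) and falls to the DROP policy
    for p in $PUBLIC_TCP; do
        echo "-A TCPIN -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # MySQL: one management host, never the whole internet
    echo "-A TCPIN -p tcp -s $ADMIN_HOST --dport 3306 -m conntrack --ctstate NEW -j ACCEPT"
    echo "-A UDPIN -p udp --dport 68 -j ACCEPT"      # DHCP client replies
    echo "-A ICMPIN -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT"
    echo "-A ICMPIN -p icmp --icmp-type destination-unreachable -j ACCEPT"
    echo "-A ICMPIN -p icmp --icmp-type time-exceeded -j ACCEPT"
    echo "-A ICMPIN -p icmp --icmp-type parameter-problem -j ACCEPT"
    echo "COMMIT"
}

# apply_with_rollback [SECONDS]: snapshot the live rules, arm a timer that
# restores the snapshot, then load the new ruleset. Run confirm_ruleset from
# a fresh ssh session to keep the new rules; if that session never arrives,
# the timer puts the old rules back.
apply_with_rollback() {
    secs="${1:-120}"
    snapshot="$(mktemp)" || return 1
    iptables-save > "$snapshot" || return 1
    ( sleep "$secs" && iptables-restore < "$snapshot" ) &
    echo "$!" > "$ROLLBACK_PID_FILE"
    echo "rollback to $snapshot armed for ${secs}s (pid $(cat "$ROLLBACK_PID_FILE"))"
    gen_ruleset | iptables-restore
}

# confirm_ruleset: disarm the timer once a new session has proven the rules work.
confirm_ruleset() {
    [ -r "$ROLLBACK_PID_FILE" ] || return 1
    kill "$(cat "$ROLLBACK_PID_FILE")" 2>/dev/null
    rm -f "$ROLLBACK_PID_FILE"
}

# Print the generated ruleset when run directly; review it before applying,
# e.g.  sh fw.sh > /tmp/rules.v4 && iptables-restore --test /tmp/rules.v4
gen_ruleset
```

The order inside TCPIN matters: the `! --syn` drop of NEW connections comes before any ACCEPT, and the 3306 rule carries a `-s` so no later rule can widen it. Killing the timer's subshell stops the restore; the orphaned `sleep` just expires harmlessly.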




Firewall Setup

2011-08-01 Thread Paul Stuffins
Hi Guys,

I am trying to set iptables up, but am getting into a right mess editing the
rules direct in the init script.

What are people's recommendations of a front end, either one that I can run
via an Apache VirtualHost, obviously on a secured and locked down
VirtualHost so that only I can access it, or via SSH.

--Paul


Re: firewall setup xdsl: eth0/eth1/ppp0?

2003-11-06 Thread Andreas Bohnert
Doug MacFarlane wrote:

> On Wed, 05 Nov 2003 01:15:18 -0900, Ken Irving wrote:
>
>> On Wed, Nov 05, 2003 at 09:52:42AM +0100, Andreas Bohnert wrote:
>>
>>> Hi,
>>> I don't know how to setup my firewall for my new xdsl connection. I
>>> saw some posting concerning adsl, so maybe there are some
>>> people, who know how to handle this.
>>
>> I'm not sure what you're talking about, with xdsl and lokal, but I'd
>> recommend the shorewall firewall.
>
> I, too, can strongly endorse shorewall.

Yes, I will have a look at shorewall. It is mentioned many times.

> Fundamentally, your internal interface is eth0 and external is ppp0, which
> I assume is a pppoe interface, and not pptp like you said.  The pppoe
> protocol does NOT use the ethernet interface's IP address for
> communications.

It is pptp. pppoe is very common but in Austria we use mostly pptp.
I have to set up the ppp daemon and connect with pptp 'router-ip'.
But maybe with pptp the ethernet interface's IP address will also not be
used..

> Most implementations don't even require it to be
> configured with one.  The only way anyone is going to be able to route
> traffic to eth1 with a 10. address on it is if they source-route it all
> the way AND your, their, and all the ISP's in between, have configured
> their routers poorly.
>
> So, setup shorewall with eth0 as the internal, lan, or local interface,
> and ppp0 as the external or internet interface.
>
> If you are really paranoid, setup eth1 as a dmz interface, and don't
> accept anything into or out of the dmz.
>
> madmac

Thanks, I will try that!
andreas






Re: firewall setup xdsl: eth0/eth1/ppp0?

2003-11-05 Thread Doug MacFarlane
On Wed, 05 Nov 2003 01:15:18 -0900, Ken Irving wrote:

> On Wed, Nov 05, 2003 at 09:52:42AM +0100, Andreas Bohnert wrote:
>> Hi,
>>I don't know how to setup my firewall for my new xdsl connection. I 
>> saw some posting concerning adsl, so maybe there are some 
>> people, who know how to handle this.
> 
> I'm not sure what you're talking about, with xdsl and lokal, but I'd
> recommend the shorewall firewall.

I, too, can strongly endorse shorewall.

Fundamentally, your internal interface is eth0 and external is ppp0, which
I assume is a pppoe interface, and not pptp like you said.  The pppoe
protocol does NOT use the ethernet interface's IP address for
communications.  Most implementations don't even require it to be
configured with one.  The only way anyone is going to be able to route
traffic to eth1 with a 10. address on it is if they source-route it all
the way AND your, their, and all the ISP's in between, have configured
their routers poorly.

So, setup shorewall with eth0 as the internal, lan, or local interface,
and ppp0 as the external or internet interface.

If you are really paranoid, setup eth1 as a dmz interface, and don't
accept anything into or out of the dmz.

madmac 





Re: firewall setup xdsl: eth0/eth1/ppp0?

2003-11-05 Thread Ken Irving
On Wed, Nov 05, 2003 at 09:52:42AM +0100, Andreas Bohnert wrote:
> Hi,
>I don't know how to setup my firewall for my new xdsl connection. I 
> saw some posting concerning adsl, so maybe there are some 
> people, who know how to handle this.

I'm not sure what you're talking about, with xdsl and lokal, but I'd
recommend the shorewall firewall.  It takes a bit of configuration, but
pretty minimal, and straightforward if you follow the docs and examples.
I've used it for a dsl connection with pppoe on interface eth0, internal
network on eth1.  The woody/stable package is not exactly current, but
very workable and the docs and examples are available for it.  I'm sure
unstable is at the latest version, so might be preferable especially
if you feel the need to request help (most questions on the shorewall
list are answered by the developer, often to implore folks to read
and follow the docs).

Maybe this is off the mark for your situation, I don't know.  Good luck!

Ken

> 
>here is my situation:
> 
>eth0 is connected to my private network (192.168.0.1).
>my eth1 gets a lokal IP from my xdsl router (subnet 10.x.x.x).
>then I have to build up a tunnel connection with my router with pptp.
>now I have ppp0, which is my xdsl interface.
>   
>this works fine, but now I have to setup my firewall!
>   
>I know ppp0 is my external interface now, but what about eth1 (which 
> is connected to my router)?
>I looked around and some people say, they setup the firewall like this:
>eth0 (private)   = FW_DEV_INT
>eth1 (connect to router) = FW_DEV_INT !!
>ppp0 (xdsl)  = FW_DEV_EXT
>   
>but somehow I think, eth1 should be FW_DEV_EXT as well, because it's 
> physically connected to the internet.
>also, what about the firewall between ppp0 and eth1 - it shouldn't 
> block communication.
>   
>so, what do you think, if I configure eth1 as external?
> 
>thanks for any advice!
> 
> andreas

-- 
Ken Irving, Research Analyst, [EMAIL PROTECTED], 907-474-6152
Water and Environmental Research Center
Institute of Northern Engineering
University of Alaska, Fairbanks
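Ken recommends Shorewall without showing what its configuration looks like for the layout Andreas describes, and madmac's earlier suggestion was to keep eth1 as a dmz interface that nothing is accepted into or out of. The following is an added example, not code from either poster or from the Shorewall project: a small script that writes the four Shorewall files for that layout (eth0 = private LAN, eth1 = DHCP link to the xDSL router, ppp0 = PPTP tunnel carrying the real Internet connection) into a directory of your choice so they can be reviewed before being copied to /etc/shorewall. It assumes the classic Shorewall 4.x file formats, and the zone names and the ssh rule are assumptions. The one hole in the "nothing to or from the dmz" policy is fw -> dmz, without which the firewall cannot reach the router to bring the PPTP tunnel up at all.

```shell
#!/bin/sh
# Added example, not from the original posts: a minimal Shorewall configuration
# for the layout in this thread (eth0 = private LAN, eth1 = DHCP link to the
# xDSL router, ppp0 = PPTP tunnel carrying the real Internet connection).
# Assumes the classic Shorewall 4.x file formats; zone names are assumptions.
set -eu

# write_shorewall_config DIR: writes zones, interfaces, policy and rules into
# DIR so they can be reviewed before being copied to /etc/shorewall.
write_shorewall_config() {
    dir=$1
    mkdir -p "$dir"

    # Zones: the firewall itself, the Internet, the LAN, and the router
    # segment on eth1 kept apart as a DMZ-style zone.
    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
EOF

    # ppp0 is the external interface. eth1 only reaches the router, so it gets
    # its own zone instead of being lumped in with the LAN; "dhcp" lets the
    # firewall obtain its 10.x address from the router through the policy.
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0        -           tcpflags,nosmurfs
loc     eth0        detect      tcpflags,nosmurfs
dmz     eth1        detect      dhcp,tcpflags,nosmurfs
EOF

    # Policy: LAN and firewall may reach the Internet; the firewall may talk to
    # the router (needed to bring up the PPTP tunnel); nothing is accepted from
    # the Internet or from the router segment; the rest is rejected and logged.
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
fw      net     ACCEPT
fw      dmz     ACCEPT
net     all     DROP    info
dmz     all     DROP    info
all     all     REJECT  info
EOF

    # Rules: the only exception to the policies is ssh from the LAN to the firewall.
    cat > "$dir/rules" <<'EOF'
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT  loc     fw      tcp     22
EOF
}

# zone_of_interface DIR IFACE: prints the zone assigned to IFACE.
zone_of_interface() {
    awk -v ifc="$2" '$1 !~ /^#/ && $2 == ifc { print $1 }' "$1/interfaces"
}

# policy_for DIR SRC DST: prints the policy applied to traffic SRC -> DST.
policy_for() {
    awk -v s="$2" -v d="$3" '$1 !~ /^#/ && $1 == s && $2 == d { print $3 }' "$1/policy"
}

# Usage: sh shorewall-layout.sh /tmp/shorewall-review
if [ $# -gt 0 ]; then
    write_shorewall_config "$1"
    echo "ppp0 is in zone $(zone_of_interface "$1" ppp0); net -> all policy is $(policy_for "$1" net all)"
fi
```

Review the generated files with `shorewall check` (pointing CONFIG_PATH at the review directory or after copying them into /etc/shorewall) before running `shorewall start`; the net/dmz DROP policies are logged at `info`, so a forgotten flow such as DNS from the firewall to the router shows up in the kernel log rather than silently failing.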





firewall setup xdsl: eth0/eth1/ppp0?

2003-11-05 Thread Andreas Bohnert
Hi,
   I don't know how to setup my firewall for my new xdsl connection. I 
saw some postings concerning adsl, so maybe there are some 
people, who know how to handle this.

   here is my situation:

   eth0 is connected to my private network (192.168.0.1).
   my eth1 gets a lokal IP from my xdsl router (subnet 10.x.x.x).
   then I have to build up a tunnel connection with my router with pptp.
   now I have ppp0, which is my xdsl interface.
  
   this works fine, but now I have to setup my firewall!
  
   I know ppp0 is my external interface now, but what about eth1 (which 
is connected to my router)?
   I looked around and some people say, they setup the firewall like this:
   eth0 (private)   = FW_DEV_INT
   eth1 (connect to router) = FW_DEV_INT !!
   ppp0 (xdsl)  = FW_DEV_EXT
  
   but somehow I think, eth1 should be FW_DEV_EXT as well, because it's 
physically connected to the internet.
   also, what about the firewall between ppp0 and eth1 - it shouldn't 
block communication.
  
   so, what do you think, if I configure eth1 as external?

   thanks for any advice!

andreas






Re: linux odd firewall setup help.

2002-10-18 Thread HdV
On Thu, 17 Oct 2002, Sheldon Lee-Wen wrote:

> What do I need to do to set this same thing up on linux? I've looked at proxy
> arp bridging, but I'm not sure if this is what I need, or if it will work.

Hi,

I solved a similar problem on our network by using the SNAT and DNAT
facilities available in iptables (on a multiple-homed system running
as a firewall). I learned about it when reading a nice tutorial on
iptables I found at

http://iptables-tutorial.haringstad.com/iptables-tutorial.html

It has some examples on how to achieve this.

HTH,

-- 
HdV
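HdV's answer names SNAT and DNAT but does not show the rules. The script below is an added example, not code from the post or from the tutorial it links: a two-interface iptables firewall that exposes one internal host on the firewall's public address with DNAT and lets the LAN out with a fixed public address via SNAT, with a default-deny FORWARD chain so that only those two flows pass. The interface names, the documentation-range public address 203.0.113.10, the LAN range and the web host are assumptions; set `IPT="echo iptables"` to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original post): DNAT/SNAT on a two-interface
# iptables firewall. Interface names, addresses and the forwarded port are
# assumptions chosen for the example.
set -eu

EXT_IF=${EXT_IF:-eth0}               # interface facing the Internet
INT_IF=${INT_IF:-eth1}               # interface facing the LAN
EXT_ADDR=${EXT_ADDR:-203.0.113.10}   # public address (documentation range)
LAN_NET=${LAN_NET:-192.168.1.0/24}   # private network behind the firewall
WEB_HOST=${WEB_HOST:-192.168.1.20}   # internal server to expose on port 80

# With IPT="echo iptables" the rules are printed instead of applied, so the
# rule set can be reviewed before it touches the kernel.
IPT=${IPT:-iptables}

nat_rules() {
    # Outbound: rewrite LAN sources to the fixed public address (SNAT).
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j SNAT --to-source "$EXT_ADDR"
    # Inbound: port 80 on the public address is rewritten to the internal host (DNAT).
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_ADDR" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_HOST:80"
}

filter_rules() {
    # Default deny for forwarded traffic; only the two NAT flows are allowed.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT
    # DNAT runs before filtering, so FORWARD sees the rewritten destination.
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$WEB_HOST" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT
}

# apply_all: installs (or, in echo mode, prints) the complete rule set.
apply_all() {
    nat_rules
    filter_rules
}

# Usage: IPT="echo iptables" sh nat-example.sh   (review)
#        sh nat-example.sh                        (apply, needs root and
#                                                  net.ipv4.ip_forward=1)
if [ "${1:-}" = "--apply" ] || [ "$IPT" != iptables ]; then
    apply_all
fi
```

The FORWARD DROP policy is the part that matters for security: DNAT alone only changes addresses, and with the kernel default of ACCEPT on FORWARD, anything routed through the box would pass. Only port 80 to the chosen host is let through here, and replies come back through the ESTABLISHED,RELATED rule.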







Firewall setup

2000-05-24 Thread Jay Kelly
Hello Debians,
I am trying to set up a Debian firewall using ipchains, but I need some help
in setting up the PCI Ethernet cards. One is a Linksys and the other a
Kingston. Both should work under the Tulip driver but I don't know how to add
the second eth1 card. The system detects the first and not the second. Where
would I add the eth1?



is my firewall setup good?

1999-09-16 Thread Jean-Yves BARBIER
Hi all,

As I'm not a network specialist, I'd like your advice about
my firewall setup.

CONFIG: station, 2.2.10, (192.168.1.2)
server, 2.2.10, (192.168.1.1), 2 ethernet cards, 
LAN in 192.168.1.0, WEB (cable-modem) in DHCP lease ADDR
ipmasq,
(no IP-in-IP, nor encapsulation, ...)

As there are some jerks, especially in France, who already tried
to access my server, I don't want anybody to do that. But I'd like
to access anywhere from the station and the server.

Any constructive criticisms will be welcomed.

JY
# Firewall Setup

#   1999-13-09 - Ver. 1.31   #
#   DATA GENERAL   #

IF_LAN=eth1
IF_WEB=eth0
IF_LAN_ADDR=192.168.1.1/32
LAN_ADDR=192.168.1.0/30 
# Recover the DHCP leased ADDR from ifconfig
IF_WEB_ADDR=`/sbin/ipofif $IF_WEB`

#   POLICIES &/| TESTS   #

# Flush all
ipchains -F input
ipchains -F output
ipchains -F forward

# TEST ONLY
#ipchains -F LAN-WEB
#ipchains -F WEB-LAN
#ipchains -F ICMP-FLT
#ipchains -F IFinWEB
#ipchains -F IFoutWEB
#ipchains -F IFinLAN
#ipchains -F IFoutLAN

## ATTENTION: If policies = DENY => DON'T WORK <=> ACCEPT (?)
## Every docs says DENY but it don't work!
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward ACCEPT

#   SECURE LAN & WEB DURING SETUP   #

# ipchains stops at the first matching rule, so these three block everything
# but loopback until they are removed (ipchains -D) once the chains below are in place
ipchains -A input   -i ! lo -j DENY
ipchains -A output  -i ! lo -j DENY
ipchains -A forward -j DENY

#   ICMPs FILTER   #

## NO ENDING DENY: Only under-chains returning to caller

# ICMPs chain
ipchains -N ICMP-FLT

# Let valid ICMPs passing through
ipchains -A ICMP-FLT -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A ICMP-FLT -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A ICMP-FLT -p icmp --icmp-type parameter-problem -j ACCEPT
ipchains -A ICMP-FLT -p icmp --icmp-type source-quench -j ACCEPT
ipchains -A ICMP-FLT -p icmp --icmp-type pong -j ACCEPT

# log bad ICMPs demands
ipchains -A ICMP-FLT -p icmp --icmp-type address-mask-request -j DENY -l
ipchains -A ICMP-FLT -p icmp --icmp-type router-solicitation -j DENY -l
ipchains -A ICMP-FLT -p icmp --icmp-type redirect -j DENY -l
ipchains -A ICMP-FLT -p icmp --icmp-type timestamp-request -j DENY -l

#   INPUT   #

# INPUT chains & jumps
ipchains -N IFinLAN
ipchains -A input -i $IF_LAN -j IFinLAN
ipchains -N IFinWEB
ipchains -A input -i $IF_WEB -j IFinWEB
# Local Ok (-i takes an interface name, not an address)
ipchains -A input -i lo -j ACCEPT

# I/F LAN --- INPUT
ipchains -A IFinLAN -i $IF_LAN -s ! $LAN_ADDR -d 0/0 -j DENY -l
ipchains -A IFinLAN -i $IF_LAN -s 0/0 -d 0/0 -j ACCEPT
ipchains -A IFinLAN -i $IF_LAN -s 0/0 -d 0/0 -j DENY -l

# I/F WEB --- INPUT
ipchains -A IFinWEB -i $IF_WEB -s 0/0 -d ! $IF_WEB_ADDR/32 -j DENY  # if ADDR <> DHCP-WEB, DENY
# Private and loopback sources must never arrive on the WEB side: DENY & log
# Classe C (192.168.0.0 - 192.168.255.255)
ipchains -A IFinWEB -i $IF_WEB -s 192.168.0.0/255.255.0.0 -d $IF_WEB_ADDR/32 -j DENY -l
# local IF (127.0.0.0 - 127.255.255.255)
ipchains -A IFinWEB -i $IF_WEB -s 127.0.0.0/255.0.0.0 -d $IF_WEB_ADDR/32 -j DENY -l
# Classe B (172.16.0.0 - 172.31.255.255)
ipchains -A IFinWEB -i $IF_WEB -s 172.16.0.0/255.240.0.0 -d $IF_WEB_ADDR/32 -j DENY -l
# Classe A (10.0.0.0 - 10.255.255.255)
ipchains -A IFinWEB -i $IF_WEB -s 10.0.0.0/255.0.0.0 -d $IF_WEB_ADDR/32 -j DENY -l

# AUTHORISATIONS
# TCP: unprivileged ports, leaving out the X11 range 6000-6010
ipchains -A IFinWEB -i $IF_WEB -s 0/0 -d $IF_WEB_ADDR/32 -p tcp --dport 1024:5999 -j ACCEPT    # TCP
ipchains -A IFinWEB -i $IF_WEB -s 0/0 -d $IF_WEB_ADDR/32 -p tcp --dport 6011:65535 -j ACCEPT   # TCP
# UDP: same split as TCP so that 6000-6010 stays closed
ipchains -A IFinWEB -i $IF_WEB -s 0/0 -d $IF_WEB_ADDR/32 -p udp --dport 1024:5999 -j ACCEPT    # UDP
ipchains -A IFinWEB -i $IF_WEB -s 0/0 -d $IF_WEB_ADDR/32 -p udp --dport 6011:65535 -j ACCEPT   # UDP
ipchains -A IFinWEB -i $IF_WEB -s 0/0 -d $IF_WEB_ADDR/32 -p icmp -j ICMP-FLT
## ?? Netscape seems to need this port to be opened (w/88?)
ipchains -A IFinWEB -i $IF_WEB -s 0/0 -d $IF_WEB_ADDR/32 -p tcp --dport 113 -j ACCEPT   # TCP
# log the rest
ipchains -A IFinWEB -i $IF_WEB -s 0/0 -d 0/0 -j DENY -l

#   OUTPUT   #

# OUTPUT chains & jumps
ipchains -N IFoutLAN
ipchains -A output -i $IF_LAN -j IFoutLAN
ipchains -N IFoutWEB
ipchains -A output -i $IF_WEB -j IFoutWEB
# Local Ok (-i takes an interface name, not an address)
ipchains -A output -i lo -j ACCEPT

# I/F LAN --- OUTPUT
ipchains -A IFoutLAN -i $IF_LAN -s 0/0 -d ! $LAN_ADDR -j DENY -l
# if ADDR <> LAN, DENY & log
ipchains -A IFoutLAN -i $IF_LAN -s 0/0 -d 0/0 -j ACCEPT

# I/F WEB --- OUTPUT
ipchains -A IFoutWEB -i $IF_WEB -s 0/0 -d 0/0 -p tcp --dport 1:1023 -j ACCEPT
ipchains -A IFoutWEB -i $IF_WEB -s 0/0 -d 0/0 -p udp --dport 1:1023 -j ACCEPT
ipchains -A IFoutWEB -i $IF_WEB -s 0/0 -d 0/0 -p icmp -j ACCEPT
ipchains -A IFoutWEB -i $IF_WEB -j DENY -l

#   FORWARDING LAN <-> WEB   #