Re: Proper place for IPCHAINS rules
To help you a little I have two scripts I use at boot: /etc/init.d/ipchains and /etc/init.d/sysctl
Don't ask me why they are not in base, they should be! Or at least scripts that are similar ;-)
They are both security sensitive!

To enable them at boot I have done:

root# cd /etc/rcS.d
root# ln -s ../init.d/ipchains S39ipchains
root# ln -s ../init.d/sysctl S39sysctl

You should start ipchains as soon as you have your IP ;-)

!!! After the scripts there is more info and examples of the .conf files !!!

Here are the scripts:

---> begin ipchains <
#! /bin/sh
# Script to setup ipchains
#
# Written by Onno Ebbinge <[EMAIL PROTECTED]>
# Version 1.1 (08-Jul-1999)
#
# Run this script before the network is launched.
#
# DHCP users must run this script as soon as they have their IP number.
# They will be vulnerable during this time but in most cases this will
# be a fraction of a second.

# If no ipchains, do nothing.
[ -f /sbin/ipchains ] || exit 0

case "$1" in
  start)
    echo -n "Setting up ipchains... "
    # Default policy first: everything is denied until the rules are loaded.
    /sbin/ipchains -P input DENY
    /sbin/ipchains -P forward DENY
    /sbin/ipchains -P output DENY
    /sbin/ipchains -F
    /sbin/ipchains -X
    if [ -e /etc/ipchains.conf ]; then
      /sbin/ipchains-restore < /etc/ipchains.conf > /dev/null
      echo "done."
    else
      echo "FAILED!"
      echo "WARNING: Setting up ipchains with only the loopback interface enabled!"
      /sbin/ipchains -A input -i lo -j ACCEPT
      /sbin/ipchains -A output -i lo -j ACCEPT
    fi
    ;;
  stop)
    echo -n "Turning off ipchains, except loopback interface... "
    /sbin/ipchains -P input DENY
    /sbin/ipchains -P forward DENY
    /sbin/ipchains -P output DENY
    /sbin/ipchains -F
    /sbin/ipchains -X
    /sbin/ipchains -A input -i lo -j ACCEPT
    /sbin/ipchains -A output -i lo -j ACCEPT
    echo "done."
    echo "BEWARE: Only the loopback interface is enabled!"
    ;;
  *)
    echo "Usage: /etc/init.d/ipchains {start|stop}"
    exit 1
    ;;
esac

exit 0
---> end ipchains <

---> begin sysctl <
#! /bin/sh
# Script to setup various kernel parameters with sysctl
#
# Written by Onno Ebbinge <[EMAIL PROTECTED]>
# Version 1.0 (04-Jul-1999)
#
# Because there are kernel parameters that influence system and network
# security you should run this script before the network is launched.

# If no sysctl, do nothing.
[ -f /sbin/sysctl ] || exit 0

case "$1" in
  start)
    echo -n "Setting up various kernel parameters... "
    # Kernel parameter settings can be put in /etc/sysctl.conf
    # without the leading /proc/sys/ part.
    # BEWARE: the version of sysctl that I use doesn't
    # allow a newline at the end of the config file.
    if [ -e /etc/sysctl.conf ]; then
      /sbin/sysctl -p /etc/sysctl.conf > /dev/null
      echo "done."
    else
      echo "FAILED!"
      echo "WARNING: Some kernel security options could be disabled!"
    fi

    # Any kernel parameter initialization that is similar
    # in nature to the setup of IP spoof protection below
    # should be done in a similar fashion as the IP spoof
    # protection below.
    echo -n "Setting up IP spoofing protection... "
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
      # Enable reverse-path filtering on every interface, including "all" and "default".
      for d in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $d
      done
      echo "done."
    else
      echo "FAILED!"
      echo "WARNING: You do NOT have IP spoofing protection!"
      echo "WARNING: This can be a SERIOUS security threat!"
    fi
    ;;
  stop)
    echo -n "Turning 'off' various kernel parameters... "
    # Turning 'off' kernel parameters sound a bit silly but
    # there are circumstances that you would 'reset' some
    # parameters.
    /sbin/sysctl -w net/ipv4/ip_forward=0 > /dev/null
    /sbin/sysctl -w net/ipv4/ip_local_port_range="1024 4999" > /dev/null
    echo "done."
    ;;
  *)
    echo "Usage: /etc/init.d/sysctl {start|stop}"
    exit 1
    ;;
esac

exit 0
---> end sysctl <

To save our ipchains in the right conf file use:

root# ipchains-save > /etc/ipchains.
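Added example, not one of Onno's scripts: a check that reports any interface whose reverse-path filter is still off, i.e. the condition the "IP spoofing protection" loop above is meant to repair. The optional ROOT argument is an assumption that lets the check run against a constructed tree instead of the live /proc.

```shell
#!/bin/sh
# Added example (not from the thread). Lists interfaces under
# ROOT/proc/sys/net/ipv4/conf whose rp_filter is not 1. ROOT is an
# assumption: empty means the real /proc, anything else a test tree.

# rp_filter_off ROOT: print "<iface> rp_filter=<value>" for every interface
# directory whose rp_filter is not 1. Returns 0 when all are protected,
# 1 when at least one is not, 2 when the kernel exposes no rp_filter at all.
rp_filter_off() {
    conf="${1:-}/proc/sys/net/ipv4/conf"
    [ -e "$conf/all/rp_filter" ] || return 2
    status=0
    for f in "$conf"/*/rp_filter; do
        iface=${f%/rp_filter}
        iface=${iface##*/}
        val=$(cat "$f" 2>/dev/null || true)
        if [ "$val" != "1" ]; then
            echo "$iface rp_filter=${val:-unset}"
            status=1
        fi
    done
    return $status
}

# Constructed demonstration tree: every interface protected except ppp0.
demo=$(mktemp -d)
for i in all default lo eth0 ppp0; do
    mkdir -p "$demo/proc/sys/net/ipv4/conf/$i"
    echo 1 > "$demo/proc/sys/net/ipv4/conf/$i/rp_filter"
done
echo 0 > "$demo/proc/sys/net/ipv4/conf/ppp0/rp_filter"

if rp_filter_off "$demo"; then
    echo "all interfaces have rp_filter=1"
else
    echo "WARNING: spoof protection is incomplete on the interfaces listed above"
fi
rm -rf "$demo"
```

Run it with no argument on a real box to audit the live kernel; the ppp0 case shows why the loop covers every interface directory rather than only "all".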
Re: Proper place for IPCHAINS rules
> Thanks,
> Just out of curiosity, when in the boot process are the
> scripts in /etc/rc.boot executed?
>
> Bryan

I don't remember, but I believe /usr/doc/sysvinit/README.runlevels.gz, which is quite short, answers this.

> > On 16-Nov-99 Phil Brutsche wrote:
> > A long time ago, in a galaxy far, far away, someone said...
> >
> >> I would like to setup IPChains on my machine. I can't seem to find
> >> any file under /etc/init.d/ for ipchains (networking only handles
> >> spoof protection). Where do you folks start your ipchains or ipfwadm
> >> rules?
> >
> > I put a script called 'firewall' in /etc/rc.boot that sets up my
> > firewalling.
> >
> > --
> > Phil Brutsche [EMAIL PROTECTED]
> >
> > "There are two things that are infinite; Human stupidity and the
> > universe. And I'm not sure about the universe." - Albert Einstein
>
> --
> Unsubscribe? mail -s unsubscribe [EMAIL PROTECTED] < /dev/null
Re: Proper place for IPCHAINS rules
Thanks to all who replied. I think that for now, I will do something like what is suggested below, except to run it AFTER the networking is up, since the scripts depend on me knowing my IP address, which I get through DHCP (so networking has to be up). Shouldn't leave me vulnerable for more than a few msec.

Bryan

On 16-Nov-99 Onno wrote:
> BEWARE:
>
> Follow the instructions in IPCHAINS HOWTO... BUT the HOWTO contains
> SEVERE flaws!!!
>
> Create a script to setup ipchains and run it early in the bootup procedure.
> I have a script called 'ipchains' in /etc/init.d and made a symbolic link
> called 'S39ipchains' to '/etc/init.d/ipchains' in the
> '/etc/rcS.d' directory. This way the script will be run before S40network
> (sets the ethernet interfaces). It's better not to make a link in rc6.d
> for shutdown... let the firewall die with the kernel ;-)
>
> PS: the script in IPCHAINS HOWTO is flawed too...
>
> Regards,
>
> Onno
>
> At 09:54 PM 11/15/99 -0500, Bryan Scaringe wrote:
>>I would like to setup IPChains on my machine. I can't seem to find
>>any file under /etc/init.d/ for ipchains (networking only handles
>>spoof protection). Where do you folks start your ipchains or ipfwadm
>>rules?
>>
>>Thanks,
>> Bryan
Re: Proper place for IPCHAINS rules
BEWARE:

Follow the instructions in IPCHAINS HOWTO... BUT the HOWTO contains SEVERE flaws!!!

Create a script to setup ipchains and run it early in the bootup procedure. I have a script called 'ipchains' in /etc/init.d and made a symbolic link called 'S39ipchains' to '/etc/init.d/ipchains' in the '/etc/rcS.d' directory. This way the script will be run before S40network (sets the ethernet interfaces). It's better not to make a link in rc6.d for shutdown... let the firewall die with the kernel ;-)

PS: the script in IPCHAINS HOWTO is flawed too...

Regards,

Onno

At 09:54 PM 11/15/99 -0500, Bryan Scaringe wrote:
> I would like to setup IPChains on my machine. I can't seem to find
> any file under /etc/init.d/ for ipchains (networking only handles
> spoof protection). Where do you folks start your ipchains or ipfwadm
> rules?
>
> Thanks,
> Bryan
Re: Proper place for IPCHAINS rules
On Mon, 15 Nov 1999, Bryan Scaringe wrote:
Bryan. >I would like to setup IPChains on my machine. I can't seem to find
Bryan. >any file under /etc/init.d/ for ipchains (networking only handles
Bryan. >spoof protection). Where do you folks start your ipchains or ipfwadm
Bryan. >rules?

On my home box I store em in /etc/init.d/network. On my servers I make my own separate scripts for them (called ipchains-fw and ipfwadm-fw) and link to them manually..

nate

--
Vice President Network Operations, Firetrail Internet Services Limited, Everett, WA 425-348-7336
http://www.firetrail.com/ http://www.aphroland.org/ http://www.linuxpowered.net/ http://comedy.aphroland.org/ http://yahoo.aphroland.org/
Powered By: Debian 2.1 Linux 2.0.36 SMP
7:39pm up 88 days, 7:12, 1 user, load average: 1.48, 1.71, 1.96
Re: Proper place for IPCHAINS rules
*- On 15 Nov, Bryan Scaringe wrote about "Re: Proper place for IPCHAINS rules"
> Thanks,
> Just out of curiosity, when in the boot process are the
> scripts in /etc/rc.boot executed?
>

Note: The /etc/rc.boot directory is obsolete in the potato release. It is replaced by the /etc/rcS.d directory. See the man page for rc.boot in slink or potato.

The /etc/rcS.d directory is read before the runlevel scripts are run and it is only run once per boot. See the README.runlevels.gz file in the sysvinit doc directory. Primarily you will find:

1. Boot.

When the system boots, the /etc/init.d/rcS script is executed. It in turn executes all the S* scripts in /etc/rcS.d in alphabetical (and thus numerical) order. The first argument passed to the executed scripts is "start". The runlevel at this point is "N" (none).

Only things that need to be run once to get the system in a consistent state are to be run. The rcS.d directory is NOT meant to replace rc.local. One should not start daemons in this runlevel unless absolutely necessary. E.g., NFS might need the portmapper, so it is OK to start it early in the boot process. But this is not the time to start the squid proxy server.

2. Going multiuser.

After the rcS.d scripts have been executed, init switches to the default runlevel as specified in /etc/inittab, usually "2". Init then executes the /etc/init.d/rc script which takes care of starting the services in /etc/rc2.d.

[]

--
Brian Servis
--
Mechanical Engineering              | Never criticize anybody until you
Purdue University                   | have walked a mile in their shoes,
[EMAIL PROTECTED]                   | because by that time you will be a
http://www.ecn.purdue.edu/~servis   | mile away and have their shoes.
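Added example, not from any message in the thread: a check that the alphabetical S* ordering Brian describes actually puts a firewall link (Onno's S39ipchains) ahead of the networking link (S40network) in an rcS.d-style directory. The directory path and link names are assumptions; a scratch directory stands in for /etc/rcS.d so the check can run without touching the boot sequence.

```shell
#!/bin/sh
# Added example (not from the thread). Mimics /etc/init.d/rcS, which runs
# the S* links of a directory in glob (alphabetical) order, to confirm that
# firewall rules are loaded before the network interfaces are brought up.
# DIR and the link names passed in are assumptions.

# run_position DIR NAME: print the 1-based position at which the S??NAME
# link in DIR would be executed; fail (status 1) if there is no such link.
run_position() {
    n=0
    for link in "$1"/S*; do
        n=$((n + 1))
        case "${link##*/}" in
            S[0-9][0-9]"$2") echo "$n"; return 0 ;;
        esac
    done
    return 1
}

# firewall_before_network DIR FW NET: succeed only when the firewall link
# runs strictly before the network link; status 2 if either link is missing.
firewall_before_network() {
    fw=$(run_position "$1" "$2") || { echo "no S??$2 link in $1" >&2; return 2; }
    net=$(run_position "$1" "$3") || { echo "no S??$3 link in $1" >&2; return 2; }
    [ "$fw" -lt "$net" ]
}

# Constructed stand-in for /etc/rcS.d using the link names from the thread.
demo=$(mktemp -d)
for s in S39ipchains S39sysctl S40network S41hostname; do
    : > "$demo/$s"          # only the names matter for ordering
done
if firewall_before_network "$demo" ipchains network; then
    echo "ok: ipchains rules are loaded before the network comes up"
else
    echo "WARNING: the network comes up before the ipchains rules are loaded"
fi
rm -rf "$demo"
```

Point it at the real /etc/rcS.d with your own link names to audit an installed system; the same two-digit prefix only falls back to name order, so give the firewall a strictly lower number than the network script.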
Re: Proper place for IPCHAINS rules
Thanks,
Just out of curiosity, when in the boot process are the scripts in /etc/rc.boot executed?

Bryan

On 16-Nov-99 Phil Brutsche wrote:
> A long time ago, in a galaxy far, far away, someone said...
>
>> I would like to setup IPChains on my machine. I can't seem to find
>> any file under /etc/init.d/ for ipchains (networking only handles
>> spoof protection). Where do you folks start your ipchains or ipfwadm
>> rules?
>
> I put a script called 'firewall' in /etc/rc.boot that sets up my
> firewalling.
>
> --
> Phil Brutsche [EMAIL PROTECTED]
>
> "There are two things that are infinite; Human stupidity and the
> universe. And I'm not sure about the universe." - Albert Einstein
Re: Proper place for IPCHAINS rules
A long time ago, in a galaxy far, far away, someone said...

> I would like to setup IPChains on my machine. I can't seem to find
> any file under /etc/init.d/ for ipchains (networking only handles
> spoof protection). Where do you folks start your ipchains or ipfwadm
> rules?

I put a script called 'firewall' in /etc/rc.boot that sets up my firewalling.

--
Phil Brutsche [EMAIL PROTECTED]

"There are two things that are infinite; Human stupidity and the universe. And I'm not sure about the universe." - Albert Einstein
Proper place for IPCHAINS rules
I would like to set up IPChains on my machine. I can't seem to find any file under /etc/init.d/ for ipchains (networking only handles spoof protection). Where do you folks start your ipchains or ipfwadm rules?

Thanks,
Bryan