Re: Starting iptables
[EMAIL PROTECTED] writes:

> On Thu, Oct 19, 2006 at 05:22:24PM -0700, John L Fjellstad wrote:
>> [EMAIL PROTECTED] writes:
>>> If you look at the number of lines of rules you make, and compare it to the number of lines (pages!) of iptables rules it makes, you see that shorewall is easier. Also the syntax is easier. Changes are far easier. Besides, the shorewall book is the best book I've found for understanding iptables.
>>
>> shorewall creates pages of iptables rules and that is considered a good thing? What happened to KISS?
>
> Yes it is a good thing. The purpose of a firewall is to block anything that you don't explicitly want through. If you don't want anything, don't put any 'allow' stuff. Then the default rule of deny all is in effect. The issue is that there are different protocols for the same service (e.g. UDP, UTP, etc). Each little pinprick you want opened takes a few rules to keep it to a specific pinprick. If you did it manually with fewer rules you would have a more porous firewall or you wouldn't have the services you want traversing the firewall. If you used too few rules you would have a screen door.

Bull. How do few rules create a screen door as opposed to pages of rules? How many services do you have that you need pages of rules? How does each pinprick you open not create another entry point? How do fewer pinpricks opened create less security, while more pinpricks create more security? How is this keeping it simple?

> For comparison, go to tldp and get the securing-linux manual (redhat edition). It's in PDF format. That author took the same approach you suggest and does everything except the base install by hand. Read the section on firewall. See the pages of rules he has in his firewall script. He explains it all too.

I couldn't find the article you were talking about, but I did find a Securing-Optimizing-Linux-The-Ultimate-Solution-v2.0. And the number of rules is insane. Why would you have an explicit DROP rule when you have a DROP policy? Where is the logging? (Yes, he has a comment about how he logs selected denied packages, but no logging actually occurs.) Of course, if you want to be the ultimate-solution, why would you want to keep it simple? Sigh...

> The only ways I know of to KISS a firewall are ipmasq and shorewall. Shorewall makes a better firewall so it makes more rules.

KISS. Keep It Simple. As in as few rules as possible. What do you need? Take a home user. What does he need? Well, he needs to open the loopback. Rule 1. He wants any packages that he started to be let through (RELATED, ESTABLISHED). Rule 2. Maybe he wants to use p2p. That's a range. If you use bittorrent, you might have to open an additional port for the control package. That's 4 rules. End it with a LOG rule with rate limit. That's _five rules_. Use DROP as a policy. How is this _less_ secure than having pages of rules? How does having _fewer_ rules create more insecurity?

-- 
John L. Fjellstad
web: http://www.fjellstad.org/          Quis custodiet ipsos custodes

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
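The five-rule single-host firewall described in the post above, written out as an added example (this is not code from the thread or from any of its posters). It generates the iptables commands from a handful of variables so the rule count can be checked before anything is loaded; the p2p port range 6881:6889/tcp and the control port 6969/udp are constructed placeholders, the FORWARD DROP policy is an extra assumption for a box that never routes, and `-m state` is the 2006-era match (current kernels accept `-m conntrack --ctstate` as the equivalent).

```shell
#!/bin/sh
# Added example: the "five rules plus a DROP policy" host firewall from the
# post above, emitted as iptables invocations so it can be reviewed or dry-run.
# Assumed values (constructed): adjust P2P_* to what your client really uses.
P2P_TCP_RANGE="${P2P_TCP_RANGE:-6881:6889}"   # p2p listening range (tcp)
P2P_CTRL_PORT="${P2P_CTRL_PORT:-6969}"        # bittorrent control/tracker port (udp)
IPTABLES="${IPTABLES:-iptables}"              # set IPTABLES=echo to dry-run

# Emit the ruleset, one iptables command per line. Order matters: loopback
# and ESTABLISHED/RELATED first (cheap, match most traffic), then the two
# pinpricks, then a rate-limited LOG so the DROP policy leaves evidence.
minimal_ruleset() {
    cat <<EOF
$IPTABLES -F INPUT
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $P2P_TCP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p udp --dport $P2P_CTRL_PORT -j ACCEPT
$IPTABLES -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "INPUT DROP: "
EOF
}

# Number of ACCEPT rules the policy opens: a quick "how porous is this" check.
count_accept_rules() {
    minimal_ruleset | grep -c -- '-j ACCEPT'
}

# Load the ruleset; -e stops at the first iptables error so a half-loaded
# table is not left behind silently.
apply_minimal_firewall() {
    minimal_ruleset | sh -e
}

# Only touch the kernel when explicitly asked, so sourcing the file is safe.
if [ "${1:-}" = "--apply" ]; then
    apply_minimal_firewall
fi
```

Run `IPTABLES=echo sh firewall.sh --apply` to see exactly what would be loaded, and `sh firewall.sh --apply` as root to load it; `minimal_ruleset | grep -c -- '-A INPUT'` confirms the count stays at five.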
Re: Starting iptables
John Hasler [EMAIL PROTECTED] writes:

> John L. Fjellstad writes:
>> shorewall creates pages of iptables rules and that is considered a good thing?
>
> You'd rather write them all by hand?

You think creating pages of rules is Keeping It Simple?

-- 
John L. Fjellstad
web: http://www.fjellstad.org/          Quis custodiet ipsos custodes
Re: Starting iptables
Advanced Policy Firewall is good for the home user, http://www.rfxnetworks.com/apf.php

It's a very simple one file configuration with some optional perks. Define the untrusted IF, its egress, ingress, tweaks (default values are already sane) and such, stick it in init.d - done. I believe it now has a semi-guided installer. Very well documented and well suited for home use. Nowhere near as capable as shorewall, but I think that's the argument to be made for it in that setting. The web hosting industry relies on it rather heavily for shared web servers. It gets clunky after a few hundred rules, but when would an average user ever have a few hundred rules? :)

HTH
-Tim

On Sun, 2006-10-22 at 09:43 -0700, John L Fjellstad wrote:
> [EMAIL PROTECTED] writes:
>
>> On Thu, Oct 19, 2006 at 05:22:24PM -0700, John L Fjellstad wrote:
>>> [EMAIL PROTECTED] writes:
>>>> If you look at the number of lines of rules you make, and compare it to the number of lines (pages!) of iptables rules it makes, you see that shorewall is easier. Also the syntax is easier. Changes are far easier. Besides, the shorewall book is the best book I've found for understanding iptables.
>>>
>>> shorewall creates pages of iptables rules and that is considered a good thing? What happened to KISS?
>>
>> Yes it is a good thing. The purpose of a firewall is to block anything that you don't explicitly want through. If you don't want anything, don't put any 'allow' stuff. Then the default rule of deny all is in effect. The issue is that there are different protocols for the same service (e.g. UDP, UTP, etc). Each little pinprick you want opened takes a few rules to keep it to a specific pinprick. If you did it manually with fewer rules you would have a more porous firewall or you wouldn't have the services you want traversing the firewall. If you used too few rules you would have a screen door.
>
> Bull. How do few rules create a screen door as opposed to pages of rules? How many services do you have that you need pages of rules? How does each pinprick you open not create another entry point? How do fewer pinpricks opened create less security, while more pinpricks create more security? How is this keeping it simple?
>
>> For comparison, go to tldp and get the securing-linux manual (redhat edition). It's in PDF format. That author took the same approach you suggest and does everything except the base install by hand. Read the section on firewall. See the pages of rules he has in his firewall script. He explains it all too.
>
> I couldn't find the article you were talking about, but I did find a Securing-Optimizing-Linux-The-Ultimate-Solution-v2.0. And the number of rules is insane. Why would you have an explicit DROP rule when you have a DROP policy? Where is the logging? (Yes, he has a comment about how he logs selected denied packages, but no logging actually occurs.) Of course, if you want to be the ultimate-solution, why would you want to keep it simple? Sigh...
>
>> The only ways I know of to KISS a firewall are ipmasq and shorewall. Shorewall makes a better firewall so it makes more rules.
>
> KISS. Keep It Simple. As in as few rules as possible. What do you need? Take a home user. What does he need? Well, he needs to open the loopback. Rule 1. He wants any packages that he started to be let through (RELATED, ESTABLISHED). Rule 2. Maybe he wants to use p2p. That's a range. If you use bittorrent, you might have to open an additional port for the control package. That's 4 rules. End it with a LOG rule with rate limit. That's _five rules_. Use DROP as a policy. How is this _less_ secure than having pages of rules? How does having _fewer_ rules create more insecurity?
>
> -- 
> John L. Fjellstad
> web: http://www.fjellstad.org/          Quis custodiet ipsos custodes
Re: Starting iptables
On 10/19/2006 12:39 AM, cothrige wrote:
> * John Hasler ([EMAIL PROTECTED]) wrote:
>> The name is misleading. Ipmasq configures both NAT and firewalling. The default configuration is suitable for most, but you can tweak the scripts to do whatever you need. However, it is not clear that you need a firewall at all. If you have only the one machine, just don't open any ports.
>
> I guess I have never really thought about it that way. I have just assumed that I was better off for having something like a firewall in place on any computer connected to the internet. And I have opened no ports intentionally, but now I am wondering just how to find out what ports are open and how they got that way? Any recommendations?
>
> Patrick

This site, http://www.grc.com , has a service called Shields-Up that will help you find out what, if any, ports are open on your computer. Also, netstat -putl will let you find out what listening ports are open.

-- 
[EMAIL PROTECTED]
Re: Starting iptables
* Mumia W.. ([EMAIL PROTECTED]) wrote:
> This site, http://www.grc.com , has a service called Shields-Up that will help you find out what, if any, ports are open on your computer. Also, netstat -putl will let you find out what listening ports are open.

Many thanks.

Patrick
Re: Starting iptables
On 10/19/2006 06:40 AM, L.V.Gandhi wrote:
> On 10/19/06, Mumia W.. [EMAIL PROTECTED] wrote:
>> On 10/19/2006 12:39 AM, cothrige wrote:
>>> * John Hasler ([EMAIL PROTECTED]) wrote:
>>>> The name is misleading. Ipmasq configures both NAT and firewalling. The default configuration is suitable for most, but you can tweak the scripts to do whatever you need. However, it is not clear that you need a firewall at all. If you have only the one machine, just don't open any ports.
>>>
>>> I guess I have never really thought about it that way. I have just assumed that I was better off for having something like a firewall in place on any computer connected to the internet. And I have opened no ports intentionally, but now I am wondering just how to find out what ports are open and how they got that way? Any recommendations?
>>>
>>> Patrick
>>
>> This site, http://www.grc.com , has a service called Shields-Up that will help you find out what, if any, ports are open on your computer. Also, netstat -putl will let you find out what listening ports are open.
>
> In my machine, following is the output. can you explain the significance of [the] columns? How to interpret it?
>
> [EMAIL PROTECTED]:~# netstat -putl
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 localhost.localdo:mysql *:*                     LISTEN      4303/mysqld
> tcp        0      0 *:34637                 *:*                     LISTEN      4539/rpc.statd
> tcp        0      0 *:sunrpc                *:*                     LISTEN      3932/portmap
> tcp        0      0 *:auth                  *:*                     LISTEN      4485/inetd
> tcp        0      0 localhost.localdom:smtp *:*                     LISTEN      4475/exim4
> tcp6       0      0 *:ssh                   *:*                     LISTEN      4514/sshd
> udp        0      0 *:32769                 *:*                                 4539/rpc.statd
> udp        0      0 *:899                   *:*                                 4539/rpc.statd
> udp        0      0 *:bootpc                *:*                                 3913/dhclient
> udp        0      0 *:sunrpc                *:*                                 3932/portmap

(Re-directed to the list.)

Read man netstat to get the documentation on netstat. Reveal the port numbers using netstat -putln

You should go to http://www.grc.com/ and use the Shields-Up service. There they talk about the port numbers and their meanings.

On your machine, mysql is listening on tcp port 3306. RPC (Remote Procedure Call) is listening on tcp port 34637 and udp ports 32769, 899 and 111. Sshd is listening on tcp port 22, and exim4 is listening on tcp port 25.

Take a look at the GRC site.

-- 
[EMAIL PROTECTED]
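An added example, not from the thread, that does the reading of the `netstat -putl` columns mechanically: it splits the Local Address column into address and port and reports which listeners are bound to every interface (the ones a remote host can reach) versus loopback only. The sample input is the listing L.V.Gandhi posted, embedded so the script runs offline; the name-to-number table is a constructed stand-in for the /etc/services lookup netstat performs, which `netstat -putln` skips by printing numbers directly.

```shell
#!/bin/sh
# Added example: exposure report from a `netstat -putl` listing.
# NETSTAT_SAMPLE is the output posted in the thread; on a live box replace it
# with `netstat -putln` output (numeric ports, no /etc/services lookup).
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost.localdo:mysql *:*                     LISTEN      4303/mysqld
tcp        0      0 *:34637                 *:*                     LISTEN      4539/rpc.statd
tcp        0      0 *:sunrpc                *:*                     LISTEN      3932/portmap
tcp        0      0 *:auth                  *:*                     LISTEN      4485/inetd
tcp        0      0 localhost.localdom:smtp *:*                     LISTEN      4475/exim4
tcp6       0      0 *:ssh                   *:*                     LISTEN      4514/sshd
udp        0      0 *:32769                 *:*                                 4539/rpc.statd
udp        0      0 *:899                   *:*                                 4539/rpc.statd
udp        0      0 *:bootpc                *:*                                 3913/dhclient
udp        0      0 *:sunrpc                *:*                                 3932/portmap'

# Constructed name->port table covering the service names in the sample
# (these are the standard /etc/services assignments; numeric ports pass through).
port_of() {
    case "$1" in
        mysql)  echo 3306 ;;
        sunrpc) echo 111 ;;
        auth)   echo 113 ;;
        smtp)   echo 25 ;;
        ssh)    echo 22 ;;
        bootpc) echo 68 ;;
        *)      echo "$1" ;;
    esac
}

# One line per listener: "proto port exposure pid/program".
# The State column is empty for udp, so the program is always the last field.
listeners() {
    printf '%s\n' "$NETSTAT_SAMPLE" | awk '
        $1 ~ /^(tcp|tcp6|udp|udp6)$/ {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "*" || addr == "0.0.0.0" || addr == "::")
                exposure = "all-interfaces"
            else if (addr ~ /^(localhost|127\.)/ || addr == "::1")
                exposure = "loopback-only"
            else
                exposure = "specific-address"
            print $1, port, exposure, $NF
        }' | while read -r proto port exposure prog; do
            echo "$proto $(port_of "$port") $exposure $prog"
        done
}

# Listeners reachable from the network: the set a host firewall must cover.
exposed_count() {
    listeners | grep -c all-interfaces
}

# Listeners that only the local machine can reach.
loopback_count() {
    listeners | grep -c loopback-only
}
```

For the posted listing this reports eight all-interfaces listeners (rpc.statd and portmap on tcp and udp, inetd's auth, sshd, dhclient) and two loopback-only ones (mysqld, exim4); the former are the ones to weigh against the "just don't open any ports" advice earlier in the thread.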
Re: Starting iptables
[EMAIL PROTECTED] writes:

> If you look at the number of lines of rules you make, and compare it to the number of lines (pages!) of iptables rules it makes, you see that shorewall is easier. Also the syntax is easier. Changes are far easier. Besides, the shorewall book is the best book I've found for understanding iptables.

shorewall creates pages of iptables rules and that is considered a good thing? What happened to KISS?

-- 
John L. Fjellstad
web: http://www.fjellstad.org/          Quis custodiet ipsos custodes
Re: Starting iptables
On Thu, Oct 19, 2006 at 05:22:24PM -0700, John L Fjellstad wrote:
> [EMAIL PROTECTED] writes:
>> If you look at the number of lines of rules you make, and compare it to the number of lines (pages!) of iptables rules it makes, you see that shorewall is easier. Also the syntax is easier. Changes are far easier. Besides, the shorewall book is the best book I've found for understanding iptables.
>
> shorewall creates pages of iptables rules and that is considered a good thing? What happened to KISS?

Yes it is a good thing. The purpose of a firewall is to block anything that you don't explicitly want through. If you don't want anything, don't put any 'allow' stuff. Then the default rule of deny all is in effect. The issue is that there are different protocols for the same service (e.g. UDP, UTP, etc). Each little pinprick you want opened takes a few rules to keep it to a specific pinprick. If you did it manually with fewer rules you would have a more porous firewall or you wouldn't have the services you want traversing the firewall. If you used too few rules you would have a screen door.

For comparison, go to tldp and get the securing-linux manual (redhat edition). It's in PDF format. That author took the same approach you suggest and does everything except the base install by hand. Read the section on firewall. See the pages of rules he has in his firewall script. He explains it all too.

The only ways I know of to KISS a firewall are ipmasq and shorewall. Shorewall makes a better firewall so it makes more rules.

Your choice.

Doug.
Re: Starting iptables
John L. Fjellstad writes:
> shorewall creates pages of iptables rules and that is considered a good thing?

You'd rather write them all by hand?

-- 
John Hasler
Re: Starting iptables
Doug writes:
> If you did it manually with fewer rules you would have a more porous firewall or you wouldn't have the services you want traversing the firewall. If you used too few rules you would have a screen door.

Not only is it important to have the right rules, but it is also important to bring them up and/or change them in the right order.

-- 
John Hasler
Re: Starting iptables
cothrige wrote:
> I was wondering about the best way to start iptables with each boot in Debian and so I did some googling. I found a Debian Wiki and it gave instructions concerning update-rc.d, but this requires a script for iptables in init.d and this does not exist. At least not in my system. Can anyone give me a quick idea of the correct way to start iptables at boot? I suppose I could just add something to rc.local, but I was sort of assuming there was a more appropriate way.

If you are running your own firewall script (as opposed to using something like shorewall) then you can do: (assuming your script is /etc/init.d/firewall.sh)

    # cd /etc/rc2.d
    # ln -s ../init.d/firewall.sh S41firewall.sh

Hope this helps,

-- 
George Borisov
DXSolutions Ltd
Re: Starting iptables
On Tue, Oct 17, 2006 at 05:45:34PM -0500, cothrige wrote:
> I was wondering about the best way to start iptables with each boot in Debian and so I did some googling. I found a Debian Wiki and it gave instructions concerning update-rc.d, but this requires a script for iptables in init.d and this does not exist. At least not in my system. Can anyone give me a quick idea of the correct way to start iptables at boot? I suppose I could just add something to rc.local, but I was sort of assuming there was a more appropriate way.
>
> Many thanks,

Hi Patrick,
most folks just run 'shorewall'! And you can add more rules if you need to.
=Kev
-- 
|  .''`.  == Debian GNU/Linux ==      | my web site:             |
| : :' :      The  Universal          | debian.home.pipeline.com |
| `. `'      Operating System         | go to counter.li.org and |
|   `-    http://www.debian.org/      |    be counted! #238656   |
|  my keysever: pgp.mit.edu           | my NPO: cfsg.org         |
Re: Starting iptables
* Kevin Mark ([EMAIL PROTECTED]) wrote:
> Hi Patrick,
> most folks just run 'shorewall'! And you can add more rules if you need to.
> =Kev

This does seem to be the consensus here. However, as I have never used this tool it is a bit intimidating. And the documentation is so vast it may be a bit of an overkill for my very simple purposes. You see, I have only one NIC which is connected to a Linksys router, which in turn is connected to the modem. My modem does its own firewalling, but I cannot bring myself to rely entirely on it, and always set up my own as well. But, because I have only one NIC I can never quite figure out what to do with loc in the zones, which in the documentation and such is always eth1, which I don't have. Should I not have a loc zone? Or do I just have eth0 for both net and loc?

Patrick
Re: Starting iptables
On Wed, Oct 18, 2006 at 09:06:10AM -0500, cothrige wrote:
> * Kevin Mark ([EMAIL PROTECTED]) wrote:
>> Hi Patrick,
>> most folks just run 'shorewall'! And you can add more rules if you need to.
>> =Kev
>
> This does seem to be the consensus here. However, as I have never used this tool it is a bit intimidating. And the documentation is so vast it may be a bit of an overkill for my very simple purposes. You see, I have only one NIC which is connected to a Linksys router, which in turn is connected to the modem. My modem does its own firewalling, but I cannot bring myself to rely entirely on it, and always set up my own as well. But, because I have only one NIC I can never quite figure out what to do with loc in the zones, which in the documentation and such is always eth1, which I don't have. Should I not have a loc zone? Or do I just have eth0 for both net and loc?

read this http://www.shorewall.net/standalone.htm

A
Re: Starting iptables
* Andrew Sackville-West ([EMAIL PROTECTED]) wrote:
> read this http://www.shorewall.net/standalone.htm
>
> A

Well, there you go. I was completely on the wrong side of the docs. Thanks for this shortcut. It seems pretty straightforward too. Took me about five minutes to follow it and get things going. The well commented config files, especially interfaces, made things a little better too.

Many thanks,

Patrick
Re: Starting iptables
On Wed, Oct 18, 2006 at 09:06:10AM -0500, cothrige wrote:
> * Kevin Mark ([EMAIL PROTECTED]) wrote:
>> Hi Patrick,
>> most folks just run 'shorewall'! And you can add more rules if you need to.
>> =Kev
>
> This does seem to be the consensus here. However, as I have never used this tool it is a bit intimidating. And the documentation is so vast it may be a bit of an overkill for my very simple purposes. You see, I have only one NIC which is connected to a Linksys router, which in turn is connected to the modem. My modem does its own firewalling, but I cannot bring myself to rely entirely on it, and always set up my own as well. But, because I have only one NIC I can never quite figure out what to do with loc in the zones, which in the documentation and such is always eth1, which I don't have. Should I not have a loc zone? Or do I just have eth0 for both net and loc?

Under shorewall, you would not have a loc since you don't have a local network. You would only have 'fw', your one-and-only box is the firewall.

As I see it, you have two choices. If you just want something that should do what you want and don't want to have to set anything up, just install ipmasq. It determines what the untrusted network is by where the default route or gateway points; it's automatic. If you want the tightest firewall with only the ports you want open, then go with shorewall.

The documentation is vast; it's like a book. You wouldn't buy a big book on network security and open it to the middle and expect to know what was going on. Start at the beginning and just read it through. Trust your brain to synthesize and develop a plan for your situation.

Doug.
Re: Starting iptables
* [EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote:
> As I see it, you have two choices. If you just want something that should do what you want and don't want to have to set anything up, just install ipmasq. It determines what the untrusted network is by where the default route or gateway points; it's automatic. If you want the tightest firewall with only the ports you want open, then go with shorewall.

Interesting what you say about ipmasq. How automatic is it? I would have assumed that it had more to do with making your machine a gateway, which mine isn't, than firewalling itself. I am assuming that it does both?

> The documentation is vast; it's like a book. You wouldn't buy a big book on network security and open it to the middle and expect to know what was going on. Start at the beginning and just read it through. Trust your brain to synthesize and develop a plan for your situation.

I know what you mean there. I think it turned out to be something like 550 pages, give or take. And I actually was reading it from the beginning, but you can imagine what a task that is just to set up a couple of rules. And I was beginning to think that it was not set up to handle a situation as simple as mine. Of course, I was wrong.

But, this all begs the question of what Shorewall is really trying to do. I would think that the point of these firewall tools would be to get around the rather difficult process of figuring out iptables. However, shorewall seems to simply replace the very archaic and tricky iptables commands and structure with its own equally difficult version. Why is that exactly? Couldn't somebody with that kind of need simply take the same time and learn the very thing that Shorewall is manipulating, i.e. iptables?

Patrick
Re: Starting iptables
cothrige wrote:
> * H.S. ([EMAIL PROTECTED]) wrote:
>> Well, my custom firewall script does take start, stop and restart arguments and so I could call it using the rc method. However, I have thus far used it by calling it with a pre-up line in the stanza for my eth0:
>>
>>     pre-up /etc/myfirewall/firewall.sh restart
>
> You added that line to /etc/network/interfaces, right? Does it matter just where you put it in the script?
>
> Patrick

Yes, it does. You need to put that line in the stanza corresponding to the interface you want to bring up the firewall with. For example, if you want to execute the script right before eth0 is brought up, then you will need to put the line in the eth0 stanza:

    iface eth0 inet dhcp
        pre-up /etc/firewall-hs/fw-masq.sh restart

The line beginning with pre-up means to execute the following command before the current interface (in whose stanza the line is) is brought up.

-HS
Re: Starting iptables
cothrige writes:
> Interesting what you say about ipmasq. How automatic is it? I would have assumed that it had more to do with making your machine a gateway, which mine isn't, than firewalling itself. I am assuming that it does both?

The name is misleading. Ipmasq configures both NAT and firewalling. The default configuration is suitable for most, but you can tweak the scripts to do whatever you need. However, it is not clear that you need a firewall at all. If you have only the one machine, just don't open any ports.

-- 
John Hasler
Re: Starting iptables
* H.S. ([EMAIL PROTECTED]) wrote:
> [snip]
> The line beginning with pre-up means to execute the following command before the current interface (in whose stanza the line is) is brought up.

Very important to know. Many thanks.

Patrick
Re: Starting iptables
On Wed, Oct 18, 2006 at 01:32:52PM -0500, cothrige wrote:
> * [EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote:
>
> Interesting what you say about ipmasq. How automatic is it? I would have assumed that it had more to do with making your machine a gateway, which mine isn't, than firewalling itself. I am assuming that it does both?

Yes.

>> The documentation is vast; it's like a book. You wouldn't buy a big book on network security and open it to the middle and expect to know what was going on. Start at the beginning and just read it through. Trust your brain to synthesize and develop a plan for your situation.
>
> I know what you mean there. I think it turned out to be something like 550 pages, give or take. And I actually was reading it from the beginning, but you can imagine what a task that is just to set up a couple of rules. And I was beginning to think that it was not set up to handle a situation as simple as mine. Of course, I was wrong.
>
> But, this all begs the question of what Shorewall is really trying to do. I would think that the point of these firewall tools would be to get around the rather difficult process of figuring out iptables. However, shorewall seems to simply replace the very archaic and tricky iptables commands and structure with its own equally difficult version. Why is that exactly? Couldn't somebody with that kind of need simply take the same time and learn the very thing that Shorewall is manipulating, i.e. iptables?

If you look at the number of lines of rules you make, and compare it to the number of lines (pages!) of iptables rules it makes, you see that shorewall is easier. Also the syntax is easier. Changes are far easier. Besides, the shorewall book is the best book I've found for understanding iptables.

My only beef with shorewall is the length of time it took my poor 486 to process everything: 2 minutes. I use ipmasq when I'm building the smallest system I can, only accessing the internet for email, web browsing, and chrony. For a full-size system, I use shorewall.

Doug.
Re: Starting iptables
* John Hasler ([EMAIL PROTECTED]) wrote:
> The name is misleading. Ipmasq configures both NAT and firewalling. The default configuration is suitable for most, but you can tweak the scripts to do whatever you need. However, it is not clear that you need a firewall at all. If you have only the one machine, just don't open any ports.

I guess I have never really thought about it that way. I have just assumed that I was better off for having something like a firewall in place on any computer connected to the internet. And I have opened no ports intentionally, but now I am wondering just how to find out what ports are open and how they got that way? Any recommendations?

Patrick
Re: Starting iptables
On Tue, Oct 17, 2006 at 05:45:34PM -0500, cothrige wrote:
> I was wondering about the best way to start iptables with each boot in Debian and so I did some googling. I found a Debian Wiki and it gave instructions concerning update-rc.d, but this requires a script for iptables in init.d and this does not exist. At least not in my system. Can anyone give me a quick idea of the correct way to start iptables at boot? I suppose I could just add something to rc.local, but I was sort of assuming there was a more appropriate way.

isn't iptables part of the kernel and therefore up by default when the kernel starts executing?

A
Re: Starting iptables
* Andrew Sackville-West ([EMAIL PROTECTED]) wrote:
> isn't iptables part of the kernel and therefore up by default when the kernel starts executing?
>
> A

Yes, iptables as far as I know is part of the kernel, but the rules must be loaded. In Slackware I would create a script and put it in rc.d to be loaded. I suppose that I could do something similar with Debian, but would like to make sure that there is not some more correct way to handle it first.

Patrick
Re: Starting iptables
On Tue, Oct 17, 2006 at 07:08:47PM -0500, cothrige wrote:
> * Andrew Sackville-West ([EMAIL PROTECTED]) wrote:
>> isn't iptables part of the kernel and therefore up by default when the kernel starts executing?
>>
>> A
>
> Yes, iptables as far as I know is part of the kernel, but the rules must be loaded. In Slackware I would create a script and put it in rc.d to be loaded. I suppose that I could do something similar with Debian, but would like to make sure that there is not some more correct way to handle it first.

right, okay, I understand. sorry. Yeah, there is surely some Debian way to do it. sorry, don't know it.

A
Re: Starting iptables
On Tue, Oct 17, 2006 at 05:45:34PM -0500, cothrige wrote:
> I was wondering about the best way to start iptables with each boot in Debian and so I did some googling. I found a Debian Wiki and it gave instructions concerning update-rc.d, but this requires a script for iptables in init.d and this does not exist. At least not in my system. Can anyone give me a quick idea of the correct way to start iptables at boot? I suppose I could just add something to rc.local, but I was sort of assuming there was a more appropriate way.

Use shorewall.

Regards,

-Roberto
-- 
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: Starting iptables
On Tue, Oct 17, 2006 at 05:15:19PM -0700, Andrew Sackville-West wrote:
> On Tue, Oct 17, 2006 at 07:08:47PM -0500, cothrige wrote:
>> * Andrew Sackville-West ([EMAIL PROTECTED]) wrote:
>>> isn't iptables part of the kernel and therefore up by default when the kernel starts executing?
>>>
>>> A
>>
>> Yes, iptables as far as I know is part of the kernel, but the rules must be loaded. In Slackware I would create a script and put it in rc.d to be loaded. I suppose that I could do something similar with Debian, but would like to make sure that there is not some more correct way to handle it first.
>
> right, okay, I understand. sorry. Yeah, there is surely some Debian way to do it. sorry, don't know it.

I'd recommend using shorewall or another such firewall system. Shorewall is a very capable system for configuring iptables (or other backend), and does provide a startup file in /etc/init.d/. Shorewall doesn't run as a daemon, rather it runs once to set up the kernel iptables (or other) and then it's done.

-- 
Ken Irving, [EMAIL PROTECTED]
Re: Starting iptables
* Roberto C. Sanchez ([EMAIL PROTECTED]) wrote:
> Use shorewall.
>
> Regards,
>
> -Roberto

I was just looking at a howto on this. I have never used any of these tools before as I already had a firewall script which worked. But, maybe now is as good a time as any to learn how this works.

Patrick
Re: Starting iptables
Andrew Sackville-West wrote:
> On Tue, Oct 17, 2006 at 07:08:47PM -0500, cothrige wrote:
>> * Andrew Sackville-West ([EMAIL PROTECTED]) wrote:
>>> isn't iptables part of the kernel and therefore up by default when the kernel starts executing?
>>
>> Yes, iptables as far as I know is part of the kernel, but the rules must be loaded. In Slackware I would create a script and put it in rc.d to be loaded. I suppose that I could do something similar with Debian, but would like to make sure that there is not some more correct way to handle it first.
>
> right, okay, I understand. sorry. Yeah, there is surely some Debian way to do it. sorry, don't know it.

Greetings Andrew:

The Debian way to do it is to use the directories in /etc/network. There are 4 directories:

  if-down.d
  if-post-down.d
  if-pre-up.d
  if-up.d

You put scripts into each of these folders, and then they are run when each interface goes through one of these states. You need to be careful with this for firewall rules - if your box has 3 interfaces and you put a script into if-up.d/ the script will be run three times, once for each interface that is brought up. This can cause your rules to be loaded repeatedly. You will probably want to include if/then sections in your script to load rules based on the interface being brought up.

A similar method (that might be a little easier for you to use for loading iptables rules) involves using options similar to the directories listed in the /etc/network/interfaces file. The following directives are understood:

  pre-up
  up
  post-up
  pre-down
  down
  post-down

You would load your rules into a script and run the script using the up command in one of your interfaces. The man page for interfaces can give you the details.

Good Luck.

-Scott
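The per-interface guard described above, worked through as an added example (this script is not from the thread and not from any Debian package): a hook for /etc/network/if-up.d/ that loads a ruleset saved with iptables-save, but only when one named interface comes up, so a box with several interfaces does not reload the rules once per interface. ifupdown exports IFACE and MODE to every hook it runs; the rules path /etc/iptables/rules.v4 and the interface name eth0 are assumed placeholders, and the functions named here are this example's own.

```shell
#!/bin/sh
# Added example for /etc/network/if-up.d/ (not a script from this thread).
# Loads a ruleset saved with "iptables-save" via iptables-restore, but only
# when one named interface comes up, so a box with several interfaces does
# not reload the rules once per interface.
#
# ifupdown exports IFACE (the interface being configured), MODE ("start"
# on the way up, "stop" on the way down) and PHASE (pre-up, post-up, ...)
# to every hook it runs. The rules path and the interface name below are
# assumptions for this example, not values from the thread.

RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"   # assumed location
WANTED_IFACE="${WANTED_IFACE:-eth0}"                  # assumed interface
RESTORE_CMD="${RESTORE_CMD:-iptables-restore}"        # swappable for a dry run

# Return 0 only for MODE=start on the wanted interface. "lo", any other
# interface, and the stop-side hooks are ignored: this is the if/then
# guard that keeps the rules from being loaded once per interface.
should_load() {
    iface="$1"
    mode="$2"
    [ "$mode" = "start" ] || return 1
    [ "$iface" = "$WANTED_IFACE" ] || return 1
    return 0
}

# Check that a saved ruleset looks complete before handing it to
# iptables-restore: every "*table" header in an iptables-save dump must be
# closed by a COMMIT line. A truncated file would otherwise load only part
# of the policy, and an unreadable one would silently leave the old rules
# in place.
rules_file_ok() {
    f="$1"
    [ -r "$f" ] || return 1
    tables=$(grep -c '^\*' "$f" || true)
    commits=$(grep -c '^COMMIT' "$f" || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ]
}

# Load the ruleset (iptables-restore replaces whole tables atomically),
# refusing to load a file that fails the check above.
load_rules() {
    f="$1"
    if ! rules_file_ok "$f"; then
        echo "iptables hook: refusing to load incomplete ruleset $f" >&2
        return 1
    fi
    "$RESTORE_CMD" < "$f"
}

# Entry point when ifupdown runs this file as a hook; without IFACE in the
# environment (for instance when sourced) only the functions are defined.
if [ -n "${IFACE:-}" ]; then
    if should_load "$IFACE" "${MODE:-}"; then
        load_rules "$RULES_FILE" || exit 1
    fi
    exit 0
fi
```

Install it under a name without a dot (run-parts skips file names containing one), make it executable, and produce the rules file once with iptables-save. The completeness check is the part worth keeping even in a one-liner hook: a ruleset that was cut off while being written fails closed rather than loading half a policy.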
Re: Starting iptables
Patrick writes:
> I suppose that I could do something similar with Debian, but would like to make sure that there is not some more correct way to handle it first.

No more correct, but more sensible, would be to install one of the several packages that do exactly what you want. I like ipmasq.
--
John Hasler
Re: Starting iptables
On Tue, Oct 17, 2006 at 05:45:34PM -0500, cothrige wrote:
> I was wondering about the best way to start iptables with each boot in Debian and so I did some googling. I found a Debian Wiki and it gave instructions concerning update-rc.d, but this requires a script for iptables in init.d and this does not exist. At least not in my system.
>
> Can anyone give me a quick idea of the correct way to start iptables at boot? I suppose I could just add something to rc.local, but I was sort of assuming there was a more appropriate way.
>
> Many thanks,
> Patrick

As far as I know, iptables itself, part of the kernel, is always 'running'; it's just that unless you add rules, it doesn't actually do anything. You either have to add those rules by hand, write a script that does that, or use a piece of software that does. This is what the various 'firewall' packages do.

For basic dialup, you can just use ipmasq. If you want total control go with shorewall. If you want a great piece of documentation that explains the issues, read the shorewall docs; there's a great html-format book. Even if you end up deciding to go with ipmasq, I highly recommend the shorewall docs. Install it, read, learn, then decide.

Note when doing reading, that iptables is also known as NetFilter.

Enjoy,
Doug.
Re: Starting iptables
* John Hasler ([EMAIL PROTECTED]) wrote:
> Patrick writes:
>> I suppose that I could do something similar with Debian, but would like to make sure that there is not some more correct way to handle it first.
>
> No more correct but more sensible would be to install one of the several packages that do exactly what you want. I like ipmasq.

In the process of googling for info on this I did find a page at http://www.debian-administration.org/articles/445 which had a fairly simple approach. There it recommends putting a script in /etc/network/if-up.d to run iptables-restore. This is similar to the Gentoo way, except that was somewhat automated with a script in init.d which, oddly, Debian is lacking. Assuming this works, it does have simplicity on its side though, and that is always a good thing.

Patrick
Re: Starting iptables
On Tue, Oct 17, 2006 at 05:45:34PM -0500, cothrige wrote:
> I was wondering about the best way to start iptables with each boot in Debian and so I did some googling. I found a Debian Wiki and it gave instructions concerning update-rc.d, but this requires a script for iptables in init.d and this does not exist. At least not in my system.
>
> Can anyone give me a quick idea of the correct way to start iptables at boot? I suppose I could just add something to rc.local, but I was sort of assuming there was a more appropriate way.

There was once a script supplied with the iptables package that would save iptables 'active' and 'inactive' states, and could be dropped into /etc/init.d and used in exactly the fashion you request. For reasons unclear to me, this was dropped. It can still be found on Debian Sarge at:

  /usr/share/doc/iptables/examples/oldinitdscript.gz

Maybe someone can explain to me why it was so bad that it warranted removal :)

Cheers,

Paul
--
Paul Dwerryhouse | PGP Key ID: 0x6B91B584
A look at Ubuntu Server Edition: http://nepotismia.com/review/ubuntu/server/6.06/
Re: Starting iptables
cothrige wrote:
> I was wondering about the best way to start iptables with each boot in Debian and so I did some googling. I found a Debian Wiki and it gave instructions concerning update-rc.d, but this requires a script for iptables in init.d and this does not exist. At least not in my system.
>
> Can anyone give me a quick idea of the correct way to start iptables at boot? I suppose I could just add something to rc.local, but I was sort of assuming there was a more appropriate way.
>
> Many thanks,
> Patrick

Well, my custom firewall script does take start, stop and restart arguments and so I could call it using the rc method. However, I have thus far used it by calling it with a pre-up line in the stanza for my eth0:

  pre-up /etc/myfirewall/firewall.sh restart

With this line, before the interface is brought up, the script is called with the restart argument. It has worked so far, in my router machine which connects with my adsl modem and also does masquerading, and also on my desktop machines on my home lan.

good luck,
-HS
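An added example of a script in the shape described above, taking start, stop and restart arguments so that it can be called from a pre-up line; it is not H.S.'s actual /etc/myfirewall/firewall.sh, and the external interface name eth0 and the single allowed service (ssh on tcp/22) are assumptions for the example, as are the fw_* function names. It keeps the DROP-policy-plus-explicit-allows approach argued for earlier in the thread, and it sets the policies before flushing so that a restart never leaves the host open for a moment. An IPTABLES environment variable lets the same script be exercised against a stand-in command without touching the live tables.

```shell
#!/bin/sh
# Added example of a hand-written firewall script with start/stop/restart
# arguments. It is not H.S.'s actual /etc/myfirewall/firewall.sh; the
# interface name and the allowed port list are assumptions for the example.
# Intended use in /etc/network/interfaces:
#
#   pre-up /etc/myfirewall/firewall.sh restart
#
# iptables accepts rules matching "-i eth0" before eth0 exists (the name is
# compared as a string when packets arrive), so running at pre-up is fine.

IPT="${IPTABLES:-iptables}"      # command to run; swappable for a dry run
WAN_IF="${WAN_IF:-eth0}"         # assumed external interface
ALLOW_TCP="${ALLOW_TCP:-22}"     # assumed: ssh only (space-separated list)

# Remove every rule and user-defined chain in the three common tables.
# Chain policies are not touched by -F/-X, so they are set before this.
fw_flush() {
    for t in filter nat mangle; do
        "$IPT" -t "$t" -F
        "$IPT" -t "$t" -X
    done
}

fw_start() {
    # Policies first, then flush: the host is never briefly wide open while
    # the old rules are being torn down, which matters for "restart".
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
    fw_flush
    # Loopback, and replies to connections this host initiated.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -m state --state INVALID -j DROP
    # One explicit "pinprick" per allowed TCP service on the WAN side.
    for p in $ALLOW_TCP; do
        "$IPT" -A INPUT -i "$WAN_IF" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    # Rate-limited log of what the chain policy is about to discard; no
    # trailing DROP rule is needed because the policy already drops.
    "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# Open everything: policies ACCEPT, then flush.
fw_stop() {
    "$IPT" -P INPUT ACCEPT
    "$IPT" -P FORWARD ACCEPT
    "$IPT" -P OUTPUT ACCEPT
    fw_flush
}

# start already begins from a clean, closed state, so restart is start;
# going through stop first would open the box for a moment.
fw_restart() {
    fw_start
}

fw_status() {
    "$IPT" -L -n -v --line-numbers
}

case "${1:-}" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_restart ;;
    status)  fw_status ;;
    "")      ;;   # no argument: define the functions only (e.g. when sourced)
    *)       echo "usage: $0 {start|stop|restart|status}" >&2; exit 1 ;;
esac
```

Where the pre-up line sits inside the stanza does not change when it runs: ifupdown executes all pre-up commands of a stanza before configuring the interface, in the order they are written. Running the script at pre-up rather than post-up means the rules are already in place when the interface gets its address.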
Re: Starting iptables
Patrick writes:
> There it recommends putting a script in /etc/network/if-up.d to run iptables-restore. This is similar to the Gentoo way, except that was somewhat automated with a script in init.d which, oddly, Debian is lacking.

The various firewall packages install appropriate scripts.
--
John Hasler
Re: Starting iptables
* H.S. ([EMAIL PROTECTED]) wrote:
> Well, my custom firewall script does take start, stop and restart arguments and so I could call it using the rc method. However, I have thus far used it by calling it with a pre-up line in the stanza for my eth0:
>
>   pre-up /etc/myfirewall/firewall.sh restart

You added that line to /etc/network/interfaces, right? Does it matter just where you put it in the script?

Patrick