firewall

2012-07-03 Thread lina
Hi,

I don't know which firewall (http://wiki.debian.org/Firewalls) I should choose.

Thanks ahead for recommendation, and it will be very nice if you tell
me why you recommend this one.

Best regards,


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/CAG9cJm=ygtrfu7ayqfqh-7--ivuimdehe1skyj7ds7+k8_z...@mail.gmail.com



FIREWALL

2000-11-08 Thread dude


We are currently using cybermax firewall suite to provide us with a way
to hook up multiple computers to share a cable modem,
but I was wondering how to set up GNU/Linux Debian to be a firewall and
IP router like the Cybermax suite is.

thanks




firewall

2000-06-13 Thread Timothy C. Phan
Hi,

  Thank you all for helping on the 'ssh/telnet'.

  My next task is setting firewall.  Would someone please
  let me know where can I find doc on this firewall
  subject.

  Thanks!

---
tcp
[EMAIL PROTECTED]



Firewall

2000-06-28 Thread Derek Wueppelmann
Yet another problem I have been having with a Debian install. Sorry to keep
pestering.

Here is my problem stated simply. I need to create a firewall between our
internal network and the internet while still allowing the machines inside
the network some limited access out and in, i.e. keep our webservers etc.
inside the firewall.

I have two network cards installed in my machine and I have followed the
FIREWALL-HOWTO to the "t". here is my configuration

eth0 xxx.xxx.xxx.1 :Connected to the internal network
eth1 xxx.xxx.xxx.2 :Connected to the internet.
# note that the xxx.xxx.xxx are the same subnet since we are allocated a
class C domain.

my routing table looks similar to this:
DESTINATION      GATEWAY          GENMASK          ...  IFACE
xxx.xxx.xxx.254  0.0.0.0          255.255.255.255       eth1
xxx.xxx.xxx.0    0.0.0.0          255.255.255.0         eth0
0.0.0.0          xxx.xxx.xxx.254  0.0.0.0               eth1

Sorry for the poor formatting.

Right now all I can do is access both of the IP addresses from either the
internet or the internal network. However no matter what I do I can't get
past the firewall (it works too well). I have enabled IP forwarding in the
kernel and set the IP_forward file to 1 as well as set the forward ipchains
to wide open, as in:

ipchains -A forward -j ACCEPT

as the only rule.

Any help would be greatly appreciated thanks.

 0 /  Derek Wueppelmann
(D   Libraxus Inc.
/ \   [EMAIL PROTECTED]



Firewall

2001-01-30 Thread eileen
I have some questions about building a firewall.  I currently have a cable 
modem connection which of course gives me a static IP address.  If I was to 
build a firewall using a old 486 could I still assign my Debian box the 
static IP address as it is needed for my server which I use for 
hosting.  Or would the 486 use the static IP and assign the Debian box a 
private IP address?  Also I know there are many firewall how to's out there 
but would appreciate any recommendations.


Regards


Eileen Orbell
Software & Internet Applications
Capitol College
mailto:[EMAIL PROTECTED]
mailto:[EMAIL PROTECTED]








firewall

2000-06-02 Thread Timothy C. Phan
Hi,

  I'd like to know if there is any firewall software
  for Debian?  

  Thanks!

---
tcp
[EMAIL PROTECTED]



firewall

2000-02-16 Thread mountaincable.net



I've picked up an ORION 486DLC-33 w/386 BIOS 
that I want to set up as a firewall.  Newer distr's of linux have min 
requirements above my system.  What distr. should I use (Debian has 
been recommended)?  Is there an outline somewhere of  how to go about 
setting up a firewall and what packages I need to install to run 
one?


Firewall

1999-12-18 Thread Paulo H B de Oliveira
Hi Debian users,
I have a lab with about 10 machines and 1/4 of a IP C class to use.
I want to do a firewall for my lab.
Today I have the following structure:

  .65   .99
 --    -
 | router |  | Firewall |  | hub 1 |
 --   |     |  -
  | |
  | 
  || hub 2 |
  |-
  |
-
64/97   | hub 3 |
-

Our netmask is 255.255.255.192. May I change it to 255.255.255.224?
What will be the routes?
How to do to login into the firewall, or better, how to uplink the
two hubs?
What I want is to make a firewall for my lab and still access the
other IP range.
Where I have to put the firewall (99)?
How to set the firewall?
After setting the firewall, how to configure the machines?
Thank you.


Firewall

2001-06-18 Thread gregh
I am attempting to setup a Firewall using IP-CHAINS for a small ISP.  I was 
wondering what tools I could use to test the firewall?

Thanks in advance,
Greg



firewall?

2011-07-17 Thread hadi motamedi
Dear All
I have put my windows machine behind my debian firewall server with
just one NIC. At now, the windows machine can ping 192.9.9.3 but
cannot resolve valid url (like www.google.com). I have set DNS for it
as well. Can you please let me know what is the missing step?
Thank you





Firewall

1999-06-25 Thread [ Kaa ]

> 1) It's a 33MHz with 8Mb RAM, can it do the job? There will be two other
> machines (Win98, Debian G/L) on my home network.

Yes, but you'll be much happier if you spend $20 and buy more RAM

> 2) How do I physically set this up? I've found info on the software
> setup, but nothing about hardware. More details:
> ..a) InterNet-facing line is cable which goes to cable "MODEM"
> ..b) From "MODEM" to 10baseT Ethernet Hub.
> ..c) From hub to:
> 1) Win98 box (which is why I want the firewall; it's not mine!)
> 2) Debian GNU/Linux laptop (which is not always connected)
> 3) Does the firewall box need to be between the "MODEM" and the hub or
> can it be parallel to the two machines now on the hub?
> 4) If it is upstream of the hub, then do I need two NICs? Or is there a
> special kind of NIC that I should use?

Basically the firewall machine must have two NICs. One NIC is connected to 
the cable modem and that is the only NIC that the modem (and your ISP) sees. 
From their point of view, there is only one machine on the network. The rest 
of your network (that is, the hub) plugs into the second NIC. The first, 
"cable" NIC is set up according to ISP instructions (IP address, etc.). The 
second, "local" NIC is set up with your local LAN IP address (which you pick 
yourself subject to the usual conventions). You don't need any special NICs, 
any will do.


Kaa




Firewall :

1999-01-12 Thread Mike Rae
Can anyone please direct me to a FAQ/Howto on implementing a very good
firewall ? Any experiences you might like to share ?

BRGDS
Mike Rae


Firewall

1999-02-16 Thread Tony Schonfeld
Hello Everybody ,

I need to find a package in Debian which can provide a solid
firewall that is easy to set up.

Any ideas?
Thanks in advance for any reply


Tony Schonfeld - F5GIT - GRENOBLE - Phone: (33) 0610104815
Email: [EMAIL PROTECTED]  -  WWW: http://schonfeld.iscool.net 
Hamnet (ax25): [EMAIL PROTECTED] - [EMAIL PROTECTED]
 


Firewall

2005-06-17 Thread Christer
How to reach the firewall and manage the same as well in sarge?? default 
installed on a desktop connected to a router I looked around and found 
no way to get in touch with the firewall settings







Firewall

1996-09-22 Thread Simon Martin
Hi all,

My thanks to [EMAIL PROTECTED] for his solution on setting up my PS/2
mouse. I eventually gave up on X11 though, never got more than a blank
screen. I'll come back to it when I get a chance.

Now for my next questions:

1) can anyone let me know their experiences with firewall software (SOCKS,
TIS, ...) as I intend to setup an Internet firewall now

2) can anyone let me know where to find the above software.

Thanks in advance

"Simon Martin"<[EMAIL PROTECTED]>

"Old software engineers never die, they just fail to boot"

Any Trademarks used in this document are recognized as Registered
Trademarks of their respective owners.



firewall

2003-02-22 Thread Allan Andersen
Hi!

At the moment I've a RH firewall/router. It's quite unstable, so I would
like to install Debian as a firewall and router instead of RH.

I need the box to act as a firewall/router (I believe it's called
masquerading) with port forwarding enabled. Are there any easy to follow
guides for this?

Thanks in advance
Allan Andersen





http://www.linux-firewall-tools.com/linux/firewall/index.html

2000-03-16 Thread Brett Fowlkes
The script is for Red Hat but can I use it for Debian as well?  Has anyone
here done this and if so how did it work?

Thanks,

Brett


stopping firewall

2019-07-20 Thread Charles Zeitler
how do i confirm
sudo systemctl stop firewalld.service
works?

charles zeitler
-- 
 The Perfect Is The Enemy Of
 The Good Enough



Firewall software

2006-11-08 Thread José Pablo Fernández
Hello,
I am looking for a firewall building program like shorewall or fwbuilder but 
that supports IPv6 (ip6tables), any ideas ?
Thanks.
-- 
José Pablo Fernández
[EMAIL PROTECTED]



Which firewall?

2006-11-22 Thread Mirto Silvio Busico
Hi all,
I have to setup a firewall for a little network.
The firewall machine will have multiple ip addresses for a physical lan
card (eth0 eth0:1 eth0:2).

Looking to the packages (for Etch) I see some firewall; so there is the
question:
Can anyone recommend to use (or to avoid) any of the following?

fireflyer
fwbuilder
kmyfirewall
shorewall

Any information will be greatly appreciated.

Mirto


-- 

__
Mirto Silvio Busico ICT Consultant
Tel. +39 333 4562651
 





Debian Firewall

2001-07-24 Thread Case, Benjamin
I want to setup a firewall for my home LAN. I will have 5 - 10 PC's behind
it. It will be running on a PPro 233 w/ 80mb RAM, and 2 Intel 100mb NIC's. I
want a lot of features:

Security, Security, Security
SSH Daemon
NAT (Masq)
Port Forwarding
Graphical (web based ?) Network Analysis
PPPoE support
VPN support
Convenient Method of Configuration (Web based, GUI based ?)

I would also like it to be fairly upgradable. I love APT-GET, and would love
to have the core of this firewall be Debian so that I can do my updates with
this method. I also would like to experiment with the CISH (Cisco simulated)
shell provided by the Linux Router Project.

What is the best approach to creating this Firewall? Should I start with my
own basic install of Debian and build from there ? Is there a floppy or CD
based image worth trying that is based on Debian ?

ben



Re: firewall

2012-07-03 Thread Ralf Mardorf
On Wed, 2012-07-04 at 11:19 +0800, lina wrote:
> Hi,
> 
> I don't know which firewall (http://wiki.debian.org/Firewalls) I should 
> choose.
> 
> Thanks ahead for recommendation, and it will be very nice if you tell
> me why you recommend this one.

To answer drily: Test them and report what firewall does protect you the
best against no attacks. Linux for home usage was safe, is safe, will be
safe. Yes, it's safe regarding to things I criticize. I don't criticize
protection per se, I only worry about too much security for nothing.





Re: firewall

2012-07-04 Thread lina

On 4 Jul, 2012, at 14:15, Ralf Mardorf  wrote:

> On Wed, 2012-07-04 at 11:19 +0800, lina wrote:
>> Hi,
>> 
>> I don't know which firewall (http://wiki.debian.org/Firewalls) I should 
>> choose.
>> 
>> Thanks ahead for recommendation, and it will be very nice if you tell
>> me why you recommend this one.
> 
> To answer drily: Test them and report what firewall does protect you the
> best against no attacks. Linux for home usage was safe, is safe, will be
> safe. Yes, it's safe regarding to things I criticize. I don't criticize
> protection per se, I only worry about too much security for nothing.

Ha... I just realized mine is exposed at least in our department.  I can see 
the open ports and the OS.  
Just sometimes wish it can be invisible in some way.  

I tried firehol yesterday.  It's orphaned.

Thanks.



Re: firewall

2012-07-04 Thread Mika Suomalainen
Hi,

On 04.07.2012 06:19, lina wrote:
> Hi,
> 
> I don't know which firewall (http://wiki.debian.org/Firewalls) I
> should choose.
> 
> Thanks ahead for recommendation, and it will be very nice if you
> tell me why you recommend this one.
> 
> Best regards,
> 
> 

I recommend UFW. It's simple to use and does everything a firewall
should do in my opinion.

All commands are like "ufw allow 22/tcp" (allows connections to SSH port).

It also has a GUI called GUFW.

aptitude install ufw gufw

-- 
Mika Suomalainen

NOTICE! I am on mobile broadband with very limited time, so I cannot
read emails very much.
The best time to contact me is probably weekends when I have better
connectivity with good luck.



Re: firewall

2012-07-04 Thread Ralf Mardorf
On Wed, 2012-07-04 at 15:04 +0800, lina wrote:
> On 4 Jul, 2012, at 14:15, Ralf Mardorf  wrote:
> 
> > On Wed, 2012-07-04 at 11:19 +0800, lina wrote:
> >> Hi,
> >> 
> >> I don't know which firewall (http://wiki.debian.org/Firewalls) I should 
> >> choose.
> >> 
> >> Thanks ahead for recommendation, and it will be very nice if you tell
> >> me why you recommend this one.
> > 
> > To answer drily: Test them and report what firewall does protect you the
> > best against no attacks. Linux for home usage was safe, is safe, will be
> > safe. Yes, it's safe regarding to things I criticize. I don't criticize
> > protection per se, I only worry about too much security for nothing.
> 
> Ha... I just realized mine is exposed at least in our department.  I can see 
> the open ports and the OS.  
> Just sometimes wish it can be invisible in some way.  
> 
> I tried firehol yesterday.  It's orphaned.
> 
> Thanks.

*chuckle* A trillion years ago I used a firewall myself. "Ports" are an
issue, I wasn't able to down- or upload by ftp. BUT, How many serious
attacks did you notice around the last 30 days?

Nobody tried to simply open your DVD drive, let alone really serious
attacks.

Regarding to the security "Linux Land" is "Pony land", there aren't
serious attacks to home computers using Linux and even serious attacks
against Linux server-users usually go /dev/null ... Hard to believe, but
Linux is Pony Land regarding to attacks.





Re: firewall

2012-07-04 Thread Muhammad Yousuf Khan
Web based Firewall (IPCOP) very powerful with the addon called BOT
(block out traffic) based on IPtables.

On Wed, Jul 4, 2012 at 12:38 PM, Ralf Mardorf
 wrote:
> On Wed, 2012-07-04 at 15:04 +0800, lina wrote:
>> On 4 Jul, 2012, at 14:15, Ralf Mardorf  wrote:
>>
>> > On Wed, 2012-07-04 at 11:19 +0800, lina wrote:
>> >> Hi,
>> >>
>> >> I don't know which firewall (http://wiki.debian.org/Firewalls) I should 
>> >> choose.
>> >>
>> >> Thanks ahead for recommendation, and it will be very nice if you tell
>> >> me why you recommend this one.
>> >
>> > To answer drily: Test them and report what firewall does protect you the
>> > best against no attacks. Linux for home usage was safe, is safe, will be
>> > safe. Yes, it's safe regarding to things I criticize. I don't criticize
>> > protection per se, I only worry about too much security for nothing.
>>
>> Ha... I just realized mine is exposed at least in our department.  I can see 
>> the open ports and the OS.
>> Just sometimes wish it can be invisible in some way.
>>
>> I tried firehol yesterday.  It's orphaned.
>>
>> Thanks.
>
> *chuckle* A trillion years ago I used a firewall myself. "Ports" are an
> issue, I wasn't able to down- or upload by ftp. BUT, How many serious
> attacks did you notice around the last 30 days?
>
> Nobody tried to simply open your DVD drive, let alone really serious
> attacks.
>
> Regarding to the security "Linux Land" is "Pony land", there aren't
> serious attacks to home computers using Linux and even serious attacks
> against Linux server-users usually go /dev/null ... Hard to believe, but
> Linux is Pony Land regarding to attacks.
>



Re: firewall

2012-07-04 Thread Lars Noodén
On 7/4/12 10:46 AM, Muhammad Yousuf Khan wrote:
> Web based Firewall (IPCOP) very powerful with the addon called BOT
> (block out traffic) based on IPtables.

In some ways it's easier just to work with IPtables directly.

Regards,
/Lars








Re: firewall

2012-07-04 Thread Joe
On Wed, 4 Jul 2012 15:04:03 +0800
lina  wrote:

> 
> Ha... I just realized mine is exposed at least in our department.  I
> can see the open ports and the OS. Just sometimes wish it can be
> invisible in some way.  
> 

Most ports can be closed by configuration, even the infamous portmap
can be limited to localhost if you're not using it externally e.g. for
NIS or NFS. If you have a standalone Linux machine in a foreign
network, pretty much everything can be closed.

I'd have thought most of the simple firewall frontends would do what
you need. If they are simple to configure, then they tend not to be
very flexible, so if you need the full power of iptables, you have no
choice but to learn to use it. But just to keep out random automatic
attacks, which may or may not be looking for Linux machines in a
Windows network, one of the simple ones should work.

I gave firestarter a go on my workstation, but it didn't really suit me
and is now not under development. The package description suggests gufw
as a modern replacement, but I know nothing about that.

-- 
Joe





Re: firewall

2012-07-04 Thread Muhammad Yousuf Khan
On Wed, Jul 4, 2012 at 12:53 PM, Lars Noodén  wrote:
> On 7/4/12 10:46 AM, Muhammad Yousuf Khan wrote:
>> Web based Firewall (IPCOP) very powerful with the addon called BOT
>> (block out traffic) based on IPtables.
>
> In some ways it's easier just to work with IPtables directly.

Not just easy but I think it is better, but for just starting and
understanding I think a GUI is a good start.

>
> Regards,
> /Lars
>
>
>
>
>



Re: firewall

2012-07-04 Thread lina
Thanks all.

Actually I don't even know how to check whether there was/is an attack or not.

I am looking for a firewall mainly to have some sense of guarantee,
otherwise I will definitely freak out in front of an attack.

I will start learning something about iptables.

Just know so little ^_^

Thanks again,

Best regards,





Re: firewall

2012-07-04 Thread Ralf Mardorf
On Wed, 2012-07-04 at 12:46 +0500, Muhammad Yousuf Khan wrote:
> Web based Firewall (IPCOP) very powerful with the addon called BOT
> (block out traffic) based on IPtables.

I don't care, but I'm certain that I know some guys (no women) who
recommend IPCOP too, for good reasons. At least for my usage it's
overdosed. Believing does ... Wow, there's no shortcut for my "new
needs" so simply believe the hype.





Re: firewall

2012-07-04 Thread Weaver

> Hi,
>
> I don't know which firewall (http://wiki.debian.org/Firewalls) I should
> choose.

APF (Advanced Policy Firewall)
>
> Thanks ahead for recommendation, and it will be very nice if you tell
> me why you recommend this one.

Easy to configure and comprehensively used by many ISPs.
Other reasons are best summed up here:

http://www.rfxn.com/projects/advanced-policy-firewall/

Regards,

Weaver

-- 


Religion is regarded by the common people as true,
by the wise as false,
and by the rulers as useful.

— Lucius Annæus Seneca.

Terrorism, the new religion.






Re: firewall

2012-07-04 Thread Atıf CEYLAN

On Wed, 2012-07-04 at 11:19 +0800, lina wrote:
> Hi,
> 
> I don't know which firewall (http://wiki.debian.org/Firewalls) I should 
> choose.
> 
> Thanks ahead for recommendation, and it will be very nice if you tell
> me why you recommend this one.
> 
> Best regards,
> 
> 

I think you don't need anything else than Iptables. You should learn
Iptables if you want to use linux as a firewall. But my suggestion is PF
on BSD. PF is a very powerful stateful firewall. I use PF on FreeBSD and
I show 1-2 million states at attack times. Also my firewall cpu and
memory usage is very low shown (I have 1 cpu and 4GB memory).

If you want an easier solution than PF+BSD you can use pfSense.
pfSense is a web based management tool for PF on FreeBSD. You must do some
settings manually on the terminal but I think pfSense is a better solution
for you.
-- 
M.Atıf CEYLAN





Re: firewall

2012-07-04 Thread Muhammad Yousuf Khan
On Wed, Jul 4, 2012 at 1:16 PM, Ralf Mardorf  wrote:
> On Wed, 2012-07-04 at 12:46 +0500, Muhammad Yousuf Khan wrote:
>> Web based Firewall (IPCOP) very powerful with the addon called BOT
>> (block out traffic) based on IPtables.
>
> I don't care, but I'm certain that I know some guys (no women) who
> recommend IPCOP too, for good reasons. At least for my usage it's
> overdosed. Believing does ... Wow, there's no shortcut for my "new
> needs" so simply believe the hype.
>

IPCop is a SOHO firewall, with squid, iptables, snort, openvpn and
all the other useful stuff.
BTW due to the GUI limitation I am also moving towards more CLI based.
That's why I joined the Debian list, but I am sure for those who are beginners,
lina, and want to use some open source stuff it is quite a good option.
There are several other firewalls like pfSense, m0n0wall, Untangle, etc.
but I found IPCop easier to configure.





Re: firewall

2012-07-04 Thread Eike Lantzsch
OK, I see that this might be flamebait ...

On Tuesday 03 July 2012 23:19:06 lina wrote:
> Hi,
> 
> I don't know which firewall (http://wiki.debian.org/Firewalls) I should
> choose.
> 
> Thanks ahead for recommendation, and it will be very nice if you tell
> me why you recommend this one.
> 
> Best regards,

It seems that you want a firewall on the computer which you are working with.
As regards to closing unnecessary ports or limiting them to localhost, Joe 
gave good advice already.

Some may call me a security paranoid and a control freak but ...

I'm afraid that learning about IPtables is necessary before one is able to 
appreciate what the higher layer of administration s/w does to it.
A firewall frontend may deceive you into thinking that you have full control 
over the firewall while it does things that the frontend developer THINKS you 
want - but do you?
e.g. For some years I was using Webmin to maintain my servers until it did 
atrocious things to my Samba configuration. Now I'm a lot more wary and double 
check against the config files. Backups and etckeeper (using git) help to 
avoid catastrophes.

I personally do not think much of firewalls which reside on the same machine 
which I want to protect. I'd choose an older PC to play with and install 
OpenBSD on it. Then setup a firewall - you might even have a look at a 
bridging firewall if you want to make it invisible to the network. As long as 
you have keyboard and screen access to the machine you won't need a third 
network port for maintenance. Although it comes in handy for upgrades.

http://www.openbsd.org/faq/faq6.html#Bridge
http://bio3d.colorado.edu/tor/sadocs/tcpip/bridge.html#what%20is%20a%20bridging%20firewall
see also: Firewalling with OpenBSD’s PF packet filter
Peter N. M. Hansteen
To get started with OpenBSD
"Secure Architectures With OpenBSD" by Palmer and Nazario

The OpenBSD documentation is excellent and very helpful. Later when everything 
is working as planned and if I'm tight on office space I'd get one of those 
Soekris boxes or similar and install my firewall there. Then you can tuck it 
safely under your desk.

I once tried out a GUI to handle my OpenBSD firewall but gave it up and I do 
prefer editing the pf.conf file with vim.

I installed Denyhosts on the firewall as well. There is no OpenBSD port for it 
but setup is easy with the Denyhosts documentation.
It is quite funny to see all the attempts to break into your box on port 22. 
Changing SSH to another port quiets this immediately.

Kind regards
Eike





Re: firewall

2012-07-04 Thread Jon Dowland
On Wed, Jul 04, 2012 at 10:53:00AM +0300, Lars Noodén wrote:
> On 7/4/12 10:46 AM, Muhammad Yousuf Khan wrote:
> > Web based Firewall (IPCOP) very powerful with the addon called BOT
> > (block out traffic) based on IPtables.
> 
> In some ways it's easier just to work with IPtables directly.

Except on Debian you are required to do a fair amount of work to make
your rules persistent across reboots and ensure you get ordering right
to not lock yourself out of the box (if remote): all problems that
do not exist if you install and use ufw.





Re: firewall

2012-07-04 Thread lina
Hi,

Following the instructions from http://wiki.debian.org/iptables

I am kinda of "running" the iptables now? (perhaps I understand wrong.
welcome correction.)

One thing a bit unexpected (to me) is that there are continuously
rolling info as following:

 Jul  4 22:18:07 Debian dhclient: DHCPREQUEST on eth0 to 172.21.4.192 port 67
Jul  4 22:18:10 Debian kernel: [42251.607781] --log-prefixIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:1b:78:4a:c7:5f:08:00 SRC=172.21.51.33
DST=255.255.255.255 LEN=149 TOS=0x00 PREC=0x00 TTL=127 ID=0 DF
PROTO=UDP SPT=43619 DPT=17500 LEN=129
Jul  4 22:18:23 Debian kernel: [42264.062275] --log-prefixIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:26:55:e3:4e:29:08:00 SRC=172.21.48.111
DST=172.21.51.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=11802 PROTO=UDP
SPT=137 DPT=137 LEN=58

Is it normal? or I set something wrong? Here is the output of the iptables -L

c# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             loopback/8           reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "--log-prefix"
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Thanks ahead for your suggestions,

Best regards,
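
Added example (not part of lina's message or of the Debian wiki page she followed): a small Python parser for the kernel LOG entries quoted above, which shows that both are Ethernet broadcasts from other machines on the LAN rather than traffic aimed at this host. The third kernel entry in the sample, the port-to-service table and all function names are constructed for illustration.

```python
import re
from collections import Counter

# The first two kernel entries are the ones quoted in the post, with the mail
# client's line wrapping undone. The last entry is constructed for contrast
# (its addresses, MAC and port are made up).
SAMPLE_LOG = """\
Jul  4 22:18:07 Debian dhclient: DHCPREQUEST on eth0 to 172.21.4.192 port 67
Jul  4 22:18:10 Debian kernel: [42251.607781] --log-prefixIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1b:78:4a:c7:5f:08:00 SRC=172.21.51.33 DST=255.255.255.255 LEN=149 TOS=0x00 PREC=0x00 TTL=127 ID=0 DF PROTO=UDP SPT=43619 DPT=17500 LEN=129
Jul  4 22:18:23 Debian kernel: [42264.062275] --log-prefixIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:26:55:e3:4e:29:08:00 SRC=172.21.48.111 DST=172.21.51.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=11802 PROTO=UDP SPT=137 DPT=137 LEN=58
Jul  4 22:19:02 Debian kernel: [42303.118420] --log-prefixIN=eth0 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=172.21.48.200 DST=172.21.50.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
"""

# Well-known destination ports (general knowledge, not taken from the post).
KNOWN_PORTS = {
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 17500): "Dropbox LAN sync discovery",
    ("TCP", 23): "telnet",
}

# The LOG target writes "<prefix>IN=<iface> OUT=<iface> ..." with no separator
# after the prefix. In the post the prefix is the literal text "--log-prefix",
# matching the prefix shown in the iptables -L output.
_HEADER = re.compile(
    r"kernel: (?:\[\s*[\d.]+\]\s*)?(?P<prefix>.*?)IN=(?P<inif>\S*) OUT="
)
_FIELD = re.compile(r"([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Return a dict for a netfilter LOG entry, or None for any other line."""
    header = _HEADER.search(line)
    if header is None:
        return None
    entry = {"prefix": header.group("prefix")}
    for key, value in _FIELD.findall(line[header.end("prefix"):]):
        # LEN appears twice (IP length, then UDP length); keep the first.
        entry.setdefault(key, value)
    return entry


def link_scope(entry):
    """Classify by destination MAC, the first six octets of MAC= on Ethernet."""
    dst = entry.get("MAC", "")[:17].lower()
    if len(dst) < 17:
        return "unknown"
    if dst == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    if int(dst[:2], 16) & 1:  # group bit set in the first octet
        return "multicast"
    return "unicast"


def summarize(log_text):
    """Count logged packets by (link scope, protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is None or "DPT" not in entry:
            continue
        counts[(link_scope(entry), entry["PROTO"], int(entry["DPT"]))] += 1
    return counts


def report(log_text):
    """Return one human-readable line per kind of logged packet."""
    lines = []
    for (scope, proto, port), n in sorted(summarize(log_text).items()):
        service = KNOWN_PORTS.get((proto, port), "unknown service")
        if scope == "unicast":
            note = "addressed to this host, worth a look"
        else:
            note = "LAN chatter, not aimed at this host"
        lines.append(f"{n} x {scope} {proto}/{port} ({service}): {note}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```
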





Re: firewall

2012-07-04 Thread lina
P.S. You guys are great.
Sometimes I didn't even reply item by item, or thank you one by one, but
I read every sentence in the emails. Many times read more than once.
So please kindly realize that your suggestions are very valuable and
highly appreciated (most time silently).
BTW, I didn't realize there is an etckeeper before. Just installed. And
for iptables I have spent 5 hours on it based on the suggestions.

Thanks again.

Best regards,





Re: firewall

2012-07-04 Thread Brad Alexander
On Wed, Jul 4, 2012 at 2:15 AM, Ralf Mardorf  wrote:
> On Wed, 2012-07-04 at 11:19 +0800, lina wrote:
>> Hi,
>>
>> I don't know which firewall (http://wiki.debian.org/Firewalls) I should 
>> choose.
>>
>> Thanks ahead for recommendation, and it will be very nice if you tell
>> me why you recommend this one.
>
> To answer drily: Test them and report what firewall does protect you the
> best against no attacks. Linux for home usage was safe, is safe, will be
> safe. Yes, it's safe regarding to things I criticize. I don't criticize
> protection per se, I only worry about t much security for nothing.

I disagree. It's about defense in depth. Because what happens if you
get a piece of bad software that opens a vulnerability? And yes, that
could happen to a home Linux user as easily as a corporate one, since
they are using the same update mechanisms. In fact, I would posit that
a home user could be at *more* risk, since, in theory, a corporate
user would be limited in the amount and types of software
installed...Corporate server vs home workstation.

So a piece of bad software gets introduced into the repos. It could
happen...And having a firewall in place (an external firewall would
have the advantage of not being able to be turned off by said
malware).

So it comes down to where the line between "protection" and "too
much" is. Which means it comes down to the following two questions. "What
are you trying to protect?" and "Who are you trying to defend
against?" For a home user, the obvious answer, like with corporate
users is "your data." Consider what that data consists of. Personal
documents, banking information, pictures, etc, would all be valid
types of data. The types of data may be different, but the exercise of
protecting it would be the same as a corporate user.

Now as for the second question, who are you trying to defend against,
let's look at the Windows world. You have people taking over boxes,
using them in botnets, stealing information, a whole niche market for
antivirus and antimalware products. IMHO, there are three things that
keep us from being in a similar situation. First, Linux users are
generally more savvy than Windows users (and less arrogant than Mac
users :) ); second, Linux has a higher bar for base security. Use of a
firewall, IDS, reading your logs only enhances that. But the fact that
the bar is higher doesn't mean it's insurmountable. The third reason we
are not in the same boat as Windows is that we have a much smaller
attack surface than Windows. Windows still has over 90% penetration on
the desktop. Therefore, they are the low hanging fruit.

This doesn't mean that we will never be in that boat, and only
vigilance will keep us out of it.

Just my 2 cents.
--b





Re: firewall

2012-07-04 Thread Lisi
On Wednesday 04 July 2012 17:14:29 Brad Alexander wrote:
> The third reason we
> are not in the same boat as windows is that we have a much smaller
> attack surface than Windows. Windows still has over 90% penetration on
> the desktop, Therefore, they are the low hanging fruit.

How, then, do you explain the fact that Windows servers, which have a 
penetration of less than 50%, suffer on the Internet as do Windows home 
users, whilst Unix and family servers, which have over 50% penetration, still 
suffer from _far_ less malware?

Lisi





Re: firewall

2012-07-04 Thread Joe
On Wed, 4 Jul 2012 18:11:14 +0100
Lisi  wrote:

> On Wednesday 04 July 2012 17:14:29 Brad Alexander wrote:
> > The third reason we
> > are not in the same boat as windows is that we have a much smaller
> > attack surface than Windows. Windows still has over 90% penetration
> > on the desktop, Therefore, they are the low hanging fruit.
> 
> How, then, do you explain the fact that Windows servers, which have a 
> penetration of less than 50%, suffer on the Internet as do Windows
> home users, whilst Unix and family servers, which have over 50%
> penetration, still suffer from _far_ less malware?
> 

All kinds of reasons, beginning with the fact that most malware
designed for Windows desktops works just fine on the servers, too,
though I think most servers are somewhat better protected than a home
PC. People don't sit in front of them and surf the Web, for one thing
(at least not in sensible companies).

But while there are excellent Windows admins, the fact is that it is a
point-and-click environment, with qualifications obtainable from exams
marked by computer, and hence multiple-choice. I'm not suggesting the
exams are trivial, but by their nature they ask go-nogo questions, and
the questions are mostly based on operating the Windows dialogue boxes.

Microsoft has made its billions by making computers relatively easy to
use, so you can go a long way as a junior admin or consultant by just
knowing the right box to tick. There is a relatively small amount you
can do wrong.

I'm not just guessing here: I started in network admin by being given a
small NT4 network to look after. I didn't install the server, and
occasionally had to call in the company who did, but I bought the
appropriate set of MS books with a view to going for the MCSE. That
never happened, but I got fairly familiar with what was in the books
and I could sort out most problems. I built a second PC at home and
installed NT server and workstation software multi-booting with my
production Win95 and Win98.

Then I discovered Linux, at about Red Hat 5 if I remember rightly (long
before RHEL and Fedora), and learned a great deal more about computer
and network admin in a couple of months than I had in about two years
of practical NT admin, having in that time learned what I estimated was
most of the knowledge necessary for the NT4 MCSE. What was a little
disturbing was that after a fairly short exposure to Linux, I now
*understood* a lot more about what I had been doing by rote with NT,
and that understanding was *not* required by the MCSE exam.

The bottom line is that Linux is significantly harder to drive than
Windows (and I've dabbled with Server 2000, 2003 and 2008, and a few
Red Hats, Mandrakes and Debians) and the admins are likely to know
more about what they're actually doing, because they need to.

On the other hand, a lot more Linux knowledge is transferable, because
Linux developers don't have to sell new versions every few years.
Windows doesn't actually change all that much between versions, but the
GUI and in particular the GUI paradigms (I hate that word, but it is
the right one for the mix of views and concepts that MS use to overlay
the prosaic world of IP addresses and daemons) must change noticeably
to convince buyers they're getting something better. So Windows admins
have to learn a different method of access to many configurations with
each version, getting further and further away from the nuts and
bolts, and Linux admins just need to keep track of what has now
migrated into /etc/default, or that a big configuration file is now
split into many smaller ones.

The current limit is reached with MS Small Business Server, which aims
to be a full-featured server for people who know no IT whatever. It's
very limited compared to the full Server version, because almost
everything is hard-coded. There are a lot of these about now, and
some of the people who own them do some extremely stupid things with
them...

-- 
Joe





Re: firewall

2012-07-04 Thread Brad Alexander
On Wed, Jul 4, 2012 at 3:46 PM, Joe  wrote:
> On Wed, 4 Jul 2012 18:11:14 +0100
> Lisi  wrote:
>
>> On Wednesday 04 July 2012 17:14:29 Brad Alexander wrote:
>> > The third reason we
>> > are not in the same boat as windows is that we have a much smaller
>> > attack surface than Windows. Windows still has over 90% penetration
>> > on the desktop, Therefore, they are the low hanging fruit.
>>
>> How, then, do you explain the fact that Windows servers, which have a
>> penetration of less than 50%, suffer on the Internet as do Windows
>> home users, whilst Unix and family servers, which have over 50%
>> penetration, still suffer from _far_ less malware?
>>
>
> All kinds of reasons, beginning with the fact that most malware
> designed for Windows desktops works just fine on the servers, too,
> though I think most servers are somewhat better protected than a home
> PC. People don't sit in front of them and surf the Web, for one thing
> (at least not in sensible companies).
>
> But while there are excellent Windows admins, the fact is that it is a
> point-and-click environment, with qualifications obtainable from exams
> marked by computer, and hence multiple-choice. I'm not suggesting the
> exams are trivial, but by their nature they ask go-nogo questions, and
> the questions are mostly based on operating the Windows dialogue boxes.
>
> Microsoft has made its billions by making computers relatively easy to
> use, so you can go a long way as a junior admin or consultant by just
> knowing the right box to tick. There is a relatively small amount you
> can do wrong.

Excellent points, Joe. In addition, Windows was designed from the
ground up as a single-user operating system, which means that all of
the files on a system were accessible by the user. Then, over the
course of time security and file restrictions were bolted on.
Unix/Linux, OTOH, were designed as multiuser environments. So the
concept of file permissions, root-only parts of the filesystem and so
forth were baked in early on. The latter approach is far easier to
maintain/enhance than the former.

Add to that the fact that MS (and Apple) packs software in a black box
and tosses it over the wall to consumers. This means any vulnerability
that the Bad Guys are able to reverse engineer is in the wild until
the company gets around to patching it. Which is something MS has
gotten very, very good at over the years. Call it reactive security.
With Open Source software, OTOH, anyone can find a problem and fix it.
Consequently, in a lot of cases, the fix for a problem is included
with the description of the problem. No, this does not happen all of
the time, witness the recent authentication bypass in MySQL or the
kernel bug that was there for 8 years...But then again, there is a bug
in the 16-bit code in Windows that was first reported in 1994 that MS
says that they will not fix...So there are corner cases on both sides.

> The bottom line is that Linux is significantly harder to drive than
> Windows (and I've dabbled with Server 2000, 2003 and 2008, and a few
> Red Hats, Mandrakes and Debians) and the admins are likely to know
> more about what they're actually doing, because they need to.

I disagree with this. I have been doing Linux almost exclusively since
1998, and in fact, have only had a Windows box on my desk for a total
of 1 year in that period. I'm as lost in a Windows environment as a
Windows user would be if dropped cold-turkey into Linux.

--b





Re: firewall

2012-07-04 Thread Adrian Fita
On 04/07/12 10:31, Mika Suomalainen wrote:
> On 04.07.2012 06:19, lina wrote:
>>
>> I don't know which firewall (http://wiki.debian.org/Firewalls) I
>> should choose.
>>
>> [...]
>>
> I recommend UFW. It's simple to use and does everything what firewall
> should do in my opinion.
> 
> All commands are like "ufw allow 22/tcp" (allows connections to SSH port).
> 
> It also has gui called GUFW.

Agreed. This is what I use. ufw is great for home PC/laptop use. And the
GUI, GUFW makes it as easy as a firewall can be. Fire and forget. Of
course, knowing a bit about iptables is recommended, to understand what
happens behind the scenes.

firestarter is also nice and easy to work with.

-- 
Adrian Fita





Re: firewall

2012-07-04 Thread Tom H
On Wed, Jul 4, 2012 at 4:04 AM, Joe  wrote:
>
> Most ports can be closed by configuration, even the infamous portmap
> can be limited to localhost if you're not using it externally e.g. for
> NIS or NFS. If you have a standalone Linux machine in a foreign
> network, pretty much everything can be closed.

With nfsv4, you don't have to expose 111; you can just have 2049 open
(I've never tried to close 111 with nfsv3; perhaps it works too).





Re: firewall

2012-07-04 Thread Tom H
On Wed, Jul 4, 2012 at 3:38 AM, Ralf Mardorf  wrote:
>
> *chuckle* A trillion years ago I used a firewall myself. "Ports" are an
> issue, I wasn't able to down- or upload by ftp. BUT, How many serious
> attacks did you notice around the last 30 days?

Your aversion to security is interesting. You dismissed selinux in a
previous thread and are now belittling iptables. Why don't you just
publish your username and password on the net if you think that there
are no dangers out there? :)





Re: firewall

2012-07-04 Thread Brian
On Wed 04 Jul 2012 at 11:19:06 +0800, lina wrote:

> I don't know which firewall (http://wiki.debian.org/Firewalls) I
> should choose.
> 
> Thanks ahead for recommendation, and it will be very nice if you tell
> me why you recommend this one.

You can either manipulate netfilter directly with iptables or have
something else (like the suggested ufw or gufw) do it for you. Using
iptables is not for the faint hearted.

Alternatively, you could detail why you need a firewall. The only reason
you have given up to now is fear. This leads to strange things being
done: for example, your 'iptables -L' output in another post shows
connections to a webserver and sshd being accepted from anywhere, as are
ICMP requests. Nothing wrong with that. But why bother with an iptables
rule if that is what you had in the first place?





Re: firewall

2012-07-04 Thread Brian
On Wed 04 Jul 2012 at 12:14:29 -0400, Brad Alexander wrote:

> On Wed, Jul 4, 2012 at 2:15 AM, Ralf Mardorf  
> wrote:
> >
> > To answer drily: Test them and report what firewall does protect you the
> > best against no attacks. Linux for home usage was safe, is safe, will be
> > safe. Yes, it's safe regarding to things I criticize. I don't criticize
> > protection per se, I only worry about t much security for nothing.
> 
> I disagree. It's about defense in depth. Because what happens if you

A commonly used phrase - military in origin, I imagine. One day I must
investigate how a firewall can protect my mail server. Until then I will
just continue to accept connections from anywhere.

> get a piece of bad software that opens a vulnerability? And yes, that

I'd rather you were specific here about the sort of vulnerability in the
service you are thinking about but, talking in general and using Debian,
the fix would become available, you would download it and move on. No
problem, no fuss, no firewall needed.

[Snip]

> So a piece of bad software gets introduced into the repos. It could
> happen...And having a firewall in place (an external firewall would
> have the advantage of not being able to be turned off by said
> malware).

A firewall will not give protection from a software defect in a running
service. Not unless you lock the service down so much it becomes
useless.





Re: firewall

2012-07-04 Thread Brian
On Wed 04 Jul 2012 at 08:21:10 -0400, Eike Lantzsch wrote:

> OK, I see that this might be flamebait ...
> 
> On Tuesday 03 July 2012 23:19:06 lina wrote:
> > Hi,
> > 
> > I don't know which firewall (http://wiki.debian.org/Firewalls) I should
> > choose.
> > 
> > Thanks ahead for recommendation, and it will be very nice if you tell
> > me why you recommend this one.
> > 
> > Best regards,
> 
> It seems that you want a firewall on the computer which you are working with.
> As regards to closing unnecessary ports or limiting them to localhost, Joe 
> gave good advice already.

The very best way of closing a port is to shut down the service or
remove it from the machine. I cannot think of a single service which
doesn't allow connections to be limited without the use of a firewall.





Re: firewall

2012-07-04 Thread Brad Alexander
On Wed, Jul 4, 2012 at 6:04 PM, Brian  wrote:

> A commonly used phrase - military in origin, I imagine. One day I must
> investigate how a firewall can protect my mail server. Until then I will
> just continue to accept connections from anywhere.

I will give you an example of this. Your mailserver runs, say,
roundcube or some other webmail. You want port 80 (or 443) available
on your local LAN, but not to the internet. A perimeter firewall could
block access from outside your perimeter. Just as an example. Or for
that matter, you could insert imap/imaps, pop3/pop3s, etc.

>> get a piece of bad software that opens a vulnerability? And yes, that
>
> I'd rather you were specific here about the sort of vulnerability in the
> service you are thinking about but, talking in general and using Debian,
> the fix would become available, you would download it and move on. No
> problem, no fuss, no firewall needed.

Using the above example, suppose your mail server had to run sendmail
(I know, a stretch nowadays, but in the not-too-distant past, a
distinct possibility). Sendmail had a tradition of having more holes
than Swiss cheese, and vulnerabilities were fixed almost weekly. When
a new version was uploaded to the repos, I guarantee not all of the
holes had been fixed.

This is the concept of the 0day vulnerability. An unknown, unpublished
vulnerability. A firewall *might* help blunt a possible attack or
block an attack vector.

But it is a game of chances. As I have told people before, "Security
times usability is a constant: The only secure system is one that
is unplugged from the network, powered off, packed in concrete, and
fired into the sun...But at that point, it isn't very usable, is it?"

--b

> [Snip]
>
>> So a piece of bad software gets introduced into the repos. It could
>> happen...And having a firewall in place (an external firewall would
>> have the advantage of not being able to be turned off by said
>> malware).
>
> A firewall will not give protection from a software defect in a running
> service. Not unless you lock the service down so much it becomes
> useless.





Re: firewall

2012-07-04 Thread lina
On Thu, Jul 5, 2012 at 5:31 AM, Brian  wrote:
> On Wed 04 Jul 2012 at 11:19:06 +0800, lina wrote:
>
>> I don't know which firewall (http://wiki.debian.org/Firewalls) I
>> should choose.
>>
>> Thanks ahead for recommendation, and it will be very nice if you tell
>> me why you recommend this one.
>
> You can either manipulate netfilter directly with iptables or have
> something else (like the suggested ufw or gufw) do it for you. using
> iptables is not for the faint hearted.
>
> Alternatively, you could detail why you need a firewall. The only reason
> you have given up to now is fear. This leads to strange things being
> done: for example, your 'iptables -L' output in another post shows
> connections to a webserver and sshd being accepted from anywhere, as are
> ICMP requests. Nothing wrong with that. But why bother with an iptables
> rule if that is what you had in the first place?

Indeed, I found that the system is actually not much different than before
under the current iptables configuration.






Re: firewall

2012-07-05 Thread Weaver

> On Wed, Jul 4, 2012 at 3:38 AM, Ralf Mardorf 
> wrote:
>>
>> *chuckle* A trillion years ago I used a firewall myself. "Ports" are an
>> issue, I wasn't able to down- or upload by ftp. BUT, How many serious
>> attacks did you notice around the last 30 days?
>
> Your aversion to security is interesting. You dismissed selinux in a
> previous thread and are now belittling iptables. Why don't you just
> publish your username and password on the net if you think that there
> are no dangers out there? :)

Yes!
With a big text file with all your bank account passwords and other highly
sensitive information, along with details of imaginary deals with the PLO
in supplying them with container loads of automatic weaponry, and get back
to us when your social life develops in interesting directions.


-- 


Religion is regarded by the common people as true,
by the wise as false,
and by the rulers as useful.

— Lucius Annæus Seneca.

Terrorism, the new religion.






Re: firewall

2012-07-05 Thread Anthony Campbell
On 04 Jul 2012, Brad Alexander wrote:
> On Wed, Jul 4, 2012 at 2:15 AM, Ralf Mardorf  
> wrote:
> > On Wed, 2012-07-04 at 11:19 +0800, lina wrote:
> >> Hi,
> >>
> >> I don't know which firewall (http://wiki.debian.org/Firewalls) I should 
> >> choose.
> >>
> >> Thanks ahead for recommendation, and it will be very nice if you tell
> >> me why you recommend this one.
> >
> > To answer drily: Test them and report what firewall does protect you the
> > best against no attacks. Linux for home usage was safe, is safe, will be
> > safe. Yes, it's safe regarding to things I criticize. I don't criticize
> > protection per se, I only worry about t much security for nothing.
> 
> I disagree. It's about defense in depth. Because what happens if you
> get a piece of bad software that opens a vulnerability? And yes, that
> could happen to a home Linux user as easily as a corporate one, since
> they are using the same update mechanisms. In fact, I would posit that
> a home user could be at *more* risk, since, in theory, a corporate
> user would be limited in the amount and types of software
> installed...Corporate server vs home workstation.
> 



I have a home network. A few years ago I was attacked and the ownership
of some files was changed. I restored them to normal and it happened
again, so I reinstalled. Since then I've been using shorewall and there
have been no further intrusions.


AC





Re: firewall

2012-07-05 Thread Atıf CEYLAN
 

On 2012-07-05 10:05, Anthony Campbell wrote: 

> On 04 Jul 2012, Brad Alexander wrote:
>
>> On Wed, Jul 4, 2012 at 2:15 AM, Ralf Mardorf wrote:
>>
>>> On Wed, 2012-07-04 at 11:19 +0800, lina wrote:
>>>
>>>> Hi, I don't know which firewall (http://wiki.debian.org/Firewalls)
>>>> I should choose. Thanks ahead for recommendation, and it will be
>>>> very nice if you tell me why you recommend this one.
>>>
>>> To answer drily: Test them and report what firewall does protect you
>>> the best against no attacks. Linux for home usage was safe, is safe,
>>> will be safe. Yes, it's safe regarding to things I criticize. I don't
>>> criticize protection per se, I only worry about t much security
>>> for nothing.
>>
>> I disagree. It's about defense in depth. Because what happens if you
>> get a piece of bad software that opens a vulnerability? And yes, that
>> could happen to a home Linux user as easily as a corporate one, since
>> they are using the same update mechanisms. In fact, I would posit that
>> a home user could be at *more* risk, since, in theory, a corporate
>> user would be limited in the amount and types of software
>> installed...Corporate server vs home workstation.
>
> I have a home network. A few years ago I was attacked and the ownership
> of some files was changed. I restored them to normal and it happened
> again, so I reinstalled. Since then I've been using shorewall and there
> have been no further intrusions.
>
> AC

Your problem is not a firewall problem. Firewall doesn't mean IPS/IDS
or L7 Filter. Also a firewall must be a netfilter, NAT, routing etc.

Inbound or outbound network traffic and packets are permitted or
blocked/rejected or port forwarding by firewall.

If there is a vulnerability on your OS or apps you must use IPS/IDS or
L7 filter or UTM (netfilter + ips + any stuff...)
-- 

/**
 * @AUTHOR Atıf CEYLAN
 * Software Developer & System Admin
 * http://www.atifceylan.com
 */


Re: firewall

2012-07-05 Thread Jon Dowland
On Wed, Jul 04, 2012 at 04:52:10PM -0400, Brad Alexander wrote:
> Excellent points, Joe. In addition, Windows was designed from the ground up
> as a single-user operating system, which means that all of the files on a
> system were accessible by the user.

This is not true for the NT-based Windows systems, i.e. all of them released in
the last 11 years.





Re: firewall

2012-07-05 Thread Jon Dowland

Your reply (the text/plain portion) was completely illegible I'm afraid. Please
refrain from sending HTML mail.





Re: firewall

2012-07-05 Thread Doug

On 07/05/2012 08:31 AM, Atıf CEYLAN wrote:


> On 2012-07-05 10:05, Anthony Campbell wrote:
>
>> On 04 Jul 2012, Brad Alexander wrote:
>>> On Wed, Jul 4, 2012 at 2:15 AM, Ralf Mardorf wrote:
>>>
>>>> On Wed, 2012-07-04 at 11:19 +0800, lina wrote:
>>>>> Hi, I don't know which firewall (http://wiki.debian.org/Firewalls)
>>>>> I should choose. Thanks ahead for recommendation, and it will be
>>>>> very nice if you tell me why you recommend this one.
>>>> To answer drily: Test them and report what firewall does protect
>>>> you the best against no attacks. Linux for home usage was safe, is
>>>> safe, will be safe. Yes, it's safe regarding to things I criticize.
>>>> I don't criticize protection per se, I only worry about t much
>>>> security for nothing.
>>> I disagree. It's about defense in depth. Because what happens if you
>>> get a piece of bad software that opens a vulnerability? And yes,
>>> that could happen to a home Linux user as easily as a corporate one,
>>> since they are using the same update mechanisms. In fact, I would
>>> posit that a home user could be at *more* risk, since, in theory, a
>>> corporate user would be limited in the amount and types of software
>>> installed...Corporate server vs home workstation.
>>
>> I have a home network. A few years ago I was attacked and the ownership
>> of some files was changed. I restored them to normal and it happened
>> again, so I reinstalled. Since then I've been using shorewall and there
>> have been no further intrusions.
>>
>> AC
>
> Your problem is not a firewall problem. Firewall doesn't mean IPS/IDS
> or L7 Filter.  Also a firewall must be a netfilter, NAT, routing etc.
>
> Inbound or outbound network traffic and packets are permitted or
> blocked/rejected or  port forwarding by firewall.
>
> If there is a vulnerability on your OS or apps you must use IPS/IDS or
> L7 filter or UTM (netfilter + ips + any stuff...)
>
> --

For someone who doesn't understand firewalls in the first place--I'm
one, also--your answer might as well be written in Chinese!


--doug





Re: firewall

2012-07-05 Thread Eike Lantzsch
On Thursday 05 July 2012 18:26:12 Doug wrote:
> On 07/05/2012 08:31 AM, Atıf CEYLAN wrote:
> > On 2012-07-05 10:05, Anthony Campbell wrote:
> >> On 04 Jul 2012, Brad Alexander wrote:
> >>> On Wed, Jul 4, 2012 at 2:15 AM, Ralf Mardorf wrote:
> >>>> On Wed, 2012-07-04 at 11:19 +0800, lina wrote:



[snip Lina's request for recommendation on firewalls]

[snip Ralf Mardorf's dry answer]

[snip Brad Alexander's disagreement]

[snip Anthony Campbell's anecdotal experience]

[Atif CEYLAN's statement follows]
> > Your problem is not a firewall problem. Firewall doesn't mean IPS/IDS
> > or L7 Filter.  Also a firewall must be a netfilter, NAT, routing etc.
> > 
> > Inbound or outbound network traffic and packets are permitted or
> > blocked/rejected or  port forwarding by firewall.
> > 
> > If there is a vulnerability on your OS or apps you must use IPS/IDS or
> > L7 filter or UTM (netfilter + ips + any stuff...)

IDS = Intrusion Detection System
IPS = Intrusion Prevention System
L7-Filter see https://en.wikipedia.org/wiki/L7-filter
UTM can be anything from "Unified Threat Management" over "University of 
Toronto at Mississauga (Canada)" to "Universal Transport Medium"
see http://www.acronymfinder.com/UTM.html
HTH
SCNR
GWPF

[Doug's puzzled comment follows]
> 
> For someone who doesn't understand firewalls in the first place--I'm
> one, also--your answer might as well be written in Chinese!
> 
> --doug



Kind regards, Eike


--
Archive: http://lists.debian.org/201207052010.38237.zp6...@gmx.net



Re: firewall

2012-07-06 Thread Andrei POPESCU
On Mi, 04 iul 12, 15:16:10, Jon Dowland wrote:
> 
> Except on Debian you are required to do a fair amount of work to make
> your rules persistent across reboots and ensure you get ordering right
> to not lock yourself out of the box (if remote): all problems that
> do not exist if you install and use ufw.

apt-cache show iptables-persistent

Kind regards,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic




Re: firewall

2012-07-06 Thread Jon Dowland
On Fri, Jul 06, 2012 at 05:39:47PM +0300, Andrei POPESCU wrote:
> On Mi, 04 iul 12, 15:16:10, Jon Dowland wrote:
> > 
> > Except on Debian you are required to do a fair amount of work to make
> > your rules persistent across reboots and ensure you get ordering right
> > to not lock yourself out of the box (if remote): all problems that
> > do not exist if you install and use ufw.
> 
> apt-cache show iptables-persistent

I didn't know about that - about time someone did it!

My point still stands though, since this is not out-of-the-box. Also read
the long description:

> "Since this is aimed at experienced administrators, there is no configuration
 wizard."


-- 
Archive: http://lists.debian.org/20120706144747.GB10959@debian



Re: firewall

2012-07-10 Thread Chris Bannister
On Wed, Jul 04, 2012 at 11:19:06AM +0800, lina wrote:
> Hi,
> 
> I don't know which firewall (http://wiki.debian.org/Firewalls) I should 
> choose.
> 
> Thanks ahead for recommendation, and it will be very nice if you tell
> me why you recommend this one.

Have a read of:
http://www.debian-administration.org/articles/552

-- 
"If you're not careful, the newspapers will have you hating the people
who are being oppressed, and loving the people who are doing the 
oppressing." --- Malcolm X


-- 
Archive: http://lists.debian.org/20120710231854.GE3873@tal



Re: firewall

2012-07-14 Thread Joel Roth
On Wed, Jul 04, 2012 at 11:19:06AM +0800, lina wrote:
> Hi,
> 
> I don't know which firewall (http://wiki.debian.org/Firewalls) I should 
> choose.
> 
> Thanks ahead for recommendation, and it will be very nice if you tell
> me why you recommend this one.

From other posts on this thread, it sounds like you've made
progress.

I'll just add a plug for firestarter, as no one else has
mentioned it. This is by far the easiest.

I configured it quickly with the wizard, then
discovered my IMAP connection wasn't going through. In the
Events list I could see that port 993 was being blocked. I
edited the rule to add port 993 to the IMAP line. Done.

iptables -L -n 

shows a much more complicated set of rules than I could
understand or configure myself -- at least without 
devoting a great deal of time to it.

OTOH, my use case is rather simple, a notebook behind
a router, so I don't need the level of fine tuned
control and hardness that a server would require.

I could see how one could start with firestarter,
then later migrate to a more advanced utility
such as firehol.

cheers,

Joel

> Best regards,
-- 
Joel Roth


-- 
Archive: http://lists.debian.org/20120715004544.GA31771@sprite



Firewall Logs

2002-03-29 Thread Alan Poulton
Hi List

I'm running Debian Potato, upgraded to Kernel 2.4.17 via Bunk..

Where are the logs for IPTables kept, and how readable are they? If
they're tough to read, is there a (non-GUI) utility to make it easier?
I'm running a simple router/firewall with a Herc graphics card, so I
can't have anything graphic =]

TIA

-- 
  - Alan Poulton ([EMAIL PROTECTED]) -
I demand happiness





firewall ruleset

2000-10-21 Thread Eduardo Gargiulo
Hi. First of all, sorry for my english...

I'm running Debian 2.2 (potato). I have configured my linux box as a
firewall and masquerade server for my internal LAN and everything is ok.
Now, I get a small set of real IP addresses (7 exactly) and I need to put
those workstations behind the firewall. The actual layout is like this:

                 +----------+
                 | Internet |
                 +----------+
                      |
                 +----------+
                 |  Router  |
                 +----------+
               INTERNET_IP.1/29
                      |
   +--------------------------------------------+
   |                   H U B                    |
   +--------------------------------------------+
     |      ||  ||  ||  ||  ||  ||  ||  ||     |
     |   INTERNAL_IP.2/24    INTERNET_IP.3/29  |
     |         .             INTERNET_IP.4/29  |
     |         .             INTERNET_IP.5/29  |
     |   INTERNAL_IP.255/24  INTERNET_IP.6/29  |
     |                       INTERNET_IP.7/29  |
     |          +--------------+               |
     |          |    Linux     |               |
     |          | Masquerading |               |
     +----------|   Firewall   |---------------+
      eth1      +--------------+      eth0
  INTERNAL_IP.1/24               INTERNET_IP.2/29

As you can see, all the machines with INTERNET_IP are before the
firewall, so the security is a trivial joke (the machines are running
Window$ :). My idea is to add an interface (eth2) to my linux box and put a
cross utp between the router and eth0, and eth1/2 connected to the HUB.
What I have in my head is the following:

                 +----------+
                 | Internet |
                 +----------+
                      |
                 +----------+
                 |  Router  |
                 +----------+
               INTERNET_IP.1/29
                      |
                      | Cross UTP
                      |
             eth0 INTERNET_IP.2/29
                +--------------+
                |    Linux     |
 eth1           | Masquerading |           eth2
 INTERNAL_IP.1/24              INTERNET_IP.3/29
     +----------|   Firewall   |----------+
     |          +--------------+          |
     |                                    |
   +----------------------------------------+
   |                 H U B                  |
   +----------------------------------------+
      ||  ||  ||  ||  ||  ||  ||  ||  ||
   INTERNAL_IP.2/24        INTERNET_IP.4/29
          .                INTERNET_IP.5/29
          .                INTERNET_IP.6/29
   INTERNAL_IP.255/24      INTERNET_IP.7/29

The problem is that I have very short time to change the layout, so I
can't test it. How should I configure the linux box to handle this
system? Is it possible for this to work? How can a TCP packet that comes
from the Internet to my INTERNET_IP.6 know that it has to pass through
eth0, eth2, HUB?
I hope you can understand my ugly description but my english is too bad.

Thanks.

-- 
:%s/Micros~1/GNU\/Linux/g
:wq!



DSL & Firewall

2000-11-05 Thread Christopher W. Aiken

My "Mom & Pop" phone company had an insert in my latest 
phone bill that indicated they would be providing DSL
service in the very near future.  A friend of mine
suggested that if I get the DSL service that I should set 
up a firewall to protect myself.  He also suggested that
I start with a page on the net (TrinityOS at http://24.7.216.129:8192/)
that has some basic ipchain configurations.  I don't understand any of 
this stuff, but the TrinityOS pages had a 100 line rc.firewall
script and a 1300 line ipchains config file.  Is all of this
really necessary?   Why can't I just set my "/etc/hosts.deny"
file to "ALL: PARANOID", comment out the "telnet" "ftp" and
"http" lines out of my "/etc/inetd.conf" file?  Wouldn't
that be enough protection for my system?

--
Christopher W. Aiken, Scenery Hill, Pa, USA
chris at cwaiken dot com,   www.cwaiken.com
Current O/S: Debian 2.2 GNU/Linux




Re: FIREWALL

2000-11-08 Thread Moritz Schulte
dude <[EMAIL PROTECTED]> writes:

> but i was wondering how to set up gnu/linux debian to be a firewall
> and IP router like the Cybermax suite is.

I don't know Cybermax, but there are many good howtos on this
subject. If you don't have the howtos already installed, search a bit
at http://www.linuxdoc.org...

moritz
-- 
/* Moritz Schulte <[EMAIL PROTECTED]>
 * http://hp9001.fh-bielefeld.de/~moritz/
 * PGP-Key available, encrypted Mail is welcome.
 */



Re: firewall

2000-06-13 Thread Christopher Splinter
* Timothy C Phan <[EMAIL PROTECTED]> writes:

>   My next task is setting firewall.  Would someone please let
>   me know where can I find doc on this firewall subject.

/usr/doc/HOWTO/IPCHAINS-HOWTO



Re: firewall

2000-06-13 Thread Randy Edwards
> My next task is setting firewall.  Would someone please
> let me know where can I find doc on this firewall
> subject.

   There is a site at <http://www.linux-firewall-tools.com/linux/> (or
somewhere below that link) that contains a web-based firewall script
generator.  Myself, I didn't like the code it put out; some of it seemed
redundant and it seemed way too complex for what it needs to do.

   IMHO, a better place to start is at Debian's own "ipmasq" package.

   For reading up on the topic, I'd suggest the Firewall and Proxy Server
how-to at <http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html> but overall, I
don't think this how-to is one of the stronger ones.  I found a much more
useful article at the Linux Gazette in the article
<http://www.linuxgazette.com/issue46/pollman.html>.

-- 
 Regards, | Do you like browsing the web, independent of whatever
 .| type of computer you are talking to on the other end?
 Randy| "Enhancements" to public standards and protocols is the
  | way the WWW will be turned into a proprietary nightmare.



Re: Firewall

2000-06-28 Thread Marc Dubrowski
On Wed, 28 Jun 2000, Derek Wueppelmann wrote:
> Yet another problem I have been having with a Debian install. Sorry to keep
> pestering.
> 
> Here is my problem stated simply. I need to create a firewall between our
> internal network and the internet while still allowing the machines inside
> the network some limited access out and in. i.e.. keep our webservers etc.
> inside the firewall.
> 
> I have two network cards installed in my machine and I have followed the
> FIREWALL-HOWTO to the "t". here is my configuration
> 
> eth0 xxx.xxx.xxx.1 :Connected to the internal network
> eth1 xxx.xxx.xxx.2 :Connected to the internet.
> # note that the xxx.xxx.xxx are the same subnet since we are allocated a
> class C domain.
> 
> my routing table looks similar to this:
> DESTINATION      GATEWAY          GENMASK          ... IFACE
> xxx.xxx.xxx.254  0.0.0.0          255.255.255.255      eth1
> xxx.xxx.xxx.0    0.0.0.0          255.255.255.0        eth0
> 0.0.0.0          xxx.xxx.xxx.254  0.0.0.0              eth1
> 
> Sorry for the poor formatting.
> 
> Right now all I can do is access both of the IP addresses from either the
> internet or the internal network. However no matter what I do I can't get
> past the firewall (it works too well). I have enabled IP forwarding in the
> kernel and set the IP_forward file to 1 as well as set the forward ipchains
> to wide open, as in:
> 
> ipchains -A forward -j ACCEPT
> 
> as the only rule.
> 

What you need is subnetting your class C network in several smaller subnets.
The first one would be x.x.x.0/255.255.255.252 (or 248 if you want several
addresses outside your firewall, for an i.e. Intrusion detection system)
The other ones would fit your needs. 

The firewall would then have a NIC (eth0) in the first subnet (x.x.x.0/30
(or/29)), and the second one (eth1) would be in any other.

Then, you can proxy-arp the different subnets or ask your ISP to route all
traffic to your subnets through eth0. That's what I've done, as it's easier for
me to manage than to modify my arp table each time I add/remove a computer.
I've been told that ISPs usually don't make problems for routing.

Enjoy !
-- 

Marc Dubrowski  
Kind of a Network Administrator 
K.B.I.N.I.R.Sc.N.B. 
29 rue Vautier B-1040 Brussels, Belgium 






Re: Firewall

2000-06-28 Thread Derek Wueppelmann
>> eth0 xxx.xxx.xxx.1 :Connected to the internal network
>> eth1 xxx.xxx.xxx.2 :Connected to the internet.
>> # note that the xxx.xxx.xxx are the same subnet since we are allocated a
>> class C domain.
>>
>> my routing table looks similar to this:
>> DESTINATION      GATEWAY          GENMASK          ... IFACE
>> xxx.xxx.xxx.254  0.0.0.0          255.255.255.255      eth1
>> xxx.xxx.xxx.0    0.0.0.0          255.255.255.0        eth0
>> 0.0.0.0          xxx.xxx.xxx.254  0.0.0.0              eth1
>>
> Sorry for the poor formatting.
>
>What you need is subnetting your class C network in several smaller subnets.
>The first one would be x.x.x.0/255.255.255.252 (or 248 if you want several
>addresses outside your firewall, for an i.e. Intrusion detection system)
>The other ones would fit your needs.
>
>The firewall would then have a NIC (eth0) in the first subnet (x.x.x.0/30
>(or/29)), and the second one (eth1) would be in any other.
>--


Well I tried all of that and it didn't seem to help me out. I am stuck using
the gateway to the internet as xxx.xxx.xxx.254 and I can't change this. I
have only been trying to get out right now, which shouldn't involve our ISP
doing any routing work. I subnetted our class C network using a netmask of
255.255.255.252 and put the gateway address as xxx.xxx.xxx.1 and the machine
inside the firewall as xxx.xxx.xxx.2, the firewall machine can still see the
outside and inside world and the inside machine can still see both IP
addresses of the firewall machine. Any other thoughts?

 0 /  Derek Wueppelmann
(D   Libraxus Inc.
/ \   [EMAIL PROTECTED]



Re: Firewall

2000-06-28 Thread Bolan Meek
Derek Wueppelmann wrote:
> 
> >> eth0 xx.xx.xx.1 :Connected to the internal network
> >> eth1 xx.xx.xx.2 :Connected to the internet.
> >> # note that the xxx.xxx.xxx are the same subnet since
> >> we are allocated a class C domain.

Minor correction:  to the Internet these addresses are
in the same _network_, not _subnet_, if you have a class C.

> >> my routing table looks similar to this: [abbreviations made]
> >> DESTINATIONGATEWAY  GENMASK... IFACE
> >> xx.xx.xx.254   0.0.0.0  255.255.255.255 eth1
> >> xx.xx.xx.0 0.0.0.0  255.255.255.0   eth0
> >> 0.0.0.0xx.xx.xx.254 0.0.0.0 eth1
> >> ...

> > What you need is subnetting your class C network in several smaller
> > subnets.  The first one would be x.x.x.0/255.255.255.252 (or 248
> > if you want several addresses outside your firewall, for an i.e.
> > Intrusion detection system)  The other ones would fit your needs.
> >
> >The firewall would then have a NIC (eth0) in the first subnet
> > (x.x.x.0/30(or/29)), and the second one (eth1) would be in any other.
> >--
> 
> Well I tried all of that and it didn't seem to help me out.
> I am stuck using the gateway to the internet as xxx.xxx.xxx.254
> and I can't change this. I have only been trying to get out right
> now, which shouldn't involve our ISP doing any routing work.
> I subnetted our class C network using a netmask of 255.255.255.252
> and put the gateway address as xxx.xxx.xxx.1 and the machine inside
> the firewall as xxx.xxx.xxx.2, the firewall machine can still see
> the outside and inside world and the inside machine can still 
> see both IP addresses of the firewall machine. Any other thoughts?

You missed his point of having the NIC on the "inside" in
a different subnet than that of the NIC on the "outside".

But let me ask first:  isn't the IP on the ISP's side one
out of the ISP's net?  Or are you allocating one of your
IP to your ISP's router?

It should be one or the other, to wit:  URC=YOURCLASSC

inet===ISP.n1/router/ISP.n2===ISP.n2|n3/yours/URC.x===urnet
or
inet===ISP.x/router/YOURCLASSC.n1===URC.n1|n2/yours/URC.n3===urnet

With the former, you don't need any subnetting, really, and
it is preferable.  With the latter, you may need to subnet ...252
with the far end as one of those, and the near end as the other.
The other NIC would be _not_ in that subnet.

The /etc/defaultrouter, or equiv, on the hosts in urnet=URC.n3.

On your router/firewall, 
default dest (0.0.0.0) gateway is the IP on the ISPs router.

With you giving the IP to the ISP,
dest xx.xx.xx.0 netmask ...252 gateway xx.xx.xx.yourend

If you're subnetting ...252, _don't_ put two addresses in
_that_ subnet on two of the NICs in your router/firewall.



Re: Firewall

2000-06-29 Thread Marc Dubrowski
If it can help, here is the scheme of our network. There are of course three
NICS on the packet filter.


Network 193.x.x.0/30 

(= 193.x.x.0/24 for the internet, static routing table setup by
our ISP: the rest of the world knows that the traffic must pass through x.x.x.2
to reach our network)


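                 gateway x.x.x.1 (don't know the other IP of the router)
                        |
                +---------------------------+
                |          x.x.x.2          |
Packet filter---|===========================|
                |   x.x.x.9   |  x.x.x.33   |
                |  (Gateway)  |  (Gateway)  |
                +---------------------------+
                    /              |
                   /               |
                  /                |
                 /                 |
   Subnet 1: x.x.x.8/29            |   Subnet 2: x.x.x.32/27
               /                   |
 +-----------------------+         |
 |   Bastion Host:       |         |     +---------------------+
 |   x.x.x.10 (BH out)   |         |-----| Server1 (x.x.x.34)  |
 |   x.x.x.11 (BH in)    |         |     +---------------------+
 +-----------------------+         |
                                   |     +---------------------+
                                   |-----| server2 (x.x.x.43)  |
                                   |     +---------------------+
                                   |
                                   |     +---------------------+
                                   |-----| server3 (x.x.x.44)  |
                                   |     +---------------------+
                                   |
                                   |
                 +----------------------------------------+
                 |   x.x.x.42 (gateway to private net)    |
                 |========================================|
                 |   192.168.x.1 (Private Gateways)       |
                 |   172.16.x.1  (Private Gateways)       |
                 +----------------------------------------+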


Of course, every machine in subnet x.x.x.0/30 has a netmask of 255.255.255.252;
every machine in subnet x.x.x.8/29 has a netmask of 255.255.255.248;
every machine in subnet x.x.x.32/27 has a netmask of 255.255.255.224.

There are no possible contacts through hubs or cables except the packet-filter.
The packet filter is configured to route the IP packets (of course :-)

The routing table of the packet filter is (it's OpenBSD, but the principle is
the same)

Destination    Gateway      Flags   Refs      Use    Mtu  Interface
default        x.x.x.1      UGS        0  9300794   1500  de0
127/8          127.0.0.1    UGRS       0        0  32972  lo0
127.0.0.1      127.0.0.1    UH         2       97  32972  lo0
172.16/16      x.x.x.51     UGS        0       80   1500  de2
192.168/16     x.x.x.51     UGS        0   124529   1500  de2
x.x.x.0/30     link#1       UC         0        0   1500  de0
x.x.x.8/29     link#2       UC         0        0   1500  de1
x.x.x.32/27    link#3       UC         0        0   1500  de2
  
I'm not sure that arp could manage to proxy three different subnets, but with
two, there are no problems at all:

Let's say the subnet 2 (x.x.x.8) is still in x.x.x.0/24 for the net: all I have
to do is to publish the MAC address of the router for all IPs inside x.x.x.8.
All the machines in subnet x.x.x.8 would know they are in that subnet, and their
gateway would be x.x.x.9.

(in fact, I think linux's arp can manage to proxy complete subnets, which Obsd
can't: it needs to be checked)

By the way, asking your ISP to change his routing tables once the design of your
network is made would be a better solution.



Marc Dubrowski  
Kind of a Network Administrator 
K.B.I.N.I.R.Sc.N.B. 
29 rue Vautier B-1040 Brussels, Belgium
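
Added example, not part of the original messages: a check of the two addressing plans discussed in this thread (both firewall NICs in one flat /24 versus one NIC per /30, /29 and /27 subnet), plus a longest-prefix lookup over a routing table shaped like the one quoted above. The 192.0.2.0/24 documentation range stands in for the anonymised x.x.x.0/24, and all function names are hypothetical.

```python
import ipaddress

# Constructed stand-in: 192.0.2.0/24 (a documentation range) plays the part of
# the thread's anonymised "x.x.x.0/24" class C allocation.
ALLOCATION = ipaddress.ip_network("192.0.2.0/24")

# Both firewall NICs inside the one flat /24 (the layout that did not work).
FLAT = {"eth0": "192.0.2.1/24", "eth1": "192.0.2.2/24"}
# One NIC per subnet, using the /30, /29 and /27 split described in the thread.
SUBNETTED = {"de0": "192.0.2.2/30", "de1": "192.0.2.9/29", "de2": "192.0.2.33/27"}

# Routing table with the same shape as the packet filter's table in the thread.
# A gateway of None means "directly connected".
ROUTES = [
    (ipaddress.ip_network(net), gw and ipaddress.ip_address(gw), dev)
    for net, gw, dev in [
        ("0.0.0.0/0", "192.0.2.1", "de0"),
        ("172.16.0.0/16", "192.0.2.51", "de2"),
        ("192.168.0.0/16", "192.0.2.51", "de2"),
        ("192.0.2.0/30", None, "de0"),
        ("192.0.2.8/29", None, "de1"),
        ("192.0.2.32/27", None, "de2"),
    ]
]


def check_plan(interfaces, allocation=ALLOCATION):
    """Return a list of problems found in a {nic: 'addr/prefix'} plan."""
    parsed = {name: ipaddress.ip_interface(v) for name, v in interfaces.items()}
    problems = []
    for name, iface in sorted(parsed.items()):
        net = iface.network
        if not net.subnet_of(allocation):
            problems.append(f"{name}: {net} is outside {allocation}")
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {iface.ip} is not a usable host in {net}")
    names = sorted(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            # Two NICs of one router in the same (or an overlapping) subnet
            # leave the kernel unable to tell "inside" from "outside".
            if parsed[a].network.overlaps(parsed[b].network):
                problems.append(
                    f"{a} ({parsed[a].network}) overlaps {b} ({parsed[b].network})"
                )
    return problems


def route(dest, routes=ROUTES):
    """Longest-prefix match: the most specific route containing dest wins."""
    dest = ipaddress.ip_address(dest)
    candidates = [r for r in routes if dest in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen) if candidates else None


def unreachable_gateways(routes=ROUTES):
    """Next hops that do not sit on any directly connected subnet."""
    connected = [net for net, gw, _ in routes if gw is None]
    return [
        str(gw)
        for _, gw, _ in routes
        if gw is not None and not any(gw in c for c in connected)
    ]


def on_link(host, dest):
    """True if a host configured as 'addr/prefix' would ARP for dest directly
    instead of handing the packet to its gateway."""
    return ipaddress.ip_address(dest) in ipaddress.ip_interface(host).network


if __name__ == "__main__":
    print("flat plan:     ", check_plan(FLAT))
    print("subnetted plan:", check_plan(SUBNETTED))
    for target in ("192.0.2.10", "192.0.2.34", "172.16.5.5", "198.51.100.7"):
        net, gw, dev = route(target)
        print(f"{target:>14} -> {net} via {gw or 'link'} dev {dev}")
    # An inside server still carrying the /24 mask thinks the ISP router is a
    # neighbour; with the /27 mask it sends the packet to the firewall instead.
    print("with /24 mask, router on-link:", on_link("192.0.2.34/24", "192.0.2.1"))
    print("with /27 mask, router on-link:", on_link("192.0.2.34/27", "192.0.2.1"))
```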

firewall script

2000-07-04 Thread Paulo Henrique Baptista de Oliveira
Hi all Debian users,
does anyone have a firewall script that they can send me?
I already know ipchains well but with a script (commented) it will be
better. :)
Thanks, Paulo Henrique



Firewall tutorial

2001-12-27 Thread Penguin
I am a complete beginner to firewalls, I would like to know if they can do 
these things:

- record history of packets grouping by port number, TCP or UDP (or 
whatever?), data size if any, and any suspicious things like ICMP flood.

- record the actual data as a packet sniffer for a PPP link (my dialup 
modem). I am suspicious of what's going on. I want to see ALL that stuff 
moving over my link, printing it to a file or perhaps sending it to my 
PostgreSQL db in tables where I can select by PASS: USER: etc etc and of 
course just inspect the raw data.

Also, need a tut for writing firewall rules. Got to be for a really stupid 
beginner who knows nothing! :)

Thanks

-- 
Penguin
[EMAIL PROTECTED]

"Girls are for pleasure; boys are for ecstasy."



Firewall woes...

2000-09-07 Thread Kelly Corbin
I am setting up a packet-filter firewall and everything seems to be
going fine except for one thing:  ftp uploads are ridiculously slow (1
or 2 packets every 10 sec.).  If I turn logging on (-l), the upload
speed picks up to close to normal speed.  If I turn it off, it slows
back down again.  This makes no sense!  How should having logging off
slow things down?  I am using ipchains ver. 1.3.9 and kernel 2.2.15. 
Any help would be appreciated.  Thanks

Kelly

-- 

-- Kelly Corbin
-- [EMAIL PROTECTED]
--
-- On the web @ http://www.theiqgroup.com
-- The IQ Group, Inc.
-- 5018 Hadley Ave.
-- Overland Park, KS 66203
-- (913)-722-6700
-- Fax (913)722-7264




Firewall Box

2000-09-13 Thread Matt Kopishke
Hi, I need to implement a firewall at work.  It will be for the most part
a pretty simple set up.  I am going to set one of our Linux Boxes between
the Router and the Switch.  The Box has 3 NICs, one for the router side,
one for the switch, and one for a backup cable connection.  We have a
block of IPs, and we will need to get to machines behind the firewall from
the out side so I don't want to use ipmasq.  What I plan on doing is just
using ipchains to shutoff any unused ports, and strip the box of any
questionable software (ie ssh instead of telnet).  Has any one tried such a
set up?  And if they have could you pass on any pointers or things to
watch out for?  I also see there are a few packages out there to aid
setup, how well do they work?

Thanks, 

-Matt-

 ---+--+
 [EMAIL PROTECTED]  |  |
 http://www.flni.com| A long time ago, in a state far, far away... |
 Web Guru, Perl jocky,  | OKLAHOMA!|
 Linux bum, etc...  |http://www.waldotheatre.org   |
 --Debian GNU/Linux--   |  |
 ---+--+



firewall (fwd)

2000-10-01 Thread debian-isp


-- Forwarded message --
Date: Wed, 27 Sep 2000 21:28:47 -0500 (EST)
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: firewall

Hello All,
Has anyone found making a debian machine with firewall support useful?
What are firewalls useful for? Do they simply prevent packets from passing
through the firewall into the rest of the network? Would a firewall
necessarily have to be also configured to be a router? Any info you guys
can provide would be useful. I was thinking about making one of my debian
machines a firewall, but don't really know what I would do with it:)

Thanks,

D. Ghost




Firewall Rules

2001-01-07 Thread JD Kitch
I have 2 nics in my Linux box.  One connected to my cable modem, and
the other has a windows machine attached to it, which I do
masquerading for.  I need to be able to connect via VPN from the
windows box to an outside host.  Is there a way to easily determine
what ports need to be opened to accomplish this, or is there a way
to masquerade for the windows machine, but not do any firewalling for
that machine specifically, while still protecting my linux box?

And lastly, can any one tell me what rule I could implement to still
be able to use Napster?

TIA,
jdk



dselect/firewall

2001-01-11 Thread techlists
At work, our internet access is from a proxyserver.  Is there any way I can set 
dselect on my Debian 2.2r2 laptop to access through the proxyserver, while I'm 
at work?

Wayne

Re: Firewall

2001-01-30 Thread Rob Hudson
I set up a firewall for my cable modem using FreeBSD, mostly b/c I had
a friend's firewall I could use as an example and wanted to learn
another Unix.  I have a desktop behind the firewall running Debian.

You do assign the firewall your static IP from your cable, then give
everything behind the firewall a private IP address.

My scenario looks like this...

 +----------+   +----------+   +-----+ --> Desktop (192.168.1.2)
 | Internet |-->| Firewall |-->| Hub |
 +----------+   +----------+   +-----+ --> Laptop (192.168.1.1)
   (cable)   eth1^  eth2
                 |
            ---------------
            12.34.56.78   <- the IP from the cable into the first
                             ethernet card
            192.168.1.254 <- the private IP for 2nd ethernet card

In FreeBSD, you can use natd (Network Address Translation Daemon (?))
to remap packets from different ports, so if you were running a
webserver on port 80 on your desktop, natd would send all those
packets to your desktop instead of your firewall.  The Linux
equivalent is ipchains (I believe).  It also keeps track of who
requested what and sends the result back to the right computer on the
private IP.  I'm not exactly sure how this works, but it's cool.  :)

I'm not sure what extra packages debian has to add firewalling
capabilities.  I'd be interested to find out more about a debian based
firewall.

FreeBSD has ipfw, which can deny or re-route packets from specific
IPs.  Combined with portsentry, which listens on specific ports for
portscans (via TCP or UDP), you can deny packets from people port
scanning you.

Just an FYI, as I'm sure a debian firewall would be about the same ...
without extra software (vim, lynx, less, mutt, and other programs I'm
used to) the install for the complete firewall was about 120MB.  I'm
running a 486 computer with 32MB RAM, 2 ne2000 compatible network
cards (ISA) and a 250MB hard drive.

That's about all I know.

-Rob

> On 20010130.1144, [EMAIL PROTECTED] said ...
>
> I have some questions about building a firewall.  I currently have a cable 
> modem connection which of course gives me a static IP address.  If I was to 
> build a firewall using a old 486 could I still assign my Debian box the 
> static IP address as it is needed for my server which I use for 
> hosting.  Or would the 486 use the static IP and assign the Debian box a 
> private IP address?  Also I know there are many firewall how to's out there 
> but would appreciate any recommendations.
> 
> Regards
> 
> 
> Eileen Orbell
> Software & Internet Applications
> Capitol College
> mailto:[EMAIL PROTECTED]
> mailto:[EMAIL PROTECTED]

--
Q: How does a UNIX Guru pick up a girl?
A: look; grep; which; eval; nice; uname; talk; date;



Re: Firewall

2001-01-30 Thread Alexey Vyskubov
> modem connection which of course gives me a static IP address.  If I was to 
> build a firewall using a old 486 could I still assign my Debian box the 
> static IP address as it is needed for my server which I use for 
> hosting.  Or would the 486 use the static IP and assign the Debian box a 
> private IP address?  Also I know there are many firewall how to's out there 
> but would appreciate any recommendations.

You may assign real IPs to firewall and to your server. Of course, you will
need two different IPs. The more secure way is to assign private IP to your
server and implement masquerading. Of course, it will take more effort to
tune :)

I use at home firewall with real IP at 486 (well, it's FreeBSD-based, but it
doesn't matter) and 192.168.1.0 net for all my home network.

-- 
Alexey Vyskubov
(at home)
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!



Re: Firewall

2001-01-30 Thread will trillich
On Tue, Jan 30, 2001 at 11:44:29AM -0500, [EMAIL PROTECTED] wrote:
> I have some questions about building a firewall.  I currently have a cable 
> modem connection which of course gives me a static IP address.  If I was to 
> build a firewall using a old 486 could I still assign my Debian box the 
> static IP address as it is needed for my server which I use for 
> hosting.  Or would the 486 use the static IP and assign the Debian box a 
> private IP address?  Also I know there are many firewall how to's out there 
> but would appreciate any recommendations.

if you're using debian for your firewall:

apt-get install ipmasq

here's the setup:

+----------+ ] eth0 = your.ip.number --> internet
|  debian  |
| firewall |
+----------+ ] eth1 = 192.168.1.1    --> +-----+
                                     --> |     |
               box1 = 192.168.1.39   --> | hub |
                                     --> |     |
               boxn = 192.168.1.215  --> +-----+

edit /etc/network/interfaces to mirror your configuration:

# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)

# The loopback interface
iface lo inet loopback

iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
# other localnet addrs can be anything in
# the 192.168.1.[2-254] range

# if your address isn't static, do this:
#   iface eth0 inet dhcp
iface eth0 inet static
address YOUR.REAL.IP.NUMBER
netmask 255.255.255.0
network YOUR.REAL.IP.0
broadcast YOUR.REAL.IP.255
gateway YOUR.UPSTREAM.NET.NUMBER
# for me, it's my cablemodem number
# which is only 1 different from my
# debian/internet address. yours might
# just be your ISP server addr...

and then just

ipmasq -v

to implement it.

i think. :) if this reformats your hard drive, gives your
neighbors shingles, or straightens out the earth's axis,
don't use it.

-- 
See, if you were allowed to keep the money, you wouldn't
create jobs with it. You'd throw it in the bushes or
something.  But the government will spend it, thereby
creating jobs.  -- Dave Barry

[EMAIL PROTECTED]***http://www.dontUthink.com/

http://groups.yahoo.com/group/newbieDoc -- next week's
newbie needs your brain: document your experience today!



Re: Firewall

2001-01-31 Thread William T Wilson
On Tue, 30 Jan 2001 [EMAIL PROTECTED] wrote:

> I have some questions about building a firewall.  I currently have a
> cable modem connection which of course gives me a static IP address.  
> If I was to build a firewall using a old 486 could I still assign my
> Debian box the static IP address as it is needed for my server which I

No.  The firewall system has to have the "real" IP address.  What you need
to do is use IP Masquerading on the firewall system.  You can then use
ipmasqadm to redirect whatever ports you need to the system(s) behind the
firewall.
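
Added example, not part of the original messages: a small model of what the replies in this thread call masquerading and port redirection. Outbound connections from private hosts are rewritten to the firewall's public address and remembered, replies are matched back to the private host, a forwarded port reaches an inside server, and anything else arriving from outside is dropped. The class, its method names and the starting port are illustrative assumptions; the addresses 12.34.56.78 and 192.168.1.x are the ones used in the thread, the remote addresses are constructed.

```python
class Masquerader:
    """Toy model of a masquerading firewall's translation table."""

    def __init__(self, public_ip, first_port=61000):
        self.public_ip = public_ip
        self.next_port = first_port   # illustrative starting port (assumption)
        self.out = {}        # (proto, priv_ip, priv_port, dst, dport) -> public port
        self.back = {}       # (proto, public port, remote ip, remote port) -> private end
        self.forwards = {}   # (proto, public port) -> (priv_ip, priv_port)

    def forward(self, proto, public_port, priv_ip, priv_port):
        """Redirect a public port to a server behind the firewall."""
        self.forwards[(proto, public_port)] = (priv_ip, priv_port)

    def outbound(self, proto, src, sport, dst, dport):
        """Private host -> internet: rewrite the source and remember the flow."""
        key = (proto, src, sport, dst, dport)
        if key not in self.out:
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[(proto, port, dst, dport)] = (src, sport)
        return (self.public_ip, self.out[key], dst, dport)

    def inbound(self, proto, src, sport, dst, dport):
        """Internet -> public address: return the rewritten packet
        (src, sport, private_ip, private_port), or None if it is dropped."""
        if dst != self.public_ip:
            return None
        # 1. Reply to a flow that an inside host opened: the remote end must
        #    match too, so a third party cannot reuse the mapped port.
        hit = self.back.get((proto, dport, src, sport))
        if hit is not None:
            return (src, sport) + hit
        # 2. Explicit port redirection to an inside server.
        fwd = self.forwards.get((proto, dport))
        if fwd is not None:
            return (src, sport) + fwd
        # 3. Unsolicited traffic: nothing behind the firewall is reachable.
        return None


def demo():
    fw = Masquerader("12.34.56.78")
    fw.forward("tcp", 80, "192.168.1.2", 80)   # web server on the desktop
    results = {}
    # Desktop and laptop both use source port 40000 towards the same site;
    # the firewall keeps them apart by giving each flow its own public port.
    results["desktop_out"] = fw.outbound("tcp", "192.168.1.2", 40000, "203.0.113.5", 443)
    results["laptop_out"] = fw.outbound("tcp", "192.168.1.1", 40000, "203.0.113.5", 443)
    results["laptop_reply"] = fw.inbound("tcp", "203.0.113.5", 443, "12.34.56.78", 61001)
    results["spoofed_reply"] = fw.inbound("tcp", "198.51.100.9", 443, "12.34.56.78", 61001)
    results["web_request"] = fw.inbound("tcp", "198.51.100.9", 5555, "12.34.56.78", 80)
    results["ssh_probe"] = fw.inbound("tcp", "198.51.100.9", 5555, "12.34.56.78", 22)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>14}: {value}")
```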



firewall advice

2000-03-31 Thread Chris Mason
I'm getting a wireless T1 feed tomorrow and I want to connect my network of 
windows and Linux machines to the internet securely. I will only have one IP of 
course.
What is the best way to implement this using Corel Linux?

Chris Mason
Box 340, The Valley, Anguilla, British West Indies
Tel: 264 497 5670 Fax: 264 497 8463
USA Fax (561) 382-7771
Take a virtual tour of the island
http://net.ai/ The Anguilla Guide
Find out more about NetConcepts
www.netconcepts.ai


Firewall running

2000-04-05 Thread Chris Mason
Thanks to everyone who helped, my PMfirewall is running on Corel Linux. Happy to 
help anyone else who needs any help getting this running.

Chris Mason
Box 340, The Valley, Anguilla, British West Indies
Tel: 264 497 5670 Fax: 264 497 8463
USA Fax (561) 382-7771
Take a virtual tour of the island
http://net.ai/ The Anguilla Guide
Find out more about NetConcepts
www.netconcepts.ai


Firewall problems

2000-05-15 Thread Dwayne C . Litzenberger
--- Begin Message ---
I can also ping the firewall from the workstations, and the workstations from
the firewall.

I have ipchains -P forward ACCEPT.

What am I doing wrong?

--
Please always Cc to me when replying to me on the lists.

"Real hackers mostly think crackers are lazy, irresponsible, and not very
bright, and object that being able to break security doesn't make you a
hacker any more than being able to hotwire cars makes you an automotive
engineer."
   -- The Hacker HOWTO

Dwayne C. Litzenberger - [EMAIL PROTECTED]

See the mail headers for GPG/advertising/homepage information.
--- End Message ---




firewall-scripts

2000-05-24 Thread Andreas Loosen \(CRW.NET\)
Hi, All,

what is the recommended way to include my firewall scripts in potato?

In slink I used to place it in /etc/init.d and started it from
/etc/init.d/network.

Regards
Andreas



Firewall setup

2000-05-24 Thread Jay Kelly
Hello Debians,
I am trying to set up a Debian firewall using ipchains, but I need some help
in setting up the PCI Ethernet cards. One is a Linksys and the other a
Kingston. Both should work under the Tulip driver but I don't know how to add
the second eth1 card. The system detects the first and not the second. Where
would I add the eth1?



Firewall Q's

2000-05-26 Thread Jay Kelly
What needs to be added to a Debian firewall to make it completely stealth,
so from the outside my firewall doesn't exist? I'm looking to better my
security and need some ideas how to go about it.
Thanks
you guys are a huge help
Jay



Re: firewall

2000-06-02 Thread Bob Nielsen
On Fri, Jun 02, 2000 at 04:04:13PM -0500, Timothy C. Phan wrote:
> Hi,
> 
>   I'd like to know if there is any firewall software
>   for Debian?  

Firewalling is done in the kernel and set up with ipchains.

Debian has a couple of packages which can be useful with this,
ipchains-perl and ipmasq.

-- 
Bob Nielsen, N7XY  (RN2)   [EMAIL PROTECTED]
Bainbridge Island, WA  http://www.oz.net/~nielsen
 



Re: firewall

2000-06-02 Thread Scott Mann
Also, check out 
ftp://ftp.interlinx.bc.ca/pub/spf/
for stateful filtering capabilities.

Bob Nielsen wrote:
> 
> On Fri, Jun 02, 2000 at 04:04:13PM -0500, Timothy C. Phan wrote:
> > Hi,
> >
> >   I'd like to know if there is any firewall software
> >   for Debian?
> 
> Firewalling is done in the kernel and set up with ipchains.
> 
> Debian has a couple of packages which can be useful with this,
> ipchains-perl and ipmasq.
> 
> --
> Bob Nielsen, N7XY  (RN2)   [EMAIL PROTECTED]
> Bainbridge Island, WA  http://www.oz.net/~nielsen
> 
> 
> --
> Unsubscribe?  mail -s unsubscribe [EMAIL PROTECTED] < /dev/null



Re: firewall

2000-06-03 Thread Michael Vlasov
On Fri, 2 Jun 2000, Timothy C. Phan wrote:

> Hi,
> 
>   I'd like to know if there is any firewall software
>   for Debian?  
>

And I want a firewall for Debian too.
 
>   Thanks!
> 
> ---
> tcp
> [EMAIL PROTECTED]
> 
> 

---
WBR, Michael Vlasov, Matrix NOC, MICHAEL-RIPN 
(095) 961-2109 [ www.matrix.ru ] ICQ:12612617



Re: firewall

2000-06-03 Thread Michael Vlasov
On Fri, 2 Jun 2000, Bob Nielsen wrote:

> On Fri, Jun 02, 2000 at 04:04:13PM -0500, Timothy C. Phan wrote:
> > Hi,
> > 
> >   I'd like to know if there is any firewall software
> >   for Debian?  
> 
> Firewalling is done in the kernel and set up with ipchains.
> 
> Debian has a couple of packages which can be useful with this,
> ipchains-perl and ipmasq.
> 
Sorry, but ipchains has more problems in security with ipmasq.

> -- 
> Bob Nielsen, N7XY  (RN2)   [EMAIL PROTECTED]
> Bainbridge Island, WA  http://www.oz.net/~nielsen
>  
> 
> 

---
WBR, Michael Vlasov, Matrix NOC, MICHAEL-RIPN 
(095) 961-2109 [ www.matrix.ru ] ICQ:12612617



Re: firewall

2000-06-03 Thread Eric 'Alibut
On Sat, Jun 03, 2000 at 11:54:44AM +0400, Michael Vlasov wrote:

> Sorry, but ipchains has more problems in security with ipmasq.

I'd like to catch up on this question of ipchains & security. Do you have
any URL's handy?

-- 
Bob Bernstein
at  http://www.ruptured-duck.com
Esmond, R.I., USA



Re: firewall

2000-06-03 Thread Michael Vlasov
On Sat, 3 Jun 2000, Eric 'Alibut wrote:

> On Sat, Jun 03, 2000 at 11:54:44AM +0400, Michael Vlasov wrote:
> 
> > Sorry, but ipchains has more problems in security with ipmasq.
> 
> I'd like to catch up on this question of ipchains & security. Do you have
> any URL's handy?
>

See the bugtraq mailing list archive on http://www.securityfocus.com
 
> -- 
> Bob Bernstein
> at  http://www.ruptured-duck.com
> Esmond, R.I., USA
> 
> 

---
WBR, Michael Vlasov, Matrix NOC, MICHAEL-RIPN 
(095) 961-2109 [ www.matrix.ru ] ICQ:12612617



Firewall question

2000-01-28 Thread Bill White
Hi.  I have a question about how powerful my firewall computer should
be.

I want to make a firewall for a small constellation of computers
in my living room.  Behind the firewall I will have two Win98 computers,
one computer which boots Win98 or several flavors of Unix/Linux, and
one Hurd box.  This system will be entirely single user at any one
time, though there may be different users.  The network application
will mostly be using VPN software to use Outlook and downloading
source files through a CM system.  Think of it as using CVS on a
1.0e6 line SW project, with 10 or so engineers making changes.  I
will need to fetch changed files from the internal network.

I have an old 486DX120 machine which needs memory.  I was planning
to put 32Mb in it and let it be the firewall.  The two Win98
machines are on one subnet, and one hub, and everything else is
on a second hub and subnet, so the firewall box will handle
routing between the two subnets.  I need this to work this way for
the VPN on the Win98 machines.  The other machines are not involved
in the VPN at all.

Does this computer seem reasonably powerful?

Thanks.



Re: firewall

2000-02-16 Thread Ron Rademaker
I use debian both on my brand new athlon and on my old 486 SX 33, where
that good old 486 is being used as: gateway (firewall), dns-server,
mail-shit, ssh-server, apache-server and ftp-server.
All goes fine (pine is mostly slow, but that's because of this mailing list
and me not deleting messages and me too lazy to figure out procmail) so
debian should be a fine choice...

Ron

On Wed, 16 Feb 2000, mountaincable.net wrote:

> I've picked up an ORION 486DLC-33 w/386 BIOS that I want to set up as a 
> firewall.  Newer distr's of linux have min requirements above my system.  
> What distr. should I use (Debian has been recommended)?  Is there an outline 
> somewhere of  how to go about setting up a firewall and what packages I need 
> to install to run one?
> 


Re: firewall

2000-02-16 Thread Mike Werner
On Wed, Feb 16, 2000 at 04:03:50PM -0500, mountaincable.net wrote:
> I've picked up an ORION 486DLC-33 w/386 BIOS that I want to set up as
> a firewall.  Newer distr's of linux have min requirements above my system.
> What distr. should I use (Debian has been recommended)?  Is there an
> outline somewhere of  how to go about setting up a firewall and what
> packages I need to install to run one?

Is this to be a dial-up router?  If so, I'd say to look at:
http://mpsdr.unx.nu/MINI/
This thing runs off of a single 3.5" floppy - doesn't even use the
hard drive.  I've got it running here on a 486DX2/66 with 16 megs
RAM, but it's advertised as being able to run on anything down to
a 386 with 8 megs RAM.  Once I had it downloaded and onto a floppy,
it took all of about 10 minutes to setup.  It does demand dialing,
IP Masq, and cacheing DNS.  I like it.  A lot.
-- 
Mike Werner  KA8YSD   |  "Where do you want to go today?"
ICQ# 12934898 |  "As far from Redmond as possible!"
'91 GS500E|
Morgantown WV |  Only dead fish go with the flow.


Re: firewall

2000-02-16 Thread dan
On Wed, Feb 16, 2000 at 04:03:50PM -0500, mountaincable.net generated a stream 
of 1s and 0s:
> I've picked up an ORION 486DLC-33 w/386 BIOS that I want to set up as a 
> firewall.  Newer distr's of linux have min requirements above my system.  
> What distr. should I use (Debian has been recommended)?  Is there an outline 
> somewhere of  how to go about setting up a firewall and what packages I need 
> to install to run one?

Just beware of BIOS Y2K problem if this machine has it.
-- 
Get the truth or risk frying your brains! --> www.truthinlabeling.org <--


Re: firewall

2000-02-16 Thread webmaster

> Is this to be a dial-up router?  If so, I'd say to look at:
> http://mpsdr.unx.nu/MINI/
> This thing runs off of a single 3.5" floppy - doesn't even use the
> hard drive.  I've got it running here on a 486DX2/66 with 16 megs
> RAM, but it's advertised as being able to run on anything down to
> a 386 with 8 megs RAM.  Once I had it downloaded and onto a floppy,
> it took all of about 10 minutes to setup.  It does demand dialing,
> IP Masq, and cacheing DNS.  I like it.  A lot.
Sounds nice and the info at their homepage looks good, but where to get
it?

Uwe


Re: firewall

2000-02-17 Thread Mike Werner
On Wed, Feb 16, 2000 at 11:46:45PM +0100, [EMAIL PROTECTED] wrote:
> 
> > Is this to be a dial-up router?  If so, I'd say to look at:
> > http://mpsdr.unx.nu/MINI/
> > This thing runs off of a single 3.5" floppy - doesn't even use the
> > hard drive.  I've got it running here on a 486DX2/66 with 16 megs
> > RAM, but it's advertised as being able to run on anything down to
> > a 386 with 8 megs RAM.  Once I had it downloaded and onto a floppy,
> > it took all of about 10 minutes to setup.  It does demand dialing,
> > IP Masq, and cacheing DNS.  I like it.  A lot.
> Sounds nice and the info at their homepage looks good, but where to get
> it?

Down at the bottom of the page - there's a banner labelled Download.
Under that banner are two links:
"Download by http" and
"Download by ftp"
-- 
Mike Werner  KA8YSD   |  "Where do you want to go today?"
ICQ# 12934898 |  "As far from Redmond as possible!"
'91 GS500E|
Morgantown WV |  Only dead fish go with the flow.

