net protection - firewalls
Hi all,

Two comments in recent threads have prompted me to ask this...

Firstly, someone mentioned that ipmasq isn't a firewall, but is a good starting point. And secondly, there's been talk of people receiving attempts to crack their machines, which I guess must be happening to me too.

Ok. I installed ipmasq on my linux 'gateway' for NATing (I think that's correct?) my linux and windows home machines that sit behind it. It's been running for about 3 months. I don't have any firewalls on the machine behind the gateway, so the gateway is the only security. I've left ipmasq as it comes out of the box and it all seems to work fine.

Is this insecure? Which log should I be checking for possible intruders?

Action for me... I was wondering if I understand this correctly - I could replace ipmasq with firehol (which is 'stateful'?)? Are they interchangeable? Do they do the same thing? Are they both called 'firewalls' of sorts? Or should I just leave well alone and keep a watchful eye somewhere?

Thanks in advance.

-- 
Matt
Re: net protection - firewalls
Matt Johnson wrote:

> Hi all,
>
> Two comments in recent threads have prompted me to ask this...
>
> Firstly, someone mentioned that ipmasq isn't a firewall, but is a good starting point. And secondly, there's been talk of people receiving attempts to crack their machines, which I guess must be happening to me too.
>
> Ok. I installed ipmasq on my linux 'gateway' for NATing (I think that's correct?) my linux and windows home machines that sit behind it. It's been running for about 3 months. I don't have any firewalls on the machine behind the gateway, so the gateway is the only security. I've left ipmasq as it comes out of the box and it all seems to work fine.
>
> Is this insecure? Which log should I be checking for possible intruders?
>
> Action for me... I was wondering if I understand this correctly - I could replace ipmasq with firehol (which is 'stateful'?)? Are they interchangeable? Do they do the same thing? Are they both called 'firewalls' of sorts? Or should I just leave well alone and keep a watchful eye somewhere?
>
> Thanks in advance.

Hosts on the internet can only connect to other hosts that they can see. In your case, they can see your gateway, but not the rest of the LAN.

Mostly, hosts on the internet can only connect to ports that are open. I say mostly, because there have been bugs in various IP stacks that allowed other hosts to do evil things without finding an open port. Probably the most famous was Teardrop that affected, amongst other things, Windows 95, Windows 98 (well after the fix for Windows 95 was released!) and Linux. Famously, the Linux fix was available in less than 24 hours.

Mostly, though, attacks succeed through open ports such as 25 (incoming mail), 80 (web servers) and such. Actually, a firewall isn't going to do a lot to help you there _unless_ you have one that detects bad traffic (such as connects to ports nobody has any business connecting to on _your_ system) and then denies access from the bad side to all your network.

ISPs could do a lot of good here by detecting Code Red (it's still around) and other nasties and a) shutting down sources in their own networks, b) shutting out sources from outside their networks.

You can use firewall software on your gateway to block and log all traffic you don't want. You will see lots of traffic from people hammering on your door.

This can also help to block connexions to misconfigured daemons on your gateway: if you happen to be running postgresql there, you could have it listening to all IP addresses, but connexions from external hosts can't reach it because your firewall rules block them. Better, of course, to configure postgresql properly, but that can be tricky.

Something I've been puzzling over lately is this setup:

net --- Billion DSL router --- host 1 --- host2 --- host 3

host 1 runs a server, for the Internet, but the Billion's got the external IP. I can have internal and external traffic both arriving on the one interface, say eth0 with an internal IP, say 192.168.1.1

Writing firewall rules using iptables is not a task for a beginner, and there are several higher-level packages available to help with the task. I use shorewall, but there are others.

Now, despite your firewall, there's traffic that comes right through it _at your invitation,_ no less! Consider www requests such as that 26 Mbyte SP2 for XP. Email. Those can do bad things too, and that's where content filters such as spamassassin (email), MimeDefang (email), Squidguard, DansGuardian and your AV software come in.

Fifty bucks please:-)

-- 
Cheers
John
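A minimal stateful NAT gateway ruleset of the kind John describes (default-deny, stateful replies, masquerading, and logging of refused connections), as an added example that is not from the thread and not the configuration ipmasq, firehol or shorewall generate. It assumes eth0 faces the internet, eth1 faces the LAN and the LAN is 192.168.1.0/24; with IPT left at its default it only prints the iptables commands instead of applying them.

```shell
#!/bin/sh
# Added example: stateful NAT gateway rules with logging of refused connections.
# Assumptions: eth0 = internet side, eth1 = LAN side, LAN = 192.168.1.0/24.
# Default is a dry run that prints the commands; apply as root with IPT=iptables,
# from the console rather than over ssh, since the policy flips to DROP first.
IPT=${IPT:-"echo iptables"}   # deliberately unquoted below so "echo iptables" splits
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}

gateway_rules() {
    # Start clean and default-deny: anything not explicitly accepted is dropped.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, plus replies to connections the gateway or the LAN started.
    # This connection tracking is what makes the ruleset "stateful".
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The LAN may talk to the gateway and out to the internet. No rule accepts
    # NEW connections arriving on $WAN, so a daemon such as postgresql bound to
    # all addresses on the gateway is still unreachable from outside.
    $IPT -A INPUT -i $LAN -s $LAN_NET -j ACCEPT
    $IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT

    # Log refused connection attempts from the internet (rate-limited so a
    # flood cannot fill the disk), then let the DROP policy discard them.
    $IPT -A INPUT -i $WAN -m state --state NEW -m limit --limit 5/min \
        -j LOG --log-prefix "FW-DROP: "
    $IPT -A FORWARD -i $WAN -m state --state NEW -m limit --limit 5/min \
        -j LOG --log-prefix "FW-DROP: "

    # Masquerade LAN traffic behind the gateway's external address.
    $IPT -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
}

gateway_rules
```

Logged lines carry the "FW-DROP: " prefix and land wherever syslog sends kernel messages, typically /var/log/kern.log or /var/log/messages, which answers the "which log" question. IP forwarding (net.ipv4.ip_forward=1) must be enabled separately, as ipmasq already does.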
Re: net protection - firewalls
--- John Summerfield [EMAIL PROTECTED] wrote:

> Hosts on the internet can only connect to other hosts that they can see. In your case, they can see your gateway, but not the rest of the LAN.
>
> Mostly, hosts on the internet can only connect to ports that are open. I say mostly, because there have been bugs in various IP stacks that allowed other hosts to do evil things without finding an open port. Probably the most famous was Teardrop that affected, amongst other things, Windows 95, Windows 98 (well after the fix for Windows 95 was released!) and Linux. Famously, the Linux fix was available in less than 24 hours.
>
> Mostly, though, attacks succeed through open ports such as 25 (incoming mail), 80 (web servers) and such. Actually, a firewall isn't going to do a lot to help you there _unless_ you have one that detects bad traffic (such as connects to ports nobody has any business connecting to on _your_ system) and then denies access from the bad side to all your network.
>
> ISPs could do a lot of good here by detecting Code Red (it's still around) and other nasties and a) shutting down sources in their own networks, b) shutting out sources from outside their networks.
>
> You can use firewall software on your gateway to block and log all traffic you don't want. You will see lots of traffic from people hammering on your door.
>
> This can also help to block connexions to misconfigured daemons on your gateway: if you happen to be running postgresql there, you could have it listening to all IP addresses, but connexions from external hosts can't reach it because your firewall rules block them. Better, of course, to configure postgresql properly, but that can be tricky.
>
> Writing firewall rules using iptables is not a task for a beginner, and there are several higher-level packages available to help with the task. I use shorewall, but there are others.
>
> Now, despite your firewall, there's traffic that comes right through it _at your invitation,_ no less! Consider www requests such as that 26 Mbyte SP2 for XP. Email. Those can do bad things too, and that's where content filters such as spamassassin (email), MimeDefang (email), Squidguard, DansGuardian and your AV software come in.

Thanks for taking the time to put together such a comprehensive answer.

> Fifty bucks please:-)

Yes, well... check's in the post (!) ;)

-- 
Matt
Re: net protection - firewalls
Matt Johnson wrote:

> > Now, despite your firewall, there's traffic that comes right through it _at your invitation,_ no less! Consider www requests such as that 26 Mbyte SP2 for XP. Email. Those can do bad things too, and that's where content filters such as spamassassin (email), MimeDefang (email), Squidguard, DansGuardian and your AV software come in.
>
> Thanks for taking the time to put together such a comprehensive answer.
>
> > Fifty bucks please:-)
>
> Yes, well... check's in the post (!) ;)

Oh good. For an encore, see this: http://linuxgazette.net/105/odonovan.html

Understand it before acting on it, and take salt with item 4. If you don't know what you're doing you will stuff things up.

I went to a LUG meeting once where one of the Gods of iiNet was to speak on Linux security. He was a little hoarse so someone else stepped in. Between them they enumerated lots of binaries that don't need to be setuid root. I took the advice and borked several things including my ability to print.

-- 
Cheers
John