Re: [expert] Network problems caused by 'Tiny Firewall' GUI in MDK
On Friday 09 November 2001 11:16, Franki wrote:

> I have still not found a simple script platform like pmfirewall that asks a
> bunch of questions in a console at install
> then writes a nice easy to read list of rules, one per line with nice

Hi,

I asked some time ago for a little advice here on the list, got very "tiny", but brave as I am I started looking around the web. Found quite a good place to start. Look at http://www.linuxguruz.org/iptables

I bet you can find a quite suitable solution from there. I did.

Let's block,
Jarmo

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
RE: [expert] Network problems caused by 'Tiny Firewall' GUI in MDK
I just solved my problem of not being able to connect to the internet from the client using the iptables script at www.yolinux.com/TUTORIALS/LinuxTutorialNetworkGateway.html. I didn't have the basic rules set up to forward packets from eth1.

Still no luck w/ mysql but I've got ideas now...

-----Original Message-----
From: Franki [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 09, 2001 2:05 AM
To: [EMAIL PROTECTED]
Cc: NEWBIE Mandrake List
Subject: RE: [expert] Network problems caused by 'Tiny Firewall' GUI in MDK

Ok, I have read your post, I will see what I can find out.. you didn't run msec at any stage and increase the security level did you? If you did, that would explain a lot.. try lowering it to 3 and see what happens.. that has fixed things for me before.. it may also explain why your sockets are not working any more..

msec does some weird shit, like changing heaps of permissions (file and directory), deleting files, closing access to nearly everything via tcpwrappers and some other stuff I haven't figured out yet. I don't use msec anymore, I close everything myself; it has caused too much hassle and is too poorly documented to be of any use, I think.

If anything is in need of a mandrake forum or user write-up, then msec is definitely it. (There may be one, but I have not found it.)

rgds
Frank

-----Original Message-----
From: Ben Nicolas [mailto:[EMAIL PROTECTED]]
Sent: Friday, 9 November 2001 5:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [expert] Network problems caused by 'Tiny Firewall' GUI in MDK

Hey buddy,

Thanks for e-mailing. I'm kinda new to these lists. I'm e-mailing you individually and not back to the list because your answer impressed me. It was nice to read because you're the first guy that seems like he might have an inkling of what my problem may be.

I don't have an /etc/sysconfig/iptables file (don't know if that's cuz I'm running LM 8.0). I flushed the iptables anyway using iptables -F. I'm posting a copy of my original post for you at www.dailystaple.com/mdk. If u could take a look at it and tell me if you think of anything, you'd be the man!

> I have the 8.1 powerpack here, and it comes with an install and user
> manual and a reference manual..
>
> I will have a look in there for the tiny firewall details..
>
> I haven't looked back to see your initial question, but you might try
> looking in /etc/sysconfig/iptables
>
> I think that may be where tiny firewall keeps its rules and stuff.
>
> I know one thing, for simple readability, ipchains beats the hell out
> of iptables..
>
> I have still not found a simple script platform like pmfirewall that
> asks a bunch of questions in a console at install, then writes a nice
> easy to read list of rules, one per line with nice comments on them,
> closes all the obvious gaps, and is really easy to modify and add to...
> I have a massive list of rules in my 7.2 box in ipchains and ipmasqadm,
> and I had the firewall set up to allow different ports open on 7 of my
> domains being hosted on that box..
>
> It's tough to figure out how I am going to do it easily in iptables. I
> have a basic script, but nothing that does all that I want yet.. wish
> someone had written an online ipchains -> iptables script with
> Javascript or something, that would be very handy. I only just figured
> out how to do port forwarding with iptables last night..
>
> rgds
>
> Frank
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of J. Craig Woods
> Sent: Friday, 9 November 2001 1:54 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: [expert] Network problems caused by 'Tiny Firewall' GUI in
> MDK
>
> Ben Nicolas wrote:
>>
>> You were right in assuming my basic topology consisted of 1 LM 8.0
>> server (acting as a gateway/router) with 2 nic's. Besides that all I
>> have is one client machine running Win2K.
>>
>> Now that you mention it you're also right about not needing to have
>> port 139 open externally to use samba betw. my server and client.
>> Prior to this debacle I had never done any firewalling or used
>> iptables/ipchains so my comment about needing 139 open earlier was due
>> to lack of knowledge. Once I figure out what's preventing my client
>> from accessing the internet and DBI from making a connection to
>> MySQL I will use iptables to secure up my network now that I
>> understand how to create rules. For now I'm primarily concerned with
>> figuring out why my server won't forward requests made to servers
>> outside my internal micro-lan.
>>
>
> I wish I could help you out with that Tiny crap stuff. I am just no
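The missing piece Ben describes above (FORWARD rules for the LAN interface, plus the kernel forwarding switch) as a minimal two-NIC gateway script. This is an added example for this page, not the yolinux script or anything posted in the thread. It assumes, hypothetically, that eth0 faces the Internet, eth1 faces the LAN (Ben names eth1 as the side he needed to forward from; the rest is assumed), and that the LAN is 192.168.1.0/24. With IPT=dryrun it prints the rules instead of applying them, so you can review what a script will do to a live gateway before it runs as root.

```shell
#!/bin/sh
# Added example, not code from the thread. Minimal two-NIC NAT gateway rules.
# Hypothetical assumptions: eth0 = Internet side, eth1 = LAN side,
# LAN = 192.168.1.0/24. Set IPT=dryrun to print the rules instead of applying
# them (no root needed); run with GW_APPLY=1 as root to apply for real.

EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
IPT="${IPT:-iptables}"

# Stand-in for iptables in dry-run mode: prints the arguments it was given.
dryrun() {
    printf '%s\n' "$*"
}

# Emit the ruleset through $IPT, one command per rule. The same function
# serves dry-run (IPT=dryrun) and real application (IPT=iptables, as root).
gateway_rules() {
    # Start from a clean FORWARD chain and NAT table, and deny forwarding by
    # default so that only the rules below let traffic cross the box.
    $IPT -t filter -F FORWARD
    $IPT -t nat -F POSTROUTING
    $IPT -t filter -P FORWARD DROP

    # LAN -> Internet: anything the LAN originates may go out.
    $IPT -t filter -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT

    # Internet -> LAN: only replies to connections the LAN opened.
    $IPT -t filter -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Hide LAN addresses behind the gateway's external address.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
}

# The kernel must also be told to route between interfaces; a tool that
# resets this to 0 breaks the gateway even with a correct FORWARD chain.
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Self-check used before applying: number of ACCEPT rules in the FORWARD
# chain of the generated ruleset (2 expected: LAN out, replies back in).
forward_accept_count() {
    ( IPT=dryrun; gateway_rules ) | grep -c -- '-A FORWARD .* -j ACCEPT'
}

# Apply only when explicitly asked; otherwise print the dry run so that
# sourcing or reviewing the file is always safe.
if [ -n "${GW_APPLY:-}" ]; then
    enable_forwarding
    gateway_rules
else
    ( IPT=dryrun; gateway_rules )
fi
```

The default policy of DROP on FORWARD is what turns "the client can't get out" into a deliberate decision rather than an accident: every path through the box is one of the two ACCEPT lines. On current kernels `-m conntrack --ctstate` is the preferred spelling of the state match; `-m state` as written here still works.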
Re: [expert] Network problems caused by 'Tiny Firewall' GUI in MDK
Franki wrote:
>
> Its tough to figure out how I am going to do it easily in iptables. I have a
> basic script, but nothing that does all that I want yet.. wish someone had
> written an online ipchains -> iptables script with Javascript or something,
> that would be very handy. I only just figured out how to do port
> forwarding with iptables last night..
>
> rgds
>
> Frank
>

Frank, if you find some kind of conversion program, java or otherwise, please let me know here on the list. I have a long list of rules for ipchains written on one box, and something like an ipchains <--> iptables conversion would be great.

Thanks,
Craig Woods
UNIX/NT SA

-Art is the illusion of spontaneity-
RE: [expert] Network problems caused by 'Tiny Firewall' GUI in MDK
I have the 8.1 powerpack here, and it comes with an install and user manual and a reference manual.. I will have a look in there for the tiny firewall details..

I haven't looked back to see your initial question, but you might try looking in /etc/sysconfig/iptables. I think that may be where tiny firewall keeps its rules and stuff.

I know one thing, for simple readability, ipchains beats the hell out of iptables..

I have still not found a simple script platform like pmfirewall that asks a bunch of questions in a console at install, then writes a nice easy to read list of rules, one per line with nice comments on them, closes all the obvious gaps, and is really easy to modify and add to... I have a massive list of rules in my 7.2 box in ipchains and ipmasqadm, and I had the firewall set up to allow different ports open on 7 of my domains being hosted on that box..

It's tough to figure out how I am going to do it easily in iptables. I have a basic script, but nothing that does all that I want yet.. wish someone had written an online ipchains -> iptables script with Javascript or something, that would be very handy. I only just figured out how to do port forwarding with iptables last night..

rgds
Frank

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of J. Craig Woods
Sent: Friday, 9 November 2001 1:54 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [expert] Network problems caused by 'Tiny Firewall' GUI in MDK

Ben Nicolas wrote:
>
> You were right in assuming my basic topology consisted of 1 LM 8.0 server
> (acting as a gateway/router) with 2 nic's. Besides that all I have is one
> client machine running Win2K.
>
> Now that you mention it you're also right about not needing to have port
> 139 open externally to use samba betw. my server and client. Prior to
> this debacle I had never done any firewalling or used iptables/ipchains so
> my comment about needing 139 open earlier was due to lack of knowledge.
> Once I figure out what's preventing my client from accessing the internet
> and DBI from making a connection to MySQL I will use iptables to secure
> up my network now that I understand how to create rules. For now I'm
> primarily concerned with figuring out why my server won't forward requests
> made to servers outside my internal micro-lan.
>

I wish I could help you out with that Tiny crap stuff. I am just not sure what it has left behind, in view of the fact that you have cleaned it out from the usual directories. All I can say is dust off the old 'grep', and start a fine tooth search for any kind of "Tiny" or "firewall" string in any file located in all of the usual directories.

BTW what does a "netstat -rn" output look like on your two machines?

If you need some assistance with the gateway/router set up, you are welcome to call on me. I have set up this kind of thing before with Samba and name server running on a LAN with W2K.

Do let me know what the resolution is to the Tiny (big) headache

--
J. Craig Woods
UNIX/NT SA

-Art is the illusion of spontaneity-
Re: [expert] Network problems caused by 'Tiny Firewall' GUI in MDK
Ben Nicolas wrote:
>
> You were right in assuming my basic topology consisted of 1 LM 8.0 server
> (acting as a gateway/router) with 2 nic's. Besides that all I have is one
> client machine running Win2K.
>
> Now that you mention it you're also right about not needing to have port
> 139 open externally to use samba betw. my server and client. Prior to
> this debacle I had never done any firewalling or used iptables/ipchains so
> my comment about needing 139 open earlier was due to lack of knowledge.
> Once I figure out what's preventing my client from accessing the internet
> and DBI from making a connection to MySQL I will use iptables to secure
> up my network now that I understand how to create rules. For now I'm
> primarily concerned with figuring out why my server won't forward requests
> made to servers outside my internal micro-lan.
>

I wish I could help you out with that Tiny crap stuff. I am just not sure what it has left behind, in view of the fact that you have cleaned it out from the usual directories. All I can say is dust off the old 'grep', and start a fine tooth search for any kind of "Tiny" or "firewall" string in any file located in all of the usual directories.

BTW what does a "netstat -rn" output look like on your two machines?

If you need some assistance with the gateway/router set up, you are welcome to call on me. I have set up this kind of thing before with Samba and name server running on a LAN with W2K.

Do let me know what the resolution is to the Tiny (big) headache

--
J. Craig Woods
UNIX/NT SA

-Art is the illusion of spontaneity-
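Craig's "dust off grep" and "netstat -rn" advice, worked into a small read-only audit script. This is an added example for this page, not something posted in the thread. It takes an optional root directory so it can be pointed at a scratch tree or a mounted image instead of the live box; the directory list, the rc?.d symlink convention and the ip_forward check are assumptions about a Mandrake/Red Hat style layout, not something the thread states. Nothing here modifies the system.

```shell
#!/bin/sh
# Added example, not code from the thread. Read-only audit of what a firewall
# tool may have left behind on a gateway. Optional argument: a root directory
# (mounted image or scratch tree); defaults to the live system. Run the full
# report with: FW_AUDIT=1 sh audit.sh /

# Usual startup and config locations on a Mandrake/Red Hat style system
# (assumption for this example).
FW_DIRS="etc/rc.d etc/init.d etc/sysconfig etc/cron.d etc/cron.daily"

# Files whose name or contents mention the tool (case-insensitive), one path
# per line, sorted and de-duplicated. A search with no hits is not an error.
find_firewall_leftovers() {
    root="${1:-/}"; root="${root%/}"
    for d in $FW_DIRS; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type f -iname '*firewall*'
        grep -rli -e 'tiny' -e 'firewall' "$root/$d" 2>/dev/null || :
    done | sort -u
}

# Forwarding sysctl the gateway depends on: "1" = on, "0" = off, "unknown"
# if the file is not readable (non-Linux root or a scratch tree without it).
ip_forward_state() {
    root="${1:-/}"; root="${root%/}"
    f="$root/proc/sys/net/ipv4/ip_forward"
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Init symlinks still wired to run at boot and pointing at the tool. Deleting
# rc.firewall* by hand leaves these S-links dangling; they show up here.
boot_links_for() {
    root="${1:-/}"; root="${root%/}"
    find "$root/etc/rc.d" "$root/etc" -maxdepth 2 -type l -name 'S[0-9][0-9]*' 2>/dev/null |
    while read -r l; do
        case "$(readlink "$l")" in
            *firewall*|*Firewall*|*tiny*|*Tiny*) echo "$l" ;;
        esac
    done
}

# Routing table, the thing Craig asked to see; ip route where available,
# netstat -rn otherwise.
show_routes() {
    ip route 2>/dev/null || netstat -rn
}

if [ -n "${FW_AUDIT:-}" ]; then
    echo "ip_forward: $(ip_forward_state "${1:-/}")"
    echo "files mentioning the tool:"; find_firewall_leftovers "${1:-/}"
    echo "boot links pointing at it:"; boot_links_for "${1:-/}"
    echo "routes:"; show_routes
fi
```

The point of the three separate checks is that each answers a different question Ben was chasing: whether the kernel will route at all (ip_forward), whether a startup file will re-apply the GUI's rules on the next boot (leftovers and S-links), and whether the client's default route actually points at the gateway (routes).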
Re: [expert] Network problems caused by 'Tiny Firewall' GUI in MDK
You were right in assuming my basic topology consisted of 1 LM 8.0 server (acting as a gateway/router) with 2 nic's. Besides that all I have is one client machine running Win2K.

Now that you mention it you're also right about not needing to have port 139 open externally to use samba betw. my server and client. Prior to this debacle I had never done any firewalling or used iptables/ipchains so my comment about needing 139 open earlier was due to lack of knowledge. Once I figure out what's preventing my client from accessing the internet and DBI from making a connection to MySQL I will use iptables to secure up my network now that I understand how to create rules. For now I'm primarily concerned with figuring out why my server won't forward requests made to servers outside my internal micro-lan.

> Ben Nicolas wrote:
>>
>> Mr. Woods Thank you very much for replying to my post.
>>
>> port 139 I was leaving open for samba. I use samba so that I can
>> download stuff straight from the internet to my linux box from my
>> Win2K box. (At least I was back when my win2K box could connect to the
>> internet). As for port 6000 I may want to close that up, you're right,
>> but right now I'm more concerned with removing security than adding
>> anything. I am trying to remove everything that stupid Firewall GUI
>> added. If u look at my original post you'll see I've flushed my
>> iptables and removed any file beginning with rc.firewall* from my rc.d
>> directory. And obviously before I took any of those measures I went
>> through the firewall GUI itself and undid as much as possible. You're
>> right I need someone who knows what the f#$k the 'Tiny Firewall' GUI
>> does, I'm finding that impossible. I even paid $15 for an expert to
>> answer this question at MandrakeExpert.com. The response I got was
>> totally useless: some guy that clearly didn't read my post
>> simply told me to turn off my firewall and then told me how to close
>> off all the ports I listed as open via the nmap -v my_ip snapshot
>> prior to this debacle...
>>
>> Trust me I'll never use a GUI app in Linux again (I've already learned
>> the hard way that RPM's were the brain child of Lucifer...)
>>
>> If anyone out there knows anything about the specifics of what the
>> 'Tiny Firewall' app does, I would highly appreciate your input
>> relating to my problem
>>
>> Thank you
>>
>
> OK, I am confused. Maybe we should back track a bit. I was under the
> impression that this was a gateway/router box with two NIC's, one
> internal and one external. In which case, you would not want any port
> open, such as netbios/samba (port 139), to the external side. If you
> would explain your network topology, maybe we could help...
>
> --
> J. Craig Woods
> UNIX/NT SA
>
> -Art is the illusion of spontaneity-
Re: [expert] Network problems caused by 'Tiny Firewall' GUI in MDK
Ben Nicolas wrote:
>
> Mr. Woods Thank you very much for replying to my post.
>
> port 139 I was leaving open for samba. I use samba so that I can download
> stuff straight from the internet to my linux box from my Win2K box. (At
> least I was back when my win2K box could connect to the internet). As for
> port 6000 I may want to close that up, you're right, but right now I'm more
> concerned with removing security than adding anything. I am trying to
> remove everything that stupid Firewall GUI added. If u look at my
> original post you'll see I've flushed my iptables and removed any file
> beginning with rc.firewall* from my rc.d directory. And obviously before
> I took any of those measures I went through the firewall GUI itself and
> undid as much as possible. You're right I need someone who knows what the
> f#$k the 'Tiny Firewall' GUI does, I'm finding that impossible. I even
> paid $15 for an expert to answer this question at MandrakeExpert.com. The
> response I got was totally useless: some guy that clearly didn't read my
> post simply told me to turn off my firewall and then told me how
> to close off all the ports I listed as open via the nmap -v my_ip snapshot
> prior to this debacle...
>
> Trust me I'll never use a GUI app in Linux again (I've already learned the
> hard way that RPM's were the brain child of Lucifer...)
>
> If anyone out there knows anything about the specifics of what the
> 'Tiny Firewall' app does, I would highly appreciate your input relating to
> my problem
>
> Thank you
>

OK, I am confused. Maybe we should back track a bit. I was under the impression that this was a gateway/router box with two NIC's, one internal and one external. In which case, you would not want any port open, such as netbios/samba (port 139), to the external side. If you would explain your network topology, maybe we could help...

--
J. Craig Woods
UNIX/NT SA

-Art is the illusion of spontaneity-
Re: [expert] Network problems caused by 'Tiny Firewall' GUI in MDK
Thanks for replying Richard,

The link you gave me basically told me it could connect to every port that Nmap could except 3306, which is where MySQL is listening. That might explain why Scoop isn't working but I still don't get it because apache should be connecting to MySQL locally via sockets not externally via TCP, which is why the link you gave me failed and running nmap locally worked. Like I mentioned below, I double checked that both my mysql.sock file and the dir it lives in have 777 permissions.

My problem is that my Win2K client is still not able to use my MDK server as a gateway to the internet. After I used the 'Tiny Firewall' application it did something that prevents my server from acting like a gateway and prevents access to the 3306 port MySQL is listening on. I was hoping one of the experts in this forum would be able to tell me exactly what the 'Tiny Firewall' GUI does so that I could back out all of the changes it's made and use my network again...

-Ben

> Hi Ben, don't get caught by using nmap from the same machine, I did !!!
> got similar results, had a port scan done externally and it was OK. try
> http://mycgiserver.com/~kalish/
>
> HTH
>
> Ben Nicolas wrote:
>>
>> I apologize if this message has reached this list multiple times, I'm
>> using a web-based e-mail program I'm not familiar with because of the
>> problem discussed below
>>
>> Network Setup
>> Server/Internet Gateway/Router: Linux-Mandrake 8.0
>> Client: Windows 2000
>>
>> What I did:
>> My network was running fine until I ran the "Tiny Firewall" gui app
>> (part of the Mandrake Control Center under Security)
>>
>> Problem:
>> Now client can't connect to the internet.
>> I was running "Scoop" which is an apache/mod-perl based web app that
>> interacts heavily with MySQL via the Perl DBI module. DBI can no
>> longer connect to the MySQL database. When I look at the error logs I see:
>> failed: Can't connect to local MySQL server through socket
>> '/var/lib/mysql/mysql.sock'
>> And yes I have double checked to make sure the socket mysql.sock
>> is there and that both the dir /var/lib/mysql and the mysql.sock file
>> are executable.
>>
>> Interesting info:
>> The Server can still connect to the internet.
>> I can still ping back and forth between both machines. I can even
>> ping the server by host name because I'm running my own DNS.
>> I've tried iptables (-F, -X, and -Z) as well as run scripts I've found
>> that supposedly reset iptables to their default values.
>> I have also deleted all the rc.firewall* files in the /etc/rc.d dir
>> created by the stupid GUI
>> I can access mysql from the command line no prob using the username
>> and password that apache connects as.
>> I've scoured the internet to the best of my ability and have not been
>> able to find any info to help me solve this utterly debilitating
>> problem.
>>
>> what nmap -v my_ip said were open pre-debacle:
>> 21/tcp    open  ftp
>> 22/tcp    open  ssh
>> 23/tcp    open  telnet
>> 25/tcp    open  smtp
>> 53/tcp    open  domain
>> 80/tcp    open  http
>> 110/tcp   open  pop-3
>> 111/tcp   open  sunrpc
>> 139/tcp   open  netbios-ssn
>> 631/tcp   open  unknown
>> 901/tcp   open  samba-swat
>> 3128/tcp  open  squid-http
>> 3306/tcp  open  mysql
>> 6000/tcp  open  X11
>> 32770/tcp open  sometimes-rpc3
>>
>> what nmap -v my_ip says is open post-debacle:
>> (this is basically what I want)
>> 21/tcp    open  ftp
>> 22/tcp    open  ssh
>> 25/tcp    open  smtp
>> 53/tcp    open  domain
>> 80/tcp    open  http
>> 139/tcp   open  netbios-ssn
>> 3128/tcp  open  squid-http
>> 3306/tcp  open  mysql
>> 6000/tcp  open  X11
>>
>
> --
> Richard Bown
> Ericsson Microwave Systems AB
> SE-431 84 Mölndal
> e-mail [EMAIL PROTECTED]
> tel +46 31 74 72422
> mobile +46 7098 72422
Re: [expert] Network problems caused by 'Tiny Firewall' GUI in MDK
Mr. Woods Thank you very much for replying to my post.

port 139 I was leaving open for samba. I use samba so that I can download stuff straight from the internet to my linux box from my Win2K box. (At least I was back when my win2K box could connect to the internet). As for port 6000 I may want to close that up, you're right, but right now I'm more concerned with removing security than adding anything. I am trying to remove everything that stupid Firewall GUI added. If u look at my original post you'll see I've flushed my iptables and removed any file beginning with rc.firewall* from my rc.d directory. And obviously before I took any of those measures I went through the firewall GUI itself and undid as much as possible. You're right I need someone who knows what the f#$k the 'Tiny Firewall' GUI does, I'm finding that impossible. I even paid $15 for an expert to answer this question at MandrakeExpert.com. The response I got was totally useless: some guy that clearly didn't read my post simply told me to turn off my firewall and then told me how to close off all the ports I listed as open via the nmap -v my_ip snapshot prior to this debacle...

Trust me I'll never use a GUI app in Linux again (I've already learned the hard way that RPM's were the brain child of Lucifer...)

If anyone out there knows anything about the specifics of what the 'Tiny Firewall' app does, I would highly appreciate your input relating to my problem

Thank you

> Ben Nicolas wrote:
>>
>> Thanks for replying Richard,
>>
>> The link you gave me basically told me it could connect to every port
>> that Nmap could except 3306 which is where MySQL is listening. That
>> might explain why Scoop isn't working but I still don't get it because
>> apache should be connecting to MySQL locally via sockets not
>> externally via TCP which is why the link you gave me failed and
>> running nmap locally worked. Like I mentioned below I double checked
>> that both my mysql.sock file and the dir it lives in have 777
>> permissions. My problem is that my Win2K client is still not able to
>> use my MDK server as a gateway to the internet. After I used the 'Tiny
>> Firewall' application it did something that prevents my server from
>> acting like a gateway and prevents access to the 3306 port MySQL is
>> listening on. I was hoping one of the experts in this forum would be
>> able to tell me exactly what the 'Tiny Firewall' GUI does so that I
>> could back out all of the changes it's made and use my network
>> again...
>>
>> what nmap -v my_ip says is open post-debacle:
>> (this is basically what I want)
>> 21/tcp    open  ftp
>> 22/tcp    open  ssh
>> 25/tcp    open  smtp
>> 53/tcp    open  domain
>> 80/tcp    open  http
>> 139/tcp   open  netbios-ssn
>> 3128/tcp  open  squid-http
>> 3306/tcp  open  mysql
>> 6000/tcp  open  X11
>>
>
> Apache will connect via unix sockets, and, if MySQL is on the same box
> as Apache, it will not be using TCP. It seems "Tiny Firewalls" is your
> culprit but you already know this. That is why I do not like that kind
> of shit. You are better off writing your own rules. Can you just
> un-install that crap? You don't really need an expert. You need someone
> that has used that "Tiny Firewalls" stuff.
>
> My question is why do you want all those ports open. Do you mean to
> say, for example, that you want to leave port 139, 6000 open?
>
> --
> J. Craig Woods
> UNIX/NT SA
>
> -Art is the illusion of spontaneity-
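Craig's question about which ports have any business being open, put against the two nmap listings Ben posted. This is an added example for this page, not something from the thread: the two scans below are reproduced from Ben's post as constructed sample input, and the list of "LAN-only" services (SMB, SWAT, portmapper, squid, MySQL, X11) is an assumption for the example, not something the thread settles. The script reports what the GUI closed between the two scans and which of the remaining open ports should never be reachable from the external side.

```shell
#!/bin/sh
# Added example, not code from the thread. Diffs two "nmap -v" listings of
# the gateway and flags services that should only be reachable from the LAN.
# The scans are constructed sample input copied from Ben's post; the LAN_ONLY
# list is an assumption for this example.

PRE_SCAN='21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop-3
111/tcp open sunrpc
139/tcp open netbios-ssn
631/tcp open unknown
901/tcp open samba-swat
3128/tcp open squid-http
3306/tcp open mysql
6000/tcp open X11
32770/tcp open sometimes-rpc3'

POST_SCAN='21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
3128/tcp open squid-http
3306/tcp open mysql
6000/tcp open X11'

# Services that should only ever be reached from the LAN side or locally:
# portmapper, SMB, SWAT, the squid proxy, MySQL, X11 (assumption).
LAN_ONLY="111 139 901 3128 3306 6000"

# Numeric port of every "N/tcp open ..." line, one per line, numerically sorted.
# Works on real output too: open_ports "$(cat scan.txt)".
open_ports() {
    printf '%s\n' "$1" | awk '$2 == "open" { split($1, p, "/"); print p[1] }' | sort -n
}

# Ports open in the first scan but not in the second (what the firewall
# closed), space-separated on one line; empty when nothing was closed.
closed_between() {
    for p in $(open_ports "$1"); do
        open_ports "$2" | grep -qx "$p" || printf '%s ' "$p"
    done | sed 's/ $//'
}

# Open ports from a scan that are on the LAN-only list. If the scan was taken
# from the external side, these are the exposures to fix first.
lan_only_exposed() {
    for p in $(open_ports "$1"); do
        for l in $LAN_ONLY; do
            [ "$p" = "$l" ] && printf '%s ' "$p"
        done
    done | sed 's/ $//'
}

echo "closed by the firewall GUI: $(closed_between "$PRE_SCAN" "$POST_SCAN")"
echo "still open but LAN-only:    $(lan_only_exposed "$POST_SCAN")"
```

Read with Richard's warning in mind: a scan from the box itself sees the loopback view, so the second report only means something when the scan was taken from outside, which is exactly why his external scan saw 3306 closed while Ben's local nmap did not.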