Re: [expert] Firewall questions

2003-10-30 Thread Anne Wilson
On Thursday 30 Oct 2003 12:21 pm, Bryan Phinney wrote:
>
> > The problem for me is that the hardware router does not allow
> > GnomeMeeting to have a range of ports open (it uses h.323
> > tunneling), so I'm thinking that I will need, eventually, to set
> > my box dmz and rely on the software one, suitably configured.  I
> > am quite prepared to make the switch to dmz for the duration of a
> > session (it won't be too frequent), but I want the second layer
> > in first.  Consequently, I can use dmz to test the rules, going
> > back behind the hardware f/w as necessary.
>
> What kind do you have?  You should be able to open up an entire
> range, as small or large as you want and configure GnomeMeeting to
> simply confine to that range.  I have a range open for passive ftp
> and it appears to work fine.
>
SMC/7401BRA.  We chose that one, knowing nothing about routers, because 
at least the manufacturer put the manual on the website, and it 
looked reasonable.  I've regretted it a bit, but that's hindsight.  
You can open around 10 ports (total of tcp and udp), but no ranges.

Anne
-- 
Registered Linux User No.293302
Have you visited http://twiki.mdklinuxfaq.org yet?


Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com


RE: [expert] Firewall questions

2003-10-30 Thread Tango Echo
>-Original Message-
>From: Anne Wilson [mailto:[EMAIL PROTECTED]
>Sent: Thursday, October 30, 2003 5:37 AM
>To: [EMAIL PROTECTED]
>Subject: [expert] Firewall questions
>
>Currently I rely on a hardware firewall, but I would like to add a
>personal software firewall.  I know that I will need a slice of time
>to do sufficient reading to get the configuration right, so I thought
>that I would browse using Webmin to see what I needed to know,
>particularly since I don't want to affect the lan.
>
>Unfortunately, though logically, you can't do that until you have
>installed iptables.  I see, though, that it offers configuration for
>Linux Firewall and Shorewall.  If I install iptables and/or shorewall
>do they come with completely hashed out configuration files, or am I
>immediately committed to sorting it?
>
>Anne
>--

If you're looking for ease of use, Shorewall should do.  It can be
quickly enabled in MCC>Security>DrakFirewall.  It uses iptables as the
underlying filter, but configuration is much more simple IMHO.  Then
again, if you have the time and ambition to learn iptables that's
always a handy skill to have!




Re: [expert] Firewall questions

2003-10-30 Thread Bryan Phinney
On Thursday 30 October 2003 07:01 am, Anne Wilson wrote:

> So installing iptables will have no 'built-in' rules?  That's what I
> want, so that I can build it up a little at a time.

Yes, that is the way that I am running it, to supplement the hardware router 
because hardware routers are not really suitable for filtering as opposed to 
blocking.

> The problem for me is that the hardware router does not allow
> GnomeMeeting to have a range of ports open (it uses h.323 tunneling),
> so I'm thinking that I will need, eventually, to set my box dmz and
> rely on the software one, suitably configured.  I am quite prepared
> to make the switch to dmz for the duration of a session (it won't be
> too frequent), but I want the second layer in first.  Consequently, I
> can use dmz to test the rules, going back behind the hardware f/w as
> necessary.

What kind do you have?  You should be able to open up an entire range, as 
small or large as you want and configure GnomeMeeting to simply confine to 
that range.  I have a range open for passive ftp and it appears to work fine.

> My experience with using it to set up samba does not encourage me to
> do it that way, but I thought that browsing the interface might give
> me a better idea of the questions I need answering before actually
> doing any configuration.

As your rules get extended, Webmin will eventually break down and time out 
trying to display them all.  At least, it does in my case, so I simply keep a 
bash script to issue the commands and periodically update and rerun the 
script to repopulate changes to my firewall.

-- 
Bryan Phinney
Software Test Engineer




Re: [expert] Firewall questions

2003-10-30 Thread Anne Wilson
On Thursday 30 Oct 2003 11:03 am, J.C. Woods wrote:
>
> Just install iptables, and start "rolling your own" rules. There
> are loads of sites that document how to. 

So installing iptables will have no 'built-in' rules?  That's what I 
want, so that I can build it up a little at a time.

> You could start off by
> just replacing one rule at a time from your external router. For
> example, let's say your hardware does not allow any ping responses.
> So you write your first rule with iptables to disallow any ping
> responses, and turn that feature off on the router, so on and so
> forth until you feel good about your firewall rules, and have a
> better understanding of what is going on.
>
The problem for me is that the hardware router does not allow 
GnomeMeeting to have a range of ports open (it uses h.323 tunneling), 
so I'm thinking that I will need, eventually, to set my box dmz and 
rely on the software one, suitably configured.  I am quite prepared 
to make the switch to dmz for the duration of a session (it won't be 
too frequent), but I want the second layer in first.  Consequently, I 
can use dmz to test the rules, going back behind the hardware f/w as 
necessary.

> And you could do this a little at a time, as you learn new
> rules
>
> Because I have always written my own rules, since the days of
> ipchains, I do not know too much about Shorewall, and I would never
> trust Webmin to handle a vital function like firewalls. Just my two
> cents worth...
>
My experience with using it to set up samba does not encourage me to 
do it that way, but I thought that browsing the interface might give 
me a better idea of the questions I need answering before actually 
doing any configuration.

Thanks for the input

Anne
-- 
Registered Linux User No.293302
Have you visited http://twiki.mdklinuxfaq.org yet?




Re: [expert] Firewall questions

2003-10-30 Thread J.C. Woods
Anne Wilson wrote:

> Currently I rely on a hardware firewall, but I would like to add a 
> personal software firewall.  I know that I will need a slice of time 
> to do sufficient reading to get the configuration right, so I thought 
> that I would browse using Webmin to see what I needed to know, 
> particularly since I don't want to affect the lan.
>
> Unfortunately, though logically, you can't do that until you have 
> installed iptables.  I see, though, that it offers configuration for 
> Linux Firewall and Shorewall.  If I install iptables and/or shorewall 
> do they come with completely hashed out configuration files, or am I 
> immediately committed to sorting it?
>
> Anne


Just install iptables, and start "rolling your own" rules. There are 
loads of sites that document how to. You could start off by just 
replacing one rule at a time from your external router. For example, 
let's say your hardware does not allow any ping responses. So you write 
your first rule with iptables to disallow any ping responses, and turn 
that feature off on the router, so on and so forth until you feel good 
about your firewall rules, and have a better understanding of what is 
going on.

And you could do this a little at a time, as you learn new rules

Because I have always written my own rules, since the days of ipchains, I 
do not know too much about Shorewall, and I would never trust Webmin to 
handle a vital function like firewalls. Just my two cents worth...

drjung

--
J. Craig Woods
UNIX Network/System Engineer
http://www.trismegistus.net/resume.htm
Let him that would move the world, first move himself.
--Socrates




Re: [expert] firewall question

2003-08-31 Thread engage
On Sunday 31 August 2003 11:43 am, Jack Coates wrote:
>On Sun, 2003-08-31 at 09:46, engage wrote:
>> Since setting up Shorewall to discard bad/malformed packets, I've been
>> getting a lot of log entries like this. Why? I know that the displayed
>> destination address is a broadcast address.
>>
>> Aug 31 08:31:18 n0sq kernel: Shorewall:badpkt:DROP:IN=eth1 OUT=
>> MAC=ff:ff:ff:ff:ff:ff:00:09:e8:b4:c6:c3:08:00 SRC=0.0.0.0
>> DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=128 ID=8093 PROTO=UDP
>> SPT=68 DPT=67 LEN=556
>
>that's a DHCP packet -- grab it with Ethereal and you can see what type.
>I'd guess client request.

I forgot that a lot of the new accounts at the ISP are now DHCP.

>
>> Also, I've been getting a lot of bad packets from many IP addresses that
>> belong to my ISP. The strange thing is that the packets have my address as
>> the destination address.
>
>Maybe they're scanning for services, or maybe other users on the ISP are
>scanning or have worms.

Possibly. I'm going to have to spend more time on network analysis. I might be 
able to get away from the computer someday.





Re: [expert] firewall question

2003-08-31 Thread Jack Coates
On Sun, 2003-08-31 at 09:46, engage wrote:
> Since setting up Shorewall to discard bad/malformed packets, I've been getting 
> a lot of log entries like this. Why? I know that the displayed destination 
> address is a broadcast address.
> 
> Aug 31 08:31:18 n0sq kernel: Shorewall:badpkt:DROP:IN=eth1 OUT= 
> MAC=ff:ff:ff:ff:ff:ff:00:09:e8:b4:c6:c3:08:00 SRC=0.0.0.0 DST=255.255.255.255 
> LEN=576 TOS=0x00 PREC=0x00 TTL=128 ID=8093 PROTO=UDP SPT=68 DPT=67 LEN=556
> 

that's a DHCP packet -- grab it with Ethereal and you can see what type.
I'd guess client request.

> 
> Also, I've been getting a lot of bad packets from many IP addresses that 
> belong to my ISP. The strange thing is that the packets have my address as 
> the destination address.
> 

Maybe they're scanning for services, or maybe other users on the ISP are
scanning or have worms.

> This is sure taking up a lot of log space.

So don't do it :-) Scale back logging.

http://www.monkeynoodle.org/comp/reply-to

-- 
Jack Coates
Monkeynoodle: A Scientific Venture...
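As an added example (not code from any of the posts), here is a small parser for the Shorewall log format quoted in this exchange. It recognises the SRC=0.0.0.0 to 255.255.255.255 UDP 68->67 line as a DHCP client broadcast, and groups the remaining inbound drops by source so a "one ISP neighbour hitting several ports" pattern stands out from single-hit noise. MY_ADDR and log lines 2 to 4 are assumptions constructed for the example; line 1 is the line quoted in the thread.

```python
"""Parse and classify Shorewall/netfilter drop lines like the one quoted above."""
import re
from collections import defaultdict

# Assumption: the firewall's own public address.  The sample below is
# constructed: line 1 is the DHCP line quoted in the thread, lines 2-4 are
# invented stand-ins (documentation-range addresses) for the "ISP addresses
# hitting my address" drops the poster describes.
MY_ADDR = "192.0.2.80"
SAMPLE_LOG = [
    "Aug 31 08:31:18 n0sq kernel: Shorewall:badpkt:DROP:IN=eth1 OUT= "
    "MAC=ff:ff:ff:ff:ff:ff:00:09:e8:b4:c6:c3:08:00 SRC=0.0.0.0 DST=255.255.255.255 "
    "LEN=576 TOS=0x00 PREC=0x00 TTL=128 ID=8093 PROTO=UDP SPT=68 DPT=67 LEN=556",
    "Aug 31 08:32:01 n0sq kernel: Shorewall:net2all:DROP:IN=eth1 OUT= "
    "MAC=00:09:e8:b4:c6:c3:00:0a:95:aa:bb:cc:08:00 SRC=192.0.2.17 DST=192.0.2.80 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=1 PROTO=TCP SPT=3312 DPT=135 "
    "WINDOW=16384 RES=0x00 SYN URGP=0",
    "Aug 31 08:32:05 n0sq kernel: Shorewall:net2all:DROP:IN=eth1 OUT= "
    "MAC=00:09:e8:b4:c6:c3:00:0a:95:aa:bb:cc:08:00 SRC=192.0.2.17 DST=192.0.2.80 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=2 PROTO=TCP SPT=3313 DPT=445 "
    "WINDOW=16384 RES=0x00 SYN URGP=0",
    "Aug 31 08:33:10 n0sq kernel: Shorewall:net2all:DROP:IN=eth1 OUT= "
    "MAC=00:09:e8:b4:c6:c3:00:0a:95:dd:ee:ff:08:00 SRC=192.0.2.99 DST=192.0.2.80 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=7 PROTO=TCP SPT=4001 DPT=135 "
    "WINDOW=8192 RES=0x00 SYN URGP=0",
]

# Shorewall logs with a "Shorewall:<chain>:<action>:" prefix before the
# netfilter KEY=VALUE fields.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[^:\s]+):")


def parse_line(line):
    """Return the netfilter fields of one log line as a dict, or None.

    Both the IP header and the transport header log a LEN= field, so the
    first stays 'LEN' and the second becomes 'LEN2'.  Bare tokens such as
    SYN or ACK are collected under 'FLAGS'.
    """
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action"), "FLAGS": []}
    for tok in line[m.end():].split():
        if "=" not in tok:
            rec["FLAGS"].append(tok)
            continue
        key, val = tok.split("=", 1)
        if key in rec:          # second LEN= (UDP/TCP payload length)
            key += "2"
        rec[key] = val
    return rec


def classify(rec, my_addr=MY_ADDR):
    """Tag a parsed record.

    SRC=0.0.0.0 -> 255.255.255.255, UDP 68->67 is a DHCP client that has no
    address yet (DHCPDISCOVER/REQUEST) broadcasting on the shared segment:
    harmless noise.  Anything else aimed at our address is an unsolicited
    inbound packet worth counting.
    """
    if (rec.get("PROTO") == "UDP" and rec.get("SPT") == "68"
            and rec.get("DPT") == "67" and rec.get("SRC") == "0.0.0.0"
            and rec.get("DST") == "255.255.255.255"):
        return "dhcp-client-broadcast"
    if rec.get("DST") == my_addr:
        return "unsolicited-inbound"
    return "other"


def summarize(lines, my_addr=MY_ADDR):
    """Count lines per class; for unsolicited traffic, record the destination
    ports each source has hit."""
    counts = defaultdict(int)
    ports_by_src = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        cls = classify(rec, my_addr)
        counts[cls] += 1
        if cls == "unsolicited-inbound":
            ports_by_src[rec["SRC"]].add(rec.get("DPT", "-"))
    return dict(counts), {s: sorted(p) for s, p in ports_by_src.items()}


def probing_sources(ports_by_src, min_ports=2):
    """Sources that touched several ports: the 'scanning or wormy neighbour'
    pattern the reply guesses at.  Single-port noise is a candidate for
    being logged less, which is where the log space goes."""
    return sorted(s for s, p in ports_by_src.items() if len(p) >= min_ports)


if __name__ == "__main__":
    counts, by_src = summarize(SAMPLE_LOG)
    print(counts)
    print(by_src)
    print("probing:", probing_sources(by_src))
```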




Re: [expert] Firewall stuff SSH

2003-01-11 Thread Michael Viron
I've been lucky so far -- at the company I work for, I'm in charge of all
technology oriented activities (security, database, systems, helpdesk, and
so forth) so if I make a suggestion there is typically very little
resistance to it (since, after all, I've been right several times before
already -- proven track record always helps).

Michael

At 07:48 PM 1/11/2003 -0800, you wrote:
>On Sat, 2003-01-11 at 18:24, H.J.Bathoorn wrote:
>> On Sunday 12 January 2003 00:47, Lorne wrote:
>> > That is what I think. The reason I want to speak to him. I am not in the
>> > security section. I'm trying. I am positive they are in way over their
>> > heads and I told him it wasn't a matter if but when we got hacked. The sad
>> > part is, they probably won't know it when they do, if the hacker is smart.
>> 
>> Trouble is that as long as you're trying to get heard, they'll see you as a 
>> threat. Meaning they (the security dep.)'ll be using all their energy to 
>> fight you instead of the cracker they've never ever felt before.
>> 
>> Don't ever try to fight ignorants face to face, play along and be their 
>> advisor in "hard times".
>> It's the only way, or be prepared to stick a lot of energy and time in 
>> battling their "back to the wall" tactics. You'll probably lose any which 
>> way!
>> 
>> Good luck,
>> HarM
>
>HarM...
>
>  Good bad or indifferent, you are unfortunately right. The best move in
>my opinion is to make your proposal in writing (so that you have a
>copy.) to the head of security... Then when he botches it... You are
>ahead.. If he likes what you suggest, then HE gets to go to the boss and
>win either way. You win.
>
>James





Re: [expert] Firewall stuff SSH

2003-01-11 Thread James Sparenberg
On Sat, 2003-01-11 at 18:24, H.J.Bathoorn wrote:
> On Sunday 12 January 2003 00:47, Lorne wrote:
> > That is what I think. The reason I want to speak to him. I am not in the
> > security section. I'm trying. I am positive they are in way over their
> > heads and I told him it wasn't a matter if but when we got hacked. The sad
> > part is, they probably won't know it when they do, if the hacker is smart.
> 
> Trouble is that as long as you're trying to get heard, they'll see you as a 
> threat. Meaning they (the security dep.)'ll be using all their energy to 
> fight you instead of the cracker they've never ever felt before.
> 
> Don't ever try to fight ignorants face to face, play along and be their 
> advisor in "hard times".
> It's the only way, or be prepared to stick a lot of energy and time in 
> battling their "back to the wall" tactics. You'll probably lose any which 
> way!
> 
> Good luck,
> HarM

HarM...

  Good bad or indifferent, you are unfortunately right. The best move in
my opinion is to make your proposal in writing (so that you have a
copy.) to the head of security... Then when he botches it... You are
ahead.. If he likes what you suggest, then HE gets to go to the boss and
win either way. You win.

James







Re: [expert] Firewall stuff SSH

2003-01-11 Thread James Sparenberg
As for why against... this network is my home and I can't afford to go
buy another comp and IP just to "protect" the 4 or 5 boxes behind it. 
*grin*

James


On Sat, 2003-01-11 at 10:24, Lorne wrote:
> On Saturday 11 January 2003 08:49 am, Mark Weaver wrote:
> > Lorne wrote:
> > > On Friday 10 January 2003 11:13 am, Todd Lyons wrote:
> > >>Lorne wrote on Fri, Jan 10, 2003 at 09:15:02AM -0700 :
> > >>>I've run coyote-linux for 5 years now and have NEVER been hacked. That
> > >>> is until September of 2002. I spoke with the author and he felt his
> > >>> system was secure and it couldn't have been his LRP based firewall that
> > >>> broke down. I DID have port 21 forwarded, so assumed it was the inside
> > >>> box that got compromised via port 21. I took the inside box off line,
> > >>> totally built it from scratch, hardened all boxes and made sure I had a
> > >>> secure intranet. I then brought the firewall back up. Within a month
> > >>> someone was poking around inside my intranet again. Now it seems that
> > >>> it takes about 48 hours for them to get back in. So I've been rebooting
> > >>> it every night until I can get my MNF box up. I believe there is some
> > >>> buffer overflow or other vulnerability that hasn't been identified yet
> > >>> with the LRP firewall system. So just a warning,
> > >>
> > >>Geez, you should be sitting there with tcpdump running nearly non-stop
> > >>and logging to a separate host so that you can see exactly what is occurring.
> > >>Get active and into it and you'll learn a LOT about security.  You may
> > >>_think_ you know a lot now, but when you watch a box getting 'sploited,
> > >>and then pull the plug and figure it all out, you'll come out of it with
> > >>some invaluable knowledge that you can put to use immediately!
> > >
> > > I prefer ethereal and sniffer pro and I have had really really limited
> > > time here at home. I've been getting more and more into packet analysis
> > > at work and it is pretty cool stuff. I've been to a couple of classes on
> > > it. I've had snort running on Mandrake snf and I'm putting the finishing
> > > touches on MNF. It has snort. I'm putting tripwire on it now. What I
> > > REALLY would like to do is set up a honey pot and then I'm truly in
> > > control and can watch with interest what is going on. I'm trying to talk
> > > my boss into letting me set up a honey pot at work, but corporate is
> > > against it. I need to talk to the fellow that is against it. I think he
> > > is wrong. :)
> >
> > why in the world would someone be "against" setting up a honeypot in
> > defense of a network and all the mission critical data stored thereon?
> > Yes, I understand that "honeypot" in and of itself does nothing to
> > actually protect a network, but in the overall scheme it is a part of
> > the process.
> 
> That is what I asked the director yesterday. He said the head dude is from the 
> "CIA" and he has always been against it.  WFT!?!? My response was, I need 
> to talk to this guy, because he either doesn't understand them or knows 
> something profound I've never thought or heard of. Like I tried to explain to 
> the director yesterday is that there should never ever be any legitimate 
> traffic to a honeypot so if there is activity, it is going to be improper. 
> Makes it pretty damned easy to catch activity on a busy network. Like you 
> said, it isn't protection, but what a cool tool to trigger alarms, watch what 
> they are doing, keep them busy until you figure out what is going on etc. :)
> 






Re: [expert] Firewall stuff SSH

2003-01-11 Thread Lorne
On Saturday 11 January 2003 07:25 pm, Mark Weaver wrote:
> On Saturday 11 January 2003 09:17 pm, Lorne scribbled incoherently:
> > Could very well be. Unfortunately the two guys that are in "charge" of it
> > are such buffoons that I would not work with them anyhow. I fully expect
> > them to get fired soon. They are not only ignorant, but arrogant to boot!
> > I can handle ignorance, and I can handle arrogance, but not both
> > together! they are in charge of setting it all up and it is such a joke.
> > I'm just hoping to make enough comments to the director that he will know
> > I have some skills and am interested so that when they do get fired I'll
> > be considered.
> >
> > > Don't ever try to fight ignorants face to face, play along and be their
> > > advisor in "hard times".
> > > It's the only way, or be prepared to stick a lot of energy and time in
> > > battling their "back to the wall" tactics. You'll probably lose any
> > > which way!
> >
> > This is a really unique situation. The only thing I'm afraid of is that
> > if they F#$K it up too badly, that our parent company will take it away
> > from us and move it out of our building without me having a chance to
> > prove we can do it right. :( Oh well we'll see how it all shakes out.
> >
> > > Good luck,
> > > HarM
>
> well good luck and God speed to ya Lorne!

heh.. heh...thanks Mark! ;)





Re: [expert] Firewall stuff SSH

2003-01-11 Thread Mark Weaver
On Saturday 11 January 2003 09:17 pm, Lorne scribbled incoherently:
> Could very well be. Unfortunately the two guys that are in "charge" of it
> are such buffoons that I would not work with them anyhow. I fully expect
> them to get fired soon. They are not only ignorant, but arrogant to boot! I
> can handle ignorance, and I can handle arrogance, but not both together!
> they are in charge of setting it all up and it is such a joke. I'm just
> hoping to make enough comments to the director that he will know I have some
> skills and am interested so that when they do get fired I'll be considered.
>
> > Don't ever try to fight ignorants face to face, play along and be their
> > advisor in "hard times".
> > It's the only way, or be prepared to stick a lot of energy and time in
> > battling their "back to the wall" tactics. You'll probably lose any which
> > way!
>
> This is a really unique situation. The only thing I'm afraid of is that if
> they F#$K it up too badly, that our parent company will take it away from
> us and move it out of our building without me having a chance to prove we
> can do it right. :( Oh well we'll see how it all shakes out.
>
> > Good luck,
> > HarM

well good luck and God speed to ya Lorne!
-- 
Mark
---
Paid for by Penguins against modern appliances(R)
Linux User Since 1996
Powered by Mandrake Linux 8.2 & 9.0






Re: [expert] Firewall stuff SSH

2003-01-11 Thread Lorne
On Saturday 11 January 2003 06:04 pm, Mark Weaver wrote:
> On Saturday 11 January 2003 07:47 pm, Lorne wrote:
> > On Saturday 11 January 2003 02:35 pm, Mark Weaver wrote:
> >
> > 
> >
> > > > That is what I asked the director yesterday. He said the head dude
> > > > is from the  "CIA" and he has always been against it.  WFT!?!?
> > > > My response was, I need  to talk to this guy, because he either
> > > > doesn't understand them or knows  something profound I've never
> > > > thought or heard of. Like I tried to explain to  the director
> > > > yesterday is that there should never ever be any legitimate  traffic
> > > > to a honeypot so if there is activity, it is going to be improper.
> > > > Makes it pretty damned easy to catch activity on a busy network.
> > > > Like you  said, it isn't protection, but what a cool tool to trigger
> > > > alarms, watch what  they are doing, keep them busy until you figure
> > > > out what is going on etc. :)
> > >
> > > that guy sounds more like someone who's technically in WAY over his
> > > head and hasn't got a single clue what he's doing.
> >
> > That is what I think. The reason I want to speak to him. I am not in the
> > security section. I'm trying. I am positive they are in way over their
> > heads and I told him it wasn't a matter if but when we got hacked. The
> > sad part is, they probably won't know it when they do, if the hacker is
> > smart.
>
> God help the cracker if he isn't! Let's hope he isn't very smart at all.
>
> Mark

hahaha amen!





Re: [expert] Firewall stuff SSH

2003-01-11 Thread Mark Weaver
On Saturday 11 January 2003 07:47 pm, Lorne wrote:
> On Saturday 11 January 2003 02:35 pm, Mark Weaver wrote:
>
> 
>
> > > That is what I asked the director yesterday. He said the head dude
> > > is from the  "CIA" and he has always been against it.  WFT!?!?
> > > My response was, I need  to talk to this guy, because he either
> > > doesn't understand them or knows  something profound I've never
> > > thought or heard of. Like I tried to explain to  the director
> > > yesterday is that there should never ever be any legitimate  traffic
> > > to a honeypot so if there is activity, it is going to be improper.
> > > Makes it pretty damned easy to catch activity on a busy network.
> > > Like you  said, it isn't protection, but what a cool tool to trigger
> > > alarms, watch what  they are doing, keep them busy until you figure
> > > out what is going on etc. :)
> >
> > that guy sounds more like someone who's technically in WAY over his
> > head and hasn't got a single clue what he's doing.
>
> That is what I think. The reason I want to speak to him. I am not in the
> security section. I'm trying. I am positive they are in way over their
> heads and I told him it wasn't a matter if but when we got hacked. The sad
> part is, they probably won't know it when they do, if the hacker is smart.

God help the cracker if he isn't! Let's hope he isn't very smart at all.

Mark






Re: [expert] Firewall stuff SSH

2003-01-11 Thread Lorne
On Saturday 11 January 2003 02:35 pm, Mark Weaver wrote:


> > That is what I asked the director yesterday. He said the head dude
> > is from the  "CIA" and he has always been against it.  WFT!?!?
> > My response was, I need  to talk to this guy, because he either
> > doesn't understand them or knows  something profound I've never
> > thought or heard of. Like I tried to explain to  the director
> > yesterday is that there should never ever be any legitimate  traffic
> > to a honeypot so if there is activity, it is going to be improper.
> > Makes it pretty damned easy to catch activity on a busy network.
> > Like you  said, it isn't protection, but what a cool tool to trigger
> > alarms, watch what  they are doing, keep them busy until you figure
> > out what is going on etc. :)
>
> that guy sounds more like someone who's technically in WAY over his
> head and hasn't got a single clue what he's doing.

That is what I think. The reason I want to speak to him. I am not in the 
security section. I'm trying. I am positive they are in way over their heads 
and I told him it wasn't a matter if but when we got hacked. The sad part is, 
they probably won't know it when they do, if the hacker is smart.





Re: [expert] Firewall stuff SSH

2003-01-11 Thread Lorne
On Saturday 11 January 2003 08:49 am, Mark Weaver wrote:
> Lorne wrote:
> > On Friday 10 January 2003 11:13 am, Todd Lyons wrote:
> >>Lorne wrote on Fri, Jan 10, 2003 at 09:15:02AM -0700 :
> >>>I've run coyote-linux for 5 years now and have NEVER been hacked. That
> >>> is until September of 2002. I spoke with the author and he felt his
> >>> system was secure and it couldn't have been his LRP based firewall that
> >>> broke down. I DID have port 21 forwarded, so assumed it was the inside
> >>> box that got compromised via port 21. I took the inside box off line,
> >>> totally built it from scratch, hardened all boxes and made sure I had a
> >>> secure intranet. I then brought the firewall back up. Within a month
> >>> someone was poking around inside my intranet again. Now it seems that
> >>> it takes about 48 hours for them to get back in. So I've been rebooting
> >>> it every night until I can get my MNF box up. I believe there is some
> >>> buffer overflow or other vulnerability that hasn't been identified yet
> >>> with the LRP firewall system. So just a warning,
> >>
> >>Geez, you should be sitting there with tcpdump running nearly non-stop
> >>and logging to a separate host so that you can see exactly what is occurring.
> >>Get active and into it and you'll learn a LOT about security.  You may
> >>_think_ you know a lot now, but when you watch a box getting 'sploited,
> >>and then pull the plug and figure it all out, you'll come out of it with
> >>some invaluable knowledge that you can put to use immediately!
> >
> > I prefer ethereal and sniffer pro and I have had really really limited
> > time here at home. I've been getting more and more into packet analysis
> > at work and it is pretty cool stuff. I've been to a couple of classes on
> > it. I've had snort running on Mandrake snf and I'm putting the finishing
> > touches on MNF. It has snort. I'm putting tripwire on it now. What I
> > REALLY would like to do is set up a honey pot and then I'm truly in
> > control and can watch with interest what is going on. I'm trying to talk
> > my boss into letting me set up a honey pot at work, but corporate is
> > against it. I need to talk to the fellow that is against it. I think he
> > is wrong. :)
>
> why in the world would someone be "against" setting up a honeypot in
> defense of a network and all the mission critical data stored thereon?
> Yes, I understand that "honeypot" in and of itself does nothing to
> actually protect a network, but in the overall scheme it is a part of
> the process.

That is what I asked the director yesterday. He said the head dude is from the 
"CIA" and he has always been against it.  WFT!?!? My response was, I need 
to talk to this guy, because he either doesn't understand them or knows 
something profound I've never thought or heard of. Like I tried to explain to 
the director yesterday is that there should never ever be any legitimate 
traffic to a honeypot so if there is activity, it is going to be improper. 
Makes it pretty damned easy to catch activity on a busy network. Like you 
said, it isn't protection, but what a cool tool to trigger alarms, watch what 
they are doing, keep them busy until you figure out what is going on etc. :)





Re: [expert] Firewall stuff SSH

2003-01-10 Thread Lorne
On Friday 10 January 2003 11:13 am, Todd Lyons wrote:
> Lorne wrote on Fri, Jan 10, 2003 at 09:15:02AM -0700 :
> > I've run coyote-linux for 5 years now and have NEVER been hacked. That is
> > until September of 2002. I spoke with the author and he felt his system
> > was secure and it couldn't have been his LRP based firewall that broke
> > down. I DID have port 21 forwarded, so assumed it was the inside box that
> > got compromised via port 21. I took the inside box off line, totally
> > built it from scratch, hardened all boxes and made sure I had a secure
> > intranet. I then brought the firewall back up. Within a month someone was
> > poking around inside my intranet again. Now it seems that it takes about
> > 48 hours for them to get back in. So I've been rebooting it every night
> > until I can get my MNF box up. I believe there is some buffer overflow or
> > other vulnerability that hasn't been identified yet with the LRP firewall
> > system. So just a warning,
>
> Geez, you should be sitting there with tcpdump running nearly non-stop
> and logging to a separate host so that you can see exactly what is occurring.
> Get active and into it and you'll learn a LOT about security.  You may
> _think_ you know a lot now, but when you watch a box getting 'sploited,
> and then pull the plug and figure it all out, you'll come out of it with
> some invaluable knowledge that you can put to use immediately!
>
I prefer ethereal and sniffer pro and I have had really really limited time 
here at home. I've been getting more and more into packet analysis at work 
and it is pretty cool stuff. I've been to a couple of classes on it. I've had 
snort running on Mandrake snf and I'm putting the finishing touches on MNF. 
It has snort. I'm putting tripwire on it now. What I REALLY would like to do 
is set up a honey pot and then I'm truly in control and can watch with 
interest what is going on. I'm trying to talk my boss into letting me set up 
a honey pot at work, but corporate is against it. I need to talk to the 
fellow that is against it. I think he is wrong. :)

> Just a suggestion at any rate.
>
> Blue skies... Todd






Re: [expert] Firewall stuff SSH

2003-01-10 Thread Lorne
On Friday 10 January 2003 01:31 am, Ken Hawkins wrote:
> On Friday 10 January 2003 04:15 pm, Lorne wrote:
> > On Friday 10 January 2003 12:58 am, Ken Hawkins wrote:
>
> 
>
> > > I have run this against some online security test sites, and they have
> > > all never been able to get more from my computer behind the firewall
> > > than my browser version. It leaves a FEW things open by default, but
> > > those are easily corrected.
> > >
> > > Ken Hawkins
> >
> > ***ALERT***
> >
> > I've run coyote-linux for 5 years now and have NEVER been hacked. That is
> > until September of 2002. I spoke with the author and he felt his system
> > was secure and it couldn't have been his LRP based firewall that broke
> > down. I DID have port 21 forwarded, so assumed it was the inside box that
> > got compromised via port 21. I took the inside box off line, totally
> > built it from scratch, hardened all boxes and made sure I had a secure
> > intranet. I then brought the firewall back up. Within a month someone was
> > poking around inside my intranet again. Now it seems that it takes about
> > 48 hours for them to get back in. So I've been rebooting it every night
> > until I can get my MNF box up. I believe there is some buffer overflow or
> > other
> > vulnerability that hasn't been identified yet with the LRP firewall
> > system. So just a warning, don't trust it too much. :)
>
> OR:
> "Sure I'm paranoid...but am I paranoid enough?"
>
> Sorry, didn't mean to imply that I was invulnerable...just that it was a
> cheap & easy solution to be MUCH more secure than most people out there.
> Remember that there are millions of users out there still with windblows
> machines plugged straight into their DSL/Cable modems with NO firewalls.
>
Damned scary isn't it!? No need to apologize. :)

> When you say they were "poking around", had they been able to install s/w,
> read documents, change configs? Or was it just port scanning, "rattling the
> doorknobs" so to speak?
>
They had made it past my firewall and were rattling the door knobs on IP 
addresses beyond the firewall. So basically they had breached the moat and 
were trying doors in the castle. Scary and obviously the firewall is 
compromised when they do this. 

> Ken






Re: [expert] Firewall stuff SSH

2003-01-10 Thread Todd Lyons

Lorne wrote on Fri, Jan 10, 2003 at 09:15:02AM -0700 :
> 
> I've run coyote-linux for 5 years now and have NEVER been hacked. That is 
> until September of 2002. I spoke with the author and he felt his system was 
> secure and it couldn't have been his LRP based firewall that broke down. I 
> DID have port 21 forwarded, so assumed it was the inside box that got 
> compromised via port 21. I took the inside box off line, totally built it 
> from scratch, hardened all boxes and made sure I had a secure intranet. I 
> then brought the firewall back up. Within a month someone was poking around 
> inside my intranet again. Now it seems that it takes about 48 hours for them 
> to get back in. So I've been rebooting it every night until I can get my MNF 
> box up. I believe there is some buffer overflow or other vulnerability that 
> hasn't been identified yet with the LRP firewall system. So just a warning, 

Geez, you should be sitting there with tcpdump running nearly non-stop
and logging to a separate host so that you can see exactly what is occurring.
Get active and into it and you'll learn a LOT about security.  You may
_think_ you know a lot now, but when you watch a box getting 'sploited,
and then pull the plug and figure it all out, you'll come out of it with
some invaluable knowledge that you can put to use immediately!

Just a suggestion at any rate.

Blue skies...   Todd
- -- 
   MandrakeSoft USA   http://www.mandrakesoft.com
   Easy things should be easy, and hard things should be possible.
--Larry Wall
   Cooker Version mandrake-release-9.1-0.1mdk Kernel 2.4.20-2mdk





Re: [expert] Firewall stuff SSH

2003-01-10 Thread Ken Hawkins
On Friday 10 January 2003 04:15 pm, Lorne wrote:
> On Friday 10 January 2003 12:58 am, Ken Hawkins wrote:


> > I have run this against some online security test sites, and they have
> > all never been able to get more from my computer behind the firewall than
> > my browser version. It leaves a FEW things open by default, but those are
> > easily corrected.
> >
> > Ken Hawkins
>
> ***ALERT***
>
> I've run coyote-linux for 5 years now and have NEVER been hacked. That is
> until September of 2002. I spoke with the author and he felt his system was
> secure and it couldn't have been his LRP based firewall that broke down. I
> DID have port 21 forwarded, so assumed it was the inside box that got
> compromised via port 21. I took the inside box off line, totally built it
> from scratch, hardened all boxes and made sure I had a secure intranet. I
> then brought the firewall back up. Within a month someone was poking around
> inside my intranet again. Now it seems that it takes about 48 hours for
> them to get back in. So I've been rebooting it every night until I can get
> my MNF box up. I believe there is some buffer overflow or other
> vulnerability that hasn't been identified yet with the LRP firewall system.
> So just a warning, don't trust it too much. :)

OR:
"Sure I'm paranoid...but am I paranoid enough?"

Sorry, didn't mean to imply that I was invulnerable...just that it was a cheap 
& easy solution to be MUCH more secure than most people out there. Remember 
that there are millions of users out there still with windblows machines 
plugged straight into their DSL/Cable modems with NO firewalls.

When you say they were "poking around", had they been able to install s/w, 
read documents, change configs? Or was it just port scanning, "rattling the 
doorknobs" so to speak? 

Ken





Re: [expert] Firewall / Internet sharing with Mandrake 7.2 - how to temporarily turn off?

2002-06-06 Thread J. Craig Woods

On Thursday 06 June 2002 22:37, you wrote:
> Yes that's it, pmfirewall.  A very handy little program.  Does the
> following command allow accepting of SSH if pmfirewall has turned it
> off? -
>
> ipchains -A input -p TCP -d any/0 22 -j ACCEPT
>
> I'm not very familiar with the command line program they should run
> to figure out if sshd is running.  Should they run: -
>
> chkconfig --list sshd
>
> Thanks!
> Damon
>

Add:

$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 22 -j ACCEPT

To your pmfirewall config file.
Restart pmfirewall startup script.

Check for SSH running.
Run:
service sshd status

If not started.
Run:
service sshd start

drjung
-- 
J. Craig Woods
UNIX/NT Network/System Administration
http://www.trismegistus.net/resume.html
Character is built upon the debris of despair --Emerson






Re: [expert] Firewall / Internet sharing with Mandrake 7.2 - how totemporarily turn off?

2002-06-06 Thread Damon Lynch

Yes that's it, pmfirewall.  A very handy little program.  Does the
following command allow accepting of SSH if pmfirewall has turned it
off? -

ipchains -A input -p TCP -d any/0 22 -j ACCEPT

I'm not very familiar with the command line program they should run to
figure out if sshd is running.  Should they run: -

chkconfig --list sshd

Thanks!
Damon 

On Fri, 2002-06-07 at 14:21, William Kenworthy wrote:
> It was probably pmfirewall (excellent, and deservedly popular at the
> time) - do a search and you may find it. If not, I may have a copy that
> I can look at and see what can be done - email me privately if so.
> 
> Alternative is to just email the other office the ipchains command to
> open port 22 and make sure sshd is running.
> 
> Billk
> 
> On Fri, 2002-06-07 at 06:12, Damon Lynch wrote:
> > Hi fellow Mandrake users,
> > 
> > I installed Mandrake 7.2 in my old office in India.  I setup a basic
> > firewall and Internet sharing using ipchains as I recall.  It was setup
> > using a simple script that was very likely recommended on MandrakeUser
> > at the time.  Sorry but I don't recall what the script was called! :-) 
> > It was pretty cool, it basically walked you through the steps by asking
> > questions and then set it up.
> > 
> > Now I'm in New Zealand and I need to SSH into their box to fix some
> > things for them.  I'm suspecting I won't be able to SSH in, since I
> > probably blocked that kind of external access with the firewall.  Could
> > someone please suggest a simple command to temporarily turn off the
> > firewall portion of the script?  Simple enough that a novice with root
> > access there could turn it off?  I guess it's OK if the Internet sharing
> > is also down for a while, as long as they or me can start it up again!
> > 
> > Thanks,
> > Damon 
> > -- 
> > Damon Lynch
> > Dev-Zone Program Officer
> > http://www.dev-zone.org Jabber Messaging: [EMAIL PROTECTED]
> > Tel: +64 4 496 9597 Yahoo Messaging:  [EMAIL PROTECTED]
> > 
> > 
> > 
> > 
> 
> 
> 
> 
> 

-- 
Damon Lynch
Dev-Zone Program Officer
http://www.dev-zone.org Jabber Messaging: [EMAIL PROTECTED]
Tel: +64 4 496 9597 Yahoo Messaging:  [EMAIL PROTECTED]







Re: [expert] Firewall / Internet sharing with Mandrake 7.2 - how totemporarily turn off?

2002-06-06 Thread William Kenworthy

It was probably pmfirewall (excellent, and deservedly popular at the
time) - do a search and you may find it. If not, I may have a copy that
I can look at and see what can be done - email me privately if so.

Alternative is to just email the other office the ipchains command to
open port 22 and make sure sshd is running.

Billk

On Fri, 2002-06-07 at 06:12, Damon Lynch wrote:
> Hi fellow Mandrake users,
> 
> I installed Mandrake 7.2 in my old office in India.  I setup a basic
> firewall and Internet sharing using ipchains as I recall.  It was setup
> using a simple script that was very likely recommended on MandrakeUser
> at the time.  Sorry but I don't recall what the script was called! :-) 
> It was pretty cool, it basically walked you through the steps by asking
> questions and then set it up.
> 
> Now I'm in New Zealand and I need to SSH into their box to fix some
> things for them.  I'm suspecting I won't be able to SSH in, since I
> probably blocked that kind of external access with the firewall.  Could
> someone please suggest a simple command to temporarily turn off the
> firewall portion of the script?  Simple enough that a novice with root
> access there could turn it off?  I guess it's OK if the Internet sharing
> is also down for a while, as long as they or me can start it up again!
> 
> Thanks,
> Damon 
> -- 
> Damon Lynch
> Dev-Zone Program Officer
> http://www.dev-zone.org Jabber Messaging: [EMAIL PROTECTED]
> Tel: +64 4 496 9597 Yahoo Messaging:  [EMAIL PROTECTED]
> 
> 
> 
> 








Re: [expert] Firewall / Internet sharing with Mandrake 7.2 - how totemporarily turn off?

2002-06-06 Thread Sridhar Govindarajulu

Try nmap, or the GUI front end nmapfe;

Sridhar

- Original Message -
From: "Damon Lynch" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 06, 2002 4:47 PM
Subject: Re: [expert] Firewall / Internet sharing with Mandrake 7.2 - how
totemporarily turn off?


> No it wasn't InteractiveBastille :-)  It was something downloaded from
> the net.  I'll try SSH first of course, but it's not easy trying to sort
> these things out when the other machine is on dial-up.  I'm pretty sure
> I stopped all outside activity.  What is the best program I can run on
> Mandrake 8.2 that will scan and report what is open and what is not on
> the Mandrake 7.2 box?
>
> Damon
>
>
> On Fri, 2002-06-07 at 11:35, et wrote:
> > InteractiveBastille,
> >
> > but have you tried SSH? you prolly turned off telnet, but might have
left SSH?
> >
> >
>
> --
> Damon Lynch
> Dev-Zone Program Officer
> http://www.dev-zone.org Jabber Messaging: [EMAIL PROTECTED]
> Tel: +64 4 496 9597 Yahoo Messaging:  [EMAIL PROTECTED]
>
>
>













Re: [expert] Firewall / Internet sharing with Mandrake 7.2 - how totemporarily turn off?

2002-06-06 Thread Damon Lynch

No it wasn't InteractiveBastille :-)  It was something downloaded from
the net.  I'll try SSH first of course, but it's not easy trying to sort
these things out when the other machine is on dial-up.  I'm pretty sure
I stopped all outside activity.  What is the best program I can run on
Mandrake 8.2 that will scan and report what is open and what is not on
the Mandrake 7.2 box?

Damon 


On Fri, 2002-06-07 at 11:35, et wrote:
> InteractiveBastille, 
> 
> but have you tried SSH? you prolly turned off telnet, but might have left SSH?
> 
> 

-- 
Damon Lynch
Dev-Zone Program Officer
http://www.dev-zone.org Jabber Messaging: [EMAIL PROTECTED]
Tel: +64 4 496 9597 Yahoo Messaging:  [EMAIL PROTECTED]







Re: [expert] Firewall / Internet sharing with Mandrake 7.2 - how to temporarily turn off?

2002-06-06 Thread et

InteractiveBastille, 

but have you tried SSH? you prolly turned off telnet, but might have left SSH?


On Thursday 06 June 2002 06:12 pm, you wrote:
> Hi fellow Mandrake users,
>
> I installed Mandrake 7.2 in my old office in India.  I setup a basic
> firewall and Internet sharing using ipchains as I recall.  It was setup
> using a simple script that was very likely recommended on MandrakeUser
> at the time.  Sorry but I don't recall what the script was called! :-)
> It was pretty cool, it basically walked you through the steps by asking
> questions and then set it up.
>
> Now I'm in New Zealand and I need to SSH into their box to fix some
> things for them.  I'm suspecting I won't be able to SSH in, since I
> probably blocked that kind of external access with the firewall.  Could
> someone please suggest a simple command to temporarily turn off the
> firewall portion of the script?  Simple enough that a novice with root
> access there could turn it off?  I guess it's OK if the Internet sharing
> is also down for a while, as long as they or me can start it up again!
>
> Thanks,
> Damon






Re: [expert] Firewall + routing

2002-05-07 Thread Mark Williamson

Have a look at Mandrake 8.2 -- later versions of IPtables etc. Then
have a look at Bastille http://www.bastille-linux.org . Just use
Rpmdrake to install it, yes it's on your Mandrake CDs, and configure it
using the command "InteractiveBastille". Another excellent solution is to
have a look at FireStarter http://firestarter.sourceforge.net/ .. and yes
that one is also on your Mandrake CDs. I have tested both of these and
they look excellent. Both solutions can configure IPtables to do port
forwarding.

Cheers
Mark 

On Tue, 2002-05-07 at 04:37, Belkie, Dan wrote:
> Hey Guys!
> I have a simple Mandrake 8.1 box as my router / firewall. I'm looking at
> putting a couple of web servers behind the firewall on my LAN. does anyone
> know of a good way to set up rules so that the FW can know to send port 80
> request to xyz.com to one server and abc.com to another?
> 
> I guess another question can anyone suggest a good firewall solution? I
> tried Mandrake's SNF 7.2 but it failed.
> 
> thoughts?
> 
> Thanks!!
> 
> --
> =
> Dan
> 
> 
> 









Re: [expert] Firewall + routing

2002-05-06 Thread civileme

Belkie, Dan wrote:

>Hey Guys!
>I have a simple Mandrake 8.1 box as my router / firewall. I'm looking at
>putting a couple of web servers behind the firewall on my LAN. does anyone
>know of a good way to set up rules so that the FW can know to send port 80
>request to xyz.com to one server and abc.com to another?
>
>I guess another question can anyone suggest a good firewall solution? I
>tried Mandrake's SNF 7.2 but it failed.
>
>thoughts?
>
>Thanks!!
>
>--
>=
>Dan
>
>
>
>
>
Actually you want to use squid to do that.  The trick is simple.  We 
call that accelerator mode since squid can cache some responses for both.

Accelerator: Squid can function as THE connection on port 80 of a server 
and can relay requests to another server or servers, caching the results 
to increase apparent speed. Those other servers might be on the same 
machine or on different ones.

The method is called a custom redirect program and here is a simple example:

Custom redirect program: This list of options was quiet until this one 
arrived.  This setting allows Squid to be an accelerator for several or 
all servers in the local network.  An example would be two apache servers 
at, say, 192.168.1.7 and 192.168.1.17.  Squid is on the internet gateway 
and exposing port 80 for www.domain1.net and www.domain2.org.  The 
redirect program might look something like this.




#!/usr/bin/perl
# Squid redirect program: Squid feeds one request line at a time on
# stdin; each URL is rewritten in place and the line is printed back.

while (<>) {
    s@http://192\.168\.1\.7@http://www.domain1.net@;
    s@http://192\.168\.1\.17@http://www.domain2.org@;
    print;
}

I think you can backtranslate the sgml codings here.  As you can see, 
the script is very simple.

Civileme
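The same accelerator idea with the dispatch going the way Dan asked for (public hostname to internal server), as an added example that is neither civileme's script nor Squid's own code. It assumes the Squid 2.x redirector line format `URL client_ip/fqdn ident method` and one reply line per request (the rewritten URL, or an empty line for "leave unchanged"); the hostnames and 192.168.1.x backends are taken from the thread, and the mapping and sample lines are constructed here.

```python
"""Host-based dispatch for Squid's accelerator (redirector) mode.

Added example, not part of civileme's post or of Squid.  Assumes the
Squid 2.x redirector protocol: one request per line on stdin,

    URL client_ip/fqdn ident method

answered with one line: the rewritten URL, or an empty line to leave
the request untouched.  Only hostnames present in the mapping are ever
rewritten, so a client cannot steer the accelerator at an arbitrary
internal address by supplying its own Host header.
"""
import sys
from urllib.parse import urlsplit, urlunsplit

# Public hostname -> internal Apache server (constructed, following the thread).
BACKENDS = {
    "www.domain1.net": "192.168.1.7",
    "www.domain2.org": "192.168.1.17",
}


def rewrite_url(url: str, backends: dict) -> str:
    """Return the backend URL for a known public host, else '' (no change)."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return ""
    host = parts.hostname
    if host is None or host.lower() not in backends:
        return ""
    backend = backends[host.lower()]
    # Keep path and query; drop any userinfo/port the client attached to the host.
    return urlunsplit(("http", backend, parts.path or "/", parts.query, ""))


def handle_line(line: str, backends: dict = BACKENDS) -> str:
    """Process one redirector input line and return the reply Squid expects."""
    fields = line.strip().split()
    if not fields:
        return ""
    return rewrite_url(fields[0], backends)


def main() -> None:
    # Answer every line immediately; Squid blocks until the reply arrives.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```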

 








Re: [expert] Firewall + routing

2002-05-06 Thread KevinO

Belkie, Dan wrote:
> Hey Guys!
> I have a simple Mandrake 8.1 box as my router / firewall. I'm looking at
> putting a couple of web servers behind the firewall on my LAN. does anyone
> know of a good way to set up rules so that the FW can know to send port 80
> request to xyz.com to one server and abc.com to another?
> 
> I guess another question can anyone suggest a good firewall solution? I
> tried Mandrake's SNF 7.2 but it failed.
> 

Smoothwall : http://www.smoothwall.org/community/home/

I use the free, GPL version. See also ...

IpCop : http://www.ipcop.org/cgi-bin/twiki/view/IPCop/WebHome

I did use SNF for quite a while. I use smoothwall now with some minor tweaks 
so I could add portsentry to it ;-)


-- 
Kevin O'Connor

  "People will be free to devote themselves to activities that are fun ...

The GNU Manifesto - Copyright (C) 1985, 1993 Free Software Foundation, Inc.







Re: [expert] firewall security

2002-03-02 Thread Lee Roberts
At 11:18 AM 3/1/2002 +0100, Fedneg wrote:
>I am using bastille-firewall. Scanned my computer in sygatetech.com as
>you suggest and all UDP ports are closed.

That's my point. sygatetech.com shows them closed instead of
blocked. sygatetech.com showed some UDP ports open when another port
scanner shows them all blocked. Either the sygatetech.com scanner is
broken or it's some kind of marketing ploy to get us to buy their
software.




Encryption isn't just for secrets...



Re: [expert] firewall security

2002-03-02 Thread Fedneg

I am using bastille-firewall. Scanned my computer in sygatetech.com as
you suggest and all UDP ports are closed.
I configured it with "InteractiveBastille -x" I don't enter anything for
"UDP service names or port numbers to allow on public interfaces" and let
"UDP services to block" as default (i.e. 2049 6770).

Regards

Fedneg







Re: [expert] firewall security

2002-03-01 Thread Lee Roberts


It seems that the sygatetech.com scanner is broken. I got the AW Security
Port Scanner 4.02 for my windows box and used it to scan my linux box. It
shows all UDP ports to the public interface blocked. I ran the TCP and UDP
port scans on a friend's linux box to verify that I was using it properly. :-D

BTW, has anyone had success using the nmap port to NT/2000?

At 05:21 PM 2/28/2002 -0700, Lee Roberts wrote:
>
>I've tried tiny firewall, bastille-firewall, and one other (can't remember
>the name). NONE of them block access to the UDP services no matter what I
>do. In InteractiveBastille, I don't enter anything for "UDP service names
>or port numbers to allow on public interfaces" but I entered 1:65535 for
>"UDP services to block".








Re: [expert] firewall security

2002-03-01 Thread J. Craig Woods

Mike Rambo wrote:
> 
> Have you tried pmfirewall? My co-worker used it on his box.
> It was easy to set up and nmap found nothing when I ran it
> against the box afterward.
> 
> --
> Mike Rambo
> [EMAIL PROTECTED]

It seems he is using iptables, and pmfirewall will only work with
ipchains.

-- 
J. Craig Woods
UNIX/NT Network/System Administration

-Art is the illusion of spontaneity-






Re: [expert] firewall security

2002-03-01 Thread wim


Mike Rambo wrote:

> Lee Roberts wrote:
> 
>>
>>I've tried tiny firewall, bastille-firewall, and one other (can't remember
>>the name). NONE of them block access to the UDP services no matter what I
>>do. In InteractiveBastille, I don't enter anything for "UDP service names
>>or port numbers to allow on public interfaces" but I entered 1:65535 for
>>"UDP services to block".
>>
>>I've posted this message previously and some replies say they don't have
>>this problem with bastille. I'm using bastille on Mandrake 8.1 with
>>iptables and kernel 2.4.8-34.1mdk.
>>
>>Any suggestions other than suggesting that I learn iptables and write my
>>own rules?
>>
>>
> 
> Have you tried pmfirewall? My co-worker used it on his box.
> It was easy to set up and nmap found nothing when I ran it
> against the box afterward.
> 


Back to basics and use iptables (or ipchains). It isn't that difficult!

-- 
Kind regards,

Wim De Hul
Belgacom Belbone

  Mail   : [EMAIL PROTECTED]
  Ripe   : WDH25-RIPE
  Registered Linux User: #260015


> 
> 
> 
> 
> 
> 









Re: [expert] firewall security

2002-03-01 Thread Lee Roberts

pmfirewall doesn't use iptables. Besides, I used pmfirewall with Mandrake
7.2 and had the same problem. 

At 07:37 AM 3/1/2002 -0500, Mike Rambo wrote:
>Lee Roberts wrote:
>> 
>> 
>> I've tried tiny firewall, bastille-firewall, and one other (can't remember
>> the name). NONE of them block access to the UDP services no matter what I
>> do. In InteractiveBastille, I don't enter anything for "UDP service names
>> or port numbers to allow on public interfaces" but I entered 1:65535 for
>> "UDP services to block".
>> 
>> I've posted this message previously and some replies say they don't have
>> this problem with bastille. I'm using bastille on Mandrake 8.1 with
>> iptables and kernel 2.4.8-34.1mdk.
>> 
>> Any suggestions other than suggesting that I learn iptables and write my
>> own rules?
>> 
>
>Have you tried pmfirewall? My co-worker used it on his box.
>It was easy to set up and nmap found nothing when I ran it
>against the box afterward.
>
>
>-- 
>Mike Rambo
>[EMAIL PROTECTED]
>







Re: [expert] firewall security

2002-03-01 Thread Mike Rambo

Lee Roberts wrote:
> 
> 
> I've tried tiny firewall, bastille-firewall, and one other (can't remember
> the name). NONE of them block access to the UDP services no matter what I
> do. In InteractiveBastille, I don't enter anything for "UDP service names
> or port numbers to allow on public interfaces" but I entered 1:65535 for
> "UDP services to block".
> 
> I've posted this message previously and some replies say they don't have
> this problem with bastille. I'm using bastille on Mandrake 8.1 with
> iptables and kernel 2.4.8-34.1mdk.
> 
> Any suggestions other than suggesting that I learn iptables and write my
> own rules?
> 

Have you tried pmfirewall? My co-worker used it on his box.
It was easy to set up and nmap found nothing when I ran it
against the box afterward.


-- 
Mike Rambo
[EMAIL PROTECTED]






Re: [expert] firewall security

2002-02-28 Thread Lee Roberts

sygatetech.com

At 09:34 AM 3/1/2002 +0800, William Kenworthy wrote:
>How are you checking that they are not being blocked?  i.e, outside
>scanner, nmap ...
>
>BillK
>
>
>On Fri, 2002-03-01 at 08:21, Lee Roberts wrote:
>> 
>> I've tried tiny firewall, bastille-firewall, and one other (can't remember
>> the name). NONE of them block access to the UDP services no matter what I
>> do. In InteractiveBastille, I don't enter anything for "UDP service names
>> or port numbers to allow on public interfaces" but I entered 1:65535 for
>> "UDP services to block".
>> 
>> I've posted this message previously and some replies say they don't have
>> this problem with bastille. I'm using bastille on Mandrake 8.1 with
>> iptables and kernel 2.4.8-34.1mdk.
>> 
>> Any suggestions other than suggesting that I learn iptables and write my
>> own rules?
>> 
>> 
>> 
>> 
>> 
>> 
>
>
>
>







Re: [expert] firewall security

2002-02-28 Thread William Kenworthy

How are you checking that they are not being blocked?  i.e, outside
scanner, nmap ...

BillK


On Fri, 2002-03-01 at 08:21, Lee Roberts wrote:
> 
> I've tried tiny firewall, bastille-firewall, and one other (can't remember
> the name). NONE of them block access to the UDP services no matter what I
> do. In InteractiveBastille, I don't enter anything for "UDP service names
> or port numbers to allow on public interfaces" but I entered 1:65535 for
> "UDP services to block".
> 
> I've posted this message previously and some replies say they don't have
> this problem with bastille. I'm using bastille on Mandrake 8.1 with
> iptables and kernel 2.4.8-34.1mdk.
> 
> Any suggestions other than suggesting that I learn iptables and write my
> own rules?
> 
> 
> 
> 
> 
> 









Re: [expert] Firewall/Gateway ?

2002-01-25 Thread Muzza

On Sat, 26 Jan 2002 12:41, you wrote:
> on one of the snf mail lists there was a thread where i got told off!:-)
> for not reading advisories on how to update snf with regards to httpd-naat
> and apache, i forget which list but if iirc the procedure is to download
> the update rpms manually and to update apache first manually and then
> httpd-naat, naat-frontend-www-en manually, also iirc you have to uninstall
> httpd-naat first with --nodeps because of problems with some script or
> other, i had to reinstall recently after a failed upgrade to the new snf on
> cooker and what i did was, install fresh, run the update from the web
> interface, note down all the rpms listed for upgrade and then fetch them
> manually, then, uninstalled httpd-naat and naat-frontend-www-en both
> --nodeps, then i uninstalled apache, php, mod_php, mod_auth_external (all
> these rpm names from memory) and some others - they were all listed as
> dependencies of the newer version of apache - using --nodeps, then i
> installed the newer apache and its dependencies, followed by httpd-naat,
> naat-backend and naat-frontend-www-en nad then any others,
> durng this process i noticed that i got a message saying that perl was not
> in the rpm database (or similar), it might be a good idea to make updating
> perl the first job before anythin else so that the rpm database has it
> listed anyway snf is now updated, i have all the users i should have,
> running update lists all the mirrors (doesn't find any updates presumably
> because there aren' any), and https://snfhost:8443 lets me in fine, whether
> this is the recommended way to do things i can't say but it seems to have
> worked for me the list that this got discussed in was either:
> [EMAIL PROTECTED]
> or
> [EMAIL PROTECTED]
> what archives exist i'm not sure
>
> bascule

Thank you for the reply Bascule.
The above appears to be an extremely intuitive method of doing things.
I should have tried uninstalling more than just a few packages first, then 
updating to the newer packages.
I will try your suggested method later today.
Thanks again,
-- 
CYA,
Muzza.
Registered Linux User 133740
Mandrake Linux 8.1
Kernel version 2.4.8-34.1mdk
Current Linux uptime: 4 days 18 hours 45 minutes.






Re: [expert] Firewall/Gateway ?

2002-01-25 Thread bascule

on one of the snf mail lists there was a thread where i got told off!:-)
for not reading advisories on how to update snf with regards to httpd-naat 
and apache, i forget which list but if iirc the procedure is to download the 
update rpms manually and to update apache first manually and then httpd-naat, 
naat-frontend-www-en manually, also iirc you have to uninstall httpd-naat 
first with --nodeps because of problems with some script or other.

i had to reinstall recently after a failed upgrade to the new snf on cooker 
and what i did was: install fresh, run the update from the web interface, 
note down all the rpms listed for upgrade and then fetch them manually, then 
uninstalled httpd-naat and naat-frontend-www-en both --nodeps, then i 
uninstalled apache, php, mod_php, mod_auth_external (all these rpm names from 
memory) and some others - they were all listed as dependencies of the newer 
version of apache - using --nodeps, then i installed the newer apache and its 
dependencies, followed by httpd-naat, naat-backend and naat-frontend-www-en 
and then any others.

during this process i noticed that i got a message saying that perl was not in 
the rpm database (or similar), it might be a good idea to make updating perl 
the first job before anything else so that the rpm database has it listed.

anyway snf is now updated, i have all the users i should have, running update 
lists all the mirrors (doesn't find any updates presumably because there 
aren't any), and https://snfhost:8443 lets me in fine, whether this is the 
recommended way to do things i can't say but it seems to have worked for me.

the list that this got discussed in was either:
[EMAIL PROTECTED]
or
[EMAIL PROTECTED]
what archives exist i'm not sure

bascule

On Saturday 26 January 2002 3:19 am, you wrote:
>
>
> I've been "playing" with this on a P75 with 24Mb RAM where it goes onto the
> box either via the graphical install or the text install without any
> dramas. In this box I have 2 NICs and both are detected very well.  The
> major hurdle I have now is trying to apply the updates.
> Httpd-naat (original) has a problem finding the official mirrors - known
> problem and reason for the updated package.  I manually download updates
> from an official mirror.
>
> Httpd-naat wipes out the default user and refuses to run at all.
> Kernel updates go well, but some of the modules are not found in the
> newer version during boot.
> Apache breaks totally once the update is installed - no socket error from
> "links http://127.0.0.1/", which worked on the original packages.
> "urpmi webmin" can't locate the required perl-Net_SSLeay-1.05-4mdk package.
>
> Has anyone tested the update packages listed in the official updates
> directory with a clean install of snf7.2?
>
> In light of the problems I've experienced above, would it be about time for
> a newer version of snf7.2 to be released?






Re: [expert] Firewall/Gateway ?

2002-01-25 Thread Muzza

On Sat, 26 Jan 2002 10:56, Civilme wrote:

> SNF is a wonderful product for this--put a box with two NICs between the
> network and the Novell server and add one static IP on the network
> side--there you will need to set up a netmask to enclose your local IPs
> (and you can make them local addresses); the other NIC attaches to the
> Novell server.
>
> Now from any local station once you are installed, run a browser at
> https://(IP of SNF):8443 with login admin and password the admin
> password you set up at install time.  You can configure the internet
> connection, specify which traffic goes through each way, forward ports
> to ftp or web servers if you like, bust junk by blocking domains using
> squidguard, and so on.
>
> SNF is very stable technology, right now based on kernel 2.2, and it is
> annoying to some because it does not offer a DMZ, and because editing
> the usual files directly on the server as root doesn't make a permanent
> configuration.  The browser is the tool of choice or else the study of
> the code to find the files that load the config files.
>
> Anyway, it is a neat package that can work with an old P166 and 64M and
> a little disk to make your life much easier.
>
> Civileme
> QA Team

I've been "playing" with this on a P75 with 24Mb RAM where it goes onto the 
box either via the graphical install or the text install without any dramas.  
In this box I have 2 NICs and both are detected very well.  The major hurdle 
I have now is trying to apply the updates.
Httpd-naat (original) has a problem finding the official mirrors - known 
problem and reason for the updated package.  I manually download updates from 
an official mirror.

Httpd-naat wipes out the default user and refuses to run at all.
Kernel updates go well, but some of the modules are not found in the newer 
version during boot.
Apache breaks totally once the update is installed - no socket error from 
"links http://127.0.0.1/", which worked on the original packages.
"urpmi webmin" can't locate the required perl-Net_SSLeay-1.05-4mdk package.

Has anyone tested the update packages listed in the official updates 
directory with a clean install of snf7.2?

In light of the problems I've experienced above, would it be about time for a 
newer version of snf7.2 to be released?
-- 
CYA,
Muzza.
Registered Linux User 133740
Mandrake Linux 8.1
Kernel version 2.4.8-34.1mdk
Current Linux uptime: 4 days 16 hours 36 minutes.






Re: [expert] Firewall/Gateway ?

2002-01-25 Thread tester

Aaron Winters wrote:

>  I have 49 Windows PCs (all but 2 are running Win2k and they are 98se), 
> 16 Macs, one Win2k DC and 1 MDK 8.1 web, ftp, ssh server that I manage. 
> They are on a Win2k domain and the DC does all the DNS, the client PCs 
> all have static IPs. They all get their gateway out from a Novell server 
> that I have no control of. I would like to add some firewall protection 
> to my portion of the network (did I mention all the IPs are external!) 
> and I want to be able to block the IM clients like Yahoo, AIM by killing 
> their ports. Could I add a linux box to be the firewall and gateway 
> without too much knowledge of setting this stuff up under Linux? Would it 
> work by pointing the Linux box to the current gateway and change the 
> clients to point to it for their gateway?
> 
> Thanks,
> __
> You're just jealous because the voices are talking to me!
> 

SNF is a wonderful product for this--put a box with two NICs between the 
network and the Novell server and add one static IP on the network 
side--there you will need to set up a netmask to enclose your local IPs 
(and you can make them local addresses); the other NIC attaches to the
Novell server.

Now from any local station once you are installed, run a browser at
https://(IP of SNF):8443 with login admin and password the admin 
password you set up at install time.  You can configure the internet 
connection, specify which traffic goes through each way, forward ports 
to ftp or web servers if you like, bust junk by blocking domains using 
squidguard, and so on.

SNF is very stable technology, right now based on kernel 2.2, and it is 
annoying to some because it does not offer a DMZ, and because editing 
the usual files directly on the server as root doesn't make a permanent 
configuration.  The browser is the tool of choice or else the study of 
the code to find the files that load the config files.

Anyway, it is a neat package that can work with an old P166 and 64M and 
a little disk to make your life much easier.

Civileme
QA Team







RE: [expert] Firewall/Gateway ?

2002-01-24 Thread Marcus Breiden



Hmm, for blocking of IM's take a look at

http://www.novell.com/coolsolutions/gov/features/tips/t_blocking_instant_messengers_gov.html

Best idea would be IMHO to block the login server e.g. login.oscar.aol.com in your 
firewall scripts, blocking the ports will not work.

Your idea will work, you will just have to configure the firewall a little bit ;-) 
but on the other side, if the Novell Server is running BorderManager this can be 
done directly on the Novell Server.

Bye

Marcus

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Aaron Winters
> Sent: Thursday, January 24, 2002 4:37 AM
> To: Mandrake Expert
> Subject: [expert] Firewall/Gateway ?
>
> I have 49 Windows PCs (all but 2 are running Win2k and they are 98se), 16 Macs, 
> one Win2k DC and 1 MDK 8.1 web, ftp, ssh server that I manage. They are on a 
> Win2k domain and the DC does all the DNS, the client PCs all have static IPs. 
> They all get their gateway out from a Novell server that I have no control of. 
> I would like to add some firewall protection to my portion of the network (did 
> I mention all the IPs are external!) and I want to be able to block the IM 
> clients like Yahoo, AIM by killing their ports. Could I add a linux box to be 
> the firewall and gateway without too much knowledge of setting this stuff up 
> under Linux? Would it work by pointing the Linux box to the current gateway and 
> change the clients to point to it for their gateway?
>
> Thanks,
> __
> You're just jealous because the voices are talking to me!


RE: [expert] Firewall install - smoothwall

2002-01-21 Thread [EMAIL PROTECTED]

I may go get myself a copy, I'll give Linux Emporium a call this morning.

I only have a v90 modem so downloading it is a no-no.

Thanks again,

Dave.

Original Message:
-
From: Vincent Danen [EMAIL PROTECTED]
Date: Mon, 21 Jan 2002 00:42:25 -0700
To: [EMAIL PROTECTED]
Subject: Re: Re[2]: [expert] Firewall install - smoothwall


On Sat Jan 12, 2002 at 12:53:32PM +, David Stevenson wrote:

> I was thinking about that, but I am put off by the 32mb of ram min quoted on the MDK 
> site. The laptop only has 8mb. I have successfully loaded mdk 6 and 8 on the laptop, 
> although I did not install any WM's or X as I thought it might fall over. I am happy 
> configing a machine via manually editing text files. But, does SNF need to install X? 
> If I have to buy an old 486'ish box, then I may as well use smoothwall.
>
> Any comments on the SNF and X?

IIRC, SNF doesn't install X at all.  I think the 32mb requirement is
more for the installer as DrakX goes in GUI mode (but I think you can
do the install in text mode the same way as with 8.0).

All the SNF configuration is done via a special HTTPS port (8200 I
believe), so you do the configuration by connecting to it on that port
from another machine.

--
MandrakeSoft Security, OpenPGP key available on www.keyserver.net
1024D/FE6F2AFD   88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD

Current Linux kernel 2.4.8-34.1mdk uptime: 9 days 11 hours 20 minutes.


mail2web - Check your email from the web at
http://mail2web.com/ .







Re: [expert] Firewall for larger network?

2002-01-12 Thread Jason Guidry


> 
> On Mon, 2001-12-17 at 09:21, Dave Sherman wrote:
> > On Sun, 2001-12-16 at 21:08, Michael Seymour wrote:

> > 
> > I can't speak for Mandrake SNF, but the sysadmins at my local ISP have
> > told me that SmoothWall (www.smoothwall.org) is very powerful and
> > flexible.
> > 

Hey, before you check out smoothwall, you'll want to read the discussion at slashdot 
about the firewall.  It's by far the most productive discussion I've read there in 
weeks, with good points on all sides.  If I may sum up the discussion, half of the 
people who want to use smoothwall have been flamed on smoothwall's IRC by lead 
developers for 

a) not being a genius
b) not donating before asking an innocent question

I'm all for learning to read a manual and putting up some cash for the Community, but 
these come across as just plain mean IMO.  Certainly a step down from the friendly 
help you get on this list =)

You can read the story, related article, and comments and decide for yourself.
http://slashdot.org/article.pl?sid=02/01/09/2050237&mode=thread

One reader points to a forked project @ www.ipcop.org

I've been reading about OpenBSD as a firewall in recent days and I've been _VERY_ 
impressed.  They even have a section in their FAQ (www.openbsd.org/faq) about 
migrating from linux.  With 4 years without a remote hole in the default installation, 
it's at least worth reading about.






Re: [expert] Firewall for larger network?

2002-01-11 Thread Greg Sarsons


Have you considered www.astaro.com

Greg

On Mon, 2001-12-17 at 09:21, Dave Sherman wrote:
> On Sun, 2001-12-16 at 21:08, Michael Seymour wrote:
> > I have played around with SNF and found it to be adequate for a small
> > network and I currently use it at home; however, I will be looking for a
> > larger firewall over the next few months for my work environment.  We
> > have 3 e-mail servers and 3 web servers with unique IP addresses so I
> > will need to be able to do static NAT etc.  Will a future version of SNF
> > support this?
> 
> I can't speak for Mandrake SNF, but the sysadmins at my local ISP have
> told me that SmoothWall (www.smoothwall.org) is very powerful and
> flexible.
> 
> Dave
> -- 
> Save a little money each month and at the end of the year you'll be
> surprised at how little you have.
>   -- Ernest Haskins
> 
> 
> 
> 






<-> Gateway Information.
This message originated from a Fidonet System (http://www.fidonet.org)
and was gated at TCOB1 (http://www.tcob1.net)
Please do not respond direct to this message but via the list








Re: [expert] Firewall install - smoothwall

2002-01-04 Thread David ..


You're better off doing it like this:
>Inet<--->Firewall<--->Network Hub<--->all other clients


>From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
>Subject: [expert] Firewall install - smoothwall
>Date: Fri, 4 Jan 2002 06:38:44 -0500
>
>HI All,
>
>I will be installing a dedicated firewall box running smoothwall in the 
>near future. I just want to check some areas that will need to change.
>
>The box on my network connected to the internet via DUP on serial modem 
>uses IP Tables and Masquerading and Bastille to act as a gateway/firewall 
>for the other clients.
>
>When I install the Smoothwall firewall (an old Laptop), I will be adding a 
>second NIC to replace the modem, and connect this NIC to the firewall.
>
>Inet<--->Firewall<--->MDK8.0 Box<--->Network Hub<--->all other clients
>
>Do I still need IPTables/Masquerading? Can I just point all the clients to 
>the firewall IP, or as it will be connected directly to a box, rather than 
>the HUB, will the mdk box still be the gateway?
>
>Obviously, I will be removing the bastille firewall as this becomes 
>redundant.
>
>Thanks in advance.
>
>Dave.
>
>


_
Send and receive Hotmail on your mobile device: http://mobile.msn.com







RE: Re: [expert] Firewall install - smoothwall

2002-01-04 Thread [EMAIL PROTECTED]

But does anyone know if smoothwall supports pcmcia NIC yet?

I know the old versions did not.

Original Message:
-
From: J. Craig Woods [EMAIL PROTECTED]
Date: Fri, 04 Jan 2002 06:32:26 -0600
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: [expert] Firewall install - smoothwall


At 06:38 AM 1/4/2002 -0500, [EMAIL PROTECTED] wrote:
>HI All,
>
>
>Obviously, I will be removing the bastille firewall as this becomes redundant.
>
>Thanks in advance.
>
>Dave.

And, yes, by all means get rid of the Bastille (hell, the French had the
right idea when they stormed it). If this list serves no other purpose
other than to point out to people what crap some of these shortcut firewall
programs are, it will have served a mighty purpose. Just read some of the
problems being encountered by users of Bastille on the list lately. That
should convince you to write your own rules.


J. Craig Woods
UNIX/NT SA
-Art is the illusion of spontaneity-











Re: [expert] Firewall install - smoothwall

2002-01-04 Thread J. Craig Woods

At 06:38 AM 1/4/2002 -0500, [EMAIL PROTECTED] wrote:
>HI All,
>
>
>Obviously, I will be removing the bastille firewall as this becomes redundant.
>
>Thanks in advance.
>
>Dave.

And, yes, by all means get rid of the Bastille (hell, the French had the 
right idea when they stormed it). If this list serves no other purpose 
other than to point out to people what crap some of these shortcut firewall 
programs are, it will have served a mighty purpose. Just read some of the 
problems being encountered by users of Bastille on the list lately. That 
should convince you to write your own rules.


J. Craig Woods
UNIX/NT SA
-Art is the illusion of spontaneity-







Re: [expert] Firewall install - smoothwall

2002-01-04 Thread J. Craig Woods

At 06:38 AM 1/4/2002 -0500, [EMAIL PROTECTED] wrote:
>When I install the Smoothwall firewall (an old Laptop), I will be adding a 
>second NIC to replace the modem, and connect this NIC to the firewall.
>
>Inet<--->Firewall<--->MDK8.0 Box<--->Network Hub<--->all other clients
>
>Do I still need IPTables/Masquerading? Can I just point all the clients to 
>the firewall IP, or as it will be connected directly to a box, rather than 
>the HUB, will the mdk box still be the gateway?
>
>Obviously, I will be removing the bastille firewall as this becomes redundant.
>
>Thanks in advance.
>
>Dave.

First, as I am sure you are aware, a firewall is only a firewall if it 
provides some kind of protection. You will need some kind of port filtering 
to occur, either iptables or ipchains. Now what I do not know about is 
"Smoothwall". Is this some kind of firewall software, and does it run with 
an OS or is it a stand alone firewall app? If you want clients on the 
private LAN to access the Internet by using one IP address,  you will need 
some kind of NAT and/or IP forwarding functioning on the gateway server, 
and this, from your diagram, looks like it will be the firewall machine. So 
without totally understanding what Smoothwall does, I would say you need 
firewall (iptables or ipchains) rules, NIDS rules, and IP forwarding to be 
on your firewall machine. Hope this helps a bit.


J. Craig Woods
UNIX/NT SA
-Art is the illusion of spontaneity-




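J. Craig Woods' answer above lists the three things the box in the "Inet<--->Firewall<--->Network Hub<--->all other clients" position (the layout David suggested earlier in this thread) has to do: filter, NAT, and forward IP. The script below is an added example, written for this archive and not posted by anyone on the list, that emits the minimal iptables rule set for exactly that: IP forwarding switched on, MASQUERADE on the Internet side, and a FORWARD chain that only passes connections the LAN opened plus their replies, with the private source ranges dropped on the Internet side so spoofed "internal" addresses cannot be forwarded in. Interface names, the LAN prefix and the function name are my own choices, not anything from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): the minimum a Linux box needs to stand
# in the "Inet<--->Firewall<--->Network Hub<--->all other clients" position:
# IP forwarding turned on, NAT (MASQUERADE) on the Internet side, and a
# FORWARD chain that only passes LAN-initiated connections and their replies.
# Interface names and the LAN prefix are parameters; the values in the
# usage comment at the bottom are assumptions.

gateway_rules() {
    wan="$1"        # interface facing the Internet, e.g. ppp0 or eth0
    lan="$2"        # interface facing the hub, e.g. eth1
    lan_net="$3"    # LAN prefix, e.g. 192.168.0.0/24
    if [ "$wan" = "$lan" ]; then
        echo "gateway_rules: WAN and LAN must be different interfaces" >&2
        return 1
    fi
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F POSTROUTING
# anti-spoofing: private (RFC 1918) sources never arrive legitimately on the Internet side
iptables -A FORWARD -i $wan -s 10.0.0.0/8 -j DROP
iptables -A FORWARD -i $wan -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i $wan -s 192.168.0.0/16 -j DROP
# replies to connections the LAN opened
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may open connections outward, but only from a LAN address
iptables -A FORWARD -i $lan -o $wan -s $lan_net -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# hide the LAN behind the gateway's own public address (MASQUERADE suits a dial-up address that changes)
iptables -t nat -A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
EOF
}

# Run as root to apply:  gateway_rules ppp0 eth1 192.168.0.0/24 | sh -e
# Without root, the script just prints the rules for review.
if [ "$#" -eq 3 ]; then
    gateway_rules "$@"
fi
```

The script prints rather than applies, so it can be reviewed first and then piped into `sh -e` as root. Two caveats: `-P FORWARD DROP` means anything not listed (including inbound port forwards to a web or ftp server) is silently refused until a rule is added for it, and if the "Internet" side is itself a private network (the box sitting behind another NAT router, as in the hardware-router discussion earlier on this page) the anti-spoofing lines would drop that network's traffic and need trimming.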



RE: [expert] Firewall install - smoothwall

2002-01-04 Thread [EMAIL PROTECTED]

Just seen mentioned that smoothie does not support pcmcia, as the laptop will be using 
a pcmcia NIC this could be a major problem. Has anyone got smoothie installed on a 
laptop with pcmcia NIC?

TIA
Dave

Original Message:
-
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Fri, 4 Jan 2002 06:38:44 -0500
To: [EMAIL PROTECTED]
Subject: [expert] Firewall install - smoothwall


HI All,

I will be installing a dedicated firewall box running smoothwall in the near future. I 
just want to check some areas that will need to change.

The box on my network connected to the internet via DUP on serial modem uses IP Tables 
and Masquerading and Bastille to act as a gateway/firewall for the other clients.

When I install the Smoothwall firewall (an old Laptop), I will be adding a second NIC 
to replace the modem, and connect this NIC to the firewall.

Inet<--->Firewall<--->MDK8.0 Box<--->Network Hub<--->all other clients

Do I still need IPTables/Masquerading? Can I just point all the clients to the 
firewall IP, or as it will be connected directly to a box, rather than the HUB, will 
the mdk box still be the gateway?

Obviously, I will be removing the bastille firewall as this becomes redundant.

Thanks in advance.

Dave.









Re: [expert] Firewall for larger network?

2001-12-17 Thread Greg Sarsons

Have you considered www.astaro.com

Greg

On Mon, 2001-12-17 at 09:21, Dave Sherman wrote:
> On Sun, 2001-12-16 at 21:08, Michael Seymour wrote:
> > I have played around with SNF and found it to be adequate for a small
> > network and I currently use it at home; however, I will be looking for a
> > larger firewall over the next few months for my work environment.  We
> > have 3 e-mail servers and 3 web servers with unique IP addresses so I
> > will need to be able to do static NAT etc.  Will a future version of SNF
> > support this?
> 
> I can't speak for Mandrake SNF, but the sysadmins at my local ISP have
> told me that SmoothWall (www.smoothwall.org) is very powerful and
> flexible.
> 
> Dave
> -- 
> Save a little money each month and at the end of the year you'll be
> surprised at how little you have.
>   -- Ernest Haskins
> 
> 
> 
> 









Re: [expert] Firewall for larger network?

2001-12-17 Thread Dave Sherman

On Sun, 2001-12-16 at 21:08, Michael Seymour wrote:
> I have played around with SNF and found it to be adequate for a small
> network and I currently use it at home; however, I will be looking for a
> larger firewall over the next few months for my work environment.  We
> have 3 e-mail servers and 3 web servers with unique IP addresses so I
> will need to be able to do static NAT etc.  Will a future version of SNF
> support this?

I can't speak for Mandrake SNF, but the sysadmins at my local ISP have
told me that SmoothWall (www.smoothwall.org) is very powerful and
flexible.

Dave
-- 
Save a little money each month and at the end of the year you'll be
surprised at how little you have.
-- Ernest Haskins







RE: [expert] Firewall Log Question

2001-11-23 Thread Jose M. Sanchez

Also add to this that there are 192.168.0.0 packets leaking onto the
internet from misconfigured routers all the time!

-JMS

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED]] On Behalf Of Ed Tharp
|Sent: Thursday, November 22, 2001 4:18 PM
|To: [EMAIL PROTECTED]
|Subject: Re: [expert] Firewall Log Question
|
|
|It's always been my understanding that one of the reasons to have 192.168.x.x
|IP numbers in an internal network is to enable, oh say, a GOOD network (or
|even a really lame) Admin to block those IPs from external sources. Just how
|much do you "share" this network? Just having THOSE IP numbers doesn't mean
|anything except that the ADMIN IS AN A$$, in my humble opinion. To accuse
|someone who owns a dog that looks like your dog of stealing your dog, when
|their dog ran away because they did not feed it or shelter it, seems...shall we
|say...disingenuous. If the other Admin can not close his system (might be a
|M$winder$ system), why should he blame you, because you have a closed
|(linux) system?
|







Re: [expert] Firewall Log Question

2001-11-21 Thread Tarragon Allen

On Thu, 22 Nov 2001 14:41, eduardo wrote:
> Thanks for your help.
>
> With this I sent a small description about how the network has been
> set up and the hardware that we are using.
>
> Network 1 : 10.10.X.X / 255.255.0.0 (The Other Company/Firewall)
>
> Network 2 : 192.168.5.X.X / 255.255.0.0 (My company)
>
> The Switch has 2 Vlans.
>
> The Switch and Gateway/Firewall are controlled by the other company.
>
> The Router connects us to the internet. The router is controlled by the ISP.
>
>
>  -
>
> |Router| |HUB   ||Comp. (Win)|(192.168.X.X)
> |Cisco |>|  |--->|Network 2  |
>
>  -
> (192.168.X.X)   | |_
> (10.10.X.X) |  |(port Vlan2)
> v  v
> -- --(Vlan 2) 192.168.X.X
>
> |Gateway | |Switch  |>NetWork 2 (Windows)
> |FireWall|>|3Com|(Vlan 1)
> |(Linux) | (port Vlan1)||>NetWork 1 (Windows)
>
> -- --  10.10.X.X
> (10.10.X.X)(10.10.X.X)

Well, the firewall logs you sent look like they were generated on the linux 
box.  The linux box is connected by a hub to your windows network.  Why are 
they surprised to see traffic from that network hit their linux box, when it's 
physically on the same network?

Also, just as a question of configuration, shouldn't the VLANs be on 
different subnets to the main networks?  Is this 3COM switch handling the 
VLAN authentication and so forth?

Is eth0 on the linux box connected to the hub or to the switch?

t

-- 
PGP key : http://n12turbo.com/tarragon/public.key






Re: [expert] Firewall Log Question

2001-11-21 Thread eduardo

Thanks for your help.

With this I sent a small description about how the network has been
set up and the hardware that we are using.

Network 1 : 10.10.X.X / 255.255.0.0 (The Other Company/Firewall)

Network 2 : 192.168.5.X.X / 255.255.0.0 (My company)

The Switch has 2 Vlans.

The Switch and Gateway/Firewall are controlled by the other company.

The Router connects us to the internet. The router is controlled by the ISP.


 -
|Router| |HUB   ||Comp. (Win)|(192.168.X.X)
|Cisco |>|  |--->|Network 2  |
 -
(192.168.X.X)   | |_
(10.10.X.X) |  |(port Vlan2)
v  v
-- --(Vlan 2) 192.168.X.X
|Gateway | |Switch  |>NetWork 2 (Windows)
|FireWall|>|3Com|(Vlan 1)
|(Linux) | (port Vlan1)||>NetWork 1 (Windows)
-- --  10.10.X.X
(10.10.X.X)(10.10.X.X)



- Original Message -
From: "Tarragon Allen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 20, 2001 11:32 PM
Subject: Re: [expert] Firewall Log Question


> On Wed, 21 Nov 2001 14:09, Eduardo Bencomo wrote:
> > We are in a mixed network, which includes a router Cisco, a 3COM switch
> > common to the two networks and a hub where gateway/firewall linux computer
> > is connected.
> >
> > One of the networks is my company network (192.168.X.X / 255.255.0.0. I am
> > in charge of it) and the other network belongs to other company (10.10.X.X
> > / 255.255.0.0). This company has a VPN. Now, they are accusing me of being a
> > hacker, alleging we have tried to go into their VPN. As proof of that,
> > they are showing the following type of message:
>
> How do they know it's your network?  The 192.168.x.x range is used by many
> many many people out there to define their internal networks, and is in fact
> supplied on spec (in one of the RFC's) for this very purpose.  Just showing
> some logs with that IP in it doesn't seem to constitute any proof whatsoever
> that your particular network was involved.
>
> The actual packets they've listed here appear to be NetBIOS broadcasts.
> These are sent by Windows clients when they are trying to poll the network
> for other Windows machines.  It looks to me like Windows machines using
> 192.168.x.x is trying to poll something on their network.  Again, no
> indication that it's necessarily from *your* network, it could be any machine
> using those IPs with a subnet mask of 255.255.0.0.
>
> If they are seeing these packets, how did they make it there?  If they are
> running a VPN, the only way they could see these packets from your network
> would be if someone using that IP connected to their VPN and then forwarded
> packets to them.  Unless they can provide more proof (perhaps with
> explanations of where they think the traffic is coming from, rather than a
> pile of oblique logs from a network and host you have no more information
> about) there's not much you can do.
>
> A "more information is required" situation.  Also, I'd assume it's not
> "hacking" - it feels more like some sort of misconfiguration to me.
>
> Btw, is this other company on the same network or share network hardware?
> What connections do you have to this company?  Could it be something as
> simple as a patch lead connecting two hubs together?
>
> t
>
> > Oct 21 04:09:49 localhost kernel: Packet log: input REJECT eth0 PROTO=6
> > 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109
> > SYN (#70)
> >
> > Oct 21 04:09:55 localhost kernel: Packet log: input DENY eth0 PROTO=17
> > 192.168.2.185:138 192.168.255.255:138 L=229 S=0x00 I=43989 F=0x000 T=128 (#71)
> >
> > Oct 21 04:10:01 localhost kernel: Packet log: input REJECT eth0 PROTO=6
> > 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109
> > SYN (#70)
>
> --
> PGP key : http://n12turbo.com/tarragon/public.key
>
>






>



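The log lines quoted in this message are ipchains "Packet log:" records. What follows is an added example, written for this archive and not posted by anyone on the list, of the reading the replies give them turned into a small shell/awk classifier: it tags records whose source is in one of the private ranges from RFC 1918 (Tarragon's and Ed Tharp's point that a 192.168.x.x address identifies no particular network), records that are UDP to port 137 or 138 with a broadcast destination (the NetBIOS chatter Tarragon identifies), and TCP SYNs (inbound connection attempts), and it counts distinct private sources, which is the test Tarragon applies later in the thread: one such address suggests a misconfigured host, many suggest the networks are joined somewhere. The sample input is constructed: the three lines quoted above, unwrapped, plus a 172.20.x.x record and a non-packet-log line I added to exercise the other branches. The function names are mine; only the log format comes from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify ipchains "Packet log:" lines
# of the kind quoted above. Tags applied per record:
#   rfc1918-src        source address is in 10/8, 172.16/12 or 192.168/16
#                      (private space, so it identifies no particular network)
#   netbios-broadcast  UDP to port 137/138 with a broadcast destination
#                      (Windows NetBIOS name/datagram chatter)
#   inbound-syn        a TCP SYN, i.e. an inbound connection attempt
# Function names are mine; only the log format is taken from the thread.

classify_packet_log() {
    awk '
    function is_rfc1918(ip,    o) {
        split(ip, o, ".")
        if (o[1] + 0 == 10) return 1
        if (o[1] + 0 == 172 && o[2] + 0 >= 16 && o[2] + 0 <= 31) return 1
        if (o[1] + 0 == 192 && o[2] + 0 == 168) return 1
        return 0
    }
    # only kernel packet-log records; other syslog lines are skipped
    $6 == "Packet" && $7 == "log:" {
        verdict = $9
        iface = $10
        proto = substr($11, 7) + 0          # "PROTO=17" -> 17
        split($12, s, ":"); src = s[1]; sport = s[2]
        split($13, d, ":"); dst = d[1]; dport = d[2]
        split(dst, dq, ".")
        if (proto == 6) pname = "tcp"
        else if (proto == 17) pname = "udp"
        else pname = "proto" proto
        tags = ""
        if (is_rfc1918(src)) tags = tags " rfc1918-src"
        if (pname == "udp" && (dport + 0 == 137 || dport + 0 == 138) && dq[4] + 0 == 255)
            tags = tags " netbios-broadcast"
        if (pname == "tcp" && $0 ~ / SYN /) tags = tags " inbound-syn"
        printf "%s %s %s %s %s %s %s:%s -> %s:%s%s\n",
               $1, $2, $3, verdict, iface, pname, src, sport, dst, dport, tags
    }'
}

# Distinct private source addresses seen: one suggests a single misconfigured
# host, many suggest the two networks are actually joined somewhere.
count_private_sources() {
    classify_packet_log | grep 'rfc1918-src' \
        | awk '{ sub(/:.*/, "", $7); print $7 }' | sort -u | wc -l | tr -d ' '
}

# Constructed sample: the three lines quoted in the thread, unwrapped, plus
# two records I made up (a 172.20.x.x source and a non-packet-log line).
sample_packet_log() {
    cat <<'EOF'
Oct 21 04:09:49 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)
Oct 21 04:09:55 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.185:138 192.168.255.255:138 L=229 S=0x00 I=43989 F=0x000 T=128 (#71)
Oct 21 04:10:01 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)
Oct 21 04:10:03 localhost kernel: Packet log: input DENY eth0 PROTO=17 172.20.1.5:137 172.20.255.255:137 L=78 S=0x00 I=43990 F=0x000 T=128 (#71)
Oct 21 04:10:05 localhost kernel: eth0: link up, 100Mbps, full-duplex
EOF
}

sample_packet_log | classify_packet_log
echo "distinct private sources: $(sample_packet_log | count_private_sources)"
```

Feed a real log with `classify_packet_log < /var/log/messages` (the file name is an assumption; use wherever the kernel's packet log lands). On the constructed sample the two public-source lines come out tagged `inbound-syn` and the two private-source lines `rfc1918-src netbios-broadcast`, and the count is 2. A broadcast to x.x.255.255 from a private address says only that some Windows host on a 255.255.0.0 subnet is on the same wire as the logging interface, which is the hub-and-VLAN question Tarragon raises, not evidence of an intrusion attempt.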



Re: [expert] Firewall Log Question

2001-11-21 Thread Tarragon Allen

On Thu, 22 Nov 2001 10:08, Leif Madsen wrote:
> I have to agree with Tarragon here.  It doesn't look to me like any sort of
> hacking attempt as it looks like their firewall is just receiving packets
> to ports which they are blocking and it is dropping them.  It very well
> could be a machine on their network which has the IP address of 192.168.X.X
> misconfigured.

I doubt it's a single misconfigured machine using an IP in that range: there 
are denies for many different IPs in the range, which seems to indicate that 
the networks (whether it's Eduardo's or someone else's) are connected somehow.

t
-- 
PGP key : http://n12turbo.com/tarragon/public.key





Re: [expert] Firewall Log Question

2001-11-21 Thread Leif Madsen

I have to agree with Tarragon here.  It doesn't look to me like any sort of
hacking attempt as it looks like their firewall is just receiving packets to
ports which they are blocking and it is dropping them.  It very well could
be a machine on their network which has the IP address of 192.168.X.X
misconfigured.

I'd be hesitant to say that it is you.. but if it is, how are you guys
connected together?

Anything physical or is this remote, over the internet?

If this is remote over the internet and they are saying that 192.168.X.X is
hacking them, I don't think it's you :)


Leif Madsen - Project Manager
[EMAIL PROTECTED]
http://www.plannettechnologies.com

- Original Message -
From: "Tarragon Allen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 20, 2001 10:32 PM
Subject: Re: [expert] Firewall Log Question


> A "more information is required" situation.  Also, I'd assume it's not
> "hacking" - it feels more like some sort of misconfiguration to me.
>
> Btw, is this other company on the same network or share network hardware?
> What connections do you have to this company?  Could it be something as
> simple as a patch lead connecting two hubs together?







Re: [expert] Firewall Log Question

2001-11-20 Thread kons Richard Bown

Hiya, well, looking at the port numbers 137 & 138, if I remember right
those are the NetBIOS ports.
Are you running SAMBA on your network?
Anyway, if you turn off those two ports on outgoing packets that should
stop the other company accusing you of hacking.
But if the other co. had a real sysadmin they'd know that anyway.
HTH

Eduardo Bencomo wrote:
> 
>  We are in a mixed network, which includes a Cisco router, a 3COM
> switch common to the two networks and a hub where the gateway/firewall
> Linux computer is connected.
> 
> One of the networks is my company network (192.168.X.X / 255.255.0.0. I
> am in charge of it) and the other network belongs to another company
> (10.10.X.X / 255.255.0.0). This company has a VPN. Now, they are
> accusing me of being a hacker, alleging we have tried to go into their VPN. As
> proof of that, they are showing the following type of message:
> 
> Oct 21 04:09:49 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)
> Oct 21 04:09:55 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.185:138 192.168.255.255:138 L=229 S=0x00 I=43989 F=0x000 T=128 (#71)
> Oct 21 04:10:01 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)
> Oct 21 04:10:08 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.138:137 192.168.255.255:137 L=78 S=0x00 I=49285 F=0x000 T=32 (#71)
> Oct 21 04:10:16 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.20:138 192.168.2.255:138 L=238 S=0x00 I=56451 F=0x000 T=32 (#71)
> Oct 21 04:10:20 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.5:138 192.168.2.255:138 L=234 S=0x00 I=39272 F=0x000 T=128 (#71)
> Oct 21 04:11:08 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.5:137 192.168.2.255:138 L=78 S=0x00 I=39528 F=0x000 T=128 (#71)
> Oct 21 04:12:00 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.100:138 192.168.255.255:138 L=241 S=0x00 I=31461 F=0x000 T=128 (#71)
> Oct 21 04:14:04 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.172:137 192.168.255.255:137 L=78 S=0x00 I=50473 F=0x000 T=32 (#71)
> 
> They have as many as 40 pages of this type of messages, presenting
> this "deny" access as the evidence we have tried to penetrate their
> network.
> 
> Since we are not interested in going into that VPN, nor have we tried
> to do it, please help me in finding a technical explanation for the
> "evidence" they have shown.
> 
> Thanks.

-- 
Richard Bown
Ericsson Microwave Systems AB
SE-431 84 Mölndal
e-mail [EMAIL PROTECTED]
tel +46 31 74 72422
mobile +46 7098 72422





Re: [expert] Firewall Log Question

2001-11-20 Thread Tarragon Allen

On Wed, 21 Nov 2001 14:09, Eduardo Bencomo wrote:
> We are in a mixed network, which includes a Cisco router, a 3COM switch
> common to the two networks and a hub where the gateway/firewall Linux computer
> is connected.
>
> One of the networks is my company network (192.168.X.X / 255.255.0.0. I am
> in charge of it) and the other network belongs to another company (10.10.X.X
> / 255.255.0.0). This company has a VPN. Now, they are accusing me of being a
> hacker, alleging we have tried to go into their VPN. As proof of that,
> they are showing the following type of message:

How do they know it's your network?  The 192.168.x.x range is used by many 
many many people out there to define their internal networks, and is in fact 
supplied on spec (in one of the RFCs) for this very purpose.  Just showing 
some logs with that IP in it doesn't seem to constitute any proof whatsoever 
that your particular network was involved.

The actual packets they've listed here appear to be NetBIOS broadcasts.  
These are sent by Windows clients when they are trying to poll the network 
for other Windows machines.  It looks to me like Windows machines using 
192.168.x.x are trying to poll something on their network.  Again, no 
indication that it's necessarily from *your* network, it could be any machine 
using those IPs with a subnet mask of 255.255.0.0.

If they are seeing these packets, how did they make it there?  If they are 
running a VPN, the only way they could see these packets from your network 
would be if someone using that IP connected to their VPN and then forwarded 
packets to them.  Unless they can provide more proof (perhaps with 
explanations of where they think the traffic is coming from, rather than a 
pile of oblique logs from a network and host you have no more information 
about) there's not much you can do.

A "more information is required" situation.  Also, I'd assume it's not 
"hacking" - it feels more like some sort of misconfiguration to me.

Btw, is this other company on the same network or share network hardware?  
What connections do you have to this company?  Could it be something as 
simple as a patch lead connecting two hubs together?

t

> Oct 21 04:09:49 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)
>
> Oct 21 04:09:55 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.185:138 192.168.255.255:138 L=229 S=0x00 I=43989 F=0x000 T=128 (#71)
>
> Oct 21 04:10:01 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)

-- 
PGP key : http://n12turbo.com/tarragon/public.key
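The "are these NetBIOS broadcasts or a probe?" question argued in this thread can be answered mechanically from the ipchains "Packet log" lines themselves. Below is an added example (not code from the list, from ipchains or from any project named here) that parses that log format, labels each entry as a NetBIOS broadcast or a TCP SYN, and counts the distinct private source hosts behind the broadcasts; the nine lines Eduardo posted are used as the sample input.

```python
"""Parse and triage ipchains 'Packet log' lines like those quoted in this thread.

Added example; not code from the list or from the ipchains project.
"""
import ipaddress
import re
from collections import Counter

# Field layout of a 2.2-kernel ipchains log line, as seen in the thread:
#   <ts> <host> kernel: Packet log: <chain> <target> <iface> PROTO=<n>
#   <src>:<sport> <dst>:<dport> L=<len> S=0x<tos> I=<id> F=0x<frag> T=<ttl> [SYN] (#<rule>)
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+Packet log:\s+"
    r"(?P<chain>\S+)\s+(?P<target>\S+)\s+(?P<iface>\S+)\s+PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s+"
    r"L=(?P<length>\d+)\s+S=0x(?P<tos>[0-9A-Fa-f]+)\s+I=(?P<ipid>\d+)\s+"
    r"F=0x(?P<frag>[0-9A-Fa-f]+)\s+T=(?P<ttl>\d+)"
    r"(?:\s+(?P<flags>SYN))?\s+\(#(?P<rule>\d+)\)\s*$"
)

NETBIOS_PORTS = {137, 138}   # NetBIOS name service / datagram service
PROTO_TCP, PROTO_UDP = 6, 17


def parse_line(line):
    """Return a dict of fields, or None if the line is not an ipchains log entry."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    return rec


def is_local_broadcast(src, dst):
    """True if dst is the directed broadcast of a /16 or /24 containing src,
    e.g. 192.168.255.255 for a 255.255.0.0 host, 192.168.2.255 for a /24 host."""
    for prefix in (16, 24):
        net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        if dst == net.broadcast_address:
            return True
    return False


def classify(rec):
    """Label one parsed record for triage."""
    if rec["proto"] == PROTO_UDP and rec["dport"] in NETBIOS_PORTS:
        if is_local_broadcast(rec["src"], rec["dst"]):
            return "netbios-broadcast"
        return "netbios-unicast"
    if rec["proto"] == PROTO_TCP and rec["flags"] == "SYN":
        return "tcp-syn"
    return "other"


def summarize(lines):
    """Count each class and collect the distinct private hosts sending broadcasts.
    Many distinct sources suggests two networks joined together rather than
    one misconfigured machine, which is the point made in the thread."""
    counts = Counter()
    broadcast_sources = set()
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        label = classify(rec)
        counts[label] += 1
        if label == "netbios-broadcast" and rec["src"].is_private:
            broadcast_sources.add(str(rec["src"]))
    return {"counts": dict(counts),
            "broadcast_sources": sorted(broadcast_sources),
            "unparsed": unparsed}


# Sample input: the nine log lines quoted in the thread, one entry per line.
SAMPLE_LOG = """
Oct 21 04:09:49 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)
Oct 21 04:09:55 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.185:138 192.168.255.255:138 L=229 S=0x00 I=43989 F=0x000 T=128 (#71)
Oct 21 04:10:01 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)
Oct 21 04:10:08 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.138:137 192.168.255.255:137 L=78 S=0x00 I=49285 F=0x000 T=32 (#71)
Oct 21 04:10:16 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.20:138 192.168.2.255:138 L=238 S=0x00 I=56451 F=0x000 T=32 (#71)
Oct 21 04:10:20 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.5:138 192.168.2.255:138 L=234 S=0x00 I=39272 F=0x000 T=128 (#71)
Oct 21 04:11:08 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.5:137 192.168.2.255:138 L=78 S=0x00 I=39528 F=0x000 T=128 (#71)
Oct 21 04:12:00 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.100:138 192.168.255.255:138 L=241 S=0x00 I=31461 F=0x000 T=128 (#71)
Oct 21 04:14:04 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.172:137 192.168.255.255:137 L=78 S=0x00 I=50473 F=0x000 T=32 (#71)
""".strip().splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The two REJECTs are unrelated TCP SYNs to port 27374 from a public address; every DENY is a UDP 137/138 datagram to a directed broadcast address from one of six different 192.168.2.x hosts.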





Re: [expert] firewall rules

2001-10-29 Thread Arthur H. Johnson II


Try /etc/Bastille

On 30 Oct 2001, Bill Kenworthy wrote:

> Hi, where are the rules for the tinyfirewall script kept.  I want to do
> some minor mods.
>
> BillK
>

-- 
Arthur H. Johnson II
[EMAIL PROTECTED]
The Linux Box
http://www.linuxbox.nu






[Fwd: Re: [expert] Firewall / Router Advice]

2001-04-27 Thread Pierre Fortin

Is someone playing with the list's Reply-To: address...??
Sent this earlier; but it didn't make it to the list because the list was not
included in my Reply...

Martyn, I've corrected my response below... was groggy when I replied this
morning and my brain was reversing base10 & base16 math...  :P

Pierre

---- Original Message ----
Subject: Re: [expert] Firewall / Router Advice
Date: Fri, 27 Apr 2001 09:58:54 -0400
From: Pierre Fortin <[EMAIL PROTECTED]>
To: Martyn Wendon <[EMAIL PROTECTED]>
References: <A1E0FEB3E411D411AD1F0030050124811844CC@NEO>

Martyn Wendon wrote:
> 
> Hello Expert List!
> 
> If possible can anybody advise me on the following scenario:
> 
> My home network (4 pcs and a laptop of varying Windows / Linux versions)
> currently accesses the Internet via a 3Com OfficeConnect ISDN router.  The
> machines are connected to a hub, which in turn uplinks to the router.
> Currently the router has an internal IP address of 172.18.9.30 and the
> machines have IP's in the range of 172.18.9.* - On connecting to my ISP a
> dynamic IP is allocated to the external port of the router and it performs
> NAT accordingly.  The default gateway in each machine is set to the internal
> IP of the router and everything works fine.
> 
> What I'm trying to do is put a Linux box (Mandrake 7.2) as a proxy server /
> firewall in between the hub and the router to increase security and offer
> proxying facilities.  I'm fairly new to Linux (been playing with Mandrake
> for about 6 months), but have a reasonable knowledge of networking.

Then you should know that routing is a Layer 3 issue and requires separate
[sub]networks to be able to route between...

> So far I've fitted 2 network cards in the Linux box, eth0 is 172.18.9.100
> and is connected to the router and eth1 is 172.18.9.101 and is connected to

Even if you had managed to put .100 and .101 in different subnets with a 
mask=255.255.255.252 (or /30), one would be a broadcast address (.100=01100100
& .101=01100101)

> the hub of the internal network.  I've enabled routing in linuxconf, and the
> default gateway is set at 172.18.9.30, at this point from this Linux box I
> assumed that I would be able to a:) ping the other machines on my network
> and b:) be able to ping the router / internet.  But I can only ping the
> router and the internet, not the internal network.  I also assumed
> (wrongly?) that I'd still be able to ping the router / internet from the
> rest of the machines.  So now I'm a little stuck - too many years of plug
> and pray with Microsoft have taken their toll!

Depending on the addresses of your internal machines you may have to
re-address/mask those boxes; but you WILL have to re-address eth0 and/or eth1.

The quickest fix (fewest changes) will be to change 172.18.9.x on your router and
eth0 to 172.[16-31].[0-255].x (except 172.18.9.x) 

For those suggesting 192.168.x.y, that is valid but Martyn is using another
range of addresses as specified in RFC1918:

 10.0.0.0-   10.255.255.255  (10/8 prefix)
 172.16.0.0  -   172.31.255.255  (172.16/12 prefix)
 192.168.0.0 -   192.168.255.255 (192.168/16 prefix)

which is why I'm staying within his selected range.

> I'd appreciate any help on getting this all set up correctly, I've got a
> copy of PMFirewall and Squid - although I'm open to suggestions if there's
> anything better - but first things first I'd like to get the Linux box
> working as a simple "middle man" between the hub and router..

Just fix your addresses to allow the Linux box to have a clue as to how to
route...  :^)

Pierre


> Many thanks,
> 
> Martyn

-- 
Support Linux development:  http://www.linux-mandrake.com/donations/
Last reboot reason:  01/03/27: winter storm 6hr power outage




Re: [expert] Firewall / Router Advice

2001-04-27 Thread John Wolford

Martyn,

Doesn't it strike you as a little weird that both interfaces are on the same
network? Which interface does it send to when it wants to ping 172.18.9.200?
Both? Or one of them, and then which one? You have two topologies going on in
the internal network: star topology on the side of the internal interface of
your linux firewall, and bus topology from the internal interface of the
firewall to the router. I just looked up your router and so I now know that
your internal network is 10BaseT. But 10BaseT doesn't work with a bus topology!
According to IEEE 802.3 10BaseT specifications, which is what your linux
firewall is going by, when you send a packet out of eth0, any of the rest of
that network, including the machines on the eth1 side of it, can hear it. So
really, if the linux firewall sends a packet only out of eth0, it's doing
nothing wrong.

The way i see it, you have two options:

1. Do the classic linux firewall thing and set up the network on eth1 to be
something like 192.168.1.0 and on eth1 to be on the 172.18.9.0 network, with
the router as your gateway, and do masq'ing from internal to external
interface. The point is that both NICs need to be on different subnets. For
this check out
http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html
http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html
http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html

2. This is the COOLEST option: set up your linux firewall as a bridge. This
would make it a transparent firewall - a bridge that is also a firewall. Much
less chance of your firewall box itself being compromised. For this check out
http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO.html
http://www.linuxdoc.org/HOWTO/BRIDGE-STP-HOWTO/index.html

I hope that makes some sense :-)
j


--- Martyn Wendon <[EMAIL PROTECTED]> wrote:
> Hello Expert List!
> 
> If possible can anybody advise me on the following scenario:
> 
> My home network (4 pcs and a laptop of varying Windows / Linux versions)
> currently accesses the Internet via a 3Com OfficeConnect ISDN router.  The
> machines are connected to a hub, which in turn uplinks to the router.
> Currently the router has an internal IP address of 172.18.9.30 and the
> machines have IP's in the range of 172.18.9.* - On connecting to my ISP a
> dynamic IP is allocated to the external port of the router and it performs
> NAT accordingly.  The default gateway in each machine is set to the internal
> IP of the router and everything works fine.
> 
> What I'm trying to do is put a Linux box (Mandrake 7.2) as a proxy server /
> firewall in between the hub and the router to increase security and offer
> proxying facilities.  I'm fairly new to Linux (been playing with Mandrake
> for about 6 months), but have a reasonable knowledge of networking.
> 
> So far I've fitted 2 network cards in the Linux box, eth0 is 172.18.9.100
> and is connected to the router and eth1 is 172.18.9.101 and is connected to
> the hub of the internal network.  I've enabled routing in linuxconf, and the
> default gateway is set at 172.18.9.30, at this point from this Linux box I
> assumed that I would be able to a:) ping the other machines on my network
> and b:) be able to ping the router / internet.  But I can only ping the
> router and the internet, not the internal network.  I also assumed
> (wrongly?) that I'd still be able to ping the router / internet from the
> rest of the machines.  So now I'm a little stuck - too many years of plug
> and pray with Microsoft have taken their toll!
> 
> I'd appreciate any help on getting this all set up correctly, I've got a
> copy of PMFirewall and Squid - although I'm open to suggestions if there's
> anything better - but first things first I'd like to get the Linux box
> working as a simple "middle man" between the hub and router..
> 
> Many thanks,
> 
> Martyn
> 
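Pierre's and John's replies above both come down to one check: the firewall's two NICs must sit in different (RFC 1918) subnets, or the kernel has no way to decide which interface a local destination such as 172.18.9.200 is behind. The following is an added example, not code from the thread or from any tool named in it, that performs that check with Python's standard ipaddress module; it assumes a /24 mask on Martyn's interfaces, which the thread does not state, and uses John's suggested 192.168.1.0 inside network as the corrected case.

```python
"""Sanity-check the interface addressing of a two-NIC Linux firewall.

Added example; not code from the thread. The /24 masks are an assumption.
"""
import ipaddress

# Private ranges from RFC 1918, as listed in the thread.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_interfaces(ifaces):
    """ifaces maps an interface name to 'address/prefix'.
    Returns a list of human-readable findings; an empty list means the
    box can route unambiguously between its directly connected networks."""
    parsed = {name: ipaddress.ip_interface(cidr) for name, cidr in ifaces.items()}
    findings = []
    for name, iface in parsed.items():
        if not any(iface.ip in net for net in RFC1918):
            findings.append(f"{name}: {iface.ip} is not an RFC 1918 address")
        net = iface.network
        # On /31 and /32 there is no distinct network/broadcast address to collide with.
        if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            findings.append(f"{name}: {iface.ip} is the network or broadcast address of {net}")
    names = list(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].network.overlaps(parsed[b].network):
                findings.append(
                    f"{a} ({parsed[a].network}) and {b} ({parsed[b].network}) overlap; "
                    "the kernel cannot tell which interface a local destination is behind")
    return findings


def interfaces_for(dst, ifaces):
    """Names of the directly connected interfaces whose network contains dst.
    More than one means the route is ambiguous; none means the default
    gateway would be used."""
    dst = ipaddress.ip_address(dst)
    return sorted(name for name, cidr in ifaces.items()
                  if dst in ipaddress.ip_interface(cidr).network)


# Martyn's configuration as described in the thread (masks assumed to be /24).
AS_POSTED = {"eth0": "172.18.9.100/24", "eth1": "172.18.9.101/24"}
# John's option 1: a separate RFC 1918 subnet on the inside, router side unchanged.
CORRECTED = {"eth0": "172.18.9.100/24", "eth1": "192.168.1.1/24"}

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label, check_interfaces(cfg) or ["ok"])
        print("  172.18.9.200 reachable via", interfaces_for("172.18.9.200", cfg))
```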






Re: [expert] Firewall / Router Advice

2001-04-27 Thread Craig Sprout

Martyn Wendon wrote:
> So far I've fitted 2 network cards in the Linux box, eth0 is 172.18.9.100
> and is connected to the router and eth1 is 172.18.9.101 and is connected to
> the hub of the internal network.  I've enabled routing in linuxconf, and the
> default gateway is set at 172.18.9.30, at this point from this Linux box I
> assumed that I would be able to a:) ping the other machines on my network
> and b:) be able to ping the router / internet.  But I can only ping the
> router and the internet, not the internal network.  I also assumed
> (wrongly?) that I'd still be able to ping the router / internet from the
> rest of the machines.  So now I'm a little stuck - too many years of plug
> and pray with Microsoft have taken their toll!

At least you have seen the light now!  :)

To get this to work properly, you need to have packet forwarding enabled
in your kernel, so you will have to recompile your kernel.  It's in the
IP Settings, IP Firewalling.

Depending on the version of LM you have, you will be using iptables or
ipchains, which set up your firewall rules. 
http://www.bastille-linux.org is a good place to start on firewalling. 
It can be as simple or as complex as you desire.

I haven't touched iptables yet, and as I understand the situation, there
are still some potential security problems with iptables, so you may
want to steer clear for now.

Once you get the kernel rebuilt, have a look at the Firewall HOWTO to
get started with ipchains.

HTH.

-- 
Craig Sprout
Network Administrator
Crown Parts and Machine
http://www.crownpartsandmachine.com





Re: [expert] Firewall / Router Advice

2001-04-27 Thread Dan Swartzendruber

On Fri, 27 Apr 2001, Martyn Wendon wrote:

> So far I've fitted 2 network cards in the Linux box, eth0 is 172.18.9.100
> and is connected to the router and eth1 is 172.18.9.101 and is connected to
> the hub of the internal network.  I've enabled routing in linuxconf, and the
> default gateway is set at 172.18.9.30, at this point from this Linux box I
> assumed that I would be able to a:) ping the other machines on my network
> and b:) be able to ping the router / internet.  But I can only ping the
> router and the internet, not the internal network.  I also assumed
> (wrongly?) that I'd still be able to ping the router / internet from the
> rest of the machines.  So now I'm a little stuck - too many years of plug
> and pray with Microsoft have taken their toll!

you need to put the two interfaces in different subnets.







Re: [expert] Firewall.

2001-02-17 Thread Mark Weaver

Franki wrote:
> 
> hi all,
> 
> Has anyone used Kfirewall here?
> 
> I needed one in a hurry, so I setup kfirewall to block all the usual ports,
> and now I am having trouble getting it to keep its settings after reboot...
> is it only supposed to work while X is running?  if so that's a bit sad...
> is there a way to make the IPchains rules permanent?
> 
> Also, since I did the above, I have been unable to remotely log into
> webmin,
> 
> even though I didn't block 443 or 1,
> 
> anyone got any hints on that?
> 
> many thanks in Advance...
> 
> regards
> 
> Frank

Frank,

Have you tried setting up ipchains with Pmfirewall? That will set up
ipchains in a much more permanent fashion and works real nice.
-- 
Mark

"If you don't share your concepts and ideals, they end up being
worthless,"
"Sharing is what makes them powerful."




Re: [expert] Firewall.

2001-02-17 Thread Michael O'Henly

I haven't used Kfirewall so I can't help with this problem.

However, like many on this list, I use pmfirewall. It's very easy to 
configure, supports IPMASQ, and has a good reputation.

You can find it at: 

http://www.pointman.org/PMFirewall/

M.

On Saturday 17 February 2001 09:23, Franki wrote:
> hi all,
>
> Has anyone used Kfirewall here?
>
> I needed one in a hurry, so I setup kfirewall to block all the usual ports,
> and now I am having trouble getting it to keep its settings after reboot...
> is it only supposed to work while X is running?  if so that's a bit sad...
> is there a way to make the IPchains rules permanent?
>
> Also, since I did the above, I have been unable to remotely log into
> webmin,
>
> even though I didn't block 443 or 1,
>
> anyone got any hints on that?
>
> many thanks in Advance...
>
>
> regards
>
> Frank
>
> Perth Western Australia.
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Altoine B.
> Sent: Saturday, 17 February 2001 10:55 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [expert] 7.2 Updated and StarOffice 5.2 trouble
>
> Mark Belanger wrote:
> > Stig-Ørjan Smelror wrote:
> > > After I updated my installation of 7.2 StarOffice 5.2 won't run.
> > >
> > > I get "Failed to load necessary components" and did a "strace" to see
> > > what it was looking for. It says it can't find "libsmart_egcs29.so" or
> > > "libegcs29_smart.so" and I've no clue what so ever to where these files
> > > can be found/located...
>
> Sounds like you had the "stock" LM7.1. What I mean by that is it was in
> LM7.1 in the upgrade where gcc merged with egcs into one. LM7.2 should
> use the new gcc2.95 or higher (if you upgraded). That is why you are
> having your current problems. Your StarOffice 5.2 was statically linked
> to the old binaries. You will most likely have to reinstall StarOffice
> 5.2.
>
> --
>
>
>
>   .--. `
>
>   |__| .---.   Altoine Barker
>   |=.| |.-.|   Maximum Time, Inc
>   |--| ||$SEND||   Chicago Based Enterprise
>   |
>   |  | |'-'|   http://www.maximumtime.com
>   |
>   |__|~')_('

-- 
Michael O'Henly
TENZO Design




Re: [expert] firewall

2001-02-13 Thread Jesus Roncero

On Sunday 11 February 2001 01:41, you wrote:
> I'll second the suggestion of pmfirewall. It's very easy to set up and does
> exactly what it's supposed to do.

Thanks to all who replied!

-- 
Greetings from Seville




Re: [expert] firewall

2001-02-10 Thread Bill Kenworthy


Try installing pmfirewall to handle ipchains.  I used the DrakConf setup
once, and then had to go back and basically undo the settings and then
installed pmfirewall with my mods.  DrakConf probably does a good job if
you have exactly the setup it expects, but not if you don't, or if you
want to control what happens and want to be sure that your system is
secure.

It is causing the fetchmail problems.  Run "fetchmailconf" (as the user
who owns the fetchmail process you are running) and select "edit server"
for the connection and add (ppp0 in my case) the network interface to
"network to monitor".  On my setup, fetchmail goes to sleep unless ppp0
is up.

Billk

> As a result of using drakconf and enabling the "sharing internet connection",
> fetchmail refuses to start when I am not connected to the internet. I use it
> in daemon mode to download my mail every 11 minutes. Before I could execute
> it and send it to the background without any problem. Now it says it cannot find the
> DNS entry for my pop server... Any ideas? Is this related to the firewall?
> 
> Thanks a lot!
> --
> Greetings from Seville




Re: [expert] firewall

2001-02-10 Thread Chris Spackman

On Sat, Feb 10, 2001 at 04:41:53PM -0800, Michael O'Henly wrote:
> I'll second the suggestion of pmfirewall. It's very easy to set up and does 
> exactly what it's supposed to do. 

[snip]

> -- 
> Michael O'Henly
> TENZO Design


I would suggest using portsentry in addition to something like pmfirewall.
It comes with 7.2 and is easy to set up.


-- 
Chris and Yoshiko Spackman

www.openhistory.org
[EMAIL PROTECTED]  (English)
[EMAIL PROTECTED]   (Japanese)

"I will not be pushed, filed, stamped, indexed, briefed, debriefed, or
numbered. My life is my own."
-The Prisoner




Re: [expert] firewall

2001-02-10 Thread Michael O'Henly

I'll second the suggestion of pmfirewall. It's very easy to set up and does 
exactly what it's supposed to do. 

M.

On Saturday 10 February 2001 16:28, Dave wrote:
> Jesus,
>
> >I am connecting to the internet via ppp and a modem. As I usually stay
> >connected during most part of the day I want to have a firewall.
>
> For a quick fix I'd suggest pmfirewall ... just download it, put it in
> /usr/local/src, do a tar -xvzf, cd to the pmfirewall directory and do a
> # sh install.sh
> Sure, it's a dummy type firewall, but it does work, it's a fast setup,
> and you can study its ipchains rules to see what it's doing.
>
> >That installed me Bind,
>
> Get rid of bind. You certainly don't need that for a stand-alone ppp
> dialup connection. Bind is a security problem, not a solution.
>
> dave.

-- 
Michael O'Henly
TENZO Design




RE: [expert] firewall

2001-02-10 Thread Dave

Jesus,

>I am connecting to the internet via ppp and a modem. As I usually stay 
>connected during most part of the day I want to have a firewall.

For a quick fix I'd suggest pmfirewall ... just download it, put it in
/usr/local/src, do a tar -xvzf, cd to the pmfirewall directory and do a 
# sh install.sh
Sure, it's a dummy type firewall, but it does work, it's a fast setup,
and you can study its ipchains rules to see what it's doing. 

>That installed me Bind,

Get rid of bind. You certainly don't need that for a stand-alone ppp
dialup connection. Bind is a security problem, not a solution.

dave.




Re: [expert] Firewall and NIC cards

2001-01-22 Thread Ron Heron

1) the only problem with multiple cards, is that you will have two
modules, and if you are using the LRP floppy, it may just take up room. 
Still shouldn't be a problem, though.
2) the video is a bios setting, where you simply allow the computer to
boot without keyboard or video.
3) Check the Linux Router Project how-to for more specific info.

Ron
--- John W <[EMAIL PROTECTED]> wrote:
>  I am preparing to create a firewall/router to do ipmasqing. I am using
> a 
> p133 box and I have three NIC cards two are 3com 905 tx and the third is
> a 
> Dlink 530 FE using the Via Rhine driver in Linux. Would I be better off
> to 
> pair up the matching cards in the firewall machine or mix them? 
> I understand that you can also remove the monitor once it is up and
> running. 
> Would doing so require any special adapters to be plugged into the vid
> card 
> or can the card be removed as well?
> Thanks in advance,
> -- 
> John W
> 






Re: [expert] Firewall....

2001-01-03 Thread Tal Amir

the need for a web client is not because i want something "easy to use".
i need to be able to remotely control and monitor that machine's traffic.
i still need a web client. PMFirewall is cute and easy to use, but it will
not do for what i need...
any idea about a web client? 'cause that's the only thing i need to use
right now.


On Wed, 3 Jan 2001, Scott Patten wrote:

> Date: Wed, 03 Jan 2001 12:22:51 -0700
> From: Scott Patten <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED], Tal Amir <[EMAIL PROTECTED]>
> Subject: Re: [expert] Firewall
> 
> There is an IPChains module for Webmin.
> 
> http://www.niemueller.de/webmin/modules/ipchains/
> 
> I have not used this as I prefer PMFirewall.  If you want something quick 
> then why would you want to deal with setting up a web interface?  This 
> isn't something that typically changes every day so the interface shouldn't 
> really matter all that much.  Trust me.  PMFirewall is easier than setting 
> up a web interface to IPChains or (I suspect) any other firewall interface.
> 
> Good luck,
> 
> Scott
> 
> --On Wednesday, January 03, 2001 7:48 PM +0200 Tal Amir <[EMAIL PROTECTED]> 
> wrote:
> 
> > ok, and back to the original question :
> >
> > i am looking for a web-based firewall app to run on top of my mandrake 7.2
> > with all due respect to stand alone servers like e-smith, i don't intend to
> > dedicate a machine for this issue.
> >
> > any1 ? i need it kinda urgent...
> >
> > 10x ;)
> >
> >
> > On Wed, 3 Jan 2001, Joseph S. Gardner wrote:
> >
> >> Date: Wed, 03 Jan 2001 11:58:38 -0500
> >> From: Joseph S. Gardner <[EMAIL PROTECTED]>
> >> Reply-To: [EMAIL PROTECTED]
> >> To: [EMAIL PROTECTED]
> >> Subject: Re: [expert] Firewall
> >>
> >> Tal Amir wrote:
> >>
> >> > well, as i understand, e-smith is a stand alone application that runs
> >> > on its own, and not on a platform.(correct me if i'm wrong..)
> >> >
> >> > i need something to run on top of my linux gateway, not as a stand
> >> > alone machine.
> >> >
> >>
> >> You are correct that E-Smith runs as a stand alone machine.  It is/can
> >> be a web server, email server, gateway, and firewall.  I use it strictly
> >> as a web and email server running behind a freeSCO
> >> router/firewall/gateway.  BTW both machines are old 486's I had lying
> >> around, the freeSCO only has a floppy and 16M of ram (no HDD) and the
> >> E-Smith has 64M ram and a 8G HDD.  And yes for all you Mandrake lovers I
> >> have 3 other machines running 7.1 8-)
> >>
> >>
> >> --
> >> Joseph S Gardner
> >>
> >> Senior Designer / Technical Support
> >> Kirby Co., Cleveland, OH
> >> [EMAIL PROTECTED]
> >>
> >> The box said,
> >> "Requires Windows 3.x or better",
> >> so I got Linux.
> >>
> >> Registered Linux user #1696600
> >>
> >>
> >>
> >
> > --
> > 
> >  _|_|_ Best Regard's ,
> >   ( )   *  Amir Tal,
> >   /v\  /   System Administrator
> > /(   )XIntercomp Ltd.
> >  (m_m) fax : 09-9526170
> > | |ICQ : 15748705
> > | (_)_ __  Office : 09-9526993.
> > | | | '_ \| | | \ \/ /  
> > | | | | | | |_| |>  <
> > |_)_|_|_| |_|\__,_/_/\
> > visit us at www.legacy2web.com.
> > 
> >
> 
> 
> 
> 

-- 

 _|_|_ Best Regard's ,
  ( )   *  Amir Tal,  
  /v\  /   System Administrator
/(   )XIntercomp Ltd.
 (m_m) fax : 09-9526170
| |ICQ : 15748705
| (_)_ __  Office : 09-9526993.
| | | '_ \| | | \ \/ /   
| | | | | | |_| |>  <
|_)_|_|_| |_|\__,_/_/\
visit us at www.legacy2web.com.  






Re: [expert] Firewall....

2001-01-03 Thread Tal Amir

ok, and back to the original question :

i am looking for a web-based firewall app to run on top of my mandrake 7.2
with all due respect to stand alone servers like e-smith, i don't intend to
dedicate a machine for this issue.

any1 ? i need it kinda urgent...

10x ;)


On Wed, 3 Jan 2001, Joseph S. Gardner wrote:

> Date: Wed, 03 Jan 2001 11:58:38 -0500
> From: Joseph S. Gardner <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: [expert] Firewall
> 
> Tal Amir wrote:
> 
> > well, as i understand, e-smith is a stand alone application that runs on
> > its own, and not on a platform.(correct me if i'm wrong..)
> >
> > i need something to run on top of my linux gateway, not as a stand alone
> > machine.
> >
> 
> You are correct that E-Smith runs as a stand alone machine.  It is/can be a web server,
> email server, gateway, and firewall.  I use it strictly as a web and email server
> running behind a freeSCO router/firewall/gateway.  BTW both machines are old 486's I had
> lying around, the freeSCO only has a floppy and 16M of ram (no HDD) and the E-Smith has
> 64M ram and a 8G HDD.  And yes for all you Mandrake lovers I have 3 other machines
> running 7.1 8-)
> 
> 
> --
> Joseph S Gardner
> 
> Senior Designer / Technical Support
> Kirby Co., Cleveland, OH
> [EMAIL PROTECTED]
> 
> The box said,
> "Requires Windows 3.x or better",
> so I got Linux.
> 
> Registered Linux user #1696600
> 
> 
> 

-- 

 _|_|_ Best Regard's ,
  ( )   *  Amir Tal,  
  /v\  /   System Administrator
/(   )XIntercomp Ltd.
 (m_m) fax : 09-9526170
| |ICQ : 15748705
| (_)_ __  Office : 09-9526993.
| | | '_ \| | | \ \/ /   
| | | | | | |_| |>  <
|_)_|_|_| |_|\__,_/_/\
visit us at www.legacy2web.com.  






Re: [expert] Firewall....

2001-01-03 Thread Joseph S. Gardner

Tal Amir wrote:

> well, as i understand, e-smith is a stand alone application that runs on
> its own, and not on a platform.(correct me if i'm wrong..)
>
> i need something to run on top of my linux gateway, not as a stand alone
> machine.
>

You are correct that E-Smith runs as a stand alone machine.  It is/can be a web server,
email server, gateway, and firewall.  I use it strictly as a web and email server
running behind a freeSCO router/firewall/gateway.  BTW both machines are old 486's I had
lying around, the freeSCO only has a floppy and 16M of ram (no HDD) and the E-Smith has
64M ram and a 8G HDD.  And yes for all you Mandrake lovers I have 3 other machines
running 7.1 8-)


--
Joseph S Gardner

Senior Designer / Technical Support
Kirby Co., Cleveland, OH
[EMAIL PROTECTED]

The box said,
"Requires Windows 3.x or better",
so I got Linux.

Registered Linux user #1696600






Re: [expert] Firewall....

2001-01-03 Thread Tal Amir

well, as i understand, e-smith is a stand alone application that runs on
its own, and not on a platform.(correct me if i'm wrong..)

i need something to run on top of my linux gateway, not as a stand alone
machine.




On Wed, 3 Jan 2001, Joseph S. Gardner wrote:

> Date: Wed, 03 Jan 2001 10:21:28 -0500
> From: Joseph S. Gardner <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: [expert] Firewall
> 
> Jack Malone wrote:
> 
> > At 11:50 AM 1/2/2001 -0500, you wrote:
> > >"Steven W.Laird" wrote:
> > >
> > > > On Friday 29 December 2000 14:49, [EMAIL PROTECTED] wrote:
> > > >
> > > > > > hi,
> > > > >
> > > > > can anyone recommend a firewall application with a web administration
> > > > > interface?
> > > > >
> > > > > thanks.
> > > >
> > > > Take a look at http://www.e-smith.com
> > > >
> > > > RH based gateway/router/firewall/samba solution that ANYONE can install and
> > > > configure. (Yes, browser based administration as well...)
> > > > --
> > > > Steve
> > >
> > >I second the e-smith (sorry Mandrake).  It works well "out of the box".
> > What is the cost of e-smith if you do not mind, is there a version that
> > you can dl and burn to cd that is not an eval.
> >
> > jack
> 
> E-Smith is available for free download from www.e-smith.org  They offer a service
> contract that seems a bit steep but they do have a free support forum on line.
> 
> They are currently testing a new version (4.1 -b2) which offers SSH, SSL, web-mail
> etc.  I'm using 4.0 with a couple of add-ons for webmail.  Works great, easy
> install yada, yada.
> 
> Let me know if you need any help
> --
> Joseph S Gardner
> 
> Senior Designer / Technical Support
> Kirby Co., Cleveland, OH
> [EMAIL PROTECTED]
> 
> The box said,
> "Requires Windows 3.x or better",
> so I got Linux.
> 
> Registered Linux user #1696600
> 
> 
> 

-- 

 _|_|_ Best Regards,
  ( )   *  Amir Tal,  
  /v\  /   System Administrator
/(   )XIntercomp Ltd.
 (m_m) fax : 09-9526170
| |ICQ : 15748705
| (_)_ __  Office : 09-9526993.
| | | '_ \| | | \ \/ /   
| | | | | | |_| |>  <
|_)_|_|_| |_|\__,_/_/\
visit us at www.legacy2web.com.  






Re: [expert] Firewall....

2001-01-03 Thread Joseph S. Gardner

Jack Malone wrote:

> At 11:50 AM 1/2/2001 -0500, you wrote:
> >"Steven W.Laird" wrote:
> >
> > > On Friday 29 December 2000 14:49, [EMAIL PROTECTED] wrote:
> > >
> > > > > hi,
> > > >
> > > > can anyone recommend a firewall application with a web administration
> > > > interface?
> > > >
> > > > thanks.
> > >
> > > Take a look at http://www.e-smith.com
> > >
> > > RH based gateway/router/firewall/samba solution that ANYONE can install and
> > > configure. (Yes, browser based administration as well...)
> > > --
> > > Steve
> >
> >I second the e-smith (sorry Mandrake).  It works well "out of the box".
> What is the cost of e-smith if you do not mind, is there a version that
> you can dl and burn to cd that is not an eval.
>
> jack

E-Smith is available for free download from www.e-smith.org  They offer a service
contract that seems a bit steep but they do have a free support forum on line.

They are currently testing a new version (4.1 -b2) which offers SSH, SSL, web-mail
etc.  I'm using 4.0 with a couple of add-ons for webmail.  Works great, easy
install yada, yada.

Let me know if you need any help
--
Joseph S Gardner

Senior Designer / Technical Support
Kirby Co., Cleveland, OH
[EMAIL PROTECTED]

The box said,
"Requires Windows 3.x or better",
so I got Linux.

Registered Linux user #1696600






Re: [expert] Firewall....

2001-01-03 Thread Jack Malone

At 11:50 AM 1/2/2001 -0500, you wrote:
>"Steven W.Laird" wrote:
>
> > On Friday 29 December 2000 14:49, [EMAIL PROTECTED] wrote:
> >
> > > > hi,
> > >
> > > can anyone recommend a firewall application with a web administration
> > > interface?
> > >
> > > thanks.
> >
> > Take a look at http://www.e-smith.com
> >
> > RH based gateway/router/firewall/samba solution that ANYONE can install and
> > configure. (Yes, browser based administration as well...)
> > --
> > Steve
>
>I second the e-smith (sorry Mandrake).  It works well "out of the box".
What is the cost of e-smith if you do not mind, is there a version that
you can dl and burn to cd that is not an eval.

jack 





Re: [expert] Firewall....

2001-01-02 Thread Joseph S. Gardner

"Steven W.Laird" wrote:

> On Friday 29 December 2000 14:49, [EMAIL PROTECTED] wrote:
>
> > > hi,
> >
> > can anyone recommend a firewall application with a web administration
> > interface?
> >
> > thanks.
>
> Take a look at http://www.e-smith.com
>
> RH based gateway/router/firewall/samba solution that ANYONE can install and
> configure. (Yes, browser based administration as well...)
> --
> Steve

I second the e-smith (sorry Mandrake).  It works well "out of the box".


--
Joseph S Gardner

Senior Designer / Technical Support
Kirby Co., Cleveland, OH
[EMAIL PROTECTED]

The box said,
"Requires Windows 3.x or better",
so I got Linux.

Registered Linux user #1696600






Re: [expert] Firewall....

2001-01-02 Thread Denis HAVLIK

On Sat, 30 Dec 2000 [EMAIL PROTECTED] wrote:

:~>hi,
:~>
:~>can anyone recommand a firewall application with a web administration interface?
:~>
:~>thank's.

Not yet, but in a month or so... See here:

http://www.mandrakeforum.com/article.php3?sid=20001228025051

have fun!

Denis 
-- 
-
Dr. Denis Havlik   
Mandrakesoft   ||| e-mail: [EMAIL PROTECTED]
  (@ @)(private: [EMAIL PROTECTED])
--oOO--(_)--OOo-
The mailserver is on strike. It wants better working conditions,
paid days off and a female connector. ([EMAIL PROTECTED])





Re: Re: [expert] Firewall....

2001-01-01 Thread Jim Dawson

You might also want to check out SmoothWall at
www.smoothwall.org. It is also available on the December
2000 Linux Format Magazine CD which should still be
available as the US distribution is about a month behind.

> On Friday 29 December 2000 14:49, [EMAIL PROTECTED] wrote:
> 
> > > hi,
> >
> > can anyone recommend a firewall application with a web administration
> > interface?
> >
> > thanks.
> 
> Take a look at http://www.e-smith.com
> 
> RH based gateway/router/firewall/samba solution that ANYONE can install and
> configure. (Yes, browser based administration as well...)
> --
> Steve
> 
> 






Re: Re: [expert] Firewall....

2001-01-01 Thread Jim Dawson

You might also want to take a look at SmoothWall at www.smoothwall.org.
It is also on the December Linux Format Magazine CD. (Probably still on the
newsstands as Linux Format runs a month behind in the US, I just picked up my
copy two days ago...)

> On Friday 29 December 2000 14:49, [EMAIL PROTECTED] wrote:
> 
> > > hi,
> >
> > can anyone recommend a firewall application with a web administration
> > interface?
> >
> > thanks.
> 
> Take a look at http://www.e-smith.com
> 
> RH based gateway/router/firewall/samba solution that ANYONE can install and 
> configure. (Yes, browser based administration as well...)
> --
> Steve
> 
> 





Re: [expert] Firewall....

2000-12-31 Thread Steven W . Laird

On Friday 29 December 2000 14:49, [EMAIL PROTECTED] wrote:

> > hi,
>
> can anyone recommend a firewall application with a web administration
> interface?
>
> thanks.

Take a look at http://www.e-smith.com

RH based gateway/router/firewall/samba solution that ANYONE can install and 
configure. (Yes, browser based administration as well...)
--
Steve




Re: [expert] Firewall....

2000-12-31 Thread Michael R. Batchelor


>can anyone recommend a firewall application with a web administration
>interface?

Just about any Linux distribution and pmfirewall work great. Just be
sure to make sure you examine the firewall rules after the pmfirewall
install and *UNDERSTAND* what's going on. Then you can decide if you need
to modify it. The default install does a great job, but security at
*YOUR* site is *YOUR* responsibility. Don't blindly assume that the
author understands *YOUR* particular circumstance. You probably fit
under the bell curve, but it's up to you to decide that.





Re: [expert] Firewall issues...

2000-08-26 Thread Daniel Woods

> I'm not sure if this pertains to your problems, but I did run into a problem when I
> upped a firewall from 7.0 to 7.1.  The problem that I had was that I couldn't get
> mdk 7.1 to dhcp its address on eth1. Seeing that eth0 seemed to be working properly,
> I switched eth0 and eth1 in the configuration and switched cables.  I had the exact
> same problem, so I know it wasn't the NICs.  I then reconfigured things so that eth1
> was internal and eth0 was the Internet connected NIC.  When I did this everything
> worked.
> 
> I looked at the updates for mdk 7.1 and I did find a couple for dhcp, which I
> installed on that machine, but I never got around to testing out the updates.
> 
> Klar Brian D Contr MSG/SWS wrote:
> 
> > I have upgraded recently (Fresh install) to LM 7.1. My girlfriend's machine runs win98.
> > I had IP Masq'ing running fine on 7.0, and copied the rc.firewall file onto the new 7.1 install.
> > Routes are fine, I can do anything internally but the win box will not connect to the internet.
> > I have tried the simple 3 line masq routine, to no avail. I have tried pmfirewall, to no good.
> > My friend who has like 5+ years with *nix can not see anything wrong with any of the setup
> > however IP MASQ'ing will not work.
> >
> > Any help appreciated
> >
> > Brian D. Klar - CVE
> > OTS
> > WPAFB
> > (937)257-5773
> > 937-973-3125 (Pager)

I had a problem like this once...

Be sure to check 
# cat /etc/sysconfig/network
NETWORKING=yes
FORWARD_IPV4="yes"

Thanks... Dan.






Re: [expert] Firewall issues...

2000-08-26 Thread JASON SNYDER

I'm not sure if this pertains to your problems, but I did run into a problem when I
upped a firewall from 7.0 to 7.1.  The problem that I had was that I couldn't get mdk
7.1 to dhcp its address on eth1. Seeing that eth0 seemed to be working properly, I
switched eth0 and eth1 in the configuration and switched cables.  I had the exact same
problem, so I know it wasn't the NICs.  I then reconfigured things so that eth1 was
internal and eth0 was the Internet connected NIC.  When I did this everything worked.

I looked at the updates for mdk 7.1 and I did find a couple for dhcp, which I
installed on that machine, but I never got around to testing out the updates.

Klar Brian D Contr MSG/SWS wrote:

> I have upgraded recently (Fresh install) to LM 7.1. My girlfriend's machine runs win98.
> I had IP Masq'ing running fine on 7.0, and copied the rc.firewall file onto the new 7.1 install.
> Routes are fine, I can do anything internally but the win box will not connect to the internet.
> I have tried the simple 3 line masq routine, to no avail. I have tried pmfirewall, to no good.
> My friend who has like 5+ years with *nix can not see anything wrong with any of the setup
> however IP MASQ'ing will not work.
>
> Any help appreciated
>
> Brian D. Klar - CVE
> OTS
> WPAFB
> (937)257-5773
> 937-973-3125 (Pager)





RE: [expert] Firewall issues...

2000-08-25 Thread Zaleski, Matthew (M.E.)

It's been a while since I had to debug my firewall setup but here are a few
tips:
1. Do you have ip_forwarding (in /proc/net) enabled?
2. Are you binding 2 IPs to a single card?  If so, is it still doing it
since upgrading?
3. Zero the counters ('ipchains -Z') and then attempt a connect on 98 box
and check the counters ('ipchains -L input -v') again.  Repeat for 'output'
and 'masq' (or is it called 'forward') chains.

That should narrow down the list of possible problems.

Matt

> -Original Message-
> From: Klar Brian D Contr MSG/SWS [mailto:[EMAIL PROTECTED]]
> Sent: Friday, August 25, 2000 1:18 PM
> To: '[EMAIL PROTECTED]'
> Subject: [expert] Firewall issues...
> 
> 
> I have upgraded recently (Fresh install) to LM 7.1. My 
> girlfriend's machine runs win98.
> I had IP Masq'ing running fine on 7.0, and copied the 
> rc.firewall file onto the new 7.1 install.
> Routes are fine, I can do anything internally but the win box 
> will not connect to the internet.
> I have tried the simple 3 line masq routine, to no avail. I 
> have tried pmfirewall, to no good.
> My friend who has like 5+ years with *nix can not see 
> anything wrong with any of the setup
> however IP MASQ'ing will not work.
> 
> Any help appreciated
> 
> Brian D. Klar - CVE
> OTS
> WPAFB
> (937)257-5773
> 937-973-3125 (Pager)
> 
> 
> 
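The three checks Matt lists above, together with the FORWARD_IPV4 setting in /etc/sysconfig/network that Dan points at earlier on the page, written out as a POSIX shell script. This is an added example, not code from the thread, from pmfirewall or from Mandrake: every function takes the file or the `ipchains -L <chain> -v` listing as an argument so it can be exercised on sample data, and the sample listing, the sysconfig contents and the column layout it parses are constructed (check the 8th-column assumption against the header line of your own ipchains output).

```shell
#!/bin/sh
# Added example: masquerading prerequisite checks driven by files/listings
# passed as arguments. All sample inputs below are constructed.

# Check 1: kernel forwarding switch. On a live box pass
# /proc/sys/net/ipv4/ip_forward; it must contain "1" for masq to forward.
ip_forward_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Boot-time setting on Mandrake/RH: FORWARD_IPV4="yes" in /etc/sysconfig/network.
# Returns 0 when the value is yes (case-insensitive, quotes stripped), else 1.
sysconfig_forward_enabled() {
    awk -F= '
        /^FORWARD_IPV4=/ { v = $2; gsub(/"/, "", v); v = tolower(v) }
        END { if (v == "yes") exit 0; exit 1 }' "$1"
}

# Check 3: sum the per-rule packet counters from an `ipchains -L <chain> -v`
# listing for rules bound to one interface. Counter rows start with a bare
# number in the pkts column; ifname is the 8th field in the constructed layout
# below. ipchains abbreviates large counters with K/M suffixes, which this
# deliberately does not parse (they are skipped).
interface_packet_count() {
    # $1 = listing text, $2 = interface name
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $1 ~ /^[0-9]+$/ && $8 == ifc { n += $1 }
        END { printf "%d\n", n + 0 }'
}

# The "zero the counters, retry from the Windows box, list again" step: after
# the retry, rules on the internal interface should have counted packets.
# Prints a verdict; returns 0 when packets were seen, 1 otherwise.
packets_reached_chain() {
    # $1 = listing text, $2 = internal interface name
    n=$(interface_packet_count "$1" "$2")
    if [ "$n" -gt 0 ]; then
        echo "$n packets matched rules on $2: traffic is reaching this chain"
        return 0
    fi
    echo "no packets matched rules on $2: check cabling, the client's gateway/IP, or an earlier chain"
    return 1
}

# Constructed sample, shaped like `ipchains -L input -v` output.
SAMPLE_INPUT_LISTING='Chain input (policy ACCEPT: 9 packets, 720 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname   mark   outsize  source               destination          ports
   42  3172 ACCEPT     all  ------ 0xFF 0x00  eth1                     192.168.1.0/24       anywhere             n/a
    0     0 DENY       all  ------ 0xFF 0x00  eth0                     192.168.0.0/16       anywhere             n/a
    7   588 ACCEPT     all  ------ 0xFF 0x00  eth1                     anywhere             anywhere             n/a'

demo() {
    tmp=$(mktemp)
    printf 'NETWORKING=yes\nFORWARD_IPV4="no"\n' > "$tmp"   # constructed sysconfig
    if sysconfig_forward_enabled "$tmp"; then
        echo "sysconfig: forwarding enabled at boot"
    else
        echo "sysconfig: FORWARD_IPV4 is not yes; masquerading will not forward"
    fi
    rm -f "$tmp"
    packets_reached_chain "$SAMPLE_INPUT_LISTING" eth1 || true
    packets_reached_chain "$SAMPLE_INPUT_LISTING" eth0 || true
}
demo
```

On a live box the same functions take the real files: `ip_forward_enabled /proc/sys/net/ipv4/ip_forward`, `sysconfig_forward_enabled /etc/sysconfig/network`, and `packets_reached_chain "$(ipchains -L forward -v)" eth1` after zeroing with `ipchains -Z` and retrying from the client. Repeating the last call for the input and forward chains tells you at which stage the packets stop.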





Re: [expert] Firewall issues...

2000-08-25 Thread Stephen Bosch



On Fri, 25 Aug 2000, Klar Brian D Contr MSG/SWS wrote:

> I have upgraded recently (Fresh install) to LM 7.1. My girlfriend's machine runs win98.
> I had IP Masq'ing running fine on 7.0, and copied the rc.firewall file onto the new 7.1 install.
> Routes are fine, I can do anything internally but the win box will not connect to the internet.
> I have tried the simple 3 line masq routine, to no avail. I have tried pmfirewall, to no good.
> My friend who has like 5+ years with *nix can not see anything wrong with any of the setup
> however IP MASQ'ing will not work.

How is the Windows machine set up? What is the internal IP of your IPMASQ 
box?

-Stephen-





RE: [expert] Firewall Rules

2000-05-23 Thread Eric Peters

I have these scripts for a basic firewall that will set ipchains to
block all icmp's, open basic services, and open high ports as you need them.
Also when a port scan is performed it will show all 65,000 ports as open.

You will have to edit the files to show your eth configs, but I
tried to make it painless. Also included is a flush script that will flush
all ipchains settings.

Cheers,

Eric Peters 
System Administrator
Network Operations Inherent.com Inc.
[EMAIL PROTECTED]
(503) 224-6751 x224
Personal Site http://www.linuxsystems.net



-Original Message-
From: Sridhar Govindarajulu [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 22, 2000 9:11 PM
To: Mandrake Expert
Subject: [expert] Firewall Rules


I am trying to set up firewall rules. Can I use LinuxConf for that. If so
does it write the rules to rc.firewall in /etc/rc.d or any other file?

Cheers
Sridhar



[Attachments: fire-wall, flush (uuencoded, truncated in the archive)]


Re: [expert] Firewall Rules

2000-05-23 Thread vern

Do a search on the web for PMfirewall, this little program is a script
which will write IPCHAINS rules.  It writes a basic firewall that you can
customize to your needs.
vern

Sridhar Govindarajulu wrote:
> 
> I am trying to set up firewall rules. Can I use LinuxConf for that. If so
> does it write the rules to rc.firewall in /etc/rc.d or any other file?
> 
> Cheers
> Sridhar

-- 
   V3rn waz h3r3!
 Help! My Linux doc. heap has fallen
 on me, and I can't get up!
 ILOVEYOU is a GNUish plot!





Re: [expert] Firewall Rules

2000-05-23 Thread Ágoston

"Sridhar Govindarajulu" <[EMAIL PROTECTED]> wrote:

> I am trying to set up firewall rules. Can I use LinuxConf for that. If so
> does it write the rules to rc.firewall in /etc/rc.d or any other file?

I dunno but I dislike linuxconf. Try to set up a self-made
config (use the ipchains-HOWTO or the TrinityOS docs) and
put it under a name like rc.firewall and call it from
rc.local. It works for me under RH (RH and MDK use the same
init processes)
Bye,
Ago




Re: [expert] firewall

2000-04-01 Thread paul

One option would be to go to http://www.pointman.org/pmfirewall and
download pmfirewall which is really easy to set up and will protect you
from common attacks (SMB, IP spoofing, BO, Trin00 etc) using ipchains,
and will masquerade internal connections, if you have several machines on
your internal lan that want to access the internet, but have only one
valid IP address.

If you are really concerned about security, your firewall should be a
separate machine, interspersed between your lan and the internet, with
most ports shut down, and running a minimum of services.

 
> Regards,
> 
> Ron. [AU] - sent by Linux.
> 




Re: [expert] firewall

2000-03-31 Thread Ron Stodden

_=+Richard+=_ wrote:
> 
> How do you start the firewall? I have completely no idea what a firewall
> is but I heard it protects you from hackers... is that right?

Read the ipchains HOWTO.

-- 

Regards,

Ron. [AU] - sent by Linux.



Re: [expert] Firewall is stopping my server from sending mail.

1999-11-30 Thread Axalon Bloodstone

On Mon, 29 Nov 1999, Stephen Carville wrote:

> On 29 Nov, Eric L. Damron wrote:
> - For some reason, when I run my firewall, my mail is not being relayed.  My
> - firewall is just a set of ipchain rules.   Here is an example of my maillog
> - file.  The first entry is something that I sent
> - after dropping my firewall and the second is after the firewall is back up:
> - 
> - Nov 29 18:29:43 C287853-A sendmail[12067]: SAA12065: [EMAIL PROTECTED],
> - ctladdr=root (0/0), delay=00:00:02, xdelay=00:00:02, mailer=esmtp,
> - relay=mx-rr.home.com. [24.0.0.194], stat=Sent (SAA24790 Message accepted for
> - delivery)
> - 
> - Nov 29 18:31:57 C287853-A sendmail[12244]: SAA12244: from=root, size=216,
> - class=0, pri=30216, nrcpts=1,
> - msgid=<[EMAIL PROTECTED]>,
> - relay=root@localhost
> - Nov 29 18:31:57 C287853-A sendmail[12246]: SAA12244: [EMAIL PROTECTED],
> - ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=esmtp,
> - relay=mx1.home.com. [24.0.0.31], stat=Deferred: Connection refused by
> - mx1.home.com.
> - 
> - Notice that the relay refuses a connection when my firewall is up!
> - 
> - Any idea why this would happen?
> 
> Just a shot in the dark but try connecting to port 25 on the remote
>  host (telnet  25). Maybe one of your firewall rules is
>  preventing the handshake.
 
Also note that it's sending to two separate relays in the above examples,
and that it's possible that "mx1.home.com" is/was down. But not seeing any
ipchains rules we can only guess.

--
MandrakeSoft  http://www.mandrakesoft.com/
--Axalon



Re: [expert] Firewall is stopping my server from sending mail.

1999-11-29 Thread Stephen Carville

On 29 Nov, Eric L. Damron wrote:
- For some reason, when I run my firewall, my mail is not being relayed.  My
- firewall is just a set of ipchain rules.   Here is an example of my maillog
- file.  The first entry is something that I sent
- after dropping my firewall and the second is after the firewall is back up:
- 
- Nov 29 18:29:43 C287853-A sendmail[12067]: SAA12065: [EMAIL PROTECTED],
- ctladdr=root (0/0), delay=00:00:02, xdelay=00:00:02, mailer=esmtp,
- relay=mx-rr.home.com. [24.0.0.194], stat=Sent (SAA24790 Message accepted for
- delivery)
- 
- Nov 29 18:31:57 C287853-A sendmail[12244]: SAA12244: from=root, size=216,
- class=0, pri=30216, nrcpts=1,
- msgid=<[EMAIL PROTECTED]>,
- relay=root@localhost
- Nov 29 18:31:57 C287853-A sendmail[12246]: SAA12244: [EMAIL PROTECTED],
- ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=esmtp,
- relay=mx1.home.com. [24.0.0.31], stat=Deferred: Connection refused by
- mx1.home.com.
- 
- Notice that the relay refuses a connection when my firewall is up!
- 
- Any idea why this would happen?

Just a shot in the dark but try connecting to port 25 on the remote
 host (telnet  25). Maybe one of your firewall rules is
 preventing the handshake.

-- 
Stephen Carville

A well educated citizenry, being essential to the maintenance of a free
society, the right of the people, to keep and read books shall not be 
infringed.
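The two replies above make the same point from the maillog: one attempt shows stat=Sent via one relay, the other stat=Deferred with a connection refused by a different relay, and a "refused" is a different symptom from a silently dropped packet. The script below, an added example that is not part of the thread, pulls those fields out of sendmail log lines with awk so the relays and their outcomes can be compared side by side. The sample lines are constructed, modelled on the quoted ones, with placeholder addresses, message id and queue ids.

```shell
#!/bin/sh
# Added example: summarise sendmail delivery attempts per relay from maillog
# text. Sample lines are constructed (placeholder addresses and ids).
SAMPLE_MAILLOG='Nov 29 18:29:43 C287853-A sendmail[12067]: SAA12065: to=user@example.com, ctladdr=root (0/0), delay=00:00:02, xdelay=00:00:02, mailer=esmtp, relay=mx-rr.home.com. [24.0.0.194], stat=Sent (SAA24790 Message accepted for delivery)
Nov 29 18:31:57 C287853-A sendmail[12244]: SAA12244: from=root, size=216, class=0, pri=30216, nrcpts=1, msgid=<200011300231.SAA12244@localhost>, relay=root@localhost
Nov 29 18:31:57 C287853-A sendmail[12246]: SAA12244: to=user@example.com, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, relay=mx1.home.com. [24.0.0.31], stat=Deferred: Connection refused by mx1.home.com.'

TAB=$(printf '\t')

# Outbound delivery attempts only (mailer=esmtp with a stat=); the from= line
# of a local submission has no stat= and is skipped. Prints "relay<TAB>status",
# status being the first word after stat= (Sent, Deferred, ...).
delivery_attempts() {
    printf '%s\n' "$1" | awk '
        /mailer=esmtp/ && /stat=/ {
            r = $0; sub(/.*relay=/, "", r); sub(/[ ,].*/, "", r)
            s = $0; sub(/.*stat=/, "", s); sub(/[ :(].*/, "", s)
            print r "\t" s
        }'
}

# Relays whose TCP connection was refused outright. A refusal (RST or ICMP
# unreachable) comes from a rule that rejects rather than drops, or from a host
# with nothing listening on 25; a rule that silently drops shows up as a
# timeout instead, and an SMTP-level rejection carries a 5xx reply text.
refused_relays() {
    printf '%s\n' "$1" | awk '
        /mailer=esmtp/ && /stat=Deferred: Connection refused/ {
            r = $0; sub(/.*relay=/, "", r); sub(/[ ,].*/, "", r); print r
        }'
}

# Outcome for one relay name, matched as a prefix so the trailing dot sendmail
# logs after a fully qualified name does not matter.
relay_status() {
    delivery_attempts "$1" | awk -F "$TAB" -v r="$2" 'index($1, r) == 1 { print $2 }'
}

echo "relay / status:"
delivery_attempts "$SAMPLE_MAILLOG"
echo "refused by: $(refused_relays "$SAMPLE_MAILLOG")"
```

On a real box run it as `delivery_attempts "$(grep sendmail /var/log/maillog)"` once with the rules loaded and once with them flushed; if the refused relay is also refused with the rules down, the problem is the relay, not the firewall.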