Re: [gentoo-user] rsync port - firewall config
> > Firestarter seems to meet my needs. I had to do a little hacking to
> > have it start on boot, though. The gentoo emerge of firestarter didn't
> > install a /etc/init.d script.
>
> no it puts a line in /etc/ppp/if-up, since this will restart firestarter
> whenever you get a new if assigned through dialup.
>
> > Jonathan

I have Guarddog configuring my firewall and I needed to make a call to /etc/rc.firewall from /etc/ppp/ip-up. Make sure /etc/ppp/ip-up isn't overwritten by /etc/init.d/net.ppp?. /etc/ppp/ip-up.local may be supported although I haven't tried.

--
Daniel Black
--
Proudly a Gentoo Linux User.
GnuPG/PGP signed and encrypted email preferred
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x32A64DC8

--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] rsync port - firewall config
----- Original Message -----
From: "collins" <[EMAIL PROTECTED]>
To: "g2" <[EMAIL PROTECTED]>
Sent: Friday, December 05, 2003 2:54 PM
Subject: Re: [gentoo-user] rsync port - firewall config

> On Thu, 2003-12-04 at 16:12, Jonathan Stickel wrote:
> > SN wrote:
> > > Firestarter is pretty good and it allows easy manual adjustments. Since it
> > > uses plain files here you can insert ports or hosts and so on, very
> > > flexible.
> > > You can even use it for scripted actions.
> >
> > Firestarter seems to meet my needs. I had to do a little hacking to
> > have it start on boot, though. The gentoo emerge of firestarter didn't
> > install a /etc/init.d script.
>
> Shorewall is an excellent and easy-to-configure product.

If shorewall wasn't so buggy all the time I'd say yes, but every time the guy releases a new version there is some major bug in there. Shorewall is very powerful, but often just broken.

> --
> Collins Richey - Denver Area
> Gentoo stable
Re: [gentoo-user] rsync port - firewall config
On Thu, 2003-12-04 at 16:12, Jonathan Stickel wrote:
> SN wrote:
> > Firestarter is pretty good and it allows easy manual adjustments. Since it
> > uses plain files here you can insert ports or hosts and so on, very
> > flexible.
> > You can even use it for scripted actions.
>
> Firestarter seems to meet my needs. I had to do a little hacking to
> have it start on boot, though. The gentoo emerge of firestarter didn't
> install a /etc/init.d script.

Shorewall is an excellent and easy-to-configure product.

--
Collins Richey - Denver Area
Gentoo stable
Re: [gentoo-user] rsync port - firewall config
----- Original Message -----
From: "Jonathan Stickel" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 05, 2003 12:12 AM
Subject: Re: [gentoo-user] rsync port - firewall config

> SN wrote:
> > Firestarter is pretty good and it allows easy manual adjustments. Since it
> > uses plain files here you can insert ports or hosts and so on, very
> > flexible.
> > You can even use it for scripted actions.
>
> Firestarter seems to meet my needs. I had to do a little hacking to
> have it start on boot, though. The gentoo emerge of firestarter didn't
> install a /etc/init.d script.

no it puts a line in /etc/ppp/if-up, since this will restart firestarter whenever you get a new if assigned through dialup.

> Jonathan
Re: [gentoo-user] rsync port - firewall config
SN wrote:
> Firestarter is pretty good and it allows easy manual adjustments. Since it
> uses plain files here you can insert ports or hosts and so on, very
> flexible.
> You can even use it for scripted actions.

Firestarter seems to meet my needs. I had to do a little hacking to have it start on boot, though. The gentoo emerge of firestarter didn't install a /etc/init.d script.

Jonathan
Re: [gentoo-user] rsync port - firewall config
Firestarter is pretty good and it allows easy manual adjustments. Since it uses plain files here you can insert ports or hosts and so on, very flexible.
You can even use it for scripted actions.

----- Original Message -----
From: "Jonathan Stickel" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 04, 2003 10:20 PM
Subject: Re: [gentoo-user] rsync port - firewall config

> I plead ignorance. I didn't see the gentoo announcement about the rsync
> vulnerability until _after_ I made my post.
>
> I understand the basics of what you are saying, but apparently Guarddog
> blocks all incoming and outgoing traffic except on specified ports.
> I'll have to try another firewall gui (firestarter?). I want a simple
> firewall for feel good security, but I don't want to learn all about them.
>
> Jonathan
>
> SN wrote:
> > Ah boy, now it made the round and people get crazy.
> >
> > Hey you don't have to block traffic from inside to outside, then in general
> > you should block all ports and only open up ports you need for services that
> > want to be accessed from outside. The rsync problem only affects rsync
> > servers not clients, clients aren't vulnerable, to do emerge sync you only
> > need the client.
> >
> > Guys please do me a favour don't get crazy now because a server got hacked
> > through rsync, rather read some basics about firewalling.
> >
> > ----- Original Message -----
> > From: "Jonathan Stickel" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Thursday, December 04, 2003 7:14 PM
> > Subject: [gentoo-user] rsync port - firewall config
> >
> > > I've set up a firewall with Guarddog, which I use because it is
> > > relatively simple but seems to be comprehensive. However, it does not
> > > have rsync in its protocol list. I've tried to make a user-defined
> > > protocol for port 873 (which is the rsync port I believe), but it
> > > doesn't seem to work. I cannot use rsync unless I temporarily
> > > deactivate the firewall. As you know, allowing rsync is necessary to do
> > > an 'emerge sync'!
> > >
> > > I'm wondering if anyone else uses Guarddog and has come up with a
> > > solution. If not, I will entertain simple iptable snippets that I can
> > > manually enter into the Guarddog generated /etc/rc.firewall.
> > >
> > > Thanks,
> > > Jonathan
Re: [gentoo-user] rsync port - firewall config
I plead ignorance. I didn't see the gentoo announcement about the rsync vulnerability until _after_ I made my post.

I understand the basics of what you are saying, but apparently Guarddog blocks all incoming and outgoing traffic except on specified ports. I'll have to try another firewall gui (firestarter?). I want a simple firewall for feel good security, but I don't want to learn all about them.

Jonathan

SN wrote:
> Ah boy, now it made the round and people get crazy.
>
> Hey you don't have to block traffic from inside to outside, then in general
> you should block all ports and only open up ports you need for services that
> want to be accessed from outside. The rsync problem only affects rsync
> servers not clients, clients aren't vulnerable, to do emerge sync you only
> need the client.
>
> Guys please do me a favour don't get crazy now because a server got hacked
> through rsync, rather read some basics about firewalling.
>
> ----- Original Message -----
> From: "Jonathan Stickel" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, December 04, 2003 7:14 PM
> Subject: [gentoo-user] rsync port - firewall config
>
> > I've set up a firewall with Guarddog, which I use because it is
> > relatively simple but seems to be comprehensive. However, it does not
> > have rsync in its protocol list. I've tried to make a user-defined
> > protocol for port 873 (which is the rsync port I believe), but it
> > doesn't seem to work. I cannot use rsync unless I temporarily
> > deactivate the firewall. As you know, allowing rsync is necessary to do
> > an 'emerge sync'!
> >
> > I'm wondering if anyone else uses Guarddog and has come up with a
> > solution. If not, I will entertain simple iptable snippets that I can
> > manually enter into the Guarddog generated /etc/rc.firewall.
> >
> > Thanks,
> > Jonathan
Re: [gentoo-user] rsync port - firewall config
SN wrote:
> Guys please do me a favour don't get crazy now because a server got hacked
> through rsync, rather read some basics about firewalling.

Yeah. That server used an uncommon configuration (option chroot = no), and the hacker didn't get root access by hacking into rsync. He/she used a kernel exploit to get root access on that machine. Beyond that, the machine was only an rsync mirror, not an official gentoo server, and none of the distfiles have been altered, so there's absolutely no reason for panic..
Re: [gentoo-user] rsync port - firewall config
Ah boy, now it made the round and people get crazy.

Hey you don't have to block traffic from inside to outside, then in general you should block all ports and only open up ports you need for services that want to be accessed from outside. The rsync problem only affects rsync servers not clients, clients aren't vulnerable, to do emerge sync you only need the client.

Guys please do me a favour don't get crazy now because a server got hacked through rsync, rather read some basics about firewalling.

----- Original Message -----
From: "Jonathan Stickel" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 04, 2003 7:14 PM
Subject: [gentoo-user] rsync port - firewall config

> I've set up a firewall with Guarddog, which I use because it is
> relatively simple but seems to be comprehensive. However, it does not
> have rsync in its protocol list. I've tried to make a user-defined
> protocol for port 873 (which is the rsync port I believe), but it
> doesn't seem to work. I cannot use rsync unless I temporarily
> deactivate the firewall. As you know, allowing rsync is necessary to do
> an 'emerge sync'!
>
> I'm wondering if anyone else uses Guarddog and has come up with a
> solution. If not, I will entertain simple iptable snippets that I can
> manually enter into the Guarddog generated /etc/rc.firewall.
>
> Thanks,
> Jonathan
[gentoo-user] rsync port - firewall config
I've set up a firewall with Guarddog, which I use because it is relatively simple but seems to be comprehensive. However, it does not have rsync in its protocol list. I've tried to make a user-defined protocol for port 873 (which is the rsync port I believe), but it doesn't seem to work. I cannot use rsync unless I temporarily deactivate the firewall. As you know, allowing rsync is necessary to do an 'emerge sync'!

I'm wondering if anyone else uses Guarddog and has come up with a solution. If not, I will entertain simple iptable snippets that I can manually enter into the Guarddog generated /etc/rc.firewall.

Thanks,
Jonathan
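
An added example, not part of the original thread and not Guarddog's generated output: iptables rules that permit rsync as a client only (all that 'emerge sync' needs) on a host that filters outbound as well as inbound traffic, plus a check that no rule accepts inbound connections to port 873. The function names, the insert-at-position-1 placement and the conntrack match are assumptions about the surrounding ruleset; the script prints the commands unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example (not from the thread): outbound-only rsync rules.
# Dry run by default: commands are printed, not executed.
# Run as root with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"
RSYNC_PORT=873   # rsync daemon port, as named in the thread

# Allow this host to act as an rsync *client* only.
# Rules are inserted at position 1 (assumption) so they take effect
# before any generated DROP/REJECT rules further down the chains.
rsync_client_rules() {
    # New and ongoing connections from us to a remote rsync daemon.
    $IPT -I OUTPUT 1 -p tcp --dport "$RSYNC_PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    # Replies only: packets from port 873 that belong to a connection
    # this host opened. No NEW inbound connections are accepted.
    $IPT -I INPUT 1 -p tcp --sport "$RSYNC_PORT" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Check a rule listing passed as $1.
# Returns 0 if no INPUT rule accepts traffic *to* port 873 (no rsync
# server exposed), 1 if such a rule is present.
no_inbound_rsync() {
    ! printf '%s\n' "$1" |
        grep -E -q -- "INPUT.*--dport ${RSYNC_PORT} .*ACCEPT"
}

rsync_client_rules
```

The inbound rule matches on source port 873 and ESTABLISHED state, so it admits replies to connections this host started and nothing else; a rule with `--dport 873` in INPUT would instead expose an rsync server.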