Re: [leaf-user] Interesting Issue?
David Pitts wrote: Just a bit more. The connection is made from a client provided by the Tax Office. However, on their website they say that to use the software you must have a browser capable of 128 bit SSL installed, so its possible they're using the browser protocol (HTTP?) and port. Just curious, David, what's the relationship of the client provided by the Tax Office with the browser? Is it some sort of plug-in or is it a standalone? Most of the major browsers of today support 128 bit, I'm still using Netscape 4.8, which uses 128-bit, to reach my own bank I don't even know for sure that the thing will work through a NATted firewall at all. If you initiate the connection from your own side of the firewall surely you must have it configured to accept reply packets. I use IE 5.5 and/or Netscape 4.8 to do tax returns here in Stockholm, with either Dachstein-ipchains or Slackware-Shorewall, no problems. It's only a https connection. Maybe your client needs authentication via certificates, popular with the banks. Does the lack of any relevant entries in my log (shorewall.log) mean that there is no relevant traffic being blocked? I do have some shorewall.log entries showing rejected connections. Should every rejected attempt to access any port be logged, unless there is a statement that specifically stops the logging? What I need to know is whether the lack of logs means there is no blocking or I'm not logging the right thing. It's difficult to say without seeing an excerpt from your logs. Regards, -- Patrick Benson Stockholm, Sweden --- This SF.net email is sponsored by: VM Ware With VMware you can run multiple operating systems on a single machine. WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the same time. Free trial click here: http://www.vmware.com/wl/offer/345/0 leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
RE: [leaf-user] Interesting Issue?
On Wed, 2003-07-16 at 22:11, David Pitts wrote: Does the lack of any relevant entries in my log (shorewall.log) mean that there is no relevant traffic being blocked? I do have some shorewall.log entries showing rejected connections. Should every rejected attempt to access any port be logged, unless there is a statement that specifically stops the logging? What I need to know is whether the lack of logs means there is no blocking or I'm not logging the right thing. Shorewall generates rules to log every attempt to access any protocol/port provided that: a) You have the standard net-all policy: net all DROPULOG b) You don't have a rule that handles the port in another way. c) The connection is not silently dropped or rejected in the 'common' chain (shorewall show common). d) The connection isn't being dropped/rejected by some other Shorewall feature (blacklist, tcpflags, rfc1918, etc.) -Tom -- Tom Eastep\ Shorewall - iptables made easy Shoreline, \ http://shorewall.net Washington USA \ [EMAIL PROTECTED] --- This SF.net email is sponsored by: VM Ware With VMware you can run multiple operating systems on a single machine. WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the same time. Free trial click here: http://www.vmware.com/wl/offer/345/0 leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] Interesting Issue?
On Thu, 17 Jul 2003 10:59:20 +0800, David Pitts [EMAIL PROTECTED] wrote: or do I need to DNAT each port to the to the particular loc IP? If you are using masquerading then the answer is YES. Thanks for your thoughts. Doesn't anyone ever look at their logs? -Tom -- Tom Eastep\ Shorewall - iptables made easy Shoreline, \ http://shorewall.net Washington USA \ [EMAIL PROTECTED] --- This SF.net email is sponsored by: VM Ware With VMware you can run multiple operating systems on a single machine. WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the same time. Free trial click here: http://www.vmware.com/wl/offer/345/0 leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
RE: [leaf-user] Interesting Issue?
Tom, my logs are showing nothing. I take it from your comment that my logs should be showing blocked traffic on whatever port is being used? David Pitts -Original Message- From: Tom Eastep [mailto:[EMAIL PROTECTED] Sent: Thursday, 17 July 2003 11:14 AM To: David Pitts; [EMAIL PROTECTED] Subject: Re: [leaf-user] Interesting Issue? On Thu, 17 Jul 2003 10:59:20 +0800, David Pitts [EMAIL PROTECTED] wrote: or do I need to DNAT each port to the to the particular loc IP? If you are using masquerading then the answer is YES. Thanks for your thoughts. Doesn't anyone ever look at their logs? -Tom -- Tom Eastep\ Shorewall - iptables made easy Shoreline, \ http://shorewall.net Washington USA \ [EMAIL PROTECTED] --- This SF.net email is sponsored by: VM Ware With VMware you can run multiple operating systems on a single machine. WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the same time. Free trial click here: http://www.vmware.com/wl/offer/345/0 leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] Interesting Issue?
On Thu, 17 Jul 2003 11:27:23 +0800, David Pitts [EMAIL PROTECTED] wrote: Tom, my logs are showing nothing. I take it from your comment that my logs should be showing blocked traffic on whatever port is being used? Exactly -- if your logs aren't showing anything being blocked (and your logging is set up in the standard way and actually works) then adding all of the rules in the world won't change anything. -Tom -- Tom Eastep\ Shorewall - iptables made easy Shoreline, \ http://shorewall.net Washington USA \ [EMAIL PROTECTED] --- This SF.net email is sponsored by: VM Ware With VMware you can run multiple operating systems on a single machine. WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the same time. Free trial click here: http://www.vmware.com/wl/offer/345/0 leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] Interesting Issue?
At 10:59 AM 7/17/2003 +0800, David Pitts wrote: Hi guys. I have just fallen over an interesting (I think) issue with firewalls in general that I'm hoping you can give me some ideas about. I'm trying to access an online tax return service provided by the Australian Tax Office. They're using some sort of SSL protocol for security. They won't tell me what ports it requires open because they say that impacts on their security. You should think carefully before you trust sensitive information to a site that is run by someone who thinks he can keep secret the ports an active service uses. Put more bluntly, if someone really told you that, he or she is a jackass. I have found a list of SSL ports required for various protocols (ie ftp ssl, http ssl etc) but I'm not sure which protocols the Tax Office is using and there's no guarantee they've used standard ports anyway. How are you making the initial connection? If it is from a browser, the browser has to know what destination port to send to. Even sniffing the LAN will get you that much info ... SSL does not encrypt the IP and TCP headers (it cannot, since intermediaries need to read them to route the packets). Anyone have any ideas how to get a round this? If I booted my Bering as a router only (ie not firewall) would that help? I think I can select that option from the Network configuration file? It depends. If you currently use NAT for your LAN, then you need to run a firewall, not just a router ... NAT'ing is part of what a firewall does. About the only ways I can think of to sort this one out without cooperation from the other end are: 1. Bypass the Bering firewall entirely and connect your workstation directly to the Internet. You can assess the risks of this approach. 2. Check the logs on the Bering router to see what ports it is DENYing traffic to or from that involve connections to the Tax Office site (I assume they don't think they can keep their IP address secret too). You may have to increase Bering's logging to accomplish this. 3. Open -AND- port forward to your workstation any likely destination ports. 4. Complain to the Aussie equivalent of your Congressman. But before you muck with any of this, you might want to get a better understanding of this some sort of SSL protocol fuzziness. Opening and forwarding ports accomplishes nothing if your workstation does not have something listening on each of the ports, and people (even WIndows users) typically do not have a haphazard assortment of servers running just in case someone wants to run a bizarre and secretive security protocol. If that's not an option, I would like to have a play with allowing net to loc on all the ports I can find that look like they might have an SSL association. Do I just add an: ACCEPT net loc tcp 443 ACCEPT net loc tcp 990 etc or do I need to DNAT each port to the to the particular loc IP? Yes. In this context, DNAT is what I refer to above as port forwarding. But note my caveat above as well; I don't think doing all of this will actually help you. Whatever I do I wouldn't keep it as a permanent thing. If I were faced with this problem, I'd take #2 of my suggested approaches. I don't think #3 will actually work for you, and #1 requires more trust in government (and the Internet) than I have for *any* government (or system on the far side of my firewall). --- This SF.net email is sponsored by: VM Ware With VMware you can run multiple operating systems on a single machine. WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the same time. Free trial click here: http://www.vmware.com/wl/offer/345/0 leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
RE: [leaf-user] Interesting Issue?
Just a bit more. The connection is made from a client provided by the Tax Office. However, on their website they say that to use the software you must have a browser capable of 128 bit SSL installed, so its possible they're using the browser protocol (HTTP?) and port. I don't even know for sure that the thing will work through a NATted firewall at all. Does the lack of any relevant entries in my log (shorewall.log) mean that there is no relevant traffic being blocked? I do have some shorewall.log entries showing rejected connections. Should every rejected attempt to access any port be logged, unless there is a statement that specifically stops the logging? What I need to know is whether the lack of logs means there is no blocking or I'm not logging the right thing. Thanks. David Pitts -Original Message- From: Ray Olszewski [mailto:[EMAIL PROTECTED] Sent: Thursday, 17 July 2003 11:31 AM To: [EMAIL PROTECTED] Subject: Re: [leaf-user] Interesting Issue? At 10:59 AM 7/17/2003 +0800, David Pitts wrote: Hi guys. I have just fallen over an interesting (I think) issue with firewalls in general that I'm hoping you can give me some ideas about. I'm trying to access an online tax return service provided by the Australian Tax Office. They're using some sort of SSL protocol for security. They won't tell me what ports it requires open because they say that impacts on their security. You should think carefully before you trust sensitive information to a site that is run by someone who thinks he can keep secret the ports an active service uses. Put more bluntly, if someone really told you that, he or she is a jackass. I have found a list of SSL ports required for various protocols (ie ftp ssl, http ssl etc) but I'm not sure which protocols the Tax Office is using and there's no guarantee they've used standard ports anyway. How are you making the initial connection? If it is from a browser, the browser has to know what destination port to send to. Even sniffing the LAN will get you that much info ... SSL does not encrypt the IP and TCP headers (it cannot, since intermediaries need to read them to route the packets). Anyone have any ideas how to get a round this? If I booted my Bering as a router only (ie not firewall) would that help? I think I can select that option from the Network configuration file? It depends. If you currently use NAT for your LAN, then you need to run a firewall, not just a router ... NAT'ing is part of what a firewall does. About the only ways I can think of to sort this one out without cooperation from the other end are: 1. Bypass the Bering firewall entirely and connect your workstation directly to the Internet. You can assess the risks of this approach. 2. Check the logs on the Bering router to see what ports it is DENYing traffic to or from that involve connections to the Tax Office site (I assume they don't think they can keep their IP address secret too). You may have to increase Bering's logging to accomplish this. 3. Open -AND- port forward to your workstation any likely destination ports. 4. Complain to the Aussie equivalent of your Congressman. But before you muck with any of this, you might want to get a better understanding of this some sort of SSL protocol fuzziness. Opening and forwarding ports accomplishes nothing if your workstation does not have something listening on each of the ports, and people (even WIndows users) typically do not have a haphazard assortment of servers running just in case someone wants to run a bizarre and secretive security protocol. If that's not an option, I would like to have a play with allowing net to loc on all the ports I can find that look like they might have an SSL association. Do I just add an: ACCEPT net loc tcp 443 ACCEPT net loc tcp 990 etc or do I need to DNAT each port to the to the particular loc IP? Yes. In this context, DNAT is what I refer to above as port forwarding. But note my caveat above as well; I don't think doing all of this will actually help you. Whatever I do I wouldn't keep it as a permanent thing. If I were faced with this problem, I'd take #2 of my suggested approaches. I don't think #3 will actually work for you, and #1 requires more trust in government (and the Internet) than I have for *any* government (or system on the far side of my firewall). --- This SF.net email is sponsored by: VM Ware With VMware you can run multiple operating systems on a single machine. WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the same time. Free trial click here: http://www.vmware.com/wl/offer/345/0 leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html