Re: [newbie] Firewall for allowing ports selectively

2005-04-05 Thread Anne Wilson
On Tuesday 05 Apr 2005 01:11, Bryan Phinney wrote:

 So, when someone suggests that a Linux app be coded to provide the same
 false sense of security to users, when there are myriad choices of real
 firewalls as well as methods to lock the system down that are not trivially
 bypassed, some of us simply don't take the suggestion seriously.

I think what people really want is something like a dialogue box on any 
dial-out from an application that gives the option of

this session
always
never

so that they can block automatic dial outs but allow genuine ones.  So far 
many people have said that iptables rules should be used, but no-one has 
actually shown that it can be done - at least they hadn't up to last night.  
I haven't finished reading this morning.

Anne
-- 
Registered Linux User No.293302 (http://counter.li.org/)
Have you visited http://twiki.mdklinuxfaq.org yet?  Mandrake at all levels




Re: [newbie] Firewall for allowing ports selectively

2005-04-05 Thread Bryan Phinney
On Tuesday 05 April 2005 04:49, Anne Wilson wrote:
 On Tuesday 05 Apr 2005 01:11, Bryan Phinney wrote:
  So, when someone suggests that a Linux app be coded to provide the same
  false sense of security to users, when there are myriad choices of real
  firewalls as well as methods to lock the system down that are not
  trivially bypassed, some of us simply don't take the suggestion
  seriously.

 I think what people really want is something like a dialogue box on any
 dial-out from an application that gives the option of

 this session
 always
 never

 so that they can block automatic dial outs but allow genuine ones.  

An app that knows the difference between these two things?  That's not asking 
for much now, is it?  If I could build such a thing, nobody on this group 
could afford it, Cisco and the other router manufacturers would be in a 
bidding war to buy it for themselves.

 So far 
 many people have said that iptables rules should be used, but no-one has
 actually shown that it can be done - at least they hadn't up to last night.
 I haven't finished reading this morning.

This has really been covered previously, Anne.  If you, as a user, can 
allow/deny packets, then a rogue process that you installed on your machine 
can do the same thing for its own packets.  It need merely know HOW to do so.  
If you have a single personal firewall-like app for Linux, that problem is 
solved.  If you install such an app and count on it to protect you from 
insecure software, you are living in a fool's paradise.

Again, I don't have any problem with someone coding this, nor with running it, 
I simply don't see the point.  It is Windows dressing, nothing more.
-- 
Bryan Phinney



Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com
Join the Club : http://www.mandrakeclub.com



Re: [newbie] Firewall for allowing ports selectively

2005-04-05 Thread Anne Wilson
On Tuesday 05 Apr 2005 11:13, Bryan Phinney wrote:
 
  I think what people really want is something like a dialogue box on any
  dial-out from an application that gives the option of
 
  this session
  always
  never
 
  so that they can block automatic dial outs but allow genuine ones.

 An app that knows the difference between these two things?  That's not
 asking for much now, is it?  If I could build such a thing, nobody on this
 group could afford it, Cisco and the other router manufacturers would be in
 a bidding war to buy it for themselves.

No, a user that knows the difference.

 If you, as a user, can
 allow/deny packets, then a rogue process that you installed on your machine
 can do the same thing for its own packets.  It need merely know HOW to do
 so. 

That sounds a valid point, to me.

 If you have a single personal firewall-like app for Linux, that problem 
 is solved.  If you install such an app and count on it to protect you from
 insecure software, you are living in a fool's paradise.

 Again, I don't have any problem with someone coding this, nor with running
 it, I simply don't see the point.  It is Windows dressing, nothing more.

I don't think so.  I accept that it is not good control, but the alternative 
seems to be complete absence of control.  If an application needs to reach 
out to get data, as Acrobat Reader does, then it has to have that ability, 
and I see no reason why it could not equally well send out packets.  Perhaps 
that's because I don't understand firewalling deeply enough, but the 
discussions on both lists are not explaining the things we need to 
understand, like this point.

The problem is that security is a huge subject.  People who need to understand 
security for their business invest a great deal of time in learning it well, 
but for users that need only to protect themselves from a few things they see 
as threats while getting on with their real need there is no easy way to get 
an overview of the subject.  We don't need the same level of security, 
really, though obviously it would be nice, but this isn't utopia.  Frankly, 
the issue that started the discussion on Expert, that of Acrobat Reader being 
capable of telling an author who is reading his work, doesn't worry me 
personally.  I'm just concerned that we are being told to either invest the 
time that a professional would, or 'take a running jump' - not that you would 
be so rude :-)

Anne
-- 
Registered Linux User No.293302 (http://counter.li.org/)
Have you visited http://twiki.mdklinuxfaq.org yet?  Mandrake at all levels




Re: [newbie] Firewall for allowing ports selectively

2005-04-05 Thread Bryan Phinney
On Tuesday 05 April 2005 06:26, Anne Wilson wrote:

  An app that knows the difference between these two things?  That's not
  asking for much now, is it?  If I could build such a thing, nobody on
  this group could afford it, Cisco and the other router manufacturers
  would be in a bidding war to buy it for themselves.

 No, a user that knows the difference.

Should have been more clear here.  Two scenarios, first a user that has access 
which I covered below, second, an app that can do it at root level without 
user access which I was pointing out is quite a stretch.

  If you have a single personal firewall-like app for Linux, that problem
  is solved.  If you install such an app and count on it to protect you
  from insecure software, you are living in a fool's paradise.
 
  Again, I don't have any problem with someone coding this, nor with
  running it, I simply don't see the point.  It is Windows dressing,
  nothing more.

 I don't think so.  I accept that it is not good control, but the
 alternative seems to be complete absence of control.  If an application
 needs to reach out to get data, as Acrobat Reader does, then it has to have
 that ability, and I see no reason why it could not equally well send out
 packets.  Perhaps that's because I don't understand firewalling deeply
 enough, but the discussions on both lists are not explaining the things we
 need to understand, like this point.

Well, let's cover that really quickly.  If Acroread is only being used to 
access local data, it needs no Internet access at all.  Thus, you could 
firewall it off and still use it.  However, as I understand things, it 
integrates into a browser and may actually pull the pdf file itself.  
Assuming that is the functionality you want, there is an outgoing request to 
pull the data from the web, and then incoming packets that contain the pdf 
file.  You could probably block posts which is what is being suggested, but 
this implies an intimate knowledge of the workings of the app, knowing what 
to block versus accept.  Given the audience for this, I think that assumes 
entirely too much.

Also, if Acroread is really using embedded javascript/java for this type of 
thing, it is possible that someone can code the web bug such that 
communication is sent on a port other than port 80 and well above what would 
be considered a security area that fits within the first 1024 ports.  Again, 
this requires some type of intimate knowledge of what is being done and thus 
what needs to be blocked.

If you want local access to pdf's only, then use an OS pdf viewer.  

What is much more likely to happen is that Acroread will request access to 
pull the pdf, the user will click allow and then Acroread will yank the pdf 
and then try to send a web bug to the source and since it has already been 
given permission, it will send its data.  Another scenario is that the user 
will click Allow for get and then deny for second Post attempt in which case, 
perhaps the PDF will not display which will cause the user to click Allow for 
the second and the web bug goes out.

The only point that I can see that is possibly valid is the idea of having a 
firewall to block heretofore unknown requests from apps that should not need 
network access.  Things like the spyware and adware apps that are bundled 
with other apps.  However, again, I would point out that if you go around 
installing untrusted apps on your machine, I don't think that any personal 
firewall-like app is going to salvage your security.  You will be 
compromised.  Just as so many Windows users are compromised even though they 
have personal firewalls installed.

 The problem is that security is a huge subject.  People who need to
 understand security for their business invest a great deal of time in
 learning it well, but for users that need only to protect themselves from a
 few things they see as threats while getting on with their real need there
 is no easy way to get an overview of the subject.  We don't need the same
 level of security, really, though obviously it would be nice, but this
 isn't utopia.  

There are trade-offs to everything.  If you tighten things down too much, a 
platform becomes nearly unusable for certain things.  For instance, locking 
down a web server makes it an unsuitable platform for development, or 
building applications.  If you lock down your desktop to the level that it is 
impossible for any local app to communicate out, you are going to likely end 
up with either a nightmare administration scenario or an unusable desktop.  

I still truly feel that this discussion is misplaced.  Someone wants to run an 
app they don't trust and they want a second app to protect them from the 
first.  The premise is faulty, the real solution is to not run untrusted 
apps.

For example, Internet Explorer is a bad browser for a lot of reasons but one 
of which is that it allows ActiveX applications to run without user 
interaction or approval.  Acroread sounds 

Re: [newbie] Firewall for allowing ports selectively

2005-04-05 Thread Anne Wilson
On Tuesday 05 Apr 2005 11:57, Bryan Phinney wrote:

 Well, I did suggest that they pay someone to develop such an app as I
 didn't think that there would be a big Linux audience for it.  (The fact
 that there is not a current project for such a thing, to my knowledge,
 would tend to bear that out.)  However, I don't think that suggestion is so
 much rude as simply realistic.

Thank you, Bryan.  Your exposition of what actually happens, and would be 
likely to happen in a variety of situations is just what is needed to help us 
understand the issues.  Personally I'm not terribly worried by this, and I 
quite take the point that if it is really necessary for someone they can buy 
the expertise.  What I was really referring to was the constant RTFM in that 
thread, when, according to your exposition, that does not really address the 
issue.

As I said, thanks for making things much more clear.

Anne
-- 
Registered Linux User No.293302 (http://counter.li.org/)
Have you visited http://twiki.mdklinuxfaq.org yet?  Mandrake at all levels




Re: [newbie] Firewall for allowing ports selectively

2005-04-05 Thread jdow
From: Bryan Phinney [EMAIL PROTECTED]
 On Tuesday 05 April 2005 06:26, Anne Wilson wrote:

   An app that knows the difference between these two things?  That's not
   asking for much now, is it?  If I could build such a thing, nobody on
   this group could afford it, Cisco and the other router manufacturers
   would be in a bidding war to buy it for themselves.
 
  No, a user that knows the difference.

 Should have been more clear here.  Two scenarios, first a user that has access
 which I covered below, second, an app that can do it at root level without
 user access which I was pointing out is quite a stretch.

   If you have a single personal firewall-like app for Linux, that problem
   is solved.  If you install such an app and count on it to protect you
   from insecure software, you are living in a fool's paradise.
  
   Again, I don't have any problem with someone coding this, nor with
   running it, I simply don't see the point.  It is Windows dressing,
   nothing more.
 
  I don't think so.  I accept that it is not good control, but the
  alternative seems to be complete absence of control.  If an application
  needs to reach out to get data, as Acrobat Reader does, then it has to have
  that ability, and I see no reason why it could not equally well send out
  packets.  Perhaps that's because I don't understand firewalling deeply
  enough, but the discussions on both lists are not explaining the things we
  need to understand, like this point.

 Well, let's cover that really quickly.  If Acroread is only being used to
 access local data, it needs no Internet access at all.  Thus, you could
 firewall it off and still use it.  However, as I understand things, it
 integrates into a browser and may actually pull the pdf file itself.
 Assuming that is the functionality you want, there is an outgoing request to
 pull the data from the web, and then incoming packets that contain the pdf
 file.  You could probably block posts which is what is being suggested, but
 this implies an intimate knowledge of the workings of the app, knowing what
 to block versus accept.  Given the audience for this, I think that assumes
 entirely too much.

 Also, if Acroread is really using embedded javascript/java for this type of
 thing, it is possible that someone can code the web bug such that
 communication is sent on a port other than port 80 and well above what would
 be considered a security area that fits within the first 1024 ports.  Again,
 this requires some type of intimate knowledge of what is being done and thus
 what needs to be blocked.

So you simply block all ports for AcroRead. That's as easy as only
blocking port 80.


The cute problem is when you want to read a pdf file in your browser.
It is probably better to save the pdf file and only allow AcroRead to
access local files. So watch, the Acrobat people will include a little
app that AcroRead talks to and that little app accesses the net. It has
a different name so it can still communicate. You get into an arms race
quite literally.

It may be that the way to handle this is in the court of public opinion.
Spray this information around to all your friends. If they stop using
AcroRead and use other tools instead maybe Adobe will get the message.
(For that matter - why use AcroRead on Linux, anyway?)

{^_^}Joanne
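
The per-program rule asked for in the original question, and the "block all ports for AcroRead" case above, can be approximated with the iptables owner match. This is an added example, not code from any poster in the thread; it assumes the program is started under a dedicated group (hypothetical name `nonet`, constructed gid 1500) with `sg nonet -c acroread`.

```shell
#!/bin/sh
# Added example: per-program egress policy built on the iptables "owner" match.
# Assumptions (not from the thread):
#   - the program is launched under a dedicated group, e.g.
#         sg nonet -c acroread
#     ("nonet" is a hypothetical group name);
#   - the caller passes that group's numeric gid (1500 below is constructed).
# The owner match only sees locally generated packets, so the rules belong in
# the OUTPUT chain. This script only prints the commands; applying them needs root.

# valid_spec PROTO/PORT
# Succeeds when PROTO is tcp or udp and PORT is a decimal number in 1..65535.
valid_spec() {
    proto=${1%%/*}
    port=${1#*/}
    case $proto in
        tcp|udp) ;;
        *) return 1 ;;
    esac
    # Reject empty, leading-zero, non-numeric and over-long values before
    # handing the string to the numeric comparison.
    case $port in
        ''|0*|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# emit_rules GID [PROTO/PORT ...]
# Prints iptables commands that let processes in group GID reach only the
# listed destination ports and reject every other outbound packet from them.
# With no port list the group is cut off from the network entirely.
# Nothing is printed unless every argument validates.
emit_rules() {
    gid=$1
    case $gid in
        ''|*[!0-9]*)
            echo "emit_rules: numeric gid required" >&2
            return 2
            ;;
    esac
    shift
    for spec in "$@"; do
        if ! valid_spec "$spec"; then
            echo "emit_rules: bad spec '$spec' (want tcp/PORT or udp/PORT)" >&2
            return 2
        fi
    done
    # Allowed ports first: iptables evaluates rules in order, first match wins.
    for spec in "$@"; do
        echo "iptables -A OUTPUT -p ${spec%%/*} --dport ${spec#*/} -m owner --gid-owner $gid -j ACCEPT"
    done
    # Everything else from this group is refused; REJECT makes the program
    # fail immediately instead of hanging on a silently dropped packet.
    echo "iptables -A OUTPUT -m owner --gid-owner $gid -j REJECT"
}

# Demo with constructed values: allow HTTP plus DNS lookups, refuse the rest.
emit_rules 1500 tcp/80 udp/53
```

Apply the printed commands as root ahead of any general ACCEPT rule in OUTPUT. The match follows the credentials of the process that owns the socket, so it does not cover traffic the program hands to an already-running process in another group, which is the helper-app case described above.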







Re: [newbie] Firewall for allowing ports selectively

2005-04-05 Thread Anne Wilson
On Tuesday 05 Apr 2005 19:37, jdow wrote:

 So you simply block all ports for AcroRead. That's as easy as only
 blocking port 80.


 The cute problem is when you want to read a pdf file in your browser.
 It is probably better to save the pdf file and only allow AcroRead to
 access local files. 

I do tend to view the pdf in a browser first, then save it if it looks useful.

 So watch, the Acrobat people will include a little 
 app that AcroRead talks to and that little app accesses the net. It has
 a different name so it can still communicate. You get into an arms race
 quite literally.

 It may be that the way to handle this is in the court of public opinion.
 Spray this information around to all your friends. If they stop using
 AcroRead and use other tools instead maybe Adobe will get the message.
 (For that matter - why use AcroRead on Linux, anyway?)

In theory, I don't mind a bit if an author wants to know about his work being 
read.  The problem, of course, is in how it can be abused.

As to why use AcroRead - things may have improved lately, but I first installed 
AcroRead because it handled scaleable printing better - printing 2-up, or A4 
onto A5 paper.  Certainly at that time I couldn't do it in any other package.

Anne
-- 
Registered Linux User No.293302 (http://counter.li.org/)
Have you visited http://twiki.mdklinuxfaq.org yet?  Mandrake at all levels




Re: [newbie] Firewall for allowing ports selectively

2005-04-05 Thread frengoGorgia
On Tue, 2005-04-05 at 21:05, Anne Wilson wrote:
 On Tuesday 05 Apr 2005 19:37, jdow wrote:
 
  The cute problem is when you want to read a pdf file in your browser.
  It is probably better to save the pdf file and only allow AcroRead to
  access local files. 
 
 I do tend to view the pdf in a browser first, then save it if it looks useful.

Anne,
when you open a PDF embedded in a web page, your browser downloads it into its
cache, so you have a copy saved locally.
So it's the same thing to open the PDF or to save it and display it later.






Re: [newbie] Firewall for allowing ports selectively

2005-04-05 Thread jdow
From: frengoGorgia [EMAIL PROTECTED]

 On Tue, 2005-04-05 at 21:05, Anne Wilson wrote:
  On Tuesday 05 Apr 2005 19:37, jdow wrote:
  
   The cute problem is when you want to read a pdf file in your browser.
   It is probably better to save the pdf file and only allow AcroRead to
   access local files.
 
  I do tend to view the pdf in a browser first, then save it if it looks useful.

 Anne ,
 when you open a Pdf embed in a web page ,your browser download it in its
 cache so you have a copy  saved locally .
 So it's the same thing open the pdf or save it and display later

Are you sure it works that way, Frengo? There are indications that at
least one widely distributed (more's the shame) Web browser launches
AcroRead to reside in the browser window and passes it the file name
so that the file is downloaded by AcroRead.

{o.o}







Re: [newbie] Firewall for allowing ports selectively

2005-04-05 Thread frengoGorgia
On Wed, 2005-04-06 at 04:11, jdow wrote:
 From: frengoGorgia [EMAIL PROTECTED]
 
  On Tue, 2005-04-05 at 21:05, Anne Wilson wrote:
   On Tuesday 05 Apr 2005 19:37, jdow wrote:
   
    The cute problem is when you want to read a pdf file in your browser.
    It is probably better to save the pdf file and only allow AcroRead to
    access local files.
  
   I do tend to view the pdf in a browser first, then save it if it looks useful.
 
  Anne ,
  when you open a Pdf embed in a web page ,your browser download it in its
  cache so you have a copy  saved locally .
  So it's the same thing open the pdf or save it and display later
 
 Are you sure it works that way, Frengo? There are indications that at
 least one widely distributed (more's the shame) Web browser launches
 AcroRead to reside in the browser window and passes it the file name
 so that the file is downloaded by AcroRead.

8^)
You are correct, jdow.
I mean only that there is no difference between downloading the PDF file with
the browser plug-in and saving it manually with a right-click, and so the
user doesn't have a preview of the file that saves him from downloading the
complete file if the content of the file isn't what he is looking for.

The spyware behaviour of acro-reader could only be prevented by allowing it
to open only local files.

--
Regards,
Francesco






Re: [newbie] Firewall for allowing ports selectively

2005-04-04 Thread Angus Auld

- Original Message -
From: Angus Auld [EMAIL PROTECTED] 
 
 - Original Message -
 From: Paul Smith [EMAIL PROTECTED]
 To: newbie@linux-mandrake.com
 Subject: [newbie] Firewall for allowing ports selectively
 Date: Sun, 3 Apr 2005 16:15:01 +0100
 
 
  Dear All
 
  Is there some firewall (working through iptables) able to open
  selectively a port for a specific program and not to all programs
  installed? (Shorewall is not suitable for that purpose.)
 
  Thanks in advance,
 
  Paul
 
 **
 Paul, shorewall can do what you desire. Go to; mcc > security > 
 firewall, and click on the advanced radio button on the bottom. 
 That will open up an area where you can specify special ports to 
 open.
 HTH.
 Best regards.
 
 --Angus

*
I'm sorry Paul, I didn't read your post carefully enough. Shorewall doesn't 
have the facility to do as you require, just as you noted. :-)

Best regards.
 
--Angus

Let us not look back in anger or forward in fear, but around 
in awareness. -- James Thurber

***  
~Linux Laptop, Powered by Mandrake 10.1~
***
~Reg. Linux User #278931~
***





Re: [newbie] Firewall for allowing ports selectively

2005-04-04 Thread Paul Smith
On Apr 3, 2005 9:02 PM, Angus Auld [EMAIL PROTECTED] wrote:
  Is there some firewall (working through iptables) able to open
  selectively a port for a specific program and not to all programs
  installed? (Shorewall is not suitable for that purpose.)
 
 **
 Paul, shorewall can do what you desire. Go to; mcc > security > firewall, and 
 click on the advanced radio button on the bottom. That will open up an area 
 where you can specify special ports to open.

Unfortunately, Angus, it is not true:

http://shorewall.net/Shorewall_Doesnt.html

Regards,

Paul





RE: [newbie] Firewall for allowing ports selectively

2005-04-04 Thread Stephen Furlong


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 mandrake.com] On Behalf Of Angus Auld
 Sent: 04 April 2005 11:10
 To: newbie@linux-mandrake.com
 Subject: Re: [newbie] Firewall for allowing ports selectively
 
 
 - Original Message -
 From: Angus Auld [EMAIL PROTECTED]
 
  - Original Message -
  From: Paul Smith [EMAIL PROTECTED]
  To: newbie@linux-mandrake.com
  Subject: [newbie] Firewall for allowing ports selectively
  Date: Sun, 3 Apr 2005 16:15:01 +0100
 
  
   Dear All
  
   Is there some firewall (working through iptables) able to open
   selectively a port for a specific program and not to all programs
   installed? (Shorewall is not suitable for that purpose.)
  
   Thanks in advance,
  
   Paul
 
  **
  Paul, shorewall can do what you desire. Go to; mcc > security > 
  firewall, and click on the advanced radio button on the bottom.
  That will open up an area where you can specify special ports to
  open.
  HTH.
  Best regards.
 
  --Angus
 
 *
 I'm sorry Paul, I didn't read your post carefully enough. Shorewall
 doesn't have the facility to do as you require, just as you noted. :-)
 
 Best regards.
 
 --Angus
 


I do believe this is being discussed in some context in the expert list as
well? Might be worth joining to follow the thread.






Re: [newbie] Firewall for allowing ports selectively

2005-04-04 Thread Paul Smith
On Apr 4, 2005 11:01 PM, Stephen Furlong [EMAIL PROTECTED] wrote:
    Is there some firewall (working through iptables) able to open
    selectively a port for a specific program and not to all programs
    installed? (Shorewall is not suitable for that purpose.)
  
   **
   Paul, shorewall can do what you desire. Go to; mcc > security > 
   firewall, and click on the advanced radio button on the bottom.
   That will open up an area where you can specify special ports to
   open.
 
  *
  I'm sorry Paul, I didn't read your post carefully enough. Shorewall
  doesn't have the facility to do as you require, just as you noted. :-)

 I do believe this is being discussed in some context in the expert list as
 well? Might be worth joining to follow the thread.

Since nobody answered suggesting a firewall with that feature, it may
be very complicated to achieve that, in case of being possible.

Paul





Re: [newbie] Firewall for allowing ports selectively

2005-04-04 Thread Bryan Phinney
On Monday 04 April 2005 18:32, Paul Smith wrote:

  I do believe this is being discussed in some context in the expert list as
  well? Might be worth joining to follow the thread.

 Since nobody answered suggesting a firewall with that feature, it may
 be very complicated to achieve that, in case of being possible.

I certainly think that it is possible, just not useful.  There have been 
myriad conversations on this and other lists pointing out that personal 
firewall apps on Windows are simply panaceas that give windows users the 
illusion of security while actually not providing much of anything useful. 

So, when someone suggests that a Linux app be coded to provide the same false 
sense of security to users, when there are myriad choices of real firewalls 
as well as methods to lock the system down that are not trivially bypassed, 
some of us simply don't take the suggestion seriously.

Certainly, it would be possible to set up a gui that provides interactive user 
level functions in iptables, but you would have to run as administrator, 
which is something that is far worse than what you would seek to protect 
yourself from in doing so.  

-- 
Bryan Phinney






[newbie] Firewall for allowing ports selectively

2005-04-03 Thread Paul Smith
Dear All

Is there some firewall (working through iptables) able to open
selectively a port for a specific program and not to all programs
installed? (Shorewall is not suitable for that purpose.)

Thanks in advance,

Paul





Re: [newbie] Firewall for allowing ports selectively

2005-04-03 Thread Angus Auld

- Original Message -
From: Paul Smith [EMAIL PROTECTED]
To: newbie@linux-mandrake.com
Subject: [newbie] Firewall for allowing ports selectively
Date: Sun, 3 Apr 2005 16:15:01 +0100

 
 Dear All
 
 Is there some firewall (working through iptables) able to open
 selectively a port for a specific program and not to all programs
 installed? (Shorewall is not suitable for that purpose.)
 
 Thanks in advance,
 
 Paul

**
Paul, shorewall can do what you desire. Go to; mcc > security > firewall, and 
click on the advanced radio button on the bottom. That will open up an area 
where you can specify special ports to open.
HTH.
Best regards.

--Angus

Let us not look back in anger or forward in fear, but around 
in awareness. -- James Thurber

***  
~Linux Laptop, Powered by Mandrake 10.1~
***
~Reg. Linux User #278931~
***





Re: [newbie] firewall

2005-01-07 Thread John Wilson
On January 6, 2005 08:53 am, Ronald J. Hall wrote:
 On Wednesday 05 January 2005 11:34 pm, Miark wrote:
  On Sun, 2 Jan 2005 16:03:10 -0800, John wrote:
   I wish I could say that Mr Eastep was either helpful or nice.  I've
   actually found him quite the arrogant, insulting boor.  Particularly
   when he knows you use Mandrake.
  
   Oh well, perhaps it's just me :)
 
  You just have that effect on people YOU ASSHOLE!
 
  ;-)
 
  Miark

 I'm subscribed to the Shorewall list and found Tom E. to be very helpful.
 He helped me, even though he knew I was using Mandrake. He did make the
 comment that Mandrake did a few things in a non-standard way. He is very
 direct, but he didn't insult me. As with so many things Linux, he does
 expect a person to read all the FAQs and docs, *before* posting a question.
 Just my experience.

Ahhh, so it is me then :)

Either that or I caught us both on a bad day.  I'll try again. :)

ttfn

John
-- 
***
Composed on a 100% Microsoft Free Computer
Guaranteed Virus Free
Mandrake Linux 10.0 OE
Registered Linux User 362316
***





Re: [newbie] firewall

2005-01-06 Thread Ronald J. Hall
On Wednesday 05 January 2005 11:34 pm, Miark wrote:
 On Sun, 2 Jan 2005 16:03:10 -0800, John wrote:
  I wish I could say that Mr Eastep was either helpful or nice.  I've
  actually found him quite the arrogant, insulting boor.  Particularly when
  he knows you use Mandrake.
 
  Oh well, perhaps it's just me :)

 You just have that effect on people YOU ASSHOLE!

 ;-)

 Miark

I'm subscribed to the Shorewall list and found Tom E. to be very helpful. He 
helped me, even though he knew I was using Mandrake. He did make the comment 
that Mandrake did a few things in a non-standard way. He is very direct, but 
he didn't insult me. As with so many things Linux, he does expect a person to 
read all the FAQs and docs, *before* posting a question. Just my experience.

-- 
 
  /\ 
 Dark  Lord
  \/  






Re: [newbie] firewall

2005-01-05 Thread Miark
On Sun, 2 Jan 2005 16:03:10 -0800, John wrote:

 I wish I could say that Mr Eastep was either helpful or nice.  I've actually 
 found him quite the arrogant, insulting boor.  Particularly when he knows you 
 use Mandrake.
 
 Oh well, perhaps it's just me :)

You just have that effect on people YOU ASSHOLE!

;-)

Miark





Re: [newbie] firewall

2005-01-02 Thread John Wilson
On December 29, 2004 04:09 pm, Fajar Priyanto wrote:
snip
 Yes shorewall is a good one. I appreciate Mandrake includes it. A little
 confusing at first, but once we read the tutorial, it's not that hard to
 setup. And Tom Eastep - the writer - is very active in the shorewall list.
 However, don't be offended by his sharp words though (especially when he
 knows we use mandrake) :) He's actually a very nice person, really :) His
 sharp words come because he's also a good writer on the documentation, so
 our problem regarding shorewall mostly has been covered in it.

I wish I could say that Mr Eastep was either helpful or nice.  I've actually 
found him quite the arrogant, insulting boor.  Particularly when he knows you 
use Mandrake.

Oh well, perhaps it's just me :)

ttfn

John
-- 
***
Composed on a 100% Microsoft Free Computer
Guaranteed Virus Free
Mandrake Linux 10.0 OE
Registered Linux User 362316
***





Re: [newbie] firewall

2004-12-30 Thread Randall D. Hobbs
On Thursday 30 December 2004 02:31 pm, neo wrote:
 could someone tell me a good firewall for mandrake 10.1 thank you

I've been using Firehol (http://firehol.sourceforge.net/) successfully for 
about a year now (on half a dozen Linux machines - some being servers, some 
being just desktop units, and then my home PC as well). There's no GUI, etc., 
but it is VERY thorough. It takes one single configuration file, and you can 
actually do advanced stuff with your firewall (for instance, one of our 
machines has dual nic cards due to the fact it sits on the internal network 
AND the external network - I use the same configuration file for 4 servers, 
and it has a section for eth1 which is only executed IF there is an eth1 - 
which would be on that one particular server. This way I have scripts that 
grab the firewall off of the main server when it's changed, and then it 
restarts Firehol, so we do not have to go in and manually copy the firewall 
files and restart Firehol, etc.). There are numerous example configuration 
files, which actually make things look harder than what they have to be, but 
is also a good way to see what it's capable of.

You can also use things like iptables tarpit with it too. The possibilities 
are endless - but you can have the firewall up and running within 10 minutes of 
installing it - and if you've created firewalls with it before, then you can 
have one on a new machine within a minute or so.

-- 
Take care,
Randall Hobbs
Programmer - System Administrator - Acquire Technology, LLC
Web Hosting * Programming * Software
http://www.chipcastle.com





[newbie] firewall

2004-12-29 Thread neo
Could someone tell me a good firewall for Mandrake 10.1? Thank you.





Re: [newbie] firewall

2004-12-29 Thread obu
On Thu, 30 Dec 2004 15:31:07 -0500, neo [EMAIL PROTECTED] wrote:
could someone tell me a good firewall for mandrake 10.1 thank you

iptables. Try it with firestarter (http://www.fs-security.com/).
--
Is that a 286 or are you just running Windows?




Re: [newbie] firewall

2004-12-29 Thread Dan Gordon
On Thursday 30 December 2004 03:31 pm, neo wrote:
 could someone tell me a good firewall for mandrake 10.1 thank you

For a basic setup which in my opinion is very good, install iptables and 
shorewall.  This will get you started.  I use iptables and firestarter 
which can be found here.  www.fs-security.com/
The thing to keep in mind is,  iptables is what makes the rules and 
shorewall or firestarter is just a front end to help you more easily 
create the rules.
There are others on this list that are far more familiar with iptables 
and shorewall than I.

Regards,
Dan Gordon
-- 
Wed Dec 29 15:53:55 EST 2004
 15:53:55 up  1:04,  1 user,  load average: 0.09, 0.08, 0.04
I know it all.  I just can't remember it all at once.





[newbie] firewall

2004-12-29 Thread neo




Thank you for the information. I will look into it.

On Thursday 30 December 2004 03:31 pm, neo wrote:


   could someone tell me a good firewall for mandrake 10.1 thank you
  


For a basic setup which in my opinion is very good, install iptables and 
shorewall.  This will get you started.  I use iptables and firestarter 
which can be found here.  www.fs-security.com/
The thing to keep in mind is,  iptables is what makes the rules and 
shorewall or firestarter is just a front end to help you more easily 
create the rules.
There are others on this list that are far more familiar with iptables 
and shorewall than I.

Regards,
Dan Gordon
-- 
Wed Dec 29 15:53:55 EST 2004
 15:53:55 up  1:04,  1 user,  load average: 0.09, 0.08, 0.04
I know it all.  I just can't remember it all at





Re: [newbie] firewall

2004-12-29 Thread Fajar Priyanto
On Thursday 30 December 2004 04:03 am, Dan Gordon wrote:
 On Thursday 30 December 2004 03:31 pm, neo wrote:
  could someone tell me a good firewall for mandrake 10.1 thank you

 For a basic setup which in my opinion is very good, install iptables and
 shorewall.  This will get you started.  I use iptables and firestarter
 which can be found here.  www.fs-security.com/
 The thing to keep in mind is,  iptables is what makes the rules and
 shorewall or firestarter is just a front end to help you more easily
 create the rules.
 There are others on this list that are far more familiar with iptables
 and shorewall than I.

 Regards,
 Dan Gordon

Yes shorewall is a good one. I appreciate Mandrake includes it. A little 
confusing at first, but once we read the tutorial, it's not that hard to 
setup. And Tom Eastep - the writer - is very active in the shorewall list. 
However, don't be offended by his sharp words though (especially when he 
knows we use mandrake) :) He's actually a very nice person, really :) His 
sharp words come because he's also a good writer on the documentation, so our 
problem regarding shorewall mostly has been covered in it.

-- 
Fajar Priyanto | Reg'd Linux User #327841 | http://linux2.arinet.org
07:05:32 up 25 min, Mandrakelinux release 10.1 (Official) for i586 
public key: https://www.arinet.org/fajar-pub.key





[newbie] firewall

2004-12-29 Thread neo




Thank you for all the information. I am reading it as I write this e-mail. It looks like a really good program for a firewall. I'm glad to be a part of this group. All of you have been very helpful to me. Thank you once again for the help and your advice.


On Thursday 30 December 2004 04:03 am, Dan Gordon wrote:


   On Thursday 30 December 2004 03:31 pm, neo wrote:
  
  
  could someone tell me a good firewall for mandrake 10.1 thank you

  
  
 For a basic setup which in my opinion is very good, install iptables and
 shorewall.  This will get you started.  I use iptables and firestarter
 which can be found here.  www.fs-security.com/
 The thing to keep in mind is,  iptables is what makes the rules and
 shorewall or firestarter is just a front end to help you more easily
 create the rules.
 There are others on this list that are far more familiar with iptables
 and shorewall than I.

 Regards,
 Dan Gordon
  


Yes shorewall is a good one. I appreciate Mandrake includes it. A little 
confusing at first, but once we read the tutorial, it's not that hard to 
setup. And Tom Eastep - the writer - is very active in the shorewall list. 
However, don't be offended by his sharp words though (especially when he 
knows we use mandrake)  :)  He's actually a very nice person, really  :)  His 
sharp words come because he's also a good writer on the documentation, so our 
problem regarding shorewall mostly has been covered in it.

-- 




Re: [newbie] firewall

2004-12-29 Thread Noel McG.




Hello,

You could also consider http://www.ipcop.org/. This will 
stop just about anything.

Good luck. N.

  - Original Message -
  From: neo
  To: newbie@linux-mandrake.com
  Sent: Friday, December 31, 2004 12:31 AM
  Subject: [newbie] firewall
  Thank you for all the information. I am reading it as I write this e-mail. It looks like a really good program for a firewall. I'm glad to be a part of this group. All of you have been very helpful to me. Thank you once again for the help and your advice.


On Thursday 30 December 2004 04:03 am, Dan Gordon wrote:

   On Thursday 30 December 2004 03:31 pm, neo wrote:
  
  could someone tell me a good firewall for mandrake 10.1 thank you

 For a basic setup which in my opinion is very good, install iptables and
 shorewall.  This will get you started.  I use iptables and firestarter
 which can be found here.  www.fs-security.com/
 The thing to keep in mind is,  iptables is what makes the rules and
 shorewall or firestarter is just a front end to help you more easily
 create the rules.
 There are others on this list that are far more familiar with iptables
 and shorewall than I.

 Regards,
 Dan Gordon
  
Yes shorewall is a good one. I appreciate Mandrake includes it. A little 
confusing at first, but once we read the tutorial, it's not that hard to 
setup. And Tom Eastep - the writer - is very active in the shorewall list. 
However, don't be offended by his sharp words though (especially when he 
knows we use mandrake)  :)  He's actually a very nice person, really  :)  His 
sharp words come because he's also a good writer on the documentation, so our 
problem regarding shorewall mostly has been covered in it.

-- 


Re: [newbie] Firewall

2004-11-27 Thread Jay Warwick
On Sat, 2004-11-27 at 01:25, Derek Jennings wrote:
 On Friday 26 November 2004 15:16, Jay Warwick wrote:
  Yep, nothing related to the firewall left in updates.
 
  jay
 
  On Fri, 2004-11-26 at 22:50, Derek Jennings wrote:
   On Friday 26 November 2004 14:12, Jay Warwick wrote:
How do I get the firewall to accept my changes in 10.0?
   
Every time I change the settings they revert back to the previous
settings when I check.
   
I have tried logging out and back-in after the changes and even
rebooting.
   
Thanks
   
Jay
  
   Have you done your updates?
  
   derek
 
 So you have updated drakxtools to drakxtools-10-34.3.100mdk  I thought that 
 update fixed that bug.
 
 In any case you can administer your firewall easily using webmin. Install the 
 webmin package and navigate to
 https://localhost:1
 The webmin firewall GUI is better than the Mandrake one.
 Both the webmin GUI and the Mandrake GUI control the same firewall 
 (shorewall) 
 If you prefer you can edit the shorewall files directly by hand. Look 
 in /etc/shorewall/rules and you will see detailed instructions.
 
 derek

Thanks Derek, 

I did have drakxtools-10-34.3.100mdk installed, but am now using webmin.

Should know soon whether this saves my firewall configurations.

Jay






[newbie] Firewall

2004-11-26 Thread Jay Warwick
How do I get the firewall to accept my changes in 10.0?

Every time I change the settings they revert back to the previous
settings when I check.

I have tried logging out and back-in after the changes and even
rebooting.

Thanks

Jay






Re: [newbie] Firewall

2004-11-26 Thread Derek Jennings
On Friday 26 November 2004 14:12, Jay Warwick wrote:
 How do I get the firewall to accept my changes in 10.0?

 Every time I change the settings they revert back to the previous
 settings when I check.

 I have tried logging out and back-in after the changes and even
 rebooting.

 Thanks

 Jay
Have you done your updates?

derek

-- 
www.jennings.homelinux.net
http://twiki.mdklinuxfaq.org





Re: [newbie] Firewall

2004-11-26 Thread Jay Warwick
Yep, nothing related to the firewall left in updates.

jay

On Fri, 2004-11-26 at 22:50, Derek Jennings wrote:
 On Friday 26 November 2004 14:12, Jay Warwick wrote:
  How do I get the firewall to accept my changes in 10.0?
 
  Every time I change the settings they revert back to the previous
  settings when I check.
 
  I have tried logging out and back-in after the changes and even
  rebooting.
 
  Thanks
 
  Jay
 Have you done your updates?
 
 derek






Re: [newbie] Firewall

2004-11-26 Thread Derek Jennings
On Friday 26 November 2004 15:16, Jay Warwick wrote:
 Yep, nothing related to the firewall left in updates.

 jay

 On Fri, 2004-11-26 at 22:50, Derek Jennings wrote:
  On Friday 26 November 2004 14:12, Jay Warwick wrote:
   How do I get the firewall to accept my changes in 10.0?
  
   Every time I change the settings they revert back to the previous
   settings when I check.
  
   I have tried logging out and back-in after the changes and even
   rebooting.
  
   Thanks
  
   Jay
 
  Have you done your updates?
 
  derek

So you have updated drakxtools to drakxtools-10-34.3.100mdk. I thought that 
update fixed that bug.

In any case you can administer your firewall easily using webmin. Install the 
webmin package and navigate to
https://localhost:1
The webmin firewall GUI is better than the Mandrake one.
Both the webmin GUI and the Mandrake GUI control the same firewall (shorewall).
If you prefer you can edit the shorewall files directly by hand. Look 
in /etc/shorewall/rules and you will see detailed instructions.

derek
-- 
www.jennings.homelinux.net
http://twiki.mdklinuxfaq.org





Re: [newbie] Firewall Admin? - wandering on to proFTP and ssh

2004-11-08 Thread Eric Scott
On Monday 08 November 2004 00:55, Fajar Priyanto wrote:
 On Saturday 06 November 2004 03:34 am, Eric Scott wrote:
  Hold up. Reinstalling proftpd got me a default that worked...
  supposedly... but then why does it say 220 (vsFTPd 2.0.1) when I ftp
  into my domain. lol. Gee wizzle this is getting confusing. Here I
  thought I was dealing with proFTP, and now there's vsFTP... which I
  didn't even remember I installed. Anyway; since it's already running...
  where's the vsFTPd config file? lol.
  Sigma

 It should be in /etc/vsftpd.conf

 However, back to proftpd. On default installation (without any config to
 edit), you should be able to connect to your FTP server, using your system
 username and password.

Well I got proFTPd working.  Somehow (Don't ask me how) I got vsFTPd installed 
earlier from source with the config file someplace else. I couldn't find it 
in etc or anywhere.  But yeah, I disabled vsFTPd and now proFTPd works fine.
   Thanx,
ES
-- 
Registered Linux user #366862

Not that you care, but this message was sent from a 750MHz Athlon system 
running SuSE Linux 9.1 (Kernel 2.6.5) and KMail 1.62.  I also run Red Hat 
Linux 8.0 (Kernel 2.4.18), Debian GNU/Linux 3.0 (Kernel 2.2.20), Mandrake 
Linux 9.2 (Kernel 2.4.22), and YellowDog Linux 3.0 (Kernel 2.4.20) on various 
systems and architectures for various reasons.  Yeah, and there's an old Mac 
OS in there somewhere that I use as a bootloader for Linux, and a Windows XP 
box used as a router for my Linux-based network, but they don't count, 'cuz 
they aren't real OS's.  Who me? Biased? Nah!






Re: [newbie] Firewall Admin? - wandering on to proFTP and ssh

2004-11-07 Thread Fajar Priyanto
On Saturday 06 November 2004 03:34 am, Eric Scott wrote:
 Hold up.  Reinstalling proftpd got me a default that worked...
 supposedly... but then why does it say 220 (vsFTPd 2.0.1) when I ftp into
 my domain. lol. Gee wizzle this is getting confusing.  Here I thought I was
 dealing with proFTP, and now there's vsFTP... which I didn't even remember
 I installed. Anyway; since it's already running... where's the vsFTPd
 config file? lol.
  Sigma

It should be in /etc/vsftpd.conf

However, back to proftpd. On default installation (without any config to 
edit), you should be able to connect to your FTP server, using your system 
username and password.

-- 
Fajar Priyanto | Reg'd Linux User #327841 | http://linux2.arinet.org
13:53:39 up 6:15, Mandrakelinux release 10.1 (Community) for i586 
public key: https://www.arinet.org/fajar-pub.key





[newbie] Firewall Admin?

2004-11-05 Thread Eric Scott
Yo.  In risk of showing my ignorance; how do I configure my firewall on 
Mandrake 9.2?  I need to make sure the FTP port is open.  (FTP's not 
working... and by golly if there's a firewall on it it wouldn't work then, 
would it?)  Anyway, I know nothing of firewalls and need some basics.
          Thanx,
                SigmaChi
-- 
Registered Linux user #366862

Not that you care, but this message was sent from a 750MHz Athlon system 
running SuSE Linux 9.1 (Kernel 2.6.4) and KMail 1.62.  I also run Red Hat 
Linux 8.0 (Kernel 2.4.18), Debian GNU/Linux 3.0 (Kernel 2.2.20), Mandrake 
Linux 9.2 (Kernel 2.4.22), and YellowDog Linux 3.0 (Kernel 2.4.20) on various 
systems and architectures for various reasons.  Yeah, and there's an old Mac 
OS in there somewhere that I use as a bootloader for Linux, and a Windows XP 
box used as a router for my Linux-based network, but they don't count, 'cuz 
they aren't real OS's.  Who me? Biased? Nah!






Re: [newbie] Firewall Admin?

2004-11-05 Thread Derek Jennings
On Friday 05 November 2004 16:47, Eric Scott wrote:
 Yo.  In risk of showing my ignorance; how to I configure my firewall on
 Mandrake 9.2?  I need to make sure the FTP port is open.  (FTP's not
 working... and by golly if there's a firewall on it it wouldn't work then,
 would it?)  Anyway, I know nothing of firewalls and need some basics.
           Thanx,
                 SigmaChi

Menu > System > Configure > Configure Your Computer > Security > Firewall
Tick the box for FTP server

Or if you want to learn about how the firewall works in depth, read the files 
in /etc/shorewall and visit www.shorewall.net

derek
-- 
www.jennings.homelinux.net
http://twiki.mdklinuxfaq.org





Re: [newbie] Firewall Admin?

2004-11-05 Thread Eric Scott
 On Friday 05 November 2004 16:47, Eric Scott wrote:
  Yo. In risk of showing my ignorance; how to I configure my firewall on
  Mandrake 9.2? I need to make sure the FTP port is open. (FTP's not
  working... and by golly if there's a firewall on it it wouldn't work
  then, would it?) Anyway, I know nothing of firewalls and need some
  basics. Thanx,
  SigmaChi

 Menu > System > Configure > Configure Your Computer > Security > Firewall
 Tick the box for FTP server

 Or if you want to learn about how the firewall works in depth, read the
 files in /etc/shorewall and visit www.shorewall.net

 derek

Lol, I should have at least checked the control center before I posted. But 
anyway, my firewall is totally off. ProFTPD seems to be running smoothly... 
but not letting me access. Allow me to quote my previous post:

<quote>
Yo people. I've got a Mandrake Linux 9.2 server running ProFTP v1.28. I 
thought I had it all set up to run with anonymous FTP access (Using a 
sample /etc/proftpd.config from proftpd.org for now), and starting through 
xinetd... but apparently it isn't set up right, or at least it's not wanting 
to be just jiggy with me. Here's my setup and what happens when I try to 
access the ftp site:
<details>
My config file is a standard example (temporarily) that can be found at 
http://proftpd.org/docs/configs/anonymous.conf

After copying the above file in to /etc/proftpd.conf, I restarted xinetd. (I 
know next to nothing about xinetd or how to run proftpd under it, but for 
what it's worth, there's a 'proftpd-xinetd' file in /etc/xinetd.d/)

Here's what gets my relatively-novice Linux mind boggled. Something seems to 
be running, but I only sorta get an ftp connection when the client connects:

At this point 'netstat -a | grep ftp' gives:
tcp        0      0 *:ftp                   *:*                     LISTEN

Seems chipper, from what I can gather from the limited proftpd howtos I've 
found. When I start to connect with a client and do netstat I get (domains 
are aliased):
tcp        0      0 [MyDomain]:ftp [ClientDomain] ESTABLISHED

The client says Connected to [MyDomain] ([MyIP])

A few seconds later it goes:

421 Service not available, remote server has closed connection

</details>
Now this is probably way too much of the wrong info needed to solve my 
problem, which I suspect is relatively simple. I'm obviously new to FTP and 
fairly new to Linux; but I need this FTP server up and (eventually) 
configured to my requirements. 
 any help?
</quote>

I'm starting to get pretty frustrated with this. Couldn't I just skip the 
newbie part and know everything? I'll probably show up this weekend asking 
how to get a POP3 server up, so if you have any pre-emptive tips fire away.
Thanx,
ES
-- 
Registered Linux user #366862

Not that you care, but this message was sent from a 750MHz Athlon system 
running SuSE Linux 9.1 (Kernel 2.6.4) and KMail 1.62. I also run Red Hat 
Linux 8.0 (Kernel 2.4.18), Debian GNU/Linux 3.0 (Kernel 2.2.20), Mandrake 
Linux 9.2 (Kernel 2.4.22), and YellowDog Linux 3.0 (Kernel 2.4.20) on various 
systems and architectures for various reasons. Yeah, and there's an old Mac 
OS in there somewhere that I use as a bootloader for Linux, and a Windows XP 
box used as a router for my Linux-based network, but they don't count, 'cuz 
they aren't real OS's. Who me? Biased? Nah!





Re: [newbie] Firewall Admin?

2004-11-05 Thread Mikkel L. Ellertson
Eric Scott wrote:
On Friday 05 November 2004 16:47, Eric Scott wrote:
Yo.  In risk of showing my ignorance; how to I configure my firewall on
Mandrake 9.2?  I need to make sure the FTP port is open.  (FTP's not
working... and by golly if there's a firewall on it it wouldn't work
then, would it?)  Anyway, I know nothing of firewalls and need some
basics. Thanx,
   SigmaChi
Menu > System > Configure > Configure Your Computer > Security > Firewall
Tick the box for FTP server
Or if you want to learn about how the firewall works in depth, read the
files in /etc/shorewall and visit www.shorewall.net
derek

Lol, I should of at least checked the control center before I posted. But 
anyway, my firewall is totally off.  ProFTPD seems to be running smoothly... 
but not letting me access.  Allow me to quote my previous post:

quote
Yo people.  I've got a Mandrake Linux 9.2 server running ProFTP v1.28.  I 
thought I had it all set up to run with anonymous FTP access (Using a 
sample /etc/proftpd.config from proftpd.org for now), and starting through 
xinetd... but apparently it isn't set up right, or at least it's not wanting 
to be just jiggy with me.  Here's my setup and what happens when I try to 
access the ftp site:
details
My config file is a standard example (temporaraly) that can be found at 
http://proftpd.org/docs/configs/anonymous.conf

After copying the above file in to /etc/proftpd.conf, I restarted xinetd. (I 
know next to nothing about xinetd or how to run proftpd under it, but for 
what it's worth, there's a 'proftpd-xinetd' file in /etc/xinetd.d/)

Here's what gets my relatively-novice Linux mind boggled.  Something seems to 
be running, but I only sorta get an ftp connection when the client connects:

At this point 'netstat -a | grep ftp' gives:
tcp0  0 *:ftp   *:* LISTEN
Seems chipper, from what I can gather from the limited proftpd howtos I've 
found.  When I start to connect with a client and do netstat I get (domains 
are aliased):
tcp0  0 [MyDomain]:ftp [ClientDomain] ESTABLISHED

The client says Connected to [MyDomain] ([MyIP])
A few seconds later it goes:
421 Service not available, remote server has closed connection
/details
Now this is probably way too much of the wrong info needed to solve my 
problem, which I suspect is relatively simple.  I'm obviously new to FTP and 
fairly new to Linux; but I need this FTP server up and (eventually) 
configured to my requirements.  
   any help?
/quote

I'm starting to get pretty frustrated with this.  Couldn't I just skip the 
newbie part and know everything?  I'll probably show up this weekend asking 
how to get a POP3 server up, so if you have any pre-emptive tips fire away.
 Thanx,
ES
Check your log files - the messages generated when you try to connect 
should be helpful.  It may be that xinetd is listening because of the 
proftpd-xinetd file. If so, and the path to proftpd is wrong, you will 
get this kind of response.  You will also get it if proftpd is not 
configured properly.

You could also be running into a problem because of /etc/hosts.allow and 
/etc/hosts.deny.  A lot of daemons check these files to see if the 
system trying to connect is allowed to use the service. Everything run 
through xinetd is subject to these rules. But the error message doesn't 
really indicate this problem.

In any case, it is not a firewall problem right now, because you do 
connect, but the connection is dropped afterwards.

Mikkel
--
Do not meddle in the affairs of dragons,
 for you are crunchy and taste good with ketchup.




Re: [newbie] Firewall Admin?

2004-11-05 Thread Eric Scott
On Friday 05 November 2004 11:52, Mikkel L. Ellertson wrote:
 Eric Scott wrote:
 On Friday 05 November 2004 16:47, Eric Scott wrote:
 Yo.  In risk of showing my ignorance; how to I configure my firewall on
 Mandrake 9.2?  I need to make sure the FTP port is open.  (FTP's not
 working... and by golly if there's a firewall on it it wouldn't work
 then, would it?)  Anyway, I know nothing of firewalls and need some
 basics. Thanx,
 SigmaChi
 
 Menu > System > Configure > Configure Your Computer > Security > Firewall
 Tick the box for FTP server
 
 Or if you want to learn about how the firewall works in depth, read the
 files in /etc/shorewall and visit www.shorewall.net
 
 derek
 
  Lol, I should of at least checked the control center before I posted. But
  anyway, my firewall is totally off.  ProFTPD seems to be running
  smoothly... but not letting me access.  Allow me to quote my previous
  post:
 
  quote
  Yo people.  I've got a Mandrake Linux 9.2 server running ProFTP v1.28.  I
  thought I had it all set up to run with anonymous FTP access (Using a
  sample /etc/proftpd.config from proftpd.org for now), and starting
  through xinetd... but apparently it isn't set up right, or at least it's
  not wanting to be just jiggy with me.  Here's my setup and what happens
  when I try to access the ftp site:
  details
  My config file is a standard example (temporaraly) that can be found at
  http://proftpd.org/docs/configs/anonymous.conf
 
  After copying the above file in to /etc/proftpd.conf, I restarted xinetd.
  (I know next to nothing about xinetd or how to run proftpd under it, but
  for what it's worth, there's a 'proftpd-xinetd' file in /etc/xinetd.d/)
 
  Here's what gets my relatively-novice Linux mind boggled.  Something
  seems to be running, but I only sorta get an ftp connection when the
  client connects:
 
  At this point 'netstat -a | grep ftp' gives:
  tcp0  0 *:ftp   *:*
  LISTEN
 
  Seems chipper, from what I can gather from the limited proftpd howtos
  I've found.  When I start to connect with a client and do netstat I get
  (domains are aliased):
  tcp0  0 [MyDomain]:ftp [ClientDomain] ESTABLISHED
 
  The client says Connected to [MyDomain] ([MyIP])
 
  A few seconds later it goes:
 
  421 Service not available, remote server has closed connection
 
  /details
  Now this is probably way too much of the wrong info needed to
  solve my problem, which I suspect is relatively simple.  I'm obviously
  new to FTP and fairly new to Linux; but I need this FTP server up and
  (eventually) configured to my requirements.
 any help?
  /quote
 
  I'm starting to get pretty frustrated with this.  Couldn't I just skip
  the newbie part and know everything?  I'll probably show up this weekend
  asking how to get a POP3 server up, so if you have any pre-emptive tips
  fire away. Thanx,
  ES

 Check your log files - the messages generated when you try to connect
 should be helpful.  It may be that xinetd is listening because of the
 proftpd-xinetd file. If so, and the path to proftpd is wrong, you will
 get this kind of response.  You will also get it if proftpd is not
 configured properly.

 You could also be running into a problem because of /etc/hosts.allow and
 /etc/hosts.deny.  A lot of daemons check these files to see if the
 system trying to connect is allowed to use the service. Everything run
 through xinetd is subject to these rules. But the error message doesn't
 really indicate this problem.

 In any case, it is not a firewall problem right now, because you do
 connect, but the connection is dropped afterwards.

 Mikkel
Aha! Would it be because my /etc/proftpd.conf file has ServerType set to 
standalone? What do I replace standalone with to tell it to work through 
xinetd? Just inetd or xinetd?
   thanx,
 ES
-- 
Registered Linux user #366862

Not that you care, but this message was sent from a 750MHz Athlon system 
running SuSE Linux 9.1 (Kernel 2.6.4) and KMail 1.62.  I also run Red Hat 
Linux 8.0 (Kernel 2.4.18), Debian GNU/Linux 3.0 (Kernel 2.2.20), Mandrake 
Linux 9.2 (Kernel 2.4.22), and YellowDog Linux 3.0 (Kernel 2.4.20) on various 
systems and architectures for various reasons.  Yeah, and there's an old Mac 
OS in there somewhere that I use as a bootloader for Linux, and a Windows XP 
box used as a router for my Linux-based network, but they don't count, 'cuz 
they aren't real OS's.  Who me? Biased? Nah!
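
The checks from Mikkel's reply and the ServerType question in the message above, as an added example that is not part of the thread: a POSIX shell script that compares ProFTPD's ServerType with the xinetd service file and counts matching hosts.deny rules. The sample files are constructed, /bin/sh stands in for the proftpd binary, and the function names and verdict words are assumptions of this example.

```shell
#!/bin/sh
# Added example: cross-check ProFTPD's ServerType against the xinetd service
# file, plus a simplified look at hosts.deny. Paths are passed in, so it can
# be pointed at /etc/proftpd.conf and /etc/xinetd.d/proftpd-xinetd.

# Print the effective ServerType, lowercased. Directive names are
# case-insensitive; when the directive is absent ProFTPD uses standalone.
proftpd_server_type() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "servertype" { t = tolower($2) }
        END { if (t == "") t = "standalone"; print t }
    ' "$1"
}

# Print the value of one "attr = value" line from an xinetd service file.
xinetd_attr() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }
        {
            n = index($0, "=")
            if (n == 0) next
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/[ \t]/, "", key)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (key == want) { print val; exit }
        }
    ' "$1"
}

# Count hosts.deny rules whose daemon list names ALL or the given daemon.
# Simplified: ignores EXCEPT and daemon@host forms.
hosts_deny_hits() {
    awk -F: -v d="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        {
            n = split($1, names, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (names[i] == "ALL" || names[i] == d) { hits++; break }
        }
        END { print hits + 0 }
    ' "$1"
}

# diagnose PROFTPD_CONF XINETD_FILE -> prints one verdict word.
diagnose() {
    stype=$(proftpd_server_type "$1")
    disabled=$(xinetd_attr "$2" disable)
    server=$(xinetd_attr "$2" server)
    if [ "$disabled" = "yes" ]; then
        # xinetd is not serving ftp, so proftpd has to listen by itself.
        [ "$stype" = "standalone" ] && echo ok || echo nothing-listening
    elif [ ! -x "$server" ]; then
        echo bad-server-path          # xinetd accepts, then cannot start the daemon
    elif [ "$stype" != "inetd" ]; then
        echo servertype-mismatch      # xinetd starts a daemon configured as standalone
    else
        echo ok
    fi
}

# Write constructed sample files into directory $1.
make_samples() {
    printf 'ServerName "test"\nServerType standalone\nPort 21\n' > "$1/proftpd.conf"
    sed 's/standalone/inetd/' "$1/proftpd.conf" > "$1/proftpd-inetd.conf"
    cat > "$1/proftpd-xinetd" <<'EOF'
# constructed sample; /bin/sh stands in for the proftpd binary
service ftp
{
    disable     = no
    socket_type = stream
    wait        = no
    user        = root
    server      = /bin/sh
}
EOF
    sed 's|/bin/sh|'"$1"'/no-such-proftpd|' "$1/proftpd-xinetd" \
        > "$1/proftpd-xinetd.badpath"
    printf '# constructed sample\nALL: ALL\n' > "$1/hosts.deny"
}

tmp=$(mktemp -d)
make_samples "$tmp"
echo "standalone conf under xinetd: $(diagnose "$tmp/proftpd.conf" "$tmp/proftpd-xinetd")"
echo "inetd conf under xinetd:      $(diagnose "$tmp/proftpd-inetd.conf" "$tmp/proftpd-xinetd")"
echo "wrong server path:            $(diagnose "$tmp/proftpd-inetd.conf" "$tmp/proftpd-xinetd.badpath")"
echo "hosts.deny rules hitting ftp: $(hosts_deny_hits "$tmp/hosts.deny" proftpd)"
rm -rf "$tmp"
```
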






Re: [newbie] Firewall Admin?

2004-11-05 Thread Derek Jennings
On Friday 05 November 2004 17:43, Eric Scott wrote:
  On Friday 05 November 2004 16:47, Eric Scott wrote:
   Yo.  In risk of showing my ignorance; how to I configure my firewall on
   Mandrake 9.2?  I need to make sure the FTP port is open.  (FTP's not
   working... and by golly if there's a firewall on it it wouldn't work
   then, would it?)  Anyway, I know nothing of firewalls and need some
   basics. Thanx,
                   SigmaChi
 
  Menu > System > Configure > Configure Your Computer > Security > Firewall
  Tick the box for FTP server
 
  Or if you want to learn about how the firewall works in depth, read the
  files in /etc/shorewall and visit www.shorewall.net
 
  derek

 Lol, I should of at least checked the control center before I posted. But
 anyway, my firewall is totally off.  ProFTPD seems to be running
 smoothly... but not letting me access.  Allow me to quote my previous post:

 quote
 Yo people.  I've got a Mandrake Linux 9.2 server running ProFTP v1.28.  I
 thought I had it all set up to run with anonymous FTP access (Using a
 sample /etc/proftpd.config from proftpd.org for now), and starting through
SNIP
The newbie way of getting proFTP to work is to uninstall proFTP and remove the 
config file you are using, then install the drakwizard package and Mandrake 
Control Centre will have a new 'Server' section.  It will reinstall and 
configure proFTP for you.

derek

-- 
www.jennings.homelinux.net
http://twiki.mdklinuxfaq.org





Re: [newbie] Firewall Admin?

2004-11-05 Thread Eric Scott
On Friday 05 November 2004 12:13, Derek Jennings wrote:
 On Friday 05 November 2004 17:43, Eric Scott wrote:
   On Friday 05 November 2004 16:47, Eric Scott wrote:
Yo. In risk of showing my ignorance; how do I configure my firewall
on Mandrake 9.2? I need to make sure the FTP port is open. (FTP's
not working... and by golly if there's a firewall on it it wouldn't
work then, would it?) Anyway, I know nothing of firewalls and need
some basics. Thanx,
SigmaChi
  
   Menu > System > Configure > Configure Your Computer > Security > Firewall
   Tick the box for FTP server
  
   Or if you want to learn about how the firewall works in depth, read the
   files in /etc/shorewall and visit www.shorewall.net
  
   derek
 
  Lol, I should have at least checked the control center before I posted. But
  anyway, my firewall is totally off. ProFTPD seems to be running
  smoothly... but not letting me access. Allow me to quote my previous
  post:
 
  quote
  Yo people. I've got a Mandrake Linux 9.2 server running ProFTP v1.28. I
  thought I had it all set up to run with anonymous FTP access (Using a
  sample /etc/proftpd.config from proftpd.org for now), and starting
  through

 SNIP
 The newbie way of getting proFTP to work is to uninstall proFTP and remove
 the config file you are using, then install the drakwizard package and
 Mandrake Control Centre will have a new 'Server' section. It will
 reinstall and configure proFTP for you.

 derek

Sounds dandy... but there's no cd drive in the system, and it's five miles 
away at the moment. (I'm using tightvnc/ssh/webmin to admin it) Anyplace I 
could download and install the same packages and config software?
Thanx,
  ES

-- 
Registered Linux user #366862

Not that you care, but this message was sent from a 750MHz Athlon system 
running SuSE Linux 9.1 (Kernel 2.6.4) and KMail 1.62. I also run Red Hat 
Linux 8.0 (Kernel 2.4.18), Debian GNU/Linux 3.0 (Kernel 2.2.20), Mandrake 
Linux 9.2 (Kernel 2.4.22), and YellowDog Linux 3.0 (Kernel 2.4.20) on various 
systems and architectures for various reasons. Yeah, and there's an old Mac 
OS in there somewhere that I use as a bootloader for Linux, and a Windows XP 
box used as a router for my Linux-based network, but they don't count, 'cuz 
they aren't real OS's. Who me? Biased? Nah!





Re: [newbie] Firewall Admin? - wandering on to proFTP and ssh

2004-11-05 Thread Derek Jennings
On Friday 05 November 2004 18:32, Eric Scott wrote:
 On Friday 05 November 2004 12:13, Derek Jennings wrote:
  On Friday 05 November 2004 17:43, Eric Scott wrote:
On Friday 05 November 2004 16:47, Eric Scott wrote:
 Yo.  In risk of showing my ignorance; how do I configure my
 firewall on Mandrake 9.2?  I need to make sure the FTP port is
 open.  (FTP's not working... and by golly if there's a firewall on
 it it wouldn't work then, would it?)  Anyway, I know nothing of
 firewalls and need some basics. Thanx,
                 SigmaChi
   
Menu > System > Configure > Configure Your Computer > Security > Firewall
Tick the box for FTP server
   
Or if you want to learn about how the firewall works in depth, read
the files in /etc/shorewall and visit www.shorewall.net
   
derek
  
   Lol, I should have at least checked the control center before I posted.
   But anyway, my firewall is totally off.  ProFTPD seems to be running
   smoothly... but not letting me access.  Allow me to quote my previous
   post:
  
   quote
   Yo people.  I've got a Mandrake Linux 9.2 server running ProFTP v1.28.
    I thought I had it all set up to run with anonymous FTP access (Using
   a sample /etc/proftpd.config from proftpd.org for now), and starting
   through
 
  SNIP
  The newbie way of getting proFTP to work is to uninstall proFTP and
  remove the config file you are using, then install the drakwizard package
  and Mandrake Control Centre will have a new 'Server' section.  It will
  reinstall and configure proFTP for you.
 
  derek

 Sounds dandy... but there's no cd drive in the system, and it's five miles
 away at the moment. (I'm using tightvnc/ssh/webmin to admin it)  Anyplace I
 could download and install the same packages and config software?
          Thanx,
              ES

Go to http://easyurpmi.zarb.org/ declare a urpmi source for 'main' and 
'contrib' and you will never be asked for a CD. It will get everything off 
the net.


derek
-- 
www.jennings.homelinux.net
http://twiki.mdklinuxfaq.org





Re: [newbie] Firewall Admin? - wandering on to proFTP and ssh

2004-11-05 Thread Eric Scott
On Friday 05 November 2004 12:51, Derek Jennings wrote:
 On Friday 05 November 2004 18:32, Eric Scott wrote:
  On Friday 05 November 2004 12:13, Derek Jennings wrote:
   On Friday 05 November 2004 17:43, Eric Scott wrote:
 On Friday 05 November 2004 16:47, Eric Scott wrote:
  Yo. In risk of showing my ignorance; how do I configure my
  firewall on Mandrake 9.2? I need to make sure the FTP port is
  open. (FTP's not working... and by golly if there's a firewall
  on it it wouldn't work then, would it?) Anyway, I know nothing
  of firewalls and need some basics. Thanx,
  SigmaChi

 Menu > System > Configure > Configure Your Computer > Security > Firewall
 Tick the box for FTP server

 Or if you want to learn about how the firewall works in depth, read
 the files in /etc/shorewall and visit www.shorewall.net

 derek
   
Lol, I should have at least checked the control center before I posted.
But anyway, my firewall is totally off. ProFTPD seems to be running
smoothly... but not letting me access. Allow me to quote my previous
post:
   
quote
Yo people. I've got a Mandrake Linux 9.2 server running ProFTP
v1.28. I thought I had it all set up to run with anonymous FTP access
(Using a sample /etc/proftpd.config from proftpd.org for now), and
starting through
  
   SNIP
   The newbie way of getting proFTP to work is to uninstall proFTP and
   remove the config file you are using, then install the drakwizard
   package and Mandrake Control Centre will have a new 'Server' section.
   It will reinstall and configure proFTP for you.
  
   derek
 
  Sounds dandy... but there's no cd drive in the system, and it's five
  miles away at the moment. (I'm using tightvnc/ssh/webmin to admin it)
  Anyplace I could download and install the same packages and config
  software? Thanx,
ES

 Go to http://easyurpmi.zarb.org/ declare a urpmi source for 'main' and
 'contrib' and you will never be asked for a CD. It will get everything off
 the net.


 derek

Well I did what you said and got it reinstalled.  I installed everything that 
came up when I searched for proftp, but there's still no server section in 
the control center.  I installed gproftpd, but it only works for standalone, 
and I'd prefer to run it via xinetd (Which is the default setup.)  I've found 
enough howto's that I might be able to dig and and config it manually via 
the /etc/proftpd.conf file... maybe :-P.  One plus:  I know the server works 
now. lol; in konqueror when I go to ftp://[mydomain] it logs in and gives me 
an empty directory with a pub folder... it's a start.  
Anyway, do you know the package for the proftp server config module you 
mentioned?  
  Thanx,
 SigmaChi
-- 
Registered Linux user #366862

Not that you care, but this message was sent from a 750MHz Athlon system 
running SuSE Linux 9.1 (Kernel 2.6.4) and KMail 1.62.  I also run Red Hat 
Linux 8.0 (Kernel 2.4.18), Debian GNU/Linux 3.0 (Kernel 2.2.20), Mandrake 
Linux 9.2 (Kernel 2.4.22), and YellowDog Linux 3.0 (Kernel 2.4.20) on various 
systems and architectures for various reasons.  Yeah, and there's an old Mac 
OS in there somewhere that I use as a bootloader for Linux, and a Windows XP 
box used as a router for my Linux-based network, but they don't count, 'cuz 
they aren't real OS's.  Who me? Biased? Nah!






Re: [newbie] Firewall Admin? - wandering on to proFTP and ssh

2004-11-05 Thread Eric Scott
   Yo. In risk of showing my ignorance; how do I configure my
   firewall on Mandrake 9.2? I need to make sure the FTP port is
   open. (FTP's not working... and by golly if there's a firewall
   on it it wouldn't work then, would it?) Anyway, I know nothing
   of firewalls and need some basics. Thanx,
   SigmaChi
 
  Menu > System > Configure > Configure Your Computer > Security > Firewall
  Tick the box for FTP server
 
  Or if you want to learn about how the firewall works in depth,
  read the files in /etc/shorewall and visit www.shorewall.net
 
  derek

 Lol, I should have at least checked the control center before I
 posted. But anyway, my firewall is totally off. ProFTPD seems to
 be running smoothly... but not letting me access. Allow me to
 quote my previous post:

 quote
 Yo people. I've got a Mandrake Linux 9.2 server running ProFTP
 v1.28. I thought I had it all set up to run with anonymous FTP
 access (Using a sample /etc/proftpd.config from proftpd.org for
 now), and starting through
   
SNIP
The newbie way of getting proFTP to work is to uninstall proFTP and
remove the config file you are using, then install the drakwizard
package and Mandrake Control Centre will have a new 'Server' section.
It will reinstall and configure proFTP for you.
   
derek
  
   Sounds dandy... but there's no cd drive in the system, and it's five
   miles away at the moment. (I'm using tightvnc/ssh/webmin to admin it)
   Anyplace I could download and install the same packages and config
   software? Thanx,
 ES
 
  Go to http://easyurpmi.zarb.org/ declare a urpmi source for 'main' and
  'contrib' and you will never be asked for a CD. It will get everything
  off the net.
 
 
  derek

 Well I did what you said and got it reinstalled. I installed everything
 that came up when I searched for proftp, but there's still no server
 section in the control center. I installed gproftpd, but it only works
 for standalone, and I'd prefer to run it via xinetd (Which is the default
 setup.) I've found enough howto's that I might be able to dig and and
 config it manually via the /etc/proftpd.conf file... maybe :-P. One plus: 
 I know the server works now. lol; in konqueror when I go to
 ftp://[mydomain] it logs in and gives me an empty directory with a pub
 folder... it's a start.
 Anyway, do you know the package for the proftp server config module you
 mentioned?
  Thanx,
 SigmaChi


Hold up. Reinstalling proftpd got me a default that worked... supposedly... 
but then why does it say 220 (vsFTPd 2.0.1) when I ftp into my domain. lol. 
Gee wizzle this is getting confusing. Here I thought I was dealing with 
proFTP, and now there's vsFTP... which I didn't even remember I installed. 
Anyway; since it's already running... where's the vsFTPd config file?
lol.
Sigma
-- 
Registered Linux user #366862

Not that you care, but this message was sent from a 750MHz Athlon system 
running SuSE Linux 9.1 (Kernel 2.6.4) and KMail 1.62. I also run Red Hat 
Linux 8.0 (Kernel 2.4.18), Debian GNU/Linux 3.0 (Kernel 2.2.20), Mandrake 
Linux 9.2 (Kernel 2.4.22), and YellowDog Linux 3.0 (Kernel 2.4.20) on various 
systems and architectures for various reasons. Yeah, and there's an old Mac 
OS in there somewhere that I use as a bootloader for Linux, and a Windows XP 
box used as a router for my Linux-based network, but they don't count, 'cuz 
they aren't real OS's. Who me? Biased? Nah!





[newbie] Firewall blocks off virtual network

2004-03-08 Thread Graham Watkins
I have set up with much toil, blood, tears and sweat,  a VMware virtual 
network. However, this will only function with Shorewall switched off - 
not a desirable state of affairs, I'm sure you will all agree.

The following output from dmesg seems relevant:

Shorewall:OUTPUT:REJECT:IN= OUT=vmnet1 SRC=172.16.210.1 
DST=172.16.210.255 LEN=113 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP 
SPT=631 DPT=631 LEN=93
Shorewall:OUTPUT:REJECT:IN= OUT=vmnet8 SRC=192.168.8.1 DST=192.168.8.255 
LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=92

My knowledge of Shorewall consists of little beyond the ability to 
switch it on and off.  Could some of you good folks suggest what I need 
 to do to enable the network without letting any intruders in from 
elsewhere.

Thank y'all.

--
Graham Watkins
On the whole, I preferred cats to women because cats seldom if ever used 
the word relationship.(Kinky Friedman - Greenwich Killing Time)

Registered Linux user number 265254  http://counter.li.org
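
An added example (not part of the original post) that parses the two dmesg lines quoted above and classifies each packet's direction from the IN=/OUT= fields. The function names are hypothetical; the sample is the post's own two log lines, re-joined onto one line each.

```python
import re
from collections import Counter

# The two dmesg lines quoted in the post, re-joined onto one line each
# (the mail client had wrapped them).
SAMPLE_DMESG = (
    "Shorewall:OUTPUT:REJECT:IN= OUT=vmnet1 SRC=172.16.210.1 "
    "DST=172.16.210.255 LEN=113 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP "
    "SPT=631 DPT=631 LEN=93\n"
    "Shorewall:OUTPUT:REJECT:IN= OUT=vmnet8 SRC=192.168.8.1 DST=192.168.8.255 "
    "LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=92\n"
)

# Log prefix as it appears in the post: "Shorewall:<chain>:<disposition>:",
# followed by the kernel's KEY=value description of the packet.
LOG_RE = re.compile(
    r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<fields>.*)"
)


def parse_line(line):
    """Return a dict for one Shorewall log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"),
           "disposition": m.group("disposition"),
           "flags": []}
    for token in m.group("fields").split():
        if "=" not in token:
            rec["flags"].append(token)      # bare flags such as DF
            continue
        key, value = token.split("=", 1)
        if key in rec:                      # the second LEN= is the UDP length
            key = "L4_" + key
        rec[key] = value
    return rec


def parse_log(text):
    """Parse every Shorewall line in a block of dmesg/syslog text."""
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def direction(rec):
    """Classify a packet by which of IN= / OUT= the kernel filled in."""
    has_in, has_out = bool(rec.get("IN")), bool(rec.get("OUT"))
    if has_out and not has_in:
        return "local-out"      # generated by this host, leaving via OUT
    if has_in and not has_out:
        return "local-in"       # arrived on IN, addressed to this host
    if has_in and has_out:
        return "forwarded"      # routed through this host
    return "unknown"


def summarise(records):
    """Count packets per (disposition, direction, interface, proto, dport)."""
    counts = Counter()
    for r in records:
        iface = r.get("OUT") or r.get("IN") or "?"
        counts[(r["disposition"], direction(r), iface,
                r.get("PROTO"), r.get("DPT"))] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarise(parse_log(SAMPLE_DMESG)).items():
        print(n, key)
```

Both entries come out as local-out: the firewall is rejecting the host's own UDP broadcasts to port 631 (the IPP port, used by CUPS printer browsing) as they leave on vmnet1 and vmnet8, rather than anything arriving from outside.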







[newbie] Firewall

2004-03-06 Thread rhein
Hello,
I tried to setup a firewall since my notebook will be personal...
I went to mandrake control center and removed the cross in no firewall 
at the Drakfirewall.(I left all the boxes blank... hope this is good so)
Then It asked me if I want to install the shorewall package. I clicked 
ok. I put cd1 like it requested.
And then Mandatory package missing.

I browsed the cd and I found a package called 
/shorewall-1.4.6c-2mdk.noarch.rpm/
If that is the package it is already installed.
So how can I then setup the firewall?
Thank you
Christophe




Re: [newbie] Firewall

2003-11-27 Thread Kaj Haulrich
On Thursday 27 November 2003 05:44, Cenora wrote:
 How do I configure a powerful firewall in 9.2?
 I never know what to block. I use mozilla, gtk-gnutella,
 mozilla-mail and Licq.

Shorewall is on your CD's.  Go to Mandrake Control Center --> 
Security --> Personal Firewall. Personally I uncheck everything, 
letting nothing from the outside access my box. Works very well 
according to various security services, such as :

http://www.sygatetech.com

You can verify that from a console, typing dmesg. After a few 
minutes online you'll see an astonishing amount of rejected 
penetration-attempts. And if you are curious, try whois 
xxx.xxx.xxx.xxx , where the x's are the IP numbers dmesg prints 
out.






Re: [newbie] Firewall

2003-11-27 Thread JoeHill
On Thu, 27 Nov 2003 21:57:06 +
Kaj Haulrich [EMAIL PROTECTED] wrote:

 You can verify that from a console, typing dmesg. After a few 
 minutes online you'll see an astonishing amount of rejected 
 penetration-attempts. And if you are curious, try whois 
 xxx.xxx.xxx.xxx , where the x's are the IP numbers dmesg prints 

Friend of mine set it up so his Apache server would beep every time it got hit
by Code Red.

He had to shut it off after five minutes, it was drivin' him nuts.

-- 
JoeHill ++ ICQ # 280779813
Registered Linux user #282046
Homepage: www.orderinchaos.org
+++
Reality is what you can get away with.
-- Robert Anton Wilson



[newbie] Firewall

2003-11-26 Thread Cenora
How do I configure a powerful firewall in 9.2?
I never know what to block. I use mozilla, gtk-gnutella, mozilla-mail 
and Licq.

Thanks

Carrot, The Warrior




[newbie] Firewall Rules Won't Stick

2003-11-21 Thread Rocket
This question relates to the older Mandrake Linux Firewall 7.2.

Through the firewall's admin functions I set up a public rule that allows
all SMTP inbound traffic through the firewall and forwards it to 192.168.3.3.
Once I set up that rule everything works fine and the mailserver on
192.168.3.3 receives inbound port 25 mail normally... BUT... If I ever
shut down or reboot the firewall system I MUST go back into the admin
function and reset this rule to allow SMTP through the firewall and to
forward it to 192.168.3.3.  Obviously this rule does not stick and only
lasts for the current session. ??  Is there somewhere I can make this
rule in the config files so it becomes permanent rather than having to go
into the admin functions at each reboot?

Rocket





Re: [newbie] Firewall logging

2003-11-17 Thread Derek Jennings
On Monday 17 Nov 2003 5:42 am, Greg Meyer wrote:
 I have Shorewall set up on my laptop, but I am finding that my logs are
 getting inundated with messages from Shorewall telling me about all the
 packets being dropped from the Windows machines on my network.

 How can I reduce the amount of logging that goes on and is it safe to do
 so. Do I really need to know about every one of these stray packets?


Two solutions.
The easy one is  to remove the 'info' from the entries in 
/etc/shorewall/policy  That will kill all shorewall logging of dropped 
packets.

The second solution for those with plenty of time is to edit /etc/syslog.conf 
so that shorewall info log entries are not put into syslog and instead go in 
a different log.  (You will also need to set up logrotate to rotate that log)
See 'man syslogd'

derek
-- 
--
www.jennings.homelinux.net
http://twiki.mdklinuxfaq.org




[newbie] Firewall logging

2003-11-16 Thread Greg Meyer
I have Shorewall set up on my laptop, but I am finding that my logs are 
getting inundated with messages from Shorewall telling me about all the 
packets being dropped from the Windows machines on my network.

How can I reduce the amount of logging that goes on and is it safe to do so.  
Do I really need to know about every one of these stray packets?
-- 
/g

Outside of a dog, a man's best friend is a book, inside
a dog it's too dark to read -Groucho Marx




[newbie] Firewall questions/ mlDonkey won't connect to servers

2003-10-02 Thread Anguo
Hello.

I urpmi'ed mldonkey but it won't connect to any server. It 
will find files, but will fail to download them.

In MCC, I put down the firewall for testing purposes (to the 
question which services would you like the internet to 
connect to? I ticked everything (no firewall)  (after 
testing, I did put the firewall back).

In webmin, I also have this rule: 
Accept If protocol is TCP and source port is 4660:4666

but I still cannot connect to any server.

Please advise.

I am a complete newbie as far as firewalls are concerned and 
I fail to see how the mcc firewall and the webmin firewall 
interact. One look so simple (just untick all the boxes in 
mcc) while the other looks so complex for a newbie.
What if both are setup? Which one takes precedence? Will 
they conflict?

How can one test the firewall?

http://mandrake.vmlinuz.ca/bin/view/Main/FireWall
This is a bit empty right now and I'd like to put some 
things in it. Alternatively, you can reply directly by 
posting there.

Thank you for providing some pointers.

Anguo


-- 
When I see any Web site claim to be only readable using 
particular hardware or
software, I cringe--they are pining for the bad old days 
when each piece of
information needed a different program to access it.
-- Tim Berners-Lee, founder of the World Wide Web





[newbie] Firewall

2003-09-02 Thread Paul Kaplan
When I activated the firewall in LM9.1 I blocked the ability of my two w2k LAN 
clients to see my samba server.  No surprise.  How can I allow the clients 
(and hopefully only those clients) through the firewall?
TIA
Paul



Re: [newbie] Firewall

2003-09-02 Thread Toran Korshnah
On Tue, 2003-09-02 at 12:32, Paul Kaplan wrote:
 When I activated the firewall in LM9.1 I blocked the ability of my two w2k LAN 
 clients to see my samba server.  No surprise.  How can I allow the clients 
 (and hopefully only those clients) through the firewall?
 TIA
 Paul
 


Shorewall?
When i activate it, even following the docs, it blocks everything. I
used firestarter. works well...

Blessings,

Toran




Re: [newbie] Firewall

2003-09-02 Thread Derek Jennings
On Tuesday 02 Sep 2003 11:32 am, Paul Kaplan wrote:
 When I activated the firewall in LM9.1 I blocked the ability of my two w2k
 LAN clients to see my samba server.  No surprise.  How can I allow the
 clients (and hopefully only those clients) through the firewall?
 TIA
 Paul

Shorewall (as defined in the Mandrake Config) has three zones
net - Internet connection
masq - A Masqueraded local network
fw - The Mandrake box itself

When the firewall is activated all traffic is blocked from net to fw , from 
net to masq, and from masq to fw.

If you want to allow access from your local network to services running on the 
firewall (such as Samba), then edit the file /etc/shorewall/policy and make 
it look like this :-
 
fw      net     ACCEPT
fw      masq    ACCEPT
masq    net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

Any fine tuning you require (such as opening ports to the internet) is 
performed in /etc/shorewall/rules  So if for example you wanted local users 
to have access to the Samba server but not other services then instead of 
editing policy you would put this in rules
ACCEPT  masq    fw      tcp     137,138,139

(Ports 137,138,139 are used by Windows networking )


When you have finished
shorewall restart

The text files are very informative, but if you really prefer using a GUI 
there is one in Webmin  (install webmin RPM then https://localhost:1 in a 
browser )

HTH
derek

-- 
--
www.jennings.homelinux.net
http://twiki.mdklinuxfaq.org




Re: [newbie] Firewall

2003-09-02 Thread Derek Jennings
Doh! I missed out a line. It should be :-



 fw      net     ACCEPT
 fw      masq    ACCEPT
 masq    net     ACCEPT
masq    fw      ACCEPT
 net     all     DROP    info
 all     all     REJECT  info



derek

-- 
--
www.jennings.homelinux.net
http://twiki.mdklinuxfaq.org
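
An added example (not Derek's or Shorewall's code) that models how the policy table in the two posts above is consulted: rules are checked first, then the first policy line whose zones match decides. It is a simplified model with hypothetical function names, and it handles only comma-separated port lists.

```python
# Policy table as first posted (no masq -> fw line).
POLICY_AS_FIRST_POSTED = """
fw    net   ACCEPT
fw    masq  ACCEPT
masq  net   ACCEPT
net   all   DROP    info
all   all   REJECT  info
"""

# Policy table from the follow-up, with the missing line added.
POLICY_CORRECTED = """
fw    net   ACCEPT
fw    masq  ACCEPT
masq  net   ACCEPT
masq  fw    ACCEPT
net   all   DROP    info
all   all   REJECT  info
"""

# The narrower alternative from the first post: leave policy alone and add
# one exception to /etc/shorewall/rules.
RULES_SAMBA_ONLY = "ACCEPT  masq  fw  tcp  137,138,139"


def _columns(text):
    """Yield whitespace-separated columns per line, skipping blanks/comments."""
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()
        if cols:
            yield cols


def parse_policy(text):
    """Return [(source_zone, dest_zone, action, log_level_or_None), ...]."""
    return [(c[0], c[1], c[2], c[3] if len(c) > 3 else None)
            for c in _columns(text)]


def parse_rules(text):
    """Return [(action, source_zone, dest_zone, proto, ports_or_None), ...]."""
    rules = []
    for c in _columns(text):
        ports = {int(p) for p in c[4].split(",")} if len(c) > 4 else None
        rules.append((c[0], c[1], c[2], c[3], ports))
    return rules


def _zone_matches(pattern, zone):
    return pattern in ("all", zone)


def decide(src, dst, proto, dport, policy, rules=()):
    """Return (action, 'rule' | 'policy') for a new connection request."""
    # Exceptions in the rules file are consulted before the general policy.
    for action, r_src, r_dst, r_proto, ports in rules:
        if (_zone_matches(r_src, src) and _zone_matches(r_dst, dst)
                and r_proto == proto and (ports is None or dport in ports)):
            return action, "rule"
    # Otherwise the first policy line that matches both zones applies.
    for p_src, p_dst, action, _log in policy:
        if _zone_matches(p_src, src) and _zone_matches(p_dst, dst):
            return action, "policy"
    raise ValueError("no policy line matches %s -> %s" % (src, dst))


if __name__ == "__main__":
    first = parse_policy(POLICY_AS_FIRST_POSTED)
    fixed = parse_policy(POLICY_CORRECTED)
    samba = parse_rules(RULES_SAMBA_ONLY)
    cases = [("tcp", 139), ("tcp", 22), ("udp", 137)]
    for proto, port in cases:
        print("masq->fw %s/%d" % (proto, port),
              "| first:", decide("masq", "fw", proto, port, first),
              "| corrected:", decide("masq", "fw", proto, port, fixed),
              "| first+rule:", decide("masq", "fw", proto, port, first, samba))
```

With the table as first posted, masq to fw falls through to the final all/all REJECT line; the corrected table accepts every port from masq to fw, while the rules-file alternative admits only TCP 137-139. NetBIOS name service (137) and datagram service (138) use UDP, so the model shows those packets still reaching the REJECT policy under the TCP-only rule.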




Re: [newbie] Firewall Oddities

2003-09-02 Thread Terry Sheltra
Thanks for the help Derek.  /etc/shorewall/interfaces only had my 
wireless card (eth1) set to the loc zone, instead of net.  After 
setting it, it's now working great.

Terry

Derek Jennings wrote:
On Friday 29 Aug 2003 3:50 pm, Terry Sheltra wrote:

I'm having some interesting happenings using the Firewall utility in
MCC.  I'm using a laptop that has both a wireless card, as well as a
wired NIC.  My wireless works just fine until I try to turn on the
firewall.  As soon as I do, the firewall effectively blocks all
connections with my wireless card.  The only way I can access the
outside world with the firewall on is by connecting to a wired network.
 Running ifconfig shows that my wireless card is eth1 and my NIC is
eth0.  Any suggestions on what I can do to get the firewall to play
nicely with my wireless card?
Thanks!

Terry


The Firewall GUI in MCC has a habit of getting the interfaces to the internet 
and the local network back to front.

Take a look at /etc/shorewall/interfaces that file decides which interface is 
which.

/etc/shorewall/policy  determines how to treat packets coming from each 
interface.

/etc/shorewall/rules defines the 'exceptions' to the general policy.

/etc/shorewall/masq defines internet connection sharing (masquerading)

After making any change 'shorewall restart'

See www.shorewall.net for detailed documentation.

HTH

derek



--
Terry Sheltra
PC Support Technician/Asst. Network Administrator
University of Virginia
School of Architecture
434.982.3047
[EMAIL PROTECTED]
--
Available via instant messenger
--
Composed on a 100% Microsoft-free PC
Registered Linux User #218330
--



Re: [newbie] Firewall Oddities

2003-08-30 Thread Derek Jennings
On Friday 29 Aug 2003 3:50 pm, Terry Sheltra wrote:
 I'm having some interesting happenings using the Firewall utility in
 MCC.  I'm using a laptop that has both a wireless card, as well as a
 wired NIC.  My wireless works just fine until I try to turn on the
 firewall.  As soon as I do, the firewall effectively blocks all
 connections with my wireless card.  The only way I can access the
 outside world with the firewall on is by connecting to a wired network.
   Running ifconfig shows that my wireless card is eth1 and my NIC is
 eth0.  Any suggestions on what I can do to get the firewall to play
 nicely with my wireless card?

 Thanks!

 Terry


The Firewall GUI in MCC has a habit of getting the interfaces to the internet 
and the local network back to front.

Take a look at /etc/shorewall/interfaces that file decides which interface is 
which.

/etc/shorewall/policy  determines how to treat packets coming from each 
interface.

/etc/shorewall/rules defines the 'exceptions' to the general policy.

/etc/shorewall/masq defines internet connection sharing (masquerading)

After making any change 'shorewall restart'

See www.shorewall.net for detailed documentation.

HTH

derek
-- 
--
www.jennings.homelinux.net




RE: [newbie] Firewall Oddities

2003-08-29 Thread Brandon Vanderberg
Take a look at the two-nic firewall sample config.
It is substantially different from the one-nic config that many use.
I bet you'll find the issue there.

On a side note, the configs are very simple. Since I got familiar with them,
I haven't gone back to the MCC for firewall management.

HTH
Brandon

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Terry Sheltra
 Sent: Friday, August 29, 2003 7:50 AM
 To: [EMAIL PROTECTED]
 Subject: [newbie] Firewall Oddities


 I'm having some interesting happenings using the Firewall utility in
 MCC.  I'm using a laptop that has both a wireless card, as well as a
 wired NIC.  My wireless works just fine until I try to turn on the
 firewall.  As soon as I do, the firewall effectively blocks all
 connections with my wireless card.  The only way I can access the
 outside world with the firewall on is by connecting to a wired network.
   Running ifconfig shows that my wireless card is eth1 and my NIC is
 eth0.  Any suggestions on what I can do to get the firewall to play
 nicely with my wireless card?

 Thanks!

 Terry







[newbie] Firewall apps

2003-08-28 Thread gavin
Russ,

quick question, do you have an old 486 laying around.. if so you should try 
IPCOP..its quick and easy. and when your secure in your knowledge about 
IPTABLES.. you can go and setup your linux box as a firewall.. I have a SOHO 
setup in my private (home school) here in japan 12 boxes, multi 
platformed everything from M$98 to MDK9.1 and I've had no problems since I 
started IPCOP.

please note that ipcop needs its own box.. its 100% firewall.. and you can 
access it from any station. 

just an idea from a newbie to a newbie!!
-- 
Gavin Rollins   
C/O GES 
Japan 
Sent 2u on a M$ free system!




[newbie] firewall hits by newsserver

2003-07-26 Thread Chris
This may be OT but, I have to ask.  The below is from my firestarter log, are 
these incoming or outgoing hits to earthlinks news servers?

time:Jul 26 09:53:09 in:eth0 out: port:40478 source:news03.west.earthlink.net 
dest:192.168.1.2 len:1440 tos:0x00 protocol:tcp service:unknown
time:Jul 26 09:54:24 in:eth0 out: port:40480 source:news04.west.earthlink.net 
dest:192.168.1.2 len:1440 tos:0x00 protocol:tcp service:unknown
time:Jul 26 10:02:21 in:eth0 out: port:40479 source:news01.west.earthlink.net 
dest:192.168.1.2 len:1440 tos:0x00 protocol:tcp service:unknown
time:Jul 26 10:03:57 in:eth0 out: port:40478 source:news03.west.earthlink.net 
dest:192.168.1.2 len:1440 tos:0x00 protocol:tcp service:unknown
time:Jul 26 10:06:37 in:eth0 out: port:40479 source:news01.west.earthlink.net 
dest:192.168.1.2 len:1440 tos:0x00 protocol:tcp service:unknown
time:Jul 26 21:18:42 in:eth0 out: port:42611 source:news02.west.earthlink.net 
dest:192.168.1.2 len:1440 tos:0x00 protocol:tcp service:unknown
time:Jul 26 21:28:47 in:eth0 out: port:42611 source:news02.west.earthlink.net 
dest:192.168.1.2 len:699 tos:0x00 protocol:tcp service:unknown
time:Jul 26 21:34:44 in:eth0 out: port:42611 source:news02.west.earthlink.net 
dest:192.168.1.2 len:1440 tos:0x00 protocol:tcp service:unknown
time:Jul 26 21:35:29 in:eth0 out: port:42612 source:news01.west.earthlink.net 
dest:192.168.1.2 len:699 tos:0x00 protocol:tcp service:unknown

I'm still confused about things like this, of course a lot of simple things 
confuse me.

-- 
  Regards
  Chris
  A 100% Microsoft free computer
  Registered Linux User 283774 http://counter.li.org
  9:41pm  up 35 days,  3:57,  6 users,  load average: 0.24, 0.17, 0.12




Re: [newbie] firewall question

2003-07-08 Thread Peter Watson
On Tuesday 08 Jul 2003 00:41, Chris wrote:
 I've setup firestarter and when I ran the test at www.grc.com all my
 ports show closed except for 21, 23, and 80.  I would think that these
 should be at least closed.  Anyone using firestarter know of how to do
 this?

 Thanks
 Chris

I'm running firestarter out of the box and GRC shows these ports closed 
for me. However, if you run the firestarter GUI there is a tab for rules 
and under that you can enter port numbers to block or stealth, I would 
give that a try


HTH

Pete
Ardnamurchan Scotland



[newbie] firewall question

2003-07-07 Thread Chris
I've setup firestarter and when I ran the test at www.grc.com all my ports 
show closed except for 21, 23, and 80.  I would think that these should be at 
least closed.  Anyone using firestarter know of how to do this?

Thanks
Chris

-- 
  Regards
  Chris
  A 100% Microsoft free computer
  Registered Linux User 283774 http://counter.li.org
  6:34pm  up 16 days, 47 min,  6 users,  load average: 0.02, 0.01, 0.00




RE: [newbie] Firewall logs getting too big

2003-03-13 Thread Peter Lomax
Hey Harm,
As it is an old machine I hope you have a backup.
It could be your disk is also on the way out if it is making
such a racket.
Although I admit I also have polling every 3 seconds from edonkey 4662 port.
It is a real bind.
Peter
--
[EMAIL PROTECTED]
FR Mobile: +33 (0)6 0874 8707(preferred)
UK Mobile: +44 (0)7960 160 173
Msg service:
voice: +44 (0)7050 685 985
fax__: +44 (0)7050 685 986
Oracle Architect
Latest CV http://www.lomax.cc/users/peter/business_section.htm

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of H.J.Bathoorn
Sent: 13 March 2003 00:53
To: [EMAIL PROTECTED]
Subject: Re: [newbie] Firewall logs getting too big


On Tuesday 11 March 2003 13:34, mycal62 wrote:
 this is what that port does :

 efs             520/tcp    extended file name server
 router          520/udp    local routing process (on site);
 #                          uses variant of Xerox NS routing
 #                          information protocol - RIP

 here's a handy reference to all ports and their use :

 http://www.iana.org/assignments/port-numbers

 Mike


I've been there, though I must admit I'm not sure what exactly is meant by
(on site).

My problem is how to get rid of all these log entries. Reading the logs isn't
the real problem 'cause filtering out port 520 using grep -v works quite
well. When the (400Mb) HD gets to 100% full everything gets quiet but then I
don't get anymore logs.

Like I said all this logging activity makes a lot of noise as well. My
firewall is an old P133 with smoothwall on it. AL the fans have been removed
leaving only the HD that physically moves/makes noise and I've even packed
that in isolation foam.
Especially early mornings, when I feel lucky if I find the coffee machine
without falling down the cellar-stairs first, I tend to get nerved by the
clicketyclicking.
Frankly, those are the realy serious mornings 'cause we don't even have a
cellar here being below sea-level:o(

I would like to block these scans from my ISP but like I said I'm not sure
what the consequences might be. These boxes are up 24/24 and I'm away quite
often i.e. don't have physical acces so I have to be 100% sure of what I'm
doing. Not logging these scans was a sort of compromise (with maybe a slight
risk)  from my point of view but I don't know how to do that.

Good hunting,
HarM








Re: [newbie] Firewall logs getting too big

2003-03-12 Thread H.J.Bathoorn
On Tuesday 11 March 2003 13:34, mycal62 wrote:
 this is what that port does :

 efs     520/tcp    extended file name server
 router  520/udp    local routing process (on site);
 #                  uses variant of Xerox NS routing
 #                  information protocol - RIP

 here's a handy reference to all ports and their use :

 http://www.iana.org/assignments/port-numbers

 Mike


I've been there, though I must admit I'm not sure what exactly is meant by (on 
site).

My problem is how to get rid of all these log entries. Reading the logs isn't 
the real problem 'cause filtering out port 520 using grep -v works quite 
well. When the (400Mb) HD gets to 100% full everything gets quiet but then I 
don't get any more logs.

Like I said all this logging activity makes a lot of noise as well. My 
firewall is an old P133 with smoothwall on it. All the fans have been removed 
leaving only the HD that physically moves/makes noise and I've even packed 
that in isolation foam.
Especially early mornings, when I feel lucky if I find the coffee machine 
without falling down the cellar-stairs first, I tend to get nerved by the 
clicketyclicking.
Frankly, those are the really serious mornings 'cause we don't even have a 
cellar here being below sea-level:o( 

I would like to block these scans from my ISP but like I said I'm not sure 
what the consequences might be. These boxes are up 24/24 and I'm away quite 
often i.e. don't have physical access so I have to be 100% sure of what I'm 
doing. Not logging these scans was a sort of compromise (with maybe a slight 
risk)  from my point of view but I don't know how to do that.

Good hunting,
HarM 






[newbie] Firewall logs getting too big

2003-03-11 Thread H.J.Bathoorn
Hello all,

Going through my firewall logs tends to get tedious i.e. the logfiles too big 
because of the recurring nameserver scans by my IP on port 520.

Not only that but this permanent logging causes constant disk activity and 
thus noise!:o(

Anybody got any simple pointers how to put a stop to this?

I suppose I could just block all these probes I'm just not sure what effect 
that'll have though.
Just not having these probes being logged would suffice methinks. Well at 
least it'll save the trouble of clearing out the HD every month and reduce 
the noise.

TIA,
HarM







Re: [newbie] Firewall logs getting too big

2003-03-11 Thread Derek Jennings
On Tuesday 11 Mar 2003 11:18 pm, H.J.Bathoorn wrote:
 Hello all,

 Going through my firewall logs tends to get tedious i.e. the logfiles too
 big because of the recurring nameserver scans by my IP on port 520.

 Not only that but this permanent logging causes constant disk activity and
 thus noise!:o(

 Anybody got any simple pointers how to put a stop to this?

 I suppose I could just block all these probes I'm just not sure what effect
 that'll have though.
 Just not having these probes being logged would suffice methinks. Well at
 least it'll save the trouble of clearing out the HD every month and reduce
 the noise.
For any rule you do not want logged make sure that the rule does not state 
'info'

 TIA,
 HarM


If you are using shorewall then you can edit  /etc/shorewall/policy and remove 
'info' from the logging policy. Then restart shorewall.

Another thing you could do is run fwlogwatch to go through your logs for you 
and send you a weekly condensed email. You can find it on your CDs

derek

-- 
--
www.jennings.homelinux.net
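
What a condensed log report amounts to, as an added example that is not part of the original thread and is not fwlogwatch's code: it groups packet log lines by protocol, destination port and source so the repeated port 520 entries collapse into one row. The log lines are constructed, and the key=value layout is assumed to be the one written by the iptables LOG target.

```python
import re
from collections import Counter

# Constructed sample lines in the key=value layout written by the iptables LOG
# target (an assumption; other firewalls log differently). Addresses come from
# the documentation ranges.
SAMPLE_LOG = """\
Mar 11 06:00:01 fw kernel: IN=eth1 OUT= SRC=192.0.2.1 DST=192.0.2.255 LEN=52 PROTO=UDP SPT=520 DPT=520 LEN=32
Mar 11 06:00:04 fw kernel: IN=eth1 OUT= SRC=192.0.2.1 DST=192.0.2.255 LEN=52 PROTO=UDP SPT=520 DPT=520 LEN=32
Mar 11 06:00:07 fw kernel: IN=eth1 OUT= SRC=192.0.2.1 DST=192.0.2.255 LEN=52 PROTO=UDP SPT=520 DPT=520 LEN=32
Mar 11 06:02:13 fw kernel: IN=eth1 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40112 DPT=23 SYN
Mar 11 06:05:40 fw kernel: IN=eth1 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=3312 DPT=4662 SYN
Mar 11 06:05:43 fw kernel: IN=eth1 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=3312 DPT=4662 SYN
Mar 11 06:09:00 fw kernel: IN=eth1 OUT= SRC=192.0.2.77 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Mar 11 06:10:00 fw syslogd: restart
"""

FIELD = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the key=value fields of one packet log line, or None if it is not one."""
    if "PROTO=" not in line:
        return None
    fields = {}
    for key, value in FIELD.findall(line):
        # LEN appears twice on UDP lines; keep the first (IP length).
        fields.setdefault(key, value)
    return fields


def condense(log_text):
    """Count logged packets per (protocol, destination port, source address)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        # ICMP lines carry no DPT; record the port as None for them.
        dpt = int(fields["DPT"]) if fields.get("DPT", "").isdigit() else None
        counts[(fields["PROTO"], dpt, fields.get("SRC", "?"))] += 1
    return counts


def share_of_port(counts, proto, dpt):
    """Fraction of all logged packets that went to one protocol/port."""
    total = sum(counts.values())
    hits = sum(n for (p, d, _src), n in counts.items() if p == proto and d == dpt)
    return hits / total if total else 0.0


def report(counts, top=10):
    """Build a short text summary, busiest groups first."""
    total = sum(counts.values())
    lines = [f"{total} logged packets in {len(counts)} groups"]
    for (proto, dpt, src), n in counts.most_common(top):
        port = "-" if dpt is None else str(dpt)
        lines.append(
            f"{n:6d}  {100 * n / total:5.1f}%  {proto:<4} dport={port:<5} from {src}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    summary = condense(SAMPLE_LOG)
    print(report(summary))
    print(f"UDP/520 share of the log: {share_of_port(summary, 'UDP', 520):.0%}")
```

A summary like this shows how much of the log volume one noisy source accounts for before deciding whether to stop logging it.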



Re: [newbie] Firewall logs getting too big

2003-03-11 Thread mycal62
this is what that port does :

efs     520/tcp    extended file name server
router  520/udp    local routing process (on site);
#                  uses variant of Xerox NS routing
#                  information protocol - RIP
here's a handy reference to all ports and their use :

http://www.iana.org/assignments/port-numbers

Mike

H.J.Bathoorn wrote:

Hello all,

Going through my firewall logs tends to get tedious i.e. the logfiles too big 
because of the recurring nameserver scans by my IP on port 520.

Not only that but this permanent logging causes constant disk activity and 
thus noise!:o(

Anybody got any simple pointers how to put a stop to this?

I suppose I could just block all these probes I'm just not sure what effect 
that'll have though.
Just not having these probes being logged would suffice methinks. Well at 
least it'll save the trouble of clearing out the HD every month and reduce 
the noise.

TIA,
HarM




 





[newbie] Firewall Builder under Mdk 9.0

2002-10-02 Thread Guilherme Cirne

Hi all,

Has anyone managed to get Firewall Builder to work under Mdk 9.0? 
Installing the 8.2 rpm doesn't work. I get an error when trying to run it.

I also tried compiling it from the source rpm. Libfwbuilder compiles fine 
but fwbuilder itself doesn't.

Does anybody know where I can get Firewall Builder rpms for 9.0???

TIA,

Guilherme Cirne
[EMAIL PROTECTED]







[newbie]Firewall NIC, problem solved update

2002-09-23 Thread FemmeFatale

  A while back I was posting asking for some help with an SNF Install & 2 
NICs I had in the box.

It seemed one of them, a DLink, had a light on it like all NICs but the 
light wouldn't go on at boot time.  That seemed strange.  So I thought it 
was a dead card.  Almost threw out a decent card!

Seems after installing an 8.2 ver of MDK On the same box with some 
different hardware (I was testing 2 vid cards I have), I decided to try the 
Dlink again.  Sure enough, it wouldn't light up.  So I fiddled around with 
it, and finally installed it through the Mandrake Control Centre.  Works 
fine now. Stumped as to why now it lights up like a Xmas tree, and before 
it wouldn't even blink once!

Any ideas ladies & gents?  If not it's fine.  The card works.  Now all I 
must do is figure out how to screw around on the LAN with the card 
installed & only the firewall working.  :)

New challenges!



---
Femme








Re: [newbie] Firewall Builder

2002-08-28 Thread Miark

Ya, I run it in KDE. I get the errors too, but they don't 
affect how Firestarter actually works. 

Miark


Tommy Eaton [EMAIL PROTECTED] saith:

 Firestarter IS good... almost has that easy Zone Alarm interface that will
 display hits live.  However, firestarter was written for gnome.  I can't
 seem to get it to start on KDE without some errors popping up.  Have any of
 you successfully made Firestarter run on KDE (w/mdk 8.2)?? If so, how did
 you do it?






Re: [newbie] Firewall Builder

2002-08-28 Thread Damian G

On Wed, 28 Aug 2002 12:07:52 -0300
Damian G [EMAIL PROTECTED] wrote:

 On Wed, 28 Aug 2002 07:44:55 -0400
 Tommy Eaton [EMAIL PROTECTED] wrote:
 
  Firestarter IS good... almost has that easy Zone Alarm interface that will
  display hits live.  However, firestarter was written for gnome.  I can't
  seem to get it to start on KDE without some errors popping up.  Have any of
  you successfully made Firestarter run on KDE (w/mdk 8.2)?? If so, how did
  you do it?
  
 
 the 'eeors' ... do you mean those GTK-CRITICAL messages that appear when
 you open it up and press buttons? dimply ignore them, it works just as well anyway.
 
 
 Damian

wow.. what a tough day i must be having... look at all those typos.. i must
be really stressed. :oP


Damian






[newbie] Firewall Builder

2002-08-27 Thread Guilherme Cirne

Hi all,


I've started messing around with Firewall Builder now and would like to
know people's opinion about it. And also about other firewall GUI's.

Ok, I know the best thing would be to write an iptables script by hand,
but I really don't have the time now. And with fwbuilder I can see the
generated script and apply manual modifications.

Cheers,

Guilherme Cirne







RE: [newbie] Need Newbie Firewall recommendation

2002-07-29 Thread frankie



just cos an app says it's for gnome doesn't mean that you can't run it in KDE..

I run both gnome and kde apps and I use Icewm on one of my boxes, works fine.

install firestarter and try it..

rgds

Frank

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tommy Eaton
  Sent: Tuesday, July 30, 2002 12:27 AM
  To: [EMAIL PROTECTED]
  Subject: [newbie] Need Newbie Firewall recommendation

  Hi,

  I am looking for a good newbie firewall to run on KDE on mdk 8.2.
  The ideal firewall would be very similar to ZoneAlarm as far as the
  interface is concerned (i.e. alerting to hits, very simplistic, restricting
  in/out programs, etc). I found Firestarter and it appears to be exactly
  what I'm looking for. However, I cannot find it for KDE - only GNOME.
  Do any of you know if it's possible to get Firestarter for KDE?

  I've already tried Guarddog and did not like it...
  
  
  Thanks!
  


Re: [newbie] Need Newbie Firewall recommendation

2002-07-29 Thread Paul

In reply to Tommy's mail, d.d. Mon, 29 Jul 2002 12:26:41 -0400:

programs, etc).  I found Firestarter and it appears to be exactly what I'm
looking for.  However, I cannot find it for KDE - only GNOME.  Do any of
you know if it's possible to get Firestarter for KDE?  

If you have the gnome libraries installed, Firestarter should run in KDE
also.
Check for gnome-libs:

[paul@tbird paul]$ rpm -qa | grep gnome-lib
gnome-libs-1.4.1.4-5mdk

Good luck!
Paul

--
To solve big problems you have to be willing to do unpopular things.
-Lee Iacocca

http://nlpagan.net-Linux Mandrake 8.2 -   Sylpheed 0.8.0
Help Microsoft combat software piracy: give Linux to a friend today!






[newbie] Need Newbie Firewall recommendation

2002-07-29 Thread Tommy Eaton








Hi, 



I am looking for a good newbie firewall to run on KDE on mdk 8.2. The ideal
firewall would be very similar to ZoneAlarm as far as the interface is
concerned (i.e. alerting to hits, very simplistic, restricting in/out
programs, etc). I found Firestarter and it appears to be exactly what I'm
looking for. However, I cannot find it for KDE - only GNOME. Do any of you
know if it's possible to get Firestarter for KDE?




I've already tried Guarddog and did not like it...





Thanks!










Re: [newbie] Firewall

2002-06-06 Thread daRcmaTTeR

On Wed, 5 Jun 2002, JL Conradie wrote:

 Hi
 
 I'm running the bastille-firewall included with mandrake 8.1. I use the 
InteractiveBastille command to configure it. When I configure it, it asks which 
interface is the public interface and what services to block from this interface, but 
then it also blocks the services from the other interface( not specified as public 
interfaces). I also wondered if anyone could tell me what ports do i have to allow 
connections to, to enable connections to webmin.
 
 thanks for your help in advance!

the webmin server lives on port 1. 

-- 
Mark
a.k.a. daRcmaTTeR
--
If your wife told you NOT to do it there's probably a real good reason!
-
REGISTERED LINUX USER #186492
Penguinized since 1997







[newbie] Firewall

2002-06-05 Thread JL Conradie



Hi

I'm running the bastille-firewall included with mandrake 8.1. I use the
InteractiveBastille command to configure it. When I configure it, it asks
which interface is the public interface and what services to block from this
interface, but then it also blocks the services from the other interface (not
specified as public interfaces). I also wondered if anyone could tell me what
ports do I have to allow connections to, to enable connections to webmin.

thanks for your help in advance!


Re: [newbie] Firewall

2002-06-05 Thread civileme

JL Conradie wrote:

 Hi

  

 I'm running the bastille-firewall included with mandrake 8.1. I use 
 the InteractiveBastille command to configure it. When I configure it, 
 it asks which interface is the public interface and what services to 
 block from this interface, but then it also blocks the services from 
 the other interface( not specified as public interfaces). I also 
 wondered if anyone could tell me what ports do i have to allow 
 connections to, to enable connections to webmin.

  

 thanks for your help in advance!

port 1

Well if you want to add more ports on the local side (and it is VERY 
conservative on that side) edit /etc/Bastille/bastille-firewall.cfg


# Please make sure variable assignments are on single lines; do NOT
# use the \ continuation character (so Bastille can change the
# values if it is run more than once)
TCP_PUBLIC_SERVICES=
UDP_PUBLIC_SERVICES=
TCP_INTERNAL_SERVICES=
UDP_INTERNAL_SERVICES=


There for example if you wanted internal services  wide open

TCP_INTERNAL_SERVICES=15:65535

And still some will be blocked later in the script.

You can enter individual ports separated by commas and groups of 
consecutive ports by colons, but be careful to keep it on one line.

Now with all that said, I DID see an opportunity to open local ports in 
the interactive dialogue while I was running it to set this up. Tiny 
Firewall does not give you that opportunity and is useful perhaps only 
for computers which do no NAT and do not offer any files by SAMBA or nfs 
or appletalk.

Civileme








Re: [newbie] Firewall

2002-06-05 Thread Dennis Myers

On Wednesday 05 June 2002 11:59 am, you wrote:
 Hi

 I'm running the bastille-firewall included with mandrake 8.1. I use the
 InteractiveBastille command to configure it. When I configure it, it asks
 which interface is the public interface and what services to block from
 this interface, but then it also blocks the services from the other
 interface( not specified as public interfaces). I also wondered if anyone
 could tell me what ports do i have to allow connections to, to enable
 connections to webmin.

 thanks for your help in advance!

 To access  webmin all you need to do is open a browser and type in the url 
box:   https://127.0.0.1:1 That should get you into webmin and you 
shouldn't need to open the port unless you are telnet into a box from another.
-- 
Dennis M. linux user #180842






Re: [newbie] firewall broken in 8.2

2002-05-20 Thread Colin Jenkins

Hello mike,

Monday, May 20, 2002, 11:30:32 PM, you wrote:

m Hi 

m I have tried to set up a bastille firewall in LM 8.2

m after going through the InteractiveBastille setup

m the firewall is still not as secure as it was in 8.0.

m How can I set it up to where it will show ports as stealthed as in 8.0? 

m or how can I be sure it's actually secure once setup? 

m thanks for any help 

m Mike McNeese


To test your firewall, go to http://grc.com

-- 
Best regards,
 Colinmailto:[EMAIL PROTECTED]
 
4:20pm up 8 days, 6:39, 2 users, load average: 0.00, 0.00, 0.00
The two most abundant things in the universe are Hydrogren and stupidity.
 ..registered linux user #223862 ..



Re: [newbie] firewall broken in 8.2

2002-05-20 Thread daRcmaTTeR


- Original Message -
From: mike [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, May 20, 2002 9:30 AM
Subject: [newbie] firewall broken in 8.2


 Hi

 I have tried to set up a bastille firewall in LM 8.2

 after going through the InteractiveBastille setup

 the firewall is still not as secure as it was in 8.0.

 How can I set it up to where it will show ports as stealthed as in
8.0?

 or how can I be sure it's actually secure once setup?

 thanks for any help

 Mike McNeese


Mike,

In order to show up as stealth you must be dropping the packets as
opposed to rejecting them. Check your
/etc/Bastille/bastille-firewall.cfg file to see what your policies are
doing with the packets. Are they set to DROP or REJECT?

daRcmaTTeR
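
The DROP versus REJECT distinction above, seen from the probing side, as an added example that is not part of the original thread: a TCP connect that gets no answer at all is what an online port test reports as stealth, while a refused connection shows as closed. The function names and the default target are assumptions; run it from outside the firewall against a machine you administer.

```python
import errno
import socket
import sys


def classify(exc):
    """Map the outcome of one TCP connect attempt (exception or None) to a state."""
    if exc is None:
        return "open"      # handshake completed: a service is listening
    if isinstance(exc, socket.timeout):
        return "stealth"   # no reply at all, which is what a DROP rule produces
    if isinstance(exc, ConnectionRefusedError):
        # Actively refused: a TCP RST, or on Linux an ICMP port-unreachable
        # (both are answers, so the host is visible).
        return "closed"
    if isinstance(exc, OSError) and exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "rejected"  # some other ICMP unreachable answer came back
    raise exc              # anything else is a local problem, not a port state


def probe(host, port, timeout=2.0):
    """Attempt one TCP connection and return its state as a string."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
    except OSError as exc:
        return classify(exc)
    finally:
        sock.close()
    return classify(None)


def survey(host, ports, timeout=2.0):
    """Probe each port once and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def verdict(states):
    """The host only looks stealthed if none of the probed ports answered."""
    answered = sorted(p for p, s in states.items() if s != "stealth")
    return ("visible", answered) if answered else ("stealth", [])


if __name__ == "__main__":
    # Default target is the local machine; pass your own external address
    # when running from a host outside the firewall.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    states = survey(target, [21, 23, 80])
    for port, state in sorted(states.items()):
        print(f"{target}:{port:<5} {state}")
    overall, answered = verdict(states)
    print(f"overall: {overall}" + (f" (answered on {answered})" if answered else ""))
```

Any port reported as closed or rejected means the firewall is answering probes on that port rather than silently discarding them.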








[newbie] firewall broken in 8.2

2002-05-19 Thread mike

Hi 

I have tried to set up a bastille firewall in LM 8.2

after going through the InteractiveBastille setup

the firewall is still not as secure as it was in 8.0.

How can I set it up to where it will show ports as stealthed as in 8.0? 

or how can I be sure it's actually secure once setup? 

thanks for any help 

Mike McNeese






Re: [newbie] Firewall

2002-04-19 Thread Sridhar Dhanapalan

On Sat, 20 Apr 2002 04:16:00 +0200, RM.Krijgsman [EMAIL PROTECTED] wrote:
 After my problems, getting on the net with my USB modem, I now am
 interested in a good firewall... I know I know I should read some howto's or
 whatever, the fact is I don't have time for that, I just want a good firewall
 running, so I can learn at my own speed and when I have the time to read stuff I
 will...
 I downloaded a firewall script, specially designed for ADSL users, but that
 doesn't work, it shuts down the whole connection.
 
 I figured out I can use linuxconf, to configure a firewall, now how do I set
 up a basic firewall?? Or are there any good programs around, scripts,
 whatever. I used Zone Alarm on my windows pc, are there any firewall for linux
 like that?

To be blunt, ZoneAlarm is a piece of junk. There is no way that any application
can make Windows secure. Software (_especially_ an operating system) needs to be
written to be secure from the ground upwards.

 Please help me with this, all the people on IRC don't give straight answers,
 very irritating, I'm a newbie, but hey isn't everybody been one?

Try Bastille. It is designed to 'harden' a system (there is more to security
than just a firewall) and it teaches you along the way. Make sure you have the
following Mandrake packages installed:

  Bastille
  Bastille-Chooser
  Bastille-Tk-module

Then open a root terminal and type 'InteractiveBastille'.

-- 
Sridhar Dhanapalan

And I'm not just saying that. I'm really not a very nice person. I can say I
don't care with a straight face, and really mean it. -- Linus Torvalds






Re: [newbie] Firewall setup

2002-03-12 Thread skinky

On Friday 08 March 2002 01:38, Dr Joe Brand wrote:
 iptables and Bastille are installed, but drakconf still can't find them.
 I've removed them and reinstalled them to no avail.

 I think there is a problem with drakconf and the wizards it uses.

 When I start drakconf the following message appears in the shell window

 Subroutine _ redefined at /usr/X11R6/bin/drakconf.real line 271.
 Subroutine translate redefined at /usr/X11R6/bin/drakconf.real line 276.
 wizard-3.2.1-5mdk

 Then I click on the security-firewall and this error message appears.
 no package named iptables
 no package named Bastille

 What needs to be done to fix this?


You could try updating your rpm database.  In a terminal as root type

#   rpm --rebuilddb

skinky
-- 
oxymoron:  Microsoft Works







Re: [newbie] Firewall setup

2002-03-07 Thread Dr Joe Brand

iptables and Bastille are installed, but drakconf still can't find them. 
I've removed them and reinstalled them to no avail.

I think there is a problem with drakconf and the wizards it uses.

When I start drakconf the following message appears in the shell window

Subroutine _ redefined at /usr/X11R6/bin/drakconf.real line 271.
Subroutine translate redefined at /usr/X11R6/bin/drakconf.real line 276.
wizard-3.2.1-5mdk

Then I click on the security-firewall and this error message appears.
no package named iptables
no package named Bastille

What needs to be done to fix this?

Joe


Ashley Reynolds wrote:
 On Wed, 6 Mar 2002, Dr Joe Brand wrote:
 
 
Where can I get information on configuring a firewall?  The GUI in
drakconf is hosed.  It says I need to install iptables and Bastille.

 
 You could easily install iptables and Bastille to fix DrakConf, by issuing
 the following commands, as root:
 
 urpmi iptables
 urpmi Bastille
 
 
I would rather understand how to configure manually and what files need
to be edited.

 
 You might want to look for documentation on 'iptables' then.
 
 Ashley
 
 --
 Ashley Reynolds
 [EMAIL PROTECTED]
 http://www.binarytide.net
 
 An eye for an eye leaves the whole world blind.
 
 
 
 
 
 
 



[newbie] Firewall setup

2002-03-06 Thread Dr Joe Brand

Where can I get information on configuring a firewall?  The GUI in 
drakconf is hosed.  It says I need to install iptables and Bastille.

I would rather understand how to configure manually and what files need 
to be edited.

Joe







Re: [newbie] Firewall setup

2002-03-06 Thread Ashley Reynolds

On Wed, 6 Mar 2002, Dr Joe Brand wrote:

 Where can I get information on configuring a firewall?  The GUI in
 drakconf is hosed.  It says I need to install iptables and Bastille.

You could easily install iptables and Bastille to fix DrakConf, by issuing
the following commands, as root:

urpmi iptables
urpmi Bastille

 I would rather understand how to configure manually and what files need
 to be edited.

You might want to look for documentation on 'iptables' then.

Ashley

--
Ashley Reynolds
[EMAIL PROTECTED]
http://www.binarytide.net

An eye for an eye leaves the whole world blind.








RE: [newbie] Firewall and win

2002-02-24 Thread Robin

Firewall can only block ports but not program specific, i.e., if you
block everything but leave web open, any web browser would work. If you
really want to lock it down to one program, i.e. Netscape instead of IE,
try something like Norton Personal Firewall. There are quite a few
others out there, Zone Alarm and so on, but since I don't use them, I
cannot comment on those.

HTH

Robin

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]] On Behalf Of Stojs
 Sent: Friday, February 22, 2002 8:25 AM
 To: [EMAIL PROTECTED]
 Subject: [newbie] Firewall and win
 
 
 I have a lan connection to the internet and would like to 
 have one smoothwall linux firewall computer connected to the 
 internet. This smoothwall would be connected to a mandrake 
 linux computer which would be connected to a win2000 machine.
 
 Is it possible to have the windows computer totally shut off 
 from the internet except for one program (direct connect)?
 
 If it is possible, is it a good choice? Would it be better to 
 have mandrake run a firewall, and skip the smoothwall 
 machine? Or should I have a firewall in the windows machine instead?
 
 Thanks in advance,
 Stojs
 
 
 
 





Re: [newbie] Firewall and win

2002-02-24 Thread Randy Kramer

Robin wrote:
 Firewall can only block ports but not program specific, i.e., if you
 block everything but leave web open, any web browser would work. If you
 really want to lock it down to one program, i.e. Netscape instead of IE,
 try something like Norton Personal Firewall. There are quite a few
 others out there, Zone Alarm and so on, but since I don't use them, I
 cannot comment on those.

I think Zone Alarm does the same thing as Norton Personal Firewall.  I
use Zone Alarm (the free personal edition -- not sure it's available
anymore) and it seems that I can block access by specific program.  When
it finds a program trying to connect from my machine to the Internet, it
tells me the name of the program, it asks me if I want to allow that
specific program to access the Internet, and maintains a list of the
programs I have enabled to do so. (I can delete programs from that list
if I wish.)

Not sure how incoming connections are handled because I use a NAT based
gateway which only allows incoming connections associated with an
outgoing request.

Randy Kramer






Re: [newbie] Firewall and win

2002-02-24 Thread Rodrigo

Take a look at Tiny Personal Firewall as well, www.tinysoftware.com. It 
has some interesting features that are not available on ZoneAlarm. Tiny 
is also free.

Rodrigo

Randy Kramer wrote:

Robin wrote:

Firewall can only block ports but not program specific, i.e., if you
block everything but leave web open, any web browser would work. If you
really want to lock it down to one program, i.e. Netscape instead of IE,
try something like Norton Personal Firewall. There are quite a few
others out there, Zone Alarm and so on, but since I don't use them, I
cannot comment on those.


I think Zone Alarm does the same thing as Norton Personal Firewall.  I
use Zone Alarm (the free personal edition -- not sure it's available
anymore) and it seems that I can block access by specific program.  When
it finds a program trying to connect from my machine to the Internet, it
tells me the name of the program, it asks me if I want to allow that
specific program to access the Internet, and maintains a list of the
programs I have enabled to do so. (I can delete programs from that list
if I wish.)

Not sure how incoming connections are handled because I use a NAT based
gateway which only allows incoming connections associated with an
outgoing request.

Randy Kramer







Re: [newbie] Firewall and win

2002-02-24 Thread Randy Kramer

Rodrigo wrote:
 Take a look at Tiny Personal Firewall as well, www.tinysoftware.com. It
 has some interesting features that are not available on ZoneAlarm. Tiny
 is also free.

Rodrigo,

Thanks, I'll take a look.

Randy Kramer






[newbie] Firewall and win

2002-02-22 Thread Stojs

I have a lan connection to the internet and would like to have one
smoothwall linux firewall computer connected to the internet. This
smoothwall would be connected to a mandrake linux computer which would be
connected to a win2000 machine.

Is it possible to have the windows computer totally shut off from the
internet except for one program (direct connect)?

If it is possible, is it a good choice? Would it be better to have
mandrake run a firewall, and skip the smoothwall machine? Or should I
have a firewall in the windows machine instead?

Thanks in advance,
Stojs








Re: [newbie] Firewall - Thanks !!!

2002-02-16 Thread Rodrigo

Thanks to all that answered my mail !!!
The sites are very nice to test the firewall and also now I know that 
iptables is the one that does the work.
Thank you all very much !

Rodrigo

Brian Parish wrote:

On Thu, 2002-02-14 at 10:07, David Stevenson wrote:

On Tue, 12 Feb 2002 20:28:05 -0200
Rodrigo [EMAIL PROTECTED] wrote:

Hello all !
What is the best way to make a firewall for a desktop station ? There 
aren't any servers running on my computer.
Right after installing mdk8.1 I ran the control center and set the 
firewall answering the questions. Some time ago I decided to explore the 
BastilleInteractive options (I was curious) and left almost all the 
items set with the default options. I think it didn't make much 
difference for me and I have the same settings I had with the control 
center's firewall, but there is a doubt: how can I make sure that my 
firewall is running ? I don't see any process called Bastille or 
iptables with ps -ax, I only see a message during the boot process, 
initializing Bastille Firewall [OK].
Another question, are all the standard firewall that come with mdk8.1 
dependant on Bastille or I can disable Bastille at start-up ?
Thanks,

Rodrigo




Don't be fooled by the name Bastille, it is nothing more than a glorified rules 
generator for the iptables system. Iptables is a kernel system so that you will not 
see a daemon running. It is a set of rules that each packet entering or leaving the 
system will pass thru. I posted a mail to this or the expert list within the last 
month detailing the basic rules to lock your system. /sbin/iptables -l as root will  
show you what rules are in place. If you read the iptables man pages etc, you will 
never go back to Bastille or any other rule generator, the best firewall is always 
the one that you write yourself only if you know what you are doing. And that does 
not take long with iptables!

Thats enough from me for now!

ATB
Dave





Make that  /sbin/iptables -L









Re: [newbie] Firewall

2002-02-13 Thread Michael

mike wrote:
 
 Rodrigo wrote:
 
  Hello all !
  What is the best way to make a firewall for a desktop station ? There
  aren't any servers running on my computer.
  Right after installing mdk8.1 I ran the control center and set the
  firewall answering the questions. Some time ago I decided to explore the
  BastilleInteractive options (I was curious) and left almost all the
  items set with the default options. I think it didn't make much
  difference for me and I have the same settings I had with the control
  center's firewall, but there is a doubt: how can I make sure that my
  firewall is running ? I don't see any process called Bastille or
  iptables with ps -ax, I only see a message during the boot process,
  initializing Bastille Firewall [OK].
  Another question, are all the standard firewall that come with mdk8.1
  dependent on Bastille or I can disable Bastille at start-up ?
  Thanks,
 
 You can test your firewall to see if it's protecting you here:
 
 https://grc.com/x/ne.dll?bh0bkyd2
 
 Mike
 

There has been discussion about these port scanners on the
list before. That one seems specifically aimed at windows
users. Nice accompanying FAQ. This link points to a more
thorough scanner.

http://www.mycgiserver.com/~kalish/

It has also been pointed out that some discrepancies could
occur at your ISP's computers.

Michael

-- 
To a Californian, the basic difference between the people
and the pigeons
in New York is that the pigeons don't shit on each other.
-- From East vs. West: The War Between the Coasts






Re: [newbie] Firewall

2002-02-13 Thread David Stevenson

On Tue, 12 Feb 2002 20:28:05 -0200
Rodrigo [EMAIL PROTECTED] wrote:

 Hello all !
 What is the best way to make a firewall for a desktop station ? There 
 aren't any servers running on my computer.
 Right after installing mdk8.1 I ran the control center and set the 
 firewall answering the questions. Some time ago I decided to explore the 
 BastilleInteractive options (I was curious) and left almost all the 
 items set with the default options. I think it didn't make much 
 difference for me and I have the same settings I had with the control 
 center's firewall, but there is a doubt: how can I make sure that my 
 firewall is running ? I don't see any process called Bastille or 
 iptables with ps -ax, I only see a message during the boot process, 
 initializing Bastille Firewall [OK].
 Another question, are all the standard firewall that come with mdk8.1 
 dependent on Bastille or I can disable Bastille at start-up ?
 Thanks,
 
 Rodrigo
 
 
 
 
Don't be fooled by the name Bastille, it is nothing more than a glorified rules 
generator for the iptables system. Iptables is a kernel system so that you will not 
see a daemon running. It is a set of rules that each packet entering or leaving the 
system will pass thru. I posted a mail to this or the expert list within the last 
month detailing the basic rules to lock your system. /sbin/iptables -l as root will  
show you what rules are in place. If you read the iptables man pages etc, you will 
never go back to Bastille or any other rule generator, the best firewall is always the 
one that you write yourself only if you know what you are doing. And that does not 
take long with iptables!

That's enough from me for now!

ATB
Dave






Re: [newbie] Firewall

2002-02-13 Thread Brian Parish

On Thu, 2002-02-14 at 10:07, David Stevenson wrote:
 On Tue, 12 Feb 2002 20:28:05 -0200
 Rodrigo [EMAIL PROTECTED] wrote:
 
  Hello all !
  What is the best way to make a firewall for a desktop station ? There 
  aren't any servers running on my computer.
  Right after installing mdk8.1 I ran the control center and set the 
  firewall answering the questions. Some time ago I decided to explore the 
  BastilleInteractive options (I was curious) and left almost all the 
  items set with the default options. I think it didn't make much 
  difference for me and I have the same settings I had with the control 
  center's firewall, but there is a doubt: how can I make sure that my 
  firewall is running ? I don't see any process called Bastille or 
  iptables with ps -ax, I only see a message during the boot process, 
  initializing Bastille Firewall [OK].
  Another question, are all the standard firewall that come with mdk8.1 
  dependent on Bastille or I can disable Bastille at start-up ?
  Thanks,
  
  Rodrigo
  
  
  
  
 Don't be fooled by the name Bastille, it is nothing more than a glorified rules 
generator for the iptables system. Iptables is a kernel system so that you will not 
see a daemon running. It is a set of rules that each packet entering or leaving the 
system will pass thru. I posted a mail to this or the expert list within the last 
month detailing the basic rules to lock your system. /sbin/iptables -l as root will  
show you what rules are in place. If you read the iptables man pages etc, you will 
never go back to Bastille or any other rule generator, the best firewall is always 
the one that you write yourself only if you know what you are doing. And that does 
not take long with iptables!
 
 That's enough from me for now!
 
 ATB
 Dave
 
 
 

Make that  /sbin/iptables -L
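
The check discussed in this thread (confirming a firewall is active when `ps` shows no process, by reading `/sbin/iptables -L`), as an added example that is not part of any poster's message: the script summarizes each chain's policy and rule count and classifies the ruleset. The sample listings are constructed, and the "loaded"/"empty" heuristic and the function names are assumptions of this example.

```shell
# Constructed sample of `iptables -L -n` output with a ruleset loaded.
SAMPLE_LOADED='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     all  --  127.0.0.1            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'
# Constructed sample: kernel defaults, no rules loaded.
SAMPLE_EMPTY='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Print "chain policy rule_count" for each chain read on stdin.
# User-defined chains have no policy and are shown with "-".
summarize_ruleset() {
    awk '
        function emit() { if (chain != "") print chain, policy, rules }
        /^Chain / {
            emit()
            chain = $2; rules = 0
            policy = ($3 == "(policy") ? $4 : "-"
            sub(/\)$/, "", policy)
            next
        }
        /^target / || /^[ \t]*$/ { next }   # column header, blank line
        { rules++ }
        END { emit() }
    '
}

# Heuristic (assumed here): "loaded" if any chain holds a rule or any policy is not ACCEPT.
firewall_state() {
    summarize_ruleset | awk '
        $3 > 0 || ($2 != "-" && $2 != "ACCEPT") { loaded = 1 }
        END { print (loaded ? "loaded" : "empty") }
    '
}

# On a live system (as root): /sbin/iptables -L -n | firewall_state
printf '%s\n' "$SAMPLE_LOADED" | summarize_ruleset
```

An "empty" result after boot means the init script printed its `[OK]` but left the kernel tables at their defaults, which is the situation the original question was trying to rule out.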







