Re: [newbie] PMFirewall and IPchains
Peter; The questions you answered from my previous post were meant as rhetorical ones, but well done. I wasn't expecting answers! However, I'm still hoping that Linux will become considerably more popular to the masses, and I see easy-to-use-and-install packages as one of the ways that the appeal of Linux can be greatly enhanced. Thanks for your comments. Dan LaBine Registered Linux User #190712 - Original Message - From: "Peter Smith" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Saturday, March 17, 2001 7:19 PM Subject: Re: [newbie] PMFirewall and IPchains --- Dan LaBine [EMAIL PROTECTED] wrote: snip! Why are many Linux-based programs so complicated to set up?? Here we are, snip! I'm no expert but I've got a few theories for you. Theory 1: Hacking code is fun. Writing a polished interface isn't so much fun. Since most of what you use under Linux has been written by volunteers who're writing code for the love of writing code, you get software that is robust and powerful but lacks polish and/or good documentation (until someone else comes along and writes the latter). Theory 2: It's danged hard to write an 'easy-to-use' interface that doesn't limit access to the software in some way. One of my primary reasons for trying to wean myself off of Windows is that every version that comes out puts more barriers between me and the machine. More and more, M$ 'guesses' at what I really want to do, and does it. If it guesses wrong, I have to recourse. I'll project my annoyance with this onto the Linux community in general (who, from what I've seen, really enjoy having full control of the OS) and guess that the people who write this software are loathe to do anything that might limit what you can do with it in any way. Now, a comment... things surely are getting better. I'm in my 3rd or 4th attempt at becoming a full time Linux user. The first time I tried was with RedHat 5, iirc, and it was a huge challenge to get that installed. Compare that installation to the one in Mandrake 7.2 and there's an amazing improvement in ease-of-use. If/when Linux starts to make real in-roads into the desktop space, there'll be commercial incentive to pay people to craft nice interfaces to existing utilities... until then we'll have to make do, or develop the coding skills needed to create nice interfaces and build 'wrappers' for powerful but unwieldy utilities... All the above is just my opinion, of course, and be aware that I am NOT a hard-core linux geek (yet). I'm trying to get there, though... every time I boot Windows these days, I feel a sense of defeat... I'll get there! = ~~~ Peter Smith, Cambridge, MA, USA Various bookmarks = http://people.ne.mediaone.net/jaded Chat about games, movies and tv = http://jadedspub.com ~~~ "They were playing Wagner. It's the most fun I've had in about six months" -Tyr Anasazi __ Do You Yahoo!? Get email at your own domain with Yahoo! Mail. http://personal.mail.yahoo.com/
Re: [newbie] PMFirewall and IPchains
To all! As a followup to my previous post to the mandrake group, I did some snooping around, and found something VERY interesting! Check out this web-site for something you might find useful - http:/www.securepoint.cc . They have a complete firewall kit which includes Linux and Windows Administration Clients, as well as thier own version of Linux with it's own firewall system included. Download all the english files for the FREEWARE edition ( Man! I just love that term! ). The large file includes a CD image in ".c2d" format, so a CD burner is required, and get the separate client and manual files. This firewall system is designed to be used on a separate firewall PC (Check the manual for minimum requirements). This one looks really good. I'll be setting it up in the next few days myself. Hope this helps everyone! Dan LaBine Registered Linux User #190712
Re: [newbie] PMFirewall and IPchains
Peter, Sounds like a very well informed opinion formed by someone who has done their homework and put in the time. Mark Peter Smith wrote: --- Dan LaBine [EMAIL PROTECTED] wrote: snip! Why are many Linux-based programs so complicated to set up?? Here we are, snip! I'm no expert but I've got a few theories for you. Theory 1: Hacking code is fun. Writing a polished interface isn't so much fun. Since most of what you use under Linux has been written by volunteers who're writing code for the love of writing code, you get software that is robust and powerful but lacks polish and/or good documentation (until someone else comes along and writes the latter). Theory 2: It's danged hard to write an 'easy-to-use' interface that doesn't limit access to the software in some way. One of my primary reasons for trying to wean myself off of Windows is that every version that comes out puts more barriers between me and the machine. More and more, M$ 'guesses' at what I really want to do, and does it. If it guesses wrong, I have to recourse. I'll project my annoyance with this onto the Linux community in general (who, from what I've seen, really enjoy having full control of the OS) and guess that the people who write this software are loathe to do anything that might limit what you can do with it in any way. Now, a comment... things surely are getting better. I'm in my 3rd or 4th attempt at becoming a full time Linux user. The first time I tried was with RedHat 5, iirc, and it was a huge challenge to get that installed. Compare that installation to the one in Mandrake 7.2 and there's an amazing improvement in ease-of-use. If/when Linux starts to make real in-roads into the desktop space, there'll be commercial incentive to pay people to craft nice interfaces to existing utilities... until then we'll have to make do, or develop the coding skills needed to create nice interfaces and build 'wrappers' for powerful but unwieldy utilities... All the above is just my opinion, of course, and be aware that I am NOT a hard-core linux geek (yet). I'm trying to get there, though... every time I boot Windows these days, I feel a sense of defeat... I'll get there! = ~~~ Peter Smith, Cambridge, MA, USA Various bookmarks = http://people.ne.mediaone.net/jaded Chat about games, movies and tv = http://jadedspub.com ~~~ "They were playing Wagner. It's the most fun I've had in about six months" -Tyr Anasazi __ Do You Yahoo!? Get email at your own domain with Yahoo! Mail. http://personal.mail.yahoo.com/
Re: [newbie] PMFirewall and IPchains
Dan...In some ways we're saying similar things, except as to the point of "what" Pmfirewall is. And it is definately "not" a firewall, rather it is merely a means to get the ipchains firewall rule-set configured to a point to where it's functional. Notice I didn't say ready for prime time, but functional. Enough for the user then to open the rules file and begin to tweak and fine tune the rule-set so that it becomes what you mentioned having setup after uninstalling PM. Were it not for PM I would have had to spend a lot more time reading the Ipchains docs and scratching my head to get my firewall running. Since then I've made "many" additions and modifications to the rule-set that is "more" the firewall itself then anything else. What I've said and have maintained all along is that PM is nothing more then a front end, (of sorts...albeit a console front end and not a GUI) configuration utility for IPchains. And a darn good one for newbies to cut their teeth on and get exposed to the use of Ipchains. And, God's blessings to you on your endeavor to quit smoking. I know what you're going through having been there myself 7 years ago. Your opinions were stated just fine. I should have added that my comments were given "tongue-in-cheek." Mark If PMfirewall is only going to "Filter" ports ( ie: Ports # 139, 443, 631, etc,..) It's not good enough. The fact that it doesn't tell you this during the configuration, is also misleading. And you're right Mark,...It's not a Windows Program, It's a Linux/Unix program. By default, it should therefore be a MUCH BETTER program !!!
Re: [newbie] PMFirewall and IPchains
Getting back to PMfirewall leaving some ports open: I've got a complete mental block when it comes to comprehending the ipchains rules. I'm at even more of a total loss with the new iptables in 2.4.x kernels. I have found that I can completely secure my box, all ports, using a combination of PMfirewall (all default answers) to write the ipchains rules for me, and then also starting portsentry (simple instructions for portsentry setup are in it's docs). Then going to: http://www.sdesign.com/cgi-bin/fwtest.cgi?APPLY=Scan+Me+Now and doing the basic scan. Besides their report, I can then read root's mail (I have kmail set up for this) and the 'attack alert' goes on for ever. Skimming thru it, SecureDesign's scanner is rejected for every port ! Almost daily while reading root's mail I see a few (prob'ly benign) attempts to scan or connect to me, all similarly rejected. -- Dale Earnhardt, the greatest stock car driver ever, he's won his 8th and His Greatest Championship Tom Brinkman [EMAIL PROTECTED] Galveston Bay On Saturday 17 March 2001 08:44 am, Mark Weaver wrote: Dan...In some ways we're saying similar things, except as to the point of "what" Pmfirewall is. And it is definately "not" a firewall, rather it is merely a means to get the ipchains firewall rule-set configured to a point to where it's functional. Notice I didn't say ready for prime time, but functional. Enough for the user then to open the rules file and begin to tweak and fine tune the rule-set so that it becomes what you mentioned having setup after uninstalling PM. Were it not for PM I would have had to spend a lot more time reading the Ipchains docs and scratching my head to get my firewall running. Since then I've made "many" additions and modifications to the rule-set that is "more" the firewall itself then anything else. What I've said and have maintained all along is that PM is nothing more then a front end, (of sorts...albeit a console front end and not a GUI) configuration utility for IPchains. And a darn good one for newbies to cut their teeth on and get exposed to the use of Ipchains. And, God's blessings to you on your endeavor to quit smoking. I know what you're going through having been there myself 7 years ago. Your opinions were stated just fine. I should have added that my comments were given "tongue-in-cheek." Mark If PMfirewall is only going to "Filter" ports ( ie: Ports # 139, 443, 631, etc,..) It's not good enough. The fact that it doesn't tell you this during the configuration, is also misleading. And you're right Mark,...It's not a Windows Program, It's a Linux/Unix program. By default, it should therefore be a MUCH BETTER program !!!
Re: [newbie] PMFirewall and IPchains
Tom, That's how I've got my system running and I've found the combination to a very good one. As for wrapping your brain around the IPchains rules and such. I can appreciate how you're feeling having been there myself. It took a little while of looking at the man pages and then reading and re-reading the HOWTO for IPchains about 6 times, and even after all that I didn't really start to catch on until after I installed PMfirewall. I started studying the actual rule-set and seeing how they're constructed and things gradually began to dawn on me about what they're doing. Also how to manipulate them to get them to do what I want them to do. Mark Tom Brinkman wrote: Getting back to PMfirewall leaving some ports open: I've got a complete mental block when it comes to comprehending the ipchains rules. I'm at even more of a total loss with the new iptables in 2.4.x kernels. I have found that I can completely secure my box, all ports, using a combination of PMfirewall (all default answers) to write the ipchains rules for me, and then also starting portsentry (simple instructions for portsentry setup are in it's docs). Then going to: http://www.sdesign.com/cgi-bin/fwtest.cgi?APPLY=Scan+Me+Now and doing the basic scan. Besides their report, I can then read root's mail (I have kmail set up for this) and the 'attack alert' goes on for ever. Skimming thru it, SecureDesign's scanner is rejected for every port ! Almost daily while reading root's mail I see a few (prob'ly benign) attempts to scan or connect to me, all similarly rejected. -- Dale Earnhardt, the greatest stock car driver ever, he's won his 8th and His Greatest Championship Tom Brinkman [EMAIL PROTECTED] Galveston Bay On Saturday 17 March 2001 08:44 am, Mark Weaver wrote: Dan...In some ways we're saying similar things, except as to the point of "what" Pmfirewall is. And it is definately "not" a firewall, rather it is merely a means to get the ipchains firewall rule-set configured to a point to where it's functional. Notice I didn't say ready for prime time, but functional. Enough for the user then to open the rules file and begin to tweak and fine tune the rule-set so that it becomes what you mentioned having setup after uninstalling PM. Were it not for PM I would have had to spend a lot more time reading the Ipchains docs and scratching my head to get my firewall running. Since then I've made "many" additions and modifications to the rule-set that is "more" the firewall itself then anything else. What I've said and have maintained all along is that PM is nothing more then a front end, (of sorts...albeit a console front end and not a GUI) configuration utility for IPchains. And a darn good one for newbies to cut their teeth on and get exposed to the use of Ipchains. And, God's blessings to you on your endeavor to quit smoking. I know what you're going through having been there myself 7 years ago. Your opinions were stated just fine. I should have added that my comments were given "tongue-in-cheek." Mark If PMfirewall is only going to "Filter" ports ( ie: Ports # 139, 443, 631, etc,..) It's not good enough. The fact that it doesn't tell you this during the configuration, is also misleading. And you're right Mark,...It's not a Windows Program, It's a Linux/Unix program. By default, it should therefore be a MUCH BETTER program !!!
RE: [newbie] PMFirewall and IPchains
I just got pmfirewall working in my unusual circumstances.. ie hosting multiple domains,, (virtual IP's for ppp0) and before the firewall would only work on the static IP of the dialup, not the actual domain names.. it now works exactly as I wanted, and I have added alot to the ruleset as well.. ie, apart from working on all the domains, I also watch the portsentry emails, (which are directed to my home account) and when I see a port being scanned, if I am not using it, I add it to the rules... so all the commonly scanned ports get denied or rejected by default. I am starting to feel better about my security level. (still paranoid though.) I think one of the best things you can do, is to make sure you are not using any unencrypted ports over the net. ie no pop3, no FTP no telnet, or any others, if you aint using it, turn it off, and most of all, keep updated. just my thoughts, if anyone wants to know how I got pmfirewall working with virtual IP's or domains... drop me a line... regards Frank Hauptle / / _ ---/ / (_)__ __ __ --/ /__/ / _ \/ // /\ \/ / -//_/_//_/\_,_/ /_/\_\ Gshop Network Payment Solutions. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Tom Brinkman Sent: Saturday, 17 March 2001 11:29 PM To: [EMAIL PROTECTED] Subject: Re: [newbie] PMFirewall and IPchains Getting back to PMfirewall leaving some ports open: I've got a complete mental block when it comes to comprehending the ipchains rules. I'm at even more of a total loss with the new iptables in 2.4.x kernels. I have found that I can completely secure my box, all ports, using a combination of PMfirewall (all default answers) to write the ipchains rules for me, and then also starting portsentry (simple instructions for portsentry setup are in it's docs). Then going to: http://www.sdesign.com/cgi-bin/fwtest.cgi?APPLY=Scan+Me+Now and doing the basic scan. Besides their report, I can then read root's mail (I have kmail set up for this) and the 'attack alert' goes on for ever. Skimming thru it, SecureDesign's scanner is rejected for every port ! Almost daily while reading root's mail I see a few (prob'ly benign) attempts to scan or connect to me, all similarly rejected. -- Dale Earnhardt, the greatest stock car driver ever, he's won his 8th and His Greatest Championship Tom Brinkman [EMAIL PROTECTED] Galveston Bay On Saturday 17 March 2001 08:44 am, Mark Weaver wrote: Dan...In some ways we're saying similar things, except as to the point of "what" Pmfirewall is. And it is definately "not" a firewall, rather it is merely a means to get the ipchains firewall rule-set configured to a point to where it's functional. Notice I didn't say ready for prime time, but functional. Enough for the user then to open the rules file and begin to tweak and fine tune the rule-set so that it becomes what you mentioned having setup after uninstalling PM. Were it not for PM I would have had to spend a lot more time reading the Ipchains docs and scratching my head to get my firewall running. Since then I've made "many" additions and modifications to the rule-set that is "more" the firewall itself then anything else. What I've said and have maintained all along is that PM is nothing more then a front end, (of sorts...albeit a console front end and not a GUI) configuration utility for IPchains. And a darn good one for newbies to cut their teeth on and get exposed to the use of Ipchains. And, God's blessings to you on your endeavor to quit smoking. I know what you're going through having been there myself 7 years ago. Your opinions were stated just fine. I should have added that my comments were given "tongue-in-cheek." Mark If PMfirewall is only going to "Filter" ports ( ie: Ports # 139, 443, 631, etc,..) It's not good enough. The fact that it doesn't tell you this during the configuration, is also misleading. And you're right Mark,...It's not a Windows Program, It's a Linux/Unix program. By default, it should therefore be a MUCH BETTER program !!!
Re: [newbie] PMFirewall and IPchains
Mark, Tom, and anyone else who can shed a little light on the subject; Mark, Thanks for your response. And your support. I was about to "Light one Up" when I received your email. I owe you one. And now for a question that's probably going to open a "Can Of Worms". I will start by apologising up front for any offense loyal/fanatical Linux users may infer from this. I apologise. There, that's done! Now, for the question. Why are many Linux-based programs so complicated to set up?? Here we are, getting involved in a conversation about a type of program which should be relatively simple to install/setup/configure, and I'm sure that this won't be the last time someone has a problem with IPchains/PMfirewall, or some other package. I'm just curious though, why is it a real pain? You gents are talking about using 2 or more techniques to accomplish something that should be relatively easy. What's the big point that I'm not seeing? What I mean is that although Linux is in a constant state of development, some of the technologies are relatively constant. TCP/IP has been around for quite some time, and is probably considered a "Standard" protocol these days, and I would think that the rules governing it and ways to block/close ports would also be pretty consistent. So why then does it take so much to tackle a setup that should be a piece of cake? I realise that I may be understating the issue, but what ever happened to a nice simple procedure? What ports do you want to leave open? What ports do you want to close? Enable masquerading ? Yes/No? etc,etc. Run these rules each time you start this PC? Okey Dokey, We're done! Have a nice day!! You know, Simple. Personally, I'm glad I've broken away from most M$ products, and all the various apps that used to cost Way Too Much. But many of them did perform background tasks without having to be "Tweaked" ( assuming you're not including all the various updates/patches/bug fixes/service packs! ). But as an comparison, I used to use firewall/proxy apps that did exactly what they said. Install and configure them and your done. In a GUI no less. Mark, why should you have to read the ipchains HOW-TO 6 times??!! Tom, why should you have to use PMfirewall AND PortSentry? Why does PMfirewall ask the setup questions that it asks, and then leaves ports open or just filtered, instead of totally closed? See what I mean? I'm a firm beleiver in Linux and all it has to offer, but I'm wondering why it has to be so darn tricky? I've tried using some of the frontends for ipchains, and same thing. Not clear about what they're doing or confusing to use. One of the things that I am very happy with is the System Administration Wizard in LM 7.2 Corp Server, and don't get me started on the merits of Webmin! That's a marvelous example of how to make a setup easy! There's quite a few others out there, I'm sure. Since Linux is arguably much better than other O/Ses out there and the Linux community does a fabulous job of bringing us great packages, office suites, etc.,why do some of these things have to be enough to warrant a trip to the shrink?? ( Insert deepest apology to psychiatrists reading this! ). I'm under the impression that there's a conspiracy going on! Someone is deliberately trying to make us think! I hate it when that happens! I have a tough enough time paying my bills on time, so why make these things harder to install and setup than they need to be? OK, I'm done. Just wanted to vent, and maybe to get the creative juices flowing! I don't know about you guys, but I'd pay good money for someone to write up a quick and nasty Wizard/GUI for ipchains that would walk you through the setup, step-by-step, and write the results to the ipchains configuration file. Mom wanted me to be a "Rocket Scientist", but no, no, no! I had to become a brain surgeon! Serves me right! Dan LaBine Registered Linux User #190712
Re: [newbie] PMFirewall and IPchains
Ok, so what are some good ways to convert PMFirewall rules to IPChains? I'm running IPChains now, witht the rules set up by PMFirewall (added a rule to close port 1024 which PMFirewall left open). But how do I make it close (as opposed to filter) ports. ALso, any specific unnecessary ports PMF leaves open that I should close with IPChains? -Paul R Tom Brinkman wrote: Getting back to PMfirewall leaving some ports open: I've got a complete mental block when it comes to comprehending the ipchains rules. I'm at even more of a total loss with the new iptables in 2.4.x kernels. I have found that I can completely secure my box, all ports, using a combination of PMfirewall (all default answers) to write the ipchains rules for me, and then also starting portsentry (simple instructions for portsentry setup are in it's docs). Then going to: http://www.sdesign.com/cgi-bin/fwtest.cgi?APPLY=Scan+Me+Now and doing the basic scan. Besides their report, I can then read root's mail (I have kmail set up for this) and the 'attack alert' goes on for ever. Skimming thru it, SecureDesign's scanner is rejected for every port ! Almost daily while reading root's mail I see a few (prob'ly benign) attempts to scan or connect to me, all similarly rejected. _ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com
Re: [newbie] PMFirewall and IPchains
On Saturday 17 March 2001 05:49 pm, Paul R wrote: Ok, so what are some good ways to convert PMFirewall rules to IPChains? PMfirewall is nothing more than a script you run, answer some straightforward questions, and then it writes ipchains rules according to the answers you give. .or maybe I don't understand your question ? I'm running IPChains now, witht the rules set up by PMFirewall (added a rule to close port 1024 which PMFirewall left open). But how do I make it close (as opposed to filter) ports. ALso, any specific unnecessary ports PMF leaves open that I should close with IPChains? I believe this is what portsentry does. Type 'whereis portsentry' in a terminal, to see if it's already installed. Many Mandrake installs include it. 'locate portsentry' will show you where the docs are. -- Dale Earnhardt, the greatest stock car driver ever, he's won his 8th and His Greatest Championship Tom Brinkman [EMAIL PROTECTED] Galveston Bay Tom Brinkman wrote: Getting back to PMfirewall leaving some ports open: I've got a complete mental block when it comes to comprehending the ipchains rules. I'm at even more of a total loss with the new iptables in 2.4.x kernels. I have found that I can completely secure my box, all ports, using a combination of PMfirewall (all default answers) to write the ipchains rules for me, and then also starting portsentry (simple instructions for portsentry setup are in it's docs). Then going to: http://www.sdesign.com/cgi-bin/fwtest.cgi?APPLY=Scan+Me+Now and doing the basic scan. Besides their report, I can then read root's mail (I have kmail set up for this) and the 'attack alert' goes on for ever. Skimming thru it, SecureDesign's scanner is rejected for every port ! Almost daily while reading root's mail I see a few (prob'ly benign) attempts to scan or connect to me, all similarly rejected.
Re: [newbie] PMFirewall and IPchains
--- Dan LaBine [EMAIL PROTECTED] wrote: snip! Why are many Linux-based programs so complicated to set up?? Here we are, snip! I'm no expert but I've got a few theories for you. Theory 1: Hacking code is fun. Writing a polished interface isn't so much fun. Since most of what you use under Linux has been written by volunteers who're writing code for the love of writing code, you get software that is robust and powerful but lacks polish and/or good documentation (until someone else comes along and writes the latter). Theory 2: It's danged hard to write an 'easy-to-use' interface that doesn't limit access to the software in some way. One of my primary reasons for trying to wean myself off of Windows is that every version that comes out puts more barriers between me and the machine. More and more, M$ 'guesses' at what I really want to do, and does it. If it guesses wrong, I have to recourse. I'll project my annoyance with this onto the Linux community in general (who, from what I've seen, really enjoy having full control of the OS) and guess that the people who write this software are loathe to do anything that might limit what you can do with it in any way. Now, a comment... things surely are getting better. I'm in my 3rd or 4th attempt at becoming a full time Linux user. The first time I tried was with RedHat 5, iirc, and it was a huge challenge to get that installed. Compare that installation to the one in Mandrake 7.2 and there's an amazing improvement in ease-of-use. If/when Linux starts to make real in-roads into the desktop space, there'll be commercial incentive to pay people to craft nice interfaces to existing utilities... until then we'll have to make do, or develop the coding skills needed to create nice interfaces and build 'wrappers' for powerful but unwieldy utilities... All the above is just my opinion, of course, and be aware that I am NOT a hard-core linux geek (yet). I'm trying to get there, though... every time I boot Windows these days, I feel a sense of defeat... I'll get there! = ~~~ Peter Smith, Cambridge, MA, USA Various bookmarks = http://people.ne.mediaone.net/jaded Chat about games, movies and tv = http://jadedspub.com ~~~ "They were playing Wagner. It's the most fun I've had in about six months" -Tyr Anasazi __ Do You Yahoo!? Get email at your own domain with Yahoo! Mail. http://personal.mail.yahoo.com/
