[SLUG] Firewall Distributions, Questions.

2009-03-02 Thread Blindraven
# cross post /u-au/slug

I am looking to set up a hardware firewall using an old computer and a Linux
distribution and am curious about a few things.
To start with, I'll attempt a diagram to show you how my network is
currently set up.

My home network is set up like so :

   Modem/Router
        |
     _Switch_
  |   |   |   |   |   |
  MB  MF  FS  DT  U1  U2

*(MB) - Mythbuntu Back-end
*(MF) - Mythbuntu Frontend
*(FS) - Fileserver
*(DT) - Dedicated Torrent | Downloader
*(U1) - User (me)
*(U2) - User (wife)


I am assuming with 2 NICs in the old computer, you dump it between the
switch and the router and connect both the switch and modem/router to it.
So it would look something like

   Modem/Router
        |
      NIC1
    Firewall
      NIC2
        |
     _Switch_
  |   |   |   |   |   |
  MB  MF  FS  DT  U1  U2


Based on my set-up, which of the following would you recommend and why?

pfSense, MoNoWaLL, Clark Connect. (Do you know any others?)

I understand policies could be configured for all of them to allow SSH etc,
but I'd like something that does not require me to mess with modules
extensively as I am not *that* technically savvy.
From what I've read pfSense seems to be the go, but I wouldn't know why
exactly.

Smoothwall is out of the question due to its lacking NIC driver support.

Any suggestions greatly appreciated,
Harrison.

-- 
Harrison Ghys.
http://www.sydney-linux.com
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html


Re: [SLUG] Firewall Distributions, Questions.

2009-03-02 Thread Kyle

Only heard good reports of monowall

But for mine, iptables is easy enough once you understand it.


Kind Regards

Kyle

Blindraven wrote:



Based on my set-up, which of the following would you recommend and why?

pfSense, MoNoWaLL, Clark Connect. (Do you know any others?)



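The two-NIC layout Harrison drew, done with plain iptables as Kyle suggests. This is an added example, not code from any message in the thread, and it assumes things the thread does not state: NIC1 (modem/router side) is eth0, NIC2 (switch side) is eth1, the LAN is 192.168.1.0/24, and SSH to the firewall is wanted from the LAN only. Run with no arguments it prints the rules so they can be reviewed; with --apply it loads them.

```shell
#!/bin/sh
# Added example, not code from any message in this thread: a minimal
# two-NIC iptables ruleset for the topology the original poster drew,
# NIC1 towards the modem/router and NIC2 towards the switch.
# Assumed, because the thread does not say: NIC1 is eth0, NIC2 is eth1,
# the LAN is 192.168.1.0/24, and SSH to the firewall is wanted from the
# LAN only. Override with WAN_IF=... LAN_IF=... LAN_NET=... in the environment.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the ruleset as plain iptables commands. Generating is kept separate
# from applying so the rules can be read and checked without root.
fw_rules() {
    cat <<EOF
# flush, then default-deny on the two chains that matter
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# traffic addressed to the firewall itself
iptables -A INPUT -i lo -j ACCEPT
# a LAN source address arriving on the WAN side is spoofed
iptables -A INPUT -i $WAN_IF -s $LAN_NET -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT
# traffic routed between the NICs: LAN out, replies back, nothing new in
iptables -A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
# hide the LAN behind the firewall's NIC1 address
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Check that every rule accepting new connections is tied to the LAN
# interface, so nothing unsolicited from the modem/router side gets in or
# through. Prints the offending rule and returns 1 if one slips in.
fw_check() {
    bad=$(fw_rules | grep -- '-j ACCEPT' | grep -v -- '-i lo ' \
        | grep -v -- '--state ESTABLISHED,RELATED' \
        | grep -v -- "-i $LAN_IF " || true)
    if [ -n "$bad" ]; then
        echo "unscoped ACCEPT rule: $bad" >&2
        return 1
    fi
    return 0
}

# Enable forwarding between the two NICs and load the rules (needs root).
fw_apply() {
    fw_check || return 1
    echo 1 > /proc/sys/net/ipv4/ip_forward
    fw_rules | sh -e
}

case "${1:-}" in
    --apply) fw_apply ;;
    *) fw_rules ;;
esac
```

The modem/router keeps doing its own NAT, so masquerading the LAN behind NIC1 means double NAT; the alternative is a static route for the LAN subnet on the modem/router and no POSTROUTING rule. The script hands out no addresses: once the firewall sits between switch and modem/router, the LAN hosts need static addresses or a DHCP server on the firewall, which is not set up here.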


Re: [SLUG] Firewall Distributions, Questions.

2009-03-02 Thread Dave Kempe

Blindraven wrote:


Based on my set-up, which of the following would you recommend and why?

pfSense, MoNoWaLL, Clark Connect. (Do you know any others?)


  
ubuntu-server and shorewall. the documentation for shorewall 
two-interface setup should be all you need.


http://shorewall.net/two-interface.htm

You get the most bang for your buck going this route.


dave


Re: [SLUG] Firewall Distributions, Questions.

2009-03-02 Thread Glen Cunningham
G'day Harrison,

On Monday 02 March 2009 19:57, Blindraven wrote:
<snip>

 Smoothwall is out of the question due to its lacking NIC driver
 support.

   Have you considered IPCop http://www.ipcop.org/ (an early fork from 
smoothwall) or Endian http://www.endian.com/en/ (a commercial fork 
from IPCop).  Both have more hardware support than Smoothwall.
   For supported hardware see ...
http://www.ipcop.org/index.php?module=pnWikka&tag=IPCopHCLv01
http://www.ipcop.org/index.php?module=pnWikka&tag=IPCopIDMap

HTH
Glen


Re: [SLUG] Firewall Distributions, Questions.

2009-03-02 Thread Jake Anderson

Glen Cunningham wrote:

G'day Harrison,

On Monday 02 March 2009 19:57, Blindraven wrote:
<snip>
  

Smoothwall is out of the question due to its lacking NIC driver
support.


   Have you considered IPCop http://www.ipcop.org/ (an early fork from 
smoothwall) or Endian http://www.endian.com/en/ (a commercial fork 
from IPCop).  Both have more hardware support than Smoothwall.

   For supported hardware see ...
http://www.ipcop.org/index.php?module=pnWikka&tag=IPCopHCLv01
http://www.ipcop.org/index.php?module=pnWikka&tag=IPCopIDMap

HTH
Glen
  

I second IPCop, it's really simple to set up, all nicely web based.
makes life nice and simple, all pointy clicky web based stuff ;-)

I had terrible trouble trying to get pfSense to run a bridged ADSL modem.
(IE I couldn't get it to work at all)
some problem with the pppoe thing they started using that can handle 
multiple bridged ADSL connections or something, that's all good, but it 
doesn't seem to work for a single connection any more :-


ipcop i was up and running in 15 minutes.


Re: [SLUG] Firewall Distributions, Questions

2009-03-02 Thread Jack Olszewski
 Only heard good reports of monowall
 
 But for mine, iptables is easy enough once you understand it.
 ...

Firehol, a pretty high level language of writing iptables rules 
(http://firehol.sourceforge.net/, also available as an rpm package) might be of 
help. It is for me.

Cheers,
--
Jack


Re: [SLUG] Firewall Distributions, Questions

2009-03-02 Thread Daniel Pittman
Jack Olszewski ja...@hermes.net.au writes:
 Only heard good reports of monowall

 But for mine, iptables is easy enough once you understand it.  ...

 Firehol, a pretty high level language of writing iptables rules
 (http://firehol.sourceforge.net/, also available as an rpm package)
 might be of help. It is for me.

I strongly recommend firehol if the OP is looking to use a generic Linux
system to build a firewall and router from.  OTOH, I understood from his
comments that what he really wanted was to replace one appliance with
another, even if it was Linux underneath.[1]

Regards,
Daniel

Footnotes: 
[1]  Actually, given the way many modem/router appliances are built
 these days it may well be Linux underneath in both cases, but the
 on desktop hardware version is likely to be less resource
 constrained.



Re: [SLUG] Firewall Distributions, Questions.

2009-03-02 Thread Blindraven
I burned off Smoothwall, IPCop, Clark Connect, Monowall and pfSense.

I installed all of them and spent around half an hour with each of the web
interfaces.
Shorewall looked promising in theory but did not have Wifi shaping which is
something I was after.

After having a good play with all of them I found pfSense to be the most
complete package, especially its speed distribution and shaping which is
perfect for my torrent box.

It took 8 minutes to install and about 20 minutes to get working under the
right configuration using its web interface. Its defaults are also very
sane and were more complete and in my opinion better implemented than IPCop
which would have been my second favourite from the lot. Again, it did not
have the dynamic shaping, and only supported a 50/50 scenario.

Thanks heaps for the tips !

Harrison.


On Tue, Mar 3, 2009 at 12:25 PM, Jake Anderson ya...@vapourforge.com wrote:

 Glen Cunningham wrote:

 G'day Harrison,

 On Monday 02 March 2009 19:57, Blindraven wrote:
 <snip>


 Smoothwall is out of the question due to its lacking NIC driver
 support.



   Have you considered IPCop http://www.ipcop.org/ (an early fork from
 smoothwall) or Endian http://www.endian.com/en/ (a commercial fork from
 IPCop).  Both have more hardware support than Smoothwall.
   For supported hardware see ...
 http://www.ipcop.org/index.php?module=pnWikka&tag=IPCopHCLv01
 http://www.ipcop.org/index.php?module=pnWikka&tag=IPCopIDMap

 HTH
 Glen


 I second IPCop, it's really simple to set up, all nicely web based.
 makes life nice and simple, all pointy clicky web based stuff ;-)

 I had terrible trouble trying to get pfSense to run a bridged ADSL modem.
 (IE I couldn't get it to work at all)
 some problem with the pppoe thing they started using that can handle
 multiple bridged ADSL connections or something, that's all good, but it
 doesn't seem to work for a single connection any more :-

 ipcop i was up and running in 15 minutes.

-- 
None are so hopelessly enslaved as those who falsely believe they are
free.


Re: [SLUG] Firewall Device Opinions

2006-07-17 Thread Simon Wong
On Wed, 2006-07-12 at 19:59 +1000, Christopher Vance wrote:
 Soekris (US) make the net4801, and PC-Engines (Switzerland) make
 the WRAP.  Both companies make a range of boards.
 
 Yawarra distributes both in Aus with a variety of cases available, and
 sells wireless cards which work well with them.  Paul is also a nice
 guy.  :-)

ah, thanks for the lead, this might be the answer to some of my Linux
prayers!

The net4801 looks like what I've been trying to find...

-- 
Simon Wong [EMAIL PROTECTED]



Re: [SLUG] Firewall Device Opinions

2006-07-12 Thread Sridhar Dhanapalan
On Tuesday 11 July 2006 11:01, Christopher Vance [EMAIL PROTECTED] wrote:
 On Tue, Jul 11, 2006 at 12:31:16AM +1000, Simon Wong wrote:
 The biggest problem I have come across looking at these is finding
 something with 3 NICs without spending a fortune on a multiple interface
 card from Intel.

 The soekris and pc-engines wrap both have 3 NICs, and are available
 from Yawarra.

Besides some minor quirks, Linux works well on the Yawarra WRAP and net4801 
(which is what I think you mean by soekris, which is just a case style).

A good alternative is pfSense [http://www.pfsense.com/], which is 
FreeBSD-based.

At home, I have HyperWRT running on a Linksys WRT-54GS v1.1. It runs like a 
champ.

-- 
Sridhar Dhanapalan
  {GnuPG/OpenPGP: http://www.dhanapalan.com/yama.asc
   0x049D38B4 : A7A9 8A02 78CB AB1B FCE4 EEC6 2DD9 249B 049D 38B4}

Although about 3 million computers get sold every year in China, people don't 
pay for the software. Someday they will, though. And as long as they're going 
to steal it, we want them to steal ours. They'll get sort of addicted, and 
then we'll somehow figure out how to collect sometime in the next decade.
- Bill Gates at the University of Washington, 1998



Re: [SLUG] Firewall Device Opinions

2006-07-12 Thread Christopher Vance

On Wed, Jul 12, 2006 at 05:27:46PM +1000, Sridhar Dhanapalan wrote:

Date: Wed, 12 Jul 2006 17:27:46 +1000
From: Sridhar Dhanapalan [EMAIL PROTECTED]
Subject: Re: [SLUG] Firewall Device Opinions
To: SLUG list slug@slug.org.au

On Tuesday 11 July 2006 11:01, Christopher Vance [EMAIL PROTECTED] wrote:

On Tue, Jul 11, 2006 at 12:31:16AM +1000, Simon Wong wrote:
The biggest problem I have come across looking at these is finding
something with 3 NICs without spending a fortune on a multiple interface
card from Intel.

The soekris and pc-engines wrap both have 3 NICs, and are available
from Yawarra.


Besides some minor quirks, Linux works well on the Yawarra WRAP and net4801 
(which is what I think you mean by soekris, which is just a case style).


Soekris (US) make the net4801, and PC-Engines (Switzerland) make
the WRAP.  Both companies make a range of boards.

Yawarra distributes both in Aus with a variety of cases available, and
sells wireless cards which work well with them.  Paul is also a nice
guy.  :-)

I run OpenBSD quite happily from CF on one of each, including
firewalling with ipsec and ipv6.  If all you're doing is a firewall,
you really don't need much CPU.

If you want 4 NICs, I believe Commell (Taiwan?) make some stuff, but I
believe it's more expensive.

A good alternative is pfSense [http://www.pfsense.com/], which is 
FreeBSD-based.


At home, I have HyperWRT running on a Linksys WRT-54GS v1.1. It runs like a 
champ.


--
Christopher Vance


Re: [SLUG] Firewall Device Opinions

2006-07-12 Thread Sridhar Dhanapalan
On Wednesday 12 July 2006 19:59, Christopher Vance [EMAIL PROTECTED] wrote:
 On Wed, Jul 12, 2006 at 05:27:46PM +1000, Sridhar Dhanapalan wrote:
 Date: Wed, 12 Jul 2006 17:27:46 +1000
 From: Sridhar Dhanapalan [EMAIL PROTECTED]
 Subject: Re: [SLUG] Firewall Device Opinions
 To: SLUG list slug@slug.org.au
 
 On Tuesday 11 July 2006 11:01, Christopher Vance [EMAIL PROTECTED] wrote:
  The soekris and pc-engines wrap both have 3 NICs, and are available
  from Yawarra.
 
 Besides some minor quirks, Linux works well on the Yawarra WRAP and
  net4801 (which is what I think you mean by soekris, which is just a
  case style).

 Soekris (US) make the net4801, and PC-Engines (Switzerland) make
 the WRAP.  Both companies make a range of boards.

I stand corrected. They list Soekris green as a case style/colour, so I took 
it at face value.


-- 
Sridhar Dhanapalan
  {GnuPG/OpenPGP: http://www.dhanapalan.com/yama.asc
   0x049D38B4 : A7A9 8A02 78CB AB1B FCE4 EEC6 2DD9 249B 049D 38B4}

Using a GUI amounts to hiding the true system modifications from the system 
administrators and operators. UNIX operators like the sense of control that 
comes from their ability to modify system tables and configuration files more 
directly. - Microsoft, 'Converting a UNIX .COM Site to Windows', 2000-22-08



Re: [SLUG] Firewall Device Opinions

2006-07-11 Thread John Clarke
On Tue, Jul 11, 2006 at 09:21:36 +0800, [EMAIL PROTECTED] wrote:

 A lot of work.

Not really.  Modifying the case to allow for the extra NIC took the 
most time, the rest was just Linux installation & configuration
which is quick & easy.

 Satisfying.

Yes.

 About 200M last time I counted, although I used a 30M version in my 

285MB, but I'm sure I could reduce that if I really cared :-)


Cheers,

John
-- 
I wonder why, when I just did kind of normal things-- some good
engineering and just what I wanted to do in life-- why everywhere I go,
some people think that I'm some kind of hero or a special person. 
-- Steve Wozniak 


Re: [SLUG] Firewall

2006-07-10 Thread Craige McWhirter
On Mon, 2006-07-10 at 14:02 +1000, James Gray wrote:

 If you need to manage multiple firewalls with a consistent
 policy/framework across multiple platforms (Linux/BSD and even Cisco
 PIX, Linksys, etc too) then fwbuilder might be another candidate.

Fwbuilder is a personal favourite too. I have nice (encrypted)
collection of FWB files for all the firewalls I'm responsible for. Very
handy for re-creating in emergency situations as well as cloning.

--
Cheers,
  Craige,



[SLUG] Firewall Device Opinions

2006-07-10 Thread Phil Scarratt

Hi

I'm after opinions on the following two options in terms of a straight 
firewall. Since I have never used OpenWRT devices before I don't have 
any idea how they rate against a full pc running as a firewall. The 
options are:


1. OpenWRT on a Linksys device
2. Small form factor pc with some sort of solid state memory running linux.

The only caveat is that it (the fw) has to allow for a DMZ, and may have 
to run multiple internet (WAN) connections (I am currently 
investigating/googling whether an OpenWRT device can do this) in the 
future. Otherwise fairly straightforward. This is for a business 
environment.


Fil


Re: [SLUG] Firewall Device Opinions

2006-07-10 Thread John Clarke
On Mon, Jul 10, 2006 at 05:45:51 +1000, Phil Scarratt wrote:

 2. Small form factor pc with some sort of solid state memory running linux.

I'm doing this at home.  I'm running a cut-down ubuntu dapper
installation, initially installed as a breezy server then any packages I
didn't need removed, followed by a dist-upgrade to dapper when it was
released.  It has about 200 packages and uses less than 300MB of flash.

The h/w is one of those VIA PCs that Vini Engel was selling a month or
two ago.  I've added a PCI NIC (an SMC card which was small enough to
fit in the case) and a PCMCIA NIC to give me LAN, WAN and DMZ.  It took
some work to install the PCI NIC -- there were no holes in the back of
the case for it and the power connector was a bit too close to the PCI
slot, but it wasn't hard, just fiddly.

It runs off a 512MB CF card via a CF-IDE adapter, because although the
board has a CF slot the BIOS can't boot from it.  Apparently there is a
BIOS upgrade available but I couldn't find it easily, and the CF-IDE
adapter wasn't expensive enough for me to care.

The box has a fan, but it's very quiet.  I could probably disconnect it
without anything overheating, but the noise is insignificant -- there
are other much more noisy things in the room :-)

I did make a few changes to reduce the number of writes to the CF card
to extend its life: 

- mount / noatime
- use tmpfs for /tmp (with a max size limit so it can't take all
the RAM)
- no swap
- syslog to a LAN host and stop syslog being restarted each day if
there are no local log files (causes a write to /dev)
- change ntp.conf so that the drift file is in /tmp and copy it to
/var once a week if it's changed (and on boot/shutdown).

I think that was all.

 The only caveat is that it (the fw) has to allow for a DMZ, and may have 
 to run multiple internet (WAN) connections (I am currently 

I don't know whether any of the VIA motherboards have more than one PCI
slot.  If not, you'd need to use a case with enough room for a larger
PCI card with more than one network port, or use a USB ethernet adaptor.


Cheers,

John
-- 
Nothing is perfect. Not even Windows sucks perfectly.
-- Jay Maynard
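A check for the write-reduction settings John lists (root mounted noatime, /tmp on a size-capped tmpfs, no swap), written here as an added example and not part of his message. It takes the text of /proc/mounts and /proc/swaps as arguments so it can run against captured copies offline, and with --live against the box it is on; the sample inputs in the script are constructed, not taken from a real machine. The syslog and ntp drift-file changes he mentions are not checked, since they do not show up in either file.

```shell
#!/bin/sh
# Added example, not part of John's message: audit a flash-booted box for
# the write-reduction settings he lists. $1 is the text of /proc/mounts,
# $2 the text of /proc/swaps, so captured copies can be checked as well.

# Constructed sample inputs (not from a real machine): one box set up the
# way John describes, one left at installer defaults.
SAMPLE_MOUNTS_GOOD='/dev/hda1 / ext3 rw,noatime,errors=remount-ro 0 0
proc /proc proc rw 0 0
tmpfs /tmp tmpfs rw,size=32m 0 0'
SAMPLE_MOUNTS_BAD='/dev/hda1 / ext3 rw,errors=remount-ro 0 0
proc /proc proc rw 0 0
/dev/hda2 /tmp ext3 rw 0 0'
SAMPLE_SWAPS_NONE='Filename                                Type            Size    Used    Priority'
SAMPLE_SWAPS_ACTIVE='Filename                                Type            Size    Used    Priority
/dev/hda3                               partition       262140  0       -1'

# Print one line per problem found and return the number of problems.
audit_flash_writes() {
    mounts="$1"
    swaps="$2"
    problems=0

    # The root filesystem should be noatime (or read-only); otherwise every
    # file read updates an inode, which is a flash write. The last entry for
    # "/" in /proc/mounts is the effective one.
    root_opts=$(printf '%s\n' "$mounts" | awk '$2 == "/" { opts = $4 } END { print opts }')
    case ",$root_opts," in
        *,noatime,*|*,ro,*) ;;
        *) echo "root filesystem mounted without noatime: ${root_opts:-not found}"
           problems=$((problems + 1)) ;;
    esac

    # /tmp should be tmpfs with an explicit size= cap so it cannot eat all RAM.
    tmp_mount=$(printf '%s\n' "$mounts" | awk '$2 == "/tmp" { m = $3 " " $4 } END { print m }')
    case "$tmp_mount" in
        tmpfs*size=*) ;;
        tmpfs*) echo "/tmp is tmpfs but has no size= limit"
                problems=$((problems + 1)) ;;
        *) echo "/tmp is not on tmpfs: ${tmp_mount:-not mounted separately}"
           problems=$((problems + 1)) ;;
    esac

    # Any active swap device means paging out to flash; skip the header line.
    swap_count=$(printf '%s\n' "$swaps" | awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }')
    if [ "$swap_count" -gt 0 ]; then
        echo "swap is active on $swap_count device(s)"
        problems=$((problems + 1))
    fi

    return "$problems"
}

# Same audit, but the problem count goes to stdout for use in scripts.
audit_count() {
    audit_flash_writes "$1" "$2" | awk 'END { print NR }'
}

# --live: audit the machine this runs on.
if [ "${1:-}" = "--live" ]; then
    audit_flash_writes "$(cat /proc/mounts)" "$(cat /proc/swaps)" \
        && echo "no flash-write problems found"
fi
```

Running it with --live from cron on the firewall catches the usual regressions: a dist-upgrade that rewrites /etc/fstab without noatime, or a swap partition that the installer quietly re-enabled.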


Re: [SLUG] Firewall Device Opinions

2006-07-10 Thread Simon Wong
On Mon, 2006-07-10 at 17:45 +1000, Phil Scarratt wrote:
 2. Small form factor pc with some sort of solid state memory running linux.

The biggest problem I have come across looking at these is finding
something with 3 NICs without spending a fortune on a multiple interface
card from Intel.

Another issue seems to be that they are sold as whole units, you can't
replace many parts or even the MoBo without returning the whole unit.

-- 
Simon Wong [EMAIL PROTECTED]



Re: [SLUG] Firewall Device Opinions

2006-07-10 Thread Glen Turner

Phil Scarratt wrote:

Hi

I'm after opinions on the following two options in terms of a straight 
firewall. Since I have never used OpenWRT devices before I don't have 
any idea how they rate against a full pc running as a firewall. The 
options are:


1. OpenWRT on a Linksys device
2. Small form factor pc with some sort of solid state memory running linux.

The only caveat is that it (the fw) has to allow for a DMZ, and may have 
to run multiple internet (WAN) connections (I am currently 
investigating/googling whether an OpenWRT device can do this) in the 
future. Otherwise fairly straightforward. This is for a business 
environment.


The DMZ might be a problem for the WRT54GL since they only
have three routable interfaces (wireless, Internet and
LAN).  I don't think that the four 100Base-TX ports are
independently routable.

You could certainly work around that -- such as having a
DMZ tunnel.

My testing has the WRT54GL running out of grunt at around
45Mbps of large packet traffic.  So I wouldn't use it as
a firewall for anything more than a ADSL link otherwise
denying service is just a matter of sending a lot of
back-to-back small packets.

I'm very impressed by the OpenWRT software -- the packaging
is really well thought out and it is a joy to use.  We use
it for access points, since we want them to run IPv6, which
isn't supported by the manufacturer's firmware.



Re: [SLUG] Firewall Device Opinions

2006-07-10 Thread Jeff Waugh
quote who=Phil Scarratt

 I'm after opinions on the following two options in terms of a straight
 firewall. Since I have never used OpenWRT devices before I don't have any
 idea how they rate against a full pc running as a firewall.

 The only caveat is that it (the fw) has to allow for a DMZ, and may have
 to run multiple internet (WAN) connections (I am currently
 investigating/googling whether an OpenWRT device can do this) in the
 future. Otherwise fairly straightforward. This is for a business
 environment.

So, OpenWRT is rad if you want a fairly complete Debian-style environment on
your router, but if you would prefer to have a replacement for the normal
firmware that has way more features and a much groovier web admin console,
try dd-wrt. It handles DMZ, setting up the ports differently, etc.

- Jeff

-- 
linux.conf.au 2007: Sydney, Australia   http://lca2007.linux.org.au/
 
It's the most fun I've had without the use of a water-based
   lubricant. - Stephen Fry on directing his first film


Re: [SLUG] Firewall Device Opinions

2006-07-10 Thread Christopher Vance

On Tue, Jul 11, 2006 at 12:31:16AM +1000, Simon Wong wrote:

The biggest problem I have come across looking at these is finding
something with 3 NICs without spending a fortune on a multiple interface
card from Intel.


The soekris and pc-engines wrap both have 3 NICs, and are available
from Yawarra.

--
Christopher Vance


Re: [SLUG] Firewall Device Opinions

2006-07-10 Thread jam
On Tuesday 11 July 2006 01:29, [EMAIL PROTECTED] wrote:
  2. Small form factor pc with some sort of solid state memory running
  linux.

 I'm doing this at home.  I'm running a cut-down ubuntu dapper
 installation, initially installed as a breezy server then any packages I
 didn't need removed, followed by a dist-upgrade to dapper when it was
 released.  It has about 200 packages and uses less than 300MB of flash.

 The h/w is one of those VIA PCs that Vini Engel was selling a month or
 two ago.  I've added a PCI NIC (an SMC card which was small enough to
 fit in the case) and a PCMCIA NIC to give me LAN, WAN and DMZ.  It took
 some work to install the PCI NIC -- there were no holes in the back of
 the case for it and the power connector was a bit too close to the PCI
 slot, but it wasn't hard, just fiddly.

 It runs off a 512MB CF card via a CF-IDE adapter, because although the
 board has a CF slot the BIOS can't boot from it.  Apparently there is a
 BIOS upgrade available but I couldn't find it easily, and the CF-IDE
 adapter wasn't expensive enough for me to care.

 The box has a fan, but it's very quiet.  I could probably disconnect it
 without anything overheating, but the noise is insignificant -- there
 are other much more noisy things in the room :-)

 I did make a few changes to reduce the number of writes to the CF card
 to extend its life:

     - mount / noatime
     - use tmpfs for /tmp (with a max size limit so it can't take all
         the RAM)
     - no swap
     - syslog to a LAN host and stop syslog being restarted each day if
         there are no local log files (causes a write to /dev)
     - change ntp.conf so that the drift file is in /tmp and copy it to
         /var once a week if it's changed (and on boot/shutdown).

 I think that was all.

  The only caveat is that it (the fw) has to allow for a DMZ, and may have
  to run multiple internet (WAN) connections (I am currently

 I don't know whether any of the VIA motherboards have more than one PCI
 slot.  If not, you'd need to use a case with enough room for a larger
 PCI card with more than one network port, or use a USB ethernet adaptor.

A lot of work. Satisfying. http://www.ltsp.org does it more elegantly:
main FS is RO
/tmp is RAM
writable stuff sym-linked to /tmp
eg logs, dynamic xorg.conf etc
About 200M last time I counted, although I used a 30M version in my 
olive-pickers (5s boot, wireless) 
http://tigger.ws/vtigger/main.php?g2_itemId=3985

(I don't use X here)
James


Re: [SLUG] Firewall Device Opinions

2006-07-10 Thread Phil Scarratt

Christopher Vance wrote:

On Tue, Jul 11, 2006 at 12:31:16AM +1000, Simon Wong wrote:

The biggest problem I have come across looking at these is finding
something with 3 NICs without spending a fortune on a multiple interface
card from Intel.


The soekris and pc-engines wrap both have 3 NICs, and are available
from Yawarra.



VIA also make a motherboard with 2 NICs and a PCI slot. ELX sell boxes 
with these in them I believe.


Thanks for the comments. The general consensus (and from my searching) 
seems to be there is not much difference between the embedded type and 
the full pc type as long as the embedded type chosen has a processor 
capable of maintaining a high enough throughput of packets for the 
chosen application.


Fil


Re: [SLUG] Firewall

2006-07-09 Thread James Gray
[EMAIL PROTECTED] wrote:
 Hi
 my ongoing frustrations:

 1) How to setup a firewall in ubuntu? It seems suitable iptables settings do
 work but that's awfully primitive. This article did not help
 http://www.linux.com/article.pl?sid=06/06/26/1556259 (no lokkit or guarddog
 can be found by apt-get)

 2) How to manipulate and configure services. I CAN and have been
 sym-linking /etc/init.d/service to rc2.d/SNNservice. That too is awfully
 primitive. System -> Administration -> Services lists 8 services from anacron
 to ssh. What about the zillion others?

 Help shows not available pictures:
 each service []
 with a   []
 checkbox []

 Thanks
 James

If you need to manage multiple firewalls with a consistent
policy/framework across multiple platforms (Linux/BSD and even Cisco
PIX, Linksys, etc too) then fwbuilder might be another candidate.

Obviously it can be used to configure a single firewall too :)

Check it out: http://www.fwbuilder.org/

FWIW, some of the commercial firewalls, like PIX, require a plug-in
that will cost $$$.  However it's completely free (beer and speech) for
Linux/BSD firewalls.

Cheers,

James


Re: [SLUG] Firewall

2006-07-08 Thread jam
On Saturday 08 July 2006 14:14, [EMAIL PROTECTED] wrote:
  If you want something simple, firehol is pretty good. Debian (and
  therefore probably Ubuntu) has a bunch of example config files that
  are really easy to use. The advantage to say shorewall (although
  things may have changed) is that with fussy protocols like SMB, you
  just enable it and it works, where as I found with shorewall that you
  needed to worry about traffic directions and such. It also lets you
  do NATting and stuff extremely simply.
 
  And that's my 5 cents.

 Yes, same with Firestarter. I used Shorewall for quite some time on a
 Linux router. It is good, but something like Firestarter is (I think)
 the way to go for a simple Ubuntu setup. Doesn't do as much as
 Shorewall, but it is dead simple to set up and run a simple desktop
 protection firewall.

 My 5 cents.

Thanks Alan
guidedog
guarddog
worked. It seems that there is no option to:
* trust the local network (everything allowed)
* allow ESTABLISHED/RELATED packets back
* allow arbitrarily complex stuff (still investigating) eg for my openvpn
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
But its mostly working
James


[SLUG] Firewall

2006-07-07 Thread jam
Hi
my ongoing frustrations:

1) How to setup a firewall in ubuntu? It seems suitable iptables settings do 
work but that's awfully primitive. This article did not help
http://www.linux.com/article.pl?sid=06/06/26/1556259 (no lokkit or guarddog 
can be found by apt-get)

2) How to manipulate and configure services. I CAN and have been 
sym-linking /etc/init.d/service to rc2.d/SNNservice. That too is awfully 
primitive. System -> Administration -> Services lists 8 services from anacron 
to ssh. What about the zillion others?

Help shows not available pictures:
each service []
with a   []
checkbox []

Thanks
James


Re: [SLUG] Firewall

2006-07-07 Thread Erik de Castro Lopo
[EMAIL PROTECTED] wrote:

 Hi
 my ongoing frustrations:
 
 1) How to setup a firewall in ubuntu? It seems suitable iptables settings do 
 work but that's awfully primitive. This article did not help
 http://www.linux.com/article.pl?sid=06/06/26/1556259 (no lokkit or guarddog 
 can be found by apt-get)

If you enable universe you can get these:

erikd > apt-cache search guarddog
guarddog - firewall configuration utility for KDE
guidedog - NAT/masquerading/port-forwarding configuration tool for KDE
erikd > apt-cache search lokkit
gnome-lokkit - basic interactive firewall configuration tool (GNOME interface)
lokkit - basic interactive firewall configuration tool (console interface)


 2) How to manipulate and configure services. I CAN and have been 
 sym-linking /etc/init.d/service to rc2.d/SNNservice. That too is awfully 
 primitive.

Yes. For a commandline way of doing this on Debian/Ubuntu try
update-rc.d. I'm pretty sure there are gui tools for this as well.

Erik
-- 
+---+
  Erik de Castro Lopo
+---+
These are the finest moments in (post)modern life, when satire is completely
indistinguishable from reality... I usually have to rely on the presidential
elections for such dada. -- frenomulax on Jesux a christian Linux distro.


Re: [SLUG] Firewall

2006-07-07 Thread Alan L Tyree
On Fri, 7 Jul 2006 16:19:21 +0800
[EMAIL PROTECTED] wrote:

 Hi
 my ongoing frustrations:
 
 1) How to setup a firewall in ubuntu? It seems suitable iptables
 settings do work but that's awfully primitive. This article did not
 help http://www.linux.com/article.pl?sid=06/06/26/1556259 (no lokkit
 or guarddog can be found by apt-get)

Firestarter is a nice simple firewall.

 
 2) How to manipulate and configure services. I CAN and have been 
 sym-linking /etc/init.d/service to rc2.d/SNNservice. That too is
 awfully primitive. system - administration - services lists 8
 services from anacron to ssh. What about the zillion others?
 
 Help shows not available pictures:
 each service []
 with a   []
 checkbox []
 
 Thanks
 James


-- 
Alan L Tyreehttp://www2.austlii.edu.au/~alan
Tel: +61 2 4782 2670Mobile: +61 427 486 206
Fax: +61 2 4782 7092FWD: 615662


Re: [SLUG] Firewall

2006-07-07 Thread jam
On Saturday 08 July 2006 05:35, [EMAIL PROTECTED] wrote:
  Hi
  my ongoing frustrations:
 
  1) How to setup a firewall in ubuntu? It seems suitable iptables settings
  do work but that's awfully primitive. This article did not help
  http://www.linux.com/article.pl?sid=06/06/26/1556259 (no lokkit or
  guarddog can be found by apt-get)

 If you enable universe you can get these:

     erikd  apt-cache search guarddog
     guarddog - firewall configuration utility for KDE
     guidedog - NAT/masquerading/port-forwarding configuration tool for KDE
     erikd  apt-cache search lokkit  
     gnome-lokkit - basic interactive firewall configuration tool (GNOME
 interface) lokkit - basic interactive firewall configuration tool (console
 interface)

Thanks for all the help!
The missing link: I DID enable universe, I needed to 
apt-get update
I did not understand that I needed to do that on a new install:

jam apt-cache search lokkit
jam

James


Re: [SLUG] Firewall

2006-07-07 Thread Sonia Hamilton
* On Fri, Jul 07, 2006 at 04:19:21PM +0800, [EMAIL PROTECTED] wrote:
 1) How to setup a firewall in ubuntu? It seems suitable iptables settings do 
 work but that's awfully primitive. This article did not help
 http://www.linux.com/article.pl?sid=06/06/26/1556259 (no lokkit or guarddog 
 can be found by apt-get)

I use shorewall [1], basically a perl wrapper on iptables. Easy to
config with a collection of files in /etc/shorewall, and very flexible -
from a single laptop to a large network.

[1] http://www.shorewall.net

--
Sonia Hamilton. GPG key A8B77238.
.
Complaining that Linux doesn't work well with Windows is like ... oh,
say, evaluating an early automobile and complaining that there's no
place to hitch up a horse. (Daniel Dvorkin)


Re: [SLUG] Firewall

2006-07-07 Thread Metrics
On Sat, Jul 08, 2006 at 11:33:44AM +1000, Sonia Hamilton wrote:
 * On Fri, Jul 07, 2006 at 04:19:21PM +0800, [EMAIL PROTECTED] wrote:
  1) How to setup a firewall in ubuntu? It seems suitable iptables settings 
  do work but that's awfully primitive. This article did not help
  http://www.linux.com/article.pl?sid=06/06/26/1556259 (no lokkit or guarddog 
  can be found by apt-get)
 
 I use shorewall [1], basically a perl wrapper on iptables. Easy to
 config with a collection of files in /etc/shorewall, and very flexible -
 from a single laptop to a large network.
 
 [1] http://www.shorewall.net
 

If you want something simple, firehol is pretty good. Debian (and
therefore probably Ubuntu) has a bunch of example config files that are
really easy to use. The advantage to say shorewall (although things may
have changed) is that with fussy protocols like SMB, you just enable it
and it works, whereas I found with shorewall that you needed to worry
about traffic directions and such. It also lets you do NATting and stuff
extremely simply.

And that's my 5 cents.

Byron


Re: [SLUG] Firewall

2006-07-07 Thread O Plameras

Metrics wrote:

On Sat, Jul 08, 2006 at 11:33:44AM +1000, Sonia Hamilton wrote:

* On Fri, Jul 07, 2006 at 04:19:21PM +0800, [EMAIL PROTECTED] wrote:

1) How to setup a firewall in ubuntu? It seems suitable iptables settings do 
work but that's awfully primitive. This article did not help
http://www.linux.com/article.pl?sid=06/06/26/1556259 (no lokkit or guarddog 
can be found by apt-get)

I use shorewall [1], basically a perl wrapper on iptables. Easy to
config with a collection of files in /etc/shorewall, and very flexible -
from a single laptop to a large network.

[1] http://www.shorewall.net

If you want something simple, firehol is pretty good. Debian (and
therefore probably Ubuntu) has a bunch of example config files that are
really easy to use. The advantage to say shorewall (although things may
have changed) is that with fussy protocols like SMB, you just enable it
and it works, whereas I found with shorewall that you needed to worry
about traffic directions and such. It also lets you do NATting and stuff
extremely simply.

In the current release, to block or permit SMB traffic, all you do in
rules is SMB/REJECT or SMB/ACCEPT. The macros are in /usr/share/shorewall.
You can make up macros for any service.

O Plameras



Re: [SLUG] Firewall

2006-07-07 Thread Alan L Tyree
On Sat, 8 Jul 2006 12:20:20 +1000
Metrics [EMAIL PROTECTED] wrote:

 On Sat, Jul 08, 2006 at 11:33:44AM +1000, Sonia Hamilton wrote:
  * On Fri, Jul 07, 2006 at 04:19:21PM +0800, [EMAIL PROTECTED] wrote:
   1) How to setup a firewall in ubuntu? It seems suitable iptables
   settings do work but that's awfully primitive. This article did
   not help http://www.linux.com/article.pl?sid=06/06/26/1556259 (no
   lokkit or guarddog can be found by apt-get)
  
  I use shorewall [1], basically a perl wrapper on iptables. Easy to
  config with a collection of files in /etc/shorewall, and very
  flexible - from a single laptop to a large network.
  
  [1] http://www.shorewall.net
  
 
 If you want something simple, firehol is pretty good. Debian (and
 therefore probably Ubuntu) has a bunch of example config files that
 are really easy to use. The advantage to say shorewall (although
 things may have changed) is that with fussy protocols like SMB, you
  just enable it and it works, whereas I found with shorewall that you
 needed to worry about traffic directions and such. It also lets you
 do NATting and stuff extremely simply.
 
 And that's my 5 cents.

Yes, same with Firestarter. I used Shorewall for quite some time on a
Linux router. It is good, but something like Firestarter is (I think)
the way to go for a simple Ubuntu setup. Doesn't do as much as
Shorewall, but it is dead simple to set up and run a simple desktop
protection firewall.

My 5 cents.

Alan

 
 Byron


-- 
Alan L Tyreehttp://www2.austlii.edu.au/~alan
Tel: +61 2 4782 2670Mobile: +61 427 486 206
Fax: +61 2 4782 7092FWD: 615662


[SLUG] Firewall log

2004-02-26 Thread Alan L Tyree
What does this mean? I have a modem connection that times out after 5
hours - dial on demand. When it restarts, my firewall log shows *lot* of
these entries:

Feb 27 13:22:42 kernel: Shorewall:all2all:REJECT:IN=eth0 OUT=
MAC=00:20:35:73:71:2a:00:50:bf:e6:77:b1:08:00 SRC=192.168.1.4
DST=192.168.1.2 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
SPT=68 DPT=67 LEN=308 

Feb 27 13:22:42 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0
SRC=192.168.1.2 DST=192.168.1.4 LEN=328 TOS=0x00 PREC=0x00 TTL=64
ID=36216 DF PROTO=UDP SPT=67 DPT=68 LEN=308

They always come in pairs like that. The firewall is 192.168.1.2 and the
other machine is the only one operating on the network.

Thanks,
Alan
-- 
--
Alan L Tyree
http://www2.austlii.edu.au/~alan
Tel: +61 2 4782 2670
Mobile: +61 405 084 990
Fax: +61 2 4782 7092


Re: [SLUG] Firewall log

2004-02-26 Thread Alexander Samad
I will take a stab

Log entry 1 is coming in on eth0, and machine 192.168.1.4 is making a
bootp/dhcp request, which your machine is rejecting.

Log entry 1 is going out on eth0 from 192.168.1.2 which is 
a reply to the boot/DHCP request from before.

Note from memory the dhcp server attaches to the interface in such a way
that netfilter can't stop it.

Why this happens when you lose connection, not sure.

A

On Fri, Feb 27, 2004 at 01:41:33PM +1100, Alan L Tyree wrote:
 What does this mean? I have a modem connection that times out after 5
 hours - dial on demand. When it restarts, my firewall log shows *lot* of
 these entries:
 
 Feb 27 13:22:42 kernel: Shorewall:all2all:REJECT:IN=eth0 OUT=
 MAC=00:20:35:73:71:2a:00:50:bf:e6:77:b1:08:00 SRC=192.168.1.4
 DST=192.168.1.2 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
 SPT=68 DPT=67 LEN=308 
 
 Feb 27 13:22:42 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0
 SRC=192.168.1.2 DST=192.168.1.4 LEN=328 TOS=0x00 PREC=0x00 TTL=64
 ID=36216 DF PROTO=UDP SPT=67 DPT=68 LEN=308
 
 They always come in pairs like that. The firewall is 192.168.1.2 and the
 other machine is the only one operating on the network.
 
 Thanks,
 Alan
 -- 
 --
 Alan L Tyree
 http://www2.austlii.edu.au/~alan
 Tel: +61 2 4782 2670
 Mobile: +61 405 084 990
 Fax: +61 2 4782 7092


[SLUG] firewall logfile analysis

2004-02-20 Thread Hilton De Meillon
Hey All,

I am using Gentoo. I use Metalog as a logger. I use Fwbuilder to design
my rulesets. What can I use to analyse my log files - I have tried
fwanalog but it does not look like it likes the way Metalog logs. 

any recommendations ?

Hilton.




Re: [SLUG] firewall logfile analysis

2004-02-20 Thread Chris Deigan
It is said that Hilton De Meillon wrote:
I am using Gentoo. I use Metalog as a logger. I use Fwbuilder to design
my rulesets. What can I use to analyse my log files - I have tried
fwanalog but it does not look like it likes the way Metalog logs. 

any recommendations ?

First, for live analysis of your logs you will want to turn off metalog's
buffering by running:
killall -USR1 metalog

I usually read my logs with view (which is basically vi[m])
Or, for live analysis I use tail, which shows your logs as
your logging daemon writes the logs.

To turn metalogs buffers back on:
killall -USR2 metalog

 - Chris


Re: [SLUG] Firewall appliance box

2003-10-07 Thread Del
Hi,

Since it came up, I've done a fair amount of hacking
recently to get IPCop to install via PXE.  Useful
because most of these appliance boxes don't contain
a floppy disk drive, and the FD controller is fairly
hard to get at even when you open the box up.
Red Hat is easy because they give you PXE capable vmlinuz
and initrd.img files (i.e. ones that don't ask for a
driver floppy, and that have all of the network drivers
bundled).  IPCop typically installs off 2 floppies with
LILO and ext2 filesystems on them so it took a bit of
messing about to get it not to want a floppy disk (or
not to grizzle when it didn't get one).
It's a bit of a work in progress but if anyone wants
to see what I've done contact me off-list.
--
Del
--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug


Re: [SLUG] Firewall appliance box

2003-10-06 Thread Chris Deigan
It is said that Kevin Saenz wrote:
Maybe Anthony could tell me where I should look. :)
I thought it would be under hardware.

http://www.everythinglinux.com.au/cat/systems/thinclients

 - Chris
[EMAIL PROTECTED]


Re: [SLUG] Firewall appliance box

2003-10-06 Thread Kevin Saenz
Has anyone installed Linux on these thin clients?
What are the things I would have to be concerned about?

 It is said that Kevin Saenz wrote:
 Maybe Anthony could tell me where I should look. :)
 I thought it would be under hardware.
 
 http://www.everythinglinux.com.au/cat/systems/thinclients
 
  - Chris
[EMAIL PROTECTED]
-- 
Regards,

Kevin Saenz
 
Spinaweb
I.T consultants
 
Ph: 02 4620 5130
Fax: 02 4625 9243
Mobile: 0418455661
Web: http://www.spinaweb.com.au



Re: [SLUG] Firewall appliance box

2003-10-06 Thread Guy Ellis
Hi Kevin,

Yes we use a Mini-iTx motherboard.

Our box and the Everything Linux are roughly the same size
ours is 295 x 260 x 65mm (W x D x H)
If you want an internal PSU (also fanless) and the option of 2 PCI slots go 
for our box. Our market is mainly firewalls.

If you want an external PSU go for Anthony's box. His market is mainly thin 
clients.

It's your choice.

Cheers,

 - Guy.

At 03:58 PM 6/10/2003 +1000, you wrote:
What are the dimensions of the box? This system seems to be based
vaguely on the concept of a mini-box motherboard, but uses a 240 volt
input rather than a 12 volt.
 Hi Kevin,

 We can do 3 Eth easily with our box

 http://www.traverse.com.au/products/default.asp?p=42

 The Fanless model has no moving parts.

 Drop me a line if you are interested.

 Cheers,

   - Guy.

 At 01:39 PM 6/10/2003 +1000, you wrote:
 Hi all,
 
 I am looking for a box that will be about the size of
 an ADSL router, with about 512 RAM, multi NIC preferred min 3,
 to build a firewall. Does anyone know where I could source
 such a box? It would be helpful if it had a CPU and NVRam
 
 
 
 --
 Regards,
 
 Kevin Saenz
 
 Spinaweb
 I.T consultants
 
 Ph: 02 4620 5130
 Fax: 02 4625 9243
 Mobile: 0418455661
 Web: http://www.spinaweb.com.au
 

 --
 Guy Ellis
 [EMAIL PROTECTED]

 Traverse Technologies
 ABN 98 078 657 324
 652 Smith St.,
 Clifton Hill, Victoria, 3068
 AUSTRALIA
 http://www.traverse.com.au
 Tel (+613) 9486 7775
 Fax (+613) 9482 7754
 Mobile 0419 398 234
 --
--
Regards,
Kevin Saenz

Spinaweb
I.T consultants
Ph: 02 4620 5130
Fax: 02 4625 9243
Mobile: 0418455661
Web: http://www.spinaweb.com.au
--
Guy Ellis
[EMAIL PROTECTED]
Traverse Technologies
ABN 98 078 657 324
652 Smith St.,
Clifton Hill, Victoria, 3068
AUSTRALIA
http://www.traverse.com.au
Tel (+613) 9486 7775
Fax (+613) 9482 7754
Mobile 0419 398 234
--


Re: [SLUG] Firewall appliance box

2003-10-06 Thread Del
Kevin Saenz wrote:
Has anyone installed Linux on these thin clients?
What are the things I would have to be concerned about?
Hi,

I have Red Hat 7.3 running on a couple and IPCop running
on some more of them.
--
Del


[SLUG] Firewall appliance box

2003-10-05 Thread Kevin Saenz
Hi all,

I am looking for a box that will be about the size of
an ADSL router, with about 512 RAM, multi NIC preferred min 3,
to build a firewall. Does anyone know where I could source
such a box? It would be helpful if it had a CPU and NVRam



-- 
Regards,

Kevin Saenz
 
Spinaweb
I.T consultants
 
Ph: 02 4620 5130
Fax: 02 4625 9243
Mobile: 0418455661
Web: http://www.spinaweb.com.au



Re: [SLUG] Firewall appliance box

2003-10-05 Thread Guy Ellis
Hi Kevin,

We can do 3 Eth easily with our box

http://www.traverse.com.au/products/default.asp?p=42

The Fanless model has no moving parts.

Drop me a line if you are interested.

Cheers,

 - Guy.

At 01:39 PM 6/10/2003 +1000, you wrote:
Hi all,

I am looking for a box that will be about the size of
an ADSL router, with about 512 RAM, multi NIC preferred min 3,
to build a firewall. Does anyone know where I could source
such a box? It would be helpful if it had a CPU and NVRam


--
Regards,
Kevin Saenz

Spinaweb
I.T consultants
Ph: 02 4620 5130
Fax: 02 4625 9243
Mobile: 0418455661
Web: http://www.spinaweb.com.au
--
Guy Ellis
[EMAIL PROTECTED]
Traverse Technologies
ABN 98 078 657 324
652 Smith St.,
Clifton Hill, Victoria, 3068
AUSTRALIA
http://www.traverse.com.au
Tel (+613) 9486 7775
Fax (+613) 9482 7754
Mobile 0419 398 234
--


Re: [SLUG] Firewall appliance box

2003-10-05 Thread Chris Deigan
It is said that Kevin Saenz wrote:
I am looking for a box that will be about the size of
an ADSL router, with about 512 RAM, multi NIC preferred min 3,
to build a firewall. Does anyone know where I could source
such a box? It would be helpful if it had a CPU and NVRam

I believe everythinglinux.com.au may have what you are after.

 - Chris
[EMAIL PROTECTED]


Re: [SLUG] Firewall appliance box

2003-10-05 Thread Kevin Saenz
Maybe Anthony could tell me where I should look. :)
I thought it would be under hardware.

 It is said that Kevin Saenz wrote:
 I am looking for a box that will be about the size of
 an ADSL router, with about 512 RAM, multi NIC preferred min 3,
 to build a firewall. Does anyone know where I could source
 such a box? It would be helpful if it had a CPU and NVRam
 
 I believe everythinglinux.com.au may have what you are after.
 
  - Chris
[EMAIL PROTECTED]
-- 
Regards,

Kevin Saenz
 
Spinaweb
I.T consultants
 
Ph: 02 4620 5130
Fax: 02 4625 9243
Mobile: 0418455661
Web: http://www.spinaweb.com.au



Re: [SLUG] Firewall / router for BigPond

2003-09-29 Thread Ben Donohue
Guarddog is pretty good on Linux
www.simonzone.com




[SLUG] Firewall / router for BigPond

2003-09-28 Thread Richard Hayes
Dear list,

Before I reinvent the wheel.  I am looking at using VNC to control Win98 
boxen remotely.

I need a firewall / router for basic protection; are there any cheap routers 
eg DLink that are worth it?

It is easy enough to just use IPTables but is there a template / 
pre-written rules floating around.

What are the advantages / disadvantages of IPCop or Smoothwall?
Is it overkill?
Richard Hayes
Nada Marketing - Australia  UK
2/713 Pacific Hwy Gordon Australia 2072
Ph +(61-2) 9418 4545  Fax +(61-2) 9418 4348   Mob +(61) 0414 618 425

www.nada.com.au   

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.515 / Virus Database: 313 - Release Date: 9/1/2003


Re: [SLUG] Firewall / router for BigPond

2003-09-28 Thread Oscar Plameras

 Dear list,

 Before I reinvent the wheel.  I am looking at using VNC to control Win98
 boxen remotely.

 I need a firewall / router for basic protection, is there any cheap
routers
 eg DLink that are worth it?

 It is easy enough to just use IPTables but is there a template /
 pre-written rules floating around.


I have Linux kernel version 2.4.20.

I am using templates. You may find these at,

http://www.acay.com.au/~oscarp/howto

There are two scripts:

1. 'firewall-2.4.sh' is fired up with 'start', 'stop', or 'restart'
as required, as follows:

firewall-2.4.sh start.

2. 'rc.firewall-2.4' is the script that kicks off when script
on '1.' is selected with a 'start' parameter

Please note to modify 'rc.firewall-2.4' for your requirements.

Please also note Linux Kernel version requirements and
all  legal stuff as indicated within these scripts.


Oscar Plameras
http://www.acay.com.au/~oscarp/disclaimer.html



[SLUG] Firewall / IP Monitor

2003-02-06 Thread Terry Denovan

I am looking for a program which will act as a firewall, do port forwarding,
and monitor all the traffic that comes in and out. I would like it to
basically report on how much data has passed through for each internal IP
address and if possible to enable and disable certain internal IP addresses
from accessing the internet.

Your help on this would be highly appreciated.

Regards,

Terry Denovan


Re: [SLUG] Firewall MD5 signatures on processes

2003-02-04 Thread Jamie Wilkinson
This one time, at band camp, [EMAIL PROTECTED] wrote:
I've found a few bits of Linux software which do part
of the job.  They associate a particular pathname with
network permission.  What they don't do as far as I can
tell is associate a pathname + md5 with a particular
port/protocol/direction.   (though it's possible I haven't
browsed hard enough)

Something similar... in a way: iptables can firewall local services based on
the username of a process, so you can restrict outbound smtp to the postfix
user, for example, if you are running postfix as non-root.  With a bit of
creative suiding and so on, you can restrict which binaries are allowed to
use the network.

-- 
[EMAIL PROTECTED]   http://spacepants.org/jaq.gpg



Re: [SLUG] Firewall MD5 signatures on processes

2003-02-04 Thread Jamie Wilkinson
This one time, at band camp, [EMAIL PROTECTED] wrote:
Someone wrote...

 And totally unimplementable on a machine where the same binaries can have
 different MD5 sums across different installations, e.g. the one you all are
 (most likely) reading this mail on now.

Why would they be different?  I guess I'm sorta asking
what do you mean by installation?  Distributions?  Versions?

I should have elaborated:  Assuming you build some of your software from
source, then you can't have a vendor-supplied tripwire-like firewall that
has a hardcoded list of checksums.

Assuming.

But real users just suck down packages from their nearest mirror (near being
the USA in the case of up2date and Red Hat (you current users quiet down)
:-) so I guess a commercial Linux vendor could in fact start distributing a
hardcoded checksum database.   Of course then you get into the issue of
trust...

You certainly wouldn't see anything like this implemented on Debian testing
or unstable... and most likely no-one could be bothered.  tripwire, aide,
osiris, and samhain are all packaged.

-- 
[EMAIL PROTECTED]   http://spacepants.org/jaq.gpg



Re: [SLUG] Firewall MD5 signatures on processes

2003-02-04 Thread Jamie Wilkinson
This one time, at band camp, Glen Turner wrote:
 -- expand until their configuration file syntax
is Turing-complete (sendmail, Emacs, iptables).
 -- proliferate options beyond human ken (ls, ps).
 -- provide a handful of differing APIs and subsystems
to perform the same task, each with their own
religious cult (X fonts and rendering, output
to text terminals, text file manipulation).

You forgot evolve into a mailreader.  Some famous quote somewhere.

-- 
[EMAIL PROTECTED]   http://spacepants.org/jaq.gpg



Re: [SLUG] Firewall MD5 signatures on processes

2003-01-30 Thread Jamie Wilkinson
This one time, at band camp, Matt M wrote:


And totally unimplementable on a machine where the same binaries can have
different MD5 sums across different installations, e.g. the one you all are
(most likely) reading this mail on now.

Unless the MD5 sums table is built when you install the machine/software or 
configure the feature.

I use tripwire at work; taking MD5 sums and so forth to check the filesystem
for modified binaries isn't difficult.  The context of my reply was to
Jeff's example of Windos based personal firewalls, and he alluded to the
personal firewall hardcoding the checksums for common programs within
them.  My point was that no-one could sell a product that had the binary
checksums hardcoded into it.

Then again, perhaps there was no implication of hardcoded checksums.  I only
assume that proprietary software is going to do dumb things ;-)

-- 
[EMAIL PROTECTED]   http://spacepants.org/jaq.gpg
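Matt's suggestion (build the checksum table on the machine itself at install or configuration time, so locally compiled binaries are covered and no vendor has to hardcode sums) and Jamie's remark that the tripwire-style check is not hard to do are both illustrated by the Python below. It is an added example, not code from the thread, from tripwire, or from any product: it hashes every regular file under a directory, stores the baseline as JSON, and later reports modified, missing and added files. The demo tree, the tampering and the file names are constructed for the example. SHA-256 is the default; MD5, which the thread discusses, is still selectable through the algo parameter, but since MD5 collisions are now practical a baseline meant to catch deliberate replacement should not rely on it.

```python
import hashlib
import json
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _regular_files(root):
    """Yield paths relative to root for regular files, skipping symlinks."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                yield os.path.relpath(full, root).replace(os.sep, "/")


def build_baseline(root, algo="sha256"):
    """Take the baseline on this machine: {relative path: digest}.

    Store the result somewhere the running system cannot rewrite it
    (read-only media, another host); a baseline on the same disk is
    only as trustworthy as that disk.
    """
    return {rel: file_digest(os.path.join(root, rel), algo) for rel in _regular_files(root)}


def verify_baseline(root, table, algo="sha256"):
    """Compare the tree against a stored baseline."""
    modified, missing = [], []
    for rel, expected in table.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            missing.append(rel)
        elif file_digest(full, algo) != expected:
            modified.append(rel)
    added = [rel for rel in _regular_files(root) if rel not in table]
    return {"modified": sorted(modified), "missing": sorted(missing), "added": sorted(added)}


def demo():
    """Constructed scenario: baseline a small tree, then alter, delete and add a file."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        originals = {            # stand-ins for installed binaries (constructed)
            "ls": b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n",
            "ps": b"#!/bin/sh\necho ps\n",
            "netstat": b"#!/bin/sh\necho netstat\n",
        }
        for name, body in originals.items():
            with open(os.path.join(bindir, name), "wb") as fh:
                fh.write(body)
        stored = json.dumps(build_baseline(root), indent=1, sort_keys=True)

        # Later: one file altered, one removed, one new file appears.
        with open(os.path.join(bindir, "ls"), "ab") as fh:
            fh.write(b"# appended after the baseline was taken\n")
        os.remove(os.path.join(bindir, "ps"))
        with open(os.path.join(bindir, "nc"), "wb") as fh:
            fh.write(b"#!/bin/sh\n")

        return verify_baseline(root, json.loads(stored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The report for the demo names bin/ls as modified, bin/ps as missing and bin/nc as added. Binaries legitimately replaced by a package upgrade show up the same way, so in practice the baseline is re-taken as part of the upgrade procedure, which is the point about per-installation sums that Jamie makes above.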



Re: [SLUG] Firewall MD5 signatures on processes

2003-01-29 Thread Jamie Wilkinson
This one time, at band camp, Jeff Waugh wrote:
quote who=Jean-Francois Dive

 In your first post, you talk about md5 *signature*, now about md5
 checksums. These are 2 different things. Checking file integrity is
 definitively not the job of the networking stack at all.

Minh is talking about a feature of some 'host firewalls' that checks the
md5 checksum of software trying to access the network. That way, it can
allow and disallow access to executables that have been changed on disk, or
not explicitly listed as allowed to access the network.

Dunno if this sort of stuff has been done on other systems before, but it
seems to be the in-thing with the latest Windows 'host firewalls'.

It also sounds like a totally dodgy and easily breakable consumer marketing
oriented feature. :-)

And totally unimplementable on a machine where the same binaries can have
different MD5 sums across different installations, e.g. the one you all are
(most likely) reading this mail on now.

ObBigot: Go free software! yay!

-- 
[EMAIL PROTECTED]   http://spacepants.org/jaq.gpg



Re: [SLUG] Firewall MD5 signatures on processes

2003-01-29 Thread Matt M

And totally unimplementable on a machine where the same binaries can have
different MD5 sums across different installations, e.g. the one you all are
(most likely) reading this mail on now.

Unless the MD5 sums table is built when you install the machine/software or 
configure the feature.


Matt




Re: [SLUG] Firewall MD5 signatures on processes

2003-01-29 Thread Rob B
At 23:49 29/01/2003, Matt M sent this up the stick:

And totally unimplementable on a machine where the same binaries can have
different MD5 sums across different installations, e.g. the one you all are
(most likely) reading this mail on now.

Unless the MD5 sums table is built when you install the machine/software 
or configure the feature.

Correctamundo!

Y'all should remember, these Windows firewalls are designed to be 
installed on a single machine (hence the term personal firewall) and - 
while they will work on a box acting as a gateway - they will only verify 
MD5 sums of local software.  So in effect, these apps combine a bit of 
Tripwire/Aide with a packet filter.

Unix software rule:  Do one thing, and do it well
Windows software rule: Do everything

cheers,
Rob
:)


--
Create your own opportunity. Blackmail a senior executive.

This is random quote 419 of a collection of 1273

Distance from the centre of the brewing universe:
[15200.8 km (8207.8 mi), 262.8 deg](Apparent) Rennerian

Public Key fingerprint = 6219 33BD A37B 368D 29F5  19FB 945D C4D7 1F66 D9C5



Re: [SLUG] Firewall MD5 signatures on processes

2003-01-29 Thread Glen Turner
Rob B wrote:


Unix software rule:  Do one thing, and do it well
Windows software rule: Do everything


Can't say I've ever noticed that.  I have noticed that
UNIX programs either:

 -- expand until their configuration file syntax
is Turing-complete (sendmail, Emacs, iptables).

Think about it -- you can teach people Java in
a semester.  Would you dare say the same of
sendmail or emacs :-)

 -- proliferate options beyond human ken (ls, ps).

Common quiz question, what option letter isn't
used in ps.

 -- provide a handful of differing APIs and subsystems
to perform the same task, each with their own
religious cult (X fonts and rendering, output
to text terminals, text file manipulation).

Even file I/O
   f = open(...)
   f = fopen(...)


Regards,
Glen




Re: [SLUG] Firewall MD5 signatures on processes

2003-01-29 Thread mlh


I've found a few bits of Linux software which do part
of the job.  They associate a particular pathname with
network permission.  What they don't do as far as I can
tell is associate a pathname + md5 with a particular
port/protocol/direction.   (though it's possible I haven't
browsed hard enough)

http://lsm.immunix.org/
http://www.lids.org/

Recent LIDS are based on lsm apparently.

http://www.intersectalliance.com/projects/Snare/

That last one is an Aussie company. And they've
got Redhat 8 rpms.  woohoo!


Matt



Re: [SLUG] Firewall MD5 signatures on processes

2003-01-29 Thread mlh
Someone wrote...

 And totally unimplementable on a machine where the same binaries can have
 different MD5 sums across different installations, e.g. the one you all are
 (most likely) reading this mail on now.

Why would they be different?  I guess I'm sorta asking
what do you mean by installation?  Distributions?  Versions?

Matt



Re: [SLUG] Firewall MD5 signatures on processes

2003-01-28 Thread Matt M
I think the problem is that Minh is a little confused about what exactly a 
firewall is (No thanks to windows personal firewall vendors, I'm sure). 
In my, perhaps a little conservative view, it's just a packet filter, 
whether you're referring to a black box or an application on a host.

The talk about MD5 sums and the like goes more towards system integrity 
than firewalling, in fact it's basically tripwire with a sprinkling of 
crack, and definitely would not be implemented as part of a firewall/tcp 
stack (more likely a separate module with a wrapper for the network calls 
in the kernel). Why you'd need to stop altered applications accessing the 
internet is a little bit baffling for me; if your system has been 
compromised, well, that's the end of it, really. The only real advantage 
I could see would be limiting someone who's trying to use your machine as a 
D/DOS platform, and really, if you're keeping a good eye on the machine, 
this shouldn't be too much of an issue.

That said, it does have a little security value -- everything that makes it 
harder for attackers has some security value. But for the cost of 
implementing something like this, I really don't see the point.

Cheers,

Matt
At 19:51 27/01/2003, Jamie Wilkinson wrote:
This one time, at band camp, Minh Van Le wrote:
I feel I must point out that, the point of MD5 checksums on applications is
to identify which applications have changed or have been trojaned. If the
firewall can identify altered file(s) then both the firewall and
administrator will have a chance to be alerted. This is significant
security.

When you say firewall, do you mean the packet filter itself or an entire
machine whose job is to sit between networks?

If the latter, then yes this is possible, ideal and very simple.

If the former, then you are entering an entire world of complexity and, most
likely, pain.

File integrity should be part of the network access layer,

Right, so you *do* mean the packet filter itself.

A packet filter looks at packets.  It doesn't know nor care whether it's
transferring a file or a program or a trojanned binary.  Adding the required
code to look at the packets and work out that a file is being transferred
means you're going to start adding entire file transfer protocols (FTP,
HTTP, SSH to name a few) which is going to be a painful process, let
alone the ability to then check these files against a central database of
MD5 sums.

and checked by
both the firewall and other file integrity audit programs, because the
latter (eg. Tripwire) won't do anything to stop trojans from
bypassing/tricking the firewall.

Or do you *really* mean the firewall machine?

Forgive me if I seem a little confused, your terminology isn't making a lot
of sense to me.  Perhaps it's because I've just gotten off a plane, but I
am inclined to think that you've got things mixed up a little, too.

But I'm interested to hear your ideas on how you'd make the firewall and
other file integrity ... programs stop trojans.

--
[EMAIL PROTECTED]   http://spacepants.org/jaq.gpg






Re: [SLUG] Firewall MD5 signatures on processes

2003-01-27 Thread Kevin Saenz

 Not really, it only has to do it once on loading.  With the Windows firewall
 Minh Van Le mentioned (kerio) and another one (zonealarm) the extra
 load is unnoticeable, even on a lower end machine. (my windows machine
 is a amd k2-350)

You're lucky. I guess it depends on the user that installs the damn thing :)




Re: [SLUG] Firewall MD5 signatures on processes

2003-01-27 Thread mlh
On 27 Jan 2003 08:42:10 +1100
Kevin Saenz [EMAIL PROTECTED] wrote:
[ ... ]
 You would
 be required to install the firewall on each machine, as it will
 behave like an antivirus doing live checks on files, which is very
 expensive in resources.

Not really, it only has to do it once on loading.  With the Windows firewall
Minh Van Le mentioned (kerio) and another one (zonealarm) the extra
load is unnoticeable, even on a lower end machine. (my windows machine
is a amd k2-350)

  Also the firewall you have informed us about
 doesn't look at files on the network layer, it looks at files on
 the OS layer,

Lack of a positive is not a negative.

Matt



RE: [SLUG] Firewall MD5 signatures on processes

2003-01-27 Thread Jean-Francois Dive
In your first post, you talk about md5 *signature*, now about md5
checksums. These are 2 different things. Checking file integrity is
definitely not the job of the networking stack at all. This does not
bring any security benefit. As soon as a box is compromised (as detected
by a valid alert on file integrity), changing its network stack
configuration to react to that is useless as it could be changed back by
the attacking worms. Now if you want to see md5 signed checks on a per-process
basis, this is a lot of overhead and still does not bring you
anything more.

Good security is a security which fails nicely.

JeF

On Sun, 2003-01-26 at 22:27, Minh Van Le wrote:
 I feel I must point out that, the point of MD5 checksums on applications is
 to identify which applications have changed or have been trojaned. If the
 firewall can identify altered file(s) then both the firewall and
 administrator will have a chance to be alerted. This is significant
 security.
 
 File integrity should be part of the network access layer, and checked by
 both the firewall and other file integrity audit programs, because the
 latter (eg. Tripwire) won't do anything to stop trojans from
 bypassing/tricking the firewall.
 
 If a box is hacked, and the intruder has root access then security is
 finished. The best thing to do is to rebuild with better security
 prevention. I'm not proposing a be-all-end-all solution, because there're
 many aspects of security that's handled by different things.
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
 Jean-Francois Dive
 Sent: Saturday, 25 January 2003 23:45
 To: Minh Van Le
 Cc: [EMAIL PROTECTED]
 Subject: Re: [SLUG] Firewall MD5 signatures on processes
 
 
 As well, if a trojan enters the system, it'll be 90% of the time through
 a network application, which has access to the network -- this won't
 avoid much at the end of the day.
 
 On Fri, Jan 24, 2003 at 10:50:59PM +1100, Minh Van Le wrote:
  Various firewalls for Windows(TM) have a feature that identifies, permits, and
  denies packets sent by authorised applications. (I use Kerio Personal Firewall
  [www.kerio.com]). These firewalls use a method for creating and checking MD5
  signatures on applications that attempt to access the low-level network
  layers or device drivers. This feature exists to prevent trojans or
  unauthorised replacement of binaries, eg. a trojaned httpd, that tries to
  access/bypass the firewall.
 
  I know that IPChains and IPTables are packet filtering firewalls, and
  basically work on src/dest:port [protocol] IP headers, but these internet
  daemons, eg. httpd, can be configured to use different ports ...
 
  My question is, does IPTables support identifying packets sent from specific
  applications, or any MD5 checksums on applications, or even verifying full
  path and filename details of any binary that accesses the kernel networking
  layer? This would at least help in identifying what processes are trying to
  access the firewall.
 
  Should checksums be left to file system integrity programs like Tripwire?
 
 
-- 

- Jean-Francois Dive
-- [EMAIL PROTECTED]

  There is no such thing as randomness.  Only order of infinite
  complexity. - Marquis de LaPlace - deterministic Principles - 





Re: [SLUG] Firewall MD5 signatures on processes

2003-01-27 Thread Jeff Waugh
quote who=Jean-Francois Dive

 In your first post, you talk about md5 *signature*, now about md5
 checksums. These are 2 different things. Checking file integrity is
 definitively not the job of the networking stack at all.

Minh is talking about a feature of some 'host firewalls' that checks the
md5 checksum of software trying to access the network. That way, it can
allow and disallow access to executables that have been changed on disk, or
not explicitly listed as allowed to access the network.

Dunno if this sort of stuff has been done on other systems before, but it
seems to be the in-thing with the latest Windows 'host firewalls'.

It also sounds like a totally dodgy and easily breakable consumer marketing
oriented feature. :-)

- Jeff

-- 
 Linux is not like Novell, it isn't going to run out of money - it 
  started off bankrupt, in a way. - Steve Ballmer  



Re: [SLUG] Firewall MD5 signatures on processes

2003-01-27 Thread mlh
On Tue, Jan 28, 2003 at 02:06:44PM +1100, Jeff Waugh wrote:
 quote who=Jean-Francois Dive
 
  In your first post, you talk about md5 *signature*, now about md5
  checksums.

Those terms seem to be used interchangeably.

  These are 2 different things. Checking file integrity is
  definitively not the job of the networking stack at all.

I don't think anyone said it was.

 Minh is talking about a feature of some 'host firewalls' that checks the
 md5 checksum of software trying to access the network. That way, it can
 allow and disallow access to executables that have been changed on disk, or
 not explicitly listed as allowed to access the network.
 
 Dunno if this sort of stuff has been done on other systems before, but it
 seems to be the in-thing with the latest Windows 'host firewalls'.
 
 It also sounds like a totally dodgy and easily breakable consumer marketing
 oriented feature. :-)


It's not useless, though it can of course be compromised easily if the firewall
software doing the checksumming runs as the same user as the application itself,
which is the case under most versions of windows.  In fact, already some viruses
disable the firewall, and put up an icon in the system tray to make it look
like it is still running.

On Linux though, I can easily imagine this being implemented in a more secure
manner. 


Matt




Re: [SLUG] Firewall MD5 signatures on processes

2003-01-27 Thread Kevin Saenz

 It's not useless, though it can of course be compromised easily if the firewall
 software doing the checksumming runs as the same user as the application itself,
 which is the case under most versions of windows.  In fact, already some viruses
 disable the firewall, and put up an icon in the system tray to make it look
 like it is still running.
 
 On Linux though, I can easily imagine this being implemented in a more secure
 manner. 
 
The only problem I see here is that these sorts of firewalls are only as
good as their latest updates, just like anti-virus. Here is a question
for those experts with kerio and zonealarm: once the application does
its checksums and the like, where does that database go? Is it on the local
system?






RE: [SLUG] Firewall MD5 signatures on processes

2003-01-26 Thread Kevin Saenz
Well if you think that this is a necessity that is missing from
security, start up a project. :-) That's the beauty of Open Source.

But I think you are a little misguided about the concept of firewalls
and their functions. I don't think professional firewalls like gauntlet,
checkpoint-1, or pix will do this as file systems are not part of the
TCP/IP Stack.

See, the problem with the application you have for a firewall is that
it won't protect multiple machines behind the firewall. You would
be required to install the firewall on each machine, as it will
behave like an antivirus doing live checks on files, which is very
expensive in resources. Also the firewall you have informed us about
doesn't look at files on the network layer, it looks at files on
the OS layer, just like tripwire. It does not do any packet inspection.



 
 I feel I must point out that, the point of MD5 checksums on applications is
 to identify which applications have changed or have been trojaned. If the
 firewall can identify altered file(s) then both the firewall and
 administrator will have a chance to be alerted. This is significant
 security.
 
 File integrity should be part of the network access layer, and checked by
 both the firewall and other file integrity audit programs, because the
 latter (eg. Tripwire) won't do anything to stop trojans from
 bypassing/tricking the firewall.
 
 If a box is hacked, and the intruder has root access then security is
 finished. The best thing to do is to rebuild with better security
 prevention. I'm not proposing a be-all-end-all solution, because there're
 many aspects of security that's handled by different things.
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
 Jean-Francois Dive
 Sent: Saturday, 25 January 2003 23:45
 To: Minh Van Le
 Cc: [EMAIL PROTECTED]
 Subject: Re: [SLUG] Firewall MD5 signatures on processes
 
 
 As well, if a trojan enters the system, it'll be 90% of the time through
 a network application, which has access to the network -- this won't
 avoid much at the end of the day.
 
 On Fri, Jan 24, 2003 at 10:50:59PM +1100, Minh Van Le wrote:
  Various firewalls for Windows(TM) have a feature that identifies, permits, and
  denies packets sent by authorised applications. (I use Kerio Personal Firewall
  [www.kerio.com]). These firewalls use a method for creating and checking MD5
  signatures on applications that attempt to access the low-level network
  layers or device drivers. This feature exists to prevent trojans or
  unauthorised replacement of binaries, eg. a trojaned httpd, that tries to
  access/bypass the firewall.
 
  I know that IPChains and IPTables are packet filtering firewalls, and
  basically work on src/dest:port [protocol] IP headers, but these internet
  daemons, eg. httpd, can be configured to use different ports ...
 
  My question is, does IPTables support identifying packets sent from specific
  applications, or any MD5 checksums on applications, or even verifying full
  path and filename details of any binary that accesses the kernel networking
  layer? This would at least help in identifying what processes are trying to
  access the firewall.
 
  Should checksums be left to file system integrity programs like Tripwire?
-- 
Kevin Saenz [EMAIL PROTECTED]




Re: [SLUG] Firewall MD5 signatures on processes

2003-01-25 Thread Jean-Francois Dive
Linux iptables has the ability to match based on userid and groupid;
Windows-based networking could apply the same technique, I suppose.

In any case, you'd better check that the passwd is not accessible from the 'bad'
processes.

Tripwire checks file integrity; this has nothing to do with the network access layer,
except that they are security-related features which help in trojan prevention.

Finally, remember that trojans or insiders may have system / root access,
which denies this whole protection scheme.

JeF

On Fri, Jan 24, 2003 at 10:50:59PM +1100, Minh Van Le wrote:
 Various firewalls for Windows(TM) have a feature that identifies, permits, and
 denies packets sent by authorised applications. (I use Kerio Personal Firewall
 [www.kerio.com]). These firewalls use a method for creating and checking MD5
 signatures on applications that attempt to access the low-level network
 layers or device drivers. This feature exists to prevent trojans or
 unauthorised replacement of binaries, eg. a trojaned httpd, that tries to
 access/bypass the firewall.
 
 I know that IPChains and IPTables are packet filtering firewalls, and
 basically work on src/dest:port [protocol] IP headers, but these internet
 daemons, eg. httpd, can be configured to use different ports ...
 
 My question is, does IPTables support identifying packets sent from specific
 applications, or any MD5 checksums on applications, or even verifying full
 path and filename details of any binary that accesses the kernel networking
 layer? This would at least help in identifying what processes are trying to
 access the firewall.
 
 Should checksums be left to file system integrity programs like Tripwire?
 
 

-- 

- Jean-Francois Dive
-- [EMAIL PROTECTED]

  There is no such thing as randomness.  Only order of infinite
  complexity. - Marquis de LaPlace - deterministic Principles - 




[SLUG] Firewall MD5 signatures on processes

2003-01-24 Thread Minh Van Le
Various firewalls for Windows(TM) have a feature that identifies, permits, and
denies packets sent by authorised applications. (I use Kerio Personal Firewall
[www.kerio.com]). These firewalls use a method for creating and checking MD5
signatures on applications that attempt to access the low-level network
layers or device drivers. This feature exists to prevent trojans or
unauthorised replacement of binaries, eg. a trojaned httpd, that tries to
access/bypass the firewall.

I know that IPChains and IPTables are packet filtering firewalls, and
basically work on src/dest:port [protocol] IP headers, but these internet
daemons, eg. httpd, can be configured to use different ports ...

My question is, does IPTables support identifying packets sent from specific
applications, or any MD5 checksums on applications, or even verifying full
path and filename details of any binary that accesses the kernel networking
layer? This would at least help in identifying what processes are trying to
access the firewall.

Should checksums be left to file system integrity programs like Tripwire?


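As an added example (not code from this thread, nor from Kerio, Tripwire or any other tool named in it), the Python below sketches the host-side half of what Minh asks for, and makes concrete the distinction JeF draws between a checksum and a signature. It baselines a directory of binaries the way Tripwire does, detects a replaced httpd, and then shows why a bare checksum list is not a signature: an intruder who can rewrite the list can hide the trojan, whereas a keyed HMAC over the list (with the key held off the box, in the spirit of Kevin's floppy) makes the rewritten list fail verification before its contents are even consulted. The sample files and the key are constructed for the demo, and SHA-256 stands in for MD5, which is no longer collision resistant. It does not tie processes to ports or packets; on Linux that side of the question is the LSM-based tooling Matt lists, or iptables' uid/gid owner match, not a checksum.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed stand-ins for /usr/sbin binaries; real use would walk /bin, /sbin, /usr/sbin ...
SAMPLE_FILES = {
    "httpd": b"\x7fELF fake httpd contents",
    "sshd": b"\x7fELF fake sshd contents",
}


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Tripwire-style baseline: relative path -> digest for every regular file under root."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = file_digest(full)
    return manifest


def diff_manifest(baseline, current):
    """Paths whose digest changed, or that appeared or disappeared."""
    return sorted(p for p in set(baseline) | set(current) if baseline.get(p) != current.get(p))


def sign_manifest(manifest, key):
    """Canonical JSON body plus an HMAC tag. The tag is what turns a checksum list into
    something an intruder cannot rewrite without the key."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_unkeyed(root, body):
    """What a bare checksum list gives you: it trusts whatever is in the list."""
    return diff_manifest(json.loads(body), build_manifest(root))


def verify_keyed(root, body, tag, key):
    """Returns (manifest_authentic, changed_paths). A bad tag means the list itself
    was tampered with, so its contents are not consulted at all."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, []
    return True, diff_manifest(json.loads(body), build_manifest(root))


def demo():
    """Baseline, trojan httpd, then forge the checksum list to match the trojan."""
    key = os.urandom(32)  # in practice kept off the host, e.g. on the floppy with the tripwire binary
    with tempfile.TemporaryDirectory() as root:
        for name, data in SAMPLE_FILES.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        body, tag = sign_manifest(build_manifest(root), key)
        clean = verify_keyed(root, body, tag, key)

        # Replace httpd in place, as a trojan would.
        with open(os.path.join(root, "httpd"), "wb") as f:
            f.write(b"\x7fELF trojaned httpd")
        trojaned = verify_keyed(root, body, tag, key)

        # The intruder also rewrites the checksum list so the new httpd "matches".
        forged = json.loads(body)
        forged["httpd"] = file_digest(os.path.join(root, "httpd"))
        forged_body = json.dumps(forged, sort_keys=True).encode()
        hidden_by_unkeyed = verify_unkeyed(root, forged_body)       # [] : trojan invisible
        caught_by_keyed = verify_keyed(root, forged_body, tag, key)  # (False, [])
    return clean, trojaned, hidden_by_unkeyed, caught_by_keyed


if __name__ == "__main__":
    print(demo())
```

The keyed check only moves the problem to protecting the key and the verifier binary, which is exactly why the thread keeps coming back to "if they have root, it's over": an intruder with root can still patch the checker in memory. It does raise the bar from "rewrite one text file" to "defeat the key storage", which is the difference between a checksum and a signature.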



Re: [SLUG] Firewall MD5 signatures on processes

2003-01-24 Thread Kevin Saenz
It sounds like you are talking about packet analysers; you could have a
look at www.snort.org, there is some info on configuring snort with
iptables to create an active firewall. 

Tripwire is pretty much useful to inform you after the fact that someone
has modified a file on your system, as long as you have stored the files
created by tripwire on a floppy, probably best if you have the tripwire
binary on the floppy as well. You'll never know how good (or bad) a
cracker/worm wants to be.


 Various firewalls for Windows(TM) have a feature that identifies, permits, and
 denies packets sent by authorised applications. (I use Kerio Personal Firewall
 [www.kerio.com]). These firewalls use a method for creating and checking MD5
 signatures on applications that attempt to access the low-level network
 layers or device drivers. This feature exists to prevent trojans or
 unauthorised replacement of binaries, eg. a trojaned httpd, that tries to
 access/bypass the firewall.
 
 I know that IPChains and IPTables are packet filtering firewalls, and
 basically work on src/dest:port [protocol] IP headers, but these internet
 daemons, eg. httpd, can be configured to use different ports ...
 
 My question is, does IPTables support identifying packets sent from specific
 applications, or any MD5 checksums on applications, or even verifying full
 path and filename details of any binary that accesses the kernel networking
 layer? This would at least help in identifying what processes are trying to
 access the firewall.
 
 Should checksums be left to file system integrity programs like Tripwire?
-- 
Kevin Saenz [EMAIL PROTECTED]




[SLUG] Firewall log entry

2003-01-15 Thread alant

Hi,
I'm puzzled - what does this mean? SRC is the IP of my firewall, DST is
the machine that I am currently working on.

 Jan 16 11:36:27 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.1.2 DST=192.168.1.4 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=64962 DF PROTO=UDP SPT=68 DPT=67 LEN=308 

Thanks for help - is there any documentation on how to read these
logs?

Cheers,
Alan

-- 
--
Alan L Tyree[EMAIL PROTECTED]
http://www.law.usyd.edu.au/~alant
Tel: +61 2 4782 2670
Mobile: +61 419 638 170
Fax: +61 2 4782 7092




Re: [SLUG] Firewall log entry

2003-01-15 Thread Jeff Waugh
quote who=[EMAIL PROTECTED]

  Jan 16 11:36:27 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0
  SRC=192.168.1.2 DST=192.168.1.4 LEN=328 TOS=0x00 PREC=0x00 TTL=64
  ID=64962 DF PROTO=UDP SPT=68 DPT=67 LEN=308 

   ^^^ Is your DHCP not working? :-)

- Jeff

-- 
   I look forward to someday putting foo-colored ribbons on my homepage
   declaring 'port 25 is for spam', and 'just say no to the Spam Message
   Transmission Protocol!' - Raph Levien   
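Jeff's hint is the whole story, but the format itself is worth knowing: every netfilter LOG line is a fixed prefix (whatever the firewall passed as `--log-prefix`; Shorewall puts the chain and verdict there) followed by `KEY=VALUE` tokens and bare flags. The Python below is an added example, not from the post or from Shorewall, that parses those tokens and restates the line in words. It keeps both `LEN` values (IP total length, then UDP length), treats an empty `IN=` as "generated by the firewall host itself", and maps ports through a stub table that only knows the handful of services mentioned on this page. The sample line is Alan's, rejoined onto a single line.

```python
import re

# Constructed sample: the line from the post above, rejoined onto one line.
SAMPLE = ("Jan 16 11:36:27 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.1.2 "
          "DST=192.168.1.4 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=64962 DF PROTO=UDP "
          "SPT=68 DPT=67 LEN=308")

# Stub service table, just enough for the lines on this page.
PORT_NAMES = {
    ("UDP", 67): "dhcp-server", ("UDP", 68): "dhcp-client",
    ("TCP", 22): "ssh", ("TCP", 25): "smtp",
}


def parse_netfilter_log(line):
    """Split a netfilter LOG line into (log prefix, fields).

    Fields are KEY=VALUE tokens; bare flags (DF, SYN, ACK ...) map to True; a key that
    repeats (LEN: IP total length, then UDP/TCP payload length) collects into a list.
    """
    _, _, rest = line.partition("kernel: ")
    first = re.search(r"\b[A-Z]+=", rest)          # prefix ends where the first KEY= begins
    prefix, body = rest[:first.start()].strip(), rest[first.start():]
    fields = {}
    for tok in body.split():
        if "=" not in tok:
            fields[tok] = True
            continue
        key, value = tok.split("=", 1)
        if key in fields:
            prev = fields[key]
            fields[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            fields[key] = value
    return prefix, fields


def describe(line):
    """Turn one log line into a small dict a human can read at a glance."""
    prefix, f = parse_netfilter_log(line)
    parts = prefix.rstrip(":").split(":")          # Shorewall prefix: tool:chain:verdict
    proto = f.get("PROTO", "?")

    def name(port_key):
        if port_key not in f:
            return ""
        port = int(f[port_key])
        return PORT_NAMES.get((proto, port), f"port {port}")

    # IN= empty: locally generated. OUT= empty: delivered to this host.
    origin = "generated by the firewall itself" if f.get("IN") == "" else f"arrived on {f.get('IN')}"
    path = f"leaving via {f['OUT']}" if f.get("OUT") else "destined for this host"
    return {
        "verdict": parts[-1],
        "chain": parts[1] if len(parts) >= 3 else "",
        "origin": origin,
        "path": path,
        "summary": f"{proto} {f.get('SRC')} ({name('SPT')}) -> {f.get('DST')} ({name('DPT')})",
    }


if __name__ == "__main__":
    for k, v in describe(SAMPLE).items():
        print(f"{k:8} {v}")
```

Read that way, Alan's line is the firewall host itself (IN empty, OUT=eth0) sending a DHCP client request (UDP 68 to 67) to 192.168.1.4, and Shorewall's all2all policy rejecting it, which is why Jeff's first question is whether DHCP is working.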



RE: [SLUG] firewall

2002-12-29 Thread Michael Fox

 Hi Michael,

 I've been using 64MB Compact Flash for 0.1.1

 IPCop 0.1.2 final was just released a few days ago so I will
 try this today
 and see if it still fits in 64MB.

 If you want to have a go at this you will find a utility
 called mkflash in
 the IPCop CVS.

 Cheers,

   - Guy.

64MB? Hrmm, bit big. I've installed emBSD onto a 32MB card, and it worked
perfectly. I might look at doing this again down the track, when we finally
have ADSL sometime.





RE: [SLUG] firewall

2002-12-28 Thread Michael Fox


 Hi Gaza,

 Try IPCop it's great. I'm using 0.1.2 and have used 0.1.1
 prior to that for
 nearly a year

 www.ipcop.org

 v0.1.2beta = 2.2.23
 v0.1.3alpha = 2.4.20

 It's small enough to fit on a Compact Flash, and includes
 support for 3
 PSTN, ISDN, Ethernet and PCI ADSL. For ADSL Bridged ethernet,
 PPPoE and
 PPPoA are supported.
 0.1.2 even includes ISDN DOV support. You can have up to 3 interfaces
 (Green, Red and Orange), it also includes a proxy cache plus IPSec.

Typically what size compact flash? 32MB? Wouldn't mind putting an old IDE-CF
converter to use ;)




[SLUG] firewall

2002-12-23 Thread Gaza
I have an old PII 200Mhz pc I would like to load linux on it and make it a
firewall
I was wondering what linux could I use and what firewall software could I
use.

Thanks in advance
Merry Christmas everyone

Gaza





Re: [SLUG] firewall

2002-12-23 Thread Alan L Tyree
On Tue, 2002-12-24 at 15:12, Gaza wrote:
 I have an old PII 200Mhz pc I would like to load linux on it and make it a
 firewall
I run a single floppy distribution on an old 486.

Bering from http://leaf.sourceforge.net/

It is easy to use and configure, uses Shorewall to configure iptables. 

Cheers,
Alan
 I was wondering what linux could I use and what firewall software could I
 use.
 
 Thanks in advance
 Merry Christmas everyone
 
 Gaza
 
 
 
-- 
--
Alan L Tyree[EMAIL PROTECTED]
http://www.law.usyd.edu.au/~alant
Tel: +61 2 4782 2670
Mobile: +61 419 638 170
Fax: +61 2 4782 7092




Re: [SLUG] firewall - Smoothwall, IPcop

2002-12-23 Thread savanna
* Gaza [EMAIL PROTECTED] wrote:
 I have an old PII 200Mhz pc I would like to load linux on it and make it a
 firewall
 I was wondering what linux could I use and what firewall software could I
 use.

Check out Smoothwall www.smoothwall.org - a firewall appliance distro.
Doesn't require much linux experience to run. There's been some ruckus
around Smoothwall (search google), so some of the developers have
released a branch called IPcop.

I used Smoothwall and really like it. Check out quarkav.com for additional
doco.

--
Savanna |  Free as in 'free speech',
GnuPG Pub Key E40FAE08  |  not 'free beer'.



Re: [SLUG] firewall

2002-12-23 Thread Kevin Saenz
Linux is Linux,
For my firewall I have used RedHat, now I am using Mandrake,
probably move to another distro later on.
As for the firewall you only have one free option, iptables
that comes standard in the kernel.

There are a few GUIs that will help in building a firewall,
also there are a few tutorials that will help you understand
how iptables works.

 I have an old PII 200Mhz pc I would like to load linux on it and make it a
 firewall
 I was wondering what linux could I use and what firewall software could I
 use.
 
 Thanks in advance
 Merry Christmas everyone
 
 Gaza
 
 
 





[SLUG] firewall blocking telnet to smtp port

2002-10-09 Thread Anthony Gray

Hi Guys,

I'm trying to test smtp by telneting to it but I am being blocked by the 
firewall on the server running the smtp daemon.  I've tried adding iptables 
rules to allow me through however nothing I am doing is working.
If I disable the firewall totally, then my telnet works.
Currently the iptables rules that are running are listed below (output from 
iptables -L):

*
Chain INPUT (policy DROP)
target prot opt source   destination
ACCEPT all  --  localhost.localdomain  localhost.localdomain
ACCEPT all  --  go.read.the.RFC.this.server.doesnt.resolve.rfc1918  
anywhere
ACCEPT all  --  go.read.the.RFC.this.server.doesnt.resolve.rfc1918  
anywhere
ACCEPT tcp  --  anywhere anywhere   tcp dpt:ssh
ACCEPT tcp  --  anywhere anywhere   tcp dpt:http
ACCEPT udp  --  anywhere anywhere   udp dpt:http
ACCEPT tcp  --  anywhere anywhere   tcp dpt:https
ACCEPT udp  --  anywhere anywhere   udp dpt:https
ACCEPT tcp  --  anywhere anywhere   tcp dpt:postgres
ACCEPT udp  --  anywhere anywhere   udp spt:domain
ACCEPT tcp  --  anywhere anywhere   tcp spt:auth
ACCEPT tcp  --  anywhere anywhere   tcp dpt:auth
ACCEPT icmp --  pop02.iprimus.net.au  anywhere   icmp echo-reply
ACCEPT icmp --  pop01.iprimus.net.au  anywhere   icmp echo-reply
ACCEPT icmp --  pop01.iprimus.net.au  anywhere   icmp 
destination-unreachable
ACCEPT icmp --  pop02.iprimus.net.au  anywhere   icmp 
destination-unreachable
ACCEPT icmp --  pop01.iprimus.net.au  anywhere   icmp 
time-exceeded
ACCEPT icmp --  pop02.iprimus.net.au  anywhere   icmp 
time-exceeded
firewall   icmp --  anywhere anywhere
firewall   tcp  --  anywhere anywhere   tcp 
flags:SYN,RST,ACK/SYN
firewall   udp  --  anywhere anywhere
ACCEPT tcp  --  anywhere anywhere   tcp dpt:smtp 
flags:SYN,RST,ACK/SYN
ACCEPT tcp  --  anywhere anywhere   tcp dpt:pop3 
flags:SYN,RST,ACK/SYN
ACCEPT tcp  --  anywhere anywhere   tcp 
dpts:32000:36000
ACCEPT icmp --  157.d.004.brs.iprimus.net.au  anywhere   icmp 
echo-reply
ACCEPT icmp --  157.d.004.brs.iprimus.net.au  anywhere   icmp 
destination-unreachable
ACCEPT icmp --  157.d.004.brs.iprimus.net.au  anywhere   icmp 
time-exceeded
ACCEPT tcp  --  157.d.004.brs.iprimus.net.au  anywhere
ACCEPT udp  --  157.d.004.brs.iprimus.net.au  anywhere
ACCEPT icmp --  157.d.004.brs.iprimus.net.au  anywhere
ACCEPT tcp  --  anywhere anywhere   tcp dpt:telnet 
flags:SYN,RST,ACK/SYN
ACCEPT udp  --  anywhere anywhere   udp dpt:telnet
ACCEPT tcp  --  anywhere anywhere   tcp dpt:telnet

Chain FORWARD (policy ACCEPT)
target prot opt source   destination

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination

Chain firewall (3 references)
target prot opt source   destination
LOGall  --  anywhere anywhere   LOG level info 
prefix `Firewall:'
DROP   all  --  anywhere anywhere

*

I've been playing around so you will see some weird entries above, however 
can you let me know if there is anything I am missing here?

Even when I ssh to the box and try the telnet locally, it still is blocked.

I can see the blocked entries in /var/log/messages.

I am running RH 7.3 with kernel 2.4.19

TIA

Anthony









Re: [SLUG] firewall blocking telnet to smtp port

2002-10-09 Thread Malcolm V

On Wed, 2002-10-09 at 23:30, Anthony Gray wrote:
snipped
 Chain INPUT (policy DROP)
 target prot opt source   destination
snipped
 firewall   icmp --  anywhere anywhere
 firewall   tcp  --  anywhere anywhere   tcp 
 flags:SYN,RST,ACK/SYN
 firewall   udp  --  anywhere anywhere
Everything below this in the INPUT chain will never be reached, this
catches everything, logs it and drops it.

 ACCEPT tcp  --  anywhere anywhere   tcp dpt:smtp 
 flags:SYN,RST,ACK/SYN
There should be no need to use these flags, in fact I think this will
prevent normal traffic to this port which isn't an initial connection.

When you try to telnet in from the machine itself, is it appearing in
the logs with a source address of 127.0.0.1 or the network IP (which is
not explicitly unblocked due to a failure to resolve the name)?

Cheers,
Malcolm V.

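Malcolm's diagnosis is about first-match order, and that is something you can check by simulating the traversal before touching the live box. The Python below is an added example (not part of the post, and with a deliberately simplified rule representation: protocol, destination port, SYN flag and conntrack state only) that models how netfilter walks a chain: rules are tried in sequence, the first ACCEPT/DROP/REJECT wins, LOG matches without terminating, a jump into a user chain returns to the caller if nothing there terminated, and the chain policy applies when the rules run out. `POSTED` mirrors the structure of Anthony's INPUT chain and shows both problems: the SYN to tcp/25 is swallowed by the jump into `firewall` (LOG, then DROP) before the smtp ACCEPT is ever reached, and with `policy DROP` and no ESTABLISHED rule the non-SYN packets of the session are dropped even where the ACCEPT would be reached. `FIXED` moves the ACCEPTs ahead of the jumps and adds a state rule.

```python
# Toy model of netfilter traversal, used to check rule ORDER before loading a ruleset.
# Rules are tried in sequence; the first matching ACCEPT/DROP/REJECT wins; LOG matches
# but does not terminate; a jump into a user chain returns to the caller if nothing
# there terminated; the built-in chain's policy applies if it runs out of rules.
# The rule representation is deliberately simplified (proto/dport/syn/state only).

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def rule(target, proto=None, dport=None, syn=None, state=None):
    """None means 'don't care', as an omitted match does in iptables."""
    return {"target": target, "proto": proto, "dport": dport, "syn": syn, "state": state}


def matches(r, pkt):
    return ((r["proto"] is None or r["proto"] == pkt["proto"])
            and (r["dport"] is None or r["dport"] == pkt.get("dport"))
            and (r["syn"] is None or r["syn"] == pkt.get("syn", False))
            and (r["state"] is None or pkt.get("state") in r["state"]))


def walk(chains, name, pkt, trace):
    for r in chains[name]:
        if not matches(r, pkt):
            continue
        trace.append((name, r["target"]))
        if r["target"] in TERMINATING:
            return r["target"]
        if r["target"] in chains:                  # -j <user chain>
            v = walk(chains, r["target"], pkt, trace)
            if v is not None:
                return v
        # LOG, or a user chain that fell through: carry on with the next rule
    return None


def verdict(chains, policies, pkt, chain="INPUT"):
    """Final verdict and the list of (chain, target) the packet touched on the way."""
    trace = []
    v = walk(chains, chain, pkt, trace)
    return (v if v is not None else policies[chain]), trace


# Structure of the posted INPUT chain, trimmed to the rules that matter: the three
# jumps to `firewall` (which LOGs then DROPs) sit before the smtp ACCEPT.
POSTED = {
    "INPUT": [
        rule("ACCEPT", proto="tcp", dport=22),
        rule("firewall", proto="icmp"),
        rule("firewall", proto="tcp", syn=True),
        rule("firewall", proto="udp"),
        rule("ACCEPT", proto="tcp", dport=25, syn=True),   # never reached by a SYN
    ],
    "firewall": [rule("LOG"), rule("DROP")],
}

# Same rules, reordered: ACCEPTs first, plus a state rule so the rest of an accepted
# connection (non-SYN packets) is not left to the DROP policy.
FIXED = {
    "INPUT": [
        rule("ACCEPT", state={"ESTABLISHED", "RELATED"}),
        rule("ACCEPT", proto="tcp", dport=22, syn=True),
        rule("ACCEPT", proto="tcp", dport=25, syn=True),
        rule("firewall", proto="icmp"),
        rule("firewall", proto="tcp", syn=True),
        rule("firewall", proto="udp"),
    ],
    "firewall": [rule("LOG"), rule("DROP")],
}
POLICIES = {"INPUT": "DROP"}

# Two packets of one "telnet host 25" session: the opening SYN, then a data packet.
SMTP_SYN = {"proto": "tcp", "dport": 25, "syn": True, "state": "NEW"}
SMTP_ACK = {"proto": "tcp", "dport": 25, "syn": False, "state": "ESTABLISHED"}


def compare():
    """Verdicts (and traversal traces) for both packets under both rulesets."""
    return {
        "posted_syn": verdict(POSTED, POLICIES, SMTP_SYN),
        "posted_ack": verdict(POSTED, POLICIES, SMTP_ACK),
        "fixed_syn": verdict(FIXED, POLICIES, SMTP_SYN),
        "fixed_ack": verdict(FIXED, POLICIES, SMTP_ACK),
    }


if __name__ == "__main__":
    for k, (v, trace) in compare().items():
        print(f"{k:11} {v:7} via {trace}")
```

On the real box the equivalent change is `iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT` followed by `iptables -I INPUT 2 -p tcp --dport 25 --syn -j ACCEPT`, so both sit ahead of the jumps into `firewall`; `iptables -L INPUT -n --line-numbers` then shows the order the kernel will actually use, without the hostname lookups that were hiding the unresolved RFC1918 source in the posted listing.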



[SLUG] firewall allergic to kernel 2.4.18.

2002-08-18 Thread James Gregory

A little while ago I posted about my poor firewall that was running at 
half speed after a fairly major upgrade.

I was reasonably convinced it wasn't hardware, so today I decided I'd 
try un-upgrading bits and pieces to see what was wrong. I firstly 
un-upgraded pppd back to the version I had on there before (I think). No 
difference. Then I switched back to the 2.2.18 kernel I had on it 
before, and after a reboot, all my downloads were running at their 
normal speed again (around 5.6-kbps). Now, I would be surprised if there 
was actually a relevant bug in the 2.4.18 kernel, so I suspect it's a 
kernel option that I've set. Can anyone think of any kernel options 
which would affect the speed of either

1. Serial ports
2. PPP connections.

?

Thanks,

James.




Re: [SLUG] firewall allergic to kernel 2.4.18.

2002-08-18 Thread Jon Teh

On Sun, Aug 18, 2002 at 06:31:17PM +1000, James Gregory wrote:
 A little while ago I posted about my poor firewall that was running at 
 half speed after a fairly major upgrade.
 
 I was reasonably convinced it wasn't hardware, so today I decided I'd 
 try un-upgrading bits and pieces to see what was wrong. I firstly 
 un-upgraded pppd back to the version I had on there before (I think). No 
 difference. Then I switched back to the 2.2.18 kernel I had on it 
 before, and after a reboot, all my downloads were running at their 
 normal speed again (around 5.6-kbps). Now, I would be surprised if there 
 was actually a relevant bug in the 2.4.18 kernel, so I suspect it's a 
 kernel option that I've set. Can anyone think of any kernel options 
 which would affect the speed of either
 
 1. Serial ports
 2. PPP connections.

I, too, have noticed remarkably poor performance of
kernel 2.4.18 when used in an IP masquerading gateway. When I 'upgraded' to 
kernel 2.4.18, I experienced between 20 to 60% packet loss from my gateway to
elsewhere. I don't know what is wrong, but it really doesn't do an awful 
lot of good for usability. I'll be upgrading to 2.4.19 seeing as it has
now been released, ASAP. I'll see how it goes.

-- Jon Teh




[SLUG] firewall bewilderment

2002-08-12 Thread James Gregory

So a little while ago I made the discovery that Sydney Uni (which I 
happen to attend) had a reasonably recent mirror of debian. I decided 
that this was a great chance for me to upgrade the debian install on my 
firewall (mostly so I could get a 2.4 kernel, which I ended up not 
getting after a dist-upgrade, and turned out to be about 5 days of 
messing around to get working, but these are tangential issues).

After a week of fooling around with random things my firewall is now 
running debian 3.0 with kernel 2.4.18 and doing minimalist firewalling, 
NATting and port forwarding with iptables. So far so good, and the 
iptables interface is much nicer than the old ipchains/ipmasqadm set up 
I had.

My problem is that the new firewall set up runs quite literally half as 
fast as the old configuration. I have no idea why. By this I mean that 
the download from mirror.aarnet I'm currently doing (which as I 
understand it is routed through sydney uni's connection to aarnet and 
just a few days ago was running at 5k/s) is running at about 2.4k/s.

Uninteresting information about my firewall:

56k net connection.
3c509 network card
486DX40 processor.
16MB RAM.
32MB swap.
vanishingly small hard drives.
no other drives.
unused VLB video card of some description.

The machine runs sshd, iptable-ey stuff, pppd, dhcpd and well.. that's 
about all.

I do know that apt-get broke my pppd configuration by replacing my 
/etc/ppp/options (which it strongly recommended that it do). That's 
fixed now, and I let it keep most of the options it wanted to set since 
I figured it would have a good reason for making such a recommendation. 
But why is my connection so slow?

Any pointers would be much appreciated.

James.




Re: [SLUG] firewall bewilderment

2002-08-12 Thread Matthew Palmer

On Tue, 13 Aug 2002, James Gregory wrote:

 My problem is that the new firewall set up runs quite literally half as 
 fast as the old configuration. I have no idea why. By this I mean that 
 the download from mirror.aarnet I'm currently doing (which as I 
 understand it is routed through sydney uni's connection to aarnet and 
 just a few days ago was running at 5k/s) is running at about 2.4k/s.
 
 Uninteresting information about my firewall:
 
 56k net connection.

Check to make sure that the connection is being compressed.  PPP has
compression modules, and your modem might have compression too.  It is
possible that the Uni's pipe is being saturated a little more than it was a
few days ago, or your connections might be throttled now, introduced
coincidentally with your new firewall.  (These are the sorts of things that
Unis do to annoy people).


-- 
---
#include disclaimer.h
Matthew Palmer, Geek In Residence
http://ieee.uow.edu.au/~mjp16




Re: [SLUG] firewall

2002-04-03 Thread John Nicholls

Ken Wilson wrote:

 thanks for modem answers and ISP stuff
 Megan gave me a hand and found that the firewall was stopping email and 
 web on high setting,  anyone have some firewall rules that they would 
 like to share. I only do personal dial up email and www stuff. no 
 network, no server.
 thanks Ken
 

Redhat 7.2 uses these settings for its High security level option, which 
will give you email and web browsing:

Chain input (policy ACCEPT):
target     prot opt     source               destination          ports
ACCEPT     all  --      anywhere             anywhere             n/a
REJECT     tcp  -y      anywhere             anywhere             any ->   any
REJECT     udp  --      anywhere             anywhere             any ->   any
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):

Regards
John





[SLUG] firewall

2002-04-02 Thread Ken Wilson

 thanks for modem answers and ISP stuff
Megan gave me a hand and found that the firewall was stopping email and 
web on high setting,  anyone have some firewall rules that they would 
like to share. I only do personal dial up email and www stuff. no 
network, no server.
thanks Ken




[SLUG] Firewall hardware

2001-10-25 Thread Bob Hubbard

I'll be moving to Central Coast NSW in December and have gathered some
network hardware to bring with me. I think it is what I will need to put a
486 between me and the dial up modem. I understand cable or DSL is not
available to me.

I have a screamer of a PC to bring with me, SuSE distro of course, and
will pick up a 486 for the firewall when I get to OZ.

I'm bringing an SMC 10/100 LAN card and a Linksys 10/100. I also have an
RJ-45 cable. Will this hardware do the job? Do I need anything more.

Also, as far as software is concerned, there is a lot available, at this
time I'm thinking Smoothwall might be a good choice. I'm currently running
Bastille on my Linux SuSE-7.0 which dual boots with Windoze.

Comments, anyone

Regards,

Bob

Bob Hubbard
St.Albert, Ab
CANADA





Re: [SLUG] Firewall hardware

2001-10-25 Thread Craige McWhirter

G'day Bob, apart from amusing but disparaging anecdotes about the
Central Coast removed are you aware that your .ca gear may require some
sort of power adapters to function in Aus?

I'm unsure of what .ca power points are like but the .au ones are:

/ \
 |

Some devices may also require the voltage switch to be flicked over or
perhaps even require a converter. Just some things to think about and
investigate.

On Fri, 2001-10-26 at 05:00, Bob Hubbard wrote:

 Comments, anyone

-- 

Cheers,
  Craige.



Re: [SLUG] Firewall hardware

2001-10-25 Thread Bob Hubbard


On 26 Oct 2001, Craige McWhirter wrote:

 G'day Bob, apart from amusing but disparaging anecdotes about the
 Central Coast removed are you aware that your .ca gear may require some
 sort of power adapters to function in Aus?

Thanks, Craige. I think I have everything organized as far as power is
concerned.

The CPU power supply has a slide switch for 240V and my Monitor is self
adjusting, so they tell me at the factory (110-250 not 110/250). As far as
the power cords go, I just need to buy one of yours (ours - I'm an
Aussie) and I'm in business, the point on the PC box is a universal point.

regards,

Bob





Re: [SLUG] Firewall hardware

2001-10-25 Thread Crossfire

Craige McWhirter was once rumoured to have said:
 G'day Bob, apart from amusing but disparaging anecdotes about the
 Central Coast removed are you aware that your .ca gear may require some
 sort of power adapters to function in Aus?

One other important thing is telephony equipment - If you have any
existing modems, phones, NTUs, etc, that you want to bring here, make
sure that they have Austel certification before trying to connect them
to the phone network, otherwise you run the risk of big nasty fines if
you get caught.

Fortunately modems are cheap nowadays, so you might be best off
picking up one here when you come over.

Also, you might want to check to see if OnRamp Home Highway is
available in that area when you arrive, since if it is, you can get
reasonably affordable ISDN connectivity as long as you can find an ISP
within range that supports Data over Voice ISDN connections.

C.
-- 
--==--
  Crossfire  | This email was brought to you
  [EMAIL PROTECTED] | on 100% Recycled Electrons
--==--




Re: [SLUG] Firewall hardware

2001-10-25 Thread Bob Hubbard


Thanks, C. Didn't know about the modem certification and thanks for the
tip re ISP. Not sure what is meant by Data over Voice ISDN but will
certainly check it out.

Regards,

Bob








Re: [SLUG] Firewall hardware

2001-10-25 Thread David Fitch

On Thu, Oct 25, 2001 at 06:50:46PM -0600, Bob Hubbard wrote:
 Thanks, C. Didn't know about the modem certification and thanks for the
 tip re ISP. Not sure what is meant by Data over Voice ISDN but will
 certainly check it out.

i wouldn't worry too much about the modem and Austel/ACA certification,
it's pretty much a crock, wait and see if your current modem doesn't
work properly before considering buying a new one.

DoV is a trick, it's normal ISDN (it's ETSI in Australia, different
system to the US, I presume Canada uses the US system?) but if
you use DoV the carrier thinks it's a voice call and with the Onramp
Home Highway service they have different call rates for voice
versus data so you get a data-over-voice connection for the normal 
untimed voice rate of 19.8c (rather than data at $1.10 per hour).
(plus your ISP charges on top of that of course)

(if you're getting two phone lines, it's worth getting an ORHH
service instead, you effectively get 2 digital lines for the same
price as 2 analogue ones)

You can find ORHH info by searching under www.telstra.com, and DoV
info from www.traverse.com.au or local central coast ISPs.

Re your comment about cable/adsl not available another option is
satellite.  Again telstra/bigpond have it, also www.ihug.com.au
and various ihug resellers (most of whom do a better deal than
going direct to ihug).  I gather there's others too but I haven't
managed to find out about them (eg. Austar).

Dave.




Re: [SLUG] Firewall hardware

2001-10-25 Thread jon

 Re your comment about cable/adsl not available another option is
 satellite.  Again telstra/bigpond have it, also www.ihug.com.au
 and various ihug resellers (most of whom do a better deal than
 going direct to ihug).  I gather there's others too but I haven't
 manage to find out about them (eg. Austar).

Satellite, in its present one-way form, sucks BIG time... Useless for on-line 
gaming (too much lag time), plus you still need a phone line.

Wait until January - there will be two-way satellite trials commencing (I have 
my name on the list to trial the system). I can't give you much more 
information than that (apart from the fact that I don't know any more yet, I 
was sworn to secrecy by the installation technician that told me - and I'm in 
the process of converting him to Linux !!), but as soon as the trials begin, I 
will post more.

Jon




Re: [SLUG] Firewall hardware

2001-10-25 Thread Crossfire

David Fitch was once rumoured to have said:
 On Thu, Oct 25, 2001 at 06:50:46PM -0600, Bob Hubbard wrote:
  Thanks, C. Didn't know about the modem certification and thanks for the
  tip re ISP. Not sure what is meant by Data over Voice ISDN but will
  certainly check it out.
 
 i wouldn't worry too much about the modem and Austel/ACA certification,
 it's pretty much a crock, wait and see if your current modem doesn't
 work properly before considering buying a new one.

It may be a crock, but it's an expensive one if you get caught.  I
doubt the fine is worth the $100 savings from not buying a new
external modem.

C.
-- 
--==--
  Crossfire  | This email was brought to you
  [EMAIL PROTECTED] | on 100% Recycled Electrons
--==--




Re: [SLUG] Firewall hardware

2001-10-25 Thread jon

 It may be a crock, but its an expensive one if you get caught.  I
 doubt the fine is worth the $100 savings from not buying a new
 external modem.

Possibly not - I checked this AGES ago with our Telstra rep. and he basically 
said that Telstra are responsible up to the socket on the wall (for domestic 
or normal business services), or to the socket on the NTU that they provide 
before it goes into your network. What you plug in they don't give a damn 
about - it's your call. If your equipment causes damage to their network, they 
charge you for it. If your equipment is non-approved and there's a fault on 
the line, they'll INSIST you remove it before testing the line.

I can extract further clarification from him if necessary...

Jon




[SLUG] Firewall Hardware

2001-10-25 Thread Bob Hubbard

OK chaps, many thanks for the many responses. I'll sort through them and
make a hard copy to bring to OZ with me.

Regards to all. 

Temp minus 10 Celsius. Should be minus 30 by the time we leave Dec 19.

Bob




Bob Hubbard
St.Albert, Ab
CANADA





Re: [SLUG] Firewall Hardware

2001-10-25 Thread Adam Kennedy

Wow, 

That's about a 2 degree increase for every hour of plane flight :)

-30 to +30 should be an interesting transition.

Adam

- Original Message - 
From: Bob Hubbard [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 26, 2001 1:26 PM
Subject: [SLUG] Firewall Hardware


 OK chaps, many thanks for the many responses. I'll sort through them and
 make a hard copy to bring to OZ with me.
 
 Regards to all. 
 
 Temp minus 10 Celsius. Should be minus 30 by the time we leave Dec 19.
 
 Bob
 
 
 
 
 Bob Hubbard
 St.Albert, Ab
 CANADA
 
 
 





Re: [SLUG] Firewall security audit report

2001-03-01 Thread chesty

On Wed, Feb 28, 2001 at 08:50:32PM +1100, Umar Goldeli wrote:
 Anyway, he'll need root to put ethx into promisc mode.. 

On a related note, it's possible to remove promiscuous mode capability 
from the kernel, plus a whole bunch more, eg set the immutable bit
on some files, append only on others and remove the kernel's capability 
to modify the immutable and append only attributes.

   Agreed thoroughly about the turn off all listening services bit. :)
  
  Sorry, did you say something?

 When you're first setting up the box, make sure you Detonate(tm) all
 listening services that you don't specifically want. The less ports
 listening, the better ("none" is good. :)

You agreed about turning off all listening services, and I pretended I didn't 
hear you. get it? funny, no? :)

It was a joke Joyce.

If you don't like my jokes, you should hear me sing.

-- 
chesty





Re: [SLUG] Firewall security audit report

2001-02-28 Thread Conrad Parker

On Wed, Feb 28, 2001 at 10:45:58AM +1100, Howard Lowndes wrote:
 I actually burn my private keys, locked with an access phrase, onto one of
 those credit card CDs, ...
 
 This probably still doesn't overcome the problem of the CD image being
 carried in user memory space tho.
 
 Anyone know how to stop the CD image being carried in memory space?

the problem is not so much the key being in memory (it needs to get into
memory if it's ever gonna go through the cpu) but that when that memory
gets paged to disk it can potentially be read by someone else later; you
don't want that key you've taken pains to put on CD to be sitting in the
swap space of every box you use.

the software that accesses the data has to handle this. see mlock(2)

Conrad.




Re: [SLUG] Firewall security audit report

2001-02-28 Thread Crossfire

chesty was once rumoured to have said:
 On Wed, Feb 28, 2001 at 10:49:32AM +1100, Umar Goldeli wrote:

 Removing uname isn't going to buy me much.
 find  /proc -exec less {} \;
 /proc is bad, mmmkay.
 
 I've never tried to run a box without proc, I might give it a go.

It won't work very well.  A lot of stuff relies on /proc.

   We have been advised to run ntp on the firewall so log time stamps are in
   sync. Another potential access point.
  
  Bind ntp to a particular interface and only allow port 123 from your ntp
  server, also turn on the funky auth features (or you could do ipsec to
  your ntp box ;) 
 
 You bring up a good point about ntp auth, obviously ntp will be
 filtered, but that won't stop forged packets (and unfortunately,
 neither will some of our routers (yet)). I wonder if someone could
 send bogus ntp packets and shift the time on the firewall?

This is what stateful inspection firewalls or very tight firewall
rulesets are for.  Only accept NTP replies from systems you've
queried, that way they have to compromise the time server(s) too.

C.
-- 
--==--
  Crossfire  | This email was brought to you
  [EMAIL PROTECTED] | on 100% Recycled Electrons
--==--

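Both the Red Hat "High" ipchains listing earlier on this page (accept everything, reject inbound TCP SYNs and inbound UDP) and the point just above about only accepting NTP replies for queries this host sent can be expressed in one stateful iptables ruleset. The script below is an added example, not code posted by John, Crossfire or anyone else in the thread. It assumes a kernel with the iptables conntrack match, an external interface named by the first argument (ppp0 in the usage) and a single trusted NTP server given as the second argument (192.0.2.10 is a documentation address, not a real server); gen_ruleset and verify_ruleset are hypothetical helper names chosen for the example.

```shell
#!/bin/sh
# Added example (not from the list thread): build and sanity-check a stateful
# iptables ruleset for a single dial-up host that only initiates connections
# and accepts NTP replies solely for queries it sent itself.
# Assumptions: a kernel with the conntrack match; the interface and the NTP
# server are supplied by the caller (192.0.2.10 in the usage is a
# documentation address, not a real server).

# gen_ruleset EXT_IF NTP_SERVER
# Emits iptables-restore input for the filter table on stdout.
gen_ruleset() {
    ext_if=$1
    ntp_server=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is unrestricted
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to flows this host opened (mail, web, DNS, NTP) come in here;
# this is the stateful equivalent of the old "REJECT tcp -y" SYN rule,
# since an unsolicited SYN matches nothing and falls to the DROP policy
-A INPUT -i $ext_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# outbound: any TCP service (SMTP, POP3, HTTP, ...) plus DNS and ICMP
-A OUTPUT -o $ext_if -p tcp -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o $ext_if -p udp --dport 53 -j ACCEPT
-A OUTPUT -o $ext_if -p icmp -j ACCEPT
# NTP: queries go only to the one configured server; its replies are
# accepted by the ESTABLISHED rule, anything else on udp/123 is dropped
-A OUTPUT -o $ext_if -p udp -d $ntp_server --dport 123 -j ACCEPT
# rate-limited log of what the INPUT policy is about to drop
-A INPUT -i $ext_if -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# verify_ruleset RULESET_TEXT
# Returns 0 when every chain policy is DROP and no INPUT rule accepts udp/123
# without a conntrack state match, 1 otherwise. Hypothetical check written
# for this example.
verify_ruleset() {
    rs=$1
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "$rs" | grep -q "^:$chain DROP" || return 1
    done
    # an INPUT accept keyed on the NTP port alone would let any host inject
    if printf '%s\n' "$rs" | grep '^-A INPUT' | grep -- '--dport 123' \
        | grep -v -- '--ctstate' | grep -q 'ACCEPT'; then
        return 1
    fi
    return 0
}

# When run as a script with two arguments, print the ruleset for review
# (pipe it into iptables-restore as root to apply it).
if [ "$#" -eq 2 ]; then
    gen_ruleset "$1" "$2"
fi
```

Apply with `sh ruleset.sh ppp0 192.0.2.10 | iptables-restore` as root after reading the output. What conntrack does and does not buy here: an inbound udp/123 packet is only accepted when it matches the reverse tuple of a query this host sent, so a forged reply has to spoof the server's address and hit the right source port inside the entry's timeout. That raises the bar against the bogus-packet scenario above but does not authenticate the time itself, which is what the NTP authentication keys mentioned earlier in the thread are for; use both.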


