Re: [SLUG] Firewalls???
Lyle Chapman wrote:
> my problem is a noisy (fan + drive ... I am not sure which way to proceed, ... thanks to any advice

What about a nice new 13 dB fan from PC Case Gear, or i-tech, or secret.net? ACS 2L Arctic-Cooling Copper Silent 2L ($29).

N

-- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
[SLUG] Firewalls???
I currently have running a Smoothwall 2 box which has been great for the past 6 months or so, although my problem is a noisy one (fan + drive in a 5-year-old machine = 2 young children being woken up in the middle of the night by slipping and whining fans). I am not sure which way to proceed; I have plenty of old 200 MHz machines floating about but will probably end up with the same problem. Does anyone know of a good hardware firewall for under $125? Are Billion firewalls any good? Thanks for any advice - it is always greatly appreciated!
Re: [SLUG] Firewalls???
Hi,

If you fancy going wireless you could get a Linksys WRT54G (as recommended in another discussion) and flash the firmware with something like the Sveasoft firmware, which gives you an ssh-able router that you can set up iptables on, and do clever things such as traffic shaping too. There are other firmwares available (quite possibly for free, too), but I have a friend running the Sveasoft one, and he rates it very highly.

http://www.sveasoft.com/
http://www.sveasoft.com/modules/phpBB2/index.php
http://www.linksys.com/products/product.asp?prid=508scid=35

HTH
Rob.

On Mon, 17 Jan 2005 13:28:09 +1100, Lyle Chapman wrote:
> Does anyone know of a good hardware firewall for under $125? Are billion firewalls any good?

-- Rob Sharp
w: quannum.co.uk
[SLUG] Firewalls
G'day all,

I've noticed that there are a number of firewall products discussed on this list. I've been using straight iptables rules for firewalling. I'm educated in security, and am wondering how firewall rules applied straight to the kernel via iptables/netfilter compare and contrast with using a firewall product.

All the best.
Mike

--- Michael S. E. Kraus, Administration, Capital Holdings Group (NSW) Pty Ltd
phone (02) 9955 8000, fax (02) 9955 8144

-- SLUG - Sydney Linux User's Group - http://slug.org.au/ More Info: http://lists.slug.org.au/listinfo/slug
Re: [SLUG] Firewalls
On Friday 14 Feb 2003 11:47 am, Michael Kraus wrote:
> I've been using straight iptables rules for firewalling. I'm educated in security, and am wondering how firewall rules applied straight to the kernel via iptables/netfilter compare and contrast with using a firewall product.

A firewall is not so much a product or a feature as an architecture. You can build a firewall on one system, or you can build it out of a number of systems.

A firewall is usually made up of a packet filter of some sort (either stateful or stateless; it used to be the latter, usually the former these days) and a collection of proxies and services. These days you can add an IDS of some sort on top of that as well.

The idea is that as many protocols as possible are forced to be proxied through the firewall system. These proxies are intended to constrain the protocol being transmitted to sane values, to control who can talk to whom, to force extra authentication, etc. So, for instance, a typical firewall would have proxies for HTTP, FTP, SMTP, Telnet, Real Audio, etc. These could be colocated on the same system, or if you're really paranoid split across systems so a compromise of one would be contained to just that system.

Typically things like CyberGuard and Gauntlet combine all of these features onto one box, but people have built good firewalls with screening routers and some PCs to run as the proxies.

cheers!
Chris

-- Chris Samuel, Wollongong, NSW
(PGP signed, GnuPG v1.0.7)
Re: [SLUG] Firewalls
> A firewall is not so much a product or a feature as an architecture. You can build a firewall on one system, or you can build it out of a number of systems.

To add to this, and looking at it from a few steps back, one can summarize the base functionality of a firewall as something which sits in between various areas of a network (or networks) with differing levels of trust and enforces the semantics of these levels.

//umar.
Re: [SLUG] Firewalls ident service
> so are there any problems at all with rejecting ident requests? (not just smtp, anything else as well?)

The advantage of dropping an unwanted packet over rejecting it is that the originator has to wait for the delay, i.e. if you drop the packet they don't know if your server is up or down, or if the connection is just slow, or even if there is a device at that address at all, so it slows down their script. If you reject the packet then they know that there is something there and can decide whether to keep trying to break in.

> if rejecting them is what's commonly done, why does pretty much every smtpd still send them?

Because the act of rejecting tells the smtp server something, i.e. that there is a device at that address that is doing the rejecting. If you just drop them, then the smtp server is left wondering: gee, I just received a request from ip address w.x.y.z, but when I try to send an ident request to that address I get no reply. I wonder if that is a real server trying to contact me or just a desktop hacker hiding behind a masqueraded connection.

So the problem is that the same technique is being used by the hackers to identify that there is a real device there as is being used by the smtp service. But given that your mail server has to listen on port 25 anyway, you're not giving any information away by rejecting idents that the hacker can't get by probing port 25.

HTH
rgds
Pete
Re: [SLUG] Firewalls ident service
> At the moment I just let them fall through until they hit the policy, which is DROP,

Do you sometimes find that your outbound mail queue is rather full? Had a problem a while back with this: the outbound mail queue on a sendmail server hiding behind a firewall nearly overflowed the disk. Changed the firewall to reject ident requests to that server instead of dropping them and the queue shrank immediately.

The explanation seems to be: your smtp server contacts the destination smtp server; the destination server doesn't initially respond to the smtp request but instead sends an ident request to your machine. I believe that the purpose of this is to try to establish that there is an actual machine sitting at the from ip address in the smtp packet and not just a desktop NAT'd from inside an ISP. Because you drop the ident request the destination smtp server has to wait until the ident times out before deciding if it should respond to your original smtp request. If your server's smtp timeout is shorter than the destination's ident timeout, then guess what? Your server decides that the destination server is down and puts the outbound email into the queue.

If however instead of dropping the ident you reject it, the destination smtp server gets a response immediately and then responds to your original smtp request before your server reaches the tcp/ip timeout. The fact that you didn't actually reply to the ident but just rejected it seems to be enough for the server to go ahead with the smtp.

I just put the following in the iptables rules:

iptables -A INPUT -p tcp --dport 113 -j REJECT   # -p tcp is required before --dport will be accepted

HTH
Pete
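The DROP-versus-REJECT behaviour Pete describes in the two messages above can be checked from the outside with a small probe. The following is an added example, not code from this thread: a minimal RFC 1413 (ident) client that times the outcomes a remote MTA would see, namely an answer, an immediate refusal from a REJECT or tcp-reset rule, or a silent wait until the timeout from a DROP policy. The fake identd, the loopback ports and the sample replies are constructed for the demonstration; in practice you would run it from another host against the firewall's port 113.

```python
"""Probe how a host treats ident/auth (TCP port 113) queries.

Added example for the ident DROP-vs-REJECT discussion; it is not code from the
SLUG thread. Sends one RFC 1413 query and reports whether the far end answered,
refused the connection at once (a REJECT rule or tcp-reset), or sat silent until
the timeout (what a DROP policy looks like to a remote MTA). Host names, ports
and the sample identd replies below are constructed for the demonstration.
"""
import socket
import sys
import threading
import time


def ident_probe(host, port=113, timeout=3.0, server_port=25, client_port=54321):
    """Send '<server_port>, <client_port>' to host:port and classify the result.

    Returns a dict: outcome is 'answered', 'refused', 'closed', 'timeout' or
    'error'; elapsed is wall-clock seconds, i.e. the delay a remote SMTP server
    would suffer before it gives up on the ident lookup.
    """
    query = f"{server_port}, {client_port}\r\n".encode("ascii")
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(query)
            reply = b""
            while not reply.endswith(b"\r\n") and len(reply) < 1000:
                chunk = sock.recv(512)
                if not chunk:          # peer closed without a full line
                    break
                reply += chunk
        elapsed = time.monotonic() - start
        if not reply:
            return {"outcome": "closed", "reply": "", "elapsed": elapsed}
        return {"outcome": "answered",
                "reply": reply.decode("ascii", "replace").strip(),
                "elapsed": elapsed}
    except ConnectionRefusedError:
        # TCP RST or ICMP port-unreachable: a REJECT rule (or simply no listener).
        return {"outcome": "refused", "reply": "", "elapsed": time.monotonic() - start}
    except socket.timeout:
        # No SYN-ACK, or accepted but never answered: a DROP rule stalls us here.
        return {"outcome": "timeout", "reply": "", "elapsed": time.monotonic() - start}
    except OSError as exc:
        # e.g. EHOSTUNREACH from --reject-with icmp-host-unreachable
        return {"outcome": "error", "reply": str(exc), "elapsed": time.monotonic() - start}


def parse_ident_reply(line):
    """Split an RFC 1413 reply 'sport, cport : TYPE : info' into fields, or None."""
    parts = [p.strip() for p in line.split(":", 2)]
    if len(parts) < 2:
        return None
    ports = [p.strip() for p in parts[0].split(",")]
    if len(ports) != 2 or not all(p.isdigit() for p in ports):
        return None
    return {"server_port": int(ports[0]), "client_port": int(ports[1]),
            "type": parts[1].upper(), "info": parts[2] if len(parts) == 3 else ""}


def serve_ident_once(response, delay=0.0):
    """Fake identd on an ephemeral loopback port, for offline demonstration only.

    response=None accepts the connection and then holds it silent for `delay`
    seconds, which is what a dropped query feels like from the client side.
    Returns the port number it listens on.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.recv(512)              # read the query line
            time.sleep(delay)
            if response is not None:
                conn.sendall(response)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def closed_loopback_port():
    """Find a loopback port with nothing listening (bind, read, release)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Usage: python ident_probe.py <host>   (defaults to loopback)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    result = ident_probe(target)
    print(f"{target}:113 -> {result['outcome']} after {result['elapsed']:.2f}s {result['reply']}")
```

The elapsed figure is the point of the exercise: against a REJECT rule the probe returns in milliseconds, against a DROP rule it returns only when the client gives up, and whichever of those two is longer than the sending MTA's patience decides whether your outbound mail queues up.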
Re: [SLUG] Firewalls ident service
On Sun, 2002-07-28 at 16:42, Peter Rundle wrote:
> The fact that you didn't actually reply to the ident but just rejected it seems to be enough for the server to go ahead with the smtp.

so are there any problems at all with rejecting ident requests? (not just smtp, anything else as well?)
if rejecting them is what's commonly done, why does pretty much every smtpd still send them?

Dave.
Re: [SLUG] Firewalls ident service
I think the reason people don't send reject is that it returns a rejection reply. You're going to increase your bandwidth charges and some people can relay a DoS on you by faking the originator's address.

David Fitch wrote (Sunday, July 28, 2002 8:01 PM):
> so is there any problems at all with rejecting ident requests? (not just smtp, anything else as well?)
> if rejecting them is what's commonly done, why does pretty much every smtpd still send them?
Re: [SLUG] Firewalls ident service
On Sun, 28 Jul 2002, Ben de Luca wrote:
> I think the reason people don't send reject is that it returns a rejection reply. You're going to increase your bandwidth charges and some people can relay a DoS on you by faking the originator's address.

Why would you get a rejection reply from a site that has originated an ident request and received a rejection; it doesn't make sense. I do agree about the DDoS opportunity though.

-- Howard.
LANNet Computing Associates - Your Linux people
Contact detail at http://www.lannetlinux.com
"I tried having cybersex once, but I kept getting a busy signal." - You've Got Mail
Re: [SLUG] Firewalls ident service
I wasn't following the thread too closely, just throwing in my 2c at the last moment. I was referring to packets that match the reject rule getting rejected; I'm not sure how that would affect ident.

Does anyone think that ident is a good service to be running across the internet?

Howard Lowndes wrote (Monday, July 29, 2002 3:40 AM):
> Why would you get a rejection reply from a site that has originated an ident request and received a rejection; it doesn't make sense. I do agree about the DDoS opportunity though.
Re: [SLUG] Firewalls ident service
On Tue, 2002-06-25 at 20:33, Andy Eager wrote:
> I know this question is open to debate, but is it wise or desirable to offer auth services through a firewall? I gather it is only used when sending mail by the remote smtpd to identify the sender. At the moment I reject incoming packets bound for port 113 with a tcp-reset.

did you get any answers to this? I too have wondered the same thing but currently I allow 113.

Dave.
Re: [SLUG] Firewalls ident service
On 28 Jul 2002, David Fitch wrote:
> did you get any answers to this? I too have wondered the same thing but currently I allow 113.

At the moment I just let them fall through until they hit the policy, which is DROP, logging them just before they reach there. I suppose it would be friendlier if I did send a tcp-reset instead, and also for other TCP packets that end up on the floor.

What are other folks' thoughts on a general REJECT policy (I believe that REJECT is not possible as a -P setting) as opposed to a DROP -P policy?

-- Howard.
LANNet Computing Associates - Your Linux people
Contact detail at http://www.lannetlinux.com
"He, who will not reason, is a bigot; he, who cannot, is a fool; and he, who dares not, is a slave." - William Drummond, Scottish writer (1585-1649)
[SLUG] Firewalls ident service
Hi all,

I know this question is open to debate, but is it wise or desirable to offer auth services through a firewall? I gather it is only used when sending mail by the remote smtpd to identify the sender. At the moment I reject incoming packets bound for port 113 with a tcp-reset.

On another point, what about incoming traceroutes. Are they really dangerous?

Any thoughts?

Regards,
Andy E.
Re: [SLUG] Firewalls
Andrew Burrows wrote:
> I was wondering if someone could advise me on the best firewall product to use on a Linux OS. Looking for something that may resemble say Firewall1 or similar??

Andrew,

Try firewall-config; it can be found on the Red Hat distro CD-1 or at redhat.com or http://www.linux.org/apps/AppId_3126.html. This I think will only work on Red Hat 6.1.

I feel you are better off learning all the command line options for ipchains or iptables and the files that they affect. This in turn will help you later if something unusual happens to the configuration of your firewall.

I have just started to learn about networking myself. Get a book on your distro and read it till all hours of the morning; make sure that it covers all you want. When this fails take a drive to the Macquarie Shopping Centre library (Borders Books) where you can read to your heart's content.

Regards
Darren
Re: [SLUG] Firewalls
At 09:39 27/02/02 +1100, Matthew Palmer wrote:
> On Wed, 27 Feb 2002, Andrew Burrows wrote:
> > I was wondering if someone could advise me on the best firewall product to use on a Linux OS.
> Oh dear. We shall all don our asbestos underwear before getting into this one again.

Ouch !!!

Firewall-1 is a Checkpoint product which runs on a variety of OSes - we use it on our dedicated Nokia firewalls... I'm unaware of a Linux version, but you could check www.checkpoint.com

Jon

P.S. There are a number of good iptables tutorials for you to roll your own firewall. I'd recommend a google search on "iptables how-to".
Re: [SLUG] Firewalls
On Wed, 27 Feb 2002 13:47, a list member wrote:
> iptables -A INPUT -j DROP
> or set the INPUT policy to DROP.

Or if the offending attacks are from a particular IP address, get iptables to re-direct that address to your favorite porn site...:-))

Jon

- "There are 5.6 billion people in the world, and approximately 400 million installed operating systems. That means 5.2 billion people have yet to choose their operating system, and we have to get to them before Bill does." - Jon "maddog" Hall
RE: [SLUG] Firewalls
No, don't give that porn site the benefit of a hit on their site which will bring them revenue; instead direct the address to a chargen service and pump a whole heap of useless crap to them =o)

Jon Biddell wrote (Wednesday, 27 February 2002 10:16 PM):
> Or if the offending attacks are from a particular IP address, get IPTABLES to re-direct that address to your favorite porn site...:-))
Re: [SLUG] Firewalls
On Wed, 27 Feb 2002, Andrew Burrows wrote:
> I was wondering if someone could advise me on the best firewall product to use on a Linux OS. Looking for something that may resemble say Firewall1 or similar??

Firewall1. :-)

Yes, Checkpoint sell a version of Firewall1 that runs on Linux, and is configured just like the WindoZe version via a GUI interface on the desktop.

DaZZa
Re: [SLUG] Firewalls - Tiny not Tint - sorry
my mistake, sorry: Tiny Personal Firewall http://www.tinysoftware.com

Phil

Phil Colbourn, IT Systems Manager, Argus Telecommunications
GPO Box 47, Sydney 2001 (for all mail)
L7, 133 Castlereagh St. Sydney - Ph: 02 9224 4065 (34065), Fax: 02 9379 2165 (92165), Mob: 0419 637 047
32-34 Queen St. Chippendale 2008 - Ph: 02 9379 4457 (94457)

Andrei Ogrin wrote (27/02/2002 23:05):
> this is off [SLUG] because it kinda involves linux. I have a question if you don't mind..
> > BTW: if you need something for Windows, checkout Tint Personal Firewall - I like it, and it is certainly a good way to learn about firewalling using a GUI interface.
> could you please direct me to a website where I could find this software? google doesn't seem to know anything about it...
> thanks a lot,
> SMB
Re: [SLUG] Firewalls
DaZZa wrote (Thu, 28 Feb 2002 08:07:53 +1100):
> Firewall1. :-)
> Yes, Checkpoint sell a version of Firewall1 that runs on Linux, and is configured just like the WindoZe version via a GUI interface on the desktop.

Yes, I have used this in the past and it works great, but my quote for 25 users was $6000 to $7000, so I think I will have a better look into some of the Linux source to see what I can find.

Andrew
[SLUG] Firewalls
Hi All,

I was wondering if someone could advise me on the best firewall product to use on a Linux OS. Looking for something that may resemble say Firewall1 or similar??

Andrew
Re: [SLUG] Firewalls
On Wed, 27 Feb 2002, Andrew Burrows wrote:
> I was wondering if someone could advise me on the best firewall product to use on a Linux OS.

Oh dear. We shall all don our asbestos underwear before getting into this one again.

Linux doesn't have 'firewall products', per se. You use one of ipfwadm, ipchains, or iptables (depending on kernel version) to set up rules in the kernel which are then used to block/allow/filter/redirect/whatever traffic between interfaces.

Since ipfoo doesn't have the most idiot-friendly interface, there is a vast host of programs written to make your life simpler. The difficulty is that no two people can agree on which one to use. To avoid getting roasted by people who don't like my personal choice, I will simply recommend that you look at your distro, freshmeat, and google, to find the choices on offer, and then proceed to evaluate based on your own subjective criteria.

I will mention the other breed of firewalling for Linux (which may not suit you since you seem to want one for a going machine) is to find a dedicated distribution which is customised for firewalling. Again, no recommendations will issue forth from this correspondent. However, lwn.net has a comprehensive list of distros from which you may choose.

> Looking for something that may resemble say Firewall1 or similar??

Never heard of it, can't comment.

-- #include disclaimer.h
Matthew Palmer
RE: [SLUG] Firewalls
I think he's talking about a program for Linux that helps you set up firewalling... like CheckPoint... that's what we use here. Last I checked CheckPoint wasn't free... I don't know how much money you're planning to spend, Andrew.

Matthew Palmer wrote (Wednesday, 27 February 2002 9:40 AM):
> Linux doesn't have 'firewall products', per se. You use one of ipfwadm, ipchains, or iptables (depending on kernel version) to set up rules in the kernel which are then used to block/allow/filter/redirect/whatever traffic between interfaces.
Re: [SLUG] Firewalls
quote who=Matthew Palmer
> Linux doesn't have 'firewall products', per se. You use one of ipfwadm, ipchains, or iptables (depending on kernel version) to set up rules in the kernel which are then used to block/allow/filter/redirect/whatever traffic between interfaces.

All of which are crazy-crack and hard to configure (the elitists in the back row can kiss my...) - I believe the poster is looking for firewall configuration software, not the chunks of metal shavings that actually do the work down at the bottom levels of Obscurity Central Station.

:)

- Jeff

-- "And that's what it sounds like if you *download* it!" - John, They Might Be Giants
Re: [SLUG] Firewalls
On Wed, Feb 27, 2002 at 10:26:12AM +1100, Jeff Waugh wrote:
> All of which are crazy-crack and hard to configure (the elitists in the back row can kiss my...) - I believe the poster is looking for firewall configuration software, not the chunks of metal shavings that actually do the work down at the bottom levels of Obscurity Central Station.

Doing my usual plug for freshmeat ;) - there are a lot of projects around on freshmeat - so many they're coming out of my ears! Well, not exactly. Anyway, have a look around there - a new ratings system has come in recently that might help you find a good one.

Personally I've only ever used Bastille Linux to 'harden' a box, and have sat down with the 'Linux Firewalls' book by Ziegler (excellent excellent reference) and taught myself ip[chains|tables] because I didn't really trust the script generators myself :-)

HTH
Catie

-- More humorous freshmeat contributors: "How do I get it out of my computer? disconnect does not work, It comes right back..I dont know how it got there in the first place...Thank you" --- http://www.liedra.net
Re: [SLUG] Firewalls
Jeff Waugh wrote (Wed, 27 Feb 2002 10:26:12 +1100):
> I believe the poster is looking for firewall configuration software, not the chunks of metal shavings that actually do the work down at the bottom levels of Obscurity Central Station.

I agree, but I don't mind getting my teeth into something if it is going to do the job; I just don't wish to spend hours going down a road and find the solution is not suitable.

Andrew
Re: [SLUG] Firewalls
Catie Flick wrote (Wed, 27 Feb 2002 10:35:15 +1100):
> Doing my usual plug for freshmeat ;) - there are a lot of projects around on freshmeat - so many they're coming out of my ears! Well, not exactly. Anyway, have a look around there - a new ratings system has come in recently that might help you find a good one.

That sounds like a good place to start, thanks, and I will keep you posted. I will also find out how much Checkpoint's Firewall1 is and let you know.

Andrew
Re: [SLUG] Firewalls
Perhaps sluggers could suggest basic iptables config files or scripts that they have found useful in a given scenario? eg. home desktop, Linux Domino server, proxy server. I'll start with mine if people are interested.

BTW: if you need something for Windows, checkout Tint Personal Firewall - I like it, and it is certainly a good way to learn about firewalling using a GUI interface.

Phil
Re: [SLUG] Firewalls
On Wed, 27 Feb 2002, Andrew Burrows wrote:
> I agree but I don't mind getting my teeth into something if it is going to do the job but I don't wish to spend hours going down a road and find the solution is not suitable.

Andrew - just a tip - don't 'top-post' (google if you don't know what this means) - makes it hard to see exactly what point you are commenting on.

My ten cents' worth is: install an easy-to-maintain distro that is firewall-rated on your gateway box, if you can spare a machine to run a gateway. eg. SME 5.1.2 (formerly e-smith). Security updates, if ever required, are easy to install via its web management tool. Doesn't need to be a high-falutin machine, just minimum P100, 64 MB RAM, though it will chug along on less. Order an install ISO from www.everythinglinux.com.au for ten bucks.

-- Graeme Robinson - Graenet consulting
www.graenet.com - internet solutions
Re: [SLUG] Firewalls
quote who=Andrew Burrows
> I agree but I don't mind getting my teeth into something if it is going to do the job but I don't wish to spend hours going down a road and find the solution is not suitable.

As it happens, this was just mentioned elsewhere:

http://fwbuilder.sourceforge.net/

iptables will do what you want, but it's a very raw method of defining firewall rules. I (and many other sluggers) use it directly every day, but having a good user interface to build your rules - at least an initial template - is far faster (especially if you don't have a cookie-cut network to deal with).

(Please snip full quotes out of your replies. Thanks.)

- Jeff

--
I think hot Chinese girls who kick ass are the wave of the future, as far as films go. - Cody Russell
Re: [SLUG] Firewalls
Thanks Kerry

I will have a look at Lokkit. I have only ever used Firewall1 + I have the hardening rules for Solaris but not Linux. It has been a while since I worked in this area so I don't know how easy it would be to transfer the hardening rules from Solaris to Linux; maybe someone out there has the documents for Linux hardening already.

Andrew

--
From: Kerry Seibold [EMAIL PROTECTED]
Date: Wed, 27 Feb 2002 11:18:19 +1100
To: Andrew Burrows [EMAIL PROTECTED]
Subject: Re: [SLUG] Firewalls

Hi Andrew,

But what do you want to do? Firewall1 is expensive and a monster. If your needs are basic, Redhat has Lokkit which prompts for some really basic options and sets up an ipchains firewall. Dead simple. At your leisure you can read up and add your own rules.

Kerry.

----- Original Message -----
From: Andrew Burrows [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, February 27, 2002 9:33 AM
Subject: [SLUG] Firewalls

> Hi All,
>
> I was wondering if someone could advise me on the best firewall product to use on a Linux OS. Looking for something that may resemble say Firewall1 or similar??
>
> Andrew
Re: [SLUG] Firewalls
--
From: Graeme Robinson [EMAIL PROTECTED]
Date: Wed, 27 Feb 2002 11:25:14 +1100 (EST)
To: Andrew Burrows [EMAIL PROTECTED]
Cc: Jeff Waugh [EMAIL PROTECTED], Slug [EMAIL PROTECTED]
Subject: Re: [SLUG] Firewalls

On Wed, 27 Feb 2002, Andrew Burrows wrote:
> I agree but I don't mind getting my teeth into something if it is going to do the job but I don't wish to spend hours going down a road and find the solution is not suitable.

Andrew - just a tip - don't 'top-post' (google if you don't know what this means) - makes it hard to see exactly what point you are commenting on.

My ten cents worth is install an easy to maintain distro that is firewall rated on your gateway box if you can spare a machine to run a gateway. eg. SME 5.1.2 (formerly e-smith). Security updates, if ever required, are easy to install via its web management tool. Doesn't need to be a high-falutin machine, just minimum P100, 64MB RAM, though it will chug along on less. Order an install iso from www.everythinglinux.com.au for ten bucks.

Thanks for the tip on top-posting, I agree, this is my first time on this group and the responses are fantastic. I have a machine that will do the job. Could you confirm the name of the firewall product please.

Andrew

-=-=-==-=-=--=-=-=-=-=-=-=-=-=-=-=-=
Graeme Robinson - Graenet consulting
www.graenet.com - internet solutions
-=-=-=-=-=-=-=-=-=-=-==---=-=--=-=-=
Re: [SLUG] Firewalls
At 11:35 27/02/2002 +1100, Andrew Burrows wrote:
> Thanks for the tip on top-posting, I agree, this is my first time on this group and the responses are fantastic. I have a machine that will do the job. Could you confirm the name of the firewall product please.

SME 5.1.2 (formerly e-smith)

Just do a search on www.everythinglinux.com.au for SME to order the installer. For info on the distribution, the install manuals online in html, and specialised public forum assistance go to www.e-smith.org

Install is highly automated and usually quite without the need for linux expertise.

-=-=-==-=-=--=-=-=-=-=-=-=-=-=-=-=-=
Graeme Robinson - Graenet consulting
www.graenet.com - internet solutions
-=-=-=-=-=-=-=-=-=-=-==---=-=--=-=-=
Re: [SLUG] Firewalls
On Wed, 2002-02-27 at 10:35, Catie Flick wrote:
> Personally I've only ever used Bastille Linux to 'harden' a box, and have sat down with the 'Linux Firewalls' book by Ziegler (excellent excellent reference) and taught myself ip[chains|tables] because I didn't really trust the script generators myself :-)

I'm using firestarter (Gnome) to set my iptables up for me. I guess I'm trusting that it does the right thing and a quick look through the generated scripts seems OK - mind you I'm no expert and not sure I have time to read the book you mention ;-)

--
** * Simon Wong * **
Re: [SLUG] Firewalls
> Linux doesn't have 'firewall products', per se. You use one of ipfwadm, ipchains, or iptables (depending on kernel version) to set up rules in the kernel which are then used to block/allow/filter/redirect/whatever traffic between interfaces.

A question on iptables if I may?

Firestarter generates a script for me setting up iptables which seems to work (hits are showing up etc). Is it right (secure) that any user initiated connections e.g. icq are allowed through as they are connecting in response to an internal request? Though, this seems usable and a good thing for a *single* user.

However, if I wanted to explicitly block ports always, what would I have to do?

--
** * Simon Wong * **
Re: [SLUG] Firewalls
quote who=Simon Wong
> Is it right (secure) that any user initiated connections e.g. icq are allowed through as they are connecting in response to an internal request?

That's a basic stateful setup, so yes, it's okay. Other networks may require more stringent rules, however. :)

> However, if I wanted to explicitly block ports always, what would I have to do?

Not sure what you'd have to do within the context of your firewall building software, but:

iptables -A INPUT -j DROP -d $ipaddress/$netmask --dport 22

would stop you from ssh'ing in to your machine... Probably not a good idea, but it's a good example. ;)

- Jeff

--
What do you get when you cross a web server and a hen? Apoache.
Re: [SLUG] Firewalls
Hi Graeme,

I had a look at www.e-smith.org, looks ok. I will install and let you know how I go.

Thanks
Andrew

--
From: Graeme Robinson [EMAIL PROTECTED]
Date: Wed, 27 Feb 2002 11:54:25 +1100
To: Andrew Burrows [EMAIL PROTECTED]
Cc: Slug [EMAIL PROTECTED]
Subject: Re: [SLUG] Firewalls

At 11:35 27/02/2002 +1100, Andrew Burrows wrote:
> Thanks for the tip on top-posting, I agree, this is my first time on this group and the responses are fantastic. I have a machine that will do the job. Could you confirm the name of the firewall product please.

SME 5.1.2 (formerly e-smith)

Just do a search on www.everythinglinux.com.au for SME to order the installer. For info on the distribution, the install manuals online in html, and specialised public forum assistance go to www.e-smith.org

Install is highly automated and usually quite without the need for linux expertise.

-=-=-==-=-=--=-=-=-=-=-=-=-=-=-=-=-=
Graeme Robinson - Graenet consulting
www.graenet.com - internet solutions
-=-=-=-=-=-=-=-=-=-=-==---=-=--=-=-=
Re: [SLUG] Firewalls
On Wed, 2002-02-27 at 12:13, Jeff Waugh wrote:
> iptables -A INPUT -j DROP -d $ipaddress/$netmask --dport 22
>
> would stop you from ssh'ing in to your machine... Probably not a good idea, but it's a good example. ;)

Is there something to drop all connections to ports so you could set that after you had explicitly allowed certain ports? e.g.

iptables -A INPUT -j DROP -d $ipaddress/$netmask --dport ALL ;-)

--
** * Simon Wong * **
Re: [SLUG] Firewalls
quote who=Simon Wong
> Is there something to drop all connections to ports so you could set that after you had explicitly allowed certain ports? e.g.
>
> iptables -A INPUT -j DROP -d $ipaddress/$netmask --dport ALL ;-)

If you don't define a destination port, you're just dropping all packages to that ipaddress/netmask. So, yes. :)

- Jeff

--
GIMP is the primary tool in my graphics work. It is my gcc and Emacs. - Tuomas Kuosmanen
Re: [SLUG] Firewalls
iptables -A INPUT -j DROP

or set the INPUT policy to DROP.

Phil

Simon Wong [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
27/02/2002 13:14
To: Slug [EMAIL PROTECTED]
cc:
Subject: Re: [SLUG] Firewalls

On Wed, 2002-02-27 at 12:13, Jeff Waugh wrote:
> iptables -A INPUT -j DROP -d $ipaddress/$netmask --dport 22
>
> would stop you from ssh'ing in to your machine... Probably not a good idea, but it's a good example. ;)

Is there something to drop all connections to ports so you could set that after you had explicitly allowed certain ports? e.g.

iptables -A INPUT -j DROP -d $ipaddress/$netmask --dport ALL ;-)

--
** * Simon Wong * **
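A worked version of the approach Phil and Jeff describe (explicit accepts first, everything else dropped by the chain policy rather than by a trailing DROP rule, plus the stateful rule that answers Simon's question about connections the box itself opened), as an added example that is not from any of the posters. It assumes eth0 as the outside interface and SSH as the only exposed service; both are placeholders to change for your own box. One detail the thread's one-liner glosses over: iptables only accepts `--dport` together with `-p tcp` or `-p udp`, so the rules here name the protocol.

```shell
#!/bin/sh
# Added example, not from the SLUG thread: a minimal default-deny INPUT
# chain for a single-user box. Dry-run by default: the iptables commands
# are printed, not applied. To apply them run, as root:
#   IPT=/sbin/iptables sh firewall.sh
IPT="${IPT:-echo iptables}"

# Outside interface and the TCP ports deliberately exposed on it.
# Both values are assumptions for the example.
WAN_IF="${WAN_IF:-eth0}"
ALLOW_TCP_PORTS="${ALLOW_TCP_PORTS:-22}"

build_rules() {
    # Start from an empty INPUT chain, then make DROP the fate of every
    # packet no rule accepts. The policy is the cleaner equivalent of
    # appending "iptables -A INPUT -j DROP" as the very last rule.
    $IPT -F INPUT
    $IPT -P INPUT DROP

    # Loopback traffic is local and must not be caught by the deny policy.
    $IPT -A INPUT -i lo -j ACCEPT

    # Stateful rule: replies to connections this box opened (the ICQ case
    # in the thread) and packets related to them are accepted. An
    # unsolicited inbound SYN is NEW, so it falls through to the policy.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Explicit allows come before the implicit drop; rule order is
    # first-match. --dport needs a protocol, hence -p tcp.
    for port in $ALLOW_TCP_PORTS; do
        $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Log a rate-limited sample of what is about to be dropped, so probes
    # show up in syslog without a scan being able to flood it.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT DROP: "
}

build_rules
```

After applying it, `iptables -L INPUT -n -v` shows the chain with the policy in its header and the rules in the order above; the per-rule packet counters are the quickest way to confirm that an allowed service is matching its ACCEPT rule rather than the LOG line.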
RE: [SLUG] Firewalls
Looking through the scripts isn't going to give you much of an idea of whether your firewall is going to do what you want unless you're an absolute guru when it comes to networking and network security and ipchains/iptables/ipfwadm. You really need to bash your box with nessus and nmap to find out if you're exploitable. Even this technique may not discover all holes and exploits but it's a whole lot more reliable than reading through a script and trying to interpret what the script will do.

--

-----Original Message-----
From: Simon Wong [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 27 February 2002 11:56 AM
To: Slug List
Subject: Re: [SLUG] Firewalls

On Wed, 2002-02-27 at 10:35, Catie Flick wrote:
> Personally I've only ever used Bastille Linux to 'harden' a box, and have sat down with the 'Linux Firewalls' book by Ziegler (excellent excellent reference) and taught myself ip[chains|tables] because I didn't really trust the script generators myself :-)

I'm using firestarter (Gnome) to set my iptables up for me. I guess I'm trusting that it does the right thing and a quick look through the generated scripts seems OK - mind you I'm no expert and not sure I have time to read the book you mention ;-)
Re: [SLUG] Firewalls, X, etc (was: Network Security Fest)
On Mon, 23 Oct 2000, chesty wrote:
> So far I've looked at TIS firewall toolkit, but it's not ideal, out of the box you have to use xhost to allow the firewall to connect to your X terminal, telnet to the firewall, login to the firewall, start the X proxy, telnet to the remote box, login to the remote box, set your display then start your X applications. It's clunky and not very secure (xhost and telnet), which defeats the whole purpose of putting a firewall in.

No, please... ;-) SSH has X-proxying inbuilt. It is authenticated and encrypted - very secure.

> The alternative is a commercial firewall, which some people are pushing for anyway. I'm hoping to get something up and running using linux, then let them decide if they still want to go with commercial firewall, or stay with

Thinking of a red box (WatchguardII)? Well guess what, it is just a linux box inside (actually dual linux box if my memory serves me correctly). So really with a bit of work you can do the same on your PC - just as good.

But really, the tricky bit is to get the rules in there (and correct rules at that). You will find that the example in the ipchains howto is not really a good example even though it gets you started.

tom.

Consultant AUSSEC   Phone: 61 4 1768 2202
339 Blaxland Rd., Ryde NSW 2112   Email: [EMAIL PROTECTED]