Re: [SLUG] Firewall Distributions, Questions.

2009-03-02 Thread Blindraven
I burned off Smoothwall, IPCop, Clark Connect, Monowell and pfSense.

I installed all of them and spent around half an hour with each of the web
interfaces.
Shorewall looked promising in theory but did not have Wifi shaping which is
something I was after.

After having a good play with all of them I found pfSense to be the most
complete package, especially its speed distribution and shaping which is
perfect for my torrent box.

It took 8 minutes to install and about 20 minutes to get working under the
right configuration using its web interface. Its defaults are also very
sane and were more complete and in my opinion better implemented than IPCop
which would have been my second favourite from the lot. Again, it did not
have the dynamic shaping, and only supported a 50/50 scenario.

Thanks heaps for the tips !

Harrison.

On Tue, Mar 3, 2009 at 12:25 PM, Jake Anderson wrote:

> Glen Cunningham wrote:
>
>> G'day Harrison,
>>
>> On Monday 02 March 2009 19:57, Blindraven wrote:
>> 
>>
>>
>>> Smoothwall is out of the question due to its lacking NIC driver
>>> support.
>>>
>>>
>>>
>>   Have you considered IPCop  (an early fork from
>> smoothwall) or Endian  (a commercial fork from
>> IPCop).  Both have more hardware support than Smoothwall.
>>   For supported hardware see ...
>> 
>> 
>>
>> HTH
>> Glen
>>
>>
> I second IPCop, it's really simple to set up, all nicely web based.
> makes life nice and simple, all pointy clicky web based stuff ;->
>
> I had terrible trouble trying to get pfSense to run a bridged ADSL modem.
> (i.e. I couldn't get it to work at all)
> some problem with the pppoe thing they started using that can handle
> multiple bridged ADSL connections or something, that's all good, but it
> doesn't seem to work for a single connection any more :-<
>
> IPCop I was up and running in 15 minutes.
>
> --
> SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
> Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
>



-- 
"None are so hopelessly enslaved as those who falsely believe they are
free."


Re: [SLUG] Firewall Distributions, Questions

2009-03-02 Thread Daniel Pittman
Jack Olszewski  writes:
>> Only heard good reports of monowall
>>
>> But for mine, iptables is easy enough once you understand it.  ...
>
> Firehol, a pretty high level language for writing iptables rules
> (http://firehol.sourceforge.net/, also available as an rpm package)
> might be of help. It is for me.

I strongly recommend firehol if the OP is looking to use a generic Linux
system to build a firewall and router from.  OTOH, I understood from his
comments that what he really wanted was to replace one appliance with
another, even if it was Linux underneath.[1]

Regards,
Daniel

Footnotes: 
[1]  Actually, given the way many modem/router appliances are built
 these days it may well be Linux underneath in both cases, but the
 "on desktop hardware" version is likely to be less resource
 constrained.



Re: [SLUG] Firewall Distributions, Questions

2009-03-02 Thread Jack Olszewski
> Only heard good reports of monowall
> 
> But for mine, iptables is easy enough once you understand it.
> ...

Firehol, a pretty high level language for writing iptables rules
(http://firehol.sourceforge.net/, also available as an rpm package) might be of
help. It is for me.

Cheers,
--
Jack


Re: [SLUG] Firewall Distributions, Questions.

2009-03-02 Thread Jake Anderson

Glen Cunningham wrote:

G'day Harrison,

On Monday 02 March 2009 19:57, Blindraven wrote:

  

Smoothwall is out of the question due to its lacking NIC driver
support.


   Have you considered IPCop  (an early fork from 
smoothwall) or Endian  (a commercial fork 
from IPCop).  Both have more hardware support than Smoothwall.

   For supported hardware see ...



HTH
Glen
  

I second IPCop, it's really simple to set up, all nicely web based.
makes life nice and simple, all pointy clicky web based stuff ;->

I had terrible trouble trying to get pfSense to run a bridged ADSL modem.
(i.e. I couldn't get it to work at all)
some problem with the pppoe thing they started using that can handle
multiple bridged ADSL connections or something, that's all good, but it
doesn't seem to work for a single connection any more :-<


IPCop I was up and running in 15 minutes.


Re: [SLUG] Firewall Distributions, Questions.

2009-03-02 Thread Glen Cunningham
G'day Harrison,

On Monday 02 March 2009 19:57, Blindraven wrote:

>
> Smoothwall is out of the question due to its lacking NIC driver
> support.
>
   Have you considered IPCop  (an early fork from 
smoothwall) or Endian  (a commercial fork 
from IPCop).  Both have more hardware support than Smoothwall.
   For supported hardware see ...



HTH
Glen


Re: [SLUG] Firewall Distributions, Questions.

2009-03-02 Thread Dave Kempe

Blindraven wrote:


Based on my set-up, which of the following would you recommend and why?

pfSense, MoNoWaLL, Clark Connect. (Do you know any others?)


  
ubuntu-server and shorewall. The documentation for shorewall
two-interface setup should be all you need.


http://shorewall.net/two-interface.htm

You get the most bang for your buck going this route.


dave


Re: [SLUG] Firewall Distributions, Questions.

2009-03-02 Thread Kyle

Only heard good reports of monowall

But for mine, iptables is easy enough once you understand it.


Kind Regards

Kyle

Blindraven wrote:



Based on my set-up, which of the following would you recommend and why?

pfSense, MoNoWaLL, Clark Connect. (Do you know any others?)





Re: [SLUG] Firewall Device Opinions

2006-07-17 Thread Simon Wong
On Wed, 2006-07-12 at 19:59 +1000, Christopher Vance wrote:
> Soekris (US) make the net4801, and PC-Engines (Switzerland) make
> the WRAP.  Both companies make a range of boards.
> 
> Yawarra distributes both in Aus with a variety of cases available, and
> sells wireless cards which work well with them.  Paul is also a nice
> guy.  :-)

ah, thanks for the lead, this might be the answer to some of my Linux
prayers!

The net4801 looks like what I've been trying to find...

-- 
Simon Wong <[EMAIL PROTECTED]>



Re: [SLUG] Firewall Device Opinions

2006-07-12 Thread Sridhar Dhanapalan
On Wednesday 12 July 2006 19:59, Christopher Vance <[EMAIL PROTECTED]> wrote:
> On Wed, Jul 12, 2006 at 05:27:46PM +1000, Sridhar Dhanapalan wrote:
> >Date: Wed, 12 Jul 2006 17:27:46 +1000
> >From: Sridhar Dhanapalan <[EMAIL PROTECTED]>
> >Subject: Re: [SLUG] Firewall Device Opinions
> >To: SLUG list 
> >
> >On Tuesday 11 July 2006 11:01, Christopher Vance <[EMAIL PROTECTED]> wrote:
> >> The soekris and pc-engines wrap both have 3 NICs, and are available
> >> from Yawarra.
> >
> >Besides some minor quirks, Linux works well on the Yawarra WRAP and
> > net4801 (which is what I think you mean by "soekris", which is just a
> > case style).
>
> Soekris (US) make the net4801, and PC-Engines (Switzerland) make
> the WRAP.  Both companies make a range of boards.

I stand corrected. They list "Soekris green" as a case style/colour, so I took 
it at face value.


-- 
Sridhar Dhanapalan
  {GnuPG/OpenPGP: http://www.dhanapalan.com/yama.asc
   0x049D38B4 : A7A9 8A02 78CB AB1B FCE4 EEC6 2DD9 249B 049D 38B4}

"Using a GUI amounts to hiding the true system modifications from the system 
administrators and operators. UNIX operators like the sense of control that 
comes from their ability to modify system tables and configuration files more 
directly." - Microsoft, 'Converting a UNIX .COM Site to Windows', 2000-22-08



Re: [SLUG] Firewall Device Opinions

2006-07-12 Thread Christopher Vance

On Wed, Jul 12, 2006 at 05:27:46PM +1000, Sridhar Dhanapalan wrote:

Date: Wed, 12 Jul 2006 17:27:46 +1000
From: Sridhar Dhanapalan <[EMAIL PROTECTED]>
Subject: Re: [SLUG] Firewall Device Opinions
To: SLUG list 

On Tuesday 11 July 2006 11:01, Christopher Vance <[EMAIL PROTECTED]> wrote:

On Tue, Jul 11, 2006 at 12:31:16AM +1000, Simon Wong wrote:
>The biggest problem I have come across looking at these is finding
>something with 3 NICs without spending a fortune on a multiple interface
>card from Intel.

The soekris and pc-engines wrap both have 3 NICs, and are available
from Yawarra.


Besides some minor quirks, Linux works well on the Yawarra WRAP and net4801 
(which is what I think you mean by "soekris", which is just a case style).


Soekris (US) make the net4801, and PC-Engines (Switzerland) make
the WRAP.  Both companies make a range of boards.

Yawarra distributes both in Aus with a variety of cases available, and
sells wireless cards which work well with them.  Paul is also a nice
guy.  :-)

I run OpenBSD quite happily from CF on one of each, including
firewalling with ipsec and ipv6.  If all you're doing is a firewall,
you really don't need much CPU.

If you want 4 NICs, I believe Commell (Taiwan?) make some stuff, but I
believe it's more expensive.

A good alternative is pfSense [http://www.pfsense.com/], which is 
FreeBSD-based.


At home, I have HyperWRT running on a Linksys WRT-54GS v1.1. It runs like a 
champ.


--
Christopher Vance


Re: [SLUG] Firewall Device Opinions

2006-07-12 Thread Sridhar Dhanapalan
On Tuesday 11 July 2006 11:01, Christopher Vance <[EMAIL PROTECTED]> wrote:
> On Tue, Jul 11, 2006 at 12:31:16AM +1000, Simon Wong wrote:
> >The biggest problem I have come across looking at these is finding
> >something with 3 NICs without spending a fortune on a multiple interface
> >card from Intel.
>
> The soekris and pc-engines wrap both have 3 NICs, and are available
> from Yawarra.

Besides some minor quirks, Linux works well on the Yawarra WRAP and net4801 
(which is what I think you mean by "soekris", which is just a case style).

A good alternative is pfSense [http://www.pfsense.com/], which is 
FreeBSD-based.

At home, I have HyperWRT running on a Linksys WRT-54GS v1.1. It runs like a 
champ.

-- 
Sridhar Dhanapalan
  {GnuPG/OpenPGP: http://www.dhanapalan.com/yama.asc
   0x049D38B4 : A7A9 8A02 78CB AB1B FCE4 EEC6 2DD9 249B 049D 38B4}

"Although about 3 million computers get sold every year in China, people don't 
pay for the software. Someday they will, though. And as long as they're going 
to steal it, we want them to steal ours. They'll get sort of addicted, and 
then we'll somehow figure out how to collect sometime in the next decade."
- Bill Gates at the University of Washington, 1998



Re: [SLUG] Firewall Device Opinions

2006-07-11 Thread John Clarke
On Tue, Jul 11, 2006 at 09:21:36 +0800, [EMAIL PROTECTED] wrote:

> A lot of work.

Not really.  Modifying the case to allow for the extra NIC took the 
most time, the rest was just Linux installation & configuration
which is quick & easy.

> Satisfying.

Yes.

> About 200M last time I counted, although I used a 30M version in my 

285MB, but I'm sure I could reduce that if I really cared :-)


Cheers,

John
-- 
"I wonder why, when I just did kind of normal things-- some good
engineering and just what I wanted to do in life-- why everywhere I go,
some people think that I'm some kind of hero or a special person." 
-- Steve Wozniak 


Re: [SLUG] Firewall Device Opinions

2006-07-10 Thread Phil Scarratt

Christopher Vance wrote:

On Tue, Jul 11, 2006 at 12:31:16AM +1000, Simon Wong wrote:

The biggest problem I have come across looking at these is finding
something with 3 NICs without spending a fortune on a multiple interface
card from Intel.


The soekris and pc-engines wrap both have 3 NICs, and are available
from Yawarra.



VIA also make a motherboard with 2 NICs and a PCI slot. ELX sell boxes 
with these in them I believe.


Thanks for the comments. The general consensus (and from my searching) 
seems to be there is not much difference between the embedded type and 
the full pc type as long as the embedded type chosen has a processor 
capable of maintaining a high enough throughput of packets for the 
chosen application.


Fil


Re: [SLUG] Firewall Device Opinions

2006-07-10 Thread jam
On Tuesday 11 July 2006 01:29, [EMAIL PROTECTED] wrote:
> > 2. Small form factor pc with some sort of solid state memory running
> > linux.
>
> I'm doing this at home.  I'm running a cut-down ubuntu dapper
> installation, initially installed as a breezy server then any packages I
> didn't need removed, followed by a dist-upgrade to dapper when it was
> released.  It has about 200 packages and uses less than 300MB of flash.
>
> The h/w is one of those VIA PCs that Vini Engel was selling a month or
> two ago.  I've added a PCI NIC (an SMC card which was small enough to
> fit in the case) and a PCMCIA NIC to give me LAN, WAN and DMZ.  It took
> some work to install the PCI NIC -- there were no holes in the back of
> the case for it and the power connector was a bit too close to the PCI
> slot, but it wasn't hard, just fiddly.
>
> It runs off a 512MB CF card via a CF-IDE adapter, because although the
> board has a CF slot the BIOS can't boot from it.  Apparently there is a
> BIOS upgrade available but I couldn't find it easily, and the CF-IDE
> adapter wasn't expensive enough for me to care.
>
> The box has a fan, but it's very quiet.  I could probably disconnect it
> without anything overheating, but the noise is insignificant -- there
> are other much more noisy things in the room :-)
>
> I did make a few changes to reduce the number of writes to the CF card
> to extend its life:
>
>     - mount / noatime
>     - use tmpfs for /tmp (with a max size limit so it can't take all
>         the RAM)
>     - no swap
>     - syslog to a LAN host and stop syslog being restarted each day if
>         there are no local log files (causes a write to /dev)
>     - change ntp.conf so that the drift file is in /tmp and copy it to
>         /var once a week if it's changed (and on boot/shutdown).
>
> I think that was all.
>
> > The only caveat is that it (the fw) has to allow for a DMZ, and may have
> > to run multiple internet (WAN) connections (I am currently
>
> I don't know whether any of the VIA motherboards have more than one PCI
> slot.  If not, you'd need to use a case with enough room for a larger
> PCI card with more than one network port, or use a USB ethernet adaptor.

A lot of work. Satisfying. http://www.ltsp.org does it more elegantly:
main FS is RO
/tmp is RAM
writable stuff sym-linked to /tmp
eg logs, dynamic xorg.conf etc
About 200M last time I counted, although I used a 30M version in my 
olive-pickers (5s boot, wireless) 
http://tigger.ws/vtigger/main.php?g2_itemId=3985

(I don't use X here)
James


Re: [SLUG] Firewall Device Opinions

2006-07-10 Thread Christopher Vance

On Tue, Jul 11, 2006 at 12:31:16AM +1000, Simon Wong wrote:

The biggest problem I have come across looking at these is finding
something with 3 NICs without spending a fortune on a multiple interface
card from Intel.


The soekris and pc-engines wrap both have 3 NICs, and are available
from Yawarra.

--
Christopher Vance


Re: [SLUG] Firewall Device Opinions

2006-07-10 Thread Jeff Waugh


> I'm after opinions on the following two options in terms of a straight
> firewall. Since I have never used OpenWRT devices before I don't have any
> idea how they rate against a full pc running as a firewall.

> The only caveat is that it (the fw) has to allow for a DMZ, and may have
> to run multiple internet (WAN) connections (I am currently
> investigating/googling whether an OpenWRT device can do this) in the
> future. Otherwise fairly straight forward. This is for a business
> environment.

So, OpenWRT is rad if you want a fairly complete Debian-style environment on
your router, but if you would prefer to have a replacement for the normal
firmware that has way more features and a much groovier web admin console,
try dd-wrt. It handles DMZ, setting up the ports differently, etc.

- Jeff

-- 
linux.conf.au 2007: Sydney, Australia   http://lca2007.linux.org.au/
 
"It's the most fun I've had without the use of a water-based
   lubricant." - Stephen Fry on directing his first film


Re: [SLUG] Firewall Device Opinions

2006-07-10 Thread Glen Turner

Phil Scarratt wrote:

Hi

I'm after opinions on the following two options in terms of a straight 
firewall. Since I have never used OpenWRT devices before I don't have 
any idea how they rate against a full pc running as a firewall. The 
options are:


1. OpenWRT on a Linksys device
2. Small form factor pc with some sort of solid state memory running linux.

The only caveat is that it (the fw) has to allow for a DMZ, and may have 
to run multiple internet (WAN) connections (I am currently 
investigating/googling whether an OpenWRT device can do this) in the 
future. Otherwise fairly straight forward. This is for a business 
environment.


The DMZ might be a problem for the WRT54GL since they only
have three routable interfaces (wireless, "Internet" and
"LAN").  I don't think that the four 100Base-TX ports are
independently routable.

You could certainly work around that -- such as having a
DMZ tunnel.

My testing has the WRT54GL running out of grunt at around
45Mbps of large packet traffic.  So I wouldn't use it as
a firewall for anything more than an ADSL link otherwise
denying service is just a matter of sending a lot of
back-to-back small packets.

I'm very impressed by the OpenWRT software -- the packaging
is really well thought out and it is a joy to use.  We use
it for access points, since we want them to run IPv6, which
isn't supported by the manufacturer's firmware.



Re: [SLUG] Firewall Device Opinions

2006-07-10 Thread Simon Wong
On Mon, 2006-07-10 at 17:45 +1000, Phil Scarratt wrote:
> 2. Small form factor pc with some sort of solid state memory running linux.

The biggest problem I have come across looking at these is finding
something with 3 NICs without spending a fortune on a multiple interface
card from Intel.

Another issue seems to be that they are sold as whole units, you can't
replace many parts or even the MoBo without returning the whole unit.

-- 
Simon Wong <[EMAIL PROTECTED]>



Re: [SLUG] Firewall Device Opinions

2006-07-10 Thread John Clarke
On Mon, Jul 10, 2006 at 05:45:51 +1000, Phil Scarratt wrote:

> 2. Small form factor pc with some sort of solid state memory running linux.

I'm doing this at home.  I'm running a cut-down ubuntu dapper
installation, initially installed as a breezy server then any packages I
didn't need removed, followed by a dist-upgrade to dapper when it was
released.  It has about 200 packages and uses less than 300MB of flash.

The h/w is one of those VIA PCs that Vini Engel was selling a month or
two ago.  I've added a PCI NIC (an SMC card which was small enough to
fit in the case) and a PCMCIA NIC to give me LAN, WAN and DMZ.  It took
some work to install the PCI NIC -- there were no holes in the back of
the case for it and the power connector was a bit too close to the PCI
slot, but it wasn't hard, just fiddly.

It runs off a 512MB CF card via a CF-IDE adapter, because although the
board has a CF slot the BIOS can't boot from it.  Apparently there is a
BIOS upgrade available but I couldn't find it easily, and the CF-IDE
adapter wasn't expensive enough for me to care.

The box has a fan, but it's very quiet.  I could probably disconnect it
without anything overheating, but the noise is insignificant -- there
are other much more noisy things in the room :-)

I did make a few changes to reduce the number of writes to the CF card
to extend its life: 

- mount / noatime
- use tmpfs for /tmp (with a max size limit so it can't take all
the RAM)
- no swap
- syslog to a LAN host and stop syslog being restarted each day if
there are no local log files (causes a write to /dev)
- change ntp.conf so that the drift file is in /tmp and copy it to
/var once a week if it's changed (and on boot/shutdown).

I think that was all.

> The only caveat is that it (the fw) has to allow for a DMZ, and may have 
> to run multiple internet (WAN) connections (I am currently 

I don't know whether any of the VIA motherboards have more than one PCI
slot.  If not, you'd need to use a case with enough room for a larger
PCI card with more than one network port, or use a USB ethernet adaptor.


Cheers,

John
-- 
Nothing is perfect. Not even Windows sucks perfectly.
-- Jay Maynard

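A shell helper, added here as an example and not anything from John's actual box, for the write-reduction items in his post: fstab lines for a noatime root and a size-capped tmpfs /tmp, an audit of a /proc/mounts-style listing, a no-swap check, and the copy-only-if-changed step for the ntp drift file. The device name, tmpfs size and file paths are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's own configuration: helpers for the
# flash-wear measures listed above (noatime root, size-capped tmpfs /tmp,
# no swap, ntp drift file copied to /var only when it changed).
# Device name, tmpfs size and paths are assumptions.

# fstab lines for "mount / noatime" and a tmpfs /tmp with a hard size cap
# so a runaway process cannot eat all the RAM. /dev/hda1 is assumed.
fstab_lines() {
    cat <<'EOF'
/dev/hda1  /     ext3   defaults,noatime,errors=remount-ro   0 1
tmpfs      /tmp  tmpfs  defaults,noatime,size=32m,mode=1777  0 0
EOF
}

# check_mounts MOUNTS_TEXT: audit a /proc/mounts-style listing (pass
# "$(cat /proc/mounts)" on a live box). Prints one problem per line and
# returns 0 only when both measures are in place.
check_mounts() {
    _m="$1"; _rc=0
    if ! printf '%s\n' "$_m" |
        awk '$2=="/" && $4 ~ /(^|,)noatime(,|$)/ {f=1} END {exit !f}'; then
        echo "root filesystem is not mounted noatime"; _rc=1
    fi
    if ! printf '%s\n' "$_m" |
        awk '$2=="/tmp" && $3=="tmpfs" && $4 ~ /(^|,)size=/ {f=1} END {exit !f}'; then
        echo "/tmp is not a size-limited tmpfs"; _rc=1
    fi
    return $_rc
}

# check_swap SWAPS_TEXT: /proc/swaps holds only its header line when no
# swap is active, so more than one line means the "no swap" item is violated.
check_swap() {
    [ "$(printf '%s\n' "$1" | grep -c .)" -le 1 ]
}

# sync_if_changed SRC DST: copy SRC over DST only when the contents differ,
# so the weekly cron job leaves the flash alone while the drift value is
# stable. Returns 0 on copy, 1 when unchanged, 2 when SRC does not exist.
sync_if_changed() {
    [ -f "$1" ] || return 2
    if [ -f "$2" ] && cmp -s "$1" "$2"; then
        return 1
    fi
    cp -p "$1" "$2"
}

# Example weekly job (assumed paths): sync the drift file from tmpfs to /var.
# sync_if_changed /tmp/ntp.drift /var/lib/ntp/ntp.drift
```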

Re: [SLUG] Firewall

2006-07-09 Thread Craige McWhirter
On Mon, 2006-07-10 at 14:02 +1000, James Gray wrote:

> If you need to manage multiple firewalls with a consistent
> policy/framework across multiple platforms (Linux/BSD and even Cisco
> PIX, Linksys, etc too) then "fwbuilder" might be another candidate.

Fwbuilder is a personal favourite too. I have nice (encrypted)
collection of FWB files for all the firewalls I'm responsible for. Very
handy for re-creating in emergency situations as well as cloning.

--
Cheers,
  Craige,



Re: [SLUG] Firewall

2006-07-09 Thread James Gray
[EMAIL PROTECTED] wrote:
> Hi
> my ongoing frustrations:
>
> 1) How to setup a firewall in ubuntu? It seems suitable iptables settings do
> work but that's awfully primitive. This article did not help
> http://www.linux.com/article.pl?sid=06/06/26/1556259 (no lokkit or guarddog
> can be found by apt-get)
>
> 2) How to manipulate and configure services. I CAN and have been
> sym-linking /etc/init.d/service to rc2.d/SNNservice. That too is awfully
> primitive. system -> administration -> services lists 8 services from anacron
> to ssh. What about the zillion others?
>
> Help shows not available pictures:
> each service []
> with a   []
> checkbox []
>
> Thanks
> James

If you need to manage multiple firewalls with a consistent
policy/framework across multiple platforms (Linux/BSD and even Cisco
PIX, Linksys, etc too) then "fwbuilder" might be another candidate.

Obviously it can be used to configure a single firewall too :)

Check it out: http://www.fwbuilder.org/

FWIW, some of the "commercial" firewalls, like PIX, require a plug-in
that will cost $$$.  However it's completely free (beer and speech) for
Linux/BSD firewalls.

Cheers,

James


Re: [SLUG] Firewall

2006-07-07 Thread jam
On Saturday 08 July 2006 14:14, [EMAIL PROTECTED] wrote:
> > If you want something simple, firehol is pretty good. Debian (and
> > therefore probably Ubuntu) has a bunch of example config files that
> > are really easy to use. The advantage to say shorewall (although
> > things may have changed) is that with fussy protocols like SMB, you
> > just enable it and it works, where as I found with shorewall that you
> > needed to worry about traffic directions and such. It also lets you
> > do NATting and stuff extremely simply.
> >
> > And that's my 5 cents.
>
> Yes, same with Firestarter. I used Shorewall for quite some time on a
> Linux router. It is good, but something like Firestarter is (I think)
> the way to go for a simple Ubuntu setup. Doesn't do as much as
> Shorewall, but it is dead simple to set up and run a simple desktop
> protection firewall.
>
> My 5 cents.

Thanks Alan
guidedog
guarddog
worked. It seems that there is no option to:
* trust the local network (everything allowed)
* allow ESTABLISHED/RELATED packets back
* allow arbitrarily complex stuff (still investigating) eg for my openvpn
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
But it's mostly working
James

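An added example, not James's actual ruleset, of the three items his post says the GUI tool had no option for, as plain iptables rules: trusting the local network, letting ESTABLISHED/RELATED replies back in, and the two tun+ rules for OpenVPN. The LAN interface, LAN prefix and OpenVPN port are assumptions, and setting IPT=print_rule prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not James's actual ruleset: the three things his post says
# guarddog left out, as plain iptables rules. LAN interface, LAN prefix and
# the OpenVPN port are assumptions; override them via the environment.
# Set IPT=print_rule to print the rules instead of applying them (no root needed).

LAN_IF="${LAN_IF:-eth0}"              # assumed inside interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed local network
VPN_PORT="${VPN_PORT:-1194}"          # OpenVPN default, adjust to the server config
IPT="${IPT:-iptables}"

# dry-run backend: one rule per line, so the output can be reviewed or diffed
print_rule() { printf '%s\n' "$*"; }

firewall_rules() {
    # default deny inbound and forwarded traffic; outbound stays open
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    # loopback
    $IPT -A INPUT -i lo -j ACCEPT
    # "allow ESTABLISHED/RELATED packets back": replies to what we started
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # "trust the local network": tied to the LAN interface, so a packet with a
    # LAN source address arriving on any other interface gets no special treatment
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    # the OpenVPN rules from the post; tun+ matches every tun device
    $IPT -A INPUT -i tun+ -j ACCEPT
    $IPT -A FORWARD -i tun+ -j ACCEPT
    # the tunnel itself must be able to reach the daemon from outside
    $IPT -A INPUT -p udp --dport "$VPN_PORT" -m state --state NEW -j ACCEPT
    # log (rate limited) what is about to fall through to the DROP policy
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# rule_count: number of -A rules the function issues (dry run); compare with
# what the GUI tool generated, or with `iptables -S` after applying.
rule_count() {
    (IPT=print_rule; firewall_rules) | grep -c -- '^-A '
}
```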

Re: [SLUG] Firewall

2006-07-07 Thread Alan L Tyree
On Sat, 8 Jul 2006 12:20:20 +1000
Metrics <[EMAIL PROTECTED]> wrote:

> On Sat, Jul 08, 2006 at 11:33:44AM +1000, Sonia Hamilton wrote:
> > * On Fri, Jul 07, 2006 at 04:19:21PM +0800, [EMAIL PROTECTED] wrote:
> > > 1) How to setup a firewall in ubuntu? It seems suitable iptables
> > > settings do work but that's awfully primitive. This article did
> > > not help http://www.linux.com/article.pl?sid=06/06/26/1556259 (no
> > > lokkit or guarddog can be found by apt-get)
> > 
> > I use shorewall [1], basically a perl wrapper on iptables. Easy to
> > config with a collection of files in /etc/shorewall, and very
> > flexible - from a single laptop to a large network.
> > 
> > [1] http://www.shorewall.net
> > 
> 
> If you want something simple, firehol is pretty good. Debian (and
> therefore probably Ubuntu) has a bunch of example config files that
> are really easy to use. The advantage to say shorewall (although
> things may have changed) is that with fussy protocols like SMB, you
> just enable it and it works, where as I found with shorewall that you
> needed to worry about traffic directions and such. It also lets you
> do NATting and stuff extremely simply.
> 
> And that's my 5 cents.

Yes, same with Firestarter. I used Shorewall for quite some time on a
Linux router. It is good, but something like Firestarter is (I think)
the way to go for a simple Ubuntu setup. Doesn't do as much as
Shorewall, but it is dead simple to set up and run a simple desktop
protection firewall.

My 5 cents.

Alan

> 
> Byron


-- 
Alan L Tyree                http://www2.austlii.edu.au/~alan
Tel: +61 2 4782 2670        Mobile: +61 427 486 206
Fax: +61 2 4782 7092        FWD: 615662


Re: [SLUG] Firewall

2006-07-07 Thread O Plameras

Metrics wrote:

On Sat, Jul 08, 2006 at 11:33:44AM +1000, Sonia Hamilton wrote:
  

* On Fri, Jul 07, 2006 at 04:19:21PM +0800, [EMAIL PROTECTED] wrote:

1) How to setup a firewall in ubuntu? It seems suitable iptables settings do 
work but that's awfully primitive. This article did not help
http://www.linux.com/article.pl?sid=06/06/26/1556259 (no lokkit or guarddog 
can be found by apt-get)
  

I use shorewall [1], basically a perl wrapper on iptables. Easy to
config with a collection of files in /etc/shorewall, and very flexible -
from a single laptop to a large network.

[1] http://www.shorewall.net




If you want something simple, firehol is pretty good. Debian (and
therefore probably Ubuntu) has a bunch of example config files that are
really easy to use. The advantage to say shorewall (although things may
have changed) is that with fussy protocols like SMB, you just enable it
and it works, where as I found with shorewall that you needed to worry
about traffic directions and such. It also lets you do NATting and stuff
extremely simply.
  


In the current release, to block or permit SMB traffic, all you do in 
"rules" is you

do "SMB/REJECT" or "SMB/ACCEPT". The macros are in /usr/share/shorewall.
You can make up macros for any service.

O Plameras



Re: [SLUG] Firewall

2006-07-07 Thread Metrics
On Sat, Jul 08, 2006 at 11:33:44AM +1000, Sonia Hamilton wrote:
> * On Fri, Jul 07, 2006 at 04:19:21PM +0800, [EMAIL PROTECTED] wrote:
> > 1) How to setup a firewall in ubuntu? It seems suitable iptables settings 
> > do 
> > work but that's awfully primitive. This article did not help
> > http://www.linux.com/article.pl?sid=06/06/26/1556259 (no lokkit or guarddog 
> > can be found by apt-get)
> 
> I use shorewall [1], basically a perl wrapper on iptables. Easy to
> config with a collection of files in /etc/shorewall, and very flexible -
> from a single laptop to a large network.
> 
> [1] http://www.shorewall.net
> 

If you want something simple, firehol is pretty good. Debian (and
therefore probably Ubuntu) has a bunch of example config files that are
really easy to use. The advantage to say shorewall (although things may
have changed) is that with fussy protocols like SMB, you just enable it
and it works, where as I found with shorewall that you needed to worry
about traffic directions and such. It also lets you do NATting and stuff
extremely simply.

And that's my 5 cents.

Byron


Re: [SLUG] Firewall

2006-07-07 Thread Sonia Hamilton
* On Fri, Jul 07, 2006 at 04:19:21PM +0800, [EMAIL PROTECTED] wrote:
> 1) How to setup a firewall in ubuntu? It seems suitable iptables settings do 
> work but that's awfully primitive. This article did not help
> http://www.linux.com/article.pl?sid=06/06/26/1556259 (no lokkit or guarddog 
> can be found by apt-get)

I use shorewall [1], basically a perl wrapper on iptables. Easy to
config with a collection of files in /etc/shorewall, and very flexible -
from a single laptop to a large network.

[1] http://www.shorewall.net

--
Sonia Hamilton. GPG key A8B77238.
.
"Complaining that Linux doesn't work well with Windows is like ... oh,
say, evaluating an early automobile and complaining that there's no
place to hitch up a horse." (Daniel Dvorkin)


Re: [SLUG] Firewall

2006-07-07 Thread jam
On Saturday 08 July 2006 05:35, [EMAIL PROTECTED] wrote:
> > Hi
> > my ongoing frustrations:
> >
> > 1) How to setup a firewall in ubuntu? It seems suitable iptables settings
> > do work but that's awfully primitive. This article did not help
> > http://www.linux.com/article.pl?sid=06/06/26/1556259 (no lokkit or
> > guarddog can be found by apt-get)
>
> If you enable universe you can get these:
>
>     erikd > apt-cache search guarddog
>     guarddog - firewall configuration utility for KDE
>     guidedog - NAT/masquerading/port-forwarding configuration tool for KDE
>     erikd > apt-cache search lokkit  
>     gnome-lokkit - basic interactive firewall configuration tool (GNOME
> interface) lokkit - basic interactive firewall configuration tool (console
> interface)

Thanks for all the help!
The missing link: I DID enable universe, I needed to 
apt-get update
I did not understand that I needed to do that on a new install:

jam> apt-cache search lokkit
jam>

James


Re: [SLUG] Firewall

2006-07-07 Thread Alan L Tyree
On Fri, 7 Jul 2006 16:19:21 +0800
[EMAIL PROTECTED] wrote:

> Hi
> my ongoing frustrations:
> 
> 1) How to setup a firewall in ubuntu? It seems suitable iptables
> settings do work but that's awfully primitive. This article did not
> help http://www.linux.com/article.pl?sid=06/06/26/1556259 (no lokkit
> or guarddog can be found by apt-get)

Firestarter is a nice simple firewall.

> 
> 2) How to manipulate and configure services. I CAN and have been
> sym-linking /etc/init.d/service to rc2.d/SNNservice. That too is
> awfully primitive. system -> administration -> services lists 8
> services from anacron to ssh. What about the zillion others?
> 
> Help shows not available pictures:
> each service []
> with a   []
> checkbox []
> 
> Thanks
> James
> 


-- 
Alan L Tyree
http://www2.austlii.edu.au/~alan
Tel: +61 2 4782 2670
Mobile: +61 427 486 206
Fax: +61 2 4782 7092
FWD: 615662


Re: [SLUG] Firewall

2006-07-07 Thread Erik de Castro Lopo
[EMAIL PROTECTED] wrote:

> Hi
> my ongoing frustrations:
> 
> 1) How to setup a firewall in ubuntu? It seems suitable iptables settings do
> work but that's awfully primitive. This article did not help
> http://www.linux.com/article.pl?sid=06/06/26/1556259 (no lokkit or guarddog
> can be found by apt-get)

If you enable universe you can get these:

erikd > apt-cache search guarddog
guarddog - firewall configuration utility for KDE
guidedog - NAT/masquerading/port-forwarding configuration tool for KDE
erikd > apt-cache search lokkit  
gnome-lokkit - basic interactive firewall configuration tool (GNOME 
interface)
lokkit - basic interactive firewall configuration tool (console interface)


> 2) How to manipulate and configure services. I CAN and have been
> sym-linking /etc/init.d/service to rc2.d/SNNservice. That too is awfully
> primitive.

Yes. For a commandline way of doing this on Debian/Ubuntu try
update-rc.d. I'm pretty sure there are gui tools for this as well.

Erik
-- 
+---+
  Erik de Castro Lopo
+---+
"These are the finest moments in (post)modern life, when satire is completely
indistinguishable from reality... I usually have to rely on the presidential
elections for such dada." -- frenomulax on Jesux a christian Linux distro.


Re: [SLUG] Firewall log

2004-02-26 Thread Alexander Samad
I will take a stab

Log entry 1 is coming in on eth0: machine 192.168.1.4 is making a
bootp/DHCP request, which your machine is rejecting.

Log entry 2 is going out on eth0 from 192.168.1.2, which is
a reply to the bootp/DHCP request from before.

Note: from memory, the DHCP server attaches to the interface in such a way
that netfilter can't stop it.

Why this happens when you lose the connection, I'm not sure.

A

On Fri, Feb 27, 2004 at 01:41:33PM +1100, Alan L Tyree wrote:
> What does this mean? I have a modem connection that times out after 5
> hours - dial on demand. When it restarts, my firewall log shows *lot* of
> these entries:
> 
> Feb 27 13:22:42 kernel: Shorewall:all2all:REJECT:IN=eth0 OUT=
> MAC=00:20:35:73:71:2a:00:50:bf:e6:77:b1:08:00 SRC=192.168.1.4
> DST=192.168.1.2 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
> SPT=68 DPT=67 LEN=308 
> 
> Feb 27 13:22:42 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0
> SRC=192.168.1.2 DST=192.168.1.4 LEN=328 TOS=0x00 PREC=0x00 TTL=64
> ID=36216 DF PROTO=UDP SPT=67 DPT=68 LEN=308
> 
> They always come in pairs like that. The firewall is 192.168.1.2 and the
> other machine is the only one operating on the network.
> 
> Thanks,
> Alan
> -- 
> --
> Alan L Tyree
> http://www2.austlii.edu.au/~alan
> Tel: +61 2 4782 2670
> Mobile: +61 405 084 990
> Fax: +61 2 4782 7092


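The reading Alexander gives above, worked through as an added Python example that is not part of the thread: it parses the two Shorewall log lines Alan posted (netfilter key=value fields, bare flags like DF, the two LEN values), works out the packet direction from the IN/OUT interfaces, recognises the DHCP request/reply port pair, and matches each rejected request with its rejected reply. The sample log is the quoted pair joined back onto one line each; the parser and pairing logic are mine.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the two Shorewall log lines quoted in the thread.
SAMPLE_LOG = """\
Feb 27 13:22:42 kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=00:20:35:73:71:2a:00:50:bf:e6:77:b1:08:00 SRC=192.168.1.4 DST=192.168.1.2 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=68 DPT=67 LEN=308
Feb 27 13:22:42 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.1.2 DST=192.168.1.4 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=36216 DF PROTO=UDP SPT=67 DPT=68 LEN=308
"""

# Shorewall prefixes each netfilter log line with "chain:disposition:".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) kernel: "
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<fields>.*)$"
)

DHCP_SERVER_PORT = "67"
DHCP_CLIENT_PORT = "68"


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Turn one Shorewall log line into a dict of its netfilter fields.

    Bare tokens such as DF go under "flags". LEN appears twice (IP total
    length, then UDP length), so the two values are kept apart.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags: List[str] = []
    lengths: List[int] = []
    rec: Dict[str, object] = {"ts": m.group("ts"), "chain": m.group("chain"),
                              "action": m.group("action"), "flags": flags}
    for tok in m.group("fields").split():
        if "=" not in tok:
            flags.append(tok)
            continue
        key, value = tok.split("=", 1)
        if key == "LEN":
            lengths.append(int(value))
        else:
            rec[key] = value          # empty values (IN=, OUT=) stay as ""
    rec["ip_len"] = lengths[0] if lengths else None
    rec["payload_len"] = lengths[1] if len(lengths) > 1 else None
    return rec


def direction(rec: Dict[str, object]) -> str:
    """IN set and OUT empty: packet arriving. OUT set and IN empty: leaving."""
    has_in, has_out = bool(rec.get("IN")), bool(rec.get("OUT"))
    if has_in and has_out:
        return "forward"
    if has_in:
        return "in"
    if has_out:
        return "out"
    return "unknown"


def classify(rec: Dict[str, object]) -> str:
    """Recognise the DHCP request/reply pattern from the UDP port pair."""
    if rec.get("PROTO") == "UDP":
        if rec.get("SPT") == DHCP_CLIENT_PORT and rec.get("DPT") == DHCP_SERVER_PORT:
            return "dhcp-request"
        if rec.get("SPT") == DHCP_SERVER_PORT and rec.get("DPT") == DHCP_CLIENT_PORT:
            return "dhcp-reply"
    return "other"


def find_dhcp_pairs(recs: List[Dict[str, object]]) -> List[Tuple[Dict[str, object], Dict[str, object]]]:
    """Match each request with a reply back to the requester in the same second."""
    requests = [r for r in recs if classify(r) == "dhcp-request"]
    replies = [r for r in recs if classify(r) == "dhcp-reply"]
    return [(q, a) for q in requests for a in replies
            if a["ts"] == q["ts"] and a["SRC"] == q["DST"] and a["DST"] == q["SRC"]]


def describe(rec: Dict[str, object]) -> str:
    """One human-readable line per log entry, the way Alexander reads them."""
    iface = rec.get("IN") or rec.get("OUT") or "?"
    return (f"{rec['ts']} {direction(rec)} on {iface}: {rec['SRC']} -> {rec['DST']} "
            f"{classify(rec)} (udp {rec.get('SPT')}->{rec.get('DPT')}), "
            f"{rec['action']} by chain {rec['chain']}")


def analyse(log_text: str):
    """Parse every Shorewall line in the text and pair up the DHCP traffic."""
    recs = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    return recs, find_dhcp_pairs(recs)


if __name__ == "__main__":
    records, pairs = analyse(SAMPLE_LOG)
    for r in records:
        print(describe(r))
    print(f"{len(pairs)} DHCP request/reply pair(s) rejected by the all2all policy")
```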


Re: [SLUG] firewall logfile analysis

2004-02-20 Thread Chris Deigan
It is said that Hilton De Meillon wrote:
>I am using Gentoo. I use Metalog as a logger. I use Fwbuilder to design
>my rulesets. What can I use to analyse my log files - I have tried
>fwanalog but it does not look like it likes the way Metalog logs. 
>
>any recommendations ?

First, for live analysis of your logs you will want to turn off metalog's
buffering by running:
killall -USR1 metalog

I usually read my logs with view (which is basically vi[m]).
Or, for live analysis I use tail, which shows your logs as
your logging daemon writes them.

To turn metalog's buffering back on:
killall -USR2 metalog

 - Chris


Re: [SLUG] Firewall appliance box

2003-10-07 Thread Del
Hi,

Since it came up, I've done a fair amount of hacking
recently to get IPCop to install via PXE.  Useful
because most of these appliance boxes don't contain
a floppy disk drive, and the FD controller is fairly
hard to get at even when you open the box up.
Red Hat is easy because they give you PXE capable vmlinuz
and initrd.img files (i.e. ones that don't ask for a
driver floppy, and that have all of the network drivers
bundled).  IPCop typically installs off 2 floppies with
LILO and ext2 filesystems on them so it took a bit of
messing about to get it not to want a floppy disk (or
not to grizzle when it didn't get one).
It's a bit of a work in progress but if anyone wants
to see what I've done contact me off-list.
--
Del
--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug


Re: [SLUG] Firewall appliance box

2003-10-06 Thread Del
Kevin Saenz wrote:
Has anyone installed Linux on these thin clients?
What are the things I would have to be concerned about?
Hi,

I have Red Hat 7.3 running on a couple and IPCop running
on some more of them.
--
Del


Re: [SLUG] Firewall appliance box

2003-10-06 Thread Guy Ellis
Hi Kevin,

Yes we use a Mini-iTx motherboard.

Our box and the Everything Linux are roughly the same size
ours is 295 x 260 x 65mm (W x D x H)
If you want an internal PSU (also fanless) and the option of 2 PCI slots go 
for our box. Our market is mainly firewalls.

If you want an external PSU go for Anthony's box. His market is mainly thin 
clients.

It's your choice.

Cheers,

 - Guy.

At 03:58 PM 6/10/2003 +1000, you wrote:
What are the dimensions of the box? This system seems to be based
vaguely on the concept of a mini-box motherboard, but uses a 240 volt
input rather than a 12 volt one.
> Hi Kevin,
>
> We can do 3 Eth easily with our box
>
> http://www.traverse.com.au/products/default.asp?p=42
>
> The Fanless model has no moving parts.
>
> Drop me a line if you are interested.
>
> Cheers,
>
>   - Guy.
>
> At 01:39 PM 6/10/2003 +1000, you wrote:
> >Hi all,
> >
> >I am looking for a box that will be about the size of
> >an ADSL router, with about 512 RAM, multi NIC preferred min 3,
> >to build a firewall. Does anyone know where I could source
> >such a box? It would be helpful if it had a CPU and NVRam
> >
> >
> >
> >--
> >Regards,
> >
> >Kevin Saenz
> >
> >Spinaweb
> >I.T consultants
> >
> >Ph: 02 4620 5130
> >Fax: 02 4625 9243
> >Mobile: 0418455661
> >Web: http://www.spinaweb.com.au
> >
>
> --
> Guy Ellis
> [EMAIL PROTECTED]
>
> Traverse Technologies
> ABN 98 078 657 324
> 652 Smith St.,
> Clifton Hill, Victoria, 3068
> AUSTRALIA
> http://www.traverse.com.au
> Tel (+613) 9486 7775
> Fax (+613) 9482 7754
> Mobile 0419 398 234
> --
--
Regards,
Kevin Saenz

Spinaweb
I.T consultants
Ph: 02 4620 5130
Fax: 02 4625 9243
Mobile: 0418455661
Web: http://www.spinaweb.com.au
--
Guy Ellis
[EMAIL PROTECTED]
Traverse Technologies
ABN 98 078 657 324
652 Smith St.,
Clifton Hill, Victoria, 3068
AUSTRALIA
http://www.traverse.com.au
Tel (+613) 9486 7775
Fax (+613) 9482 7754
Mobile 0419 398 234
--


Re: [SLUG] Firewall appliance box

2003-10-05 Thread Kevin Saenz
Has anyone installed Linux on these thin clients?
What are the things I would have to be concerned about?

> It is said that Kevin Saenz wrote:
> >Maybe Anthony could tell me where I should look. :)
> >I thought it would be under hardware.
> 
> http://www.everythinglinux.com.au/cat/systems/thinclients
> 
>  - Chris
[EMAIL PROTECTED]
-- 
Regards,

Kevin Saenz
 
Spinaweb
I.T consultants
 
Ph: 02 4620 5130
Fax: 02 4625 9243
Mobile: 0418455661
Web: http://www.spinaweb.com.au



Re: [SLUG] Firewall appliance box

2003-10-05 Thread Kevin Saenz
Thanks that looks good.
> It is said that Kevin Saenz wrote:
> >Maybe Anthony could tell me where I should look. :)
> >I thought it would be under hardware.
> 
> http://www.everythinglinux.com.au/cat/systems/thinclients
> 
>  - Chris
[EMAIL PROTECTED]
-- 
Regards,

Kevin Saenz
 
Spinaweb
I.T consultants
 
Ph: 02 4620 5130
Fax: 02 4625 9243
Mobile: 0418455661
Web: http://www.spinaweb.com.au



Re: [SLUG] Firewall appliance box

2003-10-05 Thread Chris Deigan
It is said that Kevin Saenz wrote:
>Maybe Anthony could tell me where I should look. :)
>I thought it would be under hardware.

http://www.everythinglinux.com.au/cat/systems/thinclients

 - Chris
[EMAIL PROTECTED]


Re: [SLUG] Firewall appliance box

2003-10-05 Thread Kevin Saenz
What are the dimensions of the box? This system seems to be based
vaguely on the concept of a mini-box motherboard, but uses a 240 volt
input rather than a 12 volt one.

> Hi Kevin,
> 
> We can do 3 Eth easily with our box
> 
> http://www.traverse.com.au/products/default.asp?p=42
> 
> The Fanless model has no moving parts.
> 
> Drop me a line if you are interested.
> 
> Cheers,
> 
>   - Guy.
> 
> At 01:39 PM 6/10/2003 +1000, you wrote:
> >Hi all,
> >
> >I am looking for a box that will be about the size of
> >an ADSL router, with about 512 RAM, multi NIC preferred min 3,
> >to build a firewall. Does anyone know where I could source
> >such a box? It would be helpful if it had a CPU and NVRam
> >
> >
> >
> >--
> >Regards,
> >
> >Kevin Saenz
> >
> >Spinaweb
> >I.T consultants
> >
> >Ph: 02 4620 5130
> >Fax: 02 4625 9243
> >Mobile: 0418455661
> >Web: http://www.spinaweb.com.au
> >
> 
> --
> Guy Ellis
> [EMAIL PROTECTED]
> 
> Traverse Technologies
> ABN 98 078 657 324
> 652 Smith St.,
> Clifton Hill, Victoria, 3068
> AUSTRALIA
> http://www.traverse.com.au
> Tel (+613) 9486 7775
> Fax (+613) 9482 7754
> Mobile 0419 398 234
> --
-- 
Regards,

Kevin Saenz
 
Spinaweb
I.T consultants
 
Ph: 02 4620 5130
Fax: 02 4625 9243
Mobile: 0418455661
Web: http://www.spinaweb.com.au



Re: [SLUG] Firewall appliance box

2003-10-05 Thread Kevin Saenz
Maybe Anthony could tell me where I should look. :)
I thought it would be under hardware.

> It is said that Kevin Saenz wrote:
> >I am looking for a box that will be about the size of
>an ADSL router, with about 512 RAM, multi NIC preferred min 3,
> >to build a firewall. Does anyone know where I could source
> >such a box? It would be helpful if it had a CPU and NVRam
> 
> I believe everythinglinux.com.au may have what you are after.
> 
>  - Chris
[EMAIL PROTECTED]
-- 
Regards,

Kevin Saenz
 
Spinaweb
I.T consultants
 
Ph: 02 4620 5130
Fax: 02 4625 9243
Mobile: 0418455661
Web: http://www.spinaweb.com.au



Re: [SLUG] Firewall appliance box

2003-10-05 Thread Chris Deigan
It is said that Kevin Saenz wrote:
>I am looking for a box that will be about the size of
>an ADSL router, with about 512 RAM, multi NIC preferred min 3,
>to build a firewall. Does anyone know where I could source
>such a box? It would be helpful if it had a CPU and NVRam

I believe everythinglinux.com.au may have what you are after.

 - Chris
[EMAIL PROTECTED]


Re: [SLUG] Firewall appliance box

2003-10-05 Thread Guy Ellis
Hi Kevin,

We can do 3 Eth easily with our box

http://www.traverse.com.au/products/default.asp?p=42

The Fanless model has no moving parts.

Drop me a line if you are interested.

Cheers,

 - Guy.

At 01:39 PM 6/10/2003 +1000, you wrote:
Hi all,

I am looking for a box that will be about the size of
an ADSL router, with about 512 RAM, multi NIC preferred min 3,
to build a firewall. Does anyone know where I could source
such a box? It would be helpful if it had a CPU and NVRam


--
Regards,
Kevin Saenz

Spinaweb
I.T consultants
Ph: 02 4620 5130
Fax: 02 4625 9243
Mobile: 0418455661
Web: http://www.spinaweb.com.au
--
Guy Ellis
[EMAIL PROTECTED]
Traverse Technologies
ABN 98 078 657 324
652 Smith St.,
Clifton Hill, Victoria, 3068
AUSTRALIA
http://www.traverse.com.au
Tel (+613) 9486 7775
Fax (+613) 9482 7754
Mobile 0419 398 234
--


Re: [SLUG] Firewall / router for BigPond

2003-09-29 Thread Ben Donohue
Guarddog is pretty good on Linux
www.simonzone.com




Re: [SLUG] Firewall / router for BigPond

2003-09-28 Thread Oscar Plameras

> Dear list,
>
> Before I reinvent the wheel.  I am looking at using VNC to control Win98
> boxen remotely.
>
> I need a firewall / router for basic protection, are there any cheap
> routers, eg DLink, that are worth it?
>
> It is easy enough to just use IPTables but are there any templates /
> pre-written rules floating around?
>

I have Linux kernel version 2.4.20.

I am using templates. You may find these at,

http://www.acay.com.au/~oscarp/howto

There are two scripts:

1. 'firewall-2.4.sh' is fired up with 'start', 'stop', or 'restart'
as required, as follows:

firewall-2.4.sh start.

2. 'rc.firewall-2.4' is the script that kicks off when script
on '1.' is selected with a 'start' parameter

Please note that you need to modify 'rc.firewall-2.4' for your requirements.

Please also note the Linux kernel version requirements and
all legal stuff as indicated within these scripts.


Oscar Plameras
http://www.acay.com.au/~oscarp/disclaimer.html



Re: [SLUG] Firewall MD5 signatures on processes

2003-02-04 Thread Jamie Wilkinson
This one time, at band camp, Glen Turner wrote:
> -- expand until their configuration file syntax
>is Turing-complete (sendmail, Emacs, iptables).
> -- proliferate options beyond human ken (ls, ps).
> -- provide a handful of differing APIs and subsystems
>to perform the same task, each with their own
>religious cult (X fonts and rendering, output
>to text terminals, text file manipulation).

You forgot "evolve into a mailreader."  Some famous quote somewhere.

-- 
[EMAIL PROTECTED]   http://spacepants.org/jaq.gpg



Re: [SLUG] Firewall MD5 signatures on processes

2003-02-04 Thread Jamie Wilkinson
This one time, at band camp, [EMAIL PROTECTED] wrote:
>Someone wrote...
>
>> >>And totally unimplementable on a machine where the same binaries can have
>> >>different MD5 sums across different installations, e.g. the one you all are
>> >>(most likely) reading this mail on now.
>
>Why would they be different?  I guess I'm sorta asking
>what do you mean by installation?  Distributions?  Versions?

I should have elaborated:  Assuming you build some of your software from
source, then you can't have a vendor-supplied tripwire-like firewall that
has a hardcoded list of checksums.

Assuming.

But real users just suck down packages from their nearest mirror (near being
the USA in the case of up2date and Red Hat (you current users quiet down)
:-) so I guess a commercial Linux vendor could in fact start distributing a
hardcoded checksum database.   Of course then you get into the issue of
trust...

You certainly wouldn't see anything like this implemented on Debian testing
or unstable... and most likely no-one could be bothered.  tripwire, aide,
osiris, and samhain are all packaged.

-- 
[EMAIL PROTECTED]   http://spacepants.org/jaq.gpg



Re: [SLUG] Firewall MD5 signatures on processes

2003-02-04 Thread Jamie Wilkinson
This one time, at band camp, [EMAIL PROTECTED] wrote:
>I've found a few bits of Linux software which do part
>of the job.  They associate a particular pathname with
>network permission.  What they don't do as far as I can
>tell is associate a pathname + md5 with a particular
>port/protocol/direction.   (though it's possible I haven't
>browsed hard enough)

Something similar... in a way: iptables can firewall local services based on
the username of a process, so you can restrict outbound smtp to the postfix
user, for example, if you are running postfix as non-root.  With a bit of
creative suiding and so on, you can restrict which binaries are allowed to
use the network.

-- 
[EMAIL PROTECTED]   http://spacepants.org/jaq.gpg



Re: [SLUG] Firewall MD5 signatures on processes

2003-01-30 Thread Jamie Wilkinson
This one time, at band camp, Matt M wrote:
>
>
>>And totally unimplementable on a machine where the same binaries can have
>>different MD5 sums across different installations, e.g. the one you all are
>>(most likely) reading this mail on now.
>
>Unless the MD5 sums table is built when you install the machine/software or
>configure the feature.

I use tripwire at work; taking MD5 sums and so forth to check the filesystem
for modified binaries isn't difficult.  The context of my reply was to
Jeff's example of Windows based "personal firewalls", and he alluded to the
"personal firewall" hardcoding the checksums for common programs within
them.  My point was that no-one could sell a product that had the binary
checksums hardcoded into it.

Then again, perhaps there was no implication of hardcoded checksums.  I only
assume that proprietary software is going to do dumb things ;-)

-- 
[EMAIL PROTECTED]   http://spacepants.org/jaq.gpg



Re: [SLUG] Firewall MD5 signatures on processes

2003-01-29 Thread mlh
Someone wrote...

> >>And totally unimplementable on a machine where the same binaries can have
> >>different MD5 sums across different installations, e.g. the one you all are
> >>(most likely) reading this mail on now.

Why would they be different?  I guess I'm sorta asking
what do you mean by installation?  Distributions?  Versions?

Matt



Re: [SLUG] Firewall MD5 signatures on processes

2003-01-29 Thread mlh


I've found a few bits of Linux software which do part
of the job.  They associate a particular pathname with
network permission.  What they don't do as far as I can
tell is associate a pathname + md5 with a particular
port/protocol/direction.   (though it's possible I haven't
browsed hard enough)

http://lsm.immunix.org/
http://www.lids.org/

Recent LIDS are based on lsm apparently.

http://www.intersectalliance.com/projects/Snare/

That last one is an Aussie company. And they've
got Redhat 8 rpms.  woohoo!


Matt



Re: [SLUG] Firewall MD5 signatures on processes

2003-01-29 Thread Glen Turner
Rob B wrote:


Unix software rule:  Do one thing, and do it well
Windows software rule: Do everything


Can't say I've ever noticed that.  I have noticed that
UNIX programs either:

 -- expand until their configuration file syntax
is Turing-complete (sendmail, Emacs, iptables).

Think about it -- you can teach people Java in
a semester.  Would you dare say the same of
sendmail or emacs :-)

 -- proliferate options beyond human ken (ls, ps).

Common quiz question, "what option letter isn't
used in ps".

 -- provide a handful of differing APIs and subsystems
to perform the same task, each with their own
religious cult (X fonts and rendering, output
to text terminals, text file manipulation).

Even file I/O
   f = open(...)
   f = fopen(...)


Regards,
Glen




Re: [SLUG] Firewall MD5 signatures on processes

2003-01-29 Thread Rob B
At 23:49 29/01/2003, Matt M sent this up the stick:



And totally unimplementable on a machine where the same binaries can have
different MD5 sums across different installations, e.g. the one you all are
(most likely) reading this mail on now.


Unless the MD5 sums table is built when you install the machine/software
or configure the feature.

Correctamundo!

Y'all should remember, these Windows "firewalls" are designed to be 
installed on a single machine (hence the term "personal firewall") and - 
while they will work on a box acting as a gateway - they will only verify 
MD5 sums of local software.  So in effect, these apps combine a bit of 
Tripwire/Aide with a packet filter.

Unix software rule:  Do one thing, and do it well
Windows software rule: Do everything

cheers,
Rob
:)


--
Create your own opportunity. Blackmail a senior executive.

This is random quote 419 of a collection of 1273

Distance from the centre of the brewing universe:
[15200.8 km (8207.8 mi), 262.8 deg](Apparent) Rennerian

Public Key fingerprint = 6219 33BD A37B 368D 29F5  19FB 945D C4D7 1F66 D9C5



Re: [SLUG] Firewall MD5 signatures on processes

2003-01-29 Thread Matt M



And totally unimplementable on a machine where the same binaries can have
different MD5 sums across different installations, e.g. the one you all are
(most likely) reading this mail on now.


Unless the MD5 sums table is built when you install the machine/software or
configure the feature.


Matt




Re: [SLUG] Firewall MD5 signatures on processes

2003-01-29 Thread Jamie Wilkinson
This one time, at band camp, Jeff Waugh wrote:
>
>
>> In your first post, you talk about md5 *signature*, now about md5
>> checksums. These are 2 different things. Checking file integrity is
>> definitively not the job of the networking stack at all.
>
>Minh is talking about a feature of some 'host firewalls' that checks the
>md5 checksum of software trying to access the network. That way, it can
>allow and disallow access to executables that have been changed on disk, or
>not explicitly listed as allowed to access the network.
>
>Dunno if this sort of stuff has been done on other systems before, but it
>seems to be the in-thing with the latest Windows 'host firewalls'.
>
>It also sounds like a totally dodgy and easily breakable consumer marketing
>oriented "feature". :-)

And totally unimplementable on a machine where the same binaries can have
different MD5 sums across different installations, e.g. the one you all are
(most likely) reading this mail on now.

ObBigot: Go free software! yay!

-- 
[EMAIL PROTECTED]   http://spacepants.org/jaq.gpg



Re: [SLUG] Firewall MD5 signatures on processes

2003-01-28 Thread Matt M
I think the problem is that Minh is a little confused about what exactly a 
firewall is (No thanks to windows "personal firewall" vendors, I'm sure). 
In my, perhaps a little conservative view, it's just a packet filter, 
whether you're referring to a black box or an application on a host.

The talk about MD5 sums and the like goes more towards system integrity 
than firewalling, in fact it's basically tripwire with a sprinkling of 
crack, and definitely would not be implemented as part of a firewall/tcp 
stack (more likely a separate module with a wrapper for the network calls 
in the kernel). Why you'd need to stop altered applications accessing the
internet is a little bit baffling for me; if your system has been
compromised, well, that's the end of it, really. The only real advantage
I could see would be limiting someone who's trying to use your machine as a
D/DOS platform, and really, if you're keeping a good eye on the machine,
this shouldn't be too much of an issue.

That said, it does have a little security value -- everything that makes it
harder for attackers has some security value. But for the cost of
implementing something like this, I really don't see the point.

Cheers,

Matt
At 19:51 27/01/2003, Jamie Wilkinson wrote:
This one time, at band camp, Minh Van Le wrote:
>I feel I must point out that, the point of MD5 checksums on applications is
>to identify which applications have changed or have been trojaned. If the
>firewall can identify altered file(s) then both the firewall and
>administrator will have a chance to be alerted. This is significant
>security.

When you say "firewall", do you mean the packet filter itself or an entire
machine whose job is to sit between networks?

If the latter, then yes this is possible, ideal and very simple.

If the former, then you are entering an entire world of complexity and, most
likely, pain.

>File integrity should be part of the network access layer,

Right, so you *do* mean the packet filter itself.

A packet filter looks at packets.  It doesn't know nor care whether it's
transferring a file or a program or a trojanned binary.  Adding the required
code to look at the packets and work out that a file is being transferred
means you're going to start adding entire file transfer protocols (FTP,
HTTP, SSH to name a few) which is going to be a painful process, let
alone the ability to then check these files against a central database of
MD5 sums.

>and checked by
>both the firewall and other file integrity audit programs, because the
>latter (eg. Tripwire) won't do anything to stop trojans from
>bypassing/tricking the firewall.

Or do you *really* mean the firewall machine?

Forgive me if I seem a little confused, your terminology isn't making a lot
of sense to me.  Perhaps it's because I've just gotten off a plane, but I
am inclined to think that you've got things mixed up a little, too.

But I'm interested to hear your ideas on how you'd make "the firewall and
other file integrity ... programs" stop trojans.

--
[EMAIL PROTECTED]   http://spacepants.org/jaq.gpg



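The "table built at install time, checked before a binary may use the network" design Matt and Rob discuss above (tripwire-style integrity checking bolted onto a host firewall), as an added Python example that is not from the thread or any product it names. It also addresses Kevin's question about where the database lives and mlh's point that the check is worthless if the application can edit the table. Paths, file contents and the table location are constructed; the thread talks about MD5, and the example defaults to SHA-256 because MD5 collisions are practical today.

```python
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, Iterable, Tuple

# Constructed example of a host-firewall integrity table: built once at
# install time, consulted before a binary is allowed to open a socket.
HASH_ALGO = "sha256"   # the thread says MD5; use SHA-256 for a table built today


def file_digest(path: str, algo: str = HASH_ALGO) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: Iterable[str]) -> Dict[str, str]:
    """Install-time step: record the digest of every binary allowed on the network."""
    return {os.path.abspath(p): file_digest(p) for p in paths}


def save_baseline(baseline: Dict[str, str], table_path: str) -> None:
    """Write the table and make it owner-read/write only (constructed JSON layout)."""
    with open(table_path, "w") as f:
        json.dump({"algo": HASH_ALGO, "files": baseline}, f)
    os.chmod(table_path, 0o600)


def load_baseline(table_path: str) -> Dict[str, str]:
    with open(table_path) as f:
        return json.load(f)["files"]


def table_is_protected(table_path: str) -> bool:
    """The table must not be writable by group or others: if the checked
    application could edit it, the check proves nothing (mlh's point)."""
    mode = os.stat(table_path).st_mode
    return not (mode & (stat.S_IWGRP | stat.S_IWOTH))


def check_network_access(path: str, baseline: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether the binary at `path` may open a socket, and why."""
    path = os.path.abspath(path)
    if path not in baseline:
        return False, "not listed"
    if not os.path.exists(path):
        return False, "missing"
    if file_digest(path) != baseline[path]:
        return False, "changed on disk"
    return True, "ok"


def demo() -> Tuple[Tuple[bool, str], Tuple[bool, str], Tuple[bool, str], bool]:
    """Walk through install, a clean check, a binary changed after install, and an unknown one."""
    with tempfile.TemporaryDirectory() as d:
        mailer = os.path.join(d, "mailer")          # constructed stand-in for a binary
        with open(mailer, "wb") as f:
            f.write(b"#!/bin/sh\necho mail\n")
        table = os.path.join(d, "fw-table.json")
        save_baseline(build_baseline([mailer]), table)
        baseline = load_baseline(table)
        clean = check_network_access(mailer, baseline)
        with open(mailer, "ab") as f:               # the file changes after install
            f.write(b"echo extra\n")
        modified = check_network_access(mailer, baseline)
        unknown = check_network_access(os.path.join(d, "other"), baseline)
        return clean, modified, unknown, table_is_protected(table)


if __name__ == "__main__":
    print(demo())
```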



Re: [SLUG] Firewall MD5 signatures on processes

2003-01-27 Thread Kevin Saenz

> It's not useless, though it can of course be compromised easily if the firewall
> software doing the checksumming runs as the same user as the application itself,
> which is the case under most versions of windows.  In fact, already some viruses
> disable the firewall, and put up an icon in the system tray to make it look
> like it is still running.
> 
> On Linux though, I can easily imagine this being implemented in a more secure
> manner. 
> 
The only problem I see here is that these sorts of "firewalls" are only as
good as their latest updates, just like anti-virus. Here is a question
for those experts with kerio and zonealarm: once the application does
its checksums and the like, where does that database go? Is it on the local
system?






Re: [SLUG] Firewall MD5 signatures on processes

2003-01-27 Thread mlh
On Tue, Jan 28, 2003 at 02:06:44PM +1100, Jeff Waugh wrote:
> 
> 
> > In your first post, you talk about md5 *signature*, now about md5
> > checksums.

Those terms seem to be used interchangeably.

> > These are 2 different things. Checking file integrity is
> > definitively not the job of the networking stack at all.

I don't think anyone said it was.

> Minh is talking about a feature of some 'host firewalls' that checks the
> md5 checksum of software trying to access the network. That way, it can
> allow and disallow access to executables that have been changed on disk, or
> not explicitly listed as allowed to access the network.
> 
> Dunno if this sort of stuff has been done on other systems before, but it
> seems to be the in-thing with the latest Windows 'host firewalls'.
> 
> It also sounds like a totally dodgy and easily breakable consumer marketing
> oriented "feature". :-)


It's not useless, though it can of course be compromised easily if the firewall
software doing the checksumming runs as the same user as the application itself,
which is the case under most versions of Windows.  In fact, already some viruses
disable the firewall, and put up an icon in the system tray to make it look
like it is still running.

On Linux though, I can easily imagine this being implemented in a more secure
manner.


Matt

-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug



Re: [SLUG] Firewall MD5 signatures on processes

2003-01-27 Thread Jeff Waugh


> In your first post, you talk about md5 *signature*, now about md5
> checksums. These are 2 different things. Checking file integrity is
> definitively not the job of the networking stack at all.

Minh is talking about a feature of some 'host firewalls' that checks the
md5 checksum of software trying to access the network. That way, it can
allow and disallow access to executables that have been changed on disk, or
not explicitly listed as allowed to access the network.

Dunno if this sort of stuff has been done on other systems before, but it
seems to be the in-thing with the latest Windows 'host firewalls'.

It also sounds like a totally dodgy and easily breakable consumer marketing
oriented "feature". :-)

- Jeff

-- 
 "Linux is not like Novell, it isn't going to run out of money - it 
  started off bankrupt, in a way." - Steve Ballmer  
-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
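Jeff's description of the feature, as an added Python example that is not code from the thread or from any of the products named: an allowlist of executable hashes decides network access, denying unlisted and modified binaries, and the allowlist file is stored under an HMAC so that Kevin's concern about the database living on the local system is at least detectable. Assumed for the demo: SHA-256 in place of MD5, a placeholder key, and constructed stand-in executables in a temporary directory.

```python
import hashlib
import hmac
import json
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Hash an executable on disk (SHA-256 is assumed in place of the thread's MD5)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def save_allowlist(entries, db_path, key):
    """Write {exe_path: digest} with an HMAC over its canonical encoding, so an
    edit to the database file itself is detectable on load.  The key must live
    where the checked applications cannot read or replace it."""
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, "sha256").hexdigest()
    with open(db_path, "w") as f:
        json.dump({"entries": entries, "mac": tag}, f)


def load_allowlist(db_path, key):
    """Reload the allowlist, refusing it if the HMAC no longer matches."""
    with open(db_path) as f:
        blob = json.load(f)
    body = json.dumps(blob["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, blob["mac"]):
        raise ValueError("allowlist database failed integrity check")
    return blob["entries"]


def network_decision(exe_path, allowlist):
    """Verdict for an executable asking for network access: deny if it is not
    listed, or if its on-disk hash no longer matches the recorded one."""
    if exe_path not in allowlist:
        return "deny", "not in allowlist"
    if not os.path.isfile(exe_path):
        return "deny", "executable missing"
    actual = file_digest(exe_path)
    if not hmac.compare_digest(actual, allowlist[exe_path]):
        return "deny", "hash mismatch: binary changed on disk"
    return "allow", "hash matches"


def demo():
    """Exercise every outcome on constructed stand-in executables."""
    key = b"placeholder-demo-key"  # constructed; a real key is kept out of user reach
    with tempfile.TemporaryDirectory() as d:
        httpd = os.path.join(d, "httpd")
        other = os.path.join(d, "other")
        with open(httpd, "wb") as f:
            f.write(b"#!/bin/sh\necho original httpd\n")   # constructed content
        with open(other, "wb") as f:
            f.write(b"#!/bin/sh\necho unlisted program\n")  # constructed content
        db = os.path.join(d, "allowlist.json")
        save_allowlist({httpd: file_digest(httpd)}, db, key)
        allowlist = load_allowlist(db, key)

        results = {
            "listed_intact": network_decision(httpd, allowlist)[0],
            "unlisted": network_decision(other, allowlist)[0],
        }
        # A "trojaned httpd": same path, different bytes on disk.
        with open(httpd, "wb") as f:
            f.write(b"#!/bin/sh\necho replaced httpd\n")
        results["listed_modified"] = network_decision(httpd, allowlist)[0]
        # Someone edits the database to bless the new hash but cannot redo the MAC.
        with open(db) as f:
            blob = json.load(f)
        blob["entries"][httpd] = file_digest(httpd)
        with open(db, "w") as f:
            json.dump(blob, f)
        try:
            load_allowlist(db, key)
            results["db_tamper_detected"] = False
        except ValueError:
            results["db_tamper_detected"] = True
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The MAC only turns silent tampering into a refused load; as Matt notes, if the checker and its key run as the same user as the applications, that user can replace both.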



RE: [SLUG] Firewall MD5 signatures on processes

2003-01-27 Thread Jean-Francois Dive
In your first post, you talk about md5 *signature*, now about md5
checksums. These are 2 different things. Checking file integrity is
definitively not the job of the networking stack at all. This does not
bring any security benefit. As soon as a box is compromised (as detected
by a valid alert on file integrity), changing its network stack
configuration to react to that is useless as it could be changed back by
the attacking worms. Now if you want to see md5 signed checks on a per
process basis, this is a lot of overhead and still does not bring you
anything more.

"Good security is a security which fails nicely".

JeF

On Sun, 2003-01-26 at 22:27, Minh Van Le wrote:
> I feel I must point out that, the point of MD5 checksums on applications is
> to identify which applications have changed or have been trojaned. If the
> firewall can identify altered file(s) then both the firewall and
> administrator will have a chance to be alerted. This is significant
> security.
> 
> File integrity should be part of the network access layer, and checked by
> both the firewall and other file integrity audit programs, because the
> latter (eg. Tripwire) won't do anything to stop trojans from
> bypassing/tricking the firewall.
> 
> If a box is hacked, and the intruder has root access then security is
> finished. The best thing to do is to rebuild with better security
> prevention. I'm not proposing a be-all-end-all solution, because there're
> many aspects of security that's handled by different things.
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Jean-Francois Dive
> Sent: Saturday, 25 January 2003 23:45
> To: Minh Van Le
> Cc: [EMAIL PROTECTED]
> Subject: Re: [SLUG] Firewall MD5 signatures on processes
> 
> 
> As well, if a trojan enters the system, it'll be 90% of the time through
> a network application, which has access to the network --> this won't
> avoid much at the end of the day.
> 
> On Fri, Jan 24, 2003 at 10:50:59PM +1100, Minh Van Le wrote:
> > Various firewalls for Windows(TM) have a feature that identifies, permits,
> > and denies packets sent by authorised applications. (I use Kerio Personal
> > Firewall [www.kerio.com]). These firewalls use a method for creating and
> > checking MD5 signatures on applications that attempt to access the
> > low-level network layers or device drivers. This feature exists to prevent
> > trojans or unauthorised replacement of binaries, eg. a trojaned httpd, that
> > tries to access/bypass the firewall.
> >
> > I know that IPChains and IPTables are packet filtering firewalls, and
> > basically work on src/dest:port [protocol] IP headers, but these internet
> > daemons, eg. httpd, can be configured to use different ports ...
> >
> > My question is, does IPTables support identifying packets sent from
> > specific applications, or any MD5 checksums on applications, or even
> > verifying full path and filename details of any binary that accesses the
> > kernel networking layer? This would at least help in identifying what
> > processes are trying to access the firewall.
> >
> > Should checksums be left to file system integrity programs like Tripwire?
> 
> 
> -- 
> SLUG - Sydney Linux User's Group - http://slug.org.au/
> More Info: http://lists.slug.org.au/listinfo/slug
-- 

-> Jean-Francois Dive
--> [EMAIL PROTECTED]

  There is no such thing as randomness.  Only order of infinite
  complexity. - Marquis de LaPlace - deterministic Principles - 


-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug



Re: [SLUG] Firewall MD5 signatures on processes

2003-01-27 Thread mlh
On 27 Jan 2003 08:42:10 +1100
Kevin Saenz <[EMAIL PROTECTED]> wrote:
[ ... ]
> ... You would
> be required to install the firewall on each machine, as it will
> behave like an antivirus doing live checks on files, which is very
> expensive in resources.

Not really, it only has to do it once on loading.  With the Windows firewall
Minh Van Le mentioned (Kerio) and another one (ZoneAlarm) the extra
load is unnoticeable, even on a lower end machine. (My Windows machine
is an AMD K2-350.)

>  Also the firewall you have informed us about
> doesn't look at files on the network layer, it looks at files on
> the OS layer,

Lack of a positive is not a negative.

Matt
-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug



Re: [SLUG] Firewall MD5 signatures on processes

2003-01-27 Thread Kevin Saenz

> Not really, it only has to do it once on loading.  With the Windows firewall
> Minh Van Le mentioned (Kerio) and another one (ZoneAlarm) the extra
> load is unnoticeable, even on a lower end machine. (My Windows machine
> is an AMD K2-350.)

You're lucky. I guess it depends on the user that installs the damn thing :)

-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug



RE: [SLUG] Firewall MD5 signatures on processes

2003-01-26 Thread Kevin Saenz
Well, if you think that this is a necessity that is missing from
security, start up a project. :-) That's the beauty of open source.

But I think you are a little misguided about the concept of firewalls
and their functions. I don't think professional firewalls like Gauntlet,
Checkpoint-1, or PIX will do this, as file systems are not part of the
TCP/IP stack.

See, the problem with the application you have for a firewall is that
it won't protect multiple machines behind the firewall. You would
be required to install the firewall on each machine, as it will
behave like an antivirus doing live checks on files, which is very
expensive in resources. Also, the firewall you have informed us about
doesn't look at files on the network layer, it looks at files on
the OS layer, just like Tripwire. It does not do any packet inspection.



> 
> I feel I must point out that, the point of MD5 checksums on applications is
> to identify which applications have changed or have been trojaned. If the
> firewall can identify altered file(s) then both the firewall and
> administrator will have a chance to be alerted. This is significant
> security.
> 
> File integrity should be part of the network access layer, and checked by
> both the firewall and other file integrity audit programs, because the
> latter (eg. Tripwire) won't do anything to stop trojans from
> bypassing/tricking the firewall.
> 
> If a box is hacked, and the intruder has root access then security is
> finished. The best thing to do is to rebuild with better security
> prevention. I'm not proposing a be-all-end-all solution, because there're
> many aspects of security that's handled by different things.
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Jean-Francois Dive
> Sent: Saturday, 25 January 2003 23:45
> To: Minh Van Le
> Cc: [EMAIL PROTECTED]
> Subject: Re: [SLUG] Firewall MD5 signatures on processes
> 
> 
> As well, if a trojan enters the system, it'll be 90% of the time through
> a network application, which has access to the network --> this won't
> avoid much at the end of the day.
> 
> On Fri, Jan 24, 2003 at 10:50:59PM +1100, Minh Van Le wrote:
> > Various firewalls for Windows(TM) have a feature that identifies, permits,
> > and denies packets sent by authorised applications. (I use Kerio Personal
> > Firewall [www.kerio.com]). These firewalls use a method for creating and
> > checking MD5 signatures on applications that attempt to access the
> > low-level network layers or device drivers. This feature exists to prevent
> > trojans or unauthorised replacement of binaries, eg. a trojaned httpd, that
> > tries to access/bypass the firewall.
> >
> > I know that IPChains and IPTables are packet filtering firewalls, and
> > basically work on src/dest:port [protocol] IP headers, but these internet
> > daemons, eg. httpd, can be configured to use different ports ...
> >
> > My question is, does IPTables support identifying packets sent from
> > specific applications, or any MD5 checksums on applications, or even
> > verifying full path and filename details of any binary that accesses the
> > kernel networking layer? This would at least help in identifying what
> > processes are trying to access the firewall.
> >
> > Should checksums be left to file system integrity programs like Tripwire?
-- 
Kevin Saenz <[EMAIL PROTECTED]>

-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug



Re: [SLUG] Firewall MD5 signatures on processes

2003-01-25 Thread Jean-Francois Dive
Linux iptables has the ability to match on userid and groupid;
Windows-based networking could apply the same technique, I suppose.

In any case, you'd better check that the passwd is not accessible from the 'bad'
processes.

Tripwire checks file integrity; this has nothing to do with the network access layer,
except that they are security-related features which help in trojan prevention.

Finally, remember that trojans or insiders may have system / root access,
which denies this whole protection scheme.

JeF

On Fri, Jan 24, 2003 at 10:50:59PM +1100, Minh Van Le wrote:
> Various firewalls for Windows(TM) have a feature that identifies, permits, and
> denies packets sent by authorised applications. (I use Kerio Personal Firewall
> [www.kerio.com]). These firewalls use a method for creating and checking MD5
> signatures on applications that attempt to access the low-level network
> layers or device drivers. This feature exists to prevent trojans or
> unauthorised replacement of binaries, eg. a trojaned httpd, that tries to
> access/bypass the firewall.
> 
> I know that IPChains and IPTables are packet filtering firewalls, and
> basically work on src/dest:port [protocol] IP headers, but these internet
> daemons, eg. httpd, can be configured to use different ports ...
> 
> My question is, does IPTables support identifying packets sent from specific
> applications, or any MD5 checksums on applications, or even verifying full
> path and filename details of any binary that accesses the kernel networking
> layer? This would at least help in identifying what processes are trying to
> access the firewall.
> 
> Should checksums be left to file system integrity programs like Tripwire?
> 
> 
> -- 
> SLUG - Sydney Linux User's Group - http://slug.org.au/
> More Info: http://lists.slug.org.au/listinfo/slug

-- 

-> Jean-Francois Dive
--> [EMAIL PROTECTED]

  There is no such thing as randomness.  Only order of infinite
  complexity. - Marquis de LaPlace - deterministic Principles - 

-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug



Re: [SLUG] Firewall MD5 signatures on processes

2003-01-24 Thread Kevin Saenz
It sounds like you are talking about packet analysers; you could have a
look at www.snort.org, where there is some info on configuring snort with
iptables to create an active firewall.

Tripwire is pretty much useful to inform you after the fact that someone
has modified a file on your system, as long as you have stored the files
created by tripwire on a floppy, probably best if you have the tripwire
binary on the floppy as well. You'll never know how good (or bad) a
cracker/worm wants to be.


> Various firewalls for Windows(TM) have a feature that identifies, permits, and
> denies packets sent by authorised applications. (I use Kerio Personal Firewall
> [www.kerio.com]). These firewalls use a method for creating and checking MD5
> signatures on applications that attempt to access the low-level network
> layers or device drivers. This feature exists to prevent trojans or
> unauthorised replacement of binaries, eg. a trojaned httpd, that tries to
> access/bypass the firewall.
> 
> I know that IPChains and IPTables are packet filtering firewalls, and
> basically work on src/dest:port [protocol] IP headers, but these internet
> daemons, eg. httpd, can be configured to use different ports ...
> 
> My question is, does IPTables support identifying packets sent from specific
> applications, or any MD5 checksums on applications, or even verifying full
> path and filename details of any binary that accesses the kernel networking
> layer? This would at least help in identifying what processes are trying to
> access the firewall.
> 
> Should checksums be left to file system integrity programs like Tripwire?
-- 
Kevin Saenz <[EMAIL PROTECTED]>

-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug



Re: [SLUG] Firewall log entry

2003-01-15 Thread Jeff Waugh


>  Jan 16 11:36:27 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0
>  SRC=192.168.1.2 DST=192.168.1.4 LEN=328 TOS=0x00 PREC=0x00 TTL=64
>  ID=64962 DF PROTO=UDP SPT=68 DPT=67 LEN=308 

   ^^^ Is your DHCP not working? :-)

- Jeff

-- 
   "I look forward to someday putting foo-colored ribbons on my homepage
   declaring 'port 25 is for spam', and 'just say no to the Spam Message
   Transmission Protocol!'" - Raph Levien   
-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug



RE: [SLUG] firewall

2002-12-29 Thread Michael Fox
>
> Hi Michael,
>
> I've been using 64MB Compact Flash for 0.1.1
>
> IPCop 0.1.2 final was just released a few days ago so I will
> try this today
> and see if it still fits in 64MB.
>
> If you want to have a go at this you will find a utility
> called mkflash in
> the IPCop CVS.
>
> Cheers,
>
>   - Guy.

64MB? Hrmm, bit big. I've installed emBSD onto a 32MB card, and it worked
perfectly. I might look at doing this again down the track, when we finally
have ADSL sometime.


-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug



RE: [SLUG] firewall

2002-12-29 Thread Guy Ellis
Hi Michael,

I've been using 64MB Compact Flash for 0.1.1

IPCop 0.1.2 final was just released a few days ago so I will try this today 
and see if it still fits in 64MB.

If you want to have a go at this you will find a utility called mkflash in 
the IPCop CVS.

Cheers,

 - Guy.

At 14:32 29/12/02 +1100, you wrote:


> Hi Gaza,
>
> Try IPCop it's great. I'm using 0.1.2 and have used 0.1.1
> prior to that for
> nearly a year
>
> www.ipcop.org
>
> v0.1.2beta = 2.2.23
> v0.1.3alpha = 2.4.20
>
> It's small enough to fit on a Compact Flash, and includes
> support for 3
> PSTN, ISDN, Ethernet and PCI ADSL. For ADSL Bridged ethernet,
> PPPoE and
> PPPoA are supported.
> 0.1.2 even includes ISDN DOV support. You can have up to 3 interfaces
> (Green, Red and Orange), it also includes a proxy cache plus IPSec.

Typically what size compact flash? 32MB? Wouldn't mind putting an old IDE ->
CF converter to use ;)

--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug


*
Guy Ellis
[EMAIL PROTECTED]

Traverse Technologies Australia
652 Smith St.,
Clifton Hill, Vic. 3068,
Australia.
http://www.traverse.com.au

Tel (613) 9486 7775
Fax (613) 9482 7754
Mobile 0419 398 234

*

--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug



RE: [SLUG] firewall

2002-12-28 Thread Michael Fox


> Hi Gaza,
>
> Try IPCop it's great. I'm using 0.1.2 and have used 0.1.1
> prior to that for
> nearly a year
>
> www.ipcop.org
>
> v0.1.2beta = 2.2.23
> v0.1.3alpha = 2.4.20
>
> It's small enough to fit on a Compact Flash, and includes
> support for 3
> PSTN, ISDN, Ethernet and PCI ADSL. For ADSL Bridged ethernet,
> PPPoE and
> PPPoA are supported.
> 0.1.2 even includes ISDN DOV support. You can have up to 3 interfaces
> (Green, Red and Orange), it also includes a proxy cache plus IPSec.

Typically what size compact flash? 32MB? Wouldn't mind putting an old IDE ->
CF converter to use ;)

-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug



Re: [SLUG] firewall

2002-12-23 Thread Kevin Saenz
Linux is Linux.
For my firewall I have used RedHat, now I am using Mandrake,
and will probably move to another distro later on.
As for the firewall, you only have one free option, iptables,
which comes standard in the kernel.

There are a few GUIs that will help in building a firewall,
and also a few tutorials that will help you understand
how iptables works.

> I have an old PII 200Mhz pc I would like to load linux on it and make it a
> firewall
> I was wondering what linux could I use and what firewall software could I
> use.
> 
> Thanks in advance
> Merry Christmas everyone
> 
> Gaza
> 
> 
> -- 
> SLUG - Sydney Linux User's Group - http://slug.org.au/
> More Info: http://lists.slug.org.au/listinfo/slug
> 


-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug



Re: [SLUG] firewall

2002-12-23 Thread Guy Ellis
Hi Gaza,

Try IPCop it's great. I'm using 0.1.2 and have used 0.1.1 prior to that for 
nearly a year

www.ipcop.org

v0.1.2beta = 2.2.23
v0.1.3alpha = 2.4.20

It's small enough to fit on a Compact Flash, and includes support for 3 
PSTN, ISDN, Ethernet and PCI ADSL. For ADSL Bridged ethernet, PPPoE and 
PPPoA are supported.
0.1.2 even includes ISDN DOV support. You can have up to 3 interfaces 
(Green, Red and Orange), it also includes a proxy cache plus IPSec.

Cheers,

 - Guy.

At 03:12 pm 24/12/2002 +1100, you wrote:
> I have an old PII 200Mhz pc I would like to load linux on it and make it a
> firewall
> I was wondering what linux could I use and what firewall software could I
> use.
>
> Thanks in advance
> Merry Christmas everyone
>
> Gaza
>
>
> --
> SLUG - Sydney Linux User's Group - http://slug.org.au/
> More Info: http://lists.slug.org.au/listinfo/slug


--
Guy Ellis
[EMAIL PROTECTED]

Traverse Technologies
ABN 98 078 657 324
652 Smith St.,
Clifton Hill, Victoria, 3068
AUSTRALIA
http://www.traverse.com.au
Tel (+613) 9486 7775
Fax (+613) 9482 7754
Mobile 0419 398 234
--

--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug



Re: [SLUG] firewall -> Smoothwall, IPcop

2002-12-23 Thread savanna
* Gaza <[EMAIL PROTECTED]> wrote:
> I have an old PII 200Mhz pc I would like to load linux on it and make it a
> firewall
> I was wondering what linux could I use and what firewall software could I
> use.

Check out Smoothwall www.smoothwall.org - a firewall appliance distro.
Doesn't require much linux experience to run. There's been some ruckus
around Smoothwall (search google), so some of the developers have
released a branch called IPcop.

I used Smoothwall & really like it. Check out quarkav.com for additional
doco.

--
Savanna |  Free as in 'free speech',
GnuPG Pub Key E40FAE08  |  not 'free beer'.
-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug



Re: [SLUG] firewall

2002-12-23 Thread Alan L Tyree
On Tue, 2002-12-24 at 15:12, Gaza wrote:
> I have an old PII 200Mhz pc I would like to load linux on it and make it a
> firewall
I run a single floppy distribution on an old 486.

Bering from http://leaf.sourceforge.net/

It is easy to use and configure, uses Shorewall to configure iptables. 

Cheers,
Alan
> I was wondering what linux could I use and what firewall software could I
> use.
> 
> Thanks in advance
> Merry Christmas everyone
> 
> Gaza
> 
> 
> -- 
> SLUG - Sydney Linux User's Group - http://slug.org.au/
> More Info: http://lists.slug.org.au/listinfo/slug
> 
-- 
--
Alan L Tyree[EMAIL PROTECTED]
http://www.law.usyd.edu.au/~alant
Tel: +61 2 4782 2670
Mobile: +61 419 638 170
Fax: +61 2 4782 7092

-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug



Re: [SLUG] firewall blocking telnet to smtp port

2002-10-09 Thread Anthony Gray

Thanks Malcolm,

I overlooked the fact that all the new rules I was adding were below the 
"drop/log all" section.  Once I changed this, all was fine, ahhh.

Regards
Anthony


>From: Malcolm V <[EMAIL PROTECTED]>
>To: Sydney Linux Users Group Mailing List <[EMAIL PROTECTED]>
>Subject: Re: [SLUG] firewall blocking telnet to smtp port
>Date: 10 Oct 2002 00:14:03 +1000
>
>On Wed, 2002-10-09 at 23:30, Anthony Gray wrote:
>
> > Chain INPUT (policy DROP)
> > target prot opt source   destination
>
> > firewall   icmp --  anywhere anywhere
> > firewall   tcp  --  anywhere anywhere   tcp
> > flags:SYN,RST,ACK/SYN
> > firewall   udp  --  anywhere anywhere
>Everything below this in the INPUT chain will never be reached, this
>catches everything, logs it and drops it.
>
> > ACCEPT tcp  --  anywhere anywhere   tcp dpt:smtp
> > flags:SYN,RST,ACK/SYN
>There should be no need to use these flags, in fact I think this will
>prevent normal traffic to this port which isn't an initial connection.
>
>When you try to telnet in from the machine itself, is it appearing in
>the logs with a source address of 127.0.0.1 or the network IP (which is
>not explicitly "unblocked" due to a failure to resolve the name)?
>
>Cheers,
>Malcolm V.
>
>--
>SLUG - Sydney Linux User's Group - http://slug.org.au/
>More Info: http://lists.slug.org.au/listinfo/slug





-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug



Re: [SLUG] firewall blocking telnet to smtp port

2002-10-09 Thread Malcolm V

On Wed, 2002-10-09 at 23:30, Anthony Gray wrote:

> Chain INPUT (policy DROP)
> target prot opt source   destination

> firewall   icmp --  anywhere anywhere
> firewall   tcp  --  anywhere anywhere   tcp 
> flags:SYN,RST,ACK/SYN
> firewall   udp  --  anywhere anywhere
Everything below this in the INPUT chain will never be reached, this
catches everything, logs it and drops it.

> ACCEPT tcp  --  anywhere anywhere   tcp dpt:smtp 
> flags:SYN,RST,ACK/SYN
There should be no need to use these flags, in fact I think this will
prevent normal traffic to this port which isn't an initial connection.

When you try to telnet in from the machine itself, is it appearing in
the logs with a source address of 127.0.0.1 or the network IP (which is
not explicitly "unblocked" due to a failure to resolve the name)?

Cheers,
Malcolm V.

-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
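Malcolm's point about rule order, as an added Python simulation (not from the thread) of first-match evaluation over the quoted INPUT chain, beside the same chain with the ACCEPT moved above the drop/log section as Anthony ended up doing. It assumes the quoted listing is the whole chain, that the user-defined "firewall" chain logs and drops, and uses a constructed SMTP SYN and a follow-up ACK as sample packets.

```python
# TCP flag bits, as used by "tcp flags:SYN,RST,ACK/SYN" in the listing.
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
# Examine SYN, RST and ACK; match only when SYN alone is set (an initial connection).
SYN_ONLY = (TCP_SYN | TCP_RST | TCP_ACK, TCP_SYN)


def rule(target, proto=None, dport=None, flags=None):
    """One chain entry; None means 'any' for that field."""
    return {"target": target, "proto": proto, "dport": dport, "flags": flags}


# The INPUT chain as quoted: three jumps to the user-defined "firewall" chain
# (assumed to log and drop) and only then the ACCEPT for smtp.
POSTED_INPUT = [
    rule("firewall", proto="icmp"),
    rule("firewall", proto="tcp", flags=SYN_ONLY),
    rule("firewall", proto="udp"),
    rule("ACCEPT", proto="tcp", dport=25, flags=SYN_ONLY),
]

# The same rules with the ACCEPT moved above the drop/log section, as Anthony
# did, and without the SYN-only flag match Malcolm advised against.
FIXED_INPUT = [
    rule("ACCEPT", proto="tcp", dport=25),
    rule("firewall", proto="icmp"),
    rule("firewall", proto="tcp", flags=SYN_ONLY),
    rule("firewall", proto="udp"),
]


def matches(r, pkt):
    """True when every specified field of the rule matches the packet."""
    if r["proto"] is not None and r["proto"] != pkt["proto"]:
        return False
    if r["dport"] is not None and r["dport"] != pkt.get("dport"):
        return False
    if r["flags"] is not None:
        mask, want = r["flags"]
        if pkt.get("flags", 0) & mask != want:
            return False
    return True


def evaluate(chain, pkt, policy="DROP"):
    """First-match semantics: the first rule that matches decides the packet's
    fate and nothing below it is consulted; the chain policy applies otherwise.
    Returns (target, index of the matching rule or None)."""
    for i, r in enumerate(chain):
        if matches(r, pkt):
            return r["target"], i
    return policy, None


# Constructed sample packets: the SYN that opens an SMTP connection and an
# ACK-only segment later in the same connection.
SMTP_SYN = {"proto": "tcp", "dport": 25, "flags": TCP_SYN}
SMTP_ACK = {"proto": "tcp", "dport": 25, "flags": TCP_ACK}

if __name__ == "__main__":
    for name, chain in (("posted", POSTED_INPUT), ("fixed", FIXED_INPUT)):
        for label, pkt in (("SMTP SYN", SMTP_SYN), ("SMTP ACK", SMTP_ACK)):
            print(name, label, "->", evaluate(chain, pkt))
```

With the posted chain the SYN is caught by the second catch-all rule before the ACCEPT is ever reached, and the ACK matches nothing and falls to the DROP policy, which is Malcolm's second point about the flag match on the ACCEPT rule.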



Re: [SLUG] firewall allergic to kernel 2.4.18.

2002-08-18 Thread Jon Teh

On Sun, Aug 18, 2002 at 06:31:17PM +1000, James Gregory wrote:
> A little while ago I posted about my poor firewall that was running at 
> half speed after a fairly major upgrade.
> 
> I was reasonably convinced it wasn't hardware, so today I decided I'd 
> try un-upgrading bits and pieces to see what was wrong. I firstly 
> un-upgraded pppd back to the version I had on there before (I think). No 
> difference. Then I switched back to the 2.2.18 kernel I had on it 
> before, and after a reboot, all my downloads were running at their 
> normal speed again (around 5.6-kbps). Now, I would be surprised if there 
> was actually a relevant bug in the 2.4.18 kernel, so I suspect it's a 
> kernel option that I've set. Can anyone think of any kernel options 
> which would have the speed of either
> 
> 1. Serial ports
> 2. PPP connections.

I, too, have noticed remarkably poor performance of
kernel 2.4.18 when used in an IP masquerading gateway. When I 'upgraded' to 
kernel 2.4.18, I experienced between 20 to 60% packet loss from my gateway to
elsewhere. I don't know what is wrong, but it really doesn't do an awful 
lot of good for usability. I'll be upgrading to 2.4.19, seeing as it has
now been released, ASAP. I'll see how it goes.

-- Jon Teh

-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug



Re: [SLUG] firewall bewilderment

2002-08-12 Thread Matthew Palmer

On Tue, 13 Aug 2002, James Gregory wrote:

> My problem is that the new firewall set up runs quite literally half as 
> fast as the old configuration. I have no idea why. By this I mean that 
> the download from mirror.aarnet I'm currently doing (which as I 
> understand it is routed through sydney uni's connection to aarnet and 
> just a few days ago was running at 5k/s) is running at about 2.4k/s.
> 
> Uninteresting information about my firewall:
> 
> 56k net connection.

Check to make sure that the connection is being compressed.  PPP has
compression modules, and your modem might have compression too.  It is
possible that the Uni's pipe is being saturated a little more than it was a
few days ago, or your connections might be throttled now, introduced
coincidentally with your new firewall.  (These are the sorts of things that
Unis do to annoy people).


-- 
---
#include 
Matthew Palmer, Geek In Residence
http://ieee.uow.edu.au/~mjp16

-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug



Re: [SLUG] firewall

2002-04-03 Thread John Nicholls

Ken Wilson wrote:

> thanks for modem answers and ISP stuff
> Megan gave me a hand and found that the firewall was stopping email and 
> web on high setting,  anyone have some firewall rules that they would 
> like to share. I only do personal dial up email and www stuff. no 
> network, no server.
> thanks Ken
> 

Redhat 7.2 uses these settings for its High security level option, which 
will give you email and web browsing:

Chain input (policy ACCEPT):
target    prot opt source     destination   ports
ACCEPT    all  --  anywhere   anywhere      n/a
REJECT    tcp  -y  anywhere   anywhere      any ->  any
REJECT    udp  --  anywhere   anywhere      any ->  any
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):

Regards
John


-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug



Re: [SLUG] Firewall Hardware

2001-10-25 Thread Adam Kennedy

Wow, 

That's about a 2 degree increase for every hour of plane flight :)

-30 to +30 should be an interesting transition.

Adam

- Original Message - 
From: "Bob Hubbard" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, October 26, 2001 1:26 PM
Subject: [SLUG] Firewall Hardware


> OK chaps, many thanks for the many responses. I'll sort through them and
> make a hard copy to bring to OZ with me.
> 
> Regards to all. 
> 
> Temp minus 10 Celsius. Should be minus 30 by the time we leave Dec 19.
> 
> Bob
> 
> 
> 
> 
> Bob Hubbard
> St.Albert, Ab
> CANADA
> 
> 
> -- 
> SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
> More Info: http://lists.slug.org.au/listinfo/slug
> 


-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug



Re: [SLUG] Firewall hardware

2001-10-25 Thread jon

> It may be a crock, but its an expensive one if you get caught.  I
> doubt the fine is worth the $100 savings from not buying a new
> external modem.

Possibly not - I checked this AGES ago with our Telstra rep. and he basically 
said that Telstra are responsible up to the socket on the wall (for domestic 
or "normal" business services), or to the socket on the NTU that they provide 
before it goes into your network. What you plug in they don't give a damn 
about - it's your call. If your equipment causes damage to their network, they 
charge you for it. If your equipment is non-approved and there's a fault on 
the line, they'll INSIST you remove it before testing the line.

I can extract further clarification from him if necessary...

Jon

-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug



Re: [SLUG] Firewall hardware

2001-10-25 Thread Crossfire

David Fitch was once rumoured to have said:
> On Thu, Oct 25, 2001 at 06:50:46PM -0600, Bob Hubbard wrote:
> > Thanks, C. Didn't know about the modem certification and thanks for the
> > tip re ISP. Not sure what is meant by Data over Voice ISDN but will
> > certainly check it out.
> 
> i wouldn't worry too much about the modem and Austel/ACA certification,
> it's pretty much a crock, wait and see if your current modem doesn't
> work properly before considering buying a new one.

It may be a crock, but its an expensive one if you get caught.  I
doubt the fine is worth the $100 savings from not buying a new
external modem.

C.
-- 
--==--
  Crossfire  | This email was brought to you
  [EMAIL PROTECTED] | on 100% Recycled Electrons
--==--

-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug



Re: [SLUG] Firewall hardware

2001-10-25 Thread jon

> Re your comment about cable/adsl not available another option is
> satellite.  Again telstra/bigpond have it, also www.ihug.com.au
> and various ihug resellers (most of whom do a better deal than
> going direct to ihug).  I gather there's others too but I haven't
> manage to find out about them (eg. Austar).

Satellite, in its present one-way form, sucks BIG time... Useless for on-line 
gaming (too much lag time), plus you still need a phone line.

Wait until January - there will be two-way satellite trials commencing (I have 
my name on the list to trial the system). I can't give you much more 
information than that (apart from the fact that I don't know any more yet, I 
was sworn to secrecy by the installation technician that told me - and I'm in 
the process of converting him to Linux !!), but as soon as the trials begin, I 
will post more.

Jon

-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug



Re: [SLUG] Firewall hardware

2001-10-25 Thread David Fitch

On Thu, Oct 25, 2001 at 06:50:46PM -0600, Bob Hubbard wrote:
> Thanks, C. Didn't know about the modem certification and thanks for the
> tip re ISP. Not sure what is meant by Data over Voice ISDN but will
> certainly check it out.

i wouldn't worry too much about the modem and Austel/ACA certification,
it's pretty much a crock, wait and see if your current modem doesn't
work properly before considering buying a new one.

DoV is a "trick", it's normal ISDN (it's ETSI in Australia, different
system to the US, I presume Canada uses the US system?) but if
you use DoV the carrier thinks it's a voice call and with the Onramp
Home Highway service they have different call rates for voice
versus data so you get a data-over-voice connection for the normal 
untimed voice rate of 19.8c (rather than data at $1.10 per hour).
(plus your ISP charges on top of that of course)

(if you're getting two phone lines, it's worth getting an ORHH
service instead, you effectively get 2 digital lines for the same
price as 2 analogue ones)

You can find ORHH info by searching under www.telstra.com, and DoV
info from www.traverse.com.au or local central coast ISPs.

Re your comment about cable/adsl not available another option is
satellite.  Again telstra/bigpond have it, also www.ihug.com.au
and various ihug resellers (most of whom do a better deal than
going direct to ihug).  I gather there's others too but I haven't
managed to find out about them (eg. Austar).

Dave.




Re: [SLUG] Firewall hardware

2001-10-25 Thread Bob Hubbard


Thanks, C. Didn't know about the modem certification and thanks for the
tip re ISP. Not sure what is meant by Data over Voice ISDN but will
certainly check it out.

Regards,

Bob








Re: [SLUG] Firewall hardware

2001-10-25 Thread Crossfire

Craige McWhirter was once rumoured to have said:
> G'day Bob, apart from  Central Coast removed> are you aware that your .ca gear may require some
> sort of power adapters to function in Aus?

One other important thing is telephony equipment - If you have any
existing modems, phones, NTUs, etc, that you want to bring here, make
sure that they have Austel certification before trying to connect them
to the phone network, otherwise you run the risk of big nasty fines if
you get caught.

Fortunately modems are cheap nowadays, so you might be best off
picking up one here when you come over.

Also, you might want to check to see if OnRamp Home Highway is
available in that area when you arrive, since if it is, you can get
reasonably affordable ISDN connectivity as long as you can find an ISP
within range that supports Data over Voice ISDN connections.

C.
-- 
--==--
  Crossfire  | This email was brought to you
  [EMAIL PROTECTED] | on 100% Recycled Electrons
--==--




Re: [SLUG] Firewall hardware

2001-10-25 Thread Bob Hubbard


On 26 Oct 2001, Craige McWhirter wrote:

> G'day Bob, apart from  Central Coast removed> are you aware that your .ca gear may require some
> sort of power adapters to function in Aus?

Thanks, Craige. I think I have everything organized as far as power is
concerned.

The CPU power supply has a slide switch for 240V and my Monitor is self
adjusting, so they tell me at the factory (110-250 not 110/250). As far as
the power cords go, I just need to buy one of yours (ours - I'm an
Aussie) and I'm in business, the point on the PC box is a universal point.

regards,

Bob





Re: [SLUG] Firewall hardware

2001-10-25 Thread Craige McWhirter

G'day Bob, apart from  are you aware that your .ca gear may require some
sort of power adapters to function in Aus?

I'm unsure of what .ca power points are like but the .au ones are:

/ \
 |

Some devices may also require the voltage switch to be flicked over or
perhaps even require a converter. Just some things to think about and
investigate.

On Fri, 2001-10-26 at 05:00, Bob Hubbard wrote:

> Comments, anyone

-- 

Cheers,
  Craige.



Re: [SLUG] Firewall security audit report

2001-03-01 Thread chesty

On Wed, Feb 28, 2001 at 08:50:32PM +1100, Umar Goldeli wrote:
> Anyway, he'll need root to put ethx into promisc mode.. 

On a related note, it's possible to remove promiscuous mode capability 
from the kernel, plus a whole bunch more, eg set the immutable bit
on some files, append only on others and remove the kernel's capability 
to modify the immutable and append only attributes.

> > > Agreed thoroughly about the turn off all listening services bit. :)
> > 
> > Sorry, did you say something?

> When you're first setting up the box, make sure you Detonate(tm) all
> listening services that you don't specifically want. The less ports
> listening, the better ("none" is good. :)

You agreed about turning off all listening services, and I pretended I didn't 
hear you. get it? funny, no? :)

It was a joke Joyce.

If you don't like my jokes, you should hear me sing.

-- 
chesty


-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug



Re: [SLUG] Firewall security audit report

2001-02-28 Thread Umar Goldeli

> Stateful inspection is the only way to come remotely close to securing
> UDP without stepping to the point of not using it at all.

UDP == evil.

*grin*

(but this is getting way OT ;)



//umar.





Re: [SLUG] Firewall security audit report

2001-02-28 Thread Crossfire

Umar Goldeli was once rumoured to have said:
> > Hence why you use stateful inspection firewalls, not ipchains.
> > ipchains is completely inflexible in this regard.
> 
> It works, but even so, let's face it, stateful inspection in regards to
> UDP is still a kludge. ;)

Stateful inspection is the only way to come remotely close to securing
UDP without stepping to the point of not using it at all.

C.
-- 
--==--
  Crossfire  | This email was brought to you
  [EMAIL PROTECTED] | on 100% Recycled Electrons
--==--




Re: [SLUG] Firewall security audit report

2001-02-28 Thread Herbert Xu

chesty <[EMAIL PROTECTED]> wrote:
>
> It doesn't mention it in the report, but would mounting /home, /tmp and /var with 
> noexec help? It might stop a non root user from running their own programs, but it 
> won't stop root.

Unless used in conjunction with chroot, noexec is pointless on Linux.
-- 
Debian GNU/Linux 2.2 is out! ( http://www.debian.org/ )
Email:  Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt




Re: [SLUG] Firewall security audit report

2001-02-28 Thread Umar Goldeli

> Hence why you use stateful inspection firewalls, not ipchains.
> ipchains is completely inflexible in this regard.

It works, but even so, let's face it, stateful inspection in regards to
UDP is still a kludge. ;)


//umar.





Re: [SLUG] Firewall security audit report

2001-02-28 Thread Umar Goldeli


You just missed Alan Cox by a few weeks I believe! :)

//umar.

> What sort of time/date/places do the Linux gurus, or those who others
> might consider to be gurus anticipate being around.  I anticipate I might
> have some beer money with me (8-)





Re: [SLUG] Firewall security audit report

2001-02-28 Thread Crossfire

Howard Lowndes was once rumoured to have said:
> On Wed, 28 Feb 2001, Crossfire wrote:
>> Howard Lowndes was once rumoured to have said:
>>> Can you do stateful inspections on ntp though?  It runs on udp.  Is this
>>> possible?  You can define what servers you will accept ntp from, but
>>> surely the source IP could be easily spoofed anyway.  I don't know how you
>>> would go trying to do an auth transfer from, say, CSIRO.
>>
>> Yes.  NTP is a very simple protocol.
>>
>> You open the return path once you send the NTP "request" packet, and
>> close it within a reasonable timeframe.  If you're getting a large
>> number of reply packets any other time, you just block, and don't
>> open.
>
> I can see how this would be done if you were using something like cron,
> ipchains and ntpdate to query the server - something like "cron, include
> ipchain ACCEPT rule, ntpdate, sleep for a few seconds, delete ipchain
> rule", but what if you want to do the auto synch thing with your server as
> a strata server.  In this case the synch timing is handled by the ntpd
> daemon itself, or perhaps the ntpd daemon shouldn't be used like this.

Hence why you use stateful inspection firewalls, not ipchains.
ipchains is completely inflexible in this regard.

C.
-- 
--==--
  Crossfire  | This email was brought to you
  [EMAIL PROTECTED] | on 100% Recycled Electrons
--==--




Re: [SLUG] Firewall security audit report

2001-02-28 Thread Crossfire

Howard Lowndes was once rumoured to have said:
> Can you do stateful inspections on ntp though?  It runs on udp.  Is this
> possible?  You can define what servers you will accept ntp from, but
> surely the source IP could be easily spoofed anyway.  I don't know how you
> would go trying to do an auth transfer from, say, CSIRO.

Yes.  NTP is a very simple protocol.

You open the return path once you send the NTP "request" packet, and
close it within a reasonable timeframe.  If you're getting a large
number of reply packets any other time, you just block, and don't
open.

Also, use the fact that ntpd permits multiple servers.

C.
-- 
--==--
  Crossfire  | This email was brought to you
  [EMAIL PROTECTED] | on 100% Recycled Electrons
--==--




Re: [SLUG] Firewall security audit report

2001-02-28 Thread Howard Lowndes

I can see how this would be done if you were using something like cron,
ipchains and ntpdate to query the server - something like "cron, include
ipchain ACCEPT rule, ntpdate, sleep for a few seconds, delete ipchain
rule", but what if you want to do the auto synch thing with your server as
a strata server.  In this case the synch timing is handled by the ntpd
daemon itself, or perhaps the ntpd daemon shouldn't be used like this.

-- 
Howard.

LANNet Computing Associates 
"...well, it worked before _you_ touched it!"   --me
"I trust just one person,
 and there are times when I don't even trust myself"
--me

On Wed, 28 Feb 2001, Crossfire wrote:

> Howard Lowndes was once rumoured to have said:
> > Can you do stateful inspections on ntp though?  It runs on udp.  Is this
> > possible?  You can define what servers you will accept ntp from, but
> > surely the source IP could be easily spoofed anyway.  I don't know how you
> > would go trying to do an auth transfer from, say, CSIRO.
>
> Yes.  NTP is a very simple protocol.
>
> You open the return path once you send the NTP "request" packet, and
> close it within a reasonable timeframe.  If you're getting a large
> number of reply packets any other time, you just block, and don't
> open.
>
> Also, use the fact that ntpd permits multiple servers.
>
> C.
>





Re: [SLUG] Firewall security audit report

2001-02-28 Thread Howard Lowndes

Digressing slightly from this track, but still to some extent relevant.

This country boy is planning on heading for the smoke for the Linux Expo.

What sort of time/date/places do the Linux gurus, or those who others
might consider to be gurus anticipate being around.  I anticipate I might
have some beer money with me (8-)

-- 
Howard.

LANNet Computing Associates 
"...well, it worked before _you_ touched it!"   --me
"I trust just one person,
 and there are times when I don't even trust myself"
--me





Re: [SLUG] Firewall security audit report

2001-02-28 Thread Howard Lowndes

Can you do stateful inspections on ntp though?  It runs on udp.  Is this
possible?  You can define what servers you will accept ntp from, but
surely the source IP could be easily spoofed anyway.  I don't know how you
would go trying to do an auth transfer from, say, CSIRO.

-- 
Howard.

LANNet Computing Associates 
"...well, it worked before _you_ touched it!"   --me
"I trust just one person,
 and there are times when I don't even trust myself"
--me

On Wed, 28 Feb 2001, Crossfire wrote:

> This is what stateful inspection firewalls or very tight firewall
> rulesets are for.  Only accept NTP replies from systems you've
> queried, that way they have to compromise the time server(s) too.





Re: [SLUG] Firewall security audit report

2001-02-28 Thread Umar Goldeli

Or try two part authentication, ala secureid.. or at least SNK (challenge
response) as a minimum.. it doesn't fix the problem, but makes it more
difficult.

//umar.

> the problem is not so much the key being in memory (it needs to get into
> memory if it's ever gonna go through the cpu) but that when that memory
> gets paged to disk it can potentially be read by someone else later; you
> don't want that key you've taken pains to put on CD to be sitting in the
> swap space of every box you use.
> 
> the software that accesses the data has to handle this. see mlock(2)
> 
> Conrad.
> 





Re: [SLUG] Firewall security audit report

2001-02-28 Thread Umar Goldeli

> There's no c compiler (but they could upload bins I suppose) but there is
> perl, I'll have to check if perl is needed. 

Uploading a compiler is hard.. why not upload a binary straight away? :)

But remember - if there are no ready tools, they'll find it very difficult
to readily suck a binary down in the first place.

> Unfortunately, at the moment it has a proxy running.

Eek. Put a proxy behind the firewall?

> > Agreed thoroughly about the turn off all listening services bit. :)
> 
> Sorry, did you say something?

When you're first setting up the box, make sure you Detonate(tm) all
listening services that you don't specifically want. The less ports
listening, the better ("none" is good. :)

> Printers run out of paper (printer DoS), with some printers you can reverse 

I like this one.. I can see a script kiddy doing that now.. :)

> the paper back and write over stuff making it unreadable.

Well the men in green have appropriate printers for the job with lackeys
always watching the paper etc.. but hey, this is not my ideal solution.. I
like trees.

//umar.





Re: [SLUG] Firewall security audit report

2001-02-28 Thread Umar Goldeli

> filtered, but that won't stop them. If a cracker wants to spend time rooting
> the firewall I wish them well, at least while they are trying to get root on
> the firewall, they aren't trying to attack other hosts.

This has nothing to do with man pages anymore but as an aside, you're
assuming that he wants to attack other boxes.. what about if he wants to
sit and sniff.. and later collect his goodies? How many admins check their
segments regularly for promisc interfaces (use switches to mitigate risks
please!)? It could be months before someone realises... and by then
they're most probably gone without a trace. Especially if they're looking
for something specific, in which case his strange tcpdump | grep combo
won't output much at all and he'll output it to "/dev/pty2345" which
won't grow beyond 2k in months etc..

Anyway, he'll need root to put ethx into promisc mode.. Or what if he
wants to modify data going through the firewall for his own purposes with
netsed or similar? Think of how many thousands upon thousands of
applications are poorly coded and will quite happily accept packets
modified in transit.. think online banking, think shopping apps, think
live stock feeds etc... sit there and modify the share price of BHP down
or up by 10% for a day.. and then switch it around the next day.. confuse
the hell out of people and cause them to make silly mistakes.. or fiddle
with the data feed of a large merchant bank you've taken the firewall
of.. hey, you can make money out of this.. 

Of course we're assuming lots and lots and lots of things here, but you
get the drift..

There are a myriad of scenarios here. Any time an attacker spends on
*any* of your boxes is Bad Karma(tm).

> > Correct. As well as seemingly harmless binaries like "uname" and even the
> > layout of the filesystem.
> 
> Removing uname isn't going to buy me much.
> find  /proc -exec less {} \;
> /proc is bad, mmmkay.

*grin*

> I've never tried to run a box without proc, I might give it a go.

Bad Karma(tm) if you're using the box as a "multiuser" box.. if you're
just running it as a firewall with no actual users doing stuff on the box
- you should be fine.. just don't try anything exciting.. :)

> You bring up a good point about ntp auth, obviously ntp will be
> filtered, but that won't stop forged packets (and unfortunately,
> neither will some of our routers (yet)). I wonder if someone could
> send bogus ntp packets and shift the time on the firewall?

If you're running the xntpd as a "broadcastclient" (which I've seen a lot
of people do, as they get the router on the segment to be an ntp master
and get it to broadcast).. then yes, very easy to set the time remotely.

However, if you're logging elsewhere, and they change your time, it
doesn't really matter, as the logs you'll have elsewhere will show that
the time looks "strange" (in fact the syslog on the remote
logging box will timestamp it itself and the box that's doing the logging 
won't offer a timestamp at all).. 

However if you're strange/paranoid/etc you can get syslog to "mark" every
x minutes etc.. and gauge it that way.

(note that these aren't ideal situations, but ideas to aid).

//umar.



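The point Umar makes above (a remote log host stamps every message with its own clock, so a shifted firewall clock shows up as disagreement between the two timestamps, and periodic syslog "mark" lines let you gauge the drift) can be checked mechanically. The script below is an added example for this archive, not code from the thread or from syslogd. The record layout is constructed for the example (collector receipt time, sending host, sender's own timestamp, message); a real collector would need to be configured to record both times. The 20-minute mark interval and the 60-second tolerance are assumed values.

```python
"""Clock-skew check over remote syslog records, as an added example for the
thread's point that a collector's own timestamp exposes a shifted sender clock.
The record format and all log lines below are constructed, not real syslogd
output."""
from datetime import datetime

# Constructed records (assumed layout): <collector receipt time> <host>
# <sender's own time> <message>.  The sender's clock is shifted back 2h20m
# partway through, which is what a forged or broadcast NTP update could do.
SAMPLE_LOG = """\
2001-02-28T10:49:32 fw 2001-02-28T10:49:31 kernel: Packet log: input DENY eth0
2001-02-28T11:09:32 fw 2001-02-28T11:09:31 -- MARK --
2001-02-28T11:29:33 fw 2001-02-28T11:29:32 -- MARK --
2001-02-28T11:30:05 fw 2001-02-28T09:10:05 xntpd: time reset
2001-02-28T11:49:34 fw 2001-02-28T09:29:34 -- MARK --
2001-02-28T11:49:40 dns 2001-02-28T11:49:40 named: starting
"""

MARK_INTERVAL = 20 * 60   # seconds between "-- MARK --" lines (assumed config)
SKEW_LIMIT = 60           # seconds of clock disagreement tolerated (assumed)


def parse(text):
    """Split each constructed record into (received, host, sent, message)."""
    records = []
    for line in text.splitlines():
        recv, host, sent, msg = line.split(" ", 3)
        records.append((datetime.fromisoformat(recv), host,
                        datetime.fromisoformat(sent), msg))
    return records


def skew_events(text, limit=SKEW_LIMIT):
    """Return (host, skew_seconds, message) for every record whose sender
    timestamp disagrees with the collector's clock by more than limit.
    Negative skew means the sender's clock is behind the collector."""
    flagged = []
    for recv, host, sent, msg in parse(text):
        skew = (sent - recv).total_seconds()
        if abs(skew) > limit:
            flagged.append((host, skew, msg))
    return flagged


def mark_gaps(text, host, expected=MARK_INTERVAL, slack=60):
    """Umar's 'mark every x minutes and gauge it' idea: measure the interval
    between consecutive MARK lines using the sender's own timestamps and
    return the intervals that deviate from the configured period.  A clock
    that jumps shows up as an interval far from the expected value."""
    marks = [sent for _, h, sent, msg in parse(text)
             if h == host and msg.strip() == "-- MARK --"]
    gaps = [(later - earlier).total_seconds()
            for earlier, later in zip(marks, marks[1:])]
    return [g for g in gaps if abs(g - expected) > slack]


if __name__ == "__main__":
    for host, skew, msg in skew_events(SAMPLE_LOG):
        print(f"{host}: sender clock off by {skew:+.0f}s at '{msg}'")
    print("fw mark gaps out of tolerance:", mark_gaps(SAMPLE_LOG, "fw"))
```

The two checks complement each other: skew_events catches the jump at the moment it happens (the "time reset" line arrives with a sender timestamp 8400 seconds behind the collector), while mark_gaps catches it even if the attacker manages to suppress the informative lines, because the mark cadence itself becomes inconsistent. Both rely on the collector's clock, which a compromised firewall cannot touch.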



Re: [SLUG] Firewall security audit report

2001-02-28 Thread Crossfire

chesty was once rumoured to have said:
> On Wed, Feb 28, 2001 at 10:49:32AM +1100, Umar Goldeli wrote:
>
> Removing uname isn't going to buy me much.
> find  /proc -exec less {} \;
> /proc is bad, mmmkay.
> 
> I've never tried to run a box without proc, I might give it a go.

It won't work very well.  A lot of stuff relies on /proc.

> > > We have been advised to run ntp on the firewall so log time stamps are in
> > > sync. Another potential access point.
> > 
> > Bind ntp to a particular interface and only allow port 123 from your ntp
> > server, also turn on the funky auth features (or you could do ipsec to
> > your ntp box ;) 
> 
> You bring up a good point about ntp auth, obviously ntp will be
> filtered, but that won't stop forged packets (and unfortunately,
> neither will some of our routers (yet)). I wonder if someone could
> send bogus ntp packets and shift the time on the firewall?

This is what stateful inspection firewalls or very tight firewall
rulesets are for.  Only accept NTP replies from systems you've
queried, that way they have to compromise the time server(s) too.

C.
-- 
--==--
  Crossfire  | This email was brought to you
  [EMAIL PROTECTED] | on 100% Recycled Electrons
--==--

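Crossfire's two posts above (only accept NTP replies from systems you have queried, and open the return path when the request goes out and close it again within a reasonable time) describe a state table rather than a static ACCEPT rule, which is why ipchains cannot express it and Howard's cron/ntpdate/sleep workaround is the best a static ruleset can do. The following is an added example written for this archive, not code from the thread or from any firewall product: a toy stateful filter for NTP over UDP that keeps exactly that table. The 5-second window, the allowed-server list and all addresses are constructed values.

```python
"""Toy stateful filter for NTP over UDP, as an added example of the thread's
advice: open the return path when a request leaves, accept one matching
reply inside a short window, then close it; anything else on udp/123 is
unsolicited.  All constants and addresses are constructed for the example."""
from dataclasses import dataclass, field

NTP_PORT = 123
REPLY_WINDOW = 5.0  # seconds the return path stays open after a request (assumed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class StatefulNtpFilter:
    # Servers we are prepared to query at all (Howard's "define what servers
    # you will accept ntp from"); replies from anyone else never match.
    allowed_servers: frozenset
    window: float = REPLY_WINDOW
    # Open return paths: (client, client port, server) -> expiry time.
    pending: dict = field(default_factory=dict)
    unsolicited: int = 0

    def outbound(self, pkt: Packet, now: float) -> str:
        """A request leaving the firewall: allow it only towards a known
        server and open the matching return path until now + window."""
        if pkt.dport != NTP_PORT or pkt.dst not in self.allowed_servers:
            return "DROP"
        self.pending[(pkt.src, pkt.sport, pkt.dst)] = now + self.window
        return "ACCEPT"

    def inbound(self, pkt: Packet, now: float) -> str:
        """A reply arriving from outside is accepted once, and only while the
        return path it matches is open; the path closes on the first reply."""
        key = (pkt.dst, pkt.dport, pkt.src)
        expiry = self.pending.get(key)
        if pkt.sport != NTP_PORT or expiry is None:
            self.unsolicited += 1
            return "DROP"
        del self.pending[key]        # one reply per request, then close
        if now > expiry:
            self.unsolicited += 1    # late reply: the window already passed
            return "DROP"
        return "ACCEPT"

    def expire(self, now: float) -> None:
        """Housekeeping a real connection-tracking table does for you:
        forget return paths whose window has passed."""
        self.pending = {k: t for k, t in self.pending.items() if t >= now}


def run_trace():
    """Constructed trace: one legitimate exchange, one reply from a server we
    never asked, one duplicate reply, and one reply after the window."""
    fw = StatefulNtpFilter(allowed_servers=frozenset({"192.0.2.10"}))
    req = Packet("10.0.0.1", 40000, "192.0.2.10", NTP_PORT)
    reply = Packet("192.0.2.10", NTP_PORT, "10.0.0.1", 40000)
    stranger = Packet("203.0.113.5", NTP_PORT, "10.0.0.1", 40000)
    decisions = [
        fw.inbound(reply, 0.0),      # nothing asked yet -> DROP
        fw.outbound(req, 1.0),       # return path open until 6.0 -> ACCEPT
        fw.inbound(stranger, 1.5),   # not the server we asked -> DROP
        fw.inbound(reply, 2.0),      # matches the open path -> ACCEPT, closes it
        fw.inbound(reply, 2.5),      # path already closed -> DROP
        fw.outbound(req, 10.0),      # new request, path open until 15.0
        fw.inbound(reply, 20.0),     # reply after the window -> DROP
    ]
    return decisions, fw.unsolicited


if __name__ == "__main__":
    print(run_trace())
```

Note what the table does and does not buy you. A forged reply carrying the queried server's source address that lands inside the open window still gets through, which is exactly why Crossfire adds that an attacker then "has to compromise the time server(s) too" and suggests pointing ntpd at several servers; Umar's NTP authentication features close the remaining gap. The filter also only works for a client that polls, which is the thread's objection to running as a broadcastclient: a broadcast listener has no outbound request to key the state on.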


