LinuxQuestions.org
Old 02-09-2001, 07:47 PM   #16
mjakob
Member
 
Registered: Feb 2001
Posts: 69

Rep: Reputation: 15

Yes, it is confusing. There must be a ruleset somewhere.

Let me ask another question, are you dialing up to the internet or are you on a cable modem or DSL or otherwise broadband connection?

If you're dialing up, the ruleset in effect may come from whatever dials. Not sure.

Check for something like /etc/rc.d/rc.firewall

If you *still* can't find anything, try this:

updatedb
(This will build a database that contains all file paths in the file system)

Then type:
locate ipchains
locate firewall
locate (whatever else you can think of searching for)

-Mark
 
Old 02-09-2001, 08:20 PM   #17
_TK_
Member
 
Registered: Feb 2001
Posts: 54

Original Poster
Rep: Reputation: 15
I'm connecting via DSL. I'm using the Roaring Penguin client to connect. It has a firewall of its own called 'firewall-masq'. I have set up the DSL client with its firewall installed and without, as they give you the option during setup. In both cases I still could not ident. So it led me to believe that the ident is not a function of this firewall.

I'm going to generate that list you suggested in the last reply and will return my results.
 
Old 02-09-2001, 08:29 PM   #18
mjakob
Member
 
Registered: Feb 2001
Posts: 69

Rep: Reputation: 15
Well, whatever firewall is running, it's using ipchains to block stuff.

Do what you're going to do, and also give me a list of what's in your /etc/rc.d/rc3.d/

Let's see what all is starting.

-Mark
 
Old 02-09-2001, 08:35 PM   #19
_TK_
Member
 
Registered: Feb 2001
Posts: 54

Original Poster
Rep: Reputation: 15
Here are the results from searching for ipchains and firewall. I have omitted all the help and html documents that came up with these so as to weed out the junk.


[root@localhost ppp]# locate ipchains
/etc/rc.d/init.d/ipchains
/etc/rc.d/rc0.d/K92ipchains
/etc/rc.d/rc1.d/K92ipchains
/etc/rc.d/rc2.d/S08ipchains
/etc/rc.d/rc3.d/S08ipchains
/etc/rc.d/rc4.d/S08ipchains
/etc/rc.d/rc5.d/S08ipchains
/etc/rc.d/rc6.d/K92ipchains
/sbin/ipchains
/sbin/ipchains-restore
/sbin/ipchains-save
/usr/include/linux/netfilter_ipv4/ipchains_core.h

[root@localhost ppp]# locate firewall
/etc/ppp/firewall-standalone
/etc/ppp/firewall-masq.old
/etc/ppp/firewall-masq
/usr/include/linux/netfilter_ipv4/compat_firewall.h
/usr/lib/linuxconf/descriptions/eng/firewall
/usr/lib/linuxconf/descriptions/es/firewall
/usr/lib/linuxconf/descriptions/fr/firewall
/usr/lib/linuxconf/descriptions/ko/firewall
/usr/lib/linuxconf/descriptions/pt/firewall
/usr/lib/linuxconf/descriptions/se/firewall
/usr/lib/linuxconf/descriptions/sk/firewall
/usr/lib/linuxconf/help.bg5/firewall-msg-1.19r2.bg5
/usr/lib/linuxconf/help.cn/firewall-msg-1.19r2.cn
/usr/lib/linuxconf/help.cs/firewall-msg-1.19r2.cs
/usr/lib/linuxconf/help.de/firewall-msg-1.19r2.de
/usr/lib/linuxconf/help.eng/firewall
/usr/lib/linuxconf/images/firewall.xpm
/usr/lib/linuxconf/modules/firewall.so.1.19.2
/usr/lib/linuxconf/redhat/firewall.daemons
/usr/lib/linuxconf/std/firewall.daemons
/usr/src/linux-2.2.16/include/linux/firewall.h
/usr/src/linux-2.2.16/include/linux/modules/firewall.stamp
/usr/src/linux-2.2.16/include/linux/modules/firewall.ver
/usr/src/linux-2.2.16/net/core/firewall.c

I'm running out of ideas.
 
Old 02-09-2001, 08:40 PM   #20
mjakob
Member
 
Registered: Feb 2001
Posts: 69

Rep: Reputation: 15
Just hang in there

Let me see the contents of /etc/ppp/firewall-masq

-Mark
 
Old 02-09-2001, 08:50 PM   #21
_TK_
Member
 
Registered: Feb 2001
Posts: 54

Original Poster
Rep: Reputation: 15
ok, here is /etc/ppp/firewall-masq


#!/bin/sh
#
#Script to set up firewall.
# NOTE: Any reference to /sbin/ipchains should be changed to ipchains.
# Anti-spoofing

if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
echo -n "Setting up IP spoofing protection..."
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
echo "done."
else
echo PROBLEMS SETTING UP IP SPOOFING PROTECTION. BE WORRIED.
echo
fi

#Clean up any existing rules
ipchains -F
ipchains -X

#Local connections. Need this or nothing will work
ipchains -A input -i lo -j ACCEPT


#Default to allowing nothing in, everything out.
#ipchains -P input DENY
ipchains -P output ACCEPT
ipchains -P forward DENY

#Chain for ppp connections
ipchains -N ppp

#Direct all incoming ppp traffic to ppp chain
ipchains -A input -i ppp+ -j ppp

#Allow all tcp packets to unprivileged ports
#except those requesting connection
ipchains -A ppp -p tcp ! -y -s 0/0 -d 0/0 1024: -j ACCEPT

#If you want a simpler (but less secure life) you could just
#accept any connection to ports over 1024 with
#
#/sbin/ipchains -A ppp -p tcp -s 0/0 -d 0/0 1024: -j ACCEPT

#allow udp/tcp for DNS. This assumes your nameservers are in /etc/resolv.conf

DNS=`grep nameserver /etc/resolv.conf | awk ' { print $2 } '`

for dns in $DNS
do
ipchains -A ppp -p udp -s $dns 53 -d 0/0 1024: -j ACCEPT
ipchains -A ppp -p tcp -s $dns 53 -d 0/0 1024: -j ACCEPT
done

# Next we deal with ident.
#ipchains -A ppp -p tcp -s 0/0 -d 0/0 113 -j REJECT

# This rule will be fine for most people, it just REJECTS any requests to
# identd out of hand. If you deal with an irc or ftp server that insists
# on talking to identd before letting you proceed then you will need a different
# rule. Here's a replacement to allow access to identd from anywhere.
ipchains -A ppp -p tcp -s 0/0 -d 0/0 113 -j ACCEPT
#ipchains -A ppp -p tcp -s 0/0 -d 0/0 22 -j ACCEPT
#ipchains -A ppp -p tcp -s 0/0 -d 0/0 21 -j ACCEPT
#ipchains -A ppp -p tcp -s 0/0 -d 0/0 23 -j ACCEPT
#
# (Of course if you have such a rule you also need to allow access
# in /etc/hosts.allow and you need to uncomment it from inetd.conf.)
# identd is only required by some servers so it's more secure to just to allow
# access to those servers, rather than everyone. identd can be used by a
# cracker to discover your user's usernames.
#
# The behaviour of this script is to default DENY packets unless we
# explicitly ACCEPT them so you might wonder why I bothered to REJECT
# packets to 113 when they would be denied by default.
#
# The reason is that there is a subtle difference between REJECTing and
# DENYing packets.
# When you REJECT a packet you immediately send a message back to the
# host that is requesting access saying access denied. On the other hand,
# when you DENY packets you send no message at all (it's as if you aren't
# there). So for most ports DENY is best because it inconveniences crackers
# the most. They have to wait for the connection attempt to time out.
# But port 113 is an exception. This is because many times when you
# connect to a server they will routinely send an ident request to you
# on port 113. The server may not at all be troubled if you don't
# respond or refuse access to 113 but you don't want to be waiting for their
# request to timeout before you get access to the service YOU want on
# the server. That's why you should either ACCEPT packets to 113
# or REJECT them rather than DENYing them. Of course you can have a mixture
# of the two; mostly REJECTing but ACCEPTing for specific servers that
# really do insist you run identd.
#
# On my machine I run identd and allow arbitrary access to it.
#

# Insert your own rules to allow in access to other services
# ****Here****

# Here are some examples.
#
# Allow access from anywhere to sshd. This is a more secure replacement for
# telnet and ftp. You can get it from http://www.openssh.com
# A useful tip is to remove the suid root bit from the ssh binary.
# chmod -s `which ssh`
# Otherwise when you ssh to a remote host they will talk back to you
# on a privileged port, which falls foul of *this* firewall
ipchains -A ppp -p tcp -s 0/0 -d 0/0 22 -j ACCEPT

# Allow telnet in from IP 195.92.193.217
#/sbin/ipchains -A ppp -p tcp -s 195.92.193.217 -d 0/0 23 -j ACCEPT

# Allow access to your web server to all addresses 195.92.xxx.xxx
#/sbin/ipchains -A ppp -p tcp -s 195.92.0.0/255.255.0.0 -d 0/0 80 -j ACCEPT
#/sbin/ipchains -A ppp -p udp -s 195.92.0.0/255.255.0.0 -d 0/0 80 -j ACCEPT

# Allow anyone access to sendmail. Achh! Are you sure?
#/sbin/ipchains -A ppp -p tcp -s 0/0 -d 0/0 25 -j ACCEPT

#all done

echo "Filtering firewall active"

#allow ping and unreachables
ipchains -A ppp -p icmp -s 0/0 -d 0/0 0 -j ACCEPT
ipchains -A ppp -p icmp -s 0/0 -d 0/0 1 -j ACCEPT
ipchains -A ppp -p icmp -s 0/0 -d 0/0 3 -j ACCEPT

#Log all unauthorised packets. Any packet that gets denied will
#be reported in /var/log/messages. This is a good way to spot
#if your rules are too restrictive for a service you want to run.
ipchains -l -A ppp -p tcp -j DENY
ipchains -l -A ppp -p udp -j DENY
ipchains -l -A ppp -p icmp -j DENY
echo "Logging all unauthorised packets"

#everything else is caught by input policy DENY
# end of script

# Do masquerading
ipchains -A forward -j MASQ
echo 1 > /proc/sys/net/ipv4/ip_forward

You'll notice in there it mentions ident. I have uncommented the line to allow ident but it also mentions uncommenting in the inetd.conf file, which I don't have. I have the xinetd.d which uses the linuxconf-web file. Also I don't believe this system is using the hosts.allow or deny files either since it is running xinetd, but at this point I'll try anything.
 
Old 02-09-2001, 09:10 PM   #22
mjakob
Member
 
Registered: Feb 2001
Posts: 69

Rep: Reputation: 15
Ok, if you made the changes to this to make it appear as it does now, you should be good to go. You commented the REJECT rule and you un-commented the ACCEPT rule. It says to uncomment identd from inetd.conf, but I went to one of my 6.2 servers and looked in its inetd.conf file and here is what it says:

#
# identd is run standalone now
#
#auth stream tcp wait root /usr/sbin/in.identd in.identd -e -o
#

This means I was right in saying that identd is no longer started from inetd and therefore the tcp wrappers in hosts.allow and deny won't control it. So, the fact that you have xinetd should have no bearing on the fact. If you modified the file to the above state, I'd say reboot the box so we KNOW the file changes took effect. Then it should work.

Post the results of ipchains -L now that you made the changes...

-Mark
 
Old 02-09-2001, 09:29 PM   #23
_TK_
Member
 
Registered: Feb 2001
Posts: 54

Original Poster
Rep: Reputation: 15
I had actually made those changes a while ago but rebooted again just to be sure. Still no luck. I have posted the ipchains info below. It would seem that the ipchains are correct for ident, so maybe I should be looking elsewhere, like to identd or something.


[root@localhost /root]# ipchains -L
Chain input (policy ACCEPT):
target prot opt source destination ports
ACCEPT all ------ anywhere anywhere n/a
ppp all ------ anywhere anywhere n/a
Chain forward (policy DENY):
target prot opt source destination ports
MASQ all ------ anywhere anywhere n/a
Chain output (policy ACCEPT):
Chain ppp (1 references):
target prot opt source destination ports
ACCEPT tcp !y---- anywhere anywhere any -> 1024:65535
ACCEPT udp ------ dns1.sympatico.ca anywhere domain -> 1024:65535
ACCEPT tcp ------ dns1.sympatico.ca anywhere domain -> 1024:65535
ACCEPT udp ------ dns2.sympatico.ca anywhere domain -> 1024:65535
ACCEPT tcp ------ dns2.sympatico.ca anywhere domain -> 1024:65535
ACCEPT tcp ------ anywhere anywhere any -> auth
ACCEPT tcp ------ anywhere anywhere any -> ssh
ACCEPT icmp ------ anywhere anywhere any -> 0
ACCEPT icmp ------ anywhere anywhere any -> 1
ACCEPT icmp ------ anywhere anywhere any -> 3
DENY tcp ----l- anywhere anywhere any -> any
DENY udp ----l- anywhere anywhere any -> any
DENY icmp ----l- anywhere anywhere any -> any



[root@localhost /root]# ipchains -nL
Chain input (policy ACCEPT):
target prot opt source destination ports
ACCEPT all ------ 0.0.0.0/0 0.0.0.0/0 n/a
ppp all ------ 0.0.0.0/0 0.0.0.0/0 n/a
Chain forward (policy DENY):
target prot opt source destination ports
MASQ all ------ 0.0.0.0/0 0.0.0.0/0 n/a
Chain output (policy ACCEPT):
Chain ppp (1 references):
target prot opt source destination ports
ACCEPT tcp !y---- 0.0.0.0/0 0.0.0.0/0 * -> 1024:65535
ACCEPT udp ------ 204.101.251.1 0.0.0.0/0 53 -> 1024:65535
ACCEPT tcp ------ 204.101.251.1 0.0.0.0/0 53 -> 1024:65535
ACCEPT udp ------ 204.101.251.2 0.0.0.0/0 53 -> 1024:65535
ACCEPT tcp ------ 204.101.251.2 0.0.0.0/0 53 -> 1024:65535
ACCEPT tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 113
ACCEPT tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 22
ACCEPT icmp ------ 0.0.0.0/0 0.0.0.0/0 * -> 0
ACCEPT icmp ------ 0.0.0.0/0 0.0.0.0/0 * -> 1
ACCEPT icmp ------ 0.0.0.0/0 0.0.0.0/0 * -> 3
DENY tcp ----l- 0.0.0.0/0 0.0.0.0/0 * -> *
DENY udp ----l- 0.0.0.0/0 0.0.0.0/0 * -> *
DENY icmp ----l- 0.0.0.0/0 0.0.0.0/0 * -> *
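The listing above can be checked mechanically rather than by eye. The following Python script is an added example, not code from the thread or from the firewall-masq script: it parses ipchains -nL output and walks the ppp chain for a hypothetical packet the way the kernel would, returning the terminal target and whether the match is logged. Two things the posted output itself shows and the audit makes explicit: the input chain's policy is ACCEPT (the script's "ipchains -P input DENY" line is commented out), so only traffic that arrives on a ppp interface is filtered by the ppp chain; and the icmp rules accept types 0, 1 and 3, which covers echo-reply and unreachables but not echo-request (type 8). The sample listing is constructed from the posted output with the DNS rules trimmed to one server, and the packet addresses are documentation-range placeholders. Interface matches (lo, ppp+) are not shown by -nL, which is why the ppp chain is walked directly; use ipchains -nvL to see them.

```python
"""Audit an `ipchains -nL` listing by walking a chain the way the kernel does
for a hypothetical packet and reporting the terminal verdict."""
import ipaddress
import re

# Constructed from the `ipchains -nL` output posted in the thread
# (DNS rules trimmed to a single nameserver).
SAMPLE_LISTING = """\
Chain input (policy ACCEPT):
target prot opt source destination ports
ACCEPT all ------ 0.0.0.0/0 0.0.0.0/0 n/a
ppp all ------ 0.0.0.0/0 0.0.0.0/0 n/a
Chain forward (policy DENY):
target prot opt source destination ports
MASQ all ------ 0.0.0.0/0 0.0.0.0/0 n/a
Chain output (policy ACCEPT):
Chain ppp (1 references):
target prot opt source destination ports
ACCEPT tcp !y---- 0.0.0.0/0 0.0.0.0/0 * -> 1024:65535
ACCEPT udp ------ 204.101.251.1 0.0.0.0/0 53 -> 1024:65535
ACCEPT tcp ------ 204.101.251.1 0.0.0.0/0 53 -> 1024:65535
ACCEPT tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 113
ACCEPT tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 22
ACCEPT icmp ------ 0.0.0.0/0 0.0.0.0/0 * -> 0
ACCEPT icmp ------ 0.0.0.0/0 0.0.0.0/0 * -> 3
DENY tcp ----l- 0.0.0.0/0 0.0.0.0/0 * -> *
DENY udp ----l- 0.0.0.0/0 0.0.0.0/0 * -> *
DENY icmp ----l- 0.0.0.0/0 0.0.0.0/0 * -> *
"""

TERMINAL = {"ACCEPT", "DENY", "REJECT", "MASQ", "REDIRECT"}
CHAIN_RE = re.compile(r"Chain (\S+) \((?:policy (\w+)|\d+ references)\):")


def parse_listing(text):
    """Return {chain: {"policy": str or None, "rules": [dict, ...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if current is None or not line.strip() or line.startswith("target "):
            continue
        target, prot, opt, src, dst, *rest = line.split()
        ports = " ".join(rest)
        sport, dport = ("*", "*") if "->" not in ports else [p.strip() for p in ports.split("->")]
        chains[current]["rules"].append({
            "target": target, "prot": prot, "src": src, "dst": dst,
            "sport": sport, "dport": dport,
            # opt column: '!y' = only packets that are NOT SYN (the "! -y" rule),
            # 'y' = SYN only, an 'l' anywhere = log the match
            "syn": "notsyn" if opt.startswith("!y") else "syn" if opt[1:2] == "y" else None,
            "log": "l" in opt,
        })
    return chains


def _port_ok(spec, port):
    if spec in ("*", "n/a"):
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return int(spec) == port


def _addr_ok(spec, addr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def verdict(chains, chain, pkt):
    """Walk `chain` for pkt = {prot, src, dst, sport, dport, syn}.
    Returns (target, logged); target is None when a user chain falls through."""
    for r in chains[chain]["rules"]:
        if r["prot"] != "all" and r["prot"] != pkt["prot"]:
            continue
        if r["syn"] == "syn" and not pkt["syn"] or r["syn"] == "notsyn" and pkt["syn"]:
            continue
        if not (_addr_ok(r["src"], pkt["src"]) and _addr_ok(r["dst"], pkt["dst"])):
            continue
        if not (_port_ok(r["sport"], pkt["sport"]) and _port_ok(r["dport"], pkt["dport"])):
            continue
        if r["target"] in TERMINAL:
            return r["target"], r["log"]
        if r["target"] == "RETURN":
            break
        sub = verdict(chains, r["target"], pkt)  # jump into a user-defined chain
        if sub[0] is not None:
            return sub
    return chains[chain]["policy"], False  # builtin policy, or None for a user chain


def packet(prot, dport, src="198.51.100.7", sport=40000, syn=True):
    """A packet arriving from the outside on the ppp link (addresses are placeholders)."""
    return {"prot": prot, "src": src, "dst": "203.0.113.5", "sport": sport, "dport": dport, "syn": syn}


def audit(listing, chain="ppp"):
    """Verdicts for a handful of services; for icmp the 'port' is the type."""
    chains = parse_listing(listing)
    probes = {
        "ident/113": packet("tcp", 113), "ssh/22": packet("tcp", 22),
        "telnet/23": packet("tcp", 23), "established 5000": packet("tcp", 5000, syn=False),
        "dns reply": packet("udp", 40000, src="204.101.251.1", sport=53),
        "icmp echo-request (8)": packet("icmp", 8, sport=0),
    }
    return {name: verdict(chains, chain, p) for name, p in probes.items()}


if __name__ == "__main__":
    for name, (target, logged) in audit(SAMPLE_LISTING).items():
        print(f"{name:24s} -> {target}{' (logged)' if logged else ''}")
    print("input policy:", parse_listing(SAMPLE_LISTING)["input"]["policy"])
```

Run it against a saved ipchains -nL listing (read the file into SAMPLE_LISTING's place) to see which inbound services reach ACCEPT before the logging DENY catch-all.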

 
Old 02-09-2001, 09:31 PM   #24
mjakob
Member
 
Registered: Feb 2001
Posts: 69

Rep: Reputation: 15
and you see a few identd entries running if you do a ps aux?
 
Old 02-09-2001, 09:34 PM   #25
_TK_
Member
 
Registered: Feb 2001
Posts: 54

Original Poster
Rep: Reputation: 15
yes these here:


nobody 527 0.0 0.5 7620 728 ? S 21:21 0:00 identd -e -o
nobody 531 0.0 0.5 7620 728 ? S 21:21 0:00 identd -e -o
nobody 532 0.0 0.5 7620 728 ? S 21:21 0:00 identd -e -o
nobody 533 0.0 0.5 7620 728 ? S 21:21 0:00 identd -e -o
nobody 534 0.0 0.5 7620 728 ? S 21:21 0:00 identd -e -o
 
Old 02-09-2001, 09:37 PM   #26
mjakob
Member
 
Registered: Feb 2001
Posts: 69

Rep: Reputation: 15
Then life should be good. Not sure what to say. I'm not sure how to test identd.... maybe if I were to telnet to your ip on port 113?
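One way to test it without a second machine, as an added example that is not from the thread: the Python below does what a remote IRC or FTP server does, connects to port 113 and asks the ident protocol of RFC 1413 who owns a connection. Its classify_port function also reports what the firewall did to the attempt from the outside: a completed handshake (ACCEPT), an immediate refusal (a REJECT rule, or simply no listener) or silence until the timeout (a DENY rule, the delay the firewall-masq comments warn a server would sit through before giving up on the ident check). A minimal fake responder on loopback stands in for identd so the script runs offline; its connection table and the username in it are constructed. The DENY outcome cannot be reproduced on loopback, since a listening socket always answers; only a real filter rule produces it.

```python
"""Probe an ident service (RFC 1413) the way a remote IRC or FTP server does,
and classify what the firewall did to the connection attempt."""
import socket
import threading

# Constructed connection table for the fake responder:
# (port on this host, port on the peer) -> owning username.
# A real identd looks the pair up in the kernel's TCP table.
FAKE_CONNECTIONS = {(6667, 51000): "tk"}


def start_fake_identd(table=FAKE_CONNECTIONS):
    """Run a minimal ident responder on 127.0.0.1 in a daemon thread and
    return its port.  Stand-in for identd so the probe works offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            try:
                req = conn.makefile("rb").readline().decode("ascii", "replace").strip()
                try:
                    a, b = (int(x) for x in req.split(","))
                    user = table.get((a, b))
                    reply = (f"{a} , {b} : USERID : UNIX : {user}" if user
                             else f"{a} , {b} : ERROR : NO-USER")
                except ValueError:
                    reply = f"{req} : ERROR : INVALID-PORT"
                conn.sendall((reply + "\r\n").encode("ascii"))
            except OSError:
                pass
            finally:
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def classify_port(host, port, timeout=3.0):
    """What an outside host sees: 'accept' (handshake completed), 'reject'
    (immediate RST: a REJECT rule or no listener) or 'deny' (silence until
    the timeout: a DENY rule)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "accept"
        except ConnectionRefusedError:
            return "reject"
        except socket.timeout:
            return "deny"


def parse_ident_reply(line):
    """Parse '<a> , <b> : USERID : <opsys> : <userid>' or
    '<a> , <b> : ERROR : <type>' into a dict."""
    fields = [f.strip() for f in line.split(":")]
    if len(fields) >= 4 and fields[1].upper() == "USERID":
        # a userid may itself contain ':' so re-join the tail
        return {"ports": fields[0], "status": "USERID",
                "opsys": fields[2], "userid": ":".join(fields[3:])}
    if len(fields) == 3 and fields[1].upper() == "ERROR":
        return {"ports": fields[0], "status": "ERROR", "error": fields[2]}
    raise ValueError(f"malformed ident reply: {line!r}")


def ident_query(host, port, server_port, client_port, timeout=3.0):
    """Ask the ident service at host:port who owns the TCP connection
    <server_port on that host> <-> <client_port on our side>."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"{server_port} , {client_port}\r\n".encode("ascii"))
        reply = s.makefile("rb").readline().decode("ascii", "replace").strip()
    return parse_ident_reply(reply)


def unused_port():
    """An ephemeral port with no listener, to show the 'reject' outcome."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_identd()
    print("fake identd on 127.0.0.1:%d ->" % port, classify_port("127.0.0.1", port))
    print(ident_query("127.0.0.1", port, 6667, 51000))
    print(ident_query("127.0.0.1", port, 6667, 1))
    print("closed port ->", classify_port("127.0.0.1", unused_port()))
```

Against the real box, run classify_port and ident_query from a host on the far side of the ppp link with port 113 and the port pair of a live connection; an 'accept' followed by a USERID or ERROR line means both the ipchains rule and identd are doing their job, while 'deny' means the packet never reached identd.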
 
Old 02-09-2001, 09:46 PM   #27
_TK_
Member
 
Registered: Feb 2001
Posts: 54

Original Poster
Rep: Reputation: 15
Email sent with info.
 
Old 02-09-2001, 10:07 PM   #28
_TK_
Member
 
Registered: Feb 2001
Posts: 54

Original Poster
Rep: Reputation: 15
Email sent with info.
 
Old 04-03-2001, 10:43 AM   #29
schmidtamylee
LQ Newbie
 
Registered: Mar 2001
Location: Boston, MA
Posts: 4

Rep: Reputation: 0
This doc is great for RH7 newbies

As a newbie, I have found this document especially useful. Here's the link to "Red Hat Linux 7 Gotchas and Workarounds", look especially at the "Post Install Problems" section:
http://www.redhat.com/support/docs/g...as-7.html#toc7
 
Old 05-30-2001, 12:40 AM   #30
nurhafiza
LQ Newbie
 
Registered: May 2001
Posts: 1

Rep: Reputation: 0

Quote:
Originally posted by mjakob
Ok, how about your ipchains? Copy what happens when you do this:

ipchains -L

You may want to change your own IP to X.X.X.X or something, but otherwise copy over the output of the above command.

-Mark
Hi, I feel like a relief when I read both of your conversation, because I had the same thing with the same problem. But mine is even more. I can't even use the command ipchains -L. Someone had advised me to install a new ipchains and I did. This is the result of the installation,
"package ipchains-1.3.9-17 (which is newer than ipchains-1.3.9-1) is already installed." Unfortunately, it still gimme the bash command message when I type ipchain -L. I just want my telnet and ftp to work. And I did follow your instruction above to uncomment the port 113. Thank you for reading my problem. I hope you will help me to solve this thing. Bye and Thanks. P/S My xinetd had the same file as _tk_.
 
  

