LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 10-06-2001, 07:49 PM   #1
subnet_rx
Member
 
Registered: Oct 2001
Distribution: Ubuntu 9.10
Posts: 148

Best security setup?


This is in direct relation to my recent trojan attack by some script kiddie. I know Linux has a built in firewall through ipchains, but what is your complete firewall/logging solution? I'm not running a server, so I don't want any inbound connections coming in without me starting them. I thought something like Firestarter would do this nicely. I was wrong. It looks like I am now going to have to reinstall in order to completely rid myself of this, it's disabled my system quite thoroughly.
 
Old 10-08-2001, 04:17 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

IIRC, Firestarter is just a tool for making and loading rules; it's not a firewall implementation in itself, and I don't know if it does checking, or relies on netfilter/ipchains to come up with error msgs. For accepting incoming TCP traffic you initiated you would specify "! -y" in a rule; the outgoing doesn't need "-y" IIRC, because you'll be initiating the connection anyway. Note due to protocols this only works with TCP type connections.
In the end I don't think there's a "total firewall solution"; carefully crafted rules are the best you can have. The essence is though, if you've got no servers running (or startable) people can connect to, you should be safe on that part.

If you weren't running any servers, the only way I can think of you getting infected by a trojan is downloading "goodies" through http/ftp, or through DCC, or IM type communications, and executing those incoming files, which is considered a Bad Thing. If that wasn't it, and you re-checked your logs/xinetd.conf/runlevel/netstat and you weren't running any unnecessary stuff, I'm curious what it was; please run chkrootkit (checkrootkit.org) to find out if you don't know, else share if you can.
 
Old 10-09-2001, 04:55 AM   #3
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

subnet_rx,

I would reinstall completely, or these things have a habit of coming back when you least expect them.

The only safe network is an unplugged one. "That's how you get the C2 Cert for NT boxes." Anyway, as unSpawn has pointed out, there are several methods to improve the current security level.

Patch the box for every known security bug.
Then only run the services you need to run, disabling all the others at start-up.
On the firewall side you need to do this:
Then set rules that don't allow any access from outside IP addresses to ports below 1024.
Then set rules that only allow sourceful IP addresses that are trusted to connect to particular ports. "like trusted DNS servers"
Then set rules to not trust your own internal IP addresses on ports that it should only connect to internally. "spoof protection, include 127.0.0.1 and broadcast addresses"
Then set rules to deny ICMP types that shouldn't talk to your IP address.
Then set rules to deny all UDP except from your DNS from source port 53.
Then set flood protection by switching on SYN cookies and SYN timeouts; also set IP defrag so packets are reassembled before the firewall; also switch off redirects and stop your system from allowing them.
Then also disallow any system that sends a SYN flag to your IP address without you making the handshake in the first place.
Then create a network architecture that shields each system from its co-systems on the network for damage control, like a Multi-DMZ with multi tri-homed firewalls.
Oh yes, then use stateful inspection to check that protocols that are FTP or HTTP are just that.

This is just some of the stuff you need to do, but if you stick to these rules it will make it much harder to break into.

/Raz
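The two replies above describe a ruleset in words: unSpawn's "! -y" rule for accepting only replies to TCP connections you started, and raz's checklist (deny outside access to ports below 1024, spoof protection for your own, loopback and broadcast addresses, deny unwanted ICMP types, allow UDP only from your DNS server's port 53, SYN cookies, defrag before filtering, no redirects, no unsolicited SYN). The script below is an added example written for this page, not code posted in the thread. It emits that ruleset in ipchains syntax for a non-server workstation instead of applying it directly, so it can be read and checked before being piped into a root shell. The interface name `eth0`, the addresses passed as arguments, and the function names are assumptions; the `/proc/sys` knobs are the 2.2-era kernel ones that ipchains is paired with (`ip_always_defrag` in particular exists only on those kernels).

```shell
#!/bin/sh
# Added example for the thread above (not the thread's own code). Prints, rather
# than applies, an ipchains ruleset plus the /proc/sys settings for a workstation
# that runs no servers. Arguments: $1 = this host's IP, $2 = trusted DNS server
# (both placeholders). IFACE is the external interface (assumed eth0).

IFACE="${IFACE:-eth0}"

# Kernel knobs from raz's list: SYN cookies, reassemble fragments before the
# filter sees them, ignore and never send ICMP redirects, reverse-path spoof check.
gen_sysctl() {
    cat <<'EOF'
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
EOF
}

# The input chain. Default policy DENY; "-l" logs what a rule drops so the
# logs show who knocked. Lines beginning with '#' are comments in the output too.
gen_rules() {
    me="$1"     # this host's address (placeholder)
    dns="$2"    # trusted DNS server (placeholder)
    cat <<EOF
ipchains -F input
ipchains -P input DENY
ipchains -A input -i lo -j ACCEPT
# spoof protection: our own, loopback and broadcast sources never arrive from outside
ipchains -A input -i $IFACE -s $me -j DENY -l
ipchains -A input -i $IFACE -s 127.0.0.0/8 -j DENY -l
ipchains -A input -i $IFACE -s 255.255.255.255 -j DENY -l
ipchains -A input -i $IFACE -d 255.255.255.255 -j DENY -l
# no outside connection attempts to privileged ports (raz), logged separately
ipchains -A input -i $IFACE -p tcp -s 0.0.0.0/0 -d $me 0:1023 -y -j DENY -l
# no unsolicited SYN at all: we never asked for the handshake
ipchains -A input -i $IFACE -p tcp -y -j DENY -l
# replies to TCP connections we started are fine: "! -y" (unSpawn)
ipchains -A input -i $IFACE -p tcp ! -y -j ACCEPT
# UDP only as answers from our trusted DNS, source port 53
ipchains -A input -i $IFACE -p udp -s $dns 53 -d $me -j ACCEPT
ipchains -A input -i $IFACE -p udp -j DENY -l
# ICMP: drop redirects, keep the types a client needs for working connections
ipchains -A input -i $IFACE -p icmp --icmp-type redirect -j DENY -l
ipchains -A input -i $IFACE -p icmp --icmp-type echo-reply -j ACCEPT
ipchains -A input -i $IFACE -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A input -i $IFACE -p icmp --icmp-type time-exceeded -j ACCEPT
EOF
}

# Usage (as root, addresses are examples):  sh fw.sh 192.0.2.10 192.0.2.1 | sh
if [ "$#" -eq 2 ]; then
    gen_sysctl
    gen_rules "$1" "$2"
fi
```

Rules are matched top to bottom, so the spoof and privileged-port denials sit before the `! -y` accept; otherwise a forged packet carrying ACK would slip through the accept first. The privileged-port rule is technically covered by the general "no SYN" rule that follows it, but keeping it separate means the log line tells you a connection attempt hit a privileged port. Because the script only prints, a diff against the previously applied output is an easy way to review rule changes before loading them.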
 
Old 10-10-2001, 09:56 PM   #4
subnet_rx
Member
 
Registered: Oct 2001
Distribution: Ubuntu 9.10
Posts: 148

Original Poster
ok

Yes, I reinstalled. I'm really patiently awaiting Red Hat 7.2 and maybe the firewall implementation will be a little easier to understand. Until then, I just printed out a bunch of rules tutorials, so, I'm going to try to learn a bit.
 
All times are GMT -5.