LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 02-21-2008, 10:53 AM   #1
harryhaller
Member
 
Registered: Sep 2004
Distribution: Slackware-14.2
Posts: 468

Port attacks from linuxquestions.org, wikipedia, yahoo, youtube, etc. etc.


My firestarter firewall is blocking port attacks from respectable sites such as lq, wikipedia, youtube, yahoo etc.

The attacks are in the 30000 range. And they change with each attempt.

Also they are not just tcp, but also 'unknown' etc.

The result is, of course, that I have been blocked from accessing these sites - in order to post this I have had to switch off my firewall!

Changing firestarter to accept from trusted sites access on those ports does not seem to help because then the attacks try using a different service, hence if I allow access for tcp, the attacks start using 'unknown' service, udp etc.

It seems as if the attacks intend to force me to turn off my firewall.
A sort of denial of services, so to speak, in reverse.

I am using slackware 10.1 and I am connected via cable.

Since this is clearly not a widespread problem - iow I do not think that the problem originates from the sites being accessed, I suppose that it may be related to my ISP or that I am specifically being targeted (which I doubt).

The only other strange thing that I can report is that my cable modem seems to re-train very often - even when idle.

I would be most grateful if anybody can throw some light on this matter.
 
Old 02-21-2008, 10:55 AM   #2
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Care to post some of your firewall logs?
 
Old 02-21-2008, 11:09 AM   #3
harryhaller
Member
 
Registered: Sep 2004
Distribution: Slackware-14.2
Posts: 468

Original Poster
Here is a small section of the log relating to linuxquestions.org (75.126.162.205)


Time:Feb 18 19:45:15 Direction: Inbound In:eth0 Out: Port:32995 Source:75.126.162.205 Destination:xxx.xx.xxx.xxx Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Feb 18 19:45:35 Direction: Inbound In:eth0 Out: Port:32996 Source:75.126.162.205 Destination:xxx.xx.xxx.xxx Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Feb 18 19:45:35 Direction: Inbound In:eth0 Out: Port:32997 Source:75.126.162.205 Destination:xxx.xx.xxx.xxx Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Feb 18 19:45:35 Direction: Inbound In:eth0 Out: Port:32998 Source:75.126.162.205 Destination:xxx.xx.xxx.xxx Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Feb 18 19:45:35 Direction: Inbound In:eth0 Out: Port:32999 Source:75.126.162.205 Destination:xxx.xx.xxx.xxx Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Feb 18 19:45:36 Direction: Inbound In:eth0 Out: Port:33000 Source:75.126.162.205 Destination:xxx.xx.xxx.xxx Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Feb 18 19:45:36 Direction: Inbound In:eth0 Out: Port:33001 Source:75.126.162.205 Destination:xxx.xx.xxx.xxx Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Feb 18 19:45:36 Direction: Inbound In:eth0 Out: Port:33002 Source:75.126.162.205 Destination:xxx.xx.xxx.xxx Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Feb 18 19:45:36 Direction: Inbound In:eth0 Out: Port:32995 Source:75.126.162.205 Destination:xxx.xx.xxx.xxx Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Feb 18 19:45:38 Direction: Inbound In:eth0 Out: Port:32996 Source:75.126.162.205 Destination:xxx.xx.xxx.xxx Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Feb 18 19:45:38 Direction: Inbound In:eth0 Out: Port:32997 Source:75.126.162.205 Destination:xxx.xx.xxx.xxx Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Feb 18 19:45:38 Direction: Inbound In:eth0 Out: Port:32998 Source:75.126.162.205 Destination:xxx.xx.xxx.xxx Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Feb 18 19:45:38 Direction: Inbound In:eth0 Out: Port:32999 Source:75.126.162.205 Destination:xxx.xx.xxx.xxx Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Feb 18 19:45:39 Direction: Inbound In:eth0 Out: Port:32997 Source:75.126.162.205 Destination:xxx.xx.xxx.xxx Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Feb 18 19:45:39 Direction: Inbound In:eth0 Out: Port:33000 Source:75.126.162.205 Destination:xxx.xx.xxx.xxx Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Feb 18 19:45:39 Direction: Inbound In:eth0 Out: Port:33001 Source:75.126.162.205 Destination:xxx.xx.xxx.xxx Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Feb 18 19:45:39 Direction: Inbound In:eth0 Out: Port:33002 Source:75.126.162.205 Destination:xxx.xx.xxx.xxx Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Feb 18 19:45:40 Direction: Inbound In:eth0 Out: Port:33000 Source:75.126.162.205 Destination:xxx.xx.xxx.xxx Length:44 TOS:0x00 Protocol:TCP Service:Unknown
 
Old 02-21-2008, 11:39 AM   #4
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

I'm going to make some assumptions and ask some questions and rely on you to confirm, deny or provide answers:

1. With the blocked traffic, were or are there established connections? For instance, is the LQ traffic initiated by you by a browser session? The reason I'm asking is that it's quite possible that your firewall rules may be misconfigured. The reason why I'm leaning toward that is that when reading FW logs, I sometimes see inverted traffic that may look bad until I realize that the traffic is actually the return part of bidirectional traffic. Remember, this is an assumption based on the fact that I need more info...

2. When did you notice this traffic?

3. Did you recently alter your FW policy?

4. Can you post your FW rules?

One observation is that in the last few weeks, I've noticed spam hitting my home network (on port 25) from wikipedia.org (although it's remotely possible that the spam is spoofed). While I doubt that LQ may be running an open relay, I've seen stranger things.

EDIT: oh yeah...that Service:Unknown bit irks me. Your firewall is doing service resolution? Something is not right. Looking at your logs, it appears that LQ is port scanning you, but I seriously doubt that. Those ports may be ephemeral, which would mean that the destination port (which we don't see) may be key in determining what's happening here. I can't believe that your firewall is trying to associate services with ephemeral ports, either...

Last edited by unixfool; 02-21-2008 at 11:46 AM.
 
Old 02-21-2008, 12:34 PM   #5
harryhaller
Member
 
Registered: Sep 2004
Distribution: Slackware-14.2
Posts: 468

Original Poster
Quote:
1. With the blocked traffic, was or is there established connections?
Yes - I was trying to contact the site and the site was responding - but blocked by the firewall. I first noticed the problem because the browser would time out the connection.

Quote:
2. When did you notice this traffic?
I first noticed it about 2 months ago with wikipedia - and thought, of course it was wikipedia's problem. Then it occurred with youtube, then with lq and now with yahoo - I can't get my mail.

NB - it seems to be getting worse - and I can say with almost certainty that it did not occur for all sites at the same time.

However - please note that I am not monitoring my fw log all the time, because there is always activity from strange sites - I assume that it is normal, pls tell me if this is not the case. I have only posted an extract which refers exclusively to lq.

Quote:
3. Did you recently alter your FW policy?
No - in fact I never changed the policy until after these problems occurred - I tried to allow the specific IPs to access those ports - but then their activity changed, e.g. using icmp instead of tcp - I gave up trying to give them specific access.

The only policy I can see on firestarter now is to allow incoming traffic from localhost.

Quote:
4. Can you post your FW rules?
yes. Here is the output from iptables -L
I've had to anonymise some addresses since they are so similar to my own.
That includes the DNS servers which I have defined in my resolv.conf.




Quote:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- dns.myISP.dom anywhere tcp flags:!SYN,RST,ACK/SYN
ACCEPT udp -- dns.myISP.dom anywhere
ACCEPT tcp -- host-xxx-xx-xxx-xxx.myISP.dom anywhere tcp flags:!SYN,RST,ACK/SYN
ACCEPT udp -- host-xxx-xx-xxx-xxx.myISP.dom anywhere
ACCEPT all -- anywhere anywhere
LSI udp -- anywhere anywhere udp dpt:33434
LSI icmp -- anywhere anywhere
NR all -- !host-xxx-xx-xxx-0.myISP.dom/24 anywhere
DROP all -- anywhere 255.255.255.255
DROP all -- anywhere host-xxx-xx-xxx-255.myISP.dom
DROP all -- BASE-ADDRESS.MCAST.NET/8 anywhere
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/8
DROP all -- 255.255.255.255 anywhere
DROP all -- anywhere 0.0.0.0
DROP all -- anywhere anywhere state INVALID
LSI all -f anywhere anywhere limit: avg 10/min burst 5
INBOUND all -- anywhere anywhere
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Unknown Input'

Chain FORWARD (policy DROP)
target prot opt source destination
LSI udp -- anywhere anywhere udp dpt:33434
LSI icmp -- anywhere anywhere
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Unknown Forward'

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- host-xxx-xx-xxx-xxx.myISP.dom dns.myISP.dom tcp dpt:domain
ACCEPT udp -- host-xxx-xx-xxx-xxx.myISP.dom dns.myISP.dom udp dpt:domain
ACCEPT tcp -- host-xxx-xx-xxx-xxx.myISP.dom host-xxx-xx-xxx-xxx.myISP.dom tcp dpt:domain
ACCEPT udp -- host-xxx-xx-xxx-xxx.myISP.dom host-xxx-xx-xxx-xxx.myISP.dom udp dpt:domain
ACCEPT all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/8 anywhere
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/8
DROP all -- 255.255.255.255 anywhere
DROP all -- anywhere 0.0.0.0
DROP all -- anywhere anywhere state INVALID
OUTBOUND all -- anywhere anywhere
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Unknown Output'

Chain INBOUND (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- localhost anywhere
LSI all -- anywhere anywhere

Chain LOG_FILTER (5 references)
target prot opt source destination
DROP all -- 74.125.10.91 anywhere
DROP tcp -- anywhere anywhere tcp dpt:41758
DROP udp -- anywhere anywhere udp dpt:41758
DROP tcp -- anywhere anywhere tcp dpt:41759
DROP udp -- anywhere anywhere udp dpt:41759

Chain LSI (93 references)
target prot opt source destination
LOG_FILTER all -- anywhere anywhere
LOG tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST
LOG icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP icmp -- anywhere anywhere icmp echo-request
LOG all -- anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Inbound '
DROP all -- anywhere anywhere

Chain LSO (0 references)
target prot opt source destination
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Outbound '
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain NR (1 references)
target prot opt source destination
LSI all -- 0.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 1.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 2.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 5.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 7.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 10.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 23.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 27.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 31.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 36.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 37.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 39.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 41.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 42.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 49.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 50.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 73.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- h-74-0-0-0.dllatx37.covad.net/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- adsl-75-0-0-0.dsl.renocs.sbcglobal.net/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- mo-76-0-0-0.dhcp.embarqhsd.net/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- frnk-4d000000.pool.mediaWays.net/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 78-0-0-0.adsl.net.t-com.hr/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 79.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 89.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- AMontpellier-257-1-113-net.w90-0.abo.wanadoo.fr/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 91.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 92.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 0.0.0-93.rev.gaoland.net/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 94.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 95.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 96.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 0.sub-97-0-0.myvzw.com/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 98.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 99.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 100.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 101.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 102.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 103.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 104.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 105.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 106.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 107.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 108.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 109.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 110.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 111.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 112.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 113.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 114.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 115.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 116.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 117.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 118.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 119.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 120.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- nip-121-0-0-0.onqnetworks.net/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 122.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- UNKNOWN-123-0-0-0.yahoo.com/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 124.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- ppp-net.infoweb.ne.jp/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- softbank126000000000.bbtec.net/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- loopback/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 169.254.0.0/16 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 172.16.0.0/12 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 173.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 174.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 175.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 176.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 177.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 178.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 179.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 180.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 181.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 182.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 183.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 184.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 185.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 186.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 187.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- ip-189-0-0-0.user.vivozap.com.br/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 190.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 192.0.2.0/24 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 192.168.0.0/16 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 197.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 198.18.0.0/15 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- 223.0.0.0/8 host-xxx-xx-xxx-0.myISP.dom/24
LSI all -- BASE-ADDRESS.MCAST.NET/3 host-xxx-xx-xxx-0.myISP.dom/24

Chain OUTBOUND (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

btw - I also have tcpdump -vvvS running at the moment, if that helps.
 
Old 03-02-2008, 06:40 AM   #6
evilDagmar
Member
 
Registered: Mar 2005
Location: Right behind you.
Distribution: NBG, then randomed.
Posts: 480

Man you need to seriously rethink those log rules. There's very little point in complicating things by adding a bunch of explicit deny rules for traffic that's already going to get caught by the global drop policy--all it does is add more visual noise that makes it hard to troubleshoot things. Only make rules for the traffic you want to allow. Everything else should be dropped by default.
 
Old 03-14-2008, 01:27 AM   #7
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: Slackware, Termux
Posts: 774

"Service unknown" probably just means that there is no corresponding label in /etc/services for the port, which would be the case for high ports. Looks like you are running an over-zealous firewall that is missing a few accept Established,Related and/or state/conntrack rules and is logging normal network traffic (in this case, probably you interacting with the LQ site) as attacks.
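A triage script for log lines in the Firestarter format posted above, added here as an example (it is not Firestarter's code or any poster's): it applies jayjwa's reading that a "Service:Unknown" hit on a high port is most likely the far end answering a connection you opened, which a working ESTABLISHED,RELATED rule would have accepted. It assumes the Linux default ephemeral range 32768-61000 and treats header-only TCP (60 bytes or less) to such a port as a probable reply; the sample lines are constructed, the LQ ones modelled on the poster's extract.

```python
"""Triage Firestarter-style 'Inbound' log lines: replies to our own connections vs. probes.
Heuristic only: it flags what an ESTABLISHED,RELATED accept rule should have let through."""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumption: Linux default ip_local_port_range of the 2.4/2.6 era (32768-61000). For an
# inbound entry Firestarter's "Port:" is the local, i.e. destination, port.
EPHEMERAL = range(32768, 61001)
# A TCP segment with no payload is at most 20 IP + 20 TCP + 20 option bytes; a SYN-ACK
# carrying only an MSS option is 44 bytes, exactly the Length: in the poster's extract.
MAX_HEADER_ONLY_LEN = 60

LINE_RE = re.compile(
    r"Time:(?P<time>\w+ +\d+ \d\d:\d\d:\d\d) Direction: *(?P<direction>\w+) "
    r"In:(?P<dev_in>\S*) Out:(?P<dev_out>\S*) Port:(?P<port>\d+) Source:(?P<src>\S+) "
    r"Destination:(?P<dst>\S+) Length:(?P<length>\d+) TOS:\S+ Protocol:(?P<proto>\w+) "
    r"Service:(?P<service>\S+)"
)

@dataclass(frozen=True)
class Entry:
    time: str
    port: int      # local (destination) port
    src: str       # remote address
    length: int    # IP total length in bytes
    proto: str
    service: str   # Firestarter's /etc/services lookup; "Unknown" for unlisted high ports

def parse(log_text: str) -> list[Entry]:
    """Parse every well-formed Inbound line; skip wrapped fragments and anything else."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["direction"] == "Inbound":
            entries.append(Entry(m["time"], int(m["port"]), m["src"],
                                 int(m["length"]), m["proto"].upper(), m["service"]))
    return entries

def classify(e: Entry) -> str:
    """'probable-reply': header-only TCP aimed at one of our ephemeral ports, i.e. the far
    end answering a connection we opened. 'unsolicited': aimed at a service port, which no
    outbound connection of ours would use. 'other': undecided (e.g. UDP or a payload)."""
    if e.proto == "TCP" and e.port in EPHEMERAL and e.length <= MAX_HEADER_ONLY_LEN:
        return "probable-reply"
    if e.port not in EPHEMERAL:
        return "unsolicited"
    return "other"

def summarize(entries: list[Entry]) -> dict[str, Counter]:
    """Per remote address, how many entries fall into each class."""
    per_src: dict[str, Counter] = defaultdict(Counter)
    for e in entries:
        per_src[e.src][classify(e)] += 1
    return dict(per_src)

def suspect_missing_state_rule(summary: dict[str, Counter], threshold: int = 3) -> list[str]:
    """Remote addresses whose blocked traffic looks like replies: a sign that the stateful
    ACCEPT rule is missing or sits after the rule that logged and dropped the packets."""
    return sorted(s for s, c in summary.items() if c["probable-reply"] >= threshold)

# Constructed sample in the thread's log format: three lines modelled on the poster's LQ
# extract (75.126.162.205), two made-up probes from a documentation address.
SAMPLE_LOG = """\
Time:Feb 18 19:45:15 Direction: Inbound In:eth0 Out: Port:32995 Source:75.126.162.205 Destination:xxx.xx.xxx.xxx Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Feb 18 19:45:35 Direction: Inbound In:eth0 Out: Port:32996 Source:75.126.162.205 Destination:xxx.xx.xxx.xxx Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Feb 18 19:45:36 Direction: Inbound In:eth0 Out: Port:32995 Source:75.126.162.205 Destination:xxx.xx.xxx.xxx Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Feb 18 19:46:02 Direction: Inbound In:eth0 Out: Port:22 Source:198.51.100.7 Destination:xxx.xx.xxx.xxx Length:60 TOS:0x00 Protocol:TCP Service:SSH
Time:Feb 18 19:46:03 Direction: Inbound In:eth0 Out: Port:23 Source:198.51.100.7 Destination:xxx.xx.xxx.xxx Length:60 TOS:0x00 Protocol:TCP Service:Telnet
"""

if __name__ == "__main__":
    report = summarize(parse(SAMPLE_LOG))
    for src, counts in sorted(report.items()):
        print(src, dict(counts))
    print("re-check the ESTABLISHED,RELATED rule for:", suspect_missing_state_rule(report))
```

On the sample the LQ address comes out as three probable replies and the documentation address as two unsolicited hits, so only the former is reported as a stateful-rule problem.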
 
Old 03-14-2008, 07:16 AM   #8
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

nevermind...misread the previous post...my bad.

Last edited by unixfool; 03-14-2008 at 07:22 AM.
 
Old 03-18-2008, 05:48 AM   #9
harryhaller
Member
 
Registered: Sep 2004
Distribution: Slackware-14.2
Posts: 468

Original Poster
I am just running "firestarter" with its default configuration - I haven't added any rules.

Should I change my firewall program?
 
Old 03-18-2008, 06:26 AM   #10
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

I'd try running the firewall without firestarter, with a simple set of rules. I've never manually created such a beefy policy, so I agree with jayjwa on this one...firestarter appears to be rather overzealous.
 
Old 03-18-2008, 07:27 AM   #11
harryhaller
Member
 
Registered: Sep 2004
Distribution: Slackware-14.2
Posts: 468

Original Poster
Thanks unixfool. I'll start doing that.

As a complete newbie with regard to IP tables etc., can you give me some pointers? (links you recommend).

How do you set up your firewall?
 
Old 03-18-2008, 09:57 AM   #12
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Quote:
Originally Posted by harryhaller View Post
Thanks unixfool. I'll start doing that.

As a complete newbie with regard to IP tables etc., can you give me some pointers? (links you recommend).

How do you set up your firewall?
I'm at work but if no one has done this by the time I get home (within 5-6 hrs), I'll attempt to assist.
 
Old 03-18-2008, 11:38 PM   #13
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

A few things first:

1. Below is an example. You should already have an idea of what you want to allow/disallow.
2. You can use the below example as a template and convert your existing ruleset to something a bit more simple.

I'm hoping I'm not moving so quickly that I've forgotten something, but here goes.

OK, I've a host that is internal to my network that runs Slackware 12.0 but doesn't run a firewall script. It normally doesn't serve content but I needed a box to experiment with (I'm more proficient with PF, although once you know one FW, you pretty much know them all).

I created rc.firewall and placed it in /etc/rc.d (this is where Slackware keeps its init scripts...your distro may vary). Then I added the following to rc.firewall:

Code:
    #!/bin/sh

    # This is a very basic LAN NAT script, allowing only SSH to the firewall from
    # the external interface, allowing all outbound LAN traffic, and allowing only
    # established/related traffic back into the LAN.
    #
    # eth1 = external NIC (ISP)
    # eth0 = internal NIC (LAN)
    #
    # allows connections to port 443 for web services
    # allows connections to port 22 for ssh access

    ipt=/usr/sbin/iptables
    extip=99.99.99.99 # replace with your EXTERNAL IP - eth1
    lan=10.10.10.0/24 # your LAN CIDR range - eth0
    debug=            # set to "echo" to print the reset commands instead of running them

    # start firewall
    start_firewall() {

      echo "Enabling IP forwarding."
      echo 1 > /proc/sys/net/ipv4/ip_forward

      echo "Enabling iptables firewall."
      # default policies
      $ipt -P INPUT DROP
      $ipt -P FORWARD DROP

      # NAT
      $ipt -t nat -A POSTROUTING -o eth1 -j SNAT --to-source $extip

      # INPUT chain
      $ipt -A INPUT -i lo -j ACCEPT
      $ipt -A INPUT -i eth0 -s $lan -j ACCEPT
      $ipt -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
      $ipt -A INPUT -p tcp --destination-port 443 -j ACCEPT
      $ipt -A INPUT -p tcp --destination-port 22 -j ACCEPT

      # FORWARD chain
      $ipt -A FORWARD -i eth0 -s $lan -j ACCEPT
      $ipt -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

    }

    # stop firewall
    stop_firewall() {

      $ipt -P INPUT DROP
      $ipt -P OUTPUT DROP
      $ipt -P FORWARD DROP
      # allow internal traffic
      $ipt -A INPUT -i eth0 -j ACCEPT
      $ipt -A OUTPUT -o eth0 -j ACCEPT

    }

    # flushing, removing and zeroing tables
    reset_firewall() {

      chains=`cat /proc/net/ip_tables_names`
      for i in $chains; do
        $debug $ipt -t $i -F
        $debug $ipt -t $i -X
        $debug $ipt -t $i -Z
      done

    }

    case "$1" in

      start|restart|reload)
        reset_firewall
        start_firewall
        ;;
      stop)
        reset_firewall
        stop_firewall
        ;;
      *)
        echo "Usage: $0 {start|stop|restart|reload}";
        exit 1
        ;;

    esac
This is a script but you can actually see the breakdown of the chains. You can experiment with this script to add what you want to any chain.

iptables has an extensive manual. There are also extensive tutorials/howtos/FAQs that can be located via google. For expediency's sake, I grabbed the above from slackwiki.org/security and edited it just to see how quickly I could get a bare-bones FW ruleset implemented. Took me like 10 minutes max. Tuning this script to your environment/host should be pretty easy.

I'll leave you now, to experiment. You'll find that managing your rules manually isn't difficult and is probably more efficient than relying on a GUI (unless you've a ton of firewalls to manage), though YMMV.

Last edited by unixfool; 03-19-2008 at 06:31 AM. Reason: added a paragraph at the beginning to explain the fact that the example is just an example :)
 
Old 03-19-2008, 08:14 PM   #14
harryhaller
Member
 
Registered: Sep 2004
Distribution: Slackware-14.2
Posts: 468

Original Poster
Thanks unixfool.

That's what I was thinking of - a basic script which I can "play around with"

I'm not happy with GUIs either - it's like working in the dark and they often have their own bugs.

I use Slackware (10.1) and I use the rc.firewall script to start firestarter - but that is now going to change.

Thanks again - and also for pointing out that I wasn't "under attack" but that my firewall was too strong - a weight off my mind!

Last edited by harryhaller; 03-19-2008 at 08:15 PM.
 
  

