LinuxQuestions.org

Forum: Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
Thread: RH 7.1 firewall-config ? (https://www.linuxquestions.org/questions/linux-security-4/rh-7-1-firewall-config-4696/)

zhenwu 07-24-2001 10:13 PM

RH 7.1 firewall-config ?
 
I had installed RH 7.1, and found the GUI interface of firewall-config very handy (still getting the hang of term window commands).

For an unrelated reason I had to re-install, and have since lost that command. I therefore need to figure out if a) I even HAVE a firewall running (I can ping my address from another comp.), and b) how to configure it.

I do know that when I installed this time I set the firewall to 'high' security...

Thanks for any help you can give.

d3funct 07-25-2001 05:59 PM

You can access that firewall configuration dialog by typing "setup" as root.

KevinJ 07-25-2001 09:19 PM

you can??

d3funct 07-26-2001 10:34 AM

Well,

I don't know if you can, but I can. Just su to root and type setup, and you get the "text mode setup utility 1.7" with a menu kinda like this:

Choose a tool

Authentication Configuration
Firewall Configuration
Keyboard configuration
Mouse configuration
Network configuration
System services
Timezone configuration
X configuration

Run Tool Quit


if you choose the Firewall Configuration you get
_________________| Firewall Configuration|_____
A firewall protects against unauthorized network intrusions. High security blocks all incoming accesses. Medium blocks access to system services (such as telnet or printing), but allows other connections. No firewall allows all connections and is not recommended.

Security Level: (*) High ()Medium () No firewall

OK Customize Cancel

Have you ever done this one?

d3funct 07-26-2001 10:36 AM

Granted this is not real firewall configuration, but it is the firewall configuration you run through during installation/setup of the system.

KevinJ 07-26-2001 10:48 AM

Hrmm... I don't have that Firewall Config option. Maybe it's something I left out during install.

d3funct 07-26-2001 11:17 AM

That could be, I installed everything with RH 7.1 because I wanted to look at all of it and see how it all worked together and look for buggy apps. I've been pretty happy, not much core dumping, but I'm still having great fun with IPtables doing masquerading and forwarding. Take it easy.

raz 07-27-2001 03:59 AM

OK, as the other guys answered your B question, I'll answer your A question.

On RH 7.1 you have 2 types of firewalls, iptables and ipchains, "iptables being the newer one".

To find out if you have any of these firewalls running type:

"as root"
/etc/rc.d/init.d/ipchains status

If nothing is returned then you're not using ipchains.
If something is returned with all accept rules then you're running a firewall with everything open ("accept").

or type:
/sbin/iptables --list

If you get error messages then iptables is not working or installed correctly, otherwise you get a list of the policy settings.

/raz
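As an added example that is not part of raz's post: a small script that turns the "look at what the listing returns" step into a repeatable check. It reads the output of `ipchains -L -n` or `iptables -L -n` and reports whether the host is effectively open (every chain policy ACCEPT and no DENY/DROP/REJECT rule), filtering, or not using that tool at all. The three listings embedded below are constructed samples in the two tools' output format, not captures from a real RH 7.1 box; `--live` runs the real commands and needs root.

```shell
#!/bin/sh
# Added example: classify a packet-filter listing as none / open / filtering.
# Works on the plain (-n) listing of both ipchains and iptables.

# One "chain policy" pair per line.  ipchains prints
# "Chain input (policy ACCEPT):", iptables "Chain INPUT (policy ACCEPT)".
chain_policies() {
    sed -n 's/^Chain \([^ ]*\) (policy \([A-Z]*\)).*/\1 \2/p'
}

# Number of rules that refuse traffic (ipchains DENY/REJECT, iptables DROP/REJECT).
blocking_rules() {
    awk '$1 == "DENY" || $1 == "DROP" || $1 == "REJECT"' | wc -l | tr -d ' '
}

# Verdict for a listing read from stdin:
#   none      - empty listing (tool not in use on this kernel)
#   open      - every chain policy is ACCEPT and nothing is blocked by rule
#   filtering - at least one chain blocks by policy or by rule
fw_verdict() {
    listing=$(cat)
    [ -n "$listing" ] || { echo none; return; }
    nonaccept=$(printf '%s\n' "$listing" | chain_policies | awk '$2 != "ACCEPT"' | wc -l | tr -d ' ')
    blocks=$(printf '%s\n' "$listing" | blocking_rules)
    if [ "$nonaccept" -eq 0 ] && [ "$blocks" -eq 0 ]; then
        echo open
    else
        echo filtering
    fi
}

# Constructed sample: ipchains with only ACCEPT rules, the "everything open" case.
SAMPLE_ALL_ACCEPT='Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
ACCEPT     all  ------  0.0.0.0/0            0.0.0.0/0             n/a
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):'

# Constructed sample: ipchains rejecting new connections to privileged ports.
SAMPLE_REJECT_RULES='Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
ACCEPT     all  ------  0.0.0.0/0            0.0.0.0/0             n/a
REJECT     tcp  -y----  0.0.0.0/0            0.0.0.0/0             * ->   0:1023
REJECT     udp  ------  0.0.0.0/0            0.0.0.0/0             * ->   0:1023
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):'

# Constructed sample: iptables with a default-deny INPUT policy.
SAMPLE_IPTABLES_DROP='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Live check against the running kernel: sh fwcheck.sh --live   (as root)
# On a 2.4 kernel only one of the two modules can be loaded; the other
# tool prints an error to stderr and an empty listing, hence "none".
if [ "${1:-}" = "--live" ]; then
    for tool in ipchains iptables; do
        if command -v "$tool" >/dev/null 2>&1; then
            printf '%s: ' "$tool"; "$tool" -L -n 2>/dev/null | fw_verdict
        else
            echo "$tool: not installed"
        fi
    done
fi
```

A listing that comes back "open" is exactly the case raz describes: the tool is loaded, but every rule says ACCEPT, so nothing is being filtered.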

zhenwu 07-31-2001 02:12 AM

Thanks raz, that helps.



So, then, here's one last question (for now ;) ) :

I went to the sygate site, and most things were blocked, a couple were closed but ICMP was wide open. I looked through my firewall script (ipchains) to see if I could find where that might be set, but wasn't able to.

Preferably I'd like to run silent, do you have any suggestions?

raz 08-01-2001 04:27 AM

Yes I have some suggestions:

Sorry for the late response, I was off on holiday.

To help make your firewall more stealthy add these lines to your current script.

#!/bin/sh
# Hardening sysctls plus ICMP rules for an ipchains host.  Run as root.
# EXT_IP is the host's Internet address (placeholder kept from the original).
EXT_IP="your_internet_ip_address"

# Write a /proc/sys value from its dotted sysctl name.  Keys this kernel does
# not have are skipped instead of aborting the script (ip_always_defrag and
# the IPVS net.ipv4.vs.* keys are not present on every 2.4 kernel).
setsys() {
    f="/proc/sys/$(echo "$1" | tr . /)"
    if [ -w "$f" ]; then
        echo "$2" > "$f"
    else
        echo "skipping $1: not present on this kernel" >&2
    fi
}

# TCP and routing tuning
setsys net.ipv4.tcp_max_syn_backlog 256
setsys net.ipv4.tcp_syn_retries 5
setsys net.ipv4.vs.timeout_synack 60        # IPVS only
setsys net.ipv4.route.mtu_expires 512
setsys net.ipv4.tcp_keepalive_time 7600
setsys net.ipv4.icmp_echoreply_rate 10
setsys net.ipv4.tcp_fin_timeout 360
setsys net.ipv4.tcp_rfc1337 1
setsys net.ipv4.ip_no_pmtu_disc 0
setsys net.ipv4.tcp_syncookies 1
setsys net.ipv4.ip_always_defrag 1
# ICMP handling and anti-spoofing
setsys net.ipv4.icmp_echo_ignore_broadcasts 1
setsys net.ipv4.icmp_ignore_bogus_error_responses 1
setsys net.ipv4.conf.all.rp_filter 1
setsys net.ipv4.conf.all.accept_redirects 0
setsys net.ipv4.ip_default_ttl 61           # non-default TTL muddies OS fingerprinting
setsys net.ipv4.conf.all.send_redirects 0

# Traceroute probes are UDP to destination ports 33434-33600, so the port range
# goes with -d (destination), not -s, in ipchains syntax.  REJECT answers with an
# ICMP port-unreachable; use DENY instead if you want no answer at all.
ipchains -A input -p udp -s 0/0 -d "$EXT_IP" 33434:33600 -j REJECT -l
# Outbound ICMP: allow everything
ipchains -A output -p icmp -s 0/0 -d 0/0 -j ACCEPT
# Inbound ICMP: accept replies and error reports this host may need...
ipchains -A input -p icmp -s 0/0 --icmp-type 0 -d 0/0 -j ACCEPT    # echo-reply
ipchains -A input -p icmp -s 0/0 --icmp-type 3 -d 0/0 -j ACCEPT    # destination-unreachable
ipchains -A input -p icmp -s 0/0 --icmp-type 4 -d 0/0 -j ACCEPT    # source-quench
ipchains -A input -p icmp -s 0/0 --icmp-type 9 -d 0/0 -j ACCEPT    # router-advertisement
ipchains -A input -p icmp -s 0/0 --icmp-type 12 -d 0/0 -j ACCEPT   # parameter-problem
ipchains -A input -p icmp -s 0/0 --icmp-type 14 -d 0/0 -j ACCEPT   # timestamp-reply
ipchains -A input -p icmp -s 0/0 --icmp-type 18 -d 0/0 -j ACCEPT   # address-mask-reply
# ...and silently drop (but log) the probes
ipchains -A input -p icmp -s 0/0 --icmp-type 8 -d 0/0 -j DENY -l   # echo-request
ipchains -A input -p icmp -s 0/0 --icmp-type 11 -d 0/0 -j DENY -l  # time-exceeded
ipchains -A input -p icmp -s 0/0 --icmp-type 10 -d 0/0 -j DENY -l  # router-solicitation
# some of the other types of ICMP's won't work through ipchains like type 13 or 17 so leave them out

/Raz
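As an added example that is not part of raz's post: the same ICMP policy written for iptables, which raz notes is the newer of the two filters on RH 7.1. Rather than enumerating every ICMP type that may legitimately arrive, it lets connection tracking admit the replies and error reports that belong to traffic this host started, then drops the probes. Types 13 and 17, which raz could not match under ipchains, are matched here by name (timestamp-request, address-mask-request). EXT_IF is an assumed interface name; the rule set is emitted as text so it can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: stateful ICMP stealth rules for iptables (2.4-era syntax).
# Usage:  sh icmp_stealth.sh --print        # show the rules
#         sh icmp_stealth.sh --apply        # apply them, as root
EXT_IF=${EXT_IF:-eth0}    # assumed Internet-facing interface

# Print the rules, one iptables invocation per line.
emit_icmp_rules() {
    # Own chain for inbound ICMP on the external interface; replies to our
    # pings (ESTABLISHED) and errors about our connections (RELATED) pass.
    cat <<EOF
iptables -N ICMP_IN
iptables -A INPUT -i $EXT_IF -p icmp -j ICMP_IN
iptables -A ICMP_IN -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # Probes that reveal the host: log at a limited rate (so a flood cannot
    # fill syslog), then drop without answering.
    for t in echo-request timestamp-request address-mask-request router-solicitation; do
        echo "iptables -A ICMP_IN -p icmp --icmp-type $t -m limit --limit 3/min -j LOG --log-prefix 'ICMP probe: '"
        echo "iptables -A ICMP_IN -p icmp --icmp-type $t -j DROP"
    done
    # Any other unsolicited ICMP (unrelated time-exceeded, redirects, ...) is dropped too.
    echo "iptables -A ICMP_IN -j DROP"
    # Outbound ICMP stays open, as in the ipchains version.
    echo "iptables -A OUTPUT -o $EXT_IF -p icmp -j ACCEPT"
}

case "${1:-}" in
    --print) emit_icmp_rules ;;
    --apply) emit_icmp_rules | sh ;;
esac
```

After applying, ping the host from another machine: the reply should never come, and `iptables -L ICMP_IN -v -n` should show the packet counters on the echo-request DROP rule climbing. Because a reply to a ping the host sent itself is ESTABLISHED, outbound ping keeps working without opening echo-reply to the world.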

