Need help tweaking rc.firewall from alien bobs site
 

Hi all,

I just went thru Alien Bob's firewall builder, as I'm trying to learn IP/tables etc and not have my hand held via other app's that are more gui driven.

However, I cannot locate where in the rc.firewall that I put for samba/windows shares.

Would I just add this to "Network File System" Section:
Also, I believe that I should probably also un-comment where 'netbios' packets are to be dropped, correct?

Lastly, I was wondering, there is a section on the script builder that let's you add in custom ports. The script only allows you to do one port for custom, tcp or udp. If I have more custom ports that I want configured, do I simply add them right there below that line?

Am I missing anything else. Thank you.

I don't know if it helps (I'm not familiar with AlienBob's firewall), but here is how I allow Samba access on my LAN:

As far as where it should go, you just need to make sure that there are no rules in front of it that would do something with SAMBA packets before they hit these rules.

The same would go for the custom ports. You just need to check if there is a rule in front of the rule for the custom port that would do something with the packet. Otherwise, you should be able to open as many custom ports as you like.

Well it is not my firewall :-) I only found it and modified it just a little so that it would apply to Slackware.

Actually, look for and insert your line right after that. By the way, port 631 is the CUPS printing port, it has nothing to do with Fileservers... but I assume you were aware of that?

If the firewalled box is to act as a Samba fileserver, yes.

Yes, if you want to add additional port ranges, you can copy and paste the relevant lines, and change the port number. The script generator does the basic work for you, after that it's all yours to adapt.

Eric

Hi all,

Thank you for the replies.

Handog mention's that I should be sure that there are no 'rules' set up before my custom rules, so basically, if I understand this correctly, rules at top in the rc.firewall file have more "priority" per se' then rules lower in the file? Correct.

@alien bob: regarding 631 port, actually, I forgot that was printing :D and it is presently being dropped now on that machine according to dmesg, tho I didnt test printing yet. ok I gotta set up my cups too then, np.

it depends... you wanna focus on what the end-result in the actual chain is - not so much what you see in the script... rules in chains are interpreted from top to bottom... when you append (-A) a rule to a chain, it goes to the end of the chain... when you insert (-I) a rule, it goes to the top of the chain...

example #1:example #2:in example #1, 192.168.100.22 will be able to connect to port 80 on our box... in example #2, it will NOT - because the second rule was inserted and went to the top of the INPUT chain...

you *usually* won't see inserts (-I) in iptables scripts, as one could simply edit the appends to have the rules execute in the wanted order... however, inserts are VERY useful from the command-line, or from automated-response scripts... but i'm getting off-topic now - too much coffee... =/

Hey Fogie!

Can I ask where you got the firewall builder script? I looked on Eric's page but didn't see it. I was hoping to pull some ideas from it. I'm about to start work on my own utility and wanted to brainstorm some ideas. (sorry if this is considered thread hi-jacking. I'm not really sure what the actual definition is).

Thanks!
...drkstr

Hi drkstr

here is the link http://www.slackware.com/~alien/efg/

thanks for the info win32 much appreciated, that makes sense.

hmmm...

I put this into /etc/rc.firewall:

$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 631:631 -j ACCEPT

But I keep getting this in my dmesg:
INPUT packet died: IN=eth1 OUT= MAC= SRC=192.168.XXX.XXX DST=192.168.XXX.255 LEN=1 95 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=175

which is obviously that pc broadcasting to others on my local lan that I have a printer service on that pc on port 631 but it's blocking it still? any thoughts thank you :D

i'm not sure, but i would think you'd need a separate rule in order to accept broadcasts... BTW, it really isn't necessary to censor your internal IPs when you post... :)

Could it be a syntax problem? I'm not sure you need the range specification if you are accepting at a single port (i.e. --destination-port 631 -j ACCEPT).

although that specification isn't necessary and looks sloppy, it seems like it would have no negative impact... i did this quick test to make sure:

Alien Bob,

I was just wondering, I should be ok to use the "easy firewall script" on your site for slack11? correct?

It should just work - after all it is just a script of iptables commands that it produces. I guess if you start using IPV6, you'll need something else.

Eric

Thank you for quick reply Bob, I'm going to give it a shot.

No IPV6 devices here, from the little I have read, I need to have hardware to support it, so shouldn't be an issue I suppose.

Tho it does get modprobe'd, I might take that out of my loaded modules at boot time.

Thanks again.

I am not an iptables expert, but I think there are some potential conceptual errors in this thread.

If you trust all the boxes on your LAN, then all you need do is configure the firewall script builder at Eric's web site such that all LAN traffic is trusted. After you do that, you need not worry about specific rules for specific ports on the LAN side.

If you allow access to your LAN from outside the LAN, then usually you need to add additional rules for those ports. But the LAN interface and the internet interface are two different sets of rules. The port exceptions would be on the INET interface, not the LAN interface.

I use the same approach with my Windows firewall. I trust my LAN and allow all such traffic. The bulk of my rule set is concerned with blocking the parasites outside my LAN.

Take a closer look at the rules generated by the script builder at Eric's site, which basically is a modified version of the script builder found at http://easyfwgen.morizot.net/gen/. I believe Eric's version basically addresses path name issues unique to Slackware (such as the path to the iptables executable). However, the rule set generated by this online script builder should have references to both the LAN and internet (INET) interfaces. Within the LAN you do not (normally) need additional rules to pass specific ports because the LAN is trusted and all traffic is passed and forwarded. Only the INET interface needs special attention and only if allowing outside access to specific LAN ports.

I run Samba, SSH, VSFTP on my LAN and I have no rules addressing those specific ports on the LAN side. I only have the rules addressing the basic LAN interface and I accept all traffic on the LAN. Even on the LAN side, any point not shared through Samba or allowed by SSH is simply ignored and the firewall rules have no part in that process because the ports are not open. I do not have any special rules addressing CUPS (port 631) or Samba (ports 139, 445, etc.). On my gateway box, on the INET interface I have rules added such that with some simple variable modifications, I can grant external outside access to those services. For example, if I go on the road and I want SSH or FTP access to my LAN, I toggle those variables, restart my firewall script, and those ports then are accessible from the outside world. But these mods always affect only the INET interface, and not the LAN interface.

A key to using the online firewall script builder is understanding the difference between the two interfaces (LAN and INET). Although adding additional security at each workstation in a LAN with local iptables firewall rules is a good idea, the critical point is the box that provides gateway and NAT services between the LAN and the internet. That box, unlike others in the LAN, is unique because there are at least two interfaces. Most if not all the other boxes on the LAN have only one interface. For those boxes, using the online script builder is straightforward---simply build a rule set for one interface---and that interface is also the interface for the internet because to a LAN box, the LAN gateway is the internet.

In other words, for people with LANs, generate two sets of firewall rules. Build one rule set for the generic LAN boxes and one for the box that provides gateway and NAT services. For people using stand-alone boxes, generate only one rule set because the internet interface is the only interface needing rules. That interface might be a NIC, a phone modem, or ISDN. Simply select the appropriate device.

The best way to understand the online script builder is to generate three sets of rules: 1) for a stand-alone box, 2) for a LAN box, and 3) for a gateway box. Then use a file comparison tool (in KDE, Kompare is excellent) to study the differences. Again, I am not an iptables expert, but this approach is how I learned the unique differences among the different interfaces and needs.

Because I am not an iptables expert, I welcome any corrections to my post.

One little things I want to add...

I wouldn't recommend this if you have a wireless access point on your network. Wireless encryption keys are easily cracked and it's possible to make a homemade wifi antena that extends a malicious user's reach quite a bit.

If you have a wireless access point anywhere on your network, I would recomend leaving the local network as semi untrusted, or assign wireless connections to a different (untrusted) subnet.

For instance, I allow ssh connections from any local machine, but I do not export nfs mounts to the local network. Instead, I lock in each of my boxen by mac address and export only to a specific machine. (note: this is not fool proof, but should stop the common script kiddie/war driver)

regards,
...drkstr