Debian: This forum is for the discussion of Debian Linux.
How can I open a port (ssh, http) for incoming connections using guarddog?
Answer:
Got this reply from a good soul on the guarddog mailing list:
Click the Protocol tab then select the "local" zone.
On the right, expand "Interactive sessions". Find SSH and check (not X) the boxes to allow the local zone to provide SSH services to whatever other zones you choose.
Originally posted by macondo:
Read the sticky 'Debian Configuration Post-Install' at the top.
Do yourself a favor and read the WHOLE thing, including the other posts within the thread; it will save you some posting.
I did read it through.
Your tutorial shows how to allow outbound connections from local applications; what I need is to allow incoming connections from the internet.
Everything you select (afaik) in the protocols section is opening outbound only.
When I use Shields Up to check it (you see I read it?), all of the ports are blocked, and still I have no problems accessing the web or doing anything.
I suspect it's just not possible with guarddog, and if that's the case, I'll use the less convenient (to my taste) firestarter.
"Everything you select (afaik) in the protocols section is opening outbound only."
Maybe somebody who uses SSH can explain this; I sure am ignorant about this subject.
"When I use Shields Up to check it (you see I read it?)"
attaboy!
"All of the ports are blocked, and still I have no problems accessing the web or doing anything.
I suspect it's just not possible with guarddog, and if that's the case, I'll use the less convenient (to my taste) firestarter."
No, I don't think so. If it is as you say, Firestarter configuration is the same (you enable the ports open); maybe there is some way of doing it in both, but we don't know.
Have you tried to ssh to your computer? What does it say?
Locally it works fine.
And remotely it works only when the firewall is disabled.
About firestarter: the first time I ran it, it asked me if I wanted to make certain services public, which is just what I need.
But now firestarter seems broken: it says some file, /etc/firestarter/firewall.sh, is missing.
Tried to purge it and re-install, but it's still missing.
FireHOL is another firewall. It doesn't have a GUI, but the configuration syntax is very simple. There's a tutorial for FireHOL at http://firehol.sourceforge.net/tutorial.html. See if that makes sense to you and, if it does, just remove the other firewalls ("aptitude purge guarddog" && "aptitude purge firestarter") and install FireHOL.
But DON'T attempt to use many firewalls at the same time!
Dead Parrot:
Last night I was bored with the presidential debate, and uninstalled Guarddog and installed Firestarter, which gave me some open ports at grc.com; uninstalled that and installed Firehol, which was easy to set up (default, did nothing) but also showed some red ports at grc.com; uninstalled that too. So far, Guarddog is the only one that gives me a clean bill of health at grc.com.
This is going to require some serious reading this weekend. I like Firehol; it was a snap. Then, following one of your posts, I uninstalled XDM, which took with it 'x-window-system' but left 'x-window-system-core', with the hope of eliminating a bunch of worthless fonts, rebooted, and came back to the console login, which was fine, but still I'm getting all those attempts by some companies to go out, which has to do with the configuration of the firewall. Any ideas?
What's your config on Firehol, and do you get these messages when you are at the console for a while?
I get these messages too.
The most annoying thing is that they pop up when you are at your lowest, with just a terminal.
What's the deal with the companies? What companies?
@macondo:
Thanks for the tip! I've only tested FireHOL (basic setup via "firehol-wizard") on the "Shields UP!!" page -- seemed to be OK. Must try other tests too; the FireHOL page at Sourceforge recommends installing Nessus.
I'm very ignorant on the topic of iptables/netfilter. Have always thought there's plenty of time to study it later on.
Ah, grc.com is the same as "Shields UP!!". Well, my FireHOL setup passed it cleanly.
My /etc/firehol/firehol.conf looks like this:
Code:
version 5
# Accept all client traffic on any interface
interface any world
client all accept
My /etc/default/firehol looks like this:
Code:
START_FIREHOL=YES
In addition, I have "S38firehol" in /etc/rcS.d/. Before testing FireHOL make sure that you haven't got any other firewall scripts in /etc/rcS.d/ or /etc/rc{2-5}.d/. It's better to remove other firewall programs with "aptitude purge" to make sure that they don't interfere.
About those annoying console messages: You can quiet them down by adding the line:
The steps to enable FireHOL are:
1) Install Firehol.
2) Edit /etc/default/firehol (change "START_FIREHOL=NO" to "START_FIREHOL=YES").
3) Run (as root) "firehol-wizard"
4) Start FireHOL (as root) with "/etc/init.d/firehol restart".
5) Test if your firewall works as expected: https://grc.com/x/ne.dll?bh0bkyd2 http://scan.sygate.com/
Last edited by Dead Parrot; 10-01-2004 at 01:06 PM.
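The firehol.conf above only lets traffic out, which is exactly the "outbound only" behaviour the thread starter complained about. The script below is an added example, not code from this thread or from the FireHOL project: it prints a firehol.conf that keeps "client all accept" but also admits the named services (ssh, http) from the internet, and it performs the two pre-flight checks Dead Parrot describes (no second firewall script in /etc/rcS.d or /etc/rc{2-5}.d, and START_FIREHOL=YES in /etc/default/firehol). The FireHOL directives are standard FireHOL 1.x syntax; the function names and the fake directory tree built at the bottom are my own constructions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or the FireHOL project. The FireHOL
# directives are standard FireHOL 1.x syntax; the function names and the
# fake directory tree built at the bottom are constructed for the demo.

# Print a firehol.conf that keeps "client all accept" but also lets the
# listed services (e.g. "ssh http") in from any host, which is what the
# original question asked for. Only the services you name become reachable.
gen_firehol_conf() {
    printf '%s\n' 'version 5' '' \
        '# "any" matches every interface; "world" is just a label for this zone' \
        'interface any world' \
        '    policy drop          # anything not listed below is dropped' \
        '    protection strong    # drop malformed, spoofed and flood packets'
    for svc in "$@"; do
        printf '    server %s accept    # allow incoming %s connections\n' "$svc" "$svc"
    done
    printf '%s\n' '    client all accept    # all outgoing connections and their replies'
}

# Find init-script links in rcS.d and rc2.d..rc5.d of a root tree that would
# start a firewall other than FireHOL at boot. Two firewalls loading rules
# into the same iptables tables overwrite each other, hence "don't run many
# firewalls at once". Prints one line per offending link; returns 0 when
# none is found, 1 otherwise. Pass "" (or nothing) to scan the real system.
check_rc_conflicts() {
    root=${1:-}
    found=0
    for dir in "$root"/etc/rcS.d "$root"/etc/rc2.d "$root"/etc/rc3.d \
               "$root"/etc/rc4.d "$root"/etc/rc5.d; do
        [ -d "$dir" ] || continue
        for link in "$dir"/S*; do
            [ -L "$link" ] || [ -e "$link" ] || continue
            case $(basename "$link") in
                S[0-9][0-9]firehol) ;;                       # the one we want
                S[0-9][0-9]firestarter|S[0-9][0-9]guarddog|S[0-9][0-9]shorewall)
                    echo "conflict: $link"; found=1 ;;
            esac
        done
    done
    return $found
}

# The package ships /etc/default/firehol with START_FIREHOL=NO, so the init
# script does nothing until you change it (step 2 of the list above). Returns
# 0 when the last uncommented assignment in the file is YES, 1 otherwise.
check_start_firehol() {
    f=${1:-/etc/default/firehol}
    [ -r "$f" ] || return 1
    val=$(sed -n 's/^[[:space:]]*START_FIREHOL=//p' "$f" | tail -n 1 \
          | tr -d "\"'" | sed 's/[[:space:]].*$//')
    [ "$val" = "YES" ]
}

# Demonstration on a constructed fake root, never on the live /etc.
demo=$(mktemp -d)
mkdir -p "$demo/etc/rcS.d" "$demo/etc/rc2.d" "$demo/etc/default"
ln -s ../init.d/firehol "$demo/etc/rcS.d/S38firehol"
ln -s ../init.d/firestarter "$demo/etc/rc2.d/S20firestarter"   # leftover install
printf 'START_FIREHOL=NO\n' > "$demo/etc/default/firehol"

gen_firehol_conf ssh http
check_rc_conflicts "$demo" || echo "-> aptitude purge the other firewall first"
check_start_firehol "$demo/etc/default/firehol" || echo "-> set START_FIREHOL=YES"
rm -rf "$demo"
```

Run it as a normal user to see the generated config and the two warnings for the fake tree; calling check_rc_conflicts with no argument scans the real /etc, and the generated config is what you would put in /etc/firehol/firehol.conf before "/etc/init.d/firehol restart" and a re-test at grc.com.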
Did a fresh installation on my neighbor's box; he wanted Sarge. Did the ReiserFS/x-window-system-core/fluxbox/Firehol/kernel-image-2.6-686 bit, we followed your instructions to the letter, did the configuration, and he is so happy 'cause his box has never been so fast! It worked like a charm; we left the matter of the messages for tomorrow. FireHOL only showed stealth and closed ports.
"Did a fresh installation on my neighbor's box; he wanted Sarge. Did the ReiserFS/x-window-system-core/fluxbox/Firehol/kernel-image-2.6-686 bit [--] he is so happy 'cause his box has never been so fast!"
Debian is sweet.
However, there's a potential security problem in installing x-window-system-core and using .xinitrc -- it doesn't automatically invoke xauth (like xdm does), which leaves doors wide open for anyone to remotely access your X server.
The simple solution is to add
Code:
xhost +localhost
to the beginning of .xinitrc.
Or, alternatively, you can edit /etc/X11/xinit/xserverrc and make the X server call xauth:
Apparently using xauth is the solution that most people recommend, but for normal users xhost should be safe enough, especially when you have a good firewall.
Edit:
I had to edit the xserverrc lines a bit (tested the earlier version with Nessus and noticed it didn't work, but now it works).
Last edited by Dead Parrot; 10-01-2004 at 05:45 PM.
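The post above leaves the choice between an xhost entry and xauth cookies to the reader. The script below is an added example, not code from this thread: it lints the two files the post names, /etc/X11/xinit/xserverrc and ~/.xinitrc, and reports whether the X server is told not to listen on TCP at all ("-nolisten tcp", the server's own flag) and which kind of access control the xinitrc sets up. The function names and the sample file contents are my own constructions; the xhost forms it recognises are the real ones ("xhost +" alone switches access control off for everyone, "xhost +host" admits every user on that host, no xhost call leaves whatever the server was started with, ideally a cookie file as xdm arranges).

```shell
#!/bin/sh
# Added example, not from the thread. It lints the two files the post above
# names, /etc/X11/xinit/xserverrc and ~/.xinitrc, for the X access-control
# settings that decide who may connect to your display. Function names and
# the sample file contents are constructed; "-nolisten tcp" and the xhost
# forms are the real X server / xhost syntax.

# Does the X invocation in an xserverrc carry "-nolisten tcp"? Without it the
# server also listens on TCP port 6000+display, so anything the firewall lets
# through to that port is judged by the access list alone. Comment lines are
# ignored. Returns 0 when the flag is present.
xserver_refuses_tcp() {
    grep -v '^[[:space:]]*#' "$1" | grep -q -- '-nolisten[[:space:]]\{1,\}tcp'
}

# Classify how an xinitrc uses xhost. Prints one word:
#   open - "xhost +" with no host: access control switched off entirely
#   host - host-based entries such as "xhost +localhost": every user on that
#          host (not just you) may connect, which is the trade-off the post
#          calls "safe enough" only behind a good firewall
#   none - no xhost call: access stays whatever the server was started with,
#          ideally an -auth cookie file as xdm arranges
xinitrc_access_mode() {
    lines=$(grep -v '^[[:space:]]*#' "$1" \
            | grep -E '(^|[[:space:];&|])xhost([[:space:]]|$)' || true)
    [ -n "$lines" ] || { echo none; return 0; }
    if echo "$lines" | grep -Eq '(^|[[:space:];&|])xhost[[:space:]]+[+]([[:space:]]|$)'; then
        echo open
    else
        echo host
    fi
}

# Demonstration on constructed files, not the real ones under /etc or $HOME.
demo=$(mktemp -d)
printf 'exec /usr/bin/X11/X -nolisten tcp\n' > "$demo/xserverrc"
printf 'xhost +localhost\nexec fluxbox\n' > "$demo/xinitrc"
if xserver_refuses_tcp "$demo/xserverrc"; then
    echo "xserverrc: X will not listen on TCP"
else
    echo "xserverrc: X listens on TCP; consider adding -nolisten tcp"
fi
echo "xinitrc: access mode $(xinitrc_access_mode "$demo/xinitrc")"
rm -rf "$demo"
```

Point the two functions at the real /etc/X11/xinit/xserverrc and ~/.xinitrc to check your own setup; a result of "open" means any host the firewall admits can drive the display, "host" means the firewall and the host list together decide, and "none" with "-nolisten tcp" is the per-user cookie setup the post says most people recommend.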