LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 10-02-2005, 10:02 AM   #1
DanielTan
firewall setting


How can I view the Fedora Core 3 firewall settings and how do I access them? Pls advise, thanks

Regards
Daniel
 
Old 10-02-2005, 10:34 AM   #2
Capt_Caveman
To see the actual rules in your firewall, open a terminal and as root run the command: iptables -vnL. There is also a rudimentary utility for configuring the firewall that can be found in "Start" -> System Settings -> Security Level. You can access the same utility from the command line with system-config-securitylevel.
 
Old 10-03-2005, 07:41 AM   #3
DanielTan
How do I ensure my Linux is not being tampered with/hacked? Below is my iptables output. Thanks
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2049 1998K RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 2139 packets, 1695K bytes)
pkts bytes target prot opt in out source destination

Chain RH-Firewall-1-INPUT (2 references)
pkts bytes target prot opt in out source destination
1153 1520K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1 56 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
19 2322 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631
754 467K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
122 7993 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited


 
Old 10-03-2005, 08:06 AM   #4
Capt_Caveman
Are there any services running on this system that you need other machines to be able to access? Is it acting as a print server?
 
Old 10-03-2005, 07:05 PM   #5
DanielTan
Just NFS and DNS server for now. Is that secure? Are there unnecessary services or ports running?

Rgds
Daniel


 
Old 10-03-2005, 09:47 PM   #6
Capt_Caveman
Just NFS and DNS server for now.
Is it running an actual DNS server (like BIND) on the machine itself or do you mean that it connects to some other remote DNS server for hostname resolution (i.e. it acts as a DNS client)?

Is that secure ?
There are serious security considerations for either one, but they can be run reasonably safely if done so properly. Both DNS and NFS were not really designed for use in a hostile environment (at least for most implementations). So if at all possible, they should really be run behind a firewall so that only LAN clients can access them. In some cases though it's not an option and you really need to lock down and harden the server as best you can. I certainly wouldn't recommend running DNS and NFS on your firewall machine, as they should really be running on a separate box(es), preferably in a DMZ. If this system is just a DNS/NFS client and you don't have the resources necessary for multiple boxes, then I would just use a decent firewall and do some standard hardening (turning off unneeded services, installing a file integrity scanner like tripwire/aide/samhain, etc).

Are there unnecessary services or ports running?
Dunno. Run "netstat -pantu" as root and post the output.
 
Old 10-04-2005, 09:09 AM   #7
DanielTan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:32769 0.0.0.0:* LISTEN 2391/rpc.statd
tcp 0 0 0.0.0.0:32770 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:779 0.0.0.0:* LISTEN 2720/rpc.mountd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2370/portmap
tcp 0 0 218.111.5.196:53 0.0.0.0:* LISTEN 2660/named
tcp 0 0 192.168.0.5:53 0.0.0.0:* LISTEN 2660/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 2660/named
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2580/cupsd
tcp 0 0 127.0.0.1:5335 0.0.0.0:* LISTEN 2544/mDNSResponder
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2757/sendmail: acce
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 2660/named
tcp 0 0 0.0.0.0:763 0.0.0.0:* LISTEN 2703/rpc.rquotad
tcp 0 0 60.48.91.156:32823 66.94.234.72:80 TIME_WAIT -
tcp 0 0 60.48.91.156:32826 66.94.234.72:80 TIME_WAIT -
tcp 0 0 60.48.91.156:32827 64.179.4.149:80 TIME_WAIT -
tcp 0 0 60.48.91.156:32777 203.106.50.8:80 ESTABLISHED 3877/firefox-bin
tcp 0 0 60.48.91.156:32778 203.106.50.8:80 ESTABLISHED 3877/firefox-bin
tcp 0 0 60.48.91.156:32832 216.239.57.103:80 ESTABLISHED 3877/firefox-bin
tcp 0 0 60.48.91.156:32830 216.239.57.103:80 ESTABLISHED 3877/firefox-bin
tcp 0 0 60.48.91.156:32779 66.218.70.70:443 ESTABLISHED 3877/firefox-bin
tcp 0 0 60.48.91.156:32794 203.106.50.9:80 ESTABLISHED 3877/firefox-bin
tcp 0 0 60.48.91.156:32821 66.35.229.145:80 ESTABLISHED 3877/firefox-bin
tcp 0 0 60.48.91.156:32787 203.106.50.16:80 ESTABLISHED 3877/firefox-bin
tcp 0 0 :::22 :::* LISTEN 2673/sshd
udp 0 0 0.0.0.0:32768 0.0.0.0:* 2391/rpc.statd
udp 0 0 0.0.0.0:2049 0.0.0.0:* -
udp 0 0 0.0.0.0:32769 0.0.0.0:* 2660/named
udp 0 0 0.0.0.0:32772 0.0.0.0:* -
udp 0 0 0.0.0.0:776 0.0.0.0:* 2720/rpc.mountd
udp 0 0 218.111.5.196:53 0.0.0.0:* 2660/named
udp 0 0 192.168.0.5:53 0.0.0.0:* 2660/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 2660/named
udp 0 0 0.0.0.0:871 0.0.0.0:* 2391/rpc.statd
udp 0 0 0.0.0.0:5353 0.0.0.0:* 2544/mDNSResponder
udp 0 0 0.0.0.0:5353 0.0.0.0:* 2544/mDNSResponder
udp 0 0 0.0.0.0:111 0.0.0.0:* 2370/portmap
udp 0 0 0.0.0.0:631 0.0.0.0:* 2580/cupsd
udp 0 0 0.0.0.0:760 0.0.0.0:* 2703/rpc.rquotad
udp 0 0 :::32770 :::* 2660/named


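As an added example (not part of the thread), a small script that does the triage Capt_Caveman does by eye on the output above: it reads netstat -pantu lines and prints only the listeners reachable from the network, skipping sockets bound to loopback. The sample input is a constructed excerpt of the posted output; to check a live box, pipe real output into exposed_listeners.

```shell
#!/bin/sh
# Added example, not from the thread: list network-reachable listeners in
# "netstat -pantu" output. A TCP socket counts when it is in LISTEN; a UDP
# socket counts whenever it is bound. Anything bound only to 127.0.0.1 or ::1
# is skipped, since the firewall's "lo" rule already covers it.
# SAMPLE is a constructed excerpt of the output posted above.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2370/portmap
tcp 0 0 192.168.0.5:53 0.0.0.0:* LISTEN 2660/named
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2580/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2757/sendmail: acce
tcp 0 0 60.48.91.156:32777 203.106.50.8:80 ESTABLISHED 3877/firefox-bin
tcp 0 0 :::22 :::* LISTEN 2673/sshd
udp 0 0 0.0.0.0:5353 0.0.0.0:* 2544/mDNSResponder
udp 0 0 127.0.0.1:53 0.0.0.0:* 2660/named
udp 0 0 0.0.0.0:631 0.0.0.0:* 2580/cupsd'

# Reads netstat lines on stdin and writes "proto port bind-address program",
# one line per exposed listener, sorted and de-duplicated.
exposed_listeners() {
  awk '
    $1 != "tcp" && $1 != "udp" && $1 != "tcp6" && $1 != "udp6" { next }
    # tcp lines carry a State column; only LISTEN sockets accept connections
    $1 ~ /^tcp/ && $6 != "LISTEN" { next }
    {
      addr = $4; port = addr
      sub(/.*:/, "", port)          # text after the last colon is the port
      sub(/:[^:]*$/, "", addr)      # strip ":port", keeps "::" for IPv6-any
      if (addr == "127.0.0.1" || addr == "::1") next
      # udp lines have no State column, so the program is one field earlier
      prog = ($1 ~ /^tcp/) ? $7 : $6
      if (prog == "") prog = "-"
      print $1, port, addr, prog
    }' | sort -u
}

# Runs the triage over the constructed sample; returns the report on stdout.
triage_sample() { printf '%s\n' "$SAMPLE" | exposed_listeners; }

triage_sample
```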
 
Old 10-04-2005, 09:17 AM   #8
DanielTan
It is just a caching DNS server for the local network. Why do you say DNS and NFS servers are not recommended to run on a firewall machine? Isn't running them behind the firewall considered safer than running them in a DMZ that is exposed to outside attack? Btw, what do I need to look at in the firewall to harden it more? Are we talking about SELinux now also? Thanks a lot

Regards
Daniel


 
Old 10-05-2005, 06:39 AM   #9
Capt_Caveman
It is just a caching DNS server for local network. Why do you say dns and nfs server not recommended to run on a firewall machine ?
The gateway/border firewall should really not have any services running on it at all, especially unhardened services like NFS or DNS. If either of these are compromised, then the firewall machine is controlled by the attacker, which puts your entire network at risk (for example, they could easily route traffic through their box and perform a MitM attack against your entire network). If the DNS server is just used for the local network, then it should be on a separate box inside the LAN.

Don't they run behind firewall is consider safer instead of running them in DMZ that is exposed to outsider attack?
Yes, I was describing a situation in which you had no choice but to run an exposed DNS server. Because yours is supporting only a LAN, then you absolutely want to put it behind the firewall.

Btw what should i need to look at in the firewall to make it more hardening?
Remove unneeded services and software, use a good firewall script, do some kernel hardening (like PaX or grsecurity), and also check out the hardening guides in the Security References thread.
 
Old 10-05-2005, 07:39 AM   #10
DanielTan
Is my firewall considered secure, and is there any good example of a good firewall script? What does MitM stand for? Thanks

Rgds
Daniel




 
Old 10-05-2005, 06:10 PM   #11
Capt_Caveman
Does my firewall consider secure and any good example of a good firewall script?
I usually point to this as an example of a basic core firewall for a single host. Obviously you'd need to modify it to your own requirements, like interface names as well as any other services you'd run. If you are trying to use this for your border/gateway firewall then you'll need to add rules for forwarding traffic. If you are using this inside the LAN then you may need to remove rules blocking any of your private LAN IP addresses listed in the "bogons" section.

MitM stands for?
Man-in-the-Middle. The attacker maliciously causes traffic destined for other hosts to be routed through a system under their control and sniffs traffic, injects packets, or hijacks sessions.
 
Old 10-05-2005, 07:26 PM   #12
DanielTan
Hi, I forgot to ask which file is for the firewall script, and what are bogons? Thanks a lot

Rgds
Daniel


 
Old 10-05-2005, 09:36 PM   #13
Capt_Caveman
On FC3, first backup your existing firewall using:

iptables-save > firewall-backup

Next save the new script as a text file, make it executable with 'chmod +x filename' and then run the script. Next run iptables -vnL to verify that the script executed properly and the new rules have been loaded. Finally do the following to save the new rules and have them reloaded at boot:

service iptables save
(alternatively you can use: iptables-save > /etc/sysconfig/iptables)

You can also have the script directly run by init at boot, but the trick is to have the script run before the networking facilities have been brought up.

see here for bogon definition.

Last edited by Capt_Caveman; 10-05-2005 at 09:38 PM.
 
Old 10-16-2005, 09:10 AM   #14
DanielTan
Hi, why do I need to save the "firewall-backup" script again as a text file and then make it executable again? How do I save the new script as a text file?

Regards
Daniel



 
Old 10-16-2005, 07:20 PM   #15
DanielTan
Hi, I just read through the thread and you did mention I would need a firewall and hardening. What firewall is that? What threat can Tripwire protect against that a firewall can't? Wouldn't a firewall be blocking the ports?

Rgds
Daniel

 
  


All times are GMT -5. The time now is 05:14 AM.
