LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 10-16-2005, 07:33 PM   #16
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 64

If you want to see what ports are open from the outside use one of those firewall tester sites like http://www.hackerwatch.org/probe/ . If there is a cable/dsl firewall router between the machine and the service provider then this test will only test the router. If this is behind a router and you have more than one machine on the lan side use a port scanning tool on it to scan the linux box.

But from what I see nothing is open accept cups so one can print to local printer. It looks like the default iptables for FC*. You mention NFS but I do not see and open port 2049 for that in post #3.

But all in all the more layers of security you can add the stronger it will be.

Brian1
 
Old 10-16-2005, 08:39 PM   #17
DanielTan
Member
 
Registered: Sep 2004
Location: Malaysia
Distribution: FC6, Solaris
Posts: 340

Original Poster
Rep: Reputation: 30
Hi Brian, yes in the first line of my service there is port 2049. How to add more layers ?

Rgds
Daniel


Quote:
Originally posted by Brian1
If you want to see what ports are open from the outside use one of those firewall tester sites like http://www.hackerwatch.org/probe/ . If there is a cable/dsl firewall router between the machine and the service provider then this test will only test the router. If this is behind a router and you have more than one machine on the lan side use a port scanning tool on it to scan the linux box.

But from what I see nothing is open accept cups so one can print to local printer. It looks like the default iptables for FC*. You mention NFS but I do not see and open port 2049 for that in post #3.

But all in all the more layers of security you can add the stronger it will be.

Brian1
 
Old 10-16-2005, 10:57 PM   #18
DanielTan
Member
 
Registered: Sep 2004
Location: Malaysia
Distribution: FC6, Solaris
Posts: 340

Original Poster
Rep: Reputation: 30
Brian, how do hacker print to my printer ? unless they know my IP and port scan ?

Rgds
Daniel


Quote:
Originally posted by DanielTan
Hi Brian, yes in the first line of my service there is port 2049. How to add more layers ?

Rgds
Daniel
 
Old 10-16-2005, 11:03 PM   #19
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Hi, why do i need to save the "firewall-backup" script again as text file and then make it executable again ?
No. You're saving the old firewall rules as a backup in case you need them in the future or something gets screwed up. You're then putting the new iptables ruleset in a different file and making that file executable.

how to save the new script as text file ?
Use your favorite text editor (like vi or emacs) or even something like kwrite or OpenOffice will work as long as you save the file as text.

What firewall is that
I posted an basic example earlier in the thread and there are a number availble in the security reference thread. There are also examples in the frozentux tutorial.

Tripwire can protect against what threat that firewall can't
Tripwire is a different type of security applilcation that is used for intrusion detection rather than prevention. If someone were able to gain access to your system (through an unpatched/unpublished vuln) then your firewall would likely not help much, whereas tripwires file alteration detection capabilities might.
 
Old 10-17-2005, 12:56 AM   #20
DanielTan
Member
 
Registered: Sep 2004
Location: Malaysia
Distribution: FC6, Solaris
Posts: 340

Original Poster
Rep: Reputation: 30
Hi, isn't the default firewall file is executable ? Also why need another firewall software in place ? Thanks alot

Rgds
Daniel



Quote:
Originally posted by Capt_Caveman
Hi, why do i need to save the "firewall-backup" script again as text file and then make it executable again ?
No. You're saving the old firewall rules as a backup in case you need them in the future or something gets screwed up. You're then putting the new iptables ruleset in a different file and making that file executable.

how to save the new script as text file ?
Use your favorite text editor (like vi or emacs) or even something like kwrite or OpenOffice will work as long as you save the file as text.

What firewall is that
I posted an basic example earlier in the thread and there are a number availble in the security reference thread. There are also examples in the frozentux tutorial.

Tripwire can protect against what threat that firewall can't
Tripwire is a different type of security applilcation that is used for intrusion detection rather than prevention. If someone were able to gain access to your system (through an unpatched/unpublished vuln) then your firewall would likely not help much, whereas tripwires file alteration detection capabilities might.
 
Old 10-17-2005, 01:02 AM   #21
DanielTan
Member
 
Registered: Sep 2004
Location: Malaysia
Distribution: FC6, Solaris
Posts: 340

Original Poster
Rep: Reputation: 30
Hi, in your thread earlier, i saw a file "rc.local" , what does it do ?

Rgds
Daniel


Quote:
Originally posted by Capt_Caveman
Hi, why do i need to save the "firewall-backup" script again as text file and then make it executable again ?
No. You're saving the old firewall rules as a backup in case you need them in the future or something gets screwed up. You're then putting the new iptables ruleset in a different file and making that file executable.

how to save the new script as text file ?
Use your favorite text editor (like vi or emacs) or even something like kwrite or OpenOffice will work as long as you save the file as text.

What firewall is that
I posted an basic example earlier in the thread and there are a number availble in the security reference thread. There are also examples in the frozentux tutorial.

Tripwire can protect against what threat that firewall can't
Tripwire is a different type of security applilcation that is used for intrusion detection rather than prevention. If someone were able to gain access to your system (through an unpatched/unpublished vuln) then your firewall would likely not help much, whereas tripwires file alteration detection capabilities might.
 
Old 10-17-2005, 08:58 AM   #22
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Hi, isn't the default firewall file is executable?
No. In Fedora the default firewall rules are stored in /etc/sysconfig/iptables which isn't a shell script, it's the output of iptables-save. The rules are loaded from that file during boot using iptables-restore. Earlier in this thread I gave you instructions on how to use that method (basically run your script once so that it is loaded into iptables and then save the setup to /etc/sysconfig/iptables using iptables-save > /etc/sysconfig/iptables). That way Fedora will automatically load your new rules from there. Otherwise the old rules will be run at boot and you will need to have your script executed at boot.

Also why need another firewall software in place?
You only need one. The Fedora firewall is relatively mediocre and I feel there are better scripts available.

Hi, in your thread earlier, i saw a file "rc.local" , what does it do?
The contents of that file are executed as one of the final steps of the boot init process. It's handy for having scripts run automatically. However it is not ideal for running a firewall script as the network interfaces have already been brought up by init, so for a brief peroid your system would be online with live network interfaces and no firewall.
 
Old 10-17-2005, 10:51 AM   #23
DanielTan
Member
 
Registered: Sep 2004
Location: Malaysia
Distribution: FC6, Solaris
Posts: 340

Original Poster
Rep: Reputation: 30
Hi, i'm a bit blur regarding rc.local, does it necessary to have it ? In total how many files do i need to have for firewall to be running ? Thanks

Rgds
Daniel



Quote:
Originally posted by Capt_Caveman
Hi, isn't the default firewall file is executable?
No. In Fedora the default firewall rules are stored in /etc/sysconfig/iptables which isn't a shell script, it's the output of iptables-save. The rules are loaded from that file during boot using iptables-restore. Earlier in this thread I gave you instructions on how to use that method (basically run your script once so that it is loaded into iptables and then save the setup to /etc/sysconfig/iptables using iptables-save > /etc/sysconfig/iptables). That way Fedora will automatically load your new rules from there. Otherwise the old rules will be run at boot and you will need to have your script executed at boot.

Also why need another firewall software in place?
You only need one. The Fedora firewall is relatively mediocre and I feel there are better scripts available.

Hi, in your thread earlier, i saw a file "rc.local" , what does it do?
The contents of that file are executed as one of the final steps of the boot init process. It's handy for having scripts run automatically. However it is not ideal for running a firewall script as the network interfaces have already been brought up by init, so for a brief peroid your system would be online with live network interfaces and no firewall.
 
Old 10-17-2005, 07:04 PM   #24
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 64
I getting a little confused where this topic is going. When I mean more layers, I mean if you have a setup like this.

If you have a broadband connection, put a router whether a store bought or a linux box between the internet and your private lan. If no ports are being forward through the router then consider this first layer of defense. No ports to attack.

Next running iptables on all machines and open only the ports to be visiable to the lan network. You can run all the services on the linux box you want but unless iptables allow a connection then it is blocked. This would be the next layer of security if someone got through the router.

Use of /etc/host.allow and host.deny is another layer of defense that can be used.

Use of strong passwords and use of keys would be additional layer of security.

Keeping daemon services updated to current releases would be another layer of security. Example you have version 3.2 of something and a exploited hack has been found the devolper of the software releases a patch or a complete package version 3.3 to fix the exploit.

Also check for firmware updates for store bought routers.

Now if the router also provides wireless access and not using wireless cards, and if the router has the feature, one can turn the antenna off. If using wireless is being used enable wep and or wpa security and or mac filtering and or IP filtering. Each item here can be considered a layer of security here.

Pretty much for the home user as long as there is a router in place with no open ports this usually enough.

Now as for rc.local it is used to put addition scripts or apps you want to run on the machine. It can be used to load addition modules, reset files, restore settings, start a service. Anything you want with an easy neiether empty file to use. Adding to the rc file would not be the best because of the size and contents already in there. Here is example of my rc.local file:
Code:
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

# Start DMZ Firewall for wan, lan and dmz networks
echo "Starting up DMZ Firewall...."
/etc/dmz.firewall

# Load modules for sensors
echo "Starting up LM Sensors modules...."
modprobe i2c-amd756
modprobe w83781d
modprobe eeprom
sensors -s

# Pause to allow modules to finsh loading before continuing
ping -c3 127.0.0.1 > /dev/null

# Startup of the gkrellm daemon for remote monitoring of nics
echo "Starting up gkrellmd daemon...."
/usr/bin/gkrellmd &

touch /var/lock/subsys/local
Hope this helps.
Brian1

Last edited by Brian1; 10-17-2005 at 07:05 PM.
 
Old 10-17-2005, 07:35 PM   #25
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
When the system starts up, the last step of the boot process is to execute the contents of rc.local. So any files you put in the rc.local file will be run (note that rc.local contains paths to the files you want run, similar to a link).

In total how many files do i need to have for firewall to be running?
Technically you do not need any files. You could start the system and enter your rules manually with iptables every time you boot. However, the easiest way is to use 2 files. One is the actual shell script containing your firewall rules. The second is the /etc/sysconfig/iptables file which is used to store your firewall rules in a special format so that they can be automatically reloaded for you when the system boots. To do it that way you need to do the following:
1. Open a text file and paste/type the firewall rules
2. Make the file executable with chmod u+x filename
3. Execute the file as root to load the firewall rules
4. Verify that the rules were loaded by running iptables -vnL
5. Save the loaded rules using iptables-save > /etc/sysconfig/iptables

Your firewall rules will now get automatically loaded at boot. You can delete the script containing the firewall rules if you like, as the rules are now stored in /etc/sysconfig/iptables.

I would still recommend making a backup copy of your original set of rules first before you start. Anytime you modify *ANY* config file in linux you should *ALWAYS* make a backup copy. If you make a mistake editing it or somehow screw up, then you can always revert to the backup. If you don't have the backup copy then you're in trouble.
 
Old 10-25-2005, 09:10 PM   #26
DanielTan
Member
 
Registered: Sep 2004
Location: Malaysia
Distribution: FC6, Solaris
Posts: 340

Original Poster
Rep: Reputation: 30
Hi, can you please explain this line and which IP is bogons ? Does prevent those bogon and bad packets increase the network traffic ? Thanks

iptables -A INPUT -i ppp0 -s 0.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 0.0.0.0/8 -j DROP

Rgds
Daniel




Quote:
Originally posted by Capt_Caveman
Does my firewall consider secure and any good example of a good firewall script?
I usually point to this as an example of basic core firewall for a single host. Obviously you'd need to modify it to you're own requirements, like interface names as well as any other services you'd run. If you are trying to use this for your border/gateway firewall then you'll need to add rules for forwarding traffic. If you are using this inside the LAN then you may need to remove rules blocking amy of your private LAN IP addresses listed in the "bogons" section.

MitM stands for?
Man-in-the-Middle. Attacker maliciously causes traffic destined for other hosts to be routed through a system under their control and sniffs traffic, injects packets, or highjacks sessions.
 
Old 10-30-2005, 03:25 AM   #27
DanielTan
Member
 
Registered: Sep 2004
Location: Malaysia
Distribution: FC6, Solaris
Posts: 340

Original Poster
Rep: Reputation: 30
Hi, i did reconfigure my firewall and now my FC3 hangs during firewall init. Even before i restart, it hangs on shutdown. i did backup my old firewall config but not the new config. Pls advise. Thanks

Regards
Daniel




Quote:
Originally posted by Capt_Caveman
When the system starts up, the last step of the boot process is to execute the contents of rc.local. So any files you put in the rc.local file will be run (note that rc.local contains paths to the files you want run, similar to a link).

In total how many files do i need to have for firewall to be running?
Technically you do not need any files. You could start the system and enter your rules manually with iptables every time you boot. However, the easiest way is to use 2 files. One is the actual shell script containing your firewall rules. The second is the /etc/sysconfig/iptables file which is used to store your firewall rules in a special format so that they can be automatically reloaded for you when the system boots. To do it that way you need to do the following:
1. Open a text file and paste/type the firewall rules
2. Make the file executable with chmod u+x filename
3. Execute the file as root to load the firewall rules
4. Verify that the rules were loaded by running iptables -vnL
5. Save the loaded rules using iptables-save > /etc/sysconfig/iptables

Your firewall rules will now get automatically loaded at boot. You can delete the script containing the firewall rules if you like, as the rules are now stored in /etc/sysconfig/iptables.

I would still recommend making a backup copy of your original set of rules first before you start. Anytime you modify *ANY* config file in linux you should *ALWAYS* make a backup copy. If you make a mistake editing it or somehow screw up, then you can always revert to the backup. If you don't have the backup copy then you're in trouble.
 
Old 10-30-2005, 03:28 AM   #28
DanielTan
Member
 
Registered: Sep 2004
Location: Malaysia
Distribution: FC6, Solaris
Posts: 340

Original Poster
Rep: Reputation: 30
Brian, i did modify my firewall rules on FC3 and now it hangs on firewall init during startup. Any idea how to sole this problem ? i did make a backup of the old config.

Regards
Daniel



Quote:
Originally posted by Brian1
I getting a little confused where this topic is going. When I mean more layers, I mean if you have a setup like this.

If you have a broadband connection, put a router whether a store bought or a linux box between the internet and your private lan. If no ports are being forward through the router then consider this first layer of defense. No ports to attack.

Next running iptables on all machines and open only the ports to be visiable to the lan network. You can run all the services on the linux box you want but unless iptables allow a connection then it is blocked. This would be the next layer of security if someone got through the router.

Use of /etc/host.allow and host.deny is another layer of defense that can be used.

Use of strong passwords and use of keys would be additional layer of security.

Keeping daemon services updated to current releases would be another layer of security. Example you have version 3.2 of something and a exploited hack has been found the devolper of the software releases a patch or a complete package version 3.3 to fix the exploit.

Also check for firmware updates for store bought routers.

Now if the router also provides wireless access and not using wireless cards, and if the router has the feature, one can turn the antenna off. If using wireless is being used enable wep and or wpa security and or mac filtering and or IP filtering. Each item here can be considered a layer of security here.

Pretty much for the home user as long as there is a router in place with no open ports this usually enough.

Now as for rc.local it is used to put addition scripts or apps you want to run on the machine. It can be used to load addition modules, reset files, restore settings, start a service. Anything you want with an easy neiether empty file to use. Adding to the rc file would not be the best because of the size and contents already in there. Here is example of my rc.local file:
Code:
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

# Start DMZ Firewall for wan, lan and dmz networks
echo "Starting up DMZ Firewall...."
/etc/dmz.firewall

# Load modules for sensors
echo "Starting up LM Sensors modules...."
modprobe i2c-amd756
modprobe w83781d
modprobe eeprom
sensors -s

# Pause to allow modules to finsh loading before continuing
ping -c3 127.0.0.1 > /dev/null

# Startup of the gkrellm daemon for remote monitoring of nics
echo "Starting up gkrellmd daemon...."
/usr/bin/gkrellmd &

touch /var/lock/subsys/local
Hope this helps.
Brian1
 
Old 10-31-2005, 11:37 PM   #29
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally posted by DanielTan
Hi, i did reconfigure my firewall and now my FC3 hangs during firewall init. Even before i restart, it hangs on shutdown. i did backup my old firewall config but not the new config. Pls advise. Thanks
Please describe *EXACTLY* what modifications you've made, the entire firewall script you are trying to run and post the output of iptables -vnL
 
Old 11-01-2005, 08:03 AM   #30
DanielTan
Member
 
Registered: Sep 2004
Location: Malaysia
Distribution: FC6, Solaris
Posts: 340

Original Poster
Rep: Reputation: 30
Hi, first i make backup of the old configuration. Below is result of "cat" from iptables. Btw how to boot into linux again by bypass the firewall ? Thanks

*filter
:input drop [0:0]
:forward drop [0:0]
utput accept [0:0]
:RH-firewall-1-input-[0:0]

-A input -m state --state invalid -j drop
-A input -p tcp -m tcp ! --tcp-flags syn,rst,ack,syn -m state --state new -j drop
-A input -p tcp -m tcp --tcp-flags fin, syn fin, syn -j drop
-A input -p tcp -m tcp --tcp-flags syn,rst syn,rst -j drop
-A input -p tcp -m tcp --tcp-flags fin, syn,rst,psh,ack,urg fin,syn,rst,psh,ack,urg -j drop
-A forward -m state --state invalid -j drop
-A output -m state --state invalid -j drop
-A RH-firewall-1-input -i lo -j accept
-A RH-firewall-1-input-i eth0 -p icmp -m icmp --icmp-type 8 - m limit -- limit 10/s -j accept
-A RH-firewall-1-input-i eth0 -p tcp -m tcp --tcp-flags syn,rst,ack syn -m limit --limit 5/sec -j accept
-A RH-firewall-1-input -d 224.0.0.251 -p udp --dport 5353 -j accept
-A Rh-firewall-1-input -p udp -m udp --dport 631 -j accept
-A Rh-firewall-1-input -m state --state related, established -j accept
-A RH-firewall-1-input -p tcp -m state --state new -m multiport --dport 80,443 -j accept
-A RH-firewall-1-input -j reject --reject-with icmp host-prohibited
Commit





Quote:
Originally posted by Capt_Caveman
Please describe *EXACTLY* what modifications you've made, the entire firewall script you are trying to run and post the output of iptables -vnL
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
setting the firewall one_ro SUSE / openSUSE 2 02-17-2005 05:10 PM
Setting up a firewall myguest Linux - Security 5 08-02-2004 12:32 PM
setting up a firewall behind a router mattmc97 Linux - Security 3 05-05-2004 04:36 PM
Setting up MDK 9.2 Firewall raysr Linux - Newbie 13 01-05-2004 07:46 PM
Setting up firewall linuxfond Linux - Newbie 3 02-21-2003 01:52 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:19 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration