LinuxQuestions.org - gShield - default drop ????

- Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)

- - gShield - default drop ???? (https://www.linuxquestions.org/questions/linux-security-4/gshield-default-drop-25812/)

gShield - default drop ????

I have a new install of Slackware 8.1 and I decided with this new install I would try using gShield as my firewall. The Linux box sits inside a LAN that runs off a single cable connection through a Linksys router. I have opened up most service ports to the Linux box as I use that for a DNS caching server, mail, server, etc. I have noticed that my syslog is indicating a lot of activity in the firewall. I just wanted to make sure this is safe. I assue the "default drop" listed below means the access was denied to the Incoming IP. Is this correct? Note the Linux box LAN IP is 192.168.1.130 as listed below.

Jul 14 13:30:14 linux kernel: gShield (default drop) IN=eth0 OUT= MAC=<deleted for privacy> SRC=167.181.31.35 DST=192.168.1.130 LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=65155 PROTO=TCP SPT=443 DPT=49200 WINDOW=0 RES=0x00 ACK RST URGP=0

Guess you're right, haven't looked at Gshield too close but I guess grepping its (output?) script for the policies (-P) should tell what it's default policies are.

*Btw, MAC addresses are unique, but don't carry beyond the LAN, so stripping 'em ain't really necessary. Stripping non-LAN IP addresses is good if you wanna.

Obviously, how gShield handles intruders depends on how you've setup /etc/firewall/gShield.conf. But in this case, 167.181.31.35's inquiry was dropped with no response from your box going back to him. If you need to look at iptables rules, as set by gShield, do iptables -L. -mk

I just wanted to know whether people are getting in or not,

I am a bit worried (aka paranoid) as I compiled and ran the Saint intrusion detection system and it indicated - specifically the "Evidence of penetration:

* Fresh install of Slackware 8.1
* gShield firewall - basically default setting
* qmail mail server
* cable connection behind Linksys router

Evidence of Penetration

* linux.macvoodoo.lan: Possible Trinity portshell detected
* linux.macvoodoo.lan: Possible mstream handler detected
* linux.macvoodoo.lan: Possible shaft handler detected
* linux.macvoodoo.lan: Possible stacheldraht handler detected

BROWNPossible Vulnerabilities

* linux.macvoodoo.lan: Is your Kerberos secure? (CVE 2000-0389 2000-0390 2000-0391)
* linux.macvoodoo.lan: possible vulnerability in Linux lpd

BROWNLimit Internet Access ?

* linux.macvoodoo.lan: rlogin is enabled
* linux.macvoodoo.lan: pop receives password in clear
* linux.macvoodoo.lan: rexec is enabled and could help attacker

Should I be worried are these erroneous readings?