LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-25-2008, 03:35 AM   #1
phantom_cyph
Senior Member
 
Registered: Feb 2007
Location: My HDD...
Distribution: WinXP for designing, Linux for life.
Posts: 2,329
Blog Entries: 1

Rep: Reputation: 47
Problem installing firewall


Trying to install pico firewall, but I get the following message:
Quote:
rm: cannot remove `/etc/init.d/picofirewall': No such file or directory
ln: creating symbolic link `/etc/init.d/rc3.d/S99picofirewall': No such file or directory
ln: creating symbolic link `/etc/init.d/rc5.d/S99picofirewall': No such file or directory

Error during installation of picoFIREWALL - try: bash -x ./install
in order to evaluate things...
I don't know why it would be looking for files that I would think the installation would put there.

If you know what the problem is, that would be helpful, if you know another relatively simple firewall to set up that does not depend on Gnome or KDE, doesn't have to be graphical, I would also like to know about that. I have XFCE, Fluxbox, and IceWM, so no qt here.

Thanks!
 
Old 11-25-2008, 08:45 PM   #2
wernerz
Member
 
Registered: Jun 2008
Location: Ottawa, Ontario, Canada
Distribution: debian, dsl-n
Posts: 55

Rep: Reputation: 15
I'm not sure if Slackware has this firewall, but I use lokkit. It is a menu-driven firewall that is very simple to set up.
 
Old 11-25-2008, 09:45 PM   #3
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 157
Quote:
Originally Posted by wernerz View Post
I'm not sure if Slackware has this firewall, but I use lokkit. It is a menu-driven firewall that is very simple to set up.
Slackware comes with iptables by default and it is enabled, although it lacks rules (there is no init script...you create your own).

I've never heard of picofirewall. I've also used Slackware since 1997. I have no idea how picofirewall is installed or why it is doing what it is doing.

Have you asked the developers for assistance or checked any support pages they have?

Last edited by unixfool; 11-25-2008 at 09:57 PM.
 
Old 11-26-2008, 01:04 AM   #4
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1288
You're probably getting the error because there is no real '/etc/init.d' in Slackware. It's a symlink to '/etc/rc.d/init.d', but even then it won't work even if you put it there. The real init directory on Slackware is '/etc/rc.d'. It depends on what exactly those scripts do; the one that is to be put in rc.3 should run on startup, while the rc.5 one will also get run at the same time (there is no runlevel 5 on Slackware, but it is bound to runlevel 3). If the scripts are the same I would copy one into '/etc/rc.d', rename it to 'rc.firewall' and it will get run on every boot. This of course depends on what exactly is in the script, but it might work.

Also, why picofirewall ?

Last edited by H_TeXMeX_H; 11-26-2008 at 01:06 AM.
 
Old 11-26-2008, 11:09 PM   #5
phantom_cyph
Senior Member
 
Registered: Feb 2007
Location: My HDD...
Distribution: WinXP for designing, Linux for life.
Posts: 2,329
Blog Entries: 1

Original Poster
Rep: Reputation: 47
Well, I'm trying to use shorewall, it's been recommended to me before. I'm just trying to set it up to block all ports but the ones I designate. No answers yet. The thread is here if you think you can help.
 
Old 11-26-2008, 11:47 PM   #6
internetSurfer
Member
 
Registered: Jan 2008
Location: w3c
Distribution: Slackware 12 Zenwalk 5.2
Posts: 71

Rep: Reputation: 16

Other Firewalls:

 
Old 11-30-2008, 04:33 PM   #7
phantom_cyph
Senior Member
 
Registered: Feb 2007
Location: My HDD...
Distribution: WinXP for designing, Linux for life.
Posts: 2,329
Blog Entries: 1

Original Poster
Rep: Reputation: 47
I like firestarter, but you need gnome. At one point I found a slackware package that contained the files needed for just about any gnome-based program without needing to install gnome. Any idea where I could find that?

BTW, apf doesn't seem to agree with me. It can't read anything having anything to do with iptables.
 
Old 11-30-2008, 04:55 PM   #8
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 377
Quote:
Originally Posted by phantom_cyph View Post
I like firestarter, but you need gnome. At one point I found a slackware package that contained the files needed for just about any gnome-based program without needing to install gnome. Any idea where I could find that?
Try googling for gnome-libs.
 
Old 11-30-2008, 07:56 PM   #9
phantom_cyph
Senior Member
 
Registered: Feb 2007
Location: My HDD...
Distribution: WinXP for designing, Linux for life.
Posts: 2,329
Blog Entries: 1

Original Poster
Rep: Reputation: 47
It's okay now. Got on the freenode Slackware irc channel and they set me up with an iptables script.
 
Old 11-30-2008, 08:17 PM   #10
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 377
Quote:
Originally Posted by phantom_cyph View Post
It's okay now. Got on the freenode Slackware irc channel and they set me up with an iptables script.
Care to share it with us? Getting yourself some free feedback can't hurt.
 
Old 11-30-2008, 08:32 PM   #11
phantom_cyph
Senior Member
 
Registered: Feb 2007
Location: My HDD...
Distribution: WinXP for designing, Linux for life.
Posts: 2,329
Blog Entries: 1

Original Poster
Rep: Reputation: 47
Short, sweet, and to the point.
Code:
#!/bin/bash

start() {
    echo "Starting Firewall..."
    iptables -F
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -A INPUT  -i lo -j ACCEPT
    iptables -A INPUT -p tcp --destination-port 6881 -j ACCEPT #azureus
    iptables -A INPUT -p udp --destination-port 6881 -j ACCEPT
    iptables -A INPUT -p tcp --destination-port 113 -j ACCEPT
    iptables -A INPUT -p tcp --source-port 20 -j ACCEPT
    iptables -A INPUT -p tcp --destination-port 0 -j DROP
    iptables -A INPUT -p tcp --destination-port 1 -j DROP
    iptables -A INPUT -p udp ! --destination-port 25 -j ACCEPT
    iptables -A INPUT -p tcp ! --syn -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type redirect -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type router-advertisement -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

    iptables -L | sed 's/        / /' | sed 's/           / /g' | sed 's/     / /g'
    echo
}

stop() {
    echo "Stopping firewall"
    iptables -F
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    echo
}

case "$1" in
    start)
    start
    ;;
    stop)
    stop
    ;;
    restart)
    stop
    start
    ;;
esac
(thanks dive)
 
Old 11-30-2008, 08:58 PM   #12
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 377
Quote:
Originally Posted by phantom_cyph View Post
Short, sweet, and to the point.
Code:
#!/bin/bash

start() {
    echo "Starting Firewall..."
    iptables -F
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -A INPUT  -i lo -j ACCEPT
    iptables -A INPUT -p tcp --destination-port 6881 -j ACCEPT #azureus
    iptables -A INPUT -p udp --destination-port 6881 -j ACCEPT
    iptables -A INPUT -p tcp --destination-port 113 -j ACCEPT
    iptables -A INPUT -p tcp --source-port 20 -j ACCEPT
    iptables -A INPUT -p tcp --destination-port 0 -j DROP
    iptables -A INPUT -p tcp --destination-port 1 -j DROP
    iptables -A INPUT -p udp ! --destination-port 25 -j ACCEPT
    iptables -A INPUT -p tcp ! --syn -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type redirect -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type router-advertisement -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

    iptables -L | sed 's/        / /' | sed 's/           / /g' | sed 's/     / /g'
    echo
}

stop() {
    echo "Stopping firewall"
    iptables -F
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    echo
}

case "$1" in
    start)
    start
    ;;
    stop)
    stop
    ;;
    restart)
    stop
    start
    ;;
esac
(thanks dive)
After only a quick glance, I can tell you there are lots of problems with that script. For starters, I hope you aren't really running identd (although technically that's a separate issue). Regarding the other rules, you've got gaping holes all over the place. You're pretty much allowing anyone to feed you TCP packets as long as they set their source ports to 20. You're also allowing anyone to feed you any UDP packets as long as they have a destination port other than 25. All those ICMP rules pose unnecessary risk too. You aren't using any stateful packet filtering at all. In summary, this is IMHO a really weird/dangerous script and my suggestion is that you get rid of it ASAP.

Last edited by win32sux; 11-30-2008 at 09:06 PM.
 
Old 11-30-2008, 11:04 PM   #13
internetSurfer
Member
 
Registered: Jan 2008
Location: w3c
Distribution: Slackware 12 Zenwalk 5.2
Posts: 71

Rep: Reputation: 16
I have XFCE, Fluxbox, and IceWM, so no qt here.

Last edited by internetSurfer; 11-30-2008 at 11:46 PM.
 
Old 11-30-2008, 11:18 PM   #14
phantom_cyph
Senior Member
 
Registered: Feb 2007
Location: My HDD...
Distribution: WinXP for designing, Linux for life.
Posts: 2,329
Blog Entries: 1

Original Poster
Rep: Reputation: 47
Quote:
Originally Posted by win32sux View Post
After only a quick glance, I can tell you there are lots of problems with that script. For starters, I hope you aren't really running identd (although technically that's a separate issue). Regarding the other rules, you've got gaping holes all over the place. You're pretty much allowing anyone to feed you TCP packets as long as they set their source ports to 20. You're also allowing anyone to feed you any UDP packets as long as they have a destination port other than 25. All those ICMP rules pose unnecessary risk too. You aren't using any stateful packet filtering at all. In summary, this is IMHO a really weird/dangerous script and my suggestion is that you get rid of it ASAP.
Point taken. All I really want is a way to make iptables block/drop everything except for like, 6 specified ports. I would like to stick with iptables, as I need to know more about the security side of life. If you have any suggestions as to where to start I would greatly appreciate it. (preferably something that can show me how to get a new firewall up in a small amount of time).

@internetSurfer, I already have the first two, and I am not about to switch to zenwalk anyway. Thanks though.
 
Old 12-01-2008, 08:29 AM   #15
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 377
Quote:
Originally Posted by phantom_cyph View Post
Point taken. All I really want is a way to make iptables block/drop everything except for like, 6 specified ports. I would like to stick with iptables, as I need to know more about the security side of life. If you have any suggestions as to where to start I would greatly appreciate it. (preferably something that can show me how to get a new firewall up in a small amount of time).
I could share with you a script based on my template if you tell me the services (and/or port numbers) you need to be accessible.

Last edited by win32sux; 12-01-2008 at 08:31 AM.
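As an added example (not from the thread, and not win32sux's template), here is what a stateful "drop everything except a few ports" script looks like, addressing the points raised in #12 and the request in #14: default DROP, loopback allowed, only replies to the host's own traffic admitted via connection tracking, and a short list of ports opened. The function names (valid_port, gen_rules, audit_rules) and the port lists are constructed for this example; it prints the iptables commands rather than executing them, and audit_rules flags the three weak patterns in the posted script.

```bash
#!/bin/bash
# Added example, not from the thread: a stateful default-deny rule set for the
# "drop everything except a few ports" case, plus an audit for the patterns
# win32sux flagged. It prints the iptables commands instead of running them, so
# it can be reviewed without root (apply: gen_rules "22 6881" "6881" | sh).
# Port lists are constructed samples, not the poster's real services.
# valid_port N: accept only 1..65535 (the original never validated its ports).
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_rules "<tcp ports>" "<udp ports>"  ->  iptables commands on stdout
gen_rules() {
    tcp_ports="$1"; udp_ports="$2"
    for p in $tcp_ports $udp_ports; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 1; }
    done
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Stateful core: only replies to flows this host started get in; it replaces
    # 'tcp ! --syn ACCEPT' and 'udp ! --dport 25 ACCEPT', which admitted almost anything.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -m state --state INVALID -j DROP"
    # RELATED already admits ICMP errors for our own flows, so the per-type
    # ICMP ACCEPTs are dropped; echo-request is kept but rate-limited.
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT"
    for p in $tcp_ports; do
        echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $udp_ports; do
        echo "iptables -A INPUT -p udp --dport $p -j ACCEPT"
    done
    # Everything else falls through to the DROP policy; log a sample of it.
    echo "iptables -A INPUT -m limit --limit 3/min -j LOG --log-prefix 'FW-DROP: '"
}

# audit_rules < rules  ->  one line per weak pattern found; returns the hit count
audit_rules() {
    rules=$(cat); hits=0
    printf '%s\n' "$rules" | grep -Eq -- '--source-port [0-9]+ -j ACCEPT' &&
        { echo "ACCEPT keyed on source port: the sender chooses that value"; hits=$((hits+1)); }
    printf '%s\n' "$rules" | grep -Eq -- '! --destination-port [0-9]+ -j ACCEPT' &&
        { echo "negated destination-port ACCEPT admits nearly everything"; hits=$((hits+1)); }
    printf '%s\n' "$rules" | grep -Eq -- '! --syn -j ACCEPT' &&
        { echo "non-SYN ACCEPT without connection tracking"; hits=$((hits+1)); }
    return $hits
}
```

Running the posted script's rules through audit_rules reports all three holes named in #12; the generated rule set reports none.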
 