LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 02-24-2004, 05:25 AM   #1
Danodare
Member
 
Registered: Feb 2004
Distribution: Slackware
Posts: 54

Rep: Reputation: 16
Firewall on slackware ?


Fresh install of slackware 9.1. I use rp-pppoe to access the internet.

I ran adsl-setup (from roaring penguin pppoe package), which supposedly put up a basic firewall.

1) Where would that firewall be located ? Is it the iptables everyone is talking about ? Where is iptables located in slackware ? I don't have a /etc/rc.d/rc.firewall or /etc/firewall that I could see.

"nmap -vv localhost" gives me

The SYN Stealth Scan took 1 second to scan 1657 ports.
Interesting ports on localhost (127.0.0.1):
(The 1649 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
37/tcp open time
79/tcp open finger
113/tcp open auth
587/tcp open submission
6000/tcp open X11

2) Is this good or bad ? I want to allow web-surfing and bittorrent, nothing else for now.

During the installation of slackware, I got sendmail by mistake (I thought it was used to send mail). I ran "chmod 644 rc.sendmail" to deactivate it for the next reboot... but

3) Is there any way to remove it other than rebooting ? Linux is not windows after all !

I am sorry to say, but everybody I know uses windows. So I don't know anyone who could run nmap from a remote unix machine.

4) Is there any way to probe for open ports in windows ? If possible using a program of the standard install, since I don't want to press my friends into downloading and installing a new program.

Thanks in advance for any pointers,
-Danodare

Last edited by Danodare; 02-24-2004 at 08:02 AM.
 
Old 02-24-2004, 06:38 AM   #2
Nic-MDKman
Member
 
Registered: Feb 2004
Location: Sacramento, CA, USA
Distribution: Mandrake 9.2
Posts: 159

Rep: Reputation: 30
You might get some more responses if your subject indicates the nature of the problem as opposed to your skill level.

My guess would be that it installed shorewall. Check for /etc/shorewall
 
Old 02-24-2004, 08:07 AM   #3
Danodare
Member
 
Registered: Feb 2004
Distribution: Slackware
Posts: 54

Original Poster
Rep: Reputation: 16
No /etc/shorewall.

The title of the post, I thought, was indicative of the nature of the questions... very very basic.

I found out since then how to list all processes... "ps -e" and I killed both sendmail processes. Is this the correct way to end sendmail ?

Lots and lots of processes running that end with d... for daemon I guess.

PID TTY TIME CMD
1 ? 00:00:04 init
2 ? 00:00:00 keventd
3 ? 00:00:00 ksoftirqd_CPU0
4 ? 00:00:14 kswapd
5 ? 00:00:03 bdflush
6 ? 00:00:00 kupdated
10 ? 00:00:00 mdrecoveryd
92 ? 00:00:00 syslogd
95 ? 00:00:00 klogd
98 ? 00:00:00 inetd
101 ? 00:00:00 sshd
111 ? 00:00:00 crond
113 ? 00:00:00 atd
123 ? 00:00:00 acpid
135 tty1 00:00:00 bash
136 tty2 00:00:00 agetty
137 tty3 00:00:00 agetty
138 tty4 00:00:00 agetty
139 tty5 00:00:00 agetty
140 tty6 00:00:00 agetty
516 ? 00:00:00 in.identd

Is it normal that I have six "agetty" running ?

Thanks in advance for any more help,
-Danodare

Last edited by Danodare; 02-24-2004 at 08:57 AM.
 
Old 02-24-2004, 12:07 PM   #4
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Killing a process will certainly end it, but next time you boot, it will be back. To shut down these processes, you need to find out where they are starting during boot and comment out the lines that start them. The good news is that the vast majority start from one of the scripts in the /etc/rc.d directory.

To find out if you have a firewall running, type iptables -L (you have to be root or su) and see what comes back.

By the way, there is a version of nmap that runs on windows. As far as I know, Windows doesn't ship with any software that allows you to probe for open ports.
 
Old 02-24-2004, 01:48 PM   #5
Danodare
Member
 
Registered: Feb 2004
Distribution: Slackware
Posts: 54

Original Poster
Rep: Reputation: 16
Thanks !

"iptables -L" returns the following:

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Unless I'm misunderstanding, that means there is no firewall installed at all ? I distinctly remember choosing in adsl-setup (from rp-pppoe package) between server firewall / workstation firewall / no firewall and I chose workstation. The mystery deepens.

-Danodare
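An added example, not from the thread: a small shell check that reads an "iptables -L" listing (here the one quoted above, copied as a constructed sample) and reports per chain whether anything actually filters, so "no firewall" does not have to be read off by eye. On a live box, pipe "iptables -L -n" (as root) into firewall_active instead.

```shell
# Decide from an "iptables -L" listing on stdin whether any filtering is in
# place. A chain with policy ACCEPT and no rules filters nothing. Exit status
# 0 means at least one chain has a non-ACCEPT policy or at least one rule.
firewall_active() {
    awk '
        /^Chain / {
            chain = $2
            # built-in chains: "Chain INPUT (policy ACCEPT)"; user chains: "(N references)"
            if ($3 == "(policy") { policy = $4; sub(/\)$/, "", policy) } else policy = "-"
            policies[chain] = policy; rules[chain] = 0
            next
        }
        /^target / { next }              # column header line
        NF == 0 { next }                 # blank separator between chains
        chain != "" { rules[chain]++ }   # anything else is a rule line
        END {
            active = 0
            for (c in policies) {
                printf "%-8s policy=%-6s rules=%d\n", c, policies[c], rules[c]
                if ((policies[c] != "ACCEPT" && policies[c] != "-") || rules[c] > 0) active = 1
            }
            exit (active ? 0 : 1)
        }
    '
}

# Constructed sample: the empty listing from the post above.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
}

sample_listing | firewall_active || echo "no effective firewall: every chain is ACCEPT with no rules"
```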
 
Old 02-24-2004, 03:24 PM   #6
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Yes, that definitely means that you don't have a firewall. I'm really not familiar at all with the rp-pppoe package, so I cant comment on why it didn't work. However, getting one in place is pretty easy. If you want a graphical interface to iptables, Firestarter seems to be rather popular. As an alternative, you can create it fairly easily in /etc/rc.d/rc.firewall (create it if you don't have one and make it executable).

The following should set up a minimal firewall if you want to roll your own

#!/bin/bash
iptables -F
iptables -P INPUT DROP
iptables -P OUTOUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -p tcp -m state --state ESTABLISHED, RELATED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED, RELATED -j ACCEPT

iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 
Old 02-25-2004, 05:27 AM   #7
Danodare
Member
 
Registered: Feb 2004
Distribution: Slackware
Posts: 54

Original Poster
Rep: Reputation: 16
Pulling my hair

I found out where "adsl-setup" put the firewall... It's in "/etc/ppp/firewall-standalone".

That way, the firewall is started every time I type "adsl-start", which is what I want anyway.

Now what is odd is the inside of that "firewall-standalone" file :
-------------------
EXTIF=ppp+

ANY=0.0.0.0/0

ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward DENY

ipchains -F forward
ipchains -F input
ipchains -F output

# Deny TCP and UDP packets to privileged ports
ipchains -A input -l -i $EXTIF -d $ANY 0:1023 -p udp -j DENY
ipchains -A input -l -i $EXTIF -d $ANY 0:1023 -p tcp -j DENY

# Deny TCP connection attempts
ipchains -A input -l -i $EXTIF -p tcp -y -j DENY

# Deny ICMP echo-requests
ipchains -A input -l -i $EXTIF -s $ANY echo-request -p icmp -j DENY
-------------------------

It does not look too bad on the surface, but then out of curiosity I typed "ipchains" in a console, and I got
-bash: ipchains: command not found.

The mystery deepens even more !!!!

-Danodare
 
Old 02-25-2004, 07:18 AM   #8
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Actually there is no mystery at all. Ipchains is an older firewall program that I believe is deprecated and most distros have dumped. If you're using Slackware 9.1, it almost certainly is using iptables (also called netfilter). I suppose that you could search and see if ipchains is installed (which ipchains, but you may need to be root or su to find it; there are usually a few directories that aren't on a normal user's PATH). I am surprised that your adsl program still uses ipchains since iptables has been around for a bit. You might want to see if there is a newer version.

So, the solution is to either compile a custom kernel that supports ipchains (I'm running 2.6.3 and the option is still there) or to set up your own iptables firewall. It really doesn't hurt to have the firewall running even when you aren't connected, so you can just have it load at boot time.
 
Old 02-25-2004, 08:07 AM   #9
Danodare
Member
 
Registered: Feb 2004
Distribution: Slackware
Posts: 54

Original Poster
Rep: Reputation: 16
My own ignorance put aside, a *lot* of advice I read prior to installing slackware 9.1 was to just use "adsl-setup", "adsl-start", "adsl-stop", all of which are part of the rp-pppoe package, installed by default in a full slackware 9.1. That means a lot of newbies like me used these, which by default use ipchains, not iptables. So unless other newbies were a lot smarter than me, many people think they are running firewalls... when in fact they are not. This is bad !

I got brave today and tried to read up some of the links unSpawn put in the sticky post here. I think I'm getting a basic understanding of how this all works, and I will copy/paste a firewall script that got the official seal of approval from the gurus.

Thanks a lot for your kind help,
-Danodare

Last edited by Danodare; 02-25-2004 at 08:09 AM.
 
Old 02-25-2004, 09:19 AM   #10
Danodare
Member
 
Registered: Feb 2004
Distribution: Slackware
Posts: 54

Original Poster
Rep: Reputation: 16
Actually, your script is pretty good... I like the simplicity of it. Btw you put an extra space between ESTABLISHED and RELATED in the INPUT lines, and also in the policy settings you wrote OUTOUT instead of OUTPUT.

I ran your script with the above corrections, and there is something odd. If I run netscape or konqueror, everything works fine. If I run Mozilla, and if I try to write anything (e.g. google search), Mozilla freezes and I can't do anything except kill the process. Very very odd (and it didn't do that before I put up the firewall).

Another question: what about the icmp protocol ? Is it totally useless ?

Finally, bittorrent needs inbound traffic for the 6881-6999 ports. Will that put me in jeopardy if I add the extra line ?

iptables -A INPUT -p tcp -m state --state NEW --destination-port 6881:6999 -j ACCEPT

Thanks in advance for any answer

-Danodare

Last edited by Danodare; 02-25-2004 at 09:34 AM.
 
Old 02-25-2004, 10:42 AM   #11
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Quote:
Btw you put an extra space between ESTABLISHED and RELATED in the INPUT lines, and also in the policy settings you wrote OUTOUT instead of OUTPUT.
Ah yes, fat fingered typing at its best.


Quote:
Another question: what about the icmp protocol ? Is it totally useless ?
Well, it would be easy to include this.... Since the rules are matching by state, it is possible to remove the protocol bit and just use

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Since the -p flag is gone, icmp should be included. This also might help bittorrent. I guess I've assumed that since bittorrent will be running on your machine, anything coming back will be ESTABLISHED or RELATED and should get through regardless of port. However, I don't use bittorrent, so I'm guessing. If it doesn't work, your rule for opening ports can be shortened a bit since you don't need to do state matching. You can do state matching here, but I'm not sure what limiting state to NEW might do to bittorrent. Once a connection is established, they could be RELATED or ESTABLISHED, in which case your rule won't accept them:

iptables -A INPUT -p tcp --dport 6881:6999 -j ACCEPT


As far as putting you in jeopardy, well, yes it will. But no more so than any other hole in your firewall. Heck, just being connected to the internet at all puts you in jeopardy. The trick is to harden your system, keep it updated and run defenses. If you're already working through unSpawn's links, you're already heading in the right direction. You probably want to start with investigating an intrusion detection system like Snort and a file monitor like Aide or Tripwire. That way if someone does get through, you have a record of what they did.
 
Old 02-25-2004, 11:03 AM   #12
Danodare
Member
 
Registered: Feb 2004
Distribution: Slackware
Posts: 54

Original Poster
Rep: Reputation: 16
*EDIT: THIS GOT ME REALLY CURIOUS, MAKING A SEPARATE THREAD*

Thanks ! More questions, sadly.

I put a

iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT"

at the end of my firewall config, and my "/var/log/syslog" is steadily filling up with odd lines... Lots of ip addresses are trying to initiate connections with me. Now, "whois thoseipaddresses" gives me my isp. Is it normal for my isp to try and initiate connections with me ? Should I phone them ? Moreover, my isp is trying different ports and tcp/udp, so I can't just allow one port.

The reason I put the logging thing is to see what Mozilla didn't like. The exact second Mozilla freezes, the log shows a *local* input (from me to me). Is there any reason not to allow local input ?

Thanks in advance,
-Danodare

Last edited by Danodare; 02-25-2004 at 11:50 AM.
 
Old 02-25-2004, 12:10 PM   #13
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Quote:
Is there any reason not to allow local input ?
That noise you are hearing is me getting dope-slapped.

The one line you pretty much always need in your firewall (and I forgot to add) is :

iptables -A INPUT -i lo -j ACCEPT

You should always accept input (and probably output) from lo, which is your local interface.

Quote:
Is it normal for my isp to try and initiate connections with me ?
Someone correct me if I'm wrong, but I think the answer is yes. There are standard protocols (like finger) that have traditionally been allowed to run and that might look like your ISP trying to do something. If you use a program like Ethereal to just listen to your LAN, there is all sorts of chatter between computers. I have no idea how much of it is important, but Windows computers in particular seem to be noisy. Unless they are scanning your computer (hits to lots of ports in rapid succession) or focusing on one port for a long time, I wouldn't worry about it. I also wouldn't call your ISP about it unless you are having trouble. Besides, getting someone on the phone who actually knows something can be a real challenge. I know with my ISP as soon as the word "linux" comes up, general panic ensues.
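An added example, not Hangdog42's or the thread's code: an awk triage of the FIREWALL:INPUT log lines that applies the rule of thumb above (one source hitting many different ports is a scan, repeated hits on a single port are usually just chatter). The log lines are constructed and abridged; real LOG entries carry more fields, and note that a --log-prefix without a trailing space runs straight into the IN= field, as shown.

```shell
# Summarise iptables LOG lines on stdin per source address: total hits,
# distinct destination ports, and a SCAN/noise verdict. $1 is the number of
# distinct ports that counts as a scan (default 5).
scan_report() {
    min=${1:-5}
    awk -v min="$min" '
        /FIREWALL:INPUT/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "" || dpt == "") next   # ICMP lines carry no DPT; skip them
            hits[src]++
            if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
        }
        END {
            for (s in hits) {
                verdict = (ports[s] >= min) ? "SCAN" : "noise"
                printf "%s hits=%d ports=%d %s\n", s, hits[s], ports[s], verdict
            }
        }
    '
}

# Constructed, abridged syslog sample (RFC 5737 documentation addresses).
sample_log() {
    cat <<'EOF'
Feb 25 11:30:01 slack kernel: FIREWALL:INPUTIN=ppp0 OUT= SRC=192.0.2.10 DST=192.0.2.99 PROTO=TCP SPT=3101 DPT=21 SYN
Feb 25 11:30:01 slack kernel: FIREWALL:INPUTIN=ppp0 OUT= SRC=192.0.2.10 DST=192.0.2.99 PROTO=TCP SPT=3102 DPT=22 SYN
Feb 25 11:30:02 slack kernel: FIREWALL:INPUTIN=ppp0 OUT= SRC=192.0.2.10 DST=192.0.2.99 PROTO=TCP SPT=3103 DPT=25 SYN
Feb 25 11:30:02 slack kernel: FIREWALL:INPUTIN=ppp0 OUT= SRC=192.0.2.10 DST=192.0.2.99 PROTO=TCP SPT=3104 DPT=79 SYN
Feb 25 11:30:02 slack kernel: FIREWALL:INPUTIN=ppp0 OUT= SRC=192.0.2.10 DST=192.0.2.99 PROTO=TCP SPT=3105 DPT=113 SYN
Feb 25 11:31:40 slack kernel: FIREWALL:INPUTIN=ppp0 OUT= SRC=198.51.100.7 DST=192.0.2.99 PROTO=UDP SPT=137 DPT=137
Feb 25 11:31:41 slack kernel: FIREWALL:INPUTIN=ppp0 OUT= SRC=198.51.100.7 DST=192.0.2.99 PROTO=UDP SPT=137 DPT=137
Feb 25 11:32:05 slack kernel: FIREWALL:INPUTIN=ppp0 OUT= SRC=203.0.113.4 DST=192.0.2.99 PROTO=ICMP TYPE=8 CODE=0
EOF
}

sample_log | scan_report 5
```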
 
Old 03-13-2004, 11:16 PM   #14
robertn
Member
 
Registered: Mar 2004
Location: mid-atlantic
Distribution: mandrake 9.1 rc2
Posts: 43

Rep: Reputation: 15
Greatly appreciated this thread; right on the money for me as I try to initiate basic firewalling with Mandrake 9.1. I ran a check using Sygate scan and it showed all sorts of vulnerabilities, and I was thinking I had a firewall already installed.

Would it be a hassle to post again the new and corrected version of the simple "roll your own script" that was suggested ?

 
Old 03-13-2004, 11:21 PM   #15
robertn
Member
 
Registered: Mar 2004
Location: mid-atlantic
Distribution: mandrake 9.1 rc2
Posts: 43

Rep: Reputation: 15
Is this the correct "roll your own" executable script that is suggested?

#!/bin/bash
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

ty for the simple approach.
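An added example, not robertn's or Hangdog42's script: the same ruleset with the lo, ICMP, bittorrent and logging points raised in the thread folded into one /etc/rc.d/rc.firewall. IPT is an assumed variable so the rules can be printed with IPT=echo and checked before loading them as root.

```shell
# Minimal stateful workstation firewall assembled from this thread's fixes.
# Set IPT=echo to dry-run (print the rules instead of loading them).
IPT=${IPT:-iptables}
BT_PORTS=6881:6999   # inbound bittorrent range asked about above

load_rules() {
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Loopback first: local clients talking to local daemons (the frozen
    # Mozilla case) never leave lo, so both directions must be accepted.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # No -p, so the state match covers tcp, udp and icmp replies alike.
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED     -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # Inbound peers: NEW is enough, their later packets match ESTABLISHED above.
    $IPT -A INPUT -p tcp --dport "$BT_PORTS" -m state --state NEW -j ACCEPT

    # Log whatever is left before the DROP policy discards it. The trailing
    # space keeps the prefix separate from the IN= field in syslog.
    $IPT -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
}

load_rules
```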
 
  

