Tillbaka till svenska Fidonet
English   Information   Debug  
IC   0/2851
INTERNET   0/424
INTERUSER   0/3
IP_CONNECT   719
JAMNNTPD   0/233
JAMTLAND   0/47
KATTY_KORNER   0/41
LAN   0/16
LINUX-USER   0/19
LINUXHELP   0/1155
LINUX   7718/22112
LINUX_BBS   0/957
mail   18.68
mail_fore_ok   249
MENSA   0/341
MODERATOR   0/102
MONTE   0/992
MOSCOW_OKLAHOMA   0/1245
MUFFIN   0/783
MUSIC   0/321
N203_STAT   930
N203_SYSCHAT   313
NET203   321
NET204   69
NET_DEV   0/10
NORD.ADMIN   0/101
NORD.CHAT   0/2572
NORD.FIDONET   189
NORD.HARDWARE   0/28
NORD.KULTUR   0/114
NORD.PROG   0/32
NORD.SOFTWARE   0/88
NORD.TEKNIK   0/58
NORD   0/453
OCCULT_CHAT   0/93
OS2BBS   0/787
OS2DOSBBS   0/580
OS2HW   0/42
OS2INET   0/37
OS2LAN   0/134
OS2PROG   0/36
OS2REXX   0/113
OS2USER-L   207
OS2   0/4786
OSDEBATE   0/18996
PASCAL   0/490
PERL   0/457
PHP   0/45
POINTS   0/405
POLITICS   0/29554
POL_INC   0/14731
PSION   103
R20_ADMIN   1123
R20_AMATORRADIO   0/2
R20_BEST_OF_FIDONET   13
R20_CHAT   0/893
R20_DEPP   0/3
R20_DEV   399
R20_ECHO2   1379
R20_ECHOPRES   0/35
R20_ESTAT   0/719
R20_FIDONETPROG...
...RAM.MYPOINT
  0/2
R20_FIDONETPROGRAM   0/22
R20_FIDONET   0/248
R20_FILEFIND   0/24
R20_FILEFOUND   0/22
R20_HIFI   0/3
R20_INFO2   3250
R20_INTERNET   0/12940
R20_INTRESSE   0/60
R20_INTR_KOM   0/99
R20_KANDIDAT.CHAT   42
R20_KANDIDAT   28
R20_KOM_DEV   112
R20_KONTROLL   0/13300
R20_KORSET   0/18
R20_LOKALTRAFIK   0/24
R20_MODERATOR   0/1852
R20_NC   76
R20_NET200   245
R20_NETWORK.OTH...
...ERNETS
  0/13
R20_OPERATIVSYS...
...TEM.LINUX
  0/44
R20_PROGRAMVAROR   0/1
R20_REC2NEC   534
R20_SFOSM   0/341
R20_SF   0/108
R20_SPRAK.ENGLISH   0/1
R20_SQUISH   107
R20_TEST   2
R20_WORST_OF_FIDONET   12
RAR   0/9
RA_MULTI   106
RA_UTIL   0/162
REGCON.EUR   0/2056
REGCON   0/13
SCIENCE   0/1206
SF   0/239
SHAREWARE_SUPPORT   0/5146
SHAREWRE   0/14
SIMPSONS   0/169
STATS_OLD1   0/2539.065
STATS_OLD2   0/2530
STATS_OLD3   0/2395.095
STATS_OLD4   0/1692.25
SURVIVOR   0/495
SYSOPS_CORNER   0/3
SYSOP   0/84
TAGLINES   0/112
TEAMOS2   0/4530
TECH   0/2617
TEST.444   0/105
TRAPDOOR   0/19
TREK   0/755
TUB   0/290
UFO   0/40
UNIX   0/1316
USA_EURLINK   0/102
USR_MODEMS   0/1
VATICAN   0/2740
VIETNAM_VETS   0/14
VIRUS   0/378
VIRUS_INFO   0/201
VISUAL_BASIC   0/473
WHITEHOUSE   0/5187
WIN2000   0/101
WIN32   0/30
WIN95   0/4289
WIN95_OLD1   0/70272
WINDOWS   0/1517
WWB_SYSOP   0/419
WWB_TECH   0/810
ZCC-PUBLIC   0/1
ZEC   4

 
4DOS   0/134
ABORTION   0/7
ALASKA_CHAT   0/506
ALLFIX_FILE   0/1313
ALLFIX_FILE_OLD1   0/7997
ALT_DOS   0/152
AMATEUR_RADIO   0/1039
AMIGASALE   0/14
AMIGA   0/331
AMIGA_INT   0/1
AMIGA_PROG   0/20
AMIGA_SYSOP   0/26
ANIME   0/15
ARGUS   0/924
ASCII_ART   0/340
ASIAN_LINK   0/651
ASTRONOMY   0/417
AUDIO   0/92
AUTOMOBILE_RACING   0/105
BABYLON5   0/17862
BAG   135
BATPOWER   0/361
BBBS.ENGLISH   0/382
BBSLAW   0/109
BBS_ADS   0/5290
BBS_INTERNET   0/507
BIBLE   0/3563
BINKD   0/1119
BINKLEY   0/215
BLUEWAVE   0/2173
CABLE_MODEMS   0/25
CBM   0/46
CDRECORD   0/66
CDROM   0/20
CLASSIC_COMPUTER   0/378
COMICS   0/15
CONSPRCY   0/899
COOKING   33431
COOKING_OLD1   0/24719
COOKING_OLD2   0/40862
COOKING_OLD3   0/37489
COOKING_OLD4   0/35496
COOKING_OLD5   9370
C_ECHO   0/189
C_PLUSPLUS   0/31
DIRTY_DOZEN   0/201
DOORGAMES   0/2065
DOS_INTERNET   0/196
duplikat   6002
ECHOLIST   0/18295
EC_SUPPORT   0/318
ELECTRONICS   0/359
ELEKTRONIK.GER   1534
ENET.LINGUISTIC   0/13
ENET.POLITICS   0/4
ENET.SOFT   0/11701
ENET.SYSOP   33946
ENET.TALKS   0/32
ENGLISH_TUTOR   0/2000
EVOLUTION   0/1335
FDECHO   0/217
FDN_ANNOUNCE   0/7068
FIDONEWS   24159
FIDONEWS_OLD1   0/49742
FIDONEWS_OLD2   0/35949
FIDONEWS_OLD3   0/30874
FIDONEWS_OLD4   0/37224
FIDO_SYSOP   12852
FIDO_UTIL   0/180
FILEFIND   0/209
FILEGATE   0/212
FILM   0/18
FNEWS_PUBLISH   4436
FN_SYSOP   41708
FN_SYSOP_OLD1   71952
FTP_FIDO   0/2
FTSC_PUBLIC   0/13615
FUNNY   0/4886
GENEALOGY.EUR   0/71
GET_INFO   105
GOLDED   0/408
HAM   0/16075
HOLYSMOKE   0/6791
HOT_SITES   0/1
HTMLEDIT   0/71
HUB203   466
HUB_100   264
HUB_400   39
HUMOR   0/29
Möte LINUX, 22112 texter
 lista första sista föregående nästa
Text 7720, 278 rader
Skriven 2006-10-27 20:06:02 av Paul Rogers (1:105/360.0)
     Kommentar till en text av Martin Atkins
Ärende: Latest firewall script
==============================
 PR>> issue, e.g. the Morris worm,
 MA> Stinking Maurice. ;-\

Robert T.

 PR>> A firewall will never catch them.
 MA> Exactly. So why mention if it is not a firewall issue?

But it is!  I can make it harder for them to phone home with the
firewall.

 MA> If something traverses the INPUT rules and you didn't see it
 MA> coming, by what magic are you going have an OUTPUT rule to
 MA> deal with it going? If you did have something in the OUTPUT rule
 MA> to deal with it, why wasn't it stopped at the INPUT part of the
 MA> table?

OK, here's a scenario for you.

I visit a website's port 80.  No problem getting out through the
firewall, or getting the HTML responses back in over the
ESTABLISHED link.  Unbeknownst to me it's been hacked and
hijacked.  There's a Java script on the page I get that tries to
establish a NEW connection to a malware server on some ephemeral
port.  That would work if all OUTPUT ports are open.  If it gets
that, then it intends to download a bunch of malware.  My
firewall stops that.  Unbeknownst to $BAD_BOY, it might have
worked if he'd used one of the well known ports, until I catch
on and blacklist his IP address.

 MA> I have no problem with that, indeed you could tighten it up more
 MA> by defining $EPHEM according to the amount of ram you have.
 MA> The value on my system is in /proc/sys/net/ipv4/ip_local_port_range.
 MA> I'm not sure if it's the same with LFS but as i have 384meg ram
 MA> the value on my machine is 32768:61000

I'll check into that.  Of course, if the ports don't EXIST,
they're blocked.  ;-)

 PR>>> iptables -A OUTPUT -p tcp --dport 81 -j log-it
 PR>>> iptables -A OUTPUT -p tcp --dport 8080 -j log-it
 MA>> This does exactly the same.
 MA>> iptables -A INPUT -p tcp --dport 81 -j log-it
 MA>> iptables -A INPUT -p tcp --dport 8080 -j log-it
 PR>> No
 MA> Yes it does. It doesn't matter whether it's on a workstation or

Sure it does.  An output packet to some server's port 81 doesn't
traverse the INPUT chain.  Without my rules, a webpage/Java
script could communicate to any server's port 81 or 8080,
whatever that does.  I don't allow that.  Your rule only works
for a packet coming in to port 81 on my machine, where, since
this isn't a server with Apache listening on port 81, there's
nothing to receive it anyhow.  In any event, since I don't have
an INPUT rule to ACCEPT packets coming to ports 81 or 8080,
those get dropped at the end.

 MA> a server. What do you think iptables knows the difference? The two top
 MA> lines are taken from your firewall and the two at the bottom would do
 MA> _exactly_the_same_thing.

Mine affects the OUTPUT chain traversal.  Yours affects the
INPUT chain traversal.  They are NOT the same.

 MA> Fall through? If you write a rule in the output chain that stops
 MA> an undesirable event then why did you not stop such an event in
 MA> the input chain.

Because the default policy is DROP.  ACCEPT is the exception.  I
don't have a rule to ACCEPT an OUTPUT to ports 81 or 8080, so
they wouldn't get out anyway, I just make it explicit.

 MA> Sub-channels?  You need more than a firewall you
 MA> need a bomb shelter.

See scenario above.

 MA> Give me an example of one valid situation where it is imperative
 MA> for you to filter on the output chain.

See above.

 PR>> In my case LOCAL_NET is 192.168.1.x, (though now I wish I'd made
 PR>> it something like 192.168.137.x, 0 & 1 are too easy to guess).
 MA> Then why later in this message do you say in your script:-
 MA> # iptables -A INPUT -s $CLASS_C -j DROP
 MA> # PGR Can't do that, our LAN is a Class C private network
 MA> Earlier in the script you define.
 MA> CLASS_C="192.168.0.0/16"
 MA> So you are making things up as you go along. How is anyone supposed
 MA> to follow your script?

I see you're having a lot of difficulty.  Tell me what CIDR
you'd write to cover a range of addresses except one that's
neither the beginning or end?

 MA> As i said, if you invite comment on your iptables chain you need
 MA> to define things in the script correctly and not use outside references
 MA> unless you have to.

I wasn't inviting comment, but offering it for others to use.
Thought Wayne might be interested.

 MA> Lets have a look at the gist of what you have done with $LOCAL_NET
 MA> throughout your script. For brevity i have omitted the statefull
 MA> side of things and used port numbers but have the service commented.
 MA> iptables -A INPUT  -p udp --dport 137 -s $LOCAL_NET -j ACCEPT
 MA> #netbios-ns iptables -A INPUT  -p udp --dport 138 -s $LOCAL_NET -j
 MA> ACCEPT #netbios-dgm iptables -A INPUT  -p udp -s $LOCAL_NET --sport 53
 MA> -j ACCEPT #domain iptables -A OUTPUT -p udp -d $LOCAL_NET --dport 53
 MA> -j ACCEPT #domain iptables -A INPUT  -p udp -s $LOCAL_NET --sport 113
 MA> -j ACCEPT #auth iptables -A INPUT  -p tcp --dport 139 -s $LOCAL_NET -j
 MA> ACCEPT #netbios-ssn iptables -A OUTPUT -p tcp --sport 139 -d $LOCAL_NET
 MA> -j ACCEPT #netbios-ssn iptables -A INPUT  -p tcp --dport 139 -s
 MA> $LOCAL_NET -j ACCEPT #netbios-ssn iptables -A OUTPUT -p tcp --dport 137
 MA> -s $LOCAL_NET -j ACCEPT #netbios-ns iptables -A OUTPUT -p tcp --dport
 MA> 138 -s $LOCAL_NET -j ACCEPT #netbios-dgm iptables -A OUTPUT -p tcp
 MA> --dport 139 -s $LOCAL_NET -j ACCEPT #netbios-ssn iptables -A INPUT  -p
 MA> tcp -s $LOCAL_NET --sport 113 -j ACCEPT #auth

 MA> God only knows why you have these last lines.
 MA> iptables -A INPUT  -s $LOCAL_NET -j REJECT
 MA> iptables -A OUTPUT -d $LOCAL_NET -j REJECT

$man iptables

DROP discards the packet without informing the sender.  REJECT
returns an error to the sender.  I play nice with my own
machines.  If they try something I don't allow, rather than
hanging until the operation times out, I have the firewall
return an error so they/I know immediately the operation failed.

 MA> By having your OUTPUT as ACCEPT then you can replace the whole lot
 MA> with:-
 MA> iptables -A INPUT -p tcp -s $LOCAL_NET -m multiport --port
 MA> 53,113,137,138,139  -j ACCEP
 MA> iptables -A INPUT -p udp -s $LOCAL_NET -m multiport --port
 MA> 53,113,137,138,139  -j ACCEP
 MA> Without the line wrap of course.

Certainly could, but I think that would be harder to understand.

 MA> You just don't get it do you. What ever goes in or out of your network
 MA> including your local machine has to go through the INPUT chain.

No, I got it fine.  You must be reading it wrong.  See:
http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-6.html
Here is a text rendition:
+++++++++++
    6. How Packets Traverse The Filters

The kernel starts with three lists of rules in the `filter' table; these
lists are called *firewall chains* or just *chains*. The three chains
are called *INPUT*, *OUTPUT* and *FORWARD*.

For ASCII-art fans, the chains are arranged like so: *(Note: this is a
very different arrangement from the 2.0 and 2.2 kernels!)*

                          _____
Incoming                 /     \         Outgoing
       -->[Routing ]--->|FORWARD|------->
          [Decision]     \_____/        ^
               |                        |
               v                       ____
              ___                     /    \
             /   \                   |OUTPUT|
            |INPUT|                   \____/
             \___/                       ^
               |                         |
                ----> Local Process -----

The three circles represent the three chains mentioned above. When a
packet reaches a circle in the diagram, that chain is examined to decide
the fate of the packet. If the chain says to DROP the packet, it is
killed there, but if the chain says to ACCEPT the packet, it continues
traversing the diagram.

A chain is a checklist of *rules*. Each rule says `if the packet header
looks like this, then here's what to do with the packet'. If the rule
doesn't match the packet, then the next rule in the chain is consulted.
Finally, if there are no more rules to consult, then the kernel looks at
the chain *policy* to decide what to do. In a security-conscious system,
this policy usually tells the kernel to DROP the packet.

   1. When a packet comes in (say, through the Ethernet card) the kernel
      first looks at the destination of the packet: this is called
      `routing'.
   2. If it's destined for this box, the packet passes downwards in the
      diagram, to the INPUT chain. If it passes this, any processes
      waiting for that packet will receive it.
   3. Otherwise, if the kernel does not have forwarding enabled, or it
      doesn't know how to forward the packet, the packet is dropped. If
      forwarding is enabled, and the packet is destined for another
      network interface (if you have another one), then the packet goes
      rightwards on our diagram to the FORWARD chain. If it is ACCEPTed,
      it will be sent out.
   4. Finally, a program running on the box can send network packets.
      These packets pass through the OUTPUT chain immediately: if it
      says ACCEPT, then the packet continues out to whatever interface
      it is destined for.
++++++++++++

OUTPUT packets from some client of mine, e.g. browser, ftp,
etc., goes to the OUTPUT chain, not the INPUT chain.  See #4
above.

 MA> Where pray tell me? After having defined $CLASS_C it's never
 MA> mentioned again except where you have commented it out.

All 192.168.x.y INPUT packets traverse the INPUT chain.  They
aren't explicitly dropped like the Class-[A,B] addresses are.
If they are from $LOCAL_NET for ports I allow they find an
ACCEPT rule and are passed.  If they're NOT from $LOCAL_NET,
e.g. 192.168.0.y, 192.168.[2-255].y, etc., OR they're $LOCAL_NET
to a prohibited port, they NEVER find an ACCEPTing rule.  They
traverse the entire chain to the bottom where they get shunted
to log-it, where they're logged & dropped.

 MA> It's a simple question i asked you. Does your local net and the inet
 MA> hook  up to _your_ machine through one etho?

Yes.  My perimeter firewall/router machine is 192.168.1.254 on
my LAN.  I'm not running a DMZ setup.

 PR> Mine does.  By saving the tables at shutdown, and restoring them
 PR> at boot, I'm using already processed tables.  No glitches.
 MA> Well if it works for your distro so be it.

It's in iptables-1.2.11.
$man iptables-save
$man iptables-restore

 MA> So you like sending youself error messages? Did i say you shouldn't
 MA> log it? Why not just log and drop it?

Yes.  I don't like sitting there while a failing operation times
out.  If it isn't going to work, I'd like to know about it
immediately by returning an error code.

 MA>> iptables -A INPUT -s $BAD_BOY -j REJECT --reject-with icmp-host-unr...
 PR>> NO!  Not what I want to do.  That would send an ICMP packet back
 MA> Why let it into the firewall in the first place?

You mean set-up the blacklisting on the perimeter firewall?
That's a lot harder.

 PR>> Ummm, paranoia?
 MA> Then don't let it in in the first place.

I don't.  Net-filter is a kernel facility.  They never make
it through.

 MA> Are you telling me that $IP is a variable? You must have the distro
 MA> from hell.

It is defined in /etc/sysconfig/network_devices/ifconfig.eth0,
and sourced in several scripts: here in firewall, &
/etc/rc.d/init.d/network.  RedHat does it similarly.

 MA> I asked at the very beginning if it was your script or if someone else
 MA> had written it. If it's an adaptation then of course it will be messy.

As it says, someone else wrote a firewall script which I took
and modified to suit myself.

 MA> I ran iptables -L -v while pinging a remote and then had the remote
 MA> ping me. Next i instigated a NFS connection and for icing on the cake i
 MA> got hackerwacker.com to probe my ports. I flushed the firewall and
 MA> bought it up again and on each occasion iptables -L -v worked
 MA> flawlessly.

It does, when you have a connection to a DNS server.  It hangs
unless you specify -n and you need a DNS lookup.  My way, I can
update my workstation when the network is down and it doesn't
hang for DNS lookups.

---
 * Origin: The Bare Bones BBS (1:105/360)