Tillbaka till svenska Fidonet
English   Information   Debug  
IC   0/2851
INTERNET   0/424
INTERUSER   0/3
IP_CONNECT   719
JAMNNTPD   0/233
JAMTLAND   0/47
KATTY_KORNER   0/41
LAN   0/16
LINUX-USER   0/19
LINUXHELP   0/1155
LINUX   5219/22112
LINUX_BBS   0/957
mail   18.68
mail_fore_ok   249
MENSA   0/341
MODERATOR   0/102
MONTE   0/992
MOSCOW_OKLAHOMA   0/1245
MUFFIN   0/783
MUSIC   0/321
N203_STAT   930
N203_SYSCHAT   313
NET203   321
NET204   69
NET_DEV   0/10
NORD.ADMIN   0/101
NORD.CHAT   0/2572
NORD.FIDONET   189
NORD.HARDWARE   0/28
NORD.KULTUR   0/114
NORD.PROG   0/32
NORD.SOFTWARE   0/88
NORD.TEKNIK   0/58
NORD   0/453
OCCULT_CHAT   0/93
OS2BBS   0/787
OS2DOSBBS   0/580
OS2HW   0/42
OS2INET   0/37
OS2LAN   0/134
OS2PROG   0/36
OS2REXX   0/113
OS2USER-L   207
OS2   0/4786
OSDEBATE   0/18996
PASCAL   0/490
PERL   0/457
PHP   0/45
POINTS   0/405
POLITICS   0/29554
POL_INC   0/14731
PSION   103
R20_ADMIN   1123
R20_AMATORRADIO   0/2
R20_BEST_OF_FIDONET   13
R20_CHAT   0/893
R20_DEPP   0/3
R20_DEV   399
R20_ECHO2   1379
R20_ECHOPRES   0/35
R20_ESTAT   0/719
R20_FIDONETPROG...
...RAM.MYPOINT
  0/2
R20_FIDONETPROGRAM   0/22
R20_FIDONET   0/248
R20_FILEFIND   0/24
R20_FILEFOUND   0/22
R20_HIFI   0/3
R20_INFO2   3250
R20_INTERNET   0/12940
R20_INTRESSE   0/60
R20_INTR_KOM   0/99
R20_KANDIDAT.CHAT   42
R20_KANDIDAT   28
R20_KOM_DEV   112
R20_KONTROLL   0/13300
R20_KORSET   0/18
R20_LOKALTRAFIK   0/24
R20_MODERATOR   0/1852
R20_NC   76
R20_NET200   245
R20_NETWORK.OTH...
...ERNETS
  0/13
R20_OPERATIVSYS...
...TEM.LINUX
  0/44
R20_PROGRAMVAROR   0/1
R20_REC2NEC   534
R20_SFOSM   0/341
R20_SF   0/108
R20_SPRAK.ENGLISH   0/1
R20_SQUISH   107
R20_TEST   2
R20_WORST_OF_FIDONET   12
RAR   0/9
RA_MULTI   106
RA_UTIL   0/162
REGCON.EUR   0/2056
REGCON   0/13
SCIENCE   0/1206
SF   0/239
SHAREWARE_SUPPORT   0/5146
SHAREWRE   0/14
SIMPSONS   0/169
STATS_OLD1   0/2539.065
STATS_OLD2   0/2530
STATS_OLD3   0/2395.095
STATS_OLD4   0/1692.25
SURVIVOR   0/495
SYSOPS_CORNER   0/3
SYSOP   0/84
TAGLINES   0/112
TEAMOS2   0/4530
TECH   0/2617
TEST.444   0/105
TRAPDOOR   0/19
TREK   0/755
TUB   0/290
UFO   0/40
UNIX   0/1316
USA_EURLINK   0/102
USR_MODEMS   0/1
VATICAN   0/2740
VIETNAM_VETS   0/14
VIRUS   0/378
VIRUS_INFO   0/201
VISUAL_BASIC   0/473
WHITEHOUSE   0/5187
WIN2000   0/101
WIN32   0/30
WIN95   0/4289
WIN95_OLD1   0/70272
WINDOWS   0/1517
WWB_SYSOP   0/419
WWB_TECH   0/810
ZCC-PUBLIC   0/1
ZEC   4

 
4DOS   0/134
ABORTION   0/7
ALASKA_CHAT   0/506
ALLFIX_FILE   0/1313
ALLFIX_FILE_OLD1   0/7997
ALT_DOS   0/152
AMATEUR_RADIO   0/1039
AMIGASALE   0/14
AMIGA   0/331
AMIGA_INT   0/1
AMIGA_PROG   0/20
AMIGA_SYSOP   0/26
ANIME   0/15
ARGUS   0/924
ASCII_ART   0/340
ASIAN_LINK   0/651
ASTRONOMY   0/417
AUDIO   0/92
AUTOMOBILE_RACING   0/105
BABYLON5   0/17862
BAG   135
BATPOWER   0/361
BBBS.ENGLISH   0/382
BBSLAW   0/109
BBS_ADS   0/5290
BBS_INTERNET   0/507
BIBLE   0/3563
BINKD   0/1119
BINKLEY   0/215
BLUEWAVE   0/2173
CABLE_MODEMS   0/25
CBM   0/46
CDRECORD   0/66
CDROM   0/20
CLASSIC_COMPUTER   0/378
COMICS   0/15
CONSPRCY   0/899
COOKING   33431
COOKING_OLD1   0/24719
COOKING_OLD2   0/40862
COOKING_OLD3   0/37489
COOKING_OLD4   0/35496
COOKING_OLD5   9370
C_ECHO   0/189
C_PLUSPLUS   0/31
DIRTY_DOZEN   0/201
DOORGAMES   0/2065
DOS_INTERNET   0/196
duplikat   6002
ECHOLIST   0/18295
EC_SUPPORT   0/318
ELECTRONICS   0/359
ELEKTRONIK.GER   1534
ENET.LINGUISTIC   0/13
ENET.POLITICS   0/4
ENET.SOFT   0/11701
ENET.SYSOP   33946
ENET.TALKS   0/32
ENGLISH_TUTOR   0/2000
EVOLUTION   0/1335
FDECHO   0/217
FDN_ANNOUNCE   0/7068
FIDONEWS   24159
FIDONEWS_OLD1   0/49742
FIDONEWS_OLD2   0/35949
FIDONEWS_OLD3   0/30874
FIDONEWS_OLD4   0/37224
FIDO_SYSOP   12852
FIDO_UTIL   0/180
FILEFIND   0/209
FILEGATE   0/212
FILM   0/18
FNEWS_PUBLISH   4436
FN_SYSOP   41708
FN_SYSOP_OLD1   71952
FTP_FIDO   0/2
FTSC_PUBLIC   0/13615
FUNNY   0/4886
GENEALOGY.EUR   0/71
GET_INFO   105
GOLDED   0/408
HAM   0/16075
HOLYSMOKE   0/6791
HOT_SITES   0/1
HTMLEDIT   0/71
HUB203   466
HUB_100   264
HUB_400   39
HUMOR   0/29
Möte LINUX, 22112 texter
 lista första sista föregående nästa
Text 7738, 368 rader
Skriven 2006-10-30 10:02:00 av MARTIN ATKINS (1:123/140)
     Kommentar till en text av PAUL ROGERS
Ärende: Latest firewall script
==============================
-=> PAUL ROGERS wrote to MARTIN ATKINS <=-


 PR>> A firewall will never catch them.
 MA> Exactly. So why mention if it is not a firewall issue?

 PR> But it is!  I can make it harder for them to phone home with the
 PR> firewall.

Now you are contradicting yourself. First you say a firewall won't
catch them and in the next breath you say it will.

 MA> If something traverses the INPUT rules and you didn't see it
 MA> coming, by what magic are you going have an OUTPUT rule to
 MA> deal with it going? If you did have something in the OUTPUT rule
 MA> to deal with it, why wasn't it stopped at the INPUT part of the
 MA> table?

 PR> OK, here's a scenario for you.

 PR> I visit a website's port 80.  No problem getting out through the
 PR> firewall, or getting the HTML responses back in over the
 PR> ESTABLISHED link.  Unbeknownst to me it's been hacked and
 PR> hijacked.  There's a Java script on the page I get that tries to
 PR> establish a NEW connection to a malware server on some ephemeral
 PR> port.  
 
You shouldn't have a server on the ephemeral ports. You have your servers
on what you have defined as KNOWN="0:1024". If you mean the remote is 
using a different port other than 80 then so what? It isn't going
anywhere. Why would they bother to do something like that? They
would be better of using port 80.
 
 PR> That would work if all OUTPUT ports are open.  

The $EPHEM ports don't provide a service and as far as i know ports
in the $EPHEM range are allocated as needed. So you can't define
OUTPUT ports.

 PR> If it gets that, then it intends to download a bunch of malware.  

If that was a real scenario there would be millions of win 9x users 
downloading files without them knowing. It does happen of course but 
that has nothing to do with what port the remote is using. 

 PR> My firewall stops that.  Unbeknownst to $BAD_BOY, it might have
 PR> worked if he'd used one of the well known ports, until I catch
 PR> on and blacklist his IP address. 
 
$BAD_BOY gets squashed because of his IP not because of the port.

 MA> I have no problem with that, indeed you could tighten it up more
 MA> by defining $EPHEM according to the amount of ram you have.
 MA> The value on my system is in /proc/sys/net/ipv4/ip_local_port_range.
 MA> I'm not sure if it's the same with LFS but as i have 384meg ram
 MA> the value on my machine is 32768:61000

 PR> I'll check into that.  Of course, if the ports don't EXIST,
 PR> they're blocked.  ;-)

They lower ports do exist but they are not in the $EPHEM range.
They would be in what you have defined as $KNOWN but you have
IMO wisely not used it in your script. Of course $KNOWN could
be expanded but you don't want to give blanket permission to
any ports that provide a service.

 PR>>> iptables -A OUTPUT -p tcp --dport 81 -j log-it
 PR>>> iptables -A OUTPUT -p tcp --dport 8080 -j log-it
 MA>> This does exactly the same.
 MA>> iptables -A INPUT -p tcp --dport 81 -j log-it
 MA>> iptables -A INPUT -p tcp --dport 8080 -j log-it
 PR>> No
 MA> Yes it does. It doesn't matter whether it's on a workstation or

 PR> Sure it does.  An output packet to some server's port 81 doesn't
 PR> traverse the INPUT chain.  
 
Unless you allow port 81 on the input chain then it is dropped as per
the policy. So unless you need that port for something you don't
need a rule.  
 
 PR> Without my rules, a webpage/Java
 PR> script could communicate to any server's port 81 or 8080,
 PR> whatever that does.  

No it can't get to port but 81 but as you have $EPHEM defined as
1024:65535 then it can get to 8080 and NFS 2049 so deal with them
early in the input chain.

iptables -A INPUT -p tcp -m multiport --port 8080,2049 j DROP
iptables -A INPUT -p udp -m multiport --port 8080,2049 j DROP

 PR>  I don't allow that.  Your rule only works
 PR> for a packet coming in to port 81 on my machine, where, since
 PR> this isn't a server with Apache listening on port 81, there's
 PR> nothing to receive it anyhow.  In any event, since I don't have
 PR> an INPUT rule to ACCEPT packets coming to ports 81 or 8080,
 PR> those get dropped at the end.

Not 81 but 8080 you do. This from your script:-

iptables -A INPUT  -p tcp --sport $EPHEM --dport $EPHEM -m state --state
ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --sport $EPHEM --dport $EPHEM -m state --state
ESTABLISHED,RELATED -j ACCEPT 

Here you appear to allow a remote to connect to your machine using
any port of his above 1024. Exactly the situation you said you didn't 
want. 

 MA> a server. What do you think iptables knows the difference? The two top
 MA> lines are taken from your firewall and the two at the bottom would do
 MA> _exactly_the_same_thing.

 PR> Mine affects the OUTPUT chain traversal.  Yours affects the
 PR> INPUT chain traversal.  They are NOT the same.

No they are not the same INPUT deals with things coming into
the table OUTPUT deals with things going out of the table.

It must traverse the INPUT rules before it hits the OUTPUT
rules. 

 MA> Fall through? If you write a rule in the output chain that stops
 MA> an undesirable event then why did you not stop such an event in
 MA> the input chain.

 PR> Because the default policy is DROP.  ACCEPT is the exception.  I
 PR> don't have a rule to ACCEPT an OUTPUT to ports 81 or 8080, so
 PR> they wouldn't get out anyway, I just make it explicit.

See what i have said about this earlier. Both 8080 and 2049 are wide
open.

 MA> Sub-channels?  You need more than a firewall you
 MA> need a bomb shelter.

 PR> See scenario above.

See the fairies at the bottom of your garden. It aint gonna happen any
time soon.

 MA> Give me an example of one valid situation where it is imperative
 MA> for you to filter on the output chain.

 PR> See above.

Ditto

 PR>> In my case LOCAL_NET is 192.168.1.x, (though now I wish I'd made
 PR>> it something like 192.168.137.x, 0 & 1 are too easy to guess).
 MA> Then why later in this message do you say in your script:-
 MA> # iptables -A INPUT -s $CLASS_C -j DROP
 MA> # PGR Can't do that, our LAN is a Class C private network
 MA> Earlier in the script you define.
 MA> CLASS_C="192.168.0.0/16"
 MA> So you are making things up as you go along. How is anyone supposed
 MA> to follow your script?

 PR> I see you're having a lot of difficulty.  
 
Of course i'm having difficulty because you have never defined
your local net range. 

 PR> Tell me what CIDR
 PR> you'd write to cover a range of addresses except one that's
 PR> neither the beginning or end?

Then define what want with 192.168.1.0/255.255.255.0 notation.
How do i know if you need to do this if you have never given me
the value of $LOCAL_NET or $IP. 

 MA> As i said, if you invite comment on your iptables chain you need
 MA> to define things in the script correctly and not use outside references
 MA> unless you have to.

 PR> I wasn't inviting comment, but offering it for others to use.
 PR> Thought Wayne might be interested.

If you post in a public forum you are inviting comment. Wayne has
dial-up IP with dynamic DNS so your firewall is totally inappropriate
for him. Having said that i applaud you for sticking you neck out
and sharing your thoughts with us. I wish more people would have a 
go as you have. I'm sure Wayne is watching our exchange and learning
that firewalls can be a complex issue. 

    <CUT>

 MA> God only knows why you have these last lines.

 MA> iptables -A INPUT  -s $LOCAL_NET -j REJECT
 MA> iptables -A OUTPUT -d $LOCAL_NET -j REJECT

 PR> $man iptables

Hmmm! God only knows why you have those last lines.

 PR> DROP discards the packet without informing the sender.  REJECT
 PR> returns an error to the sender.  I play nice with my own
 PR> machines.  If they try something I don't allow, rather than
 PR> hanging until the operation times out, I have the firewall
 PR> return an error so they/I know immediately the operation failed.


 MA> By having your OUTPUT as ACCEPT then you can replace the whole lot
 MA> with:-
 MA> iptables -A INPUT -p tcp -s $LOCAL_NET -m multiport --port
 MA> 53,113,137,138,139  -j ACCEP
 MA> iptables -A INPUT -p udp -s $LOCAL_NET -m multiport --port
 MA> 53,113,137,138,139  -j ACCEP
 MA> Without the line wrap of course.

 PR> Certainly could, but I think that would be harder to understand.

Two lines are harder to understand than twelve? You make a
comment in the script naming the ports and what they do.

 MA> You just don't get it do you. What ever goes in or out of your network
 MA> including your local machine has to go through the INPUT chain.

 PR> No, I got it fine.  You must be reading it wrong.  See:
 PR> http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-6.ht
 PR> ml
 PR> Here is a text rendition:
 PR> +++++++++++
 PR>     6. How Packets Traverse The Filters

 PR> The kernel starts with three lists of rules in the `filter' table;
 PR> these lists are called *firewall chains* or just *chains*. The three
 PR> chains are called *INPUT*, *OUTPUT* and *FORWARD*.

 PR> For ASCII-art fans, the chains are arranged like so: *(Note: this is a
 PR> very different arrangement from the 2.0 and 2.2 kernels!)*

 PR>                           _____
 PR> Incoming                 /     \         Outgoing
 PR>        -->[Routing ]--->|FORWARD|------->
 PR>           [Decision]     \_____/        ^
 PR>                |                        |
 PR>                v                       ____
 PR>               ___                     /    \
 PR>              /   \                   |OUTPUT|
 PR>             |INPUT|                   \____/
 PR>              \___/                       ^
 PR>                |                         |
 PR>                 ----> Local Process -----


 PR> OUTPUT packets from some client of mine, e.g. browser, ftp,
 PR> etc., goes to the OUTPUT chain, not the INPUT chain.  See #4
 PR> above.

Read the diagram. You see the input table has to be traversed
before it reaches the output table. "Local Process" refers to
user defined tables and not the local network.

 MA> Where pray tell me? After having defined $CLASS_C it's never
 MA> mentioned again except where you have commented it out.

 PR> All 192.168.x.y INPUT packets traverse the INPUT chain.  They
 PR> aren't explicitly dropped like the Class-[A,B] addresses are.

$LOCAL_NET as far as i can see has only access to specific ports.
It is therefore not necessary to to drop it. If it were to try
to access other services it is dropped as per the input policy. 

 PR> If they are from $LOCAL_NET for ports I allow they find an
 PR> ACCEPT rule and are passed.  If they're NOT from $LOCAL_NET,
 PR> e.g. 192.168.0.y, 192.168.[2-255].y, etc., OR they're $LOCAL_NET
 PR> to a prohibited port, they NEVER find an ACCEPTing rule.  They
 PR> traverse the entire chain to the bottom where they get shunted
 PR> to log-it, where they're logged & dropped.

They do not traverse the entire in/outchain. If they don't meet the
the rules set out in the input table they are dropped. That
is the whole point of having the INPUT policy as DROP. At best
they can only use $EPHEM where they can do no harm if your 
statefull side of thing are working correctly.

I was right at the begining of this thread when i said you don't
have to drop CLASS_[A,B] etc because they are not given permission
in the first place.

 MA> It's a simple question i asked you. Does your local net and the inet
 MA> hook  up to _your_ machine through one etho?

 PR> Yes.  My perimeter firewall/router machine is 192.168.1.254 on
 PR> my LAN.  I'm not running a DMZ setup.

Ahh that gives be a much better picture of things. Something like this?
                            
                              Internet
                                  |
                                  V
                                router 
        Your machine ------- 192.168.1.254 -------- Local net



 PR> Mine does.  By saving the tables at shutdown, and restoring them
 PR> at boot, I'm using already processed tables.  No glitches.
 MA> Well if it works for your distro so be it.

 PR> It's in iptables-1.2.11.
 PR> $man iptables-save
 PR> $man iptables-restore

Yea i know. On my system i only need run the firewall script and then
do iptables-save > /etc/sysconfig/iptables and then it's bought up
on boot. 

 MA> So you like sending youself error messages? Did i say you shouldn't
 MA> log it? Why not just log and drop it?

 PR> Yes.  I don't like sitting there while a failing operation times
 PR> out.  If it isn't going to work, I'd like to know about it
 PR> immediately by returning an error code.

Fair enough but do it on in the input table and drop it as well.

 MA>> iptables -A INPUT -s $BAD_BOY -j REJECT --reject-with icmp-host-unr...
 PR>> NO!  Not what I want to do.  That would send an ICMP packet back
 MA> Why let it into the firewall in the first place?

 PR> You mean set-up the blacklisting on the perimeter firewall?
 PR> That's a lot harder.

No but deal with it in the input table.

 PR>> Ummm, paranoia?
 MA> Then don't let it in in the first place.

 PR> I don't.  Net-filter is a kernel facility.  They never make
 PR> it through.

 MA> Are you telling me that $IP is a variable? You must have the distro
 MA> from hell.

 PR> It is defined in /etc/sysconfig/network_devices/ifconfig.eth0,
 PR> and sourced in several scripts: here in firewall, &
 PR> /etc/rc.d/init.d/network.  RedHat does it similarly.

Yes but your ip is not a vairible is it? So why not just define it
from within the script.

 MA> I asked at the very beginning if it was your script or if someone else
 MA> had written it. If it's an adaptation then of course it will be messy.

 PR> As it says, someone else wrote a firewall script which I took
 PR> and modified to suit myself.

 MA> I ran iptables -L -v while pinging a remote and then had the remote
 MA> ping me. Next i instigated a NFS connection and for icing on the cake i
 MA> got hackerwacker.com to probe my ports. I flushed the firewall and
 MA> bought it up again and on each occasion iptables -L -v worked
 MA> flawlessly.

 PR> It does, when you have a connection to a DNS server.  It hangs
 PR> unless you specify -n and you need a DNS lookup.  My way, I can
 PR> update my workstation when the network is down and it doesn't
 PR> hang for DNS lookups.

It doesn't hang on my system. I've run every test possible and i can't
duplicate the problem you are reporting.


--- MultiMail/Linux v0.47
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)