This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.
From: "Juha Saarinen" <juha_saarinen@email.msn.com>
Date: Thu, 25 Feb 1999 09:32:12 +1300
Subject: RE: Firewall/Linux

> -----Original Message-----
> From: John Coldrick [mailto:jc@axyzfx.com]
> Sent: Thursday, 25 February 1999 05:59
> To: redhat-list@redhat.com
> Subject: Firewall/Linux
>
> Now that I'm a convert, I'm looking into setting up a firewall on a Linux box. There appears to be a number of products out there for Win that give you nice GUIs, and manage a lot of stuff for you. I've looked at the Linux HOWTO on firewalls, and it was written in 1996! It appears to be woefully out of date; even the free non-builtin solution it refers to appears to have gone commercial and doesn't, on the initial perusal of their site, actually support Linux anymore. Is there a built-in/freely available/reasonably inexpensive solution for firewalling that's easy to use (read: not requiring devoting a significant portion of your life to it like becoming a GrandMaster of sendmail), or should I just forget about this whole idea and buy a Win box and a McAfee tool?

I've asked seasoned networking gurus the same question, and they all say "don't use Linux." Setting up Linux packet filtering is a hairy task -- ipfwadm rules are incredibly convoluted -- and the stuff hasn't been proven to be secure, so their advice is to get a router with firewalling capabilities instead. Look at www.ascend.com for instance for more info.

I'd like to see a secure and affordable home-SOHO router for dialups etc. connections so that I don't have to waste time fiddling with ipfwadm and sentry just to keep the geeks out of my box.

===

From: "Juha Saarinen" <juha_saarinen@email.msn.com>
Date: Thu, 25 Feb 1999 23:14:44 +1300
Subject: RE: Firewall/Linux

> Bah! They're trying to sell you something. ;-)

Not an unlikely scenario, that.

> Take a look at http://www.wolfenet.com/~jhardin/ipfwadm.html for a GUI
> around the ipfwadm command.

I have, and it's a very good front end to ipfwadm. It goes way beyond the ipfwadm man pages and HOWTOs in terms of showing users what ipfwadm is capable of, but... it's not working here. The rc.firewall configs that I've set up with a default policy of deny simply cut off my workstations from the 'Net and each other. I'd love to get ipfwadm working properly, as I can't afford one of those fancy Ascend or Cisco routers myself.

> And ask your gurus about Ascend (et al.) backdoor maintenance
> passwords...

You mean like some of the default ones on Cisco routers that people often forget to change? ;-)

===

From: Charles Galpin <cgalpin@lighthouse-software.com>
Date: Sat, 06 Mar 1999 15:40:18 -0500 (EST)
Subject: Re: Firewall vs shutting down inetd.conf

Ok, I have a fundamental misunderstanding about firewalls. I am going to switch from a one-box-does-all solution for my home LAN to a little 486 as a firewall, and put my current Linux box behind it - still doing most of the work, just not the ipfwadm stuff and dialout responsibilities.

So this means I will still be forwarding some ports like http (80) and smtp (25) through to the server. Other than reducing the number of ports going back to my server, isn't there still plenty of room to be cracked? I realize that I can run NFS a little more safely since it's behind the firewall etc., but it still seems like it's not much better than my current solution. Of course I also see this as being a headache to now have to telnet into the firewall, then telnet through to the server if I want to get in from the outside.

What am I missing? Am I supposed to keep the web server outside the firewall? Speaking of which, what is *outside* the firewall if your firewall has a PPP connection/IP and an eth0/IP - is the firewall box itself considered outside, and everything on the other side of the eth0 inside?
===

From: "rcarson@home" <rcarson@home.com>
Date: Wed, 10 Mar 1999 18:00:27 -0800
Subject: RE: firewall build - a beginning

Keep in mind this is for rh5.2 2.0.36 and that I'm not the end-all of sources on this subject. I, like a lot of you, am also learning how to do this as well.

Keep in mind that I have logging turned on from within my firewall. This means all failures get logged to the messages file, which is usually located in the /var/log directory. This file is a great resource to see if you think something is wrong. I sometimes perform a tail -f /var/log/messages in one of my sessions so that it's constantly being refreshed while I perform manual ipfwadm testing to see the results.

Q1: Yes, you need to rebuild the kernel, which you should want to do to remove unwanted items like sound cards, scsi, etc. - based on your system. In your kernel you need to build a new one with all of the network card drivers you need built in - not as modules. This is so lilo can load them up via the first line in your lilo.conf, which looks like...

append="ether=11,0x300,eth0 ether=9,0x340,eth1"

for my setup with 2 Ethernet cards, both ne2000 compliant.

Then under networking I have the following checked off...

[*] Network firewalls
[*] Network aliasing
[*] TCP/IP networking
[*] IP: forwarding/gatewaying
[*] IP: multicasting
[*] IP: syn cookies
[*] IP: firewalling
[*] IP: firewall packet logging
[*] IP: masquerading
[ ] IP: ipautofw masquerading (EXPERIMENTAL)
[*] IP: ICMP masquerading
[ ] IP: transparent proxy support (EXPERIMENTAL)
[*] IP: always defragment
[*] IP: accounting
[*] IP: optimize as router not host
< > IP: tunneling
[*] IP: multicast routing (EXPERIMENTAL)
<*> IP: aliasing support
--- (it is safe to leave these untouched)
[ ] IP: PC/TCP compatibility mode
< > IP: Reverse ARP
[ ] IP: Disable Path MTU Discovery (normally enabled)
[*] IP: Drop source routed frames
[*] IP: Allow large windows (not recommended if <16Mb of memory)
---
< > The IPX protocol
< > Appletalk DDP

Q2: Good call, because I don't run ftp yet. I tried it but it failed and I assumed because I didn't have the service turned on. Port 21 is correct. I would limit this to outside IPs that I trust, like my work IP or my brother-in-law, etc.

> >ipfwadm -I -a accept -Weth0 -S any/0 20 -D $EXTIP 1024:65535 -P tcp
>
> Q2: I thought ftp is at port 21. Do you care (or I am missing
> something about ftp)?

Q3: I was set up (and was ok with) accessing my web from inside my network via the 192-based IP address. By adding the following, it allows access from inside my network based on my published IP, which is better/easier for most users.

ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D $EXTIP 80

I don't understand your other optional way so I did not play with it.

Q4: You will need to read up on the man pages on ipfwadm to understand how the masking works. 224.207.123.0/24 would allow everything, which may or may not be ok for you. Let us know what you find out.

> Q4: How do I setup this rule if I have a range of IP addresses?
> For example: 224.207.123.1 224.207.123.2 .... 224.207.123.9
>
> Would the following work?
> ipfwadm -I -a accept -Weth0 -S 224.207.123. -D $EXTIP
>                                           ^

Q5: Like I said before, I don't yet fully understand it all either. I'm reading, learning, borrowing from others and sharing. I do note that my testing (good or bad) made me more at ease while I learn this stuff.

> >ipfwadm -O -a accept -Weth0 -S any/0
> >#
> ># Deny and log anything else:
> >#
> >ipfwadm -O -a deny -Weth0 -S any/0 -o
>
> Q5: Don't really understand your logic here. First accept all
> then deny all.

If you got this far, then here are some links that I find helpful.

http://rlz.ne.mediaone.net/linux/faq/index.html
http://129.173.21.99/Firewall-HOWTO.html
a great overall Linux setup document: http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri

Philip Ching (605.734.71) [mailto:pching@aplcenMP.apl.jhu.edu] wrote:
> Thank you very much for posting the ipfwadm script.
> I have been pondering about security for the last few months.
> Your email certainly helps me a lot.
>
> I am also reading Mark Grennan's Firewalling & Proxy Server
> HOWTO (only the ipfwadm portion though). Looking at your
> ipfwadm script I have 5 questions, and hope you will
> explain them. Really appreciate.
>
> >My system is RH 5.2 running 2.0.36; other configuration files are at the
> >bottom of this document.
> >The IPs in here have been changed as I feel an easy way for hackers to get
> >IPs of newer systems is to groom dejanews etc. for emails asking questions.
>
> Q1: In order to run your ipfwadm script, do I need to recompile
> the kernel?
> I have RedHat5.2 and RedHat5.0. Will the kernel work right
> out of the box?
>
>
> >#!/bin/sh
> >#
> ># My ipfwadm rules on a Cable Modem
> ># Providing support for PC's inside the firewall on a 192.168.1.X network
> >#
> >#
> ># Original base by Frank Keeney frank@pasadena.net
> ># modified it for my flavor: rjc
> >#
> ># Use at your own risk!
> >#
> ># Your external ip address:
> >#
> >EXTIP="24.2.122.99/32"
> >#
> ># Misc. startup:
> >#
> ># These items did not need to be activated on my system: rjc
> >#
> >#echo "1" > /proc/sys/net/ipv4/ip_forward
> >#sbin/depmod -a
> >#/sbin/modprobe ip_masq_ftp.o
> >#/sbin/modprobe ip_masq_raudio.o
> >#
> ># Flush rules:
> >#
> >ipfwadm -I -f
> >ipfwadm -O -f
> >ipfwadm -F -f
> >#
> ># Set default to deny:
> >#
> >ipfwadm -F -p deny
> >ipfwadm -I -p deny
> >ipfwadm -O -p deny
> >#
> ># Allow masquerading from my internal network:
> >#
> >/sbin/ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0
> ># -----------------------
> ># EXTERNAL INBOUND RULES:
> ># -----------------------
> >#
> ># Deny packets with localhost, broadcast and multicast addresses:
> >#
> >ipfwadm -I -a deny -Weth0 -S 224.0.0.0/3 -D $EXTIP -o
> >ipfwadm -I -a deny -Weth0 -S 127.0.0.0/8 -D $EXTIP -o
> >ipfwadm -I -a deny -Weth0 -S 255.0.0.0/8 -D $EXTIP -o
> >#
> ># Deny rfc 1918 addresses:
> >#
> >ipfwadm -I -a deny -Weth0 -S 10.0.0.0/8 -D $EXTIP -o
> >ipfwadm -I -a deny -Weth0 -S 172.16.0.0/12 -D $EXTIP -o
> >ipfwadm -I -a deny -Weth0 -S 192.168.0.0/16 -D $EXTIP -o
> >#
> ># Deny packets without ip address.
> >#
> >ipfwadm -I -a deny -Weth0 -S 0.0.0.0/32 -D $EXTIP -o
> >#
> ># Prevent spoofing. Deny incoming packets that have
> ># our external address:
> >#
> >ipfwadm -I -a deny -Weth0 -S $EXTIP -o
> >#
> ># Allow only specific ICMP:
> >#
> ># http://www.isi.edu/in-notes/iana/assignments/icmp-parameters
> ># http://www.worldgate.com/~marcs/mtu/
> >#
> >ipfwadm -I -a accept -Weth0 -S any/0 3 4 11 -P icmp
> >#
> ># Allow only ACKed tcp packets to our network:
> >#
> >ipfwadm -I -a accept -Weth0 -S any/0 -D $EXTIP 1024:65535 -P tcp -k
> >#
> ># For ftp clients:
> >#
> >ipfwadm -I -a accept -Weth0 -S any/0 20 -D $EXTIP 1024:65535 -P tcp
>
> Q2: I thought ftp is at port 21. Do you care (or I am missing
> something about ftp)?
>
>
> >#
> ># Allow http tcp packets to our network:
> >#
> >ipfwadm -I -a accept -Weth0 -S any/0 -D $EXTIP 80 -P tcp
>
> Q3: Do you care about outbound http/web activity?
>
> Mark Grennan's HOWTO suggests the following:
> # Forward Web connection to my box
> ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D $EXTIP 80
>
> # Forward Web connection to outside world
> ipfwadm -F -a accept -b -P tcp -S $EXTIP 80 -D 0.0.0.0/0 1024:65535
>
> Would you recommend his approach also?
>
>
> >#
> ># Allow telnet and ssh from this network:
> >#
> >ipfwadm -I -a accept -Weth0 -S 24.2.122.0/24 -D $EXTIP 22 23 -P tcp
>
> Q3: I see port 23 is for telnet. But how do you get port 22 for ssh?
> I am playing with ssh here. Just don't see any port for the ssh.
>
>
> >#
> ># Allow inbound DNS queries on our server:
> >#
> >ipfwadm -I -a accept -Weth0 -S any/0 -D $EXTIP 53 -P udp
> >#
> ># Allow outbound DNS queries:
> >#
> >ipfwadm -I -a accept -Weth0 -S any/0 53 -D $EXTIP 1024:65535 -P udp
> >#
> >#------------------------- added for my flavor ---------------------
> >#
> ># Allow anything from internal
> >#
> >ipfwadm -I -a accept -S 192.168.1.0/0 -D 192.168.1.1/32
> >#
> ># Allow activity from my workstation at work IP
> >#
> >ipfwadm -I -a accept -Weth0 -S 224.207.123.5 -D $EXTIP
>
> Q4: How do I setup this rule if I have a range of IP addresses?
> For example: 224.207.123.1 224.207.123.2 .... 224.207.123.9
>
> Would the following work?
> ipfwadm -I -a accept -Weth0 -S 224.207.123. -D $EXTIP
>                                           ^
> with a period ok?
>
> >#
> >#
> >#------------------------ end of my flavor ------------------------
> >#
> ># Important!! Deny and log anything else:
> >#
> >ipfwadm -I -a deny -Weth0 -S any/0 -D any/0 -o
> >#
> ># -----------------------
> ># EXTERNAL OUTBOUND RULES:
> ># -----------------------
> >#
> ># Prevent leakage of rfc 1918 addresses:
> >#
> >ipfwadm -O -a deny -Weth0 -S 10.0.0.0/8 -o
> >ipfwadm -O -a deny -Weth0 -S 172.16.0.0/12 -o
> >ipfwadm -O -a deny -Weth0 -S 192.168.0.0/16 -o
> >ipfwadm -O -a deny -Weth0 -D 10.0.0.0/255.0.0.0 -o
> >ipfwadm -O -a deny -Weth0 -D 172.16.0.0/255.240.0.0 -o
> >ipfwadm -O -a deny -Weth0 -D 192.168.0.0/255.255.0.0 -o
> >#
> ># Allow everything else:
> >#
> >ipfwadm -O -a accept -Weth0 -S any/0
> >#
> ># Deny and log anything else:
> >#
> >ipfwadm -O -a deny -Weth0 -S any/0 -o
>
> Q5: Don't really understand your logic here. First accept all
> then deny all.
>
>
> ># -----
> ># Misc:
> ># -----
> >#
> ># Allow localhost:
> >#
> >ipfwadm -I -a accept -Wlo -S any/0 -D any/0
> >ipfwadm -O -a accept -Wlo -S any/0 -D any/0
> >#
> ># Allow everything on the internal network:
> >#
> >ipfwadm -I -a accept -Weth1 -S any/0 -D any/0
> >ipfwadm -O -a accept -Weth1 -S any/0 -D any/0
> >#
> ># End of script.
> >
> >
> >#Reference:
> >#Information from CERT:
> >
> >#http://www.cert.org/ftp/tech_tips/packet_filtering
> >
> >#12.30.1998 12:10
> >
> >/etc/inetd.conf
> >
> >all on except the following:
> >gopher nntp shell login exec talk ntalk dtalk
> >pop-2 pop-3 imap uucp tftp bootps finger cfinger systat netstat

===

From: "Anthony E. Greene" <agreene@pobox.com>
Date: Mon, 15 Mar 1999 22:58:39 +0100 (CET)
Subject: Re: more on POP & sendmail

Thus spake Tom Burke (tomii@erols.com):
> OK,
>
> I went into sendmail & added the IP address of my workstation to
> ip_allow...
>
> I sent a test message through my ISP's mail server, & got the
> following
> (I get the same thing as a message when users try to use POP through
> this box):

Let's clear some things up.

When a Win9x user *retrieves* mail from a mail server, they are generally using POP3.
That function is handled by imapd, qpopper, cucipop or some other POP3 daemon, depending on what you installed. Most likely, as a Red Hat user, you installed imapd with its included ipop3d.

When a Win9x user *sends* mail to a mail server, they are using SMTP. Sendmail is an SMTP server. When an SMTP server has to take the mail received from a Win9x user and send it somewhere else to be delivered, that is called relaying. Recent Red Hat distributions include settings that prevent relaying by default. In order to allow specific machines to use your Linux box as an SMTP relay, you have to add their IP addresses to your ip_allow file. Then you should be able to set your Win9x mail client to use the Linux box as its SMTP server and send mail to anyone. At this point, your relay_allow and name_allow files should be empty or contain only comments.

First try to send to an account on the Linux box (root@linuxbox) to verify that sendmail will accept mail for local users. Then send a message from your Win9x box to your ISP account (tomii@erols.com), still using the Linux box as an SMTP relay. You will have to dial up your ISP from your Linux box and flush sendmail's queue (run 'sendmail -q') for the message to be delivered. You should be able to retrieve that message from your ISP's POP3 server using the mail client on your Win9x box.

The only other sendmail setting you may want to change is to set it to send all non-local mail to your ISP's mail server for delivery. The ISP's mail server will become your "smarthost". This will allow you to minimize your connect time and have a mail server with a full-time connection do the queueing and retrying that is sometimes necessary to deliver Internet mail. To set a smarthost, look for the DS option in sendmail.cf.

===

Subject: Re: OK, I think I'm ready.
From: Steve Borho <steve@borho.org>
Date: Fri, 5 May 2000 07:06:34 -0500

On Fri, May 05, 2000 at 08:13:43AM -0400, Burke, Thomas G. wrote:
> It's actually quite common not to install one, especially on a
> gateway/firewall machine... If there are more boxes inside, on the internal
> network, then it is no problem to make a new kernel or build of whatever, &
> move it to the gateway. See, if the firewall machine has no compiler, then
> if someone _does_ break into the machine, then that person can compile no
> malicious code.

In that case you force them to ftp precompiled binaries onto your machine... it doesn't slow a cracker down much. One of the few ways to keep them from running malicious code is to mount all rw partitions as noexec and nosuid. But even this doesn't really help if the cracker roots you through a network daemon.

===
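An added example, not code from any of the posts above, returning to the ipfwadm script in the rcarson thread and Philip Ching's Q5 (accept all, then deny all): a small Python linter that parses the subset of ipfwadm syntax that script uses and reports any rule that an earlier, broader rule in the same chain shadows, since ipfwadm acts on the first matching rule. It assumes $EXTIP is the script's 24.2.122.99/32 and compares port lists only for equality, so it can miss a shadow but does not report a false one; the RULES list is a constructed excerpt of the posted script.

```python
import ipaddress, shlex

# Added example, not from the posted script. ipfwadm acts on the first matching rule in
# a chain, so a rule fully covered by an earlier, broader rule in that chain never fires.
ANY = ipaddress.ip_network("0.0.0.0/0")
def net(tok):  # 'any/0', 'a.b.c.d' or 'a.b.c.d/n' -> ip_network (bare host = /32)
    return ANY if tok.startswith("any") else ipaddress.ip_network(tok, strict=False)

def parse(line):
    """Parse one ipfwadm line; -o/-f/-p and unknown tokens are ignored."""
    t, i = shlex.split(line)[1:], 0
    r = {"line": line, "chain": None, "action": None, "iface": None, "proto": "all",
         "src": ANY, "dst": ANY, "sports": set(), "dports": set(), "-k": False, "-b": False}
    while i < len(t):
        a, i = t[i], i + 1
        if a in ("-I", "-O", "-F"):                  # input / output / forwarding chain
            r["chain"] = a
        elif a in ("-a", "-P"):                      # action (accept/deny/m) / protocol
            r["action" if a == "-a" else "proto"], i = t[i], i + 1
        elif a.startswith("-W"):                     # -Weth0 or -W eth0
            r["iface"], i = (a[2:], i) if len(a) > 2 else (t[i], i + 1)
        elif a in ("-S", "-D"):                      # address, then optional ports/ICMP types
            r["src" if a == "-S" else "dst"], i = net(t[i]), i + 1
            while i < len(t) and not t[i].startswith("-"):
                r["sports" if a == "-S" else "dports"].add(t[i]); i += 1
        elif a in ("-k", "-b"):                      # ACK-only / bidirectional flags
            r[a] = True
    return r

def covers(a, b):
    """True if every packet rule b matches is also matched by the earlier rule a."""
    return (a["chain"] == b["chain"] and a["iface"] in (None, b["iface"])
            and a["proto"] in ("all", b["proto"])
            and (not a["-k"] or b["-k"]) and (not b["-b"] or a["-b"])
            and b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"])
            and (not a["sports"] or a["sports"] == b["sports"])     # port lists: equality
            and (not a["dports"] or a["dports"] == b["dports"]))    # only (conservative)

def shadowed(lines, extip="24.2.122.99/32"):
    """Return (earlier, later) line pairs where the later rule can never match."""
    rules = [r for r in map(parse, (l.replace("$EXTIP", extip) for l in lines)) if r["action"]]
    return [(a["line"], b["line"]) for j, b in enumerate(rules) for a in rules[:j] if covers(a, b)]
# Constructed excerpt of the posted rule set: inbound -I chain, then outbound -O chain.
RULES = [
    "ipfwadm -I -a accept -Weth0 -S any/0 -D $EXTIP 1024:65535 -P tcp -k",
    "ipfwadm -I -a accept -Weth0 -S any/0 20 -D $EXTIP 1024:65535 -P tcp",
    "ipfwadm -I -a deny -Weth0 -S any/0 -D any/0 -o",
    "ipfwadm -O -a accept -Weth0 -S any/0",
    "ipfwadm -O -a deny -Weth0 -S any/0 -o",
]
```

Run over RULES, shadowed() reports only the outbound deny as covered by the accept-all before it, which is why that logging rule never fires; the ACK-only (-k) rule does not shadow the broader non-ACK ftp rule after it.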