
Re: [Sheflug] ipchains & kde



> On Thu, 13 Jul 2000, ross wrote:
> >hi all,
> >after reading the latest edition of linux format, i've been trying to set
> >up a firewall using ipchains using the suggested rules. just something simple
> >to get me started with firewalls. problem is that when the rules I'm using are
> >implemented, KFM will no longer read the / directory? if a directory
> >location is specified, there is no problem. moving 'up one level' also works
> >okay until / is reached. if / is accessed, the whole x session locks up.
>
> Errr no! The last rule is actually accepting any _non_ SYN packets.
> Errr no! The last rule is actually accepting any _non_ SYN packets.

Yep. -y MATCHES all syn packets, the ! negates the rule - like the old ACK
matching. It basically means that packets can come back in from a connection
to another machine - a one way street, in other words.

> A couple of suggestions.
>
> 1. You have to allow all packets on the interface lo or your computer
> won't be able to talk to itself.

Not quite true in this case - only ports <1023 are disabled; that's probably
fine for most people. Indeed, lo is something of a security risk for a
number of attacks. Some distros come with lo disabled by default, Stormix
springs to mind. However, disabling lo also disables X in most cases, so if
you're running KDE it's likely you need lo ;)) But anyway, most connections
are on higher port numbers than 1023: indeed, only root can open connections
on those ports anyway.

> 2. Don't have rules for all interfaces like this. Limit your rules to one
> (ppp0 is what you want).

I agree. To be honest, the ruleset given looks like a bit of a club hammer
to me, and probably not worth a great deal, although it's probably better
than no ruleset. It's much better to have a finer set of rules; besides,
it's an exercise in networking if nothing else; you'll understand things a
whole lot better.

> 3. The ipchains howto is actually very good. Read it.
>
> 4. Take a look at my generic firewall at www.noether.freeserve.co.uk

As they say in French, d'accord.

As for the problem itself.. could be one of two things. I've tried
replicating it here, and it works fine for me, but I have a funny K setup,
so it could be I'm doing something wildly different to you. If you could tell
us a little more about what you've got: distro-wise, version of K, etc.,
that would probably be of help. Also, are you sure the X session locks up??
Is it just kfm that goes belly up? Or does everything else close down? And
does it really lock up, or is it in a long pause?

Two ideas: firstly, could be a bug in kfm. Bloody thing is riddled with them
;) More likely if you have an older (1.1.1, or earlier) version of KDE.
Second, it could be some KDE cleverness that is catching you out here. I
presume by '/' you mean 'file:/'? If you just specify '/', it could be that
it's interpreting that as 'http://localhost/' ? If it really is KDE trying
out a few different things, it could be a very long time-out that's causing
a pause: instead of DENYing in your ruleset, try REJECTing instead. If that
sorts the problem, you can blame KDE's ongoing 'commitment to network
transparency' ;)

Cheers,

Alex.
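To make the -y / ! -y point and the DENY vs REJECT suggestion above concrete, here is an added example (mine, not from the original mail, the list, or ipchains itself): a small Python model of how an ipchains input chain is evaluated first-match-wins, run over a few constructed packets and a hypothetical three-rule chain written in the spirit of the suggestions in the thread. The names INPUT_CHAIN, run_chain and client_experience, the sample packets, and the rules themselves are assumptions of the example, not the ruleset ross was using.

```python
# Toy model of the ipchains matching semantics discussed in the thread.
# Constructed example: not ipchains code, not the rules from the magazine.
# It models -i, -p, --dport, -y / ! -y, first-match evaluation and the
# difference between DENY (silent drop) and REJECT (ICMP error back).
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrives on, e.g. "lo" or "ppp0"
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0        # destination port (0 for protocols without ports)
    syn: bool = False     # TCP flags
    ack: bool = False
    fin: bool = False

    def is_syn_only(self) -> bool:
        # What ipchains -y matches: SYN set, ACK and FIN clear, i.e. the
        # first packet of a new TCP connection. Everything else is "! -y".
        return self.proto == "tcp" and self.syn and not self.ack and not self.fin


@dataclass(frozen=True)
class Rule:
    target: str                               # ACCEPT, DENY or REJECT
    iface: Optional[str] = None               # -i <iface>
    proto: Optional[str] = None               # -p <proto>
    dports: Optional[Tuple[int, int]] = None  # --dport lo:hi
    syn: Optional[bool] = None                # True = -y, False = ! -y, None = not given


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dports is not None and not (rule.dports[0] <= pkt.dport <= rule.dports[1]):
        return False
    if rule.syn is not None and pkt.is_syn_only() != rule.syn:
        return False
    return True


def run_chain(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[str, bool]:
    """First matching rule decides, as in ipchains; the chain policy applies otherwise.
    Returns (verdict, icmp_reply_sent): REJECT answers with an ICMP error, DENY drops silently."""
    for rule in chain:
        if rule_matches(rule, pkt):
            return rule.target, rule.target == "REJECT"
    return policy, policy == "REJECT"


def client_experience(verdict: str, icmp_reply: bool) -> str:
    """What the connecting program sees; this is why DENY can look like a lock-up."""
    if verdict == "ACCEPT":
        return "connects"
    if icmp_reply:
        return "fails immediately (connection refused)"
    return "hangs until its connect timeout expires"


def with_reject(chain: List[Rule]) -> List[Rule]:
    """The suggested experiment: the same rules, but REJECT instead of DENY."""
    return [Rule("REJECT", r.iface, r.proto, r.dports, r.syn) if r.target == "DENY" else r
            for r in chain]


# Hypothetical input chain in the spirit of the thread's suggestions: allow lo,
# allow non-SYN (i.e. return) TCP traffic on ppp0, deny new connections to
# privileged ports on ppp0. Anything else falls through to the ACCEPT policy.
INPUT_CHAIN = [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", iface="ppp0", proto="tcp", syn=False),
    Rule("DENY", iface="ppp0", proto="tcp", dports=(0, 1023), syn=True),
]

# Constructed sample packets.
LOOPBACK_SYN = Packet("lo", "tcp", dport=6000, syn=True)                # local X client to local X server
RETURN_SYNACK = Packet("ppp0", "tcp", dport=40000, syn=True, ack=True)  # reply to a connection we opened
NEW_HTTP_SYN = Packet("ppp0", "tcp", dport=80, syn=True)                # someone connecting to our port 80
NEW_HIGH_SYN = Packet("ppp0", "tcp", dport=6000, syn=True)              # port > 1023: not covered by the chain

if __name__ == "__main__":
    samples = [("lo SYN", LOOPBACK_SYN), ("ppp0 SYN/ACK", RETURN_SYNACK),
               ("ppp0 SYN:80", NEW_HTTP_SYN), ("ppp0 SYN:6000", NEW_HIGH_SYN)]
    for label, chain in [("DENY", INPUT_CHAIN), ("REJECT", with_reject(INPUT_CHAIN))]:
        for name, pkt in samples:
            verdict, icmp = run_chain(chain, pkt)
            print(f"{label:6} {name:13} -> {verdict:6} client {client_experience(verdict, icmp)}")
```

Running it shows the two things the thread is getting at: the `! -y` rule lets the SYN/ACK for a connection you opened back in while a fresh SYN to port 80 is stopped, and swapping DENY for REJECT turns a silent drop (the client waits for its own timeout) into an immediate refusal. It also shows the caveat from the lo discussion: a new SYN to a port above 1023 on ppp0 matches nothing and is accepted by the policy.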


---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word 
 "unsubscribe" in the body of the message. 

  GNU the choice of a complete generation.