Re: [Sheflug] Firewall config - for Ross.
>>>>> "ross" == ross h <ross> writes:
ross> On Thursday 17 May 2001 13:24, you wrote:
>> Ross, the firewall config I sent you is default DENY - but it
>> will allow related connections back (you did patch your 2.4.3
>> kernel to fix the bug with that didn't you? If not upgrade to
>> 2.4.4 or patch 2.4.3!).
>>
ross> dropped the firewall and now xhost is running :-) i had
ross> already added some lines to the firewall to allow related
ross> packets through on ppp1 (my direct serial link) so i thought
ross> that should do it. However... you mention a patch for
ross> related packets...
This was mentioned here, Slashdot, various security sites, and the
netfilter site.
There is a security issue on kernel-2.4.3 when using
iptables/netfilter and FTP, and the RELATED connection type.
There is a patch on the netfilter website, but the best way is to grab
kernel-2.4.4 and build it.
ross> i would hope that the latest kernel
ross> from mandrake was patched! is there some way of checking?
Yep, when your box tries to hack into NASA without your permission,
you know that your firewall wasn't working :-)
Read the errata from Mandrake - it *will* mention if a security
problem like this has been resolved - note: Redhat still have not
released a patched kernel yet. The only vendor I've seen is Progeny.
Check http://www.linux-mandrake.com/en/security/
for updates.
The last updated kernel I can see is 2.2.19 on Mandrake 7.2. Nothing
on Mandrake 8.0, and no 2.4.x kernels.
ross> i don't relish the idea of recompiling the kernel.... i've
ross> had bad experiences of this:-(
Recompiling the kernel is easy enough once you figure it - just
remember to keep the old kernel installed, until you know the new one
boots and runs OK!
ross> can i accept all packets from
ross> ppp1? if so how?
Erm - nasty!
OK:
iptables -I INPUT -i ppp1 -j ACCEPT
iptables -I FORWARD -i ppp1 -j ACCEPT
should accept *everything* from ppp1
iptables -I OUTPUT -o ppp1 -j ACCEPT
iptables -I FORWARD -o ppp1 -j ACCEPT
will allow *everything* out on ppp1.
All your other rules will still work (on other interfaces).
iptables -L -n will list all your rules - and the first few rules will
be the ones above.
If you want a hand, or a lesson in iptables, or ipchains, drop me a
line, tell me what you want to do, and I'll help out.
ross> the lines i added to the firewall are
ross> iptables -A INPUT -i ppp1 -m state --state ESTABLISHED,RELATED -j ACCEPT
ross> iptables -A FORWARD -i ppp1 -m state --state RELATED,ESTABLISHED -j ACCEPT
These will only allow packets related to a connection you are trying
to start (RELATED) or have started, and are using (ESTABLISHED)
The notes on the firewall script I sent you should be quite good - but
I'm quite happy to help you sort out custom rules for your setup - and
more importantly teach you why and how it does what it does, so you
can modify it yourself.
Cheers.
Baz.
--
Barrie J. Bremner OpenPGP public key ID: 5164F553
baz [at] barriebremner.com http://barriebremner.com/
baz /baz/ n.
1. [common] The third metasyntactic variable.
2. interj. A term of mild annoyance.
3. Occasionally appended to foo to produce `foobaz'
-- Jargon File v4.3.0, www.tuxedo.org/jargon
4. Me.
---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word
"unsubscribe" in the body of the message.
GNU the choice of a complete generation.
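The two ways of handling ppp1 discussed in the mail (stateful ESTABLISHED,RELATED exceptions versus accepting everything on the interface) side by side, as a small rule-set builder with a dry-run preview. This is an added example, not Baz's firewall script or anything from the original mail; it assumes ppp1 is the trusted serial link as in the mail and ppp0 is the Internet-facing interface, both only for illustration. By default it prints the iptables commands instead of running them; set IPTABLES=iptables and run as root on a 2.4.x box with the netfilter modules loaded to apply them.

```shell
#!/bin/sh
# Added example (not from the original mail): build a default-DENY iptables
# rule set with per-interface exceptions, and preview it before applying.
#
# IPTABLES defaults to "echo iptables" so running this prints the commands;
# set IPTABLES=iptables (as root) to apply them for real.
# Interface names ppp0 (Internet side) and ppp1 (trusted serial link) are
# assumptions for illustration only.

IPTABLES="${IPTABLES:-echo iptables}"

# Default DENY on every built-in chain, flush old rules, always allow loopback.
default_deny() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -F
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
}

# Stateful exceptions for one interface: replies to connections we opened
# (ESTABLISHED) and connections a conntrack helper expects, e.g. FTP data
# (RELATED), may come in; anything may go out.  Unsolicited NEW inbound
# traffic still hits the DROP policy.  RELATED is only as safe as the
# conntrack helpers, which is the point of the 2.4.3 bug the mail mentions.
stateful_iface() {
    iface="$1"
    $IPTABLES -A INPUT   -i "$iface" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$iface" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT  -o "$iface" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -o "$iface" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# The "nasty" option: trust one interface completely.  -I inserts at the top
# of the chain, so these match before every other rule, which is why
# `iptables -L -n` lists them first and why a typo in the interface name
# bypasses the whole policy.
trust_iface() {
    iface="$1"
    $IPTABLES -I INPUT   -i "$iface" -j ACCEPT
    $IPTABLES -I FORWARD -i "$iface" -j ACCEPT
    $IPTABLES -I OUTPUT  -o "$iface" -j ACCEPT
    $IPTABLES -I FORWARD -o "$iface" -j ACCEPT
}

# Emit the rule set as text (always dry-run, in a subshell) so it can be
# reviewed or diffed before it is applied.
#   $1 = interface to trust fully, or "" for none
#   $2 = interface that gets only the stateful exceptions
build_ruleset() {
    (
        IPTABLES="echo iptables"
        default_deny
        stateful_iface "$2"
        if [ -n "$1" ]; then
            trust_iface "$1"
        fi
    )
}

# Sanity check: how many rules accept unsolicited inbound traffic (INPUT
# rules with no state match)?  0 means the default DENY still holds for
# everything that is not a reply or helper-expected connection.
count_open_inbound() {
    build_ruleset "$1" "$2" | grep -c -- '-I INPUT .* -j ACCEPT$' || true
}

# Apply the rule set with whatever $IPTABLES is set to (echo by default).
apply_ruleset() {
    default_deny
    stateful_iface "$2"
    if [ -n "$1" ]; then
        trust_iface "$1"
    fi
}

# Default run: preview the "trust ppp1, stateful on ppp0" policy from the mail.
build_ruleset "${TRUSTED_IFACE:-ppp1}" "${EXTERNAL_IFACE:-ppp0}"
```

Run it once as-is to read the rules, then compare `count_open_inbound "" ppp0` (0 open inbound rules) with `count_open_inbound ppp1 ppp0` (1, the blanket INPUT accept on ppp1) to see exactly what the "accept everything" shortcut costs before you apply it with IPTABLES=iptables.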