
Re: [Sheflug] Firewall config - for Ross.



>>>>> "ross" == ross h <ross> writes:

    ross> On Thursday 17 May 2001 13:24, you wrote:
    >> Ross, the firewall config I sent you is default DENY - but it
    >> will allow related connections back (you did patch your 2.4.3
    >> kernel to fix the bug with that didn't you? If not upgrade to
    >> 2.4.4 or patch 2.4.3!).
    >> 

    ross> dropped the firewall and now xhost is running :-) i had
    ross> already added some lines to the firewall to allow related
    ross> packets through on ppp1 (my direct serial link) so i thought
    ross> that should do it.  however..... you mention a patch for
    ross> related packets....

This was mentioned here, Slashdot, various security sites, and the
netfilter site.

There is a security issue on kernel-2.4.3 when using
iptables/netfilter and FTP, and the RELATED connection type.

There is a patch on the netfilter website, but the best way is to grab
kernel-2.4.4 and build it.


    ross>  i would hope that the latest kernel
    ross> from mandrake was patched!  is there some way of checking?

Yeap, when your box tries to hack into NASA without your permission,
you know that your firewall wasn't working :-)

Read the errata from Mandrake - it *will* mention if a security
problem like this has been resolved - note: Redhat still have not
released a patched kernel yet. The only vendor I've seen is Progeny.

Check http://www.linux-mandrake.com/en/security/

for updates.

The last updated kernel I can see is 2.2.19 on Mandrake 7.2. Nothing
on Mandrake 8.0, and no 2.4.x kernels.

    ross> i don't relish the idea of recompiling the kernel.... i've
    ross> had bad experiences of this:-(

Recompiling the kernel is easy enough once you figure it out - just
remember to keep the old kernel installed, until you know the new one
boots and runs OK!

    ross> can i accept all packets from
    ross> ppp1? if so how? 

Erm - nasty!

OK:

iptables -I INPUT -i ppp1 -j ACCEPT
iptables -I FORWARD -i ppp1 -j ACCEPT

should accept *everything* from ppp1

iptables -I OUTPUT -o ppp1 -j ACCEPT
iptables -I FORWARD -o ppp1 -j ACCEPT

will allow *everything* out on ppp1.

All your other rules will still work (on other interfaces).

iptables -L -n will list all your rules - and the first few rules will
be the ones above.

If you want a hand, or a lesson in iptables, or ipchains, drop me a
line, tell me what you want to do, and I'll help out.

    ross>  the lines i added to the firewall are
    ross> iptables -A INPUT -i ppp1 -m state --state
    ross> ESTABLISHED,RELATED -j ACCEPT 

    ross> iptables -A FORWARD -i ppp1 -m
    ross> state --state RELATED,ESTABLISHED -j ACCEPT

These will only allow packets related to a connection you are trying
to start (RELATED) or have started, and are using (ESTABLISHED)

The notes on the firewall script I sent you should be quite good - but
I'm quite happy to help you sort out custom rules for your setup - and
more importantly teach you why and how it does what it does, so you
can modify it yourself.

Cheers.

Baz.


-- 
Barrie J. Bremner 		OpenPGP public key ID: 5164F553
baz [at] barriebremner.com	http://barriebremner.com/

baz /baz/ n.
 1. [common] The third metasyntactic variable.
 2. interj. A term of mild annoyance.
 3. Occasionally appended to foo to produce `foobaz'

	-- Jargon File v4.3.0, www.tuxedo.org/jargon

 4. Me.
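An added example, not part of the mail above: a small shell script that applies the "trust ppp1" rules with -I so they land at the head of each chain (ahead of the default-DENY rules), and then checks that ordering from `iptables -S` output. It assumes a modern iptables with `-S` (which prints rules in chain order, like iptables-save); the sample rule listings are constructed, and IPT defaults to a dry run that only echoes the commands.

```shell
#!/bin/sh
# Added example, not from the original mail. IPT defaults to a dry run.
IPT="${IPT:-echo iptables}"

trust_ppp1() {
    # -I (not -A) inserts at position 1, so these match before any DROP below.
    $IPT -I INPUT   -i ppp1 -j ACCEPT
    $IPT -I FORWARD -i ppp1 -j ACCEPT
    $IPT -I OUTPUT  -o ppp1 -j ACCEPT
    $IPT -I FORWARD -o ppp1 -j ACCEPT
}

# first_rule CHAIN: print the first rule of CHAIN from `iptables -S` text on stdin.
first_rule() {
    awk -v pat="^-A $1 " '$0 ~ pat { print; exit }'
}

# ppp1_is_first CHAIN FLAG: succeed (0) only when CHAIN's first rule is the
# unconditional ACCEPT for ppp1, i.e. "-A CHAIN -i ppp1 -j ACCEPT" (or -o).
ppp1_is_first() {
    first_rule "$1" | grep -q "^-A $1 $2 ppp1 -j ACCEPT\$"
}

# Constructed sample: `iptables -S` after trust_ppp1 on a default-DENY
# script that already carried the RELATED,ESTABLISHED rules.
SAMPLE_GOOD='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i ppp1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o ppp1 -j ACCEPT
-A FORWARD -i ppp1 -j ACCEPT
-A OUTPUT -o ppp1 -j ACCEPT'

# Constructed sample: the same ppp1 rule added with -A instead, so it lands
# after a DROP that may match first and the check fails.
SAMPLE_BAD='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -i ppp1 -j ACCEPT'

trust_ppp1
printf '%s\n' "$SAMPLE_GOOD" | ppp1_is_first INPUT -i && echo "INPUT: ppp1 rule is first"
printf '%s\n' "$SAMPLE_BAD"  | ppp1_is_first INPUT -i || echo "INPUT: ppp1 rule is NOT first (added with -A?)"
```

Run it as root with `IPT=iptables` to apply the rules for real; without that it only prints what it would do.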

---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk