RFC: firewall-hint_v1.3

Paul Campbell paul at cmm.uklinux.net
Mon Aug 13 12:36:52 PDT 2001


On Monday 13 August 2001 09:15, you wrote:
> Hi Paul, hi everybody else,
>
> Paul, tell me, if you want via private mail, what went wrong?

I must confess that it was not an LFS system (it was a mandrake) I attempted 
it on, and I can't provide the exact debuging of what went wrong.  I don't 
know what I'm doing with IPtables.  I can read scripts such as your PS and 
more or less understand it.  

However, on one hand it would be great if you could slap the script in and it 
work first up, but they never do.  I have tried many, many such offered 
scripts and never had one that worked. 

Once the first attempt has failed, I usually, as you suggest, attempt to 
adapt it to my Subnet, interfaces etc. etc.  This is were it becomes clear 
that modifying such a script, even slightly is very difficult for a beginner.

It is, at least for rme, difficult to know what actually worked and what 
didn't work or how to debug and analyse what did come out of the script.

> One thing I have to confess: the hint is NOT aimed to secure one server
> for himself! It's meant to secure either your 'surfing terminal',
> or your 'masquerading gateway/router', with additional services.

It was for a MASQ/ router / gateway I was interested in.  Preferable the 
services offered on the inside are free for all with no restrictions, I trust 
my network users.   From the outside it should not appear to exist. (I can 
enable the web server later)  I want to play with DNS and mail servers on my 
network, with the safety of the firewall that I won't upset anybody "out 
there".  Also that anybody "out there" can't upset me.  Also for the MASQ / 
NATed workstations the router should not seem to exist, their net connection 
should appear just as if they had used there own modem to connect, but with 
the added security from nasty sorts on the outside.

> If you'd like me to outline a setup for your server itself, tell me,
> I thing Jeff, if he liked to collaborate, and I could give you some for
> your server, for a preview have a look at PS.

Your PS seems very complete, more than I have seen to date, as I understand 
them, (which is not that much).  Tell me but, if I put that in my boot 
scripts now, on my server, will it work first run?  Surely it will require 
modifications and alterations to suit my network and interfaces.  Where do 
you begin?

> The reason why I did not want to provide such a setup is, that on a
> server you are the man who restricts the services that are running.
> And if there are no daemons running besides openSSH and Apache, secured
> on themselves, the chances for a cracker to succeed seem quite unlucky.
>
> If there are more services being offered, distributors install and
> activate them quite generously, personally I say recklessly, you could
> prevent anyone to access them with a firewall.

I agree that most distros are a bit reckless with allowing total novices to 
install and activate things like full internet DNS and sendmail services and 
the like, usually without much warning either.

> But, do you expect me to know which services you'd like to offer and
> which to restrict?
>
> OK, I'll append a script that allows anyone to access your server via
> http on port 80, and a limited source, (ADAPT IT!) to ping it and to
> access port 22, for openSSH.

I think for the hint or Blfs book that a fully closed server with no ports 
showing would be best and with some hint as to how to insert ACCEPT portitons 
for the services the individual wants to offer, once they have a working and 
secure setup in place.

I know it would be a lot of work, maybe too much, but are there any Perl 
chefs out there who could take a set of generic portions of a firewall script 
and modify and assemble it based on questions answered at the command line, 
much in the same form as Bastille.

On the Bastille point, I managed to get it run last night, (on my LFS 
workstation) Interactive Bastille, after compiling the Perl:Tk pm and hacking 
in a fake distro define.  However it seemed to think it was finished and 
successful, which is very unlikely since I don't have IPtables installed and 
there was no evidence of anything in init.d directory.  I have got this down 
to a need to alter the directories $GLOBAL_ variables etc. in the 
Bastille/API.pm file, which seems fairly do-able, just take the RedHat 
defines and alter them to suit.  Not sure as too whether it would suit the 
needs of the book.  Why don't we write our own firewall generator script in 
Perl?

Anyway, I'm signing off this dicussion, mainly cause I fear I'm out of my 
depth, it's just been one of my pet misseries since begining and using Linux, 
ie. getting a connection sharing firewall to work.

Good Luck Guys

-- 
paul at cmm.uklinux.net
http://www.cmm.uklinux.net



More information about the blfs-book mailing list