paul at cmm.uklinux.net
Mon Aug 13 12:36:52 PDT 2001
On Monday 13 August 2001 09:15, you wrote:
> Hi Paul, hi everybody else,
> Paul, tell me, if you want via private mail, what went wrong?
I must confess that it was not an LFS system (it was a Mandrake) I attempted
it on, and I can't provide the exact debugging of what went wrong. I don't
know what I'm doing with IPtables. I can read scripts such as your PS and
more or less understand it.
However, on the one hand it would be great if you could slap the script in and it
would work first up, but they never do. I have tried many, many such offered
scripts and never had one that worked.
Once the first attempt has failed, I usually, as you suggest, attempt to
adapt it to my subnet, interfaces etc. etc. This is where it becomes clear
that modifying such a script, even slightly, is very difficult for a beginner.
It is, at least for me, difficult to know what actually worked and what
didn't work, or how to debug and analyse what did come out of the script.
> One thing I have to confess: the hint is NOT aimed to secure one server
> for himself! It's meant to secure either your 'surfing terminal',
> or your 'masquerading gateway/router', with additional services.
It was for a MASQ / router / gateway I was interested in. Preferably the
services offered on the inside are free for all with no restrictions; I trust
my network users. From the outside it should not appear to exist. (I can
enable the web server later.) I want to play with DNS and mail servers on my
network, with the safety of the firewall, so that I won't upset anybody "out
there", and also so that anybody "out there" can't upset me. Also, for the MASQ /
NATed workstations the router should not seem to exist; their net connection
should appear just as if they had used their own modem to connect, but with
the added security from nasty sorts on the outside.
> If you'd like me to outline a setup for your server itself, tell me,
> I think Jeff, if he liked to collaborate, and I could give you some for
> your server, for a preview have a look at PS.
Your PS seems very complete, more than I have seen to date, as I understand
them (which is not that much). Tell me though, if I put that in my boot
scripts now, on my server, will it work first run? Surely it will require
modifications and alterations to suit my network and interfaces. Where do
> The reason why I did not want to provide such a setup is, that on a
> server you are the man who restricts the services that are running.
> And if there are no daemons running besides openSSH and Apache, secured
> on themselves, the chances for a cracker to succeed seem quite unlucky.
> If there are more services being offered, distributors install and
> activate them quite generously, personally I say recklessly, you could
> prevent anyone from accessing them with a firewall.
I agree that most distros are a bit reckless with allowing total novices to
install and activate things like full internet DNS and sendmail services and
the like, usually without much warning either.
> But, do you expect me to know which services you'd like to offer and
> which to restrict?
> OK, I'll append a script that allows anyone to access your server via
> http on port 80, and a limited source, (ADAPT IT!) to ping it and to
> access port 22, for openSSH.
I think for the hint or BLFS book that a fully closed server with no ports
showing would be best, with some hint as to how to insert ACCEPT portions
for the services the individual wants to offer, once they have a working and
secure setup in place.
I know it would be a lot of work, maybe too much, but are there any Perl
chefs out there who could take a set of generic portions of a firewall script
and modify and assemble it based on questions answered at the command line,
much in the same form as Bastille.
On the Bastille point, I managed to get it run last night, (on my LFS
workstation) Interactive Bastille, after compiling the Perl:Tk pm and hacking
in a fake distro define. However it seemed to think it was finished and
successful, which is very unlikely since I don't have IPtables installed and
there was no evidence of anything in init.d directory. I have got this down
to a need to alter the directories $GLOBAL_ variables etc. in the
Bastille/API.pm file, which seems fairly do-able, just take the RedHat
defines and alter them to suit. Not sure as to whether it would suit the
needs of the book. Why don't we write our own firewall generator script in
Anyway, I'm signing off this discussion, mainly cause I fear I'm out of my
depth; it's just been one of my pet miseries since beginning and using Linux,
i.e. getting a connection-sharing firewall to work.
Good Luck Guys
paul at cmm.uklinux.net
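The gateway setup Paul describes above (inside network trusted, nothing visible from the outside, NATed workstations whose connection looks like their own), together with the "fully closed server with marked places to add ACCEPT lines" idea from later in the message, as an added example that is not part of the original thread or the hint it discusses. Interface names, the LAN subnet and the use of iptables state matching are assumptions; the script only prints the rules unless explicitly told to apply them, so it can be read and checked first.

```shell
#!/bin/sh
# Added example: minimal iptables ruleset for a masquerading gateway.
# Assumed values (adapt before use): ppp0 is the modem/outside interface,
# eth0 is the LAN interface, 192.168.1.0/24 is the private LAN subnet.
EXT_IF="${EXT_IF:-ppp0}"
INT_IF="${INT_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the ruleset as plain iptables commands (one per line) instead of
# running them, so it can be inspected, diffed or piped to sh later.
gen_firewall_rules() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -t nat -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $INT_IF -s $LAN_NET -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# --- add ACCEPT lines here for services you choose to offer outside, e.g.
# --- iptables -A INPUT -i $EXT_IF -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $EXT_IF -j DROP
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Count the iptables commands in the generated ruleset (comments excluded),
# a cheap sanity check that nothing in the heredoc got lost.
count_rules() {
    gen_firewall_rules | grep -c '^iptables '
}

# Default: print the rules. Only "--apply" runs them (needs root).
case "${1:-}" in
    --apply) gen_firewall_rules | sh ;;
    *)       gen_firewall_rules ;;
esac
```

Why it is shaped this way: INPUT and FORWARD default to DROP rather than REJECT, so a probe from the outside gets no answer at all, which is what "should not appear to exist" amounts to. Anything arriving on the LAN interface from the LAN subnet is accepted, and replies to connections the box or the workstations started come back through the ESTABLISHED,RELATED rule, so from a workstation the gateway is invisible and the link behaves like a direct modem connection. The commented block in the INPUT chain is the one place that needs editing when a service such as the web server is opened up later.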