[SLE] ipchains, firewalling, icq, and a cool net program
- From: chris.reeves@xxxxxxxxx (Chris Reeves)
- Date: Fri, 01 Oct 1999 14:22:07 +0000
- Message-id: <37F4C38F.86CB2FB9@xxxxxxxxx>
Hi everyone,
This is going to be a long one, with LOTS of questions, but please bear with
me and try and answer as many as possible (and there's a treat for some of you
at the end :-)... ). It's also probably slightly OT and parts have been asked
before in various forms, but firewalling is very specific. I'm sure this would
answer a lot of questions that many people have. I have read HOWTOs, man pages,
SuSE manual, etc. and still need some help. I recently moved from home (56k
dialup) to uni (24/7 ethernet connection, pretty much direct). Since the
university net isn't exactly secure, I need to set up firewalling and sort out
services, etc.
I'd also better mention: SuSE 6.1, kernel 2.2.5, Cyrix P150+, 96M RAM, 10GB HD,
10Mb Ethernet connection.
1) I have ipchains set to deny virtually everything except a few servers coming
from specific remote ports and the first rule of all is to deny all incoming
connections (-p tcp -y). I have the output chain set to accept everything (I
don't see any harm in that, as forwarding is also set to deny all and isn't
even turned on). Most of the services in /etc/services are left uncommented. So
the first question is - those services running from inetd are safe as no
connections can be established, aren't they (I know that they should be
disabled anyway, but let's just say they're not)? What about if I put a rule in
before that -y deny rule that would accept connections on port 80, to run a
webserver, say. Would those other services still be safe? As far as I know, the
httpd would answer connections on port 80 - is there any way for someone to
connect on port 80 (where httpd is running) and use telnet to log on (sort of
request the telnet daemon)? What if the open port were, say, 34712 and there
was no daemon listening there - would the incoming connection then be able to
choose a daemon? What would happen?
2) This one's kind of related to the previous one. I want to run a web server
from my computer. I don't want to remove all the SuSE support db and search
facilities. I would like to know if there would be any security holes if I just
opened it up as it is - search facilities and everything. Would people be able
to search the hard drive? I have a documentation server installed, but I think
that's on a different port? I wouldn't be opening that up. But I have lots of
support docs installed from the packages on the cdrom, and they are searchable
with htdig. So can I just open the server up as it is?
3) I would like to use ftp from behind the firewall (receiving, not serving).
How should I set this up with ipchains? I thought that I could just allow
packets in from tcp port 21, but I wasn't sure if this was secure enough, but
then I thought - since I don't allow incoming connections, *I* must have
connected to *their* port 21, so that must make it safe(er). Is that true?
Also, there is the problem of active (or is it passive?) ftp, which means the
remote server tries to establish a connection to me (which at the moment is
blocked by -y). How do I make allowances for this, other than specifying the
server manually just before doing the transfer and opening up a range of ports,
because the source and destination ports can (as far as I know) be anything? So
to sum up: how do I firewall ftp?
4) Here's a nice insecure protocol: icq. I know I have to open up udp port 4000
to icq.mirablis.com - that isn't a problem (other than the fact that the
servers that I have IP addresses for keep on disappearing). What is a problem
is that you need to open some other tcp ports (some outgoing, but others,
presumably, for connection) as described in the ICQ firewall faq at
http://www.mirabilis.com/faq/firewall.html . Has anyone had any experience of
using ICQ over a firewall? What exactly are the security risks? Those ports you
open for connection - does icq put a daemon on them?? I can get connected to an
icq server by opening port 4000, but can't do much else. Please help if you can
- some people I can only speak to over icq.
5) NFS. Does anyone know what ports have to be open on my side to be able to
mount volumes via NFS? How secure is it? Does the RPC portmapper daemon need to
be running on my end? Or any other daemon (eg mount)? man nfs mentioned the
default port being udp 2049. Is this the only one I have to open? Do I have to
expect incoming connections (I'm not going to be doing any sharing, just
mounting)? What port should I expect a reply to? Again, could someone with
experience using NFS through a firewall help me?
6) Surfing the web. I am trying to set up the firewall to access a caching
proxy on the uni network. I don't need any help with that just now, and if it
works it won't be a problem. At the moment, though, I am just directly
accessing the websites. To do this I have (as you will see below) set ipchains
to accept any packet from tcp port 80 from ANYWHERE. Since I don't accept
incoming connections I think this is safe, yes?
7) ipchains. Although I have read quite a bit about them, I would maybe like to
see one or two other people's scripts (sent off list to avoid wasting any more
bandwidth) to compare with my own (which follow) and I am open to suggestions
and comments on my current setup. There's no problem with the accept all
output, is there, as I have got forwarding turned off? IPs have been altered to
'protect the innocent':
Chain input (policy DENY):
target  prot opt    source              destination    ports
DENY    tcp  -y---- anywhere            my-ip-address  any -> any
ACCEPT  icmp ------ anywhere            anywhere       any -> any
ACCEPT  tcp  ------ uni-ns1             anywhere       domain -> any
ACCEPT  tcp  ------ uni-ns2             anywhere       domain -> any
ACCEPT  udp  ------ uni-ns1             anywhere       domain -> any
ACCEPT  udp  ------ uni-ns2             anywhere       domain -> any
ACCEPT  tcp  ------ nearby-uni-server   anywhere       smtp -> any
ACCEPT  tcp  ------ caching-proxy       anywhere       any -> any    <-- my attempt to get proxy cache server working, ignore
ACCEPT  tcp  ------ anywhere            anywhere       www -> any
ACCEPT  tcp  ------ home-isp-pop3-serv  anywhere       pop3 -> any
ACCEPT  tcp  ------ nearby-uni-server   anywhere       telnet -> any
ACCEPT  tcp  ------ nearby-uni-server   anywhere       pop3 -> any
Chain forward (policy DENY):
Chain output (policy ACCEPT):
<end output>
Right, that's just about it. I'd like to mention, though, that I got sound
working a couple of days ago for the first time ever in linux (had various
dists for over a year). I'd never actually tried before because it always
sounded so complicated with everyone writing in with problems. After reading
the docs it took me all of 5 mins to get it set up with OSS!! It only runs for
three hours, but that's not a problem. I didn't even have to install anything
extra (other than replacing the full license OSS off the CDs with the demo
version off the CDs). BTW, I have a Yamaha DS-XG PCI and it sounds excellent.
Here's the treat that you've all been waiting for. (Actually, you probably all
knew about this already) I was looking through some stuff on the CDs and
noticed a wee program called tleds, which does a very handy job. Ever had to
crawl around the back of the computer to see if the network card's lights are
flashing? No need now, use tleds and it'll use your numlock and scrolllock leds
on your keyboard as TX and RX leds as on the back of the card. I've already
found it very handy in checking for strange unnecessary network activity - and
noticed a number of active connections to a particular server. If I remember
right it is in series n (that would be sensible wouldn't it!).
OK, now for a plea. Please reply, even if you can only answer one of these
thousands of questions (but it would be excellent if you could answer them all
:->>). I have to thank you now, even if you don't reply, for taking the time to
read this epic. And thank you in advance for anyone who does give me any
answers. I've been building up to this for a number of weeks and it has all
come flooding out like a dam bursting (as if you didn't notice!). Thanks again,
and please, please answer.
Thanks,
Chris
--
__ _
-o)/ / (_)__ __ ____ __ Chris Reeves
/\\ /__/ / _ \/ // /\ \/ / ICQ# 22219005
_\_v __/_/_//_/\_,_/ /_/\_\
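One way to see what the quoted input chain actually admits (questions 1, 3 and 6), as an added example that is not part of the original post: a small first-match evaluator over a transcription of the ipchains -L listing above. Host names are the placeholders from the post, port names stand in for numbers, and the Packet/Rule fields are a simplification of what ipchains really inspects.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    target: str      # ACCEPT or DENY
    proto: str       # tcp, udp or icmp
    source: str      # host name as printed by ipchains -L, or "anywhere"
    sport: str       # source port, or "any"
    dport: str       # destination port, or "any"
    syn_only: bool = False   # the -y flag: match only connection-opening SYNs

@dataclass
class Packet:
    proto: str
    source: str
    sport: str
    dport: str
    syn: bool = False        # True for the first packet of a TCP connection

# Transcription of the post's input chain (policy DENY); first match wins.
INPUT_CHAIN = [
    Rule("DENY", "tcp", "anywhere", "any", "any", syn_only=True),
    Rule("ACCEPT", "icmp", "anywhere", "any", "any"),
    Rule("ACCEPT", "tcp", "uni-ns1", "domain", "any"),
    Rule("ACCEPT", "tcp", "uni-ns2", "domain", "any"),
    Rule("ACCEPT", "udp", "uni-ns1", "domain", "any"),
    Rule("ACCEPT", "udp", "uni-ns2", "domain", "any"),
    Rule("ACCEPT", "tcp", "nearby-uni-server", "smtp", "any"),
    Rule("ACCEPT", "tcp", "caching-proxy", "any", "any"),
    Rule("ACCEPT", "tcp", "anywhere", "www", "any"),
    Rule("ACCEPT", "tcp", "home-isp-pop3-serv", "pop3", "any"),
    Rule("ACCEPT", "tcp", "nearby-uni-server", "telnet", "any"),
    Rule("ACCEPT", "tcp", "nearby-uni-server", "pop3", "any"),
]

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto
            and rule.source in ("anywhere", pkt.source)
            and rule.sport in ("any", pkt.sport)
            and rule.dport in ("any", pkt.dport)
            and (pkt.syn or not rule.syn_only))

def verdict(pkt: Packet, chain=INPUT_CHAIN, policy="DENY") -> str:
    """First-match walk of the chain, falling through to the chain policy."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy

def with_web_server(chain=INPUT_CHAIN):
    """Question 1: accept new connections to local port 80, inserted before the -y DENY."""
    return [Rule("ACCEPT", "tcp", "anywhere", "any", "www")] + chain
```

With the chain as posted, a SYN from anywhere is denied whatever its source port (so the "www -> any" rule only lets replies to outgoing web requests through), an active-mode FTP data connection opened from the server's ftp-data port is likewise denied, and nothing yet accepts replies from a remote port 21 at all; adding the port-80 rule in front admits new connections to the web server only.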