Hi folks,
I'm back from one month of vacation, so it's time for some updates!
With kernel 2.4 being released, I will now start to work on SuSEfirewall2,
which will be for iptables. It should be available in the next days/weeks.
SuSEfirewall v4.3:
* Added support for selective access for trusted hosts/nets.
* Added bind9 support to FW_SERVICE_DNS
* Fixed a bug in the FW_ALLOW_PING_DMZ function
* Fixed a mini bug in SuSEfirewall where the ICMP timeexceed rate
was not set. (thanks to sm(a)suse.de)
* Added a check for /etc/resolv.conf to prevent awk error messages
* Fixed many typos (thanks to the SuSE Team!)
v4.2.1 01.02.01 (gamma release) -> SuSE 7.1
* Added kernel 2.4 support via ipchains module
* Changed install script to new runlevels
(done by Kurt Garloff, thanks!)
harden_suse v3.0:
* added RUN_UPDATEDB_AS security
* removed permissions.paranoia support. A yes to question 2 sets
permissions to secure, a no leaves the old value
* removed the ulimit settings, just core files will be prevented
* added some START_ variables to ignore for SuSE 7.1
* fixed a bug where accounting and scanlogd were not enabled
* fixed some output presentation stuff
Please note that harden_suse was not available on SuSE Linux 7.1 - so get it
as an update package. Either wait for the rpm to be available on the SuSE
FTP servers, or be desperate and a nice beta tester (although I tested them
and found no bugs) and download the .tar.gz balls from
http://www.suse.de/~marc
Greets,
Marc
--
Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: marc(a)suse.de Function: Security Research and Advisory
PGP: "lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka"
Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C
Private: http://www.suse.de/~marc SuSE: http://www.suse.de/security
Dear list-users,
If I make a new e-mail account for my sendmail, it's the same as if I made a
new user account for the mail server. People could log in, e.g., through ssh.
How can I restrict access to just the corresponding e-mail account so that
users could not log on to the mail server with a terminal client?
Thank you
Philipp
Slightly off topic maybe,
But has anyone who has one of those SuSE subscriptions already received his
7.1 CD (professional)?
Kind regards,
--
Gerhard den Hollander                          Phone +31-10.280.1515
Technical Support, Jason Geosystems BV         Fax   +31-10.280.1511
(When calling please note: we are in GMT+1)
gdenhollander(a)jasongeo.com                    POBox 1573
visit us at http://www.jasongeo.com            3000 BN Rotterdam
JASON.......#1 in Reservoir Characterization   The Netherlands
Martin Peikert <news-list.suse.security@innominate.de>
To: suse-security(a)suse.com
Subject: Re: [suse-security] iptables and conntrack
23.02.01 09:49
Marco Ahrendt <marco.ahrendt(a)adconsys.de> wrote:
> Hi all,
>
> I want to set up a firewall to secure my private network. This network
> includes about 5-6 computers running linux and windows os. I decided to
> use netfilter (iptables) with the new 2.4.2 kernel which I compiled
> on my pentium today. Now I have a question about the new iptables and
> the connection tracking module:
> I want to set a default policy for all chains (at first INPUT, OUTPUT and
> FORWARD) to DENY. Now for example I want to allow a ssh connection from
> the internet to my firewall. (I want the firewall to be the gate to my
> local linux computers. I mean, if anyone wants to ssh to my private
> computers, he only can get a connection if he first connects to the
> firewall, and then connect to the target computer in my network.) Is
> this a good idea ?
I do not think so. On your firewall only those services should run that
are required for the firewall.
If you really need to allow ssh to your internal network from an untrusted
net, try portforwarding to _one_ machine in your internal network, but
_not_ to the firewall. Then your users can login to that machine, but I
would not give them a normal shell on that computer, only ssh to other
machines...
--> I definitely and strongly agree. Giving ppl accounts on your firewall
renders the thing quite useless, heh.
> So I don't have to allow ssh to any of my computers
> in the local net. Only to the firewall! What do you think about this?
> Now the problem: If I use connection tracking for ssh.
>
> iptables -A INPUT -p tcp --dport 22 -s 0.0.0.0/0 -d $FIREWALLHOST -m
> state --state NEW,ESTABLISHED,RELATED -i eth0 -j ACCEPT
>
> In this rule I would accept all connections coming from internet to my
> firewall at port 22 and all packets in relation with this connect.
> Right?! Should I now add a rule to the OUTPUT chain too, or is any
> outgoing connection in relation with the ssh rule INPUT above accepted
> now?
No. You need an additional rule for OUTPUT. But, as said above, I do not
think that this would be a good idea. If you want to secure your private
network, do not allow ssh from outside.
--> hmm. Isn't the RELATED option used in conjunction with stateful
protocols like FTP and not necessary for stateless TCP connections (telnet,
ssh, ntp, http etc ...)? mesa not sure cuz I just got my SuSE 7.1 and am now
putting the thing on my firewall. Netfilter rules; they say. YAY. time to
get a grip :D
--> Cheers
Chris
HTH
Martin
--
martin.peikert(a)innominate.com
innominate AG
the linux architects
tel: +49-30-308806-0 fax: -77 http://www.innominate.com
---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com
For additional commands, e-mail: suse-security-help(a)suse.com
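The pairing Martin describes, as an added example that is not Marco's or Martin's own rule set: the stateful INPUT rule from the quoted message together with the OUTPUT rule it still needs once OUTPUT defaults to DROP. The firewall address 192.0.2.1 and interface eth0 are assumed; `IPT` defaults to `echo iptables` so the script only prints the rules unless you set `IPT=iptables` yourself.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (or, with IPT=iptables, loads)
# a minimal stateful rule set for inbound ssh to the firewall host itself.
IPT=${IPT:-"echo iptables"}

# ssh_rules FWHOST IFACE : emit default policies plus the INPUT/OUTPUT pair
ssh_rules() {
    fwhost=$1
    iface=$2
    # iptables has no DENY target (that was ipchains); the silent default is DROP
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    # inbound: the connection request and every later packet of the same flow
    $IPT -A INPUT -i "$iface" -p tcp -d "$fwhost" --dport 22 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    # outbound: with OUTPUT at DROP the replies are NOT implied by the INPUT
    # rule; they need their own ESTABLISHED match. RELATED is only for
    # companion flows (ICMP errors, FTP data) and adds nothing for ssh replies.
    $IPT -A OUTPUT -o "$iface" -p tcp -s "$fwhost" --sport 22 \
        -m state --state ESTABLISHED -j ACCEPT
}

ssh_rules 192.0.2.1 eth0
```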
Mainly I have several of the free web mail accounts but I also have a web mail server for work that requires 128 bit secure sockets and they won't allow pop/imap or other non M$ exchange method. If I had a Linux program that would interface to M$ exchange I might be able to use that but I would still like to be able to download the free web mail accounts (with security) with my home pc which runs Linux.
getting it back into a standard system I can do what I want with it, including getting my mail from the home pc (after it gets it from the various places) when I check in at home.
The mail administrators are M$ all the way and ssl wrapped POP/IMAP may be either beyond them or the folks looking over their shoulders (POP was allowed but now not allowed, won't be allowed). Either way it's slow, a pain, and higher cost to make a long distance call into their access port. The home pc could do it with a local call and I should be able to get to the home pc with a call to a local ISP at preset times. (I want DSL someday.)
Security has to be acceptable at each point. The web mail is the sticking point.
Will look into wget.
Thanks
Charles Jacks
-----Original Message-----
From: Kurt Seifried [mailto:listuser@seifried.org]
Sent: Friday, February 23, 2001 16:22
To: Jacks, Charles; suse-security(a)suse.com
Subject: Re: [suse-security] web mail into a Linux box
wget? Then a perl script to turn it from html back into mail? Why don't they
just set up SSL-wrapped POP/IMAP (it's what I use on the road and I'm a total
security freak).
Kurt Seifried, seifried(a)securityportal.com
Securityportal - your focal point for security on the 'net
> I have a problem and I need a pointer where to look.
>
> I want to "download" mail from a web mail server that requires 128 bit secure
> sockets into a Linux system as "standard" mail that can be handled by a mail
> program for an intranet.
>
> Any suggestions as to what program might be applicable?
>
> Thanks
> Charles Jacks
I have a problem and I need a pointer where to look.
I want to "download" mail from a web mail server that requires 128 bit secure sockets into a Linux system as "standard" mail that can be handled by a mail program for an intranet.
Any suggestions as to what program might be applicable?
Thanks
Charles Jacks
Maybe you're just talking about POP3S, which means a "standard" POP3 connection
with SSL?
Just guessing
Franziskus
-----Original Message-----
From: Jacks, Charles [mailto:jacks@wpb.nuwc.navy.mil]
Sent: Friday, 23 February 2001 16:51
To: 'suse-security(a)suse.com'
Subject: [suse-security] web mail into a Linux box
I have a problem and I need a pointer where to look.
I want to "download" mail from a web mail server that requires 128 bit
secure sockets into a Linux system as "standard" mail that can be handled by
a mail program for an intranet.
Any suggestions as to what program might be applicable?
Thanks
Charles Jacks
Hi all,
Does anyone have any experience with SKIP and SuSE 7.0? I'm trying to
set up a server to masquerade protocol 57, but I can't find anything
useful... I can't see anything on www.skip.org about Linux.
:-(
Do I need to patch a kernel, or do something with the firewall script?
Any pointers much appreciated...
Thanks,
Mark
Tor Sigurdsson wrote:
> It was Friday 23 February 2001 13:21 when you wrote:
> > > Feb 23 13:43:20 upnlr3 kernel: martian destination 00000000 from 1f011f0a, dev eth1
> >
> > 1f011f0a
> > 1f -> 31
> > 01 -> 1
> > 1f -> 31
> > 0a -> 10
> > -> IP 10.31.1.31
>
> I think you got it backwards :-)
No. This is because the x86 architecture host byte order differs from
network byte order. The IP address is internally stored in network
byte order, i.e., with the highest byte first: 0a 1f 01 1f. The kernel
uses a simple printf("... %08x ...", ...) to produce the log message,
so the bytes of the address are interpreted as a 32 bit integer
according to _host_ byte order, i.e., lowest byte first (on x86). This
results in the reversed output, because the last byte of the IP
address is printed as the highest part of the number, and so on.
Eilert
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Eilert Brinkmann -- Universitaet Bremen -- FB 3, Informatik
eilert(a)informatik.uni-bremen.de - eilert(a)tzi.org - eilert(a)linuxfreak.com
http://www.informatik.uni-bremen.de/~eilert/
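Eilert's explanation, carried through on a log line, as an added example that is not from any poster: on a little-endian host the 2.4 kernel's `%08x` puts the first octet of the address into the lowest byte of the printed number, so decoding means reading the bytes back lowest first. The sample line is constructed after the one quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: decode the host-byte-order hex that the
# kernel prints in "martian" messages on x86 back into dotted-quad form.

# hex_to_ip HEX -> dotted quad, taking the LOWEST byte as the first octet
hex_to_ip() {
    v=$((0x$1))
    printf '%d.%d.%d.%d\n' \
        $(( v        & 255)) \
        $(((v >>  8) & 255)) \
        $(((v >> 16) & 255)) \
        $(((v >> 24) & 255))
}

# decode_martian LINE -> "<destination> from <source>" with both decoded
decode_martian() {
    # pull the 8-hex-digit words that follow "destination" and "from"
    dst=$(printf '%s\n' "$1" | sed -n 's/.*martian destination \([0-9a-f]*\).*/\1/p')
    src=$(printf '%s\n' "$1" | sed -n 's/.*from \([0-9a-f]*\),.*/\1/p')
    printf '%s from %s\n' "$(hex_to_ip "$dst")" "$(hex_to_ip "$src")"
}

# constructed sample line, modelled on the one quoted above
sample='Feb 23 13:43:20 upnlr3 kernel: martian destination 00000000 from 1f011f0a, dev eth1'
decode_martian "$sample"    # -> 0.0.0.0 from 10.31.1.31
```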