Re: [suse-security] hack me! -- ipchains security
thus spoke Philipp Snizek (on Sun, 24 Dec 2000 10:35:36PM +0100):
I accept that you use 100% ipchains to see how secure it is. But your solution is not very flexible, e.g. ftp. Many ftp servers have (as you know) data ports on >1024. Connections to them will not work (I beg your pardon if I'm wrong, I just went very quickly through it).
i think i am allowing them. specifically with the following two lines:
-A ei-in -d 0.0.0.0/0 1024:65535 -p 6 -j accepted
-A ei-in -d 0.0.0.0/0 1024:65535 -p 17 -j accepted
where ei-in is the chain of packets arriving from a non-local machine on the external interface.
You can save up a lot of rulesets which will make your script easier to control by using squid for www, ssl and pasv ftp. Also you can run bind as a dns forwarder bound to your int eth (Not to your ext eth!).
well, i am. currently, i don't forward 443 to squid, but 80 is automatically handled by squid without the need to specify a proxy. and i actually did not know that ftp can be handled by squid too.
I solved it the way that I have squid doing the main internet job. My ipchains forward policy is set to deny. All others are set to accept. I just run ipchains for pop and smtp. This makes it very easy to control the chains.
yes i know. i don't find my scripts particularly hard for i broke them up into subchains quite nicely...
I know, it's not what you wanted to hear. I'm not a cracker. But I still hope that it helps in making your systems more secure and easier to monitor.
thanks though. i appreciate any input... martin [greetings from the heart of the sun]# echo madduck@!#:1:s@\@@@.net -- the young lady had an unusual list, linked in part to a structural weakness. she set no preconditions.
i think i am allowing them. specifically with the following two lines:
-A ei-in -d 0.0.0.0/0 1024:65535 -p 6 -j accepted
-A ei-in -d 0.0.0.0/0 1024:65535 -p 17 -j accepted
Agree. But why udp? ftp doesn't use udp.
where ei-in is the chain of packets arriving from a non-local machine on the external interface.
You can save up a lot of rulesets which will make your script easier to control by using squid for www, ssl and pasv ftp. Also you can run bind as a dns forwarder bound to your int eth (Not to your ext eth!).
well, i am. currently, i don't forward 443 to squid, but 80 is automatically handled by squid without the need to specify a proxy. and i actually did not know that ftp can be handled by squid too.
You run squid transparently? Good thing though, but not ftp pasv capable. I see, you handled it the other way 'round, opening your firewall box from 1024:.

Just checking back your script. You shouldn't close all icmp traffic. In particular you should allow ping, pong and icmp unreachable. Not doing so could cause loss of bandwidth because of unanswered icmp unreachables.

Anti spoof is ok. You can enhance it by doing
echo 1 > /proc/sys/net/ipv4/rp_filter
Then I miss smurf protection...
# SMURF PROTECTION
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
....as well as fragmented ip protection
# IP DEFRAGMENTATION
echo 1 > /proc/sys/net/ipv4/ip_always_defrag

Syntax & useless stuff
#-A input -s 0.0.0.0/0 -d 0.0.0.0/0 79:79 -p 6 -j ACCEPT
# http (tcp)
#-A input -s 0.0.0.0/0 -d 0.0.0.0/0 80:80 -p 6 -j ACCEPT
# ident (tcp)
-A input -s 0.0.0.0/0 -d 0.0.0.0/0 113:113 -p 6 -j ACCEPT
You don't need to write 79:79, 80:80 or 113:113. If you just write 79, 80 and 113 you'll be fine.

Why allow finger? Do you like other people fingering you? Giving away information?

Why auth port open? (send)Mail does work with auth port to authenticate the mail sender. You don't need that. Works well without. Also same problem as port 79: giving away information.

Transparent proxy: I'm afraid I was wrong. You don't run squid in transparent mode. Your input chain for www would have other syntax.

### screw that micro$oft netbeui bullshit
I'm afraid netbeui is something else than netbios. Netbeui is ISO layer 3 to approx. 5. Netbios would be (like www, or ftp) application layer (7). It's not really correct what I write here, because MS network doesn't know about the 7-layer OSI model. What you mean here is netbios.

### screw that micro$oft netbeui bullshit
-A input -s 0.0.0.0/0 -d 0.0.0.0/0 137:139 -p 6 -j DENY
-A input -s 0.0.0.0/0 137:139 -d 0.0.0.0/0 -p 6 -j DENY
-A input -s 0.0.0.0/0 -d 0.0.0.0/0 137:139 -p 17 -j DENY
-A input -s 0.0.0.0/0 137:139 -d 0.0.0.0/0 -p 17 -j DENY
You can save up 3 rules by using the -b (= bidirectional) option and forgetting about protocols. This line below covers your four lines above.
-A input -s 0.0.0.0/0 -d 0.0.0.0/0 137:139 -j DENY -b

General information
### deny everything by default
:input REJECT
in your config ok. With squid running you would fail with this policy.
### this is not really relevant
:forward ACCEPT
This is relevant. With forward = deny nothing works. I think you should check back at the principle of how the ipchains forward rule works. The forward rule decides whether to route the packet. I attached a drawing about it. The lo device is not included in this drawing. It's German. I guess you speak German.
### and we allow the local user to do anything
:output ACCEPT
The output policy covers two directions. From your ext eth out to the internet and from your int eth into your internal net.

CUL Philipp
man, i am so dumb... because i sent the wrong file out to the list. please let me try again and use only the attached file - these are my real ipchains rules... sorry about that. martin [greetings from the heart of the sun]# echo madduck@!#:1:s@\@@@.net -- sum quod eris.
Martin,

I'm not absolutely sure about what I write you here because I never have worked before with the -N option. But
## chain: accepted
## all packets that are being accepted
-N accepted
-A accepted -j ACCEPT
-A ii-in -b -d 0.0.0.0/0 22:22 -p 6 -j accepted
-A ii-in -b -d 0.0.0.0/0 25:25 -p 6 -j accepted
-A ii-in -b -d 0.0.0.0/0 53:53 -p 17 -j accepted
-A ii-in -b -d 0.0.0.0/0 67:68 -p 17 -j accepted
-A ii-in -b -d 0.0.0.0/0 80:80 -p 6 -j accepted
-A ii-in -b -d 0.0.0.0/0 110:110 -p 6 -j accepted
-A ii-in -b -d 0.0.0.0/0 515:515 -p 6 -j accepted
-A ii-in -b -d 0.0.0.0/0 8080:8080 -p 6 -j accepted
seems to be very much pleonasm. Dual acceptance. What for? Why not write it
-A ii-in -b -d 0.0.0.0/0 22:22 -p 6 -j ACCEPT
? The same with DENY, MASQ and REJECT. I know, you don't want to switch between CAPITALS and the small letters when defining new rules. About 22:22, 25:25 and so on we already talked.

Quick analysis (please correct me if I'm wrong):
-A ie-out -d 0.0.0.0/0 1024:65535 -p 6 -j accepted
-A ie-out -d 0.0.0.0/0 1024:65535 -p 17 -j accepted
The output chains for ippp0 to the internet.
-A ie-in -d 0.0.0.0/0 1024:65535 -p 6 -j accepted
-A ie-in -d 0.0.0.0/0 1024:65535 -p 17 -j accepted
The input chains for internal network to internal network adapter in your firewall box.
-A ei-in -d 0.0.0.0/0 1024:65535 -p 6 -j accepted
-A ei-in -d 0.0.0.0/0 1024:65535 -p 17 -j accepted
-A ii-out -j accepted
This rule is internal eth to internal network. Everything is accepted.
This is the input chains on your ext device (ippp0). Open like the gate of a barn for trojans. Here's a link: http://www.simovits.com/nyheter9902.html
You have achieved full ftp functionality at the cost of the above comments. I consider it dangerous.
-A ie-out -d 0.0.0.0/0 79:79 -p 6 -j accepted
forget about finger.
-A ei-in -p 1 -j denied
Please allow at least icmp dest unreach.
-A ei-in -p 2 -j denied
Question to the group: Can igmp be a security threat?
-A ii-in -b -d 0.0.0.0/0 67:68 -p 17 -j accepted
It seems that your packetfilter box receives its IP address from a dhcp/bootp server or is itself a dhcp/bootp box. Do you run xinetd or have you got your dhcp bound on your int device?

Well, that's all for now. I don't see more. HTH Philipp

BTW: I'll send you my more primitive firewall.
-----Original Message-----
From: 'MaD dUCK' [mailto:madduck@madduck.net]
Sent: Monday, 25 December 2000 11:40
To: Philipp Snizek
Cc: suse-security@suse.com
Subject: [suse-security] ack, wrong ipchains (was: hack me! -- ipchains security)
man, i am so dumb... because i sent the wrong file out to the list. please let me try again and use only the attached file - these are my real ipchains rules...
sorry about that. martin
[greetings from the heart of the sun]# echo madduck@!#:1:s@\@@@.net -- sum quod eris.
thus spoke Philipp Snizek (on Tue, 26 Dec 2000 04:16:58PM +0100):
-N accepted
-A accepted -j ACCEPT
-A ii-in -b -d 0.0.0.0/0 22:22 -p 6 -j accepted
Why not write
-A ii-in -b -d 0.0.0.0/0 22:22 -p 6 -j ACCEPT ?
i only use this while debugging so that i can quickly add the -l flag to all rules that are being accepted, or do whatever else i wish to all the denied packets and so on. it's mere convenience.
-A ie-out -d 0.0.0.0/0 1024:65535 -p 6 -j accepted
-A ie-out -d 0.0.0.0/0 1024:65535 -p 17 -j accepted
The output chains for ippp0 to the internet.
"ie" means internal to external, out means output, so yes.
-A ie-in -d 0.0.0.0/0 1024:65535 -p 6 -j accepted
-A ie-in -d 0.0.0.0/0 1024:65535 -p 17 -j accepted
almost. these are packets coming from a local host with a destination on the internet. packets arriving at the firewall can either be for itself, or to be forwarded (ii-in and ie-in respectively).
-A ei-in -d 0.0.0.0/0 1024:65535 -p 6 -j accepted
-A ei-in -d 0.0.0.0/0 1024:65535 -p 17 -j accepted
these are packets from the internet for the firewall or for the demasquerading process.
This is the input chains on your ext device (ippp0). Open like the gate of a barn for trojans. Here's a link: http://www.simovits.com/nyheter9902.html
well, but i can't see a simple way to close it while basically keeping the firewall as transparent as possible from the inside... my family is not much in favor that they cannot be using a simple modem like everyone but must use the LAN to get email, surf, icq, and all the other jingle sheit. so the last thing they want is a firewall that tells them that they cannot use ftp...
-A ii-out -j accepted
anything sent by the firewall to the local network.
-A ei-in -p 1 -j denied
Please allow at least icmp dest unreach.
done. give me another week or two and i will send you the new code. i am meeting my swiss (!) girlfriend for skiing tomorrow and won't be touching a computer for a week!
-A ei-in -p 2 -j denied
Question to the group: Can igmp be a security threat?
i don't know. this rule started out in my college network when i was so annoyed at our network admins to be misconfiguring expensive cisco equipment to a point where there were igmp broadcasts multiple times a second (at times) and in my revolutionary something i decided to deny them... probably not much help. but then again, i am sure igmp could be used somehow... maybe for DoS attacks...
-A ii-in -b -d 0.0.0.0/0 67:68 -p 17 -j accepted
It seems that your packetfilter box receives its IP address from a dhcp/bootp server or is itself a dhcp/bootp box. Do you run xinetd or have you got your dhcp bound on your int device?
dhcpd is running without inetd, and yes, it's bound to the local interface only. the firewall is the dhcp server for the local network. where in switzerland are you btw? martin [greetings from the heart of the sun]# echo madduck@!#:1:s@\@@@.net -- "when I was a boy I was told that anybody could become president. now i'm beginning to believe it." -- clarence darrow
-N accepted
-A accepted -j ACCEPT
-A ii-in -b -d 0.0.0.0/0 22:22 -p 6 -j accepted
Why not write
-A ii-in -b -d 0.0.0.0/0 22:22 -p 6 -j ACCEPT ?
i only use this while debugging so that i can quickly add the -l flag to all rules that are being accepted, or do whatever else i wish to all the denied packets and so on. it's mere convenience.
I see. Good idea.
well, but i can't see a simple way to close it while basically keeping the firewall as transparent as possible from the inside... my family is not much in favor that they cannot be using a simple modem like everyone but must use the LAN to get email, surf, icq, and all the other jingle sheit. so the last thing they want is a firewall that tells them that they cannot use ftp...
My solution: (This is why I love Squid) Policy is set to forward=deny (seeing now I could also set input = deny. But output = deny would be a mistake). These here are my Proxy Rules for www, ftp and ssl.
ipchains -A input -p tcp -s 10.0.0.0/24 1024:5000 -d 10.0.0.191/32 8008 -i eth1 -j ACCEPT
ipchains -A input -p tcp -s ! 10.0.0.0/24 -d 212.232.168.183/32 1024:5000 -i eth0 -j ACCEPT
# This rule makes the music
ipchains -A output -p tcp -s 10.0.0.191/32 8008 -d 10.0.0.0/24 1024:5000 -i eth1 -j ACCEPT
These below are my denial rules:
# DENIALs
ipchains -A input -i eth1 -j DENY -l
ipchains -A output -i eth1 -j DENY -l
ipchains -A input -i eth0 -j DENY -l
# As well as this
eth0 = ext eth
eth1 = int eth
Since this is the heart of my ipchains, you don't need the rest anymore. So I won't send it to you. The rest is uninteresting. The rest is DNS without forward rule (because of bind), pop and smtp with masqued forward rule and icmp ping, pong and dest unreach. Also some windows stuff like netbios, dhcp that is denied because I don't want to have my log full of senseless stuff. This config solved all my ftp problems. I can access all ftp that are also running in passive mode. There are very few ftp servers that are running in active mode only.
-A ii-out -j accepted
anything sent by the firewall to the local network.
-A ei-in -p 1 -j denied
Please allow at least icmp dest unreach.
done. give me another week or two and i will send you the new code. i am meeting my swiss (!) girlfriend for skiing tomorrow and won't be touching a computer for a week!
Ok.
-A ei-in -p 2 -j denied
Question to the group: Can igmp be a security threat?
i don't know. this rule started out in my college network when i was so annoyed at our network admins to be misconfiguring expensive cisco equipment to a point where there were igmp broadcasts multiple times a second (at times) and in my revolutionary something i decided to deny them... probably not much help. but then again, i am sure igmp could be used somehow... maybe for DoS attacks...
I don't know. Post it as a question to the group. Answer may be interesting.
where in switzerland are you btw?
Reinach, AG. Between Aarau and Luzern. 50km west-south-west of Zurich. Philipp. PS: Are you somewhere from Bayern or Baden-Württemberg? You can't be far away if your girlfriend is Swiss.
thus spoke Philipp Snizek (on Mon, 25 Dec 2000 10:58:52AM +0100):
i think i am allowing them. specifically with the following two lines:
-A ei-in -d 0.0.0.0/0 1024:65535 -p 6 -j accepted
-A ei-in -d 0.0.0.0/0 1024:65535 -p 17 -j accepted
Agree. But why udp? ftp doesn't use udp.
well, because i want to allow traffic above 1024. icq for instance should be allowed...
well, i am. currently, i don't forward 443 to squid, but 80 is automatically handled by squid without the need to specify a proxy. and i actually did not know that ftp can be handled by squid too.
You run squid transparently? Good thing though, but not ftp pasv capable. I see, you handled it the other way 'round, opening your firewall box from 1024:.
can you explain the ftp pasv thing of squid to me? passive ftp is the ftp where data transfers happen on port >= 1024 instead of 21, right? well, how does squid handle this and why would using squid (without transparency) allow me to close ports 1024 and up?
Just checking back your script. You shouldn't close all icmp traffic. In particular you should allow ping, pong and icmp unreachable. Not doing so could cause loss of bandwith because of unanswered icmp unreachables.
well, maybe you are right. but when i took my last security seminar, i was told that disabling icmp is the safest of all. if you can't ping me, it will be really hard to hack me.
Anti spoof is ok. You can enhance it by doing
echo 1 > /proc/sys/net/ipv4/rp_filter
# SMURF PROTECTION
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# IP DEFRAGMENTATION
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
i had all these enabled through sysctl...
You don't need to write 79:79, 80:80 or 113:113. if you just write 79, 80 and 113 you'll be fine.
okay...
Why allowing finger? do you like other people fingering you? Giving away information?
well, yes, i use finger for information... but as i said, the ipchains you got was that of a different system...
Why auth port open? (send)Mail does work with auth port to authenticate the mail sender. You don't need that. Works well without. Also same problem as port 79. giving away information.
irc. that needs auth.
Transparent proxy: I'm afraid I was wrong. You don't run squid in transparent mode. Your input chain for www would have other syntax.
as i said, it was the wrong ipchains script.
### screw that micro$oft netbeui bullshit
I'm afraid netbeui is something else than netbios. Netbeui is ISO layer 3- approx 5. Netbios would be (like www, or ftp) application layer (7). It's not really correct what I write here, because MS network doesn't know about 7-Layer OSI model. What you mean here is netbios.
true true. and i am an MCSE myself. but i haven't worked with windoze so long! :)
-A input -s 0.0.0.0/0 -d 0.0.0.0/0 137:139 -p 6 -j DENY
-A input -s 0.0.0.0/0 137:139 -d 0.0.0.0/0 -p 6 -j DENY
-A input -s 0.0.0.0/0 -d 0.0.0.0/0 137:139 -p 17 -j DENY
-A input -s 0.0.0.0/0 137:139 -d 0.0.0.0/0 -p 17 -j DENY
You can save up 3 rules by using the -b (= bidirectional) option and forgetting about protocols.
yes, i learnt about -b the other day.
This line below covers your four lines above.
-A input -s 0.0.0.0/0 -d 0.0.0.0/0 137:139 -j DENY -b
nope, specifying a port requires specifying a protocol:
root@albatross ~> ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 137:139 -j DENY -b
ipchains: can only specify ports for icmp, tcp or udp
again, i am sorry that i posted the wrong script at first. if you do have time, could you please look over the new one. the one i sent you is from a test system and absolutely bad and wrong. it's like a year old too and i learned a lot about ipchains since then... martin [greetings from the heart of the sun]# echo madduck@!#:1:s@\@@@.net -- weekend, where are you?
Martin,
-A ei-in -d 0.0.0.0/0 1024:65535 -p 6 -j accepted
-A ei-in -d 0.0.0.0/0 1024:65535 -p 17 -j accepted
Agree. But why udp? ftp doesn't use udp.
well, because i want to allow traffic above 1024. icq for instance should be allowed...
You should do a tcpdump or use iptraf to find out what ports icq uses. The rest you know yourself. BTW: ICQ is AFAIK a serious security hole. Maybe u already heard/read about the various icq hacks.
You run squid transparently? Good thing though, but not ftp pasv capable. I see, you handled it the other way 'round, opening your firewall box from 1024:.
can you explain the ftp pasv thing of squid to me? passive ftp is the ftp where data transfers happen on port >= 1024 instead of 21, right?
No, not exactly. You have port 21 control port and port 20 data port. Port 21 only handles the controlling (who is talking to whom and how (=e.g. passive or active)). The short text below illustrates it very simplified:

Active mode:
control channel:
client (nn) --> server (21)
server (21) --> client (nn)
data channel:
server (20) --> client (nn)   # server connects client from port 20 to some high port on the client machine.
client (nn) --> server (20)   # client accepts, connection established

Passive mode:
control channel: same as above
data channel:
client (nn) --> server (21)   # client asks the server on which port to connect to for data connection.
server (21) --> client (nn)   # server's answer to the above question.
client (nn) --> server (nn)   # client establishes connection to that server-defined port / policy rule of inbound connects allowed is accomplished
server (nn) --> client (nn)   # server accepts, connection established

Generally this is how active and passive ftp work. Attached you'll find tcpdumps a friend once made.
well, how does squid handle this and why would using squid (without transparency) allow me to close ports 1024 and up?
how squid handles this I can't tell you (I'm not a programmer). Why you can close ports 1024 up? Generally I can't say you can close them. You can only close them in the forward chain, because Squid as a proxy is a layer 7 (application layer) application and so it replaces the forward chain, the routing decision respectively. Take the drawing I sent you and replace the forward with squid. This is the answer to your question. You can completely deny forward rule for www, ftp and ssl. All you have to define is input rule for int eth and ext eth as well as output rule for int and ext eth. The thing with ftp pasv was the reason why I gave up running squid transparently.
Just checking back your script. You shouldn't close all icmp traffic. In particular you should allow ping, pong and icmp unreachable. Not doing so could cause loss of bandwith because of unanswered icmp unreachables.
I made here a little mistake. I mean icmp destination unreachable.
well, maybe you are right. but when i took my last security seminar, i was told that disabling icmp is the safest of all. if you can't ping me, it will be really hard to hack me.
I think German is no problem for you, if yes, please tell me so I will try to translate it for you. Here I'm referring to http://www2.little-idiot.de/firewall/zusammen-53.html

Filtering of ICMP
ICMP does take options as an argument, but these do not denote port numbers; they refer to codes. Inversion, as with the protocols above, is not allowed. ICMP code names are rather long, so often only the short names are given.
Number  Name                     Function
0       echo-reply               ping
3       destination-unreachable  router, clients
5       redirect                 router
8       echo-request             ping
11      time-exceeded            traceroute
Under no circumstances should all ICMP packets be blocked in firewalls. Code number 3, destination unreachable, is an indispensable aid to correct routing. Otherwise lines could become overloaded, ISDN in particular.

I myself have ping, pong and dest unreach. All others you can deny. I agree, you can deny ping and pong. But don't do it with dest unreach. Ask the teacher in the seminar about dest unreach.
Anti spoof is ok. You can enhance it by doing
echo 1 > /proc/sys/net/ipv4/rp_filter
# SMURF PROTECTION
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# IP DEFRAGMENTATION
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
i had all these enabled through sysctl...
You don't need to write 79:79, 80:80 or 113:113. if you just write 79, 80 and 113 you'll be fine.
okay...
Why allowing finger? do you like other people fingering you? Giving away information?
well, yes, i use finger for information... but as i said, the ipchains you got was that of a different system...
I read it :-) But I took a look at it. As much as I remember finger port is open there. Why? You don't allow people to ping you but you allow people to finger you? Where is the security here?
Why auth port open? (send)Mail does work with auth port to authenticate the mail sender. You don't need that. Works well without. Also same problem as port 79. giving away information.
irc. that needs auth.
Thanx, didn't know that. I don't use irc.
Transparent proxy: I'm afraid I was wrong. You don't run squid in transparent mode. Your input chain for www would have other syntax.
as i said, it was the wrong ipchains script.
Yes, it was. Took a look at the other one. There you use -j REDIRECT 8080.
### screw that micro$oft netbeui bullshit
I'm afraid netbeui is something else than netbios. Netbeui is ISO layer 3- approx 5. Netbios would be (like www, or ftp) application layer (7). It's not really correct what I write here, because MS network doesn't know about 7-Layer OSI model. What you mean here is netbios.
true true. and i am an MCSE myself.
Martin, shame on you! ;-)
but i haven't worked with windoze so long! :)
I don't wear such nice medals. I myself am nothing.
-A input -s 0.0.0.0/0 -d 0.0.0.0/0 137:139 -p 6 -j DENY
-A input -s 0.0.0.0/0 137:139 -d 0.0.0.0/0 -p 6 -j DENY
-A input -s 0.0.0.0/0 -d 0.0.0.0/0 137:139 -p 17 -j DENY
-A input -s 0.0.0.0/0 137:139 -d 0.0.0.0/0 -p 17 -j DENY
You can save up 3 rules by using the -b (= bidirectional) option and forgetting about protocols.
yes, i learnt about -b the other day.
This line below covers your four lines above.
-A input -s 0.0.0.0/0 -d 0.0.0.0/0 137:139 -j DENY -b
nope, specifying a port requires specifying a protocol:
Oh, you're right. So you make 2 out of these 4 chains.
root@albatross ~> ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 137:139 -j DENY -b
ipchains: can only specify ports for icmp, tcp or udp
again, i am sorry that i posted the wrong script at first. if you do have time, could you please look over the new one. the one i sent you is from a test system and absolutely bad and wrong. it's like a year old too and i learned a lot about ipchains since then...
Let me see what I can do. Maybe I'll learn some coding of you. Since a long time I want to reprogram my ipchains because it seems to be a mess to myself. Until now I only worked with the three ipchains defined rules (input output forward) and never defined own rules. So it will be interesting for myself. But let me do it tomorrow, ok? Philipp Have you ever tried to run ipchains on a linux bridge? Cool thing.....:-)
a swiss, only now do i see it. but nevertheless, i'll stick to english for i believe it's easiest when talking computers. but you are right, i am german and so i don't have a problem with that language. merry christmas by the way! thus spoke Philipp Snizek (on Mon, 25 Dec 2000 08:47:03PM +0100):
You should do a tcpdump or use iptraf to find out what ports icq uses. The rest you know yourself. BTW: ICQ is AFAIK a serious security hole. Maybe u already heard/read about the various icq hacks.
it uses port 4000, so yes, i could disable all ports above 1024, but let me ask you another thing about this ftp thingy... i think i knew the difference between active and passive and that you basically want to stick to passive whenever possible just so that port 20 (which is far more insecure than anything above 1024) can remain closed. but when someone inside my network contacts an ftp server out there, then this server talks back to them on a port >= 1024, so on the external->internal input chain, i need to accept such connects. and i really can't see how squid would solve this. but anyhow, even for things like ssh, since ipchains is not a context firewall, i have to either say allow all connections to ports 1024+, or allow everything from port 22, and the latter is a horrible one if you know what i mean...
well, how does squid handle this and why would using squid (without transparency) allow me to close ports 1024 and up?
how squid handles this I can't tell you (I'm not a programmer). Why you can close ports 1024 up? Generally I can't say you can close them. You can only close them in the forward chain, because Squid as a proxy is a layer 7 (application layer) application and so it replaces the forward chain, the routing decision respectively. Take the drawing I sent you and replace the forward with squid. This is the answer to your question. You can completely deny forward rule for www, ftp and ssl. All you have to define is input rule for int eth and ext eth as well as output rule for int and ext eth.
yes, i do understand this quite well. nevertheless, ports 1024+ are then still needed.
I read it :-) But I took a look at it. As much as I remember finger port is open there. Why? You don't allow people to ping you but you allow people to finger you? Where is the security here?
if they finger me, they know the ip anyway. they could use ping to discover the ip...
irc. that needs auth.
Thanx, didn't know that. I don't use irc.
no prob... it's dumb and it annoys me, but that's the way it is.
true true. and i am an MCSE myself.
Martin, shame on you! ;-)
but i haven't worked with windoze so long! :)
I don't wear such nice medals. I myself am nothing.
nice medals? my other certs are nice, the MCSE is a joke! i regret it, it's dirt on my business card!
Let me see what I can do. Maybe I'll learn some coding of you. Since a long time I want to reprogram my ipchains because it seems to be a mess to myself. Until now I only worked with the three ipchains defined rules (input output forward) and never defined own rules. So it will be interesting for myself. But let me do it tomorrow, ok?
oh sure. i appreciate your time. i'll look over yours too if you wish.
Have you ever tried to run ipchains on a linux bridge? Cool thing.....:-)
i.e. one linux computer, multiple eth interfaces, and a routing table to simulate a bridge? that's not really layer 2, is it? what else is a linux bridge? martin [greetings from the heart of the sun]# echo madduck@!#:1:s@\@@@.net -- "you raise the blade, you make the change you rearrange me till i'm sane. you lock the door, and throw away the key, there's someone in my head but it's not me." -- pink floyd, 1972
Martin,
merry christmas by the way!
Thanks, likewise!
it uses port 4000, so yes, i could disable all ports above 1024
It's not just that you could, you have to! But take care to the ftp problem. You have to find a solution for that.
, but let me ask you another thing about this ftp thingy... i think i knew the difference between active and passive and that you basically want to stick to passive whenever possible just so that port 20 (which is far more insecure than anything above 1024) can remain closed.
Aehm...why is port 20 as ftp-data port more insecure than ftp-data port on e.g. 40348? Isn't this just security by obscurity?
but when someone inside my network contacts an ftp server out there, then this server talks back to them on a port >= 1024, so on the external->internal input chain, i need to accept such connects.
The difference between active and passive ftp are the following: (very generally) active: ftp server tells client which port to use for ftp data connection passive: ftp server asks client which port to use for ftp data connection take a look again at what I sent you the days before.
and i really can't see how squid would solve this.
The joke lies in iso/osi model. Squid is a proxy and runs on layer 7 (application layer firewall). What you have is a network level firewall. Squid replaces the forward chain and this is your gain. Take a look at my ipchains script I sent you today. Try to make a drawing of it. Then you will see how I designed it.
but anyhow, even for things like ssh, since ipchains is not a context firewall,
I'm sorry, what is a context firewall?
i have to either say allow all connections to ports 1024+, or allow everything from port 22,
No, you don't have to. Find out what ports above 1024 are used by your client to access ssh server on your firewall box. See how I did it in my script.
for int eth and ext eth as well as output rule for int and ext eth.
yes, i do understand this quite well. nevertheless, ports 1024+ are then still needed.
Yes, but only for input and output chain. Not for forward chain. You can completely close it. Traffic for www, ftp and ssl aren't routed anymore. They are handled by the proxy (as already said above: layer 7). My goal is to set up a proxy for all services (also for smtp and pop). Then I could shut down routing. My firewall would be God damn very secure.
I read it :-) But I took a look at it. As much as I remember finger port is open there. Why? You don't allow people to ping you but you allow people to finger you? Where is the security here?
if they finger me, they know the ip anyway. they could use ping to discover the ip...
So why don't you shut down finger if you know that?
irc. that needs auth.
Thanx, didn't know that. I don't use irc.
no prob... it's dumb and it annoys me, but that's the way it is.
Hmm...never tried it. I think it's waste of time.
but i haven't worked with windoze so long! :)
I don't wear such nice medals. I myself am nothing.
nice medals? my other certs are nice, the MCSE is a joke! i regret it, it's dirt on my business card!
Being an MCSE is being a more qualified end-user supporter in a company. Bah! I hate such work. People are ignorant. But since I'm paid CHF 150/h I do it. Sometimes it's easily made money. As Caligula already said: money doesn't smell, and I need it to finance my studies. Philipp
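Added example, not Philipp's or Martin's code and not one of the scripts they exchanged: a small Python model of the two FTP data-connection setups discussed above. It parses the server's PASV reply, builds the client's PORT command, lets the kernel pick an ephemeral port the way a real client does (it binds a socket on loopback for that), and reports which packet the packet filter has to let through first in each mode. The addresses 10.0.0.24 and 202.143.23.123 and the PASV reply are constructed for the example.

```python
"""Active vs. passive FTP: who opens the data connection and which packet the
filter must allow.  Added example, not code from the thread."""
import re
import socket

FTP_CTRL_PORT = 21
FTP_DATA_PORT = 20          # fixed source port of an active-mode data connection

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Parse '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port).

    The server picks a port above 1023 and the client connects to it, so the
    client's firewall sees an outbound SYN plus replies to the client's own
    ephemeral port, never an unsolicited inbound SYN.
    """
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or m is None:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def build_port_command(ip, port):
    """Build the PORT command a client sends in active mode.

    The client listens on `port` and the server connects to it from port 20,
    i.e. an inbound SYN to a port the filter could not know in advance.
    """
    octets = ip.split(".")
    if len(octets) != 4 or not 0 < port < 65536:
        raise ValueError("bad address %s:%s" % (ip, port))
    return "PORT %s,%d,%d" % (",".join(octets), port // 256, port % 256)


def ephemeral_port():
    """Let the kernel choose a free port (the sin_port = 0 bind from the thread).

    Bound on loopback only so it runs offline; the socket is closed at once.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def first_data_packet(mode, client_ip, client_port, server_ip, server_port=None):
    """Describe the SYN that opens the data connection in each mode.

    Returns the direction as seen from the client's firewall and the
    (ip, port) pair on each side.
    """
    if mode == "active":
        return {"direction": "inbound",
                "src": (server_ip, FTP_DATA_PORT),
                "dst": (client_ip, client_port)}
    if mode == "passive":
        if server_port is None:
            raise ValueError("passive mode needs the port from the PASV reply")
        return {"direction": "outbound",
                "src": (client_ip, client_port),
                "dst": (server_ip, server_port)}
    raise ValueError("unknown mode %r" % mode)


if __name__ == "__main__":
    client, server = "10.0.0.24", "202.143.23.123"      # constructed addresses
    # Active: client binds a listener, announces it, server connects from port 20.
    data_port = ephemeral_port()
    print(build_port_command(client, data_port))
    print(first_data_packet("active", client, data_port, server))
    # Passive: server announces a port, client connects to it from an ephemeral port.
    srv_ip, srv_port = parse_pasv("227 Entering Passive Mode (202,143,23,123,195,149).")
    print(first_data_packet("passive", client, ephemeral_port(), srv_ip, srv_port))
```

Running it shows the practical difference: in active mode the filter must accept an inbound SYN from port 20 to whatever port `ephemeral_port()` returned this time, which is exactly the "1024+" hole discussed above; in passive mode every inbound packet is a reply to a connection the client itself opened, which a connection-tracking filter can match without opening that range.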
also sprach Philipp Snizek (on Tue, 26 Dec 2000 10:18:57PM +0100):
it uses port 4000, so yes, i could disable all ports above 1024
It's not just that you could, you have to! But take care with the ftp problem. You have to find a solution for that.
i am working on it. i still don't understand how squid solves this... more later.
, but let me ask you another thing about this ftp thingy... i think i knew the difference between active and passive and that you basically want to stick to passive whenever possible just so that port 20 (which is far more insecure than anything above 1024) can remain closed.
Aehm...why is port 20 as ftp-data port more insecure than ftp-data port on e.g. 40348? Isn't this just security by obscurity?
because ports < 1024 can only be opened by root, so a process attached to port 20 runs as root (the process may later switch to a different user). point of the matter is that root is involved with port 20 and not necessarily with 40348. and when root's involved, there's danger!
and i really can't see how squid would solve this.
The joke lies in the ISO/OSI model. Squid is a proxy and runs on layer 7 (application layer firewall). What you have is a network level firewall. Squid replaces the forward chain and this is your gain. Take a look at my ipchains script I sent you today. Try to make a drawing of it. Then you will see how I designed it.
i can't open your file, it's somehow windoze whacky encoded... please send it again plain text. i am using linux purely... anyway, so take squid... on the internal side of this software router (i do understand the concept of a proxy), all the ports are open, so there's no problem - other than squid speaking no ftp on the client side (which means we cannot use ftp clients...). on the external side, however, squid is just a regular client so it will tell the server to use its port 12345 or whatever, which needs to be opened in the input chain for the external interface. we could do one of two things:
- allow all packets that come from port 21 of a server.
- allow all packets that come to our ftp-data port.
the first method is suicidal as far as i know since i can then launch my attack from port 21, and the second method is impossible since the ftp-data port is assigned at random... we might be able to bind it to port 20, but then we could never have two ftp transfers at the same time... so i have to open the firewall to packets destined for ports 1024 and above - which is the pool used by the ftp client to allocate the data port.
but anyhow, even for things like ssh, since ipchains is not a context firewall,
I'm sorry, what is a context firewall?
ipchains is a packet firewall, meaning it filters by packet. a context firewall such as firewall-1 or some cisco stuff is one which says that since there is a connection from 10.0.0.24:3452 to 202.143.23.123:21, i'll allow a connection from 202.143.23.123:21 to 10.0.0.24:3452 for a short while. so all ports are closed except for the ones running actual services and the ones that are currently being used. it's quite nice and as soon as i find a nice firewall for linux that's free and context-based, i am off ipchains...
i have to either say allow all connections to ports 1024+, or allow everything from port 22,
No, you don't have to. Find out what ports above 1024 are used by your client to access the ssh server on your firewall box. See how I did it in my script.
i don't think this is how it works. berkeley sockets provide a way to "get the next free port" with the following call, which is most frequently used in programs that spawn to handle client connects - and which is used by passive ftp to obtain a data port: addr.sin_port = htons(0); this returns the next free port, which could be anything above 1024 and so i don't think there's a certain range of 1024+ ports that you could open just to allow ssh for instance. and even if there was, say 16 ssh data ports, what if i wanted 17 connections???
for int eth and ext eth as well as output rule for int and ext eth.
yes, i do understand this quite well. nevertheless, ports 1024+ are then still needed.
Yes, but only for input and output chain. Not for forward chain. You can completely close it. Traffic for www, ftp and ssl aren't routed anymore. They are handled by the proxy (as already said above: layer 7). My goal is to set up a proxy for all services (also for smtp and pop). Then I could shut down routing. My firewall would be God damn very secure.
well, ipchains only provides routing from the inside to the outside, never from the outside to the inside network - so the only danger that really exists is man-in-the-middle attacks as well as attacks aimed straight at the firewall... only as soon as root on the firewall has been compromised, then access to the network is possible. individual attacks on the workstations are not possible as far as i know - even if i had a zero length root password and telnet on one of the machines...
So why don't you shut down finger if you know that?
i might. as i said, it's not that important to have a highly secure firewall for there's nothing of interest on the machines in here, and it's dialup, so the ip changes every now and then, but i am learning by doing...
irc...
Hmm...never tried it. I think it's a waste of time.
not true. depends on the channels. it's usually a very quick source of answers for programming and linux stuff...
nice medals? my other certs are nice, the MCSE is a joke! i regret it, it's dirt on my business card!
Being an MCSE is being a more qualified end-user supporter in a company. Bah! I hate such work. People are ignorant.
word.
But since I'm paid CHF 150/h I do it. Sometimes it's easily made money. As Caligula already said: money doesn't smell, and I need it to finance my studies.
sure sure. so what do you do, and where do you work? 150 Sfr/h is quite nice hey! i wouldn't mind that :) (i am still a student...) martin [greetings from the heart of the sun]# echo madduck@!#:1:s@\@@@.net -- if you don't understand or are scared by any of the above ask your parents or an adult to help you.
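Added example, not Martin's or Philipp's code and no substitute for ipchains: a toy Python model of the two rule styles Martin contrasts above, the stateless "allow everything that comes from port 21" rule and a connection tracker that only admits inbound packets belonging to a connection the inside already opened, forgetting it after an idle timeout. The packets are constructed here (10.0.0.24 and 202.143.23.123 are the addresses from Martin's own example, 203.0.113.9 stands for an outside attacker) and the 60 s timeout is an arbitrary choice.

```python
"""Stateless source-port rule vs. a minimal connection tracker (the 'context
firewall' of the thread).  Added example; a model, not a packet filter."""
from collections import namedtuple

# Constructed packet record: addresses, ports, and arrival time in seconds.
Packet = namedtuple("Packet", "src sport dst dport t")

INSIDE = "10.0.0."           # the internal network, as an address prefix


def is_inside(ip):
    return ip.startswith(INSIDE)


def stateless_allow(pkt):
    """'Allow all packets that come from port 21 (or 20) of a server.'

    Outbound traffic is always allowed; inbound is judged purely on the
    source port, so anyone able to send from port 20/21 gets through.
    """
    if is_inside(pkt.src):
        return True
    return is_inside(pkt.dst) and pkt.sport in (20, 21) and pkt.dport > 1023


class ConnTracker:
    """Admit inbound packets only if they answer a connection the inside opened,
    and forget the connection after `timeout` seconds of silence."""

    def __init__(self, timeout=60):
        self.timeout = timeout
        self.table = {}      # (src, sport, dst, dport) -> time last seen

    def _expire(self, now):
        for key, seen in list(self.table.items()):
            if now - seen > self.timeout:
                del self.table[key]

    def allow(self, pkt):
        self._expire(pkt.t)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if is_inside(pkt.src):
            self.table[key] = pkt.t          # outbound, new or continuing: remember it
            return True
        if reverse in self.table:
            self.table[reverse] = pkt.t      # reply to a tracked connection
            return True
        return False                         # unsolicited, whatever the source port


CLIENT, SERVER, ATTACKER = "10.0.0.24", "202.143.23.123", "203.0.113.9"

SAMPLE_PACKETS = [
    Packet(CLIENT, 3452, SERVER, 21, 0),      # client opens the control connection
    Packet(SERVER, 21, CLIENT, 3452, 1),      # server's reply on that connection
    Packet(ATTACKER, 21, CLIENT, 6000, 2),    # attacker 'launching from port 21'
    Packet(SERVER, 20, CLIENT, 3453, 3),      # active-mode data SYN from port 20
    Packet(SERVER, 21, CLIENT, 3452, 100),    # late reply after the idle timeout
]


def evaluate(packets=SAMPLE_PACKETS, timeout=60):
    """Return (stateless verdict, stateful verdict) for each packet."""
    tracker = ConnTracker(timeout)
    return [(stateless_allow(p), tracker.allow(p)) for p in packets]


if __name__ == "__main__":
    for pkt, (stateless, tracked) in zip(SAMPLE_PACKETS, evaluate()):
        print("%-15s:%-5d -> %-15s:%-5d  stateless=%-5s tracked=%s"
              % (pkt.src, pkt.sport, pkt.dst, pkt.dport, stateless, tracked))
```

The stateless rule passes every inbound packet in the sample, including the attacker's, because it can only look at the source port. The tracker passes the server's reply and drops the attacker, and it also drops the active-mode data SYN from port 20: nothing inside opened that connection, so a plain connection tracker cannot admit it either. That is the gap that passive mode (or a protocol-aware helper that reads the PORT command) is there to close.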