[opensuse-security] Very secure firewall ... really!

But this isn't what exactly I was waiting for ... okay after my usual tradition of custom compiling tarball kernels I have ended with a 2.6.20 SuSE 10.1 pretty running okay and optimized for the CPU model the box uses, so voila a fast and stable system.

Now assigning the NIC to the external zone (it is, there's no NAT behind that box) and activating firewall all open ports from outside to inside they do work! All ports from inside to outside are kept blocked, so DNS fails for example, until someone tells me what file to edit manually and add the required from inside ports to be opened as well.

The following is an lsmod list, hoping something isn't missing. When I activate firewall additional modules do load, but this won't solve the problem.

Module                  Size  Used by
edd                    19016  0
ipv6                  315264  22
button                 17504  0
battery                19464  0
ac                     14408  0
loop                   26448  0
xt_conntrack           11648  0
x_tables               29384  1 xt_conntrack
nf_conntrack_ftp       19232  0
nf_conntrack           70940  2 xt_conntrack,nf_conntrack_ftp
nfnetlink              16136  1 nf_conntrack
dm_mod                 69456  0
ehci_hcd               40652  0
uhci_hcd               33440  0
shpchp                 42780  0
i2c_viapro             18392  0
i2c_core               32640  1 i2c_viapro
usbcore               147504  3 ehci_hcd,uhci_hcd
pci_hotplug            41796  1 shpchp
r8169                  40904  0
reiserfs              237952  1
ext3                  145168  0
jbd                    81528  1 ext3
sg                     45224  0
pata_via               21700  0
capability             14408  0
commoncap              16640  1 capability
amd74xx                23920  0 [permanent]
sata_via               20292  2
libata                120032  2 pata_via,sata_via
fan                    14024  0
thermal                24208  0
processor              45224  1 thermal
via82cxxx              17988  0 [permanent]
sd_mod                 30464  3
scsi_mod              164856  3 sg,libata,sd_mod
ide_disk               25024  0
ide_core              152832  3 amd74xx,via82cxxx,ide_disk

Kind Regards
Nick.

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org

On 9.2.2007 16:50:38 Dos Wizard wrote:
But this isn't what exactly I was waiting for ... okay after my usual tradition of custom compiling tarball kernels I have ended with a 2.6.20 SuSE 10.1 pretty running okay and optimized for the CPU model the box uses, so voila a fast and stable system.
Now assigning the NIC to the external zone (it is, there's no NAT behind that box) and activating firewall all open ports from outside to inside they do work! All ports from inside to outside are kept blocked, so DNS fails for example, until someone tells me what file to edit manually and add the required from inside ports to be opened as well.
The following is an lsmod list, hoping something isn't missing. When I activate firewall additional modules do load, but this won't solve the problem.
Hi,

What is the output of:

# iptables -t filter --list

with your firewall running?

SuSE firewall does not normally block any outgoing traffic. Are outgoing connections ok if no firewall is started?

--
Blade hails you...
I wish for this night-time to last for a lifetime
The darkness around me
Shores of a solar sea
--Nightwish

Here's the dump, hope it helps.

Chain INPUT (policy DROP)
target     prot opt source      destination
ACCEPT     all  --  anywhere    anywhere
input_ext  all  --  anywhere    anywhere
input_ext  all  --  anywhere    anywhere
LOG        all  --  anywhere    anywhere    limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP       all  --  anywhere    anywhere

Chain FORWARD (policy DROP)
target     prot opt source      destination
LOG        all  --  anywhere    anywhere    limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '

Chain OUTPUT (policy ACCEPT)
target     prot opt source      destination
ACCEPT     all  --  anywhere    anywhere
LOG        all  --  anywhere    anywhere    limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '

Chain forward_ext (0 references)
target     prot opt source      destination

Chain input_ext (2 references)
target     prot opt source      destination
ACCEPT     icmp --  anywhere    anywhere    icmp source-quench
ACCEPT     icmp --  anywhere    anywhere    icmp echo-request
LOG        tcp  --  anywhere    anywhere    limit: avg 3/min burst 5 tcp dpt:ftp-data flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:ftp-data
LOG        tcp  --  anywhere    anywhere    limit: avg 3/min burst 5 tcp dpt:ftp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:ftp
LOG        tcp  --  anywhere    anywhere    limit: avg 3/min burst 5 tcp dpt:domain flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:domain
LOG        tcp  --  anywhere    anywhere    limit: avg 3/min burst 5 tcp dpt:http flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:http
LOG        tcp  --  anywhere    anywhere    limit: avg 3/min burst 5 tcp dpt:https flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:https
LOG        tcp  --  anywhere    anywhere    limit: avg 3/min burst 5 tcp dpt:imap flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:imap
LOG        tcp  --  anywhere    anywhere    limit: avg 3/min burst 5 tcp dpt:imaps flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:imaps
LOG        tcp  --  anywhere    anywhere    limit: avg 3/min burst 5 tcp dpt:pop3 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:pop3
LOG        tcp  --  anywhere    anywhere    limit: avg 3/min burst 5 tcp dpt:pop3s flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:pop3s
LOG        tcp  --  anywhere    anywhere    limit: avg 3/min burst 5 tcp dpt:smtp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:smtp
LOG        tcp  --  anywhere    anywhere    limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:ssh
ACCEPT     udp  --  anywhere    anywhere    udp dpt:domain
LOG        tcp  --  anywhere    anywhere    limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG        icmp --  anywhere    anywhere    limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG        udp  --  anywhere    anywhere    limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
DROP       all  --  anywhere    anywhere

Chain reject_func (0 references)
target     prot opt source      destination
REJECT     tcp  --  anywhere    anywhere    reject-with tcp-reset
REJECT     udp  --  anywhere    anywhere    reject-with icmp-port-unreachable
REJECT     all  --  anywhere    anywhere    reject-with icmp-proto-unreachable

Boyan Tabakov wrote:
On 9.2.2007 16:50:38 Dos Wizard wrote:
But this isn't what exactly I was waiting for ... okay after my usual tradition of custom compiling tarball kernels I have ended with a 2.6.20 SuSE 10.1 pretty running okay and optimized for the CPU model the box uses, so voila a fast and stable system.
Now assigning the NIC to the external zone (it is, there's no NAT behind that box) and activating firewall all open ports from outside to inside they do work! All ports from inside to outside are kept blocked, so DNS fails for example, until someone tells me what file to edit manually and add the required from inside ports to be opened as well.
The following is an lsmod list, hoping something isn't missing. When I activate firewall additional modules do load, but this won't solve the problem.
Hi, What is the output of:
# iptables -t filter --list
with your firewall running?
SuSE firewall does not normally block any outgoing traffic. Are outgoing connections ok if no firewall is started?
Yes, outgoing connections are okay with a stopped firewall.

Hi,

The one thing that seems odd to me is that there is no ACCEPT specified for established connections. The OUTPUT chain looks normal, so I don't think that outgoing traffic gets blocked. Rather the returned traffic does not get through because there is no rule like this one:

ACCEPT     all  --  anywhere    anywhere    state RELATED,ESTABLISHED

There is a kernel config option that controls whether netfilter should support state matching. Maybe you have missed that one during configuration? It is called CONFIG_NETFILTER_XT_MATCH_STATE (also the CONFIG_NETFILTER_XT_MATCH_CONNTRACK deals with connection tracking) and the corresponding module that should get built is xt_state.

In order not to miss something else, I recommend that you build all the modules for the netfilter (or leave the defaults for that part of the kernel config). Here is this part of the kernel config by default:

#
# Core Netfilter Configuration
#
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m

#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_CONNTRACK_EVENTS=y
CONFIG_IP_NF_CONNTRACK_NETLINK=m
CONFIG_IP_NF_CT_PROTO_SCTP=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_NETBIOS_NS=m
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_PPTP=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_HASHLIMIT=m
CONFIG_IP_NF_MATCH_POLICY=m
CONFIG_IP_NF_MATCH_IPV4OPTIONS=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_NAT_PPTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_TARGET_CLUSTERIP=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m

That would mean a recompile for you, but if you have kept your previous config and build that should go fast...

Good luck!

--
Blade hails you...
Should I dress in white and search the sea
As I always wished to be - one with the waves
Ocean Soul
--Nightwish
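Boyan's diagnosis above, turned into a check you can run against a saved "iptables -t filter -L" listing and a kernel .config (an added example, not code from the thread or from SuSEfirewall2): an INPUT chain with policy DROP and no "state RELATED,ESTABLISHED" ACCEPT rule is exactly the condition that swallows the replies to outbound connections. The sample listing and config written below are constructed stand-ins for the live files, and the list of required CONFIG_ options is this script's own choice.

```shell
#!/bin/sh
# Added example, not from the thread: replies to outbound connections only pass
# an INPUT chain with policy DROP through a stateful rule; without the kernel's
# state match SuSEfirewall2 cannot install one and DNS etc. fail.

# has_state_accept LISTING: succeed if any chain ACCEPTs RELATED,ESTABLISHED.
has_state_accept() {
    grep -Eq '^ACCEPT[[:space:]].*state[[:space:]]+RELATED,ESTABLISHED' "$1"
}

# input_policy LISTING: print the default policy of the INPUT chain.
input_policy() {
    sed -n 's/^Chain INPUT (policy \([A-Z]*\)).*/\1/p' "$1"
}

# missing_nf_options CONFIG: print each needed kernel option not built (y/m).
missing_nf_options() {
    for opt in CONFIG_NETFILTER_XTABLES CONFIG_NETFILTER_XT_MATCH_STATE \
               CONFIG_NETFILTER_XT_MATCH_CONNTRACK CONFIG_IP_NF_CONNTRACK; do
        grep -Eq "^$opt=[ym]$" "$1" || echo "$opt"
    done
}

# replies_blocked LISTING: succeed when INPUT drops by default and no rule
# lets established traffic back in, i.e. Nick's symptom.
replies_blocked() {
    [ "$(input_policy "$1")" = DROP ] && ! has_state_accept "$1"
}

# Constructed sample data (abridged listing plus a .config with the state
# match left out); for live use: iptables -t filter -L and /proc/config.gz.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/broken.txt" <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
EOF
cat > "$SAMPLE_DIR/fixed.txt" <<'EOF'
Chain INPUT (policy DROP)
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
EOF
printf '%s\n' CONFIG_NETFILTER_XTABLES=m CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m \
    '# CONFIG_NETFILTER_XT_MATCH_STATE is not set' CONFIG_IP_NF_CONNTRACK=m > "$SAMPLE_DIR/config"

if replies_blocked "$SAMPLE_DIR/broken.txt"; then
    echo "INPUT drops replies; not built: $(missing_nf_options "$SAMPLE_DIR/config")"
fi
```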
participants (2)
- Boyan Tabakov
- Dos Wizard