[S.u.S.E. Linux] IPFWADM configuration and kernel patching
I've seen that I have the following ports open: 23, 25, 80, 113, 119, 515, and I would like to close some to increase system security. Which ports can I close without compromising system functionality?

Reading the ipfwadm man page I found a line that should work, but I'm not sure: please tell me if it's correct.

```
/sbin/ipfwadm -I -a deny -b -P all (or only "tcp"?) -S 0.0.0.0/0 -D$LOCALHOST 23 25 80 113 119 515
```

This should hermetically seal all those ports (?), but what would happen if I try to connect to my own web server (I use it to test some CGI scripts)? The connection should be denied, right? And if I try to send a mail from my mail reader to my local Sendmail? And if I try to send the waiting mail queue (sendmail -q &)? And if I try to print to my local printer (on LPT1)? So, how could I tell my firewall to allow these connections only if they are coming from my own system?

At the moment, at system startup the following lines are executed:

```
/sbin/ipfwadm -A -a -P all -S $IPADDR -D 0/0
/sbin/ipfwadm -A -a -P all -S 0/0 -D $IPADDR
```

that is, all connections are enabled from all hosts and all protocols can be used, right?

What would happen if I reject all incoming ICMPs from all hosts? I wouldn't be flooded any longer?

```
/sbin/ipfwadm -I -a deny (or reject?) -P icmp -S 0.0.0.0/0 -D$LOCALHOST
```

Is this line correct?

One more question: I've seen, at Suse's ftp, a kernel "patched against syndrop" and also a file called "2.0.33-fragment.diff" that should patch against nestea attacks. To patch my system (kernel 2.0.33), do I have to download the new patched kernel and apply "2.0.33-fragment.diff", or can I apply "2.0.33-fragment.diff" directly to my kernel "linux-2.0.33.pre.SuSE.3" and get patched also against syndrop? Are Nestea and Syndrop the same thing?

Last question: is it true that, to compile the kernel successfully, I must log in as root and not log in as a normal user and then "su" in an xterm window?

Thanks for your help. Bye.

P.S.: If I would like to patch my ip_fragment.c "manually", what should I change? I should look in the original file for the line

```
if (fp->len < 0 || count+fp->len > skb->len)
```

and replace it with the line

```
if (fp->len < 0 || fp->offset+qp->ihlen+fp->len > skb->len)
```

then configure and compile the kernel?

P.S.2: What would happen if, during kernel configuration, I specify a wrong address for a card... say a sound card or network card? Will the system lock up at startup, or will it simply ignore the device?

-- To get out of this list, please send email to majordomo@suse.com with this text in its body: unsubscribe suse-linux-e
On Fri, May 01, 1998 at 08:37:40PM +0200, Simone Castellaneta wrote:
> Last question: is it true that, to compile the kernel successfully, I must log in as root and not log in as a normal user and then "su" in an xterm window?

The best way IMHO is to log in with a user account and then either su in an xterm or add an entry to your window manager like this: `color_xterm -T Tharwin:Root -n Root -e su -l`. Depending on what window manager you are using, it will need to be executed differently; also, you may not be able to add the line directly to your WM configuration file, there might be a better place for it.
> P.S.2: What would happen if, during kernel configuration, I specify a wrong address for a card... say a sound card or network card? Will the system lock up at startup, or will it simply ignore the device?

The system should still boot up, but those devices will not work.

-- Andrew L. Davis, Network Operations, adavis@vprlnk.net, ViperLink International
Hi,

On Fri, 1 May 1998, Simone Castellaneta wrote:

> One more question: I've seen, at Suse's ftp, a kernel "patched against syndrop" and also a file called "2.0.33-fragment.diff" that should patch against nestea attacks. To patch my system (kernel 2.0.33), do I have to download the new patched kernel and apply "2.0.33-fragment.diff", or can I apply "2.0.33-fragment.diff" directly to my kernel "linux-2.0.33.pre.SuSE.3" and get patched also against syndrop?
You can just use the patch. It should apply cleanly against almost any 2.0.x kernel because it only alters one single file.
> Are Nestea and Syndrop the same thing?
Yes. Initially the attack was called "syndrop" but meanwhile "nestea" seems to be the "official" name.
> Last question: is it true that, to compile the kernel successfully, I must log in as root and not log in as a normal user and then "su" in an xterm window?

No. Getting root privileges with "su" is sufficient to compile the kernel. In fact, you could "chown -R <user> /usr/src/linux" and <user> would be able to compile the kernel. You need to be root to activate the new kernel for LILO, of course.
> Thanks for your help.
> Bye.
>
> P.S.: If I would like to patch my ip_fragment.c "manually", what should I change? I should look in the original file for the line
>
> ```
> if (fp->len < 0 || count+fp->len > skb->len)
> ```
>
> and replace it with the line
>
> ```
> if (fp->len < 0 || fp->offset+qp->ihlen+fp->len > skb->len)
> ```
>
> then configure and compile the kernel?
Correct. This one line is the correct fix for the nestea attack.
> P.S.2: What would happen if, during kernel configuration, I specify a wrong address for a card... say a sound card or network card? Will the system lock up at startup, or will it simply ignore the device?

In most (almost all) cases the device simply will not work. There have been rare cases in the past where a wrong address could lead to a system hang, but I haven't seen something like that for quite a long time.

Hubert
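To show why the one-line fix Hubert confirms is the right one, here is an added example (constructed for this page, not code from the 2.0.33 kernel or from the SuSE patch): a simplified stand-in for the copy loop in ip_glue() that can run with either the old bounds check or the replacement, fed a constructed fragment list whose second fragment sits past the end of the reassembly buffer. The struct, the function names, the 20-byte header plus 16-byte payload buffer and the fragment offsets are all assumptions made for the demonstration.

```c
#include <stdio.h>

/* Constructed stand-in for a 2.0.33 fragment entry; offset is relative to the IP payload start. */
struct frag { int offset; int len; };

enum { CHECK_OLD = 0, CHECK_FIXED = 1 };

/* Simplified model of the copy loop in ip_glue(): returns the number of fragments
 * copied, or -1 if one fails the check (the kernel then drops the datagram).
 * *overflowed is set when an accepted fragment's memcpy(ptr + fp->offset, ...),
 * with ptr = skb->data + ihlen, would end past skb_len (an out-of-bounds write). */
int glue_fragments(const struct frag *fp, int nfrags, int ihlen, int skb_len,
                   int mode, int *overflowed)
{
    int count = ihlen;   /* running byte count, as the original loop keeps it */
    *overflowed = 0;
    for (int i = 0; i < nfrags; i++, fp++) {
        /* CHECK_OLD is the line the poster quoted first, CHECK_FIXED the replacement */
        int bad = (mode == CHECK_OLD)
                ? (fp->len < 0 || count + fp->len > skb_len)
                : (fp->len < 0 || fp->offset + ihlen + fp->len > skb_len);
        if (bad)
            return -1;
        if (ihlen + fp->offset + fp->len > skb_len)
            *overflowed = 1;            /* the copy would run off the buffer */
        count += fp->len;
    }
    return nfrags;
}

/* Constructed datagram (not from the page): buffer = 20-byte header + 16 bytes of
 * payload, but the second fragment claims offset 16, so its 8 bytes land entirely
 * beyond the buffer. The old check only sums lengths (8 + 8 = 16 fits). */
static const struct frag gapped_frags[] = { { 0, 8 }, { 16, 8 } };

/* 1 if the selected check accepts the datagram and the copy would overflow, else 0. */
int gapped_datagram_overflows(int mode)
{
    int overflowed;
    int n = glue_fragments(gapped_frags, 2, 20, 20 + 16, mode, &overflowed);
    return n >= 0 && overflowed;
}

int main(void)
{
    printf("old check:   %s\n", gapped_datagram_overflows(CHECK_OLD)   ? "overflow" : "dropped");
    printf("fixed check: %s\n", gapped_datagram_overflows(CHECK_FIXED) ? "overflow" : "dropped");
    return 0;
}
```

The old check compares a running sum of fragment lengths against the buffer size, so fragments that do not tile the payload contiguously can pass it while still being written at an offset beyond the buffer; the replacement checks the actual write position, which is the quantity that matters.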
participants (3)
- adavis@hayson.vmarketing.com
- mantel@suse.de
- suse@wavenet.it