On Fri, 18 Oct 2002 17:10:07 +0200 "Jacob Saaby Nielsen" <linux@kode-fu.net> wrote:

Hey all,

I've noticed in the firewall "stuff" I've seen on various linux distros that you have to make a device a trusted device. What do I do when I only have one NIC in my machine, and that NIC is con- nected to a hub ? That hub connects my two PC's and my router. So, by making my eth0 the trusted device, what happens then, firewall- wise ? I guess there's no other way, but what are the consequences ?

You are only protecting eth0 were it comes into your machine.

Last, but not least, am I right to assume that when I have to di- stinguish between ingoing and outgoing traffic, that when I open up to traffic so that e.g. I can surf the web, I open up the out- going direction on port 80, tcp.

I don't think you have that part right. You can go out and surf the web without opening your port 80. You can open your port 80 to either the internet (EXT_TCP) or your internal network (INT_TCP). Opening port 80 means you are letting others have access to your apache server on 80 or 443(for https). When you are surfing the web, you are accessing port 80 on OTHER machines, and they tell the web browser to accept the return data on some other port, which is opened up for that connection's data return. Experiment around. Some useful commands are (run as root) lsof -i socklist netstat -plant Before surfing the web, do a netsat -plant then connect to some webserver and run netstat -plant again. You will see the ports your webrowser opened up to recieve the data. They stay open until they timeout. Start up your local apache server and browse it, look at netstat -plant. The iptables firewall has a "stateful connection" which means it knows that you requested a page, so it allows that port to be opened to receive.

That means that any ingoing traffic will only be allowed as long as a request has been made for it. But, if anyone tries to make an HTTP request to my machine, that would be considered ingoing traffic, and would be dropped ?

The firewall knows the ip address to which you made the request, so it opens receiving ports for data only from that address, so it can't be hijacked by someone trying to force there way into your connection.

In other words: If I wanted to secure my machine and completely control which communication could take place, I would generally:

1. Close all ports for all protocols, both in- and outgoing 2. Open up each specific communication method, be it TCP or UDP, for just the port needed, in the outgoing direction

Would that make me be able to surf, send mail, ftp etc., but if anyone made the same requests to my machine, it would be denied ?

The SuSEfirewall2 does this. Read thru the /sbin/SuSEfirewall2 script and the /etc/sysconfig/SuSEfirewall2 config file. It is pretty much self-documenting, but read it slowly, each word is important. Another thing to think about is the difference between "reject" and "drop". If you reject, you bounce back the packet, so the sender knows you are there. If you drop packets, the sender never receives anything back, and this is what is called "stealth mode". There are sections in /sbin/SuSEfirewall2 where ports 113 are set to reject instead of drop, to help identification online. Search the script for 113 and read it. If you want to scan yourself online, go to: http://scan.sygate.com/stealthscan.html see what results you get. -- use Perl; #powerful programmable prestidigitation