Martin,
-A ei-in -d 0.0.0.0/0 1024:65535 -p 6 -j accepted
-A ei-in -d 0.0.0.0/0 1024:65535 -p 17 -j accepted
Agree. But why udp? ftp doesn't use udp.
Well, because I want to allow traffic above 1024. ICQ for instance should be allowed...
You should do a tcpdump or use iptraf to find out what ports ICQ uses. The rest you know yourself. BTW: ICQ is AFAIK a serious security hole. Maybe you already heard/read about the various ICQ hacks.
You run squid transparently? Good thing though, but not ftp pasv capable. I see, you handled it the other way 'round, opening your firewall box from 1024:.
Can you explain the FTP pasv thing of squid to me? Passive FTP is the FTP where data transfers happen on a port >= 1024 instead of 21, right?
No, not exactly. You have port 21 (control port) and port 20 (data port). Port 21 only handles the controlling (who is talking to whom and how, e.g. passive or active). The short text below illustrates it, very simplified:

Active mode:
  control channel:
    client (nn) --> server (21)
    server (21) --> client (nn)
  data channel:
    server (20) --> client (nn)   # server connects from port 20 to some high port on the client machine
    client (nn) --> server (20)   # client accepts, connection established

Passive mode:
  control channel: same as above
  data channel:
    client (nn) --> server (21)   # client asks the server which port to connect to for the data connection
    server (21) --> client (nn)   # server's answer to the above question
    client (nn) --> server (nn)   # client establishes the connection to that server-defined port; the policy rule on allowed inbound connects is satisfied
    server (nn) --> client (nn)   # server accepts, connection established

Generally this is how active and passive FTP work. Attached you'll find tcpdumps a friend once made.
Well, how does squid handle this, and why would using squid (without transparency) allow me to close ports 1024 and up?
How squid handles this I can't tell you (I'm not a programmer). Why can you close ports 1024 and up? Generally I can't say you can close them. You can only close them in the forward chain, because squid as a proxy is a layer 7 (application layer) application and so it replaces the forward chain, or the routing decision respectively. Take the drawing I sent you and replace the forward with squid. This is the answer to your question. You can completely deny the forward rule for www, ftp and ssl. All you have to define is an input rule for the int eth and ext eth as well as an output rule for the int and ext eth. The thing with FTP pasv was the reason why I gave up running squid transparently.
Just checking back your script. You shouldn't close all ICMP traffic. In particular you should allow ping, pong and ICMP unreachable. Not doing so could cause loss of bandwidth because of unanswered ICMP unreachables.
I made a little mistake here. I mean ICMP destination unreachable.
Well, maybe you are right. But when I took my last security seminar, I was told that disabling ICMP is the safest of all. If you can't ping me, it will be really hard to hack me.
I think German is no problem for you; if it is, please tell me and I will try to translate it for you. Here I'm referring to http://www2.little-idiot.de/firewall/zusammen-53.html

Filtering of ICMP

ICMP does take options as an argument, but these do not denote port numbers; they refer to codes. Inversion, as with the protocols above, is not allowed. ICMP code names are rather long, so often only the short names are given.

Number  Name                     Function
0       echo-reply               ping
3       destination-unreachable  routers, clients
5       redirect                 routers
8       echo-request             ping
11      time-exceeded            traceroute

Under no circumstances should all ICMP packets be blocked in firewalls. Code number 3, destination unreachable, is an indispensable aid to correct routing. Otherwise lines could become overloaded, in particular ISDN.

I myself have ping, pong and dest unreach. All others you can deny. I agree, you can deny ping and pong. But don't do it with dest unreach. Ask the teacher in the seminar about dest unreach.
Anti spoof is ok. You can enhance it by doing:

echo 1 > /proc/sys/net/ipv4/rp_filter
# SMURF PROTECTION
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# IP DEFRAGMENTATION
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
I had all these enabled through sysctl...
You don't need to write 79:79, 80:80 or 113:113. If you just write 79, 80 and 113 you'll be fine.
okay...
Why allow finger? Do you like other people fingering you? Giving away information?
Well, yes, I use finger for information... But as I said, the ipchains script you got was that of a different system...
I read it :-) But I took a look at it. As far as I remember the finger port is open there. Why? You don't allow people to ping you but you allow people to finger you? Where is the security in that?
Why is the auth port open? (send)Mail does work with the auth port to authenticate the mail sender. You don't need that. It works well without. Also the same problem as port 79: giving away information.
IRC. That needs auth.
Thanx, didn't know that. I don't use irc.
Transparent proxy: I'm afraid I was wrong. You don't run squid in transparent mode. Your input chain for www would have other syntax.
As I said, it was the wrong ipchains script.
Yes, it was. Took a look at the other one. There you use -j REDIRECT 8080.
### screw that micro$oft netbeui bullshit
I'm afraid NetBEUI is something else than NetBIOS. NetBEUI is ISO layer 3 to approx. 5. NetBIOS would be (like www or ftp) application layer (7). What I write here is not really correct, because MS networking doesn't know about the 7-layer OSI model. What you mean here is NetBIOS.
True, true. And I am an MCSE myself.
Martin, shame on you! ;-)
But I haven't worked with windoze for so long! :)
I don't wear such nice medals. I myself am nothing.
-A input -s 0.0.0.0/0 -d 0.0.0.0/0 137:139 -p 6 -j DENY
-A input -s 0.0.0.0/0 137:139 -d 0.0.0.0/0 -p 6 -j DENY
-A input -s 0.0.0.0/0 -d 0.0.0.0/0 137:139 -p 17 -j DENY
-A input -s 0.0.0.0/0 137:139 -d 0.0.0.0/0 -p 17 -j DENY
You can save 3 rules by using the -b (= bidirectional) option and forgetting about protocols.
Yes, I learnt about -b the other day.
The line below covers your four lines above:

-A input -s 0.0.0.0/0 -d 0.0.0.0/0 137:139 -j DENY -b
Nope, specifying a port requires specifying a protocol:
Oh, you're right. So you make 2 out of these 4 chains.
root@albatross ~> ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 137:139 -j DENY -b
ipchains: can only specify ports for icmp, tcp or udp
Again, I am sorry that I posted the wrong script at first. If you do have time, could you please look over the new one? The one I sent you is from a test system and absolutely bad and wrong. It's like a year old too, and I have learned a lot about ipchains since then...
Let me see what I can do. Maybe I'll learn some coding from you. For a long time I have wanted to reprogram my ipchains because it seems a mess to me. Until now I have only worked with the three ipchains-defined rules (input, output, forward) and never defined my own rules. So it will be interesting for me. But let me do it tomorrow, ok?

Philipp

Have you ever tried to run ipchains on a linux bridge? Cool thing.....:-)
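An added example, not code from this thread, to make the "accept 1024:65535 inbound" point and the active/passive FTP exchange above concrete: a tiny first-match filter model with ipchains-style semantics. The `Rule` class, the `verdict` helper and the port numbers 40000/50000 are constructed for illustration only.

```python
# Added example, not code from the thread: a minimal first-match packet-filter
# model with ipchains-style semantics (rules checked in order, first match wins,
# otherwise the chain policy applies). Port numbers are constructed samples.
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP, UDP = 6, 17  # protocol numbers behind "-p 6" and "-p 17"

@dataclass(frozen=True)
class Rule:
    target: str                              # "ACCEPT" or "DENY"
    proto: Optional[int] = None              # None = any protocol
    sport: Optional[Tuple[int, int]] = None  # inclusive source port range
    dport: Optional[Tuple[int, int]] = None  # inclusive destination port range

def matches(rule: Rule, proto: int, sport: int, dport: int) -> bool:
    if rule.proto is not None and rule.proto != proto:
        return False
    if rule.sport is not None and not rule.sport[0] <= sport <= rule.sport[1]:
        return False
    if rule.dport is not None and not rule.dport[0] <= dport <= rule.dport[1]:
        return False
    return True

def verdict(chain: List[Rule], proto: int, sport: int, dport: int,
            policy: str = "DENY") -> str:
    for rule in chain:  # first matching rule decides
        if matches(rule, proto, sport, dport):
            return rule.target
    return policy

# The thread's inbound chain on the external interface: accept TCP and UDP to
# any destination port from 1024 upwards, deny everything else.
EI_IN = [
    Rule("ACCEPT", proto=TCP, dport=(1024, 65535)),
    Rule("ACCEPT", proto=UDP, dport=(1024, 65535)),
]

def ftp_data_inbound(chain, client_port=40000, server_port=50000):
    """Inbound half of the FTP data channel as seen on the client's firewall.
    Active: server:20 -> client:nn (server opens it). Passive: client:nn ->
    server:nn, so only the server's replies (server:nn -> client:nn) come in,
    and a stateless filter cannot tell such a reply from a fresh connect."""
    return {"active": verdict(chain, TCP, 20, client_port),
            "passive": verdict(chain, TCP, server_port, client_port)}

def unsolicited_inbound(chain, dport: int) -> str:
    """The cost of the rule: any inbound TCP to a high port passes, FTP or not."""
    return verdict(chain, TCP, 12345, dport)
```

With the rule in place both FTP modes get through, but so does any unsolicited connect to a high port; with the chain empty (what a proxy in place of the forward chain lets you do) both modes are denied.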