Firewall Wizards mailing list archives
[Fwd: Help with ipchains rules]
From: "Marnix Petrarca, DaemonLabs.com." <Marnix () DaemonLabs com>
Date: Sat, 27 Jan 2001 11:59:39 -0100
--- Begin Message ---
From: "Marnix Petrarca, DaemonLabs.com." <Marnix () DaemonLabs com>
Date: Sat, 27 Jan 2001 11:41:29 -0100
In other words, you don't need named if you can get your current DNS server (where you registered your web/domain names) to point at the IP or the virtual IPs of your web server to-be. Much more beautiful is, in the end, only an open port 80. And while you're at it, disable XFS after configuration - saves you another port. That's the GUI server that serves 'windows' to you.

Bye now -- Marnix

"Marnix Petrarca, DaemonLabs.com." wrote:
> Hi again, the beauty of it is that local also means localhost, which is basically you when you do what you want to do. It doesn't matter that there's no network behind it. If you want to set up a full-featured DNS server, that's really something else. You don't just do that by running named as a caching-only server. You will have to build DNS records and so on, and make sure somewhere on the net the machines know who the first nameserver was, i.e. where it was first created. It's a lot easier if you just let the current DNS server point to your caching-DNS machine; just adjust the point-to address. You find the current one by typing in your domain names and seeing where you come out. Or use nslookup. If you registered at Register.com then for $70,-/2 yrs it would have been settled - no extra charge. At register.com you can simply set the point-to to the IP# of your webserver/DNS server. Check it out - you will be less vulnerable. And yes, it's that simple. A lot simpler than your ruleset.
>
> Don't forget to first flush the rules, then set up the Deny rule, forget the DHCP ports if you don't use them, forget the timings - you don't need them really (defaults OK), and allow for local packets to be forwarded, and deny all others. Really, that's all. Try it out. And if you can arrange for physically making changes instead of via SSH, you'll be a lot safer again. And if you're really up to speed, try and use snort for an IDS - it's free. (www.snort.org)
>
> Cheers -- M
>
> I'm a Swinger wrote:
>> Hi, thanx for the reply...
>>
>> The reason why the home networking how-to was a little confusing for me was that I don't have any sort of network. Just the linux box. And its sole purpose is to serve webpages (virtual hosting), and DNS (the four domains I have registered for the four webpages), and SSH (for obvious reasons). That's why I'm assuming I need a VERY simple ruleset. (I just don't think it's quite as simple as the sample I provided) :-)
>>
>> Curtis
>>
>>> From: Marnix Petrarca <Marnix () DaemonLabs com>
>>> To: I'm a Swinger <imaswinger () hotmail com>, firewall-wizards () nfr com, Marnix () DaemonLabs com
>>> Subject: Re: [fw-wiz] Help with ipchains rules
>>> Date: Fri, 26 Jan 2001 11:59:08 -0100
>>>
>>> Hi, take a (good) look at the home-networking how-to. It's not the Fortress kind of ruleset, but it will get you up and running. Basically the suggested ruleset says Deny all, but forward all local packets and masq them. That way you will not have these problems (I hope). You can load additional modules (ICQ, FTP, etc) via /sbin/modprobe ip_masq_icq and so on. After adjusting, run sysctlconfig-gtk and under the options >Networking>ICMP>ICMP2 you can adjust ICMP-response to your likings. Try marking all three options, reboot and ping yourself again. You may like what you find. Don't forget setting your nameserver to the user nobody and group nobody - by default it's named. For stronger rulesets, look at the IP-masquerading how-to. That will put you on track. Good luck and oh, use Nmap (www.insecure.org/nmap) for scanning, if you didn't have it already.
>>>
>>> Regards, Marnix
>>> DaemonLabs.com, The Netherlands
>>>
>>> I'm a Swinger wrote:
>>>> Hello, I am running a Redhat 7.0 server (by itself, there are no computers behind it) running DNS (to host my domain names for WWW), WWW, and SSH. The only open ports (judging by a nessus report) were 22, 53, 80, and 443 (I'd like to shut down 443, but that's not a question for this particular list). A friend gave me his ipchains ruleset to use, but when it's running I cannot ftp or lynx out of the machine (it's also supposed to drop all ping requests, but it does not). It (ftp or lynx) just hangs. So I started reading up on ipchains so that I could implement my own ruleset. Judging by the HOWTO (and the simple example given), I really only have to worry about allowing incoming to 22, 53, and 80. There were some issues with the ftp (needing a port <1024), but I think if I run passive mode I can ignore them. Now disregarding ip-spoofing and forwarding, I'm guessing that this is what I would include in my ipchains (This is most likely wrong, which is why I'm writing this letter):
>>>>
>>>> ~~
>>>> #(I'm substituting 123.123.123.123 for my real ip)
>>>> #I allow UDP/TCP packets in for DNS, TCP for WWW, and TCP for SSH
>>>> ipchains -A input -p UDP -s 123.123.123.123 dns -j ACCEPT
>>>> ipchains -A input -p tcp -s 123.123.123.123 dns -j ACCEPT
>>>> ipchains -A input -p tcp -s 123.123.123.123 www -j ACCEPT
>>>> ipchains -A input -p tcp -s 123.123.123.123 ssh -j ACCEPT
>>>> #Local-to-local packets are OK:
>>>> ipchains -A input -i lo -j ACCEPT
>>>> #Now, my default policy on the input chain is DENY, so everything else gets dropped:
>>>> ipchains -P input DENY
>>>> ~~
>>>>
>>>> Now this seems far too simple to me to be what I need. Can anyone help explain to me what I need to allow to simply run DNS, WWW, and SSH? I want to allow access to those, and block everything else. The only thing else I have to do is occasional use of lynx (I could probably do without that actually) and ftp (I need to access updates.redhat.com, etc.).
>>>>
>>>> Any help with this matter (along with a cc to my address imaswinger () hotmail com because I may not be on the mailing list just yet - I don't know how long it takes) would be extremely appreciated.
>>>>
>>>> Curtis
>>>>
>>>> PS - I apologize for the longwindedness of this letter (and its postscript :-), I just wanted to give as much info as possible.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
--- End Message ---
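What the thread circles around is an input-chain policy for a single host that serves DNS, WWW and SSH and otherwise only talks out as a client (lynx, passive-mode ftp). The script below is an added example, not code from the thread and not Marnix's or Curtis's own ruleset. It keeps Curtis's placeholder address 123.123.123.123, and the DRY_RUN switch, the SERVER_IP variable and the build_ruleset/rule_count function names are my own. Two things it does that the posted rules do not: it matches inbound services on the destination address (-d) rather than the source, and it accepts the return half of connections the host itself opens, which is what makes an outbound lynx or ftp session hang under a plain deny-everything policy.

```shell
#!/bin/sh
# Added example (not from the thread): ipchains input-chain policy for a
# stand-alone Red Hat 7.0 host serving DNS (53), WWW (80) and SSH (22).
# 123.123.123.123 is a placeholder for the server's real address, as in
# Curtis's mail. Run with DRY_RUN=1 to print the rules instead of applying them.

SERVER_IP=${SERVER_IP:-123.123.123.123}   # assumption: placeholder address
DRY_RUN=${DRY_RUN:-0}                      # 1 = print, 0 = apply

# Wrapper so the same ruleset can be previewed without ipchains installed.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'ipchains %s\n' "$*"
    else
        ipchains "$@"
    fi
}

build_ruleset() {
    # 1. Start clean and set the DENY policy *before* adding rules, so there is
    #    no window in which the chain is empty with an ACCEPT policy.
    run -F input
    run -P input DENY

    # 2. Loopback is always fine (the local resolver talks to named over lo).
    run -A input -i lo -j ACCEPT

    # 3. Inbound services: match on the destination (-d), i.e. this host's
    #    address and port. 443 is deliberately not opened.
    run -A input -p udp -d "$SERVER_IP" 53 -j ACCEPT
    run -A input -p tcp -d "$SERVER_IP" 53 -j ACCEPT
    run -A input -p tcp -d "$SERVER_IP" 80 -j ACCEPT
    run -A input -p tcp -d "$SERVER_IP" 22 -j ACCEPT

    # 4. Replies to TCP connections this host opened (lynx, passive ftp,
    #    fetching updates): non-SYN packets (! -y) to an unprivileged local
    #    port. Without this rule the outbound session never gets its answers.
    #    Active-mode ftp (server connects back with a SYN) stays blocked.
    run -A input -p tcp ! -y -d "$SERVER_IP" 1024:65535 -j ACCEPT

    # 5. Answers to DNS queries named sends to other servers.
    run -A input -p udp -s 0/0 53 -d "$SERVER_IP" 1024:65535 -j ACCEPT

    # 6. ICMP: refuse echo-request (type 8, the ping Curtis wants dropped) but
    #    keep the rest, e.g. destination-unreachable / fragmentation-needed.
    run -A input -p icmp -s 0/0 8 -j DENY
    run -A input -p icmp -j ACCEPT

    # 7. Catch-all: same effect as the policy, but -l logs it to syslog so
    #    scans and probes are visible.
    run -A input -j DENY -l
}

# Number of -A rules the policy adds (flush and policy setting not counted).
rule_count() {
    ( DRY_RUN=1; build_ruleset ) | grep -c -- '-A input'
}

case "${1:-}" in
    apply)   build_ruleset ;;
    preview) DRY_RUN=1; build_ruleset ;;
    *)       echo "usage: $0 apply|preview" >&2 ;;
esac
```

Preview with `sh rules.sh preview` and compare against `ipchains -L input -n` after `sh rules.sh apply`. The order matters: the loopback and service rules sit above the catch-all DENY, and the `! -y` rule is what distinguishes a reply to a connection this host started from a fresh inbound connection attempt, since ipchains has no connection tracking to do that for you.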
Current thread:
- [Fwd: Help with ipchains rules] Marnix Petrarca, DaemonLabs.com. (Jan 29)