
Thread: Is it me???

  1. #1

    Is it me???

    Is there a config utility for iptables from the CLI for RH8.0?

    ***takes a deep breath before he starts his rambling
    Is it me or are the iptables scripts out there REALLY complex? I took a look at the Securing-Optimizing-Linux-The-Ultimate-Solution book. OMG!!!!!!!! The script is outrageous! A whole lotta checking for this and that and that then this then that again, holy crap!! It had my head spinning. Then I was looking at this one and still way too much going on for my likes!!! Oh and everyone out there seems to assume that because you want a firewall you are running some sort of router or something... talking about DMZs and forwarding... man oh man all I really wanted to do was make it so that my computers behind my new router can talk to each other without fear (well as little as possible), specifically ssh and http... but it's looking way too complex for me > :'( Gotta worry about those darn IP spoofers but I can't do too much about it cuz my intranet uses a class C subnet (I think...). So checking for spoofing from those addresses is impossible because that would limit me from reaching my own machine!!! > :-\

    Enough rambling already.

  2. #2

    Re:Is it me???

    I can't bring myself to learn iptables either, it gives me a headache looking at these scripts. Something tells me we need a newbie PET for building firewalls ;D

  3. #3

    Re:Is it me???

    Yeah right on man!!!

    I did however find that the lokkit tool was decent.

  4. #4

    Re:Is it me???

    Do a search for the MonMotha firewall script. It's easy to configure and not a problem to set up. I have been using it for prob a year now.

  5. #5

    Re:Is it me???
    I'm working on getting it installed on mine now. If you want, icq me and we will try to work it out together.

  6. #6

    Re:Is it me???

    Rock on thanx guys I will give it a look!!!

  7. #7

    Re:Is it me???

    [quote author=10Dedfish link=board=5;threadid=5841;start=0#55669 date=1039698109]
    I'm working on getting it installed on mine now. If you want, icq me and we will try to work it out together.
    [/quote]

    Hey 10,

    Did you know he is on 2.3.8-pre8, which is from November of 2002? Should I use that one, or do you think that it will be too different from your version for you to help me?

  8. #8

    Re:Is it me???

    Man I should post my old firewall script if you think the link to the one you provided is confusing.

    The firewall HOWTOs all talk about DMZs, forwarding and routers because, well, that's what firewalls need to deal with in the LAN/WAN realm. All in all, iptables is only slightly more complex than Cisco ACLs. I have never mucked around with Cisco PIX configuration, but I'm imagining that that is equally as complex.

    I think you may be thinking of a firewall's role incorrectly. For instance, firewalling needs to be done at the access points to your network (at the router), not on the actual hosts themselves. Using host-based firewalls does not hurt you, but really does little to secure your LAN properly.

    If someone were going to spoof one of your boxes, what would a host-based firewall be able to do about it? Again, spoof checks need to be done at the router (often called sanity checking), meaning that no packet with a source address claiming to be inside the LAN should ever be seen on the WAN interface of the router. However, since you are using a class C private address range for your LAN (192.168.x.x), packets with that address space should never even be able to make it to your router anyway, since private address ranges are not routable across the public internet. To put it more clearly, I cannot craft a packet with a spoofed address of and ever realistically expect it to make it to your LAN.

    The most 'appropriate' place for a firewall is at an access point to your LAN, not on your computers themselves. If your router is not performing any kind of traffic filtering, or you don't have a firewall right behind your router (acting, in a sense, as a second egress to your LAN), then having host-based firewalls will in no way secure communications between your LAN boxes.

    An iptables script can be as simple or complex as you want. Most of the examples are complex because they are intended for larger networks that have to accommodate a large number of ports, protocols, subnets and scenarios.

  9. #9

    Re:Is it me???

    A real simple iptables firewall would simply block incoming access to 1-1023, and anything else running as a server on higher ports (6000 for example (X)).

    A firewall isn't completely useless inside your network. If you assume all the systems on the network are safe and trusted it is, but how often can you say that? In the office with 150 systems on your lan? In the dorm room with satan's little brother next door? At home with family's Windows machines? Heck, even if you're all linux there's always the possibility someone else on your lan would try to hack you for the heck of it.

    Of course, spoofed packet checking and the such would be useless when firewalling an individual machine..

    My network setup is a Debian stable box working as my firewall/router machine (does email, dns, etc. for the lan) with a custom ipchains firewall (it's running a 2.2 kernel, and I see no need to upgrade it to 2.4). Then I have a desktop and a laptop, both running SuSE 8.1 (desktop dual-boots XP, and Zone Alarm is installed there, though its presence is to keep those nasty windows programs from phoning home all the time; why do all windows programs feel the need to check for program updates, etc.?). Anyway, I also run firewalls on those machines as well, nothing fancy -- just the firewall config'd by SuSE's GUI tool. There are two additional machines on the network not owned by me, one Windows 98 machine, and another Debian machine (I think unstable.)

    Yeah, it's probably more than I need, but it doesn't hurt anything.

  10. #10

    Re:Is it me???

    I don't want to suggest that a firewall inside a network is useless. On the contrary it's often needed when 2 subnets or internal networks do not trust each other (a college dorm room is the perfect example). But yet again, you would then want to drop the firewall between the subnets, not firewall individual hosts.

    The reason I say that to firewall an individual host is not that effective is this: Let's say I am sitting behind a router and have a firewall built on my box itself. I close all ports except ssh and maybe ftp. I then firewall all those ports. The firewall would only accomplish 2 things: 1) return no answer if an unused port is being scanned 2) allow you to specify a rule saying which hosts can and cannot connect to my open services. But it would in no way keep people off my LAN. And, if my LAN addresses are publicly routable addresses, I'm in even worse shape.

    Option one does nothing, since nmapping the box will tell anyone it's up and what OS it is running, since some services still are open. Also, why firewall a closed port? If you are firewalling just in case a backdoor opens it later, then you're in bad shape for getting to the point that the trojan made it this far. Option two does provide a more fine-tuned level of security, but on how many boxes do you need this? If it is more than one (most likely a server farm or data center), then those boxes should be on their own segment, behind a firewall or other router or something else that can filter the traffic based upon the traffic's source and destination addresses. Also, option 2 does nothing to guard against spoofed traffic. Let's say that spoofed traffic makes it onto your LAN, and you have a host-based firewall that lets box A communicate only with box B. Well, if I spoof box B can I not then communicate with box A no matter what its firewall says?

    The reason I say put firewalls at the routers is because 1) it is too much administrative overhead to maintain a firewall on each individual host 2) invalid and unwanted packets should never be processed by the end host and should always be weeded out at the router whenever possible. This helps against spoofs and in some ways DOS attacks (depending on what firewall you run).

    Out of a few hundred boxes on my LAN I have only one box with a very simple host-based firewall. In truth it is not even a firewall at all, rather it is a single iptables line blocking all access to the http port on that box from everything but one other box on our LAN. Not perfect, but it helps obscure the presence of that server a little, since it does sit on a highly populated segment.

    In a home setup where you are just securing one box, or simply messing around, a host-based firewall works. But like I said, it is not the best solution. A true firewall should run no services, have no software on it and do nothing but make routing decisions.
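    The three rule sets the thread describes in words, written out as an added example (not a script from any poster or from the MonMotha/HOWTO scripts mentioned): post #9's "real simple" host firewall for ssh/http on a LAN, post #8's router-side sanity check that drops WAN-facing packets claiming a LAN source, and post #10's single line restricting the http port to one other box. The script only prints the iptables commands so they can be read before being applied; the LAN range 192.168.1.0/24, WAN interface eth0 and admin box 192.168.1.10 are assumed placeholder values.

```sh
#!/bin/sh
# Constructed example: emits iptables commands instead of running them.
# Review the output, then apply as root with e.g.:  sh fw.sh host | sh
LAN=192.168.1.0/24      # assumed: the "class C" private LAN from the thread
WAN_IF=eth0             # assumed: the router's internet-facing interface
ADMIN=192.168.1.10      # assumed: the one box allowed to reach the web server

# Post #9: accept loopback and replies to connections this box started,
# allow ssh/http only from the LAN, then refuse everything else aimed at
# 1-1023 and at X (6000). Rules are first-match, so ACCEPTs come first.
host_rules() {
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -s $LAN -p tcp --dport 22 -j ACCEPT"
    echo "iptables -A INPUT -s $LAN -p tcp --dport 80 -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 1:1023 -j DROP"
    echo "iptables -A INPUT -p udp --dport 1:1023 -j DROP"
    echo "iptables -A INPUT -p tcp --dport 6000 -j DROP"
}

# Post #8: on the router, a packet arriving on the WAN side with a source
# address inside the LAN is spoofed; drop it whether it is addressed to the
# router itself (INPUT) or would be forwarded into the LAN (FORWARD).
router_rules() {
    echo "iptables -A INPUT -i $WAN_IF -s $LAN -j DROP"
    echo "iptables -A FORWARD -i $WAN_IF -s $LAN -j DROP"
}

# Post #10: one line, http reachable only from a single other LAN box.
http_from_one_box() {
    echo "iptables -A INPUT -p tcp --dport 80 ! -s $ADMIN -j DROP"
}

# Dispatch only when a mode is given, so the functions can be sourced too.
if [ $# -gt 0 ]; then
    case "$1" in
        host)   host_rules ;;
        router) router_rules ;;
        http)   http_from_one_box ;;
        *)      echo "usage: $0 host|router|http" >&2; exit 1 ;;
    esac
fi
```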
