Gregson Helledy on Thu, 11 Apr 2002 16:20:12 +0200
Gabriel,

First, for your info request: I'm using Mandrake Single Network Firewall, which is a customized version of Mandrake 7.2 with bastille-firewall (http://www.bastille-linux.org) preinstalled (this was an .iso download). Pretty pictures can be found here: http://www.mandrakesoft.com/products/snf?wslang=en

Mandrake 7.2 uses kernel 2.2.19. I am not using DHCP. It is running on a P-133 with 80MB RAM and a 1.2GB hard drive.

I've done a bit of research on ICMP. The firewall config file, bastille-firewall.conf, had only the first three of the following ICMP types enabled. I added the other types last night. This had absolutely no effect on download behavior:

==========
ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded host-unreachable redirect source-quench address-mask-request address-mask-reply fragmentation-needed TOS-network-unreachable TOS-host-unreachable"
==========

Incidentally, the comments in the config file recommend forcing passive FTP, and it is set, thusly:

==============
FORCE_PASV_FTP="Y"
==============

I went looking through a couple of log files in /var/log (none being named "bastille" or "firewall"), and the only real messages or warnings I seem to get which are firewall-related are something like:

TCP 901 swat: bind: port already in use

These repeat MANY times (about every 10 minutes). I opened 901 in bastille-firewall.conf to allow me to access swat (samba config tool) from the other machines on my network, but it's apparently conflicting with something that samba has already done?

===================
TCP_INTERNAL_SERVICES="ssh 2000 2001 5190 901 137 138 139 8443"
===================

(2000, 2001 and 5190 are for icq, 8443 is for secure access to Mandrake's web-based firewall config tool, and 137-139 are for setting up a print server with cups, should I live that long.)

Another issue to resolve... could the port 901 TCP conflict interfere with firewall functioning on other ports? I wouldn't think so. If not, I'll need to look into firewall "statefulness"? You commented earlier,

==========
Hrm. This is smelling more and more like a firewall that doesn't know how to maintain state on TCP and UDP connections (or hasn't been told to do so).
==========

Can you recommend a source for learning how to teach my firewall to be stateful :-)

Many thanks for your kind help,

Greg

______________________________________________________________________
Philadelphia Linux Users Group - http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion - http://lists.phillylinux.org/mail/listinfo/plug
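As an added example (not the author's message or Bastille's own code), here is a small Python parser for the bastille-firewall.conf variables quoted in the message above: it resolves the TCP_INTERNAL_SERVICES list to port numbers and flags ICMP_ALLOWED_TYPES entries a reviewer would normally question. The config text and the SERVICE_PORTS table are constructed for the demo.

```python
"""Parse the bastille-firewall.conf variables quoted above and report what
they permit. Added example; not Bastille's code. Config text and the
service-name table are constructed for this demo."""
import re

# Constructed from the three fragments quoted in the message.
SAMPLE_CONF = '''
# ICMP types the firewall will let through
ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded host-unreachable redirect source-quench address-mask-request address-mask-reply fragmentation-needed TOS-network-unreachable TOS-host-unreachable"
FORCE_PASV_FTP="Y"   # trailing comment, must be ignored
TCP_INTERNAL_SERVICES="ssh 2000 2001 5190 901 137 138 139 8443"
'''

# Hypothetical /etc/services-style lookup covering only the names used here.
SERVICE_PORTS = {"ssh": 22, "swat": 901, "netbios-ns": 137,
                 "netbios-dgm": 138, "netbios-ssn": 139}

# Shell-style assignment with a double-quoted value; comment lines never match.
ASSIGN = re.compile(r'^\s*([A-Z_][A-Z0-9_]*)="([^"]*)"')

def parse_conf(text):
    """Return {VAR: value} for every VAR="..." line in the file text."""
    conf = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def resolve_ports(tokens):
    """Map service names or numbers to ints; unknown names raise rather than guess."""
    return sorted(int(t) if t.isdigit() else SERVICE_PORTS[t] for t in tokens)

def review(text):
    """Summarise the allow-lists and flag settings a reviewer would question."""
    conf = parse_conf(text)
    icmp = conf.get("ICMP_ALLOWED_TYPES", "").split()
    ports = resolve_ports(conf.get("TCP_INTERNAL_SERVICES", "").split())
    findings = []
    # These types are rarely needed inbound (redirect can alter a host's routing,
    # source-quench is deprecated, address-mask replies leak topology).
    for t in ("redirect", "source-quench", "address-mask-request", "address-mask-reply"):
        if t in icmp:
            findings.append(f"ICMP '{t}' allowed; rarely needed inbound, review deliberately")
    if "fragmentation-needed" not in icmp:
        findings.append("fragmentation-needed blocked; path-MTU discovery will fail")
    if conf.get("FORCE_PASV_FTP") != "Y":
        findings.append("FORCE_PASV_FTP not Y; active FTP needs inbound data connections")
    return {"icmp": icmp, "ports": ports, "findings": findings}
```

Running review(SAMPLE_CONF) on the quoted fragments lists all nine internal ports and raises four findings, one for each of the rarely-needed ICMP types the message added.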