LeRoy Cressy on Fri, 12 Apr 2002 00:00:16 +0200



Re: [PLUG] Unstateful firewall


Hi All,

If the Mandrake firewall is using ipchains you need to update it to
Linux kernel >= 2.4.18 and also install iptables.  You should make a
custom kernel with all of the matches that you need or think that you
will need.  Also, on Debian, with the newest iptables, to use some of the neat
things you need to get the iptables source and run the patch-o-matic and
patch your kernel with items like the string match.  The iptables people
are usually way ahead of the kernel guys as far as the latest patches
for the iptables portion of the kernel.  So making a stateful firewall
is a pain but well worth the rewards.

The iptables manpage tells you what changes have to be made to ipchains
scripts to make them work in iptables.

As I said, ipchains is not a stateful firewall, but you can change the
script and make it one.

Gregson Helledy wrote:
> 
> Gabriel,
> First, for your info request:
> 
> I'm using Mandrake Single Network Firewall, which is a customized version of
> Mandrake 7.2 with bastille-firewall (http://www.bastille-linux.org)
> preinstalled (this was an .iso download).  Pretty pictures can be found
> here:
> http://www.mandrakesoft.com/products/snf?wslang=en
> Mandrake 7.2 uses kernel 2.2.19.  I am not using DHCP.  It is running on a
> P-133 with 80MB RAM and a 1.2GB hard drive.
> 
> I've done a bit of research on ICMP.  The firewall config file,
> bastille-firewall.conf, had only the first three of the following ICMP types
> enabled.  I added the other types last night.  This had absolutely no effect
> on download behavior:
> 
> ==========
> ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded
> host-unreachable redirect source-quench address-mask-request
> address-mask-reply fragmentation-needed TOS-network-unreachable
> TOS-host-unreachable"
> ==========
> 
> Incidentally, the comments in the config file recommend forcing passive FTP,
> and it is set, thusly:
> ==============
> FORCE_PASV_FTP="Y"
> ==============
> 
> I went looking through a couple of log files in /var/log (none being named
> "bastille" or "firewall" and the only real messages or warnings I seem to
> get which are firewall-related are something like:
> TCP 901 swat:  bind:  port already in use
> 
> These repeat MANY times (about every 10 minutes).  I opened 901 in
> bastille-firewall.conf to allow me to access swat (samba config tool) from
> the other machines on my network, but it's apparently conflicting with
> something that samba has already done?
> 
> ===================
> TCP_INTERNAL_SERVICES="ssh 2000 2001 5190 901 137 138 139 8443"
> ===================
> (2000, 2001 and 5190 are for icq, 8443 is for secure access to Mandrake's
> web-based firewall config tool, and 137-139 are for setting up a print
> server with cups, should I live that long.)
> 
> Another issue to resolve...could the port 901 TCP conflict interfere with
> firewall functioning on other ports?  I wouldn't think so.
> 
> If not, I'll need to look into firewall "statefulness"?  You commented
> earlier,
> ==========
> Hrm. This is smelling more and more like a firewall that doesn't
> know how to maintain state on TCP and UDP connections (or hasn't
> been told to do so).
> ==========
> 
> Can you recommend a source for learning how to teach my firewall to be
> stateful :-)
> 
> Many thanks for your kind help,
> 
> Greg
> 
> 
> ______________________________________________________________________
> Philadelphia Linux Users Group       -      http://www.phillylinux.org
> Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
> General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug

-- 
Rev. LeRoy D. Cressy   mailto:leroy@lrcressy.com   /\_/\
                       http://lrcressy.com        ( o.o )
                       Phone:  215-535-4037        > ^ <

Jesus saith unto him, I am the way, the truth, and the life: 
no man cometh unto the Father, but by me. (John 14:6)
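The stateful rule LeRoy is pointing at, written out as an added example that is not part of the thread: a small iptables INPUT chain for the services in Greg's TCP_INTERNAL_SERVICES, with the LAN interface name eth1 as an assumption and a dry-run mode that only prints the commands.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal stateful iptables INPUT chain
# for the internal services Greg listed. Needs a 2.4 kernel with ip_conntrack
# (plus ip_conntrack_ftp for passive FTP) and root; set DRY_RUN=1 to print the
# commands instead of applying them.

IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth1}"          # assumption: the LAN-side interface name
# Value quoted from the thread's bastille-firewall.conf
TCP_INTERNAL_SERVICES="ssh 2000 2001 5190 901 137 138 139 8443"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

stateful_input_rules() {
    run -P INPUT DROP
    run -F INPUT
    run -A INPUT -i lo -j ACCEPT
    # This is what ipchains cannot do: accept replies to connections the
    # host opened itself (and RELATED traffic such as FTP data channels
    # and ICMP errors) without leaving any inbound port open.
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -m state --state INVALID -j DROP
    # Pings from the LAN only; ICMP errors are already covered by RELATED.
    run -A INPUT -i "$LAN_IF" -p icmp --icmp-type echo-request -j ACCEPT
    # New inbound connections are allowed only from the LAN, per service.
    for svc in $TCP_INTERNAL_SERVICES; do
        run -A INPUT -i "$LAN_IF" -p tcp --dport "$svc" \
            -m state --state NEW -j ACCEPT
    done
}

# Helpers that inspect the generated ruleset without touching the kernel.
dry_run_rules() {
    ( DRY_RUN=1; stateful_input_rules )
}
count_state_rules() {
    dry_run_rules | grep -c -- '--state ESTABLISHED,RELATED'
}
count_service_rules() {
    dry_run_rules | grep -c -- '--dport'
}
```

Run with `DRY_RUN=1 sh script.sh; dry_run_rules` to review the nine per-service rules before applying them; the single ESTABLISHED,RELATED line is what lets downloads and passive FTP work without opening ports inbound.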
