Re: I'm feeling paranoid - with good reason.

On Thursday 02 February 2006 16:28, Basil Fowler wrote:
> If this can help.
>
> I use a Speedtouch 510  router, and previously a 530 (this blew up after a
> thunderstorm!)
>
> I am highly suspicious of any commercial firewalls - one never knows if
> they are leaky by intent or design.  So I set up a simple secondary
> firewall using iptables.  Put this file in /etc/sysconfig/iptables. The
> rules stop anything coming in:

Hi Basil. I use a Smoothwall Express2 on dial-up as a dedicated firewall, and 
have Guarddog, the GUI frontend to IPtables, on the client machines; this setup 
works ok (IPtables under the hood always looked very complex). You obviously 
have had plenty of practice with IPtables, but the question is this. 

The secondary firewall is just fine for protecting the client machines if the 
firewall on the ADSL router/modem is naff. But hypothetically. Port 80 is 
open for incoming traffic on the router/modem, and I presume that the 
webserver on the router/modem, for setting it up, is theoretically accessible 
to a password cracker, much in the same way as you, as a user, would access 
it, with user-name and password, to set up the firewall and modem in the 
first place from a client machine. I say this because when I first got my 
Smoothwall up and running, I allowed my son to access its web interface from 
his location on the Internet, on a very short timeframe, and just to see what 
it looked like (he's a Windoze user). All right. I had to port forward port 80 
to the gateway address, and give him my current local dynamic IP address. 
Sounds pretty stupid now, allowing him to access my firewall. But you live 
and learn.
>
> *nat
> [0:0] -A POSTROUTING -o ppp0 -j MASQUERADE
> [0:0] -A POSTROUTING -o eth0 -j MASQUERADE
> COMMIT
>
> *mangle
> COMMIT
>
> *filter
>
> :OUTPUT ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
>
> [0:0] -A INPUT -j DROP -m state --state NEW,INVALID -i ppp0
> [0:0] -A INPUT -j LOG -m state --state NEW,INVALID -i eth0
> [0:0] -A INPUT -j DROP -m state --state NEW,INVALID -i eth0
> # *[0:0] -A INPUT -p icmp -j DROP
>
> [0:0] -A FORWARD -j DROP -m state --state NEW,INVALID -i ppp0
> [0:0] -A FORWARD -j LOG -m state --state NEW,INVALID -i eth0
> [0:0] -A FORWARD -j DROP -m state --state NEW,INVALID -i eth0
> # *[0:0] -A FORWARD -p icmp -j DROP
>
> COMMIT
>
> Note: You will notice that all connection attempts that have got through
> the firewall are logged. You do not have to separate out legitimate
> traffic.
>
> The section "Masquerade" is used because the computer is also the gateway
> to the home network.
>
> ppp0 is a dial-up link for use when my ADSL line is down for any reason.
>
> To identify the sources of connection attempts, I use this script - it is
> too much like hard work to program a graphical interface - and much too
> much like Windows - inflexible.
>
> #!/bin/bash
>
> # lists domain names of hosts trying to make contact with bluebottle
>
> # allow other files than default /var/log/messages
> if [ "x$1" = "x" ]
> then
>         MESSAGES="messages"
>         COMMAND="cat"
> else
>         MESSAGES="$1"
>         # rotated logs are gzipped, so read those with zcat
>         if echo "${MESSAGES}" | grep -q 'gz'
>         then
>                 COMMAND="zcat"
>         else
>                 COMMAND="cat"
>         fi
> fi
>
> # define functions
>
> # Collect ip nos of attackers from log file
> # (the SRC= token is field 9 of a LOG line in this syslog format when a
> # MAC= field is present; adjust the field number if your format differs)
> ip_nos(){ ${COMMAND} /var/log/${MESSAGES} | grep ' SRC=' | awk '{print $9}' \
>           | sed 's/SRC=//' | sort | uniq ; }
>
> # Tidy up output from nslookup: drop blank lines and the entries for the
> # local SpeedTouch router (10.0.0.138)
> tidy_up(){ sed -e '/^$/d' -e '/SpeedTouch/d' -e '/10.0.0.138/d' ; }
>
> # do the work
> for ip_no in $(ip_nos)
> do
>         nslookup -silent "$ip_no" | tidy_up
>         echo
> done
>
> Using this I have discovered that the BBC's RealPlay servers try to create
> a back channel - naughty.

I'm interested in this, as I have to use RealPlayer to get audio streams from 
BBC.co.uk, and do from time to time experience mysterious problems. I'd read 
that the BBC were developing open source codecs, but haven't heard much in 
recent months. I'd be happy to hear your experiences, offlist, as this is a 
bit OT.  Nigel.
>
> Perhaps other users of the list would like to suggest improvements.
>
> I hope that you do not connect to the internet as root!
>
> Basil Fowler
>
> On Wednesday 01 Feb 2006 22:48, John wrote:
> > Hi
> > That zoom adsl router I mentioned a while ago seems to have been
> > reprogrammed by some one over the net. It behaved oddly even after a
> > firmware update so I've just fitted another type. Seems that lots of
> > these units have a simple route into port 254 and maybe 255 too.
> > I need to see if there is anything resident on my machine. Anyway is
> > there anything available that will show and maybe log traffic through my
> > eth0 connection. A graphical interface would be much preferred ideally
> > identifying the transmission source, ascii data translations etc.
> >
> > Regards
> > John
>
> ___________________________________________________
> .
> Account management:  https://mail.kde.org/mailman/listinfo/kde.
> Archives: http://lists.kde.org/.
> More info: http://www.kde.org/faq.html.
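The log-review step Basil scripts in his post (pull the SRC= addresses out of the iptables LOG lines and look them up), as an added example that is not code from Basil's or Nigel's mails: it matches the SRC= token by name rather than by column, so lines logged on ppp0 (which carry no MAC= field and so have SRC= one field earlier) are counted too, tallies attempts per source, and lists which destination ports each source probed, which is what tells you whether you are looking at a broad scan or one service being singled out. The log lines are constructed sample data (RFC 5737 documentation addresses, Basil's hostname bluebottle from his script); the reverse lookup uses getent and needs network access, so it is a separate step the caller pipes into.

```shell
#!/bin/sh
# Added example (not Basil's script): summarise connection attempts recorded by
# iptables LOG rules. The log lines below are constructed for illustration; on
# the firewall the input is /var/log/messages or a rotated .gz copy of it.

SAMPLE_LOG='Feb  2 16:28:01 bluebottle kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=10.0.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=1234 DF PROTO=TCP SPT=3456 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  2 16:28:05 bluebottle kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=10.0.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=1235 DF PROTO=TCP SPT=3457 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  2 16:29:00 bluebottle kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=9 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  2 16:29:30 bluebottle kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=10.0.0.2 LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=0 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Feb  2 16:30:01 bluebottle CRON[4242]: (root) CMD (run-parts /etc/cron.hourly)'

# Read a plain or gzip-rotated log transparently (the same choice Basil's
# script makes with its COMMAND variable).
read_log() {
    case "$1" in
        *.gz) zcat -- "$1" ;;
        *)    cat  -- "$1" ;;
    esac
}

# Emit the chosen input: a log file if one is named, else the sample above.
log_input() {
    if [ -n "${1:-}" ]; then read_log "$1"; else printf '%s\n' "$SAMPLE_LOG"; fi
}

# stdin: log lines.  stdout: "count source", busiest source first.
# The SRC= token is picked out by name, so its column does not matter.
count_sources() {
    sed -n 's/.* SRC=\([0-9.]*\).*/\1/p' | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# stdin: log lines.  stdout: "source proto dport" per logged packet, so you can
# see which services each source was probing. ICMP has no port, shown as "-".
probed_ports() {
    awk '/ SRC=/ {
        src = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "SRC")        src = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT")   dpt = kv[2]
        }
        if (src != "") print src, proto, (dpt == "" ? "-" : dpt)
    }'
}

# stdin: count_sources output.  Reverse-resolve each source, as Basil's
# nslookup loop does, via getent; a source with no PTR record still gets a line.
# Needs network access, so report() does not call it by default.
resolve_sources() {
    while read -r count ip; do
        name=$(getent hosts "$ip" | awk '{ print $2 }')
        printf '%s %s %s\n' "$count" "$ip" "${name:-(no PTR)}"
    done
}

# Print both summaries for the sample, or for the log file given as $1.
report() {
    echo "== attempts per source =="
    log_input "$@" | count_sources
    echo
    echo "== ports probed (count source proto dport) =="
    log_input "$@" | probed_ports | sort | uniq -c
}

report "$@"
```

Run it with no argument to see the summaries for the constructed sample, or as `sh iptables_report.sh /var/log/messages.1.gz` (file name assumed) for a rotated log; `log_input FILE | count_sources | resolve_sources` adds the reverse names once you are online. Because only NEW and INVALID packets ever reach Basil's LOG rules, every line counted here is a blocked attempt, which is why no separate filtering of legitimate traffic is needed.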
