
Re: Networking questions



 Been reading up in my spare time (did read the ipchains, net and a few other HOWTOs), but I still am a total newbie :) Got some questions on how to "put your suggestions to work". Also, if anyone has a link on how to use REDIRECT, please provide :)
 
 
 "For a firewall machine, I'd not only comment them out, but install TCP_wrappers and deny all connections to the firewall from the internet. (/etc/hosts.deny; the syntax is in the man page for hosts.deny)"
 "Why not uninstalling these services?"
 
  OK, what are TCP_wrappers? And how would I go about uninstalling services? Also, what services do I need to keep for a basic firewall?
 
 
 "What I usually do is put my ipchains rules in a file called ipchains.sh and execute it at the end of my rc.local script."
 "A good solution is to create a init script, put it in /etc/init.d/ and create the init links (for example with update-rc.d)."
  Haven't found a HOWTO on scripting; is there one? Or could you "walk me through it", if it's not too long? I assume ipchains.sh is simply a sequence of commands, but I have no clue how to set up rc.local. What are init links?
 
 
 
 "Depends on what you're  capturing the traffic with.  Did you plan on using something in particular? " 
 
  Wasn't planning on using anything in particular. Just want the output to be written to some text file. I know it's written to a file called messages right now, but this file is not specific to ipchains.
 
 
   A new question:
 
  - What is the port number for smtp, pop3, www and DNS on my firewall, not on the remote server? And do these port numbers change depending on the local host which is accessing the "net"?
----- Original Message -----
To: 'seg' ; debian
Sent: Monday, January 22, 2001 4:56 PM
Subject: RE: Networking questions

 
-----Original Message-----
From: seg [mailto:seg@vl.videotron.ca]
Sent: Monday, January 22, 2001 2:29 PM
To: debian
Subject: Networking questions

 
 I have a few questions, here goes:
 
 1. My inetd.conf file contains entries such as these:
    
       #:STANDARD: These are standard services.
       #:BSD: Shell, login, exec and talk are BSD protocols
 
    These are of the form #:LABEL: (what the file states). Are these enabled or commented out? I want to disable all rlogin, telnet, rsh, ftp, and whatnot (just running a firewall).
 
If they are prefixed with a #, they are commented out. For a firewall machine, I'd not only comment them out, but install TCP_wrappers and deny all connections to the firewall from the internet. (/etc/hosts.deny; the syntax is in the man page for hosts.deny)
 
 
  2. Can I turn on rp_filter without disrupting "anything"? Does it need to be turned on during boot up (before network configuration)?
 
Afraid I can't help you there.
 
 3. How can I uninstall ipmasq? And do I run my ipchains rules at startup (and echo 1 > ip_forward and similar commands)?
 
I'd recommend enabling IP forwarding in your ipchains script, and running the script at startup. Otherwise, if for some reason your firewall reboots, you're forwarding packets with no firewall rulebase, and that's a "bad thing".
 
 
What I usually do is put my ipchains rules in a file called ipchains.sh and execute it at the end of my rc.local script.
 
 
 4. I want to log some specific network traffic. Where can I specify in which file the output of such a log should go?
 
Depends on what you're capturing the traffic with. Did you plan on using something in particular?
 
 
 5. I know there's a REDIRECT target in ipchains (how?). Can I use this target to allow outside connections to one of my local hosts? Not sure, but I think I need to allow outside connections for PEER-TO-PEER network games to work.
 
Yes, that's correct... you need to forward the port the game uses to the internal machine that's running the game server. You can use ipchains (whose syntax for forwarding I don't know... something like 'ipchains -I forward udp --destination port <portnumber> destination-IP'; maybe someone else knows it off the top of their head). Personally, I use a port forwarding program called Fast Forward, which does the same thing and is easy to configure.
 
 6. Is it safe to simply allow all OUTPUT datagrams (ipchains -P output ACCEPT)? 
 
It really can't hurt. I'm assuming this is a home network and not a business. As long as you can control who uses the systems inside the firewall, sure, go ahead.
 
 7. Can I block all TCP connection requests (-y) without disrupting web, mail and whatnot access?
 
http and smtp ARE TCP connections, so you'll disrupt those if you block all incoming TCP without declaring specific allows for them. That's a good way to do it; just make sure you make a rule for anything you want to allow.
 
 
 8. What usefulness do the following rules have:
 
 OUTPUT
 
 ACCEPT     ! TCP      0.0.0.0/0     224.0.0.0/4     *->* 
 
Looks like that's telling the firewall to allow all broadcast packets out of your network. Since the firewall's pretty much acting as a router, internal broadcasts aren't going anywhere anyway... maybe that's to allow DHCP requests for the firewall if you're on broadband with no static IP.
 
 
 INPUT
 
 ACCEPT     ALL     0.0.0.0/0     255.255.255.255
 
 That's allowing all incoming traffic.  Bad firewall.  No biscuit. 
 
 Thanks in advance for any help provided! Really appreciate it.
 

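The pieces discussed across this thread (default-deny policies with the rules loaded from one script at boot, -y to refuse inbound TCP connection requests, -l to log matching packets, rp_filter, and forwarding one game port to a LAN host) put together as a single init-style script of the kind update-rc.d links into the runlevels. This is an added example written for this page, not a script posted by anyone in the thread; the interface names, addresses and the game port are assumptions. It uses ipmasqadm portfw for the forwarding, because ipchains' REDIRECT target only sends traffic to a port on the firewall itself, and it switches ip_forward on as the last step so there is never a moment where packets are forwarded with no rulebase. On a machine without /sbin/ipchains (or with DRY_RUN=1) it prints the commands instead of running them, which is how the ruleset can be reviewed before it goes on a firewall.

```shell
#!/bin/sh
# /etc/init.d/firewall -- ipchains ruleset in init-script form, as the thread
# suggests (install the rc links with: update-rc.d firewall defaults).
# Added example for this page, not a script from the thread. Every interface
# name, address and port below is an assumption; adjust before use.
set -e

EXT_IF=ppp0                 # assumed: interface towards the internet
EXT_IP=203.0.113.7          # assumed: the firewall's public address (portfw needs it)
INT_IF=eth0                 # assumed: interface towards the LAN
LAN=192.168.1.0/24          # assumed: the LAN behind the firewall
GAME_HOST=192.168.1.10      # assumed: LAN host running the game server
GAME_PORT=27015             # assumed: UDP port the game uses
IPCHAINS=/sbin/ipchains
IPMASQADM=/usr/sbin/ipmasqadm
SYSCTL=/proc/sys/net/ipv4

# True only on a real firewall that is not in review mode.
live() { [ -x "$IPCHAINS" ] && [ "${DRY_RUN:-0}" = 0 ]; }

# Run a command on a real firewall; elsewhere (or with DRY_RUN=1) print it, so
# the ruleset can be reviewed on a machine that has no ipchains at all.
run() {
    if live; then "$@"; else echo "$*"; fi
}

# Same for /proc knobs, which need a redirection rather than a command.
knob() {
    if live; then echo "$2" > "$SYSCTL/$1"; else echo "echo $2 > $SYSCTL/$1"; fi
}

firewall_start() {
    # Policies first: deny whatever is not explicitly allowed. Output from the
    # firewall itself stays ACCEPT, as question 6 discusses for a home network.
    run "$IPCHAINS" -F
    run "$IPCHAINS" -P input DENY
    run "$IPCHAINS" -P forward DENY
    run "$IPCHAINS" -P output ACCEPT

    # Loopback and the LAN side are trusted. A packet with a LAN source address
    # arriving on the internet side is spoofed: log it (-l goes to the kernel
    # log, which syslogd files under the kern facility) and drop it.
    run "$IPCHAINS" -A input -i lo -j ACCEPT
    run "$IPCHAINS" -A input -i "$INT_IF" -s "$LAN" -j ACCEPT
    run "$IPCHAINS" -A input -i "$EXT_IF" -s "$LAN" -l -j DENY

    # Question 7: refuse and log new TCP connections (SYN only, -y) from the
    # internet, but let the non-SYN half of connections opened from inside back
    # in. Web and mail keep working because those are connections we open.
    run "$IPCHAINS" -A input -i "$EXT_IF" -p tcp -y -l -j DENY
    run "$IPCHAINS" -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT

    # DNS answers come back over UDP from port 53; replies to masqueraded UDP
    # arrive on the 2.2 masquerading port range; ICMP is needed for path MTU
    # discovery and error reports.
    run "$IPCHAINS" -A input -i "$EXT_IF" -p udp -s 0.0.0.0/0 53 -j ACCEPT
    run "$IPCHAINS" -A input -i "$EXT_IF" -p udp -d "$EXT_IP" 61000:65096 -j ACCEPT
    run "$IPCHAINS" -A input -i "$EXT_IF" -p icmp -j ACCEPT

    # Question 5: one game port is let in and handed to the LAN host. REDIRECT
    # only reaches ports on the firewall itself; forwarding to another machine
    # is done with ipmasqadm portfw (ipmasqadm package on Debian).
    run "$IPCHAINS" -A input -i "$EXT_IF" -p udp -d "$EXT_IP" "$GAME_PORT" -j ACCEPT
    run "$IPCHAINS" -A forward -i "$INT_IF" -p udp -d "$GAME_HOST" "$GAME_PORT" -j ACCEPT
    run "$IPMASQADM" portfw -f
    run "$IPMASQADM" portfw -a -P udp -L "$EXT_IP" "$GAME_PORT" -R "$GAME_HOST" "$GAME_PORT"

    # Masquerade everything the LAN sends towards the internet (on the forward
    # chain, -i is the interface the packet leaves by).
    run "$IPCHAINS" -A forward -i "$EXT_IF" -s "$LAN" -j MASQ

    # Kernel knobs last. rp_filter (question 2) drops packets whose source would
    # not be routed back out the interface they came in on; "default" covers
    # interfaces brought up later, the loop covers those already present.
    knob conf/all/rp_filter 1
    knob conf/default/rp_filter 1
    for f in "$SYSCTL"/conf/*/rp_filter; do
        [ -f "$f" ] && knob "${f#$SYSCTL/}" 1
    done
    # Forwarding is enabled only now that the rulebase is loaded.
    knob ip_forward 1
}

firewall_stop() {
    # Forwarding goes off before the rules go, so the box never forwards unfiltered.
    knob ip_forward 0
    run "$IPMASQADM" portfw -f
    run "$IPCHAINS" -F
    run "$IPCHAINS" -P input ACCEPT
    run "$IPCHAINS" -P forward ACCEPT
    run "$IPCHAINS" -P output ACCEPT
}

# Print the start sequence without touching the kernel (what "firewall print" does).
print_rules() { ( DRY_RUN=1; firewall_start ); }

case "${1:-print}" in
    start)   firewall_start ;;
    stop)    firewall_stop ;;
    restart) firewall_stop; firewall_start ;;
    print)   print_rules ;;
    *) echo "Usage: $0 {start|stop|restart|print}" >&2; exit 1 ;;
esac
```

Run it as `sh firewall print` on any machine to read the exact ipchains and ipmasqadm commands it would issue, then copy it to /etc/init.d/firewall and link it with update-rc.d on the firewall. The order matters: the DENY policies and the rules exist before ip_forward is written, and on stop ip_forward is cleared before the chains are flushed.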