
Re: Confounded by Firestarter "Issues"...



> Heresy?  Why?

There is a consensus of some sort among some security people that
(a) personal firewalls are useless, (b) using ipchains, iptables,
or anything layered thereupon (like Firestarter) to attempt to
construct one is a waste of time.  (Obviously I don't care what
they think, or I wouldn't be beating on the problem...).  This relates
in some measure to your comment below regarding running processes
"calling home"...

> > I have it set up and running and I can get data through it.  The problem
> > is that I can't seem to dope out how to properly set it up for packet
> > filtering
> 
> This is not a difficult package to install; I did it as a non-technical 
> newbie.  Maybe you're making it more complex than it is?

It's installed, just fine.  (with minor exceptions).  I can get data
through it.  I can make it completely block an IP address or completely
trust an IP address.  What I don't seem to be able to do is (generally)
figure out how to control which *applications* can communicate
(beginning with a browser), and on which ports, etc. etc. (one of the
things that distinguishes a "Personal" firewall...).  I can't get
Netscape (or even "ping") to be able to access any IP address on the net
by default - I have to individually make each address "trusted", or (in
the case of "ping") give the DNS servers completely unrestricted access,
etc...

> I run Firestarter 0.9.2 and haven't touched it since installation in 
> November.  It just runs automatically from the init script, like all the 
> other Linux services.  I just opened it up now to remember what it looks 

Which release have you got?  If you have 0.9.2 running on stable Woody,
I am very, very, VERY interested in how you got *that* installed...
(pre-emptive question: did you upgrade the C library, and if so how and
to what?)  At the moment I'm stuck with 0.8xx because what I've
determined thus far about the upgrade is that it's only compatible
with Sarge.

I had a problem with running it from the "init" script.  I'm starting it
manually.  (Could *that* be my problem?  There was some discussion of
*that* as well, on the "sourceforge" lists, but I couldn't convince
myself that there was a real issue with whether or not it was run from
init.d as far as functionality goes...)

> like. ;)  Its GUI is very easy to use to configure your firewall, and I 
> use it to protect this desktop box.  If you use the pull-down menu item 
> Edit -> Preferences -> Services, just check the boxes for services you 

The key there is "services".  I don't have any services I want to
make available (yet - I'm sure I'll end up with "ftpd" etc. turned on
eventually).  I just want things like a browser to be able to
communicate.  Thus far - and if you've got the magic combination, I'd
like to know - turning on various services doesn't seem to enable my
browser to work.  I have to enable IP addresses for every web site one
at a time in the security settings.  (There's clearly something really
wrong there...).

But I can't figure out which services might have to be enabled to make
the browser work (if that's what's wrong), and my understanding (again)
is that a running program just uses one or more ports for communication
- enabling "services" has nothing to do with it - and that just enabling
the *ports* on which it communicates should be sufficient.  So far,
though, no luck...

> want enabled to the public.  It's as easy as configuring ZoneAlarm, but 
> even  more configurable, as I recall.

Yes and no...  it's really a different animal.  Zone Alarm is "program"
oriented - it can keep track of what apps are actually running and grant
or deny access to them.  I'm trying to sort of dummy up that feature
with Firestarter...  Zone Alarm, OTOH, knows nothing of ports (or if it
does, I've never seen evidence of it, except possibly in the log files.)

> Mine works out-of-the box.  I do remember changing some of the settings, 
> as needed, in the preferences from the GUI, as mentioned above.  I 
> changed Reject to Deny, for example.

I haven't tried every combination of everything, but I already feel like
a complete idiot so I suppose trying things that make no sense is
probably next on the agenda, unless I can find more information
somewhere...
 
> > I thought the idea was to explicitly permit only certain *ports* to
> > communicate,
> > but so far, I can't figure out any way to make *that* work...  
> 
> Use the Preferences to do this for Incoming by type of Service.  I don't 
> see how to do that for Outgoing, or even if that is a capability of 

It's not important for outgoing data unless (as you warn of below)
something is trying to call home.  (That question - whether something
can "call home" - is one in which I'm very interested, and about which
I've heard ominous tidbits - particularly as regards Gatesware, of curse
- and which could occupy plenty of bandwidth here by itself, if it
hasn't already...)  In any case, I'm not trying to solve *that* problem
yet (though I would like to know how to get logging for *all* IP
transactions set up in Linux; I'm sure *that* at least is documented
somewhere - haven't looked).

But again, the key word in your response is "Service"...  thus far,
unless there's something I'm missing, a "service" has a "daemon" such as
inetd or ftpd or named etc. associated with it, and an assigned port or
ports, and is completely distinct from what communications happen when
you (for instance) spawn a web browser.  If that's not true, and I'm
somehow braindamaged over this, that could be the source of my confusion
and problems, and I'd like to know about it.

> Firestarter.  Remember, this isn't windows -- you don't need the same 
> kind of "leak" protection from rogue programs calling home (I hope).

Hope springs eternal...  If your girlfriend was a computer, would you
trust it not to dial out when you weren't there?  Are you convinced
that nobody has gerbiled a keyhole into Linux anywhere?  (Dennis Ritchie
wrote a terrific article on how to use a C compiler as a trojan horse,
about 30 years ago - I doubt if things have changed much; they can only
have gotten worse.)  (If this causes this thread to detonate, I'm
sorry...  please fork another one).  This is one of the reasons I
disagree with the anti-personal-firewall Nazis.

> > Is there some dark secret to determining exactly which ports what
> > processes/programs
> > are using, so that they can be selectively enabled in the Firestarter
> > "rules"?
> 
> Standard protocols.

I'm not following you there...  There is a list in /etc/services, and
there is another list which can be obtained from "lsof -i"... but I've
noticed that even the "standard" ports have changed over time (the
service for port 53, for instance, corresponding to I-forget-what, has
now been re-standardized on port 32780, or something...  dep't...).
Also, the (blocked) net traffic I'm seeing tends to indicate that (for
instance) "named" may have a block of available ports...

Do I need to go read a couple of standards documents to make this work?

> Have you looked at http://firestarter.sourceforge.net/manual/rules.php ?

Yes - numerous times.  That's not to say that I'm not looking right at
the solution and failing to see it right under my nose.  But for
instance (from the manual:)

> Open ports are ports that are freely accessible by everyone (except
> blocked hosts). For example, an open port rule with a value of 80 will
> allow anyone to access a web server running on the firewalled machine.

I tried enabling port 80 (and various others) to everyone and everything
and Netscape still can't communicate except on an
IP-address-by-IP-address basis.  (again, by my understanding, that
should come as no surprise since running a "Web server" has nothing to
do with making browser communications work...  or does it?)  But clearly
there is *something* that needs to be enabled, because I can only get
Netscape to work by explicitly "trusting" the IP address of whatever
website I'm trying to access.  (again, that behavior I think represents
some sort of global setup problem - ?)
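The symptom this message describes (opening port 80 changes nothing for a browser, while trusting each remote address works) is what a default-deny INPUT chain looks like when nothing accepts the return half of the connections the machine itself opened. The script below is an added example, not code from this thread or from the Firestarter project: it emits the iptables commands for a minimal stateful client-only policy, shows the inbound-port-80 rule the message tried beside it for contrast, and logs every new outgoing connection, which is the "log all IP transactions" and "calling home" question in one rule. It assumes iptables with the conntrack state match; the log prefixes are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from Firestarter: a minimal
# stateful netfilter policy for a client-only box, emitted as the iptables
# commands it consists of so the policy can be read before it is loaded.
# Assumes iptables with the conntrack "state" match (ipchains cannot do
# this, and that is the usual reason per-address "trust" rules look like
# the only thing that works).

# What the message tried: opening inbound port 80. This admits connections
# *to* a web server on this host; it does nothing for a browser, whose
# connections go out and whose replies arrive on a high, random local port.
inbound_port_80_rule() {
    echo "iptables -A INPUT -p tcp --dport 80 -j ACCEPT"
}

# What a browser, ping and DNS lookups actually need behind a default-DROP
# INPUT chain: accept the return traffic of connections this host started.
# conntrack tracks UDP (DNS replies) and ICMP (echo replies) as well as TCP,
# so one ESTABLISHED,RELATED rule covers all three without opening any port.
stateful_ruleset() {
    cat <<'EOF'
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -F OUTPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-IN: "
iptables -A OUTPUT -m state --state NEW -j LOG --log-prefix "FW-NEW-OUT: "
EOF
}
# The last INPUT rule logs (rate-limited) what the DROP policy then
# discards; the OUTPUT rule records every new outgoing connection, which is
# the cheapest way to see what is trying to "call home" and to whom.

# Check before loading: does the policy admit anything by destination
# port? A client-only policy should not.
opens_inbound_port() {
    stateful_ruleset | grep -q -- '--dport'
}

# Stand-alone run prints the policy. To load it, review the output and run
# it as root, e.g.:  sh this_script.sh | sudo sh
stateful_ruleset
```

The logged lines land in the kernel log (dmesg / syslog) with the given prefix, so a grep for FW-NEW-OUT gives the list of every destination the box has opened a connection to, and FW-DROP-IN shows what the default-deny policy is actually refusing, which is the information needed to decide whether a "trusted" rule was ever necessary.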



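On the question of which ports which processes are using: `lsof -i` already has the answer, and running it with `-P` and `-n` makes it print numeric ports and addresses instead of whatever name /etc/services happens to attach to them, which is exactly the "port 53 has become 32780" confusion above. What follows is an added example, not from this thread, that reduces that output to a process/port table. The lsof lines in it are constructed for the example (documentation addresses, a named process that also holds a high UDP port, a Netscape connection to port 80); on a live box, pipe the real command into port_owners.

```shell
#!/bin/sh
# Added example, not from the thread: turn `lsof -i -P -n` output into a
# process/port table. The sample below is constructed for this example
# (documentation addresses); on a real host use:  lsof -i -P -n | port_owners
# -P and -n keep ports and addresses numeric, so the output is not obscured
# by whatever name /etc/services currently attaches to a port.

SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
named     412 bind   20u  IPv4   1234      0t0  UDP 127.0.0.1:53
named     412 bind   21u  IPv4   1235      0t0  TCP 127.0.0.1:53 (LISTEN)
named     412 bind   22u  IPv4   1236      0t0  UDP *:32780
netscape 1021 joe     9u  IPv4   5678      0t0  TCP 192.0.2.10:33214->198.51.100.5:80 (ESTABLISHED)
sshd      300 root    3u  IPv4    910      0t0  TCP *:22 (LISTEN)'

# Read lsof -i output on stdin; print one line per socket:
#   COMMAND PID PROTO LOCAL_PORT REMOTE STATE
# TCP lines carry a trailing "(STATE)" field and UDP lines do not, so the
# NODE (protocol) and NAME columns are located relative to the end of line.
port_owners() {
    awk 'NR > 1 {
        if ($NF ~ /^\(/) { state = $NF; name = $(NF-1); proto = $(NF-2) }
        else             { state = "-";  name = $NF;     proto = $(NF-1) }
        gsub(/[()]/, "", state)
        split(name, ends, "->")                   # local->remote when connected
        n = split(ends[1], lp, ":")               # last field is the local port,
        remote = (ends[2] == "") ? "-" : ends[2]  # which also works for [::1]:53
        printf "%s %s %s %s %s %s\n", $1, $2, proto, lp[n], remote, state
    }'
}

# Local ports used by one command name in the sample, space separated.
ports_of() {
    printf '%s\n' "$SAMPLE_LSOF" | port_owners |
        awk -v c="$1" '$1 == c { printf "%s%s", sep, $4; sep = " " } END { print "" }'
}

# Stand-alone run prints the table for the constructed sample.
printf '%s\n' "$SAMPLE_LSOF" | port_owners
```

The table makes the distinction in the message visible: the listening entries (sshd on 22, named on 53) are the "services" a firewall's inbound rules are about, while the browser's socket has a local port it was handed at random (33214 in the sample) and a remote port 80, so no fixed inbound port rule can ever describe it; only the connection-tracking rule from the previous example does.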