How do I get a firewall to list what it is doing in /var/log/messages 2


fenris

Programmer
May 20, 1999
824
CA
I went to and created a firewalling script for my machine.

I also went to the site and followed their demo on how to install a firewall. The odd thing was they made extensive use of ktail to monitor what was happening in /var/log/messages and it showed that the firewall was actively working. When I tried this, the only thing that I got was my su'ing! I don't know what is going on here. If you want me to post the contents of the firewall, I will, but there is quite a large number of lines to contend with.
 
Tony thanks for the tip, I'll be sure to try it out when I get home.

Andy, Thanks for taking the time to explain things, I appreciate it. Ipchains are starting to make a lot of sense. I guess it helps that I finished reading the Ipchains how to as well.

So if I wanted to have an internal machine that was a webserver, then I would modify the rules with the ip of the webserver and set the port to 80?

The first rule that denies everything to every computer on the inside is a catch all for packets that don't fit the rest of the rules.

I think I am getting the hang of things now! I should be able to modify the scripts to so that they work for me and I understand them.

I still have a little bit of a fog about the order of the rules. Does Linux check rules after a rule is found that applies to the packet? For instance, say that the first rule was

# Deny access to all privileged ports on all servers.
ipchains -A input -l -i $LOCALIF -d 0.0.0.0/0 0:1023 -p tcp -j DENY

wouldn't this stop here because any packet would match this or would it continue onwards to find the rules below which match the packet better?

# Allow FTP access to two servers.
ipchains -A input -l -i $LOCALIF -d 192.168.0.1/24 20:21 -p tcp -j ACCEPT
ipchains -A input -l -i $LOCALIF -d 192.168.0.3/24 20:21 -p tcp -j ACCEPT
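
As an added example (not part of the thread), here is a small POSIX sh model of the ordering question. ipchains walks a chain from the top and stops at the first rule that matches and carries a terminating target (ACCEPT, DENY, REJECT); the rules below it are never consulted, and a packet that matches nothing gets the chain policy set with -P. Feeding the three posted rules through it shows the catch-all deny swallowing the FTP packet, and the same rules with the accepts moved in front letting it through. One more thing it makes visible: -d 192.168.0.1/24 covers all of 192.168.0.0/24 because the host bits are masked off, so the second FTP rule never gets a chance to fire; a single host needs /32. The rule-table format, the packets and the function names are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the thread: a model of how ipchains walks a chain.
# Rules are tested in the order they were appended (-A); the first rule that
# matches with a terminating target ends the walk, and a packet that matches
# nothing gets the chain policy. Rule-table layout and helper names are
# constructed for this example.

# ip2int DOTTED-QUAD: print the address as a 32-bit integer.
ip2int() {
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# in_net ADDR NET/PREFIX: true when ADDR lies inside NET/PREFIX. As with
# ipchains, host bits in NET are ignored: 192.168.0.1/24 means 192.168.0.0/24.
in_net() {
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32           # no /prefix given: exact host
    [ "$bits" -eq 0 ] && return 0           # /0 matches everything
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# walk_chain POLICY IFACE PROTO DST-IP DST-PORT, with the rules on stdin, one
# per line: "<iface> <proto> <dst-net> <low-port> <high-port> <target>".
# Prints the verdict and the rule number, like the (#n) in an ipchains log line.
walk_chain() {
    policy=$1 iface=$2 proto=$3 dst=$4 dport=$5
    n=0
    while read -r r_iface r_proto r_net r_lo r_hi r_target; do
        case $r_iface in ''|'#'*) continue ;; esac
        n=$((n + 1))
        [ "$r_iface" = "$iface" ] || continue
        [ "$r_proto" = "$proto" ] || continue
        in_net "$dst" "$r_net"    || continue
        [ "$dport" -ge "$r_lo" ] && [ "$dport" -le "$r_hi" ] || continue
        echo "$r_target (#$n)"              # first match wins; stop here
        return 0
    done
    echo "$policy (policy)"                 # fell off the end of the chain
}

# The rules as posted (LOCALIF=eth0): catch-all deny first, FTP accepts after.
DENY_FIRST='eth0 tcp 0.0.0.0/0      0  1023 DENY
eth0 tcp 192.168.0.1/24 20 21   ACCEPT
eth0 tcp 192.168.0.3/24 20 21   ACCEPT'

# Same rules with the specific accepts placed in front of the catch-all deny.
ACCEPT_FIRST='eth0 tcp 192.168.0.1/24 20 21   ACCEPT
eth0 tcp 192.168.0.3/24 20 21   ACCEPT
eth0 tcp 0.0.0.0/0      0  1023 DENY'

# An FTP control connection to 192.168.0.1 arriving on eth0, then a port the
# accepts do not cover, then a port nothing covers (policy decides).
printf '%s\n' "$DENY_FIRST"   | walk_chain DENY eth0 tcp 192.168.0.1 21
printf '%s\n' "$ACCEPT_FIRST" | walk_chain DENY eth0 tcp 192.168.0.1 21
printf '%s\n' "$ACCEPT_FIRST" | walk_chain DENY eth0 tcp 192.168.0.7 23
printf '%s\n' "$ACCEPT_FIRST" | walk_chain DENY eth0 tcp 192.168.0.7 8080
```

Run it as-is and the first line reports DENY (#1): the deny rule matched and the FTP accepts below it were never reached. Reorder so the accepts come first and the same packet is accepted by rule 1; a packet for port 8080 matches nothing and falls to the policy, which is why the policy should be DENY and the accepts explicit.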

 
It sounds like you're getting the hang of things :)

You're correct in saying that if you want to host a web service, you will need to add a new rule to allow access to port 80 on your server.

The ordering of rules is important. The way ipchains works (in common with products such as Firewall-1) is to pass a packet through each rule until it gets through all the rules. Once it gets past the last rule, the firewall software decides whether to accept or deny the packet.

So, taking the FTP example, when an FTP packet arrives it hits the "deny everything" rule. The Linux kernel flags the packet for throwing away. Further down the line (or immediately in our example :) the packet then hits the "allow FTP to this IP address", and the kernel flags the packet for keeping. The end result is that we should have a living, breathing, FTP service.

If you take a look at some of the utilities that are available for configuring ipchains, you might see that each rule has a number assigned to it. This is for simplified ordering of the rules. Rules are also usually numbered in 10s or 100s. This is to allow the insertion of new rules. (Anyone remember BASIC? :)

My fave ipchains editor of the moment is gfcc (Gnome Firewall Control Center). It runs under Gnome, KDE, WindowMaker, etc and is an excellent ipchains configuration tool, once you begin to understand what is going on.

Anyway, I'm glad to hear it's going well, and happy to help :) Keep us posted on how you get on!
 
Hey I remember Basic and the 10 increments!!!

I'll have to give gfcc a try once I am sure I understand what is going on with the ipchains. I don't like to make things easy for myself till I know what is going on :)

Thanks again...
 
Well, I managed to get one of the firewall scripts running and I actually got it to log to /var/log/firewall.log by editing /etc/syslog.conf! Incidentally, there is not as much activity as I thought there was going to be ;)

Then I ran into a problem with trying to execute my modified script. Here is what I did: I took a copy of a number of the scripts that I have and copied them over to Windows (I am more comfortable and faster working in my programming text editor in Windows :) Any recommendations on Linux editors that support cut and paste operations that are quick? kedit is rather sluggish :( )

I created a new script that is a piecemeal combination of a number of scripts. When I brought the newly created script over to Linux and put it in /etc/rc.d I tried to run it with ./rc.firewall.new and it returned an error message saying that it could not find the file. So I could not verify if the script actually works.

So I ran vi rc.firewall.new and it came up in the editor. Then I thought the permissions might be out to lunch. But I checked them and they are the same as my rc.firewall script, which is the one currently running. When I say they are the same, I mean they are both set to 700. Did Windows do something to it or am I crazy?

 
Windows has done something, so don't go running to a shrink yet. ;-) Run "cat -vet rc.firewall.new" and you will see ^M characters at the end of each line. This is the carriage return character that MS-DOS adds to the end of each line in addition to the newline character. You might also see a ^Z at the end of the file.

When you fire up vi, you are probably actually running vim. Unlike the original vi, vim recognises MS-DOS format files. Check the status line at the bottom of the screen when you first open the file. It probably says "MS-DOS file".

So, when you try to run the script which looks like it has "#!/bin/sh" as the first line, the shell is actually trying to run "#!/bin/sh^M" as the command interpreter.

I had this problem with a file last week, and it drove me mad until I noticed the "MS-DOS file" hidden away on vim's status line. Oh yeah, this text disappears when you start moving around in the file, so it's easy to miss when you jump in and start hacking around the file looking for the problem...

Two ways of fixing it. If you have the mtools (I think) package installed, you should have a command called "dos2unix". Run it as "dos2unix rc.firewall.new" and it does the conversion for you.

Alternatively, pass the script through sed:
[tt]
sed -e 's/^M$//' rc.firewall.new | sed -e 's/^Z//g' >/tmp/rc.firewall.new
mv /tmp/rc.firewall.new rc.firewall.new
[/tt]
(Note: To enter the ^M and ^Z characters from the command line, press Ctrl-V then Ctrl-M, for example, to get the control code entered. Also, exercise for the reader: Create your own dos2unix shell script...)

On the editor front, I've got a few personal favourites. First is vi/vim for all general editing tasks. It's got cut & paste, and there's a graphical version available. Try running "gvim". If it's not installed, get your distro CD and install the vim-X11 package.

For big programming jobs I tend to use xemacs. Even though vim has syntax highlighting, I think emacs does a nicer job of it. There are also a couple of excellent modes in emacs for doing programming work.

On the GUI editing front, there's a program called "nedit" that has a lot of fans. I tried using it for a while, but was put off because it was a little bit too "windowsy" for me.

In Windows, I can recommend the excellent Programmer's File Editor (PFE32). Although, the Windows version of Vim and Emacs tend to get a little more use. :)

Hope this helps.
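
The "exercise for the reader" above, worked as an added example (not from the thread): a hand-rolled dos2unix in POSIX sh, plus two checks you can run before and after. count_cr reports how many carriage returns (the ^M that cat -vet shows) are in the file, and shebang_of prints the first line the way the kernel reads it, so "#!/bin/sh^M" is visible at a glance. The conversion writes the cleaned file back over the original with cat rather than mv, which keeps the original's mode (the 700 from the post) instead of giving it the temp file's. The function names and the sample file are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the thread: a minimal dos2unix plus checks for the
# "#!/bin/sh^M" symptom. POSIX tools only (tr, wc, head, cat, printf). The
# function names and the sample file below are constructed for this example.

# count_cr FILE: number of carriage returns (\015, shown by cat -v as ^M).
# A Unix-format script reports 0.
count_cr() {
    tr -cd '\015' < "$1" | wc -c | tr -d ' \n'
}

# shebang_of FILE: the first line as the kernel sees it, control characters
# made visible by cat -v. "#!/bin/sh^M" means the interpreter lookup fails.
shebang_of() {
    head -n 1 "$1" | cat -v
}

# dos2unix_file FILE: convert in place, dropping every \015 (CR) and any
# \032 (^Z, the DOS end-of-file marker). The result is copied back with cat
# so the file keeps its owner and mode (e.g. 700) instead of the temp file's.
dos2unix_file() {
    tmp="$1.d2u.$$"
    tr -d '\015\032' < "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# Demo on a constructed file that mimics a script saved by a Windows editor.
demo() {
    f=$(mktemp)
    printf '#!/bin/sh\r\necho firewall up\r\n\032' > "$f"
    chmod 700 "$f"
    echo "before: $(count_cr "$f") CRs, first line: $(shebang_of "$f")"
    dos2unix_file "$f"
    echo "after:  $(count_cr "$f") CRs, first line: $(shebang_of "$f")"
    rm -f "$f"
}
demo
```

The demo prints "before: 2 CRs, first line: #!/bin/sh^M" and then "after: 0 CRs, first line: #!/bin/sh". For a real script, "count_cr rc.firewall.new" followed by "dos2unix_file rc.firewall.new" is the whole job; tr deletes every CR rather than only the ones before a newline, which is the right call for a shell script but would be wrong for a binary file.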
 
Thanks for the recommendations. I kind of figured that Windows did something to the file, I just couldn't recall what to do with it. I will have to try out the editors that you mentioned. Personally I like vim (I am pretty sure that is what is installed on my system, there must be a symbolic link for the vi command). I can't wait to try gvim, it should be interesting. I will see if the dos2unix program is installed and I will try it out, but I will also try out the sed command as well. It is a wonderful O/S that has so many powerful tools. In Windows you would basically have to write a program to accomplish this; shells make Windows batch files look like children's toys ;)

Hopefully I will get a chance to get it running over the weekend. I will keep you posted on what is going on. When I get it up and running I will be writing a FAQ on firewalling over PPPoE. Can I use some of the tips that you have posted, with proper credit?


Thanks again...
 
I'll look forward to reading the FAQ - I should be getting an ADSL connection in about 2 months, so it's going to be useful reading. :) Please feel free to use anything I've posted here - I'm glad that you think some of it is worth using. ;-)

Good luck with things over the weekend - I hope it all goes well.

And shells rock! If you want similar power on Windows, take a look at the Bash shell that's available from Cygnus at You want the "Cygwin B20.1" package. There's two versions, user and full. If you get the "full" version, as well as bash and a load of other Unix tools, you get gcc, make, and the required libraries. Very nice :)

While you're at it you could also get X11R6.4 programs to go with Cygwin and get yourself a free X server for your Windows machine :) Head over to for X.
 
I forgot to ask you about this, but when I did get one of the scripts working last night, I noticed that I could not connect to samba.

The script that I used blocked all the privileged ports and I figure that is why it was not working, so I wrote a couple of rules. I won't have a chance to test them until later on this weekend. I just thought I would put them on here and get your opinion. So here they are..

#----------------------------------------------------
# Deny TCP and UDP packets to privileged ports
ipchains -A input -l -i ppp0 -d 0.0.0.0/0 0:1023 -p udp -j DENY
ipchains -A input -l -i ppp0 -d 0.0.0.0/0 0:1023 -p tcp -j DENY
echo -n "."

# Accept Samba requests from the local network.
# In ipchains a port range belongs to the address option it follows, so the
# NetBIOS/SMB ports 137-139 go after -d (the server side), not after -s,
# which would only match clients sending from a source port of 137-139.
ipchains -A input -l -i eth0 -s 192.168.0.1/24 -d 0.0.0.0/0 137:139 -p udp -j ACCEPT
ipchains -A input -l -i eth0 -s 192.168.0.1/24 -d 0.0.0.0/0 137:139 -p tcp -j ACCEPT
echo -n "."
#------------------------------------

The reasoning behind the rules is to let the traffic on eth0 (my nic to the internal network) to the samba ports through. Is there any thing that I should add to these rules or are they fine?

Thanks again.
 
Those rules look fine to me. You may need to add the same rules again, but this time specifying "output" instead of "input". This would allow the server to talk to the clients. If I was you, I'd test it with just the "input" rules first, and then add the "output" rules if anything seems to be wrong.
 
I got the firewall working and have most of the FAQ together now. Unfortunately I am stuck! I don't know how to get the firewall to activate when the PPPoE connection is initiated. I can get it to activate at boot, but it is a waste to have the firewall running when there is no connection. I have checked around and the best thing that I can find is suggestions on creating a script that calls the firewall. The script should have the name ip-up and it should be located in /etc/ppp/ip-up. I think I can probably get this to work. But I am not quite sure how to write the script and get it to activate the firewall.

Say I have a firewall script located (and working with the pppoe connection) in /etc/ppp/pppoe.firewall and it is set chmod 700. I believe the ip-up script would be:

#!/bin/sh
./pppoe.firewall
#end of script

Supposedly when the PPPoE (which is basically run over ppp0) comes up, the firewall should kick in.

The other question I have would be how to kill the script when the connection goes down. I suspect the use of a script called /etc/ppp/ip-down would be in order. But the contents of that script would be a mystery to me.

Any help, is as always greatly appreciated......




-- Troy Williams B.Eng., fenris@hotmail.com
 
You're right about using the "ip-up" script to kick things off when the ppp connection comes up. The only thing I might add is to use the full path name to the firewall script, just in case the paths aren't as you expect.

I don't think you would need to worry about creating a script to be called when the ppp connection goes down. When you run the firewall start script, make sure you still have the following lines in before any other rules:
[tt]
# Incoming packets from the outside network
$IPCHAINS -F input
echo -n "."

# Outgoing packets from the internal network
$IPCHAINS -F output
echo -n "."
[/tt]
These will flush all firewall rules out of the system before recreating the new ones. However, if you do want to create a script to be called from "ip-down", you would just need to put the above lines into it.

I'm glad everything is working OK! After you didn't post for a while I was beginning to worry that I'd given you some bad advice and your system was now inhabited by legions of haxx0rs ;-)

On a side note, have you tried running nmap or similar to check that everything really is working OK?

-- Andy Bold
"I've probably made most of the mistakes already, so hopefully you won't have to..." Me, most days.
 
I went to a few sites like and that site can't find my machine :) There was another site that I tried (can't remember the address) that used nmap to scan my machine and it came up with nothing. I was also using tail -f /var/log/firewall.log to see if the firewall was logging, was it ever logging :) .

As for not posting in a while, I've been extremely busy at work lately since. It also doesn't help that I will be going to a new job next week. So between training my replacement and having a life, there isn't much time for Linux :( Hopefully in the next couple of weeks after everything calms down I will have more time to work on it. I am hoping to have the firewalling FAQ done by the end of the week.....

Thanks again for the help

-- Troy Williams B.Eng., fenris@hotmail.com
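
Reading the log that tail -f shows is easier with a summary, so here is an added example (not from the thread) that condenses the lines "ipchains -l" produces. ipchains writes them through the kernel log with the kern facility at info priority, which is what a syslog.conf line routing kern.info to /var/log/firewall.log picks up; each line has the form "Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ... (#<rule>)", where (#rule) is the number of the rule that fired. The script collapses repeated hits into counts and lists the sources that hit a DENY. The sample log lines, host names and addresses are constructed, not captured from any system.

```sh
#!/bin/sh
# Added example, not from the thread: summarizing the "Packet log:" lines that
# ipchains -l writes through syslogd. Layout of one line (ipchains 1.x):
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=.. S=.. I=.. F=.. T=.. [SYN] (#<rule>)
# The sample below is constructed for this example; nothing here was captured.

SAMPLE_LOG='Jun  3 21:14:02 gw kernel: Packet log: input DENY ppp0 PROTO=6 10.0.0.5:1034 10.0.0.1:23 L=60 S=0x00 I=4711 F=0x4000 T=64 SYN (#2)
Jun  3 21:14:05 gw kernel: Packet log: input DENY ppp0 PROTO=17 10.0.0.5:53 10.0.0.1:137 L=78 S=0x00 I=4712 F=0x0000 T=64 (#1)
Jun  3 21:14:06 gw kernel: Packet log: input ACCEPT eth0 PROTO=6 192.168.0.5:1035 192.168.0.1:21 L=60 S=0x00 I=4713 F=0x4000 T=64 SYN (#4)
Jun  3 21:14:09 gw kernel: Packet log: input DENY ppp0 PROTO=6 10.0.0.5:1036 10.0.0.1:23 L=60 S=0x00 I=4714 F=0x4000 T=64 SYN (#2)
Jun  3 21:14:10 gw su: (to root) fenris on /dev/pts/0'

# summarize_packet_log: syslog lines on stdin; prints one line per distinct
#   "<count> <target> <chain> <iface> PROTO=<n> <src> -> <dst>:<port> (#rule)"
# busiest first. The ephemeral source port is dropped so retries collapse.
summarize_packet_log() {
    awk '
    /Packet log:/ {
        for (i = 1; i <= NF; i++) if ($i == "log:") break
        chain = $(i + 1); target = $(i + 2); iface = $(i + 3); proto = $(i + 4)
        src = $(i + 5); dst = $(i + 6); rule = $NF
        sub(/:[0-9]+$/, "", src)
        key = target " " chain " " iface " " proto " " src " -> " dst " " rule
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# denied_sources: the distinct source addresses that hit a DENY rule,
# a quick "who is knocking" list for the outside interface.
denied_sources() {
    awk '/Packet log:/ && / DENY / {
        for (i = 1; i <= NF; i++) if ($i ~ /^PROTO=/) { s = $(i + 1); sub(/:[0-9]+$/, "", s); print s }
    }' | sort -u
}

printf '%s\n' "$SAMPLE_LOG" | summarize_packet_log
printf '%s\n' "$SAMPLE_LOG" | denied_sources
```

On a live box the same functions read the real file: "tail -f /var/log/firewall.log | summarize_packet_log" is not useful (sort needs the end of input), but "summarize_packet_log < /var/log/firewall.log" every so often is, and the (#rule) column tells you which line of the script each verdict came from, which is the quickest way to spot a rule that is matching more than you meant it to.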
 
I went to create an ip-up script but it was already there in /etc/ppp. So I edited it and there was a comment in it saying not to edit this file but to edit a file called ip-up.local. I checked for man pages on these files but I found nothing. I don't even know what the format of this script should be. I have all the pieces to the FAQ except how to launch it when a connection is started :cool:

Fortunately the script works, and I am pretty sure that it works well.....

-- Troy Williams B.Eng., fenris@hotmail.com
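
As an added example (not from the thread), here is what an /etc/ppp/ip-up.local can look like, together with the ip-down half. There is no special format: ip-up.local is an ordinary shell script. pppd runs /etc/ppp/ip-up with the arguments "<interface> <tty> <speed> <local-ip> <remote-ip> <ipparam>", and the Red Hat-style /etc/ppp/ip-up wrapper passes those same arguments on to /etc/ppp/ip-up.local when that file exists and is executable. The script below checks that $1 is the PPPoE link before starting the firewall, calls the firewall script by its full path (as suggested above), and logs what it did through syslog so the start line lands beside the "Packet log:" entries. The firewall script path and the interface name are assumptions; ipchains is reached through $IPCHAINS so the flush function can be exercised without root.

```sh
#!/bin/sh
# Added example, not from the thread: /etc/ppp/ip-up.local that starts the
# firewall only when the PPPoE link comes up, plus the flush that ip-down.local
# needs. pppd calls ip-up (and the Red Hat wrapper calls ip-up.local) as:
#   ip-up <interface> <tty> <speed> <local-ip> <remote-ip> <ipparam>
# The script path and interface name below are assumptions for this example.

FIREWALL=${FIREWALL:-/etc/ppp/pppoe.firewall}   # full path, never ./
PPP_IFACE=${PPP_IFACE:-ppp0}
IPCHAINS=${IPCHAINS:-/sbin/ipchains}

# Log through syslog when it is available, otherwise to stderr, so the
# start/stop lines show up next to the "Packet log:" entries.
log_msg() {
    logger -t ip-up "$*" 2>/dev/null || echo "ip-up: $*" >&2
}

# is_firewalled_link IFACE: true for the link we firewall. pppd may bring up
# other ppp interfaces that should be left alone.
is_firewalled_link() {
    [ "$1" = "$PPP_IFACE" ]
}

# start_firewall IFACE [SCRIPT]: run the firewall script for IFACE. Returns 0
# when nothing needed doing, 1 when the script is missing, else the script's
# own exit status. The script is run through sh so a lost exec bit (see the
# ^M episode) cannot silently leave the link unfiltered.
start_firewall() {
    iface=$1
    script=${2:-$FIREWALL}
    is_firewalled_link "$iface" || return 0
    if [ ! -r "$script" ]; then
        log_msg "firewall script $script not found; $iface is UNFILTERED"
        return 1
    fi
    log_msg "starting firewall on $iface"
    sh "$script" "$iface"
}

# stop_firewall: the body of /etc/ppp/ip-down.local. -F empties the chains but
# leaves their -P policy untouched, so a DENY policy keeps the box closed after
# the link drops while an ACCEPT policy leaves it wide open.
stop_firewall() {
    "$IPCHAINS" -F input && "$IPCHAINS" -F output
}

# pppd always passes the interface name as $1. With no arguments (for example
# when the file is sourced to test the functions) do nothing.
if [ $# -ge 1 ]; then
    start_firewall "$1"
fi
```

Install it as /etc/ppp/ip-up.local with mode 700, and put a copy that calls stop_firewall instead of start_firewall in /etc/ppp/ip-down.local. Because the firewall script itself begins with the -F flushes, running it twice is harmless; the policy caveat in stop_firewall is the one thing to check with "ipchains -L -n" after the link goes down.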
 