IWETHEY v. 0.3.0 | TODO
1,095 registered users | 0 active users | 0 LpH | Statistics
Login | Create New User
IWETHEY Banner

Welcome to IWETHEY!

IWETHEY Home / IWETHEY Board / Linux Forum / Re: Common ploy by....
Post #61,567
by rickmoen
Picture of rickmoen
11/7/02 3:34:08 AM
Reply
New Re: Common ploy by....
gfolkert said:

The common ploy allows crackers to spoof things in that brief instant to get further along on a crack. I know I've used it to humble some admins that say thier CheckPoint Firewall is impervious... Well, when they change the default rule from anything other than REJECT, changing from Negative logic to Positive Logic or a combo of both as well as a bad order of rules... Well what you expect?

Yeah, what he said. The pity of it is that this is such an elementary, dumbass error: Practically the first thing you learn, in setting up routers, is that you should ensure that they reject everything as the very first step upon initialising the interfaces.

People don't realise that filtering routers are actually much trickier than application-level proxy gateways, in that sense. With the latter, only traffic that's been explicitly permitted will be handled at all. With the former, one little error with the rulesets, or a ruleset enacted only in the runtime state but not in the NVRAM, and you're vulnerable.

But routers with only 2K RAM should be dumpster fodder, no?

Rick Moen
rick@linuxmafia.com

If you lived here, you'd be $HOME already.
Post #61,600
by jake123
11/7/02 10:22:02 AM
Reply
New Ok, what do you think of this firewall script?

I'm using ipchains on this one.

\r\n
\r\n
#!/bin/sh                                                                   \r\n                                                                            \r\n# This script sets up the NAT and firewall for the box, and is run when the \r\n# ppp connection to Bell comes up.                                          \r\n                                                                            \r\n/sbin/ipchains -A input -j ACCEPT -i ppp0 -s 0/0 67 -d 0/0 68 -p udp        \r\n                                                                            \r\n/sbin/depmod -a                                                             \r\n/sbin/modprobe ip_masq_ftp                                                  \r\n/sbin/modprobe ip_masq_raudio                                               \r\n                                                                            \r\necho "1" > /proc/sys/net/ipv4/ip_dynaddr                                    \r\necho "1" > /proc/sys/net/ipv4/ip_forward                                    \r\necho "1" > /proc/sys/net/ipv4/ip_always_defrag                              \r\necho "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose                            \r\n                                                                            \r\n/sbin/ipchains -M -S 7200 10 160                                            \r\n                                                                            \r\nipchains -F input                                                           \r\nipchains -F output                                                          \r\nipchains -F forward                                                         \r\n                                                                            \r\nipchains -P input ACCEPT                                                    \r\nipchains -P output ACCEPT                                                   \r\nipchains -P forward DENY                                                    \r\nipchains -A input -s 192.168.0.0/24 -i ppp0 -j DENY                         \r\nipchains -A input -s 127.0.0.0/8 -i ppp0 -j deny                            \r\nipchains -A forward -s 192.168.0.0/24 -i ppp0 -j MASQ                       \r\n
\r\n

I'd like to be able to set the policy of input deny, but whenever I do I end up being able to send things out by explicitly allowing input traffic from 192.168.0.0 to eth1 (internal interface) but I never get anything back as the incoming packets get killed.

At any rate... pointers on this one would be welcome. Thanks!

--\r\n-------------------------------------------------------------------\r\n* Jack Troughton                            jake at consultron.ca *\r\n* [link|http://consultron.ca|http://consultron.ca]                   [link|irc://irc.ecomstation.ca|irc://irc.ecomstation.ca] *\r\n* Laval Qu\ufffdbec Canada                   [link|news://news.consultron.ca|news://news.consultron.ca] *\r\n-------------------------------------------------------------------
     Wierd Debian Networking problem - (jake123) - (32) - Nov. 6, 2002, 04:00:53 PM EST
         Hmm - (deSitter) - (2) - Nov. 6, 2002, 04:22:20 PM EST
             Brainstorm - (deSitter) - Nov. 6, 2002, 04:24:23 PM EST
             Card... - (jake123) - Nov. 7, 2002, 10:26:29 AM EST
         neighbor table overflow sounds like RIP problem -NT - (boxley) - (4) - Nov. 6, 2002, 05:37:23 PM EST
             Newb to unix... what's RIP? - (jake123) - (3) - Nov. 7, 2002, 09:44:26 AM EST
                 RIP is a routing protocol - (boxley) - Nov. 7, 2002, 10:17:16 AM EST
                 Routing Interchange Protocol - (deSitter) - (1) - Nov. 7, 2002, 10:19:23 AM EST
                     Re: Routing Interchange Protocol - (pwhysall) - Nov. 7, 2002, 11:48:36 AM EST
         Re: Wierd Debian Networking problem - (pwhysall) - (20) - Nov. 6, 2002, 05:40:35 PM EST
             ifconfig -a output: - (jake123) - (19) - Nov. 7, 2002, 09:43:29 AM EST
                 eth1 is having collision issues and eth0 is not addressed -NT - (boxley) - (6) - Nov. 7, 2002, 10:20:20 AM EST
                     Re: eth1 is having collision issues and eth0 is not addresse - (jake123) - (5) - Nov. 7, 2002, 10:23:33 AM EST
                         Re: eth1 is having collision issues and eth0 is not addresse - (deSitter) - (4) - Nov. 7, 2002, 10:25:36 AM EST
                             also swap the cable and see if it makes a difference -NT - (boxley) - Nov. 7, 2002, 10:34:06 AM EST
                             This is using the mii-diag program, I take it? -NT - (jake123) - (2) - Nov. 7, 2002, 10:46:44 AM EST
                                 Re: This is using the mii-diag program, I take it? - (deSitter) - (1) - Nov. 7, 2002, 10:51:38 AM EST
                                     :) - (jake123) - Nov. 7, 2002, 11:21:41 AM EST
                 Re: ifconfig -a output: - (rickmoen) - (11) - Nov. 8, 2002, 03:45:15 AM EST
                     Yikes - (jake123) - (10) - Nov. 8, 2002, 10:58:09 AM EST
                         Re: Yikes - (rickmoen) - (1) - Nov. 8, 2002, 06:11:20 PM EST
                             Well, time will tell - (jake123) - Nov. 9, 2002, 11:31:04 PM EST
                         Re: Yikes - (deSitter) - (7) - Nov. 8, 2002, 08:42:45 PM EST
                             Debian thing? - (pwhysall) - (2) - Nov. 8, 2002, 09:18:29 PM EST
                                 Slip of fingers? - (deSitter) - (1) - Nov. 8, 2002, 09:23:09 PM EST
                                     Re: Slip of fingers? - (pwhysall) - Nov. 8, 2002, 09:44:27 PM EST
                             Re: Yikes - (rickmoen) - (3) - Nov. 9, 2002, 12:36:59 AM EST
                                 lo (and bug, incidentally) - (kmself) - (2) - Nov. 9, 2002, 06:09:12 AM EST
                                     Re: lo (and bug, incidentally) - (jake123) - (1) - Nov. 9, 2002, 11:39:07 PM EST
                                         Re: lo (and bug, incidentally) - (rickmoen) - Nov. 10, 2002, 01:57:14 AM EST
         Common ploy by.... - (folkert) - (2) - Nov. 6, 2002, 09:48:10 PM EST
             Re: Common ploy by.... - (rickmoen) - (1) - Nov. 7, 2002, 03:34:08 AM EST
                 Ok, what do you think of this firewall script? - (jake123) - Nov. 7, 2002, 10:22:02 AM EST

A colonoscopy, while eerily similar, is probably better than politics.
113 ms