slycordinator (Advocate)
Joined: 31 Jan 2004 Posts: 3065 Location: Korea
Posted: Thu Mar 04, 2004 11:26 pm Post subject: Need good iptables/ipfilter script...

I've tried different firewall programs and scripts, only to find nothing that really works well.
No matter what I do, running nmap always returns that all my ports are closed (and I'm sure if the filter is set up correctly it should at least respond with some ports being "stealth").
So here's my current system setup:
Single NIC connected directly to T-1 LAN.
Kernel 2.4.25 with ipfilter modules installed.

Given M. Sur (l33t)
Joined: 03 Feb 2004 Posts: 648 Location: No such file or directory
Posted: Thu Mar 04, 2004 11:32 pm Post subject:

ipkungfu is extremely easy to set up. After emerging, the only file (in your situation) you should have to edit is /etc/ipkungfu/ipkungfu.conf
The file is full of comments to help you edit it.
_________________
What is the best [insert-type-of-program-here]?

slycordinator (Advocate)
Joined: 31 Jan 2004 Posts: 3065 Location: Korea
Posted: Fri Mar 05, 2004 1:02 am Post subject:

00420 wrote:
> ipkungfu is extremely easy to set up. After emerging, the only file (in your situation) you should have to edit is /etc/ipkungfu/ipkungfu.conf
> The file is full of comments to help you edit it.

All the current versions of it are masked as unstable for x86.
Guess I'll try to find its source code somewhere else.

Given M. Sur (l33t)
Joined: 03 Feb 2004 Posts: 648 Location: No such file or directory
Posted: Fri Mar 05, 2004 2:02 am Post subject:

Hmmm... I didn't remember it being masked when I emerged it, but it may have been. You may just want to try

Code:
    ACCEPT_KEYWORDS="~x86" emerge ipkungfu

rather than getting the source from somewhere else. I have version 0.5.2 and it works fine. I'm going to try to upgrade to 0.5.2-r1 to test it out tonight.
You might need to find the README and FAQ files somewhere else. Portage didn't install them for me.
If you want I can send you my ipkungfu.conf file. It should work with your system. Just email me if you want it.
_________________
What is the best [insert-type-of-program-here]?

jesterspet (Apprentice)
Joined: 05 Feb 2003 Posts: 215 Location: Atlanta
Posted: Fri Mar 05, 2004 2:48 am Post subject: Re: Need good iptables/ipfilter script...

slycordinator wrote:
> No matter what I do, running nmap always returns that all my ports are closed

And this is a bad thing why?
Nmap returning results that say all your ports are closed is a very good thing. You don't want stealthed/filtered/open ports being returned at all to outside scans.
_________________
(X) Yes! I am a brain damaged lemur on crack, and would like to buy your software package for $499.95

slycordinator (Advocate)
Joined: 31 Jan 2004 Posts: 3065 Location: Korea
Posted: Fri Mar 05, 2004 3:46 am Post subject:

00420 wrote:
> Hmmm... I didn't remember it being masked when I emerged it, but it may have been. You may just want to try
>
> Code:
>     ACCEPT_KEYWORDS="~x86" emerge ipkungfu
>
> rather than getting the source from somewhere else. I have version 0.5.2 and it works fine. I'm going to try to upgrade to 0.5.2-r1 to test it out tonight.
> You might need to find the README and FAQ files somewhere else. Portage didn't install them for me.
> If you want I can send you my ipkungfu.conf file. It should work with your system. Just email me if you want it.

I'm giving guarddog a try. Only downside to it is it's installing qt and kde libraries that I haven't needed. And those take forever. Though now that I think of it, there are some programs I've wanted to install but didn't because of the KDE libs thing.
I'll try ipkungfu some other time. But sure, go ahead and send me the "ipkungfu.conf" file.
slycorc at cc.wwu.edu

slycordinator (Advocate)
Joined: 31 Jan 2004 Posts: 3065 Location: Korea
Posted: Fri Mar 05, 2004 3:54 am Post subject: Re: Need good iptables/ipfilter script...

jesterspet wrote:
> slycordinator wrote:
> > No matter what I do, running nmap always returns that all my ports are closed
>
> And this is a bad thing why?
> Nmap returning results that say all your ports are closed is a very good thing. You don't want stealthed/filtered/open ports being returned at all to outside scans.

I was under the impression that it was essentially doing what seems like an outside scan.
The way I did it was, as root, I called "nmap -sS IPADDRESS".
Note I was using my IP address and not the address for localhost. I would expect if you called it against the localhost address it would return all closed.
I tried testing this whole thing by going to www.grc.com for their "ShieldsUP!" utility but it doesn't work because it gets an incorrect IP sent. For some reason our network is messed up so that sites like that one are listing my IP as being the one that is registered to some networking box for the "Residential Technologies" group. God, wish those guys knew what they were doing and didn't mess up this network (almost) all the time.

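The thread never gets to an actual rule set, so here is an added example (not from any poster, nor ipkungfu's, guarddog's or Shorewall's own code) of the kind of single-NIC iptables script the original post asked for, written for the iptables "state" match that a 2.4-era kernel provides. It also makes the "closed" versus "stealth" distinction concrete: whether unsolicited packets are dropped or rejected decides what a SYN scan from another host reports. Dropping yields "filtered" (what GRC calls stealth), rejecting with a TCP reset yields "closed", and a listening service that the rules let through yields "open". Note that scanning your own address from the same machine, as described above, is routed over the loopback interface, so it only exercises the `-i lo` rule and says nothing about the NIC rules; the scan has to come from a second host. The interface name, the `ALLOW_TCP` and `FW_APPLY` variables and the `build_rules`/`apply_rules`/`count_rules` function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example: minimal stateful single-NIC iptables script.
# Assumes the stock iptables binary and the 2.4 "state" match.
# Not from the thread or from any firewall project named in it.

IPT=${IPT:-iptables}

# build_rules prints the iptables commands instead of running them,
# so the rule set can be reviewed (or tested) without root.
#   $1 = interface name (e.g. eth0), $2 = fate of unsolicited traffic:
#   DROP   -> remote nmap -sS reports "filtered" (GRC "stealth")
#   REJECT -> remote nmap -sS reports "closed"
build_rules() {
    iface=$1
    policy=${2:-DROP}

    echo "$IPT -F INPUT"
    echo "$IPT -P INPUT DROP"        # default deny inbound
    echo "$IPT -P FORWARD DROP"      # single NIC: nothing to forward
    echo "$IPT -P OUTPUT ACCEPT"
    # loopback is trusted (this is where a local self-scan ends up)
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    # replies to connections this box started: the stateful core
    echo "$IPT -A INPUT -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # a loopback source address arriving on the NIC is spoofed
    echo "$IPT -A INPUT -i $iface -s 127.0.0.0/8 -j DROP"
    # answer ping so basic reachability checks still work
    echo "$IPT -A INPUT -i $iface -p icmp --icmp-type echo-request -j ACCEPT"
    # new inbound connections only for the services listed in ALLOW_TCP
    for port in ${ALLOW_TCP:-}; do
        echo "$IPT -A INPUT -i $iface -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # everything else: silently drop, or answer with a reset/unreachable
    if [ "$policy" = REJECT ]; then
        echo "$IPT -A INPUT -i $iface -p tcp -j REJECT --reject-with tcp-reset"
        echo "$IPT -A INPUT -i $iface -j REJECT --reject-with icmp-port-unreachable"
    else
        echo "$IPT -A INPUT -i $iface -j DROP"
    fi
}

# apply_rules feeds the generated commands to a shell; needs root.
apply_rules() {
    build_rules "$@" | sh -e
}

# count_rules returns how many commands a given configuration emits.
count_rules() {
    build_rules "$@" | wc -l | tr -d ' '
}

# Usage:  ALLOW_TCP="22" FW_APPLY=1 sh fw.sh eth0 DROP
# Without FW_APPLY=1 the script only prints the rules for review.
if [ "${FW_APPLY:-0}" = 1 ]; then
    apply_rules "${1:-eth0}" "${2:-DROP}"
else
    build_rules "${1:-eth0}" "${2:-DROP}"
fi
```

The order matters: the ESTABLISHED,RELATED rule comes first so return traffic for outbound connections is accepted before any of the inbound checks, and the final DROP or REJECT rule is a belt-and-braces duplicate of the chain policy so the choice between "filtered" and "closed" is explicit in the script rather than implied by the policy. Re-run the remote scan after each change; a port that shows up as open should correspond to a service you deliberately listed in ALLOW_TCP.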
jhmartin (Tux's lil' helper)
Joined: 03 Sep 2003 Posts: 95
Posted: Sun Mar 07, 2004 12:57 am Post subject:

I recommend Shorewall for a firewall utility.

slycordinator (Advocate)
Joined: 31 Jan 2004 Posts: 3065 Location: Korea
Posted: Sun Mar 07, 2004 2:53 am Post subject:

I'll give shorewall a try as well.
Figured out why the scan didn't work at grc.com. I was connecting through a proxy server on campus and it was sending the server's IP address and location out, then testing that.
And I've figured out that guarddog is lame. Sure it's got a nice gui and was easy to set up. But choosing settings to make it so I could use ports to get online made them come up as completely open to the world when tested.
Wish there was something like zonealarm to work in Linux. Instead of having ports be allowed to be open/closed, allowing it to control which programs had access. Simpler idea imo.

jhmartin (Tux's lil' helper)
Joined: 03 Sep 2003 Posts: 95
Posted: Sun Mar 07, 2004 3:00 am Post subject:

The GRSecurity kernel patch can do that actually, although its rules aren't as easy to set up as ZA.