/etc/rc.d/rc.FireWall bug

Please reproduce your error on a second machine before posting, and check the error by running without saved changes or extra modules (See FAQ No. 13, "How to report a bug"). For unstable Porteus versions (alpha, beta, rc) please use the relevant thread in our "Development" section.
Post Reply
kadalka
White ninja
White ninja
Posts: 28
Joined: 05 Dec 2012, 18:53
Distribution: Linux Mint
Location: France

/etc/rc.d/rc.FireWall bug

Post#1 by kadalka » 05 Dec 2012, 21:32

We need a firewall to fight against insider and outsider attackers...
A firewall should have appropriate "technics" to fight against attackers...
So...

I've noticed a bug in the policy area:
some code are missing... :(
I've noticed the issue when the iptables command said that the policy stays at ACCEPT... :fool:
[after "stop" then another "start", this occur]

I'm not here to ask something, I'm here to give solution to this firewall bug.

After the code below...

Code: Select all

if [ "$1" = "start" ]; then
#... some codes are here... then you've got the above lines:
   $IPTABLES -F      # remove all rules
   $IPTABLES -X      # delete all user-defined chains
...put these at least:

Code: Select all

    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P INPUT DROP
To make your code more efficient, also put this code :
[for a more appropriate technics 8) ]

Code: Select all

    $IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
    $IPTABLES -A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
I remind some of you that to run the Firewall, something I do recommend, do this as root:

Code: Select all

# /etc/rc.d/rc.FireWall start
Of course, if what I've said is wrong, feel free to explain it to me. :)
I rather prefer to write some stupid things sometimes, being eventually ridiculous and learn something :oops: than staying ignorant about what is correct or not... :cry:
I like Slackware so I tried Porteus...
You don't know everything because you are born to learn ...

User avatar
fanthom
Site Admin
Site Admin
Posts: 4566
Joined: 28 Dec 2010, 02:42
Distribution: Porteus Kiosk
Location: Poland, currently - Cork, IE
Contact:

Re: /etc/rc.d/rc.FireWall bug

Post#2 by fanthom » 06 Dec 2012, 14:34

hello kadalka,

please read the description at the top of the firewall script:
# Simple firewall disallowing all incomming connections
# but allowing all traffic on localhost (lo device)
# and allowing all outgoing traffic for $ALLOWED_PORTS
# (you can set the variable below)
that's why we can't do:

Code: Select all

    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P INPUT DROP
as all connections would be blocked and this is not what we want.

Cheers
Please add [Solved] to your thread title if the solution was found.

kadalka
White ninja
White ninja
Posts: 28
Joined: 05 Dec 2012, 18:53
Distribution: Linux Mint
Location: France

Re: /etc/rc.d/rc.FireWall bug

Post#3 by kadalka » 07 Dec 2012, 00:00

please read the description at the top of the firewall script:
1/ A good Firewall rule does not need explanations to be read...
Only computers' newbies read it, and they should...

This is why I do not read it.

2/ In my discuss there are two parts:
Policy issue and "better" drop...
Both are security best practice...

3/ Lets see if I am wrong or not with the next post:
As I said: I am NOT here for questions but for informations.
And we are here to discuss... not to fight.
This is what I expect.
I like Slackware so I tried Porteus...
You don't know everything because you are born to learn ...

User avatar
Hamza
Warlord
Warlord
Posts: 1847
Joined: 28 Dec 2010, 07:41
Distribution: Porteus
Location: France

Re: /etc/rc.d/rc.FireWall bug

Post#4 by Hamza » 07 Dec 2012, 00:10

1/ A good Firewall rule does not need explanations to be read...
Only computers' newbies read it, and they should...
Explain yourself.
This is why I do not read it.
Does this mean you're not a computer newbie? If yes, who are you to judge you as experimented user? Even most known linux users didn't assumed they were experimented. Your signature says "We are born to learn" ... so you will have to teach us and explain us your point of view. The base of human communication.
As I said: I am NOT here for questions but for informations.
This is totally against your signature definition ... "We are born to learn" ... does this mean you have anything new to learn from us or our community about this very basic firewall script ?
And we are here to discuss... not to fight.
Who said we are going to fight with you? Fanthom has simply answered with the best simplicity we can have. You must has misunderstood his answer ;)
NjVFQzY2Rg==

kadalka
White ninja
White ninja
Posts: 28
Joined: 05 Dec 2012, 18:53
Distribution: Linux Mint
Location: France

Re: /etc/rc.d/rc.FireWall bug

Post#5 by kadalka » 07 Dec 2012, 00:52

Hello fanthom,

All commands below must be run as root of course.
If you're not root, then do this (the password should be: toor)

Code: Select all

su -

Code: Select all

head -n 10 /etc/rc.d/rc.FireWall
#!/bin/bash
#
# usage: rc.firewall start|stop|status
#
# Simple firewall disallowing all incomming connections
# but allowing all traffic on localhost (lo device)
# and allowing all outgoing traffic for $ALLOWED_PORTS
# (you can set the variable below)
#
# Author: Tomas M. <http://slax.linux-live.org/>
Let show line numbers :

#1!/bin/bash
#
# usage: rc.firewall start|stop|status
#
#5 Simple firewall disallowing all incomming connections
# but allowing all traffic on localhost (lo device)
#7 and allowing all outgoing traffic for $ALLOWED_PORTS
# (you can set the variable below)
#
# Author: Tomas M. <http://slax.linux-live.org/>

Line 5 means :

Code: Select all

   $IPTABLES -P INPUT DROP
Line 7 means :
disallowing all outgoing traffic EXCEPT those in $ALLOWED_PORTS

Code: Select all

   $IPTABLES -P OUTPUT DROP
Lets see the original code how it runs :
First do:

Code: Select all

# /etc/rc.d/rc.FireWall stop
This code...

Code: Select all

# /etc/rc.d/rc.FireWall status
... shows this :

Code: Select all

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
Then this code...

Code: Select all

# /etc/rc.d/rc.FireWall start
# /etc/rc.d/rc.FireWall status
... shows this :

Code: Select all

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
## ... some drops and accepts :-)

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG_DROP   all  --  any    any     anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            
## ... some drops and accepts :-)
Explain me why we can see that INPUT is in the state of ACCEPT when your goal is disallow INPUT ?
If everything is ACCEPT then no firewall is needed, because nothing is stopped.
Is it what everyone wants ?
Even, Microsoft do recommend that the outgoing connections should be allowed by correct rules...

INPUT must be in the state of DROP, and that's it, at least !

Make the change as I said in my first post and then do this:

Code: Select all

# /etc/rc.d/rc.FireWall start
# /etc/rc.d/rc.FireWall status
which shows this:

Code: Select all

Chain INPUT (policy DROP 0 packets, 0 bytes)
## ... some drops and accepts :-)

Chain FORWARD (policy DROP 0 packets, 0 bytes)
## ... some drops and accepts :-)

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
## ... some drops and accepts :-)
This is how it should be shown: everything is DROP
So what is wrong in my discuss ?


Now, lets discuss your point of view, which is not the original code point of view.
as all connections would be blocked and this is not what we want.
All connections that could be blocked should be blocked: this is "best security practice".
And $ALLOWED_PORTS are allowed...
This is the behavior we want.

Porteus is not used as a firewall but as a desktop distro.
In another word we can block everything but allowed connections.
If some guys would like to use it as a Firewall/router, then FORWARD should be set to ACCEPT.
However, someone who would like to use it as a firewall must learn how to use firewall.
In my point of view, Porteus is not a good choice for that.
I like Slackware so I tried Porteus...
You don't know everything because you are born to learn ...

kadalka
White ninja
White ninja
Posts: 28
Joined: 05 Dec 2012, 18:53
Distribution: Linux Mint
Location: France

Re: /etc/rc.d/rc.FireWall bug

Post#6 by kadalka » 07 Dec 2012, 01:40

Hello Hamza,
Does this mean you're not a computer newbie? If yes, who are you to judge you as experimented user?
I could say that I am an experienced user in some areas and not experienced in some other area.
And of course, I know nothing in some area... This is normal life.
Experienced is what some people said about me in some area.
For example, if you know how to compile a kernel to fit your need you can't say that you are a newbie.
Even most known linux users didn't assumed they were experimented
I can't say that I am not experienced: it's not honest. But, I can say that there are many things I don't know about Linux.
Honesty is something important in my life.
does this mean you have anything new to learn from us or our community about this very basic firewall script ?
This is not your script, this is Thomas (slax).
If there's something new until today, then your script should be the same as mine, which is not.
However, there are many new things to learn in the iptables area for example...

When I said I am NOT here for questions but for informations, it's just for today of course, and for this firewall issue.
It's about serious discuss not junk ones...

Who said we are going to fight with you? Fanthom has simply answered with the best simplicity we can have

I understand what he said, he does not understand what I said. :( (see what I said before this post)
The fight thing is what I put because in many forums some stupid people think that when you said no, especially when they are administrator or something like that, you are the guy that would like to have a fight or worse you are mad at them.
So, i am happy that this is not the case. :D
Honestly I do not think that he is a bad guy. :oops:

I am prudent... 8)

I've learnt today that you are ready to discuss whosever I am. :friends:

Last : I must admit it: you seem to be a good guy.
A good point for you.
You will see that I am a good guy too... :)
I like Slackware so I tried Porteus...
You don't know everything because you are born to learn ...

User avatar
fanthom
Site Admin
Site Admin
Posts: 4566
Joined: 28 Dec 2010, 02:42
Distribution: Porteus Kiosk
Location: Poland, currently - Cork, IE
Contact:

Re: /etc/rc.d/rc.FireWall bug

Post#7 by fanthom » 07 Dec 2012, 02:18

@kadalka

i get you now.
will test both configs tomorrow morning.

thanks for detailed explanation.
Please add [Solved] to your thread title if the solution was found.

User avatar
wread
Module Guard
Module Guard
Posts: 1065
Joined: 09 Jan 2011, 18:48
Distribution: Porteus v3.2.5-kde5-64 bits
Location: Santo Domingo
Contact:

Re: /etc/rc.d/rc.FireWall bug

Post#8 by wread » 07 Dec 2012, 02:24

I always meant, a firewall for Porteus is not useful; attackers work towards Windows machines, not towards Linux (Well, if Wine is not installed....), Windows machines are easier to brake (no posix files!), so why bother?

Firewalls bring always discussions about pros and cons of allowing and accepting connections. It is like having sx using a cdm.... If you are afraid of being attacked, then you would rather keep away from the internet. Read a book or see a video.

Cheers!
Porteus is proud of the FASTEST KDE ever made.....(take akonadi, nepomuk and soprano out and you will have a decent OS).
The Porteus Community never sleeps!

kadalka
White ninja
White ninja
Posts: 28
Joined: 05 Dec 2012, 18:53
Distribution: Linux Mint
Location: France

Re: /etc/rc.d/rc.FireWall bug

Post#9 by kadalka » 07 Dec 2012, 02:45

Hello everyone,
I always meant, a firewall for Porteus is not useful
It's useful for other distros ? That's ridiculous...
attackers work towards Windows machines, not towards Linux (Well, if Wine is not installed....), Windows machines are easier to brake (no posix files!), so why bother?
You don't know what I am talking about don't you ?
When Linux will be the number one, we may redo this discuss.
You could be attacked, like android. Android is a linux sort of...

For example, your computer could be hacked to be a zombie one. Trust me it is not good for you if this occur.
(You could be sued for that)
Firewalls bring always discussions about pros and cons of allowing and accepting connections
Serious people know for certain that connections should be closed and opened only if needed...
It is like having sx using a cdm....
no comment...
If you are afraid of being attacked, then you would rather keep away from the internet. Read a book or see a video.
It's not about me, it's about everyone needs. Everyone needs minimal security.
Every one are afraid of being hacked. Some people always ask me about how to secure correctly a Windows system...
Do you think that everybody know how to handle a GPO and how much it may cost ? I guess not.
If you know how to, 99% do not.

I'm not afraid to be hacked. A "cracker" have millions of MS Windows computer with no security at all to use with no fear.
Do you think that he is stupid enough to try to hack me, a linux/unix user who know how to handle Windows GPO ? :shock:

Here, I give to everybody minimal security for zero dollars... :)
I like Slackware so I tried Porteus...
You don't know everything because you are born to learn ...

User avatar
fanthom
Site Admin
Site Admin
Posts: 4566
Joined: 28 Dec 2010, 02:42
Distribution: Porteus Kiosk
Location: Poland, currently - Cork, IE
Contact:

Re: /etc/rc.d/rc.FireWall bug

Post#10 by fanthom » 07 Dec 2012, 10:00

@kadalka

i have made a simple test:
a) started openssh server in porteus
b) edited firewall and removed port 22 from 'ALLOWED_PORTS='
c) started firewall
d) confirmed that port 22 is not allowing incoming connections on this page:
http://www.speedguide.net/networktools.php
e) stopped firewall and port 22 become open

looks like everything is ok - please try yourself.
Please add [Solved] to your thread title if the solution was found.

User avatar
wread
Module Guard
Module Guard
Posts: 1065
Joined: 09 Jan 2011, 18:48
Distribution: Porteus v3.2.5-kde5-64 bits
Location: Santo Domingo
Contact:

Re: /etc/rc.d/rc.FireWall bug

Post#11 by wread » 07 Dec 2012, 11:35

@kadalka
What you have is an illness named "Windows-paranoia". If you are so smart, please, try to attack me, I invite you!
Cheers! :D
Porteus is proud of the FASTEST KDE ever made.....(take akonadi, nepomuk and soprano out and you will have a decent OS).
The Porteus Community never sleeps!

User avatar
Hamza
Warlord
Warlord
Posts: 1847
Joined: 28 Dec 2010, 07:41
Distribution: Porteus
Location: France

Re: /etc/rc.d/rc.FireWall bug

Post#12 by Hamza » 07 Dec 2012, 12:35

If everything is ACCEPT then no firewall is needed, because nothing is stopped.
A firewall could be used to forward traffic ;)
NjVFQzY2Rg==

kadalka
White ninja
White ninja
Posts: 28
Joined: 05 Dec 2012, 18:53
Distribution: Linux Mint
Location: France

Re: /etc/rc.d/rc.FireWall bug

Post#13 by kadalka » 18 Dec 2012, 22:28

Hamza wrote: A firewall could be used to forward traffic ;)
If I give comments in a forum, I focus to everyone needs.

It will be hard to hear to people if I said that Firewall could be used to alter tcp/ip packets...
In another word, that your packets [when you use a browser and do the http://an.address.com/] could be changed such as "yes" becomes "no"...

About the rc.firewall.
a) I never said that the Porteus doesn't run at all. I said that it is not a serious one, if best practises should be one of the first goal of a nice distro.
b) I've changed the basic firewall to make it easier to read.
c) I will give the appropriate FireWall as Best Practises ask so no one would be hurt.
[A link will be provided]
Reminder :
1/ policies = DROP
2/ SYN/ACK issues as it is written in THIS post.

In another word, I stick with what I said unless someone have good idea to share.
I like Slackware so I tried Porteus...
You don't know everything because you are born to learn ...

Post Reply