[not4n00bs] A "secure" firewall default...

n0ctilucient (Shogun; Posts: 407; Joined: 21 Apr 2017, 15:59; Distribution: fullmoonremix; Location: 127.0.0.1)

Post#1 by n0ctilucient » 06 Mar 2018, 17:47

This thread is for those interested in remastering Porteus instead of using cheatcodes or dialogs.
(I don't use the "rootcopy"... "changes" cheatcodes or the Settings Centre "save" dialogs)

The firewall in Porteus is turned off by default.
To turn it on by default do the following...

Make an empty "/etc" folder (I label mine... 09-etc) containing /etc/rc.d

(While booted into Porteus) copy /etc/rc.d/rc.local
and /etc/rc.d/rc.Firewall into the empty folder.

With a text editor open /etc/rc.d/rc.local and remove
the 1st comment symbol ("#") and add -e to the end of the line.

Then after the 1st group of rc.local comments add the following...

/etc/rc.d/rc.Firewall start


It should look like this...

Code:

#!/bin/sh -e
#
# /etc/rc.d/rc.local:  Local system initialization script.
#
# Put any local startup commands in here.  Also, if you have
# anything that needs to be run at shutdown time you can
# make an /etc/rc.d/rc.local_shutdown script and put those
# commands in there.

/etc/rc.d/rc.Firewall start

Now... make the module and add it to your Porteus loadout.
(the location of the final module is moot... place it in "base" or "modules" if you prefer)

When you start Porteus your firewall will default to "block all".

I'm sure other defaults (and methods) are possible... but you have to start somewhere right?

More to come...
Last edited by n0ctilucient on 13 Mar 2018, 04:13, edited 19 times in total.
:hmmm: I do NOT have the "right" to tell anyone what they should do...
but I reserve the "right" to tell them what they should "consider".

donald (Full of knowledge; Posts: 1391; Joined: 17 Jun 2013, 13:17; Distribution: Porteus 3.2.2 XFCE 32bit; Location: Germany)

Post#2 by donald » 06 Mar 2018, 20:52

n0ctilucient wrote:
06 Mar 2018, 17:47
(While booted into Porteus) copy /etc/rc.d/lrc.local
Ok, this might be a typo..

But then
With a text editor open /etc/rc.d/rc.local and remove
the 1st comment (#) and add -e to the end of the line.
What..??
you mean the first line should be !/bin/sh -e ??

Looks to me like a messed up shebang line.
There should be a '#' in front of the '!'.
And why the -e flag = errexit
(causing the script to immediately exit on the first error)
Please explain why...

Post#3 by n0ctilucient » 06 Mar 2018, 22:09

Thanks donald... :good:

typo corrected.

My current rc.local...

Code:

!/bin/sh -e
#
# /etc/rc.d/rc.local:  Local system initialization script.
#
# Put any local startup commands in here.  Also, if you have
# anything that needs to be run at shutdown time you can
# make an /etc/rc.d/rc.local_shutdown script and put those
# commands in there.

/etc/rc.d/rc.Firewall start

This post was made with the above noted rc.local @ login.
On login the firewall was defaulted to "block all".

I will have to hunt down the faq site (so bear with me).
I'm multitasking today... usually I'm not this sloppy.

I will also try it with the shebang default (#).
Perhaps the firewall will still default to "block all".

More to follow...
Last edited by n0ctilucient on 07 Mar 2018, 02:42, edited 2 times in total.

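Added example (not from any post in this thread): what /bin/sh actually does with the two rc.local variants above. In Slackware, rc.M sources rc.local (". /etc/rc.d/rc.local") rather than executing it; I am going from memory of Slackware's rc.M and have not checked the Porteus copy, so treat "Porteus does the same" as an assumption. Sourced that way, a first line of "!/bin/sh -e" is not an interpreter line at all: the shell reads "!/bin/sh" as a command name, cannot find it, prints an error and carries on, which would explain why the firewall still started with post #3's file. A real "#!/bin/sh -e" only takes effect when something runs the file by path (the kernel turns "#!interp args" into "interp args file"), and then any command that fails above the firewall line aborts the script and leaves the machine with no firewall at all. The script below builds constructed rc.local files in a temp directory with a stub standing in for rc.Firewall (the stub only writes a marker file), so it touches no iptables state; MODE=exec reproduces the kernel's interpreter-line handling by running "interp args file" itself, so nothing needs an executable bit.

```shell
#!/bin/sh
# Added example, not from the thread: how /bin/sh treats the rc.local variants
# discussed above. rc.Firewall is replaced by a constructed stub that only
# writes a marker file, so nothing here touches iptables.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stub standing in for "/etc/rc.d/rc.Firewall start".
cat > "$WORK/rc.Firewall" <<EOF
#!/bin/sh
echo started > "$WORK/firewall.ran"
EOF

# run_rc_local MODE FIRST_LINE [PRE_COMMAND]
# Writes a constructed rc.local: FIRST_LINE, then PRE_COMMAND (default: no-op),
# then the firewall stub. MODE=source runs it the way Slackware's rc.M does
# (". file"; assumed to hold for Porteus). MODE=exec does what the kernel does
# with a "#!" line: runs "interpreter args file". Prints "ran" if the stub
# was reached, "skipped" otherwise.
run_rc_local() {
    rm -f "$WORK/firewall.ran"
    {
        printf '%s\n' "$2"
        printf '%s\n' "${3:-:}"
        printf 'sh "%s" start\n' "$WORK/rc.Firewall"
    } > "$WORK/rc.local"
    if [ "$1" = source ]; then
        if ( set +e; . "$WORK/rc.local" ) 2>/dev/null; then :; fi
    else
        interp=$(sed -n '1s/^#!//p' "$WORK/rc.local")   # empty if no "#!" line
        if [ -n "$interp" ]; then
            if $interp "$WORK/rc.local" 2>/dev/null; then :; fi
        fi
    fi
    if [ -f "$WORK/firewall.ran" ]; then echo ran; else echo skipped; fi
}

# Post #3's file: the first line is not an interpreter line. Sourced, it is a
# command called "!/bin/sh" that does not exist; the failure is ignored and
# the firewall starts anyway.
case_broken_first_line() { run_rc_local source '!/bin/sh -e'; }

# A real "#!/bin/sh -e" run by path: a command failing before the firewall
# line aborts the script and the firewall never starts.
case_errexit_by_path() { run_rc_local exec '#!/bin/sh -e' false; }

# The same file sourced: the -e on the interpreter line is never seen.
case_errexit_sourced() { run_rc_local source '#!/bin/sh -e' false; }

# Plain "#!/bin/sh" run by path: the failure is reported, execution continues.
case_plain_by_path() { run_rc_local exec '#!/bin/sh' false; }

for c in case_broken_first_line case_errexit_by_path case_errexit_sourced case_plain_by_path; do
    printf '%-24s %s\n' "$c" "$($c)"
done
```

The practical point for a firewall default: errexit makes rc.local fail closed for the script but fail open for the network, because whatever sits above the firewall line can stop it from ever running. If the firewall must start no matter what, put its line first (or do not rely on -e at all).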
Post#4 by donald » 07 Mar 2018, 01:01

You only need a modified rc.local file to start the firewall.

Code:

#!/bin/sh
#
# /etc/rc.d/rc.local:  Local system initialization script.
#
# Put any local startup commands in here.  Also, if you have
# anything that needs to be run at shutdown time you can
# make an /etc/rc.d/rc.local_shutdown script and put those
# commands in there.
chmod +x /etc/rc.d/rc.FireWall
/etc/rc.d/rc.FireWall start

n0ctilucient wrote:
When you start Porteus your firewall will default to "block all".
I doubt that the firewall will use the "block all" settings
without further adjustments in rc.FireWall > allowed ports.
I think the firewall will use the default = normal setting.

You can compare the "block all" and "normal" firewall settings
as root with iptables -L -v

Post#5 by n0ctilucient » 07 Mar 2018, 02:26

All I can say is... the rc.local (and firewall default) is what I am using for this post.
However... your version looks interesting so I'll try it also.

In any case... the ultimate goal in these insecure times is to have
a better default than "no" firewall (ie... the current Porteus default).
donald wrote:
You can compare the "block all" and "normal" firewall settings
as root with iptables -L -v

Code:

root@porteus:/usr/bin/fifth-0.5# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   22  1548 ACCEPT     all  --  lo     any     anywhere             anywhere            
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:domain
  280 26537 ACCEPT     udp  --  any    any     anywhere             anywhere             udp spt:domain
40953   90M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp spt:http state ESTABLISHED
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp spt:https state ESTABLISHED
  133  4616 LOG_DROP   all  --  any    any     anywhere             anywhere            

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG_DROP   all  --  any    any     anywhere             anywhere            

Chain OUTPUT (policy DROP 120 packets, 6240 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   22  1548 ACCEPT     all  --  any    lo      anywhere             anywhere            
  280 17068 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:domain
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp spt:domain
13119 1202K ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http state NEW,ESTABLISHED
17545 3732K ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https state NEW,ESTABLISHED

Chain LOG_DROP (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  133  4616 DROP       all  --  any    any     anywhere             anywhere

Since I remaster (and boot) from CDR... I have to remaster
and burn to make changes using your rc.local version.

I'm a little busy tonight but tomorrow I'll report back to
you my findings and I'll also look for the original faq site.

Cheers.

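Added example (not from the thread): a check over the "iptables -L -v" listing above, so the ruleset in place at boot can be verified by a script rather than eyeballed. SAMPLE below is the listing n0ctilucient posted, embedded as sample input; OPEN_SAMPLE is a constructed listing of the empty default filter table (every policy ACCEPT, no rules), which is what "no firewall" looks like. The functions report each built-in chain's policy and the ports an ACCEPT rule opens in a given chain. On the posted listing all three policies are DROP; the only INPUT ACCEPT rule naming a destination port is udp dpt:domain, and OUTPUT lets out only domain, http and https, which is what "block all" means on that box. The check_live function is my assumed usage, not something from the thread: it runs the same test against the live table as root, with -n so ports print as numbers (the parser does not care which form it gets).

```shell
#!/bin/sh
# Added example, not from the thread: check an "iptables -L -v" listing instead
# of eyeballing it. SAMPLE is the listing posted above; OPEN_SAMPLE is a
# constructed listing of the empty default filter table (no firewall loaded).

SAMPLE=$(cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   22  1548 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:domain
  280 26537 ACCEPT     udp  --  any    any     anywhere             anywhere             udp spt:domain
40953   90M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp spt:http state ESTABLISHED
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp spt:https state ESTABLISHED
  133  4616 LOG_DROP   all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG_DROP   all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy DROP 120 packets, 6240 bytes)
 pkts bytes target     prot opt in     out     source               destination
   22  1548 ACCEPT     all  --  any    lo      anywhere             anywhere
  280 17068 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:domain
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp spt:domain
13119 1202K ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http state NEW,ESTABLISHED
17545 3732K ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https state NEW,ESTABLISHED

Chain LOG_DROP (2 references)
 pkts bytes target     prot opt in     out     source               destination
  133  4616 DROP       all  --  any    any     anywhere             anywhere
EOF
)

# Constructed: what iptables -L -v shows when no firewall has been loaded.
OPEN_SAMPLE=$(cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
)

# chain_policy CHAIN LISTING: the chain's default policy, "none" for user chains.
chain_policy() {
    printf '%s\n' "$2" | awk -v c="$1" '
        $1 == "Chain" && $2 == c { if ($3 == "(policy") print $4; else print "none"; exit }'
}

# open_ports CHAIN LISTING: "proto port" for every ACCEPT rule in CHAIN that
# names a destination port, i.e. what the ruleset lets in (INPUT) or out (OUTPUT).
# Fields 1-9 are pkts bytes target prot opt in out source destination; the
# match text (udp dpt:domain, state ..., ctstate ...) starts at field 10.
open_ports() {
    printf '%s\n' "$2" | awk -v c="$1" '
        $1 == "Chain" { chain = $2; next }
        chain == c && $3 == "ACCEPT" {
            for (i = 10; i <= NF; i++)
                if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print $4, $i }
        }'
}

# all_drop LISTING: succeed only if INPUT, FORWARD and OUTPUT all default to DROP.
all_drop() {
    for c in INPUT FORWARD OUTPUT; do
        [ "$(chain_policy "$c" "$1")" = DROP ] || return 1
    done
}

# report LISTING: policy per built-in chain, ports opened each way, verdict.
report() {
    for c in INPUT FORWARD OUTPUT; do
        printf '%-8s policy %s\n' "$c" "$(chain_policy "$c" "$1")"
    done
    printf 'inbound : %s\n' "$(open_ports INPUT "$1" | tr '\n' ' ')"
    printf 'outbound: %s\n' "$(open_ports OUTPUT "$1" | tr '\n' ' ')"
    if all_drop "$1"; then echo "verdict : block all"; else echo "verdict : NOT block all"; fi
}

# check_live: the same check against the running table (as root).
check_live() { all_drop "$(iptables -L -v -n)"; }

report "$SAMPLE"
echo
report "$OPEN_SAMPLE"
```

A DROP policy on all three chains is only half the story; the open_ports output is what tells you which services are still reachable, and inbound udp/domain on every interface is worth knowing about on a box described as "block all".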
Post#6 by donald » 07 Mar 2018, 11:59

EDIT
...learned something today...thanks! ncmprhnsbl :good:

So the simplest way to achieve the goal would be to create a module containing
/etc/rc.d/rc.FireWall,
make rc.FireWall executable and edit the ALLOWED_PORTS line.

Example:
Firewall "normal" would be ALLOWED_PORTS="20 21 22 25 80 110 143 443"
Firewall "block all" would be ALLOWED_PORTS="80 443"

and if you name the resulting module (e.g) 009-firewall.xzm
and place it into the "base" folder, it will work in AF mode too.
Last edited by donald on 07 Mar 2018, 14:44, edited 2 times in total.

ncmprhnsbl (DEV Team; Posts: 1505; Joined: 20 Mar 2012, 03:42; Distribution: 4.0-64bit all-DE+more; Location: australia)

Post#7 by ncmprhnsbl » 07 Mar 2018, 12:12

FYI, once /etc/rc.d/rc.FireWall is made executable, it will start at boot without needing "/etc/rc.d/rc.FireWall start" in rc.local (or anywhere else):
whatever is executable in /etc/rc.d/ will be executed at boot.
When set with psc, a module containing /etc/rc.d/rc.FireWall (executable) is made (when not using /changes).

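Added example (not from the thread) that puts posts #1, #4, #6 and #7 together as one script: lay out the overlay directory, drop in an executable rc.FireWall with its ALLOWED_PORTS line set to the "block all" list donald gives ("80 443"), and build the module as 009-firewall.xzm for the base folder. Following ncmprhnsbl's post, no rc.local edit is needed; the executable bit on /etc/rc.d/rc.FireWall is what makes it run at boot. Assumptions: it is run on Porteus as root with /etc/rc.d/rc.FireWall present (the thread spells the file both rc.Firewall and rc.FireWall; filenames are case sensitive, so check with "ls /etc/rc.d/rc.Fire*" first, and point FIREWALL_SRC at the right one); dir2xzm is Porteus's own module builder and is only called when it is on PATH, so on any other system the script stops after laying out the tree. When no real rc.FireWall exists the script uses a constructed stub holding only an ALLOWED_PORTS line, since that line is all the thread shows of the file.

```shell
#!/bin/sh
# Added example, not from the thread: build a Porteus overlay module that
# starts the firewall at boot with donald's "block all" port list.
# Assumes Porteus (dir2xzm on PATH) and root; otherwise it only lays out the tree.

FIREWALL_SRC=${FIREWALL_SRC:-/etc/rc.d/rc.FireWall}   # check the spelling: ls /etc/rc.d/rc.Fire*
BLOCK_ALL_PORTS="80 443"                              # donald's "block all" list
NORMAL_PORTS="20 21 22 25 80 110 143 443"             # donald's "normal" list, for comparison

# set_allowed_ports FILE "PORTS": rewrite the ALLOWED_PORTS line in place.
# Fails if the file has no such line, so a misnamed or foreign file is noticed.
set_allowed_ports() {
    grep -q '^ALLOWED_PORTS=' "$1" || return 1
    sed 's/^ALLOWED_PORTS=.*/ALLOWED_PORTS="'"$2"'"/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# get_allowed_ports FILE: print the port list currently configured in FILE.
get_allowed_ports() {
    sed -n 's/^ALLOWED_PORTS="\(.*\)"/\1/p' "$1"
}

# make_overlay DEST SRC "PORTS": DEST/etc/rc.d/rc.FireWall, executable, with PORTS set.
make_overlay() {
    mkdir -p "$1/etc/rc.d" || return 1
    cp "$2" "$1/etc/rc.d/rc.FireWall" || return 1
    set_allowed_ports "$1/etc/rc.d/rc.FireWall" "$3" || return 1
    chmod 755 "$1/etc/rc.d/rc.FireWall"     # executable in /etc/rc.d => run at boot
}

# build_module DEST OUT.xzm: wrap the tree with Porteus's dir2xzm, if present.
build_module() {
    if command -v dir2xzm >/dev/null 2>&1; then
        dir2xzm "$1" "$2"
    else
        echo "dir2xzm not found; overlay left at $1" >&2
        return 2
    fi
}

# Demo: use the real rc.FireWall when it exists, otherwise a constructed stub
# holding only the ALLOWED_PORTS line (all the thread shows of the file).
WORK=$(mktemp -d)
if [ -f "$FIREWALL_SRC" ]; then
    SRC=$FIREWALL_SRC
else
    SRC="$WORK/rc.FireWall.stub"
    printf '#!/bin/sh\nALLOWED_PORTS="%s"\n' "$NORMAL_PORTS" > "$SRC"
fi
make_overlay "$WORK/009-firewall" "$SRC" "$BLOCK_ALL_PORTS"
echo "ALLOWED_PORTS now: $(get_allowed_ports "$WORK/009-firewall/etc/rc.d/rc.FireWall")"
if build_module "$WORK/009-firewall" "$WORK/009-firewall.xzm"; then
    echo "module at $WORK/009-firewall.xzm; copy it to base/ (loads in AF mode too) or modules/"
fi
```

After the next boot, confirm the result with iptables -L -v as root rather than trusting the module name: a module that loaded but whose rc.FireWall lost its executable bit (some copy tools drop it) starts nothing.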
Post#8 by n0ctilucient » 07 Mar 2018, 12:17

Thanks donald... :good:

Your input is duly noted.

Not for nothing... this thread is for those interested in remastering by hand.
And yes... the dialogs and cheatcodes are notwithstanding important to n00bs.

In any case... the 1st post is still valid as are your alternatives.

This is not a zero sum game... we are all correct.
I do not post theoretically... all my posts are tested.

This post was done using my method which was successful.
If your point is efficiency... then there is only welcome lively discussion.

As I stated originally... this thread is a starting point.
Last edited by n0ctilucient on 10 Mar 2018, 11:43, edited 12 times in total.

Post#9 by donald » 07 Mar 2018, 12:28

@ ncmprhnsbl
Aha!, good to know, thanks. :beer:

Post#10 by donald » 07 Mar 2018, 12:46

@ n0ctilucient
Hmmm...I thought you were going to build a module as you wrote in the 1st post
n0ctilucient wrote:
Now... make the module and add it to your Porteus loadout.
add it to the iso and burn a CD (or whatever)

Otherwise you could surely extract the original modules, search for the files, replace
them and rebuild the module, :)

Post#11 by n0ctilucient » 07 Mar 2018, 13:05

Listen carefully... I am not "going to" do anything.
I'm posting with (and already using) what was already done.

This is NOT proof of concept.

In any case... your method "seems" more efficient.

I just have not tried it yet. If it's a winner I will revise the 1st post.

In regard to editing original modules... @ least for me I try to avoid it.
The exception being only if I am deprecating w/ my own compiled packages.

What I'm trying to say is... I prefer overwrite to editing (@ least for certain projects).

:unknown: I think we both know my preferences are on the esoteric side...
but I'm an esoteric kinda guy. Status quo doesn't work for me.