----- Original Message -----
From: "Michael Stauber" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, 20 January, 2002 16:15
Subject: Re: [cobalt-security] Portsentry, ipchains and pmfirewall

> That's right. However, this entails one capital danger: If you have a mistake
> in your ruleset which locks you out, then even rebooting the server will not
> help you to remove the problem, as the firewall will kick in automatically
> after reboot. So make sure to program in a delay like "sleep 5m" so that you
> can go in after server reboot and can kill the process.

Yes, this is a very important safety measure for a remote server. I will set
this delay. Thanks for the idea.

> The easiest way is to not allow by IP-address, but by netblock with
> corresponding subnet mask. That's about the only option you have with
> gShield, as it's not designed to handle multiple (own) IP addresses another
> way. While this looks like a security issue at first glimpse, on second
> glimpse - it isn't. All your closed ports are still closed and all blocked
> source addresses are still blocked. The additional target IP addresses you
> opened up ... now that's no issue at all. On those IPs your machine isn't
> listening anyway, so this does no damage at all.
>
> You can automatically fetch the important network settings from the RaQ's
> configuration files. To do so just add/replace the following in gShield.conf:
>
> # ------ [ Network settings ] ------ #
>
> # Automatically fetch them from the RaQ configuration files
> source /etc/sysconfig/network-scripts/ifcfg-eth0
>
> LOCALIP=$IPADDR
> LOCALMASK=$NETMASK
> LOCALNET=$NETWORK/$NETMASK
> REMOTENET="0/0"
>
> As you can see, I read /etc/sysconfig/network-scripts/ifcfg-eth0 (where the
> RaQ stores the network settings for eth0) and then I just pass the
> information to the proper strings in gShield. That way you can even use the
> frontpanel to reconfigure your basic network settings and the firewall will
> then use the new settings right away after the reboot which then takes place.
>
> Just make darn well sure that your gateway is within the same network class
> as $LOCALNET, otherwise you blow off your own boot.
>
> The only thing you still have to enter manually are the DNS servers. I use a
> three line shell script and a short PERL-script to read those settings and to
> transform them into the format that gShield expects. I leave 'em out of here
> as I already got too talkative. :o)

Yeah... but gave great lessons. Here I see two different approaches. One with
your suggested method and same rules for all IP addresses and another which
would be to add a user configuration for the other IP addresses in case you
want different behaviour for each one. Also a combination of methods would fit.
Imagine you have a DNS server with one address but not with the others. We
could use your method and add custom rules to block tcp and udp for port 53 in
all other addresses.

Well, this is a matter of trial and error. Once being locked out of the server
has been resolved (and the 5 minute delay in starting the firewall should be
the right answer) you can test with more peace of mind.

Thanks again for your very good advice.

Best regards,
Francisco

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
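The two practical points in the thread above (derive LOCALIP/LOCALMASK/LOCALNET from the RaQ's ifcfg-eth0 rather than hard-coding them, and make sure the gateway really sits inside $LOCALNET before any rules load) can be put into a small shell script. The following is an added example, not code from the thread, from gShield or from Cobalt: the ifcfg files are constructed samples written to temp files, the function names (ip2int, same_subnet, gshield_settings, delayed_start) are my own, and the variable names it emits are the ones Michael's gShield.conf snippet uses.

```sh
#!/bin/sh
# Added example: derive gShield network settings from a RaQ-style ifcfg file
# and refuse to proceed when the gateway is not on the local network.

# Convert a dotted-quad IPv4 address to a 32-bit integer (POSIX sh arithmetic).
ip2int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# same_subnet IP1 IP2 MASK: succeed when both addresses share the network
# selected by MASK. This is the "gateway within $LOCALNET" check from the thread.
same_subnet() {
    a=$(ip2int "$1"); b=$(ip2int "$2"); m=$(ip2int "$3")
    [ $(( a & m )) -eq $(( b & m )) ]
}

# gshield_settings IFCFG_FILE: print the gShield variables built from the ifcfg
# file (same names as in the thread's gShield.conf snippet). Non-zero exit when
# required fields are missing or the gateway is off-net, so the caller can stop
# before loading any rules.
gshield_settings() {
    # Source in a subshell so IPADDR/NETMASK/... do not leak into the caller.
    (
        . "$1"
        [ -n "$IPADDR" ] && [ -n "$NETMASK" ] && [ -n "$NETWORK" ] || {
            echo "missing IPADDR/NETMASK/NETWORK in $1" >&2; exit 2; }
        if [ -n "$GATEWAY" ] && ! same_subnet "$IPADDR" "$GATEWAY" "$NETMASK"; then
            echo "refusing: gateway $GATEWAY is not inside $NETWORK/$NETMASK" >&2
            exit 1
        fi
        echo "LOCALIP=$IPADDR"
        echo "LOCALMASK=$NETMASK"
        echo "LOCALNET=$NETWORK/$NETMASK"
        echo "REMOTENET=0/0"
    )
}

# delayed_start DELAY_SECONDS IFCFG_FILE: the lock-out safety margin from the
# thread. During DELAY an admin can still log in after a reboot and kill this
# process; use 300 (5 minutes) for real use. Rules are only loaded when the
# settings check passed. The echo stands in for the real gShield start command.
delayed_start() {
    sleep "$1"
    gshield_settings "$2" > /dev/null || return 1
    echo "firewall rules would be loaded now"
}

# Constructed sample ifcfg files (not taken from any real RaQ).
SAMPLE_OK=$(mktemp)
cat > "$SAMPLE_OK" <<'EOF'
DEVICE=eth0
IPADDR=192.168.10.5
NETMASK=255.255.255.0
NETWORK=192.168.10.0
GATEWAY=192.168.10.1
ONBOOT=yes
EOF

SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
DEVICE=eth0
IPADDR=192.168.10.5
NETMASK=255.255.255.0
NETWORK=192.168.10.0
GATEWAY=10.0.0.1
EOF

# Stand-alone run: show the settings derived from the good sample.
gshield_settings "$SAMPLE_OK"
```

With the bad sample the script prints "refusing: gateway 10.0.0.1 is not inside 192.168.10.0/255.255.255.0" and exits 1, which is the point: a wrong gateway is caught before the firewall script ever calls ipchains, instead of after the machine has cut itself off. Note that POSIX sleep only takes seconds, so the thread's "sleep 5m" becomes sleep 300 on a strict sh.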
