Hey Everyone.. LOTS of updates here and some of them are VERY
important. Please at least scan through this to see what's
new.
-109- users on the list and growing faster and faster!
--David
--
02/11/99 Placed short header names in each [Section]
name. Makes topics easier to find.
*Sent Update*
Added the note that there is now a description
of how packet and statefully inspected firewalls
work.
[Section 3]
Changed the "Future Features" section to group
similar tasks, i.e. Networking, hardware, etc.
Also added a future feature to do more GUI help.
[Section 3]
Added a backup URL for IPCHAIN's IPmasqadm
since Juanjo's main ML.ORG site is now 404.
[Section 5]
Indented all the Security URLs, added L0pht,
Rootshell, etc URLs.
[Section 5]
Updated the "How firewalls work" flow diagram
to include the FORWARDING rule.
[Section 10]
Added a little blurb on the differences between
how packet and statefully inspected firewalls
work.
[Section 10]
Doh! The explicit OUTPUT firewall ruleset was
matching the wrong ports for the MASQ and
NON-MASQ strong ruleset! This isn't a
super huge issue but it IS sloppy!!!
For example:
From:
#secure1.host.com
/sbin/ipfwadm -O -a accept -W $extif -P tcp -S $extip/32 \
    -D $securehost/32 ftp ftp-data ssh pop-3 $unprivports
To:
#secure1.host.com
/sbin/ipfwadm -O -a accept -W $extif -P tcp -S $extip/32 ftp ftp-data ssh \
    -D $securehost/32 $unprivports
[Section 10]
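As an added illustration (not from TrinityOS or this list), a small Python model of the ipfwadm convention the fix above relies on: a port list binds to whichever of -S or -D precedes it. The addresses and interface are constructed placeholders standing in for $extip, $securehost and $extif, and the port table is assumed from a standard /etc/services.

```python
import ipaddress
import shlex

# Assumed service-name -> port table (standard /etc/services values).
SERVICES = {"ftp": 21, "ftp-data": 20, "ssh": 22, "pop-3": 110}

def parse_ports(tokens):
    """Turn ['ftp', 'ssh', '1024:65535'] into (lo, hi) port ranges."""
    ranges = []
    for t in tokens:
        if t in SERVICES:
            ranges.append((SERVICES[t], SERVICES[t]))
        elif ":" in t:
            lo, hi = t.split(":")
            ranges.append((int(lo), int(hi)))
        else:
            ranges.append((int(t), int(t)))
    return ranges

def parse_rule(rule):
    """Minimal ipfwadm-style parser: only -S/-D and the ports that follow each."""
    toks = shlex.split(rule)
    spec = {"src": None, "dst": None, "sports": [], "dports": []}
    i = 0
    while i < len(toks):
        if toks[i] in ("-S", "-D"):
            side = "src" if toks[i] == "-S" else "dst"
            spec[side] = ipaddress.ip_network(toks[i + 1])
            i += 2
            ports = []
            while i < len(toks) and not toks[i].startswith("-"):
                ports.append(toks[i])
                i += 1
            spec[side[0] + "ports"] = parse_ports(ports)  # 'sports' / 'dports'
        else:
            i += 1  # other options (-O, -a, -W, -P ...) do not affect port binding
    return spec

def matches(spec, src, sport, dst, dport):
    def port_ok(ranges, p):
        return not ranges or any(lo <= p <= hi for lo, hi in ranges)
    return (ipaddress.ip_address(src) in spec["src"]
            and ipaddress.ip_address(dst) in spec["dst"]
            and port_ok(spec["sports"], sport)
            and port_ok(spec["dports"], dport))

def check(rule, packets):
    """Return, per (src, sport, dst, dport) packet, whether the rule accepts it."""
    spec = parse_rule(rule)
    return [matches(spec, *pkt) for pkt in packets]

# Constructed placeholders: $extip=192.0.2.10, $securehost=198.51.100.5, $extif=eth0.
OLD = "/sbin/ipfwadm -O -a accept -W eth0 -P tcp -S 192.0.2.10/32 -D 198.51.100.5/32 ftp ftp-data ssh pop-3 1024:65535"
NEW = "/sbin/ipfwadm -O -a accept -W eth0 -P tcp -S 192.0.2.10/32 ftp ftp-data ssh -D 198.51.100.5/32 1024:65535"
SSH_REPLY = ("192.0.2.10", 22, "198.51.100.5", 40000)    # server reply, should pass
BOX_TO_SSH = ("192.0.2.10", 40000, "198.51.100.5", 22)   # box opening ssh out, not intended
```

With the old rule every port, including $unprivports, hangs off -D, so the box's outbound connections to the secure host's service ports slip through; the corrected rule accepts only the service replies.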
Fixed the DHCP rules to reflect the port
names of "bootps" and "bootpc" vs. ports 67
and 68. Makes things more readable.
[Section 10]
Made sure the /etc/services file has:
--
bootps 67/udp # bootp server
bootpc 68/udp # bootp client
--
[Section 27]
Recently found out on the BRU mailing list
that when you use BRU's software compression
or your tape drive's hardware compression,
you should set the tape drive's capacity setting
to "0"!
[Section 29]
Added a little section on how to test Bru's
tape backups *VERY IMPORTANT*
[Section 29]
Under the RPM testing section, added another
RPM test with a double -vv to really look
at a given RPM.
[Section 50]
Made Lynx permissions recommendations for
Lynx users running versions older than 2.8.1.
[Section 50]
Noted that, though not included in Slackware
or Redhat, the ProFTPd daemon included with
Debian Linux is vulnerable to the same FTP root
exploit that Wu-ftpd is vulnerable to.
[Section 50]
02/10/99 Updated the Feature Sets to reflect the support
of multiple Internet domains on one box for
DNS and EMAIL
[Section 3]
Changed the default permissions on Redhat's
/bin/rpm from 755 to 700. Normal end users
shouldn't have access to something like this.
[Section 7]
Clarified that users should ADD the specific
lines to the /etc/syslog.conf file and not
replace the existing file.
[Section 9]
Added both a Slackware and Redhat version of
the /root/logit script
[Section 9]
Cleaned up the "supporting more than one
Internet DNS Domain" section and fixed some
formatting issues.
[Section 24]
Cleaned up the "supporting more than one
Internet Email Domain" section and fixed
some formatting issues.
[Section 25]
Moved the RPM installation pre-installation
tests to [Section 50] since you should
follow these simple recommendations EVERY
TIME before you install an RPM
[Section 25]
Upgraded the "run-rpmwatch" script to v1.1.
This added "rm -f rh-errata.txt" to the
end of the script to clean up the loose
tmp files.
[Section 43]
Moved from [Section 25] a pre-RPM TEST list
to make sure that the user is aware of any
files that will be overwritten/DELETED, etc.
[Section 50]
Installed an RPM to fix security:
wu-ftpd-2.4.2b18-2.1.i386.rpm
[Section 50]
02/09/99 Added a few Future Feature sets:
- Mail Backup: Set up MX email backup
- IPv6: Configure and set up IPv6 and possibly
set up an IPv6 tunnel via the 6Bone
- Dial Backup: Add analog modem dial backup
when the ADSL/Cablemodem goes down
- CODA: Replace NFS support with CODA
- Implement a new 2.2.x kernel
[Section 3]
Added a very detailed description and diagram
of how any TCP/IP packet firewall (including
IPFWADM and IPCHAINS) operates.
[Section 10]
Cleaned up area between the MASQ vs. NON-MASQ
rc.firewall rulesets
[Section 10]
Updated the MASQ and NON-MASQ rc.firewall to v2.90
- Changed the default policy for
INPUT/OUTPUT/FORWARD from DENY to REJECT.
This is actually just a semantic issue
since I was REJECTing all non-allowed
packets at the end of each INPUT, OUTPUT,
and FORWARD section.
[Section 10]
Detailed out how to support multiple Internet domain
names from one DNS server. Simple!
[Section 24]
Added a note that if you are going to support
email for multiple Internet domains on this one
box, you need to add those domain names to the
/etc/sendmail.cw file.
[Section 25]
Added a rough tape drive benchmark output in the
/usr/local/sbin/bru-fullbackup file.
[Section 29]
Moved a bunch of old Updates to the old Updates
URL given at the top of this section.
[Section 100]
02/08/99 Updated the "ssh" profile to include the -C and
-P options to enable Compression and to disable
rsh (tcp ports > 1024) support. This would
break the ability to SSH out of the rc.firewall
ruleset.
[Section 30]
02/07/99 Updated the MASQ and NON-MASQ rc.firewall to
v2.80
- Clarified the input/output rules for
HTTP to use the -W interface option
and added a #ed out rule for allowing
HTTP traffic directly to the Linux
box from the Internet.
[Section 10]
02/04/99 Fixed a typo from /var/adm/log.to.ttys to
/var/log/log.to.ttys
[Section 9]
--
David A. Ranch - Linux/Networking/PC hardware [EMAIL PROTECTED]
For more detailed info, see http://www.ecst.csuchico.edu/~dranch