Re: iptables not logging or dhcp-client lying?

2002-04-11 Thread Olaf Meeuwissen
Olaf Meeuwissen <[EMAIL PROTECTED]> writes:

> Gabor Kovacs <[EMAIL PROTECTED]> writes:
> 
> > Olaf Meeuwissen wrote:
> > 
> > > Basically, I'd like to keep the setup as closed as possible so I make
> > > a hole in /etc/dhclient-enter-hooks during the PREINIT stage to let
> > > the DHCPDISCOVER broadcast out (and a reply back in eventually, taking
> > > this one step at a time ;-).  At least, that's what I thought I should
> > > do, but I noticed that packets are not logged!
> > 
> > I think (but not sure) DHCP client is using (so called) raw sockets
> > which are below the layer where iptables is in the kernel. That's why
> > iptables is unable to see the packets.
> 
> Looks like you are right.  I set all built-in chains to LOG and a DROP
> policy (no other rules) and my interface configures fine.  Once it is
> up there's an incessant stream of logged packets (mainly win-DoS hosts
> letting everyone know who and where they are by shouting all over the
> subnet and, occasionally, beyond).
> 
> Oh well, I guess I can forget about making and plugging holes for the
> DHCPDISCOVER (and probably DHCPREQUEST) requests and their replies.
> That makes my job easier, but I guess the docs then need a fix ;-)

I gotta set myself straight here.  The DHCPDISCOVER does not need a
hole to make it past the packet filtering layer, but the DHCPREQUEST
does.  And from experience, it seems that dhclient starts requesting
without going through the /etc/dhclient-script.  Bummer, 'cause that
means you don't get the chance to open up a hole for the request and
close it once your lease has been renewed.  Oh well, I guess I have to
leave a hole open permanently for the requests to and replies from the
dhcp-server-identifier ...
-- 
Olaf Meeuwissen                          Epson Kowa Corporation, CID
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97  976A 16C7 F27D 6BE3 7D90
LPIC-2   -- I hack, therefore I am -- BOFH
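
One way to set up the permanent hole described in the message above, as an added example that is not from this thread nor part of dhclient or Debian: a small Python script (an assumption of this example) that parses the ISC dhclient.leases syntax, picks the lease currently in use for an interface, and emits the two iptables rules that let the unicast DHCPREQUEST reach the dhcp-server-identifier and let its reply come back in. The lease text is constructed and uses documentation addresses; the DHCPDISCOVER broadcast needs no such rule because, as the thread notes, it never passes the packet filter.

```python
import ipaddress
import re

# Constructed sample in ISC dhclient.leases syntax (documentation addresses, not a real lease).
SAMPLE_LEASES = """\
lease {
  interface "eth0";
  fixed-address 192.0.2.50;
  option dhcp-server-identifier 192.0.2.1;
}
lease {
  interface "eth0";
  fixed-address 192.0.2.77;
  option subnet-mask 255.255.255.0;
  option dhcp-server-identifier 192.0.2.2;
}
"""
# One statement per line: optional "option " prefix, a name, then a possibly quoted value.
STATEMENT = re.compile(r'^(?:option\s+)?(\S+)\s+"?([^"]*?)"?$')

def parse_leases(text):
    """Return one dict per 'lease { ... }' block, in file order (oldest first)."""
    leases = []
    for body in re.findall(r"lease\s*\{(.*?)\}", text, re.S):
        fields = {}
        for line in body.splitlines():
            m = STATEMENT.match(line.strip().rstrip(";"))
            if m:
                fields[m.group(1)] = m.group(2)
        leases.append(fields)
    return leases

def current_lease(text, iface):
    """dhclient appends leases, so the last block for the interface is the one in use."""
    for lease in reversed(parse_leases(text)):
        if lease.get("interface") == iface:
            return lease
    return None

def dhcp_hole_rules(lease):
    """Two rules for the unicast renewal: request UDP 68->67 out, reply UDP 67->68 back in.
    Values are validated before they are placed on a command line."""
    iface, addr, server = lease["interface"], lease["fixed-address"], lease["dhcp-server-identifier"]
    if not re.fullmatch(r"[A-Za-z0-9_.:-]+", iface):
        raise ValueError("unexpected interface name in lease file")
    addr, server = str(ipaddress.IPv4Address(addr)), str(ipaddress.IPv4Address(server))
    return [
        f"iptables -I OUTPUT -o {iface} -p udp -s {addr} --sport 68 -d {server} --dport 67 -j ACCEPT",
        f"iptables -I INPUT -i {iface} -p udp -s {server} --sport 67 -d {addr} --dport 68 -j ACCEPT",
    ]
```

Run it against /var/lib/dhcp/dhclient.leases instead of the sample to get rules for the real server; the rules are inserted ahead of the LOG/DROP policy so the renewal traffic is accepted before it is logged and dropped.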


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: iptables not logging or dhcp-client lying?

2002-04-08 Thread Olaf Meeuwissen
Gabor Kovacs <[EMAIL PROTECTED]> writes:

> Olaf Meeuwissen wrote:
> 
> > Basically, I'd like to keep the setup as closed as possible so I make
> > a hole in /etc/dhclient-enter-hooks during the PREINIT stage to let
> > the DHCPDISCOVER broadcast out (and a reply back in eventually, taking
> > this one step at a time ;-).  At least, that's what I thought I should
> > do, but I noticed that packets are not logged!
> 
> I think (but not sure) DHCP client is using (so called) raw sockets
> which are below the layer where iptables is in the kernel. That's why
> iptables is unable to see the packets.

Looks like you are right.  I set all built-in chains to LOG and a DROP
policy (no other rules) and my interface configures fine.  Once it is
up there's an incessant stream of logged packets (mainly win-DoS hosts
letting everyone know who and where they are by shouting all over the
subnet and, occasionally, beyond).

Oh well, I guess I can forget about making and plugging holes for the
DHCPDISCOVER (and probably DHCPREQUEST) requests and their replies.
That makes my job easier, but I guess the docs then need a fix ;-)

Thanks,
-- 
Olaf Meeuwissen                          Epson Kowa Corporation, CID
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97  976A 16C7 F27D 6BE3 7D90
LPIC-2   -- I hack, therefore I am -- BOFH





Re: iptables not logging or dhcp-client lying?

2002-04-03 Thread Gabor Kovacs
Olaf Meeuwissen wrote:

> Basically, I'd like to keep the setup as closed as possible so I make
> a hole in /etc/dhclient-enter-hooks during the PREINIT stage to let
> the DHCPDISCOVER broadcast out (and a reply back in eventually, taking
> this one step at a time ;-).  At least, that's what I thought I should
> do, but I noticed that packets are not logged!

I think (but I'm not sure) the DHCP client is using so-called raw sockets,
which are below the layer where iptables sits in the kernel. That's why
iptables is unable to see the packets.

(There is an option for Raw sockets in the kernel, and it can be used
only with root privileges.)

KoGa





Re: iptables not logging or dhcp-client lying?

2002-04-03 Thread Olaf Meeuwissen
Lupe Christoph <[EMAIL PROTECTED]> writes:

> On Wednesday, 2002-04-03 at 14:02:20 +0900, Olaf Meeuwissen wrote:
> 
> > I am playing with packet filtering on a DHCP client and trying to get
> > it done the right way.
> 
> The right way is to dispense with DHCP. The protocol has no security
> whatsoever. Read RFC2131, "7. Security Considerations" for details.

Although I may share your sympathies on this point (still have to read
up on it), you assume I am in a position to do so.

-- 
Olaf Meeuwissen                          Epson Kowa Corporation, CID
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97  976A 16C7 F27D 6BE3 7D90
LPIC-2   -- I hack, therefore I am -- BOFH





Re: iptables not logging or dhcp-client lying?

2002-04-03 Thread Lupe Christoph
On Wednesday, 2002-04-03 at 14:02:20 +0900, Olaf Meeuwissen wrote:

> I am playing with packet filtering on a DHCP client and trying to get
> it done the right way.

The right way is to dispense with DHCP. The protocol has no security
whatsoever. Read RFC2131, "7. Security Considerations" for details.

HTH,
Lupe Christoph
-- 
| [EMAIL PROTECTED]   |http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a  |
| Bat-Leth contest on the holodeck. They will not concern us again.  |
| http://public.logica.com/~stepneys/joke/klingon.htm|





iptables not logging or dhcp-client lying?

2002-04-02 Thread Olaf Meeuwissen
Dear .debs,

I am playing with packet filtering on a DHCP client and trying to get
it done the right way.  Policy for all built-in chains is DROP and all
packets are logged before they go plonk.  I pulled the network cable
while playing around.

Debian GNU/Linux 3.0
kernel 2.4.18-tux, iptables 1.2.5-7, dhcp-client 2.0pl5-7

Basically, I'd like to keep the setup as closed as possible so I make
a hole in /etc/dhclient-enter-hooks during the PREINIT stage to let
the DHCPDISCOVER broadcast out (and a reply back in eventually, taking
this one step at a time ;-).  At least, that's what I thought I should
do, but I noticed that packets are not logged!

That is, if I don't open up said hole, there is nothing in the logs!
I also inserted logging rules at the very beginning of all built-in
chains, but I still don't see the broadcast logged by iptables.  Only
the dhcp-client message saying it is broadcasting to 255.255.255.255
on port 67 on eth0 shows up in the system logs.

What's going on?  Why do those broadcast packets not show up?  Any
clues anyone?

# If you need more info, please ask.
-- 
Olaf Meeuwissen                          Epson Kowa Corporation, CID
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97  976A 16C7 F27D 6BE3 7D90
LPIC-2   -- I hack, therefore I am -- BOFH




