[gentoo-user] Re: [Iptables related] How to make one machine only talk on loc lan

2005-11-20 Thread Harry Putnam
A. Khattri [EMAIL PROTECTED] writes:

 But preventing updates (espec. if they're Windoze boxes) seems like a bad
 idea to me.

It can be done by running IE thru a proxy on my linux box.  Then it
only sees a local address.

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Re: [Iptables related] How to make one machine only talk on loc lan

2005-11-13 Thread Willie Wong
On Sun, Nov 13, 2005 at 01:09:54AM -0600, Harry Putnam wrote:
 Apparently you too are not looking at the router I've specified:
 NETGEAR FVS318
 
 In the schedule section there is only one place to put an IP address
 and that is for an ntp server if you want one.
 

Apparently you didn't RTFM. (Of course, since you didn't read my
comment either. I said: Click on BLOCK SERVICES and you clicked on
Schedule, well no shit Sherlock, of course what I told you won't be
there.) Here: I found it for you:

ftp://downloads.netgear.com/files/fvs318_ref_manual_14.pdf

Chapter 4, page 5. 

Poorly written, but understandable. Of course, that is for firmware
version 1.4, which has been out since January 2004; hopefully I am not
making an undue assumption that your router has the most up-to-date
firmware.

Hope THAT helps /sarcasm

W
-- 
Pintsize: You don't have my raw electro-magnetism.
Sortir en Pantoufles: up 1 day, 59 min
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Re: [Iptables related] How to make one machine only talk on loc lan

2005-11-13 Thread Holly Bostick
Harry Putnam schreef:
 Apparently you too are not looking at the router I've specified: 
 NETGEAR FVS318
 

Not to mix in (not having a Netgear router), but I wonder if perhaps the
reason you are not seeing the ability to block IPs (which several people
have said exists) is because you have not enabled it by setting a schedule:


 John Jolet [EMAIL PROTECTED] writes (twice):
 
 look at the schedule setups.  set them up only to be able to
 access the internet for, say a second on sunday at 3 am, and
 not for the rest of the time
 
 
 here.  you set a schedule, then limit certain ip addresses

As I said, I'm not familiar with this router, but I am familiar with the
concept of options not becoming enable-able (and often even visible)
until some precondition has been met (in this case setting a schedule).

Certainly it would not seem logical for a high-end router *not* to be
able to block IPs (and fairly thoroughly), especially if lower-end
models of the same brand are capable of doing so; certainly it seems
possible that such a device would not be interested in knowing what
you want it to do (ip blocks) if it didn't have a category under
which to perform the series of actions (the schedule).

Just an idea,
Holly
-- 
gentoo-user@gentoo.org mailing list



[gentoo-user] Re: [Iptables related] How to make one machine only talk on loc lan

2005-11-13 Thread Harry Putnam
Willie Wong [EMAIL PROTECTED] writes:

 Apparently you didn't RTFM. (Of course, since you didn't read my
 comment either. I said: Click on BLOCK SERVICES and you clicked on
 Schedule, well no shit Sherlock, of course what I told you won't be
 there.) Here: I found it for you:

 ftp://downloads.netgear.com/files/fvs318_ref_manual_14.pdf

 Chapter 4, page 5. 

 Poorly written, but understandable. Of course, that is for firmware
 version 1.4, which has been out since January 2004; hopefully I am not
 making an undue assumption that your router has the most up-to-date
 firmware.

 Hope THAT helps /sarcasm

You have a fast smart mouth on you Mr.  Wong.  But thanks just the
same.  I got in my head you both were talking about the scheduling
area.  My mistake.  I noticed it soon after posting and found the
place to make these settings shortly thereafter.

There is a problem with it I'll explain in a minute but first let me
ask if you are actually using your router to do something similar to
what I described?

The reason I ask is that here it appears it would be a very shaky way to go.
In the blocking area there is a list of 11 services to block.
Services can be added in a different area but even then one is just
guessing and hoping any attacker doesn't use a port for which
there is no service or one you forgot to add.

It appears there is no global setting to just block everything.

I thought of doing something similar with the keywords blocking by
selecting com, org, net, edu etc as the keywords, but again one is
just hoping you didn't overlook something.  Again, no way to just say
`block all incoming/outgoing'.

If you've been doing this over time it would be encouraging to hear it
has worked with no problems.

Getting back to using the gentoo box for this:

One poster mentioned he thought it would require hard wiring the win
boxes to run thru the gentoo first.

I'm wondering if it would work to just set the gentoo box as gateway
for them even though they are coming in thru the router first.
Haven't tried any of that since I need an undisturbed internet
connection for a while more yet.

-- 
gentoo-user@gentoo.org mailing list



[gentoo-user] Re: [Iptables related] How to make one machine only talk on loc lan

2005-11-13 Thread Harry Putnam

Willie Wong wrote:


Poorly written, but understandable. Of course, that is for firmware
version 1.4, which has been out since January 2004; hopefully I am not
making an undue assumption that your router has the most up-to-date
firmware.


You've got an earlier firmware.  The latest is 2.4, also from mid-2004;
I don't recall the exact date.  But it appears to be the same anyway.


--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Re: [Iptables related] How to make one machine only talk on loc lan

2005-11-13 Thread Willie Wong
On Sun, Nov 13, 2005 at 11:44:31AM -0600, Harry Putnam wrote:
 You have a fast smart mouth on you Mr.  Wong.  But thanks just the
 same.  I got in my head you both were talking about the scheduling
 area.  My mistake.  I noticed it soon after posting and found the
 place to make these settings shortly thereafter.

=) Willie is fine.  Mr. Wong doesn't become me. 

 There is a problem with it I'll explain in a minute but first let me
 ask if you are actually using your router to do something similar to
 what I described?

Yes and no. I firewall off some access for wireless devices around
home, mostly so people who are visiting with their computers won't
cause heavy disruption (by, for example, getting a spyware/spambot
infected machine onto my network and pissing off my ISP). But I do not
block off all services. 

 The reason I ask is that here it appears it would be a very shaky way to go.
 In the blocking area there is a list of 11 services to block.
 Services can be added in a different area but even then one is just
 guessing and hoping any attacker doesn't use a port for which
 there is no service or one you forgot to add.

True. That's one question I've been wondering. Since I do *not*
actually have an FVS318 (like I said, I have a way lower end Netgear
router), I was wondering about what I saw in the manual. The page I
referred you to had a sample screen that says something akin to
Clicking here enables ALL services for ALL local LAN addresses. (I
hope you know which screencap I am talking about.) So
  1) Does such screen exist?
  2) If it does, if you only enable OUTBOUND service for the two
  computers you want, does it do the job? 
The other consideration is that: so long as your computer has no way
of initiating outbound HTTP/S, FTP, TELNET, SSH, etc. access (those in
the list), I highly doubt there's a way for the computer to get
_passively_ infected by malware. What I mean is that there are
basically two ways for the attack to happen:
  1) The attacker puts his stuff on the 'web and waits for people to
  click on it (software that bundles spyware, malformed webpages).
  2) The attacker actively attacks you. 
For case 1), blocking outbound services on those 11 ports should be
sufficient (especially if you administer your own small network and
not let random strangers off the street play with your boxes). 

For case 2), that is what a firewall is for. Judging by your setup I
am assuming you have NAT set up (of course, you could have 5 ips from
the ISP, but in principle you won't need a router then...). In that
case without explicitly forwarding ports or setting up a DMZ, there
really isn't a way for the attacker to attack your computers without
the router/firewall being seriously compromised. 

 just hoping you didn't overlook something.  Again, no way to just say
 `block all incoming/outgoing'.

Again (sorry if I sound redundant), you only need to block all
OUTGOING at the router level. Incoming is blocked by assumption unless
you set up port forwarding. That is what a firewall means after all. 

 If you've been doing this over time it would be encouraging to hear it
 has worked with no problems.

sorry... no way to tell: different models of router, different level
of security we are talking about here. I put my linux box on the DMZ
and run iptables on it... I've seen scripted attacks hitting my DMZ
box, but nothing has ever hit computers behind the router's firewall.
So I guess I must be doing something right. =)
 
 Getting back to using the gentoo box for this:
 
 One poster mentioned he thought it would require hard wiring the win
 boxes to run thru the gentoo first.

That's the only way to be safe. 

 I'm wondering if it would work to just set the gentoo box as gateway
 for them even though they are coming in thru the router first.
 Haven't tried any of that since I need an undisturbed internet
 connection for a while more yet.

If the windows boxes are wired to the router, then it would be
possible to change a setting in windows and make them use the router
as the gateway. And if the router is not set up to block services, they
would have direct access to the internet. 

If blocking (a finite number of) services sounds shaky to you, then I
think only hard-wiring the boxes to pass through the gentoo box would
be secure enough for you. 

If you have some budget: get a second NIC for your gentoo box, hook it
directly up to the internet. Point the second NIC to your netgear
router, and set up the router to function only as a switch (no address
translation, no dhcp, nothing). Follow the gentoo home networking
guide http://www.gentoo.org/doc/en/home-router-howto.xml to set up your
gentoo box as a router/firewall. And then you can explicitly block all
outbound connections from the three machines in question. 

So

                                             / Windows 1
 Internet -- Gentoo box -- Netgear Router -- Windows 2
                                             \ Windows 3
  

[gentoo-user] Re: [Iptables related] How to make one machine only talk on loc lan

2005-11-13 Thread Harry Putnam

Willie Wong wrote:
=) Willie is fine.  Mr. Wong doesn't become me. 


Willie it is then...


There is a problem with it I'll explain in a minute but first let me
ask if you are actually using your router to do something similar to
what I described?


[snip] reasoning about blocking only services by name


True. That's one question I've been wondering. Since I do *not*
actually have an FVS318 (like I said, I have a way lower end Netgear
router), I was wondering about what I saw in the manual. The page I
referred you to had a sample screen that says something akin to
Clicking here enables ALL services for ALL local LAN addresses. (I
hope you know which screencap I am talking about.) So
  1) Does such screen exist?


Yes, the manual you cited is for v1.4 by your message and my router is 
running v2.4 so there may be some differences, but there is such a page, 
yes.  Your manual shows an `any' choice in the services box whereas I 
only see a list of 11, no `any' choice.  That isn't what we're 
discussing but is just added for reference. For my actual screen see:

http://www.jtan.com/~reader/exp/web_ready/dispimg.cgi


  2) If it does, if you only enable OUTBOUND service for the two
  computers you want, does it do the job? 


I suspect it would, and yes there is the possibility to ALLOW on that 
screen too.  So one could turn it around and allow whatever machines I 
want internet capable rather than denying the ones I don't.


But if you mean to disable services for the other 3, that does work, and 
I've tried it now, but it is the exact thing I called shaky.


Your further comments on that have caused me to clean up my thinking 
about it a bit.  And as you say the router/fw is already blocking all 
incoming to those computers, since they are natted and no port 
forwarding on those.  I do have a port forwarded from the gentoo box for 
ssh access.


[snip] cleaner thinking about what is really happening at the router.

[snip] discussion of doing it with gentoo box

=
[An aside but sort of an answer to your diagram too]:
I got the netgear a couple of years ago to avoid doing what you laid out 
with the gentoo box.  Only then it was a lean mean install of openbsd on 
an old x86 computer.


But I think the same drawback would apply eventually, that is, that it 
is too labor intensive to keep up with updates, patches, noise, heat, etc., 
since I'd not want to use my main desktop (my gentoo box) in that 
capacity since it's not really wise to run a hardened firewall on a 
production machine.


I'd end up setting up a second Gentoo box as a very configurable FW or 
really I'd probably install the latest Openbsd and set it up as a hardened and 
highly configurable router/fw, using the NETGEAR as you describe as 
a switch.


It's hard to argue with something the size of a medium book that 
generates no heat or noise yet keeps all but the most dedicated of 
script kiddies out of my network with ease.  And it needs almost no attention.

==

Getting back to other things that might be tried:
I'm thinking now, after your comments on the subject, that blocking the 
services would be all I need to do.  I'm currently doing the isolating 
by running a sw firewall called Kerio on each of the 3 machines.


That isn't much fun either, and if kerio wasn't started or was turned off 
the machine would be in harm's way right away, as you mentioned 
somewhere in your replies.


No telling how much internet access happens when running a bunch of 
graphic manip programs.  Probably not particularly dangerous, but still 
all those update mechanisms would only need someone with bad intent to 
do harm with them.


I'm wondering now if there is a way to do something like set up a squid 
proxy on the gentoo and somehow force any attempts to go online from the 
3 isolated machines toward it?


Someone already mentioned squid and said it could not be forced but not 
sure I understood what that meant.


But also if I were to set the gateway which is now the NETGEAR router, 
to the gentoo box, wouldn't all outgoing traffic automatically head for 
the gateway?  Would they really need to be wired to a second nic?


Can the gentoo box be made to handle that local lan based traffic, and 
head it toward the internet without a second nic and all?


My feeble understanding of setting a default gateway is that it then 
becomes the only route used without setting static routes in the routing 
table of the winboxes.


I intend to experiment with this a bit later, tracerouting different 
setups and such.


--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Re: [Iptables related] How to make one machine only talk on loc lan

2005-11-13 Thread Willie Wong
On Sun, Nov 13, 2005 at 03:13:35PM -0600, Harry Putnam wrote:
big big big snip of things I can't answer for you
 I'm wondering now if there is a way to do something like set up a squid 
 proxy on the gentoo and somehow force any attempts to go online from the 
 3 isolated machines toward it?

Two ways exist (AFAIK) of using squid:
  1) Run it as a proxy server. In the Internet Options for your
  web browser, you point the proxy toward the proxy server. You submit
  a request, it gets relayed to the internet, the response comes back,
  squid passes it back to your computer. 

  2) Run it transparently on the _router_. This is the important part:
  on the router, you can force all HTTP traffic
  to go through squid. There are many howtos on the web detailing how
  this works, so I will not go into details and only say that it
  involves intercepting the traffic halfway with iptables and passing
  it to squid. 

Clearly, 1 cannot be forced: if you just unset the proxy setting from
the web browser, your computer will connect to the internet directly. 
2 cannot be implemented in your case, since it requires that
internet-bound traffic must pass through your gentoo box. If you try
to forward all traffic from the router toward your gentoo box, you get
an infinite loop since the gentoo box is behind the router. 
 
 Someone already mentioned squid and said it could not be forced but not 
 sure I understood what that meant.
 
 But also if I were to set the gateway which is now the NETGEAR router, 
 to the gentoo box, wouldn't all outgoing traffic automatically head for 
 the gateway?  Would they really need to be wired to a second nic?

Yes... theoretically. But as far as I can see it, 
  1) The complexity of that setup will be at least as large as setting
  up a custom, dedicated gentoo/openbsd box as a firewall.
  2) It can be circumvented trivially by setting the gateway manually
  to your netgear router. 
Having a second NIC makes circumvention method 2 impossible. 

 My feeble understanding of setting a default gateway is that it then 
 becomes the only route used without setting static routes in the routing 
 table of the winboxes.

Yes, but the default gateway can be changed on the fly. Since you
expressed doubts about the reliability of third party firewall
software, I don't think you would be terribly comfortable with the
idea of a protection method that can be trivially bypassed on the
software level. 

W
-- 
3.1415926535897932384626433832795028841971693993751058209749445923078164062862
089986280348253421170679821480865132823066470938446095505822317253594081284811
174502841027019385211055596446229489549303819644288109756659334461284756482337
Sortir en Pantoufles: up 1 day, 13:38
-- 
gentoo-user@gentoo.org mailing list
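Two of Willie's suggestions above can be written down as one ruleset: the two-NIC layout (Gentoo box between the internet and the Netgear used as a plain switch, with all outbound traffic from the three Windows boxes blocked) and the transparent squid mode, where iptables on the router hands HTTP off to squid. The script below is an added example, not code from the thread or from the Gentoo home-router guide. It assumes eth0 faces the internet, eth1 faces a 192.168.0.0/24 LAN, the three Windows boxes are 192.168.0.11 to .13, squid listens on its default port 3128 on the Gentoo box, and ssh to the box should stay reachable. It prints the rules rather than applying them, so they can be read first; the LOG rule ahead of each DROP is what later makes a bypass attempt visible in the kernel log.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Gentoo router guide.
# Rules for the layout sketched in the thread:
#   Internet -- eth0 [Gentoo box] eth1 -- Netgear (used as a switch) -- Windows 1..3
# Assumed values (change them to match your network): interface names, the LAN
# subnet, the addresses of the three Windows boxes, and squid listening on 3128.

WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.0.0/24
ISOLATED="192.168.0.11 192.168.0.12 192.168.0.13"   # the three Windows boxes
SQUID_PORT=3128                                      # squid's default listen port

# Emit the ruleset as text so it can be read before it touches a live box.
gen_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
    for host in $ISOLATED; do
        # Transparent mode: plain HTTP from this host is handed to squid on this
        # box instead of leaving for the internet (no browser setting needed).
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $host -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT"
        # Explicit mode: the browser's proxy setting points at this box, so the
        # host may talk to squid directly.
        echo "iptables -A INPUT -i $LAN_IF -s $host -p tcp --dport $SQUID_PORT -j ACCEPT"
        # Anything else this host sends towards the WAN is logged, then dropped.
        echo "iptables -A FORWARD -i $LAN_IF -s $host -o $WAN_IF -j LOG --log-prefix \"ISOLATED-DROP: \""
        echo "iptables -A FORWARD -i $LAN_IF -s $host -o $WAN_IF -j DROP"
    done
    # The rest of the LAN is forwarded normally. This rule comes after the
    # per-host drops, so the isolated hosts never reach it.
    echo "iptables -A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -j ACCEPT"
    # Default-deny policies go last so that applying this over ssh does not
    # cut the session before the ACCEPT rules exist.
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
EOF
}

# Helpers for checking the generated ruleset.
count_rules() { gen_rules | grep -c -- "$1"; }
last_forward_rule() { gen_rules | grep -- '-A FORWARD' | tail -n 1; }

gen_rules
```

Once the values match the network, run it on the Gentoo box and pipe the output into sh. Two things to keep in mind: the per-host DROP rules must stay ahead of the general LAN ACCEPT, since iptables takes the first match; and with the transparent redirect the Windows browser still has to resolve names itself, which this ruleset does not allow for, so either point the browsers at the proxy explicitly (squid then resolves names) or run a resolver on the Gentoo box and add a matching INPUT rule for UDP port 53 from the isolated hosts.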



[gentoo-user] Re: [Iptables related] How to make one machine only talk on loc lan

2005-11-13 Thread Harry Putnam
Willie Wong [EMAIL PROTECTED] writes:

 Two ways exist (AFAIK) of using squid:
   1) Run it as a proxy server. In the Internet Options for your
   web browser, you point the proxy toward the proxy server. You submit
   a request, it gets relayed to the internet, the response comes back,
   squid passes it back to your computer. 

   2) Run it transparently on the _router_. This is the important part:
   on the router, you can force all HTTP traffic
   to go through squid. There are many howtos on the web detailing how
   this works, so I will not go into details and only say that it
   involves intercepting the traffic halfway with iptables and passing
   it to squid. 

 Clearly, 1 cannot be forced: if you just unset the proxy setting from
 the web browser, your computer will connect to the internet directly. 

In the different scenarios we've been discussing though, I'm thinking
I've blocked internet access for several machines.  If those machines
are then set to proxy thru a local lan address (the gentoo box running
squid), they would be able to contact that address.  As I understand
it, that is the only address they would see.

And if the proxy were turned off in software they would then not be
able to go to internet either since that avenue is already blocked.
So the browser would stall and show no internet connection.

 2 cannot be implemented in your case, since it requires that
 internet-bound traffic must pass through your gentoo box. If you try
 to forward all traffic from the router toward your gentoo box, you
 get an infinite loop since the gentoo box is behind the router.

I'm not sure what you mean here about the infinite loop.  That's what
routers do: forward traffic to machines behind them.

What I'm thinking when I talk about setting default route to the
gentoo box is that the router is also a switch.  I'm wondering if
internet bound packets can:

o start on a win box behind the router
o get to the router/switch
o be switched to the gentoo box since it is the gateway listed
o be sent back to the router by the gentoo box on its journey to
  INET. 

Is that even possible without another subnet, nic etc?

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Re: [Iptables related] How to make one machine only talk on loc lan

2005-11-13 Thread Willie Wong
On Sun, Nov 13, 2005 at 05:35:27PM -0600, Harry Putnam wrote:
 In the different scenarios we've been discussing though, I'm thinking
 I've blocked internet access for several machines.  If those machines
 are then set to proxy thru a local lan address (the gentoo box running
 squid), they would be able to contact that address.  As I understand
 it, that is the only address they would see.

So you are thinking:
  1) Block internet access of all kinds for the three windows boxes.
  2) Leave the internet access open for the Gentoo box. 
  3) Have squid running on the Gentoo box. 
So that if the Windows boxes want to access the internet, it goes
through the Gentoo box? 

Yes it would work. A pretty good idea from what I can see. 
 
 And if the proxy were turned off in software they would then not be
 able to go to internet either since that avenue is already blocked.
 So the browser would stall and show no internet connection.
 


 I'm not sure what you mean here about the infinite loop.  That's what
 routers do: forward traffic to machines behind them.
 
 What I'm thinking when I talk about setting default route to the
 gentoo box is that the router is also a switch.  I'm wondering if
 internet bound packets can:
 
 o start on a win box behind the router
 o get to the router/switch
 o be switched to the gentoo box since it is the gateway listed
 o be sent back to the router by the gentoo box on its journey to
   INET. 
 
 Is that even possible without another subnet, nic etc?
 
The question is: when you say the gateway listed, do you mean the
gateway listed for the router or the gateway listed for the win box?
If for the win box, it is trivial to change the gateway to the router,
and since the router speaks to the internet, you are down to no
protection. If you mean the gateway for the router, imagine: the
gentoo box passes a packet to the router, the router thinks the
gateway is the gentoo box, and passes the packet back...

Unless, of course, your router does forwarding per host, and my guess
is that your router can't do that (though I might very well be wrong).

I think you are trying to make it more complicated than it actually
is. If you just take the one method you suggested above, blocking
services on the netgear and mandating that internet access from the win boxes
go through squid on gentoo, I think it should be fine for what you
want. 

W
-- 
Seen in LINAC @ Fermi National Accelerator Laboratory:
  (A series of signs, each with a different name)
 This 7833 Power Amplifier Tube is to be Called:
   Gassy
   Sparky
   Leaky
   Old Number 9
   Just Plain Dead
   Nick O'Tyme
Sortir en Pantoufles: up 1 day, 21:49
-- 
gentoo-user@gentoo.org mailing list
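Whichever box does the blocking, Harry's earlier worry about update mechanisms phoning home remains worth checking: do the isolated machines still try to go out directly (Kerio stopped, a proxy setting undone, an updater that ignores the browser's proxy)? When the Gentoo box is the one dropping that traffic, an iptables LOG rule ahead of the DROP records every attempt in the kernel log, and a short script can turn those lines into a per-host summary. The one below is an added example, not from the thread; it assumes the LOG rule uses the prefix "ISOLATED-DROP: " and the log lines embedded in it are constructed for the example (real ones would come from /var/log/messages or dmesg on the Gentoo box).

```shell
#!/bin/sh
# Added example, not code from the thread. Summarises what an iptables LOG rule
# on the Gentoo box recorded about the isolated Windows boxes trying to reach
# the internet directly. Assumes the LOG rule uses the prefix "ISOLATED-DROP: ";
# the log lines below are constructed for this example, real ones live in
# /var/log/messages (or dmesg) on the box doing the dropping.

SAMPLE_LOG='Nov 13 18:02:11 gentoo kernel: ISOLATED-DROP: IN=eth1 OUT=eth0 SRC=192.168.0.11 DST=203.0.113.5 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=4321 DF PROTO=TCP SPT=1045 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 13 18:02:14 gentoo kernel: ISOLATED-DROP: IN=eth1 OUT=eth0 SRC=192.168.0.11 DST=203.0.113.5 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=4322 DF PROTO=TCP SPT=1046 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 13 18:02:17 gentoo kernel: ISOLATED-DROP: IN=eth1 OUT=eth0 SRC=192.168.0.11 DST=203.0.113.5 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=4323 DF PROTO=TCP SPT=1045 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 13 18:05:40 gentoo kernel: ISOLATED-DROP: IN=eth1 OUT=eth0 SRC=192.168.0.12 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=17 PROTO=UDP SPT=1234 DPT=53 LEN=40
Nov 13 18:06:02 gentoo sshd[2201]: Accepted publickey for harry from 192.168.0.2 port 40012 ssh2
Nov 13 18:07:19 gentoo kernel: ISOLATED-DROP: IN=eth1 OUT=eth0 SRC=192.168.0.13 DST=203.0.113.77 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=900 DF PROTO=TCP SPT=1100 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0'

# Read log lines on stdin; print "count SRC DST PROTO DPT" for each distinct
# kind of attempt, busiest first. Unrelated lines (sshd etc.) are ignored.
summarize_drops() {
    grep 'ISOLATED-DROP:' | awk '{
        src = ""; dst = ""; proto = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=");
            if (n != 2) continue;
            if (kv[1] == "SRC") src = kv[2];
            else if (kv[1] == "DST") dst = kv[2];
            else if (kv[1] == "PROTO") proto = kv[2];
            else if (kv[1] == "DPT") dpt = kv[2];
        }
        count[src " " dst " " proto " " dpt]++;
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Number of dropped direct attempts from one host. The trailing space keeps
# 192.168.0.1 from matching 192.168.0.11.
drops_from() {
    printf '%s\n' "$SAMPLE_LOG" | grep 'ISOLATED-DROP:' | grep -c "SRC=$1 "
}

# The isolated hosts that tried to go out directly, one per line.
offending_hosts() {
    printf '%s\n' "$SAMPLE_LOG" | grep 'ISOLATED-DROP:' \
        | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort -u
}

printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

On a live box the same summary comes from `grep ISOLATED-DROP /var/log/messages | summarize_drops`. A host that shows up here repeatedly on port 80 or 443 is one whose browser is no longer using the proxy; UDP port 53 attempts are name lookups going past the Gentoo box, which is what you would expect from an updater that does its own resolution.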



[gentoo-user] Re: [Iptables related] How to make one machine only talk on loc lan

2005-11-12 Thread Harry Putnam
John Jolet [EMAIL PROTECTED] writes:

 The netgear will do it.  you can give it ip addresses to block.
 look at the schedule setups.  set them up only to be able to access
 the internet for, say a second on sunday at 3 am, and not for the
 rest of the time

Do you mean to block every address on the internet?  I'm not following
you here.  Further I don't see an option to block ip addresses in the
blocking section at all.  Only by keywords.

Are we looking at the same router?
(here it is FVS318)
I see:

# Security Logs
# Block Sites
# Block Service
# Add Service
# Schedule
# E-mail

On left 

(others are below but not of interest here unless you tell me
you mean some other section)


I see no way to block by IP number in any of those sections.  One
could block by keyword and use `com' `net' `org' etc as the keywords I
suppose but it seems really hackish and prone to unexpected results.

No kind of control like is possible with Iptables.

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Re: [Iptables related] How to make one machine only talk on loc lan

2005-11-12 Thread Willie Wong
On Sat, Nov 12, 2005 at 06:56:46PM -0600, Harry Putnam wrote:
 Do you mean to block every address on the internet?  I'm not following
 you here.  Further I don't see an option to block ip addresses in the
 blocking section at all.  Only by keywords.

Yes, the netgear will do it. My crappy netgear router will, so your
much higher end machines will too. 
 
 Are we looking at the same router?
 (here it is FVS318)
 I see:
 
 # Security Logs
 # Block Sites
 # Block Service

This is the one. Block service allows you to specify which LOCAL ip
addresses you want to limit the service for. 

Just set up static ip for machines 3-5 (or DHCP with fixed ip
addresses for those machines based on hardware address). Set the
blocking schedule to always. For ALL services you find in the list,
supply the ips for those three machines. 

W

-- 
The last time anybody made a list of the top hundred 
character attributes of New Yorkers, common sense snuck in 
at number 79. 
When it's fall in New York, the air smells as if someone's 
been frying goats in it, and if you are keen to breathe the 
best plan is to open a window and stick your head in a 
building. 

- Nuff said?? 
Sortir en Pantoufles: up 20:10
-- 
gentoo-user@gentoo.org mailing list



[gentoo-user] Re: [Iptables related] How to make one machine only talk on loc lan

2005-11-12 Thread Harry Putnam
John Jolet [EMAIL PROTECTED] writes:

 On Saturday 12 November 2005 18:56, Harry Putnam wrote:
 John Jolet [EMAIL PROTECTED] writes:
  The netgear will do it.  you can give it ip addresses to block.
  look at the schedule setups.  set them up only to be able to access
  the internet for, say a second on sunday at 3 am, and not for the
  rest of the time

 Do you mean to block every address on the internet?  I'm not following
 you here.  Further I don't see an option to block ip addresses in the
 blocking section at all.  Only by keywords.

 Are we looking at the same router?
 (here it is FVS318)
 I see:

 # Security Logs
 # Block Sites
 # Block Service
 # Add Service
 # Schedule
 here.  you set a schedule, then limit certain ip addresses to access only at 
 certain times...you make the time slice small enough, you've effectively 
 blocked them.
 # E-mail


Willie Wong [EMAIL PROTECTED] writes:


 # Block Service

 This is the one. Block service allows you to specify which LOCAL ip
 addresses you want to limit the service for. 

 Just set up static ip for machines 3-5 (or DHCP with fixed ip
 addresses for those machines based on hardware address). Set the
 blocking schedule to always. For ALL services you find in the list,
 supply the ips for those three machines. 

Apparently you too are not looking at the router I've specified:
NETGEAR FVS318

In the schedule section there is only one place to put an IP address
and that is for an ntp server if you want one.

http://home.jtan.com/~reader/exp/web_ready/dispimg.cgi

-- 
gentoo-user@gentoo.org mailing list