Re: [gentoo-user] Wha' hoppen to firestarter?
On Thursday 14 June 2007 21:19, Roy Wright wrote:
> I just switched to shorewall. I configured it to only allow in SSH, but have one weirdy when I try to test using nmap -v -A -P0 in that sometimes nmap reports only port 22 open and 113 closed as expected, but other times it also reports ports 80, 554, and 1755 open, which has me really confused and concerned.

What does netstat -anop report on such occasions?

To see the status of all of your ports within a given range try something like:

# nmap -v -A -T4 -P0 -p 1-1755 ip_address

for scanning all ports between 1 and 1755.
--
Regards,
Mick
Re: [gentoo-user] Wha' hoppen to firestarter?
Roy Wright wrote:
> but other times it also reports ports 80, 554, and 1755 open, which has me really confused and concerned.

Typical case when you scan from behind your ISP's NetApp NetCache appliance. Same thing happens in Argentina when using Fibertel ISP. I scan a server, and 80, 554 and 1755 are open, when in fact they're not. That's because you're behind a transparent proxy.

It might be a different issue, but I'd try scanning from different ISPs, or from another box in the same LAN.

--
Arturo Buanzo Busleiman - Independent Information Security Consultant
Free Music: http://www.buanzo.com.ar/files/buanzo-ultimamente.ogg
Consulting and Secure Mail Hosting: http://www.buanzo.com.ar/pro/
--
[EMAIL PROTECTED] mailing list
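As an added example, not written by anyone in this thread: a small Python script that combines Mick's "what does netstat -anop report" check with Buanzo's transparent-proxy explanation. It diffs the ports nmap reports open (grepable -oG output) against the sockets the scanned host actually has bound, so ports that show up remotely but are not listening locally (80, 554 and 1755 here) are flagged as coming from an intercepting device in the path. Both the netstat and nmap outputs are constructed samples, not real captures.

```python
import re

# Constructed sample of "netstat -anop" on the scanned host (not a real capture).
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    Timer
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd           off (0.00/0/0)
tcp        0      0 192.168.1.10:22         192.168.1.20:51234      ESTABLISHED 1300/sshd: roy      keepalive (7198.00/0/0)
udp        0      0 0.0.0.0:68              0.0.0.0:*                           987/dhcpcd          off (0.00/0/0)
"""

# Constructed sample of "nmap -oG -" output for the same host, scanned from behind a transparent proxy.
NMAP_GREPABLE_SAMPLE = """\
# Nmap 4.20 scan initiated as: nmap -v -A -T4 -P0 -p 1-1755 -oG - 192.168.1.10
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 4.5 (protocol 2.0)/, 80/open/tcp//http///, 113/closed/tcp//auth///, 554/open/tcp//rtsp///, 1755/open/tcp//wms///\tIgnored State: filtered (1750)
# Nmap done at Thu Jun 14 21:19:00 2007 -- 1 IP address (1 host up) scanned
"""

def listening_ports(netstat_output):
    """Return the set of (proto, port) pairs actually bound on the host."""
    ports = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto = fields[0].rstrip("6")
        # TCP sockets count only in LISTEN state; UDP sockets have no state and are always bound.
        if proto == "tcp" and (len(fields) < 6 or fields[5] != "LISTEN"):
            continue
        port = int(fields[3].rsplit(":", 1)[1])  # works for 0.0.0.0:22 and :::22 alike
        ports.add((proto, port))
    return ports

def nmap_open_ports(grepable_output):
    """Return the set of (proto, port) pairs nmap reported as open, parsed from -oG output."""
    ports = set()
    for line in grepable_output.splitlines():
        m = re.search(r"\tPorts: (.*?)(?:\t|$)", line)
        if not m:
            continue
        for entry in m.group(1).split(", "):  # each entry: port/state/proto/owner/service/rpc/version/
            parts = entry.split("/")
            if len(parts) >= 3 and parts[1] == "open":
                ports.add((parts[2], int(parts[0])))
    return ports

def suspicious_ports(netstat_output, grepable_output):
    """Ports nmap sees open that nothing on the host is bound to: evidence of an intercepting device."""
    return sorted(nmap_open_ports(grepable_output) - listening_ports(netstat_output))

if __name__ == "__main__":
    for proto, port in suspicious_ports(NETSTAT_SAMPLE, NMAP_GREPABLE_SAMPLE):
        print(f"{proto}/{port}: reported open by nmap but not listening on the host")
```

Re-running the scan from another box on the same LAN, as Buanzo suggests, should make the suspicious set empty if a proxy at the ISP is the cause.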
Re: [gentoo-user] Wha' hoppen to firestarter?
Kevin O'Gorman wrote:
> That helps some, but in net-firewall I'm finding a lot of unstable packages, and no really good idea which ones will be the best for a personal firewall, let alone which ones are best supported upstream so this doesn't happen to me again. So I'm interested in recommendations. What did you switch to?

I just switched to shorewall. I configured it to only allow in SSH, but have one weirdy when I try to test using nmap -v -A -P0 in that sometimes nmap reports only port 22 open and 113 closed as expected, but other times it also reports ports 80, 554, and 1755 open, which has me really confused and concerned.

One word of advice on using shorewall: compile the netfilter options in your kernel as modules, not directly linked in... That one led me on a merry chase until I punted and switched to using modules...

HTH,
Roy
Re: [gentoo-user] Wha' hoppen to firestarter?
Mick wrote:
> packages, and no really good idea which ones will be the best for a personal firewall, let alone which ones are best supported upstream so this doesn't happen to me again. So I'm interested in recommendations. What did you switch to?

I switched to shorewall and have been very pleased with its performance.
Re: [gentoo-user] Wha' hoppen to firestarter?
On Wednesday 06 June 2007, Kevin O'Gorman wrote:
> I had firestarter-1.0.3 emerged for quite some time. I hadn't really used it, but I'm a bit surprised now to find that it's interfering with normal emerges because it's got a big red M smacked on it. I suppose that means there's a problem with it, and it's explained in some forum or list that I don't normally get. But now I'd like a clue: what's the {prognosis, workaround, fix, alternative}. As I mentioned, I hadn't really started to use it, but I'd like to have a better firewall tool than building iptables scripts in vim.

I find it useful to read the new entries in $PORTDIR/profile/package.mask after every sync to see what's recently been nuked:

# Michael Sterrett [EMAIL PROTECTED] (30 May 2007)
# masked for removal on 20070629
# Upstream is dead and there are several open bugs:
# http://bugs.gentoo.org/show_bug.cgi?id=146620
# http://bugs.gentoo.org/show_bug.cgi?id=179792
# http://bugs.gentoo.org/show_bug.cgi?id=180104
# http://bugs.gentoo.org/show_bug.cgi?id=180105
# See http://article.gmane.org/gmane.comp.security.firewalls.firestarter.user/1342
# for a thread on the mailing list regarding the state of things, including
# mention of the problems with the newest netfilter code.
net-firewall/firestarter

alan
--
Optimists say the glass is half full,
Pessimists say the glass is half empty,
Developers say wtf is the glass twice as big as it needs to be?

Alan McKinnon
alan at linuxholdings dot co dot za
+27 82, double three seven, one nine three five
Re: [gentoo-user] Wha' hoppen to firestarter?
On 6/5/07, Dale [EMAIL PROTECTED] wrote:
> Kevin O'Gorman wrote:
> > I had firestarter-1.0.3 emerged for quite some time. I hadn't really used it, but I'm a bit surprised now to find that it's interfering with normal emerges because it's got a big red M smacked on it. I suppose that means there's a problem with it, and it's explained in some forum or list that I don't normally get. But now I'd like a clue: what's the {prognosis, workaround, fix, alternative}. As I mentioned, I hadn't really started to use it, but I'd like to have a better firewall tool than building iptables scripts in vim.
>
> This is from the Gentoo dev list.
>
> > The upstream development for firestarter has been dead for some time (last news update Jul 31 2005). Recent changes to the netfilter code in the kernel have caused firestarter not to work (see bug #179792). That bug has a patch that fixes that particular problem but the fact that upstream is dead, the several other open bugs about firestarter and the fact that I no longer use it myself mean I'm masking it for removal. I feel there are several good alternatives in net-firewall/ to use as replacements for the iptables-generating aspect of firestarter. If someone would like to pick up and maintain this package, they're welcome to it, otherwise, I'll remove it in thirty days.
> >
> > Michael Sterrett
> > -Mr. Bones.-
>
> So, if you like firestarter, better say something pretty soon. ;-) That help any??
>
> Dale

That helps some, but in net-firewall I'm finding a lot of unstable packages, and no really good idea which ones will be the best for a personal firewall, let alone which ones are best supported upstream so this doesn't happen to me again. So I'm interested in recommendations. What did you switch to?

++ kevin
--
Kevin O'Gorman, PhD
Re: [gentoo-user] Wha' hoppen to firestarter?
On Wed, 6 Jun 2007, Kevin O'Gorman wrote:
> That helps some, but in net-firewall I'm finding a lot of unstable packages, and no really good idea which ones will be the best for a personal firewall, let alone which ones are best supported upstream so this doesn't happen to me again. So I'm interested in recommendations. What did you switch to?

I use Shorewall. It's well supported and works well. I don't know a thing about iptables and still I've had a firewall in my workstations since I started using Linux.
--
Jorge Almeida
Re: [gentoo-user] Wha' hoppen to firestarter?
Kevin O'Gorman wrote:
> On 6/5/07, Dale [EMAIL PROTECTED] wrote:
> > Kevin O'Gorman wrote:
> > > snip
>
> That helps some, but in net-firewall I'm finding a lot of unstable packages, and no really good idea which ones will be the best for a personal firewall, let alone which ones are best supported upstream so this doesn't happen to me again. So I'm interested in recommendations. What did you switch to?
>
> ++ kevin

I never used firestarter, but I have used and would recommend shorewall.
Re: [gentoo-user] Wha' hoppen to firestarter?
On Wed, Jun 06, 2007 at 06:35:18AM -0700, Kevin O'Gorman wrote:
> That helps some, but in net-firewall I'm finding a lot of unstable packages, and no really good idea which ones will be the best for a personal firewall, let alone which ones are best supported upstream so this doesn't happen to me again. So I'm interested in recommendations. What did you switch to?

I've been using net-firewall/fwbuilder for a few years with no issues. I also find it pretty easy to use. Plus, it will also write rules for a Linksys WRT54G running openwrt.

festus
--
It is not unusual for those at the wrong end of the club to have a clearer picture of reality than those who wield it.
Noam Chomsky
Re: [gentoo-user] Wha' hoppen to firestarter?
Jorge Almeida wrote on 06/06/07 15:59:
> That helps some, but in net-firewall I'm finding a lot of unstable packages, and no really good idea which ones will be the best for a personal firewall, let alone which ones are best supported upstream so this doesn't happen to me again. So I'm interested in recommendations. What did you switch to?

I use fwbuilder. It's a drag and drop iptables front-end which builds firewall scripts. fwbuilder works very well once you've figured out defining and manipulating your firewall objects. The documentation is very sparse. It does miss the immediacy of the firestarter GUI though.

Cheers,
Dave
Re: [gentoo-user] Wha' hoppen to firestarter?
On Wednesday 06 June 2007 15:10, John J. Foster wrote:
> On Wed, Jun 06, 2007 at 06:35:18AM -0700, Kevin O'Gorman wrote:
> > That helps some, but in net-firewall I'm finding a lot of unstable packages, and no really good idea which ones will be the best for a personal firewall, let alone which ones are best supported upstream so this doesn't happen to me again. So I'm interested in recommendations. What did you switch to?
>
> I've been using net-firewall/fwbuilder for a few years with no issues. I also find it pretty easy to use. Plus, it will also write rules for a Linksys WRT54G running openwrt.

I've also tried fwbuilder out (a pain to set up with ssh and what not), but for some reason the naked truth of iptables and a little script I gradually knocked up has prevailed as my chosen method of managing my firewalls. Full transparency as to what goes in and what comes out.

PS. I found a pdf manual of fwbuilder somewhere on their website and it was quite detailed and very helpful. Strongly recommended for anyone who starts fiddling with it.
--
Regards,
Mick
[gentoo-user] Wha' hoppen to firestarter?
I had firestarter-1.0.3 emerged for quite some time. I hadn't really used it, but I'm a bit surprised now to find that it's interfering with normal emerges because it's got a big red M smacked on it. I suppose that means there's a problem with it, and it's explained in some forum or list that I don't normally get. But now I'd like a clue: what's the {prognosis, workaround, fix, alternative}. As I mentioned, I hadn't really started to use it, but I'd like to have a better firewall tool than building iptables scripts in vim.
--
Kevin O'Gorman, PhD
Re: [gentoo-user] Wha' hoppen to firestarter?
Kevin O'Gorman wrote:
> I had firestarter-1.0.3 emerged for quite some time. I hadn't really used it, but I'm a bit surprised now to find that it's interfering with normal emerges because it's got a big red M smacked on it. I suppose that means there's a problem with it, and it's explained in some forum or list that I don't normally get. But now I'd like a clue: what's the {prognosis, workaround, fix, alternative}. As I mentioned, I hadn't really started to use it, but I'd like to have a better firewall tool than building iptables scripts in vim.

This is from the Gentoo dev list.

> The upstream development for firestarter has been dead for some time (last news update Jul 31 2005). Recent changes to the netfilter code in the kernel have caused firestarter not to work (see bug #179792). That bug has a patch that fixes that particular problem but the fact that upstream is dead, the several other open bugs about firestarter and the fact that I no longer use it myself mean I'm masking it for removal. I feel there are several good alternatives in net-firewall/ to use as replacements for the iptables-generating aspect of firestarter. If someone would like to pick up and maintain this package, they're welcome to it, otherwise, I'll remove it in thirty days.
>
> Michael Sterrett
> -Mr. Bones.-

So, if you like firestarter, better say something pretty soon. ;-)

That help any??

Dale

:-) :-) :-)