> ** Reply to message from Richard Hebert <[EMAIL PROTECTED]> on Mon,
> 24 Sep 2001 12:56:46 -0400
>
>
> <snip>
>> To start Firestarter automatically on login.
>> Should the firewall be started before or after log in?
>> And if so how do I do that?
>> I read that after or before doesn't make much difference since the time
>> when the machine is actually "open" is very small.
>> Any comments?
> <snip>
>
> Note that as reported here, some Windows servers are getting hit by the
> Nimda worm at the rate of hundreds if not thousands of times/second.
> Assuming that it is only a matter of time until a Linux variant worm
> shows up, it will eventually become sheer hubris to not have your
> firewall up before your network interfaces are initialized.
>
> jb
>
> Jack Bowling
> mailto: [EMAIL PROTECTED]
Jack,
I would certainly say that a Linux worm will show up when and if someone
finds a security flaw in Apache, but it has absolutely nothing to do with
the Windows IIS worms. Of course we are not immune to such beasts; it is just
that at the moment the problem is Windows, and a lot of Windows users are too
stupid to know what is going on (the case may be the same if a Linux
worm appears).
Basically every computer on the internet is being hit by these annoying
worms, not just Windows computers. Windows computers are, however, the
target, and of course many of them get infected by it (whereas Linux
Apache computers do not get infected).
The only answer I can think of that makes sense to Richard's question is
based on the assumption that he has a completely closed firewall that he
opens when he logs into the computer to do stuff. My suggestion is that
you should have a rule in your input and output chains that intercepts the
interface to your internet connection and sends it to another chain that
says DENY; above that rule (as line 1) add a rule that redirects to another
chain that handles the "open" firewall when you want the firewall open, and
of course just add another DENY rule (line 1) in the same chain when you
want to close it.
e.g.
-----------------------------------------------------
# whichever interface points to the internet, e.g. "ppp0" or "eth1"
externalif="eth1"
# whatever covers your local IP addresses
# NOTE: the output rules below only pass packets whose source is inside
# $localnet, so this range must include every address this host itself
# sends from on $externalif (on a dial-up link that is the ppp0 address,
# which is normally not a private one), otherwise the output DENY rule
# blocks your own traffic. It must not cover remote hosts you expect to
# hear from on that interface, or the input anti-spoofing rule drops them.
localnet="192.168.0.0/16"
# the "test" rule chains: their first rule decides open vs. closed
ipchains -N TestIn
ipchains -N TestOut
# the "open" rule chains: what is allowed while the firewall is open
ipchains -N OpenIn
ipchains -N OpenOut
# input chain: traffic from outside goes to TestIn; the second rule drops
# packets arriving from outside that claim a local source (anti-spoofing)
ipchains -A input -i $externalif -s ! $localnet -j TestIn
ipchains -A input -i $externalif -s $localnet -j DENY
# output chain: traffic from our own addresses goes to TestOut; the second
# rule drops anything leaving with a non-local source (anti-spoofing)
ipchains -A output -i $externalif -s $localnet -j TestOut
ipchains -A output -i $externalif -s ! $localnet -j DENY
# these two chains just have the first rule to decide if the
# firewall should be open or closed - initially closed
ipchains -A TestIn -j DENY
ipchains -A TestOut -j DENY
# place the input rules you want when the interface needs to be open
# (a packet that matches nothing in OpenIn returns to TestIn and hits
# the DENY rule behind the jump, so unmatched traffic is still dropped):
ipchains -A OpenIn ...
ipchains -A OpenIn ...
ipchains -A OpenIn ...
# place the output rules you want when the interface needs to be open:
ipchains -A OpenOut ...
ipchains -A OpenOut ...
ipchains -A OpenOut ...
-----------------------------------------------------
# To open the firewall you need 2 commands (a new rule 1 shadows
# everything below it in the chain):
ipchains -I TestIn 1 -j OpenIn
ipchains -I TestOut 1 -j OpenOut
-----------------------------------------------------
# To close the firewall you need 2 commands:
ipchains -I TestIn 1 -j DENY
ipchains -I TestOut 1 -j DENY
-----------------------------------------------------
And you can keep opening and closing it. Of course the TestIn and TestOut
chains will get quite large, but it doesn't matter since only the first
rule is ever executed.
As for system startup, I actually edit /etc/rc.d/init.d/network and add
it in just before it brings up eth0 (and of course you don't need to
remove the firewall during shutdown), BUT this usually requires you to use
numeric IP addresses in the rules due to DNS issues (so use variables :-).
-Cheers
-Andrew
--
MS ... if only he hadn't been hang gliding!
_______________________________________________
Seawolf-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/seawolf-list
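The open/close toggle that Andrew describes, as an added example that is not part of the original thread: a POSIX sh wrapper that rebuilds the TestIn/TestOut chains instead of stacking a new rule 1 on every change, so the chains stay at one or two rules however often the firewall is flipped, while keeping the DENY fall-through behind the jump to OpenIn/OpenOut. It assumes the four chains from the post already exist and have been wired into input/output as shown there. The script name, the function names and the FW_DRY_RUN variable are this example's own inventions; dry-run mode only prints the ipchains commands, which is how the example runs without root or a 2.2 kernel.

```shell
#!/bin/sh
# fw-toggle.sh (example code, not from the original post): flip the
# TestIn/TestOut chains between "open" and "closed" without letting them
# grow. Assumes TestIn, TestOut, OpenIn and OpenOut exist and that the
# built-in input/output chains already jump to TestIn/TestOut.
#
# FW_DRY_RUN=1 prints each ipchains command instead of executing it
# (hypothetical knob of this example, not an ipchains feature).
FW_DRY_RUN="${FW_DRY_RUN:-0}"

# Run one ipchains command, or print it in dry-run mode.
ipc() {
    if [ "$FW_DRY_RUN" = 1 ]; then
        printf 'ipchains %s\n' "$*"
    else
        ipchains "$@"
    fi
}

# fw_set open|closed
# Rebuilds TestIn and TestOut. When open, rule 1 jumps to the Open* chain
# and rule 2 is DENY, so a packet that matches nothing in OpenIn/OpenOut
# returns to the test chain and is still dropped (same fall-through as the
# original stacked layout). When closed, the only rule is DENY.
fw_set() {
    case "$1" in
        open)   in_target=OpenIn; out_target=OpenOut ;;
        closed) in_target=DENY;   out_target=DENY ;;
        *)
            echo "usage: fw_set open|closed" >&2
            return 2
            ;;
    esac

    # -F empties a user-defined chain without deleting it, so the jumps
    # to TestIn/TestOut from the built-in chains remain valid.
    ipc -F TestIn
    ipc -F TestOut
    ipc -A TestIn -j "$in_target"
    ipc -A TestOut -j "$out_target"
    if [ "$1" = open ]; then
        ipc -A TestIn -j DENY
        ipc -A TestOut -j DENY
    fi
}

# Dry-run helper: show what fw_set would issue, without touching the kernel.
fw_dry_run() {
    ( FW_DRY_RUN=1; fw_set "$1" )
}

# Command-line use: ./fw-toggle.sh open   or   ./fw-toggle.sh closed
case "${1:-}" in
    open|closed) fw_set "$1" ;;
esac
```

Because the test chains are rebuilt from scratch each time, "open" always issues six commands and "closed" four, regardless of how many times the state has been flipped before; an unknown mode prints a usage line and returns 2 without issuing anything.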