From costa at tsaousis.gr Mon Dec 1 06:09:15 2003
From: costa at tsaousis.gr (Costa Tsaousis)
Date: Mon, 1 Dec 2003 07:09:15 +0200 (EET)
Subject: [Firehol-support] Ulog
In-Reply-To: <20031130110849.GB2965@berini.org>
References: <20031129204023.GB19775@berini.org> <57437.10.0.0.193.1070144826.squirrel@nefeli.tsaousis.gr> <20031130110849.GB2965@berini.org>
Message-ID: <59991.10.0.0.193.1070255355.squirrel@nefeli.tsaousis.gr>

> I know that this topic has been dealt with in the doc and in the forum,
> but the suggested solutions don't work in Debian (or at least I can't
> succeed to have them work).

Strange. Is there someone on the list that has succeeded in managing the iptables logs on Debian to give us some light here?

> But I prefer FireHOL, and I'll stick to it anyway ;-)

Thanks.

> # FireHOL [:] > server x ULOG

In explain mode, first give an interface (I have the shortcut "in" to do this):

# FireHOL [:] > in

and then the server statement with a valid service:

# FireHOL [:] > server smtp ULOG

This works.

> The problem is that I still have the LOG rules in iptables:

Yes, since the iptables commands will simply add rules for this logging; they will not change the existing ones.

Anyway, I have added the variable FIREHOL_LOG_MODE to control the method of logging. By default it is set to LOG. You can set it to ULOG to change all logging made by FireHOL (even with the log and loglimit rules) to use ULOG. Use the normal FIREHOL_LOG_OPTIONS variable to control other options of ULOG.

Note that if set to ULOG, then FIREHOL_LOG_LEVEL and the level parameter to the log/loglimit rules are ignored (ULOG does not have a level).

This has been added to v1.172, currently in the CVS. I have tested that LOG works as previously and that ULOG statements are produced correctly, but I'll need your help to verify that ULOG is working properly.
Costa

From costa at tsaousis.gr Mon Dec 1 06:20:48 2003
From: costa at tsaousis.gr (Costa Tsaousis)
Date: Mon, 1 Dec 2003 07:20:48 +0200 (EET)
Subject: [Firehol-support] Multiple Ip Allows - Denigh rest of subnet
Message-ID: <60017.10.0.0.193.1070256048.squirrel@nefeli.tsaousis.gr>

See below

> accepted_ips="
> 192.168.2.96
> 192.168.2.42
> #192.168.2.54
> 192.168.2.66
> 192.168.2.174"

I don't think that BASH will accept this # as a comment.

You can move this list to another file (say, /etc/firehol/ips.txt) and use this here:

accepted_ips="`cat /etc/firehol/ips.txt | grep -v '^#'`"

(copy and paste it, there are 3 kinds of quotes here)

Then put this in /etc/firehol/ips.txt

192.168.2.96
192.168.2.42
# 192.168.2.54
192.168.2.66
192.168.2.174

Note that the # has to be the first character of the line. If it is not, it will appear in your list. No other comments are allowed in this file.

> > router lan2internet inface eth1 outface eth0
> >     masquerade
> >     route ${accepted_ips} accept

Delete this. It does the same job as the one below.

> > router internet2lan inface eth0 outface eth1
> >     masquerade reverse
> >     client all accept
> >     server ident reject with tcp-reset

Change the client statement to:

client all accept src "${accepted_ips}"

Done.
Costa

From lazlor at bigboy.lotaris.org Mon Dec 1 17:19:03 2003
From: lazlor at bigboy.lotaris.org (Allen Smith)
Date: Mon, 1 Dec 2003 08:19:03 -0800
Subject: [Firehol-support] Ulog
In-Reply-To: <59991.10.0.0.193.1070255355.squirrel@nefeli.tsaousis.gr>
Message-ID: <000401c3b826$d6864e60$250a0a0a@it637>

The following worked for me under sarge/testing using the deb package of firehol:

1) edit /etc/init.d/klogd and make KLOGD="-c 5 "
2) edit /lib/firehol/firehol and make FIREHOL_LOG_LEVEL="info"
3) restart firehol and klogd

> -----Original Message-----
> From: firehol-support-admin at lists.sourceforge.net
> [mailto:firehol-support-admin at lists.sourceforge.net] On Behalf Of Costa Tsaousis
> Sent: Sunday, November 30, 2003 9:09 PM
> To: Philippe Berini
> Cc: firehol-support at lists.sourceforge.net
> Subject: Re: [Firehol-support] Ulog

From philippe at berini.org Mon Dec 1 23:14:44 2003
From: philippe at berini.org (Philippe Berini)
Date: Mon, 1 Dec 2003 23:14:44 +0100
Subject: [Firehol-support] Ulog
In-Reply-To: <59991.10.0.0.193.1070255355.squirrel@nefeli.tsaousis.gr>
References: <20031129204023.GB19775@berini.org> <57437.10.0.0.193.1070144826.squirrel@nefeli.tsaousis.gr> <20031130110849.GB2965@berini.org> <59991.10.0.0.193.1070255355.squirrel@nefeli.tsaousis.gr>
Message-ID: <20031201221444.GD2012@berini.org>

* Costa Tsaousis [Mon 01 Dec 03 07:09]:
> This has been added to v1.172 currently in the CVS. I have tested that LOG
> works as previously and that ULOG statements are produced correctly but
> I'll need your help to verify that ULOG is working properly.

Thanks for all these explanations, I'm sure they will be useful later on. I am very far from being a specialist (just able to run my Debian in "normal" quasi newbie conditions) and am afraid I can't be of any help with the CVS for the moment. I'm sure someone else on the list will help you test this new functionality.

Thanks again, I'll keep posted.
-- 
Philippe Berini

From philippe at berini.org Mon Dec 1 23:15:10 2003
From: philippe at berini.org (Philippe Berini)
Date: Mon, 1 Dec 2003 23:15:10 +0100
Subject: [Firehol-support] Ulog
In-Reply-To: <000401c3b826$d6864e60$250a0a0a@it637>
References: <59991.10.0.0.193.1070255355.squirrel@nefeli.tsaousis.gr> <000401c3b826$d6864e60$250a0a0a@it637>
Message-ID: <20031201221510.GE2012@berini.org>

* Allen Smith [Mon 01 Dec 03 08:19]:
> The following worked for me under sarge/testing using the deb package of
> firehol:
> 1) edit /etc/init.d/klogd and make KLOGD="-c 5 "
> 2) edit /lib/firehol/firehol and make FIREHOL_LOG_LEVEL="info"
> 3) restart firehol and klogd

I run Sarge with kernel 2.4.22, and it does not work. Too bad ;-\

Thanks anyway,

-- 
Philippe Berini

From james at hdcs.com.au Wed Dec 3 10:20:06 2003
From: james at hdcs.com.au (James Bean)
Date: Wed, 3 Dec 2003 19:20:06 +1000
Subject: [Firehol-support] Transparent Proxy help

Hi,

What I am trying to accomplish is to deny access to the internet from certain users and enable it for others, but the transparent proxy doesn't seem to be working.

My firehol.conf is as follows:

--------------------------------------------
#
# $Id: client-all.conf,v 1.2 2002/12/31 15:44:34 ktsaou Exp $
#
# This configuration file will allow all requests originating from the
# local machine to be send through all network interfaces.
#
# No requests are allowed to come from the network. The host will be
# completely stealthed! It will not respond to anything, and it will
# not be pingable, although it will be able to originate anything
# (even pings to other hosts).
#

# Require release 5 of FireHOL configuration directives
version 5

# Internal Network IP Address
lan_ips="192.168.69.0/24"
accepted_ips="`cat /etc/firehol/ips.txt | grep -v '^#'`"

# Transparent Proxy
transparent_squid 8080 "squid root" inface eth0 src "${lan_ips}"

# My LAN. Everything is allowed here.
interface eth0 lan src "${lan_ips}"
    server dns accept
    server squid accept
    server ssh accept
    server http accept
    server ftp accept
    server smtp accept
    server dhcp accept
    policy reject

interface eth1 internet src not "${lan_ips} ${UNROUTABLE_IPS}"
    protection strong 10/sec 10
    server ssh accept
    server http accept
    server ident reject with tcp-reset
    client all accept

router internet2lan inface eth1 outface eth0
    masquerade reverse
    client all accept src "${accepted_ips}"
    server ident reject with tcp-reset
-----------------------------------

ips.txt is as follows

192.168.69.1
192.168.69.5
192.168.69.69
192.168.69.205

But I need the other machines in the network to receive their DHCP from the box; their IP just won't be allowed at the router rule.

At the moment that seems to be working, except the transparent proxy doesn't seem to be working correctly. If I do the rules manually with a plain iptables set of rules it works no problems, so I seem to have something wrong in the firehol configuration.

Any help would be very much appreciated.

J

From thomas at intevation.de Wed Dec 3 11:00:03 2003
From: thomas at intevation.de (Thomas Arendsen Hein)
Date: Wed, 3 Dec 2003 11:00:03 +0100
Subject: [Firehol-support] Multiple Ip Allows - Denigh rest of subnet
In-Reply-To: <60017.10.0.0.193.1070256048.squirrel@nefeli.tsaousis.gr>
References: <60017.10.0.0.193.1070256048.squirrel@nefeli.tsaousis.gr>
Message-ID: <20031203100003.GA20452@intevation.de>

On Mon, Dec 01, 2003 at 07:20:48AM +0200, Costa Tsaousis wrote:
> I don't think that BASH will accept this # as a comment.
> You can move this list to another file (say, /etc/firehol/ips.txt) and use
> this here:
>
> accepted_ips="`cat /etc/firehol/ips.txt | grep -v '^#'`"
>
> (copy and paste it, there are 3 kinds of quotes here)
> Then put this in /etc/firehol/ips.txt
>
> 192.168.2.96
> 192.168.2.42
> # 192.168.2.54
> 192.168.2.66
> 192.168.2.174
>
> Note that the # has to be the first character of line. If it is not, it
> will appear in your list. No other comments are allowed in this file.

This one doesn't require another file, isn't picky about spaces and allows variables inside the list:

foo="this.host.example"
accepted_ips="`grep -v '^ *#' << EOF
192.168.2.96
192.168.2.42
# 192.168.2.54
$foo
192.168.2.66
192.168.2.174
EOF`"

Thomas

-- 
Email: thomas at intevation.de
http://intevation.de/~thomas/

From james at hdcs.com.au Wed Dec 3 11:28:46 2003
From: james at hdcs.com.au (James Bean)
Date: Wed, 3 Dec 2003 20:28:46 +1000
Subject: [Firehol-support] Port Forwarding Help

Sorry to add so many requests for help, I only joined recently and haven't gotten many posts from this list yet.

My problem is port forwarding: the dnat snat nat redirect system seems very complicated when trying to do a simple port redirect.

The following is what I am having a problem with.

Internal LAN interface is eth0
External Internet interface is eth1

Ports for redirection: 6881 6882 .... 6889

I need to port forward from eth1 any incoming connections to the above ports to 192.168.69.69

so incoming 6881 to port eth1 should be forwarded to 192.168.69.69

Everything I have tried with dnat and snat doesn't seem to work.

Any suggestions on this matter would be very much appreciated.

I take it by the description any dnat snat nat redirect commands get put at the end of the config not under a router or interface heading?

J
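Back to the accepted_ips list from Costa's reply, Thomas's heredoc variant, and the ips.txt file in James's transparent-proxy config: all three build the list from text with grep, so any token that is not an address (a typo, a comment that does not start the line, a hostname) is passed straight into src "${accepted_ips}" and on to iptables. The following shell function is an added example, not FireHOL code or anything posted in this thread. It loads the list from a file, ignores full-line and trailing # comments and blank lines (going beyond the grep one-liner, which only tolerates # at the start of a line), and refuses to return a list at all unless every entry is an IPv4 address or an IPv4/CIDR prefix. The path /etc/firehol/ips.txt is the one used in the thread; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not FireHOL code: build the accepted_ips list from a file
# and refuse anything that is not an IPv4 address or IPv4/CIDR prefix.
# Function names are this example's own; the file path is the one from the thread.

# valid_ipv4_cidr ENTRY -> status 0 iff ENTRY is a.b.c.d or a.b.c.d/n (n 0..32)
valid_ipv4_cidr() {
    entry=$1
    addr=${entry%%/*}
    if [ "$addr" != "$entry" ]; then
        prefix=${entry#*/}
        case $prefix in
            ''|*[!0-9]*) return 1 ;;      # empty or non-numeric prefix length
        esac
        [ "$prefix" -le 32 ] || return 1
    fi
    old_ifs=$IFS
    IFS=.
    set -f                                # no globbing while splitting on dots
    set -- $addr
    set +f
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;      # empty or non-numeric octet
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# load_allowlist FILE -> prints the valid entries on one line, space separated.
# Full-line and trailing '#' comments and blank lines are ignored.
# On the first invalid entry it prints a diagnostic on stderr, prints
# nothing on stdout and returns 1, so the caller can fail closed.
load_allowlist() {
    file=$1
    result=''
    while read -r line || [ -n "$line" ]; do
        line=${line%%#*}                  # drop a comment wherever it starts
        set -f
        set -- $line                      # word-split; tolerates stray whitespace
        set +f
        for tok in "$@"; do
            if valid_ipv4_cidr "$tok"; then
                result="$result $tok"
            else
                echo "load_allowlist: invalid entry '$tok' in $file" >&2
                return 1
            fi
        done
    done < "$file"
    echo "${result# }"
}

# Intended use in firehol.conf, replacing the backtick line from the thread:
#   accepted_ips=$(load_allowlist /etc/firehol/ips.txt) || exit 1
```

With the file from the thread (four addresses and one commented-out line) the function prints them on one line, which is what src "${accepted_ips}" expects; with a line such as evil.example or 256.0.0.1 it prints nothing and returns 1, and the caller should refuse to continue rather than load a rule built from an empty or partial list.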
From costa at tsaousis.gr Wed Dec 3 21:50:19 2003
From: costa at tsaousis.gr (Costa Tsaousis)
Date: Wed, 3 Dec 2003 22:50:19 +0200 (EET)
Subject: [Firehol-support] Port Forwarding Help
Message-ID: <44211.10.0.0.193.1070484619.squirrel@nefeli.tsaousis.gr>

dnat to 192.168.69.69 inface eth1 dport "6881:6889"

place this BEFORE any interface or router blocks.

-- 
Costa Tsaousis

From costa at tsaousis.gr Wed Dec 3 22:16:26 2003
From: costa at tsaousis.gr (Costa Tsaousis)
Date: Wed, 3 Dec 2003 23:16:26 +0200 (EET)
Subject: [Firehol-support] Transparent Proxy help
Message-ID: <44509.10.0.0.193.1070486186.squirrel@nefeli.tsaousis.gr>

I guess that when you say that the transparent proxy is not working, you mean that it allows web browsing from the unroutable IPs. If this is the problem, then change the transparent_squid statement to this:

transparent_squid 8080 "squid root" inface eth0 src "${accepted_ips}"

This is because a proxy is not ROUTING the packets; it re-plays them at the other side of your firewall.
If your transparent squid does not work at all, please check the squid logs and verify that it gets the requests from the clients. If it gets the requests, then check your squid configuration.

If it does get the requests but it complains that it cannot connect to remote hosts, first check this:

transparent_squid 8080 "" inface eth0 src "${accepted_ips}"

this will disable proxied browsing from the firewall itself (with a browser on the linux host). If that works, check the user under which squid is running and make sure it is included in the first command line above.

Costa

PS: Your eth0 interface does not state any clients. This means that you will not even be able to ping the other hosts from the linux firewall. Is that what you want?

From bock+firehol at blacknet.de Thu Dec 4 15:07:06 2003
From: bock+firehol at blacknet.de (Goetz Bock)
Date: Thu, 4 Dec 2003 15:07:06 +0100
Subject: [Firehol-support] Port Forwarding Help
In-Reply-To: <44211.10.0.0.193.1070484619.squirrel@nefeli.tsaousis.gr>
References: <44211.10.0.0.193.1070484619.squirrel@nefeli.tsaousis.gr>
Message-ID: <20031204140706.GC20753@shell.blacknet.de>

On Wed, Dec 03 '03 at 22:50, Costa Tsaousis wrote:
> dnat to 192.168.69.69 inface eth1 dport "6881:6889"

As James is trying to run bittorrent behind his nat/firewall this will not work as expected. He has to add 9 rules: one for each port from 6881 to 6889.
-- 
Goetz Bock (c) 2003 as blacknet.de - Munich - Germany                /"\
IT Consultant  GNU FDL 1.1  secure mobile Linux everNETting          \ /  X
ASCII Ribbon Campaign against HTML email & microsoft attachments     / \

From daniel at rimspace.net Wed Dec 10 14:00:19 2003
From: daniel at rimspace.net (Daniel Pittman)
Date: Thu, 11 Dec 2003 00:00:19 +1100
Subject: [Firehol-support] PPPoE TCP MSS clamping / match
Message-ID: <87brqgltek.fsf@enki.rimspace.net>

In order to use my ADSL connection, I need to clamp the MSS value on TCP connections to something slightly lower than a standard Ethernet value.

Anyway, the "standard" way of achieving this for the in-kernel PPPoE driver is to issue the following iptables command:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
    -j TCPMSS --clamp-mss-to-pmtu

Now, I can obviously stick that in using the 'iptables' command, but that is a bit less selective than I will want to be in the near future.

So, any chance of seeing an action to implement this? I would suggest:

tcpmss ( 'pmtu' | )

If the argument is 'pmtu', pass the '--clamp-mss-to-pmtu' option, otherwise pass '--set-mss '.

Having it match on the 'router' statement, etc, would be ideal. That way I don't need to fiddle with the interface matching and so on when I have a PPPoE link and an 802.11 link heading out of the same box, and I need to clamp the MSS on only one of them.

Daniel

-- 
Reality is not as strong as perception. Perception all too often swallows reality and spits it out in a new, unrecognizable form.
        -- Maytee Aspuro

From moacyrs at akadnyx.com.br Fri Dec 12 13:53:08 2003
From: moacyrs at akadnyx.com.br (Moacyr Leite da Silva)
Date: Fri, 12 Dec 2003 10:53:08 -0200
Subject: [Firehol-support] howto block p2p in network
References: <44509.10.0.0.193.1070486186.squirrel@nefeli.tsaousis.gr>
Message-ID: <004301c3c0ae$e494b7e0$fd00a8c0@moacyr>

Hi,

Can someone help me block p2p in my network? I tried the config below with no luck.
Regards
Moacyr

####
version 5

server_kaaza_ports="tcp/3531"
client_kaaza_ports="default"

transparent_squid 8080 "squid root" inface eth1

interface eth0 internet src not "${UNROUTABLE_IPS}"
    policy drop
    protection strong
    server ident reject with tcp-reset
    server http accept
    server https accept
    server dns accept
    server smtp accept
    server ssh accept
    server jabberd accept
    server jabber accept
    server kaaza deny
    client all accept

interface eth1 lan
    policy accept
    server all accept
    client all accept

router lan2internet inface eth1 outface eth0
    masquerade
    route kaaza deny
    route "http https ftp" accept
    route "ssh ntp ping" accept
    route "GRE AH ESP isakmp pptp" accept
    route "vnc irc msn" accept

From andre.marenke at awc.net.au Mon Dec 15 07:17:19 2003
From: andre.marenke at awc.net.au (Andre Marenke)
Date: Mon, 15 Dec 2003 17:17:19 +1100
Subject: [Firehol-support] Extending complex service FTP
Message-ID: <1071469039.2790.647.camel@andre>

Hello,

I am currently trying to extend/recreate the FTP service definitions. I have a router R and two machines M1 and M2 behind the router.

I have http running on M1 and ftp on M2. My ftp server is set up to listen on ports 2500:2520 (one port for each virtual ftp domain).

2 Questions:

1) With the setup I have below it is not possible to do passive FTP to the FTP server and my definition is too simple to allow for conntrack to work. Is it possible to modify the existing FTP server definition in an easy way to gain full FTP functionality with different ports?

2) I have only set up one router and was wondering what the best/most elegant solution is to split traffic up depending on the type of traffic? Define multiple routers with destination IP addresses set for each service, or one router with the service destination IP addresses set?

Thanks for a great product btw!
My setup is like this:

interface eth0 internet
    policy DROP
    protection strong
    client ssh accept

interface eth1 dmz
    policy REJECT
    protection strong
    server squid accept
    server ssh accept
    client ssh accept

router net2dmz inface eth0 outface eth1
    route http accept
    route custom ftpserver tcp/2500:2520 default accept

router dmz2net inface eth1 outface eth0
    route all accept

From costa at tsaousis.gr Tue Dec 16 23:12:29 2003
From: costa at tsaousis.gr (Costa Tsaousis)
Date: Wed, 17 Dec 2003 00:12:29 +0200
Subject: [Firehol-support] Extending complex service FTP
In-Reply-To: <1071469039.2790.647.camel@andre>
References: <1071469039.2790.647.camel@andre>
Message-ID: <1071612749.5072.157.camel@nefeli.tsaousis.gr>

Hi Andre,

> I am currently trying to extend/recreate the FTP service definitions. I
> have a router R and two machines M1 and M2 behind the router.
>
> I have http running on M1 and ftp on M2. My ftp server is setup to
> listen on ports 2500:2520 (one port for each virtual ftp domain).
>
> 2 Questions:
> 1) With the setup I have below it is not possible to do passive FTP to
> the FTP server and my definition is too simple to allow for conntrack to
> work. Is it possible to modify the existing FTP server definition in an
> easy way to gain full FTP functionality with different ports?

The FTP service needs an FTP conntrack module, which allows the random socket connection made for the data transfer by the FTP server/client to be matched as RELATED to the initial request. I don't think that this module will understand ports 2500:2520 as FTP requests, and therefore it will not allow either active or passive data connections RELATED to these ports.

I think it would be better to have either multiple IPs on your machine and bind one FTP server to each IP, or use an FTP server with virtual domains support (if I remember correctly, ProFTPd is one of those). If you use either of these two methods, FireHOL's FTP service will operate as expected.
If however you cannot use any of the above, I suggest to use this for a safe Active FTP server (ONLY ACTIVE FTP AND ONLY SERVER):

---
# Custom FTP Server Control socket
server_myftpc_ports="tcp/2500:2520"
client_myftpc_ports="default"

# Custom FTP server Data socket
server_myftpd_ports="tcp/1024:65535"
client_myftpd_ports="default"

interface ...
    # Our custom FTP server
    server myftpc accept
    client myftpd accept
---

DO NOT REVERSE server/client FOR AN FTP CLIENT OF THIS FTP VARIATION. IT WILL BE A HUGE SECURITY HOLE.

> 2) I have only set up one router and was wondering what the best/most
> elegant solution is to split traffic up depending on the type of
> traffic? Define multiple routers with destination ip addresses set for
> each service or one router with the service destination IP addresses
> set?

I like to think with the concept of "zones". A "zone" (for me) is a subnet of machines that are related to each other, and which I am willing to protect.

Normally you are going to face a situation similar to this:

Servers A, B, C on subnet S1 form ZONE1, connected on interface I1
Servers D, E, F on subnet S2 form ZONE2, connected on interface I2
Then there is the Internet (of course), on interface I3

I1 and I2 might be the same, but not necessarily.

Here is what I do:

# Internet - to - Zone1 (and vice versa)
router i2z1 inface I3 outface I1 src not "${UNROUTABLE_IPS}" dst S1
    server x accept dst A
    server y accept dst B
    server z accept dst C
    ...
    client x1 accept src A
    client y1 accept src B
    client z1 accept src C
    ...

# Internet - to - Zone2 (and vice versa)
router i2z2 inface I3 outface I2 src not "${UNROUTABLE_IPS}" dst S2
    server x accept dst D
    server y accept dst E
    server z accept dst F
    ...
    client x1 accept src D
    client y1 accept src E
    client z1 accept src F
    ...

In the above, INPUT (inface/src) is the Internet and OUTPUT (outface/dst) is the zone to be protected. Given that, I then "think" of all the rules as if I was the machine(s) protected from the Internet (i.e.
same concept with the interface rules).

Then, if there is need for routing traffic between the zones, I prefer to do this (for clarity, since both sides are to be protected from each other):

# Zone 1 to Zone 2
router Z1toZ2 inface I1 outface I2 src S1 dst S2
    route x accept src A dst D
    route y accept src B dst E
    ...

# Zone 2 to Zone 1
router Z2toZ1 inface I2 outface I1 src S2 dst S1
    route x accept src D dst A
    route y accept src E dst B
    ...

These are unidirectional routers (in concept) and state very clearly what can be requested by clients running on the INPUT, from servers running on the OUTPUT.

Remember that inface/outface/src/dst match the REQUEST, not the REPLY.

Costa

From bock at blacknet.de Tue Dec 16 23:38:53 2003
From: bock at blacknet.de (Goetz Bock)
Date: Tue, 16 Dec 2003 23:38:53 +0100
Subject: [Firehol-support] Extending complex service FTP
In-Reply-To: <1071612749.5072.157.camel@nefeli.tsaousis.gr>
References: <1071469039.2790.647.camel@andre> <1071612749.5072.157.camel@nefeli.tsaousis.gr>
Message-ID: <20031216223852.GJ440@shell.blacknet.de>

On Wed, Dec 17 '03 at 00:12, Costa Tsaousis wrote:
> > I have http running on M1 and ftp on M2. My ftp server is setup to
> > listen on ports 2500:2520 (one port for each virtual ftp domain).
>
> The FTP service needs an FTP conntrack module, which allows the random
> socket connection made for the data transfer by the FTP server/client,
> to be matched as RELATED to the initial request. I don't think that this
> module will understand ports 2500:2520 as FTP requests, and therefore it
> will not allow either active or passive data connections RELATED to
> these ports.
Actually it can be made to:

user at box ~$ modinfo /lib/modules/2.4.23/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
filename:    /lib/modules/2.4.23/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
description:
author:
license:     "GPL"
parm:        ports int array (min = 1, max = 8)
parm:        loose int
user at box ~$

so it looks like you can specify up to 8 ports where the module will try to conntrack ftp connections. By default 21 will be used. (You can only get 8 ports, as you can only load the module once)

-- 
Goetz Bock

From lingenavd at planet.nl Thu Dec 25 23:40:59 2003
From: lingenavd at planet.nl (lingenavd)
Date: Thu, 25 Dec 2003 23:40:59 +0100
Subject: [Firehol-support] Help needed for firehol.conf
Message-ID: <3FEB677B.3020001@planet.nl>

Hi all,

Could you help me out please.....

I have set up everything as well as I can think of in firehol.conf, but the firewall blocks all my outgoing traffic. Even when ppp+ is configured for "client all accept".

I am using ADSL with a speedtouch USB modem. When I stop the firewall, all works fine.

The message in /var/log/messages is:

Dec 25 23:24:33 specimen kernel: OUT-unknown:IN= OUT=ppp0 SRC= DST=195.121.1.34 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=10148 DF PROTO=UDP SPT=32770 DPT=53 LEN=39

this is after I ping a URL. So not even a DNS request is let through the firewall!!

Please help.
grtz, dre From jgmbenoit at wanadoo.fr Fri Dec 26 21:58:36 2003 From: jgmbenoit at wanadoo.fr (Jerome BENOIT) Date: Fri, 26 Dec 2003 22:58:36 +0200 Subject: [Firehol-support] psad and firehol Message-ID: <3FECA0FC.9020008@wanadoo.fr> Hello List, I have just written down my first FireHOL script: my first trouble comes from psad: it emails the message: ** The INPUT chain in the iptables ruleset on _CHANGEME_ includes a default LOG rule for all protocols, but the rule does not have a log prefix of "DROP". It appears as though the log prefix is set to "IN-unknown:". psad will not be able to detect scans without adding --log-prefix "DROP" to the rule. I have try to put the following line to my script: FIREHOL_LOG_OPTIONS="--log-prefix \"DROP\"" but I get an error message saying that iptable does not support twice the same option. Is there a clean to satisfy psad ? Thanks inadvance, Jerome PS: Please CC your reponse to my email address as I am not a memeber the list, thanks. From costa at tsaousis.gr Mon Dec 29 09:11:03 2003 From: costa at tsaousis.gr (Costa Tsaousis) Date: Mon, 29 Dec 2003 10:11:03 +0200 Subject: [Firehol-support] psad and firehol In-Reply-To: <3FECA0FC.9020008@wanadoo.fr> References: <3FECA0FC.9020008@wanadoo.fr> Message-ID: <1072685463.27151.7.camel@nefeli.tsaousis.gr> At the end of each interface add: server any psad drop log "DROP" At the end of all interfaces add: interface any psad server any psad drop log "DROP" At the end of all routers add: router psad server any psad drop log "DROP" These will overwrite the default DROP rules added by FireHOL. Costa On ???, 2003-12-26 at 22:58, Jerome BENOIT wrote: > Hello List, > > I have just written down my first FireHOL script: > my first trouble comes from psad: it emails the message: > > ** The INPUT chain in the iptables ruleset on _CHANGEME_ includes a > default LOG rule for all protocols, but the rule does not have a log > prefix of "DROP". 
It appears as though the log prefix is set to > "IN-unknown:". psad will not be able to detect scans without adding > --log-prefix "DROP" to the rule. > > > I have try to put the following line to my script: > > FIREHOL_LOG_OPTIONS="--log-prefix \"DROP\"" > > but I get an error message saying that iptable does not support > twice the same option. > > Is there a clean to satisfy psad ? > > Thanks inadvance, > Jerome > > PS: > Please CC your reponse to my email address > as I am not a memeber the list, thanks. > > > > ------------------------------------------------------- > This SF.net email is sponsored by: IBM Linux Tutorials. > Become an expert in LINUX or just sharpen your skills. Sign up for IBM's > Free Linux Tutorials. Learn everything from the bash shell to sys admin. > Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click > _______________________________________________ > Firehol-support mailing list > Firehol-support at lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/firehol-support From jgmbenoit at wanadoo.fr Mon Dec 29 20:24:09 2003 From: jgmbenoit at wanadoo.fr (Jerome BENOIT) Date: Mon, 29 Dec 2003 21:24:09 +0200 Subject: [Firehol-support] psad and firehol References: <3FECA0FC.9020008@wanadoo.fr> <1072685463.27151.7.camel@nefeli.tsaousis.gr> Message-ID: <3FF07F59.60807@wanadoo.fr> Thanks for your reply: I have just try it, and unfortunaltely I get the same email message from psad. Jerome Costa Tsaousis wrote: > At the end of each interface add: > > server any psad drop log "DROP" > > At the end of all interfaces add: > > interface any psad > server any psad drop log "DROP" > > > At the end of all routers add: > > router psad > server any psad drop log "DROP" > > > These will overwrite the default DROP rules added by FireHOL. 
>
> Costa
>
> On ???, 2003-12-26 at 22:58, Jerome BENOIT wrote:
>
>>Hello List,
>>
>>I have just written down my first FireHOL script:
>>my first trouble comes from psad: it emails the message:
>>
>> ** The INPUT chain in the iptables ruleset on _CHANGEME_ includes a
>> default LOG rule for all protocols, but the rule does not have a log
>> prefix of "DROP". It appears as though the log prefix is set to
>> "IN-unknown:". psad will not be able to detect scans without adding
>> --log-prefix "DROP" to the rule.
>>
>>I have tried to put the following line in my script:
>>
>>FIREHOL_LOG_OPTIONS="--log-prefix \"DROP\""
>>
>>but I get an error message saying that iptables does not support
>>the same option twice.
>>
>>Is there a clean way to satisfy psad?
>>
>>Thanks in advance,
>>Jerome
>>
>>PS:
>>Please CC your response to my email address
>>as I am not a member of the list, thanks.

From costa at tsaousis.gr Mon Dec 29 22:48:10 2003
From: costa at tsaousis.gr (Costa Tsaousis)
Date: Mon, 29 Dec 2003 23:48:10 +0200
Subject: [Firehol-support] psad and firehol
In-Reply-To: <3FF07F59.60807@wanadoo.fr>
References: <3FECA0FC.9020008@wanadoo.fr> <1072685463.27151.7.camel@nefeli.tsaousis.gr> <3FF07F59.60807@wanadoo.fr>
Message-ID: <1072734490.27157.20.camel@nefeli.tsaousis.gr>

This is normal since the default rules have not been removed. The rules
I sent you "overwrite" the defaults because they appear just before
them. This means that although psad complains, it should work as
expected now. Does it?

Note: I noticed in psad documentation that it might require a space
after the log prefix. Please replace "DROP" in the rules I sent you with
"DROP ".

Run a check to see if the rules I sent you allow psad to work as
expected, and if they do just add --no-fwcheck to psad to prevent the
psad alarm about the possibility of a misconfigured firewall from being
sent to you.

Costa

On ???, 2003-12-29 at 21:24, Jerome BENOIT wrote:
> Thanks for your reply:
> I have just tried it,
> and unfortunately I get the same email message from
> psad.
>
> Jerome
>
> Costa Tsaousis wrote:
> > At the end of each interface add:
> >
> > server any psad drop log "DROP"
> >
> > At the end of all interfaces add:
> >
> > interface any psad
> > server any psad drop log "DROP"
> >
> > At the end of all routers add:
> >
> > router psad
> > server any psad drop log "DROP"
> >
> > These will overwrite the default DROP rules added by FireHOL.
> >
> > Costa
> >
> > On ???, 2003-12-26 at 22:58, Jerome BENOIT wrote:
> >
> >>Hello List,
> >>
> >>I have just written down my first FireHOL script:
> >>my first trouble comes from psad: it emails the message:
> >>
> >> ** The INPUT chain in the iptables ruleset on _CHANGEME_ includes a
> >> default LOG rule for all protocols, but the rule does not have a log
> >> prefix of "DROP". It appears as though the log prefix is set to
> >> "IN-unknown:". psad will not be able to detect scans without adding
> >> --log-prefix "DROP" to the rule.
> >>
> >>I have tried to put the following line in my script:
> >>
> >>FIREHOL_LOG_OPTIONS="--log-prefix \"DROP\""
> >>
> >>but I get an error message saying that iptables does not support
> >>the same option twice.
> >>
> >>Is there a clean way to satisfy psad?
> >>
> >>Thanks in advance,
> >>Jerome
> >>
> >>PS:
> >>Please CC your response to my email address
> >>as I am not a member of the list, thanks.
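A check for what Costa describes above, as an added example in POSIX shell (not code from the thread, from FireHOL or from psad): it reads iptables-save output and reports the prefix of the first LOG rule in each chain, which is the rule that fires because iptables stops at the first match; it assumes psad is satisfied by any prefix beginning with "DROP", and both rule sets are constructed samples.

```shell
#!/bin/sh
# Added example (not code from the thread, FireHOL or psad): read
# `iptables-save` style text and check what psad will see, namely the
# --log-prefix of the first LOG rule in each chain. iptables stops at the
# first matching rule, so a LOG rule placed before FireHOL's default
# "IN-unknown:" rule, as Costa suggests, is the one that produces the
# log lines psad parses.

# Constructed sample: the filter table after `server any psad drop log
# "DROP "` was added at the end of an interface. The "DROP " rule comes
# first; FireHOL's own "IN-unknown:" rule now sits behind it.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:in_internet - [0:0]
-A INPUT -i eth0 -j in_internet
-A in_internet -p tcp -m tcp --dport 22 -j ACCEPT
-A in_internet -m limit --limit 1/sec -j LOG --log-prefix "DROP " --log-level 7
-A in_internet -j DROP
-A in_internet -m limit --limit 1/sec -j LOG --log-prefix "IN-unknown:" --log-level 7
-A in_internet -j DROP
COMMIT'

# Constructed sample of the situation Jerome reported: only FireHOL's
# default prefix is present, so psad has nothing to match on.
UNFIXED_RULES='*filter
:INPUT DROP [0:0]
:in_internet - [0:0]
-A INPUT -i eth0 -j in_internet
-A in_internet -m limit --limit 1/sec -j LOG --log-prefix "IN-unknown:" --log-level 7
-A in_internet -j DROP
COMMIT'

# Print "<chain><TAB><prefix>" for every LOG rule on stdin, in rule order.
# The prefix is taken from the quoted --log-prefix argument; a LOG rule
# without one yields an empty prefix.
log_prefixes() {
    awk '
        /^-A / && / -j LOG/ {
            prefix = ""
            # "--log-prefix" plus a space and the opening quote is 14 chars
            if (match($0, /--log-prefix "[^"]*"/))
                prefix = substr($0, RSTART + 14, RLENGTH - 15)
            printf "%s\t%s\n", $2, prefix
        }'
}

# Exit 0 when every chain that logs does so, in its first LOG rule, with
# a prefix starting with "DROP" (the trailing space Costa mentions is
# accepted as well). Exit 1 if a chain's first LOG rule carries another
# prefix, or if no LOG rule exists at all.
psad_prefix_ok() {
    log_prefixes | awk -F '\t' '
        { n++ }
        !($1 in seen) { seen[$1] = 1; if ($2 !~ /^DROP/) bad = 1 }
        END { exit (bad || n == 0) ? 1 : 0 }'
}

# Demonstration on the constructed samples; run as `sh check.sh demo`.
if [ "${1-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_RULES" | log_prefixes
    printf '%s\n' "$SAMPLE_RULES" | psad_prefix_ok && echo "fixed ruleset: ok"
    printf '%s\n' "$UNFIXED_RULES" | psad_prefix_ok || echo "unfixed ruleset: psad will not see DROP"
fi
```

On a live box the same functions take `iptables-save` on stdin, so the check can be run before telling psad --no-fwcheck.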
From costa at tsaousis.gr Mon Dec 29 22:51:01 2003
From: costa at tsaousis.gr (Costa Tsaousis)
Date: Mon, 29 Dec 2003 23:51:01 +0200
Subject: [Firehol-support] Help needed for firehol.conf
In-Reply-To: <3FEB677B.3020001@planet.nl>
References: <3FEB677B.3020001@planet.nl>
Message-ID: <1072734660.27155.23.camel@nefeli.tsaousis.gr>

The fact that FireHOL logs the traffic as "OUT-unknown" means that the
traffic does not match any of the interfaces defined within
firehol.conf.

Could you please post the "interface ppp..." section of your
firehol.conf?

Costa

On ???, 2003-12-26 at 00:40, lingenavd wrote:
> Hi all,
>
> Could you help me out please.....
>
> I have set everything up as well as I can think of in firehol.conf, but
> the firewall blocks all my outgoing traffic. Even when ppp+ is
> configured for "client all accept"
> I am using ADSL with a speedtouch USB modem.
> When I stop the firewall, all works fine.
> The message in /var/log/messages is:
>
> Dec 25 23:24:33 specimen kernel: OUT-unknown:IN= OUT=ppp0 SRC=<address>
> DST=195.121.1.34 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=10148 DF
> PROTO=UDP SPT=32770 DPT=53 LEN=39
>
> this is after I ping a URL.
> So not even a DNS request is let through the firewall!!
>
> Please help.
>
> grtz,
> dre

From costa at tsaousis.gr Tue Dec 30 00:04:35 2003
From: costa at tsaousis.gr (Costa Tsaousis)
Date: Tue, 30 Dec 2003 01:04:35 +0200
Subject: [Firehol-support] PPPoE TCP MSS clamping / match
In-Reply-To: <87brqgltek.fsf@enki.rimspace.net>
References: <87brqgltek.fsf@enki.rimspace.net>
Message-ID: <1072739074.27148.33.camel@nefeli.tsaousis.gr>

Hi Daniel,

Is TCPMSS used only in filter/FORWARD?

I am asking because I have the following options and I don't know which
one to choose:

1. Make this a helper command, to be used at the top of the firewall
configuration, like dnat, snat, transparent_squid, etc. with the syntax
you suggest.

2. Make this an option for routers which will be used the same way the
"policy" subcommand is used in interfaces. This way there will be no
optional rule parameters, since the router parameters will be inherited.
Example:

router x inface a outface b src xx dst yy ...
	tcpmss pmtu
	server x accept
	...

3. Make this an optional rule parameter (like log, src, dst, etc) which
could be used anywhere, even in client/server subcommands.

Can you point me to some documentation about the possible uses of
TCPMSS?

Thanks

Costa

On ???, 2003-12-10 at 15:00, Daniel Pittman wrote:
> In order to use my ADSL connection, I need to clamp the MSS value on TCP
> connections to something slightly lower than a standard Ethernet value.
>
> Anyway, the "standard" way of achieving this for the in-kernel PPPoE
> driver is to issue the following iptables command:
>
> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
>   -j TCPMSS --clamp-mss-to-pmtu
>
> Now, I can obviously stick that in using the 'iptables' command, but
> that is a bit less selective than I will want to be in the near future.
>
> So, any chance of seeing an action to implement this? I would suggest:
>
> tcpmss ( 'pmtu' | )
>
> If the argument is 'pmtu', pass the '--clamp-mss-to-pmtu' option,
> otherwise pass '--set-mss '.
>
> Having it match on the 'router' statement, etc, would be ideal.
>
> That way I don't need to fiddle with the interface matching and so on
> when I have a PPPoE link and an 802.11 link heading out of the same box,
> and I need to clamp the MSS on only one of them.
>
> Daniel

From costa at tsaousis.gr Tue Dec 30 00:21:05 2003
From: costa at tsaousis.gr (Costa Tsaousis)
Date: Tue, 30 Dec 2003 01:21:05 +0200
Subject: [Firehol-support] howto block p2p in network
In-Reply-To: <004301c3c0ae$e494b7e0$fd00a8c0@moacyr>
References: <44509.10.0.0.193.1070486186.squirrel@nefeli.tsaousis.gr> <004301c3c0ae$e494b7e0$fd00a8c0@moacyr>
Message-ID: <1072740064.27148.51.camel@nefeli.tsaousis.gr>

I am afraid you will not be able to block all P2P applications. More
specifically, kazaa seems to adjust itself to the environment and even
use port 80 to communicate with the kazaa servers. This makes it almost
impossible to block kazaa (blocking port 80 blocks the web too).

I have done some searching on the net about this, and although I found
significantly varying responses to similar questions, I consider the
following as the best practices:

1. If you are trying to block P2P in a corporate environment, try to
enforce policies that will eliminate the problem. Not all problems are
solved with technical solutions, and generally speaking, people that
want their jobs tend to follow the policies set by higher management.

2. If you cannot control the policies, you can rate-limit (throttle)
kazaa to use too little bandwidth to be useful. Since kazaa first tries
the default kazaa ports and if it cannot connect with those, falls back
to alternatives, rate limiting the well known kazaa ports will allow you
to control it even if it appears to work. Keep in mind though that this
means you are willing to play a cat-and-mouse game as kazaa evolves...

If however none of the above is good for you, you can search the net for
various solutions applied and experiment to see the results. Personally,
I wouldn't suggest that - it will just be a waste of time.

Costa

On ???, 2003-12-12 at 14:53, Moacyr Leite da Silva wrote:
> Hi,
>
> Can someone help me block p2p in my network? I tried the config below
> with no luck.
>
> Regards
> Moacyr
>
> ####
> version 5
>
> server_kaaza_ports="tcp/3531"
> client_kaaza_ports="default"
>
> transparent_squid 8080 "squid root" inface eth1
>
> interface eth0 internet src not "${UNROUTABLE_IPS}"
>
> 	policy drop
> 	protection strong
> 	server ident reject with tcp-reset
>
> 	server http accept
> 	server https accept
> 	server dns accept
> 	server smtp accept
> 	server ssh accept
> 	server jabberd accept
> 	server jabber accept
> 	server kaaza deny
>
> 	client all accept
>
> interface eth1 lan
>
> 	policy accept
>
> 	server all accept
>
> 	client all accept
>
> router lan2internet inface eth1 outface eth0
> 	masquerade
> 	route kaaza deny
> 	route "http https ftp" accept
> 	route "ssh ntp ping" accept
> 	route "GRE AH ESP isakmp pptp" accept
> 	route "vnc irc msn" accept
>

From lingenavd at planet.nl Wed Dec 31 11:34:47 2003
From: lingenavd at planet.nl (lingenavd)
Date: Wed, 31 Dec 2003 11:34:47 +0100
Subject: [Firehol-support] Help needed for firehol.conf
References: <3FEB677B.3020001@planet.nl> <1072734660.27155.23.camel@nefeli.tsaousis.gr>
Message-ID: <3FF2A647.5090907@planet.nl>

Thank you for the hint ...... after some searching and trying with the
ppp interface setting in firehol.conf and ifconfig, I noticed that
firehol made the setting for ppp src another IP address..... in ifconfig
it corresponds with the P-t-P IP address.

I changed this (src address) in firehol.conf to "0.0.0.0/0" and then it
worked like a charm !! :)

Thanks for the reaction, I think it is a great firewall!!!

grtz,
Andre

Costa Tsaousis wrote:
>The fact that FireHOL logs the traffic as "OUT-unknown" means that the
>traffic does not match any of the interfaces defined within
>firehol.conf.
>
>Could you please post the "interface ppp..." section of your
>firehol.conf?
>
>Costa
>
>On ???, 2003-12-26 at 00:40, lingenavd wrote:
>
>>Hi all,
>>
>>Could you help me out please.....
>>
>>I have set everything up as well as I can think of in firehol.conf, but
>>the firewall blocks all my outgoing traffic. Even when ppp+ is
>>configured for "client all accept"
>>I am using ADSL with a speedtouch USB modem.
>>When I stop the firewall, all works fine.
>>The message in /var/log/messages is:
>>
>>Dec 25 23:24:33 specimen kernel: OUT-unknown:IN= OUT=ppp0 SRC=<address>
>>DST=195.121.1.34 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=10148 DF
>>PROTO=UDP SPT=32770 DPT=53 LEN=39
>>
>>this is after I ping a URL.
>>So not even a DNS request is let through the firewall!!
>>
>>Please help.
>>
>>grtz,
>>dre

From lazlor at bigboy.lotaris.org Mon Dec 1 17:19:03 2003
From: lazlor at bigboy.lotaris.org (Allen Smith)
Date: Mon, 1 Dec 2003 08:19:03 -0800
Subject: [Firehol-support] Ulog
In-Reply-To: <59991.10.0.0.193.1070255355.squirrel@nefeli.tsaousis.gr>
Message-ID: <000401c3b826$d6864e60$250a0a0a@it637>

The following worked for me under sarge/testing using the deb package of
firehol:

1) edit /etc/init.d/klogd and make KLOGD="-c 5 "
2) edit /lib/firehol/firehol and make FIREHOL_LOG_LEVEL="info"
3) restart firehol and klogd

> -----Original Message-----
> From: firehol-support-admin at lists.sourceforge.net
> [mailto:firehol-support-admin at lists.sourceforge.net] On
> Behalf Of Costa Tsaousis
> Sent: Sunday, November 30, 2003 9:09 PM
> To: Philippe Berini
> Cc: firehol-support at lists.sourceforge.net
> Subject: Re: [Firehol-support] Ulog
>
> > I know that this topic has been dealt with in the doc and in the
> > forum, but the suggested solutions don't work in Debian (or
> > at least I can't succeed to have them work).
>
> Strange. Is there someone on the list that has succeeded
> managing the iptables logs on debian to give us some light here?
>
> > But I prefer FireHOL, and I'll stick to it anyway ;-)
>
> Thanks.
>
> > # FireHOL [:] > server x ULOG
>
> In explain mode, first give an interface (I have the shortcut
> "in" to do this):
>
> # FireHOL [:] > in
>
> and then the server statement with a valid service:
>
> # FireHOL [:] > server smtp ULOG
>
> This works.
>
> > The problem is that I still have the LOG rules in iptables:
>
> Yes, since the iptables commands will simply add rules for
> this logging, they will not change the existing ones.
>
> Anyway, I have added the variable FIREHOL_LOG_MODE to control
> the method of logging. By default it is set to LOG. You can set
> it to ULOG to change all logging made by FireHOL (even with
> the log and loglimit rules) to use ULOG. Use the normal
> FIREHOL_LOG_OPTIONS variable to control other options of ULOG.
>
> Note that if set to ULOG, then FIREHOL_LOG_LEVEL and the
> level parameter to the log/loglimit rules are ignored (ULOG
> does not have a level).
>
> This has been added to v1.172 currently in the CVS. I have
> tested that LOG works as previously and that ULOG statements
> are produced correctly but I'll need your help to verify that
> ULOG is working properly.
>
> Costa

From philippe at berini.org Mon Dec 1 23:14:44 2003
From: philippe at berini.org (Philippe Berini)
Date: Mon, 1 Dec 2003 23:14:44 +0100
Subject: [Firehol-support] Ulog
In-Reply-To: <59991.10.0.0.193.1070255355.squirrel@nefeli.tsaousis.gr>
References: <20031129204023.GB19775@berini.org> <57437.10.0.0.193.1070144826.squirrel@nefeli.tsaousis.gr> <20031130110849.GB2965@berini.org> <59991.10.0.0.193.1070255355.squirrel@nefeli.tsaousis.gr>
Message-ID: <20031201221444.GD2012@berini.org>

* Costa Tsaousis [Mon 01 Dec 03 07:09]:
> This has been added to v1.172 currently in the CVS. I have tested that LOG
> works as previously and that ULOG statements are produced correctly but
> I'll need your help to verify that ULOG is working properly.

Thanks for all these explanations, I'm sure they will be useful later
on. I am very far from being a specialist (just able to run my Debian in
"normal" quasi newbie conditions) and am afraid I can't be of any help
with the CVS for the moment. I'm sure someone else on the list will help
you test this new functionality.

Thanks again, I'll keep you posted.
--
Philippe Berini

From philippe at berini.org Mon Dec 1 23:15:10 2003
From: philippe at berini.org (Philippe Berini)
Date: Mon, 1 Dec 2003 23:15:10 +0100
Subject: [Firehol-support] Ulog
In-Reply-To: <000401c3b826$d6864e60$250a0a0a@it637>
References: <59991.10.0.0.193.1070255355.squirrel@nefeli.tsaousis.gr> <000401c3b826$d6864e60$250a0a0a@it637>
Message-ID: <20031201221510.GE2012@berini.org>

* Allen Smith [Mon 01 Dec 03 08:19]:
> The following worked for me under sarge/testing using the deb package of
> firehol:
> 1) edit /etc/init.d/klogd and make KLOGD="-c 5 "
> 2) edit /lib/firehol/firehol and make FIREHOL_LOG_LEVEL="info"
> 3) restart firehol and klogd

I run Sarge with kernel 2.4.22, and it does not work. Too bad ;-\

Thanks anyway,

--
Philippe Berini

From james at hdcs.com.au Wed Dec 3 10:20:06 2003
From: james at hdcs.com.au (James Bean)
Date: Wed, 3 Dec 2003 19:20:06 +1000
Subject: [Firehol-support] Transparent Proxy help
Message-ID:

Hi,

What I am trying to accomplish is to deny access to the internet from
certain users and enable it for others, but the transparent proxy
doesn't seem to be working.

My firehol.conf is as follows:

--------------------------------------------
#
# $Id: client-all.conf,v 1.2 2002/12/31 15:44:34 ktsaou Exp $
#
# This configuration file will allow all requests originating from the
# local machine to be sent through all network interfaces.
#
# No requests are allowed to come from the network. The host will be
# completely stealthed! It will not respond to anything, and it will
# not be pingable, although it will be able to originate anything
# (even pings to other hosts).
#

# Require release 5 of FireHOL configuration directives
version 5

# Internal Network IP Address
lan_ips="192.168.69.0/24"
accepted_ips="`cat /etc/firehol/ips.txt | grep -v '^#'`"

# Transparent Proxy
transparent_squid 8080 "squid root" inface eth0 src "${lan_ips}"

# My LAN. Everything is allowed here.
interface eth0 lan src "${lan_ips}"
	server dns accept
	server squid accept
	server ssh accept
	server http accept
	server ftp accept
	server smtp accept
	server dhcp accept
	policy reject

interface eth1 internet src not "${lan_ips} ${UNROUTABLE_IPS}"
	protection strong 10/sec 10
	server ssh accept
	server http accept
	server ident reject with tcp-reset
	client all accept

router internet2lan inface eth1 outface eth0
	masquerade reverse
	client all accept src "${accepted_ips}"
	server ident reject with tcp-reset
-----------------------------------

ips.txt is as follows

192.168.69.1
192.168.69.5
192.168.69.69
192.168.69.205

But I need the other machines in the network to receive their dhcp from
the box; their IPs just won't be allowed at the router rule.

At the moment that seems to be working, except the transparent proxy
doesn't seem to be working correctly. If I do the rules manually with a
plain iptables set of rules it works no problems, so I seem to have
something wrong in the firehol configuration.

Any help would be very much appreciated.

J

From thomas at intevation.de Wed Dec 3 11:00:03 2003
From: thomas at intevation.de (Thomas Arendsen Hein)
Date: Wed, 3 Dec 2003 11:00:03 +0100
Subject: [Firehol-support] Multiple Ip Allows - Denigh rest of subnet
In-Reply-To: <60017.10.0.0.193.1070256048.squirrel@nefeli.tsaousis.gr>
References: <60017.10.0.0.193.1070256048.squirrel@nefeli.tsaousis.gr>
Message-ID: <20031203100003.GA20452@intevation.de>

On Mon, Dec 01, 2003 at 07:20:48AM +0200, Costa Tsaousis wrote:
> I don't think that BASH will accept this # as a comment.
> You can move this list to another file (say, /etc/firehol/ips.txt) and use
> this here:
>
> accepted_ips="`cat /etc/firehol/ips.txt | grep -v '^#'`"
>
> (copy and paste it, there are 3 kinds of quotes here)
> Then put this in /etc/firehol/ips.txt
>
> 192.168.2.96
> 192.168.2.42
> # 192.168.2.54
> 192.168.2.66
> 192.168.2.174
>
> Note that the # has to be the first character of line. If it is not, it
> will appear in your list. No other comments are allowed in this file.

This one doesn't require another file, isn't picky about spaces and
allows variables inside the list:

foo="this.host.example"
accepted_ips="`grep -v '^ *#' << EOF
192.168.2.96
192.168.2.42
# 192.168.2.54
$foo
192.168.2.66
192.168.2.174
EOF`"

Thomas

--
Email: thomas at intevation.de
http://intevation.de/~thomas/

From james at hdcs.com.au Wed Dec 3 11:28:46 2003
From: james at hdcs.com.au (James Bean)
Date: Wed, 3 Dec 2003 20:28:46 +1000
Subject: [Firehol-support] Port Forwarding Help
Message-ID:

Sorry to add so many requests for help, I only joined recently and
haven't gotten many posts from this list yet.

My problem is port forwarding; the dnat snat nat redirect system seems
very complicated when trying to do a simple port redirect.

The following is what I am having a problem with.

Internal LAN interface is eth0
External Internet interface is eth1

Ports for redirection: 6881 6882 .... 6889

I need to port forward from eth1 any incoming connections to the above
ports to 192.168.69.69

so incoming 6881 on eth1 should be forwarded to 192.168.69.69

Everything I have tried with dnat and snat doesn't seem to work.

Any suggestions on this matter would be very much appreciated.

I take it by the description any dnat snat nat redirect commands get put
at the end of the config, not under a router or interface heading?

J
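Building on Costa's ips.txt file and Thomas's heredoc in the "Multiple Ip Allows" thread above, an added example in POSIX shell (not code from the thread or from FireHOL) that strips comment lines the same way and then validates every surviving entry before it can reach a FireHOL src parameter; it assumes the list holds only IPv4 addresses or networks (a hostname such as Thomas's $foo is rejected by design), and both sample lists are constructed.

```shell
#!/bin/sh
# Added example (not code from the thread or from FireHOL): build the
# accepted_ips list the way Thomas's heredoc does, but validate every
# surviving token, so that an inline comment or a typo never ends up
# inside a FireHOL "src" parameter, where it would break the iptables
# command or silently match the wrong hosts.

# Constructed sample list in the format discussed in the thread. The
# indented comment is the case Thomas's '^ *#' pattern handles and
# Costa's '^#' does not.
SAMPLE_LIST='192.168.2.96
192.168.2.42
# 192.168.2.54
  # an indented comment, kept (wrongly) by grep -v "^#"
192.168.2.66
192.168.2.0/24'

# Constructed list with the two mistakes the thread warns about: a
# comment that is not at the start of the line, and a bad address.
BROKEN_LIST='192.168.2.96 # file server
192.168.2.300'

# Drop comment lines (with any leading whitespace) and blank lines.
# Reads the list on stdin, prints one surviving entry per line.
strip_comments() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d'
}

# Exit 0 when every line on stdin is an IPv4 address, optionally with a
# /prefix length; otherwise report each offending line on stderr and
# exit 1. Hostnames are deliberately rejected.
validate_ips() {
    awk '
        {
            ok = 1
            n = split($0, part, "/")
            if (n > 2 || (n == 2 && (part[2] !~ /^[0-9]+$/ || part[2] > 32)))
                ok = 0
            if (split(part[1], octet, ".") != 4)
                ok = 0
            else
                for (i = 1; i <= 4; i++)
                    if (octet[i] !~ /^[0-9]+$/ || octet[i] > 255)
                        ok = 0
            if (!ok) {
                print "rejected entry: " $0 > "/dev/stderr"
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Print the space-separated list FireHOL expects in src/dst parameters,
# or exit 1 without printing anything if any entry failed validation.
build_accepted_ips() {
    list=$(strip_comments)
    printf '%s\n' "$list" | validate_ips || return 1
    printf '%s\n' "$list" | tr '\n' ' ' | sed 's/ $//'
}

# Demonstration on the constructed samples; run as `sh ips.sh demo`.
if [ "${1-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LIST" | build_accepted_ips
    printf '%s\n' "$BROKEN_LIST" | build_accepted_ips || echo "list rejected, firewall not loaded"
fi
```

In firehol.conf the same idea is `accepted_ips="$(build_accepted_ips < /etc/firehol/ips.txt)" || exit 1`, so a bad list stops the run instead of producing a rule set that silently differs from the intent.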
URL: From costa at tsaousis.gr Wed Dec 3 21:50:19 2003 From: costa at tsaousis.gr (Costa Tsaousis) Date: Wed, 3 Dec 2003 22:50:19 +0200 (EET) Subject: [Firehol-support] Port Forwarding Help In-Reply-To: References: Message-ID: <44211.10.0.0.193.1070484619.squirrel@nefeli.tsaousis.gr> dnat to 192.168.69.69 inface eth1 dport "6881:6889" place this BEFORE any interface or router blocks. -- Costa Tsaousis > Sorry to add so many requests for help, I only joined recently and > haven't gotten many posts from this list yet. > > My problem is port forwarding, the dnat snat nat redirect system seems > very complicated when trying to do a simple port redirect. > > The following is what I am having a problem with. > > Internal Lan interface is eth0 > External Internet interface is eth1 > > Ports for redirection : 6881 6882 .... 6889 > > I need to port forward from eth1 any incoming connections to the above > ports to 192.168.69.69 > > so incoming 6881 to port eth1 should be forwarded to 192.168.69.69 > > Everything I have tried with dnat and snat doesn't seem to work. > > Any suggestions on this matter would be very much appreciated. > > I take it by the description any dnat snat nat redirect commands get put > at the end of the config not under a router or interface heading? > > J > From costa at tsaousis.gr Wed Dec 3 22:16:26 2003 From: costa at tsaousis.gr (Costa Tsaousis) Date: Wed, 3 Dec 2003 23:16:26 +0200 (EET) Subject: [Firehol-support] Transparent Proxy help In-Reply-To: References: Message-ID: <44509.10.0.0.193.1070486186.squirrel@nefeli.tsaousis.gr> I guess that when you say that the trasparent proxy is not working, you mean that it allows web browsing from the unroutable IPs. If this is the problem, then change the transparent_squid statement to this: transparent_squid 8080 "squid root" inface eth0 src "${accepted_ips}" This is because, a proxy is not ROUTING the packets, it re-plays them at the other side of your firewall. 
If your transparent squid does not work at all, please check the squid logs and verify that it gets the requests from the clients. If it gets the requests, then check your squid configuration. If it does get the requests but it complains that it cannot connect to remote hosts, first check this: transparent_squid 8080 "" inface eth0 src "${accepted_ips}" this will disable proxied browsing from the firewall itself (with a browser on the linux host). If that works, check the user under which squid is running and make sure it is included in the first command line above. Costa PS: Your eth0 interface does not state any clients. This means that you will not even be able to ping the other hosts from the linux firewall. Is that what you want? > Hi, > > What I am trying to accomplish is to denigh access to the internet from > certain users and enable for others, but the transparent proxy doesn't > seem to be working. > > My firehol.conf is as follows: > > -------------------------------------------- > # > # $Id: client-all.conf,v 1.2 2002/12/31 15:44:34 ktsaou Exp $ > # > # This configuration file will allow all requests originating from the > # local machine to be send through all network interfaces. > # > # No requests are allowed to come from the network. The host will be > # completely stealthed! It will not respond to anything, and it will > # not be pingable, although it will be able to originate anything > # (even pings to other hosts). > # > > # Require release 5 of FireHOL configuration directives > version 5 > > # Internal Network IP Address > lan_ips="192.168.69.0/24" > accepted_ips="`cat /etc/firehol/ips.txt | grep -v '^#'`" > > # Transparent Proxy > transparent_squid 8080 "squid root" inface eth0 src "${lan_ips}" > > # My LAN. Everything is allowed here. 
> interface eth0 lan src "${lan_ips}" > server dns accept > server squid accept > server ssh accept > server http accept > server ftp accept > server smtp accept > server dhcp accept > policy reject > > interface eth1 internet src not "${lan_ips} ${UNROUTABLE_IPS}" > protection strong 10/sec 10 > server ssh accept > server http accept > server ident reject with tcp-reset > client all accept > > router internet2lan inface eth1 outface eth0 > masquerade reverse > client all accept src "${accepted_ips}" > server ident reject with tcp-reset > ----------------------------------- > > ips.txt is as follows > > 192.168.69.1 > 192.168.69.5 > 192.168.69.69 > 192.168.69.205 > > But I need the other machines in the network to receive there dhcp from > the box, there IP just won't be allowed at the router rule. > > At the moment that seems to be working, except the transparent proxy > doesn't seem to be working corrently, if I do the rules manually with a > plain iptables set of rules it works no problems, I seem to have > something wrong in the firehol configuration. > > Any help would be very much appreciated. > > J > From bock+firehol at blacknet.de Thu Dec 4 15:07:06 2003 From: bock+firehol at blacknet.de (Goetz Bock) Date: Thu, 4 Dec 2003 15:07:06 +0100 Subject: [Firehol-support] Port Forwarding Help In-Reply-To: <44211.10.0.0.193.1070484619.squirrel@nefeli.tsaousis.gr> References: <44211.10.0.0.193.1070484619.squirrel@nefeli.tsaousis.gr> Message-ID: <20031204140706.GC20753@shell.blacknet.de> On Wed, Dec 03 '03 at 22:50, Costa Tsaousis wrote: > dnat to 192.168.69.69 inface eth1 dport "6881:6889" As James is tring to run bittorrent behind his nat/firewall this will not work as ecpexted. He has to add 9 rules: one for each port from 6881 to 6889. 
--
Goetz Bock          (c) 2003 as blacknet.de - Munich - Germany      /"\
IT Consultant          GNU FDL 1.1  secure mobile Linux everNETting  \ /
                                                                      X   ASCII Ribbon Campaign
                                                                     / \  against HTML email & microsoft attachments

From daniel at rimspace.net Wed Dec 10 14:00:19 2003
From: daniel at rimspace.net (Daniel Pittman)
Date: Thu, 11 Dec 2003 00:00:19 +1100
Subject: [Firehol-support] PPPoE TCP MSS clamping / match
Message-ID: <87brqgltek.fsf@enki.rimspace.net>

In order to use my ADSL connection, I need to clamp the MSS value on TCP
connections to something slightly lower than a standard Ethernet value.

Anyway, the "standard" way of achieving this for the in-kernel PPPoE
driver is to issue the following iptables command:

    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu

Now, I can obviously stick that in using the 'iptables' command, but
that is a bit less selective than I will want to be in the near future.

So, any chance of seeing an action to implement this? I would suggest:

    tcpmss ( 'pmtu' | )

If the argument is 'pmtu', pass the '--clamp-mss-to-pmtu' option,
otherwise pass '--set-mss '.

Having it match on the 'router' statement, etc, would be ideal.

That way I don't need to fiddle with the interface matching and so on
when I have a PPPoE link and an 802.11 link heading out of the same box,
and I need to clamp the MSS on only one of them.

Daniel
--
Reality is not as strong as perception. Perception all too often
swallows reality and spits it out in a new, unrecognizable form.
    -- Maytee Aspuro

From moacyrs at akadnyx.com.br Fri Dec 12 13:53:08 2003
From: moacyrs at akadnyx.com.br (Moacyr Leite da Silva)
Date: Fri, 12 Dec 2003 10:53:08 -0200
Subject: [Firehol-support] howto block p2p in network
References: <44509.10.0.0.193.1070486186.squirrel@nefeli.tsaousis.gr>
Message-ID: <004301c3c0ae$e494b7e0$fd00a8c0@moacyr>

Hi,

Can someone help to block p2p in my network? I tried the config below
with no luck.

Regards
Moacyr

####
version 5

server_kaaza_ports="tcp/3531"
client_kaaza_ports="default"

transparent_squid 8080 "squid root" inface eth1

interface eth0 internet src not "${UNROUTABLE_IPS}"
    policy drop
    protection strong
    server ident reject with tcp-reset

    server http accept
    server https accept
    server dns accept
    server smtp accept
    server ssh accept
    server jabberd accept
    server jabber accept
    server kaaza deny

    client all accept

interface eth1 lan
    policy accept
    server all accept
    client all accept

router lan2internet inface eth1 outface eth0
    masquerade
    route kaaza deny
    route "http https ftp" accept
    route "ssh ntp ping" accept
    route "GRE AH ESP isakmp pptp" accept
    route "vnc irc msn" accept

From andre.marenke at awc.net.au Mon Dec 15 07:17:19 2003
From: andre.marenke at awc.net.au (Andre Marenke)
Date: Mon, 15 Dec 2003 17:17:19 +1100
Subject: [Firehol-support] Extending complex service FTP
Message-ID: <1071469039.2790.647.camel@andre>

Hello,

I am currently trying to extend/recreate the FTP service definitions. I
have a router R and two machines M1 and M2 behind the router.

I have http running on M1 and ftp on M2. My ftp server is set up to
listen on ports 2500:2520 (one port for each virtual ftp domain).

2 Questions:

1) With the setup I have below it is not possible to do passive FTP to
the FTP server and my definition is too simple to allow for conntrack to
work. Is it possible to modify the existing FTP server definition in an
easy way to gain full FTP functionality with different ports?

2) I have only set up one router and was wondering what the best/most
elegant solution is to split traffic up depending on the type of
traffic? Define multiple routers with destination ip addresses set for
each service or one router with the service destination IP addresses
set?

Thanks for a great product btw!
My setup is like this:

interface eth0 internet
    policy DROP
    protection strong
    client ssh accept

interface eth1 dmz
    policy REJECT
    protection strong
    server squid accept
    server ssh accept
    client ssh accept

router net2dmz inface eth0 outface eth1
    route http accept
    route custom ftpserver tcp/2500:2520 default accept

router dmz2net inface eth1 outface eth0
    route all accept

From costa at tsaousis.gr Tue Dec 16 23:12:29 2003
From: costa at tsaousis.gr (Costa Tsaousis)
Date: Wed, 17 Dec 2003 00:12:29 +0200
Subject: [Firehol-support] Extending complex service FTP
In-Reply-To: <1071469039.2790.647.camel@andre>
References: <1071469039.2790.647.camel@andre>
Message-ID: <1071612749.5072.157.camel@nefeli.tsaousis.gr>

Hi Andre,

> I am currently trying to extend/recreate the FTP service definitions. I
> have a router R and two machines M1 and M2 behind the router.
>
> I have http running on M1 and ftp on M2. My ftp server is set up to
> listen on ports 2500:2520 (one port for each virtual ftp domain).
>
> 2 Questions:
> 1) With the setup I have below it is not possible to do passive FTP to
> the FTP server and my definition is too simple to allow for conntrack to
> work. Is it possible to modify the existing FTP server definition in an
> easy way to gain full FTP functionality with different ports?

The FTP service needs an FTP conntrack module, which allows the random
socket connection made for the data transfer by the FTP server/client
to be matched as RELATED to the initial request. I don't think that this
module will understand ports 2500:2520 as FTP requests, and therefore it
will not allow either active or passive data connections RELATED to
these ports.

I think it would be better to have either multiple IPs on your machine
and bind one FTP server to each IP, or use an FTP server with virtual
domains support (if I remember correctly, ProFTPd is one of those). If
you use either of these two methods, FireHOL's FTP service will operate
as expected.

If however you cannot use any of the above, I suggest using this for a
safe Active FTP server (ONLY ACTIVE FTP AND ONLY SERVER):

---
# Custom FTP Server Control socket
server_myftpc_ports="tcp/2500:2520"
client_myftpc_ports="default"

# Custom FTP server Data socket
server_myftpd_ports="tcp/1024:65535"
client_myftpd_ports="default"

interface ...
    # Our custom FTP server
    server myftpc accept
    client myftpd accept
---

DO NOT REVERSE server/client FOR AN FTP CLIENT OF THIS FTP VARIATION. IT
WILL BE A HUGE SECURITY HOLE.

> 2) I have only set up one router and was wondering what the best/most
> elegant solution is to split traffic up depending on the type of
> traffic? Define multiple routers with destination ip addresses set for
> each service or one router with the service destination IP addresses
> set?

I like to think with the concept of "zones". A "zone" (for me) is a
subnet of machines that are related to each other, and which I am
willing to protect.

Normally you are going to face a situation similar to this:

Servers A, B, C on subnet S1 form ZONE1, connected on interface I1
Servers D, E, F on subnet S2 form ZONE2, connected on interface I2
Then there is the Internet (of course), on interface I3

I1 and I2 might be the same, but not necessarily.

Here is what I do:

# Internet - to - Zone1 (and vice versa)
router i2z1 inface I3 outface I1 src not "${UNROUTABLE_IPS}" dst S1
    server x accept dst A
    server y accept dst B
    server z accept dst C
    ...
    client x1 accept src A
    client y1 accept src B
    client z1 accept src C
    ...

# Internet - to - Zone2 (and vice versa)
router i2z2 inface I3 outface I2 src not "${UNROUTABLE_IPS}" dst S2
    server x accept dst D
    server y accept dst E
    server z accept dst F
    ...
    client x1 accept src D
    client y1 accept src E
    client z1 accept src F
    ...

In the above, INPUT (inface/src) is the Internet and OUTPUT (outface/dst)
is the zone to be protected. Given that, I then "think" of all the rules
as if I were the machine(s) protected from the Internet (i.e. the same
concept as with the interface rules).

Then, if there is need for routing traffic between the zones, I prefer
to do this (for clarity, since both sides are to be protected from each
other):

# Zone 1 to Zone 2
router Z1toZ2 inface I1 outface I2 src S1 dst S2
    route x accept src A dst D
    route y accept src B dst E
    ...

# Zone 2 to Zone 1
router Z2toZ1 inface I2 outface I1 src S2 dst S1
    route x accept src D dst A
    route y accept src E dst B
    ...

These are unidirectional routers (in concept) and state very clearly
what can be requested by clients running on the INPUT, from servers
running on the OUTPUT. Remember that inface/outface/src/dst match the
REQUEST, not the REPLY.

Costa

From bock at blacknet.de Tue Dec 16 23:38:53 2003
From: bock at blacknet.de (Goetz Bock)
Date: Tue, 16 Dec 2003 23:38:53 +0100
Subject: [Firehol-support] Extending complex service FTP
In-Reply-To: <1071612749.5072.157.camel@nefeli.tsaousis.gr>
References: <1071469039.2790.647.camel@andre> <1071612749.5072.157.camel@nefeli.tsaousis.gr>
Message-ID: <20031216223852.GJ440@shell.blacknet.de>

On Wed, Dec 17 '03 at 00:12, Costa Tsaousis wrote:
> > I have http running on M1 and ftp on M2. My ftp server is set up to
> > listen on ports 2500:2520 (one port for each virtual ftp domain).
>
> The FTP service needs an FTP conntrack module, which allows the random
> socket connection made for the data transfer by the FTP server/client,
> to be matched as RELATED to the initial request. I don't think that this
> module will understand ports 2500:2520 as FTP requests, and therefore it
> will not allow either active or passive data connections RELATED to
> these ports.

Actually it can be made to:

user@box ~$ modinfo /lib/modules/2.4.23/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
filename:    /lib/modules/2.4.23/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
description:
author:
license:     "GPL"
parm:        ports int array (min = 1, max = 8)
parm:        loose int
user@box ~$

so it looks like you can specify up to 8 ports where the module will try
to conntrack ftp connections. By default 21 will be used.

(You can only get 8 ports, as you can only load the module once)

--
Goetz Bock          (c) 2003 as blacknet.de - Munich - Germany      /"\
IT Consultant          GNU FDL 1.1  secure mobile Linux everNETting  \ /
                                                                      X   ASCII Ribbon Campaign
                                                                     / \  against HTML email & microsoft attachments

From lingenavd at planet.nl Thu Dec 25 23:40:59 2003
From: lingenavd at planet.nl (lingenavd)
Date: Thu, 25 Dec 2003 23:40:59 +0100
Subject: [Firehol-support] Help needed for firehol.conf
Message-ID: <3FEB677B.3020001@planet.nl>

Hi all,

Could you help me out please.....

I have all set as good as I can think in firehol.conf, but the firewall
blocks all my outgoing traffic. Even when ppp+ is configured for
"client all accept"
I am using ADSL with a speedtouch USB modem.
When I stop the firewall, all works fine.
The message in the /var/log/messages is:

Dec 25 23:24:33 specimen kernel: OUT-unknown:IN= OUT=ppp0 SRC=<ip address> DST=195.121.1.34 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=10148 DF PROTO=UDP SPT=32770 DPT=53 LEN=39

this is after I ping a URL.
So not even a DNS request is let through the firewall!!

Please help.
grtz,
dre

From jgmbenoit at wanadoo.fr Fri Dec 26 21:58:36 2003
From: jgmbenoit at wanadoo.fr (Jerome BENOIT)
Date: Fri, 26 Dec 2003 22:58:36 +0200
Subject: [Firehol-support] psad and firehol
Message-ID: <3FECA0FC.9020008@wanadoo.fr>

Hello List,

I have just written down my first FireHOL script:
my first trouble comes from psad: it emails the message:

  ** The INPUT chain in the iptables ruleset on _CHANGEME_ includes a
  default LOG rule for all protocols, but the rule does not have a log
  prefix of "DROP". It appears as though the log prefix is set to
  "IN-unknown:". psad will not be able to detect scans without adding
  --log-prefix "DROP" to the rule.

I have tried to put the following line in my script:

    FIREHOL_LOG_OPTIONS="--log-prefix \"DROP\""

but I get an error message saying that iptables does not support the
same option twice.

Is there a clean way to satisfy psad?

Thanks in advance,
Jerome

PS:
Please CC your response to my email address
as I am not a member of the list, thanks.

From costa at tsaousis.gr Mon Dec 29 09:11:03 2003
From: costa at tsaousis.gr (Costa Tsaousis)
Date: Mon, 29 Dec 2003 10:11:03 +0200
Subject: [Firehol-support] psad and firehol
In-Reply-To: <3FECA0FC.9020008@wanadoo.fr>
References: <3FECA0FC.9020008@wanadoo.fr>
Message-ID: <1072685463.27151.7.camel@nefeli.tsaousis.gr>

At the end of each interface add:

    server any psad drop log "DROP"

At the end of all interfaces add:

    interface any psad
        server any psad drop log "DROP"

At the end of all routers add:

    router psad
        server any psad drop log "DROP"

These will overwrite the default DROP rules added by FireHOL.

Costa

From jgmbenoit at wanadoo.fr Mon Dec 29 20:24:09 2003
From: jgmbenoit at wanadoo.fr (Jerome BENOIT)
Date: Mon, 29 Dec 2003 21:24:09 +0200
Subject: [Firehol-support] psad and firehol
References: <3FECA0FC.9020008@wanadoo.fr> <1072685463.27151.7.camel@nefeli.tsaousis.gr>
Message-ID: <3FF07F59.60807@wanadoo.fr>

Thanks for your reply:
I have just tried it,
and unfortunately I get the same email message from
psad.

Jerome

From costa at tsaousis.gr Mon Dec 29 22:48:10 2003
From: costa at tsaousis.gr (Costa Tsaousis)
Date: Mon, 29 Dec 2003 23:48:10 +0200
Subject: [Firehol-support] psad and firehol
In-Reply-To: <3FF07F59.60807@wanadoo.fr>
References: <3FECA0FC.9020008@wanadoo.fr> <1072685463.27151.7.camel@nefeli.tsaousis.gr> <3FF07F59.60807@wanadoo.fr>
Message-ID: <1072734490.27157.20.camel@nefeli.tsaousis.gr>

This is normal since the default rules have not been removed. The rules
I sent you "overwrite" the defaults because they appear just before
them. This means that although psad complains, it should work as
expected now. Does it?

Note: I noticed in the psad documentation that it might require a space
after the log prefix. Please replace "DROP" in the rules I sent you with
"DROP ". Run a check to see if the rules I sent you allow psad to work
as expected, and if they do just add --no-fwcheck to psad to prevent the
psad alarm about the possibility of a misconfigured firewall from being
sent to you.

Costa
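Added example, not from the list or from FireHOL itself: a small POSIX shell script that parses kernel log lines of the kind posted in the "Help needed for firehol.conf" thread (the OUT-unknown line) and checks the log prefix that psad keys on, as discussed in this thread. The sample lines, the SRC/DST addresses in them and all function names are constructed for the example.

```shell
#!/bin/sh
# Parse iptables LOG lines as FireHOL emits them (syslog header, then the
# --log-prefix text, then KEY=value fields starting at "IN=") and check the
# prefix against what psad expects ("DROP" or "DROP ").

# Constructed sample lines. The first mirrors the OUT-unknown line from the
# thread (with a made-up SRC), the second is what a rule with log "DROP "
# produces, the third is an IN-unknown line for an unmatched interface.
SAMPLE_OUT_UNKNOWN='Dec 25 23:24:33 specimen kernel: OUT-unknown:IN= OUT=ppp0 SRC=192.0.2.10 DST=195.121.1.34 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=10148 DF PROTO=UDP SPT=32770 DPT=53 LEN=39'
SAMPLE_DROP='Dec 29 10:11:03 specimen kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=4711 PROTO=TCP SPT=54321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'
SAMPLE_IN_UNKNOWN='Dec 29 10:12:00 specimen kernel: IN-unknown:IN=eth1 OUT= SRC=192.168.69.5 DST=192.168.69.1 LEN=328 TOS=0x10 PREC=0x00 TTL=128 ID=1 PROTO=UDP SPT=68 DPT=67 LEN=308'

# log_prefix LINE: the text between "kernel: " and the first "IN=", i.e.
# exactly the --log-prefix string, trailing space included if there is one.
log_prefix() {
    printf '%s\n' "$1" | sed -n 's/^.*kernel: //; s/IN=.*$//p'
}

# log_field LINE KEY: value of the first KEY=value token after the prefix.
# Empty when the key has no value (IN= on locally generated packets).
# LEN appears twice on UDP lines; the first is the IP total length.
log_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        s = substr($0, index($0, "IN="))      # skip syslog header and prefix
        n = split(s, f, " ")
        for (i = 1; i <= n; i++)
            if (index(f[i], key "=") == 1) { print substr(f[i], length(key) + 2); exit }
    }'
}

# psad_prefix_ok LINE: succeed only when the prefix starts with DROP, which
# is what psad looks for; "IN-unknown:" (the prefix psad complained about in
# the thread) fails.
psad_prefix_ok() {
    case "$(log_prefix "$1")" in
        DROP*) return 0 ;;
        *)     return 1 ;;
    esac
}

# firehol_diagnosis LINE: one-line reading of the entry. IN-unknown and
# OUT-unknown are FireHOL's catch-all for packets that matched no interface
# definition, so the thing to check is the interface's inface/src settings;
# a DROP-prefixed line is a deliberate drop that psad can see.
firehol_diagnosis() {
    _p=$(log_prefix "$1")
    _in=$(log_field "$1" IN)
    _out=$(log_field "$1" OUT)
    case "$_p" in
        IN-unknown:*)  printf 'incoming on %s matched no interface definition\n' "${_in:-unknown}" ;;
        OUT-unknown:*) printf 'outgoing on %s matched no interface definition\n' "${_out:-unknown}" ;;
        DROP*)         printf 'dropped by rule (psad-visible) proto=%s dpt=%s\n' \
                           "$(log_field "$1" PROTO)" "$(log_field "$1" DPT)" ;;
        *)             printf 'unknown prefix "%s"\n' "$_p" ;;
    esac
}

# prefix_counts: read log lines on stdin and print "count prefix", most
# frequent first, to see how much traffic lands in the unknown-interface
# catch-all versus real DROP rules.
prefix_counts() {
    while IFS= read -r line; do log_prefix "$line"; done | sort | uniq -c | sort -rn
}

# Stand-alone run: diagnose the three constructed samples.
for l in "$SAMPLE_OUT_UNKNOWN" "$SAMPLE_DROP" "$SAMPLE_IN_UNKNOWN"; do
    firehol_diagnosis "$l"
done
```

Feed real entries with something like `grep 'kernel:' /var/log/messages | prefix_counts` once the functions are sourced.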
From costa at tsaousis.gr Mon Dec 29 22:51:01 2003
From: costa at tsaousis.gr (Costa Tsaousis)
Date: Mon, 29 Dec 2003 23:51:01 +0200
Subject: [Firehol-support] Help needed for firehol.conf
In-Reply-To: <3FEB677B.3020001@planet.nl>
References: <3FEB677B.3020001@planet.nl>
Message-ID: <1072734660.27155.23.camel@nefeli.tsaousis.gr>

The fact that FireHOL logs the traffic as "OUT-unknown" means that the
traffic does not match any of the interfaces defined within
firehol.conf.

Could you please post the "interface ppp..." section of your
firehol.conf?

Costa

From costa at tsaousis.gr Tue Dec 30 00:04:35 2003
From: costa at tsaousis.gr (Costa Tsaousis)
Date: Tue, 30 Dec 2003 01:04:35 +0200
Subject: [Firehol-support] PPPoE TCP MSS clamping / match
In-Reply-To: <87brqgltek.fsf@enki.rimspace.net>
References: <87brqgltek.fsf@enki.rimspace.net>
Message-ID: <1072739074.27148.33.camel@nefeli.tsaousis.gr>

Hi Daniel,

TCPMSS is used only in filter/FORWARD? I am asking because I have the
following options and I don't know which one to choose:

1. Make this a helper command, to be used at the top of the firewall
   configuration, like dnat, snat, transparent_squid, etc. with the
   syntax you suggest.

2. Make this an option for routers which will be used the same way the
   "policy" subcommand is used in interfaces. This way there will be no
   optional rule parameters, since the router parameters will be
   inherited. Example:

   router x inface a outface b src xx dst yy ...
       tcpmss pmtu
       server x accept
       ...

3. Make this an optional rule parameter (like log, src, dst, etc) which
   could be used anywhere, even in client/server subcommands.

Can you point me to some documentation about the possible uses of
TCPMSS?

Thanks

Costa
From costa at tsaousis.gr Tue Dec 30 00:21:05 2003
From: costa at tsaousis.gr (Costa Tsaousis)
Date: Tue, 30 Dec 2003 01:21:05 +0200
Subject: [Firehol-support] howto block p2p in network
In-Reply-To: <004301c3c0ae$e494b7e0$fd00a8c0@moacyr>
References: <44509.10.0.0.193.1070486186.squirrel@nefeli.tsaousis.gr> <004301c3c0ae$e494b7e0$fd00a8c0@moacyr>
Message-ID: <1072740064.27148.51.camel@nefeli.tsaousis.gr>

I am afraid you will not be able to block all P2P applications. More
specifically, kazaa seems to adjust itself to the environment and even
use port 80 to communicate with the kazaa servers. This makes it almost
impossible to block kazaa (blocking port 80 blocks the web too).

I have done some searching on the net about this, and although I found
significantly varying responses to similar questions, I consider the
following as the best practices:

1. If you are trying to block P2P in a corporate environment, try to
   enforce policies that will eliminate the problem. Not all problems
   are solved with technical solutions, and generally speaking, people
   that want their jobs tend to follow the policies set by higher
   management.

2. If you cannot control the policies, you can rate-limit (throttle)
   kazaa to use too little bandwidth to be useful. Since kazaa first
   tries the default kazaa ports and if it cannot connect with those,
   falls back to alternatives, rate limiting the well known kazaa ports
   will allow you to control it even if it appears to work. Keep in mind
   though that this means you are willing to play a cat-and-mouse game as
   kazaa evolves...

If however none of the above is good for you, you can search the net
for various solutions applied and experiment to see the results.
Personally, I wouldn't suggest that - it will just be a waste of time.

Costa

From lingenavd at planet.nl Wed Dec 31 11:34:47 2003
From: lingenavd at planet.nl (lingenavd)
Date: Wed, 31 Dec 2003 11:34:47 +0100
Subject: [Firehol-support] Help needed for firehol.conf
References: <3FEB677B.3020001@planet.nl> <1072734660.27155.23.camel@nefeli.tsaousis.gr>
Message-ID: <3FF2A647.5090907@planet.nl>

Thank you for the hint ......

after some searching and trying with the ppp interface setting in
firehol.conf and ifconfig, I noticed that firehol made the setting for
ppp src another IP address.....in ifconfig it is corresponding with the
P-t-P IP address.

I changed this (src address) in the firehol.conf to "0.0.0.0/0" and then
it worked like a charm !! :)

Thanks for the reaction, I think it is a great firewall!!!

grtz,
Andre
From lazlor at bigboy.lotaris.org Mon Dec 1 16:19:03 2003
From: lazlor at bigboy.lotaris.org (Allen Smith)
Date: Mon, 1 Dec 2003 08:19:03 -0800
Subject: [Firehol-support] Ulog
In-Reply-To: <59991.10.0.0.193.1070255355.squirrel@nefeli.tsaousis.gr>
Message-ID: <000401c3b826$d6864e60$250a0a0a@it637>

The following worked for me under sarge/testing using the deb package of
firehol:

1) edit /etc/init.d/klogd and make KLOGD="-c 5 "
2) edit /lib/firehol/firehol and make FIREHOL_LOG_LEVEL="info"
3) restart firehol and klogd
From philippe at berini.org Mon Dec 1 22:14:44 2003
From: philippe at berini.org (Philippe Berini)
Date: Mon, 1 Dec 2003 23:14:44 +0100
Subject: [Firehol-support] Ulog
In-Reply-To: <59991.10.0.0.193.1070255355.squirrel@nefeli.tsaousis.gr>
References: <20031129204023.GB19775@berini.org> <57437.10.0.0.193.1070144826.squirrel@nefeli.tsaousis.gr> <20031130110849.GB2965@berini.org> <59991.10.0.0.193.1070255355.squirrel@nefeli.tsaousis.gr>
Message-ID: <20031201221444.GD2012@berini.org>

* Costa Tsaousis [Mon 01 Dec 03 07:09]:
> This has been added to v1.172 currently in the CVS. I have tested that LOG
> works as previously and that ULOG statements are produced correctly but
> I'll need your help to verify that ULOG is working properly.

Thanks for all these explanations, I'm sure they will be useful later
on. I am very far from being a specialist (just able to run my Debian in
"normal" quasi newbie conditions) and am afraid I can't be of any help
with the CVS for the moment.

I'm sure someone else on the list will help you test this new
functionality.

Thanks again, I'll keep posted.
-- Philippe Berini From philippe at berini.org Mon Dec 1 22:15:10 2003 From: philippe at berini.org (Philippe Berini) Date: Mon, 1 Dec 2003 23:15:10 +0100 Subject: [Firehol-support] Ulog In-Reply-To: <000401c3b826$d6864e60$250a0a0a@it637> References: <59991.10.0.0.193.1070255355.squirrel@nefeli.tsaousis.gr> <000401c3b826$d6864e60$250a0a0a@it637> Message-ID: <20031201221510.GE2012@berini.org> * Allen Smith [Mon 01 Dec 03 08:19]: > The following worked for me under sarge/testing using the deb package of > firehol: > 1) edit /etc/init.d/klogd and make KLOGD="-c 5 " > 2) edit /lib/firehol/firehol and make FIREHOL_LOG_LEVEL="info" > 3) restart firehol and klogd I run Sarge with kernel 2.4.22, and it does not work. Too bad ;-\ Thanks anyway, -- Philippe Berini From james at hdcs.com.au Wed Dec 3 09:20:06 2003 From: james at hdcs.com.au (James Bean) Date: Wed, 3 Dec 2003 19:20:06 +1000 Subject: [Firehol-support] Transparent Proxy help Message-ID: Hi, What I am trying to accomplish is to denigh access to the internet from certain users and enable for others, but the transparent proxy doesn't seem to be working. My firehol.conf is as follows: -------------------------------------------- # # $Id: client-all.conf,v 1.2 2002/12/31 15:44:34 ktsaou Exp $ # # This configuration file will allow all requests originating from the # local machine to be send through all network interfaces. # # No requests are allowed to come from the network. The host will be # completely stealthed! It will not respond to anything, and it will # not be pingable, although it will be able to originate anything # (even pings to other hosts). # # Require release 5 of FireHOL configuration directives version 5 # Internal Network IP Address lan_ips="192.168.69.0/24" accepted_ips="`cat /etc/firehol/ips.txt | grep -v '^#'`" # Transparent Proxy transparent_squid 8080 "squid root" inface eth0 src "${lan_ips}" # My LAN. Everything is allowed here. 
interface eth0 lan src "${lan_ips}"
    server dns accept
    server squid accept
    server ssh accept
    server http accept
    server ftp accept
    server smtp accept
    server dhcp accept
    policy reject

interface eth1 internet src not "${lan_ips} ${UNROUTABLE_IPS}"
    protection strong 10/sec 10
    server ssh accept
    server http accept
    server ident reject with tcp-reset
    client all accept

router internet2lan inface eth1 outface eth0
    masquerade reverse
    client all accept src "${accepted_ips}"
    server ident reject with tcp-reset
-----------------------------------

ips.txt is as follows

192.168.69.1
192.168.69.5
192.168.69.69
192.168.69.205

But I need the other machines in the network to receive their dhcp from the
box, their IP just won't be allowed at the router rule.

At the moment that seems to be working, except the transparent proxy doesn't
seem to be working correctly, if I do the rules manually with a plain iptables
set of rules it works no problems, I seem to have something wrong in the
firehol configuration.

Any help would be very much appreciated.

J

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From thomas at intevation.de Wed Dec 3 10:00:03 2003
From: thomas at intevation.de (Thomas Arendsen Hein)
Date: Wed, 3 Dec 2003 11:00:03 +0100
Subject: [Firehol-support] Multiple Ip Allows - Denigh rest of subnet
In-Reply-To: <60017.10.0.0.193.1070256048.squirrel@nefeli.tsaousis.gr>
References: <60017.10.0.0.193.1070256048.squirrel@nefeli.tsaousis.gr>
Message-ID: <20031203100003.GA20452@intevation.de>

On Mon, Dec 01, 2003 at 07:20:48AM +0200, Costa Tsaousis wrote:
> I don't think that BASH will accept this # as a comment.
> You can move this list to another file (say, /etc/firehol/ips.txt) and use
> this here:
>
> accepted_ips="`cat /etc/firehol/ips.txt | grep -v '^#'`"
>
> (copy and paste it, there are 3 kinds of quotes here)
> Then put this in /etc/firehol/ips.txt
>
> 192.168.2.96
> 192.168.2.42
> # 192.168.2.54
> 192.168.2.66
> 192.168.2.174
>
> Note that the # has to be the first character of line. If it is not, it
> will appear in your list. No other comments are allowed in this file.

This one doesn't require another file, isn't picky about spaces and allows
variables inside the list:

foo="this.host.example"
accepted_ips="`grep -v '^ *#' << EOF
192.168.2.96
192.168.2.42
# 192.168.2.54
$foo
192.168.2.66
192.168.2.174
EOF`"

Thomas

--
Email: thomas at intevation.de
http://intevation.de/~thomas/

From james at hdcs.com.au Wed Dec 3 10:28:46 2003
From: james at hdcs.com.au (James Bean)
Date: Wed, 3 Dec 2003 20:28:46 +1000
Subject: [Firehol-support] Port Forwarding Help
Message-ID:

Sorry to add so many requests for help, I only joined recently and haven't
gotten many posts from this list yet.

My problem is port forwarding, the dnat snat nat redirect system seems very
complicated when trying to do a simple port redirect.

The following is what I am having a problem with.

Internal Lan interface is eth0
External Internet interface is eth1

Ports for redirection : 6881 6882 .... 6889

I need to port forward from eth1 any incoming connections to the above ports
to 192.168.69.69

so incoming 6881 to port eth1 should be forwarded to 192.168.69.69

Everything I have tried with dnat and snat doesn't seem to work.

Any suggestions on this matter would be very much appreciated.

I take it by the description any dnat snat nat redirect commands get put at
the end of the config not under a router or interface heading?

J

-------------- next part --------------
An HTML attachment was scrubbed...
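Thomas's here-document trick above (drop comment lines with `grep -v '^ *#'`, let the shell expand variables) is a convenient way to keep an allow-list inside firehol.conf. What follows is an added example, not code from the list posts or from FireHOL itself: it wraps the trick in a function and adds the check a practitioner would want before the list is spliced into a rule such as `client all accept src "${accepted_ips}"`. Every surviving token must parse as an IPv4 address or CIDR, so a trailing comment on an address line or a typo fails at load time instead of being handed to iptables. The `gateway_host` variable, the addresses and the function names are constructed for the example.

```shell
#!/bin/sh
# Build a FireHOL-style IP allow-list from a here-document (Thomas's approach),
# then validate every entry before it can reach a firewall rule.

# Constructed sample value: a host that is referenced by variable inside the list.
gateway_host="192.168.2.1"

# Emits the list with comment lines (optionally indented) removed; the unquoted
# EOF lets the shell expand $gateway_host before grep sees the text.
build_accepted_ips() {
    grep -v '^ *#' <<EOF
192.168.2.96
192.168.2.42
  # 192.168.2.54   indented comment: still dropped
$gateway_host
192.168.2.66/32
192.168.2.174
EOF
}

# Returns 0 for a dotted-quad IPv4 address with an optional /0-32 prefix,
# 1 for anything else (hostnames, stray '#', out-of-range octets, bad prefix).
is_ipv4_or_cidr() {
    addr=${1%%/*}
    prefix=${1#*/}
    # No slash: the two expansions are identical, treat as a /32 host.
    [ "$prefix" = "$1" ] && prefix=32
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS
    IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Prints the validated list one entry per line; stops with status 1 on the
# first entry that is not an address, naming it on stderr.
validated_ips() {
    for ip in $(build_accepted_ips); do
        is_ipv4_or_cidr "$ip" || { echo "accepted_ips: bad entry '$ip'" >&2; return 1; }
        echo "$ip"
    done
}

# Number of entries that survived comment stripping and validation.
count_ips() {
    validated_ips | wc -l | tr -d ' '
}

# Usage inside firehol.conf (assumption: the functions are defined above it):
#   accepted_ips="$(validated_ips)" || exit 1
```

The validator is deliberately strict: a line such as `192.168.2.54 # old host` passes Costa's file-based version unchanged and the `#` and `old` tokens end up in the rule, whereas here they are rejected before any iptables command runs.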
URL:

From costa at tsaousis.gr Wed Dec 3 20:50:19 2003
From: costa at tsaousis.gr (Costa Tsaousis)
Date: Wed, 3 Dec 2003 22:50:19 +0200 (EET)
Subject: [Firehol-support] Port Forwarding Help
In-Reply-To:
References:
Message-ID: <44211.10.0.0.193.1070484619.squirrel@nefeli.tsaousis.gr>

dnat to 192.168.69.69 inface eth1 dport "6881:6889"

place this BEFORE any interface or router blocks.

--
Costa Tsaousis

> Sorry to add so many requests for help, I only joined recently and
> haven't gotten many posts from this list yet.
>
> My problem is port forwarding, the dnat snat nat redirect system seems
> very complicated when trying to do a simple port redirect.
>
> The following is what I am having a problem with.
>
> Internal Lan interface is eth0
> External Internet interface is eth1
>
> Ports for redirection : 6881 6882 .... 6889
>
> I need to port forward from eth1 any incoming connections to the above
> ports to 192.168.69.69
>
> so incoming 6881 to port eth1 should be forwarded to 192.168.69.69
>
> Everything I have tried with dnat and snat doesn't seem to work.
>
> Any suggestions on this matter would be very much appreciated.
>
> I take it by the description any dnat snat nat redirect commands get put
> at the end of the config not under a router or interface heading?
>
> J
>

From costa at tsaousis.gr Wed Dec 3 21:16:26 2003
From: costa at tsaousis.gr (Costa Tsaousis)
Date: Wed, 3 Dec 2003 23:16:26 +0200 (EET)
Subject: [Firehol-support] Transparent Proxy help
In-Reply-To:
References:
Message-ID: <44509.10.0.0.193.1070486186.squirrel@nefeli.tsaousis.gr>

I guess that when you say that the transparent proxy is not working, you mean
that it allows web browsing from the unroutable IPs.

If this is the problem, then change the transparent_squid statement to this:

transparent_squid 8080 "squid root" inface eth0 src "${accepted_ips}"

This is because, a proxy is not ROUTING the packets, it re-plays them at the
other side of your firewall.
If your transparent squid does not work at all, please check the squid logs and verify that it gets the requests from the clients. If it gets the requests, then check your squid configuration. If it does get the requests but it complains that it cannot connect to remote hosts, first check this: transparent_squid 8080 "" inface eth0 src "${accepted_ips}" this will disable proxied browsing from the firewall itself (with a browser on the linux host). If that works, check the user under which squid is running and make sure it is included in the first command line above. Costa PS: Your eth0 interface does not state any clients. This means that you will not even be able to ping the other hosts from the linux firewall. Is that what you want? > Hi, > > What I am trying to accomplish is to denigh access to the internet from > certain users and enable for others, but the transparent proxy doesn't > seem to be working. > > My firehol.conf is as follows: > > -------------------------------------------- > # > # $Id: client-all.conf,v 1.2 2002/12/31 15:44:34 ktsaou Exp $ > # > # This configuration file will allow all requests originating from the > # local machine to be send through all network interfaces. > # > # No requests are allowed to come from the network. The host will be > # completely stealthed! It will not respond to anything, and it will > # not be pingable, although it will be able to originate anything > # (even pings to other hosts). > # > > # Require release 5 of FireHOL configuration directives > version 5 > > # Internal Network IP Address > lan_ips="192.168.69.0/24" > accepted_ips="`cat /etc/firehol/ips.txt | grep -v '^#'`" > > # Transparent Proxy > transparent_squid 8080 "squid root" inface eth0 src "${lan_ips}" > > # My LAN. Everything is allowed here. 
> interface eth0 lan src "${lan_ips}" > server dns accept > server squid accept > server ssh accept > server http accept > server ftp accept > server smtp accept > server dhcp accept > policy reject > > interface eth1 internet src not "${lan_ips} ${UNROUTABLE_IPS}" > protection strong 10/sec 10 > server ssh accept > server http accept > server ident reject with tcp-reset > client all accept > > router internet2lan inface eth1 outface eth0 > masquerade reverse > client all accept src "${accepted_ips}" > server ident reject with tcp-reset > ----------------------------------- > > ips.txt is as follows > > 192.168.69.1 > 192.168.69.5 > 192.168.69.69 > 192.168.69.205 > > But I need the other machines in the network to receive there dhcp from > the box, there IP just won't be allowed at the router rule. > > At the moment that seems to be working, except the transparent proxy > doesn't seem to be working corrently, if I do the rules manually with a > plain iptables set of rules it works no problems, I seem to have > something wrong in the firehol configuration. > > Any help would be very much appreciated. > > J > From bock+firehol at blacknet.de Thu Dec 4 14:07:06 2003 From: bock+firehol at blacknet.de (Goetz Bock) Date: Thu, 4 Dec 2003 15:07:06 +0100 Subject: [Firehol-support] Port Forwarding Help In-Reply-To: <44211.10.0.0.193.1070484619.squirrel@nefeli.tsaousis.gr> References: <44211.10.0.0.193.1070484619.squirrel@nefeli.tsaousis.gr> Message-ID: <20031204140706.GC20753@shell.blacknet.de> On Wed, Dec 03 '03 at 22:50, Costa Tsaousis wrote: > dnat to 192.168.69.69 inface eth1 dport "6881:6889" As James is tring to run bittorrent behind his nat/firewall this will not work as ecpexted. He has to add 9 rules: one for each port from 6881 to 6889. 
--
Goetz Bock                        (c) 2003 as blacknet.de - Munich - Germany
/"\ IT Consultant      GNU FDL 1.1      secure mobile Linux everNETting
\ / X ASCII Ribbon Campaign against HTML email & microsoft attachments
/ \

From daniel at rimspace.net Wed Dec 10 13:00:19 2003
From: daniel at rimspace.net (Daniel Pittman)
Date: Thu, 11 Dec 2003 00:00:19 +1100
Subject: [Firehol-support] PPPoE TCP MSS clamping / match
Message-ID: <87brqgltek.fsf@enki.rimspace.net>

In order to use my ADSL connection, I need to clamp the MSS value on TCP
connections to something slightly lower than a standard Ethernet value.

Anyway, the "standard" way of achieving this for the in-kernel PPPoE driver
is to issue the following iptables command:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
    -j TCPMSS --clamp-mss-to-pmtu

Now, I can obviously stick that in using the 'iptables' command, but that is
a bit less selective than I will want to be in the near future.

So, any chance of seeing an action to implement this? I would suggest:

tcpmss ( 'pmtu' | )

If the argument is 'pmtu', pass the '--clamp-mss-to-pmtu' option, otherwise
pass '--set-mss '.

Having it match on the 'router' statement, etc, would be ideal.

That way I don't need to fiddle with the interface matching and so on when I
have a PPPoE link and an 802.11 link heading out of the same box, and I need
to clamp the MSS on only one of them.

Daniel

--
Reality is not as strong as perception. Perception all too often swallows
reality and spits it out in a new, unrecognizable form.
        -- Maytee Aspuro

From moacyrs at akadnyx.com.br Fri Dec 12 12:53:08 2003
From: moacyrs at akadnyx.com.br (Moacyr Leite da Silva)
Date: Fri, 12 Dec 2003 10:53:08 -0200
Subject: [Firehol-support] howto block p2p in network
References: <44509.10.0.0.193.1070486186.squirrel@nefeli.tsaousis.gr>
Message-ID: <004301c3c0ae$e494b7e0$fd00a8c0@moacyr>

Hi,

Can someone help to block p2p in my network? I tried the config below with no
luck.
Regards
Moacyr

####
version 5

server_kaaza_ports="tcp/3531"
client_kaaza_ports="default"

transparent_squid 8080 "squid root" inface eth1

interface eth0 internet src not "${UNROUTABLE_IPS}"
    policy drop
    protection strong
    server ident reject with tcp-reset

    server http accept
    server https accept
    server dns accept
    server smtp accept
    server ssh accept
    server jabberd accept
    server jabber accept
    server kaaza deny

    client all accept

interface eth1 lan
    policy accept
    server all accept
    client all accept

router lan2internet inface eth1 outface eth0
    masquerade
    route kaaza deny
    route "http https ftp" accept
    route "ssh ntp ping" accept
    route "GRE AH ESP isakmp pptp" accept
    route "vnc irc msn" accept

From andre.marenke at awc.net.au Mon Dec 15 06:17:19 2003
From: andre.marenke at awc.net.au (Andre Marenke)
Date: Mon, 15 Dec 2003 17:17:19 +1100
Subject: [Firehol-support] Extending complex service FTP
Message-ID: <1071469039.2790.647.camel@andre>

Hello,

I am currently trying to extend/recreate the FTP service definitions. I have
a router R and two machines M1 and M2 behind the router.

I have http running on M1 and ftp on M2. My ftp server is setup to listen on
ports 2500:2520 (one port for each virtual ftp domain).

2 Questions:
1) With the setup I have below it is not possible to do passive FTP to the
FTP server and my definition is too simple to allow for conntrack to work. Is
it possible to modify the existing FTP server definition in an easy way to
gain full FTP functionality with different ports?
2) I have only set up one router and was wondering what the best/most elegant
solution is to split traffic up depending on the type of traffic? Define
multiple routers with destination ip addresses set for each service or one
router with the service destination IP addresses set?

Thanks for a great product btw!
My setup is like this:

interface eth0 internet
    policy DROP
    protection strong
    client ssh accept

interface eth1 dmz
    policy REJECT
    protection strong
    server squid accept
    server ssh accept
    client ssh accept

router net2dmz inface eth0 outface eth1
    route http accept
    route custom ftpserver tcp/2500:2520 default accept

router dmz2net inface eth1 outface eth0
    route all accept

From costa at tsaousis.gr Tue Dec 16 22:12:29 2003
From: costa at tsaousis.gr (Costa Tsaousis)
Date: Wed, 17 Dec 2003 00:12:29 +0200
Subject: [Firehol-support] Extending complex service FTP
In-Reply-To: <1071469039.2790.647.camel@andre>
References: <1071469039.2790.647.camel@andre>
Message-ID: <1071612749.5072.157.camel@nefeli.tsaousis.gr>

Hi Andre,

> I am currently trying to extend/recreate the FTP service definitions. I
> have a router R and two machines M1 and M2 behind the router.
>
> I have http running on M1 and ftp on M2. My ftp server is setup to
> listen on ports 2500:2520 (one port for each virtual ftp domain).
>
> 2 Questions:
> 1) With the setup I have below it is not possible to do passive FTP to
> the FTP server and my definition is too simple to allow for conntrack to
> work. Is it possible to modify the existing FTP server definition in an
> easy way to gain full FTP functionality with different ports?

The FTP service needs an FTP conntrack module, which allows the random socket
connection made for the data transfer by the FTP server/client, to be matched
as RELATED to the initial request. I don't think that this module will
understand ports 2500:2520 as FTP requests, and therefore it will not allow
either active or passive data connections RELATED to these ports.

I think it would be better to have either multiple IPs on your machine and
bind one FTP server to each IP, or use an FTP server with virtual domains
support (if I remember correctly, ProFTPd is one of those). If you use either
of these two methods, FireHOL's FTP service will operate as expected.
If however you cannot use any of the above, I suggest to use this for a safe
Active FTP server (ONLY ACTIVE FTP AND ONLY SERVER):

---
# Custom FTP Server Control socket
server_myftpc_ports="tcp/2500:2520"
client_myftpc_ports="default"

# Custom FTP server Data socket
server_myftpd_ports="tcp/1024:65535"
client_myftpd_ports="default"

interface ...
    # Our custom FTP server
    server myftpc accept
    client myftpd accept
---

DO NOT REVERSE server/client FOR AN FTP CLIENT OF THIS FTP VARIATION. IT WILL
BE A HUGE SECURITY HOLE.

> 2) I have only set up one router and was wondering what the best/most
> elegant solution is to split traffic up depending on the type of
> traffic? Define multiple routers with destination ip addresses set for
> each service or one router with the service destination IP addresses
> set?

I like to think with the concept of "zones". A "zone" (for me) is a subnet of
machines that are related to each other, and which I am willing to protect.

Normally you are going to face a situation similar to this:

Servers A, B, C on subnet S1 form ZONE1, connected on interface I1
Servers D, E, F on subnet S2 form ZONE2, connected on interface I2
Then there is the Internet (of course), on interface I3

I1 and I2 might be the same, but not necessarily.

Here is what I do:

# Internet - to - Zone1 (and vice versa)
router i2z1 inface I3 outface I1 src not "${UNROUTABLE_IPS}" dst S1
    server x accept dst A
    server y accept dst B
    server z accept dst C
    ...
    client x1 accept src A
    client y1 accept src B
    client z1 accept src C
    ...

# Internet - to - Zone2 (and vice versa)
router i2z2 inface I3 outface I2 src not "${UNROUTABLE_IPS}" dst S2
    server x accept dst D
    server y accept dst E
    server z accept dst F
    ...
    client x1 accept src D
    client y1 accept src E
    client z1 accept src F
    ...

In the above, INPUT (inface/src) is the Internet and OUTPUT (outface/dst) is
the zone to be protected. Given that, I then "think" of all the rules as if I
was the machine(s) protected from the Internet (i.e.
same concept with the interface rules).

Then, if there is need for routing traffic between the zones, I prefer to do
this (for clarity, since both sides are to be protected from each other):

# Zone 1 to Zone 2
router Z1toZ2 inface I1 outface I2 src S1 dst S2
    route x accept src A dst D
    route y accept src B dst E
    ...

# Zone 2 to Zone 1
router Z2toZ1 inface I2 outface I1 src S2 dst S1
    route x accept src D dst A
    route y accept src E dst B
    ...

These are unidirectional routers (in concept) and state very clearly what can
be requested by clients running on the INPUT, from servers running on the
OUTPUT.

Remember that inface/outface/src/dst match the REQUEST, not the REPLY.

Costa

From bock at blacknet.de Tue Dec 16 22:38:53 2003
From: bock at blacknet.de (Goetz Bock)
Date: Tue, 16 Dec 2003 23:38:53 +0100
Subject: [Firehol-support] Extending complex service FTP
In-Reply-To: <1071612749.5072.157.camel@nefeli.tsaousis.gr>
References: <1071469039.2790.647.camel@andre> <1071612749.5072.157.camel@nefeli.tsaousis.gr>
Message-ID: <20031216223852.GJ440@shell.blacknet.de>

On Wed, Dec 17 '03 at 00:12, Costa Tsaousis wrote:
> > I have http running on M1 and ftp on M2. My ftp server is setup to
> > listen on ports 2500:2520 (one port for each virtual ftp domain).
>
> The FTP service needs an FTP conntrack module, which allows the random
> socket connection made for the data transfer by the FTP server/client,
> to be matched as RELATED to the initial request. I don't think that this
> module will understand ports 2500:2520 as FTP requests, and therefore it
> will not allow either active or passive data connections RELATED to
> these ports.
Actually it can be made to:

user at box ~$ modinfo /lib/modules/2.4.23/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
filename:    /lib/modules/2.4.23/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
description:
author:
license:     "GPL"
parm:        ports int array (min = 1, max = 8)
parm:        loose int
user at box ~$

so it looks like you can specify up to 8 ports where the module will try to
conntrack ftp connections. By default 21 will be used. (You can only get 8
ports, as you can only load the module once)

--
Goetz Bock                        (c) 2003 as blacknet.de - Munich - Germany
/"\ IT Consultant      GNU FDL 1.1      secure mobile Linux everNETting
\ / X ASCII Ribbon Campaign against HTML email & microsoft attachments
/ \

From lingenavd at planet.nl Thu Dec 25 22:40:59 2003
From: lingenavd at planet.nl (lingenavd)
Date: Thu, 25 Dec 2003 23:40:59 +0100
Subject: [Firehol-support] Help needed for firehol.conf
Message-ID: <3FEB677B.3020001@planet.nl>

Hi all,

Could you help me out please.....

I have all set as good as I can think in firehol.conf, but the firewall
blocks all my outgoing traffic. Even when ppp+ is configured for
"client all accept"
I am using ADSL with a speedtouch USB modem.
When I stop the firewall, all works fine.
The message in the /var/log/messages is:

Dec 25 23:24:33 specimen kernel: OUT-unknown:IN= OUT=ppp0 SRC= DST=195.121.1.34 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=10148 DF PROTO=UDP SPT=32770 DPT=53 LEN=39

this is after I ping a URL.
So not even a DNS request is let through the firewall!!

Please help.
grtz,
dre

From jgmbenoit at wanadoo.fr Fri Dec 26 20:58:36 2003
From: jgmbenoit at wanadoo.fr (Jerome BENOIT)
Date: Fri, 26 Dec 2003 22:58:36 +0200
Subject: [Firehol-support] psad and firehol
Message-ID: <3FECA0FC.9020008@wanadoo.fr>

Hello List,

I have just written down my first FireHOL script:
my first trouble comes from psad: it emails the message:

 ** The INPUT chain in the iptables ruleset on _CHANGEME_ includes a
 default LOG rule for all protocols, but the rule does not have a log
 prefix of "DROP". It appears as though the log prefix is set to
 "IN-unknown:". psad will not be able to detect scans without adding
 --log-prefix "DROP" to the rule.

I have tried to put the following line to my script:

FIREHOL_LOG_OPTIONS="--log-prefix \"DROP\""

but I get an error message saying that iptables does not support twice the
same option.

Is there a clean way to satisfy psad?

Thanks in advance,
Jerome

PS:
Please CC your response to my email address as I am not a member of the list,
thanks.

From costa at tsaousis.gr Mon Dec 29 08:11:03 2003
From: costa at tsaousis.gr (Costa Tsaousis)
Date: Mon, 29 Dec 2003 10:11:03 +0200
Subject: [Firehol-support] psad and firehol
In-Reply-To: <3FECA0FC.9020008@wanadoo.fr>
References: <3FECA0FC.9020008@wanadoo.fr>
Message-ID: <1072685463.27151.7.camel@nefeli.tsaousis.gr>

At the end of each interface add:

    server any psad drop log "DROP"

At the end of all interfaces add:

interface any psad
    server any psad drop log "DROP"

At the end of all routers add:

router psad
    server any psad drop log "DROP"

These will overwrite the default DROP rules added by FireHOL.

Costa

On Παρ, 2003-12-26 at 22:58, Jerome BENOIT wrote:
> Hello List,
>
> I have just written down my first FireHOL script:
> my first trouble comes from psad: it emails the message:
>
> ** The INPUT chain in the iptables ruleset on _CHANGEME_ includes a
> default LOG rule for all protocols, but the rule does not have a log
> prefix of "DROP".
It appears as though the log prefix is set to > "IN-unknown:". psad will not be able to detect scans without adding > --log-prefix "DROP" to the rule. > > > I have try to put the following line to my script: > > FIREHOL_LOG_OPTIONS="--log-prefix \"DROP\"" > > but I get an error message saying that iptable does not support > twice the same option. > > Is there a clean to satisfy psad ? > > Thanks inadvance, > Jerome > > PS: > Please CC your reponse to my email address > as I am not a memeber the list, thanks. > > > > ------------------------------------------------------- > This SF.net email is sponsored by: IBM Linux Tutorials. > Become an expert in LINUX or just sharpen your skills. Sign up for IBM's > Free Linux Tutorials. Learn everything from the bash shell to sys admin. > Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click > _______________________________________________ > Firehol-support mailing list > Firehol-support at lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/firehol-support From jgmbenoit at wanadoo.fr Mon Dec 29 19:24:09 2003 From: jgmbenoit at wanadoo.fr (Jerome BENOIT) Date: Mon, 29 Dec 2003 21:24:09 +0200 Subject: [Firehol-support] psad and firehol References: <3FECA0FC.9020008@wanadoo.fr> <1072685463.27151.7.camel@nefeli.tsaousis.gr> Message-ID: <3FF07F59.60807@wanadoo.fr> Thanks for your reply: I have just try it, and unfortunaltely I get the same email message from psad. Jerome Costa Tsaousis wrote: > At the end of each interface add: > > server any psad drop log "DROP" > > At the end of all interfaces add: > > interface any psad > server any psad drop log "DROP" > > > At the end of all routers add: > > router psad > server any psad drop log "DROP" > > > These will overwrite the default DROP rules added by FireHOL. 
> > Costa > > On Παρ, 2003-12-26 at 22:58, Jerome BENOIT wrote: > >>Hello List, >> >>I have just written down my first FireHOL script: >>my first trouble comes from psad: it emails the message: >> >> ** The INPUT chain in the iptables ruleset on _CHANGEME_ includes a >> default LOG rule for all protocols, but the rule does not have a log >> prefix of "DROP". It appears as though the log prefix is set to >> "IN-unknown:". psad will not be able to detect scans without adding >> --log-prefix "DROP" to the rule. >> >> >>I have try to put the following line to my script: >> >>FIREHOL_LOG_OPTIONS="--log-prefix \"DROP\"" >> >>but I get an error message saying that iptable does not support >>twice the same option. >> >>Is there a clean to satisfy psad ? >> >>Thanks inadvance, >>Jerome >> >>PS: >>Please CC your reponse to my email address >>as I am not a memeber the list, thanks. >> >> >> >>------------------------------------------------------- >>This SF.net email is sponsored by: IBM Linux Tutorials. >>Become an expert in LINUX or just sharpen your skills. Sign up for IBM's >>Free Linux Tutorials. Learn everything from the bash shell to sys admin. >>Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click >>_______________________________________________ >>Firehol-support mailing list >>Firehol-support at lists.sourceforge.net >>https://lists.sourceforge.net/lists/listinfo/firehol-support > > > From costa at tsaousis.gr Mon Dec 29 21:48:10 2003 From: costa at tsaousis.gr (Costa Tsaousis) Date: Mon, 29 Dec 2003 23:48:10 +0200 Subject: [Firehol-support] psad and firehol In-Reply-To: <3FF07F59.60807@wanadoo.fr> References: <3FECA0FC.9020008@wanadoo.fr> <1072685463.27151.7.camel@nefeli.tsaousis.gr> <3FF07F59.60807@wanadoo.fr> Message-ID: <1072734490.27157.20.camel@nefeli.tsaousis.gr> This is normal since the default rules have not been removed. The rules I sent you "overwrite" the defaults because they appear just before them. 
This means that although psad complains, it should work as expected now. Does it? Note: I noticed in psad documentation that it might require a space after the log prefix. Please replace "DROP" in the rules I sent you with "DROP ". Run a check to see if the rules I sent you allow psad to work as expected, and if they do just add --no-fwcheck to psad to prevent the psad alarm about the possibility of a miss-configured firewall from being sent to you. Costa On Δευ, 2003-12-29 at 21:24, Jerome BENOIT wrote: > Thanks for your reply: > I have just try it, > and unfortunaltely I get the same email message from > psad. > > Jerome > > Costa Tsaousis wrote: > > At the end of each interface add: > > > > server any psad drop log "DROP" > > > > At the end of all interfaces add: > > > > interface any psad > > server any psad drop log "DROP" > > > > > > At the end of all routers add: > > > > router psad > > server any psad drop log "DROP" > > > > > > These will overwrite the default DROP rules added by FireHOL. > > > > Costa > > > > On Παρ, 2003-12-26 at 22:58, Jerome BENOIT wrote: > > > >>Hello List, > >> > >>I have just written down my first FireHOL script: > >>my first trouble comes from psad: it emails the message: > >> > >> ** The INPUT chain in the iptables ruleset on _CHANGEME_ includes a > >> default LOG rule for all protocols, but the rule does not have a log > >> prefix of "DROP". It appears as though the log prefix is set to > >> "IN-unknown:". psad will not be able to detect scans without adding > >> --log-prefix "DROP" to the rule. > >> > >> > >>I have try to put the following line to my script: > >> > >>FIREHOL_LOG_OPTIONS="--log-prefix \"DROP\"" > >> > >>but I get an error message saying that iptable does not support > >>twice the same option. > >> > >>Is there a clean to satisfy psad ? > >> > >>Thanks inadvance, > >>Jerome > >> > >>PS: > >>Please CC your reponse to my email address > >>as I am not a memeber the list, thanks. 
> >> > >> > >> From costa at tsaousis.gr Mon Dec 29 21:51:01 2003 From: costa at tsaousis.gr (Costa Tsaousis) Date: Mon, 29 Dec 2003 23:51:01 +0200 Subject: [Firehol-support] Help needed for firehol.conf In-Reply-To: <3FEB677B.3020001@planet.nl> References: <3FEB677B.3020001@planet.nl> Message-ID: <1072734660.27155.23.camel@nefeli.tsaousis.gr> The fact that FireHOL logs the traffic as "OUT-unknown" means that the traffic does not match any of the interfaces defined within firehol.conf. Could you please post the "interface ppp..." section of your firehol.conf? Costa On Παρ, 2003-12-26 at 00:40, lingenavd wrote: > Hi all, > > Could you help me out please..... > > I have all set a good as I can think in firehol.conf, but the firewall > block all mine outgoing traffic. Even when ppp+ is configured for > "client all accept" > I am using ADSL with a speedtouch USB modem. > When I stop the firewall, all works fine. > The message in the /var/log/messages is: > > Dec 25 23:24:33 specimen kernel: OUT-unknown:IN= OUT=ppp0 SRC= address> DST=195.121.1.34 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=10148 DF > PROTO=UDP SPT=32770 DPT=53 LEN=39 > > this is after I ping a URL. > So not even a DNS request is let threw the firewall!! > > Please help. > > grtz, > dre From costa at tsaousis.gr Mon Dec 29 23:04:35 2003 From: costa at tsaousis.gr (Costa Tsaousis) Date: Tue, 30 Dec 2003 01:04:35 +0200 Subject: [Firehol-support] PPPoE TCP MSS clamping / match In-Reply-To: <87brqgltek.fsf@enki.rimspace.net> References: <87brqgltek.fsf@enki.rimspace.net> Message-ID: <1072739074.27148.33.camel@nefeli.tsaousis.gr> Hi Daniel, TCPMSS is used only in filter/FORWARD? I am asking because I have the following options and I don't know which one to choose: 1. Make this a helper command, to be used at the top of the firewall configuration, like dnat, snat, transparent_squid, etc. with the syntax you suggest. 2. 
Make this an option for routers which will be used the same way the "policy"
subcommand is used in interfaces. This way there will be no optional rule
parameters, since the router parameters will be inherited. Example:

router x inface a outface b src xx dst yy ...
    tcpmss pmtu
    server x accept
    ...

3. Make this an optional rule parameter (like log, src, dst, etc) which could
be used anywhere, even in client/server subcommands.

Can you point me to some documentation about the possible uses of TCPMSS?

Thanks
Costa

On Τετ, 2003-12-10 at 15:00, Daniel Pittman wrote:
> In order to use my ADSL connection, I need to clamp the MSS value on TCP
> connections to something slightly lower than a standard Ethernet value.
>
> Anyway, the "standard" way of achieving this for the in-kernel PPPoE
> driver is to issue the following iptables command:
>
> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
> -j TCPMSS --clamp-mss-to-pmtu
>
> Now, I can obviously stick that in using the 'iptables' command, but
> that is a bit less selective than I will want to be in the near future.
>
> So, any chance of seeing an action to implement this? I would suggest:
>
> tcpmss ( 'pmtu' | )
>
> If the argument is 'pmtu', pass the '--clamp-mss-to-pmtu' option,
> otherwise pass '--set-mss '.
>
> Having it match on the 'router' statement, etc, would be ideal.
>
>
> That way I don't need to fiddle with the interface matching and so on
> when I have a PPPoE link and an 802.11 link heading out of the same box,
> and I need to clamp the MSS on only one of them.
> > Daniel From costa at tsaousis.gr Mon Dec 29 23:21:05 2003 From: costa at tsaousis.gr (Costa Tsaousis) Date: Tue, 30 Dec 2003 01:21:05 +0200 Subject: [Firehol-support] howto block p2p in network In-Reply-To: <004301c3c0ae$e494b7e0$fd00a8c0@moacyr> References: <44509.10.0.0.193.1070486186.squirrel@nefeli.tsaousis.gr> <004301c3c0ae$e494b7e0$fd00a8c0@moacyr> Message-ID: <1072740064.27148.51.camel@nefeli.tsaousis.gr> I am afraid you will not be able to block all P2P applications. More specifically, kazaa seems to adjust itself to the environment and even use port 80 to communicate with the kazaa servers. This makes it almost impossible to block kazaa (blocking port 80 blocks the web too). I have done some search on the net about this, and although I found significantly varying responses to similar questions, I consider the following as the best practices: 1. If you are trying to block P2P in a corporate environment, try to enforce policies that will eliminate the problem. Not all problems are solved with technical solutions, and generally speaking, people that want their jobs tend to follow the policies set by higher management. 2. If you cannot control the policies, you can rate-limit (throttle) kazaa to use too little bandwidth to be useful. Since kazaa first tries the default kazaa ports and if it cannot connect with those, falls back to alternatives, rate limiting the well known kazaa ports will allow you to control it even if it appears to work. Keep in mind though that this means you are willing to play a cat-mouse game as kazaa evolves... If however none of the above is good for you, you can search the net for various solutions applied and experiment to see the results. Personally, I wouldn't suggest that - it will be just a time waste. Costa On Παρ, 2003-12-12 at 14:53, Moacyr Leite da Silva wrote: > Hi, > > > Can some help to block p2p in my network? I tryed the config bellow with no > luck. 
> > Regards > Moacyr > > > #### > version 5 > > server_kaaza_ports="tcp/3531" > client_kaaza_ports="default" > > transparent_squid 8080 "squid root" inface eth1 > > > interface eth0 internet src not "${UNROUTABLE_IPS}" > > policy drop > protection strong > server ident reject with tcp-reset > > server http accept > server https accept > server dns accept > server smtp accept > server ssh accept > server jabberd accept > server jabber accept > server kaaza deny > > client all accept > > interface eth1 lan > > policy accept > > server all accept > > client all accept > > > router lan2internet inface eth1 outface eth0 > masquerade > route kaaza deny > route "http https ftp" accept > route "ssh ntp ping" accept > route "GRE AH ESP isakmp pptp" accept > route "vnc irc msn" accept > From lingenavd at planet.nl Wed Dec 31 10:34:47 2003 From: lingenavd at planet.nl (lingenavd) Date: Wed, 31 Dec 2003 11:34:47 +0100 Subject: [Firehol-support] Help needed for firehol.conf References: <3FEB677B.3020001@planet.nl> <1072734660.27155.23.camel@nefeli.tsaousis.gr> Message-ID: <3FF2A647.5090907@planet.nl> Thank you for the hint ...... after some searching and trying with the ppp interface setting in firehol.conf and ifconfig, I noticed that firehol made the setting for ppp src an other IP address.....in ifconfig it is corresponding with the P-t-P IP address. I changed this (src address) in the firehol.conf to "0.0.0.0/0" and than it worked like a charme !! :) Thanks for the reaction, I think it is a great firewall!!! grtz, Andre Costa Tsaousis wrote: >The fact that FireHOL logs the traffic as "OUT-unknown" means that the >traffic does not match any of the interfaces defined within >firehol.conf. > >Could you please post the "interface ppp..." section of your >firehol.conf? > >Costa > > >On Παρ, 2003-12-26 at 00:40, lingenavd wrote: > > >>Hi all, >> >>Could you help me out please..... 
>>
>>I have set everything as well as I can think of in firehol.conf, but the
>>firewall blocks all my outgoing traffic. Even when ppp+ is configured for
>>"client all accept".
>>I am using ADSL with a Speedtouch USB modem.
>>When I stop the firewall, all works fine.
>>The message in /var/log/messages is:
>>
>>Dec 25 23:24:33 specimen kernel: OUT-unknown:IN= OUT=ppp0 SRC=<address>
>>DST=195.121.1.34 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=10148 DF
>>PROTO=UDP SPT=32770 DPT=53 LEN=39
>>
>>This is after I ping a URL.
>>So not even a DNS request is let through the firewall!!
>>
>>Please help.
>>
>>grtz,
>>dre
>
>
>-------------------------------------------------------
>This SF.net email is sponsored by: IBM Linux Tutorials.
>Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
>Free Linux Tutorials. Learn everything from the bash shell to sys admin.
>Click now! http://ads.osdn.com/?ad_id78&alloc_id371&op=click
>_______________________________________________
>Firehol-support mailing list
>Firehol-support at lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/firehol-support
>
>=============================================================
>This e-mail has been checked for viruses by Planet Internet's E-mail VirusScanner.
>http://www.planet.nl/evs links to the current list of what is checked for.

From lazlor at bigboy.lotaris.org Mon Dec 1 16:19:03 2003
From: lazlor at bigboy.lotaris.org (Allen Smith)
Date: Mon, 1 Dec 2003 08:19:03 -0800
Subject: [Firehol-support] Ulog
In-Reply-To: <59991.10.0.0.193.1070255355.squirrel@nefeli.tsaousis.gr>
Message-ID: <000401c3b826$d6864e60$250a0a0a@it637>

The following worked for me under sarge/testing using the deb package of
firehol:

1) edit /etc/init.d/klogd and make KLOGD="-c 5 "
2) edit /lib/firehol/firehol and make FIREHOL_LOG_LEVEL="info"
3) restart firehol and klogd

> -----Original Message-----
> From: firehol-support-admin at lists.sourceforge.net
> [mailto:firehol-support-admin at lists.sourceforge.net] On
> Behalf Of Costa Tsaousis
> Sent: Sunday, November 30, 2003 9:09 PM
> To: Philippe Berini
> Cc: firehol-support at lists.sourceforge.net
> Subject: Re: [Firehol-support] Ulog
>
>
> > I know that this topic has been dealt with in the doc and in the
> > forum, but the suggested solutions don't work in Debian (or
> > at least I can't succeed in having them work).
>
> Strange. Is there someone on the list that has succeeded in
> managing the iptables logs on debian to give us some light here?
>
> > But I prefer FireHOL, and I'll stick to it anyway ;-)
>
> Thanks.
>
> > # FireHOL [:] > server x ULOG
>
> In explain mode, first give an interface (I have the shortcut
> "in" to do this):
>
> # FireHOL [:] > in
>
> and then the server statement with a valid service:
>
> # FireHOL [:] > server smtp ULOG
>
> This works.
>
> > The problem is that I still have the LOG rules in iptables:
>
> Yes, since the iptables commands will simply add rules for
> this logging; they will not change the existing ones.
>
> Anyway, I have added the variable FIREHOL_LOG_MODE to control
> the method of logging. By default it is set to LOG. You can set
> it to ULOG to change all logging made by FireHOL (even with
> the log and loglimit rules) to use ULOG. Use the normal
> FIREHOL_LOG_OPTIONS variable to control other options of ULOG.
>
> Note that if set to ULOG, then FIREHOL_LOG_LEVEL and the
> level parameter to the log/loglimit rules are ignored (ULOG
> does not have a level).
>
> This has been added to v1.172 currently in the CVS. I have
> tested that LOG works as previously and that ULOG statements
> are produced correctly but I'll need your help to verify that
> ULOG is working properly.
>
> Costa

From philippe at berini.org Mon Dec 1 22:14:44 2003
From: philippe at berini.org (Philippe Berini)
Date: Mon, 1 Dec 2003 23:14:44 +0100
Subject: [Firehol-support] Ulog
In-Reply-To: <59991.10.0.0.193.1070255355.squirrel@nefeli.tsaousis.gr>
References: <20031129204023.GB19775@berini.org> <57437.10.0.0.193.1070144826.squirrel@nefeli.tsaousis.gr> <20031130110849.GB2965@berini.org> <59991.10.0.0.193.1070255355.squirrel@nefeli.tsaousis.gr>
Message-ID: <20031201221444.GD2012@berini.org>

* Costa Tsaousis [Mon 01 Dec 03 07:09]:
> This has been added to v1.172 currently in the CVS. I have tested that LOG
> works as previously and that ULOG statements are produced correctly but
> I'll need your help to verify that ULOG is working properly.

Thanks for all these explanations, I'm sure they will be useful later on.

I am very far from being a specialist (just able to run my Debian in
"normal" quasi-newbie conditions) and am afraid I can't be of any help
with the CVS for the moment. I'm sure someone else on the list will help
you test this new functionality.

Thanks again, I'll keep posted.
-- 
Philippe Berini

From philippe at berini.org Mon Dec 1 22:15:10 2003
From: philippe at berini.org (Philippe Berini)
Date: Mon, 1 Dec 2003 23:15:10 +0100
Subject: [Firehol-support] Ulog
In-Reply-To: <000401c3b826$d6864e60$250a0a0a@it637>
References: <59991.10.0.0.193.1070255355.squirrel@nefeli.tsaousis.gr> <000401c3b826$d6864e60$250a0a0a@it637>
Message-ID: <20031201221510.GE2012@berini.org>

* Allen Smith [Mon 01 Dec 03 08:19]:
> The following worked for me under sarge/testing using the deb package of
> firehol:
> 1) edit /etc/init.d/klogd and make KLOGD="-c 5 "
> 2) edit /lib/firehol/firehol and make FIREHOL_LOG_LEVEL="info"
> 3) restart firehol and klogd

I run Sarge with kernel 2.4.22, and it does not work. Too bad ;-\

Thanks anyway,
-- 
Philippe Berini

From james at hdcs.com.au Wed Dec 3 09:20:06 2003
From: james at hdcs.com.au (James Bean)
Date: Wed, 3 Dec 2003 19:20:06 +1000
Subject: [Firehol-support] Transparent Proxy help
Message-ID:

Hi,

What I am trying to accomplish is to deny access to the internet for
certain users and enable it for others, but the transparent proxy doesn't
seem to be working.

My firehol.conf is as follows:

--------------------------------------------
#
# $Id: client-all.conf,v 1.2 2002/12/31 15:44:34 ktsaou Exp $
#
# This configuration file will allow all requests originating from the
# local machine to be sent through all network interfaces.
#
# No requests are allowed to come from the network. The host will be
# completely stealthed! It will not respond to anything, and it will
# not be pingable, although it will be able to originate anything
# (even pings to other hosts).
#

# Require release 5 of FireHOL configuration directives
version 5

# Internal Network IP Address
lan_ips="192.168.69.0/24"
accepted_ips="`cat /etc/firehol/ips.txt | grep -v '^#'`"

# Transparent Proxy
transparent_squid 8080 "squid root" inface eth0 src "${lan_ips}"

# My LAN. Everything is allowed here.
interface eth0 lan src "${lan_ips}"
    server dns accept
    server squid accept
    server ssh accept
    server http accept
    server ftp accept
    server smtp accept
    server dhcp accept
    policy reject

interface eth1 internet src not "${lan_ips} ${UNROUTABLE_IPS}"
    protection strong 10/sec 10
    server ssh accept
    server http accept
    server ident reject with tcp-reset
    client all accept

router internet2lan inface eth1 outface eth0
    masquerade reverse
    client all accept src "${accepted_ips}"
    server ident reject with tcp-reset
-----------------------------------

ips.txt is as follows

192.168.69.1
192.168.69.5
192.168.69.69
192.168.69.205

But I need the other machines in the network to receive their dhcp from
the box; their IPs just won't be allowed at the router rule.

At the moment that seems to be working, except the transparent proxy
doesn't seem to be working correctly. If I do the rules manually with a
plain iptables set of rules it works no problem, so I seem to have
something wrong in the firehol configuration.

Any help would be very much appreciated.

J

From thomas at intevation.de Wed Dec 3 10:00:03 2003
From: thomas at intevation.de (Thomas Arendsen Hein)
Date: Wed, 3 Dec 2003 11:00:03 +0100
Subject: [Firehol-support] Multiple Ip Allows - Denigh rest of subnet
In-Reply-To: <60017.10.0.0.193.1070256048.squirrel@nefeli.tsaousis.gr>
References: <60017.10.0.0.193.1070256048.squirrel@nefeli.tsaousis.gr>
Message-ID: <20031203100003.GA20452@intevation.de>

On Mon, Dec 01, 2003 at 07:20:48AM +0200, Costa Tsaousis wrote:
> I don't think that BASH will accept this # as a comment.
> You can move this list to another file (say, /etc/firehol/ips.txt) and use
> this here:
>
> accepted_ips="`cat /etc/firehol/ips.txt | grep -v '^#'`"
>
> (copy and paste it, there are 3 kinds of quotes here)
> Then put this in /etc/firehol/ips.txt
>
> 192.168.2.96
> 192.168.2.42
> # 192.168.2.54
> 192.168.2.66
> 192.168.2.174
>
> Note that the # has to be the first character of the line. If it is not, it
> will appear in your list. No other comments are allowed in this file.

This one doesn't require another file, isn't picky about spaces and
allows variables inside the list:

foo="this.host.example"
accepted_ips="`grep -v '^ *#' << EOF
192.168.2.96
192.168.2.42
# 192.168.2.54
$foo
192.168.2.66
192.168.2.174
EOF`"

Thomas

-- 
Email: thomas at intevation.de
http://intevation.de/~thomas/

From james at hdcs.com.au Wed Dec 3 10:28:46 2003
From: james at hdcs.com.au (James Bean)
Date: Wed, 3 Dec 2003 20:28:46 +1000
Subject: [Firehol-support] Port Forwarding Help
Message-ID:

Sorry to add so many requests for help, I only joined recently and
haven't gotten many posts from this list yet.

My problem is port forwarding; the dnat snat nat redirect system seems
very complicated when trying to do a simple port redirect.

The following is what I am having a problem with.

Internal LAN interface is eth0
External Internet interface is eth1

Ports for redirection: 6881 6882 .... 6889

I need to port forward from eth1 any incoming connections to the above
ports to 192.168.69.69

so incoming 6881 on eth1 should be forwarded to 192.168.69.69

Everything I have tried with dnat and snat doesn't seem to work.

Any suggestions on this matter would be very much appreciated.

I take it by the description that any dnat snat nat redirect commands get
put at the end of the config, not under a router or interface heading?

J

From costa at tsaousis.gr Wed Dec 3 20:50:19 2003
From: costa at tsaousis.gr (Costa Tsaousis)
Date: Wed, 3 Dec 2003 22:50:19 +0200 (EET)
Subject: [Firehol-support] Port Forwarding Help
In-Reply-To:
References:
Message-ID: <44211.10.0.0.193.1070484619.squirrel@nefeli.tsaousis.gr>

dnat to 192.168.69.69 inface eth1 dport "6881:6889"

place this BEFORE any interface or router blocks.

-- 
Costa Tsaousis

> Sorry to add so many requests for help, I only joined recently and
> haven't gotten many posts from this list yet.
>
> My problem is port forwarding; the dnat snat nat redirect system seems
> very complicated when trying to do a simple port redirect.
>
> The following is what I am having a problem with.
>
> Internal LAN interface is eth0
> External Internet interface is eth1
>
> Ports for redirection: 6881 6882 .... 6889
>
> I need to port forward from eth1 any incoming connections to the above
> ports to 192.168.69.69
>
> so incoming 6881 on eth1 should be forwarded to 192.168.69.69
>
> Everything I have tried with dnat and snat doesn't seem to work.
>
> Any suggestions on this matter would be very much appreciated.
>
> I take it by the description that any dnat snat nat redirect commands get
> put at the end of the config, not under a router or interface heading?
>
> J

From costa at tsaousis.gr Wed Dec 3 21:16:26 2003
From: costa at tsaousis.gr (Costa Tsaousis)
Date: Wed, 3 Dec 2003 23:16:26 +0200 (EET)
Subject: [Firehol-support] Transparent Proxy help
In-Reply-To:
References:
Message-ID: <44509.10.0.0.193.1070486186.squirrel@nefeli.tsaousis.gr>

I guess that when you say that the transparent proxy is not working, you
mean that it allows web browsing from the unroutable IPs. If this is the
problem, then change the transparent_squid statement to this:

transparent_squid 8080 "squid root" inface eth0 src "${accepted_ips}"

This is because a proxy is not ROUTING the packets; it re-plays them at
the other side of your firewall.

If your transparent squid does not work at all, please check the squid
logs and verify that it gets the requests from the clients. If it gets
the requests, then check your squid configuration. If it does get the
requests but complains that it cannot connect to remote hosts, first
check this:

transparent_squid 8080 "" inface eth0 src "${accepted_ips}"

This will disable proxied browsing from the firewall itself (with a
browser on the linux host). If that works, check the user under which
squid is running and make sure it is included in the first command line
above.

Costa

PS: Your eth0 interface does not state any clients. This means that you
will not even be able to ping the other hosts from the linux firewall. Is
that what you want?

> Hi,
>
> What I am trying to accomplish is to deny access to the internet for
> certain users and enable it for others, but the transparent proxy doesn't
> seem to be working.
>
> My firehol.conf is as follows:
>
> --------------------------------------------
> #
> # $Id: client-all.conf,v 1.2 2002/12/31 15:44:34 ktsaou Exp $
> #
> # This configuration file will allow all requests originating from the
> # local machine to be sent through all network interfaces.
> #
> # No requests are allowed to come from the network. The host will be
> # completely stealthed! It will not respond to anything, and it will
> # not be pingable, although it will be able to originate anything
> # (even pings to other hosts).
> #
>
> # Require release 5 of FireHOL configuration directives
> version 5
>
> # Internal Network IP Address
> lan_ips="192.168.69.0/24"
> accepted_ips="`cat /etc/firehol/ips.txt | grep -v '^#'`"
>
> # Transparent Proxy
> transparent_squid 8080 "squid root" inface eth0 src "${lan_ips}"
>
> # My LAN. Everything is allowed here.
> interface eth0 lan src "${lan_ips}"
>     server dns accept
>     server squid accept
>     server ssh accept
>     server http accept
>     server ftp accept
>     server smtp accept
>     server dhcp accept
>     policy reject
>
> interface eth1 internet src not "${lan_ips} ${UNROUTABLE_IPS}"
>     protection strong 10/sec 10
>     server ssh accept
>     server http accept
>     server ident reject with tcp-reset
>     client all accept
>
> router internet2lan inface eth1 outface eth0
>     masquerade reverse
>     client all accept src "${accepted_ips}"
>     server ident reject with tcp-reset
> -----------------------------------
>
> ips.txt is as follows
>
> 192.168.69.1
> 192.168.69.5
> 192.168.69.69
> 192.168.69.205
>
> But I need the other machines in the network to receive their dhcp from
> the box; their IPs just won't be allowed at the router rule.
>
> At the moment that seems to be working, except the transparent proxy
> doesn't seem to be working correctly. If I do the rules manually with a
> plain iptables set of rules it works no problem, so I seem to have
> something wrong in the firehol configuration.
>
> Any help would be very much appreciated.
>
> J

From bock+firehol at blacknet.de Thu Dec 4 14:07:06 2003
From: bock+firehol at blacknet.de (Goetz Bock)
Date: Thu, 4 Dec 2003 15:07:06 +0100
Subject: [Firehol-support] Port Forwarding Help
In-Reply-To: <44211.10.0.0.193.1070484619.squirrel@nefeli.tsaousis.gr>
References: <44211.10.0.0.193.1070484619.squirrel@nefeli.tsaousis.gr>
Message-ID: <20031204140706.GC20753@shell.blacknet.de>

On Wed, Dec 03 '03 at 22:50, Costa Tsaousis wrote:
> dnat to 192.168.69.69 inface eth1 dport "6881:6889"

As James is trying to run bittorrent behind his nat/firewall this will
not work as expected. He has to add 9 rules: one for each port from 6881
to 6889.

-- 
Goetz Bock                 (c) 2003 as blacknet.de - Munich - Germany   /"\
IT Consultant              GNU FDL 1.1  secure mobile Linux everNETting \ /
                                                                         X
ASCII Ribbon Campaign against HTML email & microsoft attachments        / \

From daniel at rimspace.net Wed Dec 10 13:00:19 2003
From: daniel at rimspace.net (Daniel Pittman)
Date: Thu, 11 Dec 2003 00:00:19 +1100
Subject: [Firehol-support] PPPoE TCP MSS clamping / match
Message-ID: <87brqgltek.fsf@enki.rimspace.net>

In order to use my ADSL connection, I need to clamp the MSS value on TCP
connections to something slightly lower than a standard Ethernet value.

Anyway, the "standard" way of achieving this for the in-kernel PPPoE
driver is to issue the following iptables command:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
    -j TCPMSS --clamp-mss-to-pmtu

Now, I can obviously stick that in using the 'iptables' command, but
that is a bit less selective than I will want to be in the near future.

So, any chance of seeing an action to implement this? I would suggest:

tcpmss ( 'pmtu' | )

If the argument is 'pmtu', pass the '--clamp-mss-to-pmtu' option,
otherwise pass '--set-mss '.

Having it match on the 'router' statement, etc, would be ideal.

That way I don't need to fiddle with the interface matching and so on
when I have a PPPoE link and an 802.11 link heading out of the same box,
and I need to clamp the MSS on only one of them.

Daniel

-- 
Reality is not as strong as perception. Perception all too often
swallows reality and spits it out in a new, unrecognizable form.
        -- Maytee Aspuro

From moacyrs at akadnyx.com.br Fri Dec 12 12:53:08 2003
From: moacyrs at akadnyx.com.br (Moacyr Leite da Silva)
Date: Fri, 12 Dec 2003 10:53:08 -0200
Subject: [Firehol-support] howto block p2p in network
References: <44509.10.0.0.193.1070486186.squirrel@nefeli.tsaousis.gr>
Message-ID: <004301c3c0ae$e494b7e0$fd00a8c0@moacyr>

Hi,

Can someone help me to block p2p in my network? I tried the config below
with no luck.
Regards Moacyr #### version 5 server_kaaza_ports="tcp/3531" client_kaaza_ports="default" transparent_squid 8080 "squid root" inface eth1 interface eth0 internet src not "${UNROUTABLE_IPS}" policy drop protection strong server ident reject with tcp-reset server http accept server https accept server dns accept server smtp accept server ssh accept server jabberd accept server jabber accept server kaaza deny client all accept interface eth1 lan policy accept server all accept client all accept router lan2internet inface eth1 outface eth0 masquerade route kaaza deny route "http https ftp" accept route "ssh ntp ping" accept route "GRE AH ESP isakmp pptp" accept route "vnc irc msn" accept From andre.marenke at awc.net.au Mon Dec 15 06:17:19 2003 From: andre.marenke at awc.net.au (Andre Marenke) Date: Mon, 15 Dec 2003 17:17:19 +1100 Subject: [Firehol-support] Extending complex service FTP Message-ID: <1071469039.2790.647.camel@andre> Hello, I am currently trying to extend/recreate the FTP service definitions. I have a router R and two machines M1 and M2 behind the router. I have http running on M1 and ftp on M2. My ftp server is setup to listen on ports 2500:2520 (one port for each virtual ftp domain). 2 Questions: 1) With the setup I have below it is not possible to do passive FTP to the FTP server and my definition is too simple to allow for conntrack to work. Is it possible to modify the existing FTP server definition in an easy way to gain full FTP functionality with different ports? 2) I have only set up one router and was wondering what the best/most elegant solution is to split traffic up depending on the type of traffic? Define multiple routers with destination ip addresses set for each service or one router with the service destination IP addresses set? Thanks for a great product btw! 
My setup is like this: interface eth0 internet policy DROP protection strong client ssh accept interface eth1 dmz policy REJECT protection strong server squid accept server ssh accept client ssh accept router net2dmz inface eth0 outface eth1 route http accept route custom ftpserver tcp/2500:2520 default accept router dmz2net inface eth1 outface eth0 route all accept From costa at tsaousis.gr Tue Dec 16 22:12:29 2003 From: costa at tsaousis.gr (Costa Tsaousis) Date: Wed, 17 Dec 2003 00:12:29 +0200 Subject: [Firehol-support] Extending complex service FTP In-Reply-To: <1071469039.2790.647.camel@andre> References: <1071469039.2790.647.camel@andre> Message-ID: <1071612749.5072.157.camel@nefeli.tsaousis.gr> Hi Andre, > I am currently trying to extend/recreate the FTP service definitions. I > have a router R and two machines M1 and M2 behind the router. > > I have http running on M1 and ftp on M2. My ftp server is setup to > listen on ports 2500:2520 (one port for each virtual ftp domain). > > 2 Questions: > 1) With the setup I have below it is not possible to do passive FTP to > the FTP server and my definition is too simple to allow for conntrack to > work. Is it possible to modify the existing FTP server definition in an > easy way to gain full FTP functionality with different ports? The FTP service needs an FTP conntrack module, which allows the random socket connection made for the data transfer by the FTP server/client, to be matched as RELATED to the initial request. I don't think that this module will understand ports 2500:2520 as FTP requests, and therefore it will not allow either active or passive data connections RELATED to these ports. I think it would be better to have either multiple IPs on your machine and bind one FTP server to each IP, or use an FTP server with virtual domains support (if I remember correctly, ProFTPd is one of those). If you use either of these two methods, FireHOL's FTP service will operate as expected. 
If however you cannot use any of the above, I suggest to use this for a safe Active FTP server (ONLY ACTIVE FTP AND ONLY SERVER): --- # Custom FTP Server Control socket server_myftpc_ports="tcp/2500:2520" client_myftpc_ports="default" # Customer FTP server Data socket server_myftpd_ports="tcp/1024:65535" client_myftpd_ports="default" interface ... # Our custom FTP server server myftpc accept client myftpd accept --- DO NOT REVERSE server/client FOR AN FTP CLIENT OF THIS FTP VARIATION. IT WILL BE A HUGE SECURITY HOLE. > 2) I have only set up one router and was wondering what the best/most > elegant solution is to split traffic up depending on the type of > traffic? Define multiple routers with destination ip addresses set for > each service or one router with the service destination IP addresses > set? I like to think with the concept of "zones". A "zone" (for me) is a subnet of machines they are related to each other, and which I am willing to protect. Normally you are going to face a situation similar to this: Servers A, B, C on subnet S1 form ZONE1, connected on interface I1 Servers D, E, F on sunbet S2 form ZONE2, connected on interface I2 Then there is the Internet (of course), on interface I3 I1 and I2 might be the same, but not necessarily. Here is what I do: # Internet - to - Zone1 (and vice versa) router i2z1 inface I3 outface I1 src not "${UNROUTABLE_IPS}" dst S1 server x accept dst A server y accept dst B server z accept dst C ... client x1 accept src A client y1 accept src B client z1 accept src C ... # Internet - to - Zone2 (and vice versa) router i2z2 inface I3 outface I2 src not "${UNROUTABLE_IPS}" dst S2 server x accept dst D server y accept dst E server z accept dst F ... client x1 accept src D client y1 accept src E client z1 accept src F ... In the above, INPUT (inface/src) is the Internet and OUTPUT (outface/dst) is the zone to be protected. Given that, I then "think" of all the rules as if I was the machine(s) protected from the Internet (i.e. 
same concept with the interface rules). Then, if there is need for routing traffic between the zones, I prefer to do this (for clarity, since both sides are to be protected from each other): # Zone 1 to Zone 2 router Z1toZ2 inface I1 outface I2 src S1 dst S2 route x accept src A dst D route y accept src B dst E ... # Zone 2 to Zone 1 router Z2toZ1 inface I2 outface I1 src S2 dst S1 route x accept src D dst A route y accept src E dst B ... These are unidirectional routers (in concept) and state very clearly what can be requested by clients running on the INPUT, from servers running on the OUTPUT. Remember that inface/outface/src/dst match the REQUEST, not the REPLY. Costa From bock at blacknet.de Tue Dec 16 22:38:53 2003 From: bock at blacknet.de (Goetz Bock) Date: Tue, 16 Dec 2003 23:38:53 +0100 Subject: [Firehol-support] Extending complex service FTP In-Reply-To: <1071612749.5072.157.camel@nefeli.tsaousis.gr> References: <1071469039.2790.647.camel@andre> <1071612749.5072.157.camel@nefeli.tsaousis.gr> Message-ID: <20031216223852.GJ440@shell.blacknet.de> On Wed, Dec 17 '03 at 00:12, Costa Tsaousis wrote: > > I have http running on M1 and ftp on M2. My ftp server is setup to > > listen on ports 2500:2520 (one port for each virtual ftp domain). > > The FTP service needs an FTP conntrack module, which allows the random > socket connection made for the data transfer by the FTP server/client, > to be matched as RELATED to the initial request. I don't think that this > module will understand ports 2500:2520 as FTP requests, and therefore it > will not allow either active or passive data connections RELATED to > these ports. 
Actually it can be made to:

user at box ~$ modinfo /lib/modules/2.4.23/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
filename:    /lib/modules/2.4.23/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
description:
author:
license:     "GPL"
parm:        ports int array (min = 1, max = 8)
parm:        loose int
user at box ~$

so it looks like you can specify up to 8 ports where the module will try to conntrack ftp connections. By default 21 will be used. (You can only get 8 ports, as you can only load the module once)

--
Goetz Bock        (c) 2003 as blacknet.de - Munich - Germany        /"\
IT Consultant          GNU FDL 1.1         secure mobile Linux      \ /
everNETting       X   ASCII Ribbon Campaign against HTML email      / \
                      & microsoft attachments

From lingenavd at planet.nl Thu Dec 25 22:40:59 2003
From: lingenavd at planet.nl (lingenavd)
Date: Thu, 25 Dec 2003 23:40:59 +0100
Subject: [Firehol-support] Help needed for firehol.conf
Message-ID: <3FEB677B.3020001@planet.nl>

Hi all,

Could you help me out please.....

I have all set as good as I can think of in firehol.conf, but the firewall blocks all my outgoing traffic. Even when ppp+ is configured for "client all accept".
I am using ADSL with a speedtouch USB modem.
When I stop the firewall, all works fine.
The message in /var/log/messages is:

Dec 25 23:24:33 specimen kernel: OUT-unknown:IN= OUT=ppp0 SRC=<address> DST=195.121.1.34 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=10148 DF PROTO=UDP SPT=32770 DPT=53 LEN=39

this is after I ping a URL.
So not even a DNS request is let through the firewall!!

Please help.

grtz,
dre

From jgmbenoit at wanadoo.fr Fri Dec 26 20:58:36 2003
From: jgmbenoit at wanadoo.fr (Jerome BENOIT)
Date: Fri, 26 Dec 2003 22:58:36 +0200
Subject: [Firehol-support] psad and firehol
Message-ID: <3FECA0FC.9020008@wanadoo.fr>

Hello List,

I have just written down my first FireHOL script:
my first trouble comes from psad: it emails the message:

 ** The INPUT chain in the iptables ruleset on _CHANGEME_ includes a
 default LOG rule for all protocols, but the rule does not have a log
 prefix of "DROP". It appears as though the log prefix is set to
 "IN-unknown:". psad will not be able to detect scans without adding
 --log-prefix "DROP" to the rule.

I have tried to put the following line in my script:

FIREHOL_LOG_OPTIONS="--log-prefix \"DROP\""

but I get an error message saying that iptables does not support
the same option twice.

Is there a clean way to satisfy psad?

Thanks in advance,
Jerome

PS:
Please CC your response to my email address
as I am not a member of the list, thanks.

From costa at tsaousis.gr Mon Dec 29 08:11:03 2003
From: costa at tsaousis.gr (Costa Tsaousis)
Date: Mon, 29 Dec 2003 10:11:03 +0200
Subject: [Firehol-support] psad and firehol
In-Reply-To: <3FECA0FC.9020008@wanadoo.fr>
References: <3FECA0FC.9020008@wanadoo.fr>
Message-ID: <1072685463.27151.7.camel@nefeli.tsaousis.gr>

At the end of each interface add:

    server any psad drop log "DROP"

At the end of all interfaces add:

    interface any psad
        server any psad drop log "DROP"

At the end of all routers add:

    router psad
        server any psad drop log "DROP"

These will overwrite the default DROP rules added by FireHOL.

Costa

On Fri, 2003-12-26 at 22:58, Jerome BENOIT wrote:
> Hello List,
>
> I have just written down my first FireHOL script:
> my first trouble comes from psad: it emails the message:
>
>  ** The INPUT chain in the iptables ruleset on _CHANGEME_ includes a
>  default LOG rule for all protocols, but the rule does not have a log
>  prefix of "DROP".
>  It appears as though the log prefix is set to
>  "IN-unknown:". psad will not be able to detect scans without adding
>  --log-prefix "DROP" to the rule.
>
>
> I have tried to put the following line in my script:
>
> FIREHOL_LOG_OPTIONS="--log-prefix \"DROP\""
>
> but I get an error message saying that iptables does not support
> the same option twice.
>
> Is there a clean way to satisfy psad?
>
> Thanks in advance,
> Jerome
>
> PS:
> Please CC your response to my email address
> as I am not a member of the list, thanks.
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: IBM Linux Tutorials.
> Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
> Free Linux Tutorials. Learn everything from the bash shell to sys admin.
> Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/firehol-support

From jgmbenoit at wanadoo.fr Mon Dec 29 19:24:09 2003
From: jgmbenoit at wanadoo.fr (Jerome BENOIT)
Date: Mon, 29 Dec 2003 21:24:09 +0200
Subject: [Firehol-support] psad and firehol
References: <3FECA0FC.9020008@wanadoo.fr> <1072685463.27151.7.camel@nefeli.tsaousis.gr>
Message-ID: <3FF07F59.60807@wanadoo.fr>

Thanks for your reply:
I have just tried it,
and unfortunately I get the same email message from
psad.

Jerome

Costa Tsaousis wrote:
> At the end of each interface add:
>
>     server any psad drop log "DROP"
>
> At the end of all interfaces add:
>
>     interface any psad
>         server any psad drop log "DROP"
>
>
> At the end of all routers add:
>
>     router psad
>         server any psad drop log "DROP"
>
>
> These will overwrite the default DROP rules added by FireHOL.
>
> Costa
>
> On Fri, 2003-12-26 at 22:58, Jerome BENOIT wrote:
>
>>Hello List,
>>
>>I have just written down my first FireHOL script:
>>my first trouble comes from psad: it emails the message:
>>
>> ** The INPUT chain in the iptables ruleset on _CHANGEME_ includes a
>> default LOG rule for all protocols, but the rule does not have a log
>> prefix of "DROP". It appears as though the log prefix is set to
>> "IN-unknown:". psad will not be able to detect scans without adding
>> --log-prefix "DROP" to the rule.
>>
>>
>>I have tried to put the following line in my script:
>>
>>FIREHOL_LOG_OPTIONS="--log-prefix \"DROP\""
>>
>>but I get an error message saying that iptables does not support
>>the same option twice.
>>
>>Is there a clean way to satisfy psad?
>>
>>Thanks in advance,
>>Jerome
>>
>>PS:
>>Please CC your response to my email address
>>as I am not a member of the list, thanks.

From costa at tsaousis.gr Mon Dec 29 21:48:10 2003
From: costa at tsaousis.gr (Costa Tsaousis)
Date: Mon, 29 Dec 2003 23:48:10 +0200
Subject: [Firehol-support] psad and firehol
In-Reply-To: <3FF07F59.60807@wanadoo.fr>
References: <3FECA0FC.9020008@wanadoo.fr> <1072685463.27151.7.camel@nefeli.tsaousis.gr> <3FF07F59.60807@wanadoo.fr>
Message-ID: <1072734490.27157.20.camel@nefeli.tsaousis.gr>

This is normal since the default rules have not been removed. The rules I sent you "overwrite" the defaults because they appear just before them. This means that although psad complains, it should work as expected now. Does it?

Note: I noticed in psad documentation that it might require a space after the log prefix. Please replace "DROP" in the rules I sent you with "DROP ".

Run a check to see if the rules I sent you allow psad to work as expected, and if they do just add --no-fwcheck to psad to prevent the psad alarm about the possibility of a misconfigured firewall from being sent to you.

Costa

On Mon, 2003-12-29 at 21:24, Jerome BENOIT wrote:
> Thanks for your reply:
> I have just tried it,
> and unfortunately I get the same email message from
> psad.
>
> Jerome
>
> Costa Tsaousis wrote:
> > At the end of each interface add:
> >
> >     server any psad drop log "DROP"
> >
> > At the end of all interfaces add:
> >
> >     interface any psad
> >         server any psad drop log "DROP"
> >
> >
> > At the end of all routers add:
> >
> >     router psad
> >         server any psad drop log "DROP"
> >
> >
> > These will overwrite the default DROP rules added by FireHOL.
> >
> > Costa
> >
> > On Fri, 2003-12-26 at 22:58, Jerome BENOIT wrote:
> >
> >>Hello List,
> >>
> >>I have just written down my first FireHOL script:
> >>my first trouble comes from psad: it emails the message:
> >>
> >> ** The INPUT chain in the iptables ruleset on _CHANGEME_ includes a
> >> default LOG rule for all protocols, but the rule does not have a log
> >> prefix of "DROP". It appears as though the log prefix is set to
> >> "IN-unknown:". psad will not be able to detect scans without adding
> >> --log-prefix "DROP" to the rule.
> >>
> >>
> >>I have tried to put the following line in my script:
> >>
> >>FIREHOL_LOG_OPTIONS="--log-prefix \"DROP\""
> >>
> >>but I get an error message saying that iptables does not support
> >>the same option twice.
> >>
> >>Is there a clean way to satisfy psad?
> >>
> >>Thanks in advance,
> >>Jerome
> >>
> >>PS:
> >>Please CC your response to my email address
> >>as I am not a member of the list, thanks.
> >>
> >>
> >>

From costa at tsaousis.gr Mon Dec 29 21:51:01 2003
From: costa at tsaousis.gr (Costa Tsaousis)
Date: Mon, 29 Dec 2003 23:51:01 +0200
Subject: [Firehol-support] Help needed for firehol.conf
In-Reply-To: <3FEB677B.3020001@planet.nl>
References: <3FEB677B.3020001@planet.nl>
Message-ID: <1072734660.27155.23.camel@nefeli.tsaousis.gr>

The fact that FireHOL logs the traffic as "OUT-unknown" means that the traffic does not match any of the interfaces defined within firehol.conf.

Could you please post the "interface ppp..." section of your firehol.conf?

Costa

On Fri, 2003-12-26 at 00:40, lingenavd wrote:
> Hi all,
>
> Could you help me out please.....
>
> I have all set as good as I can think of in firehol.conf, but the firewall
> blocks all my outgoing traffic. Even when ppp+ is configured for
> "client all accept"
> I am using ADSL with a speedtouch USB modem.
> When I stop the firewall, all works fine.
> The message in /var/log/messages is:
>
> Dec 25 23:24:33 specimen kernel: OUT-unknown:IN= OUT=ppp0 SRC=<address> DST=195.121.1.34 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=10148 DF
> PROTO=UDP SPT=32770 DPT=53 LEN=39
>
> this is after I ping a URL.
> So not even a DNS request is let through the firewall!!
>
> Please help.
>
> grtz,
> dre

From costa at tsaousis.gr Mon Dec 29 23:04:35 2003
From: costa at tsaousis.gr (Costa Tsaousis)
Date: Tue, 30 Dec 2003 01:04:35 +0200
Subject: [Firehol-support] PPPoE TCP MSS clamping / match
In-Reply-To: <87brqgltek.fsf@enki.rimspace.net>
References: <87brqgltek.fsf@enki.rimspace.net>
Message-ID: <1072739074.27148.33.camel@nefeli.tsaousis.gr>

Hi Daniel,

TCPMSS is used only in filter/FORWARD? I am asking because I have the following options and I don't know which one to choose:

1. Make this a helper command, to be used at the top of the firewall configuration, like dnat, snat, transparent_squid, etc. with the syntax you suggest.

2. Make this an option for routers which will be used the same way the "policy" subcommand is used in interfaces. This way there will be no optional rule parameters, since the router parameters will be inherited. Example:

router x inface a outface b src xx dst yy
    ...
    tcpmss pmtu
    server x accept
    ...

3. Make this an optional rule parameter (like log, src, dst, etc) which could be used anywhere, even in client/server subcommands.

Can you point me to some documentation about the possible uses of TCPMSS?

Thanks

Costa

On Wed, 2003-12-10 at 15:00, Daniel Pittman wrote:
> In order to use my ADSL connection, I need to clamp the MSS value on TCP
> connections to something slightly lower than a standard Ethernet value.
>
> Anyway, the "standard" way of achieving this for the in-kernel PPPoE
> driver is to issue the following iptables command:
>
> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
>     -j TCPMSS --clamp-mss-to-pmtu
>
> Now, I can obviously stick that in using the 'iptables' command, but
> that is a bit less selective than I will want to be in the near future.
>
> So, any chance of seeing an action to implement this? I would suggest:
>
> tcpmss ( 'pmtu' | <mss> )
>
> If the argument is 'pmtu', pass the '--clamp-mss-to-pmtu' option,
> otherwise pass '--set-mss <mss>'.
>
> Having it match on the 'router' statement, etc, would be ideal.
>
>
> That way I don't need to fiddle with the interface matching and so on
> when I have a PPPoE link and an 802.11 link heading out of the same box,
> and I need to clamp the MSS on only one of them.
>
> Daniel

From costa at tsaousis.gr Mon Dec 29 23:21:05 2003
From: costa at tsaousis.gr (Costa Tsaousis)
Date: Tue, 30 Dec 2003 01:21:05 +0200
Subject: [Firehol-support] howto block p2p in network
In-Reply-To: <004301c3c0ae$e494b7e0$fd00a8c0@moacyr>
References: <44509.10.0.0.193.1070486186.squirrel@nefeli.tsaousis.gr> <004301c3c0ae$e494b7e0$fd00a8c0@moacyr>
Message-ID: <1072740064.27148.51.camel@nefeli.tsaousis.gr>

I am afraid you will not be able to block all P2P applications. More specifically, kazaa seems to adjust itself to the environment and even use port 80 to communicate with the kazaa servers. This makes it almost impossible to block kazaa (blocking port 80 blocks the web too).

I have done some searching on the net about this, and although I found significantly varying responses to similar questions, I consider the following as the best practices:

1. If you are trying to block P2P in a corporate environment, try to enforce policies that will eliminate the problem. Not all problems are solved with technical solutions, and generally speaking, people that want their jobs tend to follow the policies set by higher management.

2. If you cannot control the policies, you can rate-limit (throttle) kazaa to use too little bandwidth to be useful. Since kazaa first tries the default kazaa ports and if it cannot connect with those, falls back to alternatives, rate limiting the well known kazaa ports will allow you to control it even if it appears to work. Keep in mind though that this means you are willing to play a cat-and-mouse game as kazaa evolves...

If however none of the above is good for you, you can search the net for various solutions applied and experiment to see the results. Personally, I wouldn't suggest that - it will be just a waste of time.

Costa

On Fri, 2003-12-12 at 14:53, Moacyr Leite da Silva wrote:
> Hi,
>
>
> Can someone help to block p2p in my network? I tried the config below with no
> luck.
>
> Regards
> Moacyr
>
>
> ####
> version 5
>
> server_kaaza_ports="tcp/3531"
> client_kaaza_ports="default"
>
> transparent_squid 8080 "squid root" inface eth1
>
>
> interface eth0 internet src not "${UNROUTABLE_IPS}"
>
>     policy drop
>     protection strong
>     server ident reject with tcp-reset
>
>     server http accept
>     server https accept
>     server dns accept
>     server smtp accept
>     server ssh accept
>     server jabberd accept
>     server jabber accept
>     server kaaza deny
>
>     client all accept
>
> interface eth1 lan
>
>     policy accept
>
>     server all accept
>
>     client all accept
>
>
> router lan2internet inface eth1 outface eth0
>     masquerade
>     route kaaza deny
>     route "http https ftp" accept
>     route "ssh ntp ping" accept
>     route "GRE AH ESP isakmp pptp" accept
>     route "vnc irc msn" accept
>

From lingenavd at planet.nl Wed Dec 31 10:34:47 2003
From: lingenavd at planet.nl (lingenavd)
Date: Wed, 31 Dec 2003 11:34:47 +0100
Subject: [Firehol-support] Help needed for firehol.conf
References: <3FEB677B.3020001@planet.nl> <1072734660.27155.23.camel@nefeli.tsaousis.gr>
Message-ID: <3FF2A647.5090907@planet.nl>

Thank you for the hint ......
after some searching and trying with the ppp interface setting in firehol.conf and ifconfig, I noticed that firehol made the setting for ppp src another IP address..... in ifconfig it corresponds with the P-t-P IP address.
I changed this (src address) in the firehol.conf to "0.0.0.0/0" and then it worked like a charm !! :)

Thanks for the reaction, I think it is a great firewall!!!

grtz,
Andre

Costa Tsaousis wrote:
>The fact that FireHOL logs the traffic as "OUT-unknown" means that the
>traffic does not match any of the interfaces defined within
>firehol.conf.
>
>Could you please post the "interface ppp..." section of your
>firehol.conf?
>
>Costa
>
>
>On Fri, 2003-12-26 at 00:40, lingenavd wrote:
>
>
>>Hi all,
>>
>>Could you help me out please.....
>>
>>I have all set as good as I can think of in firehol.conf, but the firewall
>>blocks all my outgoing traffic. Even when ppp+ is configured for
>>"client all accept"
>>I am using ADSL with a speedtouch USB modem.
>>When I stop the firewall, all works fine.
>>The message in /var/log/messages is:
>>
>>Dec 25 23:24:33 specimen kernel: OUT-unknown:IN= OUT=ppp0 SRC=<address> DST=195.121.1.34 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=10148 DF
>>PROTO=UDP SPT=32770 DPT=53 LEN=39
>>
>>this is after I ping a URL.
>>So not even a DNS request is let through the firewall!!
>>
>>Please help.
>>
>>grtz,
>>dre
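An added example for the "Extending complex service FTP" thread above (not code from the list or from FireHOL): Goetz's modinfo output shows ip_conntrack_ftp taking "ports int array (min = 1, max = 8)", and the module can be loaded only once, so the 21-port range 2500:2520 from that thread cannot be tracked by it. The script below expands FireHOL-style port specs (a single port or LO:HI) into the comma-separated module argument and refuses lists that exceed the limit, so the failure is caught before modprobe rather than silently ignored at runtime. The function names, the sample port lists and the limit constant are this example's own; the "ports=a,b,c" form is the standard module-parameter array syntax. Nothing here loads a module; the last line only prints the command you would run.

```shell
#!/bin/sh
# Build the "ports=" argument for ip_conntrack_ftp from port specs such as
# "21" or "2500:2520" and enforce the module's limit of 8 ports.
# Added example; assumes only POSIX sh, sort, wc, paste and tr.

FTP_CONNTRACK_MAX_PORTS=8   # "ports int array (min = 1, max = 8)" per modinfo

# expand_ports SPEC...: print one port per line for each "N" or "LO:HI" spec.
# Returns 1 on a malformed spec, a port outside 1-65535, or LO > HI.
expand_ports() {
    for spec in "$@"; do
        case $spec in
            *:*) lo=${spec%%:*}; hi=${spec#*:} ;;
            *)   lo=$spec; hi=$spec ;;
        esac
        case "$lo$hi" in *[!0-9]*|'') return 1 ;; esac
        [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ] || return 1
        p=$lo
        while [ "$p" -le "$hi" ]; do
            echo "$p"
            p=$((p + 1))
        done
    done
}

# ftp_conntrack_args SPEC...: print "ports=a,b,c" (sorted, duplicates removed)
# or print a diagnostic on stderr and return 1 when the list is unusable.
ftp_conntrack_args() {
    list=$(expand_ports "$@") || { echo "bad port spec in: $*" >&2; return 1; }
    list=$(printf '%s\n' "$list" | sort -n -u)
    count=$(printf '%s\n' "$list" | wc -l | tr -d ' ')
    if [ "$count" -gt "$FTP_CONNTRACK_MAX_PORTS" ]; then
        echo "ip_conntrack_ftp accepts at most $FTP_CONNTRACK_MAX_PORTS ports, got $count" >&2
        return 1
    fi
    printf 'ports=%s\n' "$(printf '%s\n' "$list" | paste -s -d, -)"
}

# ftp_conntrack_modprobe_cmd SPEC...: print (do not run) the modprobe line.
ftp_conntrack_modprobe_cmd() {
    args=$(ftp_conntrack_args "$@") || return 1
    printf 'modprobe ip_conntrack_ftp %s\n' "$args"
}

# The thread's range is too wide for one module load ...
ftp_conntrack_modprobe_cmd 21 2500:2520 || echo "refused, as expected" >&2
# ... but a narrower list fits:
ftp_conntrack_modprobe_cmd 21 2500:2506
```

With 2.6-era kernels the helper is nf_conntrack_ftp with the same ports parameter and the same limit, so the check applies unchanged; only the module name in the printed command differs.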
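An added example for the two log-related threads above, "Help needed for firehol.conf" and "psad and firehol" (not code from the list or from FireHOL): a small parser for the kernel LOG lines iptables writes to /var/log/messages. It extracts the --log-prefix verbatim (separator included) and the KEY=VALUE fields, classifies a packet as locally generated, inbound or forwarded from the IN=/OUT= fields, and checks whether the prefix is exactly "DROP " with the trailing space that Costa notes psad wants. The sample log is constructed: the first line is the OUT-unknown line from the thread with a made-up source address filled in, the second is a made-up inbound SYN logged under a "DROP " prefix. Function names are this example's own.

```shell
#!/bin/sh
# Parse netfilter LOG records from syslog and answer the two questions the
# threads raise: which FireHOL prefix logged the packet, and does the prefix
# match what psad expects. Added example; needs only POSIX sh and awk.

# Constructed sample input (source address on line 1 is made up).
SAMPLE_LOG='Dec 25 23:24:33 specimen kernel: OUT-unknown:IN= OUT=ppp0 SRC=10.0.0.5 DST=195.121.1.34 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=10148 DF PROTO=UDP SPT=32770 DPT=53 LEN=39
Dec 25 23:25:01 specimen kernel: DROP IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=1 PROTO=TCP SPT=4321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

# iptlog_parse LINE FIELD
#   FIELD is "prefix" or a netfilter key (IN, OUT, SRC, DST, PROTO, SPT, DPT ...).
#   Prints the value (empty for IN= on a locally generated packet) and returns
#   1 if the key is absent or the line is not a LOG record. Keys that appear
#   twice (LEN= for the IP header and again for UDP) yield the first value.
iptlog_parse() {
    printf '%s\n' "$1" | awk -v want="$2" '
    {
        rec = $0
        sub(/^.*kernel: /, "", rec)          # drop the syslog header
        p = index(rec, "IN=")                # the record proper starts at IN=
        if (p == 0) exit 1
        prefix = substr(rec, 1, p - 1)       # --log-prefix verbatim, separator kept
        if (want == "prefix") { print prefix; exit 0 }
        n = split(substr(rec, p), tok, " ")
        for (i = 1; i <= n; i++) {
            eq = index(tok[i], "=")
            if (eq > 0 && substr(tok[i], 1, eq - 1) == want) {
                print substr(tok[i], eq + 1)
                exit 0
            }
        }
        exit 1
    }'
}

# iptlog_direction LINE: "in" (arrived on IN=), "out" (locally generated, IN=
# empty), "fwd" (both set). FireHOL's OUT-unknown lines are "out" packets
# that matched no "interface" definition, which is what Costa explains.
iptlog_direction() {
    in_if=$(iptlog_parse "$1" IN)
    out_if=$(iptlog_parse "$1" OUT)
    if [ -n "$in_if" ] && [ -n "$out_if" ]; then echo fwd
    elif [ -n "$in_if" ]; then echo in
    else echo out
    fi
}

# psad_prefix_ok LINE: true only when the prefix is exactly "DROP " (with the
# trailing space), the form the thread says psad looks for.
psad_prefix_ok() {
    [ "$(iptlog_parse "$1" prefix)" = "DROP " ]
}

# iptlog_summarize: read LOG lines on stdin, print prefix|dir|proto|src:spt>dst:dpt.
iptlog_summarize() {
    while IFS= read -r line; do
        printf '%s|%s|%s|%s:%s>%s:%s\n' \
            "$(iptlog_parse "$line" prefix)" "$(iptlog_direction "$line")" \
            "$(iptlog_parse "$line" PROTO)" \
            "$(iptlog_parse "$line" SRC)" "$(iptlog_parse "$line" SPT)" \
            "$(iptlog_parse "$line" DST)" "$(iptlog_parse "$line" DPT)"
    done
}

printf '%s\n' "$SAMPLE_LOG" | iptlog_summarize
```

Run it against a real /var/log/messages with `grep 'kernel: .*IN=' /var/log/messages | iptlog_summarize` and pipe into `cut -d'|' -f1 | sort | uniq -c` to see which FireHOL prefixes (IN-unknown, OUT-unknown, per-interface and per-router names) account for the drops; a prefix other than the one psad is told to look for is exactly the mismatch its warning describes.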