LinuxQuestions.org


DanielTan 10-02-2005 10:02 AM

firewall setting
 
How can I view the Fedora Core 3 firewall setting and how do I access it? Please advise, thanks

Regards
Daniel

Capt_Caveman 10-02-2005 10:34 AM

To see the actual rules in your firewall, open a terminal and as root run the command: iptables -vnL. There is also a rudimentary utility for configuring the firewall that can be found in "Start"->System Settings->Security Level. You can access the same utility from the command line with system-config-securitylevel.

DanielTan 10-03-2005 07:41 AM

How do I ensure my Linux is not being tampered with or hacked? Below is my iptables output. Thanks
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2049 1998K RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 2139 packets, 1695K bytes)
pkts bytes target prot opt in out source destination

Chain RH-Firewall-1-INPUT (2 references)
pkts bytes target prot opt in out source destination
1153 1520K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1 56 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
19 2322 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631
754 467K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
122 7993 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited


Capt_Caveman 10-03-2005 08:06 AM

Are there any services running on this system that you need other machines to be able to access? Is it acting as a print server?

DanielTan 10-03-2005 07:05 PM

Just NFS and DNS server for now. Is that secure? Are there unnecessary services or ports running?

Rgds
Daniel


Capt_Caveman 10-03-2005 09:47 PM

Just NFS and DNS server for now.
Is it running an actual DNS server (like BIND) on the machine itself or do you mean that it connects to some other remote DNS server for hostname resolution (i.e. it acts as a DNS client)?

Is that secure?
There are serious security considerations for either one, but they can be run reasonably safely if done so properly. Both DNS and NFS were not really designed for use in a hostile environment (at least for most implementations). So if at all possible, they should really be run behind a firewall so that only LAN clients can access them. In some cases though it's not an option and you really need to lock down and harden the server as best you can. I certainly wouldn't recommend running DNS and NFS on your firewall machine, as they should really be running on a separate box(es), preferably in a DMZ. If this system is just a DNS/NFS client and you don't have the resources necessary for multiple boxes, then I would just use a decent firewall and do some standard hardening (turning off unneeded services, install a file integrity scanner like tripwire/aide/samhain, etc).

Are there unnecessary services or ports running?
Dunno. Run "netstat -pantu" as root and post the output.

DanielTan 10-04-2005 09:09 AM

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:32769 0.0.0.0:* LISTEN 2391/rpc.statd
tcp 0 0 0.0.0.0:32770 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:779 0.0.0.0:* LISTEN 2720/rpc.mountd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2370/portmap
tcp 0 0 218.111.5.196:53 0.0.0.0:* LISTEN 2660/named
tcp 0 0 192.168.0.5:53 0.0.0.0:* LISTEN 2660/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 2660/named
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2580/cupsd
tcp 0 0 127.0.0.1:5335 0.0.0.0:* LISTEN 2544/mDNSResponder
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2757/sendmail: acce
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 2660/named
tcp 0 0 0.0.0.0:763 0.0.0.0:* LISTEN 2703/rpc.rquotad
tcp 0 0 60.48.91.156:32823 66.94.234.72:80 TIME_WAIT -
tcp 0 0 60.48.91.156:32826 66.94.234.72:80 TIME_WAIT -
tcp 0 0 60.48.91.156:32827 64.179.4.149:80 TIME_WAIT -
tcp 0 0 60.48.91.156:32777 203.106.50.8:80 ESTABLISHED 3877/firefox-bin
tcp 0 0 60.48.91.156:32778 203.106.50.8:80 ESTABLISHED 3877/firefox-bin
tcp 0 0 60.48.91.156:32832 216.239.57.103:80 ESTABLISHED 3877/firefox-bin
tcp 0 0 60.48.91.156:32830 216.239.57.103:80 ESTABLISHED 3877/firefox-bin
tcp 0 0 60.48.91.156:32779 66.218.70.70:443 ESTABLISHED 3877/firefox-bin
tcp 0 0 60.48.91.156:32794 203.106.50.9:80 ESTABLISHED 3877/firefox-bin
tcp 0 0 60.48.91.156:32821 66.35.229.145:80 ESTABLISHED 3877/firefox-bin
tcp 0 0 60.48.91.156:32787 203.106.50.16:80 ESTABLISHED 3877/firefox-bin
tcp 0 0 :::22 :::* LISTEN 2673/sshd
udp 0 0 0.0.0.0:32768 0.0.0.0:* 2391/rpc.statd
udp 0 0 0.0.0.0:2049 0.0.0.0:* -
udp 0 0 0.0.0.0:32769 0.0.0.0:* 2660/named
udp 0 0 0.0.0.0:32772 0.0.0.0:* -
udp 0 0 0.0.0.0:776 0.0.0.0:* 2720/rpc.mountd
udp 0 0 218.111.5.196:53 0.0.0.0:* 2660/named
udp 0 0 192.168.0.5:53 0.0.0.0:* 2660/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 2660/named
udp 0 0 0.0.0.0:871 0.0.0.0:* 2391/rpc.statd
udp 0 0 0.0.0.0:5353 0.0.0.0:* 2544/mDNSResponder
udp 0 0 0.0.0.0:5353 0.0.0.0:* 2544/mDNSResponder
udp 0 0 0.0.0.0:111 0.0.0.0:* 2370/portmap
udp 0 0 0.0.0.0:631 0.0.0.0:* 2580/cupsd
udp 0 0 0.0.0.0:760 0.0.0.0:* 2703/rpc.rquotad
udp 0 0 :::32770 :::* 2660/named

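An added check, written for this thread and not posted by either participant, that cross-references the two outputs above: it parses the RH-Firewall-1-INPUT chain from iptables -vnL and the listening sockets from netstat -pantu, then walks the chain first-match the way the kernel would for a new connection arriving from the network and reports which sockets are actually reachable. The sample data is a condensed copy of the posted output; the ICMP, ESP and AH rules are left out because they match no TCP/UDP socket, and the assumption is that the chain shown is the one INPUT jumps to.

```python
import re
# Constructed sample, condensed from the iptables -vnL and netstat -pantu output posted in this thread.
IPTABLES = """\
 1153 1520K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
 19 2322 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631
 754 467K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 122 7993 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
"""
NETSTAT = """\
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
tcp 0 0 192.168.0.5:53 0.0.0.0:* LISTEN 2660/named
tcp 0 0 :::22 :::* LISTEN 2673/sshd
udp 0 0 0.0.0.0:5353 0.0.0.0:* 2544/mDNSResponder
udp 0 0 0.0.0.0:631 0.0.0.0:* 2580/cupsd
"""
# iptables columns: pkts bytes target prot opt in out source destination [match extras]
RULE_RE = re.compile(r"^\s*\d+\s+\S+\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+\S+\s+"
                     r"(?P<inif>\S+)\s+\S+\s+\S+\s+(?P<dst>\S+)(?P<extra>.*)$")
# netstat columns: proto recv-q send-q local:port foreign [LISTEN] pid/program
SOCK_RE = re.compile(r"^(?P<proto>tcp|udp)\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)"
                     r"\s+\S+\s+(?:LISTEN\s+)?(?P<prog>\S+)$")

def parse_rules(text):
    rules = [m.groupdict() for m in map(RULE_RE.match, text.splitlines()) if m]  # header lines do not match
    for d in rules:
        dpt = re.search(r"dpt:(\d+)", d["extra"])
        d["dpt"] = int(dpt.group(1)) if dpt else None
        d["stateful"] = "state " in d["extra"]  # matches replies only, never a new connection
    return rules

def verdict(sock, rules):  # first-match walk of the chain for a new packet from the network
    if sock["addr"] == "127.0.0.1":
        return "loopback only"
    addr = "0.0.0.0" if sock["addr"] == "::" else sock["addr"]  # :: also takes IPv4; v6 side needs ip6tables
    for r in rules:
        if r["inif"] == "lo" or r["stateful"] or r["prot"] not in ("all", sock["proto"]):
            continue
        if r["dst"] != "0.0.0.0/0" and addr not in ("0.0.0.0", r["dst"]):
            continue
        if r["dpt"] is not None and r["dpt"] != sock["port"]:
            continue
        return ("reachable" if r["target"] == "ACCEPT" else "blocked") + " (%s)" % r["target"]
    return "reachable (chain policy)"

def audit(iptables_text, netstat_text):
    rules = parse_rules(iptables_text)
    return [(m["proto"], int(m["port"]), m["prog"],
             verdict({"proto": m["proto"], "addr": m["addr"], "port": int(m["port"])}, rules))
            for m in filter(None, map(SOCK_RE.match, netstat_text.splitlines()))]
```

On the posted rule set only mDNS and CUPS on UDP come out reachable; the NFS and named sockets hit the REJECT catch-all even for LAN clients, so serving them to the LAN would need explicit ACCEPT rules limited to the LAN source range.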


DanielTan 10-04-2005 09:17 AM

It is just a caching DNS server for the local network. Why do you say DNS and NFS servers are not recommended to run on a firewall machine? Isn't running them behind the firewall considered safer than running them in a DMZ that is exposed to outside attack? Btw, what should I look at in the firewall to harden it more? Are we talking about SELinux now also? Thanks a lot

Regards
Daniel



Capt_Caveman 10-05-2005 06:39 AM

It is just a caching DNS server for the local network. Why do you say DNS and NFS servers are not recommended to run on a firewall machine?
The gateway/border firewall should really not have any services running on it at all, especially unhardened services like NFS or DNS. If either of these are compromised, then the firewall machine is controlled by the attacker which puts your entire network at risk (for example, they could easily route traffic through their box and perform a MitM attack against your entire network). If the DNS server is just used for the local network, then it should be on a separate box inside the LAN.

Isn't running them behind the firewall considered safer than running them in a DMZ that is exposed to outside attack?
Yes, I was describing a situation in which you had no choice but to run an exposed DNS server. Because yours is supporting only a LAN, then you absolutely want to put it behind the firewall.

Btw, what should I look at in the firewall to harden it more?
Remove unneeded services and software, use a good firewall script, do some kernel hardening (like PaX or grsecurity), also check out the hardening guides in the Security References thread.

DanielTan 10-05-2005 07:39 AM

Is my firewall considered secure, and is there any good example of a good firewall script? What does MitM stand for? Thanks

Rgds
Daniel



Capt_Caveman 10-05-2005 06:10 PM

Is my firewall considered secure, and is there any good example of a good firewall script?
I usually point to this as an example of a basic core firewall for a single host. Obviously you'd need to modify it to your own requirements, like interface names as well as any other services you'd run. If you are trying to use this for your border/gateway firewall then you'll need to add rules for forwarding traffic. If you are using this inside the LAN then you may need to remove rules blocking any of your private LAN IP addresses listed in the "bogons" section.

What does MitM stand for?
Man-in-the-Middle. The attacker maliciously causes traffic destined for other hosts to be routed through a system under their control and sniffs traffic, injects packets, or hijacks sessions.

DanielTan 10-05-2005 07:26 PM

Hi, I forgot to ask which file is for the firewall script and what bogons are? Thanks a lot

Rgds
Daniel



Capt_Caveman 10-05-2005 09:36 PM

On FC3, first backup your existing firewall using:

iptables-save > firewall-backup

Next save the new script as a text file, make it executable with 'chmod +x filename' and then run the script. Next run iptables -vnL to verify that the script executed properly and the new rules have been loaded. Finally do the following to save the new rules and have them reloaded at boot:

service iptables save
(alternatively you can use: iptables-save > /etc/sysconfig/iptables)

You can also have the script directly run by init at boot, but the trick is to have the script run before the networking facilities have been brought up.

See here for the bogon definition.

DanielTan 10-16-2005 09:10 AM

Hi, why do I need to save the "firewall-backup" script again as a text file and then make it executable again? How do I save the new script as a text file?

Regards
Daniel




DanielTan 10-16-2005 07:20 PM

Hi, I just read through and saw that you mentioned I would need a firewall and hardening. What firewall is that? What threat can Tripwire protect against that the firewall can't? Wouldn't the firewall be blocking the ports?

Rgds
Daniel



