Slashdot Mirror


GNOME, Security, Linux, and Cable Modems?

beagle asks: "I just signed up for Time Warner's Road Runner service, and I'm concerned for security on my home machine now. As I started to crack down on my box over the weekend, I noticed that GNOME has about ten ports open in the range of 1030-1040, for such things as gpilotd, tasklist (sp?), and other similar apps. I shut off inetd, named, sendmail, and all other basic services except httpd. Of course, ssh is the only remote login method I support. However, I run Helix GNOME at home (I don't at work; I only ssh into the work machine - no console) and I don't want to stop using GNOME."

"I have always been more lax about security on my home Linux box than I have been on my public Linux box, but now that my home machine will be online all the time, security becomes more of an issue.

Are there any security concerns related to GNOME? Should I worry about all these ports that GNOME is using? Is there anything I can do to beef up security on the machine? (There are bunches of other UNIX sockets open too - ORBIT comes to mind - but I'm only worried about the TCP sockets.) Of course, I have Zone Alarm for when the machine is running Windows (once in a blue moon), but I don't know of anything like that for a single Linux box.

I know I could use a spare machine as a firewall and run Linux's IP masquerading. My only spare machine, however, is an old 486dx2-66 with an NE2000 ethernet card. Not exactly a speed demon, and speed is exactly why I got a cable modem. (Well, that and my wife is tired of me tying up the landline every night.)

So, what about it, gurus of Slashdot? Is my best option to go ahead and run IPFW and IP Masquerading on my old 32MB 486? Do I even need to worry about the ports GNOME is using at all?"

335 comments

  1. Could an old... Oh Most Definitely! by Anonymous Coward · · Score: 1

    Oh Most Definitely! My 486/50mhz with 16 meg can handle 2MBit/sec REAL (Timed 40 Mbytes FTP) transfers. I just wish the cable modem would keep up more often.

    The only thing that I would recommend is using a good pair of NICs. I use the SMC-1660 ISA NICs. They ran about $19 per at the local Compusa. I originally had a generic and a SMC, and it made a big difference by going to two SMCs.

    After a lightning strike, I temporarily replaced one of the SMCs with a Linksys I got for $9 on sale. After a day of running I couldn't wait for the burnt SMC to come back from the factory (ya gotta love that lifetime warranty).

    I've also heard that 3COMs are great, but they are more expensive, and they won't work well with the generic NE2000 driver. They need the special -905 driver, which LRP and most of the Floppy Linux Routers do supply.

  2. That machine is more then enough. by Anonymous Coward · · Score: 1

    Go to www.freesco.org and download their free one-disk router/firewall software. It can run on half the power you have and can be completely run off one floppy disk, or, if you have an extra HD, an HD. All you would need to modify in your setup is that you would need one more NE2000 card if you only have one now. I have used this distro for a while, and it is top notch in setup and use. Try it, you won't be disappointed...

  3. How about READING the story? by Anonymous Coward · · Score: 1

    Dumbass!

    1. Re:How about READING the story? by Malor · · Score: 1

      I can jump in here and say that OpenBSD (and, I presume, the Net and Free varieties of same) has a MUCH better firewall setup than Linux does.

      Linux's firewalling is 'stateless'. That is, it works on a packet-by-packet basis. Each packet is treated independently of every other packet. It's easy to do things like 'block all requests from anyone except X.X.X.X on port X.X.X.X', but it's quite difficult to do things like 'let me call out on HTTP, but don't let other people call IN on that same port.' You can sort of simulate this by using all sorts of tricky rules disallowing packets with various combinations of SYN/ACK/FIN/RST to particular ports, but you end up leaving holes that savvy attackers can see through.

      OpenBSD's ipfw and ipnat packages are wonderful in comparison. The rules are quite simple and straightforward. 'pass' rules are also stateful (for tcp/udp and icmp) with the simple keyword 'keep state'. This lets you block incoming HTTP and allow outgoing without any of the trickery you have to do on a Linux box, and without leaving holes open.

      I got a nicely tight firewall and NAT environment set up in a couple of hours, and I could have done it faster if I had done it before. Total elapsed time from a naked box to a fully functional firewall, DNS, NAT, and DHCP server was about eight hours.

      I think the 2.4 netfilter code in Linux may offer similar functionality (probably even better, as packages tend to leapfrog one another), but I can tell you that OpenBSD utterly and absolutely destroys Linux 2.2 on this particular front.

      Bringing this back to some relevancy to the original question: strikes me that there are two major ways of solving the problem. The first would be by running the Linux firewall package on the same machine, and preventing connections to those ports from machines other than 127.0.0.1. Simple rules would probably be okay, as he probably won't want to connect OUT on those ports either. A better solution would be a standalone firewall machine running NAT, and I would suggest that anyone considering this sort of a setup check out the BSDs.

      I imagine FreeBSD would be best if you were planning to also use that server as a desktop. NetBSD would be useful if you had a strange machine to use for a firewall. But if, like me, you had an old moldy box just gathering dust, and don't plan to use it for anything BUT a server, OpenBSD is nicely tuned to do exactly this job.

    2. Re:How about READING the story? by ragnar! · · Score: 1
      Problem is there are 9 machines around the house, and some may have the incoming port set to something nonstandard. I was hoping to learn some clever way to block it, whatever the port.

      ----------------------------------------------

      The war on drugs may be over soon.

      On my first day in office I will pardon everyone who has been convicted of a non-violent federal drug offense - Harry Browne - Libertarian presidential candidate

    3. Re:How about READING the story? by ragnar! · · Score: 1
      Not a dumbass question. I've seen similar machines used as dedicated routers supplied by point to point business cablemodem providers.

      It would be interesting to see some simple benchmarks that would validate such use.

      As far as the OS goes, slashdot's 'what we run' article cited them as using FreeBSD (or was it OpenBSD... NetBSD?) because of ipfilter - supposedly better and simpler to configure than ipchains. I'm using a linux box and IP_MASQ for my home network, but have been thinking of switching to xxxBSD and ipfilter, maybe using an old 486 laptop.

      Does anyone have ipchains rules for blocking incoming napster requests? One way cable modems (33.6 upstream) bog down with even 1 or 2 napster users pulling stuff off my machines, and my wife keeps inadvertently turning on file sharing. I don't want to ban napster, just prevent users from sharing files.


    4. Re:How about READING the story? by Xentax · · Score: 1

      "Clever" would have to be VERY clever, I think.
      You might try identifying what ports you DO expect incoming traffic on, and allowing those, block traffic by default, and allow traffic on existing connections.
      There's an option in IPChains that can block based on the state of the SYN bit, which is set in a connection attempt (ie, traffic on an established connection won't have the SYN bit set, but it will be set when someone first tries to connect, e.g. when someone makes an upload request). If you accept traffic to your host ports (for FTP or SSH or what have you), then only accept remaining traffic if the SYN bit is not set (it's ! -p in ipchains, IIRC), you might just pull it off. Note that the rule order matters here.

      man ipchains for the details, or elaborate on your system if you're using something different to firewall.

      Good luck,
      Xentax

      --
      You shouldn't verb words.
    5. Re:How about READING the story? by Xentax · · Score: 1

      Just block traffic with a destination IP and port of whichever port your Napster client is configured to use -- 6346 by default? Maybe that's Gnutella...

      At any rate, that should block any requests to upload your shared files.

      --
      You shouldn't verb words.
  4. Firewalling with an i486 by Anonymous Coward · · Score: 1

    I have my PCs (one for Linux and one for Windoze) running behind a linux firewall, connected to TW's Roadrunner service. The firewall does not slow things down noticeably, and mine's running on a 486 with just 16M RAM! It's set up using ipchains, and it does firewalling and IP masquerading. (Also SMB print/file serving.) Works great!

  5. Re:Firewall by Anonymous Coward · · Score: 1


    and even when my other four computers are generating loads of traffic and completely filling my DSL it (P120) doesn't even slow down

    Duh. I have a cisco 2501 running on a 68000 and connected to 2 T1 links. A 386 can do what you are doing with that P-120.

  6. Gibraltar looks promising! by Anonymous Coward · · Score: 1

    A firewall whose filesystem on cdrom, config on floppy, no HD needed! Give it a try at: http://gibraltar.vianova.at/

  7. router on a floppy by Anonymous Coward · · Score: 1

    I've never brought up a linux based router more quickly than with Freesco and it fits on a single floppy. Cool!

  8. Check this out by Anonymous Coward · · Score: 1

    http://www.nessus.org/

  9. Fix your /etc/orbitrc by Anonymous Coward · · Score: 1

    Make sure your /etc/orbitrc looks like this:

    ORBIIOPUSock=1
    ORBIIOPIPv4=0
    ORBIIOPIPv6=0

    By default most people have it misconfigured. If you turn off IPv4 then ORBit will not open these ports. There is no need for ipchains firewalling.

  10. Re:Question: How long can High speed ISPs ban serv by Pathwalker · · Score: 1

    Yeah - it is a little pricy. It used to be much cheaper, but they boosted the price a couple of months ago. I think they were trying to encourage people to switch to tci@home.

    Still, I consider it well worth the cost, for the high bandwidth, and freedom to do pretty much whatever I want with it :-)

  11. economics by latro · · Score: 1


    Your argument is only valid if you already have an extra machine with 2 network cards ready to perform this task! You can't build a comparable system from scratch for less than $150! Well, you might be able to, but sheesh!

    --
    "It was people! People soiled our green!"
  12. Re:gnome doesn't care about security by cduffy · · Score: 1
    You know, you could actually look at the thing to be sure it is a threat before you complain.


    As in, you could check that the ports are actually open to external hosts. I'm running gnome-core 1.2.1, and none of gnome's ports are externally accessible. I suspect that it's the same way on his version too.


    If you look at the design of some of GNOME's components -- like evolution or GB -- you'd see that they're quite security-conscious.
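    The check cduffy describes (are GNOME's ports actually reachable from outside, or only bound to loopback?) as an added example script, not code from the thread. It reads the Linux /proc/net/tcp table, where addresses are little-endian hex (0100007F:0406 is 127.0.0.1:1030) and state 0A is LISTEN, and flags listeners bound to anything other than 127.0.0.0/8; the sample table embedded in it is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: list TCP listeners from /proc/net/tcp and flag the ones bound
# to 0.0.0.0 (or a real interface address), i.e. reachable from the cable modem.
# Run with --live to read the real /proc/net/tcp; otherwise the constructed
# sample below is used.

# Constructed sample in /proc/net/tcp format (not from a real host): sshd on the
# wildcard, one ORBit-style port on loopback, one on the wildcard, one ESTABLISHED.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 0
   1: 0100007F:0406 00000000:0000 0A 00000000:00000000 00:00000000 00000000   500        0 1235 1 00000000 100 0 0 10 0
   2: 00000000:0409 00000000:0000 0A 00000000:00000000 00:00000000 00000000   500        0 1236 1 00000000 100 0 0 10 0
   3: 0100007F:0016 0100007F:8A2B 01 00000000:00000000 00:00000000 00000000     0        0 1237 1 00000000 100 0 0 10 0'

# Convert an 8-digit little-endian hex address (e.g. 0100007F) to dotted quad.
hex_to_ip() {
    b1=$(printf '%s' "$1" | cut -c7-8)
    b2=$(printf '%s' "$1" | cut -c5-6)
    b3=$(printf '%s' "$1" | cut -c3-4)
    b4=$(printf '%s' "$1" | cut -c1-2)
    printf '%d.%d.%d.%d' "0x$b1" "0x$b2" "0x$b3" "0x$b4"
}

# Print "ip port scope" for every LISTEN (st == 0A) socket in the given table.
# scope is "loopback" for 127.0.0.0/8 binds and "external" for anything else.
list_listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 && $4 == "0A" { print $2 }' |
    while IFS=: read -r hexip hexport; do
        ip=$(hex_to_ip "$hexip")
        port=$(printf '%d' "0x$hexport")
        case "$ip" in
            127.*) scope=loopback ;;
            *)     scope=external ;;
        esac
        printf '%s %s %s\n' "$ip" "$port" "$scope"
    done
}

# Print only the listeners reachable from outside, one "ip port" per line.
external_listeners() {
    list_listeners "$1" | awk '$3 == "external" { print $1, $2 }'
}

case "${1:-}" in
    --live) external_listeners "$(cat /proc/net/tcp)" ;;
    *)      external_listeners "$SAMPLE_PROC_NET_TCP" ;;
esac
```

    Anything this prints on the sample other than the sshd port is a candidate for the ORBit setting discussed elsewhere in the thread or for an ipchains rule on the input chain.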

  13. ipchains/iptables on a standalone machine by imroy · · Score: 1

    You don't have to set up a separate machine to use the firewall support in the Linux kernel. Just apply strict rules on the INPUT chain (? thingy...) and that will protect that box as well.

    I'm no expert on this yet, but I'd drop everything except SSH, HTTP, maybe FTP and the basics like echo etc...
    Do drop inetd, but replace it with xinetd. With xinetd you can specify which network interfaces a certain service will respond to. That way your local network (if you have one) doesn't have to suffer because you're limiting the number of ports open to the world.

    ObCrackRef: I've got Portsentry running on my box and I get a couple of port scans a month. But this is on a dial-in account down here in .au, with 150 hours a month limit (5h/day). Man, what those script kiddies lack in quality and intelligence they sure make up in quantity!

    That's one last tip: get Portsentry (um... look on Freshmeat) and configure it to 'wall' you when a port scan comes in. You'll know the instant someone scans you because all of your open terminals will beep with the message!

  14. Netgear RT311 Gateway Router by mholve · · Score: 1
    I have been very happy with my recent purchase of the Netgear RT311 gateway router for $119US.

    It hooks up between the cable modem and your hub/switch and does DHCP and NAT and serves as a firewall as well.

    You run your LAN on a private IP class and you can use the router to provide DHCP or you can do it manually. For the WAN, it uses DHCP to get an address from your provider.

    You can set up rules inbound and outbound based on protocol, port number and so on. Access to the device is via telnet, HTTP or serial cable. Very nice!

    Linksys also makes a really nice one.

  15. Re:Port scanning is illegal by bpeck · · Score: 1

    Are you an idiot? You can portscan your own machine.

  16. Re:My experiences by tzanger · · Score: 1

    That's right, a Pentium 90. Not as bad as a 486, but no great shakes.

    A pox on both your P90 and the other guy's 486!

    I'm doing the masq/firewall mambo with a 12 (10?) year old 80386DX/40. This poor machine was purchased new by my father for a small fortune and a few years ago I claimed it.

    It sits headless in a corner and does nothing but work. An old 400MB hard drive (the original 120 went screwy) and 8MB of memory and it's pretty much at its limit. But it doesn't complain at all.

  17. Re:Biggest threat? by tzanger · · Score: 1

    I wonder how long it will take until cable companies start to hire outsiders to scan their networks...

    What's so hard about using a trigger port/ports to open everything else up?

  18. Re:The general solution is .. by tzanger · · Score: 1

    Its /possible/ for someone at the other end of the wire to send packets to you with a destination-IP of 127.0.0.1, and your box will happily accept them. Sure, this is a long-shot, and there's no way the hacker at the central-office will get a response, but there are a lot of attacks that don't need responses.

    That's why my IPCHAINS input chain looks a little like this:

    ipchains -P input ACCEPT
    ipchains -A input -s 127.0.0.1/32 -d 0/0 -i ! lo -j DENY

    I've played a bit with deny policies on the input chain but they're really too restrictive and your chain starts to get a little long, especially if you're doing more than just telnet/ssh/ftp/web. or have more than just two interfaces (think incoming dialup, DSL, local network and VPN) The forward policy, however, is always deny. Always.

  19. Re:Biggest threat? by tzanger · · Score: 1
    What's so hard about using a trigger port/ports to open everything else up?

    It's just another example of security through obscurity, that's what's wrong with it. IP-based authentication is worthless.

    I've said it before and I'll say it again and again. Security through obscurity is a perfectly fine LAYER to add to a security regimen.

    Sure you've got everything tuned up pretty good but there is nothing wrong and I strongly encourage the use of an obscurity layer in order to build up defences a little more. Relying on obscurity to protect you is one thing, and it's a very bad thing. But having the attacker have to guess what the hell he's looking at before he can apply his standard toolkits and procedures is always a good thing. Always. You don't have a little sticker on your house door which says "Dudley EX-145 model lock" now do you?

    Now bringing this back to the topic at hand... Having a trigger port that will open up all my services (or a selected service) when tickled just right is a fine way to keep the scanners at bay. Even better is if you put that trigger port on auth and your auth daemon is tied in with your inetd server: If you get an auth request for port 12345 followed by a request for port 54321 within a 5 second window, it tells inetd to start listening on whichever ports you specify for the next 1 minute (or something).

    Tell me, what's so insecure about that, if you've got all your other defences built up?

  20. Re:The general solution is .. by tzanger · · Score: 1

    Doh! Please excuse my stupid ass. It should really be 127.0.0.0/8

    Mine too. I checked my policy and that is what I have. It was a brainfart last night in that post, I swear. :-)

  21. Re:Biggest threat? by tzanger · · Score: 1
    You don't have a little sticker on your house door which says "Dudley EX-145 model lock" now do you?

    No, it says "Keyless entry system". Not that I need the sticker, the keypad should be obvious enough (with that nice red LED glowing above it). I'd like to see *you* bypass a magnetically-controlled deadbolt...

    Still an obscurity layer on top of your other security layers. You don't tell them the model so they can easily find the electronic/mechanical equivalent of an exploit.

    Simple.. anyone with a sniffer can get that information, and then scan behind it.

    Which is good, because it involves an extra move on their part.

    Even worse, you may not detect it because the firewall now views that scan as "authorized".

    I don't follow. What's the difference between an unknown IP hitting auth, netbios, ICQ, elite and netbus in addition to your control port, or just hitting the real service ports? The whole point is to make your machine look "normal" to the DSL/cable guys but to include some method of opening up a few real servers when tickled right.

    Or maybe that trigger port can be tickled the wrong way and lock YOU out. Or maybe the server on that port can be crashed, thus accomplishing the same.

    Those are implementation issues. You could argue that a bug in the real servers could do the same.

    As far as I'm concerned, my original point still stands. Obscurity layers are everywhere in the world, partially on purpose but mostly because people are lazy. The internet default, however, is full disclosure if you're lazy.

  22. Re:Linksys != firewall!!! Get a SonicWall instead! by Stan+Chesnutt · · Score: 1

    Well smack me silly and call me Gertrude! Sure, the Linksys is a minimal device. No logging, class C network, low performance. And I advise everyone to read the specs before buying.

    Even so, it is great for what I'm doing. I used a standalone Linux machine as a firewall for two years or so, and it was great at the job. And, like I said before, just too noisy in the home environment. Since I do want to leave the dual-P3 system going (yep, distributed.net), the firewall is a necessity.

    Don't buy the Linksys if it isn't what you need or want!

  23. The general solution is .. by freddie · · Score: 1

    You set your app to bind to the 127.x.x.x addresses only. That way the app is only accessible from the local machine.

    To specify this should be easy. If it's not it might be a good area for gnome improvement. Since even behind firewalls this could be used for stupid pranks, as well as privacy violations.

    --fred

    1. Re:The general solution is .. by Single+GNU+Theory · · Score: 1
      If it's not it might be a good area for gnome improvement.

      Wasn't that a Tim Allen TV show?

      --
      Little Debian: America's #1 Snack Distro!
    2. Re:The general solution is .. by Chmarr · · Score: 1

      That's not a very good solution.

      Its /possible/ for someone at the other end of the wire to send packets to you with a destination-IP of 127.0.0.1, and your box will happily accept them. Sure, this is a long-shot, and there's no way the hacker at the central-office will get a response, but there are a lot of attacks that don't need responses.

      Firewalling is what you want, either on that box, or a separate one.

    3. Re:The general solution is .. by benploni · · Score: 1

      Unfortunately, a lot of apps are hardcoded to bind to the "any" address. If that's the case you have two options:

      1) Fix the code
      2) Use ipchains to prevent a syn packet from coming in on the "wrong" interface to that port. It'll still show up as listening on that port in a "netstat -a", but no one can get to it.

      Ben Ploni

    4. Re:The general solution is .. by mangino · · Score: 2

      If you have a box on the net you really need to make sure that addresses coming in on an interface match the interface. There should be plenty of example firewall scripts that do just that. It is important to make sure people can't tunnel into your firewall and look like they are coming from inside your network.

      As a rule, 127.* should only be accepted on loopback, if you use 192.168.*, only packets addressed to addresses in that range and coming from that range should be accepted.

      Publicly accessible interfaces MUST drop all packets with destination and source addresses in the unroutable range.
      --
      Mike Mangino
      Sr. Software Engineer, SubmitOrder.com
      mmangino@acm.org
  24. ipchains on a single box by booch · · Score: 1

    I think that people fail to realize that ipchains does not need to be put on a separate firewall box. You can run it on any box, including a workstation. The only reason that it normally runs on a single box is so that it can protect a whole network with all the configuration done at one location.

    --
    Software sucks. Open Source sucks less.
  25. Re:I run a portscan detector by Meleschi · · Score: 1

    Maybe you're the one who should get a clue?

    The way portsentry works is by setting up an ipchains statement blocking the ip address in question on the input chain.

    If your gateway is running any services for you, then those services are now blocked. Many ISP's use a true router as the gateway, while other ISP's/companies use Solaris or other unix type solutions.

    What if the gateway ip was also your DNS server? Wow. That sucks. No more DNS. How about your DHCP server? maybe your smtp gateway? All of the sudden, you've got the appearance of a downed network all because your gateway IP was blocked by portsentry.

    This works because it happened to me. :-)

    Either way, the solution is to simply add the IP's you do not want to be blocked into the portsentry.ignore file....

    Rick

    --
    Meep Meep!
  26. Re:ipchains by Manuka · · Score: 1

    Heh. One of these days when I get some time to play with it. Life's been a little hectic lately.

  27. Simple Solution by Coverfire · · Score: 1

    The open ports you see are the result of the CORBA communication that GNOME uses internally. You can tell ORBit not to open TCP sockets by default by editing the .orbitrc file in your home directory.
    Just add the lines:
    ORBIIOPIPv4=0
    ORBIIOPIPv6=0

  28. Re:Gnome security by Coverfire · · Score: 1

    Just add the lines:
    ORBIIOPIPv4=0
    ORBIIOPIPv6=0

    to the .orbitrc file in your home directory.

    That tells the ORBit libs not to open TCP ports. You will not be able to run remote GNOME applications if you do this.

  29. Re:gnome doesn't care about security by Coverfire · · Score: 1

    Just add the lines:
    ORBIIOPIPv4=0
    ORBIIOPIPv6=0
    to the .orbitrc file in your home directory.

    This tells ORBit not to open TCP ports by default. You will not be able to run remote GNOME applets etc if you do this.

    Also, the newer Helix GNOME updates do this by default.

  30. Re:Userspace threat, definitely. by The+Mayor · · Score: 1

    I'm not so sure this post should have been moderated down. I think this poster made a valid point (that GNOME monkeys have better things to do with their time). It was a witty response to a rather stupid point, IMHO.

    Oh well. Slashdot seems to be continuing its downward slope. Remember the days when "http://www.slashdot.org" didn't work? You had to use "http://slashdot.org".

    --
    --Be human.
  31. Re:My experiences by glens · · Score: 1

    386SX-33

    8MB RAM (no secondary cache - takes 7 hours to compile 2.2.16 versus 9 hours with 24MB RAM!)

    no monitor or keyboard

    old IBM ne clone to the inside

    modem to the outside (28kb/s max. connections, usually somewhat less)

    running caching name server and sendmail and some other stuff on it.

    One day I was wgetting a large database-type of FAQ with a bunch of individual pages. I'd been "surfing" in the meantime and noticed the name lookups were getting a little sluggish. I discovered that each page request was generating an identd lookup and they were backing way up. The load was up to 30 on that little sucker, but even with all that userland stuff going on, there was no detectable difference in the alacrity with which it was masqing my packets!

  32. Re:The ports open. by Des+Herriott · · Score: 1

    Yep, that's the right way to do it.

    Fortunately, it looks like that is indeed the default now - in the Helix GNOME I'm running on this box, Unix domain sockets are enabled by default and IPv4/IPv6 sockets are not.

    (Last GNOME update I did was about 2 weeks ago, so it's been there since then at least)

  33. Re:WHAT the heck are you talking about? by Signal+11 · · Score: 1

    I just reviewed their AUP for Mediaone up here in minnesota.. they no longer have that clause in their AUP. It would appear they have backed off.. substantially.

  34. Re:Biggest threat? by Signal+11 · · Score: 1
    What's so hard about using a trigger port/ports to open everything else up?

    It's just another example of security through obscurity, that's what's wrong with it. IP-based authentication is worthless.

  35. Re:Biggest threat? by Signal+11 · · Score: 1
    Security through obscurity is a perfectly fine LAYER to add to a security regimen.

    No, it's not, it lulls you into a false sense of "extra" security.

    You don't have a little sticker on your house door which says "Dudley EX-145 model lock" now do you?

    No, it says "Keyless entry system". Not that I need the sticker, the keypad should be obvious enough (with that nice red LED glowing above it). I'd like to see *you* bypass a magnetically-controlled deadbolt...

    Tell me, what's so insecure about that, if you've got all your other defences built up?

    Simple.. anyone with a sniffer can get that information, and then scan behind it. Even worse, you may not detect it because the firewall now views that scan as "authorized". If you do it a lot, the attempt may show up in your logs and you'll miss it because you thought it came from you. Or maybe that trigger port can be tickled the wrong way and lock YOU out. Or maybe the server on that port can be crashed, thus accomplishing the same.

    Not only that, but having a single port open on an otherwise oblique firewall is going to attract a lot of extra attention to that port.

    Besides, you're neglecting human nature - by making something obscure and hidden, you're piquing people's curiosity.

  36. Horsepower shmorsepower, as long as I'm rich! by leonbrooks · · Score: 1

    "-- Daffy Duck, August 2000"

    I have a 486SLC40 gateway box feeding a modem. It has a BogoMIPS rating of 7.86 - yes, the decimal point does come second. On bad days, it drops to around 7.5. I don't get to see it change often (it's been... (/ME sshes in, checks uptime...) 82 days since the last power failure).

    Given that a regular modem involves a CPU response to almost every single character (a DSL interface won't require that), and that the brain-dead not-even-PnP NE-2000-clone network card has never dropped a packet, I can't see anybody having horsepower issues with a real 486 or better. (-:

    --
    Got time? Spend some of it coding or testing
    1. Re:Horsepower shmorsepower, as long as I'm rich! by tzanger · · Score: 2

      Given that a regular modem involves a CPU response to almost every single character (a DSL interface won't require that)

      I believe that some cheap-ass NICs are almost as bad. 3COM's Parallel tasking chipset (in the 3C905B) is very good about not using your CPU to bring in data.

  37. Re:ipchains - response to Anonymous Coward by osjedi · · Score: 1

    The use of sockets in X is not a problem. It's how X works. Blocking ports is not "fixing the symptom rather than the problem" as you stated. Your box is like a house. You don't want strangers wandering into your house, right? So lock the front door, but don't lock every room in the house. If you lock the outer doors, then you have no need to lock every room within the house - and you can move about freely within. You can do wonderful things with sockets. To say that they should not be used shows your short sightedness.

    --
    -=-=-=-=- osjedi uses Debian GNU/Linux. -=-=-=-=-
  38. Re:OT: Roadrunner billing nastiness by PD · · Score: 1

    It's stories like that which prevent me from getting a cable modem. I am not eligible for DSL where I live, but I will wait thank you very much.

    I just called the cable company last night to return my Scientific Atlanta piece of crap to them (changes channels slower than my grandma). After putting me on hold for 20 minutes, they hung up on me.

    My new house has a satellite dish.

  39. Re:With RoadRunner... by kneeo · · Score: 1

    Not in my area (MN). I blocked all of their addresses.

    here is what I do
    first I allow the dns server access to "see" me
    $IPCHAINS -A input -s 24.26.163.32/32 -d $Any -i eth0 -j ACCEPT
    then I ban all other addresses from their subnet
    $IPCHAINS -A input -s 24.26.0.0/16 -d $Any -i eth0 -j DENY

    then I ban all input from eth0 that has 1.1.0.0 subnet on eth0..to stop spoofing
    $IPCHAINS -A input -s 1.1.0.0/16 -d $Any -i eth0 -j DENY -l

    then in my /etc/hosts.deny file I have...
    in.telnetd: ALL: twist /root/bin/ipban %a %u
    in.ftpd: ALL: twist /root/bin/ipban %a %u
    in.fingerd: ALL: twist /root/bin/ipban %a %u

    ipban is a script that does..
    /sbin/ipchains -A input -s $1/32 -d 0.0.0.0/0 -i eth0 -j DENY
    /sbin/ipchains -A input -p icmp -s $1/32 -d 0.0.0.0/0 -i eth0 -j DENY
    echo $2 has been Denied all packets

    so if anyone that is not in the /etc/hosts.allow or /etc/hosts tries to connect on the telnet, ftp, or finger port they get ipchain denied
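    The anti-spoofing rules from the mangino, tzanger and kneeo posts and Xentax's SYN-bit idea, combined into one ipchains (Linux 2.2) input-chain script as an added example; it is not a script from the thread. It assumes hypothetical names: EXT_IF is the cable-modem interface, LAN_IF and LAN_NET the private network behind a masquerading box (leave LAN_IF unused on a single box), SERVICES the TCP ports you really offer; set IPCHAINS=echo to preview the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): ipchains input-chain ruleset for a box on a
# cable modem. ipchains is stateless; "-y" matches packets with SYN set and
# ACK/FIN clear (new connections), "! -y" everything else, so this only
# approximates the "keep state" behaviour Malor describes. Names are hypothetical.
IPCHAINS=${IPCHAINS:-/sbin/ipchains}
EXT_IF=${EXT_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
SERVICES=${SERVICES:-"22 80"}

# Sources that must never arrive on the public interface: loopback, RFC 1918
# private space and our own LAN block (a packet claiming to come from inside
# but arriving on EXT_IF is spoofed). LAN_NET is listed explicitly so the rule
# survives even if the LAN does not use 192.168.x.x.
spoofed_sources() {
    printf '%s\n' 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 "$LAN_NET"
}

apply_input_rules() {
    "$IPCHAINS" -F input
    "$IPCHAINS" -P input DENY
    # Loopback addresses are only valid on lo (tzanger's corrected 127.0.0.0/8 rule).
    "$IPCHAINS" -A input -i lo -j ACCEPT
    "$IPCHAINS" -A input -s 127.0.0.0/8 -i ! lo -j DENY -l
    # Spoofed sources on the public interface: deny and log (-l).
    for net in $(spoofed_sources); do
        "$IPCHAINS" -A input -s "$net" -i "$EXT_IF" -j DENY -l
    done
    # The LAN interface only carries LAN addresses; anything else there is logged.
    "$IPCHAINS" -A input -s "$LAN_NET" -i "$LAN_IF" -j ACCEPT
    "$IPCHAINS" -A input -i "$LAN_IF" -j DENY -l
    # New connections from the world reach listed services only; GNOME's ORBit
    # ports and everything else are never offered, whatever they are bound to.
    for port in $SERVICES; do
        "$IPCHAINS" -A input -p tcp -i "$EXT_IF" --dport "$port" -y -j ACCEPT
    done
    # Replies to connections we opened (no SYN-only packets) are let back in.
    "$IPCHAINS" -A input -p tcp -i "$EXT_IF" ! -y -j ACCEPT
    # UDP replies for DNS and DHCP from the ISP, ICMP for path MTU and ping replies.
    "$IPCHAINS" -A input -p udp -i "$EXT_IF" --sport 53 -j ACCEPT
    "$IPCHAINS" -A input -p udp -i "$EXT_IF" --sport 67 --dport 68 -j ACCEPT
    "$IPCHAINS" -A input -p icmp -i "$EXT_IF" -j ACCEPT
    # Everything else on the public interface is logged, then dropped by policy.
    "$IPCHAINS" -A input -i "$EXT_IF" -j DENY -l
}

# Apply only when asked, so sourcing or previewing the script is harmless.
case "${1:-}" in
    --apply) apply_input_rules ;;
esac
```

    Run it as root with --apply on the box itself or on the masquerading 486; the forward chain policy and the MASQ rule for LAN_NET are separate and not covered here.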

  40. Re:Just firewall it... by Duckie01 · · Score: 1


    Perhaps I'd like to share my script and don't care as much about the box itself? Many people liked my scripts and used them or built something else from it.

    I am sure there are no known security holes in it. No reason to be paranoid.

    I'm not absolutely sure there are no unknown security holes in it somewhere. Neither is slashdot... and they give away slash...

  41. Another easy solution - Gnatbox by Wicked+Panda · · Score: 1

    OK, a floppy only firewall is a Gnatbox. (http://www.gnatbox.com)

    This is a floppy only firewall. Very feature rich for how small it is. No, it doesn't do dynamic DNS, or provide a DHCP server, but:
    it is on a single floppy (no hard drive, so you can reduce the moving parts)
    you can get a limited (5 users) version for free
    It runs on as little as a 486 with 8Mb of RAM
    There is an active mailing list, which the company techs are on, and you can get useful support on the list.
    Supports a third NIC for a DMZ to put public servers on.

    Enough shilling, check out the page. I use it on a system for my gateway on RoadRunner. I am using an old pentium, and have got 1.12Mbit throughput, and have never seen more than 5% utilization.

  42. Get or build a firewall by pivo · · Score: 1
    You can build a firewall using an old PC and Linux or *BSD or you can shell out about $120 for a NetGear/Zyxel/Linksys router/firewall/NAT/hub. I'd sure do one or the other unless you enjoy being hacked.

    There are plenty of Linux firewall howtos if you're going that route.

    1. Re:Get or build a firewall by benploni · · Score: 1

      Go w/ the linux/bsd route. The SOHO hardware routers don't give you enough flexibility. They're getting better, but for a bit more, a cheapie linux box can do things like letting you ssh in.

      Ben Ploni

  43. Use a Hardware Router/Firewall by Neuroprophet · · Score: 1

    I have 3 computers sharing my cablemodem at home using a Cable/DSL Router from Linksys. It's a 4 port switch with a built in router. It does NAT based translation and has a firewall built in. It also supports port forwarding, can be used as a dhcp server, and also lets you configure a computer as a DMZ if you like. You can find it from places like buy.com for about $150. I also like it because I don't have to leave a computer on all the time.

  44. Re:Easier than any Linux solution by Weasel+Boy · · Score: 1

    With all due respect (and I'm sure that's a lot), I fail to see that my use of the vernacular was any more grievous an offense than your failure to capitalize. If you're going to insist on splitting grammatical hairs, at least have the courtesy to exert yourself to reach that little finger over to the shift key at appropriate times.

  45. just run ipchains on your linux box... by miscellaneous · · Score: 1

    ...the same one you use as a workstation, if you don't think it will hurt performance too much. you can allow unlimited traffic to/from the local net and host, and reject stuff from all the script kiddies on RR.

    --
    -k. ^-^ ^D
  46. You don't need a separate firewall machine by st.+augustine · · Score: 1
    You can use the firewalling kernel modules on your own machine -- ipfwadm, ipchains, or netfilter, depending on whether you're running 2.0.x, 2.2.x, or 2.3.x+. Start by limiting everything incoming to localhost-only, and then open up just the stuff you need to open up.

    See sections 7 and 8 of the Firewall and Proxy Server HOWTO for ipfwadm and ipchains, respectively; and the Linux 2.4 Packet Filtering HOWTO for netfilter.

    (Of course, everything-off should be the default setting in the first place, but that's another story altogether.)

    --

    -- Some things are to be believed, though not susceptible to rational proof.
  47. Re:Clarifications by jekk · · Score: 1
    When will you learn....?

    A posting such as that is nothing more than a troll without including a link to website detailing the results of this security audit. With such a link, it's a valuable contribution to the discussion.

    Yours has no link. It's a troll. Next time, back it up with evidence.

    -- Michael Chermside

  48. Re:Check the mailinglists by Camelot · · Score: 1
    My favorite quote:

    PPS. Re-reading, this is disturbingly reminiscent of making NT secure - you have to create loads of magic registry settings to make NT even remotely secure.

    'Nuff said.

  49. To avoid the world seeing X by Kimble · · Score: 1


    You can use the following command from the CLI to Start X up.
    startx -- -nolisten tcp
    That should stop the various ports X uses from listening to outside connections.
    P.S. A good Firewall, worth its weight, should block any connection attempts from everyone but the localhost to begin with.

    --
    ..!!in an intastella burst i am back to save the universe!!
  50. Re:My experiences by aschlemm · · Score: 1

    Visit the Linux firewall tools website and use the firewall design tool to generate a nice set of ipchain rules for your system. I used the generated rules as the basis for my rule set on my K6-300 dual NIC'd gateway/firewall box for my cable modem.

    http://www.linux-firewall-tools.com

    P.S. Make sure you understand exactly what the generated rule set is doing before you start using it since it may not be setup exactly like you want. It's nice not to have to type all of that stuff in by hand but it's good to know how to tweak the rule set so it works properly for your setup.

  51. Re:Get thee a firewall ... by knick · · Score: 1
    This did not work as the LinkSys would not connect to the ethernet card on the Linux box. Maybe it needs a crossover cable when going into a hub?

    Exactly. Since the cable modem/DSL modem expects to connect to a NIC, it acts like a hub. Since LinkSys expects to be connected to a Modem, it acts like a NIC. When you connected it to a NIC, it wouldn't work. Using a x-over cable will fix your woes. BTW, it's a 4-port 10/100 Switch. That's almost worth the $150 right there. --kNick

  52. Re:A few words... by QuMa · · Score: 1

    first of all, if you read the article, he's got 2 comps. a 486 will do fine for firewalling, I've got all my traffic going through a 486DX/2-66, without a problem.

    And a separate box for firewalling will help you. For instance, what if a program binds a random high port? You can't firewall off all your high ports. What if someone writes a buffer overflow for mutt that runs /bin/sh on port 48002? Ipchains rules on localhost aren't going to help you.

  53. Re:Easier than any Linux solution by bocee · · Score: 1

    Or you can just install linux on it ;-).

    I'm currently using my old Centris 610 (with an upgraded processor to fix the faulty LC040 chip) as my NAT/ipmasq box, and everything works fine.

    I have used IPNetRouter before though, and it's a very good product.

    links:
    maclinuxstatus.sourceforge.net

  54. With RoadRunner... by rm+-rf+/etc/* · · Score: 1


    Your biggest worry is keeping them away from your machine. They'll port scan you on a regular basis, install something like port sentry and keep an eye on it, then block their spiders. Unfortunately if they notice any devious attempts to keep them from scanning you, they tend to get more aggressive (at least in my area).

    As for gnome, just set some firewall rules to block the ports, no biggie.

  55. Maybe I'm missing something? What about Bastille? by Displaced+Cajun · · Score: 1
    Bastille Linux

    The Bastille Hardening System attempts to "harden" or "tighten" the Linux operating system. It currently supports Red Hat and Mandrake systems. We attempt to provide the most secure, yet usable, system possible

    --
    Executive ability is deciding quickly and getting someone else to do the work. --John G. Pollard
  56. Linux Security by NakNomik · · Score: 1
    --
    Unix is simple. It just takes a genius to understand its simplicity. -Dennis Ritchie
  57. Re:The Truth About PROPAGANDA by Rombuu · · Score: 1

    The only problem is, you weren't aware of it because every news resource you read is owned by the same company we gave the bird to back in April.

    Well, that wasn't too bright was it?

    --

    DrLunch.com The site that tells you what's for lunch!
  58. Re:Hate to burst your bubble... by thppt · · Score: 1
    Have you taken a look at the rrlogin program? It was written specifically to solve your kind of dilemma. No one should be forced to use Win98 as a firewall. Try:

    http://people.qualcomm.com/karn/rr/linux.html

    Good luck.

    --

    Curiouser and curiouser...
  59. Use the IPCHAINS input chain by DeathBunny · · Score: 1

    You don't need a separate machine to use IPCHAINS. Most people are more familiar with using IPCHAINS to construct forwarding rules for a dedicated firewall. But, you can also use IPCHAINS to create input rules to secure your workstation (or server).

    It's very similar to creating forwarding rules, but instead of accepting or denying packets forwarded through your box, you accept or deny packets directed to your box.

  60. Re:Linksys != firewall!!! Get a SonicWall instead! by Hast · · Score: 1

    Err, a small firewall computer was too noisy, but you have a dual P3 on?

    If you have a 486 as a firewall can't you rip out the noisy bits (hd, fans etc) and make it extremely quiet?

  61. Re:Could I have the old envelope please... by SEWilco · · Score: 1
    Oops, I made a mistake in the second estimate. A "ping" actually involves a packet which exited my machine, entered the other machine, the reply exited the other machine, and entered my machine. The "ping" time is a round trip and is processed by two machines -- so a 2 ms ping time actually involves being processed twice, so I should cut in half the time for the estimate.

    So the second estimate should be doubled, to 4Mbps.

  62. Could I have the old envelope please... by SEWilco · · Score: 1
    66 MHz handling 10 MBps max data rate? Get the back of an envelope and a pencil.

    • That's 10M bits per second, about 10 bits per 8-bit byte (overhead, router delays) so 1M bytes per second.
    • 1MB/second on a 66 MHz processor would require no more than 66 clock cycles per byte.
    • Transfer of a network byte in Linux requires grabbing by the device driver, placing in buffer, giving completed packet to firewall/routing code, header examination of packet, passing packet to outgoing device driver, and pushing the byte to the card.
    • There are well under 66 byte-level transfers involved, most of the Linux kernel will be handling the entire packet.
    • The kernel might have to copy the packet between one and four times, but mostly a pointer to the packet buffer is passed around.
    • If your average buffer is 400 bytes, copying a pointer is about 1/400th the effort of copying the bytes (actually even less due to not needing a loop -- yes, clock cycles are needed for a loop even if you're using a multibyte copy instruction where the loop is done in hardware)
    • For a 400-byte packet, 66*400=26,400 clock cycles is available (subtracting the few cycles needed for touching the individual bytes).
    • From my experience with the Linux networking code, I think each packet requires much less than 26K clock cycles of processing.

    Now let's check my work.

    • When I traceroute a similar machine, I see delays of under 2 milliseconds.
    • 1,000 milliseconds per second divided by 2 ms of delay per packet equals 500 ICMP ("ping") packets per second.
    • 500 packets...if they had 400 bytes each...would be 200,000 bytes per second.
    • 200,000 bytes per second would be about 2,000,000 bits per second.
    • I am aware there are millisecond-level timing difficulties and network-related delays, but I've ignored them as here I'm trying to underestimate the maximum throughput rate.

    Okay, so in the first estimate I thought that 26K clock cycles would be enough but the second estimate came up with a low end of 2Mbps. I'm confident that a 66MHz machine is overkill for a simple routing table handling up to a 1.5Mbps T1 circuit. There may be delays at full 10Mbps, but usually Internet bottlenecks will not allow reaching that speed anyway.

    Anyone else have more detailed values on their envelopes?

  63. Re:10 minute solution: by Richard+Jones · · Score: 1

    10 minutes indeed! www.freesco.org rocks! I got my old 486 (which I had been tussling with for _ages_) up and running on my cable modem in a little over 10 minutes. I'm pretty much a dumbass when it comes to sysadmin type stuff too :)

    In 20 minutes I had finished tinkering with the web admin interface (not actually changing anything, just playing around :) and then I fired up counter-strike and played for a while with no appreciable difference.

  64. Something I have always wondered... by FIGJAM · · Score: 1

    Does ipchains detect 32bit IPs?
    ie. 2130706433 = 127.0.0.1

    Should we setup rules to include 32bit, 24+8bit, 8+24bit and 16+16bit IPs?

    --
    Do your best, hope for the best, suspect the worst.
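
FIGJAM's question is about textual spellings of an address: an ipchains rule matches the 32-bit address in the packet header, so 127.0.0.1 in a rule already covers 2130706433 and the 2-part and 3-part shorthands, and the ambiguity only matters where a program parses an address string (a URL, a hosts.allow entry). This added example, mine and not from the thread, normalizes those spellings to a dotted quad in POSIX sh so such strings can be compared against a rule set; it handles decimal parts only.

```shell
#!/bin/sh
# Added example (not from the thread): canonicalize the shorthand IPv4
# spellings that inet_aton()-style parsers accept into a.b.c.d form.
# Supported forms (the classic inet_aton rules, decimal parts only):
#   a        -> one 32-bit value        (2130706433 -> 127.0.0.1)
#   a.b      -> a is 8 bits, b is 24 bits   (127.1     -> 127.0.0.1)
#   a.b.c    -> a, b are 8 bits, c is 16 bits (127.0.1 -> 127.0.0.1)
#   a.b.c.d  -> four 8-bit parts
# Parts with a leading zero (octal in inet_aton) and hex parts are rejected
# rather than guessed at, so a caller never gets a silently wrong answer.

# Usage: ip_normalize SPELLING  -> prints a.b.c.d and returns 0,
#                                  or prints nothing and returns 1 if malformed.
ip_normalize() {
    addr=$1
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # digits and dots only, no empty part
    esac
    old_ifs=$IFS
    IFS=.
    set -- $addr                               # split on dots into $1..$n
    IFS=$old_ifs
    nparts=$#
    [ "$nparts" -le 4 ] || return 1

    # Every part except the last is a single octet; the last part fills all
    # remaining low-order bits (32, 24, 16 or 8 of them, depending on nparts).
    val=0
    idx=1
    for part in "$@"; do
        case $part in 0?*) return 1 ;; esac    # leading zero would mean octal: out of scope
        [ ${#part} -le 10 ] || return 1        # keeps shell arithmetic from overflowing
        if [ "$idx" -lt "$nparts" ]; then
            [ $(( part )) -le 255 ] || return 1
            val=$(( (val << 8) | part ))
        else
            last_bits=$(( 8 * (5 - nparts) ))
            [ $(( part )) -lt $(( 1 << last_bits )) ] || return 1
            val=$(( (val << last_bits) | part ))
        fi
        idx=$(( idx + 1 ))
    done
    printf '%d.%d.%d.%d\n' $(( (val >> 24) & 255 )) $(( (val >> 16) & 255 )) \
        $(( (val >> 8) & 255 )) $(( val & 255 ))
}

# Demo: the spelling from the comment above.
ip_normalize 2130706433
```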
  65. Old 486 by [Xenocide] · · Score: 1

    I've run an only 486/66 /w 32mb RAM as a gateway, local nameserver, and http caching proxy for about 4 months with minimal problems. If speed is your only concern, put it out of your mind. A 486 like that, regardless of network card, should be able to easily outperform the speeds of a cable modem.


    Derek Lewis

    --


    Derek Lewis

    (remove the spam-free to email me)
  66. Thanks by jtgold · · Score: 1

    Thanks. I'll try that.

  67. Re:My experiences by jtgold · · Score: 1

    Chai! How are things in the new life?

    Anyway, try "netstat -pleA inet". This will display only listening sockets, in addition to the user and process id responsible for each. Unfortunately, this uses service names instead of port numbers, but that can be fixed by adding `n' (ie, "netstat -plenA inet").

    I'm working on a way to run X without listening on TCP sockets, which would make it safe for a firewall. (Obviously "startx -- -nolisten tcp" works, but I want to cover gdm use as well). Why? Because it's there...

    Be well.
    Jeff
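
The "netstat -plenA inet" listing Jeff recommends still has to be read by eye; this added shell example (mine, not from the thread) runs a constructed sample of that output through awk to separate sockets bound only to 127.0.0.1 from those reachable from the cable network, and picks out the 1030-1040 range from the question. The sample rows, program names, PIDs and inode numbers are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): triage "netstat -plenA inet" output.
# Sockets bound to 127.0.0.1 can only be reached locally; anything bound to
# 0.0.0.0 (or the cable-side address) is what the outside world can see.

# Constructed sample, laid out like netstat's output of that era (not a real
# capture). Note that UDP rows have an empty State column, which shifts the
# User/Inode/PID fields one position to the left.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:1031            0.0.0.0:*               LISTEN      1000       12345      812/gpilotd
tcp        0      0 0.0.0.0:1032            0.0.0.0:*               LISTEN      1000       12346      815/tasklist_applet
tcp        0      0 127.0.0.1:6000          0.0.0.0:*               LISTEN      1000       12300      700/X
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          9000       400/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          9001       420/httpd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           0          9002       300/portmap'

# Read netstat output on stdin; print "proto port pid/program" for every
# listening socket whose local address is not the loopback address.
exposed_listeners() {
    awk '
        $1 == "tcp" || $1 == "udp" {
            n = split($4, la, ":")           # "addr:port" -> la[1] .. la[n]
            host = la[1]; port = la[n]
            prog = ($1 == "tcp") ? $9 : $8   # udp rows lack the State column
            if (host != "127.0.0.1") print $1, port, prog
        }'
}

# Narrow the exposed list to the 1030-1040 range the question asks about.
exposed_gnome_range() {
    exposed_listeners | awk '$2 >= 1030 && $2 <= 1040'
}

# Demo on the constructed sample: five exposed sockets, two in the GNOME range.
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_gnome_range
```

On a live host, replace the sample with `netstat -plenA inet | exposed_listeners`; the X server row disappears from the report once it is started with -nolisten tcp or bound to loopback only.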

  68. And Xdm? by jtgold · · Score: 1

    Any ideas on how to make this work for Xdm (actually, gdm would be more interesting...)?

  69. Re:Quit your whining use ipchains by cmg · · Score: 1

    These ports are dynamic I believe. It really is a pain to just set up what should be a few simple rules.

    Yes, just picking the ports you want to let through is the correct way to firewall but It'd be nice if the gnome stuff was linked with libwrap.

  70. Re:My experiences by sampson · · Score: 1

    i'm wondering if you can give me a copy of the ipchains commands/script you're using. i have a very similar setup and would like to see if i missed anything. please email it to the address above(pericles(at)hushmailDOTcom)

  71. Re:OpenBSD firewall by Omar+Djabji · · Score: 1


    Why not just put another network card in your existing firewall and adjust your ipnat.rules and ipf.rules files.

    Instant DMZ at a fraction of the Siemens Linux terminal :)

    Then you don't have your "dirty DMZ packets" flying over your internal network, even just to go to your second firewall.

    --brent nelson

  72. Re:Could an old... by / · · Score: 1

    From the article: "I know I could use a spare machine as a firewall and run Linux's IP masquerading. My only spare machine, however, is an old 486dx2-66 with an NE2000 ethernet card. Not exactly a speed demon, and speed is exactly why I got a cable modem."

    That would be a "no".

    --
    "If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
  73. Re:That's more than enough machine for a NAT firew by ano · · Score: 1

    Last time I checked, sometime around kernel 2.1.125, my 25MHz 386 with 2 3c509 could easily route 3mbps with 64 byte packets.

  74. Re:Firewall by kwerle · · Score: 1

    486 DX4/100 w/ 32M RAM running FreeBSD with ipfw, natd, ssh, thttpd, and a couple of other things on my cablemodem. In general, idle stays above 80% - except when hitting the perl cgi scripts :-) Poor little thing. I'm ecstatic with it as my firewall, though! I certainly don't notice it slowing me down - how hard is natd and a bunch of comms stuff, anyway :-)

    Really we're all spoiled with all this bloatware and GUIs and OO work environments (KDE/GNOME) - which are great - don't get me wrong. But, really, what do you need your firewall to do? Certainly you don't need 100's of MHz...

    FREEBSD ROCKS!

  75. ipchains by ldanna · · Score: 1

    Just don't allow anyone except localhost to connect to them

    1. Re:ipchains by UrLord · · Score: 1

      OpenBSD uses IPFilter and IPNAT for firewalling and NAT respectively. ipfilter and ipnat seemed a lot easier to set up than ipchains looked, of course I haven't had the "pleasure" of using ipchains yet so I'm a little biased... =]

    2. Re:ipchains by Zurk · · Score: 2

      2.4 uses netfilter...as i recall FreeBSD/OpenBSD all use the same thing. i think the syntax is pretty much the same so you might try looking at their netfilter docs.

    3. Re:ipchains by andrez · · Score: 2

      There's a good book about security on Linux: "Linux Firewalls", by Robert Ziegler, New Riders editors. It talks about ipfw, ipchains and all that stuff about setting up a "formal" firewall. You might want to take a look at it.

    4. Re:ipchains by fsck · · Score: 2

      Any chance of making scripts for 2.4/iptables? I know a long time ago it was announced you were working on it, but it has since disappeared from the site. I would like somewhere easy to start on the 2.4 firewall without having to use the ipchains-kludge included in 2.4

      I have an old version of your scripts modified heavily to suit my needs on the 2.2 firewall, thanks!

      --

      Lars - ...I could always phone Linus when I had a problem.
  76. Re:The easiest way by MadAhab · · Score: 1

    careful of recent remote exploits in dhcp clients. Don't want @home breaking into your linux box hehe. keep up to date...

    Boss of nothin. Big deal.
    Son, go get daddy's hard plastic eyes.

    --
    Expanding a vast wasteland since 1996.
  77. Uhmm. 3 lines and you're pretty well off. by mxs · · Score: 1

    ipchains -A input -i eth0 -p tcp -y -j DENY -l
    ipchains -I input -p tcp --dport ssh -j ACCEPT

    You could also block UDP Ports from 1-1024 for good measure :

    ipchains -A input -i eth0 -p udp --dport 1:1024 -j DENY

    Of course you'd need to adjust eth0 to the interface you're going to use.

    This is just some basic port filtering. If your SSH server is secure (CHECK!), this is perfect. If you want to further secure the box in order to leave services open and not feel bad about it, you'll have to do a lot more, most of it common-sense, some of it non-trivial ;-) You might also want to Block some ICMP traffic if you're truly paranoid (does anybody need to ping you ? no ? turn it off ;-), or even go as far as rate limiting ingress and egress traffic with tc (from iproute2) to suit your needs.

    Of course, putting a firewall in front of your machine is ALWAYS a good idea. A 486 is WELL able to handle the load of a Cable Modem. Do a MINIMUM install of your secure Free System of choice (that is, OpenBSD or Linux), set up NAT and the rules above, and churn away on the net. Do NOT enable anything else on that box, as it would defeat the purpose. No extra services, no nothing. Of course you might use some proxies, but if you do, make absolutely sure they're attached only to the interface on your LAN and not to your cable modem. Proxies may either add to or decrease security, depending on how you deploy them. My setup is NAT + daisychained Junkbuster & Squid.

    Hope this helps a little. Generally, just follow common sense and don't leave ANY ports open that you don't trust completely.

  78. 486 not fast enough? by redhotchil · · Score: 1

    486 not fast enough? ethernet is 10 mbit and cable is normally 1.5 mbit max (which i've never heard anyone else get) I can't see how a 486 could suffer enough to drop to bandwidth under 1.5 mbit. If so, a nice ethernet card wouldn't be very expensive at all. If you use one of those disk ethernet-routers you'll be guaranteed to get speed performance since everything is loaded from memory. Still think its too slow? Buy one of those 100 dollar out-of-the-box router things. Notice my recommendation in my sig :P

  79. issues by superlame · · Score: 1

    A 486 should be able to keep up with the speed of the internet connection. Of course, this depends on two things. First, it depends on the speed of your connection (like is it 640k or 7mbit?), and the complexity of the firewall setup. A simple firewall and a reasonably slow connection (like only 1.5mbit) should pose no problem to the aging machine. However, a complex firewall and a fast connection would be hard.

    That said, on your main machine, just set it up so that requests on ports from external interfaces are denied. You should be able to set that in your hosts.allow and hosts.deny file. Just add ALL:127.0.0.1 to the hosts.allow file, and ALL:* to the hosts.deny file. From there add services you want allowed to get through to the hosts.allow file.

    --
    -- Superlame http://catpro.dragonfire.net/joshua/
  80. Re:I run a portscan detector by perlmangle · · Score: 1


    >even worse from your gateway IP, there went your internet access

    I've heard this crap before and I simply have to respond.

    You can block all packets coming from your gateway and you will not experience a loss of connectivity. Dropping packets from your gateway only means that packets with that machine's source address are ignored, it does not mean that every packet that goes through that machine is blocked, as your statement implies. If you firewall out your gateway, then you won't be able to ping it, it won't be able to ping you, you won't be able to connect to its web server (why is your router running a webserver?), you won't be able to get your email from your router, etc, and so on. None of this really matters in the normal case (99.99% of the time). Your machine will still happily accept packets from sources that simply pass them through a host you have completely firewalled out, which is the entire Internet (minus your router). Yahoo doesn't stop working just because you drop packets that originate from your gateway.

    Get a clue about TCP/IP. Also please understand that I still don't think that automated blocking of portscanner's IPs is a good idea.. it isn't. But your notion of IP routing is false and I cannot bear it without comment.

  81. Re:WHAT the heck are you talking about? by RallyDriver · · Score: 1

    I have never had anything other than my Linux box on TW/RoadRunner - there are a number of excellent scripts / tools which are portable, open source replacements for Road Runner Manager. I got my system online for the first time 11 minutes after getting in the door with the cable modem, including compiling rrdhcpcd/rrlogind - a number I have yet to hear of a Time Warner tech matching on Windows. :-)

    Here in Austin TX, AFAICT Linux outnumbers MacOS on their network, but they are doubtless largely blissfully unaware. The reason they did away with the login widget was no doubt simplicity, and the fact that the touted "nanny" feature of multiple passwords was little used. They now appear to use the modem's MAC address for authentication.

    I recently had them pay me a visit to replace a dead cable modem, and the tech called in the modem serial number - maybe just show though? He also happily tested the circuit using command line ping from a bash shell without comment.

  82. Re:Update your Gnome install by QuantumG · · Score: 1

    I expected about 400% more flame in this reply.

    --
    How we know is more important than what we know.
  83. 486 will do! by esapro · · Score: 1

    I use an ancient 486/66 w/32mb ram (a VLB machine no less!) on RR. It gateways/firewalls for three machines in my house. In the early morning hours (Pre-7am), I can get nearly 1mb/sec downstream. I have never tried the cable modem straight in (I set this up the day they installed RR), so I cannot say if the Linux box is slowing me down, but I can consistently get 300-600kbs average. Better than a modem, and no DSL CO-distance worries, or (at least around here) finger-pointing from multiple vendors about where the problem lies when something goes wrong (DSL here can be a real PIA AFAIK).

    Jim.

  84. Re:The easiest way by Broccolist · · Score: 1
    DHCP? Seems like overkill for a home network. When you only have 3 or 4 boxes, it's more trouble than it's worth. And if your DHCP server is down or away (because you are gone to a LAN party, say), you'll have to make changes to the configuration of your client box.

    It's worth writing your own ipchains/iptables scripts, also. Once you've gotten the hang of it, you can start doing nifty things like port forwarding and packet logging. I sleep well at night knowing that every SYN packet to any suspicious port is logged.

  85. Re:Could an old... by Rufy · · Score: 1

    Very true. I'm using a 486dx2-66 with 24MB ram as a firewall and it works beautifully.

  86. Re:Is there some sort of anonymous scp? by Ophelan · · Score: 1
    Personally, I leave FTP running on my machines, but only for anonymous (the daemon is configured to disallow users from logging in). Real users have no choice but to use scp.

    ---

  87. LinkSys EtherFast Cable/DSL Router by tilleyrw · · Score: 1

    This is the perfect solution to the problem presented. A router that also doubles as a firewall, does IP forwarding, etc. Go online and research this nifty item to find why they've been back-ordered at many resellers.

    Love -- spread it those around you
    Disdain -- that's what all the rest get

    --
    This post encoded with ROT26. If you can read it, you've violated the DMCA. Handcuffs please, sergeant.
  88. Re:Userspace threat, definately. by aidan+skinner · · Score: 1

    Any program which grabs a network socket and accepts connections from the outside world represents a potential threat from buffer overflows.

    Any program written in C-like languages may be vulnerable to buffer overflows.

    Programs written in other languages (which don't let you do that kind of shit) won't.

    Buffer overflows should have been eliminated in 1980, along with GoTo and C itself[1]

    Aidan

    [1] If you want assembly, you know where to get it. If you want a programming language, try here

  89. PMFirewall by Captain+Bumpsickle · · Score: 1
    Have you heard of PMFirewall? I use an @Home cable modem and run Gnome with this package.

    Basically, PMFirewall is just a script to help you configure all of your TCP ports and IPCHAINS/IPMASQ. I have found it easy to use, but I am sure there are alternatives that are just as good.

    I would like to point out that I haven't performed a complete and thorough test to determine how secure my system is. I did run the "ShieldsUp" test at grc.com and it couldn't find any open ports or access any services. This may not be the most exhaustive test around, however, so I can't give any guarantees.

  90. Re:Question: How long can High speed ISPs ban serv by mebob · · Score: 1

    I wish I could get a 10Mb connection... looks like a great service, but what is with the prices on IPs! $50 for an extra static ip?

    --
    =1000101
  91. heh, my ISP used to port scan me semi-hourly by Whelkman · · Score: 1

    Then I complained so much that they stopped. I don't know what they were looking for, anyway: what kind of useful server can I serve on a 56k modem (31.2k upload)? It must have irritated them to scan me; I've tried scanning myself remotely and it takes an hour and a half just to get through the first 1500 ports.

    I deny my whole ISP's network from access on all TCP ports. My ISP inquired once what kind of servers were running on "those high ports, like 4400 and 5000". They were asking me about ICQ ports. What losers. But now they can't even see these; I'm still paranoid, though since UDP isn't as locked down as TCP (I have problems when I try to block UDP from my ISP). I also shut off ICMP so ping dumps these nasty debug messages when it's used. I fear my ISP way more than I fear any random hacker.

  92. Re:Get thee a firewall ... by suky · · Score: 1

    I bought one of those for a network I administrate.. the darn things only support a class C subnet mask, instantly rendering it useless because of the class B scheme that we were using.. Attempts at contacting linksys have turned up nothing. Anyone know of one of these cheap (around $100) NAT boxes that let you change the netmask instead of it being fixed at 255.255.255.0?

  93. Re:Put in a hardware firewall by suky · · Score: 1

    Hey, that sounds cool! Do you have it available anywhere? That sounds like something fun to have around.

  94. Dont waste your time by ffatTony · · Score: 1

    Just turn off unnecessary ports and those that are opened by software you need, but don't want to expose to the world, use ipchains (2.2.x) or iptables (2.3.x/2.4.x) to lock down. You can do some pretty great stuff like let only certain hosts see certain ports or hide 'em all.



  95. 486 = good firewall by jtosburn · · Score: 1

    I've got a 486-100 acting as a firewall / mail server on a dsl line, doing NAT for ten users. Works like a champ! Tests have shown that a 486 doing NAT and simple ipchains filtering can saturate a T1, so dust the cobwebs off of that 'ol 486 and let 'er rip!

  96. Should be fine by orblee · · Score: 1

    That 486 is more than capable of being a firewall. Obviously if it was trying to cope with numerous users it wouldn't work, but it'll be fine for just 1-5 users. You could even stick squid on it and so have a proxy server and it'll cope. You'll have to do some jiggery pokery if you want to be able to ssh to your machine from outside though, but hey, that's what life's all about!

  97. 486 should be enough. by xENTROPYx · · Score: 1

    Like other people have mentioned, a 486 should just be enough for NAT and firewalling.. We have a home network here with 17 machines, most of them linux-based. All of these machines are behind an OpenBSD box (running a Pentium 90) that does NAT translation and firewalling. Works like a charm. There is no slow down from the processor at all.

    ..and of course, I would have to suggest learning about OpenBSD if you don't have much experience with it. Makes an AWESOME firewall machine. ;)

    -xENTROPYx

  98. sftp by whm · · Score: 1

    If you like the ftp interface but want to be secure, you may want to check out Secure FTP (sftp). sftp sits on top of ssh and does not require a daemon to be run on either side. It's nice.

    Here's the url, http://www.xbill.org/sftp/

    Heath

  99. One simple solution... by Cantara · · Score: 1

    Here's an easy solution: Build the firewalling stuff into your kernel (or as modules) and just deny all incoming traffic on those ports that is not from localhost. Of course, it'd be just as easy to run the other box as NAT. And as several others have mentioned, a 486/66 can route for a T1 with no problem. Cable shouldn't give it a problem.

  100. linux and intros to security by Bogatyr · · Score: 1

    Three starting points:
    a)
    http://www.cnn.com/TECH/computing/9906/03/linux.ent.idg/index.html

    b)
    a local user group presentation on networking and security issues
    http://www.mindspring.com/~joncarnes/linux/securingURbox.html

    c)
    a nicely done presentation to TriLUG on Linux security in August 1999, archived at

    http://www.nwo.net/security/

  101. Re:How do you check ... by mnot · · Score: 1
    I like

    lsof -i

  102. 486? fast enough by Sammeh · · Score: 1

    Your 486 is fast enough to handle the bandwidth of a 10bt network. It'd be fine as a router.

  103. But... by addison · · Score: 1

    It also doesn't have the bottlenecks that an x86 (PC) does.

    So in all fairness, comparing a router built to route versus a PC used to route (and 486s have a lot of legacy that can/will bottleneck them) isn't fair.

    It's not *JUST* the processor.

    Actually, I priced a 2501 (my cablemodem goes in Thursday) with my discount yesterday. $400 for the 2501. But the firewalling software was $1000. Oh well. The Cyrix 200 might just get built today. :)

    Either that.. or the SS5 will route... and I'll run Token ring in the apartment. :)

    Addison

  104. Re:How do you check ... by Kishar · · Score: 1

    man netstat

  105. OS Diversity by AntiBasic · · Score: 1

    Why not put *BSD on the 486, you'll have a chance to try the OS without the hype? You'll be pleasantly surprised just how well ipfw or ipf work. Be open-minded.

  106. /sbin/ipchains by invictus · · Score: 1

    /sbin/ipchains -A input ! -s 127.0.0.1 -p tcp -d xxx.xxx.xxx.xxx 10xx -j REJECT

    (make all that one line, change xxx.xxx.xxx.xxx to either your static IP or a mask for whatever range of IPs you're assigned by the modem... make an entry for each port (10xx = {1030,1031,...,1040}) all better).

    --
    --Ks9

  107. Do NAT with the 486 by ev0l · · Score: 1

    I also have Road Runner. I have a 486 with 2 NE2000 NICs and 16 megs of RAM running NAT (IP masquerading) and acting as a file server (I have to have a place to store my MP3s). It runs great.

    I have set up my /etc/hosts.allow file to only allow connections from my local subnet and NFS (for my MP3s) only allows connections from one host on my local subnet.

    There you go, a fairly secure home network that is very easy to set up.

    Set up the 486 to run IP masquerading. You are then able to run more than one computer off the same connection if you ever need to in the future.

    Thanks
    Will

  108. Re:Biggest threat? by inburito · · Score: 1

    I wonder how long it will take until cable companies start to hire outsiders to scan their networks...

  109. Re:Put in a hardware firewall by inburito · · Score: 1
    Couldn't this port scanning be considered malicious activity? If it is done by your ISP (cable company), you could have a lawyer draft a nice letter for them in which you threaten to sue them if they do not stop their hacking attempts.

    Then again, you probably waive this right by agreeing to the TOS, or do you?

  110. dx266 Should be plenty! by twivel · · Score: 1

    My previous company asked me for a quick firewall solution for their intranet to access the internet. So I dug up a 486 dx 33 w/340 meg hard drive to serve the purpose. It was plenty fast enough to saturate our T1 connection with 200-400 users on the internet at one time. If you get a heavily hit website, that might be a different story. But if all it does is route and masquerade, it will be enough to do the job.
    --
    Twivel
    Microsoft Humor

  111. Re:Speed & Security by retsrof · · Score: 1

    I highly recommend having an old computer as a firewall. The 486 will do just fine

    I agree; my firewall runs on an old 486DX2-66, 32MB RAM, 127MB HD, two Intel EtherExpress Pro/10 ISA ethernet cards and it works fine for my needs (@HOME cable connection).

    I use the free EDGE Firewall from Fireplug Computers (recently acquired by Lineo), based on their ThinLinux distribution. It is a stripped down Linux that does packet filtering and NAT, and uses DHCPCD to connect with my ISP (@HOME) and serves DHCP to my LAN.

    It is amazingly easy to set up if the instructions are followed carefully, and being Linux, it is as configurable as you want it to be.

    I have not noticed any reduction in speed since setting up the firewall, though I must admit that the service I get from Rogers@Home is not what it used to be since all my neighbours jumped on the high-speed bandwagon. (I get max 150 KB/s these days, and am moving to ADSL as soon as a port comes free.) If I was still getting top-line cable speeds I might be seeing some limitation due to the slow ISA bus (no PCI in this box), but the processor is not a limitation.

  112. i486DX2-66 is plenty fast for ip masq by tsphere · · Score: 1

    I'm writing this from behind a 486 firewall on a DSL connection. There is no appreciable speed decrease when you go through a firewall of this type. In fact, I've discovered that a 486 firewall has no problem saturating a 10 Mbps ethernet connection. Remember, ethernet is something like 3 times faster than cable.

    I would, however, make sure the firewall has at least 32 megs of memory (as yours does). Linux (and other modern OS's in general) are very memory-hungry and slow down greatly when starved of it.

    --
    Tetris rules.

  113. Ummm... a firewall or ipchains is overkill by JAPH+Doggy · · Score: 1

    Those open sockets are from ORBIT which understands the '/etc/hosts.{allow,deny}' files.

    If you've configured TCP-Wrappers correctly, then you're good to go.

    --
    A PC without windows is like chocolate cake with no mustard.

    1. Re:Ummm... a firewall or ipchains is overkill by flikx · · Score: 2

      Try telling that to people who have been cracked in the past. When I lived in the dorms, I had a FreeBSD box ravaged for no reason, just people being assholes.

      With security, overkill is not a bad thing. I can brag about my '31337' firewall / masq gate I made for my office all I want, but all it takes is one hole, and I might as well be running an NT server as my router.

      "obsolete" computers are easy to get.. most of mine were given away to me. It's well worth the effort to set up some extra security. You never know when you will need it.

      The author of the article mentions that he has an extra 486 sitting around. What should be done with it? Should his wife use it to run windows 3.1 and play solitaire? At least my wife uses linux, so I don't need to argue over all the computers in the house. I set up the network, and she gets work done.

      Firewall, Masq, filter, and firewall again.. make it harder to break. (ignore the irony in the sig.)

      --
      One future, two choices. Oppose them or let them destroy us.

  114. Security and installed programs by buma · · Score: 1

    Actually, having the compiler and tools installed isn't a security problem. Having X installed is, but the reasons for that are not clear from your post.

    The OS is responsible for making sure that all code run by a user is subject to the security restrictions placed on that user. Barring bugs in the kernel (or processor) the ability to compile code gains nothing for the user.

    That leaves having another user run code on your behalf. This includes: SUID/SGID programs with buffer overflows, insecure services and trojans.

    Thus, X is insecure because it includes programs that are SUID/SGID or run as root and are linked against Xlib, which contains many exploitable bugs.

    If you are interested in knowing what programs may be most vulnerable, use ps to see what root is running, and find to locate SUID/SGID programs.

    ps is also useful to determine the contents of the PATH variable for processes running as root. Make sure no directories in root's path are writeable by anyone but root! This would allow users to produce trojans easily.
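    The audit buma describes (SUID/SGID binaries, root's PATH, and which directories in it a non-root user could write into) as a small POSIX shell script. This is an added example, not code from the thread; the directory tree, PATH string and owner you pass in are placeholders you supply.

```shell
#!/bin/sh
# Added example, not from the thread: helpers for the checks buma lists.
# Assumptions: GNU or BSD find/ls; Linux /proc for root_path; you pass the
# tree and the PATH string to inspect (placeholders, not thread values).

# List every SUID or SGID regular file below DIR, staying on one filesystem.
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Print the PATH of a running process by PID (what "use ps" boils down to
# once you want the actual environment, not just the command line).
root_path() {
    tr '\0' '\n' < "/proc/$1/environ" 2>/dev/null | sed -n 's/^PATH=//p'
}

# check_path_dirs PATH [OWNER]: print every PATH element that someone other
# than OWNER (default root) could write into, and return 1 if any exist.
# A writable directory in root's PATH is exactly the trojan vector buma
# warns about; an empty element or "." means "current directory", which is
# never acceptable for root.
check_path_dirs() {
    owner=${2:-root}
    bad=0
    oldifs=$IFS; IFS=:
    set -- $1                                # split PATH on ':'
    IFS=$oldifs
    for dir in "$@"; do
        case $dir in
            ''|.) echo "relative element (cwd) in PATH"; bad=1; continue ;;
        esac
        [ -d "$dir" ] || { echo "missing: $dir"; continue; }
        line=$(ls -ld "$dir")
        perm=${line%% *}                     # e.g. drwxrwxr-x (may carry a trailing + or .)
        dirowner=$(echo "$line" | awk '{print $3}')
        case $perm in                        # char 6 = group w, char 9 = other w
            ?????w*|????????w*) echo "group/world writable: $dir"; bad=1 ;;
        esac
        [ "$dirowner" = "$owner" ] || { echo "owned by $dirowner, not $owner: $dir"; bad=1; }
    done
    return $bad
}
```

    On a live box this is `find_setid_files /` and `check_path_dirs "$(root_path 1)"`, run as root.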

  115. Re:Get thee a firewall ... by Talonius · · Score: 1

    Crossover cable works, or my setup: modem plugged into my hub via crossover cable, and two cables going from my hub to the Linksys router. The WAN port plugs into the uplink port on my hub (acting as a crossover) - why?

    I have 5 static IPs, but 12 computers. ;P 4 of my machines are servers and need direct access to the 'Net. The Linksys router acts as a NAT router for the rest of the machines.

    Lovin' that little baby! Better was that when I had to use PPPoE the router supported it, so to get my machines up and running I had to install -0- software.

    And I paid $200 for it because I wanted it // right now // and I still don't regret it. :-)

    (BTW my "modem" is a bridge. Are all DSL "modems" actually bridges?)

    -- Talonius

    --
    My reality check bounced.

  116. I have RR by gfxguy · · Score: 1
    An old 486 will do just fine as a firewall.

    One setup I had used the 486 (with PCI slots...see below) running OpenBSD. Nothing enabled, not even ssh or anything except NAT. I have a $10.00 8 inch NCR green monitor hooked up to it for console only logins.

    It needed PCI slots because RR service (at least in my area - Atlanta) is locked to the NIC adapter's ethernet address. Their DHCP server wouldn't give the other card an IP address. I was stuck for a while until I took the card from my Pentium (which is what RR was installed on) and put it in the BSD box. That worked. You can also call them up and tell them you have a new card and give them the number.

    But I guess all I wanted to say was that I had a 66Mhz 486 being the firewall for two computers, and never noticed a slowdown - even when both were accessing the internet. The bottlenecks are usually somewhere else.
    --
    Stupid sexy Flanders.

  117. routing speed by rastaguy · · Score: 1

    A 486DX266 with 32M will route a T1. Don't worry about your cable modem speed.

  118. Re:My experiences by bjd145 · · Score: 1

    Right now at my home, I have a 486 DX2 50 MHz with 24 MB of RAM running Red Hat with ipchains, with five computers behind it for my dad, mom, and brother, and I haven't seen any decrease in performance. ipchains takes a little while to learn but it can be a very powerful tool to keep everyone out.

  119. ipchains is the answer by kevdog · · Score: 1

    Just set up some tough rules for ipchains. Check out the following web site. It sets up a pretty good firewall which can be made to suit your needs.

    http://linux-firewall-tools.com/linux/firewall/index.html

  120. Re:WHAT the heck are you talking about? by cwebster · · Score: 1

    I'm on cable in Austin too *makes a longhorn symbol and points himself northwest in his apt on Riverside* and have had no probs with a Linux box on their network. I've even called their support and they are aware I'm running Linux. I also believe the authentication is based on an ID from the modem, as I have 2 IPs (so 2 roommates can play on the same Half-Life or Starcraft server at the same time) and the modem was only able to let one of the IPs be active at any time, so when I called the tech, after confirming that it was the modem, the tech banged away at his machine for 2 minutes or so and then I could get 2 IPs. Also, plain vanilla dhcpcd works on RR's network; you don't need rrdhcpcd. RR has been great about service too; every now and then during peak usage times the network gets laggy, but if you let one of the techs know about it, they generally work out the problem.

  121. Re:Firewall by BigRedZX · · Score: 1
    How fast do you think the CPU is in those SOHO Cable/DSL routers anyway?!?!? :-)

    Many use an ARM7 core ASIC. Not exactly a powerhouse, but more than enough for the job at hand.

  122. I just can't resist a troll.. by swdunlop · · Score: 1

    That's right.. And no one using nmap might have noticed that friendly little TCP port out there by his lonesome, or an entry in the services, or looked at netstat or anything..

    Well, in case you were worried, Slashdot wasn't the first to mention these vulnerabilities. There have been vulns listed all over Bugtraq about Gnome. Orbit being wrapped in tcp_wrappers was a fair to middling belt-and-suspenders solution, but it's still going out the door with dangerous default settings, and tcp_wrappers is not sufficient protection on a multiuser machine by itself.

  123. Re:gnome doesn't care about security by swdunlop · · Score: 1

    Yes, it's a threat. There are at least two Orbit-relevant gnome vulnerabilities listed on Bugtraq (search for keyword 'orbit'), and several more associated with gnome.

    I don't care whether they are security conscious or not. I don't want my word processor listening to a port, and I /definitely/ don't want that port to be one accessible by an outside influence. Hell, I don't even want the guy two offices down to see it.

  124. Re:Just firewall it... by swdunlop · · Score: 1

    Maybe it's a honey pot, and maybe he'd like to see what you try to attack it. I've done similar, in other forums, of course, and stuck an IDS system next to the target just to see what came by.

    Most of it was boring stuff, but I saw a couple interesting tactics.

  125. Overkill is your Friend by swdunlop · · Score: 1

    There is always the concern that one defense or another will have a hole. I personally would also advocate using a different OS for your firewall than you use for your interior workstations; in this case OpenBSD and ipfilter is my favorite.

    Configure ipfilter in a nice and paranoid fashion, ensure via nmap that no services are addressable, (inetd, portmap, etc, etc.. ) /then/ go about placing ipchains input rules on your interior boxen.

    The idea is, even if there is a vulnerability found in the firewall box, there is a different type of wall protecting your secured hosts. ipfilter is also available for FreeBSD, in case you find OpenBSD a little too user/hardware-hostile.

    For more info on ipfilter visit The IPFilter HOWTO and The IPFilter Mailing-Lists.

    (Zealotry Notice, *BSD-fanatic who wouldn't trust ipchains with Bill Gate's homepage, but understands that Helix is addictive.)

  126. Re:Clarifications by swdunlop · · Score: 1

    Actually, about that 486 claim.. I had an IBM 701c Thinkpad that didn't handle a 10/100mbps 3com Ethernet under RH6.1 very well in a 100-only environment. It would just fall all over itself with big downloads.

    Mind, you're probably not going to get that with Road Runner, but one never can tell. =)

  127. Re:A couple of notes on this... by swdunlop · · Score: 1

    I believe it's a legacy problem stemming from the fact that ORBit is a cornerstone of gnome, and being Corba, is capable of remote messaging with other hosts for various savory, and unsavory reasons.

    HelixCode probably didn't notice that the default config was wide open, at first. Whups.

  128. Re:Are the listening ports wildcards? by swdunlop · · Score: 1

    *cough* That's assuming there are no problems in your TCP/IP stack. Which is much like assuming the stock market is going to go up.. Usually you're right.. But boy, when you're wrong... ;)

  129. Re:Just use ipchains by swdunlop · · Score: 1

    Whoa! Careful.. Blocking the SYNs will stop most trivial and well-formed attacks, but there are still FIN scans and other attacks that don't have the SYN flag set.

    There are a whole raft of exploits involving the use of forged ip fragments that would get around that rule. While your average script kiddie doesn't seem to be using them, it's only a matter of time until someone automates it for those chimps.

  130. 486 OK by twitter · · Score: 1

    486 at 66MHz with 24MB RAM, 500MB hard disk, and 2 3Com 509Bs produces no observable latency. It also produces the @Home-banned personal network so you can share all of your resources.

    --

    Friends don't help friends install M$ junk.

  131. Put a BSD and IP filter on the 486 by jcmc · · Score: 1


    Definitely better than some proprietary "firewall" box that undoubtedly has its own built-in security problems. Anyone that follows bugtraq will know what I'm talking about.

    IPF is better IMNSHO than any other stateful packet filter available, free or otherwise. It's great, use it, tell your friends. Darren Reed owns you.

    - jcmc

    --
    /* Insert amusing signature here */
  132. Re:Clarifications by whovian · · Score: 1

    Please pardon my ignorance (and do correct me): are there any OSes yet that check for buffer overflow at the "kernel" level? I understand that's a "no" for linux(TM) since there is now the security auditing team combing through code. So what makes OpenBSD inherently more secure?

    --
    To-do List: Receive telemarketing call during a tornado warning. Check.

  133. sucks, don't it? by jmd! · · Score: 1

    This was the major reason I stopped using gnome: every program opens up a publicly accessible TCP port. While I'm sure you can/(will be able to) do some neat remote stuff with a system like that, it's just not secure, at all. Software under as much development as gnome is, being hacked together by god knows who, and listening on 15 ports... there's gotta be a bunch of overflows in there somewhere.

    I use plain sawfish now, and 'gkrellm' gives me all the pretty CPU/mem/net graphs I had on my panel, plus the weather too, WITHOUT opening up 5 backdoors.

    1. Re:sucks, don't it? by jmd! · · Score: 1

      Oh, i forgot to mention...

      people here have suggested firewalls.

      You can't firewall it; it binds to random ports... whatever is available. So you'd be having to add a firewall rule every time you launch any gnome app ('glines &; ipchains -A ...')...

      fun!

      P.S. Speaking of glines, can anyone beat my 714 score? I think that's pretty good...

    2. Re:sucks, don't it? by norton_I · · Score: 2

      Always, always, always set up firewall rules to deny everything, then allow only the service(s) you want (namely, ssh). Also, just out of habit, all packets with internal or localhost IP addresses coming in off the external ethernet should be logged and dropped.
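    The deny-first layout norton_I describes, with invictus's per-port ORBit rule (post 106) folded in as a single port-range rule, as an ipchains script for the masquerading 486. This is an added example, not code from the thread; the interface names, addresses and the 1030-1040 range are placeholder assumptions, and setting IPCHAINS=echo prints the rules instead of loading them (loading needs root and a 2.2 kernel).

```shell
#!/bin/sh
# Added example, not from the thread: a deny-by-default ipchains ruleset for
# a masquerading gateway. Assumed placeholders: EXT_IF/INT_IF are the
# cable-side and LAN-side NICs, EXT_IP the address on EXT_IF, LAN the inside
# network. Set IPCHAINS=echo to print the rules instead of loading them.
IPCHAINS=${IPCHAINS:-/sbin/ipchains}

# load_rules EXT_IF INT_IF EXT_IP LAN
load_rules() {
    ext_if=$1; int_if=$2; ext_ip=$3; lan=$4

    $IPCHAINS -F input; $IPCHAINS -F forward; $IPCHAINS -F output
    # 1. Deny everything first, then open only what is wanted.
    $IPCHAINS -P input DENY
    $IPCHAINS -P forward DENY
    $IPCHAINS -P output ACCEPT

    # 2. Trusted sides: loopback, and the LAN arriving on the LAN NIC.
    $IPCHAINS -A input -i lo -j ACCEPT
    $IPCHAINS -A input -i "$int_if" -s "$lan" -j ACCEPT

    # 3. Anti-spoofing (norton_I's habit): a loopback, LAN or our-own source
    #    address arriving on the cable side is forged. Log (-l) and drop.
    $IPCHAINS -A input -i "$ext_if" -s 127.0.0.0/8 -l -j DENY
    $IPCHAINS -A input -i "$ext_if" -s "$lan" -l -j DENY
    $IPCHAINS -A input -i "$ext_if" -s "$ext_ip" -l -j DENY

    # 4. The one service exposed on purpose: ssh.
    $IPCHAINS -A input -i "$ext_if" -p tcp -d "$ext_ip" 22 -j ACCEPT

    # 5. The GNOME/ORBit range from post 106 as one rule: ipchains accepts
    #    low:high port ranges. The policy already denies these; an explicit
    #    logged REJECT makes scans of them visible in the log.
    $IPCHAINS -A input -i "$ext_if" -p tcp -d "$ext_ip" 1030:1040 -l -j REJECT

    # 6. Replies to connections we opened. ipchains is stateless, so this is
    #    "any TCP packet without SYN" (! -y) plus DNS answers. As post 129
    #    notes, FIN scans and other non-SYN probes pass this rule; only a
    #    stateful filter (ipf, later iptables) closes that gap.
    $IPCHAINS -A input -i "$ext_if" -p tcp -d "$ext_ip" ! -y -j ACCEPT
    $IPCHAINS -A input -i "$ext_if" -p udp -s 0/0 53 -d "$ext_ip" -j ACCEPT

    # 7. Everything else on the cable side: log it, then the DENY policy applies.
    $IPCHAINS -A input -i "$ext_if" -l -j DENY

    # 8. Masquerade the LAN out the cable side (in the forward chain -i names
    #    the outgoing interface). Also needs: echo 1 > /proc/sys/net/ipv4/ip_forward
    $IPCHAINS -A forward -i "$ext_if" -s "$lan" -j MASQ
}
```

    Review the printed rules with IPCHAINS=echo first; the order matters, since ipchains takes the first matching rule.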

  134. Try this. by Raymond+Luxury+Yacht · · Score: 1

    I use Seawall on my home box, and aside from simply shutting down ports (which you can open manually if you want) it basically stops your box from responding to any pings. If the kiddies don't see you, they won't bother you.

    --

    Ceci n'est pas une sig.

  135. All-in-one... For a price by gavinmead · · Score: 1

    If you are looking for a small-scale NAT/VPN/Firewalling device, I HIGHLY recommend a product from Netscreen Technologies. I have played with the Netscreen 5 and have been VERY pleased. However, don't expect to get all those cool features without a little $$$ up front. I think the Netscreen 5 ran the company 300 bucks or so.

  136. Re:how about e-smith? by crivens · · Score: 1

    I would recommend E-Smith as well. It is perfect for this kind of scenario, although you'd need to check the minimum requirements.


    stodge.net - my corner of the web

  137. Re:Firewall by biohazard99 · · Score: 1

    Off topic, but an interesting question: Does anyone remember a story (c. 1994 Popular Science) about Chrysler buying all the remaining 286s in stock for use in their passenger cars? That would be the ultimate oddball *nix box, if a 386 could be swapped into the car computer.

  138. Re:OT: Roadrunner billing nastiness by biohazard99 · · Score: 1

    Wait! Teledesic is planning on launching 2-way sat broadband and I have heard rumors that echostar/DISHnetwork were planning the same, early 2001 roll out. Damn shame it should happen about the same time I can get DSL at my parents' place.

  139. OT Mac question by scruffyMark · · Score: 1
    Could you tell me, does OS X have IPFilter built into it like some BSD's do? I only have the one computer, and it would be nice if I could just edit one file and have it do the firewalling for me, without needing to get more software, etc.

    Thanks in advance.

    --

    What is the robbing of a bank, compared to the founding of a bank? -- Bertolt Brecht

    1. Re:OT Mac question by am+2k · · Score: 1

      Sorry, I signed the NDA.

  140. Re:You don't need IP MASQ to block those ports by Andrew+Cady · · Score: 1

    X11 listens on 6000 for display :0, 6001 for display :1, etc.

  141. Re:Urr, lot's of ports open. by storem · · Score: 1
    x11 6000-6063/tcp X Window System
    x11 6000-6063/udp X Window System
    ias-reg 2140/tcp IAS-REG
    ias-reg 2140/udp IAS-REG

    For more ports go to: http://www.isi.edu/in-notes/iana/assignments/port-numbers

  142. Re:My experiences by dave-man · · Score: 1

    My NAT/firewall/Samba/httpd/ftpd box:

    20 MHz 386 (bought new for $5,000 in ~1987)
    8 MB RAM (maxed out)
    6 GB HD
    2 3c509 NICs
    VGA w/ old 8514 (original monitor smoked years ago)
    Linux 2.0.36-07 (Red Hat 5.2)

    Tested my cable connection with and without the firewall -- no speed impact on transfers up to 2,500 kbps (although I usually see 800 - 900 kbps).

    --
    Bill Gates is a communist -- he's just more equal than the rest of us.

  143. use your 486 as a masquerade box with floppyfw by banbeans · · Score: 1

    http://www.zelow.no/floppyfw/

    Other option: Linksys router. I've used both.
    If you need a small hub, buy the 4-port switch version;
    it isn't a lot more than the 1-port and
    not a lot more than a decent hub.

    I prefer a Linux box; it is more versatile
    and I trust its security more than the
    closed-source Linksys.

    Both work A-OK :}
    YMMV

  144. @Home and IPMASQ by Kryporeal · · Score: 1

    I've been using cable behind an IPMASQ for almost a year now. I've had some attempts at accessing my MASQ machine, but no breaches that I've detected. The router is a 150 MHz Cyrix. Speed of the router is not much of an issue and I think a 486 should be able to handle all the traffic you could possibly put through your cable modem. You do need 2 ethernet cards for the IP MASQ router and you might need a hub for the local net. Also, using 10B2 for your local net won't result in any speed decrement. You do accrue a small latency for each router you add in the chain, but it is usually insignificant. Set up of the IP MASQ is pretty simple. Check the HOW-TO. The only protocol that gave me significant difficulties was irc because of ident. There is a workaround for it though.

    --
    Eschew obfuscation!

  145. very good question by neoThoth · · Score: 1

    I'm glad you asked, as I have wondered myself how to best secure my box. As someone who has to get work in the Wintel world, my skills are mainly NT oriented. Despite that, I am not naive enough to think that my gateway (Athlon 600 with 2 3c905Bs) should be anything other than a Linux-based OS. The problem I've been having is finding good documentation about locking the box down. Currently I run only SSH and turn on services here and there (FTP when I'm away from home) but turn them off again when I'm done. This solution is sloppy, I know, but so far the books I've read (O'Reilly's Practical Unix and Internet Security, and the Building Internet Firewalls book) don't give much in practical advice so much as overall theory and design. I almost feel that my box is *more* vulnerable now, as I would be able to secure an NT box fairly tight (aside from the obvious problem that it's MS to begin with) and defend it. With Linux I don't know as much and am sure that I've committed many common mistakes. So am I better off with a more securable (could be a word) OS that I'm not as skilled in, or a less securable OS that I do have skills in?

    1. Re:very good question by benploni · · Score: 3

      Those are some pretty bad habits you're espousing. Don't turn on ftp *ever* - use scp.

      Enumerate whatever services you are sporadically turning on and off, and either decide that they are vulnerable, and never use them, or leave them on and tighten what you can.

      For example, you already decided to leave ssh on. That's an example of the second option. To continue on that line, tighten ssh by making sure rhosts is off, root cannot log in directly, and blank passwords are disallowed.

      An example of the first option would be disabling ftp for good, and learning how to use scp.

      Ben Ploni
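    A way to check the three ssh settings Ben Ploni names (rhosts off, no direct root login, no blank passwords) against an sshd_config, as an added example that is not part of the thread. It assumes OpenSSH keywords (HostbasedAuthentication is the modern name for the rhosts-style check), that the first occurrence of a keyword wins as sshd does, and classic OpenSSH defaults for unset keywords; Match blocks are not handled.

```shell
#!/bin/sh
# Added example, not from the thread: audit an OpenSSH sshd_config for the
# settings the post lists. Assumptions: OpenSSH keyword names; the first
# occurrence of a keyword is the effective one (sshd's rule); defaults for
# unset keywords are the classic ones (PermitRootLogin defaulted to "yes"
# in older releases; newer ones default to prohibit-password).

# sshd_setting FILE KEYWORD DEFAULT: print the effective value of KEYWORD.
# Commented lines never match because their first field starts with '#'.
sshd_setting() {
    val=$(awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1")
    echo "${val:-$3}"
}

# audit_sshd_config FILE: print each setting that differs from what we want;
# return 1 if anything needs tightening, 0 if the file passes.
audit_sshd_config() {
    file=$1; bad=0
    # "KEYWORD WANTED DEFAULT-IF-UNSET"
    for spec in "PermitRootLogin no yes" \
                "PermitEmptyPasswords no no" \
                "IgnoreRhosts yes yes" \
                "HostbasedAuthentication no no"; do
        set -- $spec
        have=$(sshd_setting "$file" "$1" "$3")
        if [ "$have" != "$2" ]; then
            echo "$1 is '$have', want '$2'"
            bad=1
        fi
    done
    return $bad
}
```

    Run it as `audit_sshd_config /etc/ssh/sshd_config` after every edit, and before restarting sshd.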

  146. Re:My experiences by neoThoth · · Score: 1

    I've heard over and over and over that X isn't secure... at all over public networks. A friend of mine has been going on about SSH redirects lately and I am wondering if it is possible to have secure X exported displays. Any thoughts?

  147. Re:Don't run X? Why the hell do you have DSL? Lynx by benploni · · Score: 1

    Boy, did you miss the point! The machine is nothing but a gateway/router. Why would it need X? His main boxes can run whatever he feels like.

    And that silly line about encrypting stuff on your HD shows you're not too bright. How do you plan on unencrypting /etc/passwd every time it's needed? And if you plan on using a loopback encrypted filesystem, it's all open while the box is up anyway.

    Sigh,
    Ben Ploni

  148. Re:Firewall by benploni · · Score: 1

    How fast do you think the CPU is in those SOHO Cable/DSL routers anyway?!?!? :-)

    Ben Ploni

  149. Re:Just use ipchains by benploni · · Score: 1

    That's nice, but what if you *want* some services to be available to the outside world? Being able to ssh from anywhere into your home network is *handy*!

    Ben Ploni

  150. Re:My experiences by benploni · · Score: 1

    Yes, ssh, if used *correctly* can secure X. What I meant was that you shouldn't be running an X server on the machine. Takes up too much resources.

    Ben Ploni

  151. Go for the firewall by MrSparkle · · Score: 1

    I have both Road Runner service and a 486 32MB machine with two NE2000 cards. Works fine! You're not going to get more than 10Mbps from the outside world at this time anyway. My machines inside the wall are all using 100Mbps cards and my hub is autoswitching. Don't worry about the speed of your firewall machine; just don't use it for anything but server stuff. X is slower than snot, so if you like to use the graphical tools to configure your box, be prepared to wait. Let me know if you have any questions...

  152. 486DX 32MB with a Ne2K as a router by NovaScorpio · · Score: 1

    I personally run a Pentium 66 with *16* megabytes of RAM and an Ne2k-PCI card to the cable modem, and it seems just as fast as if it weren't there. I still get *outrageous* download speeds, and if you really think that it will be too slow, you can always just select 'computer is too slow for bandwidth' in kernel configuration. I definitely advise that you use that 486dx.

    --
    --NovaScorpio
    Matt

  153. Gnome security by slyph · · Score: 1

    Yes, as everyone has stated before, the 486 will do fine as a firewall. Can anyone comment on his other (real) question, however, that of the GNOME open sockets and how to shut them down/securify them? Also, can these be used by nmap (queso) to fingerprint the OS? Are any of the binaries listening on these ports setuid? Can they be configured to listen only on a given interface (lo0)? etc ...

  154. Re:The ports open. by Chagrin · · Score: 1

    You don't need any exploit to exist to know that it is a problem. Exploits inevitably are created to attack open ports like these. It's like showing a thief a locked door instead of a wall - I'd rather show them the wall.

    --

    I/O Error G-17: Aborting Installation

  155. Re:WHAT the heck are you talking about? by rotten_ · · Score: 1

    they don't probe users' systems.

    I can't speak for RoadRunner in specific, but @home *does* port scan. By the same machine every time--and it has a hostname that is like 'scanner.home.com' or something like that. I am not sure what they are looking for as I have some ports (80 and 22 at least) open. They haven't taken action (although I imagine that they may if one had an abusable SMTP server) against anyone that I am aware of.

    -k

  156. OpenBSD, bridge & ipf by Garc · · Score: 1

    I'm running an OpenBSD filtering bridge between my LAN and cable modem. It's a 486/33 with 16 MB RAM. I've had no speed issues, and the logging with ipf is excellent. An ipf howto can be found here. Near the bottom there is a section (B.2?) on how to work with bridges.

  157. the downside of ipmasq by Bad_CRC · · Score: 1
    I've been wanting to set up a 486 box as an ipmasq machine for a while, but I've noticed a serious problem with it.

    I am a gamer, and with most online games, where you go to the server list and hit refresh, the machine will lock up when it tries to hit the 200 servers or so on the list.

    Anybody know a solution to this? I need my Quake and my Tribes.

    ________

  158. Look out! by The+Pim · · Score: 1
    Now that the profile of this has been raised, I'd bet even odds that an exploitable bug in some GNOME desktop component is posted to BUGTRAQ within a week.

    This is just asking for trouble. And, given past history, so unbelievably stupid.

    --

    The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.

  159. Re:10 minute solution: by Borigias · · Score: 1

    But a Cisco 2501 won't route 2 x E1. No really, whatever the specs are :(

  160. Fatal server error. by Remote · · Score: 1
    • I wonder how long it will take until cable companies start to hire outsiders to scan their networks...

    Fatal server error.
    Caught signal 11.


  161. Just use IPChains on the 486 by ScottMan · · Score: 1

    486s are plenty fast to route network information for a cable modem. Hell, a 386 would be fast enough. Especially if you only have a couple computers behind the 486 firewall. HelixGNOME is too new for me to have figured out how secure it is, but I use it myself and have had no problems. I do a fairly minimal install so stuff like gpilot isn't loaded. I'd just use the 486 as a firewall, and if you only have the one NIC use IP aliasing to assign it 2 IP addresses (netcfg in RedHat makes this easy to set up).

  162. How about an out of the box router/firewall? by broken77 · · Score: 1

    Any reason you can't use something like this? I use something very similar for my DSL service at home. If you wanna open up a port such as http, ftp, ssh, etc. just configure the router to do port forwarding. Voila!

    --

    I modded the Troll Investigation and I got

  163. A couple of notes on this... by Ungulate · · Score: 1

    Running helix-update and upgrading the gnome-* packages will close all the ports that were indeed open on previous versions of gnome. I'd wondered about their purpose myself, but was never able to get a straight answer as to why they were ever open in the first place. Incidentally, you may find that after running a portscan on yourself, you have open ports that give no clue as to who owns them. This handy command will tell you:

    fuser 000/tcp

    where 000 is the port number. The result will be the process ID of the port's owner. fuser may be in a place that's not in your path depending on your distro, so you might need to look around for it.

  164. Re:Get thee a firewall ... by xeno-cat · · Score: 1
    I too have one of these (w/ the 100mbps 4-port hub). I run a Linux box to serve up a website and other things that I secured as best I could, and it won't be the end of the world if it gets blasted. What I am concerned about are my workstations, as they have actual work and more extensive installs and configurations.

    What I tried to do was connect my Linux box to my DSL modem and then connect the Linksys to a second ethernet card and have it pick up an IP via DHCP.

    The reason for this was that if my server got hacked, all the other devices on the network would be behind another firewall that had a very restrictive policy.

    This did not work as the Linksys would not connect to the ethernet card on the Linux box. Maybe it needs a crossover cable when going into a hub?

    One final note: the DMZ option on the hub is not a proper DMZ; it basically exposes every port on the designated computer to the outside. If someone compromises that box then they will have unrestricted access to the "adjoining zones". This was the reason I tried to configure the network in the way described above.

    If anybody knows more about this type of setup, please let me know -Cheers

    --
    "A few great minds are enough to endow humanity with monstrous power, but a few great hearts are not enough to make us w

  165. Urr, lot's of ports open. by KidSock · · Score: 1

    [miallen@prodlinux satserv]$ nc -v -z localhost 1-10000

    localhost [127.0.0.1] 6000 (?) open
    localhost [127.0.0.1] 3240 (?) open
    localhost [127.0.0.1] 2179 (?) open
    localhost [127.0.0.1] 515 (printer) open
    localhost [127.0.0.1] 514 (shell) open
    localhost [127.0.0.1] 513 (login) open
    localhost [127.0.0.1] 139 (netbios-ssn) open
    localhost [127.0.0.1] 113 (auth) open
    localhost [127.0.0.1] 111 (sunrpc) open
    localhost [127.0.0.1] 98 (linuxconf) open
    localhost [127.0.0.1] 80 (www) open
    localhost [127.0.0.1] 79 (finger) open
    localhost [127.0.0.1] 23 (telnet) open
    localhost [127.0.0.1] 21 (ftp) open

    KidSock

  166. My setup... by LightningTH · · Score: 1

    486 with a 10mbit network card? Get another card and you're going. Unless your cable modem manages to break the 10mbit/sec line I doubt you'll see speed issues from it (I ran on a cable modem for 8 computers without issue with IP masquerading for a year). The specs on the 486 don't have to be a lot either; I ran off of 8MB of RAM and a 500MB hard drive. If you do not want to do IP masquerading then here are some ideas/steps:

    1. Of course, kill all services you do not need.
    2. Look into PortSentry. I have it set up in advanced mode on all ports. What it does is block IPs that try to connect to a non-open port.
    3. You would be smart to have ssh run on a port other than 22. The reason for this is that people trying to actually gain access will hit a non-open port, and if #2 was done then they aren't going to get another chance to hit the correct port.
    4. Don't run old software. This sounds simple, but some people just don't realize that kernels 2.2.16 have a security hole, and don't keep other software up to date either.
    5. You could look into IP-Chains and configure it to block incoming connects on the ports that you cannot close that are from the outside (while still allowing internal connects). This is probably the easiest but not always thought of.

    Samuel (@Lightspeed.cx)

    1. Re:My setup... by LightningTH · · Score: 1

      Oops. I forgot my BR commands. I'm always free to chat if you have questions :)

  167. Re:Clarifications by gi_wrighty · · Score: 1
    OpenBSD is inherently more secure because there has been a security audit. See for yourself.

    I'm going to set it up on my cable connection just as soon as I get hold of some NICs that can grab a DHCP address (gotta love those no-name brands ;).

    wrighty.

  168. Re:Get thee a firewall .. and the LinkSys is great by tannhaus · · Score: 1

    No thanks...I'll stick to using linux as a firewall. Why? It is highly configurable and I don't have $150 to plop down on something I can do with a little research and no money.

  169. Re:My experiences by shepd · · Score: 1

    >Toshiba T2000SXe

    Oh, now that is a name I wish they would use more often -- Tee two thousand sexy. :-)

    Who wouldn't want to say that about their laptop?

    >It took a day to compile the kernel, swapping continuously :)

    And the HDD didn't melt? Decent equipment. A friend of mine once opened up the HDD in a Toshiba T1200 unit. Strange interface. And they used the circuit board as the bottom of the HDD. There was only half a metal can for the top half. Weird.

    --
    If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
  170. Re:The ports open. by Zanth_ · · Score: 1

    you rock thanks for this info!

  171. Re:OT: Roadrunner billing nastiness by JCMay · · Score: 1
    PD wrote:
    My new house has a satellite dish.
    As a DirecTV subscriber, I was interested in their DirecPC service as a replacement for my current 56k service I have through Palmnet (pretty good local ISP that was gobbled up last year by OneMain)

    My wife's concern is rain fade. The little dishes have little margin for rain-induced signal degradation. I've considered replacing our 18" Sony dish with a 36" RCA dish we saw on consignment at a local used electronics store.

    Other than the EXTREME difference in UL/DL speeds (UL path still uses phone line), does anyone here have comments about DirecPC?

    Jeff

  172. Re:Get thee a firewall .. and the LinkSys is great by LancerX · · Score: 1

    My total investment with my Linksys was 15 minutes and $150 - if I compare that to 8 hours of research for a $0 outlay, I think I came out way ahead.

    Of course, my home network hardly requires the same level of security compared to what a production ecommerce environment needs, and for what I need, the Linksys is more than adequate.

    It's all a matter of perspective, what's more important time or money? I don't want to spend any more time than I have to in discouraging people from snooping my home net, because I'd much rather be reading /. or playing Diablo or something equally unproductive yet more entertaining than figuring out how not to spend $150.

  173. Firewalls and intrusion detection by the_codewarrior · · Score: 1

    For my box (which is not online 24/7, but still) I use the Abacus Project's Portsentry (http://www.psionic.com/) and pmfirewall, available here. I find this to be quite sufficient.
    cheers
    cw

  174. Change outgoing ports and run ipchains by zzyrc · · Score: 1

    Hi,

    you can change the unprivileged ports used for outgoing TCP and UDP connections via /proc/sys/net/ipv4/ip_local_port_range to something other than 1024. I use something between 25000 and 30000. Then use ipchains to filter any packets you don't want in.

    I've done this setup with my dial on demand connection, and I get at least one unwelcome packet for most times I am logged in.

  175. IPCHAINS was made for this and more by DeHackEd · · Score: 1

    Don't know how to do this with netfilter, but here's a command to run as root which will remove these small annoyances in 2.2.x kernels:

    ipchains -A input -i eth0 --destination-port start:end -j DENY -l -y -p tcp

    Where "start" is the first port in a range and "end" is the last (I use 0 and 7000). Also assumes you use eth0 for your cable modem, but you might use eth1. Any connection attempts will be logged to SYSLOG.

    I run a more complicated ruleset, but it's based on things like this. I also use my computer as a firewall and masquerading server too...

    1. Re:IPCHAINS was made for this and more by nstenz · · Score: 1

      What's wrong with passive-mode FTP transfers anyhow? You still get the file either way, and it works...?

  176. Use PortSentry by cthulhubob · · Score: 1

    http://www.psionic.com/abacus/portsentry/

    I run this at home and at work. It is awesome. Basically, when you start getting ports scanned, it adds an entry to the routing table sending packets to the attacker to 0.0.0.0 -- effectively dropping them into a black hole. They don't get any output back from the port scan, and they have no effective way to contact your machine.

    --

    In post-9/11 America, the CIA interrogates YOU!
  177. Easy enough by cthulhubob · · Score: 1

    edit /etc/X11/xdm/Xservers

    on the line that actually starts the server, add -- -nolisten tcp

    here's an example (from my box here at work):

    :0 local /usr/X11R6/bin/X -- -dpi 100 -nolisten tcp

    --

    In post-9/11 America, the CIA interrogates YOU!
  178. Good Book on securing Redhat by billwashere · · Score: 1

    Found this book on setting up a redhat server for doing this sorta thing. The book looks fairly well designed and new versions are available on the web. Check it out.... http://www.openna.com/books/book.htm

  179. Re:The ULTIMATE In Securing your System by Lordrashmi · · Score: 1

    ROTFL There are so many holes in NT it isn't even funny....

  180. Beating the Script-Kiddies by Denying ICMP by pryan · · Score: 1

    You can keep a lot of people away from your box by denying all incoming ICMP traffic. My box hasn't been scanned for quite some time. It stopped getting scanned after I discarded all ICMP packets with my firewall. I am quite happy with this situation.

  181. Not to mention... by trikyguy · · Score: 1

    Most people do keep their main workstation running constantly, but sometimes it crashes or needs a reboot, so a separate box that is only concerned with the firewall will always be on, and therefore won't cut off other computers from internet access. Also with most cable internet, the server gives you a new IP each time you reconnect; therefore, a computer constantly connected gives you a more static IP.

    --

    Discussion Never Hurt Anyone.
    Libertarians
  182. Re:Could an old... by sig226 · · Score: 1

    I have the same setup; I use a 486-33 to act as both the firewall, my intranet nameserver and DHCP server. The modem gets 250KB, not a problem on my machine even using ISA cards. I don't run ftp, telnetd, lpd, or anything that I'm not using; get the latest bind, have it listen only on the intranet side, ditto for dhcpd, run sshd if you need access via the internet side.

  183. Re: OT Mac question (Wrong Question) by geosync · · Score: 1

    You need to be asking if Darwin OS has an IPFilter built into it ;).

  184. Re:Could an old... by Golias · · Score: 1
    IIRC, setting up a DHCP router or a firewall to serve multiple PC's violates Road Runner's home-user TOS.

    I am not saying "don't do it", I'm just saying "don't inform them of what you are doing". :)

    --

    Information wants to be anthropomorphized.

  185. Re:Biggest threat? by macplusg3 · · Score: 1

    Well, in case these smart asses didn't realise, you can run telnet daemons on Mac too :) You control it all remotely via AppleScript. Very cool looking when you've got someone on the other side of the planet moving windows around on your Mac :) And what about MachTen? That's Unix ON Mac (as in, side by side); I'm sure you can run telnet there too.

    --
    .signature
  186. Re:the slow discarded PC's work fine by nstenz · · Score: 1

    I would have awesome uptime if I could keep my cats off the power strip switch.

    Duck tape.
    The switch on the power strip, not the cats... now THAT would suck.

  187. Re:The easiest way by nstenz · · Score: 1


    No, DHCP is MUCH simpler than fixed IP addresses - just ask Microsoft. I had to set up Win98 Internet Connection Sharing for lack of a free computer to use as a proxy... I got it running after screwing with it for a while and being sure to NOT follow Microsoft's 'simple' directions in the help file... It defaults to DHCP... I wanted fixed IPs... so I followed their nice little instructions to turn off DHCP, and assigned my machines IPs... only having 3 machines, you can be sure I didn't screw that up and get conflicts. Would it work? Hell no. I tried for hours. Then I said fuck it. So now I've got my nice little 4-computer network, and I get to guess which address the FTP server is running on at the moment. Fucking annoying.
    </rant>

  188. Re:Could an old... by Just6979 · · Score: 1

    Actually they don't care. After we set up Windows Internet Connection Sharing (hey, my dad won't let me put anything in front of his machine on the net), my dad asked them if it was OK; they said it was.

    --
    --Justin
  189. Linux on a 486 by PrimalChrome · · Score: 1
    I run Linux on a 486 at home for my DSL. It's stripped down to do nothing but use ipchains for NAT and forward a few ports through to my web server. I have no performance issues whatsoever and cannot notice a difference between a direct connection and going through the 486.

    Using this scenario, security is as tight as you want to make it.

    PrimalChrome

  190. Linksys box works pretty damn well by NulDevice · · Score: 1

    I had a separate machine set up to do all my IPChains stuff, and wouldn't ya know, the NIC in it blew when I was moving it home from work. So while at the local computer shoppe, pricing a new NIC and a hub, I stumbled across the Linksys home router, which is a DHCP server, firewall, and 4-port hub in one. And it cost the same as a new NIC and a hub, so I bought it.

    Turns out it's pretty sweet. Doesn't have the geek appeal of IPchains on a Linux box, but it takes up a lot less desk space. So it makes a pretty decent solution.


    --
    "I used to listen to Null Device before they sold out."

  191. Re:yes, excellent script! by Karmageddon · · Score: 1
    > On a more serious note, wouldn't any attacker be immediately blocked as soon as the chains come up, or would his connection be allowed because it already exists?

    Good point. Yes, the blocking would begin immediately... but that could easily be too late: a scripted compromise can take place very quickly (think how long it takes you to get a pure text webpage, less than a second), and if it immediately opens an outgoing connection, the firewall is unlikely to block that. Depending on what all else happens during boot, it could very well be possible for an attacker to initiate the compromise and simultaneously launch some sort of "SoS" (slowdown-of-service :) that would delay the rest of the boot process. The point is that if you publish your firewalling and boot process for educational purposes, a determined attacker has more specific information to work with. While it might seem unlikely, if someone doesn't like you in particular, or has reason to want something from your machine, that window of opportunity could be all they need.

  192. Re:A few words... by Karmageddon · · Score: 1
    > Placing a computer behind an NAT firewall is no safer than just running the firewall on the computer itself.

    The point you are making is a good one, so you should consider this post to be supportive, but you are overstating it a bit so I would refine it. Yes, in the home, the hassle of running an extra box is probably not worth it (if you don't find it a hassle, you probably aren't keeping up with the patches), and yes, theoretically you are running the same software on two machines, so all the same holes exist and you actually have more chances for error so perhaps it is less secure.

    However, I think two factors give the two-box version the potential to truly be more secure: (1) on a shared firewall/workstation box, you are likely to be changing things more often. I'm awfully careful, but every now and then I discover I've left a window wide open. (2) with a separate firewall box, you can clamp the security down very tightly on the firewall box, allowing no remote connections, only forwarding. In this way your logs of any activity will be secure from tampering.

    Now, truth be told, once there are two boxes running, the itch to add capabilities to the firewall becomes irresistible (now, there's a good reason to make it an 8Meg 386!)

  193. Re:yes, excellent script! by Karmageddon · · Score: 1
    good idea and good info, but not necessarily what you want or need: ipchains rules will remain intact through upping and downing, so you wouldn't need to reload the rules over and over.

    But you are pointing out that if you ever boot without ipchains loaded it would be nice to have the rules get loaded if you up the net manually.

  194. Re:How do you check ... by Tomcow2000 · · Score: 1

    The best way is to nmap yourself. As always, the best way to secure your system is to pretend to break into it.

    --

    Sleep: A completely inadequate substitute for caffeine.
  195. Re:A few words... by flikx · · Score: 1

    I agree with your point, but I find it a better idea to up the security on both boxes. Once the cracker breaks into the first box, make it hard to get to the rest of the network.

    My main point is that you can never have too many locks on the door. It may be clumsy and excessive, but I think the time will pay off when that kiddie tries to poke around.

    --
    One future, two choices. Oppose them or let them destroy us.
  196. Re:My experiences by cronik · · Score: 1

    You could just run lrp (Linux Router project) on a 80386/33 no hard drive and two 3C509b network cards (splurged).

    --
    Information wants to be free like speech wants to be free, not like we want beer to be free.
  197. Re:10 minute solution: by Turtle+Master · · Score: 1

    Another option is the LinkSys BESR41 box. It's about $170, and it's a dedicated router, NAT firewall, DHCP server, 4 port 100BT switch, etc... It does port forwarding, so you can run a server behind it (although it's likely that RoadRunner explicitly forbids you to do so). I've got one in front of my cable modem, and it works really well. Highly recommended.

  198. Re:Userspace threat, definately. by ultrabot · · Score: 1
    > Doesn't make me feel any safer though. It just doesn't make sense that the GNOME team would need open sockets for these services... why not just use a local named pipe down /tmp, for instance (which they do use)?

    I think Unix domain sockets would be preferable to pipes, since they would only require a minimal amount of reimplementing.

    Perhaps the use of inet-domain sockets is a part of some megalomanic netverk-transparent-gnome-anywhere - scheme.

    --
    Save your wrists today - switch to Dvorak
  199. Re:Put in a hardware firewall by adipocere · · Score: 1
    Hey, that sounds pretty nice!

    Do you have any pages up where we can look at the script? Is it perl?

  200. Re:My experiences by int18h · · Score: 1

    How about the laptop I had in '97-'98?

    Toshiba T2000SXe
    -- 386 SX/20
    -- 2MB RAM
    -- 60MB HDD
    -- One 1.44MB floppy drive
    -- Mono VGA

    Managed (via floppies, then PPP over its serial port) to get "Linux-Lite" running (v1.0.9 kernel).

    It took a day to compile the kernel, swapping continuously :)

    --
    -- tree, n: lump of wood with green things
  201. IP Masquerading by Burning1 · · Score: 1

    "I know I could use a spare machine as a firewall and run Linux's IP masquerading. My only spare machine, however, is an old 486dx2-66 with an NE2000 ethernet card. Not exactly a speed demon, and speed is exactly why I got a cable modem."

    Actually, you're underestimating the power of your 486 (or overestimating the demands of firewalling.)

    I built an IP Masquerading / SOCKS / firewalling machine for my company, to support our T1. At the time we had only a Microsoft IIS box, which only proxied HTTP and FTP connections (ug).

    Well, anyway, the thing was based on an old K5-100, with 24MB of ram in 72 pin SIMMs (probably not even fast page stuff.)

    Even this weakling of a box could masquerade 170+ kilobytes per second of traffic, at about 3% CPU utilization, and it still managed to run inside of memory (in CLI mode - forget X.)

    Throwing 5 copies of tcpdump on top of that still didn't slow things down significantly, though some memory holes did cause a problem (have you ever tried running your shell out of virtual memory? Don't.) :-\

    As far as latency, 1ms or less was added. Nothing noticeable.

    Anyway, I highly recommend some form of NAT for the security conscious. The number of back holes and attacks this will stop is pretty darned impressive, and 2.2.x's QOS abilities are highly recommended even to those not in search of safety.

    On a final note: I built my proxy so for pleasure... A few months later it was being used by every one in the company... Who says games are a waste of time? *GRIN*

  202. Re:Easier than any Linux solution by mr.ska · · Score: 1
    NOW someone's talking my language.

    As much as I'd like to be, I'm not into Linux yet. - my primary computer runs NT 4.0. I'll have a fully-functioning Linux (RedHat 6.0) box soon, and have been considering a cable modem for a while, but a firewall has always been the question. But my wife has an old Mac (LC II I think), and if it's as simple as you make it out to be, I think I've got my firewall!

    Do you have any more links/insights/thoughts on setting up a Mac firewall? Most appreciated.

    --

    Mr. Ska

  203. Re:Userspace threat, definately. by wicky · · Score: 1

    Yeah, I would love to hear a comment. Why another computer acting as a firewall? It's like trying to cure the symptoms and not eliminate the reason. It's off topic, but I also don't like the installer from Helix GNOME: wish it would be more transparent, don't like to run "unknown" programs as root, which additionally opens IP connections. Do we want to end up with Microsoft's security?

  204. Re:Put in a hardware firewall by Vassily+Overveight · · Score: 1

    Go to cnet.com and do a search. You'll find lots of sites offering it. Or Linksys equipment is sold at any Fry's.

    --

    "If I have seen further than other men, it is by stepping on their glasses." - Michael Swaine

  205. Re:Put in a hardware firewall by Vassily+Overveight · · Score: 1

    I guess I was ambiguous. The port scans are coming from all over the place. Saw one from a domain in Russia. I've complained both to my ISP and some of the domains involved, but never get any interest. I think it's so widespread, it's like complaining about someone turning without using their signals.

    --

    "If I have seen further than other men, it is by stepping on their glasses." - Michael Swaine

  206. Re:My experiences by King+of+the+World · · Score: 1
    P200MMX, 32megs RAM, half gig HDD, redhat 6.1, wooo!

    It just sits there handling a 55.6 dialup.

    I repeat: woooo!

  207. Hate to burst your bubble... by CorpDecker · · Score: 1

    I really do. I wish all this was possible, but, at least where I live, you have to have win9x on the machine that will be talking to the cable modem.
    Sadly all this is for naught. We set our shared cable connection up with IP masquerading and put 5 machines on the LAN, all going out through one cable line, but the firewall machine had to be a 98 box in order for RR to do its thing.
    There is a system tray program that runs to authenticate the user of the account. As far as I know you could use anything behind that 9x box but the one the cable modem sees has to be win9x.
    I suppose you could have your linux desktop, a bsd firewall and THEN the win9x machine, but that just sounds silly.

  208. Re:Just use ipchains by Chazmati · · Score: 1


    Sure, RTFM for ipchains. You can do whatever you want. My rulesets leave a couple ports open so I can connect from work. The same ports are closed to anyone with a different IP address.

  209. Just use ipchains by Chazmati · · Score: 1


    #ipchains -I input -p tcp -y -s ! 127.0.0.0/24 -j DENY

    should drop any TCP SYN packets coming from 'outside' your box. As I understand it the SYN packets are the ones that request a connection, so response data (telnet, www, etc) should get through ok.

    Gibson Research will scan your ports for you.

  210. Re:10 minute solution: by AbbyNormal · · Score: 1

    Rock on baby! 486 25sx with 25megs of RAM on a ....GASP...IBM PS/1 with fun proprietary stuff. It took a while but the sucker feeds my network at home without a prob. Freesco is definitely the way to go.

    --
    Sig it.
  211. Re:Could an old... by swimfastom · · Score: 1

    The 486-66mhz should meet or exceed your needs. I have the same setup on my 486-25mhz machine at home and it works flawlessly, barring my internet connection failing. It has been running for months and is very stable. I would undoubtedly suggest using your old machine as a firewall and running IP masquerading. BTW, I only have 8mb of RAM on my firewall machine!

    --
    http://tomgould.com/
  212. Don't Worry =) by AlienHosting · · Score: 1

    I wouldn't worry about the extra ports that GNOME is using. You can always firewall them out. Your 486 will be MORE than sufficient to do the tasks that you want to do.

    --
    www.alienhosting.com --- $9.00 a month webhosting.
  213. Re:Don't run X? Why the hell do you have DSL? Lynx by am+2k · · Score: 1
    > I can't imagine that running your system only in the terminal is even worth it - why not just shut it off?

    Maybe it's just a router. I've got a FreeBSD machine without X as my firewall and a MacOS X machine behind it for everyday use.
    It's very nice because you can keep your working machine running while you install a new kernel on your router. And you don't get slower when someone tries to DOS you :)

  214. Zone Alarm for a single linux box. by g1n3tix2k · · Score: 1

    There are very similar programs for a single Linux box; one I thoroughly recommend is Firestarter (linked here).

    It's basically an IP-CHAINS front end that's very configurable and easy to use.

    Give it a whirl. I tried cracking my machine the other day to test it and it worked very well.

    Afterwards try using many of the web port probers. :)

    have a good time

  215. nmap by sreitshamer · · Score: 1

    If you really want to know what ports you're listening on, try using nmap. It'll do a TCP SYN stealth port scan, among others. Get it at http://www.insecure.org/nmap/

  216. Re:WHAT the heck are you talking about? by wbean · · Score: 1

    I get scanned by RR every few days. If you take a look at this site you'll see an explanation(?) of what they're doing.

  217. Re:Could an old... by Anonymous Coward · · Score: 2

    At home I run a 486sx33 with 20mb of RAM in it as my IPMasq, httpd, mail, and proxy server. It serves everything I have loaded on it without problems. (It does admittedly only feed a 144kbps DSL link)

    I regularly pull 700kbps/sec off it over the local net, most of which I attribute the speed to the generic ISA NE2000 clone card that I've got in there. (The rest of my home net is switched 100mbps)

    A 486dx66 should be _more_ than plenty for what you're trying to do.. just watch the rulesets to make sure you're not doing anything overly complicated and you'll be just fine.

  218. Got Roadrunner, you may want Coyote by Anonymous Coward · · Score: 2
    If you want to go the 'dedicated firewall' route (no pun intended), a device such as the LinkSys is a great choice.

    But if you want something more programmable, check out Coyote Linux. It's a micro distribution specifically for doing firewall/NAT on boxes like your 486.

    I've used the freebie version and it's quite nice.

  219. Why does no one state the truth? by Anonymous Coward · · Score: 2

    Whats with all this firewall talk?

    If my money was sitting on my dashboard, I would not cover it with paper, I would put it someplace safe instead.

    Turns out that all gnome apps are compiled with libwrap, so all you have to do is put an ALL in your hosts.deny (you did that already right??).

    Furthermore, most (all?) of them only listen on 127.0.0.1 so they shouldn't be a big concern on most desktops (i.e. you are mostly afraid of remote root)

  220. Re:Firewall by Pathwalker · · Score: 2

    I use a 486-50 with 8 megs of ram, and 2 Linksys NE2000 clone cards as a firewall (running OpenBSD).
    I had a little trouble with the GENERIC kernel running out of memory, but after I stripped unneeded drivers (SCSI, NFS, PCI, etc..) out of the kernel it worked great!

    It used to be a Linux (Slackware) system, which also worked well until someone got in through a buffer overflow in sshd a couple of months ago, and trashed the system.
    --

  221. Re:Question: How long can High speed ISPs ban serv by Pathwalker · · Score: 2

    > Running a website off a cable modem or asymmetric DSL is like running a website off a 57K modem.

    Not if you have a decent cable modem provider - I get a 10 megabit chunk of a 100 megabit backbone (there aren't many people on my node, so I get close to the full bandwidth most of the time) with some very liberal TOS (I've never had them enforce clause 10-C).

    It's nice living in an area which was one of the initial testing areas for cable modems, and to still be on the prototype network for testing how much bandwidth is possible over cable modems :-)
    --

  222. Re:Could an old... by Bill+Currie · · Score: 2
    I've gotten over 300k/s (bytes, not bits) through my 386dx33 ipmasq router. A 486dx2-66 would be severe overkill (though nice for those rare times you have to compile something on that box).

    Bill - aka taniwha
    --
    Leave others their otherness. -- Aratak

  223. Re:I run a portscan detector by sjames · · Score: 2

    > Urm, don't run it to block on default, if a person is funny, he/she will run a spoofed IP-scan on you, and you will end up blocking hosts that never did anything. Imagine someone spoofing an IP scan from slashdot, now you can't read slashdot anymore,

    At least you know somebody scanned you that way. If /. gets blocked, just remove that rule from the chain and all is well again. If you do manually remove a rule, PortSentry WILL NOT re-add it unless you delete the address from its list of already blocked addresses.

    If that's a problem, you can always set it to just add the address to hosts.deny. That way, you can still contact the spoofed address, but no services will accept a connection from it (not a problem for /. or for the gateway).

    Just for good measure in case the attacker knows you, set the IP you would be using to log in from work not to be blocked. That way you can always get in.

    Getting mail about a scan is good, but kiddie scripts are often automated enough that you could be owned before the mail hits your box.
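The "log it and decide" approach the two posts above describe (ipchains -l logging in post 175, PortSentry-style blocking and its spoofing caveat in post 223), as an added example that is not code from the thread or from PortSentry: a Python script that parses ipchains kernel log lines, counts how many distinct ports each source has sent a SYN to, and lists the sources over a threshold while skipping an allow list such as the address you log in from at work. The log lines are constructed and the field layout is approximated from the 2.2-era ipchains format; check the regular expression against your own syslog before relying on it.

```python
"""Spot port-scanning sources in ipchains '-l' kernel log lines.

Added example for the thread above, not PortSentry's code. Counts the
distinct destination ports each source sends TCP SYNs to and reports
sources that exceed a threshold, skipping an allow list.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines (assumed layout of an ipchains 2.2 'Packet log'
# entry, not a real capture). Two sources sweep five ports each, one source
# touches a single port.
SAMPLE_LOG = """\
Sep 12 01:02:03 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:4321 203.0.113.9:21 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#1)
Sep 12 01:02:03 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:4322 203.0.113.9:23 L=60 S=0x00 I=2 F=0x4000 T=64 SYN (#1)
Sep 12 01:02:03 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:4323 203.0.113.9:79 L=60 S=0x00 I=3 F=0x4000 T=64 SYN (#1)
Sep 12 01:02:04 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:4324 203.0.113.9:111 L=60 S=0x00 I=4 F=0x4000 T=64 SYN (#1)
Sep 12 01:02:04 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:4325 203.0.113.9:513 L=60 S=0x00 I=5 F=0x4000 T=64 SYN (#1)
Sep 12 01:05:00 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.50:40000 203.0.113.9:22 L=60 S=0x00 I=6 F=0x4000 T=64 SYN (#1)
Sep 12 01:05:01 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.50:40001 203.0.113.9:23 L=60 S=0x00 I=7 F=0x4000 T=64 SYN (#1)
Sep 12 01:05:02 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.50:40002 203.0.113.9:80 L=60 S=0x00 I=8 F=0x4000 T=64 SYN (#1)
Sep 12 01:05:03 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.50:40003 203.0.113.9:139 L=60 S=0x00 I=9 F=0x4000 T=64 SYN (#1)
Sep 12 01:05:04 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.50:40004 203.0.113.9:515 L=60 S=0x00 I=10 F=0x4000 T=64 SYN (#1)
Sep 12 01:07:00 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.200:1025 203.0.113.9:23 L=60 S=0x00 I=11 F=0x4000 T=64 SYN (#1)
"""

# Protocol number, then "src:sport dst:dport"; the flag words follow.
LOG_RE = re.compile(
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_log(text):
    """Return one dict per recognised packet-log line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        events.append({
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "proto": int(m["proto"]),
            # ipchains prints SYN among the flags after the addresses.
            "syn": " SYN" in line[m.end():],
        })
    return events


def find_scanners(events, threshold=5, allow=()):
    """Map source -> sorted ports for sources that hit >= threshold distinct
    TCP ports with a SYN, ignoring anything inside the allow list networks."""
    allowed = [ip_network(a, strict=False) for a in allow]
    ports = defaultdict(set)
    for ev in events:
        if ev["proto"] != 6 or not ev["syn"]:
            continue  # only count TCP connection attempts
        src = ip_address(ev["src"])
        if any(src in net for net in allowed):
            continue  # never block the addresses you must reach from
        ports[ev["src"]].add(ev["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= threshold}


if __name__ == "__main__":
    # 192.0.2.0/24 stands in for the network you log in from at work.
    for src, hit in find_scanners(parse_log(SAMPLE_LOG), allow=["192.0.2.0/24"]).items():
        print(f"{src} swept ports {hit}")
```

Because the source address of a bare SYN is trivial to forge, treat the output as a list of candidates for hosts.deny (post 223's suggestion) rather than a reason to blackhole a route, and keep the allow list populated with every address you must be able to reach or be reached from.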

  224. Re:Just firewall it... by sjames · · Score: 2

    What kind of an admin would advertise his box like that? Are you sure your box is secure? Why not taunt people some more and find out.

    It happens all the time. It's called a server. Many .coms spend millions of dollars advertising their boxes. All of them pay at least $35 to make it easy to find once you hear about it.

    There comes a point where you have to go for it and hope you did enough, or use the 1 inch air gap method and defeat the whole point.

  225. Re:yes, excellent script! by Matts · · Score: 2

    I'll try and remember that next time I update my kernel :-) [uptime in the 100+ days region now]

    On a more serious note, wouldn't any attacker be immediately blocked as soon as the chains come up, or would his connection be allowed because it already exists? Behind my 64k link I can't see anyone doing much serious if the former is the case. But if the latter is the case, I would worry a bit more about it.

    --

    Matt. Want XML + Apache + Stylesheets? Get AxKit.
  226. My firewall: 386SX, 8MB ram by jjohn · · Score: 2

    Running old slackware. Works fine. Connected to DSL.

    Check out this site of the guy who wrote the book
    _Linux Firewalls_.

    http://www.linux-firewall-tools.com/linux/

  227. Yes, they are by roystgnr · · Score: 2

    On my system at least, and I last updated Gnome 2 weeks ago. I hope this has been fixed since; using TCP sockets instead of unix sockets is odd enough, but those TCP sockets do *NOT* need to be listening on non-local ports without my say so. I don't care that they're not running as root; like most home users I make backups infrequently enough (yeah, like most home users make backups) that someone cracking my personal account would be a real PITA.

    Yes, I'm ipchains proficient enough to block outside access to those ports... but I shouldn't have to; even if there's some functionality benefit I'm missing, I should have to change the default configuration just to open them up in the first place.

    This ticks me off. We've got a linux machine outside the firewall at work; I carefully made sure that ssh was the only open port, even making sure that the X server and font server were local only. Now I have to add an ipchains ruleset too, to protect against every random app that wants to moon the rest of the internet?
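To check on your own box what posts 219 and 227 disagree about (whether the GNOME/ORBit listeners are bound to 127.0.0.1 or to every interface), here is an added Python audit that is not code from the thread: it parses `netstat -tln` output, separates loopback-only listeners from network-reachable ones, and flags anything exposed that is not on an allow list of ports you mean to serve. The netstat sample is constructed; the `main` block runs the real command when it is available. Note that the `nc -v -z localhost` scan near the top of this thread reports loopback-bound services as open too, so it overstates exposure; the bind address is the column that decides.

```python
"""Audit TCP listeners: loopback-only versus network-reachable.

Added example for the thread above. Parses `netstat -tln` style output
and reports listening sockets bound to a non-loopback address that are
not on an explicit allow list of ports.
"""
import subprocess
from ipaddress import ip_address

# Constructed sample in the layout of `netstat -tln` on Linux (not a real
# capture). 1031/1032 stand in for the ORBit port range the thread discusses,
# 6000 is an X server, 22 is sshd, 80 a web server bound to one address.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:1031          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1032            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6000          0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.9:80          0.0.0.0:*               LISTEN
"""


def parse_listeners(netstat_text):
    """Return (port, bind_address) for every tcp/tcp6 line in LISTEN state."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        # Split on the last ':' so IPv6 addresses such as ::1:22 survive.
        addr, port = fields[3].rsplit(":", 1)
        listeners.append((int(port), addr))
    return listeners


def classify(listeners):
    """Split listeners into loopback-only and network-reachable lists."""
    local, exposed = [], []
    for port, addr in listeners:
        ip = ip_address(addr)
        (local if ip.is_loopback else exposed).append((port, addr))
    return sorted(local), sorted(exposed)


def unexpected_exposure(listeners, allowed_ports):
    """Network-reachable listeners whose port is not on the allow list."""
    _, exposed = classify(listeners)
    return [(p, a) for p, a in exposed if p not in allowed_ports]


if __name__ == "__main__":
    try:
        text = subprocess.run(["netstat", "-tln"], capture_output=True,
                              text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        text = SAMPLE_NETSTAT  # fall back to the constructed sample
    local, exposed = classify(parse_listeners(text))
    print("loopback only :", local)
    print("reachable     :", exposed)
    # sshd is the only service the original poster means to expose.
    print("unexpected    :", unexpected_exposure(parse_listeners(text), {22}))
```

Anything the audit lists as unexpected is either a service to stop, a listener to rebind to 127.0.0.1 (the `-nolisten tcp` and `.orbitrc` advice elsewhere in this thread), or a port to cover with an ipchains rule on the cable-modem interface.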

  228. OT: Roadrunner billing nastiness by mechtoad · · Score: 2
    I signed up for roadrunner a month or two ago and had the great pleasure of being billed over $350 for a single month's service.

    It broke down: cable tv fees, $39.95 RR subscriber rate, PLUS "7 additional connections" each at an additional $39.95. My guess is the technical wizards they sent over to my home caught a glimpse of my LAN's nerve center in the basement and counted the number of ports on the hub... Needless to say, I didn't pay it, and when I called, they quickly realized their error and corrected it. Sheesh! Just a few words of caution, what with the story on @Home today and such.

  229. Re:A few words... by drix · · Score: 2

    I think you're missing the point. Placing a computer behind an NAT firewall is no safer than just running the firewall on the computer itself. Most all of the responses on this thread have been along the lines of "Dude, just NAT and firewall your box", which is pointless considering he only has one PC. An entire night to "bring it all together" seems like a waste of time when three or four firewall rules could do the trick just as nicely.

    --

    I think there is a world market for maybe five personal web logs.
  230. Re:Biggest threat? by drix · · Score: 2

    > My firewall is rather peculiar in that instead of blocking everything, it's open to the public *except* for my ISP's blocks. If you want, I can provide you with my script.

    Can I just say that that's about the stupidest reason to have a firewall I've ever heard of. Besides irony, what exactly is such a device providing you with? Last I checked, Time Warner wasn't rooting people's boxes, thrashing their hard drives, exploiting unpatched copies of Sendmail, or otherwise wreaking havoc. I get scanned once every two weeks on port 119, of all things, by my ISP. I get scanned approximately 3-4 times a day by random other hosts from around the world on pretty much every port between 1 and 1024. In my opinion your stance - "Your biggest threat won't be the script kiddies" - is highly naive.


    --

    I think there is a world market for maybe five personal web logs.
  231. Re:Anyone with any REAL knowledge about gnome ? by Coverfire · · Score: 2

    The open ports are used for CORBA communication within GNOME.

    Just add the lines:
    ORBIIOPIPv4=0
    ORBIIOPIPv6=0
    to the .orbitrc file in your home directory.

    This tells ORBit not to open TCP ports by default. You will not be able to run remote GNOME components if you do this.

    Also, the newer Helix GNOME updates do this by default.

  232. Biggest threat? by Signal+11 · · Score: 2
    Your biggest threat won't be the script kiddies. It'll be Time Warner probing your system. They've decided to take it upon themselves to police YOUR system. I had someone get kicked off the network for having telnet open.. apparently it's "windows or mac only" - with a vengeance. My firewall is rather peculiar in that instead of blocking everything, it's open to the public *except* for my ISP's blocks. If you want, I can provide you with my script, e-mail me and I can fill you in on the 411 for making your system stealth to their scans. :/

    Sad, huh?

    1. Re:Biggest threat? by Wayfarer · · Score: 2

      Although T-W Corporate will hand down orders from on high from time to time, the actual enforcement of the RR Acceptable Use Policy tends to vary from region to region.

      I've lived places where people have been warned for having open SMTP ports (not open relays, just open ports, mind you). There was one city where I was given the seemingly standard line of "Linux is not a supported OS", yet was directed to the local RR other-os newsgroup, where RR employees volunteered support in their off hours. Wonderful folks, those. We need more of 'em.

      The same thing goes for actively scanning systems for open ports. Some affiliates do it. Others aren't as intrusive. A good way of finding out is by checking your local RR security newsgroup for horror stories.

      Going back to the original subject, this is also a great way of finding out which ports (if any) are blocked by RR, and getting warning of any local script-kiddies who have been hitting firewalls.

      --

      -W-

      Is it all journey, or is there landfall?
      --Ellison & van Vogt, 'The Human Operators'

  233. Just firewall it... by Duckie01 · · Score: 2


    Read the ipchains HOWTO

    Perhaps my firewall scripts may be a good starter:

    For masq boxes, see
    http://duckie.neep.net/firewall

    For standalone boxes, see
    http://duckie.neep.net/firewall1

    For unprivileged ports, use ! -y to accept packets which aren't SYN packets. Be aware you might run into trouble with ftp. The client will get connections on unpriv'd ports in port mode, the server will get 'em in passive mode.

    My masq box is a 486/66 with 32 MB as well and woopsie:
    1:58am up 195 days, 23:58, 1 user, load average: 0.04, 0.06, 0.01

    It's fast enough to do whatever masquerading you want. It'll even handle mail/ftp/http just fine. Though I'm not sure if it'll survive /. load ;-)

  234. Re:Clarifications by Ex+Machina · · Score: 2

    Take your Ritalin Garth. Although I use OpenBSD on my site, I've found that a locked down slackware/debian box is no less secure than OpenBSD. The code audit / secure by default stuff is nice though.

  235. That's fast enough! by Idaho · · Score: 2
    I know I could use a spare machine as a firewall and run Linux's IP masquerading. My only spare machine, however, is an old 486dx2-66 with an NE2000 ethernet card. Not exactly a speed demon, and speed is exactly why I got a cable modem

    A DX2-66? I think that's fast enough for a masquerading box, you just have to put in a second ethernet card. I have used a 50 Mhz 386 (8 MB RAM) as an IP Masquerading server for a long time. We only have 60KB/s downstream and 7K upstream though (also cablemodem)...

    It's not like you're running Windows, so you don't necessarily need a PII and 128 MB of memory just to run IP masquerading...

    --
    Every expression is true, for a given value of 'true'
  236. the distros by josepha48 · · Score: 2
    Since most people today are buying distributions, I want to know why more distros are not setting these up already. It was not till Redhat 6.2 that it included a way to turn on and off the ipchains through linuxconf. I used gfcc to set up my packet filtering firewall. gfcc also comes with a few scripts for workstations, and I was able to modify one of them to fit my needs. Now I have a packet filtering firewall whenever my computer is up and running.

    The second thing I have done is to get my system port scanned by an outside source. So far I have had no problems. I too use GNOME and have other services that are running, but only my web server is open to the outside and there are no forms with CGI that a user can access and slosh around with. I have a little php but that is it, nothing fancy.

    I am not sure that everyone understands how the ports work, but they are only a problem if they are not behind the firewall or if someone gets behind your firewall. If you have no untrusted users on your machine ipchains should be fine. If you are worried that that is not enough try setting up a proxy firewall in conjunction with ipchains. You can do it on your host machine and contrary to some you will be fine.

    Good luck. I hope that road runner is a good isp. AT&T cable went out for a day and a half this past week for me and I cannot imagine what I'd do if I had them as my ISP as well and not just mycable provider.

    Don't put your eggs in one basket; having cable, phone, and ISP may not be such a good thing. If one goes out you may lose service to all.
    ~~~~~~~~~~~~~~~~~~~~
    I don't want a lot, I just want it all ;-)
    Flame away, I have a hose!

    --

    Only 'flamers' flame!

  237. The SonicWall *IS* a little PnP box dude! by BitMan · · Score: 2

    It's just a little box like the Linksys one, but so much more protective and flexible! If you're gonna spend $150-200 for a POS, why not spend $350-400 for a real firewalling solution?

    --
    -- Bryan "TheBS" Smith
    Independent Author, Consultant and Trainer
  238. Re:Linksys != firewall!!! Get a SonicWall instead! by cybrthng · · Score: 2
    For 150 bucks what do you expect chief? Its a SOHO network device and the best one for the price. (Outpost apparently raised the price to 150 or sold out of the 104.00 non switched linksys).

    Performance? You can't beat the Switched 100mbit connection for local traffic. Sure it is 10mbit to the net but uhm, again this is soho and not rocket science or a T3, they don't advertise this to solve all your problems.

    Again, i don't know what you mean by low performance.

    On my ADSL i have an 8 person UT server, 5 pcs, web server and file server all connected. Got the ut on the DMZ zone, the fileserver, my box on the switch and the other port going to another hub for the rest of the network. No problems whatsoever. I'd never consider replacing it with a clunky pc or linux or ics or wingate or anything.

    Don't buy what you read on slashdot either

    /me slaps Stan silly and calls him Gertrude

    You asked for it.

  239. Re:Get thee a firewall .. and the LinkSys is great by cybrthng · · Score: 2
    Actually with ICS you don't need DHCP. Just change it to static ip. I had my network with static 10.x.x.x ip's and i used ICS to send web/ftp/telnet ports to specific machines behind the network.

    That box has since become a dedicated Unreal Tournament server and runs great behind my new $104.00 Linksys Switch/Router.

    btw, it only takes 4 minutes to switch from ICS to Linksys and make my existing network work and add firewall features to protect services.

  240. Re:Linksys != firewall!!! Get a SonicWall instead! by cybrthng · · Score: 2
    Hey some people like a simple affordable solution that plugs and plays.

    Not everyone buys a PC to run linux on everything. Some people buy a PC to run linux and applications and they don't want to waste time worrying about who's pinging them, they just like to know that being behind this little device helps secure them, speeds up their network and makes life easier than maintaining a pc.

    More points being this thing will stay up forever on UPS power, doesn't have a drive to fail, boots up in a snap should power burp, is easy to configure and only costs $104.00 to buy from outpost.com and have on your frontdoor.

    Why would anyone want to maintain a linux box instead of a plugin simple solution is beyond me. And why anyone would call this a POS is wayyy beyond me.

    It nats to 4 boxes on my network through its 100mbit switch which is very nice, the unreal tournament server plays away while i copy db files back and forth between two machines and the best part of all is i just don't have to worry.

    Its the best 100 bucks i've spent. and damnit, Outpost.com is the best place to buy it from :) (104 bucks)

  241. Re:My experiences by MindStalker · · Score: 2

    Sorry had to one up again! :) I've got a 486/100 with 32MB memory and a 20GB HD (yes alot of computer but wait there is more).
    But its acting as a Nat/firewall/SMB server for 25 clients pulling template,timesheet,and reports documents from it/Database hosting (ok its just hosting a database file that's accessed by said previous clients through microsoft access, haven't learned SQL yet/ and working on getting it to do periodic backups through samba from the clients, to a CD-RW :) (but hopefully will have new server before I have the database solution finished)

    Been running 2 years now without a hiccup :)

  242. Re:My experiences by MindStalker · · Score: 2

    Oh btw on a side note, and this one is to the Ask Slashdot question, I tried running a VPN (s/wan) on it a few months ago... EKK.. it was terribly slow :( Currently in the process of setting up ssl for testing :)

  243. Re:Firewall by Robert+S+Gormley · · Score: 2

    Extrapolate backwards... Cisco Pix Firewall has a Pentium II (266MHz I think) processor, and its traffic throughput (with filtering) is rated at circa 170Mbps...

    --

    Open Source. Closed Minds. We are Slashdot.

  244. Re:Get thee a firewall ... by kennylives · · Score: 2
    the darn things only support a class C subnet mask, instantly rendering it useless because of the class B scheme that we were using.

    /me rolls eyes...

    The LinkSys box was designed specifically for the home-network situation where there are only a few machines. In its intended environment, class C is more than enough for the internal network.

    Now, I have/use one of these, and I wouldn't be without it, but let's all say it together... "You get what you pay for." If you need to connect multiple subnets to a NAT box, you're gonna have to do an ipchains/ipfw/ipmasq box. Or you could talk to Cisco (or similar). I'm sure they've got something they'd be happy to sell you.

    --

    Where the value of X-Mailer: is the true measure of a man...

  245. 486-66 is fast enough by Rupert · · Score: 2

    I have a 25MHz 486 box with 16Mb of RAM as the firewall/NAT box for my home network. I have my RedHat box, my wife's Win98 box and two NT boxen from work, all talking through the 486 to the cable modem, and also a dialup modem to the RAS server at work. The throughput of the 486 has not been an issue, even with my wife and I both doing large downloads. The biggest bottleneck is the 5 port hub, which gets a lot of collisions when I do a large download . Count the boxen - it's full.

    --
    E_NOSIG
  246. Re:My experiences - what to do with UDP? by nchip · · Score: 2

    DNS/NTP/SAMBA/realaudio are the most common services using UDP. If you have a client setup, you can safely DENY all UDP traffic to your net on ports 0-1023. in the ipchains way;

    /sbin/ipchains -A input -l -i eth0 -p UDP -d $lan 0:1023 -j DENY
    /sbin/ipchains -A output -l -i eth0 -p UDP -s $lan 0:1023 -j DENY

    You should still read and understand the IPCHAINS-HOWTO

    --
    signatures pending - ansa@kos.to - (dont mail there)
  247. how about e-smith? by Raleel · · Score: 2

    Our local LUG has several members that swear by e-smith. They claim on their webpage that they only support pentiums, but it does work on a 486, it just needs a little tweaking to get the netcards installed (the isa drivers are not there). You can get it at www.e-smith.net? Another option is the linux router project.

    Personally, I am not sure you have to worry about those ports, but then again.. ;)

    --
    -- Who is the bigger fool? The fool or the fool who follows him? --
  248. Yeah. Run the 486 as a masquerade box. by Zenki · · Score: 2

    Masquerading has a nice side effect in that it is now "impossible" for machines on the Internet to connect directly to your machine. (Impossible without some serious configuration work.)

    So use your 486 as a masquerade box, and as a nice side effect, if your wife gets a machine of her own, it's really easy to setup a tiny lan in your home so both of you can use the cable modem.

    The only caveat is that the machine doing the masquerading had better be secured down. So, I suggest that you strip all the unnecessary cruft from the machine, like most userland programs with the exception of the bare essentials. Kill all daemons on the machine, and setup a firewall on the machine. Run tripwire, keep the database on another machine and periodically check, yadda yadda yadda.

  249. A 486 is a great firewall by bgarcia · · Score: 2
    I'm currently using a 486DX2-66 with a couple NE2000 clone cards as a NAT/firewall, and it works wonderfully. You just don't need much processing power to do simple firewalling and routing.

    But also, there's probably no reason why you couldn't setup ipchains on your main box. I think either solution would work well. You can simply tell ipchains to block all incoming tcp connections (except for specific ports that you want), and you'll have a lot more peace-of-mind.

    --
    I'm a leaf on the wind. Watch how I soar.
  250. Check the mailinglists by tiny69 · · Score: 2
    This has been brought up several times on the mailing lists:

    http://www.gnome.org/resources/mailing-lists.html

    http://mail.gnome.org/pipermail/gnome-list/2000-June/039518.html

    This is mainly an issue with ORBit and its CORBA compliance. ORBit can be compiled to either listen to TCP sockets or UNIX pipes. From what I've heard, Debian is the only one to compile it with UNIX pipes. A fix for everyone else:

    http://mail.gnome.org/pipermail/gnome-list/2000-June/039645.html

    --
    Go not unto/. for advice, for you will be told both yea and nay (but have nothing to do with the question)
  251. Re:Could an old... by TreeRat · · Score: 2

    I've clocked 1.5Mbps on a regular basis... Been using IPMasq for years without a detectable slowdown... My first Masq box was a 486/25 with 8meg of ram... I finally put in CoyoteLinux on a P100 with 32meg of ram, but I don't have to have a HardDrive in the thing anymore...

    --
    ---- Proudly marching to the beat of a different kettle of fish.
  252. Re:Put in a hardware firewall by slashdot-me · · Score: 2

    My homebrew intrusion detection system would automatically generate a friendly form letter with the relevant ip addresses and times. Periodically (once a day) I would track down the offending sites and send them the letter. Most of the time the other admin would thank me for letting them know their machine had been compromised. BTW, these were friendly letters. I always assume the other admin had been rooted. This is usually the case.

    Ryan

  253. IP Masq box by aaronl · · Score: 2

    I don't know about the GNOME ports, but your 486/66 is a more than adequate machine. A low end 486 can easily flood a T1 or two, your cable modem isn't going to be a problem to route for. I'm using one right now for something quite similar!

  254. Re:The ports open. by mjh · · Score: 2
    If you want to play it safe (although no security holes are known to exist in ORBit's incoming processing path) you can put this in your /etc/orbitrc:

    ORBIIOPUSock=1
    ORBIIOPIPv4=0
    ORBIIOPIPv6=0

    Have you given any thought to making these settings the default config? Why not "play it safe" by default, and give people the opportunity to be dangerous on their own?

    --
    Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
  255. Network Gateway... by ScottBrady · · Score: 2
    On the issue of network gateways, I have a used 486DX (66mhz, two NICs, 12mb, 400mb hd) that serves up Road Runner to three workstations on my home LAN (sshhh, don't tell!). It works flawlessly. I made sure to take the time to shut down all the unneeded services (everything) so that a portscan actually comes up completely empty.

    The point being, a 486 is more than adequate for a network gateway.

    --
    Scott Brady

  256. bastille by schnucki · · Score: 2
    I didn't see anybody mention bastille-linux yet:

    Check it out here

  257. Firewall by B-Rad · · Score: 2

    I can't speak for Linux as a firewall, but if you used that clunky old machine as an OpenBSD firewall, you'd be fairly secure. I have a Pentium-75 running OpenBSD 2.6, and I've noticed no speed dips at all. The load on the firewall sits at about 0.08, so I'd be surprised if your 486 fared much worse.

    1. Re:Firewall by Azog · · Score: 3

      Yup - OpenBSD works really nicely for that.

      I have a Pentium 120 running OpenBSD 2.6 for my firewall, and even when my other four computers are generating loads of traffic and completely filling my DSL it doesn't even slow down.

      I used OpenBSD for the firewall because I'm not an expert on security and wanted to be less likely to screw it up. The OpenBSD FAQ had a pretty good section on how to set up the IP Masquerading and IP Firewalling, including opening a few ports up to connect to the Linux HTTP / Web server behind it.

      It's not as easy to install as Mandrake, but it was fun. I like a little variety.


      --
      Torrey Hoffman (Azog)
      "HTML needs a rant tag" - Alan Cox
  258. Re:My experiences - what to do with UDP? by matman · · Score: 2

    The best way to combat open TCP ports is to deny all incoming packets with the syn flag set by default, and then only let in the ones that I want. However, what do you do with UDP? I'm not even exactly sure what uses it. DNS? Some ICQ stuff? some echos? Any pointers in particular?

    Thanks :)

  259. Spare 486? See www.dubbele.com! by DreamerFi · · Score: 2

    There's a good NetBSD based free firewall at www.dubbele.com if you have an old box lying around...

    -John

  260. the 486dx2-66 is enough. by AugstWest · · Score: 2

    If you're just talking about using ipmasq to protect and share any machines you have at home, the 486dx2-66 is definitely enough to handle the job.

    It would just be handling tcp-sockets, and with only 1 or 2 machines behind it, that doesn't even require much memory.

    I've had a 486sx25 handling it for me for 4 years now without a glitch. The case it's in is even older, it doesn't even have the "new" smaller power supply for a floppy drive...

  261. Re:My experiences by FirstEdition · · Score: 2

    That's nothing. I used a:

    * cardboard box
    * no screen
    * Rubber band for power, using a trained mouse on a cartwheel
    * storage was limited to the memory of the mouse.

    Oh wait - that was my sister's pet cage, not my computer.

  262. Firestarter by redpants · · Score: 2

    A great helix-code gnome using firewall program is firestarter, it configures an ipchains script through a wizard interface, and shows everyone who hits and how they are accessing your machine.

    http://firestarter.sourceforge.net/

  263. Re:Easier than any Linux solution by frankie · · Score: 2
    my wife has an old Mac (LC II I think), and if it's as simple as you make it out to be, I think I've got my firewall!

    You'll have trouble; the LC only has room for one card. That's not bad, considering the entire LC literally fits inside a medium pizza box, but a NAT/Firewall really works a lot better with two ethernet cards (one for the LAN, one for the outbound line).

    On the cheap, you could try a secondhand Quadra ($80) with two NuBus cards ($35 each).
  264. 486 fine for masq box by molo · · Score: 2

    We were using a 486-66 (32 megs of ram helped) for an ip masq box. It could easily pump out the 500 kilobytes per second that my cable modem pushes. It's not a bad thing.

    Either way, be sure you setup sensible firewall rules. That is the key.

    --
    Using your sig line to advertise for friends is lame.
  265. Re:Securing Linux by molo · · Score: 2
    --
    Using your sig line to advertise for friends is lame.
  266. Re:Get thee a firewall ... by ravenmoon · · Score: 2

    One thing to note, the Linksys will lose its configuration if it ever loses power! Not so good.

  267. Re:Could an old... by Stephen+Samuel · · Score: 2
    Back about 1991, the Computer Science department used 386-25s and 386-33s for routers. They were dedicated units (ethernet interfaces, one floppy disk, no keyboard, no monitor). As I remember, the Networking geeks figured that the '33s were overkill, but cheap enough that it wasn't worth worrying about.

    This was for 10MB ethernet (thicknet mostly but some thinnet). Being a computer science department with everything on NFS, you can bet that we were willing and able to push these ethernets to their 10Mb limit sometimes.

    This being before Linux was ready for prime time, I figured that it was one of the few good uses for an Intel box.

    --
    Free Software: Like love, it grows best when given away.
  268. My solution by qux.net · · Score: 2

    /sbin/ipchains -A input -p tcp -i eth0 -j ACCEPT ! -y
    /sbin/ipchains -A input -p tcp -i eth0 --dport 22 -y -j ACCEPT
    /sbin/ipchains -A input -p tcp -i eth0 -y -j DENY

    I also have a line with exceptions from an ftp machine that is configured similarily (I can't do passive to it). If you want to log you can do a -l on the last one. You can easily add a port 80 allow as well.

    The only catch with this is if you portscan yourself you'll see everything as open (well, stuff that is open) even though nobody else can.

  269. Speed & Security by yorgasor · · Score: 2
    I highly recommend having an old computer as a firewall. The 486 will do just fine handling the load of a cable modem, and you will never even come close to maxing out the NE2000's 10Mbit speed.

    As for security, I'm a big fan of portsentry and logsentry. And although I have never used Bastille Linux I've heard many good things about it.

    But it is a whole lot easier to lock down and secure a firewall, than worry about what software on your desktop might expose you. You'll be glad you did.

    --
    Looking for a computer support specialist for your small business? Check out
  270. That's more than enough machine for a NAT firewall by bozone · · Score: 2

    ...mine's a DEC 433dxLP 32MB RAM running IPMASQ / IPCHAINS / SSHD / TCPD & PORTFW. I downloaded FreeBSD 4.1 (~640MB) in 55 minutes last night while listening to the Red Sox via RealAudio, sending e-mail, web surfing etc. No noticeable latency...

    Check out TrinityOS for a good start on locking your machine down

    --
    "Hatred is the coward's revenge for being intimidated" ...George Bernard Shaw
  271. I run a portscan detector by Kwelstr · · Score: 2
    I use PortSentry, a "Port Scan Detection and Active Defense System". It works through Ipchains by blocking anybody trying to scan your ports. It also runs in stealth mode, so the pings from the scanner do not get answered, therefore making the scans from the wannabe attacker very slow.

    You can find it here:

    http://www.psionic.com/abacus/portsentry/

    --

    ~~~Please pass the salt, I hate unsalted MD5s :-/
  272. You don't need IP MASQ to block those ports by Andrew+Cady · · Score: 2
    if you're using a 2.2 kernel, it's as simple as this:

    ipchains --insert input --destination-port 1030:1040 --jump DENY

    Of course, there is a lot more you can do with ipchains than that. I recommend you block all ports below 1024, except for the ones you need, block 6000-6010, and go ahead and block any GNOME ports if you don't know what they're for.

    A more radical policy which many people use, is to block *all* incoming TCP connections, and UDP packets, *except* for ones explicitly allowed. You can do that too, but it may cause some problems (it won't cause any problems that wouldn't also be caused by using IP MASQ. In fact, this would be pretty much the functional equivalent of IP MASQ, but with only one computer.)

    More info: ipchains(8), IPCHAINS-HOWTO.

    Kernel 2.4 will change the entire way networking is administered, btw, so if you're using 2.4 those docs will be worthless. But everything you can do in 2.2 you can do in 2.4, so the same basic strategy applies.
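
The two single-box approaches argued in this thread, the blacklist in the post above and the default-deny rules posted by qux.net (with the equivalent of nchip's UDP line added), are easy to get wrong on ordering and on what `-y` means. The following is an added illustration, not code from any poster: a small Python emulation of an ipchains input-chain walk (first matching rule wins, otherwise the chain policy) run over constructed sample packets. It assumes eth0 is the cable-modem interface, and the emulated blacklist rule carries `-p tcp`, which ipchains needs before a port match.

```python
"""Emulation of an ipchains 'input' chain walk (added example, not from the thread).

Constructed illustration: first-match semantics over a list of rules, so the
two rule sets discussed on the page can be compared on sample packets
without touching a kernel.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    dport: int            # destination port
    syn: bool = False     # TCP SYN without ACK: a new connection attempt (ipchains -y)
    iface: str = "eth0"   # interface the packet arrived on (assumed cable side)


@dataclass(frozen=True)
class Rule:
    target: str                               # ACCEPT, DENY or REJECT
    proto: Optional[str] = None               # -p tcp / -p udp
    dports: Optional[Tuple[int, int]] = None  # --dport lo:hi (needs -p tcp or -p udp)
    syn: Optional[bool] = None                # True = -y, False = ! -y, None = either
    iface: Optional[str] = None               # -i eth0

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.iface is not None and self.iface != pkt.iface:
            return False
        if self.dports is not None and not (self.dports[0] <= pkt.dport <= self.dports[1]):
            return False
        # -y / ! -y only ever match TCP
        if self.syn is not None and (pkt.proto != "tcp" or self.syn != pkt.syn):
            return False
        return True


def filter_packet(chain: List[Rule], policy: str, pkt: Packet) -> str:
    """Walk the chain in order; the first matching rule decides, else the chain policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# Rule set A (the blacklist from the post above, with -p tcp added):
#   ipchains -P input ACCEPT
#   ipchains -I input -p tcp --destination-port 1030:1040 -j DENY
GNOME_BLACKLIST = [Rule("DENY", proto="tcp", dports=(1030, 1040))]

# Rule set B (qux.net's rules plus a UDP pair like nchip's): new TCP connections
# are dropped unless they are for ssh; replies to connections we opened get in.
#   ipchains -A input -p tcp -i eth0 ! -y -j ACCEPT
#   ipchains -A input -p tcp -i eth0 --dport 22 -y -j ACCEPT
#   ipchains -A input -p tcp -i eth0 -y -j DENY
#   ipchains -A input -p udp -i eth0 --dport 0:1023 -j DENY
#   ipchains -A input -p udp -i eth0 -j ACCEPT    # e.g. DNS answers to our high port
DEFAULT_DENY = [
    Rule("ACCEPT", proto="tcp", iface="eth0", syn=False),
    Rule("ACCEPT", proto="tcp", iface="eth0", dports=(22, 22), syn=True),
    Rule("DENY", proto="tcp", iface="eth0", syn=True),
    Rule("DENY", proto="udp", iface="eth0", dports=(0, 1023)),
    Rule("ACCEPT", proto="udp", iface="eth0"),
]

# Constructed sample traffic, not a capture.
SAMPLE_PACKETS = [
    ("ssh login from outside", Packet("tcp", 22, syn=True)),
    ("probe of an ORBit port", Packet("tcp", 1035, syn=True)),
    ("probe of an unlisted service", Packet("tcp", 8080, syn=True)),
    ("reply segment of a web fetch we started", Packet("tcp", 40123, syn=False)),
    ("active-mode FTP data connection", Packet("tcp", 35000, syn=True)),
    ("DNS answer to our resolver's high port", Packet("udp", 33001)),
    ("unsolicited UDP to a privileged port", Packet("udp", 137)),
]


def compare(pkt: Packet) -> Tuple[str, str]:
    """Verdict of each rule set for one packet: (blacklist, default-deny)."""
    return (filter_packet(GNOME_BLACKLIST, "ACCEPT", pkt),
            filter_packet(DEFAULT_DENY, "DENY", pkt))


if __name__ == "__main__":
    print(f"{'packet':42} {'blacklist':10} {'default-deny':12}")
    for label, pkt in SAMPLE_PACKETS:
        a, b = compare(pkt)
        print(f"{label:42} {a:10} {b:12}")
```

The active-mode FTP row is the breakage Duckie01 warns about: the server's data connection is a fresh SYN to an unprivileged port on the client, so the default-deny set drops it while the blacklist lets it through. The interface match also explains qux.net's observation that a portscan of your own box shows everything open: packets to localhost arrive on lo, none of the `-i eth0` rules match, and the chain policy decides.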

  273. Is there some sort of anonymous scp? by yerricde · · Score: 2

    Don't turn on ftp *ever* - use scp.

    And instead of anonymous FTP? Is there anonymous scp, or should I be using HTTP for world-readable files anyway?


    <O
    ( \
    XGNOME vs. KDE: the game!
    --
    Will I retire or break 10K?
  274. Check out PMFirewall by mauryisland · · Score: 2

    PMFirewall is another ipchains script that's simple to use, and seems to generate a very useful set of rules. You can find it here.

  275. Don't forget Lokkit by mauryisland · · Score: 2

    Apparently Lokkit was written by Alan Cox hizzelf. It's another firewalling script/utility that may be of interest, and you can find it here.

  276. Re:Could an old... by bechberger · · Score: 2

    I am currently running a 486/66 as my NAT and firewall for my cable modem. If there is a speed slowdown, it is not detectable. If I remember right the ISA/PCI bus is going to be saturated long before the processor limitations show up.

  277. IPCHAINS! by null_session · · Score: 2

    The trick here is ipchains. There are many flavors, I'll paste a quick script in here (can be put in an RC script... best idea, if you ask me)

    Once you have this up and running hit any of your favorite scanning sites and see if they can find you!

    ----------Start Code---------------
    #!/bin/sh
    # Single-host ipchains rules, usable as an rc script: "caterpillar start|stop"
    return=""   # echo -e "$return" below just ends the line begun with echo -n

    case "$1" in
    start)
    echo -n "'Engaging the Caterpillar Drive Captain.'"
    ## Not starting any real daemons (yet)
    ## configure IPCHAINS - I could use ipchains-restore, but that
    ## would make this _REALLY_ hard to manage.

    # set up the input chain first
    ipchains -F input # start from an empty chain so a second "start" doesn't duplicate rules
    ipchains -P input DENY # this should always be your default
    ipchains -A input -p icmp -j ACCEPT # I allow all icmp
    ipchains -A input -p TCP ! -y -j ACCEPT #accept tcp replies
    ipchains -A input -p UDP -j ACCEPT # need to fix this to only allow dns

    # I don't do anything with forward as I'm not routing
    # set up the output chain
    ipchains -A output -d 199.95.207.0/24 -j REJECT #reject anything to
    ipchains -A output -d 199.95.208.0/24 -j REJECT #doubleclick

    #I assume that the user will see the screen output if one of these
    #fails. Can't really imagine that happening, though :-)
    echo -e "$return"
    ;;
    stop)
    echo -n "'Ok, now we just unzipped our fly...'"

    # first, kill the ipchains rules
    ipchains -F #flush ALL of the chains
    ipchains -P input ACCEPT #back to normal 60's type sharing...

    echo -e "$return"
    ;;
    *)
    echo "Usage: $0 {start|stop}"
    exit 1
    ;;
    esac
    ------------End Code------------

    Like I said, that's set up to put in an rc script - I call this the "caterpillar drive" as in "The Hunt for Red October" - notice the quotes.

    If you really are planning on running a web server, you will have to add a rule to allow inbound tcp on port 80.

    In any case, because I believe in never typing code blindly without understanding what it does, read the ipchains howto before using any of this, and make sure you understand what it is doing.

  278. Re:My experiences by Lozzer · · Score: 2

    0.1MHz ZX81
    1K RAM
    Mono (But can't display an entire screen because dynamic screen to memory mapping doesn't have room)
    External cassette deck

    It took 9 years to compile LinuxLite, with much cassette swapping. It now NATs through a serial port card in the expansion slot, and out through the earphone. It doesn't saturate much, but no one can be bothered to hack it.

    Tell kids that today and they wouldn't believe it

    --
    Special Relativity: The person in the other queue thinks yours is moving faster.
  279. Re:My experiences by shepd · · Score: 2

    I'll one up you (I can't help myself!) ;-):

    -- 386/DX40
    -- 270 MB HDD using e2compr to compress ext2 on the fly
    -- 8 MB RAM
    -- TWO modems
    -- Multilink connection
    -- Hercules Graphics Card / Commodore Radar Green Phosphor monitor
    -- Amazingly, sshd, httpd, and ftpd.

    All that, and a network card + ipmasq/firewall... woah. And it all works no problem. With multilink on I get a full speed transfer (which, with my horrible 28.8kBps phone lines) of about 5-6kBps.

    But, it gets worse, I decided to resurrect this POS last year:

    -- 386 SX/16
    -- 4 Mb SIPP RAM
    -- 2x40 MB MFM HDD
    -- Arcnet Card [I have a near unlimited supply... woooooo :-| ]
    -- Using NFS
    -- 1.2 MB Floppy for booting
    -- Same crappy Hercules/Commodore monitor combo.

    And yes, it (woah!) booted Linux, and, I believe X via the NFS mount (after about 1/2 hour of swapping to the XT HDD)... That was fun. Yes, there is an X server for Hercules cards. Yay.

    Fortunately, nothing possibly gets worse than a 386 SX/16 for Linux.

    --
    If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
  280. Could an old... by AntiPasto · · Score: 2
    386 running linux-router as a firewall help? Dunno if ya got an old box lying around...

    ----

    1. Re:Could an old... by man_of_mr_e · · Score: 2

      Actually, my old cable modem pushed on average 800-1.5Mb/s, and as high as 2.5Mb/s during off peak times.

      My TCP receive window was set to 64k, since it was a one-way modem (it reduced the number of acks going back at 28.8k).

    2. Re:Could an old... by Chmarr · · Score: 3

      A cable modem isn't going to be pushing more than around 384k, with full-sized ethernet packets, 1500 bytes = 12k-bits, you'll be pushing around 30 or 40 packets a second, 60 to 80 for bidirectional... and a 486dx2-66 is going to be able to act as a router for that just fine.

  281. A few words... by flikx · · Score: 2


    386, 486, or old pentium lying around: stolen/borrowed/bought for $4 -- whatever.


    IPv4 Masq gate (linux or OS of choice)
    Mason - good firewall builder, very easy
    Filter some ports
    A copy of the TOS, so you know what you're violating. :)

    some coffee (if that's your thing.)

    ... and one night to bring it all together.

    priceless.

    --
    One future, two choices. Oppose them or let them destroy us.
  282. Re:Get thee a firewall .. and the LinkSys is great by sillysally · · Score: 2
    I sometimes wonder if the Linux crowd will use Linux for ANYTHING, no matter how ridiculous, just so they can point out that there's yet another thing Linux can do.

    Um... linux people were doing this years ago, is why there are so many. Yeah, this linksys boxlet is great and cheap today, but where was it last year? the year before? the year before that?

    BTW, Windows 2000 can do this stuff now too, though it insists on being a DHCP server just like the Linksys... if you use Linux, you can use fixed IP.

  283. Put in a hardware firewall by Vassily+Overveight · · Score: 2

    As far as what you can do to improve security: spend @$150 for a Linksys router. (There are others, such as those made by Beadle, but LinkSys was cheapest last I knew). Besides allowing up to 255 computers to share the cable modem, it acts as a firewall to keep out hackers. It also can keep you out of trouble with RoadRunner. The RR Terms of Service forbids 'servers' (basically anything which can allow people out in the world at large access to files on your computer. So Napster would qualify, for example). If you're running any sort of Unixoid O/S, there's bound to be a 'server' or two by their definition. The last time I talked to RR, they weren't enforcing this provision of the TOS, but that may have changed, or could at any time. At any rate, a firewall just makes life easier, security-wise. Mine catches two or three port scan attempts per day.

    --

    "If I have seen further than other men, it is by stepping on their glasses." - Michael Swaine

  284. No, it isn't by Vassily+Overveight · · Score: 2

    Port scanning is illegal. The fact that it's your own box doesn't change that.

    No it isn't 'illegal'. It may be against the Terms of Service of a provider, but there's no law against it. And it isn't even against the TOS if you're doing it locally and not across the provider's network.

    --

    "If I have seen further than other men, it is by stepping on their glasses." - Michael Swaine

  285. Are the listening ports wildcards? by Kaz+Kylheku · · Score: 3

    Before panicking, be sure that these ports really are open to the world.

    Use netstat to see what network they are bound to.

    A foreign address of *:* is a bad thing.

    A foreign address of 127.0.0.1:* indicates that the connection is restricted to localhost only. An attacker would have to spoof packets originating from 127.0.0.1 in order to connect to the port.

  286. Userspace threat, definitely. by maynard · · Score: 3

    Any program which grabs a network socket and accepts connections from the outside world represents a potential threat from buffer overflows. Fortunately, I'm pretty certain all of these run with the permissions of the user, so a successful crack would be limited to the user's account. Doesn't make me feel any safer though. It just doesn't make sense that the GNOME team would need open sockets for these services... why not just use a local named pipe down /tmp, for instance (which they do use)?

    Can a competent GNOME hacker please chime in?

  287. Re:Quit your whining use ipchains by Jeffrey+Baker · · Score: 3
    Actually it is much more secure to first DENY all inbound connections, and then selectively ALLOW connections that you have deemed to be secure. For example, assuming eth0 is your only public network interface.

    First, deny and log to syslog all inbound connections: ipchains -A input -p tcp -y -l -i eth0 -j REJECT

    I'm pretty sure I got it right but I didn't consult the manual. Use at your own risk.

    Second, decide that you wish to always allow inbound SSH connections: ipchains -I input 1 -p tcp --dport ssh -i eth0 -j ACCEPT

    And maybe a secure web server too: ipchains -I input 1 -p tcp --dport 443 -i eth0 -j ACCEPT

  288. WHAT the heck are you talking about? by Accipiter · · Score: 3
    they've decided to take it upon themselves to police YOUR system.

    With the exception of Time Warner's Acceptable Use Policy (Mirrored verbatim from city to city), they don't probe users' systems.

    I had someone get kicked off the network for having telnet open.. apparently it's "windows or mac only" - with a vengeance.

    A) I seriously doubt you got a user "kicked off" for simply having telnet open. I had RoadRunner for over a year with several services (including telnet) open, and Time Warner was fully aware of it. I talked with a few techs there, and they knew what I was running. How? I told them. They never "scanned" me to find out.

    B) Part of the reason RoadRunner eliminated the Windows/Macintosh login program was to support users of other operating systems. It used to be that users of RoadRunner would have to log into the system using an authentication program for either Windows or Mac. This step has been eliminated, in part because of pressure from users of other systems.

    The extent of Time Warner's involvement with users' security can be found here.

    --
    -- Give him Head? Be a Beacon?
    (If you can't figure out how to E-Mail me, Don't. :P)

  289. ORBit configuration error by Ethan · · Score: 3

    I'm pretty sure there was a bug in one of the Helix packages a while back that caused ORBit to listen on a TCP socket by default... This caused any gnome app exporting a CORBA interface to have an open socket. (gnome-terminal, panel, gpilot-applet, etc. - any applet and many apps)

    At any rate, Helix fixed this in one of their updates, and the recent ORBit RPMs have this feature disabled by default. A simple upgrade should fix your troubles.

  290. Quit your whining use ipchains by Ex+Machina · · Score: 3

    Just set up a quick ipchains ruleset to filter those ports (see the IPCHAINS-HOWTO). Thanks for bringing it to our attention though.

  291. Linksys != firewall!!! Get a SonicWall instead! by BitMan · · Score: 3

    Dude! Linksys should be SMACKED for calling that POS a "firewall". Linux IPChains is MUCH, MUCH better! At least it has some REAL logging!

    For $350, you can get the SonicWall SOHO/10. It is the only ICSA approved firewall you can find for under $500. It has excellent features, including one-to-one NAT (so you can let in certain ports), and logging is fairly good (nothing to complain about at that price). I've used these little babies on corporate networks.

    --
    -- Bryan "TheBS" Smith
    Independent Author, Consultant and Trainer
  292. Firewall Info by Kimble · · Score: 3

    Here's some Firewall info I've referred to many times.
    Check out the Trinity OS Paper. It gives some excellent advice on Securing your Linux System. This paper also comes with various IPCHAINS Rule-Sets you can use. Don't try to print it out though. It's at least 1,400 pages long and growing.
    This Firewall Site allows you to configure an excellent firewall Script just by answering some simple questions. I know of many people who have used this site to configure their firewalls.

    --
    ..!!in an intastella burst i am back to save the universe!!
  293. Re:Get thee a firewall .. and the LinkSys is great by cybrthng · · Score: 3
    The linksys is $104.00 at Outpost.com and that is cheaper than the amount of electricity a single linux box will use over a year.

    Plus with the linksys you get a 4 port 100mbit SWITCH with Nat and routing and only 4 minutes to install. If there is a power outage no fs to rebuild and no parts to replace on a dead peecee should something happen.

    Plus if you're concerned about uptime and connectivity the Linksys uses a lot less UPS power and will hide easily on a shelf and does make a hell of a lot less noise than an old pc box.

    Don't underestimate the power of these devices.

  294. Same problem as you by NoWhere+Man · · Score: 3

    Actually I came across this very same problem. I have @home Rogers Cable Access. I setup a Proxy server on my box so another computer could use the network and use that connection. But it seems to be as slow as a 14.4 modem (maybe worse). Serves me right for using a Windows Proxy program.
    I came across a proxy/boot floppy setup which is perfect for your old 486 as long as you have 2 NIC cards installed.

    Here is the address:
    http://lightening.prohosting.com/~normr/index.shtml
    Hopefully this guy doesn't suffer from the Slashdot effect after this post

    Good Luck!

    --

    "Imagination is the only weapon in the war against reality." -Jules de Gautier
  295. The easiest way by slakhead · · Score: 3
    First of all, your 486 is fast enough for what you need. My personal setup in my room is a P90 with 24mb of ram that does all my IP forwarding and acts as a firewall. I don't know if I have the most secure setup but here are the tools I use and you will need to get this working:

    dhcpcd
    dhcpd
    ndc (not a requirement but you may benefit from having a local name server instead of using the slow @home ones)
    pmfirewall
    rc.firewall

    You can find the rc.firewall script here. It sets up all your forwarding modules for your network.

    dhcpd and dhcpcd are used to assign an IP address to your main machine. I use them because I am lazy and don't want to bother with setting a static address.

    Your dhcpd.conf should probably look something like this for your type of two computer network. dhcpcd just has to be run on your main computer and it will get all the info it needs from the dhcpd on the firewall computer.

    Finally, you need your firewall program. I use pmfirewall because it is easy to install and use. It is basically a frontend to ipchains and it takes all the nasty configuration out of setting up a firewall.

    You can download it here.

    The best thing about pmfirewall is how easy it is to allow complete access to one address (like your main computer) to everything you need and close off the important/scary ports to everyone else.

    As long as your network cards are working, you should have no problems getting dhcpd to work and the rest of it installs very easily. As for your gnome ports, you can close those to everyone but you so you don't have to worry about screwing up gnome.

    Hope that helps.

  296. Yellow Network Coalition, Risks, CERT, BugTraq by goingware · · Score: 3
    Some Useful Websites:

    The Yellow Network Coalition takes old 486's and turns them into firewalls and IP masquerading servers they give away for free to people who have cable modems and DSL. I gave them my 486 when I moved. They also set up free public-access kiosks. These guys are inspired by the freely available yellow bicycles in Amsterdam.

    They Need Your Donations of Old 486's and Other Hardware

    The Forum on Risks to the Public in Computers and Related Systems discusses security holes, bugs in software, user and usability problems that cause such trouble as security problems, and carries security announcements.

    The CERT Coordination Center carries authoritative announcements of security problems and what you can do to fix them; provides rapid response to security emergencies while they are in progress.

    I've also heard BugTraq is good and better than CERT for timely information but don't have a URL handy.

    --
    -- Could you use my software consulting serv
  297. Re:Clarifications by Trepalium · · Score: 3
    1. It's not called masq. It was called IP Masquerading to distinguish it from NAT. Linux (as of 2.2) doesn't include any TRUE network address translation services, but rather just a port-based NAT derivative. NAT, in its truest form, relies on a pool of public IP addresses that are dynamically assigned (and translated) for internal addresses, and doesn't suffer from the problem that IP masq has in dealing with listening connections.

    2. A 486 is more than up for the job. A 486-DX2 running Linux kernel version 2.2.x with ISA NICs will become saturated at about the 3-4Mbit/sec mark. As long as you never see more than that much traffic, you'll be fine.

    3. Safety first. I agree that keeping your firewall clean and efficient is very important. However, I find the claims that Linux is less secure than BSD more than a bit bogus. Almost all those server daemons that have had buffer overflows on Linux can be compiled and installed on OpenBSD with the same buffer overflows. "Security is a journey, not a destination" is true in ALL cases, even OpenBSD. An incompetent (or inexperienced) administrator can easily turn a secure machine into one that's wide open for anyone to break into.
    Most people usually end up compromised because of services that they either never used or never knew about, and therefore didn't bother maintaining. Due to the shortsightedness of most Linux distributors, you'll probably end up "cleaning" dozens of packages out that are completely worthless. Ideally, your result should be a machine that's not listening to anything on the public interface.

    4. Raise Hell About Gnome Security Issues. Absolutely! A TCP/IP port should never be opened unless there's a very good reason why this service needs to be advertised to the world. Most of the time, this is just lazy coding, and a place where other types of sockets would probably serve better.

    --
    I used up all my sick days, so I'm calling in dead.
  298. Re:How do you check ... by Andrew+Cady · · Score: 3
    How do you check to see what ports are open? Use a shell script to port sweep with netcat(nc)?
    netstat -t -u --listening | less
  299. 10 minute solution: by Anonymous Coward · · Score: 4

    As others have mentioned, a 486 can easily route a T-1 or more with no performance hit. The easiest solution on the planet has to be Freesco. http://www.freesco.org. It runs off a floppy, can be easily migrated to the smallest hdd you have, and supports such niceties as dynamic DNS and port forwarding...all without editing config files. Port forwarding will allow you to run Apache or ftp behind the Freesco box, even if you're using a private subnet. A huge benefit.

  300. Clarifications by Anonymous Coward · · Score: 4

    1. It's not called masq. It's called net address translation. It's been called that for 20 years. Then these linux kids come along and make up masq. Call it by its technical name; not a developer's gimmick name.

    2. A 486 is more than up for the job. It will handle a saturated cable line and still not carry a heavy load.

    3. Safety first. Just because the 486 is more than enough power don't feel justified in making a stupid security mistake; keep the firewall clean.
    Linux is not as secure as BSD, as you are finding, because many chances are taken in user land apps with permissions. This makes the OS more cutting edge, but security is the price. (This is not a troll--how many weeks go by before another bugtraq post comes up about another linux exploit--every few weeks; how often for OpenBSD? Not for three years. Look, it's better than windows, OK, but linux is riddled with buffer overflows in user space, which in turn lead to LOCAL ROOT compromises.)
    So, DON'T LISTEN TO OTHERS WHO SUGGEST RUNNING OTHER SERVICES ON THE BOX.

    Don't do it.

    Run these other services (mail, httpd, etc.) off your interior boxes.
    You absolutely want ipfilter or other socket filtration software to have a complete crack at packets; you don't want to make a nice firewall, and then junk it up with services. Keep the firewall clean and separate from user space. Hell, even remove ls from the freakin' firewall. Trash it so you have to admin by booting from a floppy. Don't leave your tools on the firewall; the hacker will only use them to compromise other machines on the LAN.

    4. Raise Hell About Gnome Security Issues.
    You should start asking loud, noisy questions about (a) what are these ports, (b) HAS THERE BEEN A SECURITY AUDIT OF THEM (answer: No), and (c) are they really necessary (perhaps they are; could they instead be wrapped; are they suid? who owns that port? etc.).

  301. yes, excellent script! by DrSpoo · · Score: 4

    You have made a wonderful script Manuka, thanks for your hard work! I have made a quick security guide for my local users group, and this script is a big part of it.

    http://usmcug.usm.maine.edu/papers/linux_security_guide.html

    1. Re:yes, excellent script! by Karmageddon · · Score: 4
      Initializing your ipchains via rc.local as you suggest leaves you highly vulnerable for a short period of time whenever you reboot. You need to run the script before the network is started.

      if you look in /etc/rc.d/rc{3,5}.d/ you will see the SnnNetwork startup script. put a symbolic link named SnnFirewall to your firewall script. replace the nn with a smaller number than the network script uses.
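    A worked version of the deny-first, then selectively-allow ruleset that comments 287 and 301 describe, added here as an example; it is not the Langistix script, not pmfirewall, and not any commenter's own rules. It assumes eth0 is the only public interface, uses a labelled placeholder (DNS_SERVER) for the provider's resolver, and has a DRY_RUN switch so the rules can be reviewed before they are loaded from an init link that runs before the network script.

```shell
#!/bin/sh
# Added example: a deny-first ipchains ruleset for a single machine on a
# cable modem. Not the pmfirewall or Langistix script. Assumptions:
#   EXT_IF     - the public interface (eth0, as in comment 287)
#   DNS_SERVER - placeholder for the provider's resolver; take the real one
#                from /etc/resolv.conf (192.0.2.53 is documentation space)
#   DRY_RUN    - when set, print the rules instead of loading them
EXT_IF="${EXT_IF:-eth0}"
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"

# Run ipchains, or echo the command line when DRY_RUN is set.
fw() {
    if [ -n "$DRY_RUN" ]; then
        printf 'ipchains %s\n' "$*"
    else
        ipchains "$@"
    fi
}

build_input_rules() {
    # Clean slate and a default policy of DENY: anything not explicitly
    # accepted below is dropped, so a new daemon cannot be exposed by accident.
    fw -F input
    fw -P input DENY
    # Loopback stays open: ORBit, X and friends talking to 127.0.0.1 are fine.
    fw -A input -i lo -j ACCEPT
    # ipchains keeps no connection state. Accepting non-SYN TCP lets replies
    # to connections this host opened come back; new inbound connections
    # (SYN set) fall through to the rules below.
    fw -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    # The only services deliberately exposed: ssh and https.
    fw -A input -i "$EXT_IF" -p tcp -y --dport 22 -j ACCEPT
    fw -A input -i "$EXT_IF" -p tcp -y --dport 443 -j ACCEPT
    # UDP (comment 304: don't forget it): only DNS answers from our resolver.
    fw -A input -i "$EXT_IF" -p udp -s "$DNS_SERVER" 53 -j ACCEPT
    fw -A input -i "$EXT_IF" -p udp -l -j DENY
    # The GNOME/ORBit range from the question gets its own logged rule so
    # scans of it stand out in syslog.
    fw -A input -i "$EXT_IF" -p tcp -y --dport 1030:1040 -l -j DENY
    # Everything else trying to open a connection: log and deny.
    fw -A input -i "$EXT_IF" -p tcp -y -l -j DENY
}

# Print the ruleset without touching the kernel; review this first.
dry_run() {
    ( DRY_RUN=1; build_input_rules )
}

# Install as e.g. /etc/rc.d/rc3.d/S08firewall, numbered below S10network,
# so the rules are in place before the interface comes up.
if [ "${1:-}" = "--dry-run" ]; then dry_run; fi
```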

  302. Get thee a firewall ... by Stan+Chesnutt · · Score: 4

    Over the weekend, I installed a firewall made by LinkSys:

    http://www.linksys.com/products/product.asp?prid=20&grid=5

    and it replaced a simple Linux machine that was running the usual ipchains/NAT software. Why use the LinkSys? Smaller, much less power consumption, no noise, very little heat. While a linux machine is a lot more powerful, the power simply isn't needed in this situation. The linksys allows port forwarding, supports DHCP, and a few more exotic features. The unit has gotten a lot of good reviews on epinions.com.

  303. Easier than any Linux solution by Weasel+Boy · · Score: 4

    If you have an old Mac, as I do, load it up with dual Ethernets, Open Transport 1.1.1 or better, and IPNetRouter. It does all the port mapping and filtering you need, and comes with excellent instructions.

    The same reason Macs were chosen by the U.S. Army will make your old Mac a great firewall: Macs hardly have any open TCP/IP ports! Other than the ones you explicitly enable, of course.

    I loaded up IPNetRouter on my 6-yr-old Mac and used it both as a firewall for my house and as my primary workstation for over 9 months before I upgraded. It has been extremely reliable (uptimes on the order of weeks ain't bad considering all I do to it) and easy to maintain.

    Which is more than I can say for the Linux rig I used for my firewall previously.

  304. My experiences by benploni · · Score: 4

    I have a dsl line in my apartment. I have it connected to a dual NIC pentium 90 that is my ip-masq/firewall/dhcp server/samba/ssh/httpd server. That's right, a Pentium 90. Not as bad as a 486, but no great shakes. I VERY carefully bind vulnerable services to the inside NIC, and only have http and ssh available to the outside nic. ipchains rules do the masqing and firewalling.

    The box has flawless uptimes, and speed is NOT an issue. It's very easy to saturate a cable or DSL line. CPU won't be your bottleneck.

    Things to watch out for:
    1) listening ports. do a "netstat -a" and check for "*:anything ... LISTEN". If you don't want it to be available to the outside world FIX it!
    2) NO X. Duh.
    3) understand ipchains. It's not hard, but not obvious either
    4) don't forget about UDP.

    Good luck,
    Ben Ploni
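    The netstat check that comments 285, 298 and 304 recommend, as an added example that is not code from any commenter: it parses netstat -tuln style output and separates wildcard-bound listeners (reachable from the cable segment) from sockets bound to 127.0.0.1. The SAMPLE lines are constructed for illustration, with ports in the 1030-1040 range standing in for the ORBit sockets from the question.

```shell
#!/bin/sh
# Added example: classify bound sockets from "netstat -tuln" output as
# world-reachable or loopback-only. Not code from any commenter. SAMPLE is
# constructed to resemble the questioner's box: sshd, httpd and ORBit
# ports in the 1030-1040 range, plus a DHCP client socket on UDP 68.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1031            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:1032          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:139         0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 127.0.0.1:1033          0.0.0.0:*'

# Read netstat lines on stdin; print "proto port scope" for every bound
# socket. scope is LOCAL (loopback only), WORLD (wildcard bind, reachable on
# every interface) or "IFACE <addr>" (bound to one specific address).
# Works with or without -n, so "*:ssh" is handled like "0.0.0.0:22".
audit_listeners() {
    awk '$NF == "LISTEN" || $1 ~ /^udp/ {
        addr = $4
        n = split(addr, parts, ":")          # the port is the last ":"-field
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "127.0.0.1" || host == "localhost" || host == "::1")
            scope = "LOCAL"
        else if (host == "0.0.0.0" || host == "*" || host == "::" || host == "")
            scope = "WORLD"
        else
            scope = "IFACE " host
        print $1, port, scope
    }'
}

# Only the sockets reachable from outside: the ones to firewall, rebind to
# 127.0.0.1 (as the ORBit fix does) or switch off.
world_listeners() {
    audit_listeners | awk '$3 == "WORLD" { print $1 "/" $2 }'
}

# On a live box:  netstat -tuln | world_listeners
printf '%s\n' "$SAMPLE" | world_listeners
```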

  305. Update your Gnome install by Mike+Hicks · · Score: 5

    I believe that these problems have largely been fixed in the recent versions of Helix Gnome. If you just run helix-update, you can download the new packages that use Unix sockets by default instead.

    I remember having similar frustration myself, and I was happy when it was fixed.
    --
    Ski-U-Mah!

  306. ipchains by Manuka · · Score: 5

    Simply run ipchains with a set of rules that firewall that individual machine. There is a script at http://firewall.langistix.com that I wrote which will do precisely that if only given one interface. Combined with intrusion detection, it can be a very powerful tool.

  307. The ports open. by miguel · · Score: 5

    Each port open is a CORBA connection from an application that supports being controlled through CORBA.

    To access those services you do have to know the secret password (which is generated once for each session) so it is basically as secure as being able to log into your computer.

    Now, we realized that this was a potential problem and some systems are shipping with ORBit CORBA sockets disabled (Helix GNOME ships with a disabled CORBA socket connection) as well as other distributions that have turned this feature off.

    If you want to play it safe (although no security holes are known to exist in ORBit's incoming processing path) you can put this in your /etc/orbitrc:

    ORBIIOPUSock=1
    ORBIIOPIPv4=0
    ORBIIOPIPv6=0

    Miguel