
GNOME, Security, Linux, and Cable Modems?

beagle asks: "I just signed up for Time Warner's Road Runner service, and I'm concerned for security on my home machine now. As I started to crack down on my box over the weekend, I noticed that GNOME has about ten ports open in the range of 1030-1040, for such things as gpilotd, tasklist (sp?), and other similar apps. I shut off inetd, named, sendmail, and all other basic services except httpd. Of course, ssh is the only remote login method I support. However, I run Helix GNOME at home (I don't at work; I only ssh into the work machine - no console) and I don't want to stop using GNOME."

"I have always been more lax about security on my home Linux box than I have been on my public Linux box, but now that my home machine will be online all the time, security becomes more of an issue.

Are there any security concerns related to GNOME? Should I worry about all these ports that GNOME is using? Is there anything I can do to beef up security on the machine? (There are bunches of other UNIX sockets open too - ORBIT comes to mind - but I'm only worried about the TCP sockets.) Of course, I have Zone Alarm for when the machine is running Windows (once in a blue moon), but I don't know of anything like that for a single Linux box.

I know I could use a spare machine as a firewall and run Linux's IP masquerading. My only spare machine, however, is an old 486dx2-66 with an NE2000 ethernet card. Not exactly a speed demon, and speed is exactly why I got a cable modem. (Well, that and my wife is tired of me tying up the landline every night.)

So, what about it, gurus of Slashdot? Is my best option to go ahead and run IPFW and IP Masquerading on my old 32MB 486? Do I even need to worry about the ports GNOME is using at all?"

  • by Anonymous Coward
    At home I run a 486sx33 with 20mb of RAM in it as my IPMasq, httpd, mail, and proxy server. It serves everything I have loaded on it without problems. (It does admittedly only feed a 144kbps DSL link)

    I regularly pull 700kbps/sec off it over the local net, most of which I attribute the speed to the generic ISA NE2000 clone card that I've got in there. (The rest of my home net is switched 100mbps)

    A 486dx66 should be _more_ than plenty for what you're trying to do.. just watch the rulesets to make sure you're not doing anything overly complicated and you'll be just fine.

  • by Anonymous Coward
    If you want to go the 'dedicated firewall' route (no pun intended), a device such as the LinkSys is a great choice.

    But if you want something more programmable, check out Coyote Linux [coyotelinux.com]. It's a micro distribution specifically for doing firewall/NAT on boxes like your 486.

    I've used the freebie version and it's quite nice.

  • by Anonymous Coward
    Whats with all this firewall talk?

    If my money was sitting on my dashboard, I would not cover it with paper, I would put it someplace safe instead.

    Turns out that all gnome apps are compiled with libwrap, so all you have to do is put an ALL in your hosts.deny (you did that already right??).

    Furthermore, most (all?) of them only listen on 127.0.0.1 so they shouldn't be a big concern on most desktops (i.e. you are mostly afraid of remote root)
  • I use a 486-50 with 8 megs of ram, and 2 Linksys NE2000 clone cards as a firewall (running OpenBSD).
    I had a little trouble with the GENERIC kernel running out of memory, but after I stripped unneeded drivers (SCSI, NFS, PCI, etc..) out of the kernel it worked great!

    It used to be a Linux (Slackware) system, which also worked well until someone got in through a buffer overflow in sshd a couple of months ago, and trashed the system.
    --
  • Running a website off a cable modem or asymmetric DSL is like running a website off a 57K modem.

    Not if you have a decent cable modem provider - I get a 10 megabit chunk of a 100 megabit backbone (there aren't many people on my node, so I get close to the full bandwidth most of the time) with some very liberal TOS [tcimet.net] (I've never had them enforce clause 10-C).

    It's nice living in an area which was one of the initial testing areas for cable modems, and to still be on the prototype network for testing how much bandwidth is possible over cable modems :-)
    --
  • I've gotten over 300k/s (bytes, not bits) through my 386dx33 ipmasq router. A 486dx2-66 would be severe overkill (though nice for those rare times you have to compile something on that box).

    Bill - aka taniwha
    --

    Urm, don't run it to block on default, if a person is funny, he/she will run a spoofed IP-scan on you, and you will end up blocking hosts that never did anything. Imagine someone spoofing an IP scan from slashdot, now you can't read slashdot anymore.

    At least you know somebody scanned you that way. If /. gets blocked, just remove that rule from the chain and all is well again. If you do manually remove a rule, PortSentry WILL NOT re-add it unless you delete the address from its list of already blocked addresses.

    If that's a problem, you can always set it to just add the address to hosts.deny. That way, you can still contact the spoofed address, but no services will accept a connection from it (not a problem for /. or for the gateway).

    Just for good measure in case the attacker knows you, set the IP you would be using to log in from work not to be blocked. That way you can always get in.

    Getting mail about a scan is good, but kiddie scripts are often automated enough that you could be owned before the mail hits your box.

  • What kind of an admin would advertise his box like that? Are you sure your box is secure? Why not taunt people some more and find out.

    It happens all the time. It's called a server. Many .coms spend millions of dollars advertising their boxes. All of them pay at least $35 to make it easy to find once you hear about it.

    There comes a point where you have to go for it and hope you did enough, or use the 1 inch air gap method and defeat the whole point.

  • Given that a regular modem involves a CPU response to almost every single character (a DSL interface won't require that)

    I believe that some cheap-ass NICs are almost as bad. 3COM's Parallel tasking chipset (in the 3C905B) is very good about not using your CPU to bring in data.

  • If you have a box on the net you really need to make sure that addresses coming in on an interface match the interface. There should be plenty of example firewall scripts that do just that. It is important to make sure people can't tunnel into your firewall and look like they are coming from inside your network.

    As a rule, 127.* should only be accepted on loopback, if you use 192.168.*, only packets addressed to addresses in that range and coming from that range should be accepted.

    Publicly accessible interfaces MUST drop all packets with destination and source addresses in the unroutable range.
    --
    Mike Mangino
    Sr. Software Engineer, SubmitOrder.com
  • I'll try and remember that next time I update my kernel :-) [uptime in the 100+ days region now]

    On a more serious note, wouldn't any attacker be immediately blocked as soon as the chains come up, or would his connection be allowed because it already exists? Behind my 64k link I can't see anyone doing much serious if the former is the case. But if the latter is the case, I would worry a bit more about it.
  • Running old slackware. Works fine. Connected to DSL.

    Check out this site of the guy who wrote the book
    _Linux Firewalls_.

    http://www.linux-firewall-tools.com/linux/

  • On my system at least, and I last updated Gnome 2 weeks ago. I hope this has been fixed since; using TCP sockets instead of unix sockets is odd enough, but those TCP sockets do *NOT* need to be listening on non-local ports without my say so. I don't care that they're not running as root; like most home users I make backups infrequently enough (yeah, like most home users make backups) that someone cracking my personal account would be a real PITA.

    Yes, I'm ipchains proficient enough to block outside access to those ports... but I shouldn't have to; even if there's some functionality benefit I'm missing, I should have to change the default configuration just to open them up in the first place.

    This ticks me off. We've got a linux machine outside the firewall at work; I carefully made sure that ssh was the only open port, even making sure that the X server and font server were local only. Now I have to add an ipchains ruleset too, to protect against every random app that wants to moon the rest of the internet?
  • I signed up for roadrunner a month or two ago and had the great pleasure of being billed over $350 for a single month's service.

    It broke down: cable tv fees, $39.95 RR subscriber rate, PLUS "7 additional connections" each at an additional $39.95. My guess is the technical wizards they sent over to my home caught a glimpse of my LAN's nerve center in the basement and counted the number of ports on the hub... Needless to say, I didn't pay it, and when I called, they quickly realized their error and corrected it. Sheesh! Just a few words of caution, what with the story on @Home today and such.

    I think you're missing the point. Placing a computer behind a NAT firewall is no safer than just running the firewall on the computer itself. Most all of the responses on this thread have been along the lines of "Dude, just NAT and firewall your box", which is pointless considering he only has one PC. An entire night to "bring it all together" seems like a waste of time when three or four firewall rules could do the trick just as nicely.

    --
  • My firewall is rather peculiar in that instead of blocking everything, it's open to the public *except* for my ISP's blocks. If you want, I can provide you with my script.

    Can I just say that that's about the stupidest reason to have a firewall I've ever heard of. Besides irony, what exactly is such a device providing you with? Last I checked, Time Warner wasn't rooting people's boxes, thrashing their hard drives, exploiting unpatched copies of Sendmail, or otherwise wreaking havoc. I get scanned once every two weeks on port 119, of all things, by my ISP. I get scanned approximately 3-4 times a day by random other hosts from around the world on pretty much every port between 1 and 1024. In my opinion your stance - "Your biggest threat won't be the script kiddies" - is highly naive.


    --
  • The open ports are used for CORBA communication within GNOME.

    Just add the lines:
    ORBIIOPIPv4=0
    ORBIIOPIPv6=0
    to the .orbitrc file in your home directory.

    This tells ORBit not to open TCP ports by default. You will not be able to run remote GNOME components if you do this.

    Also, the newer Helix GNOME updates do this by default.
    Your biggest threat won't be the script kiddies. It'll be Time Warner probing your system. They've decided to take it upon themselves to police YOUR system. I had someone get kicked off the network for having telnet open.. apparently it's "windows or mac only" - with a vengeance. My firewall is rather peculiar in that instead of blocking everything, it's open to the public *except* for my ISP's blocks. If you want, I can provide you with my script, e-mail me [mailto] and I can fill you in on the 411 for making your system stealth to their scans. :/

    Sad, huh?


  • Read the ipchains HOWTO [linuxdoc.org]

    Perhaps my firewall scripts may be a good starter:

    For masq boxes, see
    http://duckie.neep.net/firewall [neep.net]

    For standalone boxes, see
    http://duckie.neep.net/firewall1 [neep.net]

    For unprivileged ports, use ! -y to accept packets which aren't SYN packets. Be aware you might run into trouble with ftp. The client will get connections on unpriv'd ports in port mode, the server will get 'em in passive mode.

    My masq box is a 486/66 with 32 MB as well and woopsie:
    1:58am up 195 days, 23:58, 1 user, load average: 0.04, 0.06, 0.01

    It's fast enough to do whatever masquerading you want. It'll even handle mail/ftp/http just fine. Though I'm not sure if it'll survive /. load ;-)
  • Take your Ritalin Garth. Although I use OpenBSD on my site, I've found that a locked down slackware/debian box is no less secure than OpenBSD. The code audit / secure by default stuff is nice though.
  • Although T-W Corporate will hand down orders from on high from time to time, the actual enforcement of the RR Acceptable Use Policy tends to vary from region to region.

    I've lived places where people have been warned for having open SMTP ports (not open relays, just open ports, mind you). There was one city where I was given the seemingly standard line of "Linux is not a supported OS", yet was directed to the local RR other-os newsgroup, where RR employees volunteered support in their off hours. Wonderful folks, those. We need more of 'em.

    The same thing goes for actively scanning systems for open ports. Some affiliates do it. Others aren't as intrusive. A good way of finding out is by checking your local RR security newsgroup for horror stories.

    Going back to the original subject, this is also a great way of finding out which ports (if any) are blocked by RR, and getting warning of any local script-kiddies who have been hitting firewalls.
  • I know I could use a spare machine as a firewall and run Linux's IP masquerading. My only spare machine, however, is an old 486dx2-66 with an NE2000 ethernet card. Not exactly a speed demon, and speed is exactly why I got a cable modem

    A DX2-66? I think that's fast enough for a masquerading box, you just have to put in a second ethernet card. I have used a 50 Mhz 386 (8 MB RAM) as an IP Masquerading server for a long time. We only have 60KB/s downstream and 7K upstream though (also cablemodem)...

    It's not like you're running Windows, so you don't necessarily need a PII and 128 MB of memory just to run IP masquerading...

  • Since most people today are buying distributions, I want to know why more distros are not setting these up already. It was not till Redhat 6.2 that it included a way to turn on and off the ipchains through linuxconf. I used gfcc to set up my packet filtering firewall. gfcc also comes with a few scripts for workstations, and I was able to modify one of them to fit my needs. Now I have a packet filtering firewall whenever my computer is up and running.

    The second thing I have done is to get my system port scanned by an outside source. So far I have had no problems. I too use GNOME and have other services that are running, but only my web server is open to the outside and there are not forms with CGI that a user can access and slosh around with. I have a little php but that is it, nothing fancy.

    I am not sure that everyone understands how the ports work, but they are only a problem if they are not behind the firewall or if someone gets behind your firewall. If you have no untrusted users on your machine ipchains should be fine. If you are worried that that is not enough try setting up a proxy firewall in conjunction with ipchains. You can do it on your host machine and contrary to some you will be fine.

    Good luck. I hope that road runner is a good isp. AT&T cable went out for a day and a half this past week for me and I cannot imagine what I'd do if I had them as my ISP as well and not just my cable provider.

    Don't put your eggs in one basket, having cable, phone, and ISP may not be such a good thing. If one goes out you may lose service to all.
    ~~~~~~~~~~~~~~~~~~~~
    I don't want a lot, I just want it all ;-)
    Flame away, I have a hose!

  • It's just a little box like the Linksys one, but so much more protective and flexible! If you're gonna spend $150-200 for a POS, why not spend $350-400 for a real firewalling solution?

    -- Bryan "TheBS" Smith

    For 150 bucks what do you expect chief? It's a SOHO network device and the best one for the price. (Outpost apparently raised the price to 150 or sold out of the 104.00 non switched linksys).

    Performance? You can't beat the Switched 100mbit connection for local traffic. Sure it is 10mbit to the net but uhm, again this is soho and not rocket science or a T3, they don't advertise this to solve all your problems.

    Again, i don't know what you mean by low performance.

    On my ADSL i have an 8 person UT server, 5 pcs, web server and file server all connected. Got the ut on the DMZ zone, the fileserver, my box on the switch and the other port going to another hub for the rest of the network. No problems whatsoever. I'd never consider replacing it with a clunky pc or linux or ics or wingate or anything.

    Don't buy what you read on slashdot either

    /me slaps Stan silly and calls him Gertrude

    You asked for it.

  • Actually with ICS you don't need DHCP. Just change it to static ip. I had my network with static 10.x.x.x ip's and i used ICS to send web/ftp/telnet ports to specific machines behind the network.

    That box has since become a dedicated Unreal Tournament server and runs great behind my new $104.00 Linksys Switch/Router.

    btw, it only takes 4 minutes to switch from ICS to Linksys and make my existing network work and add firewall features to protect services.

  • Hey some people like a simple affordable solution that plugs and plays.

    Not everyone buys a PC to run linux on everything. Some people buy a PC to run linux and applications and they don't want to waste time worrying about who's pinging them, they just like to know that being behind this little device helps secure them, speeds up their network and makes life easier than maintaining a pc.

    More points being this thing will stay up forever on UPS power, doesn't have a drive to fail, boots up in a snap should power burp, is easy to configure and only costs $104.00 to buy from outpost.com and have on your frontdoor.

    Why would anyone want to maintain a linux box instead of a plugin simple solution is beyond me. And why anyone would call this a POS is wayyy beyond me.

    It nats to 4 boxes on my network through its 100mbit switch which is very nice, the unreal tournament server plays away while i copy db files back and forth between two machines and the best part of all is i just don't have to worry.

    It's the best 100 bucks i've spent. and damnit, Outpost.com is the best place to buy it from :) (104 bucks)

  • Sorry had to one up again! :) I've got a 486/100 with 32MB memory and a 20GB HD (yes a lot of computer but wait there is more).
    But it's acting as a Nat/firewall/SMB server for 25 clients pulling template, timesheet, and reports documents from it/Database hosting (ok it's just hosting a database file that's accessed by said previous clients through microsoft access, haven't learned SQL yet/ and working on getting it to do periodic backups through samba from the clients, to a CD-RW :) (but hopefully will have new server before I have the database solution finished)

    Been running 2 years now without a hiccup :)

  • Oh btw on a side note, and this one is to the Ask Slashdot question, I tried running a VPN (s/wan) on it a few months ago... EKK.. it was terribly slow :( Currently in the process of setting up ssl for testing :)
  • Extrapolate backwards... Cisco Pix Firewall has a Pentium II (266MHz I think) processor, and its traffic throughput (with filtering) is rated at circa 170Mbps...
  • the darn things only support a class C subnet mask, instantly rendering it useless because of the class B scheme that we were using.

    /me rolls eyes...

    The LinkSys box was designed specifically for the home-network situation where there are only a few machines. In its intended environment, class C is more than enough for the internal network.

    Now, I have/use one of these, and I wouldn't be without it, but let's all say it together... "You get what you pay for." If you need to connect multiple subnets to a NAT box, you're gonna have to do an ipchains/ipfw/ipmasq box. Or you could talk to Cisco (or similar). I'm sure they've got something they'd be happy to sell you.

  • I have a 25MHz 486 box with 16Mb of RAM as the firewall/NAT box for my home network. I have my RedHat box, my wife's Win98 box and two NT boxen from work, all talking through the 486 to the cable modem, and also a dialup modem to the RAS server at work. The throughput of the 486 has not been an issue, even with my wife and I both doing large downloads. The biggest bottleneck is the 5 port hub, which gets a lot of collisions when I do a large download. Count the boxen - it's full.

    --
  • DNS/NTP/SAMBA/realaudio are the most common services using UDP. If you have a client setup, you can safely DENY all UDP traffic to your net on ports 0-1023. In the ipchains way:

    /sbin/ipchains -A input -l -i eth0 -p UDP -d $lan 0:1023 -j DENY
    /sbin/ipchains -A output -l -i eth0 -p UDP -s $lan 0:1023 -j DENY

    You should still read and understand the IPCHAINS-HOWTO
  • Our local LUG has several members that swear by e-smith. They claim on their webpage that they only support pentiums, but it does work on a 486, it just needs a little tweaking to get the netcards installed (the isa drivers are not there). You can get it at www.e-smith.net? Another option is the linux router project.

    Personally, I am not sure you have to worry about those ports, but then again.. ;)
  • Masquerading has a nice side effect in that it is now "impossible" for machines on the Internet to connect directly to your machine. (Impossible without some serious configuration work.)

    So use your 486 as a masquerade box, and as a nice side effect, if your wife gets a machine of her own, it's really easy to setup a tiny lan in your home so both of you can use the cable modem.

    The only caveat is that the machine doing the masquerading had better be secured down. So, I suggest that you strip all the unnecessary cruft from the machine, like most userland programs with the exception of the bare essentials. Kill all daemons on the machine, and setup a firewall on the machine. Run tripwire, keep the database on another machine and periodically check, yadda yadda yadda.
  • I'm currently using a 486DX2-66 with a couple NE2000 clone cards as a NAT/firewall, and it works wonderfully. You just don't need much processing power to do simple firewalling and routing.

    But also, there's probably no reason why you couldn't setup ipchains on your main box. I think either solution would work well. You can simply tell ipchains to block all incoming tcp connections (except for specific ports that you want), and you'll have a lot more peace-of-mind.

  • This has been brought up several times on the mailing lists:

    http://www.gnome.org/resources/mailing-lists.html

    http://mail.gnome.org/pipermail/gnome-list/2000-June/039518.html

    This is mainly an issue with ORBit and its CORBA compliance. ORBit can be compiled to either listen to TCP sockets or UNIX pipes. From what I've heard, Debian is the only one to compile it with UNIX pipes. A fix for everyone else:

    http://mail.gnome.org/pipermail/gnome-list/2000-June/039645.html

  • 2.4 uses netfilter...as i recall FreeBSD/OpenBSD all use the same thing. i think the syntax is pretty much the same so you might try looking at their netfilter docs.
  • I've clocked 1.5Mbps on a regular basis... Been using IPMasq for years without a detectable slowdown... My first Masq box was a 486/25 with 8meg of ram... I finally put in CoyoteLinux on a P100 with 32meg of ram, but I don't have to have a HardDrive in the thing anymore...
  • My homebrew intrusion detection system would automatically generate a friendly form letter with the relevant ip addresses and times. Periodically (once a day) I would track down the offending sites and send them the letter. Most of the time the other admin would thank me for letting them know their machine had been compromised. BTW, these were friendly letters. I always assume the other admin had been rooted. This is usually the case.

    Ryan
  • I don't know about the GNOME ports, but your 486/66 is a more than adequate machine. A low end 486 can easily flood a T1 or two, your cable modem isn't going to be a problem to route for. I'm using one right now for something quite similar!
  • If you want to play it safe (although no security holes are known to exist in ORBit's incoming processing path) you can put this in your /etc/orbitrc:

    ORBIIOPUSock=1
    ORBIIOPIPv4=0
    ORBIIOPIPv6=0

    Have you given any thought to making these settings the default config? Why not "play it safe" by default, and give people the opportunity to be dangerous on their own?

  • On the issue of network gateways, I have a used 486DX (66mhz, two NICs, 12mb, 400mb hd) that serves up Road Runner to three workstations on my home LAN (sshhh, don't tell!). It works flawlessly. I made sure to take the time to shut down all the unneeded services (everything) so that a portscan actually comes up completely empty.

    The point being, a 486 is more than adequate for a network gateway.

  • Always, always, always set up firewall rules to deny everything, then allow only the service(s) you want (namely, ssh). Also, just out of habit, all packets with internal or localhost IP addresses coming in off the external ethernet should be logged and dropped.
  • I didn't see anybody mention bastille-linux yet:

    Check it out here [sourceforge.net]

  • I can't speak for Linux as a firewall, but if you used that clunky old machine as an OpenBSD firewall, you'd be fairly secure. I have a Pentium-75 running OpenBSD 2.6, and I've noticed no speed dips at all. The load on the firewall sits at about 0.08, so I'd be surprised if your 486 fared much worse.
  • The best way to combat open TCP ports is to deny all incoming packets with the syn flag set by default, and then only let in the ones that I want. However, what do you do with UDP? I'm not even exactly sure what uses it. DNS? Some ICQ stuff? some echos? Any pointers in particular?

    Thanks :)
  • There's a good NetBSD based free firewall at www.dubbele.com [dubbele.com] if you have an old box lying around...

    -John
  • If you're just talking about using ipmasq to protect and share any machines you have at home, the 486dx2-66 is definitely enough to handle the job.

    It would just be handling tcp-sockets, and with only 1 or 2 machines behind it, that doesn't even require much memory.

    I've had a 486sx25 handling it for me for 4 years now without a glitch. The case it's in is even older, it doesn't even have the "new" smaller power supply for a floppy drive...
  • That's nothing. I used a:

    * cardboard box
    * no screen
    * Rubber band for power, using a trained mouse on a cartwheel
    * storage was limited to the memory of the mouse.

    Oh wait - that was my sister's pet cage, not my computer.

  • A great helix-code gnome using firewall program is firestarter, it configures an ipchains script through a wizard interface, and shows everyone who hits and how they are accessing your machine.

    http://firestarter.sourceforge.net/
  • my wife has an old Mac (LC II I think), and if it's as simple as you make it out to be, I think I've got my firewall!

    You'll have trouble; the LC only has room for one card. That's not bad, considering the entire LC literally fits inside a medium pizza box, but a NAT/Firewall really works a lot better with two ethernet cards (one for the LAN, one for the outbound line).

    On the cheap, you could try a secondhand Quadra ($80) with two NuBus cards ($35 each).
  • We were using a 486-66 (32 megs of ram helped) for an ip masq box. It could easily pump out the 500 kilobytes per second that my cable modem pushes. It's not a bad thing.

    Either way, be sure you setup sensible firewall rules. That is the key.
  • There's a good book about security on Linux: "Linux Firewalls", by Robert Ziegler, New Riders editors. It talks about ipfw, ipchains and all that stuff about setting up a "formal" firewall. You might want to take a look [newriders.com] at it.
  • One thing to note, the Linksys will lose its configuration if it ever loses power! Not so good.
  • Back about 1991, the Computer Science department used 386-25s and 386-33s for routers. They were dedicated units (ethernet interfaces, one floppy disk, no keyboard, no monitor). As I remember, the Networking geeks figured that the '33s were overkill, but cheap enough that it wasn't worth worrying about.

    This was for 10MB ethernet (thicknet mostly but some thinnet). Being a computer science department with everything on NFS, you can bet that we were willing and able to push these ethernets to their 10Mb limit sometimes.

    This being before Linux was ready for prime time, I figured that it was one of the few good uses for an Intel box.

  • /sbin/ipchains -A input -p tcp -i eth0 -j ACCEPT ! -y
    /sbin/ipchains -A input -p tcp -i eth0 --dport 22 -y -j ACCEPT
    /sbin/ipchains -A input -p tcp -i eth0 -y -j DENY

    I also have a line with exceptions from an ftp machine that is configured similarly (I can't do passive to it). If you want to log you can do a -l on the last one. You can easily add a port 80 allow as well.

    The only catch with this is if you portscan yourself you'll see everything as open (well, stuff that is open) even though nobody else can.
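    The three SYN rules above, plus the earlier advice to accept 127.* only on loopback and to drop LAN-range sources arriving on the outside interface, only work if the order is right. This is a small added Python model (not from this thread and not ipchains itself) that parses rules in ipchains syntax and gives first-match verdicts for constructed packets; the LAN range 192.168.1.0/24, eth0 as the cable side, and every address in the packets are assumptions.

```python
"""Model of an ipchains 'input' chain: first matching rule decides, otherwise
the chain policy (-P input).  Added example with constructed rules and
packets; it is not ipchains and covers only the options used in the thread."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    iface: str          # interface the packet arrived on
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    syn: bool = False   # SYN set and ACK clear: what ipchains -y matches


def parse_ports(text):
    """'22' -> (22, 22); '1030:1040' -> (1030, 1040)."""
    lo, _, hi = text.partition(":")
    return int(lo), int(hi or lo)


def parse_rule(text):
    """Parse the body of an 'ipchains -A input ...' command into a dict."""
    toks = text.split()
    rule = {"iface": None, "proto": None, "src": None, "dst": None,
            "dport": None, "syn": None, "target": None}
    i, negate = 0, False
    while i < len(toks):
        t = toks[i]
        if t == "!":                       # negates the option that follows
            negate, i = True, i + 1
            continue
        if t in ("-A", "--append"):
            i += 2                         # skip the chain name
        elif t == "-i":
            rule["iface"], i = toks[i + 1], i + 2
        elif t == "-p":
            rule["proto"], i = toks[i + 1].lower(), i + 2
        elif t in ("-s", "-d"):
            key = "src" if t == "-s" else "dst"
            rule[key] = ipaddress.ip_network(toks[i + 1], strict=False)
            i += 2
            # ipchains lets a port or range follow the address: -d $lan 0:1023
            if key == "dst" and i < len(toks) and toks[i][0].isdigit():
                rule["dport"], i = parse_ports(toks[i]), i + 1
        elif t in ("--dport", "--destination-port"):
            rule["dport"], i = parse_ports(toks[i + 1]), i + 2
        elif t in ("-y", "--syn"):
            rule["syn"], i = (not negate), i + 1
        elif t in ("-j", "--jump"):
            rule["target"], i = toks[i + 1].upper(), i + 2
        elif t == "-l":                    # log flag: no effect on the verdict
            i += 1
        else:
            raise ValueError(f"unsupported option {t!r}")
        negate = False
    return rule


def matches(rule, pkt):
    if rule["iface"] and rule["iface"] != pkt.iface:
        return False
    if rule["proto"] and rule["proto"] != pkt.proto:
        return False
    for key, addr in (("src", pkt.src), ("dst", pkt.dst)):
        if rule[key] and ipaddress.ip_address(addr) not in rule[key]:
            return False
    if rule["dport"] and not rule["dport"][0] <= pkt.dport <= rule["dport"][1]:
        return False
    return rule["syn"] is None or rule["syn"] == pkt.syn


def verdict(rules, pkt, policy="DENY"):
    """First matching rule decides; otherwise the chain policy."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy


# Constructed ruleset: anti-spoofing first (assumes 192.168.1.0/24 is the LAN
# and eth0 faces the cable modem), then the three SYN rules from the thread.
RULES = [parse_rule(r) for r in [
    "-A input -i eth0 -s 127.0.0.0/8 -j DENY",
    "-A input -i eth0 -s 192.168.1.0/24 -j DENY",
    "-A input -i lo -j ACCEPT",
    "-A input -p tcp -i eth0 -j ACCEPT ! -y",
    "-A input -p tcp -i eth0 --dport 22 -y -j ACCEPT",
    "-A input -p tcp -i eth0 -y -j DENY",
]]

# Constructed packets; 203.0.113.7 stands in for the cable modem's public IP.
CASES = {
    "ssh from work":       Packet("eth0", "tcp", "198.51.100.20", "203.0.113.7", 22, syn=True),
    "probe of GNOME port": Packet("eth0", "tcp", "198.51.100.20", "203.0.113.7", 1030, syn=True),
    "reply to my browser": Packet("eth0", "tcp", "198.51.100.20", "203.0.113.7", 1030, syn=False),
    "spoofed LAN source":  Packet("eth0", "tcp", "192.168.1.9", "203.0.113.7", 22, syn=True),
    "self-scan via lo":    Packet("lo", "tcp", "127.0.0.1", "127.0.0.1", 1030, syn=True),
}

if __name__ == "__main__":
    for name, pkt in CASES.items():
        print(f"{name:21} -> {verdict(RULES, pkt)}")
```

    The last case is the self-portscan mentioned above: on lo every port looks open, while the same SYN arriving on eth0 is denied.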
  • I highly recommend having an old computer as a firewall. The 486 will do just fine handling the load of a cable modem, and you will never even come close to maxing out the NE2000's 10Mbit speed.

    As for security, I'm a big fan of portsentry [psionic.com] and logsentry. And although I have never used Bastille Linux [bastille-linux.org] I've heard many good things about it.

    But it is a whole lot easier to lock down and secure a firewall, than worry about what software on your desktop might expose you. You'll be glad you did.

  • ...mine's a DEC 433dxLP 32MB RAM running IPMASQ / IPCHAINS / SSHD / TCPD & PORTFW. I downloaded FreeBSD 4.1 (~640MB) in 55 minutes last night while listening to the Red Sox via RealAudio, sending e-mail, web surfing etc. No noticeable latency...

    Check out TrinityOS for a good start on locking your machine down

  • I use PortSentry, a "Port Scan Detection and Active Defense System". It works through Ipchains by blocking anybody trying to scan your ports. It also runs in stealth mode, so the pings from the scanner do not get answered, therefore making the scans from the wannabe attacker very slow.

    You can find it here:

    http://www.psionic.com/abacus/portsentry/

  • if you're using a 2.2 kernel, it's as simple as this:

    ipchains --insert input --destination-port 1030:1040 --jump DENY

    Of course, there is a lot more you can do with ipchains than that. I recommend you block all ports below 1024, except for the ones you need, block 6000-6010, and go ahead and block any GNOME ports if you don't know what they're for.

    A more radical policy which many people use, is to block *all* incoming TCP connections, and UDP packets, *except* for ones explicitly allowed. You can do that too, but it may cause some problems (it won't cause any problems that wouldn't also be caused by using IP MASQ. In fact, this would be pretty much the functional equivalent of IP MASQ, but with only one computer.)

    More info: ipchains(8), IPCHAINS-HOWTO [linuxdoc.org].

    Kernel 2.4 will change the entire way networking is administered, btw, so if you're using 2.4 those docs will be worthless. But everything you can do in 2.2 you can do in 2.4, so the same basic strategy applies.

  • Any chance of making scripts for 2.4/iptables? I know a long time ago it was announced you were working on it, but it has since disappeared from the site. I would like somewhere easy to start on the 2.4 firewall without having to use the ipchains-kludge included in 2.4

    I have an old version of your scripts modified heavily to suit my needs on the 2.2 firewall, thanks!
  • Don't turn on ftp *ever* - use scp.

    And instead of anonymous FTP? Is there anonymous scp, or should I be using HTTP for world-readable files anyway?


    XGNOME vs. KDE: the game! [8m.com]
  • PMFirewall is another ipchains script that's simple to use, and seems to generate a very useful set of rules. You can find it here [pmfirewall.com].
  • Apparently Lokkit was written by Alan Cox hizzelf. It's another firewalling script/utility that may be of interest, and you can find it here [linux.org.uk].
  • I am currently running a 486/66 as my NAT and firewall for my cable modem. If there is a speed slowdown, it is not detectable. If I remember right the ISA/PCI bus is going to be saturated long before the processor limitations show up.
  • The trick here is ipchains. There are many flavors, I'll paste a quick script in here (can be put in an RC script... best idea, if you ask me)

    Once you have this up and running hit any of your favorite scanning sites and see if they can find you!

    ----------Start Code---------------
    #!/bin/sh
    # rc-style script: called with "start" or "stop" as $1
    return=" done"   # text echoed after each action
    case "$1" in
    start)
    echo -n "'Engaging the Caterpillar Drive Captain.'"
    ## Not starting any real daemons (yet)
    ## configure IPCHAINS - I could use ipchains-restore, but that
    ## would make this _REALLY_ hard to manage.

    # set up the input chain first
    ipchains -P input DENY # this should always be your default
    ipchains -A input -i lo -j ACCEPT # loopback must stay open or local-only services (ORBit, X) break
    ipchains -A input -p icmp -j ACCEPT # I allow all icmp
    ipchains -A input -p tcp ! -y -j ACCEPT # accept tcp replies (non-SYN packets only)
    ipchains -A input -p udp -j ACCEPT # need to fix this to only allow dns

    # I don't do anything with forward as I'm not routing
    # set up the output chain
    ipchains -A output -d 199.95.207.0/24 -j REJECT # reject anything to
    ipchains -A output -d 199.95.208.0/24 -j REJECT # doubleclick

    # I assume that the user will see the screen output if one of these
    # fails. Can't really imagine that happening, though :-)
    echo -e "$return"
    ;;
    stop)
    echo -n "'Ok, now we just unzipped our fly...'"

    # first, kill the ipchains rules
    ipchains -F # flush ALL of the chains
    ipchains -P input ACCEPT # back to normal 60's type sharing...

    echo -e "$return"
    ;;
    *)
    echo "Usage: $0 {start|stop}"
    exit 1
    ;;
    esac
    ------------End Code------------

    Like I said, that's set up to put in an rc script - I call this the "caterpillar drive" as in "The Hunt for Red October" - notice the quotes.

    If you really are planning on running a web server, you will have to add a rule to allow inbound tcp on port 80.

    In any case, because I believe in never typing code blindly without understanding what it does, read the ipchains howto before using any of this, and make sure you understand what it is doing.

  • 0.1MHz ZX81
    1K RAM
    Mono (But can't display an entire screen because dynamic screen to memory mapping doesn't have room)
    External cassette deck

    It took 9 years to compile LinuxLite, with much cassette swapping. It now NATS through a serial port card in the expansion slot, and out through the earphone. It doesn't saturate much, but no one can be bothered to hack it.

    Tell kids that today and they wouldn't believe it.

  • I'll one up you (I can't help myself!) ;-):

    -- 386/DX40
    -- 270 MB HDD using e2compr to compress ext2 on the fly
    -- 8 MB RAM
    -- TWO modems
    -- Multilink connection
    -- Hercules Graphics Card / Commodore Radar Green Phosphor monitor
    -- Amazingly, sshd, httpd, and ftpd.

    All that, and a network card + ipmasq/firewall... woah. And it all works no problem. With multilink on I get a full speed transfer (which, with my horrible 28.8kBps phone lines) of about 5-6kBps.

    But, it gets worse, I decided to resurrect this POS last year:

    -- 386 SX/16
    -- 4 Mb SIPP RAM
    -- 2x40 MB MFM HDD
    -- Arcnet Card [I have a near unlimited supply... woooooo :-| ]
    -- Using NFS
    -- 1.2 MB Floppy for booting
    -- Same crappy Hercules/Commodore monitor combo.

    And yes, it (woah!) booted Linux, and, I believe X via the NFS mount (after about 1/2 hour of swapping to the XT HDD)... That was fun. Yes, there is an X server for Hercules cards. Yay.

    Fortunately, nothing possibly gets worse than a 386 SX/16 for Linux.
  • 386 running linux-router as a firewall help? Dunno if ya got an old box lying around...

    ----

  • Try telling that to people who have been cracked in the past. When I lived in the dorms, I had a freeBSD box ravaged for no reason, just people being assholes.

    With security, overkill is not a bad thing. I can brag about my '31337' firewall / masq gate I made for my office all I want, but all it takes is one hole, and I might as well be running an NT server as my router.

    "obsolete" computers are easy to get.. most of mine were given away to me. It's well worth the effort to set up some extra security. You never know when you will need it.

    The author of the article mentions that he has an extra 486 sitting around. What should be done with it? Should his wife use it to run windows 3.1 and play solitaire? At least my wife uses linux, so I don't need to argue over all the computers in the house. I set up the network, and she gets work done.

    Firewall, Masq, filter, and firewall again.. make it harder to break. (ignore the irony in the sig.)

  • by Kaz Kylheku ( 1484 ) on Monday August 14, 2000 @03:16PM (#855721) Homepage
    Before panicking, be sure that these ports really are open to the world.

    Use netstat to see what network they are bound to.

    A foreign address of *:* is a bad thing.

    A foreign address of 127.0.0.1:* indicates that
    the connection is restricted to localhost only. An attacker would have to spoof packets originating from 127.0.0.1 in order to connect to the port.
  • by maynard ( 3337 ) on Monday August 14, 2000 @02:58PM (#855722) Journal
    Any program which grabs a network socket and accepts connections from the outside world represents a potential threat from buffer overflows. Fortunately, I'm pretty certain all of these run with the permissions of the user, so a successful crack would be limited to the user's account. Doesn't make me feel any safer though. It just doesn't make sense that the GNOME team would need open sockets for these services... why not just use a local named pipe down /tmp, for instance (which they do use)?

    Can a competent GNOME hacker please chime in?
  • by Jeffrey Baker ( 6191 ) on Monday August 14, 2000 @05:03PM (#855723)
    Actually it is much more secure to first DENY all inbound connections, and then selectively ALLOW connections that you have deemed to be secure. For example, assuming eth0 is your only public network interface.

    First, deny and log to syslog all inbound connections: ipchains -A input -p tcp -y -l -i eth0 -j REJECT

    I'm pretty sure I got it right but I didn't consult the manual. Use at your own risk.

    Second, decide that you wish to always allow inbound SSH connections: ipchains -I input 1 -p tcp --dport ssh -i eth0 -j ACCEPT

    And maybe a secure web server too: ipchains -I input 1 -p tcp --dport 443 -i eth0 -j ACCEPT
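    The deny-first, allow-selectively approach from this post, and the "caterpillar drive" rc script earlier in the thread, assembled into one single-host ruleset as an added example (not code from either poster). It assumes a 2.2 kernel with ipchains; the interface name, the resolver address and the port list are placeholders passed in by the caller, and the rules are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread: default-deny ipchains ruleset for one
# host with a single public interface.
# Assumptions: 2.2 kernel with ipchains; IFACE, DNS_SERVER and the TCP ports
# are caller-supplied placeholders.
# Usage: single_host_rules IFACE DNS_SERVER TCP_PORT [TCP_PORT...]

# Print each rule for review; execute it only when APPLY=1 is set.
run() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    fi
}

single_host_rules() {
    iface="$1"; dns="$2"; shift 2
    run ipchains -F input                                   # start from an empty input chain
    run ipchains -P input DENY                              # default is drop: GNOME's 1030-1040 never need a rule
    run ipchains -A input -i lo -j ACCEPT                   # keep loopback-only services (ORBit, X) working
    run ipchains -A input -p tcp ! -y -i "$iface" -j ACCEPT # non-SYN packets are replies to our own connections
    run ipchains -A input -p udp -s "$dns" 53 -i "$iface" -j ACCEPT  # only our resolver's answers, not all UDP
    for port in "$@"; do                                    # services we deliberately expose (e.g. 22, 443)
        run ipchains -A input -p tcp -y --dport "$port" -i "$iface" -j ACCEPT
    done
    run ipchains -A input -p tcp -y -l -i "$iface" -j REJECT  # any other SYN: log it, then refuse
}

# Review the ruleset before applying it (192.0.2.53 is a documentation address):
single_host_rules eth0 192.0.2.53 22 443
```

Run it again with APPLY=1 in the environment to load the rules; the logged REJECTs show up in syslog, which is where a port scan against the GNOME range becomes visible.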

  • by Accipiter ( 8228 ) on Monday August 14, 2000 @04:51PM (#855724)
    they've decided to take it upon themselves to police YOUR system.

    With the exception of Time Warner's Acceptable Use Policy [twcincy.com] (Mirrored verbatim from city to city), they don't probe users' systems.

    I had someone get kicked off the network for having telnet open.. apparently it's "windows or mac only" - with a vengeance.

    A) I seriously doubt you got a user "kicked off" for simply having telnet open. I had RoadRunner for over a year with several services (including telnet) open, and Time Warner was fully aware of it. I talked with a few techs there, and they knew what I was running. How? I told them. They never "scanned" me to find out.

    B) Part of the reason of RoadRunner eliminating the Windows/Macintosh login program was to support users of other operating systems. It used to be that users of RoadRunner would have to log into the system using an authentication program for either Windows or Mac. This step has been eliminated, in part because of pressure from users of other systems.

    The extent of Time Warner's involvement with users' security can be found here [rr.com].

    -- Give him Head? Be a Beacon?

  • by Ethan ( 9204 ) on Monday August 14, 2000 @03:06PM (#855725) Homepage

    I'm pretty sure there was a bug in one of the Helix packages a while back that caused ORBit to listen on a TCP socket by default... This caused any gnome app exporting a CORBA interface to have an open socket. (gnome-terminal, panel, gpilot-applet, etc. - any applet and many apps)

    At any rate, Helix fixed this in one of their updates, and the recent ORBit RPMs have this feature disabled by default. A simple upgrade should fix your troubles.

  • Just set up a quick ipchains ruleset to filter those ports: IPCHAINS-HOWTO [linuxdoc.org]. Thanks for bringing it to our attention though.
  • by BitMan ( 15055 ) on Monday August 14, 2000 @06:56PM (#855727)

    Dude! Linksys should be SMACKED for calling that POS a "firewall". Linux IPChains is MUCH, MUCH better! At least it has some REAL logging!

    For $350, you can get the SonicWall SOHO/10. It is the only ICSA approved firewall you can find for under $500. It has excellent features, including one-to-one NAT (so you can let in certain ports), and logging is fairly good (nothing to complain about at that price). I've used these little babies on corporate networks.

    -- Bryan "TheBS" Smith

  • by Kimble ( 17437 ) on Monday August 14, 2000 @03:08PM (#855728) Homepage

    Here's some Firewall info I've referred to many times.
    Check out the Trinity OS Paper [csuchico.edu]. It gives some excellent advice on securing your Linux system. This paper also comes with various IPCHAINS rule-sets you can use. Don't try to print it out though. It's at least 1,400 pages long and growing.
    This Firewall Site [linux-firewall-tools.com] allows you to configure an excellent firewall Script just by answering some simple questions. I know of many people who have used this site to configure their firewalls.

  • by Chmarr ( 18662 ) on Monday August 14, 2000 @02:58PM (#855729)
    A cable modem isn't going to be pushing more than around 384k; with full-sized ethernet packets, 1500 bytes = 12k bits, you'll be pushing around 30 or 40 packets a second, 60 to 80 for bidirectional... and a 486dx2-66 is going to be able to act as a router for that just fine.
  • by Azog ( 20907 ) on Monday August 14, 2000 @03:45PM (#855730) Homepage
    Yup - OpenBSD works really nicely for that.

    I have a Pentium 120 running OpenBSD 2.6 for my firewall, and even when my other four computers are generating loads of traffic and completely filling my DSL it doesn't even slow down.

    I used OpenBSD for the firewall because I'm not an expert on security and wanted to be less likely to screw it up. The OpenBSD FAQ had a pretty good section on how to set up the IP Masquerading and IP Firewalling, including opening a few ports up to connect to the Linux HTTP / Web server behind it.

    It's not as easy to install as Mandrake, but it was fun. I like a little variety.


    Torrey Hoffman (Azog)
  • The Linksys is $104.00 at Outpost.com and that is cheaper than the amount of electricity a single Linux box will use over a year.

    Plus with the Linksys you get a 4 port 100mbit SWITCH with NAT and routing and only 4 minutes to install. If there is a power outage no fs to rebuild and no parts to replace on a dead peecee should something happen.

    Plus if you're concerned about uptime and connectivity the Linksys uses a lot less UPS power and will hide easily on a shelf and does make a hell of a lot less noise than an old PC box.

    Don't underestimate the power of these devices.

  • by NoWhere Man ( 68627 ) on Monday August 14, 2000 @04:33PM (#855732) Homepage
    Actually I came across this very same problem. I have @home Rogers Cable Access. I set up a proxy server on my box so another computer could use the network and use that connection. But it seems to be as slow as a 14.4 modem (maybe worse). Serves me right for using a Windows proxy program.
    I came across a proxy/boot floppy setup which is perfect for your old 486 as long as you have 2 NIC cards installed.

    Here is the address:
    http://lightening.prohosting.com/~normr/index.shtml
    Hopefully this guy doesn't suffer from the Slashdot effect after this post.

    Good Luck!
  • by slakhead ( 75639 ) on Monday August 14, 2000 @04:17PM (#855733) Homepage
    First of all, your 486 is fast enough for what you need. My personal setup in my room is a P90 with 24mb of RAM that does all my IP forwarding and acts as a firewall. I don't know if I have the most secure setup but here are the tools I use and you will need to get this working:

    dhcpcd
    dhcpd
    ndc (not a requirement but you may benefit from having a local name server instead of using the slow @home ones)
    pmfirewall
    rc.firewall

    You can find the rc.firewall script here [codeburner.com]. It sets up all your forwarding modules for your network.

    dhcpd and dhcpcd are used to assign an IP address to your main machine. I use them because I am lazy and don't want to bother with setting a static address.

    Your dhcpd.conf should probably look something like this [codeburner.com] for your type of two computer network. dhcpcd just has to be run on your main computer and it will get all the info it needs from the dhcpd on the firewall computer.

    Finally, you need your firewall program. I use pmfirewall because it is easy to install and use. It is basically a frontend to ipchains and it takes all the nasty configuration out of setting up a firewall.

    You can download it here [pointman.org].

    The best thing about pmfirewall is how easy it is to allow complete access to one address (like your main computer) to everything you need and close off the important/scary ports to everyone else.

    As long as your network cards are working, you should have no problems getting dhcpd to work and the rest of it installs very easily. As for your gnome ports, you can close those to everyone but you so you don't have to worry about screwing up gnome.

    Hope that helps.

  • Some Useful Websites:

    The Yellow Network Coalition [ync.org] takes old 486's and turns them into firewalls and IP masquerading servers they give away for free to people who have cable modems and DSL. I gave them my 486 when I moved. They also set up free public-access kiosks. These guys are inspired by the freely available yellow bicycles in Amsterdam.

    They Need Your Donations of Old 486's and Other Hardware

    The Forum on Risks to the Public in Computers and Related Systems [ncl.ac.uk] discusses security holes, bugs in software, user and usability problems that cause such trouble as security problems, and carries security announcements.

    The CERT Coordination Center [cert.org] carries authoritative announcements of security problems and what you can do to fix them; provides rapid response to security emergencies while they are in progress.

    I've also heard BugTraq is good and better than CERT for timely information but don't have a URL handy.

  • by Trepalium ( 109107 ) on Tuesday August 15, 2000 @07:19AM (#855735)
    1. It's not called masq. It was called IP Masquerading to distinguish it from NAT. Linux (as of 2.2) doesn't include any TRUE network address translation services, but rather just a port-based NAT derivative. NAT, in its truest form, relies on a pool of public IP addresses that are dynamically assigned (and translated) for internal addresses, and doesn't suffer from the problem that IP masq has in dealing with listening connections.

    2. A 486 is more than up for the job. A 486-DX2 running Linux kernel version 2.2.x with ISA NICs will become saturated at about the 3-4Mbit/sec mark. As long as you never see more than that much traffic, you'll be fine.

    3. Safety first. I agree that keeping your firewall clean and efficient is very important. However, I find the claims that Linux is less secure than BSD more than a bit bogus. Almost all those server daemons that have had buffer overflows on Linux can be compiled and installed into OpenBSD with the same buffer overflows. "Security is a journey, not a destination" is true in ALL cases, even OpenBSD. An incompetent (or inexperienced) administrator can easily turn a secure machine into one that's wide open for anyone to break into.
    Most people usually end up compromised because of services that they either never used or never knew about, and therefore didn't bother maintaining. Due to the shortsightedness of most Linux distributors, you'll probably end up "cleaning" dozens of packages out that are completely worthless. Ideally, your result should be a machine that's not listening to anything on the public interface.

    4. Raise Hell About Gnome Security Issues. Absolutely! A TCP/IP port should never be opened unless there's a very good reason why this service needs to be advertised to the world. Most of the time, this is just lazy coding, and a place where other types of sockets would probably serve better.

  • by Andrew Cady ( 115471 ) on Monday August 14, 2000 @03:19PM (#855736)
    How do you check to see what ports are open? Use a shell script to port sweep with netcat(nc)?
    netstat -t -u --listening | less
  • by benploni ( 125649 ) on Monday August 14, 2000 @03:34PM (#855737) Journal
    Those are some pretty bad habits you're espousing. Don't turn on ftp *ever* - use scp.

    Enumerate whatever services you are sporadically turning on and off, and either decide that they are vulnerable, and never use them, or leave them on and tighten what you can.

    For example, you already decided to leave ssh on. That's an example of the second option. To continue on that line, tighten ssh by making sure rhosts is off, root cannot log in directly, and blank passwords are disallowed.

    An example of the first option would be disabling ftp for good, and learning how to use scp.

    Ben Ploni
  • by Anonymous Coward on Monday August 14, 2000 @04:07PM (#855738)
    As others have mentioned, a 486 can easily route a T-1 or more with no performance hit. The easiest solution on the planet has to be Freesco. http://www.freesco.org. It runs off a floppy, can be easily migrated to the smallest hdd you have, and supports such niceties as dynamic DNS and port forwarding...all without editing config files. Port forwarding will allow you to run Apache or ftp behind the Freesco box, even if you're using a private subnet. A huge benefit.
  • by Anonymous Coward on Monday August 14, 2000 @03:41PM (#855739)
    1. It's not called masq. It's called net address translation. It's been called that for 20 years. Then these linux kids come along and make up masq. Call it by its technical name; not a developer's gimmick name.

    2.A 486 is more than up for the job. It will handle a saturated cable line and still not carry a heavy load.

    3. Safety first. Just because the 486 is more than enough power don't feel justified in making a stupid security mistake; keep the firewall clean.
    Linux is not as secure as BSD, as you are finding, because many chances are taken in user land apps with permissions. This makes the OS more cutting edge, but security is the price. (This is not a troll--how many weeks go by before another bugtraq post comes up about another linux exploit--every few weeks; how often for OpenBSD? Not for three years. Look, it's better than windows, OK, but linux is riddled with buffer overflows in user space, which in turn lead to LOCAL ROOT compromises.)
    So, DON'T LISTEN TO OTHERS WHO SUGGEST RUNNING OTHER SERVICES ON THE BOX.

    Don't do it.

    Run these other service (mail, httpd, etc.) off your interior boxes.
    You absolutely want ipfilter or other socket filtration software to have a complete crack at packets; you don't want to make a nice firewall, and then junk it up with services. Keep the firewall clean and separate from user space. Hell, even remove ls from the freakin' firewall. Trash it so you have to admin by booting from a floppy. Don't leave your tools on the firewall; the hacker will only use them to compromise other machines on the LAN.

    4. Raise Hell About Gnome Security Issues.
    You should start asking loud, noisy questions about (a) what are these ports, (b) HAS THERE BEEN A SECURITY AUDIT OF THEM (answer: No), and (c) Are they really necessary (perhaps they are; could they instead be wrapped; are they suid? who owns that port? etc.).
  • by DrSpoo ( 650 ) on Monday August 14, 2000 @03:20PM (#855740) Homepage
    You have made a wonderful script Manuka, thanks for your hard work! I have made a quick security guide for my local users group, and this script is a big part of it.

    http://usmcug.usm.maine.edu/papers/linux_security_guide.html [maine.edu]

  • by Stan Chesnutt ( 2253 ) on Monday August 14, 2000 @02:58PM (#855741) Homepage
    Over the weekend, I installed a firewall made by LinkSys:

    http://www.linksys.com/products/product.asp?prid=20&grid=5

    and it replaced a simple Linux machine that was running the usual ipchains/NAT software. Why use the LinkSys? Smaller, much less power consumption, no noise, very little heat. While a linux machine is a lot more powerful, the power simply isn't needed in this situation. The linksys allows port forwarding, supports DHCP, and a few more exotic features. The unit has gotten a lot of good reviews on epinions.com.
  • by Weasel Boy ( 13855 ) on Monday August 14, 2000 @07:07PM (#855742) Journal

    If you have an old Mac, as I do, load it up with dual Ethernets, Open Transport 1.1.1 or better, and IPNetRouter [sustworks.com]. It does all the port mapping and filtering you need, and comes with excellent instructions.

    The same reason Macs were chosen by the U.S. Army [slashdot.org] will make your old Mac a great firewall: Macs don't hardly have any open TCP/IP ports! Other than the ones you explicitly enable, of course.

    I loaded up IPNetRouter on my 6-yr-old Mac and used it both as a firewall for my house and as my primary workstation for over 9 months before I upgraded. It has been extremely reliable (uptimes on the order of weeks ain't bad considering all I do to it) and easy to maintain.

    Which is more than I can say for the Linux rig I used for my firewall previously.

  • by benploni ( 125649 ) on Monday August 14, 2000 @02:55PM (#855743) Journal
    I have a dsl line in my apartment. I have it connected to a dual NIC pentium 90 that is my ip-masq/firewall/dhcp server/samba/ssh/httpd server. That's right, a Pentium 90. Not as bad as a 486, but no great shakes. I VERY carefully bind vulnerable services to the inside NIC, and only have http and ssh available to the outside nic. ipchains rules do the masqing and firewalling.

    The box has flawless uptimes, and speed is NOT an issue. It's very easy to saturate a cable or DSL line. CPU won't be your bottleneck.

    Things to watch out for:
    1) listening ports. do a "netstat -a" and check for "*:anything ... LISTEN". If you don't want it to be available to the outside world FIX it!
    2) NO X. Duh.
    3) understand ipchains. It's not hard, but not obvious either
    4) dont forget about UDP.

    Good luck,
    Ben Ploni
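    The "netstat -a" check from this post and the localhost-versus-world distinction Kaz Kylheku makes earlier in the thread, turned into a small script as an added example (not code from either poster). The netstat output below is constructed to mimic `netstat -tuln` on a box with ORBit-style listeners; on a real machine pipe netstat's output into exposed_ports instead.

```shell
#!/bin/sh
# Added example, not from the thread: list listening sockets bound to every
# interface, i.e. reachable from the cable modem side, and ignore the ones
# bound to 127.0.0.1 only.

# Constructed sample of `netstat -tuln` output (not captured from a real host):
# two GNOME/ORBit-style listeners on all interfaces, a loopback-only listener,
# sshd, and the dhcp client's UDP socket.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:1032            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1035            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# Read netstat output on stdin; print "proto port" for every socket whose
# local address is the wildcard (0.0.0.0, * or ::). Loopback-only sockets
# are skipped: only packets spoofed as 127.0.0.1 could ever reach those.
exposed_ports() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, a, ":")                      # port is the last ":"-separated field
            port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "*" || addr == "::")
                print $1, port
        }'
}

# Exit status 0 if PROTO/PORT is world-reachable according to stdin.
is_exposed() {
    proto="$1"; port="$2"
    exposed_ports | grep -q "^$proto $port\$"
}

# Report on the constructed sample; every line here deserves a firewall rule
# or a reconfiguration (for ORBit: ORBIIOPUSock=1, ORBIIOPIPv4=0 in /etc/orbitrc).
exposed_report() {
    printf '%s\n' "$SAMPLE_NETSTAT" | exposed_ports
}

exposed_report
```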
  • by Karmageddon ( 186836 ) on Tuesday August 15, 2000 @04:05AM (#855744)
    initializing your ipchains via rc.local as you suggest leaves you highly vulnerable for a short period of time whenever you reboot. You need to run the script before the network is started

    if you look in /etc/rc.d/rc{3,5}.d/ you will see the SnnNetwork startup script. put a symbolic link named SnnFirewall to your firewall script. replace the nn with a smaller number than the network script uses.

  • by Mike Hicks ( 244 ) <hick0088@tc.umn.edu> on Monday August 14, 2000 @03:05PM (#855746) Homepage Journal
    I believe that these problems have largely been fixed in the recent versions of Helix Gnome. If you just run helix-update, you can download the new packages that use Unix sockets by default instead.

    I remember having similar frustration myself, and I was happy when it was fixed.
    --
    Ski-U-Mah!
  • by Manuka ( 4415 ) on Monday August 14, 2000 @02:54PM (#855747) Homepage
    Simply run ipchains with a set of rules that firewall that individual machine. There is a script at http://firewall.langistix.com [langistix.com] that I wrote which will do precisely that if only given one interface. Combined with intrusion detection, it can be a very powerful tool.
  • by miguel ( 7116 ) on Monday August 14, 2000 @04:57PM (#855748) Homepage
    Each port open is a CORBA connection from an application that supports being controlled through CORBA.

    To access those services you do have to know the secret password (which is generated once for each session) so it is basically as secure as being able to log into your computer.

    Now, we realized that this was a potential problem and some systems are shipping with ORBit CORBA sockets disabled (Helix GNOME ships with a disabled CORBA socket connection) as well as other distributions that have turned this feature off.

    If you want to play it safe (although no security holes are known to exist in ORBit's incoming processing path) you can put this in your /etc/orbitrc:

    ORBIIOPUSock=1
    ORBIIOPIPv4=0
    ORBIIOPIPv6=0

    Miguel
