[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-security] Portsentry, ipchains and pmfirewall

Subject: Re: [cobalt-security] Portsentry, ipchains and pmfirewall
From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
Date: Sun, 20 Jan 2002 16:15:18 +0100
Organization: Stauber Multimedia Design
List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>

Hi Francisco,

> For starting gShield at boot time, I assume that a line with
> /etc/firewall/gShield.rc in rc.local will do.  Right?

That's right. However, this entails one capital danger: If you have a mistake 
in your ruleset which locks you out, then even rebooting the server will not 
help you to remove the problem, as the firewall will kick in automatically 
after reboot. So make sure to programm in a delay like "sleep 5m" so that you 
can go in after server reboot and can kill the process.

> Finally, is it there a simple way to apply the firewall rules to a machine
> that has several IP addresses.  I have created separate rules for each
> additional IP, but, is it anything easier that I am missing?

The easiest way is to not allow by IP-address, but by netblock with 
corresponding subnet mask. That's about the only option you have with 
gShield, as it's not designed to handle multiple (own) IP addresses another 
way. While this looks like a security issue at first glimpse, on second 
glimpse - it isn't. All your closed ports are still closed and all blocked 
source addresses are still blocked. The additional target IP addresses you 
opened up ... now that's no issue at all. On those IPs your machine isn't 
listening anway, so this does no damage at all.

You can automatically fetch the important network settings from the RaQs 
configuration files. To do so just add/replace the following in gShield.conf:

# ------ [ Network settings ] ------ #

        # Automatically fetch them from the RaQ configuration files
        source /etc/sysconfig/network-scripts/ifcfg-eth0

        LOCALIP=$IPADDR
        LOCALMASK=$NETMASK
        LOCALNET=$NETWORK/$NETMASK
        REMOTENET="0/0"

As you can see, I read /etc/sysconfig/network-scripts/ifcfg-eth0 (where the 
RaQ stores the network settings for eth0) and then I just pass the 
information to the proper strings in gShield. That way you can even use the 
frontpanel to reconfigure your basic network settings and the firewall will 
then use the new settings right away after the reboot which then takes place.

Just make darn well sure that your gateway is within the same network class 
as $LOCALNET, otherwise you blow off your own boot. 

The only thing you still have to enter manually are the DNS servers. I use a 
three line shell script and a short PERL-script to read those settings and to 
transform them into the format that gShield expects. I leave 'em out of here 
as I already got too talkative. :o)


-- 

With best regards,

Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer

Follow-Ups:
- Re: [cobalt-security] Portsentry, ipchains and pmfirewall
  - From: Francisco Sánchez

References:
- [cobalt-security] Portsentry, ipchains and pmfirewall
  - From: Francisco Sánchez
- Re: [cobalt-security] Portsentry, ipchains and pmfirewall
  - From: Michael Stauber
- Re: [cobalt-security] Portsentry, ipchains and pmfirewall
  - From: Francisco Sánchez

Prev by Date: Re: [cobalt-security] Portsentry, ipchains and pmfirewall
Next by Date: [cobalt-security] New version SSH for Qube3/XTR on pkg.nl.cobalt.com
Previous by thread: Re: [cobalt-security] Portsentry, ipchains and pmfirewall
Next by thread: Re: [cobalt-security] Portsentry, ipchains and pmfirewall

Sun Cobalt Security Message Index

Sun Cobalt Security Thread Index