Re: [cobalt-security] Portsentry, ipchains and pmfirewall
- Subject: Re: [cobalt-security] Portsentry, ipchains and pmfirewall
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Sun, 20 Jan 2002 16:15:18 +0100
- Organization: Stauber Multimedia Design
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Francisco,
> For starting gShield at boot time, I assume that a line with
> /etc/firewall/gShield.rc in rc.local will do. Right?
That's right. However, this entails one capital danger: If you have a mistake
in your ruleset which locks you out, then even rebooting the server will not
help you to remove the problem, as the firewall will kick in automatically
after reboot. So make sure to program in a delay like "sleep 5m" so that you
can go in after server reboot and can kill the process.
> Finally, is there a simple way to apply the firewall rules to a machine
> that has several IP addresses? I have created separate rules for each
> additional IP, but is there anything easier that I am missing?
The easiest way is to not allow by IP-address, but by netblock with
corresponding subnet mask. That's about the only option you have with
gShield, as it's not designed to handle multiple (own) IP addresses another
way. While this looks like a security issue at first glimpse, on second
glimpse - it isn't. All your closed ports are still closed and all blocked
source addresses are still blocked. The additional target IP addresses you
opened up ... now that's no issue at all. On those IPs your machine isn't
listening anyway, so this does no damage at all.
You can automatically fetch the important network settings from the RaQ's
configuration files. To do so just add/replace the following in gShield.conf:
# ------ [ Network settings ] ------ #
# Automatically fetch them from the RaQ configuration files
source /etc/sysconfig/network-scripts/ifcfg-eth0
LOCALIP=$IPADDR
LOCALMASK=$NETMASK
LOCALNET=$NETWORK/$NETMASK
REMOTENET="0/0"
As you can see, I read /etc/sysconfig/network-scripts/ifcfg-eth0 (where the
RaQ stores the network settings for eth0) and then I just pass the
information to the proper strings in gShield. That way you can even use the
frontpanel to reconfigure your basic network settings and the firewall will
then use the new settings right away after the reboot which then takes place.
Just make darn well sure that your gateway is within the same network class
as $LOCALNET, otherwise you blow off your own boot.
The only thing you still have to enter manually are the DNS servers. I use a
three line shell script and a short PERL-script to read those settings and to
transform them into the format that gShield expects. I leave 'em out of here
as I already got too talkative. :o)
--
With best regards,
Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
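A check for the gateway caveat in the post above, as an added example that is not code from the post or from gShield: it derives the LOCAL* values gShield.conf needs from an ifcfg-eth0 style file and refuses to emit them when GATEWAY falls outside LOCALNET, the self-lockout the post warns about. The sample ifcfg-eth0 contents and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the post or from gShield. Derives the
# LOCALIP/LOCALMASK/LOCALNET values gShield.conf needs from an ifcfg-eth0
# style file and refuses when GATEWAY lies outside LOCALNET, the lockout
# the post warns about. Function names and the sample file are constructed.

# Constructed ifcfg-eth0 with the same keys a RaQ file carries.
SAMPLE_IFCFG=$(mktemp)
cat >"$SAMPLE_IFCFG" <<'EOF'
DEVICE=eth0
IPADDR=192.168.10.5
NETMASK=255.255.255.0
NETWORK=192.168.10.0
GATEWAY=192.168.10.1
EOF

# ip2int A.B.C.D -> the address as a 32-bit integer.
ip2int() {
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net IP NETWORK NETMASK -> succeeds when IP & NETMASK == NETWORK.
in_net() {
  ip=$(ip2int "$1"); net=$(ip2int "$2"); mask=$(ip2int "$3")
  [ $(( ip & mask )) -eq "$net" ]
}

# gshield_net FILE -> prints the three LOCAL* assignments for gShield.conf,
# or prints nothing and returns 1 when the gateway would be unreachable
# once the ruleset is loaded (the case that locks you out after reboot).
gshield_net() {
  IPADDR= NETMASK= NETWORK= GATEWAY=
  . "$1"
  in_net "$GATEWAY" "$NETWORK" "$NETMASK" || return 1
  printf 'LOCALIP=%s\nLOCALMASK=%s\nLOCALNET=%s/%s\n' \
    "$IPADDR" "$NETMASK" "$NETWORK" "$NETMASK"
}

# Stand-alone run: emit the settings for the sample file.
gshield_net "$SAMPLE_IFCFG" || echo "refusing: gateway outside LOCALNET" >&2
```

Run the output through the same check before letting rc.local start the firewall, so a bad GATEWAY in the RaQ settings aborts instead of loading a ruleset you cannot reach the box to remove.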