Firewall problems
Shadow Hawkins on Monday, 07 July 2003 14:39:07
Hi, I wanted to set up a tunnel, but I found my firewall is probably too tight (policy DROP). Any idea which incoming traffic should be allowed? I thought just allowing protocol 41 from the POP IPv4 endpoint would do, but that doesn't seem to be enough.
Firewall problems
Jeroen Massar on Monday, 07 July 2003 14:56:04
Proto 41 should indeed be enough; note: protocol, not port ;)
IF=eth0
POP=<pop's IPv4 address>
iptables -A INPUT -i ${IF} --proto 41 --src ${POP} -j ACCEPT
iptables -A OUTPUT -o ${IF} --proto 41 --dst ${POP} -j ACCEPT
I tend to reverse that rule and drop anything not from/to the POP, btw.
Though that was a 'requirement' in the old tunnel stacks :)
For the rest, use tcpdump, and watch those counters.
One could also use the LOG statement of course to check which packets
get dropped etc. Maybe handy for Linux users:
iptables -N LDROP
iptables -A LDROP --proto tcp -j LOG --log-level info --log-prefix 'TCP-Drop:'
iptables -A LDROP --proto udp -j LOG --log-level info --log-prefix 'UDP-Drop:'
iptables -A LDROP --proto icmp -j LOG --log-level info --log-prefix 'ICMP-Drop:'
iptables -A LDROP --proto 41 -j LOG --log-level info --log-prefix '6in4-Drop:'
iptables -A LDROP -j DROP
Now wherever you had DROP, replace it with LDROP and dropped packets are logged, nicely annotated with what they were. Of course there are more variants to add so you can see even more information etc. See LARTC.
Firewall problems
Shadow Hawkins on Monday, 07 July 2003 14:59:21
OK, going to try again then :)
Won't be using the LOG, because I didn't build support into the kernel; might be a future thing :)
Firewall problems
Shadow Hawkins on Monday, 07 July 2003 16:14:49
OK, next part :)
I figured out I got the IPv4 part just fine; now it's just the IPv6 firewall...
I set the policy to DROP there too, and set protocol icmp to accept. In tcpdump, I see icmp6 though, and not icmp. So I figured trying to accept that should help, but I get this error:
fulgor:~# ip6tables -A INPUT -p icmp6 -j ACCEPT
ip6tables v1.2.6a: unknown protocol `icmp6' specified
Try `ip6tables -h' or 'ip6tables --help' for more information.
Any ideas on this?
P.S. Forgot to mention it works fine with policy ACCEPT, but I'm not going to take that risk for normal use.
Firewall problems
Shadow Hawkins on Monday, 07 July 2003 16:29:23
Okay, nvm... I just found /etc/protocols :)
Feel free to delete some of my messages if they don't make any sense ;)
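The two pieces of the thread so far, the protocol-41 rules plus LDROP logging chain from Jeroen's reply and the ICMPv6 protocol-name problem resolved via /etc/protocols, combined into one rule generator. This is an added example, not code from the original thread or from SixXS: the interface names (eth0, sixxs), the script name and the POP address 192.0.2.1 are placeholders, and the script only prints the rules; nothing is applied unless you feed its output to a root shell yourself.

```shell
#!/bin/sh
# Added example (not from the original thread). Generates iptables/ip6tables
# rules for a host with policy DROP that terminates a 6in4 (protocol 41)
# tunnel. Interface names and the POP address are placeholder arguments.

# Logging drop chain: tcp and udp are always tagged; each extra "proto:LABEL"
# argument adds one LOG rule, then everything falls through to DROP.
ldrop_chain() {
    tool=$1; shift
    echo "$tool -N LDROP"
    for pair in tcp:TCP udp:UDP "$@"; do
        proto=${pair%%:*}
        label=${pair#*:}
        echo "$tool -A LDROP -p $proto -j LOG --log-level info --log-prefix '$label-Drop: '"
    done
    echo "$tool -A LDROP -j DROP"
}

# IPv4 side: only protocol 41 to and from the POP passes; any other 6in4
# packet, in either direction, is logged and dropped (the "reversed" rule
# from the thread). OUTPUT keeps its default ACCEPT policy.
v4_rules() {
    ifc=$1
    pop=$2
    ldrop_chain iptables icmp:ICMP 41:6in4
    cat <<EOF
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $ifc -p 41 -s $pop -j ACCEPT
iptables -A INPUT -p 41 -j LDROP
iptables -A INPUT -j LDROP
iptables -A OUTPUT -o $ifc -p 41 -d $pop -j ACCEPT
iptables -A OUTPUT -p 41 -j LDROP
EOF
}

# IPv6 side: the tunnel only works if ICMPv6 gets through (neighbour
# discovery, packet-too-big for the reduced tunnel MTU, echo). The protocol
# name is the one in /etc/protocols, "ipv6-icmp" (number 58); "icmp6" is not
# a name ip6tables resolves. No IPv6 connection tracking is assumed, so
# replies to outgoing TCP are matched statelessly with "! --syn".
v6_rules() {
    tun=$1
    ldrop_chain ip6tables ipv6-icmp:ICMPv6
    cat <<EOF
ip6tables -P INPUT DROP
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -i $tun -p tcp ! --syn -j ACCEPT
ip6tables -A INPUT -j LDROP
EOF
}

# Usage (script name assumed): sh 6in4-fw.sh eth0 <POP IPv4> sixxs > rules.sh
# Review rules.sh, then run it as root.
if [ $# -eq 3 ]; then
    v4_rules "$1" "$2"
    v6_rules "$3"
fi
```

The LOG target only exists if the kernel was built with it (as noted further up in the thread); if it is missing, the `-A LDROP ... -j LOG` lines fail and `LDROP` degrades to a plain drop chain once you remove them.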
Firewall problems
Jeroen Massar on Tuesday, 08 July 2003 12:24:24
"P.S. Forgot to mention it works fine with policy ACCEPT, but I'm not going to take that risk for normal use."
I still wonder why people are so paranoid. As long as there is no application listening it won't be open. And a host should respond with ICMP unreach/reject when the port is not available; that is just being nice. "Hiding" yourself has no use, except maybe for the ICMP packets that go back up your line.
If someone is out to DDoS you they certainly will, one way or the other...
And as the IPv4 endpoint information is available by looking up your IPv6 address in the SixXS whois, I hope the kids pick on the correct address. Or even better, just report the abuse and don't denial our POPs.
Firewall problems
Shadow Hawkins on Tuesday, 08 July 2003 14:20:31
Well, you do have a point about being paranoid. But the box is a colocation server I run with a few others, so we just try to keep it as secure as possible :)
Furthermore, Debian systems run a lot of services by default, and of course they can be disabled, but who knows what they're going to do at the next system update...
Firewall problems
Jeroen Massar on Wednesday, 09 July 2003 12:00:12
apt-get update+dist-upgrade won't install any new packages.