Subject: Firestarter inbound outbound policies will not work - msg#00003
List: security.firewalls.firestarter.user
I am using Ubuntu 7.04, on which I have Firestarter 1.03
installed and running. When I go to do an ssh to the host computer
running Firestarter, I cannot connect. When I try to ssh from that host
computer running Firestarter to another computer, it won't work either.
I can ping the Firestarter host and vice versa, but outside of
that... nothing. All I get is "Connection refused". I have tried setting
the inbound & outbound policies to allow the specific remote computer in
and ssh on the host out, but it seems that the Firestarter application
will not make the adjustments at the iptables level. I know that this is
just a GUI to make it easier to manage iptables, but it looks like I'm
going to have to make the adjustment directly in iptables. All I want is
to allow a remote computer on my local LAN to be able to ssh to this host
without issues. Thanks.
D-
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Re: Firewall rules not loaded on boot
On Fri, Apr 27, 2007 at 03:50:54AM -0500, Billy Wayne McCann wrote:
> Hello.
>
> I've been using Firestarter to configure my firewall for a few months.
> It's a great, easy to use front-end that I found to be very intuitive
> and flexible. One thing is, it doesn't load the firewall rules at
> boot. I set Firestarter to set my ports to stealth. When I reboot, my
> ports are merely closed, not stealthed. I have to start Firestarter
> manually from within Gnome in order for the firewall rules to be
> loaded. Perhaps I'm not setting Firestarter up correctly. I've used
> Firestarter with Debian Sarge and Etch, Ubuntu Edgy and Feisty.
>
> So my question is, how can I help you help me? I've tried looking at
> logs, but I'm frankly a little bewildered. I'm fairly new to Linux. I
> use a cable modem. No home network or anything. Just the one desktop
> with a wired connection.
>
> Nearly every Google search returns something along the lines of someone
> wanting the tray icon in the notification area whenever they log in. I,
> on the other hand, am not concerned with merely having the icon in the
> tray. I can do without that (though it -is- kind of pretty and
> comforting). I just want my firewall rules loaded without having to
> begin Firestarter from within Gnome.
>
> Thanks for the awesome program and any help.
A stock Ubuntu install of Firestarter loads up the necessary init script
to load the firewall script at bootup:
$ dpkg -L firestarter | grep init.d
/etc/init.d
/etc/init.d/firestarter
So you see that firestarter is in the init scripts already. I think your
problem is that you need to understand that there are two facets to
Firestarter. The first is the firewall scripts in /etc/firestarter that hook
into the kernel netfilter code and provide the firewall rules. The initial set
of scripts and rules are written when you first run the Firestarter GUI. These
rules are loaded without intervention by the user at bootup.
The second facet is the GUI itself from which you control the Firestarter
scripts. You can open up any of the Firestarter scripts and edit the iptables
rules there as you like but the GUI makes the job pretty easy for most simple
firewall uses. When you block an IP via the GUI, what is happening is that an
iptables rule is added to one of the scripts and then the Firestarter firewall
is reloaded to incorporate the change to the firewall.
So I think your system is being protected as well as can be expected
with Firestarter. I do not know why your system would show as being
closed before loading the Firestarter GUI and as stealthed after the GUI
is loaded. I still think any "bad" packet would be dropped regardless.
A good place to look for more information on Firestarter is the project
web site at:
http://www.fs-security.com/
Hit the "Learn more about Firestarter" link opposite the Download link on the
homepage and then click the "A quick tutorial" to give you an idea of
Firestarter's capabilities.
BTW, I have Firestarter added to my Gnome startup scripts so the GUI
starts up automatically. Are you running Gnome or KDE or some other
Desktop Environment?
Jack
Re: Firestarter inbound outbound policies will not work
On Wed, May 02, 2007 at 11:23:42AM -0400, dsandif wrote:
> I am using Ubuntu 7.04, on which I have Firestarter 1.03
> installed and running. When I go to do an ssh to the host computer
> running Firestarter, I cannot connect. When I try to ssh from that host
> computer running Firestarter to another computer, it won't work either.
> I can ping the Firestarter host and vice versa, but outside of
> that... nothing. All I get is "Connection refused". I have tried setting
> the inbound & outbound policies to allow the specific remote computer in
> and ssh on the host out, but it seems that the Firestarter application
> will not make the adjustments at the iptables level. I know that this is
> just a GUI to make it easier to manage iptables, but it looks like I'm
> going to have to make the adjustment directly in iptables. All I want is
> to allow a remote computer on my local LAN to be able to ssh to this host
> without issues. Thanks.
I run Feisty as well and I have no problem allowing hosts via ssh. You
may want to check that there isn't something else blocking port 22.
Perhaps you have a block in /etc/hosts.deny and /etc/hosts.allow? If you
do not see a host's IP being blocked in the Firestarter Events tab, then
the packets are not even making it to the layer which FS monitors. If
you do see the blocked packets, then the easiest thing is to just right
click on the host and "Allow from Source" then hit the reload button to
put the new rule into service. Hosts added from the GUI should end up in
/etc/firestarter/inbound/allow-service.
Jack
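Jack's suggestion above is to rule out /etc/hosts.allow and /etc/hosts.deny before blaming Firestarter. The following is an added example, not code from this thread or from the Firestarter project: it evaluates what tcp_wrappers would decide for sshd from a given client address, using constructed sample rule files and invented addresses, with a simplified matcher (ALL, exact address, dotted prefix; no EXCEPT, hostnames or netmasks).

```shell
#!/bin/sh
# Constructed stand-ins for /etc/hosts.allow and /etc/hosts.deny
# (the real files are consulted by tcp_wrappers-aware daemons such as sshd).
SAMPLE_ALLOW='sshd: 192.168.1.10, 10.0.0.   # one LAN host plus every 10.0.0.x
ALL: 127.0.0.1'
SAMPLE_DENY='sshd: ALL'

# wrapper_match DAEMON CLIENT_IP RULES_TEXT
# Exit status 0 if any "daemon_list : client_list" line matches.
# Simplified matcher: ALL, an exact address, or a dotted prefix such as
# 192.168.1. (no EXCEPT, hostnames or netmasks).
wrapper_match() {
    daemon=$1; client=$2; rules=$3
    printf '%s\n' "$rules" | {
        while IFS= read -r line; do
            line=${line%%#*}                   # strip trailing comments
            case "$line" in *:*) ;; *) continue ;; esac
            dlist=${line%%:*}; clist=${line#*:}
            dhit=0
            for d in $(printf '%s' "$dlist" | tr ',' ' '); do
                case "$d" in ALL|"$daemon") dhit=1 ;; esac
            done
            [ "$dhit" = 1 ] || continue
            for c in $(printf '%s' "$clist" | tr ',' ' '); do
                case "$c" in
                    ALL)        exit 0 ;;
                    *.)         case "$client" in "$c"*) exit 0 ;; esac ;;
                    "$client")  exit 0 ;;
                esac
            done
        done
        exit 1                                  # nothing matched
    }
}

# wrapper_verdict DAEMON CLIENT_IP ALLOW_RULES DENY_RULES
# tcp_wrappers evaluation order: hosts.allow first (match => allow),
# then hosts.deny (match => deny), otherwise the connection is allowed.
wrapper_verdict() {
    if wrapper_match "$1" "$2" "$3"; then echo ALLOW
    elif wrapper_match "$1" "$2" "$4"; then echo DENY
    else echo ALLOW
    fi
}

# Demo over constructed client addresses.
for ip in 192.168.1.10 192.168.1.20 10.0.0.7; do
    printf 'sshd from %-13s -> %s\n' "$ip" \
        "$(wrapper_verdict sshd "$ip" "$SAMPLE_ALLOW" "$SAMPLE_DENY")"
done
```

To check a live host, pass "$(cat /etc/hosts.allow)" and "$(cat /etc/hosts.deny)" instead of the samples. A "Connection refused" at the client is a TCP reset, which a DROP (stealth) rule never sends, so it is also worth confirming that sshd is actually listening on port 22.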