Re: [Firestarter-user] Testing a server

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Sun, Mar 28, 2004 at 08:54:53AM -0500, John Woolsey wrote:
> This is more for the developers of firestarter.
> 
> I have a DNS set up on the machine, but I am not sure how it would help 
> in testing the rule. It will just set up the ip for the external address 
> which will then fail.
> 
> Ok now for the fun stuff.
> 1) I found somewhere on the net how to make an iptables rule that 
> allowed people inside the network to see connections. It looks something 
> like this:
> -A POSTROUTING -p tcp --dst $webhostip --dport 80 -j SNAT --to-source 
> $firewallip
> Source site for information:
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html#PREREQUISITES
> 

Yes, this is called IP Hairpinning. Works for most but not all.

> 2) I needed to open ports to another location. Since one of the 
> competitors to firestarter supports this I thought I would give it a try 
> under iptables. I used -s hostname.domainname. It worked fine in 
> testing, but didn't work very well when rebooting since it couldn't look 
> up the domain name. The simple solution would have been to stick the 
> lookup in host file, but the ip for this name changes. So the solution 
> is: Bring up a closed firewall that allows DNS, bring up the network, 
> bring up the dns, add our rule with a host name in it. Add a crontab job 
> to update the iptables every 15 minutes to ensure the domain name 
> information hasn't changed. Thus I just opened a secure connection to 
> only one location on the internet. Port scanners go away because you 
> won't find anything here :) YEAH!

The linux kernel only understands IP addresses, not domain names so if you
use domain names they must be converted somehow to IPs. It is recommended
to use only IPs not DNS domain names in your iptables rulesets for the simple 
facts that:

1) the lookup may fail/timeout which could affect the setting
up of your firewall.
2) looking up domain names is resource intensive and can significantly 
lower the performance of your iptables ruleset if you have a lot of rules.

> 
> 3) There seems to be a problem with IP tables. If you open a port 
> internally on a box behind the firewall you effectively open that port 
> on the firewall too. Actually no I guess I could check the destination 
> after routing as well. Sokay. 

This would undermine the whole integrity of a firewall. Doesn't happen on
my box.

> 
> 4) Does anyone know what the default is for dead connections? REJECT or 
> DROP? I assume since I only opened certain ports that everything will be 
> handled in the same way which makes it not obvious which ports are semi 
> open. However I am mixed. I believe DROP makes it look like you have a 
> firewall and REJECT just makes it look like no ports are open. Is that 
> right? Which do you think is better to show to an external person trying 
> to gain entry? 

This is a religious war in some camps. The fundamental difference is that
DROP just eats the packet and sends nothing back to tell the other end that
it did so; REJECT sends back a message telling the other end that it
dropped the packet on the floor. The connecting end must wait a system-defined
timeout when a packet gets DROPped whereas a REJECT sends an immediate
message. Some see using DROP as impolite due to the timeout while others
see REJECT as unnecessary advertising that you have a firewall in place. And
since portscanners assume that if they get a timeout that there is a
firewall in place on the other end then why use DROP? The reason I use DROP
is if in the case where your box is being DoS attacked, your box does not
have to take the time to respond to the storm of packets arriving on the
machine. It is already busy enough just directing the packets to /dev/null. 
Your call. 

> 
> Well that is about it. Firestarter looks cool, but I ended up having to 
> go iptables myself just for option 2. It would be cool if firestarter 
> would set up rules for 1 as an option to allow you to see things 
> properly from behind the firewall.

Yes, a hairpin option could easily be setup in the FS GUI. However, using
domain names in iptables rules is not recommended by the netfilter authors. 

--
Jack Bowling
mailto: jb...@sh...