Re: [Firestarter-user] Testing a server
From: Jack B. <jb...@sh...> - 2004-03-28 17:51:08
On Sun, Mar 28, 2004 at 08:54:53AM -0500, John Woolsey wrote:

> This is more for the developers of firestarter.
>
> I have a DNS set up on the machine, but I am not sure how it would help
> in testing the rule. It will just set up the IP for the external address
> which will then fail.
>
> Ok now for the fun stuff.
>
> 1) I found somewhere on the net how to make an iptables rule that
> allowed people inside the network to see connections. It looks something
> like this:
>
>     -A POSTROUTING -p tcp --dst $webhostip --dport 80 -j SNAT --to-source $firewallip
>
> Source site for information:
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html#PREREQUISITES

Yes, this is called IP Hairpinning. Works for most but not all.

> 2) I needed to open ports to another location. Since one of the
> competitors to firestarter supports this I thought I would give it a try
> under iptables. I used -s hostname.domainname. It worked fine in
> testing, but didn't work very well when rebooting since it couldn't look
> up the domain name. The simple solution would have been to stick the
> lookup in the hosts file, but the IP for this name changes. So the solution
> is: bring up a closed firewall that allows DNS, bring up the network,
> bring up the DNS, add our rule with a host name in it. Add a crontab job
> to update the iptables every 15 minutes to ensure the domain name
> information hasn't changed. Thus I just opened a secure connection to
> only one location on the internet. Port scanners go away because you
> won't find anything here :) YEAH!

The Linux kernel only understands IP addresses, not domain names, so if you use domain names they must be converted somehow to IPs. It is recommended to use only IPs, not DNS domain names, in your iptables rulesets for the simple facts that:

1) the lookup may fail/timeout, which could affect the setting up of your firewall.

2) looking up domain names is resource intensive and can significantly lower the performance of your iptables ruleset if you have a lot of rules.

> 3) There seems to be a problem with IP tables. If you open a port
> internally on a box behind the firewall you effectively open that port
> on the firewall too. Actually no, I guess I could check the destination
> after routing as well. Sokay.

This would undermine the whole integrity of a firewall. Doesn't happen on my box.

> 4) Does anyone know what the default is for dead connections? REJECT or
> DROP? I assume since I only opened certain ports that everything will be
> handled in the same way, which makes it not obvious which ports are semi
> open. However I am mixed. I believe DROP makes it look like you have a
> firewall and REJECT just makes it look like no ports are open. Is that
> right? Which do you think is better to show to an external person trying
> to gain entry?

This is a religious war in some camps. The fundamental difference is that DROP just eats the packet and sends nothing back to tell the other end that it did so; REJECT sends back a message telling the other end that it dropped the packet on the floor. The connecting end must wait a system-defined timeout when a packet gets DROPped, whereas a REJECT sends an immediate message. Some see using DROP as impolite due to the timeout, while others see REJECT as unnecessary advertising that you have a firewall in place. And since portscanners assume that if they get a timeout there is a firewall in place on the other end, then why use DROP? The reason I use DROP is that in the case where your box is being DoS attacked, your box does not have to take the time to respond to the storm of packets arriving on the machine. It is already busy enough just directing the packets to /dev/null. Your call.

> Well that is about it. Firestarter looks cool, but I ended up having to
> go iptables myself just for option 2. It would be cool if firestarter
> would set up rules for 1 as an option to allow you to see things
> properly from behind the firewall.

Yes, a hairpin option could easily be set up in the FS GUI. However, using domain names in iptables rules is not recommended by the netfilter authors.

--
Jack Bowling
mailto: jb...@sh...
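The cron-driven refresh that John describes, written out as an added example (not code from the thread or from Firestarter), with the failed-lookup case Jack warns about handled: a lookup that returns nothing keeps the last known-good addresses instead of wiping the rule or blocking boot. The chain name FS-REMOTE, the port 22 and the state-file path are assumed for illustration; the script prints the iptables commands it would run rather than applying them.

```shell
#!/bin/sh
# Added example: rebuild an allow rule for one remote host whose IP changes,
# resolving the name at run time (e.g. from a 15-minute cron job).
# Assumed names: user chain FS-REMOTE, TCP port 22, state file path below.
# The commands are printed, not executed, so this runs safely anywhere.

CHAIN="FS-REMOTE"                               # hypothetical user chain
PORT="22"                                       # hypothetical port opened to that host only
STATE_FILE="${STATE_FILE:-/tmp/fs-remote.ips}"  # last good IP list (assumed path)

# resolve_v4 NAME: print IPv4 addresses for NAME, one per line; nothing on failure.
# getent consults the system resolver and /etc/hosts. The test below overrides
# this function with a constructed answer so no network is needed.
resolve_v4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# rules_for IP...: print the iptables commands that rebuild CHAIN for these IPs.
# Only the listed addresses may open a connection to PORT; the rest are DROPped.
rules_for() {
    echo "iptables -F $CHAIN"
    for ip in "$@"; do
        echo "iptables -A $CHAIN -s $ip -p tcp --dport $PORT -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A $CHAIN -p tcp --dport $PORT -j DROP"
}

# refresh NAME: regenerate the chain from a fresh lookup. If the lookup returns
# nothing (resolver not up yet at boot, DNS timeout), fall back to the cached
# addresses rather than flushing the chain. First output line is the status:
# "fresh", "cached", or "none" (no answer and no cache; returns 1, chain untouched).
refresh() {
    ips=$(resolve_v4 "$1" || true)
    if [ -n "$ips" ]; then
        printf '%s\n' "$ips" > "$STATE_FILE"
        echo "fresh"
    elif [ -s "$STATE_FILE" ]; then
        ips=$(cat "$STATE_FILE")
        echo "cached"
    else
        echo "none"
        return 1
    fi
    # shellcheck disable=SC2086  (word-splitting on newlines is intended here)
    rules_for $ips
}

if [ "$#" -gt 0 ]; then refresh "$1"; fi
```

Run as `sh refresh.sh host.example.invalid` to see the generated commands; pipe the rule lines into `sh` only once the chain exists and is referenced from INPUT or FORWARD.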