[Bastille-linux-discuss] Problem with Bastille 1.1.0 and NTPd
From: martin l. <ma...@sc...> - 2000-12-19 12:35:47
hi,

sorry if this has been discussed before (couldn't find a way to search the archives, and google hasn't got them).

I seem to be having a problem with Bastille, where it is firewalling NTP -- not letting it through to synch with other servers.

[ please, copy me in your answer -- I'm not on the list ]

My O'Reilly book on firewalls (Building Internet Firewalls) speaks of 3 types of connections for NTP:

  A - client -> server query          (high port -> ntp port)
  B - server -> client answer         (ntp port -> high port)
  C - server -> server query/response (ntp port -> ntp port)

Now I am not *that* familiar with IPCHAINS nor firewalls in general, but reading Bastille's code and the resulting IPCHAINS policy, it looks like it's setting up proper rules for A and B. But it's forgetting to allow ntp->ntp.

I did set up the peers I want to be available like:

  NTP_SERVERS="200.49.40.1 200.49.32.1 216.244.192.3"

but then, if I do:

  # /init/bastille-firewall status | grep 200.49.40.1
  ACCEPT     udp  ------  200.49.40.1.addr.nap.com.ar  anywhere     ntp ->   1024:65535
  ACCEPT     udp  ------  200.49.40.1.addr.nap.com.ar  anywhere     ntp ->   1024:65535
  ACCEPT     udp  ------  200.49.40.1.addr.nap.com.ar  anywhere     ntp ->   1024:65535

Something's missing here. Maybe it's my brain that's missing.
Hope someone with a working neuron or two could help me out ;)

martin

- full configs (bastille and ipchains) after signature

bastille-firewall - settings:
==================================================================
PATH=/bin:/sbin:/usr/bin:/usr/sbin
IPCHAINS=/sbin/ipchains
DNS_SERVERS="0.0.0.0/0"
TRUSTED_IFACES="lo"
PUBLIC_IFACES="eth+ ppp+ slip+"
INTERNAL_IFACES=""
TCP_AUDIT_SERVICES="telnet ftp imap pop-3 finger sunrpc exec login linuxconf ssh"
UDP_AUDIT_SERVICES="31337"
ICMP_AUDIT_TYPES=""
TCP_PUBLIC_SERVICES="ssh pop-3 ntp www domain smtp"
UDP_PUBLIC_SERVICES="domain"
TCP_INTERNAL_SERVICES=""
UDP_INTERNAL_SERVICES=""
FORCE_PASV_FTP="N"
TCP_BLOCKED_SERVICES="1024 2049 2065:2090 6000:6020 7100"
UDP_BLOCKED_SERVICES="1066 2049 6770"
ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded"
# ENABLE_SRC_ADDR_VERIFY="Y"
IP_MASQ_NETWORK=""
IP_MASQ_MODULES=""
# REJECT_METHOD="REJECT"
# DHCP_IFACES=""
NTP_SERVERS="200.49.40.1 200.49.32.1 216.244.192.3"
ICMP_OUTBOUND_DISABLED_TYPES="destination-unreachable time-exceeded"
LOG_FAILURES="N" # do not log blocked packets
==================================================================

ipchains -L
================================================================
Chain input (policy REJECT):
target     prot opt     source                       destination  ports
-          tcp  -y--l-  anywhere                     anywhere     any ->   telnet
-          tcp  -y--l-  anywhere                     anywhere     any ->   ftp
-          tcp  -y--l-  anywhere                     anywhere     any ->   imap2
-          tcp  -y--l-  anywhere                     anywhere     any ->   pop3
-          tcp  -y--l-  anywhere                     anywhere     any ->   finger
-          tcp  -y--l-  anywhere                     anywhere     any ->   sunrpc
-          tcp  -y--l-  anywhere                     anywhere     any ->   exec
-          tcp  -y--l-  anywhere                     anywhere     any ->   login
-          tcp  -y--l-  anywhere                     anywhere     any ->   linuxconf
-          tcp  -y--l-  anywhere                     anywhere     any ->   ssh
-          udp  ----l-  anywhere                     anywhere     any ->   31337
-          tcp  -y--l-  anywhere                     anywhere     any ->   telnet
-          tcp  -y--l-  anywhere                     anywhere     any ->   ftp
-          tcp  -y--l-  anywhere                     anywhere     any ->   imap2
-          tcp  -y--l-  anywhere                     anywhere     any ->   pop3
-          tcp  -y--l-  anywhere                     anywhere     any ->   finger
-          tcp  -y--l-  anywhere                     anywhere     any ->   sunrpc
-          tcp  -y--l-  anywhere                     anywhere     any ->   exec
-          tcp  -y--l-  anywhere                     anywhere     any ->   login
-          tcp  -y--l-  anywhere                     anywhere     any ->   linuxconf
-          tcp  -y--l-  anywhere                     anywhere     any ->   ssh
-          udp  ----l-  anywhere                     anywhere     any ->   31337
-          tcp  -y--l-  anywhere                     anywhere     any ->   telnet
-          tcp  -y--l-  anywhere                     anywhere     any ->   ftp
-          tcp  -y--l-  anywhere                     anywhere     any ->   imap2
-          tcp  -y--l-  anywhere                     anywhere     any ->   pop3
-          tcp  -y--l-  anywhere                     anywhere     any ->   finger
-          tcp  -y--l-  anywhere                     anywhere     any ->   sunrpc
-          tcp  -y--l-  anywhere                     anywhere     any ->   exec
-          tcp  -y--l-  anywhere                     anywhere     any ->   login
-          tcp  -y--l-  anywhere                     anywhere     any ->   linuxconf
-          tcp  -y--l-  anywhere                     anywhere     any ->   ssh
-          udp  ----l-  anywhere                     anywhere     any ->   31337
REJECT     all  ------  BASE-ADDRESS.MCAST.NET/4     anywhere     n/a
ACCEPT     all  ------  anywhere                     anywhere     n/a
ACCEPT     tcp  ------  anywhere                     anywhere     any ->   ssh
ACCEPT     tcp  ------  anywhere                     anywhere     any ->   pop3
ACCEPT     tcp  ------  anywhere                     anywhere     any ->   ntp
ACCEPT     tcp  ------  anywhere                     anywhere     any ->   www
ACCEPT     tcp  ------  anywhere                     anywhere     any ->   domain
ACCEPT     tcp  ------  anywhere                     anywhere     any ->   smtp
REJECT     tcp  -y----  anywhere                     anywhere     any ->   1024
REJECT     tcp  -y----  anywhere                     anywhere     any ->   2049
REJECT     tcp  -y----  anywhere                     anywhere     any ->   2065:2090
REJECT     tcp  -y----  anywhere                     anywhere     any ->   6000:6020
REJECT     tcp  -y----  anywhere                     anywhere     any ->   7100
ACCEPT     tcp  ------  anywhere                     anywhere     ftp-data ->   1024:65535
ACCEPT     tcp  !y----  anywhere                     anywhere     any ->   any
ACCEPT     icmp ------  anywhere                     anywhere     destination-unreachable
ACCEPT     icmp ------  anywhere                     anywhere     echo-reply
ACCEPT     icmp ------  anywhere                     anywhere     time-exceeded
DENY       icmp ------  anywhere                     anywhere     any ->   any
ACCEPT     udp  ------  anywhere                     anywhere     any ->   domain
REJECT     udp  ------  anywhere                     anywhere     any ->   1066
REJECT     udp  ------  anywhere                     anywhere     any ->   2049
REJECT     udp  ------  anywhere                     anywhere     any ->   6770
ACCEPT     udp  ------  anywhere                     anywhere     domain ->   1024:65535
ACCEPT     udp  ------  200.49.40.1.addr.nap.com.ar  anywhere     ntp ->   1024:65535
ACCEPT     udp  ------  200.49.32.1.addr.nap.com.ar  anywhere     ntp ->   1024:65535
ACCEPT     udp  ------  thor.sinectis.com.ar         anywhere     ntp ->   1024:65535
ACCEPT     tcp  ------  anywhere                     anywhere     any ->   ssh
ACCEPT     tcp  ------  anywhere                     anywhere     any ->   pop3
ACCEPT     tcp  ------  anywhere                     anywhere     any ->   ntp
ACCEPT     tcp  ------  anywhere                     anywhere     any ->   www
ACCEPT     tcp  ------  anywhere                     anywhere     any ->   domain
ACCEPT     tcp  ------  anywhere                     anywhere     any ->   smtp
REJECT     tcp  -y----  anywhere                     anywhere     any ->   1024
REJECT     tcp  -y----  anywhere                     anywhere     any ->   2049
REJECT     tcp  -y----  anywhere                     anywhere     any ->   2065:2090
REJECT     tcp  -y----  anywhere                     anywhere     any ->   6000:6020
REJECT     tcp  -y----  anywhere                     anywhere     any ->   7100
ACCEPT     tcp  ------  anywhere                     anywhere     ftp-data ->   1024:65535
ACCEPT     tcp  !y----  anywhere                     anywhere     any ->   any
ACCEPT     icmp ------  anywhere                     anywhere     destination-unreachable
ACCEPT     icmp ------  anywhere                     anywhere     echo-reply
ACCEPT     icmp ------  anywhere                     anywhere     time-exceeded
DENY       icmp ------  anywhere                     anywhere     any ->   any
ACCEPT     udp  ------  anywhere                     anywhere     any ->   domain
REJECT     udp  ------  anywhere                     anywhere     any ->   1066
REJECT     udp  ------  anywhere                     anywhere     any ->   2049
REJECT     udp  ------  anywhere                     anywhere     any ->   6770
ACCEPT     udp  ------  anywhere                     anywhere     domain ->   1024:65535
ACCEPT     udp  ------  200.49.40.1.addr.nap.com.ar  anywhere     ntp ->   1024:65535
ACCEPT     udp  ------  200.49.32.1.addr.nap.com.ar  anywhere     ntp ->   1024:65535
ACCEPT     udp  ------  thor.sinectis.com.ar         anywhere     ntp ->   1024:65535
ACCEPT     tcp  ------  anywhere                     anywhere     any ->   ssh
ACCEPT     tcp  ------  anywhere                     anywhere     any ->   pop3
ACCEPT     tcp  ------  anywhere                     anywhere     any ->   ntp
ACCEPT     tcp  ------  anywhere                     anywhere     any ->   www
ACCEPT     tcp  ------  anywhere                     anywhere     any ->   domain
ACCEPT     tcp  ------  anywhere                     anywhere     any ->   smtp
REJECT     tcp  -y----  anywhere                     anywhere     any ->   1024
REJECT     tcp  -y----  anywhere                     anywhere     any ->   2049
REJECT     tcp  -y----  anywhere                     anywhere     any ->   2065:2090
REJECT     tcp  -y----  anywhere                     anywhere     any ->   6000:6020
REJECT     tcp  -y----  anywhere                     anywhere     any ->   7100
ACCEPT     tcp  ------  anywhere                     anywhere     ftp-data ->   1024:65535
ACCEPT     tcp  !y----  anywhere                     anywhere     any ->   any
ACCEPT     icmp ------  anywhere                     anywhere     destination-unreachable
ACCEPT     icmp ------  anywhere                     anywhere     echo-reply
ACCEPT     icmp ------  anywhere                     anywhere     time-exceeded
DENY       icmp ------  anywhere                     anywhere     any ->   any
ACCEPT     udp  ------  anywhere                     anywhere     any ->   domain
REJECT     udp  ------  anywhere                     anywhere     any ->   1066
REJECT     udp  ------  anywhere                     anywhere     any ->   2049
REJECT     udp  ------  anywhere                     anywhere     any ->   6770
ACCEPT     udp  ------  anywhere                     anywhere     domain ->   1024:65535
ACCEPT     udp  ------  200.49.40.1.addr.nap.com.ar  anywhere     ntp ->   1024:65535
ACCEPT     udp  ------  200.49.32.1.addr.nap.com.ar  anywhere     ntp ->   1024:65535
ACCEPT     udp  ------  thor.sinectis.com.ar         anywhere     ntp ->   1024:65535
Chain forward (policy REJECT):
Chain output (policy ACCEPT):
target     prot opt     source                       destination  ports
REJECT     icmp ------  anywhere                     anywhere     destination-unreachable
REJECT     icmp ------  anywhere                     anywhere     time-exceeded
REJECT     icmp ------  anywhere                     anywhere     destination-unreachable
REJECT     icmp ------  anywhere                     anywhere     time-exceeded
REJECT     icmp ------  anywhere                     anywhere     destination-unreachable
REJECT     icmp ------  anywhere                     anywhere     time-exceeded
=====================================================================
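The post above describes the gap (case C, ntp port -> ntp port, has no ACCEPT rule) and shows the grep that exposes it. The script below is an added example, not Bastille's own bastille-firewall code: it generates the per-server input rules including the missing ntp -> ntp one, and audits an ipchains -L listing for servers that still lack it. It assumes NTP_SERVERS and IPCHAINS carry the same meaning as in the settings file above, and that ntpd (unlike ntpdate) sends its queries from UDP port 123, so a peer's reply arrives as ntp -> ntp.

```shell
#!/bin/sh
# Added example, not code from Bastille or the bastille-firewall script.
# Assumed: NTP_SERVERS and IPCHAINS mean what they do in the config above, and
# ntpd (unlike ntpdate) sends its queries from UDP port 123, so the reply from
# a peer arrives as ntp -> ntp, a case the 1.1.0 ruleset never accepts.

NTP_SERVERS="${NTP_SERVERS:-200.49.40.1 200.49.32.1 216.244.192.3}"
IPCHAINS="${IPCHAINS:-/sbin/ipchains}"

# Print the two input-chain rules one configured server needs:
#   ntp -> 1024:65535  reply to a high-port (ntpdate-style) query; Bastille has it
#   ntp -> ntp         reply to ntpd's port-123 query; the missing case C
# Both are pinned to the server's address, so only listed peers get through.
ntp_input_rules() {
    printf '%s -A input -p udp -s %s ntp -d 0.0.0.0/0 1024:65535 -j ACCEPT\n' "$IPCHAINS" "$1"
    printf '%s -A input -p udp -s %s ntp -d 0.0.0.0/0 ntp -j ACCEPT\n' "$IPCHAINS" "$1"
}

# Rules for every server in NTP_SERVERS; pipe the output to sh to apply them.
ntp_rules_all() {
    for _srv in $NTP_SERVERS; do ntp_input_rules "$_srv"; done
}

# Audit an 'ipchains -L' listing on stdin: print each source that has an
# "ntp -> 1024:65535" rule but no "ntp -> ntp" rule. Returns 1 if any is missing.
missing_peer_rules() {
    _missing=$(awk '$2 == "udp" && $6 == "ntp" && $7 == "->" {
                        seen[$4] = 1
                        if ($8 == "ntp") peer[$4] = 1
                    }
                    END { for (s in seen) if (!(s in peer)) print s }' | sort)
    [ -z "$_missing" ] && return 0
    printf '%s\n' "$_missing"
    return 1
}

# Constructed sample in the format of the listing above: one server fixed, one not.
SAMPLE_LISTING='ACCEPT     udp  ------  200.49.40.1.addr.nap.com.ar  anywhere  ntp ->   1024:65535
ACCEPT     udp  ------  thor.sinectis.com.ar         anywhere  ntp ->   1024:65535
ACCEPT     udp  ------  thor.sinectis.com.ar         anywhere  ntp ->   ntp'

echo "rules to add:"
ntp_rules_all
echo "servers still lacking an ntp -> ntp rule in the sample listing:"
printf '%s\n' "$SAMPLE_LISTING" | missing_peer_rules || true
```

Appending with -A is enough here because the input chain shown above ends without a catch-all rule, so the new ACCEPTs are consulted before the chain's REJECT policy applies.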