Re: [psad-discuss] Meaning of error message when starting fwknop
From: Grant F. <gfc...@mt...> - 2008-01-19 01:57:00
If you're manually blacklisting or dealing with threats by DROPing, you should be putting it in a separate chain that you jump to at the start of your default chain. This will clean up your INPUT/FORWARD/OUTPUT chains. I can't stress enough to refer to published examples for a base configuration to prevent you from making basic mistakes; then you can add custom jumps to your own chains.

Seriously, you shouldn't be ashamed to post your firewall, no matter how convoluted ;) Better to fear looking silly than be compromised. If you do post, make sure to take out any public IPs or info that could identify you. I think most people working with iptables have done some seriously idiotic things in their past, so they shouldn't be throwing stones at you.

Grant

_____

From: Kaplan, Andrew H. [mailto:AHKAPLAN@PARTNERS.ORG]
Sent: January 18, 2008 7:12 PM
To: fe...@mt...; psa...@li...
Subject: RE: [psad-discuss] Meaning of error message when starting fwknop

Hi there --

Thanks for your reply. I do have psad and fwsnort running, but I am still forced periodically to manually add IP addresses to the iptables file. Consequently, something in my configuration, be it with psad, fwsnort, or iptables, is not quite right.

If I place the state rule after the DROP rules, the current configuration would have me periodically 'moving' the state rule down each time I need to manually add a DROP rule.

My INPUT chain is admittedly haphazard, being based on reacting to perceived attacks. Posting it would be embarrassing to say the least. If it is necessary, I can do so.

-----Original Message-----
From: fe...@mt... [mailto:fe...@mt...]
Sent: Friday, January 18, 2008 7:02 PM
To: Kaplan, Andrew H.; psa...@li...
Subject: RE: [psad-discuss] Meaning of error message when starting fwknop

Sorry to the group for overtyping, I hate Outlook.

Glad to hear things are going better Andrew. As for the placement of the state rule, it depends what is making your "blacklist" rule. If it's psad or fwsnort, then they will typically place their blacklisting rules/chains at the start of the default chains, so your rule will usually occur after them as you would expect. It's your firewall, so you have complete control. If your state rule is higher than any blacklisting chains or rules, then delete and re-add it.

As for it coming before "drop" lines, it all depends on what those lines are. A typical INPUT chain with a default DROP policy means that the rules you're adding are to specifically allow traffic, in which case order shouldn't matter too much. In other words, the policy should read something like: DROP blacklist, ALLOW established, ALLOW certain TCP/UDP ports, LOG anything reaching this point, and finally let the default policy (DROP) of the chain take over.

You could always post your current INPUT chain for a sanity check by doing:

    iptables -L INPUT -n -v

Grant

_____

From: Kaplan, Andrew H. [mailto:AHKAPLAN@PARTNERS.ORG]
Sent: January 18, 2008 5:27 PM
To: fe...@mt...; psa...@li...
Subject: RE: [psad-discuss] Meaning of error message when starting fwknop

Hi there -

The error condition that you suggested did appear to be the case. I inserted the following lines just above the list of DROP ip addresses:

    # The following line has been inserted to allow fwknop to work properly.
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

I restarted iptables and fwknop, and everything appears to be operating normally. The output of the iptables status command for the line in question is shown below:

    2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

There is one question: shouldn't the above line come after the DROP lines? My reasoning is: shouldn't iptables check to see what address is attempting to connect first, and then, if it is none of the 'blacklisted' ip addresses, accept the connection?

Thanks.
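The layout Grant describes (jump to a blacklist chain first, then the state rule, explicit port ACCEPTs, a LOG rule, and the chain's DROP policy last), written out as an added example rather than anything posted in the thread: a POSIX shell script that emits an iptables-restore ruleset, with the manual blacklist kept in its own chain so adding a DROP entry never requires moving the state rule. The addresses, the ports and the `gen-rules.sh` file name are assumptions for illustration, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset that
# keeps manual blacklisting in its own chain, so adding a blocked address
# never disturbs the state rule or the per-port ACCEPTs in INPUT.
# Assumed usage (as root):  ./gen-rules.sh | iptables-restore

# Constructed sample blacklist (RFC 5737 documentation addresses, not real hosts).
BLACKLIST="192.0.2.10 198.51.100.0/24"
# Ports this host is assumed to serve; adjust to the real services.
TCP_PORTS="22 80 443"

gen_rules() {
    echo '*filter'
    # Default policies: anything not explicitly accepted is dropped.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':BLACKLIST - [0:0]'
    # 1. Jump to the blacklist chain first, so a blocked source is dropped
    #    before the state rule can ACCEPT its ESTABLISHED packets.
    echo '-A INPUT -j BLACKLIST'
    # 2. State rule: replies to our own traffic and already-accepted flows.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -i lo -j ACCEPT'
    # 3. Explicit allows for NEW connections to the served ports.
    for p in $TCP_PORTS; do
        echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # 4. Log (rate-limited) what falls through; the chain policy then DROPs it.
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "'
    # The blacklist chain: one DROP per entry, RETURN to INPUT otherwise.
    # New blocks go into $BLACKLIST; nothing in INPUT has to move.
    for src in $BLACKLIST; do
        echo "-A BLACKLIST -s $src -j DROP"
    done
    echo '-A BLACKLIST -j RETURN'
    echo 'COMMIT'
}

# Sanity check on ordering: 1-based position of the first INPUT rule matching
# the given pattern (empty if none matches).
input_rule_pos() {
    gen_rules | grep '^-A INPUT' | grep -n -- "$1" | head -n1 | cut -d: -f1
}

gen_rules
```

Reviewing the generated file with `iptables-restore --test` (where supported) before loading it catches syntax errors without touching the live tables.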