Re: [psad-discuss] Meaning of error message when starting fwknop

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

If you're manually blacklisting or dealing with threats by DROPing, you
should be putting it in a separate chain that you jump to at the start of
your default chain.  This will clean up your INPUT/FORWARD/OUTPUT chains.  I
can't stress enough to refer to published examples for a base configuration
to prevent you from making basic mistakes, then you can add custom jumps to
your own chains.

Seriously, you shouldn't be ashamed to post your firewall, no matter how
convoluted ;)  Better to fear looking silly than be compromised.  If you do
post, make sure to take out any public IP's or info that could identify you.
I think most people working with iptables have done some seriously idiotic
things in their past, so they shouldn't be throwing stones at you.

Grant

  _____  

From: Kaplan, Andrew H. [mailto:AHKAPLAN@PARTNERS.ORG] 
Sent: January 18, 2008 7:12 PM
To: fe...@mt...; psa...@li...
Subject: RE: [psad-discuss] Meaning of error message when starting fwknop

Hi there --

Thanks for your reply. I do have psad and fwsnort running, but I am still
forced periodically to manually add IP addresses to the iptables file.
Consequently, something in my configuration, be it with psad, fwsnort, or
iptables, is not quite right. 

If I place the state rule after the DROP rules, the current configuration
would have my periodically 'moving' the state rule down each time I need to
manually add a DROP rule. My INPUT chain is admittedly haphazard,  being
based on reacting to 

perceived attacks. Posting it would be embarrising to say the least. If it
is necessary, I can do so.  

-----Original Message-----
From: fe...@mt... [mailto:fe...@mt...]
Sent: Friday, January 18, 2008 7:02 PM
To: Kaplan, Andrew H.; psa...@li...
Subject: RE: [psad-discuss] Meaning of error message when starting fwknop

Sorry to the group for overtyping, I hate Outlook.  Glad to hear things are
going better Andrew.  As for the placement of the state rule, it depends
what is making your "blacklist" rule.  If it's psad or fwsnort, then they
will typically place their blacklisting rules/chains at the start of the
default chains, so your rule will usually occur after them as you would
expect.

It's your firewall, so you have complete control.  If your state rule is
higher than any blacklisting chains or rules, then delete and re-add it.  As
for it coming before "drop" lines, it all depends on what those lines are.
A typical INPUT chain with a default DROP policy means that the rules you're
adding are to specifically allow traffic, in which case order shouldn't
matter too much. In other words, the policy should read something like:

DROP blacklist, ALLOW established, ALLOW certain TCP/UDP ports, LOG anything
reaching this point, and finally let the default policy (DROP) of the chain
take over.

You could always post your current INPUT chain for a sanity check by doing:
iptables -L INPUT -n -v 

Grant

  _____  

From: Kaplan, Andrew H. [mailto:AHKAPLAN@PARTNERS.ORG] 
Sent: January 18, 2008 5:27 PM
To: fe...@mt...; psa...@li...
Subject: RE: [psad-discuss] Meaning of error message when starting fwknop

Hi there -

The error condition that you suggested did appear to be the case. I inserted
the following lines just above the list of DROP ip addresses:

# The following line has been inserted to allow fwknop to work properly.

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

I restarted iptables and fwknop, and everything appears to be operating
normally. The output of the iptables status command for the line

in question is shown below:

2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state
RELATED,ESTABLISHED

There is one question, shouldn't the above line come after the DROP lines?
My reasoning is that shouldn't iptables check to see what

address is attempting to connect first, and then if it is none of the
'blacklisted' ip addresses, then accept the connection? Thanks. 

The information transmitted in this electronic communication is intended
only
for the person or entity to whom it is addressed and may contain
confidential
and/or privileged material. Any review, retransmission, dissemination or
other
use of or taking of any action in reliance upon this information by persons
or
entities other than the intended recipient is prohibited. If you received
this
information in error, please contact the Compliance HelpLine at 800-856-1983
and
properly dispose of this information.