* [gentoo-dev] Gentoo Linux Security Guide
@ 2002-06-24 1:50 Conny R. Landstedt
From: Conny R. Landstedt @ 2002-06-24 1:50 UTC
To: kn, gentoo-dev
To Kim Nielsen & Gentoo-dev
In the "Gentoo Linux Security Guide"
>Code listing 64: /etc/init.d/firewall
> #Incoming traffic
> einfo "Creating incoming ssh traffic chain"
> $IPTABLES -N allow-ssh-traffic-in
> $IPTABLES -F allow-ssh-traffic-in
> $IPTABLES -A allow-ssh-traffic-in -p tcp --sport ssh -j ACCEPT
I'm not absolutely certain, but shouldn't it be "--dport" instead of
"--sport"?
Reg. Conny
* Re: [gentoo-dev] Gentoo Linux Security Guide
From: Kim Nielsen @ 2002-06-24 5:51 UTC
To: Conny R. Landstedt; +Cc: gentoo-dev
On Mon, 2002-06-24 at 03:50, Conny R. Landstedt wrote:
> To Kim Nielsen & Gentoo-dev
>
> In the "Gentoo Linux Security Guide"
> >Code listing 64: /etc/init.d/firewall
> > #Incoming traffic
> > einfo "Creating incoming ssh traffic chain"
> > $IPTABLES -N allow-ssh-traffic-in
> > $IPTABLES -F allow-ssh-traffic-in
> > $IPTABLES -A allow-ssh-traffic-in -p tcp --sport ssh -j ACCEPT
>
> I'm not absolutely certain, but shouldn't it be "--dport" instead of
> "--sport"?
>
No .. since --sport would be the client port and not the actual port of
the service
example:
You create a http request to gentoo.org and this is what happens
1. get ip for gentoo.org (64.57.168.198)
2. allocate a client port
3. send request from <ip>:<port> (Source) to 64.57.168.198:80
(Destination)
The http server on gentoo.org says:
1. I got a request on port 80
2. send request back to <ip>:<port>
And if the firewall is installed it checks the allowed chains if anyone is
allowed to send packets to port 80 (the server's port 80, destination
port) ..
if you were to use sport instead of dport you would only allow the
packet if the user sends from client port 80, which is very unlikely
since ports below 1024 are privileged ports
/Kim
* Re: [gentoo-dev] Gentoo Linux Security Guide
From: Kim Nielsen @ 2002-06-24 17:52 UTC
To: Kim Nielsen; +Cc: Conny R. Landstedt, gentoo-dev
On Mon, 2002-06-24 at 07:51, Kim Nielsen wrote:
> No .. since --sport would be the client port and not the actual port of
> the service
>
> example:
>
> You create a http request to gentoo.org and this is what happens
>
> 1. get ip for gentoo.org (64.57.168.198)
> 2. allocate a client port
> 3. send request from <ip>:<port> (Source) to 64.57.168.198:80
> (Destination)
>
> The http server on gentoo.org says:
> 1. I got a request on port 80
> 2. send request back to <ip>:<port>
>
> And if the firewall is installed it checks the allowed chains if anyone is
> allowed to send packets to port 80 (the server's port 80, destination
> port) ..
[SNIP]
> if you were to use sport instead of dport you would only allow the
> packet if the user sends from client port 80, which is very unlikely
> since ports below 1024 are privileged ports
I'm sorry .. you are right .. I misunderstood your last mail; it will be
corrected as soon as possible
/Kim
* Re: [gentoo-dev] Gentoo Linux Security Guide
From: Miguel S. Filipe @ 2002-06-25 1:24 UTC
To: Conny R. Landstedt; +Cc: kn, gentoo-dev
Conny R. Landstedt wrote:
>To Kim Nielsen & Gentoo-dev
>
>In the "Gentoo Linux Security Guide"
>
>
>>Code listing 64: /etc/init.d/firewall
>> #Incoming traffic
>> einfo "Creating incoming ssh traffic chain"
>> $IPTABLES -N allow-ssh-traffic-in
>> $IPTABLES -F allow-ssh-traffic-in
>> $IPTABLES -A allow-ssh-traffic-in -p tcp --sport ssh -j ACCEPT
>>
>>
>
>I'm not absolutely certain, but shouldn't it be "--dport" instead of
>"--sport"?
>
>Reg. Conny
I believe that the line is for ssh-traffic in.. which means.. that you
connect to a server in the internet to the ssh port..
and the rule makes it "allowable" for you to receive the traffic that
comes from the server..
(otherwise you wouldn't be able to use the session because you would
drop everything that comes from the server to you)
But that shouldn't be needed if one uses a stateful firewall like
iptables...
In my "home made" firewall.. I have this:
# Accept established connections and related ones
$IPT -A NET -m state --state ESTABLISHED,RELATED -j ACCEPT
where NET represents every INPUT from the internet (network device which
goes to the net)
so..since I accept outgoing connections to ssh (it's also in the
firewall), whenever I initiate a ssh connection to the outside it
becomes accepted.
I'm not sure that the "allow-ssh-traffic-in" is what I've just said,
it's a guess since I don't know/use that firewall, but if it is, I
believe that something like accepting the outgoing connection & using
that " --state ESTABLISHED,RELATED" would make the rule set cleaner
and easier to manage...
«just my two euro cents»
And by the way, was anyone able to get dcc send and receive working with
masquerading with iptables?
Miguel Sousa Filipe
Gentoo user since November 2001 ;-)
p.s.: if anyone wants to see my rule set it's in:
URL: http://mega.ist.utl.pt/~mmsf/configs/rc.icewall
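An added example, not from the guide or from any poster in this thread: a toy Python matcher that replays Kim's source-port versus destination-port explanation and Miguel's ESTABLISHED,RELATED suggestion on constructed packets. The addresses, port numbers and the Conntrack class are assumptions standing in for real iptables behaviour; the third packet shows that a "--sport ssh" rule accepts anything whose source port happens to be 22, which is Kim's point.

```python
from dataclasses import dataclass

SSH = 22
ME = "192.0.2.10"  # constructed addresses from the RFC 5737 documentation ranges

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def sport_rule(p):
    """Listing 64 as printed: -p tcp --sport ssh -j ACCEPT (matches by source port)."""
    return p.sport == SSH

def dport_rule(p):
    """Conny's correction: -p tcp --dport ssh -j ACCEPT (matches by destination port)."""
    return p.dport == SSH

class Conntrack:
    """Toy stand-in for '-m state --state ESTABLISHED,RELATED': remembers
    connections this host opened and recognises their reply packets."""
    def __init__(self):
        self.flows = set()
    def note_outgoing(self, p):
        self.flows.add((p.src, p.sport, p.dst, p.dport))
    def established(self, p):
        return (p.dst, p.dport, p.src, p.sport) in self.flows  # reverse direction

def accepted(packets, rule=None, ct=None):
    """Names of incoming packets an INPUT chain built from `ct` and `rule` accepts."""
    return [name for name, p in packets
            if (ct is not None and ct.established(p)) or (rule is not None and rule(p))]

def demo():
    ct = Conntrack()
    ct.note_outgoing(Packet(ME, 40001, "203.0.113.5", SSH))  # we ran ssh out to 203.0.113.5
    incoming = [  # constructed packets arriving at ME
        ("reply_to_our_ssh_session", Packet("203.0.113.5", SSH, ME, 40001)),
        ("new_connection_to_our_sshd", Packet("198.51.100.7", 51234, ME, SSH)),
        ("unrelated_packet_from_port_22", Packet("198.51.100.7", SSH, ME, 8080)),
    ]
    return {
        "sport": accepted(incoming, rule=sport_rule),   # Kim: matches only source port 22
        "dport": accepted(incoming, rule=dport_rule),   # lets clients reach our sshd
        "stateful+dport": accepted(incoming, rule=dport_rule, ct=ct),  # Miguel's approach
    }
```

Calling demo() returns, per policy, which of the three constructed packets get through; the stateful variant is the only one that admits both the reply to our own session and new clients of our sshd without also admitting the unrelated port-22 packet.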
* Re: [gentoo-dev] Gentoo Linux Security Guide
From: Alexander Gretencord @ 2002-06-25 15:15 UTC
To: gentoo-dev
On Tuesday 25 June 2002 03:24, Miguel S. Filipe wrote:
> And by the way, was anyone able to get dcc send and receive working with
> masquerading with iptables?
DCC Receive is no problem at all, because of the way DCC works (someone offers
you a DCC send and sends you his IP and a port which _you_ connect to). The
offer goes through normal irc traffic so it comes through and the rest should
succeed unless your firewall blocks traffic to any ip on the port that the
dcc offer included.
If you want to send a dcc offer yourself this will of course not succeed as
your firewall will not let traffic through to the port from your dcc offer, but
that's what the masquerading module is for (it's been in the official kernel
tree for some time now). All you have to do is insert that module before you
connect to the irc server (or compile it into your kernel).
Alex
--
"They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety."
Benjamin Franklin
* [gentoo-dev] Gentoo Linux Security Guide
@ 2002-11-13 18:35 Daniel Schroeter
From: Daniel Schroeter @ 2002-11-13 18:35 UTC
To: gentoo-dev
Hi
I have been using your guide and the first thing to say: it is very good!
But I also have some ideas for improvement and some questions.
Daniel Schröter
-Suidfiles
The script works very well, but the output may be a little confusing.
Why not put this (from the gentoo-mailinglist) into the guide to avoid confusion, or even change the script to not show directories?
**begin quote
On Wed, 2002-10-02 at 02:51, isaac gouy wrote:
> After 1.4.1_rc1 rebuild
> using this from the Gentoo Linux Security Guide shows
> 199 SUID/SGID files
>
> /usr/bin/find / -type f \( -perm -004000 -o -perm
> -002000 \) -exec ls -lg {} \; 2>/dev/null
> >suidfiles.txt
>
> Most of the files are in /var/cache/edb/dep/
> Can they be deleted?
No .. if you look closely it's not files but directories .. and
directories with the suid bit only means that it inherits the
permissions.
**end quote
-/etc/login.defs
According to the guide I should set LOG_OK_LOGINS to yes. This gives me an error message:
"configuration error - unknown itme 'LOG_OK_LOGINS' ...
and I can't find this option in man login.defs... Did this option just exist in older versions or have I made some mistake??
-/etc/init/procparam
In newer gentoo releases /proc and everything inside has no write permission (555) -> update the script
(I know this looks nasty! I hope there is a better solution)
/bin/chmod 755 /proc
/bin/chmod 755 /proc/sys
/bin/chmod 755 /proc/sys/net -R
...
/bin/chmod 555 /proc/sys/net -R
/bin/chmod 555 /proc/sys
/bin/chmod 555 /proc
-Possible spelling-mistake
9.FAQ
Answars and questions -> Answers and...