* [gentoo-user] OT 0.0.0.0 security query
From: Dave S @ 2006-05-27 9:40 UTC
To: Gentoo list
Hi all,
This is a bit OT but I have a netgear router DG834 ADSL firewall router. I
have restricted my incoming services with ...
Enable      Service Name  Action        LAN Server IP address  WAN Users  Log
on          bit torrent   ALLOW always  192.168.0.5            Any        Always
Default Yes Any           BLOCK always  Any                    Any        Never
And tightened my outgoing services with ...
Enable      Service Name  Action        LAN Users    WAN Servers  Log
on          HTTP          ALLOW always  Any          Any          Always
on          HTTPS         ALLOW always  Any          Any          Always
on          POP           ALLOW always  Any          Any          Always
on          SMTP          ALLOW always  Any          Any          Always
on          NTP           ALLOW always  Any          Any          Always
on          FTP           ALLOW always  Any          Any          Always
on          rsync         ALLOW always  Any          0.0.0.0      Never
on          GM Port 389   ALLOW always  192.168.0.6  Any          Always
on          GM Port 1503  ALLOW always  192.168.0.6  Any          Always
on          GM Port 1731  ALLOW always  192.168.0.6  Any          Always
on          GM 1024-65K   ALLOW always  192.168.0.6  Any          Always
on          H.323         ALLOW always  192.168.0.6  Any          Always
on          Port >1023    ALLOW always  Any          Any          Always
on          Samba         ALLOW always  Any          0.0.0.0      Always
on          samba2        ALLOW always  Any          0.0.0.0      Always
on          samba3        ALLOW always  Any          0.0.0.0      Always
on          Any(ALL)      BLOCK always  Any          Any          Always
Default Yes Any           ALLOW always  Any          Any
Some services like rsync and samba I want to keep within my LAN but my DG834
insists I give it at least one IP address on the WAN that my service can be
broadcast to. I selected 0.0.0.0.
Can anyone advise, am I going about this the right way? Any comment greatly
appreciated :)
Cheers
Dave
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] OT 0.0.0.0 security query
From: Jonathan Chocron @ 2006-05-27 22:46 UTC
To: gentoo-user
Le Samedi 27 Mai 2006 11:40, Dave S a écrit :
> Hi all,
>
> This is a bit OT but I have a netgear router DG834 ADSL firewall router. I
> have restricted my incoming services with ...
>
> Enable      Service Name  Action        LAN Server IP address  WAN Users  Log
> on          bit torrent   ALLOW always  192.168.0.5            Any        Always
> Default Yes Any           BLOCK always  Any                    Any        Never
>
> And tightened my outgoing services with ...
>
> Enable      Service Name  Action        LAN Users    WAN Servers  Log
> on          HTTP          ALLOW always  Any          Any          Always
> on          HTTPS         ALLOW always  Any          Any          Always
> on          POP           ALLOW always  Any          Any          Always
> on          SMTP          ALLOW always  Any          Any          Always
> on          NTP           ALLOW always  Any          Any          Always
> on          FTP           ALLOW always  Any          Any          Always
> on          rsync         ALLOW always  Any          0.0.0.0      Never
> on          GM Port 389   ALLOW always  192.168.0.6  Any          Always
> on          GM Port 1503  ALLOW always  192.168.0.6  Any          Always
> on          GM Port 1731  ALLOW always  192.168.0.6  Any          Always
> on          GM 1024-65K   ALLOW always  192.168.0.6  Any          Always
> on          H.323         ALLOW always  192.168.0.6  Any          Always
> on          Port >1023    ALLOW always  Any          Any          Always
> on          Samba         ALLOW always  Any          0.0.0.0      Always
> on          samba2        ALLOW always  Any          0.0.0.0      Always
> on          samba3        ALLOW always  Any          0.0.0.0      Always
> on          Any(ALL)      BLOCK always  Any          Any          Always
> Default Yes Any           ALLOW always  Any          Any
>
> Some services like rsync and samba I want to keep within my LAN but my
> DG834 insists I give it at least one IP address on the WAN that my service
> can be broadcast to. I selected 0.0.0.0.
>
> Can anyone advise, am I going about this the right way? Any comment greatly
> appreciated :)
>
> Cheers
>
> Dave
I am not the best net admin on earth, but it seems to me that 0.0.0.0 is
definitely not a broadcast address. If you want to keep things in your lan,
you should have something like 192.168.0.255 instead.
Moreover, I do not quite understand what you are trying to do. I had
approximately the same router (same brand anyway), and it did not block any
lan-only services. What you're telling it is, for example, to block
*outgoing* rsync. This should not in any case be blocking an rsync between
two machines inside your LAN.
I hope this helps, even if I am not quite sure I understand what you're trying
to do.
-- Jonathan
* Re: [gentoo-user] OT 0.0.0.0 security query
From: Dave S @ 2006-05-28 14:53 UTC
To: gentoo-user
On Saturday 27 May 2006 23:46, Jonathan Chocron wrote:
> Le Samedi 27 Mai 2006 11:40, Dave S a écrit :
> > Hi all,
> >
> > This is a bit OT but I have a netgear router DG834 ADSL firewall router.
> > I have restricted my incoming services with ...
> >
> > Enable      Service Name  Action        LAN Server IP address  WAN Users  Log
> > on          bit torrent   ALLOW always  192.168.0.5            Any        Always
> > Default Yes Any           BLOCK always  Any                    Any        Never
> >
> > And tightened my outgoing services with ...
> >
> > Enable      Service Name  Action        LAN Users    WAN Servers  Log
> > on          HTTP          ALLOW always  Any          Any          Always
> > on          HTTPS         ALLOW always  Any          Any          Always
> > on          POP           ALLOW always  Any          Any          Always
> > on          SMTP          ALLOW always  Any          Any          Always
> > on          NTP           ALLOW always  Any          Any          Always
> > on          FTP           ALLOW always  Any          Any          Always
> > on          rsync         ALLOW always  Any          0.0.0.0      Never
> > on          GM Port 389   ALLOW always  192.168.0.6  Any          Always
> > on          GM Port 1503  ALLOW always  192.168.0.6  Any          Always
> > on          GM Port 1731  ALLOW always  192.168.0.6  Any          Always
> > on          GM 1024-65K   ALLOW always  192.168.0.6  Any          Always
> > on          H.323         ALLOW always  192.168.0.6  Any          Always
> > on          Port >1023    ALLOW always  Any          Any          Always
> > on          Samba         ALLOW always  Any          0.0.0.0      Always
> > on          samba2        ALLOW always  Any          0.0.0.0      Always
> > on          samba3        ALLOW always  Any          0.0.0.0      Always
> > on          Any(ALL)      BLOCK always  Any          Any          Always
> > Default Yes Any           ALLOW always  Any          Any
> >
> > Some services like rsync and samba I want to keep within my LAN but my
> > DG834 insists I give it at least one IP address on the WAN that my service
> > can be broadcast to. I selected 0.0.0.0.
> >
> > Can anyone advise, am I going about this the right way? Any comment
> > greatly appreciated :)
> >
> > Cheers
> >
> > Dave
>
> I am not the best net admin on earth, but it seems to me that 0.0.0.0 is
> definitely not a broadcast address. If you want to keep things in your lan,
> you should have something like 192.168.0.255 instead.
>
> Moreover, I do not quite understand what you are trying to do. I had
> approximately the same router (same brand anyway), and it did not block any
> lan-only services.
Yep, same here. I was trying to lock down my router. By default it allows any
outgoing packets and only allows incoming packets if they are related to the
incoming packets.
I was trying to lock down my outgoing packets so services such as Samba would
not broadcast anything to the WAN.
As such I defaulted outgoing to BLOCK and allowed only certain ports.
However I then needed to allow ports between computers, i.e. for Samba again.
When I opened the port on the LAN between computers my router wanted at least
one IP address for the WAN. I did not want to give it a real address so
chose 0.0.0.0.
I was really asking ...
(a) Is it worthwhile setting up my router this way, or am I being paranoid :)
(b) Is 0.0.0.0 an invalid IP address (I thought it might be)? Because that is
what I was looking for to trick my router to send nothing to the WAN.
Cheers
Dave
PS Sorry for the delay, I am an on call engineer and have been away.
> What you're telling it is, for example, to block
> *outgoing* rsync. This should not in any case be blocking an rsync between
> two machines inside your LAN.
>
> I hope this helps, even if I am not quite sure I understand what you're
> trying to do.
>
> -- Jonathan
Apologies for my poor explanation :)
* Re: [gentoo-user] OT 0.0.0.0 security query
From: Jonathan Chocron @ 2006-05-29 10:14 UTC
To: gentoo-user
Le Dimanche 28 Mai 2006 16:53, Dave S a écrit :
> Yep, same here. I was trying to lock down my router. By default it allows
> any outgoing packets and only allows incoming packets if they are related
> to the incoming packets.
>
> I was trying to lock down my outgoing packets so services such as Samba
> would not broadcast anything to the WAN.
>
> As such I defaulted outgoing to BLOCK and allowed only certain ports.
>
> However I then needed to allow ports between computers, i.e. for Samba again.
>
> When I opened the port on the LAN between computers my router wanted at
> least one IP address for the WAN. I did not want to give it a real address
> so chose 0.0.0.0.
>
> I was really asking ...
>
> (a) Is it worthwhile setting up my router this way, or am I being paranoid
> :)
I do not think it wise to set up your router that way. Here's a little
theory. I apologize if you're familiar with it, but it is necessary for
later development.
When in a LAN, a packet will not reach the WAN unless you specify you want it
to, that includes broadcasts.
An element of an IP address is a number between 0 and 254. 255 is used only
for broadcasting.
Moreover, rsync and samba, and most daemons, take as a parameter the address or
address range they can accept connections from. An incoming connection from
the WAN could not connect to the daemon even if it wanted to.
> (b) Is 0.0.0.0 and invalid IP address (I though it might be) because that
> is what i was looking for to trick my router to send nothing to the WAN
An IP address is meaningful only in conjunction with a mask. 0.0.0.0 with mask
255.255.255.255 means broadcast to every single IP address that exists. Since
the mask indicates between which boundaries the IP number can vary (in this
case every IP address item can vary between 0 and 254).
As a conclusion, this is definitely not what you want to do ! ;-)
So, taking as a hypothesis that you trust everyone on your LAN, here's what
you should do :
- Set the policy for incoming connections to BLOCK.
- Unblock the services you actually need the net to access. Plus, in the
config file of the daemon, specify it should listen to 0.0.0.0
- Allow traffic from your LAN to the WAN (again, if you trust everyone). And
set up each daemon to only listen to 192.168.0.1/24 (which means only
addresses that begin with 192.168.0).
- Set up daemons to broadcast on 192.168.0.255
I hope this was clear; I have hardly slept last night!
-- Jonathan
PS : No need to apologize for the delay, I know even gentooists have lives ;)
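An added illustration, not part of the thread, of the netmask arithmetic and the 0.0.0.0 question discussed above, using Python's standard ipaddress module: it works out network, mask, broadcast and host range for the 192.168.0.1/24 subnet the reply mentions, classifies an address relative to that LAN, and evaluates a first-match outgoing rule table. The RULES encoding is an assumption modelled on the DG834 listing, not the router's own rule format.

```python
import ipaddress

# Constructed model of the thread's LAN: the reply writes it as 192.168.0.1/24;
# strict=False accepts that host-form notation and yields 192.168.0.0/24.
LAN = ipaddress.ip_network("192.168.0.1/24", strict=False)

# Hypothetical encoding of the DG834 outgoing table as (service, destination
# network) pairs, first match wins. This is an assumption, not the router's
# own rule format: a LAN-only rule names the LAN, an anywhere rule 0.0.0.0/0.
RULES = [
    ("HTTP", ipaddress.ip_network("0.0.0.0/0")),
    ("Samba", LAN),
    ("rsync", LAN),
]


def subnet_facts(net):
    """Mask arithmetic: network, mask, broadcast and usable host range."""
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "host_count": len(hosts),
    }


def classify(addr, net=LAN):
    """Say what a dotted quad means relative to the LAN."""
    a = ipaddress.ip_address(addr)
    if a.is_unspecified:
        # 0.0.0.0 is the unspecified address: a daemon binding to it listens
        # on every interface; it is neither a host nor a broadcast address.
        return "unspecified"
    if a == net.broadcast_address:
        return "LAN broadcast"
    if a in net:
        return "LAN host"
    return "WAN host"


def outbound_allowed(service, dst, rules=RULES, default="BLOCK"):
    """First-match evaluation of the outgoing rule table for one packet."""
    a = ipaddress.ip_address(dst)
    for name, net in rules:
        if name == service and a in net:
            return "ALLOW"
    return default
```

With the LAN-only rule expressed as the subnet itself, a Samba packet to 192.168.0.255 is allowed while the same service to a WAN host falls through to the BLOCK default.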
* Re: [gentoo-user] OT 0.0.0.0 security query
From: Dave S @ 2006-05-29 14:26 UTC
To: gentoo-user
On Monday 29 May 2006 11:14, Jonathan Chocron wrote:
> Le Dimanche 28 Mai 2006 16:53, Dave S a écrit :
> > Yep, same here. I was trying to lock down my router. By default it allows
> > any outgoing packets and only allows incoming packets if they are related
> > to the incoming packets.
> >
> > I was trying to lock down my outgoing packets so services such as Samba
> > would not broadcast anything to the WAN.
> >
> > As such I defaulted outgoing to BLOCK and allowed only certain ports.
> >
> > However I then needed to allow ports between computers, i.e. for Samba
> > again.
> >
> > When I opened the port on the LAN between computers my router wanted at
> > least one IP address for the WAN. I did not want to give it a real
> > address so chose 0.0.0.0.
> >
> > I was really asking ...
> >
> > (a) Is it worthwhile setting up my router this way, or am I being
> > paranoid
> >
> > :)
>
> I do not think it wise to set up your router that way. Here's a little
> theory. I apologize if you're familiar with it, but it is necessary for
> later development.
>
> When in a LAN, a packet will not reach the WAN unless you specify you want
> it to, that includes broadcasts.
>
> An element of an IP address is a number between 0 and 254. 255 is used only
> for broadcasting.
>
> Moreover, rsync and samba, and most daemons, take as a parameter the address
> or address range they can accept connections from. An incoming connection
> from the WAN could not connect to the daemon even if it wanted to.
With you so far :)
>
> > (b) Is 0.0.0.0 an invalid IP address (I thought it might be)? Because that
> > is what I was looking for to trick my router to send nothing to the WAN.
>
> An IP address is meaningful only in conjunction with a mask. 0.0.0.0 with
> mask 255.255.255.255 means broadcast to every single IP address that
> exists. Since the mask indicates between which boundaries the IP number can
> vary (in this case every IP address item can vary between 0 and 254).
>
> As a conclusion, this is definitely not what you want to do ! ;-)
Gulp :(
>
> So, taking as a hypothesis that you trust everyone on your LAN, here's what
> you should do :
> - Set the policy for incoming connections to BLOCK.
> - Unblock the services you actually need the net to access. Plus, in the
> config file of the daemon, specify it should listen to 0.0.0.0
> - Allow traffic from your LAN to the WAN (again, if you trust everyone).
> And set up each daemon to only listen to 192.168.0.1/24 (which means only
> addresses that begin with 192.168.0).
> - Set up daemons to broadcast on 192.168.0.255
>
> I hope this was clear; I have hardly slept last night!
>
That helps a lot, thank you for taking the time to explain. I will have a
google so I understand netmasks & IPs a bit more :(
> -- Jonathan
>
> PS : No need to apologize for the delay, I know even gentooists have lives
> ;)
Wish I was 24/7 Linux - have to pay the mortgage though!
Thanks once again
Dave