Originally Published: Thursday, 27 September 2001 Author: IRC Staff
Published to: interact_articles_irc_recap/IRC Recap Page: 3/3

Beginners Week: A Recap

Now that Beginners' Week is winding down on Linux.com, it's time to do a quick recap of all of the Live! events we had. Here are the logs from our three events: Installing RedHat 7.1, Setting Up a Home Network, and Configuring a Firewall.


All IRC Live! events are moderated. This means that audience members message their questions to the moderator and the moderator asks questions in the channel, so any question that comes from 'lcModerator' is a question from an audience member. Thanks and enjoy the log.

Jeff McClure, a Linux.com contributor, who is also experienced in setting up and maintaining his own firewall, discussed some of the basics that need to be known before configuring your own firewall. ElectricElf also helped out by answering some of the questions asked during the event.

<lcModerator> if you have questions please direct them to me, and I will forward them to our host
-lcModerator- I am yes
<Wintersun> Okay, I'd like to welcome everyone to #live!
<lcModerator> please feel free to /msg lcModerator your questions I will post them to channel
<Wintersun> Tonight, Jeff McClure (aka jeffie) will be talking about configuring a firewall with linux
<Wintersun> yes, please /msg lcModerator any questions you have and he will ask them at the right time.
<jeffie> Well, I guess that means I'm on.
<Wintersun> yes, it does. :)
<jeffie> Hello, everyone. Wintersun asked me to host tonight's chat mostly because of my personal experience setting up a Linux machine as a firewall.
<jeffie> Tonight, I'm going to try to give some introductory notes on how to make this work.
<jeffie> First, probably some definitions are in order:
<jeffie> A firewall is a computer which is connected to two different networks and serves as the "traffic cop" (so to speak) between those networks.
<jeffie> Firewalls are most commonly used as a means of restricting the types of traffic that can travel between the two networks.
<lcModerator> <buzzsaw> what is the difference between a proxy and a firewall
<jeffie> A proxy is actually a way across the firewall...
<jeffie> It is a piece of software that accepts traffic from one network and hands it across to the other network in a controlled manner.
<jeffie> One example is a company using a web proxy to allow access to the web from the inside without actually allowing inside computers to connect directly to outside computers.
<jeffie> ...usually for security reasons.
<ElectricElf> buzzsaw_: A firewall, typically, intercepts network packets and makes decisions on both the contents of the packet as well as the header information ... stuff like destination address, source address, so on and so forth. Ports and the like. What decisions it makes depends mostly on the firewall software itself; the simplest would simply say "okay, you can continue" or "no, I'm afraid I'm going to stop you". Generally firewalls aren't
<ElectricElf> buzzsaw_: Proxies are also more intrusive.
<lcModerator> bastos* Is firewall necessary for a single Linux box network?
<ElectricElf> buzzsaw_: A client application typically has to *ask* the proxy to do its stuff.
<jeffie> EElf: Exactly. With a proxy, the computers on the two networks explicitly talk to the proxy machine to pass their traffic.
<jeffie> bastos: I think it's a good idea...
<jeffie> Here's why...
<jeffie> Even with only one computer, malicious traffic can still come from the outside connection...
<jeffie> With firewalling rules in place to allow only wanted packets through, you reduce your risk of being cracked.
<ElectricElf> bastos: Of course, if the computer is completely isolated; ie: no connection to the outside world, *whatsoever*, setting up a firewall is probably superfluous.
<lcModerator> can you elaborate on what Cracked means. Most people feel you're cracked only if you lose files or a directory. But it is more than this, is it not?
<jeffie> Yes it is.
<jeffie> For one example, can I assume that folks are familiar with what a denial of service attack is? Do we need to define that?
<Wintersun> It would be good to just quickly define it, yes.
<lcModerator> I think for new users yes what is a DoS attack
<jeffie> A denial of service attack is a network attack in which the attacker's aim is to use up some resource (network bandwidth, commonly) so that legitimate traffic can't happen.
<jeffie> One way of being "cracked" that is becoming more common...
<jeffie> is for the attacker to gain access to a large number of computers out on the Internet without the users of those computers being aware...
<jeffie> The attacker then uses the combined resources of these computers to send floods of network traffic to stop the operation of, say, a web site.
<jeffie> Setting up firewall rules can help prevent the attacker from gaining access to your computer in the first place.
<jeffie> That's one example.
<ElectricElf> I would say that "cracked" means that somebody is doing something to, or is doing something *with* your computer, which you are unaware of. Or don't want.
<ElectricElf> In general terms.
<jeffie> That sums it up pretty well. The bad thing is that the default settings in some distributions of Linux leave several system services running and open to attempts.
<jeffie> Shutting down services you don't need is a good first step.
<ElectricElf> Something to note is that Linux can be significantly more powerful than some other, well-known operating systems. As such, somebody who has control over your computer can do a lot of damage.
<jeffie> But restricting access to the ones you _do_ need (I think) is the best next step for anyone not running a truly public server.
<ElectricElf> It should be considered "being a good citizen" to set up a firewall, so that people can't use your computer for nefarious purposes.
<jeffie> Attacks are getting more sophisticated, but...
<lcModerator> <linuxwolf> are there some services that are more prone to these attacks than others, and what ports should, unless needed, always be shut down
<jeffie> Configuring your firewall to simply "drop" (not respond at all) to unwanted packets can actually help slow an attacker down, also.
<jeffie> linuxwolf: Yes...
<jeffie> There are some that have historically had more problems than others.
<jeffie> FTP servers and the Sendmail SMTP server are two of the more notorious.
<jeffie> The key is to only allow access to services you actually want to make available, and.....
<jeffie> make sure you're running the latest stable version of any server software.
<jeffie> Also....
<jeffie> I personally do not like to run any service which allows users to send their passwords as clear text.
<jeffie> (although that's more a network sniffing issue than a firewall issue)
<lcModerator> *buzzsaw_* Just what server software is important to keep current?
<ElectricElf> linuxwolf: You should block all ports and services that you don't use. :)
<ElectricElf> linuxwolf: (And carefully examine those you do use, from a security perspective)
<jeffie> Any server software.
<jeffie> Any software has the potential for exploitable security holes.
<lcModerator> *Viper233* Could you make a quick comment on Sendmail's poor security?
<jeffie> Viper233: I'm afraid I don't have enough experience with Sendmail to be specific, but...
<ElectricElf> Viper233: Sendmail was first written ages ago. It performs an important role, but some of the assumptions made way back when don't apply any more.
<jeffie> Sendmail is such a huge program, and it was written before Internet security was a real issue...
<jeffie> Therefore, it is much harder to know where its vulnerabilities lie....
<ElectricElf> Viper233: It's not that Sendmail is bad software, but it is *very* difficult to properly secure a large application like Sendmail. Especially when you didn't write it in the first place.
<lcModerator> *d4ve* jeffie: will you be going into ipchains and the methods you can use ipchains to forward and block specific ports?
<jeffie> d4ve: I can try to get to some of that, but I'm afraid that it's too long a topic to cover completely here....
<jeffie> I am planning, however, to work with Wintersun to do some articles, some of which will undoubtedly cover that very topic....
<lcModerator> I think for now if everyone would refrain from asking questions for a few minutes it would be appreciated. So that our host may actually show us how to use a firewall. Then feel free to ask questions
<jeffie> Okay...
* jeffie runs off to grab an example or two
<jeffie> Here's a classic example...
<jeffie> I'm running a box with a Linux 2.4.x kernel, thus the firewall admin tool I use is called "iptables"...
<jeffie> I have a script file which is set to run just as my outside network card comes up...
<jeffie> That script contains various "rules" which allow or drop traffic as I see fit.
<jeffie> One of those rules:
<jeffie> "/sbin/iptables -A INPUT -j DROP -i $EXTIF -p TCP --dport 137:139"
<jeffie> Adds a rule to my "input chain"...
<jeffie> That rule says to drop any TCP packet coming in on my external Ethernet interface which is destined for ports 137 through 139...
<jeffie> Those ports are used for Windows machines to share files, printers, etc....
<lcModerator> netbios ports?
<jeffie> Yes. The NetBIOS ports.
<jeffie> These packets...
<jeffie> form some of the most numerous unwanted packets I see. Most are benign (not cracking attempts), but filtering them allows my machine to not have to process them.
<ElectricElf> Some basics; there are four parts to every connection made; the source IP address, the source port, the destination IP address and the destination's port. When making a connection to a remote server, your own computer will open the connection, typically from a randomly-assigned port. Which port you connect to on the remote machine depends on the service; port 80 for web servers, port 25 for email, so on and so forth.
<lcModerator> So denying access to your cpu to have to process these requests, could actually speed up your connection and how you interact with your machine?
<ElectricElf> That's where jeffie got ports 137 and 139 from, for Windows file sharing(netbios); you can find a list in /etc/services
<jeffie> lcMod: Yes. If the traffic is bad enough.
<ElectricElf> Or your computer is old enough ;)
<jeffie> That too. :) And that's important since you can press a 486 into service as a firewall quite easily.
<lcModerator> I hope all our guests see a trend here: that by denying access to ports and services you can make your machine not only more secure, but run faster
<ElectricElf> And you won't lose all your games and your porn collection. :)
<ElectricElf> And you'll be a good person for denying the use of your machine to those who might use it for malignant purposes.
<jeffie> As for ports, most of the lower-numbered ones (below 1024) are associated with some type of service (again, see /etc/services). Manipulating the firewall rules according to port number gives you quite fine control over things.
<jeffie> also...
<jeffie> Let's say you really want to allow a friend....
<lcModerator> now jeffie how about we move on to how to shut these puppies down. How do we actually close ports on a machine is the most asked question right now
<jeffie> I'll hold off on that one and answer the question...
<jeffie> The ports get shut down by writing a firewall ruleset with rules that block these lower-numbered ports. The rules for an iptables ruleset will look much (but not exactly) like what I showed earlier. I have a whole list of those...
<jeffie> What I'd like to do is drop a couple of web site addresses at some point...
<jeffie> Which help explain these matters much better than I (and give specifics on the commands).
<jeffie> One thing is that which commands you use depends on what your kernel version is.
<jeffie> How about here: http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html
<jeffie> for a start.
<jeffie> It's a bit old, but it helps explain the basic concepts.
* jeffie goes for some more
<lcModerator> I may add here the IPchaine and IPmasq how-to's are also excellent resources
<jeffie> For those running 2.4 kernels...
<jeffie> Here's one that gives the lowdown on how the new firewalling code (called Netfilter) works, and how to use the iptables command:
<jeffie> http://netfilter.filewatcher.org/unreliable-guides/index.html
<jeffie> I'm sorry I'm not answering directly, but it really is something you have to go study a bit...
<Matt> don't let the "unreliable-guides" put you off
<jeffie> Matt: Not really. This is the official info. It's not easy to follow, but the Howto can help with that.
<jeffie> I've also been told there's an iptables guide on Freshmeat. If you search it, it will come. :)
<jeffie> Here's another that I use for good hints....
<lcModerator> one thing about Linux is there is no lack of information
<jeffie> Exactly. :)
<jeffie> http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS/cHTML/TrinityOS-c.html
<jeffie> This is the TrinityOS guide...
<jeffie> This guy basically documents his entire Linux setup and explains what he's doing.
<jeffie> His sections on firewalling gave me a lot of insight (and some cool tricks).
<lcModerator> so how do we go about setting up a firewall jeffie, what does a new user to have installed as basics?
<jeffie> As basics...any of the latest version Linux distros (I'm most familiar with Debian) should have a kernel which is built to handle this type of stuff...
<jeffie> You will need to also install the appropriate admin package (iptables for 2.4, ipchains for 2.2)
<jeffie> For simple firewalling, there's not much else in the way of tools you really need.
<jeffie> Basically, just research the firewall rulesets (pay SPECIAL attention to what order the rules go in...that tripped me up several times)...
<lcModerator> ah a question from a user on anothernet " Is webadmin a risk, or can it be used to create/admin a firewall"
<jeffie> webadmin.... It depends on how it's handled...
<jeffie> If you block access to it from the outside (another rule! :) ) then you should be okay...
<jeffie> If you REALLY need outside access, then PLEASE use a secure web server (ApacheSSL, Apache with ModSSL, etc.)
<jeffie> And good authentication with it!
<jeffie> (That's another topic)
<lcModerator> *bastos* Does installing a firewall interfere with some client software like streaming audio and IRC for a newbie?
<jeffie> I use web-based admin for Samba on my box, but only allow access from the inside network.
<jeffie> Bastos: If you set your rules wrong, it can. Also...
<jeffie> However, if you're talking about other machines on the "inside" network...
<jeffie> that use the firewall as a "NAT" or "IP Masquerading" box, there are other reasons why streaming media might be tougher....
<jeffie> In my own experience, if you craft your rules right...
<jeffie> RealPlayer and QuickTime don't have much of a problem...
<jeffie> And the problems they _do_ have are more due to the NAT aspects than the firewall aspects...
<jeffie> If the firewall gets in the way, you can always open a specific hole.
<lcModerator> *aikisensei* what about IDS and how it can be used to augment a firewall?
<jeffie> I'm afraid I'm unfamiliar with that term.
<lcModerator> configuring rules to only allow certain IP's, what about IP spoofing and TCP sequence prediction?
<jeffie> You're right...
<lcModerator> *aikisensei* Intrusion Detection System
<jeffie> IP spoofing can get around your rules. However....
<jeffie> It's really only good for denial of service attacks....
<jeffie> Think about it. If the attacker fakes his IP, the connection traffic can't get back to him. In my own experience...
<jeffie> I don't see a lot of what looks like spoofing, and if someone wants to DoS you, there's really nothing you can do about it at your machine.
<jeffie> In other words, IP spoofing doesn't bother me much. I
<jeffie> IDS....
<lcModerator> aikisensei: I will not post your last request only because it would lead to an entire night's questions
<jeffie> I personally don't use one (I just try to read my log files), but...
<jeffie> If you set up an IDS carefully, then it can certainly save a lot of work reading those logs...
<jeffie> HOWEVER...
<jeffie> If an IDS flags something, please be sure it's really an intrusion attempt before you fly off the handle...
<jeffie> I bugged a LOT of ISPs needlessly at first because I thought NetBIOS traffic was malicious. :)
<lcModerator> I also did my ISP because of internal VPN traffic
<lcModerator> cable ISPs were notorious for carrying normal VPN over our lines
<jeffie> Very good point.
<jeffie> And I didn't even need an IDS to make me do it. :)
<lcModerator> I thought it was attacks, turned out was the CEO having a meeting
<jeffie> I tried setting up Tripwire once. I gave up when I saw how much configuration was necessary.
<jeffie> I know this doesn't really scratch the surface as a how-to on setting up a firewall, but I'm afraid there's not a good all-in-one way of explaining it...
<jeffie> I'm encouraged by some tools out there that may help with that soon.
<lcModerator> everyone is still free to ask questions, or I will let Jeffie enjoy his dinner and un-moderate the channel
<lcModerator> He can not answer distro-specific questions, or "is IPchains better than IPtables", as they are really moot points
<lcModerator> *Viper233* what value is used for $EXTIF ? some awk/sed on ifconfig results?
<jeffie> Viper: Yes...
<jeffie> That contains the name ("eth1") of my external Ethernet adapter. I got that trick from TrinityOS.
<jeffie> It's actually just set in the script...
<jeffie> However, here's a handy bit I got from that same source:
<jeffie> EXTIP=`/sbin/ifconfig | grep -A 4 $EXTIF | awk '/inet/ { print $2 } ' | sed -e s/addr://`
<jeffie> That one gets you the address of your interface. That can be quite handy in the rules for dynamic IPs.
<lcModerator> any other questions?
<lcModerator> Then I wish to thank all of you for joining us, and Jeff for taking time out of his night to introduce you to the power of firewalls
<jeffie> I hope it helped.
<jeffie> I'll try to gather some more info and do some articles with Wintersun.
<lcModerator> Thank you Jeff for taking time to answer our guests' questions, and thank you everyone that attended. If you missed part of this week's events, the logs will be on http://www.linux.com in the coming days
<aikisensei> LinuxWolf: why didn't you post my questions?
<LinuxWolf> aikisensei: I can not post every question
<LinuxWolf> some are asked before etc
<LinuxWolf> I do apologize but it is just not possible
<aikisensei> yes but I was really curious about the expertise of the ppl answering questions
<LinuxWolf> aikisensei: Jefferie is still here, you're more than welcome to ask him
<aikisensei> actually he just left
<LinuxWolf> yes he did, I do apologize he did
<LinuxWolf> he has to work in the morning
<buzzsaw_> hum looks like i missed it
<bastos> I guess I would have wanted more details on "/sbin/iptables -A INPUT -j DROP -i $EXTIF -p TCP --dport 137:139"
<LinuxWolf> bastos: it is very hard to get into specifics, also is a newbie week. it is not meant to be sysadmin 303
<buzzsaw> oh well
<LinuxWolf> there are many users who don't even know what a firewall is, let alone what ipchains or iptables is etc. That is what manpages are for, or when we host advanced topic nights.
<bastos> I think at least I got one thing resolved tonight - that I can install a firewall even though I only have a one box network :-)
<Jeopardy> hmm...I've always had a problem with many manpages
<LinuxWolf> bastos: yes you can. a firewall is not really more than a set of rules that apply to incoming packets. They are allowed or denied. whether you have 200 computers or 1 the rules are basically the same. Only difference is machine 120 is allowed to accept requests on a given port
* buzzsaw is away: The space ship came to take me back home. Don't worry they won't keep me for long I will be back.
* buzzsaw is back (gone 00:00:05)
<bastos> One thing with experimenting with a firewall in a one box network is that you can screw up some services already being used by your users. :-)
<LinuxWolf> think of it like you have 5 football teams. but team #3 only allows players over 180cm
<LinuxWolf> that is what a firewall does in all honesty. you apply to join team #3 but are 179.99cm therefore you're rejected
<bastos> from this conversation, it seems that mail will be filtered by firewall. But do you do that, or do you use the mail softwares take care of mail filtering?
<LinuxWolf> bastos: that's VERY true, you can. But also i think most ppl offer a lot of services just because they can. Not because they have to. And that in itself makes it dangerous
<LinuxWolf> Just because you run Linux and can, does not mean you should
<bastos> for a Windows convert to Linux, that is intoxicatingly powerful :-)
<LinuxWolf> bastos: yes it is, dont get me wrong it is very intoxicating. But you have to also realize the inherent risks involved by doing so. And not knowing how to control it
<LinuxWolf> is the greatest risk
<bastos> The use of firewall infers that one is aware of cyber-intrusions. That is one of the selling points of the current OSS to users of the other OS who are made to be unaware of it or the backdoors.
<bastos> I have neighbors who are interestedly curious. And I need to learn the firewalls now so as not to be embarrassed. :-)
<LinuxWolf> bastos: while learning is a great thing, it is not really an OS based thing. any box is only as good as the person that admins it.
<LinuxWolf> because a person has this OS or that OS means nothing really.
<LinuxWolf> NT can be locked down very well, just not a lot of people learn how is all
<LinuxWolf> I could not as I like Linux, but I know a couple of admins who could make it so you cant even get a cup of coffee so to speak from their boxes. But they are exceptions
<LinuxWolf> you either care bastos about security or you dont is the bottom line. the OS really is not relevant for the most part. Some are just easier to exploit or admin is all
<LinuxWolf> anyways I need some dinner, Have a great week all
<sam\seng> When will the log for this night event go online?
Session Close: Fri Sep 28 00:00:00 2001

Session Start: Thu Sep 27 11:24:44 2001

Session Time: Thu Sep 27 11:24:44 2001

<sam\> Wintersun_afk
<sam\> Still here?
<sam\> brainless: Do you when the firewall and home network events will be online at linux.com?
<brainless> sam\: i have no idea :( sorry
<brainless> i shall find out and let u know
<Wintersun> sam\: I'm putting those logs up as we speak. :)
Session Close: Thu Sep 27 13:53:35 2001


Session Start: Thu Sep 27 15:53:15 2001
<sam\> Wintersun: Sweet, my ISP got into trouble during the event.. so I couldn't log it myself :|
<Wintersun> sam\: We always publish the logs for reasons such as that. If there's ever a log that you're looking for from a previous event, just ask me and I'll do what I can to get it to you.
<Wintersun> also, if you have any ideas for Live! events, feel free to suggest them to me. I'm always up for ideas.
<sam\> Cool :)
<sam\> I got one right here
<sam\> "How to set up you *DSL connection using PPPoE and sharing that connection with the rest of your network"
<sam\> :P
<Wintersun> hrm... how about a more generalized "Setting up DSL and sharing over your network"
<Wintersun> ?
<sam\> Don't forget the using PPPoE, that's the tricky part :P
<sam\> If the ISP isn't using PPPoE you can just put the DSL router as gw and you're set
<sam\> As far as I know at least..
<Wintersun> absolutely, especially since a lot of ISPs actually still use PPPoE for DSL.
<Wintersun> I'll see if I can hunt down someone who knows how to do that and I'll set it up.
<sam\> Nice! :)
<sam\> It's damn annoying to have a windows workstation as a router.. (reboots all the time), especially when you do almost all the internet activity via the linux server..
<Wintersun> sam\: well, we did do the firewall event last night and the previous night's setting up a network. That could at least get you with a firewall/router box setup for your network that's Linux, not Windows
<sam\> Yeah, I'm gonna use the fw log on my 386 that's coming to me this Saturday
<sam\> The network is covered :P
<Wintersun> Cool.
<sam\> So, it's just the DSL left and I'll be cruisin' the web in style :P
<Wintersun> heh. yeah, I work with a cable modem in my apartment. It's schweet.
<sam\> :)
<sam\> Hey, you wouldn't happen to know any dedicated news posters looking for a site to post news? (Linux related, of course)
<Wintersun> nope, sorry.
<Wintersun> you're more than welcome to write articles for us. :)
<sam\> hehe, I'm looking for writers for my own site :P
<sam\> http://www.linuxminds.net/TeMpOrArY/ *spam*
<sam\> ;P
Session Close: Thu Sep 27 16:58:23 2001