Firewall-easy setup difficulties

From: Tim Beauregard (helycos_at_yahoo.co.uk)
Date: 11/10/04

    Date: Tue, 09 Nov 2004 23:41:20 +0000
    To: debian-user@lists.debian.org
    

    Hi,

    Could someone kindly help me with firewall setup with my home cable
    (dhcp) internet connection? I wish to use firewall-easy purely because
    I know nothing about configuration of firewalls. I can't recall having
    changed the firewall-easy.conf file (attached).

    I'm using Debian unstable, 2.6.7 kernel.

    The output I currently see is below:

    debian:/home/tim# firewall-easy start
    Running kernel 2.6.7
    2.4 kernel support
        -> iptables list OK
    2.2 kernel support
        NO ipchains list, firewall kernel support?
        NO ipmasqadm list, port forwarding kernel support?
    2.0 kernel support
        NO ipfwadm list, firewall kernel support?
    firewall-easy: iptables support detected
    firewall-easy: iptables support detected

    ----AUTODETECTION--------
        loopback = 127.0.0.0/255.0.0.0
        local net =
              local IP =
        DNS servers = 62.31.176.39 194.117.134.19 195.188.53.175
        ADSL iface =
              gw =

    -> Securing kernel (secure-kernel-24)
    -> Setting up firewall (firewall-iptables)

    ---- STATUS:1 --------
            iptables -A ACCEPTLOG -m limit --limit 3/minute -j LOG
    --log-prefix ACCEPT->
            iptables: No chain/target/match by that name

    ---- STATUS:1 --------
            iptables -A DROPLOG -m limit --limit 3/minute -j LOG
    --log-prefix DROP->
            iptables: No chain/target/match by that name

    ---- STATUS:1 --------
            iptables -A RST -p tcp -j REJECT --reject-with tcp-reset
            iptables: No chain/target/match by that name

    ---- STATUS:1 --------
            iptables -A RST -p udp -j REJECT
            iptables: No chain/target/match by that name

    ---- STATUS:1 --------
            iptables -A RSTLOG -m limit --limit 3/minute -j LOG --log-prefix
    REJECT->
            iptables: No chain/target/match by that name

    ---- STATUS:1 --------
            iptables -A RSTLOG -p tcp -j REJECT --reject-with tcp-reset
            iptables: No chain/target/match by that name

    ---- STATUS:1 --------
            iptables -A RSTLOG -p udp -j REJECT
            iptables: No chain/target/match by that name

    ---- STATUS:1 --------
            iptables -t mangle -A PREROUTING -j TOS --set-tos 0x10 -p tcp -d
    0/0 --dport 1024:65535 -s 0/0 --sport www
            iptables: No chain/target/match by that name

    ---- STATUS:1 --------
            iptables -t mangle -A PREROUTING -j TOS --set-tos 0x10 -p tcp -s
    0/0 --sport 1024:65535 -d 0/0 --dport www
            iptables: No chain/target/match by that name

    ---- STATUS:1 --------
            iptables -t mangle -A PREROUTING -j TOS --set-tos 0x08 -p tcp -d
    0/0 --dport 1024:65535 -s 0/0 --sport rsync
            iptables: No chain/target/match by that name

    ---- STATUS:1 --------
            iptables -t mangle -A PREROUTING -j TOS --set-tos 0x08 -p tcp -s
    0/0 --sport 1024:65535 -d 0/0 --dport rsync
            iptables: No chain/target/match by that name

    ---- STATUS:1 --------
            iptables -t mangle -A PREROUTING -j TOS --set-tos 0x08 -p tcp -d
    0/0 --dport 1024:65535 -s 0/0 --sport 1024:65535
            iptables: No chain/target/match by that name

    ---- STATUS:1 --------
            iptables -t mangle -A PREROUTING -j TOS --set-tos 0x08 -p tcp -s
    0/0 --sport 1024:65535 -d 0/0 --dport 1024:65535
            iptables: No chain/target/match by that name

    TESTING FIREWALL

    debian:/home/tim#
    (no error messages, just a command prompt)

    The kernel .config options I think are relevant are:

    CONFIG_SYSVIPC=y
    CONFIG_SYSCTL=y
    CONFIG_BLK_DEV_LOOP=y
    CONFIG_SYN_COOKIES=y
    CONFIG_INET_AH=y
    CONFIG_INET_ESP=y
    CONFIG_INET_IPCOMP=y
    CONFIG_IP_NF_CONNTRACK=y
    CONFIG_IP_NF_IPTABLES=y
    CONFIG_IP_NF_MATCH_STATE=m
    CONFIG_IP_NF_FILTER=y
    CONFIG_IP_NF_NAT=y
    CONFIG_IP_NF_NAT_NEEDED=y
    CONFIG_IP_NF_TARGET_MASQUERADE=y
    CONFIG_IP_NF_MANGLE=m
    CONFIG_PROC_FS=y
    CONFIG_PROC_KCORE=y
    CONFIG_SYSFS=y


    # firewall-easy.conf
    #
    # use vars as with bash format (no spaces allowed before/after the equal)
    #

    ################################################################################
    #### HOME USER CONFIG

    LOCALNET_IFACES=
    #LOCALNET_IFACES=eth0 # Interfaces without firewall (better none)

    ADSL_IFACES=
    #ADSL_IFACES=eth1 # To get ADSL config by DHCP

        # HIGH SECURITY OPTION
    FTP="" # active FTP not available

        # MEDIUM SECURITY OPTION
    #FTP="1.1.1.1 2.2.2.2" # My active FTP servers (FTP is usually passive)

        # LOW SECURITY OPTION
    #FTP="0/0" # NOT RECOMMENDED: This allows all active FTP at the
                            # price of being visible to scans from port 20

    NTP="" # Time servers (NTP) to access in Internet

    NO_IP="" # Remote IPs to deny access to our system

    #### CONFIG OPTIONS
    # their value does not matter, only whether they are set or not

    TESTFW=yes # Uncomment to do firewall test in start
     #NOLOG=yes # Uncomment to NOT do ANY LOG (only 2.2 kernel)
     #LOGALLDENY=yes # Uncomment to log all denied rule (debug)
     #DEBUG=yes # Uncomment to debug

    # STRATEGY NO SERVICES (only 2.4 kernel)
    # Instead of being invisible (the default config), you may want to look
    # like a host with no services: uncomment the two following lines for that

     #RSTALLDENY=yes # Uncomment to return RST in all denied rules
     #RST_TO="0/0" # Allow outputs RST and icmp DEST UNREACHABLE to all IP

    ################################################################################
    #### INTRANET SERVER CONFIG

    MASQ_IFACES="ppp0 $ADSL_IFACES"
                            # Interfaces by which we have to masquerade

    NO_PRIV="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16" # private IP ranges
                            # Exclude range if used in Internet connection via DMZ

    #### SSH Internet access

        # ZERO RISK OPTION
    ISSH="" # ssh not available

        # HIGH SECURITY OPTION
    #ISSH="1.1.1.1 2.2.2.2" # Only to my ssh clients (fix IPs needed)

        # MEDIUM SECURITY OPTION
    #ISSH="0/0" # ssh access from any IP, we are _NOT_ invisible

    ################################################################################
    #### ADVANCED USERS

    #### LOCAL OUTPUTS RESTRICTED BY OWNER OR GROUP
    # This only works with 2.4 kernels (iptables required)
    # Uncomment lines to activate them
    # Following vars can be as USERCONN="root user1 user2 user3"

        # No owner output control for packets (default)
    USERCONN=""
    USERREPLY=""

        # No users, no services, as in only firewall box
    #USERCONN="root"
    #USERREPLY="NO"

        # No users, services but only answering
    #USERCONN="root"
    #USERREPLY="ALL"

        # One user (user1), services, and some services starting connections:
        # DNS/bind (woody:named), SMTP (postfix), POP3-retriever (woody:fetchmail)
        # web-cache (proxy)
        # NOTE: samba/netbios uses nobody via lo when printing in shared printer
        # NOTE: In potato bind runs as root, and fetchmail as the user running it
    #USERCONN="root named postfix fetchmail proxy user1"
    #USERREPLY="ALL"

    ################################################################################
    #### KERNEL MODULES

    #### kernel 2.2 modules

        # Uncomment only what is needed
    #insmod ip_masq_ftp # FTP <-- suggested
     #insmod ip_masq_raudio # REALAUDIO (radio via internet)
     #insmod ip_masq_irc # IRC (chat)
     #insmod ip_masq_vdolive # VDOlive video connection
     #insmod ip_masq_cuseeme # CU-SeeMe broadcast
     #insmod ip_masq_quake # QUAKE game
     #insmod ip_masq_user # User space control ?

    #### kernel 2.4 modules

        # Uncomment only what is needed
    #insmod ip_conntrack # Autoloaded
     #insmod ip_conntrack_ftp # Autoloaded if rule ">> ftp-data"
    #insmod ip_nat_ftp # ftp NAT alteration, includes masquerade?
     #insmod ip_queue # queue packets to use via netlink in user space

    ################################################################################
    #### AUTODETECTION
    #### values are autodetected from variables defined at the beginning

    ALL_IPS="`list-iface-ip all`" # All our IP for antispoof

    DNS="`list-dns-ip`" # My DNS servers

    LO_NETS="`list-iface-net lo`" # Net/mask interface loopback

    LOCALNETS="`list-iface-net $LOCALNET_IFACES`" # Net/mask local (intranet)
    LOCALNET_IPS="`list-iface-ip $LOCALNET_IFACES`" # IP in iface local this server

    ADSL_IPS="`list-iface-ip $ADSL_IFACES`" # Our IP in ADSL iface
    ADSL_GWS="`list-iface-gw $ADSL_IFACES`" # IP of GW in ADSL router

    echo ""
    echo "----AUTODETECTION--------"
    echo " loopback = $LO_NETS"
    echo " local net $LOCALNET_IFACES = $LOCALNETS"
    echo " local IP = $LOCALNET_IPS"
    echo " DNS servers = $DNS"
    echo " ADSL iface $ADSL_IFACES = $ADSL_IPS"
    echo " gw = $ADSL_GWS"
    echo ""
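The "No chain/target/match by that name" lines and the .config excerpt above can be cross-checked mechanically. As an added example (not from the post or from firewall-easy), this shell script parses the failing rules for the matches, targets and tables they use and looks up each one's 2.4/2.6-era CONFIG_IP_NF_* option in the pasted excerpt; the option-name mapping is an assumption of the example, and the sample rules and .config lines are constructed from the post.

```shell
# Added example, not code from the post or from firewall-easy: which iptables
# extensions do the failing rules need, and does the .config excerpt have them?
# Constructed sample: four of the failing rules echoed in the post.
FAILED_RULES='iptables -A ACCEPTLOG -m limit --limit 3/minute -j LOG --log-prefix ACCEPT->
iptables -A RST -p tcp -j REJECT --reject-with tcp-reset
iptables -A RST -p udp -j REJECT
iptables -t mangle -A PREROUTING -j TOS --set-tos 0x10 -p tcp -d 0/0 --dport 1024:65535'
# Constructed excerpt of the netfilter lines from the pasted .config.
KCONFIG='CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_MANGLE=m'
# 2.4/2.6-era config option providing a match, target or table (assumed map;
# ACCEPT/DROP/RETURN are built in and need no option).
cfg_for() {
  case "$1" in
    limit)        echo CONFIG_IP_NF_MATCH_LIMIT ;;
    state)        echo CONFIG_IP_NF_MATCH_STATE ;;
    LOG)          echo CONFIG_IP_NF_TARGET_LOG ;;
    REJECT)       echo CONFIG_IP_NF_TARGET_REJECT ;;
    TOS)          echo CONFIG_IP_NF_TARGET_TOS ;;
    table:mangle) echo CONFIG_IP_NF_MANGLE ;;
    *)            echo unknown ;;
  esac
}
# Distinct -m matches, -j targets and -t tables used by the rules, sorted.
needed_extensions() {
  printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) {
      if ($i == "-m" || $i == "-j") print $(i+1)
      if ($i == "-t") print "table:" $(i+1) } }' | LC_ALL=C sort -u
}
# State of one option in the .config excerpt: y, m or missing.
cfg_state() {
  printf '%s\n' "$2" | awk -F= -v k="$1" \
    '$1 == k { print $2; found = 1 } END { if (!found) print "missing" }'
}
# One line per extension: "<extension> <config option> <y|m|missing>".
report() {
  needed_extensions "$1" | while read -r ext; do
    opt=$(cfg_for "$ext")
    printf '%s %s %s\n' "$ext" "$opt" "$(cfg_state "$opt" "$2")"
  done
}
report "$FAILED_RULES" "$KCONFIG"
```

An option reported as missing cannot be used by any rule on that kernel, and one reported as m only works once its module is loaded, so those two states are the first thing to check against the STATUS:1 lines.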

    
