Re: Bit Twister: Is this the dhclient-exit-hooks you were talking about?

Bit Twister <BitTwister@xxxxxxxxxxxxxxxx> wrote in

On Sat, 23 Sep 2006 13:58:23 +0000 (UTC), Ohmster wrote:

I don't use shorewall but thought about it. Found it too
difficult to get up and running right away.

Mandriva Linux's installer made the initial Shorewall setup painless.

Hmmm, I got Fedora 3 running right now. Want to go to Fedora 5 but cannot
afford to lose my years and years worth of configs and tweaks. Will have
to wait until I can afford another 200Gb IDE drive and will install FC5
to that and then have my old drive in the box too so that I can copy over
my configs and not lose anything that way. I might even be able to
upgrade from FC3 to FC5 but not sure if that will work and a clean
install is usually always the better way to go.

Firestarter come with a GUI that makes getting it up and running
and doing what you want all of a three minute process.

Mandriva Linux's Control Center is pretty well dumbed down for the new
user. Better GUI tweaking can be done through the Webmin application.

Yeah I hear ya, there is a webmin front end for shorewall. I think that I
tried it once but could not get it up and doing what I wanted quickly so
I sort of sold out to firestarter again.

It does tend to choke the system logs with packet info and
I really wish it would not do that.

That is one of the things I like about Shorewall. I can tweak what
gets logged. It also has a blacklist file where I can just drop
by ip, ip range, port range, .... without logging.

Oh damn, I really need that. I do the same thing with the firestarter GUI
because sometimes I will catch someone trying to hack into my FTP or SSH
daemons. I spot them with iftop (God I love that program!) and then tail
a log file to watch what is happening. I will find them trying to bang
their way in as an admin with every word in the dictionary for a
password. When I spot something like this happening, I will ban the IP

What would be cool is to find a way to make vsftpd and sshd cut off a
login when 3 failed attempts are made. Block them for like a half an hour
when this happens but I don't know of any way to do this. Also ban the IP
range if they do this consistently. I do it by hand but cannot be around
to catch this all the time.

Maybe I should really investigate shorewall again seeing as how you
already made such a nice script for it, but I have requirements and am
not sure if this can be done with shorewall. What I have firestarter
doing right now is this:

1.) IP Masquerading
2.) ipv4 forwarding
3.) dhcp for local LAN
4.) Block unused ports
5.) Port forwarding for machines on the LAN that require it

Shorewall is pretty complicated but I am sure much more flexible than
firestarter. I would rather use shorewall but to get it up and running
with all the above requirements, like right away, might be more than I
can accomplish and cannot leave the system down for a week or more while I
work on it. That is why I use firestarter.

I have a pretty quiet log. I run a
xconsole -display wb:0 -geom 1032x50+400+00 -file /var/log/messages
on my firewall which gives me view of the logged messages in realtime
on my web browsing box.

Huh? This sounds pretty cool, I want to try and run this to see what it
does. I will try it now as a command in a terminal in xwindows to see if
it will work for me. No dice, see what happened...

[root@ohmster ~]# xconsole -display wb:0 -geom 1032x50+400+00 -file
/var/log/messages &
[1] 5547
[root@ohmster ~]# _X11TransSocketINETConnect() can't get address for
wb:6000: Name or service not known
Error: Can't open display: wb:0

[1]+ Exit 1 xconsole -display wb:0 -geom 1032x50+400+00
-file /var/log/messages
[root@ohmster ~]#

What am I doing wrong, how come that did not work, Bit? What you have
going on there sounds really neat and I would like to try it. What does the
"wb:0" part do?
theohmster at comcast dot net
Put "messageforohmster" in message body
to pass my spam filter.
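The "cut off a login after 3 failed attempts and block the IP for half an hour" idea from the post, worked through as an added example that is not code from the original thread or from Firestarter or Shorewall. It assumes Python 3 and syslog-style lines from sshd and vsftpd (via PAM); the log lines are constructed, the year is assumed because syslog lines carry none, and the 10-minute counting window is an assumption the post leaves open. The block command is a plain iptables rule, which is what either firewall front end ends up writing.

```python
"""Count failed sshd/vsftpd logins per source IP and decide which IPs to block.
Added example, not code from the original post. Sample log lines are
constructed; thresholds follow the numbers in the post (3 failures, 30-minute
ban), and the 10-minute window is an assumption."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (syslog format as written by sshd and by vsftpd through pam_unix).
SAMPLE_LOG = """\
Sep 23 14:01:02 ohmster sshd[5601]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Sep 23 14:01:05 ohmster sshd[5603]: Failed password for invalid user admin from 203.0.113.7 port 40131 ssh2
Sep 23 14:01:09 ohmster sshd[5605]: Failed password for root from 203.0.113.7 port 40140 ssh2
Sep 23 14:02:00 ohmster sshd[5610]: Accepted publickey for ohmster from 192.0.2.10 port 51000 ssh2
Sep 23 14:05:30 ohmster vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser= rhost=198.51.100.9 user=admin
Sep 23 14:05:33 ohmster vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser= rhost=198.51.100.9 user=admin
Sep 23 14:40:00 ohmster vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser= rhost=198.51.100.9 user=admin
Sep 23 14:06:00 ohmster sshd[5620]: Failed password for invalid user test from 192.0.2.50 port 41000 ssh2
"""

THRESHOLD = 3                     # failures that trigger a ban (from the post)
WINDOW = timedelta(minutes=10)    # counting window (assumption)
BAN_FOR = timedelta(minutes=30)   # "half an hour" (from the post)
LOG_YEAR = 2006                   # syslog lines carry no year; assumed for the sample

_TS = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) ")
_FAILURE_PATTERNS = [
    # sshd: "Failed password for [invalid user] NAME from A.B.C.D port N ssh2"
    re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)"),
    # vsftpd through PAM: "pam_unix(vsftpd:auth): authentication failure; ... rhost=A.B.C.D"
    re.compile(r"vsftpd: pam_unix\(vsftpd:auth\): authentication failure;.*rhost=(\d+\.\d+\.\d+\.\d+)"),
]


def parse_failures(text):
    """Return a time-ordered list of (timestamp, source_ip) for failed logins."""
    events = []
    for line in text.splitlines():
        m = _TS.match(line)
        if not m:
            continue
        for pat in _FAILURE_PATTERNS:
            hit = pat.search(line)
            if hit:
                ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
                events.append((ts, hit.group(1)))
                break
    events.sort()
    return events


def decide_bans(events, threshold=THRESHOLD, window=WINDOW, ban_for=BAN_FOR):
    """Return {ip: ban_until} for each IP that reached `threshold` failures
    inside `window`. Failures that arrive while an IP is banned are ignored
    (the firewall is dropping them), and the counter resets when a ban starts,
    so an IP that keeps coming back is banned again after the ban expires."""
    recent = defaultdict(deque)
    bans = {}
    for ts, ip in events:
        if ip in bans and ts < bans[ip]:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            bans[ip] = ts + ban_for
            q.clear()
    return bans


def block_command(ip):
    """The iptables rule a wrapper script would run to drop traffic from `ip`;
    lifting the ban when it expires is the same rule with -D instead of -I."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


if __name__ == "__main__":
    for ip, until in decide_bans(parse_failures(SAMPLE_LOG)).items():
        print(f"ban {ip} until {until:%H:%M:%S}: {' '.join(block_command(ip))}")
```

On the sample, 203.0.113.7 crosses three failures within seconds and gets banned until 14:31:09; the vsftpd source 198.51.100.9 fails twice and then once more 35 minutes later, so the window rule correctly leaves it alone, as does the single failure from 192.0.2.50. Run as a cron job over the tail of /var/log/messages or /var/log/secure, this replaces the manual iftop-and-tail watch the post describes.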