Hello,
We have successfully implemented shorewall version 1.4.6b as our
firewall which I believe is working the way it should be. I was able to
further test the firewall to make sure that it was working properly by going
to the www.grc.com website. In doing so I was able to conduct a test from
that website that would subject the firewall to any vulnerabilities. The
results came back as saying that the computer at IP address xxx.xxx.xxx.xxx
was completely stealthed. This was a relief to me because it confirmed that
the firewall is working the way it should be.
But when I went to another site called www.pcflank.com/stealth_test1.htm and
conducted a stealth test it came back as saying that the firewall did reject
some traffic but not all. Hence indicating to me that the firewall may or
may not be doing its job; the below information is a result of that
test.
Does anyone know if this is indeed valid?
Thank you,
James
We have sent following packets to TCP:1 port of your machine:
TCP ping packet
TCP NULL packet
TCP FIN packet
TCP XMAS packet
UDP packet
Here is the description of possible results on each sent packet:
"Stealthed" - Means that your system (firewall) has successfully passed
the test by not responding to the packet we have sent to it.
"Non-stealthed" - Means that your system (firewall) responded to the
packet we have sent to it. What is more important, is that it also means
that your computer is visible to others on the Internet that can be
potentially dangerous.

Packet type    Status
TCP "ping"     non-stealthed
TCP NULL       stealthed
TCP FIN        non-stealthed
TCP XMAS       non-stealthed
UDP            stealthed
On Thu, 2003-11-20 at 13:33, james wrote:
> Hello,
>
> We have successfully implemented shorewall version 1.4.6b as our
> firewall which I believe is working the way it should be. I was able to
> further test the firewall to make sure that it was working properly by going
> to the www.grc.com website. In doing so I was able to conduct a test from
> that website that would subject the firewall to any vulnerabilities. The
> results came back as saying that the computer at IP address xxx.xxx.xxx.xxx
> was completely stealthed. This was a relief to me because it confirmed that
> the firewall is working the way it should be.
>
> But when I went to another site called www.pcflank.com/stealth_test1.htm and
> conducted a stealth test it came back as saying that the firewall did reject
> some traffic but not all. Hence indicating to me that the firewall may or
> may not be doing its job; the below information is a result of that test.
> Does anyone know if this is indeed valid?

a) Do you have the 'tcpflags' option set on your external interface in
/etc/shorewall/interfaces?

b) How have you set TCPFLAGS_DISPOSITION in shorewall.conf?

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Thu, 2003-11-20 at 13:58, Tom Eastep wrote:
> On Thu, 2003-11-20 at 13:33, james wrote:
>
> a) Do you have the 'tcpflags' option set on your external interface in
> /etc/shorewall/interfaces?
>
> b) How have you set TCPFLAGS_DISPOSITION in shorewall.conf?

Make that TCP_FLAGS_DISPOSITION...

-Tom
On Thu, 2003-11-20 at 14:00, Tom Eastep wrote:
> On Thu, 2003-11-20 at 13:58, Tom Eastep wrote:
> > On Thu, 2003-11-20 at 13:33, james wrote:
> >
> > a) Do you have the 'tcpflags' option set on your external interface in
> > /etc/shorewall/interfaces?
> >
> > b) How have you set TCPFLAGS_DISPOSITION in shorewall.conf?
>
> Make that TCP_FLAGS_DISPOSITION...

Also, what is your setting for NEWNOTSYN? Have you specified 'newnotsyn' on
your external interface in /etc/shorewall/interfaces?

-Tom
On Thu, 2003-11-20 at 14:03, james wrote:
> I enabled the tcpflags checkbox for the external network card "eth0" and
> conducted the test again and this is what I received.
>
> We have sent following packets to TCP:1 port of your machine:
>
> TCP ping packet
> TCP NULL packet
> TCP FIN packet
> TCP XMAS packet
> UDP packet
>
> Here is the description of possible results on each sent packet:
> "Stealthed" - Means that your system (firewall) has successfully passed the
> test by not responding to the packet we have sent to it.
> "Non-stealthed" - Means that your system (firewall) responded to the packet
> we have sent to it. What is more important, is that it also means that your
> computer is visible to others on the Internet that can be potentially
> dangerous.
>
> Packet type    Status
> TCP "ping"     non-stealthed
> TCP NULL       stealthed
> TCP FIN        non-stealthed
> TCP XMAS       stealthed
> UDP            stealthed
>
> Here is my shorewall.conf parameters,

NEWNOTSYN=Yes produces those results.

-Tom
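The settings Tom asks about, laid out as an added example that is not from the thread or from the Shorewall project: the external-interface line in /etc/shorewall/interfaces and the related shorewall.conf variables, with the permissive setting beside the tightened one. The interface name eth0 comes from James's message; the zone name net, the detect broadcast keyword, the DROP disposition value and the log-level variables LOGNEWNOTSYN and TCP_FLAGS_LOG_LEVEL are assumed from the Shorewall 1.4 documentation, not from the page.

```text
# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
# Before: no flag checking, so NULL/XMAS/FIN probes reach the rules
net     eth0        detect
# After: illegal TCP flag combinations on the external interface are
# handled according to TCP_FLAGS_DISPOSITION (zone/broadcast assumed)
net     eth0        detect      tcpflags
# Do NOT add the 'newnotsyn' option here: it exempts eth0 from the
# NEWNOTSYN=No check set below.

# /etc/shorewall/shorewall.conf
# Before: "new" TCP packets without SYN (the TCP ping and lone FIN
# probes) are passed to the rules, which is what produced the
# non-stealthed results in the thread
NEWNOTSYN=Yes
# After: drop such packets, and drop bad-flag packets silently
# (log levels are assumed names for the 1.4 release)
NEWNOTSYN=No
LOGNEWNOTSYN=info
TCP_FLAGS_DISPOSITION=DROP
TCP_FLAGS_LOG_LEVEL=info
```

After changing either file, run `shorewall restart` and repeat the probe; the logged NEWNOTSYN and tcpflags entries in the kernel log show which check caught each packet.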