Hi, I noted in the documentation that we can create a file called "common" to overwrite the common.def. Basically, I am trying to block stealth scans for IDENT, NetBIOS, and SMB. I have created the "common" file and put the rules in it (copied directly from common.def, changing the "reject" to "DROP"). But when I do a scan from http://scan.sygate.com/stealthscan.html, it's still marked as OPEN. Do I need to add anything in shorewall.conf to tell it that the 'common' file exists?

2nd question: If a port can be scanned but is CLOSED (nothing is running on that port), can anyone hack into it?

Shorewall version: 1.4.7c

At the beginning of the common file, I put ". /etc/shorewall/common.def" as recommended. Do I need to change the permissions for both common and common.def to be executable?

Thanks.
------------------------
Lito Kusnadi
On Mon, 2 Feb 2004, Lito Kusnadi wrote:

> Hi, I noted in the documentation that we can create a file called
> "common" to overwrite the common.def.
> Basically, I am trying to block stealth scans for IDENT, NetBIOS, and
> SMB.
> I have created the "common" file and put the rules in it (copied directly
> from common.def, changing the "reject" to "DROP"). But when I do a
> scan from http://scan.sygate.com/stealthscan.html, it's still marked as
> OPEN.
> Do I need to add anything in shorewall.conf to tell it that the 'common'
> file exists?

No -- what does "shorewall show common" show?

> 2nd question: If a port can be scanned but is CLOSED (nothing is running on
> that port), can anyone hack into it?

No.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Hi Tom.

Moving the '. /etc/shorewall/common.def' to the end fixed it.

Just want to know if there's a need for an errata at http://www.shorewall.net/shorewall_extension_scripts.htm

Particularly at the section (almost at the bottom of the page):

...
/etc/shorewall/common:

. /etc/shorewall/common.def
<add your rules here>
...

Or this might be aberrant behavior for version 1.4.7c?

One last question: By dropping NetBIOS, SMB, and IDENTD, will there be any implication for the running of other services, say network browsing through VPN IPSEC?

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Monday, 2 February 2004 11:03 AM
To: Mailing List for Experienced Shorewall Users
Subject: Re: [Shorewall-users] common file to overwrite common.def

On Mon, 2 Feb 2004, Lito Kusnadi wrote:

> Hi, I noted in the documentation that we can create a file called
> "common" to overwrite the common.def.
> Basically, I am trying to block stealth scans for IDENT, NetBIOS, and
> SMB.
> I have created the "common" file and put the rules in it (copied directly
> from common.def, changing the "reject" to "DROP"). But when I do a
> scan from http://scan.sygate.com/stealthscan.html, it's still marked as
> OPEN.
> Do I need to add anything in shorewall.conf to tell it that the 'common'
> file exists?

No -- what does "shorewall show common" show?

> 2nd question: If a port can be scanned but is CLOSED (nothing is running on
> that port), can anyone hack into it?

No.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
On Sunday 01 February 2004 04:29 pm, Lito Kusnadi wrote:

> Hi Tom.
> Moving the '. /etc/shorewall/common.def' to the end fixed it.
> Just want to know if there's a need for an errata at
> http://www.shorewall.net/shorewall_extension_scripts.htm
>
> Particularly at the section (almost at the bottom of the page):
> ...
> /etc/shorewall/common:
>
> . /etc/shorewall/common.def
> <add your rules here>
> ...
>
> Or this might be aberrant behavior for version 1.4.7c?

READ THE MANUAL!!!!! -- right after what you quote above:

"If you need to supercede a rule in the released common.def file, you can add the superceding rule before the "." command."

>
> One last question:
> By dropping NetBIOS, SMB, and IDENTD, will there be any implication
> for the running of other services, say network browsing through VPN
> IPSEC?

No.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Sun, 1 Feb 2004, Tom Eastep wrote:

> On Sunday 01 February 2004 04:29 pm, Lito Kusnadi wrote:
> > Hi Tom.
> > Moving the '. /etc/shorewall/common.def' to the end fixed it.
> > Just want to know if there's a need for an errata at
> > http://www.shorewall.net/shorewall_extension_scripts.htm
> >
> > Particularly at the section (almost at the bottom of the page):
> > ...
> > /etc/shorewall/common:
> >
> > . /etc/shorewall/common.def
> > <add your rules here>
> > ...
> >
> > Or this might be aberrant behavior for version 1.4.7c?
>
> READ THE MANUAL!!!!! -- right after what you quote above:
>
> "If you need to supercede a rule in the released common.def file, you can add
> the superceding rule before the "." command."
>

To protect my blood pressure, and to be sure that no one else cuts themselves on this sharp edge before common.def goes away in 2.0, I have removed the above sentence and have reversed the order of the "." and <add...>. I'm sure someone will manage to break something following those instructions also, but we'll see....

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
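The reason the order of the "." line matters, as an added example that is not part of the thread or of Shorewall itself: in Shorewall 1.4 both common.def and your /etc/shorewall/common append (-A) rules to the same iptables chain, and iptables stops at the first matching rule. A DROP for port 113 appended after common.def's reject for port 113 is therefore never reached; appended before it, it wins. The script below models that chain as a plain list and shows both orderings. The rule set inside source_common_def (ident, NetBIOS, SMB rejects), the function names and the port numbers are assumptions made for the demonstration, not the real contents of common.def.

```shell
#!/bin/sh
# Added example (not Shorewall's code): why rule order in the "common"
# extension script matters.  A chain is modelled as newline-separated
# "proto dport target" entries, appended in the order the script runs,
# and looked up with first-match semantics exactly as iptables does.

NL='
'
CHAIN=""

# append_rule PROTO DPORT TARGET
# Stand-in for "run_iptables -A common -p PROTO --dport DPORT -j TARGET".
append_rule() {
    CHAIN="${CHAIN}$1 $2 $3${NL}"
}

# source_common_def
# Stand-in for ". /etc/shorewall/common.def".  The reject rules below are
# assumed for the demo (ident, NetBIOS name/datagram/session, SMB).
source_common_def() {
    append_rule tcp 113 reject
    append_rule udp 137 reject
    append_rule udp 138 reject
    append_rule tcp 139 reject
    append_rule tcp 445 reject
}

# first_match PROTO DPORT
# Prints the target of the first rule matching PROTO/DPORT, or NONE.
first_match() {
    printf '%s' "$CHAIN" | awk -v p="$1" -v d="$2" '
        $1 == p && $2 == d { print $3; found = 1; exit }
        END { if (!found) print "NONE" }'
}

# The ordering the old documentation showed: source common.def first,
# then add your own rules.  Returns the target seen for ident (tcp/113).
build_drop_after() {
    CHAIN=""
    source_common_def
    append_rule tcp 113 DROP
    append_rule tcp 139 DROP
    first_match tcp 113
}

# The corrected ordering: your rules first, then source common.def.
build_drop_before() {
    CHAIN=""
    append_rule tcp 113 DROP
    append_rule tcp 139 DROP
    source_common_def
    first_match tcp 113
}

# A port nobody mentions in either file falls through the chain.
build_unmatched() {
    CHAIN=""
    append_rule tcp 113 DROP
    source_common_def
    first_match tcp 22
}

printf 'tcp/113, DROP appended after common.def:  %s\n' "$(build_drop_after)"
printf 'tcp/113, DROP appended before common.def: %s\n' "$(build_drop_before)"
printf 'tcp/22,  no rule in either file:          %s\n' "$(build_unmatched)"
```

Run with any POSIX sh; the first line prints "reject", the second "DROP", the third "NONE". The same reasoning tells you what "shorewall show common" should display: your DROP lines must appear above the common.def entries for the same ports, or they are dead rules.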
I have searched the Shorewall docs, the Mac site and googled, but I cannot find information on how to allow the Darwin streaming server to work through a firewall.

The streaming server does work when not accessed from behind the firewall.

If anyone has any hints or information on this, it is much appreciated.
On Sun, 1 Feb 2004, Robin M. wrote:

> I have searched the Shorewall docs, the Mac site and googled, but I
> cannot find information on how to allow the Darwin streaming server to
> work through a firewall.
>
> The streaming server does work when not accessed from behind the firewall.
>
> If anyone has any hints or information on this, it is much appreciated.
>

So you found this (http://www.apple.com/quicktime/products/qtss/qtssfaq.html - I googled and looked for 48 seconds to find it):

How do I get around firewall problems?
--------------------------------------
If you are experiencing firewall problems, update your software to the latest version of QuickTime Streaming Server and have users upgrade to QuickTime 4.1 or later. You may optionally want to select the "Enable Streaming On Port 80" checkbox in the Settings window of the QuickTime Streaming Server Admin application.

---------------------------------------------------------------------------

In another 24 seconds, I located this:

http://www.apple.com/quicktime/resources/qt4/us/proxy/

Seems like there is lots of information there as well.

---------------------------------------------------------------------------

If you have Shorewall-specific questions about implementing the suggestions at the above sites, we'll be happy to help.

---------------------------------------------------------------------------

Alternatively -- *look at your log* and then read FAQ 17; you can solve almost any connection problem this way if you are patient.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Sun, 1 Feb 2004, Tom Eastep wrote:

> On Sun, 1 Feb 2004, Robin M. wrote:
>
> > I have searched the Shorewall docs, the Mac site and googled, but I
> > cannot find information on how to allow the Darwin streaming server to
> > work through a firewall.
> >
> > The streaming server does work when not accessed from behind the firewall.
> >
> > If anyone has any hints or information on this, it is much appreciated.
> >
> So you found this
> (http://www.apple.com/quicktime/products/qtss/qtssfaq.html - I
> googled and looked for 48 seconds to find it):

Yep, I read that. The only useful information was suggesting that I run the server on port 80, but that is not an option, as I have only one IP address and need to run a web server as well.

>
> http://www.apple.com/quicktime/resources/qt4/us/proxy/
>

Yep, I did read that too. The useful information I gathered from there was:

Open port 554 for RTSP/TCP data.
Open ports 6970 through 6999 (inclusive) for RTP/UDP data.

I also have installed the streaming server directly on the firewall, and it does work with these rules:

    ACCEPT  loc  fw   udp  rtsp
    ACCEPT  net  fw   udp  rtsp
    ACCEPT  loc  fw   tcp  rtsp,1220
    ACCEPT  net  fw   tcp  rtsp,1220

    ACCEPT  fw   loc  udp  6970:6999
    ACCEPT  fw   net  udp  6970:6999

but I just can't get it to work behind the NAT. I have tried a couple of combinations of rules, and the closest I have gotten is some choppy sound with no video. There are no logs in my /var/log/messages either showing denied packets....

I am just not proficient enough to figure out the rules and was hoping someone has already gotten it to work. Any hints or suggestions are appreciated.
On Sun, 1 Feb 2004, Robin M. wrote:

> Yep, I did read that too. The useful information I gathered from there was:
> Open port 554 for RTSP/TCP data.
> Open ports 6970 through 6999 (inclusive) for RTP/UDP data.
>
> I also have installed the streaming server directly on the firewall, and it
> does work with these rules:
>
>     ACCEPT  loc  fw   udp  rtsp
>     ACCEPT  net  fw   udp  rtsp
>     ACCEPT  loc  fw   tcp  rtsp,1220
>     ACCEPT  net  fw   tcp  rtsp,1220
>
>     ACCEPT  fw   loc  udp  6970:6999
>     ACCEPT  fw   net  udp  6970:6999
>
> but I just can't get it to work behind the NAT.

You need to look at FAQ 30 -- the rules that you have above would work well if you had a proxy server running on your firewall; I assume that you don't.

> I have tried a couple of combinations of rules, and the closest I have gotten
> is some choppy sound with no video. There are no logs in my
> /var/log/messages either showing denied packets....
>
> I am just not proficient enough to figure out the rules and was hoping
> someone has already gotten it to work. Any hints or suggestions are
> appreciated.

I'll assume that your server is in the loc zone and has address 192.168.1.5:

    DNAT  net  loc:192.168.1.5  udp  rtsp
    DNAT  net  loc:192.168.1.5  tcp  rtsp,1220
    DNAT  net  loc:192.168.1.5  udp  6970:6999

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Sun, 1 Feb 2004, Tom Eastep wrote:

> On Sun, 1 Feb 2004, Robin M. wrote:
>
> > Yep, I did read that too. The useful information I gathered from there was:
> > Open port 554 for RTSP/TCP data.
> > Open ports 6970 through 6999 (inclusive) for RTP/UDP data.
> >
> > I also have installed the streaming server directly on the firewall, and it
> > does work with these rules:
> >
> >     ACCEPT  loc  fw   udp  rtsp
> >     ACCEPT  net  fw   udp  rtsp
> >     ACCEPT  loc  fw   tcp  rtsp,1220
> >     ACCEPT  net  fw   tcp  rtsp,1220
> >
> >     ACCEPT  fw   loc  udp  6970:6999
> >     ACCEPT  fw   net  udp  6970:6999
> >
> > but I just can't get it to work behind the NAT.
>
> You need to look at FAQ 30 -- the rules that you have above would work
> well if you had a proxy server running on your firewall; I assume that you
> don't.
>

Sorry -- I should have read your post more carefully (where you say that these rules DO work when the server is on the firewall) :-(

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Monday 02 February 2004 03:26, Robin M. wrote:

> I have searched the Shorewall docs, the Mac site and googled, but I
> cannot find information on how to allow the Darwin streaming server to
> work through a firewall.
>
> The streaming server does work when not accessed from behind the firewall.
>
> If anyone has any hints or information on this, it is much appreciated.

Please do _not_ just hit reply on some message on the list. This will add an In-Reply-To or References header to your mail, which shows which message(s) you are replying to. So many mail readers and mailing-list web interfaces will thread your new message under the message you replied to. So basically you begin a completely new thread inside another one.

Just click on the mail address of the list or add it to your address book.

Thx
Alex