Hello,

These are my first steps with Shorewall, associated with Squid and DansGuardian on a Mandrake 10.1 Linux router, and I have (lots of) problems configuring Shorewall to work properly with MSN Messenger.

This solution I have written doesn't work; I have put these lines in the rules file:

# rules
...
#### MSN Messenger ###########################
ACCEPT loc net tcp 1863
# file transfer
ACCEPT loc net tcp 6891:6900
# voice : computer to phone
ACCEPT loc net udp 2001:2120,6801,6901
# voice : computer to computer
ACCEPT loc net udp 6901
ACCEPT loc net tcp 6901
# end of file

Finally I have added this line at the end of policy:

#policy
....
loc net ACCEPT
# last line of policy
all all REJECT info

That works, but I don't think it's secure :-)

Is it possible to configure Shorewall to accept MSN Messenger
Didier DOUSSAUD wrote:
> Finally I have added this line at the end of policy:
> ....
> loc net ACCEPT
> # last line of policy
> all all REJECT info
>
> That works, but I don't think it's secure :-)
>

Every Shorewall user who follows the instructions for installing a two-interface Shorewall firewall with single public IP address (see http://www.shorewall.net/two-interface.htm) has a policy like that.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
I don't understand?

For me, the next line in policy
"loc net ACCEPT"
opens all the ports from my local network to the Internet,

and I want to open only the ports used by Messenger...

2005/8/15, Tom Eastep <teastep@shorewall.net>:
> Didier DOUSSAUD wrote:
>
> > Finally I have added this line at the end of policy:
> > ....
> > loc net ACCEPT
> > # last line of policy
> > all all REJECT info
> >
> > That works, but I don't think it's secure :-)
> >
>
> Every Shorewall user who follows the instructions for installing a
> two-interface Shorewall firewall with single public IP address (see
> http://www.shorewall.net/two-interface.htm) has a policy like that.
>
> -Tom

--
didier.doussaud@doussaud.org
Didier DOUSSAUD wrote:
> I don't understand?
>
> For me, the next line in policy
> "loc net ACCEPT"
> opens all the ports from my local network to the Internet,
>
> and I want to open only the ports used by Messenger...

Security is a relative issue, Didier. Many users with home networks use the loc > net ACCEPT policy simply because they have good control over their machines and know what they are doing. It is another issue if this would be on a corporate network; the administrator has to have much more control, since corporate policies are much more strict having to do with employees' computers. Allowing outgoing traffic on a home network is not really an issue other than if you are worried about trojans "phoning home", which is mostly based on virii and flaws in Windows software. Allowing MSN Messenger is in itself a security issue; you are opening about 25 ports for only one program and it has had its flaws:

http://securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=MSN+messenger&x=25&y=11

Personally, I have used that policy for years and have never come across any problems......yet. ;-)

--
Patrick Benson
Stockholm, Sweden

-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
Thanks for your reply,

Yes, it's against "trojans" and other bad programs that I wanted to configure my firewall. I also wanted to understand how it works.

But I will keep this policy; the rule that redirects web access from my children's PC to DansGuardian works before this policy, so I have no real problem with this policy.

But if someone has written a rule to allow only MSN Messenger access, I'm interested to read it!

2005/8/15, Patrick Benson <benson@chello.se>:
> Didier DOUSSAUD wrote:
>
> > I don't understand?
> >
> > For me, the next line in policy
> > "loc net ACCEPT"
> > opens all the ports from my local network to the Internet,
> >
> > and I want to open only the ports used by Messenger...
>
> Security is a relative issue, Didier. Many users with home networks use
> the loc > net ACCEPT policy simply because they have good control over
> their machines and know what they are doing. It is another issue if this
> would be on a corporate network; the administrator has to have much more
> control, since corporate policies are much more strict having to do with
> employees' computers. Allowing outgoing traffic on a home network is not
> really an issue other than if you are worried about trojans "phoning
> home", which is mostly based on virii and flaws in Windows software.
> Allowing MSN Messenger is in itself a security issue; you are opening
> about 25 ports for only one program and it has had its flaws:
>
> http://securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=MSN+messenger&x=25&y=11
>
> Personally, I have used that policy for years and have never come across
> any problems......yet. ;-)

--
didier.doussaud@doussaud.org
Patrick Benson wrote:
> It is another issue if this would be on a corporate network; the
> administrator has to have much more control, since corporate policies
> are much more strict having to do with employees' computers.

And in a corporate setting, basic MSN functionality works fine through an HTTP proxy. MSN Messenger is designed for home users -- it uses UPnP, which is *not* appropriate for anywhere but in a home network setting. UPnP requires that applications behind the firewall be able to open arbitrary holes in the firewall -- this is certainly not something that a network administrator would want to allow.

See http://www.shorewall.net/UPnP.html

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> And in a corporate setting, basic MSN functionality works fine through
> an HTTP proxy.

Wouldn't it be enough to just add rules on the HTTP proxy, denying traffic to the default login gateways for IM clients? As long as they can't log in they're pretty useless. The pain is keeping track of updated IPs...

--
Patrick Benson
Stockholm, Sweden
Patrick Benson wrote:
> Tom Eastep wrote:
>
> > And in a corporate setting, basic MSN functionality works fine through
> > an HTTP proxy.
>
> Wouldn't it be enough to just add rules on the HTTP proxy, denying
> traffic to the default login gateways for IM clients? As long as they
> can't log in they're pretty useless. The pain is keeping track of
> updated IPs...
>

Sure -- for controlling outgoing HTTP, it's always better to use the proxy's ACL features than to use Shorewall. Shorewall should be used simply to deny direct loc->net HTTP(S).

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Didier DOUSSAUD wrote:
> I don't understand?
>
> For me, the next line in policy
> "loc net ACCEPT"
> opens all the ports from my local network to the Internet,
>

MSN Messenger uses arbitrary ports using a Windowz "feature" called UPnP.

I assume your loc->net policy is DROP or REJECT.

ACCEPT loc net 1863

will permit basic MSN usage from your local network (file transfer will not work, though).

--
Cristian Rodriguez R.
perl -e '$_=pack(c5,0105,0107,0123,0132,(1<<3)+2);y[A-Z][N-ZA-M];print;'
Cristian Rodriguez wrote:
> Didier DOUSSAUD wrote:
> > I don't understand?
> >
> > For me, the next line in policy
> > "loc net ACCEPT"
> > opens all the ports from my local network to the Internet,
> >
>
> MSN Messenger uses arbitrary ports using a Windowz "feature" called UPnP.
>
> I assume your loc->net policy is DROP or REJECT.
>
> ACCEPT loc net 1863
>
> will permit basic MSN usage from your local network (file transfer will
> not work, though).
>

Oops.. I forgot PROTO :-P

ACCEPT loc net tcp 1863

--
Cristian Rodriguez R.
perl -e '$_=pack(c5,0105,0107,0123,0132,(1<<3)+2);y[A-Z][N-ZA-M];print;'
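The point made across this thread (the rules in the first post and the corrected "ACCEPT loc net tcp 1863" above) is that a rule only matters for traffic the policy would otherwise refuse: with "loc net ACCEPT" in the policy file, the MSN rules change nothing, and only a "loc net REJECT" (or DROP) policy makes them the sole openings. The following is an added example, not code from the thread or from the Shorewall project: a small Python evaluator of Shorewall-style rules and policy lines that models first-match rule lookup with policy fallback and the port syntax used in the posts (single port, LOW:HIGH range, comma-separated list). It models only the ACTION SOURCE DEST PROTO DPORT columns; real Shorewall has many more columns and semantics, and the zone names and the "restrictive" policy it compares against are constructed for the demonstration.

```python
"""Tiny evaluator for Shorewall-style rules/policy lines (added example,
not Shorewall code). Shows why a 'loc net ACCEPT' policy makes per-port
rules redundant and how a 'loc net REJECT' policy makes them the only
openings. Only ACTION SOURCE DEST PROTO DPORT is modelled."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str
    source: str
    dest: str
    proto: str          # "tcp", "udp" or "all" (no PROTO column given)
    ports: frozenset    # empty set means "any destination port"


def parse_ports(spec: str) -> frozenset:
    """Expand Shorewall port syntax: '1863', '6891:6900', '2001:2120,6801,6901'."""
    if spec in ("", "-"):
        return frozenset()
    out = set()
    for item in spec.split(","):
        if ":" in item:
            low, high = (int(x) for x in item.split(":", 1))
            if low > high:
                raise ValueError(f"bad port range {item!r}")
            out.update(range(low, high + 1))
        else:
            out.add(int(item))
    return frozenset(out)


def parse_rules(text: str) -> list:
    """Parse 'ACTION SOURCE DEST [PROTO [DPORT]]' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed rule: {raw!r}")
        action, src, dst = fields[:3]
        proto = fields[3].lower() if len(fields) > 3 else "all"
        ports = parse_ports(fields[4]) if len(fields) > 4 else frozenset()
        rules.append(Rule(action.upper(), src, dst, proto, ports))
    return rules


def parse_policy(text: str) -> list:
    """Parse 'SOURCE DEST POLICY [LOGLEVEL]' lines; 'all' matches any zone."""
    policy = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        policy.append((fields[0], fields[1], fields[2].upper()))
    return policy


def decide(rules, policy, src, dst, proto, port) -> str:
    """First matching rule wins; otherwise the first matching policy line decides."""
    for r in rules:
        if (r.source == src and r.dest == dst
                and r.proto in ("all", proto)
                and (not r.ports or port in r.ports)):
            return r.action
    for psrc, pdst, action in policy:
        if psrc in ("all", src) and pdst in ("all", dst):
            return action
    raise LookupError(f"no policy covers {src}->{dst}")


# The MSN rules from the first post, with the corrected 'tcp 1863' line.
MSN_RULES = parse_rules("""
#### MSN Messenger ###########################
ACCEPT loc net tcp 1863
ACCEPT loc net tcp 6891:6900          # file transfer
ACCEPT loc net udp 2001:2120,6801,6901  # voice: computer to phone
ACCEPT loc net udp 6901                # voice: computer to computer
ACCEPT loc net tcp 6901
""")

# The policy as posted: everything loc->net is accepted regardless of rules.
OPEN_POLICY = parse_policy("""
loc net ACCEPT
all all REJECT info
""")

# Constructed alternative: loc->net refused unless a rule accepts it.
RESTRICTIVE_POLICY = parse_policy("""
loc net REJECT info
all all REJECT info
""")


def compare(port: int, proto: str = "tcp") -> tuple:
    """Verdict for a loc->net connection under the open and the restrictive policy."""
    return (decide(MSN_RULES, OPEN_POLICY, "loc", "net", proto, port),
            decide(MSN_RULES, RESTRICTIVE_POLICY, "loc", "net", proto, port))


if __name__ == "__main__":
    for proto, port in [("tcp", 1863), ("tcp", 6895), ("udp", 2050),
                        ("tcp", 25), ("tcp", 80)]:
        print(f"{proto}/{port}: open policy -> {compare(port, proto)[0]}, "
              f"restrictive policy -> {compare(port, proto)[1]}")
```

Running it shows that tcp/1863, tcp/6895 and udp/2050 are accepted under both policies because a rule matches them, while tcp/25 and tcp/80 are accepted only under the posted "loc net ACCEPT" policy; under the restrictive policy the MSN rules are the only loc->net openings, which is what the original poster was asking for.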