I'm getting this error message:

Warren Togami warren at togami.com
Wed Apr 11 12:54:23 PDT 2001


On Saturday after I realized you had a single NIC, I realized what you were
trying to do.  I tried to explain to you that a "firewall" is NOT what you
want, especially that firewall script in particular.  Most firewall scripts
like the one you are trying to make work are designed to use two network
interfaces, filtering traffic from the outside internet to a local area
network.  You do not have two network interfaces.  You are confusing the
need for a "firewall" with those personal firewall products for Windows like
Zonealarm, Zonefree or BlackIce Defender.  These products are arguably not
firewalls in a traditional sense.  They simply track and disallow certain
types of packets from entering or leaving your computer, and perhaps log
data.

Most users of Linux do not go to this extreme because it is simply not
needed.  This is a very advanced topic, the likes of which very few of us on
this list have even begun to master.  I would suggest securing your system
in the normal way first, learning a bit more about the services, TCP
wrappers, kernel configuration, Netfilter and iptables.  At that point you
will understand that a "personal firewall" is NOT needed, though you can
easily implement rules to make one if you want.

This is the third time I will say this: Please do not persist in trying to
make this script work on your system.  This script was NOT designed to do
what you want.  Please start from scratch with simple INPUT and OUTPUT
chains and work from there.  But first, secure your services and the kernel
the normal way.

As for the services to disable, please refer to this discussion about some
services and their descriptions.
http://forum.mplug.org/viewthread.php3?FID=4&TID=3

If you have any further questions please post again.

Warren Togami
warren at togami.com

----- Original Message -----
From: "Cyberclops" <Cyberclops at hawaii.rr.com>
To: "Linux & Unix Advocates & Users" <luau at list.luau.hi.net>
Sent: Wednesday, April 11, 2001 7:59 AM
Subject: [luau] Re: I'm getting this error message:


> As for disabling unneeded services, I'm not sure what are unneeded, or
> where to do it.  I think the SuSE firewall is most likely doing its
> job, but again, I'm uncertain how to let programs that I want pass
> through.
>
> Warren Togami wrote:
> >
> > Please understand that you probably shouldn't use that firewall script. You
> > are confusing the need for this script with the misguided notion from
> > Windows that you need a "personal firewall" like Zonealarm, Zonefree or
> > BlackIce Defender.  Windows may need these products because they have no
> > facilities on their own for route security.
> >
> > What I highly suggest instead:
> > 1. Disable all unneeded services.  ntp is ok to keep, but only if you know
> > how to secure it.  Your "firewall" rules are somehow interfering with some
> > reply packets.
> > 2. Have someone nmap you from the outside to make sure you have your ports
> > secure.  Do this every couple weeks.
> > 3. At this point, if you are still paranoid, then you can close or filter
> > ports using ipchains or iptables.  Not very necessary but doable.
> >
> > Your script has all kinds of stuff within it to handle routing from one
> > interface to another.  That could possibly be confusing your other efforts.
> >
> > ----- Original Message -----
> > From: "Cyberclops" <Cyberclops at hawaii.rr.com>
> > To: "Linux & Unix Advocates & Users" <luau at list.luau.hi.net>
> > Sent: Monday, April 09, 2001 7:02 AM
> > Subject: [luau] I'm getting this error message:
> >
> > > After I enable my SuSE 7.1 firewall configuration, I get the following
> > > message:
> > >
> > > >>>>Apr  9 06:17:45 a24b161n139client142 ntpdate[483]: no server suitable for synchronization found<<<<<
> > >
> > > But if the firewall is not actuated I get this:
> > >
> > > >>>>Apr  8 12:55:27 a24b161n139client142 ntpdate[308]: step time server 128.2.191.71 offset 0.255133 sec<<<<<
> > >
> > > I have a time fetish and like the clock on my computer to be perfectly
> > > synchronized to an Internet time standard.  Can anyone tell me how to
> > > get this signal to pass through the SuSE 7.1 firewall?  Note: it uses
> > > the 2.4 kernel.
> > >
> > > With the firewall activated I'm reported as "totally stealth" at the
> > > "Shields Up" web site.  That's something I like.  Here are the log
> > > entries from the "Shields Up" probe:
> > >
> > > Apr  9 06:24:28 a24b161n139client142 kernel: Packet log: output DENY eth0 PROTO=1 24.161.139.142:3 24.25.227.34:3 L=203 S=0xC0 I=0 F=0x4000 T=255 (#3)
> > > Apr  9 06:24:35 a24b161n139client142 kernel: Packet log: output DENY eth0 PROTO=1 24.161.139.142:3 24.25.227.34:3 L=442 S=0xC0 I=0 F=0x4000 T=255 (#3)
> > > Apr  9 06:30:50 a24b161n139client142 kernel: Packet log: input DENY eth0 PROTO=6 207.71.92.221:4022 24.161.139.142:21 L=48 S=0x00 I=52344 F=0x4000 T=113 SYN (#12)
> > > Apr  9 06:30:53 a24b161n139client142 kernel: Packet log: input DENY eth0 PROTO=6 207.71.92.221:4022 24.161.139.142:21 L=48 S=0x00 I=53116 F=0x4000 T=113 SYN (#12)
> > > Apr  9 06:31:00 a24b161n139client142 kernel: Packet log: input DENY eth0 PROTO=6 207.71.92.221:4022 24.161.139.142:21 L=48 S=0x00 I=54885 F=0x4000 T=113 SYN (#12)
> > > Apr  9 06:31:13 a24b161n139client142 kernel: Packet log: input DENY eth0 PROTO=6 207.71.92.221:4108 24.161.139.142:23 L=48 S=0x00 I=58353 F=0x4000 T=113 SYN (#16)
> > > Apr  9 06:31:16 a24b161n139client142 kernel: Packet log: input DENY eth0 PROTO=6 207.71.92.221:4108 24.161.139.142:23 L=48 S=0x00 I=59358 F=0x4000 T=113 SYN (#16)
> > > Apr  9 06:31:23 a24b161n139client142 kernel: Packet log: input DENY eth0 PROTO=6 207.71.92.221:4108 24.161.139.142:23 L=48 S=0x00 I=60730 F=0x4000 T=113 SYN (#16)
> > > Apr  9 06:31:59 a24b161n139client142 kernel: Packet log: input DENY eth0 PROTO=6 207.71.92.221:4267 24.161.139.142:79 L=48 S=0x00 I=3289 F=0x4000 T=113 SYN (#20)
> > > Apr  9 06:32:02 a24b161n139client142 kernel: Packet log: input DENY eth0 PROTO=6 207.71.92.221:4267 24.161.139.142:79 L=48 S=0x00 I=4139 F=0x4000 T=113 SYN (#20)
> > > Apr  9 06:32:09 a24b161n139client142 kernel: Packet log: input DENY eth0 PROTO=6 207.71.92.221:4267 24.161.139.142:79 L=48 S=0x00 I=5581 F=0x4000 T=113 SYN (#20)
> > > Apr  9 06:32:45 a24b161n139client142 kernel: Packet log: input DENY eth0 PROTO=6 207.71.92.221:4382 24.161.139.142:110 L=48 S=0x00 I=13162 F=0x4000 T=113 SYN (#22)
> > > Apr  9 06:32:48 a24b161n139client142 kernel: Packet log: input DENY eth0 PROTO=6 207.71.92.221:4382 24.161.139.142:110 L=48 S=0x00 I=13806 F=0x4000 T=113 SYN (#22)
> > >
> > > ---
> > > You are currently subscribed to luau as: warren at togami.com
> > > To unsubscribe send a blank email to $subst('Email.Unsub')
> > >
> > >
> > >
> >
> > ---
> > You are currently subscribed to luau as: Cyberclops at hawaii.rr.com
> > To unsubscribe send a blank email to $subst('Email.Unsub')
>
> ---
> You are currently subscribed to luau as: warren at togami.com
> To unsubscribe send a blank email to $subst('Email.Unsub')
>
>
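Editor's addition (not part of the thread above, nor code from any of its participants): the kernel "Packet log:" lines Cyberclops pasted are ipchains-format entries, and Warren's diagnosis is that the firewall is dropping reply packets. The script below parses that log format, summarises which remote source probed which TCP ports, counts the outbound ICMP type 3 (unreachable) messages the firewall swallowed (which is why "Shields Up" reports the host as "stealth"), and flags any dropped inbound UDP packet from a server's port 123, the trace a blocked ntpdate reply would leave. The sample lines are copied from the message; the one UDP line from 128.2.191.71 is constructed to illustrate the ntpdate symptom and was not in the original log. Field names, the rule number on that constructed line, and the helper names are the editor's assumptions.

```python
import re
from collections import Counter, defaultdict

# ipchains-style "Packet log:" lines as seen in the quoted message. For ICMP the
# two "addr:n" fields carry type and code rather than ports.
PACKET_LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sfield>\d+) (?P<dst>[\d.]+):(?P<dfield>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)$"
)

ICMP, TCP, UDP = 1, 6, 17
NTP_PORT = 123

# Sample input: lines taken from the quoted message, plus one CONSTRUCTED line
# (the last one) showing what a dropped ntpdate reply from 128.2.191.71 would
# look like; that line, including its rule number, is an assumption.
SAMPLE_LOG = [
    "Apr  9 06:24:28 a24b161n139client142 kernel: Packet log: output DENY eth0 PROTO=1 24.161.139.142:3 24.25.227.34:3 L=203 S=0xC0 I=0 F=0x4000 T=255 (#3)",
    "Apr  9 06:24:35 a24b161n139client142 kernel: Packet log: output DENY eth0 PROTO=1 24.161.139.142:3 24.25.227.34:3 L=442 S=0xC0 I=0 F=0x4000 T=255 (#3)",
    "Apr  9 06:30:50 a24b161n139client142 kernel: Packet log: input DENY eth0 PROTO=6 207.71.92.221:4022 24.161.139.142:21 L=48 S=0x00 I=52344 F=0x4000 T=113 SYN (#12)",
    "Apr  9 06:31:13 a24b161n139client142 kernel: Packet log: input DENY eth0 PROTO=6 207.71.92.221:4108 24.161.139.142:23 L=48 S=0x00 I=58353 F=0x4000 T=113 SYN (#16)",
    "Apr  9 06:31:59 a24b161n139client142 kernel: Packet log: input DENY eth0 PROTO=6 207.71.92.221:4267 24.161.139.142:79 L=48 S=0x00 I=3289 F=0x4000 T=113 SYN (#20)",
    "Apr  9 06:32:45 a24b161n139client142 kernel: Packet log: input DENY eth0 PROTO=6 207.71.92.221:4382 24.161.139.142:110 L=48 S=0x00 I=13162 F=0x4000 T=113 SYN (#22)",
    "Apr  9 06:32:48 a24b161n139client142 kernel: Packet log: input DENY eth0 PROTO=6 207.71.92.221:4382 24.161.139.142:110 L=48 S=0x00 I=13806 F=0x4000 T=113 SYN (#22)",
    # constructed, not from the original log:
    "Apr  9 06:17:44 a24b161n139client142 kernel: Packet log: input DENY eth0 PROTO=17 128.2.191.71:123 24.161.139.142:123 L=76 S=0x00 I=0 F=0x4000 T=50 (#7)",
]


def parse_packet_log(line):
    """Parse one ipchains log line into a dict; return None for anything else."""
    m = PACKET_LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sfield", "dfield", "length", "ipid", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["flags"] = rec["flags"].split()          # e.g. ["SYN"] or []
    if rec["proto"] == ICMP:
        rec["icmp_type"], rec["icmp_code"] = rec.pop("sfield"), rec.pop("dfield")
    else:
        rec["sport"], rec["dport"] = rec.pop("sfield"), rec.pop("dfield")
    return rec


def is_denied_ntp_reply(rec):
    """True when an inbound UDP packet from a server's port 123 was denied:
    the firewall-side trace of "no server suitable for synchronization found"."""
    return (rec["chain"] == "input" and rec["action"] == "DENY"
            and rec["proto"] == UDP and rec.get("sport") == NTP_PORT)


def summarize(lines):
    """Group denied packets the way a defender reading this log would want."""
    probes = defaultdict(set)       # remote source -> TCP ports it sent SYNs to
    unreachables_blocked = 0        # outbound ICMP type 3 the firewall swallowed
    ntp_replies_dropped = []        # NTP servers whose replies never got in
    rules_hit = Counter()           # which rule number fired, and how often
    for line in lines:
        rec = parse_packet_log(line)
        if rec is None or rec["action"] != "DENY":
            continue
        rules_hit[rec["rule"]] += 1
        if rec["chain"] == "input" and rec["proto"] == TCP and "SYN" in rec["flags"]:
            probes[rec["src"]].add(rec["dport"])
        elif rec["chain"] == "output" and rec["proto"] == ICMP and rec["icmp_type"] == 3:
            unreachables_blocked += 1
        if is_denied_ntp_reply(rec):
            ntp_replies_dropped.append(rec["src"])
    return {
        "probes": {src: sorted(ports) for src, ports in probes.items()},
        "unreachables_blocked": unreachables_blocked,
        "ntp_replies_dropped": ntp_replies_dropped,
        "rules_hit": dict(rules_hit),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample, the summary shows one source (207.71.92.221) sending SYNs to ports 21, 23, 79 and 110, two blocked outbound port-unreachable messages, and one dropped NTP reply; the rule-number counter tells you which rule in the script to look at, which is the starting point Warren recommends before rewriting the INPUT and OUTPUT chains from scratch.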


