dranch at trinnet dot net
TrinityOS(TM)(c) http://www.ecst.csuchico.edu/~dranch/LINUX/index.html#TrinityOS
Written, Maintained, Trademarked, and Copyrighted by David A. Ranch (dranch at trinnet dot net)
Sorry for all the legal stuff...
I've already had one company try to take the name TrinityOS from me (thus the trademark - Reg. Numbers 2440502 and 2525874). I also have had one LDP Guide author ("Securing and Optimizing Linux Red Hat Edition - A Hands on Guide") rip off a large portion of TrinityOS's content without even referencing me or TrinityOS as a source. Unfortunately, this author simply rewrote / rephrased the sections of it to avoid any direct copyright issue though the content is the same. So, with all this bad luck, I had to start covering my butt from the many lowlifes in the world.
Anyway, if you would like to use some of the content from TrinityOS in your project, you NEED to contact me first for permission. I'm an easy going guy so it won't be a big deal. Please just don't use my stuff first and ask second. That's pretty silly.
TrinityOS is a complete Linux server configuration, maintenance, and security guide for the Linux novice and guru alike! Though there are a LOT of features covered in TrinityOS, you don't have to implement all of them. All I can say is, if you are going to connect your Linux box to the Internet, at least INSTALL the packet firewall!!
This document is tailored as a step-by-step, example driven document, instead of a detailed explanation doc on each Linux feature. It doesn't go into many debugging aspects since the Linux Documentation Project's (LDP) HOWTOs already cover this. The TrinityOS document is intended for a techincal audience but hopefully everything is laid out well enough that a new user should be able to follow along without too much trouble!
All of TrinityOS's step-by-step instructions, files, and scripts are fully scripted out for an automatic installation at:
http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-security/TrinityOS-security.tar.gz
* For the curious, the name TrinityOS and my company, Trinity Designs, is NOT derived from being religious (the holy Trinity). The name "Trinity Designs" came from the Trinity Alps in Northern California and "TrinityOS" came from the name of the first atomic bomb testing site in White Sands, New Mexico.
Like any UNIX document, it must be updated constantly to remain relevant. I will do my best to maintain this document but all comments, ideas, etc. are appreciated to keep TrinityOS valuable!
This guide was initially based off the Slackware v3.2 distribution but due to a disk crash, I then installed Redhat 5.0 to try it out. From that point on, I now try to make TrinityOS doc reflect other distributions.
Note: Most of the initial functionality given in this document is already available in a modern day distribution such as Mandrake, Redhat, Debian, SuSe, etc. If you are using any other distribution than Redhat, Debian, etc., you will need to use this doc as a *reference* or a project management guide only. You will then need to obtain the various software sources or binaries by hand and configure the software via its native methods.
** Please note that this document will always be "Under Construction". **
Everything in the "Current Features List" has been implemented and should be documented. Some things in the "Future Features" section have already been completed though not necessarily documented yet. If you have any specific questions about the "Future" or "Current features".. feel free to ask!
#### Tangent #### # # If you have come to this doc directly, you also might want to # check out the rest of my WWW page at: # # http://www.ecst.csuchico.edu/~dranch # # It covers other topics such as: #
**********************************************************************
** Would you like to be notified when I update my WWW page or **
** specifically the TrinityOS doc? **
** **
** Every "update" e-mail is based from both the ChangeLog WWW page **
** and the TrinityOS ChangeLog section so you will know what **
** exactly was updated without any extra fluff. **
** **
** If you're interested, send an e-mail to **
** **
** mailto:dranch at trinnet dot net **
** **
** with a subject of "Add me to your updates list" and I'll add **
** you to the list! **
** **
** -P.S.- In the same request email, tell me what specifically you **
** were/are looking for on my WWW page or in TrinityOS. **
** I'm always taking new requests for additions and expanded **
** coverage of topics already on my page. **
** **
** So don't be shy! **
**********************************************************************
(Won't be implemented in any particular order)
This document uses methodologies that I have developed over the years. Some of these docs have saved my butt on several occasions (documenting things like Drive partition maps, I/O and IRQ maps). This may seem like a pain in the butt to do initially but when you need them..
YOU NEED THEM!
- Mandrake 7.0 w/ all available patches
v2.2.25
- Intel Pentium 200Mhz / 128MB EDO RAM
- Intel TC430HX motherboard (cannot tune IRQ use)
- Serial port #1: COM1 - IRQ 4
- Serial port #2: COM2 - IRQ 3
- LPT1 - IRQ 7
- IDE 0 (disabled)
- IDE 1 - IRQ 15
- Network:
Eth0: Compaq Netelligent 10/100 Dual port (PCI) - port #1 (IRQ 11)
- cable modem side
Eth1: Compaq Netelligent 10/100 Dual port (PCI) - port #2 (IRQ 14)
- Int LAN
- Video:
Matrox Millennium II (4MB) - (PCI)
- Sound:
Built-in Windows Sound System (IO:530h, IRQ: 9, L-DMA: 0, H-DMA: 1,
MPU: 330h, MPU IRQ: -1
- Controllers:
- Adaptec 2940UW SCSI controller (PCI) - IRQ: 10
- Used for SCSI disks (ext. cabling to RAID enclosure)
- Adaptec 2940U SCSI controller (PCI) - IRQ: 14
- Used for CDROMs and Tape drives (int. & ext. cabling)
- I/O Adapter - (ISA)
(2) port serial / (1) parallel
- COM3 - IRQ 4
- COM4 - IRQ 3
- LPT2 - IRQ 5
- Storage Devices:
== In the primary system case ==
- HDC: Maxtor DiamondMax+ 10.0GB (UDMA)[512k][LBA] [
- HDD: IBM 120GB HD
- SR0-6: Nakamichi 7-CD 2x changer (ID: 4)
- SR7: Philips CM4xx 4x CDROM (ID: 5)
- ST0: HP T4000 TR4 Tape drive (ID: 6) [dead?]
== In the secondary RAID enclosure ==
- SDA: Seagate ST39173N 9GB (20Mb/s) (ID: 0) - Primary HD
- SDB: Seagate ST39173N 9GB (20Mb/s) (ID: 1) -
- SDC: IBM DNES-309170 9GB (20Mb/s) (ID: 2) -
- SDD: Seagate ST39173N 9GB (20Mb/s) (ID: 3) - dd backup of SDA
- I/O:(See docs on IRQTUNE to better understand why these
are like this. It makes a difference!)
ttyS0: COM1 - APC SmartUPS UPS
ttyS1: COM2 - N/A
ttyS3: COM3 - USR Courier v.Everything
ttyS2: COM4 -
LPT1: Hp LaserJet-IIp (UNIX & Samba share)
LPT2: Canon S800 (UNIX & Samba share)
------ I/O Maps and "Expert" fdisk partition tables -----
IRQ Map:
0: timer (system)
1: keyboard (system)
2: Cascade (system)
3: COM2-N/A (Motheboard) & COM4-
4: COM1-APC Smartups (Motherboard & COM3-US Robotics modem
5: Sound (Motherboard)
6: Floppy (system)
7: LPT1-printer (motherboard)
8: Clock (system)
9: Cascade
10: Adaptec 2940U (PCI)
11: Compaq Ethernet#1 (PCI)
12: PS/2 mouse (motherboard)
13: Math coprocessor
14: Adaptec 2940UW (PCI)
15: IDE1 (motherboard)
I/O Port MAP:
170-1F7h: IDE1
1F0-1F7h: IDE0
200-207h: (not used) usually Joystick
278-27Fh: LPT1
2E8-2EFh: COM4
2F8-2FFh: COM2
330-331h: Windows Sound Systye Pro MPU-401
376-376h: IDE1
378-37Fh: LPT1
3E8-3EFh: COM3
3F0-3F5h: Floppy drive
3F6-3F6h: IDE0
530-533h: Windows Sound System
E800h: AHA2940U
EC80h: AHA2940U
FCE0: TLAN #1
FCF0: TLAN #2
E400h: System BIOS
E800h: Systen BIOS
F000h: System BIOS
DMA Map:
0 - Windows Sound System
1 - Windows Sound System
2 - Alternative Floppy DMA
3 - Floppy DMA
4 - Casecade
5 - None
6 - None
-----
All hard Drive partition tables
-----
/dev/hdc (normal mode printout - expert truncates)
==================================================
Disk /dev/hdc: 16 heads, 63 sectors, 19390 cylinders
Units = cylinders of 1008 * 512 bytes
Device Boot Begin Start End Blocks Id System
/dev/hdc1 1 1 19390 9772528+ 83 Linux native
==================================================
/dev/sda (expert mode printout)
==================================================
Disk /dev/sda: 255 heads, 63 sectors, 1106 cylinders
Nr AF Hd Sec Cyl Hd Sec Cyl Start Size ID
1 80 1 1 0 254 63 6 63 112392 06
2 00 0 1 7 254 63 1023 11245517655435 05
3 00 0 0 0 0 0 0 0 0 00
4 00 0 0 0 0 0 0 0 0 00
5 00 1 1 7 254 63 261 63 4096512 83
6 00 1 1 262 254 63 294 63 530082 82
7 00 1 1 295 254 63 1023 6312289662 83
8 00 254 63 1023 254 63 1023 63 738927 83
==================================================
/dev/sdb (expert mode printout)
==================================================
Disk /dev/sdb: 255 heads, 63 sectors, 1106 cylinders
Nr AF Hd Sec Cyl Hd Sec Cyl Start Size ID
1 00 1 1 0 254 63 1023 6317767827 83
2 00 0 0 0 0 0 0 0 0 00
3 00 0 0 0 0 0 0 0 0 00
4 00 0 0 0 0 0 0 0 0 00
==================================================
/dev/sdc (expert mode printout)
==================================================
Disk /dev/sdc: 255 heads, 63 sectors, 1115 cylinders
Nr AF Hd Sec Cyl Hd Sec Cyl Start Size ID
1 00 1 1 0 254 63 1023 6317912412 83
2 00 0 0 0 0 0 0 0 0 00
3 00 0 0 0 0 0 0 0 0 00
4 00 0 0 0 0 0 0 0 0 00
==================================================
/dev/sdd (expert mode printout)
==================================================
Disk /dev/sdd: 255 heads, 63 sectors, 1106 cylinders
Nr AF Hd Sec Cyl Hd Sec Cyl Start Size ID
1 80 1 1 0 254 63 6 63 112392 06
2 00 0 1 7 254 63 1023 11245517655435 05
3 00 0 0 0 0 0 0 0 0 00
4 00 0 0 0 0 0 0 0 0 00
5 00 1 1 7 254 63 261 63 4096512 83
6 00 1 1 262 254 63 294 63 530082 82
7 00 1 1 295 254 63 1023 6312289662 83
8 00 254 63 1023 254 63 1023 63 738927 83
==================================================
-------
--
mkdir /etc/iana
cd /etc/iana/
wget -r -l 1 -nH --no-parent http://www.iana.org/numbers.htm
Any Service Packs, security patches, etc. for your installed Slackware or Redhat distribution(s)
ftp://ftp.kernel.org/pub/linux/kernel/ or ftp://ftp.freesoftware.com/pub/linux/sunsite/kernel/
IPMASQADM port forward patches:
The beginnings of Stateful Inspection for Linux:
Primary site: http://www.samba.org/ppp/index.html/
Very popular user-space client : Primary Site: http://www.roaringpenguin.com/pppoe.html
Kernel-Space client known for somewhat better performance: http://www.davin.ottawa.on.ca/pppoe/
Some other informational URLs as well:
http://www.suse.de/~bk/PPPoE-project.html
http://www.sympaticousers.org/faq.htm
Diald is now maintained by a new author and site:
RPMS: http://ipmasq.webhop.net/juanjox/
Download the original Diald and Diald patches (Diald v0.16.5)
http://www.loonie.net/~eschenk/diald.html
Sources: ftp://ftp.isc.org/isc/bind/src/
Versions: 9.2.2 requires non-vulnverable OpenSSL code. It's also recommend to download both the source code /and/ the associated .asc PGP signature for that version of BIND.
RPMs: Finding new RPMs for the newest versions of Bind isn't very easy. Once place you might have luck is the CONTRIB area of sites like Redhat and Mandrake. Those RPMs seem to work fine but some people do NOT trust someone else's compiled code, so, it's your choice.
You can also find a chroot-ed version of bind here:
ftp://ftp.fi.muni.cz/pub/users/kas/bind-chroot/
Announcement list:
Send email to bind-announce-request@isc.org with "subscribe" in the subject field.
ftp://ftp.freesoftware.com/pub/linux/sunsite/utils/console/vlock-1.0.tar.gz
ftp://ftp.freesoftware.com/pub/linux/sunsite/system/network/management/ or ftp://ftp.ee.lbl.gov/tcpdump.tar.Z
- Current 2.7.0
- Current 0.10.11
ftp://ftp.sendmail.org/pub/sendmail/
Both Sendmail 8.12.9 and 8.11.7 are secure though they have a problem with the "smrsh" shell. TrinityOS doesn't use this but if you are concerned about it, a patch is available. Currently, if you plan to use 8.11.x, you need to run 8.11.7 secure it from a few recently found remote root exploits.
RPMs: The newest Sendmail is NOT available in RPM form from sendmail.org but it IS in Redhat's CONTRIB area. It seems to work fine but some people do NOT trust someone else's compiled code, so, it's your choice.
ftp://ftp.infomagic.com/pub/mirrors/linux/RedHatContrib/libc6/i386
Announcement list:
Send an email to majordomo@Lists.Sendmail.ORG with the text "subscribe sendmail-announce" in the body of the message.
I have taken over ownership of these documents but haven't had a chance to post them yet. If you would like to get a copy of them, please email me
For allowing remote POP-3 clients to be able to use the SMTP server to send email.
To support multple email domains w/ Sendmail, Qmail, etc check out:
http://www.linuxdoc.org/HOWTO/Virtual-Services-HOWTO.html
DHCP Faq: http://www.dhcp-handbook.com/dhcp_faq.html#hddhs
RFC Info: http://www.dhcp.org/rfc2131.html
http://www.dhcp.org/rfc2132.html
Legacy Info: http://www.cis.ohio-state.edu/rfc/rfc1542.txt
Download: http://www.isc.org/dhcp.html
DHCP HOWTO: http://www.tldp.org/HOWTO/mini/DHCP/index.html
dhclient v3.0.2 comes with the server code above
DHCPcd 1.3.22-p14: http://www.phystech.com/download/dhcpcd.html
Other DHCP info:
http://www.linux-firewall-tools.com/linux/firewall/index.html
A HOWTO specific to the RoadRunner Cablemodem setup, but it's still a good site: http://www.vortech.net/rrlinux/
FTP: ftp://ftp.wu-ftpd.org/pub/wu-ftpd/
FAQ: http://www.cetis.hvu.nl/~koos/wu-ftpd-faq.html
ftp://ftp.digital.com/pub/linux/redhat/powertools-5.0/i386/
ftp://metalab.unc.edu/pub/Linux/system/network/misc/getdate_rfc868-1.2.tar.gz
http://www.eecis.udel.edu/~mills/ntp
- BRU (it's not free but it's the best Linux backup software out there IMHO. This is one place you just CAN'T skimp!) Recommended!
http://www.estinc.com
Original Mozilla (deprecated) - 1.7.8 Firefox - 1.0.4 Thunderbird - 1.0.2
Commonly used BSD licensed OpenSSH client/server (totally free) - current: 4.0p1 http://www.openssh.com/
Original Commercial SSH.com client/server (free for Linux :: for now) - current: 3.2.6.1 http://ftp.ssh.com/pub/ssh/
Additional UNIX SSH tunneling URLs:
http://www.ccs.neu.edu/groups/systems/howto/howto-sshtunnel.html
MDADM v1.11.0): http://www.cse.unsw.edu.au/~neilb/source/mdadm/
Good but old info on Linux RAID: http://linas.org/linux/raid.html
Raidtools (DEPRECATED) 1.00.3: http://people.redhat.com/mingo/raidtools/
Also, they have great docs at http://samba.anu.edu.au/
http://pcmcia-cs.sourceforge.net/
Original and quite nice APCUPSd open-source daemon - v3.10.17a: http://www.apcupsd.com/ or http://www.sibbald.com/apcupsd/
Official APC Powerchute for Linux - v4.5.3 - Free closed-source daemon with excellent Xwindows support: http://www.apcc.com/tools/download/index.cfm
Standard Apache: http://www.apache.org or ftp://ftp.redhat.com/pub/contrib/i386/apache-1.2.6-5.i386.rpm
SSL-encrypted Apache:
Tripwire has gone OpenSource for LINUX! Woohoo! Though it isn't available quite yet, it will be there soon:
Also, as of v2.2.1, Tripwire now runs on Glibc.
http://www.tripwiresecurity.com/products/Tripwire_ASR20.cfml
You can also get the older versions here:
ftp://coast.cs.purdue.edu/pub/COAST/Tripwire
AIDE is a GNU version of Tripwire - v0.10
http://sourceforge.net/projects/aide
ViperDB is another GNU version of Tripwire
http://www.resentment.org/projects/viperdb/index.html
http://www.kaybee.org/~kirk/html/linux.html
http://cpan.valueclick.com/modules/by-module/Net/
(does not work for Redhat 5.2+) [Will be phased out] ftp://ftp.iaehv.nl/pub/users/grimaldo/rpmwatch-1.1-1.noarch.rpm
ftp://ftp.fokus.gmd.de/pub/unix/cdrecord/mkisofs/
BZip2 : http://sourceware.cygnus.com/bzip2/index.html
http://www.linuxdoc.org/HOWTO/Bash-Prompt-HOWTO.html Also see Section 42 in TrinityOS
Project home page:
http://www.xs4all.nl/~freeswan or http://www.flora.org/freeswan/
SWAN email list:
http://www.xs4all.nl/~freeswan
Overview http://www.cygnus.com/~gnu/swan.html
Download the IPSec code from:
Broken? ftp://ftp.xs4all.nl/pub/crypto/freeswan
Works ? http://ftp.xs4all.nl/pub/crypto/freeswan
or
http://www.flora.org/freeswan/download
Other Mini-HOWTOs:
https://www.seifried.org/articles/ipsec/
ftp://ftp.tu-graz.ac.at/pub/linux/redhat-contrib/SRPMS/iplogger-0.1-1.src.rpm
ftp://ftp.freesoftware.com/pub/linux/sunsite/system/security/cops_104.tgz
Newer: ftp://ftp.porcupine.org/pub/security/index.html
Older ftp://ftp.win.tue.nl/pub/security/satan.tar.Z
ftp://ftp.huwig.de/pub/linux/mama/2.0/stack_noexec-symlink-security-fix.bz2
https://www.seifried.org/lasg/
http://www.sys-security.com/archive/papers/ICMP_Scanning_v2.0.pdf
Test Exploits: http://www-miaif.lip6.fr/willy/security/
Test Exploits: http://www.rootshell.org
Test Exploits: http://www.l0pht.com
Test Exploits: http://www.geek-girl.com
Security Alerts: Subscribe to BugTraq at mailto://LISTSERV@NETSPACE.ORG
More Security:
http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#security
http://www.ecst.csuchico.edu/~jtmurphy/
Includes host_sentry, port_sentry and logchecker.
SHADOW (SANS): http://www.nswc.navy.mil/ISSEC/CID/step.htm
Snort: http://www.snort.com
Setup HOWTO: http://www.nswc.navy.mil/ISSEC/CID/nfr.htm
NFR software: http://www.nfr.net/download/
NFR ID Attack ID Packages: http://www.nswc.navy.mil/ISSEC/CID/nfr_id.tar.gz http://www.l0pht.com/NFR/
http://www-math.uni-paderborn.de/~axel/NoShit/index.html
patch: http://www.america.com/~chrisf/web/NoShit/WebFilter_0.5.patch.gz
Example filter: http://www.america.com/~chrisf/web/NoShit/library.txt
http://www.torque.net/~campbell
http://www.xnet.com/~blatura/linapps.shtml
X-Shipwars: http://fox.mit.edu/xsw/
This is too complicated to be completely covered in TrinityOS. But, to get you started, here are a few comments that talk about what Linux distribution might be right for you.
One thing I've been asked over and over is regarding users that are trying out Linux with an old Linux CD ( given to them, etc.). With the new 2.4.x kernels out, all the newest Linux distributions BLOW AWAY the old ones in terms of ease of setup, performance, hardware compatibility, etc. So, I recommend that you get a new copy a given Linux distribution and give that a look. And you can't tell me it's expensive when you can get almost ANY Linux distribution for under $3.00 US a CD from places like http://www.cheapbytes.com.
*-----------------------------------------------------------------------------* * What do I use? I currently use Mandrake v9.1 on my work laptop (Dell) and * * * * 7.0 at home but I'm worried about Mandrake's direction (see more below) * *-----------------------------------------------------------------------------*
So, with that behind us, here is a few notes:
Redhat has recently discontinued both their regular Linux distribution via retail channels as well as their downloadable ISO version (currently 9.0). Moving forward, Redhat has created two projects. The "Fedora" project which is an opensource distribution and then their Redhat Enterprise Linux v3.0 distro line. A good question is if the Fedora project will take over where the RH9.0 distro left off in terms of quality, etc. I have no idea but I do know that the testing won't be nearly as good and I doubt the installer and GUI tools will be as refined as they've been in the past.
Fedora: The main differentiation with with the two RH distros is there isn't any Redhat commercial grade testing or tech support for the Fedora version This is no different than using distros like Debian, Gentoo, etc. which are well supported by the Linux community as a whole. All Fedora support will be via web forums, 3rd party support vendors, etc.
Enterprise Linux: The RH Enterprise Linux line offers email/phone support for 2-3 years for email/phone support and 5 years for critical security patches, etc. which is very good in my option. Unfortunately, the Enterprise line comes in three versions (workstation only (WS), small server (ES), and big server (AS)) and thus charges accordingly:
As of November, 2003 -------------------- WS - $180 - only initial install support :: Full 1 yr support is $299 US. - NO servers support - this is only a workstation (very limiting)
ES - $350 - only initial install support :: Full 1 yr support is $799 US.A - Full servers support - Dual SMP only - limited RPM package list
AS - $1500 - support included but 4 CPU version starts at $2500 US. - Full servers support - 4way CPU + - more complete RPM package list
Yes, this is expensive for a enduser but not bad for an enterprise setup. BUT, my major gripe with RHEL is that the software package list or RPM list Linux is probably < 50% that of RH 9.0 was. Check it out, here is a full list of the RHEL ES 3.0 RPMs - http://www.ecst.csuchico.edu/~dranch/LINUX/Rhel/ As you can tell, not only does this make EL expensive but you don't get a whole lot for your money other than a good software patch policy.
Anyway, Redhat has been a premier Linux distribution that has a strong installation tool and has some great system administration utilities too. One of the best parts of Redhat is its increamental RPM package installation and upgrade system. Redhat is constantly upgraded, they even support / offer patches for their oldest distro versions, and it is well supported in the Linux community.
Redhat is a good choice for the Linux newbie that wants a more server-focused distro or a GUI configuration approach running with all kinds functionality. Don't let the server focus fool you.. this distro is very desktop friendly as well. Redhat is a Gnome shop vs. a KDE-centric distro.
If you are already a UNIX snob, you might find Redhat's layout a little wierd (unless you are a Sun Solaris (SYSV) person - the /etc/rc.d/rc2.d layout is similar).
*BUT*, many people don't like Redhat. Why?
1. Redhat has a LOT of extra software built-in. Yes, you can choose the "Custom" installation process and get rid of most of the options (recommended) but a FULL install is quite large (a full RH8.0 install is 4.6GB!). Yes, you can pick a "custom" install and reduce the number of installed packages but it's still a heavy distro.
2. If you want to *learn* UNIX (not specifically Linux) in the classic LINUX step-by-step fashion and truly understand it (the hardest but BEST way (IMHO)), Redhat probably wouldn't be my first choice! Yet, I do have to admit my opinion is slowly changing though.
3. Redhat changes the entire behavior of how Linux is set up and configured compared to other distributions like Slackware to be more easy to use, modifible via scripts, etc. Unfortunately, Redhat's GUI tools don't easily tell you what it is going to do to your config files. If you want to learn UNIX in a classic fashion, go with Slackware or, to a lesser extent, Debian, SuSe, etc! Those distributions are a LOT more plain and easier to initially figure out.
4. RPM Hell. You've might have heard about this term before. What this basically means is that if you want install a given program, sometimes it has prerequisite of installing another program first. Ok, so you try to install that required program to only find thhat this sub-required program might have THREE other required programs. Then when you try to install the sub-sub programs, they TOO have requirements. Get the idea? Though it is always solved with patience (using RPM manually and installing all the required programs), many people hate RPMs for this reason. Fortunately, Redhat's newest RPM GUI tools determine all the required other programs for youi. Some say this is a fundamental flaw of the RPM system itself. I don't think it's that bad but I'm a patient kind of guy (most of the time at least).
All Newer versions of Redhat have enhanced installation programs for simple installations but with the ability to configure advanced options like software RAID, LVM, etc. Also, the ASCII, NCURSES, and X-Windows versions of the "linuxconf" and "control-panel" GUI interfaces are getting VERY cool!
Mandrake Linux, currently at version 9.2, is a close derivative of Redhat Linux with some significant changes and add-ons. The main difference between Mandrake and Redhat (even today) is that Mandrake is compiled for [ Pentium ] or newer machines. Redhat is currently compiled for Intel 386 (i386) processors though their kernels are optimized. With the Pentium optimizations alone, Mandrake can yeild anywhere from a 10-20% performance increase over RedHat on some platforms.
Next, Mandrake has been adding more customized tools to their distribution. With these tools, like the "Mandrake Updater", administration is easier. If you like GUI tools, Mandrake has them!
One thing I do want to mention is that Mandrake installers within the "Drak" have become very powerful. The installers are very simple for the newbie but can also be very powerful (installtion of software RAID, LVM, etc). Mandrake is also very security conscious and gives the user the option of different default security settings, etc.
Much like Redhat, Mandrake also shares with the RPM hell problem. Fortunately, Mandrake has RPMdrake which determines all of the required dependancies for you and fixes most of this issue.
One last thing that must be noted is that like most Linux vendors, Mandrake has changed their patch support policies. They now only offers security patches for ONE year from the release of the distro. After that, you MUST upgrade to their newest distro. The alternative is to buy their Corporate Server version which is pretty expensive (Corp. Server 1.1 is $799) but will give you support 2+ years. In comparison to Redhat and SuSe's support policies, Mandrake is both expensive and lacking equal support. This pains me as I'm a big Mandrake fan but servers need to be supported and upgrading every two years is silly. Ultimately, if it's a server that you don't plan on upgrading very often, getting the Corporate version might make sense. For a destop system, only getting patches for 1 year sucks but then again, newer distros will have more featuress, etc.
SuSE, currently in version 9.0, is a powerful distribution from Germany. I had previously tried their older releases but there was so much embedded German text in it, it bothered me so I gave up on it. I recently installed newer versions and it seemed much better. The installation program is pretty good though I think Redhat or Mandrake's is better. But, SuSE has a nice configuration tool called YaST and they were one of the first to come with the KDE window manager.
If you like the BSD style of configuring services (much like Slackware, FreeBSD, etc.), you'll like SuSe.
BUT.. recently, Novell with a grant from IBM is trying to buy SuSe. What will this mean to SuSe? Good question but it will take them a while to improve or bury it.
Debian is currently on their 3.0R1 release and though I haven't used Debian much, many people out there (mostly power users) seem to like it a lot. Debian is a community distro which means that there is no "Debian" corporation trying to make money at it. It's run and maintained by the community so the distro is only as good as the contributors. It has been best described to me as as a distribution that old Slackware users will LOVE which hate Redhat. Interestingly enough, the defunct Corel and Storm distributions were based on Debian.
Debian doesn't include the kitchen sink in for software like Mandrake or Redhat but it's laid out in a good manner and it has it's own RPM-like installation/upgrade system called dPKG with GUI frontends like "apt" or the older too, "dselect". One thing to note about Debian's package system is that unlike the "RPM hell" situation (see the Redhat section above), it can automatically determine a package's dependancies (what other programs are needed to get this particular program to run) and automatically download AND install the required packages. In this respect, Debian is still untouched in ease of use.
Like Redhat, Debian is reported to be constantly updated and well supported. Many people argue that Debian is even better updated than Redhat though they are considerably slower to release new distributions with the newest versions of Gnome, KDE, etc. compared to the other distro vendors.
Gentoo is a new distro community distro that is very similar to Debian in the respect that there is no "Gentoo" corporation trying to make money from it. It's run and maintained by the community so the distro is only as good as the contributors.
Fortunately, Gentoo brings something new to the Linux distro mix. Most traditional linux distros (Redhat, Mandrake, SuSe, etc.) all install pre-compiled binaries which makes the installation quick and painless but the resulting distro might not take advantage of your hardware (ahem.. Redhat). Gentoo takes a totally different stance on the installation phase. Specifically, after you pick the packages you want to install, Gentoo will compile ALL of them from the sources to maximize your hardware. This is great though a full installation can take DAYS if not even a WEEK or more depending on how fast your hardware is and how many packages you are installing.
Once installed, Gentoo uses the "portage" program installation system which is similar to the *BSD "ports" system. This is where everything is compiled from source. It's a pretty easy system to use as it automatically figures out where to download the programs from and how to compile them. It just is time consuming. But, the sweetest aspect to "portage" system is that with one command, you can upgrade your ENTIRE distro install to the current versions of all packages with ONE command! Very powerful though I also consider this dangerous too (config files change, too many variables if something breaks, etc.)
Slackware, now at version 9.1 is one of the original Linux distributions and it is still one of my favorites. It definately isn't as slick in terms of installation or functionality compared to Mandrake but it's laid out in a clear manner. The INIT scripts (the scripts that are executed to bring the system up) are laid out in a very readable fashion (BSD-style - So is SuSe) and everything is obvious (in the open). Slackware will be a comfortable fit for the UNIX guru peoples out there.
Like Redhat, Slackware uses a software package system (pkg) for modularized system upgrades. Though it isn't as fancy as Redhat's RPM system.. it has almost all the same functionality. Though patches do come out for Slackware, Redhat's community usually has patches available FASTER.
Caldera or SCO, now at v3.1, is the most commercial of all the Linux distributions. They initially pulled ahead of the pack with a better installation program and auto-installing hardware modules but almost everyone has caught up pretty quickly. Caldera was understood to have one of the easiest installation program of ALL the distributions though Mandrake might have them beat now.
Caldera differentiates itself by trying to meet the needs of the corporate market. For example, they have completed a port of Novell's NDS directory services to Linux. Pretty cool!
But, it should be noted that SCO seems to be taking on Linux on the legal front. They are sueing various companies for Millions if not Billions of dollars. In my opinion, this is a last gasp for them to stay alive but this isn't a way to keep the Linux community happy with them.
There are other Distributions out there to pick from depending on your hardware platform (Dec Alpha, Motorola PowerPC, etc) such as:
TurboLinux - popular in Japan / Network clusters
LinuxPPc http://www.linuxppc.org - for PowerPC machines
LinuxPro http://www.wgs.com/
LinuxWare http://www.trans-am.com/
MkLinux http://www.mklinux.apple.com/ - For 680x0 and PPC Apples
Stampede http://www.stampede.org/
You'll have to experiment and ask other Linux people what distribution they like and WHY! Personally, I'd recommend to get one of those multiple Distrobution CD sets from places like http://www.cheapbytes.com and try them out yourself!!
For more Distribution details, check out:
http://www.linux.org/dist/english.html
http://www.tldp.org/HOWTO/CD-Distributions-EN-HOWTO/index.html
http://www.linuxgazette.com/issue31/hughes.html
Like ANY Linux distribution, bug fixes, security releases, etc. are always coming out and you NEED to stay on top of it. Remember, Linux is very functional but without a given security patch, a hacker can break into your box and do ANYTHING! Redhat, Debian, Slackware, etc have their own incremental update systems that makes this easier.
P.S. If the program you update to with "pkgadd" has different configuration file layouts, you will have to the conversion manually. Debian and Redhat's systems can do the conversion for you though I've had mixed results with this.
Go to the Redhat Updates URL in Section 5 and download all the recent patches to a directory (ie. /tmp/patches). Once you have all of the newest RPMs, you should use the "Fresh" option of the RPM tool. This will update the RPMs on your machine ONLY if an older version of the RPM is installed on your machine. So, I recommend thast you do:
rpm -Fvh /tmp/patches/*
Also, please heed these following warnings regarding RPMs:
******************************************************************************* ** Don't always trust RPMs!!!! ** ** ** ** See [Section 50] for more specific instructions on how to use ** ** RPMs, see what files will be installed/replaced/OVERWRITTEN BEFORE you ** ** install them, etc. ** ******************************************************************************* ** Staying on top of new RP Ms ** ** ** ** You should also implement the RPM notification tool that is documented ** ** in [Section 43] to stay on-top of this in the future! ** *******************************************************************************
----------------------------------------------
This is how the TrinityOS network is laid out:
--
Network topology diagram:
________
/ \
|Internet >------------------+
\________/ |
Cablemodem
|
+-----------------------+
| | |
| External Link: eth0 |
| IP: 100.200.0.212 |
_________ | DGW: 100.200.0.1 |
/ Various \ | |
| Remote | | ------------ |
| Sites >-ISDN--|- External Link: ppp0 |
| & | | IP: dynamic |
| Internet| | ------------ |
| link | | DMZ Link: eth2 ---|----< To 802.11b wireless network
\ backup / | IP: 192.168.10.1 | IP: 192.168.10.x
--------- | ------------ | DGW: 192.168.10.1
| | DNS: 192.168.10.1
| Internal Link: eth1 |
| IP: 192.168.0.1 |
| | |
+-----------------------+
|
8-port 100Mb/s switch
|
+----+----+----+----+----+----+----+----+
| | | | | | | | |
PC PC PC PC PC PC PC PC PC
#1 #2 #3 #4 #5 #6 #7 #8 #9
|
|
/----------------\
IP: 192.168.0.2
DGW: 192.168.0.1
DNS: 192.168.0.1
- Next, this section is to custom tailor your copy of TrinityOS to your specific
environment. Do a search/replace on the "Search for" fields and replace them
with your correct "replace with" fields.
PLEASE NOTE: If you are going to use IP Masquerading, you should use one of the private address spaces as described in RFC 1918 http://www.cis.ohio-state.edu/htbin/rfc/rfc1918.html such as:
search for replace with (given as an example)
---------- ----------------------------------
Your main login ID johndoe your-login
Your PPP ISP name your-ppp-isp-name your-ppp-isp-name
Your PPP ISP # 555-1212 555-1234
Your PPP login your-ppp-login your-ppp-login
Your PPP password your-ppp-passwd your-ppp-passwd
The Linux machine
name roadrunner your-linux-boxes-name
Domain Name acme123.com yourdomain.org
Second Domain Name another-domain.com yourseconddomain.org
Internal IP network 192.168.0.0 192.168.0.0
Internal IP address 192.168.0.10 192.168.0.10
Internal gateway IP 192.168.0.1 192.168.0.1
Internal broadcast IP 192.168.0.255 192.168.0.255
Internal DMZ IP network 192.168.10.0 192.168.10.0
Internal DMZ IP address 192.168.10.10 192.168.10.10
Internal DMZ gateway IP 192.168.10.1 192.168.10.1
Internal broadcast DMZ IP 192.168.10.255 192.168.10.255
External IP network 100.200.0.0 100.201.0.0
External IP address 100.200.0.212 100.201.0.212
External gateway IP 100.200.0.1 100.201.0.1
External broadcast IP 100.200.0.255 100.201.0.255
Remote SECONDARY DNS ns.backupacme.com ns.yourdomain.org
External secondary DNS 102.200.0.25 102.201.0.25
Reverse DNS lookup 54.44.80.10 50.0.201.102
Explict allowed IP#1 200.211.0.40 200.244.0.40
Explict allowed IP#2 200.211.0.41 200.244.0.41
Explict allowed IP#3 200.211.0.42 200.244.0.42
Explict allowed IP#4 200.211.0.43 200.244.0.43
ISP DNS server #1 10.200.200.69 10.222.222.44
ISP DNS server #2 10.200.200.96 10.222.222.88
Your SMB Workgroup: ACME123 your-linux-boxes-SMB-workgroup-name
Your pager email: 1234567@skytel.com 2321432342@skytel.com
An internal PORTFWed
MASQ machine name: coyote one-internal-MASQed-machine-name
A internal PORTFWed
MASQ machine IP: 192.168.0.20 192.168.0.20
Internal machines
allowed to connect
to the MASQ server: 192.168.0.11 192.168.0.11
192.168.0.12 192.168.0.12
Remote PPTP setup
PPTP server running at: MyEmployer.com MyEmployer.com
PPTP server IP: 220.1.2.3 220.1.2.3
PPTP username: YourUserNameHERE YourUserNameHERE
PPTP CHAP name: REMOTE-PPTP-CHAP-HERE REMOTE-PPTP-CHAP-HERE
* These are errors, bugs, annoyances, etc that I've notice in Redhat5.x. But, these might be fixed in later CD releases, patches, etc.
http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-security/TrinityOS-security.tar.gz
chmod -R 750 /etc/cron.hourly
chmod -R 750 /etc/cron.hourly/*
chmod -R 750 /etc/cron.daily
chmod -R 750 /etc/cron.daily/*
chmod -R 750 /etc/cron.weekly
chmod -R 750 /etc/cron.weekly/*
chmod -R 750 /etc/cron.monthly
chmod -R 750 /etc/cron.monthly/*
MINICOM="-c on"
export MINICOM
alias ls='ls --color=yes'
export CC="colorgcc"
TZ=PST8PDT
Now edit the "EXPORT PATH" line and append the word "TZ"
NOTE: Changing this behavior makes the permissions of all NEWLY created files only readable by certain users and groups. This can have a detrimental effect on programs that need to be used by multiple users. The default is "umask 002 else umask 022".
NOTE2: If you see two "umask" lines, change them BOTH to 027
- edit /etc/profile, find the umask line(s) and make them it read "umask 027"
NOTE: The changes were:
ln -s /usr/local/bin/tar /bin/tar
:.Z: : :/usr/bin/compress -d -c %s:T_REG|T_ASCII:O_UNCOMPRESS:UNCOMPRESS : : :.Z:/usr/bin/compress -c %s:T_REG:O_COMPRESS:COMPRESS :.gz: : :/bin/gzip -cd %s:T_REG|T_ASCII:O_UNCOMPRESS:GUNZIP : : :.gz:/bin/gzip -9 -c %s:T_REG:O_COMPRESS:GZIP : : :.tar:/bin/tar -c -f - %s:T_REG|T_DIR:O_TAR:TAR : : :.tar.Z:/bin/tar -c -Z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+COMPRESS : : :.tar.gz:/bin/tar -c -z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+GZIP
Bad, Bad, Bad. Only "root" and admin groups should be able to do this type of adminstration.
chmod -R 770 /etc/rc.d/init.d/*
================================================================================
This covers CMOS setups, disable ports, TCP wrappers, shadow passwds, etc.
First thing, I would recommend to do in addition to following TrinityOS for your needed purposes, read LDP's Security HOWTO for a more detailed explanation of what to do. Interestingly enough, I never read it until recently and a LOT of things I had independantly recommend was already in the Security HOWTO too! So, it sounds like we are on-track! I recommend you read it too! The URL is in Section 5.
Upon system boot, enter into the CMOS setup
- I recommend the combination of upper and lower case characters with numbers!
By changing the BIOS boot order from A:,C: to C:,A:
If you are extra paranoid, you can set the floppy drive to READ only or even disable the floppy drive all together if you wish.
- Now, boot back into Linux and make sure you have a password for the root login
passwd root
Pl3a5eGet0ut and Pl3a5eGe
Because of this, you need a strong password and it can ONLY be 8-characters long. You REALLY should use a combination of UPPER and lower case characters, numbers, and special characters such as:
[ `~!@#$%^&*()-_=+{[]}\|'";:,<.>/? ]
Fortunately enough, the newer Linux distributions have fixed this issue. But regardless if this has been fixed on your distribution or not, it IS important that you choose a strong passwd.
This ensures that only the file's owner can delete
a given file in /tmp (Fixed in RH6.x):
chmod 1777 /tmp
- This is pretty important if you don't have the best physical security on the box:
- Do implement this, edit /etc/inittab and change the line:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
to
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
- Now, for the system to understand the change, type in the following at a prompt
/sbin/init q
Newer Redhat:
prompt=yes
prompt=no
NOTE: Use this command if you are logged in as root and want to LOCK the ttys without having to log fully out and back in again. Nice!
NOTE: Regardless of Linux distribution, you might want to SKIP some of the following steps if you plan to run:
(though this is specific to Redhat, the following is a good read for ALL Linux users.)
The way that Redhat boots is the SysV way. This is where the OS will execute ALL files for a given runlevel (see definition below) that start with a "S" (that's a CAPITAL "S") and have a number after that in a numerical order from lowest to highest. For example, it will run "S10network" before it runs "S30syslog".
So what's a RUN-level? A run-level is the mode that the machine will load various system programs. Though this varies from Unix to Unix (Linux, Solaris, AIX, HP-UX, etc.), they are similar. For Linux, this is the run-levels (from /etc/inittab):
Please note that some Linux distributions have slight variations:
Also, if you didn't already notice, all of the files in various runlevel directories like /etc/rc.d/rc0, 1, 2, 3, 4, 5, 6.d are actually just symbolic links to all the real script files in /etc/rc.d/init.d! This makes things more manageable.
So, since Linux usually runs in multi-user / non-Xwindows mode, that means runlevel "3" will execute all files in the /etc/rc.d/rc3.d directory. Then, the system will begin to run ALL files starting with "S" in order. When you shutdown or restart the machine, you change the machine into runlevel "0" or "1". This will first execute all commands from the initial runlevel directory of "3" starting with "K". If the given process isn't already running, like my example for LPD, it will just skip it and move on. Get it?
The way that Slackware boots is the BSD way. It will execute the /etc/rc.d/rc.inet1 (network interfaces) file first. Then, it will run the /etc/rc.d/rc.inet2 (network services) file. This is much more readable than the Redhat method but its harder to maintain (IMHO).
BSD-Style: Edit the following files in /etc/rc.d/ and make these changes unless you need that service.
- rc.M (disable email and WWW servers)
- line 75: #'d out all lines for Sendmail
- line 97: #'d out all lines for httpd
- rc.inet2 (disable SERVER and NFS servers)
- line 14: #'d out all lines for lpd
- line 15: #'d out all lines for lpd
- line 31: #'d out all lines for portmap
- line 72: #'d out all lines for mountd, nfsd, pcnfsd, bwnfsd
There are at least (6) ways to turn on/off what daemons load:
Via A GUI interface:
This process manipulation can be done either via:
Note - Though I'm a command line bigot, I feel the "ntsysv" GUI is the fastest way to modify these options!
NOTE #2 - It should be noted that some people really feel that if you are going to disable a package, you might as well REMOVE IT. This is technically MORE secure (nothing to run an exploit against) nor does it take up any disk space. Personally, I usually side with functionality and rather just disable the service vs. delete it all together. Now, if you're sure that you'll NEVER use this service, definately recommend to delete the package.
To DELETE a given package:
To remove packages:
NOTE #3 - I've found that when you first run these GUI tools, they will default to running and disabling some processes they SHOULDN'T! So, be careful and make sure that the tool is starting/stopping the correct daemons. Confirm this by going into the correct runlevel directory, say /etc/rc.d/rc3.d, and making sure only the minimal S* files are there.
With "chkconfig":
Please note that there might be some daemons that are missing and/or extra in your specific /etc/rc.d/init.d directory so make sure you enable/disable the appropriate ones for your needs.
--
#Disable automounters
chkconfig --level 2345 amd off
#Disable unless this is a laptop
chkconfig --level 2345 apmd off
#Disable unless you want to run batch programs within certain loads
chkconfig --level 2345 atd off
#Disable unless you want emails of EVERY ARP on your network segment
chkconfig --level 2345 arpwatch off
#Disable unless you want boot diskless workstations
chkconfig --level 2345 bootparamd off
#Disable unless this machine will be a DHCP *SERVER*
chkconfig --level 2345 dhcpd off
#Disable unless this machine will be a full blown router
chkconfig --level 2345 gated off
#Disable unless this machine will be a WWW server
chkconfig --level 2345 httpd off
#Disable unless this machine uses a modularized kernel
# NOTE: Not needed for 2.2.x+ kernels
chkconfig --level 2345 kerneld off
#Disable unless you really want to configure remote machines via Linuxconf
chkconfig --level 2345 linuxconf off
#Disable unless this machine will be a print server
#(for the local or remote machine)
chkconfig --level 2345 lpd off
#Disable unless you really need the proprietary MC server
chkconfig --level 2345 mcserv off
#Disable unless this machine will be a database server
chkconfig --level 2345 mysql off
#Disable unless this machine will be a caching or full blown DNS server
chkconfig --level 2345 named off
#Disable unless this machine will be a NFS server
chkconfig --level 2345 nfs off
#Disable unless this machine is a laptop or the PC has PCMCIA cards
chkconfig --level 2345 pcmcia off
#Disable unless this machine will be an NFS server or needs RPC tools
chkconfig --level 2345 portmap off
#Disable all R-cmds
chkconfig --level 2345 rusersd off
chkconfig --level 2345 rwalld off
chkconfig --level 2345 rwhod off
#Disable unless this machine is a email server
chkconfig --level 345 sendmail off
#Disable unless this machine is a Samba (MS File&Print) server
chkconfig --level 345 smb off
#Disable unless this machine is to support SNMP
chkconfig --level 2345 snmpd off
#Disable unless this machine is a local/remote HTTP proxy server
chkconfig --level 2345 squid off
#Disable unless this machine will be running X-windows
chkconfig --level 2345 xfs off
#Disable unless this machine will be an NTP server
chkconfig --level 2345 xntpd off
#Disable unless this machine will be part of a NIS/YP domain
chkconfig --level 2345 ypbind off
chkconfig --level 2345 yppasswdd off
#Disable unless this machine will be a NIS/YP server
chkconfig --level 2345 ypserv off
Manually:
NOTE: only do this to the processes you WON'T use.
NOTE #2: If, for some reason, any of the K or S* files don't exist and you want them to be there, use one of the GUI tools above.
Do this in /etc/rc.d/rc2.d, /etc/rc.d/rc3.d, and /etc/rc.d/rc5.d
- mv S08autofs K08autofs
- mv S20nfs K20nfs
(unless this is for a full or caching NFS server)
- mv S20rusersd K20rusersd
- mv S20rwalld K20rwalld
- mv S20rwhod K20rwhod
- mv S30mcserv K30mcserv
- mv S98kerneld K98kerneld
- mv S35smb K35smb (unless this is for a Samba F&P server)
- mv S60lpd K60lpd (unless this is for a print server)
- mv S65portmap K65portmap (unless this is for a NFS server)
- mv S95nfsfs K95nfsfs (unless this is for a NFS server)
- mv S45pcmcia K45pcmcia (unless this for a laptop)
- mv S65dhcpd K65dhcpd (unless this is for a DHCP server)
- mv S85httpd K85httpd (unless this is for a WWW server)
- mv S80sendmail K80sendmail (unless this is for a mail server)
Inetd and Xinetd are called the "super servers" as they load a network server based upon a request from the network. I personally recommend that any service that you DON'T need shouldn't be able to load. This both minimizes CPU and Memory load as well as greatly reduces your security risk.
* The exceptions that I leave in and secure via a firewall and * TCPwrappers are: * * TELNET, FTP, SSH, sometimes TALK, POP-3, IMAP, and maybe FINGER. *
Newer Linux distributions no longer use "inetd" but instead use a newer version called "xinetd". This new version allows for much more granular configuration as well as superior logging, etc. Overall, I really recommend Xinetd though it does take a little time to get used to.
XINETD: ------- Go into the /etc/xinetd.d directory and edit each of the files in that directoru. In each one of the service files that should be disabled, make sure that a line reading "disable = yes" is present. For example
/etc/xinetd.d/chargen
# default: off
# description: A chargen server. This is the tcp \
# version.
service chargen
{
type = INTERNAL
id = chargen-stream
socket_type = stream
protocol = tcp
user = root
wait = no
disable = yes
}
I recommend to disable the following services and any other services enabled in your machine that you don't need (unless noted below).
To make the change take effect, type in:
INETD: ------ I recommend to edit the /etc/inetd.conf file and place a "#" in front of the lines to disable them (if not already done).
As noted above for Xinetd, some items you might want to leave enabled. Some you might want to leave available until you install a secure alternative like SSH):
Once you make these changes, finish editing the file. To make the change take effect, type in:
More and more Linux distributions are shipping with secure defaults. But, never ASSUME that things are locked down. CONFIRM IT!
- Edit "/etc/hosts.deny" and insert the following at the end of the file:
ALL: ALL
It should also be noted that TCP wrappers supports extensive logging and remote banners. Please see the end of this section for a detailed example.
- edit "/etc/hosts.allow" and insert lines at the end of the file for each IP and or Domain that you want to allow access to the Linux box.
NOTE: Do NOT use DNS names for the hosts as DNS can be spoofed. Use TCP/IP addresses instead.
ALL: 127.0.0.1 #Needed for some local services like comsat
ALL: 200.211.0.40 #Securehost
ALL: w.x.y.z
For example:
ALL: 192.168.0.2 #Allow everything from coyote2
ALL: 200.211.0.40 #Allow all traffic from Explict Allowed #1
ALL: 200.211.1. #Allow *ALL* traffic from all hosts on the 200.211.1.x
#network. Yes, the option should END with a
single "."
in.ftpd: 192.168.0.2 #Allow only FTP traffic from coyote2
in.pop3d: 200.211.0.40 #All only pop-3 traffuc from Explict Allowed #1
TCP Wrapper logging and banner support
As mentioned above, TCP wrappers support advanced features like logging and sending text banners to the remote machine. To do this, you want to change the /etc/hosts.deny file to look something like the following:
# The following example will DENY all traffic except finger.
# For finger, it will allow the request but log it, send a banner and THEN
# deny it
#
# First, set up a booby trap and bounce message for all except finger
# and log attempt to /var/log/tcpwrappers.log
ALL except in.fingerd: ALL \
:spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s %d-%h root;\
date >>/var/log/tcpwrappers.log;\
echo '%u@%h (%d) connection attempted.' >>/root/access.log)& \
:rfc931 45\
:twist /bin/echo \
$'\nAccess to this system is limited to authorized users. \
\n%u@%h is not a valid ID to access %d \
\non this system. This attempt has been logged. \n'
# Now log and bounce message for finger
#
in.fingerd: ALL\
:spawn (date >>/var/log/tcpwrappers.log; \
echo '%u@%h (%d) connection attempted.' >>/var/log/tcpwrappers.log)& \
:rfc931 45\
:twist /bin/echo \
$'\nAccess to this system is limited to authorized users. \
\n%u@%h is not a valid ID to access %d \
\non this system. This \
attempt has been logged.\
\n'
Disable anonymous FTP to your box by editing /etc/ftpaccess and change the common first line that looks like:
class all real,guest,anonymous *
class all real *
In most earily Linux distributions, all user's passwords were stored in the /etc/passwd file. These passwords were then encrypted by the "crypt" tool. The problem with this setup was that anyone could get these encrypted passwords and crypt's encryption was very poor. These passwords could then be broken with publically available tools. In recent times, the shadow system was implemented where the passwords were hashed with the MD5 algorithm and placed the resulting MD5 hased passwords in /etc/shadow.
To quickly see if your machine is "shadow" enabled, look at the "/etc/passwd" file. In this file, you will see the username, password, UserID (UID), GroupID (GID), Home Directory, and the user's default shell all separated by colons (:). Anyway, if you see "x"s in the second left-hand field, the password field, then you are done! If you DON'T see "x"s in that field.. you need to follow these directions or better yet.. get a newer distribution!
Slackware v3.2 did not come with Shadow passwords enabled but v3.4+ does. For several reasons, I recommend that you just upgrade to Slackware v3.4 if you are running an older Slackware distribution. The upgrade will fix numerous security issues and has many other features as well.
Redhat5, out of the box, does NOT do shadow passwords (stupid) but it is fixed in RH 6.1 and onward.
Confirm that your system is using SHADOW passwords by looking at the /etc/passwd file and make sure that the second left-hand field next to the username is a ":x:". If so, make sure everthing in this section is setup the same on your box.
If it isn't do the following:
- login as root
- type in "pwconv"
- This will convert the /etc/passwd file and move the encrypted passwords over to /etc/shadow and change the encryption algorithm from the weak "crypt" system to "md5"
- More info is available in "/usr/doc/pam-0.64/txts/pam.txt"
- NOTE: Using passwords more than 8 characters will NOT work. Use larger passwords and prepare NOT to be able to login again!
- Edit the /etc/pam.d/passwd file and change the bottom lines
NOTE: There are (2) methods shown below. Crypt is the OLD UNIX method and is considered weak. The newer method uses MD5 hashing. I recommend the MD5 method.
So, edit the file and change it to the following:
For MD5 hashing (more secure and recommended):
--
auth required /lib/security/pam_pwdb.so shadow nullok
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so retry=3
password required /lib/security/pam_pwdb.so shadow use_authtok nullok md5
--
--
auth required /lib/security/pam_pwdb.so shadow nullok
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so retry=3
password required /lib/security/pam_pwdb.so shadow use_authtok nullok
--
By default, most Linux distributions don't allow direct "root" logins via TELNET or SSH. This is considered good security.
- If you DO need to login via telnet as root then edit or create the /etc/securetty file and ADD the following:
ttyp0
ttyp1
ttyp2
Please note that newer Linux distributions now use the DevFS system. If your system uses DevFS, you should add the following in addition to the "ttyp0, ttyp1, etc." system. If you are using DevFS full time, you can delete the ttyp0, etc. lines.
vc/1
vc/2
**** MAKE SURE YOU PUT "#"s IN FRONT OF THESE NEW LINES ONCE YOU ARE DONE! ****
It seems that some Linux distributions do not come with the /etc/ftpusers file. This file basically is for when any usernames in this file, they are NOT allowed to FTP in. Usually, it is considered POOR security to be able to FTP in as ROOT. By putting the word "root" into this file, this disables FTP logins from "root".
- If you ever need to FTP into the linux box as ROOT (you shouldn't be able to by default), edit the "/etc/ftpusers" file and put a "#" in front of "root".
NOTE: If the /etc/ftpusers file DOESN'T already exist, just create it. Once you are done, LEAVE it there with at least the line "root" without a "#" in front of it.
*********************************************************
**** MAKE SURE YOU REMOVE THIS "#" ONCE YOU ARE DONE ****
**** SINCE THIS IS A BIG SECURITY ISSUE ****
*********************************************************
* When users install Redhat, they usually install more programs than they plan to initially use. Though Redhat allows users to later choose what daemons are and are NOT run upon boot, this does NOT disable some things that are loaded into the cron file.
As mentioned before in this section, unless you plan on using the functionality of a specific product, DON'T disable a given cron entry. Just delete the package all together as described above.
**NOTE**: DON'T disable: logrotate, tmpwatch, updatedb.cron, makewhatis.cron
- Look in the /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, and /etc/cron.monthly and make sure that nothing is installed that you don't want. For example, I had to do the following for RH 5.2:
mkdir -m 700 /etc/cron.disabled
mkdir -m 700 /etc/cron.disabled/cron.hourly
mkdir -m 700 /etc/cron.disabled/cron.daily
mv /etc/cron.hourly/inn-cron-nntpsend /etc/cron.disabled/cron.hourly
mv /etc/cron.daily/inn-cron-expire /etc/cron.disabled/cron.daily
mv /etc/cron.daily/inn-cron-rnews /etc/cron.disabled/cron.daily
mv /etc/cron.daily/tetex.cron /etc/cron.disabled/cron.daily
**NOTE**: DON'T disable: updatedb.cron
- Realistically, you won't have the same issues as Redhat users because Slackware doesn't have as many bells and whistles as RH does. BUT, check to make sure. All of Slackware's cron configuration is stored here.
less /var/spool/cron/crontabs/root
A lot of the default file permissions on Linux distributions just give away too much information to the end user or hacker. Some people might think that some of these are paranoid but I'd rather be safe than sorry:
NOTE: Most of these permissions reflect Redhat 5.2 but most will apply to any Linux distribution.
NOTE2: If you receive any ERRORs when applying these changes, don't worry. That just means you don't have that package installed.
It is highly recommended that you apply these permissions via the TrinityOS-security script to avoid typing mistakes and save time.
# Files in /dev chmod 660 /dev/lp* # Files in /bin echo "Bru is a commercial backup program but some Linux distributions come with it" chmod 750 /bin/bru chmod 750 /bin/linuxconf chmod 750 /bin/mount chmod 750 /bin/mt chmod 750 /bin/rpm chmod 750 /bin/setserial chmod 4750 /bin/su chgrp adm /bin/su chmod 750 /bin/umount # Files in /sbin chmod 750 /sbin/accton chmod 750 /sbin/badblocks chmod 750 /sbin/ctrlaltdel chmod 750 /sbin/chkconfig chmod 750 /sbin/chkraid chmod 750 /sbin/debugfs chmod 750 /sbin/depmod chmod 750 /sbin/dhcpcd chmod 750 /sbin/dump* chmod 750 /sbin/fdisk chmod 750 /sbin/fsck* chmod 750 /sbin/ftl* chmod 750 /sbin/getty chmod 750 /sbin/halt chmod 750 /sbin/hdparm chmod 750 /sbin/hwclock chmod 750 /sbin/ide_info chmod 750 /sbin/if* chmod 750 /sbin/init chmod 750 /sbin/insmod echo "IPFWADM is only installed for v2.0 kernels" chmod 750 /sbin/ipfwadm chmod 750 /sbin/ipx* chmod 750 /sbin/isapnp chmod 750 /sbin/kerneld chmod 750 /sbin/killall* echo "This is the new location for klogd. Please disregard any errors if this doesn't work." chmod 750 /sbin/klogd chmod 750 /sbin/lilo chmod 750 /sbin/mgetty chmod 750 /sbin/mingetty chmod 750 /sbin/mk* chmod 750 /sbin/mod* chmod 750 /sbin/netreport chmod 750 /sbin/pam* chmod 750 /sbin/pcinitrd chmod 750 /sbin/pnpdump chmod 750 /sbin/portmap chmod 750 /sbin/quotaon chmod 750 /sbin/raidadd chmod 750 /sbin/restore chmod 750 /sbin/runlevel chmod 750 /sbin/stinit echo "This is the old location for klogd. Please disregard any errors if this doesn't work." chmod 750 /sbin/syslogd chmod 750 /sbin/swapon chmod 750 /sbin/tune2fs chmod 750 /sbin/uugetty chmod 750 /sbin/vgetty echo "Files in /usr/bin" chmod 750 /usr/bin/control-panel chmod 750 /usr/bin/comanche chmod 750 /usr/bin/eject chmod 750 /usr/bin/glint chmod 750 /usr/bin/gnome* chmod 750 /usr/bin/gpasswd chmod 750 /usr/bin/ipx* chmod 750 /usr/bin/kernelcfg chmod 755 /usr/bin/lp* chmod 4755 /usr/bin/lpr #NOTE: I feel setting "lpr" to allow any group to execute it is # a bad thing. # # I would like to add UNIX users and even the Samba process to # the "lp" group already defined in /etc/groups and then be able # to put things back to to 4750. BUT, I just talked to a buddy # of mine and this really isn't possible. Linux doesn't support # multiple groups per file and Linux doesn't support access lists # (ACLs') yet. So, you either have to do all this or run LPRng. # # Stock permissionss are: # -r-sr-sr-x 1 root lp 15436 Oct 17 06:49 lpq # -r-sr-sr-x 1 root lp 16176 Oct 17 06:49 lpr # -r-sr-sr-x 1 root lp 16132 Oct 17 06:49 lprm chmod 750 /usr/bin/mformat chmod 750 /usr/bin/minicom chmod 750 /usr/bin/mtools chmod 750 /usr/bin/netcfg chmod 750 /usr/bin/rusers chmod 750 /usr/bin/rwall chmod 750 /usr/bin/uucp echo "Files in /usr/sbin" chmod 750 /usr/sbin/am* chmod 750 /usr/sbin/at* chmod 750 /usr/sbin/automount chmod 750 /usr/sbin/bootp* chmod 750 /usr/sbin/crond chmod 750 /usr/sbin/dhc* chmod 750 /usr/sbin/dip chmod 750 /usr/sbin/dump* chmod 750 /usr/sbin/edquota chmod 750 /usr/sbin/exportfs chmod 750 /usr/sbin/fixmount chmod 750 /usr/sbin/ftpshut chmod 750 /usr/sbin/gated chmod 750 /usr/sbin/group* chmod 750 /usr/sbin/grp* chmod 750 /usr/sbin/imapd chmod 750 /usr/sbin/in.* chmod 750 /usr/sbin/inetd chmod 750 /usr/sbin/ipop* echo "This is the old location for klogd. Please disregard any errors if this doesn't work." chmod 750 /usr/sbin/klogd chmod 750 /usr/sbin/logrotate chmod 750 /usr/sbin/lp* chmod 755 /usr/sbin/lsof chmod 750 /usr/sbin/makemap chmod 750 /usr/sbin/mk-amd-map chmod 750 /usr/sbin/mouseconfig chmod 750 /usr/sbin/named* chmod 750 /usr/sbin/nmbd chmod 750 /usr/sbin/newusers chmod 750 /usr/sbin/ntp* chmod 750 /usr/sbin/ntsysv chmod 750 /usr/sbin/pppd chmod 750 /usr/sbin/pnpprobe chmod 750 /usr/sbin/pw* chmod 750 /usr/sbin/quota* chmod 750 /usr/sbin/rdev chmod 750 /usr/sbin/rdist chmod 750 /usr/sbin/repquota chmod 750 /usr/sbin/rhbackup chmod 750 /usr/sbin/rotatelogs chmod 750 /usr/sbin/rpc* chmod 750 /usr/sbin/rwhod chmod 750 /usr/sbin/samba chmod 750 /usr/sbin/setup chmod 750 /usr/sbin/showmount chmod 750 /usr/sbin/smb* chmod 750 /usr/sbin/sndconfig chmod 750 /usr/sbin/snmp* chmod 750 /usr/sbin/squid echo "This is the old location for sysklogd. Please disregard any errors if this doesn't work." chmod 750 /usr/sbin/syslogd chmod 750 /usr/sbin/taper chmod 750 /usr/sbin/tcpd* chmod 750 /usr/sbin/time* chmod 750 /usr/sbin/tmpwatch chmod 750 /usr/sbin/tunelp chmod 750 /usr/sbin/user* chmod 750 /usr/sbin/uu* chmod 750 /usr/sbin/vi* chmod 750 /usr/sbin/wire-test chmod 750 /usr/sbin/xntp*
- Check that there aren't any SUID ROOT (programs that execute as the ROOT user) that are WRITABLE by other users. To do this, execute this following command (per http://rlz.ne.mediaone.net/linux/index.html):
mkdir -m700 /etc/info
find / -type f \( -perm -04000 -o -perm -02000 \) -ls > /etc/info/suid-results
So what do you do with these results?
Figure out the SUID programs that you need and note which ones they are and where they are. The issue is to just make sure that no other unknonwn programs don't get added to this list. What about just changing their permissions to NOT be SUID root? This would be bad because most programs that are usually SUID ROOT *must* be this way or they won't work right.
But, for example, GnuPlot on a recent copy of SuSE was found SUID though it shouldn't have been. Later, a person on BugTraq found this and created both a root exploit and patch for it. So, this is where you can be proactive and fix things.
For the other SUID programs you don't need or know what they are, change their permissions to 700 (chmod 700 *) or even better yet, change their permissionss to 700, move them to a temporary directory to later delete them once you are SURE you don't need the programs.
*** Once you have resolved all your SUID issues, rename this *** /etc/info/suid-results file to /etc/info/suid-results-checked and then *** fix the permissions:
mv /etc/info/suid-results /etc/info/suid-results-checked
chmod 600 /etc/info/suid-results-checked
We will use this file later as a template file to check for changed SUID files in Section 9
Much like looking for SUID files above, it is also a good idea to look for R-command permission files.
find / | grep -e ".rhosts" -e "hosts.equiv" > /etc/info/rcmd-results
Once you have reviewed this /etc/info/rcmd-results file for any entries that DON'T belong in there, rename it and fix its permissions:
mv /etc/info/rcmd-results /etc/info/rcmd-results-checked
chmod 600 /etc/info/rcmd-results-checked
* This was exploited recently in Xfree86 but I still feel that the sticky bit on the /tmp/.X11-unix directory should be set
rm -rf /tmp/.X11-unix
mkdir -p -m 1777 /tmp/.X11-unix
chmod o+t /tmp/.X11-unix
- SYSLOG is the main UNIX logging tool. With this system, you can setup logging to be very high level to extremely detailed and have each logging stream go to a different file. Trust me, SYSLOG is your friend!
Edit /etc/syslog.conf and -ADD- the following lines if they aren't already in there:
******* * NOTE!!! All space from the left and right columns MUST BE TABS. * If they are SPACEs, syslog will NOT load! Kinda stupid eh? *
Redhat users:
*.warn;*.err /var/log/syslog
auth.*;user.*;daemon.none /var/log/loginlog
kern.* /var/log/kernel
Slackware users:
*.warn;*.err /var/adm/syslog
mail.* /var/adm/maillog
auth.*;user.*;daemon.none /var/adm/loginlog
kern.* /var/adm/kernel
All Distributions: Once you have edited the /etc/syslog.conf file, save your changes and exit the editor. Now, following files must be created for SYSLOG to work:
touch /var/log/syslog
touch /var/log/loginlog
touch /var/log/kernel
--
Nov 28 08:25:42 hostname -- MARK --
--
This is the SYSLOG daemon telling you that SYSLOG is running but had nothing to report. If you don't like this behavior, you can disable it by editing the following file and changing the MARK time out.
In /etc/rc.d/init.d/syslog, find the line that says:
--
daemon syslogd
--
and replace it with:
--
daemon syslogd -m 0
--
To make ALL of the above changes go into effect, run:
Next, close down these new files (and existing files) permissions:
chmod 600 /var/log/syslog
chmod 600 /var/log/loginlog
chmod 600 /var/log/kernel
echo "Make sure old SYSLOG file perms are ok too."
chmod 600 /etc/syslog.conf
chmod 600 /var/log/cron
chmod 700 /var/log/httpd
chmod 600 /var/log/httpd/*
chmod 600 /var/log/maillog
chmod 600 /var/log/messages
chmod 600 /var/log/mysql
chmod 600 /var/log/netconf.log
chmod 700 /var/log/samba
chmod 600 /var/log/samba/*
chmod 600 /var/log/sendmail.st
chmod 600 /var/log/secure
chmod 600 /var/log/spooler
chmod 700 /var/log/squid
chmod 600 /var/log/squid/*
chmod 600 /var/log/xferlog
chmod 600 /var/adm/syslog
chmod 600 /var/adm/loginlog
chmod 600 /var/adm/kernel
chmod 600 /etc/syslog.conf
Ok, now restart SYSLOG:
Stock Redhat comes with a tool that will take your SYSLOG log files, rename them to the day they came from, optionally compress them, and then restart the log files for the next day. This is very handy as SYSLOG files can get VERY large. If you are using some other Linux distribution that doesn't have this feature, I highly recommend installed a program that will do this for you (there are many to choose from).
- Redhat:
Next, allow the new syslog file to be rotated as well. Add these lines to the /etc/logrotate.d/syslog:
--
/var/log/kernel {
postrotate
/usr/bin/killall -9 klogd
/sbin/klogd &
endscript
}
/var/log/loginlog {
postrotate
/usr/bin/killall -HUP syslogd
endscript
}
/var/log/syslog {
postrotate
/usr/bin/killall -HUP syslogd
endscript
}
--
Also.. I highly recommend that you edit the /etc/logrotate.conf file and do the following:
Find "#compress" and remove the "#" so it only says "compress".
I also recommend that your #ed out the sections to look like this:
[ Why? If these files are rotated, you won't be easily able to ] [ tell when users have logged in. ]
## no packages own lastlog or wtmp -- we'll rotate them here
#/var/log/wtmp {
# monthly
# rotate 1
#}
#/var/log/lastlog {
# monthly
# rotate 1
#}
This will then compress the moved log files with Gzip.
Finally, some log files explicitly default to no-compression. Why? I recommend to add a "#" before the "nocompress" line in each of the following files:
/etc/logrotate.d/ftpd
/etc/logrotate.d/linuxconf
/etc/logrotate.d/sendfax
There might be other files in this directory. Check each one of them.
Lastly, I recommend to go into the /etc/logrotate.d/ directory and MOVE log config files that you KNOW you won't be using to a "disabled" directory. This is completely dependant on the services that you installed and then on which ones you opted to NOT run.
As mentioned before, for packages that you KNOW you won't ever use, instead of disabling the logrotation for a given package, DELETE the entire package either using RPM or PKGDEL.
To manually disable things:
mkdir -m 700 /etc/logrotate.d.disabled
mv /etc/logrotate.d/mysql /etc/logrotate.d.disabled
mv /etc/logrotate.d/squid /etc/logrotate.d.disabled
- Edit the "/etc/rc.d/rc.local" file and add the following lines at the end:
The following tip is a personal idea I like for both Redhat and Slackware. By default, then you login to a Linux box, it tells you the Linux distribution name, version, kernel version, and the name of the server. Even worse, Mandrake puts up a very stupid looking Penguin.
To me, this is giving away too much info. I rather just prompt users with a "Login: " prompt (if they ever get that far past your packet firewall and TCP wrappers).
To fix this, do the following:
Place "#"s in front of the following lines like shown:
NOTE: This looks a little different with Mandrake:
/etc/rc.d/rc.local
## This will overwrite /etc/issue at every boot. So, make any changes you ## want to make to /etc/issue here or you will lose them when you reboot. #echo "" > /etc/issue #echo "Red Hat Linux $R" >> /etc/issue #echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue # #cp -f /etc/issue /etc/issue.net
Then, do the following:
- rm -f /etc/issue - rm -f /etc/issue.net - touch /etc/issue - touch /etc/issue.net - chmod 400 /etc/issue - chmod 400 /etc/issue.net
/etc/rc.d/rc.local
dmesg >> /etc/info/dmesg
* Next, the following tip is a great way of seeing your various logs on your Linux box without having to login, etc. Some people might feel that this is a security risk but the risk stems from physical security.
Edit the following file and FIND each line for, say syslog or messages, and add in the respective line:
/etc/syslog.conf
*.warn;*.err /dev/tty7 mail.* /dev/tty8 kern.* /dev/tty8
To make these changes take effect, run the following line:
Now, whenever anything is added to those log files, just go to the ALT-F7 or F8 VTY and see the messages roll by in real-time.
* Like the real-time log monitor above, it's nice to be able to see errors in real time whenever you suspect problems via a TELNET, SSH, etc. To do this, create the file with the following:
Slackware:
/root/logit
-- #/bin/sh tail -f /var/adm/samba/log.nmb & tail -f /var/adm/samba/log.smb & tail -f /var/adm/xferlog & tail -f /var/adm/maillog & tail -f /var/adm/secure & tail -f /var/adm/syslog & tail -f /var/adm/messages & --
Redhat:
/root/logit
-- #!/bin/sh tail -f /var/log/samba/log.nmb & tail -f /var/log/samba/log.smb & tail -f /var/log/xferlog & tail -f /var/log/maillog & tail -f /var/log/secure & tail -f /var/log/syslog & tail -f /var/log/messages & --
Now, fix the permissions for it:
chmod 700 /root/logit
Close the file and then fix it's permissions with "chmod 700 /usr/local/sbin/logit".
Now, whenever you are suspecting problems with ANYTHING on your Linux box, just run "/root/logit" and watch the error logs go by in real-time.
A few tips: - type in "clear" at the UNIX prompt now and then to clean the screen up for readibility sake.
- When logs are scrolling by but you are looking for something that should show up in a few seconds, hit ENTER a few times to move up the old log info a few lines.
When you are done with "logit", run the command "killall tail" to stop all the logging.
Being a command line junky, I use the CLI (command line interface) most of the time. To make things a little easier on the eye, I recommend that you make the BASH prompt a little more easy on the eye. All NON-root users will get a "green" colored prompt but ROOT users will get a "red" colored prompt.
You can do this one of two ways. Have it setup on a PER USER basis or for ALL users.
For this example, let's do it just for the ROOT user.
1. Copy the main bash profile to the root user's home directory:
cp /etc/bashrc /root/.bashrc
NOTE: Why bashrc and not profile? The reason being is that bashrc OVERRIDES anything in the profile.
2. Edit it and find the line for the "PS1" variable and REPLACE it with the following. This will make the prompt be a bright green (easy on the eyes) color for NON-root users and red for ROOT uses. It will also show the machine name and a condensed directory prompt:
if [ `id -un` = root ]; then
PS1='\[\033[1;31m\]\h:\w\$\[\033[0m\] '
else
PS1='\[\033[1;32m\]\h:\w\$\[\033[0m\] '
fi
3. Save the .bashrc, login as the root user or run "su -" and then you should have the new prompt. For more good Bash ideas, check out the BASH howto from Section 5.
If you wanted to do it for ALL users, do the above changed to the /etc/bashrc file.
As you execute commands in bash, they are recorded for the command history, etc. Though this is great during your shell login, you might accidently put a password in as a command, etc. To clean this up and cover your tracks once you log off, add the following line as the LAST line in your /etc/profile:
/etc/profile
--<begin>
#Depending on your version of BASH, you might have to use
# the other form of this command
trap "rm -f ~$LOGNAME/.bash_history" 0
#The older KSH-style form
trap 0 rm -f ~$LOGNAME/.bash_history
--<end>
One powerful command in UNIX is the "apropos" or "man -k" command. This will let you do command searches on generic words like "modem", etc. BUT, when you first install Linux, this database isn't complete. It is usually run as a weekly cron job but I recommend to start it now:
makewhatis -w &
NOTE: This command will take a while depending on HD and CPU speed.
If you get ERRORs on the "makewhatis" command as I did in Mandrake 6.1, some of this is how to fix them. I received the following errors (bugs in the distribution - already reported as Bug #ier206). Running this command in Mandrake 7.0 runs without error.
-- bzcat: Can't open input file ./fetchmailconf.1.bz2: No such file or directory. bzcat: ./ksh.1.bz2 is not a bzip2 file. bzcat: Can't open input file ./pdksh.1.bz2: No such file or directory. Read file error: ./rec.1 No such file or directory bzcat: ./tixwish.1.bz2 is not a bzip2 file. bzcat: ./efence.3.bz2 is not a bzip2 file. Read file error: ./stm.8 No such file or directory Read file error: ./clockprobe.8 No such file or directory --
line 1: The /usr/man/man1/fetchmailconf.1.bz2 file is a symbolic link to fetchmail.1. This file doesn't exist since its compressed with bz2. To fix it, do:
rm /usr/man/man1/fetchmailconf.1.bz2
ln -s /usr/man/man1/fetchmail.1.bz2 /usr/man/man1/fetchmailconf.1.bz2
line 2: The /usr/man/man1/ksh.1.bz2 file isn't really bz2'ed. To fix it, do:
mv /usr/man/man1/ksh.1.bz2 /usr/man/man1/ksh.1
bzip2 -z /usr/man/man1/ksh.1
line 3: The /usr/man/man1/pdksh.1.bz2 file points to a non-bz2 file. (sloppy). To fix it, do:
Do the line-2 fix above
rm /usr/man/man1/pdksh.1.bz2
ln -s /usr/man/man1/ksh.1.bz2 /usr/man/man1/pdksh.1.bz2
line 4: The /usr/man/man1/rec.1 file points to a bogus path /var/tmp/sox-root//usr/man/man1/play.1 (sloppy). To fix it, do:
rm /usr/man/man1/rec.1
ln -s /usr/man/man1/play.1.bz2 /usr/man/man1/rec.1.bz2
line 5: The /usr/man/man1/tixwish.1.bz2 file is not a bz2 file. To fix it, do:
mv /usr/man/man1/tixwish.1.bz2 /usr/man/man1/tixwish.1
bzip2 -z /usr/man/man1/tixwish.1
line 6: The /usr/man/man3/efence.3.bz2 file is not a valid man page To fix it, do:
rm /usr/man/man3/efence.3.bz2
line 7: The /usr/man/man8/stm.8 file points to a non existing file. To fix it, do:
rm /usr/man/man8/stm.8
ln -s /usr/man/man8/SVGATextMode.8.bz2 /usr/man/man8/stm.8.bz2
line 8: The /usr/man/man8/clockprobe.8 file points to a non existing file. To fix it, do:
rm /usr/man/man8/clockprobe.8
ln -s /usr/man/man8/grabmode.8.bz2 /usr/man/man8/clockprobe.8.bz2
Once you have fixed these problems, re-run "makewhatis -w" and make sure it completes cleanly.
** HIGHLY RECOMMENDEDD for ALL Administrators **
If you are like me, you would like to know if any strange things are happening to your system like (processes failing, hacker attempts, etc.). At the same time, you probably don't have the time to scan over all these logs every day to see what is and isn't interesting. This script will simply count the number of specific blocked port connections (worms, viruses, etc.). This script also optionally monitors how many times your modem line came online (or failed due to busy signals, etc.) and report what speeds it connected at in a nice summarized table.
To do this, follow these next steps (note: this isn't the prettiest script I've wrote and it needs a LOT of cleaning but it should work for you).
*** Note:
ALL USERS: The first time this script executes, you
will receive some errors regarding:
- todays-date and yesterdays-date
You can safely ignore these errors!
Slackware users: This file should be called "/usr/local/sbin/sendlogs"
Redhat users: This file should be called "/usr/local/sbin/sendlogs"
(Note: All users: you will need to substitute in your proper mail address
( so you will get your logs
(
( Slackware users: please edit this file and change the /var/log
( references to /var/adm
(
( Modem users: You will need to un-# out the modem fields and
( make sure that the temp file swaping from
( $1.tmp to $2.tmp etc. transisions are correct.
(
( I have this disabled because I'm a cable modem dude
( now but this worked well.
------------------------------------------------------------------------------
All of TrinityOS's step-by-step instructions, files, and scripts are fully scripted out for an automatic installation at:
http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-security/TrinityOS-security.tar.gz -----------------------------------------------------------------------------
/usr/local/sbin/sendlogs <Sendlogs START>
#!/bin/sh
# TrinityOS-sendlogs.sh
# 03/06/04
#
# Part of the copyrighted and trademarked TrinityOS document.
# <"http://www.ecst.csuchico.edu/~dranch">
#
# Written and Maintained by David A. Ranch
# dranch@trinnet.net
#
# Updates:
#
# 03/06/04 - Added counts for SQL
# 02/12/04 - Added counts for MyDoom trojans
# 01/12/04 - Added Samba counts to the DMZ segment
# 11/15/03 - Fixed a typo of > vs. >> for the cups and http filter
# 11/09/03 - added a count of port 631 hits (CUPS)
# 10/28/03 - Changed mirror DD drive to sdc
# 10/23/03 - Adding a logger debug command
# 09/26/03 - Added a count of port 80 hits (www)
# 09/23/03 - removed all port 80 hits
# 01/30/03 - Added MP3 archive change log
# 06/28/02 - Added Seti stats
# 12/13/01 - Added a calculated total runtime to the end of the script
# 11/13/01 - filter those damn run-parts messages
# 08/28/01 - Log the status of the script for debuging hangs
# 07/14/01 - delete all the Jeff R denied update messages
# 01/07/01 - This script is now parsed directly from the SGML code and
# because of this, several formatting issues were fixed.
# - Made the output a little more pretty
# - #ed out some diagnostic file information
# - added an lsof log entry
# - cleaned up the error reports in the SUID and RCMD searches
#
# 12/26/00 - Added --MARK-- Filtering
#
# 10/28/00 - Added an optional and #ed out section on DDing one HD to
# another. This is a simple but VERY effective online backup
# though it is only done once a night. If you have a spare HD
# in your system, this is the next best thing to setting up
# RAID1. Personally, I just recommend to setup RAID1! :)
#
# 10/08/00 - Deleted the removal of the SUID and RCMD new result files
#
# 09/16/00 - Added a full RPM database verification setup
#
# 04/15/00 - Added the $HOST variable to easily tune the SUBJECT field to
# reflect the name of your Linux system. You should edit this
# to reflect your system.
#
# 04/09/00 - Hmmm.. we need %e and NOT %d for catching dates 01-09.
# Basically, I need to reverve the change on 01/17/00.
#
# 02/21/00 - Doh! We do need the spaces between %b and %d
#
# 01/17/00 - Fixed all the "date" issues. Date now uses %d over %e and
# doesn't use any spaces.
#
# 01/01/00 - Fixed a missing ">" on line 139
#
# 12/16/99 - Fixed the RCMD mailer command at the end. The "mail -s" line
# needed to be ONE line
#
# 11/26/99 - Cleaned things up a bit
# - Made all file references absolute
#
# 02/01/99 - Added "w" to the vitals output
logger "Sendlogs starting: `date`"
# Change this variable to reflect the HOSTNAME of this box
# --------------------------------------------------------
HOST="roadrunner"
EXTIP="100.200.0.212"
export COLUMNS=132
echo "Sendlogs start: `date`" > /var/log/sendlogs.status
START=`date +%s`
#Make sure that the "yesterdays-date" file exists. If not, create it.
#
if [ -f /var/log/todays-date ]; then
mv /var/log/todays-date /var/log/yesterdays-date;
else
date +'%b %e' > /var/log/yesterdays-date;
fi
#Make sure that the "/etc/info/logs" directory exists. If not, create it.
#
if [ -a /etc/info ]; then
if [ -a /etc/info/logs ]; then
echo "";
else
mkdir /etc/info/logs;
fi
else
mkdir /etc/info;
mkdir /etc/info/logs;
fi
date +'%b %e' > /var/log/todays-date
echo " Start messages: `date`" >> /var/log/sendlogs.status
cat /var/log/messages | grep "`cat /var/log/yesterdays-date`" > /var/log/messlog.`date +'%b%d%y'`
export f1=/var/log/messlog.`date +'%b%d%y'`
export f2=/var/log/testfile
#echo "File 1: $f1"
#echo "File 2: $f2"
#For messages - FTP and PPP stuff
#
sed -e "/PWD/d" -e "/PASV/d" -e "/TYPE/d" -e "/PORT/d" -e "/NLST/d" -e "/SYST/d" $f1 > $f1.tmp
sed -e "/PASS/d" -e "/QUIT/d" -e "/LIST/d" -e "/CDUP/d" -e "/ATDT/d" -e "/Welcome/d" $f1.tmp > $f2.tmp
sed -e "/Using/d" -e "/Connect/d" -e "/Remote/d" -e "/IP address/d" -e "/CHECKSUM/d" $f2.tmp > $f1.tmp
sed -e "/Terminated/d" -e "/Terminating/d" -e "/diald/d" -e "/2.2.0/d" -e "/Exit./d" $f1.tmp > $f2.tmp
sed -e "/(passwd=guest)/d" -e "/alarm/d" -e "/Failed/d" $f2.tmp > $f1.tmp
#For messages - modem specific stuff
#
#sed -e "/send /d" -e "/expect/d" -e "/OK/d" -e "/AT&F/d" -e "/ATZ/d" -e "/ ^M /d" $f1.tmp > $f2.tmp
#sed -e "/Swansea/d" -e "/logging/d" -e "/starting/d" -e "/Ready/d" -e "/0x03f8/d" -e "/0x02f8/d" $f2.tmp > $f1.tmp
#sed -e "/sbpcd.c/d" -e "/CR-563/d" -e "/copyright/d" -e "/sockets/d" -e "/Serial/d" -e "/registered/d" $f1.tmp > $f2.tmp
#sed -e "/SLIP/d" -e "/sbpcd-0/d" -e "/ATM0X7/d" -e "/1.44M/d" -e "/8272A/d" -e "/statistics/d" $f2.tmp > $f1.tmp
#sed -e "/Please/d" -e "/hangup/d" -e "/ip-down/d" -e "/scans/d" $1.tmp -e "/abort on/d" $f1.tmp > $f2.tmp
#sed -e "/CONNECT /d" -e "/BUSY/d" -e "/SIGHUP/d" $f2.tmp > $f1.tmp
#For messages - modem dialout specific stuff
#
#echo -e "---------------------------------------" > /var/log/header.tmp
#echo -e "$HOST Call stats for \c" >> /var/log/header.tmp
#date >> /var/log/header.tmp
#echo -e " " >> /var/log/header.tmp
#echo -e "Total number of connects: \c" >> /var/log/header.tmp
#grep -c "CONNECT" $f1.tmp >> /var/log/header.tmp
#echo -e " 21600: \c" >> /var/log/header.tmp
#grep -c "21600" $f1.tmp >> /var/log/header.tmp
#echo -e " 26400: \c" >> /var/log/header.tmp
#grep -c "26400" $f1.tmp >> /var/log/header.tmp
#echo -e " 28800: \c" >> /var/log/header.tmp
#grep -c "28800" $f1.tmp >> /var/log/header.tmp
#echo -e " 31200: \c" >> /var/log/header.tmp
#grep -c "31200" $f1.tmp >> /var/log/header.tmp
#echo -e " 33600: \c" >> /var/log/header.tmp
#grep -c "33600" $f1.tmp >> /var/log/header.tmp
#echo -e " 33600: \c" >> /var/log/header.tmp
#grep -c "41333" $f1.tmp >> /var/log/header.tmp
#echo -e " 41333: \c" >> /var/log/header.tmp
#grep -c "42666" $f1.tmp >> /var/log/header.tmp
#echo -e " 42666: \c" >> /var/log/header.tmp
#echo -e " " >> /var/log/header.tmp
#echo -e "Total number of busys: \c" >> /var/log/header.tmp
#grep -c "BUSY" $f1.tmp >> /var/log/header.tmp
#echo -e "---------------------------------------" >> /var/log/header.tmp
#echo -e " " >> /var/log/header.tmp
#cat /var/log/header.tmp >> $f1.tmp
#For messages - named specific stuff
#
sed -e "/Cleaned/d" -e "/USAGE/d" -e "/NSTATS/d" -e "/XSTATS/d" $f1.tmp > $f2.tmp
sed -e "/points/d" -e "/Lame server/d" $f2.tmp > $f1.tmp
#For messges - SSH specific
sed -e "/Generating /d" -e "/generation /d" -e "/NSTATS/d" -e "/XSTATS/d" $f1.tmp > $f2.tmp
#For messges - Delete --MARK-- entries and J.Robinson DNS issues
sed -e "/-- MARK --/d" -e "/run-parts/d" $f2.tmp > $f1.tmp
#
# COUNT log hits but delete them -- greatly cuts down on log sizes
#
#
echo -e "Firewall hit log reduction section:" >> /var/log/messlog.tmp
echo -e " +----------------------------------------------------------" >> \
/var/log/messlog.tmp
# --- EXT interfaces ---
#For messages - count all port 80 hits
echo -en " | Port 80 (www) count: " >> /var/log/messlog.tmp
grep -c "$EXTIP:80" $f1.tmp >> /var/log/messlog.tmp
echo -e " +----------------------------------------------------------" >> \
/var/log/messlog.tmp
#For messges - Delete all PORT 80 stuff
sed -e "/$EXTIP:80/d" $f1.tmp > $f2.tmp
#For messages - count all port 1433 - SQL hits
echo -en " | Port 1433 (SQL) count: " >> /var/log/messlog.tmp
grep -c "$EXTIP:1433" $f2.tmp >> /var/log/messlog.tmp
echo -e " +----------------------------------------------------------" >> \
/var/log/messlog.tmp
#For messges - Delete all PORT 1443 stuff
sed -e "/$EXTIP:1433/d" $f2.tmp > $f1.tmp
#For messages - count all port 3127 hits
echo -en " | Port 3127 (MyDoom) count: " >> /var/log/messlog.tmp
grep -c "$EXTIP:3127" $f1.tmp >> /var/log/messlog.tmp
echo -e " +----------------------------------------------------------" >> \
/var/log/messlog.tmp
#For messges - Delete all PORT 3127 stuff
sed -e "/$EXTIP:3127/d" $f1.tmp > $f2.tmp
# --- INT2 interfaces ---
#For messages - count all port 631 hits
echo -en " | Port 631 (CUPS) count: " >> /var/log/messlog.tmp
grep -c "$INT2BROAD:631" $f2.tmp >> /var/log/messlog.tmp
echo -e " +----------------------------------------------------------" >> \
/var/log/messlog.tmp
#For messges - Delete all PORT 631 stuff
sed -e "/$INT2BROAD:631/d" $f2.tmp > $f1.tmp
#For messages - count all port port 137 hits
echo -en " | Port 137 (Samba) count: " >> /var/log/messlog.tmp
grep -c "$INT2BROAD:137" $f1.tmp >> /var/log/messlog.tmp
echo -e " +----------------------------------------------------------" >> \
/var/log/messlog.tmp
#For messges - Delete all PORT 137 stuff
sed -e "/$INT2BROAD:137/d" $f1.tmp > $f2.tmp
#For messages - count all port port 138 hits
echo -en " | Port 138 (Samba) count: " >> /var/log/messlog.tmp
grep -c "$INT2BROAD:138" $f2.tmp >> /var/log/messlog.tmp
echo -e " +----------------------------------------------------------\n" >> \
/var/log/messlog.tmp
#For messges - Delete all PORT 138 stuff
sed -e "/$INT2BROAD:138/d" $f2.tmp > $f1.tmp
mv /var/log/messlog.tmp $f1
cat $f1.tmp >> $f1
#cat $f2.tmp >> $f1
rm -R /var/log/*.tmp
mail -s "$HOST messages for `cat /var/log/yesterdays-date`" root@localhost < /var/log/messlog.`date +'%b%d%y'`
rm /var/log/messlog.`date +'%b%d%y'`
echo -e "-------------------------------------------------------"
echo -e "MESSAGES: Parsed, filtered, mailed and deleted messages"
echo -e "-------------------------------------------------------"
#---------------------------------------------
echo " Start syslog: `date`" >> /var/log/sendlogs.status
cat /var/log/syslog | grep "`cat /var/log/yesterdays-date`" > /var/log/syslog.`date +'%b%d%y'`
export f1=/var/log/syslog.`date +'%b%d%y'`
#echo "file 1: $f1"
#echo "file 2: $f2"
#Syslog - modem specific
#sed -e "/ got /d" -e "/abort on/d" -e "/expect/d" -e "/ ^M /d" -e "/AT&F1^M^M/d" $f1 > $f1.tmp
#sed -e "/ATZ^M^M/d" -e "/ATM0X7S11=40^M^M/d" -e "/Executed/d" -e "/ATDT/d" $f1.tmp > $f2.tmp
#sed -e "/Welcome/d" -e "/Using/d" -e "/Connect/d" -e "/Remote/d" -e "/IP address/d" $f2.tmp > $f1.tmp
#sed -e "/CHECKSUM/d" -e "/Terminated/d" -e "/Terminating/d" -e "/diald/d" -e "/2.2.0/d" $f1.tmp > $f2.tmp
#sed -e "/Exit./d" -e "/(passwd=guest)/d" -e "/alarm/d" -e "/Failed/d" -e "/CONNECT/d" $f2.tmp > $f1.tmp
#sed -e "/hangup/d" -e "/RINGING^M/d" $f1.tmp > $f2.tmp
#mv $f2.tmp $f1
#syslog FTP,
sed -e "/PWD/d" -e "/PASV/d" -e "/LIST/d" -e "/CDUP/d" -e "/RETR/d" -e "/CWD/d" $f1 > $f1.tmp
sed -e "/TYPE/d" -e "/PASS/d" -e "/QUIT/d" $f1.tmp > $f2.tmp
#For messages
sed -e "/send /d" -e "/expect/d" -e "/OK/d" -e "/AT&F/d" -e "/ATZ/d" -e "/ ^M /d" $f2.tmp > $f1.tmp
sed -e "/Swansea/d" -e "/logging/d" -e "/starting/d" -e "/Ready/d" -e "/0x03f8/d" $f1.tmp > $f2.tmp
sed -e "/0x02f8/d" -e "/sbpcd.c/d" -e "/CR-563/d" -e "/copyright/d" -e "/sockets/d" $f2.tmp > $f1.tmp
sed -e "/SLIP/d" -e "/sbpcd-0/d" -e "/1.44M/d" -e "/8272A/d" -e "/statistics/d" $f1.tmp > $f2.tmp
sed -e "/Please/d" -e "/hangup/d" -e "/ip-down/d" -e "/scans/d" $f2.tmp > $f1.tmp
sed -e "/abort on/d" -e "/Serial/d" -e "/registered/d" $f1.tmp > $f2.tmp
mv $f2.tmp $f1
rm -r /var/log/*.tmp
mail -s "$HOST syslog for `cat /var/log/yesterdays-date`" root@localhost < /var/log/syslog.`date +'%b%d%y'`
rm /var/log/syslog.`date +'%b%d%y'`
echo -e "SYSLOG: Parsed, filtered, mailed and deleted syslog"
echo -e "---------------------------------------------------"
echo " Start secure: `date`" >> /var/log/sendlogs.status
cat /var/log/secure | grep "`cat /var/log/yesterdays-date`" > /var/log/secure.`date +'%b%d%y'`
export f1=/var/log/secure.`date +'%b%d%y'`
#echo "file 1: $f1"
#echo "file 2: $f2"
sed -e "/127/d" $f1 > $f1.tmp
mv $f1.tmp /var/log/secure.`date +'%b%d%y'`
mail -s "$HOST secure for `cat /var/log/yesterdays-date`" root@localhost < /var/log/secure.`date +'%b%d%y'`
rm -r /var/log/*.tmp 2> /dev/null > /dev/null
rm /var/log/secure.`date +'%b%d%y'`
echo -e "SECURE: Parsed, filtered, mailed and deleted secure"
echo -e "---------------------------------------------------"
echo " Start xferlog: `date`" >> /var/log/sendlogs.status
cat /var/log/xferlog | grep "`cat /var/log/yesterdays-date`" > /var/log/xferlog.`date +'%b%d%y'`
mail -s "$HOST xferlog for `cat /var/log/yesterdays-date`" root@localhost < /var/log/xferlog.`date +'%b%d%y'`
rm /var/log/xferlog.`date +'%b%d%y'`
echo -e "XFERLOG: Parsed, filtered, mailed and deleted xferlog"
echo -e "-----------------------------------------------------"
echo " Start kernel: `date`" >> /var/log/sendlogs.status
cat /var/log/kernel | grep "`cat /var/log/yesterdays-date`" > /var/log/kernel.`date +'%b%d%y'`
export f1=/var/log/kernel.`date +'%b%d%y'`
export f2=/var/log/testfile
#For kernel - Delete all PORT 80 stuff
sed -e "/$EXTIP:80/d" $f1 > $f1.tmp
mail -s "$HOST kernel for `cat /var/log/yesterdays-date`" root@localhost < /var/log/$f1.tmp
rm -r /var/log/*.tmp 2> /dev/null > /dev/null
rm /var/log/kernel.`date +'%b%d%y'`
echo -e "KERNEL: Parsed, filtered, mailed and deleted kernel"
echo -e "---------------------------------------------------"
echo " Start vitals: `date`" >> /var/log/sendlogs.status
df > /var/log/sendlogs.`date +'%b%d%y'`
echo -e "\n\n\n" >> /var/log/sendlogs.`date +'%b%d%y'`
w >> /var/log/sendlogs.`date +'%b%d%y'`
echo -e "\n\n\n" >> /var/log/sendlogs.`date +'%b%d%y'`
free >> /var/log/sendlogs.`date +'%b%d%y'`
echo -e "\n\n\n" >> /var/log/sendlogs.`date +'%b%d%y'`
ps aux >> /var/log/sendlogs.`date +'%b%d%y'`
echo -e "\n\n\n" >> /var/log/sendlogs.`date +'%b%d%y'`
lsof -i >> /var/log/sendlogs.`date +'%b%d%y'`
mail -s "$HOST vitals for `cat /var/log/yesterdays-date`" root@localhost < /var/log/sendlogs.`date +'%b%d%y'`
rm -f /var/log/sendlogs.`date +'%b%d%y'`
echo -e "VITALS: Sent system vitals.."
echo -e "----------------------------"
# Create a full file system ls-laR archive in /etc/info
#
# NOTE: You should ALSO copy this file to somewhere on a DIFFERENT HD,
# floppy, etc. in case your mail HD fails.
#
echo " Start ls-laR: `date`" >> /var/log/sendlogs.status
ls -laR / 2> /dev/null | bzip2 -9 > /etc/info/logs/ls-laR.`date +'%b%d%y'`.bz2
echo -e "LS-LAR: Created full file system ls-laR archive in /etc/info"
echo -e "------------------------------------------------------------"
# cp /etc/info/logs/ls-laR.`date +'%b%d%y'`.bz2 /to/some/other/HD
# Create a full file system du archive in /etc/info
#
# NOTE: You should ALSO copy this file to somewhere on a DIFFERENT HD,
# floppy, etc. in case your mail HD fails.
#
echo " Start du: `date`" >> /var/log/sendlogs.status
du / 2> /dev/null | bzip2 -9 > /etc/info/logs/du.`date +'%b%d%y'`.bz2
# cp /etc/info/logs/du.`date +'%b%d%y'`.bz2 /to/some/other/HD
echo -e "DU: Created full file system du archive in /etc/info"
echo -e "----------------------------------------------------"
# Search for SUID programs, compare the results to the approved list and email
# the results
echo " Start SUID: `date`" >> /var/log/sendlogs.status
find / -type f \( -perm -04000 -o -perm -02000 \) -ls 2> /dev/null > /etc/info/suid-results-new
diff /etc/info/suid-results-checked /etc/info/suid-results-new 2> /dev/null > /etc/info/suid-results-diff
#
mail -s "$HOST SUID results for `cat /var/log/yesterdays-date`" root@localhost < /etc/info/suid-results-diff
rm -f /etc/info/suid-results-diff
echo -e "SUID: Sent SUID check.."
echo -e "-----------------------"
# Search for rhost files, compare the results to the approved list and email
# the results
echo " Start RHOSTs: `date`" >> /var/log/sendlogs.status
find / 2> /dev/null | grep -e ".rhosts" -e "hosts.equiv" > /etc/info/rcmd-results-new
diff /etc/info/rcmd-results-checked /etc/info/rcmd-results-new > /etc/info/rcmd-results-diff
#
mail -s "$HOST RCMD results for `cat /var/log/yesterdays-date`" root@localhost < /etc/info/rcmd-results-diff
rm -f /etc/info/rcmd-results-diff
echo -e "Sent RCMD check.."
echo -e "-----------------"
# Search for altered RPM packages, compare the results to the approved list
# and email the results
echo " Start RPMS: `date`" >> /var/log/sendlogs.status
/bin/rpm -Va > /etc/info/rpm-results-new
diff /etc/info/rpm-results-checked /etc/info/rpm-results-new > /etc/info/rpm-results-diff
#
mail -s "$HOST RPM results for `cat /var/log/yesterdays-date`" root@localhost < /etc/info/rpm-results-diff
rm -f /etc/info/rpm-results-diff
echo -e "Sent RPM check.."
echo -e "----------------"
#Get SETI statsistics
#
# This section is commented out by default
#
# (this is optional and only is useful for people using Seti and the Jsetidoor
# proxy
#
#JDATE=`cat /usr/src/archive/seti/proxy/jsetidoor/jseti-current-date`
#JPERF="/usr/src/archive/seti/proxy/jsetidoor/jsd-performance.log"
#JLOG="/usr/src/archive/seti/proxy/jsetidoor/jsd.log"
#JCOUNT=`cat $JLOG | grep -e $JDATE | grep -e update | wc --lines`
#echo -e "\nSETI stats: WU completed for $JDATE is $JCOUNT\n"
#echo -e "SETI stats: WU completed for $JDATE is $JCOUNT" >> $JPERF
#
#Update date for next run
#/usr/src/archive/seti/proxy/jsetidoor/jseti-date
# This section is commented out by default
#
# This section is to DD one HD to a backup HD. This is a simple but VERY
# effective online backup though it is only done once a night. If you
# have a spare HD in your system, this is the next best thing to setting
# up RAID1. Personally, I just recommend to setup RAID1! :)
#
# Please note that the block size and timing was found by doing testing
# for my specific system. You should do this for your own setup to
# to find your optimial setup.
#
#echo -e "-------------------------------------------------------------------------------"
#echo " Start dd: `date`" >> /var/log/sendlogs.status
#echo -e "DD /dev/sda to /dev/sdc : 1k transfers yields an optimal 22minute"
#echo -e "transfer at 27 percent CPU load\n"
#time dd if=/dev/sda of=/dev/sdc bs=1k
echo -e "-------------------------------------------------------------------------------"
echo -e "\nRemaining entries are due to errors in the cron files or in /etc/logrotate.d files\n"
echo "Finished Sendlogs: `date`" >> /var/log/sendlogs.status
STOP=`date +%s`
echo -e "\n\nSendlogs took `echo "( $STOP - $START ) / 60" | bc -l` minutes\n"
#!/bin/sh
# TrinityOS-sendlogs.sh
# v01/07/01
#
# Part of the copyrighted and trademarked TrinityOS document.
# <url url="http://www.ecst.csuchico.edu/~dranch">
#
# Written and Maintained by David A. Ranch
# dranch at trinnet dot net
#
# Updates:
#
# 01/07/01 - This script is now parsed directly from the SGML code and
# because of this, several formatting issues were fixed.
# - Made the output a little more pretty
# - #ed out some diagnostic file information
# - added an lsof log entry
# - cleaned up the error reports in the SUID and RCMD searches
#
# 12/26/00 - Added --MARK-- Filtering
#
# 10/28/00 - Added an optional and #ed out section on DDing one HD to
# another. This is a simple but VERY effective online backup
# though it is only done once a night. If you have a spare HD
# in your system, this is the next best thing to setting up
# RAID1. Personally, I just recommend to setup RAID1! :)
#
# 10/08/00 - Deleted the removal of the SUID and RCMD new result files
#
# 09/16/00 - Added a full RPM database verification setup
#
# 04/15/00 - Added the $HOST variable to easily tune the SUBJECT field to
# reflect the name of your Linux system. You should edit this
# to reflect your system.
#
# 04/09/00 - Hmmm.. we need %e and NOT %d for catching dates 01-09.
# Basically, I need to reverve the change on 01/17/00.
#
# 02/21/00 - Doh! We do need the spaces between %b and %d
#
# 01/17/00 - Fixed all the "date" issues. Date now uses %d over %e and
# doesn't use any spaces.
#
# 01/01/00 - Fixed a missing ">" on line 139
#
# 12/16/99 - Fixed the RCMD mailer command at the end. The "mail -s" line
# needed to be ONE line
#
# 11/26/99 - Cleaned things up a bit
# - Made all file references absolute
#
# 02/01/99 - Added "w" to the vitals output
# Change this variable to reflect the HOSTNAME of this box
# --------------------------------------------------------
HOST="TrinityOS"
#Make sure that the "yesterdays-date" file exists. If not, create it.
#
if [ -f /var/log/todays-date ]; then
mv /var/log/todays-date /var/log/yesterdays-date;
else
date +'%b %e' > /var/log/yesterdays-date;
fi
#Make sure that the "/etc/info/logs" directory exists. If not, create it.
#
if [ -a /etc/info ]; then
if [ -a /etc/info/logs ]; then
echo "";
else
mkdir /etc/info/logs;
fi
else
mkdir /etc/info;
mkdir /etc/info/logs;
fi
date +'%b %e' > /var/log/todays-date
cat /var/log/messages | grep "`cat /var/log/yesterdays-date`" > /var/log/messlog.`date +'%b%d%y'`
export f1=/var/log/messlog.`date +'%b%d%y'`
export f2=/var/log/testfile
#echo "File 1: $f1"
#echo "File 2: $f2"
#For messages - FTP and PPP stuff
#
sed -e "/PWD/d" -e "/PASV/d" -e "/TYPE/d" -e "/PORT/d" -e "/NLST/d" -e "/SYST/d" $f1 > $f1.tmp
sed -e "/PASS/d" -e "/QUIT/d" -e "/LIST/d" -e "/CDUP/d" -e "/ATDT/d" -e "/Welcome/d" $f1.tmp > $f2.tmp
sed -e "/Using/d" -e "/Connect/d" -e "/Remote/d" -e "/IP address/d" -e "/CHECKSUM/d" $f2.tmp > $f1.tmp
sed -e "/Terminated/d" -e "/Terminating/d" -e "/diald/d" -e "/2.2.0/d" -e "/Exit./d" $f1.tmp > $f2.tmp
sed -e "/(passwd=guest)/d" -e "/alarm/d" -e "/Failed/d" $f2.tmp > $f1.tmp
#For messages - modem specific stuff
#
#sed -e "/send /d" -e "/expect/d" -e "/OK/d" -e "/AT&F/d" -e "/ATZ/d" -e "/ ^M /d" $f1.tmp > $f2.tmp
#sed -e "/Swansea/d" -e "/logging/d" -e "/starting/d" -e "/Ready/d" -e "/0x03f8/d" -e "/0x02f8/d" $f2.tmp > $f1.tmp
#sed -e "/sbpcd.c/d" -e "/CR-563/d" -e "/copyright/d" -e "/sockets/d" -e "/Serial/d" -e "/registered/d" $f1.tmp > $f2.tmp
#sed -e "/SLIP/d" -e "/sbpcd-0/d" -e "/ATM0X7/d" -e "/1.44M/d" -e "/8272A/d" -e "/statistics/d" $f2.tmp > $f1.tmp
#sed -e "/Please/d" -e "/hangup/d" -e "/ip-down/d" -e "/scans/d" $1.tmp -e "/abort on/d" $f1.tmp > $f2.tmp
#sed -e "/CONNECT /d" -e "/BUSY/d" -e "/SIGHUP/d" $f2.tmp > $f1.tmp
#For messages - modem dialout specific stuff
#
#echo -e "---------------------------------------" > /var/log/header.tmp
#echo -e "$HOST Call stats for \c" >> /var/log/header.tmp
#date >> /var/log/header.tmp
#echo -e " " >> /var/log/header.tmp
#echo -e "Total number of connects: \c" >> /var/log/header.tmp
#grep -c "CONNECT" $f1.tmp >> /var/log/header.tmp
#echo -e " 21600: \c" >> /var/log/header.tmp
#grep -c "21600" $f1.tmp >> /var/log/header.tmp
#echo -e " 26400: \c" >> /var/log/header.tmp
#grep -c "26400" $f1.tmp >> /var/log/header.tmp
#echo -e " 28800: \c" >> /var/log/header.tmp
#grep -c "28800" $f1.tmp >> /var/log/header.tmp
#echo -e " 31200: \c" >> /var/log/header.tmp
#grep -c "31200" $f1.tmp >> /var/log/header.tmp
#echo -e " 33600: \c" >> /var/log/header.tmp
#grep -c "33600" $f1.tmp >> /var/log/header.tmp
#echo -e " 33600: \c" >> /var/log/header.tmp
#grep -c "41333" $f1.tmp >> /var/log/header.tmp
#echo -e " 41333: \c" >> /var/log/header.tmp
#grep -c "42666" $f1.tmp >> /var/log/header.tmp
#echo -e " 42666: \c" >> /var/log/header.tmp
#echo -e " " >> /var/log/header.tmp
#echo -e "Total number of busys: \c" >> /var/log/header.tmp
#grep -c "BUSY" $f1.tmp >> /var/log/header.tmp
#echo -e "---------------------------------------" >> /var/log/header.tmp
#echo -e " " >> /var/log/header.tmp
#cat /var/log/header.tmp >> $f1.tmp
#For messages - named specific stuff
#
sed -e "/Cleaned/d" -e "/USAGE/d" -e "/NSTATS/d" -e "/XSTATS/d" $f1.tmp > $f2.tmp
sed -e "/points/d" -e "/Lame server/d" $f2.tmp > $f1.tmp
#For messges - SSH specific
sed -e "/Generating /d" -e "/generation /d" -e "/NSTATS/d" -e "/XSTATS/d" $f1.tmp > $f2.tmp
#For messges - Delete --MARK-- entries
sed -e "/-- MARK --/d" $f2.tmp > $f1.tmp
mv $f1.tmp $f1
rm -R /var/log/*.tmp
mail -s "$HOST messages for `cat /var/log/yesterdays-date`" root@localhost < /var/log/messlog.`date +'%b%d%y'`
rm /var/log/messlog.`date +'%b%d%y'`
echo -e "-------------------------------------------------------"
echo -e "MESSAGES: Parsed, filtered, mailed and deleted messages"
echo -e "-------------------------------------------------------"
#---------------------------------------------
cat /var/log/syslog | grep "`cat /var/log/yesterdays-date`" > /var/log/syslog.`date +'%b%d%y'`
export f1=/var/log/syslog.`date +'%b%d%y'`
#echo "file 1: $f1"
#echo "file 2: $f2"
#Syslog - modem specific
#sed -e "/ got /d" -e "/abort on/d" -e "/expect/d" -e "/ ^M /d" -e "/AT&F1^M^M/d" $f1 > $f1.tmp
#sed -e "/ATZ^M^M/d" -e "/ATM0X7S11=40^M^M/d" -e "/Executed/d" -e "/ATDT/d" $f1.tmp > $f2.tmp
#sed -e "/Welcome/d" -e "/Using/d" -e "/Connect/d" -e "/Remote/d" -e "/IP address/d" $f2.tmp > $f1.tmp
#sed -e "/CHECKSUM/d" -e "/Terminated/d" -e "/Terminating/d" -e "/diald/d" -e "/2.2.0/d" $f1.tmp > $f2.tmp
#sed -e "/Exit./d" -e "/(passwd=guest)/d" -e "/alarm/d" -e "/Failed/d" -e "/CONNECT/d" $f2.tmp > $f1.tmp
#sed -e "/hangup/d" -e "/RINGING^M/d" $f1.tmp > $f2.tmp
#mv $f2.tmp $f1
#syslog FTP,
sed -e "/PWD/d" -e "/PASV/d" -e "/LIST/d" -e "/CDUP/d" -e "/RETR/d" -e "/CWD/d" $f1 > $f1.tmp
sed -e "/TYPE/d" -e "/PASS/d" -e "/QUIT/d" $f1.tmp > $f2.tmp
#For messages
sed -e "/send /d" -e "/expect/d" -e "/OK/d" -e "/AT&F/d" -e "/ATZ/d" -e "/ ^M /d" $f2.tmp > $f1.tmp
sed -e "/Swansea/d" -e "/logging/d" -e "/starting/d" -e "/Ready/d" -e "/0x03f8/d" $f1.tmp > $f2.tmp
sed -e "/0x02f8/d" -e "/sbpcd.c/d" -e "/CR-563/d" -e "/copyright/d" -e "/sockets/d" $f2.tmp > $f1.tmp
sed -e "/SLIP/d" -e "/sbpcd-0/d" -e "/1.44M/d" -e "/8272A/d" -e "/statistics/d" $f1.tmp > $f2.tmp
sed -e "/Please/d" -e "/hangup/d" -e "/ip-down/d" -e "/scans/d" $f2.tmp > $f1.tmp
sed -e "/abort on/d" -e "/Serial/d" -e "/registered/d" $f1.tmp > $f2.tmp
mv $f2.tmp $f1
rm -r /var/log/*.tmp 2> /dev/null > /dev/null
mail -s "$HOST syslog for `cat /var/log/yesterdays-date`" root@localhost < /var/log/syslog.`date +'%b%d%y'`
rm /var/log/syslog.`date +'%b%d%y'`
echo -e "SYSLOG: Parsed, filtered, mailed and deleted syslog"
echo -e "---------------------------------------------------"
cat /var/log/secure | grep "`cat /var/log/yesterdays-date`" > /var/log/secure.`date +'%b%d%y'`
export f1=/var/log/secure.`date +'%b%d%y'`
#echo "file 1: $f1"
#echo "file 2: $f2"
sed -e "/127/d" $f1 > $f1.tmp
mv $f1.tmp /var/log/secure.`date +'%b%d%y'`
mail -s "$HOST secure for `cat /var/log/yesterdays-date`" root@localhost < /var/log/secure.`date +'%b%d%y'`
rm -r /var/log/*.tmp
rm /var/log/secure.`date +'%b%d%y'`
echo -e "SECURE: Parsed, filtered, mailed and deleted secure"
echo -e "---------------------------------------------------"
cat /var/log/xferlog | grep "`cat /var/log/yesterdays-date`" > /var/log/xferlog.`date +'%b%d%y'`
mail -s "$HOST xferlog for `cat /var/log/yesterdays-date`" root@localhost < /var/log/xferlog.`date +'%b%d%y'`
rm /var/log/xferlog.`date +'%b%d%y'`
echo -e "XFERLOG: Parsed, filtered, mailed and deleted xferlog"
echo -e "-----------------------------------------------------"
cat /var/log/kernel | grep "`cat /var/log/yesterdays-date`" > /var/log/kernel.`date +'%b%d%y'`
mail -s "$HOST kernel for `cat /var/log/yesterdays-date`" root@localhost < /var/log/kernel.`date +'%b%d%y'`
rm /var/log/kernel.`date +'%b%d%y'`
echo -e "KERNEL: Parsed, filtered, mailed and deleted kernel"
echo -e "---------------------------------------------------"
df > /var/log/sendlogs.`date +'%b%d%y'`
echo -e "\n\n\n" >> /var/log/sendlogs.`date +'%b%d%y'`
w >> /var/log/sendlogs.`date +'%b%d%y'`
echo -e "\n\n\n" >> /var/log/sendlogs.`date +'%b%d%y'`
free >> /var/log/sendlogs.`date +'%b%d%y'`
echo -e "\n\n\n" >> /var/log/sendlogs.`date +'%b%d%y'`
ps aux >> /var/log/sendlogs.`date +'%b%d%y'`
echo -e "\n\n\n" >> /var/log/sendlogs.`date +'%b%d%y'`
lsof -i >> /var/log/sendlogs.`date +'%b%d%y'`
mail -s "$HOST vitals for `cat /var/log/yesterdays-date`" root@localhost < /var/log/sendlogs.`date +'%b%d%y'`
rm -f /var/log/sendlogs.`date +'%b%d%y'`
echo -e "VITALS: Sent system vitals.."
echo -e "----------------------------"
# Create a full file system ls-laR archive in /etc/info
#
# NOTE: You should ALSO copy this file to somewhere on a DIFFERENT HD,
# floppy, etc. in case your mail HD fails.
#
ls -laR / 2> /dev/null | bzip2 > /etc/info/logs/ls-laR.`date +'%b%d%y'`.bz2
echo -e "LS-LAR: Created full file system ls-laR archive in /etc/info"
echo -e "------------------------------------------------------------"
# cp /etc/info/logs/ls-laR.`date +'%b%d%y'`.bz2 /to/some/other/HD
# Create a full file system du archive in /etc/info
#
# NOTE: You should ALSO copy this file to somewhere on a DIFFERENT HD,
# floppy, etc. in case your mail HD fails.
#
du / 2> /dev/null | bzip2 > /etc/info/logs/du.`date +'%b%d%y'`.bz2
# cp /etc/info/logs/du.`date +'%b%d%y'`.bz2 /to/some/other/HD
echo -e "DU: Created full file system du archive in /etc/info"
echo -e "----------------------------------------------------"
# Search for SUID programs, compare the results to the approved list and email
# the results
find / -type f \( -perm -04000 -o -perm -02000 \) -ls 2> /dev/null > /etc/info/suid-results-new
diff /etc/info/suid-results-checked /etc/info/suid-results-new 2> /dev/null > /etc/info/suid-results-diff
#
mail -s "$HOST SUID results for `cat /var/log/yesterdays-date`" root@localhost < /etc/info/suid-results-diff
rm -f /etc/info/suid-results-new
echo -e "SUID: Sent SUID check.."
echo -e "-----------------------"
# Search for rhost files, compare the results to the approved list and email
# the results
find / 2> /dev/null | grep -e ".rhosts" -e "hosts.equiv" > /etc/info/rcmd-results-new
diff /etc/info/rcmd-results-checked /etc/info/rcmd-results-new > /etc/info/rcmd-results-diff
#
mail -s "$HOST RCMD results for `cat /var/log/yesterdays-date`" root@localhost < /etc/info/rcmd-results-diff
rm -f /etc/info/rcmd-results-new
echo -e "Sent RCMD check.."
echo -e "-----------------"
# Search for altered RPM packages, compare the results to the approved list
# and email the results
/bin/rpm -Va > /etc/info/rpm-results-new
diff /etc/info/rpm-results-checked /etc/info/rpm-results-new > /etc/info/rpm-results-diff
#
mail -s "$HOST RPM results for `cat /var/log/yesterdays-date`" root@localhost < /etc/info/rpm-results-diff
rm -f /etc/info/rpm-results-diff
echo -e "Sent RPM check.."
echo -e "----------------"
# This section is commented out by default
#
# This section is to DD one HD to a backup HD. This is a simple but VERY
# effective online backup though it is only done once a night. If you
# have a spare HD in your system, this is the next best thing to setting
# up RAID1. Personally, I just recommend to setup RAID1! :)
#
# Please note that the block size and timing was found by doing testing
# for my specific system. You should do this for your own setup to
# to find your optimial setup.
#
#echo -e "DD /dev/sda to /dev/sdd : 1k transfers yeilds an optimal 22minute transfer\n"
#time dd if=/dev/sda of=/dev/sdd bs=1k
echo -e "-------------------------------------------------------------------------------"
echo -e "\nRemaining entries are due to errors in the cron files or in /etc/logrotate.d files\n"
- Next, make the file executable by running "chmod 700 /usr/local/sbin/sendlogs"
- Now create the following directories and fix their permissions
mkdir /etc/info
mkdir /etc/info/logs
chmod -R 700 /etc/info
* Before you run the "sendlogs" script, follow the procedure in Section 18
- Now, you have to make cron run this script every day:
BSD-style (Slackware, etc): ---------------------------
Edit the file /var/spool/cron/crontabs/root and append the following:
--
# Run the sendlogs program at 12:00am everyday
0 12 * * * /usr/local/sbin/sendlogs
--
- That's it. Now, make cron re-read it's config files by doing:
SysV-style (Redhat): --------------------
Create the file /etc/cron.daily/a-sendlogs and enter in:
NOTE: Why the name "a-sendlogs"? The reason is because the crontab runs all the files in /etc/cron.daily in alphabetical order. We need to run the sendlogs script BEFORE the "rotatelogs" script executes.
#!/bin/sh
cd /usr/local/sbin
./sendlogs
Now make it executable via "chmod 700 /etc/cron.daily/a-sendlogs"
Once you start getting the parsed nightly logs, I HIGHLY recommend that you start creating a on-going log file of your firewall hits. You can learn how to read the firewall hits in Section 10.
I do this by manually creating a simple ASCII text file that I populate with the date, port #, port type, the source name (manually found via nslookup), and the IP address. For the sites that won't reverse resolve, I just do a traceroute to the closest named hop.
So why do I do this? Because you'll soon see trends of simple telnets to full blown port scans from specific IPs and/or domains. Also.. some hackers run port scans that take weeks and not minutes. If you run a log like this, you'll catch them!
Here is one example from my "Firewall hits list" of some dirtbag that tried to do a DoS attack against my IMAP service. Not only did my firewall stop him, but TCP wrappers would have stopped him and I logged the fact. I've changed the IP address to protect the luser and myself.
NOTE: Not only is it important to log the destination port the hacker was trying to get to but also their source port. This luser was using source port 0 which is common DoS attack method:
01/08/99 143/tcp Name: cc6666666-b..nj.home.com Address: 10.0.0.1
from port 0!
Once you start seeing the proactive logs via email, some entries will seem bad at first but hopefully this section will help you understand what things mean:
The /proc file system is a virtual file system and somethings cannot be listed due to operating system restrictions and/or security issues. If you see entries like:
ls: /proc/2/exe: No such file or directory
ls: /proc/3/exe: No such file or directory
ls: /proc/4/exe: No such file or directory
ls: /proc/5/exe: No such file or directory
As part of keeping a system secure, you will need to patch it often. When you apply a new set of patches, the file size, date, etc. will change. The next Sendlogs results will notify you of these changes. If the changed files were due to an applied patch, things are ok.
It should also be noted that as a Linux system is running, the EXT2 file system will eventually change a file's time stamp (typically after six months) from the file's creation DATE (month and day) and TIME (hour and minute) to simple the DATE (month, day, and year). So, when you see a file change from the Sendlogs script, definately make sure the file size and permissions are the same but pay close attention to the DATE. If only the date changed from the TIME to YEAR, things are ok.
As you patch your system, you want to be sure that the changed files, RPM database, and the MD5 sums of files are accounted for. One nice thing about the RPM verification is that you can monitor if files are modified either on purpose, by corruption, or by intrusion.
So, part of maintaining a secure and reliable Linux box is you will have to replace the reference files in /etc/info. Once you are sure that the changes that have shown up in your email box are ok (as described above), you will need to move the new files to become the new reference file.
mv /etc/info/suid-results-new /etc/info/suid-results-checked
mv /etc/info/rcmd-results-new /etc/info/rcmd-results-checked
mv /etc/info/rpm-results-new /etc/info/rpm-results-checked
If you are unfamiliar with how TCP/IP packet filters work, the following should give you a decent start. Please understand that if you don't understand what is being described below, you should probably do a little research on how TCP/IP works.
Think of a IPCHAINS or IPFWADM rule set like the following:
DENY:
If you TELNET to a box that "denies" TELNET traffic, your TELNET client will just sit there and try for a period to connect to that remote host. Ultimately, the TELNET request will eventually timeout.
REJECT:
If you TELNET to a box that "rejects" TELNET traffic, your TELNET request traffic will be met with an ICMP message telling the originator that the traffic was rejected. This is the normal behavior for a machine that does not SUPPORT telnet server access in the first place (like stock versions of MS Windows9x, NT, etc.).
If someone connects to your server and you REJECT their traffic, it seems to them as if your computer cannot serve, say, TELNET connections. If you DENY the traffic, then their TELNET traffic just dies and their TELNET client eventually times out.
So? With REJECT, a hacker doesn't know if your machine CAN or CAN NOT run a TELNET server. With DENY, a hacker will always KNOW that you are filtering them. I feel that a firewall using REJECTs make your box look "simpler" and thus less interesting to attack.
So , lets explain how a packet firewall works with an example:
Say you have a TELNET packet (port 23) from the Internet that wants to reach your Linux box
FYI: Some ideas of possible packet firewall rules can include:
Then let the packet IN though the packet firewall. If not matched, the packet is either REJECTED or DENIED. You can also log the fact that this packet was killed.
Once the reply TELNET traffic is generated, the actual return traffic will be returned on a HIGH PORT ( port > 1024 ) and NOT on port 23.
If you don't understand this, please read up on TCP/IP fundamentals since this discussion is out of the scope of TrinityOS.
For this example, lets say the return TELNET traffic is on port 3200. Now, this return port 3200 traffic is then sent to the OUTPUT filter of the EXTERNAL NIC card.
NOTE: This is is what a "router" does on a basic level.
+-------------------------------+
| Linux TCP/IP stack |
|_______________________________|
| (3) Telnetd Server |
{PORT 23} |_______________________________| (Port 3200)
(2) +--->| Input: Forward: Output: |-------------+ (4)
| +-------------------------------+ |
| |
| |
+------------+ | +------------+ |
| Input | | | Output |<--+
| Rule | | | Rule | ^
{PORT 23} | | | | | |
(1) +-IN--->| P a s s ? |---+ +--------------| P a s s ? | |
| | or | | | or | |
^ |Deny/Reject?| | (5) |Deny/Reject?| |
--------- +------------+ | +------+-----+ |
*Send* | | | |
--------- v Check if packet v |
Remote Dump Packet No +---- needs to be Dump Packet |
Internet (possibly log it) | forwarded (possibly log it) |
site | | |
--------- | (6) | Yes |
*Received* | | |
--------- | v |
^ | +--------------+ +---------------^------+
| {PORT 3200} | | Forward | | Write the packet for |
(7) +-----------------------------+ | Rule | | the destination |
| | | network address |
| | | |
Dump Packet <------|Don't Forward?| | Possibly re-write the|
(possibly log it) | | |SRC addresses for MASQ|
| Forward? | +----------------------+
| or | ^
|FWD & MASQ it |-----------------------+
+--------------+
Basically, IP MASQ's main mechanism works when an INTERNAL machine initiates traffic to the outside world. External machines on the Internet CAN directly communicate to an internal machine(s) with the aid of PORTFWing but this is better explained in the IP Masquerade HOWTO. PORTFW support IS included in the TrinityOS firewall ruleset but for a full explination, again, please see the IP Masqerade HOWTO.
Anyway, when an internal machine (for now, in that diagram in the URL above, think of the "Remote Internet Site" on the left with your internal machine. If this diagram confuses you, just skip it and read through this example..
1. Say the internal machine trys to TELNET to some server out on the Internet.
For this explict example, this example is:
Source src IP: 192.160.0.10
src port: 3200
dst port: 23
Linux : src IP: 111.222.212.222
External src port: 64000
dst port: 23
Destination: dest IP: 222.020.222.111
dst port: 23
2. The MASQ server receives this request from the MASQed PC over the Internal
interface and it hits the Input firewall. Here, the input firewall can
either accept the packet or deny it. For this example, assume it will be
ACCEPTed.
3. Now, if the packet was also allowed through the OUTPUT firewall, the
TELNET would be finally forwarded through the MASQ server unchanged
except...
3M. Notice that src port IP address of the TELNET is a private RFC1918 address?
These addresses aren't routable on the Internet so it must be changed to
a public address. To be able to track this change, the SRC port address
will be changed as well.
The changes in IP address and port number is IP MASQ in action! What Masq
basically does is RECORDs the traffic type (for this example, 23, TELNET),
where the traffic is going (DST IP address, 222.020.222.111) and the
original SRC port (SRC port 3200) from the MASQed client. It takes all
this information and puts it into a MASQUERADE table.
It then will re-send this TELNET traffic out on its EXTERNAL NIC but it
will also alter the packet. It will both re-addresses the Source IP address
(SRC IP) with the MASQ server's own external IP address and change the
source port (SRC port) to something in the range of 61000-64096. So, the
packet would now look something like:
Source: SRC IP: 111.222.212.222
SRC port: 64000
Destination: DST IP: 222.020.222.111
DST port: 23
4. When the response comes back from that remote TELNET server, the Linux
MASQ server will recognise that this traffic as coming back from a server
that is in the MASQ table. It would then take the packet and first verify
that it should be allowed through the INPUT section of the firewall.
Next, it would then replace the destination IP address (DST IP) with the
correct FINAL IP address of original internal TELNET client and also change
the original SRC port address back to 3200.
The returning packet now looks like:
Source: DST IP: 222.020.222.111
DST port: 23
Destination: SRC IP: 192.160.0.10
SRC port 3200
Get it?
If you want another explination of how MASQ works, I wrote a semi-comprehensive
article about it in the August 1999 version of Linux Magazine. You can get an
online version of it at:
http://www.linux-mag.com/1999-08/guru_01.html
Now, I want to quickly comment on the use of HIGH TCP/IP ports and what is the difference between a PACKET firewall and a STATEFULLY INSPECTED firewall. Though you might let port 23 OUT of your Linux box (TELNET), if you don't also allow ports 1024-65535 back INTO your Linux box, TELNET won't work.
Now you might be thinking that letting in ALL high ports back into your Linux box is a BAD thing. You know what? YOU'RE RIGHT!
Realistically, it would be nice to only allow in only the return HIGH ports that you need. This is what the "-k" option in IPFWADM or "! -y" is for IPCHAINS. The problem is, IPFWADM and IPCHAINS aren't smart enough yet to understand all TCP/IP programs such like TELNET, WWW, SSH, etc. So, some programs you can lock down the high ports with the "-k" or "! -y" options while other programs will have to be configured to allow all 1024-65535 ports in.
Bummer huh? So your next question should be "Do others firewalls have this problem?" NO! Why? Because they use a technology called "Stateful Inspection".
Stateful firewalls actually listen to ALL network traffic step-by-step to make sure that everything is going 100% correctly.
Analogy:
Packet firewall: A packet firewall only checks for source and destination IP addresses and port numbers. Kinda like a strainer for different colored marbles (if one exists).
Stateful Firewall: A stateful firewall not only checks for source and destination IP addresses and port numbers, but it also LISTENS to all TCP/IP communications to make sure that all of the "communications" are following all procedures. Think of it as a realtime grammer and spell checker for "languages" like TELNET, WWW, etc. Hackers try to re-write the "language" to try to break into it, crash it, etc. A stateful firewall will see a given TCP/IP connection running a "language" like TELNET doing weird stuff that it shouldn't be doing and then it simply drops that weird packet. Much better huh?
So your next question should be: "I want a statefully inspected firewall for Linux and NOT a packet firewall. Where do I get one?!?!"
Well.. it now exists in IPTABLES under the 2.4.x kernels. This is a huge step for for Linux. Unfortunately, if you also need to use IP Masquerading (NAT), the MASQ support for some protocols under the 2.4.x kernel isn't on par with the 2.2.x kernel set. If you don't use IPMASQ, then then IPTABLES is a great solution. It should also be noted that non-IPMASQ users can still use their IPCHAINS rulesets under 2.4.x kernels with the aid of the ipchains.o kernel module.
For now, TrinityOS only covers IPCHAINS and an older IPFWADM ruleset. A IPTABLES ruleset is under developement but is a slow project as it is an entire rewrite and will offer far more features.
Once you setup one of the firewalls shown below, you might have some problems getting running or your might be getting strange new messages on the console. What do these messages mean?
In the below rule sets, any lines that either DENY or REJECT any traffic also have a "-o" to LOG this firewall hit to the SYSLOG messages file found either in:
Redhat: /var/log Slackware: /var/adm
If you look at one of these firewall logs, you would see something like:
The kernel logs this information looking like:
IPCHAINS:
Packet log: input DENY eth0 PROTO=17 12.75.147.174:1633 100.200.0.212:23
L=44 S=0x00 I=54054 F=0x0040 T=254
IPFWADM:
Feb 23 07:37:01 Roadrunner kernel: IP fw-in rej eth0 TCP 12.75.147.174:1633
100.200.0.212:23 L=44 S=0x00 I=54054 F=0x0040 T=254
There is a LOT of information in this just one line. Let break out this example so refer back to the original firewall hit as you read this. Please note that this example is for IPFWADM though it is DIRECTLY readable for IPCHAINS users.
NOTE: To understand all the various port numbers, protocol numbers, etc., I recommend you to go to the TOP URL in Section 5 and get all of the various documents from the IANA and put them in /etc/iana.
- This firewall "hit" occurred on: "Feb 23 07:37:01"
- This hit was on the "RoadRunner" computer.
- This hit occurred on the "IP" or TCP/IP protocol
- This hit came IN to ("fw-in") the firewall
* Other logs can say "fw-out" for OUT or "fw-fwd" for FORWARD
- This hit was then "rejECTED".
* Other logs can say "deny" or "accept"
- This firewall hit was on the "eth0" interface (Internet link)
- This hit was a "TCP" packet
- This hit came from IP address "12.75.147.174" on return port "1633".
- This hit was addressed to "100.200.0.212" to port "23" or TELNET.
* If you don't know that port 23 is for TELNET, look at your
/etc/services file to see what other ports are used for.
- This packet was "44" bytes long
- This packet did NOT have any "Type of Service" (TOS) set
--Don't worry if you don't understand this; not required to know
* divide this by 4 to get the Type of Service for ipchains users
- This packet had the "IP ID" number of "18"
--Don't worry if you don't understand this; not required to know
- This packet had a 16bit fragment offset including any TCP/IP packet
flags of "0x0000"
--Don't worry if you don't understand this; not required to know
* A value that started with "0x2..." or "0x3..." means the "More
Fragments" bit was set so more fragmented packet will be coming in
to complete this one BIG packet.
* A value which started with "0x4..." or "0x5..." means that the
"Don't Fragment" bit is set.
* Any other values is the Fragment offset (divided by 8) to be later
used to recombinw into the original LARGE packet
- This packet had a TimeToLive (TTL) of 20.
* Every hop over the Internet will subtract (1) from this number. Usually,
packets will start with a number of (255) and if that number ever reaches
(0), it means that realistically the packet was lost and will be deleted.
So, with basic understanding now, lets get either your MASQing or NON-MASQing Network up!
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++ ++
++ NOTE: TrinityOS covers both IPCHAINS and IPFWADM firewall rule sets. ++
++ -------------------------------------------------------------- ++
++ ++
++ ** Please note that the IPCHAINS ruleset is VASTLY more secure and ++
++ and powerful when compared to the IPFWADM ruleset. Due to the ++
++ power and maintinance of IPCHAINS compared to IPFWADM, I recommend ++
++ that any user that MUST run a 2.0.x kernel, that they patch their ++
++ kernel to support IPCHAINS and use this newer ruleset ++
++ ++
++ In the future, I will be replacing ALL rule sets with a modular ++
++ system so all Secured IPs will be configured via a seperate file ++
++ This will let users update their main firewall rule sets to newer ++
++ verions without ANY manual customization for their environment. ++
++ ++
++ This new system is already designed but I need to finish it up. ++
++ ++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- First, you need to make sure you have either the "ipchains" or "ipfwadm" or firewall programs. To check, run the commmand "whereis ipfwadm" or "whereis ipchains". If its there, you're set. If not, download it from the URL in Section 5
* VERY IMPORTANT:
- Next, create the file /etc/rc.d/rc.firewall
Slackware Users: DELETE the module info in the following IPFWADM rule set and put it in the /etc/rc.d/rc.modules file instead
- NOTE: If you don't plan to use some of these modules, comment or un-comment the various lines (I've already commented out cuseeme, irc, quake, and vdolive).
Edit the following file to use the proper configuration below depending if you are running a 2.2.x+ kernel (IPCHAINS) or a <2.0.x kernel (IPFWADM).
All of TrinityOS's step-by-step instructions, files, and scripts are fully scripted out for an automatic installation at:
http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-security/TrinityOS-security.tar.gz
The simple (WEAK) firewall rule set for IPCHAINS or IPFWADM :
--
#!/bin/sh
# Simple firewall rule set for both IPCHAINS and IPFWADM
# v3.00
echo "Enabling IP MASQ, MASQ timeouts, MASQ modules and simple firewalling"
#Load the MASQ modules
#BSDComp
/sbin/modprobe bsd_comp
#
echo Loading MASQ modules
#/sbin/modprobe ip_masq_cuseeme
/sbin/modprobe ip_masq_ftp
#/sbin/modprobe ip_masq_irc
#/sbin/modprobe ip_masq_quake
#/sbin/modprobe ip_masq_vdolive
# NOTE: Though Real Audio will work without this module, the data
# will be coming in TCP mode vs. UDP mode. With this
# module, you can enable UDP mode and possibly clean up
# any "glitches" in the sound stream
/sbin/modprobe ip_masq_raudio
# Finished with MASQ modules
# Multicast is a powerful, yet seldom used aspect of TCP/IP for multimedia
# data. Though it isn't used much now (because most ISPs don't enable
# multicast on their networks, it will be very common in a few more
# years. Check out www.mbone.com for more detail.
#
# NOTE: Adding this feature is OPTIONAL
#
echo "Adding multicast route.."
/sbin/route add -net 224.0.0.0 netmask 240.0.0.0 dev eth0
echo "Enabling IP Masqurading.."
echo "1" > /proc/sys/net/ipv4/ip_forward
#Note: Redhat users can enable this also by turning the
# flag forward flag on in /etc/sysconfig/network
#
# Change the forward line to
# FORWARD_IPV4=true
#--------------------------------------------------------------------------
# NOTE: The following simple IPFWADM and IPCHAINS rule set is purely to
# *test* IP MASQ functionality.
#
# Though this rule set will work for
# ALL users, it WILL NOT give you any good protection from lusers
# (security crackers, etc) out on the Internet. Trust me, now that
# you are using a UNIX box, you need all the protection you can get!
# Once you can confirm that is MASQ working properly, I *HIGHLY*
# recommend that you -delete- this simple rc.firewall script and
# replace it with the strong IPCHAINS or IPFWADM rule sets shown
# later in this section!
#---------------------------------------------------------------------
#2.2.x+ kernels with IPCHAINS ONLY
#
echo " - Setting Policies: IN/OUT is ACCEPT; FWD is reject (poor security; great functionality)"
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward REJECT
echo " - Flushing any old rule sets"
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward
# 2.0.x kernels and IPFWADM users ONLY
#
#echo " - Setting Policies: IN/OUT is ACCEPT; FWD is reject (poor security; great functionality)"
#/sbin/ipfwadm -I -p accept
#/sbin/ipfwadm -O -p accpet
#/sbin/ipfwadm -F -p reject
#echo " - Flushing any old rule sets"
#/sbin/ipfwadm -I -f
#/sbin/ipfwadm -O -f
#/sbin/ipfwadm -F -f
echo "Extending MASQ timeouts.."
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 60 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
#
# IPCHAINS
/sbin/ipchains -M -S 7200 10 60
#
# IPFWADM
#/sbin/ipfwadm -M -s 7200 10 60
echo "Enable IP Masq.."
#
#IPCHAINS
ipchains -A forward -s 192.168.0.0/24 -j MASQ
#
#IPFWADM
#/sbin/ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0 -W eth0
echo "rc.firewall done."
----
Next, append this to the end of the "/etc/rc.d/rc.local" file
All distributions:
--
#Run the IP MASQ and firewall script
/etc/rc.d/rc.firewall
--
- Finally, make the rc.firewall file ROOT executable ONLY
chmod 700 /etc/rc.d/rc.firewall
That's it. Go ahead and run the new ruleset by typing in /etc/rc.d/rc.firewall and make sure that the Linux box can still access the Internet both by IP address and DNS names. For Masquerade users, also make sure that INTERNAL masqed PCs can access the Internet by both methods. If things do NOT work for you, please see Section 5 of the IP Masquerade HOWTO at http://www.ecst.csuchico.edu/~dranch/LINUX/ipmasq/c-html/. This document will help you troubleshoot any issues.
Once you confirm that IP-MASQ works ok, it is *HIGHLY* recommended to replace the above WEAK rule sets with one of the below STRONG rule sets.
############################################################################# # MASQ rc.firewall # # # # - There are -3- rule sets listed below: # # # # 1. Strong rc.firewall rule set for IPCHAINS w/ and w/o MASQ support # # for single, dual, and even three NIC configurations. # # # # ^^ This is current the ONLY rule set that is maintained ^^ # # # # 2. Strong rc.firewall rule set for IPFWADM w/ MASQ support # # # # 3. Strong rc.firewall rule set for IPFWADM w/o MASQ support for # # single NIC Linux boxes. # # # # - As mentioned above, once you have confirmed that the initial MASQ # # functionality, You *SHOULD* either create your own strong firewall # # rule set or use the following TrinityOS firewall rule set. # # # #############################################################################
*** If you aren't running MASQ, check out the other firewall rule set that follows after this one. ***
NOTE: You will have to edit this to allow machines you care about into your machine. All of this is well commented though.
NOTE #2: Even if you aren't running MASQ, you should modify these rule sets to suit your needs and APPLY them!!! You DO need some protection from the Internet!
------------------------------------------------------------------------------
All of TrinityOS's step-by-step instructions, files, and scripts are fully scripted out for an automatic installation at:
http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-security/TrinityOS-security.tar.gz
or you can just get the file here: http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-security/etc/rc.d/
It is HIGHLY recommended that you get the rc.firewall and the other TrinityOS scripts from the TrinityOS-Security archive (URL above) as it will help avoid typos, etc. *** Do NOT try to cut and paste the various scripts via a web browser into a text editor. If you do this, you will most likely find that the resulting scripts will have formatting errors (thus syntax errors) and also most likely every line will have ^M characters at the end of it which will abnormally terminate the script trying to be run. -----------------------------------------------------------------------------
+------------------------------------------------------------------+ | rc.firewall for MASQ setups with a STRONG IPCHAINS RULE SET for | | 2.4.x, 2.2.x, and patched 2.0.x. kernels | +------------------------------------------------------------------+
CRITICAL NOTE:
/etc/rc.d/rc.firewall
<TrinityOS rule set START>
#!/bin/sh
# ------------------------------------------------------------------------------
FWVER="v4.21-123nic"
#
# Part of the copyrighted and trademarked TrinityOS document.
# http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html
#
# Written and Maintained by David A. Ranch
# dranch at trinnet dot net
#
# You may use this file for private or internal commercial use ONLY.
#
# Any duplication and/or use of this file or its contents for direct
# commercial (commercial being for profit) applications and/or
# written publications (be it for profit OR free) must be granted
# by written permission from David Ranch. Basically, just ASK me..
# I'm a pretty easy going guy but DON'T assume anything. Ok?
#
# Sorry for the harsh language here but the TrinityOS ruleset has been
# taken advantage of recently.
#
# --
# Summary:
#
# The TrinityOS ruleset is a comprehensive IPCHAINS ruleset that
# supports filtering for 1, 2, and 3 network interfaces. This allows
# for strong filtering for simple one interface PPP users, two interface
# MASQ users, and even three interface MASQ users with a DMZ segment. In
# addition to all this, TrinityOS allows to explictly filter various types of
# traffic including ICMP, known trojan horse traffic, etc.
#
# NOTE: The current 4.00 firewall version requires that the INTIF
# (internal) interface be configured to then allow for the INT2IF
# (DMZ network) to function. If there is enough requests, I can
# rework the ruleset to let INTIF and INT2IF load independantly.
#
# ------------------------------------------------------------------------------
# You can get this file at:
#
# http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos
# ------------------------------------------------------------------------------
#
# Personal Changes:
#
# Put any of your own version notes HERE. Its a good idea to document
# what you've changed.
#
# ------------------------------------------------------------------------------
#
# TrinityOS Rule Set History:
#
# 04/16/05 - 4.21
# - Updated the bogon list to reflect changed bogon listing and
# added output Multicast and NFS traffic filters
# 01/29/03 - 4.20
# - The INT2BROAD variable was missing for the DMZ configuration
# but the proper setting was being automatically used regardless.
#
# 01/13/03 - 4.10
# - The latter half of the OUTPUT section was using $UNIVERSE/0
# instead of $UNIVERSE which was already set to 0.0.0.0/0.
# This was a harmless typo and didn't hurt anything but was
# incorrect
#
# 12/30/01 - 4.05
# - Somehow ip_forward was getting set to "0" instead of "1"
# - Added comments when a 2.4.x kernel is found that running
# IPCHAINS emulation is NOT recommended due to poor MASQ
# support. It is recommended to run a native IPTABLES ruleset
# under 2.4.x kernels.
#
# 12/01/01 - 4.03
# - Added an echo statement to let things run if you dont use
# DHCP
# - Added filters for the SubSeven trojan
# - Added comments to let peopel know that NOT having the
# ip_dynaddr or ip_defrag option is ok
#
# 11/09/01 - 4.02
# - Disabled external DNSd and SMTPd server options as per the
# default.
# - Added comments and #ed out DHCPd for eth1 (input and output)
# - split up the SSHd and DNSd enable/disable area for eth1
# - #ed out SSHd and DNSd access (output) per the correct default
#
# 10/04/01 - 4.01f
# - added ipchains check for 2.4.x kernels
# - make sure that dhcpc is really enabled by default
# - Added a logger line to send final result to SYSLOG
#
# 09/06/01 - v4.01
# - Fixed some syntax issues with left/right parens
# - replaced all the bash -n if..thens with string checks since
# it seems that bash doesnt know what to do with non-initialized
# vars
# - ** check for all foo entries
#
# 09/03/01 - v4.00
#
# - Changed the DMZ section to now allow full SSH connectivity between
# the DMZ and internal NICs.
# - Moved the INPUT DMZ-specific ALLOW/REJECT section to be below the
# input SECUREHOST section
# - Updated and rearranged the debug logging section
# - Added #ed out support for the H.323 IPMASQ module
# - Added PPTP support for MASQed clients
#
# 06/20/01 - v3.85
# - The IPCHAINS ruleset now can support single interface machines
# for those users who just want a firewall but aren't MASQing, etc.
# - To enable this new feature, the INTIF variable (internal interface)
# needs to be set but left EMPTY. With this set, the other INTIF
# sections will be disabled via IF..THEN checks.
#
# 03/20/01 - v3.83d-3NIC
#
# - Added 3rd NIC (eth2) for DMZ applications like 802.11b wireless networks
#
# eth0 = Internet [ public IP ]
# eth1 = internal trusted net [ 192.168.0.x ]
# eth2 = DMZ wireless network (not trusted) [ 192.168.10.x ]
#
# This DMZ interface can ONLY do the following globally
# - DHCP, DNS, internet WWW, internet FTP
# - SSH (to the internet and devices on the INT interface
# (eth1)
# - ping machines on the Internet AND devices on eth1
#
# This interface CANNOT
# - accept FTP
# - SSH any hosts on eth1
#
# The reason that I implimented this DMZ setup is for wireless networks.
# Ultimately, the 802.11b WEP encryption spec is flawed and can be completely
# sniffed within a matter of hours. Because of this, you should ONLY allow
# encrypted streams: SSH, IPSEC, and maybe PPTP.
#
# v3.83d - 03/06/01
# - Fixed a typo (stray #) where the RFC1918 10.x.x.x network was
# NOT being filtered in the OUTPUT section
#
# v3.83c - 01/27/01
# - Fixed a wrong output netmask for NET-TEST-B being a /12 instead
# of a /16. But, this really doesn't matter as I have disabled
# the filtering of reserved IP space as ARIN constantly is releasing
# this address space to the public without any form of notification.
# See the update for v3.83a
#
# v3.83b - 01/06/01
# - Fixed a missing ".0" in the Reserved-7 filters for the 72.0.0
# networks
#
# v3.83a - 11/09/00
# - Deleted all non RFC1918 address filtering. It seems that many of the
# addresses that the IANA reports as "reserved" are actually in use.
#
# - Removed all rc.firewall history motes from v3.60 and older to
# the TrinityOS-old-updates.wri (URL is above)
#
# v3.82 - 10/28/00
# - Updated the port range for Xwindows filtering
#
# v3.81 - 10/15/00
# - Crap! Last subnet error in the Reserved-8 IANA section. Please
# change the subnet mask on 68.0.0.0 to a /6!
#
# v3.80 - 10/13/00
# - Updated the version since this really is a big update
#
# -----------------------------------------------------------------------------
# All changes older than version 3.80 have been moved to the archives available
# at:
#
# <"http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-old-updates.wri">
#------------------------------------------------------------------------------
#--------------------------------------------------------------------
# This configuration assumes the following (DSL / Cablemodem setup):
#
# 1) The external interface is running on "eth0"
# 2) The external IP address is dynamically or statically assigned
# 3) The optional internal interface is "eth1"
# 4) The internal network is addressed within the private
# 192.168.0.x TCP/IP addressing scheme per RFC1918A
# 5) The optional DMZ network is on eth2
#
# ****
# NOTE: All 2.2.x Linux kernels prior to 2.2.16 have TCP exploit that
# **** that when combined with tools like Sendmail can leed to a ROOT
# compromise. In addition to this, all kernels less than 2.2.11 have
# a fragmentation bug that renders all strong IPCHAINS rule sets void.
# It is CRITICAL that users upgrade the Linux kernel to at least a
# 2.2.16+ kernel for proper firewall and system security.
#
#--------------------------------------------------------------------
#********************************************************************
# Initializing
#********************************************************************
echo -e "\n\nLoading TrinityOS IPCHAINS Firewall $FWVER"
echo "----------------------------------------------------------------------"
#--------------------------------------------------------------------
# Variables
#--------------------------------------------------------------------
# The loopback interface and address
#
LOOPBACKIF="lo"
LOOPBACKIP="127.0.0.1"
# External interface device.
#
# NOTE: PPP and SLIP users will want to replace this interface
# with the correct modem interface such as "ppp0" or "sl0"
#
# For users that might have multiple PPP interfaces, you can
# try the following code. You will need to call the firewall
# from /etc/ppp/ip-up script with a "$1" appended at the end.
#
#if [ "x$1" != "x" ]; then
# EXTIF=$1
#else
# EXTIF="ippp0"
#fi
#
EXTIF="eth0"
# Make sure the external interface is up
if ! /sbin/ifconfig | grep $EXTIF > /dev/null; then
echo -e "\n\nExternal interface is DOWN. Aborting."
exit 1;
fi
echo External Interface: $EXTIF
# IP address of the external interface
#
# *
# * If you get a DYNAMIC IP address (regardless if you use PPP
# * with a modem or DHCP with Ethernet), you *MUST* make this firewall
# * rule set understand your new IP address everytime you get a new
# * IP address. To do this, enable the following one-line script.
# *
#
# (Please note that the different single and double quote characters MATTER).
#
# NOTE: Red Hat v6.0 users who run DHCP to get TCP/IP addresses
# (Cablemodems, DSL, etc) will need to install and use a different
# DHCP client than the stock client called "pump". Redhat 6.2+
# comes with a newer version of "pump" that CAN run scripts upon
# lease bringup, renew, etc. but older versions are broken.
#
# The reason for this whole issue is the old "pump" doesn't support the
# ability to run scripts run when DHCP gets an IP address.
# Specifically, DHCP doles out IP addresses to its clients for
# limited amounts of time; this is called a "lease".
# When a DHCP "lease" expires, the client will query the DHCP
# server for a "lease renewal". Though the DHCP client will
# usually get back its original IP address in the renewal, this
# is NOT always guaranteed. With this understood, if your DHCP
# client receives a different IP address than the IPCHAINS
# firewall was configured for, the firewall will block ALL
# network access in and out of the Linux server because that
# is what it was configured to do.
#
# As mentioned above, the key to solve this problem is to use a
# DHCP client program, such like DHCPcd found in Section 5, that
# can re-run the /etc/rc.d/rc.firewall rule set once a new TCP/IP
# address is set. The new rule set will then make the required
# changes to the rule sets to allow network traffic from and to
# your new TCP/IP address.
#
# With the dhcpcd program, it will need to be executed with a
# specific command line option to have the firewall rule set
# re-run upon every DHCP lease renew (please note the -c syntax
# is depreciated in newer DHCPcd clients). Please see the
# DHCPcd section in TrinityOS for full details on how to edit
# the /sbin/ifup file.
#
#
# Static TCP/IP addressed users: For EXTIP, EXTBROAD, and EXTGW, simply replace
# the pipelines with your correct TCP/IP address, broadcast address, and
# external gateway, respectively.
#
# e.g.: EXTIP="100.200.0.212"
#
EXTIP=`/sbin/ifconfig $EXTIF | awk '/inet addr/ { gsub(".*:", "", $2) ; print $2 }'`
if [ "$EXTIP" = '' ]; then
echo "Aborting: Unable to determine the IP of $EXTIF ... DHCP or PPP problem?"
exit 1
fi
echo External IP: $EXTIP
# Broadcast address of the external network
#
# Static TCP/IP addressed users:
#
# Simply delete all of the text and including the single quotes and
# replace it with your correct TCP/IP netmask enclosed in double
# quotes.
#
# e.g.: EXTBROAD="100.200.0.255"
#
EXTBROAD=`/sbin/ifconfig $EXTIF | awk '/inet addr/ { gsub(".*:", "", $3) ; print $3 }'`
echo External broadcast: $EXTBROAD
# Gateway for the external network
#
# Static TCP/IP addressed users:
#
# Simply delete all of the text and including the single quotes and
# replace it with your correct TCP/IP default gateway or "next hop
# address".
#
# e.g.: DGW="100.200.0.1"
#
EXTGW=`/sbin/route -n | grep -A 4 UG | awk '{ print $2}'`
echo Default GW: $EXTGW
echo " --- "
# Internal interface device.
#
# ** READ ME:
#
# If you don't have any other interfaces than say eth0, delete the
# word "eth1" below. i.e. make it read:
#
# INTIF=""
#
INTIF=""
if [ "$INTIF" != "" ]; then
echo "Internal Interface: $INTIF"
else
echo -e "Internal Interface: None\n** MASQ and DMZ support disabled**"
fi
if [ "$INTIF" != "" ]; then
# IP address on the internal interface
#
# ** READ ME:
#
# If you don't have any other interfaces, delete the address
# "192.168.0.1" but leave the rest. i.e. INTIP=""
#
INTIP=""
echo Internal IP: $INTIP
fi
if [ "$INTIF" != "" ]; then
# IP network address of the internal network
#
# ** READ ME:
#
# If you don't have any other interfaces, delete the address
# "192.168.0.0/24" but leave the rest. i.e. INTLAN=""
#
INTLAN=""
echo Internal LAN: $INTLAN
fi
echo " --- "
#Do not remove this check as the ruleset currently requires the INTIF
#interface to exist for the INT2IF interface to properly function.
#
if [ "$INTIF" != "" ]; then
# DMZ interface device.
#
# ** READ ME:
#
# If you don't have any other interfaces than say eth0, delete the
# word "eth2" below. i.e. make it read:
#
# INT2IF=""
#
#INT2IF="eth2"
INT2IF=""
if [ "$INT2IF" != "" ]; then
echo "DMZ network interface: $INT2IF"
else
echo -e "DMZ Interface: None\n **DMZ support disabled**"
fi
if [ "$INT2IF" != "" ]; then
# IP address on the DMZ interface
#
# If you don't have any other interfaces, delete the address
# "192.168.10.1" but leave the rest. i.e. INT2IP=""
#
INT2IP=""
echo "DMZ interface IP: $INT2IP"
fi
if [ "$INT2IF" != "" ]; then
# IP network address of the DMZ network
#
# If you don't have any other interfaces, delete the address
# "192.168.10.0/24" but leave the rest. i.e. INT2LAN=""
#
INT2LAN=""
echo DMZ network subnet: $INT2LAN
fi
if [ "$INT2IF" != "" ]; then
# IP network broadcast of the DMZ network
#
# If you don't have any other interfaces, delete the address
# "192.168.10.255" but leave the rest. i.e. INT2BROAD=""
#
INT2BROAD=""
echo DMZ network broadcast: $INT2BROAD
fi
fi
echo " --- "
# IP Mask for all IP addresses
UNIVERSE="0.0.0.0/0"
# IP Mask for broadcast transmissions
BROADCAST="255.255.255.255"
# Specification of the high unprivileged IP ports.
UNPRIVPORTS="1024:65535"
# Specification of X Window System (TCP) ports.
XWINDOWS_PORTS="6000:6063"
# The TCP/IP addresses of a specifically allowed EXTERNAL hosts
#
# NOTE: If you want to allow in an ENTIRE NETWORK, let the
# last octet of the network be a .0 and add the netmask.
# e.g.:
# SECUREHOST="200.244.0.0/26"
#
# Disabled by default.
#
#SECUREHOST="200.211.0.40"
#echo Secure Host1 IP: $SECUREHOST
#SECUREHOST2="200.211.0.41"
#echo Secure Host2 IP: $SECUREHOST2
#SECUREHOST3="200.244.0.42"
#echo Secure Host3 IP: $SECUREHOST3
#SECUREHOST4="200.244.0.43"
#echo Secure Host4 IP: $SECUREHOST4
#SECUREHOST5="200.244.0.44"
#echo Secure Host4 IP: $SECUREHOST5
# The TCP/IP addresses of a specifically allowed DMZ hosts
#
# NOTE: If you want to allow in an ENTIRE NETWORK, let the
# last octet of the network be a .0 and add the netmask.
# e.g.:
# DMZHOST1="192.168.10.10"
#
# Disabled by default.
#
#DMZHOST1="192.168.10.10"
#echo DMZ Secure Host1 IP: $DMZHOST1
#DMZHOST2="192.168.10.20"
#echo DMZ Secure Host2 IP: $DMZHOST2
# IP Port Forwarded Addresses
#
# Port forwarding allows external traffic to directly connect to an INTERNAL
# Masq'ed machine. An example need for port forwarding is the need for external
# users to directly contact a WWW server behind the MASQ server.
#
# To enable portfw, you need to un-# out and edit the lines above for one or
# more SECUREHOSTs. You then need to un-# out the PORTFW in the FORWARD
# sections of later in the rule set.
#
# If you want to simply portfw one explicit host, it should be configured via a
# SECUREHOST option above. If this PORTFW'ed port should be available for ALL
# hosts on the Inet, it should be opened up in the INPUT section much like for
# HTTP, Sendmail, etc.
#
# NOTE: Port forwarding is well beyond the scope of this documentation to
# explain the security issues implied in opening up access like this.
# Please see Appendix A to find the IP-MASQ-HOWTO for a full explanation.
#
# Disabled by default.
#
#PORTFWIP1="192.168.0.20"
#echo PortFW1 IP: $PORTFWIP1
#PORTFWIP2="192.168.0.20"
#echo PortFW2 IP: $PORTFWIP2
#PORTFWIP3="192.168.0.20"
#echo PortFW3 IP: $PORTFWIP3
# TCP/IP addresses of INTENRAL hosts network allowed to directly
# connect to the Linux server. All internal hosts are allowed
# per default.
#
# Disabled by default
#HOST1IP="192.168.0.10"
#echo Internal Host 1 IP: $HOST1IP
#HOST2IP="192.168.0.11"
#echo Internal Host 2 IP: $HOST2IP
# Logging state.
#
# Uncomment the " " line and comment the "-l" (please note is this a
# lower case "L" and NOT a numerial one) line if you want to
# disable logging of some of more important the IPCHAINS rule sets.
#
# The output of this logging can be found in the /var/log/messages
# file. It is recommended that you leave this setting enabled.
# If you need to reduce some of the logging, edit the rule sets and
# delete the "$LOGGING" syntax from the rule set that you aren't
# interested in.
#
# LOGGING=" "
echo "Logging is: ENABLED"
LOGGING="-l"
echo " --- "
#Verify that IPCHAINS is loaded for 2.4.x kernels
#
if [ -n "`/bin/uname -a | awk {'print $3'} | grep 2.4`" ]; then
echo "Running 2.4.x kernel"
echo " - Please note that running IPCHAINS emulation under a 2.4.x"
echo " is NOT recommended as various MASQ modules such as FTP, etc"
echo " will no longer function. To regain this functionality, you"
echo -e " MUST run a native IPTABLES ruleset.\n"
if [ -z "`/sbin/lsmod | grep ipchains`" ]; then
echo "loading ipchains.o"
/sbin/insmod ipchains
else
echo " ipchains.o already loaded."
fi
fi
echo " --- "
echo "----------------------------------------------------------------------"
#--------------------------------------------------------------------
# Debugging Section
#--------------------------------------------------------------------
# If you are having problems with the firewall, uncomment the lines
# below and then re-run the firewall to make sure that the firewall
# is not giving any errors, etc. The output of this debugging
# script will be in a file called /tmp/rc.firewall.dump
#--------------------------------------------------------------------
#
#echo " - Debugging."
#echo Loopback IP: $LOOPBACKIP > /tmp/rc.firewall.dump
#echo Loopback interface name: $LOOPBACKIF >> /tmp/rc.firewall.dump
#echo ----------------------------------------------------- >> /tmp/rc.firewall.dump
#echo External interface name: $EXTIF >> /tmp/rc.firewall.dump
#echo External interface IP: $EXTIP >> /tmp/rc.firewall.dump
#echo External interface broadcast IP: $EXTBROAD >> /tmp/rc.firewall.dump
#echo External interface default gateway: $EXTGW >> /tmp/rc.firewall.dump
#echo ----------------------------------------------------- >> /tmp/rc.firewall.dump
#echo Internal interface name: $INTIF >> /tmp/rc.firewall.dump
#echo Internal interface IP: $INTIP >> /tmp/rc.firewall.dump
#echo Internal LAN address: $INTLAN >> /tmp/rc.firewall.dump
#echo ----------------------------------------------------- >> /tmp/rc.firewall.dump
#echo DMZ interface name: $INT2IF >> /tmp/rc.firewall.dump
#echo DMZ interface IP: $INT2IP >> /tmp/rc.firewall.dump
#echo DMZ LAN address: $INT2LAN >> /tmp/rc.firewall.dump
#echo ----------------------------------------------------- >> /tmp/rc.firewall.dump
#echo External secured host: $SECUREHOST >> /tmp/rc.firewall.dump
#echo External secured host #2: $SECUREHOST2 >> /tmp/rc.firewall.dump
#echo External secured host #3: $SECUREHOST3 >> /tmp/rc.firewall.dump
#echo External secured host #4: $SECUREHOST4 >> /tmp/rc.firewall.dump
#echo External secured host #4: $SECUREHOST5 >> /tmp/rc.firewall.dump
#echo ----------------------------------------------------- >> /tmp/rc.firewall.dump
#echo DMZ secured host #1: $DMZHOST1 >> /tmp/rc.firewall.dump >> /tmp/rc.firewall.dump
#echo DMZ secured host #2: $DMZHOST2 >> /tmp/rc.firewall.dump >> /tmp/rc.firewall.dump
#echo ----------------------------------------------------- >> /tmp/rc.firewall.dump
#--------------------------------------------------------------------
# General
#--------------------------------------------------------------------
# Performs general processing such as setting the multicast route
# and DHCP address hacking.
#
# Multicast is a powerful, yet seldom used aspect of TCP/IP for multimedia
# data. Though it isn't used much now (because most ISPs don't enable multicast
# on their networks, it will be very common in a few more years. Check out
# www.mbone.com for more detail.
#
# Adding this feature is OPTIONAL.
#
# Disabled by default.
#echo " - Adding multicast route."
#/sbin/route add -net 224.0.0.0 netmask 240.0.0.0 dev $EXTIF
# Disable IP spoofing attacks.
#
# This drops traffic addressed for one network though it is being received on a
# different interface.
#
echo " - Disabling IP Spoofing attacks."
for file in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo "2" > $file
done
# Comment the following out of you are not using a dynamic address
#
# Please note that some kernels dont have this enabled.
# If this option gives an error, you can safely ignore it.
#
echo " - Enabling dynamic TCP/IP address hacking."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Enable TCP SYN Cookie protection:
#
echo " - Enable TCP SYN Cookie protection"
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Ensure that various ICMP sanity settings are there
#
echo " - Enable ICMP sanity settings"
# Disable ICMP broadcast echo protection
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Enable bad error message protection
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Disable ICMP Re-directs
for file in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo "0" > $file
done
#
# Ensure that source-routed packets are dropped
# - If you are running IPROUTE2, this will need to be DISABLED
#
echo " - Ensure that source-routed packets are dropped "
for file in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo "0" > $file
done
# Log spoofed, source-routed, and redirect packets
#
echo " - Log spoofed, source-routed, and redirect packets "
for file in /proc/sys/net/ipv4/conf/*/log_martians; do
echo "1" > $file
done
#--------------------------------------------------------------------
# Type of Service (TOS) Settings
#--------------------------------------------------------------------
# Though very FEW ISPs do anything with the TOS bits, I thought you'd
# like to see it. In theory, you can tell the Internet how to handle
# your traffic, be it sensitive to delay, throughput, etc.
#
# -t 0x01 0x10 = Minimum Delay
# -t 0x01 0x08 = Maximum Throughput
# -t 0x01 0x04 = Maximum Reliability
# -t 0x01 0x02 = Minimum Cost
#
# Example:
#
# Settings for FTP, SSH, and TELNET
# /sbin/ipchains -A output -p tcp -d 0/0 21:23 -t 0x01 0x10
#
# Settings for WWW
# /sbin/ipchains -A output -p tcp -d 0/0 80 -t 0x01 0x10
# Dont run these commands if MASQ isnt compiled into the kernel
if [ -a /proc/sys/net/ipv4/ip_always_defrag ] && [ "$INTIF" != "" ]; then
#--------------------------------------------------------------------
# Masquerading Timeouts
#--------------------------------------------------------------------
# Set timeout values for masq sessions (seconds).
#
# Item #1 - 2 hrs timeout for TCP session timeouts
# Item #2 - 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# Item #3 - 60 sec timeout for UDP traffic
#
# Note to ICQ users: You might want to set the UDP timeout to something
# like 160.
#
echo " - Changing IP masquerading timeouts."
/sbin/ipchains -M -S 7200 10 60
fi
# Dont run these commands if MASQ isnt compiled into the kernel
if [ -a /proc/sys/net/ipv4/ip_always_defrag ]; then
#--------------------------------------------------------------------
# Masq Modules
#--------------------------------------------------------------------
# Most TCP/IP-enabled applications work fine behind a Linux IP
# Masquerade server. But, some applications need a special
# module to get their traffic in and out properly.
#
# Note: Some applications do NOT work well though a IP Masquerade server
# without special helper modules such as H.323-based programs.
# Please the IP-MASQ HOWTO for more details.
#
# Note #2: Only uncomment the modules that you REQUIRE to be loaded.
# The FTP module is loaded by default.
#--------------------------------------------------------------------
echo " - Loading masquerading modules."
#/sbin/modprobe ip_masq_cuseeme
#/sbin/modprobe ip_masq_ftp
#/sbin/modprobe ip_masq_irc
#/sbin/modprobe ip_masq_quake
#/sbin/modprobe ip_masq_raudio
#/sbin/modprobe ip_masq_vdolive
# If you downloaded and compiled the ICQ module from Section 5, use it
#/sbin/modprobe ip_masq_icq
# If you downloaded and compiled the H.323 module from Section 5, use it
#/sbin/modprobe ip_masq_h323
# If you downloaded and compiled the PPTP module from Section 5, use it
#/sbin/insmod ip_masq_pptp
fi
#--------------------------------------------------------------------
# Default Policies
#--------------------------------------------------------------------
# Set all default policies to REJECT and flush all old rules.
#--------------------------------------------------------------------
# Change default policies to REJECT.
#
# We want to only EXPLICTITLY allow what traffic is allowed IN and OUT of the
# firewall. All other traffic will be implicitly blocked.
#
echo " - Set default policies to REJECT"
/sbin/ipchains -P input REJECT
/sbin/ipchains -P output REJECT
/sbin/ipchains -P forward REJECT
echo " - Flushing all old rules and setting all default policies to REJECT "
# Flush all old rule sets
#
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward
#********************************************************************
# Input Rules
#********************************************************************
echo "----------------------------------------------------------------------"
echo "Input Rules:"
# If we don't have an internal interface, dont do things for it
#
if [ "$INTIF" != "" ]; then
#--------------------------------------------------------------------
# Incoming Traffic on the Internal LAN
#--------------------------------------------------------------------
# This section controls the INPUT traffic allowed to flow within the internal
# LAN. This means that all input traffic on the local network is valid. If
# you want to change this default setting and only allow certain types of
# traffic within your internal network, you will need to comment this following
# line and configure individual ACCEPT lines for each TCP/IP address you want
# to let through. A few example ACCEPT lines are provided below for
# demonstration purposes.
#
# Sometimes it is useful to allow TCP connections in one direction but not the
# other. For example, you might want to allow connections to an external HTTP
# server but not connections from that server. The naive approach would be to
# block TCP packets coming from the server. However, the better approach is to
# use the -y flag which will block only the packets used to request a
# connection.
#--------------------------------------------------------------------
echo " - Setting input filters for traffic on the internal LAN."
# DHCP Server.
#
# If you have configured a DHCP server on the Linux machine to serve IP
# addresses to the internal network, you will need to enable this section.
#
# This is an example of how to let input traffic flow through the local
# LAN if we have rejected all prior requests above.
#
# NOTE: Some distros change ipchains to NOT allow TCP connections for
# DHCP. Though TCP-based DHCP is really rare, it is part of
# of the standard.
#
# Disabled by default
#echo " Optional parameter: DHCPd server"
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p udp -s $UNIVERSE bootpc -d $BROADCAST/0 bootps
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $UNIVERSE bootpc -d $BROADCAST/0 bootps
# DMZ DHCPd - If we don't have a DMZ interface, dont do things for it
# #
# if [ "$INT2IF" != "" ]; then
# #DMZ network
# echo " Optional parameter: Second INT2IF DHCPd server"
# /sbin/ipchains -A input -j ACCEPT -i $INT2IF -p udp -s $UNIVERSE bootpc -d $BROADCAST/0 bootps
# /sbin/ipchains -A input -j ACCEPT -i $INT2IF -p tcp -s $UNIVERSE bootpc -d $BROADCAST/0 bootps
# fi
#--------------------------------------------------------------------
# Explicit Access from Internal LAN Hosts
#--------------------------------------------------------------------
# This section is provided as an example of how to allow only SPECIFIC
# hosts on the internal LAN to access services on the firewall server.
# Many people might feel that this is extreme but many system attacks
# occur from the INTERNAL networks.
#
# Examples given allow access via FTP, FTP-DATA, SSH, and TELNET.
#
# In order for this rule set to work, you must first comment out the
# generic allow lines just above the final ALLOW HIGH PORTS at the END
# of this section. That one line provides full access to the internal
# LAN by all internal hosts. You will then need to enable the lines
# below to allow any access at all.
#--------------------------------------------------------------------
#echo " - Setting input filters for specific internal hosts."
# First allowed internal host to connect directly to the Linux server
#
# Disabled by default.
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ftp
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ftp-data
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ssh
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP telnet
# Second allowed internal host to connect directly to the Linux server
#
# Disabled by default.
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ftp
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ftp-data
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ssh
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP telnet
# This allows the ruleset to run if you use STATIC IPs and dont
# enable DHCP
echo "." > /dev/null
# End of the INTIF loop
fi
#--------------------------------------------------------------------
# Incoming Traffic from the External Interface
#--------------------------------------------------------------------
# This rule set will control specific traffic that is allowed in from
# the external interface.
#--------------------------------------------------------------------
#
echo " - Setting input filters for traffic from the external interface."
# DHCP Clients.
#
# If you get a dynamic IP address for your ADSL or Cablemodem connection, you
# will need to enable these lines.
#
# NOTE: Some distros change ipchains to NOT allow TCP connections for
# DHCP. Though TCP-based DHCP is really rare, it is part of
# of the standard.
#
# Enabled by default.
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p udp -s $UNIVERSE bootps -d $BROADCAST/0 bootpc
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE bootps -d $BROADCAST/0 bootpc
# FTP: Allow external users to connect to the Linux server ITSELF for
# PORT-style FTP services. This will NOT work for PASV FTP transfers.
#
# Disabled by default.
# echo " Optional parameter: FTP server"
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ftp
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ftp-data
# IRCd: Allow external users to connect to the Linux server ITSELF for
# IRC services.
#
# Make sure ircd is defined in /etc/services
#
# Disabled by default.
# echo " Optional parameter: IRC server"
# /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ircd
# HTTP: Allow external users to connect to the Linux server ITSELF for HTTP services.
#
# Disabled by default.
# echo " Optional parameter: HTTP server"
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP http
# HTTPS: Allow external users to connect to the Linux server ITSELF for HTTPS services.
#
# Disabled by default.
# echo " Optional parameter: HTTPS server"
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP https
# Advanced ICMP: Some users prefer that their UNIX box NOT ping, etc.
# This is easy enough to do but be sure you know what you
# are doing.
#
# There is an EXCELLENT paper on ICMP filtereing available at:
#
# http://www.sys-security.com/archive/papers/ICMP_Scanning_v2.0.pdf
#
#
# NOTE: When setting a FIREWALL to REJECT ICMP traffic, the resulting
# reply traffic is automatically discarded per the RFCs
#
# NOTE2: For a full list of all supported major and minor ICMP codes, run:
# /sbin/ipchains -h icmp
#
# MOST are Disabled by default.
#
#
# Do NOT reply to ECHO REPLYs (type 0) from the Internet (this is NOT a
# good idea)
#
# echo " Optional parameter: ICMP ECHO-REPLY inbound filtered"
#/sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type echo-reply $LOGGING
#
# Do NOT reply to TCP/UDP TRACEROUTE requests from the Internet (some find
# this useful)
#
# echo " Optional parameter: TCP/UDP TRACEROUTE inbound filtered"
#
#/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 33434 $LOGGING
#/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP 33434 $LOGGING
#
# Do NOT reply to TRACEROUTE requests from the Internet (MS clients use
# ICMP ECHO and not TCP/UDP - some find this useful )
#
# echo " Optional parameter: ICMP TRACEROUTE [for MS] inbound filtered"
#/sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type destination-unreachable $LOGGING
#
# Do NOT reply to DESTINATION-UNREACHABLE (type 3) from the Internet (this
# is NOT a good idea - if you must do this then filter out the specific
# SUB-options such as PROTOCOL-UNREACHABLE in the OUTBOUND direction)
#
# echo " Optional parameter: ICMP DESTINATION-UNREACHABLE inbound filtered"
#/sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type destination-unreachable $LOGGING
#
# Do NOT reply to SOURCEQUENCH (type 4) from the Internet (this is NOT a
# good idea)
#
# echo " Optional parameter: ICMP SOURCEQUENCH inbound filtered"
#/sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type source-quench $LOGGING
#
# Do NOT reply to ANY form of REDIRECT packets (type 5) (this can help
# stop OS fingerprinting)
#
echo " Optional parameter: ICMP REDIRECT inbound filtered"
/sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type redirect $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
echo " Optional parameter: INT2IF - ICMP REDIRECT inbound filtered"
/sbin/ipchains -A input -j REJECT -i $INT2IF -p icmp -s $UNIVERSE -d $INT2IP --icmp-type redirect $LOGGING
fi
# Do NOT allow PING requests (type 8) from the Internet (some find this
# useful)
#
# echo " Optional parameter: ICMP ECHO inbound filtered"
#/sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type echo-request $LOGGING
#
# Do NOT reply to TTL-EXPIRED packets (type 11) from the Internet (this is
# NOT a good idea - do it OUTBOUND)
#
# echo " Optional parameter: ICMP TTL-EXPIRED inbound filtered"
#/sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type time-exceeded $LOGGING
#
# Do NOT reply to PARAMETER-PROBLEM packets (type 12) (this is NOT a good
# idea - filter this on OUTBOUND)
#
# echo " Optional parameter: ICMP PARAMETER-PROBLEM inbound filtered"
# /sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type parameter-problem $LOGGING
#
# Do NOT reply to ICMP TIMESTAMP packets (type 13 and 14) (this can help
# stop OS fingerprinting)
#
echo " Optional parameter: ICMP TIMESTAMP inbound filtered"
/sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type timestamp-request $LOGGING
/sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type timestamp-reply $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
echo " Optional parameter: INT2IF - ICMP TIMESTAMP inbound filtered"
/sbin/ipchains -A input -j REJECT -i $INT2IF -p icmp -s $UNIVERSE -d $INT2IP --icmp-type timestamp-request $LOGGING
/sbin/ipchains -A input -j REJECT -i $INT2IF -p icmp -s $UNIVERSE -d $INT2IP --icmp-type timestamp-reply $LOGGING
fi
# ICMP INFORMATION (type 15 and 16) packet filtering is NOT supported by
# either LINUX or IPCHAINS (no big deal)
#
# Do NOT reply to ICMP ADDRESS MASK packets (type 17 and 18) (this can
# help stop OS fingerprinting)
#
echo " Optional parameter: ICMP ADDRESS-MASK inbound filtered"
/sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type address-mask-request $LOGGING
/sbin/ipchains -A input -j REJECT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP --icmp-type address-mask-reply $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
echo " Optional parameter: INT2IF - ICMP ADDRESS-MASK inbound filtered"
/sbin/ipchains -A input -j REJECT -i $INT2IF -p icmp -s $UNIVERSE -d $INT2IP --icmp-type address-mask-request $LOGGING
/sbin/ipchains -A input -j REJECT -i $INT2IF -p icmp -s $UNIVERSE -d $INT2IP --icmp-type address-mask-reply $LOGGING
fi
# General ICMP: Allow ICMP packets from all external TCP/IP addresses.
#
# NOTE: Disabling ICMP packets via the firewall rule set can do far more
# than just stop people from pinging your machine. Many aspects of
# TCP/IP and its associated applications rely on various ICMP
# messages. Without ICMP, both your Linux server and internal
# Masq'ed computers might not work.
#
# If you feel compelled to do ICMP filtering, do it by uncommenting your
# desired traffic types from the section ABOVE and NOT here.
#
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP
# DMZ ICMP - If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A input -j ACCEPT -i $INT2IF -p icmp -s $UNIVERSE -d $INT2IP
/sbin/ipchains -A input -j ACCEPT -i $INT2IF -p icmp -s $INT2LAN -d $INTLAN
fi
# NNTP: Allow external computers to connect to the Linux server ITSELF
# for NNTP (news) services.
#
# Disabled by default.
# echo " Optional parameter: NNTP server"
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP nntp
# NTP: Allow external computers to connect to the Linux server ITSELF for
# NTP (time) updates
#
# NOTE: Some NTP clients require TCP traffic. Others require UDP.
# Your pick!
#
# Disabled by default.
# echo " Optional parameter: NTP server"
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ntp
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP ntp
# TELNET: Allow external computers to connect to the Linux server ITSELF for
# TELNET access.
#
# Disabled by default.
# echo " Optional parameter: TELNET server"
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP telnet
# SSH server: Allow external computers to connect to the Linux server ITSELF
# for SSH access.
#
# Disabled by default.
echo " Optional parameter: SSH server"
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ssh
#--------------------------------------------------------------------
# Specific Input Rejections on the EXTERNAL interface
#--------------------------------------------------------------------
# These rule sets reject specific traffic that you do not want into
# the system.
#--------------------------------------------------------------------
echo " - Reject specific inputs."
# If we don't have an internal interface, dont do things for it
#
if [ "$INTIF" != "" ]; then
# Remote interface, claiming to be local machines, IP spoofing, get lost & log
/sbin/ipchains -A input -j REJECT -i $EXTIF -s $INTLAN -d $UNIVERSE $LOGGING
fi
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A input -j REJECT -i $INT2IF -s $INTLAN -d $UNIVERSE $LOGGING
fi
# RFC1918 and IANA Reserved Address space Bogon filtering
#
# Filter all external traffic coming from either RESERVED or non-routed
# address space.
#
# See ftp://ftp.iana.org/assignments/ipv4-address-space for up to date
# results.
#
# Please run "whois IANA*@arin.net" and with a careful eye
# "whois RESERVED*@arin.net" for more info.
#
# -------------------------------------------------------------------
# NOTE *1*: Please notice that ALL IANA Reserved Address filters
# (except for the Class-D and Class-E networks) have
# been disabled as is seems that the IANA is releasing IP
# address space without updating their tables. There is
# the email list called "bogon-announce" which you can
# subscribe to here:
# http://www.cymru.com/Bogons/
#
# Note2: The bogon list changes ALL the time. Unless you subscribe
# to the above bogon list AND update your firewall when things
# change, you will be blackholing traffic.
#
# Note3: that the address schemes from whois are silently using CLASSFULL
# masks
#
# Note4: Some ISPs use RFC1918 addresses for internal addressing of
# customers and keeping status on equipment. Some customers of
# General Instruments SURFboard cable modems might have similar
# issues.
#
# -------------------------------------------------------------------
# Reserved-1
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 0.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-9
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 1.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-2
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 2.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-5
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 5.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-7
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 7.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-10 and RFC1918 (10.x.x.x)
/sbin/ipchains -A input -j REJECT -i $EXTIF -s 10.0.0.0/8 -d $UNIVERSE $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A input -j REJECT -i $INT2IF -s 10.0.0.0/8 -d $UNIVERSE $LOGGING
fi
# Reserved-23
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 23.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-27
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 27.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-31
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 31.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-36
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 36.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-37
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 37.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-39
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 39.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-42
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 42.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-74 and 75
# 74.0.0.0 - 75.55.255.255
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 74.0.0.0/7 -d $UNIVERSE $LOGGING
# Reserved-76 though 79
# 76.0.0.0 - 79.55.255.255
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 76.0.0.0/6 -d $UNIVERSE $LOGGING
# Reserved 89
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 89.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved 90
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 90.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved 91
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 91.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved 92 though 95
# 92.0.0.0 - 95.255.255.255
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 92.0.0.0/6 -d $UNIVERSE $LOGGING
# Reserved 96 though 111
# 96.0.0.0 - 111.255.255.255
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 96.0.0.0/4 -d $UNIVERSE $LOGGING
# Reserved 112 though 119
# 112.0.0.0 - 119.255.255.255
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 112.0.0.0/5 -d $UNIVERSE $LOGGING
# Reserved 120 though 123
# 120.0.0.0 - 123.255.255.255
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 120.0.0.0/6 -d $UNIVERSE $LOGGING
# Reserved-127 127.255.255.255
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 127.0.0.0/8 -d $UNIVERSE $LOGGING
# BLACKHOLE3
#
# Disabled due to the fact that ALL reverse DNS functions (regardless of the
# address) will stop working properly. If you have a good explination of
# why this is, I would love to hear it.
#
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 128.9.64.26/32 -d $UNIVERSE $LOGGING
# Includes NET-TEST-B
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 128.66.0.0/16 -d $UNIVERSE $LOGGING
# IANA-BBLK-RESERVED and RFC1918 (172.16-31.0.0)
/sbin/ipchains -A input -j REJECT -i $EXTIF -s 172.16.0.0/12 -d $UNIVERSE $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A input -j REJECT -i $INT2IF -s 172.16.0.0/12 -d $UNIVERSE $LOGGING
fi
# Reserved-173
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 173.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-174 through 175
# 174.0.0.0 - 175.255.255.255
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 174.0.0.0/7 -d $UNIVERSE $LOGGING
# Reserved-176 through 183
# 176.0.0.0 - 183.255.255.255
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 176.0.0.0/5 -d $UNIVERSE $LOGGING
# Reserved-184 through 187
# 184.0.0.0 - 187.255.255.255
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 184.0.0.0/6 -d $UNIVERSE $LOGGING
# Reserved-189
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 189.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-190
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 190.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-4
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 191.255.0.0/16 -d $UNIVERSE $LOGGING
# ROOT-NS-LAB - 192.0.0.0/24
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 192.0.0.0/24 -d $UNIVERSE $LOGGING
# NET-ROOTS-NS-LIVE - 192.0.1.0/24
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 192.0.1.0/24 -d $UNIVERSE $LOGGING
# NET-TEST - 192.0.2.0/24
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 192.0.2.0/24 -d $UNIVERSE $LOGGING
# RFC1918
#foo
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 192.168.0.0/16 -d $UNIVERSE $LOGGING
# RESERVED-13
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 197.0.0.0/16 -d $UNIVERSE $LOGGING
# Reserved-197
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 197.0.0.0/8 -d $UNIVERSE $LOGGING
# RESERVED-14
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 201.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-5
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 223.255.255.0/24 -d $UNIVERSE $LOGGING
# Reserved-223
#/sbin/ipchains -A input -j REJECT -i $EXTIF -s 223.0.0.0/24 -d $UNIVERSE $LOGGING
#Future use for Class-E:
/sbin/ipchains -A input -j REJECT -i $EXTIF -s 240.0.0.0/5 -d $UNIVERSE $LOGGING
#Future use for Class-F:
/sbin/ipchains -A input -j REJECT -i $EXTIF -s 248.0.0.0/5 -d $UNIVERSE $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A input -j REJECT -i $INT2IF -s 240.0.0.0/5 -d $UNIVERSE $LOGGING
/sbin/ipchains -A input -j REJECT -i $INT2IF -s 248.0.0.0/5 -d $UNIVERSE $LOGGING
fi
# -----------------
# Special Filtering
# -----------------
# Multicast: Silently drop all multicast traffic for those users who
# find this traffic filling up their logs.
#
# Disabled by default.
# echo " Optional parameter: Ignore MULTICAST"
# /sbin/ipchains -A input -j REJECT -i $EXTIF -s $UNIVERSE -d 224.0.0.0/4
# NFS: Reject NFS traffic FROM and TO external machines.
#
# NOTE: NFS is one of the biggest security issues an administrator will face.
# Do NOT enable NFS over the Internet or any non-trusted networks unless you
# know exactly what you are doing.
#
# NOTE #2: the $LOGGING variable is NOT included here because if it was
# enabled, your logs would grow too quickly to manage.
#
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 2049
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 2049 -d $EXTIP
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE -d $INT2IP 2049
/sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE 2049 -d $INT2IP
fi
# SMB and CIFS: Reject SMB and CIFS traffic FROM and TO external machines.
#
# NOTE: SMB (Win 3.x, 9x, NT) and CIFS (Win2k) is one of the biggest
# security issues an administrator will face. Do NOT enable SMB/CIFS
# traffic to flow over the Internet or any non-trusted networks
# unless you know exactly what you are doing. If you NEED this
# functionality, please use a IPSEC or PPTP VPN
#
# NOTE #2: the $LOGGING variable is NOT included here because if it was
# enabled, your logs would grow too quickly to manage.
#
# Ports: 137 TCP/UDP (NetBIOS name service)
# 138 UDP (NetBIOS datagram service) - TCP filtered just in case
# 139 TCP (NetBIOS session service) - UDP filtered just in case
# 445 TCP/UDP (MS CIFS in Win2k)
echo " - Silently rejecting SMB and CIFS traffic on the external interface."
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 137
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP 137
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTBROAD 137
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTBROAD 137
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 138
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP 138
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTBROAD 138
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTBROAD 138
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 139
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP 139
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTBROAD 139
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTBROAD 139
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 445
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP 445
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTBROAD 445
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTBROAD 445
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 137 -d $EXTIP
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE 137 -d $EXTIP
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 138 -d $EXTIP
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE 138 -d $EXTIP
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 139 -d $EXTIP
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE 139 -d $EXTIP
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 445 -d $EXTIP
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE 445 -d $EXTIP
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE -d $INT2IP 137
/sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE -d $INT2IP 137
/sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE -d $INT2BROAD 137
/sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE -d $INT2BROAD 137
/sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE -d $INT2IP 138
/sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE -d $INT2IP 138
/sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE -d $INT2BROAD 138
/sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE -d $INT2BROAD 138
/sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE -d $INT2IP 139
/sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE -d $INT2IP 139
/sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE -d $INT2BROAD 139
/sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE -d $INT2BROAD 139
/sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE -d $INT2IP 445
/sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE -d $INT2IP 445
/sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE -d $INT2BROAD 445
/sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE -d $INT2BROAD 445
/sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE 137 -d $INT2IP
/sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE 137 -d $INT2IP
/sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE 138 -d $INT2IP
/sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE 138 -d $INT2IP
/sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE 139 -d $INT2IP
/sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE 139 -d $INT2IP
/sbin/ipchains -A input -j REJECT -i $INT2IF -p tcp -s $UNIVERSE 445 -d $INT2IP
/sbin/ipchains -A input -j REJECT -i $INT2IF -p udp -s $UNIVERSE 445 -d $INT2IP
fi
#--------------------------------------------------------------------
# Incoming Traffic on all Interfaces
#--------------------------------------------------------------------
# This will control input traffic for all interfaces. This is
# usually used for what could be considered as public services.
#--------------------------------------------------------------------
echo " - Setting input filters for public services [all interfaces]."
# AUTH: Allow the authentication protocol, ident, to function on all
# interfaces but disable it in /etc/inetd.conf. The reason to
# allow this traffic in but block it via Inetd is because some
# legacy TCP/IP stacks don't deal with REJECTed "auth" requests
# properly.
#
# Traffic TO your machine and FROM your machine
/sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE -d $UNIVERSE auth
/sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE auth -d $UNIVERSE
# BOOTP/DHCP: Reject all stray bootp traffic.
#
# Disabled by default.
#/sbin/ipchains -A input -j REJECT -p udp -s $UNIVERSE bootpc
# DNS: If you are running an authoritative DNS server, you must open
# up the DNS ports on all interfaces to allow lookups. If you are
# running a caching DNS server, you will need to at least open the DNS
# ports to internal interfaces.
#
# It is recommend to secure DNS by restricting zone transfers and split
# DNS servers as documented in Step 4.
#
# Disabled by default.
#echo " Optional parameter: DNS server"
#/sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE -d $UNIVERSE domain
#/sbin/ipchains -A input -j ACCEPT -p udp -s $UNIVERSE -d $UNIVERSE domain
# RIP: Reject all stray RIP traffic. Many improperly configured
# networks propagate network routing protocols to the edge of the
# network. The follow line will allow you explicitly filter it here
# without logging to SYSLOG.
#
# Disabled by default.
#/sbin/ipchains -A input -j REJECT -p udp -s $UNIVERSE -d $UNIVERSE route
# SMTP: If this server is an authoritative SMTP email server, you must
# allow SMTP traffic to all interfaces.
#
# Disabled by default.
#echo " Optional parameter: SMTP server"
#/sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE -d $UNIVERSE smtp
# SQUID Proxy w/ JunkBuster
#
# If you are using Squid w/ Junkbuster enabled [Banner filtering], you will
# need to enable the following lines to do the IPCHAINS port redirection to
# port 3128. This also assumes that you have Squid properly configured and
# running.
#
# Disabled by default.
#echo " Optional parameter: SQUID transparent proxy"
#/sbin/ipchains -A input -j ACCEPT -i $LOOPBACKIF -p tcp -d $LOOPBACKIP/32 www
#
# If we don't have an internal interface, dont do things for it
#
#if [ "$INTIF" != "" ]; then
# /sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $INTLAN -d $INTIP/32 www
# /sbin/ipchains -A input -j REDIRECT 3128 -i $INTIF -p tcp -s $INTLAN -d $INTLAN www $LOGGING
#fi
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
# DMZ network - Enable this section if you have a wireless segment
#
# Enabled by default if INT2IF is valid
echo " Optional parameter: DMZ segment - SSH"
/sbin/ipchains -A input -j ACCEPT -i $INT2IF -p tcp -s $INT2LAN ssh -d $UNIVERSE
# Enabled by default if INT2IF is valid
echo " Optional parameter: DMZ segment - DNS"
/sbin/ipchains -A input -j ACCEPT -i $INT2IF -p tcp -s $INT2LAN -d $UNIVERSE domain
/sbin/ipchains -A input -j ACCEPT -i $INT2IF -p udp -s $INT2LAN -d $UNIVERSE domain
#Enable this option if you want ALL DMZ machines to access all network services
# on all interfaces. The alternative is allow host by host access in the
# DMZ SecureHOST section below
#
# Disabled by default.
#/sbin/ipchains -A input -j ACCEPT -i $INT2IF -s $INT2LAN -d $UNIVERSE
fi
#--------------------------------------------------------------------
# Specific Input Rejections from ANY interface
#--------------------------------------------------------------------
# These rule sets reject specific traffic that you do not want out of
# the system.
#--------------------------------------------------------------------
#echo " - Reject traffic for specific domains."
# If we don't have an internal interface, dont do things for it
#
if [ "$INTIF" != "" ]; then
#Do not allow ANY internal hosts to be able to reach the following sites:
#
#Disabled by default.
#The Doubleclick example will filter ALL types of traffic to the given
# class-C networks including WWW, SMTP(email, etc traffic. If you
# want a slightly less restrictive example, see the AOL example.
#
#Doubleclick.net and .com is renowned for their WWW ad banners
#
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 63.160.54.0/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 128.11.92.0/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 199.95.206.0/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 199.95.207.0/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 199.95.208.0/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 199.95.210.0/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 204.178.112.160/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 204.253.104.0/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 208.10.202.0/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 208.203.243.0/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 208.211.225.0/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 208.228.86.0/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 209.67.38.0/24
#This is required to complete the if..then loop
echo "." > /dev/null
fi
#AOL.com is renowned for their users sending SPAM to millions of people on
# the Inet. Though you might want to filter email from them, you
# might want to still be able to go look at some of their their
# WWW pages. This example ONLY filters EMAIL and nothing else.
#
#/sbin/ipchains -A input -j REJECT -p tcp -s $UNIVERSE 25 -d 152.163.159.0/24
#/sbin/ipchains -A input -j REJECT -p tcp -s $UNIVERSE 25 -d 205.188.157.0/24
#--------------------------------------------------------------------
# Explicit INPUT Access from external LAN Hosts
#--------------------------------------------------------------------
# This controls external access from specific external hosts (secure hosts).
# This example permits FTP, FTP-DATA, SSH, POP-3 and TELNET traffic from a
# secure host INTO the firewall. In addition to these input rules, we must also
# explicitly allow the traffic from the remote host to get out. See the rules
# in the output section for more details
#
# Disabled as default.
#--------------------------------------------------------------------
echo " - SECUREHOST: Setting input filters for explicit hosts."
# The secure host section
if [ "$SECUREHOST" != "" ]; then
echo " * Allowing $SECUREHOST INPUT for ftp, ftp-data, ssh"
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP ftp
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP ftp-data
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP ssh
fi
if [ "$SECUREHOST2" != "" ]; then
echo " * Allowing $SECUREHOST2 INPUT for ftp, ftp-data, ssh, www, telnet, imap"
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST2 -d $EXTIP ftp
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST2 -d $EXTIP ftp-data
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST2 -d $EXTIP ssh
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST2 -d $EXTIP telnet
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST2 -d $EXTIP www
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST2 -d $EXTIP imap
fi
if [ "$SECUREHOST3" != "" ]; then
echo " * Allowing $SECUREHOST3 INPUT for ftp, ftp-data, ssh, www"
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST3 -d $EXTIP ftp
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST3 -d $EXTIP ftp-data
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST3 -d $EXTIP ssh
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST3 -d $EXTIP www
fi
if [ "$SECUREHOST4" != "" ]; then
echo " * Allowing $SECUREHOST4 INPUT for ftp, ftp-data, ssh"
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST4 -d $EXTIP ftp
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST4 -d $EXTIP ftp-data
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST4 -d $EXTIP ssh
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST4 -d $EXTIP www
fi
if [ "$SECUREHOST5" != "" ]; then
echo " * Allowing $SECUREHOST5 INPUT for ftp, ftp-data, ssh, www"
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST5 -d $EXTIP ftp
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST5 -d $EXTIP ftp-data
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST5 -d $EXTIP ssh
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST5 -d $EXTIP www
fi
if [ "$SECUREHOST6" != "" ]; then
echo " * Allowing $SECUREHOST6 INPUT for ftp, ftp-data, ssh, pop-3, and telnet"
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST4 -d $EXTIP ftp
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST4 -d $EXTIP ftp-data
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST4 -d $EXTIP ssh
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST4 -d $EXTIP pop-3
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST4 -d $EXTIP telnet
fi
echo " - DMZ-SECUREHOST: Setting input filters for explicit hosts."
# If we don't have a DMZ interface, dont do things for it
#
if ( [ "$INT2IF" != "" ] && [ "$DMZHOST1" != "" ] ); then
#DMZ SecureHost
#
echo " * Allowing $DMZHOST1 INPUT for ssh to the Linux server and the INET"
/sbin/ipchains -A input -j ACCEPT -i $INT2IF -p tcp -s $DMZHOST1 -d $INT2IP ssh
/sbin/ipchains -A input -j ACCEPT -i $INT2IF -p tcp -s $DMZHOST1 -d $INTLAN ssh
/sbin/ipchains -A input -j ACCEPT -i $INT2IF -p tcp -s $DMZHOST1 -d $UNIVERSE
fi
if ( [ "$INT2IF" != "" ] && [ "$DMZHOST2" != "" ] ); then
echo " * Allowing $DMZHOST2 INPUT for ssh to the Linux server and the INET"
/sbin/ipchains -A input -j ACCEPT -i $INT2IF -p tcp -s $DMZHOST2 -d $INT2IP ssh
/sbin/ipchains -A input -j ACCEPT -i $INT2IF -p tcp -s $DMZHOST2 -d $INTLAN ssh
/sbin/ipchains -A input -j ACCEPT -i $INT2IF -p tcp -s $DMZHOST2 -d $UNIVERSE
fi
if [ "$INT2IF" != "" ]; then
#DMZ network - this is where most of the wireless filtering occurs
/sbin/ipchains -A input -j REJECT -i $INT2IF -s $INT2LAN -d $INTLAN $LOGGING
/sbin/ipchains -A input -j REJECT -i $INT2IF -s $INT2LAN -d $INT2LAN $LOGGING
/sbin/ipchains -A input -j REJECT -i $INT2IF -s $INTLAN -d $UNIVERSE $LOGGING
fi
# If we don't have an internal interface, dont do things for it
#
if [ "$INTIF" != "" ]; then
# Allow ALL internal interfaces to access the Inet
# ------------------------------------------------
# Local interface, local machines, going anywhere is valid.
#
# The main reason why this is at the BOTTOM of the INPUT section is to
# make sure that all required DENY/REJECT firewall lines are hit before
# allowing all internal traffic. If you DON'T want to allow ALL internal
# traffic to get out to the Internet, put a "#" in the
# front of the line below and un-#ed out the lines at the top of this
# section to allow only specific internal HOSTS to get out.
#
# Comment this line out if you want to only allow specific traffic on the
# internal network.
/sbin/ipchains -A input -j ACCEPT -i $INTIF -s $INTLAN -d $UNIVERSE
fi
# Loopback interface is valid.
#
/sbin/ipchains -A input -j ACCEPT -i $LOOPBACKIF -s $UNIVERSE -d $UNIVERSE
# HIGH PORTS:
#
# Enable all high unprivileged ports for all reply TCP/UDP traffic
#
# NOTE: The use of the "! -y" flag filters TCP traffic that doesn't have the
# SYN bit set. In other words, this means that any traffic that is
# trying to initiate traffic to your server on a HIGH port will be
# rejected.
#
# The only HIGH port traffic that will be accepted is either return
# traffic that the server originally initiated or UDP-based traffic.
#
# NOTE2: Please note that port 20 for ACTIVE FTP sessions should NOT use
# SYN filtering. Because of this, we must specifically allow it in.
#
echo " - Enabling all input REPLY [TCP/UDP] traffic on high ports."
/sbin/ipchains -A input -j ACCEPT ! -y -p tcp -s $UNIVERSE -d $EXTIP $UNPRIVPORTS
/sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE ftp-data -d $EXTIP $UNPRIVPORTS
/sbin/ipchains -A input -j ACCEPT -p udp -s $UNIVERSE -d $EXTIP $UNPRIVPORTS
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
#DMZ network and removed FTP as it is insecure
/sbin/ipchains -A input -j ACCEPT ! -y -p tcp -s $UNIVERSE -d $INT2IP $UNPRIVPORTS
/sbin/ipchains -A input -j ACCEPT -p udp -s $UNIVERSE -d $INT2IP $UNPRIVPORTS
fi
#--------------------------------------------------------------------
# Catch All INPUT Rule
#--------------------------------------------------------------------
#
echo " - Final input catch all rule."
# All other incoming is denied and logged.
/sbin/ipchains -A input -j REJECT -s $UNIVERSE -d $UNIVERSE $LOGGING
#********************************************************************
# Output Rules
#********************************************************************
echo "----------------------------------------------------------------------"
echo "Output Rules:"
#--------------------------------------------------------------------
# Outgoing Traffic on the Internal LAN
#--------------------------------------------------------------------
# This rule set provides policies for traffic that is going out on the internal
# LAN.
#
# In this example, all traffic is allowed out. Therefore there is no
# requirement to implement individual filters. However, as with the input
# section above, examples are given for demonstrative purposes. It is also
# noted that the same rules, outlined above, apply regarding the order of the
# filtering rules.
#--------------------------------------------------------------------
echo " - Setting output filters for traffic on the internal LAN."
# If we don't have an internal interface, dont do things for it
#
if [ "$INTIF" != "" ]; then
# Local interface, any source going to local net is valid.
/sbin/ipchains -A output -j ACCEPT -i $INTIF -s $UNIVERSE -d $INTLAN
fi
# Loopback interface is valid.
/sbin/ipchains -A output -j ACCEPT -i $LOOPBACKIF -s $UNIVERSE -d $UNIVERSE
# If we don't have an internal interface, dont do things for it
#
if [ "$INTIF" != "" ]; then
# DHCP: If you have configured a DHCP server on this Linux machine, you
# will need to enable the following rule set.
#
# NOTE: Some distros change ipchains to NOT allow TCP connections for
# DHCP. Though TCP-based DHCP is really rare, it is part of
# of the standard.
#
# Enabled by default.
echo " Optional parameter: DHCPd server"
/sbin/ipchains -A output -j ACCEPT -i $INTIF -p udp -s $INTIP/32 bootps -d $BROADCAST/0 bootpc
/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $INTIP/32 bootps -d $BROADCAST/0 bootpc
#If you DISABLE the lines above, you need this following line to
#let the if..then statement run without failing out
echo "." > /dev/null
fi
# DMZ DHCP server - If we don't have a DMZ interface, dont do things for it
#
# Disabled by default
#
# if [ "$INT2IF" != "" ]; then
# /sbin/ipchains -A output -j ACCEPT -i $INT2IF -p udp -s $INT2IP/32 bootps -d $BROADCAST/0 bootpc
# /sbin/ipchains -A output -j ACCEPT -i $INT2IF -p tcp -s $INT2IP/32 bootps -d $BROADCAST/0 bootpc
# fi
# If we don't have an internal interface, dont do things for it
#
if [ "$INTIF" != "" ]; then
# HTTP: The following is an example of how to allow HTTP traffic to an
# intranet WWW server without allowing access from the external
# network.
#
# Disabled by default.
# echo " Optional parameter: WWW server"
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $INTIP/32 http -d $INTLAN
# APC PowerChute for Linux: The following is needed for APCs PowerChute
# software for Linux. The way it works is that it broadcasts the
# private network looking for the upsd daemon.
#
# Disabled by default.
#echo " Optional parameter: UPSd server"
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p udp -s $INTIP/32 -d $BROADCAST 5456
#This is required to complete the if..then loop if it is empty
echo "." > /dev/null
fi
# If we don't have an internal interface, dont do things for it
#
if [ "$INTIF" != "" ]; then
#--------------------------------------------------------------------
# Explicit Output from Internal LAN Hosts
#--------------------------------------------------------------------
# The following rule sets only allow SPECIFIC hosts on the internal LAN to
# access services on this firewall server itself. Many people might feel that
# this is extreme but many system attacks occur from the INTERNAL network as
# well.
#
# Examples given allow access via FTP, FTP-DATA, SSH, and TELNET.
#
# In order for this rule set to work, you must first comment out the line above
# that provides full access to the internal LAN by all internal hosts.
#
# Disabled by default.
#--------------------------------------------------------------------
#echo " - Setting output filters for specific internal hosts."
# First host
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ftp
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ftp-data
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ssh
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP telnet
# Second host
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ftp
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ftp-data
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ssh
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP telnet
#This is required to complete the if..then loop if it is empty
echo "." > /dev/null
fi
#--------------------------------------------------------------------
# Outgoing Traffic on the External Interface
#--------------------------------------------------------------------
# This rule set will control what traffic can go out on the external interface.
#--------------------------------------------------------------------
echo " - Setting input filters for traffic to the external interface."
# DHCP Client: If your Linux server is connected via DSL or a Cablemodem
# connection and you get dynamic DHCP addresses, you will need to
# enable the following rule sets.
#
# NOTE: Some distros change ipchains to NOT allow TCP connections for
# DHCP. Though TCP-based DHCP is really rare, it is part of
# of the standard.
#
# Enabled by default.
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE bootpc -d $UNIVERSE bootps
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p udp -s $UNIVERSE bootpc -d $UNIVERSE bootps
# FTP: Allow FTP traffic (the Linux server is a FTP server)
#
# Disabled by default.
# echo " Optional parameter: FTP server"
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp -d $UNIVERSE
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data -d $UNIVERSE
# IRCd: Allow IRC traffic (the Linux server is a IRC server)
#
# Make sure ircd is defined in /etc/services
#
# Disabled by default
# echo " Optional parameter: IRC server"
# /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ircd -d $UNIVERSE
# HTTP: Allow HTTP traffic (the Linux server is a WWW server)
#
# Disabled by default
# echo " Optional parameter: WWW server"
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP http -d $UNIVERSE
# HTTPS: Allow HTTPS traffic (the Linux server is a WWW server)
#
# Disabled by default
# echo " Optional parameter: HTTPS server"
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP https -d $UNIVERSE
# NTP: Allow NTP updates (the Linux server is a NTP server)
#
# NOTE: Some NTP clients require TCP traffic. Others require UDP.
# Your pick!
#
# Disabled by default
# echo " Optional parameter: NTP server"
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ntp -d $UNIVERSE
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p udp -s $EXTIP ntp -d $UNIVERSE
# TELNET: Allow telnet traffic (the Linux server is a TELNET server)
#
# Disabled by default
# echo " Optional parameter: TELNET server"
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP telnet -d $UNIVERSE
# SSH server: Allow outgoing SSH traffic (the Linux server is a SSH server)
#
# Disabled by default
#
# echo " Optional parameter: SSH server"
# /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ssh -d $UNIVERSE
#--------------------------------------------------------------------
# Outgoing Traffic on all Interfaces
#--------------------------------------------------------------------
# This will control output traffic for all interfaces. This is
# usually used for what could be considered as public services. It
# is noted that we provide a few rejection rule sets as examples but
# these are not required due to the overall REJECT statement above.
#--------------------------------------------------------------------
echo " - Setting output filters for public services on all interfaces."
# AUTH: Allow the authentication protocol, ident, to function on all
# interfaces but disable it in /etc/inetd.conf. The reason to
# allow this traffic in but block it via Inetd is because some
# legacy TCP/IP stacks don't deal with REJECTed "auth" requests
# properly.
#
# Traffic TO your machine and FROM your machine
/sbin/ipchains -A output -j ACCEPT -p tcp -s $UNIVERSE auth -d $UNIVERSE
/sbin/ipchains -A output -j ACCEPT -p tcp -s $UNIVERSE -d $UNIVERSE auth
# DNS: If you your Linux server is an authoritative DNS server, you must
# enable this rule set
#
# Disabled by default
#echo " Optional parameter: DNS server"
#/sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP domain -d $UNIVERSE
#/sbin/ipchains -A output -j ACCEPT -p udp -s $EXTIP domain -d $UNIVERSE
# Advanced ICMP: Some users prefer that their UNIX box NOT ping, etc.
# This is easy enough to do but be sure you know what you
# are doing.
#
# There is an EXCELLENT paper on ICMP filtereing available at:
#
# http://www.sys-security.com/archive/papers/ICMP_Scanning_v2.0.pdf
#
#
# NOTE: When setting a FIREWALL to REJECT ICMP traffic, the resulting
# reply traffic is automatically discarded per the RFCs
#
# NOTE2: For a full list of all supported major and minor ICMP codes, run:
# /sbin/ipchains -h icmp
#
# MOST are Disabled by default.
#
#
# Do NOT reply to ICMP ECHO REPLYs (type 0) requests from the Internet
# (some find this useful)
#
# echo " Optional parameter: ICMP ECHO REPLY outbound filtered"
#/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type echo-reply
#
# Do NOT reply to TCP/UDP TRACEROUTE requests from the Internet (some find
# this useful)
#
# echo " Optional parameter: TCP/UDP TRACEROUTE outbound filtered"
#/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 33434 $LOGGING
#/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 33434 $LOGGING
#
# Do NOT reply to TRACEROUTE requests from the Internet (MS clients use
# ICMP ECHOs instead of TCP/UDP - some find this useful )
#
# echo " Optional parameter: ICMP TRACEROUTE [MS] outbound filtered"
#/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type echo-request $LOGGING
#
# Do NOT reply to DESTINATION-UNREACHABLE (type 3) from the Internet (this
# is NOT a good idea - if you must do this then filter out the specific
# SUB-options such as PROTOCOL-UNREACHABLE in the OUTBOUND direction)
#
# echo " Optional parameter: ICMP DESTINATION-UNREACHABLE output filtered"
#/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type destination-unreachable $LOGGING
#
# Do NOT reply to SOURCEQUENCH (type 4) from the Internet (this is NOT a
# good idea)
#
# echo " Optional parameter: ICMP SOURCEQUENCH outbound filtered"
#/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type source-quench $LOGGING
#
# Do NOT reply to ANY form of ICMP REDIRECT packets (type 5) (this can
# help stop OS fingerprinting)
#
echo " Optional parameter: ICMP REDIRECT outbound filtered"
/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type redirect $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p icmp -s $INT2IP -d $UNIVERSE --icmp-type redirect $LOGGING
fi
# Do NOT allow PING requests (type 8) from the Internet (some find this
# useful)
#
# echo " Optional parameter: ICMP ECHO outbound filtered"
#/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type echo-request $LOGGING
#
# Do NOT reply to TTL-EXPIRED packets (type 11) from the Internet (this
# is NOT a good idea - do it OUTBOUND)
#
echo " Optional parameter: ICMP TTL-EXPIRED outbound filtered"
/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type ttl-zero-during-reassembly $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p icmp -s $INT2IP -d $UNIVERSE --icmp-type ttl-zero-during-reassembly $LOGGING
fi
# Do NOT reply to PARAMETER-PROBLEM packets (type 12) (this is NOT a good
# idea - filter this on OUTBOUND)
#
echo " Optional parameter: ICMP PARAMETER-PROBLEM outbound filtered"
/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type parameter-problem $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p icmp -s $INT2IP -d $UNIVERSE --icmp-type parameter-problem $LOGGING
fi
# Do NOT reply to ICMP TIMESTAMP packets (type 13 and 14) (this can help
# stop OS fingerprinting)
#
echo " Optional parameter: ICMP TIMESTAMP outbound filtered"
/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type timestamp-request $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type timestamp-reply $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p icmp -s $INT2IP -d $UNIVERSE --icmp-type timestamp-request $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p icmp -s $INT2IP -d $UNIVERSE --icmp-type timestamp-reply $LOGGING
fi
# ICMP INFORMATION (type 15 and 16) packet filtering is NOT supported by
# either LINUX or IPCHAINS (no big deal)
#
# Do NOT reply to ICMP ADDRESS MASK packets (type 17 and 18) (this can help
# stop OS fingerprinting)
#
echo " Optional parameter: ICMP ADDRESS-MASK outbound filtered"
/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type address-mask-request $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p icmp -s $EXTIP -d $UNIVERSE --icmp-type address-mask-reply $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p icmp -s $INT2IP -d $UNIVERSE --icmp-type address-mask-request $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p icmp -s $INT2IP -d $UNIVERSE --icmp-type address-mask-reply $LOGGING
fi
# General ICMP: Allow ICMP traffic out
#
# NOTE: Disabling ICMP packets via the firewall rule set can do far
# more than just stop people from pinging your machine. Many aspects
# of TCP/IP and its associated applications rely on various ICMP
# messages. Without ICMP, both your Linux server and internal Masq'ed
# computers might not work.
#
# If you feel compelled to do ICMP filtering, do it by uncommenting your
# desired traffic types from the section ABOVE and NOT here.
#
/sbin/ipchains -A output -j ACCEPT -p icmp -s $UNIVERSE -d $UNIVERSE
# NNTP: This allows NNTP-based news out.
#
# Disabled by default
# echo " Optional parameter: NNTP server"
#/sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP nntp -d $UNIVERSE
# SMTP: If the Linux servers is either an authoritative SMTP server or
# relay, you must allow this rule set.
#
# Disabled by default
#echo " Optional parameter: SMTP server"
#/sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP smtp -d $UNIVERSE
#--------------------------------------------------------------------
# Output to Explicit Hosts
#--------------------------------------------------------------------
# This controls output to specific external hosts [secure hosts]. This example
# implementation allows ssh and pop-3 protocols out to the secure host. In
# addition to these rules, we must also explicitly allow the traffic in from
# the remote host. See the input rules above to see this take place.
#
# Disabled by default.
#--------------------------------------------------------------------
echo " - SECUREHOST: Setting output filters for explicit hosts."
# The secure host
#
if [ "$SECUREHOST" != "" ]; then
echo " * Allowing $SECUREHOST OUTPUT for ftp, ftp-data, ssh"
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp -d $SECUREHOST $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data -d $SECUREHOST $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ssh -d $SECUREHOST $UNPRIVPORTS
fi
if [ "$SECUREHOST2" != "" ]; then
echo " * Allowing $SECUREHOST2 OUTPUT for ftp, ftp-data, ssh, telnet, imap, and www"
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp -d $SECUREHOST2 $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data -d $SECUREHOST2 $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ssh -d $SECUREHOST2 $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP telnet -d $SECUREHOST2 $UNPRIVPORT
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP www -d $SECUREHOST2 $UNPRIVPORT
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP imap -d $SECUREHOST2 $UNPRIVPORT
fi
if [ "$SECUREHOST3" != "" ]; then
echo " * Allowing $SECUREHOST3 OUTPUT for ftp, ftp-data, ssh, www"
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp -d $SECUREHOST3 $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data -d $SECUREHOST3 $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ssh -d $SECUREHOST3 $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP www -d $SECUREHOST3 $UNPRIVPORTS
fi
if [ "$SECUREHOST4" != "" ]; then
echo " * Allowing $SECUREHOST4 OUTPUT for ftp, ftp-data, ssh, www"
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp -d $SECUREHOST4 $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data -d $SECUREHOST4 $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ssh -d $SECUREHOST4 $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP www -d $SECUREHOST4 $UNPRIVPORTS
fi
if [ "$SECUREHOST5" != "" ]; then
echo " * Allowing $SECUREHOST5 OUTPUT for ftp, ftp-data, ssh, www"
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp -d $SECUREHOST5 $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data -d $SECUREHOST5 $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ssh -d $SECUREHOST5 $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP www -d $SECUREHOST5 $UNPRIVPORTS
fi
echo " - DMZ-SECUREHOST: Setting output filters for explicit hosts."
# If we don't have a DMZ interface, dont do things for it
#
if ( [ "$INT2IF" != "" ] && [ "$DMZHOST1" != "" ] ); then
echo " * Allowing $DMZHOST1 OUTPUT for ssh, ftp"
/sbin/ipchains -A output -j ACCEPT -i $INT2IF -p tcp -s $INT2IP ftp -d $DMZHOST1 $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $INT2IF -p tcp -s $INTLAN ssh -d $DMZHOST1 $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $INT2IF -p tcp -s $INTLAN $UNPRIVPORTS -d $DMZHOST1 ssh
fi
if ( [ "$INT2IF" != "" ] && [ "$DMZHOST2" != "" ] ); then
echo " * Allowing $DMZHOST2 OUTPUT for ssh, ftp"
/sbin/ipchains -A output -j ACCEPT -i $INT2IF -p tcp -s $INT2IP ftp -d $DMZHOST2 $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $INT2IF -p tcp -s $INTLAN $UNPRIVPORTS -d $DMZHOST2 ssh
/sbin/ipchains -A output -j ACCEPT -i $INT2IF -p tcp -s $INTLAN ssh -d $DMZHOST2 $UNPRIVPORTS
fi
#--------------------------------------------------------------------
# Specific Output Rejections
#--------------------------------------------------------------------
# These rule sets reject specific traffic that you do not want out of
# the system.
#--------------------------------------------------------------------
echo " - Reject specific outputs."
# If we don't have an internal interface, dont do things for it
#
if [ "$INTIF" != "" ]; then
# Reject outgoing traffic to the local net from the remote interface,
# stuffed routing; deny & log
/sbin/ipchains -A output -j REJECT -i $EXTIF -s $UNIVERSE -d $INTLAN $LOGGING
fi
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -s $UNIVERSE -d $INTLAN $LOGGING
fi
# If we don't have an internal interface, dont do things for it
#
if [ "$INTIF" != "" ]; then
# Reject outgoing traffic from the local net from the external interface,
# stuffed masquerading, deny and log
/sbin/ipchains -A output -j REJECT -i $EXTIF -s $INTLAN -d $UNIVERSE $LOGGING
fi
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
#DMZ network - block all outgoing DMZ traffic unless allowed somewhere above
/sbin/ipchains -A output -j REJECT -i $INT2IF -s $INTLAN -d $UNIVERSE $LOGGING
fi
# RFC1918 and IANA Reserved Address space Bogon filtering
#
# Filter all external traffic coming from either RESERVED or non-routed
# address space.
#
# See ftp://ftp.iana.org/assignments/ipv4-address-space for up to date
# results.
#
# Please run "whois IANA*@arin.net" and with a careful eye
# "whois RESERVED*@arin.net" for more info.
#
# -------------------------------------------------------------------
# NOTE *1*: Please notice that ALL IANA Reserved Address filters
# (except for the Class-D and Class-E networks) have
# been disabled as is seems that the IANA is releasing IP
# address space without updating their tables. There is
# the email list called "bogon-announce" which you can
# subscribe to here:
# http://www.cymru.com/Bogons/
#
# Note2: The bogon list changes ALL the time. Unless you subscribe
# to the above bogon list AND update your firewall when things
# change, you will be blackholing traffic.
#
# Note3: that the address schemes from whois are silently using CLASSFULL
# masks
#
# Note4: Some ISPs use RFC1918 addresses for internal addressing of
# customers and keeping status on equipment. Some customers of
# General Instruments SURFboard cable modems might have similar
# issues.
#
# -------------------------------------------------------------------
# Reserved-1
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 0.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-9
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 1.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-2
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 2.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-5
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 5.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-7
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 7.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-10 and RFC1918 (10.x.x.x)
/sbin/ipchains -A output -j REJECT -i $EXTIF -s 10.0.0.0/8 -d $UNIVERSE $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -s 10.0.0.0/8 -d $UNIVERSE $LOGGING
fi
# Reserved-23
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 23.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-27
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 27.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-31
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 31.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-36
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 36.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-37
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 37.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-39
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 39.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-42
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 42.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-74 and 75
# 74.0.0.0 - 75.55.255.255
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 74.0.0.0/7 -d $UNIVERSE $LOGGING
# Reserved-76 though 79
# 76.0.0.0 - 79.55.255.255
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 76.0.0.0/6 -d $UNIVERSE $LOGGING
# Reserved 89
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 89.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved 90
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 90.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved 91
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 91.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved 92 though 95
# 92.0.0.0 - 95.255.255.255
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 92.0.0.0/6 -d $UNIVERSE $LOGGING
# Reserved 96 though 111
# 96.0.0.0 - 111.255.255.255
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 96.0.0.0/4 -d $UNIVERSE $LOGGING
# Reserved 112 though 119
# 112.0.0.0 - 119.255.255.255
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 112.0.0.0/5 -d $UNIVERSE $LOGGING
# Reserved 120 though 123
# 120.0.0.0 - 123.255.255.255
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 120.0.0.0/6 -d $UNIVERSE $LOGGING
# Reserved-127 127.255.255.255
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 127.0.0.0/8 -d $UNIVERSE $LOGGING
# BLACKHOLE3
#
# Disabled due to the fact that ALL reverse DNS functions (regardless of the
# address) will stop working properly. If you have a good explination of
# why this is, I would love to hear it.
#
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 128.9.64.26/32 -d $UNIVERSE $LOGGING
# Includes NET-TEST-B
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 128.66.0.0/16 -d $UNIVERSE $LOGGING
# IANA-BBLK-RESERVED and RFC1918 (172.16-31.0.0)
/sbin/ipchains -A output -j REJECT -i $EXTIF -s 172.16.0.0/12 -d $UNIVERSE $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -s 172.16.0.0/12 -d $UNIVERSE $LOGGING
fi
# Reserved-173
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 173.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-174 through 175
# 174.0.0.0 - 175.255.255.255
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 174.0.0.0/7 -d $UNIVERSE $LOGGING
# Reserved-176 through 183
# 176.0.0.0 - 183.255.255.255
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 176.0.0.0/5 -d $UNIVERSE $LOGGING
# Reserved-184 through 187
# 184.0.0.0 - 187.255.255.255
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 184.0.0.0/6 -d $UNIVERSE $LOGGING
# Reserved-189
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 189.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-190
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 190.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-4
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 191.255.0.0/16 -d $UNIVERSE $LOGGING
# ROOT-NS-LAB - 192.0.0.0/24
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 192.0.0.0/24 -d $UNIVERSE $LOGGING
# NET-ROOTS-NS-LIVE - 192.0.1.0/24
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 192.0.1.0/24 -d $UNIVERSE $LOGGING
# NET-TEST - 192.0.2.0/24
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 192.0.2.0/24 -d $UNIVERSE $LOGGING
# RFC1918
#foo
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 192.168.0.0/16 -d $UNIVERSE $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j ACCEPT -i $INT2IF -s $UNIVERSE -d $INT2LAN
/sbin/ipchains -A output -j REJECT -i $INT2IF -s $UNIVERSE -d 192.168.0.0/16 $LOGGING
fi
# RESERVED-13
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 197.0.0.0/16 -d $UNIVERSE $LOGGING
# Reserved-197
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 197.0.0.0/8 -d $UNIVERSE $LOGGING
# RESERVED-14
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 201.0.0.0/8 -d $UNIVERSE $LOGGING
# Reserved-5
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 223.255.255.0/24 -d $UNIVERSE $LOGGING
# Reserved-223
#/sbin/ipchains -A output -j REJECT -i $EXTIF -s 223.0.0.0/24 -d $UNIVERSE $LOGGING
#Future use for Class-E:
/sbin/ipchains -A output -j REJECT -i $EXTIF -s 240.0.0.0/5 -d $UNIVERSE $LOGGING
#Future use for Class-F:
/sbin/ipchains -A output -j REJECT -i $EXTIF -s 248.0.0.0/5 -d $UNIVERSE $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -s 240.0.0.0/5 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -s 248.0.0.0/5 -d $UNIVERSE $LOGGING
fi
# -----------------
# Special Filtering
# -----------------
# Multicast: Silently drop all multicast traffic for those users who
# find this traffic filling up their logs.
#
# Disabled by default.
# echo " Optional parameter: Ignore MULTICAST"
# /sbin/ipchains -A output -j REJECT -i $EXTIF -s $UNIVERSE -d 224.0.0.0/4
# NFS: Reject NFS traffic FROM and TO external machines.
#
# NOTE: NFS is one of the biggest security issues an administrator will face.
# Do NOT enable NFS over the Internet or any non-trusted networks unless you
# know exactly what you are doing.
#
# NOTE #2: the $LOGGING variable is NOT included here because if it was
# enabled, your logs would grow too quickly to manage.
#
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 2049
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 2049 -d $EXTIP
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $UNIVERSE -d $INT2IP 2049
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $UNIVERSE 2049 -d $INT2IP
fi
# SMB and CIFS: Reject SMB and CIFS traffic FROM external machines.
#
# NOTE: SMB (Win 3.x, 9x, NT) and CIFS (Win2k) is one of the biggest
# security issues an administrator will face. Do NOT enable SMB/CIFS
# traffic to flow over the Internet or any non-trusted networks
# unless you know exactly what you are doing. If you NEED this
# functionality, please use a IPSEC or PPTP VPN
#
# NOTE #2: the $LOGGING variable is NOT included here because if it was
# enabled, your logs would grow too quickly to manage.
#
# Ports: 137 TCP/UDP (NetBIOS name service)
# 138 UDP (NetBIOS datagram service) - TCP filtered just in case
# 139 TCP (NetBIOS session service) - UDP filtered just in case
# 445 TCP/UDP (MS CIFS in Win2k)
echo " - Rejecting TCP/UDP SMB traffic on the external interface."
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 137
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 137
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 138
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 138
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 139
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 139
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 445
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 445
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 137 -d $UNIVERSE
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 137 -d $UNIVERSE
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 138 -d $UNIVERSE
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 138 -d $UNIVERSE
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 139 -d $UNIVERSE
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 139 -d $UNIVERSE
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 445 -d $UNIVERSE
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 445 -d $UNIVERSE
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE 137
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP -d $UNIVERSE 137
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE 138
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP -d $UNIVERSE 138
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE 139
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP -d $UNIVERSE 139
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE 445
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP -d $UNIVERSE 445
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP 137 -d $UNIVERSE
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP 137 -d $UNIVERSE
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP 138 -d $UNIVERSE
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP 138 -d $UNIVERSE
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP 139 -d $UNIVERSE
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP 139 -d $UNIVERSE
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP 445 -d $UNIVERSE
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP 445 -d $UNIVERSE
fi
# Explictly filter out any OUTGOING traffic that is either known to be INSECURE or from a
# possible INTERNAL machine infected with a Trojan.
#
# RPC - Used for NFS and other insecure mechanisms
#
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE sunrpc $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP sunrpc -d $UNIVERSE $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP -d $UNIVERSE sunrpc $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP sunrpc -d $UNIVERSE $LOGGING
fi
# Mountd - Used for NFS
#
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 635 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 635 -d $UNIVERSE $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP -d $UNIVERSE 635 $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP 635 -d $UNIVERSE $LOGGING
fi
# PPTP - Block unauthorized outgoing VPNs
#
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 1723 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 1723 $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE 1723 $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP -d $UNIVERSE 1723 $LOGGING
fi
# Remote Winsock - Block internal Windows machines doing weird stuff.
#
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 1745 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 1745 $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE 1745 $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP -d $UNIVERSE 1745 $LOGGING
fi
# NFS - Block NFS due to security issues
#
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 2049 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 2049 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 2049 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 2049 -d $UNIVERSE $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE 2049 $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP 2049 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP -d $UNIVERSE 2049 $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP 2049 -d $UNIVERSE $LOGGING
fi
# PcAnywhere - Block unauthorized outgoing remote control sessions
#
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 5631 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 5631 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 5632 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 5632 $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE 5631 $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP -d $UNIVERSE 5631 $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE 5632 $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP -d $UNIVERSE 5632 $LOGGING
fi
# Xwindows - Block unauthorized and non-secured Xwindows
#
# NOTE: See variable section above for the example range (6000:6007 by default)
# Xwindows can use far more than just ports 6000-6007.
#
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE $XWINDOWS_PORTS $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE $XWINDOWS_PORTS $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE $XWINDOWS_PORTS $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP -d $UNIVERSE $XWINDOWS_PORTS $LOGGING
fi
# IPSec VPNs - Block unauthorized VPNs
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 500 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 500 $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP 500 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE 500 $LOGGING
fi
# MySQL - Block unauthorized SQL sessions
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 3306 -d $UNIVERSE $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP 3306 -d $UNIVERSE $LOGGING
fi
# EggDrop IRC bot - Block unauthorized bots
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 3456 -d $UNIVERSE $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP 3456 -d $UNIVERSE $LOGGING
fi
# Block the following known Trojan network ports.
#
# Please note that TCP/IP, by nature uses RANDOM high ports. So just because you get a firewall hit on
# a known trojan port doesn't always mean you have an infected internal machine. Please also note that
# since the port in question is blocked, the local or internal IP stack will eventually use a different
# high port before giving up so things SHOULD work ok anyway.
#
# By NO means is this a complete list but I try to get the common ones.
# If I filtered out ALL the various known trojan ports, there wouldn't be many VALID high ports left! :-(
#
# Please see http://www.simovits.com/sve/nyhetsarkiv/1999/nyheter9902.html for a more complete list.
#
# NetBus.
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 12345 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 12346 $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE 12345 $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE 12346 $LOGGING
fi
# NetBus Pro.
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 20034 $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE 20034 $LOGGING
fi
# BackOrofice
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 31337 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 31338 $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP -d $UNIVERSE 31337 $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP -d $UNIVERSE 31338 $LOGGING
fi
# Win Crash Trojan.
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 5742 $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE 5742 $LOGGING
fi
# Socket De Troye.
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 30303 $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE 30303 $LOGGING
fi
# Unknown Trojan Horse (Master's Paradise [CHR])
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 40421 $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP -d $UNIVERSE 40421 $LOGGING
fi
# Trinoo UDP flooder - Please note this port will probably change over time
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 27665 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 27444 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 31335 -d $UNIVERSE $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP 27665 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP 27444 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP 31335 -d $UNIVERSE $LOGGING
fi
# Shaft distributed flooder - Please note this port will probably change over time
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 20432 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 18753 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 20433 -d $UNIVERSE $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP 20432 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP 18753 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP 20433 -d $UNIVERSE $LOGGING
fi
# SubSeven Trojan - Please note this port will probably change over time
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 27374 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 27374 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 1243 -d $UNIVERSE $LOGGING
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP 27374 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p udp -s $INT2IP 27374 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $INT2IF -p tcp -s $INT2IP 1243 -d $UNIVERSE $LOGGING
fi
#--------------------------------------------------------------------
# Allow all High Ports for return traffic.
#
# Some day this rule set will be stateful and we won't have to do this
#
echo " - Enabling all output REPLY [TCP/UDP] traffic on high ports."
/sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP $UNPRIVPORTS -d $UNIVERSE
/sbin/ipchains -A output -j ACCEPT -p udp -s $EXTIP $UNPRIVPORTS -d $UNIVERSE
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A output -j ACCEPT -p tcp -s $INT2IP $UNPRIVPORTS -d $UNIVERSE
/sbin/ipchains -A output -j ACCEPT -p udp -s $INT2IP $UNPRIVPORTS -d $UNIVERSE
fi
#--------------------------------------------------------------------
# Catch All Rule
#--------------------------------------------------------------------
echo " - Final output catch all rule."
# All other outgoing is denied and logged. This rule set should catch
# everything (including samba) that hasn't already been blocked.
#
/sbin/ipchains -A output -j REJECT -s $UNIVERSE -d $UNIVERSE $LOGGING
#********************************************************************
# Forwarding Rules
#********************************************************************
#
echo "----------------------------------------------------------------------"
echo "Forwarding Rules:"
# Dont run these commands if MASQ isnt compiled into the kernel
if [ -a /proc/sys/net/ipv4/ip_always_defrag ] && [ "$INTIF" != "" ]; then
#--------------------------------------------------------------------
# Enable TCP/IP forwarding and masquerading from the Internal LAN
#--------------------------------------------------------------------
# Diald Users:
#
# You need this rule to allow the sl0 SLIP interface to receive
# traffic to then bring the interface up.
#
# Disabled by default
#
#/sbin/ipchains -A forward -j MASQ -i sl0 -s $INTLAN -d $UNIVERSE
#--------------------------------------------------------------------
# Port Forwarding
#--------------------------------------------------------------------
# Port forwarding allows external traffic to directly connect to an INTERNAL
# Masq'ed machine. An example for this is when a user needs to have external
# users directly contact a WWW server behind the MASQ server.
#
# To use PORTFW, you need to un-# out and edit the $SECUREHOST section at
# the top of the rule set.
#
# NOTE: Port forwarding is well beyond the scope of this documentation to
# explain the security issues implied in opening up access like this.
# Please see Appendix A to read the IP-MASQ-HOWTO for a full explanation.
#
# Do not use ports greater than 1023 for redirection ports.
#
# Disabled by default.
#--------------------------------------------------------------------
#echo " * Enabling Port Forwarding onto internal hosts."
#/usr/sbin/ipmasqadm portfw -f
#echo " * Forwarding SSH traffic on port 26 to $PORTFWIP1"
#/usr/sbin/ipmasqadm portfw -a -P tcp -L $EXTIP 26 -R $PORTFWIP1 22
#
#echo " * Forwarding SSH traffic on port 26 to $PORTFWIP2"
#/usr/sbin/ipmasqadm portfw -a -P tcp -L $EXTIP 26 -R $PORTFWIP2 22
#
#echo " * Forwarding SSH traffic on port 26 to $PORTFWIP3"
#/usr/sbin/ipmasqadm portfw -a -P tcp -L $EXTIP 26 -R $PORTFWIP3 22
#--------------------------------------------------------------------
# Enable TCP/IP forwarding and masquerading from the Internal LAN
#--------------------------------------------------------------------
# Turn on IP Forwarding in the Linux kernel
#
# There are TWO methods of turning on this feature. The first method is the
# Red Hat way. Edit the /etc/sysconfig/network file and change the
# "FORWARD_IPV4" line to say:
#
# FORWARD_IPV4=true
#
# The second method is shown below and can executed at any time while the
# system is running.
#
echo " - Enabling IP forwarding."
echo "1" > /proc/sys/net/ipv4/ip_forward
# Masquerade from local net on local interface to anywhere.
#
echo " - Enable IP Masquerading from the internal LAN."
/sbin/ipchains -A forward -j MASQ -i $EXTIF -s $INTLAN -d $UNIVERSE
# If we don't have a DMZ interface, dont do things for it
#
if [ "$INT2IF" != "" ]; then
/sbin/ipchains -A forward -j MASQ -i $EXTIF -s $INT2LAN -d $UNIVERSE
/sbin/ipchains -A forward -j ACCEPT -i $INTIF -s $INT2LAN -d $INTLAN
/sbin/ipchains -A forward -j ACCEPT -i $INT2IF -s $INTLAN -d $INT2LAN
fi
# Enabling Always Defrag for Masqueraded systems
#
# Some 2.2.x and ALL 2.4.x kernels dont support this feature.
# If your kernel gives you an error on this line, you can safely
# ignore it.
#
echo " - Enable IP Always Defrag for the internal LAN."
echo "1" > /proc/sys/net/ipv4/ip_always_defrag
# Disabling the LooseUDP patch required by some Internet-based games
#
# NOTE: Some distros such as TurboLinux delete this option from the kernel
#
# Enabled by default
echo " - Disable LooseUDP [needed by some games] due to security"
echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose
fi
# Catch all rule, all other forwarding is denied.
#
/sbin/ipchains -A forward -j REJECT -s $UNIVERSE -d $UNIVERSE $LOGGING
#********************************************************************
# The end
#********************************************************************
echo "----------------------------------------------------------------------"
echo -e "TrinityOS IPCHAINS Firewall $FWVER implemented.\n\n"
#/usr/local/sbin/beep
#/usr/local/sbin/success
sleep 1
#/usr/local/sbin/beep
sleep 1
#/usr/local/sbin/beep
sleep 1
Have the firewall rule set automatically load:
It should be noted that Mandrake 7.0+ and most likely newer Redhat versions have a section in /etc/rc.d/rc.sysinit to automatically load a /etc/rc.d/rc.firewall script if it exists. Since the network interfaces aren't up yet, I recommend to edit it and # out those lines
Various Linux Distributions:
--
#!/bin/sh
#
# firewall Bring up/down networking
#
# chkconfig: 2345 11 89
# description: Loads a modified version of the TrinityOS rc.firewall rule set
# probe: true
# ----------------------------------------------------------------------------
# # TrinityOS-firewall
# v11/11/00
#
# Part of the copyrighted and trademarked TrinityOS document.
# <url url="http://www.ecst.csuchico.edu/~dranch">
#
# Written and Maintained by David A. Ranch
# dranch at trinnet dot net
#
# Updates
# -------
#
# 11/11/00 - Fixed an echo typo to say that the policy is REJECT
# and added a MASQ list "mlist" option
# 10/08/00 - Changed the defaults when the firewall is stopped from ACCEPT
# to REJECT
#
# ----------------------------------------------------------------------------
# Source function library.
. /etc/rc.d/init.d/functions
# Check that networking is up.
# This line no longer work with bash2
#[ ${NETWORKING} = "no" ] && exit 0
# This should be OK.
[ "XXXX${NETWORKING}" = "XXXXno" ] && exit 0
[ -x /sbin/ifconfig ] || exit 0
# See how we were called.
case "$1" in
start)
/etc/rc.d/rc.firewall
;;
stop)
echo -e "\nFlushing firewall and setting default policies to REJECT\n"
/sbin/ipchains -P input REJECT
/sbin/ipchains -P output REJECT
/sbin/ipchains -P forward REJECT
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward
;;
restart)
$0 stop
$0 start
;;
status)
/sbin/ipchains -L
;;
mlist)
/sbin/ipchains -M -L
;;
*)
echo "Usage: firewall {start|stop|restart|status|mlist}"
exit 1
esac
exit 0
--
Next, make it executable:
chmod 700 /etc/rc.d/init.d/firewall
Lastly, enable the firewall to start automatically:
chkconfig --add firewall
chkconfig --level 345 firewall on
Slackware:
Next, append this to the end of the "/etc/rc.d/rc.local" file
#Run the IP MASQ and firewall script
/etc/rc.d/rc.firewall
- Make the rc.firewall file executable
chmod 700 /etc/rc.d/rc.firewall
Now, if you aren't running a 2.0.x kernel, please skip down to the Firewall Confirm subsection to see how to safely make changes to your live firewall configuration.
+------------------------------------------------------------------------------+ | rc.firewall for MASQ setups with a STRONG IPFWADM rule set for 2.0.x kernels | | | | *** Discontinued!!! Patch your 2.0.x kernel and use the IPCHAINS rules!! | +------------------------------------------------------------------------------+ /etc/rc.d/rc.firewall
--
#!/bin/sh
#--------------------------------------------------------------------
# Version v2.97
#
# NOTE to ALL IPFWADM users:
#
# As you all know, IPFWADM has been replaced by IPCHAINS for some time
# now. I've also been updating the IPCHAINS rule sets for a while yet
# the IPFWADM rule sets haven't been updated.
#
# Though this sucks that I have to do this, I can't maintain both.
# In the future, I will REMOVE these rule sets though I will make them
# available via a different URL.
#
# ** BUT... there is a kernel patch to get IPCHAINS running on 2.0.x
# kernels. Please see <ref id="sect-5" name="Section 5"> for the URL and use IPCHAINS from
# now on. Ok?
#
# v2.97 - Deleted the DHCPcd commands as the syntax was old an misleading. Update
# to IPCHAINS.
#
# v2.96 - Added blurbs and scripts in the EXTIP, EXTBROAD, and DGW variable areas that
# DHCP users should use "dhcpcd" with the -c option to re-run
# the rule set upon lease renews. It is also mentioned that both
# DHCP and PPP users need to get their EXTBROAD and DGW addresses
# dynamically.
# - Changed the debug system to re-create the debug log each time
# (removed one of the >'s at the top of the debug setup)
#
# v2.95 - Added a /0 to the final OUTPUT reject rule. It was implicitly there but its good
# for documentation reasons. There were also a few IMPUT rules that DENYed
# instead of REJECTed traffic for spoofed traffic, etc. Fixed.
# I also noted that the automatic $extbroad varible will only be properly set if
# you have a typical 255.255.255.0 netmask. If you don't, you'll have to statically
# define it vs. use the automatic method.
# v2.94 - Added explicit INPUT filters for NFS and OUTPUT filters for Mountd and RPC
# v2.93 - Added explicit OUTPUT filters for the BackOrofice and NetBus Windows trojans
# v2.92 - Moved the default policy settings and INPUT/OUTPUT/FORWARD flush from
# the top of each section to the top top of the entire rule set.# v2.91
# v2.91 - Added more firewall DENY rules to stop Xwindows ports 6001-6007
# v2.90 - Changed the default policies from DENY to REJECT.
# v2.80 - Clarified the input/output rules for HTTP to use the -W interface option and
# added a #ed out rule for allowing HTTP traffic directly to the Linux box
# from the Internet.
# v2.75 - Added and commented on the enabling of multicast traffic
# - Caught a serious typo: -V CANNOT have a subnet mask appended to it. Though
# this is inconsitant with the other commands, this has been confirmed.
# v2.71 - Redirectted the rc.firewall debugging info to /tmp/rc.firewall.dump
# v2.70 - Added commented out debugging echo statements right after the environment vars
# v2.65 - Removed the /32 bit subnet mask from the intip, extip, dgw, secondarydns,
# and securehost variables and manually placed them back within the rule sets
# themselves. This is for users who use DHCP and/or PPP that wouldn't get the
# correct netmask. Also, the netmask built into these variables would break
# the IPPORTFW section.
# - Added the LOOPBACK variable for better readibilty
# - Cleaned the comment sections a little
#
# v2.60 - Added #'ed out rules to support the Linux box getting addressed via DHCP
# v2.51 - Corrected the vars passed to PPPd as shown bellow in the comments section
# v2.50 - Deleted an already #ed out line to allow in ALL incoming
# traffic.
# - Added a /32 bit subnet mask to the intip, extip, dgw, secondarydns,
# and securehost variables. Because of this, I then deleted a few stray
# and possibly incorrect /24 and /32 bit masks on various IPFWADM rules
# - Cleaned up (split up) the explicit INPUT section for internal and external
# hosts.
# - Cleaned up the IPPORTFW area to use all environment vars and added the
# $portfwip var.
# - Deleted a duplicate line for the "outgoing from local net on remote interface,
# stuffed masquerading, deny" rule set
#
# v2.45 - Added the environment variables that PPPd passes to ease the
# use of IPFWADM firewalls
# v2.40 - Change the default behavior of IPORTFW to disabled
# - Made some clarifications for dynamically addressed users and
# the "extif" variable.
# v2.30 - Commented and changed the unrestricted ports to 1024-65535
# since SSH sometimes creates connections at port 1023
# - Added #'ed out IPFWADM statements to do non-logged filtering
# of BOOTP (ports 67-68), Samba (ports 137-138), RIP
# (port 520), and SNMP (port 161)
# - Added TCP support for DHCP
# v2.25 - Rearranged the ordering and description of the IPFWADM enviro variables
# - Added #'ed out IPFWADM statements for WWW access to the world
# v2.20 - Addition of IPPORTFW commands
# v2.10 - Disabled ALL outbound Xwindows (Xwin uses port 6000) which was
# previously allowed since its in the >1024 port range. Gotcha!
# v2.00 - Totally re-written and MUCH stronger
# v1.00 - Oringial draft
#--------------------------------------------------------------------
# ++ Best viewed in a window at 90+ columns
#
# This script was adapted from Ambrose's IPMASQ-HOWTO and several
# other resources including:
#
# - Me
#
# **Note**: This config ASSUMES:
#
# 1) that you have your private LAN addressing set as
# 192.168.0.x
# 2) Your internal LAN is on eth1
# 3) Your external LAN is on eth0
# 3) Your static IP address is 100.200.0.212
# * If you get your external IP address via DHCP, you
# will need to un-comment (un-#) the "DHCP - Client" rule set
#
# Obviously, this config won't be totally correct for your
# environment nor can your static IP address be the same
# as mine! So, you might need to change the IP addresses,
# internal/external interface names, un-comment out the #'ed out DHCP client
# lines, etc.
#
# ---------------------------------------------------------------
#
# This config also handles both IP spoofing and stuffed routing
# and IP Masquerading. Anything not explicitly allowed is
# REJECTED. Rejecting traffic is better than DENYING it since
# it makes the IPFWADM'ED machine look like its not CAPABLE of
# doing that particular protocol!
#
# ***PPP and DHCP USERS***
#
# 1) All PPP and DHCP users that get Dynamic IP address should
# # out the "extip" variable a page or so down and then un-# out the
# following command for your dynamic IP address:
#
# NOTE: DHCP users will need to replace the "ppp0" interface name with
# the interface name of your external Internet interface.
#
# extip=`/sbin/ifconfig | grep -A 4 ppp0 | awk '/inet/ { print $2 } ' | sed -e s/addr://`
#
#
# 2. Create the /etc/ppp/ip-up script file to execute this rule set:
#
# /etc/ppp/ip-up
# --
# #!/bin/sh
# /etc/rc.d/rc.firewall
# --
#
# NOTE: When PPPd runs the /etc/ppp/ip-up script, it passes several
# environment variables which can help bring up the script.
# Though I haven't updated my doc to use these variables, I will
# at a future date:
#
# $1 = Interface being brought up (e.g. ppp0)
# $2 = TTY device being used (/dev/modem)
# $3 = Terminal speed (38400)
# $4 = IP address of my local PPP interface
# $5 = IP address of the remote P-t-P link (default gw)
# $6 = This is the IPPARM string that is passed from the
# options file for any ip-up specific use
#
#
# 3. Now make this new script executable by running "chmod 700 /etc/ppp/ip-up"
#---------------------------------------------------------------------------
#Enviroment Variables - Change to suit your environment
#
#Specification of the LOOPBACK interface
loopback="127.0.0.1"
#Specification of the INTERNAL NIC
intif="eth1"
#The IP address on your INTERNAL nic
intip="192.168.0.1"
#IP network address of the INTERNAL net
intnet="192.168.0.0"
#IP address of an internal host that should have IPPORTFW forward traffic to
portfwip="192.168.0.20"
#Specification of the EXTERNAL NIC
#
# PPP Users: If you are using the Dynamic PPP "extif" script from above,
# make sure to comment the below line out so it doesn't override it.
#
# If you want to use the PPPd variables, change this to read:
#
# extip=ppp0
#
extif="eth0"
#The IP address you get from the Internet
#
# PPP users: If you are getting dynamic address, either use the "extip" script
# from the header above or if you want to use the PPPd variables,
# change this to read:
#
# EXTIP=`/sbin/ifconfig | grep -A 4 $EXTIF | awk '/inet/ { print $2 } ' | sed -e s/addr://`
#
# NOTE: DHCP users should also update the script that runs DHCP to
# use "dhcpcd" instead of other solutions like RH6's
# "pump" DHCP solution and also have dhcpcd load.
# It should be noted that newer versions of pump can run scripts
# upon lease bringup, renew, etc.
#
# This will let the firewall re-run upon DHCP lease renews
# just in case you get a different IP address.
#
extip="100.200.0.212"
#The IP broadcast address of the external net
#
# PPP users: If you are getting dynamic address, use the PPPd variables.
# Change "extbroad" to read (this make an assuption but it should
# be a safe assumption):
# extbroad=`echo $4 | cut -d '.' -f 1-3`.255
#
# NOTE: This method will only work for typical 255.255.255.0 netmasks,
# if you get other masks such as a 255.255.252.0, you will have to
# statically define it like it is now instead of using the dynamic
# setup.
#
extbroad="100.200.0.255"
#IP address of the default gateway on the EXTERNAL NIC
#
# PPP and DHCP users: If you are getting dynamic address, use the PPPd variables.
# Change "dgw" to read:
#
# dgw=`/sbin/ifconfig | grep -A 4 ppp0 | awk '/gateway/ { print $2 } ' | sed -e s/addr://`
#
dgw="100.200.0.1"
#IP Mask for ALL IP addresses
universe="0.0.0.0"
#IP Mask for BROADCAST
broadcast="255.255.255.255"
#Specification of HIGH IP ports
# NOTE: Notice that this STARTS at 1024 and NOT at 1023 which it should.
# for some reason SSH sometimes initiates connections at 1023 which
# is a TCP violation but shit happens.
#
# Brief update: This is due to SSH not being executed with "-P"
#
unprivports="1024:65535"
#Specification of backup DNS server
secondarydns="102.200.0.25"
#Specifically allowed external host - secure1.host.com
securehost="200.211.0.40"
#---------------------------------------------------------------------------
# Debugging Section: If you are having problems with the firewall, uncomment
# out (un # out) the follow echo lines and then re-run
# the firewall to make sure that the rc.firewall is
# getting the right info.
#
#echo Loopback IP: $loopback >> /tmp/rc.firewall.dump
#echo Internal interface name: $intif >> /tmp/rc.firewall.dump
#echo Internal interface IP: $intip >> /tmp/rc.firewall.dump
#echo Internal interface net: $intnet >> /tmp/rc.firewall.dump
#echo ----------------------------------------------------- >> /tmp/rc.firewall.dump
#echo External interface name: $extif >> /tmp/rc.firewall.dump
#echo External interface IP: $extip >> /tmp/rc.firewall.dump
#echo External interface broadcast IP: $extbroad >> /tmp/rc.firewall.dump
#echo External interface default gateway: $dgw >> /tmp/rc.firewall.dump
#echo Internet IP to be port forwarded to: $portfwip >> /tmp/rc.firewall.dump
#echo ----------------------------------------------------- >> /tmp/rc.firewall.dump
#echo External secondary DNS (optional): $secondarydns >> /tmp/rc.firewall.dump
#echo External secured host (optional): $securehost >> /tmp/rc.firewall.dump
#---------------------------------------------------------------------------
# For a nice display
echo " "
#Multicast is a powerful, yet seldom used aspect of TCP/IP for multimedia
# data. Though it isn't used much now (because most ISPs don't enable
# multicast on their networks, it will be very common in a few more
# years. Check out www.mbone.com for more detail.
#
# NOTE: Adding this feature is OPTIONAL
#
echo "Adding multicast route.."
/sbin/route add -net 224.0.0.0 netmask 240.0.0.0 dev $extif
echo "Enabling IP Masquerading.."
echo "1" > /proc/sys/net/ipv4/ip_forward
#---------------------------------------------------------------------------
# Masq timeouts
# -------------
#
# Set timeout values for masq sessions (seconds).
# I only did this because my telnet connections would drop after inactivity
# of 15 mins.
echo "Changing IP MASQ Timeouts.."
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec
# firewall timeout in ICQ itself)
/sbin/ipfwadm -M -s 7200 10 60
#---------------------------------------------------------------------------
#---------------------------------------------------------------------------
# Masq Modules
# -------------
#
echo "Loading MASQ modules.."
#/sbin/modprobe ip_masq_cuseeme
/sbin/modprobe ip_masq_ftp
#/sbin/modprobe ip_masq_irc
#/sbin/modprobe ip_masq_quake
#/sbin/modprobe ip_masq_vdolive
#/sbin/modprobe ip_masq_raudio
#---------------------------------------------------------------------------
#Set all default policies to REJECT and flush all old rules:
echo "Set all default policies to REJECT and flush all old rules"
#Change default policies
/sbin/ipfwadm -I -p reject
/sbin/ipfwadm -O -p reject
/sbin/ipfwadm -F -p reject
#Flush all old rule sets
/sbin/ipfwadm -I -f
/sbin/ipfwadm -O -f
/sbin/ipfwadm -F -f
#---------------------------------------------------------------------------
echo "Enabling general INPUT on the internal LAN.. line 74"
#---------------------------------------------------------------------------
# INCOMING traffic on the INTERNAL LAN network
# --------------------------------------------
# local interface, local machines, going anywhere is valid
/sbin/ipfwadm -I -a accept -V $intip -S $intnet/24 -D $universe/0
# remote interface, claiming to be local machines, IP spoofing, get lost & log
/sbin/ipfwadm -I -a reject -V $extip -S $intnet/24 -D $universe/0 -o
# loopback interface is valid.
/sbin/ipfwadm -I -a accept -V $loopback -S $universe/0 -D $universe/0
# DHCP - SERVER - to serve out DHCP addresses on the internal LAN 67=bootps 68=bootpc
/sbin/ipfwadm -I -a accept -W $intif -P udp -S $universe/0 bootpc -D $broadcast/0 bootps
/sbin/ipfwadm -I -a accept -W $intif -P tcp -S $universe/0 bootpc -D $broadcast/0 bootps
## DHCP - CLIENT - if you get a dynamic IP address for your ADSL or Cablemodem connection
#/sbin/ipfwadm -I -a accept -W $extif -P udp -S $universe/0 bootps -D $broadcast/0 bootpc
#/sbin/ipfwadm -I -a accept -W $extif -P tcp -S $universe/0 bootps -D $broadcast/0 bootpc
echo "Enabling general INPUT on the external LAN.. line 94"
#---------------------------------------------------------------------------
# INCOMING traffic on the EXTERNAL LAN network
# --------------------------------------------------------------------------
#
# Questionable... ???
# /sbin/ipfwadm -I -a accept -V $extip -P -k -S $universe/0 -D $intnet/24 $unprivports
#-----------
# ICMP: Allow ICMP from the local default GW
/sbin/ipfwadm -I -a accept -W $extif -P icmp -S $dgw/32 -D $extip/32
## ICMP: Allow ICMP from the universe but LOG it .. nice thought but unless you
## can figure out how to ignore REPLIES.. this is too much logging!
#/sbin/ipfwadm -I -a accept -W $extif -P icmp -S $universe/0 -D $extip/32 -o
/sbin/ipfwadm -I -a accept -W $extif -P icmp -S $universe/0 -D $extip/32
# NTP: Allow NTP updates tcp from any host
/sbin/ipfwadm -I -a accept -W $extif -P tcp -S $universe/0 -D $extip/32 ntp
# IDENT: Allow IDENT on ALL interfaces but disable it in /etc/inetd.conf
/sbin/ipfwadm -I -a accept -P tcp -S $universe/0 -D $universe/0 113
# DNS Lookups & Zone transfers: Since this site is an authoritative DNS server, we must
# open up DNS to the public on ALL interfaces
/sbin/ipfwadm -I -a accept -P tcp -S $universe/0 -D $universe/0 53
/sbin/ipfwadm -I -a accept -P udp -S $universe/0 -D $universe/0 53
# SMTP MAIL: Since this site is an authoritative SMTP server, allow it in on ALL
# interfaces.
#
# NOTE: No specific -W interfaces are given since I want SMTP to be available
# from ALL interfaces and not just one specific one.
#
/sbin/ipfwadm -I -a accept -P tcp -S $universe/0 -D $extip/32 smtp
# WWW: Allow HTTP traffic. By default, allow all HTTP traffic from the Internal
# LAN but DISABLE it from the Internet. If you also require HTTP access
# from the Internet, uncomment the #ed out rule below.
#
#Internal LAN:
/sbin/ipfwadm -I -a accept -W $intif -P tcp -S $intnet/24 -D $intip/32 www
#
#Internet:
#/sbin/ipfwadm -I -a accept -W $extif -P tcp -S $universe/0 -D $extip/32 www
# NFS
/sbin/ipfwadm -I -a reject -W $extif -P tcp -S $universe/0 -D $extip/32 2049
/sbin/ipfwadm -I -a reject -W $extif -P tcp -S $universe/0 2049 -D $extip/32
# HIGH PORTS: Enable all HIGH ports for reply tcp/udp traffic
/sbin/ipfwadm -I -a accept -P tcp -S $universe/0 -D $extip/32 $unprivports
/sbin/ipfwadm -I -a accept -P udp -S $universe/0 -D $extip/32 $unprivports
echo "Enabling explicit INPUT on the -INTERNAL- LAN.. line 136"
##############################################################################
# Begin Explict IP INPUT allows on the INTERNAL LAN network:
##############################################################################
#
### NOTE: copy a set of the following (3) lines and modify them to reflect any
# additional internal hosts you want to be able to access your Linux
# box. These examples allow FTP, FTP-DATA, SSH, and Samba.
#
# If you want to enable TELNET access, just append the word "telnet" after
# the word "ssh"
#coyote
/sbin/ipfwadm -I -a accept -W $intif -P tcp -S 192.168.0.2/32 -D $intip/32 ftp ftp-data ssh
/sbin/ipfwadm -I -a accept -W $intif -P udp -S 192.168.0.2/32 -D $intip/32 137 138 139
#spare
/sbin/ipfwadm -I -a accept -W $intif -P tcp -S 192.168.0.9/32 -D $intip/32 ftp ftp-data ssh
/sbin/ipfwadm -I -a accept -W $intif -P udp -S 192.168.0.9/32 -D $intip/32 137 138 139
#spare2
/sbin/ipfwadm -I -a accept -W $intif -P tcp -S 192.168.0.10/32 -D $intip/32 ftp ftp-data ssh
/sbin/ipfwadm -I -a accept -W $intif -P udp -S 192.168.0.10/32 -D $intip/32 137 138 139
echo "Enabling explicit INPUT on the -EXTERNAL- LAN.. line 136"
##############################################################################
# Begin Explicit IP INPUT allows on the EXTERNAL LAN network:
##############################################################################
#
### NOTE: If you need to need to have more than just one remote Secure Host
# into your Linux box, copy the set of (2) lines below and modify
# them to reflect their proper IP addresses. This example allows
# SSH and POP3 in. In addition to this "Explict IP INPUT" exception,
# you will need to explicitly allow this remote secure
# host traffic to be let -OUT- of the firewall. See the "Explict IP
# OUTPUT allows" later in this rule set to complete the firewall rule set.
#
### NOTE2: If you want to enable TELNET access in addition to SSH and POP3, just
# append the word "telnet" after the word "pop-3"
#
### NOTE3: If you want to forward FTP traffic, you will need to install a different
# ip_masq_ftp module. Please see the IP-MASQ-HOWTO for full details.
#secure1.host.com
/sbin/ipfwadm -I -a accept -W $extif -P tcp -S $securehost/32 -D $extip/32 ssh pop-3
# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# IPPORTFW Re-directions..
# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#
# Port forwarding allows people from the outside to directly connect to a machine
# on the MASQed side. An example of this is the need for people to directly
# contact an FTP server on the MASQed network from the Internet.
# NOTE: Do *NOT* use ports greater than 1023 for redirection ports.
#
# I used to use ports 2312 for TELNET redirection but I figured out
# that with ports > 1023, all my IPFWADM rule sets were being
# ignored and all Internet hosts could hit my re-directed server!
#
# Why? Due to the default behavior of TCP/IP and MASQing, you
# have to allow all ports > 1023 through the firewall.
##### NOTE: Un-#ed out these statements if you want to enable IPPORTFW
#echo "Enabling IPPORTFW Redirection on the external LAN.. line 229"
#/usr/local/sbin/ipportfw -C
#/usr/local/sbin/ipportfw -A -t$extip/2112 -R $portfwip/21
#/usr/local/sbin/ipportfw -A -t$extip/2312 -R $portfwip/23
#/usr/local/sbin/ipportfw -A -t$extip/8012 -R $portfwip/80
# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# END IPPORTFW Re-directions..
# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# ********************************************************************************
# ** Uncomment these non-logging IPFWADM rules if they apply to your enivroment **
# ********************************************************************************
# Reject all stray BOOTP traffic but DON'T log it since it fills up the logs fast
#/sbin/ipfwadm -I -a reject -P udp -S $universe/0 68
# Reject all stray Samba traffic but DON'T log it since it fills up the logs fast
#/sbin/ipfwadm -I -a reject -P udp -S $universe/0 -D $universe/0 137 138 139
# Reject all stray RIP traffic but DON'T log it since it fills up the logs fast
#/sbin/ipfwadm -I -a reject -P udp -S $universe/0 -D $universe/0 520
# Reject all stray SNMP traffic but DON'T log it since it fills up the logs fast
#/sbin/ipfwadm -I -a reject -P udp -S $universe/0 -D $broadcast/0 161
# Final INPUT Rule
#
# catch all rule, all other incoming is denied and logged. pity there is no
# log option on the policy but this does the job instead.
/sbin/ipfwadm -I -a reject -S $universe/0 -D $universe/0 -o
echo "Enabling general OUTPUT on the internal LAN.. line 174 "
#---------------------------------------------------------------------------
# OUTGOING traffic on the INTERNAL LAN network
# --------------------------------------------
# local interface, any source going to local net is valid
/sbin/ipfwadm -O -a accept -V $intip -S $universe/0 -D $intnet/24
# outgoing to local net on remote interface, stuffed routing, deny & log
/sbin/ipfwadm -O -a reject -V $extip -S $universe/0 -D $intnet/24 -o
# outgoing from local net on remote interface, stuffed masquerading, deny
/sbin/ipfwadm -O -a reject -V $extip -S $intnet/24 -D $universe/0 -o
#DISABLED - Too open
## anything else outgoing on remote interface is valid
#ipfwadm -O -a accept -V $extip -S $extip/32 -D $universe/0
# loopback interface is valid.
/sbin/ipfwadm -O -a accept -V $loopback -S $universe/0 -D $universe/0
# DHCP - SERVER - to serve out DHCP addresses on the internal LAN 67=bootps 68=bootpc
/sbin/ipfwadm -O -a accept -W $intif -P udp -S $intip/32 bootps -D $broadcast/0 bootpc
/sbin/ipfwadm -O -a accept -W $intif -P tcp -S $intip/32 bootps -D $broadcast/0 bootpc
## DHCP - CLIENT - if you get a dynamic IP address for your ADSL or Cablemodem connection
#/sbin/ipfwadm -O -a accept -W $extif -P udp -S $universe/0 bootpc -D $broadcast/0 bootps
#/sbin/ipfwadm -O -a accept -W $extif -P tcp -S $universe/0 bootpc -D $broadcast/0 bootps
echo "Enabling general OUTPUT on the EXTERNAL LAN.. line 204 "
#---------------------------------------------------------------------------
# OUTGOING traffic on the external LAN network
# --------------------------------------------
# ICMP: Allow ICMP traffic out
/sbin/ipfwadm -O -a accept -P icmp -S $universe/0 -D $universe/0
# NTP: Allow NTP updates tcp from any host
/sbin/ipfwadm -O -a accept -W $extif -P tcp -S $extip/32 ntp -D $universe/0
# IDENT: Allow IDENT out but have it disabled in /etc/inetd.conf
/sbin/ipfwadm -O -a accept -P tcp -S $universe/0 113 -D $universe/0
# DNS Lookups & Zone transfers: Since this site is an authoritative DNS
# server, we must open up DNS to the public
# on ALL interfaces
# - You do not need port 42?
/sbin/ipfwadm -O -a accept -P tcp -S $extip/32 53 -D $universe/0
/sbin/ipfwadm -O -a accept -P udp -S $extip/32 53 -D $universe/0
# SMTP MAIL: Since this site is an authoritative SMTP server, allow it in on ALL
# interfaces
#
# NOTE: No specific -W interfaces are given since I want SMTP to be available
# from ALL interfaces and not just one specific one.
#
/sbin/ipfwadm -O -a accept -P tcp -S $extip/32 smtp -D $universe/0
# WWW: Allow HTTP traffic. By default, allow all HTTP traffic from the
# Internal LAN but DISABLE it from the Internet. If you also require
# HTTP access from the Internet, uncomment the #ed out rule below.
#
#Internal LAN:
/sbin/ipfwadm -O -a accept -W $intif -P tcp -S $intip/32 www -D $intnet/24
#
#Internet:
#/sbin/ipfwadm -O -a accept -W $extif -P tcp -S $extip/32 www -D $universe/0
# RPC - reject
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 111 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 111 -D $universe/0 -o
# Mountd - reject
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 635 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 635 -D $universe/0 -o
# PPTP - reject
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 1723 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 1723 -o
# Remote Winsock - Reject
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 1745 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 1745 -o
# NFS - Reject
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 2049 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 2049 -D $universe/0 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 2049 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 2049 -D $universe/0 -o
# PcAnywhere - Reject
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 5631 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 5631 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 5632 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 5632 -o
# Xwindows - Deny
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6000 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6001 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6002 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6003 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6004 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6005 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6006 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6007 -o
#
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6000 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6001 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6002 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6003 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6004 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6005 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6006 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6007 -o
# NetBus: REJECT Netbus and LOG it
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 12345 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 12346 -o
# BackOrofice: REJECT BO on LOG it
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 31337 -o
# HIGH PORTS: Enable all HIGH ports for reply tcp/udp traffic
/sbin/ipfwadm -O -a accept -P tcp -S $extip/32 $unprivports -D $universe/0
/sbin/ipfwadm -O -a accept -P udp -S $extip/32 $unprivports -D $universe/0
echo "Enabling explicit OUTPUT on the external LAN.. line 231"
##############################################################################
# Begin Explict IP OUTPUT allows on the EXTERNAL LAN network:
##############################################################################
#
### NOTE: If you need to need to have more than just one remote Secure Host
# into your Linux box, copy the set of (2) lines below and modify
# them to reflect their proper IP addresses. This example allows
# FTP, FTP-DATA, SSH, and POP3 out. In addition to this "Explict IP
# OUTPUT" exception, you will need to explicitly allow this remote secure
# host traffic to be let -IN- to the firewall. See the "Explict IP
# INPUT allows" previously in this rule set to complete the firewall
# rule set.
#
### NOTE2: If you want to enable TELNET access in addition to FTP, FTP-DATA,
# and POP3, just append the word "telnet" after the word "pop-3"
#secure1.host.com
/sbin/ipfwadm -O -a accept -W $extif -P tcp -S $extip/32 ftp ftp-data ssh pop-3 -D $securehost/32 $unprivports
# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
##############################################################################
# End Explict IP OUTPUT allows:
##############################################################################
# catch all rule, all other outgoing is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
# This should catch everything including SAMBA an all non-explicitly allowed
# TELNET, FTP, FTP-DATA, SSH, etc.
/sbin/ipfwadm -O -a reject -S $universe/0 -D $universe/0 -o
echo "Enabling MASQ on the external LAN.. line 250"
#---------------------------------------------------------------------------
# Forwarding traffic from the internal LAN network
# --------------------------------------------
#
# Masquerade from local net on local interface to anywhere.
/sbin/ipfwadm -F -a masquerade -W $extif -S $intnet/24 -D $universe/0
# catch all rule, all other forwarding is denied and logged. pity there is no
# log option on the policy but this does the job instead.
/sbin/ipfwadm -F -a reject -S $universe/0 -D $universe/0 -o
#--------------------------------------------------------------------
# For a nice display
echo " "
--
Redhat:
edit /etc/rc.d/init.d/network and find where the [STAR] block ends (search for the sentance "stop") and ADD the following just above the double semi-colons ";;"
/etc/rc.d/init.d/network
--
#Run the IP MASQ and firewall script
/etc/rc.d/rc.firewall
--
Slackware:
Next, append this to the end of the "/etc/rc.d/rc.local" file
--
#Run the IP MASQ and firewall script
/etc/rc.d/rc.firewall
- Make the rc.firewall file executable
chmod 700 /etc/rc.d/rc.firewall
Now, if you aren't running a 2.0.x kernel for non-Masq users, please skip down to the Firewall Confirm subsection to see how to safely make changes to your live firewall configuration.
############################################################################# # NON-MASQ rc.firewall # # # # The follwing IPFWADM rule set, based upon the rule set above, is for # # NON-MASQ users who just want to restrict access to their Linux box. # # This current config allows gloabal acces to: # # # # - DNS, SENDMAIL, WWW # # # # But it restricts access to only a few IPS for: # # # # - SSH, FTP, FTP-DATA, and POP-3 # ############################################################################# +-----------------------------------------------+ | rc.firewall for NON-MASQ setups using IPFWADM | | | | *** Discontinued!!! Patch your 2.0.x kernel | | and use the IPCHAINS rules!! | +-----------------------------------------------+
/etc/rc.d/rc.firewall
--
#!/bin/sh
#--------------------------------------------------------------------
# Version v2A.97
#
# NOTE to ALL IPFWADM users:
#
# As you all know, IPFWADM has been replaced by IPCHAINS for some time
# now. I've also been updating the IPCHAINS rule sets for a while yet
# the IPFWADM rule sets haven't been updated.
#
# Though this sucks that I have to do this, I can't maintain both.
# In the future, I will REMOVE these rule sets though I will make them
# available via a different URL.
#
# ** BUT... there is a kernel patch to get IPCHAINS running on 2.0.x
# kernels. Please see <ref id="sect-5" name="Section 5"> for the URL and use IPCHAINS from
# now on. Ok?
#
# v2A.97 - Fixed a typo in the BackOrofice filter. It was using the var
# exitif vs. the correct extif.
#
# v2A.96 - Added blurbs and scripts in the EXTIP, EXTBROAD, and DGW variable
# areas that DHCP users should use "dhcpcd" with the -c option to re-run
# the rule set upon lease renews. It is also mentioned that both
# DHCP and PPP users need to get their EXTBROAD and DGW addresses
# dynamically.
#
# - Changed the debug system to re-create the debug log each time
# (removed one of the >'s at the top of the debug setup)
#
# v2A.95 - Added a /0 to the final OUTPUT reject rule. It was implicitly there but its good
# for documentation reasons. There were also a few IMPUT rules that DENYed
# instead of REJECTed traffic for spoofed traffic, etc. Fixed.
# I also noted that the automatic $extbroad varible will only be properly set if
# you have a typical 255.255.255.0 netmask. If you don't, you'll have to statically
# define it vs. use the automatic method.
# v2A.94 - Added explicit INPUT filters for NFS and OUTPUT filters for Mountd and RPC
# v2A.93 - Added explicit OUTPUT filters for the BackOrofice and NetBus Windows trojans
# v2A.92 - Moved the default policy settings and INPUT/OUTPUT/FORWARD flush from
# the top of each section to the top top of the entire rule set.
# v2A.91 - Added more firewall DENY rules to stop Xwindows ports 6001-6007
# v2A.90 - Changed the default policies from DENY to REJECT.
# v2A.80 - Clarified the input/output rules for HTTP to use the -W interface
# option.
# v2A.75 - Added and commented on the addition of multicast traffic
# - Caught a serious typo: -V CANNOT have a subnet mask appended to it. Though
# this is inconsitant with the other commands, this has been confirmed.
# v2A.71 - Redirectted the rc.firewall debugging info to /tmp/rc.firewall.dump
# v2A.70 - Added commented out debugging echo statements right after the environment vars
# - Deleted the un-used $intif, $intip, and $intnet environment vars
#
# v2A.65 - Removed the /32 bit subnet mask from the intip, dgw, secondarydns,
# and securehost variables and manually placed them back within the rule sets
# themselves. This is for users who use DHCP and/or PPP that wouldn't get the
# correct netmask. Also, the netmask built into these variables would break
# the IPPORTFW section.
# - Added the LOOPBACK variable for better readibilty
# - Cleaned the comment sections a little
#
# v2A.60 - Added #'ed out rules to support the Linux box getting addressed via DHCP
# v2A.51 - Corrected the vars passed to PPPd as shown bellow in the comments section
# v2A.50 - Deleted an already #ed out line to allow in ALL incoming
# traffic.
# - Added a /32 bit subnet mask to the intip, extip, dgw, secondarydns,
# and securehost variables. Because of this, I then deleted a few stray
# and possibly incorrect /24 and /32 bit masks on various IPFWADM rules
# v2A.45 - Added the environment variables that PPPd passes to ease the
# use of IPFWADM firewalls
# v2A.40 - Made some clarifications for dynamically addressed users and
# the "extif" variable.
# v2A.30 - Added the better commented environment vars
# - Added #'ed out IPFWADM statements to do non-logged filtering
# of BOOTP (ports 67-68), Samba (ports 137-138), RIP
# (port 520), and SNMP (port 161)
# - Deleted out all the leftover header docments that were
# specific to the MASQ firewall
# - Added TCP support for DHCP
# - Fixed outgoing DNS to reflect port 53 on the SOURCE packet
#
# v2A.20 - New rev for firewalling of a single interface server
#
#--------------------------------------------------------------------
# ++ Best viewed in a window at 90+ columns
#
# This script was adapted from Ambrose's IPMASQ-HOWTO and several
# other resources including:
#
# - Me
#
# **Note**: This config ASSUMES:
# 1) Your external LAN is on eth0
# 2) Your static IP address is 100.200.0.212
#
# Obviously, this config won't be totally correct for your
# environment nor can your static IP address be the same
# as mine!
#
# So, you'll need to either manually change the IP address in
# the environment variable section or or use the following
# command to set it up for you.
#
# This config also handles both IP spoofing and stuffed routing
# and IP Masquerading. Anything not explicitly allowed is
# REJECTED. Rejecting traffic is better than DENYING it since
# it makes the IPFWADM'ED machine look like its not CAPABLE of
# doing that particular protocol!
#
# ***PPP USERS***
#
# 1) All PPP users that get Dynamic IP address should
# # out the "extip" variable a page or so down and then un-# out the
# following command for your dynamic IP address:
#
# extip=`/sbin/ifconfig | grep -A 4 ppp0 | awk '/inet/ { print $2 } ' | sed -e s/addr://`
#
# 2. Create the /etc/ppp/ip-up script file to execute this rule set:
#
# /etc/ppp/ip-up
# --
# #!/bin/sh
# /etc/rc.d/rc.firewall
# --
#
# Now make this new script executable by running "chmod 700 /etc/ppp/ip-up"
#
# NOTE: When PPPd runs the /etc/ppp/ip-up script, it passes several
# environment variables which can help bring up the script.
# Though I haven't updated my doc to use these variables, I will
# at a future date:
#
# $1 = Interface being brought up (e.g. ppp0)
# $2 = TTY device being used (/dev/modem)
# $3 = # Terminal speed (38400)
# $4 = IP address of my local PPP interface
# $5 = IP address of the remote P-t-P link (default gw)
# $6 = This is the IPPARM string that is passed from the options
# file for any ip-up specific use
#
# 3. Now make this new script executable by running "chmod 700 /etc/ppp/ip-up"
#---------------------------------------------------------------------------
#Enviroment Variables - Change to suit your environment
#
#Specification of the LOOPBACK interface
loopback="127.0.0.1"
#Specification of the EXTERNAL NIC
#
# PPP Users: If you are using the Dynamic PPP "extif" script from above,
# make sure to comment the below line out so it doesn't override it.
#
# If you want to use the PPPd variables, change this to read:
# extif="$1"
#
extif="eth0"
#The IP address you get from the Internet
#
# PPP users: If you are getting dynamic address, either use the "extip" script
# from the header above or if you want to use the PPPd variables,
# change this to read:
# extip="$3"
#
# or you can use the following script:
#
# EXTIP=`/sbin/ifconfig | grep -A 4 $EXTIF | awk '/inet/ { print $2 } ' | sed -e s/addr://`
#
#
# DHCP users: DHCP users should also update the script that runs DHCP to
# use "dhcpcd" instead of other solutions like RH6's
# "pump" DHCP solution. It should be noted that newer
# versions of pump can run scripts upon lease bringup, renew, etc.
# Fow now, have dhcpcd load with the option:
#
# -c /etc/rc.d/rc.firewall.ipchains
#
# This will let the firewall re-run upon DHCP lease renews
# just in case you get a different IP address.
#
extip="100.200.0.212"
#The IP broadcast address of the external net
#
# PPP users: If you are getting dynamic address, use the PPPd variables.
# Change "extbroad" to read (this make an assuption but it should
# be a safe assumption):
# extbroad=`echo $4 | cut -d '.' -f 1-3`.255
#
# NOTE: This method will only work for typical 255.255.255.0 netmasks,
# if you get other masks such as a 255.255.252.0, you will have to
# statically define it like it is now instead of using the dynamic
# setup.
#
extbroad="100.200.0.255"
#IP address of the default gateway on the EXTERNAL NIC
#
# PPP users: If you are getting dynamic address, use the PPPd variables.
# Change "dgw" to read:
# dgw=$4
#
# or
#
# dgw=`/sbin/ifconfig | grep -A 4 ppp0 | awk '/gateway/ { print $2 } ' | sed -e s/addr://`
#
dgw="100.200.0.1"
#IP Mask for ALL IP addresses
universe="0.0.0.0"
#IP Mask for BROADCAST
broadcast="255.255.255.255"
#Specification of HIGH IP ports
# NOTE: Notice that this STARTS at 1024 and NOT at 1023 which it should.
# for some reason SSH sometimes initiates connections at 1023 which
# is a TCP violation but shit happens.
#
# Brief update: This is due to SSH not being executed with "-P"
#
unprivports="1024:65535"
#Specification of backup DNS server
secondarydns="102.200.0.25"
#Specifically allowed external host - secure1.host.com
securehost="200.211.0.40"
#---------------------------------------------------------------------------
# Debugging Section: If you are having problems with the firewall, uncomment
# out (un # out) the follow echo lines and then re-run
# the firewall to make sure that the rc.firewall is
# getting the right info.
#
#echo Loopback IP: $loopback > /tmp/rc.firewall.dump
#echo ----------------------------------------------------- >> /tmp/rc.firewall.dump
#echo External interface name: $extif >> /tmp/rc.firewall.dump
#echo External interface IP: $extip >> /tmp/rc.firewall.dump
#echo External interface broadcast IP: $extbroad >> /tmp/rc.firewall.dump
#echo External interface default gateway: $dgw >> /tmp/rc.firewall.dump
#echo ----------------------------------------------------- >> /tmp/rc.firewall.dump
#echo External secondary DNS (optional): $secondarydns >> /tmp/rc.firewall.dump
#echo External secured host (optional): $securehost >> /tmp/rc.firewall.dump
#---------------------------------------------------------------------------
# For a nice display
echo " "
#Multicast is a powerful, yet seldom used aspect of TCP/IP for multimedia
# data. Though it isn't used much now (because most ISPs don't enable
# multicast on their networks, it will be very common in a few more
# years. Check out www.mbone.com for more detail.
#
# NOTE: Adding this feature is OPTIONAL
#
echo "Adding multicast route.."
/sbin/route add -net 224.0.0.0 netmask 240.0.0.0 dev $extif
#---------------------------------------------------------------------------
#Set all default policies to REJECT and flush all old rules:
echo "Set all default policies to REJECT and flush all old rules"
#Change default policies
/sbin/ipfwadm -I -p reject
/sbin/ipfwadm -O -p reject
/sbin/ipfwadm -F -p reject
#Flush all old rule sets
/sbin/ipfwadm -I -f
/sbin/ipfwadm -O -f
/sbin/ipfwadm -F -f
#---------------------------------------------------------------------------
echo "Enabling general INPUT on the external LAN.. line 74"
#---------------------------------------------------------------------------
# INCOMING traffic on the EXTERNAL LAN network
# --------------------------------------------
#
# local interface, local machines, going anywhere is valid
#/sbin/ipfwadm -I -a accept -V $extip -S $intnet/24 -D $universe/0
# remote interface, claiming to be local machines, IP spoofing, get lost & log
#/sbin/ipfwadm -I -a reject -V $extip -S $intnet/24 -D $universe/0 -o
# loopback interface is valid.
/sbin/ipfwadm -I -a accept -V $loopback -S $universe/0 -D $universe/0
# DHCP - SERVER - to serve out DHCP addresses on the internal LAN 67=bootps 68=bootpc
#/sbin/ipfwadm -I -a accept -W $intif -P udp -S $universe/0 bootpc -D $broadcast/0 bootps
## DHCP - CLIENT - if you get a dynamic IP address for your ADSL or Cablemodem connection
#/sbin/ipfwadm -I -a accept -W $extif -P udp -S $universe/0 bootps -D $broadcast/0 bootpc
#/sbin/ipfwadm -I -a accept -W $extif -P tcp -S $universe/0 bootps -D $broadcast/0 bootpc
# Questionable... ???
# /sbin/ipfwadm -I -a accept -V $extip -P -k -S $universe/0 -D $intnet/24 $unprivports
#-----------
# ICMP: Allow ICMP from the local default GW
/sbin/ipfwadm -I -a accept -W $extif -P icmp -S $dgw/32 -D $extip/32
## ICMP: Allow ICMP from the universe but LOG it .. nice thought but unless you
## can figure out how to ignore REPLIES.. this is too much logging!
#/sbin/ipfwadm -I -a accept -W $extif -P icmp -S $universe/0 -D $extip/32 -o
/sbin/ipfwadm -I -a accept -W $extif -P icmp -S $universe/0 -D $extip/32
# NTP: Allow NTP updates tcp from any host
/sbin/ipfwadm -I -a accept -W $extif -P tcp -S $universe/0 -D $extip/32 ntp
# IDENT: Allow IDENT on ALL interfaces but disable it in /etc/inetd.conf
/sbin/ipfwadm -I -a accept -P tcp -S $universe/0 -D $universe/0 113
# DNS Lookups & Zone transfers: Since this site is an authoritative DNS server, we must
# open up DNS to the public on ALL interfaces
/sbin/ipfwadm -I -a accept -P tcp -S $universe/0 -D $universe/0 53
/sbin/ipfwadm -I -a accept -P udp -S $universe/0 -D $universe/0 53
# SMTP MAIL: Since this site is an authoritative SMTP server, allow it in on ALL
# interfaces
#
# NOTE: No specific -W interfaces are given since I want SMTP to be available
# from ALL interfaces and not just one specific one.
#
/sbin/ipfwadm -I -a accept -P tcp -S $universe/0 -D $extip/32 smtp
# WWW: Since this site is an authoritative WWW server, allow it in on ALL
# interfaces
/sbin/ipfwadm -I -a accept -P tcp -W $extif -S $universe/0 -D $extip/32 www
# NFS
/sbin/ipfwadm -I -a reject -W $extif -P tcp -S $universe/0 -D $extip/32 2049
/sbin/ipfwadm -I -a reject -W $extif -P tcp -S $universe/0 2049 -D $extip/32
# HIGH PORTS: Enable all HIGH ports for reply tcp/udp traffic
/sbin/ipfwadm -I -a accept -P tcp -S $universe/0 -D $extip/32 $unprivports
/sbin/ipfwadm -I -a accept -P udp -S $universe/0 -D $extip/32 $unprivports
echo "Enabling explicit INPUT on the external LAN.. line 136"
##############################################################################
# Begin Explict IP INPUT allows on the EXTERNAL LAN network:
##############################################################################
#
#securehost
/sbin/ipfwadm -I -a accept -W $extif -P tcp -S $securehost/32 -D $extip/32 ftp ftp-data ssh
#
##############################################################################
# End Explict IP INPUT allows on the EXTERNAL LAN network:
##############################################################################
# ********************************************************************************
# ** Uncomment these non-logging IPFWADM rules if they apply to your enivroment **
# ********************************************************************************
# Reject all stray BOOTP traffic but DON'T log it since it fills up the logs fast
#/sbin/ipfwadm -I -a reject -P udp -S $universe/0 68
# Reject all stray Samba traffic but DON'T log it since it fills up the logs fast
#/sbin/ipfwadm -I -a reject -P udp -S $universe/0 -D $universe/0 137 138 139
# Reject all stray RIP traffic but DON'T log it since it fills up the logs fast
#/sbin/ipfwadm -I -a reject -P udp -S $universe/0 -D $universe/0 520
# Reject all stray SNMP traffic but DON'T log it since it fills up the logs fast
#/sbin/ipfwadm -I -a reject -P udp -S $universe/0 -D $broadcast/0 161
# catch all rule, all other incoming is denied and logged. pity there is no
# log option on the policy but this does the job instead.
/sbin/ipfwadm -I -a reject -S $universe/0 -D $universe/0 -o
echo "Enabling general OUTPUT on the external LAN.. line 174 "
#---------------------------------------------------------------------------
# OUTGOING traffic on the EXTERNAL LAN network
# --------------------------------------------
# local interface, any source going to local net is valid
#/sbin/ipfwadm -O -a accept -V $intip -S $universe/0 -D $intnet/24
# outgoing to local net on remote interface, stuffed routing, deny & log
#/sbin/ipfwadm -O -a reject -V $extip -S $universe/0 -D $intnet/24 -o
# outgoing from local net on remote interface, stuffed masquerading, deny
#/sbin/ipfwadm -O -a reject -V $extip -S $intnet/24 -D $universe/0 -o
# outgoing from local net on remote interface, stuffed masquerading, deny
#/sbin/ipfwadm -O -a reject -V $extip -S $universe/0 -D $intnet/24 -o
# loopback interface is valid.
/sbin/ipfwadm -O -a accept -V $loopback -S $universe/0 -D $universe/0
# DHCP - SERVER - to serve out DHCP addresses on the internal LAN 67=bootps 68=bootpc
#/sbin/ipfwadm -O -a accept -W $intif -P udp -S $intip/32 bootps -D $broadcast/0 bootpc
## DHCP - CLIENT - if you get a dynamic IP address for your ADSL or Cablemodem connection
#/sbin/ipfwadm -O -a accept -W $extif -P udp -S $universe/0 bootpc -D $broadcast/0 bootps
#/sbin/ipfwadm -O -a accept -W $extif -P tcp -S $universe/0 bootpc -D $broadcast/0 bootps
echo "Enabling general OUTPUT on the EXTERNAL LAN.. line 204 "
# --------------------------------------------
# ICMP: Allow ICMP traffic out
/sbin/ipfwadm -O -a accept -P icmp -S $universe/0 -D $universe/0
# NTP: Allow NTP updatestcp from any host
/sbin/ipfwadm -O -a accept -W $extif -P tcp -S $extip/32 ntp -D $universe/0
# IDENT: Allow IDENT out but have it disabled in /etc/inetd.conf
/sbin/ipfwadm -O -a accept -P tcp -S $universe/0 113 -D $universe/0
# DNS Lookups & Zone transfers: Since this site is an authoritative DNS
# server, we must open up DNS to the public
# on ALL interfaces
# - You do not need port 42?
/sbin/ipfwadm -O -a accept -P tcp -S $extip/32 53 -D $universe/0
/sbin/ipfwadm -O -a accept -P udp -S $extip/32 53 -D $universe/0
# SMTP MAIL: Since this site is an authoritative SMTP server, allow it in on ALL
# interfaces
#
# NOTE: No specific -W interfaces are given since I want SMTP to be available
# from ALL interfaces and not just one specific one.
#
/sbin/ipfwadm -O -a accept -P tcp -S $extip/32 smtp -D $universe/0
# WWW: Since this site is an authoritative www server, allow it in on ALL
# interfaces
/sbin/ipfwadm -O -a accept -P tcp -W $extif -S $extip/32 www -D $universe/0
# RPC - reject
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 111 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 111 -D $universe/0 -o
# Mountd - reject
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 635 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 635 -D $universe/0 -o
# PPTP - reject
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 1723 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 1723 -o
# Remote Winsock - Reject
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 1745 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 1745 -o
# NFS - Reject
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 2049 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 2049 -D $universe/0 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 2049 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 2049 -D $universe/0 -o
# PcAnywhere - Reject
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 5631 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 5631 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 5632 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 5632 -o
# Xwindows - Deny
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6000 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6001 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6002 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6003 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6004 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6005 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6006 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6007 -o
#
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6000 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6001 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6002 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6003 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6004 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6005 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6006 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6007 -o
# NetBus: REJECT Netbus and LOG it
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 12345 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 12346 -o
# BackOrofice: REJECT BO on LOG it
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 31337 -o
# HIGH PORTS: Enable all HIGH ports for reply tcp/udp traffic
/sbin/ipfwadm -O -a accept -P tcp -S $extip/32 $unprivports -D $universe/0
/sbin/ipfwadm -O -a accept -P udp -S $extip/32 $unprivports -D $universe/0
echo "Enabling explicit OUTPUT on the external LAN.. line 231"
##############################################################################
# Begin Explict IP OUTPUT allows on the EXTERNAL LAN network:
##############################################################################
#
#securehost
/sbin/ipfwadm -O -a accept -W $extif -P tcp -S $extip/32 ftp ftp-data ssh -D $securehost/32 $unprivports
# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
##############################################################################
# End Explict IP OUTPUT allows:
##############################################################################
# catch all rule, all other outgoing is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
# This should catch everything including SAMBA an all non-explicitly allowed
# TELNET, FTP, FTP-DATA, SSH, etc.
/sbin/ipfwadm -O -a reject -S $universe/0 -D $universe/0 -o
#---------------------------------------------------------------------------
# Forwarding traffic from the internal LAN network
# --------------------------------------------
# catch all rule, all other forwarding is denied and logged. pity there is no
# log option on the policy but this does the job instead.
/sbin/ipfwadm -F -a reject -S $universe/0 -D $universe/0 -o
#--------------------------------------------------------------------
# For a nice display
echo " "
# --end
--
Next, append this to the end of the "/etc/rc.d/rc.local" file
All distributions:
--
#Run the IP MASQ and firewall script
/etc/rc.d/rc.firewall
--
- Make the rc.firewall file executable
chmod 700 /etc/rc.d/rc.firewall
First, you need to figure out what kind of access you are looking for. Ideally (in the name of security), you shouldn't allow the entire Internet to acces your box but only a few IP addresses.
If you can restrict the access down to a few IPs ------------------------------------------------ First, edit the rc.firewall ruleset that you have already modified to fit your needs and un-# out one or more of the SECUREHOST variables towards the top. Here, you will put in your desired remote IP addresses that you want to allow into your box. Next, un-# out the respective SECUREHOST lines in both the INPUT and OUTPUT sections of the rule. One critical thing to change on these two sets of lines is to change the PORT number to reflect the port you want to allow in (23 for telnet, 21 for ftp, etc). Finally, if you actually want to PORTFW this traffic to some internal machine behind a MASQ user, you will want to jump to the section below.
Setting up PORTFW
----------------- To do PORTFW, you need to to towards the top of the rc.firewall file and you need to un-# a PORTFWIP variable. Here, you need to put in the IP address of the internal server you want to contact on, say port 23. Once this is done, you need to goto the PORTFW section of TrinityOS (almost at the very end) and un-# out the line for the respective PORTFW variable you just enabled. Don't forget to update the various TCP/IP ports in the PORTFW example line to be port 23 and 23 where as the example uses 26 and 22.
Thats it.. re-run the firewall and you should be good to go.
#-------------------------------------------------------------------- # How to test your new firewall.. # # From the IPFWADM console: # # TELNET: telnet to a remote site # SSH: ssh to a remote site # DNS: run nslookup with "server = " and "set q =" # NTP: run "/etc/cron.15min/gettime" # Xwin: "export DISPLAY=your-remote-FQDN:0.0" # Run a X-server on the remote machine # Run "xeyes" # # From a MASQed computer on the internal LAN: # # From another machine on the Internet: # TELNET: telnet to your IPFWADMed machine # SSH: SSH to your IPFWADMed machine # # *** Finally.. download "nmap" (URL is in [Section 5] and run it # in both SOCKET and UDP mode to port scan your new firewall! #
One thing that ALL users need to be absolutely PERFECT with is making changes to their firewall rulesets remotely. If you were to make one ill-placed mistake, your firewall machine could become unresponsive to ALL network traffic. This means all incoming and outgoing traffic be it SMTP, WWW, even PINGs could be dropped.
To be sure that you don't take your remote machine offline, create this script file:
/usr/local/sbin/firewall-confirm
#!/bin/sh # ---------------------------------------------------------------------------- # # TrinityOS-firewall-confirmed # v11/09/00 # # Part of the copyrighted and trademarked TrinityOS document. # <url url="http://www.ecst.csuchico.edu/~dranch"> # # Written and Maintained by David A. Ranch # dranch at trinnet dot net # # Updates # ------- # # 11/09/00 - The initial release was the wrong version. Ack! This updated # version includes a critical check for /tmp/fwok. This version # also includes a 30 second screen timer. # Please upgrade! # # ---------------------------------------------------------------------------- # This script should be run when editing and running a new firewall # version remotely. # # When you run this command, you will have 30 seconds to: # # touch /tmp/fwok # # If this script doesn't see it in 30 seconds, it will revert back # to the old firewall. if [ ! -f /etc/rc.d/rc.firewall-checked ]; then echo -e "rc.firewall-checked missing.. aborting!\n\n" exit fi if [ -f /tmp/fwok ]; then echo -e "rc.firewall /tmp/fwok already exists.. aborting!\n\n" exit fi echo "Command Line options: $1" echo -e "Running /etc/rc.d/rc.firewall\n\n" /etc/rc.d/rc.firewall & echo -e "You have 30 seconds to create /tmp/fwok..\n" # Verbose wait loop i=1 while [ $i -le 30 ]; do echo -n "[$i]" sleep 1 i=$((i=$i+1)) done echo -e "\nWait loop complete.." if [ ! -f /tmp/fwok ]; then echo -e "Rolling back to last known good config\n\n" /etc/rc.d/rc.firewall-checked else echo -e "\n/tmp/fwok found.. new firewall took effect..\n\n" rm -f /tmp/fwok fi
Now, don't forget to make it executable:
chmod 700 /usr/local/sbin/firewall-confirmed
Ok.. to use this script, do the following:
cp /etc/rc.d/rc.firewall /etc/rc.d/rc.firewall-checked
/usr/local/sbin/firewall-confirmed &
Please don't forget the "&" at the end to run the script in the background.
touch /tmp/fwok
AaaHa! There is the beauty! If there was a critical error in your new rc.firewall ruleset, you wouldn't have ever seen that counter because your network connection would have been lost. But, because you weren't able to create that /tmp/fwok file, the firewall-confirmed script would run the the known good rc.firewall-checked file. So, in a worst-case senario, your network connection might have been disconnected but you would be still be able to re-connect to the firewall machine, fix your mistake, and try again! Cool eh?
If you have a WWW server, a POP3 server, etc... (say 192.168.0.2) running behind your MASQing Linux box, you can have the MASQ box forward ALL port 80, port 110, etc connections sent to 192.168.0.2 automatically!
With the stock kernel, you CANNOT port forward FTP traffic or many non-NAT friendly Internet games properly to an internal MASQed host. To do this, you need to apply kernels patches, compile up a new IP_MASQ_FTP kernel module, etc. Though these specific topics are not covered in TrinityOS, they ARE fully covered in the new IP-MASQ-HOWTO that I have written. This new HOWTO is available on the IP MASQ WWW site and the URL for this site in in Section 5
NOTE #2: Many people use IPAUTOFW for this function and it does work. But, I have to warn you, I have seen and PROVEN that IPAUTOFW can cause both performance and reliability issues even when compiled IN! Just don't use IPAUTOFW. Use IPPORTFW.
If you are running a 2.2.x kernel, you will need to use the new tool called IPMASQADM. Please see the IP-MASQ-HOWTO found in Section 5 for FULL details.
IPPORTFW for 2.0.x kernels allow for direct connections from the Internet to connect to one of your internal privately addressed servers. Linux 2.2.x kernels have this functionality built in.
- First, you might be concerned about security with PORTFWing, but this is what Steven had to say about that (the author of IPPORTFW):
"Port Forwarding is only called within masquerading functions so it fits inside the same ipfwadm rules. Masquerading is an extension to IP forwarding. Therefore, ipportfw only sees a packet if it fits both the input and masquerading ipfwadm rule sets."
From this and my IPFWADM rule set in Section 10, you will see that the packet has to pass through your IPFWADM rule sets before being forwarded. Excellent!
- Anyway, download BOTH from the URL in Section 5
- ipportfw.c source file - the kernel patch files for 2.0.36
Put this code into the /usr/src directory. I also recommend that you go to Steven's WWW page and copy the "usage" page into a text file on the Linux for future use (there isn't a Man page for IPPORTFW).
- Ok, FTP the latest stable kernel (URL in Section 5) to /usr/src/
Update: It should be noted that there is some controversy with putting the Linux kernel sources in /usr/src. Please see http://kt.linuxcare.com/kernel-traffic/kt20000814_80.epl#4 for full details. So, though Linus recommends NOT to /usr/src/linux for new kernels, many programs, patches, etc. assume that the newest kernel sources are in there. Personally, I haven't had any issue with putting the sources in /usr/src/linux but I now use /usr/src/kernel/linux instead.
- Uncompress it ( tar -xzvf linux-2.0.36.tar.gz )
- For usability, rename the newly created "linux" direcory to the proper kernel version and then just create a symbolic link to re-create the "linux" directory. e.g.
mv linux linux-2.0.36 ln -s linux-2.0.36 linux
- Copy the IPPORTFW patch into the Linux directory
cp /usr/src/subs-patch-1.37.gz /usr/src/kernel/linux
- Now, you need to patch the kernel for IPPORTFW to become an compilable option:
cd /usr/src/kernel/linux zcat subs-patch-1.3x.gz | patch -p1
- That's it for the kernel for now. Now, compile the IPPORTFW program
cd /usr/src gcc ipportfw.c -o ipportfw
- Finally, install it
mv ipportfw /usr/local/sbin
- If you have additional questions, please see the IP-MASQ-HOWTO found in Section 5 for FULL details.
TrinityOS currently reflects the building of both a 2.2.16 and also 2.0.38 kernels. If you didn't already know, Linux kernel numbering follows a rule:
- All EVEN numbered kernels (1.0, 1.2, 2.0, 2.2, 2.4, etc) are all BETA or stable (production) kernels. Beta kernels are usually locked out of having new features added to them so that the developers and concentrate on simply fixing bugs and making the code more stable. Latest numbered kernels are always the best to run.
- All ODD numbered kernels (.9, 1.1, 1.3, 2.1, 2.3, etc) are all ALPHA or test kernels. Alpha kernels are where new Linux features are added, tested, and debugged. After a specific "lockout" period announced by Linus, no more new features can be put into a given Alpha kernel generation. After this, the alpha kernel is simply fixed up for a while more and once the kernel is considered stable, it is moved to the next BETA kernel version and a new ALPHA kernel is started.
Be warned: Alpha kernel revs can be released on occasion that are unstable, cause data corruption, or even not compile at all. Like anything in the Linux world, these issues are fixed at a rapid rate and become more stable every day. As it stands, the latest 2.3.x+ kernels are quite stable and will be rolled into the 2.4.x kernel soon. After this, the 2.5.x Alpha kernel will be started up.
* Anyway, lets get down to compiling up a kernel. All initial steps to getting * the kernel sources and uncompression the kernel is in the previous section [required * since the IPPORTFW patches change the kernel a little]
There are several ways to configure a kernel:
- 2.2.x kernels:
The new 2.2.x kernels are the newer generation in Linus's kernels. They offer enhanced performance, better SMP functionality, etc. At the same time, they had to change some things compared to the 2.0.x kernels and thus broke things. If you are running an older Linux distribution that did NOT come with a 2.2.x kernel, you will have to upgrade at LEAST the following tools:
ftp://ftp.rge.com/pub/systems/linux/redhat/updates/5.2/kernel-2.2/i386/
dhcpcd-1.3.16-0.i386.rpm, initscripts-3.78-2.2.i386.rpm, ipchains-1.3.8-0.i386.rpm
modutils-2.1.121-0.i386.rpm, net-tools-1.50-0.i386.rpm, procinfo-15-0.i386.rpm
samba-2.0.0-0.i386.rpm, util-linux-2.9-0.i386.rpm
Personally, I highly recommend that you just install an entirely new Linux distribution that natively supports the 2.2.x kernels. This will save you a lot of time and suffering in the long run.
Below configs are for my hardware. Make changes to your config as required
2.2.x kernel setup:
NOTE: This kernel config reflects different hardware than documented in Section 2 of TrinityOS. This kernel is running on a Intel motherboard with:
An Intel Pentium 166Mhz CPU 128MB of RAM (2) 3Com 3c905 PCI Ethernet cards Adaptec 2940U SCSI controller Several IBM and Seagate SCSI HDs Matrox Millentium II PCI video card An additional (2)Serial / (1) Parallel I/O card
If you compiled a kernel in the past and got things running fine but now you want to compile up the newest available kernel, there is one cool trick you might want to know about.
Say I compiled up a 2.2.16 kernel on August 12th, 2000.
/usr/src/kernel/linux/.config
# # Automatically generated make config: don't edit # # # Code maturity level options # CONFIG_EXPERIMENTAL=y # # Processor type and features # # CONFIG_M386 is not set # CONFIG_M486 is not set # CONFIG_M586 is not set CONFIG_M586TSC=y # CONFIG_M686 is not set CONFIG_X86_WP_WORKS_OK=y CONFIG_X86_INVLPG=y CONFIG_X86_BSWAP=y CONFIG_X86_POPAD_OK=y CONFIG_X86_TSC=y CONFIG_1GB=y # CONFIG_2GB is not set # CONFIG_MATH_EMULATION is not set # CONFIG_MTRR is not set # CONFIG_SMP is not set # # Loadable module support # CONFIG_MODULES=y # CONFIG_MODVERSIONS is not set CONFIG_KMOD=y # # General setup # CONFIG_NET=y CONFIG_PCI=y # CONFIG_PCI_GOBIOS is not set # CONFIG_PCI_GODIRECT is not set CONFIG_PCI_GOANY=y CONFIG_PCI_BIOS=y CONFIG_PCI_DIRECT=y CONFIG_PCI_QUIRKS=y # CONFIG_PCI_OPTIMIZE is not set CONFIG_PCI_OLD_PROC=y # CONFIG_MCA is not set # CONFIG_VISWS is not set CONFIG_SYSVIPC=y # CONFIG_BSD_PROCESS_ACCT is not set CONFIG_SYSCTL=y CONFIG_BINFMT_AOUT=y CONFIG_BINFMT_ELF=y CONFIG_BINFMT_MISC=y # CONFIG_BINFMT_JAVA is not set CONFIG_PARPORT=y CONFIG_PARPORT_PC=y # CONFIG_PARPORT_OTHER is not set CONFIG_APM=y # CONFIG_APM_IGNORE_USER_SUSPEND is not set # CONFIG_APM_DO_ENABLE is not set # CONFIG_APM_CPU_IDLE is not set CONFIG_APM_DISPLAY_BLANK=y # CONFIG_APM_IGNORE_SUSPEND_BOUNCE is not set # CONFIG_APM_RTC_IS_GMT is not set # CONFIG_APM_ALLOW_INTS is not set # CONFIG_APM_REAL_MODE_POWER_OFF is not set # # Plug and Play support # CONFIG_PNP=y # CONFIG_PNP_PARPORT is not set # # Block devices # CONFIG_BLK_DEV_FD=y CONFIG_BLK_DEV_IDE=y # # Please see Documentation/ide.txt for help/info on IDE drives # # CONFIG_BLK_DEV_HD_IDE is not set CONFIG_BLK_DEV_IDEDISK=y CONFIG_BLK_DEV_IDECD=y # CONFIG_BLK_DEV_IDETAPE is not set # CONFIG_BLK_DEV_IDEFLOPPY is not set # CONFIG_BLK_DEV_IDESCSI is not set # CONFIG_BLK_DEV_CMD640 is not set # CONFIG_BLK_DEV_RZ1000 is not set CONFIG_BLK_DEV_IDEPCI=y CONFIG_BLK_DEV_IDEDMA=y # CONFIG_BLK_DEV_OFFBOARD is not set CONFIG_IDEDMA_AUTO=y # CONFIG_BLK_DEV_OPTI621 is not set # CONFIG_BLK_DEV_TRM290 is not set # CONFIG_BLK_DEV_NS87415 is not set # CONFIG_BLK_DEV_VIA82C586 is not set # CONFIG_BLK_DEV_CMD646 is not set # CONFIG_BLK_DEV_CS5530 is not set # CONFIG_IDE_CHIPSETS is not set # # Additional Block Devices # CONFIG_BLK_DEV_LOOP=m # CONFIG_BLK_DEV_NBD is not set CONFIG_BLK_DEV_MD=y # CONFIG_MD_LINEAR is not set CONFIG_MD_STRIPED=y CONFIG_MD_MIRRORING=y CONFIG_MD_RAID5=y CONFIG_MD_BOOT=y CONFIG_BLK_DEV_RAM=y CONFIG_BLK_DEV_RAM_SIZE=4096 CONFIG_BLK_DEV_INITRD=y # CONFIG_BLK_DEV_XD is not set # CONFIG_BLK_DEV_DAC960 is not set CONFIG_PARIDE_PARPORT=y # CONFIG_PARIDE is not set # CONFIG_BLK_CPQ_DA is not set # CONFIG_BLK_DEV_HD is not set # # Networking options # CONFIG_PACKET=y CONFIG_NETLINK=y CONFIG_RTNETLINK=y # CONFIG_NETLINK_DEV is not set CONFIG_FIREWALL=y CONFIG_FILTER=y CONFIG_UNIX=y CONFIG_INET=y CONFIG_IP_MULTICAST=y CONFIG_IP_ADVANCED_ROUTER=y CONFIG_RTNETLINK=y CONFIG_NETLINK=y # CONFIG_IP_MULTIPLE_TABLES is not set # CONFIG_IP_ROUTE_MULTIPATH is not set # CONFIG_IP_ROUTE_TOS is not set CONFIG_IP_ROUTE_VERBOSE=y # CONFIG_IP_ROUTE_LARGE_TABLES is not set # CONFIG_IP_PNP is not set CONFIG_IP_FIREWALL=y # CONFIG_IP_FIREWALL_NETLINK is not set # CONFIG_IP_TRANSPARENT_PROXY is not set CONFIG_IP_MASQUERADE=y # # Protocol-specific masquerading support will be built as modules. # CONFIG_IP_MASQUERADE_ICMP=y # # Protocol-specific masquerading support will be built as modules. # CONFIG_IP_MASQUERADE_MOD=y # CONFIG_IP_MASQUERADE_IPAUTOFW is not set CONFIG_IP_MASQUERADE_IPPORTFW=y # CONFIG_IP_MASQUERADE_MFW is not set CONFIG_IP_ROUTER=y # CONFIG_NET_IPIP is not set # CONFIG_NET_IPGRE is not set # CONFIG_IP_MROUTE is not set CONFIG_IP_ALIAS=y # CONFIG_ARPD is not set CONFIG_SYN_COOKIES=y # # (it is safe to leave these untouched) # # CONFIG_INET_RARP is not set CONFIG_SKB_LARGE=y # CONFIG_IPV6 is not set # # # # CONFIG_IPX is not set # CONFIG_ATALK is not set # CONFIG_X25 is not set # CONFIG_LAPB is not set # CONFIG_BRIDGE is not set # CONFIG_LLC is not set # CONFIG_ECONET is not set # CONFIG_WAN_ROUTER is not set # CONFIG_NET_FASTROUTE is not set # CONFIG_NET_HW_FLOWCONTROL is not set # CONFIG_CPU_IS_SLOW is not set # # QoS and/or fair queueing # # CONFIG_NET_SCHED is not set # # Telephony Support # # CONFIG_PHONE is not set # CONFIG_PHONE_IXJ is not set # # SCSI support # CONFIG_SCSI=y # # SCSI support type (disk, tape, CD-ROM) # CONFIG_BLK_DEV_SD=y CONFIG_CHR_DEV_ST=y CONFIG_BLK_DEV_SR=y # CONFIG_BLK_DEV_SR_VENDOR is not set # CONFIG_CHR_DEV_SG is not set # # Some SCSI devices (e.g. CD jukebox) support multiple LUNs # # CONFIG_SCSI_MULTI_LUN is not set CONFIG_SCSI_CONSTANTS=y CONFIG_SCSI_LOGGING=y # # SCSI low-level drivers # # CONFIG_BLK_DEV_3W_XXXX_RAID is not set # CONFIG_SCSI_7000FASST is not set # CONFIG_SCSI_ACARD is not set # CONFIG_SCSI_AHA152X is not set # CONFIG_SCSI_AHA1542 is not set # CONFIG_SCSI_AHA1740 is not set CONFIG_SCSI_AIC7XXX=y CONFIG_AIC7XXX_TCQ_ON_BY_DEFAULT=y CONFIG_AIC7XXX_CMDS_PER_DEVICE=8 CONFIG_AIC7XXX_PROC_STATS=y CONFIG_AIC7XXX_RESET_DELAY=5 # CONFIG_SCSI_IPS is not set # CONFIG_SCSI_ADVANSYS is not set # CONFIG_SCSI_IN2000 is not set # CONFIG_SCSI_AM53C974 is not set # CONFIG_SCSI_MEGARAID is not set # CONFIG_SCSI_BUSLOGIC is not set # CONFIG_SCSI_DTC3280 is not set # CONFIG_SCSI_EATA is not set # CONFIG_SCSI_EATA_DMA is not set # CONFIG_SCSI_EATA_PIO is not set # CONFIG_SCSI_FUTURE_DOMAIN is not set # CONFIG_SCSI_GDTH is not set # CONFIG_SCSI_GENERIC_NCR5380 is not set # CONFIG_SCSI_INITIO is not set # CONFIG_SCSI_INIA100 is not set # CONFIG_SCSI_PPA is not set # CONFIG_SCSI_IMM is not set # CONFIG_SCSI_NCR53C406A is not set # CONFIG_SCSI_SYM53C416 is not set # CONFIG_SCSI_SIM710 is not set # CONFIG_SCSI_NCR53C7xx is not set # CONFIG_SCSI_NCR53C8XX is not set # CONFIG_SCSI_SYM53C8XX is not set # CONFIG_SCSI_PAS16 is not set # CONFIG_SCSI_PCI2000 is not set # CONFIG_SCSI_PCI2220I is not set # CONFIG_SCSI_PSI240I is not set # CONFIG_SCSI_QLOGIC_FAS is not set # CONFIG_SCSI_QLOGIC_ISP is not set # CONFIG_SCSI_QLOGIC_FC is not set # CONFIG_SCSI_SEAGATE is not set # CONFIG_SCSI_DC390T is not set # CONFIG_SCSI_T128 is not set # CONFIG_SCSI_U14_34F is not set # CONFIG_SCSI_ULTRASTOR is not set # CONFIG_SCSI_DEBUG is not set # # I2O device support # # CONFIG_I2O is not set # CONFIG_I2O_PCI is not set # CONFIG_I2O_BLOCK is not set # CONFIG_I2O_SCSI is not set # # Network device support # CONFIG_NETDEVICES=y # # ARCnet devices # # CONFIG_ARCNET is not set CONFIG_DUMMY=m # CONFIG_BONDING is not set # CONFIG_EQUALIZER is not set # CONFIG_ETHERTAP is not set # CONFIG_NET_SB1000 is not set # # Ethernet (10 or 100Mbit) # CONFIG_NET_ETHERNET=y CONFIG_NET_VENDOR_3COM=y # CONFIG_EL1 is not set # CONFIG_EL2 is not set # CONFIG_ELPLUS is not set # CONFIG_EL16 is not set # CONFIG_EL3 is not set # CONFIG_3C515 is not set CONFIG_VORTEX=y # CONFIG_LANCE is not set # CONFIG_NET_VENDOR_SMC is not set # CONFIG_NET_VENDOR_RACAL is not set # CONFIG_RTL8139 is not set # CONFIG_NET_ISA is not set # CONFIG_NET_EISA is not set # CONFIG_NET_POCKET is not set # # Ethernet (1000 Mbit) # # CONFIG_ACENIC is not set # CONFIG_HAMACHI is not set # CONFIG_YELLOWFIN is not set # CONFIG_SK98LIN is not set # CONFIG_FDDI is not set # CONFIG_HIPPI is not set # CONFIG_PLIP is not set CONFIG_PPP=y # # CCP compressors for PPP are only built as modules. # # CONFIG_SLIP is not set # CONFIG_NET_RADIO is not set # # Token ring devices # # CONFIG_TR is not set # CONFIG_NET_FC is not set # CONFIG_RCPCI is not set # CONFIG_SHAPER is not set # # Wan interfaces # # CONFIG_HOSTESS_SV11 is not set # CONFIG_COSA is not set # CONFIG_SEALEVEL_4021 is not set # CONFIG_SYNCLINK_SYNCPPP is not set # CONFIG_LANMEDIA is not set # CONFIG_COMX is not set # CONFIG_HDLC is not set # CONFIG_DLCI is not set # CONFIG_SBNI is not set # # Amateur Radio support # # CONFIG_HAMRADIO is not set # # IrDA (infrared) support # # CONFIG_IRDA is not set # # ISDN subsystem # # CONFIG_ISDN is not set # # Old CD-ROM drivers (not SCSI, not IDE) # # CONFIG_CD_NO_IDESCSI is not set # # Character devices # CONFIG_VT=y CONFIG_VT_CONSOLE=y CONFIG_SERIAL=y # CONFIG_SERIAL_CONSOLE is not set # CONFIG_SERIAL_EXTENDED is not set # CONFIG_SERIAL_NONSTANDARD is not set CONFIG_UNIX98_PTYS=y CONFIG_UNIX98_PTY_COUNT=256 CONFIG_PRINTER=m # CONFIG_PRINTER_READBACK is not set CONFIG_MOUSE=y # # Mice # # CONFIG_ATIXL_BUSMOUSE is not set # CONFIG_BUSMOUSE is not set # CONFIG_MS_BUSMOUSE is not set CONFIG_PSMOUSE=y # CONFIG_82C710_MOUSE is not set # CONFIG_PC110_PAD is not set # # Joysticks # # CONFIG_JOYSTICK is not set # CONFIG_QIC02_TAPE is not set # CONFIG_WATCHDOG is not set # CONFIG_NVRAM is not set CONFIG_RTC=y # # Video For Linux # # CONFIG_VIDEO_DEV is not set # CONFIG_DTLK is not set # # Ftape, the floppy tape device driver # # CONFIG_FTAPE is not set # # Filesystems # # CONFIG_QUOTA is not set CONFIG_AUTOFS_FS=y # CONFIG_ADFS_FS is not set # CONFIG_AFFS_FS is not set # CONFIG_HFS_FS is not set CONFIG_FAT_FS=y CONFIG_MSDOS_FS=y # CONFIG_UMSDOS_FS is not set CONFIG_VFAT_FS=y CONFIG_ISO9660_FS=y CONFIG_JOLIET=y # CONFIG_MINIX_FS is not set # CONFIG_NTFS_FS is not set # CONFIG_HPFS_FS is not set CONFIG_PROC_FS=y CONFIG_DEVPTS_FS=y # CONFIG_QNX4FS_FS is not set # CONFIG_ROMFS_FS is not set CONFIG_EXT2_FS=y # CONFIG_SYSV_FS is not set # CONFIG_UFS_FS is not set # CONFIG_EFS_FS is not set # # Network File Systems # # CONFIG_CODA_FS is not set CONFIG_NFS_FS=y CONFIG_NFSD=m # CONFIG_NFSD_SUN is not set CONFIG_SUNRPC=y CONFIG_LOCKD=y CONFIG_SMB_FS=y # CONFIG_NCP_FS is not set # # Partition Types # # CONFIG_BSD_DISKLABEL is not set # CONFIG_MAC_PARTITION is not set # CONFIG_SMD_DISKLABEL is not set # CONFIG_SOLARIS_X86_PARTITION is not set # CONFIG_UNIXWARE_DISKLABEL is not set CONFIG_NLS=y # # Native Language Support # CONFIG_NLS_DEFAULT="cp437" CONFIG_NLS_CODEPAGE_437=m # CONFIG_NLS_CODEPAGE_737 is not set # CONFIG_NLS_CODEPAGE_775 is not set # CONFIG_NLS_CODEPAGE_850 is not set # CONFIG_NLS_CODEPAGE_852 is not set # CONFIG_NLS_CODEPAGE_855 is not set # CONFIG_NLS_CODEPAGE_857 is not set # CONFIG_NLS_CODEPAGE_860 is not set # CONFIG_NLS_CODEPAGE_861 is not set # CONFIG_NLS_CODEPAGE_862 is not set # CONFIG_NLS_CODEPAGE_863 is not set # CONFIG_NLS_CODEPAGE_864 is not set # CONFIG_NLS_CODEPAGE_865 is not set # CONFIG_NLS_CODEPAGE_866 is not set # CONFIG_NLS_CODEPAGE_869 is not set # CONFIG_NLS_CODEPAGE_874 is not set # CONFIG_NLS_CODEPAGE_932 is not set # CONFIG_NLS_CODEPAGE_936 is not set # CONFIG_NLS_CODEPAGE_949 is not set # CONFIG_NLS_CODEPAGE_950 is not set CONFIG_NLS_ISO8859_1=m # CONFIG_NLS_ISO8859_2 is not set # CONFIG_NLS_ISO8859_3 is not set # CONFIG_NLS_ISO8859_4 is not set # CONFIG_NLS_ISO8859_5 is not set # CONFIG_NLS_ISO8859_6 is not set # CONFIG_NLS_ISO8859_7 is not set # CONFIG_NLS_ISO8859_8 is not set # CONFIG_NLS_ISO8859_9 is not set # CONFIG_NLS_ISO8859_14 is not set # CONFIG_NLS_ISO8859_15 is not set # CONFIG_NLS_KOI8_R is not set # # Console drivers # CONFIG_VGA_CONSOLE=y # CONFIG_VIDEO_SELECT is not set # CONFIG_MDA_CONSOLE is not set # CONFIG_FB is not set # # Sound # CONFIG_SOUND=y # CONFIG_SOUND_CMPCI is not set # CONFIG_SOUND_ES1370 is not set # CONFIG_SOUND_ES1371 is not set # CONFIG_SOUND_MAESTRO is not set # CONFIG_SOUND_ESSSOLO1 is not set # CONFIG_SOUND_ICH is not set # CONFIG_SOUND_SONICVIBES is not set # CONFIG_SOUND_TRIDENT is not set # CONFIG_SOUND_MSNDCLAS is not set # CONFIG_SOUND_MSNDPIN is not set CONFIG_SOUND_OSS=y # CONFIG_SOUND_DMAP is not set # CONFIG_SOUND_PAS is not set CONFIG_SOUND_SB=y CONFIG_SB_BASE=220 CONFIG_SB_IRQ=5 CONFIG_SB_DMA=1 CONFIG_SB_DMA2=5 CONFIG_SB_MPU_BASE=330 # # MPU401 IRQ is only required with Jazz16, SM Wave and ESS1688. # # # Enter -1 to the following question if you have something else such as SB16/32. # CONFIG_SB_MPU_IRQ=-1 # CONFIG_SOUND_GUS is not set # CONFIG_SOUND_MPU401 is not set # CONFIG_SOUND_PSS is not set # CONFIG_SOUND_MSS is not set # CONFIG_SOUND_SSCAPE is not set # CONFIG_SOUND_TRIX is not set # CONFIG_SOUND_VIA82CXXX is not set # CONFIG_SOUND_MAD16 is not set # CONFIG_SOUND_WAVEFRONT is not set # CONFIG_SOUND_CS4232 is not set # CONFIG_SOUND_OPL3SA2 is not set # CONFIG_SOUND_MAUI is not set # CONFIG_SOUND_SGALAXY is not set # CONFIG_SOUND_AD1816 is not set # CONFIG_SOUND_OPL3SA1 is not set # CONFIG_SOUND_SOFTOSS is not set # CONFIG_SOUND_YM3812 is not set # CONFIG_SOUND_VMIDI is not set # CONFIG_SOUND_UART6850 is not set # CONFIG_SOUND_NM256 is not set # CONFIG_SOUND_YMPCI is not set # # Additional low level sound drivers # # CONFIG_LOWLEVEL_SOUND is not set # # Kernel hacking # # CONFIG_MAGIC_SYSRQ is not set
/usr/src/kernel/linux/.config
# # Automatically generated by make menuconfig: don't edit # # # Code maturity level options # CONFIG_EXPERIMENTAL=y # # Loadable module support # CONFIG_MODULES=y # CONFIG_MODVERSIONS is not set # CONFIG_KERNELD is not set # # General setup # # CONFIG_MATH_EMULATION is not set CONFIG_MEM_STD=y # CONFIG_MEM_ENT is not set # CONFIG_MEM_SPECIAL is not set CONFIG_MAX_MEMSIZE=1024 CONFIG_NET=y # CONFIG_MAX_16M is not set # CONFIG_PCI is not set CONFIG_SYSVIPC=y CONFIG_BINFMT_AOUT=y CONFIG_BINFMT_ELF=y # CONFIG_BINFMT_JAVA is not set CONFIG_KERNEL_ELF=y # CONFIG_M386 is not set CONFIG_M486=y # CONFIG_M586 is not set # CONFIG_M686 is not set # CONFIG_APM is not set # # Floppy, IDE, and other block devices # CONFIG_BLK_DEV_FD=y CONFIG_BLK_DEV_IDE=y # CONFIG_BLK_DEV_HD_IDE is not set CONFIG_BLK_DEV_IDECD=y # CONFIG_BLK_DEV_IDETAPE is not set # CONFIG_BLK_DEV_IDEFLOPPY is not set # CONFIG_BLK_DEV_IDESCSI is not set # CONFIG_BLK_DEV_IDE_PCMCIA is not set # CONFIG_BLK_DEV_CMD640 is not set # CONFIG_IDE_CHIPSETS is not set CONFIG_BLK_DEV_LOOP=m CONFIG_BLK_DEV_MD=y CONFIG_MD_LINEAR=y CONFIG_MD_STRIPED=y CONFIG_MD_MIRRORING=y CONFIG_MD_RAID5=y CONFIG_BLK_DEV_RAM=y CONFIG_BLK_DEV_INITRD=y # CONFIG_BLK_DEV_XD is not set # CONFIG_BLK_CPQ_DA is not set # CONFIG_PARIDE is not set # CONFIG_BLK_DEV_HD is not set # # Networking options # CONFIG_FIREWALL=y CONFIG_NET_ALIAS=y CONFIG_INET=y CONFIG_IP_FORWARD=y CONFIG_IP_MULTICAST=y CONFIG_SYN_COOKIES=y CONFIG_IP_FIREWALL=y CONFIG_IP_FIREWALL_VERBOSE=y CONFIG_IP_MASQUERADE=y # CONFIG_IP_MASQUERADE_IPAUTOFW is not set CONFIG_IP_MASQUERADE_IPPORTFW=y # CONFIG_IP_MASQUERADE_PPTP is not set # CONFIG_IP_MASQUERADE_IPSEC is not set CONFIG_IP_MASQUERADE_ICMP=y # CONFIG_IP_TRANSPARENT_PROXY is not set CONFIG_IP_MASQ_LOOSE_UDP=y CONFIG_IP_ALWAYS_DEFRAG=y # CONFIG_IP_ACCT is not set CONFIG_IP_ROUTER=y # CONFIG_NET_IPIP is not set # CONFIG_IP_MROUTE is not set CONFIG_IP_ALIAS=y # CONFIG_INET_PCTCP is not set # CONFIG_INET_RARP is not set # CONFIG_NO_PATH_MTU_DISCOVERY is not set CONFIG_IP_NOSR=y CONFIG_SKB_LARGE=y # CONFIG_IPX is not set # CONFIG_ATALK is not set # CONFIG_AX25 is not set # CONFIG_BRIDGE is not set # CONFIG_NETLINK is not set # # SCSI support # CONFIG_SCSI=y CONFIG_BLK_DEV_SD=y CONFIG_CHR_DEV_ST=y CONFIG_BLK_DEV_SR=y # CONFIG_CHR_DEV_SG is not set # CONFIG_SCSI_MULTI_LUN is not set CONFIG_SCSI_CONSTANTS=y # # SCSI low-level drivers # # CONFIG_SCSI_7000FASST is not set # CONFIG_SCSI_ACARD is not set # CONFIG_SCSI_AHA152X is not set # CONFIG_SCSI_AHA1542 is not set # CONFIG_SCSI_AHA1740 is not set CONFIG_SCSI_AIC7XXX=y CONFIG_AIC7XXX_TCQ_ON_BY_DEFAULT=y CONFIG_AIC7XXX_CMDS_PER_DEVICE=8 CONFIG_AIC7XXX_PROC_STATS=y CONFIG_AIC7XXX_RESET_DELAY=5 # CONFIG_SCSI_ADVANSYS is not set # CONFIG_SCSI_IN2000 is not set # CONFIG_SCSI_AM53C974 is not set # CONFIG_SCSI_MEGARAID is not set # CONFIG_SCSI_BUSLOGIC is not set # CONFIG_SCSI_DTC3280 is not set # CONFIG_SCSI_EATA_DMA is not set # CONFIG_SCSI_EATA_PIO is not set # CONFIG_SCSI_EATA is not set # CONFIG_SCSI_FUTURE_DOMAIN is not set # CONFIG_SCSI_GENERIC_NCR5380 is not set # CONFIG_SCSI_INITIO is not set # CONFIG_SCSI_INIA100 is not set # CONFIG_SCSI_NCR53C406A is not set # CONFIG_SCSI_SYM53C416 is not set # CONFIG_SCSI_PPA is not set # CONFIG_SCSI_PAS16 is not set # CONFIG_SCSI_PCI2000 is not set # CONFIG_SCSI_PCI2220I is not set # CONFIG_SCSI_PSI240I is not set # CONFIG_SCSI_QLOGIC_FAS is not set # CONFIG_SCSI_SEAGATE is not set # CONFIG_SCSI_T128 is not set # CONFIG_SCSI_TC2550 is not set # CONFIG_SCSI_U14_34F is not set # CONFIG_SCSI_ULTRASTOR is not set # CONFIG_SCSI_GDTH is not set # # Network device support # CONFIG_NETDEVICES=y CONFIG_DUMMY=m # CONFIG_EQUALIZER is not set # CONFIG_DLCI is not set # CONFIG_PLIP is not set CONFIG_PPP=y # CONFIG_SLIP is not set # CONFIG_NET_RADIO is not set CONFIG_NET_ETHERNET=y CONFIG_NET_VENDOR_3COM=y # CONFIG_EL1 is not set # CONFIG_EL2 is not set # CONFIG_ELPLUS is not set # CONFIG_EL16 is not set CONFIG_EL3=y # CONFIG_3C515 is not set # CONFIG_VORTEX is not set # CONFIG_NET_VENDOR_SMC is not set # CONFIG_NET_PCI is not set # CONFIG_NET_ISA is not set # CONFIG_NET_EISA is not set # CONFIG_NET_POCKET is not set # CONFIG_TR is not set # CONFIG_FDDI is not set # CONFIG_ARCNET is not set # CONFIG_SHAPER is not set # CONFIG_RCPCI is not set # # ISDN subsystem # # CONFIG_ISDN is not set # # CD-ROM drivers (not for SCSI or IDE/ATAPI drives) # # CONFIG_CD_NO_IDESCSI is not set # # Filesystems # # CONFIG_QUOTA is not set CONFIG_MINIX_FS=y # CONFIG_EXT_FS is not set CONFIG_EXT2_FS=y # CONFIG_XIA_FS is not set CONFIG_NLS=y CONFIG_ISO9660_FS=y CONFIG_FAT_FS=y CONFIG_MSDOS_FS=y # CONFIG_UMSDOS_FS is not set CONFIG_VFAT_FS=y # # Select available code pages # # CONFIG_NLS_CODEPAGE_437 is not set # CONFIG_NLS_CODEPAGE_737 is not set # CONFIG_NLS_CODEPAGE_775 is not set # CONFIG_NLS_CODEPAGE_850 is not set # CONFIG_NLS_CODEPAGE_852 is not set # CONFIG_NLS_CODEPAGE_855 is not set # CONFIG_NLS_CODEPAGE_857 is not set # CONFIG_NLS_CODEPAGE_860 is not set # CONFIG_NLS_CODEPAGE_861 is not set # CONFIG_NLS_CODEPAGE_862 is not set # CONFIG_NLS_CODEPAGE_863 is not set # CONFIG_NLS_CODEPAGE_864 is not set # CONFIG_NLS_CODEPAGE_865 is not set # CONFIG_NLS_CODEPAGE_866 is not set # CONFIG_NLS_CODEPAGE_869 is not set # CONFIG_NLS_CODEPAGE_874 is not set # CONFIG_NLS_ISO8859_1 is not set # CONFIG_NLS_ISO8859_2 is not set # CONFIG_NLS_ISO8859_3 is not set # CONFIG_NLS_ISO8859_4 is not set # CONFIG_NLS_ISO8859_5 is not set # CONFIG_NLS_ISO8859_6 is not set # CONFIG_NLS_ISO8859_7 is not set # CONFIG_NLS_ISO8859_8 is not set # CONFIG_NLS_ISO8859_9 is not set # CONFIG_NLS_ISO8859_15 is not set # CONFIG_NLS_KOI8_R is not set CONFIG_PROC_FS=y CONFIG_NFS_FS=y # CONFIG_ROOT_NFS is not set CONFIG_SMB_FS=y CONFIG_SMB_WIN95=y # CONFIG_HPFS_FS is not set # CONFIG_SYSV_FS is not set # CONFIG_AUTOFS_FS is not set # CONFIG_AFFS_FS is not set # CONFIG_UFS_FS is not set # # Character devices # CONFIG_SERIAL=y # CONFIG_SERIAL_PCI is not set # CONFIG_DIGI is not set # CONFIG_CYCLADES is not set # CONFIG_ISI is not set # CONFIG_STALDRV is not set # CONFIG_RISCOM8 is not set CONFIG_PRINTER=y # CONFIG_SPECIALIX is not set # CONFIG_MOUSE is not set # CONFIG_UMISC is not set # CONFIG_QIC02_TAPE is not set # CONFIG_FTAPE is not set # CONFIG_WATCHDOG is not set CONFIG_RTC=y # # Sound # CONFIG_SOUND=y # CONFIG_PAS is not set CONFIG_SB=y # CONFIG_ADLIB is not set # CONFIG_GUS is not set # CONFIG_MPU401 is not set # CONFIG_UART6850 is not set # CONFIG_PSS is not set # CONFIG_GUS16 is not set # CONFIG_GUSMAX is not set # CONFIG_MSS is not set # CONFIG_SSCAPE is not set # CONFIG_TRIX is not set # CONFIG_MAD16 is not set # CONFIG_CS4232 is not set # CONFIG_MAUI is not set CONFIG_AUDIO=y # CONFIG_MIDI is not set CONFIG_YM3812=y SBC_BASE=220 SBC_IRQ=10 SBC_DMA=1 SB_DMA2=5 SB_MPU_BASE=0 SB_MPU_IRQ=-1 DSP_BUFFSIZE=65536 # CONFIG_LOWLEVEL_SOUND is not set # # Kernel hacking # # CONFIG_PROFILE is not set
- [ OPTIONAL -- You only need to do this if you have an ancient SoundBlaster-type CDROM drive ]
- edit /usr/src/kernel/linux/include/linux/sbpcd.h (as of kernel 2.0.38)
- Roughly at line 77, verify the top most SB address and CDROM port is correct.
- Roughly at line 107, change the "#define DISTRIBUTION" variable to "0" to reflect that you have configured the sound drivers
- Roughly at line 121 and 128, change ALL eject line variable to "0" so the drives won't eject their CDs
Now we need to shift gears and jump to the PPP code installation to verify if there is any newer code in the PPP distribution than the kernel distribution.
- Kernel 2.0.35 didn't come with the new v1.16 3Com driver. Bummer. It was pulled because of problems but I haven't had any and there are a LOT of fixes in it. So, do the following:
- mv /usr/src/kernel/linux/drivers/net/3c509.c /usr/src/kernel/linux/drivers/net/3c509.c.orig
- Download the new driver from:
ftp://cesdis.gsfc.nasa.gov/pub/linux/drivers/3c509.c
If, for some reason, the drive is not available, email me and I'll mail it to you.
*************************
- Download the newest PPP sources from the URL in Section 5 and put it in "/usr/src"
- "tar -xvzf ppp-2.3.x.tar.gz"
- "cd ppp-2.3.x"
- "configure"
- Now, some patches won't need to be installed based upon the version of PPPD and/or the Linux kernel they are installing.
- "make kernel"
This will update any of the required kernel code to work with this version of PPPd.
- "make"
NOTE: You can use "make USE_MS_DNS=1" to insure your system uses the ISP's offered DNS servers over your statically-configure.
Remember, since TrinityOS will run it's OWN DNS server, it really won't matter.
- "make install"
Ok, now back to the kernel configuring for now.. ================================================================================
Time to compile the kernel. You can do it manually via the following commands or use the "built-it" script given below.
"cd /usr/src/kernel/linux"
"make clean"
"make dep"
"make bzImage"
and allow for the kernel to compile (~3mins on a P-II 233)
- Now, compile and install the necessary system modules:
"cd /usr/src/kernel/linux"
"make modules"
"make modules_install"
- Once the kernel has compiled, do the following command line (replacing "XYZ" with an identifing name like "2035-masq":
Slackware:
"cp /usr/src/kernel/linux/arch/i386/boot/bzImage /XYZ"
Redhat:
"cp /usr/src/kernel/linux/arch/i386/boot/bzImage /boot/XYZ"
If you would like to automate this process in the future, create this script in /usr/src/kernel and run it once you have configured your new kernel.
NOTE: You will want to create the directory /usr/src/kernel/config to store your configured kernel setups. This is a good way to find out what is and isn't enabled in a given kernel.
/usr/src/kernel/build-it
<build-it START>
!/bin/sh # # Version: 11/10/01 # # Part of the copyrighted and trademarked TrinityOS document. # <url url="http://www.ecst.csuchico.edu/~dranch"> # # Written and Maintained by David A. Ranch # dranch at trinnet dot net # # Updates: # # 07/09/03 - Added checks to stop the process if the kernel doesn't compile # - Added the use of path variables # - Added additional echo statements for cleaner output # 11/10/01 - added the use of mrproper to solve rare kernel module issues # 11/09/01 - made making "dep" serial as doing via parallel had issues # - Holy cow.. forgot to parallelize the making of the kernel # 10/04/01 - Moved the kernel sources and this script to /usr/src/kernel # 01/17/00 - Changed the date to use %d over %e and remove # any spacesn the date format. # - Changed the layout a little and added some beeps at the end # # Multi-process option (enable this even for uni-processor machines.. # seriously) J=-j4 #Location of the kernel sources SRC=/usr/src/kernel # --- Script Body cd $SRC/linux #Make sure the $SRC/config directory exists. cp $SRC/linux/.config $SRC/config/kernel.`date +'%b%d'` # Deal with rare but troublesome kernel module symbol issues mv .config .. echo -e "\n\n**********************************************" echo -e "** **" echo -e "** Pre-Phase 1: make mrproper **" echo -e "** **" echo -e "**********************************************\n\n" make mrproper echo -e "\n\n**********************************************" echo -e "** **" echo -e "** Pre-Phase 2: make oldconfig **" echo -e "** **" echo -e "**********************************************\n\n" mv ../.config . make oldconfig echo -e "\n\n**********************************************" echo -e "** **" echo -e "** Pre-Phase 3: make clean **" echo -e "** **" echo -e "**********************************************\n\n" # Clean up from any previous builds make $J clean # Start to time the build time date > $SRC/kernel-compile-time.`date +'%b%d'` #Do not parallelize the DEP phase as it can fail echo -e "\n\n**********************************************" echo -e "** **" echo -e "** Phase 1/5: make dep **" echo -e "** **" echo -e "**********************************************\n\n" make dep # Parallize everything else echo -e "\n\n**********************************************" echo -e "** **" echo -e "** Phase 2/5: make bzImage **" echo -e "** **" echo -e "**********************************************\n\n" make $J bzImage #Did it really compile properly? if [ ! -f $SRC/linux/arch/i386/boot/bzImage ]; then #Send a few beeps echo "" sleep 1 echo "" sleep 1 echo "" echo -e "\n\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" echo -e "!! !!" echo -e "!! ERROR: !!" echo -e "!! !!" echo -e "!! Kernel did not properly compile. !!" echo -e "!! (bzImage file is missing). ABORTING. !!" echo -e "!! !!" echo -e "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n\n" #Aborting without cleanup will save a required ojects, etc. exit 1 fi #The kernel binary is present, move on echo -e "\n\n**********************************************" echo -e "** **" echo -e "** Phase 3/5: make modules **" echo -e "** **" echo -e "**********************************************\n\n" make $J modules echo -e "\n\n**********************************************" echo -e "** **" echo -e "** Phase 4/5: make modules_install **" echo -e "** **" echo -e "**********************************************\n\n" make $J modules_install echo -e "\n\n**********************************************" echo -e "** **" echo -e "** Phase 5/5: Move binaries over **" echo -e "** **" echo -e "**********************************************\n\n" cp $SRC/linux/arch/i386/boot/bzImage /boot/bzImage cp $SRC/linux/System.map /boot/System.map.new date >> $SRC/kernel-compile-time.`date +'%b%d'` echo -e "\n\nCompile Done." echo -e "\nRename /boot/bzImage to a proper name, edit /etc/lilo.conf," echo -e "rename /boot/System.map.new to a proper name, symlink this new" echo -e "map file to /boot/System.map, and finally and finally re-run " echo -e "lilo. Make sure lilo runs cleanly" #Due to SGML conversions, the ASCII "bell" code might become # corrupt. To fix this, edit this file with say Vim, delete the # "^G" characters and resplace them with the following in INSERT # mode (the control-q tells Vi to add the following character as # binary and not ascii: # # Control-Q Control-G # echo ^G sleep 1 echo ^G sleep 1 echo ^G
Don't forget.. "chmod 700 /usr/src/kernel/build-it"
To run the script, run it as "./built-it"
Lilo is the typical boot loader for Linux though you don't have to use it. You can also use other loaders like:
- Edit the /etc/lilo.conf file to reflect your new kernel.
**NOTE: If you aren't using LILO, you need to configure your boot method (LOADLIN, NT boot loader, OS/2 boot loader, System Commander, etc) to use this new kernel.
**NOTE#2: If you have any DOS LILO entries, I highly recommend to password protect them as shown below.
- Add an entry like below :
--
# LILO configuration file
# generated by 'liloconfig'
#
# Start LILO global section
boot = /dev/hda
#My box needs this since I have two 3c509 cards
append="ether=0,0,eth1"
#compact # faster, but won't work on all systems.
delay = 50
vga = normal # force sane state
# ramdisk = 0 # paranoia setting
# End LILO global section
# Linux bootable partition config begins
image = /2035-1542-sb16
root = /dev/hda6
label = linux
read-only # Non-UMSDOS filesystems should be mounted read-only for checking
# Linux bootable partition config ends
other=/dev/hda1
label=dos
password=g3a0uttahere
table=/dev/hda
--
Two or more NICs: For a secure system, you should have (2) Ethernet cards installed. One to the cable modem and the other for the internal LAN. If both installed Ethernet cards from different vendors, then skip this next part.
If your two Ethernet cards are identical and you compiled support for them into the kernle, Linux will only autodetect ONE card. To make Linux look for additional Ethernet cards, add the following to the lilo.conf file:
append="ether=0,0,eth1"
If you are using Redhat's dynamic kernel modules to support your network cards, do the following instead:
/etc/conf.modules
--
alias eth1 3c509
--
This says eth1 is a 3Com 3c509. If it uses non-standard addresses, IRQs, etc, you can specify their locations:
/etc/conf.modules
--
options 3c509 io=0x300,12
--
Missing Memory: When you boot your machine and run a "dmesg" or a "free" and you don't see all your installed RAM, do the following. This example is for a system with 40MB of RAM..
/etc/lilo.conf
--
append="mem=40M"
--
- Run the LILO program by simply entering "lilo" at the command prompt to re-write your boot sector. If everything is ok, you will be given a short list of boot images that LILO will boot from.
Before you reboot your box, I *highly* recommend you create a boot disk that will use the kernel off the diskette BUT mount your Linux partition on the hard drive. A RESCUE diskette will NOT let you fix LILO problems. Sucks but its true!
Additional Security: LILO has a feature to password itself. Without the password given, the machine will boot into its configured kernel image. To enable this, edit in the following:
/etc/lilo.conf
--
restricted
password=xxxx
--
Change the "xxx" to a password of your choice. The "restricted" word enables the passwording. Since the password is saved in CLEAR-TEXT, make sure no one else can read it by doing the following:
chmod 700 /etc/lilo.conf
LILO booting problems?
"LI" - Getting this when you are rebooting? This realistically is happening because the hard drive geometry in the CMOS setup is different than reported by the kernel booting up. To fix this, add the following line after the "VGA=normal" line:
/etc/lilo.conf
--
linear
--
If this doesn't help you, check out the LILO docs. Its kinda long but you can just skip down to roughly 93% of it and see what all the LILO codes mean.
/usr/doc/lilo-*/README
Since my system uses all (4) COMM ports and Linux doesn't like to share interrupts (IRQs), you have to tell Linux how to use your specific hardware setup. In addition to configuring Linux to understand your hardware setup, you need to optimize it for maximum performance (serial ports, etc).
NOTE: Until I added these changes, both GPM (tty mouse program) and Xwindows (Xfree86, MetroX, etc) would not load correctly let alone be useful.
--------------------------
NOTE: Starting with later 2.1.x and 2.2.x kernels, you do NOT have to set up the follow parameters to get 115,200 on serial ports. If you call the ports via Minicom, PPP, etc at 115,200, it will just work!!
BUT, by setting these files up, any application that asks for 38,400 will actually get 115,200.
For 2.2.x and 2.0.x kernels
/etc/rc.d/rc.serial file:
--
#!/bin/sh
SETSERIAL="/bin/setserial -b"
echo "Configuring COM1 for 115200"
${SETSERIAL} /dev/ttyS0 spd_vhi
#echo "RE-configuring COM3 and COM4 to use proper IRQs"
#${SETSERIAL} /dev/ttyS2 uart 16450 port 0x3E8 irq 3
#${SETSERIAL} /dev/ttyS3 uart 16550A port 0x2E8 irq 5
${SETSERIAL} -bg /dev/ttyS0 /dev/ttyS1 /dev/ttyS2 /dev/ttyS3
echo "rc.serial done."
--<end>--
Make it executable
chmod 700 /etc/rc.d/rc.serial
Redhat:
Do a search for "rc.serial" in the /etc/rc.d/rc.sysinit file. If it isn't there, add it at the bottom.
/etc/rc.d/rc.sysinit
--
# Initialize the serial subsystem
/etc/rc.d/rc.serial
--
Since I use an older Logitech C7 mouse, Linux doesn't come on-line with it the first time. Edit this to suit your hardware configs.
Fix this by doing:
Redhat: Edit /etc/rc.d/init.d/gpm
replace this:
daemon gpm -t $MOUSETYPE
with this:
daemon gpm -b 9600 -r 50 -t $MOUSETYPE
Slackware: Edit /etc/rc.d/rc.local
replace this:
gpm -t logi
with
gpm -b 9600 -r 50 -t $logi
Vendor Specific: Most 3Com Ethernet ISA and PCI NICs have a ---------------- DOS based utility that allows you to enable/disable Plug and Play, manually configure IO ports, IRQs, and specify both the IRQ utilization and priority.
Personally.. I always recommend to DISABLE Plug and Play and manually configure the cards as depicted in Section 4. Anyway, I also recommend the following:
Serial-attached analog/isdn modem users:
- Set your Ethernet cards to support a modem IRQ utiliztion for 19200 or faster
- Set your NIC optimization for SERVER
Ethernet Router/cable-modem users:
- Set your Ethernet cards to for NO modem
- Set your NIC optimization for SERVER
---- Brief Overview:
- The Modem speed section tells the Ethernet card NOT to hog the IRQ lines too much. Though most PC serial ports have 16550 or better chipsets, if the serial port is ignored for too long, data will be lost.
- The Optimization field tells the NIC how to utilize things like IRQ duration, DMA bus retention, etc. The Server setting will optimize the NIC for fastest performance at the detriment of CPU utilization. This is the BEST setting for Linux boxes that are doing IP Masq, routing, etc.
Both Slackware and Redhat, out of the box, do NOT optimize the TCP/IP window size. This can make a BIG difference with performance. For more information, check out URLs in Section 5:
RFC 1106 - High Latency WAN links - Section 4.1
RFC 793 - Transmission Control Protocol
NOTE to DHCP users:
Redhat:
NOTE: Users that have NOT installed the initscripts-3.67-1.i386.rpm patch RPM, the correct line numbers will be 119 and 134. Personally, I recommend that you just install the RPM NOW!
Edit "/etc/sysconfig/network-scripts/ifup" and around lines 134, 136, 141, 149, and 158, find the lines:
line 134 for Redhat 5
or
line 157 for Mandrake 7:
"route add -net ${NETWORK} netmask ${NETMASK} ${DEVICE}"
to:
"route add -net ${NETWORK} netmask ${NETMASK} window 16384 ${DEVICE}"
Next..
line 136 for Redhat 5
or
line 157 for Mandrake 7:
"route add -host ${IPADDR} ${DEVICE}"
to:
"route add -host ${IPADDR} window 16384 ${DEVICE}"
Next...
line 141 for Redhat 5
or
line 162 for Mandrake 7:
"route add default gw ${GATEWAY} metric 1 ${DEVICE}"
to:
"route add default gw ${GATEWAY} window 16384 metric 1 ${DEVICE}"
Next..
line 149 for Redhat 5
or
line 170 for Mandrake 7:
"route add default gw ${GATEWAY} ${DEVICE}"
to:
"route add default gw ${GATEWAY} window 16384 ${DEVICE}"
Next...
line 158 in Redhat 5
or
line 173 in Mandrake 7
"route add default gw $gw ${DEVICE}"
to:
"route add default gw $gw window 16384 ${DEVICE}"
Slackware:
Edit /etc/rc.d/rc.inet1" and around lines 47 and 49, find the following text (note: your setup might look a little different so make any changes that are needed for your setup)
"/sbin/route add -net ${NETWORK} netmask ${NETMASK} eth0"
and
"if [ ! "$GATEWAY" = "" ]; then
/sbin/route add default gw ${GATEWAY} netmask 0.0.0.0 metric 1
fi"
and replace them with the following:
"/sbin/route add -net ${NETWORK} netmask ${NETMASK} window 16384 eth0"
and
"if [ ! "$GATEWAY" = "" ]; then
/sbin/route add default gw ${GATEWAY} netmask 0.0.0.0 window 16384 metric 1
fi"
After everything is set and you either run these commands manually or reboot, a "netstat -rn" should look something like:
-- Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 100.200.0.0 0.0.0.0 255.255.255.0 U 1500 16384 0 eth0 127.0.0.0 0.0.0.0 255.0.0.0 U 3584 0 0 lo 0.0.0.0 100.200.0.1 0.0.0.0 UG 1500 16384 0 eth0 --
Also, in a pinch, if you need an example of how to address a NIC, say eth1 in Redhat-speak, here is how you do it:
/etc/sysconfig/network-scripts/ifcfg-eth1
--
DEVICE=eth1
IPADDR=192.168.0.1
NETMASK=255.255.255.0
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
ONBOOT=yes
BOOTPROTO=none
--
NOTE: This is only needed for 2.0.x kernels. 2.2.x kernel users will need to use IPCHAINS which usually is already installed in modern distribution. It can also be found at a URL in Section 5
- FTP the ipfwadm source code tgz or RPM file to "/usr/src/"
- Un-compress the IPFWADM tgz file ("tar -xzvf ipfwadm-2.3.0.tgz") or install the RPM file ("rpm -i ipfwadm-2.3.0-1.i386.rpm")
Note: If you already installed IPFWADM and the above RPM installation didn't work, don't worry, the stock IPFWADM that comes with Redhat will work ok.
- FTP the IPFWADM timeout patch to /usr/src/ipfwadm-2.3.0
- Un-compress the IPFWADM patch ("gunzip ipfwadm-2.3.0-generic-timeout.patch.gz")
- Apply the timeout patch "patch -p0 < ipfwadm-2.3.0-generic-timeout.patch"
- Make sure that all "Hunks Succeed"
- Edit the "ipfwadm.c" file
- At line 107, insert this line:
#include <linux/timer.h>
- Compile IPFWADM by doing:
"make"
"make install"
If you rarely login as root on this Linux server but you *DO* login or read email on another account, I recommend to redirect your "root" mail to that email address.
Please see the Sendmail documentation in Section 25 on the various changes to Sendmail over the various versions but for now, do the following:
Sendmail - 8.9.x : /etc/aliases
or
Sendmail - 8.1x.x : /etc/mail/aliases
To do this, change the line towards the bottom of the file
Edit the /etc/aliases file and insert the following lines after the "root" line towards the bottom if you have YOUR OWN DOMAIN and run the Sendmail daemon:
#If you have your own domain name and run DNS
hostmaster: root
#If you run a WWW site
webmaster: root
#If you have your own domain and run email servers
postmaster: root
abuse: root
#For example: root: johndoe@acme123.com
root: your-final-destination-email-address
Now you need to compile up this new alias file by running the command "newaliases". If you get a warning about duplicated lines, simply remove the duplicate lines and re-run "newaliases".
NOTE: If you are running a older version of Sendmail.. I could tell you how to fix your aliasing issues BUT, I'm going to make you upgrade your version of Sendmail! There are so many security issues with older versions of Sendmail that it's just not worth it.
NOTE-2: Please note that if this machine will be acting as a
SECONDARY mail server for other Internet domains, you need to know about
possible conflicts between the /etc/mail/local-host-names and
/etc/mail/aliases files. Please see
Section 25 for all the critical details.
- For trouble shooting, do the following:
Slackware:
"mv /var/adm/messages /var/adm/messages.old"
"touch /var/adm/messages"
"mv /var/adm/syslog /var/adm/syslog.old"
"touch /var/adm/syslog"
"mv /var/adm/debug /var/adm/debug.old"
"touch /var/adm/debug"
Redhat:
"mv /var/log/messages /var/log/messages.old"
"touch /var/log/messages"
"mv /var/log/syslog /var/log/syslog.old"
"touch /var/log/syslog"
"mv /var/log/debug /var/log/debug.old"
"touch /var/log/debug"
- Reboot with the new kernel
- Once the computer has rebooted, look at both (substitute [xxx] for either "log" or "adm" for your respective Distro) the /var/[xxx]/messages and /var/xxx]/syslog files to make sure no errors or problems were found. If there were errors.. fix them before you continue.
If you setup IP Masq, make sure that the MASQ modules have loaded.
- make sure all of the IP MASQ modules are running by typing in "lsmod"
- You will see the following:
roadrunner:/usr/src/ppp-2.2.0g# lsmod
Module: #pages: Used by:
ip_masq_raudio 1 0
ip_masq_quake 1 0
ip_masq_irc 1 0
ip_masq_ftp 1 0
bsd_comp 1 0
** If you don't see *ALL* of these, check your /etc/rc.d/rc.modules and try loading them manually by doing "./etc/rc.d/rc.modules"
TCPDUMP is loaded by default in most modern Linux distributions. If it isn't installed, you can get it from the URL in Section 5
TCPDUMP--
- Download the "libpcap" source and run the following commands:
"md5sum libpcap-x.y.z.tar.gz" (exchange the x.y.z for your
version)
<bf>verify that this md5 hash is the same as the one posted from the
libpcap URL in <red id="sect-5" name="Section 5">
<p>
run "./configure"
"make"
"make install"
"make install-man"
"make install-incl"
"cp libpcap/bpf/net/* /usr/include/net"
- Download "tcpdump" and do the following commands:
"md5sum tcpdump-x.y.z.tar.gz" (exchange the x.y.z for your
version)
<bf>verify that this md5 hash is the same as the one posted from the
tcpdump URL in <red id="sect-5" name="Section 5">
<p>
"configure"
"make"
"make install"
"make install-man"
- Now run "tcpdump" and watch it fly. Look at TCPDUMP's man page as you can send captures to a file, filter the traffic to only stuff you care upon based on source IP, destination IP, ports, UDP, TCP, etc.
This PPP section is intended for the use of a MANUAL PPP connection for both:
Dial-On-Demand style PPP connections are documented in TrinityOS in the Section 23 - DialD section. Though recent versions of PPPd versions support Dial-On-Demand functionality, it hasn't been as flexible as Diald but this is no longer the case. The newest versions of PPPd support full filtering of interesting/non-interesting packets to keep the line down or up. Because of this, I would recommend to simply just use PPPd instead of Diald. Though I need to expand this section, here are a few pro/con sections:
Anyway, regardless of your PPP use, you have a PPP enabled kernel running. This is fully described in Section 12
-----
Notes for people thinkink of using Multi-Link PPP (ML/PPP) for multiple connections to the same remote site:
As of 01/22/00, the ML/PPP code is moving quite well. Some are patches to PPPd while others are not. Most patches are only for 2.2.x kernels and have issues. Here is an email I receive about one user's view:
-- From Charles @ chas@pcscs.com >This link: http://mp.mansol.net.au/ > is not available as of the time of this mailing. > > It does, however, have functional mods for kernels 2.2.13 and 2.2.14. I > have worked with the 2.2.13 kernel and have been pleased with the > functionality, but I would say that the code is not ready for production > machines as there are still latency issues as well as overhead issues with > 3 or more links in a bundle- at least from my observations. With 3 lines, > the latency was jumping from 150ms to 750ms. With 2 lines, the latency > was smoother with ranges of 150ms to 300ms, but rarely perfect. > > There are also > fault tolerance issues with automated link resets and bundling. If one > maintains the individual links manually, however, this is a functional > solution, but by no means an installation which you can walk away from for > long periods of time and guarantee fault tolerance. Novell's NIAS is still > the best I have seen in these regards as it meets the demands if high load > in both large and small packet fills. > > For Linux, Chris Pascoe's code is by far the most evolved code I have seen. > He shows great promise of mature code in a relatively short period of time. > He has also shown integration with the ppp daemon and ppp kernel > architecture to be an effective way for doing asynchronous analog and > synchronous adapter-based MLPPP. There are rumors and controversy with > regards to modifying Linux PPP's architecture altogether to streamline > features of MLPPP, asynchronous analog and synchronous PPP links for better > uniformity. In my opinion, however, Chris' technique is going to be more > compatible for hardware functionality than an architectural PPP rebuild > that reduces feature modularity in its design. > > As far as the final production stuff: > If you want performance, you are going to need features such as data and/or > VJ header compression for PPP packets. I haven't seen Linux code support that > yet. I also haven't seen Linux code handle link bundling perfectly yet. > Links seem to add well and some links can even go down, but there are still > issues with the 1st link going down causing the whole bundle to need to be > reset via killall pppd. These refinements, I'm sure, will be last on the > "TO DO" list and will probably be quite some time before they are properly > implemented, nevertheless, Linux does in fact now support MLPPP. >>I also haven't seen Linux code handle link bundling perfectly yet. >>Links seem to add well and some links can even go down, but there are >>still issues with the 1st link going down causing the whole bundle to need to >>be reset via killall pppd. These refinements, I'm sure, will be last on >>the "TO DO" list and will probably be quite some time before they are >>properly implemented, nevertheless, Linux does in fact now support MLPPP. -----
Anyway, for you Normal PPP users, here is the TrinityOS setup.
/etc/ppp/chat.your-ppp-isp
-- ABORT BUSY ABORT 'NO CARRIER' "" ATZ OK ATM0S11=40 OK ATDT5551212 CONNECT "" --
Fix its permissions: chmod 600 /etc/ppp/chat.your-ppp-isp
-- /etc/ppp/pap-secrets * your-ppp-login your-ppp-password --
Fix its permissions: chmod 600 /etc/ppp/pap-secrets
/etc/ppp/options
-- # MTU settings will greatly effect your performance, please read up # on calculating MTU settings from my PPP web page. # <url url="http://www.ecst.csuchico.edu/~dranch/PPP/ppp-performance.html#mtu"> # # This setup is optimized for file transfers and NOT for interactive # traffic like telnet, talk, etc # # 14.4k modem users: 296 # 28.8/33.6k modem users: 470 # IP Masq users (regardless of speed): 1500 # Masq users: If you get a lot of "MASQ: failed TCP/UDP checksum for # xxx.xxx.xxx.xxx" errors, turn off VJ header compression # by do the following: # # -vj #pppd v2.3.x PAP config require-pap #Get a dynamic IP address. If you have a static IP addres, put # the static IP address in the LEFT hand address space 0.0.0.0:0.0.0.0 asyncmap 0 lock #Use Hardware flow control crtscts #BSDComp is a more modern compression method than "deflate" bsdcomp 15,15 lcp-restart 1 ipcp-restart 1 defaultroute #Enable these for debugging #debug #kdebug 1 user your-ppp-login --
Fix its permissions: chmod 600 /etc/ppp/options
/usr/local/sbin/startppp
-- #!/bin/sh # # Version: 07/03/00 # # Part of the copyrighted and trademarked TrinityOS document. # <url url="http://www.ecst.csuchico.edu/~dranch"> # # Written and Maintained by David A. Ranch # dranch at trinnet dot net # # NOTE: This configuration assumes that your modem is on COM2 # echo Killing any stray PPPD processes killall pppd killall chat echo Beginning PPP negotiation.. #Replace /dev/ttyS1 with your modem's COMM port. Remember, always start #counting with "0". Also, make SURE that the paths for pppd/chat are #in /usr/sbin. If not, change this command line to use the correct path #Old pppd v2.2.x format #New pppd v2.3.x format /usr/sbin/pppd /dev/ttyS1 38400 crtscts -d lock defaultroute connect '/usr/sbin/chat -v -t 45 -f /etc/ppp/chat.your-ppp-isp' & --
Fix its permissions: chmod 700 /usr/local/sbin/startppp
/usr/lib/ppp/stopppp
-- #!/bin/sh # # Version: 07/03/00 # # Part of the copyrighted and trademarked TrinityOS document. # <url url="http://www.ecst.csuchico.edu/~dranch"> # # Written and Maintained by David A. Ranch # dranch at trinnet dot net # # NOTE: This configuration assumes that your modem is on COM2 # echo Shutting down PPP # #Replace /dev/ttyS1 with your modem's COMM port.. remember, always start #counting with "0". Also.. make SURE that the paths for pppd/chat are #in /usr/sbin. If not, change this command line to use the correct path /usr/lib/ppp/pppd /dev/ttyS1 disconnect echo Killing any stray PPPD processes killall chat killall pppd --
Fix its permissions: chmod 700 /usr/local/sbin/stopppp
If you are using the strong firewall rule sets (IPCHAINS/IPFWADM), you will need to re-run your firewall rule set everytime you get your dynamic IP address. To do this:
- Edit or create the file called /etc/ppp/ip-up and in it put:
--
#!/bin/sh
/etc/rc.d/rc.firewall
#OPTIONAL: Its nice to be able to update your system
# clock when on-line. To do this, add these
# lines, un # them out, and then follow the
# instructions in TrinityOS <ref id="sect-26" name="Section 26">
#
# /usr/local/bin/getdate
--
- now fix the permissions on it:
chmod 700 /etc/ppp/ip-up
That's IT!
Backup PPP links: If you are like me, you either have a locked up ADSL or Cablemodem connection to the Internet. Well, from time to time, your connection will go down for various reasons and you'll be SOL for Internet access.
What can you do? Setup a backup PPP link! Currently, the config shown below will need to be invoked MANUALLY. It is my plan that once I received my ISDN line, I will develop an AUTOMATIC dial-backup configuration based upon a series of connectivity criteria that will be put into the Diald section of TrinityOS.
NOTE: This rule set is OLD and isn't nearly are secure as the new IPCHAINS rule set found in sect-10 . I hope to either port a version of the strong IPCHAINS rule set here soon or make the master rule set adapt to changing environments.
NOTE: When your primary link goes down, your old /etc/rc.firewall rule set will NOT let you out (changed external IP address). So, you need to enter in the following files to bring-up and bring-down a temporary firewall.
/etc/ppp/ip-up
-- #!/bin/sh echo "Starting /etc/ppp/ip-up" # ----------------------------------------------------------------------------------- # NOTE: This short firewall script is for IPFWADM (2.0.x kernels) to only allow # SSH, DNS, and NTP in or out of the PPP0 connection. If you need additional # connectivity, go ahead and add them in. # #Specification of the LOOPBACK interface loopback="127.0.0.1" #Specification of the INTERNAL NIC intif="eth1" #The IP address on your INTERNAL nic intip="192.168.0.1" #IP network address of the INTERNAL net intnet="192.168.0.0" #IP address of an internal host that should have IPPORTFW forward traffic to portfwip="192.168.0.20" #Specification of the EXTERNAL NIC # # PPP Users: If you are using the Dynamic PPP "extif" script from above, # make sure to comment the below line out so it doesn't override it. # # If you want to use the PPPd variables, change this to read: # extif="$1" # extif="ppp0" #The IP address you get from the Internet # # PPP users: If you are getting dynamic address, either use the "extip" script # from the header above or if you want to use the PPPd variables, # change this to read: # extip="$3" # extip="100.200.0.212" # The IP broadcast address of the external net # # PPP users: If you are getting dynamic address, use the PPPd variables. # Change "extbroad" to read (this make an assuption but it should # be a safe assumption): # extbroad=`echo $4 | cut -d '.' -f 1-3`.255 # extbroad="100.200.0.255" #IP address of the default gateway on the EXTERNAL NIC # # PPP users: If you are getting dynamic address, use the PPPd variables. # Change "dgw" to read: # dgw=$4 # dgw="100.200.0.1" #IP Mask for ALL IP addresses universe="0.0.0.0" #IP Mask for BROADCAST broadcast="255.255.255.255" #Specification of HIGH IP ports # NOTE: Notice that this STARTS at 1024 and NOT at 1023 which it should. # for some reason SSH sometimes initiates connections at 1023 which # is a TCP violation but shit happens. # # Brief update: This is due to SSH not being executed with "-P" # unprivports="1024:65535" #Specification of backup DNS server secondarydns="102.200.0.25" #Specifically allowed external host - secure1.host.com securehost="200.211.0.40" # ----------------------------------------------------------------------------------- echo "Change default route to PPP" /sbin/route add default gw $dgw echo "Enabling IP Forwarding.." echo "1" > /proc/sys/net/ipv4/ip_forward echo "Changing IP MASQ Timeouts.." # 2 hrs timeout for TCP session timeouts # 10 sec timeout for traffic after the TCP/IP "FIN" packet is received # 60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec # firewall timeout in ICQ itself) /sbin/ipfwadm -M -s 7200 10 60 #Flush all old rule sets echo "Flushing old poicies" /sbin/ipfwadm -I -f /sbin/ipfwadm -O -f /sbin/ipfwadm -F -f #Change default policies echo "Setting default policies to REJECT" /sbin/ipfwadm -I -p reject /sbin/ipfwadm -O -p reject /sbin/ipfwadm -F -p reject echo "Allow SSH DNS through the PPP0 interface" /sbin/ipfwadm -I -i accept -W $extif -P tcp -S $universe/0 -D $extip/32 ssh domain ntp /sbin/ipfwadm -I -i accept -W $extif -P udp -S $universe/0 -D $extip/32 domain echo "Allow ICMP through the PPP0 interface" /sbin/ipfwadm -I -i accept -W $extif -P icmp -S $universe/0 -D $extip/32 echo "Allowing SSH, DOMAIN, and ICMP out" /sbin/ipfwadm -O -i accept -W $extif -P tcp -S $extip/32 $unprivports -D $universe/0 ssh domain ntp /sbin/ipfwadm -O -i accept -W $extif -P udp -S $extip/32 $unprivports -D $universe/0 domain /sbin/ipfwadm -O -i accept -W $extif -P icmp -S $extip/32 -D $universe/0 echo "Masquerade from local net on local interface to anywhere." /sbin/ipfwadm -F -a masquerade -W $extif -S $intnet/24 -D $universe/0 echo "Logging all failed connections" /sbin/ipfwadm -I -a reject -S $universe/0 -D $universe/0 -o /sbin/ipfwadm -O -a reject -S $universe/0 -D $universe/0 -o /sbin/ipfwadm -F -a reject -S $universe/0 -D $universe/0 -o echo "Temporary PPP0 firewall and MASQ Done. --
/etc/ppp/ip-down
--
#!/bin/sh
# Re-run the master firewall rule set to reset the firewall back to the primary
# interface.
/etc/rc.d/rc.firewall
# /sbin/route add default gw 24.1.83.1
LOGDEVICE=$6
REALDEVICE=$1
[ -x /etc/ppp/ip-down.local ] && /etc/ppp/ip-down.local $*
/etc/sysconfig/network-scripts/ifdown-post ifcfg-${LOGDEVICE}
exit 0
--
Jun 6 21:12:18 server chat[499]: Can't get terminal parameters: Input/output error Jun 6 21:12:18 server pppd[498]: Connect script failed
Redhat: /etc/rc.d/init.d/pcmcia start
--
from: Donald Spoon" <marsala@txdirect.net>
The Microsoft web-site, and Stroud's Consummate Winlist web-site would
literally take MINUTES to load! I had others that exhibited similar
behavior, mainly in the *.mil domain, but most sites would load
fairly quickly as expected. I played around with the MTU / MRU settings and
found an "optimum" set-up for me that helped a great deal, but the
"selective" delay in loading certain web sites remained. One day I noticed
that when I had brought the PPP link up MANUALLY the
affected web-sites loaded normally!!
I did one more review of your notes and applied the
suggestions for re-setting lcp-restart = 1, and ipcp-restart = 1 (from
defaults of 3 in the /etc/ppp/options file!. This change alone did the
trick for me!
--
Diald is a mechanism that will do auto-dialing and auto-PPP negotiations for Linux.
It needs to be mentioned that in the past, the PPPd code could do Dial-on-Demand but it wasn't very flexible. This is no longer the case. PPPd now has the same strengths as Diald in the respect to understanding what traffic should bring the line up, keep the line up, or not be counted to then let the line hang up. Because of this, I recommend to ** NOT USE Diald ** anymore.. use PPPd directly. If you have points to why you disagree, please let me know.
Unfortunately, Dial-on-Demand for PPPd isn't documented in TrinityOS yet so you are on your own for now. If you need help, email me but beyond that, Diald should work fine as well.
NOTE: Diald now has a new maintainer and has been updated to v0.98. The the URLs are in Section 5
+-------------------------------------------------------------------------+
| Follow this link for more information until I can integrate it into the |
| TrinityOS doc: |
| |
| http://www.ecst.csuchico.edu/~dranch/PPP/ppp-performance.html#linux |
+-------------------------------------------------------------------------+
Here are a few quick tips:
Use dcntrl or diald-top to see what networ traffic is bringing up your PPP/SLIP link.
Rough order to get things running:
- /etc/rc.d/rc.S
Enabled rc.serial load up
- /etc/rc.d/rc.serial
/bin/setserial /dev/ttyS1 spd_vhi
cp diald.conf /etc/diald
diald.conf:
--
restrict 16:00:00 20:45:00 * * *
down
restrict * * * * *
mode ppp
connect /etc/ppp/diald/earthlink-connect
device /dev/cua1
speed 115200
modem
lock
crtscts
local 192.168.1.7
remote 0.0.0.0
dynamic
defaultroute
accounting-log /var/adm/ppp.log
include /usr/local/lib/diald/standard.filter
--
In /etc/rc.d/rc.local, add the following line:
--
cat "1" > /proc/sys/net/ipv4/ip_dynaddr
The daemon called "named" is the DNS or "Domain Name Server" service that converts Internet hostnames like "www.yahoo.com" to IP addresses like 204.71.177.71 (one of Yahoo's MANY TCP/IP addresses). Though there are other DNS server alternatives to ISC's BIND, it is the most common and best maintained version available. As you might have already figured out, this is a CRITICAL service for the Internet.
TrinityOS documents how to setup multiple Internet domains for full TCP/IP address subnets using both Bind9 and Bind8. It also also covers advanced redundancy and security topics such as remote secondary (backup) DNS servers and both "CHROOTed Jails" and "Split Zone" files. For the time being, TrinityOS does NOT currently cover Dynamic DNS or DNSSEC. These topics will be covered in future revisions.
What are some of these advanced topics?
To setup your own domain, the first thing you need to do is get a domain from one of the Domain Registars listed at http://www.internic.net. There are lots of them out there and price and the quality of their services varies wildly. So far, I've had great luck with http://www.directnic.net since they offer the ability via an SSL encrypted WWW page vs. old-school mechanisms like email, etc. If you have questions about other registrars you're thinking of using, send me an email and I can give you my thoughts. Next, you need to find another DNS server out on the Internet that will be a SECONDARY dns server for your chosen Internet domain(s). This backup server is for the situations when your server or Internet connection goes down and you don't want to bounce email, etc. (see Section 24 - Sendmail for more details about backup email services). Please note that getting this secondary server setup is NOT optional! Many domain registrars won't accept your domain name application without at least ONE backup domain server. Fortunately, many registrars can offer this secondary service for you for some additional fee. Again, prices vary wildly.
* If you would like to read more on HOW to get your own domain names and understand some important legal issues with Internet domain names, please see the How to acquire a Domain Name sub-section at the end of this section.
NOTE: Due to the fact that DNS can make or break the Internet, you should be very sure that any updates, changes, etc. submitted to the Internic for your domain is done in a secure fashion. I personally recommend that you do all of your Internic updates to your registrar either via a SSL encrypted WWW page or via PGP encrypted email instead of the default old school "Mail-From" email method. Why? Email is very easy to forge. Because of this, it would be easy for a hostile user to screw up your domain name, take ownership of it, etc.
PGP and GnuPG for Linux will be covered in a future chapter but until then, I recommend to either use the Windows PGP client or at least use the Internic's "crypt-pw" option.
This document is intended for BIND versons 9.1.x (and newer) as well as 8.3.x. If you are still running Bind4 or even Bind8, you really need to upgrade because you are either vunerable to ROOT hacks and/or these versions are old and are either soon to be or are already unsupported.
Just a little history:
If you are unsure what version you have installed, you can find out the version from one of two ways.
Or if it's not a CHROOTed DNS server:
From the output, carefully look through the results until you find the version number. You will typically find it somewhere in the middle of the results for Bind 9.x and on the bottom for Bind 8.x.
The new way using the dig (might not work on older version of Dig):
dig @ns1.xyz.com chaos txt version.bind" from the command
prompt where "ns1.xyz.com" is one of the DNS server(s) you are trying get the
Bind version number from. You can get the names of the DNS servers running for
a given domain by running the command "whois xyz.com".
That should tell you the version of the DNS server.
Older method using nslookup (deprecated - nslookup is going away. Use Dig):
nslookup from the command prompt> prompt, type in server xyz (return) where
xyz is the IP or name of the remote DNS server.set q=txt (return) and then
set class=chaos (return).version.bind (return).
That should tell you the version.
There are several MAJOR security exploits out there for older versions of Named (8.3.3-REL, 8.2.5, etc.). Make sure you are running at LEAST version 8.3.4, 9.2.2, or newer. It should be noted that 9.2.2 requires a non-vulnerable version of OpenSSL to be installed if you want to use the "--with-openssl" feature. TrinityOS doesn't currently cover this topic but the installation of 9.2.2 is highly recommended. If you aren't running the newest code, you will be vulnerable to hostile users getting ROOT access on your box!
** To stay up on the newest Bind releases, I recommend that ALL users add themselves to the BIND-announce email list given in Section 5.
This email list is ONLY for BIND version announcements and is very low on email traffic.
cd /usr/src/archive/bind/
#Assuming you have GPG installed (but not nessisarily configured), you will
#need to download both ISC's PGP key and the .asc PGP signature file for the
#Bind source code. Please note that ISC seems to keep changing their PGP keys
#from time to time so your current ISC key might be old now. So let's verify
#that the code is legit:
#
# replace x.y.z with the correct version of Bind you are using
#
gpg --import pgpkey2004.txt
gpg --verify bind-9.2.3.tar.gz.asc
#Make sure it says "Good Signature" at the top. There might be some trust
# warnings but don't worry about that.
#So if the above PGP section passed (or you skipped it), now do the
# following:
#
#The Bind 9 archive creates its own subdirectory so there is no need to
# create one
#
tar xzvf bind-9.x.y.tar.gz
#I haven't added PGP verification for Bind 8.x as it's old and you
# really should install Bind9. Anyway, for those of you who want Bind8:
#
#The Bind 8 archive does NOT create its own subdirectory so I recommend
to create one first
#
mkdir /usr/src/archive/bind/8.x.y
mv /usr/src/archive/bind* /usr/src/archive/bind/8.x.y
cd /usr/src/archive/bind/8.x.y
tar xzvf bind-src.tar.gz
tar xzvf bind-doc.tar.gz
cd /usr/src/archive/bind/bind-9.x.y
# For Bind 9.2.x
# ----------------
# The various compiling configurations are now configured via Automake
#
# Not only that but ISC has again changed their paths and such. So,
# the following setup will place files into their more "classic"
# directories
#
# Please note the "--disabled-threads" option.
#
# This tag will allow CHROOT DNS to work under Linux 2.2.x kernels.
# The reason for this is that there is a bug in ALL 2.2.x kernels
# that basically makes CHROOTing things broken BUT it was fixed
# in the 2.4.x kernels. If you are running a 2.4.x kernel, you do
# NOT need this option. See the end of the "named" MAN page
# for more details about this.
#
# Please note that the "--exec-prefix" stuff on the ./configure line
# will put BIND into the /usr/sbin directory (the default is /usr/local
# (bin, sbin, etc.)) which is the stock place for Mandrake. You can
# put these binaries as well as documentation anywhere you wish. If
# you would like to put it in the proper place for your distribution,
# run the command:
#
# whereis named
#
# to find out where they put the binaries and such and then substitute
# this new path for the Automake one above. REMEMBER this path for
# later in this section when making the CHROOT jails!
#
#----------------------------------------------------------------------
#2.4.x kernels only
#
./configure --prefix= --exec-prefix=/usr --datadir=/usr/share \
--includedir=/usr/include --infodir=/usr/share/info \
--mandir=/usr/share/man
#2.2.x kernels only
#
./configure --prefix= --exec-prefix=/usr --datadir=/usr/share \
--includedir=/usr/include --infodir=/usr/share/info \
--mandir=/usr/share/man --disable-threads
#All kernels - 2.4 or 2.x
#
make
Go into that new directory and compile things up
cd /usr/src/archive/bind/8.3.4/src
# For Bind 8.3.4
# ----------------
# The various compiling configurations are now configured in the
# port/linux/Makefile.set file.
#
# Interestingly enough, ISC has now made /usr/sbin/ the default directory
# so you shouldn't have to do anything special beyond that
#
# Note:
# -----
# FYI, Bind 8.2.4 would NOT compile on my Mandrake 2.2.19 machine as
# it would give me the following error:
#
# eventlib.c:296: structure has no member named `fds_bits' . . .
#
# To fix this, edit the file "src/port/linux/include/port_before.h" and
# insert the following line after the existing "define" lines:
#
# #define _GNU_SOURCE
#
# Ok, before you try to compile the code up again, run the command
# "make clean"
#
# ----------------------------------------------------------------------
#Ok.. compile it up
make clean
make all
make install
cd /usr/src/archive/bind/bind-9.2.x
find . -name "*.1" -exec cp {} /usr/share/man/man1/ \;
find . -name "*.3" -exec cp {} /usr/share/man/man3/ \;
find . -name "*.5" -exec cp {} /usr/share/man/man5/ \;
find . -name "*.8" -exec cp {} /usr/share/man/man8/ \;
#you could have also done it with xargs too:
#find . -name "*.1" | xargs -i cp {} tmp
cd /usr/src/archive/bind/bind-8.3.4/doc/man
make clean
make all
make install
Now, follow the procedures to create the required chrooted user login, group, and various files and do any required substitutions where required.
groupadd -g 120 chroot-dns-ext
groupadd -g 121 chroot-dns-int
useradd -u 120 -g 120 chroot-dns-ext
useradd -u 121 -g 121 chroot-dns-int
# Since this is a CHROOTed environment, you need to make this little
# world look like the real one. This means you need the required
# system directorys as well.
cd /home/chroot-dns-ext
mkdir -p etc lib dev usr/sbin var/named var/run
chmod -R 750 /home/chroot-dns-ext
mknod -m 666 dev/null c 1 3
mknod -m 666 dev/zero c 1 5
mknod -m 666 dev/random c 1 8
cd /home/chroot-dns-int
mkdir -p etc lib dev usr/sbin var/named var/run
chmod -R 750 /home/chroot-dns-int
mknod -m 666 dev/null c 1 3
mknod -m 666 dev/zero c 1 5
mknod -m 666 dev/random c 1 8
cp -f /lib/libc.so.6 /home/chroot-dns-ext/lib
cp -f /lib/libc.so.6 /home/chroot-dns-int/lib
cp -f /lib/ld-linux.so.2 /home/chroot-dns-ext/lib
cp -f /lib/ld-linux.so.2 /home/chroot-dns-int/lib
**NOTE: You will notice that I recommend to first COPY and then later MOVE the executables into the CHROOT'ed directory. This gives you a little more slack in case you make a mistake before you finally remove the original files.
cp -f /usr/sbin/named* /home/chroot-dns-ext/usr/sbin
chmod 750 /home/chroot-dns-ext/usr/sbin/named*
mv -f /usr/sbin/named* /home/chroot-dns-int/usr/sbin
chmod 750 /home/chroot-dns-int/usr/sbin/named*
Ok, fix the binary's file owner and group permissions:
chown -R chroot-dns-int.chroot-dns-int /home/chroot-dns-int
chown -R chroot-dns-ext.chroot-dns-ext /home/chroot-dns-ext
NOTE: You'll notice that some lines will SEEM to have extra "."s (periods) at the end of domain names, etc. LEAVE THEM THERE!! They are supposed to be there and are CRITICAL to bind's internal file format!
/home/chroot-dns-int/etc/named.conf
// /home/chroot-dns-int/etc/named.conf for TrinityOS - 01/12/03
// Config file for a full authoritative --INTERNAL-- DNS server
//
// This internal server will be the one use by the DNS server itself
// and by any internal hosts as well
options {
//Remember, this is already CHROOTed. /var/named IS correct
directory "/var/named";
//You dont want the external interface to listen on this zone
listen-on port 53 {
192.168.0.1; 127.0.0.1;
};
// Uncommenting this might help if you have to go through a
// firewall and things are not working out:
// query-source address * port 53;
};
// Filter out any LAME server messages from cluttering up the SYSLOGs
logging {
category "lame-servers" { null; };
};
zone "." {
type hint;
file "root.hints.db";
};
zone "0.0.127.in-addr.arpa" {
type master;
notify no;
file "127.0.0.db";
};
zone "acme123.com" {
type master;
notify no;
file "acme123-int.com.db";
allow-transfer { none; };
allow-query { 127/8; 192.168.0/24; };
};
zone "0.168.192.in-addr.arpa" {
type master;
notify no;
file "192.168.0-in.addr.db";
allow-transfer {none; };
allow-query {127/8; 192.168.0/24; };
};
You will notice that I am filtering out LAME SERVER messages from being sent to SYSLOG. What is a "lame server"?
dig @a.root-servers.net . ns > /home/chroot-dns-int/var/named/root.hints.db
/home/chroot-dns-int/var/named/root.hints.db
; <<>> DiG 8.1 <<>> @a.root-servers.net . ns ; (1 server found) ;; res options: init recurs defnam dnsrch ;; got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10 ;; flags: qr rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13 ;; QUERY SECTION: ;; ., type = NS, class = IN ;; ANSWER SECTION: . 5d10h28m15s IN NS M.ROOT-SERVERS.NET. . 5d10h28m15s IN NS L.ROOT-SERVERS.NET. . 5d10h28m15s IN NS K.ROOT-SERVERS.NET. . 5d10h28m15s IN NS J.ROOT-SERVERS.NET. . 5d10h28m15s IN NS B.ROOT-SERVERS.NET. . 5d10h28m15s IN NS F.ROOT-SERVERS.NET. . 5d10h28m15s IN NS G.ROOT-SERVERS.NET. . 5d10h28m15s IN NS C.ROOT-SERVERS.NET. . 5d10h28m15s IN NS H.ROOT-SERVERS.NET. . 5d10h28m15s IN NS A.ROOT-SERVERS.NET. . 5d10h28m15s IN NS D.ROOT-SERVERS.NET. . 5d10h28m15s IN NS E.ROOT-SERVERS.NET. . 5d10h28m15s IN NS I.ROOT-SERVERS.NET. ;; ADDITIONAL SECTION: M.ROOT-SERVERS.NET. 5w6d16h IN A 202.12.27.33 L.ROOT-SERVERS.NET. 5w6d16h IN A 198.32.64.12 K.ROOT-SERVERS.NET. 5w6d16h IN A 193.0.14.129 J.ROOT-SERVERS.NET. 5w6d16h IN A 198.41.0.10 B.ROOT-SERVERS.NET. 5w6d16h IN A 128.9.0.107 F.ROOT-SERVERS.NET. 5w6d16h IN A 192.5.5.241 G.ROOT-SERVERS.NET. 5w6d16h IN A 192.112.36.4 C.ROOT-SERVERS.NET. 5w6d16h IN A 192.33.4.12 H.ROOT-SERVERS.NET. 5w6d16h IN A 128.63.2.53 A.ROOT-SERVERS.NET. 5w6d16h IN A 198.41.0.4 D.ROOT-SERVERS.NET. 5w6d16h IN A 128.8.10.90 E.ROOT-SERVERS.NET. 5w6d16h IN A 192.203.230.10 I.ROOT-SERVERS.NET. 5w6d16h IN A 192.36.148.17 ;; Total query time: 15115 msec ;; FROM: ns.acme123.com to SERVER: a.root-servers.net 198.41.0.4 ;; WHEN: Fri Oct 1 03:02:15 1999 ;; MSG SIZE sent: 17 rcvd: 436
The following file is the REVERSE zone records for the "localhost" or loopback interface:
/home/chroot-dns-int/var/named/127.0.0.db
;
; /home/chroot-dns-int/var/named/127.0.0.db ZONE file for TrinityOS - 09/03/01
;
$TTL 86400
@ IN SOA ns.acme123.com. hostmaster.acme123.com. (
2001052800 ; serial, todays date + todays serial #
8H ; Refresh
2H ; Retry
1W ; Expire
1D) ; Minimum TTL
NS ns.acme123.com.
1 86400 PTR localhost.acme123.com.
The following file is the FORWARD zone record for the internal ACME123.com network
/home/chroot-dns-int/var/named/acme123-int.com.db
;
; /home/chroot-dns-int/var/named/acme123-int.com ZONE file for TrinityOS - 09/03/01
;
$TTL 86400
@ IN SOA ns.acme123.com. hostmaster.acme123.com. (
2001052800 ; serial, todays date + todays serial #
8H ; refresh, seconds
2H ; retry, seconds
1W ; expire, seconds
1D ) ; minimum, seconds
NS ns.acme123.com. ; Inet Address of name server
NS ns.backupacme.com. ; Inet address of backup server
MX 10 mail.acme123.com. ; Primary MX server
;
; note - If you wish to directly resolve any acme123.com hosts
; that are currently only defined in the EXTERNAL zone
; files (say www.acme123.com), you MUST list them here
; as well since the internal zone assumes that it is
; authoritative for acme123.com zone and thus would never
; contact the external server for any other
; acme123.com queries.
roadrunner-int 86400 A 192.168.0.1
HINFO "a486/160/40M" "Linux 2.0"
mail 86400 A 192.168.0.1
HINFO "a486/160/40M" "Linux 2.0"
coyote 86400 A 192.168.0.2
HINFO "iPentium-II/260/64M" "Win95"
spare 86400 A 192.168.0.9
HINFO "Unknown" "Unknown"
spare2 86400 A 192.168.0.10
HINFO "Unknown" "Unknown"
The following file is the REVERSE zone record for the internal ACME123.com network
/home/chroot-dns-int/var/named/192.168.0-in.addr.db
;
; /home/chroot-dns-int/var/named/192.168.0-in.addr ZONE file for TrinityOS - 09/03/01
;
$TTL 86400
@ IN SOA ns.acme123.com. hostmaster.acme123.com. (
2001052800 ; serial, todays date + todays serial #
1 ; Serial
8H ; Refresh
2H ; Retry
1W ; Expire
1D) ; Minimum TTL
NS ns.acme123.com.
1 86400 PTR roadrunner-int.acme123.com.
2 86400 PTR coyote.acme123.com.
9 86400 PTR spare.acme123.com.
10 86400 PTR spare2.acme123.com.
/home/chroot-dns-ext/etc/named.conf
// /home/chroot-dns-ext/etc/named.conf for TrinityOS - 11/25/02
// Config file for a full authoritative --EXTERNAL-- DNS server
options {
//Remember, this is already CHROOTed. /var/named IS correct
directory "/var/named";
//Do NOT have the server listening on localhost or the internal interface
listen-on port 53 {
100.200.0.212;
};
// Clean the cache every 6 hours (default is 1).
cleaning-interval 360;
// Do NOT respond to DNS queries for any domains other than local zones
//
// All remote DNS lookups for this host and any internal machines will
// be served from the INTERNAL DNS server
recursion no;
// Uncommenting this might help if you have to go through a
// firewall and things are not working out:
// query-source address * port 53;
};
zone "." {
type hint;
file "root.hints.db";
};
zone "acme123.com" {
type master;
notify yes;
file "acme123.com.db";
allow-transfer {
102.200.0.25/32;
};
};
zone "212.0.200.100.in-addr.arpa" {
type master;
notify yes;
file "212.0.200.100.db";
allow-transfer {
102.200.0.25/32;
};
};
dig @a.root-servers.net . ns > /home/chroot-dns-ext/var/named/root.hints.db
/home/chroot-dns-ext/var/named/root.hints.db
; <<>> DiG 8.1 <<>> @a.root-servers.net . ns ; (1 server found) ;; res options: init recurs defnam dnsrch ;; got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10 ;; flags: qr rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13 ;; QUERY SECTION: ;; ., type = NS, class = IN ;; ANSWER SECTION: . 5d10h28m15s IN NS M.ROOT-SERVERS.NET. . 5d10h28m15s IN NS L.ROOT-SERVERS.NET. . 5d10h28m15s IN NS K.ROOT-SERVERS.NET. . 5d10h28m15s IN NS J.ROOT-SERVERS.NET. . 5d10h28m15s IN NS B.ROOT-SERVERS.NET. . 5d10h28m15s IN NS F.ROOT-SERVERS.NET. . 5d10h28m15s IN NS G.ROOT-SERVERS.NET. . 5d10h28m15s IN NS C.ROOT-SERVERS.NET. . 5d10h28m15s IN NS H.ROOT-SERVERS.NET. . 5d10h28m15s IN NS A.ROOT-SERVERS.NET. . 5d10h28m15s IN NS D.ROOT-SERVERS.NET. . 5d10h28m15s IN NS E.ROOT-SERVERS.NET. . 5d10h28m15s IN NS I.ROOT-SERVERS.NET. ;; ADDITIONAL SECTION: M.ROOT-SERVERS.NET. 5w6d16h IN A 202.12.27.33 L.ROOT-SERVERS.NET. 5w6d16h IN A 198.32.64.12 K.ROOT-SERVERS.NET. 5w6d16h IN A 193.0.14.129 J.ROOT-SERVERS.NET. 5w6d16h IN A 198.41.0.10 B.ROOT-SERVERS.NET. 5w6d16h IN A 128.9.0.107 F.ROOT-SERVERS.NET. 5w6d16h IN A 192.5.5.241 G.ROOT-SERVERS.NET. 5w6d16h IN A 192.112.36.4 C.ROOT-SERVERS.NET. 5w6d16h IN A 192.33.4.12 H.ROOT-SERVERS.NET. 5w6d16h IN A 128.63.2.53 A.ROOT-SERVERS.NET. 5w6d16h IN A 198.41.0.4 D.ROOT-SERVERS.NET. 5w6d16h IN A 128.8.10.90 E.ROOT-SERVERS.NET. 5w6d16h IN A 192.203.230.10 I.ROOT-SERVERS.NET. 5w6d16h IN A 192.36.148.17 ;; Total query time: 15115 msec ;; FROM: ns.acme123.com to SERVER: a.root-servers.net 198.41.0.4 ;; WHEN: Fri Oct 1 03:02:15 1999 ;; MSG SIZE sent: 17 rcvd: 436
The following file is the FORWARD zone records for the external ACME123.com network
/home/chroot-dns-ext/var/named/acme123.com.db
;
; /home/chroot-dns-ext/var/named/acme123.com ZONE file for TrinityOS - 09/03/01
;
$TTL 86400
@ IN SOA ns.acme123.com. hostmaster.acme123.com. (
2001052800 ; serial, todays date + todays serial #
8H ; refresh, seconds
2H ; retry, seconds
1W ; expire, seconds
1D ) ; minimum, seconds
NS ns.acme123.com. ; Inet Address of name server
NS ns.backupacme.com. ; Inet address of backup server
MX 10 mail.acme123.com. ; Primary Mail Exchanger
ns 86400 A 100.200.0.212
HINFO "a486/160/40M" "Linux 2.0"
mail 86400 A 100.200.0.212
HINFO "a486/160/40M" "Linux 2.0"
ftp 86400 CNAME ns
roadrunner 86400 CNAME ns
The following file is the REVERSE zone records for the external ACME123.com network:
/home/chroot-dns-ext/var/named/212.0.200.100.db
;
; /home/chroot-dns-ext/var/named/212.0.200.100-in.addr ZONE file for TrinityOS - 09/03/01
;
$TTL 86400
@ IN SOA ns.acme123.com. hostmaster.acme123.com. (
2001052800 ; serial, todays date + todays serial #
8H ; Refresh
2H ; Retry
1W ; Expire
1D) ; Minimum TTL
NS ns.acme123.com. ; Inet Address of name server
NS ns.backupacme.com. ; Inet address of backup server
212.0.200.100.in-addr.arpa. IN PTR ns.acme123.com.
chown -R chroot-dns-int.chroot-dns-int /home/chroot-dns-int
chown -R chroot-dns-ext.chroot-dns-ext /home/chroot-dns-ext
Ok, time for the glue. You need to change the way that DNS loads the server up to recognize the new CHROOT layout and to load the SPLIT servers:
Redhat users:
[ -f /usr/sbin/named ] || exit 0
.
.
.
[ -f /etc/named.conf ] || exit 0
to:
[ -f /home/chroot-dns-int/usr/sbin/named ] || exit 0
[ -f /home/chroot-dns-ext/usr/sbin/named ] || exit 0
[ -f /home/chroot-dns-int/etc/named.conf ] || exit 0
[ -f /home/chroot-dns-ext/etc/named.conf ] || exit 0
#!/bin/sh
#
# named This shell script takes care of starting and stopping
# named (BIND DNS server).
#
# chkconfig: - 55 45
# description: named (BIND) is a Domain Name Server (DNS) \
# that is used to resolve host names to IP addresses.
# probe: true
# ----------------------------------------------------------------------------
# # TrinityOS-named
# v11/25/02
#
# Part of the copyrighted and trademarked TrinityOS document.
# <url url="http://www.ecst.csuchico.edu/~dranch">
#
# Written and Maintained by David A. Ranch
# dranch at trinnet dot net
#
#
# NOTE: It's IMPORTANT that you edit this file and enable the correct
# version of Bind that you plan on running. To disable a specific
# version, place "#" charecters in the front of the respective lines.
#
# Bind9 is the TrinityOS default setting.
#
#
# Updates
# -------
# 11/25/02 - Updated some of the comments
#
# 03/05/01 - Updated the file to support the loading of Bind9
#
# 01/28/01 - Added a few CR-LFs to clean up the output between starting
# the internal and external zones
# 10/07/00 - Added the start-int, start-ext, stop-int, and stop-ext functions
#
# ----------------------------------------------------------------------------
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0
[ -f /home/chroot-dns-int/usr/sbin/named ] || exit 0
[ -f /home/chroot-dns-ext/usr/sbin/named ] || exit 0
[ -f /home/chroot-dns-int/etc/named.conf ] || exit 0
[ -f /home/chroot-dns-ext/etc/named.conf ] || exit 0
RETVAL=0
# See how we were called.
case "$1" in
start)
# Start daemons.
echo -n "Starting named-int: "
#Bind9 - Use this setup if you are using Bind9
#
daemon /home/chroot-dns-int/usr/sbin/named -u chroot-dns-int -t /home/chroot-dns-int
#Bind8 - # out the "daemon" line above and un-# out the line below
# if you are running Bind8
#
#daemon /home/chroot-dns-int/usr/sbin/named -u chroot-dns-int -g chroot-dns-int -t /home/chroot-dns-int
RETVAL=$?
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/named-int
sleep 5
echo -e "\r"
echo -n "Starting named-ext: "
#For some reason, this server won't load with the "daemon" line in
# front - if you have a solution for this, please let me know
#Bind9 - Use this setup if you are using Bind9
#
/home/chroot-dns-ext/usr/sbin/named -u chroot-dns-ext -t /home/chroot-dns-ext
#Bind8 - # out the "daemon" line above and un-# out the line below
# if you are running Bind8
#
#/home/chroot-dns-ext/usr/sbin/named -u chroot-dns-ext -g chroot-dns-ext -t /home/chroot-dns-ext
RETVAL=$?
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/named-ext
echo -e "\r"
;;
start-int)
# Start daemons.
echo -n "Starting named-int: "
#For some reason, this server won't load with the "daemon" line in
# front - if you have a solution for this, please let me know
#Bind9 - Use this setup if you are using Bind9
#
/home/chroot-dns-int/usr/sbin/named -u chroot-dns-int -t /home/chroot-dns-int
#Bind8 - # out the "daemon" line above and un-# out the line below
# if you are running Bind8
#
#/home/chroot-dns-int/usr/sbin/named -u chroot-dns-int -g chroot-dns-int -t /home/chroot-dns-int
RETVAL=$?
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/named-int
echo -e "\r"
;;
start-ext)
echo -n "Starting named-ext: "
#For some reason, this server won't load with the "daemon" line in
# front - if you have a solution for this, please let me know
#Bind9 - Use this setup if you are using Bind9
#
/home/chroot-dns-ext/usr/sbin/named -u chroot-dns-ext -t /home/chroot-dns-ext
#Bind8 - # out the "daemon" line above and un-# out the line below
# if you are running Bind8
#
/home/chroot-dns-ext/usr/sbin/named -u chroot-dns-ext -g chroot-dns-ext -t /home/chroot-dns-ext
RETVAL=$?
$RETVAL -eq 0 ] && touch /var/lock/subsys/named-ext
echo -e "\r"
;;
stop)
# Stop daemons.
echo -n "Shutting down named: "
killproc named
RETVAL=$?
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named-int && rm -f /var/lock/subsys/named-ext
echo -e "\r"
;;
stop-int)
# Stop INT daemons.
echo -n "Shutting down named-int: "
kill `ps ax | grep chroot-dns-int/usr/sbin/named | grep -v -e grep | awk '{print $1}'`
RETVAL=$?
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named-int
echo -e "\r"
;;
stop-ext)
# Stop EXT daemons.
echo -n "Shutting down named-ext: "
kill `ps ax | grep chroot-dns-ext/usr/sbin/named | grep -v -e grep | awk '{print $1}'`
RETVAL=$?
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named-ext
echo -e "\r"
;;
status)
/usr/sbin/ndc status
exit $?
;;
restart)
$0 stop
$0 start
;;
reload)
/usr/sbin/ndc reload
exit $?
;;
probe)
# named knows how to reload intelligently; we don't want linuxconf
# to offer to restart every time
/usr/sbin/ndc reload >/dev/null 2>&1 || echo start
exit 0
;;
*)
echo "Usage: named {start|start-int|start-ext|stop|stop-int|stop-ext|status|restart}"
exit 1
esac
exit $RETVAL
Edit the /etc/rc.d/init.d/syslog file and change the loading of
SYSLOG to the following:
daemon syslogd -a /home/chroot-dns-int/dev/log -a /home/chroot-dns-ext/dev/log -m 0
Now, configure your machine to use the local DNS server by editing /etc/resolv.conf
search acme123.com
nameserver 127.0.0.1
#Backup - your ISP's DNS servers
#nameserver 10.200.200.69
#nameserver 10.200.200.96
Next, make sure that your machine is prepped to use DNS:
Slackware: /etc/host.conf
order hosts, bind
multi on
Redhat: /etc/nsswitch.conf
Change the "hosts" line to read:
&q