Koozali.org: home of the SME Server
Legacy Forums => General Discussion (Legacy) => Topic started by: Arne on December 27, 2003, 04:26:16 PM
-
Hello !
As I am using the e-smith in server-only mode, I cannot check it for one thing I would be very curious to know.
Around the issue of RedHat 7.x the design of the Linux firewall was changed completely from the "old style" using ipchains to the "new style" using iptables. The 2.4.x kernel was based on the netfilter firewall design ( http://www.netfilter.org ), but at least RedHat 7.0 and 7.1 used a module for backward compatibility, so at least these two RedHat distributions were based on the old-style firewall design.
I wonder: what about the e-smith 5.6 and 6.0?? (Those are derivatives of these RedHat distributions.)
Could some of you who have an e-smith running in gateway mode just try these two commands in the command shell: "iptables -l" and "ipchains -l" (l = small L)?? The commands will just show the "listing" or status of the firewall, and whether it is the old or the new type of firewall.
Best reg Arne.
-
From what I have read, SME 5.6 and 6.0 are based on RedHat 7.3 and use iptables.
-
SME v6.0 final set as server/gateway uses iptables. Here is my output, but I had to use "-L" (or --list) because "-l" was an unrecognized option.
[root@server root]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
state_chk all -- anywhere anywhere
local_chk all -- anywhere anywhere
PPPconn all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/4
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
InboundICMP icmp -- anywhere anywhere
denylog icmp -- anywhere anywhere
InboundTCP tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
denylog tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
InboundUDP udp -- anywhere anywhere
denylog udp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spts:bootps:bootpc
gre-in gre -- anywhere anywhere
denylog gre -- anywhere anywhere
denylog all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
state_chk all -- anywhere anywhere
local_chk all -- anywhere anywhere
ForwardedTCP tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
ForwardedUDP udp -- anywhere anywhere
denylog all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PPPconn all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/4
OutboundICMP icmp -- anywhere anywhere
denylog icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain ForwardedTCP (1 references)
target prot opt source destination
ForwardedTCP_7356 all -- anywhere anywhere
denylog tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
Chain ForwardedTCP_7356 (1 references)
target prot opt source destination
Chain ForwardedUDP (1 references)
target prot opt source destination
ForwardedUDP_7356 all -- anywhere anywhere
denylog udp -- anywhere anywhere
Chain ForwardedUDP_7356 (1 references)
target prot opt source destination
Chain InboundICMP (1 references)
target prot opt source destination
InboundICMP_7356 all -- anywhere anywhere
denylog icmp -- anywhere anywhere
Chain InboundICMP_7356 (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
denylog all -- anywhere anywhere
Chain InboundTCP (1 references)
target prot opt source destination
InboundTCP_7356 all -- anywhere anywhere
denylog tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
Chain InboundTCP_7356 (1 references)
target prot opt source destination
denylog all -- anywhere !c-xxx-xxx-xxx-xxx.client.xxxxxxxxxxx.xxx
ACCEPT tcp -- anywhere anywhere tcp dpt:auth
denylog tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:https
denylog tcp -- anywhere anywhere tcp dpt:imap2
denylog tcp -- anywhere anywhere tcp dpt:ldap
denylog tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:1723
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
denylog tcp -- anywhere anywhere tcp dpt:ssh
denylog tcp -- anywhere anywhere tcp dpt:telnet
Chain InboundUDP (1 references)
target prot opt source destination
InboundUDP_7356 all -- anywhere anywhere
denylog udp -- anywhere anywhere
Chain InboundUDP_7356 (1 references)
target prot opt source destination
denylog all -- anywhere !c-xxx-xxx-xxx-xxx.client.xxxxxxxxxx.xxx
Chain OutboundICMP (1 references)
target prot opt source destination
OutboundICMP_7356 all -- anywhere anywhere
denylog icmp -- anywhere anywhere
Chain OutboundICMP_7356 (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
denylog all -- anywhere anywhere
Chain PPPconn (2 references)
target prot opt source destination
PPPconn_7356 all -- anywhere anywhere
Chain PPPconn_7356 (1 references)
target prot opt source destination
Chain denylog (24 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
DROP tcp -- anywhere anywhere tcp dpts:netbios-ns:netbios-ssn
LOG all -- anywhere anywhere LOG level warning prefix denylog:'
DROP all -- anywhere anywhere
Chain gre-in (1 references)
target prot opt source destination
denylog all -- anywhere !c-xxx-xxx-xxx-xxx.client.xxxxxxxxxx.xxx
ACCEPT all -- anywhere anywhere
Chain local_chk (2 references)
target prot opt source destination
local_chk_7356 all -- anywhere anywhere
Chain local_chk_7356 (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- 10.0.0.0/24 anywhere
Chain state_chk (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Good Luck,
Paul
-
Thanks a lot!! This saved me one extra installation and setting up an extra network.
(By the way, you were right about the -L :-)
This printout is what I believe you can call "a typical" status for a well-designed rule set of the new type of Linux firewall that basically came with the 2.4.x kernel. (Actually it could also be obtained for the last revisions of the 2.2.x kernel.)
The very big difference between the old and the new type of firewall is that the new type basically contains two separate sets of firewall rules, while the old type contained only one. In the old type of firewall you validated each of the packets at only one "place", so the traffic to the LAN and the computers on the LAN was passing through the same ruleset as the internal processes at the firewall machine itself.
In the netfilter and 2.4.x concept the traffic is first split off in two directions via a set of DNAT (destination NAT) rules before it is filtered. Then it is filtered through two completely different rulesets, one filtering the traffic to the firewall machine itself and one filtering the traffic to the LAN.
The status listed above should normally be the status for the ruleset filtering the traffic to the firewall machine only (iptables -L). If you want the other main ruleset, the command should normally be: "iptables -t NAT -L"
In the firewall above you basically first have the 3 policies (default rules).
Chain INPUT (policy DROP) (Block all traffic to the internal processes)
Chain FORWARD (policy DROP) (Block all traffic into the LAN)
Chain OUTPUT (policy ACCEPT) (Open for all traffic out.)
Then there come a lot of static exceptions, like small holes in the wall that will accept a certain traffic in, as an example:
"ACCEPT icmp -- anywhere anywhere icmp echo-request (Accept this kind of ping request.)"
At the end of the script there is one single rule that can mean more than all those small and precisely described openings.
"ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED"
This last one says: activate the automatic and dynamic stateful inspection function. In real practical life this will mean something like "make an automatic opening for all traffic that is return traffic relative to traffic that was first initiated from the inside of the firewall".
The 2.2.x firewall did not have this dynamic part; it was static only, so you had to put rather "big holes" in the firewall to let the return traffic pass. With the new 2.4.x kernel and netfilter/iptables you get the return traffic handled by the dynamic stateful inspection function, so that the openings for the return traffic are set dynamically and automatically. Because of this it is possible to design the firewall more precisely and with "smaller holes".
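As an added example (not from this thread or the SME Server project), here is a small Python parser that reads `iptables -L` output like Paul's listing and pulls out the points Arne walks through: the default policy of each built-in chain, the explicit per-port verdicts, and whether the stateful RELATED,ESTABLISHED rule is present. The sample text is a constructed excerpt modelled on the listing above, trimmed to a few chains and rules.

```python
import re

# Constructed excerpt in `iptables -L` format, modelled on the listing posted above.
SAMPLE = """\
Chain INPUT (policy DROP)
target prot opt source destination
state_chk all -- anywhere anywhere
InboundTCP tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
denylog all -- anywhere anywhere
Chain InboundTCP_7356 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:www
denylog tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
Chain state_chk (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
"""

# "Chain X (policy DROP)" for built-in chains, "Chain X (N references)" for user chains.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)\)$")

def parse_listing(text):
    """Map chain name -> {"policy": str or None, "rules": [(target, proto, match)]}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
        elif line.strip() and not line.startswith("target ") and current:
            # Columns: target prot opt source destination [match details...]
            target, proto, _opt, _src, _dst, *match = line.split()
            chains[current]["rules"].append((target, proto, " ".join(match)))
    return chains

def tcp_port_verdicts(chains):
    """Explicit per-port TCP verdicts ('dpt:' rules) across all chains; first match wins."""
    verdicts = {}
    for chain in chains.values():
        for target, proto, match in chain["rules"]:
            if proto == "tcp" and "dpt:" in match:
                verdicts.setdefault(match.split("dpt:")[1].split()[0], target)
    return verdicts

def is_stateful(chains):
    """True when some chain ACCEPTs RELATED,ESTABLISHED: the dynamic return-traffic rule."""
    return any(t == "ACCEPT" and "RELATED,ESTABLISHED" in m
               for c in chains.values() for t, _p, m in c["rules"])
```

Feed it the real listing (`iptables -L > listing.txt`) to see at a glance which ports are opened by static rules and whether return traffic is covered by the stateful rule rather than by wide static holes.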
-
SME 5.5 and prior used ipchains.
SME 5.6 uses iptables but has a very simple rule set similar to previous versions of SME using ipchains. Installing the netfilter rpm enhances the firewall but not to the level of that in SME 6.
SME 6 (at least in the final release) uses the same version of iptables used in 5.6 (1.2.5-3) but has a much more sophisticated rule set including stateful packet inspection.
-
RayG wrote:
> SME 5.6 uses iptables but has a very simple rule set similar
> to previous versions of SME using ipchains. Installing the
> netfilter rpm enhances the firewall but not to the level of
> that in SME 6.
I don't know what you mean by "netfilter RPM". netfilter is the kernel component of the iptables system (and is installed in 5.6).
> SME 6 (at least in the final release) uses the same version
> of iptables used in 5.6 (1.2.5-3) but has a much more
> sophisticated rule set including stateful packet inspection.
stateful packet inspection is also used in 5.6. The firewall code is re-arranged for programmer convenience in 6.0, but isn't fundamentally different from 5.6 (apart from port-forwarding being an added feature).
Charlie