Reverse NAT and Masquerade Question
server
PostPosted: Mon Jun 23, 2003 7:51 pm    Post subject: Reverse NAT and Masquerade Question

message unavailable
Allen Kistler
PostPosted: Mon Jun 23, 2003 7:51 pm    Post subject: Re: Reverse NAT and Masquerade Question

Steven J. Hathaway wrote:
Quote:
This is a network feasibility question.

Do you know which of the following firewalls can perform a reverse
address translation?

Checkpoint Firewall-1
Netfilter (IPtables)
CISCO IOS Firewall
CISCO PIX Firewall

The issue is to map a specific external IP address or transport domain
address onto a
local network IP address. The result of which would allow a workstation
or server on the
local network to establish a session to a remote host by virtue of
addressing data to the
virtualized local IP address.

[snip]

They can all do one-to-one NAT. Depending upon how your ISP connection
is configured, you may also need to set up proxy arp for the "virtual"
addresses (if they're truly virtual).

One-to-one means just that. One external address to one internal
address. There's no dynamic remapping like many-to-one (10.x internal
with a single external). So if you want a bunch of machines to be
visible externally, you need that many IP addresses, generally.
(Sometimes you can overlap if each internal machine offers different
services, but that's getting a bit trickier than your question.)
Ryan R. Frederick
PostPosted: Mon Jun 23, 2003 8:44 pm    Post subject: Re: securing single debian box against internet attacks

User wrote:
Quote:
I am on broadband and I wish to secure my debian box before putting it
on the internet. I have a LinkSys G54 broadband router and 'firewall'
but as a firewall it is limited (spoofed tcp ACK packets get by, etc.)
Hence, I need to protect my desktop debian box against attacks. It's
used just a simple desktop machine, it doesn't need to route or bridge
or any of that. What is the easiest way to harden it against network
attacks? I've read the firewall HOW-TO etc. but I was wondering if
there is a more convenient way than having to recompile the kernel?
For instance, is there a debian package that would aid me?

thanks

Mostly... just disable unneeded services... and make sure the needed
ones are configured properly... I've never enabled a firewall solution
on my home networks... and i've never really been attacked either...

Good Luck,

Bob
Steven J. Hathaway
PostPosted: Tue Jun 24, 2003 9:53 am    Post subject: Re: Reverse NAT and Masquerade Question

Allen Kistler wrote:

Quote:
Steven J. Hathaway wrote:
This is a network feasibility question.

Do you know which of the following firewalls can perform a reverse
address translation?

Checkpoint Firewall-1
Netfilter (IPtables)
CISCO IOS Firewall
CISCO PIX Firewall

The issue is to map a specific external IP address or transport domain
address onto a
local network IP address. The result of which would allow a workstation
or server on the
local network to establish a session to a remote host by virtue of
addressing data to the
virtualized local IP address.

[snip]

They can all do one-to-one NAT. Depending upon how your ISP connection
is configured, you may also need to set up proxy arp for the "virtual"
addresses (if they're truly virtual).

One-to-one means just that. One external address to one internal
address. There's no dynamic remapping like many-to-one (10.x internal
with a single external). So if you want a bunch of machines to be
visible externally, you need that many IP addresses, generally.
(Sometimes you can overlap if each internal machine offers different
services, but that's getting a bit trickier than your question.)

My problem is not the forward-nat addressing that firewall devices implement.

Reverse-nat is independent of the number of IP addresses a service provider
gives you for communications. Dial-up point-to-point connections with
dynamic IP assignment should also work.

A trivial example of what I am looking for is to allow local machines to
access an external DNS server without having to know its public IP address
or DNS name. All the local machines need to do is to place in their
configuration files the virtual local IP address that is NAT translated
to some external DNS.

Then when the remote DNS fails - functionality can be restored by creating
another reverse-nat mapping to a functional DNS elsewhere. I then do not
have to reconfigure the local machines for DNS access.

My true requirements go beyond this trivial DNS example.

- Steve Hathaway
Wojtek Walczak
PostPosted: Tue Jun 24, 2003 10:55 am    Post subject: Re: Shadow Shell?

On Wed, 18 Jun 2003 15:59:17 GMT, Kenneth A Kauffman wrote:
Quote:
What happens is that each script will execute the binary and remove your
username from the output via grep -v.
....but it's easy to detect.

Here's a simple patch for procps-3.1.9 package (well, to be exact for
libproc library):

<http://underground.org.pl/gminick/patches/procps-hide.patch>

....and now you're invisible for w, ps, top and all the stuff using
(in case of default installation) /lib/libproc.so.3.1.9
It won't work for 'who' because 'who' is only reading from utmp file.
It's really easy to patch who, but if you are not able to do
it yourself - simply - remove who from your system ;]

HTH. ;>

--
[ Wojtek Walczak - gminick (at) underground.org.pl ]
[ <http://gminick.linuxsecurity.pl/> ]
[ "...various phrases, dull with the patina of age." ]
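As an added defender-side example (not part of this post or of procps), the "easy to detect" part: a process hidden from w, ps and top by a patched libproc is still present when /proc is read directly, so snapshotting /proc and diffing it against ps output exposes it. The ps invocation, the comm lookup and the sample PID sets below are assumptions of this example.

```python
import os
import subprocess
from typing import Dict, Set


def pids_from_proc() -> Set[int]:
    """PIDs found by listing /proc directly, bypassing libproc entirely."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_from_ps_output(ps_output: str) -> Set[int]:
    """Parse the output of `ps -e -o pid=` (one PID per line, no header)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def hidden_pids(from_proc: Set[int], from_ps: Set[int]) -> Set[int]:
    """Processes present in /proc that ps (via libproc) did not report."""
    return from_proc - from_ps


def describe(pid: int) -> str:
    """Best-effort command name; the process may have exited in the meantime."""
    try:
        with open(f"/proc/{pid}/comm", encoding="utf-8") as fh:
            return fh.read().strip()
    except OSError:
        return "<gone>"


def audit_live() -> Dict[int, str]:
    """Snapshot /proc first, then run ps, then re-check each candidate.

    Taking /proc before ps means a process started in between is simply absent
    from the snapshot, and one that exited in between fails the final isdir
    check, so neither shows up as a false 'hidden' hit.
    """
    snapshot = pids_from_proc()
    ps_out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                            text=True, check=True).stdout
    candidates = hidden_pids(snapshot, pids_from_ps_output(ps_out))
    return {pid: describe(pid) for pid in sorted(candidates)
            if os.path.isdir(f"/proc/{pid}")}


if __name__ == "__main__":
    # This only catches hiding done in userland (libproc); a kernel-level
    # rootkit that filters /proc itself needs a different check.
    for pid, comm in audit_live().items():
        print(f"hidden from ps: pid {pid} ({comm})")
```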
no body
PostPosted: Wed Jun 25, 2003 4:08 am    Post subject: Re: Reverse NAT and Masquerade Question

Quote:
A trivial example of what I am looking for is to allow local machines to
access an external DNS server without having to know its public IP address
or DNS name. All the local machines need to do is to place in their
configuration files the virtual local IP address that is NAT translated
to some external DNS.

Then when the remote DNS fails - functionality can be restored by creating
another reverse-nat mapping to a functional DNS elsewhere. I then do not
have to reconfigure the local machines for DNS access.

iptables that comes with the 2.4 kernel can do that. We have a Linux
Security Server set up (from www.ComputerSecurityResearch.com, if that
matters) that does the DNAT just as your example needs. All the internal
boxes have their DNS pointing to the security server, and it in turn
DNATs the DNS requests out to the current DNS server. If that DNS server
starts acting buggy we just make one change on the security server and all
the clients benefit from the change. Sounds like just what you need.

Now here's one hitch I can see, and I see the way around it. Let's say you
have networks A and B, each with more than one machine, and each with only
one public IP (or IP that will be used to link them together). So computer
A.1 wants to connect to B.1, the security server for A correctly changes the
destination IP to B's public IP. B's security server gets this packet and
doesn't know which internal computer to send it to.

The way around it is what we've done with this security server. A's and B's
security servers create an IPSEC tunnel between them and have route entries
that say "anything for B's net - route to B's IPSEC IP" and likewise for A.
Works like a charm because there isn't any DNAT involved. You wouldn't need
the tunnel, we just needed the data to be secure between the networks.

In the case where you have A, B, and C *and* two networks (say B and C) have
the same private address range, you have the combination of the two examples
above put together. A's network thinks B's and C's networks are actually
different, and a DNAT translation happens on B's and C's security servers.
What you end up with is a "global address map" that says network A has this
"public" range (not true public, but only used once within all your
networks), B has this "public" range, etc... Then anything destined for A
will be addressed to that "public" range, and A's security server is
expected to do the DNAT to the real internal IP address.

It's complicated, but it works. And none of our local nets had to get
renumbered.

One thing that stinks is the one-to-one NAT. Each box has one line DNAT,
and one line SNAT per internal IP. The nice thing here is the only NAT is
happening on the security server responsible for those IPs. This lets us
add more IPs to a network without having to go change all the security
servers, we just change the one that manages that network. And the load of
doing the NAT is on the local security server, so if we have a new local
network with thousands of IPs, we get a more powerful (as in CPU/mem)
security server just for that network, we don't have to upgrade the whole
infrastructure to support the increase in NATs of more IPs. That security
server is the only one that realizes the load of those additional IPs and
their resultant NATs.
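The one-to-one DNAT/SNAT pairs, the "global address map" routes and the DNS redirect described in this post and in Allen Kistler's reply above, as an added Python example that is not from the thread or from any of the products it names. The address map, interface names and resolver address are constructed, and the generated iptables/ip lines are meant to be reviewed before they are applied on a security server.

```python
import ipaddress
from typing import Dict, List

# Constructed "global address map": each site gets a pseudo-public range that
# is unique across all sites, even though B and C reuse the same private range
# internally. "tunnel" is the site's IPsec endpoint, which the other sites
# route that pseudo-public range through.
ADDRESS_MAP: Dict[str, Dict[str, str]] = {
    "A": {"public": "10.200.1.0/29", "internal": "192.168.1.0/29", "tunnel": "172.16.0.1"},
    "B": {"public": "10.200.2.0/29", "internal": "192.168.0.0/29", "tunnel": "172.16.0.2"},
    "C": {"public": "10.200.3.0/29", "internal": "192.168.0.0/29", "tunnel": "172.16.0.3"},
}


def one_to_one_rules(public_net: str, internal_net: str, wan_if: str) -> List[str]:
    """One DNAT line and one SNAT line per host, as the post describes.

    PREROUTING rewrites the pseudo-public destination to the real internal
    host; POSTROUTING rewrites the internal source back to its pseudo-public
    address so outbound sessions and replies carry the globally unique IP.
    """
    pub = ipaddress.ip_network(public_net, strict=True)
    internal = ipaddress.ip_network(internal_net, strict=True)
    if pub.version != internal.version or pub.prefixlen != internal.prefixlen:
        raise ValueError("one-to-one NAT needs two ranges of the same size")
    rules: List[str] = []
    for pub_ip, int_ip in zip(pub.hosts(), internal.hosts()):
        rules.append(f"iptables -t nat -A PREROUTING -i {wan_if} -d {pub_ip} "
                     f"-j DNAT --to-destination {int_ip}")
        rules.append(f"iptables -t nat -A POSTROUTING -o {wan_if} -s {int_ip} "
                     f"-j SNAT --to-source {pub_ip}")
    return rules


def peer_routes(address_map: Dict[str, Dict[str, str]], local_site: str) -> List[str]:
    """Route every other site's pseudo-public range via that site's tunnel.

    Only the owning site translates; everyone else just routes, so adding
    hosts at one site never touches the other security servers.
    """
    return [f"ip route add {cfg['public']} via {cfg['tunnel']}"
            for site, cfg in address_map.items() if site != local_site]


def dns_redirect_rules(virtual_ip: str, real_dns: str, lan_if: str) -> List[str]:
    """The thread's DNS example: clients point at a fixed local virtual IP and
    the security server DNATs it to whichever resolver currently works.

    Assumes the server already answers for virtual_ip (its own address or
    proxy ARP, as Allen Kistler notes) and masquerades the outbound side.
    """
    return [f"iptables -t nat -A PREROUTING -i {lan_if} -p {proto} -d {virtual_ip} "
            f"--dport 53 -j DNAT --to-destination {real_dns}:53"
            for proto in ("udp", "tcp")]


def site_ruleset(address_map: Dict[str, Dict[str, str]], site: str,
                 wan_if: str = "eth1") -> List[str]:
    """Everything one site's security server needs for the address-map scheme."""
    cfg = address_map[site]
    return one_to_one_rules(cfg["public"], cfg["internal"], wan_if) + peer_routes(address_map, site)


if __name__ == "__main__":
    for line in site_ruleset(ADDRESS_MAP, "B") + dns_redirect_rules("192.168.0.53", "198.51.100.10", "eth0"):
        print(line)
```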
Guest
PostPosted: Fri Jun 27, 2003 8:23 pm    Post subject: Re: Detecting Wireless Ethernet Frames

Dan Smith <dsmith@nospam.danplanet.com> wrote:
Quote:
I was wondering if there is a way to detect (hopefully through iptables)
ethernet frames that originated from a wireless client. I would like to
be able to have sensitive machines block access to specific ports if
they're coming from the wireless LAN. I have a normal wired LAN with
many computers, and a wireless segment (using a Linksys AP) for a few
mobile units. I thought maybe there was some way of checking a flag on
the frames to determine if they originated from a WLAN machine (and / or
traversed the AP).

I don't think there's any way of distinguishing wireless packets from
(er) wired ones. Particularly since it is not difficult to change the
MAC on a wireless interface.

Can you tell the Linksys AP to only accept certain MACs? Then you can
subject any packets on the wire that claim to come from one of those
MACs to your rules.

Better, though, would be to put the AP on its own ethernet segment and
bridge or route traffic from it through a firewall. You could achieve
this by putting an extra ethernet card into a spare Linux / *BSD
machine:

--LAN---[eth0:Firewall:eth1]--X---WirelessAP (X = maybe crossover cable)

This way you can treat any packets that come in on the eth1 interface as
suspicious, neatly sidestepping any issues of spoofed packets, etc.
Unless you're running 802.11g or something fancy like that the load on
the firewall will be minimal.

S.
Dan Smith
PostPosted: Fri Jun 27, 2003 8:59 pm    Post subject: Re: Detecting Wireless Ethernet Frames

Quote:
I don't think there's any way of distinguishing wireless packets from
(er) wired ones. Particularly since it is not difficult to change the
MAC on a wireless interface.

Well, that's one of the problems. I think I could limit all MACs other
than the ones I know about, but since MAC spoofing is easy, it'd be useless.

Quote:
Can you tell the Linksys AP to only accept certain MACs? Then you can
subject any packets on the wire that claim to come from one of those
MACs to your rules.

Apparently I can, although it would be very difficult to administer that
list. I was hoping to be able to blanket any wireless ethernet packets,
instead of maintaining the list...

Quote:
Better, though, would be to put the AP on its own ethernet segment and
bridge or route traffic from it through a firewall. You could achieve
this by putting an extra ethernet card into a spare Linux / *BSD
machine:

Yes, I used to do this before I had an access point. I had a wireless
card in my linux router, which allowed much control (which I miss).
Maybe this would be the best idea...

Does anyone know if there's anything that the AP does to the ethernet
packet that would identify it as coming from the AP? Like tagging its
MAC address in the frame (like a comment)? Just hoping here ;)

Thanks!

--Dan
Michael Forster
PostPosted: Sun Jun 29, 2003 2:02 pm    Post subject: Re: securing single debian box against internet attacks

If you have a 2.4 kernel then it is simple to block stuff and allow external
access by the internal machines. Here is my firewall-setup script (I hate
using the built-in stuff; I use SuSE Linux), but as I also run servers I
haven't dropped all packets, and the first line that is hashed out, when
unhashed, will stop the box even responding to ping requests.

Hope this helps
Mike.


# start the ip forwarding
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
# setup masquerading: flush the old rules, then masquerade everything leaving eth1
iptables -F
iptables -t nat -F
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# unhash the next line to make the box ignore ping (ICMP) on the external interface
# iptables -A INPUT -p ICMP -i eth1 -j DROP
# forward port 1412 (udp and tcp) to an internal host; the DNAT target was
# cut off in the original post, so the destination below is a placeholder
iptables -A PREROUTING -t nat -p udp -d 212.19.66.163 --dport 1412 -j DNAT --to-destination <internal-host>:1412
iptables -A PREROUTING -t nat -p tcp -d 212.19.66.163 --dport 1412 -j DNAT --to-destination <internal-host>:1412
# drop inbound tcp from the external interface to services that should not be reachable from outside
iptables -A INPUT -p tcp -d 212.19.66.163 -i eth1 --dport 37 -j DROP
iptables -A INPUT -p tcp -d 212.19.66.163 -i eth1 --dport 113 -j DROP
iptables -A INPUT -p tcp -d 212.19.66.163 -i eth1 --dport 79 -j DROP
iptables -A INPUT -p tcp -d 212.19.66.163 -i eth1 --dport 111 -j DROP
iptables -A INPUT -p tcp -d 212.19.66.163 -i eth1 --dport 135 -j DROP
iptables -A INPUT -p tcp -d 212.19.66.163 -i eth1 --dport 139 -j DROP
iptables -A INPUT -p tcp -d 212.19.66.163 -i eth1 --dport 143 -j DROP
# https is left open here; unhash to block it as well
# iptables -A INPUT -p tcp -d 212.19.66.163 -i eth1 --dport 443 -j DROP
iptables -A INPUT -p tcp -d 212.19.66.163 -i eth1 --dport 445 -j DROP
iptables -A INPUT -p tcp -d 212.19.66.163 -i eth1 --dport 515 -j DROP
iptables -A INPUT -p tcp -d 212.19.66.163 -i eth1 --dport 5000 -j DROP

"User" <qw@spamhole.com> wrote in message
news:73c5dd76.0306230151.32f54ee2@posting.google.com...
Quote:
I am on broadband and I wish to secure my debian box before putting it
on the internet. I have a LinkSys G54 broadband router and 'firewall'
but as a firewall it is limited (spoofed tcp ACK packets get by, etc.)
Hence, I need to protect my desktop debian box against attacks. It's
used just a simple desktop machine, it doesn't need to route or bridge
or any of that. What is the easiest way to harden it against network
attacks? I've read the firewall HOW-TO etc. but I was wondering if
there is a more convenient way than having to recompile the kernel?
For instance, is there a debian package that would aid me?

thanks
Wesley Parish
PostPosted: Sun Jun 29, 2003 5:41 pm    Post subject: Re: GPG: Invalid character

I had the same problem. Being a gpg newbie, I copied their layout,
block-for-block.

Enter your real name: Hans Van DeReiver
as is, where is, no quotes, no nothing fancy,
then hit enter/return
then enter your email address: HansVanD@nutcracker.suite.com
then hit enter/return
then enter your comment: Speedie

then it shows what you've entered in that layout:
"Hans Van DeReiver (Speedie) <HansVanD@nutcracker.suite.com>"

Took me ages to work that one out.

Wesley Parish

Richard Harke wrote:

Quote:
I decided that at long last I would start using gpg.
During the gen-key, after I enter my real name, gpg complains
with Invalid character in name I have no idea what is the problem.
I tried again without period after middle init then without
middle init Finally without the quotes and various permutations
without quotes

Help!

Richard

--
First the wife, tone of awe. So much a condition. Kent in the labs, fast
forward. "So how was the worthlessful businessman?" But they hadn't
stopped meat for year ago, that arose hotel facade slowly moved apper.
- Don't let emacs meta-x dissociatedpress write your speeches!
Rolf Luz
PostPosted: Mon Jun 30, 2003 1:16 am    Post subject: Re: Application level firewalls/proxies

Hi there,

had the same question but did not find something in the style of 'ZoneAlarm'
but for Linux.
I solved it this way:
1- I have a Linux server installed that is my interface to the internet (via
ADSL)
2- it plays the role of router and firewall using ipchains, managed by the
Webmin 'firewalls' module which i configured to my needs. No direct routing
between inside and outside is allowed.
3- the application level firewall is obtained by putting in an application
that links the inside with the outside: the squid proxy for html,
fetchmail/sendmail/fetchnews etc. I checked this with the nessus hacking
tool; it could not find any security hole...
4- On top of this I added the antivirus software from http://www.antivir.de/
to scan files and the mail

All of this for free and legally.
(fyi I'm using SuSE 7.1)
grtz Rolf

"weiner" <weiner@weiner.com> wrote in message
news:3ee9dfa9$0$28715$afc38c87@news.optusnet.com.au...
Quote:
Hi all..

Are there any application level firewall/vpn/proxy solutions for linux
that
are either roll-your-ownable or at least cheap ?

Not the iptables, ipchains packet level stuff but the application layer
stuff..

best regards,

Christopher Browne
PostPosted: Mon Jun 30, 2003 8:15 am    Post subject: Re: Linux and spyware?

Quoth haynes@alumni.uark.edu (Jim Haynes):
Quote:
An article in today's paper alleges that Linux and MacOS are just as
vulnerable to spyware as is Windows. Is this true? and if so what is
the mechanism of action? And how can spyware be detected and eliminated
in Linux?

Most of the "client side spyware" has tended to be embedded either in
web browser extensions or in stuff like JavaScript. The former tend
not to be available for Linux, but the latter ought to be able to
work.

And in any case, the usual _real_ form of "spyware" will mostly be on
the server side of web accesses, so that the platform you are using to
browse the web is totally irrelevant.

Consider: You get an email that points you to "Hot Young Teens."

It has a URL that points the sender to who they sent it to. That may
be as unobvious as:

ID # Email Address
-------------------------------------
1021 a@b.com
1022 your_address@wherever.com
1023 my_add@mysite.com
.. and so forth ...

which turns into a URL like:
<http://www.hotteens.com/stuff+1022+intro/>

Note that there is _no_ reason for you to consider the "1022" part to be
associated in any way with your identity.

But an interesting linkage then takes place: if the web site does
basic URL access logging, they can know that someone whose email
address was <your_address@wherever.com> accessed the URL from some IP
address at some moment in time.

If your web browser quietly stores cookies, remote web sites can link
things up further, so that if you visit that web site again, they can
identify that it was you before, and you now.

They may not know much about you beyond the email address, but they'll
get to know a few things.

And note that the only thing about this that you can forcibly do
anything about is to choose not to follow the web links.
--
wm(X,Y):-write(X),write('@'),write(Y). wm('aa454','freenet.carleton.ca').
http://www.ntlug.org/~cbbrowne/security.html
"As long as there are ill-defined goals, bizarre bugs, and unrealistic
schedules, there will be Real Programmers willing to jump in and Solve
The Problem, saving the documentation for later. Long live FORTRAN!"
#Harold Stevens US.972.95
PostPosted: Mon Jun 30, 2003 1:01 pm    Post subject: Re: Linux and spyware?

In <bdoa0i$uena0$2@ID-125932.news.dfncis.de>, Christopher Browne:

[Snip...]

Quote:
And note that the only thing about this that you can forcibly do
anything about is to choose not to follow the web links.

I take the burnt-earth policy: turn off Java, Javascript, and cookies except
for trusted useful sites (like my hometown bank, for example). This has an
extra benefit of virtually eliminating those pesky popups, etc. It is also
why Lynx is typically my browser of choice for most mundane tasks. If Lynx
has problems with a site, I probably don't have the time myself for it.

I understand this isn't possible all the time for everybody. Just my view.

--

Regards, Weird (Harold Stevens) * IMPORTANT EMAIL INFO FOLLOWS *
Pardon any bogus email addresses (mklog*) in place for spambots.
Really it's (wyrd) at raytheon, dotted with com. DO NOT SPAM IT.
Standard Disclaimer: These are my opinions not Raytheon Company.
Ed Murphy
PostPosted: Mon Jun 30, 2003 1:06 pm    Post subject: Re: Linux and spyware?

On Mon, 30 Jun 2003 08:01:31 +0000, #Harold Stevens US.972.952.3293 wrote:

Quote:
And note that the only thing about this that you can forcibly do
anything about is to choose not to follow the web links.

I take the burnt-earth policy: turn off Java, Javascript, and cookies except
for trusted useful sites (like my hometown bank, for example). This has an
extra benefit of virtually eliminating those pesky popups, etc. It is also
why Lynx is typically my browser of choice for most mundane tasks. If Lynx
has problems with a site, I probably don't have the time myself for it.

If you go visit one of those http://www.hotteens.com/stuff+1022+intro/
type URLs, then they can tell (from the 1022 part) what your e-mail
address is, even if you have Java/JS/cookies turned off. As previously
noted, the only way around *that* is to avoid going to the site.
Sebastian Hans
PostPosted: Mon Jun 30, 2003 2:06 pm    Post subject: Re: Linux and spyware?

David <thunderbolt01@netscape.net> wrote:
Quote:

Do you know of any OSS web bug blocking packages available?

You could use a filtering proxy, for starters. Squid with sleezeball for
instance. This will not protect you from web bugs in general, but it
lets you block stuff by URL. So you can e.g. avoid ad.doubleclick.net.

Ciao.
Seb.