#1 2007-11-01 17:48:22

baude
Member
From: France, Toulouse
Registered: 2007-08-22
Posts: 18

thunar blocked by my firewall [Solved]

Hello everyone,

since I configured my firewall (with iptables), Thunar - the file manager I sometimes use under FluxBox - doesn't launch anymore. When I clean iptables up, it works again... I didn't test with another file manager because Thunar is the only one I have.
I find it strange, but I didn't manage to locate the problem. Could someone help me?
I put my firewall configuration file here:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
#
# INPUT chain
#
# we are never sure, dude...
-A INPUT -m state --state INVALID -j DROP 
-A INPUT -p tcp --dport ssh -j DROP
-A INPUT -p udp --dport ssh -j DROP
-A INPUT -p tcp --dport telnet -j DROP
-A INPUT -p tcp --dport rtelnet -j DROP
-A INPUT -p udp --dport rtelnet -j DROP
-A INPUT -p tcp --dport telnets -j DROP
-A INPUT -p udp --dport telnets -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
# torrent
-A INPUT -p tcp --dport 6881:6889 -j ACCEPT
-A INPUT -p tcp --dport 6969:7000 -j ACCEPT
# msn file transfer
-A INPUT -p tcp --dport 6891:6900 -j ACCEPT
-A INPUT -p udp --dport 6891:6900 -j ACCEPT
# uncomment the two lines below to allow ftp requests from LAN
#-A INPUT -s 192.168.1.0/24 -p tcp --dport ftp -j ACCEPT
#-A INPUT -s 192.168.1.0/24 -p tcp --dport ftp-data -j ACCEPT
# uncomment the two lines below to allow nfs requests from LAN
#-A INPUT -s 192.168.1.0/24 -p tcp --dport nfs -j ACCEPT
#-A INPUT -s 192.168.1.0/24 -p udp --dport nfs -j ACCEPT
# idem for samba
#-A INPUT -p tcp --dport 139 -j ACCEPT
#
# OUTPUT chain
#
# all responses are allowed
# we refuse any connection attempt except for the following open ports
# ie some ports open, other open only for responses
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNS
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
# DHCP
-A OUTPUT -p udp --dport 67 -j ACCEPT
# PING
-A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p tcp --dport http -j ACCEPT
-A OUTPUT -p udp --dport http -j ACCEPT
-A OUTPUT -p tcp --dport https -j ACCEPT
-A OUTPUT -p udp --dport https -j ACCEPT
-A OUTPUT -p tcp --dport http-alt -j ACCEPT
-A OUTPUT -p udp --dport http-alt -j ACCEPT
-A OUTPUT -p tcp --dport mail -j ACCEPT
# Gmail SMTP over TLS
-A OUTPUT -p tcp --dport 587 -j ACCEPT
-A OUTPUT -p udp --dport 587 -j ACCEPT
-A OUTPUT -p tcp --dport pop2 -j ACCEPT
-A OUTPUT -p udp --dport pop2 -j ACCEPT
-A OUTPUT -p tcp --dport pop3 -j ACCEPT
-A OUTPUT -p udp --dport pop3 -j ACCEPT
-A OUTPUT -p tcp --dport pop3s -j ACCEPT
-A OUTPUT -p udp --dport pop3s -j ACCEPT
-A OUTPUT -p tcp --dport imap3 -j ACCEPT
# imap
-A OUTPUT -p tcp --dport 143 -j ACCEPT
-A OUTPUT -p udp --dport 143 -j ACCEPT
-A OUTPUT -p tcp --dport imsp -j ACCEPT
-A OUTPUT -p udp --dport imsp -j ACCEPT
# extension webmail
-A OUTPUT -d localhost -p tcp --dport 1230 -j ACCEPT
-A OUTPUT -d localhost -p udp --dport 1230 -j ACCEPT
-A OUTPUT -d localhost -p tcp --dport 1240 -j ACCEPT
-A OUTPUT -d localhost -p udp --dport 1240 -j ACCEPT
-A OUTPUT -p tcp --dport telnet -j ACCEPT
-A OUTPUT -p tcp --dport rtelnet -j ACCEPT
-A OUTPUT -p udp --dport rtelnet -j ACCEPT
-A OUTPUT -p tcp --dport telnets -j ACCEPT
-A OUTPUT -p udp --dport telnets -j ACCEPT
-A OUTPUT -p tcp --dport ssh -j ACCEPT
-A OUTPUT -p udp --dport ssh -j ACCEPT
-A OUTPUT -p tcp --dport ftp -j ACCEPT
-A OUTPUT -p tcp --dport ftp-data -j ACCEPT
# ftp passive mode... :-(
-A OUTPUT -p tcp --dport 1024: -j ACCEPT
-A OUTPUT -p udp --dport tftp -j ACCEPT
-A OUTPUT -p tcp --dport sftp -j ACCEPT
-A OUTPUT -p tcp --dport ftps -j ACCEPT
-A OUTPUT -p tcp --dport ftps-data -j ACCEPT
-A OUTPUT -p udp --dport ftps -j ACCEPT
-A OUTPUT -p udp --dport ftps-data -j ACCEPT
-A OUTPUT -p tcp --dport rtsp -j ACCEPT
-A OUTPUT -p udp --dport rtsp -j ACCEPT
-A OUTPUT -p tcp --dport irc -j ACCEPT
-A OUTPUT -p udp --dport irc -j ACCEPT
-A OUTPUT -p tcp --dport ircd -j ACCEPT
# gnutella
-A OUTPUT -p tcp --dport 6346 -j ACCEPT
# torrent
-A OUTPUT -p tcp --dport 6881:6889 -j ACCEPT
-A OUTPUT -p tcp --dport 6969:7000 -j ACCEPT
# msn, conversations
-A OUTPUT -p tcp --dport 1863 -j ACCEPT
-A OUTPUT -p udp --dport 1863 -j ACCEPT
# msn, file transfer
-A OUTPUT -p tcp --dport 6891:6900 -j ACCEPT
-A OUTPUT -p udp --dport 6891:6900 -j ACCEPT
# samba 
-A OUTPUT -p tcp --dport 139 -j ACCEPT
-A OUTPUT -p tcp --dport nfs -j ACCEPT
-A OUTPUT -p udp --dport nfs -j ACCEPT
# SWAT
-A OUTPUT -d localhost -p tcp --dport 901 -j ACCEPT
#
# COMMIT
#
COMMIT

Thank you for your help!

Last edited by baude (2007-11-01 19:18:50)


#2 2007-11-01 18:01:40

skymt
Member
Registered: 2006-11-27
Posts: 443

Re: thunar blocked by my firewall [Solved]

One nitpick before we get to your question: why are you specifically dropping packets for ssh, telnet, etc? Just have a default policy of DROP, and open the ports you do want to let through.

Now to your main problem: Thunar connects to a few local daemons (fam and hal, that I know of) using TCP. Your severely restrictive output rules aren't letting it connect. If you ran thunar from a terminal, you'd probably get a better idea of what's going on from the error message.

Restricting output like that doesn't do a whole lot of good, anyway. Even if, by some very small chance, your computer became infected, the malware would almost certainly phone home on port 80, for the maximum chance of getting through restrictive firewalls like yours or those at some companies.


#3 2007-11-01 18:35:19

byte
Member
From: Düsseldorf (DE)
Registered: 2006-05-01
Posts: 2,046

Re: thunar blocked by my firewall [Solved]

block all
pass quick on lo

After that, you could get picky. But those two are not open for debate.

(Yes, that is pf syntax. I hate iptables.)


#4 2007-11-01 19:15:50

baude
Member
From: France, Toulouse
Registered: 2007-08-22
Posts: 18

Re: thunar blocked by my firewall [Solved]

Thank you two very much! I have allowed the local stuff (traffic via lo) and it works.

to skymt:

Thunar connects to a few local daemons (fam and hal, that I know of) using TCP. Your severely restrictive output rules aren't letting it connect. If you ran thunar from a terminal, you'd probably get a better idea of what's going on from the error message.

I did run thunar from a terminal, but it didn't produce any output, it just looped. That is why I didn't know what it wanted to do.

Restricting output like that doesn't do a whole lot of good, anyway. Even if, by some very small chance, your computer became infected, the malware would almost certainly phone home on port 80, for the maximum chance of getting through restrictive firewalls like yours or those at some companies.

Yes you're right, my rules are paranoid ones. I just wanted to build a strong firewall, but it is probably useless. Thanks for your advice.

to byte:
Thank you for confirming the fact that lo traffic is needed.
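A check for the problem diagnosed in this thread, written as an added example (it is not code from the thread or from Thunar): it parses an iptables-restore ruleset and reports every chain whose default policy is DROP but which never ACCEPTs loopback traffic wholesale, which is what stops local daemons such as fam and hal from talking to each other. The two sample rulesets are constructed, trimmed from the one posted in #1, and the "fixed" one applies the lo rules the thread arrived at.

```python
import re

# Constructed sample, trimmed from the ruleset posted above: both chains
# default to DROP and no rule matches the lo interface, so Thunar's local
# daemons (fam, hal) are unreachable.  A per-port localhost rule is not enough.
BROKEN = """\
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d localhost -p tcp --dport 1230 -j ACCEPT
COMMIT
"""
# The fix the thread arrived at: accept all loopback traffic in both chains.
FIXED = BROKEN.replace("-A INPUT -m state", "-A INPUT -i lo -j ACCEPT\n"
                       "-A OUTPUT -o lo -j ACCEPT\n-A INPUT -m state", 1)

def parse_rules(text):
    """Return (chain policies, list of -A rules as token lists) in file order."""
    policies, rules = {}, []
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"^:(\w+)\s+(ACCEPT|DROP|REJECT)\b", line)
        if m:
            policies[m.group(1)] = m.group(2)
        elif line.startswith("-A "):
            rules.append(line.split())
    return policies, rules

def is_general_lo_accept(chain, tokens):
    """True for '-A <chain> -i/-o lo -j ACCEPT' with no narrowing matches
    (protocol, port, address, state) that would limit it to one service."""
    flag = "-i" if chain == "INPUT" else "-o"
    if tokens[1] != chain or tokens[-2:] != ["-j", "ACCEPT"]:
        return False
    if flag not in tokens or tokens[tokens.index(flag) + 1] != "lo":
        return False
    return not {"-p", "--dport", "--sport", "-m", "-s", "-d"}.intersection(tokens)

def loopback_findings(text):
    """Chains whose policy is DROP/REJECT but which never accept lo wholesale;
    an empty list means local daemons can talk to each other."""
    policies, rules = parse_rules(text)
    return [chain for chain in ("INPUT", "OUTPUT")
            if policies.get(chain, "ACCEPT") != "ACCEPT"
            and not any(is_general_lo_accept(chain, r) for r in rules)]
```

Running `loopback_findings` on the ruleset from #1 as posted flags both INPUT and OUTPUT; adding the two lo rules clears it, and the `-d localhost --dport 1230` rule alone does not.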
