
#1 2010-04-03 02:06:02

Milena
Member
Registered: 2010-04-02
Posts: 67

Firewall Installation > Arno's iptables script

Hello

I have installed the arno-iptables-firewall script from the AUR (yaourt -S aur/arno-iptables-firewall) and added eth0 to the configuration file:

EXT_IF="eth0"

also setup the daemon in rc.conf

DAEMONS=(syslog-ng arno-iptables-firewall network netfs crond fam hal sensors)

Is it correct to start it before network?

Well, it doesn't seem to work at all. I tried several of these firewall/port sniffing tests such as ShieldsUP! with bad results; I think the firewall is just not working. I came recently from RHEL/Fedora to Arch and could use a little assistance with this problem.

Thanks in Advance


#2 2010-04-03 11:33:28

harryNID
Member
From: P3X-1971
Registered: 2009-06-12
Posts: 117

Re: Firewall Installation > Arno's iptables script

Mine's working fine. Hmmmmm!:/

For reference: I'm just running a very basic land-line setup. Nothing exotic! (no routers, NAT etc.)

My setup for Arno's: (/etc/arno-iptables-firewall/firewall.conf)

EXT_IF="eth0"

Same as what you have!

rc.conf: (snippet)

#Static IP example
#eth0="dhcp"
eth0="dhcp"
INTERFACES=(eth0)

# Routes to start at boot-up (in this order)
# Declare each route then list in ROUTES
#   - prefix an entry in ROUTES with a ! to disable it
#
gateway="default gw 192.168.0.1"
ROUTES=(!gateway)
 
# Enable these network profiles at boot-up.  These are only useful
# if you happen to need multiple network configurations (ie, laptop users)
#   - set to 'menu' to present a menu during boot-up (dialog package required)
#   - prefix an entry with a ! to disable it
#
# Network profiles are found in /etc/network.d
#
# This now requires the netcfg package
#
#NETWORKS=(main)

# -----------------------------------------------------------------------
# DAEMONS
# -----------------------------------------------------------------------
#
# Daemons to start at boot-up (in this order)
#   - prefix a daemon with a ! to disable it
#   - prefix a daemon with a @ to start it up in the background
#
DAEMONS=(@preload @syslog-ng @hal @dnsmasq @network @arno-iptables-firewall @privoxy @alsa @crond)

I have arno's set to start after "network" (actually backgrounded, that is what @ is for).

Here's a thought. Mine wouldn't start once because I didn't have "iproute2" installed (it should already be installed though, as it's a core component; I uninstalled mine intentionally thinking I didn't need it. Duh! Was I wrong.). It really should be in the "depends" of the PKGBUILD because arno's has a stink if it's not installed. If you don't have it installed then install it and perform a restart of arno's (detailed below). If that's not it then try to start/restart arno's from the command line and see if it has any errors. Could help in diagnosing the problem.

As root:

/etc/rc.d/arno-iptables-firewall start|stop|restart*

* Pick One
start = start the daemon if it's not currently running
stop = stop the already running daemon
restart = stops the currently running daemon and restarts it

That's about all there is to setting it up. If it's not that then something else could be causing the issue.

Update:
It seems like Dragonlord has added "iproute2" to the dependency list after all. Sorry about that! I'm using an older version of the PKGBUILD and just updating it myself. I hadn't checked out the AUR page lately.

Last edited by harryNID (2010-04-03 22:19:22)


In solving a problem of this sort, the grand thing is to be able to reason backward. That is a very useful accomplishment, and a very easy one, but people do not practice it much. In the everyday affairs of life it is more useful to reason forward, and so the other comes to be neglected. There are fifty who can reason synthetically for one who can reason analytically.  --Sherlock Holmes


#3 2010-04-03 20:28:10

berbae
Member
From: France
Registered: 2007-02-12
Posts: 1,302

Re: Firewall Installation > Arno's iptables script

There is also this in /etc/arno-iptables-firewall/firewall.conf:

# Enable if THIS machines (dynamically) obtains its IP through DHCP (from your
# ISP).
# -----------------------------------------------------------------------------
EXT_IF_DHCP_IP=1

The firewall works well on my system too.


#4 2010-04-03 22:37:07

harryNID
Member
From: P3X-1971
Registered: 2009-06-12
Posts: 117

Re: Firewall Installation > Arno's iptables script

berbae wrote:

There is also this in /etc/arno-iptables-firewall/firewall.conf:

# Enable if THIS machines (dynamically) obtains its IP through DHCP (from your
# ISP).
# -----------------------------------------------------------------------------
EXT_IF_DHCP_IP=1

The firewall works well on my system too.

That's strange, mine is set to zero yet it still works (and yes my IP is dynamically assigned). I saw that option too but it seemed to be working fine at zero so I haven't messed with it.

Mine:

EXT_IF_DHCP_IP=0




#5 2010-04-03 23:30:06

Milena
Member
Registered: 2010-04-02
Posts: 67

Re: Firewall Installation > Arno's iptables script

Thanks for the replies.

It works well now :)


EDIT:

Well I spoke too soon, the Firewall does not work as intended.

www.grc.com / ShieldsUp shows all ports as Stealth but it fails the test with:

Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.

I have made appropriate settings to the config files:

/etc/sysctl.conf

net.ipv4.icmp_echo_ignore_all = 1

/etc/arno-iptables-firewall/firewall.conf

# Enable to ignore all ICMP echo-requests (IPv4) on ALL interfaces.
# -----------------------------------------------------------------------------
ECHO_IGNORE=1

# Enable this to allow for ICMP-requests(ping) from your LAN
# -----------------------------------------------------------------------------
LAN_OPEN_ICMP=0

# Enable this to allow for ICMP-requests(ping) for LAN->INET
# -----------------------------------------------------------------------------
LAN_INET_OPEN_ICMP=0

# Enable if you want to accept ICMP redirect messages. Should be set to "0" in
# case of a router.
# -----------------------------------------------------------------------------
ICMP_REDIRECT=0

daemons in rc.conf

DAEMONS=(syslog-ng !network netfs crond hal networkmanager arno-iptables-firewall)

Can you confirm similar results about the failed ICMP/ping test?
Just curious: my out-of-the-box Fedora 12 install passes the ping test with its default iptables-based firewall.

Best Regards

Last edited by Milena (2010-04-04 00:35:28)


#6 2010-04-04 08:24:58

davidlondonuk
Member
Registered: 2009-06-24
Posts: 49

Re: Firewall Installation > Arno's iptables script

Hi,

It's best to have the firewall start towards the end of the daemons in /etc/rc.conf. Also, you really need to go through the firewall.conf file for arno a few times: check and recheck in case something applies to your setup. Normally you only need to edit the settings in the first part of the file.

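The ordering rule harryNID and davidlondonuk describe (the firewall daemon listed after the daemon that brings the interface up) is easy to check mechanically. The following shell functions are an added example, not code from this thread or from Arno's package: they pull the DAEMONS array out of an rc.conf line, honour the "!" (disabled) and "@" (background) prefixes documented in the rc.conf comments quoted above, and report whether arno-iptables-firewall comes after whichever of network/networkmanager is enabled. The three DAEMONS lines it checks are the ones posted in this thread.

```shell
#!/bin/sh
# Added example: check rc.conf DAEMONS ordering for arno-iptables-firewall.
# Not part of the thread or of Arno's package. The DAEMONS lines checked at
# the bottom are copied from the posts in this thread.

# Print the 1-based position of daemon $2 inside the DAEMONS=(...) text $1.
# The "!" (disabled) and "@" (background) prefixes are ignored for matching;
# a disabled entry, or one that is absent, yields 0.
daemon_position() {
    printf '%s\n' "$1" |
    sed -e 's/^[^(]*(//' -e 's/).*$//' |
    tr ' ' '\n' |
    awk -v want="$2" '
        /^[[:space:]]*$/ { next }
        {
            n++
            name = $0
            disabled = (substr(name, 1, 1) == "!")
            sub(/^[!@]/, "", name)
            if (name == want) { print (disabled ? 0 : n); found = 1; exit }
        }
        END { if (!found) print 0 }'
}

# Verdict for one DAEMONS line: "ok" when the firewall is listed after every
# enabled network daemon, otherwise a short reason.
check_daemon_order() {
    fw=$(daemon_position "$1" arno-iptables-firewall)
    net=$(daemon_position "$1" network)
    nm=$(daemon_position "$1" networkmanager)
    if [ "$fw" -eq 0 ]; then echo firewall-missing; return; fi
    if [ "$net" -eq 0 ] && [ "$nm" -eq 0 ]; then echo no-network-daemon; return; fi
    for pos in $net $nm; do
        [ "$pos" -gt "$fw" ] && { echo firewall-before-network; return; }
    done
    echo ok
}

# The three rc.conf lines from this thread, in posting order.
for line in \
  'DAEMONS=(syslog-ng arno-iptables-firewall network netfs crond fam hal sensors)' \
  'DAEMONS=(@preload @syslog-ng @hal @dnsmasq @network @arno-iptables-firewall @privoxy @alsa @crond)' \
  'DAEMONS=(syslog-ng !network netfs crond hal networkmanager arno-iptables-firewall)'
do
    printf '%-24s %s\n' "$(check_daemon_order "$line")" "$line"
done
```

The first line (the original post) is flagged because the firewall precedes network; the other two pass, the last one because the disabled "!network" entry is ignored and networkmanager, which is enabled, comes before the firewall.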

#7 2010-04-04 16:26:56

harryNID
Member
From: P3X-1971
Registered: 2009-06-12
Posts: 117

Re: Firewall Installation > Arno's iptables script

I think you might have misinterpreted firewall.conf. You have to look real close sometimes. When he has something like this:

# Enable to ignore all ICMP echo-requests (IPv4) on ALL interfaces.
# -----------------------------------------------------------------------------
ECHO_IGNORE=0

He means just to uncomment the line (enable the line) and not change any value. When he has something like this:

# (EXPERT SETTING!) Set this (to 1) to enable tracing
# -----------------------------------------------------------------------------
TRACE=0

Then he means change TRACE=0 to TRACE=1 to enable.

By setting ECHO_IGNORE=0 to ECHO_IGNORE=1 you are probably just turning the echo back on after sysctl.conf turns it off. That's a guess though.

Also instead of using

net.ipv4.icmp_echo_ignore_all = 1

you might try

net/ipv4/icmp_echo_ignore_broadcasts=1

in sysctl.conf.

Here's the difference:

3.4.1. icmp_echo_ignore_all

If this value is set to 1, in other words on or true, the kernel chooses to totally ignore all ICMP Echo requests. This variable takes a boolean value and is per default set to false, or off. If this variable is turned on, you and others will be unable to ping the machine in question, which is generally a bad thing. Of course, everyone has different opinions about this; some say it is good because people will be unable to ping you and hence know you are there, some say it is bad because you want people to know you are available on the internet. A lot of tools and applications rely upon ICMP Echo requests, some good, some bad as always.


3.4.2. icmp_echo_ignore_broadcasts

This variable works precisely the same as icmp_echo_ignore_all except that it will only ignore those ICMP messages sent to broadcast or multicast addresses. It should be quite obvious why this is good, it would among other things stop this specific host from being part of smurf attacks and likely problems. Broadcast pings are generally bad unless you are using this to find out how many hosts on your network(s) are up or not.

The icmp_echo_ignore_broadcasts variable takes a boolean value and is per default turned off. If you want to turn this value on, you should do so, since there are relatively few bad sides to not replying to broadcast pings.

Here's a link to Arno's QA/FAQ page for further reference. It covers some things that might be useful in the future once you've got things running correctly.
http://rocky.eld.leidenuniv.nl/joomla/i … &Itemid=81

If that doesn't get it then report back and we'll try something else till it does.

Off Topic:
Welcome to Arch!:lol:



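The two sysctl spellings in the reply above (dotted "net.ipv4.icmp_echo_ignore_all" and slash-separated "net/ipv4/icmp_echo_ignore_broadcasts") are both accepted by sysctl(8), and the two keys it contrasts are separate policies that can both be set at once, with icmp_echo_ignore_all overriding the broadcast-only setting. The shell functions below are an added example, not code from this thread or from Arno's script: they normalise a sysctl.conf fragment, report whether the resulting host answers unicast pings, only ignores broadcast pings, or answers nothing, and compare that with the running kernel through /proc/sys. The sample sysctl.conf text is constructed for the example.

```shell
#!/bin/sh
# Added example: report the ICMP echo policy a sysctl.conf fragment configures
# and compare it with the running kernel. Not code from this thread or from
# Arno's firewall script.

# Constructed sample sysctl.conf text mixing both separator styles sysctl accepts.
SAMPLE_SYSCTL_CONF='# constructed sample
net.ipv4.icmp_echo_ignore_all = 1
net/ipv4/icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_redirects = 0
'

# Strip comments and blank lines, drop whitespace around "=", and rewrite
# "/"-separated keys to dotted form. Output: one "key=value" per line.
normalize_sysctl() {
    printf '%s\n' "$1" |
    sed -e 's/#.*//' \
        -e '/^[[:space:]]*$/d' \
        -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' |
    while IFS='=' read -r key value; do
        printf '%s=%s\n' "$(printf '%s' "$key" | tr '/' '.')" "$value"
    done
}

# Print the value of dotted key $2 in conf text $1 (last assignment wins),
# or nothing when the key is not set at all.
sysctl_value() {
    normalize_sysctl "$1" | awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# Combined verdict: ignore_all=1 silences every echo request and therefore
# overrides ignore_broadcasts; ignore_broadcasts alone still answers unicast.
echo_policy() {
    ignore_all=$(sysctl_value "$1" net.ipv4.icmp_echo_ignore_all)
    ignore_bcast=$(sysctl_value "$1" net.ipv4.icmp_echo_ignore_broadcasts)
    if [ "${ignore_all:-0}" = 1 ]; then
        echo silent
    elif [ "${ignore_bcast:-0}" = 1 ]; then
        echo unicast-only
    else
        echo open
    fi
}

# Same verdict for the running kernel, read from /proc/sys (Linux only).
running_echo_policy() {
    p=/proc/sys/net/ipv4
    if [ ! -r "$p/icmp_echo_ignore_all" ] || [ ! -r "$p/icmp_echo_ignore_broadcasts" ]; then
        echo unknown
        return 0
    fi
    echo_policy "net.ipv4.icmp_echo_ignore_all=$(cat "$p/icmp_echo_ignore_all")
net.ipv4.icmp_echo_ignore_broadcasts=$(cat "$p/icmp_echo_ignore_broadcasts")"
}

echo "configured policy: $(echo_policy "$SAMPLE_SYSCTL_CONF")"
echo "running policy:    $(running_echo_policy)"
```

The "running policy" line is the one to compare with an external tester's result: if the local kernel is already "silent" (and the firewall drops echo requests as well) yet a tester outside still sees replies, the replies are being generated by something in front of the host rather than by the host itself.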

#8 2010-04-05 03:01:06

Milena
Member
Registered: 2010-04-02
Posts: 67

Re: Firewall Installation > Arno's iptables script

harryNID wrote:

Welcome to Arch!:lol:

Thanks :) and thank you again for your help.

I start to believe that test website, https://www.grc.com/x/ne.dll?bh0bkyd2 , is a fake, as it shows all ports always Stealth but says my PC replies to their ping no matter what settings I try for sysctl or firewall.conf. The arno script itself seems to work fine now. Know of any other good way to test the firewall, and is the arno one the best I should use on Arch?

This is my result; regardless of whether the firewall is enabled or disabled, or what settings are in sysctl.conf, it is always the same:

[screenshot: grc.jpg, ShieldsUP! result]

I'm pretty sure the Stealth for all ports is done by my DSL router, a Speedport W701V.

Since this is just my desktop PC at home and I'm not a target for somebody (hopefully), everything should be fine now.


#9 2010-04-05 03:33:30

stryder
Member
Registered: 2009-02-28
Posts: 500

Re: Firewall Installation > Arno's iptables script

Milena wrote:
harryNID wrote:

Welcome to Arch!:lol:

Thanks :) and thank you again for your help.

I start to believe that test website, https://www.grc.com/x/ne.dll?bh0bkyd2 , is a fake, as it shows all ports always Stealth but says my PC replies to their ping no matter what settings I try for sysctl or firewall.conf. <snip>

I'm pretty sure the Stealth for all ports is done by my DSL router, a Speedport W701V.

Since this is just my desktop PC at home and I'm not a target for somebody (hopefully), everything should be fine now.

Most likely there is a firewall at your router, and so whatever firewall is behind your router firewall will not affect what grc detects - it can't get behind the router firewall! You don't really need to set up a firewall if your router already provides one.


#10 2010-04-05 20:28:46

harryNID
Member
From: P3X-1971
Registered: 2009-06-12
Posts: 117

Re: Firewall Installation > Arno's iptables script

I agree with stryder. You never mentioned you had a router. You will probably have to configure the router itself to stop it from replying to pings. A way to check whether your router is the culprit would be to remove the router temporarily and run the cable straight to your NIC, bypassing its firewall. Run ShieldsUP! again to see what you get then.

Milena wrote:

I start to believe that test website, https://www.grc.com/x/ne.dll?bh0bkyd2 , is a fake, as it shows all ports always Stealth but says my PC replies to their ping no matter what settings I try for sysctl or firewall.conf. The arno script itself seems to work fine now.

Shields Up is the real deal.


Milena wrote:

Know of any other good way to test the firewall, and is the arno one the best I should use on Arch?

There are plenty of Internet security sites you can use to check your security; just Google for them. As to whether arno's is a good firewall, that depends on what you want and what you like. Here in the Arch forums I've noticed most questions that use the word "best" in them get bombed. That's because only you know what's best for you. The only way you can do that is with "trial and error". I personally like arno's because it's light (no dependencies other than core programs) and is easy to set up. It's also very powerful. I've used shorewall too and really like that, but it's not quite as easy to set up (IMO). It's really up to you however.


Just found this it might help:
http://bbs.archlinux.org/viewtopic.php?id=43888

Last edited by harryNID (2010-04-05 20:35:51)




#11 2010-04-05 20:51:01

kgas
Member
From: Qatar
Registered: 2008-11-08
Posts: 718

Re: Firewall Installation > Arno's iptables script

Currently using this script with a few more additions for mpd/samba/ssh, and the result on the web site provided is a pass.


#12 2010-04-06 04:21:55

Milena
Member
Registered: 2010-04-02
Posts: 67

Re: Firewall Installation > Arno's iptables script

Thanks for the link. I called my ISP's technical support and they said my DSL router can't block ICMP/ping requests, and its firewall can't be disabled either, so I have to get another one in order to use iptables as a software-based firewall.

