Re: Firestarter in FC2

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Am Di, den 12.10.2004 schrieb Carlos Alberto Alves um 18:13:

> Firestarter 0.9.3 running under FC2 kernel 2.6.5-1.358
> 
> [root@localhost root]# iptables -vnL
> Chain INPUT (policy DROP 0 packets, 0 bytes)
>   pkts bytes target     prot opt in     out     source 
> destination
>      0     0 ACCEPT     tcp  --  *      *       200.227.128.20 
> 0.0.0.0/0           tcp flags:!0x16/0x02
>     25  4755 ACCEPT     udp  --  *      *       200.227.128.20 
> 0.0.0.0/0

allowing incoming tcp/udp from 200.227.128.20

>      0     0 ACCEPT     tcp  --  *      *       200.227.128.21 
> 0.0.0.0/0           tcp flags:!0x16/0x02
>      0     0 ACCEPT     udp  --  *      *       200.227.128.21 
> 0.0.0.0/0

allowing incoming tcp/udp from 200.227.128.21

>     32  2944 ACCEPT     all  --  lo     *       0.0.0.0/0 
> 0.0.0.0/0

allowing incoming localhost traffic

>      0     0 LR         all  --  *      *       224.0.0.0/8 
> 0.0.0.0/0
>      0     0 LR         all  --  *      *       0.0.0.0/0 
> 224.0.0.0/8
>      0     0 LR         all  --  *      *       255.255.255.255 
> 0.0.0.0/0

redirecting traffic from these nets or to these nets to the log+reject
chain

So far seems ok. (not knowing your situation behind the firewall)

>      0     0 LR         all  --  *      *       0.0.0.0/0            0.0.0.0

but now redirecting all further incoming traffic to log+reject? from
this point onwards the rest of the rules are ignored!

>      0     0 DROP       all  --  *      *       0.0.0.0/0 
> 0.0.0.0/0           state INVALID
>      0     0 LR         all  -f  *      *       0.0.0.0/0 
> 0.0.0.0/0           limit: avg 10/min burst 5
>      0     0 ACCEPT     47   --  *      *       0.0.0.0/0 
> 0.0.0.0/0
>      0     0 LR         tcp  --  *      *       0.0.0.0/0 
> 0.0.0.0/0           tcp flags:!0x16/0x02 state NEW
>     11   508 LR         all  --  *      *       0.0.0.0/0 
> 0.0.0.0/0
> 
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>   pkts bytes target     prot opt in     out     source 
> destination
> 
> Chain OUTPUT (policy DROP 552 packets, 24840 bytes)
>   pkts bytes target     prot opt in     out     source 
> destination
>     32  2944 ACCEPT     all  --  *      lo      0.0.0.0/0 
> 0.0.0.0/0
>      0     0 LR         all  --  *      *       224.0.0.0/8 
> 0.0.0.0/0
>      0     0 LR         all  --  *      *       0.0.0.0/0 
> 224.0.0.0/8
>      0     0 LR         all  --  *      *       255.255.255.255 
> 0.0.0.0/0

so far ok

>      0     0 LR         all  --  *      *       0.0.0.0/0            0.0.0.0

now again a rule which catches all outgoing traffic and redirecting it
to the log+reject chain, mean: rest is bypassed

>      0     0 DROP       tcp  --  *      *       0.0.0.0/0 
> 0.0.0.0/0           tcp flags:!0x16/0x02 state NEW
>      0     0 DROP       all  --  *      *       0.0.0.0/0 
> 0.0.0.0/0           state INVALID
>     29  2215            all  --  *      *       0.0.0.0/0 
> 0.0.0.0/0           TTL match TTL == 64
>     36  2851 ACCEPT     all  --  *      *       0.0.0.0/0 
> 0.0.0.0/0

wonder a bit why the counter of the 2 last rules have values, though no
traffic should come up to this point

> Chain LR (14 references)
>   pkts bytes target     prot opt in     out     source 
> destination
>     11   508 LOG        all  --  *      *       0.0.0.0/0 
> 0.0.0.0/0           LOG flags 0 level 6
>     11   508 REJECT     all  --  *      *       0.0.0.0/0 
> 0.0.0.0/0           reject-with icmp-port-unreachable
> 
> Chain NR (0 references)
>   pkts bytes target     prot opt in     out     source 
> destination

unused

> Chain SANITY (0 references)
>   pkts bytes target     prot opt in     out     source 
> destination
>      0     0 REJECT     tcp  --  *      *       0.0.0.0/0 
> 0.0.0.0/0           tcp flags:0x12/0x12 state NEW reject-with tcp-reset
>      0     0 LR         all  --  *      *       0.0.0.0/0 
> 0.0.0.0/0

unused

> Chain STATE (0 references)
>   pkts bytes target     prot opt in     out     source 
> destination
>      0     0 LR         all  --  !lo    *       0.0.0.0/0 
> 0.0.0.0/0           state NEW 
> 
>      0     0 ACCEPT     all  --  *      *       0.0.0.0/0 
> 0.0.0.0/0           state RELATED,ESTABLISHED
>      0     0 LR         all  --  *      *       0.0.0.0/0 
> 0.0.0.0/0

unused

> * Carlos Alberto Alves

You will have to rework over your firewall setup. The order of the rules
have a meaning. This is very fundamental. The rules are gone through
from first to last, until a rule matches and has a jump target to go out
to a different chain.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.8-1.521smp 
Serendipity 16:55:57 up 13 days, 19:22, load average: 0.26, 0.32, 0.23 

Attachment: signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux