Tom Eastep | 2 Feb 01:03 2004

Re: common file to overwrite common.def

On Mon, 2 Feb 2004, Lito Kusnadi wrote:

> Hi, I noted on the documentation that we can create a file called
> "common" to overwrite the common.def.
> Basically, I am trying to block stealth scans for IDENT, Netbios, and
> SMB.
> I have created the "common" file, and put the rules (directly by copying
> from the common.def and change the "reject" to "DROP"). But when I do a
> scan from http://scan.sygate.com/stealthscan.html, it's still marking as
> OPEN.
> Do I need to add anything in shorewall.conf to tell that the 'common'
> file exists?
>

No -- what does "shorewall show common" show?

> 2nd question: If a port can be scanned but CLOSED (nothing is running on
> that port), can anyone hack into it?

No.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
Lito Kusnadi | 2 Feb 01:29 2004

RE: common file to overwrite common.def

Hi Tom.
Moving the '. /etc/shorewall/common.def' to the end fixed it.
Just want to know if there's a need for an errata at
http://www.shorewall.net/shorewall_extension_scripts.htm

Particularly at the section (almost at the bottom of the page):
...
/etc/shorewall/common:

     . /etc/shorewall/common.def
     <add your rules here>
...

Or this might be an aberrant behavior for version 1.4.7c?

One last question:
By dropping the Netbios, SMB, and IDENTD, will there be any implication
in the running of other services, say network browsing through VPN
IPSEC?

-----Original Message-----
From: shorewall-users-bounces <at> lists.shorewall.net
[mailto:shorewall-users-bounces <at> lists.shorewall.net] On Behalf Of Tom
Eastep
Sent: Monday, 2 February 2004 11:03 AM
To: Mailing List for Experienced Shorewall Users
Subject: Re: [Shorewall-users] common file to overwrite common.def

On Mon, 2 Feb 2004, Lito Kusnadi wrote:


Tom Eastep | 2 Feb 01:34 2004

Re: common file to overwrite common.def

On Sunday 01 February 2004 04:29 pm, Lito Kusnadi wrote:
> Hi Tom.
> Moving the '. /etc/shorewall/common.def' to the end fixed it.
> Just want to know if there's a need for an errata at
> http://www.shorewall.net/shorewall_extension_scripts.htm
>
> Particularly at the section (almost at the bottom of the page):
> ...
> /etc/shorewall/common:
>
>      . /etc/shorewall/common.def
>      <add your rules here>
> ...
>
> Or this might be an aberrant behavior for version 1.4.7c?

READ THE MANUAL!!!!! -- right after what you quote above:

	"If you need to supersede a rule in the released common.def file, you can add
	the superseding rule before the "." command."

>
> One last question:
> By dropping the Netbios, SMB, and IDENTD, will there be any implication
> in the running of other services, say network browsing through VPN
> IPSEC?

No.

-Tom

Robin M. | 2 Feb 02:22 2004

test please ignore


Tom Eastep | 2 Feb 02:23 2004

Re: common file to overwrite common.def

On Sun, 1 Feb 2004, Tom Eastep wrote:

> On Sunday 01 February 2004 04:29 pm, Lito Kusnadi wrote:
> > Hi Tom.
> > Moving the '. /etc/shorewall/common.def' to the end fixed it.
> > Just want to know if there's a need for an errata at
> > http://www.shorewall.net/shorewall_extension_scripts.htm
> >
> > Particularly at the section (almost at the bottom of the page):
> > ...
> > /etc/shorewall/common:
> >
> >      . /etc/shorewall/common.def
> >      <add your rules here>
> > ...
> >
> > Or this might be an aberrant behavior for version 1.4.7c?
>
> READ THE MANUAL!!!!! -- right after what you quote above:
>
> 	"If you need to supersede a rule in the released common.def file, you can add
> 	the superseding rule before the "." command."
>

To protect my blood pressure and to be sure that no one else cuts
themselves on this sharp edge before common.def goes away in 2.0, I have
removed the above sentence and have reversed the order of the "." and
<add...>.  I'm sure someone will manage to break something following those
instructions also but we'll see....
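The ordering Tom describes, as an added illustration that is not from the thread and not a file shipped by the Shorewall project: a Shorewall 1.4 /etc/shorewall/common that puts the overriding rules before the "." command. The rule bodies are what the 1.4.7 common.def entries for Auth (113), NetBIOS (135, 137-139) and SMB (445) are assumed to look like here; compare against the real common.def on your system, since the exact lines are an assumption. The reason the order matters is that netfilter walks a chain top to bottom and the first match wins: a DROP appended to the common chain after common.def has already appended its reject rule for the same port never sees the packet, which is exactly what Lito observed.

```text
#
# /etc/shorewall/common -- user rules for the 'common' chain (Shorewall 1.4)
#
# Rules are appended to the chain in the order these lines run, and the
# first match wins. Anything that must override common.def has to be
# appended BEFORE the "." command that sources common.def.
#
# Drop rather than reject Auth/IDENT (rule form assumed from common.def)
run_iptables -A common -p tcp --dport 113 -j DROP
#
# Drop rather than reject NetBIOS/SMB (rule forms assumed from common.def)
run_iptables -A common -p udp --dport 135 -j DROP
run_iptables -A common -p udp --dport 137:139 -j DROP
run_iptables -A common -p udp --dport 445 -j DROP
run_iptables -A common -p tcp --dport 135 -j DROP
run_iptables -A common -p tcp --dport 139 -j DROP
run_iptables -A common -p tcp --dport 445 -j DROP
#
# Only now pull in the released defaults; its 'reject' rules for the same
# ports land after ours in the chain and are therefore never reached.
. /etc/shorewall/common.def
```

After a restart, "shorewall show common" (the check Tom asks for earlier in the thread) lists the chain top to bottom; the DROP lines should appear above the reject lines for the same ports. A DROP gives the scanner no answer at all, whereas the reject chain answers with a TCP reset or ICMP error, which is why a scanner reports the two differently.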


Robin M. | 2 Feb 03:26 2004

quicktime

I have searched the shorewall docs, the Mac site and google'd  but I
cannot find information on how to allow the darwin streaming server to
work through a firewall.

The streaming server does work when not accessed from behind the firewall.

If anyone had any hints or information on this it is much appreciated.

Tom Eastep | 2 Feb 03:52 2004

Re: quicktime

On Sun, 1 Feb 2004, Robin M. wrote:

> I have searched the shorewall docs, the Mac site and google'd  but I
> cannot find information on how to allow the darwin streaming server to
> work through a firewall.
>
> The streaming server does work when not accessed from behind the firewall.
>
> If anyone had any hints or information on this it is much appreciated.
>

So you found this
(http://www.apple.com/quicktime/products/qtss/qtssfaq.html - I
googled and looked for 48 seconds to find it):

How do I get around firewall problems?
--------------------------------------
If you are experiencing firewall problems, update your software to the
latest version of QuickTime Streaming Server and have users upgrade to
QuickTime 4.1 or later. You may optionally want to select the "Enable
Streaming On Port 80" checkbox in the Settings window of the QuickTime
Streaming Server Admin application.
---------------------------------------------------------------------------
In another 24 seconds, I located this:

http://www.apple.com/quicktime/resources/qt4/us/proxy/

Seems like there is lots of information there as well.
---------------------------------------------------------------------------


Robin M. | 2 Feb 04:07 2004

Re: quicktime

On Sun, 1 Feb 2004, Tom Eastep wrote:

> On Sun, 1 Feb 2004, Robin M. wrote:
>
> > I have searched the shorewall docs, the Mac site and google'd  but I
> > cannot find information on how to allow the darwin streaming server to
> > work through a firewall.
> >
> > The streaming server does work when not accessed from behind the firewall.
> >
> > If anyone had any hints or information on this it is much appreciated.
> >
> So you found this
> (http://www.apple.com/quicktime/products/qtss/qtssfaq.html - I
> googled and looked for 48 seconds to find it):

Yep I read that. The only useful information was suggesting that I run the
server on port 80, but that is not an option as I have only one ip
address and need to run a web server as well.

>
> http://www.apple.com/quicktime/resources/qt4/us/proxy/
>
Yep I did read that too. The useful information I gathered from there was
Open port 554 for RTSP/TCP data.
Open ports 6970 through 6999 (inclusive) for RTP/UDP data.

I also have installed the Streaming server directly on the firewall and it
does work with these rules


Tom Eastep | 2 Feb 04:14 2004

Re: quicktime

On Sun, 1 Feb 2004, Robin M. wrote:

> Yep I did read that too. The useful information I gathered from there was
> Open port 554 for RTSP/TCP data.
> Open ports 6970 through 6999 (inclusive) for RTP/UDP data.
>
> I also have installed the Streaming server directly on the firewall and it
> does work with these rules
>
> ACCEPT  loc fw                udp     rtsp
> ACCEPT  net fw                udp     rtsp
> ACCEPT  loc fw                tcp     rtsp,1220
> ACCEPT  net fw                tcp     rtsp,1220
>
> ACCEPT  fw  loc               udp     6970:6999
> ACCEPT  fw  net               udp     6970:6999
>
>
> but I just can't get it to work behind the NAT.

You need to look at FAQ 30 -- the rules that you have above would work
well if you had a proxy server running on your firewall; I assume that you
don't.

> I have tried a couple combinations of rules and the closest I have gotten
> is some choppy sound with no video. There are no logs in my
> /var/log/messages either showing denied packets....
>
> I am just not proficient enough to figure out the rules and was hoping
> someone has already gotten it to work. Any hints or suggestions are

Tom Eastep | 2 Feb 04:32 2004

Re: quicktime

On Sun, 1 Feb 2004, Tom Eastep wrote:

> On Sun, 1 Feb 2004, Robin M. wrote:
>
> > Yep I did read that too. The useful information I gathered from there was
> > Open port 554 for RTSP/TCP data.
> > Open ports 6970 through 6999 (inclusive) for RTP/UDP data.
> >
> > I also have installed the Streaming server directly on the firewall and it
> > does work with these rules
> >
> > ACCEPT  loc fw                udp     rtsp
> > ACCEPT  net fw                udp     rtsp
> > ACCEPT  loc fw                tcp     rtsp,1220
> > ACCEPT  net fw                tcp     rtsp,1220
> >
> > ACCEPT  fw  loc               udp     6970:6999
> > ACCEPT  fw  net               udp     6970:6999
> >
> >
> > but I just can't get it to work behind the NAT.
>
> You need to look at FAQ 30 -- the rules that you have above would work
> well if you had a proxy server running on your firewall; I assume that you
> don't.
>

Sorry -- I should have read your post more carefully (where you say that
these rules DO work when the server is on the firewall) :-(
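For the case Tom points at FAQ 30 for (the streaming server on a LAN host behind the firewall's NAT rather than on the firewall itself), here is what the /etc/shorewall/rules entries generally look like in Shorewall 1.4. This is an added example, not from the thread and not from the Shorewall documentation; the server address 192.168.1.10, the loc/net zone names and the assumption that the masq file already masquerades loc behind the net interface are all constructed for the example. The port numbers (554 for RTSP, 6970-6999 for client-side RTP/UDP) are the ones quoted from Apple's proxy page above.

```text
#ACTION  SOURCE  DEST                PROTO  DEST PORT(S)
#
# RTSP control channel from the Internet: forward (DNAT) to the server
# instead of accepting it on the firewall. 554 is rtsp in /etc/services;
# the UDP line mirrors the "udp rtsp" rule in the quoted set.
DNAT     net     loc:192.168.1.10    tcp    554
DNAT     net     loc:192.168.1.10    udp    554
#
# RTP/UDP media from the server to Internet clients' ports 6970-6999.
# Connection tracking does not relate these flows to the RTSP TCP
# connection, so they need their own rule unless the loc->net policy
# is already ACCEPT (the "fw net" rule in the quoted set did this job
# when the server lived on the firewall).
ACCEPT   loc     net                 udp    6970:6999
#
# The admin interface (tcp 1220 in the quoted rules) stays reachable from
# the LAN only; deliberately no DNAT for it from net.
```

LAN clients on the same subnet as 192.168.1.10 reach it directly and never cross the firewall, so the "loc fw" lines from the quoted set have no counterpart here. If media still stalls after this, the place to look is whether the outbound UDP from the server is actually being accepted on the loc->net zone pair, since that is the flow the on-firewall rules no longer cover.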


Alexander Gretencord | 2 Feb 17:25 2004

Re: quicktime

On Monday 02 February 2004 03:26, Robin M. wrote:
> I have searched the shorewall docs, the Mac site and google'd  but I
> cannot find information on how to allow the darwin streaming server to
> work through a firewall.
>
> The streaming server does work when not accessed from behind the firewall.
>
> If anyone had any hints or information on this it is much appreciated.

Please do _not_ just hit reply on some message on the list. This will add an
In-Reply-To or References header to your mail which shows which message(s)
you are replying to. So many mail readers and mailing list web interfaces will
thread your new message under the message you replied to. So basically you
begin a completely new thread inside of another one.

Just click on the mail address of the list or add it to your address book.

Thx

Alex

