[sclug] Firewalls
tim
tim at holmes.name
Sat Oct 25 09:05:31 UTC 2003
Thanks for the help guys - you have given me some useful clues.
Found the bit about rc.firewall in the appendix B
Had been under the impression that you opened up a shell and started
typing in the iptables commands and by doing so slowly built up the
firewall.
Have looked at the rc.firewall and realised that I can create a bash
shell with all those environment variables and use that or just create a
file that is the full script.
I am running Mandrake 8.2 and have installed it as a firewall but do not
seem to have the /etc/sysconfig/iptables file. I do have
/etc/rc.d/init.d/iptables which says it is a Startup script to implement
/etc/sysconfig/iptables. So I guess I have to create that in a similar
manner to rc.firewall.
I know some of this may seem obvious to you but I am an OS390/Windows
techie trying to move to Linux in my spare time.
Thanks again for your help
-----Original Message-----
From: lug at assursys.co.uk [mailto:lug at assursys.co.uk]
Sent: 13 January 2003 19:29
To: Tom Dawes-Gamble
Cc: tim; Sclug
Subject: Re: [sclug] Firewalls
On Mon, 13 Jan 2003, Tom Dawes-Gamble wrote:
> Hi Tim,
>
> I wonder if we are reading the same book. Linux Firewalls
> published by New Riders? I've had my copy for ages so maybe you have a
> newer version. Anyway page 115 is talking about traceroute.
Looks like Tim has the second edition, like me. ;-)
> The one reason that you might not want to invoke iptables commands
> at the command line is that you may enter a rule such as that you stop
> all incoming traffic and then open up to specific addresses. So you're
> connected over an IP connection and you stop yourself sending the command
> to open up your connection.
>
> If you use a script then if you pull the rug from under your feet
> the script may continue and put the rug back. If you are on the console
> there is no rug to pull out. :-)
I think that's what Ziegler's getting at - don't change firewall rules
across a network connection as you may find that connection gets blocked
partway through, leaving you unable to add further rules which would
otherwise allow the connection to proceed.
> Regards,
> Tom.
>
>
> On Mon, Jan 13, 2003 at 06:01:38PM -0000, tim wrote:
> > Can anyone help - I'm sure it is a simple question.
> >
> > I am working through Bob Ziegler's Firewall book.
> > On page 115 (if you have it) he says "Do not attempt to invoke specific
> > iptables rules from the command line."
> > On the previous page he had pointed to a shell script
> > /etc/rc.d/rc.firewall
> >
> > He says to execute the shell script from the console.
> >
> > What does this mean? I have looked through the firewall HOW-TO and that does
> > not mention it which makes me think that it is very basic stuff
> > that I just haven't twigged.
Ziegler is assuming that you're going to create /etc/rc.d/rc.firewall as per
the guidance in his book.
> > My thoughts are to start a shell by running bash from the command line, but
> > 1. I thought the command line was bash
It is.
> > 2. That still does not explain the
> > /etc/rc.d/rc.firewall which does not exist on my system.
Which means you'll need to create it.
If you're running RH though, and want to fit in with the way RH does things,
you'll probably want to edit /etc/sysconfig/iptables instead of creating
rc.firewall.
> > Any help would be much appreciated - thanks
> > Tim Holmes
HTH,
Alex.
--
Alex Butcher, Brainbench MVP for Internet Security: www.brainbench.com
Bristol, UK
Need reliable and secure network systems? <http://www.assursys.com/>
PGP/GnuPG ID: 0x271fd950