[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Samba & IPTables (fwd)

Dag Wieers wrote:
On Sat, 2 Aug 2003, Charles Bronson wrote:

It is a great tool to learn more about networking.

You are correct when all networking activities are limited to the Well Known Ports. However, what happens when a user gets a request for access to a port above 1024? This could be someone trying to hack their pc or it could be a legitimate use.

What legitimate use access on port > 1024 (on a unknown port) ?
VNC, the default is 5900.

I think it is fairly safe to say that if the user wasn't expecting anything to happen, he can deny it temporarily (and maybe that should be the default thing to suggest/advice).
Ok but Bob just lost his connection when he apparently needed it.

Let's use Bob and Alice (avg users) in an example:
Bob wants to access the faimily computer from work so he installs <insert Generic Remote Access Tool name here>. The next day Bob is at work and lights up the GRAT client. Alice is home surfing the web and a pop-up asks her if she should allow access to port 2029. Pretend your Alice and make the call, what would you do?

Well, I think you're not talking about the common case here already. I'm sure that if bob knows how to install GRAT
It installs by default with the some of the install profiles. But even so, RPM's are easy to install and most will set the service to run ableit it with very general conf files.

and was planning to connect to
home on a system that he shares with his wife. He prepared the personal firewall sufficiently.
VNC doesn't tell you it uses 5900 but that's ok Bob doesn't understand ports anyway so knowing that VNC uses 5900 doesn't do him any good. He and the firewall have no common language so Bob can;t tell the firewall about his new installation.

Anyway, in this case the pop-up probably says something like:

We noticed someone (from firewall.bobswork.com)
Only if Bob's firewall does reverse DNS AND Bob's company set's their DNS to answer those queries. Otherwise you get a raw IP address.

trying to connect
to 'Generic Remote Access Tool' (on port 2029).
As long as the firewall tears open the packet to look at the application layer or let's it far enough into your computer to see who it wants to talk to.

This traffic is unknown by the firewall and therefor could be
dangerouse. We advise not to allow it unless you understand the consequences.

Do You want to allow access to Generic Remote Access Tool from firewall.bobswork.com

[Yes] [*No*] [Customize]

If it was a known protocol the personal firewall could give more information about what it is used for.
Assuming your talking about *known* protocols above 1024(because we already eliminated < 1024 from the discussion) Linux will let ANY program use ANY port that is not already listening. Therefore a malicious program can grab, for instance, port 1033 which your method will identify as "local netinfo port" which sounds pretty harmless.

(Warning: this is a remote
administration tool, someone with access can completely control your machine from remote.)

bob is fairly stupid if he installed the personal firewall and the GRAT server and didn't think of this before going to work.
Bob's firewall was installed by default during the system install and he does not know enough about GRAT to know how to preset the firewall and he won't be home the first time he tries to connect to it...
He still can call
his wife and tell her to click on Yes ;)
I was being nice and assuming his wife would be there to see it. In many houses only the cat/dog/goldfish will be there to answer the call ;-)

Let me also add that if nothing is listening on a port the traffic is dropped silently (and logged).
Firewalls are not around to protect your computer from calls to ports that are not listening, your computer does that on its own ;-)

My biggest concern is that you're denying
the concept of personal firewalls
I hand configure the IPTables scripts on all of my home computers, so you can put your concerns aside. However my concern is that you are trivializing what in actuality is a daunting task and that is not helping to find the solution.

and I don't have time to argue for the
sake of arguing.
Suit yourself but solutions will only come from intelligent and probing discussions.

I did a quick search to get a screenshot of ZoneAlarm. There are better examples, I'm sure.

Your example shows a program that the user knowingly initiates going out to the Internet. Whereas many of the situations that a firewall protects against are not user initiated and they come in from the Internet. Which means that the user is going to have to understand the request and that goes back to the knowledge paradigm.

Lokkit is a very limited tool. It is not functional for most of the home users and I don't think it is intended to be. Someone in this thread already refered to it (not supporting samba).

If you look at my previous reply you will see that I already agree with you on this point.

Right, after first saying "This statement is just plain wrong. IPTables is a VERY powerful tool.". Next time you better not use strong language if you're actually agreeing with me.
Please look at the following quote from earlier in this thread:
---------- Begin inserted quote ------------

>> That's probably what 'Home Users' would expect anyway. The current iptables >>firewall from Red Hat is a basic tool and limited in functionality.

This statement is just plain wrong. IPTables is a VERY powerful tool. Are you maybe referring to the firewall configuration tool? If so it is sufficiently functional for a home user although using it properly would definitely be beyond a laymen.

----------- End inserted quote --------------

You are saying "The current iptables firewall from Red Hat is a basic tool and limited in functionality."

And I am saying that you are wrong and IPTable is a VERY powerful tool. After that I was *again* trying to be courteous and allow for the fact that you may have been talking about the firewall CONFIGURATION tool in which case I would agree with you.

Since I will continue to try and be courteous I would appreciate it if you would try to read my entire message.

I think you understand what I was trying to suggest so for me the thread ends here. Feel free to find some other cornercases ;)
Yes I do understand what you are trying to suggest. I am trying to get you to help form the solution to your stated problem by suggesting that you are oversimplifying the situation. You see the problem and that makes you a good candidate to see when the solution has arrived. Why wouldn't you want to help form the solution to a problem you are having?

-- (¬_ Some days you're the windshield >o) //\ Some days you're the bug... /\\ V_/_ _\_V Charles Bronson

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]