For the sake of many ;-)
Information about Firewall settings after power shutdown: (be happy I am
running at home and it's not a production server like the hosters here on
this list have)
Firewall is disabled, then a reboot.
I see that the netfilter hooks are unregistered and then 2x the
ip_tables are shown in the startup before showing me the logon screen.
Here is the output requested. Some things are changed from default.
Note: in the status screen I see that the FTP server icon is RED with an
error message that it cannot be restarted. Also note that there is no
Network status, but this is mentioned: The network gateway is not
reachable. Please check that the network cable is plugged in securely,
and that your network settings are configured.
Incoming http traffic is accepted within the own network (192.168.1.x);
sending e-mail is impossible.
After reboot the firewall is enabled again.
Input rule is on DENY. Forward Rule and Output Rule are on Accept.
When changing the Input rule to ACCEPT, all issues are solved.
Network Gateway and FTP are then also running fine.
Note that even if the Firewall is enabled (just default settings) and the
above settings are on ACCEPT, the INPUT rule will be back on DENY after a
reboot.
I hope this will solve the issue with many servers and the firewall.
:: DISABLED before reboot ::
# /etc/sysconfig/iptables
# This file is automatically generated by log_traffic.
# Any manual changes will be lost
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:acctin - [0:0]
:acctout - [0:0]
-A INPUT -j acctin
-A OUTPUT -j acctout
-A acctin -d 192.168.1.100/32
-A acctout -s 192.168.1.100/32
-A acctin -d 213.84.24.174/32
-A acctout -s 213.84.24.174/32
-A acctin -d 127.0.0.1/32
-A acctout -s 127.0.0.1/32
COMMIT
:: AFTER REBOOT ::
# /etc/sysconfig/iptables
# This file is automatically generated by log_traffic.
# Any manual changes will be lost
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:acctin - [0:0]
:acctout - [0:0]
-A INPUT -j acctin
-A OUTPUT -j acctout
-A acctin -d 192.168.1.100/32
-A acctout -s 192.168.1.100/32
-A acctin -d 213.84.24.174/32
-A acctout -s 213.84.24.174/32
-A acctin -d 127.0.0.1/32
-A acctout -s 127.0.0.1/32
COMMIT
:: DISABLED BEFORE REBOOT ::
# start of auto-generated ipchains commands, do not edit below this line
# Firewall currently not enabled..
# input chain:
# /sbin/iptables -P INPUT ACCEPT
# /sbin/iptables -F INPUT
# /sbin/iptables -A INPUT -j acctin
# /sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -i lo -j ACCEPT
# /sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 1024:65535 -i eth0 -j ACCEPT
# /sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 389:389 -i eth0 -j ACCEPT
# /sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 143:143 -i eth0 -j ACCEPT
# /sbin/iptables -A INPUT -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 161:162 -i eth0 -j ACCEPT
# /sbin/iptables -A INPUT -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 389:389 -i eth0 -j ACCEPT
# /sbin/iptables -A INPUT -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 53:53 -i eth0 -j ACCEPT
# /sbin/iptables -A INPUT -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 42:42 -i eth0 -j ACCEPT
# /sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 110:110 -i eth0 -j ACCEPT
# /sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 20:23 -i eth0 -j ACCEPT
# /sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 80:81 -i eth0 -j ACCEPT
# /sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 443:444 -i eth0 -j ACCEPT
# /sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 53:53 -i eth0 -j ACCEPT
# /sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 25:25 -i eth0 -j ACCEPT
# /sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 123:123 -i eth0 -j ACCEPT
# /sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -i eth1 -j ACCEPT
# forward chain:
# /sbin/iptables -P FORWARD ACCEPT
# /sbin/iptables -F FORWARD
# output chain:
# /sbin/iptables -P OUTPUT ACCEPT
# /sbin/iptables -F OUTPUT
# /sbin/iptables -A OUTPUT -j acctout
:: AFTER REBOOT ::
# start of auto-generated ipchains commands, do not edit below this line
# input chain:
/sbin/iptables -P INPUT DROP
/sbin/iptables -F INPUT
/sbin/iptables -A INPUT -j acctin
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -i lo -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 1024:65535 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 389:389 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 143:143 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 161:162 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 389:389 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 53:53 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 42:42 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 110:110 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 20:23 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 80:81 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 443:444 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 53:53 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 25:25 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 123:123 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -i eth1 -j ACCEPT
# forward chain:
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -F FORWARD
# output chain:
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -F OUTPUT
/sbin/iptables -A OUTPUT -j acctout
# end of auto-generated ipchains commands, do not edit above this line
:: before reboot ::
[root@wb ~]# /usr/sausalito/bin/cceclient
100 CSCP/0.80
200 READY
get 1.Firewall
102 DATA NAMESPACE = "Firewall"
102 DATA initialized = "1"
102 DATA CLASSVER = "1.0"
102 DATA commit = "1159808918"
102 DATA watchdog = "0"
102 DATA dirty = "0"
102 DATA enabled = "0"
201 OK
:: after reboot ::
[root@wb dennis]# /usr/sausalito/bin/cceclient
100 CSCP/0.80
200 READY
get 1.Firewall
102 DATA NAMESPACE = "Firewall"
102 DATA initialized = "1"
102 DATA CLASSVER = "1.0"
102 DATA commit = "1159893199"
102 DATA watchdog = "0"
102 DATA dirty = "0"
102 DATA enabled = "1"
201 OK
:: before reboot ::
<property name="enabled" type="boolean" default="0"
writeacl="ruleCapable(modifySystemFirewall)"/>
:: after reboot::
<property name="enabled" type="boolean" default="0"
writeacl="ruleCapable(modifySystemFirewall)"/>
Hisao SHIBUYA wrote:
> Hi Dennis,
>
> I changed that the firewall is disabled by default.
> But, I got some report like you.
>
> So, would you check the following information and send me?
> - Is the firewall enabled in the GUI?
> - /etc/sysconfig/iptables
> - /etc/iptables.conf
> - result of the following command
> # /usr/sausalito/bin/cceclient
> 100 CSCP/0.80
> 200 READY
> get 1.Firewall
> - grep enabled /usr/sausalito/schemas/base/firewall/Firewall.schema
>
> Hisao
>
>
> On 2006/10/03, at 2:11, Dennis wrote:
>
>> Since the latest update the basic firewall setting of BQ is doing
>> strange things
>>
>> It's enabled by default where I disabled it
>> incoming traffic is denied where I wrote it has to accept it.
>>
>> This is causing the network not to be reachable and services to be
>> getting very slow.
>>
>> Is there a way to disable the firewall by default (not in the admin
>> interface) ?
>> Or is there a way to see why it's not keeping the settings after a
>> reboot?
>>
>> Dennis
>>
>
>
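The artefacts Dennis posted disagree with each other: /etc/sysconfig/iptables says `:INPUT ACCEPT` both before and after the reboot, while the regenerated /sbin/iptables script sets `-P INPUT DROP` and the CCE `enabled` flag flips from "0" to "1". The script below is an added example, not code from the thread or from the BlueQuartz/Sausalito project. It parses the three formats shown above (iptables-save style file, the generated `/sbin/iptables` script, and a cceclient transcript) and reports whether the effective INPUT policy and the `enabled` flag changed across a reboot. It assumes, as the reported symptoms suggest, that the generated script is applied after the saved ruleset so its `-P` line wins; the sample inputs are constructed from the dumps in the thread, and the file paths in the usage note are the ones Hisao asked for.

```shell
#!/bin/sh
# Added example: reconcile three BlueQuartz firewall artefacts after a reboot.
# Not the project's own code. Sample inputs below are constructed from the
# thread; on a real box feed it the actual files (see usage note).

# Chain policy from an iptables-save style file:  ":INPUT ACCEPT [0:0]" -> ACCEPT
policy_from_save() {            # $1 = chain name, stdin = save-format text
  awk -v c=":$1" '$1 == c { print $2; exit }'
}

# Chain policy from the auto-generated script. Only uncommented
# "/sbin/iptables -P <chain> <policy>" lines count; the disabled variant has
# every command commented out ("# /sbin/iptables ..."), so it yields UNSET.
policy_from_script() {          # $1 = chain name, stdin = script text
  awk -v c="$1" '
    $1 ~ /iptables$/ && $2 == "-P" && $3 == c { p = $4 }
    END { print (p == "" ? "UNSET" : p) }'
}

# "enabled" flag from a cceclient transcript:  102 DATA enabled = "1"  -> 1
cce_enabled() {                 # stdin = transcript text
  sed -n 's/^102 DATA enabled = "\([01]\)"$/\1/p'
}

# Effective INPUT policy. Assumption (matches the behaviour reported in the
# thread): the generated script runs after the saved ruleset is restored, so
# its -P line wins; with the script inactive, the saved file's policy stands.
effective_input_policy() {      # $1 = save text, $2 = script text
  eip=$(printf '%s\n' "$2" | policy_from_script INPUT)
  [ "$eip" = UNSET ] && eip=$(printf '%s\n' "$1" | policy_from_save INPUT)
  echo "$eip"
}

# Print enabled flag and INPUT policy before/after; exit 0 only if unchanged.
compare_reboot() {              # $1..$3 before (cce, save, script), $4..$6 after
  en_b=$(printf '%s\n' "$1" | cce_enabled)
  en_a=$(printf '%s\n' "$4" | cce_enabled)
  pol_b=$(effective_input_policy "$2" "$3")
  pol_a=$(effective_input_policy "$5" "$6")
  printf 'enabled:      %s -> %s\nINPUT policy: %s -> %s\n' \
    "$en_b" "$en_a" "$pol_b" "$pol_a"
  [ "$en_b" = "$en_a" ] && [ "$pol_b" = "$pol_a" ]
}

# --- constructed samples, abridged from the dumps in the thread -------------
CCE_BEFORE='100 CSCP/0.80
102 DATA NAMESPACE = "Firewall"
102 DATA enabled = "0"
201 OK'
CCE_AFTER='100 CSCP/0.80
102 DATA NAMESPACE = "Firewall"
102 DATA enabled = "1"
201 OK'
SAVE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:acctin - [0:0]
-A INPUT -j acctin
COMMIT'
SCRIPT_BEFORE='# Firewall currently not enabled..
# /sbin/iptables -P INPUT ACCEPT
# /sbin/iptables -F INPUT
# /sbin/iptables -P FORWARD ACCEPT'
SCRIPT_AFTER='/sbin/iptables -P INPUT DROP
/sbin/iptables -F INPUT
/sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 80:81 -i eth0 -j ACCEPT
/sbin/iptables -P FORWARD ACCEPT'

# Stand-alone demo: reproduces the thread's finding (0 -> 1, ACCEPT -> DROP).
compare_reboot "$CCE_BEFORE" "$SAVE" "$SCRIPT_BEFORE" \
               "$CCE_AFTER"  "$SAVE" "$SCRIPT_AFTER" \
  || echo "firewall state changed across reboot"
```

On the affected machine, save the three artefacts before and after the reboot (`/etc/sysconfig/iptables`, `/etc/iptables.conf`, and the `get 1.Firewall` output from `/usr/sausalito/bin/cceclient`) and pass their contents to `compare_reboot`; `/sbin/iptables-save | policy_from_save INPUT` shows the policy the kernel is actually enforcing, which is the number to trust when the two files disagree.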