
Date:  Wed, 04 Oct 2006 21:22:07 +0200
From:  Dennis <dennis (at mark) mixfans.org>
Subject:  [coba-e:07427] Re: Firewall Report
To:  coba-e (at mark) bluequartz.org
Message-Id:  <452409DF.10200 (at mark) mixfans.org>
In-Reply-To:  <E9F126CA-A1FB-4E9E-8BE5-5FECEC53AAE2 (at mark) alpha.or.jp>
References:  <451B8BC5.4090106 (at mark) enavn.com> <200610011715.27432.bq (at mark) solarspeed.net> <fc.000f8147002514bf3b9aca00473905de.2514c2 (at mark) fc.zio.com> <200610020705.37006.bq (at mark) solarspeed.net> <fc.000f8147002517093b9aca00473905de.25170a (at mark) fc.zio.com> <4521485A.4010900 (at mark) mixfans.org> <352584B7-F156-44BD-8B50-03B49A4543EA (at mark) alpha.or.jp> <452295ED.5050203 (at mark) mixfans.org> <E9F126CA-A1FB-4E9E-8BE5-5FECEC53AAE2 (at mark) alpha.or.jp>
X-Mail-Count: 07427

That's an easy one ;-)

Before using the script: the INPUT rule was on ACCEPT.
Running the script: the INPUT rule will again be on DENY.
Changing back to ACCEPT and running the script again will put it back on 
DENY again.

the RPM info

Name        : base-firewall-capstone       Relocations: (not relocatable)
Version     : 1.0.1                             Vendor: cobalt
Release     : 23.centos4                    Build Date: Sat 04 Feb 2006 01:33:39 AM CET
Install Date: Thu 22 Jun 2006 11:12:47 PM CEST      Build Host: build-5100R-CentOS4.BlueQuartz.org
Group       : System Environment/BlueQuartz   Source RPM: base-firewall-1.0.1-23.centos4.src.rpm
Size        : 7917                             License: Sun modified BSD
Signature   : (none)
Summary     : capstone for base-firewall.
Description :
The base-firewall-capstone package contains the capstone information for base-firewall.

Dennis



Hisao SHIBUYA wrote:
> Thank you for your report.
>
> I think that the constructor or some script changes System.Firewall 
> CODB.
> But, on my environment, this issue doesn't appear.
> So, would you check the codb before executing the following
> script and after that?
> /usr/sausalito/constructor/base/firewall/50_initialize_ruleset.pl
>
> And please send the 'rpm -qi base-firewall-capstone' information.
>
> Hisao
>
>
> On 2006/10/04, at 1:55, Dennis wrote:
>
>> For the sake of many ;-)
>> Information about Firewall settings after power shutdown: (be happy I 
>> am running at home and it's not a production server like hosters here 
>> on this list)
>> Firewall is disabled, then a reboot.
>> I see that the netfilter hooks are unregistered and then 2x the 
>> ip_tables are shown in the startup before showing me the logon screen.
>>
>> Here is the output requested. Some things are changed from the default.
>>
>> Note: in the status screen I see that the FTP server icon is RED with 
>> an error message that it cannot be restarted. Also note that there is 
>> no Network status, but it is mentioned: The network gateway is not 
>> reachable. Please check that the network cable is plugged in securely, 
>> and that your network settings are configured.
>> Incoming http traffic is accepted; within my own network 
>> (192.168.1.x) sending e-mail is impossible.
>>
>> After reboot the firewall is enabled again,
>> Input rule is on DENY. Forward Rule and Output Rule is on Accept.
>>
>> When changing the Input rule to ACCEPT, all issues are solved.
>> Network Gateway and FTP are then also running fine.
>> Note that even if the Firewall is enabled (just default settings) and 
>> the above settings are on ACCEPT, the INPUT rule will be back on DENY 
>> after a reboot.
>>
>> I hope this will solve the issue with many servers and the firewall.
>>
>> :: DISABLED before reboot ::
>>
>> # /etc/sysconfig/iptables
>> # This file is automatically generated by log_traffic.
>> # Any manual changes will be lost
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> :acctin - [0:0]
>> :acctout - [0:0]
>> -A INPUT -j acctin
>> -A OUTPUT -j acctout
>> -A acctin -d 192.168.1.100/32
>> -A acctout -s 192.168.1.100/32
>> -A acctin -d 213.84.24.174/32
>> -A acctout -s 213.84.24.174/32
>> -A acctin -d 127.0.0.1/32
>> -A acctout -s 127.0.0.1/32
>> COMMIT
>>
>> :: AFTER REBOOT ::
>> # /etc/sysconfig/iptables
>> # This file is automatically generated by log_traffic.
>> # Any manual changes will be lost
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> :acctin - [0:0]
>> :acctout - [0:0]
>> -A INPUT -j acctin
>> -A OUTPUT -j acctout
>> -A acctin -d 192.168.1.100/32
>> -A acctout -s 192.168.1.100/32
>> -A acctin -d 213.84.24.174/32
>> -A acctout -s 213.84.24.174/32
>> -A acctin -d 127.0.0.1/32
>> -A acctout -s 127.0.0.1/32
>> COMMIT
>>
>>
>> :: DISABLED BEFORE REBOOT ::
>>
>> # start of auto-generated ipchains commands, do not edit below this line
>> # Firewall currently not enabled..
>> # input chain:
>> # /sbin/iptables -P INPUT ACCEPT
>> # /sbin/iptables -F INPUT
>> # /sbin/iptables -A INPUT -j acctin
>> # /sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -i lo -j ACCEPT
>> # /sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 1024:65535 -i eth0 -j ACCEPT
>> # /sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 389:389 -i eth0 -j ACCEPT
>> # /sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 143:143 -i eth0 -j ACCEPT
>> # /sbin/iptables -A INPUT -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 161:162 -i eth0 -j ACCEPT
>> # /sbin/iptables -A INPUT -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 389:389 -i eth0 -j ACCEPT
>> # /sbin/iptables -A INPUT -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 53:53 -i eth0 -j ACCEPT
>> # /sbin/iptables -A INPUT -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 42:42 -i eth0 -j ACCEPT
>> # /sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 110:110 -i eth0 -j ACCEPT
>> # /sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 20:23 -i eth0 -j ACCEPT
>> # /sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 80:81 -i eth0 -j ACCEPT
>> # /sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 443:444 -i eth0 -j ACCEPT
>> # /sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 53:53 -i eth0 -j ACCEPT
>> # /sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 25:25 -i eth0 -j ACCEPT
>> # /sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 123:123 -i eth0 -j ACCEPT
>> # /sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -i eth1 -j ACCEPT
>>
>> # forward chain:
>> # /sbin/iptables -P FORWARD ACCEPT
>> # /sbin/iptables -F FORWARD
>>
>> # output chain:
>> # /sbin/iptables -P OUTPUT ACCEPT
>> # /sbin/iptables -F OUTPUT
>> # /sbin/iptables -A OUTPUT -j acctout
>>
>>
>> :: AFTER REBOOT ::
>>
>> # start of auto-generated ipchains commands, do not edit below this line
>> # input chain:
>> /sbin/iptables -P INPUT DROP
>> /sbin/iptables -F INPUT
>> /sbin/iptables -A INPUT -j acctin
>> /sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -i lo -j ACCEPT
>> /sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 1024:65535 -i eth0 -j ACCEPT
>> /sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 389:389 -i eth0 -j ACCEPT
>> /sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 143:143 -i eth0 -j ACCEPT
>> /sbin/iptables -A INPUT -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 161:162 -i eth0 -j ACCEPT
>> /sbin/iptables -A INPUT -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 389:389 -i eth0 -j ACCEPT
>> /sbin/iptables -A INPUT -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 53:53 -i eth0 -j ACCEPT
>> /sbin/iptables -A INPUT -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 42:42 -i eth0 -j ACCEPT
>> /sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 110:110 -i eth0 -j ACCEPT
>> /sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 20:23 -i eth0 -j ACCEPT
>> /sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 80:81 -i eth0 -j ACCEPT
>> /sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 443:444 -i eth0 -j ACCEPT
>> /sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 53:53 -i eth0 -j ACCEPT
>> /sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 25:25 -i eth0 -j ACCEPT
>> /sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port 123:123 -i eth0 -j ACCEPT
>> /sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -i eth1 -j ACCEPT
>>
>> # forward chain:
>> /sbin/iptables -P FORWARD ACCEPT
>> /sbin/iptables -F FORWARD
>>
>> # output chain:
>> /sbin/iptables -P OUTPUT ACCEPT
>> /sbin/iptables -F OUTPUT
>> /sbin/iptables -A OUTPUT -j acctout
>>
>>
>> # end of auto-generated ipchains commands, do not edit above this line
>>
>>
>> :: before reboot ::
>>
>> [root@wb ~]# /usr/sausalito/bin/cceclient
>> 100 CSCP/0.80
>> 200 READY
>> get 1.Firewall
>> 102 DATA NAMESPACE = "Firewall"
>> 102 DATA initialized = "1"
>> 102 DATA CLASSVER = "1.0"
>> 102 DATA commit = "1159808918"
>> 102 DATA watchdog = "0"
>> 102 DATA dirty = "0"
>> 102 DATA enabled = "0"
>> 201 OK
>>
>>
>> :: after reboot ::
>> [root@wb dennis]# /usr/sausalito/bin/cceclient
>> 100 CSCP/0.80
>> 200 READY
>> get 1.Firewall
>> 102 DATA NAMESPACE = "Firewall"
>> 102 DATA initialized = "1"
>> 102 DATA CLASSVER = "1.0"
>> 102 DATA commit = "1159893199"
>> 102 DATA watchdog = "0"
>> 102 DATA dirty = "0"
>> 102 DATA enabled = "1"
>> 201 OK
>>
>> :: before reboot ::
>>
>> <property name="enabled" type="boolean" default="0" writeacl="ruleCapable(modifySystemFirewall)"/>
>>
>> :: after reboot ::
>> <property name="enabled" type="boolean" default="0" writeacl="ruleCapable(modifySystemFirewall)"/>
>>
>>
>> Hisao SHIBUYA wrote:
>>> Hi Dennis,
>>>
>>> I changed it so that the firewall is disabled by default.
>>> But I got some reports like yours.
>>>
>>> So, would you check the following information and send it to me?
>>> - Is the firewall enabled in the GUI?
>>> - /etc/sysconfig/iptables
>>> - /etc/iptables.conf
>>> - result of the following command
>>> # /usr/sausalito/bin/cceclient
>>> 100 CSCP/0.80
>>> 200 READY
>>> get 1.Firewall
>>> - grep enabled /usr/sausalito/schemas/base/firewall/Firewall.schema
>>>
>>> Hisao
>>>
>>>
>>> On 2006/10/03, at 2:11, Dennis wrote:
>>>
>>>> Since the latest update the basic firewall setting of BQ is doing 
>>>> strange things.
>>>>
>>>> It's enabled by default where I disabled it;
>>>> incoming traffic is denied where I wrote it has to accept it.
>>>>
>>>> This is causing the network not to be reachable and services to 
>>>> get very slow.
>>>>
>>>> Is there a way to disable the firewall by default (not in the admin 
>>>> interface) ?
>>>> Or is there a way to see why it's not keeping the settings after a 
>>>> reboot?
>>>>
>>>> Dennis
>>>>
>>>
>>>
>
>
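A consistency check for the three artefacts this thread compares (the cceclient Firewall.enabled flag, the /etc/sysconfig/iptables dump and the auto-generated iptables command script), added here as an example; it is not code from the thread or from BlueQuartz, and the sample inputs are constructed from the transcripts quoted above. It flags the case reported above, where the saved file still says INPUT ACCEPT while the boot script sets INPUT DROP.

```python
import re

# Constructed samples, trimmed from the transcripts quoted in this thread.
CSCP_BEFORE = '100 CSCP/0.80\n200 READY\nget 1.Firewall\n102 DATA enabled = "0"\n201 OK\n'
CSCP_AFTER = '100 CSCP/0.80\n200 READY\nget 1.Firewall\n102 DATA enabled = "1"\n201 OK\n'
SAVED = ("*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n"
         ":acctin - [0:0]\n-A INPUT -j acctin\nCOMMIT\n")
SCRIPT_BEFORE = ("# Firewall currently not enabled..\n# input chain:\n"
                 "# /sbin/iptables -P INPUT ACCEPT\n# /sbin/iptables -F INPUT\n")
SCRIPT_AFTER = ("# input chain:\n/sbin/iptables -P INPUT DROP\n/sbin/iptables -F INPUT\n"
                "/sbin/iptables -P FORWARD ACCEPT\n/sbin/iptables -P OUTPUT ACCEPT\n")


def parse_cscp_enabled(text):
    """Firewall.enabled from a cceclient 'get 1.Firewall' reply; None if absent."""
    m = re.search(r'^102 DATA enabled = "([01])"', text, re.M)
    return None if m is None else m.group(1) == "1"


def parse_iptables_save_policies(text):
    """Built-in chain policies from iptables-save lines such as ':INPUT ACCEPT [0:0]'.
    User-defined chains carry '-' instead of a policy and are ignored."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r'^:(\w+) (ACCEPT|DROP|REJECT) \[', text, re.M)}


def parse_script_policies(text):
    """Policies set by active '/sbin/iptables -P CHAIN TARGET' lines in the
    generated command script; lines commented out with '#' are never executed."""
    pol = {}
    for line in text.splitlines():
        m = re.match(r'^\s*/sbin/iptables -P (\w+) (\w+)', line)
        if m:
            pol[m.group(1)] = m.group(2)
    return pol


def firewall_drift(cscp, saved, script):
    """List the disagreements between the three artefacts (empty list = consistent)."""
    issues = []
    enabled = parse_cscp_enabled(cscp)
    script_pol = parse_script_policies(script)
    saved_pol = parse_iptables_save_policies(saved)
    if enabled is False and script_pol:
        issues.append("CODB says enabled=0 but the boot script sets policies %s" % script_pol)
    for chain, target in script_pol.items():
        if chain in saved_pol and saved_pol[chain] != target:
            issues.append("%s policy: saved file %s, boot script %s"
                          % (chain, saved_pol[chain], target))
    return issues
```

Run `firewall_drift(CSCP_AFTER, SAVED, SCRIPT_AFTER)` on a box showing the symptom to get the INPUT mismatch in one line; an empty list means the three sources agree.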