ipchains

[Jeff]

On Sat, Mar 18, 2000 at 07:23:04PM -0500, Shelly L. Hokanson wrote:
> my question is - what is the best way to test that the firewall is secure? i
> configured mine using ipchains (also doing masquerading for my internal lan,
> which is set up as a 192.168.x.x network - my external interface is an isdn
> connection at work). i had been reading about the prog SAINT, but it seems
> that must be run from another linux box, as a remote admin sort of tool. the
> linux firewall box is the only linux box on the network at my job - all others
> are NT servers and win98 workstations. i also tried the port scanner at
> www.hackerwhacker.com, but that only scans 11 ports (5 of which it says i have
> open, though it won't elaborate without $$$). any other programs anyone could
> recommend for firewall testing?

If you want to scan ports, pick up nmap.  http://www.insecure.org/nmap
It is a great little utility for checking your box.  It would also be a
good idea to run it from the other side of the ISDN line, and from the
internal network -- this is where the attacks will be coming from.
However, it will only tell you the ports, some information about the
sequence numbers and guess the OS if you tell it to.  It won't actually
print out any vulnerabilities or try to break through the firewall.

As for other methods of testing, go and find some firewall subversion
programs.  I don't know of anything off hand, but there is stuff out
there.  I'm not big into the security sites (just a Bugtraq lurker),
anyone have any suggestions for some good ones?

> 
> also... with an ipchains packet filter in place, how important is it that
> certain ports are left open? i've turned off everything i don't need from
> inetd.conf, and removed unnecessary services from my rc3.d. what other methods
> are there to close ports - must i put ipchains rules in regarding specific
> ports? (my firewall script is currently very general, referring only to the
> ability of external traffic to traverse past eth0 onto my local lan - no ports
> specified).

Sounds pretty good.  The only cases where you might want to block out
specific ports with Ipchains is if you want to monitor a specific port
for abuse; like to watch if people are trying to DOS your win boxes on
one of the netbios ports (I don't think win98 is vulnerable to that
one... but I have little to no experience with that OS).

-- 
Jeff
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/M/>P d-(pu) s+:- a17>? C++(++++) L+++ UL++++@>$ P+ E--- W++@ N+ o? K++ w--- O? M V- PS+ PE(--)@ Y+@ PGP++ t+ 5 X++@ R++@ !tv@ b++ DI++++ D- G e- h! r% y?
------END GEEK CODE BLOCK------

My Public Key -- http://24.5.73.229/pubkey.txt 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 248 bytes
Desc: not available
Url : http://linuxchix.org/pipermail/techtalk/attachments/20000318/b662728b/attachment.pgp