I'm having a problem with ipkungfu on one of my boxes. According to the
log files, it's running, but it doesn't seem to be firewalling. It's
not working on 192.168.1.2. Here's nmap output from 192.168.1.3:

camille ~ # nmap -sT -PT 192.168.1.2

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-10-04 20:39 CDT
Interesting ports on bullet.espersunited.com (192.168.1.2):
(The 1657 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
143/tcp  open  imap
445/tcp  open  microsoft-ds
587/tcp  open  submission
631/tcp  open  ipp
746/tcp  open  unknown
993/tcp  open  imaps
2049/tcp open  nfs
3632/tcp open  distccd
MAC Address: 00:10:4B:73:8E:81 (3com)

Nmap finished: 1 IP address (1 host up) scanned in 0.597 seconds

Here's /etc/ipkungfu/ipkungfu.conf. It's the only file I've altered for
ipkungfu:

# Please read the README and FAQ for more information

# Some distros (most notably Redhat) don't have
# everything we need in $PATH so we specify it here.
# Make sure modprobe, iptables, and route are here,
# as well as ordinary items such as echo and grep.
# Default is as shown in the example below.
#PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin

# Your external interface
# This is the one that connects to the internet.
# Ipkungfu will detect this if you don't specify.
EXT_NET="eth0"
#EXT_NET="eth1"
#EXT_NET="ppp0"

# Your internal interfaces, if any. If you have more
# than 1 internal interface, separate them with
# spaces. If you only have one interface, put "lo"
# here. Default is auto-detected.
#INT_NET="eth0"
#INT_NET="eth1"
#INT_NET="lo"

# IP Range of your internal network. Use "127.0.0.1"
# for a standalone machine. Default is a reasonable
# guess.
LOCAL_NET="192.168.1.0/255.255.255.0"

# Set this to 0 for a standalone machine, or 1 for
# a gateway device to share an Internet connection.
# Default is 1.
#GATEWAY=1

# TCP ports you want to allow for incoming traffic
# Don't add ports here that you intend to forward.
# This should be a list of tcp ports that have
# servers listening on them on THIS machine,
# separated by spaces. Default is none.
ALLOWED_TCP_IN="21 22 25 80"

# UDP ports to allow for incoming traffic
# See the comments above for ALLOWED_TCP_IN
#ALLOWED_UDP_IN=""

# Temporarily block future connection attempts from an
# IP that hits these ports (If module is present)
#FORBIDDEN_PORTS="135 137 139"

# Drop all ping packets?
# Set to 1 for yes, 0 for no. Default is no.
#BLOCK_PINGS=0

# Possible values here are "DROP", "REJECT", or "MIRROR"
#
# "DROP" means your computer will not respond at all. "Stealth mode"
#
# "REJECT" means your computer will respond with a
# message that the packet was rejected.
#
# "MIRROR", if your kernel supports it, will swap the source and
# destination IP addresses, and send the offending packet back
# where it came from. USE WITH EXTREME CAUTION! Only use this if you
# fully understand the consequences.
#
# The safest option, and the default in each case, is "DROP". Don't
# change unless you fully understand this.


# What to do with 'probably malicious' packets
#SUSPECT="REJECT"
SUSPECT="DROP"

# What to do with obviously invalid traffic
# This is also the action for FORBIDDEN_PORTS
#KNOWN_BAD="REJECT"
KNOWN_BAD="DROP"

# What to do with port scans
#PORT_SCAN="REJECT"
PORT_SCAN="DROP"

# How should ipkungfu determine your IP address? The default
# answer, "NONE", will cause ipkungfu to not use the few
# features that require it to know your external IP address.
# This option is good for dialup users who run ipkungfu on
# bootup, since dialup users rarely use the features that
# require this, and the IP address for a dialup connection
# generally isn't known at bootup. "AUTO" will cause
# ipkungfu to automatically determine the IP address of
# $EXT_NET when it is started. If you have a static IP
# address you can simply enter your IP address here.
# If you do port forwarding and your ISP changes your IP
# address, choose NONE here, or your port forwarding
# will break when your IP address changes. Default is
# "NONE".
#GET_IP="NONE"
GET_IP="AUTO"
#GET_IP="192.268.1.2"

# If the target for identd (113/tcp) is DROP, it can take
# a long time to connect to some IRC servers. Set this to
# 1 to speed up these connections with a negligible cost
# to security. Identd probes will be rejected with the
# 'reject-with-tcp-reset' option to close the connection
# gracefully. If you want to actually allow ident probes,
# and you're running an identd, and you've allowed port
# 113 in ALLOWED_TCP_IN, set this to 0. Default is 0.
DONT_DROP_IDENTD=1

# Set this to 0 if you're running ipkungfu on a machine
# inside your LAN. This will cause private IP addresses
# coming in on $EXT_NET to be identified as a spoof,
# which would be inaccurate on intra-LAN traffic
# This will cause private IP addresses coming in on
# $EXT_NET to be identified as a spoof. Default is 1.
#DISALLOW_PRIVATE=1

# For reasons unknown to me, ipkungfu sometimes causes
# kernel panics when run at init time. This is my
# attempt to work around that. Ipkungfu will wait
# the specified number of seconds before starting, to
# let userspace/kernel traffic catch up before executing.
# Default is 0.
WAIT_SECONDS=5

# This option, if enabled, will cause ipkungfu to set
# the default policy on all builtin chains in the filter
# table to ACCEPT in the event of a failure. This is
# intended for remote administrators who may be locked
# out of the firewall if ipkungfu fails. A warning to
# this effect will be echoed so that the situation can be
# rectified quickly. This is the same as running
# ipkungfu with --failsafe. Default is 0.
#FAILSAFE=0

This config is the exact same as on my other two boxes, except that the
other two work. What gives?

--
gentoo-user@g.o mailing list
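The post shows the symptom directly: ALLOWED_TCP_IN names four TCP ports, yet the scan reports sixteen open, which is what an unfiltered host looks like rather than a misconfigured one. The script below is an added example for checking that mechanically; it is not part of the original post or of ipkungfu. It cross-checks open ports from nmap output against the active ALLOWED_TCP_IN value, and separately classifies an iptables-save dump so you can tell an absent ruleset (empty INPUT chain with ACCEPT policy, which is also what the FAILSAFE option leaves behind after a failed start) from a present one. The nmap excerpt, the config excerpt and the iptables-save dump embedded here are constructed samples; the function names are the example's own.

```shell
#!/bin/sh
# Added example: cross-check a scan against ipkungfu's ALLOWED_TCP_IN and
# classify the live filter table. Sample data below is constructed.

# Constructed excerpt of an `nmap -sT` report (same shape as the post's).
NMAP_OUT='PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2049/tcp open nfs
3632/tcp open distccd'

# Constructed excerpt of ipkungfu.conf; only the allow list matters here.
CONF='# TCP ports you want to allow for incoming traffic
#ALLOWED_TCP_IN="21"
ALLOWED_TCP_IN="21 22 25 80"
#ALLOWED_UDP_IN=""'

# Constructed `iptables-save` output of a host with no rules loaded.
IPTABLES_SAVE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Print the open TCP ports from nmap output on stdin, one per line.
open_tcp_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { sub(/\/tcp$/, "", $1); print $1 }'
}

# Extract the active (uncommented) ALLOWED_TCP_IN value from a config on stdin.
# Commented-out assignments are skipped because the pattern is anchored at ^.
allowed_tcp_in() {
    sed -n 's/^ALLOWED_TCP_IN="\([^"]*\)".*/\1/p' | tail -n 1
}

# Read open ports on stdin and print those not in the allow list given as $1.
# With the firewall applied these would show as filtered, not open.
unexpected_open() {
    allowed="$1"
    while read -r port; do
        case " $allowed " in
            *" $port "*) ;;
            *) echo "$port" ;;
        esac
    done
}

# Classify the filter table from `iptables-save` output on stdin:
# "absent" when INPUT has policy ACCEPT and no rules at all,
# "present" otherwise.
input_filter_state() {
    awk '
        /^:INPUT /  { policy = $2 }
        /^-A INPUT / { rules++ }
        END { if (policy == "ACCEPT" && rules == 0) print "absent"; else print "present" }'
}

main() {
    allowed=$(printf '%s\n' "$CONF" | allowed_tcp_in)
    echo "ALLOWED_TCP_IN: $allowed"
    echo "open but not allowed:"
    printf '%s\n' "$NMAP_OUT" | open_tcp_ports | unexpected_open "$allowed"
    echo "filter table: $(printf '%s\n' "$IPTABLES_SAVE" | input_filter_state)"
}

main "$@"
```

On a real host, feed `nmap -sT <target>` output from a second machine into `open_tcp_ports`, the actual `/etc/ipkungfu/ipkungfu.conf` into `allowed_tcp_in`, and `iptables-save` run on the target into `input_filter_state`. A long list of unexpected ports together with `absent` means the rules never got loaded, which is a different problem from an allow list that is too wide.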