| 1 |
I'm having a problem with ipkungfu on one of my boxes. According to the |
| 2 |
log files, it's running, but it doesn't seem to be firewall-ing. It's |
| 3 |
not working on 192.168.1.2. Here's nmap output from 192.168.1.3: |
| 4 |
|
| 5 |
camille ~ # nmap -sT -PT 192.168.1.2 |
| 6 |
|
| 7 |
Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-10-04 20:39 |
| 8 |
CDT |
| 9 |
Interesting ports on bullet.espersunited.com (192.168.1.2): |
| 10 |
(The 1657 ports scanned but not shown below are in state: closed) |
| 11 |
PORT STATE SERVICE |
| 12 |
21/tcp open ftp |
| 13 |
22/tcp open ssh |
| 14 |
25/tcp open smtp |
| 15 |
53/tcp open domain |
| 16 |
80/tcp open http |
| 17 |
111/tcp open rpcbind |
| 18 |
139/tcp open netbios-ssn |
| 19 |
143/tcp open imap |
| 20 |
445/tcp open microsoft-ds |
| 21 |
587/tcp open submission |
| 22 |
631/tcp open ipp |
| 23 |
746/tcp open unknown |
| 24 |
993/tcp open imaps |
| 25 |
2049/tcp open nfs |
| 26 |
3632/tcp open distccd |
| 27 |
MAC Address: 00:10:4B:73:8E:81 (3com) |
| 28 |
|
| 29 |
Nmap finished: 1 IP address (1 host up) scanned in 0.597 seconds |
| 30 |
|
| 31 |
Here's /etc/ipkungfu/ipkungfu.conf. It's the only file I've altered for |
| 32 |
ipkungfu: |
| 33 |
|
| 34 |
# Please read the README and FAQ for more information |
| 35 |
|
| 36 |
# Some distros (most notably Redhat) don't have |
| 37 |
# everything we need in $PATH so we specify it here. |
| 38 |
# Make sure modprobe, iptables, and route are here, |
| 39 |
# as well as ordinary items such as echo and grep. |
| 40 |
# Default is as shown in the example below. |
| 41 |
#PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin |
| 42 |
|
| 43 |
# Your external interface |
| 44 |
# This is the one that connects to the internet. |
| 45 |
# Ipkungfu will detect this if you don't specify. |
| 46 |
EXT_NET="eth0" |
| 47 |
#EXT_NET="eth1" |
| 48 |
#EXT_NET="ppp0" |
| 49 |
|
| 50 |
# Your internal interfaces, if any. If you have more |
| 51 |
# than 1 internal interface, separate them with |
| 52 |
# spaces. If you only have one interface, put "lo" |
| 53 |
# here. Default is auto-detected. |
| 54 |
#INT_NET="eth0" |
| 55 |
#INT_NET="eth1" |
| 56 |
#INT_NET="lo" |
| 57 |
|
| 58 |
# IP Range of your internal network. Use "127.0.0.1" |
| 59 |
# for a standalone machine. Default is a reasonable |
| 60 |
# guess. |
| 61 |
LOCAL_NET="192.168.1.0/255.255.255.0" |
| 62 |
|
| 63 |
# Set this to 0 for a standalone machine, or 1 for |
| 64 |
# a gateway device to share an Internet connection. |
| 65 |
# Default is 1. |
| 66 |
#GATEWAY=1 |
| 67 |
|
| 68 |
# TCP ports you want to allow for incoming traffic |
| 69 |
# Don't add ports here that you intend to forward. |
| 70 |
# This should be a list of tcp ports that have |
| 71 |
# servers listening on them on THIS machine, |
| 72 |
# separated by spaces. Default is none. |
| 73 |
ALLOWED_TCP_IN="21 22 25 80" |
| 74 |
|
| 75 |
# UDP ports to allow for incoming traffic |
| 76 |
# See the comments above for ALLOWED_TCP_IN |
| 77 |
#ALLOWED_UDP_IN="" |
| 78 |
|
| 79 |
# Temporarily block future connection attempts from an |
| 80 |
# IP that hits these ports (If module is present) |
| 81 |
#FORBIDDEN_PORTS="135 137 139" |
| 82 |
|
| 83 |
# Drop all ping packets? |
| 84 |
# Set to 1 for yes, 0 for no. Default is no. |
| 85 |
#BLOCK_PINGS=0 |
| 86 |
|
| 87 |
# Possible values here are "DROP", "REJECT", or "MIRROR" |
| 88 |
# |
| 89 |
# "DROP" means your computer will not respond at all. "Stealth mode" |
| 90 |
# |
| 91 |
# "REJECT" means your computer will respond with a |
| 92 |
# message that the packet was rejected. |
| 93 |
# |
| 94 |
# "MIRROR", if your kernel supports it, will swap the source and |
| 95 |
# destination IP addresses, and send the offending packet back |
| 96 |
# where it came from. USE WITH EXTREME CAUTION! Only use this if you |
| 97 |
fully |
| 98 |
# understand the consequences. |
| 99 |
# |
| 100 |
# The safest option, and the default in each case,, is "DROP". Don't |
| 101 |
change |
| 102 |
# unless you fully understand this. |
| 103 |
|
| 104 |
|
| 105 |
# What to do with 'probably malicious' packets |
| 106 |
#SUSPECT="REJECT" |
| 107 |
SUSPECT="DROP" |
| 108 |
|
| 109 |
# What to do with obviously invalid traffic |
| 110 |
# This is also the action for FORBIDDEN_PORTS |
| 111 |
#KNOWN_BAD="REJECT" |
| 112 |
KNOWN_BAD="DROP" |
| 113 |
|
| 114 |
# What to do with port scans |
| 115 |
#PORT_SCAN="REJECT" |
| 116 |
PORT_SCAN="DROP" |
| 117 |
|
| 118 |
# How should ipkungfu determine your IP address? The default |
| 119 |
# answer, "NONE", will cause ipkungfu to not use the few |
| 120 |
# features that require it to know your external IP address. |
| 121 |
# This option is good for dialup users who run ipkungfu on |
| 122 |
# bootup, since dialup users rarely use the features that |
| 123 |
# require this, and the IP address for a dialup connection |
| 124 |
# generally isn't known at bootup. "AUTO" will cause |
| 125 |
# ipkungfu to automatically determine the IP address of |
| 126 |
# $EXT_NET when it is started. If you have a static IP |
| 127 |
# address you can simply enter your IP address here. |
| 128 |
# If you do port forwarding and your ISP changes your IP |
| 129 |
# address, choose NONE here, or your port forwarding |
| 130 |
# will break when your IP address changes. Default is |
| 131 |
# "NONE". |
| 132 |
#GET_IP="NONE" |
| 133 |
GET_IP="AUTO" |
| 134 |
#GET_IP="192.268.1.2" |
| 135 |
|
| 136 |
# If the target for identd (113/tcp) is DROP, it can take |
| 137 |
# a long time to connect to some IRC servers. Set this to |
| 138 |
# 1 to speed up these connections with a negligible cost |
| 139 |
# to security. Identd probes will be rejected with the |
| 140 |
# 'reject-with-tcp-reset' option to close the connection |
| 141 |
# gracefully. If you want to actually allow ident probes, |
| 142 |
# and you're running an identd, and you've allowed port |
| 143 |
# 113 in ALLOWED_TCP_IN, set this to 0. Default is 0. |
| 144 |
DONT_DROP_IDENTD=1 |
| 145 |
|
| 146 |
# Set this to 0 if you're running ipkungfu on a machine |
| 147 |
# inside your LAN. This will cause private IP addresses |
| 148 |
# coming in on $EXT_NET to be identified as a spoof, |
| 149 |
# which would be inaccurate on intra-LAN traffic |
| 150 |
# This will cause private IP addresses coming in on |
| 151 |
# $EXT_NET to be identified as a spoof. Default is 1. |
| 152 |
#DISALLOW_PRIVATE=1 |
| 153 |
|
| 154 |
# For reasons unknown to me, ipkungfu sometimes causes |
| 155 |
# kernel panics when run at init time. This is my |
| 156 |
# attempt to work around that. Ipkungfu will wait |
| 157 |
# the specified number of seconds before starting, to |
| 158 |
# let userspace/kernel traffic catch up before executing. |
| 159 |
# Default is 0. |
| 160 |
WAIT_SECONDS=5 |
| 161 |
|
| 162 |
# This option, if enabled, will cause ipkungfu to set |
| 163 |
# the default policy on all builtin chains in the filter |
| 164 |
# table to ACCEPT in the event of a failure. This is |
| 165 |
# intended for remote administrators who may be locked |
| 166 |
# out of the firewall if ipkungfu fails. A warning to |
| 167 |
# this effect will be echoed so that the situation can be |
| 168 |
# rectified quickly. This is the same as running |
| 169 |
# ipkungfu with --failsafe. Default is 0. |
| 170 |
#FAILSAFE=0 |
| 171 |
|
| 172 |
This config is the exact same as on my other two boxes, except that the |
| 173 |
other two work. What gives? |
| 174 |
|
| 175 |
-- |
| 176 |
gentoo-user@g.o mailing list |
Archives