Hi all,

I went looking for a firewall and found and love firestarter, except that
it fails to load at startup. I have to start it manually after I log in,
and that sucks. It tries to run when my computer is booting, but it fails.
Anyone else have a simular problem? Whats the solution? Also, I'm being
bombarded with incoming traffic on ports 1026, 1027, and 1028. All UPD
protocol. Once my firewall is started, I don't really need to worry about
these, but since my firewall isn't starting at boot, like it should, I'm
worried that I might be at some sort of risk. Is this normal traffic?
Should I be allowing these incoming connections? Anyone have any idea
what these connection attempts are about?

I've also had a number of high-risk connection attempts, though they are
not nearly so frequent. I get SAMBA connection attempts on port 139 and
microsoft-ds trying to connect on port 445. I'm thinking that these are
some sort of hack attempt. The ips are always different, so I suspect my
hackers are running sort of fakeip program. Is there anything I co do
about this? or is it safe to ignore these things?

Thanks All,

Tony.

On 08/21/2007 02:56 AM, Tony Peardon wrote:
> Hi all,
>
> I went looking for a firewall and found and love firestarter, except that
> it fails to load at startup. I have to start it manually after I log in,
> and that sucks. It tries to run when my computer is booting, but it fails.
> Anyone else have a simular problem? Whats the solution? Also, I'm being
> bombarded with incoming traffic on ports 1026, 1027, and 1028. All UPD
> protocol. Once my firewall is started, I don't really need to worry about
> these, but since my firewall isn't starting at boot, like it should, I'm
> worried that I might be at some sort of risk. Is this normal traffic?
> Should I be allowing these incoming connections? Anyone have any idea
> what these connection attempts are about?
>

UDP ports 1026-1028 relate to Windows; if you're running Debian, don't
worry about your Debian machine.

> I've also had a number of high-risk connection attempts, though they are
> not nearly so frequent. I get SAMBA connection attempts on port 139 and
> microsoft-ds trying to connect on port 445. I'm thinking that these are
> some sort of hack attempt.

Yes

> The ips are always different, so I suspect my
> hackers are running sort of fakeip program.

No, the hackers have control of 500,000 to 1,000,000 different machines.

> Is there anything I co do
> about this? or is it safe to ignore these things?
>
> Thanks All,
>
> Tony.

If you connect to the Internet using dial-up, I think you can configure
Firestarter to activate when the ppp link comes up.

If you have an always-on Internet connection, you might have to use
update-rc.d (or some other method of renaming scripts in /etc/rcX.d) to
get firestarter to load later in the boot process.

IOW, S20firestarter might become S60firestarter. Later in the boot
process more things are enabled, so the chances that Firestarter will
load properly are increased.

Tony Peardon wrote:

> Hi all,
>
> I went looking for a firewall and found and love firestarter, except that
> it fails to load at startup. I have to start it manually after I log in,
> and that sucks. It tries to run when my computer is booting, but it fails.
> Anyone else have a simular problem? Whats the solution? Also, I'm being
> bombarded with incoming traffic on ports 1026, 1027, and 1028. All UPD
> protocol. Once my firewall is started, I don't really need to worry about
> these, but since my firewall isn't starting at boot, like it should, I'm
> worried that I might be at some sort of risk. Is this normal traffic?
> Should I be allowing these incoming connections? Anyone have any idea
> what these connection attempts are about?
>
> I've also had a number of high-risk connection attempts, though they are
> not nearly so frequent. I get SAMBA connection attempts on port 139 and
> microsoft-ds trying to connect on port 445. I'm thinking that these are
> some sort of hack attempt. The ips are always different, so I suspect my
> hackers are running sort of fakeip program. Is there anything I co do
> about this? or is it safe to ignore these things?
>
> Thanks All,
>
> Tony.
Here's what works for my Sid/KDE install

* In /home/your_username/.kde/Autostart, create a file called firestarter,
containing this:
#!/bin/sh
sudo firestarter --start-hidden
Set permissions rwx-r-xr-x

* Add this to /etc/sudoers:
your_username ALL=NOPASSWD: /usr/sbin/firestarter

I normally connect to the internet through a router which does a great
job of filtering out incoming, but I run Firestarter as well. Without
the router, I see a lot of traffic on ports 1026/7/8 too.

On Tue, 21 Aug 2007 07:56:41 +0000, Tony Peardon wrote:

> Hi all,
>
> I went looking for a firewall and found and love firestarter, except
> that it fails to load at startup. I have to start it manually after I
> log in, and that sucks. It tries to run when my computer is booting, but
> it fails. Anyone else have a simular problem? Whats the solution?

Well, firestarter is just a GUI frontend for IP tables, you don't need to
have the GUI up in order to have the ports closed. If you think about it,
it seems natural that it couldn't start until the network interface is up
(since that is what it is going to monitor), which is related to what
Munia W told you.


> Also, I'm being
> bombarded with incoming traffic on ports 1026, 1027, and 1028. All UPD
> protocol. Once my firewall is started, I don't really need to worry
> about these, but since my firewall isn't starting at boot, like it
> should, I'm worried that I might be at some sort of risk. Is this normal
> traffic? Should I be allowing these incoming connections? Anyone have
> any idea what these connection attempts are about?
>

Yes, normal traffic on the Internet these days. Have a look at your
syslog, are any of those connections getting through or are they dropped?

Some could be scans looking for open ports to exploit a vulnerability,
some are probably just packets that are trying to reach a computer that
previously had that IP address.


> I've also had a number of high-risk connection attempts, though they are
> not nearly so frequent. I get SAMBA connection attempts on port 139 and
> microsoft-ds trying to connect on port 445. I'm thinking that these are
> some sort of hack attempt. The ips are always different, so I suspect my
> hackers are running sort of fakeip program. Is there anything I co do
> about this? or is it safe to ignore these things?
>

Define "high-risk connection attempts". As long as they only try but get
dropped, can't do you much good to worry about them.

On Tue, 21 Aug 2007 06:49:18 -0700, Rodney wrote:

> On Tue, 21 Aug 2007 07:56:41 +0000, Tony Peardon wrote:

[snip]

> Well, firestarter is just a GUI frontend for IP tables, you don't need
> to have the GUI up in order to have the ports closed. If you think about
> it, it seems natural that it couldn't start until the network interface
> is up (since that is what it is going to monitor), which is related to
> what Munia W told you.

Are you saying that I don't need to have my firewall running in order to
protect my computer. It will still only allow connections that I've
authorized with the firewall? If that's the case, then that is great,
since my machine doesn't have lots of memory. I've got firestarter set to
restrictive by default, so if I understand correctly, I should only need
to run firestarter when I want to change something in the firewall, like
authorize an out-going connection. Is that right? If so, how can I stop
firestarter from trying to start when my computer boots. If you recall,
it is failing anyhow.


>
>> Also, I'm being
>> bombarded with incoming traffic on ports 1026, 1027, and 1028. All UPD
>> protocol. Once my firewall is started, I don't really need to worry
>> about these, but since my firewall isn't starting at boot, like it
>> should, I'm worried that I might be at some sort of risk. Is this
>> normal traffic? Should I be allowing these incoming connections?
>> Anyone have any idea what these connection attempts are about?
>>
>>
> Yes, normal traffic on the Internet these days. Have a look at your
> syslog, are any of those connections getting through or are they
> dropped?

Sorry, I'm so new. I have no idea where I would find my syslog. From what
I'm now understanding though, it's unlikely that any of these connection
attempts has gotten through.

Thanks lots.

Tony.

PS. Where can I get a look at my IP-Tables? And what exactly are they?

Government satellites recorded Tony Peardon saying:
>
> Are you saying that I don't need to have my firewall running in order to
> protect my computer. It will still only allow connections that I've
> authorized with the firewall? If that's the case, then that is great,
> since my machine doesn't have lots of memory. I've got firestarter set to
> restrictive by default, so if I understand correctly, I should only need
> to run firestarter when I want to change something in the firewall, like
> authorize an out-going connection. Is that right? If so, how can I stop
> firestarter from trying to start when my computer boots. If you recall,
> it is failing anyhow.

The supplied kernel has a built-in "table" which is "stealthy" (as some call it)
and ping is "closed". There is an easier way which I use and doesn't rely on
iptables, other applications, memory or the kernel and its upgrades: a router. I
use one and have no problems at all. Should you be wondering which I use, it is
a di604e by d-link (about 35 USD).

--
sk8r-365

http://goodbye-microsoft.com/

On 08/21/2007 04:42 PM, Tony Peardon wrote:
> [...]
> PS. Where can I get a look at my IP-Tables? And what exactly are they?

Iptables is a complicated, low-level way to configure the Linux
firewall. If you're new to Linux, you want to stay with Firestarter.

Mumia W. <paduille.4061.mumia.w+nospam@earthlink.net> wrote:
> On 08/21/2007 04:42 PM, Tony Peardon wrote:
>> [...]
>> PS. Where can I get a look at my IP-Tables? And what exactly are they?
>
> Iptables is a complicated, low-level way to configure the Linux
> firewall. If you're new to Linux, you want to stay with Firestarter.
>
Complicated? Not at all. Go here
http://monmothas.shacknet.nu/firewall/download/
download the script make it executable drop it in your /etc/rc.d
directory. Read README for better explanation.

--
[Hello to all my friends and fans in domestic surveillance!]
SHA Nazi NASA Osama MD5 Leuken-Baden Area 51 IMF Dick Cheney cypherpunk
Cohiba encryption number key military AVN

[edit]
>
> Are you saying that I don't need to have my firewall running in order to
> protect my computer. It will still only allow connections that I've
> authorized with the firewall? If that's the case, then that is great,
> since my machine doesn't have lots of memory. I've got firestarter set
> to restrictive by default, so if I understand correctly, I should only
> need to run firestarter when I want to change something in the firewall,
> like authorize an out-going connection. Is that right? If so, how can I
> stop firestarter from trying to start when my computer boots. If you
> recall, it is failing anyhow.
>
>

I'm saying you don't need to have the GUI running on your desktop all
the time if you installed a Debian package of Firestarter. It sets up
firestarter to run as a service during init.

A good place to find the docs on Firestarter is:
http://www.fs-security.com/docs
You may want to pay special attention the the topic "persistence of the
firewall" in the advanced topics section.


>
> Sorry, I'm so new. I have no idea where I would find my syslog. From
> what I'm now understanding though, it's unlikely that any of these
> connection attempts has gotten through.
>
>

Syslog is in the directory /var/log/
You don't actually need to look in the syslog if you have the Firestarter
GUI up because because it has the information displayed on the "Events"
tab. That could be one reason you might want to use the GUI, if you wanted
to monitor the hits.


> PS. Where can I get a look at my IP-Tables? And what exactly are they?

Well, I would suggest first you enter man iptables in a terminal and read
through the manual page, then decide if you want to look at the raw
data or continue to use the GUI for configuration. The policy tab in
Firestarter has the "rules".