I have a firewall.sh file......where should I put it so it can be executed
on boot?
and how do I tell slack to execute it on boot?

Simon

--
"Of all the things I've lost, I miss my mind the most" - Ozzy Osbourne

Registered Linux User #306035

"Simon Atkins" <Bonzodog0@ntlworld.com> wrote in message
newsan.2003.08.16.10.09.03.138070@ntlworld.com.. .
> I have a firewall.sh file......where should I put it so it can be executed
> on boot?
> and how do I tell slack to execute it on boot?

Look at /etc/rc.d/rc.inet2 and place rc.firewall in the same directory.

Sean

cp firewall.sh /etc/rc.d #Put it in /etc/rc.d
cd /etc/rc.d #change directory to rc.d
chmod +x firewall.sh #change the permissions to make it
executeable

you should really read up on firewalls and firewall rules to make this work
right. otherwise you'll be as insecure with a firewall as without it.

-mmm

"Simon Atkins" <Bonzodog0@ntlworld.com> wrote in message
newsan.2003.08.16.10.09.03.138070@ntlworld.com.. .
> I have a firewall.sh file......where should I put it so it can be executed
> on boot?
> and how do I tell slack to execute it on boot?
>
> Simon
>
> --
> "Of all the things I've lost, I miss my mind the most" - Ozzy Osbourne
>
> Registered Linux User #306035
>
>
>

In article <1dM%a.750468$ro6.15281244@news2.calgary.shaw.ca >,
Bologna wrote:
> cp firewall.sh /etc/rc.d #Put it in /etc/rc.d
> cd /etc/rc.d #change directory to rc.d
> chmod +x firewall.sh #change the permissions to make it

echo "Please do not top-post "
less rc.inet2 # and search for "fire"
mv firewall.sh rc.firewall

> you should really read up on firewalls and firewall rules to make this work
> right. otherwise you'll be as insecure with a firewall as without it.

Many ready-made firewalls one might download are good, unless translated
from ipchains. But even with a good firewall, one must give due
consideration to:
o the security of any daemons on open ports
o vulnerabilities in iptables itself
o TCP/IP problems in the kernel
o internal threats
--
/dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
or put "not-spam" or "/dev/rob0" in Subject header to reply

On Sun, 17 Aug 2003 15:37:15 +0000, Mark Hill wrote:

> On 2003-08-17,
> Bologna <mmm@good.com> wrote:
<Snip>

Um..thanks guys, I have it working now, figured it out when I looked in
the rc files
got some strange stuff tho when I fired it up........
dmesg gives out a whole list of 'firewall caught' messages, and unroutable
reports (about 500 in all), although they seem to be repeating the same
info. Any ideas?
sample;

firewall caught:IN=eth0 OUT= MAC=<mac address of CM> SRC=<ip of ISP>
DST=<Own dynamic IP> LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=29776 PROTO=TCP
SPT=3886 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0

there are about 500 of these with varying IP addresses and some with
PROTO=UDP on them. some have a mac=ff:ff:ff:ff:ff:ff: etc

Any info on what these mean would be useful.

Simon

--
"Of all the things I've lost, I miss my mind the most" - Ozzy Osbourne

Registered Linux User #306035

On 2003-08-17,
/dev/rob0 <rob0@gmx.co.uk> wrote:

> less rc.inet2 # and search for "fire"

I just found out you can do both in one go. :-)
less -p firewall /etc/rc.d/rc.inet2


--
Mark Hill <mark_usenet@yahoo.co.uk>

On Sunday 17 August 2003 5:23 pm in alt.os.linux.slackware Simon Atkins
wrote:

> On Sun, 17 Aug 2003 15:37:15 +0000, Mark Hill wrote:
>
>> On 2003-08-17,
>> Bologna <mmm@good.com> wrote:
> <Snip>
>
> Um..thanks guys, I have it working now, figured it out when I looked in
> the rc files
> got some strange stuff tho when I fired it up........
> dmesg gives out a whole list of 'firewall caught' messages, and unroutable
> reports (about 500 in all), although they seem to be repeating the same
> info. Any ideas?
> sample;
>
> firewall caught:IN=eth0 OUT= MAC=<mac address of CM> SRC=<ip of ISP>
> DST=<Own dynamic IP> LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=29776 PROTO=TCP
> SPT=3886 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
>
> there are about 500 of these with varying IP addresses and some with
> PROTO=UDP on them. some have a mac=ff:ff:ff:ff:ff:ff: etc
>
> Any info on what these mean would be useful.

IN=eth0 This packet arrived with you via eth0
SRC= Where it came from
DST= Where it was addressed to
PROTO= Protocol - documented in /etc/protocols
SPT= Source port (not very usefull)
DPT= Destination port - documented in /etc/services

Get a copy of the Linux Network Administrators Guide and study it
for more information. There is usually a copy in the Documentation
directory of Slackware, or you can buy a deadtree version from
O'Reilly.

FWIW, the above example is a probe for a windoze vulnerability.

C. Newport wrote:

>> firewall caught:IN=eth0 OUT= MAC=<mac address of CM> SRC=<ip of ISP>
>> DST=<Own dynamic IP> LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=29776
>> PROTO=TCP SPT=3886 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
>>
<cut>
>
> DPT= Destination port - documented in /etc/services
>
In this case its port 135 and this indicates that its the infamous
Blaster worm looking for a WinNT-like computer.

Nothing to worry about when your running Linux.
--
Thomas O.

This area is designed to become quite warm during normal operation.

On 2003-08-17,
/dev/rob0 <rob0@gmx.co.uk> wrote:

> Look at the DPT and PROTO values. A rule of thumb is that the ones you
> see most often should be dropped without logging.

Another possibility is to use iptables' --limit option to limit logging.

--
Mark Hill <mark_usenet@yahoo.co.uk>

Hi there,

"Simon Atkins" <Bonzodog0@ntlworld.com> writes:

[...]

>Um..thanks guys, I have it working now, figured it out when I looked in
>the rc files
>got some strange stuff tho when I fired it up........
>dmesg gives out a whole list of 'firewall caught' messages, and unroutable
>reports (about 500 in all), although they seem to be repeating the same
>info. Any ideas?
>sample;

>firewall caught:IN=eth0 OUT= MAC=<mac address of CM> SRC=<ip of ISP>
>DST=<Own dynamic IP> LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=29776 PROTO=TCP
>SPT=3886 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0

>there are about 500 of these with varying IP addresses and some with
>PROTO=UDP on them. some have a mac=ff:ff:ff:ff:ff:ff: etc

>Any info on what these mean would be useful.

>Simon

I may be wrong, but this particulat log entry looks like your firewall
is working fine and busy dropping Lovsan attack packets (connects to
135/tcp to transmit some data triggering a bug in MS Winblows NT/2000/XP
DCOM implementation) (Also known as MSBLASTER).

I guess your firewall setup includes logging of dropped
packets. That would explain them being in dmesg buffer.
However, they should also appear in some log file once syslog
is running. I usually only get firewall log entries on the
console screen during boot or shutdown.

Similarly, my workstation is dropping packets like
that, even today(!)[I'm using gShield as a "personal firewall,
in case you didn't guess :-)]:
Aug 18 11:05:52 holmes kernel: gShield (default drop) IN=eth0
OUT= MAC=<imagine obliterated MAC adress here :-)>
SRC=xxx.xxx.xxx.xxx DST=<my IP address> LEN=48 TOS=0x00 PREC=0x00
TTL=125 ID=30366 DF PROTO=TCP SPT=1215 DPT=135 WINDOW=16384
RES=0x00 SYN URGP=0

What I can't quite figure out is, why the packets would appear
to be coming only from your ISP. I get them from all over the
place...

The other log entries will also have to do with what your
firewall allows and what it doesn't.

Can't speak for the "unroutables" you mention, unless that's
also part of your firewall setup. (e.g. in the way it reacts,
when it drops a packet)

HTH
Martin
--
Martin Boening, mboen@t-online.de

It is impossible to travel faster than light, and certainly not
desirable, as one's hat keeps blowing off. (Woody Allen)