Samba & IPTables (fwd)

Charles Bronson packetgeek at chuckiechanboys.com
Sat Aug 2 20:49:35 UTC 2003


Dag Wieers wrote:
> On Sat, 2 Aug 2003, Charles Bronson wrote:
> 
> 
>>>It is a great tool to learn more about networking.
>>
>>You are correct when all networking activities are limited to the Well Known 
>>Ports. However, what happens when a user gets a request for access to a port 
>>above 1024? This could be someone trying to hack their pc or it could be a 
>>legitimate use.
> 
> 
> What legitimate use access on port > 1024 (on a unknown port) ?
VNC, the default is 5900.

> I think it is fairly safe to say that if the user wasn't expecting 
> anything to happen, he can deny it temporarily (and maybe that should be 
> the default thing to suggest/advice).
Ok but Bob just lost his connection when he apparently needed it.

> 
> 
> 
>>Let's use Bob and Alice (avg users) in an example:
>>Bob wants to access the family computer from work so he installs <insert 
>>Generic Remote Access Tool name here>. The next day Bob is at work and lights up 
>>the GRAT client. Alice is home surfing the web and a pop-up asks her if she 
>>should allow access to port 2029. Pretend you're Alice and make the call, what 
>>would you do?
> 
> 
> Well, I think you're not talking about the common case here already. I'm 
> sure that if bob knows how to install GRAT
It installs by default with some of the install profiles. But even so, RPMs 
are easy to install and most will set the service to run, albeit with very 
general conf files.

> and was planning to connect to
> home on a system that he shares with his wife. He prepared the personal 
> firewall sufficiently.
VNC doesn't tell you it uses 5900 but that's ok, Bob doesn't understand ports 
anyway so knowing that VNC uses 5900 doesn't do him any good. He and the 
firewall have no common language so Bob can't tell the firewall about his new 
installation.

> 
> Anyway, in this case the pop-up probably says something like:
> 
> 	We noticed someone (from firewall.bobswork.com)
Only if Bob's firewall does reverse DNS AND Bob's company sets their DNS to 
answer those queries. Otherwise you get a raw IP address.

> trying to connect
> 	to 'Generic Remote Access Tool' (on port 2029).
As long as the firewall tears open the packet to look at the application layer 
or lets it far enough into your computer to see who it wants to talk to.

> 
> 	This traffic is unknown by the firewall and therefore could be
> 	dangerous. We advise not to allow it unless you understand the 
> 	consequences.
> 
> 	Do You want to allow access to Generic Remote Access Tool from 
> 	firewall.bobswork.com
> 
> 			[Yes]	[*No*]	[Customize]
> 
> If it was a known protocol the personal firewall could give more 
> information about what it is used for.
Assuming you're talking about *known* protocols above 1024 (because we already 
eliminated < 1024 from the discussion), Linux will let ANY program use ANY port 
that is not already listening. Therefore a malicious program can grab, for 
instance, port 1033 which your method will identify as "local netinfo port", 
which sounds pretty harmless.

> (Warning: this is a remote
> administration tool, someone with access can completely control your 
> machine from remote.)
> 
> Bob is fairly stupid if he installed the personal firewall and the GRAT 
> server and didn't think of this before going to work.
Bob's firewall was installed by default during the system install and he does 
not know enough about GRAT to know how to preset the firewall and he won't be 
home the first time he tries to connect to it...
> He still can call
> his wife and tell her to click on Yes ;)
I was being nice and assuming his wife would be there to see it. In many houses 
only the cat/dog/goldfish will be there to answer the call ;-)

> 
> Let me also add that if nothing is listening on a port the traffic is 
> dropped silently (and logged).
Firewalls are not around to protect your computer from calls to ports that are 
not listening, your computer does that on its own ;-)

> My biggest concern is that you're denying
> the concept of personal firewalls
I hand configure the IPTables scripts on all of my home computers, so you can 
put your concerns aside. However my concern is that you are trivializing what in 
actuality is a daunting task and that is not helping to find the solution.

> and I don't have time to argue for the
> sake of arguing.
Suit yourself but solutions will only come from intelligent and probing discussions.

> 
> I did a quick search to get a screenshot of ZoneAlarm. There are better 
> examples, I'm sure.
> 
> 	http://antivirus.about.com/library/reviews/aafprzone.htm
Your example shows a program that the user knowingly initiates going out to the 
Internet. Whereas many of the situations that a firewall protects against are 
not user initiated and they come in from the Internet. Which means that the user 
is going to have to understand the request and that goes back to the knowledge 
paradigm.

> 
> 
> 
>>>Lokkit is a very limited tool. It is not functional for most of the home 
>>>users and I don't think it is intended to be. Someone in this thread 
>>>already refered to it (not supporting samba).
>>
>>If you look at my previous reply you will see that I already agree with you on 
>>this point.
> 
> 
> Right, after first saying "This statement is just plain wrong. IPTables is 
> a VERY powerful tool.". Next time you better not use strong language if 
> you're actually agreeing with me.
Please look at the following quote from earlier in this thread:
---------- Begin inserted quote ------------

 >> That's probably what 'Home Users' would expect anyway. The current iptables 
 >>firewall from Red Hat is a basic tool and limited in functionality.

This statement is just plain wrong. IPTables is a VERY powerful tool. Are you 
maybe referring to the firewall configuration tool? If so it is sufficiently 
functional for a home user although using it properly would definitely be beyond 
a layman.

----------- End inserted quote --------------

You are saying "The current iptables firewall from Red Hat is a basic tool and 
limited in functionality."

And I am saying that you are wrong and IPTables is a VERY powerful tool. After 
that I was *again* trying to be courteous and allow for the fact that you may 
have been talking about the firewall CONFIGURATION tool, in which case I would 
agree with you.

Since I will continue to try and be courteous I would appreciate it if you would 
try to read my entire message.


> 
> I think you understand what I was trying to suggest so for me the thread 
> ends here. Feel free to find some other cornercases ;)
Yes I do understand what you are trying to suggest. I am trying to get you to 
help form the solution to your stated problem by suggesting that you are 
oversimplifying the situation. You see the problem and that makes you a good 
candidate to see when the solution has arrived. Why wouldn't you want to help 
form the solution to a problem you are having?


-- 
(¬_    Some days you're the windshield    >o)
//\    Some days you're the bug...        /\\
V_/_                                     _\_V
Charles Bronson





More information about the fedora-list mailing list