Linux Forums unreachable.
Markus Schönhaber
ubuntu-users at list-post.mks-mail.de
Thu Feb 25 20:37:18 UTC 2010
25.02.2010 15:17, Ray Parrish:
> It means I have common trojan ports blocked in Firestarter, and its
> outbound traffic policy is set to "Permissive - blacklist unwanted
> traffic only" in Firestarter.
>> What is the output of
>> sudo iptables-save
>>
>
> Here is the output, however I have no idea what the different columns mean.
[a gazillion rules snipped]
>> -A INBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A INBOUND -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A INBOUND -s 192.168.0.2 -j ACCEPT
>> -A INBOUND -s 192.168.0.2 -j ACCEPT
>> -A INBOUND -s 192.168.0.2 -j ACCEPT
>> -A INBOUND -s 192.168.0.2 -j ACCEPT
>> -A INBOUND -s 192.168.0.2 -j ACCEPT
>> -A INBOUND -s 174.129.35.126 -j ACCEPT
>> -A INBOUND -s 174.129.35.126 -j ACCEPT
>> -A INBOUND -s 174.129.35.126 -j ACCEPT
>> -A INBOUND -s 174.129.35.126 -p tcp -m tcp --dport 38009 -j ACCEPT
>> -A INBOUND -s 174.129.35.126 -p udp -m udp --dport 38009 -j ACCEPT
>> -A INBOUND -j LSI
>>
> What are the immediately above inbound connections about???
INBOUND is the name of a netfilter chain. This chain, like any other
chain, contains a list of rules a packet might or might not match, and
what to do with the packet if it does match.
The fact that the chain is called "INBOUND" (which, since it is none of
the built-in chains, is simply a name, nothing else) does not
necessarily mean that the rules contained in it match packets directed
at your machine. Looking at the rules above, in this case, they probably do.
> I thought I
> had my computer locked down to where there were no inbound connections
> allowed???
You've learned the hard way that, if you don't exactly know what you're
doing, a packet filter can be an excellent tool when it comes to
shooting yourself in the foot.
I think, now is the time you should ask yourself what makes you think
that you need something to "lock down" your computer.
Wrt incoming connections, I see two major possibilities:
1. You have applications running on your machine that accept incoming
network connections.
In this case, why do you want to prevent them from doing what they are
supposed to do?
2. You have no applications running on your machine that accept incoming
network connections.
In this case, why do you think you have to take additional measures?
Your machine's network stack will happily reject packets which are not
related ("answers") to packets you've sent.
[a boobazillion more rules snipped]
> Thanks for any help you can be.
I think you yourself can be the greatest help - by throwing away
Firestarter.
If you really think you have to take additional measures wrt network
security, you should be able to explain what exactly you want to protect
against exactly which threat. If you can do this, people here will
probably be able to offer some advice on what to do to get this protection.
>> BTW: some posts ago, I asked you whether there's a packet filter active
>> on your machine. You answered "no". How come?
>>
> I don't even know what a packet filter is. How about a quick introduction?
A network packet filter is some application/kernel module/whatever that
inspects packets passing through "the network" and acts upon certain
properties of the packets. For example, a packet filter might look at IP
protocol, source address, destination port, packet size and depending on
the values of those properties it might decide to allow the packet to
pass or to throw it away or to change some of the packet's information.
The Linux kernel's packet filter (netfilter) is exactly what you
manipulated using Firestarter.
Two remarks:
- I don't like the inflationary use of the word "firewall". In my point
of view a firewall is a *concept* of how to separate two network
segments in a way that only certain information can pass from one
segment to the other. An actual implementation of this concept might, or
might not, make use of a packet filter.
Granted, if I had spoken of a "firewall" instead of a "packet filter"
you'd have probably known immediately what I was asking for. Sorry for that.
- I don't know if anything of what I wrote does sound snappy or even
insulting to you. If it does, be assured that it isn't meant to be. I
simply try to explain how I see things.
--
Regards
mks
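The INBOUND chain quoted above shows two things a reviewer of any iptables-save dump should look for: exact duplicate rules, and port-specific rules that sit below an unrestricted ACCEPT for the same source and so can never matter. The following parser is an added example (not code from this thread or from Firestarter); SAMPLE is the quoted INBOUND chain with its repeated lines shortened, and the analysis compares option values as literal strings, without CIDR or port-range arithmetic.

```python
"""Flag dead rules in an iptables-save chain dump (added example, not code from
the thread or from Firestarter). SAMPLE is the INBOUND chain quoted in the thread
with its repeats shortened; option values are compared as literal strings and
every option is assumed to take exactly one value (true for plain -A lines)."""

SAMPLE = """\
-A INBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INBOUND -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INBOUND -s 192.168.0.2 -j ACCEPT
-A INBOUND -s 192.168.0.2 -j ACCEPT
-A INBOUND -s 174.129.35.126 -j ACCEPT
-A INBOUND -s 174.129.35.126 -p tcp -m tcp --dport 38009 -j ACCEPT
-A INBOUND -s 174.129.35.126 -p udp -m udp --dport 38009 -j ACCEPT
-A INBOUND -j LSI
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN"}  # targets that end traversal

def parse_rule(line):
    """Split '-A CHAIN <match options> -j TARGET' into (chain, matches, target)."""
    toks = line.split()
    chain, target, matches = None, None, {}
    for i in range(0, len(toks), 2):
        opt, val = toks[i], toks[i + 1]
        if opt == "-A":
            chain = val
        elif opt == "-j":
            target = val
        elif opt != "-m":            # "-m state" / "-m tcp" only loads an extension
            matches[opt.lstrip("-")] = val
    return chain, matches, target

def chain_rules(text, chain):
    return [parse_rule(l) for l in text.splitlines() if l.startswith(f"-A {chain} ")]

def shadowed_rules(text, chain):
    """1-based positions of rules that an earlier, more general terminal rule
    already decides (exact duplicates included); netfilter never reaches them."""
    rules = chain_rules(text, chain)
    dead = []
    for n, (_, later, _) in enumerate(rules):
        if any(t in TERMINAL and e.items() <= later.items() for _, e, t in rules[:n]):
            dead.append(n + 1)
    return dead

def accepted_unconditionally(text, chain):
    """Source hosts let in on every protocol and port (no -p or --dport at all)."""
    hits = [m["s"] for _, m, t in chain_rules(text, chain)
            if t == "ACCEPT" and "s" in m and not {"p", "dport"} & m.keys()]
    return sorted(set(hits))
```

Run against a real dump with `sudo iptables-save > rules.txt` and read the file into `shadowed_rules`; a long list of dead rules is the usual sign that a GUI front end has been appending rules without checking what the chain already allows.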