dryzone
asked on
X and firewall+ipchains
I have a firewall running Ipchains with eth1 to the internet and eth0 to my internal network to be secured.
I need to run X on my firewall as I want to use it for system monitoring.
I have all ports closed and masquerade all traffic to the webb.
I cannot manage to shut down X (6000) on eth1 without shutting down Port 6000 on eth0 also. This is a problem since the following IPCHAINS command is supposed to only shut down X availability on eth1. I need to be able to have X working on eth0.
$IPC -A input -p tcp -s 0/0 -d 0/0 6000:6010 -i eth1 -j $STOP -l
$IPC -A input -p udp -s 0/0 -d 0/0 6000:6010 -i eth1 -j $STOP -l
If I run a portscanner against the two networks say 68.67.65.64(eth1) then Port 6000 should be closed, if I run a portascanner against 192.191.190.189(eth0) then I should see X(6000) open.
Is there ANY way I can do this with Ipchains? or do I misunderstand the chain above????
I need to run X on my firewall as I want to use it for system monitoring.
I have all ports closed and masquerade all traffic to the webb.
I cannot manage to shut down X (6000) on eth1 without shutting down Port 6000 on eth0 also. This is a problem since the following IPCHAINS command is supposed to only shut down X availability on eth1. I need to be able to have X working on eth0.
$IPC -A input -p tcp -s 0/0 -d 0/0 6000:6010 -i eth1 -j $STOP -l
$IPC -A input -p udp -s 0/0 -d 0/0 6000:6010 -i eth1 -j $STOP -l
If I run a portscanner against the two networks say 68.67.65.64(eth1) then Port 6000 should be closed, if I run a portascanner against 192.191.190.189(eth0) then I should see X(6000) open.
Is there ANY way I can do this with Ipchains? or do I misunderstand the chain above????
ASKER
ahoffmann, do you never sleep or do you follow me around?
I'm getting paranoid.
So you say that this should close the X-port on eth1 but still allow it to be able to do X-transaction on eth0.
Ill try it and come back to you.
I'm getting paranoid.
So you say that this should close the X-port on eth1 but still allow it to be able to do X-transaction on eth0.
Ill try it and come back to you.
ASKER
ipchains -A input -p tcp -i eth1 -s ! U.V.W.X 6000:6010 -j DROP
I get the following error message:
ipchains: No target by that name
I think that ipchains refer to U.V.W.X my external IP address. I cannot figure out where ipchains looks for the "target" details. I do not have my external IP address in my /etc/hosts file as I feel it is safer to do so when masquerading the internal network. Maybe it looks in /etc/hosts, I cannot see why it should?
I get the following error message:
ipchains: No target by that name
I think that ipchains refer to U.V.W.X my external IP address. I cannot figure out where ipchains looks for the "target" details. I do not have my external IP address in my /etc/hosts file as I feel it is safer to do so when masquerading the internal network. Maybe it looks in /etc/hosts, I cannot see why it should?
oops, should be DENY instead of DROP, sorry.
ASKER
No ipchains accepts the command but the port remains open.
What I need is, if i run nmap against the external ip @ eth1, it should show port 6000 closed or non existent.
If I run nmap against the internal IP @ eth0 I should get the port 6000 open.
The curious thing is when I run the command as in my problem definition, then port 6000 is closed on both interfaces eth1 and eth0, which is a bit strange.
What I need is, if i run nmap against the external ip @ eth1, it should show port 6000 closed or non existent.
If I run nmap against the internal IP @ eth0 I should get the port 6000 open.
The curious thing is when I run the command as in my problem definition, then port 6000 is closed on both interfaces eth1 and eth0, which is a bit strange.
ASKER
Does anybody think that this is possible at all?
Port 6000 remains open. Their does not seem to be a way to deny a service on one ionterface but not the other.
Port 6000 remains open. Their does not seem to be a way to deny a service on one ionterface but not the other.
do you have a rule which accepts before the DENY 6000 rule is checked?
ASKER
Accepts what Port 6000? or Accept e.g.ANY
Accept e.g.ANY
ipchains checks rules in sequence as you see it with
ipchains -nL
if there is any rule matching, before it comes to the port 6000, the algorithm uses that rule.
You may check by inserting the port 6000 DENY rule as first one.
ipchains checks rules in sequence as you see it with
ipchains -nL
if there is any rule matching, before it comes to the port 6000, the algorithm uses that rule.
You may check by inserting the port 6000 DENY rule as first one.
ASKER
To ahoffmann
I am still looking into this, I had to go to Potsdam for a week so I could not tend to this.
Will look into it this week.
Apologies for the delay.
I am still looking into this, I had to go to Potsdam for a week so I could not tend to this.
Will look into it this week.
Apologies for the delay.
ASKER
To ahoffmann
I am still looking into this, I had to go to Potsdam for a week so I could not tend to this.
Will look into it this week.
Apologies for the delay.
I am still looking into this, I had to go to Potsdam for a week so I could not tend to this.
Will look into it this week.
Apologies for the delay.
ASKER
To ahoffman
The easiest I give you the ipchains list (ipchains -L)
Just tell me where to insert the necessary chains as this problem persists.
It is quite strange to me that it is so difficult to deny services on one and allow on the other. Seems that ipchains has never been designed to be "generic" with interfaces. It also has a curious prefernece to eth0..must be internal network for some reason.
Anyway here is the output.
Chain input (policy ACCEPT):
target prot opt source destination ports
ACCEPT all ------ anywhere anywhere n/a
ACCEPT icmp ------ anywhere 200.90.223.0/24 echo-request
ACCEPT icmp ------ anywhere 200.90.223.0/24 echo-reply
REJECT udp ----l- anywhere 200.90.223.0/24 any -> 33434
REJECT icmp ----l- anywhere 200.90.223.0/24 destination-unreachable
REJECT icmp ----l- anywhere 200.90.223.0/24 host-unreachable
REJECT icmp ----l- anywhere 200.90.223.0/24 timestamp-request
REJECT icmp ----l- anywhere 200.90.223.0/24 timestamp-reply
REJECT icmp ----l- anywhere 200.90.223.0/24 address-mask-request
REJECT icmp ----l- anywhere 200.90.223.0/24 address-mask-reply
REJECT icmp ----l- anywhere 200.90.223.0/24 redirect
ACCEPT icmp ----l- anywhere 200.90.223.0/24 source-quench
ACCEPT all ------ 192.168.1.0/24 anywhere n/a
DENY all ------ 127.0.0.0/8 200.90.223.0/24 n/a
DENY all ------ 128.66.0.0/16 200.90.223.0/24 n/a
DENY all ------ 172.16.0.0/12 200.90.223.0/24 n/a
DENY all ------ 192.168.0.0/16 200.90.223.0/24 n/a
DENY all ------ 197.0.0.0/16 200.90.223.0/24 n/a
DENY all ------ 201.0.0.0/8 200.90.223.0/24 n/a
DENY tcp ----l- anywhere 200.90.223.0/24 any -> 31337
DENY udp ----l- anywhere 200.90.223.0/24 any -> 31337
DENY tcp ----l- anywhere 200.90.223.0/24 any -> 12345:12346
DENY udp ----l- anywhere 200.90.223.0/24 any -> 12345:12346
DENY tcp ----l- anywhere 200.90.223.0/24 any -> ingreslock
DENY tcp ----l- anywhere 200.90.223.0/24 any -> 27665
DENY udp ----l- anywhere 200.90.223.0/24 any -> 27444
DENY udp ----l- anywhere 200.90.223.0/24 any -> 31335
DENY all ----l- BASE-ADDRESS.MCAST.NET/8 anywhere n/a
DENY all ----l- anywhere BASE-ADDRESS.MCAST.NET/8 n/a
DENY tcp ----l- anywhere anywhere any -> 2049
DENY udp ----l- anywhere anywhere any -> nfsd
REJECT tcp ----l- anywhere anywhere any -> netbios-ns:netbios-ssn
REJECT udp ----l- anywhere anywhere any -> netbios-ns:netbios-ssn
REJECT tcp ----l- anywhere anywhere any -> 445
REJECT udp ----l- anywhere anywhere any -> 445
ACCEPT tcp !y---- anywhere 200.90.223.0/24 any -> 1023:65535
ACCEPT udp ------ anywhere 200.90.223.0/24 any -> 1023:65535
DENY all ----l- anywhere anywhere n/a
Chain forward (policy DENY):
target prot opt source destination ports
ACCEPT all ------ 192.168.1.0/24 192.168.1.0/24 n/a
MASQ all ------ 192.168.1.0/24 anywhere n/a
Chain output (policy ACCEPT):
target prot opt source destination ports
ACCEPT all ------ anywhere anywhere n/a
ACCEPT all ------ 192.168.1.0/24 anywhere n/a
ACCEPT icmp ------ 192.168.1.0/24 anywhere any -> any
ACCEPT icmp ------ 200.90.223.0/24 anywhere any -> any
ACCEPT all ------ anywhere anywhere n/a
The easiest I give you the ipchains list (ipchains -L)
Just tell me where to insert the necessary chains as this problem persists.
It is quite strange to me that it is so difficult to deny services on one and allow on the other. Seems that ipchains has never been designed to be "generic" with interfaces. It also has a curious prefernece to eth0..must be internal network for some reason.
Anyway here is the output.
Chain input (policy ACCEPT):
target prot opt source destination ports
ACCEPT all ------ anywhere anywhere n/a
ACCEPT icmp ------ anywhere 200.90.223.0/24 echo-request
ACCEPT icmp ------ anywhere 200.90.223.0/24 echo-reply
REJECT udp ----l- anywhere 200.90.223.0/24 any -> 33434
REJECT icmp ----l- anywhere 200.90.223.0/24 destination-unreachable
REJECT icmp ----l- anywhere 200.90.223.0/24 host-unreachable
REJECT icmp ----l- anywhere 200.90.223.0/24 timestamp-request
REJECT icmp ----l- anywhere 200.90.223.0/24 timestamp-reply
REJECT icmp ----l- anywhere 200.90.223.0/24 address-mask-request
REJECT icmp ----l- anywhere 200.90.223.0/24 address-mask-reply
REJECT icmp ----l- anywhere 200.90.223.0/24 redirect
ACCEPT icmp ----l- anywhere 200.90.223.0/24 source-quench
ACCEPT all ------ 192.168.1.0/24 anywhere n/a
DENY all ------ 127.0.0.0/8 200.90.223.0/24 n/a
DENY all ------ 128.66.0.0/16 200.90.223.0/24 n/a
DENY all ------ 172.16.0.0/12 200.90.223.0/24 n/a
DENY all ------ 192.168.0.0/16 200.90.223.0/24 n/a
DENY all ------ 197.0.0.0/16 200.90.223.0/24 n/a
DENY all ------ 201.0.0.0/8 200.90.223.0/24 n/a
DENY tcp ----l- anywhere 200.90.223.0/24 any -> 31337
DENY udp ----l- anywhere 200.90.223.0/24 any -> 31337
DENY tcp ----l- anywhere 200.90.223.0/24 any -> 12345:12346
DENY udp ----l- anywhere 200.90.223.0/24 any -> 12345:12346
DENY tcp ----l- anywhere 200.90.223.0/24 any -> ingreslock
DENY tcp ----l- anywhere 200.90.223.0/24 any -> 27665
DENY udp ----l- anywhere 200.90.223.0/24 any -> 27444
DENY udp ----l- anywhere 200.90.223.0/24 any -> 31335
DENY all ----l- BASE-ADDRESS.MCAST.NET/8 anywhere n/a
DENY all ----l- anywhere BASE-ADDRESS.MCAST.NET/8 n/a
DENY tcp ----l- anywhere anywhere any -> 2049
DENY udp ----l- anywhere anywhere any -> nfsd
REJECT tcp ----l- anywhere anywhere any -> netbios-ns:netbios-ssn
REJECT udp ----l- anywhere anywhere any -> netbios-ns:netbios-ssn
REJECT tcp ----l- anywhere anywhere any -> 445
REJECT udp ----l- anywhere anywhere any -> 445
ACCEPT tcp !y---- anywhere 200.90.223.0/24 any -> 1023:65535
ACCEPT udp ------ anywhere 200.90.223.0/24 any -> 1023:65535
DENY all ----l- anywhere anywhere n/a
Chain forward (policy DENY):
target prot opt source destination ports
ACCEPT all ------ 192.168.1.0/24 192.168.1.0/24 n/a
MASQ all ------ 192.168.1.0/24 anywhere n/a
Chain output (policy ACCEPT):
target prot opt source destination ports
ACCEPT all ------ anywhere anywhere n/a
ACCEPT all ------ 192.168.1.0/24 anywhere n/a
ACCEPT icmp ------ 192.168.1.0/24 anywhere any -> any
ACCEPT icmp ------ 200.90.223.0/24 anywhere any -> any
ACCEPT all ------ anywhere anywhere n/a
this listing is not very helpful, unfortunately
Could you please post result of:
ipchain -nL -v
Could you please post result of:
ipchain -nL -v
ASKER
Chain input (policy ACCEPT: 33 packets, 2089 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
12M 528M ACCEPT all ------ 0xFF 0x00 lo 0.0.0.0/0 0.0.0.0/0 n/a
50 6764 ACCEPT icmp ------ 0xFF 0x00 * 0.0.0.0/0 200.121.10.0/24 8 -> *
15 1260 ACCEPT icmp ------ 0xFF 0x00 * 0.0.0.0/0 200.121.10.0/24 0 -> *
0 0 REJECT udp ----l- 0xFF 0x00 * 0.0.0.0/0 200.121.10.0/24 * -> 33434
258 24458 REJECT icmp ----l- 0xFF 0x00 * 0.0.0.0/0 200.121.10.0/24 3 -> *
0 0 REJECT icmp ----l- 0xFF 0x00 * 0.0.0.0/0 200.121.10.0/24 3 -> 1
0 0 REJECT icmp ----l- 0xFF 0x00 * 0.0.0.0/0 200.121.10.0/24 13 -> *
0 0 REJECT icmp ----l- 0xFF 0x00 * 0.0.0.0/0 200.121.10.0/24 14 -> *
0 0 REJECT icmp ----l- 0xFF 0x00 * 0.0.0.0/0 200.121.10.0/24 17 -> *
0 0 REJECT icmp ----l- 0xFF 0x00 * 0.0.0.0/0 200.121.10.0/24 18 -> *
0 0 REJECT icmp ----l- 0xFF 0x00 * 0.0.0.0/0 200.121.10.0/24 5 -> *
0 0 ACCEPT icmp ----l- 0xFF 0x00 * 0.0.0.0/0 200.121.10.0/24 4 -> *
18M 2647M ACCEPT all ------ 0xFF 0x00 * 192.168.1.0/24 0.0.0.0/0 n/a
0 0 DENY all ------ 0xFF 0x00 eth1 127.0.0.0/8 200.121.10.0/24 n/a
0 0 DENY all ------ 0xFF 0x00 eth1 128.66.0.0/16 200.121.10.0/24 n/a
3 234 DENY all ------ 0xFF 0x00 eth1 172.16.0.0/12 200.121.10.0/24 n/a
0 0 DENY all ------ 0xFF 0x00 eth1 192.168.0.0/16 200.121.10.0/24 n/a
0 0 DENY all ------ 0xFF 0x00 eth1 197.0.0.0/16 200.121.10.0/24 n/a
0 0 DENY all ------ 0xFF 0x00 eth1 201.0.0.0/8 200.121.10.0/24 n/a
0 0 DENY tcp ----l- 0xFF 0x00 * 0.0.0.0/0 200.121.10.0/24 * -> 31337
0 0 DENY udp ----l- 0xFF 0x00 * 0.0.0.0/0 200.121.10.0/24 * -> 31337
0 0 DENY tcp ----l- 0xFF 0x00 * 0.0.0.0/0 200.121.10.0/24 * -> 12345:12346
0 0 DENY udp ----l- 0xFF 0x00 * 0.0.0.0/0 200.121.10.0/24 * -> 12345:12346
0 0 DENY tcp ----l- 0xFF 0x00 * 0.0.0.0/0 200.121.10.0/24 * -> 1524
0 0 DENY tcp ----l- 0xFF 0x00 * 0.0.0.0/0 200.121.10.0/24 * -> 27665
0 0 DENY udp ----l- 0xFF 0x00 * 0.0.0.0/0 200.121.10.0/24 * -> 27444
0 0 DENY udp ----l- 0xFF 0x00 * 0.0.0.0/0 200.121.10.0/24 * -> 31335
0 0 DENY all ----l- 0xFF 0x00 * 224.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 * 0.0.0.0/0 224.0.0.0/8 n/a
0 0 DENY tcp ----l- 0xFF 0x00 eth1 0.0.0.0/0 0.0.0.0/0 * -> 2049
1 138 DENY udp ----l- 0xFF 0x00 eth1 0.0.0.0/0 0.0.0.0/0 * -> 2049
0 0 REJECT tcp ----l- 0xFF 0x00 eth1 0.0.0.0/0 0.0.0.0/0 * -> 137:139
310 31333 REJECT udp ----l- 0xFF 0x00 eth1 0.0.0.0/0 0.0.0.0/0 * -> 137:139
0 0 REJECT tcp ----l- 0xFF 0x00 eth1 0.0.0.0/0 0.0.0.0/0 * -> 445
0 0 REJECT udp ----l- 0xFF 0x00 eth1 0.0.0.0/0 0.0.0.0/0 * -> 445
738K 506M ACCEPT tcp !y---- 0xFF 0x00 * 0.0.0.0/0 200.121.10.0/24 * -> 1023:65535
92402 13M ACCEPT udp ------ 0xFF 0x00 * 0.0.0.0/0 200.121.10.0/24 * -> 1023:65535
5435 320K DENY all ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a
Chain forward (policy DENY: 8 packets, 424 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
0 0 ACCEPT all ------ 0xFF 0x00 * 192.168.1.0/24 192.168.1.0/24 n/a
1136K 130M MASQ all ------ 0xFF 0x00 * 192.168.1.0/24 0.0.0.0/0 n/a
Chain output (policy ACCEPT: 20 packets, 1400 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
12M 528M ACCEPT all ------ 0xFF 0x00 lo 0.0.0.0/0 0.0.0.0/0 n/a
16M 702M ACCEPT all ------ 0xFF 0x00 * 192.168.1.0/24 0.0.0.0/0 n/a
0 0 ACCEPT icmp ------ 0xFF 0x00 * 192.168.1.0/24 0.0.0.0/0 * -> *
1063 268K ACCEPT icmp ------ 0xFF 0x00 * 200.121.10.0/24 0.0.0.0/0 * -> *
1969K 649M ACCEPT all ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a
ipchains -I input 4 -p tcp -i eth0 -s u.v.w.x 6000:6010 -j ACCEPT
ipchains -I output 1 -p tcp -i eth0 -d u.v.w.x 6000:6010 -j ACCEPT
# where u.v.w.x is you network address for LAN
# and assuming that the rules are in order of you last posting
ipchains -I output 1 -p tcp -i eth0 -d u.v.w.x 6000:6010 -j ACCEPT
# where u.v.w.x is you network address for LAN
# and assuming that the rules are in order of you last posting
ASKER
No, it already accepts X on eth0,
The problem is that it also accepts x connections on eth1 (web-side) which I do not want. If I run nmap against eth1, I get X as OPEN, I want it to disappear on eth1, but allowed on eth0.
The problem is that it also accepts x connections on eth1 (web-side) which I do not want. If I run nmap against eth1, I get X as OPEN, I want it to disappear on eth1, but allowed on eth0.
ok then add also
pchains -I input 4 -p tcp -i eth1 -s 0.0.0.0 6000:6010 -j DENY
ipchains -I output 1 -p tcp -i eth1 -d 0.0.0.0 6000:6010 -j DENY
pchains -I input 4 -p tcp -i eth1 -s 0.0.0.0 6000:6010 -j DENY
ipchains -I output 1 -p tcp -i eth1 -d 0.0.0.0 6000:6010 -j DENY
ASKER
I will try this again for good luck, but previously it refused to work.
Is there a specific place they should be inserted?
Is there a specific place they should be inserted?
keep in mind that you use last 4 ipchain commands !
> Is there a specific place they should be inserted?
yes and no, depends.
If you use it as i posted *and* you table is looking like you (last) posting here, it should be ok. Otherwise you need to make shure that no other rule match before.
You may check the current rule number with:
ipchains -nL --line-number
> Is there a specific place they should be inserted?
yes and no, depends.
If you use it as i posted *and* you table is looking like you (last) posting here, it should be ok. Otherwise you need to make shure that no other rule match before.
You may check the current rule number with:
ipchains -nL --line-number
ASKER
I tried everything you suggested,
nmap still reports X11 as open - crazy!!!
Starting nmap V. 2.54BETA2 ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 1529 ports scanned but not shown below are in state: closed)
Port State Service
6000/tcp open X11
TCP Sequence Prediction: Class=random positive increments
Difficulty=3309706 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.16
Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
nmap still reports X11 as open - crazy!!!
Starting nmap V. 2.54BETA2 ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 1529 ports scanned but not shown below are in state: closed)
Port State Service
6000/tcp open X11
TCP Sequence Prediction: Class=random positive increments
Difficulty=3309706 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.16
Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
So, if I understand you right I have been looped into lo all the time where I would be shown X11 or any other port open if EITHER of eth1 or eth0 open? Yeah I guess you are right.
Just tried it through my dialup and you are right
nmap -sS -p 6000-6010 -O -f 20X.9X.2XY.ZV
reported
Starting nmap V. 2.54BETA2 ( www.insecure.org/nmap/ )
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap run completed -- 1 IP address (0 hosts up) scanned in 30 seconds
So my firewall has been completely stealthed all the time and I did nothing wrong with ipchains.......(x-fingers)
DSL reports me as a 0 and GRC can get daylight out of my firewall, but this port 6000 which always remained open baffled me. Ok so it is my misinterpretation, I would have thought that if you portscan your external interface that linux would be clever enough not to route to lo. What you are telling me now is that EVERYTHING nmap does goes through lo!!?
Anyway you solved the problem and I expected too much from nmap...they could inform users of the fact that they do not distinguish between lo,eth1 and eth0. Right it is also stupid not to test outside your firewall.
Thanks, and if you want to solve my apache problem.....
look at https://www.experts-exchange.com/jsp/qManageQuestion.jsp?ta=linuxprog&qid=20192574 for about 100 points.
Usually with linux (actually always) the trouble is my own doing, but appache authentication has been screwing me arround for a long time.. I will give you the points for this job (200) when you respond and checked my nmap setting stated and agree on the outcome of the dialup nmap test. Anyway yoyu get the points regardless but I just want you to check as security ......is serious (ask my previous employer who attempted to hack into my system...therefore the X-paranoia)
Regards
Just tried it through my dialup and you are right
nmap -sS -p 6000-6010 -O -f 20X.9X.2XY.ZV
reported
Starting nmap V. 2.54BETA2 ( www.insecure.org/nmap/ )
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap run completed -- 1 IP address (0 hosts up) scanned in 30 seconds
So my firewall has been completely stealthed all the time and I did nothing wrong with ipchains.......(x-fingers)
DSL reports me as a 0 and GRC can get daylight out of my firewall, but this port 6000 which always remained open baffled me. Ok so it is my misinterpretation, I would have thought that if you portscan your external interface that linux would be clever enough not to route to lo. What you are telling me now is that EVERYTHING nmap does goes through lo!!?
Anyway you solved the problem and I expected too much from nmap...they could inform users of the fact that they do not distinguish between lo,eth1 and eth0. Right it is also stupid not to test outside your firewall.
Thanks, and if you want to solve my apache problem.....
look at https://www.experts-exchange.com/jsp/qManageQuestion.jsp?ta=linuxprog&qid=20192574 for about 100 points.
Usually with linux (actually always) the trouble is my own doing, but appache authentication has been screwing me arround for a long time.. I will give you the points for this job (200) when you respond and checked my nmap setting stated and agree on the outcome of the dialup nmap test. Anyway yoyu get the points regardless but I just want you to check as security ......is serious (ask my previous employer who attempted to hack into my system...therefore the X-paranoia)
Regards
> I would have thought that if you portscan your external interface that linux would be clever enough not to route to lo.
Don't intermix linux with nmap.
In your sitution *and* the view you use, nmap is the culprit, not linux. Or lets say it: user error.
Just read man nmap and look at the -e and -S option and the host argument ;-)
> What you are telling me now is that EVERYTHING nmap does goes through lo!!?
No. If you do not specify the interface it detects it automatically, and AFAIK if you do not specify the host it uses localhost. I'm not shure about that, needs to be tested ..
Don't intermix linux with nmap.
In your sitution *and* the view you use, nmap is the culprit, not linux. Or lets say it: user error.
Just read man nmap and look at the -e and -S option and the host argument ;-)
> What you are telling me now is that EVERYTHING nmap does goes through lo!!?
No. If you do not specify the interface it detects it automatically, and AFAIK if you do not specify the host it uses localhost. I'm not shure about that, needs to be tested ..
ASKER
You can use any of the 3 interface IPs.... the results remain the same...
I do not think nmap developers would be that stupid if the kernel did not make it very difficult. I found several difficulties with other different software. They cannot all be wrong.
Try switching eth0--eth1 in ipchains
then swap ip's for kernel for these two interfaces
and switch the network cables around... should just continue to work right???
No suddenly your firewall dont work...masquerading breaks and others... why... ? there must be a preference in the kernel relating ONLY to eth0 or a preference towards eth0 for some processes. That can only be kernel as ipchains has no preference for eth0 or its IP or eth1 or it's IP.
I do not think nmap developers would be that stupid if the kernel did not make it very difficult. I found several difficulties with other different software. They cannot all be wrong.
Try switching eth0--eth1 in ipchains
then swap ip's for kernel for these two interfaces
and switch the network cables around... should just continue to work right???
No suddenly your firewall dont work...masquerading breaks and others... why... ? there must be a preference in the kernel relating ONLY to eth0 or a preference towards eth0 for some processes. That can only be kernel as ipchains has no preference for eth0 or its IP or eth1 or it's IP.
> You can use any of the 3 interface IPs..
Well agreed. Think that the -e option just tells nmap to go "out" that interface, the kernel then relizes that it can shorten, and therefore circumvents the packetfilter ...
So, nmap on external host.
Well agreed. Think that the -e option just tells nmap to go "out" that interface, the kernel then relizes that it can shorten, and therefore circumvents the packetfilter ...
So, nmap on external host.
# same for udp