Hi, I suppose I am really aiming this at AT but other noobs like me might find this useful. I am having some "quality time" with the Mandriva built-in firewall (is it called shorewall?). Anyway, I wanted to disable it (the -Everything (no firewall)- option). But for some reason after setting it, when I go back into the firewall settings again, the tick in the box has gone..... and I am basically back to where I was before I ticked the box. I just noticed that even with all the boxes unticked, I can still access all services such as POP, BT, Internet etc. Is it that I can only change settings while not connected? In other words I cannot make changes to the current connection? I am not sure what is happening. I went to the Sygate firewall test page and ran a few tests and these are the results:

1. Quick test - All ports closed (?) ICMP Type 8 is open (whatever this means).
2. Stealth scan - All ports closed.
3. Trojan scan - Port 7000 is open (I gave Azureus this port)
4. TCP scan - Port 111 (SUNRPC) is open, Port 631 (unknown) is open, Port 860 (unknown) is open.
5. UDP scan - All ports closed

So, I just find this a bit bizarre. Can I use Firestarter? I found it really easy to set up and use and it showed me that it was actually blocking stuff, whereas this one here does not really tell me jack... Thanks for looking....
Shorewall is a quick & simple firewall tool for those that just need to open a few ports and stealth the rest. You should be able to just set your rules, add ones that are not listed in the commonly used ports by hand using the "advanced" dialog, and hit 'OK' ...unless, that is, you used Firestarter or another firewall tool at the same time as Shorewall. In that case, you have two programs editing the same IPTables rules! IPTables is the Linux firewall, built right into the kernel. Both Shorewall and Firestarter are simple ways of writing rules in IPTables. If you have two different services editing the same rules at the same time, it can really screw up your firewalling... as you've discovered. With such things, you must use one program or the other, and prevent the one(s) you're not using from starting up at all. P.S. - Unless you have your system auto-updating, I wouldn't have my firewall completely open. Linux is very secure, but there's no reason to tempt fate by allowing outdated, unhardened services directly on the Internet, is there?
Hi. No, I haven't actually used Firestarter together with Shorewall. I just find it weird that whether I have all boxes (on your attachment) ticked or not, the effect seems to be exactly the same.... hah: Anyway, let's say that everything is OK and I wanted to add a rule, how do I know whether it should be "[port number]/udp" or "[port number]/tcp"? Also, how can I check that my firewall is indeed doing its thang? If I go to the 'Interactive Firewall' (right click on the "connected" icon at the bottom right panel), there is nothing in the log... The reason I mentioned Firestarter was that when I used it in Ubuntu, it showed loads of action in the log book. I think I just want to make sure I am sort of keeping the wrong stuff out.... For example at the moment none of the boxes are ticked (again, at the panel you attached to your image). So, theoretically nothing should be able to access the network. However, I am downloading, checking mail and surfing with no problem at all......hah: *Scratching my head*
First of all, the simple Mandriva front-end for Shorewall provides no egress filtering, it only filters incoming traffic. Therefore, even if you filter everything you will still be able to surf the Internet, get your mail, download, etc. completely unhindered. Secondly, you don't need ports open in your firewall in order to do these things, you only need ports open if you plan on hosting such services from your own PC. If you want to filter outgoing packets you will have to either write the rules yourself by hand or use a more advanced firewall tool. To test if your Shorewall rules are doing the job, you can head over to GRC and do the "Shields Up" test. As far as how to know if a service uses UDP or TCP (or both), you're on your own. You'll have to do a little research on the specific program in question to know the answer. However, most services use TCP and many games use UDP. Some use both. If in doubt, allow both.
Ahhhhhaaaaa! OOooooohhhh, how dumb do I feel..... duhhhh..... Now I understand! OK many thanks! That is ultra cool with me! Took your advice and this is one report: How do I disallow ICMP Echo? Finally, can you point me in the right direction where I can find out how to code such rules? I do not mind reading and learning but I'm not sure where to go. Mandriva support forums? Thanks again AT for your time and advice....
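As an added example (not from this thread, and not Mandriva's or Shorewall's own code), here is one way to hand-write the kind of rules the previous two posts discuss: a shell script that generates an iptables-restore ruleset which keeps unsolicited inbound traffic out like the Shorewall front-end does, drops ICMP echo requests (the "ICMP Type 8 is open" result above), and adds the egress filtering the front-end lacks. The interface name eth0 and the port lists are assumptions; adjust them to your own setup.

```shell
#!/bin/sh
# Added example, not from the thread. Generates an iptables-restore ruleset;
# apply as root only AFTER reading it:  gen_rules | iptables-restore
# Shorewall must not be running at the same time, or both tools will edit the
# same iptables rules and fight each other, as the thread warns.
WAN_IF=eth0                           # assumed Internet-facing interface
INBOUND_TCP="7000"                    # ports you really host (Azureus here); 111/631/860 stay closed
OUTBOUND_TCP="25,80,110,443,587,995"  # SMTP, web, POP3(S), submission: assumed desktop needs
OUTBOUND_UDP="53"                     # DNS

gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback traffic is always allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections this host started
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# do not answer ping: drop ICMP type 8 (echo-request) arriving from the Internet
-A INPUT -i $WAN_IF -p icmp --icmp-type echo-request -j DROP
# the only inbound service deliberately exposed
-A INPUT -i $WAN_IF -p tcp -m multiport --dports $INBOUND_TCP -m state --state NEW -j ACCEPT
# egress filtering (the Mandriva front-end has none): only what a desktop needs
-A OUTPUT -o $WAN_IF -p tcp -m multiport --dports $OUTBOUND_TCP -m state --state NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -p udp --dport $OUTBOUND_UDP -m state --state NEW -j ACCEPT
# BitTorrent peers use arbitrary ports, so the client needs its own ACCEPT rule here
# everything else is logged (rate-limited, see /var/log/messages) and then dropped by the chain policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: " --log-level 4
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-out-drop: " --log-level 4
COMMIT
EOF
}

# has_rule PATTERN: succeeds if the generated ruleset contains PATTERN (fixed string)
has_rule() {
    gen_rules | grep -qF -- "$1"
}

# self-check before applying: every chain must default to DROP and ping must be blocked
check_rules() {
    has_rule ':INPUT DROP' && has_rule ':OUTPUT DROP' && has_rule ':FORWARD DROP' \
        && has_rule '--icmp-type echo-request -j DROP'
}

check_rules && echo "ruleset looks sane; review it, then: gen_rules | iptables-restore"
```

Once loaded, the ICMP result on a scanner such as Sygate or GRC's Shields Up should change from open to closed, and blocked outbound attempts show up as "fw-out-drop:" lines in the system log.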
It looks like your firewall is off. Is your shorewall service running? Is it even installed? What about IPTables?
Hi, I wish you could see how red my face is...... Both are installed but are not showing in KSysGuard. I am assuming this means they are not running...... I could not see a menu item to start shorewall. How do I start it? And how do I add it to the modules starting at boot? Only a few questions..... I have just run 'shorewall start' in a terminal but I still cannot see any evidence that it is running....
You can check if the daemons are running, start them if necessary, and change whether or not they boot with the system from the Mandriva Control Center. You can do most anything in regards to your system configuration through mcc, always check that first.
I have checked and IPTables is 'stopped'. However it does not react to me pressing the 'Start' button..... Stop press.... I have started shorewall and passed the test from GRC. I suppose I just need to make sure shorewall starts at boot. Thanks AT!