Greg N | 2 Nov 07:33 2006

mDns, Bonjour, Zeroconf, Avahi, Rendezvous

Hi

I managed to get Bonjour working by creating a new zone for multicast and adding an entry to the networkprotocoldb.xml file.
The multicast zone is called "multicast" and has Zone Addresses of 224.0.0.0/255.0.0.0
I added the XML below into /usr/share/apps/guarddog/networkprotocoldb.xml just above where it says "<protocol name="domain">". Restart Guarddog & then check the boxes to allow mDns traffic.

<protocol name="mDns">
  <!-- Protocol information guessed by Greg N <emailgregn <at> googlemail.com> -->
  <longname>mDns,Bonjour,Avahi,ZeroConf</longname>
  <longname lang="nl">mDns</longname>
  <longname lang="fr">mDns</longname>
  <longname lang="it">mDns</longname>
  <longname lang="es">mDns</longname>
  <description>Protocols to allow networks to configure themselves. It is called Bonjour (formerly Rendezvous) by Apple, and used extensively on Mac OS X. </description>
 
  <classification class="net"/>
  <network>
    <udp source="server" dest="client">
      <source><port portnum="nonprivileged"/></source>
      <dest><port portnum="5353"/></dest>
    </udp>
    <udp source="client" dest="server">
      <source><port portnum="5353"/></source>
      <dest><port portnum="nonprivileged"/></dest>
    </udp>
  </network>
  <security threat="medium" falsepos="low"/>
</protocol>


Regards,
Greg

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Guarddog-user mailing list
Guarddog-user <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/guarddog-user
Vassilis Virvilis | 2 Nov 08:20 2006

Re: mDns, Bonjour, Zeroconf, Avahi, Rendezvous

Greg N wrote:
> Hi
> 
> I managed to get Bonjour working by creating a new zone for multicast and
> adding an entry to the networkprotocoldb.xml file.
> The multicast zone is called "multicast" and has Zone Addresses of
> 224.0.0.0/255.0.0.0
> I added the XML below into /usr/share/apps/guarddog/networkprotocoldb.xml
> just above where it says "<protocol name="domain">". Restart Guarddog & 
> then
> check the boxes to allow mDns traffic.
> 
> <protocol name="mDns">
>  <!-- Protocol information guessed by Greg N <emailgregn <at> googlemail.com>
> -->
>  <longname>mDns,Bonjour,Avahi,ZeroConf</longname>
>  <longname lang="nl">mDns</longname>
>  <longname lang="fr">mDns</longname>
>  <longname lang="it">mDns</longname>
>  <longname lang="es">mDns</longname>
>  <description>Protocols to allow networks to configure themselves. It is
> called Bonjour (formerly Rendezvous) by Apple, and used extensively on Mac
> OS X. </description>
> 
>  <classification class="net"/>
>  <network>
>    <udp source="server" dest="client">
>      <source><port portnum="nonprivileged"/></source>
>      <dest><port portnum="5353"/></dest>
>    </udp>
>    <udp source="client" dest="server">
>      <source><port portnum="5353"/></source>
>      <dest><port portnum="nonprivileged"/></dest>
>    </udp>
>  </network>
>  <security threat="medium" falsepos="low"/>
> </protocol>
> 
> 
> Regards,
> Greg
> 

I did that. I then allowed
protocols served from zone 'multicast' to clients in Local (OK)
but then the firewall drops my packets when I try with avahi-discover,
like this:
DROPPED IN=eth0 OUT= MAC= SRC=192.168.15.1 DST=224.0.0.251 LEN=82 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF
PROTO=UDP SPT=5353 DPT=5353 LEN=62

Any ideas?

       .bill

Vassilis Virvilis | 2 Nov 08:31 2006

Some protocols (again)

Protocols guarddog does not support yet but which are useful to have:
	TFTP: (for network booting)
	netconsole: (for kernel debugging)
	rdesktop: (for remote windows view)
	svnserve: (for non-ssh subversion users)
	smtp over SSL: (It is deprecated but maybe useful for some)

Others not listed here:
	apt-proxy: (port = 9999, Debian apt proxy daemon)
	SANE: (cannot be firewalled properly. Seriously compromises system security)

<protocol name="tftp">
   <longname>TFTP - Trivial File Transfer Protocol</longname>
   <description>A very simple protocol used to transfer files during the boot time of
   diskless clients.</description>
   <classification class="net"/>
   <pragma name="guarddog">ip_conntrack_tftp</pragma>
   <network>
     <udp source="client" dest="server" direction="both">
       <dest><port portnum="69"/></dest>
     </udp>
   </network>
   <security threat="high" falsepos="low"/>
   <reference href="http://www.robertgraham.com/pubs/firewall-seen.html">
   FAQ: Firewall Forensics (What am I seeing?)</reference>
</protocol>

<protocol name="netconsole">
   <longname>netconsole</longname>
   <description>A protocol used for kernel debugging.</description>
   <network>
     <udp source="client" dest="server" direction="both">
       <source><port portnum="6665"/></source>
       <dest><port portnum="6666"/></dest>
     </udp>
   </network>
   <security threat="high" falsepos="low"/>
   <reference href="http://www.robertgraham.com/pubs/firewall-seen.html">
   FAQ: Firewall Forensics (What am I seeing?)</reference>
</protocol>

<protocol name="rdesktop">
   <longname>rdesktop - Windows Terminal Service</longname>
   <description>A protocol used to enable remote access of your Windows
machine</description>
   <classification class="session"/>
   <network>
     <tcp source="client" dest="server">
       <description>Request connection.</description>
       <source><port portnum="dynamic"/></source>
       <dest><port portnum="3389"/></dest>
     </tcp>
   </network>
   <security threat="high" falsepos="low"/>
   <reference href="http://www.robertgraham.com/pubs/firewall-seen.html">
   FAQ: Firewall Forensics (What am I seeing?)</reference>
</protocol>

<protocol name="svnserve">
   <longname>subversion - svn simple server</longname>
   <description>A protocol used to enable remote access to your subversion repositories</description>
   <classification class="file"/>
   <network>
     <tcp source="client" dest="server">
       <description>Request connection.</description>
       <source><port portnum="dynamic"/></source>
       <dest><port portnum="3690"/></dest>
     </tcp>
   </network>
   <security threat="high" falsepos="low"/>
   <reference href="http://www.robertgraham.com/pubs/firewall-seen.html">
   FAQ: Firewall Forensics (What am I seeing?)</reference>
</protocol>

<protocol name="smtp over SSL">
   <longname>SMTP - Simple Mail Transfer Protocol over SSL</longname>
   <description>SMTP is used to transfer and deliver email across the network.
   It is the standard for transmitting email across the Internet. This enables
   the SSL (secure socket layer) SMTP transmission. Note that this method
   for mail transmission is deprecated and you should use TLS instead which
   uses the normal port 25 instead.
</description>
   <classification class="mail"/>
   <network>
     <tcp>
       <source><port portnum="dynamic"/></source>
       <dest><port portnum="465"/></dest>
     </tcp>
   </network>
   <security threat="medium" falsepos="low"/>
   <reference href="http://www.robertgraham.com/pubs/firewall-seen.html">
   FAQ: Firewall Forensics (What am I seeing?)</reference>
</protocol>
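The entries in this message and Greg's mDns entry earlier in the thread share one shape. As an added example (my code, not Guarddog's), the validator below checks a single <protocol> entry for that shape before it is pasted into networkprotocoldb.xml: well-formed XML, the children every entry here carries, tcp/udp flows, and port specs that are either an in-range number or one of the symbolic names used in the thread. The required-children list and the symbolic-port set are assumptions taken from these entries, not from Guarddog's own parser; the two sample entries are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Symbolic port specs used by the entries in this thread; anything else must be a number.
SYMBOLIC_PORTS = {"nonprivileged", "dynamic"}
# Children every complete entry in the thread carries (assumed, not Guarddog's schema).
REQUIRED = ("longname", "description", "network", "security")

def validate_protocol(xml_text: str) -> list:
    """Return a list of problems with one <protocol> entry; empty means it looks sane."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != "protocol" or not root.get("name"):
        problems.append("root must be <protocol name=...>")
    for child in REQUIRED:
        if root.find(child) is None:
            problems.append(f"missing <{child}>")
    net = root.find("network")
    flows = list(net) if net is not None else []
    if not flows:
        problems.append("<network> defines no tcp/udp flow")
    for flow in flows:
        if flow.tag not in ("tcp", "udp"):
            problems.append(f"unknown flow element <{flow.tag}>")
        for end in ("source", "dest"):
            port = flow.find(f"{end}/port")
            if port is None:
                continue  # a side may be omitted, as in the tftp entry above
            spec = port.get("portnum", "")
            if spec in SYMBOLIC_PORTS:
                continue
            if not spec.isdigit() or not 1 <= int(spec) <= 65535:
                problems.append(f"<{flow.tag}> {end} port {spec!r} is not a valid port spec")
    return problems

# Constructed sample: the netconsole entry from this message, verbatim.
NETCONSOLE = """<protocol name="netconsole">
   <longname>netconsole</longname>
   <description>A protocol used for kernel debugging.</description>
   <network>
     <udp source="client" dest="server" direction="both">
       <source><port portnum="6665"/></source>
       <dest><port portnum="6666"/></dest>
     </udp>
   </network>
   <security threat="high" falsepos="low"/>
</protocol>"""

# Constructed sample: an entry whose opening '<' was lost from the first line while pasting.
BROKEN_SMTPS = """protocol name="smtp over SSL">
   <longname>SMTP over SSL</longname>
   <network><tcp><dest><port portnum="465"/></dest></tcp></network>
   <security threat="medium" falsepos="low"/>
</protocol>"""

if __name__ == "__main__":
    for name, text in (("netconsole", NETCONSOLE), ("smtp over SSL", BROKEN_SMTPS)):
        print(name, "->", validate_protocol(text) or "ok")
```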

Giorgio Fernando Pioda | 6 Nov 12:10 2006

Multiple interfaces

Hallo everybody,

I have a stupid question...

What happens if for example I have a running eth0 interface protected
with guarddog and I start a wireless interface (in my case ath0) and I
switch the default gateway? Am I still protected? I use guarddog with
ubuntu and/or debian etch

gfwp

CHristoph Hintermüller | 7 Nov 20:56 2006

Note about /etc/rc.firewall created by guarddog

Is it possible, if not already solved in a newer version (I am running 2.5.0), to make
guarddog's startup script /etc/rc.firewall call gawk and other programs by their
absolute path instead of relying on the $PATH variable? The latter may not be
initialized properly when /etc/rc.firewall is executed during startup. At least this
is the case with the linux distribution on my system: when booting the next time after
adjusting firewall settings I get the message that gawk and logger could not be found.
Making them be called by absolute path fixes this.

cu
Xris

-----------------------------------------
This E-Mail was sent through MagicMail

Download our Jump'n'Run "BlinkenSisters":
    http://www.blinkensisters.org

Gary Maxwell | 14 Nov 03:20 2006

clarification on firewalling

I'd like some clarification on firewalling. For the record, I am running 
Slackware 11.0.

My understanding is that the firewall script should be installed in the 
/etc/rc.d/rc.firewall position in order for the script to be executed at 
startup.

What I have found is that Guarddog installs the script to 
/etc/rc.firewall. I got tired of copying this to the /etc/rc.d/ 
directory every time I made changes so I made a symbolic link as follows:

ln -s /etc/rc.firewall /etc/rc.d/rc.firewall

As far as I know it works--though I see nothing at bootup as the words 
fly by.

I deleted the symbolic link to see if it was working on a test machine. 
What I found was that the firewall worked regardless of a sym link or 
file in the /etc/rc.d/ directory.

Does a firewall work just by being placed in the /etc directory? And do 
I need to place a link in the /etc/rc.d folder to start Guarddog at boot up?

A little confused as to what is happening here...

Didier Spaier | 14 Nov 10:13 2006

Re: clarification on firewalling

On Tuesday 14 November 2006 03:20, Gary Maxwell wrote:
> I'd like some clarification on firewalling. For the record, I am running 
> Slackware 11.0.
Congratulations! I run it too ;-)

> My understanding is that the firewall script should be installed in the 
> /etc/rc.d/rc.firewall position in order for the script to be executed at 
> startup.

This is correct.
As you can see, the script /etc/rc.d/rc.inet2 calls /etc/rc.d/rc.firewall if it is executable (provided
that rc.inet2 is itself executable, of course).

> What I have found is that Guarddog installs the script to 
> /etc/rc.firewall. I got tired of copying this to the /etc/rc.d/ 
> directory every time I made changes so I made a symbolic link as follows:
> 
> ln -s /etc/rc.firewall /etc/rc.d/rc.firewall
> 
This is what I did, too. You could have modified /etc/rc.inet2 instead to replace occurrences of
/etc/rc.d/rc.firewall by /etc/rc.firewall, but then in case of an update of rc.inet2 you would have to do that
again, so a symlink is a better solution IMHO.
>
> As far as I know it works--though I see nothing at bootup as the words 
> fly by.
> 
You can check if it works by issuing the command "iptables -L" as root. If you see all the rules set up by
guarddog, it works.

If you log firewall activity - which is done by default - you'll see a lot of lines about dropped packets
when issuing the dmesg command too, whilst you are connected to the Internet.

> I deleted the symbolic link to see if it was working on a test machine. 
> What I found was that the firewall worked regardless of a sym link or 
> file in the /etc/rc.d/ directory.
> 
> Does a firewall work just by being placed in the /etc directory? And do 
> I need to place a link in the /etc/rc.d folder to start Guarddog at boot up?

The firewall begins to work as soon as the script rc.firewall is executed - whether you do it yourself or let it be
done by /etc/rc.d/rc.inet2 at startup -- which is how it is supposed to work on Slackware.

By the way, at startup you don't need to run Guarddog (whose purpose is to update the firewalling rules by
updating rc.firewall) but rc.firewall (whose purpose is to apply the rules).
When you update the rules in guarddog, after you click "OK" Guarddog itself executes rc.firewall, so you
don't have to do it yourself either.
> A little confused as to what is happening here...

HTH,

Didier 

Didier Spaier | 14 Nov 23:46 2006

Re: clarification on firewalling

Hi Gary,

On Tuesday 14 November 2006 19:44, you wrote:
> I understand that "...the script /etc/rc.d/rc.inet2 calls 
> /etc/rc.d/rc.firewall if it is executable (provided that rc.inet2 is 
> itself executable, of course." However, the firewall still worked when 
> it was located in the /etc directory. Only when I moved the rc.firewall 
> script out of this directory did the firewall fail to work.
> 
> Am I correct in believing that as long as a firewall script is located 
> in the /etc folder it will still work? Apparently it does.
> 
In short: no.

First, let me remind you of some basics about firewalling on linux.

At startup, the kernel doesn't do any packet filtering.

The program iptables is used to set up rules for packet filtering; these rules are then applied by the kernel
to packets sent and/or received.

When you shut down the computer, these rules are lost. You'll have to set them up again at startup.

This is rc.firewall's job: when executed, it sets up the firewalling rules. Thus it should be executed at
every startup.

You can see rc.firewall as a file which contains the rules to apply; this file is first written by guarddog,
and updated by guarddog whenever you change the rules.

In short: for the firewall to be effective, the rc.firewall script has to be executed at startup.

This can be done several ways:
- by guarddog (when you click "OK" after updating rules)
- by yourself at any time; become root and issue the command:
<path>rc.firewall
- by rc.inet2, which issues the same command at startup.

Most of the time you'll let rc.inet2 start the script rc.firewall at startup.

For this to work, rc.inet2 has to know the path of rc.firewall -- in other words, where rc.firewall is located.

Now if you open rc.inet2 with your favorite text editor you'll see these lines:
# If there is a firewall script, run it before enabling packet forwarding.
# See the HOWTOs on http://www.netfilter.org/ for documentation on
# setting up a firewall or NAT on Linux.  In some cases this might need to
# be moved past the section below dealing with IP packet forwarding.
if [ -x /etc/rc.d/rc.firewall ]; then
  /etc/rc.d/rc.firewall start
fi

It means "if the file /etc/rc.d/rc.firewall is executable, then launch (or execute) it".

So, rc.inet2 assumes that rc.firewall is in the /etc/rc.d directory.

This is not the case, because guarddog writes this file in the /etc directory.

So we put in /etc/rc.d a symbolic link to /etc/rc.firewall; you know the command:
ln -s /etc/rc.firewall /etc/rc.d/rc.firewall
and you can check the result with the "ls -l /etc/rc.d/rc.firewall" command.

When executed, rc.inet2 will find the symlink /etc/rc.d/rc.firewall, which will drive it to
/etc/rc.firewall, which will be executed.

Remember: the location of rc.firewall is not important by itself; what is important is that whoever needs it
can find it - whoever being either:
- yourself (to execute it if you wish)
- guarddog (to write it and execute it)
- rc.inet2 (to execute it -- normally at startup when it is itself executed).

Sorry for my bad English - French is my mother tongue.

HTH,

Didier

PS Please address your questions to the list so that everybody can hear it and benefit from the answers.

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Simon Edwards | 15 Nov 20:33 2006

Re: Multiple interfaces

On Monday 06 November 2006 12:10, Giorgio Fernando Pioda wrote:
> Hallo everybody,
> I have a stupid question...
> What happens if for example I have a running eth0 interface protected
> with guarddog and I start a wireless interface (in my case ath0) and I
> switch the default gateway? Am I still protected? I use guarddog with
> ubuntu and/or debian etch

Shouldn't make a difference. Guarddog only looks at IP addresses and not 
directly at your routing / NIC setup.

cheers,

-- 
Simon Edwards             | KDE-NL, Guidance tools, Guarddog Firewall
simon <at> simonzone.com       | http://www.simonzone.com/software/
Nijmegen, The Netherlands | "ZooTV? You made the right choice."

Simon Edwards | 26 Nov 13:29 2006

Re: Some protocols (again)

On Thursday 02 November 2006 08:31, Vassilis Virvilis wrote:
> Protocols guarddog has not support yet but are useful to have
> 	TFTP: (for network booting)
> 	netconsole: (for kernel debugging)
> 	rdesktop: (for remote windows view)
> 	svnserve: (for non-ssh subversion users)
> 	smtp over SSL: (It is deprecated but maybe useful for some)
> 
> Others not listed here:
> 	apt-proxy: (port = 9999, Debian apt proxy daemon)
> 	SANE: (cannot be firewalled properly. Seriously compromises system security)

thanks. I'm adding them now and I'll endeavour to put a release out today.

cheers,

-- 
Simon Edwards             | KDE-NL, Guidance tools, Guarddog Firewall
simon <at> simonzone.com       | http://www.simonzone.com/software/
Nijmegen, The Netherlands | "ZooTV? You made the right choice."

