Firewall/Security for Puppy?
What firewall/security options are there for Puppy?
- Pizzasgood
- Posts: 6183
- Joined: Wed 04 May 2005, 20:28
- Location: Knoxville, TN, USA
Re: Firewall/Security for Puppy?
6tr6tr wrote: What firewall/security options are there for Puppy?
I'm using Puppy 3.01 and this is for that version, you don't mention which version you have.
On the menu, under Setup there is a menu entry for Linux-Firewall Wizard. That script is designed to configure iptables for you. I chose to close all ports because I don't run any services that need to be accessible from outside the box. You can configure yours as you need. I think that menu option is still there in Dingo.
Re: Firewall/Security for Puppy?
6tr6tr wrote: What firewall/security options are there for Puppy?
nipper wrote: I'm using Puppy 3.01 and this is for that version, you don't mention which version you have. On the menu, under Setup there is a menu entry for Linux-Firewall Wizard. That script is designed to configure iptables for you. I chose to close all ports because I don't run any services that need to be accessible from outside the box. You can configure yours as you need. I think that menu option is still there in Dingo.
Using 4.0. I'll check that out, thanks. I do have to connect to a router via DHCP, any idea what port it needs to do that?
What settings did you change? When I installed the firewall it has the setting (in rc.firewall):
PERMIT=""
Does that permit everything?
The only thing I want to permit is DHCP connection to/from the router, internal connections (so 192.168.x.x I believe) and use of the web browser. That's it. What changes should I make?
6tr6tr wrote: What settings did you change? When I installed the firewall it has the setting (in rc.firewall):
PERMIT=""
Does that permit everything?
No.
6tr6tr wrote: The only thing I want to permit is DHCP connection to/from the router, internal connections (so 192.168.x.x I believe) and use of the web browser. That's it. What changes should I make?
Trust the script. When I run it I select custom and make sure that no services are selected because I don't need any open to the outside. That sounds like what you want too.
You do not need to open a port for DHCP, your box requests an IP address and thus it expects an answer from the DHCP server. To put it simply, it's a bit like question-answer. With the ports closed, your box can still ask questions and accept answers to the questions it asks, but it ignores questions from outside.
Re: Firewall/Security for Puppy?
6tr6tr wrote: What firewall/security options are there for Puppy?
nipper wrote: I'm using Puppy 3.01 and this is for that version, you don't mention which version you have. On the menu, under Setup there is a menu entry for Linux-Firewall Wizard. That script is designed to configure iptables for you. I chose to close all ports because I don't run any services that need to be accessible from outside the box. You can configure yours as you need. I think that menu option is still there in Dingo.
6tr6tr wrote: Using 4.0. I'll check that out, thanks. I do have to connect to a router via DHCP, any idea what port it needs to do that?
After reading a few of the postings in this thread, I decided to test my Puppy (3.01 Retro) firewall configuration at Gibson Research's shields up page (www.grc.com).
I've always used Puppy Firewall configurator's "easy" option, and never worried about it. I assumed, since all I'm doing is browsing, and not trying to support a website, downloading, or file sharing, this setting would give me the same protection as the free Zone Labs firewall I use in Windows.
Apparently not!
Where Zonealarm passes all of the shields up tests except for hiding port 113 (which is merely closed) and my IP address, the Puppy "easy" firewall also failed GRC's "solicited TCP Packets" test, and the "Ping Reply" test, responding to both.
What's the solution?
Re: Firewall/Security for Puppy?
otropogo wrote: ... After reading a few of the postings in this thread, I decided to test my Puppy (3.01 Retro) firewall configuration at Gibson Research's shields up page (www.grc.com). I've always used Puppy Firewall configurator's "easy" option,... Where Zonealarm passes all of the shields up tests except for hiding port 113 (which is merely closed) and my IP address, the Puppy "easy" firewall also failed GRC's "solicited TCP Packets" test, and the "Ping Reply" test, responding to both....
I've just finished reconfiguring the Linux firewall in Puppy 3.01 Retro via the other two options: default, and custom.
"default" gave the same results as the "automatic/easy" option. Is there actually a difference in the settings?
With custom, I went down the list of services and made sure every one of them was unchecked, I also disabled all filesharing. As far as I can tell, I've disabled everything that can be disabled in the firewall using the Puppy configurator.
Yet the results of the GRC shields up test remain the same as for the easy and default settings! The firewall still fails the solicited TCP packet test, the Ping test, doesn't shield port 113, and doesn't hide my IP address.
In Windows 98SE I'm running a free version of Zonealarm that's several years old. You'd think a current Linux firewall would provide at least as much protection...
Quote: the solicited TCP packet test
oblivious wrote: I can't see that one on Shields Up - what is that one for?
Solicited TCP Packets: RECEIVED (FAILED) — As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection. It is generally possible to increase your system's security by hiding it from the probes of potentially hostile hackers. Please see the details presented by the specific port links below, as well as the various resources on this site, and in our extremely helpful and active user community.
I've cut and pasted the blurb about solicited TCP packets that shows on my screen after the test of "all ports".
oblivious wrote: The firewall is set to accept pings - could somebody knowledgeable explain why the default is set to accept pings, and whether there's any problem deleting that rule/those rules?
I'd like to hear from someone knowledgeable too...
- BarryK
- Puppy Master
- Posts: 9392
- Joined: Mon 09 May 2005, 09:23
- Location: Perth, Western Australia
At least one person posting here is connecting to the Internet through a modem/router with dhcp server. In that case, the probes from grc.com are not testing your computer, they are testing the modem/router.
In that situation you may have a perfectly effective firewall running on your PC but it won't make any difference to what grc.com reports.
In my case, I have a satellite Internet connection and there is a router in the satellite (or it may be physically at a ground station, I'm not clear on that) and that is what grc.com reports on. So, the test can be completely misleading.
If you have analog dialup, then grc.com will be reporting the protection of your actual computer.
https://bkhome.org/news/
Quote: the probes from grc.com are not testing your computer, they are testing the modem/router.
Yes, I am pretty sure only my router ever gets tested, but I had noticed that the iptables rules are set to allow "icmp pings". Is it just to comply with that RFC-1122-thing or is there a more practical reason for it?
Also I noticed when I changed that RFC-1122 setting to "no", I got 127.0.0.2:xxxxx "listening" (I'm pretty sure it related to that, because it wasn't there before, and when I changed it back, it disappeared). What is it and what's it listening for, does anyone know?
Quote: the probes from grc.com are not testing your computer, they are testing the modem/router.
oblivious wrote: Yes, I am pretty sure only my router ever gets tested, but I had noticed that the iptables rules are set to allow "icmp pings". Is it just to comply with that RFC-1122-thing or is there a more practical reason for it?
In a configuration like yours, your LAN (local area network) inside a firewall in your router is shielded from the Internet. When there are several computers on a LAN like that it can be useful to be able to ping the other nodes to verify connection. That is a reason to allow the LAN (trusted network) to ping each other and answer. Those pings stay within the LAN. And as BarryK stated, the pings from outside are received and acted upon by the router. The router only lets through "answers" to "questions" that your host has made and no one on the outside can see your host, only the WAN interface of the router. Note: There will be a configuration page in your router options that will have a setting to not answer pings. In truth you are not at risk from those pings (some people will argue with that opinion) but you can set your router to drop them (not answer).
I can't answer your other question, not sure I really understand it fully, where are you seeing this?
Quote: not sure I really understand it fully, where are you seeing this?
See page 1 - when you do what 6tr6tr said, you get what I wrote.
I don't have any other computers, there is no LAN, ..... BUT there are packets reaching the firewall. Where are they coming from? (I trust nothing, there is no trusted network....)
BarryK wrote: At least one person posting here is connecting to the Internet through a modem/router with dhcp server.
I plead guilty!
BarryK wrote: In that case, the probes from grc.com are not testing your computer, they are testing the modem/router. In that situation you may have a perfectly effective firewall running on your PC but it won't make any difference to what grc.com reports.
So how then can one check to see whether the firewall is working properly?
BTW - I just ran my Windows system with Zonealarm against GRC, and got exactly the same failure report. I'm quite sure nothing has changed in my router setup since I checked it previously, and I'm just as certain that I've never had anything but the failure to stealth port 113 reported by shields up before. So I'm wondering whether something has changed in the shields up testing within the last few months?
In any case, I apologize for the hasty unfavourable comparison of zonealarm and the linux firewall.
There are two remaining problems to my mind, however:
1. does running the Puppy firewall behind a router or even through any DSL connection serve any purpose at all? Your post suggests otherwise...
2. how do I properly configure and check the final product?
When finished using the firewall setup tool, it announces that the configuration will be saved in /tmp/rc.firewall, "if you choose not to continue". But Pfind can't locate this file. Searching for "rc.firewall", Pfind announces six results, but will only show four, all of which are symbolic links, and NONE from /tmp/rc.firewall.
If I "continue" firewall setup assures me that the firewall "is now running". But is it really? And how can I check this and the configuration being used?
Quote: But is it really? And how can I check this and the configuration being used?
In a terminal, you type
iptables -vL
and the rules will be displayed.
The firewall script wizard adds the rules to iptables (which is part of the kernel). They'd drop off every time you shut down, which is where the rc.d, rc.firewall script comes in - it reloads the rules when you boot up.
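The check described in the last post, and the "answers to questions it asks" behaviour nipper describes earlier, can be made repeatable by summarising the rule listing instead of reading it by eye. This is an added example, not part of the original thread or of Puppy's rc.firewall; it assumes an iptables that supports `-S`, and the function names and both sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): summarise what the INPUT chain lets in.
# Reads `iptables -S` text on stdin; live use as root: iptables -S | audit_input
# Assumption: rules sit directly in INPUT; user-defined chains are only counted.
audit_input() {
    awk '
    $1 == "-P" && $2 == "INPUT" { policy = $3 }
    $1 == "-A" && $2 == "INPUT" && / -j / &&
        !/ -j (ACCEPT|DROP|REJECT|LOG|RETURN)( |$)/ { jumps++ }
    $1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ {
        if (/-i lo( |$)/) next              # loopback never leaves the box
        if (/--dports? /) {                 # a port opened to new connections
            for (i = 1; i < NF; i++)
                if ($i ~ /^--dports?$/) open = open (open != "" ? "," : "") $(i + 1)
            next
        }
        # Stateful rule: only replies to connections this box started get in
        if (/--(state|ctstate) [A-Z,]*ESTABLISHED/) stateful = 1
        # ICMP accepted with no type given, or echo-request (type 8): pings answered
        else if (/-p icmp/ && (!/--icmp-type/ || /--icmp-type (8|echo-request)/)) ping = 1
    }
    END {
        printf "policy=%s stateful=%s ping=%s open=%s jumps=%d\n",
            (policy != "" ? policy : "unknown"), (stateful ? "yes" : "no"),
            (ping ? "answered" : "ignored"), (open != "" ? open : "none"), jumps
    }'
}

# Constructed sample: everything closed, replies allowed.
sample_closed() {
    cat <<'EOF'
-P INPUT DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Constructed sample: same, plus ping replies and one open TCP port.
sample_loose() {
    cat <<'EOF'
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
EOF
}

sample_closed | audit_input
sample_loose | audit_input
```

A `jumps` value above 0 means part of the ruleset lives in user-defined chains that this summary does not follow; list each one with `iptables -S CHAINNAME`.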