Firewall/Security for Puppy?

6tr6tr
Posts: 44
Joined: Wed 21 May 2008, 02:39

Firewall/Security for Puppy?

#1 Post by 6tr6tr »

What firewall/security options are there for Puppy?

Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#2 Post by Pizzasgood »


nipper
Posts: 150
Joined: Sat 22 Mar 2008, 16:08

Re: Firewall/Security for Puppy?

#3 Post by nipper »

6tr6tr wrote:What firewall/security options are there for Puppy?
I'm using Puppy 3.01 and this is for that version, you don't mention which version you have.

On the menu, under Setup there is a menu entry for Linux-Firewall Wizard. That script is designed to configure iptables for you. I chose to close all ports because I don't run any services that need to be accessible from outside the box. You can configure yours as you need. I think that menu option is still there in Dingo.

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#4 Post by Lobster »

special suit

also try here
http://pupweb.org/wikka/Security

6tr6tr
Posts: 44
Joined: Wed 21 May 2008, 02:39

Re: Firewall/Security for Puppy?

#5 Post by 6tr6tr »

nipper wrote:
6tr6tr wrote:What firewall/security options are there for Puppy?
I'm using Puppy 3.01 and this is for that version, you don't mention which version you have.

On the menu, under Setup there is a menu entry for Linux-Firewall Wizard. That script is designed to configure iptables for you. I chose to close all ports because I don't run any services that need to be accessible from outside the box. You can configure yours as you need. I think that menu option is still there in Dingo.
Using 4.0. I'll check that out, thanks. I do have to connect to a router via DHCP, any idea what port it needs to do that?

6tr6tr
Posts: 44
Joined: Wed 21 May 2008, 02:39

#6 Post by 6tr6tr »

What settings did you change? When I installed the firewall it has the setting (in rc.firewall):

PERMIT=""

Does that permit everything?

The only thing I want to permit is DHCP connection to/from the router, internal connections (so 192.168.x.x I believe) and use of the web browser. That's it. What changes should I make?

nipper
Posts: 150
Joined: Sat 22 Mar 2008, 16:08

#7 Post by nipper »

6tr6tr wrote:What settings did you change? When I installed the firewall it has the setting (in rc.firewall):

PERMIT=""

Does that permit everything?
No.
6tr6tr wrote:The only thing I want to permit is DHCP connection to/from the router, internal connections (so 192.168.x.x I believe) and use of the web browser. That's it. What changes should I make?
Trust the script. When I run it I select custom and make sure that no services are selected because I don't need any open to the outside. That sounds like what you want too.

You do not need to open a port for DHCP, your box requests an IP address and thus it expects an answer from the DHCP server. To put it simply, it's a bit like question-answer. With the ports closed, your box can still ask questions and accept answers to the questions it asks, but it ignores questions from outside.

otropogo

Re: Firewall/Security for Puppy?

#8 Post by otropogo »

6tr6tr wrote:
nipper wrote:
6tr6tr wrote:What firewall/security options are there for Puppy?
I'm using Puppy 3.01 and this is for that version, you don't mention which version you have.

On the menu, under Setup there is a menu entry for Linux-Firewall Wizard. That script is designed to configure iptables for you. I chose to close all ports because I don't run any services that need to be accessible from outside the box. You can configure yours as you need. I think that menu option is still there in Dingo.
Using 4.0. I'll check that out, thanks. I do have to connect to a router via DHCP, any idea what port it needs to do that?
After reading a few of the postings in this thread, I decided to test my Puppy (3.01 Retro) firewall configuration at Gibson Research's shields up page (www.grc.com).

I've always used Puppy Firewall configurator's "easy" option, and never worried about it. I assumed, since all I'm doing is browsing, and not trying to support a website, downloading, or file sharing, this setting would give me the same protection as the free Zone Labs firewall I use in Windows.

Apparently not!

Where Zonealarm passes all of the shields up tests except for hiding port 113 (which is merely closed) and my IP address, the Puppy "easy" firewall also failed GRC's "solicited TCP Packets" test, and the "Ping Reply" test, responding to both.

What's the solution?

otropogo

Re: Firewall/Security for Puppy?

#9 Post by otropogo »

otropogo wrote:...

After reading a few of the postings in this thread, I decided to test my Puppy (3.01 Retro) firewall configuration at Gibson Research's shields up page (www.grc.com).

I've always used Puppy Firewall configurator's "easy" option,...

Where Zonealarm passes all of the shields up tests except for hiding port 113 (which is merely closed) and my IP address, the Puppy "easy" firewall also failed GRC's "solicited TCP Packets" test, and the "Ping Reply" test, responding to both....
I've just finished reconfiguring the Linux firewall in Puppy 3.01Retro via the other two options : default, and custom.

"default" gave the same results as the "automatic/easy" option. Is there actually a difference in the settings?

With custom, I went down the list of services and made sure every one of them was unchecked, I also disabled all filesharing. As far as I can tell, I've disabled everything that can be disabled in the firewall using the Puppy configurator.

Yet the results of the GRC shields up test remain the same as for the easy and default settings! The firewall still fails the solicited TCP packet test, the Ping test, doesn't shield port 113, and doesn't hide my IP address.

In Windows 98SE I'm running a free version of Zonealarm that's several years old. You'd think a current Linux firewall would provide at least as much protection...

oblivious
Posts: 303
Joined: Sat 14 Apr 2007, 05:59
Location: Western Australia

#10 Post by oblivious »

the solicited TCP packet test
I can't see that one on Shields Up - what is that one for?

The firewall is set to accept pings - could somebody knowledgeable explain why the default is set to accept pings, and whether there's any problem deleting that rule/those rules?

otropogo

#11 Post by otropogo »

oblivious wrote:
the solicited TCP packet test
I can't see that one on Shields Up - what is that one for?

Solicited TCP Packets: RECEIVED (FAILED) — As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection. It is generally possible to increase your system's security by hiding it from the probes of potentially hostile hackers. Please see the details presented by the specific port links below, as well as the various resources on this site, and in our extremely helpful and active user community.
oblivious wrote:The firewall is set to accept pings - could somebody knowledgeable explain why the default is set to accept pings, and whether there's any problem deleting that rule/those rules?
I've cut and pasted the blurb about solicited TCP packets that shows on my screen after the test of "all ports". I'd like to hear from someone knowledgeable too...

oblivious
Posts: 303
Joined: Sat 14 Apr 2007, 05:59
Location: Western Australia

#12 Post by oblivious »

after the test of "all ports"
Ah, so that's a result to the port scan test, rather than a test in itself. Ok.

6tr6tr
Posts: 44
Joined: Wed 21 May 2008, 02:39

#13 Post by 6tr6tr »

I believe to fix the pinging (try it and tell me if it works) you edit "/etc/rc.d/rc.firewall" and change

RFC_1122_COMPLIANT="yes"

to

RFC_1122_COMPLIANT="no"

oblivious
Posts: 303
Joined: Sat 14 Apr 2007, 05:59
Location: Western Australia

#14 Post by oblivious »

try it and tell me if it works
Well, it changes the rules under "trusted" to drop but doesn't change the references to TRUSTED in the INPUT rules and reference to icmp in OUTPUT rules

BarryK
Puppy Master
Posts: 9392
Joined: Mon 09 May 2005, 09:23
Location: Perth, Western Australia

#15 Post by BarryK »

At least one person posting here is connecting to the Internet through a modem/router with dhcp server. In that case, the probes from grc.com are not testing your computer, they are testing the modem/router.
In that situation you may have a perfectly effective firewall running on your PC but it won't make any difference to what grc.com reports.

In my case, I have a satellite Internet connection and there is a router in the satellite (or it may be physically at a ground station, I'm not clear on that) and that is what grc.com reports on. So, the test can be completely misleading.

If you have analog dialup, then grc.com will be reporting the protection of your actual computer.

oblivious
Posts: 303
Joined: Sat 14 Apr 2007, 05:59
Location: Western Australia

#16 Post by oblivious »

the probes from grc.com are not testing your computer, they are testing the modem/router.
Yes, I am pretty sure only my router ever gets tested, but I had noticed that the iptables rules are set to allow "icmp pings". Is it just to comply with that RFC-1122-thing or is there a more practical reason for it?

Also I noticed when I changed that RFC-1122 setting to "no", I got 127.0.0.2:xxxxx "listening" (I'm pretty sure it related to that, because it wasn't there before, and when I changed it back, it disappeared). What is it and what's it listening for, does anyone know?

nipper
Posts: 150
Joined: Sat 22 Mar 2008, 16:08

#17 Post by nipper »

oblivious wrote:
the probes from grc.com are not testing your computer, they are testing the modem/router.
Yes, I am pretty sure only my router ever gets tested, but I had noticed that the iptables rules are set to allow "icmp pings". Is it just to comply with that RFC-1122-thing or is there a more practical reason for it?
In a configuration like yours, your LAN (local area network) inside a firewall in your router is shielded from the Internet. When there are several computers on a LAN like that it can be useful to be able to ping the other nodes to verify connection. That is a reason to allow the LAN (trusted network) to ping each other and answer. Those pings stay within the LAN. And as BarryK stated, the pings from outside are received and acted upon by the router. The router only lets through "answers" to "questions" that your host has made and no one on the outside can see your host, only the WAN interface of the router. Note: There will be a configuration page in your router options that will have a setting to not answer pings. In truth you are not at risk from those pings (some people will argue with that opinion) but you can set your router to drop them (not answer).

I can't answer your other question, not sure I really understand it fully, where are you seeing this?

oblivious
Posts: 303
Joined: Sat 14 Apr 2007, 05:59
Location: Western Australia

#18 Post by oblivious »

not sure I really understand it fully, where are you seeing this?
See page 1 - when you do what 6tr6tr said, you get what I wrote.

I don't have any other computers, there is no LAN, ..... BUT there are packets reaching the firewall. Where are they coming from? (I trust nothing, there is no trusted network....)

otropogo

#19 Post by otropogo »

BarryK wrote:At least one person posting here is connecting to the Internet through a modem/router with dhcp server.
I plead guilty!
BarryK wrote:In that case, the probes from grc.com are not testing your computer, they are testing the modem/router.
In that situation you may have a perfectly effective firewall running on your PC but it won't make any difference to what grc.com reports.
So how then can one check to see whether the firewall is working properly?

BTW - I just ran my Windows system with Zonealarm against GRC, and got exactly the same failure report. I'm quite sure nothing has changed in my router setup since I checked it previously, and I'm just as certain that I've never had anything but the failure to stealth port 113 reported by shields up before. So I'm wondering whether something has changed in the shields up testing within the last few months?

In any case, I apologize for the hasty unfavourable comparison of zonealarm and the linux firewall.

There are two remaining problems to my mind, however:

1. does running the Puppy firewall behind a router or even through any DSL connection serve any purpose at all? Your post suggests otherwise...

2. how do I properly configure and check the final product?

When finished using the firewall setup tool, it announces that the configuration will be saved in /tmp/rc.firewall, "if you choose not to continue". But Pfind can't locate this file. Searching for "rc.firewall", Pfind announces six results, but will only show four, all of which are symbolic links, and NONE from /tmp/rc.firewall.

If I "continue" firewall setup assures me that the firewall "is now running". But is it really? And how can I check this and the configuration being used?

oblivious
Posts: 303
Joined: Sat 14 Apr 2007, 05:59
Location: Western Australia

#20 Post by oblivious »

But is it really? And how can I check this and the configuration being used?
in a terminal, you type

iptables -vL

and the rules will be displayed.

The firewall script wizard adds the rules to iptables (which is part of the kernel). They'd drop off every time you shut down, which is where the rc.d, rc.firewall script comes in - it reloads the rules when you boot up.
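
Added example (not part of the original posts and not Puppy's rc.firewall): a local check of the loaded rules for the points raised in this thread, namely the "answers only" rule nipper describes in post #7, accepted pings, open ports such as 113, and the rule listing from post #20. The function name `audit_input_chain` and the `SAMPLE_RULES` dump are constructed for illustration; the script reads `iptables-save` or `iptables -S` style output and does not follow user-defined chains such as TRUSTED.

```shell
#!/bin/sh
# Added example: audit the INPUT chain of a filter-table dump read on stdin.
# Accepts `iptables-save` or `iptables -S` output. Prints one line per finding
# and returns 1 if anything needs a manual look, 0 otherwise.
# Limitation: rules inside user-defined chains are reported but not followed.
audit_input_chain() {
    awk '
    # Default policy: ":INPUT DROP [0:0]" (iptables-save) or "-P INPUT DROP" (-S)
    $1 == ":INPUT"              { policy = $2 }
    $1 == "-P" && $2 == "INPUT" { policy = $3 }
    $1 == "-A" && $2 == "INPUT" && match($0, /-j [A-Za-z0-9_]+/) {
        target = substr($0, RSTART + 3, RLENGTH - 3)
        if (target == "ACCEPT") {
            # The "answers to questions you asked" rule: replies only, no NEW
            if (/ESTABLISHED/ && !/NEW/) { stateful = 1; next }
            if (/--icmp-type (8|echo-request) /) { print "PING  " $0; bad++; next }
            if (match($0, /--dports? [0-9:,]+/)) {
                print "OPEN  " substr($0, RSTART, RLENGTH); bad++
            }
        } else if (target !~ /^(DROP|REJECT|LOG|RETURN)$/) {
            print "JUMP  " target " (user chain, not followed)"; bad++
        }
    }
    END {
        if (policy != "DROP") { print "POLICY INPUT default is " (policy ? policy : "unknown"); bad++ }
        if (!stateful)        { print "STATE no ESTABLISHED,RELATED accept rule"; bad++ }
        exit (bad > 0)
    }'
}

# Constructed sample dump in iptables-save format (not taken from a real machine)
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TRUSTED - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/16 -j TRUSTED
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
COMMIT'

# On a live system (as root): iptables-save -t filter | audit_input_chain
printf '%s\n' "$SAMPLE_RULES" | audit_input_chain || true
```

Because it reads the rules from the machine itself, the result does not depend on what a router in front of the PC answers to an external scan.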
