Is Firewall useful?

Dear all, I am working in a local university at a system that has a static (“bought”/global) ip address. I am connected to my department’s lan from where (through a gateway) I am getting access to the internet. There are of course firewalls set up by the university authorities. I wonder how helpful it would be to also enable my firewall and how I should configure it? I am running ssh and a remote desktop service so that I am able to connect to my computer remotely.

Regards
Alex

On Tue, 08 Jan 2013 18:26:02 +0000, alaios wrote:

> Dear all, I am working in a local university at a system that has a
> static (“bought”/global) ip address. I am connected to my department’s
> lan from where (through a gateway) I am getting access to the internet.
> There are of course set up firewalls from the university authorities. I
> wonder how much helpful would be to also enable my firewall and how
> should I configure it? I am running ssh and remote desktop service
> being able to connect to my computer remotely Regards Alex

Firewalls on your university’s network protect the university’s network.
They won’t protect you from (for example) someone inside the firewall
getting to your machine without your consent.

Use the default configuration (which is “enabled”). Open the ports for
the services you’re using (such as ssh) using the YaST firewall module.

I would tunnel the remote desktop over SSH, as VNC is typically not set
up to be encrypted, and the password scheme is trivially broken.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

Thanks a lot. Something I do not know then:
how do I do that with ssh? What if I am also running NX on the ssh port (nx and ssh use the same port)?

Regards
Alex

Jim Henderson wrote:
> On Tue, 08 Jan 2013 18:26:02 +0000, alaios wrote:
>
>> Dear all, I am working in a local university at a system that has a
>> static (“bought”/global) ip address. I am connected to my department’s
>> lan from where (through a gateway) I am getting access to the internet.
>> There are of course set up firewalls from the university authorities. I
>> wonder how much helpful would be to also enable my firewall and how
>> should I configure it? I am running ssh and remote desktop service
>> being able to connect to my computer remotely Regards Alex
>
> Firewalls on your university’s network protect the university’s network.
> They won’t protect you from (for example) someone inside the firewall
> getting to your machine without your consent.
>
> Use the default configuration (which is “enabled”). Open the ports for
> the services you’re using (such as ssh) using the YaST firewall module.

I agree with Jim. I think there are three considerations in deciding
whether you can turn off the firewall on your machine:

(1) Do you trust the people running the network firewall to do their job
competently and comprehensively? If not, you need to run your own
firewall to protect yourself from every attacker on the net.

(2) Do you have any data on your machine that must be maintained
confidential and/or must the machine be guaranteed to keep running? If
so, you need to run your own firewall to protect yourself from possible
attackers within the university.

(3) Do you regard your university’s policies for preventing network
users making attacks as effective (e.g. active detection of attack
activity, formal policy forbidding attacks, plus effective
punishment/sanctions for transgressors)? If not, you need to run your
own firewall to protect yourself from possible pranksters/idiots within
the university.

Any information you have about the number of incidents over previous
years and how the incidents were resolved might help guide you.

Thanks, I turned it on, but then there are these terms I do not understand,
like demilitarized zone and external zone.

Now one more question: I have ntp starting at boot, updating my system clock, through YaST -» NTP Configuration, Start NTP Daemon -» Now and on Boot, and I added a server. On the security tab there are now options for the firewall: Open Port in Firewall. Should I open it and why? I do not understand why the firewall would disable my external traffic.

Regards
Alex

My work computer is in a similar situation. I have the firewall on, with defaults. I open up the ssh service in the firewall settings.

Actually, I usually do that during install. With the DVD install image, there’s an option to run sshd and to open the firewall for ssh. I check that option. But I have also done it the other way. I have not run into any difficulties.

I use only public key authentication with ssh, and configure sshd to only allow that. If you allow password auth, then be sure to have a good password - there’s a lot of ssh hacking being attempted.

On Wed, 09 Jan 2013 09:46:01 +0000, alaios wrote:

> Thanks a lot. Something I do not know then: how do I do that with ssh
> ?

Something like:

ssh -L 5910:localhost:5900 user@remotehost.domain.com

That forwards local port 5910 to 5900 (the default VNC port) on the
remote system.

Then use your favourite VNC client and point it at localhost:10.

> What if I am also running on ssh port nx (nx and ssh use the same
> port)

If you can ssh to the box, then that’ll work. If you are running ssh on
an alternate port, then you need to specify the appropriate port in the
ssh command and use the same VNC connection string.

Jim


Jim Henderson
openSUSE Forums Administrator

On Wed, 09 Jan 2013 11:36:01 +0000, alaios wrote:

> Thanks I turned it on, but then there are these terms I do not
> understand,
> like demilitarized zone, and external zone.

Unless you have more than one network interface, you don’t need to worry
about that.

> Now one more question: I have ntp starting at boot, updating my
> system clock, through YaST -» NTP Configuration, Start NTP Daemon -» Now
> and on Boot, and I added a server. On the security tab there are now options
> for the firewall: Open Port in Firewall. Should I open it and why?
> I do not understand why the firewall would disable my external traffic.

The firewall is an ingress firewall only - it doesn’t block outbound
traffic at all.

With configuration of the NTP server (as an example), the port is opened
to allow other systems to use this system as an NTP time source.

Jim


Jim Henderson
openSUSE Forums Administrator

Hi there and thanks for the answer!

I decided to switch to xrdp,
and I am following the guide here
Windows Linux RDP Remote Desktop Connections using openSUSE as Client or Server (terminal server)

The question is if I set the security settings to high do I also need to do port forwarding (for security improvement?)

Finally I would also like to ask you how I can check that my firewall is protecting me. Any command to try from an external network for that?

Regards
Alex

one more question,
I have added the ssh port to my firewall configuration and it works nicely :slight_smile:

the question though now is: should I configure my host to drop ping packets and not reply back? I can always check with ssh that my host is up and running.

Any command to try from a client to see if I did it right?

Regards
Alex

On 2013-01-10 08:56, alaios wrote:
> Finally I would like also to ask you how I can check that my firewall
> is protecting me. Any command to try from an external network for that?

Look at the firewall log to see if there are rejected connections.

Use nmap from another computer.


Cheers/Saludos
Carlos E. R.

Carlos E. R. wrote:
> On 2013-01-10 08:56, alaios wrote:
>> Finally I would like also to ask you how I can check that my firewall
>> is protecting me. Any command to try from an external network for that?
>
> Look at the firewall log to see if there are rejected connections.
>
> Use nmap from another computer.

Note that running nmap may be against the terms of use of the university
network. It is sometimes a disciplinary offence. Check with the admins
first.

I guess you mean

sudo tail /var/log/firewall 

Any gui to make my life easier?

Alex

On 01/10/2013 02:36 PM, alaios wrote:
> Any gui to make my life easier?

what do you mean?

do you want see it in a GUI window with black text on a white
background, that you can scroll from top to bottom…and, grab the edge
and make it W_I_D_E ??

if so, in kde try:

-hold down Alt and press F2

-in the pop up blank near the top of the screen, type


kdesu kwrite /var/log/firewall

-provide the root password when asked

do NOT forget that kwrite is a text EDITOR, it would be unwise to make
changes to the log and then try to save it…always exit without
saving…and do NOT forget that instance of kwrite is ROOT powered…i
suggest when done looking at the log you CLOSE that kwrite…

alternatively, you might like to use the CLI tool of champions…have a
look at mc (it runs great as root and is an editor, file manager and dish
washer…)


dd http://tinyurl.com/DD-Caveat

On 2013-01-10 14:36, alaios wrote:

> I guess you mean
> Code:
> --------------------
> sudo tail /var/log/firewall
> --------------------

Yep. Or tailf, better.

> Any gui to make my life easier?

What for? :stuck_out_tongue:

You can see the text in editors, or special file viewers, but with any
of those, you still need to read yourself that log file and learn what
it means :slight_smile:


Cheers/Saludos
Carlos E. R.

> one more question,

Here’s one for you…

> I have added the ssh port to my firewall configuration and it works nicely :slight_smile:

Of course it does. Yast is great, as is SUSE and openSUSE.

> the question though now is: should I configure my host to drop ping
> packets and not reply back? I can always check with ssh that my host is
> up and running.

Yes, you could always test TCP ports, but what exactly do you expect to
get by blocking ICMP?

There are generally two sides to this camp; some favor blocking ICMP to
prevent being as visible, and others favor leaving it open for reasons
like “It’s the right thing to do” and “Crackers will find out anyway via
TCP scans.” Full disclosure: I belong to the latter camp.

My preference is that being a good network citizen and responding to ICMP
echo requests (pings) is the right thing to do. If I blocked it and
somebody wanted to know if I had a Linux box sitting there, they’d test
SSH (just like you will), or HTTP, or any of the other services likely to
be present on a box. If I have no services at all and they’re on the same
network a simple LAN trace will often reveal my box’s presence via ARP,
broadcasts or multicasts that I do not prevent from leaving my system. In
the end they could just attack my IP address without knowing
I’m there (which is, I think, often the case) because the guys who are
really worth avoiding control thousands or millions of boxes anyway. My
better defense is to be sure my box, once known, cannot be accessed by
those I do not want to have access.

On the other hand, if I block ICMP echo requests and I happen to be stuck
on a Windows 7 machine (by default) troubleshooting its failures
(which are many) and want to see if it can talk to my laptop, I cannot
test for connectivity to SSH without downloading an SSH client. Windows
does not have useful tools like netcat to simply test a port:

Code:

netcat -zv ip.address.goes.here 22

What’s that you say? telnet? Windows 7 does not come with it by
default, and even when Vista (oh joy) and others did come with it, it was
never as simple for testing TCP ports as netcat is. ‘ping’, however, is
still present on every OS I’ve ever seen. I bring this up because by
attempting to prevent the “bad guys” from seeing my box, and by being a
bad network citizen, I am preventing my own ability to use standard tools
for legitimate reasons. My belief is that this price is too high for the
potential benefit, but that’s my opinion. Those who believe differently
will likely put different values on the inability to be “seen” via ICMP
echo request packets.

Good luck.

On 2013-01-10 17:03, ab wrote:
> My preference is that being a good network citizen and responding to ICMP
> echo requests (pings) is the right thing to do.

Some time ago the system scripts in SuSE tested connectivity by pinging suse.de.
Currently this doesn’t work: neither suse.de, suse.com nor opensuse.org
responds to pings. The other day I thought I had a broken network because
of this.


Cheers/Saludos
Carlos E. R.

I think what I meant is to understand what is going on. Some viewers can do that for you. Interpret log files and convert their messages into a form that the naive user can understand easier.

I do not understand for example the below (I hide ip addresses)



sudo tail /var/log/firewall 
Jan 11 14:20:03 hostname kernel: [96087.877752] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=a4:22:db:ea:11:12:00:23:ae:60:ff:b2:08:00 SRC=152.131.228.65 DST=152.131.228.55 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61024 DF PROTO=TCP SPT=35130 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 OPT 

On 01/11/2013 02:46 PM, alaios wrote:
> I do not understand . . . SFW2-INext-DROP-DEFLT IN=eth0

what did you do to try to understand?

i don’t understand it either, but i find if i search on
“SFW2-INext-DROP-DEFLT” i get hits and the first several begin to gimme
an idea of what is happening…

try it (anyway, as far as i know there is no easy application (GUI or
otherwise) which can be used to short cut the path to
understanding–there is just TOO much out there . . . hmmmm, for example
it takes a good bit of effort to become a qualified Linux System
Administrator…and, every Linux system needs one…even mine.)

ymmv


dd http://tinyurl.com/DD-Caveat

On 2013-01-11 14:46, alaios wrote:
>
> I think what I meant is to understand what is going on. Some viewers can
> do that for you. Interpret log files and convert their messages into a
> form that the naive user can understand easier.

No such thing. Somebody would have to do it if he wishes. And if they
did it, it would be obsolete soon.

>
> I do not understand for example the below (I hide ip addresses)
>
> Code:
> --------------------
>
>
> sudo tail /var/log/firewall
> Jan 11 14:20:03 hostname kernel: [96087.877752] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=a4:22:db:ea:11:12:00:23:ae:60:ff:b2:08:00 SRC=152.131.228.65 DST=152.131.228.55 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61024 DF PROTO=TCP SPT=35130 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 OPT
> --------------------
>

susefirewall2 dropped by default rule, on the external interface (eth0),
an incoming packet… etc. Then you have the MAC address, the source IP
address, the source port, the destination port (443). If you look up the
port in the /etc/services file you see:


https           443/tcp    # http protocol over TLS/SSL

which is interesting.


Cheers/Saludos
Carlos E. R. (12.1 test at Minas-Anor)
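Carlos’s reading of the SFW2-INext-DROP-DEFLT line, written out as a small decoder (an added example, not code from this thread or from SuSEfirewall2 itself): it splits the log prefix into chain, zone, action and rule, reads the key=value fields, and looks the destination port up the way /etc/services does. The second sample line and the fallback services table are constructed.

```python
# Decode SuSEfirewall2 (SFW2) lines from /var/log/firewall into plain language.
import re, socket
# Constructed input: line 1 is quoted from the thread, line 2 is made up (UDP to 123/ntp).
SAMPLE_LOG = (
    "Jan 11 14:20:03 hostname kernel: [96087.877752] SFW2-INext-DROP-DEFLT "
    "IN=eth0 OUT= MAC=a4:22:db:ea:11:12:00:23:ae:60:ff:b2:08:00 "
    "SRC=152.131.228.65 DST=152.131.228.55 LEN=60 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=61024 DF PROTO=TCP SPT=35130 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 OPT\n"
    "Jan 11 14:22:41 hostname kernel: [96245.101010] SFW2-INext-DROP-DEFLT "
    "IN=eth0 OUT= MAC=a4:22:db:ea:11:12:00:23:ae:60:ff:b2:08:00 SRC=198.51.100.7 "
    "DST=152.131.228.55 LEN=76 TTL=52 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56\n")
# Fallback when /etc/services is absent (assumption: these three entries suffice).
SERVICES = {("tcp", 22): "ssh", ("tcp", 443): "https", ("udp", 123): "ntp"}
# Prefix layout: SFW2-<chain><zone>-<action>-<rule>, e.g. SFW2-INext-DROP-DEFLT
# = chain IN (incoming), zone ext (external), action DROP, rule DEFLT (default).
PREFIX_RE = re.compile(r"SFW2-(?P<chain>IN|OUT|FWD)(?P<zone>ext|int|dmz)?"
                       r"-(?P<action>[A-Z]+)-(?P<rule>\w+)")
DIRECTION = {"IN": "incoming", "OUT": "outgoing", "FWD": "forwarded"}

def service_name(proto, port):
    try:  # same lookup as reading /etc/services; fall back to the small table
        return socket.getservbyport(port, proto)
    except OSError:
        return SERVICES.get((proto, port), "unknown")

def parse_sfw2(line):
    """Return the decoded fields of one SFW2 line, or None if it is not one."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rest = line[m.end():]
    fields = dict(re.findall(r"(\w+)=(\S*)", rest))  # key=value: SRC, DST, DPT, ...
    proto = fields.get("PROTO", "").lower()
    dport = int(fields["DPT"]) if fields.get("DPT") else None
    return {"direction": DIRECTION[m["chain"]], "zone": m["zone"] or "",
            "action": m["action"], "rule": m["rule"],
            "iface": fields.get("IN") or fields.get("OUT"), "proto": proto,
            "src": fields.get("SRC"), "dst": fields.get("DST"), "dport": dport,
            "sport": int(fields["SPT"]) if fields.get("SPT") else None,
            "service": service_name(proto, dport) if dport else "",
            "syn": "SYN" in rest.split()}  # bare SYN flag = new connection attempt

def explain(line):
    p = parse_sfw2(line)  # one sentence per line, for reading the log by eye
    if p is None:
        return "not a SuSEfirewall2 log line"
    what = "new connection attempt" if p["syn"] else "packet"
    return (f"{p['action']} by rule {p['rule']}: {p['direction']} {p['proto']} {what} "
            f"on {p['iface']} ({p['zone']} zone) from {p['src']}:{p['sport']} "
            f"to {p['dst']}:{p['dport']} ({p['service']})")
```

Run it over `sudo tail /var/log/firewall` output line by line; a DROP with the SYN flag on a port you did not open is exactly the “rejected connection” Carlos suggests looking for.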