YaST Firewall question

Greetings,

I’m looking forward to the release of openSUSE 11.4, which I’m looking to install as an Internet facing gateway on a mini-ITX machine with 2 Ethernet cards. As such I’ve been reading up on the YaST Firewall trying to find out to configure it, and there’s one thing I’d like to be able to do: ‘stealth’ all the firewall ports.

In other words, if someone were to hypothetically do a port scan of my external IP address, I would rather they not know whether any of the ports on my gateway are open or closed, so instead of replying with the status of those ports the packets get dropped. I’ve been able to do this with a product called Astaro Security Gateway, which I currently have installed on a second hand Dell Optiplex machine, but I am now looking into the possibility of installing this as a virtual machine inside an openSUSE 11.4 host (extra level of security) and would like the same functionality for the host OS.

Can the firewall in openSUSE do this? Any help would be appreciated.

Thanks.

Regards,

Jon.

On 03/05/2011 03:06 PM, jonitfcfan wrote:
>
> Can the firewall in openSUSE do this? Any help would be appreciated.

yes, https://www.grc.com/ reports mine as “Your system has achieved a
perfect “TruStealth” rating. Not a single packet — solicited or
otherwise — was received from your system as a result of our security
probing tests. Your system ignored and refused to reply to repeated
Pings (ICMP Echo Requests). From the standpoint of the passing probes
of any hacker, this machine does not exist on the Internet. Some
questionable personal security systems expose their users by
attempting to “counter-probe the prober”, thus revealing themselves.
But your system wisely remained silent in every way. Very nice.”

that is with a default installed openSUSE firewall…but, i did have
to find the setting (in the router) to stop it from answering pings…


DenverD
CAVEAT: http://is.gd/bpoMD
[NNTP posted w/openSUSE 11.3, KDE4.5.5, Thunderbird3.0.11, nVidia
173.14.28 3D, Athlon 64 3000+]
“It is far easier to read, understand and follow the instructions than
to undo the problems caused by not.” DD 23 Jan 11

Thanks for the reply,

When you say ‘router’ are you referring to your separate ADSL router, or is your main router an openSUSE box? Can the openSUSE firewall be set to stop answering pings in the same fashion if it directly faces the Internet? This would be ideal since this would potentially be the first device (apart from my ADSL modem) that would be reached in this setup from the outside.

If not, how could I go about enabling such functionality in openSUSE?

On 03/05/2011 07:36 PM, jonitfcfan wrote:
>
> Thanks for the reply,
>
> DenverD;2298685 Wrote:
>> i did have to find the setting (in the router) to stop it from answering
>> pings…
>
> When you say ‘router’ are you referring to your separate ADSL router, or
> is your main router an openSUSE box? Can the openSUSE firewall be set
> to stop answering pings in the same fashion if it directly faces the
> Internet? This would be ideal since this would potentially be the first
> device (apart from my ADSL modem) that would be reached in this setup
> from the outside.
>
> If not how could I go about enabling such functionality in openSUSE?
>
>

If you want to stop replying to ping, issue the command:

sysctl -w net.ipv4.icmp_echo_ignore_all=1

To turn it back:
sysctl -w net.ipv4.icmp_echo_ignore_all=1

Vahis

http://waxborg.servepics.com
openSUSE 11.4 (x86_64)
2.6.37.2-4-default

On 03/05/2011 07:48 PM, Vahis wrote:
> On 03/05/2011 07:36 PM, jonitfcfan wrote:
>>
>> Thanks for the reply,
>>
>> DenverD;2298685 Wrote:
>>> i did have to find the setting (in the router) to stop it from answering
>>> pings…
>>
>> When you say ‘router’ are you referring to your separate ADSL router, or
>> is your main router an openSUSE box? Can the openSUSE firewall be set
>> to stop answering pings in the same fashion if it directly faces the
>> Internet? This would be ideal since this would potentially be the first
>> device (apart from my ADSL modem) that would be reached in this setup
>> from the outside.
>>
>> If not how could I go about enabling such functionality in openSUSE?
>>
>>
>
> If you want to stop replying to ping, issue the command:
>
> sysctl -w net.ipv4.icmp_echo_ignore_all=1
>
> To turn it back:
> sysctl -w net.ipv4.icmp_echo_ignore_all=1
>
> Vahis
Sorry, mistake:
To turn it back on:

sysctl -w net.ipv4.icmp_echo_ignore_all=0

Vahis

http://waxborg.servepics.com
openSUSE 11.4 (x86_64)
2.6.37.2-4-default

Your protection from the Internet should be in your router. When you want your openSUSE box not to respond to requests from the internet, you should first configure your router to forward all those requests to your openSUSE box (else they wouldn’t even arrive there) and then not answer to them. Seems a bit idiotic to me.

When you want to hide your ports from the internet, that should be done in your router (like DenverD did). In your openSUSE box, you can only hide from other systems in your LAN (if there are any), but when this is a home LAN, it seems a bit ridiculous to me that you want to hide from a portscan started on your wife’s system.

On 03/05/2011 06:36 PM, jonitfcfan wrote:
>
> When you say ‘router’ are you referring to your separate ADSL router, or
> is your main router an openSUSE box?

here, between my openSUSE computer and the ISP provided ADSL “modem”
is a router which by default answered pings, but does no longer…

> Can the openSUSE firewall be set to stop answering pings

yes, as another has already answered…


DenverD
CAVEAT: http://is.gd/bpoMD
[NNTP posted w/openSUSE 11.3, KDE4.5.5, Thunderbird3.0.11, nVidia
173.14.28 3D, Athlon 64 3000+]
“It is far easier to read, understand and follow the instructions than
to undo the problems caused by not.” DD 23 Jan 11

On 03/05/2011 08:36 PM, hcvv wrote:
>
> Your protection from the Internet should be in your router. When you
> want your openSUSE box not to respond to requests from the internet, you
> should first configure your router to forward all those requests to your
> openSUSE box (else they wouldn’t even arrive there) and then not answer
> to them. Seems a bit idiotic to me.
>
> When you want to hide your ports from the internet, that should be
> done in your router (like DenverD did). In your openSUSE box, you can
> only hide from other systems in your LAN (if there are any), but when
> this is a home LAN, it seems a bit ridiculous to me that you want to
> hide from a portscan started on your wife’s system.
>
>

I’m not hiding at all.
My machines listen to http, ssh, ping and so on.

Vahis

http://waxborg.servepics.com
openSUSE 11.4 (x86_64)
2.6.37.2-4-default

This is of course all about those ports you are not serving and you want to "‘stealth’ all the firewall ports".
I suppose you mean the ports you are not serving. But I admit that your post #1 is a bit vague: “I would rather they not know whether any of the ports on my gateway are open or closed,”. When they are open they “report” as open. Else nobody could use your service.

When your openSUSE box is directly connected to the Internet, you have no router and thus your openSUSE must indeed do the work. This is all about IPtables. I do not know (but I think it is possible) how to tell, using IPtables, that you do not want to give any answer on your unused ports. But you can of course not do that on used ports. I do not know if SuSEfirewall2 (configured with YaST) can cope with this. But you could add your own IPtables statements to the configuration.

The only things I can mention to you:
. Look through */etc/sysconfig/SuSEfirewall2*, there is information there.
. Try to find info on the internet about IPtables, especially of course about your “silent” subject.
. Wait a bit, people now asleep could come later to this thread with much better advice.
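As an added example (not posted by anyone in this thread, and not SuSEfirewall2's own mechanism), the following script puts together the two pieces discussed above: Vahis's sysctl setting made persistent, and the kind of "own IPtables statements" hcvv mentions, written as an iptables-restore ruleset whose default policy is DROP rather than REJECT, so that unsolicited packets on the WAN side get no answer at all. The WAN interface name eth0 and the served ports 22 and 80 are constructed assumptions; the script only emits text and applies nothing.

```shell
#!/bin/sh
# Added example, not from the thread. Emits (a) an iptables-restore ruleset that
# silently DROPs unsolicited traffic on the Internet-facing interface, so closed
# ports send neither a TCP RST nor an ICMP unreachable, and (b) a sysctl.d
# fragment that stops the kernel answering ICMP echo. Constructed assumptions:
# WAN interface eth0, served TCP ports 22 and 80. Forwarding/NAT between the two
# NICs of the gateway is not covered. Usage after reviewing the output:
#   sh stealth.sh rules eth0 "22 80" | iptables-restore
#   sh stealth.sh sysctl > /etc/sysctl.d/99-stealth.conf && sysctl --system

# stealth_rules WAN_IF "PORT PORT ..."  -> iptables-restore text on stdout
stealth_rules() {
    wan="$1"; ports="$2"
    printf '%s\n' '*filter'
    # Default policy DROP: anything not explicitly accepted is discarded without reply.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this box opened itself are allowed back in.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Only the served ports accept new connections on the WAN side; every other
    # port falls through to the DROP policy, which is what makes it "stealth".
    for p in $ports; do
        printf '%s\n' "-A INPUT -i $wan -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited logging of what gets dropped, so a port scan shows up in syslog.
    printf '%s\n' "-A INPUT -i $wan -m limit --limit 5/min -j LOG --log-prefix \"FW-DROP: \""
    printf '%s\n' 'COMMIT'
}

# stealth_sysctl -> sysctl.d fragment making icmp_echo_ignore_all survive a reboot
stealth_sysctl() {
    printf '%s\n' 'net.ipv4.icmp_echo_ignore_all = 1'
}

# ruleset_uses_reject RULESET -> exit 0 if any rule uses REJECT; a REJECT target
# answers with RST/unreachable and therefore reveals the port as closed.
ruleset_uses_reject() {
    printf '%s\n' "$1" | grep -q -e '-j REJECT'
}

case "${1:-}" in
    rules)  stealth_rules "${2:-eth0}" "${3:-22 80}" ;;
    sysctl) stealth_sysctl ;;
esac
```

Check the result against an outside scanner (as DenverD did with GRC) only after confirming the served ports still answer, since a scanner cannot tell a stealthed box from an unplugged one.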

As I mentioned earlier I currently use Astaro Security Gateway software (Linux-based, by the way) installed on a second hand machine as my router, and this has options allowing you to ‘stealth’ [hide] all ports on the machine regardless of whether they’re in use or not. I can PM my DNS hostname if you want to try it out, I have confidence in my setup :)!

I’m not sure whether the developers use some sort of custom Linux process/configuration to achieve this or whether there’s some sort of complex setup possible with either IP tables or other Linux packages/configurations, hence my original post. I don’t like the idea of someone out there knowing a potential port to either TCP flood or otherwise hack into our network with, especially if I choose to have a private web/FTP server sitting behind the firewall.

Thanks for the advice, I’ll sit tight in case someone posts here with another helpful tip.