On 10/22/2010 04:29 PM, Rob Owens wrote:
> On Fri, Oct 22, 2010 at 03:00:40PM -0400, Gilbert Sullivan wrote:
>> On 10/22/2010 01:56 PM, Rob Owens wrote:
>>> On Fri, Oct 22, 2010 at 01:50:11PM -0400, Gilbert Sullivan wrote:
>>>> list's moderator hasn't got back to me. It appears that the rules I want
>>>> in iptables are not in effect at all until I actually bring up the
>>>> Firestarter user interface during a given session. Once I log off
>>>> (restart not necessary) the rules are apparently reset to the default.
>>>
>>> You can check this by running (as root):
>>>
>>> iptables -L
>>>
>>> If there are no firewall rules active, it will look something like this:
>>>
>>> Chain INPUT (policy ACCEPT)
>>> target     prot opt source               destination
>>>
>>> Chain FORWARD (policy ACCEPT)
>>> target     prot opt source               destination
>>>
>>> Chain OUTPUT (policy ACCEPT)
>>> target     prot opt source               destination
>>>
>>> -Rob
>>
>> Thanks, Rob.
>>
>> I set up the rules in Firestarter. I reboot. This is what I get:
>>
>> # iptables -L
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain FORWARD (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
> <lots of stuff snipped>
>
> It definitely looks like you have no active firewall until you run
> firestarter manually.
>
> I'm not very familiar with firestarter, but it seems like it should
> start automatically on boot because as soon as you boot up and get a network
> connection, you are vulnerable.

Yes, indeed. My reading of the firestarter docs indicates that it isn't supposed to matter whether or not you start the application in your operating session. You only start firestarter when you want to change settings -- or if you want to use it to monitor the firewall.

It definitely didn't use to behave this way, but it has been a while since I needed to do this, so I have no idea when the behavior changed or what might have caused the change. That means that I've been connecting to that other network with my firewall doing nothing -- which may not matter a lot because I wasn't configured to make any services available since I was using SSH a few months ago.

> Is there a /etc/default/firestarter file?  Does it say to run
> firestarter at startup?  Install and run sysv-rc-conf.  Does it say that
> firestarter is supposed to be started in your runlevel?  (default
> runlevel is 2 for Debian).  Are there any other conf files you could
> check?  /etc/firestarter.conf, for instance?

No /etc/default/firestarter file and no /etc/firestarter.conf or anything like them.

There is an /etc/init.d/firestarter file and an /etc/firestarter/configuration file (the latter being present in its directory with a whole bunch of other files).

I already had sysv-rc-conf. Very nice utility. It shows an X mark for firestarter (firestart$) in run levels 2, 3, 4, 5, and S. It's definitely not sitting in the notification area when I log on, but it never has done that before, and it worked just fine back then. I'm guessing that firestarter isn't starting in any of those run levels -- or at least not in all of them. I looked in syslog and dmesg and didn't see anything that seemed related to either iptables or firestarter. I'm not sure where I should look to find out.

This application has always just worked in that it never came up automatically in the user's session, but iptables was definitely configured and operating properly without firestarter being up and running visibly. I don't know when this changed, but I definitely tested it enough when I used it before to know that I could only connect from a specific IP address. (I moved these systems from network to network back then, and I would always have to open firestarter on the desktop to change the rule to allow a different IP address for the notebook on a different network.)

I've tried registering for the moderated firestarter list so I could post for help there, but I've received no response from the moderator. And I tried to post directly without waiting for a subscription, but was rebuffed by an automated bounce telling me that I'd be notified if the moderator decided to let my post go to the list.

In the meantime I can be sort of safe on that oddball network (It's the only other network I do this on besides my home network.) by manually launching the application every time I log in, though this is obviously not a very good solution.

I use Xfce as my DE, so firestarter seems to be about my only simple / GUI alternative without installing a bunch of KDE packages. (I think there are three or four GUI-type firewall configurers for KDE.)

It's the beginning of the weekend. I guess I've got a project to work on.

;-)

Thank you for your help. Please let me know if you can think of a good way to proceed. Otherwise, I'm just going to have to do some slogging.

Regards,
Gilbert
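Rob's `iptables -L` check, turned into a small script that tells an empty post-boot table apart from a loaded one. This is an added example, not code from the thread: the two rulesets it inspects are constructed samples (the first copies the empty output quoted above, the second adds a hypothetical SSH rule and a DROP policy).

```shell
#!/bin/sh
# Added example: classify `iptables -L` output as "inactive" (no rules, every
# built-in chain at policy ACCEPT, i.e. what the thread saw after boot) or "active".
# Constructed sample 1: the empty table quoted in the thread.
EMPTY_RULESET='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed sample 2: one hypothetical rule and a restrictive INPUT policy.
SAMPLE_RULESET='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  192.0.2.10           anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# count_rules: number of rule lines on stdin, i.e. everything that is not a
# "Chain ..." header, a "target ..." column header or a blank separator.
count_rules() {
    grep -v -e '^Chain ' -e '^target ' -e '^$' | wc -l | tr -d ' '
}

# accept_policy_chains: space-separated names of chains whose policy is ACCEPT.
accept_policy_chains() {
    sed -n 's/^Chain \([A-Z]*\) (policy ACCEPT)$/\1/p' | tr '\n' ' ' | sed 's/ $//'
}

# firewall_state: "inactive" when there are no rules and all three built-in
# chains default to ACCEPT, otherwise "active".
firewall_state() {
    out=$(cat)
    rules=$(printf '%s\n' "$out" | count_rules)
    accept=$(printf '%s\n' "$out" | accept_policy_chains)
    if [ "$rules" -eq 0 ] && [ "$accept" = "INPUT FORWARD OUTPUT" ]; then
        echo inactive
    else
        echo active
    fi
}

# Live use (as root): iptables -L | firewall_state. Here: the constructed samples.
printf '%s\n' "$EMPTY_RULESET" | firewall_state
printf '%s\n' "$SAMPLE_RULESET" | firewall_state
```

Run it from a boot-time script or a cron job and you get a one-word answer to the question the thread spent several mails on: whether the rules Firestarter wrote are actually loaded right now.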


Archive: http://lists.debian.org/4cc214c2.5060...@comcast.net