(OLD) (ARCHIVED) Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info

This forum can also be accessed as http://oldforum.puppylinux.com
It is now read-only and serves only as archives.

Please register over the NEW forum
https://forum.puppylinux.com
and continue your work there. Thank you.

What exactly does Puppy's firewall do?
Moderators: Flash, Ian, JohnMurga
Page 2 of 2 [22 Posts]   Goto page: Previous 1, 2
shroomy_bee


Joined: 28 Jun 2008
Posts: 666

PostPosted: Mon 18 Aug 2008, 07:27    Post subject:  

Using the firewall wizard in 4.00 doesn't seem to save, so you need to run it each bootup.

The iptables do show some changes with no-firewall / firewall on, but the wizard only really lets you block incoming protocols (along with their default ports) - it doesn't deal with IPs and things like ICMP, but you can specify IPs that are allowed to connect & bypass the firewall.

So it's pretty easy to get around. If you're going to run a server of any kind you should use additional security.
Béèm


Joined: 21 Nov 2006
Posts: 11775
Location: Brussels IBM Thinkpad R40, 256MB, 20GB, WiFi ipw2100. Frugal Lin'N'Win

PostPosted: Mon 18 Aug 2008, 07:45    Post subject:  

Ron wrote:
Beem: Good Grief, so this is the petget package manager that I've actually been using! Embarassed

Thanks

Ron
Well, at a certain moment MU's PSI was quite ahead of the package install facility of that time. It was more user friendly.
Development has continued as per the PSI and it is now called the Puppy Package Manager. It retrieves Puppy 2, Puppy 3 and Puppy 4 packages, so it's much more complete now.

_________________
Time savers:
Find packages in a snap and install using Puppy Package Manager (Menu).
Consult Wikka
Use peppyy's puppysearch
Pizzasgood


Joined: 04 May 2005
Posts: 6266
Location: Knoxville, TN, USA

PostPosted: Mon 18 Aug 2008, 18:42    Post subject:  

I don't have any firewall sites bookmarked yet, so I just typed 'linux iptables tutorial' into Google and it came up with this: http://iptables-tutorial.frozentux.net/iptables-tutorial.html
Looks like there's lots of good info in there, but I haven't read it yet.


This is a neat little trick I found a month ago or so in order to prevent people brute-forcing my SSH, which helps show how much more the firewall is capable of. It causes the firewall to count how many times any particular IP attempts to access port 22 (SSH) and refuses to open more than 4 connections per minute per IP. This doesn't necessarily translate to only four tries to get my password correct per minute though, because SSH will allow a number of attempts before killing the connection (I think the default is 3, but it can be adjusted).
Code:
# record every NEW connection to tcp/22 in the 'recent' list, keyed by source IP
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
# -I puts this above the rule before it: DROP when this source already has 4 hits in the last 60 seconds
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP


NOTE: You don't actually need to worry about people brute-forcing your SSH unless you have installed SSHD and turned it on. Puppy doesn't come with it.

I haven't actually gotten around to enabling sshd yet so I haven't bothered picking better numbers. Probably I'll set SSH to only allow one attempt per connection and set the firewall to four connections per fifteen minutes. I'll also set up a script to loosen the restrictions for an arbitrary IP, so if I need to connect more times I can just run that script.



As for .pet vs. dotpup: the short answer is that PET and dotpup packages are equally non-officially-created. Dotpups are the old format, .pet are the new. So in general you would want to grab a .pet version as it is probably a newer version of the program or possibly configured for a newer version of Puppy (sometimes this matters, especially with packages from Puppy 1.xx as things have changed somewhat).

Dotpup was created by the legendary "GuestToo" and was the first formalized format we had - prior to that we just had tarballs. Barry had also been using a tarball format similar to Slackware's .tgz files to build Puppy with and created a system called "Pupget" to download the official Puppy packages (basically just packages he created but didn't include in Puppy). Those ended in .tar.gz just like any other compressed tar archive, so we couldn't have a nice automated installer set up for when we clicked on them, so most people used the dotpup format to distribute their packages.

Eventually Barry enhanced the 'Pupget' format to contain a small bit of information about dependencies, whether to make an uninstall entry, etc. and called this new format .pet, with a .pet extension. This was still a compressed tarball, but had a md5 checksum appended to the end of the file (so trying to simply extract them with 'tar' will work but will spit out an error message unless you use 'pet2tgz' to strip off (and check) the checksum). Now that they had a unique extension we could have them install when clicked, making it more friendly to distribute. This also meant that if people distributed their packages as .pet, they could be used with Unleashed to build new Puppies, with almost no modification. You just need to extract them to the packages directory of the unleashed tree. This was nowhere near as easy to do with dotpups because their format was very flexible, making nearly every package unique (except for those created by MU's dotpup creating wizard, but not in a format that could be directly used by Unleashed). The .pet format is also much more strict than dotpup, making it much easier to extract a package manually, look around, and see exactly what it does. With dotpups there was a (usually) hand-written install script that one would need to analyze to see what it did. With packages created by MU's dotpup creator this was particularly tedious because it outputted a huge mess of files and scripts. It was nice for the user because he had it set up to check if files would be overwritten, register with Pupget/PETget (so it could be uninstalled later), add menu entries (before we had XDG which made that very simple, it involved editing the menu files, and he had it handle three or four different WMs on top of that!), and then install. Theoretically all packages it created were the same, but only if you trust that the packager didn't tamper with the package after the tool finished creating it.

So we mostly moved to PETget.

As for raw capabilities, both of them are equally powerful. It's just that PETget is much better suited for distributing packages (standardized internal layout, automatically takes care of adding an uninstall entry, compatible with Unleashed). Dotpup on the other hand would be a great format for one-click-to-execute compressed applications. Both formats even check their own integrity (though you have to create the .md5 file manually with dotpup, unless you have a script to automate it like I did, or used a fancy tool like the one MU created).

_________________
Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib

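An added example, not code from the thread: a Python model of what the kernel's `recent` match does with the two rules Pizzasgood posted, so the "4 connections per minute per IP" behaviour (and the planned "loosen an arbitrary IP" script, which would map to `--remove`) can be traced without a root shell. It assumes the xt_recent semantics from the kernel source (existing timestamps are counted; `--update` records a stamp only when it matches; `--set` always records one) and uses a constructed source address and timestamps.

```python
from collections import defaultdict

class RecentList:
    """Model of the kernel's 'recent' address list: timestamps per source."""

    def __init__(self):
        self.stamps = defaultdict(list)  # source ip -> timestamps (seconds)

    def set_entry(self, ip, now):
        """-m recent --set: record a timestamp for the source; always matches."""
        self.stamps[ip].append(now)

    def update_matches(self, ip, now, seconds, hitcount):
        """-m recent --update --seconds S --hitcount N: match only if the
        source is listed with >= N timestamps in the last S seconds. A
        matching packet adds its own stamp (a source that keeps trying
        stays blocked); a non-matching packet leaves no trace here."""
        if ip not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[ip] if now - t <= seconds)
        if hits >= hitcount:
            self.stamps[ip].append(now)
            return True
        return False

    def remove(self, ip):
        """-m recent --remove: what a 'loosen this IP' script would do."""
        self.stamps.pop(ip, None)

def ssh_chain(recent, ip, now, seconds=60, hitcount=4, drop_rule_first=True):
    """Verdict for one NEW tcp/22 packet. Both commands use -I, so the
    DROP rule (typed second) ends up above the --set rule (typed first)."""
    if drop_rule_first:
        if recent.update_matches(ip, now, seconds, hitcount):
            return "DROP"
        recent.set_entry(ip, now)
        return "ACCEPT"  # no match: packet continues down the chain
    # Had both rules been appended with -A, --set would run first and the
    # packet's own stamp would count toward the limit (one fewer allowed).
    recent.set_entry(ip, now)
    if recent.update_matches(ip, now, seconds, hitcount):
        return "DROP"
    return "ACCEPT"

def verdicts(times, ip="192.0.2.10", **rule):
    """Verdicts for NEW SSH connections from one constructed source
    address at the given times (seconds since the first attempt)."""
    recent = RecentList()
    return [ssh_chain(recent, ip, t, **rule) for t in times]
```

With the posted `-I` ordering the fifth attempt inside a minute is dropped, and every further attempt refreshes the block until the source stays quiet for 60 seconds; `seconds=900` gives the "four per fifteen minutes" variant mentioned later in the post.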
shroomy_bee


Joined: 28 Jun 2008
Posts: 666

PostPosted: Tue 19 Aug 2008, 07:05    Post subject:  

If you want to be even more secure - don't let SSH through any port number. The numbered ports are only defaults for the protocols, so in most cases you can use any port that is open to send any protocol traffic through.
Ron

Joined: 03 Aug 2008
Posts: 184
Location: Around Seattle

PostPosted: Wed 20 Aug 2008, 22:48    Post subject:  

Hey, thanks for all the good info.

Pizzasgood, your historical on pups & pets was very helpful in understanding it all. Sometimes a good little narrative on a subject like this really helps us newcomers.

I had no idea that the firewall had to be set up every time. Good thing it isn't really important for casual desktop use...

Ron
Pizzasgood


Joined: 04 May 2005
Posts: 6266
Location: Knoxville, TN, USA

PostPosted: Thu 21 Aug 2008, 00:23    Post subject:  

When you install the firewall, Puppy should add a line in /etc/rc.d/rc.local that runs /etc/rc.d/rc.firewall on every boot. /etc/rc.d/rc.firewall is the script that configures the firewall.

I just ran the setup script and it looks like it's installed properly. I'll have to reboot to be certain, but I don't see any reason why it wouldn't start back up.

EDIT: Worked fine on my end... Confused

_________________
Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib

shroomy_bee


Joined: 28 Jun 2008
Posts: 666

PostPosted: Thu 21 Aug 2008, 13:27    Post subject:  

What I'm finding is that the entry in the IP tables for 'trusted - accept - icmp - anywhere' changes from "icmp echo request" to my isp details once the firewall is enabled.

But after a reboot (and possibly a redial - I'll need to check) it goes back to the pre-configured version. If I then enable / install the firewall again from the wizard, it puts my ISP details back in.

(It doesn't make any other changes as far as the 'iptables -L' command shows)

That could be because I'm on dialup of course. It might be configured to deal with DHCP (i.e. dynamic IP changes - for me they change on nearly every connection) only for ethernet.