firewall useless for puppy

increa
Posts: 29
Joined: Sat 21 May 2011, 17:24

Firewall blocking what my computer sends.

#166 Post by increa »

miriam wrote:One point I'd like to learn more about is configuring the firewall to deny all programs, except certain ones I trust, access to the net.
Non-Puppy comment: I use free "Zone Alarm" to do this in Windows.

increa
Posts: 29
Joined: Sat 21 May 2011, 17:24

System Threat

#167 Post by increa »

One last thought in this thread for this morning:

It's often not one specific thing (get through my firewall) that creates a threat. Here's an example where individual non-threat pieces built into enough of a threat that I secured my system.

I enabled the Hiawatha web server. Even opened up to respond to all IP addresses (like a honey pot, I was interested who was on the hotel network and would choose to browse into my computer).

Then I enabled the Puppy personal blog. All okay, until I READ the default files served up by the server and the blog. In the blog default post, it gives the password for the "secure" spot account. Well, that file is intended to only be read by the local user at 127.0.0.1. But, by opening my web server up, the blog program now provided that password to everybody.

So, anybody could admin my blog, dump whatever they want there and as a minimum bury my computer in downloaded trash. That will crash any hard drive when it becomes full. Or the database will die first.

So... I went back and turned off the web server. OR, what I could have done is install a firewall so that only packets from within my local network could get to the web server Puppy. In this case, the firewall ~would~ have protected me. That's a pretty tangible example, I think. However, I solved the problem a different way.

However, I still run the Puppy firewall because its overhead is a simple XOR statement against a port or IP number. Takes about a microsecond. I can afford that cost to cover my ~other~ braindead actions such as web serving my own blog post that gives my own password to the world.

Aitch
Posts: 6518
Joined: Wed 04 Apr 2007, 15:57
Location: Chatham, Kent, UK

#168 Post by Aitch »

increa wrote:In the blog default post, it gives the password for the "secure" spot account. Well, that file is intended to only be read by the local user at 127.0.0.1. But, by opening my web server up, the blog program now provided that password to everybody.
I think that should be brought to Barry K's attention somewhat urgently, as a security bug!

Aitch :)

puppyite

#169 Post by puppyite »

About Hiawatha:
I would think that anyone who runs a web server on their local machine would know that it should have a password set before it will start or at least give some warning if a password isn’t set.

I have no experience using the Hiawatha web server in Puppy Linux so I don’t know if it has a default password set up or not. If not then that may be a problem if the user starts it and no warning is given.

SimpleWater
Posts: 94
Joined: Tue 19 Apr 2011, 11:53

#170 Post by SimpleWater »

After doing research, I have found the solution for the flash cookies. There is actually an extension for Firefox called "Betterprivacy" (essential). It is made specially for deleting super cookies and is very easily customizable. If you're worried about JavaScript then there's "noscript" (nonessential). Another Firefox add-on. Something else you can do is go into your about:config and look for dom.storage.enabled and set the value to false.

I also tried to find warning threads about malware. I searched other big distros like Ubuntu forums, and nothing of course. This is Linux, I don't think the word "malware" exists in Linux yet. You might want to include your sources when you make big claims like that, Bernie.

When html5 becomes a standard, then you can ditch flash

Bernie_by_the_Sea
Posts: 328
Joined: Wed 09 Feb 2011, 18:14

#171 Post by Bernie_by_the_Sea »

SimpleWater wrote:I also tried to find warning threads about malware. I searched other big distros like ubuntu forums, and nothing of course. This is linux i don't think the word "malware" exist in linux yet. You might want to include your sources when you make big claims like that bernie.
Exactly what “big
Frugal: Knoppix 6.4.4 DVD
USB: DSL 4.4.10
Full: WinXP Pro
Puppy (Feb. 4 - May 12, 2011) led me back to Linux.

aarf

#172 Post by aarf »

@BbtS have you found any 'bad things' with your specially modified puppy?
i haven't read the whole thread.

Scooby
Posts: 599
Joined: Sat 03 Mar 2012, 09:04

#173 Post by Scooby »

rc.firewall built with default config

I tried to mod rc.firewall to pass shieldsup common ports test
But cannot stealth: 135, 139, 445

I probably could find out how via iptables directly but can it be done
via rc.firewall?


with


########################################
# -- Advanced Configuration Options -- #
########################################

# ** DO NOT ** modify anything below unless you know what you are doing!!
# See online documentation at: http://projectfiles.com/firewall/config.html

DENY_OUTBOUND=""
ALLOW_INBOUND=""
BLACKLIST=""
STATIC_INSIDE_OUTSIDE=""
PORT_FORWARDS=""
PORT_FWD_ALL="yes"
PORT_FWD_ROUTED_NETWORKS="yes"
ADDITIONAL_ROUTED_NETWORKS=""
TRUST_ROUTED_NETWORKS="yes"
SHARED_INTERNAL="yes"
FIREWALL_IP=""
TRUST_LOCAL_EXTERNAL_NETWORKS="no"
DMZ_INTERFACES=""
NAT_EXTERNAL="yes"
ADDITIONAL_NAT_INTERFACES=""
IGNORE_INTERFACES=""
LOGGING="no"
REQUIRE_EXTERNAL_CONFIG="no"

############################################
# -- Advanced Firewall Behavior Options -- #
############################################

# The default settings provide the suggested firewall configuration.

NO_RP_FILTER_INTERFACES=""
INTERNAL_DHCP="yes"
RFC_1122_COMPLIANT="no"
DROP_NEW_WITHOUT_SYN="yes"
DUMP_TCP_ON_INIT="no"
TTL_STEALTH_ROUTER="yes"
LOG_LIMIT="1/minute"
LOG_BURST="5"
LOG_LEVEL="notice"

###########################################################
# -- Nothing below this point should need modification -- #
###########################################################

# Set version information.

VERSION="2.0rc9"

Semme
Posts: 8399
Joined: Sun 07 Aug 2011, 20:07
Location: World_Hub

#174 Post by Semme »

Scoobs.. adjust these two. If no good, inspect your ISP's configuration page.

Hey, and if not there either, you could always take a look through Arno's.
# The default settings provide the suggested firewall configuration.

NO_RP_FILTER_INTERFACES=""
INTERNAL_DHCP="yes"
RFC_1122_COMPLIANT="yes"
DROP_NEW_WITHOUT_SYN="no"
DUMP_TCP_ON_INIT="no"
TTL_STEALTH_ROUTER="no"
LOG_LIMIT="1/minute"
LOG_BURST="5"
LOG_LEVEL="notice"
>>> Living with the immediacy of death helps you sort out your priorities. It helps you live a life less trivial <<<

Scooby
Posts: 599
Joined: Sat 03 Mar 2012, 09:04

#175 Post by Scooby »

with your configuration I get even worse results
see below

What do you mean check ISP?

*edit*
tried arnos with exactly the same result
135, 139, 445 closed and not stealthed?



------------------------------------------------------------------------------------
GRC Port Authority Report created on UTC: 2014-07-24 at 10:32:08

Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
119, 135, 139, 143, 389, 443, 445,
1002, 1024-1030, 1720, 5000

0 Ports Open
13 Ports Closed
13 Ports Stealth
---------------------
26 Ports Tested

NO PORTS were found to be OPEN.

Ports found to be CLOSED were: 135, 139, 445, 1002, 1024, 1025,
1026, 1027, 1028, 1029, 1030,
1720, 5000

Other than what is listed above, all ports are STEALTH.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.
Last edited by Scooby on Thu 24 Jul 2014, 10:58, edited 1 time in total.

Semme
Posts: 8399
Joined: Sun 07 Aug 2011, 20:07
Location: World_Hub

#176 Post by Semme »

Worse is fine, you go back. I think the difference is in your ISP's configuration page.

For me it's http://192.168.1.1/

Don't you have some type of hw between your box and the internet?

445's Samba, no?

Not knowing what iptables might be missing, try here.

Scooby
Posts: 599
Joined: Sat 03 Mar 2012, 09:04

#177 Post by Scooby »

Semme wrote:Worse is fine, you go back.
I like your philosophy
Semme wrote: For me it's http://192.168.1.1/
doesn't respond
Semme wrote: Don't you have some type of hw between your box and the internet?
Nope I have optical fiber connection straight to my wall

will try other stuff, btw with arnos I got the same result

Semme
Posts: 8399
Joined: Sun 07 Aug 2011, 20:07
Location: World_Hub

#178 Post by Semme »

How'd you know you had Arno's loaded?

Have we got Samba in the mix?

Who's your ISP?

Scooby
Posts: 599
Joined: Sat 03 Mar 2012, 09:04

#179 Post by Scooby »

I started arno's from cmd line, had to do some config to make it start.
But then shieldsup show them other ports as stealthed and without arnos
all ports came up closed so I'm pretty sure it ran

I have bredband2 - sweden

I'll check samba page but otherwise still no luck

Scooby
Posts: 599
Joined: Sat 03 Mar 2012, 09:04

#180 Post by Scooby »

I guess you're right, those ports are likely blocked at the ISP level.

Semme
Posts: 8399
Joined: Sun 07 Aug 2011, 20:07
Location: World_Hub

#181 Post by Semme »

Samba.. Do you share a connection with other computers in your household?

Does *htop* show it as running? Otherwise >> ps -aux

For Arno's >> iptables -L

LOTS rtn'd..

==

Now because of translation, it's better you ask your ISP if such a configuration page exists.

Scooby
Posts: 599
Joined: Sat 03 Mar 2012, 09:04

#182 Post by Scooby »

Semme wrote:Samba.. Do you share a connection with other computers in your household?
Nope
Semme wrote: Does *htop* show it as running? Otherwise >> ps -aux
Nope

I tried with a different ISP over wlan with the same config
and now shieldsup showed a different set of ports as closed,
https and ssh, so for sure ISP

I am all right with it now, thanks for your help

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#183 Post by 8Geee »

This older thread seemed to be appropriate, sorry for digging it up.

One of the things I've encountered along the way is the combination of modem/router and ISP before the Firewallstate pup. A recent case occurred for me when ShieldsUp discovered ports 0 and 1 closed rather than stealthed. Of course being two years since last tinkered, I forgot my access PSWD, and had to reset the M/R. So a correct setup reveals that my ISP wants my creds established again. In the meantime I notice that ALL ports are closed except 21, 22, 23, 80, and 443 (stealthed). So my ISP is not a shall we say good neighbor, but does stealth the basic 5 used ports: the other 65530 are closed.

I don't expect too much from M/R manufacturers in terms of help, but I went to mine, and their webpages. Buried in there is the way to stealth "all" ports by using a DMZ and pointing to a particular address. I did this, and not "all" ports were stealthed. It seems 0 and 1 are closed, and the remainder are indeed stealthed according to grc_com. So just a note here that my M/R manufacturer forced me to go on-line with these 65530 ports "closed" to obtain the secret code to get all but two of them stealthed.

That brings me finally to firewallstate in puppy Slacko-5.7 nonpae, and my purpose... Does it stealth ports 1 and 0?
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."
