Full Version: firewalling on zaurus?
OESF Forums > General Forums > General Support and Discussion > Security and Networking
infinite
How would I enable iptables [or similar firewall] on the zaurus [with thekompany rom], or is there already a firewall in place? Could anyone point me in the right direction?

Many thanks,
Infinite biggrin.gif
loji
Sure ... here's shorewall and iptables, plus how to get it set up:
http://cmisip.home.insightbb.com/zaurus.htm
infinite
QUOTE(loji @ Nov 7 2004, 03:12 PM)
Sure ... here's shorewall and iptables, plus how to get it set up:
http://cmisip.home.insightbb.com/zaurus.htm

Thanks loji, most appreciated cool.gif
cvmiller
QUOTE(loji @ Nov 7 2004, 07:12 AM)
Sure ... here's shorewall and iptables, plus how to get it set up:
http://cmisip.home.insightbb.com/zaurus.htm

Thanks also for this pointer.

However the links (on this page) to iptables are broken. Do you know where one might get the iptables ipks?

TIA,

Craig...
loji
Yeah .. the link right above the broken one is to Killefiz.

here's what you need
http://www.killefiz.de/zaurus/search.php?q=iptables&x=0&y=0

I had it all installed for a while, but then I realized I was only connecting for like 5 minutes to check my mail or jump on AIM ... so I didn't really need a firewall. Especially since the way the files are organized on the Z makes it unique enough that most rootkits or trojans wouldn't work.

(and everything that is REALLY important is already read only in ROM)
cvmiller
QUOTE(loji @ Nov 8 2004, 11:18 AM)
Yeah .. the link right above the broken one is to Killefiz.

here's what you need
http://www.killefiz.de/zaurus/search.php?q=iptables&x=0&y=0

I had it all installed for a while, but then I realized I was only connecting for like 5 minutes to check my mail or jump on AIM ... so I didn't really need a firewall. Especially since the way the files are organized on the Z makes it unique enough that most rootkits or trojans wouldn't work.

(and everything that is REALLY important is already read only in ROM)

Unfortunately, the links on ZSI are broken as well. If anyone knows where to get the iptables ipks I would appreciate it.

Yes, I agree that if you are only hopping on the network for a short amount of time, you may be able to get away without the FW. Still, I'd like to shut down port 4242 (which QPE listens on for syncing).

Anyone have another way of stopping QPE from listening for Sync (I never use it anyway, but instead rely on ssh/scp)?

TIA,

Craig...
cvmiller
QUOTE(Jcroto1 @ Nov 9 2004, 12:44 PM)

Thanks!

I tried Google, but had no success. Thanks for the URLs.

I now have iptables installed and configured to block the stuff I can't turn off in qpe (ports 4992 and 4244). And it works great!

I didn't go the full shorewall route, since it seemed a bit of overkill for what I wanted (which was to close down any ports I wasn't using). I feel safer already ;-)

Thanks again,

Craig...
pelendur
@cvmiller:

You can simply close ports 4992 and 4244 without resorting to iptables by editing /etc/inetd.conf, as indicated by this thread here, which will refer you to this FAQ entry here on what to do exactly. The poor security caused by these types of open ports in the Sharp Qtopia ROMs is an old problem, starting with the SL-5000D and SL-5500.

Patrick
cvmiller
Thanks Patrick,

I followed the instructions in the FAQ (which is for port 4242), and I see via netstat that the Z is still listening on ports 4992 and 4244, which is expected.

What I didn't expect is that I could still telnet to those ports. I would have expected that with /bin/false I would be disconnected right away, and I am not. Since I don't run a PC to test whether the sync function has really been overridden by the inetd.conf, I have turned iptables back on.

Call me paranoid, but I really don't want anyone even trying to sync to my Z.

Craig...
stupkid
cvmiller,

Once you have these entries in your inetd.conf:

# Block QPE ports to prevent connections
4242 stream tcp nowait root /bin/false false
4244 stream tcp nowait root /bin/false false
4992 stream tcp nowait root /bin/false false

Reboot your Z. Now telnetting to any of the above ports will immediately disconnect you. If inetd dies at some point, qpe will start listening on those ports again and you will have to restart inetd and then restart Qtopia.

Hope this helps.
cvmiller
QUOTE(stupkid @ Nov 10 2004, 06:02 PM)
cvmiller,

Once you have these entries in your inetd.conf:

# Block QPE ports to prevent connections
4242 stream tcp nowait root /bin/false false
4244 stream tcp nowait root /bin/false false
4992 stream tcp nowait root /bin/false false

Reboot your Z. Now telnetting to any of the above ports will immediately disconnect you. If inetd dies at some point, qpe will start listening on those ports again and you will have to restart inetd and then restart Qtopia.

Hope this helps.

stupkid,

Thanks, that does help. I think I hadn't started inetd and qpe in the correct order.

Using the command "netstat -anp" shows me which process owns which tcp port. It is quite clear that qpe was still owning the ports I wanted to block.

Since I have gone to the trouble of installing and configuring iptables, I think I'll stick with that method for now, since I don't have to worry about whether qpe has grabbed those ports or not. But it is good to know "other" ways of accomplishing this task.

Thanks again,

Craig...
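The point stupkid and Craig make above (inetd must own the three ports, and "netstat -anp" is the only way to know whether it does) can be checked mechanically. The script below is an added example, not code from this thread or from any Zaurus ROM: it parses the PID/Program column of netstat output and flags any of 4242, 4244 and 4992 that qpe still holds. The netstat output embedded at the bottom is constructed, not captured from a real device, and the program names it shows (inetd, qpe, dropbear) are assumptions about what the ROM would report.

```shell
#!/bin/sh
# audit_qpe_ports.sh -- added example, not from the thread.
# Reports which process owns the Qtopia sync ports after the inetd.conf change.
# Usage on the Z (as root, so netstat can see PIDs):
#   . ./audit_qpe_ports.sh; audit_qpe_ports "$(netstat -anp)"

QPE_PORTS="4242 4244 4992"

# listener_for PORT NETSTAT_OUTPUT
# Prints the PID/Program column of the LISTEN socket bound to PORT, or "none".
listener_for() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")        # local address is addr:port; port is the last field
            if (a[n] == port) { print $7; found = 1; exit }
        }
        END { if (!found) print "none" }'
}

# classify_port PORT NETSTAT_OUTPUT
#   ok      -> inetd holds the port and will answer with /bin/false
#   exposed -> qpe itself holds the port (inetd died, or started after Qtopia)
#   closed  -> nothing is listening
classify_port() {
    owner=$(listener_for "$1" "$2")
    case "$owner" in
        none)     echo closed ;;
        */inetd)  echo ok ;;
        */qpe)    echo exposed ;;
        *)        echo "other:$owner" ;;
    esac
}

# audit_qpe_ports NETSTAT_OUTPUT
# Prints one line per port; returns 1 if any port is still owned by qpe.
audit_qpe_ports() {
    rc=0
    for p in $QPE_PORTS; do
        status=$(classify_port "$p" "$1")
        echo "port $p: $status"
        [ "$status" = exposed ] && rc=1
    done
    return $rc
}

# Constructed sample of `netstat -anp` output (not captured from a real device):
# inetd has taken 4242 and 4244, but qpe still holds 4992.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      98/dropbear
tcp        0      0 0.0.0.0:4242            0.0.0.0:*               LISTEN      71/inetd
tcp        0      0 0.0.0.0:4244            0.0.0.0:*               LISTEN      71/inetd
tcp        0      0 0.0.0.0:4992            0.0.0.0:*               LISTEN      124/qpe'

audit_qpe_ports "$SAMPLE" || echo "qpe still owns a sync port: restart inetd, then restart Qtopia"
```

Run it after every reboot or after restarting inetd; an "exposed" line means the inetd.conf entries are not in effect for that port and a telnet to it will reach Qtopia's sync handler rather than /bin/false.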
xjqian
I'm still interested in Shorewall. However, everywhere I looked seems to point to the broken link. Could anybody who has the package locally post it? TIA
cvmiller
QUOTE(xjqian @ Apr 3 2005, 07:32 AM)
I'm still interested in Shorewall. However, everywhere I looked seems to point to the broken link. Could anybody who has the package locally post it? TIA

Hi Xjqian,

I have a local copy, which I have (temporarily) put on my ISP website. We used to have a Downloads section on the old forum site, but I am not seeing it.

Please find shorewall here:
http://www.storm.ca/~cvmiller/Zaurus/shore...harprom_arm.ipk

I hope this helps,

Craig...
bluedevils
403 permissions error on that link
craigtyson
Yup Me Too
craigtyson
Anyone know where to obtain the packages ???
cvmiller
QUOTE(bluedevils @ Apr 5 2005, 07:15 AM)
403 permissions error on that link


Sorry about that, I was on vacation. Just got back, and have changed the permissions.

Should work now.

Craig...
craigtyson
Cheers Can access now. Will play when I get home.
ZDevil
After quite some time of googling, I finally found the original site with a new address. You can find all the necessary packages here.

http://home.mchsi.com/~cmisip/zaurus.htm#SHW

It is one of my most favourite sites for Z!
Meanie
QUOTE(ZDevil @ Apr 29 2005, 01:48 AM)
After quite some time of googling, I finally found the original site with a new address.  You can find all the necessary packages here.

http://home.mchsi.com/~cmisip/zaurus.htm#SHW

It is one of my most favourite sites for Z!


I had to repackage shorewall to make it work on the C3000 and also had to build an iptables package with the 2.4.20 kernel files but it all seems to be working now. Have to do a bit more testing. If anyone is interested, it's on my website.
ZDevil
That's great! Thanks, Meanie, and thanks for the wealth of info on your website.

BTW, I got a problem with Shorewall long ago, but it seems it was just ignored...

http://www.oesf.org/forums/index.php?showtopic=12253&hl=

Any idea would be greatly appreciated. Thanks!

ZDevil
speculatrix
Here's my trivial firewall script on the Z:

#!/bin/sh
# Flush the INPUT chain, default to dropping everything inbound,
# then let through only traffic belonging to connections the Z opened itself
iptables -F INPUT
iptables -P INPUT DROP
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Basically, it uses connection tracking to only allow connections which were created by outbound traffic.
tfraser
I just generated an .ipk for the "Snowfence" iptables-based firewall I use on my Zaurus SL-6000. It's quite small and simple, and should work on other Zaurus versions and ROMs as well. Please see

http://alum.wpi.edu/~tfraser/Software/Snowfence

Version 1.1 contains rules similar to those posted by speculatrix in this thread nearly a year ago, with the exception that it allows bidirectional traffic on the USB interface so you can use the cradle as you normally would. In addition, the .ipk sets up the traditional /etc/rc.d files so the firewall will start and stop properly on reboots. There's no configuration to fool with; just install the ipks and that's it.

I have also mirrored the .ipk's for iptables and iptables-modules posted earlier by Jcroto1, to help keep them available on the Net.
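An rc.d-style start/stop script in the spirit of what speculatrix and tfraser describe above: default-drop inbound, allow replies to the Z's own connections, and leave the cradle link open so syncing still works. This is an added example, not Snowfence's own code and not from any ROM. It assumes the USB network interface is named usbd0 (Sharp ROM naming), that iptables is on the PATH, that the ipt_state module from the iptables-modules package loads, and that the script is installed under /etc/rc.d/init.d with the usual S/K symlinks in the runlevel directories.

```shell
#!/bin/sh
# /etc/rc.d/init.d/firewall -- added example, not Snowfence's own code.
# Assumptions: cradle link is usbd0, iptables is on $PATH, ipt_state loads.

USB_IF="${USB_IF:-usbd0}"
IPTABLES="${IPTABLES:-iptables}"

# Rules are generated as text so they can be reviewed ("show") before being
# applied ("start"). Order matters: the ACCEPT rules go in first and the DROP
# policy is set last, so an ssh session used to run this is never cut off.
# With the policy at DROP, the Qtopia ports 4242/4244/4992 are unreachable
# from wlan0/eth0 without having to list them; they stay reachable over usbd0.
rules_start() {
    cat <<EOF
$IPTABLES -F INPUT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $USB_IF -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -P INPUT DROP
EOF
}

# Reverse order on stop: open the policy first, then flush the rules,
# so there is never a moment with a DROP policy and no ACCEPT rules.
rules_stop() {
    cat <<EOF
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
EOF
}

case "${1:-}" in
    start) rules_start | sh -e ;;
    stop)  rules_stop  | sh -e ;;
    show)  rules_start ;;
    *)     echo "usage: $0 {start|stop|show}" ;;
esac
```

Run "firewall show" over ssh first to see exactly what will be applied; "sh -e" in start and stop aborts at the first iptables command that fails (for example, a missing state module), so a half-applied rule set is noticed instead of silently leaving the policy open.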