OESF Portables Forum
Everything Else => General Support and Discussion => Zaurus General Forums => Archived Forums => Security and Networking => Topic started by: infinite on November 07, 2004, 04:46:14 am
-
How would I enable iptables [or similar firewall] on the zaurus [with thekompany rom], or is there already a firewall in place? Could anyone point me in the right direction?
Many thanks,
Infinite
-
sure ... here's shorewall and iptables. Plus how to get it set up
http://cmisip.home.insightbb.com/zaurus.htm (http://cmisip.home.insightbb.com/zaurus.htm)
-
sure ... here's shorewall and iptables. Plus how to get it set up
http://cmisip.home.insightbb.com/zaurus.htm (http://cmisip.home.insightbb.com/zaurus.htm)
Thanks loji, most appreciated
-
sure ... here's shorewall and iptables. Plus how to get it set up
http://cmisip.home.insightbb.com/zaurus.htm (http://cmisip.home.insightbb.com/zaurus.htm)
Thanks also for this pointer.
However the links (on this page) to iptables are broken. Do you know where one might get the iptables ipks?
TIA,
Craig...
-
yea .. the link right above the broken one is to killefiz
here's what you need
http://www.killefiz.de/zaurus/search.php?q=iptables&x=0&y=0 (http://www.killefiz.de/zaurus/search.php?q=iptables&x=0&y=0)
I had it all installed for awhile :: but then I realized I was only connecting for like 5 minutes to check my mail or jump on AIM ... so I didn't really need a firewall. Especially since the way the files are organized on the Z makes it unique enough that most rootkits or trojans wouldn't work.
(and everything that is REALLY important is already read only in ROM)
-
yea .. the link right above the broken one is to killefiz
here's what you need
http://www.killefiz.de/zaurus/search.php?q=iptables&x=0&y=0 (http://www.killefiz.de/zaurus/search.php?q=iptables&x=0&y=0)
I had it all installed for awhile :: but then I realized I was only connecting for like 5 minutes to check my mail or jump on AIM ... so I didn't really need a firewall. Especially since the way the files are organized on the Z makes it unique enough that most rootkits or trojans wouldn't work.
(and everything that is REALLY important is already read only in ROM)
Unfortunately, the links on ZSI are broken as well. If anyone knows where to get the iptables ipks I would appreciate it.
Yes, I agree if you are only hopping on the network for a short amount of time, you may be able to get away without the FW. Still I'd like to shut down port 4242 (which QPE listens on for syncing).
Anyone have another way of shutting down QPE from listening to Sync (I never use it anyway, but instead rely on ssh/scp)?
TIA,
Craig...
-
Try these
http://www.8ung.at/mango/iptables_1.2.9_arm.ipk (http://www.8ung.at/mango/iptables_1.2.9_arm.ipk)
http://www.8ung.at/mango/iptables-modules_...xa3-embedix.ipk (http://www.8ung.at/mango/iptables-modules_2.4.18-rmk7-pxa3-embedix.ipk)
(googles soo cool)
-
Try these
http://www.8ung.at/mango/iptables_1.2.9_arm.ipk (http://www.8ung.at/mango/iptables_1.2.9_arm.ipk)
http://www.8ung.at/mango/iptables-modules_...xa3-embedix.ipk (http://www.8ung.at/mango/iptables-modules_2.4.18-rmk7-pxa3-embedix.ipk)
(googles soo cool)
Thanks!
I tried Google, but had no success. Thanks for the URLs.
I now have iptables installed and configured to block the stuff I can't turn off in qpe (ports 4992 and 4244). And it works great!
I didn't go the full shorewall route, since it seemed a bit of overkill for what I wanted (which was to close down any ports I wasn't using). I feel safer already ;-)
Thanks again,
Craig...
-
@cvmiller:
You can simply close ports 4992 and 4244 without resorting to iptables by editing /etc/inetd.conf, as indicated by this thread here (https://www.oesf.org/forums/index.php?showtopic=7006&hl=port,and,4244) which will refer you to this FAQ entry here (http://www.zaurususergroup.com/FAQ+index-myfaq-yes-id_cat-12.phtml#106) on what to do exactly. The poor security caused by these types of open ports in the Sharp Qtopia ROMs is an old problem starting with the SL-5000D and SL-5500.
Patrick
-
Thanks Patrick,
I followed the instructions in the FAQ (which is for port 4242), and I see via netstat that the Z is still listening on ports 4992 and 4244, which is expected.
What I didn't expect is that I could still telnet to those ports. I would have expected with /bin/false that I would have been disconnected right away, and I am not. Since I don't run a PC to test to see if the sync function has really been overridden by the inetd.conf, I have turned back on iptables.
Call me paranoid, but I really don't want anyone even trying to sync to my Z.
Craig...
-
cvmiller,
Once you have these entries in your inetd.conf:
# Block QPE ports to prevent connections
4242 stream tcp nowait root /bin/false false
4244 stream tcp nowait root /bin/false false
4992 stream tcp nowait root /bin/false false
Reboot your Z. Now telnetting to any of the above ports will immediately disconnect you. If inetd dies at some point qpe will start listening on those ports again and you will have to restart inetd and restart Qtopia.
Hope this helps.
-
cvmiller,
Once you have these entries in your inetd.conf:
# Block QPE ports to prevent connections
4242 stream tcp nowait root /bin/false false
4244 stream tcp nowait root /bin/false false
4992 stream tcp nowait root /bin/false false
Reboot your Z. Now telnetting to any of the above ports will immediately disconnect you. If inetd dies at some point qpe will start listening on those ports again and you will have to restart inetd and restart Qtopia.
Hope this helps.
stupkid,
Thanks, that does help. I think I hadn't started inetd and qpe in the correct order.
Using the command "netstat -anp" shows me which process owns which tcp port. It is quite clear that qpe was still owning the ports I wanted to block.
Since I have gone to the trouble of installing and configuring iptables, I think I'll stick with that method for now, since I don't have to worry about whether qpe has grabbed those ports or not. But it is good to know "other" ways of accomplishing this task.
Thanks again,
Craig...
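An added example (not code from anyone in this thread) of the check cvmiller describes: parse "netstat -anp" output and report which process holds the QPE sync ports, so you can tell whether qpe grabbed them before inetd's /bin/false entries took effect. The netstat sample is constructed here; the column layout is assumed to match the Linux netstat on the Z.

```shell
#!/bin/sh
# Ports the Qtopia sync service listens on (from this thread).
QPE_PORTS="4242 4244 4992"

# Constructed sample of "netstat -anp" output for this example.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      312/sshd
tcp        0      0 0.0.0.0:4242            0.0.0.0:*               LISTEN      207/qpe
tcp        0      0 0.0.0.0:4244            0.0.0.0:*               LISTEN      207/qpe
tcp        0      0 0.0.0.0:4992            0.0.0.0:*               LISTEN      244/inetd'

# Read netstat -anp output on stdin and print "port program" for every
# LISTEN socket on one of the QPE ports. Fields: $4 is the local address
# (host:port), $6 the state, $7 the "PID/Program name" column.
qpe_listeners() {
    awk -v ports="$QPE_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "tcp" && $6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        if (port in want) { split($7, o, "/"); print port, o[2] }
    }'
}

# Succeed (exit 0) if qpe itself still owns any of the ports, i.e. the
# inetd.conf entries did not take over before Qtopia started listening.
qpe_still_owns_ports() {
    qpe_listeners | awk '$2 == "qpe" { found = 1 } END { exit !found }'
}

# On the Z: netstat -anp | qpe_still_owns_ports && echo "restart inetd, then qpe"
```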
-
I'm still interested in Shorewall. However, everywhere I looked seems to point to the broken link. Could anybody who has the package locally post it? TIA
-
I'm still interested in Shorewall. However, everywhere I looked seems to point to the broken link. Could anybody who has the package locally post it? TIA
Hi Xjqian,
I have a local copy, which I have (temporarily) put on my ISP website. We used to have a Downloads section on the old forum site, but I am not seeing it.
Please find shorewall here:
http://www.storm.ca/~cvmiller/Zaurus/shorewall-1.4.5-1_sharprom_arm.ipk
I hope this helps,
Craig...
-
403 permissions error on that link
-
Yup Me Too
-
Anyone know where to obtain the packages ???
-
403 permissions error on that link
Sorry about that, I was on vacation. Just got back, and have changed the permissions.
Should work now.
Craig...
-
Cheers Can access now. Will play when I get home.
-
After quite some time of googling, I finally found the original site with a new address. You can find all the necessary packages here.
http://home.mchsi.com/~cmisip/zaurus.htm#SHW (http://home.mchsi.com/~cmisip/zaurus.htm#SHW)
It is one of my most favourite sites for Z!
-
After quite some time of googling, I finally found the original site with a new address. You can find all the necessary packages here.
http://home.mchsi.com/~cmisip/zaurus.htm#SHW (http://home.mchsi.com/~cmisip/zaurus.htm#SHW)
It is one of my most favourite sites for Z!
I had to repackage shorewall to make it work on the C3000 and also had to build an iptables package with the 2.4.20 kernel files but it all seems to be working now. Have to do a bit more testing. If anyone is interested, it's on my website.
-
That's great! Thanks, Meanie and the wealth of info in your website.
BTW, I got a problem with Shorewall long ago, but seems it was just ignored...
https://www.oesf.org/forums/index.php?showtopic=12253&hl= (https://www.oesf.org/forums/index.php?showtopic=12253&hl=)
Any idea would be greatly appreciated. Thanks!
ZDevil
-
Here's my trivial firewall script on the Z:
iptables -F INPUT
iptables -P INPUT DROP
iptables -I INPUT -m state --state established,related -j ACCEPT
basically, it uses connection tracking to only allow connections which were created by outbound traffic.
-
I just generated an .ipk for the "Snowfence" iptables-based firewall I use on my Zaurus SL-6000. It's quite small and simple, and should work on other Zaurus versions and ROMS as well. Please see
http://alum.wpi.edu/~tfraser/Software/Snowfence (http://alum.wpi.edu/~tfraser/Software/Snowfence)
Version 1.1 contains rules similar to those posted by speculatrix in this thread nearly a year ago, with the exception that it allows bidirectional traffic on the USB interface so you can use the cradle as you normally would. In addition, the .ipk sets up the traditional /etc/rc.d files so the firewall will start and stop properly on reboots. There's no configuration to fool with; just install the ipks and that's it.
I have also mirrored the .ipk's for iptables and iptables-modules posted earlier by Jcroto1, to help keep them available on the Net.