Author Topic: firewalling on zaurus?  (Read 10100 times)

infinite

  • Newbie
  • *
  • Posts: 11
firewalling on zaurus?
« on: November 07, 2004, 04:46:14 am »
How would I enable iptables [or similar firewall] on the zaurus [with thekompany rom], or is there already a firewall in place? Could anyone point me in the right direction?

Many thanks,
Infinite

loji

  • Full Member
  • ***
  • Posts: 130
firewalling on zaurus?
« Reply #1 on: November 07, 2004, 10:12:19 am »
sure ... here's shorewall and iptables.  Plus how to get it set up
http://cmisip.home.insightbb.com/zaurus.htm
-> pdaXrom beta 3 fixes & feeds
C-1000 + pdaXrom beta3
linksys wifi + expansions

infinite

  • Newbie
  • *
  • Posts: 11
firewalling on zaurus?
« Reply #2 on: November 07, 2004, 11:21:18 pm »
Quote
sure ... here's shorewall and iptables.  Plus how to get it set up
http://cmisip.home.insightbb.com/zaurus.htm
Thanks loji, most appreciated

cvmiller

  • Full Member
  • ***
  • Posts: 242
firewalling on zaurus?
« Reply #3 on: November 08, 2004, 10:03:50 am »
Quote
sure ... here's shorewall and iptables.  Plus how to get it set up
http://cmisip.home.insightbb.com/zaurus.htm
Thanks also for this pointer.

However the links (on this page) to iptables are broken. Do you know where one might get the iptables ipks?

TIA,

Craig...
SL-6000
ROM v1.12 (Sharp)
Belkin F8U1500 IR Keyboard
1 GB SD Card by SanDisk (ext2)

loji

  • Full Member
  • ***
  • Posts: 130
firewalling on zaurus?
« Reply #4 on: November 08, 2004, 02:18:19 pm »
yea .. the link right above the broken one is to killefiz

here's what you need
http://www.killefiz.de/zaurus/search.php?q=iptables&x=0&y=0

I had it all installed for a while, but then I realized I was only connecting for like 5 minutes to check my mail or jump on AIM ... so I didn't really need a firewall. Especially since the way the files are organized on the Z makes it unique enough that most rootkits or trojans wouldn't work.

(and everything that is REALLY important is already read only in ROM)
-> pdaXrom beta 3 fixes & feeds
C-1000 + pdaXrom beta3
linksys wifi + expansions

cvmiller

  • Full Member
  • ***
  • Posts: 242
firewalling on zaurus?
« Reply #5 on: November 09, 2004, 09:02:28 am »
Quote
yea .. the link right above the broken one is to killefiz

here's what you need
http://www.killefiz.de/zaurus/search.php?q=iptables&x=0&y=0

I had it all installed for a while, but then I realized I was only connecting for like 5 minutes to check my mail or jump on AIM ... so I didn't really need a firewall. Especially since the way the files are organized on the Z makes it unique enough that most rootkits or trojans wouldn't work.

(and everything that is REALLY important is already read only in ROM)
Unfortunately, the links on ZSI are broken as well. If anyone knows where to get the iptables ipks I would appreciate it.

Yes, I agree if you are only hopping on the network for a short amount of time, you may be able to get away without the FW. Still I'd like to shut down port 4242 (on which QPE listens for syncing).

Anyone have another way of shutting down QPE from listening to Sync (I never use it anyway, but instead rely on ssh/scp)?

TIA,

Craig...
SL-6000
ROM v1.12 (Sharp)
Belkin F8U1500 IR Keyboard
1 GB SD Card by SanDisk (ext2)

Jcroto1

  • Jr. Member
  • **
  • Posts: 95
SL-5500 - OZ 3.5.2  Opie
SL-6000L - ?
128 mb Viking CF
256 mb Kingston SD
512 mb Sandisk Ultra II SD
Linksys WCF12 Wireless card

cvmiller

  • Full Member
  • ***
  • Posts: 242
firewalling on zaurus?
« Reply #7 on: November 10, 2004, 03:39:42 pm »
Quote
Try these
http://www.8ung.at/mango/iptables_1.2.9_arm.ipk
http://www.8ung.at/mango/iptables-modules_...xa3-embedix.ipk

(Google's so cool)
Thanks!

I tried Google, but had no success. Thanks for the URLs.

I now have iptables installed and configured to block the stuff I can't turn off in qpe (ports 4992 and 4244). And it works great!

I didn't go the full shorewall route, since it seemed a bit of overkill for what I wanted (which was to close down any ports I wasn't using). I feel safer already ;-)

Thanks again,

Craig...
SL-6000
ROM v1.12 (Sharp)
Belkin F8U1500 IR Keyboard
1 GB SD Card by SanDisk (ext2)

pelendur

  • Newbie
  • *
  • Posts: 8
firewalling on zaurus?
« Reply #8 on: November 10, 2004, 04:59:46 pm »
@cvmiller:

You can simply close ports 4992 and 4244 without resorting to iptables by editing /etc/inetd.conf, as indicated by this thread here which will refer you to this FAQ entry here on what to do exactly.  The poor security caused by these types of open ports in the Sharp Qtopia ROMs is an old problem starting with the SL-5000D and SL-5500.

Patrick
SL-6000L (thanks Santa's elves) with Sharp 1.12 ROM
SL-5500 with tkc ROM 1.0 & Pocketworkstation
Ambicom WL1100C Wifi card
Ambicom BT2000E BT card
Lexar 512Mb SD, Viking 256 Mb CF

cvmiller

  • Full Member
  • ***
  • Posts: 242
firewalling on zaurus?
« Reply #9 on: November 10, 2004, 08:29:38 pm »
Thanks Patrick,

I followed the instructions in the FAQ (which is for port 4242), and I see via netstat that the Z is still listening on ports 4992 and 4244, which is expected.

What I didn't expect is that I could still telnet to those ports. I would have expected with /bin/false that I would have been disconnected right away, and I am not. Since I don't run a PC to test whether the sync function has really been overridden by the inetd.conf, I have turned iptables back on.

Call me paranoid, but I really don't want anyone even trying to sync to my Z.

Craig...
SL-6000
ROM v1.12 (Sharp)
Belkin F8U1500 IR Keyboard
1 GB SD Card by SanDisk (ext2)

stupkid

  • Hero Member
  • *****
  • Posts: 578
firewalling on zaurus?
« Reply #10 on: November 10, 2004, 09:02:58 pm »
cvmiller,

Once you have these entries in your inetd.conf:

# Block QPE ports to prevent connections
4242    stream  tcp     nowait  root    /bin/false      false
4244    stream  tcp     nowait  root    /bin/false      false
4992    stream  tcp     nowait  root    /bin/false      false

Reboot your Z.  Now telnetting to any of the above ports will immediately disconnect you.  If inetd dies at some point qpe will start listening on those ports again and you will have to restart inetd and restart Qtopia.

Hope this helps.
« Last Edit: November 10, 2004, 09:03:23 pm by stupkid »

Zaurus SL-C3200 pdaXii13v2 5.5 / Ambicom WC1100C-CF / Socket Bluetooth Rev G


OpenMoko FreeRunner - Running Tweaked OM2008.x Image

cvmiller

  • Full Member
  • ***
  • Posts: 242
firewalling on zaurus?
« Reply #11 on: November 12, 2004, 11:09:52 am »
Quote
cvmiller,

Once you have these entries in your inetd.conf:

# Block QPE ports to prevent connections
4242    stream  tcp     nowait  root    /bin/false      false
4244    stream  tcp     nowait  root    /bin/false      false
4992    stream  tcp     nowait  root    /bin/false      false

Reboot your Z.  Now telnetting to any of the above ports will immediately disconnect you.  If inetd dies at some point qpe will start listening on those ports again and you will have to restart inetd and restart Qtopia.

Hope this helps.
stupkid,

Thanks, that does help. I think I hadn't started inetd and qpe in the correct order.

Using the command "netstat -anp" shows me which process owns which tcp port. It is quite clear that qpe was still owning the ports I wanted to block.

Since I have gone to the trouble of installing and configuring iptables, I think I'll stick with that method for now, since I don't have to worry about whether qpe has grabbed those ports or not. But it is good to know "other" ways of accomplishing this task.

Thanks again,

Craig...
SL-6000
ROM v1.12 (Sharp)
Belkin F8U1500 IR Keyboard
1 GB SD Card by SanDisk (ext2)
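As an added example (not code from anyone in this thread), here is a small POSIX shell audit of the three Qtopia sync ports stupkid and Craig discuss: it reads netstat -anp and inetd.conf text, reports which process owns each port, flags ports that lack a /bin/false entry, and prints the iptables DROP rules for any port qpe still holds. The netstat and inetd.conf samples are constructed, including the sshd line and the PIDs.

```shell
#!/bin/sh
# Added example: audit the Qtopia sync ports. Inputs below are constructed samples so
# the script runs offline; on a Zaurus feed it "$(netstat -anp)" and "$(cat /etc/inetd.conf)".
QPE_PORTS="4242 4244 4992"

# Constructed `netstat -anp` sample: inetd holds 4992, but qpe still holds 4242 and 4244.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address    Foreign Address    State   PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*          LISTEN  312/sshd
tcp        0      0 0.0.0.0:4242     0.0.0.0:*          LISTEN  201/qpe
tcp        0      0 0.0.0.0:4244     0.0.0.0:*          LISTEN  201/qpe
tcp        0      0 0.0.0.0:4992     0.0.0.0:*          LISTEN  150/inetd'

# Constructed /etc/inetd.conf fragment in the format stupkid posted, with 4992 left out.
SAMPLE_INETD='# Block QPE ports to prevent connections
4242    stream  tcp     nowait  root    /bin/false      false
4244    stream  tcp     nowait  root    /bin/false      false'

# $1 = netstat -anp output. Prints "PORT OWNER" for every sync port in LISTEN state.
sync_listeners() {
    printf '%s\n' "$1" | awk -v ports="$QPE_PORTS" '
        BEGIN { n = split(ports, want, " "); for (i = 1; i <= n; i++) p[want[i]] = 1 }
        $1 == "tcp" && $6 == "LISTEN" {
            k = split($4, a, ":"); port = a[k]
            if (port in p) { split($7, b, "/"); print port, b[2] }
        }'
}
# Sync ports still owned by qpe itself, i.e. the inetd override is not in effect.
qpe_ports() {
    sync_listeners "$1" | awk '$2 == "qpe" { printf "%s%s", sep, $1; sep = " " }'
}

# $1 = inetd.conf text. Prints the sync ports lacking a /bin/false entry, space separated.
inetd_missing() {
    missing=""
    for p in $QPE_PORTS; do
        printf '%s\n' "$1" | grep -q "^$p[[:space:]].*/bin/false" \
            || missing="$missing${missing:+ }$p"
    done
    printf '%s\n' "$missing"
}

# Print (do not run) DROP rules for the given ports, the fallback when qpe keeps them.
block_rules() {
    for p in $1; do
        printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$p"
    done
}

echo "Listening sync ports:"; sync_listeners "$SAMPLE_NETSTAT"
echo "Ports without a /bin/false entry: $(inetd_missing "$SAMPLE_INETD")"
echo "Rules for ports qpe still owns:"; block_rules "$(qpe_ports "$SAMPLE_NETSTAT")"
```

The rules are only printed so the audit can be reviewed before anything is applied.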

xjqian

  • Sr. Member
  • ****
  • Posts: 497
firewalling on zaurus?
« Reply #12 on: April 03, 2005, 11:32:51 am »
I'm still interested in Shorewall. However, everywhere I looked seems to point to the broken link. Could anybody who has the package locally post it? TIA
My Blog | 6000L Tosa + sled | is: Angstrom | was: pdaXrom 1.1.0beta1 | was: stock 1.12 rom + no-ffpe fash kernel + X/Qt Debian |
CF GPS (FGPCFCD01) | USB "Prolific 2303" GPS (USB-UG-200) | Socket CF BT rev. H |  USB "Pegasus II" Ethernet (ADM8511) | PocketTop IR kbd | sip:527630@fwd.pulver.com
Todo: OESF wiki | stable VOIP app | usable GPS app |      Wishlist: VOIP + Bluetooth | GPS + Routing Calc

cvmiller

  • Full Member
  • ***
  • Posts: 242
firewalling on zaurus?
« Reply #13 on: April 05, 2005, 10:22:56 am »
Quote
I'm still interested in Shorewall. However, everywhere I looked seems to point to the broken link. Could anybody who has the package locally post it? TIA
Hi Xjqian,

I have a local copy, which I have (temporarily) put on my ISP website. We used to have a Downloads section on the old forum site, but I am not seeing it.

Please find shorewall here:
http://www.storm.ca/~cvmiller/Zaurus/shorewall-1.4.5-1_sharprom_arm.ipk

I hope this helps,

Craig...
SL-6000
ROM v1.12 (Sharp)
Belkin F8U1500 IR Keyboard
1 GB SD Card by SanDisk (ext2)

bluedevils

  • Hero Member
  • *****
  • Posts: 1284
firewalling on zaurus?
« Reply #14 on: April 05, 2005, 11:15:24 am »
403 permissions error on that link
I'm now an iphone user and use my zaurii as serial terminals, perl and shell scripting and when I need 640x480 screens

sl-c3100/pda cacko 1.23 | sl-6000l/needs battery | sl-c760/server pdaxrom rc12 | Former sl-5500/tkcrom owner (sister's birthday gift)