A Firewall Script—Day 44
© Copyright Darrell Anderson.

I successfully installed a firewall script! I did nothing spectacular on my own. I ran across a blurb about a web site that generates basic IPTables scripts based upon a handful of configuration options. The web site is http://easyfwgen.morizot.net/gen/. As I am running a single box with no gateway and I use a modem, I had little to do other than change the network device to ppp0 and generate the script. Could this process be so easy? I was hopeful but skeptical.

I happened to be running in NT4 at that time, so I copied the script to my hard drive. Later, while in Slackware, I copied the text file to my existing rc.firewall script, which contained only a couple of commands not related directly to IPTables. I opened Konsole and manually started rc.firewall. Nothing but error messages that the script could not find /sbin/iptables. Hmm. I performed a locate iptables. In Slackware the file is located in /usr/sbin. I opened the new rc.firewall script in Kate and immediately searched for /sbin/iptables. Aha! Early in the script is a variable assignment that one must manually configure to the correct location. Easy!

I then looked through the script. I added a few echo screen messages because I like that kind of thing in case I have to troubleshoot. I then also noticed that some of my previous /proc/sys/net/ipv4 configurations were also part of the new script. So I deleted the duplications, saved the document, and again ran the script from the command line. Everything seemed okay, and I had some nice screen messages too. Excellent!

I then toggled to a different login and started KDE as a mortal user. I dialed out and headed to www.grc.com. Whoa! All ports were stealth! I then ran the longer test and had the same result. Then I jogged over to www.pcflank.com and performed their tests. Silence and stealth everywhere. Woohoo!

I do not want to raise the never-ending discussion about closed vs. stealth ports. I am aware of the discussion, having been exposed to those arguments long ago when I started using a software firewall in NT4. I realize that “stealth” is more of a marketing slogan to sell firewalls than anything meaningful. I know that if I access a web site with my browser, I am no longer stealth. I know that the script kiddies often test entire blocks of IP addresses. If a box does not exist at an IP address, they receive a different message than if the IP address is occupied. Thus, they know something is there even if there is no response. Stealth only means that they cannot “see” me. That might arouse their curiosity and might not—who knows. Nonetheless, a closed port is a closed port. “Stealth” does possess a certain attraction, but closed is closed. Enough said.

Regardless, I now have a nice firewall script in place, and if later I decide to install a gateway box, I know where to go to generate a new script. Although I was already connecting to the web safely with all of my ports closed and running no services, I am not about to ridicule that the firewall script provides me an additional, if only slim, margin of comfort. The half-smart script kiddies know my box is there, but like a science fiction story, my box is “cloaked.” Perhaps “cloaked” is a better expression than the marketing term “stealth.” Doesn’t matter really—I’m happy! Finis.
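The rc.firewall the post describes has three pieces worth seeing in one place: the iptables path variable that had to be corrected for Slackware, the /proc/sys/net/ipv4 settings that were duplicated between scripts, and the single decision behind the closed-versus-stealth debate, which in iptables terms is simply whether unsolicited packets are answered with REJECT (closed) or silently dropped with DROP (stealth). The script below is an added example written for this page; it is neither the easyfwgen output nor the author's rc.firewall. It assumes a single host with no gateway, a dial-up interface named ppp0, no listening services, and the Slackware path /usr/sbin/iptables; the variable names IPTABLES, EXT_IF, UNSOLICITED and DRY_RUN, and the helper functions, are my own.

```shell
#!/bin/sh
# Added example of a single-host rc.firewall, not the generated script from the
# post. Assumptions: one box, no gateway, dial-up on ppp0, no services offered.

# The first thing to check after pasting a generated script: the path to the
# iptables binary. Slackware keeps it in /usr/sbin, many distributions in /sbin.
IPTABLES=${IPTABLES:-/usr/sbin/iptables}
EXT_IF=${EXT_IF:-ppp0}
# How unsolicited inbound packets are answered (the closed vs. stealth choice):
#   DROP   = no reply at all ("stealth", "cloaked")
#   REJECT = explicit TCP reset / ICMP port unreachable ("closed")
UNSOLICITED=${UNSOLICITED:-DROP}
# DRY_RUN=1 prints the commands instead of applying them, so the script can be
# reviewed without root. "sh rc.firewall apply" loads the rules for real.
DRY_RUN=${DRY_RUN:-1}

# run: apply a command, or echo it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# setproc: write a value to a /proc/sys knob (echoed in dry-run mode)
setproc() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo $2 > $1"
    else
        echo "$2" > "$1"
    fi
}

# kernel_hardening: the /proc/sys/net/ipv4 settings generated scripts usually
# carry. Keep them here only, not also in another rc script, so they are set
# exactly once (the duplication the post removed).
kernel_hardening() {
    setproc /proc/sys/net/ipv4/conf/all/rp_filter 1            # reverse-path filtering
    setproc /proc/sys/net/ipv4/conf/all/accept_source_route 0  # refuse source routing
    setproc /proc/sys/net/ipv4/conf/all/accept_redirects 0     # ignore ICMP redirects
    setproc /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1   # no smurf amplification
    setproc /proc/sys/net/ipv4/tcp_syncookies 1                # SYN flood resistance
    setproc /proc/sys/net/ipv4/ip_forward 0                    # single host, no gateway
}

# firewall_rules: flush, default-deny inbound, allow loopback and replies to
# connections this box opened, then answer everything else per $UNSOLICITED.
firewall_rules() {
    echo "Loading firewall rules: $IPTABLES on $EXT_IF, unsolicited -> $UNSOLICITED"
    run "$IPTABLES" -F
    run "$IPTABLES" -X
    run "$IPTABLES" -P INPUT DROP
    run "$IPTABLES" -P FORWARD DROP
    run "$IPTABLES" -P OUTPUT ACCEPT
    # loopback is always fine
    run "$IPTABLES" -A INPUT -i lo -j ACCEPT
    # replies to connections we opened. This is why browsing a site ends the
    # "stealth": the reply traffic is accepted, so the remote end knows we exist.
    run "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # out-of-state or malformed packets never get an answer, whatever the policy
    run "$IPTABLES" -A INPUT -i "$EXT_IF" -m state --state INVALID -j DROP
    if [ "$UNSOLICITED" = REJECT ]; then
        # "closed": a scanner sees RST for TCP and port-unreachable for the rest
        run "$IPTABLES" -A INPUT -i "$EXT_IF" -p tcp -j REJECT --reject-with tcp-reset
        run "$IPTABLES" -A INPUT -i "$EXT_IF" -j REJECT --reject-with icmp-port-unreachable
    else
        # "stealth": a scanner's probes time out, including ping
        run "$IPTABLES" -A INPUT -i "$EXT_IF" -j DROP
    fi
}

if [ "${1:-}" = apply ]; then
    DRY_RUN=0
fi
kernel_hardening
firewall_rules
```

Run it without arguments to print the commands it would issue, or as root with `apply` to load them; `iptables -L -n -v` afterwards shows the chains and packet counters. Switching UNSOLICITED between DROP and REJECT changes only the last rules, which is the whole technical content of the stealth debate: both leave every port unreachable, and the conntrack ACCEPT line means neither setting hides a box that is actively browsing.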