This is the old SliTaz forum - Please use the main forum.slitaz.org

cooking firewall
  • erniaernia October 2010
    the default firewall.conf sets the INPUT policy to DROP and allows packets from the lo interface and packets from the local network, without any other INPUT accept rule.
    so if you set the interface to ppp+, no INPUT packets are allowed, unless they are spoofed packets claiming to come from the local network.
    this makes your browsing a little bit difficult :-)
    the 3.0 firewall.conf had these rows:
    # Accept input trafic only for connections initialized by user.
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    that makes things work; maybe we could have the rows back?

    @devs
    is it enough to put the problems I find in cooking here, or am I supposed to file bugs in slitaz labs too?
    I ask this because in slitaz labs I rarely see changes and I don't know if bugs are assigned or not.
  • GokhlayehGokhlayeh October 2010
    @ernia : It looks like this row is in cooking too : http://hg.slitaz.org/slitaz-tools/rootfs/etc/firewall.conf
  • erniaernia October 2010
    you are right, but I'm not wrong ;-)
    boot the iso you can find at http://mirror.slitaz.org/iso/cooking/slitaz-cooking.iso, then cat /etc/firewall.conf.
    you can see for yourself that you don't have the "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT" row, nor the default policy for the FORWARD chain.
    now this is part of the receipt of slitaz-tools:
    # Pre install commands.
    pre_install()
    {
        # Install root is passed by tazpkg as the first argument.
        local root
        root=$1
        # Backup files to restore with post install
        echo "Creating backups of configs..."
        cp $root/etc/TZ $root/etc/TZ.bak 2>/dev/null
        cp $root/etc/keymap.conf $root/etc/keymap.conf.bak 2>/dev/null
        cp $root/etc/X11/screen.conf $root/etc/X11/screen.conf.bak 2>/dev/null
        cp $root/etc/locale.conf $root/etc/locale.conf.bak 2>/dev/null
        cp $root/etc/firewall.conf $root/etc/firewall.conf.bak 2>/dev/null
    }

    # Post install
    post_install()
    {
        # Same install root as in pre_install, so the backups are found.
        local root
        root=$1
        echo "Restoring configs backups..."
        mv -f $root/etc/TZ.bak $root/etc/TZ 2>/dev/null
        mv -f $root/etc/keymap.conf.bak $root/etc/keymap.conf 2>/dev/null
        mv -f $root/etc/X11/screen.conf.bak $root/etc/X11/screen.conf 2>/dev/null
        mv -f $root/etc/locale.conf.bak $root/etc/locale.conf 2>/dev/null
        mv -f $root/etc/firewall.conf.bak $root/etc/firewall.conf 2>/dev/null
        # Install boxes package if old slitaz-tools
        if [ -f $root/usr/bin/mountbox ] && [ ! -d /var/lib/tazpkg/installed/slitaz-tools-boxes ]; then
            tazpkg get-install slitaz-tools-boxes
        fi
        # Remove old files
        rm -rf $root/usr/share/slitaz-tools
        rm -rf $root/usr/share/doc/slitaz-tools
    }

    The original firewall.conf is saved and restored, so the problem is that the slitaz-cooking.iso on the mirror does not have a correct firewall.conf.

    Before doing this test with the iso, I checked the md5sums of two other slitaz-cooking.iso files I had downloaded in the past days, and the md5sums were different from the one on the server right now, which is strange because I did not get any error and all of the isos booted correctly.
    md5sums:
    1bb36856d9de7d156ebc323d7689f316 slitaz-cooking.iso 07/10/2010
    2a9dfb43bbec26661a4d0cfb461544a8 slitaz-cooking.iso 18/10/2010
    e1d8b5169d8da0c7d867a8e2ee1f895b slitaz-cooking.iso 21/10/2010 (which would be the right one)
    is it ok for you? are my downloads wrong, or does the image on the server keep changing? if my downloads are wrong, I cannot exclude that my problems with xorg and the pppd scripts' umask are due to these md5sum conflicts.
    thanks for your answer

  • GokhlayehGokhlayeh October 2010
    @ernia :
    In fact I use a home-made cooking iso, with my own firewall.conf. The default iptables rules in SliTaz keep some ports open to input connections (not only answers to output connections). It avoids connection problems when using some server tools on SliTaz (http/ftp/ssh/ping and so on). Having the ping and http ports open for input seems to me to be a security hole, so my iptables_rules are:
    iptables_rules()
    {
        # Drop all input connections.
        iptables -P INPUT DROP

        # Drop all output connections.
        iptables -P OUTPUT DROP

        # Drop all forward connections.
        iptables -P FORWARD DROP

        # Accept input on localhost (127.0.0.1).
        iptables -A INPUT -i lo -j ACCEPT

        # Accept input on the local network (192.168.0.0/24).
        iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT

        # Accept nearly all output traffic.
        iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

        # Accept input traffic only for connections initiated by the user.
        iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    }


    It's why I missed this issue. About md5sum, I think that isos are rebuilt each time a package they contain is changed.

    There's something I don't understand: where does the other firewall.conf come from, the one which is backed up and then overwrites the default one? Isos are built in a clean directory with nothing installed.

    Waiting for a fix, I suggest you build your own iso, with a firewall.conf in addfiles.
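A check for the two omissions discussed in this thread (the missing RELATED,ESTABLISHED accept rule on INPUT and the missing FORWARD default policy), written as an added example for this page; it is not part of the forum posts or of slitaz-tools. It lints the text of a rule set rather than the live netfilter tables, so it can run on a firewall.conf extracted from an ISO before booting it; both sample rule sets are constructed from the rows quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the forum thread or the slitaz-tools package):
# lint an iptables rule set, as written in firewall.conf, for the two
# omissions the thread describes. Returns 0 when consistent, 1 otherwise.
#   1. INPUT policy DROP without an INPUT rule accepting RELATED,ESTABLISHED
#      drops the replies to the machine's own connections (the "no browsing
#      over ppp+" symptom), since only lo and the LAN are whitelisted.
#   2. No explicit FORWARD policy leaves the kernel default (ACCEPT).
check_firewall_rules() {
    rules=$1
    status=0
    if printf '%s\n' "$rules" | grep -Eq 'iptables +-P +INPUT +DROP'; then
        if ! printf '%s\n' "$rules" | grep -E 'iptables +-A +INPUT ' \
                | grep -E -e '--state +[A-Z,]*ESTABLISHED' \
                | grep -Eq -e '-j +ACCEPT'; then
            echo "INPUT drops by default but no rule accepts RELATED,ESTABLISHED" >&2
            status=1
        fi
    fi
    if ! printf '%s\n' "$rules" | grep -Eq 'iptables +-P +FORWARD +(DROP|ACCEPT)'; then
        echo "FORWARD chain has no explicit default policy" >&2
        status=1
    fi
    return $status
}

# Constructed sample: what the thread reports in the cooking ISO
# (INPUT DROP, lo and LAN accepted, no stateful rule, no FORWARD policy).
BROKEN_RULES='iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT'

# Constructed sample: the rule set posted above, which carries both rows.
FIXED_RULES='iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'

if check_firewall_rules "$BROKEN_RULES"; then echo "broken set: ok"; else echo "broken set: FAIL"; fi
if check_firewall_rules "$FIXED_RULES"; then echo "fixed set: ok"; else echo "fixed set: FAIL"; fi
```

Run it against the iptables_rules body of a firewall.conf (for example `sed -n '/iptables_rules()/,/^}/p' /etc/firewall.conf`) to catch the regression without booting the image.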
  • erniaernia October 2010
    Thanks, I will practice with tazlito in the next days :-)

    But if isos are rebuilt when a package is changed, how can it be possible that the iso's kernel is 2.6.30.6 ?
  • GokhlayehGokhlayeh October 2010
    @ernia : That's absolutely right, this is very strange. In fact I'm wrong, slitaz-cooking.iso shouldn't have changed since 14 March. I just downloaded the last iso; can you upload the two older ones using http://dump.no/ and send me the links please ? I want to search for where the differences are.
  • erniaernia October 2010
    me dumb, I must have done "isohybrid slitaz-cooking.iso" somewhere, because the content of the different isos seems to be identical.
    root@sl3:/home/fabio# mount slitaz-cooking.iso /media/iso1
    root@sl3:/home/fabio# mount Downloads/slitaz-cooking.iso /media/iso2
    root@sl3:/home/fabio# mount Downloads/provamd5sum/slitaz-cooking.iso /media/iso3
    root@sl3:/home/fabio# md5sum /media/iso1/*
    f696018bce9be2bdf9f93f910eeba926 /media/iso1/index.html
    cd14e6c45e9f91b3047b3debce9e9b6a /media/iso1/md5sum
    d1fb41c783bddb6d2107ea9453c387f9 /media/iso1/README
    4a57d4663e381c47e869e12b236c395e /media/iso1/style.css
    root@sl3:/home/fabio# md5sum /media/iso2/*
    f696018bce9be2bdf9f93f910eeba926 /media/iso2/index.html
    cd14e6c45e9f91b3047b3debce9e9b6a /media/iso2/md5sum
    d1fb41c783bddb6d2107ea9453c387f9 /media/iso2/README
    4a57d4663e381c47e869e12b236c395e /media/iso2/style.css
    root@sl3:/home/fabio# md5sum /media/iso3/*
    f696018bce9be2bdf9f93f910eeba926 /media/iso3/index.html
    cd14e6c45e9f91b3047b3debce9e9b6a /media/iso3/md5sum
    d1fb41c783bddb6d2107ea9453c387f9 /media/iso3/README
    4a57d4663e381c47e869e12b236c395e /media/iso3/style.css
    root@sl3:/home/fabio# md5sum /media/iso1/
    boot/ images/ index.html md5sum README style.css
    root@sl3:/home/fabio# md5sum /media/iso1/boot/
    bzImage gpxe grub/ isolinux/ rootfs.gz vmlinuz-2.6.30.6-slitaz
    root@sl3:/home/fabio# md5sum /media/iso1/boot/rootfs.gz
    eb60c93013edbf9cfa4393b99e2df437 /media/iso1/boot/rootfs.gz
    root@sl3:/home/fabio# md5sum /media/iso2/boot/rootfs.gz
    eb60c93013edbf9cfa4393b99e2df437 /media/iso2/boot/rootfs.gz
    root@sl3:/home/fabio# md5sum /media/iso3/boot/rootfs.gz
    eb60c93013edbf9cfa4393b99e2df437 /media/iso3/boot/rootfs.gz
    root@sl3:/home/fabio# md5sum /media/iso1/boot/bzImage
    855c107812cedef0d5ed6251d5e46bb8 /media/iso1/boot/bzImage
    root@sl3:/home/fabio# md5sum /media/iso2/boot/bzImage
    855c107812cedef0d5ed6251d5e46bb8 /media/iso2/boot/bzImage
    root@sl3:/home/fabio# md5sum /media/iso3/boot/bzImage
    855c107812cedef0d5ed6251d5e46bb8 /media/iso3/boot/bzImage
    root@sl3:/home/fabio# md5sum /media/iso1/boot/vmlinuz-2.6.30.6-slitaz
    855c107812cedef0d5ed6251d5e46bb8 /media/iso1/boot/vmlinuz-2.6.30.6-slitaz
    root@sl3:/home/fabio# md5sum /media/iso2/boot/vmlinuz-2.6.30.6-slitaz
    855c107812cedef0d5ed6251d5e46bb8 /media/iso2/boot/vmlinuz-2.6.30.6-slitaz
    root@sl3:/home/fabio# md5sum /media/iso3/boot/vmlinuz-2.6.30.6-slitaz
    855c107812cedef0d5ed6251d5e46bb8 /media/iso3/boot/vmlinuz-2.6.30.6-slitaz

    I've uploaded to a different server because dump.no seems to assign the same link to files with the same name.
    these are the links, but I think that the fault is mine, sorry about that:
    http://hotfile.com/dl/77575485/32cf5d8/slitaz-cooking.iso.html
    http://hotfile.com/dl/77578053/3386172/slitaz-cooking.iso.html
