[ale] Portsentry and IPTables

Joseph A. Knapka jknapka at earthlink.net
Mon Aug 6 15:02:43 EDT 2001


djinn wrote:
> 
> Twofold question:
> 
> 1) If I have hardened my system with Bastille and am running its
> firewall, and have also written custom rules that say
> iptables -A custom-ruleset <<lots of custom rules here>>
> iptables -A INPUT -j custom-ruleset
> iptables -A FORWARD -j custom-ruleset
> 
> and I load the custom ruleset after starting up Bastille's rules, am I
> correct in thinking that those last two lines of my ruleset totally
> negate anything Bastille is doing??  It seems to me that since I load
> all these rules and then tell iptables to take any INPUT and look in the
> custom ruleset, it would negate any of Bastille's INPUT rules...

Except that you're "A"ppending your rules to the INPUT and FORWARD
chains, so any rules that are already there will still be used, and
your rules will be used only if the pre-existing ones can't figure
out what to do with a packet.
 
> 2) If I am running PortSentry on this same machine and I want it to
> alert me if I'm being scanned (testing purposes only), but I'm blocking
> all ports except 80 with my firewall, will PortSentry never alert me
> because it never sees the scans??  I've tried running nmap against this
> machine, and since I'm blocking pings it doesn't return anything, but it
> *should* go from port 1-1024 trying and PortSentry *should* scream and
> holler about it...but all's quiet in the logs...

I'm pretty sure that if you've got firewall rules that deny packets,
the firewall code throws them away as soon as it sees them, and nothing
else will ever notice them at all. That would certainly explain the
behavior you're seeing.

HTH,

-- Joe Knapka
"You know how many remote castles there are along the gorges? You
 can't MOVE for remote castles!" -- Lu Tze re. Uberwald
// Linux MM Documentation in progress:
// http://home.earthlink.net/~jknapka/linux-mm/vmoutline.html
2nd Lbl A + 1 = 2nd Pause 2nd Prt GTO 2 R/S
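To make Joe's two points concrete, here is a small Python model of how netfilter walks a built-in chain and a user-defined chain (an added example, not code from this list, from Bastille or from PortSentry; the two "Bastille" rules, allow port 80 then drop everything else, are constructed assumptions). It shows that an appended `-j custom-ruleset` is consulted only after the rules already in INPUT, and that a packet dropped there never reaches a listening socket, which is why PortSentry has nothing to log.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Rule:
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port
    target: str = "ACCEPT"        # ACCEPT, DROP, RETURN or a user chain name

class Firewall:
    def __init__(self) -> None:
        self.chains: Dict[str, List[Rule]] = {"INPUT": [], "FORWARD": []}
        self.policy = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT"}
        self.trace: List[str] = []  # rules consulted for the last packet

    def new_chain(self, name: str) -> None:           # iptables -N name
        self.chains[name] = []
    def append(self, chain: str, rule: Rule) -> None:  # iptables -A chain ...
        self.chains[chain].append(rule)
    def insert(self, chain: str, rule: Rule) -> None:  # iptables -I chain ...
        self.chains[chain].insert(0, rule)

    def _walk(self, chain: str, pkt: Tuple[str, int]) -> str:
        proto, dport = pkt
        for i, r in enumerate(self.chains[chain], 1):
            if r.proto in (None, proto) and r.dport in (None, dport):
                self.trace.append(f"{chain}:{i}->{r.target}")
                if r.target not in self.chains:
                    return r.target                   # terminating verdict
                v = self._walk(r.target, pkt)         # jump into user chain
                if v != "RETURN":
                    return v
        return "RETURN"  # fell off the end: back to caller (or chain policy)

    def verdict(self, chain: str, pkt: Tuple[str, int]) -> str:
        self.trace = []
        v = self._walk(chain, pkt)
        return self.policy[chain] if v == "RETURN" else v

def build(jump_with: str = "append") -> Firewall:
    fw = Firewall()
    fw.append("INPUT", Rule("tcp", 80, "ACCEPT"))   # assumed Bastille rules
    fw.append("INPUT", Rule(target="DROP"))           # (constructed), loaded first
    fw.new_chain("custom-ruleset")
    fw.append("custom-ruleset", Rule("tcp", 22, "ACCEPT"))
    getattr(fw, jump_with)("INPUT", Rule(target="custom-ruleset"))
    return fw

def reaches_listener(fw: Firewall, pkt: Tuple[str, int]) -> bool:
    # only ACCEPTed packets reach a socket, so only these could wake PortSentry
    return fw.verdict("INPUT", pkt) == "ACCEPT"
```

Building the same ruleset with `build("insert")` models `iptables -I`, which puts the jump at the top of INPUT; that is the ordering the question feared from `-A`, and the trace shows the difference.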