automatic dsl firewall
Forum: DSL Tips and Tricks
Topic: automatic dsl firewall
started by: tuxmachine
Posted by tuxmachine on June 05 2006,17:05Hi at all.
Damn Small Linux have a program called r.c.firewall in the mydsl menu,in the Net subsection.
Is a powerful and very robust firewall,but by default is needed you launch this program every day or however every pc reboot.
To make automatically the start of this firewall,open the .xinitrc with beaver and add "start_firewall".
In this mode,the firewall starting automatically when pc is start,when open fluxbox,for highest and continuos protection of your pc.
The default firewall shell is aterm and when fluxbox is starting,display the firewall program with bad color,because is transparent.
To resolve this beauty problem,go to the /usr/bin directory and open the file "start_firewall" with beaver.
The default configuration is:
"rxvt -rv -T "rc.firewall" -e sudo /etc/init.d/rc.firewall"
delete "-rv" and replace with "+tr".
Save it and close beaver.
Now the firewall shell is black with white characters,good and beautiful color for this program.
Goodbye and good dsl at all.
Excuse-me for bad english but i'm italian!
Posted by kerry on June 06 2006,00:22WHAT ! A FIREWALL, WE DON'T NEED NO STINK'IN WALL!
(Just joken of course . I just could'nt resist)
I haven't used virus protection or a firewall since i begin useing linux a year or so ago.
Posted by jls legalize on June 06 2006,00:44modifica il .dsl e invialo a extensions at damnsmalllinux.org
Posted by tuxmachine on June 06 2006,17:30
ciao...come faccio a modificare il file rcfirewall.dsl?
ho provato ad aprirlo con beaver ma non vedo niente,scusami ma non sono esperto di queste cose.
ciao a presto.
Posted by flatcat on June 06 2006,21:48I like your suggestion but you normally cannot edit /usr/bin especially if its on a cd.
I'm sure you can without having to remaster. Can someone suggest a way around this?
Posted by kerry on June 07 2006,01:04If your running live cd, security is already tight as no one can modify it.aka: you don't need a firewall.
Posted by AwPhuch on June 07 2006,03:15
They may not be able to modify it on the CD, but what is running..if it stays running and is corrupted, yes...it can happen, and yes a quick reboot will fix it, unless that person nailing you knows what he is doing and then its a pre-coded exploit...simple script breaks in...changes your running LiveCD on the fly and as long as it stays running the hack stays running (get the picture)
I really would recommend any/all linux have a stateful packet firewall like rc.firewall...incredibly simple and powerful at startup...and with a simple command you can turn it off..or edit the config and turn rc.firewall into a router, with DMZ and tons of other stuff (yes its that powerful too!)
Posted by kerry on June 07 2006,05:33Wow, i didn't know that. I thought i was pretty safe running in ram. I run wireless, the dsl modem and wireless router have built in firewall and i use a wep key. I connect to my wireless useing a us robtics ethernet gaming brige that plugs into my ethernet connection. I know when i used windows some firewalls slowed down the connection, is there any loss in speed with rc.firewall? I try and keep my system as simple as i can and not add to many things that might bring vonabilties.
Posted by meo on June 07 2006,10:36Hi tuxmachine!
Thanks a lot for the tip. I have experienced attacks and I've been wondering what to do about it. Now I've fixed it with your help. Thanks again!!
Keep on having fun with DSL,
Posted by doobit on June 07 2006,14:29Why can't somebody come up with a firewall that sends a virus back to the hacker and destroys his file system. That would be cool.
Posted by flatcat on June 07 2006,15:06It would be great to be able to "return the favour" to a hacker but imagine if you got the wrong person. You would end up causing more problems.
Plus if its a bot they might not even know their machine is compromised.
Posted by ZoOp on June 07 2006,16:16damn, I was sure to be secure running dsl toram...
I have a question: is it possible to forward ports in order to use some services from behind a router with rc. firewall without re-doing the wheel?
I run DSL toram and I didn't experience any attacks until now; I know to be in a network full of viruses, so your suggestions would help me a lot.
Posted by tuxmachine on June 07 2006,17:30hi Meo,hi at all.
to modify the file /usr/bin/start_firewall is needed you have root privileges,enter in the root account and modify it.
the livecd users dont needed a firewall.
this tips is only for the people with dsl installed on hard disk.
for any questions,i read the forum everyday.
good days and have a lot of fun forever at all.
Posted by KerowynM on June 09 2006,03:04Not to be a fly in the ointment, but just because the root fs is ro, doesn't mean my data is safe from attackers/virus. Data is rw and more valuable (ie irreplaceable) then the system anyway. just because the system is safe doesn't mean you are.
Posted by flatcat on June 09 2006,10:50I still believe you need a firewall even if running from a CD. I leave my box unattended for long periods so I want it to be as secure as possible.
I don't think its paranoia - if it is there and easy to use - why not?
Posted by jls legalize on June 09 2006,12:46a .dsl is just a .tar.gz, so u can rename with emelfm, unpack it, modify, repack and rename again.
Legalize cannabis, ecc.
Posted by humpty on June 09 2006,15:33if it's just a one line script, why not just copy the whole line into
.xinitrc ? then you don't need start_firewall.
rxvt +tr -T "rc.firewall" -e sudo /etc/init.d/rc.firewall &
Posted by Thulemanden on June 09 2006,23:51The producers of routers for adsl states there is a built-in firewall function. Wouldn't that be enough?
Posted by tuxmachine on June 10 2006,22:11
hy Humpty,thanks for your tips,is the best solutions add the line script directly in the .xinitrc thanks thanks
hy Thulemanden: in italy most people does not have adsl routers,i have ethernet modem without built-in firewall protection.
however,most peple have routers web page with default password (admin admin) and the web page is acessible from the internet (type the ip address)
the r.c. firewall is a safety protection.
bye and good dsl.
Posted by ZoOp on June 13 2006,14:58Hi,
I was totally new to rc.firewall and had to search a lot a solution in order to shut it down and bring it up without rebooting my machine. So, the solution:
start the rc.firewall once loaded (open a shell as root):
stop the rc.firewall (open a shell as root):
I hope it can help.
Posted by jpeters on June 23 2006,06:57Thanks for the tip. ZoOp. I just wrote the path into a script, so I can turn it on and of with "bash start_firewall" or "bash stop_firewall". Have you found some conflict where you needed to turn it off?
Posted by ZoOp on June 23 2006,11:39none conflict found, but I just didn't want to have it all time on because I want to keep my access to my betaftpd.
Posted by brianw on June 27 2006,22:14If you want the firewall to start automatically when the system starts up you can add symbolic link in the correct rc?.d directory (i.e. in /etc/rc2.d add a sym link ln -s /etc/init.d/rc.firewall S99firewall). This will call /etc/init.d/rc.firewall start automatically, the 99 in the filename is used because the init starts at 0 and goes through starting each one in order using number first then alphabetical for each one with the same number. You can also add a kill symlink in other directories if you wish (i.e. in rc6.d you would have K03firewall) to send the stop command (again the 03 is used because you usually want the last things started to stop first).
Posted by Gerro on July 27 2006,19:56I haven't used a firewall ever even on windows. You just have to make sure there isn't some F'ed up gaping security hole program starting up when you run your system. And don't run anything with potential security problems. Still have problem with certain minor malware so I use scanners and you could try using wget, netcat, telnet to download webpages thereby preventing any sort of funky html plugin hacks. Firewalls are mainly for servers or people whom know what they're doing.
Posted by muskrat on Aug. 12 2006,01:23Correct me if I'm mistaken, but isn't these firewall packages in linux just a script to harden the iptables a little more?
Meaning that all linux systems do/should have iptables. So even without these firewall packages, you still have a generic set of iptables.
Posted by dougp on Aug. 04 2007,18:02Good stuff on using rc.firewall at its homepage: http://www.256bit.org/rc.firewall.shtml
> ./rc.firewall start # to start the firewall
> ./rc.firewall stop # to stop the firewall
Verify that everything works :-)
Integrate the script in the sys-v scheme with creating the following links:
> ln -s /etc/rc.firewall /etc/rc.d/init.d/rc.firewall
> ln -s /etc/rc.firewall /etc/rc.d /rc3.d/S<ordernumber> # Starting the script in runlevel 3
> ln -s /etc/rc.firewall /etc/rc.d /rc3.d/K<ordernumber> # Stopping the script in runlevel 3
brianw suggested using 99 (start) and 03 (stop) for the <ordernumber> refered to in the script.
If one wants to use the one line startup suggested by humpty, just where in .xinitrc does one put it? Just before DHCP broadcast starts or after window manager is invoked, since it uses a terminal for startup feedback?
Posted by ^thehatsrule^ on Aug. 04 2007,20:03It would have to before the window manager process takes over. Not sure about it relying on dhcp, but it probably doesn't.
Technically though, you should reserve .xinitrc for X user-related things only.
Posted by dougp on Aug. 04 2007,21:41Thanks, hats. I was thinking its best to start the firewall before the DHCP 'cause that's what initiaties the Internet connection, right? So you want your firewall up & running <i>before</i> that connection is made, yes? But with the frugal install one can't change the boot parameters, so maybe the only way to get the firewall to start automagically on boot is to do it in .xinitrc with humpty's script. That leaves a short gap between connection to the 'net & firewall start, but that wouldn't be critical, would it?
Posted by ^thehatsrule^ on Aug. 04 2007,23:33Well, there's other ones such as bootlocal.sh... it's executed by root and is run only once -- unlike xinitrc
Hm yea, you'd probably have to edit linuxrc if you're a frugal if you wanted it before startup dhcp broadcast (probably there's an easier way with a debian-style hd-install though). But an easier way may be to not set your net up at all (i.e. nodhcp), then manually load the firewall then connect.
Posted by lucky13 on Aug. 05 2007,00:21
Do it after you have an IP. You're mistaken about .xinitrc in the boot process. It's not first, it's after everything else including DHCP (if detected when you boot). Your .xinitrc is for X-related processes, not system-related processes. Muddling processes like that can lead to confusion in pinning down problems or eveb bigger issues. What will you do about a firewall if X doesn't start (.xinitrc) for some reason?
Posted by fioddor on Aug. 29 2007,21:01Small correction: rc.firewall installs into /etc/init.d/rc.firewall
Posted by cylock on Mar. 03 2008,03:18To enable the firewall automatically on a CD just use a CDRW if possible.
Ive done this and you are pretty safe as you actually to open a burner app to change anything on it