Originally Posted by haani
Doesn't work. Firestarter says that it can't connect/start!! When I remove the text from /etc/firestarter/user-pre then it works!! So I am thinking that there is no way of working moblock and firestarter together??
OK, you have to leave out the
Code:
# pid-file check from the original MoBlock.sh (refuses to start a second
# instance). Leave these lines out in user-pre.
if [ -f $PIDF ]; then
    PID=`cat $PIDF`
    # ps -p prints a header line plus one line per live process
    if [ `ps -p $PID|wc -l` -gt 1 ]; then
        echo "$0: $PIDF exists and process seems to be running. Exiting."
        exit 1
    fi
fi
I thought that was obvious.
I did what I never wanted to do: spend time on firestarter. Leaving out the lines above just works fine. The firestarter firewall is built up and moblock starts blocking things. I tested it.
Here's the file user-pre for copy & paste:
Code:
#!/bin/sh
#
# MoBlock.sh - MoBlock start script
# ---------------------------------
# Goes into /etc/firestarter/user-pre (run by firestarter before its own
# rules). The pid-file check of the original MoBlock.sh is left out on
# purpose: with it in place firestarter refuses to start.

# Set to 0 to create the MOBLOCK_* chains without hooking them into
# INPUT/OUTPUT/FORWARD (useful when wiring them up by hand).
ACTIVATE_CHAINS=1

# Whitelisted destination ports (space separated; names from /etc/services
# or numbers). Traffic to these ports bypasses moblock's queue.
WHITE_TCP_IN=""
WHITE_UDP_IN=""
WHITE_TCP_OUT="http https 1863"
WHITE_UDP_OUT=""
WHITE_TCP_FORWARD=""
WHITE_UDP_FORWARD=""

PIDF=/var/run/moblock.pid
FNAME=`basename $0 .sh`
# MODE is taken from the script name (MoBlock-<mode>.sh); unused below.
MODE=`echo $FNAME|awk -F- '{print $2}'`

# Pick the queueing target matching the installed moblock binary:
# ip_queue/QUEUE for moblock-ipq, NFQUEUE for moblock-nfq.
if [ -f /usr/bin/moblock-ipq ]; then
    modprobe ip_queue
    TARGET="QUEUE"
elif [ -f /usr/bin/moblock-nfq ]; then
    modprobe ipt_NFQUEUE
    TARGET="NFQUEUE"
else
    echo "$0: neither /usr/bin/moblock-ipq nor /usr/bin/moblock-nfq found. Exiting." >&2
    exit 1
fi
modprobe ipt_state

# Filter all traffic, edit for your needs
iptables -N MOBLOCK_IN
iptables -N MOBLOCK_OUT
iptables -N MOBLOCK_FW

# -I puts the jumps at the top of the builtin chains, i.e. in front of
# everything firestarter adds afterwards. Only NEW connections are queued.
if [ $ACTIVATE_CHAINS -eq 1 ]; then
    iptables -I INPUT   -p all -m state --state NEW -j MOBLOCK_IN
    iptables -I OUTPUT  -p all -m state --state NEW -j MOBLOCK_OUT
    iptables -I FORWARD -p all -m state --state NEW -j MOBLOCK_FW
fi

# Hand everything that reaches a MOBLOCK_* chain to moblock's queue.
iptables -I MOBLOCK_IN -p all -j $TARGET
#iptables -I MOBLOCK_IN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I MOBLOCK_OUT -p all -j $TARGET
#iptables -I MOBLOCK_OUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I MOBLOCK_FW -p all -j $TARGET
#iptables -I MOBLOCK_FW -m state --state ESTABLISHED,RELATED -j ACCEPT

# Whitelist rules are inserted with -I, so they end up above the $TARGET
# rule and the listed ports never reach moblock.
for PORT in $WHITE_TCP_OUT; do
    iptables -I MOBLOCK_OUT -p tcp --dport $PORT -j ACCEPT
done
for PORT in $WHITE_UDP_OUT; do
    iptables -I MOBLOCK_OUT -p udp --dport $PORT -j ACCEPT
done
for PORT in $WHITE_TCP_IN; do
    iptables -I MOBLOCK_IN -p tcp --dport $PORT -j ACCEPT
done
for PORT in $WHITE_UDP_IN; do
    iptables -I MOBLOCK_IN -p udp --dport $PORT -j ACCEPT
done
for PORT in $WHITE_TCP_FORWARD; do
    iptables -I MOBLOCK_FW -p tcp --dport $PORT -j ACCEPT
done
for PORT in $WHITE_UDP_FORWARD; do
    iptables -I MOBLOCK_FW -p udp --dport $PORT -j ACCEPT
done

# Loopback traffic fix: never queue local traffic.
iptables -I INPUT -p all -i lo -j ACCEPT
iptables -I OUTPUT -p all -o lo -j ACCEPT
There is just one problem left: AFAIK, if traffic is put into moblock's queue and moblock (or any other program that uses the same interface) decides that the packet is accepted, it is accepted. Period. (Same as -j ACCEPT when using iptables; there is no possibility to use something similar to -j RETURN, which would let the packet traverse the remaining rules of the firewall to be checked there, too.)
So using what I posted above means putting moblock in front of firestarter, effectively leaving firestarter's rules unused because moblock is filtering everything.
You can only use firestarter to watch open connections.
You can fix part of this problem by putting all the stuff into the file user-post, leaving user-pre empty, and by replacing
Code:
# -I: moblock's chains go in front of everything else
if [ $ACTIVATE_CHAINS -eq 1 ]; then
    iptables -I INPUT -p all -m state --state NEW -j MOBLOCK_IN
    iptables -I OUTPUT -p all -m state --state NEW -j MOBLOCK_OUT
    iptables -I FORWARD -p all -m state --state NEW -j MOBLOCK_FW
fi
by
Code:
# -A: moblock's chains are appended after firestarter's rules
if [ $ACTIVATE_CHAINS -eq 1 ]; then
    iptables -A INPUT -p all -m state --state NEW -j MOBLOCK_IN
    iptables -A OUTPUT -p all -m state --state NEW -j MOBLOCK_OUT
    iptables -A FORWARD -p all -m state --state NEW -j MOBLOCK_FW
fi
But this only replaces the problem by another: now firestarter is in charge, and if firestarter decides that a packet is to be accepted, it may do so without consulting moblock.
This is one of the reasons why on sourceforge.net I categorized moblock as software for "advanced end users": you should know how to use iptables before you use moblock. You can do without, as by default the package blocks things. But if you want to integrate it into another firewall you need to know what is going on.
If you are brave and grok the iptables documentation, you can insert the moblock chains into firestarter's rules at exactly the places that make sense in your individual case.
It may make sense to use
Code:
if [ $ACTIVATE_CHAINS -eq 1 ]; then
    # firestarter's INBOUND chain: append the moblock jump as its last rule
    iptables -A INBOUND -p all -m state --state NEW -j MOBLOCK_IN
    # where in output? `iptables -L` prints two header lines, so the line
    # count minus 2 is the number of rules, i.e. the index of the last rule
    OLINE=$((`iptables -L OUTBOUND|wc -l` - 2 ))
    # -R replaces that last rule of OUTBOUND with the moblock jump
    iptables -R OUTBOUND $OLINE -p all -m state --state NEW -j MOBLOCK_OUT
    iptables -A FORWARD -p all -m state --state NEW -j MOBLOCK_FW
fi
in the file user-post.
But I cannot guarantee that it does what you want.
The moral of this story is: you are not secure if you don't know what your firewall does. Even if you do, you may not be secure, but it's better than the first case.
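As an added example (not part of the post above and not MoBlock's or firestarter's own code), here is a small POSIX sh helper for the "insert the chains at exactly the right place" step. It computes the insertion point from `iptables -S CHAIN` output, where every rule is one "-A CHAIN ..." line, instead of subtracting the two header lines of `iptables -L`, and it uses `-I CHAIN N` to put the moblock jump in front of the chain's last rule rather than `-R`, so the chain's final catch-all rule stays in place. The chain names INBOUND/OUTBOUND are firestarter's as used in the post; the `IPT` dry-run default, the function names and the sample listing are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not MoBlock's or firestarter's own code: hook a MOBLOCK_*
# chain into an existing chain just before that chain's last rule.
# Assumptions: chain names as used by firestarter (INBOUND/OUTBOUND);
# IPT defaults to a dry run that only prints the iptables command.

IPT="${IPT:-echo iptables}"

# Number of rules in CHAIN, read from `iptables -S CHAIN` output on stdin.
# -S prints one "-A CHAIN ..." line per rule (plus a "-N CHAIN" line for a
# user chain), so counting "-A" lines avoids the header arithmetic needed
# with `iptables -L | wc -l`.
rule_count() {
    awk -v chain="$1" '$1 == "-A" && $2 == chain { n++ } END { print n + 0 }'
}

# Rule number to pass to `-I CHAIN N` so the new rule lands immediately
# before the current last rule (N=1 for an empty chain). Reads the -S
# listing from stdin.
insert_before_last() {
    n=$(rule_count "$1")
    if [ "$n" -gt 0 ]; then echo "$n"; else echo 1; fi
}

# Insert a jump from PARENT to TARGET for NEW connections just before
# PARENT's last rule, leaving that last (catch-all) rule in place.
# $3 is the `iptables -S PARENT` listing, passed in so the function can be
# exercised with a constructed listing and without root.
hook_before_last() {
    parent="$1"; target="$2"; listing="$3"
    pos=$(printf '%s\n' "$listing" | insert_before_last "$parent")
    $IPT -I "$parent" "$pos" -p all -m state --state NEW -j "$target"
}

# Constructed sample listing (not captured from a real host) standing in
# for `iptables -S OUTBOUND` on a firestarter box: two accepts, final DROP.
SAMPLE_OUTBOUND='-N OUTBOUND
-A OUTBOUND -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTBOUND -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTBOUND -j DROP'

# Dry run against the sample. On a real host (as root, IPT=iptables) use:
#   hook_before_last OUTBOUND MOBLOCK_OUT "$(iptables -S OUTBOUND)"
hook_before_last OUTBOUND MOBLOCK_OUT "$SAMPLE_OUTBOUND"
```

Run as is, the script only prints `iptables -I OUTBOUND 3 ...`; set `IPT=iptables` and pass the live `iptables -S` listing to apply it. The whitelist and MOBLOCK_* chain setup from the user-pre script above still has to run first, since the jump targets must exist.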