[NCLUG] ipchains and firewalls

John L. Bass jbass at dmsd.com
Thu Jan 24 17:53:35 MST 2002


	Hi,

	I have 2 questions about ipchains and firewalls.  The first is I
	executed 

	  ipchains -R input 8 -j ACCEPT -p tcp -s 130.20.118.155 x11:6009

	along with

	  xhost +

	and I can now have X apps display on my machine from 130.20.118.155.
	Is this all I did? Or did I open up something else by accident?  (I'm
	an ipchains newbie) Where is "x11" defined? I assume it's just a "well
	known" port (something like 6000?).

For the most part, you are getting what you wanted - but it depends largely on the
other rules in the set.

What you probably get for free is the ability for outside parties to send X events
to the Xserver machine claiming to be from 130.20.118.155 - while this takes a
small amount of creativity, it does yield keyboard access to shell windows.
The attacker then has the ability to launch arbitrary command lines on your behalf.
This is an old attack, I'm not sure anything has changed to help close it.

	Second question:  If I buy one of the cheap hub/router/firewall boxes (as
	opposed to using an old machine as a firewall and buying a hub) can I
	have the same kind of control as what I'm doing with ipchains?  A
	specialized box would be more convenient for several reasons but I
	would like to have the kind of control that ipchains seems to provide.

Depends on the box ... Linksys/Netgear cable modem firewalls have a very limited
filter ruleset available that isn't well documented ... serious IT hackers only.
Some of these boxes have security exploits that are being attacked too, and you
have much less room to update the firmware as they are found. They also lack
debugging tools to help sort out ruleset problems. If you don't like the nice
UI of ipchains/iptables, you certainly will not like the cable modem ruleset UI.

	Thanks,

	Matt

Have Fun,
John
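
Added example, not part of the original thread: a small Python check that parses the ipchains rule quoted above and reports what it actually matches, including the point in the reply that the source address is the only thing being trusted. The service table, function names and `xhost_open` flag are assumptions made for this illustration; only the option subset used in the post is handled.

```python
import shlex

SERVICES = {"x11": 6000}        # constructed excerpt of /etc/services (x11 is 6000/tcp)
ANY = (0, 65535)

def parse_ports(tok):
    """'x11:6009' -> (6000, 6009); '6000' -> (6000, 6000); ':1023' -> (0, 1023)."""
    def num(s):
        return SERVICES[s] if s in SERVICES else int(s)
    lo, sep, hi = tok.partition(":")
    low = num(lo) if lo else 0
    high = num(hi) if hi else (65535 if sep else low)
    return (low, high)

def parse_rule(cmd):
    """Parse the subset of ipchains syntax used in the post (no '!' negation)."""
    t = shlex.split(cmd)
    rule = {"src": "0/0", "sport": ANY, "dst": "0/0", "dport": ANY}
    i = 1
    while i < len(t):
        opt = t[i]
        if opt in ("-A", "-I", "-R"):           # chain name, optional rule number
            rule["chain"] = t[i + 1]
            i += 3 if i + 2 < len(t) and t[i + 2].isdigit() else 2
        elif opt in ("-j", "-p"):
            rule["target" if opt == "-j" else "proto"] = t[i + 1]
            i += 2
        elif opt in ("-s", "-d"):               # address, optional port range
            addr, port = ("src", "sport") if opt == "-s" else ("dst", "dport")
            rule[addr] = t[i + 1]
            i += 2
            if i < len(t) and not t[i].startswith("-"):
                rule[port] = parse_ports(t[i])
                i += 1
        else:
            raise ValueError("unsupported option: " + opt)
    return rule

def findings(rule, xhost_open):
    """xhost_open: True when 'xhost +' was run on the X server (hypothetical flag)."""
    out = []
    if rule.get("target") == "ACCEPT" and rule["dport"] == ANY:
        out.append("destination port is unrestricted (a port after -s is a source port)")
    if rule.get("target") == "ACCEPT" and xhost_open:
        out.append("source address is the only check; 'xhost +' disables X access control")
    return out

RULE = "ipchains -R input 8 -j ACCEPT -p tcp -s 130.20.118.155 x11:6009"
if __name__ == "__main__":
    for f in findings(parse_rule(RULE), xhost_open=True):
        print("WARN:", f)
```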
