* Re: firewall protocols
From: Vernon A. Fort @ 2005-04-07 18:35 UTC
  To: netfilter

Ted Gervais wrote:

> I have just discovered that people are not able to telnet to my system 
> and I have been told that it is not because I don't have the necessary 
> ports open but rather the problem is because of protocols??
>
> I have no idea what this means and am wondering if someone could 
> explain.  If it is needed I can supply a copy of my firewall  but was 
> wondering first if anyone has heard of this.

You should be able to list the open ports with the iptables command:
iptables -L -nv
and
telnet localhost to see if telnet is running

From the iptables output, you should see port 23 open from the IP address 
needing access.  You should also be able to telnet to the localhost.

Vernon



* firewall protocols
From: Ted Gervais @ 2005-04-07 19:27 UTC
  To: netfilter

I have just discovered that people are not able to telnet to my system and 
I have been told that it is not because I don't have the necessary ports 
open but rather the problem is because of protocols??

I have no idea what this means and am wondering if someone could 
explain.  If it is needed I can supply a copy of my firewall  but was 
wondering first if anyone has heard of this.

---
Ted Gervais,
Coldbrook, Nova Scotia, Canada



* Re: firewall protocols
From: R. DuFresne @ 2005-04-07 20:14 UTC
  To: Vernon A. Fort; +Cc: netfilter

On Thu, 7 Apr 2005, Vernon A. Fort wrote:

> Ted Gervais wrote:
>
>> I have just discovered that people are not able to telnet to my system and 
>> I have been told that it is not because I don't have the necessary ports 
>> open but rather the problem is because of protocols??
>> 
>> I have no idea what this means and am wondering if someone could explain. 
>> If it is needed I can supply a copy of my firewall  but was wondering 
>> first if anyone has heard of this.
>
> you should be able to list the open port from the iptables command:  iptables 
> -L -nv
> and
> telnet localhost to see if telnet is running
>
> from the iptables, you should see port 23 open from the ip address needing 
> access.  you should also be able to telnet to the localhost.
>

Which might tell him if the port's open, but not if there's anything really 
listening on the port.  grep telnet /etc/inetd.conf is a better starting 
point, since he claims his rulebase allows telnet already; this sounds 
like the port's open but there's nothing listening.  If he sees this 
response:

#telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd

He needs to vi /etc/inetd.conf to enable telnet <and with tcpd for other 
sec reasons>, then kill -HUP inetd and also then make sure his 
/etc/hosts.allow is set up to allow telnet, especially if he has a 
populated /etc/hosts.deny.

Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>
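A check for the inetd.conf and tcp_wrappers state Ron describes above, written as an added example for this thread (not code anyone posted): it runs against constructed sample files in a temp directory, and the hosts.allow/hosts.deny inspection only looks at the daemon field, not client patterns or EXCEPT clauses.

```shell
#!/bin/sh
# Added example, not from the thread: check an inetd.conf and the tcp_wrappers
# files the way Ron's reply describes, against constructed sample files.

# Print one of: enabled-tcpd | enabled-direct | disabled | absent
# A leading '#' on the telnet line means inetd never binds port 23.
inetd_telnet_state() {
    line=$(grep -E '^[[:space:]]*telnet[[:space:]]' "$1" | head -n 1)
    if [ -n "$line" ]; then
        case "$line" in
            */tcpd*) echo enabled-tcpd ;;     # wrapped: hosts.allow/deny apply
            *)       echo enabled-direct ;;   # in.telnetd spawned directly
        esac
    elif grep -Eq '^[[:space:]]*#[[:space:]]*telnet[[:space:]]' "$1"; then
        echo disabled
    else
        echo absent
    fi
}

# tcpd reads hosts.allow first, then hosts.deny; a populated hosts.deny
# (commonly "ALL: ALL") silently refuses telnet unless hosts.allow lists it.
# Only the daemon field is inspected here; client patterns and EXCEPT
# clauses are not evaluated. Prints: allowed | denied | open
wrapper_verdict() {
    daemon_re='^[[:space:]]*(in\.telnetd|ALL)[[:space:]]*:'
    if grep -Eq "$daemon_re" "$1"; then echo allowed
    elif grep -Eq "$daemon_re" "$2"; then echo denied
    else echo open
    fi
}

# Constructed files reproducing the situation in the thread: telnet line
# commented out, hosts.deny populated, hosts.allow empty.
tmp=$(mktemp -d)
cat > "$tmp/inetd.conf" <<'EOF'
#telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd
EOF
printf 'ALL: ALL\n' > "$tmp/hosts.deny"
: > "$tmp/hosts.allow"

echo "inetd telnet entry: $(inetd_telnet_state "$tmp/inetd.conf")"
echo "tcp_wrappers:       $(wrapper_verdict "$tmp/hosts.allow" "$tmp/hosts.deny")"
```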



* Re: firewall protocols
From: Alexander Samad @ 2005-04-07 22:13 UTC
  To: netfilter


On Thu, Apr 07, 2005 at 04:14:08PM -0400, R. DuFresne wrote:
> On Thu, 7 Apr 2005, Vernon A. Fort wrote:
> 
> >Ted Gervais wrote:
> >
> >>I have just discovered that people are not able to telnet to my system 
> >>and I have been told that it is not because I don't have the necessary 
> >>ports open but rather the problem is because of protocols??
> >>
> >>I have no idea what this means and am wondering if someone could explain. 
> >>If it is needed I can supply a copy of my firewall  but was wondering 
> >>first if anyone has heard of this.
> >
> >you should be able to list the open port from the iptables command:  
> >iptables -L -nv
> >and
> >telnet localhost to see if telnet is running
> >
> >from the iptables, you should see port 23 open from the ip address needing 
> >access.  you should also be able to telnet to the localhost.
> >
> 
> Which might tell him if the port's open, but not if there's anything really 
> listening on the port.  grep telnet /etc/inetd.conf is a better starting 
> point, since he claims his rulebase allows telnet already; this sounds 
> like the port's open but there's nothing listening.  If he sees this 
> response:
> 
> #telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
> 
> He needs to vi /etc/inetd.conf to enable telnet <and with tcpd for other 
> sec reasons>, then kill -HUP inetd and also then make sure his 
> /etc/hosts.allow is set up to allow telnet, especially if he has a 
> populated /etc/hosts.deny.


can always try a netstat -pane | grep 23 to see what is using/listening
on port 23




* Re: firewall protocols
From: Cedric Blancher @ 2005-04-07 22:30 UTC
  To: Ted Gervais; +Cc: netfilter

On Thursday 07 April 2005 at 16:27 -0300, Ted Gervais wrote:
> I have just discovered that people are not able to telnet to my system and 
> I have been told that it is not because I don't have the necessary ports 
> open but rather the problem is because of protocols??

Do you have IPv6 support? It's a quite common issue with people using
an IPv6 connection not to configure their firewall for this protocol
using ip6tables. Then, they're firewalled for IPv4, but all naked
towards IPv6.

It can be something else, so I think you should post your ruleset.


-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
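Combining Vernon's suggestion to read iptables -L -nv with Cedric's ip6tables point, as an added example that is not from the thread: the two captures are constructed, and on a real host they would come from iptables -L INPUT -nv and ip6tables -L INPUT -nv.

```shell
#!/bin/sh
# Added example, not from the thread: read the INPUT chain from "iptables -L -nv"
# and "ip6tables -L -nv" output and report how tcp/23 is exposed per family.
# The two captures below are constructed; on a live box substitute
#   V4_RULES=$(iptables -L INPUT -nv)  and  V6_RULES=$(ip6tables -L INPUT -nv)

V4_RULES='Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
  540 32400 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   88  5280 ACCEPT     tcp  --  eth0   *       192.0.2.0/24         0.0.0.0/0            tcp dpt:23
 3120  187K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

# IPv6 never configured, which is Cedric's case: policy ACCEPT and no rules.
V6_RULES='Chain INPUT (policy ACCEPT 4017 packets, 301K bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Default policy of the chain (ACCEPT or DROP).
input_policy() {
    printf '%s\n' "$1" | sed -n 's/^Chain INPUT (policy \([A-Z]*\).*/\1/p'
}

# Rules whose target is $2 and that match tcp destination port 23; prints the
# source column ($8) of each. Newer iptables may print the protocol as "6".
port23_rule_sources() {
    printf '%s\n' "$1" | awk -v t="$2" '$3 == t && ($4 == "tcp" || $4 == "6") && /dpt:23$/ { print $8 }'
}

# Verdict for one family:
#   closed           policy DROP and no ACCEPT rule for 23
#   open from: X     policy DROP, ACCEPT rule for 23 from X
#   blocked from: X  policy ACCEPT, explicit DROP/REJECT for 23 from X
#   naked            policy ACCEPT and nothing about 23 at all
telnet_exposure() {
    pol=$(input_policy "$1")
    case "$pol" in
        DROP)
            src=$(port23_rule_sources "$1" ACCEPT)
            [ -n "$src" ] && echo "open from: $src" || echo closed ;;
        ACCEPT)
            blk=$(port23_rule_sources "$1" DROP; port23_rule_sources "$1" REJECT)
            [ -n "$blk" ] && echo "blocked from: $blk" || echo naked ;;
        *) echo "unrecognised policy: $pol" ;;
    esac
}

echo "IPv4 tcp/23: $(telnet_exposure "$V4_RULES")"
echo "IPv6 tcp/23: $(telnet_exposure "$V6_RULES")"
```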



* Re: firewall protocols
From: R. DuFresne @ 2005-04-07 23:29 UTC
  To: Alexander Samad; +Cc: netfilter

On Fri, 8 Apr 2005, Alexander Samad wrote:

>
>
> can always try a netstat -pane | grep 23 to see what is using/listening
> on port 23
>

And that will work, as long as telnetd is presently being used or was used 
very recently.  Remember inetd, being the super server, launches all it 
cares for as they are asked for... they run for the time required and then 
go to sleep, until inetd gets a request to relaunch one of the daemons it 
manages...


Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>



* Re: firewall protocols
From: Alexander Samad @ 2005-04-08  0:33 UTC
  To: netfilter


On Thu, Apr 07, 2005 at 07:29:24PM -0400, R. DuFresne wrote:
> On Fri, 8 Apr 2005, Alexander Samad wrote:
> 
> >
> >
> >can always try a netstat -pane | grep 23 to see what is using/listening
> >on port 23
> >
> 
> And that will work, as long as telnetd is presently being used or used 
> very recently.  Remember inetd, being the super server launches all it 
> cares for as they are asked for...they run for the time required and then 
> go sleep, until inetd get a request to relaunch one of the daemons it 
> manages...

Should you still see a listen on port 23? The process will be inetd
instead of telnetd, which is why I grepped for 23 and not telnetd.


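Alexander's netstat check made precise, as an added example not posted in the thread: the capture is constructed, the filter keys on the local port and LISTEN state rather than a bare grep for 23, and it reports inetd as the socket owner, which is the point of the exchange above.

```shell
#!/bin/sh
# Added example, not from the thread: apply Alexander's netstat check precisely.
# The lines below are a constructed "netstat -pane" capture; on a live box use
#   NETSTAT_OUT=$(netstat -pane)   (run as root so -p can show the program name)

NETSTAT_OUT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      0          11723      812/inetd
tcp        0      0 0.0.0.0:2323            0.0.0.0:*               LISTEN      0          11800      901/otherd
tcp        0      0 10.0.0.23:22            10.0.0.5:40123          ESTABLISHED 0          12001      455/sshd
tcp6       0      0 :::23                   :::*                    LISTEN      0          11724      812/inetd'

# What "| grep 23" does: every line containing the digits 23 anywhere
# (port 2323, the address 10.0.0.23, the inode 11723 ...).
naive_grep_count() { printf '%s\n' "$NETSTAT_OUT" | grep -c 23; }

# Only TCP sockets whose local port is exactly 23 and that are in LISTEN.
# Prints "<proto> <PID/Program>" per listener; the tcp6 line shows why
# Cedric's ip6tables remark matters when the daemon binds both families.
port23_listeners() {
    printf '%s\n' "$NETSTAT_OUT" |
    awk '$1 ~ /^tcp/ && $4 ~ /:23$/ && $6 == "LISTEN" { print $1, $NF }'
}

# With inetd the listener is inetd itself; in.telnetd only exists for the
# life of a session (Ron's point), so grepping for telnetd finds nothing
# between sessions even though the port is open.
listener_program() { port23_listeners | awk '{ print $2 }' | sort -u; }

echo "lines matching a bare grep 23: $(naive_grep_count)"
echo "real port-23 listeners:"
port23_listeners
echo "owned by: $(listener_program)"
```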


* Re: firewall protocols
From: Nick Drage @ 2005-04-11 10:45 UTC
  To: netfilter

On Thu, Apr 07, 2005 at 04:27:51PM -0300, Ted Gervais wrote:
> I have just discovered that people are not able to telnet to my system and 
> I have been told that it is not because I don't have the necessary ports 
> open but rather the problem is because of protocols??
> 
> I have no idea what this means and am wondering if someone could 
> explain.  If it is needed I can supply a copy of my firewall  but was 
> wondering first if anyone has heard of this.

To be honest I think you need to go back to whoever made this remark and
ask them quite what they mean, while following up the suggestions made
elsewhere in the thread.  "protocol" could cover a pretty wide range of
things here, ipv6, tcp, or telnet itself; so their diagnosis needs to be
rather more precise.

-- 
If you always do what you've always done,
you'll always get what you've always got.


