Peasy Firewall Monitor

Problems and successes with specific brands/models of networking hardware.
keniv
Posts: 583
Joined: Tue 06 Oct 2009, 21:00
Location: Scotland

#31 Post by keniv »

rcrsn51 wrote:
I don't understand how you are getting from the second window back to the first window - there is no path to do that unless you re-run the program.
Please answer.
I have just removed v1.5 and replaced it with v1.6. V1.6 is working perfectly in wary. Thank you for that. I'm sorry but I can't exactly remember how I got from image2 to 3. I got from 1 to 2 by clicking OK or Cancel on the corrupted window. I clicked on the button in 2 to bring up the tray icon and clicked OK. This is the point where I'm not sure what I did next. I did however click on the icon a couple of times. I also re-ran the firewall from the window. I also looked in /root/startup to make sure there was something relevant in there. I also rebooted the machine to check the firewall started. I also ran iptables -L -n in a terminal to make sure the firewall was running.
I hope, from the above, you can work out how I got to image3.

Regards,

Ken.

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#32 Post by rcrsn51 »

Thanks. I have added a post-install script to the PET that removes any existing firewall. That will make PFM build a new basic firewall on the first run.

keniv
Posts: 583
Joined: Tue 06 Oct 2009, 21:00
Location: Scotland

#33 Post by keniv »

I think that's a good idea. I did not think to shut off the firewall before I installed v1.5. I'm wondering if I should install v1.6 in 412 lite and 410 smp. v1.5 works with these two. I'd appreciate your advice.

Ken.

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#34 Post by rcrsn51 »

That's up to you. The major changes in v1.6 are with detection of open ports and building the firewall for trusted networks.

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#35 Post by greengeek »

keniv wrote: I also ran iptables -L -n in a terminal to make sure the firewall was running.
I am interested to know what information this command offers. Does my output ring any alarm bells with you?


# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW
TRUSTED    all  --  0.0.0.0/0            0.0.0.0/0            state NEW

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            state INVALID

Chain TRUSTED (1 references)
target     prot opt source               destination         
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
DROP       icmp --  0.0.0.0/0            0.0.0.0/0           
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
# 

keniv
Posts: 583
Joined: Tue 06 Oct 2009, 21:00
Location: Scotland

#36 Post by keniv »

@greengeek
Your output from iptables -L -n is very like mine. I can't check just now as I don't have access to my old laptop and am replying on a phone.
I'm no expert on this stuff. I asked on another thread how I could tell if the firewall was running. This was what was suggested. I think it displays your set of rules. I think if the firewall is not running they would not be displayed.

@rcrsn51
I think I'll stick with v1.5 for 412 lite and 410 as they're not on a local network.

Ken.
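
An added example (not part of the thread or of PFM) that shows what greengeek's question is really asking: a small parser for `iptables -L -n` output that applies keniv's "are any rules listed?" check and then walks a chain first-match, the way the kernel does, to report the verdict for a given packet. The sample listing is the INPUT and TRUSTED chains quoted above; note that for that ruleset a new inbound TCP connection from any address is accepted by the second INPUT rule before the TRUSTED chain is ever consulted.

```python
import ipaddress
import re

# Constructed sample: the INPUT and TRUSTED chains from the listing quoted above.
SAMPLE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW
TRUSTED    all  --  0.0.0.0/0            0.0.0.0/0            state NEW

Chain TRUSTED (1 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
DROP       icmp --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
"""

def parse_listing(text):
    """Return {chain: {"policy": str|None, "rules": [...]}} from `iptables -L -n` output."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)\)", line)
        if m:
            cur = chains[m.group(1)] = {"policy": m.group(2), "rules": []}
        elif cur and line.strip() and not line.startswith("target"):
            f = line.split(None, 5)  # target prot opt source destination [match extras]
            cur["rules"].append((f[0], f[1], f[3], f[4], f[5] if len(f) > 5 else ""))
    return chains

def verdict(chains, chain, proto, state, src):
    """First-match walk of one chain for one packet, recursing into user chains.
    Only protocol, conntrack state and source address are modelled; icmptype/ports are assumed to match."""
    for target, prot, s, _d, extra in chains[chain]["rules"]:
        m = re.search(r"state (\S+)", extra)
        if prot not in ("all", proto) or (m and state not in m.group(1).split(",")):
            continue
        if ipaddress.ip_address(src) not in ipaddress.ip_network(s):
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target in chains:  # user chain: fall through if nothing inside matched
            sub = verdict(chains, target, proto, state, src)
            if sub:
                return sub
    return chains[chain]["policy"]  # None for a user chain, i.e. fall through to the caller

def firewall_active(chains):
    """keniv's heuristic: with no firewall loaded, INPUT is an empty ACCEPT-policy chain."""
    return chains["INPUT"]["policy"] != "ACCEPT" or bool(chains["INPUT"]["rules"])
```

Feed it the real listing (`iptables -L -n` captured to a file) and query `verdict(fw, "INPUT", "tcp", "NEW", "<remote address>")` to see which rule would actually decide an inbound connection.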

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#37 Post by rcrsn51 »

Version 1.7 is posted above. It has a single-window user interface.

keniv
Posts: 583
Joined: Tue 06 Oct 2009, 21:00
Location: Scotland

#38 Post by keniv »

Now using v1.7 in all four pups. Working in all of them.

Ken.

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#39 Post by rcrsn51 »

Excellent. Thanks for testing.

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#40 Post by rcrsn51 »

Version 1.8 posted above.

slavvo67
Posts: 1610
Joined: Sat 13 Oct 2012, 02:07
Location: The other Mr. 305

#41 Post by slavvo67 »

Installed in Quirky Xerus64 (actually RU Xerus but interchangeable from my standpoint). Seems to work except for the install tray applet.

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#42 Post by rcrsn51 »

slavvo67 wrote: Installed in Quirky Xerus64 (actually RU Xerus but interchangeable from my standpoint). Seems to work except for the install tray applet.
The tray applet is a 32bit binary, so you need a 64bit version. Attached below, but I don't know if it will be compatible. Please report.

[Edit] This version is also compatible with Fatdog.
slavvo67 wrote: Seems to work
That's the thing about firewalls. The only true test is to run from a second machine and probe the first machine with a tool like PeasyPort.

---------------------------
Attachments
peasyfwmon_64bit-2.1.pet (23.91 KiB)
Updated 2017-07-25
Recognizes multiple networks
peasyfwmon_2state_tray_64bit-1.0.pet (5.24 KiB)
Last edited by rcrsn51 on Tue 25 Jul 2017, 18:19, edited 14 times in total.

slavvo67
Posts: 1610
Joined: Sat 13 Oct 2012, 02:07
Location: The other Mr. 305

#43 Post by slavvo67 »

The tray applet seems to be working --- Thank you! Thank you for the Peasyport tip. I'll have to test a little....

I have a suggestion but I'm not sure if it's practical or how difficult to accomplish. It would be nice to have a box that says Open Port [ _ _ ] to simplify opening a specific port #. Then, you would probably need a close port X or close all ports. Just a thought but it's nice, either way!

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#44 Post by rcrsn51 »

slavvo67 wrote: The tray applet seems to be working
Ummm... Either it's working or it's not.
slavvo67 wrote: It would be nice to have a box that says Open Port
If you want to open individual ports, you can run the full Linux Firewall app, assuming it's installed. But what is the practical value of doing that?

slavvo67
Posts: 1610
Joined: Sat 13 Oct 2012, 02:07
Location: The other Mr. 305

#45 Post by slavvo67 »

When I temporarily turn off the firewall, only ports 139 and 445 reflect as being opened using Peasyscan with a different computer.

Actually, the above might be a Peasyport issue. When I removed the firewall, Peasyport only reported back the ports above as being opened.

Practical value is say you're using Python Simple Server. No?

Update: I see what you're doing. So you're using port 24 for trusted LAN and that can be used with Python Simple Server as well as any. So, only question is can you turn off the trusted lan (port 24) without shutting down the firewall and restarting?

Also, still checking on the Peasyport discrepancy. I may have had the firewall up on the computer using Peasyport to scan. Still, not sure why it would show 2 open ports when that computer would be locked down..... I'll let you know what I find...

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#46 Post by rcrsn51 »

slavvo67 wrote: Actually, the above might be a Peasyport issue. When I removed the firewall, Peasyport only reported back the ports above as being opened.
That's exactly how it should be. A port only opens if there is a service using it. Were you expecting to see all 1024 standard ports open?
slavvo67 wrote: Practical value is say you're using Python Simple Server. No?
Suppose you have Python Simple Server running on port 8000. So you allow that port on the firewall. All the firewall is now doing is blocking a bunch of other ports that aren't active anyway.

The value of the "trusted LAN" procedure is that it allows traffic through whatever ports you choose to open to anyone on the LAN, without having to specify them individually.

It also lets you communicate with network devices that might be advertising their presence on ports that you don't know about.

slavvo67
Posts: 1610
Joined: Sat 13 Oct 2012, 02:07
Location: The other Mr. 305

#47 Post by slavvo67 »

rcrsn51 wrote: The value of the "trusted LAN" procedure is that it allows traffic through whatever ports you choose to open to anyone on the LAN, without having to specify them individually.
Forgive me, as networking has been one of my many weaknesses. So, you're opening the trusted LAN so if I open let's say Port 8000 on one computer, I can go to 198.162.0.0:8000 without having to open that port through the firewall and it will work because the computers are on the same local network?

Maybe you can give an example of how it would be used?

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#48 Post by rcrsn51 »

Exactly.

But here is something else to consider. Assuming that you are on a LAN behind a router, the ONLY computers that can see the server are those on the LAN. In which case, why do you need a firewall in the first place?
slavvo67 wrote: Maybe you can give an example of how it would be used?
The objective of PFM is to give people who absolutely insist on running a firewall a tool that works, even though they don't need it.

The only people who might need a firewall are those with a public IP address and are directly exposed to the Internet. But they shouldn't have any ports open anyway because they aren't sharing anything.

slavvo67
Posts: 1610
Joined: Sat 13 Oct 2012, 02:07
Location: The other Mr. 305

#49 Post by slavvo67 »

Wow! Like if a tree falls in the woods and nobody is there to hear it, does it make a sound? Very enlightening. Thank you and thank you for the excellent tool!

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#50 Post by rcrsn51 »

PFM began in 2013 because people were getting confused by the various Puppy firewalls. They couldn't get file/print sharing to work because the firewall was blocking it, even though they were certain that the firewall was off.

They needed a diagnostic tool that could show them EXACTLY what the firewall was doing.

Consider this: you install the firewall because you are concerned that malicious outside users can somehow "see into your computer". You then set up a SAMBA server to share data with your family, so you open Port 139 on the firewall. You just exposed all that data to those malicious users! Meanwhile, the firewall is protecting a bunch of other ports that aren't even active.

The firewall is having the opposite effect of what you want. The only thing that makes any sense is Trusted LAN.
