How to make Puppy 2 unresponsive to probe (firewall)
According to this wiki page, by running the firewall wizard, Puppy becomes completely unresponsive to internet probing. That may have been true of Puppy 1, but it is not of Puppy 2 (2.0.1, in my case). I went to grc.com, the "shields up" page, and found that it passed the first 2 tests but responded to ping requests.
When you look at the /etc/rc.d/rc.firewall, you see that RFC_1122_COMPLIANT="yes", which means it is set up to respond to ping requests. I changed that to "no", and re-ran the script, which then made the firewall pass all of Steve Gibson's tests.
I guess it is the firewall wizard setting this up "wrong"?
I also set LOGGING="yes" because I want to see any probes in my log (dmesg, right?), for now anyway.
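An added example, not from this thread and not Puppy's own /etc/rc.d/rc.firewall: a POSIX shell sketch that prints (without applying) the INPUT rules the two settings Paul changed would imply, and that reads iptables-save output to report whether an unsolicited echo-request is answered. The variable names RFC_1122_COMPLIANT and LOGGING are taken from the post; that rc.firewall is an iptables script, the rule text, the log prefix and the sample ruleset are assumptions made here.

```shell
#!/bin/sh
# Added example, not Puppy's rc.firewall. Assumption: rc.firewall builds an
# iptables ruleset; RFC_1122_COMPLIANT and LOGGING are the settings from the
# post, the rule text and log prefix below are mine.

# Print (do not apply) the INPUT rules for ICMP echo-request implied by
# $1 = RFC_1122_COMPLIANT (yes/no) and $2 = LOGGING (yes/no).
icmp_echo_rules() {
    compliant="$1"
    logging="$2"
    if [ "$logging" = "yes" ]; then
        # Log before the verdict, rate-limited so a ping flood cannot fill dmesg.
        echo 'iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/min -j LOG --log-prefix "ICMP-PROBE: "'
    fi
    if [ "$compliant" = "yes" ]; then
        echo 'iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    else
        echo 'iptables -A INPUT -p icmp --icmp-type echo-request -j DROP'
    fi
}

# Constructed sample of iptables-save output (not captured from Puppy).
SAMPLE_RULESET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
COMMIT'

# Read iptables-save text on stdin; print "answers" if an unsolicited
# echo-request (ICMP type 8) would be accepted, "drops" otherwise.
# Uses the first explicit type-8 rule, else the INPUT chain policy
# (a broader "-p icmp -j ACCEPT" rule is deliberately not considered).
ping_disposition() {
    rules="$(cat)"
    verdict="$(printf '%s\n' "$rules" | grep -- '--icmp-type 8 ' | head -n 1 | sed -n 's/.*-j \([A-Z]*\).*/\1/p')"
    if [ -z "$verdict" ]; then
        verdict="$(printf '%s\n' "$rules" | sed -n 's/^:INPUT \([A-Z]*\).*/\1/p')"
    fi
    case "$verdict" in
        ACCEPT) echo answers ;;
        *)      echo drops ;;
    esac
}

# Usage: show what each setting produces, then check the sample ruleset.
echo "# RFC_1122_COMPLIANT=no LOGGING=yes:"
icmp_echo_rules no yes
echo "# sample ruleset:"
printf '%s\n' "$SAMPLE_RULESET" | ping_disposition
```

On a real box, `iptables-save | ping_disposition` gives the same answer as the grc.com ping test without leaving the machine; the rate limit on the LOG rule is the part worth keeping if LOGGING="yes" stays on, since an unlimited LOG target lets a remote host fill the kernel log at will.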
-
- Posts: 622
- Joined: Wed 05 Apr 2006, 20:43
Paul, the logic you have used seems faulty.
RFC 1122 - Implement this? Nah, ignore it, what does the IETF know about the Internet?
grc.com - do what they say? Yeah, unquestioning obedience, obviously.
I'm sorry to sound like I'm parodying your words (well, I suppose I am) but logic is about the most important defence against all the bad advice and false fear and FUD out there.
Happiness and safety,
Mark
Mark, I'm documenting a change in behavior that some users may care about, even though you don't. Is that such a bad thing? Is that FUD?
I'm also giving a way to get back to the old situation, which some users may care about, even if you don't. Is that FUD?
I think Steve Gibson is a great guy, helping people plug holes in Windows, and I don't see why anyone would take a whack at him. Maybe his stuff is overkill in the linux world (for now). That's for the user to decide. I did not intend to argue on one side or the other of that question, because I am not informed enough to have a good opinion of it (that's why there are quotes around the word "wrong"). If it came off that way, I am sorry.
-
- Posts: 622
- Joined: Wed 05 Apr 2006, 20:43
Hey Paul, I should apologise, you seem like a sensitive soul and I'm not exactly the soul of tact! I wasn't criticising you or judging you as a person or questioning your motives. That said, I do believe that you are not applying the correct logic.
I have nothing against Steve Gibson, but he has nothing like the authority of the IETF. I prefer to stick with standards unless there is a clear reason not to. Since Puppy isn't Windows (YAY!) it really doesn't have to be mollycoddled to the same extent as that fragile delicate little flower of an operating system.
Note that Windows XP by default runs masses of insecure services on ports it keeps open.
In contrast, Puppy defaults to no services at all. If you have the firewall set up to block access to all except ports you want open for some reason, then you should have no fear of responding to pings in RFC-compliant fashion, unless you believe that someone is planning to ping-flood your system. Except I don't believe that trick has worked since before there were Linux 2 series kernels.
Wishing knowledge and courage to all,
Mark
More details on the same issue:
http://www.murga.org/~puppy/viewtopic.p ... t=firewall
If you are on dial-up and block pings, your ISP might drop you.
One more thing, PaulBx1:
don't let it bother you. This dude has a serious attitude problem.
-
- Posts: 622
- Joined: Wed 05 Apr 2006, 20:43
Q wrote:
One more thing, PaulBx1:
don't let it bother you. This dude has a serious attitude problem.
Not only do I not know you, I don't believe our paths have ever crossed before, so it's doubtful that you know me.
Sage is sometimes inclined to lament the decline of everyday exercise of intellect, and on a day when people choose to see disagreement and a questioning attitude as "an attitude problem" he may be feeling somewhat justified in his views.
OBTW, Paul and I have exchanged personal messages - he does know something about me.
Now you can resume the ad hominem attacks, and justify them by telling everyone that I insulted you....
Q wrote:
If you are on dial-up and block pings, your ISP might drop you.
Do you really think so? There are an awful lot of people running firewalls (e.g. ZoneAlarm) that drop pings. I've never heard of this being an issue.
I could see it if my machine were part of an ordinary lan, because the administrator might come over and slap me around if my machine ignores his pings.
marksouth2000 wrote:
I have nothing against Steve Gibson, but he has nothing like the authority of the IETF.
Well, one can place one's trust in authorities. I tend to trust more the people who have been down in the trenches, who actually run into this stuff. There are lots of things about the Internet (viruses, spyware, NSA) that were never imagined by the authorities when they first set it up. That's not a slander on the authorities; they probably did as well as they humanly could, but no one sees into the future.
But I think it really is a decision for the user. Does he want to respond to pings, or not? Up to him to read and decide. Some people just like a little more anonymity, which is hard enough as it is to maintain these days. The world won't end if a ping gets dropped.
marksouth2000 wrote:
In contrast, Puppy defaults to no services at all.
I was looking at this. There is a discussion here about it. When I did "netstat -tap | grep LISTEN" I got one line, from tcp. So apparently it is not "no services at all", although it certainly is very few services. Although maybe that got turned on by me trying out setup scripts, I don't know. I happen to have an internal lan (not working yet), I wonder if I need that service on to get the lan running? Do I need it on if I just bag the lan, and only use the internet?
PaulBx1 wrote:
Do you really think so? There are an awful lot of people running firewalls (e.g. ZoneAlarm) that drop pings. I've never heard of this being an issue.
ZA doesn't block server pings. Check your ZA settings and you will see it's enabled, and if you did block them, chances are you will get disconnected after a few minutes or you can't surf.
marksouth2000 wrote:
Now you can resume the ad hominem attacks, and justify them by telling everyone that I insulted you....
Would you like me to C&P a few of your comments? Maybe, just maybe, you can see what you are doing.
Let's see how good you are: can you convert this to txt?
01110111 01101000 01100001 01110100 00100000 01101001 01110011 00100000 01111001 01101111 01110101 01110010 00100000 01110000 01110010 01101111 01100010 01101100 01100101 01101101 00100000 01100100 01110101 01100100 01100101 00101110 01100111 01100101 01110100 00100000 01100001 00100000 01101100 01101001 01100110 01100101 00100000 01100001 01101110 01100100 00100000 01101100 01101001 01100111 01101000 01110100 01100101 01101110 00100000 01110101 01110000 00100000 01110111 01101001 01101100 01101100 00100000 01111001 01101111 01110101 00101110
No need to panic, it's just words, not commands.
I probably know less about firewalls than any of you, but I have used ZA, some. It's been a while since I last fiddled with it, but I seem to recall that it has a "stealth" setting that will not respond to pings. I remember reading a discussion somewhere about whether this was a good idea. I think the conclusion was that it is better not to use stealth, but I don't remember why.
I use multisession Puppy, and turn off my computer when I'm not using it, so I don't worry too much about it any more.
Q wrote:
ZA doesn't block server pings. Check your ZA settings and you will see it's enabled, and if you did block them, chances are you will get disconnected after a few minutes or you can't surf.
I booted Windows and looked at my ZA settings and the docs. Here is what the docs say (my emphasis):
Internet Service Providers (ISPs) periodically send heartbeat messages to their connected dial-up customers to make sure they are still there. If the ISP cannot determine that the customer is there, it might disconnect the customer so that the user's IP address can be given to someone else.
By default, Zone Labs security software blocks the protocols most commonly used for these heartbeat messages, which may cause you to be disconnected from the Internet. To prevent this from happening, you can identify the server sending the messages and add it to your Trusted Zone or you can configure the Internet Zone to allow ping messages.
Actually on my free copy of Zone Alarm, I was not given a choice to allow all pings or pings from my ISP only (according to the way the docs said it was done), so I'm guessing that is only available on paid copies, or maybe the docs are wrong.
But every indication is that ZA normally DOES drop pings and any other thing that can serve as a "heartbeat". I'm guessing the server is smart enough that if it receives any traffic at all from a home PC, it figures out the home PC is still out there without having to check by sending a heartbeat.
Anyway, the worst it can do is hand your IP address to someone else, in which case your PC will simply renegotiate for another. I have noticed my PC doing this when it wakes up from being on standby. Only takes a couple of seconds.
Bottom line, ZA drops everything, including pings, just like Steve Gibson says it does with his test - except of course things you've instructed it to accept.