Additional setup and configuration
This page is a continuation of Setting up FREESCO and assumes that you have set up a floppy-based FREESCO in accordance with that page. This tutorial describes some additional setup steps I find useful. None of these steps are necessary, as you should already have a functional router.
Once you have FREESCO installed, it is recommended that you take a look in the Announcement section of the FREESCO support forums. Here you will find patches for your FREESCO. These patches fix errors and bugs discovered since the release. In order to keep your box as secure as possible, my recommendation is to always apply patches when they are available.
One of the main purposes of running a firewall such as FREESCO is to keep all ports in a well-known state. Ports are used when connecting to computers (hosts) over the Internet. Each service running on a host uses one (or several) ports. Ports can be "open", "closed" or "stealth".
Open ports are security risks as they can be used by hackers who try to get access to your FREESCO. Hence you should try to limit the number of open ports on your machine. Unused ports should definitely be closed/stealthed. If you followed the instructions in Setting up FREESCO, no services are opened to the Internet. Consequently no ports should be open. Now it is time to verify that FREESCO keeps all ports closed.
Note: What is said above is a very simplified discussion about Internet services, ports, security and firewalls. I really recommend that you dig deeper into the topic as this is merely an introduction.
There are several sites on the Internet that will test your firewall. Some of them are ShieldsUp!, HackerWatch, Audit My PC and Hacker Wacker. All of them will run various tests on your FREESCO and look for vulnerabilities. It is a good idea to run several tests, as each of them has its own approach. What most of these sites do is try to connect to various ports of your FREESCO. This is often referred to as a "port scan". When done, the result is presented to you. Below is the result from using Shields Up! and running the 'Common Ports' test on a FREESCO configured as described in Setting up FREESCO:
What might catch your eye here is that the analysis obviously failed! The report says that there were ports responding to the attempts to connect to them and that the host answered the Ping request. Bad news or what?
When analyzing the result, the first thing to notice is that all checked ports have the status "Closed" or "Stealth". This is a good thing, as it is not possible to connect to a host on a certain port if that port is closed or stealthed. So as long as all ports are reported closed or stealthed, you can feel somewhat safe. However, when a client is trying to connect to a closed port on a host, the host will report back to the client that the port exists and that it is closed. This means that if a hacker tries to connect to your FREESCO on a closed port, the hacker will receive information saying that there IS a machine up and running on the given IP, but that the port is not open. As a closed port gives information back to the client, closed ports are reported as "unsecure" by most firewall testers.
It is also possible to configure a port to be "stealthed". With this setting, the port will not report anything back to the client. This means that a person trying to connect to your box on a stealthed port will not know whether there really exists a host on your IP or not. This is often seen as a higher level of security and is what most firewall tests look for. So in order to pass this part of the test you need to stealth your ports. For instructions on how to stealth ports on your FREESCO, see below.
So should one stealth ports or not? In my opinion, it's largely a matter of taste. Personally, I do not stealth ports as I do not feel that I need that extra level of security. On the other hand, stealthing ports is an easy way to "hide" your machine from possible intruders. Before you decide whether to stealth your ports or not, I recommend that you educate yourself by doing some reading/Googling on the topic.
The report also shows that your FREESCO responds to pings. Ping is a command used to check if a computer on a certain IP is up and running. If the host responds to the ping command, one knows that the host is running and hence it can be attacked. As ping can be used to find running hosts, most firewall tests expect ping replies to be turned off or the test will fail. It is possible to disable the ping reply relatively easily and below I show how to do this. However, you should be aware that if this is turned off, you will not be able to ping other hosts on the Internet, nor will you be able to run the traceroute command. traceroute is used to track and display how a command from your site is forwarded over the Internet to a certain site. See Lightning's comment about turning pings off, and its impact on traceroute. Ping and traceroute are not necessary commands and if you have never heard of them it might be a good idea to turn off ping replies. To do this, just follow these steps:

    Network Address Translation and Firewall.
    y = Enable NAT with internal forwarding (default)
    s = Enable NAT with internal symmetric NAT
    n = Disable NAT
    Warning: When disabled, all services are visible.
    11 Enable NAT/firewall (y/n) [y]?

Here you can enable/disable the firewall. Just leave the setting as it is by hitting Enter.

    Reject is recommended over stealth.
    111 Stealth or Reject ports (s/r) ? []?

Here you specify the default port status. Default is 'reject' and it is fine to leave the setting as it is.

    In "s" mode, pings will be allowed or returned when initiated from
    within your LAN.
    WARNING:y - Enable service worldwide (insecure)
    s - Enable service locally (secure recommended)
    n - Disable service
    112 Enable PING responses (y/s/n) ? [y]?

This is where you turn off ping responses. Change the "y" to an "n" and hit Enter.

    Saved. You should restart the system so settings will take effect.
    [root@Freesco]

If you are unsure whether you need to reboot your FREESCO or not, it is always a good idea to reboot it. Then you are sure that your new configuration will be used the next time FREESCO loads. In this case it is not necessary to reboot FREESCO; it is enough to restart the firewall, which is done by typing

    [root@Freesco] rc_masq restart

and pressing Enter. FREESCO will answer with

    NAT and firewalling is enabled... Done

and then you will be back at the prompt.
By now your FREESCO should not respond to pings any more. To verify this, run another test on the firewall and ensure that no ping replies are sent.
As mentioned earlier, it is possible to stealth ports with FREESCO and it is done using the Advanced Settings (see above). When specifying which ports to stealth, you can specify a single port (just giving a number), a list of ports (several numbers separated with a comma: 21,23), a range of ports (two numbers separated with a colon: 100:200) or a combination: 21,22,100:200,8080.
Note: Be sure NOT to stealth port 53, otherwise the DNS server cannot resolve names.
To stealth the ports, log in to your FREESCO as super user, run the setup program, enter the Advanced Settings Menu and select setting 27 (Block extra ports). Here you specify which ports to stealth. If you decide to stealth your ports, you should also update setting 111. This setting is used to specify the default state for ports used by packages installed to FREESCO. By default this setting is set to "Reject" (close) ports but you should change this to "Stealth" to get a stealthed system. The setting is "hidden" behind setting 11 (On/Off NAT/Firewall), the same setting that was used to disable ping responses. When done, save your settings and restart the firewall using

    [root@Freesco] rc_masq restart

Take a look at the output from the command. If you have used an incorrect format when specifying the ports to stealth, you will be notified about it here. If this happens, just re-enter the setup, enter the ports using the correct format and restart the firewall. If you decide to remove the stealthing of ports, just enter a "-" (minus) in setting 27.
Once you have stealthed the ports you want to, it is a good idea to run the firewall tests once again to verify that the ports really are stealthed. After disabling ping response and stealthing ports, a report from Shields Up! might look like this:
Note: Please remember that just because your FREESCO passed one (or several) of the tests, you should not lean back and think that you are protected. The Internet is big, bad and evil and any computer connected to it is a possible target for hackers. What you can do is to minimize the risk that you are attacked but you should never feel safe or think that you are totally protected.
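
The port-list format for setting 27 and the open/closed/stealth distinction described above can both be checked with a short script. The following Python is an added example, not part of FREESCO or of the original page: parse_ports, blocks_dns, probe and audit are hypothetical names, the probe covers TCP only, and 127.0.0.1 stands in for your own FREESCO's address.

```python
import socket

def parse_ports(spec):
    """Expand a setting-27 style list such as '21,22,100:200,8080' into sorted port numbers."""
    ports = set()
    for item in spec.split(","):
        lo, sep, hi = item.strip().partition(":")
        if not sep:
            hi = lo                      # a single port is a range of one
        if not (lo.isdigit() and hi.isdigit()):
            raise ValueError(f"bad port entry: {item!r}")
        lo, hi = int(lo), int(hi)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port out of range: {item!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)

def blocks_dns(spec):
    """True if the list would stealth port 53, which the page warns breaks name resolution."""
    return 53 in parse_ports(spec)

def probe(host, port, timeout=2.0):
    """Classify one TCP port the way a firewall tester reports it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"         # handshake completed: a service answered
        except ConnectionRefusedError:
            return "closed"       # a refusal came back: the host revealed itself
        except socket.timeout:
            return "stealth"      # no reply at all before the timeout
        except OSError:
            return "error"        # e.g. no route; says nothing about the port

def audit(host, spec, timeout=2.0):
    """Return {port: state} for every listed port that is NOT stealthed."""
    result = {}
    for port in parse_ports(spec):
        state = probe(host, port, timeout)
        if state != "stealth":
            result[port] = state
    return result

if __name__ == "__main__":
    spec = "21,22,100:102,8080"          # constructed sample list
    print(parse_ports(spec), "blocks DNS:", blocks_dns(spec))
    # 127.0.0.1 is a stand-in target; ports with no listener show up as "closed".
    print(audit("127.0.0.1", spec, timeout=0.5))
```

An empty result from audit means every listed port stayed silent, which is what a stealthed configuration should produce.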
When I upgraded to 034 I discovered some problems when trying to FTP to other sites. I thought it was my FTP client that caused the problems, but then I saw this post from El Machete who described the same problem. As always, Lightning comes to the rescue. He explained that since 034 the NAT helper modules are not loaded automatically. Instead one has to manually enable the loading of one of these modules. The modules increase the security risk, but as loading them solves my FTP problems I am willing to take that risk.
Enabling these modules is quite easy:

    266 Load FTP module (y/n) []?

Change this value to "y" and keep pressing Enter until you are back in the menu. Now save your changes.

    rc_masq restart

or reboot your FREESCO.
From now on you should have no problem using FTP from within your LAN.
Last modified: Tue Apr 15 22:36:55 CEST 2008