[Leaplist] A "STOPPED" IPCop Computer
John Simpson
jms1 at jms1.net
Thu Jan 8 21:34:08 EST 2009
On 2009-01-07, at 1512, William Holmes Ferguson wrote:
>
> Your welcome clarification mentioned a couple items I don't
> understand.
>
> I don't understand the phrase "statefull inspection firewall."
> This is not criticism coming from me.
> Maybe a typo? Maybe "stable inspection firewall" intended?
the term "stateful" is correct. it means that the firewall actively
watches the connections your internal machines make to the outside
world, and dynamically allows or rejects incoming packets based on the
"state" of these active connections. for example, if an internal
machine opens an FTP connection to a server in the outside world, the
firewall will know that it's okay to allow that outside machine to
send "FTP data" packets back to the internal machine. and once the
internal machine closes the socket, any further "FTP data" packets
from that outside machine will be rejected again.
> I don't understand what a "webmin interface" is.
the word "webmin" is a mashed-up abbreviation of "web administration".
it normally refers to a specific program called "webmin", which
provides a web-based system administration interface, but i think in
this case randy meant it in a more generic sense. the ipcop web
interface is a type of "system administration", if you consider the
ipcop machine itself to be a "system".
> As you see, I'm walking on very unfamiliar ground here.
>
> What caused me to refer to the opening screen of my IPCop Computer's
> software was: --- I boot my Main Linux computer and type in a Terminal
> the IP Address of my IPCop computer.
are you sure you mean "terminal"? it sounds like you mean "web
browser". most people administer their ipcop systems by typing
"http://192.168.0.1:81/" into a web browser. a "terminal" is usually a
text-based interface which has no graphics at all. usually a "terminal"
acts as a container for a "shell", which is a program (like bash or
tcsh) which allows you to type in a command, and executes that command.
> Then, after a couple minutes, the Screen of the IPCop Computer opens
> with what, to me, the uninitiated, looks sort of comparable to a
> Desktop screen on other Linux Distros.
>
> So if I understand it correctly, that opening screen with its Menu of
> Buttons horizontally arranged in the upper part of the screen should
> be called the "web interface" or a "webmin interface?"
if you access it through a web browser, then it's a web page, or a web
interface.
and your description sounds like what the ipcop web-based
administration interface looks like.
> I think that you are teaching me that tho' both the "Red" and the
> "Green" NICs of my IPCop Computer were "STOPPED" when I checked System
> Status, but they aren't "STOPPED" when the IPCop Computer is properly
> connected in my two-person home LAN.
no. the "stopped" items you were originally talking about are not
referring to the red and green interfaces themselves. they are talking
about a program called "snort", which can be told to watch traffic
coming from the red and/or green interfaces. the fact that they both
say "stopped" means that snort isn't running.
ipcop by itself is a "stateful inspection firewall". a big part of its
security comes from the fact that it does NAT, and therefore there is
no way for an outside machine to directly access an inside machine
unless you have configured a rule under "external access" to allow
those packets into the machine, and a rule under "port forwardings" to
direct them to the internal machine where you want them to go. this by
itself will block almost every type of attack there is.
snort is an "intrusion detection system", or "IDS", which comes with
ipcop, but is not turned on by default. it adds another layer of
protection by watching the incoming packets for certain patterns:
packets which, by themselves, would be ignored by ipcop, but as a
pattern would indicate some other kind of attack. for example, if
somebody does a "port scan" on your IP address (i.e. they try to
connect to port 1, then port 2, then port 3, and so forth) ipcop alone
would either drop or reject those connections, but it wouldn't
recognize the overall pattern, because it looks at each packet
individually. snort watches the overall stream of packets to find
patterns like this, and it would recognize it as a port scan:
something which cannot be seen from any one packet, but which is
apparent when you look at the entire set of packets.
again, snort is NOT enabled by default, because not everybody wants to
use it, and because not every machine has enough memory to use it. it
needs at least 128MB by itself, on top of the 128MB which are needed
by the linux kernel and iptables, the DHCP server, DNS caching server,
apache (to drive the web interface), and other things which ipcop does
run by default.
----------------------------------------------------------------
| John M. Simpson --- KG4ZOW --- Programmer At Large |
| http://www.jms1.net/ <jms1 at jms1.net> |
----------------------------------------------------------------
| http://video.google.com/videoplay?docid=-1656880303867390173 |
----------------------------------------------------------------
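The two layers John describes above (a stateful filter that judges each packet against the table of connections the inside hosts opened, and an IDS that only sees a port scan across the whole stream) as a toy model. This is an added illustration, not IPCop, iptables or snort code; the address ranges, the "external access" / "port forwardings" rule shape, the detector threshold and the sample packet stream are all constructed for the example.

```python
# Toy model of the two layers described in the message: a stateful filter that
# judges each packet against a table of connections the inside hosts opened, and
# a scan detector that watches the whole stream for a pattern no single packet
# reveals. Constructed illustration; not IPCop, iptables or snort code.
from collections import defaultdict
from dataclasses import dataclass

INTERNAL_PREFIX = "192.168.0."      # assumed "green" network
FIREWALL_RED_IP = "203.0.113.1"     # assumed address of the "red" interface


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # connection-opening packet
    fin: bool = False   # connection-closing packet


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


class StatefulFirewall:
    """Lets inside hosts connect out and admits only the replies those
    connections produce, plus inbound connections that a hypothetical
    "external access" rule and a matching "port forwarding" rule both allow.
    NAT itself is not modelled: replies are shown already translated back
    to the internal address, and active-FTP data channels are not special-cased."""

    def __init__(self, external_access=(), port_forwards=None):
        self.connections = set()                     # active (in_ip, in_port, out_ip, out_port)
        self.external_access = set(external_access)  # ports opened on the red side
        self.port_forwards = dict(port_forwards or {})  # red port -> (green host, port)

    def filter(self, pkt):
        """Return 'ACCEPT' or 'DROP' for one packet and update the state table."""
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn:                      # outbound: allowed, and remembered so replies get in
                self.connections.add(key)
            elif pkt.fin:                    # socket closed: forget it
                self.connections.discard(key)
            return "ACCEPT"
        if not is_internal(pkt.src):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # the connection as seen from inside
            if key in self.connections:
                if pkt.fin:
                    self.connections.discard(key)            # later packets are rejected again
                return "ACCEPT"
            if pkt.syn and pkt.dport in self.external_access and pkt.dport in self.port_forwards:
                self.connections.add(key)    # would be DNAT'ed to self.port_forwards[pkt.dport]
                return "ACCEPT"
            return "DROP"                    # unsolicited inbound packet
        return "ACCEPT"                      # green-to-green traffic never crosses the firewall


class PortScanDetector:
    """Counts distinct destination ports per outside source. One SYN to a closed
    port is just one dropped packet; many from one source is a scan, and only
    the set of packets shows it."""

    def __init__(self, threshold=10):
        self.threshold = threshold
        self.ports_seen = defaultdict(set)   # source ip -> destination ports touched

    def observe(self, pkt):
        """Return True the first time a source reaches the threshold."""
        if is_internal(pkt.src) or not pkt.syn:
            return False
        seen = self.ports_seen[pkt.src]
        before = len(seen)
        seen.add(pkt.dport)
        return before < self.threshold <= len(seen)


def run_stream(packets, firewall, detector):
    """Feed a packet stream through both layers; return the per-packet verdicts
    and the sources the detector flagged as scanners."""
    verdicts, scanners = [], []
    for pkt in packets:
        verdicts.append(firewall.filter(pkt))
        if detector.observe(pkt):
            scanners.append(pkt.src)
    return verdicts, scanners


def demo():
    client, ftp_server, scanner = "192.168.0.20", "203.0.113.5", "198.51.100.7"
    fw = StatefulFirewall(external_access={22}, port_forwards={22: ("192.168.0.10", 22)})
    stream = [                                                  # constructed sample traffic
        Packet(client, 40000, ftp_server, 21, syn=True),        # inside host opens FTP control
        Packet(ftp_server, 21, client, 40000),                  # reply matches state: accepted
        Packet(client, 40000, ftp_server, 21, fin=True),        # inside host closes the socket
        Packet(ftp_server, 21, client, 40000),                  # late packet, no state: dropped
        Packet(scanner, 50000, FIREWALL_RED_IP, 1, syn=True),   # start of a port scan
        Packet(scanner, 50000, FIREWALL_RED_IP, 2, syn=True),
        Packet(scanner, 50000, FIREWALL_RED_IP, 3, syn=True),
        Packet(scanner, 50000, FIREWALL_RED_IP, 22, syn=True),  # the one forwarded port
        Packet(scanner, 50000, FIREWALL_RED_IP, 4, syn=True),   # fifth port: detector fires
        Packet(scanner, 50000, FIREWALL_RED_IP, 22),            # data on the accepted connection
        Packet(scanner, 50001, FIREWALL_RED_IP, 22),            # non-SYN with no state: dropped
    ]
    return run_stream(stream, fw, PortScanDetector(threshold=5))


if __name__ == "__main__":
    verdicts, scanners = demo()
    print(verdicts)
    print("scanners:", scanners)
```

Run it and every probe to a closed port is individually just a DROP, exactly as the firewall alone would treat it; only the detector, holding state across the whole stream, names 198.51.100.7 as a scanner. The forwarded port 22 is the one inbound SYN that gets through, and only because both rule tables allow it.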