[Leaplist] Re: John Simpson explanation of "STOPPED" IPCop Computer

William Holmes Ferguson williamhf at cfl.rr.com
Fri Jan 9 10:33:47 EST 2009


Mr. John,

You offer exceptionally clear, thoroughgoing, and considerate instruction 
each time you post to the Leaplist.org.

Thank you, sir.

William


John Simpson wrote:
> On 2009-01-07, at 1512, William Holmes Ferguson wrote:
>>
>> Your welcome clarification mentioned a couple items I don't understand.
>>
>> I don't understand the phrase "statefull inspection firewall."
>> This is not criticism coming from me.
>> Maybe a typo? Maybe "stable inspection firewall" intended?
>
> the term "stateful" is correct. it means that the firewall actively 
> watches the connections your internal machines make to the outside 
> world, and dynamically allows or rejects incoming packets based on the 
> "state" of these active connections. for example, if an internal 
> machine opens an FTP connection to a server in the outside world, the 
> firewall will know that it's okay to allow that outside machine to 
> send "FTP data" packets back to the internal machine. and once the 
> internal machine closes the socket, any further "FTP data" packets 
> from that outside machine will be rejected again.
>
>
>> I don't understand what a "webmin interface" is.
>
> the word "webmin" is a mashed-up abbreviation of "web administration". 
> it normally refers to a specific program called "webmin", which 
> provides a web-based system administration interface, but i think in 
> this case randy meant it in a more generic sense. the ipcop web 
> interface is a type of "system administration", if you consider the 
> ipcop machine itself to be a "system".
>
>
>> As you see, I'm walking on very unfamiliar ground here.
>>
>> What caused me to refer to the opening screen of my IPCop Computer's
>> software was: --- I boot my Main Linux computer and type in a Terminal
>> the IP Address of my IPCop computer.
>
> are you sure you mean "terminal"? it sounds like you mean "web 
> browser". most people administer their ipcop systems by typing 
> "http://192.168.0.1:81/" into a web browser. a "terminal" is usually a 
> text-based interface which has no graphics at all. usually a 
> "terminal" acts as a container for a "shell", which is a program (like 
> bash or tcsh) which allows you to type in a command, and executes that 
> command.
>
>
>> Then, after a couple minutes, the Screen of the IPCop Computer opens 
>> with what, to me, the uninitiated, looks sort of comparable to a 
>> Desktop screen on other Linux Distros.
>>
>> So if I understand it correctly, that opening screen with its Menu of 
>> Buttons horizontally arranged in the upper part of the screen should 
>> be called the "web interface" or a "webmin interface?"
>
> if you access it through a web browser, then it's a web page, or a web 
> interface.
>
> and your description sounds like what the ipcop web-based 
> administration interface looks like.
>
>
>> I think that you are teaching me that tho' both the "Red" and the 
>> "Green" NICs of my IPCop Computer were "STOPPED" when I checked 
>> System Status, they aren't "STOPPED" when the IPCop Computer is 
>> properly connected in my two-person home LAN.
>
> no. the "stopped" items you were originally talking about are not 
> referring to the red and green interfaces themselves. they are talking 
> about a program called "snort", which can be told to watch traffic 
> coming from the red and/or green interfaces. the fact that they both 
> say "stopped" means that snort isn't running.
>
> ipcop by itself is a "stateful inspection firewall". a big part of its 
> security comes from the fact that it does NAT, and therefore there is 
> no way for an outside machine to directly access an inside machine 
> unless you have configured a rule under "external access" to allow 
> those packets into the machine, and a rule under "port forwardings" to 
> direct them to the internal machine where you want them to go. this by 
> itself will block almost every type of attack there is.
>
> snort is an "intrusion detection system", or "IDS", which comes with 
> ipcop, but is not turned on by default. it adds another layer of 
> protection by watching the incoming packets for certain patterns: 
> packets which, by themselves, would be ignored by ipcop, but as a 
> pattern would indicate some other kind of attack. for example, if 
> somebody does a "port scan" on your IP address (i.e. they try to 
> connect to port 1, then port 2, then port 3, and so forth) ipcop alone 
> would either drop or reject those connections, but it wouldn't 
> recognize the overall pattern, because it looks at each packet 
> individually. snort watches the overall stream of packets to find 
> patterns like this, and it would recognize it as a port scan: 
> something which cannot be seen from any one packet, but which is 
> apparent when you look at the entire set of packets.
>
> again, snort is NOT enabled by default, because not everybody wants to 
> use it, and because not every machine has enough memory to use it. it 
> needs at least 128MB by itself, on top of the 128MB which are needed 
> by the linux kernel and iptables, the DHCP server, DNS caching server, 
> apache (to drive the web interface), and other things which ipcop does 
> run by default.
>
>
> ----------------------------------------------------------------
> | John M. Simpson --- KG4ZOW --- Programmer At Large |
> | http://www.jms1.net/ <jms1 at jms1.net> |
> ----------------------------------------------------------------
> | http://video.google.com/videoplay?docid=-1656880303867390173 |
> ----------------------------------------------------------------
>
>

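The two ideas John describes above (a stateful firewall admitting inbound packets only for connections opened from inside, and an IDS spotting a port scan that no single packet reveals) as a toy model in Python. This is an added illustration, not IPCop's, iptables' or Snort's code; the packet tuples, hosts and the threshold of 10 distinct ports are constructed for the example.

```python
from collections import defaultdict

# Constructed toy packets: (src, dst, port, direction); "out" means inside -> outside.
# Simplified model of the two ideas in the thread, not IPCop's or Snort's own code.

class StatefulFilter:
    """Allow inbound packets only when they answer a connection opened from inside."""
    def __init__(self):
        self.established = set()  # (inside_host, outside_host, port)

    def handle(self, pkt):
        src, dst, port, direction = pkt
        if direction == "out":
            self.established.add((src, dst, port))  # remember the outgoing connection
            return "ALLOW"
        # inbound: allowed only if it matches a live connection (dst is the inside host)
        return "ALLOW" if (dst, src, port) in self.established else "DROP"

    def close(self, inside, outside, port):
        self.established.discard((inside, outside, port))  # socket closed: forget state


class PortScanDetector:
    """Flag a source touching many distinct ports: a pattern no single packet reveals."""
    def __init__(self, threshold=10):
        self.threshold = threshold
        self.ports_seen = defaultdict(set)

    def observe(self, pkt):
        src, dst, port, direction = pkt
        if direction == "in":
            self.ports_seen[src].add(port)
        return len(self.ports_seen[src]) >= self.threshold


def run_scenario():
    fw, ids = StatefulFilter(), PortScanDetector(threshold=10)
    # 1. inside host opens a connection; the outside host's reply is allowed
    fw.handle(("10.0.0.5", "203.0.113.7", 20, "out"))
    reply = fw.handle(("203.0.113.7", "10.0.0.5", 20, "in"))
    # 2. after the inside host closes the socket, the same reply is dropped
    fw.close("10.0.0.5", "203.0.113.7", 20)
    after_close = fw.handle(("203.0.113.7", "10.0.0.5", 20, "in"))
    # 3. unsolicited probes on ports 1..12: each is dropped alone, but the IDS sees the scan
    verdicts, flagged = [], False
    for p in range(1, 13):
        pkt = ("198.51.100.9", "10.0.0.5", p, "in")
        verdicts.append(fw.handle(pkt))
        flagged = ids.observe(pkt) or flagged
    return reply, after_close, set(verdicts), flagged
```

The firewall alone returns DROP for every probe and never learns it was scanned; only the detector, which keeps state across packets, reports the scan.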



