SourceFiles.org - Use the Source, Luke

IsinGlass README

$Revision: 1.13 $
tummy.com, ltd.
Copyright (c) 1998 Sean Reifschneider, tummy.com, ltd. All rights reserved.

IsinGlass Home Page: http://www.tummy.com/isinglass/
IsinGlass FTP: ftp.tummy.com:/pub/tummy/isinglass/

INTRODUCTION

WARNING: IsinGlass can (and is intended to) make certain parts of your computer inaccessible via the network. Installing IsinGlass over the network on a machine hundreds or thousands of miles away may be a Bad Idea (tm): if the new rules cut off the connection you are using, you will need someone at the console to recover.

IsinGlass is a script meant to make the average user's machine more secure while it is connected to the Internet, for example when dialing up through a local ISP. The problem is that the average computer is running background processes (daemons) that the average user doesn't even know are running, and many of these have had remotely exploitable bugs that let another user on the Internet gain access to the machine.

This script was developed for Linux and requires kernel support for firewalling. Additionally, the "ipfwadm" program must be installed. For RedHat Linux, the standard kernels have firewall support and "ipfwadm" is available as an RPM. Note that 2.1 and later kernels use ipchains instead of ipfwadm (see the contributors list below).

ADVANTAGES

      Secure default setup -- no configuration needed for most users.
      Easily configured when you need to.
      Automatically detects LAN/WAN network interfaces.
      LANs are allowed full access while PPP lines are secured.
      LANs bridged/routed to the Internet are secured.
      Default setup protects against bad/no passwords and insecure X by not letting those services be reached from the WAN.
      Written in shell script, no non-standard interpreters needed.
      Connection attempts blocked by IsinGlass are logged via syslog (/var/log/messages).

GETTING STARTED

You can try it out right away by running "isinglass -c isinglass.cfg".

By default, the only things IsinGlass lets in are IDENT and Postgres (Postgres because many hosts won't be running it, and those that do are likely not listening on a TCP socket). If you PROVIDE (meaning you run a server that other people connect to) telnet, NNTP, HTTP/Web, etc., or wish to allow finger or talk requests, you will need to modify the "isinglass.cfg" script.

The configuration script is documented internally. Basically, you allow a service by uncommenting its line, for example:

DNS=yes

Then you must re-run the "isinglass" script to make the changes take effect.

IsinGlass automatically detects LAN and dial-up network interfaces. LAN interfaces allow any traffic FROM THAT LAN ONLY, while WAN (dial-ups) allow only a very restricted sub-set.

If your machine is on a LAN that's bridged/routed to a WAN (like the Internet), you will need to configure it manually at this point. Change the InternalNet/ExternalNet settings from "auto" so that InternalNet is your local IP network address with its prefix length (subnet bits), and ExternalNet is the same. For example, if your IP address is 1.2.3.4 with a subnet mask of 255.255.255.0 (a 24-bit prefix):

InternalNet=1.2.3.4/24
ExternalNet=1.2.3.4/24

NOTE: You will have to re-run IsinGlass every time a new network interface is brought up (every time you re-dial your ISP), because the rules are built around the addresses the interfaces have at that moment. The only exception is if you have a static IP for every interface.

INSTALLATION

Installation of IsinGlass involves copying the script and configuration files to the appropriate directories, and arranging for the script to run automatically at the appropriate times. To install the files, assuming you want the script in "/usr/local/sbin", use:

cp isinglass.conf isinglass.user /etc
chown root:root /etc/isinglass.conf /etc/isinglass.user
chmod 600 /etc/isinglass.conf
chmod 700 /etc/isinglass.user
cp isinglass /usr/local/sbin
chown root:root /usr/local/sbin/isinglass
chmod 750 /usr/local/sbin/isinglass

Now, to start IsinGlass automatically, add a line to the end of "/etc/ppp/ip-up" and "/etc/rc.d/rc.local" (or wherever your distribution keeps those files) reading:

/usr/local/sbin/isinglass

(again, assuming you installed the script in "/usr/local/sbin").

SWITCHES

"isinglass" takes the following command-line switches:

   -c <cfg file>     Specify alternate config file.
   -d                Debug mode, ALL packets logged to syslog.
   -f                Remove (flush) firewall.
   -n                Show what actions would have been taken (no-exec).
   -v                Display version and exit.
   -h                Show this help message and exit.

The "-d" switch is useful for determining why certain packets are being denied. Note that this can generate a huge amount of data in your "/var/log/messages" file.

"-f" flushes the firewall rules and so turns IsinGlass off completely, leaving the machine as exposed as it was before IsinGlass was run.

"-n" is no-exec mode. Instead of installing the firewall, IsinGlass shows you the rules it would have installed.
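To make the GETTING STARTED flow and the "-n" no-exec output concrete, here is an added example of a shell script that does what such a tool has to do: read a "KEY=yes" config, treat ppp* interfaces as WAN and everything else as LAN, and print the ipfwadm(8) commands instead of running them. It is not IsinGlass's own code and does not reproduce its exact rule set. The interface list is constructed in place of real interface detection, the config keys other than DNS=yes and InternalNet are assumed, IDENT is the only service left open unconditionally (Postgres is treated as a configurable key), and the ipfwadm switches used (-I input rules, -p default policy, -a append, -f flush, -W interface, -P protocol, -k ACK-only, -o log) are as documented in ipfwadm(8).

```shell
#!/bin/sh
# Added example, not IsinGlass code: build an ipfwadm(8) rule set from a
# "KEY=yes" config in the style of isinglass.cfg and print the commands
# instead of running them, the way "isinglass -n" shows what it would install.

# Constructed sample config. Only an uncommented KEY=yes line enables a service.
SAMPLE_CFG='
# Services this host PROVIDES to the WAN:
DNS=yes
HTTP=yes
#TELNET=yes
InternalNet=auto
'

# Constructed interface list (hypothetical, standing in for interface
# detection): name:address/prefix. ppp* is treated as WAN, the rest as LAN.
SAMPLE_IFACES="eth0:192.168.1.5/24 ppp0:10.0.0.7/32"

cfg_enabled() { printf '%s\n' "$1" | grep -q "^$2=yes\$"; }        # $1 cfg text, $2 key
cfg_value()   { printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1; }

# Well-known TCP ports for the services the README names.
service_port() {
    case "$1" in
        IDENT) echo 113 ;;  DNS) echo 53 ;;   HTTP) echo 80 ;;  NNTP) echo 119 ;;
        TELNET) echo 23 ;;  FINGER) echo 79 ;; POSTGRES) echo 5432 ;;
        *) return 1 ;;
    esac
}

# Clear the host bits of address/prefix: 192.168.1.5/24 -> 192.168.1.0/24.
network_of() {
    echo "$1" | awk -F'[./]' '{
        ip = $1 * 16777216 + $2 * 65536 + $3 * 256 + $4; host = 32 - $5
        for (i = 0; i < host; i++) ip = int(ip / 2)
        for (i = 0; i < host; i++) ip = ip * 2
        printf "%d.%d.%d.%d/%d\n", int(ip / 16777216) % 256, int(ip / 65536) % 256,
                                   int(ip / 256) % 256, ip % 256, $5
    }'
}

# Print the ipfwadm commands for one config text and one interface list.
build_rules() {
    cfg=$1; ifaces=$2
    echo "ipfwadm -I -f"                 # flush the input rules
    echo "ipfwadm -I -p deny"            # default policy: drop what nothing below accepts
    echo "ipfwadm -I -a accept -W lo -S 0.0.0.0/0 -D 0.0.0.0/0"
    for entry in $ifaces; do
        name=${entry%%:*}; addr=${entry#*:}; host=${addr%/*}
        case "$name" in
        ppp*)
            # WAN. ipfwadm is stateless, so "established" TCP is approximated by
            # accepting only segments with ACK set (-k); a new inbound connection
            # starts with a bare SYN, which this rule never matches.
            echo "ipfwadm -I -a accept -P tcp -k -W $name -S 0.0.0.0/0 -D $host"
            # Replies to this host's own DNS lookups. UDP has no ACK trick and any
            # remote host can send from source port 53, so the rule is confined to
            # unprivileged destination ports; it is still the weakest rule here.
            echo "ipfwadm -I -a accept -P udp -W $name -S 0.0.0.0/0 53 -D $host 1024:65535"
            echo "ipfwadm -I -a accept -P icmp -W $name -S 0.0.0.0/0 -D $host"
            # IDENT is always open, as in the README's default; the others only
            # when the config says this host PROVIDES them.
            for svc in IDENT DNS HTTP NNTP TELNET FINGER POSTGRES; do
                if [ "$svc" = IDENT ] || cfg_enabled "$cfg" "$svc"; then
                    echo "ipfwadm -I -a accept -P tcp -W $name -S 0.0.0.0/0 -D $host $(service_port "$svc")"
                    if [ "$svc" = DNS ]; then
                        echo "ipfwadm -I -a accept -P udp -W $name -S 0.0.0.0/0 -D $host 53"
                    fi
                fi
            done
            # Anything else arriving on the WAN is denied and logged (-o), which is
            # what puts blocked attempts into syslog.
            echo "ipfwadm -I -a deny -W $name -S 0.0.0.0/0 -D 0.0.0.0/0 -o"
            ;;
        *)
            # LAN: full access, but only from that LAN's own network. A manual
            # InternalNet=1.2.3.4/24 in the config overrides the auto-detected one.
            net=$(cfg_value "$cfg" InternalNet)
            if [ -z "$net" ] || [ "$net" = auto ]; then net=$addr; fi
            echo "ipfwadm -I -a accept -W $name -S $(network_of "$net") -D 0.0.0.0/0"
            ;;
        esac
    done
}

rule_count() { build_rules "$1" "$2" | wc -l | tr -d ' '; }

build_rules "$SAMPLE_CFG" "$SAMPLE_IFACES"
```

Run as is, it only prints the rules; piping the output to sh as root on a 2.0 kernel with ipfwadm would install them. Two things are worth noticing in the WAN half. Inbound TCP is accepted only with the ACK bit set, which is the closest a stateless filter like ipfwadm gets to "established". The UDP reply rule is the weak spot, since nothing stops a remote host from sending from source port 53; that is the kind of hole a stateless packet filter cannot close, which is why the catch-all deny at the end logs what it drops.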

See the associated LICENSE file or http://www.tummy.com/isinglass/License.html for the full License.

The contents of this file are subject to the Mozilla Public License Version 1.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.mozilla.org/MPL/

Software distributed under the License is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License for the specific language governing rights and limitations under the License.

The Original Code is isinglass, released June 28, 1998. The Initial Developer of the Original Code is tummy.com, ltd. Portions created by tummy.com, ltd. are Copyright (C) 1998 tummy.com, ltd. All Rights Reserved.

Contributor(s):

                Rob Riggs (Pointed out bug in rule ordering)
                Kevin Fenzi (Warning that 2.1 and above kernels use ipchains)

