
Thread: Knoppix Firewall

  1. #1
    Senior Member registered user
    Join Date
    May 2006
    Location
    Columbia, Maryland USA
    Posts
    1,631

    Knoppix Firewall

    In my copy of Knoppix 6.4.3, there is a menu choice under 'Preferences'
    called 'Knoppix Firewall'. It doesn't do anything.

    If my setup is like everyone elses, I can't imagine why there isn't
    some ongoing discussion about this state of affairs.

    I can't imagine that if nmap reports 'All 1000 scanned ports
    on (my routers address) are closed', that that is the end of it.
    Doesn't that leave 64,535 questions unanswered?

    Can anyone orient me to some sense of reality here?
    Is there no security concern beyond an nmap 1000 port test
    for a machine running Knoppix?

  2. #2
    Senior Member registered user
    Join Date
    May 2006
    Location
    Columbia, Maryland USA
    Posts
    1,631
    Here's an interesting answer from a Debian forum:

    http://wiki.debian.org/iptables

  3. #3

    same here...

    having the same question, I note this:

    http://www.debian.org/doc/manuals/se...firewall-setup

    section 5.14.3

    My Knoppix 6.4.4 ends up with a message "see Knoppix menu to create persistent image" when I attempt to save firewall settings, I assume, implying there is not a persistent image.

    Seeing no menu item for doing that, I assume it's crippleware.

    "Doesn't that leave 64,535 questions unanswered?"

    LOVE IT. computer humour!! and 64,535 hackers...

  4. #4
    interesting: - see if firewall running

    http://wiki.linuxquestions.org/wiki/FireWall

  5. #5
    Senior Member
    Join Date
    Jan 2011
    Posts
    242
    Quote Originally Posted by daveca View Post
    My Knoppix 6.4.4 ends up with a message "see Knoppix menu to create persistent image" when I attempt to save firewall settings, I assume, implying there is not a persistent image.
    Hi Daveca,

    Are you running a LiveCD or a LiveUSB? Unfortunately with Knoppix 6 you cannot have persistent store with the LiveCD. Why is not known. You could with Knoppix 5. Wiki pages and quite possibly Knoppix scripts from the Knoppix 5 era have not all been updated. The Knoppix firewall script may indeed suggest you use the Knoppix menu to create a persistent image but there is no such menu item. You can create persistent store for a LiveUSB installation during boot.

    Quote Originally Posted by daveca View Post
    Seeing no menu item for doing that, I assume its crippleware.
    I suspect many people thought the same and left years ago.

    Quote Originally Posted by utu View Post
    In my copy of Knoppix 6.4.3, there is a menu choice under 'Preferences'
    called 'Knoppix Firewall'. It doesn't do anything.

    I suspect there is a misunderstanding of the need for a firewall here.

    In the bad old days of dial-up modems, your PC was connected directly to the Internet in the sense that the bad guys out there could probe your IP address to see if they could get in. You needed a firewall to keep them out. In many homes a Windows PC is connected directly to broadband with other PCs in the house connecting through the first. The first needs a firewall, the others don't.

    When I ran Windows and Windows firewall software I had a trusted zone - inside the house - and an untrusted zone - outside the house. I had a broadband router and it had all the firewall I needed but I still amused myself with the firewall software discovering just how many Windows applications needed to access the Internet without my knowledge or consent while I wasn't even using them.

    If you have a broadband router, it has a firewall, most probably iptables based. Unless you've been playing around with it, your broadband router's firewall will have only two rules:

    1. allow any connection from inside out
    2. deny all connections from outside in

    Inside, on your LAN, you don't need any more firewall unless you are insanely paranoid.

    If you want to offer web services on a PC at home or access your PCs from work or college, upload digital photo next time you visit your gran or even just set MythTV to record from your mobile/handy/cell/blackberry/fondleslab/whatever, you would need to open your BBR firewall to allow connections from outside in.

    I've never done this but AFAIK you might then need firewalls on every PC to ensure the incoming connections only go to the right PC or you might set up a DMZ and a proxy server of your very own or you might prefer to set up your own VPN or you might be able to do everything by just configuring your BBR correctly.

    From the nature of your questions, I suspect you don't. I would not expect people who need to do this to use Knoppix except perhaps to try things out before doing it for real as servers need high availability and Live distributions don't really qualify.

    If anyone knows different, please put me right on this.
    Last edited by Forester; 03-24-2011 at 06:06 PM.
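The two-rule broadband-router policy described in the post above, written out as an iptables ruleset. This is an added example for the thread, not Knoppix's /usr/sbin/firewall script and not any vendor's actual router configuration; the interface names eth0 (WAN) and eth1 (LAN) are assumptions. The detail the two-line summary hides is that "deny all connections from outside in" has to be stateful: replies to sessions opened from inside must be let back in, or rule 1 would send requests out and every answer would be dropped on the way back.

```shell
#!/bin/sh
# Added example: the home-router policy "allow inside out, deny outside in"
# as an iptables ruleset. Not the Knoppix /usr/sbin/firewall script and not
# any vendor's router config. Interface names are assumptions:
WAN=${WAN:-eth0}   # side facing the ISP
LAN=${LAN:-eth1}   # side facing the house

ruleset() {
    # Emit the policy in iptables-save format. Lines starting with '#' are
    # ignored by iptables-restore, so the comments can stay in the loaded file.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Stateful half of "deny outside in": packets belonging to a session that was
# opened from inside are let back in. Without these two lines rule 1 would
# let requests out and every reply would die at the WAN side.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Rule 1: any new connection from the LAN may go out.
-A FORWARD -i $LAN -o $WAN -j ACCEPT
# The router itself stays reachable from the LAN (admin UI, DNS, DHCP),
# but not from the WAN.
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN -j ACCEPT
# Rule 2: no new connection from the WAN, neither to the router nor through
# it. The chain policies already say DROP; stating it keeps the intent
# visible in 'iptables -S' and counts the dropped packets separately.
-A INPUT -i $WAN -j DROP
-A FORWARD -i $WAN -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Private LAN addresses are rewritten to the router's WAN address on the way
# out; the reverse translation for replies rides on the same conntrack state.
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
EOF
}

apply() {
    # Load the whole ruleset atomically. Needs root and iptables on the box
    # acting as the router; a plain LAN client behind it does not need this.
    ruleset | iptables-restore
}

show_active() {
    # Quick "is any firewall loaded here" check for the local machine: with
    # no rules and ACCEPT policies on every chain, nothing is being filtered.
    iptables -S
}

case "${1:-show}" in
    apply)  apply ;;
    active) show_active ;;
    *)      ruleset ;;
esac
```

Run with no argument to print the ruleset and read it; `apply` loads it (root only, on the machine doing the routing); `active` lists whatever is currently loaded, which is the quickest way to see whether a firewall is running on a Knoppix box at all.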

  6. #6
    Senior Member registered user
    Join Date
    May 2006
    Location
    Columbia, Maryland USA
    Posts
    1,631
    Quote Originally Posted by Forester View Post
    If you want to ... upload digital photo next time you visit your gran... you would need to open your BBR firewall to allow connections from outside in.
    Could you expand on this?

  7. #7
    Senior Member registered user
    Join Date
    May 2006
    Location
    Columbia, Maryland USA
    Posts
    1,631
    @ Forester:

    Even more specifically:

    Here's what I find using nmap.
    I'm presuming all is well, but I don't know.

    knoppix@Microknoppix:~$ sudo nmap 192.168.1.1 (My Verizon Router)

    Starting Nmap 5.00 ( http://nmap.org ) at 2011-03-24 13:48 UTC
    Interesting ports on 192.168.1.1:
    Not shown: 993 closed ports
    PORT STATE SERVICE
    23/tcp open telnet
    80/tcp open http
    443/tcp open https
    992/tcp open telnets
    4567/tcp open unknown
    8080/tcp open http-proxy
    8443/tcp open https-alt
    MAC Address: 00:18:01:A5:61:5E (Actiontec Electronics)

    Nmap done: 1 IP address (1 host up) scanned in 1.95 seconds



    knoppix@Microknoppix:~$ sudo nmap 192.168.1.2 (My Laptop)

    Starting Nmap 5.00 ( http://nmap.org ) at 2011-03-24 13:48 UTC
    All 1000 scanned ports on 192.168.1.2 are closed

    Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
    knoppix@Microknoppix:~$

    *******************

    Questions that remain:
    1. How do I know if my router has a firewall?
    2. What about Laptop ports above 1000?
    3. Why would KK leave in a menu choice that does not work?

  8. #8
    Senior Member
    Join Date
    Jan 2011
    Posts
    242
    I'm not an expert. You might learn more from reading the nmap man page.

    Ports 1-1000 are special. On your laptop, none are open so that's what you get. I've port 22 open for ssh, so my report is that 999 ports are closed.

    If a port is open there is a daemon listening on that port for connections. The port number, as a rule, tells you which daemon is listening and what protocol it speaks. These tell the bad guys something about what kind of vulnerabilities there might be to exploit. Especially if they use the -A option. Good security says don't leave open ports you don't need open. When I run nmap against localhost I find 631 ipp and 3306 mysql ports are also open. The second is needed for database access but since the port is only open on the localhost interface, only clients running under Knoppix on my laptop can access the database. No other PC on my LAN can see the Knoppix database. No need to open things more than necessary.

    When you scan your router from inside you see the ports open to the inside. That's not the same as the ports open on the outside. I do not know the significance of the ports your router has open. Mine offers 80 (http) and 1863, 1864, 4443, 5190 and 5566 which I think are all Instant Messaging ports. I think my router will act as a proxy for these. Does that happen in practice? I don't know. It's a long time since I used Instant Messaging from home.

    The 80 (http) port is so that you can log on to your router and change its configuration. The same should be true for your network printer (if you've got one) and your NAS too. You didn't know about logging on to your router? Perhaps Verizon assumed as a cable customer you must be a Windows user and so did what was in your best interest. My router's mine. I bought it. So if I enter:

    Code:
    http://192.168.1.1
    in my browser's address bar and enable scripts for that IP address I get me a log in screen on my router.

    Once in, I can go to firewall rules and, in English (more or less) it says allow all outbound services and no inbound services. Like I said, the default iptables rules.

    I've a couple of extra rules stopping outbound services: MS Windows can't extend my samba network across the universe and my network printer can discover Internet printers. That last is perhaps a bit cruel but never mind.

    I've never changed the defaults so my router does not respond to pings from the Internet, has port scan and DOS protection enabled. It is not so much "no one at home" as "no such address" as far as the bad guys can tell. I've no DMZ or VPN though my router supports such things.

    I read some years ago to make sure UPnP is disabled and it is. You got (going to get) one of these Home Media Networks ? That will use UPnP and you won't have control. Scary or handy, depending on your point of view
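The point made above about 3306 being open only on the localhost interface, together with utu's question 2 about ports above 1000, as an added shell example (not from the thread, not part of Knoppix). It reads the listening-socket table from `netstat -ltn` or `ss -ltn` (in both the fourth column is the local address:port) and separates loopback-only binds, which only processes on the same machine can reach, from binds that answer the network. A constructed sample table is embedded so it runs offline; the `live` argument reads the real one. One fact worth having next to it: nmap's default scan is the 1000 most commonly used ports, not ports 1-1000, and `-p-` scans all 65535.

```shell
#!/bin/sh
# Added example (not from the thread or Knoppix): tell loopback-only
# listeners from ones reachable by other hosts, using the listening-socket
# table from netstat -ltn or ss -ltn. In both tools the 4th column is the
# local address:port, which is all this script reads.

# Constructed sample in netstat -ltn layout: sshd on every interface,
# MySQL and CUPS (ipp) bound to loopback only. Not captured from a real host.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN'

classify_listeners() {
    # stdin: netstat -ltn or ss -ltn output. stdout: "<scope> <addr:port>".
    # Loopback binds (127.x.x.x, ::1 or [::1]) can only be reached by
    # processes on this host; anything else (0.0.0.0, ::, a LAN address)
    # answers connections from the network. Header lines have no :port in
    # column 4 and are skipped.
    awk '$4 ~ /:[0-9]+$/ {
        addr = $4
        if (addr ~ /^127\./ || addr ~ /^\[?::1\]?:[0-9]+$/) {
            print "local-only", addr
        } else {
            print "reachable", addr
        }
    }'
}

reachable_ports() {
    # Distinct TCP ports other machines can connect to, one per line. This
    # is the list a scan from a second host on the LAN should agree with.
    classify_listeners | awk '$1 == "reachable" { n = split($2, a, ":"); print a[n] }' | sort -un
}

scan_all_ports() {
    # Run from another machine on the LAN against this one. nmap's default
    # covers the 1000 most common ports; -p- scans every port 1-65535, so a
    # daemon sitting above 1000 cannot hide from it.
    nmap -sT -p- "$1"
}

# Offline demo on the sample; 'live' reads this machine's real socket table.
if [ "${1:-}" = live ]; then
    { netstat -ltn 2>/dev/null || ss -ltn; } | classify_listeners
else
    printf '%s\n' "$SAMPLE_NETSTAT" | classify_listeners
fi
```

On the sample the script reports 22 as the only port another host can reach, and 3306 and 631 as local-only; that is exactly the distinction between "open when I scan localhost" and "open to the rest of the LAN", and `reachable_ports` gives the list to compare against `scan_all_ports` run from a second machine.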

  9. #9
    Forester, I'm using 6.4.4 on a 4 Gb flash drive with 2Gig user space. Firewall still won't save persistent data (if I'm phrasing that correctly). "Why is not known" because it can't write back to a CD?? It can write to flash or HDD. Wonder if there are functions that magically work in 6.x.x in a HDD installation?? Someone commented that 5.3.1 had much more capabilities???

  10. #10
    Senior Member
    Join Date
    Jan 2011
    Posts
    242
    Quote Originally Posted by Forester View Post
    Wiki pages and quite possibly Knoppix scripts from the Knoppix 5 era have not all been updated.
    Yup. This script (/usr/sbin/firewall) has a copyright date of 2004 and still thinks /KNOPPIX.IMG is the name of the persistent store.

    Report it as a bug to KK and/or fix it yourself.
