DA-Kiss - DirectAdmin specific firewall based on Kiss v2.0

ProHS said:
Yeah, the KISS firewall will not work in FreeBSD because there is no /etc/rc.d/rc.local dir

It's supposed to be a file, and that wouldn't really affect it anyway... adding it in there simply gets it to start upon reboot (with Red Hat anyway).

Chris
 
Kiss and APF are iptables-based firewalls. FreeBSD uses something called IPfirewall, so the rules syntax would be different. That would mean you can't really use them on FreeBSD.
 
Yeah, I tried it; I noticed they were calling for different file paths and that it has to be written differently. Do any of you know of a FreeBSD firewall?
 
For the redhat 9 problems:

chmod 755 /usr/bin/kiss
kiss start

Runs as expected :)

Chris
 
So how exactly does this block_list variable work?

If I want to block a certain IP, do I just add the IP to the block list? Or do I need to add a subnet mask as well?

And how about if I want to block more IPs, do I just add them there as well?
 
You can use it any way you specify IPs in other areas.

Multiple IP addresses (usually subnets)

Do not use the first example below (0.0.0.0/0)
BLOCK_LIST="0.0.0.0/0"

or you can use it with multiple IP addresses individually

BLOCK_LIST="0.0.0.0 1.1.1.1 2.2.2.2"

or just 1 single IP:

BLOCK_LIST="0.0.0.0"

Chris
 
ProWebUK said:
For the redhat 9 problems:

chmod 755 /usr/bin/kiss
kiss start

Runs as expected :)

Chris

Hate to say it but I still get the "bad interpreter message" on my RH9 system. I checked and iptables is installed, nothing in the config file.

Any other ideas?
 
What ownership does the kiss file have? Have you tried running

/usr/bin/kiss start (rather than just kiss start)

Chris
 
Ownership was root. I say was because I finally uninstalled the "DA" version and installed the version direct from the KISS site and it worked fine.
 
The only difference between the one from the official page and this... is that a few variables are changed (ports added, and unwanted ports removed) - besides that the script is unchanged - you could just use the original and copy the ports list from this script over... that should work fine, if it doesn't then... I'm unsure!

Chris
 
I'd recommend everyone on RH9 getting regular KISS, and use

BLOCK_LIST=""
TCP_IN="21 25 53 80 110 143 443 2222"
TCP_OUT="21 22 25 37 43 53 80 443"
UDP_IN="53"
UDP_OUT="53"
TCP_IN_TRUSTED="22"
TRUSTED_IPS="0.0.0.0/0"
SERVER_IPS="0.0.0.0/0"

as config for ports.

The one listed kept giving me permission and "can't interpret" errors as well.
 
ProHS said:
Yeah, I tried it; I noticed they were calling for different file paths and that it has to be written differently. Do any of you know of a FreeBSD firewall?

There are 2 kernel-level firewalls built into FBSD, IPfilter and ipfw. They are well covered in the handbook, but if you want I will post a How-To in a separate FBSD thread? I use ipfw more than I use IPfilter so it would be ipfw.

Basic rundown is you comment out the lines in the kernel for the firewall

Edit your /etc/rc.conf and turn on the firewall

Edit the /etc/rc.firewall and edit the rules.

That makes it seem easy but there is a TON more than that. Let me know, I will write a How-To...
 
New release available - fix for previous DNS problem with earthlink DNS servers.

Link is available from the main post.

Chris
 
Chris,

Not to mess up your thread, but what turned out to be the problem with KISS? Just interested to know what he found...
 
I have not actually contacted the author as of yet. What has been said in the EV1 thread appears correct; I have seen numerous systems running KISS with those lines commented that have problems with Earthlink's DNS servers.

He has given valid reasons why you should keep them commented, however, as much as those comments may be valid, it *does* affect some DNS servers, which in my opinion shouldn't happen, and therefore that is my reasoning behind uncommenting the lines in the release I am offering.

I'm sure having the lines uncommented will provide advantages rather than disadvantages for KISS users here and on EV1; since it's not my script nor do I have any contact with the author, I believe it's his responsibility to update or leave the script as it is.

All servers I am currently working on have the lines uncommented to fix the problem, all servers I work on in the future will have the lines uncommented and of course, all releases of the software I provide from here on in will have the lines uncommented :)

The *actual* problem is that Earthlink's DNS servers appear to use port 53 as a source port for DNS... in-depth details on the EV1 link :)

Chris
 
Hi,

Anyone know why KISS is blocking pings from all IPs except for the main IP? And how I can fix that? Thanks
:cool:
 
So where do I go to fix this? Can't seem to find it in pico..

##############################################################################
# Allow pinging of this server's MAIN_IP by trusted IPs only.
#
for trusted_ips in $TRUSTED_IPS; do
$IPTABLES -A INPUT -s $trusted_ips -d $MAIN_IP -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
done

Thanks for your help.
 
Replace:

Code:
for trusted_ips in $TRUSTED_IPS; do
$IPTABLES -A INPUT -s $trusted_ips -d $MAIN_IP -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
done

with:

Code:
# comment out the previous setup if you want it in the future
#for trusted_ips in $TRUSTED_IPS; do
#$IPTABLES -A INPUT -s $trusted_ips -d $MAIN_IP -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
#done

# allow anyone to ping this system
$IPTABLES -A INPUT -d $MAIN_IP -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT

Chris
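The BLOCK_LIST explanation earlier in the thread and the ping rule replacement above both boil down to turning a few shell variables into iptables commands. The following dry-run generator is an added example, not code from the KISS script or from anyone in this thread: it validates BLOCK_LIST entries (refusing the 0.0.0.0/0 lockout case the thread warns about) and emits either the trusted-only or the open ping rule. The function names, the "echo iptables" dry-run trick and the sample addresses are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the KISS script or this thread: a dry-run generator
# showing how KISS-style BLOCK_LIST, TRUSTED_IPS and MAIN_IP settings become
# iptables commands. IPTABLES defaults to "echo iptables" so nothing is applied;
# export IPTABLES=/sbin/iptables to run the rules for real.
IPTABLES="${IPTABLES:-echo iptables}"

# Accept a dotted-quad IPv4 address with optional /prefix; reject octets > 255
# and prefixes > 32. Returns 0 when valid.
valid_ip_or_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    addr="${1%/*}"; prefix="${1#*/}"; [ "$prefix" = "$1" ] && prefix=32
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
    return 0
}

# Emit one DROP rule per entry of the space-separated list in $1.
# 0.0.0.0/0 is refused up front: it matches every source and would cut off
# all inbound traffic, which is why the thread warns against it.
block_rules() {
    for ip in $1; do
        if [ "$ip" = "0.0.0.0/0" ]; then
            echo "refusing BLOCK_LIST entry $ip: it matches every address" >&2; return 1
        fi
        valid_ip_or_cidr "$ip" || { echo "bad BLOCK_LIST entry: $ip" >&2; return 1; }
        $IPTABLES -A INPUT -s "$ip" -j DROP
    done
}

# Ping policy for MAIN_IP ($2): "trusted" allows echo-request only from the
# addresses in $3 (the original KISS loop); "open" allows it from anyone (the
# replacement posted above). echo-request is what KISS spells as "ping".
ping_rules() {
    case "$1" in
        trusted) for t in $3; do
                     $IPTABLES -A INPUT -s "$t" -d "$2" -i eth0 -m state --state NEW \
                         -p icmp --icmp-type echo-request -j ACCEPT
                 done ;;
        open)    $IPTABLES -A INPUT -d "$2" -i eth0 -m state --state NEW \
                     -p icmp --icmp-type echo-request -j ACCEPT ;;
        *)       echo "unknown ping mode: $1" >&2; return 1 ;;
    esac
}

# Constructed sample settings (not real hosts) for a dry run.
block_rules "203.0.113.5 198.51.100.0/24"
ping_rules trusted 192.0.2.10 "203.0.113.0/24 198.51.100.7"
ping_rules open 192.0.2.10
```

Running it as-is only prints the commands, so you can review the exact rules before pointing IPTABLES at the real binary.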
 