Full Version: HOWTO: KISS My Firewall 2.0!
The Planet Forums > Security > General Security
Steve

Brief Summary

KISS My Firewall is a FREE iptables script designed for a typical web server. It takes advantage of the latest firewall technologies including stateful packet inspection and connection tracking. It also contains some preventative measures for port scanning, DoS attacks, and IP spoofing, among other things.

KISS My Firewall 2 is very easy to install and does not require any initial configuration. It will work with any stock installation of Ensim WEBppliance Basic & Pro, Plesk, and Webmin. Cpanel installations require some modifications.



HOW TO: Install KISS My Firewall

When logged in as root ( "su -" ), type:

cd /usr/bin
wget http://www.geocities.com/steve93138/kiss-2.0.1.tar.gz
tar zxvf kiss-2.0.1.tar.gz


That's it! To get it running anywhere on the command line, you simply type:

kiss start

To stop the firewall, type:

kiss stop

To get status information, type:

kiss status

If you want to block an offender's IP address/subnet, simply edit the BLOCK_LIST variable in the /usr/bin/kiss file. You can separate IP addresses and subnets with a space. Once you are finished, simply restart KISS by typing:

kiss restart

Last, but not least, it is recommended that you configure the firewall to allow only for needed ports. Using trusted IP addresses/subnets is also recommended. These variables are located near the beginning of the /usr/bin/kiss file and are self-explanatory. Once you make changes, you should always restart KISS for the changes to take effect:

kiss restart



What's New in Version 2?

The biggest change is that it does not require any initial configuration. With version 2, you won't automatically lock yourself out of your server unless you set some of the variables incorrectly. It also does extensive error checking and is distributed as a tar file. This solves a lot of the issues that were present with the older version. In addition, version 2 is highly configurable and was tested to work with the latest version of iptables - version 1.2.8.



Let me know if you have any questions or problems.

Happy Firewalling!

Joor
Hello RDATE, here I come!!!!

Thanks Steve, installing in the morning, version 1.4 has done a splendid job but time for 2.0.
netrecruitments
When trying to initialize the new version I am getting the following error:

[root@secure bin]# kiss start
/usr/bin/kiss: ifconfig: command not found
Could not determine MAIN_IP. Firewall script aborted!

Please advise me on how to correct this?
LighthousePoint
You do have ifconfig, right?
netrecruitments
Yep - I've got ifconfig.

I have also got the firewall started. I located where ifconfig was written in and added /sbin/ - saved the file and started the firewall, everything seems to be working now.
LighthousePoint
ah, perhaps you did:

su

instead of:

su -

Without the ' -' you don't have root's paths exported, so you have to reference things by full pathname.
TDI
Can someone tell me what modifications are needed for cpanel/blackorb to update properly.

And do I need to change anything for redhat network?
Steve
QUOTE
Originally posted by TDI
can someone tell me what modifications are needed for cpanel/blackorb to update properly.
I don't use cPanel but I think all you need to do is add "2082:2083 2086:2087 2095:2096" to the TCP_IN variable in the /usr/bin/kiss file. It would look something like this:

TCP_IN="20 21 25 53 80 110 143 443 995 2082:2083 2086:2087 2095:2096 3306"

This would open the needed inbound ports for cPanel (See: http://forums.cpanel.net/showthread.php?s=...&threadid=13834).

I think you also need to add "873" (RSYNC) and "2089" (cPanel License) on the output chain:

TCP_OUT="21 22 25 37 43 53 80 443 873 2089"

Let me know if this works for you.
blueice
Hi,
is there any more configuration to autorun this script at boot time?
TDI
cPanel users:

http://forums.cpanel.net/showthread.php?s=...light=firewalls

I found that - should make getting KISS up and running a bit quicker.

TDI
Ok - I'm having issues with this.

First - here's what I've done to the file. Added ports. Added server IP's, and added a trusted IP. (nothing in block list)

Now, I thought everything was running just fine. Until someone says to me they can't see my site for about a week. (they're in Peru)

Long story short - I shut off KISS and he can see the site immediately after. I start it back up and he can STILL see my site.

But then I get curious - so I ask a friend in Australia to check the site. She can not see it. Again - I shut off KISS and RIGHT AFTER she can hit my site again, no problems....

What do I do?
Steve
TDI,

To be honest, I think the problems you are having are due to the way in which your OS is set up. I run KISS on *many* servers from RedHat 7.3 to RedHat 9, iptables 1.2.5 to 1.2.8 and don't have any issues with it. I have customers from all around the world.

If you have upgraded iptables (which I never recommend) then it may not work 100% with your kernel. If you didn't do that, it may have something to do with certain modules not being installed correctly.

What version of RedHat and iptables are you running?

Also, what do you mean that "they can not connect"? For example, can they connect to port 80 (HTTP) but not connect to their control panel, etc...

Also, it would be helpful if I could see your list of variables.

Thanks,
Steve
TDI
Right right - I never meant for it to sound like a problem with your script.

I'm running linux 7.3 - iptables 1.2.8

What I mean by can not connect is that the user can not see my website - these aren't clients, just users trying to view my site via web browser.

variables (only things I've changed in the KISS file):
# Optional KISS Configuration Variables:
#
BLOCK_LIST=""
TCP_IN="20 21 25 26 37 53 80 110 143 443 873 995 2082 2083 2086 2087 2095 2096 3306 6666 8080 8443 8998 9999 10000"
TCP_OUT="21 25 26 37 43 53 80 443 873 2082 2083 2086 2087 2095 2096 6666 8080 8443 8999 9999 55000"
UDP_IN="53"
UDP_OUT="53"
TCP_IN_TRUSTED="8999"
TRUSTED_IPS="0.0.0.0/0 216.118.116.106"
SERVER_IPS="207.44.194.6 207.44.194.129 207.44.194.130 207.44.194.131"

The trusted IP is for cpanel updates. Wasn't sure if I needed it there so I added it to be safe. Otherwise I just added ports that I require open. I've adjusted ssh to use port 8999 so that's why I changed that in
TCP_IN_TRUSTED="8999"

Any help is greatly appreciated.
Thanks!
TDI
Steve
TDI,

Have you tried adding 113 to TCP_OUT? That might help...

Also want to mention that since you said you are running SSH on port 8999 and since you put your trusted IP in the TRUSTED_IPS variable, you should probably remove the 0.0.0.0/0 from TRUSTED_IPS.

Putting "0.0.0.0/0" into TRUSTED_IPS means that any (all) IP addresses are trusted so no matter what other IP's you put in there, it will have no effect. It was set to "any" by default but should either be replaced by a trusted IP or left as-is.

Hope that helps.
Steve
QUOTE
Originally posted by blueice
Hi,
is there any more configuration to autorun this script at boot time?
Yes, additional work is needed to start the firewall automatically on reboot. Here's how you can do that:

Edit the file /etc/rc.d/rc.local and add the following line to the end of the file:

/usr/bin/kiss start

That should do it.
revolution
not a linux expert, so maybe this isn't a concern:

will adding it to /etc/rc.d/rc.local work if one hasn't modified the script where ifconfig is referenced as root's paths are needed by KISS? are root's paths used when everything in /etc/rc.d/rc.local is run on boot? I don't feel like rebooting to find out =).

... well, i added the /sbin/ in anyways on line 62 i think it was, but i figured if this was an issue some other people might like to know.

thanks.
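Both the "ifconfig: command not found" report earlier in this thread (a plain `su` leaves root's PATH unexported) and the question above about rc.local at boot come down to the same thing: a firewall script should not depend on the caller's PATH. The following is an added example, not code from KISS or from anyone in this thread, showing how to resolve the required tools to absolute paths before touching any rules. The directory list in SYS_PATH is an assumption for a typical Red Hat layout; adjust it to your system.

```shell
#!/bin/sh
# Added example (not part of KISS or of this thread): resolve the tools a
# firewall script depends on to absolute paths, so it behaves the same
# whether started via "su" (no root PATH), "su -", or rc.local at boot.

# Directories where system tools live on a typical Red Hat install.
# This list is an assumption; extend it if your tools live elsewhere.
SYS_PATH="/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin"

# Print the absolute path of command "$1" found in SYS_PATH; fail if absent.
resolve_cmd() {
  oldifs=$IFS; IFS=:
  for dir in $SYS_PATH; do
    if [ -x "$dir/$1" ]; then
      IFS=$oldifs
      printf '%s\n' "$dir/$1"
      return 0
    fi
  done
  IFS=$oldifs
  return 1
}

# Check every tool before changing any rules, and abort with a message
# naming the missing one rather than failing part-way through the ruleset
# (a half-applied firewall is how people lock themselves out).
require_tools() {
  for tool in "$@"; do
    if ! resolve_cmd "$tool" >/dev/null; then
      echo "Required command not found in $SYS_PATH: $tool" >&2
      return 1
    fi
  done
  return 0
}

# Typical use inside a script (tool names as used by KISS):
#   require_tools iptables ifconfig lsmod || exit 1
#   IPTABLES=$(resolve_cmd iptables)
#   IFCONFIG=$(resolve_cmd ifconfig)
# For rc.local, the equivalent is to export the same PATH before the
# "/usr/bin/kiss start" line:  PATH=$SYS_PATH; export PATH
if [ "${1:-}" = "check" ]; then
  require_tools sh ls && echo "all tools found"
fi
```

The hypothetical `check` argument only exists so the file can be run directly; the functions are what a script would source.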
Dave#
Nice update - like it.

I'd like to see a UDP_IN_TRUSTED as well as a TCP_TRUSTED


Great work though
Cornelius
dunno if this is documented anywhere, but i thought i'd post what i found cause it sure cause some grief...

my box has main ip and 1 additional ip... putting the main ip first would cause the main to be recognised, but the additional ip would not show up

on a whim, i swapped the order (extra ip first, main ip second) and everything works..

hope this helps someone out...
mo7al
I downloaded it, and it's working fine except for cPanel things.

i saw this page:

http://forums.cpanel.net/showthread.php?s=...ight=firewalls&

and i understand that i need to open all of these ports,

How can I open them? From where do I have to configure this?
TDI
ssh to your server as your admin account -
then su - to get to root.

cd to the directory where KISS is located.

use: pico -w kiss
to open the editor, place the needed ports in the TCP_IN and TCP_OUT fields as I have done a few posts up.
cyc
does anyone know how to fix this error?

# kiss start
lsmod: QM_MODULES: Function not implemented

Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!

thanks
revolution
Yo!

this is gonna help some people in another forum, that's for sure. i'll post it there next.

KISS 2.0 has the following commented out at the bottom of the script by default:
CODE
##############################################################################
#
# Uncomment to allow DNS zone transfers
#
#$IPTABLES -A INPUT -i eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A INPUT -i eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -o eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -o eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT

leaving that commented out will make it so EARTHLINK / MINDSPRING DNS SERVERS WILL NOT BE ABLE TO SEE YOU. why? i haven't the slightest idea, i'm a php geek and dumpster diver, not a sysadmin.

anyways, i'd suggest making a note of that as i saw it affecting domains on the servers of the company i work for in addition to those on my own. multiple Earthlink/Mindspring dns servers were tried and all experienced this problem, along with everyone i knew who had earthlink. now it seems the problem is solved.

p.s. i spent 2 hours on the phone complaining to earthlink this week insisting they were messed up. ah, well.
mo7al
Can I know what the common ports to disable are?

And I want to disable ping, so no one can ping me.

How can I do it, please?
Steve
QUOTE
Originally posted by revolution
Yo!

this is gonna help some people in another forum, that's for sure. i'll post it there next.

KISS 2.0 has the following commented out at the bottom of the script by default:

code:
#############################################################################
#
# Uncomment to allow DNS zone transfers
#
#$IPTABLES -A INPUT -i eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A INPUT -i eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -o eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -o eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT

leaving that commented out will make it so EARTHLINK / MINDSPRING DNS SERVERS WILL NOT BE ABLE TO SEE YOU. why? i haven't the slightest idea, i'm a php geek and dumpster diver, not a sysadmin.

anyways, i'd suggest making a note of that as i saw it affecting domains on the servers of the company i work for in addition to those on my own. multiple Earthlink/Mindspring dns servers were tried and all experienced this problem, along with everyone i knew who had earthlink. now it seems the problem is solved.

p.s. i spent 2 hours on the phone complaining to earthlink this week insisting they were messed up. ah, well.
Actually, the comment is wrong in the file. It is not for "Zone Transfers" but is actually for nameserver to nameserver transfers on older systems running something like Bind 4.x. Unless you set up your DNS servers to allow source port 53 connections, uncommenting these lines should have no real effect on anything...

I doubt that Earthlink/Mindspring DNS servers use a source port of 53 for getting DNS data from your servers. That would make their DNS servers practically useless. The destination port would of course be 53, but the source port is a high port 1024-65535 and that's already taken care of in the KISS script. I would recommend that you don't uncomment these lines...
revolution
I'm guessing steve is right because i did what i did because it solved the problem, not because i knew what i was doing. regardless...

=> if you are using KISS 2.0, find yourself an earthlink user to look at a new site that just changed to your nameservers. --- or just drop in some of their dns servers for your internet connection and see for yourself. (try 207.69.188.187 and 207.69.188.186)

so, yeah, if you aren't having problems don't do anything, but if you are, remember this warning. as i said, no other isp's dns servers anywhere had a problem, but earthlink/mindspring did and this solved it for multiple newly transferred domains on multiple servers--- one with plesk6/redhat9/bind-9.2.1-16, the other with ensim3.5/redhat7.3/bind-9.2.1-1.7x.2 , neither of which has had any customization done to the dns servers (it's all default config).

steve: thanks for the info on what this is because, as i said, i didn't really know.
Gliebster
Thanks for the great script!

I see the trusted tcp ports and IP's feature. I am wondering if there is a way to allow access to all tcp/udp ports, in and out, from a specific privileged IP or list of IP's?
PWR
To prevent users from sending UCE from the server you can add one line at the beginning of the OUTPUT rules:

$IPTABLES -A OUTPUT -o eth0 -p tcp --dport 25 -j REJECT -m owner ! --uid-owner 0

(for ensim only)
damatrix
Here is my problem.. I am installing Kiss onto rhe 3 with cpanel

I believe that i have followed the instructions, and opened the needed ports up,

But as soon as i start it up.. I am unable to login to whm (i havent tested anything else)

Any ideas?
Gliebster
Open these ports for cPanel/WHM:
873 2080 2081 2082 2083 2086 2087 2089 2095 2096

There might be more. Read this:
http://forums.cpanel.net/showthread.php?s=...&threadid=13834
TDI
2080 & 2081 ?
Danieliang
How to upgrade from version 1 to version 2?
TDI
Upload v2

configure v2

stop v1

delete v1

start v2

I think that's it...
Danieliang
However, the http://www.geocities.com/steve93138/ site only has version 2's information now. I don't even remember where I installed version 1 and don't remember how to stop it.
TDI
oh good point..I had that same trouble when I upgraded...

try:

locate kiss

via SSH to find where you have it.

And if you had followed all directions along with v1 there should be a file called "flush"

that would clear your iptables. Although I could be wrong. So you may want to ignore that part....Wouldn't want to lock you out of your box....

MOVING ON!
ok - if you can use "locate kiss" to find it - check out the readme or similar file. I know the stopping instructions are located along with v1.

Hope this helps.
Cornelius
i believe according to his original instructions,

the script was here: /etc/rc.d/rc.firewall

the file to start it up at bootup: /etc/rc.d/rc.local

HTH
Danieliang
Yes, the file is at /etc/rc.d/rc.firewall, but I don't remember how to stop the version 1.4. And after I stop it, I just simply delete rc.firewall?
GXX
here's how you stop V1:

create a file, call it whatever you want.

put this in it:

#!/bin/sh
# Set the default policies to ACCEPT first, then flush all rules,
# so nothing is left blocking traffic while the rules are removed.
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -F

close, save. chmod to 755.

then execute it.

V1 cleared. delete rc.firewall, install V2, and you're done.
gaelos
is fxp working with this new version of kiss ? It was not with the old one.

thanks
dvdepot
QUOTE
Originally posted by revolution
I'm guessing steve is right because i did what i did because it solved the problem, not because i knew what i was doing.  regardless...

=>  if you are using KISS 2.0, find yourself an earthlink user to look at a new site that just changed to your nameservers. --- or just drop in some of their dns servers for your internet connection and see for yourself.  (try 207.69.188.187 and 207.69.188.186)

steve: thanks for the info on what this is because, as i said, i didn't really know.


You're right on this - for whatever reason... did an nslookup with mindspring isp with this #'d and it died out... removed it and it worked... for whatever reason.

Great Ver 2 - Steve... you may want to make a note somewhere in the script how to set up multiple values, like server IPs, banned IPs, to separate them by "spaces" and not commas or something else. It had me wondering, unless I missed something.
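Two configuration mistakes come up in this thread: putting 0.0.0.0/0 in TRUSTED_IPS (which, as Steve explains above, trusts every address and makes the other entries meaningless) and separating list values with commas instead of spaces. The following pre-flight check is an added example, not code from KISS or from anyone in the thread; it assumes the script's own conventions (space-separated lists, ports as single numbers or "low:high" ranges) and the variable names shown in the posts above. The sample values at the bottom are constructed from what TDI and Steve posted.

```shell
#!/bin/sh
# Added example (not part of KISS or of this thread): sanity-check the
# KISS variables before running "kiss restart", so a bad value is caught
# before it turns into a locked-out server or a wide-open trusted port.

# Succeed when every token in "$1" is a port or "low:high" range in 1-65535.
valid_ports() {
  for tok in $1; do
    case "$tok" in
      *,*) echo "bad port list (separate with spaces, not commas): $tok" >&2; return 1 ;;
      *:*) lo=${tok%%:*}; hi=${tok#*:} ;;
      *)   lo=$tok; hi=$tok ;;
    esac
    for n in "$lo" "$hi"; do
      case "$n" in ""|*[!0-9]*) echo "bad port: $tok" >&2; return 1 ;; esac
    done
    if [ "$lo" -lt 1 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
      echo "port out of range: $tok" >&2; return 1
    fi
  done
  return 0
}

# Succeed when "$1" is a dotted-quad IPv4 address with an optional /prefix.
valid_ip() {
  ip=${1%%/*}
  case "$1" in */*) pfx=${1#*/} ;; *) pfx=32 ;; esac
  case "$pfx" in ""|*[!0-9]*) return 1 ;; esac
  [ "$pfx" -le 32 ] || return 1
  n=0
  oldifs=$IFS; IFS=.
  for oct in $ip; do
    case "$oct" in ""|*[!0-9]*) IFS=$oldifs; return 1 ;; esac
    [ "$oct" -le 255 ] || { IFS=$oldifs; return 1; }
    n=$((n + 1))
  done
  IFS=$oldifs
  [ "$n" -eq 4 ]
}

# Succeed when every token in a space-separated address list is valid.
valid_ips() {
  for tok in $1; do
    case "$tok" in *,*) echo "bad address list (separate with spaces, not commas): $tok" >&2; return 1 ;; esac
    valid_ip "$tok" || { echo "bad address: $tok" >&2; return 1; }
  done
  return 0
}

# Succeed when TRUSTED_IPS names specific hosts only. A 0.0.0.0/0 entry
# matches every source address, so TCP_IN_TRUSTED ports (e.g. a moved
# SSH port) would be reachable from anywhere despite the other entries.
trusted_is_restricted() {
  for tok in $1; do
    case "$tok" in 0.0.0.0/0|0/0|0.0.0.0/0.0.0.0) return 1 ;; esac
  done
  return 0
}

# Run every check against the current variables; return 0 only if all pass.
check_kiss_config() {
  ok=0
  valid_ports "$TCP_IN"         || ok=1
  valid_ports "$TCP_OUT"        || ok=1
  valid_ports "$UDP_IN"         || ok=1
  valid_ports "$UDP_OUT"        || ok=1
  valid_ports "$TCP_IN_TRUSTED" || ok=1
  valid_ips "$SERVER_IPS"       || ok=1
  valid_ips "$TRUSTED_IPS"      || ok=1
  valid_ips "$BLOCK_LIST"       || ok=1
  trusted_is_restricted "$TRUSTED_IPS" \
    || { echo "TRUSTED_IPS contains 0.0.0.0/0: every host is trusted on TCP_IN_TRUSTED ports" >&2; ok=1; }
  return $ok
}

# Constructed sample values, mirroring the ones posted earlier in this thread.
TCP_IN="20 21 25 53 80 110 143 443 995 2082:2083 2086:2087 2095:2096 3306"
TCP_OUT="21 22 25 37 43 53 80 443 873 2089"
UDP_IN="53"; UDP_OUT="53"
TCP_IN_TRUSTED="8999"
TRUSTED_IPS="0.0.0.0/0 216.118.116.106"
SERVER_IPS="207.44.194.6 207.44.194.129"
BLOCK_LIST=""

if check_kiss_config; then
  echo "KISS config looks sane"
else
  echo "fix the warnings above before running 'kiss restart'"
fi
```

With the sample values the check fails on the 0.0.0.0/0 entry; removing it from TRUSTED_IPS makes it pass. In practice you would paste the variable block from /usr/bin/kiss in place of the constructed sample.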
xee
I've installed this using the HOW-TO.
But when I started kiss all ports locked down.

What am I doing wrong?

CODE
[root@blue /]# kiss start
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x00
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x03/0x03
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x06
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x05/0x05
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x11/0x01
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x18/0x08
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x30/0x20
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
DROP       all  --  0.0.0.0/0            0.0.0.0/0          state INVALID

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x00
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x03/0x03
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x06
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x05/0x05
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x11/0x01
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x18/0x08
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x30/0x20
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
DROP       all  --  0.0.0.0/0            0.0.0.0/0          state INVALID

etc...
ehost
I've set up firewall and it works fine

but when I use ws_ftp to connect my web site, it takes a while to do so .. about 5~10 seconds longer than before.

I just wonder if any of you also has this problem?


update : I just turned off kiss firewall to do the test and I am sure now it's caused by kiss firewall. Is it possible to improve this situation?
WreckRman2
I've installed KISS 2.0 and listed all my server IP's with a space in between each one.

Problem is when I have the firewall running I can do a tracert to the first IP listed but I can't do a tracert to the other IP's listed. This has caused DNS problems with mail bouncing etc. If I stop KISS the problems go away.


Any suggestions?
ehost
I suddenly can't view my web site
it's blocked by the firewall....


once I turned off kiss then turned it back on again, it's ok.

so weird
Habby
I installed it and everything works fine, except one thing. The firewall keeps on disabling every so often. I keep on having to start it up. It usually disables within 12 hours or so...
Ronny
Does this work with rh 9?
siteThing
yes. works with RH9.
GraphicsGuy
How about RHEL?
WreckRman2
QUOTE
Originally posted by WreckRman2
I've installed KISS 2.0 and listed all my server IP's with a space in between each one.

Problem is when I have the firewall running I can do a tracert to the first IP listed but I can't do a tracert to the other IP's listed. This has caused DNS problems with mail bouncing etc. If I stop KISS the problems go away.


Any suggestions?
Anybody?
Ronny
This is what happens on a rh 9 server:

root@server [/usr/bin]# kiss start
Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!