Arch as a firewall

Well, I have a little question: is it possible to use Arch as a firewall distribution like ipcop and similar?

Have a look at this page.
Generally, setting up a firewall will require some effort. I'd suggest you take a look at firehol (needs some patching to work with latest BASH properly; that's what I'm using to set up my firewall), gshield (long not updated), shorewall or some script like Arno's Firewall.

Similar Messages

  • Arch pc as firewall

    Do I just need to configure iptables to set up an Arch system as a network firewall? What I want to do is force all PCs or devices to go through my Arch system to filter content out in an ACL fashion. So I would connect it to a switch and make it then point to my router. Would this work, or am I going about this wrong?

    This is my setup:
    Internet<----->Modem<---->ArchRouter (iptables, squid)<----->Switch<---->Internal Network
    My house is all wired.
    I recently added a wlan0 to router, but can't get it to work

  • Is Arch network safe on default install?

    So I was wondering if Arch had a firewall installed by default and if so is it set to deny all incoming traffic?
    I've been using my Arch install for about 2 weeks and only now just realised that I didn't have a firewall set up, so I installed UFW and configured that.
    Since I've been using my Arch install without a firewall (if there isn't one installed by default) am I still safe? I had a few ports forwarded to my PC as well but I thought I had a firewall installed blocking them. (as my router would take care of the non-port forwarded ports)
    Any help would be very appreciated!
    Last edited by Hectrin2 (2015-05-12 08:17:46)

    Awebb wrote: having an open port is like leaving the house with your door unlocked in a bad neighborhood!
    Isn't that exactly how it is though? I mean, I know I'm pretty ignorant on the subject but am I really that ignorant?
    Awebb wrote: 0. A list of ports forwarded to your device and the name and platform of the program you originally forwarded the ports for.
    27015 UDP and 27005 TCP and UDP. These are forwarded for SRCDS as in, a game server for Source games. (Counter Strike, Team Fortress 2, etc.)
    Awebb wrote: 2. The output of "netstat -tulpn" (run as root, with sudo for example). Make sure you have all those programs running you usually use on a normal day.
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 0.0.0.0:27036 0.0.0.0:* LISTEN 739/steam
    tcp 0 0 127.0.0.1:57343 0.0.0.0:* LISTEN 739/steam
    tcp 0 0 127.0.0.1:27015 0.0.0.0:* LISTEN 1465/./srcds_linux
    tcp 0 0 0.0.0.0:4433 0.0.0.0:* LISTEN 783/python2
    tcp 0 0 0.0.0.0:61589 0.0.0.0:* LISTEN 783/python2
    tcp 0 0 0.0.0.0:55413 0.0.0.0:* LISTEN 616/skype
    tcp6 0 0 :::4434 :::* LISTEN 783/python2
    tcp6 0 0 :::61589 :::* LISTEN 783/python2
    udp 0 0 0.0.0.0:26901 0.0.0.0:* 1465/./srcds_linux
    udp 0 0 0.0.0.0:27005 0.0.0.0:* 1465/./srcds_linux
    udp 0 0 0.0.0.0:27015 0.0.0.0:* 1465/./srcds_linux
    udp 0 0 0.0.0.0:27020 0.0.0.0:* 1465/./srcds_linux
    udp 0 0 0.0.0.0:27036 0.0.0.0:* 739/steam
    udp 0 0 0.0.0.0:59862 0.0.0.0:* 739/steam
    udp 0 0 192.168.100.105:6771 0.0.0.0:* 783/python2
    udp 0 0 127.0.0.1:6771 0.0.0.0:* 783/python2
    udp 0 0 0.0.0.0:6771 0.0.0.0:* 783/python2
    udp 0 0 0.0.0.0:44051 0.0.0.0:* 783/python2
    udp 0 0 192.168.100.105:60616 0.0.0.0:* 783/python2
    udp 0 0 127.0.0.1:40588 0.0.0.0:* 616/skype
    udp 0 0 0.0.0.0:48782 0.0.0.0:* 739/steam
    udp 0 0 0.0.0.0:68 0.0.0.0:* 416/dhcpcd
    udp 0 0 0.0.0.0:61589 0.0.0.0:* 783/python2
    udp 0 0 127.0.0.1:33324 0.0.0.0:* 783/python2
    udp 0 0 0.0.0.0:55413 0.0.0.0:* 616/skype
    udp6 0 0 :::61589 :::* 783/python2
    Awebb wrote: 3. For educational reasons the output of "netstat -lptu" (also root)
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 *:27036 *:* LISTEN 739/steam
    tcp 0 0 localhost.localdo:57343 *:* LISTEN 739/steam
    tcp 0 0 localhost.localdo:27015 *:* LISTEN 1465/./srcds_linux
    tcp 0 0 *:vop *:* LISTEN 783/python2
    tcp 0 0 *:61589 *:* LISTEN 783/python2
    tcp 0 0 *:55413 *:* LISTEN 616/skype
    tcp6 0 0 [::]:4434 [::]:* LISTEN 783/python2
    tcp6 0 0 [::]:61589 [::]:* LISTEN 783/python2
    udp 0 0 *:26901 *:* 1465/./srcds_linux
    udp 0 0 *:27005 *:* 1465/./srcds_linux
    udp 0 0 *:27015 *:* 1465/./srcds_linux
    udp 0 0 *:27020 *:* 1465/./srcds_linux
    udp 0 0 *:27036 *:* 739/steam
    udp 0 0 *:59862 *:* 739/steam
    udp 0 0 KJHGF:plysrv-https *:* 783/python2
    udp 0 0 localhost.:plysrv-https *:* 783/python2
    udp 0 0 *:plysrv-https *:* 783/python2
    udp 0 0 *:44051 *:* 783/python2
    udp 0 0 KJHGF:60616 *:* 783/python2
    udp 0 0 localhost.localdo:40588 *:* 616/skype
    udp 0 0 *:48782 *:* 739/steam
    udp 0 0 *:bootpc *:* 416/dhcpcd
    udp 0 0 *:61589 *:* 783/python2
    udp 0 0 localhost.localdo:33324 *:* 783/python2
    udp 0 0 *:34683 *:* 1465/./srcds_linux
    udp 0 0 *:55413 *:* 616/skype
    udp6 0 0 [::]:61589 [::]:* 783/python2
    Awebb wrote: 4. A list of programs you run you think are in the habit of randomly generating traffic on different ports (Skype for example or a torrent client with a port randomizer)
    Skype, a torrent client and maybe Steam? Not much.
    Last edited by Hectrin2 (2015-05-12 15:05:59)
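
Added example, not part of the original thread: a shell script that sorts `netstat -tulpn` lines by the address each socket is bound to and checks the forwarded ports named in the post above (27015 UDP, 27005 TCP and UDP) against them. The function names are made up for this example, and the sample lines are a subset copied from the post.

```sh
#!/bin/sh
# Sample input: a subset of the "netstat -tulpn" lines from the post above.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:27036 0.0.0.0:* LISTEN 739/steam
tcp 0 0 127.0.0.1:27015 0.0.0.0:* LISTEN 1465/./srcds_linux
tcp6 0 0 :::4434 :::* LISTEN 783/python2
udp 0 0 0.0.0.0:27005 0.0.0.0:* 1465/./srcds_linux
udp 0 0 0.0.0.0:27015 0.0.0.0:* 1465/./srcds_linux
udp 0 0 192.168.100.105:6771 0.0.0.0:* 783/python2
udp 0 0 127.0.0.1:40588 0.0.0.0:* 616/skype
EOF
}

# Read netstat -tulpn output on stdin and print one line per socket:
#   proto/port  scope  program
# scope is all-interfaces (0.0.0.0 or ::), loopback-only, or one-address.
classify_listeners() {
    awk '
    $1 ~ /^(tcp|udp)6?$/ {
        local_addr = $4
        port = local_addr
        sub(/.*:/, "", port)            # keep the text after the last colon
        addr = substr(local_addr, 1, length(local_addr) - length(port) - 1)
        prog = $NF
        sub(/^[0-9]+\//, "", prog)      # drop the leading PID
        if (addr == "0.0.0.0" || addr == "::")
            scope = "all-interfaces"
        else if (addr ~ /^127\./ || addr == "::1")
            scope = "loopback-only"
        else
            scope = "one-address"
        print $1 "/" port, scope, prog
    }'
}

# check_forwards LISTING proto/port...
# For each port forwarded on the router, report which program answers it.
# A loopback-only socket does not count: forwarded traffic arrives on the
# LAN address and never reaches 127.0.0.1.
check_forwards() {
    _listing=$1
    shift
    for fwd in "$@"; do
        hit=$(printf '%s\n' "$_listing" |
              awk -v want="$fwd" '$1 == want && $2 != "loopback-only" { print $3; exit }')
        if [ -n "$hit" ]; then
            echo "$fwd answered-by $hit"
        else
            echo "$fwd no-reachable-listener"
        fi
    done
}

listing=$(sample_netstat | classify_listeners)
printf '%s\n' "$listing"
check_forwards "$listing" udp/27015 tcp/27005 udp/27005
```

A port forward only exposes a service when a socket is bound to that protocol and port on a non-loopback address. In this sample `srcds_linux` answers both UDP forwards, while the TCP 27005 forward has no listener behind it.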

  • [SOLVED] vsftpd on Local Mirror, running but not working

    I'm building a Local Mirror on a vm (vbox) with bridged adapter and fix-ip by following this wiki.
    http://wiki.archlinux.org/index.php/Loc … cal_mirror
    After the painful rsync and those setup, I tried pacman -Syu from another Arch vm (no firewall).  I received the following error.
    :: Synchronizing package databases...
    error: failed retrieving file 'core.db.tar.gz' from 192.168.100.100 : Service not available, closing control connection
    I've tried by nmap on the hosting PC and find that the vsftpd should be running.
    Starting Nmap 4.62 ( http://nmap.org ) at 2010-08-27 01:03 HKT
    Interesting ports on 192.168.100.100:
    Not shown: 1714 closed ports
    PORT   STATE SERVICE
    21/tcp open  ftp
    MAC Address: 08:00:27:76:33:1C (Cadmus Computer Systems)
    Nmap done: 1 IP address (1 host up) scanned in 1.318 seconds
    In the wiki, it suggests to use "ftp" to replace "mirror" for ftp_username & nopriv_user.  I tried both.
    I also find that there is no "archlinux" under my /home/mirror/files as "suggested" by the following statement in vsftpd.conf
    # Chroot directory for anonymous user
    anon_root=/home/mirror/files/archlinux
    I tried both (1) amend the vsftpd.conf to remove the "archlinux", and (2) manually add that directory with owner/group=mirror.
    Meanwhile, I only find under /home/mirror/files 6 items - community core extra community.lastsync core.lastsync extra.lastsync.  Have I completed the rsync successfully?  Or, something is missing.  Is the directory structure correct?
    Is the sample vsftpd.conf in the Local Mirror wiki updated?  I've cross-referenced it with the vsftpd wiki but I'm not knowledgeable enough to find things useful.
    What else should I check?
    I love ArchLinux so much that I really hope that it can work.
    Please help.
    Thanks.
    Last edited by dboat (2010-08-27 15:38:14)

    I have tried a couple of Linux distros to learn Linux/Network.  I like ArchLinux's "simple" concept, light weight, updated packages, nice documentation and fast bootup/shutdown.  I have installed ArchLinux over ten times in different virtual machines and a netbook in the past week.  I will keep some, delete some and create more.  I don't have a fast internet connection and that's why I would like to set up my local mirror.  I am a newbie here, so please feel free to let me know if I am taking too much (bandwidth) from the community, and it is not encouraged for my case.  And sorry if I have already created any trouble.
    Well, back to my problem.
    1. After the rsync, including everything, the / now occupies 14G harddisk space.  Is it a normal size for a local mirror?
    2. I have inserted "Server = file:///home/mirror/files/$repo/os/i686" as the first line in its /etc/pacman.d/mirrorlist
        pacman -Syy  looks fine.
        pacman -Syu  gives a list of warning (xxx: local is newer than core), end with "there is nothing to do"
        pacman -S mplayer  starts installation normally, but needs mirrors on the internet because a large portion of software is missing/inaccessible on my local mirror.
    3. I have tried to login by FileZilla from an Ubuntu vm, and receive this error message (on FileZilla)
    Status:    Connecting to 192.168.100.100:21...
    Status:    Connection established, waiting for welcome message...
    Response:    421 Service not available.
    Error:    Could not connect to server
    Seems I have issues on both the mirror and the vsftpd.  I prefer to resolve the vsftpd problem first, but all suggestions/comments are very welcome.
    Lastly, did I post my question in a wrong place?  If yes, please let me know.

  • 3rd network interface unknown and not found - udev renaming

    I have an Arch linux based firewall with 3 wired network interfaces, one on the mobo.
    In a thunderstorm one of the pci-based interfaces died.
    Upon changing that one to another with the same chipset (realtek 8139) as the one on the mobo, udev hangs a long time on boot and the latter (eth2) becomes unknown and not found.
    Looking at the kernel log I find the following before change:
    kernel: udev[435]: renamed network interface eth1 to eth1-eth2
    kernel: udev[426]: renamed network interface eth2 to eth1
    kernel: udev[435]: renamed network interface eth1-eth2 to eth2
    And after the change just this:
    kernel: udev[426]: renamed network interface eth2 to eth2-eth1
    What is going on and how can I avoid this?
    Thanks

    Could you post the output of sudo lspci -v  ?? I am wondering if the chipsets are conflicting with each other's resources.  They shouldn't, but it sounds like one of them might have been a little traumatized and may be a little brain damaged. (Pardon my anthropomorphisms)

  • Network setup advice

    Hi there,
    My home network will consist of a Belkin wireless router, an Athlon XP Desktop, and two Laptops (Wireless Access).
    My Athlon XP is going to be an always-on machine that I wanted to set up with Arch as a firewall/gateway. I may consider setting up OpenVPN to secure my wireless network, and I also need this machine as a "support" workstation (this means I'll have to install X; I use it mainly for some quick browsing or office tasks whenever I don't want to turn on the laptop... yeah, call me lazy!!). My printer will also be attached to this computer, so I can say it will also be a print server.
    I have a cable modem connection, so I was thinking of the following setup: the cable modem connects to the Athlon XP through eth0, providing internet connection (gateway) through eth1. The Belkin router will connect to the eth1 adapter. (I am considering disabling its built-in router function and using it as an access point only.)
    At this point you might be asking why I would ever want to connect things this way... why not connect the cable modem to the Belkin router and then to the desktop? Well, the reason is simple: I use torrents a lot and my router seems to crash quite often when handling torrents (maybe under excessive traffic or too many connections).
    After this long and boring text, I would like to hear from you about possible security issues, advice, and other setup alternatives.
    Final Note: I'm new to Arch, used to be a Gentoo user and I'm quite happy with how things are handled here, although I think some improvements must be done in the wiki and documentation. I'll look forward to helping contribute in some way. Keep up the good work and many thanks in advance.

    Hi mate,
    My network is similar to what you want to build. My Arch server/firewall is facing the internet with one ADSL connection; behind it is a switch, not wireless :D:D:D, because I don't like wireless networks. I also have an OpenVPN server I can connect my laptop to when I am away. I also have sshd as a backdoor. You can set up OpenVPN by following my post here:
    http://bbs.unin83.com/viewtopic.php?t=157
    My advice for you is to get your Arch up and running, and then set up iptables to do NAT, and open some ports for OpenVPN and others. You can write your own iptables script and can find one with Google. I believe that there are many scripts like this available.
    Remember to enable IP forwarding on the Arch Linux machine.
    If you set up SSH, the better idea is to open a different port rather than port 22, because when I use port 22, a lot of newbies and bots try to brute-force the password --> big log files.
    :D:D
    You can also disable your root account and use sudo instead for security.
    After you have your server up and running, use nmap, hping, nessus, and other tools to check your server.
    Hope this can help you.
    Cheers.
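
Added example, not from the original post: the steps in the reply above (NAT, IP forwarding, an opened OpenVPN port, SSH on a non-default port) written as an `iptables-restore` ruleset produced by a shell function. The interface roles follow the question (eth0 to the cable modem, eth1 to the LAN); the function name, SSH port 2222 and OpenVPN on its default 1194/udp are assumptions.

```sh
#!/bin/sh
# gateway_ruleset WAN_IF LAN_IF SSH_PORT   (hypothetical helper for this example)
# Prints an iptables-restore ruleset for a NAT gateway: INPUT and FORWARD drop
# by default, LAN traffic is masqueraded out of the WAN interface, and only
# OpenVPN and SSH are reachable from the WAN side.
gateway_ruleset() {
    wan=$1 lan=$2 ssh_port=$3

    # Accept only plain interface names and a numeric port, so a malformed
    # argument cannot add extra rule text to the generated output.
    for ifname in "$wan" "$lan"; do
        case $ifname in
            ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $ifname" >&2; return 1 ;;
        esac
    done
    [ "$wan" != "$lan" ] || { echo "WAN and LAN must differ" >&2; return 1; }
    case $ssh_port in
        ''|*[!0-9]*) echo "bad port: $ssh_port" >&2; return 1 ;;
    esac
    [ "$ssh_port" -ge 1 ] && [ "$ssh_port" -le 65535 ] ||
        { echo "port out of range: $ssh_port" >&2; return 1; }

    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
# Rewrite the source address of LAN traffic leaving through the WAN side.
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Assumption: the wired LAN is trusted to reach services on the gateway.
-A INPUT -i $lan -j ACCEPT
# OpenVPN on its default port (assumed unchanged).
-A INPUT -i $wan -p udp --dport 1194 -j ACCEPT
# sshd moved off port 22, as the reply suggests.
-A INPUT -i $wan -p tcp --dport $ssh_port -j ACCEPT
# Routed traffic: replies in both directions, new connections LAN to WAN only.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for the topology in the question so it can be reviewed.
gateway_ruleset eth0 eth1 2222

# To apply as root once the output looks right:
#   gateway_ruleset eth0 eth1 2222 | iptables-restore
#   sysctl -w net.ipv4.ip_forward=1
```

With FORWARD defaulting to DROP, nothing arriving on the WAN interface is routed into the LAN unless it belongs to a connection a LAN host opened.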

  • Firewall in Arch

    Am I correct in assuming that a firewall (iptables) is not installed by default on Arch ? and we also have to start the daemon in rc.conf right?
    I would also like to know what GUI program people use to manage their firewall. I am used to Firestarter, but now that I am using Openbox, I would not like to install so many Gnome dependencies.

    [root@t4rg3t Downloads]# pacman -S iptables
    Löse Abhängigkeiten auf...
    Suche nach Zwischen-Konflikten...
    Pakete: iptables-1.4.0-2
    Gesamtgröße der heruntergeladenen Pakete: 0,42 MB
    Gesamtgröße der installierten Pakete: 1,26 MB
    Installation fortsetzen? [J/n] j
    :: Empfange Pakete von core...
    iptables-1.4.0-2-x86_64 429,9K 233,1K/s 00:00:02 [#####################] 100%
    Prüfe Paketintegrität...
    (1/1) Prüfe auf Dateikonflikte [#####################] 100%
    (1/1) Installiere iptables [#####################] 100%
    /sbin/ldconfig: /opt/lib32/lib/libe2p.so.2 ist kein symbolischer Link
    /sbin/ldconfig: /opt/lib32/lib/libcom_err.so.2 ist kein symbolischer Link
    /sbin/ldconfig: /opt/lib32/lib/libext2fs.so.2 ist kein symbolischer Link
    /sbin/ldconfig: /opt/lib32/lib/libblkid.so.1 ist kein symbolischer Link
    /sbin/ldconfig: /opt/lib32/lib/libuuid.so.1 ist kein symbolischer Link
    /sbin/ldconfig: /opt/lib32/lib/libss.so.2 ist kein symbolischer Link
    [root@t4rg3t Downloads]#
    What's up here? Any ideas? Will be glad for help...

  • Is there any need to firewall Arch?

    Ubuntu advertises as having most of its ports closed to attacks by default.
    How is this set up in Arch? Do I need to install a firewall?
    Thanks.

    I wonder what is the most common way people get hacked. Just ran those tests on Shields UP! and received outstanding reports, and that is sitting behind my Windows computer (behind a router, but that's it):
    Filesharing:
    Your Internet port 139 does not appear to exist!
    One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.
    Unable to connect with NetBIOS to your computer.
    All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.
    Common Ports
    Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.
    All Service Ports:
    Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.
    Messenger Spam:
    No mail received.
    What would I have to do to enable a hacker to enter my system? Or what does this Shield UP site forget to check, what a hacker could attempt to do, to still break into my system?
    Last edited by ibendiben (2008-02-18 11:46:41)

  • Best firewall for use with Arch?

    Any idea?
    Just running a D-link router and that doesn't make me sleep safely.

    http://wiki.archlinux.org/index.php/Spe … wall&go=Go
    http://bbs.archlinux.org/search.php?act … rch=Submit

  • Installing Multiple Operating Systems with grub and Arch Linux

    NOTE: Please keep in mind that there are many different ways to achieve this same result using various loop and ramdisk methods, read this with a separate window to jot down your comments and suggestions... this is ongoing for me so any help would be appreciated!
    Read the full article at Install Multiple Os without cds
    This is my first post and I plan on making this topic an official HOWTO with www.tldp.org.
    I have been into the computer security scene since 1990, but I realized that I had very little experience with the various Linux, Unix, and alternative operating systems out there.
    I have a CD-RW drive but being a struggling computer security researcher I had no money for blank cd-recordables.  What follows is how I managed to install various operating systems on my computer (1 hard drive) without having to burn to a CD the ISO and then boot from that.
    I first partitioned my 120GB harddrive into 10 partitions, the 2nd partition is a small swap and the last partition is extra large because it holds all the ISO images..
    I then wrote a small shell script to automatically download (I love wget!)  the following.
    OpenBSD
    IpCOP
    Libranet
    Arch-Linux
    Fire
    Local Area Security
    Packet Master
    Devil-Linux
    FreeBSD
    Knoppix
    Helix
    Gentoo
    Yoper-Linux
    NetBSD
    RedHat
    Slackware
    The script also downloaded installation manuals and md5 checksums (let me know if I should post it... it's pretty unsophisticated).
    I installed Slackware (personal favorite) on hda1 using my last blank CD-R; note that I do not have a separate boot partition.  (Should I?)  I also installed grub on the MBR.  I love grub; if you read through the man pages and all the info you can find about grub, you can learn a whole lot.  Grub has many more features and capabilities than lilo, even though lilo comes installed by default with Slack.
    I organize my kernel situation as follows...  In my /boot directory, I mkdir KERNEL, CONFIG, MAP, INITRD and that is a good way for me to keep my kernels and everything organized..  Another good way is a separate dir for each new kernel. 
    Since Arch-Linux is a solid distro, I'll use that as a first example.
    Here is the Arch-Linux section of my shell script
    goge Arch-Linux
    $w http://puzzle.dl.sourceforge.net/sourceforge/archlinux/arch-0.6.iso
    $w http://unc.dl.sourceforge.net/sourceforge/archlinux/arch-0.6.md5sum
    $w http://www.archlinux.org/docs/en/guide/install/arch-install-guide.html
    md55
    cat arch-0.6.md5sum
    md5sum arch-0.6.iso
    md55
    The first thing to do is to mount the downloaded ISO image so we can use it as if it were an actual CD.
    mount -t iso9660 -o ro,loop=/dev/loop0 cdimage /mnt/cdrom
    Where cdimage= the ISO image.   EX. /usr/local/src/ISO/Linux/Arch-Linux/arch-0.6.iso
    This mounts the iso as /mnt/cdrom.
    Next you need to copy /mnt/cdrom to a separate partition for the booting process.  So mkfs.ext2 /dev/hda9.  (I prefer reiserfs or even XFS to ext, but if you use something other than ext2 you could run into some problems because some of the installation kernels and initrds don't include support for reiserfs and so can't recognize the files.  Although you could use mkinitrd to create a new initrd with reiserfs support, that might be pushin it IMO...)  I use the 9th partition consistently for this.  I know there is a "right" way to copy the /mnt/cdrom files so everything stays the way it is supposed to, using tar or cpio, but I'm lazy so I just do cp -rp.
    (What is the tar or cpio commands to copy with correct permissions etc??)
    So you mount the 9th partition as whatever, say /mnt/hd and then copy the files.  Now what?
    Now edit your /boot/grub/menu.lst file to include the specific options to boot arch-linux installation. 
    A good idea is to find the isolinux.cfg file somewhere on the distro cd, this will tell you what to include in the menu.lst.
    Here is the section in my menu.lst
    title Arch Install
    root (hd0,8)
    kernel /isolinux/vmlinuz load_ramdisk=1 prompt_ramdisk=0 root=/dev/rd/0
    initrd=/isolinux/initrd.img
    This should be self-explanatory.  The root (hd0,8) is pointing to partition 9.  So the rest of the commands start from partition 9. 
    When you experience problems, remember you can always edit the grub boot options by typing 'e' and then edit the section.  Also, a good idea is to include several variations in your menu.lst so you can easily try other ways to boot efficiently.  And, remember to read up on all the installation guides that come with your distro, specifically, hard-disk installs. 
    There are special cases, Gentoo, has a semi-new compressed filesystem called squashfs.  BTW, this is AWESOME, so check it out.  It has to be compiled into the kernel, so some work is in order, but use this recompile to optimize your kernel.  You can get the squashfs patch for almost any kernel.  I use the latest stable 2.6 kernel.  Squashfs is incredible and although I don't think you need it to install from ISO, you do need it to expand the livecd.squashfs filesystem that comes with the cd.
    Here's a sample Gentoo section from my menu.lst
    title Gentoo Install
    root (hd0,8)
    kernel /isolinux/gentoo root=/dev/ram0
    initrd=/isolinux/gentoo.igz init=/linuxrc acpi=off looptype=squashfs loop=/livecd.squashfs cdroot vga=791 splash=silent
    Another tip is the shell that is provided if you experience problems, typically busybox or ash.  The key tools to get you going from here are mount and chroot.  Sometimes you will need to manually create a simulated file system and then chroot into it.  For instance, you might have to create boot, etc, bin directories on the target partition.
    I generally install each OS onto the next partition (careful of the logical partition) and add it to my menu.lst after install.  A good idea is after installation, copy the kernel and initrd(if there is one) to the slackware(or whatever) boot partition on hda1.  I copy kernels to /boot/KERNEL/ and initrd's to /boot/INITRD, then menu.lst is more organized...
    You then need to add an updated section to your menu.lst (just comment out the install section for later)
    Here is the finished arch-linux section from menu.lst
    title Arch Linux 6
    root (hd0,2)
    kernel /boot/vmlinuz26 ro root=/dev/hdc3
    This doesn't use my convenient boot/KERNEL/vmlinuz26 as you can tell by setting the root to partition 3.
    ***NOTE: Make a backup of MBR using dd and save to floppy, also backup the partition table to floppy, using cfdisk or parted.  And boot disks (I use 1 with grub, and 1 with slack, and tomsbootdisk) will invariably come in handy.  Tomsbootdisk is recommended, and make the grub boot disk when you install grub.  install to floppy.
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    The final result after some fun experimenting, is when I boot, I have a cool grub boot screen come up with the option to boot into whatever OS I want, this is handy for multiple reasons.  One good thing to do after this is to port scan and vuln scan each OS, after you update of course.  Write this stuff down and you will know the weaknesses/strengths of the various OS's. 
    I can boot a custom Firewall, snort, or multiple honeypots using this procedure, as well as a graphical kde environment with a kernel optimized for graphics and my processor/architecture, or an environment devoted to forensics or even an environment suitable for programming.
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    P.S. Some of the cooler alternative operating systems are BeOS 5, EOS, ER_OS, V2_OS, and my personal favorite Menuet.  Menuet is 100% assembly graphical operating system that fits on a floppy.  Its f'in money!
    This should be a good enough example to get you started, this kind of thing should be learned and not just copied... Knowing how to do this stuff could prove to be exceptionally useful...

    Start by reading all the articles built-in on your Mac - Help > Mac Help, search "printer sharing."
    http://desk.stinkpot.org:8080/tricks/index.php/2008/04/how-to-print-to-a-cups-server-from-mac-os-x/
    http://www.macosxhints.com/article.php?story=20080324224027152&query=share%2Bprinter
    http://members.cox.net/18james/osxprintersharing.html
    http://ubuntuforums.org/archive/index.php/t-56940.html

  • Arch and community's attitude towards 'root'

    Dear *,
    I've been debating this with myself for a long time. I use the 'root' account. Don't hang me yet. I'm still making up my mind. Which is why this thread.
    I've used Ubuntu for some time before I came to ArchLand. There we obviously work as mundane 'user's. The problem is I find sudo doesn't let me 'do' anything much. When I started with Arch, I found myself at home in the root account and have always stayed that way. I've read a lot on the security issues with the root account but I'm still not sold. Most people only preach it as gospel. Some people give valid reasons. But Arch is the only distro where I've found that people preach the least. About this as well as other things. So I thought it'll be a good quality control to receive criticism and support here.
    The reasons I've usually seen are thus:
    > You'll end up deleting something really important belonging to:
        >> You: My defence to that is that I can do that similarly stupidly on my /home/username/ files anyway! Right! So just because I'm using sudo does not save me from deleting my own files anyway. And I keep a double backup not more than a few days old at all times!
        >> Someone else: Now, I use a laptop that "only" I work on. And I don't think that anyone will ever work on my laptop (too possessive about my machine!) at least as a permanent user to warrant his/her own /home setup. So that is no problem either.
        >> System: Now, I agree to this completely as a risk. However in my now considerable use of linux, I've ended up breaking my system only a few times, most of which happened in Ubuntu with sudo most probably because I was new and inexperienced in *nix way of doing things. Going as root has taught me in stead to be extra careful as a second nature. Even then, I believe that one can not be too cautious. However, I have multiple views on this:
              >>> Since these are system files we are talking about, even if I was running as a user, I'd be using sudo to work with them, which means if I was being stupid I'll mess up anyway and sudo won't 'magically' save me from my own foolishness.
              >>> I find that even if I mess up my system once in 6 months (which I don't, but just for argument's sake), the productivity loss in terms of taking a day to setup Arch back (with my backups) is MUCH less than the productivity loss I've always experienced in running with sudo. I keep forgetting prepending sudo, writing scripts is a pain with all those exotic options, etc. etc. I know I can edit the sudoers file but that just beats the principle of sudo anyway! Innit?
    > Malignant software: Now this is another area where I don't see how sudo is really useful at all. If I'm running code from someone else, it'll usually come from the Arch or AUR repositories. Not that that is foolproof, but come on, you guys and the open-source community _are_ awesome! Plus ESR's eyeball argument. We know malignant software is _almost_ unprecedented in Linux. Also, again, sounding like a broken record, I'd be using sudo to install (and probably run) that software which leaves me with no safety once the password has been entered.
    > The only "really" dangerous reason I've ever come across that I don't have a good rationalization or counter-argument against is: virii and the possibility of someone taking over the machine virtually (rootkits or something else) and using my stupidity of running as root to use my machine to launch attacks against others. Now this I can't argue against. I don't know how possible this is under the present scenario (boy, I hope not much!) but I'd like to know from you guys. What do you think about this risk. Is there any benefit of running as sudo or root here? Plus I don't want others to be hurt because of my stupidity in the FOSS community.
    So that is my dilemma. Will love to hear what you guys think about this issue. If you think I'm deluding myself with what I said above, please explain how and I'll be indebted. If you think there are more reasons to run as sudo or root, I'd love to hear. Even though I think sudo is a big pain in the a**, I don't mind living with it if I'm convinced that it is "sufficiently" more secure to offset the pain in the a**.
    Just last thing, I also hate that I can't use gnome-screensaver with root. I know and _agree_ with the reasons for that. Just saying.
    Last edited by Dumbledore (2011-07-26 14:46:09)

    Dumbledore wrote:
    Dear *,
    I've been debating this with myself for a long time. I use the 'root' account. Don't hang me yet. I'm still making up my mind. Which is why this thread.
    I've used Ubuntu for some time before I came to ArchLand. There we obviously work as mundane 'user's. The problem is I find sudo doesn't let me 'do' anything much. When I started with Arch, I found myself at home in the root account and have always stayed that way. I've read a lot on the security issues with the root account but I'm still not sold. Most people only preach it as gospel. Some people give valid reasons. But Arch is the only distro where I've found that people preach the least. About this as well as other things. So I thought it'll be a good quality control to receive criticism and support here.
    The reasons I've usually seen are thus:
    > You'll end up deleting something really important belonging to:
        >> You: My defence to that is that I can do that similarly stupidly on my /home/username/ files anyway! Right! So just because I'm using sudo does not save me from deleting my own files anyway. And I keep a double backup not more than a few days old at all times!
        >> Someone else: Now, I use a laptop that "only" I work on. And I don't think that anyone will ever work on my laptop (too possessive about my machine!) at least as a permanent user to warrant his/her own /home setup. So that is no problem either.
        >> System: Now, I agree to this completely as a risk. However in my now considerable use of linux, I've ended up breaking my system only a few times, most of which happened in Ubuntu with sudo most probably because I was new and inexperienced in *nix way of doing things. Going as root has taught me instead to be extra careful as a second nature. Even then, I believe that one can not be too cautious. However, I have multiple views on this:
              >>> Since these are system files we are talking about, even if I was running as a user, I'd be using sudo to work with them, which means if I was being stupid I'll mess up anyway and sudo won't 'magically' save me from my own foolishness.
              >>> I find that even if I mess up my system once in 6 months (which I don't, but just for argument's sake), the productivity loss in terms of taking a day to setup Arch back (with my backups) is MUCH less than the productivity loss I've always experienced in running with sudo. I keep forgetting prepending sudo, writing scripts is a pain with all those exotic options, etc. etc. I know I can edit the sudoers file but that just beats the principle of sudo anyway! Innit?
    While this is indeed a risk, it is not the most critical one.  I have, as you said, totally f'ed up system files using sudo as well; but it does prevent you from the hassle of rm -rvf in the wrong directory.
    > Malignant software: Now this is another area where I don't see how sudo is really useful at all. If I'm running code from someone else, it'll usually come from the Arch or AUR repositories. Not that that is foolproof, but come on, you guys and the open-source community _are_ awesome! Plus ESR's eyeball argument. We know malignant software is _almost_ unprecedented in Linux. Also, again, sounding like a broken record, I'd be using sudo to install (and probably run) that software which leaves me with no safety once the password has been entered.
    Malignant software is unprecedented BECAUSE of the permissions system.  I can show you tons of rootkits / key loggers / etc., but unless you are running as root, they can't touch important system files.  This includes running programs like Firefox, Chrome, etc.  There is a reason that infections have changed in the Windows 7 era (moving to looking more like legit programs vs straight infections), and that is because they now have a permission system that makes the user do something before anything can be installed / modified at the system level.  As for using the AUR, you better know how to read the PKGBUILD and INSTALL files if you are using sudo .... and even then you really shouldn't be using sudo with the AUR.  Of course, to be fair, without package signing, the argument could also be made that you shouldn't install anything from the repos either .... but that's another topic entirely.
    > The only "really" dangerous reason I've ever come across that I don't have a good rationalization or counter-argument against is: virii and the possibility of someone taking over the machine virtually (rootkits or something else) and using my stupidity of running as root to use my machine to launch attacks against others. Now this I can't argue against. I don't know how possible this is under the present scenario (boy, I hope not much!) but I'd like to know from you guys. What do you think about this risk. Is there any benefit of running as sudo or root here? Plus I don't want others to be hurt because of my stupidity in the FOSS community.
    Look, it's your risk; and it's totally feasible that because you wish to run as someone who has uber access to everything that you can get hacked.  There is a reason that the permission systems put in place in *NIX systems are copied and used throughout other systems.  Especially if you take place in things like torrenting / visiting iffy sites (even pr0n) etc.  And god help you if you don't have a strong firewall!!
    So that is my dilemma. Will love to hear what you guys think about this issue. If you think I'm deluding myself with what I said above, please explain how and I'll be indebted. If you think there are more reasons to run as sudo or root, I'd love to hear. Even though I think sudo is a big pain in the a**, I don't mind living with it if I'm convinced that it is "sufficiently" more secure to offset the pain in the a**.
    Just last thing, I also hate that I can't use gnome-screensaver with root. I know and _agree_ with the reasons for that. Just saying.
    Look, hands down it's your choice; and it seems like you made your decision, you are the one who has to live with them.  Personally, I think it's stupid, and presents needless risk.  Heck, I love the fact that I can visit and screw around with stuff / sites that others can't, simply because of the bad-ass permission / firewalling that is inherent in my system.  Personally I don't see how sudo is a PITA, but then again I have been using it since I started using Linux (close to 14 years), so maybe I am just used to it.

  • Can't scan from Lexmark multifunction printer - firewall issue?

    Hi there!
    I got a Lexmark printer/scanner combo which used to work fine on my arch install. However, its mobo died, so now I'm back at another install which refuses to scan. Scanning is done through the browser via a java applet residing on the printer's webserver. The applet does start (so it's not a java issue), but refuses to receive data from the scanner. Within the printer's web interface, it reads
    If using Windows XP, the Windows XP personal firewall must be disabled before using Scan to PC profiles.
    , so I'm assuming it might be a firewall issue. Lexmark's website provides the following advice:
    The following two command lines will open the port 5353 for incoming and outgoing connections:
    iptables -I INPUT -p udp -m udp --sport 5353 -j ACCEPT
    iptables -I OUTPUT -p udp -m udp --dport 5353 -j ACCEPT
    NOTE: These steps will work on most distributions configured with IPTABLES. There is no common command to make these rules persistent.
    As I don't know anything about IP tables, I've simply copied these commands (as root, obviously). Still, I can't scan.
    So, my questions are:
    1. Has anybody else ever come across an issue like this?
    2. I don't even know for sure whether this is a firewall issue - what iptables magic would I need to temporarily disable the firewall to check?
    3. I tried checking my rules by "iptables -L". How can I tell "iptables -L" to specify the ports it is working on (as I did in the commands copied from Lexmark's website)?
    Best wishes,
    Rufus
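
    The INPUT rule quoted in the post above matches on the source port only, so it accepts UDP from any sender that uses source port 5353, whatever the destination port. The following is an added example, not part of the thread or of Lexmark's advice: it reads `iptables -S` style output and lists INPUT ACCEPT rules of that shape. The function names `audit_sport_only` and `sample_rules` are made up here, and the sample ruleset is constructed.

```shell
#!/bin/sh
# Read rules in `iptables -S` format on stdin and print "chain proto sport"
# for every INPUT ACCEPT rule that matches a source port but no destination
# port. Such a rule lets a remote sender reach any local port of that
# protocol simply by choosing the matching source port.
audit_sport_only() {
    awk '
    $1 == "-A" {
        chain = $2; proto = "any"; sport = ""; dport = ""; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            else if ($i == "--sport" || $i == "--sports") sport = $(i + 1)
            else if ($i == "--dport" || $i == "--dports") dport = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
        }
        if (chain == "INPUT" && target == "ACCEPT" && sport != "" && dport == "")
            print chain, proto, sport
    }'
}

# Constructed sample: a default-drop ruleset plus the two rules from the post.
sample_rules() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p udp -m udp --sport 5353 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 5353 -j ACCEPT
EOF
}

# Run the audit over the constructed sample.
sample_rules | audit_sport_only
```

    On a live system the same check is `iptables -S | audit_sport_only`, run as root; `iptables -L -n -v` shows the ports of each rule as `spt:` and `dpt:` fields.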

    Hi Bob
    I believe so.  We put the install disc into this mac back when we bought it to set up the printer.  I'm assuming the scanning drivers were there as well since it's a multifunctional printer/scanner/fax wireless printer.
    We've tried it both ways.  If I press the button scan on the printer, it reads can't find computer (or something like that).  When we go thru the HP icon on my computer screen and choose scan to computer, it does nothing.
    We don't scan that often.  So the few times when we ran into this problem, we just did something else (like take a pic from our iPhone and email the pic...kinda stupid but did the trick).
    But I want to have the function of the scanner available.  So that's why I'm here asking...thought others had this issue and had a solution.

  • [SOLVED] Recommendations needed - Arch + Apache for local development

    Hello,
    I'm a new Arch user, and relatively new with Linux. I'm getting to like Arch very much.
    I do web development, and I do most of my programming in PERL.
    I have already installed perl and some tools, and I'm about to install apache. The idea is to have the apache server just for local development and testing.
    So the question is: Do you recommend that I install a firewall?
    What security measures should I take?
    Is there any easy way to enable and disable Internet access to the apache server?
    Thank you!
    Last edited by iopo (2009-10-28 19:24:14)

    Thank you friends.
    Yes, my Internet is via a router. I like the idea of setting the server to listen on a local address; I will try that.
    Now, as I'm new to Linux and Arch, I would like to know if I should take any extra security measures. In Windows I used anti-virus + firewall all the time, and I blocked apache from accessing the Internet with the firewall.
    I have set a strong root password, but the "normal user" has sudo. Is that secure enough?
    Are there any "must have" security tools or measures to set up on a box like mine (Desktop usage + local network (3 machines) + apache for local usage and testing only)?
    Is it common to get some malware, worm, trojan, spyware or some kind of phishing just by surfing the web without user "action" to install it?
    I know Linux is much safer because of users and permissions. I like that very much; it feels a lot safer.
    Now, I have used Arch for a week or so with no firewall (router firewall is disabled also) and no anti-virus. Absolutely no special security measures and there seem to be no log-in attempts in logfiles .. and no problems at all. Windows without firewall and anti-virus will die in a few hours just by leaving it connected to Internet....
    I just wanted to ask you all (Arch users) if you normally use a firewall, and if you take any special measures to stay free of trojans, spyware, etc...
    I will appreciate your comments.
    Thank you!
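
    The idea mentioned in the post above, binding Apache to a local address, can be checked from the configuration itself. This added example (not part of the thread) lists every `Listen` directive that is not bound to a loopback address; the function names `nonlocal_listens` and `sample_httpd_conf` are made up here, and the configuration excerpt is constructed.

```shell
#!/bin/sh
# Read an Apache configuration on stdin and print each Listen directive that
# is not bound to loopback. Directive syntax: Listen [IP-address:]port [protocol]
# A bare port ("Listen 80") binds every interface, so it is reported too.
nonlocal_listens() {
    awk '
    tolower($1) == "listen" {
        addr = $2
        # Loopback forms: 127.x.x.x:port and [::1]:port
        if (addr ~ /^127\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/) next
        if (addr ~ /^\[::1\]:[0-9]+$/) next
        print $0
    }'
}

# Constructed httpd.conf excerpt mixing local-only and all-interface binds.
sample_httpd_conf() {
    cat <<'EOF'
# Commented-out directives are ignored by Apache and by this check.
#Listen 12.34.56.78:80
Listen 80
Listen 127.0.0.1:8080
Listen [::1]:8080
Listen 0.0.0.0:8443 https
EOF
}

# Run the check over the constructed excerpt.
sample_httpd_conf | nonlocal_listens
```

    An empty result means every active `Listen` line is loopback-only, so the server is reachable from the machine itself but not from the LAN or the Internet.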

  • Slackware to Arch server switch questions

    I want to have this setup, with all PCs running arch:
    http://img.photobucket.com/albums/v637/ … SYSTEM.jpg
    I currently run NTL and the modem has an ethernet port on it so it's all easy and good with my slackware server DHCP on one network card and fixed IP on the other.
    But I have to have an ADSL line in new house with tiscali and I can't see any of their modems that are not USB. So is there a "how to" for USB modems?
    Is it easy to setup the above network?
    The slack server is a firewall (rc.firewall script etc) and a samba share and that's about it.... it forwards some ports here and there but nothing else.
    I have never used arch as a server so I have no idea what I'm supposed to do etc, even if I had 2 network cards I have no idea how to tell one to be DHCP and other fixed IP in rc.conf etc.... do I just have another section from the 2nd network card?

    CyRiX_BlAcK wrote:But I have to have an ADSL line in new house with tiscali and I can't see any of their modems that are not USB. So is there a "how to" for USB modems?
    I don't know anything about tiscali, but if USB is all they can give you, I would strongly recommend getting your own ethernet gear - it will save you a lot of hassle IMO.
    CyRiX_BlAcK wrote:do I just have another section from the 2nd network card?
    Basically yes. You will have eth0= and eth1= lines with the appropriate parameters, followed by
    INTERFACES=(lo eth0 eth1)

  • [Solved]Pacman fails to connect to server in Arch Virtual Machine

    Hi
    I've just installed arch 2008.06 in VMWare Workstation 6.04 on Vista Business x64. The setup all went fine and I am now logged into my system, but Pacman refuses to connect to anything. I have tried Bridged networking and NAT to no avail. Whenever I run 'pacman -Syy' I get the message
    "error: failed retrieving file 'core.db.tar.gz' from ftp.archlinux.org : File unavailable (e.g.,file not found, no access)"
    followed by the same message for each mirror in my mirrorlist, and then again for 'extra.db.tar.gz' and 'community.db.tar.gz', and then 'failed to synchronise any databases' at the end.
    I have tried pinging google, as well as several of the arch mirrors and they all work fine. wget also seems to work fine, it's just pacman that's not working.
    Anyone have any suggestions?
    Last edited by henrypootel (2008-09-12 01:53:56)

    That's what I thought too so I switched off the Vista firewall and still no luck. I am behind a hardware firewall here at work, but it shouldn't be blocking FTP traffic. I use FTP in windows all the time.
    Just tried downloading a file using wget and it worked fine.
    Last edited by henrypootel (2008-09-11 03:45:29)
