Firewall in Arch

Am I correct in assuming that a firewall (iptables) is not installed by default on Arch? And we also have to start the daemon in rc.conf, right?
I would also like to know what GUI program people use to manage their firewall. I am used to Firestarter, but now that I am using Openbox, I would not like to install so many Gnome dependencies.

[root@t4rg3t Downloads]# pacman -S iptables
Löse Abhängigkeiten auf...
Suche nach Zwischen-Konflikten...
Pakete: iptables-1.4.0-2
Gesamtgröße der heruntergeladenen Pakete: 0,42 MB
Gesamtgröße der installierten Pakete: 1,26 MB
Installation fortsetzen? [J/n] j
:: Empfange Pakete von core...
iptables-1.4.0-2-x86_64 429,9K 233,1K/s 00:00:02 [#####################] 100%
Prüfe Paketintegrität...
(1/1) Prüfe auf Dateikonflikte [#####################] 100%
(1/1) Installiere iptables [#####################] 100%
/sbin/ldconfig: /opt/lib32/lib/libe2p.so.2 ist kein symbolischer Link
/sbin/ldconfig: /opt/lib32/lib/libcom_err.so.2 ist kein symbolischer Link
/sbin/ldconfig: /opt/lib32/lib/libext2fs.so.2 ist kein symbolischer Link
/sbin/ldconfig: /opt/lib32/lib/libblkid.so.1 ist kein symbolischer Link
/sbin/ldconfig: /opt/lib32/lib/libuuid.so.1 ist kein symbolischer Link
/sbin/ldconfig: /opt/lib32/lib/libss.so.2 ist kein symbolischer Link
[root@t4rg3t Downloads]#
What's up here? Any ideas? Will be glad for help ...

Similar Messages

  • New Package: Arno's iptables firewall scripts

    I made a PKGBUILD for Arno's IPTABLES firewall script. This script has protected my home network for a long time and I realized that some other Archers would also like to use it. Also, a syslog-ng.conf example is included to get iptables logs into their own log file.
    The script has a clear, easy and well commented configuration file. Nice list of features:
    Very secure stateful filtering firewall
    Both kernel 2.4 & 2.6 support
    It can be used for both single- and multi(eg. dual)-homed boxes
    Masquerading (NAT) and SNAT support
    Multiple external (internet) interfaces
    Support multiroute NAT & SNAT (load balancing over multiple (internet) interfaces)
    Port forwarding (NAT)
    Support MAC address filtering
    Support for DSL/ADSL modems
    Support for PPPoE, PPPoA and bridging modem setups
    Support for static and ISP assigned (DHCP) IPs
    Support for (transparent) proxies
    Full support for DMZ's and DMZ-2-LAN forwarding. You can also use it to isolate your eg. wireless LAN.
    (Nmap)(stealth) portscan detection
    Protection against SYN-flooding (DoS attacks)
    Protection against ICMP-flooding (DoS attacks)
    Extensive user-definable logging with rate limiting to prevent log flooding
    Includes options to optimize your throughput
    User definable open ports, closed ports, trusted hosts, blocked hosts etc.
    Log & protection options are both highly customizable
    Support for custom iptables rules in a separate file
    It can be used with chkconfig runlevel system (eg. RedHat/Fedora)
    Main focus on TCP/UDP/ICMP but additional support for *ALL* IP protocols
    It works with Freeswan IPSEC (VPN) & SSH Sentinel (http://www.freeswan.org) (+virtual IP's)
    It works with PoPTop PPTP (http://www.poptop.org)
    It works with UPnP
    DRDOS protection/detection (experimental)
    It's easy to configure
    And much more...
    (edit) PKGBUILD is in the AUR.
    This is my first package ever so tell me what to fix. I will put this to AUR if supported and this really works.

    1c3d0g wrote:
    Is this similar to QuickTables?
    http://qtables.radom.org/
    Arno's iptables has a config file that will be edited as needed, and the script reads the config file every time it is executed.
    I can put this PKGBUILD in the AUR. The init script is not Arch-like. I decided to use Arno's script as is in /etc/rc.d/ because I want to see what happens. I could do an Arch type of init script that executes the firewall script the Arch way.
    What do you think?

  • [SOLVED] firewall from wiki, iptables: No chain/target/match by

    I am trying to build a simple firewall using Arch wiki page, https://wiki.archlinux.org/index.php/si … l_firewall
    I ended up with this:
    #!/bin/bash
    iptables -N TCP
    iptables -N UDP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    iptables -P INPUT DROP
    iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
    iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
    iptables -D INPUT -p tcp -j REJECT --reject-with tcp-rst
    iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
    iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with port-unreach
    iptables -D INPUT -p udp -j REJECT --reject-with icmp-port-unreach
    iptables -A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreach
    iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
    iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
    iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
    iptables -A INPUT -p tcp -j REJECT --reject-with tcp-rst
    iptables -D INPUT -j REJECT --reject-with icmp-proto-unreachable
    iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
    When I run the script, it gives me this error:
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    The problem is caused by the last 4 lines. What do I do wrong?
    (I use current x64 Arch).
    Last edited by dopalek (2014-06-06 11:59:11)

    Gcool wrote: You're probably getting those warnings because you're trying to delete (iptables -D) rules that don't exist. While this is no big deal in itself (the rest of the rules will still be applied), you could consider simply omitting the 3 "iptables -D" rules from your config, which should get rid of the warnings.
    You are right, thank you, I didn't notice it before.
    Anyway, I guess the -D rules from the wiki are in case somebody has their own rules applied before. It could be explained in the wiki to avoid confusion in future.
    Last edited by dopalek (2014-06-06 12:02:30)
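An idempotent way to load the ruleset this thread is about, added here as an example (it is not the poster's script and not the Arch wiki's): every delete and append is guarded by iptables -C, so the three "-D" lines stop warning when the rule is absent and re-running the script does not duplicate rules, while the ordering those -D lines exist for is kept (the final REJECT rules are removed and re-appended after the port-scan tripwire rules). It assumes IPT names an iptables binary that supports -C, and the helper function names are this example's own.

```shell
#!/bin/sh
# Idempotent rule loading for the wiki-style TCP/UDP chain firewall from the thread.
# Added example, not the poster's script or the Arch wiki's. Assumes $IPT is an
# iptables binary that supports -C (check rule); override IPT to test without root.
IPT="${IPT:-iptables}"

# rule_present CHAIN RULE...: succeed if CHAIN already contains exactly this rule.
rule_present() {
    "$IPT" -C "$@" 2>/dev/null
}

# ensure_rule CHAIN RULE...: append the rule only when it is missing.
ensure_rule() {
    rule_present "$@" || "$IPT" -A "$@"
}

# insert_rule CHAIN RULE...: insert at the top of CHAIN only when it is missing.
insert_rule() {
    rule_present "$@" || "$IPT" -I "$@"
}

# drop_rule CHAIN RULE...: delete every copy of the rule; a silent no-op when the
# rule is not there, which is exactly what the bare "iptables -D" lines lack.
drop_rule() {
    while rule_present "$@"; do
        "$IPT" -D "$@"
    done
}

# ensure_chain CHAIN: create a user-defined chain only if it does not exist yet.
ensure_chain() {
    "$IPT" -nL "$1" >/dev/null 2>&1 || "$IPT" -N "$1"
}

apply_firewall() {
    ensure_chain TCP
    ensure_chain UDP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -P INPUT DROP

    ensure_rule INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ensure_rule INPUT -i lo -j ACCEPT
    ensure_rule INPUT -m conntrack --ctstate INVALID -j DROP
    ensure_rule INPUT -p udp -m conntrack --ctstate NEW -j UDP
    ensure_rule INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

    # Port-scan tripwires at the head of each chain: a source that was marked in
    # the last 60 seconds is rejected before any open-port rule is consulted.
    insert_rule TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
    insert_rule UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable

    # The final REJECT rules must sit after the marking rules. Remove them if an
    # earlier run (or the wiki's basic ruleset) already appended them, then add
    # the marking rules and re-append the final rejects at the end of INPUT.
    drop_rule INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
    drop_rule INPUT -p tcp -j REJECT --reject-with tcp-rst
    drop_rule INPUT -j REJECT --reject-with icmp-proto-unreachable

    ensure_rule INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
    ensure_rule INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable
    ensure_rule INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
    ensure_rule INPUT -p tcp -j REJECT --reject-with tcp-rst
    ensure_rule INPUT -j REJECT --reject-with icmp-proto-unreachable
}

# Only touch the live tables when run explicitly as root: ./firewall.sh apply
# Sourcing the file just defines the functions.
if [ "${1:-}" = "apply" ]; then
    apply_firewall
fi
```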

  • Arch as a firewall

    Well, I have a little question: is it possible to use Arch as a firewall distribution like ipcop and similar?

    Have a look at this page.
    Generally, setting up a firewall will require some effort. I'd suggest you take a look at firehol (needs some patching to work with the latest bash properly; that's what I'm using to set up my firewall), gshield (long not updated), shorewall or some script like Arno's Firewall.

  • Arch pc as firewall

    Do I just need to configure iptables to set up an Arch system as a network firewall? What I want to do is force all PCs or devices to go through my Arch system to filter content out in an ACL fashion. So I would connect it to a switch and make it then point to my router. Would this work or am I going about this wrong?

    This is my setup:
    Internet<----->Modem<---->ArchRouter (iptables, squid)<----->Switch<---->Internal Network
    My house is all wired.
    I recently added a wlan0 to router, but can't get it to work

  • Is there any need to firewall Arch?

    Ubuntu advertises as having most of its ports closed to attacks by default.
    How is this set up in Arch? Do I need to install a firewall?
    Thanks.

    I wonder what is the most common way people get hacked. Just ran those tests on Shields UP! and received outstanding reports, and that is sitting behind my Windows computer (behind a router, but that's it):
    Filesharing:
    Your Internet port 139 does not appear to exist!
    One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.
    Unable to connect with NetBIOS to your computer.
    All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.
    Common Ports
    Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.
    All Service Ports:
    Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.
    Messenger Spam:
    No mail reveived.
    What would I have to do to enable a hacker to enter my system? Or what does this Shields UP! site forget to check, what a hacker could attempt to do to still break into my system?
    Last edited by ibendiben (2008-02-18 11:46:41)

  • Best firewall for use with Arch?

    Any idea?
    Just running a D-link router and that doesn't make me sleep safely.

    http://wiki.archlinux.org/index.php/Spe … wall&go=Go
    http://bbs.archlinux.org/search.php?act … rch=Submit

  • Installing Multiple Operating Systems with grub and Arch Linux

    NOTE: Please keep in mind that there are many different ways to achieve this same result using various loop and ramdisk methods, read this with a separate window to jot down your comments and suggestions... this is ongoing for me so any help would be appreciated!
    Read the full article at Install Multiple Os without cds
    This is my first post and I plan on making this topic an official HOWTO with www.tldp.org.
    I have been into the computer security scene since 1990, but I realized that I had very little experience with the various Linux, Unix, and alternative operating systems out there.
    I have a CD-RW drive but being a struggling computer security researcher I had no money for blank cd-recordables.  What follows is how I managed to install various operating systems on my computer (1 hard drive) without having to burn to a CD the ISO and then boot from that.
    I first partitioned my 120GB harddrive into 10 partitions, the 2nd partition is a small swap and the last partition is extra large because it holds all the ISO images..
    I then wrote a small shell script to automatically download (I love wget!)  the following.
    OpenBSD
    IpCOP
    Libranet
    Arch-Linux
    Fire
    Local Area Security
    Packet Master
    Devil-Linux
    FreeBSD
    Knoppix
    Helix
    Gentoo
    Yoper-Linux
    NetBSD
    RedHat
    Slackware
    The script also downloaded Installation manuals and md5 checksums.. (let me know if I should post... its pretty unsophisticated
    I installed Slackware (personal favorite) on hda1 using my last blank CD-R; note that I do not have a separate boot partition.  (Should I?).  I also installed grub on the MBR.  I love grub; if you read through the man pages and all the info you can find about grub, you can learn a whole lot.  Grub has many more features and capabilities than lilo, even though lilo comes installed by default with slack.
    I organize my kernel situation as follows...  In my /boot directory, I mkdir KERNEL, CONFIG, MAP, INITRD and that is a good way for me to keep my kernels and everything organized..  Another good way is a separate dir for each new kernel. 
    Since Arch-Linux is a solid distro, I'll use that as a first example.
    Here is the Arch-Linux section of my shell script
    goge Arch-Linux
    $w http://puzzle.dl.sourceforge.net/sourceforge/archlinux/arch-0.6.iso
    $w http://unc.dl.sourceforge.net/sourceforge/archlinux/arch-0.6.md5sum
    $w http://www.archlinux.org/docs/en/guide/install/arch-install-guide.html
    md55
    cat arch-0.6.md5sum
    md5sum arch-0.6.iso
    md55
    The first thing to do is to mount the downloaded ISO image so we can use it as if it were an actual CD.
    mount -t iso9660 -o ro,loop=/dev/loop0 cdimage /mnt/cdrom
    Where cdimage= the ISO image.   EX. /usr/local/src/ISO/Linux/Arch-Linux/arch-0.6.iso
    This mounts the iso as /mnt/cdrom.
    Next you need to copy /mnt/cdrom to a separate partition for the booting process.  So mkfs.ext2 /dev/hda9.  (I prefer reiserfs or even XFS to ext, but if you use something other than ext2 you could run into some problems because some of the installation kernels and initrds don't include support for reiserfs and so can't recognize the files.  Although you could use mkinitrd to create a new initrd with reiserfs support, that might be pushing it IMO...)  I use the 9th partition consistently for this.  I know there is a "right" way to copy the /mnt/cdrom files so everything stays the way it is supposed to, using tar or cpio, but I'm lazy so I just do cp -rp.
    (What are the tar or cpio commands to copy with correct permissions etc.?)
    So you mount the 9th partition as whatever, say /mnt/hd and then copy the files.  Now what?
    Now edit your /boot/grub/menu.lst file to include the specific options to boot arch-linux installation. 
    A good idea is to find the isolinux.cfg file somewhere on the distro cd, this will tell you what to include in the menu.lst.
    Here is the section in my menu.lst
    title Arch Install
    root (hd0,8)
    kernel /isolinux/vmlinuz load_ramdisk=1 prompt_ramdisk=0 root=/dev/rd/0
    initrd=/isolinux/initrd.img
    This should be self-explanatory.  The root (hd0,8) is pointing to partition 9.  So the rest of the commands start from partition 9. 
    When you experience problems, remember you can always edit the grub boot options by typing 'e' and then edit the section.  Also, a good idea is to include several variations in your menu.lst so you can easily try other ways to boot efficiently.  And, remember to read up on all the installation guides that come with your distro, specifically, hard-disk installs. 
    There are special cases, Gentoo, has a semi-new compressed filesystem called squashfs.  BTW, this is AWESOME, so check it out.  It has to be compiled into the kernel, so some work is in order, but use this recompile to optimize your kernel.  You can get the squashfs patch for almost any kernel.  I use the latest stable 2.6 kernel.  Squashfs is incredible and although I don't think you need it to install from ISO, you do need it to expand the livecd.squashfs filesystem that comes with the cd.
    Heres a sample Gentoo section from my menu.lst
    title Gentoo Install
    root (hd0,8)
    kernel /isolinux/gentoo root=/dev/ram0
    initrd=/isolinux/gentoo.igz init=/linuxrc acpi=off looptype=squashfs loop=/livecd.squashfs cdroot vga=791 splash=silent
    Another tip is the shell that is provided if you experience problems, typically busybox or ash.  The key tools to get you going from here are mount and chroot.  Sometimes you will need to manually create a simulated file system and then chroot into it.  For instance, you might have to create boot, etc, bin, directories on the target partition.
    I generally install each OS onto the next partition (careful of the logical partition) and add it to my menu.lst after install.  A good idea is, after installation, to copy the kernel and initrd (if there is one) to the slackware (or whatever) boot partition on hda1.  I copy kernels to /boot/KERNEL/ and initrds to /boot/INITRD, then menu.lst is more organized...
    You then need to add an updated section to your menu.lst (just comment out the install section for later)
    Here is the finished arch-linux section from menu.lst
    title Arch Linux 6
    root (hd0,2)
    kernel /boot/vmlinuz26 ro root=/dev/hdc3
    This doesn't use my convenient boot/KERNEL/vmlinuz26 as you can tell by setting the root to partition 3.
    ***NOTE: Make a backup of MBR using dd and save to floppy, also backup the partition table to floppy, using cfdisk or parted.  And boot disks (I use 1 with grub, and 1 with slack, and tomsbootdisk) will invariably come in handy.  Tomsbootdisk is recommended, and make the grub boot disk when you install grub.  install to floppy.
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    The final result after some fun experimenting, is when I boot, I have a cool grub boot screen come up with the option to boot into whatever OS I want, this is handy for multiple reasons.  One good thing to do after this is to port scan and vuln scan each OS, after you update of course.  Write this stuff down and you will know the weaknesses/strengths of the various OS's. 
    I can boot a custom Firewall, snort, or multiple honeypots using this procedure, as well as a graphical kde environment with a kernel optimized for graphics and my processor/architecture, or an environment devoted to forensics or even an environment suitable for programming.
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    P.S. Some of the cooler alternative operating systems are BeOS 5, EOS, ER_OS, V2_OS, and my personal favorite Menuet.  Menuet is 100% assembly graphical operating system that fits on a floppy.  Its f'in money!
    This should be a good enough example to get you started, this kind of thing should be learned and not just copied... Knowing how to do this stuff could prove to be exceptionally useful...

    Start by reading all the articles built-in on your Mac - Help > Mac Help, search "printer sharing."
    http://desk.stinkpot.org:8080/tricks/index.php/2008/04/how-to-print-to-a-cups-server-from-mac-os-x/
    http://www.macosxhints.com/article.php?story=20080324224027152&query=share%2Bprinter
    http://members.cox.net/18james/osxprintersharing.html
    http://ubuntuforums.org/archive/index.php/t-56940.html

  • Arch and community's attitude towards 'root'

    Dear *,
    I've been debating this with myself for a long time. I use the 'root' account. Don't hang me yet. I'm still making up my mind. Which is why this thread.
    I've used Ubuntu for some time before I came to ArchLand. There we obviously work as mundane 'user's. The problem is I find sudo doesn't let me 'do' anything much. When I started with Arch, I found myself at home in the root account and have always stayed that way. I've read a lot on the security issues with the root account but I'm still not sold. Most people only preach it as gospel. Some people give valid reasons. But Arch is the only distro where I've found that people preach the least. About this as well as other things. So I thought it'll be a good quality control to receive criticism and support here.
    The reasons I've usually seen are thus:
    > You'll end up deleting something really important belonging to:
        >> You: My defence to that is that I can do that similarly stupidly on my /home/username/ files anyway! Right! So just because I'm using sudo does not save me from deleting my own files anyway. And I keep a double backup not more than a few days old at all times!
        >> Someone else: Now, I use a laptop that "only" I work on. And I don't think that anyone will ever work on my laptop (too possessive about my machine!) at least as a permanent user to warrant his/her own /home setup. So that is no problem either.
        >> System: Now, I agree to this completely as a risk. However, in my now considerable use of Linux, I've ended up breaking my system only a few times, most of which happened in Ubuntu with sudo, most probably because I was new and inexperienced in the *nix way of doing things. Going as root has taught me instead to be extra careful as second nature. Even then, I believe that one cannot be too cautious. However, I have multiple views on this:
              >>> Since these are system files we are talking about, even if I was running as a user, I'd be using sudo to work with them, which means if I was being stupid I'll mess up anyway and sudo won't 'magically' save me from my own foolishness.
              >>> I find that even if I mess up my system once in 6 months (which I don't, but just for argument's sake), the productivity loss in terms of taking a day to setup Arch back (with my backups) is MUCH less than the productivity loss I've always experienced in running with sudo. I keep forgetting prepending sudo, writing scripts is a pain with all those exotic options, etc. etc. I know I can edit the sudoers file but that just beats the principle of sudo anyway! Innit?
    > Malignant software: Now this is another area where I don't see how sudo is really useful at all. If I'm running code from someone else, it'll usually come from the Arch or AUR repositories. Not that that is foolproof, but come on, you guys and the open-source community _are_ awesome! Plus ESR's eyeball argument. We know malignant software is _almost_ unprecedented in Linux. Also, again, sounding like a broken record, I'd be using sudo to install (and probably run) that software which leaves me with no safety once the password has been entered.
    > The only "really" dangerous reason I've ever come across that I don't have a good rationalization or counter-argument against is: virii and the possibility of someone taking over the machine virtually (rootkits or something else) and using my stupidity of running as root to use my machine to launch attacks against others. Now this I can't argue against. I don't know how possible this is under the present scenario (boy, I hope not much!) but I'd like to know from you guys. What do you think about this risk. Is there any benefit of running as sudo or root here? Plus I don't want others to be hurt because of my stupidity in the FOSS community.
    So that is my dilemma. Will love to hear what you guys think about this issue. If you think I'm deluding myself with what I said above, please explain how and I'll be indebted. If you think there are more reasons to run as sudo or root, I'd love to hear. Even though I think sudo is a big pain in the a**, I don't mind living with it if I'm convinced that it is "sufficiently" more secure to offset the pain in the a**.
    Just last thing, I also hate that I can't use gnome-screensaver with root. I know and _agree_ with the reasons for that. Just saying.
    Last edited by Dumbledore (2011-07-26 14:46:09)

    Dumbledore wrote:
    Dear *,
    I've been debating this with myself for a long time. I use the 'root' account. Don't hang me yet. I'm still making up my mind. Which is why this thread.
    I've used Ubuntu for some time before I came to ArchLand. There we obviously work as mundane 'user's. The problem is I find sudo doesn't let me 'do' anything much. When I started with Arch, I found myself at home in the root account and have always stayed that way. I've read a lot on the security issues with the root account but I'm still not sold. Most people only preach it as gospel. Some people give valid reasons. But Arch is the only distro where I've found that people preach the least. About this as well as other things. So I thought it'll be a good quality control to receive criticism and support here.
    The reasons I've usually seen are thus:
    > You'll end up deleting something really important belonging to:
        >> You: My defence to that is that I can do that similarly stupidly on my /home/username/ files anyway! Right! So just because I'm using sudo does not save me from deleting my own files anyway. And I keep a double backup not more than a few days old at all times!
        >> Someone else: Now, I use a laptop that "only" I work on. And I don't think that anyone will ever work on my laptop (too possessive about my machine!) at least as a permanent user to warrant his/her own /home setup. So that is no problem either.
        >> System: Now, I agree to this completely as a risk. However, in my now considerable use of Linux, I've ended up breaking my system only a few times, most of which happened in Ubuntu with sudo, most probably because I was new and inexperienced in the *nix way of doing things. Going as root has taught me instead to be extra careful as second nature. Even then, I believe that one cannot be too cautious. However, I have multiple views on this:
              >>> Since these are system files we are talking about, even if I was running as a user, I'd be using sudo to work with them, which means if I was being stupid I'll mess up anyway and sudo won't 'magically' save me from my own foolishness.
              >>> I find that even if I mess up my system once in 6 months (which I don't, but just for argument's sake), the productivity loss in terms of taking a day to setup Arch back (with my backups) is MUCH less than the productivity loss I've always experienced in running with sudo. I keep forgetting prepending sudo, writing scripts is a pain with all those exotic options, etc. etc. I know I can edit the sudoers file but that just beats the principle of sudo anyway! Innit?
    While this is indeed a risk, it is not the most critical one.  I have, as you said, totally f'ed up system files using sudo as well; but it does prevent you from the hassle of rm -rvf in the wrong directory.
    > Malignant software: Now this is another area where I don't see how sudo is really useful at all. If I'm running code from someone else, it'll usually come from the Arch or AUR repositories. Not that that is foolproof, but come on, you guys and the open-source community _are_ awesome! Plus ESR's eyeball argument. We know malignant software is _almost_ unprecedented in Linux. Also, again, sounding like a broken record, I'd be using sudo to install (and probably run) that software which leaves me with no safety once the password has been entered.
    Malignant software is unprecedented BECAUSE of the permissions system.  I can show you tons of rootkits / key loggers / etc., but unless you are running as root, they can't touch important system files.  This includes running programs like Firefox, Chrome, etc.  There is a reason that infections have changed in the Windows 7 era (moving to looking more like legit programs vs straight infections), and that is because they now have a permission system that makes the user do something before anything can be installed / modified at the system level.  As for using the AUR, you had better know how to read the PKGBUILD and INSTALL files if you are using sudo .... and even then you really shouldn't be using sudo with the AUR.  Of course, to be fair, without package signing, the argument could also be made that you shouldn't install anything from the repos either .... but that's another topic entirely.
    > The only "really" dangerous reason I've ever come across that I don't have a good rationalization or counter-argument against is: virii and the possibility of someone taking over the machine virtually (rootkits or something else) and using my stupidity of running as root to use my machine to launch attacks against others. Now this I can't argue against. I don't know how possible this is under the present scenario (boy, I hope not much!) but I'd like to know from you guys. What do you think about this risk. Is there any benefit of running as sudo or root here? Plus I don't want others to be hurt because of my stupidity in the FOSS community.
    Look, it's your risk; and it's totally feasible that because you wish to run as someone who has uber access to everything, you can get hacked.  There is a reason that the permission systems put in place in *NIX systems are copied and used throughout other systems.  Especially if you take part in things like torrenting / visiting iffy sites (even pr0n) etc.  And god help you if you don't have a strong firewall!!
    So that is my dilemma. Will love to hear what you guys think about this issue. If you think I'm deluding myself with what I said above, please explain how and I'll be indebted. If you think there are more reasons to run as sudo or root, I'd love to hear. Even though I think sudo is a big pain in the a**, I don't mind living with it if I'm convinced that it is "sufficiently" more secure to offset the pain in the a**.
    Just last thing, I also hate that I can't use gnome-screensaver with root. I know and _agree_ with the reasons for that. Just saying.
    Look, hands down it's your choice; and it seems like you made your decision, you are the one who has to live with it.  Personally, I think it's stupid, and presents needless risk.  Heck, I love the fact that I can visit and screw around with stuff / sites that others can't, simply because of the bad-ass permission / firewalling that is inherent in my system.  Personally I don't see how sudo is a PITA, but then again I have been using it since I started using Linux (close to 14 years), so maybe I am just used to it.

  • Can't scan from Lexmark multifunction printer - firewall issue?

    Hi there!
    I got a Lexmark printer/scanner combo which used to work fine on my arch install. However, its mobo died, so now I'm back at another install which refuses to scan. Scanning is done through the browser via a java applet residing on the printer's webserver. The applet does start (so it's not a java issue), but refuses to receive data from the scanner. Within the printer's web interface, it reads
    If using Windows XP, the Windows XP personal firewall must be disabled before using Scan to PC profiles.
    , so I'm assuming it might be a firewall issue. Lexmark's website provides the following advice:
    The following two command lines will open the port 5353 for incoming and outgoing connections:
    iptables -I INPUT -p udp -m udp --sport 5353 -j ACCEPT
    iptables -I OUTPUT -p udp -m udp --dport 5353 -j ACCEPT
    NOTE: These steps will work on most distributions configured with IPTABLES. There is no common command to make these rules persistent.
    As I don't know anything about IP tables, I've simply copied these commands (as root, obviously). Still, I can't scan.
    So, my questions are:
    1. Has anybody else ever come across an issue like this?
    2. I don't even know for sure whether this is a firewall issue - what iptables magic would I need to temporarily disable the firewall to check?
    3. I tried checking my rules by "iptables -L". How can I tell "iptables -L" to specify the ports it is working on (as I did in the commands copied from lexmark's website)?
    Best wishes,
    Rufus

    Hi Bob
    I believe so.  We put the install disc into this mac back when we bought it to set up the printer.  I'm assuming the scanning drivers were there as well since it's a multifunctional printer/scanner/fax wireless printer.
    We've tried it both ways.  If I press the scan button on the printer, it reads "can't find computer" (or something like that).  When we go through the HP icon on my computer screen and choose scan to computer, it does nothing.
    We don't scan that often.  So the few times when we ran into this problem, we just did something else (like take a pic with our iPhone and email the pic... kinda stupid but did the trick).
    But I want to have the function of the scanner available.  So that's why I'm here asking...thought others had this issue and had a solution.

  • [SOLVED] Recommendations needed - Arch + Apache for local development

    Hello,
    I'm a new Arch user, and relatively new with Linux. I'm getting to like Arch very much.
    I do web development, and I do most of my programming in Perl.
    I have already installed Perl and some tools, and I'm about to install Apache. The idea is to have the Apache server just for local development and testing.
    So the question is: Do you recommend that I install a firewall?
    What security measures should I take?
    Is there any easy way to enable and disable Internet access to the apache server?
    Thank you!
    Last edited by iopo (2009-10-28 19:24:14)

    Thank you friends.
    Yes, my Internet is via a router. I like the idea of setting the server to listen on the local address, I will try that.
    Now, as I'm new to Linux and Arch, I would like to know if I should take any extra security measures. In Windows I used anti-virus + firewall all the time, and I blocked Apache from accessing the Internet with the firewall.
    I have set a strong root password, but the "normal user" has sudo. Is that secure enough?
    Are there any "must have" security tools or measures to set up on a box like mine (desktop usage + local network (3 machines) + Apache for local usage and testing only)?
    Is it common to get some malware, worm, trojan, spyware or some kind of phishing just by surfing the web without user "action" to install it?
    I know Linux is much safer because of users and permissions. I like that very much, it feels a lot safer.
    Now, I have used Arch for a week or so with no firewall (router firewall is disabled also) and no anti-virus. Absolutely no special security measures, and there seem to be no log-in attempts in the log files... and no problems at all. Windows without firewall and anti-virus will die in a few hours just by leaving it connected to the Internet....
    I just wanted to ask you all (Arch users) if you normally use a firewall, and if you take some special measures to stay free of trojans, spyware, etc...
    I will appreciate your comments.
    Thank you!

  • Slackware to Arch server switch questions

    I want to have this setup, with all PCs running Arch:
    http://img.photobucket.com/albums/v637/ … SYSTEM.jpg
    I currently run NTL and the modem has an ethernet port on it, so it's all easy and good with my Slackware server: DHCP on one network card and fixed IP on the other.
    But I have to have an ADSL line in the new house with Tiscali and I can't see any of their modems that are not USB. So is there a "how to" for USB modems?
    Is it easy to set up the above network?
    The Slack server is a firewall (rc.firewall script etc.) and a Samba share and that's about it.... it forwards some ports here and there but nothing else.
    I have never used Arch as a server so I have no idea what I'm supposed to do etc., even if I had 2 network cards I have no idea how to tell one to be DHCP and the other fixed IP in rc.conf etc.... do I just have another section for the 2nd network card?

    CyRiX_BlAcK wrote: But I have to have a ADSL line in new house with tiscali and I cant see any of their modems that are not USB. So is there a "how to" for USB modems?
    I don't know anything about Tiscali, but if USB is all they can give you, I would strongly recommend getting your own ethernet gear - it will save you a lot of hassle IMO.
    CyRiX_BlAcK wrote: do I just have another section from the 2nd network card?
    Basically yes. You will have eth0= and eth1= lines with the appropriate parameters, followed by
    INTERFACES=(lo eth0 eth1)

  • [Solved]Pacman fails to connect to server in Arch Virtual Machine

    Hi
    I've just installed Arch 2008.06 in VMware Workstation 6.04 on Vista Business x64. The setup all went fine and I am now logged into my system, but pacman refuses to connect to anything. I have tried bridged networking and NAT to no avail. Whenever I run 'pacman -Syy' I get the message
    "error: failed retrieving file 'core.db.tar.gz' from ftp.archlinux.org : File unavailable (e.g.,file not found, no access)"
    followed by the same message for each mirror in my mirrorlist, and then again for 'extra.db.tar.gz' and 'community.db.tar.gz', and then 'failed to synchronise any databases' at the end.
    I have tried pinging Google, as well as several of the Arch mirrors, and they all work fine. wget also seems to work fine; it's just pacman that's not working.
    Anyone have any suggestions?
    Last edited by henrypootel (2008-09-12 01:53:56)

    That's what I thought too, so I switched off the Vista firewall and still no luck. I am behind a hardware firewall here at work, but it shouldn't be blocking FTP traffic. I use FTP in Windows all the time.
    Just tried downloading a file using wget and it worked fine.
    Last edited by henrypootel (2008-09-11 03:45:29)

  • Arch does not umount busy disks before shutdown?

    Hello,
    Been using Arch on my laptop, desktop, firewall and HTPC for a couple of years now. I really like the setup.
    When shutting down the PC, Arch runs the shutdown scripts that unmount the mounted volumes. If the volume is busy, it gives me a message:
    "/mnt/sdc4: device is busy"
    But then it continues to power off, leaving my disk(s) in an inconsistent state on boot. It seems to me that Arch should wait until the disks are properly unmounted before shutting off.
    Does anyone else see this as an issue?
    Thanks,
    Nate

    Just saw this:
    http://bbs.archlinux.org/viewtopic.php?id=40747
    Guess I'm not the only one with this issue...

  • So does any Linux have a built in firewall?

    I hear that the Linux kernel has a firewall called iptables built in and working. How secure is it? Is it included with Arch by default? I am just wondering because there is a package called iptables in the repos...

    Well, this might help you better and give you a basic understanding of the subject: http://wiki.archlinux.org/index.php/Firewalls. As far as I can tell, iptables is the only firewall Linux has, and it is as powerful and secure as you make it. I have been using Shorewall, which is another application for managing iptables in an easier, more logical way, to manage my iptables firewall, and my firewall passes the Shields Up! test with perfect stealth, so it really can be secure.
