PCLinuxOS-Forums
Topic: firewall doesn't remember settings  (Read 2151 times)

alphaace
« Reply #15 on: August 11, 2010, 09:14:59 AM »

Hm, I never actually looked if shorewall was running in CC.

It wasn't. I tried activating it and it gave me an error when I clicked start:

Compiling... ERROR: No firewall zone defined.

menotu
« Reply #16 on: August 11, 2010, 09:22:37 AM »

I checked mine today and the settings weren't being kept so I re-installed the following

drakx-net-text (0.87-4pclos2010)
mandi-ifw (1.0-1pclos2007)
shorewall (4.4.11-1pclos2010)

That worked for me and now things are hunky dory (may need to restart)

If you can keep your head while all around you are losing theirs, then you have misunderstood the situation.

PCLinuxOS 32bit & 64bit; 3.2.17bfs kernel, KDE 4.8.3; nvidia 295.53, Athlon 64 X2 4200+; 4GB Ram; NVidia GeForce 8400GS 1GB; x.org 1.10.4 ; 500GB/320GB

alphaace
« Reply #17 on: August 11, 2010, 09:43:01 AM »

Worked for me too! Shorewall now loads on boot and it keeps my settings. :-)

On a slightly unrelated note: The bit torrent server, is that for uploading and downloading bittorrents or running your own torrent server? Sorry if that's a dumb question!

menotu
« Reply #18 on: August 18, 2010, 11:08:42 AM »

Quote
On a slightly unrelated note: The bit torrent server, is that for uploading and downloading bittorrents or running your own torrent server? Sorry if that's a dumb question!

As is always said on the forum - there are no dumb questions.  ;-)

It's my understanding that the torrent option is for simply downloading and seeding torrents back out again (if your torrent app is set up to reseed).

pags
« Reply #19 on: August 19, 2010, 02:01:14 PM »

Quote
:-(. I wonder why mine doesn't work.

Thanks for taking the time to answer Tex.

Yes, for example, I disable ssh since I don't login remotely (I uncheck). However, when I go back in, the box is still checked.

Anyone have any suggestions then how to start the debugging??

I'm glad you got your problem resolved.  I was just wondering about your example, though.

In the case of something like ssh
Quote
for example, I disable ssh since I don't login remotely
wouldn't it be better to just not run the service at all, instead of running it, and then blocking it with a firewall rule?

alphaace
« Reply #20 on: August 21, 2010, 10:13:47 PM »

That is a good point pags. I checked and it is disabled. At the time I was just playing with the firewall settings but thanks for checking up :-).

halgol60
« Reply #21 on: October 30, 2010, 10:03:08 PM »

I just ran into this same problem while installing PCLinuxOS 2010.10 XFCE.   I see a bit of a security hole here, but perhaps I am being overly paranoid.

Between the time that you connect to the internet in order to perform those re-installs (see above) to the time that the firewall is running, you may be wide open to any number of exploits over the Internet.  But, again, maybe I misunderstand the exact inner workings of this system.  Please clarify if so.  If not, then there is a (albeit possibly) short window of vulnerability to be concerned with.

I have installed 2010.1 and 2010.7 several times due to various strange phenomena, not all of which are necessarily related to security breaches.  However, my system was not otherwise protected during those installs, which likely means that it was vulnerable.  Perhaps at least some of my stability issues are related, particularly the one I posted recently about some klog messages "penetrate" which I cannot find the source of.

This time, installing 2010.10, I am sitting behind my trusty ipcop firewall machine, which I re-added to my "network" after the last install when I discovered that shorewall did not properly work.   I am hoping that I may find fewer problems this time.  But time will tell.

At any rate, this certainly seems like a serious security problem, and could leave new PCLinuxOS users with the wrong impression and drive them away to other distros.   Again, unless I misunderstand something.

Texstar
« Reply #22 on: October 30, 2010, 10:14:22 PM »

Quote
perhaps I am being overly paranoid.

Yes you are.

1. Someone would have to find you on the internet and know that you have booted a live pclinuxos cd and are doing an installation. They only have a 10 minute time frame to do this.

2. They would have to somehow gain access to your livecd and execute some kind of remote exploit to gain access. (None that I know of at this time). Almost all of the exploits you hear about with Linux are local exploits. Most people these days are behind a router firewall.

3. They would have to wait until you completed your installation then at the precise seconds before you rebooted copy infected files to your hard drive.


Follow the development of PCLinuxOS on Twitter
Help fund the PCLinuxOS project!

"I'm not so good on advice, can I interest you in a sarcastic reply?"

halgol60
« Reply #23 on: October 30, 2010, 10:22:24 PM »

Quote
perhaps I am being overly paranoid.

Yes you are.

1. Someone would have to find you on the internet and know that you have booted a live pclinuxos cd and are doing an installation. They only have a 10 minute time frame to do this.

2. They would have to somehow gain access to your livecd and execute some kind of remote exploit to gain access. (None that I know of at this time). Most people these days are behind a router firewall. Almost all of the exploits you hear about with Linux are local exploits.

3. They would have to wait until you completed your installation then at the precise seconds before you rebooted copy infected files to your hard drive.



Well, then, I apologize for being overly concerned.  However, it seems to me that the install process goes a little differently, at least for me.

I don't set up a network connection until after the 1st reboot when I am no longer working off the liveCD.  This is because the end of the installation wizard urges me to shutdown, remove the media from the drive, etc etc etc.  Furthermore, a newbie user might not realize they need to set up their firewall before they boot off the HD for the first time.

Sure, you and I should be smart enough to realize these obvious things.  But I worry that many people are migrating from Windows land where things are done for them auto-magically (or are they really being done at all? hahaha).   These newbies think that Norton and the like protect them from all the horrors of the Internet so they don't have to worry about them.  I know too many like that.  I'm sure you do, too.

That is why I mentioned it.  I am still here, hanging on to PCLinuxOS because I want to see it thrive.  I just want to make sure that others don't get burned by assumptions we make.  This problem should be repaired, and I think it should be fairly urgent.

halgol60
« Reply #24 on: October 30, 2010, 10:24:38 PM »

Actually, now that I think about it:  Why not have a nominal firewall set up automatically upon completion of the install?   I'd opt for most paranoid configuration (of course!), and then the user can step it back to whatever level of intrusion they are comfortable with, depending on their needs.

Texstar
« Reply #25 on: October 31, 2010, 01:14:02 AM »

We've already been through this before.

One release we didn't have a firewall enabled and people complained about it.

The next release we enabled the firewall then people complained they could not connect to various services resulting in numerous support questions about smb, gnutella, bittorrent etc...

The next release we enabled the firewall but opened some common ports that most people would normally use and people complained about the open ports they would not be using.

The next release we said to hell with it. Here's the firewall setup button on your desktop. Click on it if you need a software firewall.

We are not going to babysit our users. Security is your responsibility. We will do our best to provide software security updates. It is your responsibility to install them. We will provide you with the tools to enable a software firewall but it is your responsibility to enable it if you need one. We will tell you not to run as root user but we won't disable root logins.

Rudge
« Reply #26 on: October 31, 2010, 01:18:03 AM »

mission impossible theme song

Magickman
« Reply #27 on: December 19, 2010, 10:14:55 PM »

I too am having trouble with Shorewall. When I run the command, "/etc/rc.d/init.d/shorewall reload," I get this in return: ERROR: No IP zones defined.

I tried erasing Shorewall, and re-installing it, but all to no avail. Using Firestarter till someone gets back to me.

On further investigation, I got it fixed. Forgot to configure it in CYC. Works fine now, passed a hostile code test with no trouble. 
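
The two Shorewall compile errors quoted in this thread ("No firewall zone defined" and "No IP zones defined") both point at the zones file, so a pre-flight check like the one below catches them before the service is started. This is an added example, not part of any poster's message or of Shorewall itself; the function names, the sample files and the mapping of each error to a missing zone type are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check of a Shorewall zones file (ZONE TYPE ... columns).
# Assumed mapping: no zone of TYPE "firewall" -> "No firewall zone defined";
# no zone of TYPE ipv4/ip (or "-"/empty, the default) -> "No IP zones defined".

# check_zones FILE: prints one status line; returns 0 only when both kinds exist.
check_zones() {
    zones_file=$1
    if [ ! -r "$zones_file" ]; then
        echo "ERROR: cannot read $zones_file"
        return 2
    fi
    result=$(awk '
        { sub(/#.*/, "") }                     # strip comments
        NF == 0 { next }                       # skip blank lines
        { type = (NF >= 2) ? $2 : "-" }        # empty TYPE column means ipv4
        type == "firewall" { fw++; next }
        type == "ipv4" || type == "ip" || type == "-" { ip++ }
        END {
            if (!fw)      print "ERROR: No firewall zone defined"
            else if (!ip) print "ERROR: No IP zones defined"
            else          print "OK: " fw " firewall zone, " ip " IP zone(s)"
        }' "$zones_file")
    echo "$result"
    case $result in OK:*) return 0 ;; *) return 1 ;; esac
}

# write_samples DIR: constructed zones files, not taken from the thread.
write_samples() {
    printf '%s\n' '#ZONE TYPE OPTIONS'                 > "$1/empty"
    printf '%s\n' '#ZONE TYPE' 'fw firewall'           > "$1/no_ip"
    printf '%s\n' '#ZONE TYPE' 'fw firewall' 'net ipv4' \
                  'loc -   # default type'             > "$1/good"
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in empty no_ip good; do
    printf '%-6s ' "$f"
    check_zones "$tmp/$f" || true
done
rm -rf "$tmp"
```

On an installed system the function would be pointed at `/etc/shorewall/zones`; a non-zero return means the firewall would not have compiled and so is not filtering anything.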

Switchblade
« Reply #28 on: August 19, 2011, 06:59:38 PM »

People are missing the point here...it’s not should the firewall features be enabled or disabled by default, but the fact that the system doesn’t retain settings other than initial default values. Frankly I consider Phoenix Edition very insecure for this reason.

When installing Phoenix I set up a high level of security and “unchecked” all Firewall services. After noticing my data rates ballooning and a file appearing that I didn’t download, I checked the Firewall settings and lo and behold they were back to default values.

I, like alphaace, then realised the Firewall has a security issue, and thanks to his post and that of menotu’s, I reinstalled drakx-net-text, mandi-ifw and shorewall with the result that now the Firewall retains all my settings.

It will be interesting to see if my data throughput returns to normal. I suspect someone was tunneling perhaps via the SSH service?

The release needs recompiling, given its increasing popularity, otherwise I’m very grateful to the developers for this edition.

Cheers
Kev   