
Getting to grips with the RISC OS firewall

By Chris Williams. Published: 25th Aug 2003, 23:27:31

When security through obscurity just isn't enough

The recent onslaught from the Blaster worm would have been curbed if more Windows users had appropriately patched their computers or at least employed a firewall to block off a vulnerable port. While RISC OS users joined in with Apple and Linux users for a good round of smug, gleeful laughter at the expense of those suffering from the worm's more than irritating effects, it should be noted that RISC OS computers themselves can be quite vulnerable when connected directly to the internet.

Due to the size of the platform, it's fortunate that there are no RISC OS-specific exploits in the wild. However, it's still a good idea to keep third-party internet and networking services, such as your telnet server, HTTP proxy, Samba server and mail server, protected and firewalled off.

A firewall is usually software that, among other tricks and feats, is configured to allow only wanted connections to reach your computer and to disallow the rest. For example, a firewall can prevent people across the internet from reaching services running on your computer, while still allowing people on your local network to access them.

RISC OS Select includes a straightforward firewall, inetfw, and *inetfw help gives a good description of each firewall command. Paul Vigay has also begun writing a tutorial on how to configure the Select firewall. Below is David Ruck's example firewall script, which Select users wishing to employ the firewall can use as a basis.

Dave's script ensures that the Freeway, ShareFS, HTTP proxy and Samba server services, and then the standard ports, are protected from the internet, while connections from the local network are allowed. The script assumes you're connecting to the internet via ppp0 and that ex0 is the local area network interface; substitute the interface names relevant to your hardware setup.

Example firewall script for RISC OS Select


| Enable Firewalling (always defaults policy to 'deny')
IF "<Inet$Error>" = "" THEN InetFW -e Enable on

| Deny ppp connections to freeway or sharefs ports
IF "<Inet$Error>" = "" THEN InetFW -e Add -n 6000 -p deny -W ppp0 -P UDP -I -O -D * 49171,32771,32770,32768

| Deny ppp connections to HTTP proxy
IF "<Inet$Error>" = "" THEN InetFW -e Add -n 6001 -p deny -W ppp0 -P TCP -I -D * 8080

| Deny ppp connections to SMBServer
IF "<Inet$Error>" = "" THEN InetFW -e Add -n 6002 -p deny -W ppp0 -P TCP -I -D * 139
IF "<Inet$Error>" = "" THEN InetFW -e Add -n 6003 -p deny -W ppp0 -P UDP -I -D * 137

| Deny ppp connections to other standard ports so they appear in stealth mode to port scans
IF "<Inet$Error>" = "" THEN InetFW -e Add -n 6004 -p deny -W ppp0 -P TCP -I -D * 21
IF "<Inet$Error>" = "" THEN InetFW -e Add -n 6005 -p deny -W ppp0 -P TCP -I -D * 23
IF "<Inet$Error>" = "" THEN InetFW -e Add -n 6006 -p deny -W ppp0 -P TCP -I -D * 25
IF "<Inet$Error>" = "" THEN InetFW -e Add -n 6007 -p deny -W ppp0 -P TCP -I -D * 37
IF "<Inet$Error>" = "" THEN InetFW -e Add -n 6008 -p deny -W ppp0 -P TCP -I -D * 79
IF "<Inet$Error>" = "" THEN InetFW -e Add -n 6009 -p deny -W ppp0 -P TCP -I -D * 110
IF "<Inet$Error>" = "" THEN InetFW -e Add -n 6010 -p deny -W ppp0 -P TCP -I -D * 113
IF "<Inet$Error>" = "" THEN InetFW -e Add -n 6011 -p deny -W ppp0 -P TCP -I -D * 115
IF "<Inet$Error>" = "" THEN InetFW -e Add -n 6012 -p deny -W ppp0 -P TCP -I -D * 135
IF "<Inet$Error>" = "" THEN InetFW -e Add -n 6013 -p deny -W ppp0 -P TCP -I -D * 143
IF "<Inet$Error>" = "" THEN InetFW -e Add -n 6014 -p deny -W ppp0 -P TCP -I -D * 443
IF "<Inet$Error>" = "" THEN InetFW -e Add -n 6015 -p deny -W ppp0 -P TCP -I -D * 445
IF "<Inet$Error>" = "" THEN InetFW -e Add -n 6016 -p deny -W ppp0 -P TCP -I -D * 5000

| Default policy is 'accept'
IF "<Inet$Error>" = "" THEN InetFW -e Add -n 65532 -p accept -W lo0
IF "<Inet$Error>" = "" THEN InetFW -e Add -n 65533 -p accept -W ex0
IF "<Inet$Error>" = "" THEN InetFW -e Add -n 65534 -p accept -W ppp0
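To make the matching behaviour of a rule set like Dave's concrete, here is an added Python model (not code from the article, from Dave's script or from RISC OS) of a stateless, rule-ordered packet filter that parses a subset of the rule lines above and evaluates packet headers against them. It assumes rules are tried in ascending rule-number order with the first match deciding, that the host `*` in `-D` means any host, and it understands only the switches the script uses.

```python
import re
# Subset of the Select script above, embedded so the model runs offline.
SCRIPT = """
IF "<Inet$Error>" = "" THEN InetFW -e Add -n 6000 -p deny -W ppp0 -P UDP -I -O -D * 49171,32771,32770,32768
IF "<Inet$Error>" = "" THEN InetFW -e Add -n 6002 -p deny -W ppp0 -P TCP -I -D * 139
IF "<Inet$Error>" = "" THEN InetFW -e Add -n 6003 -p deny -W ppp0 -P UDP -I -D * 137
IF "<Inet$Error>" = "" THEN InetFW -e Add -n 65532 -p accept -W lo0
IF "<Inet$Error>" = "" THEN InetFW -e Add -n 65533 -p accept -W ex0
IF "<Inet$Error>" = "" THEN InetFW -e Add -n 65534 -p accept -W ppp0
"""

def parse_rule(line):
    """One 'InetFW -e Add ...' line -> dict (None for any other line).
    Only the switches the script uses are understood: -n -p -W -P -I -O -D."""
    m = re.search(r'InetFW -e Add (.+)$', line)
    if not m:
        return None
    toks = m.group(1).split()
    rule = {'proto': None, 'in': False, 'out': False, 'ports': frozenset()}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == '-n':   rule['number'] = int(toks[i + 1]); i += 2
        elif t == '-p': rule['policy'] = toks[i + 1]; i += 2
        elif t == '-W': rule['iface'] = toks[i + 1]; i += 2
        elif t == '-P': rule['proto'] = toks[i + 1].upper(); i += 2
        elif t == '-I': rule['in'] = True; i += 1
        elif t == '-O': rule['out'] = True; i += 1
        elif t == '-D':  # '-D host portlist'; assumed: host '*' means any host
            rule['ports'] = frozenset(int(p) for p in toks[i + 2].split(','))
            i += 3
        else:
            raise ValueError(f'unsupported switch {t!r}')
    if not (rule['in'] or rule['out']):   # no direction switch: both ways
        rule['in'] = rule['out'] = True
    return rule

def load_rules(script):
    """Assumption: rules are tried in ascending -n order, first match wins."""
    return sorted(filter(None, map(parse_rule, script.splitlines())),
                  key=lambda r: r['number'])

def decide(rules, iface, proto, direction, port):
    """Policy of the first matching rule, else the built-in 'deny' (stateless)."""
    for r in rules:
        if (r['iface'] == iface and r['proto'] in (None, proto)
                and r['in' if direction == 'in' else 'out']
                and (not r['ports'] or port in r['ports'])):
            return r['policy']
    return 'deny'
```

Because the model keeps no connection state, an inbound ppp0 packet to a high port such as 40000 is accepted whether it is the reply to your own web request or an unsolicited probe, which is the limitation Jaco raises in the comments; removing the three catch-all accept rules turns the same rule set into the default-deny posture druck recommends.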



Links: Firewall tutorial; Dave's firewall script


Discussion


This is one Select feature that would be very welcome on RISC OS 5, and would no doubt bring in more customers.

Quoting from the article, "However, it's a good idea to keep third party internet and networking services like your telnet server...", does this mean there's a RISC OS telnet server available? -- Simon Wilson, Boulder, Colorado

ksattic is a RISC OS User, on 26/8/03 7:08AM

But *please* bear in mind that, due to the fact that RISC OS doesn't have a system of different access rights, everybody with access (physical, or even remote may be enough) can turn your packet filter (that's what it is, it is no firewall) off. A simple *InetFW off is sufficient and can be disguised in almost any code.

Stefan.

sbellon is a RISC OS User, on 26/8/03 7:46AM

I have always assumed that, as my broadband internet connection is via a hardware router, there was little advantage in me setting up the Select firewall (or is it a packet filter?). I have therefore never bothered trying to learn how it works. Should I try? -- Victor Shears, Maidstone

vshears is a RISC OS User, on 26/8/03 8:43AM

I'd like to point out that my example isn't necessarily the best way of doing it.

I have it set up to allow everything by default and only deny what I don't want, so I can run various experimental services and not spend half an hour head scratching before I remember that the port will be disabled by the firewall.

A much better setup for your average user is to put the default rule to deny, and then only accept the type of traffic they are likely to be using.

Of course you need to identify what you are using, such as outgoing HTTP, SMTP, POP3, telnet, IRC and incoming FTP etc. Perhaps someone has written, or would like to write, such a script and make it available.

-- druck

druck is a RISC OS User, on 26/8/03 9:23AM

sbellon> packet filter (that's what it is, it is no firewall)

I'd have called it a packet filtering firewall or a network level firewall. It examines the header of each network packet in turn and decides, from the rules given, whether to block or allow the packet.

The alternative is a proxy server firewall (aka application level firewall). All requests for access are processed at the firewall so that all packets are sent to and from the firewall, rather than from the hosts behind the firewall. This type of firewall inspects not only the packet header but the content as well. As you can imagine, it is also a lot more expensive in terms of computer resources. -- Spriteman.

Spriteman is a RISC OS User, on 26/8/03 10:01AM

Spriteman: My point is that the name "firewall" is misleading. A firewall is a concept, not some kind of hardware or software. A firewall concept can include a packet filter, proxy servers and other things. But still, a packet filter is *no* firewall; it can be *part* *of* a firewall.

And my original point remains: As long as you cannot protect your filter rules under RISC OS via FSLock (or some similar mechanism), they can be easily disabled by the easiest possible social engineering. So, you may use them to get rid of annoying "home phoning" applications, but you cannot rely on some sort of security you might want to achieve.

Stefan.

sbellon is a RISC OS User, on 26/8/03 11:00AM

Does anyone have any practical justification for preventing outgoing connections under RISC OS? It could be justified on a purely paranoid security basis, but what about practical examples? There are obvious ones on Unix and Windows, but I can't think of any RISC OS ones.

-- Peter, drobe.co.uk

mrchocky is a RISC OS User, on 26/8/03 11:18AM

sbellon: dude, your point is totally void - /any/ RISC OS app could just call SWI 0x6A which will soft reset the machine and the user will lose any unsaved data. Or, a *wipe <boot$dir> ~CFR~V in a !boot file. There's also n+1 less destructive things /any/ RISC OS app could do that the user wouldn't notice.

The point is to stop people outside of your local network abusing Antsuite's mail server (and using you like an open relay) or hijacking your taskwindow telnet server (was on gerph's site) etc.

If you're worried about software phoning home, you'll have to get yourself a more sophisticated firewall system if you're concerned about software bringing down inetfw.

Chris, drobe.co.uk

diomus is a RISC OS User, on 26/8/03 1:07PM

Does anyone have a practical justification for using a firewall for RISC OS in the first place? Apart from the four or five people that are really at risk, has there been anybody who really would think about wanting to write malicious software to attack a RISC OS computer in the past five years?

The only malicious piece of software I came across was off the Archimedes World floppy disk and I've never had a problem since - in fact my own programming represents more of a threat than any outside challenge :)

iamnotamused is a RISC OS User, on 26/8/03 2:29PM

diomus: No, my point is *not* void. You are completely right in saying that those other nasty things can happen as well. I am aware of that and people are aware of that. However it looks like people are *not* aware that this packet filter can easily be turned off or bypassed as well. That is what I want to bring to attention. Most people think they are protected from any evil if they just hear the word "firewall".

Stefan.

sbellon is a RISC OS User, on 26/8/03 5:48PM

This 'firewall' thing is no excuse for a broken server configuration. And stealth mode is just a marketing buzzword. Rejecting connections is a lot more polite than dropping them.

This all may look nice, but it does not replace your brain at all. If you deliberately break things, software won't help.

#include <standard_text_about_solving_social_problems_with_technology.h>

maus is a RISC OS User, on 26/8/03 5:57PM

I think people are just as aware of the OS_Reset as they are of the possibility of nasty apps turning off the firewall. RISC OS is really insecure, seriously insecure by design - now is not the time to start listing limitations. We could be here all night. However the Select firewall goes some way to stop people hijacking your machine. And some server software can't be configured to reject outside connections, or whatever point maus was trying to make.

Doomsaying doesn't get anyone anywhere.

Chris, drobe.co.uk

diomus is a RISC OS User, on 26/8/03 7:22PM

It looks like a stateless packet filter, which is not very useful. If it was aware of connection states you could deny all incoming connections and be pretty safe. Now you have to allow incoming packets to all ports except the server ports. The best way to set this up would be to block all outgoing packets except to HTTP and FTP. That way the return packets of an attack will be blocked and you still have only a few rules.

Firewall is really not the right name.

Jaco is a RISC OS User, on 26/8/03 7:56PM

vshears: I also would like someone 'knowledgeable' to answer your question. I am also sat behind a broadband router which also says 'firewall' on the box (D-Link 640). Comments please... -- Martin, Sunny Shropshire.

Mart is a RISC OS User, on 26/8/03 8:24PM

My 2 cents: if the system is hardened, does logging and keeps track of connection states, you can call it a firewall.

Some machines do a lot less and they call it a firewall, but it is only a simple stateless access list... It is very hard to set up and still it's not very secure.

Jaco is a RISC OS User, on 26/8/03 9:14PM

Mart: I bought a D-Link modem rather than a router: (a) it's cheaper and (b) I place more trust in the ex-Smoothwall-now-IPCop box under the desk as a firewall/router than in whatever gets squidged into a router's FlashROM. Plus a proxy is still useful with Oregano/O2.

As Stefan says, the firewall in RISC OS is not as secure as it might be.

Mike

mikeg is a RISC OS User, on 26/8/03 10:16PM

Like Mart I am using a D-Link router (a 601 IIRC) along with the cable modem supplied by my broadband ISP. At the time I was making my decision DHCP was not yet available for RISC OS. I considered using my PC as a server but did not like the idea of having to have the PC booted up to access the Net via my Risc PC. Consideration was also given to setting up an old Pentium PC as a router using Smoothwall, but a small dedicated hardware router seemed a more elegant solution. I admit that the advantage of a proxy did not occur to me at the time.

Cheers Vic -- Victor Shears, Maidstone

vshears is a RISC OS User, on 27/8/03 10:11AM

As druck suggests, a default policy of deny is preferable; however, it does introduce a number of problems. Off the top of my head, problems occur due to the fact that inetfw seems to only properly understand numerical IPs. It would be nice if it could somehow resolve something like pop.clara.net when the connection is active, instead of having to add rules for each IP that pop.clara.net resolves to. There also seems to be a limit to the number of rules that one can define. I'll see if I can dig out my firewall config file... -- James Carey

jmcarey is a RISC OS User, on 29/8/03 12:58AM
