9 replies to this topic

[daveraver]

Hi! I've found where security - firewall locate their files on /etc/security, I think so. So, could anybody give me a website where it were explained for our enigma2 box?? On my formuler1 when you install firewall on plugin panel download, it shows dependecies errors, but create the folder 'security' with the access.conf and other files. I would like to read some wiki about firewall and its rules implementation, it would be great. If not, some google search could be useful, but I prefer somewhere recommended by some openpli forum member. I saw inside the files on security folder lots of explanations and config options, I didnt see if it is possible made an only 'hostname' access instead of IP. That's the main key I want to use, close access with only grant acces some hostname.

 

Thanks in advance,

David

[WanWizard]

The STB is not a security device, I doubt iptables even works.

[daveraver]

Then, what is the purpose of the firewall plugin on feeds? Well, I will try it and, if it works, I'll be back here to tell you... I say this because I have a way to run firewall through a script and maybe it will work.

Edited by daveraver, 29 May 2018 - 09:44.

[WanWizard]

Because it's been there for dogs years and nobody bothered to remove it?

[daveraver]

hahaha,      , eternal non functional firewall... ok... I will try anyway by my way... maybe my ignorance make me believe it is possible... greetings!!

Edited by daveraver, 29 May 2018 - 09:57.

[MiLo]

iptables would work on the box, like any other Linux machine out there (e.g. routers...) but doing so would basically kill all the nice features (webinterface, samba server). Opening up a port for, say, the webinterface, voids all security you got from iptables. Since it's rather pointless to do that, and the box is targeted to be behind a firewall already (i.e. your router) the iptables modules aren't even built to keep the kernel smaller (even when built as module, they'll leave some hooks in the kernel). It's basically not in there for the same reason the RAID6 driver (which also works perfectly fine on the box) isn't in there: There's just hardly any demand for it.

It's open source software, so everyone's free to compile and provide the iptables modules.

Edited by MiLo, 29 May 2018 - 18:44.

[daveraver]

But you can give access only to some hostname, with iptables... I wanted to copy and paste the iptables script to the box, but the sintaxis is diferent, to get full iptable feature, kernel has to be ready for take all rules that you can have on debian/ubuntu distros, this is the sintaxis for the package installed on my formuler f1 this afternoon,

root@formuler1:~# iptables --help
iptables v1.4.12.2

Usage: iptables -[ACD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)


Commands:
Either long or short options are allowed.
  --append  -A chain Append to chain
  --check   -C chain Check for the existence of a rule
  --delete  -D chain Delete matching rule from chain
  --delete  -D chain rulenum
Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
  --list    -L [chain [rulenum]]
List the rules in a chain or all chains
  --list-rules -S [chain [rulenum]]
Print the rules in a chain or all chains
  --flush   -F [chain] Delete all rules in  chain or all chains
  --zero    -Z [chain [rulenum]]
Zero counters in chain or all chains
  --new     -N chain Create a new user-defined chain
  --delete-chain
            -X [chain] Delete a user-defined chain
  --policy  -P chain target
Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
Change chain name, (moving any references)
Options:
    --ipv4 -4 Nothing (line is ignored by ip6tables-restore)
    --ipv6 -6 Error (line is ignored by iptables-restore)
[!] --proto -p proto protocol: by number or name, eg. `tcp'
[!] --source -s address[/mask][...]
source specification
[!] --destination -d address[/mask][...]
destination specification
[!] --in-interface -i input name[+]
network interface name ([+] for wildcard)
 --jump -j target
target for rule (may load target extension)
  --goto      -g chain
                              jump to chain with no return
  --match -m match
extended match (may load extension)
  --numeric -n numeric output of addresses and ports
[!] --out-interface -o output name[+]
network interface name ([+] for wildcard)
  --table -t table table to manipulate (default: `filter')
  --verbose -v verbose mode
  --line-numbers print line numbers when listing
  --exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
  --modprobe=<command> try to insert modules using this command
  --set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.

So, I cant do copy and paste from my firewall script on my debian server... different sintaxis

 

greetings 

[daveraver]

iptables would work on the box, like any other Linux machine out there (e.g. routers...) but doing so would basically kill all the nice features (webinterface, samba server). Opening up a port for, say, the webinterface, voids all security you got from iptables. Since it's rather pointless to do that, and the box is targeted to be behind a firewall already (i.e. your router) the iptables modules aren't even built to keep the kernel smaller (even when built as module, they'll leave some hooks in the kernel). It's basically not in there for the same reason the RAID6 driver (which also works perfectly fine on the box) isn't in there: There's just hardly any demand for it.

It's open source software, so everyone's free to compile and provide the iptables modules.

Ok, I will ask for a friend of mine, to get the modules compiled, but there are others that compile for comunity... so,,, why make it exclusive to a few persons, to use on openpli? so to use openpli you have to be a coder... ahh ok... nothing happens, everyone is free to compile or to go anywhere he wants...

 

If I thought as you, and I get the compiled modules, then, I wont share here to the community, it doesnt care, other person can compile agains, isnt it?

Edited by daveraver, 29 May 2018 - 19:05.

[Pr2]

The point here is that it is a bad idea to think that your receiver can act as a proper firewall just by enabling iptable on it.

So if people want to play sorcerer's apprentices it is up to there responsibility to compile it and play with it. If OpenPLi compile and offer it from the feed once your box will be hacked you will ask why and how is it possible since you install the iptable from the feed.

[daveraver]

The point here is that it is a bad idea to think that your receiver can act as a proper firewall just by enabling iptable on it.

So if people want to play sorcerer's apprentices it is up to there responsibility to compile it and play with it. If OpenPLi compile and offer it from the feed once your box will be hacked you will ask why and how is it possible since you install the iptable from the feed.

Yes, I think so right now. WanWizard tells me the same. Milo was a little "rude" to consider the users have to be coders to enjoy all their boxes features, on my point of view, but he give me a good idea, but not easy, to configure the ISP router firewall... one more battle for me...