#1 On 09/04/2009 at 20:19
- seb31
Firestarter, wifi card, driver and Dell Inspiron 6400 [solved]
Hello,
I don't know which update could have done this, but I no longer recognise much on my Dell Inspiron 6400 laptop as far as the network configuration is concerned.
No more wlan, but a wmaster0 in its place which does not seem to be properly recognised, so that Firestarter first refuses to start, and then launches on its own when the graphical interface is opened.
As for proprietary drivers, under Administration, nothing is listed any more; everything is empty.
I no longer control much through Firestarter, I don't know whether it works when I don't launch it graphically, and devices such as the webcam with aMSN no longer work.
The wifi card is a PRO/Wireless 3945BG (for Ethernet it's a Broadcom BCM 01).
Here is what iwconfig gives:
lo no wireless extensions.
eth0 no wireless extensions.
wmaster0 no wireless extensions.
eth1 IEEE 802.11abg ESSID:"(nom du réseau)"
Mode:Managed Frequency:2.412 GHz Access Point: XX:XX:XX:XX:XX:XX
Bit Rate=54 Mb/s Tx-Power=15 dBm
Retry min limit:7 RTS thr:off Fragment thr=2352 B
Power Management:off
Link Quality=93/100 Signal level:-36 dBm Noise level=-67 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0
In short, if someone could explain to me how to make sure everything works properly, particularly on the firewall side, I'd be grateful!
Thanks.
Last edited by seb31 (14/04/2009 at 10:26)
#2 On 10/04/2009 at 09:47
- Ehorinn
Re: Firestarter, wifi card, driver and Dell Inspiron 6400 [solved]
> No more wlan, but a wmaster0 in its place which does not seem to be properly recognised, so that Firestarter first refuses to start, and then launches on its own when the graphical interface is opened.
> As for proprietary drivers, under Administration, nothing is listed any more; everything is empty.
As the output of
sudo ifconfig -a
shows, your card is recognised as eth1
> I no longer control much through Firestarter, I don't know whether it works when I don't launch it graphically, and devices such as the webcam with aMSN no longer work.
Firestarter is only a graphical front-end to the netfilter module (which provides the firewall functionality).
iptables is another interface (command line); have a look at the documentation: http://doc.ubuntu-fr.org/iptables
Obviously netfilter does not need Firestarter or iptables in order to work (only to be configured the first time).
> The wifi card is a PRO/Wireless 3945BG (for Ethernet it's a Broadcom BCM 01).
> Here is what iwconfig gives:
> lo no wireless extensions.
> eth0 no wireless extensions.
> wmaster0 no wireless extensions.
> eth1 IEEE 802.11abg ESSID:"(nom du réseau)"
> Mode:Managed Frequency:2.412 GHz Access Point: XX:XX:XX:XX:XX:XX
> Bit Rate=54 Mb/s Tx-Power=15 dBm
> Retry min limit:7 RTS thr:off Fragment thr=2352 B
> Power Management:off
> Link Quality=93/100 Signal level:-36 dBm Noise level=-67 dBm
> Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
> Tx excessive retries:0 Invalid misc:0 Missed beacon:0
eth1 is indeed your WiFi interface.
If you configured some software with the name of the old interface (wlan0), it needs to be reconfigured.
(Or, simpler (?), create an alias saying that wlan0 is eth1.)
Last edited by Ehorinn (10/04/2009 at 09:48)
#3 On 10/04/2009 at 13:43
- seb31
Re: Firestarter, wifi card, driver and Dell Inspiron 6400 [solved]
ifconfig -a gives this:
eth0 Link encap:Ethernet HWaddr 00:1c:23:92:ae:8f
UP BROADCAST MULTICAST MTU:1500 Metric:1
Packets reçus:0 erreurs:0 :0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:1000
Octets reçus:0 (0.0 B) Octets transmis:0 (0.0 B)
Interruption:17
eth1 Link encap:Ethernet HWaddr 00:1b:77:a9:09:72
inet adr:192.168.0.2 Bcast:192.168.0.255 Masque:255.255.255.0
adr inet6: fe80::21b:77ff:fea9:972/64 Scope:Lien
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Packets reçus:5074 erreurs:0 :0 overruns:0 frame:0
TX packets:5533 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:1000
Octets reçus:4588994 (4.5 MB) Octets transmis:1038659 (1.0 MB)
lo Link encap:Boucle locale
inet adr:127.0.0.1 Masque:255.0.0.0
adr inet6: ::1/128 Scope:Hôte
UP LOOPBACK RUNNING MTU:16436 Metric:1
Packets reçus:416 erreurs:0 :0 overruns:0 frame:0
TX packets:416 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:0
Octets reçus:33024 (33.0 KB) Octets transmis:33024 (33.0 KB)
wmaster0 Link encap:UNSPEC HWaddr 00-1B-77-A9-09-72-30-30-00-00-00-00-00-00-00-00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Packets reçus:0 erreurs:0 :0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:1000
Octets reçus:0 (0.0 B) Octets transmis:0 (0.0 B)
iptables -L gives this:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
which would seem to indicate that nothing is blocked, which the following command confirms:
sudo /etc/init.d/firestarter status
* Firestarter is stopped
And when I try to restart Firestarter to configure iptables, here is what I get:
Impossible de démarrer le pare-feu
Erreur inconnue
Vérifiez votre périphérique réseau et assurez-vous que le connexion internet est activée
Yet I am online right now.
As for network devices, Firestarter shows me:
Eth0 = Ethernet
Eth1 = Internet
wmaste = Inconnu
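Two checks for exactly the situation in this post, as an added example (not code from the thread or from Firestarter): one reads `iptables -L` output and says whether netfilter is filtering anything at all (all policies ACCEPT with no rules means wide open, as seb31's output shows), the other finds interface names in a Firestarter-style configuration that no longer exist on the system. The IF=/INIF= keys are an assumption about the configuration file format, and all sample data is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Firestarter. Two checks for the
# situation seb31 describes: (1) is netfilter actually filtering anything, judged
# from `iptables -L` output, and (2) does a Firestarter-style configuration still
# name an interface (the old wlan0) that no longer exists. The IF=/INIF= keys are
# an assumption about the configuration file format; all sample data is constructed.
set -e

# Constructed sample: what `iptables -L` showed in the post above, every policy
# ACCEPT and no rules at all, i.e. the ruleset is not loaded and nothing is blocked.
IPT_OPEN='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed sample: the shape of a loaded Firestarter ruleset (DROP policies,
# rules in the built-in chains, a user-defined LSI chain).
IPT_ACTIVE='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
LSI        all  --  anywhere             anywhere
Chain FORWARD (policy DROP)
target     prot opt source               destination
Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
Chain LSI (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere'

# firewall_state: reads `iptables -L` output on stdin and prints "open" when all
# three built-in chains have policy ACCEPT, there are no rules and no user chains;
# prints "filtering" as soon as any of those conditions fails.
firewall_state() {
    awk '
        /^Chain (INPUT|FORWARD|OUTPUT) / { if ($0 !~ /policy ACCEPT/) strict++; next }
        /^Chain /                        { user_chains++; next }
        /^target /                       { next }
        NF > 0                           { rules++ }
        END {
            if (strict + rules + user_chains == 0) print "open"
            else print "filtering"
        }
    '
}

# Constructed sample: the interface names `ifconfig -a` prints on this laptop
# (first column of each non-indented line).
IFCONFIG_OUT='eth0      Link encap:Ethernet  HWaddr 00:1c:23:92:ae:8f
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
eth1      Link encap:Ethernet  HWaddr 00:1b:77:a9:09:72
          inet adr:192.168.0.2  Bcast:192.168.0.255  Masque:255.255.255.0
lo        Link encap:Boucle locale
wmaster0  Link encap:UNSPEC  HWaddr 00-1B-77-A9-09-72-30-30-00-00-00-00-00-00-00-00'

# Constructed sample: a configuration still pointing at the old interface name.
FS_CONF='IF=wlan0
INIF=eth0
NAT=off'

# stale_ifaces CONFIG IFCONFIG_OUTPUT: prints every interface named on an IF= or
# INIF= line of CONFIG that is not present in IFCONFIG_OUTPUT, one per line.
stale_ifaces() {
    present=$(printf '%s\n' "$2" | awk '/^[^[:space:]]/ { print $1 }')
    printf '%s\n' "$1" | awk -F= '/^(IF|INIF)=/ { print $2 }' | while read -r name; do
        printf '%s\n' "$present" | grep -qx "$name" || printf '%s\n' "$name"
    done
}

# Stand-alone run: report both checks for the constructed samples.
printf 'iptables as posted: %s\n' "$(printf '%s\n' "$IPT_OPEN" | firewall_state)"
printf 'loaded ruleset:     %s\n' "$(printf '%s\n' "$IPT_ACTIVE" | firewall_state)"
printf 'stale interfaces:   %s\n' "$(stale_ifaces "$FS_CONF" "$IFCONFIG_OUT")"
```

On a real machine, feed `sudo iptables -L` and `ifconfig -a` into the two functions instead of the samples; "open" together with Firestarter reporting itself stopped means the host has no packet filtering at all.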
#4 On 10/04/2009 at 13:49
- Ehorinn
Re: Firestarter, wifi card, driver and Dell Inspiron 6400 [solved]
Er... in the first post eth1 had an ESSID, where did it go?
For wmaster (which isn't configurable) that's normal, it's the WiFi for certain programs such as D-Bus (to be verified).
Otherwise, eth1 is your WiFi; you can see it has the same MAC address as wmaster0.
You can check with:
sudo iwlist scan
---
For Firestarter, try reconfiguring it:
sudo dpkg-reconfigure firestarter
Last edited by Ehorinn (10/04/2009 at 13:51)
#5 On 10/04/2009 at 15:42
- seb31
Re: Firestarter, wifi card, driver and Dell Inspiron 6400 [solved]
Result of sudo iwlist scan:
lo Interface doesn't support scanning.
eth0 Interface doesn't support scanning.
wmaster0 Interface doesn't support scanning.
eth1 Scan completed :
Cell 01 - Address: 16:7E:34:F4:90:40
ESSID:"SuperNounours"
Mode:Master
Channel:1
Frequency:2.412 GHz (Channel 1)
Quality=95/100 Signal level:-33 dBm Noise level=-65 dBm
Encryption key:on
IE: WPA Version 1
Group Cipher : TKIP
Pairwise Ciphers (2) : TKIP CCMP
Authentication Suites (1) : PSK
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
48 Mb/s; 54 Mb/s
Extra:tsf=00000054bc177797
Extra: Last beacon: 52ms ago
Cell 02 - Address: 16:7E:34:F4:90:41
ESSID:""
Mode:Master
Channel:1
Frequency:2.412 GHz (Channel 1)
Quality=52/100 Signal level:-77 dBm Noise level=-65 dBm
Encryption key:on
IE: IEEE 802.11i/WPA2 Version 1
Group Cipher : CCMP
Pairwise Ciphers (1) : CCMP
Authentication Suites (1) : PSK
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
48 Mb/s; 54 Mb/s
Extra:tsf=00000054bbeedcd2
Extra: Last beacon: 2712ms ago
Cell 03 - Address: 16:7E:34:F4:90:42
ESSID:""
Mode:Master
Channel:1
Frequency:2.412 GHz (Channel 1)
Quality=51/100 Signal level:-78 dBm Noise level=-65 dBm
Encryption key:on
IE: IEEE 802.11i/WPA2 Version 1
Group Cipher : CCMP
Pairwise Ciphers (1) : CCMP
Authentication Suites (1) : PSK
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
48 Mb/s; 54 Mb/s
Extra:tsf=00000054bbeee1bd
Extra: Last beacon: 2712ms ago
Cell 04 - Address: 16:7E:34:F4:90:43
ESSID:""
Mode:Master
Channel:1
Frequency:2.412 GHz (Channel 1)
Quality=88/100 Signal level:-45 dBm Noise level=-65 dBm
Encryption key:on
IE: IEEE 802.11i/WPA2 Version 1
Group Cipher : CCMP
Pairwise Ciphers (1) : CCMP
Authentication Suites (1) : PSK
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
48 Mb/s; 54 Mb/s
Extra:tsf=00000054bbe8a684
Extra: Last beacon: 3120ms ago
Cell 05 - Address: 00:1F:33:CD:FA:ED
ESSID:"NUMERICABLE-4232"
Mode:Master
Channel:6
Frequency:2.437 GHz (Channel 6)
Quality=48/100 Signal level:-80 dBm Noise level=-65 dBm
Encryption key:on
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 18 Mb/s
24 Mb/s; 36 Mb/s; 54 Mb/s; 6 Mb/s; 9 Mb/s
12 Mb/s; 48 Mb/s
Extra:tsf=000000b2b12bfe8c
Extra: Last beacon: 2112ms ago
Cell 06 - Address: 00:1D:19:8C:9E:8E
ESSID:"SFR_ADSL_0C442"
Mode:Master
Channel:4
Frequency:2.427 GHz (Channel 4)
Quality=35/100 Signal level:-88 dBm Noise level=-65 dBm
Encryption key:on
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
48 Mb/s; 54 Mb/s
Extra:tsf=000000b7e29c0181
Extra: Last beacon: 2880ms ago
Cell 07 - Address: 06:1D:19:8C:9E:8E
ESSID:"SFR_WPA_0C442"
Mode:Master
Channel:4
Frequency:2.427 GHz (Channel 4)
Quality=37/100 Signal level:-87 dBm Noise level=-65 dBm
Encryption key:on
IE: WPA Version 1
Group Cipher : TKIP
Pairwise Ciphers (2) : CCMP TKIP
Authentication Suites (1) : PSK
IE: IEEE 802.11i/WPA2 Version 1
Group Cipher : TKIP
Pairwise Ciphers (2) : CCMP TKIP
Authentication Suites (1) : PSK
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
48 Mb/s; 54 Mb/s
Extra:tsf=000000b7e2911181
Extra: Last beacon: 3544ms ago
Cell 08 - Address: 00:1A:2B:68:68:B6
ESSID:"NUMERICABLE-C68E"
Mode:Master
Channel:6
Frequency:2.437 GHz (Channel 6)
Quality=46/100 Signal level:-81 dBm Noise level=-65 dBm
Encryption key:on
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 18 Mb/s
24 Mb/s; 36 Mb/s; 54 Mb/s; 6 Mb/s; 9 Mb/s
12 Mb/s; 48 Mb/s
Extra:tsf=000006371c3fd188
Extra: Last beacon: 2500ms ago
Cell 09 - Address: 00:16:41:8E:57:B2
ESSID:"Livebox-94b9"
Mode:Master
Channel:9
Frequency:2.452 GHz (Channel 9)
Quality=31/100 Signal level:-90 dBm Noise level=-65 dBm
Encryption key:on
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 18 Mb/s
24 Mb/s; 36 Mb/s; 54 Mb/s; 6 Mb/s; 9 Mb/s
12 Mb/s; 48 Mb/s
Extra:tsf=0000002431375187
Extra: Last beacon: 2084ms ago
Cell 10 - Address: 00:21:86:44:99:9E
ESSID:"LIVEBOXe7e5"
Mode:Master
Channel:10
Frequency:2.457 GHz (Channel 10)
Quality=73/100 Signal level:-61 dBm Noise level=-65 dBm
Encryption key:on
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
48 Mb/s; 54 Mb/s
Extra:tsf=000000655fa2c185
Extra: Last beacon: 1628ms ago
Result of sudo dpkg-reconfigure firestarter:
Script du pare-feu enregistré dans /etc/firestarter/firewall
* Stopping the Firestarter firewall... [ OK ]
* Starting the Firestarter firewall... [fail]
invoke-rc.d: initscript firestarter, action "restart" failed.
In short, there really is a problem, but which one???
#6 On 10/04/2009 at 17:49
- Ehorinn
Re: Firestarter, wifi card, driver and Dell Inspiron 6400 [solved]
Easy way out:
iptables is very good, you know
Otherwise:
I have no idea, it needs to be reconfigured
Tell us what is in the file /etc/firestarter/firewall
-> If there are rules with wlan0... grrr
#7 On 11/04/2009 at 10:19
- seb31
Re: Firestarter, wifi card, driver and Dell Inspiron 6400 [solved]
I don't know much about this, but there are still things that look odd to me in this firewall file, for example the fact that the kernel (the Linux kernel, if I'm not mistaken) does not support iptables, among other things!!!
It's a bit long, but here is the file in question:
#-----------( Firestarter 1.0.3, Netfilter kernel subsystem in use )----------#
# #
# This firewall was generated by Firestarter on 2009-04-10 15:42 #
# http://www.fs-security.com #
# #
#-----------------------------------------------------------------------------#
# --------( Initial Setup - Firewall Modules Autoloader )--------
# Remove ipchains module if found
$LSM | grep ipchains -q -s && $RMM ipchains
# Try to load every module we need
$MPB ip_tables 2> /dev/null
$MPB iptable_filter 2> /dev/null
$MPB ipt_state 2> /dev/null
$MPB ip_conntrack 2> /dev/null
$MPB ip_conntrack_ftp 2> /dev/null
$MPB ip_conntrack_irc 2> /dev/null
$MPB ipt_REJECT 2> /dev/null
$MPB ipt_TOS 2> /dev/null
$MPB ipt_MASQUERADE 2> /dev/null
$MPB ipt_LOG 2> /dev/null
$MPB iptable_mangle 2> /dev/null
$MPB ipt_ipv4optsstrip 2> /dev/null
if [ "$NAT" = "on" ]; then
$MPB iptable_nat 2> /dev/null
$MPB ip_nat_ftp 2> /dev/null
$MPB ip_nat_irc 2> /dev/null
fi
if [ "EXT_PPP" = "on" ]; then
$MPB bsd_comp 2> /dev/null
$MPB ppp_deflate 2> /dev/null
fi
# --------( Initial Setup - Firewall Capabilities Check )--------
# Make sure the test chains does not exist
$IPT -F test 2> /dev/null
$IPT -X test 2> /dev/null
if [ "$NAT" = "on" ]; then
$IPT -t nat -F test 2> /dev/null
$IPT -t nat -X test 2> /dev/null
fi
# Iptables support check, mandatory feature
if [ "`$IPT -N test 2>&1`" ]; then
echo Fatal error: Your kernel does not support iptables.
return 100
fi
# Logging support check
log_supported=1
if [ "`$IPT -A test -j LOG 2>&1`" ]; then
echo Warning: Logging not supported by kernel, you will recieve no firewall event updates.
log_supported=""
fi
if [ "$NAT" = "on" ]; then
# NAT support check
nat_supported=1
if [ "`$IPT -t nat -N test 2>&1`" ]; then
echo Warning: Network address translation not supported by kernel, feature disabled.
nat_supported=""
fi
fi
# Mangle support check
mangle_supported=1
if [ "`$IPT -t mangle -F 2>&1`" ]; then
echo Warning: Packet mangling not supported by kernel, feature disabled.
mangle_supported=""
fi
# IP options stripping support check
stripoptions_supported=1
if [ "`$IPT -t mangle -A test -j IPV4OPTSSTRIP 2>&1`" ]; then
stripoptions_supported=""
fi
# --------( Chain Configuration - Flush Existing Chains )--------
# Purge standard chains (INPUT, OUTPUT, FORWARD).
$IPT -F
$IPT -X
$IPT -Z
# Purge extended chains (MANGLE & NAT) if they exist.
if [ "$mangle_supported" ]; then
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -t mangle -Z
fi
if [ "$nat_supported" ]; then
$IPT -t nat -F
$IPT -t nat -X
$IPT -t nat -Z
fi
# --------( Chain Configuration - Configure Default Policy )--------
# Configure standard chains (INPUT, OUTPUT, FORWARD).
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
# Configure extended chains (MANGLE & NAT) if required.
if [ "$mangle_supported" ]; then
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT
fi
if [ "$nat_supported" ]; then
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
fi
# --------( Chain Configuration - Create Default Result Chains )--------
# Create a new chain for filtering the input before logging is performed
$IPT -N LOG_FILTER 2> /dev/null
$IPT -F LOG_FILTER
# Hosts for which logging is disabled
while read host garbage
do
$IPT -A LOG_FILTER -s $host -j $STOP_TARGET
done < /etc/firestarter/events-filter-hosts
# Ports for which logging is disabled
while read port garbage
do
$IPT -A LOG_FILTER -p tcp --dport $port -j $STOP_TARGET
$IPT -A LOG_FILTER -p udp --dport $port -j $STOP_TARGET
done < /etc/firestarter/events-filter-ports
# Create a new log and stop input (LSI) chain.
$IPT -N LSI 2> /dev/null
$IPT -F LSI
$IPT -A LSI -j LOG_FILTER
if [ "$log_supported" ]; then
# Syn-flood protection
$IPT -A LSI -p tcp --syn -m limit --limit 1/s -j LOG --log-level=$LOG_LEVEL --log-prefix "Inbound "
$IPT -A LSI -p tcp --syn -j $STOP_TARGET
# Rapid portscan protection
$IPT -A LSI -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j LOG --log-level=$LOG_LEVEL --log-prefix "Inbound "
$IPT -A LSI -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j $STOP_TARGET
# Ping of death protection
$IPT -A LSI -p icmp --icmp-type echo-request -m limit --limit 1/s -j LOG --log-level=$LOG_LEVEL --log-prefix "Inbound "
$IPT -A LSI -p icmp --icmp-type echo-request -j $STOP_TARGET
# Log everything
$IPT -A LSI -m limit --limit 5/s -j LOG --log-level=$LOG_LEVEL --log-prefix "Inbound "
fi
$IPT -A LSI -j $STOP_TARGET # Terminate evaluation
# Create a new log and stop output (LSO) chain.
$IPT -N LSO 2> /dev/null
$IPT -F LSO
$IPT -A LSO -j LOG_FILTER
if [ "$log_supported" ]; then
# Log everything
$IPT -A LSO -m limit --limit 5/s -j LOG --log-level=$LOG_LEVEL --log-prefix "Outbound "
fi
$IPT -A LSO -j REJECT # Terminate evaluation
# --------( Initial Setup - Nameservers )--------
# Allow regular DNS traffic
while read keyword server garbage
do
if [ "$keyword" = "nameserver" ]; then
$IPT -A INPUT -p tcp ! --syn -s $server -d 0/0 -j ACCEPT
$IPT -A INPUT -p udp -s $server -d 0/0 -j ACCEPT
$IPT -A OUTPUT -p tcp -s $IP -d $server --dport 53 -j ACCEPT
$IPT -A OUTPUT -p udp -s $IP -d $server --dport 53 -j ACCEPT
fi
done < /etc/resolv.conf
# --------( Initial Setup - Configure Kernel Parameters )--------
source /etc/firestarter/sysctl-tuning
# --------( Intial Setup - User Defined Pre Script )--------
source /etc/firestarter/user-pre
# --------( Rules Configuration - Specific Rule - Loopback Interfaces )--------
# Allow all traffic on the loopback interface
$IPT -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPT -A OUTPUT -o lo -s 0/0 -d 0/0 -j ACCEPT
# --------( Rules Configuration - Type of Service (ToS) - Ruleset Filtered by GUI )--------
if [ "$FILTER_TOS" = "on" ]; then
if [ "$TOS_CLIENT" = "on" -a $mangle_supported ]; then
# ToS: Client Applications
$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 20:21 --set-tos $TOSOPT
$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 22 --set-tos $TOSOPT
$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 68 --set-tos $TOSOPT
$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 80 --set-tos $TOSOPT
$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 443 --set-tos $TOSOPT
fi
if [ "$TOS_SERVER" = "on" -a $mangle_supported ]; then
# ToS: Server Applications
$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 20:21 --set-tos $TOSOPT
$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 22 --set-tos $TOSOPT
$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 25 --set-tos $TOSOPT
$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 53 --set-tos $TOSOPT
$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 67 --set-tos $TOSOPT
$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 80 --set-tos $TOSOPT
$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 110 --set-tos $TOSOPT
$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 143 --set-tos $TOSOPT
$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 443 --set-tos $TOSOPT
$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 1812 --set-tos $TOSOPT
$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 1813 --set-tos $TOSOPT
$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 2401 --set-tos $TOSOPT
$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 8080 --set-tos $TOSOPT
fi
if [ "$TOS_SERVER" = "on" -a $mangle_supported ]; then
# ToS: The X Window System
$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 22 --set-tos 0x10
$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 6000:6015 --set-tos 0x08
fi
fi
# --------( Rules Configuration - ICMP )--------
if [ "$FILTER_ICMP" = "on" ]; then
if [ "$ICMP_ECHO_REQUEST" = "on" ]; then
# ICMP: Ping Requests
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPT -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
fi
if [ "$ICMP_ECHO_REPLY" = "on" ]; then
# ICMP: Ping Replies
$IPT -A INPUT -p icmp --icmp-type echo-reply -m limit --limit 1/s -j ACCEPT
$IPT -A FORWARD -p icmp --icmp-type echo-reply -m limit --limit 1/s -j ACCEPT
fi
if [ "$ICMP_TRACEROUTE" = "on" ]; then
# ICMP: Traceroute Requests
$IPT -A INPUT -p udp --dport 33434 -j ACCEPT
$IPT -A FORWARD -p udp --dport 33434 -j ACCEPT
else
$IPT -A INPUT -p udp --dport 33434 -j LSI
$IPT -A FORWARD -p udp --dport 33434 -j LSI
fi
if [ "$ICMP_MSTRACEROUTE" = "on" ]; then
# ICMP: MS Traceroute Requests
$IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A FORWARD -p icmp --icmp-type destination-unreachable -j ACCEPT
fi
if [ "$ICMP_UNREACHABLE" = "on" ]; then
# ICMP: Unreachable Requests
$IPT -A INPUT -p icmp --icmp-type host-unreachable -j ACCEPT
$IPT -A FORWARD -p icmp --icmp-type host-unreachable -j ACCEPT
fi
if [ "$ICMP_TIMESTAMPING" = "on" ]; then
# ICMP: Timestamping Requests
$IPT -A INPUT -p icmp --icmp-type timestamp-request -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type timestamp-reply -j ACCEPT
fi
if [ "$ICMP_MASKING" = "on" ]; then
# ICMP: Address Masking
$IPT -A INPUT -p icmp --icmp-type address-mask-request -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type address-mask-reply -j ACCEPT
$IPT -A FORWARD -p icmp --icmp-type address-mask-request -j ACCEPT
$IPT -A FORWARD -p icmp --icmp-type address-mask-reply -j ACCEPT
fi
if [ "$ICMP_REDIRECTION" = "on" ]; then
# ICMP: Redirection Requests
$IPT -A INPUT -p icmp --icmp-type redirect -m limit --limit 2/s -j ACCEPT
$IPT -A FORWARD -p icmp --icmp-type redirect -m limit --limit 2/s -j ACCEPT
fi
if [ "$ICMP_SOURCE_QUENCHES" = "on" ]; then
# ICMP: Source Quench Requests
$IPT -A INPUT -p icmp --icmp-type source-quench -m limit --limit 2/s -j ACCEPT
$IPT -A FORWARD -p icmp --icmp-type source-quench -m limit --limit 2/s -j ACCEPT
fi
# Catch ICMP traffic not allowed above
$IPT -A INPUT -p icmp -j LSI
$IPT -A FORWARD -p icmp -j LSI
else
# Allow all ICMP traffic when filtering disabled
$IPT -A INPUT -p icmp -m limit --limit 10/s -j ACCEPT
$IPT -A FORWARD -p icmp -m limit --limit 10/s -j ACCEPT
fi
if [ "$NAT" = "on" ]; then
# --------( Rules Configuration - Masquerading - Sysctl Modifications )--------
#Turn on IP forwarding
if [ -e /proc/sys/net/ipv4/ip_forward ]; then
echo 1 > /proc/sys/net/ipv4/ip_forward
fi
# --------( Rules Configuration - Masquerading - Default Ruleset )--------
#TCPMSS Fix - Needed for *many* broken PPPO{A/E} clients
$IPT -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
if [ "$stripoptions_supported" -a "$mangle_supported" ]; then
#IPv4OPTIONS Fix - Strip IP options from a forwarded packet
$IPT -t mangle -A PREROUTING -j IPV4OPTSSTRIP
fi
# --------( Rules Configuration - Forwarded Traffic )--------
if [ "$nat_supported" ]; then
#Masquerade outgoing traffic
$IPT -t nat -A POSTROUTING -o $IF -j MASQUERADE
fi
# Temoporarily set the field separator for CSV format
OLDIFS=$IFS
IFS=','
# Services forward from the firewall to the internal network
while read service ext_port host int_port garbage
do
scrub_parameters
$IPT -A FORWARD -i $IF -p tcp -d $host --dport $int_port -j ACCEPT
$IPT -A FORWARD -i $IF -p udp -d $host --dport $int_port -j ACCEPT
$IPT -A PREROUTING -t nat -i $IF -p tcp --dport $ext_port -j DNAT --to-destination $host:$int_port_dashed
$IPT -A PREROUTING -t nat -i $IF -p udp --dport $ext_port -j DNAT --to-destination $host:$int_port_dashed
done < /etc/firestarter/inbound/forward
IFS=$OLDIFS
fi
# --------( Rules Configuration - Inbound Traffic )--------
if [ "$BLOCK_NON_ROUTABLES" = "on" ]; then
# Block traffic from non-routable address space on the public interfaces
$IPT -N NR 2> /dev/null
$IPT -F NR
while read block garbage
do
$IPT -A NR -s $block -d $NET -i $IF -j LSI
done < /etc/firestarter/non-routables
$IPT -A INPUT -s ! $NET -i $IF -j NR
fi
# Block Broadcast Traffic
if [ "$BLOCK_EXTERNAL_BROADCAST" = "on" ]; then
$IPT -A INPUT -i $IF -d 255.255.255.255 -j DROP
if [ "$BCAST" != "" ]; then
$IPT -A INPUT -d $BCAST -j DROP
fi
fi
if [ "$NAT" = "on" -a "$BLOCK_INTERNAL_BROADCAST" = "on" ]; then
$IPT -A INPUT -i $INIF -d 255.255.255.255 -j DROP
if [ "$INBCAST" != "" ]; then
$IPT -A INPUT -i $INIF -d $INBCAST -j DROP
fi
fi
# Block Multicast Traffic
# Some cable/DSL providers require their clients to accept multicast transmissions
# you should remove the following four rules if you are affected by multicasting
$IPT -A INPUT -s 224.0.0.0/8 -d 0/0 -j DROP
$IPT -A INPUT -s 0/0 -d 224.0.0.0/8 -j DROP
$IPT -A OUTPUT -s 224.0.0.0/8 -d 0/0 -j DROP
$IPT -A OUTPUT -s 0/0 -d 224.0.0.0/8 -j DROP
# Block Traffic with Stuffed Routing
# Early versions of PUMP - (the DHCP client application included in RH / Mandrake) require
# inbound packets to be accepted from a source address of 255.255.255.255. If you have issues
# with DHCP clients on your local LAN - either update PUMP, or remove the first rule below)
$IPT -A INPUT -s 255.255.255.255 -j DROP
$IPT -A INPUT -d 0.0.0.0 -j DROP
$IPT -A OUTPUT -s 255.255.255.255 -j DROP
$IPT -A OUTPUT -d 0.0.0.0 -j DROP
$IPT -A INPUT -m state --state INVALID -j DROP # Block Traffic with Invalid Flags
$IPT -A INPUT -f -m limit --limit 10/minute -j LSI # Block Traffic w/ Excessive Fragmented Packets
# --------( Rules Configuration - Outbound Traffic )--------
$IPT -A OUTPUT -m state --state INVALID -j DROP # Block Traffic w/ Invalid Flags
# --------( Traffic Policy )--------
# Load the inbound traffic policy
source /etc/firestarter/inbound/setup
$IPT -A INPUT -i $IF -j INBOUND # Check Internet to firewall traffic
if [ "$NAT" = "on" ]; then
$IPT -A INPUT -i $INIF -d $INIP -j INBOUND # Check LAN to firewall (private ip) traffic
$IPT -A INPUT -i $INIF -d $IP -j INBOUND # Check LAN to firewall (public ip) traffic
if [ "$INBCAST" != "" ]; then
$IPT -A INPUT -i $INIF -d $INBCAST -j INBOUND # Check LAN to firewall broadcast traffic
fi
fi
# Load the outbound traffic policy
source /etc/firestarter/outbound/setup
$IPT -A OUTPUT -o $IF -j OUTBOUND # Check firewall to Internet traffic
if [ "$NAT" = "on" ]; then
$IPT -A OUTPUT -o $INIF -j OUTBOUND # Check firewall to LAN traffic
$IPT -A FORWARD -i $INIF -j OUTBOUND # Check LAN to Internet traffic
# Allow Internet to LAN response traffic
$IPT -A FORWARD -p tcp -d $INNET -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -p udp -d $INNET -m state --state ESTABLISHED,RELATED -j ACCEPT
fi
# --------( User Defined Post Script )--------
source /etc/firestarter/user-post
# --------( Unsupported Traffic Catch-All )--------
$IPT -A INPUT -j LOG_FILTER
$IPT -A INPUT -j LOG --log-level=$LOG_LEVEL --log-prefix "Unknown Input"
$IPT -A OUTPUT -j LOG_FILTER
$IPT -A OUTPUT -j LOG --log-level=$LOG_LEVEL --log-prefix "Unknown Output"
$IPT -A FORWARD -j LOG_FILTER
$IPT -A FORWARD -j LOG --log-level=$LOG_LEVEL --log-prefix "Unknown Forward"
return 0
#8 On 14/04/2009 at 08:22
- Ehorinn
Re: Firestarter, wifi card, driver and Dell Inspiron 6400 [solved]
Empty this file and launch firestarter from a terminal.
cp /etc/firestarter/firewall /etc/firestarter/firewall.2009.04.14
echo " " > /etc/firestarter/firewall
firestarter
#9 On 14/04/2009 at 10:25
- seb31
Re: Firestarter, wifi card, driver and Dell Inspiron 6400 [solved]
OK, thanks
everything is back in order, that's the main thing, even if I didn't understand everything!
#10 On 14/04/2009 at 11:19
- Ehorinn
Re: Firestarter, wifi card, driver and Dell Inspiron 6400 [solved]
Oo
Good news then